security

Fixing Problems with Passwordless SSH Authentication

I use CentOS, but these guidelines should apply to whatever flavor of Linux you use. We all know it's good security practice to lock down your server and require SSH logins to use an RSA key pair rather than a password, right? Plus, it makes it easier to log in to your server from your primary computers/devices...

I was setting up a new server recently, and spent probably half an hour figuring out why the standard procedure (generate a key pair, copy the public key to the server, put it in /home/[username]/.ssh/authorized_keys, and log in without a password) wasn't working for me.

It turns out there were permissions issues I hadn't thought of (I would usually create accounts through cPanel, since I only live in the Terminal out of necessity, from time to time). When you create the authorized_keys file, which contains the public SSH keys for your computers, you need to make sure the permissions are set so that:
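The permissions sshd actually cares about are the ones checked under its default `StrictModes yes`: the home directory, `~/.ssh` and `authorized_keys` must all be owned by the user (or root) and must not be writable by group or others, otherwise sshd ignores the key file and logs "Authentication refused: bad ownership or modes" to the auth log (/var/log/secure on CentOS). The script below is an added example, not code from the original post: it audits those modes for a given home directory and repairs them to the conventional 700/600. It assumes GNU `stat -c` or BSD `stat -f` is available and that the home directory is passed as an argument; the script name and the `check`/`fix` subcommands are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): audit and repair the file
# modes sshd checks under "StrictModes yes" before it will read
# ~/.ssh/authorized_keys. Assumes GNU stat (-c) or BSD stat (-f).

# Print a path's mode in octal, e.g. 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when neither the group nor the other write bit is set.
# The leading 0 makes the arithmetic treat the mode as octal.
not_group_world_writable() {
    m=$(mode_of "$1") || return 1
    [ $(( 0$m & 022 )) -eq 0 ]
}

# Audit one home directory: print each problem, return 0 when all is clean.
ssh_perm_check() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
        elif ! not_group_world_writable "$p"; then
            echo "group/world writable ($(mode_of "$p")): $p"
            rc=1
        fi
    done
    return $rc
}

# Repair to the conventional modes: home not group/world writable,
# .ssh 700, authorized_keys 600. Ownership is left alone; if the files
# belong to another user, fix that with chown before re-running the check.
ssh_perm_fix() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Usage: sh ssh-perms.sh check /home/alice   or   sh ssh-perms.sh fix /home/alice
case "${1-}" in
    check) ssh_perm_check "${2:-$HOME}" ;;
    fix)   ssh_perm_fix "${2:-$HOME}" && ssh_perm_check "${2:-$HOME}" ;;
esac
```

Run `check` first; if it reports nothing but login still falls back to a password, look at `ssh -v` output on the client and the sshd entries in /var/log/secure, since the remaining causes (wrong key in the file, ownership, SELinux context on a freshly created .ssh directory) show up there rather than in the mode bits.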

Google Switches from Windows to Mac/Linux for Security

From MacRumors:

Google is phasing out the use of Windows company-wide due to security concerns. The move comes after news in January that Google was hacked in an attack originating in China. Those attacks used a security vulnerability in Internet Explorer for Windows. News of the report comes from FT.com, which cites several Google employees.

"We're not doing any more Windows. It is a security effort," said one Google employee.

The majority of those moving away from Windows PCs are moving to Mac OS according to another Google employee. New hires are given the option to run Mac OS or a Linux-based machine.

Google employs over 10,000 individuals worldwide.

Secure Your Files: Create an Encrypted Disk on Which to Store Private Files

The popularity of 'cloud file management' software such as Dropbox and SugarSync has made me re-evaluate my security practices for the files on my computers. In the past, I never put any of my private files (for instance, files with sensitive passwords, or scans of important legal documents) in my shared folders (Dropbox, iDisk, etc.), but I finally came up with an ideal solution for storing and syncing these files. It's like using FileVault, but without the extra overhead of encrypting every file in your home directory.
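On macOS the tool for this is hdiutil. The script below is an added example, not the post's own instructions: it creates an AES-256 encrypted sparse bundle, mounts it and unmounts it. A sparse bundle is stored as a folder of small band files rather than one big file, so a sync client such as Dropbox only re-uploads the bands that changed. The passphrase is read from standard input (`-stdinpass`) so it never lands in your shell history or the process list. The image name, volume name and size cap are placeholders; `DRY_RUN=1` prints the commands instead of executing them, which is how the self-check below exercises it on a machine without hdiutil.

```shell
#!/bin/sh
# Added example (not from the original post): manage an AES-256 encrypted
# sparse bundle with macOS hdiutil. IMAGE_NAME, VOL_NAME and IMAGE_SIZE are
# illustrative defaults; hdiutil appends ".sparsebundle" to IMAGE_NAME.

IMAGE_NAME=${IMAGE_NAME:-Private}
VOL_NAME=${VOL_NAME:-Private}
IMAGE_SIZE=${IMAGE_SIZE:-1g}    # sparse: grows on demand up to this cap

# Echo the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the image. Pipe the passphrase in: printf '%s' "$pw" | encdisk_create
encdisk_create() {
    run hdiutil create -size "$IMAGE_SIZE" -fs HFS+J -volname "$VOL_NAME" \
        -encryption AES-256 -type SPARSEBUNDLE -stdinpass "$IMAGE_NAME"
}

# Mount at /Volumes/$VOL_NAME, again taking the passphrase from stdin.
encdisk_mount() {
    run hdiutil attach -stdinpass "$IMAGE_NAME.sparsebundle"
}

# Unmount before letting the sync client upload, so the bands are consistent.
encdisk_unmount() {
    run hdiutil detach "/Volumes/$VOL_NAME"
}

# Sparse bundles do not shrink when files are deleted; reclaim the space.
encdisk_compact() {
    run hdiutil compact "$IMAGE_NAME.sparsebundle"
}

# Usage: sh encdisk.sh create|mount|unmount|compact
case "${1-}" in
    create)  encdisk_create ;;
    mount)   encdisk_mount ;;
    unmount) encdisk_unmount ;;
    compact) encdisk_compact ;;
esac
```

Two practical caveats: detach the volume before the sync client runs, because bands of a mounted, actively written image can be uploaded in an inconsistent state; and keep the passphrase somewhere other than inside the image itself, since an encrypted sparse bundle with a forgotten passphrase is not recoverable.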

Simple Steps to Protect Your Online Identity/Data

[Update: Back when this was written, very nice password managers like 1Password and LastPass didn't exist, or weren't nearly as capable as they are today. Please ignore the advice below: use a password manager to generate very long, random passwords, and rely on the password manager instead of memorizing anything.]

Every month or so, another scary story about a huge security compromise (a.k.a. a hack) surfaces on the Internet, and this month is no exception. Earlier this month, the whole Twitter corporate hierarchy had a lot to worry about, as a hacker (kind of a misnomer; hackers are usually nothing more than persistent, patient and sly computer users) accessed many Twitter employees' email, iTunes, Google and other accounts, all because one employee (probably not the only one) left an open door via a few small security missteps.

The hacker, after gathering tons of personal information gleaned from all over the web, was able to recover a user's Gmail password by guessing the answers to a few personal questions Gmail asks on the password recovery form (e.g. "Who was your favorite actor?", "What is your maiden name?"). Then the hacker simply searched the user's email for something like "username password", because he knew that a lot of websites (like the Joomla! forums, some gaming sites, online stores, etc.) send an email on registration containing the person's username and password. Once the hacker got hold of a few more passwords this way, he was well on his way to 'hacking' all of the user's accounts, because, like most people online, the user had only one or maybe two passwords he used for everything.

...but using the same password for multiple sites/services isn't necessarily a bad thing. Not if you follow these steps:
