Enabling Secure Business Operations

Google’s Two-Factor Authentication – Revisited

A couple of weeks ago, we brought to your attention the newly released two-factor authentication that Google rolled out for all of its web-based products (Gmail, Google Docs, Google Calendar, etc.). So now that it’s been out for a few weeks, and it’s finally had a chance to make its rounds to everyone’s accounts, let’s take a step back and see how it actually works.

We’ve talked about the importance of two-factor authentication in the past, and even a few other areas where it’s implemented.

Google did an excellent job of putting together tutorials on how to set up everything and ensure your experience is pleasant. I would go into a detailed tutorial on all of this myself, but I doubt I could do a better job than they did. For those who just want a quick refresher, here goes. You can also read a fairly straightforward take on everything directly from Google themselves and learn how it works.

  1. Setup
  2. Signing in with verification codes
  3. Signing in using application-specific passwords


PKI’s Ubiquity

Greetings from the 2011 RSA Conference in rainy San Francisco, CA. Yesterday I attended the opening keynotes of the conference, and a certain statement by RSA’s Art Coviello caught my ear and needs some further discussion.

The conference opened with a fantastic video called “Giants Among Us” which provided a brief chronicle of the rise of public key cryptography, from Martin Hellman, Whitfield Diffie, and Ralph Merkle, to Ron Rivest, Adi Shamir, and Leonard Adleman. It was well produced and is worth a watch. Note: updated link to HD version.

Art Coviello then came out and started his talk with a brief history of the 20 years of the RSA Conference, which was entertaining in its own right. He brought up classic confrontations, amusing talk titles, and showed the advance in both the number of talks and the amount of marketing over the years. During this session, Art showed a chart which displayed the number of talks about public key infrastructure (PKI) over the years.

Note: it turns out that 2001 really was the “Year of the PKI”, and it’s not always next year. This chart was a bit of an eye-opener, especially for me – a long-time PKI evangelist. (No wonder those proposed talks aren’t being accepted!) At the conclusion of this discussion, Art made the following comment:

While smart cards and PKI never achieved the ubiquity we thought, they’ll continue to play a major role in security, especially PKI in cloud computing…

Here is where I definitely need to disagree. There is a difference between ubiquity and commodity. PKI’s ubiquity cannot be measured by the number of product vendors on the show floor, or talks offered at the conference – it can only be measured by the deployment and use of actual X.509 certificates throughout the world.

Some examples: If you have used SSL or TLS, you have used a PKI. If you have used a web service, such as SAML, you have used a PKI. If you have used a virtual private network (VPN) solution, you have used a PKI. If you have used Microsoft Remote Desktop, Active Directory, or any number of other crucial back-end services which use public key cryptography, you have used a PKI.

PKI is ubiquitous. It just isn’t getting in the way as much anymore.


On the eve of the IPcalypse

As you might have heard, the IPcalypse is nigh. Okay, maybe you haven’t heard. The IPcalypse refers to the sale of the last IPv4 addresses on the open market. We’re projected to run out within the next few days. How will this affect you?

Odds are it won’t. Not in the short term, at any rate. Imagine if the post office announced that they’d run out of street addresses. All of the existing houses would be fine, and still be able to receive mail. New houses wouldn’t get addresses, though, and would be unable to send or receive mail. Running out of IPv4 addresses is like that.

Of course, it’s somewhat more complicated. You can still build a house without a postal address, still live there, still have people come over – but imagine if you needed an address just to reach the road. Without an IP address, a computer is cut off from the internet. It can neither send nor receive data; it’s just a standalone device.

But there remain options. Plenty of them, in fact.


Stuxnet Attribution: War of Words

I wrote a bit about Stuxnet on my own blog last November, but we’ve not really addressed it here on Security Musings. By most accounts, this is one of the single most important incidents of 2010, with the potential to change the game. There has been a lot of discussion this week about attributing the source of Stuxnet, which is particularly interesting.

First, for a bit of background, check out Bill Brenner’s post over at CSO Online covering “Three takes on Stuxnet” as he includes a couple of the links I’d originally planned to use here. He links to presentations on Stuxnet from Symantec, Kaspersky, and – my personal favorite – Mikko Hyppönen, Chief Research Officer at F-Secure.

Given the scenario around which Stuxnet was identified, it seems to follow logically that there was a state-sponsored angle. It’s interesting, actually, to see how the debate is somewhat split on this topic (as we’ll see below). On the one hand, it seems exactly like the kind of mission for which “cyber warfare” (or, offensive cyber weapons) is ideal. On the other hand, there are questions about the quality of the code involved.
