1Password Smart Folder for One-Time Passwords

I wanted to create a list of my accounts that use a TOTP code (often called by sites as 2-Step Verification, One-Time Password, or 2-Factor Authentication). Luckily it is easy to do this when you store the TOTP secrets in 1Password.

  1. Go to the File menu and select ‘New Smart Folder’
  2. Set the following simple criteria:
    1. “All” of the following is true
    2. “Any field name” “is” “One-Time Password”

Screenshot of this Smart Folder criteria (image: Smart Folder for TOTP logins)

Save the search and call it something like “2FA Enabled”

Now I can just click on this Smart Folder in 1Password and instantly view all of my logins that have a TOTP code configured.

In Defence Of WordPress

I’m very impressed with how much easier it is to maintain WordPress than back in the day. Especially when it comes to automatic updates.

The internet is verbally attacking WordPress again. I read a lot of hate towards WordPress for its latest security vulnerabilities that have become public. What I don’t see is praise in how those updates are handled and distributed to its millions of users. Cross-Site Scripting Vulnerabilities The last 2 weeks, 3 major security releases have […]

Source: In Defence Of WordPress

A little HTTPS for all

One downside of running a self-hosted WordPress site has been the lack of encryption while I’m logged in. This means my login credentials are sent in the clear across the Internet with who knows what three letter agencies and not so innocent folks potentially listening in. This is probably a major reason why I rarely blog when I travel.

Not any longer: this site is now fully SSL enabled. All HTTP traffic is now redirected to its HTTPS equivalent, even for normal, everyday visitors, however few there are.

Many thanks to this Digital Ocean tutorial for describing how to configure SSL certificates, and to some semi-ancient knowledge from my early days on the Dyn tech support team when we were SSL certificate resellers. It by and large went very smoothly, with only a few minor hiccups that were probably due more to my lack of experience than to the tutorial.

Now to experiment with TLSA records…

Update: Thanks to some tweaking with my config, this site now receives an A+ on the Qualys SSL Labs test.

Securing WordPress in 2014

I thought I would share some of the WordPress plugins I use to protect my blog. I tend to lean towards smaller, single purpose plugins vs. the large security plugins that claim to support every security “feature” you can think of.

  • Akismet – The best comment spam fighter out there, and it benefits in real time from all of the different WordPress sites contributing information on the latest spam attacks.
  • Bad Behavior – This helps protect WordPress from obvious bots and traffic originating from suspicious IPs. Almost like an intelligent firewall.
  • Limit Login Attempts – This blocks those who are trying to log in to your WordPress instance by guessing a correct username and password. This plugin hasn’t been updated in two years, but still seems to work fine. I set a very low threshold to get blocked and make sure that IP stays blocked for a very long time.
  • Stop User Enumeration – Especially in the past year, I started seeing many login attempts (thanks to Limit Login Attempts) that used the correct username to log in to my blog. After some investigation, I found this plugin that blocks a particular way that WordPress leaks the username of a blog.
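A toy version of the Limit Login Attempts policy described above (low failure threshold, long block per IP), added here as an example and not the plugin’s own code. The log lines, IPs and usernames are constructed:

```python
from collections import defaultdict, deque

# Constructed login log: "<unix time> <client ip> <username> <FAIL|OK>".
SAMPLE_LOG = """\
1393668000 203.0.113.5 admin FAIL
1393668010 203.0.113.5 admin FAIL
1393668020 203.0.113.5 admin FAIL
1393668030 203.0.113.5 admin FAIL
1393668040 198.51.100.9 editor FAIL
1393668050 198.51.100.9 editor OK
1393668060 198.51.100.9 editor FAIL
1393754500 203.0.113.5 admin FAIL
"""


class LoginLimiter:
    """Per-IP lockout (hypothetical): `max_failures` failures inside `window`
    seconds locks the IP for `lockout` seconds; a success clears the counter."""

    def __init__(self, max_failures=3, window=600, lockout=24 * 3600):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unix time the block expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)  # expired block: forget it
        return False

    def attempt(self, ip, succeeded, now):
        """Return "rejected" (already locked), "locked" (this attempt tripped the lock) or "allowed"."""
        if self.is_locked(ip, now):
            return "rejected"
        recent = self.failures[ip]
        if succeeded:
            recent.clear()
            return "allowed"
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "allowed"


def replay(log_text, limiter=None):
    """Feed each log line to the limiter; return (timestamp, ip, decision) tuples."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        decisions.append((int(ts), ip, limiter.attempt(ip, result == "OK", int(ts))))
    return decisions
```

With the defaults, the third failure from 203.0.113.5 locks it for a day, its fourth attempt is rejected outright, and it is only allowed to try again once the block has expired.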

There are other techniques I use, but I won’t share them for now since I’m still tweaking them.

When in doubt, backup!

I considered myself to be a very secure geek, who follows recommended practices for keeping my data safe and secure. That is until I read this harrowing account of Mat Honan’s entire digital life being erased and taken over in a matter of minutes.

The scary part about this event is that while there were steps Mat could have taken to protect his data (backups!), there is literally nothing he could do about Amazon and Apple’s account recovery policies being so weak that it took trivial detective work to take over his accounts.

In this case, the scariest part of this for Mat was the loss of data due to not having proper backups. He could get his Gmail, Twitter, etc. accounts back, but has to cross his fingers that data recovery can be done on his laptop for the priceless photos and other data that weren’t properly backed up.

Backups are the one thing that everyone regrets not having when disaster strikes. The reason everyone regrets not setting up backups is that historically, backups are a pain in the ass, especially if you use a laptop. Luckily the days of going to your backup drive and pulling out the backup tape have long since passed and there are options that are literally set and forget:

  • Local Backups – In my case, I have a Time Capsule that does this for me hourly and most importantly, without me having to initiate any action other than my laptop being on and in my house.
  • Remote Backups – I use the cloud for this. Backblaze is awesome, cheap, and extremely easy to use. I’m even contemplating using my own private encryption key so no one can get to my data without it.
  • Offsite Backup – This is one that I admit is still on my to-do list. I probably will get some big 3.5″ hard drives, do a massive backup, and store the drives offsite in a safe deposit box or at a relative’s house. Then maybe once a quarter refresh the backup.

These simple measures will ensure that as long as one of my three backup options is safe, my data is in turn safe and recoverable.

Preparing an iPhone to be sold

With my wife and I both upgrading to the new iPhone 4, we decided to sell both of our old iPhone 3G’s to Gazelle.com. No hassle and nothing to worry about with scammers.

This made me wonder: what is the safe way to securely wipe an iPhone? I do not want any of my personal data on the old phone to get into the wrong hands.

EverythingiCafe.com has a great article on how to do this. It essentially boils down to doing a restore of the iPhone and then using the “Erase All Content and Settings” setting on the newly restored iPhone to securely erase all of the data on it.

Lock your screen in OS X

For some odd reason, Apple doesn’t by default give you a quick way to lock your screen when you step away from your computer. I have used the hot corner to activate the screensaver option, but here is a cool way, courtesy of Art Of Geek, to lock your Mac with a simple key command. All it requires is creating a service using Automator that runs a shell script and mapping that service to a keyboard shortcut (ctrl-option-L in my case). Took me 2 minutes to create it.