Wednesday, January 4, 2017

Google's FIDO U2F Security Key: Taking two-step authentication to another level

A prominent Computer Science professor, Dr. Ramzi Haraty, once said: "No system is fully and 100% secure". I was 18 years old when I first heard that statement, and I didn't really take it seriously.

However, as I grew older, I realized how true that statement is. As a matter of fact, there is no service, login page, piece of software, database or website that cannot be hacked and penetrated.

Even the NSA's hidden and encrypted servers were hacked. However, each system has its own security measures; some are challenging and tough to break into, others are trivial.

One company that takes security extremely seriously is Google Inc. Behind the simple-looking login page you see on the right sits a monster of a security system, beyond most people's imagination:

As a matter of fact, if you can hack (not hijack) this page and access a consumer's account, your hack is worth at least USD 25,000,000.

What Google does to protect the Gmail accounts of its users is astonishing. This includes, but is not limited to:

1. Bug bounty programs: Google pays millions of dollars each year to hackers and security researchers who report bugs in its systems; the information is exchanged for cash. That incentive pushes bored and opportunistic programmers to hunt for bugs in the hope of getting paid, and as bugs get reported year after year, their number shrinks.

2. Encrypting the web, literally. In short, this means HTTPS. It encrypts your communications, including passwords and credit card numbers, with many websites, making your browsing more secure. Without HTTPS, anyone sniffing your Wi-Fi could read that personal information. (Note that HTTPS only protects the data in transit; a phishing site can use HTTPS too, so the padlock tells you the connection is encrypted, not that you are talking to the right site.)

3. Challenging sign-ins from unusual places. If you sign in to Gmail over Tor or from a country you have never used before, Google treats the sign-in as suspicious and asks for extra verification, or blocks it, instead of simply accepting the password.

4. Obsessing about the sandbox. Google's systems are built in multiple security layers (defence in depth). If you find one bug in a Google page and reach one protected page, you then have to find a bug in the next layer, and the next, and so on. So your chances of chaining enough bugs to break this page are close to 0.

Allowing users to set up two-step verification on their account is another way Google Inc. secures accounts. When you log in from a new device, you must enter a 6-digit code in addition to the password before you can access the account. The code can be delivered by phone call or SMS, or generated on the phone itself by an application such as Google Authenticator or Authy (these apps compute the code from a shared secret and the current time, so nothing has to be sent to the phone at all). That is, even if you know the password of an account, you will not be able to access it unless you also have that 6-digit code.

That's cool, right?

Not really. Google recently realized, with the help of its advanced detection technology, that governments are targeting social activists and breaking into their accounts, and that the standard (mobile-based) two-step verification is weak too.

Wait, how come?

Very simple; here is one example. Imagine that you have a Gmail account and I have figured out your password. However, you are an intelligent person and have set up two-step verification with a phone call.

So I get stuck here. What do I do? I can impersonate you, go to your mobile provider, claim that I lost my phone, and have a new SIM card issued for your phone number (a so-called SIM swap). From then on, your verification calls and texts come to me.

It might not work with a carrier like Verizon or AT&T, but in other third-world countries (Lebanon, for example) it would apparently work, given the carriers' (Alfa or Touch) pathetic identity checks.

Now imagine this. 

A corrupt government targets a journalist's or a rebel's Gmail account and obtains his password by spying on him. Then, by collaborating with the phone company, they take over his phone number, receive the verification code (or reset the password through phone-based account recovery) and are in very quickly.

In fact, this has happened: Google announced in a blog post that since 2012 it has been warning users whom it detects being targeted by state-sponsored attackers.

It might not be exactly the method I described, but I strongly suspect it is. Google said it cannot reveal what tipped it off, because attackers would adapt, but it did say "Enable two-factor authentication and set up a Security Key", which strongly suggests that the attacks go after the mobile phone.

Google said it has sent those notices to 0.1% of its users, which is a huge number considering there are more than one billion Google accounts: 0.1% of one billion is one million.

Google ended its post with "The security of our users and their data is paramount.", which is clearly demonstrated here, and because of that you should trust and respect Google more.

So what is a security key?

It is a small USB device that you plug into your machine to prove it is you when signing in: a second factor that does not depend on a phone number. Its full name is "FIDO U2F Security Key". U2F (Universal 2nd Factor) is an open authentication standard that provides two-factor authentication using specialised USB or NFC devices built on security technology similar to that found in smart cards. It was developed by Google and Yubico and is now published by the FIDO Alliance. The important difference from a 6-digit code is that the key signs a challenge together with the identity of the website asking for it, so nothing it produces can be reused on another site: a code captured by a phishing page or a swapped SIM is of no use, because the key only answers for the site it was registered with. U2F security keys can also be used on Dropbox, GitLab, and Bitbucket.

How does it work? 

Once you have two-step verification enabled and the security key configured, each time you log in on a new (or unsaved) device you will be asked to plug your key into the machine and press its button. Behind the scenes, the browser passes the key a random challenge from Google along with the site's identity, the key signs both with a private key that never leaves the device, and Google checks the signature against the public key it stored when you registered the key.
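The exchange described above, as an added example that is not part of the original post and not Google's or Yubico's code. It models the three parties of U2F authentication: the site (which stores a public key and a counter at registration), the browser (which builds the client data and stamps the real origin into it) and the key (which signs over the hash of the app ID, a user-presence byte, a counter and the hash of the client data). The origins are constructed for the example, and the app ID is simplified to be the site's origin; real U2F allows a site to list several origins ("facets") under one app ID, which this model collapses into an equality check. The main function then shows why a look-alike domain gets nothing useful even when it relays Google's real challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Registration is what the site stores at enrolment: the token's public key and the last counter seen.
type Registration struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Token models the security key: one key pair per app ID (here the site's origin) and one monotonic counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair bound to the app ID.
func (t *Token) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[appID] = priv
	return &priv.PublicKey, nil
}

// ClientData is built by the browser, which fills in the origin itself; a page cannot claim another origin.
func ClientData(challenge, origin string) []byte {
	cd, _ := json.Marshal(map[string]string{
		"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
	return cd
}

// signedData = SHA256( SHA256(appID) || 0x01 user-presence || counter || SHA256(clientData) )
func signedData(appID string, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append(app[:], 0x01), ctr[:]...), cdh[:]...))
	return d[:]
}

// Sign is the press-the-button step. The token only has a key for the app ID
// the browser hands it, so a look-alike origin finds nothing to sign with.
func (t *Token) Sign(appID string, cd []byte) (uint32, []byte, error) {
	priv, ok := t.keys[appID]
	if !ok {
		return 0, nil, errors.New("no credential registered for this app ID")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, t.counter, cd))
	return t.counter, sig, err
}

// Verify is the site's check: the client data must name our origin and the
// challenge we issued, the signature must verify under the enrolled key, and
// the counter must move forward (a replayed assertion or a cloned key fails).
func Verify(reg *Registration, appID, challenge string, cd []byte, counter uint32, sig []byte) error {
	var c struct{ Typ, Challenge, Origin string }
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Typ != "navigator.id.getAssertion" || c.Origin != appID || c.Challenge != challenge {
		return errors.New("client data is for another site or another challenge")
	}
	if !ecdsa.VerifyASN1(reg.Pub, signedData(appID, counter, cd), sig) {
		return errors.New("signature does not verify")
	}
	if counter <= reg.Counter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	reg.Counter = counter
	return nil
}

func main() {
	const site, evil = "https://accounts.google.com", "https://accounts-google.example" // constructed origins
	tok := NewToken()
	pub, _ := tok.Register(site)
	reg := &Registration{Pub: pub}
	cd := ClientData("challenge-from-google", site)
	ctr, sig, _ := tok.Sign(site, cd)
	fmt.Println("legitimate login:", Verify(reg, site, "challenge-from-google", cd, ctr, sig))
	// Phishing: the attacker relays Google's challenge, but the browser stamps its own origin into the client data.
	_, _, err := tok.Sign(evil, ClientData("challenge-from-google", evil))
	fmt.Println("phishing site gets:", err)
}
```

Two details carry the security argument. The origin in the client data and the app ID hash inside the signed message both come from the browser, not from the page, so even a key that had been registered at the look-alike site would produce an assertion Google rejects on the origin check and, failing that, on the signature. The counter check is the second line of defence: a captured assertion replayed later, or a key that has been cloned and used elsewhere, arrives with a counter no higher than the one the site already stored.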

While you may keep the phone call as a backup verification method, I do not recommend it, since it defeats the primary purpose of the security key: an attacker who can take over your phone number will simply pick the weaker option at the login prompt.

It is wise to generate backup codes and memorize them (not write them down anywhere) in case you lose the security key or need to log in on a mobile phone. A second security key registered to the same account and kept somewhere safe is an even better fallback.

If you decide to use one for your own safety, it is wise not to tell your friends, colleagues or anyone else that you are using this type of security mechanism.

Hackers adapt to security features in whatever shape or form they take. Let them be surprised when they try to access your account, instead of letting them plan ahead.

Do I use a security key?

Yes, definitely. I purchased this item on July 14, 2016, and added it to my account on July 25, 2016. My experience has been phenomenal as I gradually moved away from the other two-step verification methods. I've treated the security key like any other key and put it on a regular key ring. I had a bit of a hard time explaining to my family and friends what it is, but eventually they got used to it.

How do I buy one?

You can purchase one from (made by Yubico) for as little as $17.99. Configuration is easy and can be done on websites like Google or Dropbox.

In Summary

No matter where you go, you will never find anything as secure as your Google account: not online bank accounts, Microsoft accounts, Facebook accounts, Akamai accounts, etc. This company is obsessed with security and breathes security. If you keep sensitive information or any critical material in your Google account, it would be wise to purchase and configure a security key to take full advantage of Google's security.

Tuesday, January 3, 2017

Starting 2017 with the "Nordic" template on this blog

I have recently realized how much I have come to hate complicated blogging themes, full of animations, design flourishes and JavaScript that slows the page down, although I used them for years.

I now want something very simple: a clean-cut design that lets you focus on the content instead of anything else. I have been very lucky to find the "Nordic" template, an immaculate template that was originally designed for WordPress (a PHP-based, slow and vulnerable blogging platform that I dislike) but later converted to Blogger (the robust and secure cloud blogging platform owned and hosted by Google Inc.).

What I really like about the Blogger version of the template is that pictures do not show on the main page (which has been an issue in the past).

Simplicity is key. As you see on the right, it is incredibly simple, clean and symmetric. It is extremely easy on the eye and looks well organized.

By default, around 13 posts are shown on the main page, and they all take the same size (unlike what you see with other templates).

The share buttons are clean and work efficiently as well. In some other templates they used to cause a lot of headaches because they needed confirmation, and some templates required external add-on libraries.

The search bar looks decent and is hidden by default, but you can toggle it with the button on the right, and the search results page looks decent as well. Social media icons are also provided by default on the right.

The page is responsive as well and shrinks gracefully. There is no need to upload a separate template for mobile (even though Blogger offers that option), so the work that needs to be done is minimal.

The hamburger icon automatically appears on the left, which is vital for use on mobile.

Checking the publicly available blog with the "Am I Responsive?" service shows that the blog looks incredibly good on most major portable devices.

It is worth mentioning that half of the internet's traffic now comes from mobile. Mobile may, and most likely will, become the dominant source of traffic in the future, as people tend to visit websites from mobile devices instead of laptops.

Mobile responsiveness is not a luxury but a prerequisite.

Other than that, the individual blog post pages (comments, footer and the rest) are very well made.

According to the prominent speed test tool Pingdom, the site's load time is on average 1.11 s (which is not really excellent, but average). The template has no dependencies and doesn't request any additional external libraries.