Anti-Phishing Phriends

We just discovered a great little game called Anti-Phishing Phil (thanks to this blogpost).

The game was created by the CMU Usable Privacy and Security Laboratory (CUPS), and it does a pretty good job of turning internet security training into a game.

The game works like this: you are a fish named Phil who lives in Interweb Bay. While looking for something to eat, you need to decide which URL addresses, disguised as worms, are safe to eat.

If you are successful, you move on to other rounds. If you need any advice on identifying a legitimate URL address, Phil’s father is there to help you. Good ol’ Dad.

In between rounds, you get a very clear and concise explanation of your errors and a mini-lesson on typical phishing scams.

What is Phishing?

Phishing is an all too common method of “asking” for, and tricking, information out of unsuspecting account holders. We’ve all seen it: emails urgently asking us for financial info so we can receive a distant relative’s inheritance, a reputable site’s immediate request for a password change through a link, or frightening security email alerts.

You may think, “Who’d fall for those scams? Everyone knows how they work.”

Well, the sad fact is that phishing is hard to spot for the average Joe. And it really is up to you, the user, to protect yourself. All you need to do is look at the URL of the site you are visiting. Look carefully. If it’s not correct, don’t enter your data.

Look at the URL

Many companies have tried to implement some form of anti-phishing method to help their users help themselves. All of these techniques can do nothing more than try to grab your attention so that you remember to check that URL; beyond that, they can’t do much. Really, it’s up to you.
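To make the advice concrete, here is a small URL checker written for this page (it is not part of the Anti-Phishing Phil game or of PassPack). It reads an address the way a browser does, so you can see which part of the address actually decides where you land, and it rejects names that merely contain the expected domain somewhere other than at the right-hand end of the host. The sample addresses are constructed and use reserved .example and .test names; the expected domain passed in is an assumption of the caller.

```python
# Added example, not from the game or the original post: apply "look at the URL"
# the way the browser does. Sample addresses are constructed (.example/.test).
from urllib.parse import urlsplit


def host_of(url):
    """Return the host the browser would connect to, or None for non-web schemes.

    urlsplit().hostname already lowercases the name and drops any user@ prefix
    and :port suffix, which is exactly the text a misleading address relies on
    you reading instead of the real host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def matches_expected(url, expected_domain):
    """True only when the connecting host IS expected_domain or a subdomain of it.

    A host that merely contains the expected name (as a leading label, or with
    extra characters glued on) is rejected: only the right-hand end counts."""
    host = host_of(url)
    if not host:
        return False
    expected = expected_domain.lower().rstrip(".")
    host = host.rstrip(".")
    return host == expected or host.endswith("." + expected)


def explain(url, expected_domain):
    """Return (ok, notes): the verdict plus the cues a reader should notice."""
    parts = urlsplit(url)
    host = host_of(url)
    notes = []
    if host is None:
        return False, ["not an http(s) address"]
    if parts.username is not None:
        notes.append("text before '@' is a username, not the site; real host is " + host)
    if host.replace(".", "").isdigit():
        notes.append("bare IP address instead of a name")
    if parts.scheme == "http":
        notes.append("no TLS (plain http://)")
    ok = matches_expected(url, expected_domain)
    if not ok and expected_domain.lower() in url.lower():
        notes.append("'%s' appears in the address but is not the host's ending (%s)"
                     % (expected_domain, host))
    return ok, notes


if __name__ == "__main__":
    # Constructed sample addresses: one legitimate, the rest misleading.
    for sample in ("https://www.example.com/login",
                   "https://example.com.evil.test/login",
                   "https://example.com@evil.test/",
                   "https://evil.test/example.com/login"):
        print(sample, explain(sample, "example.com"))
```

The only information that decides where you land is the host returned by host_of; everything before an @, everything after the first /, and any prefix glued onto the domain name is irrelevant to the connection and should be ignored when you compare against the site you expect.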

So give Anti-Phishing Phil a try. It’s fun, and maybe it’ll help you better understand how to spot a rotten site.

Terms and Conditions Update

An error in the Terms and Conditions (TAC) was corrected, in your favor. Providing an email when registering for a PassPack account is entirely optional, yet the TAC claimed it was mandatory.

This was incorrect. A working email is only needed in order to provide you with emergency support. We have corrected the error as follows:

(i) Email and Emergency Support. In order to receive emergency support, possibly including a Pass reset or an account Rollback after a changed Packing Key or account deletion, the user must supply and confirm a working email to be associated with the account. Without a confirmed email, emergency support cannot be supplied.

About Anonymous Email Addresses

If you would like to use an anonymous email service, that is fine. PassPack’s goal is not to identify you in the world; it is just to identify you as the proper account holder. Please feel free to use any working email you’d like. The important thing is that you are able to both send and receive emails from the address.

To request emergency support, you will need to send us an email from the address associated with your account. We will then reply to that address and expect you to be able to reply back to us again.

About Disposable Email Addresses

If you do not wish to associate an email with PassPack at all, that is also fine. You are not required to. There is no need to provide a disposable email; you can simply not provide one at all. This is your choice.

When requesting emergency support, it is not enough to simply tell us what the email you provided was; you need to be able to actually use it. So disposable email addresses defeat the purpose.

How to Confirm Your Email

If you have not confirmed your email and would like to, see this post. If you have any questions, don’t hesitate to ask.

Monday Updates

Just a quick post while we toil away here on Beta 6. Here are a few links for those of you who’d like to keep up on PassPack news and/or follow us while we work:

Follow Your Favorite Founders

I, Tara, am fretting over the interface and can most often be found on Twitter. Follow me and get the play-by-play of what I’m working on.

Francesco is testing the secret sauce. He is most often found on his tumblog, where he posts photos in some mysterious order, or occasionally on Twitter.

We also maintain a slightly more formal PassPack News account on Twitter: just straightforward product announcements.

PassPack in the Google Gears Meme

The Google Operating System blog posted about PC World’s disappointment in the lack of Google Gears apps, and replied with a list of the important applications that are using the Gears plugin. PassPack was mentioned for our offline version. We’ve been getting quite a bit of attention today as a result.

Il Sole 24 Ore

This Italian financial newspaper gave front-page space to password fatigue.

PassPack was featured in the call out box of password managers with a lovely color photo of our homepage (warms my heart!).

That’s it for today. See you all in the twitterverse!

Techcrunch Waking Up to Europe

I recently posted about there being just a handful of European companies among the Webware 100 awards finalists: 21 out of 300 companies, with PassPack as the lone ranger for Italy. Now it seems Techcrunch is sitting up and recognizing that something interesting is astir in the EU.

The article poses the question of whether and where a European Silicon Valley will eventually pop up. In the era of Web 2.0, where everything is online, applications are distributed, and networks are virtual, do we really need the highly centralized model of “one valley to rule the world”?

I believe Erik Schonfeld, the Techcrunch author, came darn close to the truth here:

“As Europe searches for its Silicon Valley, it may turn up as a state of mind rather than a specific place. The truth is that Europe may not need a single Silicon Valley because business is becoming so distributed.”

Agreed.

It all comes down to the VCs, really. While US VCs still seem reluctant (or so the story goes) to invest outside three miles of their home, my brief experience chatting with EU investors shows a generally more lenient attitude. If that’s anything more than just an impression, then European startups may well have a chance of building a distributed “Valley”.

Europe has long been known as the Old World, with its patchwork of countries, cultures and languages crammed into a relatively small spot of land. But just as data silos are being broken down and distributed, business silos like Silicon Valley may be destined to do the same.

What do you think? Could Europe be in for a minor tech renaissance if it plays its cards right?


Thoughts on Biometric Passwords

Wolfgang Schäuble, Germany’s interior minister and an adamant supporter of biometric authentication, seems to be waiting for the day when biometric technology will be available on a large scale and passwords will be a thing of the past.

But recently the Chaos Computer Club, Europe’s largest hacker group, caused a fuss when a recent issue of Die Datenschleuder printed Schäuble’s own fingerprint.

The stir brought up the issue: how is reusing my fingerprint everywhere any different from, or safer than, reusing the same password everywhere? Should it really be a widespread authentication method? And most importantly, how safe is it really?

The Register reported Karsten Nohl, who engineered the hack, as saying “It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.”

Comparing Passwords & Fingerprints

We all know by now that reusing the same password is practically like handing over your identity to someone and giving them the entryway to sensitive information. And we all know that making strong, unique passwords for every single site you visit, and remembering them, is something of a nightmare. Even formulas and tricks fall short of solving the problem. That’s where password managers come in handy.

Passwords vs. Fingerprints

Passwords: If someone captures your password, they can use it to log in everywhere you can.
Fingerprints: If someone captures your fingerprint, they can use it everywhere you can.

Passwords: Bots scan the web looking for unprotected passwords to capture.
Fingerprints: Scanners can be placed in common objects (public doorways, countertops at the cashier) looking for unprotected fingerprints to capture.

Passwords: If stolen, you must change the password on all sites, hopefully before any damage is done.
Fingerprints: If stolen, you can’t change your fingerprints.

Fingerprints are Everywhere

We know more or less how to protect ourselves when it comes to modern ‘identity scams’: be careful about giving out personal information, protect your mail, be smart about passwords and PINs, and so on. But how exactly would we protect ourselves from biometric identity theft?

Schäuble’s fingerprint was said to have been captured off a water glass he used last summer while participating in a public discussion at a university in Berlin.

Do future preventative measures include wearing gloves at all times in public to leave no trace of fingerprints? Will we eventually have to avoid looking straight into public mirrors for fear of exposing our irises to a hidden scanner?

It may seem a bit extreme but then again…

History Repeats Itself

According to a Marines memo, on July 21, 2003, the FBI and Federal Trade Commission first reported the existence of a new form of identity theft known as “phishing”. In 2007, just 4 years later, Gartner reported ‘The overall cost to consumers of online fraud [approached] $3 billion, compared with $2 billion in losses reported [in 2006], while more than three million consumers [were] victimized. This upward trend is expected to continue as phishing expeditions get more sophisticated and security upgrades play catch-up.’

Will this upward trend prove true for biometric phishing as well? And do the potential consequences really outweigh the potential benefits? Think about it: every child in the US is finger- and footprinted at birth. Every foreign visitor to the US is fingerprinted and photographed. In fact, the Department of Homeland Security ‘plans to replace the current two-fingerprint scanners with new 10‑fingerprint scanners at all U.S. ports of entry over the next year.’

It doesn’t stop at government involvement: some companies are indexing the world’s DNA.

Right from the get-go, your “authentic passwords” are stored. And these will be a bit more difficult to regenerate should they get stolen.


Thanks to Louise for contributing this article.

Password Meter Mania

Seems everyone has been talking about password meters lately. And word is spreading that a password like ‘thomas123’ just might not fit the bill anymore.


European Tech at Webware 100

There are just 21 European companies among the 300 finalists selected for the 2008 Webware 100 Awards, with only a handful of those outside of the UK.*


Who Would Want My Password?

If you think “No one cares about stealing a password from lil’ ol’ me”, you’re right.


PassPack on The Morning News

The CW11 Morning News Blog

Dan Costa of PC Magazine was interviewed recently on The CW11 Morning News about his Best Free Software picks. Love the enthusiasm! Thanks.

Three Levels of Encryption

With PassPack’s upcoming Beta 6 version, you’ll have the tools to take your security into your own hands. Our aim is to give you security, portability and speed.

Until now (Beta 5) PassPack has used AES-256 encryption for all your entries, but Beta 6 will let you choose from three different encryption levels. On the main page of Beta 6, next to each of your entries, you will see a lock. This lock represents your choice of encryption: a single bolt lock, a double bolt lock or a triple bolt lock (the default).

Here’s a mini crash-course in encryption, so you can get ready to make your choice.

Triple Bolt Lock

AES-256 bit encryption, your PassPack default lock. This is the same encryption used by the US government for ‘top secret’ information, and it would take 149 trillion years to ‘crack’ a single entry encrypted with AES-256. We suggest you use this lock for all sites linked to any personal information, e-mail accounts or online shopping.

Once PassPack starts allowing storage of passwords to financial information (not yet, though) like credit cards, PayPal or online banking, you’ll want to use the triple bolt lock for these.

Double Bolt Lock

AES-128 bit encryption. This encryption is also approved and used by the US government for ‘classified’ or ‘secret’ information. You’d probably want to double bolt entries that take you to frequently visited forum sites or social networking sites where your name and reputation are public.

Single Bolt Lock

xxTEA-128 bit encryption. This is the fastest, yet least robust, of the three locks. xxTEA would lighten your Pack and make unpacking faster overall. xxTEA is a valid option for sites to which no personal information has been disclosed, such as online magazines, download registrations and the famous ‘junk accounts’.

Some folks also store non-password entries in their PassPack account, like bookmarks. xxTEA would be fine for these non-critical entries too.

Make Your Choice

You could choose to set all your entries to any one of the above encryptions, or you could mix and match following the suggestions above.

How you use your locks is completely up to you.

Keep in mind that the more accounts you have, the heavier your PassPack will be, so lighten up what you can: give more speed to the entries which are less critical and extra protection to those you’d prefer to keep ‘top secret’.

Note: we’re still not convinced about those icons, and we may even change the xxTEA algorithm if we can find an even faster substitute.
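As an added illustration of the per-entry lock scheme described in this post (this is example code written for this page, not PassPack’s own implementation), the block below implements the single bolt lock, xxTEA-128, in pure Python from the published corrected block TEA algorithm, wraps it for byte strings, and keeps a per-entry record of which lock was chosen. The two AES locks are deliberately not implemented, because the Python standard library has no AES; the store refuses them rather than quietly falling back to xxTEA. The key, the sample entries and the framing format (a length word plus zero padding) are all constructed for the example.

```python
# Added example, not PassPack's own code: a per-entry "lock" store whose single
# bolt lock is XXTEA-128, implemented from the published corrected block TEA
# algorithm. Keys and sample secrets below are constructed for the example.
import struct

DELTA = 0x9E3779B9      # XXTEA's golden-ratio constant
MASK = 0xFFFFFFFF       # keep every word in uint32 range

LOCK_CIPHERS = {"triple": "AES-256", "double": "AES-128", "single": "xxTEA-128"}


def _mx(total, y, z, p, e, key):
    """The XXTEA mixing function; every input is a 32-bit word."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_rounds(n):
    """Passes over an n-word block: fewer rounds per word as entries grow, one
    reason the post can describe xxTEA as the fastest of the three locks."""
    return 6 + 52 // n


def xxtea_encrypt_words(v, key):
    n = len(v)
    if n < 2 or len(key) != 4:
        raise ValueError("XXTEA needs at least 2 data words and a 4-word key")
    v, total, z = list(v), 0, v[n - 1]
    for _ in range(xxtea_rounds(n)):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    n = len(v)
    if n < 2 or len(key) != 4:
        raise ValueError("XXTEA needs at least 2 data words and a 4-word key")
    v = list(v)
    total, y = (xxtea_rounds(n) * DELTA) & MASK, v[0]
    for _ in range(xxtea_rounds(n)):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, key)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _to_words(data):
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _to_bytes(words):
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(key16, plaintext):
    """Frame as <length><data>, zero-pad to a multiple of 4 bytes (min 8), encrypt."""
    if len(key16) != 16:
        raise ValueError("xxTEA-128 uses a 16-byte key")
    framed = struct.pack("<I", len(plaintext)) + plaintext
    framed += b"\0" * (-len(framed) % 4)
    if len(framed) < 8:
        framed += b"\0" * 4
    return _to_bytes(xxtea_encrypt_words(_to_words(framed), _to_words(key16)))


def xxtea_decrypt(key16, ciphertext):
    if len(key16) != 16 or len(ciphertext) < 8 or len(ciphertext) % 4:
        raise ValueError("malformed xxTEA blob")
    framed = _to_bytes(xxtea_decrypt_words(_to_words(ciphertext), _to_words(key16)))
    (n,) = struct.unpack("<I", framed[:4])
    # The length word is only a sanity check, not authentication: a real store
    # would add a random IV and a MAC on top of the bare block cipher.
    if n > len(framed) - 4:
        raise ValueError("length check failed: wrong key or corrupted data")
    return framed[4:4 + n]


def pack_entry(lock, key16, secret):
    """Encrypt one entry under its chosen lock; only the single bolt is implemented."""
    if lock not in LOCK_CIPHERS:
        raise ValueError("unknown lock %r" % lock)
    if lock != "single":
        raise NotImplementedError(LOCK_CIPHERS[lock] + " needs an AES library; not downgraded")
    return {"lock": lock, "cipher": LOCK_CIPHERS[lock], "blob": xxtea_encrypt(key16, secret)}


def unpack_entry(entry, key16):
    if entry["lock"] != "single":
        raise NotImplementedError(entry["cipher"] + " needs an AES library")
    return xxtea_decrypt(key16, entry["blob"])


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed demo key
    entry = pack_entry("single", key, b"junk-account password")
    print(entry["cipher"], len(entry["blob"]), "byte blob")
    print(unpack_entry(entry, key))
```

Note that, unlike the AES locks, xxTEA is a single unauthenticated block transform over the whole entry; the length-word check in xxtea_decrypt catches most wrong-key or truncation errors, but only a MAC would detect tampering, which is one more reason to keep anything sensitive on the AES locks as the post suggests.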
