Tag Archives: security

Mint.com Security

This review was performed on January 16, 2014 and is part of a series of comparisons of financial management sites.

Mint.com is run by Intuit, well known makers of Quicken and QuickBooks.

mint.com uses an EV certificate with a 2048-bit RSA key.

mint.com receives an A- on the Qualys SSL Test run on February 11, 2014.

Security Claims

  • Home Page
    • McAfee Secure Seal
    • VeriSign Security Seal
  • Safe and Secure
    • Bank-level security
    • “128-bit encryption”
    • Security Audits – VeriSign
    • Read-only
  • Safe and Secure “Watch security video”
    • Bank-level security
    • Security Audits – HackerSafe, VeriSign
    • Read-only
  • Security FAQ
    • “…bank login credentials are stored securely in a separate database using multi-layered hardware and software encryption.”
    • “Your bank account and credit card numbers are stored securely.”
    • read-only – “Your online banking user names and passwords are never displayed”
  • Security Technology and Practices
    • “Your bank login credentials are encrypted”
    • “Our servers are housed in a secure facility protected by biometric palm scanners and 24/7 security guards.”
    • “We apply bank-level data security standards. This includes encryption, auditing, logging, backups, and safe-guarding data.”
    • “We hack our own site. Intuit runs thousands of tests on its own software to ensure security. We scan our ports, test for SQL injection, and protect against cross-site scripting. We also employ Hackersafe to test our site daily.”
    • “Mint.com has received the VeriSign security seal.”
  • Privacy and Security Policy #12
    • “…use a combination of firewall barriers, encryption techniques and authentication procedures, among others…”
    • “…servers are in a secure facility. Access requires multiple levels of authentication, including biometrics recognition procedures.”
    • “…databases are protected from general employee access both physically and logically.”
    • “…encrypt your Service password so that your password cannot be recovered, even by us. All backup drives and tapes also are encrypted.”
    • “No employee may put any sensitive content on any insecure machine.”
    • “Intuit has been verified by Verisign for its use of SSL encryption technologies and audited by TRUSTe for its privacy practices. In addition, Intuit tests the Site daily for any failure points that would allow hacking.”

Analysis of claims

Overall, Mint.com says the right things. “Bank-level security” is more of a marketing term than a real security claim, but 128-bit encryption is good enough for most uses. Looking at the SSL Labs scan, 128-bit AES or RC4 is the smallest key size Mint supports.

If an attacker does obtain your password, it is good that the standard user interface is read-only and does not display account numbers, usernames, or passwords.

It’s good that their site is tested by themselves, McAfee, VeriSign, and HackerSafe, because attacking the site is the most likely way an attacker could reach the database that contains bank credentials. Fortunately, bank credentials are encrypted; however, the security practices do not discuss how the encryption key for bank credentials is protected. Firewalls are good, but a properly secured web server shouldn’t really need a firewall. It would be nice if they also had an Intrusion Detection System (IDS), since an IDS has some chance of detecting zero-day exploits.

It is impossible to say much about the physical security of Mint’s data centers or its personnel policies without knowing how determined an attacker might be. Even with policies against copying customer data onto unsecured laptops, humans always seem to be the weak link (e.g. Edward Snowden).

Everything Mint.com says about their security sounds good, except for the lack of an IDS. I give their security claims a B.

Inconsistencies

The only inconsistency in Mint.com’s security claims is in the third-party tests and certifications it cites. Mint.com consistently claims to have the VeriSign Security seal, but it is unclear whether the site is tested by McAfee or HackerSafe.

Safely Printing at a Hotel

When using a hotel’s Business Center or other shared computer, I’m always nervous about what malware, viruses, or keyloggers might be installed on it. I never log in to any accounts. Even if I have two-factor authentication, I’d rather not give a criminal the opportunity to capture my password. When I have to print something, I’ve been printing to PDF from my personal computer, transferring the file to a USB flash drive, and printing the PDF on the hotel’s computer. This approach made me feel better, but I still felt there was an opportunity for a virus on the hotel computer to infect my flash drive. What I needed was a way to prevent the hotel computer from writing to the USB flash drive. A hardware write-protect switch seemed to be the answer.

Nowadays, USB flash drives with write-protect switches are pretty rare. After extensive searching on amazon.com, NewEgg, and Tiger Direct, I was only able to find a single modern flash drive with a write-protect switch: the Kanguru Flashblu 2 series of drives.

The other option is to use an SD card. Pretty much all of these have a write-protect switch, but the write protection is enforced by the card reader, not the card itself: a small mechanical switch in the SD card reader detects whether the SD card’s switch is in the lock position. While it’s unlikely that someone trying to infect your card will have physically tampered with the SD card reader, it’s safer to bring your own SD card reader.

Once you have your lockable memory, just unlock it, copy your PDF, lock the memory, insert it into the hotel computer, and print. Since malicious software can still read the data off your memory, make sure you don’t store or print any sensitive files. I only print unimportant things like movie tickets, directions, and other passes.

Be safe!

gpg for Mac

Lately I’ve been building a bunch of “Linux” command-line tools for my Mac. Since I focus on security, I decided GPG would be the next tool. You can download my GPG public key at KenjiYoshino.pub.

Download

  1. gpg-1.4.13.tar.gz
    • SHA-1 of gpg-1.4.13.tar.gz: 45901f228377c65b445104d7037ad26dde70fe7a
    • Signature: gpg-1.4.13tar.gz.sig
    • SHA-1 of the gpg executable: 361b9beec3667abdc01d30b0b5ac0b215b3d4d48
    • SHA-1 of the gpgv executable: 006c7ac41d63f1a1a7aa695428f42acd9f7a54e3
  2. Open the Terminal and navigate to the downloaded archive
  3. Extract the files by running tar xzf gpg-1.4.13.tar.gz
  4. Log in with an account with Administrator privileges
  5. Copy /bin/gpg and /bin/gpgv to /usr/local/bin
  6. Copy /man/gpg.1 and /man/gpgv.1 to /usr/local/share/man/man1
  7. Make sure all users have execute/read access to these files
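The download steps above list SHA-1 values for the archive and for the two executables. The script below, added here as an example and not part of the original post, checks those values and the detached signature before anything is copied into /usr/local/bin; it assumes the archive extracts a bin/ directory into the current directory and that an existing gpg with the author's public key imported is available for the signature step.

```shell
#!/bin/sh
# Added example, not from the original post: check the downloaded archive and
# the extracted binaries against the SHA-1 values listed in the post before
# copying anything into /usr/local/bin. Filenames and hashes are from the post;
# the bin/ layout of the extracted archive is an assumption.

# Print the SHA-1 of a file using sha1sum (coreutils) or shasum (macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's SHA-1 equals the expected value, 1 otherwise.
verify_sha1() {
    file=$1
    expected=$2
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Full check: archive hash, detached signature, then the binaries inside.
# The signature step assumes an existing gpg with the author's public key
# (KenjiYoshino.pub) already imported.
check_download() {
    set -e
    verify_sha1 gpg-1.4.13.tar.gz 45901f228377c65b445104d7037ad26dde70fe7a
    gpg --verify gpg-1.4.13tar.gz.sig gpg-1.4.13.tar.gz
    tar xzf gpg-1.4.13.tar.gz
    verify_sha1 bin/gpg  361b9beec3667abdc01d30b0b5ac0b215b3d4d48
    verify_sha1 bin/gpgv 006c7ac41d63f1a1a7aa695428f42acd9f7a54e3
}

# Run the full check only when invoked as: sh verify-gpg.sh run
if [ "${1:-}" = "run" ]; then
    check_download
fi
```

Run it from the directory holding the archive and the .sig file; any mismatch stops the script before the install steps.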

Compile

Note: You must have Xcode installed.

  1. Download the GPG 1.4.13 source from http://www.gnupg.org/download/
  2. Open a terminal window and browse to the downloaded archive
  3. Extract the archive using tar xzf gnupg-1.4.13.tar.gz
  4. Open the gnupg-1.4.13 directory
  5. Run ./configure
  6. Run make
  7. You will have the gpg and gpgv binaries in the /g10 directory and the man page in the /doc directory
  8. Copy /g10/gpg and /g10/gpgv to /usr/local/bin
  9. Copy /doc/gpg.1 and /doc/gpgv.1 to /usr/local/share/man/man1
  10. Make sure all users have execute/read access to these files

Installing Unsigned Software on a Mac

I’ve been starting to find more useful software that isn’t necessarily produced by a big software company or installed through the Mac App Store. I was a little surprised when I first received the following dialog:
[Image: Unsigned_Installer]

It’s nice that Apple is adding restrictions that help prevent the accidental installation of potentially untrusted software, but how do I install software when I’m sure I want it even though it’s not signed?

It’s actually pretty simple. Open “System Preferences” and select the “Security & Privacy” preferences. Select the “General” tab and click the lock to allow changes (since you’re not doing your daily computing with an Administrator account). Authenticate with an admin account.

You should see the following:
[Image: Allowed_Installers]

Under “Allow applications downloaded from:”, select “Anywhere”. MacOS will warn you with the following message:
[Image: Allow_Anywhere_Installation]

Click “Allow from anywhere” and install your “untrusted” software. Make sure you change the setting back to “Mac App Store and identified developers”, or, if you want to be really secure, to “Mac App Store” only. Then whenever you download software to install, you’ll have to consciously change this setting.

MacOS WDE

I decided I should get around to encrypting the data on my Mac hard drives, so a thief would not be able to access potentially sensitive information if my laptop were stolen. I wanted a Whole Disk Encryption solution that works similarly to Symantec PGP Whole Disk Encryption or TrueCrypt, but I didn’t want to pay for Symantec/PGP and (as far as I can tell) TrueCrypt doesn’t support System Encryption for Mac.

When FileVault first came out, I wasn’t too impressed. It seemed like a hack where Apple was just shoehorning user directories into encrypted disk images. Then I heard about performing whole disk encryption using FileVault 2. This sounded pretty good and Apple seems to be doing security right so I decided to explore the FileVault 2 option.

First I went into System Preferences -> Security & Privacy -> FileVault. As I read about FileVault, I found it is designed to encrypt the disk encryption key with a key derived from each user’s password. I didn’t want my disk encryption key protected by weak passwords, and I didn’t want to be inconvenienced by having to enter extremely long/strong passwords every time I unlocked the computer. It only took a slight hack of MacOS’s built-in features to accomplish this.

Mac OS WDE Steps

  1. Create a new Administrator account. This will be your unlocking account, so name it and create a password accordingly.
    Note: We are creating a separate account, because FileVault can only be enabled from an Administrator account, but you cannot remove the ability to unlock the drive once it has been granted.
  2. Log out and log in with the new unlocking account
  3. Open System Preferences -> Security & Privacy -> FileVault
  4. Click “Turn On FileVault…”
  5. Follow the steps to turn on FileVault. I chose not to send a recovery key to Apple.
  6. Wait for the encryption to finish.
  7. Log out of your unlocking account.
  8. Log in with another Administrator account.
  9. Open System Preferences -> Users & Groups
  10. Select the unlocking account and uncheck “Allow user to administer this computer”
  11. Check “Enable parental controls” and click “Open Parental Controls…”
  12. Now restrict this account, so it is unusable for general use and can only reasonably be used to unlock the hard drive.
    1. Under Apps
      1. Check “Use Simple Finder”
      2. Check “Limit Applications”
      3. Uncheck all “Allowed Apps:”.
        Note: I went back and allowed the GoogleSoftwareUpdateAgent and SIMBL Agent, because these were giving me permission errors when logging in.
    2. Under Web
      1. Select “Allow access only to these websites” and do not include any websites in the list.
    3. Under People, deselect all options
    4. Don’t make any changes under “Time Limits”
    5. Under Other
      1. Check all options.
        Note: Checking “Disable changing the password” is especially important if you share the password to allow a few people to unlock the computer.

Now when you boot your computer, you will be presented with a screen asking for the password to your unlocking account. Once you log in to the unlocking account, you will not have access to any applications, so the only reasonable thing to do is log out. Then you will have the option to log in to one of the other accounts on the system.
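The end state of the steps above is that only the dedicated unlocking account can unlock the volume. The script below, added here as an example and not part of the original post, checks that from the command line; it assumes `fdesetup list` prints one `username,UUID` line per FileVault-enabled user and that the unlocking account is named `unlocker` unless another name is passed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that only the dedicated
# unlocking account was granted the ability to unlock the FileVault 2 volume.
# Assumes `fdesetup list` prints one "username,UUID" line per enabled user.

# Read fdesetup-style lines on stdin and print just the usernames.
unlock_users() {
    cut -d, -f1
}

# Return 0 when the enabled users are exactly the one expected account,
# 1 with a warning otherwise. $1 = expected account, stdin = fdesetup output.
check_only_unlocker() {
    expected=$1
    users=$(unlock_users)
    count=$(printf '%s\n' "$users" | grep -c . || true)
    if [ "$count" -eq 1 ] && [ "$users" = "$expected" ]; then
        echo "OK: only '$expected' can unlock the disk"
        return 0
    fi
    echo "WARNING: FileVault-enabled users: $(printf '%s' "$users" | tr '\n' ' ')" >&2
    return 1
}

# Against the live system (macOS only; fdesetup must run as root):
#   sudo fdesetup list | sh check-unlocker.sh run unlocker
if [ "${1:-}" = "run" ]; then
    check_only_unlocker "${2:-unlocker}"
fi
```

A warning means some other account, typically the Administrator account FileVault was enabled from, was also granted unlock ability.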