Category Archives: Security

Review: Akeeba LoginGuard

We took a sneak peek at Akeeba LoginGuard for you and turned it into a video.

Akeeba LoginGuard is a Joomla add-on that gives your website new two-factor authentication tools, lifting its login security to the next level. Akeeba LoginGuard offers quite a few benefits over the options already built into Joomla.

More authentication options

Where Joomla offers ‘only’ OTP (one-time passwords from an authenticator app) and Yubikey out of the box, LoginGuard takes things further, which is a positive thing. The built-in options are a good start, and Yubikeys are great little things to use, but it’s always good to have more choice, especially in corporate settings.

LoginGuard offers the following options:

  • OTP (via an authenticator app)
  • Yubikey
  • Codes via e-mail
  • Codes via SMS (using SMSAPI.com)
  • Push notification (using PushBullet)
  • Fixed code(s)

Configure 2FA for users

Akeeba LoginGuard also allows you to setup 2FA options for your users. We discuss the upside of this feature and other features in our video review.

 


Microsoft to Outlook 2016 users: “Trust the certificate, and it all goes away…”

Of course, Microsoft never literally said these words to Mac users running Outlook 2016, which is by far the best mail client available for the Mac, especially if you grew up with Outlook. That is, if you ignore one error that hasn’t been fixed for ages.

When you use Office 365 but your website is hosted on a different server than your mail, you run into a neat little problem. Before asking Office 365, Outlook 2016 looks for its settings (Autodiscover) on your own domain over HTTPS, and your web server answers with a certificate that wasn’t issued for that name, typically the host’s default certificate, because you never installed one for your site (get with the times, people, me included). Outlook then says “Hey, this SSL certificate is no good.” Which, at the time of writing, describes most websites that aren’t hosted on Office 365.
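To make the name mismatch concrete, here is an added example (mine, not Microsoft’s and not from the original post): a Python check that applies the hostname-matching rules clients use to the names Outlook’s Autodiscover probes over HTTPS, the bare domain first and then the autodiscover subdomain. The domain and certificate names (example.com, hosting-provider.net) are constructed for illustration; the `fetch_san_names` helper reads what a live server really presents and is the only part that needs the network.

```python
import ssl
import socket
from typing import Dict, Sequence


def hostname_matches(hostname: str, san_names: Sequence[str]) -> bool:
    """Return True if one of the certificate's dNSName entries covers hostname.

    Matching follows the rules clients such as browsers and Outlook apply
    (RFC 6125): case-insensitive exact match, or a wildcard that stands in
    for exactly one left-most label and never spans a dot.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            wild_labels = name.split(".")
            # Same label count, identical suffix, and at least two fixed labels
            # so that "*.com" cannot cover every domain.
            if (len(wild_labels) == len(host_labels) >= 3
                    and wild_labels[1:] == host_labels[1:]):
                return True
    return False


def autodiscover_probe_names(domain: str) -> Sequence[str]:
    """Hostnames Outlook's Autodiscover tries over HTTPS: the bare domain
    first, then the autodiscover subdomain."""
    return (domain, f"autodiscover.{domain}")


def check_autodiscover(domain: str, presented_san: Sequence[str]) -> Dict[str, bool]:
    """For each probe name, does the certificate the web server presents cover it?
    A False entry is a name-mismatch warning waiting to happen."""
    return {name: hostname_matches(name, presented_san)
            for name in autodiscover_probe_names(domain)}


def fetch_san_names(host: str, port: int = 443) -> Sequence[str]:
    """Live helper (needs network): read the dNSName entries the server at
    host:port really presents. Chain validation stays on; only the hostname
    check is disabled so a mismatched certificate can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed scenario: example.com's website sits on a shared host whose
    # default certificate was issued for the provider's own names.
    provider_cert = ["hosting-provider.net", "*.hosting-provider.net"]
    print(check_autodiscover("example.com", provider_cert))
    # {'example.com': False, 'autodiscover.example.com': False}

    # Even a proper certificate for the website alone leaves the second probe uncovered.
    site_cert = ["example.com", "www.example.com"]
    print(check_autodiscover("example.com", site_cert))
    # {'example.com': True, 'autodiscover.example.com': False}
```

A False in the result is exactly the warning Outlook shows. The fix is to make the certificate on the web server cover the names in the result, not to tell users to trust whatever happens to be presented.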

So, anyway, this error is well known to the folks at Microsoft, and instead of doing something about it, they’re telling people to just ignore the error. It’s okay. Just click to always trust the certificate and the problem is gone!

While that technically makes the warning go away, it’s not exactly the most security-minded advice, Microsoft. Permanently trusting a certificate that wasn’t issued for the name you’re connecting to trains users to click through the very warning that would flag a real interception. How about an actual explanation of how to solve the problem when your site is hosted on your own server? A tip on how to get a certificate that covers the name Outlook is checking? You’re choosing to tell people to ignore warning messages at a time when that very same Outlook 2016 offers support for encryption and digital signing? Okay, then.

In case you’re wondering what I’m talking and ranting about, here’s the official KB article on the problem. Short. To the point. The security equivalent of “Did you try turning it off and on again?”

Enjoy the article in its full glory here.

Spike in attempts to abuse old Joomla exploits

Is your mailbox currently blowing up with Admintools notifications? Then you’re not alone. We’re noticing a definite spike in attempts to abuse Joomla exploits. The exploits the “attackers” are using target older versions of Joomla.

Using Admintools or a similar tool will help you block these malicious requests before they reach your site. But blocking attempts at the door is only a stopgap: it’s better to make sure the holes aren’t there in the first place.

How?

Make sure you’re running the latest version of Joomla. We know it’s not always within your means to update that 2.5 or 1.5 website. Clients aren’t willing to pay, and you don’t work for free. We get that.

But if it is within your means, now is a good time to update those older sites. Actually, last year was a good time, but better late than sorry. Joomla 3.x is the latest release and should be supported for a long time to come.
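If you look after more than a handful of sites, finding out which ones are still on 1.5 or 2.5 is the first step. The following is an added example, not from this post and not an Akeeba tool: a Python inventory script that reads the version class Joomla ships in libraries/joomla/version.php (1.5) or libraries/cms/version/version.php (2.5 and 3.x) and reports which sites are on an unsupported major release. The file paths and declaration styles follow Joomla’s own source trees (check them against your install); the sample file excerpts are constructed so the script runs offline, and the supported major release is a parameter because that answer changes over time.

```python
import os
import re
from typing import Dict, Iterable, Optional

# Relative paths where the Joomla lines the post talks about keep their
# version class (from Joomla's source trees; verify against your own install):
#   1.5.x  libraries/joomla/version.php        var $RELEASE = '1.5';    var $DEV_LEVEL = '26';
#   2.5.x  libraries/cms/version/version.php   public $RELEASE = '2.5'; public $DEV_LEVEL = '28';
#   3.x    libraries/cms/version/version.php   public $RELEASE or const RELEASE = '3.9'; ...DEV_LEVEL
VERSION_FILES = ("libraries/cms/version/version.php", "libraries/joomla/version.php")

# One pattern for all three declaration styles (var/public with $, const without).
_FIELD = re.compile(r"\b(?:var|public|const)\s+\$?(RELEASE|DEV_LEVEL)\s*=\s*['\"]([^'\"]*)['\"]")


def parse_version(php_source: str) -> Optional[str]:
    """Extract 'RELEASE.DEV_LEVEL' (e.g. '2.5.28') from a Joomla version.php; None if absent."""
    fields = dict(_FIELD.findall(php_source))
    if "RELEASE" not in fields or "DEV_LEVEL" not in fields:
        return None
    return f"{fields['RELEASE']}.{fields['DEV_LEVEL']}"


def is_supported(version: str, supported_major: str = "3") -> bool:
    """True if the site is on the major release still receiving security fixes.
    supported_major is a parameter because the right value changes over time."""
    return version.split(".")[0] == supported_major


def read_site_version(site_root: str) -> Optional[str]:
    """Locate and parse the version file under a Joomla document root."""
    for rel in VERSION_FILES:
        path = os.path.join(site_root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return parse_version(fh.read())
    return None


def inventory(site_roots: Iterable[str], supported_major: str = "3") -> Dict[str, str]:
    """Map each site root to 'x.y.z OK', 'x.y.z OUTDATED' or 'no version file found'."""
    report: Dict[str, str] = {}
    for root in site_roots:
        version = read_site_version(root)
        if version is None:
            report[root] = "no version file found"
        else:
            status = "OK" if is_supported(version, supported_major) else "OUTDATED"
            report[root] = f"{version} {status}"
    return report


# Constructed excerpts shaped like the real files, so this runs without a Joomla install.
SAMPLE_15 = "<?php\nclass JVersion {\n\tvar $RELEASE \t= '1.5';\n\tvar $DEV_LEVEL \t= '26';\n}\n"
SAMPLE_25 = "<?php\nfinal class JVersion\n{\n\tpublic $RELEASE = '2.5';\n\tpublic $DEV_LEVEL = '28';\n}\n"
SAMPLE_3X = "<?php\nfinal class JVersion\n{\n\tconst RELEASE = '3.9';\n\tconst DEV_LEVEL = '28';\n}\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python joomla_inventory.py /var/www/site1 /var/www/site2 ...
        for root, line in inventory(sys.argv[1:]).items():
            print(f"{root}: {line}")
    else:
        for sample in (SAMPLE_15, SAMPLE_25, SAMPLE_3X):
            version = parse_version(sample)
            print(version, "OK" if is_supported(version) else "OUTDATED")
```

Run it with the document roots of your sites as arguments and you get a list of what to update first. It only tells you the core version; outdated extensions are a separate audit.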

On top of a more secure version, you’ll get the following features:

  • A CMS that wasn’t built years ago
  • A faster Joomla
  • Better UI with more configuration options
  • Detailed UI
  • No more “Your old crap site isn’t supported, you moron” from both developers and your Joomla site itself (See for reference: Joomla 2.5 sites displaying a message it’s outdated)

Gentlemen, start your analysis of your old sites and get to updating.

Watch out for fake invoices!

Users and anti-virus companies are reporting a large number of spam messages containing fake invoices. The senders aren’t after your money; they want to infect your machine. The invoices are fake, and opening the attached files will infect your machine.

Word documents

There are a few ways to spot these fake, malware-ridden invoices right off the bat, so keep them in mind.

  • Word documents: If the attachment is a Word document, don’t open it under any circumstances. No self-respecting company sends an invoice in an editable format like a Word document. The reason the crooks send Word documents is that they carry macros, which run as soon as you open the document and click “Enable Content”, and the macro then infects your machine.
  • You didn’t order anything: This should be an obvious give-away; if you didn’t order anything, you’re not supposed to get an invoice. Most self-respecting vendors let you look up your invoices on their sales platform anyway.
  • Your anti-virus kicks it in the ass: If you’ve got a decent anti-virus solution that includes e-mail scanning, such as Gdata’s Internet Security, you won’t even get to see the mail, or the attachment, as they’re dealt with before they reach your inbox.

Of course, there are exceptions to the first rule. PDFs that trigger malicious code are also on the rise. So the golden rule is: “If you didn’t order anything, don’t open that invoice.”
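As an added example (not from the original post or from any anti-virus vendor), here is a Python check that classifies an attachment by its bytes rather than its filename and flags the active content the rules above warn about: a VBA project inside an OOXML (.docx/.docm) package, VBA streams in a legacy OLE .doc, and open/JavaScript actions in a PDF. It then applies the post’s own rules as a verdict. All samples are constructed in the script and contain no real malware; the OLE and PDF checks are deliberately simple string tests, good enough for triage but not a replacement for a scanner.

```python
import io
import zipfile
from typing import Dict, Union

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.doc, .xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML container (.docx, .docm, .xlsm)
PDF_MAGIC = b"%PDF-"

# Stream names Word uses for VBA inside an OLE file; the directory stores them as UTF-16LE.
_OLE_VBA_MARKERS = tuple(m.encode("utf-16-le") for m in ("Macros", "_VBA_PROJECT_CUR", "VBA"))
# PDF keys that make a document act on open; worth a second look in an "invoice".
_PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def inspect_attachment(data: bytes) -> Dict[str, Union[str, bool]]:
    """Classify an attachment by its bytes, not its filename, and flag active content."""
    result: Dict[str, Union[str, bool]] = {
        "container": "unknown", "has_macros": False, "active_content": False, "detail": ""}

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        for marker in _OLE_VBA_MARKERS:  # rough check: VBA storage names in the directory
            if marker in data:
                result["has_macros"] = True
                result["detail"] = f"OLE stream {marker.decode('utf-16-le')!r} present"
                break
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            result["detail"] = "corrupt zip container"
            return result
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:  # a .docm renamed to .docx still carries this part
            result["has_macros"] = True
            result["detail"] = f"{vba[0]} present"
    elif data.startswith(PDF_MAGIC):
        result["container"] = "pdf"
        hits = [m.decode() for m in _PDF_ACTIVE_MARKERS if m in data]
        if hits:
            result["active_content"] = True
            result["detail"] = "PDF actions: " + ", ".join(hits)

    if result["has_macros"]:
        result["active_content"] = True
    return result


def verdict(data: bytes, ordered_something: bool) -> str:
    """The post's rules as code: no order means no invoice; active content is never opened;
    an editable Word file still deserves a phone call to the sender before opening."""
    if not ordered_something:
        return "block"
    info = inspect_attachment(data)
    if info["active_content"]:
        return "block"
    if info["container"] in ("ooxml", "ole"):
        return "review"
    if info["container"] == "pdf":
        return "ok"
    return "review"


def _build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x01\x02 placeholder VBA project")
    return buf.getvalue()


# Constructed samples (no real malware), shaped like the file headers a scanner would see.
SAMPLE_DOCX = _build_ooxml(with_macros=False)
SAMPLE_DOCM = _build_ooxml(with_macros=True)
SAMPLE_OLE_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("docm", SAMPLE_DOCM),
                        ("ole", SAMPLE_OLE_DOC), ("pdf", SAMPLE_PDF)):
        print(label, inspect_attachment(blob), verdict(blob, ordered_something=True))
```

The extension is deliberately ignored: a macro-enabled document renamed to .docx still contains word/vbaProject.bin, and a PDF that tries to run something on open is the exception the golden rule is there for.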

Be safe, kids. It’s a dark place out there.

How to enable 2-factor authentication in Gmail / Google

1. Introduction

Online security is a hot topic these days, and with good reason. One measure all the big players have implemented is support for two-factor authentication. In layman’s terms: on top of your username and password you’ll need another “code”, generated when needed. This adds an extra layer of security.

One of the big players offering 2-factor authentication (2FA in the rest of this article) is Google. This post helps you set up two-factor authentication for your Google / Gmail account. Enjoy!

2. Enabling 2FA in Gmail


2.1 Open your account

To enable 2-factor authentication in Gmail, follow these steps.

  1. Log in to Gmail using your username / password.
  2. Click your Profile (top right corner) (1), then click “Account” (2).

2.2 2FA Setup

  1. On your account page, go to the Security tab.
  2. In the Password section, click “Setup” next to 2-step Verification.
  3. Click “Start set up” on the next page to continue.

2.3 Configure Phone

By default, Google asks you to provide a phone number to send codes to for 2-factor authentication. This step is mandatory and can’t be skipped.

  • Enter a (valid) phone number
  • Choose how you want to receive your codes (text message or voice call)
  • Click “Send code”. Google will text or call you with a code to verify that you own the phone.

2.4 Verify your phone

Google will send you a text message (or call you) with a 6-digit code, which you need to enter.

  1. Enter the code in the text field
  2. Click “Verify”

2.5 Add trusted computer

In the next screen, Google asks whether to make your computer a “trusted computer”. On a trusted computer Google won’t ask for the second factor again at later logins, which is handy when you can’t receive codes (by phone, mail or otherwise), but it also means anyone sitting at that computer skips your 2FA. Make sure only to add a secure computer you own and control. Do not add a public computer, ever!

You can choose not to add your current computer and add trusted computers later on.

Click Next to continue.

2.6 Confirm enabling 2-step verification

Finally, Google will ask you to confirm that you want to enable 2-step verification, which will protect your account whenever you log in from an untrusted computer.

Untrusted computers are all computers that haven’t been added to your account, but, and this is important, the trust is stored per browser, not per machine. E.g. if you “trust” a computer in Google Chrome, you may still be asked for a 2FA code in Safari, and vice versa.

3. (Optional) Configure the authentication app

You’ll now receive a code on your phone whenever you try to log in.

Optionally, you can use an authenticator app on your phone instead of text messages. The app derives the codes from a secret shared with Google during setup and the current time, so it works without an internet or data connection, and it doesn’t depend on the mobile network that SMS codes rely on.

Click “Settings” in the Security tab to start configuring the app.

3.1 Configure verification options

You’ll be presented with different verification options. Configuring them is as simple as following the instructions. Besides the verification codes and the app codes we’ve covered, you can add trusted computers (under Registered computers) or configure a “Security Key”, which is a USB device for authentication purposes.

We’ll be configuring the authentication app, under “Verification codes”.

Click “Switch to app”

3.2 Follow the instructions for your phone

Next, follow the instructions for your smartphone of choice, to install the app, and configure it. Once this is done, the app will generate a code which you can use when prompted.