Monday, November 24, 2014

3 Rules for Cyber Monday


3 Rules for Cyber Monday


It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

Which brings me nicely to the topic of this blog: online shopping at work.

It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday - all aimed at getting us to part with our hard earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security, the online shopping season could turn out to be the nightmare before Christmas.

In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

To help prevent distraction and clogged bandwidth, I know of one customer, I’m sure there are others, who is allowing his employees time to shop from their desks in their lunch breaks. He’s a smart man - productivity stays high and employees happy.

But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol indicates that the purchase is encrypted and secure. In addition, brief them to be alert for phishing scams and not to open emails, or click on links from unknown contacts.

Friday, September 26, 2014

10 Things to Consider Before You Unblock a Website

Just recently, I was asked by a customer to provide some advice for their network administrators on unblocking sites. Sometimes you have to say no, but how do you decide which to give the green light to? Here are some points to bear in mind...

  1. Have you looked at the whole site? There may be different content on some of the links.
  2. Is the domain a generic one? Maybe many sites are served from this domain. Can we limit the unblock into just one specific URL?
  3. Will the content change in future? If it is dynamic, what kind of content might be found there next week?
  4. Is there a better website people could visit for this same purpose? For example, there is no reason to unblock an image search engine other than Google Image Search, as it may not have all the safety features enforced by Smoothwall.
  5. What’s the reason the site was blocked? If it is a misclassification it should be reported to Smoothwall, and  it will get fixed for everyone.
  6. Do you want to unblock just this website, or all websites of this type?  Often it is better to adjust the categorisation (such as allowing all “sports” websites) rather than dealing with one at a time.
  7. Does it allow access to other pages surreptitiously, or draw content from other sites? Translation sites can cause this problem.
  8. You might be able to understand the risks of this site; but do your users? Children, for example, may not be easily able to understand risks of bullying or grooming on a social network, and less technical users might inadvertently leak sensitive information on file sharing sites.
  9. Are there any regulations or risk assessments you need to consider before unblocking this site?
  10. Does the site rely on 3rd party resources?  You can use the advanced Policy Test Tool to examine these. Are these locations also safe with regard to points 1-9?


Thursday, September 11, 2014

Web Filtering Is Not Glamorous, but You May Still Make the Paper

What may be done at any time will be done at no time. 
  ~ Scottish Proverb

Procrastination seems to be built into human nature somehow; some problems become crises before being dealt with. In the beginning, most web content filtering problems are virtually unnoticeable. Maybe it’s because they always seem to start so small they’re nearly innocuous: A slip here, slide there. And who really wants to deal with web filtering and make it a priority?

Web content filtering isn’t glamorous. Other issues feel more pressing, like network failures on testing days. Some issues are just more pleasant to deal with, like procuring new hardware. And let’s face it, students won’t sing your praises for bulletproofing your web filter. It is, however, necessary. Unlike rescheduled test days or network performance issues, a web filter failure will get your name in the paper.

Take Glen Ellyn Elementary District 41 near Chicago, Illinois. After a web filter failure there, in which fourth and fifth grade students were caught viewing pornography on the playground, parents combined forces to bring to light “other instances of inappropriate computer usage at district schools.” All together, the story originally broke in early May, but once on radar with the press, progressive coverage of events becomes standard. The most recent update on Glen Ellyn was published in August.

Another example of this phenomenon happened in Forest Grove, Oregon. A student there was using her IPad to look at erotica through the literature curation website Wattpad. The story was a follow-up in response to an investigational piece by the local news which focused on student agility in filtering circumvention.

And it isn’t just emergencies that get a school noticed for its web filtering policies. Apparently even over blocking of sites is press worthy, as indicated by the Waseca County News, on grounds that it is unfair. Sometimes the discussion even gets political, as it did in Woodbury, Connecticut, where a student doing research noticed that there seemed to be uneven blocking of conservative branded sites.

There are also probably more instances of web filtering gone bad that go unreported, but there’s really no way to tell how a filtering fumble will shake out before it hits the press. Of course, that begs the question; with so much at stake, why take the risk? Like laundry, dishes, or getting your oil changed, making sure your web filter is up to the challenge is the first small step in making sure that your students are protected, but it’s an important one. Perhaps it’s time to schedule some time

Monday, September 1, 2014

Red Letter Day for Onanists and Internet Fraudsters

Yesterday a number of explicit photographs of celebrities, including Jennifer Lawrence, were leaked on the Internet. I'll get to that in a moment. First, if you read no further, read this:

Don't go looking for these photographs, and don't click any links sent to you purporting to be them.

If you must look, we've hosted them all here. Seriously, we have been out a-searching since the news broke, in order to protect our users from the inevitable tide of malware links that have already begun to spring up. The major search engines work hard to keep malicious sites seeded with "current event" keywords from popping up, but this time will be harder, as the sites offering these images will often be similar to those offering the malware.

Now I am going to break from the norm. Most security blogs include the advice "don't take nude photos". I'm not going to ask you to quit. If that's your bag, keep at it — but bear in mind that your photo collection is now worth more. It's now worth more to an attacker who wants to populate their porn site, or to  blackmail you. It is also worth more to you, for the peace of mind of those images being kept private.

If we said the answer was "don't do it" every time doing something on the Internet resulted in a problem, we wouldn't have Internet banking. Or the Internet, come to think of it. So no, you absolutely should store your personal photos on the Internet. You just need to take further steps to ensure they are secure.

These steps include:

1. Make sure you know where your photos are. Many phones now automatically send your images to the NSA/GCHQ etc. under the guise of backup. This can be turned off. Weigh up your dismay at not having your photos any more, vs. the chance of them being stolen. Personally, I vote for backup, as anyone who pinches my pictures will find a heady combination of safari shots, and pictures of serial numbers for things I need to fix. Remember any other backup services (DropBox, Mozy, Backblaze, Crashplan et al) that you use here as well.

2. Secure the photos on-device. If your PC has no password, and your phone regularly sits around unlocked, there's no point hacking your backups. Seems obvious, but the proportion of people who take nude selfies is greater than those who use a lock screen. Apparently.

3. Use a password you use nowhere else. No, really. I mean it this time. I know you ignored me when I said "use a different password everywhere". Look, I forgive you, because I like you. But this one is pretty serious. Don't share the password with the one you use on a messageboard, or for grocery shopping.

4. Turn on "two step verification", "two factor authentication" or whatever anyone's calling it these days.

5. Secure the reset channel. Password resets are a good way to break an account. This could be email (password and 2 factor advice applies here), phone (PIN protect your voicemail!), or silly security questions that anyone with access to your Facebook can answer (make like Graham Cluley and tell them your first pet was called "9£!ttty7-").

A final word on this: watch for those malware links. They're already out there.

Friday, August 22, 2014

Security: Hard to Get Right!

Couple of interesting articles doing the rounds this week, which are worthy of a quick comment!

Heartbleed: the bug that keeps on giving
Reports suggest that the Heartbleed vulnerability was involved in a breach of over 4 million records from a health provider in the US — we won't see many of these, as identifying the culprit as Heartbleed is really difficult in most cases. That instances like this are still cropping up reminds us of the need to ensure we're patched, and not just in the obvious places like a web server. This time it seems to have been SSL VPN at the heart of the issue, so to speak.

Passwords: why are we still so rubbish at this?
Apparently 51% of people share a password. This is properly daft. Really, crazier than a box of weasels. Even if you trust the other person, there's no telling what accidents might occur, or where they may re-use that password themselves. I always get gyp from my wife that I won't tell her my passwords, but I won't — and believe me, I do pretty much everything else she tells me!

EU "right to be forgotten" rule still here, still a waste of time?!
Internet numptys are still asking Google to remove them from searches in their droves. Happily the BBC is kind enough to reveal who they are by linking us to the relevant articles. When will people realise that once you publish something on the Internet, it is there forever. Unless it's that really useful document you bookmarked last week, which now 404s and was never in the Internet archive. Yes, that one.

Tuesday, August 19, 2014

For an Internet of Things, We Are Going to Need Better Things

There's a lot of hype around at the moment about "The Internet of Things" (IoT), which, I suppose, is all about attaching, uh, things to the Internet. By "things", it seems we are supposed to be thinking household goods, vehicles; basically anything with electrical current running through it is a candidate for the "internet of things".

While setting up a cheapo DVD player last week, I couldn't help thinking of Chief Brody in the film "Jaws"... "You're going to need a bigger boat", he says, on seeing the enormous shark. We're going to need a bigger mindset on security if we are to survive the onslaught of "things". The firmware in the kind of devices we are already routinely connecting up is drivel. I mean some of it is absolute garbage. I know there are exceptions, but most of it is badly built, and almost none of it is ever updated.

Each of these devices is likely perfectly capable as a host in a botnet - for DDoS, for sending SPAM, SPIM and SPIT (OK, we are yet to see much in the way of unsolicited Internet Telephony... but with the IoT, devices built to make calls/send texts are likely to get hijacked), so each of these devices has a value to the Internet's vast supply of wrongdoers.

Researchers at Eurcom recently completed a study showing up vulnerabilities in the 30 thousand or so firmware images they scraped from vendor websites. Apparently one image even contained a linux kernel whose age had just hit double figures. Ouch. The "Nest" next-gen thermostat hasn't been without issues either, a high profile target, at least we can expect firmware updates from them!

Synology's NAS storage devices are among the early victims of malware attacking non-traditional computing devices, and may be an indication of IoT issues to come. Users of these storage devices have found themselves victim of a crypto-ransomware attack: their files are encrypted, and the encryption keys offered for sale back to them! Other early warnings come in the form of attacks on SCADA industrial control systems. These are all places that traditionally, little or no emphasis has been placed on security.

What can we do to help ourselves here? My advice is be careful before you buy anything you're going to add to your network. Look to see if the vendor has a firmware download, and if there's a recent-ish update. If they're the fire'n'forget types, you're probably not going to want to deploy it.

Footnote: Gartner appears to believe the Internet of Things to have reached "peak hype". Reminds me of an old saying about those dwelling in vitreous abodes launching masonry...

Friday, July 4, 2014

Of Wikipedia and vandalism.

Wikipedia is regarded as a bastion of factual accuracy and impartiality.

If you have no idea what Wikipedia is, please step blinking into the sun and let me explain:
It's an online encyclopaedia that anyone can contribute to. Literally anyone. There are no pre-requisites, no background checks and exactly one hoop to jump through: bothering to post the edits.

Fantastic idea isn't it? A platform for the entirety of human knowledge to be collected in a single shining pantheon, stripped of journalistic bias and sensationalism, and laid bare for all to marvel at. Enshrining almost 60 times more information that the Encyclopaedia Britannica. A beacon of knowledge and wisdom through collaboration and communal spirit!

Except this is the internet, a place which at times can be a wretched hive of scum and villainy.

From Wikipedia:
Vandalism is any addition, removal, or change of content, in a deliberate attempt to compromise the integrity of Wikipedia. Examples of typical vandalism are adding irrelevant obscenities and crude humor to a page, illegitimately blanking pages, and inserting obvious nonsense into a page. 
Wikipedia has an entire team and comprehensive guidelines for dealing with vandalism.
As of April 2014, there were 4,500,000 articles on Wikipedia. That's potentially 4,500,000 blank canvases for anyone with the inclination and an email address to put their mark on. Repeated transgressions will result in the user or their IP being banned from editing anything on Wikipedia. This is fine for Vandal A sitting at home trolling, but becomes a problem when an entire organisation's connection is blocked. They don't like to, but Wikipedia can block an entire IP range if the need arises. Jobs have been lost due to irresponsible Wikipedia edits (in Government, no less) — there are very real risks.

Here at Smoothwall, we've had more than one request for the ability to make Wikipedia read only in an effort to prevent this issue getting that far. Tomorrow this goes live and is in a similar vein to our previous work on Facebook and Twitter, albeit a little more niche. It's also not a blanket on/off switch, it's applicable the same way as any policy is — to whomever, whatever and whenever you like.

Tuesday, June 3, 2014

2 Weeks To Secure Your Networks... Starting...

Well, roughly 2 weeks ago. Apparently, there's a malware storm a-comin' - batten down the hatches, man the barricades, etc.

Yawn. Look, if you're not ready for this influx of malware, you're not ready to plug in your router. Surviving on the Internet during this coming malware bonanza is like surviving in a 'phone booth with 2 angry brown bears. If I said, hey, let's go with one angry brown bear instead, you wouldn't fancy your chances any better.

Ursine analogies aside, if we do get the proposed storm (and here I'm going to suggest that we're looking at a level of likelihood similar to that of weather forecasting), keep doing what you're doing. It's always a good time to start doing what you're doing better, but to make changes for this - fairly generic - incident that you're not willing to keep in place full-time is a second rate scheme.

My advice, pick one thing you've been looking to improve about your IT security for a while, and use the press coverage to justify your budget spend - but don't show the bean counters this article.

Monday, June 2, 2014

Passwords - At it again?

The recent eBay hack got me thinking about passwords, for about the 5th time this year. After Heartbleed, I did a bit of an audit on the passwords I was using, and I hope you did too. I then moved house, and had to change a bunch of address details, and in the process, I found a few more places I had passwords set up that I didn't know I had. One of these places emailed me a reminder with the password in plain text. This means they are storing my password, on their server, in the clear. I'm not mean enough to name names, and indeed I have offered to help them fix it, and given a few pointers - I'm nice like that, you see!

There's a moral to this tale, however. I should be concerned that Company X's servers may be compromised, and my password released, because they stored it badly. If that was the case, I would want to change my password as soon as I heard of the breach, as an attacker would immediately be able to access my account. My best defence would probably be that my name's likely to be right in the middle of the list, and any attacker is probably working his way past Archibald Atkins up there at the top of the user list - I hope I can get to reset my creds before the bad guys get to "N"!

However, I hope that eBay are smarter (not that there's any direct evidence that this is the case: they've been a bit evasive on how they stored our passwords). Despite this, I immediately changed my eBay password too. Why? because even a hashed password is cracked fairly easily these days, and that crack is getting easier every day.

Given a 6 character password (still accepted by many sites), hashed with MD5, it is possible to check every possible password in less than a minute on standard hardware.

So: sites are still storing passwords plaintext. For a while, MD5 was the go-to hash function. How many people do you think are still using that? SHA-1? Not much better apparently. Salt-per-password - better odds, but not unbeatable. While there's so much that a site could do "wrong" that would mean your password is brute forced in no time, there's a bunch you could do wrong too, like picking a dictionary word, or something nice and short. Be aware that the bad guys are finding ways to crack passwords orders of magnitude faster, such as using CUDA/GL setups.

What can we do to protect ourselves against the disparity between the ability of wrong 'uns to crack passwords, and the slow uptake of more secure hashing?

You can never ever re-use a password. I am pretty sure I still am - probably on accounts I should have closed years ago, but tidying up your passwords is worse than changing your postal address! It's really difficult. You will need a password manager. I chose Lastpass personally, some of my colleagues use passwordsafe and keep the file in dropbox - pick the one that's right for you.

A password manager is essential to keep up with the large number of passwords you will need - however, I would advocate keeping your key passwords out of any manager - eggs, basket, and all that. So email, financial services, that sort of thing, probably should stay in your head!

Finally, any sites which offer 2 factor authentication, please do take them up on the offer. That way you're less likely to suffer a breach while the organisation decides on the best way to tell you your password has gone walkies.

TL;DR - three things you need to remember about your passwords:


  • Two factor Where You can
  • Password Manager for the Many
  • Remember the Few


Wednesday, April 9, 2014

Statement: OpenSSL "Heartbleed" and Smoothwall

Some of our customers have been asking about Smoothwall's vulnerability to the "Heartbleed" issue in OpenSSL. We can confirm that our version of OpenSSL is not vulnerable to this issue, and our version of GnuTLS has also been upgraded as of update73 to resolve another possible, but unrelated, SSL vulnerability, of which OpenSSL's is the latest of 3 recent issues in SSL implementations.

Smoothwall users are protected from Apple's recent bug (link below) by browsing through the web filter, however they are not immune to the "Heartbleed" issue where present on other web sites and services (though a MITM filtered connection is perhaps marginally harder to attack).

More information on each issue can be found here:
OpenSSL "Heartbleed"
GNUTLS issue
Apple "Goto fail"

Tuesday, February 11, 2014

Safer Internet Day: 4 Things You Might Not Realise Your Webfilter Can Do

Since it's Safer Internet Day today, I thought i'd use it as an excuse to write a blog post. Regular readers will know I don't usually need an excuse, but I always feel better if I do.

Yesterday, I was talking to our Content Filter team about a post on the popular Edugeek forum, where someone asked "is it possible to block adult content in BBC iPlayer?". Well, with the right web filter, the answer is "yes", but how many people think to even ask the question? Certainly we hadn't thought much about formalising the answer. So I'm going to put together a list of things your web filter should be capable of, but you might not have realised...


1. Blocking adult content on "TV catch up" services like iPlayer. With use of the service soaring, it's important that any use in education is complemented with the right safeguards. We don't need students in class seeing things their parents wouldn't want them watching at home. There's a new section of the Smoothwall blocklist now which will deal with anything on iPlayer that the BBC deem unsuitable for minors.

2. Making Facebook and Twitter "Read Only". These social networks are great fun, and it can be useful to relax the rules a bit to prevent students swarming for 4G. A read-only approach can help reduce the incidence of cyber-bullying and keep users more focused.

3. Stripping the comments out of YouTube. YouTube is a wonderful resource, and the majority of video is pretty safe (use Youtube for Schools if you want to tie that down further — your filter can help you there too). The comments on videos, however, are often at best puerile and at worst downright offensive. Strip out the junk, and leave the learning tool - win win!

4. Busting Google searches back down to HTTP and forcing SafeSearch. Everybody appreciates a secure service, but when Google moved their search engine to HTTPS secure traffic by default, they alienated the education community. With SSL traffic it is much harder to vet search terms, log accesses in detain, and importantly force SafeSearch. Google give you DNS trickery to force the site back into plain HTTP - but that's a pain to implement, especially on a Windows DNS server. Use your web filter to rewrite the requests, and have the best of both.

Tuesday, January 28, 2014

A word about achieving PCI compliance on Smoothwall systems

Many people use security scanning software to audit the network. Either generally as part of day-to-day network operations, or when evaluating some new product.

These tools are fine and serve a useful purpose.  However, as with many tools, they are only as good as the person interpreting the scan results.  Oftentimes we will have customers contact our Managed Services department with an enquiry about the results from such scans.  Occasionally it looks as if the Smoothwall system is rife with issues; the scanning software occasionally highlighting "critical" problems which, on closer inspection, mean very little at all from an real-world threat perspective.

Some examples of the kind of output you might see when scanning:

  • "The web-server presents a self-signed certificate" - This "vulnerability" relates to the fact that the Smoothwall, in a standard shipping configuration, presents its' HTTPS connection with an automatically created self-signed certificate and not one you could purchase from a Certificate Authority. Generally these self-signed certs are adequate for small deployments, and indeed you should consider that the scanner is highlighting a configuration decision made on the part of the administrator, and not showing a real world vulnerability.
  • "TCP Timestamp response" - TCP timestamps are a performance feature for increasing the speed of TCP sessions (RFC1323). Nonetheless, the PCI scan will show a low-level vulnerability because the TCP timestamp can be used to determine the target system's uptime, which is (theoretically) useful to an attacker. In any case this option can be disabled using the Networking > Settings > Advanced page. Note that Smoothwall ships with this option enabled, because in the general case network performance is paramount.
  • "ICMP timestamp response"- Similar to the above. ICMP timestamps, while a feature of a standards-compliant TCP/IP stack, are not very useful to anyone and present a generally useless information leak to a potential attacker. A future update will add the ability to disable these responses through the admin interface all the same. In the mean time, this should not be considered a concern and disabling this feature's biggest benefit will be to succeed in giving you warm fuzzy feelings because your scanner now produces less output.
  • "Apache HTTPD: ETag Inode Information Leakage"- ETags are a mechanism used by browsers to know if URLs have changed on the server, so that the browser can know if it has to re-download the URL. A current Smoothwall will generate these tags, to assist the browser in caching images etc. However, in 2003 a vulnerability report was raised against this behaviour in the Apache webserver which Smoothwall incorporates. This vulnerability relates specifically to the use of ETags in file sharing (NFS) setups, something that Smoothwall has never and will never do. This vulnerability is therefore a prime candidate to be considered a false-positive. But nevertheless, the utility of these ETags is not high, so in a a future update ETags will be disabled just to quieten this report from PCI scanners.
  • "Weak Cryptographic Key" - This is the closest thing to a genuine issue so far listed. Over time, computers become faster. This PCI scanner message is an artefact of this and appears because the previously described self-signed certificate is signed with a 1024 bit key. Only a few years ago this was considered excessively long, but up-to-date PCI scanners now flag this as being not completely adequate. It should be pointed out that breaking a "mere" 1024 bit key still requires many years, even with thousands of computers working at the problem. But still, the NSA is rumoured to be able to crack 1024 bit encryption. And in keeping with PCI recommendations, Smoothwall will switch to using 2048 bit keys in all of it's internally generated certificates and keys.
I hope the reader finds this information useful. As the old saying goes "Security is a process". There are no magic bullets, or black and white answers, but the following is a good start:
  • Keep your systems up to date
  • Expose services only to the people who need, and use them
  • Perform regular audits
Cheers!

Thursday, January 2, 2014

5 New Year's Resolutions to Keep You Safe on the Internet


Happy New Year etc.! OK, now the pleasantries are out out of the way, we can get on with the usual cliche'd list of New Year's Resolutions. You can see I'm going well already with my drive to avoid cynicism in blog posts. These resolutions are aimed more at your personal IT needs than your work life, but you might find a spot of cross applicability in any case.

  1. Housekeeping! - Yes, it is a bit early for a spring clean, but since you've a while to go before you have to break out the washing up gloves and the hoover, you've got time for a bit of a clear-out in online accounts. Each login you have, even if it doesn't protect anything "interesting" or "valuable", is a potential route in for a "cross site privilege escalation" - an attacker could, for example use this to find your postal address or mobile number, which you gave on sign-up, and use these to gain entry to a more "interesting" site, which may have your credit card details. Take a look back at the marketing emails you received in December (they're all at it over the holidays so this is a great time for it) and close down anything you don't use. 

  2. Pesky Passwords - by following the first resolution, you've protected yourself some more against having your password stolen in a site-breach - there's been enough of these in 2013 to sink a battleship. Ideally, you're going to want a different password for each site or service, and there are 2 ways to help reduce your password re-use: First, federate login (eg. through google and facebook), which is very much putting all your eggs in one basket - so you had better watch that basket by following my other resolutions. The second method is to use a password service, such as lastpass. There's no reason not to have a little from column A, and a little from column B, of course. While you're at it, you might check to see if any of the passwords you've been naughtily re-using have been leaked to the world here: https://haveibeenpwned.com/

  3. Backup: Half the Story - and I'm assuming you are halfway there, right? You should back up as much as possible as often as possible. I prefer "everything, all the time" for my files (I personally use backblaze, good value for money!) Other backup services/strategies exist. YMMV. The other side of the backup story is restore. Having your files sent to the great hard disk in the sky is all well and good, but you need to be sure you can get them back. At the very least, pick a few files and try to restore them. You might find a problem you never knew you had!

  4. No Pain, No Gain - 2 Factor Authentication. Yes, I mean you. Pay attention at the back. I know you've been putting this off because you think it will be a pain in the backside. Yes, it will, but once you're used to it, it's minor, and the protection afforded against keyloggers and brute force attacks are not to be understated. This isn't a panacea, but it's one more useful protection against the legion wrongdoers. Many sites & services now support this, a not-particularly-exhaustive list on a post over here.

  5. Finally, One Good Turn... - I'm quite sure you are already 100% on top of all of these suggestions, so I am going to leave you with resolution 5 - go help someone less fortunate (in the Info-security sense) than yourself. Parents, siblings, other-halves, whoever. I know, it's a pain, you're probably the person they'll come to when it all goes pear shaped in any case, and you do enough family tech support as it is, blah blah. Nut up, and go do a good turn. It's the new year, and you'll feel better for it. Not only that, but some of these resolutions will help reduce the calls you get in 2014 from panicking friends and family, and their security is, in many ways, allied to your own. Much like a compromise on a "less important" account that can be priv-esc'd, a security-compromised friend is a threat to your own online safety. On the subject of good turns - if you're after more resolutiony goodness, check out Graham Cluley's list here.
One last thing... thanks for reading the Smoothwall blog in 2013, hope we can keep you interested and entertained in 2014. -Tom