Enabling Two-factor Authentication for Your Organization

Recent high-profile security breaches have shown that relying solely on passwords is becoming less and less adequate for protecting sensitive systems and data. The vast majority of these breaches in the industry started with some kind of malware logging keystrokes on client computers, harvesting credentials for various online services and sending them to the attackers. These credentials are then used to gain unauthorized access to those services.

As LogMeIn continues to advance our security features, we are committed to ensuring the ease-of-use for users combined with components that promote secure, safe, and wise use of our products.

Today, when you log in to your LogMeIn Central account you will be greeted by a page asking you to enable two-factor authentication (2FA) for your entire organization. Here you can easily enable 2FA for you and all of your invited users, thereby adding that extra layer of security that will help prevent unauthorized access to your account.

LogMeIn has introduced a number of new security enhancements in recent months, and this latest addition focuses on the ability to enforce a policy for all users in an account.

Why 2FA?
Two-factor authentication adds a second layer of protection to your LogMeIn account that is difficult to compromise through these types of attacks. When 2FA is enabled, the password alone does not grant access to your Central account. In addition to the password, you are prompted to enter a one-time security code. Users can set this up with either a mobile authenticator app (the most common option) or SMS text messages. Additionally, if the primary method is unavailable, users can request a code via an email backup. Users can use:

  • LogMeIn Authenticator App – NEW
  • Google Authenticator (available on iOS & Android, and equivalent on Windows Phone)
  • Security Codes via SMS
  • Emailed Security Codes – (backup option only)

For successful authentication, both the password and the correct one-time code must be entered.

Enforcing 2FA
While using 2FA is a highly recommended best practice, it is also mandated by various security standards, such as PCI DSS or HIPAA. If you have multiple users, it is crucial that all of them follow the policy that you set, including using 2FA when they access your Central account. You can enforce this on the Login Policy settings page in the Users menu on the left navigation bar.


For a detailed overview of LogMeIn’s security enhancements including 2FA, check out our online guide or log in now to adjust your settings.


What your organization can do to avoid getting phished

As you are probably well aware, phishing attacks are on the rise all around the world. Organizations must take extra steps to make sure that they protect themselves as well as their customers against this threat.

As Attila mentioned in his post earlier this week, LogMeIn employs SPF, DKIM and DMARC on every email it sends from a @logmein.com address.

The combination of these three technologies allows the recipient server to validate that:

  1. The email was sent from a server authorized by LogMeIn
  2. The contents of the email have not been manipulated

The key point is that the check is done on your organization’s email servers. They have to support SPF, DKIM and DMARC in order to filter out phishing emails.

Most major email providers, including Gmail, Yahoo Mail and Outlook.com, check for these records and will put phishing emails appearing to come from a @logmein.com address into the Spam folder. Be wary of slight variations of the domain part. If you see an email from logme.in.com or logmeein.com or some other variation of our domain, you can safely delete it.

If your organization maintains its own email servers and you receive these phishing emails, please ask your email administrator to set up SPF, DKIM and DMARC. You will save yourself a lot of headaches.
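As an added example (not LogMeIn’s own code, and built on constructed DNS records and messages rather than LogMeIn’s real ones), the following Node.js script shows what a receiving server decides for a message that claims to come from a DMARC-protected domain: the SPF result for the sending IP, whether the From: domain aligns with the SPF and DKIM identities, and the disposition the p= tag asks for. It also flags the look-alike sender domains mentioned above. Assumptions: the DKIM signature itself has already been verified (msg.dkim.verified), the SPF evaluator handles only ip4 and all mechanisms, and relaxed alignment uses the last two labels as the organizational domain instead of the Public Suffix List.

```javascript
// Constructed DNS records for a made-up sending domain; real records would come from TXT lookups.
const DNS = {
  'example-sender.test': {
    spf: 'v=spf1 ip4:203.0.113.0/24 -all',
    dmarc: 'v=DMARC1; p=reject; adkim=r; aspf=r',
  },
};

// DMARC records and DKIM-Signature headers both use "tag=value; tag=value" syntax.
function parseTags(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
}
function inCidr(ip, cidr) {
  const [net, bits = '32'] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Minimal SPF evaluator: ip4 and all mechanisms only (a real checker implements all of RFC 7208).
const QUALIFIER = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };
function spfResult(ip, spfRecord) {
  for (let term of spfRecord.split(/\s+/).slice(1)) {
    const q = term[0] in QUALIFIER ? term[0] : '+';
    if (term[0] in QUALIFIER) term = term.slice(1);
    if (term === 'all' || (term.startsWith('ip4:') && inCidr(ip, term.slice(4)))) return QUALIFIER[q];
  }
  return 'neutral';
}

// Organizational domain approximated by the last two labels (assumption; real DMARC uses the Public Suffix List).
function orgDomain(domain) {
  return domain.toLowerCase().split('.').slice(-2).join('.');
}
function aligned(a, b, mode) {
  return mode === 's' ? a.toLowerCase() === b.toLowerCase() : orgDomain(a) === orgDomain(b);
}

// DMARC: the From: domain must align with a passing SPF identity (Return-Path) or a verified DKIM d= domain.
// msg = { from, returnPath, sourceIp, dkim: { d, verified } | null }
function dmarcCheck(msg, dns) {
  const fromDomain = msg.from.split('@')[1];
  const site = dns[fromDomain];
  if (!site) return { result: 'none', action: 'no DMARC policy published' };
  const policy = parseTags(site.dmarc);
  const rpDomain = msg.returnPath.split('@')[1];
  const spf = dns[rpDomain] ? spfResult(msg.sourceIp, dns[rpDomain].spf) : 'none';
  const spfAligned = spf === 'pass' && aligned(rpDomain, fromDomain, policy.aspf || 'r');
  const dkimAligned = Boolean(msg.dkim && msg.dkim.verified && aligned(msg.dkim.d, fromDomain, policy.adkim || 'r'));
  const pass = spfAligned || dkimAligned;
  const action = pass ? 'deliver' : ({ reject: 'reject', quarantine: 'spam folder' }[policy.p] || 'deliver (monitor only)');
  return { result: pass ? 'pass' : 'fail', spf, spfAligned, dkimAligned, action };
}

// The other warning above: sender domains that are small edits of the real one (logme.in.com, logmeein.com).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}
function looksLike(domain, trusted) {
  const d = domain.toLowerCase(), t = trusted.toLowerCase();
  if (d === t) return false;
  return d.replace(/\./g, '') === t.replace(/\./g, '') || editDistance(d, t) <= 2;
}
```

A DKIM-signed message forwarded through a third party fails SPF but still passes DMARC through the aligned DKIM signature, which is why both mechanisms are deployed together.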

And as always, follow the best practices for email.

Does your organization use DMARC? If it does not, what is the reason? Please leave a comment and share your thoughts.


Sporadic connectivity issues with LogMeIn and join.me

UPDATE:

We’ve successfully applied a fix that should resolve the issues described below. The fix was applied last Friday, and subsequent tests over the weekend into today (Monday) have confirmed that it has had the desired effect. All services should be back to normal. Again, our apologies to those who experienced these issues.

ORIGINAL POST: 

We’re actively investigating reports of sporadic connectivity with join.me, LogMeIn Pro and LogMeIn Central. We apologize for any inconvenience this may cause, and wanted to assure you that our team is working tirelessly on a resolution. Here’s a quick update on what we’re seeing and potential options that may resolve the issues in the meantime, should you experience them.

What we’re seeing

The issues are affecting some but not all people, and result in one of the following experiences.

  • Getting ‘kicked out’ of active sessions, i.e. after successfully logging in, people suddenly appear to get disconnected or logged out.
  • LogMeIn.com or join.me homepages not loading or inaccessible, i.e. you cannot access either the join.me or LogMeIn.com website from your browser.

Based on our investigation, we believe both are related to a single, common issue, and we’re actively fixing it.

What might help

One potential short-term fix is to clear your cache, close your browser and try to re-connect. Many people who have reported these issues have since been able to connect upon further attempts.

When the issues will be resolved

Our team has been working around the clock, and we believe we have identified the contributing factors. Fixes are actively being tested and applied now. We believe that these steps will enable us to reach a resolution by this weekend, and we will provide a further update as soon as possible.

In the meantime, thank you for your patience, and once again, we apologize for any inconvenience or disruption this may have caused.


LogMeIn and OpenSSL

UPDATED

As you may be aware, a major vulnerability has recently been discovered for OpenSSL, the popular encryption software that powers 2/3 of the web. Some LogMeIn services and products rely on OpenSSL.

We take the security of our customer data very seriously and at this time have no evidence of any compromise, but like many web companies, our security team took immediate action to proactively address the issue.

We’ve already updated many products and parts of our services that rely on OpenSSL, and are in the process of updating all remaining aspects of our services that leverage OpenSSL.

In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users and will provide product-specific updates if and when necessary.

Update:

We’ve completed key updates to impacted products and services, including replacing certificates on the affected servers. Below is a list of products impacted, steps taken and recommended customer actions.

NOT impacted by the OpenSSL vulnerability: LogMeIn Rescue, join.me, Hamachi and AppGuru

Impacted and updated:

LogMeIn Free, LogMeIn Pro, LogMeIn Central — LogMeIn hosts have been updated. Please see this related blog post and FAQ for specifics on the update and additional recommended actions.

BoldChat — Updated. We recommend BoldChat users change their BoldChat password.

Cubby — Updated. We’re recommending that Cubby users change their login password.


Important Changes to LogMeIn Free

We’re making some changes to LogMeIn Free — specifically introducing new volume limits on LogMeIn Free accounts — that will impact a small portion of our user base. While the vast majority of LogMeIn Free users will not be impacted by this change – LogMeIn Free is and will remain free – we wanted to take a minute to explain what is changing, who will be impacted and what, if anything, it will mean for you.

For nearly a decade we’ve sought to provide users with a great free remote desktop access product, and users have been able to install and use LogMeIn Free on as many computers as they wish.  In addition to the tens of millions of individuals who use LogMeIn Free to access their home or work computers, we have thousands of businesses, IT organizations and managed service providers (MSPs) who use LogMeIn Free to remotely access and manage hundreds, thousands and even tens of thousands of computers.

As the nature of remote access and mobile working continues to change, this free model has been extended to a broader set of offerings, including our online meeting service, join.me and our cloud data access product, Cubby.  Free is and has been a mutually beneficial proposition for us and our users, and we plan to keep it that way.

In order to ensure that we can continue to provide high-quality, free remote access services, make meaningful improvements, and invest in products that meet the evolving needs of our customers we will be limiting the number of computers a user can access free of charge to 10. For users that would like to remove this volume limit and access more than 10 LogMeIn Free computers a subscription to LogMeIn Central, our remote management tool, will be required.  Any computers that exist beyond the 10 computer, free-only limit will not be deleted; rather they will not be remotely accessible unless the free account is upgraded to Central.

Again, the vast majority of LogMeIn Free users will not be impacted by this change.   For those impacted by the change, we will do what we can to help ease the transition in a couple of ways.

We will be notifying impacted users by email and via the product, and will provide ample notice and a grace period before enforcing any changes.  We will also be offering discounted pricing for Central starting at $199 for the year for existing LogMeIn Free users, i.e. for less than half the price of a cup of coffee per day, you can remotely access and manage as many computers as you’d like.

We appreciate that with change comes questions, concerns, and sometimes angst.  And we want to make sure our users have quick answers to any questions and all the information needed to help ease the transition.  We hope users will make the decision to upgrade their accounts.  We also recognize many users may not be happy with this change and will unfortunately consider other alternatives.  In the long-term we believe this change will allow us to continue to support all of our users, paid and unpaid.

You can find the answers to common questions here, and our staff will be dedicating an area of our community site for fielding questions and feedback.

-Marton Anka
Founder & CTO
LogMeIn, Inc


Technical deep dive: Cubby security and Cubby Locks

After our last blog post many of you asked for more details about the Cubby Locks feature. It’s challenging to explain Cubby Locks in a way that’s technically accurate yet still easy to consume. However, since Cubby Locks is a unique and powerful feature that helps set Cubby apart from similar services, we encourage you to take the time to understand what Cubby Locks is and what it isn’t.

The first key idea is to understand that data on the cloud in a locked cubby is encrypted and can only be decrypted with your Cubby password. With most similar services, a password is used simply to keep you in or out. That is, a password is used to determine whether you have the right to access the service and your data. With most other services, your data on the cloud is either not encrypted or is encrypted with a key that is stored alongside the data. This means it can be exposed to a rogue employee of the storage service provider, or to anyone who manages to bypass the password-protection layer or gains access due to an error in the application.

Cubby Locks

Cubby Locks utilizes some heavy-duty math to keep your data protected. Even a rogue employee or someone who manages to bypass password-protection would find your data useless without your exact password. And just to clarify a very important point: “Data” throughout this post refers to files at rest in the cloud. Cubby Locks does not provide data encryption on your devices; it’s up to you to secure those. And to get another item out of the way: Data in flight (that is, being transferred between your devices and the cloud) is always transmitted over SSL/TLS with all cubbies, regardless of Cubby Locks.

First let’s look at how a standard cubby works – one that does not take advantage of Cubby Locks. In our data centers all files in all cubbies are stored in encrypted form using the AES-256 symmetric encryption algorithm. The key used for this is the Cubby Data Key (CDK), which is randomly generated for each new cubby. CDKs are stored in our database alongside the other properties of the cubby. When you log in to cubby.com, the web application fetches the CDK from the database and uses it to encrypt and decrypt your data when you upload or download files from your cubby. As with most other services, your password gets you into the web site but does not add any extra encryption.

During your first login to Cubby a series of events happen. First we generate a symmetric key called the User Symmetric Key (USK). We encrypt the USK with your password and store it in an encrypted form (AES-256) in our database. Second, we generate a 4096-bit RSA key pair called the User RSA Key (URK). We encrypt the private part of the URK with the USK and store it. The public part of the URK is, as its name implies, stored in plain text. Both USK and URK are specific to and generated for the user account. If you are not familiar with asymmetric encryption, here’s the shortest possible introduction to asymmetric crypto: Anything encrypted with the public key can only be decrypted with the private key and vice versa.

Still with us? Now, let’s take a closer look at Cubby Locks. When you lock a cubby we encrypt the CDK with the public part of the URK, store it in this form and delete the plaintext CDK from the database. Remember that this CDK can only be decrypted with the private part of the URK. That’s all. Simple, right? Here is the chain of encryption at this point:

  • Your password –> USK –> URK –> CDK –> access Cubby data.

The items on the left side of any arrow are the key for the encryption, while the items on the right side of any arrow are the data to be encrypted. So the arrow means “right side is encrypted with left side.”

What does this all mean? Every item in this chain is stored only in encrypted format in our database except for the password, which is not stored at all by us. In order to do anything with data one needs to unlock this chain, and that can’t be done without your password. That’s why we prompt you for your password so often, and this is why no one, not even a LogMeIn employee or a hacker, can read your data without knowledge of your password.

Finally, let’s discuss the so-called Recovery Key (RK). In practical terms, you use the Recovery Key when you forget your password and must reset it to something new. As discussed above, there is no way to access cloud data in a locked cubby without your password. Without the Recovery Key, the situation would be this: “Forget your password – lose your data on the cloud.” That is, if you were to forget your password and reset it through the standard “email me a password reset link” mechanism, your locked cubbies would be deleted from the cloud and you would be forced to re-synchronize all your data. To give users a chance of avoiding this, we generate a Recovery Key for your account when you access a locked cubby for the very first time; the Recovery Key is a cryptographically random 32-character alphanumeric string. We then encrypt the USK with this Recovery Key using AES-256. (Remember, cubby.com at this point has your plaintext USK since you have just provided your password.) So now we have two copies of the USK in the database, one encrypted with your password and the other encrypted with the Recovery Key. When you go through the forgotten password process and enter your Recovery Key, we use it to decrypt the USK, which is then re-encrypted with your newly created password. This way you can keep your data synchronized with the cloud even if it was in a locked cubby. There is only one Recovery Key per user, so we strongly encourage you to print it and keep it safe. The Recovery Key is stored in the database encrypted with the URK, so it’s only available for you to view online after you enter your password.

  • Recovery Key –> USK –> URK –> CDK –> access Cubby data. 
  • Your password –> USK –> URK –> Encrypted Recovery Key –> Recovery Key.

We should also clarify that there is a case when a Recovery Key will be generated for you even if you don’t lock a cubby yourself. Namely, a Recovery Key will be generated for you when you are invited to a locked cubby or are the member of a cubby that gets locked by its owner.

In many cases there is a balance between security and ease of use. The more secure you want to keep your data the more complex the process gets. With Cubby Locks you get a solution that’s among the strongest security measures on the market, yet still provides a smooth user experience and ease-of-access to your data.

Thanks for sticking through this. We hope we managed to meet the challenge of making Cubby Locks clear. We’ll be glad to clarify if you have any questions. Don’t hesitate to let us know what you think or what you find unclear.

— Sandor Palfy

Fellow, Development & Security


Changes to Hamachi on November 19th

Below is an open letter from our CTO, Marton Anka to our loyal Hamachi users.

Hi Hamachi users,

I’d like to announce a couple of changes to the LogMeIn Hamachi service that will take effect on the 19th of November.

The first change concerns the use of the 5.x.x.x address space. As you may or may not be aware, this address space was allocated by IANA to RIPE NCC two years ago. RIPE NCC has been handing out these addresses to their customers, and having Hamachi active on your computer means that you’re not able to access a growing portion of the Internet. We added IPv6 support to Hamachi a while back, and you can simply turn off the use of the 5/8 space, but we realize that IPv4 is still very important to most of you. Therefore we’ll be changing every Hamachi node’s address to the 25/8 space. The first octet of your Hamachi node’s IPv4 address will change from 5 to 25; the last three octets will be unaffected. If you’re using Hamachi with any sort of dynamic name resolution service (Bonjour, etc.) you will not notice anything different. If, however, you use Hamachi IP addresses in scripts or, say, saved them in SSH client address books, you will need to change these and add the digit 2 in front.

Why 25/8? Well, it rhymes a bit with 5/8, and furthermore, it’s a block that’s been allocated to a foreign government agency for private use for almost two decades. We have no Hamachi users from this address space, and it’s highly unlikely that the general public would need to access one of these IP addresses. However, our general recommendation is that if you can, please turn off IPv4 support in your Hamachi clients. The IPv6 space we’re using has been registered to LogMeIn, and most modern software should function perfectly without needing an IPv4 address.

The second change concerns licensing. Hamachi is an extremely popular free service with many millions of active users, but we here at LogMeIn can only treat it as a hobby since the revenues from the paid product can only support a rather small dedicated development team after we pay for hosting, bandwidth and power. We have very interesting ideas for the Hamachi service’s future, but in order to fund development, we need more customers. We introduced a very affordable pricing tier for Hamachi a while back; $29 per year gives you a network capable of hosting 32 computers. That’s less than a dime (or ten cents for you guys outside the US) per computer per month. You’re paying 250 times more just for electricity in any given month if you use your computer 8 hours a day.

So, in the hopes of converting more of you into paying customers, we’re making a small change to Hamachi: unless a computer is part of a paid network, you need to be logged in and running the Hamachi UI on your desktop in order to allow it to function. If no user is logged on to the computer then – even though the Hamachi service or daemon is active in the background – it will not go online in any networks that it may belong to. We believe this is a fair change; if you’re using Hamachi casually (such as for gaming), then we’re glad to have you as a free user and this change does not affect you. If, on the other hand, you’re using Hamachi to access unattended computers, then this change does affect you and you will want to upgrade to the premium service in order to continue to benefit from it. If you upgrade to the premium service before the 19th of November you’ll save $10 on your standard subscription; that’s just $19/year for 32 computers. Like I said, the price couldn’t be more fair, and by upgrading, you’ll show your support to a few extremely bright and dedicated engineers as well as enable them to bring some extremely cool improvements to the product.

Best,

-Marton Anka
Founder & CTO
LogMeIn, Inc.


LogMeIn by the Numbers

It’s been just over 9 years since LogMeIn’s official inception (then called 3am Labs), and almost 8 years since we introduced our signature remote access product, LogMeIn Free. At the time, if someone were to suggest that one day we’d have tens of millions of users, I’m pretty sure we’d have dismissed them as a dreamer. As we pass one anniversary and approach another, I thought I’d share some interesting stats about LogMeIn and our users that drive us to dream of even bigger and better things. Enjoy, thank you, and stay tuned. The best is yet to come!

LogMeIn by the numbers:

Registered users: over 40,000,000
Application installations: over 190,000,000

Number of computers remotely fixed with LogMeIn Rescue: over 50,000,000
Number of troubleshooting sessions run with LogMeIn Rescue: over 140,000,000

Number of remote access sessions with LogMeIn Free/Pro: well over 2 billion
Peer to peer data transferred for the above 2bn+ sessions: 22+ petabytes

Join.me screen sharing participants: over 50,000,000

Hamachi peer-to-peer VPN tunnels set up: over 24 billion. Relayed VPN tunnels (where a peer to peer connection was not possible to negotiate) total 4.5 billion.

Hamachi’s peer to peer traffic has been over 71 petabytes, traffic relayed through our datacenters a relatively meager 1.7 PB.

These are pretty impressive numbers, and our operations team did a stellar job at keeping the service humming along. Uptime for the most recent years:

2009: 99.96%
2010: 100%
2011: 99.9939%
2012 YTD: 99.9998%

Ok, there are a few more interesting numbers, but we’ll save those for the tenth anniversary retrospective.


Introducing Cubby

Last week we announced Cubby, our latest product, and it was overwhelmingly well received. We will be starting an official Cubby blog soon, but until then Cubby-related content will cybersquat here on b.logme.in. In order to break the silence I thought I’d take a few minutes and explain what goals we had with creating the product and why we think it’s better than the competition.

Cubby is as simple or as flexible as you want it to be. It’s designed to suit your style, not some arbitrary requirements of the software. Simply put, it works the way you work, not the way we want you to. 

You start off with a single cubby. You put stuff into it and it appears on all your devices as well as in the cloud at cubby.com. If that works for you and you don’t need more complexity, that’s fine. You can also create one or more new cubbies and select where their contents appear. With Cubby, you gain fine control over what goes where. For example, you can have your work docs on your office desktop and laptop, your photos on your laptop and your home computer, and so on. Cloud syncing is optional, so you can set a cubby to sync peer-to-peer between your computers when you don’t need web-based or mobile access to a cubby. With peer-to-peer syncing, cubby content doesn’t count against your cloud storage quota.

Cubby is versatile. To share files with somebody, simply send them a URL that provides read-only access to a particular file or folder in one of your cubbies. To collaborate with someone, simply invite them to share a cubby with you, and then that particular cubby will update its contents on the devices of your choice as well as the devices of their choice in real time as changes are made.

Cubby is a safety net. For cubbies that sync with cubby.com, we retain deleted files and previous versions of stuff you overwrite. This is automatic and doesn’t count against your quota; it simply uses whatever free space you have with us on cubby.com. If you start to run out of unused space, the oldest versions of your files are eventually thrown away, but you can easily check how your storage is used and how much space you have for storing old files.

Cubby is secure. Every cubby has its own encryption key that’s further encrypted by your password. When you log in to cubby.com and choose high security mode we use your password to temporarily decrypt your cubby keys so we can show you what you store with us, but when you’re not accessing the website we simply don’t have your encryption keys in a usable form. Your computers with Cubby installed do have a copy of these keys so they’re able to sync information back and forth without your intervention. The only downside to high security mode is that if you forget your cubby.com password and have to reset it without the recovery key that we give you when high security mode is enabled, you lose access to the stuff that’s in cloud storage. Granted, it will re-sync from your computers as soon as they’re online but still, it’s a hassle so this mode will not be enabled by default.

NOTE: While the underlying high security functionality has been implemented (including per-cubby encryption keys) the high security mode will only be publicly available some time later in the beta.

Cubby is smart. It’s powerful and it’s certainly very easy to use, and under the hood there’s a lot of innovation. One of the coolest things is how your computers running Cubby communicate with each other: every computer is assigned an identifier, part of which is the computer’s public IP address. These identifiers are first sorted and then made to form the points around a simple circle graph. Computers will only connect to their immediate neighbor in the graph, and information will flow only between a particular computer and its two neighbors. Why should you or your ISP care about this? Well, this minimizes Internet traffic and makes Cubby replicate files very quickly. Computers on the same network will have the same public IP address which means they will be neighbors on the graph, talking with each other on the LAN without having to involve your ISP. Computers on the same ISP are likely to have similar IP addresses, so they will be neighbors in the Cubby graph, thereby minimizing inter-ISP traffic; again, making things smoother and faster.

We built Cubby from the ground up because we wanted to create a better experience that’s flexible, secure and super easy to use. The underlying technology took us a long time to develop but we think it’s been worth it. Hope you’ll agree.

You can apply on the Cubby website to be part of the closed beta and chances are you won’t have to wait very long. While the line isn’t short by any standards we are letting in thousands of new users every day.

www.cubby.com

-Marton Anka (CTO, LogMeIn)