Weak Certificates

I’ve got an odd little problem at work. I’ve got a Ricoh copier in the Traverse City office that I apparently now can no longer manage remotely due to an error in SSL. The error that Firefox throws is ssl_error_weak_server_cert_key and in Google Chrome it’s ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. In both situations I understand what the issue is, that the SSL layer is weak because the Diffie-Hellman key is not big enough.

I’ve run into this issue before, mostly with self-signed certs and the browsers have usually allowed me to click on an exception and get on with my day. Except for Firefox and Chrome now, that is no longer the case. The browsers just refuse to display the webpage. I understand the logic behind it, everyone wants a more secure web, but sometimes what we are really after isn’t privacy or security, but rather just getting our work done.

I still need to connect to this copier and manage it, and frankly my dear, I don’t really care that much that the transactions be secure. In a way, this security is irrelevant. The traffic on our WAN is flowing over a Meraki VPN site-to-site link, so it’s already secure. This is security on top of security, and it’s in the way.

So I thought about using the awful Internet Explorer for this and I chafe at even considering using one more wretched bit of Microsoft technology – there has to be a better solution. So when you run into little bits like this the best way forward is to pursue my favorite solution, heterogeneous computing! There’s more than one way to get what you are after. So if Firefox and Chrome won’t work, and Internet Explorer is unthinkable, how about Opera?

So I downloaded Opera and installed it. Then I browsed to my copier in Traverse City. Opera told me about the error, but it also provided me with an exception button, and once I clicked that, the error was bypassed and my copier’s remote management screen appeared.

So now I’ll add Opera to all the other browsers I have on my computers. The answer is competition. I wonder sometimes if there isn’t a special browser out there for IT type people like me. They’ll render anything, ignore any “privacy or security” type errors, all so people like me can get our jobs done. For now, Opera seems to lead the pack, at least for this. Thank you Opera!

Google Authenticator

Over the long Fourth of July holiday weekend I received an email from WordPress.com detailing news that they were now fully compatible with the Google Authenticator Two-Factor security system. I haven’t thought of Two-Factor in a long while and decided to look into how Google had cornered the market in this particular security market.

First a little background. The term Two-Factor security means that when you want to prove who you are to some service, called authentication, you usually just have to present two pieces of information, a username and a password. This combination not only identifies who you are and proves your identity through the shared secret of the password, but allows systems to remain as open as possible to all clients who want to connect – assuming that everyone is playing by the rules and nobody is trying to be sneaky or clever. Passwords are notoriously wimpy things, most people give up on complexity because they can’t readily remember the password and it’s not convenient so they select simple passwords like “12345”, “password”, or “secret” and leave it at that. The problem with passwords is that people who make them up are either lazy or don’t care about entropy or complexity and since a lot of your work and identity is being controlled using these systems, using these simple passwords is begging for disaster. Another issue that plagues a lot of people, and goes in with how naturally lazy many of us are, is that people will use one poor password on every site they go to and keep their usernames the same as well. The risk here is that when one service is compromised, all the other services are compromised as well and it’s a huge upward climb to get out of that mess if you find yourself trapped in it.

Cleverness works both against people in general, with thieves, phishers, and hackers as well as for people in general, with things like hashapass or applications like 1Password. Hashapass is a free service that combines the web address of a service with one single complicated password to generate a hash, which is to say, a value that is easily calculated from the combination of the single complicated password and the web address but done so in a way that going backwards is very difficult to do. If any piece of the puzzle is missing, it’s technically unsolvable. As an alternative to this there is 1Password, an application that I have become very fond of, and it uses a similar approach to hashapass. In 1Password one master password unlocks a database of all the sites and their individual passwords so you don’t have to remember a constellation of passwords, all you need is to remember one very good secure password and you are all set. There are a few other nice features to 1Password that I like, being able to generate very long random passwords and store them for me allows me to establish plausible deniability when it comes to my online identities. Because 1Password randomly selected a 32-character password for Facebook, I cannot be compelled, even under torture to reveal that password to anyone else. I just don’t know it. I know 1Password, but that’s not the right question so my account remains secure.

All of this I have collected and use, and I use it everywhere. On my MacBook Pro, my iMac at work, my iPad and my iPhone. 1Password makes it very easy to manage the security database and I’m quite sure that it’s secure. In my life, any more security is rather like putting more padlocks on a firmly locked jail cell, it’s rather silly and feels a lot like overkill. Then again, more security is always better, especially if it’s really clever and somewhat convenient.

Two-Factor security adds another component to the process of authentication. It augments the username and password combination. A password is something I know (or store using 1Password) and the second factor is something called a Time-Based One Time Password (TOTP). This is where the free iPhone app called Google Authenticator comes in. The app records a secret key from a site I wish to prove my identity to in the future, for example, Google itself. I set up two-factor, request a security token for Google Authenticator and set it up in the app. The key is transmitted by QR code, which means you can quickly acquire the long complicated random (hard to type) secret key using the camera in your phone. Once this process is complete the Google Authenticator app displays a six-digit number that will work to prove your identity to the site associated with that particular entry and this entry only exists for 30 seconds at a time. This six-digit password exists only once in any one 30-second period and there is no way to divine this password without having the Google Authenticator application with its stored secret code.

Having two-factor enabled in this way means that my username and password are no longer as important as they once were. Even if my username and password are revealed or compromised without my knowledge, the secret key that I have in my Google Authenticator app remains secure with me and the 30-second-long one-time-password additions remain a secret with me. What I know may be compromised, but what I have (the Google Authenticator) most likely won’t be unless someone steals my phone and finds a way to best the security on that device before I have a chance to wipe it remotely. If my Google Authenticator does become compromised, my passwords will likely not be because they are uncrackable, and so I am still secure.

Practically how does this work? When I want to log into Google Mail using two-factor, this is what I do. I open a web browser, I type in the address “gmail.com” and press enter. Then I enter my username and my password and then in the third field under the password is a box labeled “Google Authenticator Token” and then I grab my phone, start my Google Authenticator application and then read the six-digit number from my phone and type it in. The service logs me right on and after a few seconds, that six-digit password is no longer valid and is meaningless. I’m authenticated and the system did as it was designed to do. One of the nice parts of Google Authenticator is that the entire app is a mathematical operation, it doesn’t require the network at all to generate these numbers, so this would be a good solution for people who may not have a reliable connection to the network or have a data quota on their phone.

Of course, online authentication is just the beginning. I found a way, yesterday, to embed the Google Authenticator system into my Mac OSX Mountain Lion installation so that when I want to login to my computer at work or my laptop I have to type in my username, my password, and read the six-digit code from my Google Authenticator application. The setup isn’t difficult to get it to work. You need a compiled PAM module which I have (just ask if you want a copy) and an application which you use to create the secret key on your computer. With it all set up, and a slight adjustment to a settings file, even if I were to lose security on my password at work nobody could login to my account without my username, password, and GA token.

This arrangement works quite well and I’ve set it up for my Google accounts, my WordPress.com and .org blogs, Facebook, Evernote, and Dropbox accounts as well. Everything is secure, obnoxiously secure. 🙂


Fake installer malware makes its way to Mac | TUAW – The Unofficial Apple Weblog

Fake installer malware makes its way to Mac | TUAW – The Unofficial Apple Weblog.

When it comes to installing things on your Macs I oftentimes advocate a rather carefree attitude. One thing that has always been true, and this article just nails home the point, is that even the most secure system can fall if the person holding the keys is tricked or cheated into opening the door.

I have said to many people whom I’ve given computer advice, if you have doubts, please contact me and I can look at it and give you advice. It’s free, and I’d rather help in the vein of “An ounce of prevention is worth a pound of cure.”

Superpass Password Hasher

Superpass Password Hasher.

This site has a rather novel approach to dealing with passwords. I see this a lot in both my personal and professional life, especially when people lose their computers. The question looms “Did you… ?” and usually the answers aren’t very good, at least from a security standpoint.

One of the biggest things that people can-and-should do is keep individual passwords for every single site they access. Most people could approach this via tools like my beloved 1Password but this may be another approach that might also work. It uses an encryption staple called a hash to generate a multi-character password based on some simple password, a salt (which is used to increase the randomness that is added to the encryption routine) and the domain you are working with. It’s quite elegant in that it offsets the need to store individual passwords because it, supposedly, relies on stable domain names to provide password reproducibility. Each time you enter your simple password, and the domain name hasn’t changed, you should get the same hash over and over again. I still think that 1Password is still the best choice for everyone, but this might be a good starting place especially if cash is tight and you can’t swing a 1Password license.

UPDATE: After trying this out I discovered that it only really works well on plain sites like Google.com. If you go to any other sites, like Apple or nytimes.com the code breaks down on Safari. I couldn’t get it to even work on Firefox 13 on the Mac, so perhaps this isn’t as robust as I had hoped. The idea is still good, however. For what it’s worth.
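To make the reproducibility point concrete, here is a sketch of a domain-based password hasher, added for illustration. It is not Superpass's or hashapass's actual algorithm: it substitutes PBKDF2-HMAC-SHA256, and the function names, iteration count and domain clean-up rule are all assumptions. It shows why the domain string has to be normalized before hashing, since otherwise `nytimes.com` and `https://www.nytimes.com/...` produce unrelated passwords.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_key(url_or_host):
    """Reduce whatever the browser shows to one stable string per site.
    Simplification for this sketch: lower-case the host, drop the port and
    a leading "www."; a real tool would consult the Public Suffix List."""
    text = url_or_host.strip()
    host = urlsplit(text if "//" in text else "//" + text).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def derive_password(master, salt, url_or_host, length=16):
    """Stretch master password + salt + site into a reproducible password."""
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        (salt + "|" + site_key(url_or_host)).encode("utf-8"),
        200_000,  # iteration count: assumed value for this sketch
        dklen=32,
    )
    # URL-safe base64 yields letters, digits, "-" and "_".
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample inputs.
    for site in ("google.com", "nytimes.com", "https://www.nytimes.com/world"):
        print(site, "->", derive_password("simple master", "my-salt", site))
```

The trade-off against a password manager is that nothing is stored, so one leaked master password and salt expose every site at once, and a site that forces a password change needs a new salt or a counter.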

It's silly, and you should stop doing it.

Email confidentiality footers annoy me. I see them frequently on many emails that I get and I think of them as meaningless text that really should be ignored. That an email is somehow a private exchange of information is laughable. Email is sent in plaintext using an open protocol and on the wire it’s all unencrypted.

What really brings this to the forefront is when I see these meaningless bits of mental flotsam and jetsam clogging up my email box because someone set a vacation autoresponse and their membership on an email list is causing them to constantly reply with an “I’ll be out from…” email with this stupid block of text at the bottom asserting that the email is the property of blah blah blah.

Writing email has the same security protections as writing a postcard and tying it to a bird and letting it fly off. Your assertion that your communications are somehow proprietary or classified is utterly hilarious.

If people really wanted to make this not so utterly irrelevant, they should use public-key encryption or at least something like ROT-13 encryption so that the text isn’t readily apparent and takes some work to decode. Sending plaintext with this silly block at the bottom just musses up the display and doesn’t mean anything to anybody. So stop it.

Dropbox Lied to Users About Data Security, Complaint to FTC Alleges | Threat Level | Wired.com

Dropbox Lied to Users About Data Security, Complaint to FTC Alleges | Threat Level | Wired.com.

Read the above article, it’s quite good and covers the problems that many geeks have with Dropbox. I have to admit that I’m quite fond of finding ways to “Have my cake and eat it too” and in the spirit of that saying it’s important to highlight a core issue that needs to be covered: If you don’t manage your own security, you don’t have any.

Every service is vulnerable to a search and seizure order as long as its hardware exists within the United States. Any company that claims that they protect your data even from this basic assumption is lying to you. You can help them by helping yourself. The people who run Dropbox certainly have aims to secure your data, otherwise nobody but a scant few would be willing to store their data in the cloud. This situation is only half-way to what is really required to make a service like Dropbox a real charmer. It comes down to security and I’ve written about it at length before. The end user has to meet Dropbox for the other half of the way. Dropbox encrypts their data using AES-256 and they have a master key that they use along with yours so that they can maintain a backdoor in case of a search and seizure order to fulfill. Protect yourself by using any number of applications, ranging from TrueCrypt, iCrypt, openssh, to encrypted DMG files. If you create one of these encrypted files to store your private information then send it to Dropbox, even if they have to divulge the file to the authorities all they can provide them is another AES-256 encrypted file that they don’t have a key to. When the authorities try to pry open the file, all they’ll see is noise, because they don’t have your key.

It’s really quite easy when you think of it, Dropbox is at most 50% secure. You can provide another 50% making your use of Dropbox 100% secure. It all comes down to going that little extra inch with any of the tools covered above. I can’t help but really love encrypted DMG files as they are the most convenient to use with Macs. You just double-click on the DMG file, enter in your password, and the volume is mounted as if it were a drive on your computer. All the files are plain and easy to use. Ejecting the drive after you are done using it closes it and the data lives 100% secure in the cloud.

Getting bent because Dropbox only gives you 50% security is rather dumb. Anyone at all has to assume that it maxes out at 50% irrespective of what Dropbox claims. If you are smart and secure your own effects, then you’ve nothing to worry about and can get over this silly thing without a single thought. Makes sense to me.

1Password Bug

I ran into this little nasty earlier today. First to set the scene:

  • Mac OSX 10.6.6
  • 1Password Version 3.5.3 (build 30812)

I got an email from Trapster.com informing me that my account may have been compromised. Since I started using 1Password I’ve been making unique 16-character passwords for each individual site, so if a hacker gets my password for one site, he may own that, but nothing else. So I opened up 1Password and my highlight was on another entry related to another item. I went to the search field, typed in “trap” and found the entry for Trapster. I edited it, clicked on the password generator and made a new 16-character password. I clicked the “copy” button in the Password Generator dialog box and 1Password decided to replace the password for the previously highlighted item with the generated password that I meant to go into Trapster’s entry. I did this three times just to make sure I wasn’t losing my marbles.

The way around this is to not use the search feature at all. If you browse and highlight the Trapster entry and put in a new password that way, everything is fine.

I just thought I would blog about this to help anyone who might have run into this bug on their own, it isn’t your mind, it’s the program. I’ve forwarded the bug report to the people who write 1Password, we’ll see what response we get.