Ben Tasker's Blog

ON-Networks PL500 Powerline Adapters

Quite some time ago, I played around with some Computrend 902 Powerline adapters and found a number of different security issues - here and here.

Those devices are long gone, but whilst the issues I found were relatively minor (if nothing else, proximity was required) it left me a little concerned about the security of any devices that might replace them. For quite some time, I didn't need to use any powerline adapters, but eventually the need arose again (no practical way to run CAT-5 to the location and the Wifi reception is too spotty).

So I bought 2 pairs of On-Networks' PL500S Powerline adapters. Depending where you buy them from, the model number may be PL500P, PL500-UKS, or even the Netgear part number - Netgear ON NETWORKS PL500-199UKS.

I've not got as far as giving them a serious hammering from a security perspective as yet, however there doesn't seem to be much information about these devices available on the net (and what is there is potentially misleading), so I thought I'd post the information I've pulled together from prodding the devices, as well as a few common sense facts that might be being missed. As I'd have found some of the information helpful had it been available prior to purchase, I suspect others might find it of use too.


Understanding Password Storage

I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common - assuming that a commonly stated fact applies to all scenarios, and failing to apply a bit of simple logic that would tell them the answer - because that's the only way the system would work.

In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).


A Bad Boss Can Ruin Your Job

We've all, almost certainly, had a boss we didn't necessarily get on with at some point, but that doesn't necessarily make them a bad boss.

People are different, and sometimes viewpoints collide; it's an unavoidable risk of putting distinct personalities into a group and asking them to spend their days together.

What makes a true bad boss is when the power/influence they exert is misused.

In my career, I've had one particularly bad boss (I hasten to add - I'm not working there anymore!). Not only did their behaviour ruin my enjoyment of my role, but they (in my opinion) deliberately went out of their way in an (ultimately unsuccessful) attempt to severely tarnish my reputation and my name. Their attempt could also have had a devastating effect upon my quality of life.

In this post, I'll be taking a broad overview of what happened, and examining what I learnt from the experience, and (with the benefit of hindsight) what the early warning signs were.

The events I'm going to discuss occurred a number of years ago and I always planned to write about it, but wanted to leave it long enough that I could be truly objective. As a result, I never quite got around to writing about my experiences.

Being a denizen of a number of internet forums, I've seen others post about experiences they're currently going through, and some of them really ring alarm bells for me - so it seems like the right time to get around to writing about it.

I'm not going to name names, as that isn't the point in this piece. I've tried to keep it as brief as possible, but being quite complex it's not as short as I had originally hoped.


My Own Little HeartBleed Headache

When the HeartBleed bug was unveiled, I checked all of my servers to see whether they were running vulnerable versions. They weren't, but once the patched versions were released it seemed a good juncture to test and roll out the update to one server.

What followed was something of a headache, initially with all the markings of a serious compromise.

Having now identified and resolved the root cause, I thought I'd write a post about it so that others seeing similar behaviour can get something of a headstart.

In response to threats such as CDorked, I run PHP Changed Binaries on all my servers, so any file in PATH is checked (daily) for changes, based on a cryptographic checksum. If any changes are detected, an alert is raised so that I can investigate the cause of the change.

The day after I updated OpenSSL, I started receiving alerts for a wide variety of files (I'd updated hashes following the update of OpenSSL).


Falling Out Of Love With Siteground

In the past, I've really rated Siteground Hosting very highly, and recommended them to anyone asking about US-based dedicated servers (Heart would be my first choice for UK-based dedicated servers or VPS). Unfortunately, experience has worn me down.

To be clear, I'm not, and never have been, a Siteground customer. However, some of the people I do some work for are, so I occasionally have to escalate things to Siteground, or step in when Siteground have asked their customer to take some action.

I've been quietly sitting on some of these frustrations for a little while, but in the last week some have been added, tipping the balance in my mind.
