  • A Developer's Guide to Storage and Manipulation of Passwords

    For many users, creating and entering passwords is an everyday occurrence. On today’s internet, very few services will allow access without some form of credential. Whether it’s internet banking or social networking, the user is required to enter a username and a password.

    Although passwords have a number of weaknesses when compared to alternative methods (such as One Time Tokens), they continue to be the most common form of authorisation. As a developer, it is highly likely that you will need to process and store passwords at some point.

    The aim of this whitepaper is to look at the strengths and weaknesses of the various methods available. We will also look into the available methods of processing supplied credentials to establish whether to permit the user access to the system.

  • David Cameron: Idiot, Dangerous or just a lover of soundbites?

    We've heard Theresa May parroting the same lines for months, but in the wake of the Charlie Hebdo massacre, David Cameron has joined the choir of people calling for new surveillance powers.

    Mr Cameron has stated that if the Conservatives are re-elected, he will ensure that there is no form of communication that cannot be intercepted by the government.

    So, one of the questions we'll be examining in this post is: is David Cameron

    1. An idiot who doesn't understand the technology he's talking about
    2. Demonstrating that pre-election promises are inevitably broken
    3. Planning on introducing a draconian surveillance state
    4. Being mis-informed by other parties
    5. Simply creating sound-bites to raise the chances of re-election

    Most of the coverage thus far has focused on option 3 - which seems fair given that it's the inevitable result of actually attempting to do what he is claiming.

    We'll also be taking a look at why Option 3 could, and should not, happen.

  • Howto Encrypt your Harddrive in Microsoft Windows

    Some versions of Windows 7 include Bitlocker, a utility which allows you to encrypt the system drive. This, however, is of little use to those not running the 'Ultimate' version of Windows 7. There is, however, a free alternative – TrueCrypt. TrueCrypt supports Windows 2000/XP/Vista and 7.

    This walkthrough will show you how to encrypt your entire hard drive so that, should your laptop be lost, an attacker will be unable to access your sensitive information (unless, of course, you left the laptop powered on!).

  • Howto Encrypt Your Removable Media on Linux

    Data security is an area that people are becoming increasingly aware of. Between companies losing customer details and the growing risk of identity theft, it's becoming increasingly important that removable media be encrypted.

  • PGP Encrypted Text Chat Via DNS

    In a recent post, I alluded to having given a little bit of thought to ways in which clandestine communications could be achieved.

    Having given a little more thought to the idea, I was unable to resist the temptation to build a small proof of concept - if only to see whether there were any obstacles that I hadn't considered.

    This post is the documentation for DNSChat - a small proof of concept enabling PGP encrypted text chat using DNS Queries as a transport mechanism.

  • Protecting Identity and Copyright Online

    At times, it really feels like the world is completely fucked. We've got a US president who somehow manages to be enough of an arse to fall out with Canadians flying off to meet a nuclear armed mad-man. We seem to be witnessing the increasing rise of a foaming mouthed racist alt-right, and have long since mourned the death of quality journalism in the media. Israeli defence forces are so focused on justifying murder of unarmed civilians that they now tweet about executing people for throwing a stone.

    Yes, at times, it seems like the entire world is off to hell in a hand-cart.

    Underneath it all, though, politics doesn't seem to be that different behind the scenes. Politicians are still trying to implement many of the same stupid things that we've seen raised again and again throughout our lives.

    As fucked as the world may seem, it's important that it not act as a distraction from the issues we can do something about. Trump, for better or worse, is here to stay (at least until his KFC infested diet catches up with him).

    But we can do something about fuckwits in Government once again suggesting that implementing the ability to control and track what everyone does online is in any way a positive. We also can do something about fuckwits from many Governments who think it's beneficial for humanity for them to take a bended knee before Copyright cartels and screw the lot of us in the process (otherwise known as Article 13 of the EU Copyright Directive).

    This post isn't about the things that have become big, but about the things that will become massive infringements on our lives if allowed to pass unchallenged.

  • Republished: CPS trying to bluff RIPA Action?

    This was originally posted to benscomputer.no-ip.org 14 Nov 2007

    This story caught my eye as it holds consequences for all of us. Well, those of us that use encryption anyway. As you may be aware, on the 1st October 2007 RIPA came into effect. To put the law basically, if you encrypt something then the police can require you to hand over your encryption keys. If you don't and it's not terror related then you can get 2 years in the slammer; if it is terror related then you are looking at 5 years.

  • The Importance of Salting Stored Passwords And How To Do So Correctly

    Many will have watched the recent releases of user passwords from Sony (and others) with interest. A lot of people won't, however, realise why Sony's practices were so poor. For many, storing passwords means just that, purely because they aren't aware of the methods available to make it a lot harder for an attacker to gain access to users' passwords.

    Whilst network security obviously plays a very important part, even when that fails it should be almost impossible for an attacker to tell you what your password was based on nothing but a database dump. In this short post we'll examine exactly how passwords should be handled and stored in a database.

  • Understanding Password Storage

    I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same - "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common - assuming that a commonly stated fact applies to all scenarios, and failing to apply a bit of simple logic that would tell them the answer - because that's the only way the system would work.

    In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).

  • Understanding the Difficulty of Assessing True Randomness

    I've had to explain, more than a few times, quite why it's so hard to assess whether a Random Number Generator (RNG) is compromised unless you have access to how the specific implementation works. Just because the data appears to be random, does not necessarily mean that it is actually unpredictable.

    In this short piece of documentation, I'll be attempting to demonstrate exactly how a compromised RNG can appear to be generating random data, based on the tests that are available to us.

  • Why is Encryption not used more?

    Earlier this year I wrote this piece questioning why use of encryption was still not widespread. If more businesses and agencies adopted encryption, there'd be far less data leakage.

    Had Fisher Hargreaves Proctor employed encryption, the breach of their site would not have been so severe. Yet businesses continue to use and store unencrypted data as a matter of course. Why?

  • Why You Shouldn't be using SHA1 or MD5 to Store Passwords

    There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities resulting in a lot of high profile leaks of user data.

    I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

    Although still widely used, checksum algorithms such as SHA1 and MD5 are no longer sufficiently secure.

    In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.