• A Developer's Guide to Storage and Manipulation of Passwords

    For many users, creating and entering passwords is an everyday occurrence. On today’s internet, very few services will allow access without some form of credential. Whether it’s internet banking or social networking, the user is required to enter a username and a password.

    Although passwords have a number of weaknesses when compared to alternative methods (such as One Time Tokens), they continue to be the most common form of authorisation. As a developer, it is highly likely that you will need to process and store passwords at some point.

    The aim of this whitepaper is to look at the strengths and weaknesses of the various methods available. We will also look into the available methods of processing supplied credentials to establish whether to permit the user access to the system.

  • A guide to designing Account Security Mechanisms

    The history of the Internet is rife with examples of compromises arising both from poor security hygiene, and also from misguided attempts to "make it more secure" without first considering the implications of changes.

    In this post, I'll be detailing some of the decisions you should be making when designing account security and user management functionality.

    There's likely little in here that hasn't already been stated elsewhere, but I thought it might be helpful to put it all together in one post.

    The post itself is quite long, so headings are clicky links to themselves. For those with limited time, there's a Cheat Sheet style summary towards the bottom.

  • A User's Guide to Data Security and Control

    Data Security is the subject of renewed focus within society following some very high profile leaks of information. Worryingly, recent studies suggest that users fail to accurately appraise the value of the data they handle.

    This presentation is part of the Virya Technologies free training selection and is intended to provide users with a basic introduction to the importance of Data Security.


  • Analysis of a Compromised GMail Account

    My GMail account was compromised by an attacker in China. This documentation details how to investigate and secure after such a breach.


  • Best Practice For Network Security in Small and Medium Sized Business

    Very few businesses can function without a network of computers. Be they Windows or *NIX based, communication is the name of the game. Unfortunately, allowing your computers to communicate with each other does have inherent risks, whether that be malware or unauthorised access.


  • CentOS: Requiring a Yubikey OTP for SSH Password logins

    The increasing ubiquity of the Yubikey makes it an ideal candidate for a Two-Factor Authentication mechanism, and configuring a CentOS based server to require a push of a Yubikey is particularly easy.

    By the end of this documentation, we'll have configured a CentOS server to require that a user provide the following in order to log in via SSH, unless they already have a valid RSA key pair configured on the server:

    • Username (obviously)
    • Account password
    • Valid Yubikey OTP

    For the sake of this documentation, we'll assume that you're using Yubico's validation servers (Yubicloud) rather than running your own (though if you are doing the latter, there's only one change in the configuration).

  • Checking for Outdated Joomla Extensions on your server

    When you're managing Joomla sites it's reasonably easy to keep track of updates, especially if you use something like Watchful to help you. When you're running a server and only managing some (or none) of those sites, it becomes a little more difficult (especially on a busy shared hosting server).

    It's quite easy to shrug and say 'Not my site, not my problem', but the simple fact is that it is. The second someone manages to compromise one of the sites you host, they're going to try and find a way to run arbitrary code; once they've done that, they'll try to run an auto-rooter. If they succeed, it's game over for everyone you host!

    The extension that always comes to mind is the Joomla Content Editor (JCE), as it had a nasty vulnerability involving spoofed GIFs some time back. You'd hope that everyone would have updated by now, but there still seem to be a lot of sites running versions older than 2.1.1!

    In this post, we'll be creating a script designed to automatically check every one of the sites you host for a version of JCE older than the latest. Adjusting it to check other extensions is easy, so long as that extension has an update stream.

  • Computrend Powergrid 902 Powerline Adaptors

    This was originally published at Benscomputer.no-ip.org

  • Darkleech Apache attacks on the rise, but is it really that hard to detect?

    Reports of CDorked.A infections are still on the rise by the looks of things. The attack is reported as 'hard-to-detect', but this should only be true for the more naive sysadmins out there.

    Whilst it's true that CDorked changes nothing on disk, except the HTTPD binary, this change alone should be triggering alerts. On a production server, you should be storing checksums of known good files and comparing these regularly to see if anything's changed.

    As some obviously aren't following this basic step, in this post we'll look at what you need to do to at least be made aware if CDorked gets onto your system - it'd be nice to be able to do a post on avoiding it, but the attack vector is still unknown!

  • Don't Use Web2Tor/Tor2Web (especially Onion.cab)

    Web2Tor and Tor2Web are reverse proxies which allow clearnet users to access Tor Onion Sites (AKA Hidden Services), and there are a variety of services available online (such as onion.to, onion.cab, onion.city and onion direct) running this service.

    This post details why using these is such a bad idea, as well as detailing some of the changes I'm making to the site to help discourage use of these services.

  • Falling Out Of Love With Siteground

    In the past, I've really rated Siteground Hosting very highly, and recommended them to anyone asking about US Based dedicated servers (Heart would be my first choice for UK Based Dedicated Servers or VPS). Unfortunately experience has worn me down.

    To be clear, I'm not, and never have been, a Siteground customer. However, some of the people I do some work for are, so I occasionally have to escalate things to Siteground, or step in when Siteground have asked their customer to take some action.

    I've been quietly sitting on some of these frustrations for a little while, but in the last week some have been added, tipping the balance in my mind.

  • Hacking the Computrend Powergrid 902 Powerline Adaptor

    This was originally published on Benscomputer.no-ip.org in 2009

  • Howto Encrypt your Hard Drive in Microsoft Windows

    Some versions of Windows 7 include BitLocker, a utility which allows you to encrypt the system drive. This, however, is of little use to those not running the 'Ultimate' version of Windows 7. Fortunately, there is a free alternative: TrueCrypt. TrueCrypt supports Windows 2000/XP/Vista and 7.

    This walkthrough will show you how to encrypt your entire hard drive so that, should your laptop be lost, an attacker will be unable to access your sensitive information (unless, of course, you left the laptop powered on!).

  • Howto Encrypt Your Removable Media on Linux

    Data security is an area that people are becoming increasingly aware of. Between companies losing customer details and the growing risk of identity theft, it's becoming increasingly important that removable media be encrypted.

  • Howto uninstall the Security Tool Scareware package

    A friend recently asked me to take a look at her laptop as it was reporting that it had numerous viruses. When I fired it up, you couldn't run a thing, but there were numerous warnings about viruses trying to steal my credit card data.

  • Installing and Using the SCR335 PGP Smartcard reader on Linux


    This document details how to configure and install the SCR335 PGP Smartcard reader on Linux systems.


  • Introducing PHPCredLocker Version 1

    For a little while now, I've been working on a small PHP based project designed to store passwords securely. After a lot of testing, bug-hunting and fixing, PHPCredLocker has reached version 1.

    Designed to prefer security over convenience, the system takes every step it can to protect stored credentials. Depending on the version of PHP you are running, passwords will be encrypted with either OpenSSL or MCrypt. A different key is used for each credential type (think FTP password vs Joomla password) and the database has been designed to be as unhelpful as possible to any miscreant who should manage to get a database dump.

    I'm not an interface designer, so the template is very basic, but PHPCredLocker has been designed so that you can adjust and override as necessary (modules and views can be overridden, and templates are easy to create).


  • My Own Little HeartBleed Headache

    When the HeartBleed bug was unveiled, I checked all of my servers to see whether they were running vulnerable versions. They weren't, but once the patched versions were released it seemed a good juncture to test and roll out the update to one server.

    What followed was something of a headache, initially with all the markings of a serious compromise.

    Having now identified and resolved the root cause, I thought I'd write a post about it so that others seeing similar behaviour can get something of a head start.

    In response to threats such as CDorked, I run PHP Changed Binaries on all my servers, so any file in PATH is checked (daily) for changes, based on a cryptographic checksum. If any changes are detected, an alert is raised so that I can investigate the cause of the change.

    The day after I updated OpenSSL, I started receiving alerts for a wide variety of files (I'd updated hashes following the update of OpenSSL).

  • PHP Changed Binaries

    PHPChangedBinaries is a simple server monitoring script. It's designed to do one thing: detect and notify when system files change.

    I've been running a very similar script for years, but in the wake of CDorked/DarkLeech decided it needed a refresh. The script works by generating checksums for all files within pre-configured paths (you can add more through the configuration file). These are then checked against a stored hash to see if anything has changed; if it has, the system admin is alerted.

  • RemoteHashStore Documentation

    RemoteHashStore is an API designed for use by the PHP Changed Binaries monitoring script. Its function is simply to maintain a database of file hashes and compare those hashes against those submitted when checking files. This documentation relates to the client included in the PHP Changed Binaries system. See the relevant documentation if you're attempting to build a client for the RemoteHashStore API (Coming Soon!).