• A Developers Guide to Storage and Manipulation of Passwords

    For many users, creating and entering passwords is an everyday occurrence. On today’s internet, very few services will allow access without some form of credential. Whether it’s internet banking or social networking, the user is required to enter a username and a password.

    Although passwords have a number of weaknesses when compared to alternative methods (such as one-time tokens), they continue to be the most common form of authentication. As a developer, it is highly likely that you will need to process and store passwords at some point.

    The aim of this whitepaper is to look at the strengths and weaknesses of the various methods available. We will also look into the available methods of processing supplied credentials to establish whether to permit the user access to the system.

  • A guide to designing Account Security Mechanisms

    The history of the Internet is rife with examples of compromises arising both from poor security hygiene, and also from misguided attempts to "make it more secure" without first considering the implications of changes.

    In this post, I'll be detailing some of the decisions you should be making when designing account security and user management functionality.

    There's likely little in here that hasn't already been stated elsewhere, but I thought it might be helpful to put it all together in one post.

    The post itself is quite long, so headings are clicky links to themselves. For those with limited time, there's a Cheat Sheet style summary towards the bottom.

  • A User's Guide to Data Security and Control

    Data Security is the subject of renewed focus within society following some very high profile leaks of information. Worryingly, recent studies suggest that users fail to accurately appraise the value of the data they handle.

    This presentation is part of the Virya Technologies free training selection and is intended to provide users with a basic introduction to the importance of Data Security.


  • Analysis of a Compromised GMail Account

    My GMail account was compromised by an attacker in China; this documentation details how to investigate and secure an account after such a breach.

  • Barclays Online Banking gives 3rd Parties access to login pages

    Banks aren't exactly known for living on the bleeding edge - even where good security practice moves on, they tend to be years behind. For better or worse, they lean toward preferring stability and consistency over chasing the latest and greatest.

    However, this issue doesn't really fall under that traditional niche of "well, banks will be banks".

    Barclays bank (and others) are giving 3rd party scripts access to their Internet Banking login pages; the result is that a compromise or mistake at their supplier could compromise their customers' login credentials.

    I highlighted this issue a few months back, and Barclays replied with "deliberate, not an issue" (paraphrasing a bit there), so I'm now getting around to writing it up.

  • Best Practice For Network Security in Small and Medium Sized Business

    Very few businesses can function without a network of computers. Be they Windows or *NIX based, communication is the name of the game. Unfortunately, allowing your computers to communicate with each other does have inherent risks, whether that be malware or unauthorised access.


  • CentOS 8: Requiring a Yubikey OTP Press for SSH logins

    Some 7 years back, I wrote a guide to requiring a Yubikey OTP for SSH logins on CentOS. In the time that's passed, the process has changed (a little), so this documentation provides an updated reference.

    Although this is written (and tested) for CentOS 8, it should work equally well on CentOS 7 (and presumably Rocky Linux) too.

    Yubikeys have become more flexible since my previous post, and their relative ubiquity makes them a fantastic candidate for two-factor authentication tokens. Modern Yubikeys support U2F as well as Yubico's proprietary OTP mechanism, allowing them to be used with a wide range of software.

    By the end of this documentation, we'll have configured a CentOS 8 server to require that a user provide a Yubikey press along with

    • Username AND
    • Account password, OR
    • Authorised SSH key

    For brevity's sake, the majority of this documentation assumes you want root to manage users' Yubikeys (something Yubico call Administrative level management). Switching between the two is relatively straightforward, so details on how to switch to "User Level" will be given at the end of the document.

  • CentOS: Requiring a Yubikey OTP for SSH Password logins

    This documentation was written in 2014. A more up to date version can be found in CentOS 8: Requiring a Yubikey OTP Press for SSH logins


    The increasing ubiquity of the Yubikey makes it an ideal candidate for a Two-Factor Authentication mechanism, and configuring a CentOS based server to require a push of a Yubikey is particularly easy.

    By the end of this documentation, we'll have configured a CentOS server to require that a user provide the following in order to log in via SSH, unless they already have a valid RSA key pair configured on the server

    • Username (obviously)
    • Account password
    • Valid Yubikey OTP

    For the sake of this documentation, we'll assume that you're using Yubico's validation servers (Yubicloud) rather than running your own (though if you are doing the latter, there's only one change in the configuration).

  • Checking for Outdated Joomla Extensions on your server

    When you're managing Joomla sites it's reasonably easy to keep track of updates, especially if you use something like Watchful to help you. When you're running a server and only managing some (or none) of those sites, it becomes a little more difficult (especially on a busy shared hosting server).

    It's quite easy to shrug and say 'Not my site, not my problem', but the simple fact is that it is. The second someone manages to compromise one of the sites you host, they're going to try and find a way to run arbitrary code; once they've done that, they'll try to run an auto-rooter. If they succeed, it's game over for everyone you host!

    The extension that always comes to mind is the Joomla Content Editor (JCE), as it had a nasty vulnerability involving spoofed GIFs some time back. You'd hope that everyone would have updated by now, but there still seem to be a lot of sites running versions older than 2.1.1!

    In this post, we'll be creating a script designed to automatically check every one of the sites you host for a version of JCE older than the latest. Adjusting it to check other extensions is easy, so long as that extension has an update stream.
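    As an added example (not the script from the post itself), here is a POSIX shell sweep of a hosting root for JCE installs older than a given version. It assumes each Joomla site's JCE manifest lives at administrator/components/com_jce/jce.xml under the site root and carries a <version> element, extracts that version, and compares it to the "latest" version you pass in, which on a real server you would read from the extension's update stream. It relies on GNU sort -V for version ordering. The demo at the bottom builds two constructed sites in a temporary directory so it runs offline; a manifest it cannot parse is reported as UNKNOWN rather than silently skipped, because a site you can't assess is still a site you host.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions: all Joomla sites live
# below one hosting root; JCE's manifest is at
# <siteroot>/administrator/components/com_jce/jce.xml and contains a
# <version>x.y.z</version> element; GNU coreutils (sort -V, mktemp) are present.

# jce_version MANIFEST  -> print the version string found in the manifest
jce_version() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$1" | head -n 1
}

# version_lt A B  -> exit 0 when dotted version A sorts strictly before B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# jce_outdated ROOT LATEST  -> one "version  manifest" line per site whose JCE
# is older than LATEST; unparseable manifests are reported as UNKNOWN
jce_outdated() {
    root="$1"; latest="$2"
    find "$root" -type f -path '*/administrator/components/com_jce/jce.xml' 2>/dev/null |
    while read -r manifest; do
        v=$(jce_version "$manifest")
        if [ -z "$v" ]; then
            printf 'UNKNOWN  %s\n' "$manifest"
        elif version_lt "$v" "$latest"; then
            printf '%s  %s\n' "$v" "$manifest"
        fi
    done
}

# jce_demo  -> two constructed sites in a temp dir, one of them outdated
jce_demo() {
    tmp=$(mktemp -d)
    for site in old new; do
        mkdir -p "$tmp/$site/administrator/components/com_jce"
    done
    printf '<extension type="component"><name>JCE</name><version>2.0.10</version></extension>\n' \
        > "$tmp/old/administrator/components/com_jce/jce.xml"
    printf '<extension type="component"><name>JCE</name><version>2.1.1</version></extension>\n' \
        > "$tmp/new/administrator/components/com_jce/jce.xml"
    echo "Sites running JCE older than 2.1.1:"
    jce_outdated "$tmp" 2.1.1
    rm -rf "$tmp"
}

# On a real server: jce_outdated /var/www/vhosts 2.1.1  (substituting whatever
# version the JCE update stream currently reports as latest)
jce_demo
```

    Run from cron and mail the output, and the first line you see for a site is the one to chase. Dropping the -path pattern in favour of another extension's manifest path is all that is needed to check a different extension.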

  • Computrend Powergrid 902 Powerline Adaptors

    This was originally published at Benscomputer.no-ip.org

    I ran a variety of basic tests against the Computrend Powergrid 902 Powerline Adaptors; these are the results.

  • Cynet 360 Uses Insecure Control Channels

    For reasons I won't go into here, recently I was taking a quick look over the "Cynet 360" agent, essentially an endpoint protection mechanism used as part of Cynet's "Autonomous Breach protection Platform".

    Cynet 360 bills itself as "a comprehensive advanced threat detection & response cybersecurity solution for for [sic] today's multi-faceted cyber battlefield". 

    Which is all well and good, but what I was interested in was whether it could potentially weaken the security posture of whatever system it was installed on.

    I'm a Linux bod, so the only bit I was interested in, or looked at, was the Linux server installer.

  • Darkleech Apache attacks on the rise, but is it really that hard to detect?

    Reports of CDorked.A infections are still on the rise by the looks of things. The attack is reported as 'hard-to-detect', but this should only be true for the more naive sysadmins out there.

    Whilst it's true that CDorked changes nothing on disk, except the HTTPD binary, this change alone should be triggering alerts. On a production server, you should be storing checksums of known good files and comparing these regularly to see if anything's changed.

    As some obviously aren't following this basic step, in this post we'll look at what you need to do to at least be made aware if CDorked gets onto your system - it'd be nice to be able to do a post on avoiding it, but the attack vector is still unknown!
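    As an added example, and not a script from the original post, here is the checksum baseline the paragraph above calls for, in POSIX shell. It records SHA-256 hashes of the files you care about (the Apache binary at /usr/sbin/httpd and its modules, say), and a second function re-checks them, reporting anything changed or missing and exiting non-zero so cron can alert on it. The caveat a practitioner needs is in the comments: the baseline must be taken while the system is known-good and kept somewhere the attacker cannot rewrite (read-only media or another host), or they will simply re-baseline after swapping the binary. The demo at the bottom runs against a constructed "httpd" file in a temporary directory so it works offline; the /usr/sbin path is only an illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal file-integrity
# check of the kind the text recommends. A CDorked-style compromise replaces
# the httpd binary on disk, which a stored checksum catches on the next run.
#
# Assumptions: GNU coreutils (sha256sum, mktemp); paths without spaces.
# Take the baseline while the system is known-good and store it where the
# attacker cannot edit it (read-only media or another host); a baseline the
# attacker can rewrite proves nothing.

# fim_baseline BASELINE FILE...  -> record "sha256  path" for each file
fim_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] || { echo "SKIP     $f (not a regular file)" >&2; continue; }
        sha256sum "$f" >> "$baseline"
    done
}

# fim_check BASELINE  -> print CHANGED/MISSING lines; exit 0 only if all match
fim_check() {
    baseline="$1"
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# fim_demo  -> exercises both functions on a constructed stand-in for httpd
fim_demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is the real apache binary\n' > "$tmp/httpd"
    fim_baseline "$tmp/baseline.sha256" "$tmp/httpd"
    fim_check "$tmp/baseline.sha256" && echo "clean: baseline matches"
    # Simulate the trojaned binary being dropped over the original
    printf 'trojaned httpd\n' > "$tmp/httpd"
    fim_check "$tmp/baseline.sha256" || echo "alert: integrity check failed"
    rm -rf "$tmp"
}

# In production, something like:
#   fim_baseline /mnt/ro/httpd.sha256 /usr/sbin/httpd /usr/lib64/httpd/modules/*.so
#   fim_check /mnt/ro/httpd.sha256 || mail -s "httpd integrity failure" root
fim_demo
```

    This only tells you the binary changed; it does not tell you how it got there, and a legitimate package update will also trip it, so re-baseline (from a trusted source) immediately after each patch run.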

  • Don't Use Web2Tor/Tor2Web (especially Onion.cab)

    Web2Tor and Tor2Web are reverse proxies which allow clearnet users to access Tor Onion Sites (AKA Hidden Services), and there are a variety of services available online (such as onion.to, onion.cab, onion.city and onion direct) running this service.

    This post details why using these is such a bad idea, as well as detailing some of the changes I'm making to the site to help discourage use of these services.

  • Educating Our Way to Security

    The Internet Security landscape is littered with the metaphorical bodies of those who routinely fall for the popular ruses perpetrated by malware authors, phishing scams and 419'ers. Much of the badware out there is reliant on convincing the target (or mark) to undertake some type of action; education is therefore a very important weapon in the fight against 'cybercrime'.

    This Whitepaper discusses a number of threats facing businesses today.

    Read the whitepaper: Educating our way to security.

  • Email and Captcha Generation Scripts

    This content was originally published to benscomputer.no-ip.org

    This page provides links to a couple of scripts that I knocked together today. One manages and processes Captchas and the other takes input from an HTML form and then e-mails it to you.

  • Falling Out Of Love With Siteground

    In the past, I've really rated Siteground Hosting very highly, and recommended them to anyone asking about US Based dedicated servers (Heart would be my first choice for UK Based Dedicated Servers or VPS). Unfortunately experience has worn me down.

    To be clear, I'm not, and never have been, a Siteground customer. However, some of the people I do some work for are, so I occasionally have to escalate things to Siteground, or step in when Siteground have asked their customer to take some action.

    I've been quietly sitting on some of these frustrations for a little while, but in the last week some have been added, tipping the balance in my mind.

  • Howto Encrypt your Harddrive in Microsoft Windows

    Some editions of Windows 7 include BitLocker, a utility which allows you to encrypt the system drive. It is, however, of little use to those not running the Ultimate or Enterprise editions. There is a free alternative: TrueCrypt, which supports Windows 2000/XP/Vista and 7.

    This walkthrough will show you how to encrypt your entire harddrive so that should your laptop be lost, an attacker will be unable to access your sensitive information (unless, of course, you left the laptop powered on!)

  • Howto Encrypt Your Removeable Media on Linux

    Data security is an area that people are becoming increasingly aware of. Between companies losing customer details and the growing risk of identity theft, it's becoming ever more important that removable media be encrypted.

  • Howto uninstall the Security Tool Scareware package

    A friend recently asked me to take a look at her laptop as it was reporting that it had numerous viruses. When I fired it up, you couldn't run a thing, but there were numerous warnings about viruses trying to steal my credit card data.

  • Installing and Using the SCR335 PGP Smartcard reader on Linux


    This document details how to configure and install the SCR335 PGP Smartcard reader on Linux systems.
