Tag: Security

  • Generating secure passwords

    One corporate blogger at Symantec recently wrote about the useless passwords that people use (with various lists placing “password” at or close to the top of the list). His source contained some dubious claims (e.g. it claimed that one of the top passwords across Europe is “monkey”… maybe that is the case for English speaking Europeans but it’s unlikely to be the case in French, German, Spanish, Italian, Portuguese, Greek, etc., etc.) but his point is valid – systems that require a password require one for a reason – usually to protect either the data contained in the system, or the reputation/identity of the person to which access is being granted or the company who operates the system.

    As a concept, the idea of a username and accompanying password is flawed – ideally we would be using another form of identification and authentication – and that should use multiple factors (something I have/know/am) but in amongst the nearly 2 hours of drivel that was last week’s MacBreak Weekly podcast (note to self: drop this subscription from iTunes) was a little gem about generating new secure passwords. The panel was advocating the use of a utility such as OnePass to generate and manage passwords when one of them said he does something similar from the command line: Unix/Linux and Mac users can type openssl rand -base64 6 to generate a secure 8 character password (the number on the end of the command needs to be multiplied by 4 thirds to get the length of password – more details of using OpenSSL to generate secure passwords are available at the tech-recipes website).
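    The “multiply by four thirds” rule above is worth seeing worked through, because base64 emits 4 characters per 3 bytes and pads with “=” when the byte count is not a multiple of 3. The following is an added example (not from the original post or the podcast) that mirrors what openssl rand -base64 N does, using Python’s secrets module as the random source; the function names are my own.

```python
import base64
import math
import secrets

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def base64_output_length(n_bytes: int) -> int:
    """Characters printed by `openssl rand -base64 N` for N random bytes.

    Base64 produces 4 characters for every 3 input bytes; when N is not a
    multiple of 3 the last group is padded with '=', so the exact length is
    4 * ceil(N / 3) rather than N * 4/3.
    """
    return 4 * math.ceil(n_bytes / 3)


def generate_password(n_bytes: int, strip_padding: bool = True) -> str:
    """Same construction as `openssl rand -base64 N`, driven by the OS CSPRNG.

    secrets.token_bytes (never the `random` module) supplies the bytes. With
    strip_padding=True trailing '=' characters are removed, which is usually
    what you want in a password; the remaining length is ceil(8N / 6), i.e.
    6 bytes -> 8 characters, 7 bytes -> 10, 8 bytes -> 11, 9 bytes -> 12.
    """
    text = base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")
    return text.rstrip("=") if strip_padding else text


def bytes_for_length(chars: int) -> int:
    """Smallest N such that the padding-stripped output has at least `chars`
    characters: the inverse of the 4/3 rule. Eight characters need 6 bytes,
    ten need 7, twelve need 9."""
    return (3 * (chars - 1)) // 4 + 1


def entropy_bits(n_bytes: int) -> int:
    """Strength comes from the random bytes, not the printed length: N bytes
    carry 8N bits however the text is encoded (6 bytes -> 48 bits)."""
    return 8 * n_bytes


if __name__ == "__main__":
    for n in (6, 7, 8, 9):
        pw = generate_password(n)
        print(f"{n} bytes -> {len(pw):2d} chars, {entropy_bits(n)} bits: {pw}")
```

The padding caveat matters when scripting this: a site that rejects “=” or “/” in passwords will reject some openssl output, so strip the padding (as above) or re-run when a disallowed character appears.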

    One man who knows an awful lot about security, Steve Gibson, has produced a secure online password generator but the 64-character passwords it generates are a bit extreme for most purposes – and “secure” passwords of any length create their own problem – they are totally unmemorable, so most users will resort to using some form of password safe (either online or offline), reducing the security considerably.

    Then there’s the issue of password policy – some sites will limit the length of a password whilst others will require the use of special characters.

    At work, I use a variety of corporate systems, some of which respect my Active Directory logon, and others (timesheeting, more timesheeting, mobile phone billing, self-service HR portal) which do not – each with its own password policy for password length, complexity, re-use and expiry. Then there are the hundreds of websites that I use and which require registration. It’s a usability nightmare – and many people will use the same passwords repeatedly – an identity thief’s dream.

    I prefer to use a memorable passphrase, which is typically longer than a password and although it may include dictionary words they do not make up the entire password. For example, if my password needs to be changed and something is happening at that time that might be memorable I could use that – “2008HolidayinFrance” is memorable, easy to type and whilst it includes dictionary words it’s also 19 characters long so spotting the dictionary word placement might take a while for a password cracker.

    Of course, there is no one answer – what works for me might not work for you. What I’m pretty certain of though is that “password” is not a good password and that re-using the same password (or variations on it) is not a good idea either.

  • Preparing a 1st generation iPhone for resale

    In some ways, this post is of limited value – as it’s for a first generation iPhone, running on iPhone software v1.1.4 – both of which will become old technology on Friday 11 July 2008. Even so, I expect the market to be flooded with secondhand iPhones over the next few days and contract-free devices will sell for more money than those still locked to O2. In time, the hackers will unlock v2.0 iPhones but, for now, v1.1.4 is the one to get.

    I’ve been happily using my iPhone on an O2 contract since last November but, tomorrow, my iPhone auction on eBay will end and I wanted to get it ready for sale.

    iPhone working with a Vodafone UK SIM

    Last week, I unlocked (and “jailbroke”) the iPhone using iLiberty+ v1.5.1 for Mac and tested it with a Vodafone SIM (before listing it for sale) but tonight I followed the instructions to securely wipe the iPhone before I finally send it to the new owner.

    When I first jailbroke my iPhone, I found that I’d entered a whole new world of mobile application possibilities. When I first thought about getting an iPhone and using it with my previous (Vodafone) contract, I was concerned about the impact of unlocking and jailbreaking the device but I am amazed to see just how many applications the AppTapp installer provides access to (especially with the Community Sources package installed). I really hope this ecosystem of iPhone underground application development is not killed off as the official Apple App Store route to market takes over but I guess, as long as the device is tied to a particular operator in each market, there will always be people who want to use their iPhone on another network (and I found that jailbreaking takes no more effort than unlocking the device).

    So, with my iPhone restored to its factory defaults, then jailbroken, installer added to the splashscreen, the handset activated and unlocked, I set to work installing the BSD Subsystem 2.1 and OpenSSH. At first, I was downloading applications over O2’s 2G network, which took a long time (the BSD subsystem is 5.1MB), but then I figured I could share my MacBook’s Internet connection over Wi-Fi and that speeded things up considerably.

    Even though I could ping the phone (the IP address is displayed in the Wi-Fi settings), I was having trouble connecting to the phone, with my terminal session reporting:

    ssh: connect to host 10.0.2.3 port 22: Connection refused

    Googling turned up various posts suggesting using the BossPrefs application to ensure that OpenSSH is running but I couldn’t get BossPrefs to complete its own installation.

    Eventually, I figured that I could use iLiberty+ to install OpenSSH, after which I was able to copy a previously-downloaded copy of the umount utility to the iPhone:

    scp ~/Desktop/umount root@ipaddress:/sbin/umount

    After entering this command, something similar to the following should be displayed:

    The authenticity of host 'ipaddress (ipaddress)' can't be established.
    RSA key fingerprint is 8d:0c:46:44:6c:ff:25:7c:c3:d6:49:1b:6a:c5:31:8b.
    Are you sure you want to continue connecting (yes/no)?

    To which the answer is yes. Then you should see:

    Warning: Permanently added 'ipaddress' (RSA) to the list of known hosts.

    Next up, should be a password prompt:

    root@ipaddress's password:

    The default password (at least for iPhone v1.1.4) is alpine and, once this has been entered, umount should finally be copied to the iPhone:

    umount                                        100%   15KB  14.6KB/s   00:00

    A few more commands are used to set execute permissions on umount, to do some Unix magic with mountpoints and then to copy lots of nothingness across both the partitions, as Jonathan A. Zdziarski describes:

    chmod 755 /sbin/umount
    umount -f /private/var
    mount -o ro /private/var
    mount -o ro /
    cat /dev/zero > /dev/rdisk0s2; cat /dev/zero > /dev/rdisk0s1

    This will take a while (I think it was about 45 minutes in my case) and when it’s done, you should see a couple of I/O error messages and a return to the shell prompt (#):

    cat: stdout: Input/output error
    cat: stdout: Input/output error

    The iPhone GUI is also likely to be unresponsive (that is expected).

    So, with all data removed, I could put the iPhone into recovery mode once more to restore its factory settings and then jailbreak/activate/unlock it for the final time. After a test with the Vodafone SIM inside the iPhone to call my O2 SIM (in another handset) I had confirmed that the handset was successfully unlocked and ready for its new owner.

  • TNO

    There is a well known phrase in IT security – trust no one (often abbreviated to TNO).  A couple of weeks ago, a United Kingdom government department admitted to having lost a couple of discs containing, among other things, names, addresses, dates of birth and bank account details for my family.  Thanks.  For nothing.

    Then, yesterday, a Senior Marketing Manager at Microsoft was not having a good day.  First of all, she sent a survey invitation to a list of "Microsoft Influencers" in the EMEA region but the bulk mailing tool she was using failed part way through dispatch.  After preparing a second message to the remaining recipients, she hit the wrong button and mailed a bunch of people she didn’t mean to.  So far, no real harm done, and an apologetic e-mail was sent to those affected.  Except that somewhere along the way she attempted to recall the message, the names of the recipients went to everyone who received the recall request, and two bright sparks on the list said (in jest, I think) something to the effect of "wouldn’t it be good if I could sell the e-mail addresses of all these people that Microsoft considers influential" (all 884 of them).  So that’s my e-mail address potentially compromised too.

    And a few weeks back I had an e-mail from Fasthosts (through whom many of my domain names are registered) letting me know that they had experienced a security breach and that my account may have been compromised (but they couldn’t be sure)… so I could have been subject to a domain hijack if they hadn’t already locked my account for me.

    Then there’s the various online and telephone-based services (including banks and credit card providers) that use ludicrously low security, with a myriad of single factors for authentication (and really, what use are my mother’s maiden name and town of birth for "security" questions as both of those items are publicly available information?).

    It seems that avoiding identity theft is fighting a battle that can’t be won.  I have to entrust organisations with my personal details but, based on recent history, those organisations (including my government) cannot be trusted.

    Maybe it’s time for me to find a new identity?

    TNO.

  • 25 million people caught up in UK Government data security fiasco

    I’m treading carefully here to avoid political comment but, for those who haven’t seen tonight’s news, a UK Government department has lost the personal details for 25 million people including names, dates of birth, national insurance/child benefit numbers and bank details. On a CD. In the post.

    So, I’d like to thank HM Revenue and Customs for making such a monumental **** up with my family’s personal information. In this day and age, I find it amazing that two government departments have to transfer data between one another on CD (isn’t that why they have a Government Secure Intranet?) but to send that in the internal mail (unregistered) is amazingly inept (and, according to tonight’s BBC News, against Government guidelines). Furthermore, the news report I heard said that the passwords protecting the data could be cracked in seconds, so I’m interpreting that as a statement that the data wasn’t even encrypted.

    What makes it so galling is that the information was being transferred to the National Audit Office. Surely they can be trusted to access the Revenue’s systems directly without needing a database extract on CD? And why did it take nearly 3 weeks for someone to report that the data was missing?

    Fair enough, names and dates of birth are public information and bank details are not exactly top secret (my bank has told me it’s not something to be too concerned about) but it puts my own attempts to maintain data security into perspective. If the Government can’t keep my identity safe, who can?

    Anybody who is concerned about the implications of this data breach should check out the HMRC and APACS information on the data loss.

  • Installing Microsoft Dynamics CRM without domain administrator rights

    I recently inherited the task of designing the infrastructure for a Microsoft Dynamics CRM 3.0 implementation. After being briefed by the consultancy partner that we are using for the application customisation and reading Microsoft’s implementation guide I was fairly comfortable with the basic principles but I was also alarmed that the product seems to require installation to be carried out using an account with Domain Admins permissions. There’s no way that I will be granted those rights on our corporate Active Directory (and nor should I be) – too many applications seem to require elevated permissions for service accounts and it makes life very difficult when trying to define a delegation policy for Active Directory administration.

    Regardless of the assurances I was given that Domain Admins rights are only required to carry out the installation (and subsequent updates) and that the account can be relegated to a standard domain user afterwards, I felt that there must be a way around this – surely the groups that the CRM installation creates can be pre-staged somehow, or an organizational unit can be created with delegated rights to create and manage objects?

    It seems the answer to my question is yes – I’ve now been pointed in the direction of Microsoft knowledge base article 908984 which describes how to install Microsoft Dynamics CRM 3.0 as a user who is not a domain administrator by using the minimum required permissions.

  • How Windows PowerShell exposes passwords in clear text

    I’m attending a two-day Windows PowerShell course, delivered by my colleague Dave – who I know reads this blog and should really think about starting his own…

    I’ve written before about Windows PowerShell (twice) and I think it’s a great product, but it is a version 1.0 product and as such it has some faults. One (which I was horrified to discover today) is that this product, which is intended to be secure by default (for a number of good reasons) has the ability to store user credentials in clear text!

    All it takes is two lines of PowerShell script:

    $cred=get-credential username

    (the user will then be prompted for their password using a standard Windows authentication dialog)

    $cred.getnetworkcredential()

    (the username, password and domain will be displayed in clear text)

    Some people ask what’s wrong with this? After all there are legitimate reasons for needing to use credentials in this manner. That may be so but one of the fundamental principles of Windows security is that passwords are never stored in clear-text – only as a hashed value – clearly this breaks that model. Those who think there is nothing wrong with this argue that the credentials are then only used by the user that entered them in the first place. Even so, I’m sure this method could easily be used as part of a phishing attempt using a fake (or altered) script (digitally signing scripts may be the default configuration but many organisations will disable this, just as they do with signed device drivers and many other security features).

    After searching Microsoft Connect and being surprised that I couldn’t find any previous feedback on this I’ve raised the issue as a bug but expect to see it closed as “Resolved – by design” within a few days. If it really is by design, then I don’t feel that it’s a particularly smart design decision – especially as security is touted as one of the key reasons to move from VBScript to PowerShell.

  • Windows fast user switching + Zone Alarm = bad IT day

    My poor colleagues had to put up with a lot of complaining yesterday. I was having a bad IT day (when nothing seems to go well). And it seems to be continuing today.

    I recently rebuilt my company notebook PC to run Windows Vista and Office 2007. That’s going well but then there’s all the stuff that goes on top (anti-virus software, corporate VPN client, etc.). My colleague and trusted advisor, Garry, helped me to get all that in place, an administrator added my machine to the corporate domain and before I left last night I logged on so that I had a profile for my domain account with cached user credentials (for working at home today).

    It should have been fine but I didn’t log out from my original account because I was in the middle of something – I used the fast user switching feature instead and then waited… and waited… and waited… as Windows tried to set up my profile.

    In the end I gave up and logged out, only to find a load of Zone Alarm messages popped up under the original account.

    “Blah blah blah is trying to do something… do you want to allow this?” I don’t know – probably! Just let me get on with logging in.

    Today it’s more of the same, as switching back to my old (non-domain) profile to run Windows Easy Transfer resulted in the same problem.

    I think Garry was quite disturbed to see how I (and another colleague) quickly tired of reading these incessant firewall popups and just clicked the “allow” button (and the “don’t bug me again” checkbox) every time – which proves a point I made about firewall messages almost two years ago. And anyway, what’s wrong with the Windows Firewall? If I didn’t have to use Zone Alarm to meet VPN access policies then I wouldn’t. Grrr.

    The good news is that Windows Easy Transfer was really useful for migrating my application settings from my old profile to the new domain profile (I didn’t use it for the files as it’s easier to just drag and drop them in Explorer).

  • Why the banks just don’t get IT

    Identity theft worries me. It doesn’t stop me sleeping at night but nevertheless it does worry me.

    It seems that each time I log in to a banking website the security has been “enhanced” with yet another item that I fail to enter correctly and then have to call the helpdesk to get my account unlocked – and I’m an IT guy… what about the “normal” users (they probably write down the details somewhere)!

    Mark James has written an interesting article about this issue – and how the answer is really quite simple – if only the banks would apply the same security approach to consumer banking as corporates do for remote access.

  • Security – Why the banks just don’t get IT

    A few weeks back, I read a column in the IT trade press about my bank’s botched attempt to upgrade their website security and I realised that it’s not just me who thinks banks have got it all wrong…

    You see, the banks are caught in a dilemma between providing convenient access for their customers and keeping it secure. That sounds reasonable enough until you consider that most casual Internet users are not too hot on security and so the banks have to dumb it down a bit.

    Frankly, it amazes me that information like my mother’s maiden name, my date of birth, and the town where I was born are used for “security” – they are all publicly available details and if someone wanted to spoof my identity it would be pretty easy to get hold of them all!

    But my bank is not alone in overdressing their (rather basic) security – one of their competitors recently “made some enhancements to [their] login process, ensuring [my] money is even safer”, resulting in what I can only describe as an unmitigated user experience nightmare.

    First I have to remember a customer number (which can at least be stored in a cookie – not advisable on a shared-user PC) and, bizarrely, my last name (in case the customer number doesn’t uniquely identify me?). After supplying those details correctly, I’m presented with a screen similar to the one shown below:

    Screenshot of ING Direct login screen

    So what’s wrong with that? Well, for starters, I haven’t a clue what the last three digits of my oldest open account are so that anti-phishing question doesn’t work. Then, to avoid keystroke loggers, I have to click on the key pad buttons to enter the PIN and memorable date. That would be fair enough except that they are not in a logical order and they move around at every attempt to log in. This is more like an IQ test than a security screen (although the bank describes it as “simple”)!

    I could continue with the anecdotal user experience disasters but I think I’ve probably got my point across by now. Paradoxically, the answer is quite simple and in daily use by many commercial organisations. Whilst banks are sticking with single factor (something you know) login credentials for their customers, companies often use multiple factor authentication for secure remote access by employees. I have a login ID and a token which generates a seemingly random (actually highly mathematical) 6 digit number that I combine with a PIN to access my company network. It’s easy and all it needs is knowledge of the website URL, my login ID and PIN (things that I know), together with physical access to my security token (something I have). For me, those things are easy to remember but for someone else to guess – practically impossible.
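    The “seemingly random (actually highly mathematical)” six-digit number is, in most tokens of this kind, a one-time password computed as an HMAC over a counter or the current time. The post does not say which algorithm the author’s token uses, so the following added example (my code, not the author’s or the bank’s) assumes the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions, and shows the server-side check of “PIN + token code” as a single passcode with a one-step allowance for clock drift. The shared secret used is the RFC 4226 test-vector key, embedded here as sample data.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Appendix D test key: constructed sample data, never use a fixed secret in practice.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced mod 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The token and
    the server only need to share the secret and roughly agree on the time."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_passcode(entered: str, pin: str, secret: bytes, at: int,
                    step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Check a combined 'PIN + token' passcode, the second factor described above.

    Accepts codes from `window` time steps either side of `at` so a slightly
    drifted token still works. Every candidate is compared with
    hmac.compare_digest and no early return is taken, so the check leaks no
    timing information about which part (PIN or code) was wrong.
    """
    if len(entered) != len(pin) + digits:
        return False
    matched = False
    for skew in range(-window, window + 1):
        expected = pin + totp(secret, at + skew * step, step, digits)
        matched |= hmac.compare_digest(entered, expected)
    return matched


if __name__ == "__main__":
    print("token now:", totp(SAMPLE_SECRET))
    print("RFC 4226 counter 0:", hotp(SAMPLE_SECRET, 0))  # 755224
```

Because each code is only valid for one time step and is derived from a secret that never leaves the token, a phished code is worthless a minute later; that is the property the single-factor “memorable date” login lacks. A real deployment would also store the last accepted counter per user so a code cannot be replayed within its own window.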

    I suspect the reason that the banks have stuck with their security theatre is down to cost. So, would someone please remind me, how many billions did the UK high-street banks make in profit last year? And how much money is lost in identity theft every day? A few pounds for a token doesn’t seem too expensive to me. Failing that, why not make card readers a condition of access to online banking and use the Chip and PIN system with our bank cards?

    [This post originally appeared on the Seriosoft blog, under the pseudonym Mark James.]

  • Quick tip for Mac users to recover a forgotten password

    If you’re anything like me, then you have hundreds of security credentials to use at many websites. Best practice dictates that you should use a different password at each one but sometimes that’s just not practical – and, unless you write it down, sometimes you just forget what the password is.

    I’m not sure how Windows and Linux applications store passwords, etc. (I suspect they use a variety of methods) but Mac applications tend to use the Mac OS X keychain feature – the equivalent of writing down all your passwords and storing them in one (secured) database.

    If credentials are stored in the keychain, you don’t normally need to use them again as the application (e.g. a web browser) reads the keychain as required but users can come unstuck if they need those credentials to log in from a different computer. Luckily, it is possible to find out what the password is for a particular application or website (as stored in the keychain). Simply open the Keychain Access utility, open the appropriate item, select the show password checkbox, supply the keychain password when prompted and click the allow once button – at this point the password should become visible in clear text.

    Password visible in the Mac OS X Keychain access utility