Oct 12
How-To Guides David

Password Maker
If you were following the tech news last week, hopefully you’ll have heard about the surge in leaked and phished passwords from Gmail, Hotmail and Yahoo. CNET UK covered it twice.
This brings up the thorny issue of how to effectively manage all of your passwords. Some people have one strong password they use everywhere; others do this but append something for each site. Other people, who frankly scare me, use simple things like “password”, “12345”, “67890”, etc.
What exactly is a strong password? The more random and unpredictable a password is, the stronger it is. In other words, predictable passwords are easy to remember, and easy to crack.
Randomly flailing your fingers at the keyboard will generate a random block of text, but you need to recall that random text later, so how do you keep it? You could keep them all in a file, but this is no good, because if someone gets that file, you’re sunk (the same goes for paper records). Even if you use a password manager which keeps your passwords in an encrypted file, they’re still there in a file, which, if obtained, could be decrypted by brute force.

The Password Maker Firefox add-on.
A while ago, I listened to Floss Weekly interviewing Eric Jung from the Foxy Proxy project. During the interview, his involvement with a free and open source project called Password Maker was mentioned. Password Maker works by generating a cryptographic hash of both the domain of the website you’re logging into and a master password of your choosing. This creates a different piece of pseudo-random text for every website you use. There are lots more settings so that you can finely tune what goes into the password, but don’t worry about those just now.
To put it simply, you never have to find or recover your passwords, because they’re never stored, they’re just generated for you when you need access to them.
The best way to use Password Maker is in the form of a Firefox add-on. However, if you’re away from home, or whatever, there is an on-line version and a mobile browser version, which you can even install on your own website, if you have one. The best security aspect of this is that your master password isn’t stored, and the hashing algorithm is already open, so there’s nothing to hack.
If any one of your site passwords is compromised, it is easy to create a new one by using a new master password. Furthermore, so that you’re not having to remember different master passwords for different sites, I would take one compromised password as an excuse to change ALL of your passwords. Changing your passwords is inconvenient when you have a lot of accounts on the web, but Password Maker makes it easier to get into the habit, especially with the Firefox add-on.
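As an added example (not Password Maker’s own code), here is the derivation described above: the master password and the site’s domain go in, a per-site password comes out, and nothing is stored. PBKDF2 is an assumed stand-in for the hash, and rotate_all models the advice about changing the master password to replace every site password at once.

```python
import hashlib

# 64 symbols, so that byte % 64 is unbiased (256 is a multiple of 64).
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789!@")


def site_password(master: str, domain: str, length: int = 16,
                  rounds: int = 100_000) -> str:
    """Derive a site-specific password from a master password and a domain.

    The same inputs always yield the same output, so the password is
    regenerated on demand rather than stored. The domain is lower-cased so
    that 'Gmail.com' and 'gmail.com' agree. PBKDF2-SHA256 with many rounds
    is an assumption of this example (a slow, stretched hash), not
    Password Maker's own algorithm.
    """
    if not master or not domain:
        raise ValueError("master password and domain are both required")
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        domain.lower().encode("utf-8"),  # the domain acts as the per-site salt
        rounds,
        dklen=length,
    )
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def rotate_all(old_master: str, new_master: str, domains):
    """A new master password gives every site a new password.

    Returns {domain: (old_password, new_password)} so that each account
    can be updated in turn.
    """
    return {d: (site_password(old_master, d), site_password(new_master, d))
            for d in domains}


if __name__ == "__main__":
    # Constructed sample input: the three providers named in the post.
    sites = ["gmail.com", "hotmail.com", "yahoo.com"]
    for d, (old, new) in rotate_all("old master", "new master", sites).items():
        print(f"{d:12} old={old} new={new}")
```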
The recent news pushed me into finally doing this, although I had been putting it off due to the fear of trying to make it work with my mobile browser. However, thanks to Opera Mini 5 now supporting text selection and tabbed browsing, the mobile browser version is a viable method for advanced password management on your phone.
Oct 5
How-To Guides David

WordPress
If you have a self-hosted WordPress blog, I hope that you are thinking about security. The best thing you can do is to use the automatic updates so you always have the current version of WordPress.
One of the most pernicious hacks someone can do to your blog is to gain access to your wp-admin folder. This folder contains the back-end PHP pages of your site where you control everything and write your posts.
Via your web-host’s control panel you might be able to password protect this directory, although that could still be brute forced. An alternative method, which is well documented (see the reference links below), is to create a “.htaccess” file in your wp-admin directory, with which you can limit access to a specific set of IP addresses, e.g. your home IP address and your work IP address. See the references below for links on how to write this.
This method is perfect for locking down and restricting who can access your admin pages without having to go through any sort of manual authentication. I held off doing this for a long time because my ISP assigns dynamic IP addresses, and my Netgear router needs frequent reboots. My IP address therefore changes a lot, and I’d keep getting locked out of my own blog!
To get around this, I thought of a script I could write to keep my wp-admin’s .htaccess file automatically updated! You could even use this if you took your laptop away from home and connected on another network, as your laptop will have your ssh keys installed. Try to stick to using a secure VPN though, just on principle.
Sorry, it’s a bash script, so if you use Windows you’ll be stuck unless you install the cygwin environment and PuTTY. If you use a Mac, I’m sure you can switch on the bash shell.
Without further ado, here’s the script:
Note: make sure you have cURL installed first.
#! /bin/bash
# Auto-update .htaccess in http://your-blog/wp-admin/
# Run this from cron on a short interval.
# This will grab your IP address, and then rewrite the
# .htaccess file and use scp to upload to your server.
#
# David.R.Gilson 3rd October 2009
# http://www.davidgilson.co.uk
# I distribute this under the Creative Commons Attribution Share Alike license.
# http://creativecommons.org/licenses/by-sa/3.0/
set -eu
cd ~
# Your ssh login for the server, e.g. user@your-blog-host
remote="[YOUR SSH LOGIN HERE]"
# Grab your external IP address.
ip="$(curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//')"
# Refuse to continue unless the result looks like an IPv4 address. A blank or
# garbled value would produce a broken .htaccess and lock you out of wp-admin.
if ! echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    echo "Could not determine external IP address, not updating .htaccess" >&2
    exit 1
fi
# Write the file.
{
    echo "AuthUserFile /dev/null"
    echo "AuthGroupFile /dev/null"
    echo "AuthName \"Limit wp-admin access\""
    echo "AuthType Basic"
    # wp-admin forms are submitted with POST, so restrict that method too;
    # a GET-only Limit would leave POST requests unrestricted.
    echo "<Limit GET POST>"
    echo "order deny,allow"
    echo "deny from all"
    echo "# Whitelist home router"
    echo "allow from $ip"
    echo "</Limit>"
} > htacc.txt
# Copy to server
scp htacc.txt "$remote":"~/www/wp-admin/.htaccess"
# Clean up
rm htacc.txt
Once you’ve pasted all that into a file (I named mine htaccessupdate.sh), remember to make it executable by typing chmod +x htaccessupdate.sh.
References
Dec 1
How-To Guides David
Part 2
Last time we ended with showing you how to encrypt your thumb drive. Now we’ll resume and show you how to make using encryption a little less inconvenient.
We can minimise the inconvenience of using TrueCrypt by going back to the “autorun.inf” file we created before. I didn’t write the autorun script that I use for TrueCrypt, I copied it from a post on “EricsProjects” blog (follow the link for the script). With that script, I get this window when I plug in and autoplay my USB drive:
Note: Follow his instructions about copying TrueCrypt to your drive or this won’t work. You need TrueCrypt installed on the thumb drive if you’re going to be able to decrypt it somewhere other than your home computer.
All you have to do is select the TrueCrypt option, then you are given a prompt for the password to decipher the encrypted volume. Once this is done, you can just run your normal back up routine. This is of course a subjective thing to say, but I think an extra double click and password entry per plug-in is a small price to pay for knowing that if you lose your drive, nobody will be able to read your files.
Finally, I said in part 1 that my thumb drive could repair my hard drive, didn’t I? Well yes, but there’s one catch. Up until now, the software I have recommended has been free of cost. The hard drive repair program I am using is Steve Gibson’s “SpinRite” [Wikipedia], which costs $89 US. I’d heard so many testimonials on the “Security Now” podcast that I finally decided I must get it. Many of the testimonials were about people who didn’t want to buy SpinRite, but had finally bought it out of desperation when their hard drives seemed inoperable, making strange noises, etc. Those people then reported that their drives were brought back to life by using SpinRite (running it for days on end in extreme cases). If used routinely before problems occur, it can help the hard drive’s own systems detect and avoid problem areas on the disk platters.
The way SpinRite works means it needs exclusive access to your drive, so you must install SpinRite to some removable media, then boot your computer from that media. This has the advantage that it is truly platform independent (it utilises the “FreeDOS” operating system). Here is a picture of it in action:
So, there we have it. A USB stick that keeps a back up of all your irreplaceable data. You have the assurance of knowing that if a bad guy finds it, your privacy is safe, and if a good guy finds it, they can get in touch with you to arrange its return. Finally, if your hard drive seems to have died on you, not only do you have a safe copy of your files, but you can probably return the drive to service by booting from this same little USB stick and running SpinRite.
Please let me know if you have any improvements on what I’ve posted.
Nov 24
How-To Guides David
Introduction
This is a series showing you how you can load up a basic USB thumb drive with some practical tools which will ensure you can keep your data safe from theft and hard drive failure.
Part 1
This USB drive has become a powerful tool for me. It holds an encrypted back up all of my irreplaceable data and it can repair my hard drive in the event of failure.
For back up, I just do a simple “synchronisation” of files. I use a Windows program called “Syncback”, but you could just as easily use any other synchronisation/backup program, such as the open-source “rsync”. I simply plug in the USB drive, start up Syncback and run my backup profile. Files that have either been created or updated since the last backup are copied on to the drive, and files that have been deleted are also deleted from the USB drive. You could argue this lacks sophistication, although I prefer the lack of complication. If I’m working on something I want chronological versions of, I’ll create chronological versions myself – it’s all in my control. (Although, I will admit that since I first wrote this, I started using an on-line back up service as an added layer of protection, and that does take chronological versions of files as they are edited.)
Something to consider, this is only a 4GB drive, and all my irreplaceable data only takes up 2.7GB (so far). This doesn’t sound much, but I’m being very minimalist. You know when you’re moving house you start to wonder how you amassed so much stuff that you never use or think about? Be honest, you do don’t you? Well what you accrue on your hard drive is much the same. So if you want to be able to get all your stuff on such a drive then you need to have a ruthless clear out of your personal data. Note that I’m not including music here. If it comes to it, you can buy and/or download replacements of your music, you can’t do that for all those photos of your friends and family.
Now, if you get in to a routine of doing this simple back up, what if you lost the drive? You then have two problems: how could anyone return it to you and what about your privacy?
For identifying yourself as the owner, you can do the following. Create an “autorun.inf” file in the root directory of your drive (yes, this is a Windows thing, sorry). I then used the “label” command to show my e-mail address. To do this, you’d write a line in the autorun.inf file (it’s a text file, so only use Notepad or similar): “label=email@somedomain.com”. In the “My Computer” window, your e-mail address will show in place of the drive letter. You can find even more tips about how your lost drive can identify its owner at this post on Daily Cup of Tech.
For your privacy you need to encrypt your data, and the ideal choice is the open source & cross platform encryption application, “TrueCrypt”. The simplest way of working with TrueCrypt is to create an encrypted “container file”, which TrueCrypt then mounts as a drive on your computer. When it comes to security there’s one constant rule – the more secure it is, the less convenient it is. So if we were to take the step of backing up onto an encrypted virtual drive, we’ve given ourselves some inconvenience. Believe me, if you don’t mind even more inconvenience, TrueCrypt can give you some real James Bond level privacy protection, but we’ll leave that for another day.
See part 2.