Da Vinci Planet » Security Hacks

USB Apps Update

Da Vinci — Fri, 09 Nov 2007 03:30:09 +0000

Portable apps have proven to be very popular and quite resilient in spite of the popularity of on-line apps. On-line apps like Google Apps, Zoho and Basecamp offer solutions for collaboration and portability, but there aren’t many good on-line solutions for applications like text editors, image editors, operating systems and browsers. Because of the need for these types of applications and the benefits of using USB apps I have been adding to my USB app collection. To be fair I have replaced some portable apps with on-line apps, e.g. I prefer Google Reader to GreatNews because desktop RSS readers become bloated and slow down as you add feeds, but at the same time I have discovered a few new portable applications.

SIW – System Information for Windows provides detailed information about your Windows computer, including hardware specs, software and drivers. SIW can reveal passwords and software serial numbers or registration keys. The information can be exported to text documents which is a handy backup to have.

Ad-Aware – Probably the best free spyware detection software. Ad-Aware can be made portable by downloading and installing as normal and then simply copying the installed folder to a USB drive.

Damn Small Linux – DSL is basically a fully functional desktop squashed into 50MB of space. It has a fairly friendly GUI and includes most of the typical applications one might need. What’s the purpose? It offers a rich set of tools that you can use on a locked down or problematic computer. There are many other alternatives (e.g. Bart PE portable or Ubuntu virtual appliance)

Is OpenID the answer to single sign-on?

Da Vinci — Mon, 29 Oct 2007 03:21:45 +0000

OpenID is often compared to Microsoft’s Passport and normally it’s said to be better because “itâ€™s not controlled by any one big corporation”. You may have heard or read about OpenID, but chances are that you 1) aren’t using it or 2) have not really looked into it and 3) even if you have, you still don’t understand it. As with many open source projects documentation is scattered, complicated and mostly technical. Over the last few weeks I have tried to make some sense of OpenID and here is my take on it.

What is OpenID?

It’s a way to identify and authenticate yourself using a trusted Web site of your choice. The “trusted Web site of your choice” has to be an OpenID provider. To register with a Web site that supports OpenID all you need to do is provide them with the URL of your OpenID provider then login at your OpenID provider’s Web site. So basically the login happens at your OpenID provider instead of at the site you’re trying to register with.

OpenID is a way to authenticate yourself to various places (websites) by verifying your identity as the owner of a particular URL (say, a website of your own). Instead of giving a username and password to a login form, you just give it your URL.

The nice thing about OpenID is that you can use your own Web site as your OpenID. That does not mean that you need to set up anything special on your Web site. With a couple of lines of HTML code on your Web site you can delegate OpenID authority to another site. That way you can transparently use a trusted OpenID provider of your choice to do the hard work, while keeping your own domain name as your OpenID.

How do you use your Web site as your OpenID?
It’s a two step process.

1) Choose an OpenID provider.
There are many OpenID providers to choose from and chances are that you already have an OpenID. Sites like Technorati, wordpress.com, etc. provide OpeinIDs, but like most I didn’t trust other sites and wanted to do it on my own so I tried phpMyID. I was quite pleased with my accomplishment, but then I started reading and learning about OpenID security issues and decided that it’s best to use a site dedicated to the purpose like myOpenID. You will find statements like “OpenID: it’s about *identity* and not *trust*“, which definitely doesn’t build trust! So it’s a good reason to choose a trustworthy OpenID provider like myOpenID or VeriSign’s Personal Identity Provider.

2) Configure your site to point to your OpenID provider.
Once you’ve registered with an OpenID provider, you can use the OpenID URL that they provide ar your OpenID. But it’s much nicer to use your own Web site as your identity (heck, it should be much better!). OpenID allows you to use your own Web site as your OpenID and delegate authentication to another site. For example, my OpenID is, of course, http://www.davinciplanet.com. My OpenID provider, for now, is myOpenID and to do that all I need is to include the following lines of HTML in my site:
content="http://www.myopenid.com/xrds?username=davinciplanet.myopenid.com" />

What does OpenID give me?

On some sites like jyte you can enter your OpenID URL instead of registering to “make a claim”. Many blogs now accept OpenID which means that you don’t need to register to comment.

What doesn’t OpenID give me?

Single sign-on. It’s a great idea with great potential and being open source it is a perfect fit to be an open source/Web 2.0 hit. But, it’s in the adoption phase and very few people understand it. And very few sites support it.

Resources

OpenID wiki Introduction. An excellent, very geek-like, explanation of how OpenID works. If you want to understand OpenID then this is the place to start (if you’re a geek).

OpenID phishing. I mentioned that OpenID is about identity and not about trust. This is a good way to scare you.

phpMyID. An OpenID solution for your own site. I have security issues with this implementation, which is why I switched to myOpenID.com. Specifically, authentication using phpMyID doesn’t seem secure to me. Either way, sites like myOpenID offer a lot more funcionality (besides ssl security).

Domain kiting

Da Vinci — Tue, 21 Aug 2007 02:38:11 +0000

MarkMonitor released its Summer 2007 Brandjacking Index, a quarterly report that measures the effect of online threats to brands. The report describes trends of how domain names are used in scamming efforts to hijack well-known brands.

Cybersquatting is a well known form of domain hijacking, but according the report it only grew by 8% in the last quarter, compared to newer and lesser known scams like domain kiting which grew at 242%. Cybersquatting is when someone registers a domain name which contains a brand, slogan or trademark to which the registrant has no right. Owners of registered brands, slogans and trademarks can quite easily approach cybersquatters and gain ownership of the domains. Domain kiting, however, is an advanced hack of cybersquatting and is much more difficult to fight.

Domain Kiting: The process whereby domains are registered and dropped within the 5 day ICANN grace period, and then registered again for another 5 days. Kiting a domain lets the registrant gain the benefit of ownership without ever paying for the domain.

The highest growth rates of kiting is experienced in the media industry. Kiters rotate their domain names through registrars and some registrars simply ignore the practice – it seems they actually thrive on this business!

The report says a lot about spamming and phishing in the pharmaceutical drug industry, but I’m surprised that there’s no mention of stock spam because I have been getting a lot of that lately!

OpenVPN – a proper, free VPN

Da Vinci — Thu, 05 Oct 2006 03:38:01 +0000

In a previous post I discussed the very useful Hamachi personal VPN. OpenVPN is an open source VPN solution that has enterprise scale capabilities and is a “real” virtual private network solution. It’s a Tech World has a very good article on configuring OpenVPN. Like most open source applications, however, it can take some time to understand, but once you do it grows on you.

Create virtual encrypted disks to secure data

Da Vinci — Thu, 10 Aug 2006 05:36:00 +0000

TrueCrypt is an open source application that allows you to create encrypted virtual drives on your computer. That way you can secure files on your computer by putting them in an encrypted space that will only be accessible by mounting the virtual drive which is password protected.

The TrueCrypt file can be emailed, backed up and FTP’ed and remain secure because of the strong encryption. It can also be run from a USB flash drive. The virtual disks can be mounted on any operating system.

Once a volume is mounted, files that are written to the virtual disk are encrypted on the fly.Â Performance is excellent and you hardly notice anything – except if you choose some ridiculous encryption algorithm.

You can create almost any size virtual drive and chose from most popular file systems, e.g. FAT32 and NTFS.

Make sure to save your password:Â There is no way to recover a lost password!

Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire hard disk partition or a device.

Encryption is automatic, real-time (on-the-fly) and transparent.

It’s very simple:

Download and install TrueCrypt: http://www.truecrypt.org/downloads.php
Start the application
Click on Create Volume
Select a location and file name for the virtual drive. The virtual drive is saved as one big encrypted file (or a whole disk)
Choose an encryption algorithm
Choose the virtual drive size
Choose a password
Select the file that you just created and choose a drive letter on which to mount it
Click on Mount and enter password

The drive is available to you and anyone else connected to the computer for as long as it is mounted. See the Beginner’s Tutorial for more information.

Sysinternals purchased by Microsoft

Da Vinci — Thu, 03 Aug 2006 01:54:07 +0000

If you haven’t heard of Sysinternals you better visit their Website while it’s still live (and free) because they have been purchased by Microsoft. Sysinternals has a huge list of free Windows utilities that are very useful for system administrators.

The Sysinternals web site provides you with advanced utilities, technical information, and source code related to Windows internals that you won’t find anywhere else.

Some of my favorite utilities are:

BlueScreen – A “blue screen of death” screensaver : )
Junction -Â Symbolic links for Windows
Du – Disk usage by directory
MoveFile -Â Schedule file rename and delete commands for the next reboot
Process Explorer – Task Manager on steriods

PGP File Encryption Using GnuPG

Da Vinci — Thu, 20 Jul 2006 03:54:47 +0000

I frequently get asked how to encrypt files using Pretty Good Privacy (PGP). There is very good documentation available on the Web, but here is my condensed version.

Public key cryptography uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. Your public key can be distributed to anyone and does not pose a risk. Your private key needs to be kept safe and not given to anyone. Anyone with a copy of your public key can encrypt information that only you can decrypt using your private key.

I use free software called GnuPG (http://gnupg.org/). Once you have the software installed you need to create a public/private key pair and then you need to exchange public keys with the party you wish to exchange encrypted files.

Here’s what you need to do:

1. Download and follow the instructions to install the software:
http://www.gnupg.org/(en)/download/index.html (look for the Binaries section to make your life easier)

2. Generate a public/private key pair: Go to your GnuPG install directory and type in gpg --gen-key. The default settings are usually good (DSA (1024 bit) and Elgamal (2048 bit)/never expires).

C:\Program Files\GNU\GnuPG>gpg –gen-key
gpg (GnuPG) 1.4.4; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `C:/Documents and Settings/Leonard/Application Data/gnupg\secring.gpg’ created
gpg: keyring `C:/Documents and Settings/Leonard/Application Data/gnupg\pubring.gpg’ created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter) < heinrichh@duesseldorf.de>”

Real name: Leonard Labuschagne
Email address: leonard@davinciplanet.com
Comment: Da Vinci Planet
You selected this USER-ID:
“Leonard Labuschagne (Da Vinci Planet) < leonard@davinciplanet.com>”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. â€¦. [lots of text and characters while generating keys]
gpg: C:/Documents and Settings/Leonard/Application Data/gnupg\trustdb.gpg: trust db created
gpg: key 51756B80 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/51756B80 2006-07-18
Key fingerprint = 2492 ACA4 EA74 BF33 C45E 31D5 F719 9D78 5175 6B80
uid Leonard Labuschagne (Da Vinci Planet)
sub 2048g/C3BFDE51 2006-07-18

3. Export your public key so that you can give it to others. Run a command similar to this one (replace key name with the key name that you chose when you generated the key pair):
gpg --armor --output YourCompany.asc --export "YourCompany "

C:\Program Files\GNU\GnuPG>gpg –armor –output DaVinciPlanet.asc –export “Leonard Labuschagne (Da Vinci Planet) “

4. To encrypt a file for someone else to decrypt you have to import their public key. Copy their public key file to your GnuPG install directory and run the command gpg --import other_persons_pub_key_file.asc

5. Sign their public key. You need to know their User ID (the name that they gave their key). Run the command gpg --sign-key "their User ID"

To encrypt files, use the following format:
gpg --yes -eq -r "their User ID" -o encrypted_file.pgp file_to_encrypt

For instance if someone wanted to send me an encrypted file, they would use the following:

gpg –yes -eq -r “Leonard Labuschagne (Da Vinci Planet) < leonard@davinciplanet.com>” -o encrypted_file.pgp file_to_encrypt

To decrypt files, use the following format:
gpg -o decrypted_file_name file_to_decrypt.pgp

The GNU Privacy Guard – gnupg.org

Other Resources:
A Practical Introduction to GNU Privacy Guard in Windows – glump.net
GnuPG on WikiPedia