Storing Passwords in the Cloud?

There’s been a recent event at LastPass and users have potentially lost their passwords. Honestly, I wonder why anyone would ever store their passwords anywhere, much less in the Cloud?

Good security practice dictates that passwords should never be stored at all. Period.

While we should use random passwords, with a different one for each site, and it is difficult for users to remember so many meaningless passwords across so many different sites, that is no excuse to store passwords.

IMHO, the ideal solution for this would be to use generated passwords. These passwords could be generated from multiple secrets that are known only to each individual, but not to everyone. Think of it as having different parts of a dollar.

One example would be to use something like password hash, which would generate the password based on the website domain name and a known secret. Try it out and you’ll see.

There are more complex schemes that can be invented if necessary but the idea is there – don’t store the passwords anywhere – generate passwords on-the-fly.
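As an added illustration of the generate-don’t-store idea (this is my worked example, not the code of the password hash tool mentioned above, and the exact construction is an assumption of the example): a per-site password is derived from several secrets the user knows plus the site’s domain name. PBKDF2 stretches the secrets with the domain as salt, an HMAC binds the result to the domain, and the output is base64-encoded and cut to the requested length. The domain normalisation (lower-case, strip scheme, port and a leading “www.”) is the part people forget: typing the site slightly differently must still yield the same password.

```python
import base64
import hashlib
import hmac
from typing import Sequence
from urllib.parse import urlsplit

# Added example, not the tool mentioned above: a per-site password is derived
# from (a) secrets the user knows and (b) the site's domain, so nothing ever
# has to be stored. The exact construction (PBKDF2 then HMAC, base64 output,
# NUL-joined secrets, "www." stripping) is this example's own choice.

PBKDF2_ROUNDS = 100_000   # slows down recovering the secrets from one leaked password


def site_key(url_or_host: str) -> str:
    """Reduce a URL or hostname to the domain the password is bound to.

    Lower-cases, drops scheme, port, path and a leading 'www.', so that
    'https://www.Example.com:8443/login' and 'example.com' give the same
    password. Typing the site slightly differently must not yield a
    different password, or the user can never log in again.
    """
    text = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no hostname in %r" % url_or_host)
    return host


def generate_password(secrets: Sequence[str], site: str, length: int = 16) -> str:
    """Deterministically derive a `length`-character password for `site`.

    The secrets (several of them, per the 'parts of a dollar' idea) are
    combined in order; PBKDF2-HMAC-SHA256 with the domain as salt stretches
    them so a leaked site password is expensive to reverse into the secrets;
    a final HMAC keyed with the stretched value binds the result to the
    domain. Same inputs always give the same output: regenerate, never store.
    """
    if not secrets or any(not s for s in secrets):
        raise ValueError("at least one non-empty secret is required")
    if not 8 <= length <= 43:          # 32-byte tag -> 43 unpadded base64 chars
        raise ValueError("length must be between 8 and 43")
    domain = site_key(site).encode("utf-8")
    combined = b"\x00".join(s.encode("utf-8") for s in secrets)
    stretched = hashlib.pbkdf2_hmac("sha256", combined, domain, PBKDF2_ROUNDS)
    tag = hmac.new(stretched, domain, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    parts = ["first secret", "second secret"]       # constructed demo secrets
    for site in ("https://www.Example.com/login", "example.com", "example.org"):
        print(site, "->", generate_password(parts, site))
```

Two caveats a practitioner will hit: base64 output contains “+” and “/”, which some sites reject, so a real tool needs per-site character-set rules; and the scheme has no way to rotate one site’s password without changing a secret, which is the usual price of storing nothing.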

Securing My Blog

In order to improve the security of my blog, I have tried a few measures.

A while ago, I bought a Yubi-Key, which generates a one-time password to be used alongside the regular login. This provided two-factor authentication and it was certainly working for a while. Then, I read up more about the Yubi-Key and found that there might be holes in the implementation of the plugin since it is still quite a new product and relatively untested.

So, I switched to using VPN instead. I configured my web-server to reject all attempts to access the administrative pages unless the connection originated from the local server. Then, I would use SSH to create a tunnel into the server and secure my connection through SSH keys. This also required two-factor authentication and provided the additional fact that the entire connection was secured over SSH.

I added this to my lighttpd configuration.

# Deny access to wordpress admin pages
$HTTP["host"] =~ "blog.sybreon.com|tech.sybreon.com" {
    $HTTP["remoteip"] !~ "213\.229\.116\.90$" {
        $HTTP["url"] =~ "^/wp-admin/|^/server-" {
            url.access-deny = ("")
        }
    }
}

However, I had troubles accessing my blog from certain places because they blocked SSH connections.

Finally, I switched to SSL instead. I have now configured my web-server to only accept connections that present a valid security certificate over SSL. Again, this is two-factor authentication using SSL certificates. Once again, the connection is also secured over SSL. I park my web server behind a Pound reverse-proxy. So, this is the way I did it.

ListenHTTP
    Address ::
    Port 80
    ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
    xHTTP 0

    Service
        URL "^(?!/wp-admin).*"
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End
End

ListenHTTPS
    Address ::
    Port 443

    Cert "/etc/ssl/private/blog.crt"
    CAlist "/etc/ssl/private/sybreon.ca.asc"
    VerifyList "/etc/ssl/private/sybreon.ca.asc"
    Ciphers "HIGH"
    ClientCert 2 3

    Service
        HeadRequire "Host:.*(blog|tech).sybreon.com"
        BackEnd
            Address ::1
            Port 8080
        End
    End
End

What this does is to reject all connections to the admin pages for my blogs if they came over regular HTTP and to only allow them over HTTPS. For HTTPS connections, client certificates are required, and they must be signed by my own custom CA. If no client certificate is presented, the connection fails.

The advantage of doing it this way is that I can actually have collaborators. All I need to do is to generate new certificates for them and email them. This process can even be automated if need be.
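Here is an added example of what that automation can look like (my illustration, not a script from this blog or from Pound). It drives the openssl command-line tool, which it assumes is installed, to create a private CA, issue a client certificate for a collaborator, bundle key and certificate into a PKCS#12 file for emailing, and then run the same chain check the proxy performs at handshake time: a certificate from an unrelated CA is rejected. File names, subject names and the bundle password are placeholders for the demo, not the paths in the configuration above.

```python
import os
import subprocess
import tempfile

# Added example (not the blog's own tooling): automates issuing client
# certificates under a private CA with the openssl command-line tool, which
# it assumes is on PATH. Paths, names and the PKCS#12 password are demo
# placeholders. Keys are written unencrypted (-nodes) to keep the demo
# non-interactive; protect them accordingly in real use.


def run_openssl(*args: str) -> None:
    """Run one openssl sub-command; raise CalledProcessError on failure."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_ca(ca_dir: str, common_name: str, days: int = 3650) -> str:
    """Create a self-signed CA (key + certificate) and return the cert path.
    This CA certificate is what a proxy's CAlist/VerifyList would point at."""
    os.makedirs(ca_dir, exist_ok=True)
    key = os.path.join(ca_dir, "ca.key")
    crt = os.path.join(ca_dir, "ca.crt")
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
                "-keyout", key, "-out", crt, "-days", str(days),
                "-subj", "/CN=" + common_name)
    return crt


def issue_client_cert(ca_dir: str, out_dir: str, user: str, days: int = 90,
                      bundle_password: str = "demo-only-password") -> tuple:
    """Generate a key and CSR for `user`, sign the CSR with the CA, and pack
    key + certificate into a PKCS#12 bundle that can be mailed and imported
    into a browser. Returns (cert_path, bundle_path)."""
    os.makedirs(out_dir, exist_ok=True)
    key = os.path.join(out_dir, user + ".key")
    csr = os.path.join(out_dir, user + ".csr")
    crt = os.path.join(out_dir, user + ".crt")
    p12 = os.path.join(out_dir, user + ".p12")
    run_openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                "-out", csr, "-subj", "/CN=" + user)
    run_openssl("x509", "-req", "-sha256", "-in", csr, "-days", str(days),
                "-CA", os.path.join(ca_dir, "ca.crt"),
                "-CAkey", os.path.join(ca_dir, "ca.key"),
                "-CAcreateserial", "-out", crt)
    run_openssl("pkcs12", "-export", "-inkey", key, "-in", crt, "-out", p12,
                "-passout", "pass:" + bundle_password)
    return crt, p12


def is_trusted(ca_cert: str, client_cert: str) -> bool:
    """The check the proxy performs at handshake time: does the client
    certificate chain to our CA? Self-signed or foreign-CA certs fail."""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca_cert, client_cert],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo() -> dict:
    """End-to-end run in a throwaway directory: our CA signs 'alice'; a
    certificate issued by an unrelated CA is rejected."""
    work = tempfile.mkdtemp(prefix="clientcert-demo-")
    our_ca = os.path.join(work, "ca")
    other_ca = os.path.join(work, "other-ca")
    ca_cert = make_ca(our_ca, "Blog private CA (demo)")
    make_ca(other_ca, "Unrelated CA (demo)")
    alice_crt, alice_p12 = issue_client_cert(our_ca, os.path.join(work, "users"), "alice")
    stranger_crt, _ = issue_client_cert(other_ca, os.path.join(work, "others"), "stranger")
    return {
        "collaborator_trusted": is_trusted(ca_cert, alice_crt),
        "stranger_trusted": is_trusted(ca_cert, stranger_crt),
        "bundle_written": os.path.getsize(alice_p12) > 0,
        "workdir": work,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Revocation is the piece this leaves out: once a collaborator leaves, either the proxy needs a CRL (Pound has a CRLlist directive for that) or the certificate must be short-lived, which is why the example defaults to 90 days.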

PS: You can try accessing the admin page over HTTP and HTTPS here, to see how this works.

Sony EPIC Fail

I just received this in the mail today:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network password and login, and PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. If you have provided your credit card data through PlayStation Network, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Wow. Epic fail.

Don’t the programmers at Sony understand the most basic rules about storing personal data? You never store it in the clear. And data for verification purposes should never be stored at all – it should just be HMAC-ed and the fingerprint/hash stored instead.
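To make the HMAC point concrete, here is an added example of my own (it has nothing to do with Sony’s actual systems): a security answer is never stored; instead a random per-record salt and an HMAC-SHA256 tag under a server-side key are kept. The key is a placeholder here and in practice lives outside the database, so a stolen database alone cannot be used to test guesses. Answers are normalised before hashing because users retype them inconsistently, and the comparison is constant-time.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, unrelated to Sony's actual systems: keep a keyed fingerprint
# of a security answer instead of the answer. SERVER_KEY is a placeholder;
# the real key must live outside the database (KMS/HSM/config on another
# host), so that a stolen database on its own cannot be used to check guesses.
SERVER_KEY = b"PLACEHOLDER-server-side-key-not-stored-in-the-database"


def normalise(answer: str) -> str:
    """Fold case, Unicode form and surrounding/duplicate spaces, so that
    'Fluffy ' and 'fluffy' verify the same way; otherwise legitimate users
    get locked out and someone starts keeping the answers in the clear."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def make_verifier(answer: str, key: bytes = SERVER_KEY) -> dict:
    """Return what to store: a random per-record salt and the HMAC-SHA256 tag.
    The salt makes identical answers from different users look different."""
    salt = os.urandom(16)
    msg = salt + normalise(answer).encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return {"salt": salt.hex(), "tag": tag.hex()}


def check_answer(candidate: str, stored: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the tag for the candidate and compare in constant time."""
    salt = bytes.fromhex(stored["salt"])
    msg = salt + normalise(candidate).encode("utf-8")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, bytes.fromhex(stored["tag"]))


if __name__ == "__main__":
    record = make_verifier("Fluffy ")       # constructed demo answer
    print("stored:", record)                  # no trace of the answer itself
    print("fluffy ->", check_answer("fluffy", record))
    print("rex    ->", check_answer("rex", record))
```

Security answers are low-entropy, so the server-side key is doing most of the work; if that key is ever co-located with the database, swap the plain HMAC for a slow, salted construction such as PBKDF2 or scrypt and treat the answers as the weak secrets they are.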

On my part, I did not store any credit cards with Sony because I have never bought anything from the PSN (and to avoid my nephew accidentally buying anything off the PSN). As for my passwords, I have been practicing new password policies for a while now. So, I think that I should be safe.

While I understand that Sony could just be playing it safe and saying that everything they store could have been stolen, this does not help me sleep better at night, knowing that Sony has my data.

No wonder they need to rebuild PSN from the ground up. They are quite screwed. Their new firmware introduced this hole and they cannot patch the consoles through the PSN until the PSN is secure. It’s a security nightmare indeed. Then, they need to re-architect the entire system and restore all the data.

If we thought that the Amazon down-time was bad, this is much worse. Lawsuits!

Chasing the MHz

Is it just me or is the smart-phone market actually going down the same path as the PC market did a decade ago – chasing more cores and more megahertz. Even while the smart-phone market is dominated by ARM-only platforms, it is still folly to be making hand-sets that are faster and furiouser than the rest.

I would think that these companies would have realised that it is far more important to improve the experience and functionality of the smart-phone than to increase the speed of the phone. Increasing the speed of a phone is easy – just wait a few months and Moore’s Law will ensure that it happens eventually. There is no magic in that.

I would think that the smart-phone is a booming market, that has still got so many pain-points. Although I must confess that I do not own a smart-phone, I am fairly familiar with their architectures and have a good idea of how to actually build one. The reason that I do not own one is because I do not see any useful phones out in the market.

If you were to just sit down and observe a smart-phone user, you will find that there are lots of problems with using the phone. For one, it’s terribly small and it requires a person to stare at the screen to use it. While I think that the touch interface is a pretty cool invention, I do not understand why it is that for a device that comes with a microphone and a speaker, I need to use my fingers and eyes to interact with it. To me, this is just silly.

If I was one of those smart-phone hand-set makers, I would put some good money into developing a new user experience that does not take my eyes off the road and fingers off the wheel. The first should be easy enough to accomplish. With gobs of memory and processing power, the phone should be able to speak to me instead of presenting a visual response. You don’t need to build some fancy text-to-speech engine to do this – just store MP3 samples of audio output.

As for getting user input, again, the system does not need to have some super speech-recognition engine built in. Just being able to discern a “yes” from a “no” can already build us a tremendously complex menu system. Then, put the money into the smarts of predicting what it is that the user wants to do based on context. If the user is driving, the user may be interested in accessing the GPS and *not* the camera application.

With that, we can probably come up with a better smart-phone – one that actually has some ‘smarts’ and is not dependent on my smarts.

Region and Country

I recently realised that there are a lot of corporate websites out there that will ask a user for region/country when visiting, and then forward the user to a different landing page depending on the geographical location of the user. With the technology available today, I sometimes wonder why any of this is necessary at all.

There is such a thing called GeoIP. While it is not 100% accurate, it is largely accurate and is used by services such as Google Analytics to work out where a site’s visitor comes from. It occurred to me that these websites should just use GeoIP to redirect the user to the appropriate landing page instead of asking the user a bunch of useless questions.
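As an added sketch of the idea (my example, not any real GeoIP product or database): a small constructed prefix table stands in for the GeoIP database, a longest-prefix lookup maps a visitor address to a country, and the redirect logic keeps the “not 100% accurate” caveat in mind by letting a choice the user already made win and by falling back to the region chooser for unknown or local addresses. All prefixes and country assignments are made up for the demo.

```python
import ipaddress
from typing import Optional

# Added example, not any real GeoIP product: a hand-made prefix table and the
# longest-prefix lookup such a database performs, plus the fallback logic a
# site needs because the lookup is not 100% accurate. All prefixes
# (documentation ranges) and country assignments here are constructed.
GEO_TABLE = [
    ("203.0.113.0/24", "MY"),
    ("203.0.113.128/25", "SG"),     # more specific block nested inside the /24
    ("198.51.100.0/24", "US"),
    ("2001:db8::/32", "DE"),
]
LANDING = {"MY": "/my/", "SG": "/sg/", "US": "/us/", "DE": "/de/"}
CHOOSER = "/choose-region/"         # the page that asks the user explicitly

# Addresses that can never be geolocated meaningfully (RFC 1918, loopback,
# IPv6 ULA); listed explicitly rather than via is_private, which would also
# flag the documentation ranges used in the demo table.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]


def build_table(rows):
    """Parse prefixes and order them most-specific first, so the first hit
    in a linear scan is the longest match (fine for a demo-sized table; a
    real database uses a trie over millions of prefixes)."""
    parsed = [(ipaddress.ip_network(prefix), cc) for prefix, cc in rows]
    return sorted(parsed, key=lambda row: row[0].prefixlen, reverse=True)


NETWORKS = build_table(GEO_TABLE)


def is_local(addr) -> bool:
    return any(addr.version == n.version and addr in n for n in LOCAL_NETS)


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for `ip`, or None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return None


def landing_page(client_ip: str, preference: Optional[str] = None) -> str:
    """Choose where to send the visitor.

    Precedence: a choice the user already made (e.g. stored in a cookie)
    beats GeoIP, because the user knows better than the database; local
    addresses and unknown prefixes fall back to asking rather than guessing.
    `client_ip` must be the real peer address, not a client-supplied header.
    """
    if preference in LANDING.values():
        return preference
    addr = ipaddress.ip_address(client_ip)
    if is_local(addr):
        return CHOOSER
    return LANDING.get(lookup_country(client_ip), CHOOSER)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.200", "198.51.100.7", "2001:db8:1::1", "10.0.0.1"):
        print(ip, "->", lookup_country(ip), landing_page(ip))
```

Behind a reverse proxy the peer address is the proxy’s, so the real client address has to come from a header the proxy itself sets and that it overwrites on the way in; trusting a header straight from the client lets anyone pick their own region, or whatever else the lookup gates.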

This is just a random thought.

Anonymous vs Aaron Barr

Personally, I used to think that Anonymous were just a bunch of kids doing dumb stuff since their attacks have largely been limited to DDoS attacks against targets. DDoS attacks do not reflect any sort of sophistication and can be done by just any dumb hick with access to the right resources.

However, their latest attack on the security company HBGary is quite another thing altogether, and deserves some respect. From the Ars feature article on the story, I found that Anonymous has been right to act and to do it with some sophistication and class. While I still think that they’re a bunch of kids, at least they’ve got their heads screwed on right.

When someone threatens your life, you have every right to beat them down hard. I totally support the kind of action that they took against the security expert.

This is another lesson that we security types should learn: security is a never-ending cat-and-mouse game where the roles of predator and prey can swap places constantly. Personally, I know some basics on security too and as one of the top sys-admins at Serverfault, I have to also keep a watchful eye on the dozens of servers that I administer.

However, it is not so easy to stay on top of the game because I am learning new things all the time, and have to do that to stay ahead. However, I know full well what my limits are and that I may be good, but I am most certainly not the best at the game. However, that’s fine with me because I do not sell my services as a security expert. I am a chip designer and embedded engineer. Knowing some security does help even at the chip level.

Hmm. Maybe it’s a good business idea to design ‘security chips’??

Hats off to Anonymous! Keep up the good work!