
Hocking Hills Fall Tour Ride

Posted: October 9th, 2011, by Bruce

View on my EveryTrail profile: Hocking Hills Fall Tour

—————-

New Handgun — Home Defense & Recreational Fun

Posted: August 21st, 2011, by Bruce


So I’ve been thinking about getting some type of home protection weapon for a few years now.  With all the craziness in the world and the various stalking issues that we’ve been put through, it’s been nudging at me for a while.  With the kids older and mature enough to understand the respect such a tool must be given, Lisa and I started seriously considering the option a few months ago.  We did our research, checked out several shooting ranges and shot about 400 rounds through 5 different pistols to get a feel for what we wanted.

We finally bit the bullet on Saturday.

While we were out riding around town and running some errands, we decided to stop by Vance Outdoors just to see if they had our handgun of choice — a Smith & Wesson M&P 9mm.

Since having settled on the M&P as our home defense handgun, we found that they’re pretty dang hard to get your hands on right now.  The more we researched the more we found just how good the pistol is.  Seems Smith & Wesson is getting hammered with orders from law enforcement and military around the world.  Will it give the venerable Glock a run for its glory?  Only time will tell I suppose.

Three other local gun shops and most of the Internet don’t have these handguns in stock, so we had little hope that Vance’s would. But lo and behold, they had two of them!  They didn’t have the box kit that I was thinking we’d get (extra magazine, a fast loader and a holster), but what they did have was a “special-ops” version that isn’t even on the Smith & Wesson website as a normal model.  It comes with the threaded barrel (for a suppressor), no mag lock, no internal lock, plus night sights pre-installed — and it was on sale for less than what I would have ended up paying for the standard gun plus installation of the night sights post-purchase.  Nice!

We bought it on the spot.  :-)

We’ll be putting the first rounds through it later this week.  I can’t wait!

Next up, we’ll be going through the CCW (concealed carry weapon class) for the right to carry if we want to.  We also plan to take some one-on-one shooting lessons with the great folks over at the Powder Room.  In the meantime, as soon as we get a few rounds through it ourselves, we’ll be taking each of the kids out to the range to teach them about gun safety.  We believe that knowledge is power and ignorance is NOT bliss — particularly with a weapon in the house.

Still, that being said and done…the quick open (digital key pad) gun safe will be installed shortly too.

:-)

—————-

iPhone Photos – A Love/Hate Relationship

Posted: June 12th, 2011, by Bruce

For those that know me, I have been a BlackBerry fan for the past several years.  My BB did everything that mattered — it made phone calls, allowed me to send/receive emails in an immediate fashion, it kept my passwords very securely, kept some small notes handy, and even allowed me to use some social networks like Facebook and Twitter.

And then my sweet wife pushed and prodded me to get an iPhone 4 for my birthday.

I’ve seen the dark-side — and I’m loving it!

But now that I’m just getting over the initial infatuation and slowly removing my love blinders, I’m getting a little frustrated with some of the things that Apple actually doesn’t do quite so well. Or perhaps they do things the way they like without giving users the option to use the phone their own way.

My greatest frustration so far — photos.

Yes, the iPhone takes amazing pictures and video compared to my old BB.  And I can do things like zoom in and out on the photo with the two-finger “pinch” technique which is oh so cool for a newbie Apple guy like me. But what it doesn’t do so well is sort photos like I want it to. And figuring out what exactly Apple was basing their sorting algorithm on took more determination than I initially anticipated. And although some may see that it was obvious to start with, the process of determining it based on what others had found or not found, as well as my own testing, was a bit painful and time consuming. And once I did figure it out, finding a method to sort and order my photos “my way” has led to a multi-application, dual-pronged approach.

*sigh*

Here’s the story in a nut-shell.

I have a pretty significant digital photo collection.  Not quite like a few other friends, but a decent amount nonetheless.  As such I don’t simply want to sync all my photos to my little iPhone, but just a subset of them.  Things like a set of photos of my kids, the family, friends, faceshots for my contacts, etc.  Being a Windows/Linux guy, I happily use Picasa to organize, crop, rename, etc.  The first thing I found is that if I export a subset of my pics into an organized directory structure, such as “iPhone\Family\” and “iPhone\Family\Kids” and maybe “iPhone\Family\Lisa”, and then sync the root iPhone directory — all those organized photos simply end up in a single iPhone “album” called Family.  I pretty quickly found that iPhone has no clue about nested directory structures.

Ummm…c’mon Apple, even my BB could handle nested directories and you can’t?

Okay, fine. Kinda dumb, but I can deal with that.  Using my same example, I move & rename the directories to “iPhone\Family”, “iPhone\Family-Kids” and “iPhone\Family-Lisa”.  Now they’re all at the root level and will at least be sorted at the Album level to make some sense for me.

But then I look in the folders on the iPhone and the pictures are all in some random order (“random” being my initial perception).  So I assume that it’s sorting by filename, which is simple enough to change in Picasa.  Using the “trick” of setting the base filename in the Picasa rename function to “name-1001” to ensure the count increments properly (otherwise leading zeroes won’t be used), the rename takes all of 5 seconds.  Sync the iPhone and…what?! Still all randomized, although now some of the pics have moved around.

It took me some time to figure out that Apple, in its infinite wisdom, uses the EXIF field of “Date Taken” to order the pics (there’s a LOT of confusion about this fact on the Interwebs). Oh, and in what I see as a reverse order too — meaning the oldest pics are at the top of the Album, which is where you are placed when you open an Album.  Now why on earth would I be placed at the oldest photo rather than the newest one?

Another *sigh*

Now some may ask — “Why would you NOT want to sort by the Date Taken EXIF attribute?”  Well, let me tell you.  Some of my older pics don’t have that field.  Other pics have been cropped and copied with various applications that have also either removed the EXIF field or replaced it with the modified date.  Even others were taken with cameras that had the date set wrong.  All of these and more would cause all sorts of strange sorting patterns. However, none of this has ever been a problem with my Picasa workflow of exporting and sorting by filename.

Okay, okay…I’ll make this work somehow.  And I have.  It just took me a lot of time and patience that I didn’t expect such a simple thing to require.

Here’s my current convoluted process:

  1. One-time – create a new directory structure to house photos that I want sync’d to my iPhone and set up iTunes to sync photos and videos using this directory.
  2. One-time (or as needed for more directories) – Create a new Collection for my iPhone folder and move all my iPhone folders into that collection.
  3. Within Picasa, locate the photos that I would like on my iPhone.  Export those photos into my various designated iPhone sync folders.  Sticking with my example, that would be “iPhone\Family”, “iPhone\Family-Kids” and “iPhone\Family-Lisa”.
  4. Go to my iPhone photo collection and within Picasa re-order the photos as desired.  A simple matter of sorting them by name or date first to see how close we can get, and then simply drag/drop photos around to manipulate the order.
  5. Once they are ordered as I want, select all the photos, hit [F2] and set a basename, such as “Family-Kids-1001”.  Rename the pics in the order I’ve set.
  6. Now I leave Picasa and open Windows Live Photo Gallery (WLPG).
  7. Open the iPhone directory in WLPG
  8. Select all the photos
  9. Click View > Tag and Caption Pane
  10. Set the “Date Taken” field to some date/time.
  11. Since all the pics are selected, they now all have the exact same EXIF Date Taken property set.
  12. Sync the photos to my iPhone
  13. Since all the pics have the exact same Date Taken info, I found that the iPhone will then perform a secondary sort based on the filename!  FTW!!

Of course, as I mentioned earlier, the photos are in my mind sorted in reverse by showing the oldest pics first.  As such, you could reverse the order of the photos when renaming them, thereby establishing a reversed reverse order which will then cause the iPhone to really sort by newest first.  I haven’t gone that route because that means it would be the opposite of the Camera Roll and perhaps lead to some confusion in the future depending on which folder you may be looking through.

Now, did it really have to be that difficult Apple?


—————-

RSA’s Recent Compromise

Posted: March 21st, 2011, by Bruce

On Thursday, March 17 RSA published an open letter to their customers. It can be found on their website at http://www.rsa.com/node.aspx?id=3872 and is placed here in its entirety. I highlighted some key points, with the second paragraph being what I found most interesting.

Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers’ relevant partners.

We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we’ve outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it’s a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.

Sincerely,

Art Coviello
Executive Chairman, RSA

Essentially, RSA was infiltrated by an attacker (or attackers, nation state, terrorists, Russian mafia, whoever) for an extended period of time before detection occurred (APT), and certain sensitive information was disclosed.


My Analysis:

I’m not sure that a bureaucrat could have been any less clear about something than this statement from RSA.  But given the sensitive nature of the compromise it’s probably the best they could do in such a public forum.  They do point actual customers to the SecurCare Online portal for what seems to be more information – however, I will not release any customer-only provided information here.

Regardless of any additional SecurCare information that could add further detail to my analysis, my initial reaction to this was not one of huge concern — even though some other technical analysts and so-called experts started yelling that the sky was falling.  This is based on the simple fact that the very worst a compromise at RSA could do is essentially disclose their entire SecurID mapping database, thereby allowing an attacker to retrieve the “seed” keys to customer tokens — my own included.  That’s the most sensitive information RSA houses regarding their SecurID tokens.  While certainly not something to disregard, this cannot in and of itself provide access to systems – likely the reasoning behind the statements “…the information extracted does not enable a successful direct attack” and “…could potentially be used to reduce the effectiveness of a current two-factor authentication implementation…”.

These “seeds” are the most sensitive part of the SecurID tokens — more so than the RSA algorithm itself (which has already been replicated before).  It’s the secret number that would allow an attacker to determine the next rotation of a token’s 6-digit display number, provided they also had at least one past number sequence and the exact date/time of that display.  Is that a bad thing?  In and of itself, lacking any further security layers or controls, the answer most certainly is a resounding — YES.  I believe that’s where some “experts” stopped their analysis and started crying wolf.  However, there are several mitigating factors to its successful use against most systems.  In fact, RSA tokens deployed in their default mode with no further security would still be relatively safe.  Even if an attacker knew what those numbers were and the exact 60-second window they would be good for, they would not know the 4-digit (or greater) PIN code of the user.  The PIN is not stored or even known by RSA – PINs are only known by the user and the specific installation of any given organization’s authentication server (RSA ACE Server).

Of course, an attacker could attempt to brute force the PIN.  While it’s technically feasible that 1 MILLION attempts (the possible number of outcomes based on the 6-digit display tokens — 100 MILLION on the newer 8-digit displays) could be conducted within a 60-second window on powerful dedicated computers, the vast majority of real-world systems could not react or process fast enough for anywhere near that number of attempts to be done within 60 seconds.  Additionally, provided an organization implemented such a basic security measure as account lockouts after X unsuccessful attempts (let’s say 5 bad passwords), the token would lock any access after just 5 attempts.  And finally, even if the attacker were lucky enough to brute force the PIN in those first 5 attempts – they wouldn’t know the user that token was assigned to and therefore don’t have a username to match it to.  The username, like the PIN, is not something that RSA stores or has any knowledge of whatsoever.

On top of all that, some implementations of SecurID tokens are used in conjunction with additional authentication controls.  Take for instance a Cisco IPSec VPN.  In order to use a token to access such a VPN an attacker would also need to have the VPN group credentials – yet another name and passphrase combination that’s used before they are even prompted to provide the SecurID authentication.  Another example would be a remote control or terminal session, such as GoToMyPC.  In that case the attacker would require a second set of authentication credentials — the corresponding user’s email address and passphrase — to login to GoToMyPC, and then yet ANOTHER secret passphrase known only to the user and their specific workstation, at which point they can finally try to brute force the PIN…with just 5 tries.

So as you can see, the mitigating factors that should be in place lower the risk to most organizations dramatically.  It would be exponentially easier for an attacker to have physically stolen a SecurID token (thereby at least having a possibility of knowing the username and possibly even the PIN if the user wrote it down and stored it with the token) than to have stolen the “seed” numbers from RSA associated to any given organization.  Let’s even go so far as to say that the user was silly enough to write down their exact username and even their PIN on the token itself, providing the attacker with everything they need to use the SecurID token.  Given the additional security measures that should be in place, they still can’t access our systems using the SecurID token alone.


Technical Interest

RSA SecurID keys are known to work around a 64-bit secret and unique “seed” cipher (newer tokens may use 128-bit ciphers).  This 64-bit cipher is combined with a 64-bit value for the current date/time via an undisclosed (but not necessarily indeterminable) algorithm, resulting in a pre-converted 64-bit hexadecimal value.  This hex value is in turn processed through a simple transform to output a 6-digit (or 8-digit in newer models) display number that the user sees and uses.


Note that the fact that the pre-converted value is actually obfuscated by the transform is a by-product of the process and not directly intended to provide additional security to the SecurID algorithm.


As an interesting sidebar, examination conducted by mathematical experts has shown that the 64-bit time value is itself generated from a 32-bit representation of current time (GMT) in seconds since SecurID epoch time, which is 01/01/86 (Security Dynamics, the creator of SecurID technology, began operations in 1986).  Even then, through some additional mathematical manipulation, current time is further reduced and represented by only 24-bits of the original 32-bits representing seconds from epoch time, and then again by dropping the 2 least significant digits to finally arrive at a 22-bit time value, providing one of 4,194,304 possible time values.

22 bits may not seem like much in 2011, when we are now using 256-bit SSL ciphers.  However, since the 22-bit key is changed every 60 seconds, it’s very effective and still outlasts the expected lifetime of these tokens.  In fact, even for newer 8-digit tokens with a 60-second display interval, it would take ~16 years to cycle through every value.

The “seed” key that we talk about is the secret 64-bit (or 128-bit) cipher.  Now we don’t know much publicly about how these are established and matched to each specific token, but there’s likely one of two ways.  The first is that there is an algorithm based off of each token’s unique serial number that establishes that cipher key (seed).  It’s very unlikely that RSA did something so inane, and given the many bits of information leaked from RSA over the years this is apparently not how it’s implemented, but it is one possibility.

The more likely scenario is that the seed is a random or pseudo-random number generated when the token is manufactured.  RSA then keeps a database that maps every token ever manufactured (via their serial numbers) to their corresponding seeds.
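As an added illustration of the mechanism described in this section and of the PIN/lockout/username arguments in the analysis above, here is a toy model written for this post; it is not RSA’s code, and since the real combining algorithm is undisclosed, HMAC-SHA256 is an assumed stand-in, as are the minute-counter time value, the `AuthServer` class and the sample seed, username and PIN.

```python
"""Toy model of a SecurID-style time-synchronous token plus the server-side
controls (PIN, lockout, username) that the post argues blunt a seed disclosure.
HMAC-SHA256 is an ASSUMED stand-in for RSA's undisclosed combining function."""
import hashlib
import hmac
from datetime import datetime, timezone

SECURID_EPOCH = datetime(1986, 1, 1, tzinfo=timezone.utc)  # epoch named in the post
WINDOW_SECONDS = 60     # display interval named in the post
TIME_BITS = 22          # size of the time value named in the post


def time_value(when: datetime) -> int:
    """Wall-clock time -> 22-bit time value (2**22 = 4,194,304 possibilities).

    Assumed model: 32-bit seconds since the SecurID epoch, counted in whole
    60-second windows and truncated to 22 bits. The post's intermediate 24-bit
    reduction is not public, so this only reproduces the range and the period."""
    seconds = int((when - SECURID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return (seconds // WINDOW_SECONDS) & ((1 << TIME_BITS) - 1)


def token_code(seed: bytes, when: datetime, digits: int = 6) -> str:
    """Combine the 64-bit seed with the time value, then transform the 64-bit
    pre-converted value into the 6- (or 8-) digit display number."""
    if len(seed) != 8:
        raise ValueError("seed must be 64 bits (8 bytes) in this model")
    counter = time_value(when).to_bytes(8, "big")
    pre_converted = hmac.new(seed, counter, hashlib.sha256).digest()[:8]
    return str(int.from_bytes(pre_converted, "big") % 10 ** digits).zfill(digits)


class AuthServer:
    """Minimal ACE-Server-like model (assumed). Only the server holds the
    username -> seed mapping and the PIN; RSA's seed database holds neither."""

    def __init__(self, lockout_threshold: int = 5):
        self.lockout_threshold = lockout_threshold
        self.users = {}       # username -> (seed, pin)
        self.failures = {}    # username -> consecutive bad attempts

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        self.users[username] = (seed, pin)
        self.failures[username] = 0

    def authenticate(self, username: str, passcode: str, now: datetime) -> str:
        """Passcode = PIN followed by the current token code."""
        if username not in self.users:
            return "unknown-user"
        if self.failures[username] >= self.lockout_threshold:
            return "locked"          # lockout holds even for a correct passcode
        seed, pin = self.users[username]
        expected = pin + token_code(seed, now)
        if hmac.compare_digest(passcode.encode(), expected.encode()):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


def pin_guess_odds(pin_digits: int, lockout_threshold: int) -> float:
    """Chance of guessing the PIN before lockout, assuming the attacker already
    holds the seed AND the username (the post's worst case)."""
    attempts = min(lockout_threshold, 10 ** pin_digits)
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    seed = bytes.fromhex("0123456789abcdef")   # constructed sample seed
    now = datetime(2011, 3, 21, 12, 0, tzinfo=timezone.utc)
    srv = AuthServer()
    srv.enroll("bruce", seed, "4821")          # constructed username and PIN
    code = token_code(seed, now)
    print("display:", code, "time value:", time_value(now))
    print(srv.authenticate("bruce", "4821" + code, now))   # ok
    print(srv.authenticate("bruce", code, now))            # denied: seed alone is not enough
    print("odds before lockout:", pin_guess_odds(4, 5))    # 0.0005
```

With a 4-digit PIN and a 5-attempt lockout the model puts a seed-holding attacker's odds at 5 in 10,000 per account, and that is before the username and any VPN group or workstation credentials listed below are even considered.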

For an attacker to conduct a successful attack, they would need to gain access to the following information for each of the two systems that I used as examples above:

VPN

  1. One of the following:
    • A token seed + one or more 6-digit output displays with their exact corresponding date/time (the more the better in order to narrow the 60-second window down)
      OR
    • A stolen physical token
  2. The corresponding username assigned to the token
  3. The user’s secret PIN for the token
  4. The system the token is used for (VPN IP address or DNS name)
  5. Yet another set of credentials (username + password) to the VPN group credentials of the Cisco VPN itself.

GoToMyPC

  1. One of the following:
    • A token seed + one or more 6-digit output displays with their exact corresponding date/time (the more the better in order to narrow the 60-second window down)
      OR
    • A stolen physical token
  2. The user’s secret PIN for the token
  3. The system the token is used for (GoToMyPC)
  4. The corresponding username (email address) assigned to the token
  5. The user’s password to the GoToMyPC website
  6. Yet another secret passphrase known only to the user and stored only on their workstation (not stored on any other system)

Given the worst-case scenario of an attacker having breached RSA’s serial number to seed database (or even having discovered a universal algorithm that breaks every token), that only provides an attacker with step #1a of both authentication processes in our examples.


Final Words:

Now having said all that, I’m certain there are organizations that have implemented SecurID without ANY additional controls in place — and in that case, likely don’t have any monitoring either.  If the seeds to their tokens were disclosed to an attacker, those particular organizations MAY be at risk.  I say MAY because even then, unless the organization has eliminated every default setting (account lockouts, PIN use, etc.) AND associated the key directly with a user without any corresponding username, the risk is higher but certainly doesn’t provide immediate access.

I would recommend that existing users of RSA tokens indeed follow the RSA guidance that may be provided.  But I take the line that from a technical standpoint the disclosure of the seed database from RSA, while a critical issue of information disclosure, does not provide an attacker with any direct access to systems.

The one caveat I’ll throw out is this — given that the attack was itself an APT (something that, if correctly identified as such by RSA, is an attack postured by nation-states and such) it’s possible that the attacker was looking for specific information within the seed database based on additional information already gathered by the attacker.  In that case, there may certainly be reason for further concern for that particular entity.  In that case…ruh roh.


—————-

Am I Good Enough?

Posted: March 12th, 2011, by Bruce

Amy Lee has an incredible voice. Singer, pianist and songwriter — she is a truly talented musician. She’s an artist I admire, with “Good Enough” topping the list of my favorite songs of hers. She said the song was inspired by her husband (long-time friend and soon to be fiancé at the time).

While some have criticized Amy Lee and her band Evanescence as being “pop” goth-metal, corny and sophomoric, I find her songwriting to be warm and heartfelt, and her soaring vocals to be quite enchanting.


Good Enough

Under your spell again.
I can’t say no to you.
Crave my heart and it’s bleeding in your hand.
I can’t say no to you.

Shouldn’t let you torture me so sweetly.
Now I can’t let go of this dream.
I can’t breathe but I feel…

Good enough,
I feel good enough for you.

Drink up sweet decadence.
I can’t say no to you,
And I’ve completely lost myself, and I don’t mind.
I can’t say no to you.

Shouldn’t let you conquer me completely.
Now I can’t let go of this dream.
Can’t believe that I feel…

Good enough,
I feel good enough.
It’s been such a long time coming, but I feel good.

And I’m still waiting for the rain to fall.
Pour real life down on me.
‘Cause I can’t hold on to anything this good enough.
Am I good enough for you to love me too?

So take care what you ask of me,
’cause I can’t say no.

—————-

My First WordPress Plugin – Kind Of

Posted: March 9th, 2011, by Bruce

Well, not really my own plugin from scratch.  I finally found a pretty good and relatively recent plugin to show my recently played songs.  By creating a profile at Last.fm and linking to my iTunes, songs I listen to on both my main home computer and my iPod (when it syncs) update my Last.fm profile.  The plugin I found then pulls the last X number of songs from my profile and displays it in the sidebar.

Of all the song plugins I played with over several days, this was the best of the bunch.  But it still had things I felt were missing or needed to be changed.

So for the past few days during some downtime at home I’ve been re-learning PHP and getting up to date with XML parsing, along with trying to interpret someone else’s code.  For the most part this particular author took care to comment his code pretty well so it made it easier than most other authors I’ve come across.

The plugin I modded was Justin Turner’s “Last.fm Recently Played Tracks”.  Here’s a list of what I did:

  • Get larger profile picture for clearer image
  • Get larger album art for clearer image
  • Removed separate “view my profile” link
  • Added profile link via username and picture
  • Modified user information syntax
  • Modified spacing within the “theTracks” user info panel
  • Added hyperlinks for artist, song and album
  • Added a CD jewel case around the album image (will mod this later with an actual image rather than borders, but good enough right now)
  • Get “generic” artist image if no album art exists or return a default album image if no artist image exists either

Most of it wasn’t all that difficult, just modifying HTML within the plugin.  The one that took more than half my time was getting a generic artist image if the album image didn’t exist.  I found that an earlier version of the Last.fm API actually had an artist image in the returned XML when looking for similar artists.  For some reason version 2.0 doesn’t have that information.  Once I found that I got to learn all about parsing XML.  Fun stuff!

You can see the fruits of my labor on the right sidebar.  Nice, huh?

Per the license agreement, GNU General Public License v2, I am posting my modded version here.  I will also be contacting the original author, Justin Turner, to see if he wants my mods to possibly include into his version.  Sadly, it looks like his own website content went bye-bye recently, but maybe this will cheer him up some.

:-)

Next up, I may try my hand at a complete plugin and see what I can do.  Something simple to start with, but it will include a widget.  Not sure what yet, but stay tuned.

—————-