Sunday, July 15, 2012

Safely storing passwords

A classic piece of advice on the Internet is to use a different password for each site. The reason is that if someone manages to get your password for one application - webmail, Facebook, LinkedIn or anything else - he may have a way to find some of your other applications. And if your password is shared, the attacker has access to them as well. But with that advice comes the hassle - or rather the pain - of managing all these passwords, with certain sites asking you to change your password from time to time.

The solution comes with a "keyring" or password manager: an application that will securely store your passwords and credentials, and that will allow you to access them whenever you need. Its characteristics need to be:
  • Secure, i.e. the information cannot be retrieved without your master password 
  • Easy to use
  • Portable, so you may have your password database on a USB thumb drive
Here are three options.

Excel/LibreOffice spreadsheet

Maybe the easiest is to use an application you are used to: a spreadsheet. In this case, you may create one to store your sites, usernames and passwords, and protect the spreadsheet with a password.

Modern versions of Microsoft Office and LibreOffice come with strong encryption that cannot be easily brute-forced, as long as the password you use is strong.

While the spreadsheet can be put on a USB drive, you will need all the machines on which you expect to read the file to have the relevant Office suite installed.

LastPass

To use LastPass, you have to install a small piece of software on your computer and allow the device to access your database.

While the master database is stored online, each device gets a locally stored copy. That way, if you don't have Internet connectivity or if the LastPass site is down, you still have some of your credentials available.

The downside is that the master database is stored online: you have to trust that the security of the site and of the master databases is adequate.

Password Safe

This is a little more than a spreadsheet, as you also need to install the application on all your devices. It has a few interesting features, such as generating passwords for you.

There are many, many more options available, some commercial (IronKey, Kaspersky), others free.

Happy surfing!

Sunday, July 8, 2012

Falstad Circuit Simulator - Transistor Graph

Recently, and after almost 15 years without touching a component, I decided to go back to my roots - electrical engineering - and annoy transistors and other diodes again. To test quickly, I use a Java applet on the Falstad website.

The components are idealized, and for instance, there is only one NPN transistor - forget about the BC547 A through C, the 2N2222 and other BD135 - whose only changeable parameter is its DC gain β, 100 by default.

I needed the UCE/Ic graph for various values of Ib, so I decided to plot it myself.

Saturday, July 7, 2012

How to protect your home internet connection

Besides protecting your computers, protecting your access is an important part of your home network security. This includes multiple parts:

  1. Protecting the management of your Internet router
  2. Creating rules to allow only what you need to go from the Internet to your network
  3. Creating rules to allow only what you need to go from your network to the Internet

1. Protecting the management of your Internet router

It may sound dull, obvious and over-repeated but this is a very important part of securing your network. For instance, I just scanned the /24 Internet network I am on: I found the router of another subscriber with remote management - usually port tcp/8080 - and it took me two attempts to find the administrative password. In this case, the username is "admin" and the password is "admin". 

From there, what can I do? A lot! I could obviously mess with the person's Internet access, but I could also get his username/password. On the other hand, I could also start creating PAT (port address translation) rules to access his home machines, potentially getting access to his computers. From there: game over, I'm in.

The first thing I suggest: when you get a new Internet router, change the password! There are lists of all the default combinations of username/password for the major brands.

Then, ask yourself this question: how likely is it that you will be administering your router from the Internet? In most cases, the answer is: not likely at all. In that case, I suggest disabling the remote management facility.

2. Creating rules to allow only what you need to go from the Internet to your network

99% of the time the answer is: you don't need to allow any access from the Internet to your internal network. Do you really host a server at home? Or is it to access your home machine from work? 

In all cases, be aware of what you do! If you expose your machine to the Internet, you may be giving access to a wider audience than you realize. And in that case, how well is your machine protected? Again, scanning the /24 Internet network I am on, I found 4 machines accessible through RDP. Chances are that I could find a combination of username/password, and again: then, I am in. Game over.

If you need to access your machine from outside your internal network, restrict the IPs from which this is possible. Are you accessing it from your workplace? Ask your network team what the corporate public IP range is, and allow only from that range. If you can't restrict to a specific set of IPs or networks, investigate other ways, such as a secured VPN, and don't be shy with the password!

3. Creating rules to allow only what you need to go from your network to the Internet

This is probably the most overlooked part: routers usually come with a default policy that permits anything from the inside network to the outside. While this is nice and works in all cases, it also adds several security vulnerabilities.

  • Unwanted applications may start communicating

For instance, do you use IRC? Or peer-to-peer? Or do you often send e-mail through a Chinese mail server? If the answer is "no", then blocking the corresponding hosts/ports will increase the security of your network. For instance, my own rule set allows:

  • HTTP/HTTPS/FTP/POPS/IMAPS/SSH to the whole Internet;
  • SMTP/SMTPS to my mail server
  • Google Chat to the whole Internet
  • MSN to the address defined in my IM client
  • DNS to the two Google DNS servers and
  • A couple of ports/hosts needed for a few online games I play from time to time

And that's it. All in all, I have 29 rules, including the last one that denies everything that is not explicitly permitted. Once in a while, I look at the logs and check whether something was dropped, and if so, whether it is normal - such as friends staying with me, broadcasts and all the noise that can exist on a network.

This actually helped me show a friend that his machine was infected. He was visiting and needed access for his laptop, which I provided through my home wireless. I happened to be playing with IPv6, and I started seeing a lot of drops. Further investigation proved that these were attempts from his machine to send e-mails. I then asked if he was trying to e-mail, and he wasn't, so we started looking closer at his machine. It appeared his machine was compromised by a Trojan that was trying to send some spam.

Another example happened when I was helping a friend secure his home network. We started seeing drops on some ports. It happens his kid had installed a peer-to-peer client on the family computer. When we looked at the peer-to-peer program, we found it was not secured at all and was sharing his whole hard drive.

  • Your machine may be used to scan the Internet to find other vulnerable machines

If your machine gets compromised, it may start scanning the Internet to find other vulnerable computers. This may result in your address appearing as an attacker in other people's logs, with the potential consequence that you may get a visit from your local authorities - in certain countries, if you fail to protect your Internet connection and your computer, you may be considered responsible for all the damages resulting from a compromise originating from your IP address, regardless of whether you are the actual author.
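
The following Python example, added here and not the author's router configuration, models the outbound policy described above as first-match rules ending in a deny, then groups the drops per internal host the way the log reviews above did. The port numbers chosen for "POPS" and SMTPS, the mail server address and all flow records are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed policy modelled on the rule set above. Assumptions: "POPS" is read
# as POP3S (995), SMTPS as 465, and 203.0.113.25 is a placeholder mail server.
net = ipaddress.ip_network
RULES = [  # (action, protocol, destination network, destination ports)
    ("allow", "tcp", net("0.0.0.0/0"), {80, 443, 21, 995, 993, 22}),
    ("allow", "tcp", net("203.0.113.25/32"), {25, 465}),
    ("allow", "udp", net("8.8.8.8/32"), {53}),
    ("allow", "udp", net("8.8.4.4/32"), {53}),
    ("deny", "any", net("0.0.0.0/0"), None),  # last rule: drop the rest
]

def decide(proto, dst, dport):
    """Return the action of the first rule matching an outbound flow."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_net, r_ports in RULES:
        if (r_proto in ("any", proto) and addr in r_net
                and (r_ports is None or dport in r_ports)):
            return action
    return "deny"  # nothing matched (e.g. IPv6 destination): fail closed

def review_drops(flows):
    """Group denied flows as {internal source: {dest port: {destinations}}}."""
    drops = defaultdict(lambda: defaultdict(set))
    for src, proto, dst, dport in flows:
        if decide(proto, dst, dport) == "deny":
            drops[src][dport].add(dst)
    return drops

def suspicious(drops, min_destinations=3):
    """Ports on which a host was dropped towards many distinct destinations."""
    found = {src: sorted(p for p, d in ports.items() if len(d) >= min_destinations)
             for src, ports in drops.items()}
    return {src: ports for src, ports in found.items() if ports}

# Constructed flow records: (source, protocol, destination, destination port).
FLOWS = [
    ("192.168.1.10", "tcp", "198.51.100.7", 443),   # web browsing: allowed
    ("192.168.1.10", "tcp", "203.0.113.25", 465),   # own mail server: allowed
    ("192.168.1.10", "udp", "192.0.2.53", 53),      # unlisted resolver: dropped
    ("192.168.1.77", "tcp", "198.51.100.20", 25),   # guest laptop, direct SMTP
    ("192.168.1.77", "tcp", "198.51.100.21", 25),
    ("192.168.1.77", "tcp", "192.0.2.90", 25),
]

if __name__ == "__main__":
    print(suspicious(review_drops(FLOWS)))
```

A single drop, like the DNS query to an unlisted resolver, stays in the per-host summary for review, while repeated drops on one port towards several destinations are what single out the guest laptop.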

Happy surfing!