Jul 15 2012

I’m sure you’ve seen reports in the news recently of all the online services which have been hacked, causing their users’ passwords to be exposed. Assuming the website has followed best practice and only stored password hashes, this shouldn’t be a big deal, as it will take the hackers some time to crack the hashes and in that time you can log on and change your password. However, a lot of people use the same password on multiple services. This means that, if a hacker gets access to one password, he may be able to log into lots of other services using your account.

The Security industry is constantly reminding people not to use the same password for multiple services, but this is an almost impossible task. I recently spent a couple of days tracking down all my online accounts and setting secure passwords on all of them – I found 78 different accounts – there is no way I could remember 78 unique passwords without some sort of reminder.

A few years ago I came up with one solution, but I think I now have a better one.

My original solution was to come up with a password which I would be able to remember – I used a line from a book, taking the first letter of each word to make up the password.

For example, if I chose the line “It was a bright cold day in April, and the clocks were striking thirteen.”, my password would be IwabcdiA,atcws13. That’s not a bad starting point as it’s easily memorable, 17 characters long, it has upper and lower case letters, numbers and symbols. But, we now need some way to make it unique to each site.

I added the consonants from the site name to the middle of the password. For example, www.google.com would become “Ggl” and my password would be IwabcdiA,Gglatcws13. My Twitter password would be IwabcdiA,Twttratcws13. The problem with this system is that an attacker who finds one of your passwords might recognise the string “Twttr” as being related to Twitter and be able to guess your other passwords.

I realised that it would be more secure to have completely unique passwords for every site, and tried to find a way of mentally performing some sort of hashing algorithm on the domain name with an appended salt to produce a unique password. It turns out this is pretty difficult to do. I came up with the following system which will allow you to work out your password with a pen and paper – I think this is better than having your passwords written down, and does not rely on having access to a password manager (although I have a solution to that too!)

OK, bear with me – this gets a bit complicated, but after you have done it a couple of times it becomes easier.

I’m not a cryptographer, so I can’t vouch for this being at all secure, use it at your own risk. In my opinion, though, it must be more secure than using the same password in multiple places.

  1. Firstly, choose a secret number, say 5 digits long. I’ll use 35187 as an example – this is used for every password.
  2. Next, take the domain name – example.com
  3. Use RotX on each letter of the domain name, where X is the next digit of your secret number. RotX just means to count X letters through the alphabet from your starting letter. So, C Rot5 would become H (count in your head “C,d,e,f,g,H”). We will change our domain name e+3, x+5, a+1, m+8, p+7 (then repeat your number as necessary) l+3, e+5, .+1 (I’ll come back to the dot in a second), c+8, o+7, m+3
  4. We now have hcbuwoj.kvp
  5. Where there is punctuation, count the number of characters before the symbol and use [shift]+number to create a symbol. In this case, hcbuwoj has 7 characters, and [shift]+7 gives an & symbol.
  6. We now have hcbuwoj&kvp
  7. Transpose (swap) each pair of characters – this becomes chubow&jvkp
  8. Capitalise all characters which are on the left side of the keyboard – this becomes ChuBoW&jkp
  9. Before each group of capital letters, enter the number of preceding lower case letters – we now have 0Chu2Bo1W&jkp
  10. Before each number insert [shift]+[n+1], that is, increase the number by one and insert the symbol which you get by typing shift and the number. On a UK keyboard, this gives !0Chu£2Bo”1W&jkp which is your final password.
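As an added example (not code from the original post), here is a script that works through the ten steps above so you can check a pen-and-paper calculation. It assumes a UK keyboard for the Shift+digit symbols, that the secret digits cycle over every character of the domain including the dot (as in the walkthrough above), that the lowercase count in step 9 restarts after each run of capitals, and that counts of 10 or more wrap to a single digit. Note that at step 8 it capitalises the “v” (a left-hand key), which the walkthrough above leaves out, so its final value differs from the one shown by that letter.

```python
# Added example, not code from the original post: works through the ten
# pen-and-paper steps so a hand calculation can be checked.
# Assumptions (the post leaves these open): UK Shift+digit symbols; secret
# digits cycle over every character of the domain, dot included; the
# lowercase count in step 9 restarts after each run of capitals; counts of
# 10 or more wrap to a single digit.

# Assumption: UK keyboard layout, Shift held with each digit key.
SHIFT_DIGIT = {"1": "!", "2": '"', "3": "£", "4": "$", "5": "%",
               "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}
# Step 8: the letters on the left half of a QWERTY keyboard.
LEFT_HAND = set("qwertasdfgzxcvb")


def step3_rotate(domain: str, secret: str) -> str:
    """RotX each letter by the next digit of the secret; non-letters pass through."""
    out = []
    for i, ch in enumerate(domain.lower()):
        shift = int(secret[i % len(secret)])
        if ch.isalpha():
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # the dot still uses up a digit, as in the post
    return "".join(out)


def step5_punct_to_symbol(s: str) -> str:
    """Replace each punctuation mark with Shift+(number of characters before it)."""
    return "".join(ch if ch.isalnum() else SHIFT_DIGIT[str(i % 10)]
                   for i, ch in enumerate(s))


def step7_swap_pairs(s: str) -> str:
    """Swap each adjacent pair of characters; an odd final character stays."""
    chars = list(s)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def step8_capitalise_left(s: str) -> str:
    """Capitalise every letter typed with the left hand."""
    return "".join(ch.upper() if ch in LEFT_HAND else ch for ch in s)


def step9_count_lowercase(s: str) -> str:
    """Before each run of capitals, insert how many lowercase letters preceded it."""
    out, count, in_caps = [], 0, False
    for ch in s:
        if ch.isupper():
            if not in_caps:
                out.append(str(count % 10))
                count, in_caps = 0, True
        else:
            in_caps = False
            if ch.islower():
                count += 1
        out.append(ch)
    return "".join(out)


def step10_symbol_before_digits(s: str) -> str:
    """Before each digit n, insert Shift+(n+1)."""
    return "".join((SHIFT_DIGIT[str((int(ch) + 1) % 10)] + ch) if ch.isdigit() else ch
                   for ch in s)


def generate(domain: str, secret: str) -> list:
    """Return the string after each transforming step; the last entry is the password."""
    stages = [step3_rotate(domain, secret)]
    for step in (step5_punct_to_symbol, step7_swap_pairs, step8_capitalise_left,
                 step9_count_lowercase, step10_symbol_before_digits):
        stages.append(step(stages[-1]))
    return stages


if __name__ == "__main__":
    for stage in generate("example.com", "35187"):
        print(stage)
```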

You can, of course, come up with your own set of steps and customise to suit your own taste. The idea is to come up with a password which looks as random as possible and does not obviously relate to the original domain name.

This system may be useful where you are travelling across borders and do not want to transport passwords which could be intercepted by the authorities.

You can make some changes to the above steps to speed up the generation process – for example step 8 can be done at the same time as step 3.

Do you have any better systems, or see any holes in the system? Let me know in the comments!

Jul 13 2012

Recently, there has been a spate of websites being hacked and passwords being exposed.

Although I do use unique passwords on all sites they all followed a rule which meant that, if one password was exposed, it wouldn’t take a genius to work out the others. I know that a lot of people use the same password for multiple online accounts. And who can blame them, I have found I have 59 different accounts (that I know of!) – who can remember that many unique passwords?

I decided it was time to come up with a better system. I wasn’t interested in storing the passwords on my computer as I wouldn’t have access to them on my phone, or at work, or if I was using a friend’s computer.

I considered writing them down and carrying them in my wallet as has been suggested previously by Bruce Schneier, but I didn’t want to face the mad dash to change my passwords if I ever lost my wallet.

I came up with a system which will give you a secure(?) password for every site, but it has drawbacks. I may post the method later.

I did some research and found that it is possible to use a password manager and share the database via Dropbox which makes it available on all your computers and on your mobile phone. Problem solved!

Here are the steps you will need to follow to set it up for yourself.

  • Sign up for a Dropbox account and install the client on your desktop computer. If you use this link, we both get some extra free space and I will be forever thankful to you: http://db.tt/4Db0HSpj
  • Download KeePass from http://keepass.info/download.html It is available for Windows, Mac and Linux. I suggest you download the Classic Edition rather than the Professional Edition as it will allow you to write passwords on your mobile (The professional edition will only allow read access from your phone)
  • Install KeePass, following the wizard and run it when complete.
  • Create a new database in KeePass by choosing File > New
  • Choose a strong password as the master password – this will be the only password you need to remember.
  • Repeat the password when prompted.
  • You should now see the main KeePass window with categories under which you can save passwords.
  • See the excellent Keepass FAQ for details on how to enter and generate secure passwords (it’s easy)


  • Save the database to your local Dropbox folder.


  • Close the desktop client.
  • Download the Dropbox app for your phone and install it – enter the details you used when signing up for your dropbox account.
  • Download the appropriate client for your mobile phone. I use Android, so downloaded KeePassDroid.
  • Open the mobile Dropbox client and you should see the .kdb – click on it and it will open in KeePass.
  • Enter the secure password you set up earlier and click ‘OK’
  • You will now see the General group – click on it and you will see the same sub-groups which you saw in the desktop client. Once you have stored your passwords, you will be able to access them under the appropriate group.

So, now all my passwords are secure, how do I use them on my phone?

  • Open the General group, then the Internet sub-group – you will see all your website logins.
  • Click the site you want to access.
  • In the notifications bar at the top of the screen, you will see two new entries with padlock symbols next to them: Copy username to clipboard and Copy password to clipboard
  • Click the URL of the site and navigate to the login screen
  • Choose ‘Copy username to clipboard’ from your notification area and paste it into the Username field on the Website
  • Choose ‘Copy password to clipboard’ from your notification area and paste it into the Password field on the Website
  • Click ‘Login’ – you are in the site without having to memorise your password!

Now, go and change all your passwords choosing secure, unique passwords and store them in your password manager. If a hacker gets one of your passwords, your other accounts will still be safe, and if you choose complex enough passwords, the hacker may not even be able to get your password at all if they are stored as hashes by the website.

If you’ve found this useful, please sign up to Dropbox using my link so we both get some extra free space! Thanks!

Feb 26 2012

What is an SSL certificate?
At its most basic level, an SSL certificate is used to encrypt electronic communication, to authenticate users or devices, and to sign electronic communication. There are various types of SSL certificate – Web Server certificates, Email certificates, code signing certificates etc.
Here, I will describe the process of creating a new SSL certificate for use on a website as this is the most common use for certificates. At some point, I may write further guides describing different types too.

What are the components of an SSL certificate?
SSL certificates contain a number of pieces of information:
Subject – the name of the entity being identified by the certificate.
Private key – never seen by the client.
Public key – associated with the private key.
Issuer – the name of the Certification Authority who has signed the certificate.
Serial number – a unique identifier for the certificate
Validity period – the start and end dates between which the certificate can be considered valid.
Usage – a description of what the associated public/private key pair can be used for.
Digital Signature – the signature of the issuer.

The certificate uses Public Key cryptography to encrypt, sign and authenticate.
The private key is known only to the owner of the certificate. A piece of information encrypted with this key can only be decrypted with the associated public key, and vice versa.

How do we communicate securely?
Let’s assume a situation where I want to communicate securely with you. I make a connection to your web server and request your certificate. Your server supplies the certificate which contains your public key. I generate a master key which we will both use to encrypt our communication. I encrypt the master key with your public key and send it to you. You are the only person who can decrypt the master key as you are the only person who knows your private key.

We have now securely exchanged a master key without anyone else being able to know it and can communicate securely.

What is signing?
In the same way you can sign a letter to ‘prove’ that it was written by you (assuming no one is capable of forging your signature), you can digitally sign an electronic communication to prove it was created by you – this also confirms that the content has not been changed since you signed it (and means you can’t deny the document was created by you)
When you digitally sign a document, you hash the content and encrypt the hash value with your private key. This is then sent with your certificate and the document. When I receive the signed document, I can decrypt the hash using your public key from the certificate. I then hash the document myself and confirm the two hashes match.

But, how do I know you are you?
Communicating securely is fine, but how do I know you are who you claim to be and not someone pretending to be you?
Public Key Cryptography to the rescue again!
When you create a certificate, you can have it signed by a Certification Authority (CA) – they will do some checks to confirm your identity; generally by doing a WHOIS search against your domain name and verifying your name and address.
Once they have established that you own the domain for which you are creating the certificate, they will digitally sign the certificate for you. This means they are vouching for your identity.
Every web browser comes with a list of CAs which it trusts – there are hundreds of them. When I receive your certificate, I check who it was issued by. If it was issued by a CA which I trust, I am able to confirm that it is signed by them and I know that I can trust the certificate.
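As an added toy illustration (not code from this post), the following Python shows both the sign/verify flow from “What is signing?” and the CA vouching just described: a CA signs a small “certificate” containing the site’s public key, and the browser side accepts a signed document only if the certificate’s issuer is in its trust list, the CA’s signature holds, and the document’s signature checks against the certified key. It uses textbook RSA with tiny fixed primes so every value fits in a few digits; the primes, names and JSON certificate layout are constructed for the example, and real certificates (X.509), key sizes and signature padding are not shown.

```python
# Added toy illustration, not code from the post: textbook RSA with tiny
# constructed primes to show hash-then-sign, verify, and a CA vouching for
# a subject's public key. Assumption: the primes, names and JSON layout
# below are made up for the example; real X.509 and RSA padding are omitted.
import hashlib
import json


def make_keypair(p: int, q: int, e: int) -> tuple:
    """Textbook RSA: public (n, e), private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """Hash the content, then reduce so the value fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key: tuple) -> int:
    """Signing as the post describes it: hash, then apply the private key."""
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, signature: int, public_key: tuple) -> bool:
    """Recover the hash with the public key and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def issue_certificate(subject: str, subject_pub: tuple,
                      issuer: str, ca_priv: tuple) -> dict:
    """The CA vouches for the subject by signing subject name + public key."""
    body = {"subject": subject, "public_key": list(subject_pub), "issuer": issuer}
    body["signature"] = sign(json.dumps(body, sort_keys=True).encode(), ca_priv)
    return body


def certificate_trusted(cert: dict, trusted_cas: dict) -> bool:
    """Browser-side check: issuer must be a known CA and its signature must hold."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None:
        return False
    body = {k: v for k, v in cert.items() if k != "signature"}
    return verify(json.dumps(body, sort_keys=True).encode(),
                  cert["signature"], ca_pub)


def verify_signed_document(document: bytes, signature: int,
                           cert: dict, trusted_cas: dict) -> bool:
    """Accept only if both the certificate and the document signature check out."""
    return (certificate_trusted(cert, trusted_cas)
            and verify(document, signature, tuple(cert["public_key"])))


# Constructed sample: a CA, a site owner and a browser's trust list.
CA_PUB, CA_PRIV = make_keypair(101, 113, 3)
SITE_PUB, SITE_PRIV = make_keypair(61, 53, 17)
TRUSTED = {"Example CA": CA_PUB}
CERT = issue_certificate("example.com", SITE_PUB, "Example CA", CA_PRIV)
DOC = b"Please pay the attached invoice."
SIG = sign(DOC, SITE_PRIV)

if __name__ == "__main__":
    print("valid document:", verify_signed_document(DOC, SIG, CERT, TRUSTED))
    print("tampered document:", verify_signed_document(DOC + b"!", SIG, CERT, TRUSTED))
    print("unknown issuer:", certificate_trusted(CERT, {"Other CA": CA_PUB}))
```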

Great, how do I create a web certificate then?
The high level steps to create a certificate signed by a CA are:
Create a public/private key pair.
Send the public key and certificate info to a trusted CA
The CA creates and signs a certificate which contains your domain name and public key.
You install the certificate on your web server where it is associated with the private key.

Creating the key pair.
I will use the Microsoft IIS web server as an example because I am most familiar with it. Other web servers use similar steps.
IIS has a wizard to step you through creating a certificate…
In IIS, right-click on your website and choose ‘properties’.
On the Directory Security tab, click the Server Certificate button – this will open the wizard.
Choose ‘Create a new certificate’ then ‘Prepare the request now, but send it later’.
Enter the details as you are prompted for them and, at the end, save the certificate request somewhere you can find it.

You have now created the key pair and prepared a Certificate Signing Request (CSR) ready to submit to your favourite Certification Authority.
The CSR is a block of text which is uploaded to the CA as part of the enrolment process. Once enrolment is complete, the CA will provide you with your new certificate – either as some text displayed on screen or as a file in an email. Either way, it should be saved as a file on your web server.

Installing the certificate
Back in the certificate wizard in IIS, choose ‘Process the pending request’
Choose the file supplied by your CA and follow the wizard to install your certificate.

The certificate should now be served when you visit the website in your browser on port 443. (https://)
You should probably make a secure backup of the certificate now by exporting it from the certificates snap-in.

For Apache servers, the CSR is created using the OpenSSL software – there are plenty of guides online.


If you have found this article useful, please consider purchasing an SSL certificate from Godaddy using my affiliate link – http://x.co/lesault – It will help me keep the site online! Thanks.

Apr 29 2011

When I tried to power on my TV this afternoon, pressing the power button did nothing, it felt like the switch inside was not being activated. I decided to void my warranty and take a look inside. My TV is a Toshiba Regza model number 32XV555D, but I imagine the same switch is used on many Toshiba models and the following instructions may be of use to you too.

Opening your TV is dangerous and will void your warranty – there are high voltages inside and the following steps should only be carried out if you are sure you know what you are doing. I’m not a professional TV engineer and I take no responsibility for any damage you do to yourself or your TV if you are foolhardy enough to follow my description!

The first step to repairing the switch is to remove the back of the TV. Unplug the TV from the wall, and remove any HDMI/SCART/Aerial cables. Put the TV screen side down on a soft non-scratch surface.

The back of the TV is held on by 17 screws – you will need a Phillips head screwdriver to remove them. The screws are not all the same size, so ensure you remember which screw goes in which hole. The screws to remove are all marked with an arrow; the 17th one took me a while to find – it is located above the 2nd SCART connector.

Once the screws are removed, carefully lift off the back panel – it should come off easily. If not, make sure you have removed all the screws.

Switch as I found it


The power switch is at the right side of the TV. You will see that the button you push has a cylinder on the back which needs to somehow activate the switch, which does not line up with it.

The button should push a square plastic plate which should be attached to the switch. In my case, the plate had broken and fallen off the switch. This meant that the button did nothing. You can see in the photograph that the plate has fallen off and is lying underneath the button. You have a couple of options at this point: you can either activate the switch manually, put the TV back together again and just use the wall switch to power your TV off and on, or you can repair the switch.

From a search of the Internet, it seems that this is a common problem with Toshiba TVs – if your TV is still in warranty, it is probably best to get an official spare fitted, but I decided to make a stronger repair so it does not happen again.

The plastic piece with broken section


The plastic clip which holds the plate in place seems to be very fragile, and I could not find the small piece of plastic which had broken off. I mixed up some 5-minute epoxy and waited a couple of minutes for it to thicken up a bit. I put a small blob of epoxy onto the clip and put it in place on the switch. You will find this easier if you manually press the switch to put it in the ‘on’ position as this gives a little more space for maneuvering. The plate should be able to stay in position by itself while the epoxy cures (why not go and write a how to fix your TV blog post while you’re waiting!)

Once the epoxy has cured (mine says it is ready to handle in 15 minutes and achieves full strength in 1 hour) you can put the back on the TV by replacing all the screws. Power on your TV and, with a bit of luck, the power switch will work again. You have probably missed the programme you were wanting to watch though!

I hope this helps you if you have the same problem – the whole thing took me about 20 minutes to fix – much faster than waiting for the repair man! Leave a comment if it worked for you. Thanks.

The plastic piece glued back in place


Sep 11 2010

When attempting an automatic upgrade of iTunes from version 9 to 10, I got a pop-up saying “Service ‘iPod Service’ (iPod Service) could not be installed. Verify that you have sufficient privileges to install system services.”

The solution I found was to download the installer only and run it manually. Here’s a step by step guide to the problem you are likely to see. Before carrying this out, please back up your catalogue – I’m not responsible if you lose your music!

1. When installing iTunes, you get an error pop-up “Service ‘iPod Service’ (iPod Service) could not be installed. Verify that you have sufficient privileges to install system services.”


iTunes Installation Error

2. Without pressing any of the buttons, open the services manager by clicking the start menu, right click ‘computer’ and choose ‘manage’. Navigate through “Services and Applications” then “Services”. Find the iPod Service.

Services control panel


3. You should find that the iPod Service is stopped and disabled. Double click the service to see its properties.

iPod Service Properties


4. If you make any changes to the service (try changing it from ‘Disabled’ to ‘Automatic’ and press apply), you will see that “The specified service has been marked for deletion”.

5. It seems that the service needs to be deleted to allow the new version to be installed, but for some reason it hasn’t. The service will be deleted if you restart your computer though. Did I mention you should back up your catalogue before doing this?

6. Without cancelling the current iTunes installation, restart your computer. If you do cancel the install, iTunes will roll back to where you were before you started the install and the service will not be marked for deletion.

7. After your computer reboots, run the installer again and follow the prompts; it should install fine. In my case, all my music was still there. But if not, you can restore from the backup you took earlier – you did take a backup, didn’t you?!?

I hope this helps you get iTunes 10 installed – let me know how you get on!

Jul 28 2009

Often when you buy a new PC or laptop, you don’t get the operating system on CD in order to reinstall it if you hit any problems. Instead, they have a hidden partition on the hard drive which contains all the system software – if you need to restore the PC, you hit one of the function keys while the computer is booting and it takes you into a recovery program. If you wipe your hard drive, though, you can lose that partition and you’re left without an operating system.

If you bother reading the manual it’ll probably have instructions for creating recovery media – you really should do this as your first action, it’ll save lots of messing about later.

Suppose the worst has come to the worst, you’ve deleted the partition and haven’t burned any recovery disks.

On a PC which comes with Vista installed, you’ll find a blue, green and pink sticker on it somewhere with a 25 digit product key (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX). If the sticker mentions the brand of your PC (Dell, Advent, HP etc) then you have an OEM version of the software. If it doesn’t you probably have the full retail version and likely have a boxed Vista installation disk somewhere.

In my case, I had an Advent OEM product key. I had a full retail version of Vista (Home Premium Upgrade version) which I had bought to upgrade an XP machine a while ago. The good thing is that the Vista installation disk actually contains all versions of the OS – the product key supplied with the disk is what determines which version of the software you can install. I tried installing Vista using the OEM product key from the bottom of my laptop, but it was rejected as not being a valid key!

After much trial and error, I found a solution. A non-profit organization called Neosmart have produced a Vista recovery disk which is intended to allow you to restore from backups if you don’t have an installation disk. It appears to be the installer from the official Vista disk repackaged. It doesn’t contain any of the files which would be required to install a complete working Vista system though.

Windows Vista 32-Bit (x86) Recovery Disc

Download the ISO file from the link above (you may need to Google to find a working download link) – it’s about 120MB in size – and burn it to a CD using your favourite CD creation software (I used the excellent and free InfraRecorder), then boot your failed PC from this disk.

Vista Recovery Disk Welcome Screen


Choose your language and location and then take the install option. You will be prompted at this point for your product key. At this point, eject the recovery CD and insert your Full Retail disc. Enter the product key from the sticker on your PC (don’t use an illegal one – it probably won’t work and you’ll soon have black helicopters circling your house, and guilt is a terrible thing to live with anyway)

The product key should be happily accepted and the Operating System will install as normal. Once the OS has installed, follow the wizard and set up your Admin user etc.

Once you are at the desktop go to the start menu, right-click on ‘computer’ and choose properties. Scroll down to the Windows activation section and you should see something like ‘3 days until automatic activation. Activate now‘. If you have an internet connection try activating by clicking the link – in my case this did not work. If this happens to you, choose the ‘automated telephone line‘ activation method. This will involve calling a toll-free number and entering the 54(!) numbers from the activation wizard using your phone, then typing the 48(!) numbers read out to you on the phone – this will result in an activated, legal copy of Vista.

Vista Phone Activation


Now make an image of your freshly installed system so you don’t have to go through all this next time! I recommend Driveimage-XML.

Please leave me a comment if you found this useful!