Bye Drupal

Although drupal has been great, it’s a real pain to keep up-to-date. Sadly drupal has lagged behind the curve in terms of the ability to self update. This means reasonably frequent root logins followed by un-tarring and copying directories, which is never pleasant.

We have been running a WP site for the last year and found updates to be completely painless, so as of today, the drupal sites have all gone bye bye. WP brings it’s own issues of course, but lets see how it goes!

Goodbye Mediawiki and thanks for all the fish..

So here we are in 2017 and I noticed that the wiki has not had an edit for around 3 years, but I still have had to bring it down every few months for security fixes.

So the time has come to kill the Whale – all the wiki content is now moved to articles on the CMS or deleted or published elsewhere and mediawiki has gone to feed the fishes.

It was a great collaborative tool in 2004 but I can do everything in a google doc these days and someone else is keeping that secure and patched (I hope!) .

It did make me realise how much content had no links in or out and thus was effectively invisible.

There is still a private wiki to wrestle with and vSprawl is presently wiki based. But this is at least a start in simplifying the estate a little.

Maltesers

I love Maltesers and can easily consume a large bag or even a box all by myself. Lately though I’ve noticed that the quality has lapsed. The little things are not round any more. Instead they now look like asteroids: they have irregular surfaces all over them.

Pretty annoying given that on the TV adverts they roll around on desks etc!

Try and contact Masterfoods (Mars) about this: You can’t! The website is awful and has not one single contact (Yes, none!)

Bah! Roll on cheaper lookalike product manufacturers prepared to make maltesers round again.

And Dumb Security Company of the day goes to…..

Argh, dammit, I can’t tell you.  But the imaginary conversation goes like this.

Me: “Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?”

Dumb Security Company (DSC) “Yes, can I tell you about it, its great – it has elements that …”

Me: “No, no, please stop.  Anyway, the client tells me that your security products runs on Windows”

DSC: “Yes, that’s right we have a strategic relationship with Mi…”

Me: “Woah, thanks, got that, so my client needs to apply patches to the server that you run your product on?”

DSC: “Very good, patching is an important cyb….”

Me : “Gonna have to stop you again. But in this case your support people have told their support people that they must not install the critical OS patches or bad things might happen?”

DSC: “So stability is of para….”

Me: “Easy there tiger. So just to calibrate my BS detectors – You produce an enterprise grade security product that runs on a version of windows that you insist cannot be patched – in this case for more than a year?”

DSC: “…”

Me: “You, a SECURITY company make a SECURITY PRODUCT and then insist that the platform is NEVER PATCHED?

DSC: “…”

Me: “Do you KNOW how many critical issues there are for the platform that your system runs on?”

DSC: “…”

Me “Great, nice talking to you”.

And the lesson of the day is that just because patching is hard does not mean that it does not need to be done.  Yes, you will need to regression test your product.  Get on with it.  Make fixes not excuses.

New Password Hashing Method

Dammit, Bruce Schneier had a link this month to a password hashing competition, but I was too slow.  the link is here: https://password-hashing.net/

In the meantime it occurs that one way to try and defeat GPU based cracking is to increase the complexity of the hashing process so that it's harder to pipeline the functions on the GPU.

One way to do that would be to have per user based iteration counts where the actual number of iterations is decided within the hashing process itself, by using different hashing algorithms and by re-introducing the salt at various points in the iteration process.

The hashing version would define the total iteration count and each of two hashing algorithms. V1 would use an iteration count i of 100000, SHA-512 and Whirlpool-512.

  • Take the Password 'p', generate a random salt, 'r'
  • concatenate p and r.
  • iterate pr through Algorithm 1 for 1000 iterations to arrive at h incrementing i each time
  • take the last byte of h which is unpredictable but not random as x
  • concatenate the salt with h to get hs
  • iterate hs for x iterations through Algorithm 2 increming i each time
  • take the last bye of h which is unpredictable but not random as x
  • concatenate the salt with h to get hs
  • go back to Algorithm 1 unless the i is exceeded in which case h is the output hash

As part of the password test, the user has required to transmit the password.  This would be a great time to change the salt!  Yes, I mean it, so at the same time as we test the password, we also make a new hash from a new random salt.  if the password test succeeded, we store the new salt and hash.

WTF?  Why are we doing that?  If attackers have regular access to our user table the passwords all change a LOT more frequently, so it's harder to tell who has really changed their password. The disbenefit is that users that log in rarely will be plainly obvious.  An additional benefit if that if there is a need to move from V1 to V2, this will be done magically at next login.

Each concatentaion is a string function converting the 512 bit hash to a string and then adding another string to it.

 

Certificate CA pinning

With many MITM attacks, you get fake certs.  CA pinning would help to fix this: The browser would retain a copy of every cert that it gets in a local DB and if it gets a different cert next time you visit the same domain or if the signing CA is different, it gives you a warning.  Carry on at your peril.   This kind of attack is mainly the state sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and\or onsert themselves in DNS traffic.

Ok, so since writing this article, I have discovered Certificate Patrol Firefox plugin, which does exactly what I described above.  Just like all most great ideas – someone has had it already!  If you use firefox, go grab the plugin.

USB Firewall

I have not found one of these,  but can't beleive it doesn't exist: A little USB dongle that plugs into your work desktop and will charge your mobile phone but without making the desktop see your phone as a device.   Basically, connect the volts, but not the data.  Obvious really.  Someone tell me why it won't work?

Bloody Symantec are still Rubbish!

Fancy a laugh? Here is a hilarious transcript of a “support chat” with a symantec bod showing why their customer support is the worst on the planet.  For Gods sake don’t buy anything important from these people!

Toby Seaman has entered room.

Gnanamurthy has entered room.

Email with reconnect link has been sent to:turbotas@yahoo.com

If you get disconnected, click the link to reconnect to the same chat session.

Gnanamurthy You are being transferred to Gnanamurthy.

Gnanamurthy  Hi , my name is Gnanamoorthy from Norton Support, how are you doing today?

Toby Seaman good thanks

Gnanamurthy I understand that you are unable to restore the backup. Am I correct?

Toby Seaman That is correct. So I have purchased Ghost version 15. I have been supplied with a .gho files and it seems that ghost version 15 does not support .gho files any more. so I think I need to download an older version of ghost.

Gnanamurthy Just in case I need to call you back, can I please have your phone number with the country and area code?

Toby Seaman UK +44xxxxxxxxxxxx

Gnanamurthy The .Gho file is from a old version of Norton. Norton Ghost 15 does not support it as it uses .V2i files.

Gnanamurthy May I know which version of Ghost is used to backup .Gho file?

Toby Seaman that’s correct, well done. So I need to restore the .gho file so I would like to downgrade the ghost version to a version which does support .gho files. this was the only reason I purchased ghost.

GnanamurthyThe old version of Norton Ghost cannot be purchased now. But I can give you the link to download the Gho explorer which you can use it to restore the files and folders from the .Gho file.

Toby Seaman no. I don’t need to explore a ghost file I need to restore it. I don’t wish to purchase an old ghost version, I want to downgrade the existing one.

Gnanamurthy I am sorry Toby. There is no option to get the old version of Norton Ghost as they are not supported now.

Toby Seaman so, I need to restore a ghost file .gho. Please escalate this issue.

Gnanamurthy You’re using an older version of Norton Ghost backup. I’m afraid that chat, email and phone support for this product has been discontinued. For assistance with this product we’d recommend that you search our online knowledge base that you’ll find here: www.symantec.com/search.

Toby Seaman I’ve tried that already. No joy. I don’t need product support for an older version. I know exactly what I need to do. I just want to restore a .gho file. Please tell me how to downgrade the license to a version that works.

Gnanamurthy If you have the old version of Norton Ghost that is used to create that .gho file, you can use it to restore the backup. The Ghost 15 license cannot be downgraded to the old version as they are unsupported now.

Toby Seaman I already explained that I don’t have an old version of ghost. My business uses a lot of symantec products. at this point we need to restore a .gho file image of an important device. I do not need to hear that ghost no longer supports .gho files. I need solutions. I’ve purchaed the current up to date version of ghost and I want to restore a .gho file. I’m happy to download an unsupported version of ghost to do that. Please tell me urgently how to make this happen.

Toby Seaman Hello?

Gnanamurthy I understand that Toby. I do not have any other options. There are no support documents regarding the old version of Norton Ghost available. I can only help you to restore the files and folders not the entire backup.

Toby Seaman Can you escalate this issue. Presently all you are doing is demonstrating why I should never buy another Symantec product ever.

Gnanamurthy Okay Toby. I will escalate the issue to my supervisor. You will be getting the call back from him within 24 hours.

Gnanamurthy May I have your time zone along with your telephone number and country name?

Toby Seaman Are you sure this will happen? last time this was promised the call back never happened

Gnanamurthy Sure Toby. You will be getting a call back from my supervisor.

Toby Seaman Okay. In the meantime im completely screwed, so I will try to find a proper version of ghost which supports .gho files on bittorrent. I guess you are happy with this since you no longer sell or supply a working version of ghost?

Gnanamurthy Okay Toby. May I have your time zone along with your telephone number and country name?

Toby Seaman Ok. thanks for your permission to download an illegal copy of Symantec ghost.

Toby Seaman My phone number is 0xxxxxxxxxxxx

Toby Seaman My country is England

Toby Seaman My Timezone is GMT

Gnanamurthy Norton does not recommend to download a pirated version from internet.

Toby Seaman It’s not pirated: you just said you don’t sell it anymore and you have utterly and completely failed to assist me in my time of need. It’s not my fault that your version 15 no longer supports .gho files. So I will find a ripped off version that works, I’ll restore my image and wait for a phone call sometime in the future from your supervisor.

Gnanamurthy Is there anything else I can help you with?

Toby Seaman I’m going to put this trsanscript on my Blog as it shows another hilarious support failing at Symantec. Please note that you have no helped me at all so far.

Gnanamurthy I can help you if you have any issues with the Norton Ghost that you have purchased. But .Gho files are created by old version of Ghost which are unsupported and there are no support documents available. So I do not have any other options.

Toby Seaman You could try to help me find out where to get my license downgraded urgently.

Gnanamurthy There is no option to downgrade the Norton Ghost license. If there are any options available , I would be happy to provide it to you.

Toby Seaman That is crazy.

Toby Seaman here is my blog post with your companies poor customer service recorded for all to see:

Toby Seaman https://www.turbotas.co.uk/recent-news/78-chuckles/266-bloody-symantec-are-still-rubbish.html

Gnanamurthy Is there anything else I can help you with?

Toby Seaman No, I’m busy searching the internet for an old copy of Ghost which supports .gho files. You have been no help whatsoever.

Gnanamurthy Thank you for contacting Norton support. Have a great day!

PS3 Root Key Broken

News just in is that the Root Keys used to sign content for the PS3 has been broken by ~geohot:

erk: C0 CE FE 84 C2 27 F7 5B D0 7A 7E B8 46 50 9F 93 B2 38 E7 70 DA CB 9F F4 A3 88 F8 12 48 2B E2 1B
riv: 47 EE 74 54 E4 77 4C C9 B8 96 0C 7B 59 F4 C1 4D
pub: C2 D4 AA F3 19 35 50 19 AF 99 D4 4E 2B 58 CA 29 25 2C 89 12 3D 11 D6 21 8F 40 B1 38 CA B2 9B 71 01 F3 AE B7 2A 97 50 19
R: 80 6E 07 8F A1 52 97 90 CE 1A AE 02 BA DD 6F AA A6 AF 74 17
n: E1 3A 7E BC 3A CC EB 1C B5 6C C8 60 FC AB DB 6A 04 8C 55 E1
K: BA 90 55 91 68 61 B9 77 ED CB ED 92 00 50 92 F6 6C 7A 3D 8D
Da: C5 B2 BF A1 A4 13 DD 16 F2 6D 31 C0 F2 ED 47 20 DC FB 06 70

This is big news as it seems that this key is built into the hardware and can’t be changed.

More info on this issue at Kotaku.