Patrick’s development blog

Using the OpenBSD package system

Posted in BSD by Patrick on June 15, 2009

The package system in OpenBSD consists of pre-compiled programs that can be managed with the pkg tool. The packages may not necessarily contain the same kind of security and realibility as the base system, but pkg is useful for installing “third party” software.

1. Create the environment variabel PKG_PATH with the value of the right directory to fetch the packages.
export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/

2. Add this line into the startup file, ~/.profiles so we don’t have to export it every time we use pkg.

Installing a package
pkg_add -i firefox

Removing a package
pkg_delete firefox

Information about installed packages
pkg_info

Advertisements

Useful free software to optimize and secure your system

Posted in Security by Patrick on June 28, 2008

Here’s a list of useful programs in different categories. Most of these programs are for Windows, but some of them are also open source and works for Linux. I only list programs that are free. I might update this post over time.

———————————————

Mozilla Firefox
The web-browser Firefox, has optional add-ons that you can install which makes it possible to extends the browsers functionality. I’ve picked out three add-ons that I find very useful. They speed up the browser and adds more security.

NoScript
It blocks all Javascript, Java and other malicious code from sites you don’t trust. Ever since I installed this, i’ve never had any spywares on my XP computer at all. A most have for people who wants a secure browser. My favorite add-on.

AdBlock Plus
Get rid of all those annoying banners and ads on websites.

Flash Block
Blocks all flash animations on all websites. If you want to play a certain flash animation though, just click on it, that’s what I like most about this add-on.

———————————————

Security
Zonealarm Firewall – A free version of the popular firewall Zonealarm. This software also has program control and port stealthing for example.

AVG Anti-Virus Free Edition – Free anti-virus program, that is easy to use, provides high level of detection capability and doesn’t use so much system resources.

Ad-Aware 2008 – Scan for spywares, data-mining, advertising, and tracking components in general.

Spybot Search & Destroy – Spyware cleaner that also has real time protection.

TrueCrypt – Open Source encryption software. Can encrypt partitions, make virtual drives and encrypt harddrives completely.

———————————————

Optimize and cleaning software
JkDefrag – Free disk defragmenter program. Optimizes your harddrive.

CCleaner – System optimization tool which cleans registry and removes temporary files. It’s very fast.

secure hashes in PHP using salt

Posted in Articles, Security by Patrick on February 12, 2008

This tutorial shows the principle of using a salt in order to secure your password hashes. It’s written with my scripting-language of choice which is PHP, but the principle is the same with whatever server-language you might be using. Before going on, i’ll explain some facts that might be good to know before reading the article.

Brute force
Brute force is a comparison technique which goes trough all possible characters and in this case runs trough an algorithm to compare with the hashed password. To put it simply, it compares all different characters until it finds the right password.

One way encryption
The process of encrypting a string so it cannot be decrypted. These are also called hashing algorithms. The most used ones are md5 and sha1. The general difference between these two is that sha1 is generally stronger since it returns a 160-bit fingerprint while md5 is 128-bit. You might ask how we can make use of something that cannot be decrypted. It’s quite easy, we compare different hashes and do not decrypt them.

Whenever you store information about a user in your database. You most likely store the passwords using a one way encryption like md5 or sha1. If not, you really have to think over your security, big time. Still, even if you encrypt the passwords, they can still be cracked using brute force, rainbow tables or dictionary attacks. If we assume the passwords are very sloppy and insecure while the hashes have leaked to the cracker. Unfortunately it’s very uncommon that the users use a smart password, so it’s no use relying on the users.

This is where salt comes in. It simply adds a certain string into the password before hashing it. It’s not any harder to do than regular hashing.

The principle of using salt

// this is what it normally looks like when hashing a string using md5
$password = md5($password);

// using a salt, you instead concentate a string to the password before hashing it
$password = md5($salt.$password);

If we assume $password contains a very weak password, for example “abcdef”. Which would be very easy to brute force. The salt can make this password practically as strong as you want it. There are many methods out there and people constantly invent new ways to generate a salt. In my option, the salt doesn’t need to be that complicated though. The only way someone can brute force the password in this state, is by knowing which salt you use. If they’ve come that far, it wouldn’t matter in any case.

A salt can be as complicated or simple as you want it. Here is an example.

Creating a simple salt

$password = "banana";
$salt = "aB1cD2eF3G";
$password = md5($salt.$password);

This might not be the best and most used salt method out there, but it works. Suppose you use the password “banana” from the example. Then the generated hash would actually become “aB1cD2eF3Gbanana” which is a considerably stronger password than “banana”. This takes care of the user’s bad habit of using easy passwords with only lowercase characters. Just remember that you don’t have to use the salt in the beginning of the string, the principle is the same if you type md5($password.$salt). You can do however you want.

I have seen it’s very common to combine different encryption methods as well. This is in my option very effective. If we create a salt based on the password that uses sha1 and md5 together and then use md5 to concentate these strings like a normal salt. We would get a salt that contains a double encryption of two different encryption methods. The hash we get from this is then added to the password before hashing it once again.

$password = "banana"
$salt = sha1(md5($password));
$password = md5($password.$salt);

This would be equal to a password that is a hash itself + it’s regular password.

md5("f8bbff024e7d04d98a349ccb0984ad85d8ba86fabanana");

Brute forcing the password hash in this case would mean to brute force the sha1 generated string with the password”f8bbff024e7d04d98a349ccb0984ad85d8ba86fabanana”. In other words close to impossible unless you have over million years and a supercomputer at hand. Well, even if you had, you would only get another hash out of the current one, if you want it to be that way.

How to crack salted hashes
The only known way to crack salted hashes is to know the salt algorithm. If the cracker knows this, it’s possible to brute force it by adding the necessary data before starting the brute force process. It’s hard to explain in words so i’ll give another example.

// the regular salt process, this is the “algorithm”
$salt = md5($password);
$password = md5($salt.$password);

// we suppose $test_string is the string it tests
// since this is brute force it’ll be various different strings
// “a”, “b”, “c”, “d” .. “aa”, “ab” … etc

// if md5(md5(“abc”). “abc”) is equal to
// md5(md5($password). $password) then
// “abc” is the password we are searching for

if (md5(md5($test_string). $test_string) == md5($salt.$password))
echo $test_string; // this is the password

To put it simply, if the cracker knows what salt algorithm is used. We will be back to step one and the salted hash is just as vulnerable as the regular md5 hash that isn’t salted. It’s very unlikely that the cracker do know though, i’m just pointing out the flaws.

This is how webmasters can protect their users from evil crackers or annoying skiddies that have come across a cracking program. Not many webmasters secure their website and use salted passwords though, some even leave them in clear text in the database. So i’ll let my next article be about how to create strong passwords so the users themselves can protect their password/account better. Strong passwords should be an obvious thing, but it sadly isn’t.