Jul 26, 2016 - PC Build

My desktop PC was becoming long in the tooth, considering it was a pre-built HP Intel Core 2 Quad 9550-based system with only 4GB of RAM. Even though I wasn’t in desperate need of more performance, I didn’t want to worry about my primary, 8-year-old PC dying.

I haven’t assembled a PC from parts since the early 2000s, but I decided that the cost savings were worth the effort. I was actually surprised just how simple the process was using modern equipment.

Without further ado, here’s the parts list:

  • CPU: Skylake Core i5-6500 ($180)
  • Motherboard: MSI B150 PC Mate in ATX ($90)
  • Memory: GSkill Ripjaws DDR4 2133 16GB (2 x 8 GB) ($54)
  • Power Supply: Corsair CX500 500W ($30 after rebate)
  • Case: Thermaltake VERSA H25 ATX ($40)
  • Drive: Samsung 850 EVO 500GB ($110)

So, for a bit over $500, I had a PC that perfectly fit my needs. Notably, I did not purchase a video card. I don’t do much PC gaming (I do some 8/16 bit gaming on emulators), and the Skylake i5’s integrated HD Graphics 530 is more than sufficient, and actually surprisingly good.

The physical build was simple, and even though the case is a budget model, I found it more than adequate. Cable routing was decent, and the ATX form-factor has plenty of room for 3.5 inch drives and bays specifically for SSDs. I had a license for Windows 8 Pro, which I upgraded to Windows 10 Pro. I then did a completely clean install of Windows 10 Pro from USB to ensure there wouldn’t be any performance issues.

Overall, I’m very satisfied with my choice to build instead of buy a HP/Dell/other pre-built machine. Most pre-builts in that price range come with a standard hard disk and only 8GB of RAM. In addition, I was able to pick a motherboard that had the features I wanted (USB 3.1, HDMI/DVI-D/VGA) without features I didn’t care about (Bluetooth, WiFi.) The only oversight that I made was this motherboard only supports PCIe 3.0 x 2 for the M2 slot. This will limit my transfer speeds if I upgrade to a Samsung 950 M2 SSD, but at least for now, those drives aren’t worth the $ premium for my use.

Jan 10, 2013 - Healthcare.gov Doesn't Use an EV Certificate?

I was attempting to work my way through the US Government’s Health Insurance Marketplace tonight[1], and in addition to the horrible load times, javascript timeouts, and strange behavior, I also noticed that the website does not use an Extended Validation (EV) Certificate. Granted, for many businesses, paying the extra couple of hundred dollars for an EV Certificate for their secure socket layer-protected websites is an unnecessary expense. However, for a website that may be used by a sizable percentage of the adult US population, this seems like a large mistake.

It seems to me, that a website that is used by a large number of individuals that aren’t tech-savvy is the perfect application for an EV Certificate. These certificates have a stricter application process, and are therefore much more difficult to forge or impersonate using the standard phishing techniques – at least for now. In addition, all web browsers from about 3 years back provide a clear visual indicator for sites using EV Certificates. For example:


A SSL-protected page using a standard certificate as it appears in Firefox[2]:

No EV


A SSL-protected page using an EV Certificate as it appears in Firefox:

EV


The EV Certificate is much clearer to the end user that they are on the correct website. From a technical perspective, the issuers of EV Certificates are compiled into the browser code itself, preventing malware from modifying the certificate store.

Given all the advantages, one has to wonder why healthcare.gov decided not to use one. Verisign, the most well-known (and most expensive) provider sells EV Certificates for about $2000. Expensive, but a drop in the bucket compared to the hundreds of millions of dollars spent on this website so far. I would imagine that the US Government might be able to strike up some kind of deal with Verisign, in any case.

Some might argue that the EV Certificate is unnecessary, and that may be true. However, let’s look at the ‘competition’ – some of the private insurance company websites.

Aetna:

EV


Coventry:

EV


Geisinger:

EV


And…Healthcare.gov:

EV


Now, to be fair, many of the other sites did not use EV Certificates either, but I doubt they see anywhere near the level of users the Government’s site will. Most customers of those healthcare plans are fully managed through their employer, and it is probably only a small number of users that log in through the web portal.

Given the amount of personal data the healthcare.gov website collects, I believe that they should acquire an EV Certificate to protect users. Any effort made to reduce the likelihood of phishing attacks seems like a worthwhile investment for a site that may be used by millions of citizens.


[1] This is a discussion of a technical oversight, not a political statement

[2] Facebook does not use an EV Certificate because they use a wildcard certificate Healthcare.gov does not use a wildcard certificate

Jan 10, 2013 - Password Managers & Lastpass

This post is a collection of forum posts that I made on the topic of password managers and LastPass. As a developer interested in security software and encryption, I have a number of issues with LastPass, and I recommend KeePass instead. KeePass is free and open source. Download here


I don’t really trust LastPass, and I find their security to be lacking (convenience over security.)

A system (like KeePass) where you can use a master password plus a keyfile to encrypt the database is the most secure option. It should be noted that LP (and possibly other cloud services) only use the other factor as access control. That is to say, if someone grabbed your password DB from LP’s servers through some attack, all they would need is your master password.

I’ve never been cool with this. Say an (ex)employee wanted to inject some javascript into the login page that sent them your master password. They also grabbed the DB through some other mechanism–you’re screwed. The access control provided by multi-factor is great and should be used more often, but it does nothing to protect the security of your actual password DB should it fall into the wrong hands. The fact that LP admitted to suspicious behavior on their network and the fact that they weren’t using key transforms to make bruteforcing harder removes any trust I may have given them.

The key transforms is a standout to me. I’m a software developer that has written security/encryption code. Setting up a system that doesn’t perform these transforms is very sloppy. I’d unfortunately expect as much on commercial websites, but for a company focused on security, this is a huge failure.

For what it’s worth, I inspected the KeePass source code a few versions ago, and it passed my exam. Note, the packaged versions (for download) may have evil code added, but the developer has been at this awhile and personally signs his products.


haven’t looked at 1Password in any depth. When I looked into LastPass, I was trying to find a service that would allow other members of my business to easily use common passwords. I did a deep dive into the service, including purchasing the full version and a Yubikey. The Yubikey is very cool, but that’s a story for another day.

In the end, I use KeePass with 2 databases. One for ‘work’ and one for my personal passwords. I also use Firefox’s password manager (with a master password for encryption support) for my less sensitive passwords (forums, shopping sites that don’t have my CC info, etc.) This is a decent compromise between convenience and security for passwords that wouldn’t be disastrous if lost.


(On the YubiKey device)

The YubiKey (http://yubico.com/yubikey) is a cool little USB device that has multiple security functions. It is small and thin, and it only has one ‘button’ on the top, which is really just a gold-plated finger contact. Anyway, LastPass uses one of its modes called OATH OTP (one time password.) Using their code or your own, you can write a form entry field (textbox) on your site that expects a code. Once plugged in, the YubiKey functions as a USB keyboard that can automatically ‘type’ a string of characters into the input field when the user presses the button. Using a couple algorithms, the server can determine that yes, you have the key in your possession. This satisfies multi-factor authentication: something you know (password) and something you have (Yubikey.)

Unfortunately, this provides access control only, though more web portals should use it to increase security (Vanguard, you listening?) What would be ideal, is if the YubiKey actually was used to encrypt your password database. Well…turns out you can do just that. I wrote proof of concept code to do it with the YubiKey, as it also supports a mode called ‘challenge-response’. You can actually ‘feed’ the YK a value, and it will return a value constructed from that value + a secret internal value that can’t be read (but can be reprogrammed.) So, for a password database, when you’re saving the database, the software could come up with a random value, feed it to the YK, and encrypt the DB with the resultant value (cyrpto hash). The value initially passed to the YK would need to be stored with the database file (it’s not sensitive.) Now, on next open, that value would be read, passed to the YK, and the hash used to decrypt the DB.

This would be one of the most secure processes I can think of. Of course, (from LastPass’ perspective) there are downsides. Loss of the device would be problematic. A new device could be reprogrammed to function the same as the lost one, but it would require using tools offered by Yubikey. No problem for a local IT department, but hard to tell your customers when you aren’t local (LastPass.) You are also forced to use a computer/device that has drivers for the YubiKey. So, understandably (from a business perspective), LastPass made a pro/con decision to be as secure as they can given the desired functionality: convenience over security.

If you do use LastPass, I would highly recommend one of their options for multi-factor. I believe they now offer the free Google Authenticator method, which uses a small program running on your cell phone as the ‘what you have’ portion.


(On malware that can read your clipboard)

KeePass tries to get around this a number of ways (http://keepass.info/help/v2/autotype_obfuscation.html) For one, it ‘hooks’ clipboard events to try and stop other programs (malware) from knowing that the clipboard just received data. This is not totally foolproof, but it’s the best that is possible for the clipboard in Windows. Another option is to use auto-type. KeePass can ‘type’ your password using a mix of clipboard and key presses. Again, not unbeatable, but it makes it much more difficult.

In any case, many local spyware apps don’t bother with the clipboard. They can simply attach to the network stack and see your raw HTTP (web) data as it’s transmitted over the wire. It’s easier for the hacker to figure out data from the network that looks like:

POST /login.jsp HTTP/1.1
Host: www.vanguard.com
User-Agent: Mozilla/4.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded
userid=joe&password=uhoh

than massive random clipboard data:

this is just a story that I am writing in my word processor(click 35,43)(enter)(click 45,65)(enter)joe(click 45,43)uhoh