Hacking Interview on Radio Hauraki

Last Friday I got to do live radio for the first time! Since I didn’t come across as a complete idiot I thought I’d share the clip with everyone. The subject was hacking and the clip was recorded during the breakfast show on Radio Hauraki.

Unfortunately I misheard the question about the Whaleoil hack and ended up talking about the likely attack vector for The Fappening (the August 2014 celebrity photo leaks)… the perils of live radio I guess :)

BTW the tool I was referring to was called ibrute and it took advantage of an issue with Apple’s Find My iPhone service, which did not lock out accounts when successive incorrect passwords were entered. The application simply tries a bunch of common passwords against a list of email addresses you give it and reports back the ones that worked.

The passwords that the tool uses were the 500 most common ones used by users of the RockYou website that was hacked (the details of around 32 million accounts were stolen). If your password is on this list you should really go and change it right now! And of course never, ever use the same password on different sites. Here is a handy way to come up with unique but easy to remember passwords.

YouTube drops IE6 support

Earlier this week YouTube officially dropped support for older browsers such as Internet Explorer 6. If you try to access YouTube with IE6 you get this nice warning message:

The order of the browsers appears to be random, changing on each page load. Hopefully they used a better random algorithm than Microsoft recently used for their EU browser choice site.

I’m really hoping that this trend will be followed by more mainstream sites and we will finally, finally see the death of IE6, which still holds around a 20% market share!

And if you are still running IE6 (I’m looking at you, big New Zealand corporates), a quick read of the “Operation Aurora” attacks on Google and other big US companies should be enough to scare you into upgrading ASAP.

Death to IE6!!!

Tip: Creating easy to remember passwords

Passwords are a pain in the butt. If you use a computer or the Internet then you no doubt have a list of passwords bouncing around in your skull or, worse yet, a single password that you use everywhere! Here is a simple technique for creating good, easy to remember passwords.

First off here are some golden rules for passwords:

  1. A password needs to be strong (see below)
  2. You should only use a password for one site or account
  3. You should never write a password down
  4. You should never tell anyone else your password (duh)

Of course all of us break these rules…

So what is a good password? A good password is one that is “strong” from a security point of view. Typically this means a string of 8 characters made up of numbers and letters. Additionally the password should not contain any “dictionary” words (i.e. a word you can find in a dictionary), nor should it contain information relating to you, such as your name or date of birth.

On top of that, your password should not be a common one. Believe it or not, people tend to think just like you and so there is a whole raft of passwords that people tend to use, such as qwerty, 7777777, bond007, butthead, trustno1. This list (from Twitter’s sign-up page) contains 370 common passwords which Twitter does not allow to be used. Needless to say, if one of your passwords is on this list then you should probably not use it :)

Here are 10 “strong” passwords generated using the excellent password generator from pctools.com.

ne3hebr4 fe5ec7ur
th55ucep 2rayaves
24astete 8hacruth
fathu4e7 5rubrast
tebra2ep 4awraph4

Now these passwords are all well and good, but you are not likely to memorise them, are you? Which means you will either write them down or you will just memorise one, which you would use everywhere. Once again breaking the rules.

So here is a better way, which not only generates strong passwords, unique to each website, but also makes them easy to remember!

First off choose 4 characters, a mix of letters and numbers (ideally more numbers than letters). These 4 characters are the only thing you will need to remember. For instance r085, which I will use in the examples below.

Next up, when you need a password for a website, take the first 4 characters of the website’s domain name and alternate them with the characters in your secret 4 character string, for example:

facebook.com    f a c e
                   +       = fra0c8e5
                 r 0 8 5

twitter.com     t w i t
                   +       = trw0i8t5
                 r 0 8 5

gmail.com       g m a i
                   +       = grm0a8i5
                 r 0 8 5

digg.com        d i g g
                   +       = dri0g8g5
                 r 0 8 5

And voila, you get nice strong passwords, unique to every site!
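The interleaving scheme above, written out as an added example (not code from the original post): it derives the four passwords shown, checks a result against the common-password lists mentioned earlier (only the five passwords quoted on the page are included, as a constructed sample), and shows that the derivation is reversible, which is the risk to weigh before relying on it.

```python
from itertools import chain
from typing import Iterable

# Constructed sample: the common passwords quoted in the post. The full
# Twitter (370) and RockYou (500) lists are not reproduced here.
COMMON_PASSWORDS = {"qwerty", "7777777", "bond007", "butthead", "trustno1"}


def site_password(domain: str, secret: str = "r085") -> str:
    """Derive the per-site password described in the post.

    Takes the first four characters of the domain's leading label and
    alternates them with the four characters of the secret:
    'facebook.com' + 'r085' -> 'fra0c8e5'.
    """
    if len(secret) != 4:
        raise ValueError("secret must be exactly 4 characters")
    label = domain.lower().split(".")[0]
    if len(label) < 4:
        raise ValueError(f"domain label {label!r} has fewer than 4 characters")
    # zip pairs (f,r) (a,0) (c,8) (e,5); chain flattens them in order.
    return "".join(chain.from_iterable(zip(label[:4], secret)))


def is_common(password: str, banned: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if the password appears in a block list such as Twitter's or RockYou's."""
    return password.lower() in {p.lower() for p in banned}


def recover_secret(password: str) -> str:
    """Caveat: the scheme is reversible. The secret is simply every second
    character, so a single site password that leaks (e.g. in a site breach)
    discloses the secret behind every other site's password."""
    return password[1::2]


if __name__ == "__main__":
    for site in ("facebook.com", "twitter.com", "gmail.com", "digg.com"):
        pw = site_password(site)
        print(f"{site:<14} -> {pw}  common={is_common(pw)}")
    print("secret recovered from fra0c8e5:", recover_secret("fra0c8e5"))
```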

Configuring a test SSL certificate for Jboss

I just had to set up a test certificate for my local install of Jboss 4.2.3 to try out some SSL code. It wasn’t completely obvious, so here are some notes on how to do it.

First off you need to create a self-signed certificate. You do this using the keytool utility that comes with Java. Open a command prompt and run the following command. You will need to change the path to your Jboss conf directory to reflect your install:

C:\>keytool -genkey -alias tomcat -keyalg RSA -keystore C:\jboss-4.2.3.GA\server\default\conf\localhost.keystore

When prompted use a password of changeit everywhere. It’s important that you answer localhost to the first question (first and last name), because that answer becomes the certificate’s CN and it must match the hostname you browse to:

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  NZ
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=NZ correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password): changeit
Re-enter new password: changeit

Next up you need to configure Tomcat with an SSL connector.

Edit C:\jboss-4.2.3.GA\server\default\deploy\jboss-web.deployer\server.xml and find the commented out SSL connector example, uncomment it and tweak it as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
           keystorePass="changeit" />

Finally add two system properties to your Jboss startup command so that the javax.net.ssl library trusts your new keystore. These are only needed if the Jboss instance makes SSL calls back to itself; otherwise the JVM would reject its own self-signed certificate. Note that these properties replace the JVM’s default trust store, so that JVM will then only trust certificates in this keystore. I needed them because I had CAS and 3 apps authenticating with CAS all running in the same dev Jboss instance:

-Djavax.net.ssl.trustStore=C:\jboss-4.2.3.GA\server\default\conf\localhost.keystore
-Djavax.net.ssl.trustStorePassword=changeit

Ok, now browse to https://localhost:8443/

Your browser will complain about a self-signed certificate. Just follow your browser’s instructions to add this certificate as a security exception so you won’t be prompted again, and you are all done.