Seventh grade was when we all moved out of elementary school into junior high.  Junior High had lockers.  With lockers came the annoying feature of having to be unlocked multiple times a day.  Some kids figured out jamming paper at the bottom kept the lock from locking.  The problem with this solution was that you could tell from the outside who used this trick.  For them security went from “locked” to “Look at me I’m an unlocked locker”.  I decided the better solution was to just remove the back side of the lock.  Thus keeping the locker looking like it was locked, but in reality just as unsafe as others.  Security through obscurity.

This worked out great for a few weeks, I even removed the lock for my girlfriend at the time.  Then one day she had her locker searched.  Gig was up, “destroying school property”.  Luckily only she got busted and didn’t rat me out.  To be safe I put the lock back on my locker.  Only problem was at some point the combo lock had fallen off and I had put it on upside down.  So now my locker was locked but the combo was upside down.  I tried a few time to unlock it with no success.

With my head hanging low I had to turn myself in.  I didn’t have a choice.  I was locked out of my locker.  I was told to go back to class and it would be taken care of.  About half way though the class I hear a drill start-up in about the same location as my locker.  After class I notice some dents on my locker and a new lock.  I head down to the office and am presented with a $27 bill to pay for the new lock.

I still say my locker security was better than anyone else in that school.

tl;dr – Locked locker to the point it had to be drilled open in the middle of school day.

Every week I listen to Security Now a podcast hosted by Steve Gibson and Leo Laporte. The other week I found out that most File Shredding programs don’t actually delete the files in the correct manner. A file isn’t deleted until its place on disk has been allocated to another file. This is the reason there are so many file recovery programs available. So what are we suppose to do if we want to delete a file and be sure it can never be recovered again? We download SDelete from Sysinternals and put it to work. SDelete is a command line utility and personally I don’t like having to type in a long command just to delete a file. So I wrote up a nice little batch program. You can either drag and drop one file, or one folder and it will delete the item using SDelete. All you have to do is download the batch file to the same directory as SDelete.exe and your good to go. Also the batch file tells SDelete to do five passes, just to make sure your item isn’t coming back.

Download SDelete.exe http://download.sysinternals.com/Files/SDelete.zip
Download delete.bat http://throwthemind.com/tools/delete.bat

In the last few days I have shown you how to encrypt and decrypt any file, and securely delete any file (unencrypted ones) all running off a USB Dive without Administrator access on a Windows machine. I hope you get use out of this, I know I do.

Thanks
Nathan

The other day I picked up a new 2gb USB Drive. I like to keep storage with me, as well as programs like Portable Putty, Firefox, Filezilla, VLC, 7Zip and KeePass. All of which can be downloaded free at PortableApps.com Keeping all these programs only takes up around 150MB, which isn’t bad when you have 1.9GB to play with. Now lets talk about encryption. Using a Mac or Linux a lot like I do, you find OpenSSL is awesome. You can easily encrypt and decrypt files quickly.  I recently got to looking around and found an .exe of OpenSSL. So I started playing. When I was done I had OpenSSL working off a USB Drive, and a batch file that either encrypts or decrypts based on the file extension. Oh and the batch file is run by dropping a file onto it. Here is what I did.

1. Download Win32 OpenSSL v0.9.8g Light and install.
2. Copy C:\OpenSSL\bin to your USB Drive.
3. Rename the bin directory to openssl.
4. Copy libssl32.dll, libeay32.dll, msvcr71.dll, ssleay32.dll from C:\WINDOWS\system32 to your new openssl directory.
5. Double click on openssl.exe in your openssl directory. If it works you should get a command prompt showing OpenSSL>
6. Download this file to the root of your USB Drive. encrypt-and-decrypt.bat
7. Now you have drag and drop encryption and decryption using aes-256.

The batch file will encrypt any file but will not encrypt a directory. If you want to encrypt a directory you can use 7zip to zip up the directory, then encrypt the .zip Also the batch file will only decrypt files ending in .enc Test it out and you will see what I mean. If you have any questions just leave a comment.

Thanks
Nathan

ps. If you want separated encrypt and decrypt files you can download these. encrypt.bat decrypt.bat

While listening Security Now the other week I heard them talking about PayPal offering two factor authentication via a little key dongle you could buy for $5. This little dongle displays a random 6 digit number every 30 sec, which you can hook in with PayPal and Ebay. I thought this was a great idea so off I went to spend my $5. I received the dongle yesterday. It’s pretty small about 2in. x 1in. and hooking it into my account was easier than registering for a new email address.  Now when I go to log in I type my user name and password, then after my password I type in the 6 digit number on the dongle.  Works great.

The best thing about the Security Key is that fact that it uses Verisign’s Identity Protection service. Which means any site could possible use the same service, meaning this dongle can work on those sites also. In any case, you know how I like the idea of OpenID. Well Verisign has added the ability to use this dongle to there OpenID server. So now not only can I have two factor authentication on PayPal and Ebay, but also on any site using OpenID. Woot!!

The other day I was listening to Security Now, a podcast about computer security, and they where talking about OpenID. I have OpenID implemented on this site in case you didn’t know. Anyway, a cool thing about OpenID is since it is open source, you can create your own way to verify yourself. So I can run an OpenID server off my web host, thus I am responsible for my own security and authentication. I like this idea, but one thing I don’t like is that most OpenID server simple use the standard user name and password for verification. This kind of sucks if my credentials get compromised, as this would open up every site I use OpenID on.

Idea for Verification
I got to thinking about this and how it can be improved. First I would only use the user name and password as a way of telling the OpenID server to start its verification processes. The next step would be to have the server use a key located somewhere to authenticate the user. This key would have to be created new after a certain amount of time. Once this key is validated then the server would know its really you. The great thing about this system is the key isn’t created by the OpenID server, it has to be created outside the OpenID server. This way if your user name and password are compromised they would only be good for a day, or less depending on how you have your key set up.

Idea for Storing the Key

• The key could be stored in a non web accessible directory on the the same web server as OpenID. This would entail logging into the server though ssh or other means and creating the key. Still pretty safe as you would need access to the server in order to change the key.
• Another way could be simply running your own OpenID server on you local machine, and storing the key only when the server is running.
• GmailFs or other remote mounting disks.
• Another site to create the key, although I don’t like this idea.
• You could even encrypt the key, before storing it somewhere.
• Many other possibilities