Children’s Technology Foundation NW is running out of computers to refurbish and give to underprivileged students. Please help by donating your old home or work computer. Children’s Technology Foundation NW is a 501(c)(3) so your donation is tax-deductible. I will even come pick it up so it will be easy. Please email me for more information or to arrange for a donation. Thank you.
While getting my daily fill of security news, I came across a SaaS offering for two-factor authentication. I was initially drawn to the site because of one of the founders: Dug Song. Anyone who has ever picked up Hacking Exposed (or any other penetration testing book) will recognize Dug as the creator of dsniff. The service is called Duo, or Duo Security, or maybe that’s the name of the company. Hmm, might I suggest hiring a marketing agency to help define your product offerings and develop your brand? But I digress.
Duo Security claims to work with many VPN services, Unix-based servers, and websites. It doesn’t appear to integrate with Windows.
I was mainly interested in securing my WordPress login, so I activated their free service that allows up to 10 users.
Installation was a breeze and consisted of signing up with Duo, installing a plugin for WP, verifying my iPhone, and finally installing the Duo iPhone app. The whole process took less than 15 minutes and the documentation was dead-on and included abundant screenshots.
Now, after entering my WP admin username and password, I am prompted by Duo Security,
Duo Push uses the iPhone (Android too) app installed on my phone. After clicking “Log In”, I open the app on my phone and “Approve” or “Deny” the login.
If I click “Approve”, I’m instantly logged into my WP admin page. If I were to click “Deny”, possibly due to an attacker performing reconnaissance, I would get the following options,
I’ve only been using Duo a short time but I already love it. It’s extremely simple, quick, and easy to use. Additionally, the company claims Duo Push protects from the type of attack RSA recently experienced.
By “RSA-proof”, we mean that even if an attacker leaked all the secrets from our database, they’d be unable to forge successful authentication responses for our Duo Push two-factor. We’re able to accomplish this by ditching the traditional shared secret model of OTP-based two-factor, which uses a symmetric key stored on the server-side to validate one-time passcodes.
Instead, we’ve opted to employ asymmetric cryptography to sign and verify all communications between Duo’s servers and a Duo Push-enabled smartphone.
http://blog.duosecurity.com/2011/06/rsa-proofing-our-duo-push-two-factor-authentication/
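The distinction drawn in the quoted passage, as an added example (not Duo's code or protocol): with a shared-secret OTP, a copy of the server's database row is enough to compute a valid passcode, while in the signed model the server holds only a public key and cannot be used to produce an approval. Ed25519, the 32-byte challenge and the function names are assumptions of this example; the page does not say which algorithm Duo Push uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp is an RFC 4226 passcode: anyone holding key derives the same code.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// leakDemo reports whether a response is accepted when built from (a) a copy
// of the OTP database row, (b) a key other than the phone's, (c) the phone's key.
func leakDemo() (otpCopy, otherKey, phone bool) {
	dbSecret := []byte("12345678901234567890") // constructed: RFC 4226 test key
	copied := append([]byte(nil), dbSecret...) // what a database copy contains
	otpCopy = hotp(copied, 1) == hotp(dbSecret, 1)

	// Signed model: the server stores pub only; priv stays on the phone.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, other, err := ed25519.GenerateKey(rand.Reader) // any key that is not priv
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32) // fresh per login, so an old approval cannot be reused
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	otherKey = ed25519.Verify(pub, challenge, ed25519.Sign(other, challenge))
	phone = ed25519.Verify(pub, challenge, ed25519.Sign(priv, challenge))
	return
}

func main() { fmt.Println(leakDemo()) }
```

The first result shows why the server-side key store is the sensitive asset in the OTP model; in the signed model that role moves to the private key on each enrolled phone.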
I’m very impressed and I hope the service gets the attention it deserves.
Working at closerlook, a marketing agency based in Chicago, I developed an appreciation for good design and effective communication both in print and digital form. I often wish I had the presentation skills of Steve Jobs or the slide creation prowess of Nancy Duarte but, unfortunately, my strengths lie in logic and reasoning, not creativity. But I strongly believe that with the right mix of enthusiasm and a dash of originality, anyone can capture an audience’s attention and deliver a compelling argument. And that is the skill that most IT people lack: delivery. IT folks are wizards at mining and massaging data but when it comes to delivering it in a clear and simple format, we often fail. The TED talk below, from Hans Rosling, is an excellent example of how even statistics can be interesting.
Some time ago I installed a beta version of Microsoft Office 2010, which created a Q: drive that was seemingly inaccessible. I recently noticed some errors in the Event Viewer.
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{volume GUID}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.
Operation: Removing auto-release shadow copies Loading provider
Context: Execution Context: System Provider
After some Googling, I stumbled upon a post which recommended uninstalling Microsoft Office Click-to-Run 2010 (Beta). I had already uninstalled the Office 2010 beta but this product, which appears to be some cloud software delivery technology, stuck around. After a smooth and successful uninstall, the Q: drive disappeared and the next full backup completed without issue.
I recently installed IE9 on a Windows 2008 R2 system that I use as both a server and workstation (home use only). After upgrading, IE9 would frequently crash.
The Event logs weren’t extremely helpful.
So, I fired up Procmon, reproduced the crash, then filtered on iexplore.exe and WerFault.exe.
I’m not an expert with Procmon but I usually try to focus on when the application crashed and look for any ACCESS DENIED or NAME NOT FOUND, as recommended in Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition. I noticed references to AllChars, which is an application that assists typing special characters. I remember installing this when I had some Spanish homework and wanted to quickly type accent marks. I knew AllChars wasn’t fully compatible with Windows 2008 but prior to IE9, I hadn’t experienced any issues. I disabled AllChars in the system tray and my IE9 issues were resolved. I then uninstalled AllChars from the Control Panel and considered this case solved.
References: Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition, p. 264, 909