Barkings! | The Small Dog Apple Blog

A blog about our business, our industry, and our lives. You'll find posts from everyone at Small Dog and if the dogs could blog, they'd be here, too!


Hacking: The Other Side of Computer Security

Hopefully by now, most people have heard about Heartbleed. No need to panic (click here for steps to take if you haven’t already), but it was a serious issue in the tech world. If nothing else, it’s really shone a light on all sorts of computing security practice vulnerabilities. Many experts have suggested now is a great time to update passwords you use online.

When I started studying computer science in college, the older students often talked about this “hacking challenge” that one of the professors liked to do in his course on operating systems. It didn’t seem real... a challenge where the goal was to hack into a system? When I finally found myself in the operating systems course, I discovered just how real the hacking challenge was.

There were two parts: In the first part, we students took on the role of the defenders. In real life, most of us are defenders trying to keep hackers away from our private data. For this challenge, we were defending a system from attacks by the professor. In the second part, we assumed the role of the attackers. We were the bad guys trying to get into a system that the professor was defending.

In the defending role, the only thing at stake was pride and bragging rights. In the attacker role, in addition to pride and bragging rights, a hefty number of bonus points were offered up as added incentive. We were successfully able to defend the system against the professor’s attacks, but only barely. We underestimated his deviousness, and a key logger was nearly our undoing.

The more interesting part was when we assumed the attackers’ role. As in love and war, nothing (within the rule of law) was off limits. There were a number of “checkpoints” we could reach in compromising the system, and we received points for each unencrypted password we were able to successfully identify. Each identification was met with exasperated groans from the professor as we called him to report it. The ultimate prize was an encrypted file that we needed to find and decrypt. Ultimately, we were able to compromise the entire system including the root password, and given more time, we were on our way to recovering and decrypting the encrypted file.

What did I learn from this challenge? I was taken by complete surprise at how devious and clever we all became trying to break into that system. I also learned just how easy it was to break reasonable-length passwords. Dictionary words? Might as well just hand your data to us on a silver platter. Proper nouns? No problem. Numbers added in? No problem. Weird characters? Slight inconvenience, but still doable. In many cases, we didn’t even bother being clever at all. Computational power and speed have become so ubiquitous and cheap that “lazy” brute force attacks on some of the more common hash and encryption algorithms are almost trivial. Just three or four of us requisitioning about 15 computers in a lab to do our bidding for a few hours was all it took.

Full disclosure: We had physical access to the machine in this situation. No one wanted to be responsible for us picking locks or otherwise trying to get into a locked office. Physical access allows attackers to bypass many of the network security speed bumps. The machine was also running a version of Linux, which uses similar security features and technologies to OS X. Windows is (or was) theoretically even easier to compromise. I expect newer versions don’t use the easily breakable hash algorithms of versions past.

So what would I recommend? Good complex passwords are important, but if it’s so complex you’re just going to write it on a post-it and stick it to your monitor, it’s too complex. There are tools to help keep track of your passwords, and I’ve used things like Keychain Access to help with that, but ultimately, the longest, or most complex password you can memorize is the best policy. Many companies and organizations use a password expiration policy, but these policies are somewhat outdated. They cause frustration for users and admins, and discourage people from memorizing passwords (more post-its on monitors). Nowadays if someone gets your password, they aren’t going to wait. They’re going to start looking for where it will work immediately. I know I would.

My personal recommendation is to go for the longest password you can, as that’s what I do. The web comic XKCD had a great strip about long passwords a while back. Another good idea is to check if your favorite password shows up in any password leak or common passwords lists.

Disclaimer: The hacking exercise described here is an example of white hat hacking. We were authorized to hack into the system as part of a learning exercise. You should never willfully hack into any system or attempt to steal passwords from anyone. For one, it’s highly unethical, and in many cases, it’s also illegal and could result in heavy fines or jail time. Even grey hat or activist hackers often find themselves on the wrong side of the law.


MAC TREAT #246: LOST

Last week, I experienced a scare when I couldn’t find my right hand iPhone after a series of stops in Burlington. At the point at which semi-panic set in, I found myself digging through my car, desperately trying to locate it, for the better (nope) part of half an hour. To my dismay, it wasn’t there, and I had to plan my next steps.

I made my way back to the S. Burlington store to get online to use Find My iPhone with the hope that it would show me exactly where it absconded to (sorry for ending this sentence with a preposition — I couldn’t resist the opportunity to use the word “absconded.”) Anyway, I logged into iCloud.com and got to sleuthing.

I clicked on Find My iPhone, and it located it within a minute. It was in a car, moving swiftly down the highway. Important: Not my car.

I’ll spare you the details since this was likely the result of a misunderstanding and get to the part that you’ll need to know/have if this ever happens to you. Everyone knows that the Find My iPhone app/technology is cool, but until you have to use it, you never realize just how much, and that the process of retrieving your phone if it’s actually with someone else rather than lost in your couch cushions requires certain info.

Here are my tips to protect yourself:

Register your phone when you buy it.
This not only protects your warranty, but it also provides a way for you to look up your serial number if it’s ever stolen. The police ask for this as part of their report, and you have access to your serial number no matter where you are — so even if your receipt is stored at home or you’ve thrown it (or the original box) out, you can get that crucial (and time-sensitive) data to the authorities when they need it.

Set up Find My iPhone.
Duh. I’m so glad I took the time to do this because it let me know exactly where my phone was once I accessed it in iCloud. There are three options once you locate it: Play Sound, Lost Mode, and Erase iPhone. It’s important to note that the latter two will render your phone untrackable; I chose not to select those because I wanted to still see where my phone was headed. Whether you choose to use those or not depends on your situation. Playing the sound would also potentially alert the person with the phone to the fact that you know it’s gone, so evaluate that as well. Find My iPhone also displays your battery’s charge, which was extremely helpful for me because I knew that its time on was numbered. Once the battery goes dead, it’s also (obviously) not trackable.

Bookmark this site.
Log in to Apple’s Support Profile page with your iCloud information, and there, you will be able to view all of your (registered) Apple devices and computers. This was my saving grace, since I didn’t have my serial number accessible any other way when I was at the store. (Note: We record a device’s serial number on the original invoice, but I had swapped out my iPhone 5 for another model recently, so the data wasn’t accurate.)

All’s well that ends well, and I got my phone back that day. It was a great lesson in why registering your valuables is essential!


Introducing Outdoor Tech

Spring is here, and although last night was in the 20s, it quickly warmed up to 60 during the day. Ah, spring in the Valley! As the snow melts and mud season begins, it was time to dust off the bike equipment, put the skis away and make the transition. As I got my bike equipment out, I thought back to all the good times I had last year — I got a new cross bike for the dirt roads around here and used a new app called Strava to track my rides.

As we all prepare to get back outside, I thought that there was no better time to bring in a company called Outdoor Tech. As their name suggests, these guys specialize in technology made for the outdoor elements. In particular, their speakers, Turtle Shell 2.0 and the Buckshot, both offer great sound, are water-resistant and have the ability to mount on a bike. The Buckshot includes a bike mount and can fit onto your handlebars (or, in the winter, fit on the chairlift bar) and is great for rocking and taking calls. Its cylindrical shotgun shell shape and single speaker design makes it super portable and great for hitting the bike path!

The Turtle Shell is larger, offering a louder sound with two speakers and battery bass. They claim it’s “louder than a bear’s roar!” I’m not entirely sure how they tested that, but I’ll take their word for it. For those of you who love to belt it out in the shower (really, who doesn’t?), you can mount it there or on your bike using the Turtle Claw. Either one will ensure you get heard this summer and keep you safe. A great speaker with good lows and highs. Note: I have found that wearing headphones while biking on the road isn’t the best idea; apparently cars use the road too — who knew?

We’ve also brought in some headphones from Outdoor Tech: The Adapt and the Privates, an over-ear Bluetooth headphone with touch control and an awesome slogan — “Touch your privates in public!”

The Adapt is just that — a great Bluetooth adapter that allows you to make any pair of headphones wireless. A very cool device for those who already love their wired headphones, especially for the ski/snowboard helmets with them already built-in. If you want to skip adapting your old headphones and step into something new, the Privates are a great pair of headphones that offer hands-free calling, as well as a touch interface for controlling play/pause, skip forward/back, and answer/hangup.

Now get outside and enjoy the lovely spring weather!


Heartbroken About Heartbleed? Don't Be! Here's What You Need to Know.

The internet may not actually be a series of tubes, but it still is a complex layering of protocols, software, hardware and people. One of those protocols that we rely on heavily is SSL/TLS (Secure Sockets Layer/Transport Layer Security). This protocol is what allows your data to pass securely between your computer or device and the sites you visit. It does this by encrypting the data end-to-end.

For example, you might notice that Smalldog.com’s shopping cart URL has an “https” at the beginning. This signals that you’re viewing a secured page. Any information you enter on forms will be transmitted encrypted. Credit card numbers, passwords, and everything else are all encrypted and safe. Any site that handles credit card information, or other sensitive customer information must be PCI compliant. Here at Small Dog Electronics, we go through compliance testing each month to verify that our servers and systems check out. When something like the Heartbleed bug comes along, we take it very seriously and have procedures in place to resolve it.

The bug works by exploiting a flaw in the way heartbeat messages are handled in OpenSSL. A heartbeat message is nothing more than a tiny message from a client to the server that says, “Hey server, even though I’m not sending encrypted data right now, I’m still here, so don’t close my secure connection.” It does this because closing and reopening the connection takes work, so it’s more efficient to leave it open. These heartbeat messages typically contain some payload data and an indication of how big the payload data is. So a message might be “Hey server, I’m still here” and the payload size might say 32 bytes. The server hears this message and responds by returning the payload data and payload size to the client.

In the exploitation of this transaction, a malicious client would send a heartbeat message with a very small payload (say 10 bytes), but it would lie and say that the payload size was very large (50,000 bytes). When the server goes to respond by sending back the payload, it mistakenly grabs 50,000 bytes’ worth of data from its memory, because it never checks the claimed size against the size of the message it actually received. This could include all kinds of data that this client should NOT know about. It could be anything the server was working on at that time: other clients’ secure data, passwords, or even encryption keys. This is all very bad, so we want to stop it from happening.

Fortunately, the fix for the bug is fairly simple. Servers running OpenSSL need to upgrade their version. Because it’s possible that encryption keys and certificates could have been compromised, it’s advisable to also replace those keys and certificates. Here at Small Dog Electronics, we’ve done both of these things. We’ve also reset login sessions in case an old user login session was still active or compromised.
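To make the missing length check concrete, here is a small C model of the heartbeat exchange described above. It is an added illustration written for this post, not OpenSSL’s code: a constructed record layout (type, two-byte length, payload, padding), the unchecked handler beside the bounds-checked one that the fix amounts to, and a check that only the unchecked handler echoes back a constructed sample secret sitting nearby in memory. The names server_mem, SECRET and CLAIMED are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a heartbeat record: 1-byte type, 2-byte big-endian
 * payload length, the payload, then 16 bytes of padding. Not OpenSSL's code. */
#define HB_PADDING 16
#define CLAIMED 200                     /* length the lying client claims */
static unsigned char server_mem[4096];  /* simulated server memory */
static const char SECRET[] = "constructed-sample-private-key-bytes";

static size_t read_len16(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Vulnerable handler: echoes as many bytes as the client claims, never
 * comparing that claim to the size of the record actually received. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out) {
    (void)rec_len;                      /* the Heartbleed mistake */
    size_t claimed = read_len16(rec + 1);
    memcpy(out, rec + 3, claimed);      /* reads past the 10 real bytes */
    return claimed;
}

/* Fixed handler: header + claimed payload + padding must fit in rec_len,
 * otherwise the message is dropped and nothing is echoed back. */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out) {
    size_t claimed = read_len16(rec + 1);
    if (3 + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Place a constructed malicious record in server_mem: 10 payload bytes,
 * CLAIMED in the length field, SECRET a few bytes beyond. Returns rec_len. */
size_t build_malicious_record(void) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = 1;                  /* heartbeat request */
    server_mem[1] = CLAIMED >> 8; server_mem[2] = CLAIMED & 0xff;
    memcpy(server_mem + 3, "ImStillHer", 10);
    size_t rec_len = 3 + 10 + HB_PADDING;
    memcpy(server_mem + rec_len + 8, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if a handler's reply to the malicious record contains SECRET, else 0. */
int reply_leaks_secret(size_t (*handler)(const unsigned char *, size_t,
                                         unsigned char *)) {
    unsigned char reply[CLAIMED] = {0};
    size_t n = handler(server_mem, build_malicious_record(), reply);
    for (size_t i = 0; i + strlen(SECRET) <= n; i++)
        if (memcmp(reply + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}
```

Running both handlers over the same record shows the unchecked one leaking the sample secret and the checked one returning nothing, which is exactly the difference the upgrade makes.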

So what else should you know? OS X itself is not vulnerable to the bug. We use custom software versions and configurations on our servers to allow us to keep up with the latest bug fixes in a more timely manner, but in this case, it meant our version included the bug.

Because we’re lovers of security here, we suggest everyone update their Top Dog Club passwords just to be extra safe. Additionally, since OpenSSL is very common software used all across the web (somewhere around 60% at last estimation), we also suggest that people update passwords for accounts on other sites. As always, we recommend choosing good, strong passwords.

Please don’t hesitate to reach out to us on our blog, Twitter, or Facebook if you have any questions about our security, what we’ve done to patch the Heartbleed bug, or you’d like help updating your account passwords.


AppleCare: Because WE Care!

It happens regularly…technology breaks. Nothing is perfect, and in the age of constant change, that statement is truer than ever. It forces us to ask the age old question, “What is AppleCare and why do I want it?” Well, I can personally attest to the fact that AppleCare is a NECESSITY for anyone with an Apple product. To insure your computer is to ensure your future happiness with everything Apple. 

Apple’s product quality speaks for itself, but just like any piece of technology, regular wear and tear can (and will) take its toll at some point. One can understand the mindset of trying to save a few bucks, but what if I told you that it is actually in your benefit to purchase AppleCare? That’s right, folks — if you spend more money now, it’s extremely likely that you’ll save much more money later.

Most people know that AppleCare covers all parts and labor associated with your hardware issue. It also covers diagnostic fees and phone support fees with Apple that have been known to cost upwards of $100 without coverage. An extra benefit? Your Mac is covered should you travel outside of the US, something that the standard warranty does not.

So why do you want it? To ENsure a happy, and hassle-free future with your Apple product! AppleCare for your computer runs from $169.99 – $349.99 depending on your model and is available for purchase any time within the first year you own your Mac.
