Archive for November, 2006

Solaris TAR vs GNU TAR

There was a problem using Solaris’ tar: it could not properly extract Apache Tomcat, whose archive contains files in deeply nested directories. It happily truncated the long path name and created a weird “@LongLink” file outside.

Following suggestions from Google to use GNU tar instead, I found all GNU FTP sites to offer the tar source in a tar.gz.

@_@


Internet Banking – Security Device

To reduce cases of phishing and sniffing of passwords in Internet Banking, banks are now introducing 2-factor authentication using a little security device. You press its only button and a 6- or 8-digit passcode appears, which you have to enter after your username/password.

In this way, hackers must not only know your username and password, they also need physical access to your device to complete the stunt. Similarly, only getting hold of your device doesn’t give the hacker access to the account.

But how does the device work? How does it generate the number? Is it unique across so many devices in circulation? Can the algorithm be reproduced?

Little information has been provided, probably in the hope of fewer attempts to break it. However, as history shows, security by obscurity will never work. From the information gathered, the device contains a clock, a unique serial number and the algorithm. When the button is pressed, the algorithm takes the serial number and clock as input to generate the number. Since the server knows the time and your serial number (looked up from your username/password), it is able to perform the same calculation to verify the number entered.

What I found clever in this algorithm is the use of time as input. This means the numbers are only valid for roughly the minute the button was pressed – you cannot just remember one set of digits and use it every time you log in. Instead you are forced to press that button every time.
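As an added illustration (not the bank’s device or its algorithm, and written in Python rather than anything the post names), the following shows the scheme described above in the form it later became standard as RFC 4226/6238: the device MACs the current time step with a secret it shares with the server, truncates the result to a short decimal code, and the server repeats the calculation. The device secret is the RFC test value and stands in for the “unique serial number”; the 60-second step and the replay check in `ServerAccount` are my assumptions about what a sensible server side does, not facts from the post.

```python
import hashlib
import hmac
import struct

# Constructed example secret, not a real device's: this is the RFC 4226/6238 test
# secret ("12345678901234567890" in ASCII), shared between device and server.
DEVICE_SECRET = b"12345678901234567890"
TIME_STEP = 60   # seconds per code, assumed to match the post's "valid for the minute"
DIGITS = 6


def generate_code(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """What the device does: derive the current time step, MAC it with the
    device secret and truncate to a short decimal code (RFC 4226 truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def matching_counter(secret: bytes, submitted: str, unix_time: int, window: int = 1):
    """What the server does: recompute the code for the current step and a few
    neighbouring steps (clock drift) and return the step that matched, or None."""
    base = unix_time // TIME_STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        candidate = generate_code(secret, counter * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return counter
    return None


class ServerAccount:
    """Per-user server state (assumed design): remembers the last accepted step so
    a code that was sniffed or shoulder-surfed cannot be replayed inside the window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def login(self, submitted: str, unix_time: int) -> bool:
        counter = matching_counter(self.secret, submitted, unix_time)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    account = ServerAccount(DEVICE_SECRET)
    code = generate_code(DEVICE_SECRET, 70)          # device pressed at t=70s
    print("first use:", account.login(code, 75))     # True
    print("replayed:", account.login(code, 100))     # False: same step already used
```

The drift window is what lets a code entered a few seconds after the minute boundary still work; the price is that a captured code stays valid for up to `window` extra steps, which is why the server also has to refuse a step it has already accepted.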

[1] http://in.answers.yahoo.com/question/in … 355AAe8u8T
[2] http://www.hsbc.co.nz/nz/security/osd/default.htm
[3] http://www.hangseng.com/hsb/eng/onl/sec … x01.html#1
[4] http://computerworld.com.sg/ShowPage.as … issueid=91

On this blog [5] the author feels the device is an overkill. He compares it to another secure account that he has that does not require the security device.

However I feel that despite user education, not all may be able to maintain the rules of thumb. Users who change passwords frequently do not remember their passwords (I have a perfect example for that). With the increasing number of internet applications and passwords to maintain, if every application forces users to change their passwords so regularly, users end up wasting time changing system passwords every other day, and forgetting that password soon after.

Lay users may also not know whether they are on a secured or unsecured connection, or whether any part of their connection is insecure. Even if the system is their personal desktop that no one else has access to, it is not guaranteed to be free from keyloggers. With the security device the account is better protected, since keyloggers are no longer effective.

[5] http://technobiography.edongskey.com/ne … ty-device/


In case you have a “leaked” WinXP key

This tool allows you to change your Windows XP registration key:

http://www.magicaljellybean.com/keyfinder.shtml

A “tutorial” or introduction can be found at:

http://www.shivaranjan.com/2006/09/18/h … formation/

Based on information on:

http://support.microsoft.com/default.as … us;Q328874

According to the 2nd link, it is legal to use the tool in the 1st link, since the method has been publicly described in the 3rd link. The tool simply implements the method described there.


Security Week

The past week happened to be sort of a Security Week. On separate occasions I was working with symmetric key cryptography and PKI using certificates with digital signatures.

Symmetric keys were more straightforward. Create a cipher, throw in the secret key and data – voilà – you have the encrypted data. What’s left is just to keep the secret key safe. DON’T overwrite it yourself!

PKI with Java needed more effort. As usual it was the confusion between the terms: keystore, certificate, signature, CA, keytool, etc. Despite understanding it before, the knowledge just got lost somewhere at the back of my brain.

So what I’ve figured out AGAIN today was: Certificates were invented as an attempt to solve the problem of public key distribution, through a trusted Root Certification Authority. A certificate contains a public key, information about the certified entity, and a signature.

The signature is created by encrypting the HASH of the certificate information and public key using the private key of the certificate issuer. Therefore the signature algorithm is described using a hash algo WITH an encryption algo, e.g. SHA1withDSA. To verify the signature, calculate the hash of the certificate using the hash algo. Use the issuer’s public key to “decrypt” the signature to get the original hash. If both hashes match, it’s a valid signature. You do not have to calculate the hash yourself: Java has Signature classes that compute the hash internally; you just supply them with the relevant data.
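The hash-then-private-key flow above, as an added example that is not from the post and not Java’s `Signature` class: a toy issuer signs a certificate body and a relying party verifies it with the issuer’s public key. The issuer key is textbook RSA on two Mersenne primes chosen so the arithmetic is visible (a constructed key, not a real CA’s), JSON stands in for DER as the “to be signed” encoding, and the `SHA256withToyRSA` label is made up; real certificates use PKCS#1/PSS or DSA/ECDSA with proper padding and far larger keys, but the verification logic is the one the paragraph describes. Requires Python 3.8+ for `pow(e, -1, m)`.

```python
import hashlib
import json

# Constructed toy issuer key pair, not a real CA key: textbook RSA with two
# Mersenne primes. 65537 is coprime to (p-1)(q-1) here, so the private exponent exists.
CA_P = (1 << 127) - 1
CA_Q = (1 << 107) - 1
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # issuer's private exponent
CA_PUBLIC = (CA_E, CA_N)                         # what the relying party holds


def tbs_bytes(tbs: dict) -> bytes:
    """Canonical encoding of the 'to be signed' part (entity info + public key) so
    signer and verifier hash exactly the same bytes. JSON here stands in for DER."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def hash_to_int(data: bytes) -> int:
    """The HASH step (SHA-256), reduced into the toy modulus; real schemes pad instead."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def issue_certificate(tbs: dict, d: int = CA_D, n: int = CA_N) -> dict:
    """Issuer side: hash the certificate body and apply the issuer's private key."""
    signature = pow(hash_to_int(tbs_bytes(tbs)), d, n)
    return {"tbs": tbs, "sigalg": "SHA256withToyRSA", "signature": signature}


def verify_certificate(cert: dict, issuer_public=CA_PUBLIC) -> bool:
    """Relying party side: recompute the hash, 'decrypt' the signature with the
    issuer's public key and compare the two hashes."""
    e, n = issuer_public
    recovered = pow(cert["signature"], e, n)
    return recovered == hash_to_int(tbs_bytes(cert["tbs"]))


if __name__ == "__main__":
    cert = issue_certificate({
        "subject": "CN=example-service",         # constructed subject name
        "public_key": {"e": 65537, "n": 3233},   # the subject's own (toy) public key
        "not_after": "2007-11-30",
    })
    print("genuine:", verify_certificate(cert))                       # True
    forged = {**cert, "tbs": {**cert["tbs"], "subject": "CN=other-service"}}
    print("tampered:", verify_certificate(forged))                    # False
```

Note what is and is not being checked: the signature binds the subject’s public key to the subject information under the issuer’s key, so changing any field of `tbs` after issuance makes the recomputed hash differ from the recovered one. Whether to trust the issuer’s public key in the first place is the separate distribution problem the root CA is meant to solve.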

A keystore is a database of key pairs and certificates. Certificates may also be contained in independent files. The keystore is protected by a password, and individual key pairs within the keystore are protected by a separate password; each key pair has its own unique password.

The keystore can be manipulated using the keytool command line tool. My preferred method is using Windows tools such as KeyToolGUI to help manage and generate keys. Of course if you’re on Unix then too bad. Using keytool you will be able to generate key pairs, export public keys to certificates and import other certificates. A Java application can also read from the keystore (with appropriate passwords) to access key pairs and certificates for the corresponding public/private keys. The keys can then be used in code to encrypt, decrypt, sign, verify signatures, etc.

Sample code is not provided, as it can be readily found on the web and by referencing the APIs.


Excel VLookup

VLookups in Excel can help to change values in Excel tables based on a combo box value.

Question: Can I select a combo box value and have the data copied to a new table?

AFAIK the “new table” will need to contain formulas that reference the combo box, e.g. =VLOOKUP(comboBox, Sheet1!Data, 3). If you want the new table to start empty and then contain pure values, it can only be achieved through macro programming using VBA.

Excel cells cannot be changed without a formula in them. Without VBA, an empty cell will stay an empty cell.
