Saturday, April 24, 2010

The Skinny on LastPass

One of the people that I do odd jobs and random tech consulting/work for asked me a question about LastPass, and I figured that I should post it up here for everyone to see.

The security added by LastPass essentially falls into the area of user awareness and best practices. The idea is that it is easier for a user to remember one password that meets the recommended requirements (more than 14 characters, including uppercase, lowercase, symbols and special characters) than to manage a separate password meeting those complexity requirements for every service they use.

This will mostly serve to protect you from people trying to gain access to your accounts through what is commonly referred to as 'bruteforcing'. You may already be familiar with it, but it is essentially when someone uses either a dictionary/wordlist attack or a pure brute-force attack to get into your account(s). These people will have found your login name or username somewhere else on the internet and are trying remotely to gain access to your accounts.

Anyone who is already on your box can MITM (Man in the Middle) your browser, install a keylogger or data-mine your box to obtain your LastPass password, so in the case of malware (like the Zeus bot agent) or a virus on your computer, LastPass gains you absolutely nothing. Once your computer is compromised, it's game over.

My personal advice is to write down your passwords on a piece of paper that you keep on your person or to put all of your passwords into an encrypted file or drive.

Once again, security is not nearly as complicated as most people think. Follow these best practices to help protect your passwords, accounts and digitally stored personal data:

1. Use strong passwords EVERYWHERE (you can check your password strength here: https://www.microsoft.com/protect/fraud/passwords/checker.aspx )
2. Do not have a "passwords.txt" or "secret" file that can be easily accessed on your computer.
3. Keep your antivirus software up to date (both the software AND the signatures)
4. Harden your browser and don't visit sites you don't trust (install NoScript, Adblock Plus, etc., and don't allow scripts to run for advertisement sites or other untrusted sites)
5. Don't allow third-party cookies (unless you use Gmail, in which case you'll have to allow third-party cookies from *.google.com)
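As an added example (my own code, not from the post), here is a POSIX shell script that checks a candidate password against the complexity advice above (more than 14 characters, with uppercase, lowercase and symbols), additionally rejects passwords that embed one of a handful of common dictionary words (a constructed, tiny stand-in for a real wordlist, since the post warns about dictionary attacks), and wraps openssl enc to encrypt a plaintext notes file with a passphrase for the encrypted-file approach recommended above. The word list, the function names and the file names are assumptions; the -pbkdf2/-iter flags need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Checks a password against the post's complexity advice and encrypts a
# plaintext notes file with a passphrase using openssl.
LC_ALL=C; export LC_ALL   # make the [A-Z]/[a-z] ranges below locale-independent

# Constructed, deliberately tiny stand-in for a real wordlist (assumption).
COMMON_WORDS="password letmein welcome qwerty"

# Return 0 when the password is more than 14 characters, contains uppercase,
# lowercase and at least one symbol, and does not embed a common dictionary
# word (case-insensitively); otherwise return 1.
password_meets_policy() {
    p="$1"
    [ "${#p}" -gt 14 ] || return 1
    case "$p" in *[A-Z]*) ;; *) return 1 ;; esac          # uppercase present
    case "$p" in *[a-z]*) ;; *) return 1 ;; esac          # lowercase present
    case "$p" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac   # a symbol present
    lower=$(printf '%s' "$p" | tr 'A-Z' 'a-z')
    for w in $COMMON_WORDS; do
        case "$lower" in *"$w"*) return 1 ;; esac         # dictionary word embedded
    done
    return 0
}

# Encrypt a notes file under a passphrase-derived key (AES-256-CBC, PBKDF2
# with 200000 iterations). openssl prompts for the passphrase; deleting the
# plaintext afterwards is left to the caller.
encrypt_notes() {
    in="$1"; out="$2"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -in "$in" -out "$out" || return 1
    chmod 600 "$out"
}

# Decrypt an encrypted notes file to stdout (for reading it back later).
decrypt_notes() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -in "$1"
}

# Stand-alone usage: sh passwords.sh notes.txt notes.txt.enc
# (runs only when two file arguments are given and openssl is installed)
if [ "$#" -eq 2 ] && command -v openssl >/dev/null 2>&1; then
    encrypt_notes "$1" "$2" && echo "encrypted $1 -> $2"
fi
```

The policy check deliberately follows the post's own criteria (length and character classes); the dictionary check is the extra step that a length-and-classes rule alone misses, since "Password-12345!" satisfies every class requirement and still falls to a wordlist attack.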

As a parting comment, I have heard of numerous penetration tests that have involved LastPass, and in every case the tester was able to gain control of the workstation and get all of the passwords.

The moral of the story is to focus on securing your workstation and following security best practices.

Monday, April 19, 2010

Installing Dradis with MySQL on Ubuntu 9.10 (and up)

So honestly I just wanted to write this down somewhere in case I should ever find myself wondering how to do this again. The whole installation process was a pain in the arse, mostly because of stupidity - my advice is that if you're the only one using it, install Dradis with the default (SQLite).

If you need more than 10 people to access it at one time, however, you're going to want to install it with MySQL, which means following these instructions.

1. set up and install a LAMP stack (don't forget to write down your MySQL root password)
$ sudo tasksel install lamp-server

2. install additional dependencies for Dradis
$ sudo apt-get install ruby1.9.1-dev
$ sudo apt-get install ruby irb rdoc libopenssl-ruby
$ sudo apt-get install libmysqlclient16-dev

3. Ruby on Rails/rake config
$ sudo gem install rake rubygems mysql

4. grab a copy of Dradis:
$ wget http://downloads.sourceforge.net/dradis/dradis-v2.5.1.tar.gz

5. make sure your Dradis database config (/dradis-2.5/server/config/database.yml) looks like this (the keys must be indented under "production:", since the file is YAML):

# MYSQL CONFIG #
production:
  adapter: mysql
  encoding: utf8
  database: dradis
  pool: 5
  username: root
  password: yourmagicalrootpassword
  socket: /var/run/mysqld/mysqld.sock

6. create the dradis database in MySQL:
$ mysql --user=USER --password=PASS
mysql> create database dradis;

7. go to the server directory, populate the Dradis DB and start the server:
$ cd /dradis/server
$ rake dradis:reset
$ ruby ./script/server -b

You should now be able to browse your Dradis install at https://localhost:3004
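The config above puts the MySQL root password into database.yml, and the mysql invocation passes a password on the command line, where it ends up in shell history. As an added example, which is my own code and not part of this post or of Dradis, the POSIX shell script below generates the SQL for a dedicated MySQL account that can only touch the dradis database, together with a matching database.yml production block, so that the root password never leaves the MySQL prompt. The database and account name ("dradis"), the DRADIS_DB_PASSWORD and DRADIS_APPLY environment variables and the scratch directory are assumptions; the privilege list is what Rails migrations and the running app need on a single database and is not taken from the Dradis documentation.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Provision a dedicated, least-privilege MySQL account for Dradis instead of
# putting the MySQL root password in database.yml, and render the matching
# database.yml "production" block.
# Assumptions: database "dradis", account 'dradis'@'localhost', password taken
# from the DRADIS_DB_PASSWORD environment variable.

# Reject passwords containing characters that would break the SQL or YAML
# generated below (quotes, backslash, backtick, '#'), and the empty string.
dradis_password_embeddable() {
    case "$1" in
        ''|*\'*|*\"*|*\\*|*\`*|*\#*) return 1 ;;
    esac
    return 0
}

# Emit SQL creating the database and an account limited to that database.
# The grant covers what `rake dradis:reset` (migrations) and the running
# application need: no GRANT OPTION, no SUPER/FILE, nothing on other databases.
# Arguments: dbname user password
dradis_grant_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Render the production block of config/database.yml for that account.
dradis_database_yml() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
production:
  adapter: mysql
  encoding: utf8
  database: $db
  pool: 5
  username: $user
  password: $pass
  socket: /var/run/mysqld/mysqld.sock
EOF
}

# Stand-alone run: write both artefacts to a scratch directory, readable only
# by the current user. The SQL is applied only when DRADIS_APPLY=1 is set and a
# mysql client exists; mysql then reads the root password at its prompt rather
# than from the command line.
if [ -n "$DRADIS_DB_PASSWORD" ]; then
    dradis_password_embeddable "$DRADIS_DB_PASSWORD" || {
        echo "DRADIS_DB_PASSWORD is empty or contains a quote, backslash, backtick or '#'" >&2
        exit 1
    }
    out="${TMPDIR:-/tmp}/dradis-setup"
    mkdir -p "$out"
    umask 077
    dradis_grant_sql dradis dradis "$DRADIS_DB_PASSWORD" > "$out/grant.sql"
    dradis_database_yml dradis dradis "$DRADIS_DB_PASSWORD" > "$out/database.yml"
    echo "wrote $out/grant.sql and $out/database.yml (copy database.yml into server/config/)"
    if [ "$DRADIS_APPLY" = 1 ] && command -v mysql >/dev/null 2>&1; then
        mysql --user=root -p < "$out/grant.sql"
    fi
fi
```

Run it as DRADIS_DB_PASSWORD='...' sh dradis-db.sh to review the generated files, then again with DRADIS_APPLY=1 to apply the SQL; the generated database.yml replaces the root-based block from step 5, and rake dradis:reset then runs against the restricted account.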

Hope this helps/works for you.

Thursday, April 8, 2010

A little more about me...

Well, it's been quite a while since I started this to basically serve as a repository for those crazy thoughts, ruminations and solutions to peculiar computer issues that nobody seems to have easy answers for.

One of my buddies posted a bunch of stuff online and I guess some of the stuff that I do for consulting these days should end up somewhere in the public domain - so here goes...stay tuned for a few updates here and there :-)