Category Archives: Mac

BASH OpenSSL HMAC

I just posted a BASH script that works around the OpenSSL 0.9.8 limitation of using printable ASCII keys for HMAC by moving the key processing into BASH and only utilizing OpenSSL for the hash functions.

BASH Base32 Decoder

I just published a Base32 decoder written in BASH.

This is a piece of a project I’m working on to implement a command line authenticator script as a backup for my Google Authenticator app.

Creating a UDF TrueCrypt Volume

I had an old hard drive I wanted to use as a secure, cross platform file transfer device, so I thought of TrueCrypt and UDF. Unfortunately, TrueCrypt for MacOS only supports formatting drives as Mac OS Extended and TrueCrypt for Windows only supports NTFS and FAT32. I ended up using TrueCrypt for Mac OS and the Mac’s command line formatting utility.

Login as an Administrator
Connect the drive you want to protect with TrueCrypt
Open TrueCrypt and create a TrueCrypt Volume like normal, but select "None" when asked to select a filesystem
Wait for the encryption to complete
From TrueCrypt, click the "Select File…" or "Select Device…" to select your newly encrypted volume and click "Mount"
Enter the password and any other authentication credentials required for the Volume. Check "Do not mount" before clicking "OK"
Back in the main TrueCrypt window, select the Volume and click "Volume Properties…"
Record the Virtual Device value. In this case "/dev/disk3"
Open a Terminal window
Run sudo newfs_udf /dev/disk3 to format the TrueCrypt volume with the UDF filesystem
From now on, the UDF filesystem will automatically be mounted when mounting the TrueCrypt volume on Window or Mac OS

Bypassing Basic Download Filters

The other day, I was trying to update the driver for my EVGA GeForce GTX460 Video Card, but the download kept stopping at 180MB out of 271MB. After re-starting the download a few times, realized that my ISP or firewall was flagging something malicious and interrupting the download. I figured I had 4 options:

Download the driver on my server, and then download it to my PC using SFTP.
Download it over a VPN. Being limited to 300kb/s bandwidth on the free ProXPN VPN didn’t seem like a good option either.
Download it over public Wi-Fi. Just annoying.
Download it over https.

Assuming it worked, I figured option 4 would be the easiest. The default download link too me to http://us.download.nvidia.com/Windows.... By changing the link to https://us.download.nvidia.com/Windows..., I received a certificate mismatch message, but the download worked when I overrode the warning. A closer look at the warning, shows the https certificate is for the domain name a248.e.akamai.net. This seems safe to me, since Akamai is a CDN, so it makes sense that NVIDIA could be using Akamai to distribute their drivers. I would be more cautious if the certificate was not issued to a CDN or NVIDIA itself. Remember to check that the installer was signed by the appropriate company (NVIDIA in this case).

I haven’t tried this on other downloads, but I think it should work on a fair percentage of them.

Converting from Chrome to Firefox

I’ve been a long time Google Chrome user, but Chrome’s lack of certificate revocation checking persuaded me to switch to Firefox as my secure browser. I’ve relegated Chrome to being my media browser to take advantage of it’s built in and automatically updated Flash player.

After a few days back on Firefox, I’m happy with the switch. Firefox’s certificate revocation checking seems to be faster than Chrome’s (completely subjective) and Firefox’s security is much easier to customize.

Transition Process

Add-Ons

under Settings → Add-Ons, I added:

LastPass – works about the same, but seems to be slightly less stable
NoScript – more mature than ScriptSafe
CipherFox – provides ciphersuite information in a dropdown and allows easy enabling and disabling of RC4 based ciphersuites (check "Disable RC4 cipher" in the Extension preferences).

I also installed HTTPS Everywhere. It seems to be more mature and easier to manage than the Chrome version, with the exception of adding custom rules. Custom rules must be added to a folder in the filesystem and cannot be edited from within Firefox.

Plugins

Under Settings → Add-Ons → Plugins

I set all of my media plugins like Google Talk and Microsoft Silverlight to "Ask to Activate".

I set to Java (it got installed when I was doing some Java development) to "Never Activate".

Preferences/Options

Under Advanced → Data Choices, I disabled Firefox Health Report and Crash Reporter, because these could inadvertently disclose sensitive information.

Under Advanced → Certificates, click the Validation button and check "When an OCSP server connection fails, treat the certificate as invalid".

Advanced Configuration

Type "about:config" into the address bar.

Disable SSLv3.0: security.tls.version.min = 1
Disable DSS based authentication: security.ssl3.dhe_dss_aes_128_sha = false; security.ssl3.dhe_dss_aes_256_sha = false
Disable Triple DES based ciphersuites: security.ssl3.dhe_rsa_des_ede3_sha = false; security.ssl3.ecdhe_rsa_des_ede3_sha = false; security.ssl3.dhe_rsa_des_ede3_sha = false; security.ssl3.ecdhe_rsa_des_ede3_sha = false; security.ssl3.rsa_des_ede3_sha = false
Minimize Session Data Storage: browser.sessionstore.restore_on_demand = false; browser.sessionstore.resume_from_crash = false

Summary

These configurations give you good control over what runs on each page through NoScript and Ask to Activate.

The most sites use RSA or ECDSA certificates and support AES. I generally find that sites that don’t support AES, only support RC4, so disabling Tripple DES doesn’t reduce compatibility. I use CipherFox to enable RC4 on an as-needed basis, because some sites that support AES, prioritize RC4 (e.g. BarclayCard). Due to Dreamhost’s server configuration, this site only supports RC4.

At this point, I rarely encounter a site that does not support at least TLSv1.0, so I figure it’s time to disable SSLv3.0.

tidgubi.com

(computer) tips, security, tools