Security

Cleaning up My Password Security

encryption-imageIt seems like there is an increasing amount of hacks and leaks lately.  These also seem to be larger and higher profile targets more and more.  Recently I’ve been seeing stories about Last.fm and Dropbox accounts apparently being compromised as well as a vulnerability in vBulleten, a popular Message Board hosting tool.  For the most part, a lot of these hacks are going to be harmless, for now.  Any website that actually matters is probably (they better be) using salted passwords, making a password dump mostly useless.  Though in Last.fm’s case, apparently 96% of the passwords were decrypted because their encryption algorithm was shoddy.  Still, it seemed like a good time to check over my Password Security.

Beware, those music scrobbles you see might actually be the music taste of some Russian or Chinese hacker!  Seriously though, I don’t really see the point with hacking Last.fm, I’m not entirely sure they even have any sort of financial data.  I imagine the email list is sort of useful for spam accounts.  I suppose there is also the issue of people using the same passwords everywhere.

The good side of these hacks, the lists get put on-line, on hacker sites or TOR sites, and there are several places that take these lists of leaked accounts, dump them in a database and allow you to search to see if your account shows up in a list and for which site, if available.  With all of these recent lists I went through and checked my primary email addresses and found about 20 entries between the two of them that had been compromised.  Most of those were vBulleten Boards that I had signed up for 10 years ago, never posted to, and had forgotten even existed.

I mentioned the problem of using the same password repeatedly.  I’ve got several “layers” I use for how much complexity I put into my passwords.  Financial sites, large buying sites (eBay, Amazon, etc), all get unique passwords.  I just remember those.  The next level, things like Facebook and Twitter, also get unique passwords, but I have some basic algorithms I use to generate them, mentally, so I can remember those as well while keeping them unique.  Sites like the ones that were compromised, tiny one off bulletin boards with little risk to me if they get hacked, I admit, I use the same few passwords on a lot of those.  Especially older ones from ten years ago, before I got serious about my online security.

Ironically, these sites are now possibly my most secure passwords.  Because I used Lastpass to generate the passwords.  Lastpass is a plug in for pretty much every browser.  It remembers your passwords, and syncs them across your Lastpass account.  I’ve used it for years to store and sync passwords, but I never really bothered with the generated passwords feature.  The best practice at the moment, for passwords, are long strings of random characters, lastpass can create these, and then remember them, so you don’t have to.  I don’t know what my new password is for the PPCGeeks message board, but I don’t need to, because when I visit, Lastpass will enter it and log me in.  It’s long and complex.  I mostly avoided this feature before because it pretty much meant I would never be able to log in via mobile since I would have to manually type the password in.  Lastpass now has a mobile solution, but I also just sort of accepted that, I’m never going to visit many of these sites on mobile anyway.

The even better solution, when available, is to use 2 Factor Authorization.  Something you know, a password, something you have, an Authenticator.  Every mobile platform has an authenticator App.  If you happen to be one of the 1% using Windows Phone like me, the Microsoft Authenticator works just like the Google Authenticator when setting it up.  When I want to log into say, Dropbox, I enter my username and password, like normal, and then I am prompted to enter the generated code from my Authenticator.  It doesn’t matter if someone else has my password, because they don’t have the Authenticator, which is randomly generated and can’t be duplicated.  I use this for any site that has it, which is almost all of the “big ones”, Microsoft, Google, Dropbox, etc.  I actually get frustrated when it’s not available, like when my Rockstar Games account got stolen 6 months ago or with Playstation Network, which has had like 3 or 4 hacks now.

Security Phase 2 – Doors and Windows (Planning)

I just wanted to start off by saying, this isn’t a how to at all, it’s more some general ideas I’ve been looking over for how to add door and window security to my recently set up video monitoring system.  Basically, I want a log of when and if the doors and windows are opened and closed.  I’d prefer not to run a bunch of wires, so wireless sensors are in order.

What I ultimately want is for an indicator light on a webpage to change based on the status of the door or window, a timestamp log to be created and possibly for some sort of email or text alert to occur.  ULTIMATELY I may even use this whole project as an excuse to finally develop my Phone app skills and build an app that I can view it all on, but that’s farther down the road.  A basic web page is fine for now, and it’s something I can manage.

My worry with wireless sensors was that I’d have to constantly change the batteries.  Until I realized that it would be trivial to design the sensor so that it only transmits when the window is open, and while I am not building my own sensors (I probably could) I imagine the makers of such sensors realize that you could save a ton of battery life by designing the sensors to only work when open.  I did a bit of searching on Amazon and found a6 pack of sensors for less than ten dollars.  It appears that each sensor has it’s own receiver/indicator which emits an audible tone.

This is actually probably alright for my needs.

While I am not an Electrical Engineer, I am familiar with basic circuit flow and basic electronics.  I don’t have any of these sensors yet but I can make some basic assumptions based on what I know.   When the window/door is opened, some trigger is closed and the sensor starts transmitting some sort of radio signal.  The fob thing which is always listening will receive the signal and activate some sort of internal speaker. 

There are a couple of issues that need to be solved here.  One, while the sensors hopefully are designed to conserve battery power, the FOBs are probably not.  I also want the signal to go to a computer and not sound a mostly useless audible alarm.  The power issue isn’t a huge issue.  With the right transformer brick providing the proper voltage, it wouldn’t be hard to rewire the contacts to allow for the units to be plugged into the wall, all at once, off of one power supply.  They look to be small enough that they could be mounted inside an electrical box in a small array and wired for power.

A similar method can be used to transform the speaker signal into a trigger for some sort of simple IO board.  To activate the speaker, some sort of voltage is applied to the speaker, the speaker can easily be removed and the contact points that would previously have fed the speaker could be wired to am IO board.  When the voltage is supplied to the "speaker" it will instead be read by the IO board, triggering a signal that "the Window/Door is open."

The main puzzle I have right now is, what would work best for the IO board.  I see two options here, and both would function differently, and I may even require both.  I could go with an Arduino board or a Raspberry Pi.  Both of these options seem to have advantages and disadvantages, and there may even be a third option which corrects the disadvantages.

arduino

Let’s look at the Arduino.  The Arduino is ideal for dealing with the IO board.  It is, by design, meant to work with this sort of "hands on" electronics systems.  It even has build in contacts for working with two wire IO interfaces.  I don’t know anything about Process, the programming language of the Arduino, but I’ve been meaning to learn and I am capable of learning it.  The problem is on the output.  Arduino is not designed to work with PCs in any simple way.  From some quick research online, the Arduino would require a serial interface and likely special software running on the server to poll the Arduino at set intervals.  Which brings up another issue.  As near as I can tell, the Arduino is a "pull" interface, meaning the server would have to pull the status from the Arduino, as opposed to "push" where the Arduino would push the data to the server as it changes.

Raspberry_Pi_Photo

So there is also the Raspberry Pi.  The Raspberry Pi is a computer itself, which makes interfacing with the server simple and easy.  It runs a simplified OS but connecting the Pi to the network is simple and telling it to push even a text file status update to the server via FTP or some similar network protocol is trivial.  the issue comes in the need to read the sensors.  I’m not entirely sure the Raspberry Pi is even capable of reading an analogue IO interface right out of the box.  Some searching suggests it is possible through an additional interface board of some sort but not right out of the box.  Looks like there are a handful of GPIO points build into the PI.  The PI also feels like much more than is really needed for this simple application.

Its kind of a tricky decision, I’ve been wanting to play around with both the Pi and the Arduino so I may just pick up one of each and see what works.  Both are around the same price and the whole system in the end will end up costing around $50-$75, which is almost nothing.  The final step once the sensor data lands on the server is updating the web page but I already am familiar enough with building webpages and simple polling scripts that this step is the easy part.  Whatever I end up going with I’ll certainly document the results in the future.

Security Cameras Part 2: The Software

So, I recently, basically ran through my plans and such for my recently acquired security cameras.  The physical cameras are only half the equation.  I only ended up making one box, and the other two I simply mounted up under the eaves in the appropriate positions.

The second step is the software.  I’m currently using three pieces of software to monitor these cameras.  First was the included myDlink service/software.  This software is most useful for accessing the cameras from outside the house.  It includes some basic notification ability but it doesn’t have an easy to way to record based on those notifications, at least not that I can tell.  The cameras themselves can push files to an FTP, but it’s sort of an all or nothing deal based on a schedule.  Running 1 shot a second creates a TON of files that are mostly useless.  The Phone app is good though (works with Windows Phone even!)

So I set out to find a better solution for capturing during motion.  I already run a private in house web server for testing, so I set out to find something that I could host there, on Ubuntu.  I came across a nice piece of software called Zoneminder.  It’s an OpenSource solution that will monitor cameras for motion and save files based on this activity.  I believe it can also record actual video though I am just doing short term recordings.  It may be a feature that I have not found, but my main issue is that I can’t bring up a view of all three cams at once.  I’m also having the usual issues with the server and IPs, internal vs external, etc.  It’s also tricky to set up.

cams

For multicam monitoring I’m using some Windows Software called IP Camera Viewer.  This simple software allows me to add IP based cameras and view them in a grid as desired.  Simple, and effective.