Security

Cleaning up My Password Security

encryption-imageIt seems like there is an increasing amount of hacks and leaks lately.  These also seem to be larger and higher profile targets more and more.  Recently I’ve been seeing stories about Last.fm and Dropbox accounts apparently being compromised as well as a vulnerability in vBulleten, a popular Message Board hosting tool.  For the most part, a lot of these hacks are going to be harmless, for now.  Any website that actually matters is probably (they better be) using salted passwords, making a password dump mostly useless.  Though in Last.fm’s case, apparently 96% of the passwords were decrypted because their encryption algorithm was shoddy.  Still, it seemed like a good time to check over my Password Security.

Beware, those music scrobbles you see might actually be the music taste of some Russian or Chinese hacker!  Seriously though, I don’t really see the point with hacking Last.fm, I’m not entirely sure they even have any sort of financial data.  I imagine the email list is sort of useful for spam accounts.  I suppose there is also the issue of people using the same passwords everywhere.

The good side of these hacks, the lists get put on-line, on hacker sites or TOR sites, and there are several places that take these lists of leaked accounts, dump them in a database and allow you to search to see if your account shows up in a list and for which site, if available.  With all of these recent lists I went through and checked my primary email addresses and found about 20 entries between the two of them that had been compromised.  Most of those were vBulleten Boards that I had signed up for 10 years ago, never posted to, and had forgotten even existed.

I mentioned the problem of using the same password repeatedly.  I’ve got several “layers” I use for how much complexity I put into my passwords.  Financial sites, large buying sites (eBay, Amazon, etc), all get unique passwords.  I just remember those.  The next level, things like Facebook and Twitter, also get unique passwords, but I have some basic algorithms I use to generate them, mentally, so I can remember those as well while keeping them unique.  Sites like the ones that were compromised, tiny one off bulletin boards with little risk to me if they get hacked, I admit, I use the same few passwords on a lot of those.  Especially older ones from ten years ago, before I got serious about my online security.

Ironically, these sites are now possibly my most secure passwords.  Because I used Lastpass to generate the passwords.  Lastpass is a plug in for pretty much every browser.  It remembers your passwords, and syncs them across your Lastpass account.  I’ve used it for years to store and sync passwords, but I never really bothered with the generated passwords feature.  The best practice at the moment, for passwords, are long strings of random characters, lastpass can create these, and then remember them, so you don’t have to.  I don’t know what my new password is for the PPCGeeks message board, but I don’t need to, because when I visit, Lastpass will enter it and log me in.  It’s long and complex.  I mostly avoided this feature before because it pretty much meant I would never be able to log in via mobile since I would have to manually type the password in.  Lastpass now has a mobile solution, but I also just sort of accepted that, I’m never going to visit many of these sites on mobile anyway.

The even better solution, when available, is to use 2 Factor Authorization.  Something you know, a password, something you have, an Authenticator.  Every mobile platform has an authenticator App.  If you happen to be one of the 1% using Windows Phone like me, the Microsoft Authenticator works just like the Google Authenticator when setting it up.  When I want to log into say, Dropbox, I enter my username and password, like normal, and then I am prompted to enter the generated code from my Authenticator.  It doesn’t matter if someone else has my password, because they don’t have the Authenticator, which is randomly generated and can’t be duplicated.  I use this for any site that has it, which is almost all of the “big ones”, Microsoft, Google, Dropbox, etc.  I actually get frustrated when it’s not available, like when my Rockstar Games account got stolen 6 months ago or with Playstation Network, which has had like 3 or 4 hacks now.

Security Phase 2 – Doors and Windows (Planning)

I just wanted to start off by saying, this isn’t a how to at all, it’s more some general ideas I’ve been looking over for how to add door and window security to my recently set up video monitoring system.  Basically, I want a log of when and if the doors and windows are opened and closed.  I’d prefer not to run a bunch of wires, so wireless sensors are in order.

What I ultimately want is for an indicator light on a webpage to change based on the status of the door or window, a timestamp log to be created and possibly for some sort of email or text alert to occur.  ULTIMATELY I may even use this whole project as an excuse to finally develop my Phone app skills and build an app that I can view it all on, but that’s farther down the road.  A basic web page is fine for now, and it’s something I can manage.

My worry with wireless sensors was that I’d have to constantly change the batteries.  Until I realized that it would be trivial to design the sensor so that it only transmits when the window is open, and while I am not building my own sensors (I probably could) I imagine the makers of such sensors realize that you could save a ton of battery life by designing the sensors to only work when open.  I did a bit of searching on Amazon and found a6 pack of sensors for less than ten dollars.  It appears that each sensor has it’s own receiver/indicator which emits an audible tone.

This is actually probably alright for my needs.

While I am not an Electrical Engineer, I am familiar with basic circuit flow and basic electronics.  I don’t have any of these sensors yet but I can make some basic assumptions based on what I know.   When the window/door is opened, some trigger is closed and the sensor starts transmitting some sort of radio signal.  The fob thing which is always listening will receive the signal and activate some sort of internal speaker. 

There are a couple of issues that need to be solved here.  One, while the sensors hopefully are designed to conserve battery power, the FOBs are probably not.  I also want the signal to go to a computer and not sound a mostly useless audible alarm.  The power issue isn’t a huge issue.  With the right transformer brick providing the proper voltage, it wouldn’t be hard to rewire the contacts to allow for the units to be plugged into the wall, all at once, off of one power supply.  They look to be small enough that they could be mounted inside an electrical box in a small array and wired for power.

A similar method can be used to transform the speaker signal into a trigger for some sort of simple IO board.  To activate the speaker, some sort of voltage is applied to the speaker, the speaker can easily be removed and the contact points that would previously have fed the speaker could be wired to am IO board.  When the voltage is supplied to the "speaker" it will instead be read by the IO board, triggering a signal that "the Window/Door is open."

The main puzzle I have right now is, what would work best for the IO board.  I see two options here, and both would function differently, and I may even require both.  I could go with an Arduino board or a Raspberry Pi.  Both of these options seem to have advantages and disadvantages, and there may even be a third option which corrects the disadvantages.

arduino

Let’s look at the Arduino.  The Arduino is ideal for dealing with the IO board.  It is, by design, meant to work with this sort of "hands on" electronics systems.  It even has build in contacts for working with two wire IO interfaces.  I don’t know anything about Process, the programming language of the Arduino, but I’ve been meaning to learn and I am capable of learning it.  The problem is on the output.  Arduino is not designed to work with PCs in any simple way.  From some quick research online, the Arduino would require a serial interface and likely special software running on the server to poll the Arduino at set intervals.  Which brings up another issue.  As near as I can tell, the Arduino is a "pull" interface, meaning the server would have to pull the status from the Arduino, as opposed to "push" where the Arduino would push the data to the server as it changes.

Raspberry_Pi_Photo

So there is also the Raspberry Pi.  The Raspberry Pi is a computer itself, which makes interfacing with the server simple and easy.  It runs a simplified OS but connecting the Pi to the network is simple and telling it to push even a text file status update to the server via FTP or some similar network protocol is trivial.  the issue comes in the need to read the sensors.  I’m not entirely sure the Raspberry Pi is even capable of reading an analogue IO interface right out of the box.  Some searching suggests it is possible through an additional interface board of some sort but not right out of the box.  Looks like there are a handful of GPIO points build into the PI.  The PI also feels like much more than is really needed for this simple application.

Its kind of a tricky decision, I’ve been wanting to play around with both the Pi and the Arduino so I may just pick up one of each and see what works.  Both are around the same price and the whole system in the end will end up costing around $50-$75, which is almost nothing.  The final step once the sensor data lands on the server is updating the web page but I already am familiar enough with building webpages and simple polling scripts that this step is the easy part.  Whatever I end up going with I’ll certainly document the results in the future.

Security Cameras Part 2: The Software

So, I recently, basically ran through my plans and such for my recently acquired security cameras.  The physical cameras are only half the equation.  I only ended up making one box, and the other two I simply mounted up under the eaves in the appropriate positions.

The second step is the software.  I’m currently using three pieces of software to monitor these cameras.  First was the included myDlink service/software.  This software is most useful for accessing the cameras from outside the house.  It includes some basic notification ability but it doesn’t have an easy to way to record based on those notifications, at least not that I can tell.  The cameras themselves can push files to an FTP, but it’s sort of an all or nothing deal based on a schedule.  Running 1 shot a second creates a TON of files that are mostly useless.  The Phone app is good though (works with Windows Phone even!)

So I set out to find a better solution for capturing during motion.  I already run a private in house web server for testing, so I set out to find something that I could host there, on Ubuntu.  I came across a nice piece of software called Zoneminder.  It’s an OpenSource solution that will monitor cameras for motion and save files based on this activity.  I believe it can also record actual video though I am just doing short term recordings.  It may be a feature that I have not found, but my main issue is that I can’t bring up a view of all three cams at once.  I’m also having the usual issues with the server and IPs, internal vs external, etc.  It’s also tricky to set up.

cams

For multicam monitoring I’m using some Windows Software called IP Camera Viewer.  This simple software allows me to add IP based cameras and view them in a grid as desired.  Simple, and effective.

Security Cameras Part 1: The Hardware

Something I have been vaguely looking into over the years is a DIY solution to home security and automation.  There are several places you can pay to have this sot of thing installed and they often include a subscription for monitoring and leasing the equipment.

We’ve been having some issues lately with kids in the neighborhood knocking on doors and windows and running off late at night.  I had set up a temporary measure using my Sony Handicam on a tripod and even caught one of them once but the video was not clear enough due tot he darkness to really see anything.  Plus, filling the memory card on a daily nightly basis is not likely very good for the camera, nor is leaving the thing plugged in constantly good for the battery.

I could also use my Panasonic DV100 to capture the low light video pretty easily but it takes tapes and would only record an hour max.  Plus I don’t have an AC adaptor for it, so even if I hooked it up to a VCR or something, I’m still only looking at 2 hours max.  Not to mention wear and tear on the camera.

What I really needed was a dedicated camera designed for this sort of thing, one with night vision.  I’d tried using webcams hooked to PCs in the past but that doesn’t work in the dark either and the webcams I own are all ancient.  Plus I am tethered to a PC by a USB cable.  Amazon had a daily deal on some D-Link DCS-932L wireless cameras (which wasn’t as amazing as it seemed on paper due to Amazon’s pricing screweyness but whatever).  They were wireless, they were day/night capable and for the price I could get 2-3 of them compared to one of the other cameras I had been looking at.

IMGP0903

The cameras themselves are decent.  They were cheap, which I liked, and thought they are not super cheap in quality, they are SD only, which I was aware of but its a bit more of a letdown than I expected.  They were easy to set up, I plugged each into the router using the network cable, scanned for the IP address, and opened the GUI.  From there was was simple enough to assign IPs to each camera and connect them to the WiFi.  There is a myDlink service included for “anywhere access” but the cameras can be used independently from myDlink.  I found some software which lets me view multiple cameras at once and may set it up on a TV using an old broken Netbook I have laying around for quick access.

After ordering and receiving the cameras, I had a realization that I had neglected to consider.  These cameras are NOT outdoor cameras.  Specifically, they are not deigned to be outdoor cameras.  In my research, I knew simply placing the cameras in a window sill this would be a problem due to light reflection from the windows.  Just because I can’t see the infrared light at night doesn’t mean it wouldn’t create a massive glare on the window.

It’s still light.

I didn’t even get far enough for that to be an issue, the cameras during the day were horribly obscured by the window screens and the street lights outside, while not bright, created a massive amount of reflection from the blinds.

Oh well, at the very least, I could use them indoors, though the point was to watch the doors and driveway at night.

Still, I didn’t give up.  I did some research online and found many people had used these outside, for at least months and in one case years.  The main concern was condensation and humidity, and to a lesser extent, temperature.  One video even put the camera out on a table in the pouring rain for an hour with no ill effects.

So I set out to build a weather resistant enclosure for the cameras.  I’ve used plastic electrical boxes in the past for other projects and this one was pretty much just drilling a few holes in some plastic.  The boxes I found at Lowes came in 4×4 and 6×6 sizes.  I had my wife measure the camera and she said it was not quite 4 inches tall minus the base, so I opted for the 6×6 box.  The boxes themselves are pretty thick and I wasn’t sure the inner cavity was actually 4″x4″ on the smaller boxes.  Plus going with 6×6 gives the cameras room to breathe a bit, since it is still an electronic device and will generate some heat.  My main irritation wads that the 6×6 boxes were almost twice the cost of the 4×4 option.

I started by measuring out the center along one axis of the box lid, then measuring out the placement of the camera’s circular lens ring on the other axis.  I then found the center point of the circular areas and marked the counterpoint of the hold I was going to drill.  I measure the camera camera ring at 2″ in diameter and used a 2″ drill bit put apparently came up off somewhere because the hole was about an eigth of an inch larger all around.  Slightly annoying because I wanted a tight fit but it was workable and I can always seal it later with some caulking or even just some foam weather sealing that I have laying around.

Next I drilled holes in the bottom of the box to match the screw hole mounts on the bottom of the DSC-932L camera mount.  This size was dependant on the bolts I had handy that would fix in the screw holes.  This would allow the camera to be bolted into place inside the box.  Finally, I needed to get the power cord through.  The largest normal drill bit I had was not quite large enough to make a hole for the power cord to fit through but I was able to ream out the hold enough to get the plug through.  The benefit of this tight push was that the hole would be smaller and easier to seal up.

IMGP0902

So after mounting the camera with bolts and pushing the power through and assembling the cover around the lens, I hade a self contained weather sealed box (the electrical box has a nice rubber seal between the lid and box).   I am not real sure yet on the best way to mount the box but I placed it outside last night on a plant stand and let it run through a rain storm.  Worked out fine and the video from outside the window worked fine.

This project definitely isn’t done but it’s off to a good start.  Next will be finding an effective way to mount the boxes under the soffits, and, more important, providing power.  The cameras are wireless to the network but they still plug in.  I had some ideas about running extension cords through the soffits to the garage but I’m thinking it will be better to just install some outlets in the attic at the appropriate points.  I have a motion activated light I took off of our rental property after the fire that I plan to install on the front door, so the front door cam may just get a hook up right there on the light, since the motion light will need to be on all the time anyway.

The project is working out pretty well though despite a few hiccups.