Disc Image – Why not to use a plain Dictionary Word

In the process of playing with backing up to disc images I wanted to play around how to automate the password entry. I may get into why in a future post. Whatever you do, do not use a plain dictionary word to secure your images. Here is why. I based it on the scripts I found at: http://ask.metafilter.com/47171/How-to-crack-a-disk-image

Modified and tested. Worked like a champ when I added my chosen password to a dictionary text file of words. In the below example I used a path to where I have a large collection of dictionary files used for password cracking in forensics etc. This is not the fastest thing in the world but it works if the chosen password shows up in the word lists you throw at the image.


for word in $(cat /Volumes/ExternalDrive/Dictionaries/test.txt | grep -v “#”)


echo -n $word | hdiutil attach /Volumes/iPod/Backup/Backup.sparseimage -stdinpass

if [[ $? = 0 ]]


echo “Password found!”

echo $word

exit 0



echo “password not found :(”

exit 1


Laptop Backup via Rsync + iPod

My previous post talked about using rsync to backup securely to another computer over the Internet. What if you want a local spare backup or do not have Internet?

Here is what I did on my mac powerbook.

Set your iPod so you can use it as a removable drive. iPod has to be set to “Enable Disc Use”.

Create an Encrypted Sparse Disc Image on the iPod. You can just follow the directions over on Macosxhints.com

hdiutil create -size 5g -encryption -type SPARSE -fs HFS+ Backup

That creates an encrypted sparse image file named Backup that maxes out at 5GB. We open the image once, and rename the Drive name label to EncryptBackup. That will be what shows if we look at the mounted volumes.

Now all you have to do is use a nice rsync command to backup your documents into the mounted encrypted Spare Image.

rsync -avg –exclude “Documents/browseback/” ~/Documents /Volumes/EncryptBackup

That will sync our Documents folder over into the Encrypted Backup image file on the iPod just as if it were its own drive. Note the –exclude option. I have a program called BrowseBack for the Mac. It caches copies of everything I browse there so I can find previous content again via web, send to pdf, email etc. But I don’t want to backup all that cached data.


Modified the script I have on my iPod to mount, backup then dismount the image.

hdiutil attach /Volumes/iPod/Backup/Backup.sparseimage
rsync -avg –exclude “Documents/browseback/” ~/Documents /Volumes/EncryptBackup
hdiutil detach /Volumes/EncryptBackup

Then an Automator saved as an application onto the iPod and its an easy double click. If you save your image’s password in your keychain you won’t have to enter that either.


Laptop Backup via Rsync + SSH

I was playing around with rsync the other night. Now I have a scripted command so I can backup folders from my laptop back to the external harddrive on my iMac at home. You can find the command below.

We need to assume you have done several a couple of things to improve the security of your SSH at home.

  1. Moved from the standard tcp 22 port to a new port: example 5346
  2. Turned off password authentication in favor of public-private key authentication.
  3. Have your ssh private key saved somewhere on your laptop simple like the default ~/.ssh folder. The default keyname is id_rsa if you generated your key with a command like
    ssh-keygen -t rsa
  4. The folder we want to backup is called Documents just in our home folder on our Apple Powerbook.
  5. We will assume you registered a Dyndns name for you home machine.: example home.homedns.org
  6. The username on your home iMac or *nix box is: username
  7. The external drive is called: ExternalDrive

Here is the command you would issue on your Mac or *nix laptop. It should all be on one line. The best part is that it will take a while depending on how much stuff you have in your Documents folder. After that it will only sync over the changes. Perfect when away from home and you want a backup safely off your laptop.

rsync -avrz -e “ssh -p 5346 -i .ssh/id_rsa” Documents username@home.homedns.org:/Volumes/ExternalDrive/Backups/Powerbook


Begging to be a presentation at Black Hat.

The other day a public relation email was sent to the Certified Computer Examiner mail list. This email talked about a new secure USB flash drive. That is pretty brave to send such an announcement to forensics professionals. The drive is called the Flash Padlock from Corsair.

I will start with disclosing I have not seen this device in person. My opinions here are strictly based on the vendor documentation from their own web site materials. I did email back to the sender of the announcement that I wouldn’t mind reviewing the drive for the In the Trenches Podcast. Days later and I have yet to receive a reply. But I was still curious. I started reading the materials on the Corsair web site.

The device looks to be very interesting. It is using a combination lock with indicator leds showing the status of the drive. Since the combination is physically entered it is compatible with any computer (Windows, Mac etc) that can recognize flash drives. Corsair provides an online site where you can register the pin you set for your drive. Handy if you forget it. Any computer will let you look it up from their systems. The pin can be up to ten digits in length. No software component is required. This all makes it pretty much impossible to brute force the drive. At least until some enterprising hacker figures out a way to wire up the entry mechanism to a custom interface on a laptop. Another interesting feature is that it locks when the drive is removed from the computer automatically. This is a nice design idea. Makes it less likely anyone will get into the contained data.

They have an interesting PDF White Paper. I see a couple of interesting things in this paper.

  • Page 4 – “A PIN…is not stored anywhere that is accessible from the computer.” Makes you wonder where the pin is stored. Is it hashed, plain text etc? Could someone pull it straight from the flash chips?
  • Page 4 – Read the part about Two Factor Authentication. They claim it is two factor because you have to have the Flash Padlock and know the PIN. I find this debatable. This is like saying a bank vault is using two factor authentication. You have to have possession of the safe and know the combination. To me it is only two factor authentication if the two factors actually authenticate the proper user. Possessing the lock does not mean the lock requires two items of proof of valid access. In my opinion and this is my personal opinion only, this consists of one factor of authentication. So at this point I am starting to get skeptical on this device being the wonder affordable security flash drive.
  • I found no reference of encryption in the white paper at all relating to the Padlock. In fact unless I am blind I find only encryption references in the comparison to other device protection types. So I began to wonder if this PIN is only protecting read access. If some clever security researcher could read the data straight from the flash memory and present it at Black Hat. At the bottom of page 4 there is a reference that the DataLock(tm) technology has been licensed from a company called ClevX. They even nicely provide a link to www.clevx.com.

Finally, I find the last thing that makes me nervous about this device. I needed only look at ClevX’s page on Datalock. http://www.clevx.com/datalock.html Do you see the words that make every security professional cringe? “Proprietary on-board encryption…” At least the data does not sound like it is in plain text.

So seems to me this device would make some skilled security researcher a wonderful paper for Black Hat. I would still love to play with one of these devices and compare it from a usability frame of reference to the Kingston DataTraveller Elite that comes fully encrypted using non-proprietary 256-bit hardware-based AES encryption.


CISSP – Earning CPEs on your own time

I wanted to update an older topic. These days to keep your CISSP, CCE and other credentials you may have to have keep up on educational material. Also known as continuing professional education. We like to call them CPE units or simply CPEs. Here are some great sources.

The SANS Institute offers many great webcasts every month. You can even subscribe to the schedule via RSS or in an iCal compatible client. Watch for topics that you need development in or that just interest you. You are able to actually print out a CPE certificate for your records.

If you are Cisco certified here a new one. Cisco just partnered with the IET (Institute of Engineering and Technology). Check out the benefits. There is a ton of online educational material for IET members. Just get your Cisco ID handy and join for a fairly reasonable membership fee.

If you are an iTunes user. There is always iTunesU. The online area of the Apple iTunes store where there are tons of University courses online.  You can probably find something suitable for CPEs either type A or B.

Lastly for now. If you want some good personal development type B CPE credits for your CISSP? I love the Manager Tools podcast. These guys know what they are talking about when it comes to management skills, handling coworkers, ethics etc. I would probably hold onto the copy of the audio file and the show notes for your records in case you get a CPE audit from ISC2.


LogParser – MS Exchange Webmail User Access List

I had to make a list of whom accessed the webmail system at work and when. Here is a way to do it with logparser if you have your IIS logs in normal IIS format.

  1. Get the IIS logs from the web server front end of the
    webmail server. Dump them into a location like g:\logs\owa
  2. Grab a copy of MS Log Parser
  3. Make a text file called WebAccess.sql and put the following
    commands in the sql text file.
    cs-username, Date
    FROM g:\logs\owa\*
    (cs-username IS NOT NULL)
    (sc-status = 200)
    GROUP BY Date, cs-username
  4. Put the ms log parser and your WebAccess.sql into the g:\logs folder
  5. Execute this command at a command line in the folder with ms log
    Logparser.exe file:WebmailAccess.sql -i:IISW3C -o:CSV
  6. If you want it to go to a file just add > WebmailUsers.csv to the end
  7. of the command in step four above. That will redirect the output to a csv you can open in excel.

SurfControl – Ad Blocking

Today I was playing around with blocking the Ad and Popup category. By default uses your default blocking page. This made for an ugly web experience with odd looking parts of the text policy blocking page we have setup. So I made a new rule just for blocking ads and popups. Then you make a new HTTP Deny Page. Call it something like “Ad Block”. Now the trick. Put the below code into that page.   Assign the new deny page to the ad block only rule and the result is a nice blank area everywhere you had ads that got blocked.

Uploaded with Skitch!


An iGotcha from iGet

I found out one more thing.  iGet is hard coded to the default filename id_rsa for the private key.  Save that with no passphrase in your .ssh folder and iGet will recognize the key and use it.  Nothing else I could do worked.  Even changing the name to iGet from id_rsa so I could recognize the key as being the unsecured key for iGet would not work.   These guys really ought to take a page from Cyberduck.