October 1, 2009: 7:14 pm: Forensics, Password Security

I really, really love Automator on the Mac. It just makes it so easy to set up scripts you can run again later. More importantly, it lets you write a script solution that is point-and-click for someone else when they need help.

I had an email from a detective who does forensics work on child exploitation cases. He wanted a simple way to build a dictionary from a selection of folders and files. He wanted to use that dictionary with my crowbar tools to go after a FileVault from a Mac.

Here is what I did.


December 8, 2008: 6:21 pm: Data Security

I recently moved over completely to a MacBook Pro at work. I had a Windows XP desktop with dual monitor support and had two external drives hooked up via FireWire. On top of that, I use PGP and had full-disk encrypted both my external drives.

Shortly after completely shifting over to my MBP I found it hard crashing. I mean the hard crash that says on the laptop screen that you have to use the power button to reboot and recover from a crash. It took some basic troubleshooting, but here is what I found. I am running OS X Leopard with VMware Fusion. I have Windows XP with PGP installed inside of it. I had to change the connection of the external drives from FireWire to USB. This is because VMware cannot pass through FireWire devices to the XP VM. It has to be USB. I plug in the drives while XP has focus and I get the normal prompt for the drive passphrase. I enter it and everything mounts up fine. It is not till after a good 5 minutes or more, with no specific time, that the crash will occur. Every time. I rebooted, let the drives connect, but I hit cancel so they never mounted using PGP, and left the MBP running while I went to lunch. Magic, no crashes occur. Lastly, I go to decrypt the drives and I find that PGP on the Mac side can mount the drives but says it cannot decrypt them because they were encrypted using PGP for Windows. So I had to hook them back to my old desktop and decrypt them. Fortunately I saved uninstalling PGP from the desktop as my last step and had not done it yet.

I have to make some decisions about the type of data on the external drives, maybe just encrypting some of it as a PGP disk file instead of full disk encryption. Mixing PGP FDE inside VMware is definitely a quick way to crash your Mac repeatedly. I had even posted this on Twitter and got a response back from VMware. They agree it's an issue, something about hardware, drivers, etc. Of course, no solution. Likely that is something for PGP to work out.

May 1, 2007: 7:19 am: Password Security

I noticed over on Andy the ITGuy’s blog a post about writing down passwords. I agree completely that passwords should be recorded in a work environment. They are the property of the company as much as any piece of hardware or software. How you write them down and handle them is very important though.

Here is what we do. We keep all our sensitive passwords in an Excel spreadsheet in our IT area on our file server. The folder is locked down tightly with group permissions to just the IT group. Next, we turned on file and object auditing on the passwords subfolder in that area. Toss in Snare for Windows, which sends all the object audit events to my Kiwi Syslog box. The file is encrypted via PGP. Keys of the local IT staff plus the key of a backup person in our corporate office are used. Finally, Kiwi Syslog sends its events to a MySQL database so I can run reports whenever I wish. This way I can tell exactly who goes into the folder and decrypts the file at any time. The staff just delete the file once they are done looking up the password they need.

You cannot just rely on domain permission lockdown alone. What happens if someone gets elevated privileges without authorization? This is why we use PGP. Only people whose keys were used can get into the file, should they even reach it.
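As an added illustration (not part of the original post or the author's actual setup), here is one way the "who goes into the folder" report could be produced from forwarded object-audit events, including the case of an account outside the IT group reaching the folder. The tab-separated layout, paths, account names and authorized list are constructed assumptions; 560 and 4663 are the Windows object-access audit event IDs.

```python
from collections import defaultdict

# Constructed sample events in an assumed, simplified tab-separated layout:
# timestamp, host, event ID, account, object path. Not the exact Snare format.
SAMPLE_EVENTS = """\
2007-04-30 08:59:00\tFS01\t528\tCORP\\alice\t-
2007-04-30 09:12:03\tFS01\t560\tCORP\\alice\tD:\\IT\\Passwords\\passwords.xls.pgp
2007-04-30 09:12:41\tFS01\t560\tCORP\\alice\tD:\\IT\\Passwords\\passwords.xls
2007-04-30 13:05:10\tFS01\t560\tCORP\\bob\tD:\\IT\\Docs\\network.vsd
2007-04-30 22:47:55\tFS01\t560\tCORP\\svc_backup\tD:\\IT\\Passwords\\passwords.xls.pgp
malformed line without tabs
2007-05-01 07:02:19\tFS01\t560\tCORP\\bob\tD:\\IT\\Passwords\\passwords.xls.pgp
"""

# Windows object-access audit event IDs (560 on older servers, 4663 on newer).
OBJECT_ACCESS_IDS = {"560", "4663"}
WATCHED_PREFIX = "d:\\it\\passwords\\"      # hypothetical audited subfolder
AUTHORIZED = {"corp\\alice", "corp\\bob"}   # hypothetical IT group members


def parse_events(text):
    """Yield (timestamp, account, path) for well-formed object-access events."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 5 or fields[2] not in OBJECT_ACCESS_IDS:
            continue  # skip malformed lines and unrelated event types
        yield fields[0], fields[3].lower(), fields[4]


def password_folder_report(text):
    """Group accesses under the watched folder by account; list outsiders."""
    by_account = defaultdict(list)
    for ts, account, path in parse_events(text):
        if path.lower().startswith(WATCHED_PREFIX):
            by_account[account].append((ts, path))
    unexpected = sorted(a for a in by_account if a not in AUTHORIZED)
    return dict(by_account), unexpected


if __name__ == "__main__":
    report, unexpected = password_folder_report(SAMPLE_EVENTS)
    for account, hits in sorted(report.items()):
        print(account, len(hits), "access(es), last at", hits[-1][0])
    print("accounts outside the IT group:", unexpected)
```
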

Another advantage of using Excel: if you rotate passwords, you just make a new tab, copy the current tab into it, and name the tabs appropriately. Over time you will have an entire history of all your previous passwords. This is important in larger environments where you may not have changed passwords on all equipment like you thought. You can look up older passwords to try without locking yourself out just because no one is around who remembers passwords from months or years ago.

Lastly, print a copy. Whenever we change any passwords, we print a new copy of the entire Excel workbook. Proper headers and footers are set so we can tell which pages are older passwords. Next, we seal that in an envelope, signing and dating across the seal. Finally, we drop it in a fire-resistant safe.

Between these methods you have easy access to password lists, a secured electronic copy that gets backed up with all other server-based data, and lastly a hard copy in case the backups or server are unavailable.

All this can still work in a smaller environment. It is just that the backup key used to encrypt the file is more likely to belong to a company officer than to a second IT person.