OptionsHouse offers two-factor authentication with a Google Authenticator-compatible app and an additional PIN for making security-related account changes. This seems to be pretty good security, but if you have multiple accounts, you have to enable the security PIN separately for each account. If you don't, you can reach your two-factor authentication settings from the account(s) without a security PIN, even though the two-factor authentication settings are global.
Author Archives: Kenji Yoshino
Converting from Chrome to Firefox
I've been a long-time Google Chrome user, but Chrome's lack of certificate revocation checking persuaded me to switch to Firefox as my secure browser. I've relegated Chrome to being my media browser to take advantage of its built-in and automatically updated Flash player.
After a few days back on Firefox, I’m happy with the switch. Firefox’s certificate revocation checking seems to be faster than Chrome’s (completely subjective) and Firefox’s security is much easier to customize.
Transition Process
Add-Ons
Under Settings → Add-Ons, I added:
- LastPass – works about the same, but seems to be slightly less stable
- NoScript – more mature than ScriptSafe
- CipherFox – provides ciphersuite information in a dropdown and allows easy enabling and disabling of RC4 based ciphersuites (check "Disable RC4 cipher" in the Extension preferences).
I also installed HTTPS Everywhere. It seems to be more mature and easier to manage than the Chrome version, with the exception of adding custom rules. Custom rules must be added to a folder in the filesystem and cannot be edited from within Firefox.
Plugins
Under Settings → Add-Ons → Plugins
I set all of my media plugins like Google Talk and Microsoft Silverlight to "Ask to Activate".
I set Java (it got installed when I was doing some Java development) to "Never Activate".
Preferences/Options
Under Advanced → Data Choices, I disabled Firefox Health Report and Crash Reporter, because these could inadvertently disclose sensitive information.
Under Advanced → Certificates, click the Validation button and check "When an OCSP server connection fails, treat the certificate as invalid".
Advanced Configuration
Type "about:config" into the address bar and set the following preferences:
- Disable SSLv3.0
  - security.tls.version.min = 1 (1 = TLS 1.0, so SSLv3.0 is no longer offered)
- Disable DSS-based authentication
  - security.ssl3.dhe_dss_aes_128_sha = false
  - security.ssl3.dhe_dss_aes_256_sha = false
- Disable Triple DES-based ciphersuites
  - security.ssl3.dhe_rsa_des_ede3_sha = false
  - security.ssl3.ecdhe_rsa_des_ede3_sha = false
  - security.ssl3.rsa_des_ede3_sha = false
- Minimize Session Data Storage
  - browser.sessionstore.restore_on_demand = false
  - browser.sessionstore.resume_from_crash = false
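Setting these by hand in about:config is easy to get wrong and hard to re-check after a Firefox upgrade. The script below is an added example, not part of the original post: it audits a profile's prefs.js against the list above and can emit an equivalent user.js (a file Firefox reads from the profile directory at startup to pin preferences). It relies on prefs.js lines having the form user_pref("name", value); and on Firefox writing only non-default values to prefs.js, so an absent pref is reported as "unset" (the build default applies) rather than as a match. The sample prefs.js content is constructed for the demo.

```bash
#!/bin/bash
# Added example (not from the original post): audit a Firefox prefs.js against
# the about:config hardening baseline, and emit a user.js that pins it.
# Firefox records only non-default values in prefs.js, so a pref that is absent is
# reported as "unset" (build default in effect) rather than as a match.

# The hardening baseline from the post, as name=value pairs.
BASELINE='security.tls.version.min=1
security.ssl3.dhe_dss_aes_128_sha=false
security.ssl3.dhe_dss_aes_256_sha=false
security.ssl3.dhe_rsa_des_ede3_sha=false
security.ssl3.ecdhe_rsa_des_ede3_sha=false
security.ssl3.rsa_des_ede3_sha=false
browser.sessionstore.restore_on_demand=false
browser.sessionstore.resume_from_crash=false'

# Constructed prefs.js content for the demo: partly hardened, one pref set the wrong way.
SAMPLE_PREFS='user_pref("security.tls.version.min", 1);
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", true);
user_pref("browser.sessionstore.resume_from_crash", false);'

# write_sample_prefs -> writes the constructed prefs.js to a temp file and prints its path
write_sample_prefs() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PREFS" > "$f"
    printf '%s\n' "$f"
}

# get_pref FILE NAME -> value recorded for NAME (last occurrence wins), or "unset"
get_pref() {
    local val
    val=$(sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# audit_prefs FILE -> one line per baseline pref: STATUS NAME expected=... actual=...
audit_prefs() {
    local name want have status
    while IFS='=' read -r name want; do
        [ -z "$name" ] && continue
        have=$(get_pref "$1" "$name")
        if [ "$have" = "$want" ]; then status=ok
        elif [ "$have" = "unset" ]; then status=unset
        else status=MISMATCH
        fi
        printf '%-8s %s expected=%s actual=%s\n' "$status" "$name" "$want" "$have"
    done <<EOF
$BASELINE
EOF
}

# count_deviations FILE -> number of baseline prefs not confirmed at the hardened value
count_deviations() {
    audit_prefs "$1" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# emit_user_js -> prints a user.js that pins every baseline pref (copy it into the profile dir)
emit_user_js() {
    local name want
    while IFS='=' read -r name want; do
        [ -n "$name" ] && printf 'user_pref("%s", %s);\n' "$name" "$want"
    done <<EOF
$BASELINE
EOF
}

# Demo: audit the constructed prefs.js (pass a real prefs.js path as the first argument instead)
TARGET="${1:-}"
CREATED=""
if [ -z "$TARGET" ]; then TARGET=$(write_sample_prefs); CREATED="$TARGET"; fi
audit_prefs "$TARGET"
echo "deviations: $(count_deviations "$TARGET")"
[ -n "$CREATED" ] && rm -f "$CREATED"
```

Run it with no arguments to see the demo, or pass the path to a profile's prefs.js (Firefox must be closed, otherwise prefs.js may be stale). Redirect emit_user_js to a user.js in the profile directory if you prefer the settings re-applied on every start rather than trusting prefs.js.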
Summary
These configurations give you good control over what runs on each page through NoScript and Ask to Activate.
Most sites use RSA or ECDSA certificates and support AES. I generally find that sites that don't support AES only support RC4, so disabling Triple DES doesn't reduce compatibility. I use CipherFox to enable RC4 on an as-needed basis, because some sites that support AES prioritize RC4 (e.g. BarclayCard). Due to Dreamhost's server configuration, this site only supports RC4.
At this point, I rarely encounter a site that does not support at least TLSv1.0, so I figure it’s time to disable SSLv3.0.
Resetting a Netgear WGR614
I received a used Netgear WGR614v7 wireless router a while back, but couldn’t figure out why I couldn’t configure it. I held down the reset button for more than 10 seconds and then tried to connect to the default IP address of 192.168.1.1. I was redirected to www.routerlogin.com, but since I was doing this on an isolated network segment, I didn’t have internet access. I couldn’t figure out why/how I would configure a router using a remote website anyway.
After a little investigation, I figured out that the router's DNS server resolves www.routerlogin.com to 192.168.1.1. Strangely, for the first step of setup the router requires you to connect to the web interface using the domain name, so you need to set your DNS server to 192.168.1.1 or add "192.168.1.1 www.routerlogin.com" to your hosts file. After the first step, you can connect to the IP address without the domain name.
I tested this with FW versions 1.0.12_1.0.12NA and 2.0.30_2.0.30NA.
Backing up WordPress on Dreamhost
I had the following criteria when configuring the backup for my WordPress installation:
- Shell Script
- Protected from the webserver user
- Works with Dreamhost Enhanced User Security
This approach is based on the script from the WordPress Backup Guide at theme.fm.
In addition to your webserver_user, create a backup_user account. The backup_user will have read access to the website files; however, the webserver_user will not have read access to the backups.
Configure the Accounts
Login as backup_user and run ssh-keygen -t rsa -b <keysize>. Keysize should be 2048 or 4096 (pick the bigger size for more security). Accept all of the defaults (the default empty passphrase is what lets the cron job use the key unattended). Run cat ~/.ssh/id_rsa.pub and copy the output. Create ~/backup and ~/scripts. Run chmod go-rw ~/backup.
Login as webserver_user and edit/create ~/.ssh/authorized_keys. Add the key copied from id_rsa.pub.
Script Files
Create the following files and make the *.sh files executable:
/home/webserver_user/scripts/opts
[client]
host=<mysql_server>
user=<mysql_username>
password=<mysql_password>
/home/webserver_user/scripts/save.sh
#!/bin/bash
# Make sure we're working in the scripts directory (abort rather than dump into the wrong place)
cd /home/webserver_user/scripts || exit 1
# Backup the database
mysqldump --defaults-file=/home/webserver_user/scripts/opts <wp_database> > db.sql
# tar the database backup and all of the WordPress files
# --transform is not necessary, but removes home/webserver_user from the path when extracting
tar czf website-$(date +%Y-%m-%d).tar.gz --transform s,^home/webserver_user/www,www, db.sql /home/webserver_user/www
# Cleanup by removing the uncompressed database backup
rm db.sql
/home/backup_user/scripts/backup.sh
#!/bin/bash
# Set the working directory (abort if it fails, otherwise the cleanup below would run in the wrong directory)
cd /home/backup_user/backup || exit 1
# Run the save.sh script as the webserver_user
ssh webserver_user@webhost.com /home/webserver_user/scripts/save.sh
# Copy the backup to the backup_user account
scp webserver_user@webhost.com:/home/webserver_user/scripts/*.tar.gz ./
# Remove the copy of the backup from the webserver_user
ssh webserver_user@webhost.com 'rm /home/webserver_user/scripts/*.tar.gz'
# Cleanup the backup directory and only keep the 3 most recent backups (oldest by mtime goes first)
while [ "$(ls -1t | wc -l)" -gt 3 ]; do
    rm "$(ls -t1r | head -n 1)"
done
Panel Configuration
- Go to your Dreamhost Web Panel
- Login
- Go to Main menu → Goodies → Cron Jobs
- Click "Add New Cron Job"
- Select User: backup_user
- Title: backup
- Email address: fill in if you want notification of the script running
- Command to run: /home/backup_user/scripts/backup.sh
- When to run: daily or weekly
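The backup.sh cleanup loop parses ls output and trusts mtimes, and "chmod go-rw ~/backup" leaves the execute bit on the directory, which still lets another user open a backup by its predictable name (website-YYYY-MM-DD.tar.gz) if the home directory itself is reachable. The script below is an added example, not part of the original post, for the backup_user side of the scheme: it checks that the backup directory has no group/other bits at all (stricter than the post), orders backups by the date in the filename rather than by mtime (which scp does not preserve unless run with -p), prunes to the newest N, and verifies that the newest tarball lists cleanly and contains db.sql and the www tree. The directory and tarballs are constructed for the demo; "stat -c" is GNU coreutils.

```bash
#!/bin/bash
# Added example (not from the original post): sanity checks and retention for
# /home/backup_user/backup. Demo data is constructed; "stat -c" is GNU coreutils.

# make_demo_backups -> creates a private temp dir holding 5 dated tarballs, prints its path
make_demo_backups() {
    local dir d
    dir=$(mktemp -d)
    chmod 700 "$dir"
    mkdir -p "$dir/stage/www"
    printf '%s\n' '<?php echo "constructed site";' > "$dir/stage/www/index.php"
    for d in 2014-05-01 2014-05-02 2014-05-03 2014-05-04 2014-05-05; do
        printf '%s\n' "-- constructed dump for $d" > "$dir/stage/db.sql"
        tar czf "$dir/website-$d.tar.gz" -C "$dir/stage" db.sql www
    done
    rm -rf "$dir/stage"
    printf '%s\n' "$dir"
}

# dir_is_private DIR -> true only if group and other have no permission bits at all (mode ?00)
dir_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" != "${mode%00}" ]
}

# list_backups DIR -> tarball names oldest first; bash expands the glob in sorted order,
# and the ISO date in the name sorts chronologically, so mtimes are not relied on
list_backups() {
    local f
    for f in "$1"/website-*.tar.gz; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# count_backups DIR -> number of tarballs in DIR
count_backups() {
    local n=0 f
    for f in "$1"/website-*.tar.gz; do
        [ -e "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# newest_backup DIR -> name of the most recent tarball
newest_backup() {
    list_backups "$1" | tail -n 1
}

# prune_backups DIR KEEP -> removes all but the KEEP newest tarballs, printing each removal
prune_backups() {
    local dir="$1" keep="$2" excess f
    excess=$(( $(count_backups "$dir") - keep ))
    list_backups "$dir" | while read -r f; do
        [ "$excess" -gt 0 ] || break
        rm -f -- "$dir/$f"
        printf 'removed %s\n' "$f"
        excess=$((excess - 1))
    done
}

# verify_backup FILE -> true if the tarball lists without error and contains db.sql and www/
verify_backup() {
    local listing
    listing=$(tar tzf "$1") || return 1
    printf '%s\n' "$listing" | grep -qx 'db.sql' && printf '%s\n' "$listing" | grep -q '^www/'
}

# Demo run on the constructed directory
DEMO=$(make_demo_backups)
if dir_is_private "$DEMO"; then echo "backup dir is private"; else echo "WARNING: backup dir is readable by others"; fi
prune_backups "$DEMO" 3
LATEST=$(newest_backup "$DEMO")
if verify_backup "$DEMO/$LATEST"; then echo "verified $LATEST ($(count_backups "$DEMO") kept)"; fi
rm -rf "$DEMO"
```

To use it for real, replace the demo section with calls against /home/backup_user/backup after the scp in backup.sh, and have the cron job mail you when dir_is_private or verify_backup fails; the pruning deliberately runs only after the newest tarball has been verified, so a broken copy never causes a good older backup to be deleted.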
Increasing Schwab Security
There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:
- Changed my username for secrecy
- Added an Authenticator Token
With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case, going from 8 to 28 characters an attacker needs to guess is a very good improvement.
If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so it's an extra device to carry. It was easy enough to set up, and Schwab allows you to sign in two different ways with it. You can concatenate <password><authenticator code> in the password field, or you can follow the standard flow of entering your username and password before being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields.
I verified that the authenticator works with the Schwab website, Schwab iOS app, and Mint.com.
Edit: May 14, 2014
If you have any programs or services that periodically update, you should disable them when adding the authenticator. I think failed login attempts from one of these programs caused Schwab to lock my account.