Author Archives: Kenji Yoshino

About Kenji Yoshino

Twitter: @tidgubi

United’s Insecure Login Page

One of United Airlines' login pages potentially sends login credentials in plaintext. www.united.com/web/en-US/apps/account/account.aspx (the login page reached by clicking “Sign In” in the upper right of the homepage) can be accessed over HTTP or HTTPS, and the login form sends (POST) its contents to signin.aspx over whichever type of connection account.aspx was served from.

For a long time I didn’t realize this was a problem, because even when www.united.com/web/en-US/Default.aspx is served over HTTP, it submits usernames and passwords over HTTPS.

It appears all United Airlines pages support HTTPS, so I recommend starting your use of United.com by browsing to https://www.united.com/.
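The mechanism behind the problem above is that a relative form action inherits the scheme of the page it was served on. The following script is an added example (not code from the original post or from United) that resolves each password form's action against the page URL and reports any that would post over plain HTTP. The HTML snippets and the example.com URLs are constructed for illustration; only the relative path names are modelled on the ones mentioned above.

```python
"""Check whether a login form would submit credentials over plaintext HTTP.

Added example, not code from the original post. A page fetched over http://
whose form action is a relative URL posts over http:// unless the action
names https:// explicitly. The HTML and URLs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect {"action": str, "password": bool} for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return absolute submit URLs of password forms that would post without HTTPS.

    An empty action resolves to page_url itself; a relative action resolves
    against page_url, so the page's own scheme decides where the POST goes.
    """
    parser = _FormActionCollector()
    parser.feed(html)
    insecure = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample: a login form with a relative action, as described above.
SAMPLE_LOGIN_HTML = """
<html><body>
<form method="post" action="signin.aspx">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

# Constructed sample: the same form with its action pinned to https://,
# which is safe regardless of how the page itself was fetched.
SAMPLE_PINNED_HTML = """
<form method="post" action="https://example.com/web/en-US/apps/account/signin.aspx">
  <input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for url in ("http://example.com/web/en-US/apps/account/account.aspx",
                "https://example.com/web/en-US/apps/account/account.aspx"):
        print(url, "->", insecure_password_forms(url, SAMPLE_LOGIN_HTML))
    print("pinned:", insecure_password_forms("http://example.com/", SAMPLE_PINNED_HTML))
```

Running it shows the HTTP copy of the page yielding an http:// submit URL while the HTTPS copy yields none, which is exactly why starting from https://www.united.com/ avoids the issue; the pinned form is clean either way.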

Specifying an SSH Key Exchange Algorithm

I was doing some testing where I needed to test an SSH server’s support for various key exchange algorithms. I know PuTTY for Windows supports the configuration of key exchange algorithms, but I was testing in a command-line-only VM environment that already had a number of Linux clients running. Although it’s not obvious from the ssh man page or my searches (I found one site that said it’s not possible), it turns out to be almost as straightforward as setting your cipher or MAC algorithm. Just use the
-o KexAlgorithms=<comma_separated_list_of_algorithms> option.
<comma_separated_list_of_algorithms> can be any of the following:

  • ecdh-sha2-nistp256 – (elliptic curve nist-p256), limited support.
  • ecdh-sha2-nistp384 – (elliptic curve nist-p384), limited support.
  • ecdh-sha2-nistp521 – (elliptic curve nist-p521), limited support.
  • diffie-hellman-group-exchange-sha256 – (discrete log bits are negotiated), limited support.
  • diffie-hellman-group-exchange-sha1 – (discrete log bits are negotiated), limited support.
  • diffie-hellman-group14-sha1 – (discrete log 2048 bits), should be good for now, and widely supported.
  • diffie-hellman-group1-sha1 – (discrete log 768 bits), might not be strong enough, but widely supported.

Note: The elliptic curve algorithms are believed to be as strong or stronger than the standard Diffie-Hellman discrete log cryptography; however, they are newer and have not been as thoroughly analyzed.

Example: ssh -o KexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384 kenji@192.0.0.45
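To turn the one-off command above into a repeatable check of a server, the script below (an added example, not code from the original post) offers the server one key exchange algorithm at a time with -o KexAlgorithms= and classifies the result from ssh's exit status and stderr. The host 192.0.2.45, the user name and the sample stderr text are constructed placeholders; the classification relies on OpenSSH's "no matching key exchange method found" message, which on current releases is followed by "Their offer:" and the server's list.

```python
"""Probe which key exchange algorithms an SSH server accepts.

Added example, not code from the original post. Each attempt restricts the
client to a single KexAlgorithms value; the server either negotiates it
(and the attempt proceeds to authentication) or rejects the offer.
"""
import subprocess

# The candidate list from the post, in the order given there.
KEX_CANDIDATES = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]


def classify_kex_attempt(returncode, stderr):
    """Map one ssh attempt to ('supported'|'rejected'|'error', server_offer).

    A rejected offer produces "no matching key exchange method found." and,
    on recent OpenSSH, "Their offer: a,b,c" listing what the server accepts.
    If key exchange succeeded, BatchMode=yes with no usable key ends in
    "Permission denied", which still proves the algorithm was negotiated.
    Anything else (timeouts, host key mismatch) is reported as an error.
    """
    if "no matching key exchange method found" in stderr:
        offer = []
        for line in stderr.splitlines():
            if "Their offer:" in line:
                offer = line.split("Their offer:", 1)[1].strip().split(",")
        return "rejected", offer
    if returncode == 0 or "Permission denied" in stderr:
        return "supported", []
    return "error", []


def probe_kex(host, kex, user=None, timeout=10):
    """Run one ssh attempt restricted to a single key exchange algorithm."""
    target = f"{user}@{host}" if user else host
    cmd = [
        "ssh",
        "-o", f"KexAlgorithms={kex}",
        "-o", "BatchMode=yes",              # never prompt for a password
        "-o", "StrictHostKeyChecking=no",   # an unknown host key must not block the probe
        "-o", f"ConnectTimeout={timeout}",
        target, "true",
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 5)
    return classify_kex_attempt(result.returncode, result.stderr)


def probe_all(host, user=None):
    """Return {kex: verdict} for every candidate algorithm."""
    return {kex: probe_kex(host, kex, user)[0] for kex in KEX_CANDIDATES}


# Constructed sample of the stderr OpenSSH prints when the server rejects the offer.
SAMPLE_REJECT_STDERR = (
    "Unable to negotiate with 192.0.2.45 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n"
)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.45"  # placeholder host
    for kex, verdict in probe_all(host, user="kenji").items():
        print(f"{verdict:9s} {kex}")
```

A "supported" verdict for diffie-hellman-group1-sha1 is the finding worth acting on, since that is the algorithm the post flags as possibly too weak. Older OpenSSH clients print the rejection without the "Their offer:" suffix; the parser then still returns "rejected" with an empty offer list.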

Safely Printing at a Hotel

When using a hotel’s Business Center or other shared computer, I’m always nervous about the types of malware, viruses, or keyloggers that might be installed on the computer. I never log in to any accounts. Even if I have two-factor authentication, I’d rather not give a criminal the opportunity to gather my password. When I have to print something, I’ve been printing to PDF from my personal computer, transferring the file to a USB flash drive, and printing the PDF on the hotel’s computer. This approach made me feel better, but I still felt like there was the opportunity for a virus on the hotel computer to infect my flash drive. What I needed was a way to prevent the hotel computer from writing to the USB flash drive. A hardware write-protect switch seemed to be the answer.

Nowadays, USB flash drives with write-protect switches are pretty rare. After extensive searching on amazon.com, NewEgg, and Tiger Direct, I was only able to find a single modern flash drive with a write-protect switch: the Kanguru Flashblu 2 series of drives.

The other option is to use an SD card. Pretty much all of these have a write-protect switch, but the write protection is in the card reader, not the card itself. There is a small mechanical switch in the SD card reader that detects whether the SD card’s switch is in the lock position. While it’s unlikely someone trying to infect your card will have physically tampered with the SD card reader, it’s safer to bring your own SD card reader.

Once you have your lockable memory, just unlock it, copy your PDF, lock the memory, insert it into the hotel computer and print. Since malicious software can still read the data off of your memory, make sure you don’t store or print any sensitive files. I only print unimportant things like movie tickets, directions, and other passes.

Be safe!

Status

Hi everyone. I haven’t gone anywhere, I’ve just been sidetracked trying to figure out how to deal with comment spam and working on some layout updates. I’ll have some new content soon.

Restricting WordPress Admin Access

Following up on Securing Administration of Shared Hosting, you can restrict access to your administrative pages to a specific IP address or addresses.

This works best if you’re tunneling your traffic to your webserver through ssh, because your IP address may be changing if you’re using hotspots or if your ISP changes your IP address. This is done through a simple update to the .htaccess file. Edit or create /wp-admin/.htaccess so it contains:
ErrorDocument 403 http://www.tidgubi.com/
Order Allow,Deny
Allow from 208.113.186.

The first line changes the “Unauthorized” behavior to simply redirect to my homepage. Otherwise the webserver seems to try to serve the error page from /wp-admin/ and ends up in a redirect loop.

The second line makes the allow/deny decision default to deny unless there is a specific allow directive (https://httpd.apache.org/docs/2.0/mod/mod_access.html#order).

The last line specifies the IP address or partial IP address to allow. I assume Dreamhost uses load balancing and/or virtual servers, so I didn’t want to restrict access to a single IP address, but figured the IP range would be restrictive enough.
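Because a wrong Order line silently opens or closes the whole admin area, it is worth checking the rule set against a few client addresses before relying on it. The script below is an added example (not code from the original post or from Apache) that models mod_access's Order / Allow / Deny semantics, including the partial-IP form "208.113.186." used above, and evaluates them for a client address. The client addresses in the demo are constructed; hostname arguments to Allow/Deny are not handled.

```python
"""Evaluate Apache 2.0/2.2 mod_access style Order / Allow / Deny rules for a client IP.

Added example, not code from the original post. It models the three-line
/wp-admin/.htaccess above so its effect can be checked before deploying it.
"""
import ipaddress


def _matches(pattern, client_ip):
    """True if client_ip matches one 'Allow/Deny from' argument.

    Handles 'all', a full IPv4 address, a partial address such as '208.113.186.'
    (1 to 3 leading octets, trailing dot optional) and CIDR notation.
    """
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    octets = [o for o in pattern.split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported address pattern: {pattern!r}")
    # Partial addresses compare whole octets, so '208.113.186.' matches 208.113.186.x only.
    return client_ip.split(".")[: len(octets)] == octets


def parse_access_rules(htaccess_text):
    """Extract Order, Allow and Deny directives; other lines (e.g. ErrorDocument) are ignored."""
    rules = {"order": "Deny,Allow", "allow": [], "deny": []}  # mod_access default Order
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        directive = parts[0].lower()
        if directive == "order" and len(parts) >= 2:
            rules["order"] = parts[1].replace(" ", "")
        elif directive in ("allow", "deny") and len(parts) == 3 and parts[1].lower() == "from":
            rules[directive].extend(parts[2].split())
    return rules


def is_allowed(rules, client_ip):
    """Apply the Order semantics described above.

    Allow,Deny: default deny; allowed only if an Allow matches and no Deny matches.
    Deny,Allow: default allow; denied only if a Deny matches and no Allow matches.
    """
    allowed = any(_matches(p, client_ip) for p in rules["allow"])
    denied = any(_matches(p, client_ip) for p in rules["deny"])
    order = rules["order"].lower()
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return not denied or allowed
    raise ValueError(f"unsupported Order: {rules['order']!r}")


# The rules from the post; ErrorDocument is not an access directive and is skipped.
WP_ADMIN_HTACCESS = """\
ErrorDocument 403 http://www.tidgubi.com/
Order Allow,Deny
Allow from 208.113.186.
"""

if __name__ == "__main__":
    rules = parse_access_rules(WP_ADMIN_HTACCESS)
    for ip in ("208.113.186.17", "208.113.187.17", "198.51.100.9"):  # constructed clients
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
```

With the post's rules only the 208.113.186.x addresses pass; everything else, including the neighbouring 208.113.187.x range, gets the 403 and the redirect to the homepage. Swapping the Order to Deny,Allow with the same single Allow line would instead let every client through, which is the mistake this kind of check catches.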