Category Archives: Web

OptionsHouse Secure PINs

OptionsHouse offers two-factor authentication with a Google Authenticator-compatible app and an additional security PIN for security-related account changes. This seems like pretty good security, but if you have multiple accounts, you have to enable the security PIN separately for each account. If you don't, you can reach the two-factor authentication settings from the account(s) without a security PIN, even though the two-factor authentication settings are global.

Backing up WordPress on Dreamhost

I had the following criteria when configuring the backup for my WordPress installation:

  1. Shell Script
  2. Protected from the webserver user
  3. Works with Dreamhost Enhanced User Security

This approach is based on the script from the WordPress Backup Guide at theme.fm.

In addition to your webserver_user, create a backup_user account. The backup_user will have read access to the website files; however, the webserver_user will not have read access to the backups.

Configure the Accounts

Log in as backup_user and run ssh-keygen -t rsa -b <keysize>. Keysize should be 2048 or 4096 (pick the bigger size for more security). Accept all of the defaults. Run cat ~/.ssh/id_rsa.pub and copy the output. Create ~/backup and ~/scripts. Run chmod go-rw ~/backup.

Log in as webserver_user and edit/create ~/.ssh/authorized_keys. Add the key copied from id_rsa.pub.

Script Files

Create the following files and make the *.sh files executable:

/home/webserver_user/scripts/opts

# Holds the database credentials so they never appear on the mysqldump command line
# (and therefore in ps output); keep it readable only by webserver_user
[client]
host=<mysql_server>
user=<mysql_username>
password=<mysql_password>

/home/webserver_user/scripts/save.sh

#!/bin/bash

# Stop on the first error so a failed dump is not archived as a "good" backup
set -e

# Make sure we're working in the scripts directory
cd /home/webserver_user/scripts

# Backup the database (credentials come from the opts file)
mysqldump --defaults-file=/home/webserver_user/scripts/opts <wp_database> > db.sql

# tar the database backup and all of the WordPress files
# --transform is not necessary, but removes home/webserver_user from the path when extracting
tar czf website-$(date +%Y-%m-%d).tar.gz --transform s,^home/webserver_user/www,www, db.sql /home/webserver_user/www

# Cleanup by removing the uncompressed database backup
rm db.sql

/home/backup_user/scripts/backup.sh

#!/bin/bash

# Stop on the first error: the remote copy must never be deleted if save.sh or scp failed
set -e

# Set the working directory
cd /home/backup_user/backup

# Run the save.sh script as the webserver_user
ssh webserver_user@webhost.com /home/webserver_user/scripts/save.sh

# Copy the backup to the backup_user account
scp webserver_user@webhost.com:/home/webserver_user/scripts/*.tar.gz ./

# Remove the copy of the backup from the webserver_user
ssh webserver_user@webhost.com 'rm /home/webserver_user/scripts/*.tar.gz'

# cleanup the backup directory and only keep the 3 most recent backups
# (ls -t lists newest first, ls -tr oldest first, so the head of that list is the oldest)
while [ "$(ls -1t | wc -l)" -gt 3 ]; do
   rm "$(ls -1tr | head -n 1)"
done
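The retention loop above works because the daily job copies one archive per day, but it relies on modification times, which scp (without -p) sets to the copy time rather than the dump time, and on parsing ls output. The following script is an added example, not the post's backup.sh: it prunes by the date stamp in the file name instead, counts the archives that remain, and checks that the backup directory still has the permissions chmod go-rw ~/backup gave it. The directory path and retention count are assumptions passed on the command line.

```sh
#!/bin/sh
# Added example (not the post's script): name-based retention for website-YYYY-MM-DD.tar.gz
# archives plus a permission check on the backup directory.
set -eu

# Delete all but the $2 newest website-YYYY-MM-DD.tar.gz archives in directory $1.
# The date stamp in the name sorts chronologically under LC_ALL=C, so the rotation does
# not depend on modification times or on the order ls happens to print.
prune_backups() {
  dir=$1
  keep=$2
  [ -d "$dir" ] || return 1
  ( cd "$dir" && printf '%s\n' website-????-??-??.tar.gz ) |
    LC_ALL=C sort -r |
    tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
      # an unmatched glob prints the pattern itself; rm -f ignores that non-file
      rm -f "$dir/$old"
    done
}

# Print the number of archives currently kept in directory $1 (0 if the glob matches nothing).
count_backups() {
  set -- "$1"/website-????-??-??.tar.gz
  if [ -e "$1" ]; then echo $#; else echo 0; fi
}

# Succeed only if directory $1 has no group or other read/write bits,
# i.e. the state that chmod go-rw ~/backup leaves it in.
backup_dir_is_private() {
  case "$(ls -ld "$1")" in
    ????--?--?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (assumed paths): sh prune_backups.sh /home/backup_user/backup 3
if [ $# -eq 2 ]; then
  backup_dir_is_private "$1" || echo "warning: $1 is readable by other users" >&2
  prune_backups "$1" "$2"
  echo "$(count_backups "$1") archive(s) kept in $1"
fi
```

Calling prune_backups from the end of backup.sh in place of the while loop keeps the three newest dates even if an archive was copied late or its timestamp was touched; the permission check is worth running on every backup because a later chmod on the directory silently defeats the point of the separate backup_user.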

Panel Configuration

  1. Go to your Dreamhost Web Panel
  2. Login
  3. Go to Main menu → Goodies → Cron Jobs
  4. Click "Add New Cron Job"
    • Select User backup_user
    • Title: backup
    • Email address if you want notification of the script running
    • Command to run: /home/backup_user/scripts/backup.sh
    • When to run: daily or weekly

Increasing Schwab Security

There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:

  1. Changed my username for secrecy
  2. Added an Authenticator Token

With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case, going from 8 to 28 characters an attacker needs to guess is a very good improvement.

If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so it's an extra device to carry. It was easy enough to set up, and Schwab allows you to sign in two different ways with it. You can concatenate <password><authenticator code> in the password field, or follow the standard flow of entering your username and password before being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields.

I verified that the authenticator works with the Schwab website, Schwab iOS app, and Mint.com.

Edit: May 14, 2014

If you have any programs or services that periodically update, you should disable them when adding the authenticator. I think failed login attempts from one of these programs caused Schwab to lock my account.

Configuring Chrome’s SSL/TLS

As of version 34.0.1847.116, Google Chrome defaults to the following ciphersuites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5

Overall I think the list is pretty good. I'd rather not use the ciphersuites marked in red on the original list (TLS_RSA_WITH_RC4_128_MD5 and TLS_DHE_DSS_WITH_AES_128_CBC_SHA), because of the MD5 message authentication and the DSS site authentication. I also think it is very unlikely these will prevent you from accessing any common sites. The more security conscious users will probably want to disable the orange ciphersuites as well (the four remaining RC4 and 3DES suites), because RC4 and TDES are both weaker than AES. As you make changes, the SSL Labs Client Test is an easy way to see which ciphersuites are enabled. It also gives you the hex code for each ciphersuite, which is what you need to disable them.

Unfortunately Google Chrome doesn’t have a nice interface for configuring ciphersuites like Firefox and Opera, so you need to use command line switches to selectively disable ciphersuites. I have instructions for using command line switches on Windows and MacOS.

To disable the red ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032

To disable the red and orange ciphersuites, add the following switch:

--cipher-suite-blacklist=0x0004,0x0032,0x0005,0x000a,0xc011,0xc007

If you’re concerned about the NSA, the following disables all ciphersuites without perfect forward secrecy:

--cipher-suite-blacklist=0x0004,0x0005,0x000a,0x0035,0x002f,0x009c,0x0032

I also recommend disabling SSLv3.0 with the following switch:

--ssl-version-min=tls1
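Collecting the hex codes by hand from the SSL Labs client test is error prone, so here is an added example (not part of the original post) that builds the --cipher-suite-blacklist value from a policy expressed as a regular expression over the suite names. The table embeds the 20 suites the post lists for Chrome 34; the hex codes beside them are the IANA cipher suite registry values and are an assumption of this example rather than something the post states, so verify any you rely on against the client test before use.

```sh
#!/bin/sh
# Added example (not from the original post): derive Chrome's --cipher-suite-blacklist
# switch from a policy instead of hand-collecting hex codes.
set -eu

# Constructed table: the suites Chrome 34 enables, as listed in the post, with their
# IANA cipher-suite registry codes (codes assumed from the registry, not from the post).
SUITES='
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xc02b
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009e
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xcc14
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xcc13
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xc00a
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xc009
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xc007
TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xc011
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
TLS_RSA_WITH_AES_128_GCM_SHA256 0x009c
TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a
TLS_RSA_WITH_RC4_128_SHA 0x0005
TLS_RSA_WITH_RC4_128_MD5 0x0004
'

# Print the names of the enabled suites whose name matches the extended regex $1,
# so you can review what a policy will disable before applying it.
disabled_suites() {
  printf '%s\n' "$SUITES" | awk -v re="$1" 'NF == 2 && $1 ~ re { print $1 }'
}

# Print the Chrome switch that disables every suite matching regex $1.
# Codes are sorted so the output is stable regardless of table order.
blacklist_switch() {
  codes=$(printf '%s\n' "$SUITES" | awk -v re="$1" 'NF == 2 && $1 ~ re { print $2 }' |
          LC_ALL=C sort | tr '\n' ',' | sed 's/,$//')
  printf '%s%s\n' '--cipher-suite-blacklist=' "$codes"
}

# Usage: sh chrome_blacklist.sh 'MD5|DSS|RC4|3DES'
# Policies matching the post: 'MD5|DSS' (red), 'MD5|DSS|RC4|3DES' (red and orange),
# '^TLS_RSA_|DSS' (plain-RSA key exchange, i.e. no forward secrecy, plus the DSS suite).
if [ $# -eq 1 ]; then
  disabled_suites "$1" >&2
  blacklist_switch "$1"
fi
```

Expressing the policy as a pattern over names makes the intent reviewable ("no MD5, no DSS, no RC4, no 3DES") and regenerates the switch when Chrome's default list changes. Note that the post's third switch is "plain-RSA key exchange plus DSS": TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) does provide forward secrecy, and it is on that list for its DSS authentication, which is why the matching policy here is '^TLS_RSA_|DSS'.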

Chrome for Mac CLI Options

If you thought there were a lot of options in chrome://flags, there are a ton of options available as command line switches. See http://peter.sh/experiments/chromium-command-line-switches/ for a list of the available switches.

If you’re using Google Chrome on MacOS X, it is pretty easy to launch Chrome with these command line options. Unfortunately MacOS doesn’t make this as seamless as it should be. I looked at a few different proposed methods, and using Automator seemed like the best combination of ease, stability, and MacOSness.

  1. Launch Automator from /Applications
  2. Click ‘New Document’ in the bottom right of the ‘Open’ dialog.
  3. Select ‘Application’ and click ‘Choose’
  4. Select ‘Utilities’ from the left column
  5. Drag ‘Run Shell Script’ from the next column to the workflow area
  6. Replace cat with
    args='--args --ssl-version-min=tls1' #single place to update command line switches
                                         #--args is a switch to 'open', not Chrome
                                         #--ssl-version-min=tls1 disables SSLv3.0
    if [[ -r "$1" ]]; then # check if a readable file or directory was passed as input
       open -a "Google Chrome" "$1" $args #open Chrome and pass it a file or directory
    else
       open -a "Google Chrome" $args #open Chrome normally
    fi
  7. Change the ‘Pass Input’ drop down to ‘as arguments’
  8. Save the workflow as an Application. I named mine ‘Launch Chrome’
  9. (optional) Change the Icon
    1. Get Info for Google Chrome
    2. Click on the icon in the top left
    3. Select Copy from the Edit menu
    4. Get Info for ‘Launch Chrome’
    5. Click on the icon in the top left
    6. Select Paste from the Edit menu
  10. Opening Launch Chrome opens Google Chrome or brings it into focus. Dropping a file or directory on Launch Chrome opens the file or directory in Chrome.

[Automator screenshot: ChromeMacLaunch]