Updates Forum Software Updated June 27th

Discussion in 'Announcements' started by admin, Jun 27, 2015.

  1. admin

    admin Administrator Staff Member

    The forum software was updated today.

    Some of the updates are:

    Two security issues fixed which are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.

    In addition, some of the bugs fixed include:

    • Improved performance in the rich text editor.
    • Support downloading attachments with UTF-8 file names in IE.
    • Ensure guests can view category based media and other media they have permission to see in New Media.
    • Restrict imported media titles to the max length set in Gallery Options.
    • Fetch thumbnails for YouTube videos in a slightly different way that avoids their new API.
    • To not show calendar events unless visitor has thread view permission.
    • Add Advanced option which allows adding reoccurring Calendar Events.
     
  2. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    The dreaded cross site scripting! Warned many a customer about that when I had to do data audits. Oh how I hated that work. Boring!
     
    wedgar likes this.
  3. wedgar

    wedgar Administrator Staff Member Gold Member

    The software authors are very good and are very quick to come out with necessary updates.

    There is another update with some cool goodies coming shortly that we can use tags for message thread.
     
    W.T. Jones likes this.
  4. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    I read that. Looks very useful.

    Not so sure about the 2-step authentication. I use unique passwords for every service. If someone were to intercept it here they would have access only to here. Not sure if that level of vulnerability warrants the overhead of me using 2-step.
     
    wedgar likes this.
  5. wedgar

    wedgar Administrator Staff Member Gold Member

    Not necessary to use, but is available if someone wants to use it.
     
  6. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    I do understand that and I am glad to see it is available. The 2-step authentication works well for a "fob" that generates the code required. I am not sure about the app. Too much code available at the client level to suit me.

    I guess I am from the old school. I like to have unique unpronounceable passwords of 12 or more characters. I control the database where they are stored. And even if someone gets that they have to get by the key to it. It takes a long time to memorize a 32 character key. That one is stored on a yubikey fob on my keychain. Like I said I am old school.
     
    wedgar likes this.
  7. wedgar

    wedgar Administrator Staff Member Gold Member

    I also have a different password for each system used. I have a 256 bit encryption password program on my phone and my computer for my passwords. It has worked very well.
     
  8. Tony

    Tony Moderator Staff Member

    What program on your phone and computer?

    All the ones I found for Mac want you to store in the cloud. Yeah, right, after the cloud was hacked twice.

    I really want to keep them on my own machines.

    Walt, what's the fob thingie all about?
     
    wedgar likes this.
  9. wedgar

    wedgar Administrator Staff Member Gold Member

    I use eWallet by Ilium Software. Yes, it does store the encrypted file on the cloud, but also syncs with several of my devices.
     
  10. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    The Yubikey is a small device that plugs into the usb port or other attachments for things like PDAs. It uses a very strong encryption algorithm to encrypt passwords but its main thing for me is password generation. OTP are the strongest types of passwords to use. It works with things like gmail and yahoo and others. It even works with the forum.

    Here is the link:
    https://www.yubico.com/products/yubikey-hardware/yubikey-2/

    For example, you log into Google and have 2 factor authentication enabled. Google prompts you with a Yubikey challenge. Put the mouse pointer in the field and touch the Yubikey and it inputs the code.

    Another example is your wifi password. When you set up your router you use the Yubikey to generate the password for it. It will never generate that password again. You can recall it but it will never generate the same password twice. Imagine a 64 character password that is only used once. No pass phrases or other nonsense. As long as you have the Yubikey you have extremely strong passwords.

    BTW, if you lose the Yubikey I don't know what happens. I am sure that somewhere along the line there is a recovery service from Yubico but I have never had to use it.
     
    Last edited: Jul 5, 2015
    Tony and wedgar like this.
  11. wedgar

    wedgar Administrator Staff Member Gold Member

    If you lose your yubikey, can someone break in to get your passwords?
     
    W.T. Jones likes this.
  12. Tony

    Tony Moderator Staff Member

    I don't think they have to break into anything. It looks like all they have to do is plug it into a computer, or hold it near a mobile phone.

    Walt, is this correct?
     
    W.T. Jones and wedgar like this.
  13. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    Losing the FOB is just like losing any other copy of your passwords. Which is why it is for "two factor" most of the time. Something you know and something you have. But the Yubikey generates One Time Passwords based on time and other factors. That prevents someone from stealing the password by something like a Man In The Middle (MITM) attack. Once it is used it is not valid ever again.

    So losing it means that someone finding it would have to know who it belongs to and the other part of the authentication sequence. When I log into Gmail I do get this.

    Email - wn3lif
    Password - *************** (which is the password in my head)
    Then I get this:
    Yubikey Challenge: Gs?#Q2%:tT99Kp#7%9gyS5'o&3'J[)XR;!e{@O8Fh>&1V0L=aw8IFvxb#t+x%o`C{">doU2N"RPMwCGl=Ew&r2MpQow+F"+J%AsD[~kgw2W&]S}Gf4A8v:J`B.ZwouS} (and that is what Yubikey just generated when I touched the button)

    I don't mind giving it to you because it will never again be the same and you don't know the "what I know" password.

    So you lost your yubikey. Call the number on the Yubico web site and let them know. It will not generate any new passwords. Oh, it will generate characters but the service knows that your Yubikey is not yours any more.

    Now you have the problem of letting all those places that you have registered to use Yubikey to change you to your new Yubikey.

    Which is why I only use it for critical applications. I only have 6 that I consider at that level. I use password safe and have separate regular passwords for each account.

    Now there is one other time I use Yubikey and that is when I want a really tough password such as on my wireless router access. I can tell my Yubikey to store it for me and access it via its configuration program. So when I program my computer to access my wireless router I can recall it, copy and paste it into the wireless configuration, and all set. Even Beowulf can't crack it.

    So if you lose your Yubikey odds are the person that finds it won't associate you with your user id and your "what you know" login so essentially it is useless. The aggravation of getting things reset with your service providers is the pain.

    Here is the link to the Yubico web site:

    https://www.yubico.com/faq/lose-yubikey/

    https://www.yubico.com/2014/06/lost-yubikey-practices/

    Hope that explains it.
     
  14. wedgar

    wedgar Administrator Staff Member Gold Member

    That is cool. I like the password challenge only issued once.

    Yubico also suggests assigning more than one Yubikey to your account so one can be kept as a backup in the event you lose your key.
     
  15. Tony

    Tony Moderator Staff Member

    Stick with me, Walt.

    1. You use a username for gmail. Me, too.
    2. You use a password, but you're not in yet. I do, too, but I'm in now.
    3. You touch the gizmo and it creates another password it has never created before. You're in now.

    If it created a new password at No. 3, how did Google know it?

    Sorry to be so dense on this.
     
    W.T. Jones and wedgar like this.
  16. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    No Tony you're not dense. It is all really magic. No not really. Mental telepathy. There are gnomes inside the Yubikey. No, sorry, no gnomes.

    The way it works is when you register with your service provider (gmail, yahoo, this forum) a code from your Yubikey. This code is stored with your account on the service provider. When you are challenged for the Yubikey input what you put in is matched with that initial code and sent to Yubico Servers. Along with the time that you put it in. This is matched with your Yubico account and Yubico gens a check code to match against. Yubico then responds to your service provider with a yay or nay for permission to log in. The time you entered the response is critical because after so many seconds the response from your Yubikey becomes invalid. BTW, this concept is not unusual but the way Yubico protects the exchange and the information is and that is proprietary. Most fobs have an lcd display on them that shows a 6 digit number that you have to key into the field. It is fairly easy to spoof that number. Rather hard to spoof 128 characters.

    So essentially your Yubikey code is sent to Yubico in a secure way. Yubico validates it and then tells your service provider you're good to go or not. If you lose your Yubikey one call to the company invalidates it so it can't be used.

    I hope that helps a bit.
     
    wedgar likes this.
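
An added illustration (not part of the posts above and not Yubico's code) of the "once it is used it is not valid ever again" and "one call invalidates it" behaviour discussed in this thread. It swaps in the counter-based HOTP algorithm from RFC 4226 as a stand-in for the Yubikey's own OTP scheme; `ValidationServer`, `fob-1` and the look-ahead window of 5 are hypothetical names and values chosen for the example.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class ValidationServer:
    """Holds each token's secret and the lowest counter it will still accept."""
    def __init__(self, window=5):
        self.tokens = {}      # token_id -> [secret, next_counter, revoked]
        self.window = window  # how many unseen button presses to tolerate

    def enroll(self, token_id, secret):
        self.tokens[token_id] = [secret, 0, False]

    def revoke(self, token_id):
        self.tokens[token_id][2] = True  # lost fob: reject everything from now on

    def verify(self, token_id, otp):
        entry = self.tokens.get(token_id)
        if entry is None or entry[2]:
            return False
        secret, next_counter, _ = entry
        for c in range(next_counter, next_counter + self.window):
            if hmac.compare_digest(hotp(secret, c), otp):
                entry[1] = c + 1  # burn this counter and every earlier one
                return True
        return False

def demo():
    server = ValidationServer()
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    server.enroll("fob-1", secret)
    otp = hotp(secret, 0)
    first = server.verify("fob-1", otp)                 # fresh code
    replay = server.verify("fob-1", otp)                # same code captured and reused
    skipped = server.verify("fob-1", hotp(secret, 3))   # presses 1-2 never reached the server
    server.revoke("fob-1")
    after_revoke = server.verify("fob-1", hotp(secret, 4))
    return first, replay, skipped, after_revoke

if __name__ == "__main__":
    print(demo())
```
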
  17. wedgar

    wedgar Administrator Staff Member Gold Member

    Could it be pherognomes? :whistle:

    We used RSA security key fobs with our corporate bank account, however, someone broke RSA's codes several years ago...

    Our bank continued using the RSA security key fobs.
     
    W.T. Jones likes this.
  18. Tony

    Tony Moderator Staff Member

    O.K., Walt. I have that. Excellent.

    Thanks for the explanation. Very easy to understand.

    Now then, it seems to me all my security is on a server somewhere and safe until somebody cracks into that server.
     
    W.T. Jones and wedgar like this.
  19. W.T. Jones

    W.T. Jones Moderator Staff Member Silver Member Golden GPS Recipient

    That, Tony, is the entire failing in the system. I had a chance to visit Yubico way back when. They had a dedicated team always trying to break into their network. I made the comment that "the team should not be the same team next year." The CEO had a puzzled look on his face about that. I retorted that "these guys are good today but somebody else will be better tomorrow." They really need to keep looking for that better hacker before he finds them.

    Marcus Ranum (Inventor of the Firewall) said it this way - The only time a computer is secure is when it is covered in concrete and thrown in the ocean. Until some fisherman drags it up that is.

    I think the statement about a secret shared is no longer a secret is better. So for anything to work in this world you have to share a secret with someone else. There are ways of sharing a secret to keep some control like for launch codes but that is so encumbering that it makes life in general very difficult. Our average human wants ease of use. The extreme desire for security only comes after something bad happens. And that desire fades as time moves away from the event and the human longs for the ease of use again. As long as we have humans in the loop we will not have the security that some of us desire.

    For me, I find that diversity in the methods I use is comforting. I step up the level and complexity as the information I am protecting becomes more important to me. But I have concerns about that too. I understand the methods I need to employ to access my important information. What happens when I am not here to perform the keystrokes. Can my wife or Brother do it successfully even with detailed documentation on how to do it. And there is the rub. I have documented all the security procedures on paper. I explained them to my wife and my Brother. But the secrets are now on paper and I know my wife and my brother will do their best to keep them safe. But they are on paper and anyone who gets them can follow the process. The Yubikey negates that to some degree for the financial info but it is still a secret shared.

    BTW, I am surprised that no one has mentioned thumbprints as a secret keeper. They have already been proven to be a fallacy. So I won't go there.
     
    Last edited: Jul 9, 2015
  20. wedgar

    wedgar Administrator Staff Member Gold Member

    Excellent comments!

    I remember reading about a fellow on the FBI top ten list who tried to change his fingerprints with a rubber band around his finger to numb his finger and then using a razor blade to cut new fingerprints. Probably not for the faint at heart.
     
    W.T. Jones likes this.
