Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Apr 13, 2011

The importance of verifying file integrity

I've just wasted a couple of hours trying to install Windows 7 on a laptop.  I downloaded the Windows 7 Enterprise Edition x32 image from MSDN, burned it to a cd, and thought that all was well.

To my surprise I got this interesting error message early in the install:
A required CD/DVD device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.
What? Windows 98 revisited? After some googling it seemed I wasn't the only one experiencing the problem, and several people reported that the problem was caused by a bad download or a bad cd. I didn't quite suspect this, as downloads are rarely problematic these days. After spending a considerable amount of time searching for drivers around the Internet, I therefore realized that there was only one thing right to do.

Verifying file integrity
I had downloaded the Win 7 ISO file to my Mac. Calculating the SHA-1 hash for a file is straightforward on OS X, since OpenSSL is preinstalled.

klings$ openssl sha1 en_windows_7_enterprise_with_sp1_x86_dvd_620186.iso 
SHA1(en_windows_7...620186.iso)= bd06158ceb24ad345d4d83104acf16aebbe5be67

Unfortunately, the hash should have been: 4788041EB06E0F49720C112FBD256AC637909D4F. It turns out that my ISO file is not identical to the one on MSDN! No wonder this didn't work out... I'll blame this one on Chrome, MSDN, or both. Chrome reported my download to be successful.

Don't go wasting your life before you've checked the integrity of the files you download!

For Windows, you might want to check out the Microsoft File Checksum Integrity Verifier, it seems to get the job done.

Apr 6, 2011

Norwegian Facebook users first victims of automated attack?

Norwegian media reports of a supposedly attack on Norwegian Facebook users, here's a link to the Norwegian news article.

Facebook users are calling their local police about the incident, phones started ringing at 22:15 CEST. At the time of writing, reports indicate that users near the city Haugesund were first affected. Users have explained the attack to the police as follows:

First you receive a "message" (unclear if it's a message or a wall post), stating: "You are next." Then your profile picture is changed to some sort of animation. Finally, the attackers change your password, and you lose access to your account.

An enjoyable statement from the police: "There's little we can do. We can't just send a patrol car into Facebook."

I'm logged into Facebook right now and haven't noticed anyting unusual, and I'm unable to find similar stories on the Internet. Have Norwegian Facebook users gone crazy (or the police), or are we seeing the start of a potent attack on Facebook users? Judging from the news article, the attack does not necessarily require user interaction. It could be a Facebook worm. I'll be interesting to see tomorrow how the situation develops.

And for the record: The article is dated April 5, so this should have nothing to do with April  fools' Day.

***Update*** April 7.
I contacted the journalist who wrote the story, they hadn't followed up on the matter. But if this was a real attack, I bet it was one of the password stealing apps on Facebook.

Apr 4, 2011

Why security questions are not

The other day, I received an "encrypted e-mail" through the Cisco Registered Envelope Service. Their "about" page states:
If the envelope is password-protected, it can only be opened by authorized recipients who authenticate themselves. If you are a first-time recipient receiving a password-protected secure envelope, you will be asked to register with the service to set the password which will be used to authenticate you.
I had never used the service, so I had to register before I could get access to the e-mail. To my surprise, I had to choose three security questions and provide an answer to them before the registration could be completed.

Apr 2, 2011

Introduction to authentication

The last couple of months large players such as Microsoft, Google, and Facebook have announced changes to their login procedures and how they authenticate their users. Facebook and Hotmail offer single-use codes to avoid compromise of users' regular passwords. Google has rolled out a new (optional) two-step verification for access to Google accounts. These are interesting changes in functionality to increase the security for users on the Internet.

I'll be blogging about some of these authentication procedures. To lay the foundation for my upcoming blog posts on authentication I figured it would be a good idea to give a quick rundown of what authentication is, just to get the basics out of the way. Here it goes:

Authentication defined
If you consult the Oxford dictionary on your iPhone you'll learn that:
prove or show (something) to be true, genuine, or valid;
When we authenticate users of computer systems, what are we trying to prove? In short, that the correct people are logged in to the correct user accounts. So, for computer systems we'll see that it makes sense to use the following definition:
Authentication is the process carried out to show that a user is who she claims to be
To explain what this means we'll break a typical authentication procedure into two phases: the user claims to be the owner of a digital identity, and we need to verify that the claim is true before the user is allowed to assume the claimed identity.

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts