PHP Class – OpenSSL Encryption with MCRYPT Randomized Initialization Vectors

Disclaimer: I am not a computer scientist.  I am not a cryptologist.  I’m just a guy who knows how to code and even that can be debatable from time to time.  DO NOT trust this to secure any sensitive information until you do your own research.

Download the class here:  http://pastebin.com/cu4jUN9K

Requirements: Requires PHP 5.4+.  OpenSSL and MCRYPT libraries must be installed.

If you’re reading this post you already know what this is and why you need it.  The only thing I will say is that the added strategy of randomized initialization vectors, based on my research, is the solution to the critical OpenSSL vulnerabilities reported in 2014 (Heartbleed, et al.).

This class should do the trick if you need to encrypt data you need to transmit without using HTTPS.  Each party in the transaction must have knowledge of the same shared key.

Pseudo-randomness is provided on the encryption end: the initialization vector (IV) is created by mcrypt_create_iv() with MCRYPT_DEV_URANDOM as its randomness source.  The IV is then prepended to the encrypted data and sent along with it.  The receiving end uses this IV, together with the secret key shared by the sender and receiver, to decrypt the data.

Be sure to understand the algorithms/ciphers/methods used and choose accordingly.
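
The flow described above (a fresh random IV per message, sent in front of the ciphertext, with the same key on both ends), as an added example that is not the class from the pastebin link. It assumes PHP 7.1+ with OpenSSL, uses random_bytes() in place of mcrypt_create_iv() (mcrypt left PHP core in 7.2), and picks AES-256-GCM so that a message altered in transit is rejected rather than decrypted; seal() and unseal() are hypothetical names.

```php
<?php
// Added example; seal()/unseal() are hypothetical names, not the linked class.
// Assumes PHP 7.1+ with OpenSSL. random_bytes() replaces mcrypt_create_iv().
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;
function seal(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    // Fresh IV for every message; it is not secret, only unique per key.
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // IV is prepended and sent with the data
}

function unseal(string $message, string $key): string
{
    $raw   = base64_decode($message, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed message');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = (string) substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed'); // wrong key or altered bytes
    }
    return $pt;
}

// Constructed sample: both ends hold the same 32-byte key.
$key = random_bytes(32);
$a = seal('order=42', $key);
$b = seal('order=42', $key); // same plaintext, new IV, so the output differs
var_dump($a !== $b, unseal($a, $key) === 'order=42');
$raw = base64_decode($a);
$raw[strlen($raw) - 1] = $raw[strlen($raw) - 1] ^ "\x01"; // flip one ciphertext bit in transit
try {
    unseal(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```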

Defending Your Castle

A friend once asked me what made IT security difficult enough to warrant people dedicating entire careers to practicing it. He was under the impression that one could simply acquire the appropriate software to totally secure anything that needed to be secured. At the time I was so overwhelmed by the array of possible explanations that all I could muster was a generic explanation of “It’s much more complicated than that.”

If I’d had the presence of mind to give him a relatable metaphor, I would’ve told him to imagine he was king of a far off land living in a castle. Your foremost duty as king is to protect the castle and all the people living within. Protect them from what? Everything. There are countless dangers outside of your castle that would harm you, and your people, if given the chance.

There are two types of threats to your castle, known and unknown. Familiar threats are significantly less dangerous because you already know how to prepare for them. For example, you know your neighboring kingdom has a newly crowned ruler who came to power with something to prove, and his ambition could lead him to your front gates. A competitor or neighbor coveting something you have isn’t as uncommon as you might believe, in both our metaphorical kingdom and the modern internet. The easiest way to protect yourself from invaders storming the front gate and taking what belongs to you is to close the gate and station a squad of knights there. Given that you own the castle you should be familiar with all of the ways in and out so you review each one and ensure that access is granted only to those you want inside. You establish protocols for determining when to open the gate and when it should be closed, how closely to scrutinize different types of visitors depending on where they come from, and what to do with unwanted visitors.

Unknown threats are a different kind of problem altogether. You know there is a darkness out there beyond your borders, always waiting for an opportunity to deprive you and your people of your collective livelihood. The only way to combat this unknown but inevitable threat is to always be prepared for it. How do you prepare for something you’ve not experienced? You limit the scope of damage that can possibly be inflicted by a single incident or compromise through compartmentalization. You segment access to sections of your keep. You make sure that even if an ill-doer were to make it through your gate he surely won’t get past the second checkpoint. He most definitely will not have access to the throne room. You consult adventurers for advice, the breadth of whose experience beyond your realm can add an invaluable layer of protection to that which you hold most dear. You employ scouts whose job it is to patrol the kingdom and the areas beyond it searching for new threats and reporting back to you when they find something so that you can prepare your defenses. You enlist trustworthy men to police your kingdom, quarantining troublemakers when they show their faces and segregating them from the public to await judgment.

The thing about this metaphor is that it applies to almost any system. From something as small as your personal laptop all the way up to a corporate network. You have two primary threats to deal with. Preventing unwarranted access and dealing with any problems that arise internally, whether that be unruly software or someone who managed to get inside without permission. We can install antivirus and firewalls to address the issues that we know about, and even subscribe to automatic updates so that we’re prepared for new threats as they are unveiled. This is generally standard practice for, once again, all systems large and small.

The problem is that when the sensitivity of your data reaches a certain threshold you cannot rely on these methods alone. You cannot operate on the chance that no one will ever discover an unprotected port on your network. You cannot operate on the assumption that none of your software is subject to a zero-day exploit. This is why IT security is a complex topic. The landscape is constantly evolving, even more so than you might imagine because we’re in the relative infancy of computing technology. We have to be conscious of shifting security concerns and be able to react to them. Sometimes this requires the reconfiguration of complex systems, and it always requires the ability to interpret and understand the implications of new technology.

Booting a Toshiba Satellite P875 to a disk or CD-ROM (ODD); Or why I now dislike Toshiba.

EDIT: After learning more about modern hardware and Windows 8, you would do well to simply research UEFI and fastboot/secure boot technologies. Windows 8 includes advanced options to boot into BIOS or to a disk from within the OS. While completely asinine, they do work.

Dear friends from Google, the solution is in paragraph 4, in bold print.

Recently we needed a replacement laptop at work quickly. We order from Dell almost exclusively but they couldn’t get one here fast enough, so we went to the local Best Buy and took a chance on this particular Toshiba Satellite (P875-S7200). It’s a pretty excellent machine spec-wise for the price. $699 for an i5, 6GB RAM, 750GB disk, and 17″ screen.

My first problem started when I needed to put something better than the default OS on it, which is Windows 7 Home Premium. I popped a Win7 Ultimate x64 disc into the drive and rebooted, only for the ‘fast boot’ technology to completely skip any boot options. Okay, no problem. I checked the manuals and user guide on Toshiba’s website, and it says to hold the F12 key when booting to get boot options. This doesn’t work. The laptop simply screeches at you like a deranged harpy. Let’s talk about this for a moment.

In my career thus far I have never seen a more pointless or obnoxious feature put into a piece of equipment. When you hold down a key while booting this laptop it takes full advantage of the included Harman/Kardon sound system and blasts long, annoying beeps at full volume. It beeps so loud I couldn’t hear the support technician on the phone. It’s not a single beep, either. It’s a series of 2-3 second long pulses that lasts about 10 seconds. This is probably one of the more annoying things I have ever encountered. WHY!?! What could this possibly be useful for? This thing is louder than our building’s fire alarm.

Anyway, back to the solution. After spending half an hour using Toshiba’s support system, which, by the way, is a pain. Dial in to system 1, punch in options until you get to system 2, hold, punch some options, hold, talk to a tech that can’t help you, redirect to level 2, hold, and finally when level 2 picks up they say they can help you for $59. I said no, all I need is you to tell me how to boot this to a CD-ROM because the user guide and tech manual on your website are wrong, and I’m not paying for that. After trying holding down random keys during boot (F12, F2, Esc, C) he eventually had me boot into Windows and run a program called HWSetup. This allows you to change the boot order of the BIOS from within Windows, and disable the fast-boot technology. This finally got me to a point where I could boot to a CD.

What in the hell was Toshiba thinking with this? I understand the default config will be ideal for their target audience, but making it this difficult to install a different OS? Wow.

Hopefully you arrived on this post after searching for how to boot this thing to a CD-ROM, because when I Googled it, I couldn’t find anything helpful.

PHP classes: Date Object (Add/Subtract dates)

While coding a recent project I was looking around for a good way to simplify adding and subtracting dates. I found a function here written by “jm AT trinitywebdev DOT com”. I modified this function slightly (formatting, added support for weeks) and built a class around it. You can download the class here.

Example Usage:

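require "c_date.php";
$date = new date();

// Preset properties exposed by the class
echo "Yesterday: " . $date->yesterday . PHP_EOL;
echo "Today: "     . $date->today . PHP_EOL;
echo "Tomorrow: "  . $date->tomorrow . PHP_EOL;

// modify(date, offset, output format): the offset is a sign, a count and a unit (d, w or m)
echo "Today minus 1 month: "    . $date->modify($date->today,'-1m','m/d/Y') . PHP_EOL;
echo "Today plus 5 days: "      . $date->modify($date->today,'+5d','m/d/Y') . PHP_EOL;
echo "Yesterday plus 6 weeks: " . $date->modify($date->yesterday,'+6w','m/d/Y') . PHP_EOL;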

Output:

(created on 4/19/2010)

Yesterday: 04/18/2010
Today: 04/19/2010
Tomorrow: 04/20/2010

Today minus 1 month: 03/19/2010
Today plus 5 days: 04/24/2010
Yesterday plus 6 weeks: 05/30/2010

JavaScript: Credit card validation

Here’s a quick JavaScript I wrote to validate (the 4 major American) credit card numbers, based on this post by Harrell W. Stiles.

Validate a credit card number with Javascript.

View the source on that page to grab the code, here are the two main functions as a quick reference:

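function get_cc_type(n){
	// The card type is inferred from the leading digits and the total length.
	var n1 = n.substring(0,1);
	var n2 = n.substring(0,2);
	var n4 = n.substring(0,4);
	var l = n.length;

	// Each prefix group is parenthesised so the length check applies to every
	// prefix in the group, not only the last one (&& binds tighter than ||).
	if(n4 == "6011" && l == 16){
		return "discover";
	} else if(n1 == "4" && l > 12 && l < 17){
		return "visa";
	} else if((n2 == "51" || n2 == "52" || n2 == "53" || n2 == "54" || n2 == "55") && l == 16){
		return "mastercard";
	} else if((n2 == "34" || n2 == "37") && l == 15){
		return "american_express";
	} else {
		return "unknown";
	}
}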

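function is_valid_cc_number(n){
	// Luhn checksum: starting from the rightmost digit, double every second
	// digit, add the digits of any two-digit result, and require the total
	// to be a multiple of 10.
	if(!/^\d+$/.test(n)){
		return false; // reject empty input and anything that is not all digits
	}
	var toggle = 0;
	var total = 0;
	var digits = n.split("").reverse();
	for(var i=0;i<digits.length;i++){
		var val = parseInt(digits[i], 10);
		if(toggle == 0){
			toggle = 1;
		} else {
			val = val * 2;
			if(val > 9){
				val = val - 9; // same as adding the two digits of val
			}
			toggle = 0;
		}
		total = total + val;
	}

	return total % 10 === 0;
}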

PHPBB3: Delete spam users and posts

One particular forum that I administrate recently had a problem with an influx of spam users and posts.  We needed a solution but until I could come up with one we needed a quick way to get rid of the trash they were posting on our public forums, so I wrote this script.  

The script accepts a username as input, and it will remove every trace of that user from the PHPBB database.  It deletes their username, bans their username and IP Address, removes any posts and/or topics created by them, and corrects the ‘last post by’ on each forum by removing them.

Feel free to use this script if you like, but be aware it’s very dangerous as it’s directly editing the PHPBB3 database tables.  The only configuration you need to supply is the database name, hostname, and auth credentials.  The script also assumes you used the default table prefix (phpbb_) when installing.

Code: http://ryanbrotherton.pastebin.com/f2dd5c4a3

JavaScript: Image Carousel

One day I found myself in need of an image carousel, but instead of grabbing a pre-made script I decided to write my own.  Why re-invent the wheel you ask?  Because I like to learn and I love JavaScript; I don’t get to write custom JavaScript nearly enough.  Also, to better understand how this particular wheel works.  I want to re-write this eventually to remove the dependency on Scriptaculous.

I shouldn’t have to say this but if you want to use it, you’re free to use it for any purpose.

Dependencies: Scriptaculous – For the fading effect.

Code: http://ryanbrotherton.pastebin.com/f1cc2203c

Google pushing Chrome to IE users

This morning I noticed this in the upper right hand corner of the screen on Google’s home page

It turns out they are only displaying it for users who come to the Google page using Internet Explorer.

IE6

IE7

Firefox

Internet Explorer 6 is AWESOME!

Standards

Daniel Miessler

The absolute worst browser when it comes to supporting the standards is Internet Explorer.

The Internet works for one simple reason – everything at its core has been built on agreements that bind it together. Whether a computer is connected from California or Sri Lanka, it’s going to speak the same language and obey the same rules – the rules defined by standards. If this weren’t the case there would be no Internet at all.

The designers of Internet Explorer have purposely turned their back on the standards designed to benefit the Internet as a whole. They have done this for years, continue to do it today, and appear to have nothing but their own interests at heart.

http://dmiessler.com/writing/dumpie/

Free the Web

IE6 is the bane of every web developer’s life. Released in 2001, IE6 fails to even properly support the CSS 1.0 standard from 1996.

Internet Explorer 6 is holding back the future.

Supporting IE6 prevents us from using cool new features, standard with up to date browsers. This erodes user-experience for everyone. Additionally, the hacks and workarounds that web developers are forced to use degrades their code, and this limits progress in other areas. Above all it’s simply a waste of millions of hours of human potential.

http://www.free-the-web.com/

Security

Daniel Miessler

What makes other browsers better than IE at protecting vs. spyware and other attacks? Well, it’s simple really – most other browsers don’t make it so easy to install malicious software on your system without you knowing about it. IE makes it relatively trivial through two features called ActiveX and Active Scripting. These technologies were designed specifically for the purpose of giving Web sites more control over a user’s computer. Unfortunately, as we have seen with exploit after exploit – that’s not always a good thing.

http://dmiessler.com/writing/dumpie/

Bruce Schneier – Security Expert

This study is from August, but I missed it. The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available.

MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole.

Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe.

http://www.schneier.com/blog/archives/2005/12/internet_explor.html

PC World

In 2006, citing its lack of security, PC World magazine named Internet Explorer 6 number 8 on their list of the “25 worst tech products of all time”.

http://www.pcworld.com/article/125772-3/the_25_worst_tech_products_of_all_time.html

Current

Just recently, a major flaw in Microsoft’s Internet Explorer that allows hackers to gain the password details of the user was revealed.

This is not a rumor, it was confirmed by Microsoft who in fact announced the discovery themselves admitting a “vulnerability in Internet Explorer” that “could allow remote code execution.” Not Good.

http://thenextweb.com/2008/12/16/dump-internet-explorer-at-least-for-now/

Market Share

These stats are accurate to anyone’s guess, but most claim Google as a source.  This is an averaging of the best sources I could find.  (w3c puts Firefox at 44%; I didn’t use them because that seemed way out of line with all other sources.)

  • IE7 – 47.32%
  • Firefox – 21%
  • IE6 – 19.21%
  • Safari – 8%
  • Chrome/Opera – 2%

Conclusion

It is becoming more and more clear that, as some of our quoted authors have suggested, IE6 is severely impeding the progress of the web as a whole.  You could say this of any inferior or outdated browser but IE6 is the only one still widely used, and the cause of its continued widespread use is uneducated users.  They remain uneducated because they are unaware of the inherent security risks in IE6 due to a tight integration with the Windows operating system and exploitable access to ActiveX controls.

IE6 is not only an incredible time sink and headache for developers, it is a danger to consumers as well.
