PHP Class – OpenSSL Encryption with MCRYPT Randomized Instantiation Vectors

Disclaimer: I am not a computer scientist.  I am not a cryptologist.  I’m just a guy who knows how to code and even that can be debatable from time to time.  DO NOT trust this to secure any sensitive information until you do your own research.

Download the class here:  http://pastebin.com/cu4jUN9K

Requirements: PHP 5.4+, with the OpenSSL and MCRYPT extensions installed.

If you’re reading this post you already know what this is and why you need it.  The only thing I will say is that the added strategy of randomized instantiation vectors, based on my research, is the solution to the critical OpenSSL vulnerabilities reported in 2014 (Heartbleed, et al.).

This class should do the trick if you need to encrypt data for transmission without using HTTPS.  Each party in the transaction must know the same shared key.

Pseudo-randomness is provided on the encryption end when the initialization vector (IV) is created by mcrypt_create_iv() using the MCRYPT_DEV_URANDOM source.  That IV is then prepended to the encrypted data and sent along with it.  The receiving end uses the IV, together with the secret key shared by sender and receiver, to decrypt the data.

Be sure to understand the algorithms/ciphers/methods used and choose accordingly.

Defending Your Castle

A friend once asked me what made IT security difficult enough to warrant people dedicating entire careers to practicing it. He was under the impression that one could simply acquire the appropriate software to totally secure anything that needed to be secured. At the time I was so overwhelmed by the array of possible explanations that all I could muster was a generic explanation of “It’s much more complicated than that.”

If I’d had the presence of mind to give him a relatable metaphor, I would’ve told him to imagine he was king of a far off land living in a castle. Your foremost duty as king is to protect the castle and all the people living within. Protect them from what? Everything. There are countless dangers outside of your castle that would harm you, and your people, if given the chance.

There are two types of threats to your castle, known and unknown. Familiar threats are significantly less dangerous because you already know how to prepare for them. For example, you know your neighboring kingdom has a newly crowned ruler who came to power with something to prove, and his ambition could lead him to your front gates. A competitor or neighbor coveting something you have isn’t as uncommon as you might believe, in both our metaphorical kingdom and the modern internet. The easiest way to protect yourself from invaders storming the front gate and taking what belongs to you is to close the gate and station a squad of knights there. Given that you own the castle you should be familiar with all of the ways in and out so you review each one and ensure that access is granted only to those you want inside. You establish protocols for determining when to open the gate and when it should be closed, how closely to scrutinize different types of visitors depending on where they come from, and what to do with unwanted visitors.

Unknown threats are a different kind of problem altogether. You know there is a darkness out there beyond your borders, always waiting for an opportunity to deprive you and your people of your collective livelihood. The only way to combat this unknown but inevitable threat is to always be prepared for it. How do you prepare for something you’ve not experienced? You limit the scope of damage that can possibly be inflicted by a single incident or compromise through compartmentalization. You segment access to sections of your keep. You make sure that even if an ill-doer were to make it through your gate he surely won’t get past the second checkpoint. He most definitely will not have access to the throne room. You consult adventurers for advice, the breadth of whose experience beyond your realm can add an invaluable layer of protection to that which you hold most dear. You employ scouts whose job it is to patrol the kingdom and the areas beyond it searching for new threats and reporting back to you when they find something so that you can prepare your defenses. You enlist trustworthy men to police your kingdom, quarantining troublemakers when they show their faces and segregating them from the public to await judgment.

The thing about this metaphor is that it applies to almost any system, from something as small as your personal laptop all the way up to a corporate network. You have two primary threats to deal with: preventing unwarranted access, and dealing with any problems that arise internally, whether that be unruly software or someone who managed to get inside without permission. We can install antivirus and firewalls to address the issues that we know about, and even subscribe to automatic updates so that we’re prepared for new threats as they are unveiled. This is generally standard practice for, once again, all systems large and small.

The problem is that when the sensitivity of your data reaches a certain threshold you cannot rely on these methods alone. You cannot operate on the chance that no one will ever discover an unprotected port on your network. You cannot operate on the assumption that none of your software is subject to a zero-day exploit. This is why IT security is a complex topic. The landscape is constantly evolving, even more so than you might imagine because we’re in the relative infancy of computing technology. We have to be conscious of shifting security concerns and be able to react to them. Sometimes this requires the reconfiguration of complex systems, and it always requires the ability to interpret and understand the implications of new technology.

PHP classes: Date Object (Add/Subtract dates)

While coding a recent project I was looking around for a good way to simplify adding and subtracting dates. I found a function here written by “jm AT trinitywebdev DOT com”. I modified this function slightly (formatting, added support for weeks) and built a class around it. You can download the class here.

Example Usage:

require "c_date.php";	
$date = new date();

echo "Yesterday: " 	. $date->yesterday;
echo "Today: " 		. $date->today;
echo "Tomorrow: " 	. $date->tomorrow;
	
echo "Today minus 1 month: " 	. $date->modify($date->today,'-1m','m/d/Y');
echo "Today plus 5 days: " 		. $date->modify($date->today,'+5d','m/d/Y');
echo "Yesterday plus 6 weeks: " . $date->modify($date->yesterday,'+6w','m/d/Y');

Output:

(created on 4/19/2010)

Yesterday: 04/18/2010
Today: 04/19/2010
Tomorrow: 04/20/2010

Today minus 1 month: 03/19/2010
Today plus 5 days: 04/24/2010
Yesterday plus 6 weeks: 05/30/2010
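The same +Nd / +Nw / +Nm modifier syntax as an added JavaScript example; this is not the c_date.php class or the function it wraps. Dates are handled in UTC so the results do not depend on the machine's timezone, the "y" (year) unit is my addition, and clamping a day such as the 31st to the last day of the target month is my design choice, not something the post specifies. The anchor date 04/19/2010 is taken from the post's sample output.

```javascript
// Added example: a small date modifier in the spirit of c_date.php's modify().
// Modifier syntax: sign, count, unit, e.g. "-1m", "+5d", "+6w" (unit "y" is my addition).

function daysInMonth(year, monthIndex) {
  // Day 0 of the following month is the last day of this month.
  return new Date(Date.UTC(year, monthIndex + 1, 0)).getUTCDate();
}

function modify(date, spec) {
  const m = /^([+-])(\d+)([dwmy])$/.exec(String(spec).trim());
  if (!m) throw new Error('bad modifier: ' + spec);
  const n = (m[1] === '-' ? -1 : 1) * parseInt(m[2], 10);
  const out = new Date(date.getTime());
  switch (m[3]) {
    case 'd': out.setUTCDate(out.getUTCDate() + n); break;
    case 'w': out.setUTCDate(out.getUTCDate() + 7 * n); break;
    case 'm':
    case 'y': {
      const months = m[3] === 'y' ? 12 * n : n;
      // Work in absolute months so negative steps roll the year back correctly.
      const total = out.getUTCFullYear() * 12 + out.getUTCMonth() + months;
      const year = Math.floor(total / 12);
      const month = total - year * 12;
      // Clamp so Jan 31 + 1m lands on the last day of February instead of spilling into March.
      const day = Math.min(out.getUTCDate(), daysInMonth(year, month));
      out.setUTCFullYear(year, month, day);
      break;
    }
  }
  return out;
}

// Same "m/d/Y" layout as the post's sample output.
function format(date) {
  const pad = (x) => String(x).padStart(2, '0');
  return pad(date.getUTCMonth() + 1) + '/' + pad(date.getUTCDate()) + '/' + date.getUTCFullYear();
}

function parseMDY(s) {
  const [mo, d, y] = s.split('/').map(Number);
  return new Date(Date.UTC(y, mo - 1, d));
}

// Reproduces the post's sample output for a constructed "today" of 04/19/2010.
const today = parseMDY('04/19/2010');
const yesterday = modify(today, '-1d');
console.log('Today minus 1 month: ' + format(modify(today, '-1m')));
console.log('Today plus 5 days: ' + format(modify(today, '+5d')));
console.log('Yesterday plus 6 weeks: ' + format(modify(yesterday, '+6w')));
console.log('Jan 31 2011 plus 1 month: ' + format(modify(parseMDY('01/31/2011'), '+1m')));
```

The first three lines printed match the post's output (03/19/2010, 04/24/2010, 05/30/2010); the fourth shows the clamping case, which JavaScript's own setUTCMonth() would otherwise overflow into March.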

Javascript: Credit card validation

Here’s a quick JavaScript I wrote to validate the four major American credit card types, based on this post by Harrell W. Stiles.

Validate a credit card number with Javascript.

View the source on that page to grab the code; here are the two main functions as a quick reference:

function get_cc_type(n){
	var n1 = n.substr(0,1);
	var n2 = n.substr(0,2);
	var n4 = n.substr(0,4);
	var l = n.length;

	// The prefix alternatives are parenthesised so the length check applies to all of them:
	// && binds tighter than ||, so without the parentheses only the last prefix was length-checked.
	if(n4 == "6011" && l == 16){
		return "discover";
	} else if(n1 == "4" && l > 12 && l < 17){
		return "visa";
	} else if((n2 == "51" || n2 == "52" || n2 == "53" || n2 == "54" || n2 == "55") && l == 16){
		return "mastercard";
	} else if((n2 == "34" || n2 == "37") && l == 15){
		return "american_express";
	} else {
		return "unknown";
	}
}

// Luhn check: walking from the rightmost digit, double every second digit,
// fold doubled values above 9 back to a single digit, and require the sum to be a multiple of 10.
function is_valid_cc_number(n){
	var toggle = 0;		// 0 = take the digit as-is, 1 = double it
	var total = 0;
	var i, val;
	n = n.split("").reverse();
	for(i = 0; i < n.length; i++){
		if(toggle == 0){
			val = parseInt(n[i], 10);
			toggle = 1;
		} else {
			val = parseInt(n[i], 10) * 2;
			if(val > 9){
				val -= 9;	// same as adding the two digits of 10..18
			}
			toggle = 0;
		}
		total += val;	// a non-digit yields NaN here, so the number fails the check
	}

	return total % 10 === 0;
}

PHPBB3: Delete spam users and posts

One particular forum that I administrate recently had a problem with an influx of spam users and posts.  We needed a solution but until I could come up with one we needed a quick way to get rid of the trash they were posting on our public forums, so I wrote this script.  

The script accepts a username as input, and it will remove every trace of that user from the PHPBB database.  It deletes their username, bans their username and IP Address, removes any posts and/or topics created by them, and corrects the ‘last post by’ on each forum by removing them.

Feel free to use this script if you like, but be aware it’s very dangerous as it’s directly editing the PHPBB3 database tables.  The only configuration you need to supply is the database name, hostname, and auth credentials.  The script also assumes you used the default table prefix (phpbb_) when installing.

Code: http://ryanbrotherton.pastebin.com/f2dd5c4a3

JavaScript: Image Carousel

One day I found myself in need of an image carousel, but instead of grabbing a pre-made script I decided to write my own.  Why re-invent the wheel, you ask?  Because I like to learn and I love JavaScript; I don’t get to write custom JavaScript nearly enough.  Also, to better understand how this particular wheel works.  I want to re-write this eventually to remove the dependency on Scriptaculous.

I shouldn’t have to say this but if you want to use it, you’re free to use it for any purpose.

Dependencies: Scriptaculous – For the fading effect.

Code: http://ryanbrotherton.pastebin.com/f1cc2203c

Internet Explorer 6 is AWESOME!

Standards

Daniel Miessler

The absolute worst browser when it comes to supporting the standards is Internet Explorer.

The Internet works for one simple reason – everything at its core has been built on agreements that bind it together. Whether a computer is connected from California or Sri Lanka, it’s going to speak the same language and obey the same rules – the rules defined by standards. If this weren’t the case there would be no Internet at all.

The designers of Internet Explorer have purposely turned their back on the standards designed to benefit the Internet as a whole. They have done this for years, continue to do it today, and appear to have nothing but their own interests at heart.

http://dmiessler.com/writing/dumpie/

Free the Web

IE6 is the bane of every web developer’s life. Released in 2001, IE6 fails to even properly support the CSS 1.0 standard from 1996.

Internet Explorer 6 is holding back the future.

Supporting IE6 prevents us from using cool new features, standard with up to date browsers. This erodes user-experience for everyone. Additionally, the hacks and workarounds that web developers are forced to use degrade their code, and this limits progress in other areas. Above all it’s simply a waste of millions of hours of human potential.

http://www.free-the-web.com/

Security

Daniel Miessler

What makes other browsers better than IE at protecting vs. spyware and other attacks? Well, it’s simple really – most other browsers don’t make it so easy to install malicious software on your system without you knowing about it. IE makes it relatively trivial through two features called ActiveX and Active Scripting. These technologies were designed specifically for the purpose of giving Web sites more control over a user’s computer. Unfortunately, as we have seen with exploit after exploit – that’s not always a good thing.

http://dmiessler.com/writing/dumpie/

Bruce Schneier – Security Expert

This study is from August, but I missed it. The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available.

MSIE was 98% unsafe. There were only 7 days in 2004 without an unpatched publicly disclosed security hole.

Firefox was 15% unsafe. There were 56 days with an unpatched publicly disclosed security hole. 30 of those days were a Mac hole that only affected Mac users. Windows Firefox was 7% unsafe.

http://www.schneier.com/blog/archives/2005/12/internet_explor.html

PC World

In 2006, citing its lack of security, PC World magazine named Internet Explorer 6 number 8 on their list of the “25 worst tech products of all time”.

http://www.pcworld.com/article/125772-3/the_25_worst_tech_products_of_all_time.html

Current

Just recently, a major flaw in Microsoft’s Internet Explorer that allows hackers to gain the password details of the user was revealed.

This is not a rumor, it was confirmed by Microsoft who in fact announced the discovery themselves admitting a “vulnerability in Internet Explorer” that “could allow remote code execution.” Not Good.

http://thenextweb.com/2008/12/16/dump-internet-explorer-at-least-for-now/

Market Share

These stats are as accurate as anyone’s guess, but most claim Google as a source.  This is an averaging of the best sources I could find.  (W3C puts Firefox at 44%; I didn’t use them because that seemed way out of line with all other sources.)

  • IE7 – 47.32%
  • Firefox – 21%
  • IE6 – 19.21%
  • Safari – 8%
  • Chrome/Opera – 2%

Conclusion

It is becoming more and more clear that, as some of our quoted authors have suggested, IE6 is severely impeding the progress of the web as a whole.  You could say this of any inferior or outdated browser but IE6 is the only one still widely used, and the cause of its continued widespread use is uneducated users.  They remain uneducated because they are unaware of the inherent security risks in IE6 due to a tight integration with the Windows operating system and exploitable access to ActiveX controls.

IE6 is not only an incredible time sink and headache for developers, it is a danger to consumers as well.


imgsize.net opens as beta.

http://www.imgsize.net

I got bored last weekend and started writing this.  I opened the doors as beta so people can easily use it to resize simple images if they’re in a pinch or if they don’t have an image manipulation tool readily available.

It’s also great for people who aren’t really tech savvy.

The primary goals for the project were ease of use, simplicity, and an intuitive interface with as few steps as possible to get a quickly resized image.

Planned Features/Fixes

  • Manual Input of dimensions (w/ constrained proportions)
  • Allow slider to increment 1% instead of only 2%
  • Transparency Support?
  • Web Service of some sort?

Using the service is as easy as uploading an image, adjusting a slider to change the size, and clicking save:

10 digit decimal IP addresses – How to

There is a little known quirk in the Internet Explorer and Firefox browsers.  Here’s an example link to Google: http://1249710995.  If clicking it doesn’t work for you, copy and paste it into IE6 or 7 or FF3.  (I haven’t tested any other browsers except Opera and Chrome; neither of them works.)

I wrote a quick converter in PHP, you can play with it here and download the source code on the same page.

How to: Convert each octet of an IPv4 address to two hex digits and concatenate the four pairs into one 8-digit hex number.  Convert that number back to decimal and you have the 10 digit number.

Quick reference conversion functions:

IP Address to 10 digit:

	function toTen($i){
		// Each octet is weighted by its position: 256^3, 256^2, 256^1, 256^0
		$a = explode(".",$i);
		$g1 = $a[0];
		$g2 = $a[1];
		$g3 = $a[2];
		$g4 = $a[3];
		
		$g1 *= 16777216;
		$g2 *= 65536;
		$g3 *= 256;
		
		return $g1 + $g2 + $g3 + $g4;
	}

10 digit back to IP:

	function toIP($i){
		// Zero-pad to 8 hex digits: dechex() drops leading zeros, so for a first octet
		// below 16 (e.g. 1.2.3.4 -> 1020304) the fixed substr() offsets would be misaligned.
		$h = str_pad(dechex($i+0), 8, "0", STR_PAD_LEFT);
		$g1 = hexdec(substr($h,0,2));
		$g2 = hexdec(substr($h,2,2));
		$g3 = hexdec(substr($h,4,2));
		$g4 = hexdec(substr($h,6,2));
		
		return $g1.".".$g2.".".$g3.".".$g4;
	}

Why: Anonymity.  I can’t think of a use for this that isn’t potentially malicious.  It could be used by malware to trick users into going to an unfriendly url, and bypass blacklisted domain names in spam filters.

I’m sure the feature is put there for a reason, I’m just not sure what it is.  Got any ideas?