Internet Explorer "Remember my password" Checkbox Missing

On my office laptop, I discovered the Internet Explorer "Remember my password" checkbox option was missing. This was quite annoying, as I started using Eclipse's internal browser to test my development work on the staging server I set up at home. The staging server is protected by a simple .htaccess file, which prompts you for a username/password with a dialog box like the one below:

As you can see, it's missing the "Remember my password" option, which means I have to reenter the credentials every time I want to log in. After a lot of research on Google, I finally figured out the problem: the Protected Storage service needs to be running. Either I disabled the Protected Storage service or a Windows security update did. Either way, after changing the "Startup type" to Automatic and restarting all IE browsers, here's how the password dialog looked:

I have a feeling that a Windows, or an Internet Explorer, security update changed the way IE stores passwords. For most users, the update had no effect since the Protected Storage service is set to Automatic by default. But not for me; I love tinkering with stuff. I disabled a lot of unnecessary Windows XP services on my laptop last year to help keep it secure while I'm on the move.

Update:
In the comments, Haiman posted the following alternate fix. Several users reported his fix worked for them, so I'm including it here. (You'll need to use the registry editor to make this change, Start->Run->regedit.exe, but be sure to make a backup of your registry before fooling around with it!)

Your office pushes out a GPO or registry change to disable users from caching passwords.

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
Value Name: DisablePasswordCaching
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disable password cache)

Comcast/Level3 hit by minor DoS attack?

When I came home from the gym last night, I tried accessing Google, however it timed out. After suspecting my PC, and then my router, and finally my cable modem, I discovered the problem was much further away. A quick traceroute showed where the problem was:

raam@pluto:~$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 64.233.167.99
traceroute to google.com (64.233.167.99), 30 hops max, 38 byte packets
1 192.168.2.200 (192.168.2.200) 1.816 ms 1.711 ms 1.718 ms
2 73.161.232.1 (73.161.232.1) 7.747 ms 7.374 ms 12.562 ms
3 ge-1-38-ur01.cambridge.ma.boston.comcast.net (68.87.151.137) 7.865 ms 8.434 ms 7.420 ms
4 te-8-1-ur02.cambridge.ma.boston.comcast.net (68.87.144.70) 8.473 ms 7.992 ms 7.890 ms
5 te-9-2-ur01.malden.ma.boston.comcast.net (68.87.144.73) 8.014 ms 18.855 ms 9.047 ms
6 te-8-1-ur02.malden.ma.boston.comcast.net (68.87.144.177) 8.101 ms 9.937 ms 8.489 ms
7 te-8-4-ar01.woburn.ma.boston.comcast.net (68.87.144.173) 8.477 ms 10.514 ms 8.416 ms
8 PO-10-ar01.foxboro.ma.boston.comcast.net (68.87.146.50) 9.407 ms 9.656 ms 10.243 ms
9 po-11-ar01.berlin.ct.hartford.comcast.net (68.87.146.33) 16.007 ms 12.353 ms 12.006 ms
10 po-10-ar01.chartford.ct.hartford.comcast.net (68.87.146.29) 13.468 ms 13.450 ms 13.957 ms
11 * * *
12 te-3-1.car1.NewYork1.Level3.net (4.71.172.109) 302.002 ms 301.466 ms 302.540 ms
13 ae-31-55.ebr1.NewYork1.Level3.net (4.68.97.158) 354.448 ms * ae-32-52.ebr2.NewYork1.Level3.net (4.68.97.62) 371.114 ms
14 ae-2.ebr1.Chicago1.Level3.net (4.69.132.65) 334.429 ms ae-1-100.ebr2.NewYork1.Level3.net (4.69.132.26) 376.366 ms ae-2.ebr1.Chicago1.Level3.net (4.69.132.65) 325.988 ms
15 * * ae-11-55.car1.Chicago1.Level3.net (4.68.101.130) 326.044 ms
16 ae-11-51.car1.Chicago1.Level3.net (4.68.101.2) 323.914 ms GOOGLE-INC.car1.Chicago1.Level3.net (4.79.208.18) 322.442 ms 325.340 ms
17 66.249.94.133 (66.249.94.133) 325.499 ms 72.14.232.53 (72.14.232.53) 324.420 ms *
18 72.14.232.70 (72.14.232.70) 326.975 ms * 331.300 ms
19 64.233.175.26 (64.233.175.26) 321.481 ms py-in-f99.google.com (64.233.167.99) 320.482 ms *

As you can see from the bold line, the NewYork1.Level3.net server took a full 302.002 ms to go round trip. I tried to traceroute Google from other sites (online traceroute utilities) and they got through without any problem -- but that was because their route through the Internet didn't take them through those specific Level3 servers.

After 20 minutes or so, the problem seemed to clear up and a new traceroute showed a much more healthy response from te-3-2.car1.NewYork1.Level3.net:

11 te-3-2.car1.NewYork1.Level3.net (4.71.172.113) 14.475 ms 14.944 ms 15.518 ms
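The reading of the trace above can be automated. This is an added example, not part of the original post: it parses traceroute output (including lines with `*` timeouts and several responders per hop) and reports the first hop where latency jumps and stays high for every later hop. The function names and the thresholds (`factor`, `min_ms`) are assumptions chosen for illustration.

```python
import re
from statistics import median

# Hops 9-13 and 19, copied from the trace above (the rest is omitted for brevity).
SAMPLE = """\
 9 po-11-ar01.berlin.ct.hartford.comcast.net (68.87.146.33) 16.007 ms 12.353 ms 12.006 ms
10 po-10-ar01.chartford.ct.hartford.comcast.net (68.87.146.29) 13.468 ms 13.450 ms 13.957 ms
11 * * *
12 te-3-1.car1.NewYork1.Level3.net (4.71.172.109) 302.002 ms 301.466 ms 302.540 ms
13 ae-31-55.ebr1.NewYork1.Level3.net (4.68.97.158) 354.448 ms * ae-32-52.ebr2.NewYork1.Level3.net (4.68.97.62) 371.114 ms
19 64.233.175.26 (64.233.175.26) 321.481 ms py-in-f99.google.com (64.233.167.99) 320.482 ms *
"""

RTT = re.compile(r"(\d+(?:\.\d+)?) ms")


def parse_hops(text):
    """Return [(hop_number, median_rtt_ms or None)] for each numbered line."""
    hops = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # banner or warning line, not a hop
        rtts = [float(x) for x in RTT.findall(line)]
        hops.append((int(fields[0]), median(rtts) if rtts else None))
    return hops


def first_persistent_jump(hops, factor=5.0, min_ms=100.0):
    """First hop whose RTT jumps over the previous answering hop and stays high.

    A spike that later hops do not share usually means that one router is slow
    to answer probes, not that traffic through it is delayed, so it is ignored.
    """
    answered = [(hop, rtt) for hop, rtt in hops if rtt is not None]
    for i in range(1, len(answered)):
        base = answered[i - 1][1]
        limit = max(base * factor, base + min_ms)
        if all(rtt >= limit for _, rtt in answered[i:]):
            return answered[i][0], base, answered[i][1]
    return None


if __name__ == "__main__":
    print(first_persistent_jump(parse_hops(SAMPLE)))
```

On the sample it reports hop 12, with the last answering hop before it (hop 10) as the baseline, since hop 11 returned no replies.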

Replaced Akismet plugin with Challenge 1.1

I'm sick of scanning through the list of comments caught by Akismet to see if there are any false-positives -- I have had a few false-positives, namely from DJT.

So I've deactivated Akismet and installed Challenge 1.1. It works by asking the commenter a question. If the correct answer is provided, the comment is posted. I can customize Challenge to ask any question, however I'm currently using a simple, random math problem. Hopefully this plugin will save me from scanning through hundreds of spam comment posts.

One thing I would like to fix, though I don't think it will be an easy fix, is to save the contents of the user's comment in case he enters the wrong answer. Right now, if you enter the wrong answer and click Post, it gives you a message saying you entered the wrong answer. However, when you press the Back button in your browser, you have to retype your comment. So get the answer right the first time!

Go ahead and leave a comment to try out the new system.

EDIT: After deactivating Akismet, I started getting a lot of TrackBack spam. Since Akismet doesn't have any option to only filter TrackBacks, I've decided to disable link notifications altogether.

Five Online Accounts Secured with Two-Factor Authentication

I received my PayPal Security Key in the mail today. I jumped at the chance to order one after I happened to read about its release on codinghorror.com. The key fob, which uses the same technology as SecurIDs, works by generating a new 6-digit number every 30 or 60 seconds. When you log in to the website using your username and password+passcode, the server computes what 6-digit passcode should currently be displayed on your key fob and, if it matches what you entered, allows you access. Since the passcode constantly changes, even someone who has your username and password would not be able to log in without also physically holding your key fob. This is known as two-factor authentication: something you know (username & password) and something you have (key fob).

I have been a fan of the SecurID ever since I worked with them at Getronics, where I supported an international base of banking employees who used a SecurID to log in to Deutsche Bank's internal network. I was responsible for not only educating users on how to use their SecurID, but also for re-syncing the ACE Server (which is used to manage all SecurIDs), generating temporary passcodes for users who had misplaced their SecurID, monitoring the ACE log monitor to help diagnose authentication issues, and adding/removing SecurIDs from the ACE server. It was probably the most fun I had working at Getronics -- and because I enjoyed it, diagnosing SecurID issues, and understanding how they work, became second nature to me.

When E*TRADE started providing SecurIDs, they initially gave them out for free to those who were the first to order them. Of course I jumped on the opportunity and within a few weeks I was logging into my E*TRADE account with my Username and Password + SecurID Passcode. In addition to my brokerage account, I opened an E*TRADE checking account, simply because I loved being able to feel secure about logging into my checking account. However, since there are no E*TRADE branches around here where I can make physical deposits, I still need a local bank account. For that I use TDBanknorth. It would be awesome if TDBanknorth provided a SecurID for online access. Now that E*TRADE is offering a savings account, with no minimums, no fees, and a 5.05% savings interest rate (!), I'm going to close my INGDirect savings account (4.50%) and switch to using E*TRADE exclusively. I will now have a checking, savings, and brokerage account with E*TRADE, all of which I can securely access from a single site using the SecurID.

Even though PayPal's Security Key is not an official SecurID, it uses the same technology. SecurID is made and produced by RSA Security. PayPal has created their own version of the SecurID with a 6-digit code that changes every 30 seconds. The PayPal Security Key differs from the SecurID in that instead of always displaying the passcode, the display simply turns off after 30 seconds. You need to press a button on the key fob to turn on the display and show a new passcode. In addition, the PayPal key fob is slightly larger, has an oval shape, feels less durable, and has an annoying string with a metal ring on the end to attach to your key chain. I discarded the string and replaced it with a bigger, more durable keyring. The SecurID is definitely designed better, and the only reason I can think of that the PayPal key uses a button to turn on the display, is to save battery life.

Since PayPal is owned by eBay, you can also activate the Security Key for your eBay account, allowing you to secure both your PayPal account and your eBay account with the same Security Key! I completed the activation process for both accounts, and it was very easy. I simply logged into my account, filled out three boxes (serial number from the back of the Security Key, and two passcodes from the key), clicked submit, and the process was done.

Carrying around two key fobs on my key chain isn't fun, but if it means I can feel a lot more safe about the security of five of my online accounts (brokerage, checking, savings, PayPal, and eBay), then I'm all for it! In fact, besides my TDBanknorth account, I can't think of any other accounts that I really wish I could feel safer about accessing online. Of course, even two-factor authentication is vulnerable to man-in-the-middle and other attacks. If the attacker obtains a current passcode, he has a whole 30 (or 60) seconds to reuse that code. So if you combine a hidden screen-capture or key-logger application with the speed of the Internet, you can have an attacker who monitors your computer activity in real-time and logs into your account only a few seconds after you do. The bottom line: don't allow your computer to be compromised in the first place.

There is no security against human stupidity.

HOW-TO: Easily Secure any Wireless Connection with SSH

For a long time I had been running a Squid proxy on my Linux server, opening an SSH tunnel to the server from my wireless laptop with the -L3128:127.0.0.1:3128 SSH option to create the local tunnel, and then configuring my browser to use the 127.0.0.1:3128 HTTP proxy. This method worked well for a long time, however it had its disadvantages -- namely the extra configuration involved.

Probably the most difficult was the setup and configuration of the Squid proxy (getting the access rights configured correctly in squid.conf), but equally as challenging was explaining the whole process to someone else -- impossible if they were not familiar with Linux.

Recently, my Squid server stopped working and I wasn't able to use the tunneling method mentioned above to secure my wireless connection while I was at Panera Bread (currently the largest provider of free WiFi in the USA). For this reason, I didn't feel safe logging into my WordPress administration interface to work on a blog entry. So while I was searching for Squid configuration instructions, I came across a much easier way of securing my wireless connection. How simple? This simple: ssh -D 9000 [email protected].

Yes, really that simple. Nothing needed to be configured on the server (besides having the SSH server running, which most Linux installations already have by default). I then opened my browser and configured it to use a SOCKS v5 proxy to localhost using port 9000 and bingo, all web traffic was now encrypted over the SSH connection! I confirmed this by running the netstat command on my Linux server and found several new connections to websites I was browsing on my wireless laptop.

If you're running Windows, and don't have access to the wonderful Linux command line utilities such as SSH, you can download PuTTY. The latest version, v.59, has support for the -D SSH option. After you download and install PuTTY, enter the connection details to your SSH server (or find a service that provides a free shell account and allows port forwarding/proxying and use that), then click on Connection -> Tunnels in the options on the left. What you need to do is add a dynamic port. You do this by filling out the Port field and choosing Dynamic. Leave everything else blank and click Add. The screen should look like this right before you click Add:

Once you're done, you can save your connection information and then connect. Once you have logged into your shell account, you will need to configure your web browser to use the tunnel instead of a direct connection. I have included directions for configuring Firefox and Internet Explorer (IE isn't as straightforward as you'd expect, go figure).

In Firefox, simply choose Tools -> Options -> Advanced -> Network Settings. Choose "Manual proxy configuration:" and in the SOCKS Host field enter "localhost". For the port, enter "9000". I chose SOCKS v5 from the options below the SOCKS Host field, but I'm not sure if that matters. Here is what your screen should look like:

For Internet Explorer, it took me a bit of trial and error to get it working properly. Here is what you do. Tools -> Internet Options -> Connections -> LAN Settings. Choose "Use a proxy server for your LAN" and click Advanced. Erase everything in all fields, except the "Socks" and corresponding "port" field. Enter "localhost" in the Socks field and "9000" in the port. Here is what the screen should look like:

Click OK all the way out to your browser, press refresh and you should be loading the web page through your secured tunnel!
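On whether the SOCKS version matters for this setup: the added example below (not from the original post) builds the CONNECT request a browser sends to the local port 9000 under SOCKS5 and SOCKS4, then decodes it to show whether the site's name travels through the tunnel or had to be looked up on the wireless network first. Function names are illustrative; the host and address are the ones from the traceroute post above.

```python
import ipaddress
import struct


def socks5_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT request; a hostname is sent as-is (address type 3)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)
    atyp = b"\x01" if ip.version == 4 else b"\x04"
    return b"\x05\x01\x00" + atyp + ip.packed + struct.pack(">H", port)


def socks4_connect(ipv4: str, port: int) -> bytes:
    """SOCKS4 CONNECT request: there is no hostname field, only an IPv4 address."""
    return b"\x04\x01" + struct.pack(">H", port) + ipaddress.IPv4Address(ipv4).packed + b"\x00"


def describe(request: bytes) -> dict:
    """Decode a request and say where any DNS lookup for the target happened."""
    if request[0] == 4:
        port = struct.unpack(">H", request[2:4])[0]
        target = str(ipaddress.IPv4Address(request[4:8]))
        return {"version": 4, "target": target, "port": port, "lookup": "local"}
    if request[0] != 5:
        raise ValueError("not a SOCKS4 or SOCKS5 request")
    atyp = request[3]
    if atyp == 3:                       # hostname: resolved at the far end of the tunnel
        end = 5 + request[4]
        target, lookup = request[5:end].decode("idna"), "remote"
    elif atyp in (1, 4):                # literal IPv4/IPv6: the client resolved it first
        end = 4 + (4 if atyp == 1 else 16)
        target, lookup = str(ipaddress.ip_address(request[4:end])), "local"
    else:
        raise ValueError("unknown SOCKS5 address type")
    port = struct.unpack(">H", request[end:end + 2])[0]
    return {"version": 5, "target": target, "port": port, "lookup": lookup}


if __name__ == "__main__":
    for req in (socks5_connect("google.com", 80),
                socks5_connect("64.233.167.99", 80),
                socks4_connect("64.233.167.99", 80)):
        print(req.hex(), describe(req))
```

Only the SOCKS5 hostname form keeps DNS queries off the wireless network. In Firefox the `network.proxy.socks_remote_dns` preference in about:config controls whether the browser sends the hostname or resolves it locally first.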

This is the easiest method of securing a wireless connection I have come across. Using only WEP or WPA encryption is a joke. If someone is interested in your wireless traffic enough to be monitoring it, you can be certain they know how, and will, break your WEP encryption. At home, I use WEP encryption in addition to this method of tunneling, so effectively I have two layers of encryption protecting my traffic. And if I'm accessing a website through HTTPS, that adds yet a third layer of encryption.

Although you can also use this SOCKS connection to encrypt your E-Mail (at least in Mozilla Thunderbird), you can also use the SSH -L option to encrypt specific connections over which you have no local control. However, I will leave that for the next HOWTO.

StatHound.com bug gives away free stats

I discovered a bug in StatHound that allows you to get full featured access for any domain on your account, so long as you're paying for at least one domain. How? I’ll explain in a moment, but first, a little about StatHound.

I use StatHound.com to monitor this, and several other websites. It's an awesome tool, with tons of useful information. Beautiful graphs to see exactly how many visitors have visited your site (both regular and unique hits), entry pages, IP addresses, Time Zones of the visitors, and even their screen resolutions and type of browser they're using! There is a tiny snippet of code that needs to be placed on the entry page to your site. This snippet of code sends information to StatHound about the person visiting your site, which is then stored in a database.

Phishing at its best

Ever heard of phishing? It involves attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). [phishing] It's a form of social engineering.

Many years ago, around a time that I consider some of my first real programming took place, there were programs written in Visual Basic that sent 50 instant messages automatically to 50 different screen names using the same message. How would you get 50 different screen names of random people? Well, there were programs that would record the screen name of every person that entered a chat room you were in. So you'd just join a very popular chat room, sit there for about 15 minutes and have a list of 100 or so screen names. Then you write a message (there were many template messages that people doing this simply shared instead of creating their own) such as "Hello, Due to a recent server crash, we lost the account information for several of our members. Your account was among that list. Please respond to this message with your full name, AOL password, and credit card billing information. Thank you, America Online Account Services".

It was amazing. Out of 50 messages sent to random screen names, maybe 30 - 40 people would respond with the information! The perpetrators then gathered LISTS of this information on different AOL accounts and would either trade the information, or log in to the AOL accounts and create a screen name for themselves (AOL allowed up to 5 at the time) to use while doing other unlawful activities.

So why am I writing about this now? Well I received an email today, from Amazon. It read as follows: