Android anti theft with Cerberus

posted 23 Feb 2013, 05:21 by James Gibbard

Cerberus is an Android application that helps you to get your phone back if it has been lost or stolen. It allows your phone's location to be tracked via the Cerberus website, or by SMS messages. In addition Cerberus allows you to take a picture or video of the suspected thief and even listen to what they are saying. Cerberus has a one-time cost of £2.59 for up to 5 devices.

Software like Cerberus is great if you lose your phone, however if it is stolen it is very likely that the thief will immediately turn the device off, wipe it and then sell it on at a later date. Wiping the device effectively removes the anti-theft software, leaving you with no clues as to where your device is. A way around this problem is to include the anti-theft software as part of the phone's ROM. This way even after a hard reset you can still track your phone's location.

Cerberus includes a special install file that allows you to integrate it into your ROM. In order to do this you must have an unlocked bootloader. XDA developers have a huge amount of information regarding rooting, unlocking and installing custom ROMs on your Android device. I have a UK GSM Samsung Galaxy Nexus and followed these instructions to root the device and return it to stock condition.

Go to the Cerberus website and download the file. Copy the zip file over to your android device. 

Follow steps 1 and 2 of these instructions. This downloads a recovery image file that will allow us to install the Cerberus application from a zip file. 

If you don't have the fastboot application then you can download it from this post where it is named platform_tools-V??.zip. Before running fastboot make sure you have correctly installed the drivers for your device, see this post for more details.

Plug your Nexus into your computer and switch it off. Start your Nexus in bootloader mode by holding power, volume up and volume down at the same time. 

On the computer open up a command prompt and type "fastboot devices". This should show the device ID of your phone. If not then the phone's drivers are not correctly installed on your PC.

Next type "fastboot boot cwn.img" The phone should load up the ClockworkMod Recovery img.
Use the volume keys to move up and down, and the power button to select. 
Select "install zip from sdcard"
Select "choose zip from sdcard"
Select "0/"
Select ""
Select "Yes"
Restart the phone.

Since Cerberus is hidden from the application tray you must dial a phone number to access it. 
The default is 23723787.

Login with your Cerberus username and password and configure the application as desired. 

Go to to check that your device shows up. 


Is it worth fitting an older laptop with an SSD?

posted 17 Nov 2012, 13:35 by James Gibbard   [ updated 17 Nov 2012, 13:44 ]

Solid state drives (SSDs) allow far faster data transfer rates than standard hard drives. This leads to faster boot up times and quicker loading of programs. Although including an SSD in any new computer is highly recommended, it is less apparent whether it is worth upgrading an old laptop (3 to 4 years old) by switching the hard drive for an SSD.
Since laptops normally only have space for one hard drive the SSD must be large enough to hold all required programs and files. For most people this means that at least a 256GB drive is required, ruling out the cheaper 64 and 128GB options.
The price of solid state drives (SSDs) has dropped rapidly since the beginning of this year, however there is still a large cost premium when compared to regular hard drives.
SSD Price
The above graph shows the price of a Samsung 256GB 830 SSD from April 2012 to Nov 2012.
At time of writing laptop hard drives can be purchased for less than £0.10/GB while SSDs are around £0.50/GB mark.
SATA 2.0 limitations
Another issue is that most older laptops feature a SATA 2.0 hard drive controller instead of the newer SATA 3.0.   SATA 2.0 has a maximum transfer rate of 3Gbits/s. Although this sounds high, it is only equivalent to 384Mbytes/s. Furthermore there are additional communication overheads that reduce the maximum speed to around 300Mbytes/s. Since most modern SSDs can manage about 500Mbytes/s transfer speeds the SATA 2.0 interface will be the limiting factor.
If you are lucky enough to have a laptop with a SATA 3.0 port you should not experience any throttling.
For this test a Dell Studio 1555 laptop was used. The laptop was purchased in Aug 2009.
  • Intel Core 2 Duo P8600 @ 2.40GHz
  • 4GB DDR2 RAM
  • ATI Mobility Radeon HD 4500 Series
  • Intel ICH9M I/O Controller (Sata 2.0)
  • Seagate Momentus 5400RPM, 320GB Hard drive
  • Windows 7 Home Premium
Before the SSD was fitted a clean install of Windows 7, Office 2010, Firefox and Microsoft Security Essentials was installed. All Windows updates were also installed.
The following measurements were recorded:
  • Boot up time (From pressing power button to displaying the desktop): 1 Minute 42 Seconds
  • Boot up time (and loading Firefox): 2 Minutes 12 Seconds
  • Loading Microsoft Word: 8 seconds
HD Tune was installed and a speed test was run. The results are shown below:
 A Samsung 256Gb 830 SSD was then fitted in place of the Seagate hard drive.
The Samsung 256Gb 830 has the following specifications:
  • Sata 3.0 6Gbits/s (Backward compatible with SATA 2.0)
  • Up to 520MB/s Sequential Read Speed
  • Up to 400MB/s Sequential Write Speed
Windows 7 was reinstalled and set up as before (All updates installed, Office 2010, Firefox and Microsoft Security Essentials).
The following measurements were recorded:
  • Boot up time (From pressing power button to displaying the desktop): 37 seconds
  • Boot up time (and loading Firefox): 38 seconds
  • Loading Microsoft Word: 1 second
 HD Tune was installed and a speed test was run. The results are shown below:

Although the SSD failed to get anywhere near the manufacturer's specifications (due to the SATA 2.0 interface), the difference in loading times before and after the upgrade is massive. The laptop now feels highly responsive where before it felt slightly sluggish. I can definitely recommend upgrading an older laptop with an SSD. It will likely result in a very noticeable performance gain, maybe even extending the useful life of a laptop for a year or two.

Website password security

posted 17 Jun 2012, 06:16 by James Gibbard   [ updated 4 Feb 2017, 06:56 ]

There has been a lot in the news recently about websites being 'hacked' and login details being stolen. The most recent high-profile case was LinkedIn, where over 6 million passwords were obtained. With these large-scale security breaches becoming increasingly common it may be worth spending a few minutes to learn about how websites store passwords and what you can do to protect yourself from having your passwords stolen.

Most websites store login details in a large database located on a database server. Database servers are normally well protected, however as seen recently they cannot be assumed to be completely secure. Once a database is breached the method in which the login data was stored becomes very important, and determines how easy it is for the hackers to gain access to people's passwords.

Probably the best way to explain how websites store passwords is through a series of examples.

Case 1 - Storing the password in plain text

In this first case the password is simply stored in the database in plain text.
I.e. if your password is: testpassword then it will be stored in the database as: testpassword.

If a hacker were to gain access to the database they would immediately have access to everyone's user names and passwords. On its own this would not be a major problem; unfortunately, many people use the same user name and password combination for many different websites. A hacker could gain access to a low-profile website which has minimal security, and then use the user names and passwords to try to log in to people's email accounts.

This is an extremely insecure method of storing passwords and very few websites will use this technique.

Case 2 - Storing the password as a hash

What is a hash?
A hash takes any string of characters, of any length, and converts it to a fixed-length string. When hashing passwords a special type of hash is used; this is known as a cryptographic hash. To put it simply, with an ideal cryptographic hash it is easy to create a hash from a password, but practically impossible to obtain the password from the hash. Also a very small change in the password will result in a completely different hash.

There are many different hashing algorithms available including MD5, SHA-1 and SHA-2. Some vulnerabilities have been found with MD5 and SHA-1, however at time of writing SHA-2 is still a good option.

How does it work?
  1. When you create a new account a hash is generated for your password
  2. Your user name and password hash are stored in the database
  3. When you try to log in a hash of your password is generated
  4. The hash stored in the database is compared to the hash of the password you just entered
  5. If they match you are logged in.
Why is it not secure?
If a hacker gains access to the database they now have a big list of user names with the associated hashed passwords. As mentioned previously, it is very difficult to get from a hash back to the plain text password. Unfortunately hackers can easily generate the hashes for nearly every possible password combination and store them in massive lookup tables.

Lookup table (SHA-1)

aaaaa:   DF51E37C269AA94D38F93E537BF6E2020B21406C
aaaab:   0B6AF663352EE0C8C74C90D4B20B6C7724B0547B
zzzzz:    A2B7CADDBC353BD7D7ACE2067B8C4E34DB2097A3

To cover every possible combination these lookup tables have to be very large. The number of possible combinations = NUMBER OF CHARACTERS ^ PASSWORD LENGTH. So if you are just using lower case letters and the password is 10 or fewer characters then there are 26^10 = 1.4*10^14 combinations. If you use capital letters as well that number rises to 52^10 = 1.4*10^17 and using all standard ASCII characters there are 128^10 = 1.18*10^21 possible combinations.

These numbers may seem high but with the power of modern computers these tables can be generated relatively quickly and in many cases are available to download precomputed from the internet.

The hackers then compare the hashes stored in the lookup table with the hashes in the compromised database. If any match the plain text password can be read from the lookup table.

Unfortunately this is the method LinkedIn were using to store passwords. As a result most of the hashes have already been cracked and the plain text passwords revealed.

Case 3 - Using a salt

What is a salt?
A salt is some random data added to a password before it is hashed. The main purpose of a salt is to stop hackers using precomputed lookup tables to crack large databases full of passwords. Salts can be any length, but longer salts help to increase the security.

How does it work?
  1. When you create a new account a random salt is generated
  2. The salt is combined with the password and the result is hashed
  3. The user name, salt and hashed combination of the password and salt are stored in the database
  4. When you try and login your password is combined with the salt and the result is hashed
  5. If this hash matches the hash stored in the database you are logged in.

How does this help protect the password?

If a hacker gains access to the database they will have a list of all the user names, salts and the hash of the combination of the password and salt. The salts are long enough that a hacker cannot feasibly generate a lookup table that covers every possible combination of password and salt. If all the passwords use the same salt the hacker can just regenerate the lookup tables so that they include the salt. However if the salts are long and random then using a lookup table is no longer an option for the hacker.

The passwords are still vulnerable to a brute-force attack, however this is very time consuming.

Case 4 - Key stretching

Key stretching is a technique used to slow down a brute-force attack. Key stretching basically involves repeatedly hashing the output of the hash of the password and salt. When an attacker is attempting to gain the password through a brute-force attack, each password they try will need to be hashed the same number of times as the hashes in the compromised database. If several thousand iterations were used then it will take roughly 1000 times more CPU time to guess the password through a brute-force attack. As computers get faster the number of iterations can be increased.
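The three hashed storage schemes above (cases 2 to 4) side by side, as an added example that is not part of the original post: it shows a precomputed table recovering unsalted hashes, failing against per-user salts, and a key-stretched record being verified at login. The user names, candidate list and function names are constructed for illustration, and PBKDF2 from Python's standard library stands in for the repeated hashing the post describes.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed password list.
CANDIDATES = ["aaaaa", "aaaab", "zzzzz", "testpassword"]
# Constructed user database (user name -> password chosen at sign-up).
USERS = {"alice": "testpassword", "bob": "testpassword", "carol": "zzzzz"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest().upper()


def store_unsalted(password):
    """Case 2: the stored value depends only on the password."""
    return sha1_hex(password.encode())


def store_salted(password):
    """Case 3: a fresh 16-byte random salt per account, stored beside the hash."""
    salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def store_stretched(password, iterations=100_000):
    """Case 4: salt plus key stretching (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_stretched(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt, iterations, key = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(guess, key)


def build_lookup_table(candidates):
    """hash -> password, computed once and reusable against any unsalted dump."""
    return {sha1_hex(p.encode()): p for p in candidates}


def recovered_by_table(table, stored):
    """Accounts in `stored` (user name -> hash) that fall to a plain table lookup."""
    return {user: table[h] for user, h in stored.items() if h in table}


def compare_schemes():
    table = build_lookup_table(CANDIDATES)
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    return {
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "unsalted_recovered": recovered_by_table(table, unsalted),
        "salted_recovered": recovered_by_table(
            table, {u: h for u, (_, h) in salted.items()}),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(name, value)
    record = store_stretched("testpassword")
    print("correct password:", verify_stretched("testpassword", record))
    print("wrong password:  ", verify_stretched("testpassw0rd", record))
```

With unsalted hashes, alice and bob also share an identical stored value, so one recovered password exposes every account that reuses it; the salted column removes that link.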

What can you do to protect yourself?

  1. Use a different password for every website you use
  2. Use a long (14 digits+) secure password containing uppercase, lowercase, numbers and symbols
  3. Use a password manager like LastPass or KeePass to keep track of all your passwords.

Creating a VPN server for secure browsing

posted 6 Aug 2010, 04:03 by James Gibbard   [ updated 8 Aug 2010, 17:42 ]

While connected to a public network, such as a free wifi hotspot, it is worryingly easy to intercept other users' web traffic including login details, sites visited and the contents of emails. I will shortly be writing a post describing how to actually perform this attack, but first here is how to protect yourself.

The idea behind a virtual private network (VPN) is to securely connect a remote user to a company's network, in order to access resources and offer the security of browsing the web behind the organisation's firewall. This is of course a simplistic description; if you are interested Wikipedia is a good place to start.

By setting up a VPN server at home you can remotely connect to this over the internet, allowing you to encrypt all your web traffic between your current location and your home computer.

Note: This does not encrypt the traffic between you and the internet, only between you and your home network, where the data is then sent on like normal. A quick example of where this would be useful is if you were in a coffee shop, where there is free wifi, you can browse safely, even if someone else at the coffee shop is trying to intercept web traffic.

Setting up the server
There are many ways to set up a VPN server, using both Windows and Linux. For this tutorial I will use a Linux operating system running OpenVPN Access Server. The first step is to install Linux on a computer; almost any distribution will do. For this tutorial I have chosen to use Ubuntu Server 10.04 (32bit) which at the time of writing is the most recent version. If you do not have a spare computer to use as a server you can use a virtual machine, [LINK TO VIRTUAL MACHINE PAGE]

Note: Installing Ubuntu using the method described below will wipe the computer's hard drive. Please ensure that there is nothing saved on that computer that you wish to keep. There are ways to dual boot with Linux and Windows, however this is outside the scope of this article.

Installing Ubuntu Server is pretty straightforward. How to Forge have a great guide but only follow Page 1 and Page 2 as the rest of the tutorial is surplus to requirements for the server we are creating.

Once the server is up and running it is time to give it a static IP address. Log in to the account you created during the setup and type:
sudo nano /etc/network/interfaces
You will be asked for your password and then you will be shown the contents of a text file which will look roughly like this:

auto eth0
iface eth0 inet dhcp

Change the file so that it is like the example below, remembering to replace the values for address, netmask and gateway with the correct ones for your network.

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1

Save the file by pressing Ctrl-x, then typing y to confirm the changes and finally pressing enter.
Next restart the networking by typing:
sudo /etc/init.d/networking restart

Type ifconfig to check that you now have the IP address that you set.

Ubuntu Server is now correctly set up so it's time to install OpenVPN Access Server. First go to their website and register for an account. This will give you a licence key that allows 2 concurrent users to connect to your VPN server. More user licences can be purchased if required, however if it's only you using the server, it's completely free.

Once registered download the software to your server by typing:
(This is the latest version at the time of writing, visit here to check for updates)

Next install the software by typing:
sudo dpkg -i  openvpn-as-1.5.4-Ubuntu9.i386.deb
After it finishes it should look similar to the screen below.

The next step is to run the configuration program by typing:
sudo /usr/local/openvpn_as/bin/ovpn-init

Accept the terms and conditions by typing yes and then pressing enter, as shown below.
Press enter to set as the primary server.
Press enter to select default network interface.
Press enter to select the default port of 943.
Press enter to select the default tcp port of 443.
Press enter to allow client traffic to be sent through the VPN.
Press enter to allow private subnets to be accessible.
Press enter to use 'root' as the login.
Type in the licence key that you got when you registered and press enter.

Once you have done this you should see a screen like the one below.

This completes the installation. Before we can log in to the VPN's web interface we need to set up a root password. (This is because in Ubuntu you can't log in to the root account by default.)
This is done by typing: sudo passwd root
Type in your normal password, hit enter, then type the new root password, hit enter and type it in again. (Make sure it's very secure!)

Go to another computer on your network and go to https://YourServer'sIPAddress:943/admin
You will probably be told by your web browser that the connection is untrusted, or words to that effect. This is because we are using a self-signed SSL certificate. It is fine to continue through since we own the server and we know it is safe to connect to.
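One way to keep that warning meaningful on later connections, as an added example that is not part of the original post: record the self-signed certificate's SHA-256 fingerprint while you are still on your home network, then check that later connections present the same certificate. The pin file name and function names are assumptions.

```python
import hashlib
import hmac
import ssl
import sys
from pathlib import Path


def fingerprint_from_pem(pem_cert):
    """SHA-256 over the certificate's DER bytes (the fingerprint a browser's
    certificate viewer displays)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_fingerprint(host, port=943):
    """Fetch the server certificate without validating it, since it is self-signed."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_from_pem(pem)


def check_pin(fingerprint, pin_file):
    """Trust on first use: store the fingerprint once, then require it to match."""
    path = Path(pin_file)
    if not path.exists():
        path.write_text(fingerprint + "\n")
        return "pinned"
    stored = path.read_text().strip()
    return "match" if hmac.compare_digest(stored, fingerprint) else "mismatch"


if __name__ == "__main__":
    # Usage: python pin_check.py <address of the VPN server>
    # "openvpn-as.pin" is a hypothetical file name for the stored fingerprint.
    print(check_pin(fetch_fingerprint(sys.argv[1]), "openvpn-as.pin"))
```

A "mismatch" result means the certificate presented is not the one recorded at home, so the browser warning should not be clicked through until the reason is known.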

Log in using the root account and you will be presented with the web interface of the VPN server. From here you can configure the VPN server just the way you want it.

For this tutorial the only setting that needs changing is the "Hostname or IP Address" setting, which can be found under the "Server Network Settings" section. This should be changed to your external IP address (this can be found by visiting here). If you have a dynamic IP address visit which is a service that provides you with a web address which always points to your correct IP address. Once this is entered go to the bottom of the page and click "Save Settings".

Finally go back to the "Status overview" page and click "Start Server".

The server should now be fully operational.

In order to access the server from outside your home network you will need to forward the correct ports to the internal IP address of your server. By default OpenVPN uses:
TCP 443
UDP 1194
TCP/UDP 943
has instructions on how to do this for most routers.

Connecting to the VPN
Now the server is all set up you are ready to connect to the VPN from a remote client. Using your web browser go to https://YourIPAddress:943 and log in with your user name and password (not the root account). You will then be presented with a page that allows you to download a client for your operating system. If you are using a Windows computer to connect to the server, download the file openvpn-client.msi in the "Auto Login" row of the table.

Run the openvpn-client.msi installer and once that has finished start the client by clicking on the desktop shortcut. Click on the grey square, with the IP of your server written inside of it, to start the VPN connection.

Your web traffic is now being securely tunnelled between the client and the server.

You can now browse the internet on untrusted networks and public wifi hotspots in relative safety.

Speed up tagging photos on Facebook

posted 23 Jan 2010, 12:49 by James Gibbard   [ updated 23 Jan 2010, 15:39 ]

Tagging photos on Facebook can be a laborious process. Normally if I upload a large set of photos I will tag  all the people in the album, in one photo each, and then allow them to tag themselves in the rest.  I will then go through and tag myself in all the ones in which I appear.

As anyone who uses Facebook knows to tag a photo you click on the person in the photo, type the first few letters of their name and then hit enter. This takes a while, and if you are only tagging yourself you find that you are constantly going from the keyboard to the mouse over and over again.

To stop this I made a small program in AutoHotKey to partially automate the process and consequently greatly speed it up.

The program allows entry of the names of the two people that you wish to tag quickly (For example you and your other half).

  • Double click on the .exe file
  • Click ok and press the windows key and z to set the two names (Or one name)
  • Once entered, simply go to the first photo in the Facebook album and click "Tag this photo".
  •  Hold the control key and left click to tag the first person and control and right click to tag the second person.
  • To go to the next photo double press control
  • Once all the photos have been tagged click finish tagging.
  • Press the windows key and x to exit the program.
This won't work if you are trying to tag a person who has the same name as someone else in your Facebook contacts (i.e. two John Smiths).
Secondly you must enter their name as it appears on their Facebook account. If you do not do this then the person will be tagged but the tag will not be linked to their profile.

I made this program for my own use, therefore it's not very user friendly, but I'm sharing it in the hope that someone else might find it useful!

Click here to download the program.
See below to download the source code.
(Feel free to edit and redistribute it as you wish.)

Play sound through the line-in jack on Windows 7

posted 22 Jan 2010, 11:56 by James Gibbard   [ updated 22 Jan 2010, 12:43 ]

Windows 7 comes with the ability to play the sound input from the line-in jack. This allows you to play a friend's mp3 player through your computer's speakers. This is especially useful if you have a laptop, as it means that it can be used as a portable speaker system.

1. Right click on the sound icon in the bottom right of the screen and select recording devices.

2. Select your line in device from the list and click properties.

3. Tick the "listen to this device" box then click ok and ok again.

4. Finally plug the mp3 player into the line-in socket using a 3.5mm male to 3.5mm male audio cable.

Online backup with Mozy

posted 22 Jan 2010, 05:29 by James Gibbard   [ updated 15 Jun 2010, 12:29 ]

While working in a small computer repair shop I regularly saw cases where people lost every digital picture, document and file they owned. Whether it was due to hard drive failure or a particularly nasty virus, it was very rare to find that they kept an up-to-date backup of their files.

Realizing how priceless my digital files are I've been doing a weekly backup to an external hard drive for several years. Recently I discovered that the hard drive on which I store the backups of both my desktop and laptop had itself suffered from hardware failure. I decided that I needed a more robust backup system.

After reading Lifehacker's Hive Five about online backup services I decided to go with Mozy. My decision was mainly based on the fact that Mozy is owned by a large and respected backup company and therefore less likely to disappear after a few months like many internet companies.

For home users there are two account types, a free account with 2GB of storage and a paid account with unlimited storage.

The Mozy software allows you to be very specific in what you back up, therefore if you are only worried about keeping remote copies of all your word documents this can be easily configured in the options. 

At first I started using the free account to back up documents but not pictures and music. I quickly forgot that it was running until an important Word document I was working on became corrupted. Mozy attaches a virtual hard drive to your computer that when browsed shows all current files as well as files that have been deleted up to 30 days ago. It is also possible to see all revisions of each file over the past 30 days. Restoring a file is as simple as right clicking and selecting restore. Since then I have upgraded to the unlimited paid account so that I can back up everything.

The obvious disadvantage with an online backup is that your files need to be uploaded over the internet. Despite having a relatively fast connection this still took nearly a week. Mozy does a good job of doing this in the background so that it does not disrupt your computer use.

Download Mozy for here
