Main Menu  

   

The ICUFR forum  

  • Our forum is hosted by WebWiz the developers of the forum software.
  • The software can handle many different Forums, Sub Forums, Posts, Groups, and Members - subject only to hardware limitations.
  • There is an optimised user interface for mobile phones and tablets and facilities for Polls, RSS Feeds and Social Network sharing.
  • The forum is open to anyone, Rotarian or not, provided they register and accept the terms of use.
  • Registration is required in order to block spam bots who seek to post junk on forums.
  • Details of how to register are available from the 'How to register' page.

Go to the Forum now!

   

Digital Signatures

Part 1 of 3 - Roger Siddle

An article in the Guardian newspaper some while ago claimed 'your personal email set-up can be changed in just a few simple clicks to allow fraudsters to divert financially sensitive emails to their own account without you knowing anything about it’.

It tells how someone had their Gmail web settings changed so that the 'Filter' tab included a rule to select every email that 'Has the words' = 'bank account' and forward them to a hacker. Bank account details in the email were then altered and the email sent back to the victim, who unwittingly paid money into the hacker's account.

Now my wife and I are retired, we take longer holidays and sometimes rent houses abroad. Often private owners can't accept credit cards and insist that we pay the rent upfront into their bank account. Naturally they send us details of the account by email, raising the possibility of a similar fraud.

If this could apply to you, open up your web browser and access your gmail account. Click 'Settings' in the top right corner of the screen and then the 'Filters' tab and the 'Forwarding' tab to make sure there's nothing set up that you don't know about.

This is a classic instance of the 'man in the middle' security problem. If a third party can read your mail they may learn something to their advantage, but if they can alter your mail without your knowing they can lure you or your business into great danger.

To encrypt your email so nobody but the recipient can read it, you need encryption software - which can have issues. See Princeton - Guide to Using Encryption Around the World for advice on taking encrypted laptops and encryption software out of the USA.

These three articles deal with digitally signing a document to ensure that nobody has tampered with it. This would have foiled the exploit described above, but please note - it does not encrypt the text of the message. Anyone intercepting the email can read it.

The facility to create digital signatures is built into every day products like Microsoft Office and Outlook. The reason they are not more widely used is that you need a Public Key Certificate to prove your identity (see Wikipedia for background). There are practical ways in which the ICUFR can help Rotarians acquire digital certificates which will be covered in the second part of this article.

For background information on encryption here is a good starting point:
Beginner’s Guide to Cryptography & Some Useful Resources

Digital Signatures

Part 2 of 3 - Roger Siddle

In the first part of this article we described how a hacker tampered with an email to fool the recipient into sending money to the wrong bank account. If the email had been digitally signed, the recipient's email program would have immediately alerted him to the changes.

Neither businesses nor the average computer user use digital signatures for a number of reasons.

  • They were slow to become available, first appearing in Lotus Notes and other expensive corporate software. This has now changed and all major email programs include facilities to handle digital signatures.
  • They require digital certificates which in the early days were expensive. If you want a certificate for an online retail site then it still won't be cheap, but personal Class 1 certificates suitable for signing emails are now available from some certificate authorities at no cost.
  • They were complex to set up and difficult to use, and if nobody else was using them why should you? This article will show you how easy they are to set up, and hopefully encourage you to start using them.

The first step is to obtain a S/MIME digital certificate for use with email and there is a useful review of providers here. Comodo with 15% of the market in 2009 offers free certificates, valid for a year, from a company that will be recognised by major browsers and email clients. They do NOT validate who you are, but the certificates DO ensure the recipient is alerted to any changes in the email after you sign it and can be used to encrypt messages.

Go to thiis Comodo page and click on the 'Get It Free Now' button. This displays an application form that requires your name, email address, and country. You also need to supply a password (in case you want to revoke the certificate). Read the terms and click the 'Agree & Continue' button. A window should appear announcing 'Application is successful!' and you now need to check your inbox for an email with the subject 'Your certificate is ready for collection!'

The email includes a button labelled 'Click & Install Comodo Email Certificate' together with alternative instructions and a password to download the certificate. If you don't like clicking links in emails go to the secure address given and enter your email address and the 'Collection Password'. Click the 'Submit & Continue' button and a message will appear: 'Your personal certificate has been installed.’ Click 'OK' and you're done except for one thing - where's the certificate?

On the web you will find people going crazy trying to locate it, so here's what you need to know. Whether you click the button in the email or use your browser to fetch the certificate, it ends up in the Certificate store of your default browser (or the one you used). You will need to copy it from your browser to your email client.

Full instructions for importing and exporting certificates from Internet Explorer, Firefox, Chrome, Safari and Opera browsers can be found here. Export (or 'Backup') the certificate to a suitable place such as a 'Certificates' folder in My Documents.

Now you need to install the certificate and instructions for installing S/MIME certificates in most of the major email programs can be found on the LuxSci site. Using a certificate from Comodo it should not be necessary to install the 'Certificate Authority certificate' mentioned in the instructions.

Each installation guide is in two parts: how to import the Comodo certificate from wherever you saved it, and how to use the certificate to encrypt or digitally sign emails. It needs to be understood that you can't encrypt emails unless you know or can obtain the public key of the recipient. However once you have imported the certificate you can digitally sign any or all of your emails so it is probably easier to start with this.

To give an example, on Thunderbird you open your email account settings and select the ‘Security’ page. Pick the digital certificate that corresponds to the account from the drop down list of imported certificates and tick the ‘Digitally sign messages’ box. Now when you write an email on that account it will be digitally signed and the recipient’s client will check that it hasn’t been changed and display an icon to indicate that it is digitally signed.

As noted earlier the digital signature doesn't prove that the email came from the person named in the certificate. This is a difficult but important area for a global organisation such as Rotary which relies heavily on email communications. The final part of this article will discuss possible ways for Rotarians to obtain digital certificates that offer assurance that the holder is who they claim to be.

Digital Signatures

Part 3 of 3 - Roger Siddle

In the last part of this article we described how to get a digital certificate from Comodo for free that allows you to digitally sign your emails. Or you can pay Verisign $19.95 for a Digital ID that ensures "recipients of your e-mail will know that the content came from your e-mail address and has remained private during transmission" - just as the Comodo certificate does. Neither certificate offers any guarantee that you are who you claim to be.

The problem is not technical but practical: how to verify that someone applying for a certificate is who they say they are? Large companies know their employees and so can issue digital ID's for use within the organisation. Commercial websites are typically run by companies which have registered addresses and make annual returns. They can present documents to prove who they are but individuals have a problem proving their identity.

An individual may have a passport or a drivers licence with a picture, but unless the person issuing the certificate meets them and checks the documentation it's not reliable. In practice the people who are in a position to certify who you are - are your friends and acquaintances. But why should we trust what your friends say? We might if you have a lot of friends worldwide who are vouched for by lots of other people. This is the idea of a 'web of trust'.

The idea has been around for some years but has had only limited success, possibly because geeks don't get out much. But Rotarians do, and once a year Rotarians from all over the world get together at the RI Convention, wearing badges showing who they are. The House of Friendship would be a great place to have what is known as a key-signing party. In effect Rotarians would use their own digital certificates to countersign other Rotarians' certificates after checking the details aginst the convention badge. It sounds plausible but there are problems that make it unlikely to happen.

If you want your public key to be signed by others you will need to create it before the Convention. You will need a program to do this and to carry out other functions such as uploading your key to a public key server and counter-signing other people's keys. The instructions on the net are mainly for students running Linux, using free software derived from Phil Zimmerman's Pretty Good Privacy (PGP).

Most Rotarians run Windows or a Mac and will need a program for those operating systems. PGP was sold some years back to Symantec® who offer their PGP Desktop Professional package priced at GBP199.00 in the UK. If you look hard you can find one or two freeware programs for Windows XP based on old versions of PGP, but lack of cheap reliable software for current PC's probably kills off any idea of a Rotarian key-signing party.

That's a pity as a global organisation like Rotary, depending more and more on digital communications, needs to be sure who they are talking to.

How to Find and Activate Windows 7's hidden Admin Account

You may think that all 'administrator' accounts are created equal, but occasionally in Vista or Windows 7 you may need to use a hidden Administrator account created by Microsoft.

One example is when VMware's vCenter Converter tries to install an agent on a target machine to create a virtual image of that machine. If the target is a Vista or Win7 machine it will only allow the agent to be installed by the hidden Administrator account. You need to give the Converter software the name and password of that hidden account. This is how you obtain it.

HTML5 Powered with Connectivity / Realtime, Device Access, Graphics, 3D & Effects, Multimedia, Performance & Integration, Semantics, and Offline & Storage

HTML5 extends the language used to create web pages with new features that allow designers to achieve effects previously possible only with Flash. But it is a new standard and it will take a while before all browsers can correctly display pages which include the new tags. Some recent browser releases can handle nearly all that HTML5 demands of them, but older browsers will struggle.

Here is a resource showing what your current browser can handle, compared with other leading browsers. For each feature there is a demo to show it in action. Click here to visit: HTML 5 Demos and Examples

   

Memory Lane  

   
© ICUFR