Filed under (Miscellaneous, Computer tips, Applications of cryptography, Disk encryption, Difficulty level, Easy) by Matthias Hamann on 30 August 2008 at 16:49. (5,493 views)

BitLocker Drive Encryption is a feature of Windows Vista Ultimate and Windows Server 2008 which offers full disk encryption at the level of logical volumes (e.g., C:). As it uses AES 128 by default, and the only publicly known way to defeat programs like BitLocker or TrueCrypt (if properly configured) is the famous (but easily preventable) cold boot attack, I’d really recommend using it if you are not a follower of the “Microsoft is pure evil” cult. Needless to say, even the strongest disk encryption is only as good as the password or key mechanism you use. In the following, I will describe a little-known option which was introduced with Service Pack 1 for Vista and makes attacks based on keyloggers or stolen USB sticks considerably harder.




Filed under (Miscellaneous, Computer tips, Difficulty level, Easy) by Matthias Hamann on 16 August 2008 at 01:15. (7,031 views)

Some days ago I decided to improve the security of my new Wordpress blog by using .htaccess and Basic Authentication to protect the wp-admin folder. This task was rather trivial as the whole procedure is well documented in the Apache manual and there are convenient online tools to create the necessary .htaccess and .htpasswd files (.htaccess generator & .htpasswd generator) for those who don’t have their own server and use shared hosting instead.

So far, so good. But when I tried to access wp-login.php, which is located in Wordpress’ base folder, I realized that it uses two CSS files from the folder wp-admin/css. As wp-login.php and the two CSS files should be accessible to any visitor of my blog, I needed a way to exclude the subfolder wp-admin/css from the Basic Authentication protecting wp-admin. Unfortunately, there seems to be no specific directive for that purpose.

After searching Google for approximately two hours I finally found a solution which needs only three lines of configuration to bypass the Basic Authentication of the parent directory. Simply create a new .htaccess file in the subfolder you want to exclude from the authentication and add the following lines:

Order Deny,Allow
Allow from all
Satisfy any

“Allow from all” will grant any IP address access to this folder. But the decisive line is “Satisfy any”, which tells the server to accept either a correct Basic Authentication or the host-based access control expressed by the Order/Allow/Deny directives (the default is “Satisfy all”, which requires both). As “Allow from all” grants access to anyone, this effectively neutralizes the Basic Authentication inherited from the parent folder.
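To show the two files side by side, here is an added example of the complete setup, not taken from the post: the protecting .htaccess in wp-admin and the excluding .htaccess in wp-admin/css. The paths, the realm name and the .htpasswd location are assumptions. Because Order, Allow, Deny and Satisfy belong to mod_access_compat in Apache 2.4 and may not be loaded there, the subfolder file also carries the 2.4 equivalent, where a Require in the subdirectory replaces the inherited Require valid-user; the IfModule guards select whichever the running server understands.

```apache
# --- wp-admin/.htaccess (assumed path) ---
# Password-protect everything below wp-admin.
AuthType Basic
AuthName "WordPress administration"
# Keep the password file outside the document root so it is never served.
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# --- wp-admin/css/.htaccess (assumed path) ---
# Re-open only this subfolder, which holds nothing but stylesheets
# needed by the public wp-login.php.
<IfModule !mod_authz_core.c>
    # Apache 2.2 (or 2.4 with mod_access_compat): the three lines from the post.
    Order Deny,Allow
    Allow from all
    Satisfy any
</IfModule>
<IfModule mod_authz_core.c>
    # Apache 2.4: this Require replaces the parent's "Require valid-user".
    Require all granted
</IfModule>
```

Keep the exemption as narrow as possible: grant it to wp-admin/css only, never to wp-admin itself, and verify afterwards by requesting a CSS file and a PHP file under wp-admin from a browser without credentials; the first should load and the second must still prompt for a password.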