Tag Archives: encryption

Protecting output content from prying eyes

Sup PSHomies,

Security is on everyone’s mind these days. It’s no wonder, with GDPR going into effect as of May 2018. My quick take on GDPR? It’s just Data Protection & ILM (Information Life-cycle Management) with some serious penalty consequences. That archiving solution isn’t looking that expensive anymore, eh? Having an RBAC model in place makes a whole lot of sense right about now, huh? But I digress…

I get asked a lot to create reports. GDPR made me stop and reflect on how well (or maybe not so well) I’m handling/sharing these reports. Let’s just say I didn’t give myself a high score…

So my next challenge is about security, how do I keep prying eyes off my data? How do I make sure only the intended audience has access to the data?

First thing that came to mind was encryption. Turns out PowerShell v5 has some new cmdlets, Protect/Unprotect-CmsMessage, for this very purpose! Keith Hill has an excellent blog about getting started with them (seriously, how did I miss this???). Oh, and be sure to read Dave Wyatt’s comment.

Another must-read blog is that of Cyber Defense. I tried the code and was able to recreate the limitations, errors and performance issues. I also tried exporting to XML using Export-CliXml, but that gave me some issues with UTF8 encoding. I was able to protect a 500 MB file, but unable to unprotect it. Found yet another great tip on compressing files using the 7zip module (could it get any better???). The cmdlets are great for encrypting simple text.

The best route for protecting your data is to encrypt your password and use that password to protect your data as a zip file. Here’s what I came up with…

<#
Author: I. Strachan
Version: 1.0
Version History:
Purpose: Create an encrypted password file and save the password as
a Credential object
#>
function New-EncryptedCredentialFile {
    [CmdletBinding()]
    param(
        [String]$ThumbPrint = '0460483ADEF613D3B1781FAE393DF2AEAE1060ED',
        [String]$PasswordFile = 'C:\scripts\source\txt\Password.txt',
        [ValidateRange(20, 128)]
        [Int]$PasswordLength = 100
    )
    #Load "System.Web" assembly in PowerShell console
    Add-Type -AssemblyName System.Web
    #Calling Generated Password Method (second argument: minimum number of non-alphanumeric chars)
    $ClearPassword = [System.Web.Security.Membership]::GeneratePassword($PasswordLength, 0)
    #Encrypt the password to the recipient's certificate (public key) and save it to disk
    $ClearPassword |
        Protect-CmsMessage -OutFile $PasswordFile -To $ThumbPrint
    #return Credential for encryption
    $Credential = [PSCredential]::new($ThumbPrint, $($ClearPassword | ConvertTo-SecureString -AsPlainText -Force))
    $Credential
}
$Cred = New-EncryptedCredentialFile -ThumbPrint '0A5A254C42D710E2C0B1BC77B142FAEC7EA7B93B'

#Region Compress and password protect 7zip file
$param7Zip = @{
    Path            = 'c:\scripts\export\dsa\20062017'
    ArchiveFileName = 'pshirwin-20062017.7zp'
    Format          = 'SevenZip'
    SecurePassword  = $Cred.Password
}
Compress-7Zip @param7Zip
#Endregion

#Region Expand 7Zip protected password file
#Retrieve exported Credentials (same file New-EncryptedCredentialFile wrote to; decryption needs the private key)
$thumbPrint = '0A5A254C42D710E2C0B1BC77B142FAEC7EA7B93B'
$passwd = Unprotect-CmsMessage -LiteralPath 'C:\scripts\source\txt\Password.txt' -To $thumbPrint |
    ConvertTo-SecureString -AsPlainText -Force
$Creds = [PSCredential]::new($thumbPrint, $passwd)
Expand-7Zip -ArchiveFileName 'pshirwin-20062017.7zp' -TargetPath .\temp\pshirwin-20062017 -SecurePassword $Creds.Password
#Endregion

Let’s break down the function. First you’re going to need the public key of the intended party; Keith’s blog covers how to do that. The function will generate a 100-character random password, encrypt it and save it to the specified file. Last but not least, it will also return said password as a Credential object. This will be used later on to password-protect the zip file.
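As an added example (not code from the original post), here is the check I would run on the recipient certificate before calling Protect-CmsMessage: it confirms the thumbprint resolves to a certificate in the store, that the certificate carries the Document Encryption EKU the cmdlet requires, that it has not expired, and, where the private key is present, that a probe message round-trips through Protect-CmsMessage and Unprotect-CmsMessage. The store path default and the thumbprint in the usage line are assumptions (placeholders).

```powershell
# Added example, not part of the original post: validate a recipient
# certificate before handing it to Protect-CmsMessage.
# Assumptions: the certificate lives in Cert:\CurrentUser\My (override with
# -StorePath); the thumbprint in the usage line is a placeholder.
function Test-DocumentEncryptionCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ThumbPrint,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    # Protect-CmsMessage only accepts certificates carrying the
    # Document Encryption enhanced key usage
    $documentEncryptionOid = '1.3.6.1.4.1.311.80.1'

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $ThumbPrint }

    $result = [ordered]@{
        ThumbPrint      = $ThumbPrint
        Found           = [bool]$cert
        HasPrivateKey   = $false
        NotExpired      = $false
        DocumentEncrypt = $false
        RoundTrip       = $false
    }
    if (-not $cert) { return [PSCustomObject]$result }

    $result.HasPrivateKey = $cert.HasPrivateKey
    $result.NotExpired    = (Get-Date) -lt $cert.NotAfter

    # Read the EKU OIDs straight from the X.509 extension
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $result.DocumentEncrypt = $oids -contains $documentEncryptionOid
    }

    # A round trip is only possible where the private key is available
    if ($result.DocumentEncrypt -and $result.HasPrivateKey) {
        try {
            $probe = 'cms-probe-' + [guid]::NewGuid().ToString()
            $decrypted = Protect-CmsMessage -Content $probe -To $cert |
                Unprotect-CmsMessage -To $cert
            $result.RoundTrip = ($decrypted -eq $probe)
        } catch {
            $result.RoundTrip = $false
        }
    }
    [PSCustomObject]$result
}

# Usage (thumbprint is a placeholder, not a real certificate)
Test-DocumentEncryptionCert -ThumbPrint '0000000000000000000000000000000000000000'
```

Run it on the sending side to confirm the public key you were given is actually usable by Protect-CmsMessage (Found, NotExpired and DocumentEncrypt all True), and on the receiving side to confirm RoundTrip is True before a large archive is shipped and turns out to be undecryptable.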

This will at least protect your data from prying eyes. Like Dave said in his comment:

“Anyone with admin access to a computer, or physical access to an unencrypted hard drive, can steal those private keys in most cases.”

It’s not fool-proof but it’s a start…

Take away

Make sure you’re not the weakest link when it comes to security and protecting/sharing data. Make sure you understand your company’s GDPR compliance policies. I’m seeing quite a few Security officer job offers on LinkedIn if that’s your thing… 😉

One more blog I can definitely recommend reading is David das Neves’ blog on PowerShell Security at Enterprise customers. Granted, it’s quite the read, but well worth it!

Ok, there’s just one more blog you should also read: Don Jones’ blog on why you should stop using self-signed certificates.

It’s going to be a challenge for all of us, but one well worth it…

Hope it’s worth something to you…

Ttyl,

Urv

Back on the password wagon again. Having the password there in plain sight is kinda annoying, to say the least. Sure, the user login ID wasn’t printed (that would have been something, right?), still it’s just there in plain sight!!!

In this day and age with all the smartphones around, do we really need to print passwords and hand them out? Then it hit me… “Hey, what about QR Codes?” QR (Quick Response) Codes are those squares that have been popping up all over the place; I’m sure you’ve seen them around… Go on… give it a try… You know you wanna… 😉


Here’s the idea: instead of printing passwords, why not use a QR code to keep the password from plain view?

“Well that’s all good and well Urv, but anyone with a QR code scanner could still read it…”

True true… Hmmm… Say… wouldn’t it be great if you could somehow encrypt the QR Code in such a way that only the specified smartphone could read it? Go on… I’m listening…

Now QR Codes are public by nature. Still, I could imagine there would be times when you only want to give access to a few. Imagine having a QR Code in plain view that only you could decrypt!

So I googled ‘encrypted QR Code’ and sure enough, a hit! So encrypted QR Codes exist? Why isn’t this mainstream???

“Say Urv what does any of this have to do with PowerShell or Passwords?”

I’m getting there… Now ideally I’d like to have the possibility to encrypt/decrypt anything specifically for a smart device. Turns out most apps aren’t that sophisticated… yet, or maybe at a price… Somebody make this happen!

I’ve found some cool QR Code stuff at qrstuff.com. Password QR Code encryption is only for subscribers, but hey, it is a possibility!!!

Ok now for the PowerShell part.

Here’s the idea. I’ve talked before about generating random complex passwords, and I can also validate the credentials. Now all I need is some logistics in place to get the password to the user, ideally encrypted, at the very least obfuscated.

Ok, back to the smartphone. What if I generated a random four-digit code and used it to derive a four-digit decrypting code from the user’s mobile nr? The logic? Each digit of the random code is the position in the mobile nr of a digit of the decrypt code.

Something like this:

Decode rule

Say the random nr is 6132. The user’s mobile nr is 0612345678 (keep in mind that here in the Netherlands all nrs start with 06 and are 10 digits in total). The code to decrypt the message would be 5621.

Full disclosure: why start counting at zero? It just happens I got lucky with the fact that mobile nrs start with zero here. The random code is four digits drawn from a subset ranging from 1..9. It fits nicely, so I’m sticking with it! If anybody asks, it was by design… 😉
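The decode rule as a stand-alone function, added here as an example (not code from the original post), with the two checks the rule silently relies on: every passcode digit is a zero-based index into the mobile nr, so the passcode may only contain 1..9 and the mobile nr must be exactly 10 digits. Test-DecryptCode is a hypothetical helper for the validation side: it recomputes the code from what is on file and compares it with what the user typed back. The function names are my own; with the post’s values (passcode 6132, mobile nr 0612345678) Get-DecryptCode gives 5621.

```powershell
# Added example, not part of the original post. Function names are
# hypothetical; the sample values are the ones used in the post.
function Get-DecryptCode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PassCode,
        [Parameter(Mandatory)]
        [string]$MobileNr
    )
    # Each passcode digit is used as a string index, so 0 is not allowed
    # (it would always point at the leading 0 of a Dutch 06 number)
    if ($PassCode -notmatch '^[1-9]+$') {
        throw "PassCode must contain only the digits 1-9: '$PassCode'"
    }
    # The rule assumes a 10-digit number; shorter input would index past the end
    if ($MobileNr -notmatch '^\d{10}$') {
        throw "MobileNr must be exactly 10 digits: '$MobileNr'"
    }

    $code = ''
    foreach ($char in $PassCode.ToCharArray()) {
        # Cast via [string] first: [int][char]'1' is 49 (the ASCII code), not 1
        $index = [int][string]$char
        $code += $MobileNr[$index]
    }
    return $code
}

# Validation side: recompute from what is on file and compare with the user's answer
function Test-DecryptCode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PassCode,
        [Parameter(Mandatory)][string]$MobileNr,
        [Parameter(Mandatory)][string]$UserAnswer
    )
    $expected = Get-DecryptCode -PassCode $PassCode -MobileNr $MobileNr
    return ($expected -eq $UserAnswer)
}

# The post's worked example (passcode 6132, mobile nr 0612345678)
Get-DecryptCode -PassCode '6132' -MobileNr '0612345678'
Test-DecryptCode -PassCode '6132' -MobileNr '0612345678' -UserAnswer '5621'
```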

So I’d give the user a QR Code with the random code. The user knows his mobile nr. All the user has to do now is decrypt using our “secret rule”. Kinda reminds me of the secret decoder ring toy… Never lose your inner child 🙂

So here’s the PowerShell code:

$csvUserInfo = @'
samACCountName,MobileNr
user1,0612345678
user2,0613246587
user3,0618723145
user4,0687654321
'@ | ConvertFrom-Csv -Delimiter ','

$arrUserCodes = @()

Function random-passcode {
    param(
        $length = 4
    )
    # Pick $length distinct digits from 1..9 and join them into a string.
    # (Adding [char] values together in PowerShell gives their integer sum,
    # so the digits are joined with -join instead of +=.)
    $digits = 1..9

    $passcode = -join (Get-Random -Count $length -InputObject $digits)

    return $passcode
}

$hshUserCode = @{
    SamAccountName = ''
    MobileNr = ''
    PassCode = ''
    DecryptCode = ''
    Shortlink= 'http://<link to QR code>'
}

foreach ($user in $csvUserInfo) {
    $hshUserCode.SamAccountName = $user.samACCountName
    $hshUserCode.MobileNr = $($user.MobileNr).ToString()
    $hshUserCode.PassCode = random-passcode
    $DecryptCode = ''

    # Each passcode digit is a position in the mobile nr; the digit found at that
    # position becomes part of the decrypt code. Cast via [string] first, since
    # [int][char]'1' is the ASCII code 49, not 1.
    foreach ($char in $hshUserCode.PassCode.ToCharArray()) {
        $index = [int][string]$char
        $DecryptCode += $hshUserCode.MobileNr[$index]
    }

    $hshUserCode.DecryptCode = $DecryptCode
    $arrUserCodes += New-Object PSObject -Property $hshUserCode
}

$arrUserCodes | Select-Object SamAccountName, MobileNr, PassCode, DecryptCode, ShortLink | Out-GridView -Title "QR code encryption - $(Get-Date)"

Now you can give the user the four-digit random code and a shortlink to the QR Code. Use the DecryptCode to encrypt the QR Code. Only someone with knowledge of the ‘secret rule’ AND the mobile nr will be able to decrypt the QR Code.

At first I thought shortlinks were the way to go, just in case the user doesn’t have a smartphone with a barcode scanner… Or just do both:

  • http://”ShortLink to QR Code”
  • “Image of Encrypted QR Code”
  • Four digit code to decrypt QR Code

No barcode scanner? Use the shortlink; otherwise just scan and decrypt. Just remember encrypted QR codes aren’t mainstream yet (but it is possible, at a price), so maybe just having a QR Code instead of plain text in sight is a better option for now.

Ok that’s it for now… Hope this inspires you to think about some more uses for QR Codes…

Ttyl,

Urv