Sysdig - A general purpose system capture and analysis tool
I’ve just been looking at a nice new tool called sysdig, which looks really useful for analysing and troubleshooting production systems. There’s a great blog post by Gianluca Borello detailing how he set up a number of honeypot servers with weak passwords, captured all system activity with sysdig, and then used the capture to show exactly how each server was compromised and what the attacker did at every stage. The level of detail he was able to recover is astounding, and I can see how powerful this tool could be for any sort of troubleshooting where it isn’t clear exactly what has happened, or is happening, on a system.
Old Article Comments
I exported these from my old WordPress blog, so they are a bit out of date, but I thought I’d keep them around for posterity.
[billjonesgeneralstore] - Reblogged this on You Better Watch Out.
Interesting Interview With Ladar Levison of Lavabit
An excellent and informative interview with the founder of the Lavabit email service, who was recently involved in a legal case with the FBI, which attempted to force him to hand over his SSL encryption keys. This was of course the email service used by Edward Snowden, so it attracted a lot of attention. There is some really interesting technical material in here, specifically about the value of perfect forward secrecy in HTTPS (which he wasn’t using, so a single private key could decrypt all previously recorded traffic), and the many clever ways he protected his users’ data. A classic moment: when finally forced to reveal the SSL private key protecting all 400,000 users’ data, he printed it out in 4-point font to hand to the FBI agents, and then, whilst they took the sealed envelope away, proceeded to completely shut down the service and his company, and encrypt all the data onto external hard drives. Brilliant stuff. http://www.youtube.com/watch?v=XTe0mT1611c
Cryptolocker - Seriously Problematic Ransomware
There’s a new piece of ransomware in the wild called CryptoLocker. It’s a nasty piece of software that uses public-key cryptography (a per-victim RSA key pair whose private half stays on the attackers’ server) to encrypt all your documents and files in the background, and then helpfully lets you know it has done so. You are then asked to pay $300/€300 to unlock your files; if you don’t pay before the deadline, the private key is discarded and the files are gone for good. Not only that, it also encrypts files on mapped shared drives, such as those on your business network. The biggest problem is that this is properly implemented encryption, and they have thought it through: there is no way to recover your files, short of paying them the money or restoring from backups (which you obviously already had taken). BACKUP YOUR FILES. [http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information] And don’t open random email attachments; that is the main way it spreads.
SQRL (Squirrel) Authentication - Bye bye usernames and passwords?
Disruptive technologies occasionally come along which can make a big difference in computing. Something in its early days, which I heard about last week, is the SQRL authentication proposal by Steve Gibson. It aims to address the very big problem of username and password authentication across the internet. This is a huge and annoying problem for every internet user: you must try to come up with secure passwords, whilst handing passwords to many different parties, some of whom you can trust and some of whom you can’t. The proposal is a simple idea, but it seems to work very well:
1. The website presents a QR code.
2. The user snaps the QR code with their phone’s camera.
3. The user is logged into the website.
A bit too simple? The strength is in the implementation: your secrets are not shared across different sites, you control the password protecting your private key at all times, and no third parties are involved. In the background, the QR code contains a URL carrying a unique, single-use token; the app on your phone derives a key pair specific to that site, signs the URL (token included) with the site-specific private key, and sends the signature and the matching public key back to the URL given by the QR code. The beauty of this is that the authentication happens out of band, over the phone’s own connection rather than the browser session, which is hard to intercept, and that the site never sees your master key or password, so even if the site is compromised, there is nothing of yours to lose. There are probably some weaknesses, but the general idea is brilliant, and will hopefully gain the traction it deserves. For more information have a look here: https://www.grc.com/sqrl/sqrl.htm
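To make the flow above concrete, here is an added example written for this page, modelled on SQRL’s published design (a per-site Ed25519 key derived by HMAC-SHA256 from the master key and the site’s domain) but not taken from the SQRL reference code or grc.com. The sqrl:// URL format, the ‘nut’ parameter name and the 32-byte master key are assumptions for illustration, and the server and phone sides run in one process rather than over the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// deriveSiteKey derives a per-site Ed25519 key pair from the user's master
// key and the site's domain. Two sites never see the same public key, and
// the master key itself never leaves the phone.
func deriveSiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// newChallenge is the server side: it mints the URL that goes into the QR
// code. The random "nut" (assumed name) makes every login attempt unique,
// so a captured signature cannot be replayed later.
func newChallenge(domain string) (string, error) {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		return "", err
	}
	return fmt.Sprintf("sqrl://%s/login?nut=%s", domain, hex.EncodeToString(nut)), nil
}

// clientRespond is the phone side: it reads the domain out of the scanned
// URL, derives that site's key, and signs the whole URL (nut included).
// It returns the per-site public key and the signature that the phone would
// POST back to the URL over its own connection, not the browser session.
func clientRespond(master []byte, challengeURL string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(challengeURL)
	if err != nil {
		return nil, nil, err
	}
	pub, priv := deriveSiteKey(master, u.Hostname())
	return pub, ed25519.Sign(priv, []byte(challengeURL)), nil
}

// serverVerify checks the response against the challenge the site actually
// issued. The site only ever learns this public key; there is no password
// to leak if its database is stolen.
func serverVerify(issuedURL string, pub ed25519.PublicKey, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, []byte(issuedURL), sig)
}

func main() {
	// Constructed master key: in practice a random secret that the user's
	// password unlocks on the phone.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	challenge, err := newChallenge("example.com")
	if err != nil {
		panic(err)
	}
	pub, sig, err := clientRespond(master, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge:", challenge)
	fmt.Println("site key:", hex.EncodeToString(pub))
	fmt.Println("server accepts:", serverVerify(challenge, pub, sig))
	// Same master key, different domain: an unrelated identity entirely.
	other, _ := deriveSiteKey(master, "other.example.net")
	fmt.Println("same key on another site:", pub.Equal(other))
}
```

The point to notice is that the site stores nothing secret: a breach of its user table yields public keys that are useless anywhere else, because a different domain derives a different key from the same master secret.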
Google's Password Storage Database
Do you have an Android phone? Some interesting news I read this week was that an innocuous setting on Android phones, which is on by default, saves your Wi-Fi passwords to Google’s servers. It also backs up all your app settings, bookmarks and so on. That in itself isn’t worrying; it could be considered a useful feature. The worrying part is that these passwords are not encrypted with a key derived from your account credentials: they are stored in a form Google’s own staff can read. This includes the password to every Wi-Fi access point you’ve connected to, at home, at work, and so on. Seeing as Google have been harshly criticised in the past for collecting data about the locations of Wi-Fi access points, it seems a little foolish to trust them with the plaintext passwords to all those access points too. We already know they can be compelled to hand this information over to the security services; this just makes it a little too easy for it to be abused. They claim that turning off the feature will delete the data from their servers, but who knows whether that happens or not? I am getting more and more concerned about how much this one company knows about me. It gives them an awful lot of power. What if I want to save my app settings but not my Wi-Fi passwords? There is no option; it’s pretty much all or nothing. I shall be backing up my data myself from now on, I think…
Security Breaches From The Sands of Time
I found some interesting old news from 1999, which someone posted a link to in the Security Now! newsgroup. I’ve recently started listening to this podcast; it’s a brilliant way to keep up with computer security news, and I feel a lot more informed having started to listen. http://www.heise.de/tp/artikel/5/5263/1.html http://www.heise.de/tp/artikel/2/2898/1.html The articles were to do with NSA back doors in two pieces of software, Microsoft Windows and Lotus Notes, which security researchers had found by reverse engineering the software. In the Windows case they traced a built-in signing key to the NSA by virtue of the fact that it was labelled with the stealthy name ‘_NSAKEY’; this came out of debugging symbols mistakenly left in Service Pack 5 for Windows NT 4. To some, this might be extremely old news (well, it was 14 years ago). However, it does show that at least then, Microsoft and Lotus (now owned by IBM) were willing and able to install back doors for the NSA to snoop on their customers. If they were willing and able then, why not now? So, the chances of there actually being back doors in Windows and Notes today, given the revelations last week, I’d say are pretty high. Microsoft have had years to develop a reputation for poor security in their products, and have been desperately trying to regain people’s trust since the bad old days. I wonder if the coming revelations from the Snowden files may set them back again in winning their customers’ trust.
Engineering Around The Privacy Crisis
Is it a crisis? The latest news from the NSA snooping debacle suggests it is. If they have the means to deliberately insert vulnerabilities into well-known encryption standards and circumvent others, then what were previously thought to be secure connections, to banks, email providers and search engines, may not be any more. Bruce Schneier issued something of a call to arms yesterday, asking engineers to look at how to resolve these problems and re-engineer the internet to our own needs once again, rather than those of some faceless security services personnel somewhere. I am not at all reassured by reports that the NSA only spied on their exes a few times using these powerful technologies they have at their disposal.

This got me thinking about areas of trust which really rest on the word of large companies. One such area is SSL, which has long been criticised for its reliance on central certificate authorities as the purveyors of trust and identity. When getting an SSL certificate for your server, if you want browsers to accept it without warnings, it must chain up to a root authority such as Symantec, Comodo or GlobalSign, or a reseller of theirs. If I was the NSA, I’d try to get access to a root certificate of my own, so I could mount man-in-the-middle attacks on encrypted websites. That is quite apart from the problems already reported in the past with certificate authorities issuing certificates to untrusted third parties. Although an end user may see that the website is ‘secure’, there is presently no standard validation procedure to ensure the certificate you are receiving is the one you would expect to be receiving. This has been well publicised, and there have been several cases of commercial companies using it to their advantage; notably Nokia, in its mobile web browsers. What this essentially means is that it isn’t that technically difficult to trick a user into sending their ‘secure’ traffic via your proxy. All the traffic is encrypted until it reaches your proxy, where you read it all and forward it on to the website the user was actually trying to reach. They believe they are accessing the website directly, but in reality it’s all being decrypted by a third party on the way.

There are several ways to defeat this. One is the extended validation (EV) certificate that some companies, notably banks, often use. These are harder to abuse, because the browser only shows the green bar for certificates issued under the stricter EV rules, so a fraudulently issued ordinary certificate for the same site would at least make the green bar disappear. That is all well and good, but most sites do not use them, it relies on the user noticing that the bar has gone, and again, they are only as secure as the root keys embedded in the browser. The green bar is also worthless in Internet Explorer, which has a way to add your own EV certificates, for ‘convenience’. I think the engineers at Microsoft sort of missed the point of these certificates entirely. A more promising solution is the DANE standard, which builds on DNSSEC. DANE lets the site owner publish the fingerprint of its SSL certificate (or of the public key inside it) as a TLSA record in DNS. Your browser can then verify that the certificate you are receiving is the one the site owner intended you to receive, and not one issued by a third party in transit. This standard sounds great, but as yet it isn’t supported by browsers. There are some extensions that allow people to use it, but the average user certainly isn’t going to do that. DNSSEC rollout has also been slow, and most domains are not yet signed, so the DNS records themselves could not be verified either. It is promising though: the technologies are already there to improve the integrity of the internet; it’s just a case of using them. And there’s nothing like a major security scare to push people to start implementing more secure means of communication. If the NSA want to get into your computer, they probably can.
But that isn’t really what we are trying to prevent; it’s the casual snooping of data, from anyone and everyone, just because they can, which is the problem. No warrants, no court orders, just riffling through your underwear without anyone’s permission. I can see more revelations coming out in the next few months. I am already eyeing my Android phone with suspicion; it would be easy enough for the NSA or GCHQ to write nefarious code into the operating system to track people’s locations, turn on the microphone or camera, or record the calls and texts they send. We already know they get co-operation from Google, so why not? Indeed, it was already revealed that Apple was tracking user locations in an iPhone cache file, and it now seems to me that this could have been one of the ‘helpful’ security issues the NSA would be happy to exploit. The problem is that companies we trusted to be acting in their customers’ best interests have now been revealed not to have been. They often seemed to prefer the approval of the NSA to that of their own customers. If that isn’t a privacy crisis, then I don’t know what is.
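The DANE check described in the post above, as an added example written for this page (not the author’s code, and not a real DNS lookup): a TLSA record is computed from a certificate the way RFC 6698 specifies, and a certificate presented by a server is then tested against it. The certificates are generated on the fly as constructed test data; only the DANE-EE usage (3) is modelled, and DNSSEC validation of the record itself is assumed to have happened already.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds the four fields of a TLSA record (RFC 6698), e.g. the
// zone line "_443._tcp.example.com. IN TLSA 3 1 1 <hex>".
type TLSARecord struct {
	Usage        uint8 // 3 = DANE-EE: the record names the end-entity cert itself
	Selector     uint8 // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8 // 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
	Data         []byte
}

// associationData computes what the record's data field must hold for a
// given certificate, selector and matching type.
func associationData(cert *x509.Certificate, selector, matchingType uint8) ([]byte, error) {
	var selected []byte
	switch selector {
	case 0:
		selected = cert.Raw
	case 1:
		selected = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unknown selector %d", selector)
	}
	switch matchingType {
	case 0:
		return selected, nil
	case 1:
		h := sha256.Sum256(selected)
		return h[:], nil
	case 2:
		h := sha512.Sum512(selected)
		return h[:], nil
	}
	return nil, fmt.Errorf("unknown matching type %d", matchingType)
}

// publishTLSA is what the site owner runs: it turns the certificate it
// intends to serve into the record to put in (DNSSEC-signed) DNS.
func publishTLSA(cert *x509.Certificate, selector, matchingType uint8) (TLSARecord, error) {
	data, err := associationData(cert, selector, matchingType)
	if err != nil {
		return TLSARecord{}, err
	}
	return TLSARecord{Usage: 3, Selector: selector, MatchingType: matchingType, Data: data}, nil
}

// String renders the record in zone-file form.
func (r TLSARecord) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
}

// matchesTLSA is what the client runs after fetching and DNSSEC-validating
// the record: does the certificate the server just presented match what the
// owner published? Usages 0-2 also involve the PKIX chain and are not modelled.
func matchesTLSA(presented *x509.Certificate, rec TLSARecord) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("usage %d not handled by this example", rec.Usage)
	}
	got, err := associationData(presented, rec.Selector, rec.MatchingType)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(got, rec.Data) == 1, nil
}

// selfSignedCert makes a throw-away certificate (constructed test data) so
// the example runs offline.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	genuine, _ := selfSignedCert("example.com")
	rec, _ := publishTLSA(genuine, 1, 1)
	fmt.Println("_443._tcp.example.com. IN TLSA", rec)
	ok, _ := matchesTLSA(genuine, rec)
	fmt.Println("genuine certificate matches:", ok)
	// An interception proxy presenting its own certificate for the same name:
	// valid to a browser that trusts the issuing CA, but not what the owner published.
	proxy, _ := selfSignedCert("example.com")
	ok, _ = matchesTLSA(proxy, rec)
	fmt.Println("proxy certificate matches:", ok)
}
```

Selector 1 with SHA-256 (the "3 1 1" form) pins the public key rather than the whole certificate, so the owner can renew the certificate under the same key without touching DNS; selector 0 would require a new record on every renewal.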