I also looked at GPG4Win. This is a front end for GPG for the Windows environment. It seems to have much of the same functionality as PGP and is compatible with it. It does give users a freeware option if they need PGP capability. The main drawback I see is that GPG4Win has its functionality split into different tools, while everything is available in one tool in PGP. This makes GPG4Win a little more clunky and difficult to figure out. Certificate management is done by Kleopatra. This program can also be used to encrypt and decrypt programs. Keys are managed by a tool called GPA. This tool can also do encryption of files as well as from the clipboard. The GPA tool was not included in the default installation. Still, it wasn't too bad and is a viable alternative to PGP.
Thursday, November 28, 2013
Mailvelope
Many people use web-based mail programs. I wanted to see if there was an easy-to-use encryption program for working with these programs. I found a convenient and very easy to use open source tool called Mailvelope. This program works with common mail programs such as Yahoo, Gmail, and Outlook. Other mail programs can be added. It is available as an add-on for the Firefox or Chrome browsers. It works as a front end to GPG. When composing an email, an icon appears in the writing window. When clicked, a box appears that allows a message to be created. This box functions as a sandbox to separate the text from the mail program. Click the lock to encrypt. A box appears to choose a key. Select the key and it encrypts the message. Hit transfer and the message is sent to the email program. There is also an option that can be selected to allow encryption to be done in the email editor. This is easier but less secure, since drafts can be saved unencrypted.
Decrypting is also very easy. Mailvelope detects when an encrypted message is received. A lock appears. Click on the lock. A sandbox appears. Enter the passphrase and the message appears in the sandbox. There is also an option to cache the password, but this is not recommended.
A lock icon in the browser corner allows configuration of Mailvelope, and key creation and management. It has some limits. It does not encrypt attachments. Nor is it able to do signatures. Other programs will have to be used for that.
http://www.mailvelope.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v0.7.0
Comment: Email security by Mailvelope -
http://www.mailvelope.com
=hXvV
-----END PGP PUBLIC KEY BLOCK-----
TrueCrypt
For this week’s blog I looked at some different encryption tools. To encourage people to actually use encryption, it has to be easy to use. One tool I looked at was TrueCrypt. TrueCrypt is an open-source, free encryption tool that has many of the same features as Microsoft’s BitLocker. It can encrypt folders and drives. There is a portable version that works with USB drives. It is quite easy to use. The TrueCrypt folder acts like a drive. Normal folder operations can be used and it will automatically handle the encryption and decryption. Data in the encrypted folder is never stored in an unencrypted form on the drive, but only in memory. It works with Windows, Linux, and Apple. BitLocker only works with the professional version of Windows, which limits its use. TrueCrypt has a boot loading feature that allows the system to boot from an encrypted disk. TrueCrypt has several strong encryption methods available, including AES. TrueCrypt has a steganographic method available which creates a hidden volume or even a hidden boot drive. If I were in a work situation where people were doing work on personal devices or taking work out on USB drives, I would encourage the use of TrueCrypt.
http://www.truecrypt.org/
Wednesday, November 20, 2013
The end of encryption?
Post-Quantum Cryptography, Daniel J. Bernstein
The textbook expressed concern that quantum computing will someday end encryption. If this is true, there will be a major security crisis if and when quantum computers become generally available. This made me wonder whether alternatives would be developed to provide secure encryption in the quantum computing age. I reviewed a PDF book on the topic. Much of the book is highly technical and way over my head. But the answer is no, quantum computing will not end encryption. A great deal of research is being done to come up with quantum-proof encryption methods. Most secret-key methods such as AES should still be secure. But public-key methods such as RSA and ECC will be vulnerable. A number of alternative methods of public-key encryption are being researched. Lattice-based methods such as NTRUEncrypt look promising. There are many alternatives available, but not all have been thoroughly tested for security. Other methods have been proven very secure, but they are very inefficient or use very long keys. More work has to be done to create practical alternatives.
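An added illustration (not from the book or the post) of why the split above between secret-key and public-key methods holds. It rests on the two standard quantum algorithms; $n$ is the symmetric key length in bits and $N$ is an RSA modulus.

Grover's search finds one marked item among $2^n$ candidates in about $\sqrt{2^n}$ evaluations, so a brute-force key search on an $n$-bit cipher costs

$$T_{\text{Grover}}(n) \approx 2^{n/2}, \qquad \text{so AES-128} \to 2^{64},\quad \text{AES-256} \to 2^{128}.$$

The effective security level halves, and doubling the key length restores it: this is why a secret-key method such as AES "should still be secure" with a larger key.

Shor's algorithm factors $N$ (and solves the elliptic-curve discrete logarithm behind ECC) in time polynomial in the bit length, roughly

$$T_{\text{Shor}}(N) = O\!\big((\log N)^3\big) \quad\text{(schoolbook arithmetic)},$$

whereas the best classical attack on RSA is subexponential, $\exp\!\big(O\big((\ln N)^{1/3}(\ln\ln N)^{2/3}\big)\big)$. Moving from a 2048-bit to a 4096-bit modulus raises the quantum cost by only a small constant factor, so no practical key-size increase rescues RSA or ECC; a different hard problem (lattices, codes, hash functions) is needed instead.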
Escaping CryptoLocker hell
Businesses offer best practices for escaping CryptoLocker hell, by Ellen Messmer, Nov. 18, 2012
This article gives advice on dealing with the CryptoLocker malware. This malware encrypts user data and holds it for ransom until the user pays the attackers for a key to unlock the data. Sometimes the key isn't even delivered when the victim pays. The ransom is typically $300, paid in Bitcoin. Often the only effective way to deal with the attack without paying the ransom is to do a full restore from a backup. The article recommends having frequent backups and backups of the backups. CryptoLocker is dynamic, since its creators are continually finding ways to get it past spam and anti-malware filters. CryptoLocker attacks are growing. The attackers use botnets and managed to hit 10,000 victims between Oct. 27 and Nov. 1. The attackers are relying solely on phishing emails to trick users into installing the malware. From there it can spread through the network, infecting other computers. The phishing emails often contain information seeming to come from FedEx or U.P.S. CryptoLocker is not the only ransomware. There is a new version of the FBI virus going around. This ransomware states that it has the victim's criminal record and will delete it for a fee. The article suggests using virus removal for the FBI virus instead of paying the ransom.
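Backups are the recovery answer; the detection side is spotting the encryption run while it is in progress. The script below is an added example, not from the article, of the simplest heuristic a file monitor can use: ciphertext is indistinguishable from random bytes, so a burst of rewrites whose contents suddenly have near-maximal Shannon entropy is a strong signal. The events, paths and thresholds are constructed for the demonstration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (every byte value
    equally common). Encrypted output sits near 8.0; text and office documents
    sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_changes(events, window_s=60, min_files=5, entropy_threshold=7.0):
    """Flag files touched in a burst of high-entropy rewrites.

    events: iterable of (timestamp_seconds, path, new_content_bytes), e.g. from
    a filesystem watcher. A ransomware run rewrites many files as ciphertext
    within seconds; a normal workday rewrites a few files at a time and most of
    them compress well. Returns the sorted list of paths that fall inside any
    window_s-second window holding at least min_files high-entropy rewrites.
    Caveat: already-compressed formats (zip, jpg, mp4) are naturally
    high-entropy, so a production monitor should also compare against each
    file's previous entropy or skip those extensions to limit false positives."""
    high = sorted((ts, path) for ts, path, data in events
                  if shannon_entropy(data) >= entropy_threshold)
    flagged = set()
    left = 0  # left edge of the sliding time window
    for right, (ts, _) in enumerate(high):
        while high[left][0] < ts - window_s:
            left += 1
        if right - left + 1 >= min_files:
            flagged.update(path for _, path in high[left:right + 1])
    return sorted(flagged)


# Constructed sample input (not real telemetry): six documents rewritten as
# ciphertext-like data within 20 seconds, one ordinary text edit, and one
# isolated high-entropy save an hour later.
CIPHERTEXT_LIKE = bytes(range(256)) * 16                   # entropy exactly 8.0
PLAIN_TEXT = b"Quarterly report: revenue up 4 percent. " * 100

SAMPLE_EVENTS = [
    (1000, "docs/report.docx", CIPHERTEXT_LIKE),
    (1003, "docs/budget.xlsx", CIPHERTEXT_LIKE),
    (1005, "docs/notes.txt", PLAIN_TEXT),           # normal edit, low entropy
    (1007, "docs/contract.pdf", CIPHERTEXT_LIKE),
    (1011, "docs/minutes.docx", CIPHERTEXT_LIKE),
    (1014, "docs/plan.pptx", CIPHERTEXT_LIKE),
    (1019, "docs/invoice.docx", CIPHERTEXT_LIKE),
    (4600, "backup/archive.zip", CIPHERTEXT_LIKE),  # alone in its window: not flagged
]

if __name__ == "__main__":
    for path in suspicious_changes(SAMPLE_EVENTS):
        print("possible ransomware activity:", path)
```

Run as a script it lists the six documents and stays quiet about the lone archive and the text file. The window and file-count thresholds are the knobs to tune against a few days of your own change logs before wiring the function to an alert or to an automatic "kill the writing process" response.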
Security problems with iOS apps
HP: 90% of Apple iOS mobile apps show security vulnerabilities, by Ellen Messmer, Nov. 18, 2012
HP has conducted extensive testing on more than 2,000 Apple iOS mobile apps. HP found that 90% of these apps had serious security flaws. HP found that 97% of the apps inappropriately accessed private information. HP found that 86% of the apps lack means to protect themselves from common attacks such as SQL injection or cross-site scripting. Three fourths did not use encryption properly, leaving data unencrypted on the device. Others did not implement SSL/HTTPS correctly. HP attributed the poor security to the rush of businesses to get apps out quickly. HP stated that Apple does provide security guidelines to developers, but that the guidelines did not go far enough. Companies are extending their web presence to mobile devices, but are also expanding their attack surface. The HP report said, “It is our earnest belief that the pace and cost of development in the mobile space has hampered security efforts, mobile application security is still in its infancy.”
Saturday, November 16, 2013
The Art of Deception.
For this week's blog I decided to scan through the PDF version of Kevin Mitnick's book “The Art of Deception.” This book gives an interesting examination of the workings of social engineering. Mitnick describes how social engineering can defeat even the strongest security systems. He stated, “Companies that conduct security penetration tests report that their attempts to break into client company computer systems by social engineering methods are nearly 100 percent successful.”
He gives many interesting examples of scams. These scams are mostly fictional, but they are based on real-life situations. If I were the victim of some of these scams, I could see myself falling for them.
Social engineers know how to play on human nature. They know how to play on trust, the desire to help or be helped, ingratiation, friendliness, and authority. Mitnick stated, “Some of these stories might lead you to think that I believe everyone in business is a complete idiot, ready, even eager, to give away every secret in his or her possession. The social engineer knows this isn't true. Why are social engineering attacks so successful? It isn't because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways.”
Mitnick's examples show how even seemingly innocuous information can be useful to gain more sensitive information. Social engineers are skilled at extracting little bits of information at a time. These pieces of information allow them to successfully pose as someone else and get the information they want. Small things like a cost center number, employee ID number, or phone extension number may be the key. Much of the success of a social engineer comes from being able to use the right insider language and knowledge. Much of the effort of social engineers is spent on gaining this knowledge.
Mitnick describes social engineers as follows: “Manipulative people usually have very attractive personalities. They are typically fast on their feet and quite articulate. Social engineers are also skilled at distracting people's thought processes so that they cooperate. To think that any one particular person is not vulnerable to this manipulation is to underestimate the skill and the killer instinct of the social engineer. A good social engineer, on the other hand, never underestimates his adversary.”
I found some examples interesting. People have been deceived into installing a Trojan horse by someone posing as an IT support person. They were tricked into installing what they were told was an urgent security patch. People have claimed to be law enforcement officers to gain access to confidential records. Other people have fallen for attackers claiming to be doing a customer survey. It is amazing what people can get away with if they have a good story. Even pretending to be a person who called a wrong number can work. He discusses finding information through dumpster diving and methods of using social engineering to gain access to buildings.
Mitnick gives practical advice with his examples on ways to improve security. The book gives a useful and detailed section on company security policies. Some of the technical information is dated. Mitnick stressed the need for training people so that they are aware of and on guard against the dangers of social engineering.
Thursday, November 7, 2013
Response to NSA revelations
Schneier: Make Wide-Scale Surveillance Too Expensive, by Ericka Chickowski, November 06, 2013
Security and privacy advocate Bruce Schneier responded to the recent revelations of NSA spying with a call to make eavesdropping more expensive. If the cost of eavesdropping is too high, the NSA and other spies will have to shift to targeted tracking rather than the wholesale tracking we see today. The vast amount of information that is collected on consumers is aiding the NSA’s monitoring. He said that what we now have is a public/private surveillance partnership. Schneier is advocating hardening the Internet for better security. He stated, "Fundamentally, surveillance is the business model of the Internet. The NSA didn't wake up and say let's just spy on everybody. They looked up and said, 'Wow, corporations are spying on everybody. Let's get ourselves a cut.'" His main suggestion was to make encryption ubiquitous on the Internet backbone. He also advocated distributing services to make tracking more expensive. He encouraged wider use of endpoint security products and better anonymity tools. He also encouraged monitoring to make sure that software does not have hidden back doors. He said that while the NSA is in the limelight now, it isn’t the only problem; many government agencies and private sector groups are engaged in spying.
Big Brother Is Watching You.
How stores use your phone’s WiFi to track your shopping habits, by Brian Fung, October 19, 2013
I find this article rather disturbing. Stores are beginning to monitor people’s cell phone Wi-Fi and Bluetooth signals when they visit stores. They are doing this by picking up the device’s MAC address. Using this technology, they can track your every movement through the store. Your cellphone’s MAC address can be linked with the purchases you make when you go to the checkout stand. The stores are keeping this information in a database, so they can monitor your movements and purchases as you make return visits. The database can be shared between multiple stores. The company that makes the equipment to do this has an opt-out policy. But how many people even know that they are being monitored? Also, the stores that buy this equipment are not obligated to follow the opt-out policy. Privacy advocates are concerned. What guarantee will there be that this technology won’t be misused to illegally monitor and track people?
Good Old XP
Microsoft urges users to upgrade from 12-year-old Windows XP, by Adam Greenburg, October 30, 2013
Good old XP. In my former work at a large semiconductor company, we were still using XP on all our desktops. My old company is not alone. 64% of all enterprise-level companies are still using XP. 52% of medium and 61% of small companies are still using XP. It got the job done and was light on system resources. But as of April 8, 2014, Microsoft will no longer provide security updates for XP SP3. It has already stopped supporting SP1 and SP2. Microsoft is urging users to upgrade to newer operating systems. This is easier said than done. There are so many legacy computers and applications out there that need XP. XP has about a six times higher malware rate than Windows 8. When Microsoft ended its support for XP SP2, its infection rate skyrocketed to 66% above XP SP3. Once XP is no longer supported, any new security hole found will remain open forever. This is a serious problem given how popular XP still is.
Friday, November 1, 2013
Metasploit tutorial.
As a network security person it is important to keep up to date on the tools that are available, both for offense and defense. Metasploit is a tool for penetration testing. It is rapidly developing. It is really a framework that allows many separate modules to work together. I found this recent video tutorial that gives an overview of Metasploit at http://www.securitytube.net/video/7854. Metasploit has scanning tools to discover vulnerabilities. Then there is a large database of exploits to attack those vulnerabilities. The exploit then delivers a payload, which is the result desired from the attack. This can include opening a remote session to a computer or installing a backdoor. Metasploit also includes encoders. These encoders scramble the code of the attack program to try to sneak past anti-virus programs.
He went over a new tool called the Social Engineer Toolkit (SET). I tried it out on Backtrack Linux. This tool is amazing. It has everything you need to set up a social engineering attack. There are so many tools. It can set up phishing emails, complete with handy templates. There are a number of ways to load malware onto documents such as PDFs. It allows the attacker to clone websites and load exploits on them. It even sets the website up for you. These fake websites can steal credentials or launch malware. It has a Java program that can be installed on the fake website. The Java program presents a credible-looking fake certificate to the user, and when the user presses okay, bam. You can create infectious USB/CD/DVD drives. There are even SMS attacks and malicious QR code generators. It will allow you to set up a malicious AP.
The speaker warns against misuse of the tool. He states that, “The difference between penetration testing and hacking is permission.”
Spying on the neighbors.
In my last adventure I engaged in session hijacking over Wi-Fi. This made me wonder how many people out there have unsecured Wi-Fi. So I loaded Vistumbler. It is available from www.vistumbler.net. See project 8-2 in the book. This is a Wi-Fi monitoring tool that gives SSID, MAC address, channel, signal strength, authentication type and other information. You can even set the speaker to tell you when it finds a signal. If the computer has GPS, it will automatically record the Wi-Fi AP’s location. I could see this tool being useful for tracking down rogue APs.
Vistumbler was able to pick up a surprising number of signals, even though many of them were too weak to connect to. I live in a typical residential neighborhood and without leaving my house I managed to pick up 46 signals. Of those 46, 3 were completely open, including my next-door neighbor’s. Another 3 had open guest accounts. One used WEP, for which there are cracking tools available. So more than one out of seven homes in my neighborhood were vulnerable. The other homes were using WPA or WPA2. But I bet a few of these may have had the router’s password set to default and could be opened. (I didn’t try.)
I found that if I held my laptop against the living room wall I could pick up quite a few signals. My daughter looked at me like, what was I doing? I explained. She asked, “Dad! You’re NOT going to break into the neighbor’s computers, are you!?” I assured her that I wasn’t. But I could have. My neighbor has a state-of-the-art burglar alarm, but he left the door wide open for a virtual burglar.
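The tally in the post (open, guest, WEP, WPA/WPA2) is exactly what an administrator wants automated when walking a site, plus the one thing a stumbler's raw list does not do by itself: catching a rogue AP that advertises your own SSID from a radio you do not own. The script below is an added example, not part of Vistumbler or the post; the scan records, MAC addresses and the authentication strings are constructed, and real tools label authentication types differently, so the string matching is an assumption to adapt to your export format.

```python
def classify_auth(auth: str) -> str:
    """Map a scanner's authentication label to a risk bucket.
    The label strings are assumptions; adapt them to your tool's export."""
    a = auth.strip().upper()
    if a in ("", "OPEN", "NONE"):
        return "open"      # no encryption: anyone nearby can join and read traffic
    if a.startswith("WEP"):
        return "wep"       # broken since 2001; treat exactly like open
    if a.startswith("WPA3") or a.startswith("WPA2"):
        return "modern"
    if a.startswith("WPA"):
        return "wpa"       # original WPA/TKIP: dated but not trivially open
    return "unknown"


def audit_scan(scan, my_ssid, my_bssids):
    """Summarise a survey and flag rogue APs impersonating your own SSID.

    scan: iterable of dicts with 'ssid', 'bssid', 'auth' (constructed here).
    my_bssids: BSSIDs of the access points you actually own. Any other radio
    advertising my_ssid is an evil twin (or a badly configured neighbour), and
    clients will happily roam to whichever one is louder."""
    owned = {b.lower() for b in my_bssids}
    report = {"open": [], "wep": [], "wpa": [], "modern": [], "unknown": [], "rogue": []}
    for ap in scan:
        report[classify_auth(ap["auth"])].append(ap["ssid"])
        if ap["ssid"] == my_ssid and ap["bssid"].lower() not in owned:
            report["rogue"].append(ap["bssid"])
    return report


def exposed_fraction(report) -> float:
    """Share of surveyed networks that offer no real protection (open or WEP)."""
    total = sum(len(report[k]) for k in ("open", "wep", "wpa", "modern", "unknown"))
    return (len(report["open"]) + len(report["wep"])) / total if total else 0.0


# Constructed sample survey (not a real capture); MAC addresses are made up.
SAMPLE_SCAN = [
    {"ssid": "HomeNet",       "bssid": "00:11:22:33:44:55", "auth": "WPA2-PSK"},
    {"ssid": "HomeNet",       "bssid": "66:77:88:99:AA:BB", "auth": "WPA2-PSK"},  # twin, not ours
    {"ssid": "linksys",       "bssid": "00:11:22:33:44:66", "auth": "Open"},
    {"ssid": "NETGEAR-guest", "bssid": "00:11:22:33:44:77", "auth": "Open"},
    {"ssid": "Smith_WiFi",    "bssid": "00:11:22:33:44:88", "auth": "WEP"},
    {"ssid": "Jones2.4",      "bssid": "00:11:22:33:44:99", "auth": "WPA-PSK"},
    {"ssid": "xfinitywifi",   "bssid": "00:11:22:33:44:AA", "auth": "WPA2-Enterprise"},
    {"ssid": "Casa",          "bssid": "00:11:22:33:44:BB", "auth": "WPA3-SAE"},
]

if __name__ == "__main__":
    result = audit_scan(SAMPLE_SCAN, "HomeNet", ["00:11:22:33:44:55"])
    for bucket, names in result.items():
        print(f"{bucket:8s} {names}")
    print(f"{exposed_fraction(result):.0%} of networks are open or WEP")
```

The rogue check is the part worth keeping on a schedule: export the scan periodically and alert whenever your SSID shows up on a BSSID outside the allowlist.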
How to creep your kids out.
This week I played around some more with penetration tools. I admit, it is kind of fun. But I have mixed feelings about this, because these tools in the wrong hands can be so easily misused. I played around with a Java application called Cookie Cadger. It is available at www.cookiecadger.com. Cookie Cadger can be used for session hijacking, in a similar way to Firesheep. It does this by monitoring for packets containing session cookies. After it finds the cookies, they are placed in a list. Just click on a session cookie and the hijacked session will pop up in Firefox. It was too easy. I used a machine running Backtrack Linux as the attack machine. First I attacked the victim computer over encrypted Wi-Fi. I did this by doing a man-in-the-middle attack. I used Nmap to find the IP address of the victim. I used a simple command line tool called Arpspoof for the MITM attack. Before I knew it I had hijacked my Yahoo mail, Blogger, and YouTube accounts. Then I temporarily turned off my router’s encryption to simulate an open Wi-Fi spot. With Linux I was able to set the card into monitor mode and capture all packets coming from my home computers.
I showed my youngest son and daughter how it worked. My daughter’s reaction was, “That is creepy, totally creepy!” My oldest daughter came by for a visit. She pulled out her smart phone and connected to the home Wi-Fi. My younger daughter said, “Be careful. Dad can see everything. I mean EVERYTHING!” It is kind of creepy. How many people will use an unsecured Wi-Fi hotspot without a thought, not realizing that the person sipping coffee at the next table is stealing all their personal secrets?
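What made those sessions hijackable is that the session cookie was sent over plain HTTP, where any radio on the same network can read it. On the server side the fix is a site served entirely over HTTPS with the `Secure` attribute on every session cookie (so the browser never sends it in the clear) and `HttpOnly` (so page scripts cannot read it). The checker below is an added example, not part of Cookie Cadger or the post; it audits `Set-Cookie` headers for exactly those two attributes. The headers are constructed, not captured from any real site.

```python
def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value_or_True}).
    Attribute names are lowercased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers, page_is_https=True):
    """Return (cookie name, problem) pairs for cookies a passive sniffer or an
    injected script could steal. headers: Set-Cookie strings as a server sent them."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "no Secure flag: the browser will also send it over plain HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly flag: readable by page scripts (XSS)"))
    if not page_is_https:
        findings.append(("*", "page served over HTTP: every cookie is visible on the wire"))
    return findings


def names_missing_secure(headers):
    """Just the cookies a sniffer on an open hotspot could collect."""
    return [parse_set_cookie(h)[0] for h in headers
            if "secure" not in parse_set_cookie(h)[2]]


# Constructed sample responses (not from any real site).
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly",   # correct
    "prefs=dark; Path=/",                            # exposed on both counts
    "auth_token=9b2e7d; Path=/; HttpOnly",           # leaks on any http:// link to the site
    "tracking=abc123; Domain=example.com; Secure",  # script-readable
]

if __name__ == "__main__":
    for name, problem in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
    print("sniffable:", names_missing_secure(SAMPLE_HEADERS))
```

Point the audit at the headers from your own login response (curl with `-i`, or the browser's network panel) and treat any session cookie in the `names_missing_secure` list as something an open-Wi-Fi attacker already has.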