After reading an interesting article posing the question of why we are still using RC4, it got me thinking: why not?
Now, the article itself states that while it's not gone the route of XOR encryption just yet, it's rapidly getting close to that point. A big aspect of using RC4 is its portability and no need for CPU extensions. RC4 was invented in 1987 and made public (well, as public as it can be) in 1994; since then all hell has broken loose.
While there are no official documents by RSA on how the algorithm works, many people have been able to replicate it pretty easily, and have even written variants of it to improve some of its downfalls (i.e.: RC4+ and ARC). While the article suggests that RC4 will be extinct soon, we are after all still using WEP in some of our networks as well (which I believe also uses RC4 for the encryption stream).
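Since the post mentions how easily RC4 has been replicated from the leaked description, here is an added example (my own code, not from the article) of the cipher in plain Python, plus a small measurement of the best-known reason it is being retired: the second keystream byte is 0 about twice as often as it should be (the Mantin-Shamir bias). The sample keys are constructed deterministically from SHA-256 so the run is repeatable.

```python
import hashlib


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:  # PRGA: one output byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def second_byte_zero_rate(sample_keys: int) -> float:
    """Fraction of keys whose 2nd keystream byte is 0.

    For an unbiased stream this would be about 1/256; RC4 gives roughly 1/128,
    which is why a fixed-position plaintext byte leaks across many sessions.
    """
    hits = 0
    for n in range(sample_keys):
        # Constructed 128-bit keys, deterministic so the measurement is repeatable.
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]
        stream = rc4_keystream(key)
        next(stream)  # skip byte 1
        if next(stream) == 0:
            hits += 1
    return hits / sample_keys


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())
    print("P(second byte == 0):", second_byte_zero_rate(16384), "vs 1/256 =", 1 / 256)
```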
Are there better options when we’re talking about SSL/TLS? Always. You can use encryption that requires hardware (fobs), use asymmetric block-stream ciphers like AES, or even write your own (which will most likely not be a better option in practice, but is personally fun to devise regardless).
When it comes to IT, everything will be broken. Everything is meant to fail, or else we’d still be content with using bit-shifting to hide our secret love letters (even rot13 is a wiser choice in that regard).
I got into setting up OpenVPN for my business needs and looked into what ways I can implement to make it more secure. Granted, there’s no IPSec setup going on (thankfully for my needs), but OpenVPN still allows a lot of options: PAM, certificate, user/password pair, etc… Even more so when you consider OpenVPN’s authentication system is plugin-based, so you can in theory have unlimited options for this.
What I ended up doing is setting up two OpenVPN servers, one a little less strict than the other. One runs on the standard port (1194) while the other runs on 1195. The standard-port install is what I like to call “security dungeon”. The current setup consists of:
- Server certificate
- User certificate and key
- System username
- System password
- Google Authenticator
So, in a way I have 5-factor authentication for an OpenVPN setup. The user needs the first 4 to even be considered, and the authenticator token is prepended to the password when you type it in. However, the one that runs on port 1195 requires only the first 2.
Why did I set these up this way? Well, the standard port instance has sort of become a dev config install. It’s easy enough to work on and edit, but it’s mostly intended for testing purposes. The 1195 instance was spawned off to allow my mobile phone to connect to it (using the authenticator on it is just too much hassle). So for those times where I’m connecting my phone to a local McDonald’s WiFi I have nothing to worry about.
Is there really a point to having this much in-depth security, though? Who is going to really sit there and try to hijack my OpenVPN that really isn’t connected to anything within my business’ network? It’s just sitting there looking pretty and running in an LXC container.
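To make the "token prepended to the password" step concrete, here is an added example (my own code, not the post's actual PAM configuration) of the check an OpenVPN `auth-user-pass-verify ... via-file` script would perform: split the six TOTP digits off the front of what the user typed, verify them with RFC 6238 (HMAC-SHA1, 30-second step, the scheme Google Authenticator uses) allowing one step of clock drift, and check the password in constant time. The user table and its secret are constructed values; the secret is the RFC 6238 test key, chosen so the result can be checked against published vectors.

```python
import hashlib
import hmac
import struct
import sys
import time

# Constructed demo user store; a real deployment would read the system user/PAM.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}
STEP = 30  # seconds per TOTP window


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (what Google Authenticator produces)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_credentials(username: str, typed: str, now=None, window: int = 1) -> bool:
    """typed is '<6-digit token><password>', as the post describes.

    Both factors are always evaluated so a failure does not reveal which one was wrong.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or len(typed) < 6 or not typed[:6].isdigit():
        return False
    token, password = typed[:6], typed[6:]
    pw_ok = hmac.compare_digest(password.encode(), user["password"].encode())
    tok_ok = any(
        hmac.compare_digest(token, totp(user["totp_secret"], now + k * STEP))
        for k in range(-window, window + 1)
    )
    return pw_ok and tok_ok


if __name__ == "__main__":
    # OpenVPN (via-file) writes username on line 1 and password on line 2; exit 0 = accept.
    with open(sys.argv[1]) as fh:
        name, typed = fh.readline().rstrip("\n"), fh.readline().rstrip("\n")
    sys.exit(0 if verify_credentials(name, typed) else 1)
```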
There’s a plethora of scripting languages available: Shell, Perl, Python and Ruby, to name a few. While I’ve used all but one of those (Ruby), I’ve always wondered to myself what makes me use one over another.
Shell I use for when I want something quick and dirty and easy access to the OS. Instead of having to build loops in Python to browse through a directory recursively, I just have to do a simple for loop in Shell. It also allows for retrieval of certain data without requiring extra libraries or modules (next best thing in both these cases would be Perl).
Next there is Perl, which comes standard on most Linux distros. It used to be the de-facto scripting language next to Shell (and really seemed to surpass it). I never used it much, to be honest, as the language was far too different for me compared to what I was used to at the time (C & C++ mostly), and I was in high school as well. From what I’ve seen of it, though, it has a structure similar to Python, where it has its core functionality and then everything else is a module. While this isn’t horrible, it can drag development.
Python, which I have only used for about 2 years now, has become my go-to scripting language for these needs. It offers a lot of power and ease of use without sacrificing much. The only issue really is that it’s based on indentation (which is why I use Sublime Text Editor). While a lot of things can be done via modules, you can also write your own methods, which can be more efficient.
Microsoft has a program called MAPP (Microsoft Active Protections Program). Basically, this is a program Microsoft started where people can get early access to Patch Tuesday releases, being able to update their Windows systems before others (sort of like VIP treatment).
From my experience, a lot of environments in the business world that run Linux also run Windows, whether it be server or desktop. Thus, this news does have a big effect on those in that type of environment, because they (Microsoft) are now opening up the program to a broader scope. When the change takes place, you can now access Windows updates 3 days prior to patch Tuesday, and still have all the same perks. This expansion is more intended for incident response teams (i.e.: CIRTs), which every business should have to some degree at least.
The MAPP program is intended to share information with others about issues, vulnerabilities, etc… Opening this up to security-centric businesses focusing on Windows machines as well can only mean better resources available to others as well.
While I don’t actively support Windows, I do know some who do and are heavily involved in handling the day-to-day tasks of maintaining the systems as well. What I would like to see, though, is a registry on the MAPP website where one can browse the participants of the program to better know who takes part in it.
I love security, the cat and mouse game, the endless ventures of finding ways to thwart your best-friend-gone-rogue. You’d figure all of the events circulating the NSA would at least raise a hair or two on my scalp, wouldn’t you? Well, not really…
First and foremost, it just doesn’t surprise me. This isn’t the first time the NSA has been involved in these types of scenarios, and I’m not really sure why this is any different. The government never really has been for or against its people; it’s been for itself. Just like a business, the government wants to protect its IP, however it has fewer mediums to do so due to the risks there would be if word got out. Case in point: now.
Edward Snowden also isn’t a hero to this, either, as far as I’m concerned. He held an interview about it, yes, but stuff like this has been portrayed in movies and such for a long, long time. Yeah, I know, Hollywood is fake… but, really, how fake is it? Think about this. Anti-Trust came out in 2001. It’s basically a movie about a big corporation that creates something called SKYNet, where everything is linked up together (the cloud). What did we get a couple years later? “The Cloud”… even though it’s just a buzzword for technology that’s existed for a long time (see: roaming profiles in Windows).
Don’t get me wrong, I think it’s pretty horrible what we got going on here. This sort of stuff shouldn’t have happened in the first place, but the NSA isn’t really to blame as much as it is us for thinking this isn’t real. There’s no reason to wear tin-foil hats all the time, but there is a reason to be more self-aware of your surroundings.
Lastly, as a small note regarding our freedoms, we lost those when we blindly allowed 9/11 to happen… Let’s face it, we can’t fix the past, but we can fix it only and only when we know where we went wrong.
I found an interesting piece on Slashdot that covers an interesting prospect to all of the hoopla over the recent scares in IT regarding data theft and storage (looking at you, Mr. NSA)… don’t try to implement more encryption.
The basic idea of it is to not look for solutions that add more security to your environment, because with the way things are now it’s not unfeasible that the government or some other body will look to persuade businesses to reduce the security in their products. A good example of this is HTTPS and browsers. Take the 3 biggest browsers in the market (Firefox, Chrome and IE), and have the government pay up a large lump sum to them to randomize HTTPS keys out of a known dictionary.
This wouldn’t be your normal 300-word dictionary, however. This would span millions and millions of lines, and with a lot of products introducing cloud and *-as-a-service offerings, there’s no real way that we can tell this isn’t already occurring.
I’m also not a conspiracy theorist either, so whether it is or isn’t happening is a different playing field, but it should make you re-evaluate what these scares and controversies are really bringing to the table. My biggest complaint is I’ve always lived by the mantra of “if you have nothing to hide then don’t be afraid”.
There’s a plethora of IDSes out for Linux, and even a fair share of them out for Windows as well. While I’m not a fan of running Mac OS as a server, and I’m not sure what software it has already in this regard, I found this little gem today called 4Shadow: http://4shadowapp.com/
Given a lot of people use Macs at their local coffee shop, bakery, etc… it does make sense to think about this, however, especially if you’re there coding away at a website and locally testing it.
I can’t say very much on it as I don’t use Mac, don’t have access to one, or really want to except for OSx86, but it is something for those who do use the OS to look into.
If you do try it please leave a comment so I know how it is, at least.
I read an interesting article talking about how a piece of malware placed a very interesting blockade in the way of being figured out, by hooking into Windows’ debugging functionality itself. The article itself can be found here: http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/ but this raises an interesting point in malware analysis.
According to the article, debuggers are used heavily to analyze what is going on behind the scenes, which makes sense. A debugger is a tool that allows you to browse memory, and most will decompile programs into bytecode or convert the program into assembly as best they can. This allows analysts to be able to see what’s going on and also browse various aspects of binaries such as text strings.
This program, however, prevents a lot of this functionality from happening by debugging itself on start up so nothing else can. This is a fault in the Windows API itself, as it only allows 1 program access to debug another at a time.
So, why am I talking about Windows on a Linux-centric blog? Because this is also about security. After what feels like years of the same old methods just being renamed, something new… something interesting… happens. Now, this technique isn’t exactly new in the realm of programs, because a lot of programs in the 90s, when cracking and pirating was all over the news, put in place measures to prevent people from debugging their code like this. I dabbled in this side of security when I was younger, so I have a fair understanding of what went on.
I don’t see this being a major turning point in malware, but it definitely makes the field that much more interesting.
This is one I was really looking forward to writing about, simply because I find it fun to mess with different browsers.
My netbook, as ironic as it will be in a little bit, uses Firefox and Chrome, depending on the need. Using Chrome’s DOM inspector and such is far superior as far as I’m concerned compared to Firefox, while Firefox offers a different view of how the page is rendered. Since I don’t care to support IE, I support these two and it works.
However, my PC uses a different browser called LuaKit. As the name suggests, it involves the Lua scripting language, however it’s more than that. It bundles the rendering engine found in Chrome into a small, bite-sized application that is extremely extensible. What makes it ironic, though, is that this is entirely keyboard driven (similar to Awesome).
I’ve tried using it on my netbook, and while I still do occasionally, I just feel its too difficult to work with. I feel this has more to do with my fingers being big and the keys being small more than anything else, however.
I do also use Firefox and Chrome on my desktop, but have begun to stray away from Chrome more and more. I’ve noticed over the years that Firefox has greatly improved their product, and it is no longer the bug-riddled, memory-hungry product it used to be; it is actually comparable to, perhaps even better than, Chrome at this point, at least for me.
I also don’t have a bunch of extensions installed for either browser, either, so that probably plays a part in it as well.
I do a lot of programming. Way more than I like to even admit at times. There are a lot of options out there, including Eclipse, vi/vim, emacs, etc… Eclipse, while probably being the 2nd most popular next to vi/vim, is also way too much. If you were to program in Java it’s great, but 99% of my work now is in Python, and if I want to make a mobile app I just use something like PhoneGap.
I’ve tried different writers, like KWrite, and used vim for a while with a plethora of plugins to make things even easier. However, I eventually discovered Sublime Text Editor. This program is like the Notepad++ of Linux editors as far as I care.
If you want extreme control, Sublime offers a good chunk of it, but not to the extent of vim. The matter of this really is moot, I suppose, as what editor you use is extremely dependent on what you need, what you want, and how you have it set up. For me, though, it’s very nice; it also plays nicely with Git if you install a plugin for it.
For Python, I personally recommend STE because it has a lot of features you would need from vim right out of the box, but it also costs money too…