Basic Technology Security

For many people, there are simple tricks that can dramatically improve their security posture. These either remove the common entry points for attackers, or add additional barriers against their attackers. Combined, they are the easiest technical methods available.

The first, and most basic of options, is to ALWAYS have the current version of all software you use installed. If you are on Windows, Microsoft has a regular schedule for releasing updates. You should even have automatic updates enabled if possible. Adobe also follows this schedule, and Reader updates should be just as important as those Microsoft patches. Same goes for Apple and OS X updates, and the maintainers of various Linux distributions, although the tools to do these updates vary. Check in your system documentation.

Secondly, remove the software you do not use. If you cannot name the reason why you have Java installed, for instance, uninstall it. All it does is add a major vector for attacks. This goes for any software. If you’re not using it, remove it.

Thirdly, be sure to install and configure a firewall. This is the last barrier against outside attackers, and you want to be sure you are only letting in what you intend to. Create exceptions that are as narrow as possible, and look for configuration suggestions for your use case. Remember you don’t need to open ports to browse the internet, unless you are blocking inbound and outbound traffic.

Fourth, have good antivirus installed. I honestly find this less important than the first three, just because reducing your exposed surface ends up being far more useful. While anti-malware software and firewalls definitely should be installed, they can and will miss things. There are plenty of free options for antivirus, although I usually direct people to AVG on Windows. Microsoft Security Essentials is also a decent choice. No matter your operating system, however, you need to have something installed. With cross-platform malware such as Java or PDF-based exploits, and growing desire for mobile attacks, assume that there is something out there.

Fifth, have good password security. Use a strong password to log into your system. Do not use an account with administrative access for everyday activity, to prevent malware from gaining a strong foothold if it gets onto your system. I’ve talked about this previously, but also use a password manager. Generate unique passwords for every single site; it protects you if one of those sites is cracked. Remember, if you use the same password everywhere, your bank security depends on the security of that crappy forum you joined.

Finally, where it is available, use two-factor authentication. This is far from foolproof, and there are ways around it, but it stops the cheap attacks used to gain access to your email, your bank, social networking, and more. It also typically protects against repeated incursion on those accounts.

The combination of all of these tools creates a multi-layer protection that is far better than most people have. If any of these are missing, it creates a hole that can be exploited. Together, you will find yourself avoiding many of the greatest pitfalls and be far ahead of others.

The iPhone 5s Biometric Unlock

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."[1]

[1] via CCC | Chaos Computer Club breaks Apple TouchID.

The new iPhone has a biometric unlock option. It took all of three days for a break to show up for it, as was generally expected as well. While this is obviously an indictment of its security, I do somewhat agree with Apple and several other commentators regarding it retaining value.

Apple technology security is strictly weaker in many ways than similar Android options. Apple, for instance, can decrypt iPhones, whereas Google appears to have no such capability. They have also historically shown how their infrastructure allows for attackers to destroy data, although Google is not impervious to this either. I personally use Android (CyanogenMod on a Galaxy S3), with full device encryption and a screen password far longer than is healthy. Unlocking my phone can take up to ten seconds, which most people simply will not put up with.

That is the value in the biometric unlock for the iPhone. A dedicated opponent will be able to get you to unlock it, perhaps more easily with physical intimidation than with an information-based key. Screen PINs should be seen as a barrier against casual data theft. Someone who steals your phone, or takes it from a table to try to get some information quickly, often faces absolutely no barrier. Apple’s talking points point out that a majority of users currently have no security PIN set (although I have not found the specific number, if it is available). Tools exist to remotely wipe a phone if custody is lost, and a small barrier may be enough to give time to use that capability.

The one potentially huge concern with this method of unlock, however, is in allowing Apple aggregation of biometric information. As of now, Apple stores the information locally on the iPhone in question. Any government would love that information and, as demonstrated above, they have those ties with Apple. There is also the question of whether that information can be transferred off the phone if someone has physical access to the device. These are issues that should be addressed, and until they are my support is tentative. Regardless, something that encourages adoption of a security mindset is helpful.

Setting up GPG

One of the cornerstones of my home infrastructure is GPG. GPG is an encryption/signing/authentication tool, and is used for all three purposes in my network. I use it for SSH connections (authentication), my password store (encryption/decryption), and signing emails. For added security, this is done via a smart card purchased from kernel concepts. My personal machine is a Lenovo T420, and I use the embedded card reader.

Setting up the card with current versions of GPG (2.0.21 as of today) is different from most tutorials you can find. This is due to GPG versions 2.0.18 and later supporting 4096-bit keys for the kernel concepts smart card. Before you start configuring the card, you need to install all necessary software. For me, that is:

gpg2, gpgsm, pcscd, gnupg-agent

Once those are installed, you can begin to create your keys. While these instructions assume you have a smart card, they will work with minimal effort even absent one.

USERNAME@phoenix ~ % gpg --card-status 
Application ID ...: D276000124010200000500001ABD0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00001ABD
Name of cardholder: [not set]
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Your smart card information should look similar to this. First, here’s some important safety information: The card accepts up to three wrong PINs in a row and then blocks, until unblocked by the admin PIN. Three wrong admin PINs and your card bricks itself, to prevent access to the information. Don’t do this unless you need to be sure that the information is destroyed.
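The retry counters described above can be checked by a script before any card edit. The following is an added example, not part of the original post: card_pin_state is a hypothetical helper, the sample text is the status output shown above, and it assumes English gpg output and a full count of 3 per PIN as on this card.

```shell
#!/bin/sh
# Added example (not from the original post): classify the
# "PIN retry counter" line of `gpg --card-status` before editing a card.

# Sample input: the relevant lines of the card status shown above.
SAMPLE_STATUS='Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0'

# card_pin_state <status text>   (hypothetical helper name)
# The three counters are: user PIN, reset code, admin PIN.
# Prints exactly one state word and always returns 0.
card_pin_state() {
    counters=$(printf '%s\n' "$1" | sed -n 's/^PIN retry counter *: *//p')
    [ -n "$counters" ] || { echo "no-retry-line"; return 0; }

    # Reject anything that is not digits separated by spaces.
    digits=$(printf '%s' "$counters" | tr -d ' ')
    case $digits in
        ''|*[!0-9]*) echo "unparsed"; return 0 ;;
    esac

    # Intentional word splitting into $1 $2 $3 (local to this function).
    set -- $counters
    [ "$#" -eq 3 ] || { echo "unparsed"; return 0; }
    user=$1
    admin=$3

    if [ "$admin" -eq 0 ]; then
        echo "admin-pin-locked"      # card is permanently locked
    elif [ "$user" -eq 0 ]; then
        echo "user-pin-blocked"      # needs the admin PIN to unblock
    elif [ "$admin" -lt 3 ] || [ "$user" -lt 3 ]; then
        echo "retries-used"          # someone has already mistyped a PIN
    else
        echo "ok"
    fi
}

# Stand-alone run on the sample; on a real machine use:
#   card_pin_state "$(LC_ALL=C gpg --card-status)"
card_pin_state "$SAMPLE_STATUS"
```

A wrapper script can refuse to start `gpg --card-edit` unless the state is `ok`, so a mistyped admin PIN is noticed before the last attempt.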

Now we’ll begin to edit the smart card. With your card, you can either transfer pre-existing keys to the card, or generate new ones. I am going to generate keys on the card, as demonstrated below.

USERNAME@phoenix ~ % gpg --card-edit                        

Application ID ...: D276000124010200000500001ABD0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00001ABD
Name of cardholder: [not set]
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Command> admin
Admin commands are allowed

Command> name
Cardholder's surname: O'Connell
Cardholder's given name: Patrick
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Admin PIN
gpg: gpg-agent is not available in this session

Command> lang
Language preferences: en

Command> sex
Sex ((M)ale, (F)emale or space): m

gpg/card> generate 

Admin-only command

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) y

What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
NOTE: There is no guarantee that the card supports the requested size.
      If the key generation does not succeed, please check the
      documentation of your card to see what sizes are allowed.
What keysize do you want for the Encryption key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
What keysize do you want for the Authentication key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Patrick O'Connell
Email address: pat@aeriagloris.net
Comment: 
You selected this USER-ID:
    "Patrick O'Connell <pat@aeriagloris.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

gpg: NOTE: backup of card key saved to `/home//.gnupg/sk_16A65751AA333CD9.gpg'
gpg: key F7D12196 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   4096R/F7D12196 2013-09-22
      Key fingerprint = 0059 EA3C CC54 D92F E203  DE29 12F2 C901 F7D1 2196
uid                  Patrick O'Connell <pat@aeriagloris.net>
sub   4096R/43DDE8B2 2013-09-22
sub   4096R/AA333CD9 2013-09-22

gpg/card> quit

With those initial keys set up, we can now configure some settings. The first we want to get to is changing the preferences for how to do signatures.

USERNAME@phoenix [2] ~ % gpg --edit-key pat@aeriagloris.net 
gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/14F0F412  created: 2013-07-27  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/61DBC4A3  created: 2013-07-27  expires: never       usage: A   
sub  2048R/2081E3C6  created: 2013-07-27  expires: never       usage: E   
[ultimate] (1). Patrick O'Connell <pat@aeriagloris.net>

gpg> uid 1

pub  2048R/14F0F412  created: 2013-07-27  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048R/61DBC4A3  created: 2013-07-27  expires: never       usage: A   
sub  2048R/2081E3C6  created: 2013-07-27  expires: never       usage: E   
[ultimate] (1)* Patrick O'Connell <pat@aeriagloris.net>

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences for the selected user IDs? (y/N) y

pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
[ultimate] (1)* Patrick O'Connell <pat@aeriagloris.net>

gpg> save
USERNAME@phoenix ~ %

You can now add any other uids you need to your key. This can be done with the --edit-key command followed by the adduid command.

USERNAME@phoenix ~ % gpg --edit-key pat@aeriagloris.net
gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
[ultimate] (1). Patrick O'Connell <pat@aeriagloris.net>

gpg> adduid 
Real name: Patrick O'Connell
Email address: 
Comment: 
You selected this USER-ID:
    "Patrick O'Connell "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
[ultimate] (1)  Patrick O'Connell <pat@aeriagloris.net>
[ unknown] (2). Patrick O'Connell 

gpg>  save
USERNAME@phoenix ~ %

Initializing the card generated both authentication and encryption subkeys, and the next stage is to add a separate signing subkey. Subkeys are keys that cannot sign other keys, but depend on the initial keys set up for their trust. These are used to avoid having to use the ultimately trusted key everywhere. This also helps demonstrate how to add other subkeys later, if needed.

USERNAME@phoenix ~ % gpg --edit-key pat@aeriagloris.net
gpg (GnuPG) 2.0.21; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
[ultimate] (1). Patrick O'Connell 
[ultimate] (2)  Patrick O'Connell <pat@aeriagloris.net>

gpg> uid 2

pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
[ultimate] (1). Patrick O'Connell 
[ultimate] (2)* Patrick O'Connell <pat@aeriagloris.net>

gpg> addkey 
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  4096R/F7D12196  created: 2013-09-22  expires: never       usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/43DDE8B2  created: 2013-09-22  expires: never       usage: A   
sub  4096R/AA333CD9  created: 2013-09-22  expires: never       usage: E   
sub  4096R/31FED8A5  created: 2013-09-22  expires: never       usage: S   
[ultimate] (1). Patrick O'Connell 
[ultimate] (2)* Patrick O'Connell <pat@aeriagloris.net>

gpg> save
USERNAME@phoenix ~ %

The next step, and one critical to the security of the entire GPG infrastructure, is creating revocation certificates. These can be posted to GPG key servers to announce that your keys can no longer be trusted, typically if you lose physical control over your smart card. This is the only possible way to revoke the trust of a certificate, so do not skip this step!

USERNAME@phoenix ~ % gpg --output pat@aeriagloris.net.gpg-revocation-certificate --gen-revoke pat@aeriagloris.net  

sec  4096R/F7D12196 2013-09-22 Patrick O'Connell <pat@aeriagloris.net>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> 
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
USERNAME@phoenix ~ %

Next, we will upload our GPG key to remote key servers. This allows for people to gain access to our public keys, and is necessary if anyone is going to send us encrypted information, or give us access via our authentication keys. For this I will just send you to the GPG instructions as to how to do so, in case they change in future versions.

Now we can start actually using the keys we have just generated. First, let's set up SSH. For SSH, using a key is the only way I recommend connections. You do not want to allow password authentication to any machine you control. Additionally, you want to only be able to log in with a non-root user, and then authenticate to higher permissions. There is countless documentation as to why this is true, but in general someone is going to be able to crack your passwords far more easily than any key-based login. We will use our authentication subkey, which for me is 43DDE8B2. The following commands, run on a remote machine, would immediately allow us to gain SSH access to that machine.

USERNAME@phoenix ~ % gpg --recv-key 43DDE8B2
USERNAME@phoenix ~ % gpgkey2ssh 43DDE8B2 >> ~/.ssh/authorized_keys
USERNAME@phoenix ~ %
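Adding the key only helps if the server also refuses passwords and root logins, as recommended above. The following audit is an added example, not part of the original post: the function names and both sample configurations are constructed for illustration, and an unset keyword is reported as a finding because the compiled-in default depends on the OpenSSH version.

```shell
#!/bin/sh
# Added example (not from the original post): check sshd_config text for
# the two settings argued for above. All names here are hypothetical.

# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
#PasswordAuthentication no
'
HARDENED_CONFIG='# constructed sample
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
'
# Same lines as a naive grep would accept, but in the wrong order.
REORDERED_CONFIG='PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
'

# effective_value <config text> <keyword>
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines starting with "#" are comments. Parsing stops
# at the first Match block because everything below it is conditional.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# sshd_findings <config text>
# Prints one "Keyword=value" line per setting that is not explicitly "no";
# prints nothing when both settings are hardened.
sshd_findings() {
    for key in PasswordAuthentication PermitRootLogin; do
        got=$(effective_value "$1" "$key")
        [ "$got" = "no" ] || echo "$key=$got"
    done
}

# Stand-alone run over the constructed samples.
echo "weak:";      sshd_findings "$WEAK_CONFIG"
echo "hardened:";  sshd_findings "$HARDENED_CONFIG"
echo "reordered:"; sshd_findings "$REORDERED_CONFIG"
```

On a live host, pass in the output of `sshd -T` rather than the file, since it prints the effective settings after defaults are applied.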

As for the password store, password managers are useful and allow for much easier management of per-account passwords. I do not re-use passwords between websites, which is always nice when you find out that a service has been compromised: I do not have to scurry around and figure out what websites I need to change things for. What I like most about using zx2c4’s Pass for this is that it integrates with GPG. Trust doesn’t have to be given to another service, nor do I need to embed any other plugins.

This sets up a fairly sound foundation for future work, such as enabling automatic GPG signing or encryption of email. It also encourages you to use more secure passwords for other services, and prevents security incident avalanches.

A First Look at International Anger at the Snowden Revelations.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

“The global backlash is only beginning and will get far more severe in coming months,” said Sascha Meinrath, director of the Open Technology Institute at the Washington-based New America Foundation think tank. “This notion of national privacy sovereignty is going to be an increasingly salient issue around the globe.”

While Brazil isn’t proposing to bar its citizens from U.S.-based Web services, it wants their data to be stored locally as the nation assumes greater control over Brazilians’ Internet use to protect them from NSA snooping.

The danger of mandating that kind of geographic isolation, Meinrath said, is that it could render inoperable popular software applications and services and endanger the Internet’s open, interconnected structure.

via Brazil Looks to Break from U.S.-Centric Internet | TIME.com.

This article in Time this week shows one of the most likely impacts from the Snowden leaks on U.S. spying. Justifiably, other countries are upset. Some will use this anger to do what they wanted to already, which is to bring some of their national data in-house. This will allow them to put an additional roadblock against the NSA (far from insurmountable) while allowing their own intelligence agencies to potentially mine that data.

While Time talks in fear of the Balkanization of the Internet, they ignore that this has already widely happened in the entertainment industry. The industry itself put up countless barriers to enjoying their goods in certain regions, and despite that people go around them. VPNs, proxies, and pirating allow people to access music and videos not “sold” in their country. Nothing indicates that this would change if new services went up elsewhere in the world to challenge titans from the USA.

The biggest threat, or opportunity, arising from this anger is true competition over security. Tools like email cannot be done securely, simply because of the information they leak in headers. You can encrypt the data within the email, but a dedicated adversary will still get what they want from it. If some usable replacements for this existed that included whole-chain encryption, there could be a sizable uptick in usage. The same goes for basic network traffic: while options like Tor exist, they can’t be trusted due to the limited number of exit nodes an adversary has to control in order to monitor the network. Unless vast numbers of users move to Tor, and move a lot of applications to hidden services, this option doesn’t seem to have a lot of future to it either. It does offer a framework for future technologies to be developed.

Realistically, the only way any of these turn detrimental to the future of the Internet is if new protocols or software are developed that intentionally block other regions. Even in that circumstance, however, as I said before there should be ways around those barriers. Even better, if those protocols are built with privacy and security as core philosophies, they could help provide something to replace those that are used now.

Welcome!

Good morning, and welcome to Aeria Gloris. Here I will be bringing two forms of security experience.

First, I will be giving walk-throughs for how to accomplish some of the basic and advanced security goals you may have. This will include anything from basic system security setups, to network IDS and security data analytics, to incident detection and rectification. In the beginning I will lean towards more beginner tutorials, but I have a list of previous projects I had the hardest trouble accomplishing at the time, and those are priorities to have done.

My second goal for this website is to bring commentary on how events of the world will impact security. Discussion will not come from every single thing occurring, nor will it focus entirely on technology. The main reason I want to do this is that situational awareness is a constantly understated part of information security. And the biggest threats have arisen from circumstances that most people haven’t paid attention to. A good example of this is the Arab Spring, where government use of technology to go after dissidents encouraged those dissidents to learn how to combat them. Those newly-informed rebels could then spread their skills and knowledge throughout the region, and have plenty of targets worldwide who may have sold tools to their former governments.

The schedule for this will involve posts weekly on Mondays and Thursdays. The Monday posts will be tutorials as described above. Thursday will be commentary either on current or past world events, and context for your security decisions. If you have any suggestions or comments, I look forward to hearing from you.