Encryption of Disks

Today we should use encryption of disks for many situations.

I recommend at least encrypting disks of portable computers that contain the home directory and portable USB disks. They can easily get stolen or lost and it is better if the thief does not have easy access to the content. We should even consider encrypting swap partitions.

There are many ways to do this on different operating systems and actually I only know how to do it for Linux. A possible approach for Windows is to run MS-Windows in a virtual box inside Linux and just profit from the Linux-based encryption. That is what I do, but I do not use my MS-Windows very much. About Apple computers I have no knowledge, please go to the site of somebody else for encryption of disks for them. I know that there is an option available for this, but I do not know how to use it and how good it is.

I prefer to rely on open source solutions for security related issues, because it is harder (but not impossible) to put in malicious components into the software and it is easier to find and to fix them. This is a general point that serious security specialists tend to make that it is better to rely on good and well maintained open source software for security than on closed software of which we do not know the wanted and unwanted backdoors and vulnerabilities.

The way it works in Linux is that we encrypt a disk partition. It can then be accessed after providing a password. It is possible to provide several alternative passwords. The tools to use are dm-crypt, a kernel module, LUKS, cryptsetup, and cryptmount.

It can be done like this (example session) for an external drive that appears as /dev/sdc. Please be extremely careful not to erase any data that you still need or hide data behind a password that you do not know…


# check the partitions
$ fdisk -l /dev/sdc

# encrypt the partition and provide a password:
$ cryptsetup luksFormat /dev/sdc1

# access the partition
$ cryptsetup luksOpen /dev/sdc1 encrypted-external-drive-1

# format it with whatever file system you want to use
$ mkfs.btrfs /dev/mapper/encrypted-external-photo-drive-1

Now each time the disk is mounted, the password needs to be provided.

Links

Share Button

Hidden CPUs

How many CPUs does your computer have?

If we go way back, we will discover that some time ago there were already ancillary CPUs in our computers. The floppy disk drive of the C64 had a CPU very similar to the one in the computer itself, but very little memory and it was hard, though not impossible, to make use of it. I never really tried. The PC-keyboards had CPUs, it was told that a Z80 or 8080 or something like that was built into them. I never bothered to find out.

Now this concept is not at all new, but was already used 35 years ago. So the question is, if our computers still have such hidden CPUs. This seems to be the case and it is easy to search for „hidden CPUs“ or „secret CPUs“. And it would be extremely strange to expect anything different. They do not have compute power for us, but just run and manage hardware, that appears to be just hardware from the point of view of our main CPU, that we can program. So why not just consider this as hardware and ignore the „secret“ or „hidden“ CPUs and see them as implementation detail of the hardware. That is a very legitimate approach and to be honest what we do most of the time.

The issue is more delicate now, because these hidden CPUs can access the internet, even when the computer is turned off or seems to be offline. There are tools to analyze the network traffic and to detect this. But we should start to become aware of this invisible world that is potentially as dangerous as visible malware. And this applies to all kinds of devices, especially cell phones, tablets, routers, TV-sets and all „things“ that have their own CPU power and network access…

Links

Share Button

Source Code of Apple-iOS leaked

It seems that the parts of the source code of Apple’s iOS 9 have leaked via github. They might have been removed from there, while you are reading this, but probably they will be passed around in the internet anyway.

Some sources say that this is a risk to security. It might be, but in the end cryptography specialists tend to consider the availability of the source code as an advantage for security, because it can be analyzed by everyone, vulnerabilities can be found and published and of course more easily be corrected if the source is available to everyone. Hiding the source code is some kind of „security by obfuscation“, which is not really a strong mechanism and it should be based on verifiable secure mechanisms, as successfully applied by Linux and other open source operating systems. But this might not be fully true, if the sources are just passed around in somewhat closed circles and not easily available to the general public.

This does not make iOS open source, because the licenses that Apple imposes on their software are still valid and to my understanding they do not make this part of the system open source, which means much more than just being able to read the source code of a certain version that might already be outdated. Please observe that if the source code that you might find on github is really coming from Apple, their original license and not the one mentioned in github applies.

To put Jail breaking somewhere near security breaches is wrong, because this is an action done by the owner of the device with his or her own device at own risk. This should be everyone’s right to do so and there should be nothing wrong with making it easier. I know, we are not living in a perfect world…

So please relax. If Apple has done a good job, there will not be too bad exploits and if they are still doing a good job, they will quickly fix any exploits that show up. And if you like to have an open source system, you should still consider using something else.

Links

Share Button

The magic trailing space

When comparing string, of course spaces count as well and they should count. To ignore them, we can normalize strings. Typical white space normalization includes the following (Perl regular expressions):

  • /[ \t]+/ /g replace any sequence of tabs and spaces used to separate content by one space.
  • /\r\n/\n/g replace carriage return + linefeed by linefeed only.
  • /\s+$// remove trailing whitespace.
  • /^\s+// remove leading whitespace.

More or less it is often useful to do something like this when comparing strings that originally come from outside sources and are not normalized, but only „the content“ counts. There can be more sophisticated rules, to deal with no-break-space, with control characters, with trailing spaces at the end of each line or only at the end of the whole thing or replacing multiple empty lines by just one empty line. Just the general idea is to think about the right normalization.

In some cases, like long numbers, spaces or other symbols are used to group digits. These should also be removed. Sometimes more specific rules apply, like for phone numbers, web sites, email addresses etc. that need to be done specifically for this type, hopefully using an adequate library.

More often than not we see that web sites do not do this properly. Quite often an information has to be entered and it is not normalized prior to further processing. So credit card numbers or IBAN numbers are rejected because of spaces or anything because of trailing spaces, of course with an error message that does not give us a hint about what was the problem.

For serious application there needs to be a serious processing step for data coming from outside anyway, for security reasons. Even though SQL injection should not work due to sound SQL-placeholder usage, it is a good practice to check the data anyway and reject it early and with a meaningful message. Should I trust the security of a site that cannot deal with spaces in a credit card number for giving them my card number? I am not sure.

It is about time that UI developers get into the habit of doing the proper processing, normalization and checks for user input. Beware that any security relevant checks need to be done on the server or on the server as well.

Share Button

WPA2 compromised

The WPA2 protocol has been compromised. The so called KRACK attack allows reading encrypted content.
It was always a good idea to use encrypted communication on top of WPA2 for sensitive data, like https, ssh or a VPN. This practice has been recommended in this blog before, which was again inspired by what Bruce Schneier wrote about it.

Anyway, we should certainly start of thinking of WLANs with WPA2 encryption as a useful transport mechanism, but not as a very secure mechanism to encrypt data. At least from now on we should use other encrypted protocols on top of WPA2 where appropriate or use cable networks for internal communication that we do not want to encrypt additionally.

Links:

Share Button

WLANs

We use our computers and other devices everywhere. While phones are of course equipped with a SIM card that at least part of the time allows relatively cheap internet access via the GSM-network (of course today UMTS or LTE or whatever comes next), laptops usually do not have SIM cards, even though they could. So we rely on these WLANs that we find in Cafés, gas stations, shops, hotels, camp ground, airports, train stations, trains and sometimes even in cities. While we are used to paying for our SIM cards monthly fees or even volume based fees, the question if it should cost money to use a WLAN is still open. Some years ago the WLAN cost extra in most places. The problem was, that the effort for collecting the money was by some orders of magnitude higher than the effort for actually providing the WLAN, resulting in prices that were way too high. So the normal model is now that we pay for the camping, train, flight, hotel, coffee or whatever and some very very tiny fraction of this money is used to implement the WLAN. It does not hurt the people, who do not use it, because it is so little.

Now there are some ways to get into WLANs, which we all know too well:

  1. Open WLAN: just use it
  2. Password for WLAN required
  3. „Open“ WLAN, need to confirm the conditions
  4. „Open“ WLAN, need to provide phone number or email address with some verification
  5. „Open“ WLAN, need to give username + password on some page

While (1) is of course ok from a user point of view and (2) works very well for small sites like hotels, the other approaches are somewhat problematic and fragile.

They all rely on the assumption that the device uses the DNS as is provided by DHCP from the WLAN or on an intercepting proxy. Anyway, the network is in two different states. In the first state it does not behave regularly, but going to any page with the browser will actually lead to the login page. The internet will not work in the beginning, even though at network level everything is there, just the routing or maybe the DNS or the Web-Caching are skrewed up. My phone detects such a skrewed up internet and by itself opens the „login“-page by going to www.google.com, which of course is today https://www.google.com/. It won’t work, because it leads to a fake „www.google.com“, so the https-certificate is not correct and the browser refuses to show it, unless we really ask for an exception, which I would not recommend. Knowing this, we can always overcome the problem by just surfing to any site that is still not https and that is not in the browser cache. This is going to become harder, but is still possible. Is it ugly? I would think so. Even worse, there is a time window for doing this, and sometimes the login does not really work well, so we need to try it over and over again, until it finally works or we give up and use the phone as a temporary WLAN-router, hoping it will not break out of our free Megabytes. Verifying a phone number is not too bad, because via SMS there is a channel independent from the WLAN to transmit the verification code. Do we have a phone? I guess so, people without phone are really very rare, so I would consider that ok. Why do they need this information? Should they ask for it? I do not think so… It depends of course how much we trust in our current and future democracy and in our government and company organizations constraining themselves to legal and ethical conduct. But from a purly technical point of view this kind of works. The email is kind of cute. To confirm it, we need access to our email system, which in turn already requires internet. But it happens. Just confirming „terms and conditions“ is also kind of cute, because the option of actually reading them is offered, but rarely used. And they would know it, if they just looked into their logs.

So I would really love to just use the internet and I would really love to rely on people using the internet to behave legally and ethically without going through long terms and conditions. Maybe those who provide the internet need these, to ensure that they do not have to pay for fallacies of their internet users, but making them pay is not really a good idea. A criminal offense is the fault of a criminal and not of those who provide some common infrastructure for communication that is in no way specific to criminal activity. Actually those who are somewhat skilled in criminal activities also know their ways to hide their identity when using some WLAN.

The last one is kind of tricky. It does have some justification, because it allows for more fine granular access. But it still uses somewhat broken mechanisms by providing a broken internet to log in and then the working internet. I think it would be better to extend the WLAN standard to provide for a username+password-login instead of only using a password for the WLAN.

Btw., I recommend to assume that the WLAN is not safe and always run a firewall against the WLAN and do delicate access to other systems via the WLAN using a vpn like OpenVPN or of course encrypted variants of common internet protocols like ssh, https etc. The older WLAN encryption standard was just a joke. The current one is kind of ok but I prefer not to trust it. Since we use our devices in all kinds of WLANs anyway, trusting some WLANs and not trusting others is just too much risk in terms of misconfiguration. And as soon as we are accessible via the internet, the attackers are already there and scanning ports and some common URLs. If they are in the WLAN or not, I do not want to rely on them not being there…

Share Button

Bring your own Device

This issue is quite controversial and it applies to laptops, tablets and smart phones.
Usually the „bringing“ is not really an issue, you can have anything in your bags and connect it via the mobile phone network as long as it does not absorb the working time.
But usually this implies a bit more.
There are some advantages in having company emails and calendar on a smart phone. This is convenient and useful. But there are some security concerns that should be taken serious. How is the calendar and the emails accessed? How confidential are the emails? Do they pass through servers that we do not trust? What happens, if a phone gets lost?
This is an area, where security concerns are often not taken too serious, because it is cool for top manager to have such devices. And they can just override any worries and concerns, if they like.
This can be compensated by being more restrictive in other areas. 😉
Anyway, the questions should be answered. In addition, the personal preferences for a certain type of phone are very strong. So the phone provided by the company might not be the one that the employee prefers, so there is a big desire to use the own phone or one that is similar to the own phone, which depends on the question of who pays the bills, how much of private telephony is allowed on the company phone and if there are work related calls to abusive times.
Generally the desirable path is to accept this and to find ways to make this secure.

The other issue is about the computer we work with. For some kind of jobs it is clear that the computer of the company is used, for example when selling railroad tickets or working in the post office or in a bank serving customers.

It shows that more creative people and more IT-oriented people like to have more control on the computer they work with.
We like to have hardware that is powerful enough to do the job. We like to be able to install software that helps us do our job. We like to use the OS and the software that we are skilled with. Sometimes it is already useful to be able to install this on the company computer or in a virtual computer within the company computer. Does the company allow this? It should, with some reasonable guidelines.

Some companies allow their employees to use their own laptops instead. They might give some money to pay for this and expect a certain level of equipment for that. Or just allow the employees to buy a laptop with their own money and use it instead of the company computer. They will do so and happily spend the money, even though it is wrong and the company should pay it. But the pain of spending some of the own money is for many people less than the pain of having to use crappy company equipment.

This rises the question of the network drive Q:, the outlook, MS-Word, MS-Excel,…
Actually this is not so much an issue, at least for the group we are talking here. Or becoming less of an issue.
Drive Q: can quite well be accessed from Linux, if the company policies allow it. But actually modern working patterns do not need this any more.
We can use a Wiki, like MediaWiki or Confluence for documentation. This is actually a bit better in many cases and I would see a trend in this direction, at least for IT-oriented teams.
Office-Formats and Email are more and more providing Web-Applications that can be used to work with them on Linux, for example. And MS-Office is already available for Linux, at least for Android, which is a Linux Variant. It might or might not come for Desktop Linux. LibreOffice is most of the time a useful replacement. Maybe better, maybe almost as good, depending on perspective… And there is always the possibility to have a virtual computer running MS-Windows for the absolutely mandatory MS-Windows-programs, if they actually exist. Such an image could be provided and maintained by the company instead of a company computer.

It is better to let the people work. To allow them to use useful tools. To pay them for bringing their own laptop or to allow them to install what they want on the company laptop. I have seen people who quit their job because of issues like this. The whole expensive MS-Windows-oriented universe that has been built in companies for a lot of money proves to be obsolete in some areas. A Wiki, a source code repository, … these things can be accessed over the internet using ssh or https. They can be hosted by third parties, if we trust the third party. Or they can be hosted by the company itself. Some companies work with distributed teams…

It is of course important to figure out a good security policy that allows working with „own“ devices and still provide a sufficient level of security. Maybe we just have to get used to other ways of working and to learn how to solve the problems that they bring us. In the end of the day we will see which companies are more successful. It depends on many factors, but the ability to provide a innovative and powerful IT and to have good people working there and actually getting stuff done is often an important factor.

Share Button

WannaCry or better learn from it?

The malware WannaCry became quite well known, especially because it manifested itself on the displays of the German federal railroad and it even blocked most of the hospital infrastructure in the UK. Find some discussion on Bruce Schneier’s Blog… You find a a href=“https://www.schneier.com/blog/archives/2017/05/did_north_korea_1.html“>more elaborate article on his blog as well. Read Bruce’s blog article, he knows more about security than I do… 🙂

We might have observed, that this attack was targeting MS-Windows computers. The argument, that this is just because MS-Windows computers are more common, is no longer true. But the argument, that the MS-Windows developers just did a lousy job does not hold either. It was true 10, 15, 20, 25 years ago. We have seen it. But today I would assume, that they have improved and are doing a good job.

There is an argument, to favor open source over closed source for security reasons. If a software is open source, it is much more difficult to incorporate malicious features like backdoors into it or to leave security holes open by mistake, because the source code can be analyzed and fixed by anybody who has access to the internet and the capabilities. This is no guarantee, but it is a good thing.

The other argument is more like a question. How close are US companies to US government agencies? Do they do each other little favors? We do not know.

In any way, the people who did this malware attack are criminals and I regret that this has caused so much damage. Fortunately criminals are relatively rare. So the frequency of encountering them in daily life is usually not so high, unless we live in especially crime infested areas. But the internet connects us with criminals all over the world and allows them to damage us. So it might be ok in a good neighborhood not to lock the door or not to lock the bicycle. It gives a good feeling to trust our neighbors. But in the internet, the bad guys are there for sure and they will discover our unlocked virtual door. We can rely on that.

Share Button

HTTPS

This Blog is now using https. So the new URL is https://brodowsky.it-sky.net/, while the old URL http://brodowsky.it-sky.net/ will continue to work for some time.

If you like to read more about changing the links within the Blog you can find information on Vladimir’s Blog including a recipe, both in German.

Share Button

Login Mechanisms

By Karl Brodowsky IT Sky Consulting GmbH

Deutsch

E-Banking examples

  • „Calculator“
  • RSA-Number-Generator
  • SMS
  • Sheet with 100 Codes
  • Android-App
  • USB-Device
  • SmartCard
  • Not so common for banks: plain old username+password
  • Login with google, twitter, facebook

Calculator

  • Enter PIN Code
  • Enter Code from login page
  • Read Result from calculator
  • Enter Result in Login Page

Security Questions:

  • Depends on how the calculator works
  • Due to calculator PIN/Password some security agains theft/loss of device

Practical Questions:

  • Always forgotten calculator
  • Expensive hardware required

Summary:

This method is potentially quite good, if it is done well with good algorithms and good data.

Number Generator

  • On login page enter 6-digit code from RSA device in addition to username+password

Security issues

  • Looks good because it comes from RSA
  • Does the timing always work well enough in sync (apparently yes)?
  • Device can be stolen, no additional protection
  • No Challenge-Response, not as good as the calculator

Practical issues:

  • Device is small enough to be in the pocket all the time
  • Device is quite expensive

SMS

  • Enter username and password
  • Receive code by SMS
  • Enter Code

Security issues

  • How secure is the mobile network?
  • How secure is the phone? Not-so-smart phones are better. Ideally use the old Nokia phone for this with a prepaid SIM-card
  • For m-banking two phones are needed or the security is much lower

Practical issues

  • Phone is in the pocket
  • But if an additional phone is needed just for this not very practical any more
  • Sometimes SMS get lost
  • some people play with many SIM cards (not a common problem)
  • Battery of phone can be empty (only a problem for older generation)

Summary

This seems to be a solid mechanism, but is slightly inferior to the calculator.

Sheet with 100 codes

  • Login with username and password
  • Page requests code with a given number from a given sheet.
  • Each number is used only once
  • New sheet supplied when 80% used up

Security issues

  • Depends on quality of numbers
  • Paper can be lost or stolen
  • Printing and handling of numbers leaves a lot of vulnerability which is hard to control.

Practical issues

  • Paper needs to be managed by bank and customer
  • Needs to be in the luggage or as image on the phone
  • Needs to be stored carefully

Summary

Mechanism seems to be in the middle field. Apart from being uncool the mechanism is not so bad, but it is inferior to the calculator.

Android App

Can off course technically work for your favorite smart phone, even if it is not Android… 😉

  • Login with username and password
  • A colored code is displayed:

code

  • Run Android App which takes a photo of the code and provides a 6 digit code plus some information.
  • Enter that for login
  • Remark: the App needs to be personalized, so it is only working for the own e-banking, not for someone elses.

Security issues

  • No password within App
  • Depends on keeping phone safe
  • Positive is that it is so easy that it can be used a lot, even for verifiying single bookings to an unknown receipient
  • The code can transport information that can be displayed in the

Practical issues

  • Requires Smart phone that supports the App
  • Phone is always in the pocket

USB-Device

An USB-device is plugged into the PC. It can be „smart“ and communicate directly with the server. Can also provide secure browser or even boot PC into a specially safety-hardened Linux distribution.

I have only theoretical knowledge about this, not used it.

Security issues

  • Has a lot of potential
  • A „bad PC“ can be a problem, but there are ways to implement this that are quite secure, as long as encrypted data traffic is considered secure at all. If not, we should forget the internet for anything that requires any non-trivial level of security.

Practical issues

  • requires special USB-stick
  • USB is disabled or „castrated“ on many PCs, so it might be hard to let the PC accept the device
  • Are there „device driver issues“?

Smart Card

This is just like the USB device, but with a chip card instead of an USB device.

Username + Password

  • For ebanking not enough (some banks don’t care)
  • For „simple“ apps it is a pain to keep usernames and passwords safe on server
  • Still „easy default“
  • How about user management?

Security issues

  • This has the lowest security of all mechanisms presented here.
  • user and password database is always a risk

Login with Google

  • Use google+, facebook, twitter etc. for login
  • Assume Google here…
  • Login into google (you normally are anyway…)
  • Click login with google
  • First time google asks if it is ok to provide the identity information to web page xyz
  • In Google settings this can be removed…

Security issues:

  • Do we want to have NSA-connected companies involved in our login process?
  • User management is something that the big guys claim to do well
  • OAuth2 is our friend for this, it is not so hard to do

Just remember this

  • Always use https when serious about security
  • http means transmitting password unencrypted and making some of our „friends“ who could intercept traffic very happy
  • Especially if it deals with money.
  • Serious https helps at least a little bit
  • Maybe, who knows what the NSA knows. 🙁

As a task for me I have to get this page on https…

 

Share Button