Sunday, December 28, 2014

VeraCrypt

This project is based off of Truecrypt. It's worth looking at. They are apparently fixing the issues found in the truecrypt audit.

Source Page: https://veracrypt.codeplex.com/

List of weakness fixed: https://veracrypt.codeplex.com/discussions/569777#PostContent_1313325

I really do want to see version 1.0f. This version is retiring RIPEMD-160 in favor of SHA256. This is good. Commercial encryption programs are starting to go this route as well.


Sunday, December 14, 2014

Reminder to always verify your downloads

Something a little weird happened today as I downloaded the new fedora 21 live images. Unfortunately I don't know which mirror I was directed to but there is a mirror that is pushing out a bad incomplete image.. or something else..

After re-downloading from what I would assume a different mirror. All is ok.


Moral of the story. Always verify images that you download.

Saturday, December 13, 2014

Encryption, Privacy, and Security Resources

For year 2014: Some of the tools I'd recommend for privacy and security. I've added the TC next home page because they have the official binaries for truecrypt. Use truecrypt with caution. The best alternative free FDE right now is DiskCryptor for Windows. (Use linux for FDE. Use VM's for Windows. Much safer.)

I may update this as needed.




Full Disk Encryption Windows (Free)

DiskCryptor - Open Source FDE
https://diskcryptor.net/wiki/Main_Page

CipherShed - Fork of Truecrypt (In Development)
https://ciphershed.org/

TC next (Verified binaries of truecrypt. Use with caution. No longer developed)
https://truecrypt.ch/



File level Encryption (If it doesn't do AES 256. Don't use it)

AES Crypt - https://www.aescrypt.com/ 

7-ZIP - http://www.7-zip.org/

GNUPG (Windows Binary Modern v 2.1) - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe

Encryption Wizard (Runs of Java 7) - http://www.spi.dod.mil/docs/EWizard-Public-3.4.5.zip
(Use Java Cryptography extension unlimited strength jurisdiction policy files in combination with EW. This will help you encrypt with AES 256.)
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

VIIVO- https://www.viivo.com/#download-page
https://www.viivo.com/how-our-security-works

Minilock - https://minilock.io/


Communications Security

Mozilla Thunderbird, Enigmail, GNUPG (For Email Encryption)
Mozilla Thunderbird - https://www.mozilla.org/en-US/thunderbird/
Enigmail - https://www.enigmail.net/download/index.php
GNUPG - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe

Pidgin with OTR - https://www.pidgin.im/

Cryptocat -  https://crypto.cat/

Wickr - https://www.wickr.com/

Haveged (Provides RNG Entropy. RNG's are very important in creating secure encryption keys with strong entropy) -  http://www.issihosts.com/haveged/

Mobile Communications Security

Android Hardening Guide - https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist

Chatsecure + Orbot (Look up in Google Play Store)

Redphone (Look up in Google Play store)

TextSecure (Look up in Google Play Store)

Wickr - https://www.wickr.com/

Password Security
Keepass (Use Key files and back them up somewhere safe. It's a good two factor practice in case your database gets stolen) - http://keepass.info/

Yubikey Neo - http://www.amazon.com/gp/product/B00LX8KZZ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B00LX8KZZ8&linkCode=as2&tag=yubicocom0a-20&linkId=AK5WXSVVQX66J7GL

Firewall Security and IDS

Security Onion - http://blog.securityonion.net/p/securityonion.html

Sophos UTM Home - http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
 

Other Privacy and Security Resources

Surveillance Self Defence (EFF) - https://ssd.eff.org/

Better crypto . org - https://bettercrypto.org/

Applied Crypto Hardening - https://bettercrypto.org/static/applied-crypto-hardening.pdf

Prism Break - https://prism-break.org/en/


Operating Systems hardening and security resources

Microsoft Security Compliance Manager -  http://technet.microsoft.com/en-us/library/cc677002.aspx

CIS Benchmarks -  https://benchmarks.cisecurity.org/downloads/multiform/index.cfm

Bastille Linux hardening tool - http://bastille-linux.sourceforge.net/

EMET - http://www.microsoft.com/en-us/download/details.aspx?id=43714

OS Security layout that I would recommend using

1. If you are in what I'd consider a high risk country then use Tails - https://tails.boum.org/

2. Use Linux open source as your primary OS. Stick with a main distro. Don't use Ubuntu. Ubuntu has a history of data leaks with Amazon. Don't use Ubuntu based distro's either.

Linux OS distro's I would use:
Fedora Linux - https://getfedora.org/en/workstation/
CentOS - https://www.centos.org/
Open Suse - https://www.opensuse.org/en/
Debian - https://www.debian.org/

All should work with the hardening tool Bastille. Always encrypt the disk with a strong passphrase.

As far as a browser goes I still use firefox. I still have issues with Google Chrome and privacy.

Use the following firefox add ons
https everywhere
Ghostery
No Script

If you need to use windows then use it in a VM environment with Oracle Virtual Box or some other means. Harden it with Security Compliance manager and CIS policies. I would suggest two windows vm's. One in off-line mode strictly for security baseline modelling. The other one on-line and hardening. 

A Note on Routers and Firewalls:
Routers have a high probability of getting compromised. Especially older ones. Home Routers should be replaced every three years for security purposes. For stronger security I highly recommend setting a device in front of your router such as Sophos UTM and then bridging your router to the UTM environment. It's safer because UTM is a product that is regularly updated. IT also has advanced firewall and IDS capabilities. You are also able to obtain a much clearer picture on what exactly is going on inside your network.



Monday, December 8, 2014

Sony and the Kim Jong Un Pairing....

How is this for a load of laughs...

Read this.....
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

Especially this part....





Now read this email from Mandiant to Sony's top Executive.


Write this compliance issue down..... I'm out....

Sunday, December 7, 2014

Windows 8.1 Security Resources list

A few resources for Windows 8.1 security. 


Windows 8.1 security defense in depth training course: http://www.microsoftvirtualacademy.com/training-courses/defense-in-depth-windows-8-1-security


Windows 8.1 Security and Control
http://technet.microsoft.com/en-us/windows/security-and-control.aspx

Countermeasures: Protecting BitLocker-encrypted Devices from Attacks
http://www.microsoft.com/en-us/download/details.aspx?id=41671

Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx

CIS Benchmarks
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm

EMET 5.1
http://www.microsoft.com/en-us/download/details.aspx?id=43714

If you are going to use bitlocker for Full Disk Encryption:

Open Up GPEDIT.MSC

Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption

(Swap to AES 256 for Encryption Algorithm)


Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drive

I'd do these in the OS drive area. Note the first one. If you don't have a TPM chip. No worries I would recommend doing a startup usb key + enhanced pin