This project is based off of Truecrypt. It's worth looking at. They are apparently fixing the issues found in the truecrypt audit.
Source Page: https://veracrypt.codeplex.com/
List of weakness fixed: https://veracrypt.codeplex.com/discussions/569777#PostContent_1313325
I really do want to see version 1.0f. This version is retiring RIPEMD-160 in favor of SHA256. This is good. Commercial encryption programs are starting to go this route as well.
Sunday, December 28, 2014
Sunday, December 14, 2014
Reminder to always verify your downloads
Something a little weird happened today as I downloaded the new fedora 21 live images. Unfortunately I don't know which mirror I was directed to but there is a mirror that is pushing out a bad incomplete image.. or something else..
After re-downloading from what I would assume a different mirror. All is ok.
Moral of the story. Always verify images that you download.
Moral of the story. Always verify images that you download.
Saturday, December 13, 2014
Encryption, Privacy, and Security Resources
For year 2014: Some of the tools I'd recommend for privacy and security. I've added the TC next home page because they have the official binaries for truecrypt. Use truecrypt with caution. The best alternative free FDE right now is DiskCryptor for Windows. (Use linux for FDE. Use VM's for Windows. Much safer.)
I may update this as needed.
Full Disk Encryption Windows (Free)
DiskCryptor - Open Source FDE
https://diskcryptor.net/wiki/Main_Page
CipherShed - Fork of Truecrypt (In Development)
https://ciphershed.org/
TC next (Verified binaries of truecrypt. Use with caution. No longer developed)
https://truecrypt.ch/
File level Encryption (If it doesn't do AES 256. Don't use it)
AES Crypt - https://www.aescrypt.com/
7-ZIP - http://www.7-zip.org/
GNUPG (Windows Binary Modern v 2.1) - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe
Encryption Wizard (Runs of Java 7) - http://www.spi.dod.mil/docs/EWizard-Public-3.4.5.zip
(Use Java Cryptography extension unlimited strength jurisdiction policy files in combination with EW. This will help you encrypt with AES 256.)
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
VIIVO- https://www.viivo.com/#download-page
https://www.viivo.com/how-our-security-works
Minilock - https://minilock.io/
Communications Security
Mozilla Thunderbird, Enigmail, GNUPG (For Email Encryption)
Mozilla Thunderbird - https://www.mozilla.org/en-US/thunderbird/
Enigmail - https://www.enigmail.net/download/index.php
GNUPG - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe
Pidgin with OTR - https://www.pidgin.im/
Cryptocat - https://crypto.cat/
Wickr - https://www.wickr.com/
Haveged (Provides RNG Entropy. RNG's are very important in creating secure encryption keys with strong entropy) - http://www.issihosts.com/haveged/
Mobile Communications Security
Android Hardening Guide - https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist
Chatsecure + Orbot (Look up in Google Play Store)
Redphone (Look up in Google Play store)
TextSecure (Look up in Google Play Store)
Wickr - https://www.wickr.com/
Password Security
Keepass (Use Key files and back them up somewhere safe. It's a good two factor practice in case your database gets stolen) - http://keepass.info/
Yubikey Neo - http://www.amazon.com/gp/product/B00LX8KZZ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B00LX8KZZ8&linkCode=as2&tag=yubicocom0a-20&linkId=AK5WXSVVQX66J7GL
Firewall Security and IDS
Security Onion - http://blog.securityonion.net/p/securityonion.html
Sophos UTM Home - http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
Other Privacy and Security Resources
Surveillance Self Defence (EFF) - https://ssd.eff.org/
Better crypto . org - https://bettercrypto.org/
Applied Crypto Hardening - https://bettercrypto.org/static/applied-crypto-hardening.pdf
Prism Break - https://prism-break.org/en/
Operating Systems hardening and security resources
Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx
CIS Benchmarks - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
Bastille Linux hardening tool - http://bastille-linux.sourceforge.net/
EMET - http://www.microsoft.com/en-us/download/details.aspx?id=43714
OS Security layout that I would recommend using
1. If you are in what I'd consider a high risk country then use Tails - https://tails.boum.org/
2. Use Linux open source as your primary OS. Stick with a main distro. Don't use Ubuntu. Ubuntu has a history of data leaks with Amazon. Don't use Ubuntu based distro's either.
Linux OS distro's I would use:
Fedora Linux - https://getfedora.org/en/workstation/
CentOS - https://www.centos.org/
Open Suse - https://www.opensuse.org/en/
Debian - https://www.debian.org/
All should work with the hardening tool Bastille. Always encrypt the disk with a strong passphrase.
As far as a browser goes I still use firefox. I still have issues with Google Chrome and privacy.
Use the following firefox add ons
https everywhere
Ghostery
No Script
If you need to use windows then use it in a VM environment with Oracle Virtual Box or some other means. Harden it with Security Compliance manager and CIS policies. I would suggest two windows vm's. One in off-line mode strictly for security baseline modelling. The other one on-line and hardening.
A Note on Routers and Firewalls:
Routers have a high probability of getting compromised. Especially older ones. Home Routers should be replaced every three years for security purposes. For stronger security I highly recommend setting a device in front of your router such as Sophos UTM and then bridging your router to the UTM environment. It's safer because UTM is a product that is regularly updated. IT also has advanced firewall and IDS capabilities. You are also able to obtain a much clearer picture on what exactly is going on inside your network.
I may update this as needed.
Full Disk Encryption Windows (Free)
DiskCryptor - Open Source FDE
https://diskcryptor.net/wiki/Main_Page
CipherShed - Fork of Truecrypt (In Development)
https://ciphershed.org/
TC next (Verified binaries of truecrypt. Use with caution. No longer developed)
https://truecrypt.ch/
File level Encryption (If it doesn't do AES 256. Don't use it)
AES Crypt - https://www.aescrypt.com/
7-ZIP - http://www.7-zip.org/
GNUPG (Windows Binary Modern v 2.1) - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe
Encryption Wizard (Runs of Java 7) - http://www.spi.dod.mil/docs/EWizard-Public-3.4.5.zip
(Use Java Cryptography extension unlimited strength jurisdiction policy files in combination with EW. This will help you encrypt with AES 256.)
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
VIIVO- https://www.viivo.com/#download-page
https://www.viivo.com/how-our-security-works
Minilock - https://minilock.io/
Communications Security
Mozilla Thunderbird, Enigmail, GNUPG (For Email Encryption)
Mozilla Thunderbird - https://www.mozilla.org/en-US/thunderbird/
Enigmail - https://www.enigmail.net/download/index.php
GNUPG - ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe
Pidgin with OTR - https://www.pidgin.im/
Cryptocat - https://crypto.cat/
Wickr - https://www.wickr.com/
Haveged (Provides RNG Entropy. RNG's are very important in creating secure encryption keys with strong entropy) - http://www.issihosts.com/haveged/
Mobile Communications Security
Android Hardening Guide - https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist
Chatsecure + Orbot (Look up in Google Play Store)
Redphone (Look up in Google Play store)
TextSecure (Look up in Google Play Store)
Wickr - https://www.wickr.com/
Password Security
Keepass (Use Key files and back them up somewhere safe. It's a good two factor practice in case your database gets stolen) - http://keepass.info/
Yubikey Neo - http://www.amazon.com/gp/product/B00LX8KZZ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B00LX8KZZ8&linkCode=as2&tag=yubicocom0a-20&linkId=AK5WXSVVQX66J7GL
Firewall Security and IDS
Security Onion - http://blog.securityonion.net/p/securityonion.html
Sophos UTM Home - http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
Other Privacy and Security Resources
Surveillance Self Defence (EFF) - https://ssd.eff.org/
Better crypto . org - https://bettercrypto.org/
Applied Crypto Hardening - https://bettercrypto.org/static/applied-crypto-hardening.pdf
Prism Break - https://prism-break.org/en/
Operating Systems hardening and security resources
Microsoft Security Compliance Manager - http://technet.microsoft.com/en-us/library/cc677002.aspx
CIS Benchmarks - https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
Bastille Linux hardening tool - http://bastille-linux.sourceforge.net/
EMET - http://www.microsoft.com/en-us/download/details.aspx?id=43714
OS Security layout that I would recommend using
1. If you are in what I'd consider a high risk country then use Tails - https://tails.boum.org/
2. Use Linux open source as your primary OS. Stick with a main distro. Don't use Ubuntu. Ubuntu has a history of data leaks with Amazon. Don't use Ubuntu based distro's either.
Linux OS distro's I would use:
Fedora Linux - https://getfedora.org/en/workstation/
CentOS - https://www.centos.org/
Open Suse - https://www.opensuse.org/en/
Debian - https://www.debian.org/
All should work with the hardening tool Bastille. Always encrypt the disk with a strong passphrase.
As far as a browser goes I still use firefox. I still have issues with Google Chrome and privacy.
Use the following firefox add ons
https everywhere
Ghostery
No Script
If you need to use windows then use it in a VM environment with Oracle Virtual Box or some other means. Harden it with Security Compliance manager and CIS policies. I would suggest two windows vm's. One in off-line mode strictly for security baseline modelling. The other one on-line and hardening.
A Note on Routers and Firewalls:
Routers have a high probability of getting compromised. Especially older ones. Home Routers should be replaced every three years for security purposes. For stronger security I highly recommend setting a device in front of your router such as Sophos UTM and then bridging your router to the UTM environment. It's safer because UTM is a product that is regularly updated. IT also has advanced firewall and IDS capabilities. You are also able to obtain a much clearer picture on what exactly is going on inside your network.
Monday, December 8, 2014
Sony and the Kim Jong Un Pairing....
How is this for a load of laughs...
Read this.....
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
Especially this part....
Now read this email from Mandiant to Sony's top Executive.
Write this compliance issue down..... I'm out....
Read this.....
http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
Especially this part....
Now read this email from Mandiant to Sony's top Executive.
Write this compliance issue down..... I'm out....
Sunday, December 7, 2014
Windows 8.1 Security Resources list
A few resources for Windows 8.1 security.
Windows 8.1 security defense in depth training course: http://www.microsoftvirtualacademy.com/training-courses/defense-in-depth-windows-8-1-security
Windows 8.1 Security and Control
http://technet.microsoft.com/en-us/windows/security-and-control.aspx
Countermeasures: Protecting BitLocker-encrypted Devices from Attacks
http://www.microsoft.com/en-us/download/details.aspx?id=41671
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
CIS Benchmarks
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
EMET 5.1
http://www.microsoft.com/en-us/download/details.aspx?id=43714
If you are going to use bitlocker for Full Disk Encryption:
Open Up GPEDIT.MSC
Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption
(Swap to AES 256 for Encryption Algorithm)
Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drive
I'd do these in the OS drive area. Note the first one. If you don't have a TPM chip. No worries I would recommend doing a startup usb key + enhanced pin
Windows 8.1 security defense in depth training course: http://www.microsoftvirtualacademy.com/training-courses/defense-in-depth-windows-8-1-security
Windows 8.1 Security and Control
http://technet.microsoft.com/en-us/windows/security-and-control.aspx
Countermeasures: Protecting BitLocker-encrypted Devices from Attacks
http://www.microsoft.com/en-us/download/details.aspx?id=41671
Microsoft Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
CIS Benchmarks
https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
EMET 5.1
http://www.microsoft.com/en-us/download/details.aspx?id=43714
If you are going to use bitlocker for Full Disk Encryption:
Open Up GPEDIT.MSC
Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption
(Swap to AES 256 for Encryption Algorithm)
Navigate to Computer configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drive
I'd do these in the OS drive area. Note the first one. If you don't have a TPM chip. No worries I would recommend doing a startup usb key + enhanced pin
Saturday, November 15, 2014
ports scanning threats... 30 days
Just some common ports that are hitting my IP from chinese and russian based IP's that I find a little interesting.
TCP -9064
Typical port used by EMC legato networker and sun solcitice backup.
2646 packet drops
UDP - 17643
Unknown
3234 packet drops
The rest are typical. Telnet and SSH... should be a given.
TCP -9064
Typical port used by EMC legato networker and sun solcitice backup.
2646 packet drops
UDP - 17643
Unknown
3234 packet drops
The rest are typical. Telnet and SSH... should be a given.
Monday, November 10, 2014
Elliptic Curve Cryptography with GNUPG
A few things about the release of GNUPG 2.1.
https://gnupg.org/faq/whats-new-in-2.1.html
A few things that make support for ECC very peculiar in the 2.1 release.
"For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein’s Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won’t wait any longer and go ahead using the proposed format for this signing algorithm. The format for an encryption key has not yet been finalized and will be added to GnuPG in one of the next point releases."
https://gnupg.org/faq/whats-new-in-2.1.html
- Revocation tickets are now created by default.
- Secring.gpg will no longer store secret keys (About Damn time)
- Support for ECC.
A few things that make support for ECC very peculiar in the 2.1 release.
"For many people the NIST and also the Brainpool curves have an doubtful origin and thus the plan for GnuPG is to use Bernstein’s Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won’t wait any longer and go ahead using the proposed format for this signing algorithm. The format for an encryption key has not yet been finalized and will be added to GnuPG in one of the next point releases."
$ gpg2 --expert --full-gen-key
gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
Your selection? 9
Please select which elliptic curve you want:
(2) NIST P-256
(3) NIST P-384
(4) NIST P-521
(5) Brainpool P-256
(6) Brainpool P-384
(7) Brainpool P-512
Your selection? 2
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
These slides make a good case for the dangers of ECC.
http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
I would personally Stay away from ECC in GNUPG until they have curve 25519 available
for processes other than signing messages.
Sunday, November 2, 2014
Onedrive lulz
So everyone is now freaking out over this one drive article on the cryptome website.
http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm
So does onedrive really get your encryption keys when you do full disk encryption using bitlocker? Yes and No...
I do have a Windows 8.1 box... It's a box I do absolutely nothing on minus checking email on my outlook.com account and I have it converted over to conform with what Microsoft really wants you to do with that OS. (Hooked in with a Microsoft account)
It's encrypted with Bitlocker but with a small difference. I confirmed my bitlocker keys are not stored on my onedrive account. Originally when I created the box it had a local account when I encrypted it with Bitlocker. << This is key.... If you do it this way everything is forced locally somewhere. Such as a usb stick.
I do have a backup of my keys.. but they are in encrypted form on skydrive.
When using any cloud provider I suggest to never trust it. Layer your security with encryption that is done locally before you upload it to skydrive. I suggest using something like PGP.
Interested in testing this out... try it yourself.. remember create a local account and use that local account to encrypt your computer with bitlocker.
http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm
So does onedrive really get your encryption keys when you do full disk encryption using bitlocker? Yes and No...
I do have a Windows 8.1 box... It's a box I do absolutely nothing on minus checking email on my outlook.com account and I have it converted over to conform with what Microsoft really wants you to do with that OS. (Hooked in with a Microsoft account)
It's encrypted with Bitlocker but with a small difference. I confirmed my bitlocker keys are not stored on my onedrive account. Originally when I created the box it had a local account when I encrypted it with Bitlocker. << This is key.... If you do it this way everything is forced locally somewhere. Such as a usb stick.
I do have a backup of my keys.. but they are in encrypted form on skydrive.
When using any cloud provider I suggest to never trust it. Layer your security with encryption that is done locally before you upload it to skydrive. I suggest using something like PGP.
Interested in testing this out... try it yourself.. remember create a local account and use that local account to encrypt your computer with bitlocker.
Friday, October 24, 2014
FTDI Bricking
Got a small laugh out of the FTDI bricking...although I would have been pissed if my usb to serial device had been caught up in this.
http://hardware.slashdot.org/story/14/10/24/1330252/ftdi-removes-driver-from-windows-update-that-bricked-cloned-chips
Here is some good advice when it comes to driver installs in windows. Don't allow it...Just drivers...
http://technet.microsoft.com/en-us/library/cc730606%28v=ws.10%29.aspx
http://hardware.slashdot.org/story/14/10/24/1330252/ftdi-removes-driver-from-windows-update-that-bricked-cloned-chips
Here is some good advice when it comes to driver installs in windows. Don't allow it...Just drivers...
http://technet.microsoft.com/en-us/library/cc730606%28v=ws.10%29.aspx