Gonçalo Valério

Tag: Security

  • Managing Secrets With Vault

    I’ve been looking into this area, of how to handle and manage a large quantity of secrets and users, for quite a while (old post), because when an organization or infrastructure grow, the number of “secrets” required for authentication and authorization increase as well. Is at this stage that bad practices (that are no more than shortcuts) as reusing credentials, storing them in less appropriate ways or no longer invalidating those who are no longer in required, start becoming problematic.

    Yesterday at “Madeira Tech Meetup” I gave a brief introduction to this issue and explored ways to overcome it, which included a quick and basic explanation of Vault and demo about a common use case.

    You can find the slides of the presentation here and if you have any suggestion or something you would like to discuss about it, feel free to comment or reach through any of the contact mediums I provided.

  • Keep your dependencies under check

    Nowadays most software projects with a “decent size” rely on many software dependencies, or in other words: libraries and tools, developed by other people. That usually are under constant change.

    The reasons for these are clear and can go from implementing common patterns and avoid repeating ourselves, to accelerate the development, to use mature implementations and avoid some pitfalls, etc. Sometimes many projects rely on way too many dependencies for simples things (Remember the left-pad fiasco?).

    Once these dependencies are loaded, integrated and working as expected, people often forget they are there and many times they stay untouched for long periods of time. Even when newer versions are released, unless something starts breaking, nobody remembers to keep them up to date, a situation that might lead to security vulnerabilities, not in your code but on the code your project depends on.

    Of course I’m not telling you anything new, what I pretend to achieve with this post, is to show that there are many tools available to help you fight this problem. When you integrate them on your CI or on another step of your development process, they will keep you informed about what dependencies have known security vulnerabilities and what you should upgrade as soon as possible.

    The majority of the programming languages have this sort of tools, so a little search should help you find the one that better suits you stack. Below are some examples:

    As an example here is what I needed to do in order to check the dependencies of Hawkpost (an open-source project that I’m deeply involved with at the moment):

    $ safety check --full-report -r requirements/requirements.txt
safety report
---
No known security vulnerabilities found

    For most of these tools the basic check is this simple to do and in the long run it might save you from some headaches.

    Update (26-06-2018): Added cargo-audit to the list

  • Receive PGP encrypted emails, without the sender needing to know how to do it

    One common trouble of people trying to secure their email communications with PGP, is that more often that not the other end doesn’t know how to use these kind of tools. I’ll be honest, at the current state the learning curve is too steep for the common user. This causes a huge deal of trouble when you desire to receive/sent sensitive information in a secure manner.

    I will give you an example, a software development team helping a customer building his web business or application, may want to receive a wide variety of access keys to external services and APIs, that are in possession of the customer and are required (or useful) to be integrated in the project.

    Lets assume that the customer is not familiarized with encryption tools, the probability of that sensitive material to be shared in an insecure way is too high, he might send it through a clear text email or post it on some shared document (or file). Both the previous situations are red flags, either by the communication channel not secure enough or the possibility of existing multiple copies of the information in different places with doubtful security, all of them in clear text.

    In our recent “Whitesmith Hackathon”, one of the projects tried to address this issue. We though on a more direct approach to this situation based on the assumption that you will not be able to convince the customer into learning this kind of things. We called it Hawkpost, essentially it’s a website that makes use of OpenPGP.js, where you create unique links containing a form, that the user uses to submit any information, that will then be encrypted on his browser with your public key (without the need to install any extra software) and forwarded to your email address.

    You can test and used it on https://hawkpost.co, but the project is open-source, so you can change it and deploy it on your own server if you prefer. It’s still in a green state at the moment, but we will continue improving the concept according with the received feedback. Check it out and tell us what you think.

  • Managing secrets

    A few hours ago, I published a small article on Whitesmith’s blog about sharing and managing secrets, inside a software development environment. At first I dig a little into this problem that is very common and later I explain how we are addressing these issues. You can check it through the following link:

    Managing Secrets (www.whitesmith.co/blog/managing-secrets/)

    I mention some tools on the article that are very interesting in this area, but a more detailed analysis or walk-through was left for a future post as we get more familiarized with them.

  • Django Friday Tips: Security Checklist

    Security is one of those areas where it is very hard to know if everything is taken care of. So you have been working on this project for a while and you want to deploy it into a production server, there are several settings on this new environment that should differ from your development one.

    Since this is very common situation and there are many examples of misconfigurations that later turned to security issues, django has a security checklist (since version 1.8) to remind you of some basic aspects (mostly on/off switches) that you should make sure that are set correctly.

    To run it on your project you simply have to execute the following command:

    $python manage.py check --deploy

    After the verification you will be presented with warnings like this one:

    (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

    More information can be found in the documentation, since it uses the check framework, that has several interesting use cases.

    Interested in more information about security in django? Check this video from the last edition of “Django Under the Hood“.

  • Securing IoT Devices

    During the first couple of months of the year 2015 I’ve worked a “little” on the subject of security in the Internet of things world. Even though there is a lot of information about this topic and its crucial role on this new era of the IoT. So today I will share a small document I’ve compiled, with information about simple issues, that we should take for granted in the functionality of these devices, that I’ve found out that they aren’t always done the right way.

    This document was written in the beginning of the summer but today I’ve decided to recompile the .tex files and share here. The PDF version can be found in this link and web version for quick consultation bellow in this post.

    The document is always open to updates and improvements, so if you have any suggestions just send me an email or leave some feedback in the comment’s section.

    (more…)

  • Getting started with GPG

    Getting started with GPG

    Last week I gave a small workshop during the lunch hour (the famous Whitesmith’s “Lunch’n Learn”) about openPGP. It only covered the most basic aspects so that non-technical people could be introduced to this tool, something that can be very useful when someone is sharing or working with sensitive information (either personal or work related).

    It covers aspects such as key pair generation, key revocation, exportation/importation of keys and obviously encryption and decryption of documents. Most of the examples use a command line interface but there are several frontends available which are straightforward to use once you are familiarized with the concepts. Perhaps it can also be useful to you (somehow) so here is the link to the presentation, if you have any question feel free to ask in the comments section.

  • Integrating security tests into web applications

    Today I published a blog post about how to easily run and automate security tests while developing your websites and web applications using Zed Attack Proxy. The example uses Ruby on Rails framework but it is independent of any stack. I’m planning to write a follow up article on the same theme, so any feedback on this first part is welcome. You can check the blog post here (whitesmith.co/blog) and the sample code here (Github).

  • Please do not let your SSL certificate expire

    nonio-cert

    Please avoid what is happening right now with the student’s platform of my university, that is, letting your SSL certificate expire over the weekend. Initially it will raise suspicion and distrust based on the alert showed by the browser and if the issue lasts too long it will expose lots of users to phishing attacks, since users will not notice the difference between the real site and a rogue one.

  • Lenovo and men in the middle

    Another week, another scandal. The general public might pass by without noticing the recent news about Lenovo computers but the tech community in the Internet is incredulous. What we witnessed was serious and a betrayal of the customer confidence, so in this post I will try to briefly cover everything that I’ve read about the issue and point out how this affects who bought a Lenovo computer in the last 6 months.

    What happened

    Basically the computers were sold with a piece of very intrusive ad-ware (that could be called malware since it is not that different). This software supposedly stands in the middle of every Internet connection that the computer makes (even secure ones) and tries to inspect its contents and inject advertisement on the websites that the users visits [source] [prof].

    On the technical level, this software was able to avoid the securities measures and alerts implemented by browsers by issuing a self-signed root certificate that was added to the list of Trusted Certificate Authorities. This way it was able to trick the browser into thinking that it was connecting to the valid website, issuing certificates when needed, when instead it was talking with the ad-ware (SuperFish) and the secure connection was instead being made by it [source].

    What are the consequences

    Besides users being spied and secure connection being compromised (for example.with bank websites) by the hardware vendor, like many as already stated, this leaves a huge security hole that can be exploited by people with bad intentions. [source]

    In fact as we can see in this tweet, once this issue was uncovered people started digging into the subject and already uncovered the private key, with gives the anyone the ability to sign certificates, tricking the affected users into believing they are visiting the correct website when in reality they are on a malicious one. According with some articles it was relatively easy and the password is the same for every machine.  [source]

    What can be done

    Thankfully, given the enormous pressure on the Internet and media attention, the company tried some excuses and provided some tools to remove the software. But … there is always a but, the less alert users might not know they are vulnerable and it seems the certificate problem is still persisting (probably the worst issue). Fortunately Microsoft stepped in and its windows defender tool that comes bundled with the operating system will automatically clear the software and reset all certificates. [source]

    For the most suspicious users, some people created tools to check if the machines are still vulnerable (here and here).

    Summing up, this serves as a reminder to be careful with the software that you install in your computer. If possible, when acquiring a new machine, the first step is to clean the disc and install everything yourself, i recommend using a Linux based operating system.

    P.S.: Digging into the root of the issue and knowing who crafted the problematic software.

  • Now running over HTTPS

    2014 was a year where we witnessed a huge amount in Internet related security incidents, in the previous years, the world understood that our Internet usage is not only accessible to us and our service providers but to every middleman in the way as well. So it is natural that the recent trend is to secure our communications through the Internet to make the whole web safer, not only emails or chat conversations but our navigation too.

    Last year we saw the rise of many projects that pretend to improve the security of the Internet’s users. For example, most of the big companies enforced the use of HTTPS to access their services, CloudFlare’s launch of Universal SSL, the spawn of “Let’s Encrypt” project and major initiatives to promote the usage of private browsing tools like “tor” and encrypted chat apps like ChatSecure, TextSecure, etc.

    In the long run this will certainly contribute to better and safer web. That is why I decided to start this year with a major change on my personal websites and pet projects, for now on all of them will only be accessible through HTTPS. I know it is not a perfect system but it is a step forward.

    Full SSL
    Cloud flare Full SSL Scheme

    I am using Cloud Flare Full SSL, until the “Let’s encrypt” project takes off this summer. This approach however is not an end-to-end encryption scheme since all traffic is decrypted and encrypted again in the servers of the CDN. This is a drawback (and a deviation of the original concept of SSL) but it still is better than nothing and should be fixed by the summer.

  • “Nothing to hide” is not a good argument

    When talking about privacy and online surveillance (a topic that has been in the spotlight over the last year) with friends, colleagues and people that haven’t given much thought about these issues, the most common answer i hear is (as you’ve already guessed) “I’ve nothing to hide”, which is fallacious argument. Arguing with someone that has this mindset is really difficult because most of the time (in my experience) it means one of 4 things:

    1. I don’t care.
    2. I don’t know the quantity and/or quality of  information that can be gathered.
    3. I don’t believe small pieces of unrelated information leaked in different places will be added up to build a more complete profile.
    4. I’m not really aware of what the implications of surveillance are.

    Trying to convince this person that privacy in the age of the Internet is a topic worth discussing is really hard (it got a little easier after last year’s events).

    Today I’ve read an essay that really sums up some of the arguments i would use to show to someone that privacy matters. It is a long read but it worths the time spent:

    Why Privacy Matters Even if You Have ‘Nothing to Hide

  • Improving your online privacy

    Following this PRISM thing that’s going on for several weeks now, Internet privacy become a hot topic with extensive discussions and vast amounts of content being written about it (a good thing from my perspective).

    In this post I will try to sum some tips to improve your privacy and safety while surfing the web. The majority of this suggestions are also available in other websites, as they are the result from my searches about this subject and in some cases they might not be the best ones (if you can point some improvements in the comment area, i would appreciate).

    Before starting i just want to make clear that this isn’t aimed to make you invisible on the web (is it possible?) or to protect you from all threats since that is huge task and involves a great deal of technical knowledge (a good start would be here).

    Browser

    First of all, if we are talking about navigating through the Internet, the first step must be the web browser, because almost every tip that i will write on the following lines depends on it and is the application in which we spend the majority of our time.

    My choice goes to Firefox, because it’s not strongly tied to any company that makes most of their profit based on the ability of tracking you and it’s open-source software (although only a small percentage of the users ever looked at its source code).

    The other major reason is related with the posture of the non-profit organization that developed Firefox, and their public stand defending the open web and its freedoms.

    Add-ons

    • Ghosthery: This add-on lets you visualize every advertiser and tracker that is embeded on a webpage and enables you to block the unwanted codes.
    • HTTPS Everywhere: When possible this plug-in makes the browser use a secure connection.
    • Adblock Plus: Advertisements finance a big number of Internet sites, paying for the people that work on them, but sometimes they are used in an abusive form. This add-on blocks them and all of their tracking codes.
    • Collusion: Lets you visualize the vast network of entities that collected information about you during the time you were on-line.

    Preferences / Options

    On the “privacy” tab of your browser’s options/preferences, there are some features you can turn on that will help you keep the house clean. First you can start by selecting the “Tell site that i do not want to be tracked” option, i doubt it will be respected but it doesn’t take more than 1 min. The other features are the ones that could improve your privacy a bit, such as “Always use private browsing mode”. If you don’t want to bother with this, you can always set less restricting options such as when to clear cookies (my recommendation is “when the browser is closed”).

    Profiles and Accounts

    Disable / Remove accounts of services that you do not use anymore and old content. If it is not needed anymore there is no excuse to keep it online or to maintain open accounts in those web companies.

    Search Engine

    Like is stated in a video that i shared sometime ago, your search queries can be recorded, analyzed and combined with other data to build a profile about your habits and to give you the results they (or their servers) think you want, with the possibility of keeping important information away from you. To escape this bubble, one solution would be to use one search engine that would give you generic results and my suggestion is to use DuckDuckGo. Its results are fairly good and has some interesting features like !Bangs and instant answers.

    Behavior

    Sure, these things improve your ability to avoid being tracked, make you able to connect you a list of websites in a secure way and don’t record your searches linking them to your profile, but this is a small drop in a big ocean, since a great deal of the privacy protection depends on the user behavior and his choices while surfing the web. Some good pratices would be not to use your real name when it isn’t necessary, choose well your webservices provider giving attention to their privacy policy and their reputation (examples: webmail, file storage, instant messaging, etc.). and finally, the no-brainer, be careful about what you publicly write or share online.

    Note: If you want to go deeper, you can find a set of more holistic recommendations here.

  • Tracking and bubbles everywhere

  • The Cloud and our stuff

    Everyone who works, studies or likes Computer Science and overall Technology, knows that for sometime now the buzzword on the internet is the “Cloud” and the vision that everything we have in our hard drives will be taken to these big company servers, and we will reach that data through our regular notebook, tablet or smart-phone (example). Our machine won’t need many storage neither processing capabilities because most of the work’s done on the server-side.

    Well, the way this system works sounds great but (there’s always a but), in recent months we have been witnessing some of the downsides of this approach, like the personal information of million of users stolen from the “Playstation Network” or Dropbox security bug caused by an update (19/06/11), which allowed all user accounts containing private data to be accessible to anyone without password.  As a Dropbox user, this last one affected me but fortunately I’m not a big fan of storing my stuff in the Cloud(I only have some shared folders at the service), yet this makes me wonder if I can trust my stuff to someone else and how can I guarantee that my data remains private?

    I’m not against the idea of the “Cloud”, it has many advantages and certainly those guys handling private data of thousands of people know about security than I do, but these recent failures and the possibility that this services could be attacked makes me want to do something to reinforce my stuff’s protection.

    So what can we do?
    I think to solution to this problem is to add client-side encryption to all the data we store online. This way I can guarantee that I’m the only one who has the password/key to get access to my stuff. So for those who already are Dropbox’s users the online blog LifeHacker proposed using TrueCrypt to accomplish this. You can also try Secretsync which is still in beta but it is a nice idea.
    For those who lost all their confidence in these kind of services but still want their data synchronized through all computers (office, home, …) there are open source solutions that require a little more computer skills and/or a server, such as OwnCloud and Syncany.

    Summing up, you have to be careful with the way you put your data in the cloud, to stay secure encrypt your files before the upload. This security bugs are bad for the user but they are even worst for companies because their reputation never will be the same, especially if they don’t warn the users.