Categories
Random Bits Technology and Internet

Managing secrets

A few hours ago, I published a small article on Whitesmith’s blog about sharing and managing secrets inside a software development environment. I first dig a little into this very common problem and later explain how we are addressing these issues. You can check it through the following link:

Managing Secrets (www.whitesmith.co/blog/managing-secrets/)

I mention some tools in the article that are very interesting in this area, but a more detailed analysis or walk-through was left for a future post, as we get more familiar with them.

Categories
Python Technology and Internet

Django Friday Tips: Security Checklist

Security is one of those areas where it is very hard to know if everything has been taken care of. Say you have been working on a project for a while and want to deploy it to a production server: several settings in this new environment should differ from your development one, and forgetting one of them is easy.

Since this is a very common situation, and there are many examples of misconfigurations that later turned into security issues, Django ships a security checklist (since version 1.8) to remind you of some basic aspects, mostly on/off switches, that you should make sure are set correctly for production.

To run it on your project you simply have to execute the following command:

$ python manage.py check --deploy

After the verification you will be presented with warnings like this one:

(security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

More information can be found in the documentation. The command is built on Django’s system check framework, which has several other interesting use cases (you can register your own checks with it).
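To make the "on/off switches" concrete, here is an added example (not Django’s source and not code from the original post): a stand-alone mirror of a subset of the checks that `check --deploy` runs, next to the production overrides that silence them. The warning IDs are Django’s (security.W001 and friends) and the conditions follow its checks, but the comments paraphrase the messages, the settings dict is a constructed sample rather than a real project, and `MIDDLEWARE_CLASSES` is the 1.8-era name used in the warning quoted above (Django 1.10 and later call it `MIDDLEWARE`).

```python
"""Stand-alone mirror of part of Django's `manage.py check --deploy`.

Not Django's code: the IDs are Django's, the logic mirrors its security
checks, and DEV_SETTINGS is a constructed sample development configuration.
"""

SECRET_KEY_MIN_LENGTH = 50            # thresholds Django uses for W009
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"

# Constructed sample: what a typical development settings module looks like.
DEV_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "changeme",
    "ALLOWED_HOSTS": [],
    "MIDDLEWARE_CLASSES": [SESSION_MW, CSRF_MW],
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
}


def deploy_check(settings):
    """Return the IDs of the security warnings that would fire for `settings`.

    As in Django: the HSTS / nosniff / redirect checks only apply once
    SecurityMiddleware is installed (otherwise W001 fires instead), and the
    cookie checks only apply when the matching middleware is present.
    """
    mw = settings.get("MIDDLEWARE_CLASSES", [])
    key = settings.get("SECRET_KEY", "")
    found = []
    if settings.get("DEBUG"):
        found.append("security.W018")   # DEBUG must be False in production
    if len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE_CHARACTERS:
        found.append("security.W009")   # SECRET_KEY too short or too uniform
    if not settings.get("ALLOWED_HOSTS"):
        found.append("security.W020")   # empty ALLOWED_HOSTS: every request is rejected once DEBUG is off
    if SECURITY_MW not in mw:
        found.append("security.W001")   # no SecurityMiddleware, so none of its headers are sent
    else:
        if not settings.get("SECURE_HSTS_SECONDS"):
            found.append("security.W004")   # no Strict-Transport-Security header
        if not settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
            found.append("security.W006")   # no X-Content-Type-Options: nosniff
        if not settings.get("SECURE_SSL_REDIRECT"):
            found.append("security.W008")   # plain HTTP requests are served instead of redirected
    if SESSION_MW in mw and not settings.get("SESSION_COOKIE_SECURE"):
        found.append("security.W011")   # session cookie can travel over plain HTTP
    if CSRF_MW in mw and not settings.get("CSRF_COOKIE_SECURE"):
        found.append("security.W016")   # the warning quoted above: CSRF cookie sniffable
    return found


def production_settings(base, secret_key, allowed_hosts, hsts_seconds=31536000):
    """Return `base` with the switches flipped the way a production deploy needs.

    `secret_key` should come from the environment or a secrets store, never from
    the repository. The Secure cookie flags assume the site is served only over
    HTTPS, which SECURE_SSL_REDIRECT enforces.
    """
    prod = dict(base)
    other_mw = [m for m in base.get("MIDDLEWARE_CLASSES", []) if m != SECURITY_MW]
    prod.update({
        "DEBUG": False,
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": list(allowed_hosts),
        "MIDDLEWARE_CLASSES": [SECURITY_MW] + other_mw,   # SecurityMiddleware goes first
        "SESSION_COOKIE_SECURE": True,
        "CSRF_COOKIE_SECURE": True,
        "SECURE_SSL_REDIRECT": True,
        "SECURE_HSTS_SECONDS": hsts_seconds,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
    })
    return prod


if __name__ == "__main__":
    for warning_id in deploy_check(DEV_SETTINGS):
        print(warning_id)
    prod = production_settings(DEV_SETTINGS, "x" * 45 + "abcde", ["example.com"])
    print("production warnings:", deploy_check(prod))
```

Running the block prints the six warnings the sample development settings would trigger and an empty list for the production overrides; the real command prints the full message text for each ID and also covers checks that are not mirrored here (W005, W007, W019 and the app-only session check W010, among others).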

Interested in more information about security in Django? Check this video from the last edition of “Django Under the Hood”.

Categories
Technology and Internet

Securing IoT Devices

During the first couple of months of 2015 I worked a “little” on the subject of security in the Internet of Things world, a topic about which there is a lot of information, given its crucial role in this new era of the IoT. So today I will share a small document I’ve compiled with information about simple issues that we should take for granted in the functionality of these devices, but that I’ve found aren’t always done the right way.

This document was written at the beginning of the summer, but today I’ve decided to recompile the .tex files and share it here. The PDF version can be found at this link, and a web version for quick consultation is below in this post.

The document is always open to updates and improvements, so if you have any suggestions just send me an email or leave some feedback in the comments section.

Categories
Technology and Internet

Getting started with GPG

Last week I gave a small workshop during the lunch hour (the famous Whitesmith’s “Lunch’n Learn”) about OpenPGP. It only covered the most basic aspects, so that non-technical people could be introduced to this tool, something that can be very useful when someone is sharing or working with sensitive information (either personal or work related).

It covers aspects such as key pair generation, key revocation, export/import of keys and, obviously, encryption and decryption of documents. Most of the examples use the command line interface, but there are several front-ends available which are straightforward to use once you are familiar with the concepts. Perhaps it can also be useful to you (somehow), so here is the link to the presentation; if you have any question feel free to ask in the comments section.
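The workflow the workshop walks through (generate a key pair, hand out the public half, have someone import it and encrypt to it, decrypt with the private half) as an added example, not the workshop’s slides or any Whitesmith material. It drives the `gpg` command line from Python in two throw-away keyrings so nothing touches your real `~/.gnupg`; it assumes GnuPG 2.1 or newer on the PATH, and the user ID, message and keyring names are constructed for the demo.

```python
"""Added OpenPGP round trip through the gpg binary (not the workshop's code).

Assumes GnuPG >= 2.1 on PATH. Identities and message are constructed.
"""
import shutil
import subprocess
import tempfile

ALICE = "Alice <alice@example.com>"          # constructed identity
MESSAGE = b"lunch at 13h, bring the slides\n"  # constructed plaintext


def gpg(home, *args, data=None):
    """Run gpg non-interactively against the keyring in `home`; return stdout.

    --batch/--yes suppress prompts; --pinentry-mode loopback plus an empty
    --passphrase leaves the demo key unprotected (a real key gets a passphrase).
    """
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--quiet",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def cleanup(home):
    """Stop the agent gpg started for this keyring, then delete the keyring."""
    subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                   capture_output=True)
    shutil.rmtree(home, ignore_errors=True)


def roundtrip(message=MESSAGE):
    """Alice generates a key pair, Bob imports her public key and encrypts to
    it, Alice decrypts. Returns the recovered plaintext, or None when gpg is
    not installed."""
    if shutil.which("gpg") is None:
        return None
    alice = tempfile.mkdtemp(prefix="alice-")   # mkdtemp already uses mode 0700
    bob = tempfile.mkdtemp(prefix="bob-")
    try:
        # 1. Key pair generation. GnuPG also drops a revocation certificate in
        #    <home>/openpgp-revocs.d/ at this point; importing it later revokes the key.
        gpg(alice, "--quick-generate-key", ALICE, "default", "default", "never")
        # 2. Export the public half: this is the file you publish or hand out.
        public_key = gpg(alice, "--armor", "--export", "alice@example.com")
        # 3. Bob imports it. --trust-model always stands in for the fingerprint
        #    comparison you would do with Alice in person before trusting the key.
        gpg(bob, "--import", data=public_key)
        ciphertext = gpg(bob, "--trust-model", "always", "--armor", "--encrypt",
                         "--recipient", "alice@example.com", data=message)
        # 4. Only the holder of Alice's private key can open the result.
        return gpg(alice, "--decrypt", data=ciphertext)
    finally:
        cleanup(alice)
        cleanup(bob)


if __name__ == "__main__":
    print(roundtrip())
```

The `--trust-model always` flag is the one thing you should not copy into daily use: it is there only because Bob’s throw-away keyring has no web of trust, and the fingerprint check it skips is exactly what protects you from encrypting to an impostor’s key.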

Categories
Technology and Internet

Integrating security tests into web applications

Today I published a blog post about how to easily run and automate security tests while developing your websites and web applications using Zed Attack Proxy. The example uses the Ruby on Rails framework, but the approach is independent of any stack. I’m planning to write a follow-up article on the same theme, so any feedback on this first part is welcome. You can check the blog post here (whitesmith.co/blog) and the sample code here (GitHub).

Categories
Technology and Internet

Please do not let your SSL certificate expire


Please avoid what is happening right now with the students’ platform of my university, that is, letting your SSL certificate expire over the weekend. Initially it will raise suspicion and distrust, based on the alert shown by the browser, and if the issue lasts too long it will expose lots of users to phishing attacks: once users have learned to click through the warning to reach the real site, they will not notice the difference between it and a rogue one.
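The boring fix is to have something other than a user tell you before the weekend. As an added example (not part of the original post), a small expiry check of the kind you can run from cron: `days_left` is the pure part and is exercised here with constructed dates, while `check_host` is the live part that opens a TLS connection. The hostnames and threshold are assumptions, not the university’s.

```python
"""Added example: certificate expiry check (not from the original post)."""
import socket
import ssl
from datetime import datetime, timezone


def days_left(not_after, now=None):
    """Days until `not_after`, in the format Python's ssl module reports
    ('Jan  5 09:34:43 2018 GMT'). Negative means already expired.

    `now` may be a tz-aware datetime or Unix seconds; defaults to the clock.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = datetime.now(timezone.utc)
    now_ts = now if isinstance(now, (int, float)) else now.timestamp()
    return (expires - now_ts) / 86400


def status(days, warn_days=14):
    """Map a day count to the state you would alert on."""
    if days is None:
        return "INVALID"      # chain did not validate at all
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "EXPIRING"
    return "OK"


def check_host(host, port=443, warn_days=14, timeout=5.0):
    """Return (status, days) for the certificate `host` presents.

    The default context verifies the chain, so an expired or otherwise invalid
    certificate fails the handshake. That is reported as INVALID instead of
    being silently accepted, which is what the browser warning means too.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError:
        return status(None), None
    return status(days, warn_days), days


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.com"]:   # example.com is a placeholder
        state, days = check_host(host)
        print(f"{host}: {state}" + ("" if days is None else f" ({days:.1f} days left)"))
```

Wire the script to an alert on anything but `OK` and pick `warn_days` longer than the time it takes your organisation to actually renew; fourteen days is an assumption, and Friday-evening renewals are how the situation above happens.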

Categories
Technology and Internet

Lenovo and men in the middle

Another week, another scandal. The general public might pass by without noticing the recent news about Lenovo computers, but the tech community on the Internet is incredulous. What we witnessed was serious and a betrayal of customer confidence, so in this post I will try to briefly cover everything that I’ve read about the issue and point out how this affects those who bought a Lenovo computer in the last 6 months.

What happened

Basically, the computers were sold with a piece of very intrusive adware (which could be called malware, since it is not that different). This software stands in the middle of every Internet connection that the computer makes (even secure ones), inspects its contents and injects advertisements into the websites that the user visits [source] [proof].

On the technical level, this software avoided the security measures and alerts implemented by browsers by installing its own self-signed root certificate into the system’s list of trusted Certificate Authorities. With that root trusted, the adware (SuperFish) could terminate each HTTPS connection itself and hand the browser a freshly generated certificate for whichever site was requested, signed by that root. The browser was thus tricked into showing a valid secure connection to the website, when the “secure” connection to the real site was in fact being made by the adware [source].

What are the consequences

Besides users being spied on and secure connections being compromised (for example, with bank websites) by the hardware vendor, as many have already stated, this leaves a huge security hole that can be exploited by people with bad intentions. [source]

In fact, as we can see in this tweet, once this issue was uncovered people started digging into the subject and soon extracted the private key, which gives anyone the ability to sign certificates and trick the affected users into believing they are visiting the correct website when in reality they are on a malicious one. According to some articles it was relatively easy, and the password is the same for every machine, so one extraction works against all of them. [source]

What can be done

Thankfully, given the enormous pressure on the Internet and the media attention, the company tried some excuses and provided some tools to remove the software. But… there is always a but: the less alert users might not know they are vulnerable, and it seems the certificate problem persists (probably the worst issue, since the trusted root is what makes the interception possible even after the software is gone). Fortunately Microsoft stepped in, and the Windows Defender tool that comes bundled with the operating system will automatically remove the software and reset the certificates. [source]

For the more cautious users, some people created tools to check whether a machine is still vulnerable (here and here).

Summing up, this serves as a reminder to be careful with the software that you install on your computer. If possible, when acquiring a new machine, the first step is to wipe the disk and install everything yourself; I recommend using a Linux-based operating system.

P.S.: Digging into the root of the issue and finding out who crafted the problematic software.

Categories
Technology and Internet

Now running over HTTPS

2014 was a year in which we witnessed a huge number of Internet-related security incidents; over the previous years the world understood that our Internet usage is accessible not only to us and our service providers but to every middleman along the way as well. So it is natural that the recent trend is to secure our communications through the Internet to make the whole web safer: not only emails or chat conversations but our browsing too.

Last year we saw the rise of many projects that aim to improve the security of Internet users. For example, most of the big companies enforced the use of HTTPS to access their services, CloudFlare launched Universal SSL, the “Let’s Encrypt” project was announced, and there were major initiatives to promote the usage of private browsing tools like Tor and encrypted chat apps like ChatSecure, TextSecure, etc.

In the long run this will certainly contribute to a better and safer web. That is why I decided to start this year with a major change on my personal websites and pet projects: from now on, all of them will only be accessible through HTTPS. I know it is not a perfect system, but it is a step forward.

Figure: CloudFlare Full SSL scheme

I am using CloudFlare Full SSL until the “Let’s Encrypt” project takes off this summer. This approach, however, is not an end-to-end encryption scheme: the browser’s TLS connection ends at the CDN, where all traffic is decrypted and encrypted again before being forwarded to my server (and in the plain “Full” mode, unlike “Full (strict)”, CloudFlare does not even validate the origin server’s certificate). This is a drawback (and a deviation from the original concept of SSL), but it is still better than nothing and should be fixed by the summer.

Categories
Random Bits

“Nothing to hide” is not a good argument

When talking about privacy and online surveillance (a topic that has been in the spotlight over the last year) with friends, colleagues and people that haven’t given much thought to these issues, the most common answer I hear is (as you’ve already guessed) “I’ve nothing to hide”, which is a fallacious argument. Arguing with someone that has this mindset is really difficult because most of the time (in my experience) it means one of 4 things:

  1. I don’t care.
  2. I don’t know the quantity and/or quality of information that can be gathered.
  3. I don’t believe small pieces of unrelated information leaked in different places will be added up to build a more complete profile.
  4. I’m not really aware of what the implications of surveillance are.

Trying to convince this person that privacy in the age of the Internet is a topic worth discussing is really hard (it got a little easier after last year’s events).

Today I’ve read an essay that really sums up some of the arguments I would use to show someone that privacy matters. It is a long read, but it is worth the time spent:

Why Privacy Matters Even if You Have ‘Nothing to Hide’

Categories
Technology and Internet

Improving your online privacy

Following this PRISM thing that has been going on for several weeks now, Internet privacy has become a hot topic, with extensive discussions and vast amounts of content being written about it (a good thing from my perspective).

In this post I will try to sum up some tips to improve your privacy and safety while surfing the web. The majority of these suggestions are also available on other websites, as they are the result of my searches on this subject, and in some cases they might not be the best ones (if you can point out some improvements in the comments area, I would appreciate it).

Before starting I just want to make clear that this isn’t aimed at making you invisible on the web (is it possible?) or at protecting you from all threats, since that is a huge task and involves a great deal of technical knowledge (a good start would be here).

Browser

First of all, if we are talking about navigating the Internet, the first step must be the web browser, because almost every tip that I will write in the following lines depends on it, and it is the application in which we spend the majority of our time.

My choice goes to Firefox, because it’s not strongly tied to any company that makes most of its profit from the ability to track you, and it’s open-source software (although only a small percentage of users have ever looked at its source code).

The other major reason is related to the posture of the non-profit organization that develops Firefox, and its public stand defending the open web and its freedoms.

Add-ons

  • Ghostery: This add-on lets you visualize every advertiser and tracker that is embedded in a webpage and enables you to block the ones you don’t want.
  • HTTPS Everywhere: When possible, this add-on makes the browser use a secure connection.
  • Adblock Plus: Advertisements finance a large number of Internet sites, paying for the people that work on them, but sometimes they are used in an abusive way. This add-on blocks them and all of their tracking code.
  • Collusion: Lets you visualize the vast network of entities that collected information about you during the time you were online.

Preferences / Options

In the “Privacy” tab of your browser’s options/preferences there are some features you can turn on that will help you keep the house clean. First, you can start by selecting the “Tell sites that I do not want to be tracked” option; I doubt it will be respected, but it doesn’t take more than a minute. The other features are the ones that could improve your privacy a bit, such as “Always use private browsing mode”. If you don’t want to bother with this, you can always set less restrictive options, such as when to clear cookies (my recommendation is “when the browser is closed”).
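Those three checkboxes are ordinary Firefox preferences underneath, so they can also be applied to a fresh profile from a script instead of clicked through on every machine. As an added example (not part of the original post), the preferences behind the options above written into a profile’s `user.js`; the pref names are Firefox’s, the profile directory is whatever you pass in, and the existing `user.js` content used in the usage note is a constructed sample.

```python
"""Added example: apply the Privacy tab options above via a profile's user.js.

Pref names are Firefox's own; the profile path is supplied by the caller.
"""
import os
import re

# What the three GUI options map to (values are what the GUI would set).
PRIVACY_PREFS = {
    "privacy.donottrackheader.enabled": True,   # "Tell sites that I do not want to be tracked"
    "browser.privatebrowsing.autostart": True,  # "Always use private browsing mode"
    "network.cookie.lifetimePolicy": 2,         # keep cookies only "until I close Firefox"
}

_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def to_literal(value):
    """Render a Python value as the JavaScript literal user.js expects."""
    if isinstance(value, bool):          # bool before int: True is also an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def merge_user_js(existing, prefs):
    """Return user.js text with `prefs` applied on top of `existing`.

    Unrelated prefs are kept verbatim, our prefs are rewritten in place when
    already present and appended otherwise, so running twice is a no-op.
    """
    out, seen = [], set()
    for line in existing.splitlines():
        match = _PREF_LINE.match(line)
        if match and match.group(1) in prefs:
            name = match.group(1)
            out.append(f'user_pref("{name}", {to_literal(prefs[name])});')
            seen.add(name)
        else:
            out.append(line)
    for name, value in prefs.items():
        if name not in seen:
            out.append(f'user_pref("{name}", {to_literal(value)});')
    return "\n".join(out) + "\n"


def install(profile_dir, prefs=PRIVACY_PREFS):
    """Write the merged prefs to <profile_dir>/user.js; Firefox must be closed."""
    path = os.path.join(profile_dir, "user.js")
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(merge_user_js(existing, prefs))
    return path
```

Given a constructed `user.js` containing `user_pref("browser.startup.page", 0);` and a stale `user_pref("privacy.donottrackheader.enabled", false);`, `merge_user_js` keeps the first line, flips the second to `true` and appends the other two prefs. Firefox copies `user.js` over `prefs.js` at startup, which is why it has to be closed when you run `install`, and why the file is the right place for settings you want to survive a click in the GUI.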

Profiles and Accounts

Disable or remove accounts on services that you do not use anymore, and delete old content. If it is not needed anymore, there is no excuse to keep it online or to maintain open accounts at those web companies.

Search Engine

As stated in a video that I shared some time ago, your search queries can be recorded, analyzed and combined with other data to build a profile of your habits and to give you the results they (or their servers) think you want, with the possibility of keeping important information away from you. To escape this bubble, one solution is to use a search engine that gives you generic results, and my suggestion is DuckDuckGo. Its results are fairly good, and it has some interesting features like !Bangs and instant answers.

Behavior

Sure, these things improve your ability to avoid being tracked, let you connect to a list of websites in a secure way and don’t record your searches linking them to your profile, but this is a small drop in a big ocean, since a great deal of privacy protection depends on the user’s behavior and choices while surfing the web. Some good practices would be: not to use your real name when it isn’t necessary; to choose your web service providers carefully, paying attention to their privacy policy and reputation (examples: webmail, file storage, instant messaging, etc.); and finally, the no-brainer, to be careful about what you publicly write or share online.

Note: If you want to go deeper, you can find a set of more holistic recommendations here.