New Year Resolutions

I usually do not make New Year’s resolutions because I mostly forget them by the Super Bowl. But this year I am getting my online life more secure.

  1. I will change all my passwords to 20+ random characters.
  2. I will store these passwords in a secure format.
  3. I will encrypt more email.

The first two are pretty easy since I have used a password safe program for many years. When the Heartbleed web security bug hit, I changed many passwords and upgraded to 20+ character passwords in the process.

The third resolution will be more difficult!  Sending an encrypted email to someone requires setting up both the sender and the receiver with software and cryptographic keys.  The “easiest” setup seems to be Thunderbird with the Enigmail add-on, with versions available for Linux, Mac OS X, and Windows.  Now I just need to convince someone else to do it.

Antivirus is Dead!

So declared Brian Dye, Symantec’s senior vice president for information security. “We don’t think of antivirus as a moneymaker in any way.”  Mr. Dye went on to say “antivirus now catches just 45% of cyberattacks.”

So because they cannot make money, this segment of the software industry is dead?  Maybe they are not any good at it!  Or maybe it is the wrong solution to the problem.  Or maybe it is too narrow a solution.

I believe that this problem can only be dealt with effectively at the operating system level.  But the stage was set by Microsoft years ago when they allowed third-party companies to deal with the problem of poor security on Microsoft Windows.  That is just like plugging holes in a leaking boat; it only slows down the problem.

Microsoft has made feeble attempts to increase security on Windows® with equally feeble results.  A code-signing mechanism was introduced in Windows called Authenticode, but even Microsoft does not use this technology to protect the integrity of all of its software.  Microsoft finally added a firewall application, in a usable form, to the Windows operating system in 2004.

The problem of malicious access and modification of computer systems needs to be dealt with at the lowest levels and with a variety of methods.  Intrusion prevention and intrusion detection software are both needed to prevent system attacks.  Many intrusion prevention solutions exist in the form of stand-alone systems like routers and of applications that can be installed on end-user systems.  For Linux systems numerous intrusion detection applications can be found, such as AIDE and Tripwire.  There is even a cross-platform, open-source application called OSSEC that runs on Windows-based systems.

Some of these solutions are not the “next big thing” required by most “for profit” companies.  So many solutions will come from the open-source community.

Heartbleed Bug – End of the World or Non-event?

(xkcd comic on Heartbleed)

That about covers the risks.  Now what can you do about it?  First, update your computer (Windows, Mac OS X or Linux/Unix), right now!  Before you read the rest of this post.

Most software vendors/service providers recognized the serious nature of this bug and updated their software (the easy part).  So getting the fix is usually easy. The biggest problem is trying to determine if your information has been compromised.  You can’t!  Attacks leave little or no trace on the computers that gave up their private secrets.  This bug has been out in the wild for 2 years!  Maybe nobody found it and took advantage, or somebody did and has all our passwords.  N.S.A., is that you?  The actual risk is probably somewhere in between those extremes.

Most security experts are recommending that we change all our passwords and replace all of our SSL certificates.  At the very least change your password on your bank account log-in, but you probably don’t need to change your Facebook password (everybody has all that info).  And definitely change your password if you use one password for everything.  Yeah, it is hard to remember all of them, but you can let your computer do the remembering.  Start using a password safe like KeePass or KeePassX to create and store long, secure passwords in an encrypted file on your system, protected by the one password you still have to remember.

More info about Heartbleed Bug:


Microsoft dropping XP support

Microsoft has finally made good on their threat to stop supporting Windows XP and on April 8, 2014 will stop providing updates and fixes for one of their most popular operating system releases.  Microsoft released Windows XP in 2001 and ended development of it in 2008.  They have continued to provide bug-fixes and minor updates until April 8, 2014.

To find out what version of Windows you are running you could go to this page on Microsoft’s web site, but it said I was running Windows 8.1 even though I am running Ubuntu.  So if you know you are not running Ubuntu or Mac OS X, the following steps will help you find your version of Windows.

The minimum hardware you need to run Windows 8.1 is:

  • Processor: 1 gigahertz (GHz) or faster with support for PAE, NX, and SSE2
  • RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
  • Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
  • Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

I stress this is the minimum to even install, and doubling these minimums is needed to run Windows 8 in an efficient and productive way. Also this does not take into account any other applications you might install and run.

So you either need to buy new hardware, which will come with a newer version of Windows, or switch to another operating system.  To use Mac OS X you need to buy an Apple Macintosh PC which, in my opinion, has a much better interface and is less of a target for computer viruses than Microsoft Windows.

If you do not want to buy new computer hardware there are alternatives that will run on your existing PC.  Check out the free Lubuntu, a lightweight variation of Ubuntu.

If you use your computer for just email and browsing these free alternatives will fit the bill.  You can also edit documents (in most Microsoft Office and other formats) with the free LibreOffice office suite software.

There are other free Linux distributions that will run on older computers and here is a link to the DistroWatch.com web-site that lists some of them.  Most of these offer a “live CD” download that allows you to download and create a CD that you can use to try out the new operating system and application software without installing it on your system.  A try before you install option!

If you don’t have a writable CD/DVD drive or don’t know how to create a CD, you can order a Lubuntu CD from OSDisc.com for $2.95 +S/H.  They also sell other Linux variations as well.

Other benefits of most Linux distributions are ease of update and fewer computer viruses designed to attack Linux-based computers.

Before your old Windows XP system is hacked, check out the alternatives.

Simple Intrusion Detection

Sometimes I want to have a simple way to determine if a file has been changed or has been compromised without the configuration required of a full-featured IDS such as AIDE or Tripwire.  This technique uses CFV, a free and open-source program written in Python that “has been verified to work on linux, freebsd, openbsd, netbsd, solaris, macosx, and windows.”  This program can generate a variety of checksum formats including the SHA1 used in this example.

To create the signature file for a directory’s and sub-directories’ files use the following commands in a Linux or Mac OS X command window:

cd /usr/local/bin
cfv -C -rr -f bin.sha1 -t sha1
gpg -sab bin.sha1

To verify the file signatures use the following commands:

cd /usr/local/bin
gpg --verify bin.sha1.asc
cfv -M -f bin.sha1

The gpg command verifies the detached signature (bin.sha1.asc) over the checksum file (bin.sha1), so an attacker who changes a file cannot simply edit the stored checksum to match.  The cfv command then verifies all the files originally hashed when creating the checksum file.
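The same checksum-manifest idea in a single script, added here as an example (it is not part of the original post and not CFV’s own code): walk a directory tree, write one hash line per file in the sha1sum/cfv “digest, two spaces, path” layout, and later verify the tree against that manifest, reporting changed, missing and newly added files. Two assumptions are made so that it runs offline: SHA-256 stands in for the post’s SHA1, and an HMAC over the manifest text stands in for the gpg detached signature (a real deployment keeps the key, or the gpg private key, off the monitored host).

```python
"""Added example: checksum manifest create / sign / verify.
Stand-ins (assumptions): sha256 instead of the post's sha1, and an HMAC
instead of a gpg detached signature so the demo needs no keyring."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

HASH_NAME = "sha256"  # the post uses sha1; sha256 is the assumption here
CHUNK = 1 << 16


def hash_file(path):
    """Stream the file so large binaries are not loaded into memory."""
    h = hashlib.new(HASH_NAME)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> hex digest for every regular file under root.
    Symlinks are skipped so a planted link cannot point the hash elsewhere."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root_path).as_posix()] = hash_file(p)
    return manifest


def dump_manifest(manifest):
    """cfv/sha1sum layout: '<digest>  <path>' per line, sorted for stable signing."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(manifest.items()))


def load_manifest(text):
    manifest = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_manifest(root, manifest):
    """Compare the live tree with the stored manifest (the cfv -M step)."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def sign_manifest(text, key):
    """Stand-in for 'gpg -sab': keyed MAC over the manifest bytes."""
    return hmac.new(key, text.encode(), "sha256").hexdigest()


def signature_ok(text, key, sig):
    """Stand-in for 'gpg --verify'; constant-time comparison."""
    return hmac.compare_digest(sign_manifest(text, key), sig)


def demo():
    """Constructed sample tree: baseline, sign, tamper, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "README").write_text("notes\n")
        text = dump_manifest(build_manifest(root))
        key = b"constructed-demo-key"  # assumption: kept off the monitored host
        sig = sign_manifest(text, key)
        # Simulate what an intrusion leaves behind: a modified binary,
        # a dropped-in file, and a deleted file.
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "bin" / "extra").write_text("x")
        (root / "README").unlink()
        report = verify_manifest(root, load_manifest(text))
        return signature_ok(text, key, sig), report


if __name__ == "__main__":
    ok, report = demo()
    print("manifest signature valid:", ok)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Because the manifest is sorted before signing, re-running the create step over an unchanged tree yields byte-identical text, which is what lets a stored signature stay valid until a file really changes.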

Amazon Simple Storage Service (S3)

I have been using Amazon Simple Storage Service (S3) for several years to provide off-site backup and to synchronize files on my numerous systems.  It is a cloud-based service that provides storage for a very reasonable cost ($0.14 per GB/Month as of 7/19/2011).  Access to files on S3 is through web service interfaces (REST, SOAP, and BitTorrent) that are not meant for general use.  So most access is through some end-user program or service.  Many services have been built that use S3 including Netflix, Tumblr, reddit, and SmugMug, with the list growing rapidly.

To use this service, I use a variety of tools, including a command-line utility called s3cmd on my Linux systems to synchronize directories and upload/download files.  Synchronizing a directory is as simple as:

s3cmd sync /home/dirk/data s3://bta-bucket/dirk/

This will create a “directory” data under the S3 “directory” bta-bucket/dirk, upload the files that have changed or do not exist on S3, and store file date/time metadata to make all this possible.  The only problem I have run into is that s3cmd’s get and put commands do not use this file metadata to set the file modification time.  This prevents mixing get and put with the sync command, because the file modification time will not be saved (in S3 headers) or set (on the local PC) by get and put.  So to restore one file to a directory AND set the file modification time recorded during the sync upload, use the following command:

s3cmd sync s3://bta-bucket/dirk/data/somefile.ods /home/dirk/data/somefile.ods

The local file date should match the original file’s modification date/time.  Note: the date/time shown by the s3cmd ls command is the upload date/time, NOT the file modification date/time.  The file metadata is stored in the S3 metadata headers with the Key = “x-amz-meta-s3cmd-attrs” and a Value similar to: “uid:1000/gname:dirk/uname:dirk/gid:1000/mode:33188/mtime:1302623148/atime:1311007748/ctime:1302627027” to hold the file information.

Other S3 utilities save file metadata in different and incompatible ways, so be careful in choosing your S3 backup software and remember that changing to another utility may cause problems with synchronization based on the file modification date/time.
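To make the two points above concrete, here is an added example (not from the original post and not s3cmd’s own code) that parses the x-amz-meta-s3cmd-attrs value quoted above, decides whether a local copy is stale relative to the recorded mtime, and then restores that mtime/atime onto a downloaded file with os.utime, which is the step the post says a plain get skips. The attrs string is the one quoted in the post; the local file is constructed in a temporary directory. No S3 call is made, so an assumed caller would fetch the header value from the object’s HEAD response first.

```python
"""Added example: read s3cmd's per-file attribute header and apply it locally.
The header value is the one quoted in the post; the file is constructed."""
import os
import stat
import tempfile
from datetime import datetime, timezone

S3CMD_ATTRS_HEADER = "x-amz-meta-s3cmd-attrs"

# Value exactly as quoted in the post.
SAMPLE_ATTRS = ("uid:1000/gname:dirk/uname:dirk/gid:1000/mode:33188/"
                "mtime:1302623148/atime:1311007748/ctime:1302627027")

INT_FIELDS = {"uid", "gid", "mode", "mtime", "atime", "ctime"}


def parse_s3cmd_attrs(value):
    """'key:val/key:val/...' -> dict; numeric fields become ints.
    A malformed item raises rather than silently producing a bad mtime."""
    attrs = {}
    for item in value.split("/"):
        if not item:
            continue
        key, sep, raw = item.partition(":")
        if not sep:
            raise ValueError(f"malformed attrs item: {item!r}")
        attrs[key] = int(raw) if key in INT_FIELDS else raw
    return attrs


def mode_string(mode):
    """Decimal st_mode from the header -> ls-style string (33188 -> -rw-r--r--)."""
    return stat.filemode(mode)


def mtime_iso(attrs):
    """Human-readable UTC time of the recorded modification time."""
    return datetime.fromtimestamp(attrs["mtime"], tz=timezone.utc).isoformat()


def local_is_stale(local_path, attrs):
    """True when the local file is missing or older than the recorded mtime.
    This is the comparison a sync needs and that upload time alone cannot give."""
    if not os.path.exists(local_path):
        return True
    return int(os.stat(local_path).st_mtime) < attrs["mtime"]


def restore_times(local_path, attrs):
    """Set atime/mtime from the header after a download; returns the new mtime."""
    os.utime(local_path, (attrs.get("atime", attrs["mtime"]), attrs["mtime"]))
    return int(os.stat(local_path).st_mtime)


def demo():
    """Constructed local file: check staleness, then restore the recorded times."""
    attrs = parse_s3cmd_attrs(SAMPLE_ATTRS)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "somefile.ods")
        with open(path, "wb") as fh:
            fh.write(b"constructed file body")
        stale_before = local_is_stale(path, attrs)  # just written, so newer than 2011
        restored = restore_times(path, attrs)
        return attrs, stale_before, restored


if __name__ == "__main__":
    attrs, stale, restored = demo()
    print(mode_string(attrs["mode"]), attrs["uname"], mtime_iso(attrs))
    print("stale before restore:", stale, "| mtime after restore:", restored)
```

The uid/gid fields are intentionally not applied here: restoring ownership requires privileges and only makes sense when the destination host has the same accounts, which is exactly the cross-tool incompatibility the paragraph above warns about.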

For Windows users, there is a free client called DragonDisk that uses S3 for file storage.  I have not used it, so this is not a recommendation.

Keeping track of passwords

If you have run out of pets’ or children’s names to use for passwords, or you have ever misplaced that scrap of paper with your bank PINs and passwords, or if you have trouble remembering the contrived “passwords” that banks are now asking for, like “What was your first girlfriend’s name?”, then maybe you are ready for a password safe program.  These programs usually keep track of your user names, web addresses, and passwords in an encrypted file format that only allows access using a particular software program and a single password.  This keeps your passwords safe if your laptop gets stolen or someone copies the files on your computer or backup disks.

I wrote a program for MS Windows for this purpose years ago, but since I mostly work on Linux and Macintosh computers today, it quickly became obsolete.  Today I use a program called KeePassX (www.keepassx.org) to keep track of my passwords.  I use it to keep track of hundreds of passwords that I have accumulated over the years.  Another great benefit is that I do not need to rely on my memory or have to write or type the passwords, because I can copy and paste them into the password prompts.  I can create long random character/number combination passwords that are very secure compared to your wife’s birthday or your dog’s name.  Even better, KeePassX will generate new passwords for me!

I can copy the encrypted file to a USB thumb drive and access it from my Linux, Macintosh, and even MS Windows computers.  You can even put the software on the thumb drive and access your passwords on systems that do not have the software installed.

KeePassX was originally a Linux clone of a similar software program called KeePass Password Safe (keepass.info).  KeePass Password Safe is for MS Windows only, but KeePassX currently uses the KeePass version 1.x (Classic) password database format as the native format.  So as long as you stay with KeePass v1.x then your encrypted password file can be opened with KeePassX on other platforms (Linux and Macintosh).

Both programs (KeePassX and KeePass) use either the AES (alias Rijndael) or Twofish encryption algorithm with a 256 bit key.  The AES encryption algorithm is currently used by the U.S. government for protecting its top secrets.

No password safe software program will protect you from every threat of someone getting your passwords, but they eliminate the greatest threats: weak, easily guessed passwords and passwords written on paper that is easily obtained.
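As an added example (not part of the original post and not KeePassX code), here is what the “generate a long random password” feature boils down to, together with an entropy estimate that shows why the post’s 20+ character resolution beats any memorable phrase. It draws from the OS random source via Python’s secrets module; the character set, the 24-character default and the guess rate used for the time estimate are assumptions chosen for illustration.

```python
"""Added example: CSPRNG password generation and an entropy estimate.
Character set, default length and guess rate are assumptions."""
import math
import secrets
import string

# Assumed printable ASCII set: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=24, alphabet=ALPHABET, require_all_classes=True):
    """Uniformly random password of the given length from alphabet.
    The post's resolution is 20+ characters, so shorter requests are refused.
    With require_all_classes, whole candidates are re-drawn until every class
    appears (rejection sampling keeps the result uniform over accepted strings)."""
    if length < 20:
        raise ValueError("use 20 or more characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes:
            return pw
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def years_to_guess(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed offline guess rate."""
    return (2.0 ** (bits - 1)) / guesses_per_second / (365.25 * 86400)


def compare(lengths=(8, 12, 20, 24)):
    """Entropy and expected guess time for several lengths (the post's point)."""
    return {n: (round(entropy_bits(n), 1), years_to_guess(entropy_bits(n))) for n in lengths}


if __name__ == "__main__":
    print("generated:", generate_password())
    for n, (bits, years) in compare().items():
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
```

The 8-character row is the instructive one: at the assumed rate it falls in well under a year, while 20 characters from the same alphabet is far beyond any feasible search, which is the whole argument for letting the safe remember passwords you could never memorize.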