Security | Digital Wealth

Leaving your wi-fi network open

Bruce Schneier (a leading US computer security expert) and Electronic Frontier Foundation (EFY) advise leaving your wi-fi network open: meaning, not use encryption protocols such as WEP or WPA2. This allows neighbours and passers-by to use it while in urgent need, and increases societal cooperation. EFY states:

“If you sometimes find yourself needing an open wireless network in order to check your email from a car, a street corner, or a park, you may have noticed that they’re getting harder to find.”

Due to privacy concerns, and also to avoid letting terrorists and anti-national elements use the spectrum – people are closing down their wi-fi networks. This is also the official advice from my ISP.

EFY argues however, that allowing access to others is just another way of giving back to the society. In addition they argue that this allows more efficient use of spectrum compared to cell phone towers. It admits, however, that current protocols are not designed for efficient sharing. The ideal protocol, as per EFY, would allow sharing part of your bandwidth – while leaving the rest encrypted and closed for snooping. They are working on building such a protocol.

I would love to leave my network open – I do not use all my bandwidth, and in fact do not use it at all for several hours a day. I have an unlimited plan – so it would not be a financial burden. It would instead shift the burden to the ISPs, which I believe is fair – they have restricted trade practices too.

Given the current state of terrorism in India – however – I do not feel safe in doing so. America has understood terrorism only a decade ago – we have felt it for last several decades. We know that an open wi-fi was used to claim Mumbai attacks of 26/11. I am also not sure of the legal protection in India, if any. The government machinery works in an ad hoc basis – even though we may claim to be the world’s largest democracy.

Please post thoughts / comments.

Wrenched back a hacked email account: and lesson learnt

I always advised people to enter random text in response to lost password questions – and keep the password written somewhere safe so you never forget. This incident changed my view point. Read on…

This incident happened to a friend of mine a couple of days back. He woke up one morning to find himself unable to log on to his account. Yahoo! had temporarily locked down the account, and people on his address book had received an email showing him to be in trouble, without any money and seeking money. He was unable to contact some people, and inform them that he was fine: the email address book was also inaccessible.

I told him to be patient and wait for Yahoo to unlock the account. It was apparent that someone had brute forced his password and was seeking money. This is more difficult to do with Gmail because of their ‘captcha‘, however is possible with Yahoo. His password was a non-English word.

Around 12 hours later, the account was unlocked and we tried to reset the password. The hacker had added his one email ID as the alternate ID, but luckily Yahoo allowed us to the reset questions (we selected ‘my account is compromised’, and ‘I am unable to access any of the passwords’). Initially we felt that the hacker would have changed those as well and didn’t try to respond. However a moment later I noticed that Yahoo was showing ‘June 09’ as the last modified date of these questions: so the hacker had not changed them! With some trial and error, my friend was able to correctly respond to those questions and the account unlocked! I went back and removed the hacker’s alternate account: this was important, else the hacker could still unlock the account if this was left unchanged.

Lessons learnt? As below:

Use a strong password, having a mix of letters, numbers and special characters – this one was clearly brute forced which is the easiest way to hack an account other than by social engineering (which is tough if you don’t know the person whose account you are targeting). If you have a tough time coping with passwords, use password safe.

The reset questions: answer them randomly so that someone who knows you, and happens to be able to guess the real answers can’t hack your password. However, keep backup of those random responses in a computer file so that YOU are able to answer them if something goes wrong. For example, many people know where you went for honeymoon or your mother’s maiden name. So respond using ‘monkey typing’ and save a copy.

Use updated alternate email IDs / set up to use mobile SMS as backup.

Maintain an offline backup of your address book. Most providers allow this

If you want you can go a step ahead and hide your real ID, as shown here – when submitting your email ID to unscrupulous websites and blogs/boards etc.

Internet censorship and loss of privacy

An excellent essay by Bruce Schneider on government organized initiatives worldwide to reduce internet privacy and for censorship. There is also evidence that criminals can (mis)use such infrastructure for their own purpose. Please click here to read.

Every year brings more Internet censorship and control — not just in
countries like China and Iran, but in the United States, the United
Kingdom, Canada and other free countries.

The control movement is egged on by both law enforcement, trying to
catch terrorists, child pornographers and other criminals, and by media
companies, trying to stop file sharers.

It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers and censors say, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.

False sense of security

http://www.e-signature.com/ provides logo and signature embedded fonts. Per se, there is nothing wrong with the service, and is useful for people who need it.

However, a look at the website throws up the claims below. Each one has a quote from me below it on the truth behind the statement.

Imagine being able to distribute a signed word processing document to your staff or clients without fear of the logo or signature being copied…

DW: Even if the font is embedded, the logo/signature can still be copied and used on other documents. While this is not possible as a font letter, it can be done as a bitmap.

No embedding is the option most often selected for signatures as it ensures the highest security – the signature will only appear on computers that have the font installed. If you use signature fonts for signing checks, no embedding is also recommended.

DW: Please don’t use this for cheques. Its easier for someone to access your computer and steal the font than you think. The font will be installed on your PC and will remain there, its not something that you can carry on a pen drive and keep in lock and key.

The recipient does not have access to the font to reproduce it in another document nor can they cut-and-paste the on-screen signature or logo.

DW: Again wrong. It cannot be cut-and-pasted as a font letter, but can be done as a bitmap.

Keep your font proprietary. No one can copy your font because it will reside in an inaccessible cache on the browser. You can display your text the way you want without fear of anyone copying it.

DW: What’s an inaccessible cache? No cache is inaccessible – a smart user can always take your font away. Remember: if the browser can download it (and use it to show your content), a user can download it too.

It appears to me that these folks are very much aware that they are making statements that are not 100% truth. A false sense of security is worse than no security.

Scripted thumbnail generation: security perspective

While searching for something on the net, I came across some scripts that generate image thumbnail on the fly.

For example: http://tech.mikelopez.info/2006/03/02/php-image-resize-script/.

While using such scripts we should be aware of the security point of view: your site can easily become a proxy for other people or websites. Continue reading “Scripted thumbnail generation: security perspective”

Remembering your passwords

In today’s online world we have to remember a lot of passwords. Security advice is that they must all be different (so that if one account is compromised, we don’t loose the security of all accounts), and be changed every now and then.

It is sometimes difficult to cope with such requirements, without writing down the passwords – and if you do write them down, what happens if you loose your notebook?

The answer to such problems is a piece of software called ‘Password Safe’ – it has been developed under the watchful eyes of a well known security expert. It keeps all your passwords encrypted by one single password. So you only need to remember one password from now on. You can keep the software on a USB pen-drive (its even platform independent so you can run it both on Windows and Linux) and take it along with you – no harm if you loose the pen-drive – no one can retrieve your passwords.

Note that there are a lot of different software applications with the same name, and not all of them may be equally secure. Please download only from http://passwordsafe.sourceforge.net/.

Note: this is not professional advise, use at your own risk.

Safe Browsing Guide – II

Continued from Safe Browsing Guide – I

You might get some ‘warnings’ while opening secure pages, like below:

Warnings

The first one means that the certificate could have been signed by anyone, including by someone you do not trust. If all I need is encryption: for example if I am sending email, and not sending any corporate presentations, or password, or credit card numbers – I should be fine. Many websites use such certificates – but if it’s a bank website using it – I would not login. To give you an idea of the relative security impact of many of the warnings discussed during this guide: this particular warning has a severity of 40 out of 100. It means even on seeing this warning, I am 60% likely to use the website.

The second one means that the certificate has expired. In this case, I would check what is the expiry date (by clicking on the lock) and if it expired a couple of days back I would allow it. In addition, if its sensitive information, I would not use the site until the issue is fixed. This one has a severity of 30.

The last one says that the website names do not match between the certificate and the actual website you are visiting. This could be a case of phishing, and could be serious. What I do in such a case is I find out what name the certificate is issued to (clicking on the lock icon) and check it against the actual website in the URL. If the website visited is server.icicibank.com and the certificate is for icicibank.com – I continue to use the site. If the two are very different, I don’t use the site. Severity is 80.

Mozilla issues one message for each of the issues as noted above while Internet Explorer (shown above) issues just one message with error icons:

Warnings

This corresponds to the second warning from Internet Explorer.

Warnings

This one corresponds to the first warning from Internet Explorer, same actions apply.

Another warning that you might see is this one:

Warnings

Correspondingly for Mozilla:

Warnings

This warning means that there is some content on the page which is not encrypted: this could be images or something else. Severity is 50: on GMail it may mean that the emails have such content so it’s ok to continue to do your stuff. However, if on one of the emails you are sending a password – you may want to be careful.

Lastly I would encourage visitors to read this advise on safe browsing from a security expert. This essay from 2004 is still good.

Disclaimer: This is just a guide and is not meant to replace professional advise. No measures can guarantee 100% security. There are a lot of threat vectors outside the scope of this tutorial: such as key loggers on your computer. In addition, the severities explained for warnings are just guides and have no scientific basis.

Safe Browsing Guide – I

When you browse over the Internet, or Chat, or send/receive email – you are not doing that in private. It is important to understand exactly what is private, and what steps you need to follow to maintain the privacy.

When accessing any website such as Yahoo.com, you get connected to the web site’s server which provides you the information you seek – search results, or email. This connection is not direct: you are connected through a series of nodes. Each node can view/alter the information that is flowing through it.

A protocol – ‘https’ provides privacy to your interaction by adding a ‘Secure Socket Layer‘ on top of the normal HTTP protocol. Enough of jargon, back to English!

So when you use this particular protocol you are secure subject to some caveats. Use of this protocol can be confirmed through the ‘https’ at the beginning of the URL, and through the ‘lock’ icon at the bottom right: .

A lot of online websites support HTTPS for logging in. You have to select ‘secure’ at the login screen where you enter username/password. This means that your password is protected during the communication. However, these sites move back to normal mode after the login: your data (for example the email content) is not protected. Gmail supports secure connection even after login but you have to enable it in the settings – this makes sense and you should do it. However, even after doing this it does not mean that all your content is ‘protected’ – more on this later.

Please understand that if its emails in question: just your using a secure connection is not enough. The recipient should also use it for the information to remain inaccessible at the nodes.

Proceed to the next part of the guide.

Disclaimer: This is just a guide and is not meant to replace professional advise. No measures can guarantee 100% security. There are a lot of threat vectors outside the scope of this tutorial: such as key loggers on your computer. In addition, the severities explained for warnings are just guides and have no scientific basis.

DNS poisoning – in plain English :-)

What is DNS poisoning, why it affects everyone accessing the internet and how to fix it.

Computers do not have names, only numbers. For example, Yahoo! is 68.180.206.184. When you ask your browser to be taken to Yahoo.com, it looks up this number in something similar to a telephone directory.

A person by the name Dan Kaminsky has found that it’s possible for someone (called X henceforth) to modify the directory. So, when you ask for Yahoo, the computer would lookup the wrong number, a number to a computer owned by X. Thereafter, it can record the information you give it, thinking that its Yahoo!. The owner may then misuse this information.

So what do you do to make sure this doesn’t happen? First, check your DNS server (the machine that tells your computer what number a website has) by going to http://www.doxpara.com/.
If that says your computer is vulnerable, change your DNS servers. Detailed instructions for different operating systems are here. For Windows, in short you have to change your DNS settings to 208.67.222.222 and 208.67.220.220 by going to Network Connections.

Note: This is not a security update blog, and I do not talk about every vulnerability. However, this one is important and everyone needs to understand it. On the other hand, most forums on the web talk highly techno. Read this one for more information, only if you think you need it!

Automate encryption with GPG

This blogpost requires some familiarity with GPG.

Today I want to share the scripts for running GPG in the batch (unattended) mode. You can have a password on the keys if you want, but since this is the automated mode, you may want to use keys without a password. Irrespective of whether or not you use a password – use a separate set of keys that you will not use for anything that not batch processed. The scripts are primarily for Linux. If you need them for Windows, please read this and post any problems you face in comments section, and I will help.

The script for encryption is here:

#! /bin/sh GNUPGHOME='/apps/gpg/' export GNUPGHOME gpg --batch -r <reciepient> --output $2 --passphrase-fd 3 --sign --encrypt $1 3</apps/gpg/passph

The first line shows the location of the shell – please change it according to where the shell is on your system. The second line has the location of the folder where the keys are located – the pubring.gpg and secring.gpg. In the last line, replace <reciepient> with the name on the reciepient key. The /apps/gpg/passph points to the location of the file containing the passphrase. The script will both sign and encrypt the file – change this to suit your needs. The script expects the name of the input file and the name of the output files as parameters in that order.

The script for decryption is here:
#! /bin/sh GNUPGHOME='/apps/gpg/' export GNUPGHOME gpg --batch --passphrase-fd 3 --status-fd 1 --decrypt $1 3</apps/gpg/passph | grep '\[GNUPG:\] GOODSIG' if [ $? -eq 0 ]; then gpg --batch --passphrase-fd 3 --output $2 --decrypt $1 3</apps/gpg/passph fi

The first three lines are similar. Line 4 just checks if the file has a valid signature. If you want to skip this step remove lines 4, 5 and 7. No effort is made to see who signed the file. In my scenario, I could control the people who could sign by having only those public keys in the repository, and the repository could only be written to by ‘root’.

Please post comments in case of questions, concerns.

SFTP>FTP+GPG

Shows that FTP+GPG combination cannot be used in place of SFTP – SFTP is still more secure. Also includes a howto document on setting up passwordless SFTP based automated file transfers.

Recently, we needed to setup secure file transfer with a third party that did not support SFTP. Hence we decided to use FTP+GPG – which includes transfer of GPG encrypted files with FTP. For more details on GPG, visit the homepage http://www.gnupg.org/. It can also operate in ‘portable’ mode – from a USB key.

We did not realise that this combination is still significantly less secure that SFTP based transfer. The threats it does not cater to, which SFTP can combat are:

Someone can come to know about the username, password used in the connection since this is still being transferred un-encrypted
Using this, someone can load their own files into the server which can be designed to either infect the system, or upload malicious information

Even if GPG signatures are used (as we did after coming to know about these shortcomings), there is still the risk of someone replaying the same files that we received. Even this can cause problems in certain situations. Hence, we had to resort to fixing the source IP to combat the problems. Due to using signatures and IP fixing, it all turned out to be more cumbersome, and still less secure.

The best way currently to establish automated file transfers is to do a password-less SFTP. It does not require any password transfer over the network at all, keeps everything encrypted, and: a disgruntled employee who happens to remember a password (in case of password based SFTP) cannot disrupt your services.

This document contains instructions on how to set this up: Password SFTP – How to setup. There is also an online version of the same document. If you have any questions, please post as comments.

QR Codes

I came across QR codes recently. QR stands for Quick response. The coded message looks something like this:

In Japan, they are printed on business cards so that you can take a photograph of the code with your mobile phone, and use special software (also in the phone) to decode it. It makes your life simpler so that you dont have to feed the business card information into your phone contact book manually. However they can be used for almost anything – on ads to store contact information etc.

The QR code shown above is my own web business card. It has my name, the names of my websites and my contact email ID. You can go to http://qrcode.kaywa.com/ to generate QR codes, and download an application to read them. Mobile phone applications are also available.

Why they attracted my attention was in connection to digital security: If you digitally sign a document using GPG for example, there is no way to reflect that on a printed version of the document. QR Codes present an easy way: include a QR code for a short summary of the document, digitally signed, into the document itself. To make it watertight, include a URL to the online version of the document, and a hash of the document. Makes sense?

The uses are endless: they can be added to ID cards, where on one side there is human-readable information, and on the other there is QR code, ready to be verified in case of suspected forgery, they can be added to marksheets digitally signed by the university – the list is endless. No softcopy of the marksheet needs to be provided is what makes this schema more interesting.

Here is a signed message from me:

No need to make them black and mundane – in fact you can superimpose your logo. The first reader to unravel the message in this QR Code will get a digitally signed certificate from me! My public key is here. Post in comments.

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31