Monday, March 13, 2017

Computer Security - Part 2

Malware - Backdoors ...


Backdoors are methods of bypassing normal security or authentication on a system or within software, often hidden or built in by some malicious or non-malicious actor or programmer. Rootkits are often the method of choice for backdoors into Linux systems, but Windows systems are not left out of the party. The more apt definition is often an undocumented method of gaining access to a computer system or its data.

Backdoors were formerly known as trapdoors, but standards and definitions have changed since initial discussions and publications discussing the issue in 1970. Yes, 1970 is when these were first mentioned in a paper by J.P. Anderson and D.J. Edwards through ARPA sponsorship (1).

Proprietary software can often contain backdoors which more often than not go unrealized until an exploit or hacker group discovers them. Open Source, on the other hand, is by nature open, with the source code freely available for peer review; this is the nature of closed versus open (I'll save this for a future discussion).

Back Orifice is a famous backdoor from way back in 1998, when it debuted at DEF CON. This software's purpose was to show how insecure Microsoft Windows 98 was at the time, but it was used to remote control systems globally. It used a client-server method similar to the server/client methods used today for normal daily operations (i.e. cloud services). It can be installed without the user having any knowledge of its existence and is very simple to install.

Other examples of programs which include backdoors are the computer worms Sobig and MyDoom and the Sony / BMG rootkit, each of which was designed to steal data or gather information on the user. In the case of Sony & BMG, their rootkit was delivered via music CD media to customers for the purpose of so-called DRM, but in fact the purpose was to spy on their very customers.

Backdoors come in several types - symmetric, object code & asymmetric.
In the case of symmetric, any user who comes across this type of backdoor can take advantage of it, while the asymmetric version uses cryptography to prevent anyone other than the holder of the private key or the author from utilizing it. Even if the code is made public, an installed backdoor cannot be utilized on a target system without the private key. This second method of attack is very difficult to detect and prevent as it utilizes some of the very same data security measures commercially utilized to protect our data.
Object code backdoors are much harder to inspect and often to detect, as object code is designed to be machine readable and not human readable. These can be added to the code on disk, during compiling, linking through assembly code or loading directly into memory. Often the only method to detect these is to have the source code and perform hashing of the source vs the resulting code.

Even cryptographic algorithms are subject to vulnerabilities created by asymmetric backdoors, as demonstrated by an experimental backdoor in OpenSSL RSA key generation designed by Young and Yung (2).

Samsung Android phones and tablets such as the Galaxy devices contained a backdoor to provide access to all data stored on the device. The software containing the backdoor in this instance is responsible for controlling the modem via RFS (remote file server) commands, allowing the attacker to take on a myriad of tasks, even controlling the microphone or camera without any indication on the affected system (3).

1 - https://en.wikipedia.org/wiki/RAND_Corporation
2 - http://www.cryptovirology.com/cryptovfiles/newbook.html
3 - https://en.wikipedia.org/wiki/Backdoor_(computing)



Computer Security - Part 1


Computer security covers protecting computer systems - cellphones, workstations, servers, networks or any other hardware, software and data from loss, disruption or other attacks. Cybersecurity is the more recent name for Computer Security as the name describes more fully the span of coverage of the term.


Controlling physical access to a system is the first level protection and includes network protection measures as well as protection from malicious persons with access.


Vulnerabilities include any flaw or weakness in a system be it at the operating system level or within the applications on that system and Exploits are those methods which can be used to take advantage of a vulnerability.


Short list of Exploits:
Backdoors, RootKit, Worm, Trojans, Viruses, DDoS, physical access, eavesdropping, phishing, social engineering, privilege escalation, tampering and spoofing, keylogging, Spyware, Botnet, & Cryptomalware.


Each of these affords the attacker specific or combined methods of attack, each with various levels or directions of penetration into a system or network. Targeted compromises of a system or network are briefly described below, but further description and investigation of each is left to the reader.


Trojan Horse (Trojan):
These are malicious programs which lead the user into believing their purpose is something else. The name Trojan Horse comes from the ancient Greek story where a Trojan Horse allowed the Greeks to invade Troy. Beware Greeks bearing gifts.


Today most trojans are spread through various methods of Social Engineering to dupe the user into installing the malware. Sometimes this is as simple as browsing a web page which contains an executable embedded through a banner advertisement that requires absolutely no interaction.


Much like any of the exploits described here, once the trojan is in place on the user’s system, the attacker can perform reconnaissance, disable/remove any program (including anti-virus), take remote control, damage or destroy data, distribute or install malware locally, across the network or globally, and exfiltrate data or encrypt it via crypto-malware (aka ransomware).


Ransomware:
Cryptomalware is a form of ransomware which leaves the user wondering if there is anything they can do to avoid becoming infected or losing their data; this is especially troublesome given the nature of these attacks and the global connectivity of the Internet.


This malware has generally targeted Microsoft Windows systems as they have been the easiest to infect, but it has been infecting other systems such as Android, Linux & Mac OS X. One particularly widespread version is known as Cryptolocker, which is spread through infected email attachments or existing botnets. Once the software is activated, it encrypts all mounted drives on a system including network mount points. The private key used for the encryption is maintained by the malware's Command and Control Server(s), and the malware demands that the user pay in bitcoin, a currency with lower traceability.
The best method to avoid this disastrous infection is to make frequent backups to offline or remote storage (such as SpiderOak, Carbonite, etc.). Another helpful way to avoid this cryptoware is to use a secured Virtual Machine running a secure Linux distribution with very limited or no access to the host operating system, file system or network file system.

Continued in parts 2-9

Source: https://en.wikipedia.org/wiki/Computer_security

VPNs


Virtual Private Networks provide encrypted communication over an insecure (or secure) network such as the Internet. This enables a user or users to send/receive data over the insecure network with access to the private network (such as home, work, etc). Security of the private network can be offered or provided to applications running on the client.

Corporate network access (Intranet) while out of the office is a primary use of VPNs, but home users take advantage of VPNs this way as well. Offices very remote from each other can be joined together using VPNs to form a single network and share data just as if the systems were in the same office. This allows the client system to send/receive data through often restricted network locations or foreign countries, but there are some services such as Netflix which restrict or block use of VPNs when connecting to their services. They have their reasons, but the other method discussed in this series of blog posts - ssh tunneling - overcomes detection of the VPN for such blocking.

There are security implications for VPN use as the client systems must be protected by the same or higher level of anti-virus or malware prevention software to decrease the chances of infections of the Intranet resources. This is a less common method of infection of a network’s resources (most come from phishing attacks), but still remains a concern.

Historically, VPN-type connections were made through phone modems or DSL connections via frame-relay or ATM virtual circuits and other telecom providers, but these are not true VPNs because they use passive security. IP VPNs replaced these more primitive methods after larger bandwidth communication methods became available.

VPNs today can allow users of a device to also protect web browsing from malicious website domains using DNS black holes such as can be provided by the Pi-hole for a home user. Blocklists provided in a DNS black hole can include any website or URL corporate management or a home user requires to prevent a malware infection or advertiser from presenting adverts to the user. Such ad blocking methods can also provide excellent bandwidth savings to the cellphone user connected to the VPN with this service.

Other uses of VPNs are for remote access to VPN services providing access to the more “open” Internet. Uses could be to access sites blocked by the user’s own ISP or country, and provide anonymity, but do not provide any increase in privacy as the traffic can be intercepted on the remote target. In the event true privacy is required, the Tor browser can be used in conjunction with VPN service.

The VPN provides:

  • Confidentiality - network traffic could be sniffed at the packet level, but only encrypted data would be recognized.
  • Sender authentication to prevent unauthorized users from accessing the VPN
  • Message integrity to detect any instances of tampering with transmitted messages

VPN protocols include IPsec, SSL/TLS, DTLS, MPPE, SSTP, MVPN and OpenSSH.

Authentication must occur for VPN tunnels to be built or established. Network to network VPNs use passwords and/or certificates as well as biometrics (such as iris or fingerprint), two-factor authentication (such as Google Authenticator) or other cryptographic methods. All traffic on the remote or client system can be routed out through the VPN gateway to the Internet or directed to only provide access to internal network resources.

Encryption Methods - Part 5

SSH:


Secure Shell, or SSH, provides secure encrypted remote access to a computer system or systems over insecure networks. It is built into Linux systems by default, allows the user to enable the ssh service on boot, and provides a client for accessing other remote systems. Any network service can be secured through the encryption afforded by ssh.

Historically Unix-like operating systems such as Linux have had ssh built in and MacOS X has included ssh support as it is BSD based. Microsoft’s Windows operating system is providing ssh support through a reimplementation of the Ubuntu program stack on top of Windows services, but also offers ssh support only in professional versions.

History:
Secure shell was created to replace the very insecure telnet, rsh & rlogin services which send passwords and data in plain text. Such unencrypted communication can easily be intercepted by an attacker. Protocol 2 is the standard recommended as it is more secure and is default on most Linux systems.

Common use of ssh is by password/username authentication to an account on the target system, but more secure methods are available. These include manually generated public key cryptography, which is the preferred method to ensure end-to-end encrypted communications without the potential for interception by Nation States or other major attackers.

PKI:
Using this method, the user generates a private and public key pair with the ssh-keygen command and copies the public key to the ~/.ssh/authorized_keys file on the target server. Often this can be accomplished with the command ssh-copy-id username@hostname, but it can also be performed manually. The one requirement for either of these is that the user has a valid account on the server prior to attempting to copy the public key to the target server.
Ssh will only allow login if the authorized_keys file is owned by the user or root and none other.
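The ownership rule above can be checked before a login fails. This is an added example, not code from OpenSSH: it is modelled on sshd's StrictModes check (an assumption about which paths matter: the home directory, ~/.ssh and authorized_keys), and the demo home directory and key entries are constructed placeholders, not real keys.

```python
import os
import shlex
import stat
import tempfile

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key type names


def check_path(path, uid):
    """Flag a path that is not owned by uid/root or is writable by others."""
    st = os.stat(path)
    findings = []
    if st.st_uid not in (uid, 0):
        findings.append(f"{path}: owned by uid {st.st_uid}, not {uid} or root")
    if st.st_mode & 0o022:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: writable by group/others (mode {mode:04o})")
    return findings


def audit(home, uid):
    """Check the home directory, ~/.ssh and authorized_keys for one account."""
    ssh_dir = os.path.join(home, ".ssh")
    findings = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if os.path.exists(path):
            findings += check_path(path, uid)
        else:
            findings.append(f"{path}: missing")
    return findings


def list_keys(keys_file):
    """Return (key type, comment) per entry so an unexpected key stands out."""
    entries = []
    with open(keys_file) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                fields = shlex.split(line)  # keeps command="..." options together
            except ValueError:              # unbalanced quote, e.g. in a comment
                fields = line.split()
            for i, field in enumerate(fields):
                if field.startswith(KEY_TYPE_PREFIXES):
                    entries.append((field, " ".join(fields[i + 2:])))
                    break
    return entries


def make_demo_home(keys_mode=0o600):
    """Build a constructed home directory for the demo (placeholder keys)."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("# constructed sample entries\n")
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEONLY alice@laptop\n")
        fh.write('command="/usr/bin/rsync --server",no-pty '
                 "ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY backup job\n")
    os.chmod(keys, keys_mode)
    return home


if __name__ == "__main__":
    for mode in (0o600, 0o666):
        home = make_demo_home(mode)
        print(oct(mode), audit(home, os.getuid()) or "ok")
        print(list_keys(os.path.join(home, ".ssh", "authorized_keys")))
```

Listing the entries alongside the permission check matters because a key nobody remembers adding is itself a way back into the account.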

The PKI pair method of authentication provides convenience to the user and to software such as the message passing interface stack, which may require passwordless login for automation. However, an additional measure of security can be provided by a private key passphrase, which is important should the system be compromised or attacked by a larger authoritarian agency (NSA, CIA, State Actors, etc). In most cases or normal use this passphrase can be left out, and the bash_aliases file can have aliases added to simplify access to systems often accessed from the command line.

On Linux distributions, applications such as the Dolphin or Nautilus file managers support the sftp or fish protocols for file transfer. Both of these use ssh for authentication and transmission to allow for encrypted transfers. Dolphin affords simple bookmarking of sftp connections to allow even easier methods of secure file access. Simple methods also include scp or Secure Copy to allow transfer from one system to another using ssh.

Tunneling
A common use of ssh is to tunnel traffic to or from a remote machine to execute commands through TCP forwarding and includes X11 forwarding. Such tunneling can often overcome blocks of VPN services by certain ISPs or Countries to allow communications when a method out or in is required. Access to a remote Linux server such as a Raspberry Pi located in an unrestricted country can provide a gateway to the Internet and provide access to region-locked or restricted services such as Netflix, Amazon or even Google. This VPN offers the home user a simple method of creating a VPN for use with cell phones or other computer systems while sitting on an unsecured network.

Simple client ssh tunneling can be accomplished using the sshuttle program on Linux as it handles all tunneling requests in a less complex command sequence and can be added to aliases for even easier use.

Linux systems as well as MacOS provide built-in ssh support through the Terminal while applications for other operating systems such as Microsoft’s Windows can be obtained to allow ssh access: PuTTY is one such example which can be carried around on a USB drive along with the private keys required for access, which doesn’t require any installation to use on the host operating system.


Encryption Methods - Part 3

S/MIME:


Secure / Multipurpose Internet Mail Extensions describes a method of email encryption using PKI (public key encryption) with signed MIME data and is defined through RFC 3369, RFC 3370, RFC 3850 and RFC 3851. RSA originally created S/MIME and the original specification. S/MIME is now under the auspices of the IETF (Internet Engineering Task Force) and layered on the Cryptographic Message Syntax, which is an IETF specification closely resembling the PKCS #7 standard. Most modern email applications incorporate S/MIME functionality and inter-operate with each other.

Cryptographic services provided by S/MIME:

  • Authentication
  • Message integrity
  • Non-repudiation (signatures)
  • Privacy
  • Data security (encryption)

S/MIME specifies the MIME type application/pkcs7-mime (smime-type "enveloped-data") for data enveloping (encrypting) where the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7-mime MIME entity (1).

To utilize S/MIME, an individual key/certificate must be generated by a local, internal or external CA (certificate authority) or obtained from one of numerous public CAs. Best practice for improving the security of the private keys and certificates requires escrow of the encryption key to prevent possible disclosure of the signature key, which would invalidate non-repudiation. To encrypt an email or document, the author encrypts it using the public certificate of the recipient. Normally a user sends out his/her public certificate attached to emails when using S/MIME to facilitate encryption. Thunderbird Claws is one example of email software which supports the standard.

There are 2 levels or classes of user certificates to obtain for certification of a user (Class 1 or 2) and are dependent upon the level of validation required of the user. Businesses require validation of a user with more thorough investigation of the user's identity (Class 2 CA validated user) whereas the Class 1 certificates can be self-generated and validated using a web-of-trust method often used during key-signing parties (often held at Linux conferences). Most home users requiring or wanting to use encryption for email will use PKI instead of using the more complicated CA methods and can use the web-of-trust to provide validation of the sender to the recipient.

This method of encryption is problematic with webmail clients (browsers primarily) as the private key must be kept accessible to the user but not the webmail server. This issue is resolved by GnuPG or PGP Desktop applications whereby the clipboard is used for signing the message and passing the data back to the browser or webmail client. This method is utilized by Android apps such as Enigmail and K-9 to provide end-to-end encryption of email.

Speaking of end-to-end encryption, S/MIME encryption encapsulation of message bodies includes any attachments, which could contain malware targeted at the end user's machine. Given that inspection software must evaluate all data arriving at a system, true end-to-end encryption must be technically broken; this is done throughout most business situations to open and inspect the content of the message(s) and attachment(s).


Common methods:
  • Store private keys on the gateway server to allow decryption prior to the gateway malware scan.
  • Store private keys in malware scanners to inspect messages and relay the message or a message with infected/blocked status to the user.




Proper key storage of the private key must be maintained for future decryption of messages encrypted for S/MIME. Attention to this issue should be provided for proper future access to emails. 

This is an especially important issue home users should consider when using any encryption of their data should they or their families require access in the future. Often this can be resolved by storing the private key on a CD or USB media locked in a vault, safety deposit box or other secured location. 

More to come in part 4:
IPSEC, & SSH

(1) - https://en.wikipedia.org/wiki/S/MIME


Encryption Methods - Part 4

IPSEC:


Internet Protocol Security is the fully expanded acronym of this secure IP suite and can best be described as providing complete authentication and encryption of every IP packet in a session. IPsec works at the lower levels of the OSI model - the Internet Layer - and protects all traffic over an IP network as opposed to the upper levels where both TLS and SSH operate(1). IPsec has protocols for mutual authentication between agents (programs, networks, hosts) creating a session and negotiates the cryptographic keys utilized during the communication session.

IPsec can protect data traversing several different communication methods: host-to-host (i.e. one system to another), network-to-network (i.e. one LAN to another LAN) or network-to-host (i.e. LAN to host system). IPsec is commonly used for protection of traffic over the Internet's IP networks. 

Protections of Data afforded by IPsec:


  • Network-level peer authentication
  • Data-Origin Authentication
  • Data Integrity
  • Data Confidentiality (encryption)
  • Replay protection

Security from IPsec can be automatically afforded to all traffic over an IP network and provides security to all applications operating over IP. It is an Open Standard certified by the IETF through a series of RFC documents covering multiple components and specifying the protocol naming convention IPsec (2).

The architecture of IPsec includes:

  • Authentication Headers (AH) - Protect against replay attacks and provide both connectionless Data Integrity & Data-Origin Authentication
  • Encapsulating Security Payloads (ESP) - Confidentiality, Data-Origin Authentication, & connectionless Data Integrity. When used with Tunnel mode, this protects the complete IP packet: the whole inner IP packet is protected, including the inner header, while the outer header, including any outer IPv4 options or IPv6 extension headers, remains unprotected. ESP operates directly on top of IP.
  • Security Associations (SA) - algorithms and data parameters for AH / ESP operations. These are used to encrypt and authenticate a particular data flow in one direction, which results in a pair of security associations for normal bi-directional traffic. These use Internet Security Association and Key Management Protocol (ISAKMP), which is implemented by manual configuration with pre-shared secrets, IKE and IKEv2, KINK, and the use of IPSECKEY DNS records. RFC 5386 defines Better-Than-Nothing Security as an unauthenticated mode of IPsec using an extended IKE protocol (3).

Transport Mode = host-to-host
Transport mode presents the payload of the IP packet as either encrypted or authenticated with the routing not modified as the header remains unchanged and encrypted. If the authentication header is used, NAT cannot be used as the IP addresses of the system are part of the hashing algorithm. For home users, this presents a problem as most systems in the home are connected via a home router which is performing IPv4 Network Address Translation routing.
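Why the authentication header and NAT do not mix, as an added example rather than code from any IPsec implementation: a model of the AH integrity check value that follows RFC 4302's rule of zeroing the mutable IPv4 header fields before hashing. The key, addresses, SPI and the choice of HMAC-SHA-256 truncated to 128 bits are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 16   # integrity check value length, HMAC-SHA-256 truncated to 128 bits
AH_PROTO = 51  # IP protocol number for the Authentication Header


def checksum(header: bytes) -> int:
    """Standard IPv4 header checksum (ones' complement sum of 16-bit words)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, ttl, total_len):
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                         AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may change in transit; addresses stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key, src, dst, payload, ttl=64, spi=0x1000, seq=1):
    # AH fixed part: next header (6 = TCP), length in 32-bit words minus 2,
    # reserved, SPI, sequence number (the replay-protection counter).
    ah_fixed = struct.pack("!BBHII", 6, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, ttl, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify(key, packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def rewrite_header(packet, ttl=None, src=None):
    """Change header fields the way a middlebox does, fixing the checksum."""
    hdr = bytearray(packet[:20])
    if ttl is not None:
        hdr[8] = ttl
    if src is not None:
        hdr[12:16] = socket.inet_aton(src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def route_hop(packet):
    return rewrite_header(packet, ttl=packet[8] - 1)  # an ordinary router


def nat_rewrite(packet, public_ip):
    return rewrite_header(packet, src=public_ip)      # a home NAT router


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = build_packet(key, "192.168.1.10", "203.0.113.5", b"hello")
    print("as sent:      ", verify(key, pkt))
    print("after a hop:  ", verify(key, route_hop(pkt)))
    print("after NAT:    ", verify(key, nat_rewrite(pkt, "198.51.100.7")))
```

The TTL decrement survives because TTL is excluded from the hash, while the rewritten source address does not, which is the failure a home user behind an IPv4 NAT router sees.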

Tunnel Mode = network tunneling mode
When using this mode, the complete IP packet is encrypted and authenticated and this is in turn encapsulated into a new IP packet (with a new IP header). VPNs utilize Tunnel mode to create network-to-network communications (e.g. between routers) or host-to-network communications. This method is useful for individuals wishing to maintain privacy while using unsecured networks such as open wireless network hotspots (wifi hotspots) as the tunnel remotes into a more secure network. This allows the user to work using a known and trusted network.

1 - https://en.wikipedia.org/wiki/IPsec
2 - http://tools.ietf.org/html/rfc4301#page-4
3 - https://tools.ietf.org/html/rfc5386

Friday, January 27, 2017

Encryption Methods - Part 2


More PAM:

In Linux, PAM separates authentication tasks into four groups for management: Validation, Identity, Password, Session. Each of these phases of user management can be described in a simple manner.

Validation: Account validation by methods such as time of day, account expiration or actual permission to access system resources or services.

Identity: Verify a user’s identity by checking a password or other secret information. This information can be sent along to other processes for further validation such as Kerberos or RADIUS servers.

Password: Handles the tasks of password updates. These modules are most often tied to the Identity modules and are used to enforce password complexity and strength.

Session: Each session has a beginning stage and an ending stage, and actions for each are defined using the session modules. Actions performed after the user has logged into the system or service are also performed by these modules.



SSL:
Secure Sockets Layer is an encryption method which was developed by Netscape way back in 1995 to provide security over the Internet and supports multiple encryption protocols for both client and server authentication. SSL creates a secure channel of data over the transport layer and encrypts various sorts of data types.

The most commonly recognized use of SSL protocol is the HTTPS or encrypted web page standard. This provided confidentiality, authentication, integrity and non-repudiation and supports multiple key management utilities and encryption algorithms between each party (i.e. web browser and server processes), but it has been supplanted by the much more secure TLS.

SSL was a step towards making the Internet secure, but attacks have continued and more recent exploits such as POODLE(1) have forced Linux distributions and web browser makers to disable even version 3.0 of SSL.

TLS:
Transport Layer Security (TLS) has replaced SSL as the encryption of choice as it is much more secure than SSL and provides exceptional privacy through symmetric cryptography for data encryption.

TLS 1.1 was adopted as the standard through RFC 4346 in April 2006 and TLS 1.2 via RFC 5246 in August 2008 and was updated in March 2011 via RFC 6176. Each version of TLS has built on the original SSL specification(2).

The primary advantage of TLS is that keys for the session are generated with each connection and are based on a shared secret negotiated at the start of the session. This means the server and client negotiate the encryption algorithm and cryptographic keys before any data is transmitted between them. This transmission between both systems or services cannot be tapped (eavesdropped) even by attackers who might be performing a man-in-the-middle attack on the session. No attacker can modify the traffic without being detected.

Browser Encryption:
Modern web browsers such as Google Chrome and Firefox are especially adept at notifying the user of such attacks by indicating the status of a connection with a broken lock in the address bar and a pop-up window indicating failed encryption session (3).
Each session also has integrity because each message sent down the wire includes a MAC (message authentication code) to prevent loss, alteration or other data problems during transmission.

Web servers today also utilize public-key cryptographic keys authenticated and verified by a third party such as Thawte, Verisign or LetsEncrypt, known as a CA (Certificate Authority). These verified or trusted parties ensure communications for e-commerce, banking, etc., which in turn protect the very fabric of much of the modern world.

Perfect Forward Secrecy:
TLS can, when properly implemented, provide forward secrecy to ensure that any disclosure of encryption keys in the future doesn’t allow the data from past TLS encrypted sessions to be decrypted. This means any future compromise or disclosure of long-term cryptographic keys doesn’t compromise any data previously protected by those keys. Data remains encrypted even if it were captured and stored by Nation States for unwarranted spying (4).
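A client-side configuration that applies the two points above, refusing SSL 3.0 and the early TLS versions and offering only key exchanges that give forward secrecy. This is an added example using Python's standard ssl module, not code from the original post; the cipher string and the name-based classification are assumptions that rely on OpenSSL's cipher suite naming.

```python
import ssl

# In OpenSSL names, TLS 1.2 suites with an ephemeral key exchange start with
# ECDHE- or DHE-. TLS 1.3 suites (TLS_...) always use ephemeral keys.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def is_forward_secret(cipher_name: str) -> bool:
    """True if the suite derives session keys from an ephemeral exchange."""
    return cipher_name.startswith(FORWARD_SECRET_PREFIXES)


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 3.0, TLS 1.0 or TLS 1.1
    # Only ephemeral elliptic-curve Diffie-Hellman with AEAD ciphers for TLS 1.2.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will accept, for review or logging."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "non_forward_secret": [n for n in names if not is_forward_secret(n)],
    }


if __name__ == "__main__":
    print("hardened:", audit(hardened_client_context()))

    # For contrast: OpenSSL's DEFAULT list may still contain static RSA key
    # exchange suites, where a later leak of the server key exposes old traffic.
    broad = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    broad.set_ciphers("DEFAULT")
    print("broad:   ", audit(broad))
```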



More to come in part 3:
SMIME, IPSEC, & SSH



Thursday, January 26, 2017

Encryption Methods - Part 1

Password Encryption:


We use passwords everywhere these days. From your run-of-the-mill desktop login to Facebook and beyond, we just can’t get away from passwords (or so it seems).


Try working at any business with any level of security control and you will understand just how complex our passwords must be to provide any level of security.


Linux primarily uses the DES encryption algorithm to encrypt your passwords which are stored in the /etc/shadow file. When logging into your system, the password you’ve typed is encrypted on the fly and compared against the one stored in your system’s /etc/shadow file. If they match, you’re allowed to login. The advantage of this encrypted one-way function is it shouldn’t be possible to reverse the encryption and get to the password from the contents of the /etc/shadow file.


Physical access to the system, however, can allow an attacker to use one of a multitude of tools like John The Ripper, Brutus, RainbowCrack, etc. to crack your password if it is not sufficiently random. There are great live Linux ISOs with a plethora of attack tools such as these - Kali Linux and Black Arch are but a couple of examples.


Nothing to hide?
Even if you have nothing to hide, having encryption helps protect your privacy and the privacy of other people from bulk surveillance or from rogue software/malware. Even Edward Snowden used GPG to uncover the secrets of the NSA.


PKI:
Public-key Cryptography uses private and public keys for encryption/decryption of messages (via PGP). The Public key can be used by one party to encrypt a message and return it to the owner of the public key (also the private key holder). This message can be decrypted only by the party holding the private key. This common method is used by Governmental agencies and the military to secure messages from enemies or the public with keys stored on a PKI Token or Common Access Smart Card.


PGP and GPG:
Pretty Good Privacy is fully supported on Linux distributions, however some countries (the USA) limit using such methods and have laws against export of the technology.


GNU Privacy Guard (GPG):
Recent Linux distributions come with GnuPG support built-in. GPG is the completely open and free encryption standard based on the OpenPGP standard & uses algorithms which do not have export restrictions.


gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard. gpg2 features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation - (quoted from gpg2 man page).

Using GPG is a simple matter in Linux and even email clients such as Sylpheed-Claws can take advantage and protect your email from prying eyes.


PAM and 2-factor:
With the advent of 2-factor and external authentication programs or services (such as Google Authenticator), additional levels of validation of a user can be applied through PAM. No, not the biscuit pan spray, but Pluggable Authentication Modules. Adding a simple PAM module to your system with a scripted installation of the Google Authenticator program can easily secure your system’s local or remote login (ssh). This additional level of authentication uses PAM libraries and timing to verify the code provided in an app on a phone (or computer system) matches that typed into the authentication dialog.


Part 2 - coming soon:

SSL, TLS and beyond...

Wireshark - A GUI Packet Analyzer

Wireshark is a FLOSS (Free Libre Open Source Software) package for network troubleshooting and analysis which runs on Lin...