Truecrypt

I’ve long been a fan of TrueCrypt for encrypting partitions and creating encrypted container files for secure storage and transport. The reason I like it so much is that there are a number of cases of government organisations failing to get at data of a purported criminal nature that was protected by TrueCrypt.

Although there are many good encryption programs out there, TrueCrypt covers a number of areas that set it apart from the others. Let’s first look at some of the other methods in use that I like.

  • LUKS / dm-crypt – This is also one of my favourites and I use it on a regular basis. All my Linux machines are encrypted with LUKS. Even my Android tablet and phone are encrypted using the Android LUKS encryption. However, the only drawback (for others) is that it is only applicable to Unix-like systems. So far I haven’t found a nice method of using LUKS on Windows. I have no idea about Macs.
  • PGP / GnuPG – I use this quite a bit for email signing and encryption. Although it is very useful for encrypting data stored on HDDs, live mounting and encrypting / decrypting on the fly is not an option, so this is not really the space it shines in.

So the above describes what I use on a daily basis. However, on occasion I need to share documents with friends and family. Asking them to have a Linux machine handy just so they can share data with me is not really a practical option, so Windows must also be supported.

This is where TrueCrypt shines. It is available cross platform and has a strong history of successfully protecting data against brute force attacks. Unfortunately, it seems recently the developers, out of the blue, decided to discontinue the development of TrueCrypt.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The above is posted on their web site. Put on your tin foil hat. One theory is that they were pressured into adding back doors and, as an act of rebellion, rather bailed on the project (I like this theory); others believe there are vulnerabilities and they decided to bail as a result.

The collective community, in the form of Kenneth White and Matthew Green, decided to audit the project (as the source code is available) and post their findings online on the web site Is TrueCrypt Audited Yet. The first half of the report is already available and things are looking good.

In the same vein a fork of the project, called TrueCrypt Next or TC Next, started but unfortunately failed for various reasons. One possibility might be that it is in contravention of the license, which precludes a fork containing any reference to TrueCrypt (the name).

Enter CipherShed, a fork of TrueCrypt with all references to TrueCrypt removed from the code. Version 1 is TrueCrypt, rebranded. Eventually the goal is to rewrite all of the code so no trace of the original TrueCrypt remains. We’re eagerly awaiting the first release.

Oh, one more feature I really like in the original TrueCrypt software is the ability to have two passwords for an encrypted partition or file. One password decrypts the actual data one would like to keep secure; the other decrypts fake data that might appear to be the actual contents. This means one can in theory release a password protecting some of your data that may appear to be valuable without sacrificing the really sensitive contents. And best of all it is not possible to determine IF the second password exists. This feature allows what is commonly called “plausible deniability.”

Securing your Virtual servers comment

I forgot to mention. There is one very big flaw in this process. Nothing prevents someone from stealing your server and investigating the contents and then using Mandos (modified for their needs) to download the decryption password.

Now the above assumes time, and this is where Mandos has some additional security. Mandos will regularly query your client. If the client disappears for a specified period it will disable the key. So setting a timeout long enough to allow reboots, but not extended power-offs, adds some additional security. And if the client key is disabled, it is very simple to re-enable it on the server with the mandos-monitor utility.

ptunnel, proxy via icmp

Years ago, while sitting at the airport trying to get internet access, a friend and I set up a VPN via DNS – I can’t remember offhand what it was called. It worked, albeit very slowly, and transferred all requests. However, recently they’ve gotten clever and poison DNS until you’ve paid for your internet service. It seems though that some still allow ICMP packets through.

That is where ptunnel comes in. You run it on a server that listens for ICMP packets with a special payload.

This starts the server, which listens on the specified port. A nice safety feature is the password authentication.

This starts up the client. It looks like you can map any port through from the client. So if you need internet browsing, have a remote proxy ready to accept connections through ptunnel. I tested the tunnel with ssh, and although there is a definite additional lag, the response was very good. Delay was not too much and throughput was good.

According to the web site they tested about 150 kbps download speed. Not too shabby for free internet…
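The flip side of the above, from the network owner’s point of view, is spotting that kind of traffic. The following is an added example (not part of ptunnel or this post) of a simple heuristic over per-packet ICMP records, as one might export them from a capture: default ping sends one small, fixed-size echo request per second, whereas a tunnel carrying a TCP stream produces many packets per second with large and widely varying payloads. The record format, the sample traffic and the thresholds are all constructed assumptions to tune per site.

```python
from collections import defaultdict
from statistics import pstdev

ICMP_ECHO_REQUEST = 8  # ICMP type for echo request


def summarise_sources(records):
    """Group echo requests by source address and compute per-source statistics."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["icmp_type"] == ICMP_ECHO_REQUEST:
            by_src[rec["src"]].append(rec)
    stats = {}
    for src, pkts in by_src.items():
        times = [p["ts"] for p in pkts]
        sizes = [p["payload_len"] for p in pkts]
        span = max(times) - min(times)
        stats[src] = {
            "count": len(pkts),
            "rate": len(pkts) / span if span > 0 else float(len(pkts)),
            "max_payload": max(sizes),
            "payload_stdev": pstdev(sizes),
        }
    return stats


def tunnel_suspects(records, min_packets=20, max_rate=2.0,
                    max_ping_payload=64, min_stdev=50.0):
    """Return {src: [reasons]} for sources whose echo traffic does not look like ping.

    Thresholds are assumptions: default `ping` sends one 56-byte payload per second.
    """
    suspects = {}
    for src, s in summarise_sources(records).items():
        if s["count"] < min_packets:  # too little traffic to judge
            continue
        reasons = []
        if s["rate"] > max_rate:
            reasons.append(f"{s['rate']:.1f} echo requests/s")
        if s["max_payload"] > max_ping_payload:
            reasons.append(f"payload up to {s['max_payload']} bytes")
        if s["payload_stdev"] > min_stdev:
            reasons.append(f"payload size stdev {s['payload_stdev']:.0f}")
        if reasons:
            suspects[src] = reasons
    return suspects


def constructed_records():
    """Constructed sample traffic: one plain ping host and one tunnel-like host."""
    recs = []
    # Host 10.0.0.5: default `ping`, one 56-byte echo request per second.
    for i in range(30):
        recs.append({"ts": 100.0 + i, "src": "10.0.0.5", "dst": "10.0.0.1",
                     "icmp_type": ICMP_ECHO_REQUEST, "payload_len": 56})
    # Host 10.0.0.9: 60 echo requests in three seconds whose payload sizes swing
    # between 48 and 1400 bytes, the shape a proxied TCP stream produces.
    sizes = [48, 1400, 512, 1400, 96, 1400]
    for i in range(60):
        recs.append({"ts": 200.0 + i * 0.05, "src": "10.0.0.9", "dst": "10.0.0.1",
                     "icmp_type": ICMP_ECHO_REQUEST, "payload_len": sizes[i % 6]})
    # An echo reply (type 0) from the gateway; the detector ignores replies.
    recs.append({"ts": 100.5, "src": "10.0.0.1", "dst": "10.0.0.5",
                 "icmp_type": 0, "payload_len": 56})
    return recs


if __name__ == "__main__":
    for src, reasons in tunnel_suspects(constructed_records()).items():
        print(f"{src}: {'; '.join(reasons)}")
```

On the constructed sample only 10.0.0.9 is reported, on all three counts; a real deployment would also want to look at echo replies from the far end, since a tunnel server answers with equally unusual payloads.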

More HF ARQ information exchange software – PSKMail

Initially when I started looking at PSKMail it seemed to be the open source version of the Winlink 2000 offering. It however targets a slightly different market.

Both offer the following:

  1. Email
  2. Robust transfers, i.e. automatic retransmission etc.

The advantages of Winlink are the seamless integration into their network. Mail delivered to one mail server, from the internet or via radio, is accessible from any of the sites. This means a traveller only has to tune to the nearest Winlink 2000 radio station to send and receive email. This is a huge plus. In addition, the Winmor protocol seems very robust and efficient.

PSKMail has similar advantages. It offers email; however, the distributed and redundant mail offered by Winlink is not available by default. With a dedicated group of individuals it could be achieved, but that is unlikely. It does offer the ability to link up to your own ISP, which is great news. In theory you can connect to any PSKMail server, send your mail settings through and download your mail from your ISP. The drawback is still the single point of failure, your service provider. In addition it also offers file uploads and downloads, APRS positioning, internet browsing (text only) and some other features that might appeal to the traveller. Communication is via all modes supported by fldigi.

Installation

Installing is simple for the client. Download and install the jar file for the latest client from PSKMail. Be sure that the latest librxtx is installed (sudo apt-get install librxtx-java) and that you have an Oracle (Sun) Java installation. OpenJDK had some issues with the application on my PC, but maybe that’s just me.

I also had issues with librxtx not being found by my java installation. I had to link the librxtx libraries into my version of java.

/usr/lib/jvm/java-8-oracle/jre/lib/ext$ sudo ln -s /usr/share/java/RXTXcomm.jar

/usr/lib/jvm/java-8-oracle/jre/lib/ext$ sudo ln -s /usr/lib/jni/librxtxSerial.so

Note the Java directory of my JRE. Make sure the links are in your JRE.

Remember to change the call sign before doing anything else. People get very excited, in a bad way, when NOCALL is attempting to connect to their station.

FLDigi is required as a virtual TNC, and I’m led to believe it is an excellent piece of software. apt-get install fldigi sorts this out.

I can’t go any further with either Winlink or PSKMail at the moment as my laptop was stolen on Friday (how baffles me, a story for another time) and the patch cable from my server to the HF set is too long and experiences problems with the Vox triggering from the noise it picks up.

I have my sights on an HF set for mobile operation, so perhaps we’ll get the mobile sorted as well sometime soon.

Oh, just for fun I had AndPSKMail (also available from the PSKMail web site) installed on my tablet (the one stolen along with my laptop) and had the server installed on the laptop. Using just the speakers and mics on the two devices they were happy to talk PSK250R.

Sigh, that is the 3rd laptop stolen… 2 cars stolen, 5 break-ins in the cars.

That’s it for now.

ownCloud progress

It turns out Ubuntu does not make it as easy as I expected. I was confronted with this non-descriptive error message on the client when I launched it and tried to sync.

There wasn’t much more to the error message on the clients. The Ubuntu server’s Apache logs shed some more light on the issue.

[Wed Aug 14 11:58:03 2013] [error] [client w.x.y.z] script '/usr/share/owncloud/remote.php' not found or unable to stat

The remote.php file is actually in another directory, but it still fails even if I link the file. The ownCloud forum has a post indicating that the Ubuntu package is broken and that one should rather use the download from their site, so that is what I did…

I followed the instructions on ownCloud doc installation. In summary the following is important.

Make sure all the dependencies are met, apache2, php5 etc. Most of it will likely already be on your system. If you’re not sure, you can take the easy route, apt-get install owncloud, and then remove the package. The dependencies will remain.

# tar -xjf owncloud-x.x.x.tar.bz2

# cp -r owncloud /var/vhosts/

# chown -R www-data:www-data /var/owncloud/ /var/vhosts/owncloud

I decided to host the data and the web server in two different locations in the example above. You can always choose another path or use the defaults.

Also perform the following:

# a2enmod rewrite

# a2enmod headers

You will also need to add a vhost for your site or use the default landing. Make sure AllowOverride is set to All to enable .htaccess.

That’s all there is to it. Point the client to your ownCloud service and voilà. In the background we have my browser opened to my ownCloud server, the local folder with the text file and the open text file.

Cloud storage

I experienced a small bit of frustration recently when Dropbox thought it was a good idea to delete about a third of my roughly 10 GB of data. Fortunately, with a bit of effort I could restore the lost data, one file at a time.

Now we use services such as Dropbox because of the convenience; however, if it is no longer convenient, or even safe, then perhaps it is time to investigate alternative DIY options. Don’t get me wrong though, I will probably never get rid of Dropbox, but I will still want to use my own service for items I consider a security risk, such as work documents.

I have been toying with the idea of hosting a backup service for my data, specifically the stuff I usually backup manually and keep in sync between my various desktops and laptop. So why not just spin up something that will replace all the cloud storage I currently use on my own server.

ownCloud

In comes ownCloud promising many features:

  • file sync through a WebDAV interface,
  • sync of contacts, calendars and bookmarks,
  • web access to said services,
  • and an API to build your own apps around ownCloud.

Server

It seems simple enough. For the server on ubuntu it’s as simple as

apt-get install owncloud

This installs the server environment on your server, in my case, a droplet in Amsterdam.

Client

On your workstation their instructions are simple enough to add the ppa to your repository.

# echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_12.04/ /' >> /etc/apt/sources.list.d/owncloud-client.list


# wget http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_12.04/Release.key


# apt-key add - < Release.key

# apt-get update

# apt-get install owncloud-client

The above is valid for 12.04 LTS, so just change the 12.04 in the first instruction to your version, e.g. xUbuntu_12.04 becomes xUbuntu_13.04. Now you have both a client and a server installed. There are also Windows and mobile clients – I’m not that concerned with them for the moment.

Using ownCloud

It’s a breeze to use ownCloud as Ubuntu has already done all the work for you. Just point your browser to your domain, http(s)://yourdomain/owncloud

The first step is to create your administrator account, but that will fail until the database has been configured.

# mysql -u root -p

CREATE DATABASE owncloud;

GRANT ALL ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED BY 'some_password';

Under the advanced selection you can enter the DB details as configured above. Choose a suitable username and password and Bob’s your uncle, you have an ownCloud server.

I’m not sure yet where the data is stored, must be somewhere sensible. I also expect to be able to change the target folder once I add more storage to the system. We’ll explore that in a follow up post.

Small secure linux distributions update

Some time ago I posted on my search for a small secure linux distribution to take care of our office paranoia.

I eventually settled on two. Lightweight Portable Security is perfect and is the one in use at the office. Tails is perfect for personal use.

Lightweight Portable Security

The core requirements are a small OS that leaves no footprint behind and protection against attackers. We need to be able to securely do banking (that’s the office requirement) and be protected from the usual malware, key loggers and the like. It fulfils this requirement completely.

It boots off a CD which is kept in the office safe (yes, we are that paranoid) to prevent tampering. Account details are also kept in a secure location.

The image will boot from a CD (burnt to disk using any ISO CD writing software such as Brasero) or from a flash disk with the following alteration

isohybrid LPS-1.4.1_public_deluxe.iso --entry 4 --type 0x1c

to enable it to boot from the USB disk.

On boot it asks the user to accept or reject the terms and conditions and then ends with a screen that looks suspiciously like a dated version of Windows. It has a functional browser, a terminal and some software to encrypt and decrypt data. It leaves no trace when the PC is shut down and will not mount any partitions while in use, so it is safe for any secure transaction.

Tails

My favourite for personal use is Tails. It is based on the popular Tor project. See the excerpt from the Tor project web site.

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

Yes, they are even more paranoid than I am. Tails hinges on this awesome project to provide users with even more.

Tails is a live DVD or live USB that aims at preserving your privacy and anonymity.
It helps you to:

  • use the Internet anonymously almost anywhere you go and on any computer:
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you’re using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, email and instant messaging.

As with LPS it does not leave any footprints. It runs from memory, and when the flash disk is removed from the PC or laptop it immediately writes random data to RAM and video memory to limit the chance of someone collecting any sensitive data.

Tails starts up by default with root locked, and no ability to access any form of persistent storage. However, with the USB image it is possible to add a persistent encrypted volume (after numerous warnings about security).

It features the Tor project’s secured browser (a secured Iceweasel, i.e. unbranded Firefox) and Pidgin with security bells and whistles, both operating via the Tor network proxy. Claws Mail provides email comms. It also has an I2P client to connect users to the I2P network – I couldn’t really find any use for it although it is awesome in its own right… Note in the image above how it warns about the dangers of the virtual machine and the insecurities it is running on.

As a little test I booted up the VM and browsed a couple of web sites.

All the connections go to localhost on the Tor proxy port, except for the Tor secure connections themselves.

For the less paranoid, there is also an insecure browser that can initiate direct connections. This is useful for banking institutions that may take exception to their customers who switch countries of origin every 10 minutes.

The setup I use is on a small (only in form factor) 32 GB gem drive from ADATA.

It’s virtually inconspicuous and has plenty of persistent storage (encrypted, of course) for any important data. Don’t forget though, it is very dangerous to have persistent storage as someone with nefarious intent can torture you to reveal your password… Yes… It’s not paranoia if they’re really out to get you.

Oh, and let’s not forget. It has Windows XP camouflage…

All giggles aside, it is a great little environment. It tagged along on my recent Europe trip. Although I did not need it much, it is very convenient to have a Linux boot disk handy so I can boot into something useful and secure on a friend’s laptop. It also raises an eyebrow or two – it’s so mysterious…

Puppy linux

I had to include Puppy Linux as it is a close contender. The big reason it lost out was that it failed on a lot of our test hardware, probably because it was stripped down so heavily to optimise it. And it doesn’t have a bundled browser, a big no-no.

It runs completely out of memory and has a super tiny footprint. Most likely it will run off very old hardware. Definitely have a look at it if you have need of a small and fast OS to revive your old laptop or desktop.

There were quite a few other distros in the running, however, the above are the favourites.

Others worth mentioning are XPud, the Ubuntu desktop live CD, SliTaz (a Linux OS in under 35 MB), Linux Mint, and Damn Small Linux.

Long post. That’s it for now.


Empower your shell with oh my zsh

From terminal managers to funky apps, I love anything that makes my terminal stand out. More power to me if it is useful. My colleagues shared oh my zsh with me and boy is it sexy. Community plugins and themes can be added in your .zshrc config file to suit your every need.

There are loads of plugins. Take git for example. There are plugins to assist your every command line transaction. It performs clever autocompletion on most transactions. I just started using it. If necessary I’ll give some more feedback later.

For now, let’s get to installing. If you’re trusting you can run the following command from the author’s web page:

curl -L https://github.com/robbyrussell/oh-my-zsh/raw/master/tools/install.sh | sh

Before that though, make sure you have zsh installed.

Config changes are as simple as adding a theme, and plugins, to your .zshrc config file:

ZSH_THEME="robbyrussell"
plugins=(git battery cake command-not-found cp git-extras gpg-agent history postgres rsync svn)

The themes can be viewed on the web site and available plugins are listed in ~/.oh-my-zsh/plugins/. I honestly have no idea what most of them do, but that does not stop me from being giddy with excitement…

MS Office, without Microsoft

If you see the above and immediately think “Chinese release of MS Word” you’d be forgiven for your mistake. It is in fact a Kingsoft product, themed to look like Microsoft Office.

I was alerted to its existence in beta state by an article on OMGubuntu. The Debian package can be downloaded from http://wdl.cache.ijinshan.com/wps/download/Linux/unstable/wps-office_8.1.0.3724~b1p2_i386.deb.

I’ve been using the Android version of the Kingsoft office package for quite some time and it just works. It’s not a paid-for product, although on the Kingsoft website the Windows version seems to be paid for.

The application needs to be broken a little bit for the English to appear, otherwise you’re stuck reading everything in Chinese. After installing the application, launching it brings up in Chinese what appears to be a product registration screen. Just enter whatever you feel like entering. To get rid of most of the Chinese text run the following in a terminal (thanks to the efforts of Mohammed Sayanvala).

cd /opt/kingsoft/wps-office/office6/2052
sudo rm qt.qm wps.qm wpp.qm et.qm

That will remove the fonts, making it readable to western civilisation. Opening the suite will generate an error which can be hidden indefinitely with a small check box. It is very interesting that it only appears to open MS Office documents: Word, Excel and Presentation. No OpenOffice support seems to be present.

Small secure linux distributions

With the recent news stories about bank accounts being hacked and monies pilfered we decided to investigate ways to protect our business.

Now the problem is twofold.

Online banking login details

The first is quite obvious: protecting the online banking username and password. It is fairly obvious when someone stands over your shoulder concentrating on memorising your account details. It is also very easy to protect yourself from this approach by, say, locking yourself in a tiny room.

More frightening is key logging software. We’ve on occasion identified key logging software running on a client’s machine in the logs of one of our products. Malware, trojans, virus (whatever the plural may be) and the like easily infect browsers and workstations. We even had articles this week about government spy software in RSA masquerading as a Firefox process collecting end user data. So this is where the problem lies: protecting the details from stealthy criminals thieving all your hard earned cash.

One time passwords

There is a fallacy regarding the cellphones we carry. Banks do not make us aware of this and place the onus on the phone owner to ensure their security. Our cellphone companies do not and have never indicated that SIM cards are secure and securely dished out. So when our banks added OTP SMS messages and claimed we’re all saved, it was a huge lie. A fake ID, a couple of bob, and 30 minutes later a crafty criminal is in possession of a new SIM card on your account. The OTP SMS messages arrive on the new SIM card (as the one in your phone was declared stolen) and Bob’s your uncle: new beneficiaries are created, money is transferred, and there is wailing and gnashing of teeth for the now much poorer individual.

Solutions

The solution is not simple, however, one easy start is to use a small OS that stores no data, runs from RAM and loses all data when the workstation is rebooted.

Wikipedia lists a number of these small distributions: http://en.wikipedia.org/wiki/List_of_Linux_distributions_that_run_from_RAM. So now, when locked in a small windowless room, this ensures no software key loggers are able to steal bank account details. Note the word software, carefully placed in the previous sentence. Physical security is the only way to protect yourself from hardware key loggers, which are readily available for purchase on the internet.

We’re experimenting with Tails, a small distro employing the Tor network for anonymity. It’s not ideal, as it forces you to use the Tor network to access the internet securely, which makes the experience slow, and most banks will raise an alarm if your bank activity jumps from country to country.

Another possibility is Lightweight Portable Security (LPS) which is a DoD initiative, if I can get it to work…