Tag Archives: Security

News, Rant, Security

GPG Signatures on Press Releases & Verifiable Anonymous Factions

Found the below on anonnews.org (here’s a reddit). As a proponent of public key cryptography, I whole-heartedly agree. If the groups used cryptographically secure signatures on their publications, anonymous would no longer be at risk of having members jump to fight in fabricated battles. This would do away with the potential for the Anonymous Hoax that seems so easy to create at the moment.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Hello Anonymous,

Every time the core group puts out a press release or replaces website content with a message to the owners, it does so in the form of an image. I’ve been musing on the idea that internally these images must have a deeper purpose than simply acting as a style standard–maybe they have some steganographic messages hidden in the pixels to communicate within the inner circle. Maybe somewhere embedded is a forgery-proof watermark or a signature (beyond the famed logo)… but I haven’t found anything (not that I’ve looked too terribly closely) and I’m starting to wonder if it’s because nothing is there.

It’s obvious at this stage that there is a ‘usual’ press release team, no matter the ethereal, leaderless form in which anonymous supposedly exists–and I doubt it’s the only group acting as a team within anonymous. So here’s my suggestion:

Individual groups within Anonymous adopt a standard for communication that involves setting up a GPG encryption key (http://www.gnupg.org/documentation/howtos.en.html) for the faction and then using that key to sign whatever image/message are published by that faction. This is really what Public-Key Cryptography (https://secure.wikimedia.org/wikipedia/en/wiki/Public-key_cryptography) was created for–a public key that anyone in the public can use to verify message origin authenticity, with a secret key, physically protected by the owner (or owners).

If the core group wants to exist in a form that it can be ‘in charge’ of press releases and going on air on the David Parkman show and the like to verbally combat the rantings of lunatics, it would be great to create a public key for the group so the next time someone claims to have received a message from anonymous, that group can say, “Show me the signature? Does it verify against our public key? No? Then we didn’t sent it. Because we have a standard.”

This would also help anyone interested in following different factions in identifying which faction put out which message. If you find that there is an anonymous faction (or even a third party group like the WBC, FBI, etc) acting out against the core values of anonymous or pretending to be a member of an influential group, you can be sure that their messages are not mistaken as coming from any of the groups who accept the GPG signing standard.

Granted, it should be advised that holding a private encryption key belonging to a faction acts as physical proof that you are a member of that faction (in the event that your equipment is seized or accessed by an opposing force)–so this key needs to be treated with the utmost security in mind.

You’ll note that this message is signed by zombies@anonnews.org, which has a public key published for anyone to use to verify that this message was sent by the Anonymous Zombies faction: http://pgp.mit.edu:11371/pks/lookup?search=zombies%40anonnews.org&op=index (forgive us Sven/anonnews.org–but your domain just seemed the most apropos for using as our identification source since you are the closest thing we know to an official anonymous domain besides 4chan, LOL).

You are Anonymous
You are Legion
You do not Forgive
You do not Forget
I Expect you… to cryptographically sign your messages
—–BEGIN PGP SIGNATURE—–
Version: GnuPG/MacGPG2 v2.0.11 (Darwin)

iEYEARECAAYFAk1oUigACgkQNoGgcrl7L2iwggCgjJ1JiZq17Tqz1R7Xs94ctyOi
UHUAoN25E+kLYGgfGTnHnECAwBCAh2+f
=LxmL
—–END PGP SIGNATURE—–

follow on Twitter

News, Security, Tutorials

Passwords: How Websites Do it Wrong, Triaging Services and Memorizing

I was just reading LifeHacker and ran into an old article they linked on “How I’d Hack Your Weak Passwords” by John P. It got me thinking that it’s high time I write up some thoughts of mine on the topic.

Website Passwords

If a website ever sends you an email with your password in it, they are doing something very, very wrong. Actually, they might be doing more than one thing wrong–but I’m just going to focus on the biggest issue:

The fact that the website/company has the ability to show your password to you in any form means one of two things (either are very bad):

  1. Your password is being stored unencrypted, in plaintext, in the database.
  2. Your password is being stored encrypted in the database but can be unencrypted (back into what you type in your keyboard) using a key that is stored somewhere in the website code.

Obviously, the first case is worse–but I’ve seen it in small startup companies.

In either case, anyone with access to the database (and, for #2, the codebase) will have the ability to see your email address, username, password and any other information you’ve given the website. Generally, with web startup companies, this means anyone who works at the company–at the very least it means that the development team has access to it.

This is really bad for you if you use the same password for all websites–especially if you use this password for your email account, which is part of the plain data available. If you are this kind of person and you sign up for a site that treats passwords like this, a malicious (or curious) worker or data thief can simple see your current username,email,password combination, then go to Facebook, Twitter, or any other service they think you use and try those same credentials.

Website Triage

When creating accounts on the web, which is something I do quite a bit, I triage sites like so:

Email

Your email account is the primary gateway to almost all of your other online accounts. If you lose your password (or claim to have lost it), most sites will send instructions to your email account with a simple way to reset your password–often times without needing to supply any other information.
Thus, your email account needs to be hyper secure:

  1. Always use https:// when checking webmail and always use SSL to connect to your email server from clients like Thunderbird, Outlook or Apple Mail.
  2. Make a really strong password for your email account–and make it totally unique! Do not use this password for anything else!

Personally Identifyable + Financial

This includes Facebook, Twitter, Banks, Credit cards, Investment sites, Amazon, LinkedIn… basically, anything that either identifies you to your social groups, work, etc or has the ability to cost you money if compromised.

These accounts need to be extra secure. Unfortunately banks and credit card companies tend to restrict the security of passwords for no good reason. However, luckily, they employ other authentication mechanisms for login and password retrieval.

Now you might think, “What? You treat Facebook with the same password security requirement as your bank?” But I assure you, that doesn’t mean I let my bank password slip, it means I keep my Facebook password strong. It’s bad for someone to compromise your finances but it can also be a nightmare to have someone impersonate and damage your identity.

Everything Else

These would be sites that would only have my email, username and a password but no more personal information–generally services that mean very little to me and would be very easy for someone to forge on my behalf anyway (so I’m not concerned about someone getting in–or of a password leak from another low level site exposing access to this site). An example might be creating an account for a forum or a gaming site, where you need to login to get some info or post a comment. These are throw away accounts that all share the same login information.

Creating Strong Passwords

Gibson Research has an online password generator, along with information regarding the purpose and use:
https://www.grc.com/passwords.htm

After generating passwords of this size, which are generally absurd to imagine memorizing, you can store them in a password keychain. There are many desktop and mobile applications available for this. However, I’ve always been weary of using these programs because essentially, you are putting all of your passwords in a single location, protected by one single password, which is usually weaker than the passwords you can’t be bothered to memorize.

How to Remember a Unique Password for Every Service

If you don’t trust storing all of your passwords in a password keychain tool and you also have trouble remembering passwords, there’s another way.

Consider this simple algorithm for creating decent passwords, which involves only memorizing a single string that you can reuse for generating all of your passwords:

  1. Generate a random character string (6-8 characters is good enough)
  2. Take some portion of the name of the service
  3. Combine

Example:

  1. e$L9wa
  2. Facebook.com – taking ‘book’ (but you could take Face, face, Book, b00k, B00k, cebo, etc)
  3. Password possibilities:
    • e$L9wabook – one after the other
    • booke$L9wa – same as above but reversed
    • eb$oLo9kwa – the every other letter method (a little more difficult for a password thief to realize what your password might be for other services)

Now, when you go to Facebook.com, you can remember your generic random string, look at the name “Facebook” and think about what part of the name you would have used, then try the combination tactic that you think you probably used to create your password. If one doesn’t work, try another. Generally, you will find that it is incredibly easy to recall your password with ease–and after a few times of doing it, you will have effortlessly “memorized” your unique password.

NOTE: if you use an algorithm like this, you run the risk that if someone gets one of your passwords, they can infer a password for another service.

and using numbers and special characters to replace parts of the service name, which will make it much more difficult from a brute force perspective. Even so, this is way better than using the same exact password for every service, which would automatically allow an attacker to steal all of your online accounts. But there are ways to mitigate the risk of one password leak exposing your other accounts.

For more security:

  1. Generate a longer random string
  2. Change that random string regularly (once a week, once a month, your call–but more often is more secure, up to a point)
  3. Choosing odd parts of the service name (rather than “Face” or “Book”, choose “cebo” from the middle to make your algorithm less obvious to someone who captures one of your passwords)
  4. Come up with different rules for each service for integrating the name with your memorized string

follow on Twitter

News, Security

File Deletion & Cloud Backups + Can You Trust Google?

I just strolled by my RSS feeds and saw Bruce Schneier’s latest on file deletion: http://bit.ly/Mx24L. I’ve said this many times–but there’s more to be said. The core of his point is that you can never be sure when you delete a file from a web service that it will actually be deleted. After all, you most likely signed away in the terms of use that they own your data–but sometimes, you can protect your data before it gets to that point.

I actually use Google for a lot of things. The convenience far outweighs the violation of privacy for me. This is because, while I take steps to protect some of my data, I don’t really care about privacy for most of my data in the cloud. I don’t care if someone reads 99% of my emails–most of my communications are in public forums these days anyway (Twitter, facebook status updates, etc), which have so little privacy it’s laughable.

Gmail

I use Gmail to check and manage all of my email accounts. I have several different servers/accounts with various standards of spam filtering and accessibility (and all with different interfaces). Gmail lets me combine them all into one, adding the best email search and online interface I’ve ever used.
I used to use Thunderbird, manage meticulous backups myself, port around my latest email repository on a massive thumbdrive. But then I realized something: it’s a pain to manage all of my email locally, especially when I want to be able to access it from any machine (or my iPhone). And, at the same time, I wasn’t really providing myself any extra security–in fact, I was increasing the insecurity of my email. Here’s why:

All email goes through several parties anyway before it gets to you. Even if you manage your email locally, it resides in someone’s outbox, their backups, your email server and it’s backups + anyone who intercepted it along the way between any of those points. But now that you are managing a local copy, you’ve added more locations that your data can be compromised: now it’s at your house, on your thumbdrive, in your personal backups–and maybe, as I once had it, checked into a subversion repository and checked out on several different machines at home and work.

People always give me Gmail’s adwords parsing of your email data as an example of why Gmail is creepy and untrustworthy but if you are really concerned about it, use PGP/GPG (Tutorial + Download or FirePG, firefox plugin). Now that’s easier said than done. The average lay-user is not going to be comfortable encrypting their emails before sending them and decrypting them before reading them–but if you are really concerned about your privacy, it’s a small price to pay–and the FirePG firefox plugin integrates beautifully with Gmail, allowing a seamless reading of encrypted email.

Once you have PGP/GPG setup, get my key and send me an encrypted message :)

Google Docs

This is a slightly different situation from Gmail because until I put some of my documents on Google Docs, the only place they existed was in my personal subversion repository and the thumbdrive that I checked them out on. Now, I’m faced with a little bit of a problem:

If I want to store information in Google Docs that I don’t want someone to read, I have to encrypt it. This works well for standard Google Documents but it can’t be used on Google Spreadsheets. This ends up being a security lag point and I’m constantly reminding myself not to make the spreadsheet transition yet. Even managing the Word-like Document system with encryption can be tricky, since you have to encrypt the data before you paste it into your Google Document, lest they auto-save an unencrypted copy and you miss all opportunity to keep that data private (once it’s saved, it’s in their backups and you can’t ever be sure it’s gone).

The thing to remember about online data storage is this: if you downloaded it from a server somewhere, it’s already in the cloud–you might be lucky and be able to delete it but you can never be certain that it isn’t sitting in someone’s backup or cache of intercepted traffic. But if you have private documents, messages, etc that you want to store on the cloud or send to someone over the internet, the only way you can be sure your data is safe is if you encrypt it before it goes into any outbox, inbox, or text area of any kind in a web browser. In the end, security is only as good as the weakest link: if you are communicating/sharing data with someone else, make sure they are as concerned as you are–or they might just copy and paste your data into their unencrypted cloud backup system.

follow on Twitter