WireGuard – A Next-Gen VPN

~~   Forward   ~~

Why would we need another VPN when we already have IPSEC, PPTP, L2TP, OpenVPN, and an array of proprietary SSL VPNs?  After all these are tried and true and exhaustively tested.  But are they really, exhaustively tested?

WireGuard has around 4,000 lines of code  —  compare this with 600,000 lines of code for OpenVPN plus OpenSSL, or 400,000 lines of code for XFRM plus StrongSwan for an IPSEC VPN.  How can such huge code have all aspects fully tested, honestly?  WireGuard’s two orders of magnitude fewer lines of code means a lot smaller attack surface to have flaws in.  Reducing attack surface is the same principle used by micro-kernels, and is a cardinal principle of information security.


The Immutable Filesystem — Vastly Reducing Attack Surface

I am working on a novel approach to security by generalizing read-only filesystems in Linux, to prevent malware from modifying files or establishing a foothold in systems.  As far as I know this is a first in InfoSec.  When the whole operating system is set to read-only no changes can be made where it matters, even if the malefactor manages to get root.  This will greatly reduce the attack surface of any system without interfering with its ability to function.

bigdataIn almost all OS installs, system-critical directories and files are set to read-write, at least by root.  Why?  There’s no need.  I say this is unnecessary and leaves open many avenues of attack which are exploited time after time.  An immutable filesystem will eliminate almost all attacks by most of the hacker community, and even makes things difficult for nation-state malefactors.  Oh sure, it’s still possible to inject malware into memory, but that exists anyway and is a different problem.  An old axiom is ‘Good Security is Layering‘.  The Perfect, should not be made the enemy of the Good — and those who make it so end up with nothing.


Securing eMail With D.A.N.E.

Some day I’ll get time to do an article on setting up a complete email server with the most advanced security and spam protection, but for now we’ll focus on DNS-based Authentication of Named Entities (DANE).  Of all the methods of securing email, DANE is the most comprehensive and advanced to date.

In a nutshell, DANE is a way of to authenticate TLS client and server sessions (for both web and email) without the need of a Certificate Authority.  DANE has become more popular in recent years due to security breaches of some Certificate Authorities, which allowed encryption certificates to be issued to non-domain owners for malevolent purposes.  DANE provides an independent means of checking certs to make sure of their provenance, and therefore that the session is secure.


Universal Encrypted Data In Transit – RHEL

Most companies today use Virtual Private Networks for remote users to connect with the enterprise, but few companies encrypt network traffic internally.   So why would universal encryption be a good idea?   Because perimeter defenses have become so good that most security breaches these days have happened when the instigator is already inside the system, as with phishing, SQL injection, or buffer overflow incursions.   Once inside, and with privilege escalation or a vulnerable switch, they can then monitor all traffic.

But let’s back up for a minute and consider VPNs.   A VPN is a ‘tunnel’ within the datastream which carries its data, isolated from the rest of the datastream by encryption.   It is only a ‘virtual’ tunnel since all the data is there with the rest of the crowd, but it is logically isolated from other packets as it is not cleartext.   The headers for its packets describe where it’s coming from, where it’s going, which packet it is in its stream, and information on the encryption, but the payload of each packet is encrypted using the cipher, hash, handshakes which were agreed to by both ends at the beginning of the session.   IPSec is not traditional encapsulation, where a packet is wrapped in an encryption protocol, which may be wrapped in yet another protocol.   IPSec flows in transport mode as normal packets, only encrypted.


Router Security

There is finally beginning to be more awareness of router security.   All of us have routers, large or small;   it’s the bridge between ‘The Internets’ and our LAN, and smaller ones have a built-in firewall which many rely on as their only protection.

All routers come with a well-known default username and password, which most people have enough sense to change.   This helps prevent not only unauthorized access over the airwaves, but also through the internet itself, although WPA2 should also be turned on for airwaves protection.

Recently there’s been more black hat exploitation of certain brands of small router, specifically Asus and the sorry Linksys and DLink routers.   Users often opt for convenience and so turn on Remote Admin…   and black hats have automatic worms running around (check at :23 seconds) out there specifically looking for vulns to exploit for fun and profit.   NEVER turn on Remote Admin, and it’s not a good idea to turn on router disk sharing as it uses the terrible Windows Server Message Block (SMB) protocol.


HowTo: Xen, for the Everyday Microkernel

~~   Forward   ~~

xen-logoMost people think of Xen as only being applicable to large organizations like Amazon’s AWS, RackSpace and other clouds, and various clustering applications.   Why is Xen such a good model of virtualization, clustering and security?   Because it’s the closest we have for now, to a production microkernel architecture.

~~   The Microkernel Model   ~~

The microkernel operating system model is one which rethinks the very core of the way operating systems work.   With microkernel, very few functions are actually handled by the core kernel in privileged mode, and the kernel itself is simple, compact, and fast.   The minimal functions handled by the microkernel are low-level address space management, thread management, and inter-process communication.   All other OS functions, including device drivers, protocol stacks, file systems, etc, are handled in user space.   If there is a buffer overflow or other vuln in a driver of the microkernel system, the best a cracker could do is get to the non-privileged user that driver is running as, inside the virtual machine it’s running in.


About This Bash Bypass Bug

There’s been alot of news in the past couple of days about this Bash bug, some of it hysterically saying that 500 million sites could be impacted.   Well maybe that’s how many sites are running the Bash command-line utility susceptible to the bug, but only a small fraction of those are actually exploitable.   And exploitable is what matters.   This has been an issue with Bash for 20 years, since inception.

First of all, if you’re a Debian user you can relax.   Almost all scripts call /bin/sh, symlinked to /bin/dash, which does not have the vulns.


DefCon corollary — Seeking Employment

Back in 1999, DefCon attendees were viewed with great suspicion by employers.   When a manager of the NSA or a big company became known at the conference, he was overrun by attendees trying to give him their resume, but were mostly denied.   Whenever I described any knowledge of hacking methods, the response was always fear.   So I stopped going into detail, even when the job is computer security.   These days though, people (without a record) who know how hacking is done and how to defend against it, are actively recruited.



DefCon: The good, the bad and ‘the Feds’

defconAh, DefCon, my favorite convention.   I should have gone this year.   It’s a celebration of determination, independence, intellectual accomplishment, and constant learning.

My brother and I went to DefCon in 1999.   I managed to talk my way into the Press Room and got full press credentials with access to special areas   —   I’d hacked the hacker’s conference.   I did have to wait 20 minutes for my brother to get through the regular line though.   I later sold my DefCon press credentials on eBay for $14.   Shoulda kept them.


HowTo: Prevent Tracking via the Browser Cache     

Practically speaking, all of today’s browsers use an internal cache, which stores web objects temporarily so that if they are called for repeatedly, they are brought from local cache much faster than if there were a full web access.   Well, there are some tricks to use your cache to track your movements around The Internets, even if you disable or clear cookies and LSO-cookies.


An Idea for Solving the Certificate Authority Vuln Problem

~~   Forward   ~~

A while back, Comodo and DigiNotar were compromised, opening any SSL using those certificates to attackers.   Maybe it’s time to acknowledge that the traditional SSL trust model is outmoded.   Every web browser trusts the word of scores of Certificate Authorities, and if any one of those CA’s is compromised by a cracker, government agency, or internal hire, then there is no way to know that your HTTPS connection isn’t being intercepted.   Further, if a CA (GeoTrust for example) has a large market share of SSL certs, browsers can’t then just “un-trust” them, as millions of non-tech users will start getting https errors and won’t know what it means nor what to do.   My ideas cover both the questions of forgery, and of CAs which are effectively too large to fail.

Rather than requiring that a root certificate be signed by a single trusted authority, require multiple and independent trusted signatories.


HowTo: ID and Avoid a TBird Bug, and Rake Your Email Client for Other Vulns

~~   Forward   ~~

All of us use a desktop email client to fetch our email, to respond, and to screen out spam.   When you click a link in an email, it will normally come up in your main web browser and take you to that site.   But there’s a way of crafting a link such that when you’re using Mozilla Thunderbird and click on a link, it opens the website in a Thunderbird tab instead of your default web browser.

Why is this a problem?   Because if you have hardened your browser to any reasonable level of security, all those protections are bypassed when the link is opened in a tab of TBird.   I use Iceweasel/Firefox with modifications from the TorBrowser, which include various configuration changes and addons to enhance security and privacy.   For example, addons I use are TorButton, NoScript, RefControl, HTTPS-Everywhere, RequestPolicy, AdBlock Edge, and Element Hiding Helper.   And I browse almost exclusively through TOR.   None of these security mechanisms is emplaced when links are opened in a TBird tab.


What Is Going On With eBay?

I’ve been a member and seller on eBay with the same user ID since 1998, and regularly turn to the site when I want to buy or sell just about anything you can mail.   But recently there have been attacks by criminal gangs on user accounts which eBay seems to be unable or unwilling to inhibit.   These gangs take over an innocent user’s account, possibly by tricking them out of their username and password (or possibly through an internal eBay vuln, which I think is more likely), and then use that account to sell non-existent items (and collect the money) and to seek and find more victims.

Many of the compromised accounts have 100% positive feedback, and had prior sold hundreds of items.   One victim who had his account hijacked says he was locked out of his account, and then later billed “around $50” by eBay for seller’s fees on items he had never heard of.   When customers click on a scammer’s listing, they are redirected to a professional, official-looking page which asks them to log in and ‘confirm’ their credit card and bank account details!   The items ostensibly for sale in these compromised listings range from smartphones and TVs to laptops and bicycles.

Users are taken to a fake page like this by XSS.   But notice the URL is not eBay and has the country-code of Ukraine, the worst for scams next to Nigeria!   Usually  though customers will only see the right-hand side of a long string of gibberish and won't notice.

Users are taken to a fake page like this by XSS.   But notice the URL is not eBay and has the country-code of Ukraine, the worst for scams next to Nigeria!   Usually though customers will only see the right-hand side of a long string of gibberish and won’t notice.


HowTo: Build an Encrypted ZFS Array ~ Part 2 ~ The Array

zfsThis is a continuation of Build an Encrypted ZFS Array – Part 1 – Encryption, although if you do not choose to encrypt, you could pick up here.   This HowTo is Debian-centric.   Caution:   Sometimes command-lines wrap below, because of the width of the page.

~~   Building the Array   ~~

We now have 4 disk drives set up encrypted, and their raw devices reside at /dev/mapper/sdb ~ sde.   We want to assemble these into a ZFS array so they’ll appear as one volume to the system, and with RAID-Z for data integrity.   First a few rules:


HowTo: Build an Encrypted ZFS Array ~ Part 1 ~ Encryption

~~   Forward   ~~


The Zettabyte File System is an advanced filesystem which was developed by Sun Microsystems and is now owned by Oracle, and although it has always been open-source, its CDDL license is incompatible with GPL and so it will not be included in the Linux kernel.   Now that ZFSonLinux is stable though, it is available as a DKMS package.

With this article, we are going to set up a ZFS array of multiple disks, which will be assembled to appear as one volume, for use as /home, or /media/backups, or other functions where massive data storage is required.   In addition each of the disks comprising our array will be encrypted, and the data will be compressed for better storage efficiency and throughput.   Now this may look long, but I am documenting everything and I’ve made every effort to make it easy.


eMail Virus

Look at this pernicious little nasty:
(click to enlarge – it’s just a screenshot)


Credit Card Security – corollary

In response to my prior entry, my son asked about using NFC (phone) for payment, rather than cash.   It’s not simple.   At this moment this country in a maelstrom of deciding what to do next.   Isis with C-Sam is an NFC mobile payment system that’s at least deployed in a few places, and it’s a consortium of Verizon, AT&T and TMobile.   They saw early-on that the crypto chip in phones is controlled by the carriers and took advantage of that, locking other payment processors out. (Like Apple did with Firewire’s high licensing fees and failed when everyone went to USB, even though Firewire was far superior)   Unfortunately though, NFC payments have been minimal in the past year, so some major retailers (7-Eleven, Best Buy, et al) have turned off NFC functions in their terminals as it costs (a few fractions of a cent) to keep them on!


Credit Card Security

You may have heard about the massive credit card breaches at Target, Neiman-Marcus, Sally Beauty Supply, Splash & Key Road Car Washes, Roy’s Restaurants, MAPCO Express, Schnuck Markets, and others.   Where customers of those stores who used credit cards during certain periods in the past year, have had their credit card information scooped up and sold on the black market for carders to buy and steal with.   Thousands of cards for sale in a carders’ forum called Rescator[dot]so and [dot]la (don’t visit it without shields up) at $10-$25 each, in tranches called “Ronald Reagan”, and so on.   Rescator brought an innovation that hasn’t been seen before across dozens of similar crime shops in the underground:   It indexes stolen cards primarily by the city, state and zipcode of the stores from which each card had been stolen, which means carders can conveniently shop in their area and not trip alarms.   Carders (usually street gang members) buy blocks of this card info (tens, hundreds, thousands of cards), write the magstripe of old gift cards with the info, and use them to buy expensive items to re-sell, and more gift cards.   (Incidentally, banks are also buying this card info, to try and stem the tide… it’s cheaper than the thefts they have to cover)


DarkCoin in the altcoin Sphere

As y’all know, I’ve been out of the mining business since ASICs came into LiteCoin, as difficulty skyrocketed from ~2,800 to now 9,000.   The new ASICs are so fast that diff has had to adjust to keep the same pace of block discovery.   BUT to buy an ASIC for a $thousand or three to mine today will net about one LTC a day with current diff, so it’s absolutely not worth it except on gigantic scale.


Security of Bank Checks

As I now have a new credit union I need new checks.   I was just about to order them through the credit union like I usually do, but their price stopped me in my tracks:  $102 for 100 plain green checks!   Well I remember a couple decades ago my dad complaining about paying $1 per check, but that was way before mass-customization.

I’d have to get my own checks this time.   Checks are still a security problem for three main reasons.   Thieves steal your outgoing bill payments from your mailbox, then:

  • “wash” the checks with solvents to get your writing off, then they write their own amount to their alias;
  • use a color copier or scanner to duplicate your checks with new amounts;
  • physically cut out the writing and graft in something suitable to them.

(Get a good locking mailbox, and take your payments to the post office)