All-round Privacy from a Bootable Live USB?

Monday, January 30th, 2012 | Gene Teo | Comments Off

Screenshot of the Tails website


Tails is a Linux distribution that offers internet privacy by default, and comes as a live CD or live USB.

So you would insert the Live USB drive, restart the computer, and it would start up the Tails Linux operating system. You can encrypt any files you create with built-in tools, and any internet traffic is anonymised. When you’re done, shut down and remove the USB drive.

The concept is fantastic! There are far too many uses to list – from the noble and important goals of safeguarding communications within a repressive government, to simply protecting your privacy when using public WiFi (e.g. at a hotel, Starbucks or McDonalds).

It’s only version 0.10 at the moment (meaning there is a lot of work still to be done), but I’ll be following this closely. Check out the various ways you can support this project.

Technical Stuff: Astute readers will correctly note that you’re still vulnerable to hardware intrusions like keyloggers if you use untrusted hardware. Regardless, some protection (e.g. Tor network) of your activity is better than nothing. There are also various methods of avoiding keyloggers if you suspect hardware tampering – like using on-screen keyboards (incidentally, Tails ships with one).

The other concern is whether one can trust the Tails developers. To each their own.

LCA2012 — MITMproxy presentation

Thursday, January 26th, 2012 | Jim Cheetham | Comments Off

At the LCA2012 conference earlier this year I presented “MITMproxy — use and abuse of a hackable SSL-capable man-in-the-middle proxy”.

The video of the talk is now available in a number of places :-

MITMproxy is a Python-based console tool to help you inspect & alter the HTTP conversation between a client and a server, regardless of whether it is over HTTPS or not. “It is not an attack tool”, but instead is a powerful tool for debugging applications at either end of the conversation.

Giving a talk at an LCA conference is excellent fun, and very rewarding. I have 6 months to come up with my next submissions!

Lessons from the Megaupload Takedown

Thursday, January 26th, 2012 | Gene Teo | Comments Off

Screenshot of the takedown notice on megaupload.com


Update: Megaupload lawyers report that user data may be destroyed by the end of this week (30 Jan – 5 Feb 2012)

This isn’t a post about copyright infringement. This is a post about backing up your data.

Popular file-sharing site Megaupload was shut down on 19 January 2012, and its owners arrested. Of course, all the servers have been seized as evidence, and therefore all uploaded content, including non-infringing files that are not under investigation, is unavailable indefinitely.

Understandably, people whose only copies of important files were on Megaupload are slightly miffed.

The lesson(s):

  • Always keep backups of important files
  • Cloud storage can fail
  • You are always responsible for your data.

Spideroak and Wuala offer secure storage (you hold the only copies of the encryption keys), and the free storage space is enough for most people if you prioritize important files.

Disclaimer: I use Spideroak (the free version) and I’m very happy with it. I’m not endorsing them, just informing you that they exist. I have not used Wuala, but their security mechanism appears to be very similar.

Google’s New Privacy Policy: Evil or Misunderstood?

Wednesday, January 25th, 2012 | Gene Teo | Comments Off

Screenshot of the Google Policies webpage

The Google Policies Webpage

Google has announced they are shortening and simplifying their privacy policies – going from 60 policies to 1 starting from the 1st of March 2012. A preview of the new policy has been released.

This is a good thing – a concise policy is easier to read and understand.

Part of the change involves a notice that Google services will start to share information with other Google services; I was very surprised to find out they weren’t already doing so! This means that if you searched for “Toyota Prius” on Google Search, an advertisement for that car might appear the next time you watch a YouTube video.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

Some commentators are reacting with outrage. If privacy is important to you, take the time to read and understand the new policy. Think about what information about yourself you’re willing to share. Then act.

There are alternatives to Google. DuckDuckGo (despite the funny name) is a search engine that emphasizes user privacy. There are others, but instead of me listing them, why not do a Google search yourself to find them?

Facebook Timeline – Now for Everyone!

Wednesday, January 25th, 2012 | Gene Teo | Comments Off

In 2011, Facebook introduced Timeline – a new profile layout emphasising photos, videos, and life events. From what I can see, Timeline has attracted surprisingly little opposition – it’s a versatile, clean design, and Facebook has obviously put a lot of resources into making it look good.

Facebook has just announced that Timeline (which was opt-in at first) will now be activated for everyone.

If you’ve held out until now, it’s time to act – you’ve got 7 days to preview and change what shows on your Timeline before it goes live. While Timeline activation doesn’t change your privacy settings, the new layout makes it easier for people who can see your profile to view historical events. Now would be a good moment to check for and remove any pictures that should stay private.

To change who can see your pictures, go to your Facebook profile > Photos and click on the button at the bottom right of each album (what Facebook refers to as a “Privacy Dropdown”). See the screenshot below.

Picture of the Privacy Dropdown for Facebook Photo albums

Privacy Dropdown for Facebook Photo albums

The blog post has more detail on how Timeline works – now would be a great time to check it out. While you’re doing that, why not double check your privacy settings?

The 37 Signals Privacy Discussion

Tuesday, January 17th, 2012 | Gene Teo | 1 Comment

Screenshot of 37signals blog post

Over at 37signals.com, where they make modern, Web 2.0 apps for collaboration, they posted a note to sum up the year that was 2011. There was one line that read:

And a Basecamp user uploaded the 100,000,000th file (It was a picture of a cat!)

This was quickly followed by comments complaining that they were accessing “private” files. To their credit, 37signals responded swiftly and openly (as they usually do) to reassure people that only the filename was viewed, but the privacy concerns were valid, and they would take the opportunity to review their privacy policy and internal controls.

Guys, unless you’ve encrypted something and you’re the only one with the keys, it’s not private. This applies to emails you send, files you upload to Dropbox, 37signals, or any other “Cloud” platform.

Some Dropbox competitors (e.g. Wuala, Spideroak) allow file sharing where only you know the decryption key – they can’t look at your files even if they want to. This is a great feature; everyone should support products that allow for true personal privacy.

USB Drive with Hardware Encryption -and- built-in keypad!

Monday, January 16th, 2012 | Gene Teo | Comments Off

Aegis Secure USB Key


USB drives (also called thumbdrives and flash drives) are often lost and easily stolen – as no doubt many of us already know. There are three basic rules for securing USB drives:

  • Don’t put sensitive data on USB drives
  • Don’t lose your USB drive, or allow it to be stolen
  • If you must put sensitive data on a USB drive, encrypt it

In practice, to get stuff done everyone (myself included!) will break some or all of these rules. Sometimes a USB drive is by far the easiest method to transfer sensitive information. Really small USB drives are easy to misplace. And even if you use encryption software religiously (e.g. the excellent Truecrypt), not everyone has it installed (even though you can run Truecrypt in portable mode from your USB drive).

For those of you that need the extra security, you can get USB drives with built-in hardware encryption. Ironkey is a well-known vendor – their USB drives verify a password that you enter on the computer the drive is connected to before you can access the drive. Astute readers will have spotted one potential weakness – if the computer has a keylogger installed, it will be able to record the password.

Enter Apricorn, which has made a secure USB drive with a built-in keypad. You enter a PIN/password directly on the USB drive. This means very wide compatibility, and immunity from keyloggers. This isn’t a product endorsement – I haven’t used one but I really like the concept! PC Mag have reviewed it, and given it 4.5 out of 5.

Hacking WiFi Protected Setup (WPS)

Monday, January 9th, 2012 | Gene Teo | 1 Comment

Update: Cisco has responded to this with a recommendation to disable WPS on their Small Business product series. Note that this does not apply to Linksys devices, even though Cisco does own the Linksys brand.

WiFi Protected Setup (WPS) is a feature on WiFi access points that makes it easier to connect a new device to them – sometimes as easy as pushing the WPS button of the Access Point and new device at the same time.

On 27 December 2011 the US Department of Homeland Security’s Computer Emergency Readiness Team documented a security flaw in WPS that was discovered independently by security researchers Stefan Viehböck (pdf) and Craig Heffner.

The flaw allows an attacker to recover WPA/WPA2 passphrases – the attack reportedly takes 4-10 hours per access point. Both researchers have released tools to verify the vulnerability and allow for other security teams to perform their own evaluations.

Over at Ars Technica, Sean Gallagher has replicated the attack and notes:

That wouldn’t be as much of a problem for security if wireless access points locked out devices after repeated bad PIN entries. But on many WPS wireless routers, there is no lockout feature. That means attackers can continue to attempt to connect at their leisure.

A successful attack means the attacker is now connected to your WiFi network, and is able to start attacking the computers on it. This is an extremely severe vulnerability – anyone transmitting highly sensitive data over WiFi via a WPS-capable Access Point should retire the Access Point immediately and use cabled connections.

Wi-Fi Protected Setup Logo


Note that not all WiFi Access Points are WPS capable. The easiest way to tell is to check with the manufacturer (search for the make and model of your Access Point), or examine the access point for a button or labels with the WPS logo.
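To show what the lockout mentioned in the Ars Technica quote buys a defender, here is an added example (not from the original post or from any vendor's firmware) that models a hypothetical access-point policy and counts how many bad PIN entries the AP would process in a fixed window with and without it. The class name, thresholds and the 3-second pace per attempt are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class WpsPinLockout:
    """Hypothetical AP-wide lockout policy for failed WPS PIN entries."""
    max_failures: int = 3      # consecutive bad PINs tolerated before locking
    base_lock_s: int = 60      # duration of the first lock, in seconds
    max_lock_s: int = 3600     # upper bound on any single lock
    failures: int = 0
    lock_count: int = 0
    locked_until: int = 0

    def allowed(self, now: int) -> bool:
        return now >= self.locked_until

    def record(self, now: int, pin_ok: bool) -> str:
        """Register one PIN attempt at time `now` and return the outcome."""
        if not self.allowed(now):
            return "rejected-locked"
        if pin_ok:
            self.failures = self.lock_count = 0
            return "accepted"
        self.failures += 1
        if self.failures < self.max_failures:
            return "failed"
        # Failures are counted for the whole AP, not per client address,
        # because the client chooses the address it presents.
        lock = min(self.base_lock_s * 2 ** self.lock_count, self.max_lock_s)
        self.locked_until = now + lock
        self.lock_count += 1
        self.failures = 0
        return "locked"


def guesses_within(duration_s, seconds_per_attempt, policy=None):
    """Count bad PIN entries an AP would process in `duration_s` seconds."""
    t = count = 0
    while t < duration_s:
        if policy is not None and not policy.allowed(t):
            t = policy.locked_until      # wait out the lock
            continue
        count += 1
        if policy is not None:
            policy.record(t, pin_ok=False)
        t += seconds_per_attempt
    return count


if __name__ == "__main__":
    window = 10 * 3600   # upper end of the 4-10 hour figure quoted above
    pace = 3             # assumed seconds per PIN attempt (constructed value)
    print("no lockout  :", guesses_within(window, pace))
    print("with lockout:", guesses_within(window, pace, WpsPinLockout()))
```

With these assumed numbers the doubling lock time cuts the attempts an AP would accept in ten hours by more than two orders of magnitude, which is why the absence of a lockout matters so much here.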