Tag Archives: encryption

Gemalto and the NSA

Gemalto has presented their findings regarding the allegations about being hacked by the NSA and GCHQ. They do admit that is probably true that they were indeed hacked, but that the encryption keys were not compromised. Only the office network is supposed to have been compromised and it is not where the encryption keys are stored. If they were, it would seriously surprise me. As these encryption keys are vital for securing our cellular communications, I trust that they are stored safely. In this case it is quite hard to really argue on what is safe or not, as they NSA and GCHQ often are described as having endless means of attacking anyone and anything.

The report from Kaspersky on the Equation Group leaves no doubt that the NSA has advanced capabilities. A company like Gemalto also has advanced capabilities and are probably well aware that intelligence agencies are very much interested in what they do. Therefor it is not unlikely that they had taken steps to secure their encryption keys even from such adversaries. They describe their network as a cross between an orange and an onion which is quite familiar to me. When dealing with critical infrastructure, different security zones are needed. Connecting such networks directly to the Internet is not something such a security model would allow.

The NSA and GCHQ on the other hand wants to be able to intercept and store any type of communication we use, whether it is by phone, email or the web. The use of encryption is a huge disadvantage for them, so of course, getting the encryption keys from a company like Gemalto would be a huge win.

In this case I do not think they got what they were looking for, but I am quite sure that they will try again. In their effort to protect us (at least thats what they say), they are pushing for the ban of encryption or that backdoors are implemented in the algorithms used. This is not something we can allow, as history has shown us many times that everyone has the right to privacy. It is one of the basic fundamentals for our modern society and it is a principle we must fight to protect. As I have written before, even if you have got nothing to hide today, who knows what tomorrow says about you and your ideas?

SHIPS have set sail

I was most pleased when I saw the release of the SHIPS software from TrustedSec. The problem with managing local admin accounts could be a thing of the past with this tool, and the best thing about it, it is open source. The idea about SHIPS is rotating the local admin password with a random generated password. It is client and server based, so you have a server part which holds the passwords in encrypted form, as well as a client part which sets the actual password for local admin user on every box where you have the SHIPS client installed. It can be installed on laptops, desktops and servers, it does not really matter, as long as it is running Windows. The communication between the SHIPS server and client relies on HTTPS so nothing is transmitted or stored in clear text.

The most used solution today which is is a tool called AdmPWD does not support encryption in the version that is publicly available, passwords are stored in clear text in Active Directory. Not everyone can read that attribute but it would feel better knowing those passwords were indeed encrypted. With SHIPS, that problem is solved.

This looks like a great boost for everyone on a blue team as this has been and still is a real hassle. This will definitely make the life harder for any penetration tester. I cant wait to try this out. Thanks to TrustedSec for releasing this tool, awesome job, now I just wait for a Linux version!

Vmware PowerCLI credentials

Vmware PowerCLI is a very powerful tool for managing a Vmware Infrastructure using Powershell. Stopping and starting virtual machines, and a ton of other stuff is available to you as an administrator. It is also quite useful for automation using scripts. However, when using scripts, the credentials you provide to connect to your vSphere or vCenter host is not something that should be exposed in clear text. The solution for this is to use the safe store mechanism that is available and allows you to safely store usernames and passwords and access them later on in your scripts. Basically you store credentials for a specific vSphere or Virtual Center server in an encrypted form where they will remain safe from prying eyes.

The Powershell command to use is the New-VICredentialStoreItem which takes the following parameters, Host, User and Password.

So, to safely store credentials for a host I could enter the following:

New-VICredentialStoreItem -Host virtualcenter.local -User demo -Password P@ssw0rd

Once this is done I could simply connect to my Virtual Center server using the stored credentials as follows:

Connect-VIServer virtualcenter.local

Trusting encryption technology

Whatever encryption technology you use, I assume you use it because you trust it? Perhaps you only use it because it was available, or it was easy to install, configure or or use it? Whatever the case may be, relying on a piece of technology you are not able to fully understand can be a bit scary. Myself, I use use different encryption technologies, such as Macos X disk encryption, Microsoft disk encryption and others, but can I trust them?

In a way, I really have no choice but to trust them if I decide to use them, but if I do feel a bit concerned, I can add additional levels of protection. I am quite sure that both Apple and Microsoft provide disk encryption that is resilient to attack, depending on my password or pass-phrase of course. The thing about passwords and pass-phrases are something that many users don’t seem to understand how it makes disk encryption good or virtually useless.

Every password or pass-phrase can be brute forced, basically guessed until you find the correct password or pass-phrase. Depending on the quality of your chosen password or pass-phrase, the disk encryption you might have implemented might not protect your data. If you enable BitLocker in Windows and choose a poor password, an attacker will be able to decrypt your data. If you have chosen a good password, an attacker faces an impossible task of guessing the correct password. The debate of what makes up a good password is ongoing, but I will say this; using dictionary words or abbreviations of those words is probably a bad idea. A good password is based on random characters and the other key factor is length. The longer the password is, the harder it will be to guess, if it based on random characters.

So, adding additional layers of security, how can this be done?

Personally, I add layers of encryption to sensitive material which of course adds to the complexity of managing the information, but I feel that it is worth the extra effort to make absolutely sure that no other than authorized people can access the data. One way to do this is to start with the hardware, as an example an USB drive. There are USB drives that comes with hardware encryption. Second, utilize operating system encryption such as BitLocker on the device, and as last step, add a software encryption container on the device itself. That makes 3 layers of encryption which will make it very hard for any attacker to gain access to the data. If you also make sure to use 3 different random and quite long passwords for the different layers of encryption, I think you can feel that your data is pretty safe. Is it hard to manage a solution like this as a ordinary user? I would say, not that hard that I would say that it is not worth doing. Entering a pin on the hardware device before plugging it in the computer is step 1, entering BitLocker password is step 2 and finally mount the encrypted container is step 3. It is not as hard or as difficult as it may sound. Give it a try, you might like it enough to start using it to protect your sensitive data.

Easy to use encryption tools

Last week I attended Next Generation Threats in Stockholm where a hot topic was the matter of privacy. There are a number of encryption tools out there, but which are really the ones we should use? This easy question has unfortunately no easy answer. In my last post I showed how one can use PGP to encrypt email messages, but it is not very easy to use with webmail providers. PGP works, but one cant say it is very user friendly, and that is very important.

Most users do not care how technology works, they simply want to use it. If it is secure, great, but it is not something that most users are to concerned with. Even if you are concerned with security, the more user friendly it is, the better. The problem is, when somebody claims their software is secure, how can you trust them? As a speaker at this conference pointed out, the more buzzwords you put in, the more likely are you to attract users to use your software. NSA-proof was such a buzzword, a word I would never use myself, but it seems very popular among software vendors these days.

Personally, I prefer to use open source tools instead of closed source. Why? It is not because I am proficient enough to check the source code and validate their claim about being secure or not, but I trust in the community to help me with just that. We are all good a different things and by using open source, those companies gives us a chance, as a community, to validate their efforts of helping us to stay secure when communicating. One obvious example is Open Whisper Systems, which currently have two apps for allowing me as a user to communicate privately. The reason I use their software instead of a number of closed source products is just the fact that their source code is available for everyone. I am not an expert on cryptology, nor am I a great programmer, but the whole Internet community has a number of people who are good at these things. I put my trust in their ability, rather putting my trust into a closed source project that can claim whatever they want without having to actually prove it. Another great project is Tor with their browser bundle as an example, which also is open source. Tor is mainly about anonymity and not about encryption, but the idea of allowing secure communication is basically the same. Secure communication can mean a lot of things, but for me, both these projects are at the core of private, anonymous and secure communication.

Users who do not care about their online privacy and do not care about their data, perhaps you should think again. The idea behind “I have got nothing to hide” may not protect you in the future. If governments and other parties are able to obtain your data and eavesdrop on your communications, that power can be abused. It has happened before, and it will happen again. Remember that your online history and communications can be stored for safe keeping unless you protect it, and maybe not now, but somewhere in the future, that data could come back to haunt you. So, I will leave you with a simple advice, the same advice one of the speakers offered.

If your device offers encryption, use it, simple as that. Many of the devices you use have encryption available, some even have encryption on by default. Encryption is available for most of you, so start using it.