Archive for the ‘Software’ Category

TrueCrypt 6.0a

July 21, 2008

I’m a bit late on this one, but TrueCrypt 6 was released earlier this month. This upgrade won’t be a major benefit to everyone, but it does have some interesting new features.

The first is the ability to create a hidden operating system when using system (whole-disk) encryption. It works along the same lines as hidden volumes inside encrypted containers: a decoy operating system sits on the normally encrypted system partition, and a second, hidden operating system lives in a hidden volume tucked inside the free space of another encrypted partition, each protected by its own password. Which password you type at the boot prompt determines which system starts, and because the hidden volume's space looks exactly like the random data TrueCrypt fills free space with, its existence cannot be shown without the hidden password. This is what TrueCrypt calls plausible deniability: it gives you a "decoy" or "safe" system to unlock if, for example, you are under duress. The deniability only holds if the decoy is genuinely used from time to time and nothing on it (or in the outer volume) hints at the hidden one, so it takes some discipline. While most of us aren't spies, this feature may still come in handy.
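To make the "the password selects the volume" idea concrete, here is an added example (my own illustration, not TrueCrypt's code) of a container with an outer and a hidden header slot. The layout, sizes, offsets, PBKDF2 parameters and the HMAC-based stream cipher are assumptions chosen to keep it self-contained; real TrueCrypt uses 512-byte headers, AES/Serpent/Twofish in XTS mode and a much larger fixed offset for the hidden header. What is faithful is the mechanism: the same open routine tries every header slot with the password given, and a slot only "exists" if the decrypted header shows the TRUE magic and a valid CRC.

```python
import hashlib
import hmac
import os
import struct
import zlib

# Simplified model of a TrueCrypt-style container holding an outer (decoy)
# volume and a hidden volume. Sizes, offsets, key-derivation parameters and
# the stream cipher are assumptions for this example only.
SALT_LEN = 16
HEADER_LEN = 64          # encrypted header bytes following the salt
SLOT_LEN = SALT_LEN + HEADER_LEN
OUTER_HDR_OFF = 0        # outer-volume header slot
HIDDEN_HDR_OFF = 1024    # hidden-volume header slot, inside the header region
HEADER_REGION = 2048     # volume data begins here
CONTAINER_SIZE = 4096
MAGIC = b"TRUE"          # TrueCrypt headers really do start with this once decrypted
PBKDF2_ITERS = 2000


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ITERS, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES-XTS."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_header(password: bytes, vol_off: int, vol_len: int, master_key: bytes) -> bytes:
    """salt || Enc(magic || offset || length || master key || crc || random pad)"""
    salt = os.urandom(SALT_LEN)
    body = MAGIC + struct.pack(">QQ", vol_off, vol_len) + master_key   # 52 bytes
    body += struct.pack(">I", zlib.crc32(body))                        # 56 bytes
    body += os.urandom(HEADER_LEN - len(body))                         # 64 bytes
    return salt + keystream_xor(derive_header_key(password, salt), body)


def try_header(password: bytes, slot: bytes):
    """Return the decoded header if `password` decrypts this slot, else None."""
    salt, enc = slot[:SALT_LEN], slot[SALT_LEN:SLOT_LEN]
    body = keystream_xor(derive_header_key(password, salt), enc)
    if body[:4] != MAGIC:
        return None
    if struct.unpack(">I", body[52:56])[0] != zlib.crc32(body[:52]):
        return None
    vol_off, vol_len = struct.unpack(">QQ", body[4:20])
    return {"offset": vol_off, "length": vol_len, "master_key": body[20:52]}


def create_container(outer_pw: bytes, hidden_pw: bytes) -> bytes:
    # Everything starts as random bytes, so free space in the outer volume and
    # an unused hidden-header slot look exactly like a real hidden header.
    c = bytearray(os.urandom(CONTAINER_SIZE))
    outer = make_header(outer_pw, HEADER_REGION, CONTAINER_SIZE - HEADER_REGION, os.urandom(32))
    # The hidden volume occupies the tail of the outer volume's free space.
    hidden = make_header(hidden_pw, CONTAINER_SIZE - 1024, 1024, os.urandom(32))
    c[OUTER_HDR_OFF:OUTER_HDR_OFF + SLOT_LEN] = outer
    c[HIDDEN_HDR_OFF:HIDDEN_HDR_OFF + SLOT_LEN] = hidden
    return bytes(c)


def mount(container: bytes, password: bytes):
    """Try both header slots; the password, not the user, selects the volume."""
    for name, off in (("outer", OUTER_HDR_OFF), ("hidden", HIDDEN_HDR_OFF)):
        hdr = try_header(password, container[off:off + SLOT_LEN])
        if hdr is not None:
            return name, hdr
    return None
```

A wrong password fails both slots, and neither slot contains anything recognisable before decryption, which is the whole basis of the deniability. The flip side, which TrueCrypt handles with its "hidden volume protection" option, is that writing to the outer volume without supplying the hidden password can silently overwrite the hidden volume, because the outer volume sees that region as free space.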

The other new features are performance and reliability enhancements. Encryption and decryption are now parallelised across processor cores, so throughput scales roughly with the number of cores (close to twice as fast on a dual-core, four times on a quad-core), which speeds up everyday reads and writes as well as creating volumes. On the reliability side, every volume now carries an embedded backup header, so a container or partition whose primary header has been damaged or overwritten has a much better chance of being recovered.

For regular use, you probably won't notice a lot of difference, but nonetheless, it's another great release from the TrueCrypt team.

OpenVPN Guide

June 27, 2008

I’ve finally finished my OpenVPN guide. It’s based on the guide I used from It’s a Tech World, but I’ve beefed up the security and added explanations and detail to some of the more complicated steps.

Here is the URL (it’s linked from the homepage as well):

As I mentioned in a previous post, with this configuration of OpenVPN you'll be able to connect securely to your host network from anywhere and reach its files, services and internet connection, while the host network remains invisible to port scans: with tls-auth on a UDP port, the server never answers an unauthenticated probe, so the port looks no different from one with nothing behind it.

This product is amazingly effective, simple to use (once set up) and, with the right configuration, secure. I think my guide is fairly comprehensive, but if you have any suggestions, feel free to comment.

Big thanks to Riley at It’s a Tech World for writing such a great guide.

OpenVPN: Really Good VPN

June 10, 2008

As the name suggests, OpenVPN is an open source VPN package. What isn’t immediately obvious is that, rather than using the more popular PPTP or L2TP/IPsec VPN protocols, OpenVPN uses SSL/TLS (using the OpenSSL toolkit). I’ve been playing with this free product for the last week and have been very impressed.

While PPTP and L2TP/IPsec are certainly the more popular VPN technologies, a look at their Wikipedia pages suggests they are neither the most secure (PPTP's MS-CHAP authentication in particular has well-documented weaknesses) nor the most straightforward to set up.

While I can't say that OpenVPN has the most user-friendly setup process, with good instructions it's fairly straightforward and, once it's up and running, it's mightily secure. In fact, from the outside world it's nearly impossible to detect that it's even there (but more on that later).

OpenVPN works in a client-server arrangement. On your host network, you install a copy and drop in a config file to designate it as the server. You then create a small certificate authority and issue a server certificate and one certificate per client (the bundled easy-rsa scripts handle this), and pick a port, protocol and cipher. Once that's done, you port forward from your router to the OpenVPN server on your host network, allowing you to reach it from remote networks.

On the client (eg. your laptop), you run the same install file, but use a client config file. You then drop the certificate files you just created onto the client machine and boom, you have yourself a VPN.

While it’s not quite as easy as I’m making it out to be, as I’ll explain, it’s well worth the hour or two (plus the inevitable time for annoying mistakes).

The reason I'm so pro-OpenVPN is that it implements some very cool technologies. The first is SSL/TLS for the tunnel's key exchange and authentication. Being so widely used on the web, this protocol has had more scrutiny than most. It is also very routable: you can set the inbound port on your router to 80 or 443 (and use TCP) if you think you'll be working from restrictive networks, since that traffic is rarely blocked.

Using SSL/TLS also means that you're using certificates for authentication. OpenVPN lets you generate 2048-bit RSA key pairs, so unless an attacker actually holds a client certificate and its private key, they can forget it. Even if your laptop is stolen, the client's private key can be passphrase-protected, giving you plenty of time to revoke its certificate at the CA and point the server at the resulting CRL (the crl-verify option) so the stolen credentials are useless.

Another nice touch is the option to use UDP. With no connection to set up, the server can simply ignore packets it doesn't like, so an unauthenticated probe gets no response at all, whereas a TCP listener must complete the handshake and thereby reveal an open port. UDP also avoids the poor performance of tunnelling TCP inside TCP. I also like the flexibility to choose any block cipher from the OpenSSL toolkit, including the speedy yet secure AES-128 (cipher AES-128-CBC in the config).

But, in my opinion, what seals the deal is a lesser-known feature called tls-auth. As I mentioned, even with OpenVPN running and the port forwarded, nobody but the client machines can solicit a response from your OpenVPN server. With tls-auth enabled, every control-channel packet (the TLS handshake included) must carry an HMAC computed with a pre-shared static key, ta.key, which is one of the files you copy to each client. Any packet without a valid HMAC is dropped before OpenVPN does any TLS processing, so the would-be attacker sees nothing at all and the server never has to parse untrusted handshake data. Note that this is an HMAC (a keyed hash, with the same key on both sides) rather than a signature, so the key file must be protected like any other secret; the packet counter it covers also gives the control channel replay protection.
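The following is an added example of my own (not OpenVPN's code) that models the tls-auth gate described above and the "invisible" behaviour mentioned in the OpenVPN guide post: a server-side check that authenticates every control-channel packet with a pre-shared key before anything reaches TLS. The packet layout, the use of HMAC-SHA256 (OpenVPN defaults to HMAC-SHA1 for tls-auth), the way the static key is split into directional halves and the opcode constant are simplifications and assumptions; the static key itself is constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Stand-in for the 2048-bit static key held in ta.key (constructed for this example).
TA_KEY = hashlib.sha256(b"constructed ta.key for the example").digest() * 8   # 256 bytes

HMAC_LEN = 32                       # HMAC-SHA256 here; OpenVPN's tls-auth default is SHA1
HDR_LEN = 1 + 8 + 4                 # opcode/key-id byte, session id, packet id
OPCODE_HARD_RESET_CLIENT = 0x38     # assumed: client hard-reset opcode 7 << 3, key id 0


def tls_auth_keys(key_direction: int):
    """Each side sends with one half of the static key and verifies with the
    other. Opposite key-direction values (server 0, client 1) swap the halves,
    so the client's send key is the server's receive key. Offsets are assumed."""
    a, b = TA_KEY[0:64], TA_KEY[128:192]
    return (a, b) if key_direction == 0 else (b, a)    # (send_key, recv_key)


def build_control_packet(send_key: bytes, session_id: bytes, packet_id: int, payload: bytes) -> bytes:
    header = bytes([OPCODE_HARD_RESET_CLIENT]) + session_id + struct.pack(">I", packet_id)
    tag = hmac.new(send_key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class TlsAuthGate:
    """What the server applies to every control-channel packet before TLS sees it."""

    def __init__(self, recv_key: bytes):
        self.recv_key = recv_key
        self.highest_id = {}        # session id -> highest packet id accepted
        self.dropped = 0

    def accept(self, packet: bytes):
        """Return the payload to hand to TLS, or None to drop silently."""
        if len(packet) < HDR_LEN + HMAC_LEN:
            self.dropped += 1
            return None
        header = packet[:HDR_LEN]
        tag = packet[HDR_LEN:HDR_LEN + HMAC_LEN]
        payload = packet[HDR_LEN + HMAC_LEN:]
        expected = hmac.new(self.recv_key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1       # no reply, no TLS alert: the sender learns nothing
            return None
        session_id = header[1:9]
        packet_id = struct.unpack(">I", header[9:13])[0]
        if packet_id <= self.highest_id.get(session_id, 0):
            self.dropped += 1       # replayed capture of a genuine packet
            return None
        self.highest_id[session_id] = packet_id
        return payload


def simulate() -> dict:
    _, server_recv = tls_auth_keys(0)
    client_send, _ = tls_auth_keys(1)
    server = TlsAuthGate(server_recv)
    session = os.urandom(8)
    genuine = build_control_packet(client_send, session, 1, b"ClientHello")
    forged = build_control_packet(hashlib.sha256(b"guess").digest(), session, 1, b"ClientHello")
    scan = os.urandom(60)           # what a port scanner or fuzzer might send
    return {
        "genuine": server.accept(genuine),
        "replay": server.accept(genuine),
        "forged": server.accept(forged),
        "scan": server.accept(scan),
        "dropped": server.dropped,
    }
```

Only the first packet gets through; the replay, the forgery with a guessed key and the random probe are all dropped with no response. On a UDP port that silence is exactly what a scanner sees for a port protected by a firewall that drops traffic (nmap reports both as open|filtered), which is why the server is so hard to distinguish from nothing at all.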

On top of all this, initiating a VPN tunnel from your laptop couldn't be easier. You double click a system tray icon, enter a password and it's done. From then on it's just like you are plugged into the host network. You can browse file shares, use network services (eg. VoIP or Exchange) and browse out through the host internet connection. It's nice when you can get this level of functionality for such a small sacrifice to security, and I can certainly say that OpenVPN has the best functionality-to-security ratio that I've seen. In addition, it's free.

In the next few days I’ll be posting a comprehensive guide to setting up OpenVPN. It will be based on a couple of guides I’ve used, official documentation and a lot of Googling. I hope it’ll prove useful.

In the meantime, if you’d like to read up on OpenVPN security, just Google it. There are a bunch of good articles.

EDIT: The guide is finished, you can view it here.

New to NAC

May 6, 2008

Reading through the news coming out of the Interop conference in Las Vegas, I’ve learnt about a relatively new class of security product called NAC or Network Access Control.

NAC involves verifying the state of a system before granting it access to a network. This might involve checking that anti-malware is up to date, the OS is patched and that group policies have been applied. The aim is to stop unpatched or infected systems being attacked, or attacking others, the moment they join a network.

NAC generally relies on an agent on the client, which reports the machine's health, with enforcement done at the switch, DHCP server or VPN gateway. Microsoft's version, Network Access Protection, ships with Vista and with XP as of Service Pack 3. Security vendors such as Symantec, McAfee and Sophos have also released packages to market.

This approach to network security seems much more comprehensive and seamless than using combinations of software, group policy, scripting and user privilege control, but increased security always comes at a price.

One of the greatest difficulties with implementing NAC is authenticating and monitoring non-PC devices such as VoIP phones, network printers and IP security cameras that can't run an agent. Exceptions can be made for such devices based on IP or MAC address, but a rogue system that spoofs those addresses then bypasses NAC entirely. Developing secure ways to authenticate and verify the state of such devices will not be a trivial task.

Challenges aside, this is a promising technology for enhancing the security of any network.

Read more about NAC here.

SilentBanker: Stealing Money While You Wait

April 7, 2008

Online banking is a precarious thing. While it’s great to avoid the line at the bank, the security risks that come with this convenience are immense. Online banking has broken down the geographic and physical limitations that previously prevented fraudsters from thinking global.

To get to the point, there are some really powerful, cleverly designed trojans in the wild, designed to steal hard earned cash from under our noses.

One that's had a lot of attention over the last couple of months is SilentBanker. While other banking trojans indiscriminately log keystrokes, take screenshots and/or redirect you to phishing sites, SilentBanker takes a much subtler, targeted approach.

SilentBanker's evil genius lies in its ability to adapt its attack to whichever banking site you use. Its operators continually create profiles for new banks and, once a bank is profiled, SilentBanker can perform a host of tricks to swipe cash from unsuspecting users. The most worrying are HTML injection to prompt users for extra credentials, and the ability to change the destination account number on the fly during a live transaction, sending funds to an account the attackers control rather than to the intended recipient. In the latter case the user is shown no evidence of the fraud: the confirmation page is rewritten to display the details the user originally submitted.
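To show why the victim sees nothing, here is an added example of my own (a model, not SilentBanker's code or any real bank's) of the two tricks described: a hook sitting inside the browser that rewrites the destination account on the way out and puts the original back on the confirmation page on the way in, plus an injected credential field on the login page. It also includes the one check a user can actually make from the advice later in this post: comparing the fields on the login page with the ones the bank is known to use. The toy bank, the form fields and the account numbers are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode

MULE_ACCOUNT = "99887766"                      # attacker-controlled account (constructed)
EXPECTED_LOGIN_FIELDS = {"username", "password"}


class BrowserHook:
    """Model of the man-in-the-browser behaviour described above. It runs inside
    the browser, so it sees form data after the user clicks Submit and before
    TLS, and sees responses after TLS has been removed."""

    def __init__(self, mule_account: str):
        self.mule = mule_account
        self.swapped = {}                      # mule account -> destination the victim typed

    def on_request(self, path: str, body: str) -> str:
        if path != "/transfer":
            return body
        fields = parse_qs(body)
        self.swapped[self.mule] = fields["to_account"][0]   # remember what to show later
        fields["to_account"] = [self.mule]
        return urlencode(fields, doseq=True)

    def on_response(self, path: str, html: str) -> str:
        if path == "/login":
            # HTML injection: an extra credential prompt on the bank's own page
            return html.replace('<input type="submit"',
                                '<label>ATM PIN <input name="pin"></label>\n<input type="submit"')
        for mule, original in self.swapped.items():
            html = html.replace(mule, original)   # confirmation shows the intended recipient
        return html


def bank_server(path: str, body: str):
    """Toy bank: records whatever it receives and confirms it back."""
    if path == "/login":
        return ('<form><input name="username"><input name="password">'
                '<input type="submit"></form>', None)
    fields = parse_qs(body)
    to, amount = fields["to_account"][0], fields["amount"][0]
    return f"<p>Transferred {amount} to account {to}.</p>", {"to": to, "amount": amount}


def form_field_names(html: str) -> set:
    return set(re.findall(r'<input[^>]*name="([^"]+)"', html))


def unexpected_login_fields(html: str) -> set:
    """Flag credential prompts the login page never had."""
    return form_field_names(html) - EXPECTED_LOGIN_FIELDS


def simulate_session(hook: BrowserHook, to_account: str, amount: str) -> dict:
    login_page, _ = bank_server("/login", "")
    seen_login = hook.on_response("/login", login_page)
    body = urlencode({"to_account": to_account, "amount": amount})
    page, ledger = bank_server("/transfer", hook.on_request("/transfer", body))
    return {
        "login_extra_fields": unexpected_login_fields(seen_login),
        "confirmation": hook.on_response("/transfer", page),
        "ledger": ledger,
    }
```

The bank's ledger ends up with the mule account while the page the victim reads names the account they typed, so no amount of staring at the screen reveals the substitution. Anything that reports the transaction outside the browser (a statement, or a confirmation message that quotes the destination account) is what exposes it.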

While other attacks will often catch a user's attention when thousands of dollars go missing from an account, trojans like SilentBanker are much less likely to draw such attention, because they only divert the amounts users themselves specify. Nothing looks unexpected unless the intended recipient of a transaction starts asking where the payment is.

The best ways to protect against trojans like this are up-to-date antivirus, a firewall with application control, being alert to any change in the authentication process for your online account and, where your bank offers it, an out-of-band confirmation (such as an SMS) that states the destination account and amount, since the trojan can only rewrite what passes through the browser.

Symantec has rated SilentBanker as a low-risk threat, largely due to its limited distribution, so it's a case of be alert, not alarmed. However, more will follow.

Symantec have done a good technical write up:

And Sophos have a write up on a similar trojan called Zbot:

m0n0wall: DIY Firewall

March 29, 2008

If you have an old PC lying around that you were too lazy to throw out, don't change your ways in a hurry. It may come in handy. If you have the need, you can turn it into a first-rate NAT firewall router.

Why? Well, sure, you can buy a router for $80 and, to be honest, a cheap D-Link or Linksys router is all you need most of the time. But if that kicks the bucket and you need a replacement, or if you take a look at the m0n0wall GUI and fall in love, you may find this great little firewall is the perfect way to get your Pentium II back in the game.

The reason old machines are perfect for DIY appliances (like m0n0wall) is that, while you won’t have much luck running XP (and Vista, you’d be dreaming) on them, they have ample grunt to run a stripped down Linux/BSD operating system.

m0n0wall is a FreeBSD-based system with a bit of a difference. Its entire boot-time configuration is done by PHP scripts and all system configuration lives in a single XML file, which keeps it tiny and trivial to back up: the whole install image squeezes in under 6MB. Every megabyte sure packs a punch, though. It does stateful packet filtering, NAT, DHCP, SNMP, IPsec and PPTP VPN, DynDNS, Wake-on-LAN, captive portal and traffic shaping. It also has a great SVG-based traffic grapher and one of the best web GUIs around.
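Since "stateful packet filtering" and "NAT" are the two jobs a box like this does all day, here is an added example of my own (not m0n0wall's code, which does this in the FreeBSD kernel) of the state-table logic behind them: an outbound flow creates state, only matching replies are translated back in, and anything else arriving on the WAN side is dropped unless you have explicitly forwarded the port, as you would for the OpenVPN server from the earlier posts. Packet fields and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")


class StatefulNatRouter:
    """Model of a stateful NAT firewall: outbound flows create state, replies
    are translated back, everything else inbound is dropped unless an explicit
    port forward exists."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.outbound = {}        # (proto, lan_ip, lan_port, dst, dport) -> nat port
        self.inbound = {}         # (proto, nat port, remote ip, remote port) -> (lan_ip, lan_port)
        self.port_forwards = {}   # (proto, wan port) -> (lan_ip, lan_port)
        self.dropped = []

    def forward_port(self, proto: str, wan_port: int, lan_ip: str, lan_port: int):
        self.port_forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def lan_to_wan(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        nat_port = self.outbound.get(key)
        if nat_port is None:                       # new flow: allocate a NAT port and state
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = nat_port
            self.inbound[(p.proto, nat_port, p.dst, p.dport)] = (p.src, p.sport)
        return p._replace(src=self.wan_ip, sport=nat_port)

    def wan_to_lan(self, p: Packet):
        """Return the packet to deliver inside, or None when it is dropped."""
        if p.dst != self.wan_ip:
            self.dropped.append(p)
            return None
        state = self.inbound.get((p.proto, p.dport, p.src, p.sport))
        if state is not None:                      # reply to a flow we opened
            return p._replace(dst=state[0], dport=state[1])
        fwd = self.port_forwards.get((p.proto, p.dport))
        if fwd is not None:                        # e.g. 1194/udp to the OpenVPN box
            return p._replace(dst=fwd[0], dport=fwd[1])
        self.dropped.append(p)                     # default deny for unsolicited traffic
        return None
```

Note that the state is keyed on the full five-tuple: a packet aimed at an allocated NAT port from any other source address or port is still dropped, so guessing the port number buys an outsider nothing.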

So how do you get it up and running? If you just want to try it or you can't be bothered with a hard drive install, you can download the CD-ROM image and run it straight from the CD. You can even do this on your primary machine (although not recommended) without it messing with Windows. Just pop a floppy or USB stick in to store the config file.

If you’re using it long term, grab the Generic-PC image. If you need a hand with setup, take a look here.

Bottom line, this product is amazing… and secure… and open source… and free. Give it a try.



March 20, 2008

I can't understand why Windows has so little control over itself. Specifically, I take issue with the fact that it periodically refuses to delete or move files that some process still has open, usually saying something like:

Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.

Sorry to bother you Windows. How inconsiderate of me.

Unlocker is a tool you can use to get around this. It's a lightweight app that adds a context menu showing which processes hold handles to a file, folder or USB device, and lets you release those handles (or kill the owning process) so the item can be deleted, renamed or moved.

Along with being plain useful every day, there's also a security tie-in. A lot of malware keeps its files open precisely so that you or your anti-malware program can't remove them. With Unlocker on hand you can delete or move whatever you like, when you like, without booting to Safe Mode or a Linux live CD. Bear in mind that releasing a handle doesn't stop the process that held it; if that process is the malware, kill it (and whatever launches it at startup) as well, or it will simply recreate the file.


TrueCrypt 5.1a

March 17, 2008

The TrueCrypt team are working overtime adding improvements and bug fixes.

This time they’ve increased boot speed (for system encrypted drives) by ~10% and fixed some system incompatibility issues which could lead to the hibernation file being left unencrypted on particular setups. Good to see them dealing with these issues so quickly, yet another reason TrueCrypt’s such a great product.

TrueCrypt 5.1

March 14, 2008

A few days ago, the TrueCrypt guys released version 5.1 of their stunningly secure, free data encryption utility. The release of TrueCrypt 5.0 added support for system partition encryption, ie. encrypting every byte of your OS partition, so you have to enter a password before Windows boots (system encryption is Windows-only at this stage; containers and non-system volumes work on Windows, OS X and Linux). 5.1 added hibernation support for this sort of encryption.

Whole disk encryption isn’t a do-or-die for everyone, so here’s my two cents on using TrueCrypt.

USB Sticks: They're just asking to be lost. If they are, whoever picks one up can read through your resume, work documents, love letters and whatever else you keep on it. TrueCrypt has a 'Traveler Disk' tool which lets you encrypt some or all of your USB stick. Making a small (mine's 100MB) encrypted file container (an encrypted file which you mount as a drive letter) will give you enough space to lock up your important files, while leaving your videos and mp3s alone. TrueCrypt throws a portable version of the software on your USB so you always have it on hand, though you'll need administrator rights on whatever machine you plug it into, since TrueCrypt has to load its driver.

External Hard Drives: From a security point of view, these are similar to USB sticks. They're small, light and easily stolen or lost. However, you're likely to store a lot more data on them and the data's likely to be more important. It's best to encrypt the whole disk. A couple of caveats though. Unlike system partition encryption, you can't just click "decrypt disk" to get rid of the encryption. You have to copy the data off the disk, reformat, then copy it back on. Another issue is that if you use your disk on other people's systems, you'll have to install TrueCrypt first (or run it in traveler mode, which still needs admin rights). If either will cause problems, figure out what needs to be secured and create an encrypted file container.

Laptops: There are a lot of news articles about laptop theft. Because they are so tempting to thieves, it’s probably best to encrypt your whole disk. You could just create an encrypted file container or encrypt your data partition (if you have one), but it’s better to do the whole lot, just in case you have some financial papers or embarrassing photos stored somewhere you’ve forgotten about.

Desktops: The risk of these being lost or stolen is significantly less than laptops or USB sticks, but it still happens. Encrypting your whole disk doesn't hurt. In fact, according to tests by Steve Gibson, it actually makes your drive run faster in some situations. That said, even though TrueCrypt is phenomenally reliable, encrypting your drive could make it more difficult to recover data from if there is a problem. It's probably better to create an encrypted file container and mount that. If you have a separate HDD or partition for your data (which is recommended, as it means less fragmentation of system files), you can encrypt the whole thing and have TrueCrypt auto-mount it and prompt for a password when you boot up your OS.

Then again, if you don’t store anything private on your computer, don’t bother. But chances are you have at least a few files which are worth the small inconvenience of using TrueCrypt. I highly recommend giving it a try.


KeePass Password Safe

March 2, 2008

Passwords are annoying. If we make them too simple they can be cracked. If we make them too complex they will be forgotten. We also don’t want to use the same password for every account we have, in case someone gets hold of it.

It’s easy to use the password manager built into the browser to cut out the hassle, but these password managers have limitations. Few let you review and change the saved information and, unless you are using a portable browser, it’s stuck on the one machine.

KeePass is a good solution. It’s a lightweight, open source password manager which lets you organise your ever-growing list of passwords and encrypt them with 256-bit AES. You then use one master password to get access to the database.

You can throw it on a USB key or save it in a draft email on your online account so you have access to it wherever you may be. The database is encrypted, so wherever you keep it, the master password (together with KeePass's key-transformation rounds, which slow down guessing) is all that stands between it and anyone who obtains the file, so choose it accordingly. It probably isn't worth the effort of putting an overly complex password on everything, but at least for financial accounts this is very useful.

The interface is a bit cluttered, but with the search bar it doesn’t really matter.