
BitLocker is that often forgotten FDE (full disk encryption) tool from Microsoft.
It basically gives you the ability to encrypt your entire hard drive (or any external device) and roam safely around the globe without fear.

The default setting is AES with a 128-bit key, with diffuser.

There are some PowerShell cmdlets in Windows with kernel 6.2+, and two bde commands for the other Windows versions 🙂
And the console, of course…

Most configuration is done using Local Group Policies. Some of those changes must be made BEFORE encrypting your disk…
So check out the options before encrypting everything!


To quickly check your current status (and which encryption type you’re using):

PS C:\Windows\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 237,96 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Sidenote on this subject

AES 256 isn’t safer than AES with a 128-bit key length.

Choose the encryption strength

BitLocker supports two levels of cipher strength for BitLocker: 128-bit and 256-bit. Both use the Advanced Encryption Standard (AES) to perform encryption. Longer encryption keys provide an enhanced level of security and are less likely to be successfully attacked by the use of brute-force methods. However, longer keys can cause slower encryption and decryption of data. On some computers, using longer keys might result in noticeable performance degradation. You can use Group Policy to change the length of the encryption key used by BitLocker.

In addition, BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. By default, BitLocker uses AES encryption with 128-bit encryption keys and Diffuser. You can also select encryption without Diffuser by using Group Policy if your organization is Federal Information Processing Standard (FIPS) compliant.

It is recommended that most organizations use AES 128-bit with Diffuser. For organizations that are required to use 256-bit encryption, the AES 256-bit with Diffuser option can be enabled by using Group Policy. => howto

http://lukenotricks.blogspot.be/2010/04/aes-128-versus-aes-256-encryption.html

http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit

http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

http://www.bolehvpn.net/blog/2013/10/what-data-encryption-algorithm-should-we-use/

http://collaboration.cmc.ec.gc.ca/science/rpn/biblio/ddj/Website/articles/DDJ/2007/0710/070901me01/070901me01.html

http://technet.microsoft.com/en-us/library/ee706531%28v=ws.10%29.aspx


Sidenote on recovery key

Keep that key somewhere quickly accessible. Especially with Windows 8…
On your phone, a hardcopy in your wallet, a tattoo on your arm…

When Windows 8 detects something has gone wrong while booting, it will try to recover.
But it can’t recover without the partition being unlocked. So you’ll need to enter the key.
When you cannot unlock it and reboot again, it’s just going to try to recover again.
And you’re looping forever…

Damn windows 8!


The interwebz is a complex wasteland.
Almost every website requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords: the simple password (19 bits) for the “one-time-use” websites, the more complex ones (still only max 65 bits) for the “special sites” like Facebook, Google, or my HR department… Actually, my “toughest” password (my Cronos admin password) only reaches 87 bits…


only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them

LOTS OF THEM……

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first the sync tools from Mozilla itself, later on some other third-party tools, but the last tool I got stuck with was Xmarks. But last year it was bought by LastPass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your passwords perfectly in sync between devices, nice plugins for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read: they’re teaching me) for another Cronos Group company working on InfoSec (another blog post about this will follow!). And the first thing that happened when firing up my laptop in front of these guys was Firefox opening, and LastPass popping up…

fuck

10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

Your own sync tool, built around KeePass!

I’ve been using KeePass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it offline. I open it, copy-paste something, close it and erase my clipboard.
Actually, it never occurred to me that you can use it otherwise!

Until today, on my first hit on Google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an HTTP web service), and you’re good to go! Uninstall LastPass, throw away all other third-party crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own AES-256-encrypted KeePass DB!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But then I would answer “you’re too soon with your remark” 😛

Put all of the above in a SkyDrive/Dropbox/ownCloud/anything, and you can run around using your passwords everywhere!

Jej!

————–

Some remarks on PassIFox: browse to any website with a login field, right-click -> fill user & pass. This is the only known interface to the Firefox plugin! Use this to set up the initial connect with lastpass (a connect dialog will appear).

Some remarks on the entire process: I always trusted sites like LastPass. I don’t know exactly why. But when you work for an InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was out of laziness, because LastPass just works that handy 😛 But in the end, so does PassIFox! So please, when you read this, think twice about who you trust with what!

Remark on SkyDrive/Dropbox/ownCloud: even Microsoft’s SkyDrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to log off from any Live-enabled website and someone can have access to these files as well. Even when you run ownCloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21st century burglars” can download is an AES-encrypted file! Good luck with that 🙂
Hell, with this setup you can even put a hidden TrueCrypt container in SkyDrive containing a portable Firefox and KeePass… But then, who’s that paranoid? 😛

In this first part of a series of posts, I want to talk about obfuscation.

This pretty hard to pronounce word actually means “the art of making things difficult”.
Google translates this word into Dutch as “verduisteren”: to darken/occult, or something like that.

In the IT world, it’s a technique to make code or information unreadable by humans, which in turn makes it almost impossible to analyse…

This can be done for multiple reasons:

  1. a software developer doesn’t want his code to be read (think of RSA, iTunes’ DRM FairPlay, copy protection like StarForce or SecuROM)
  2. virus writers trying to hide malicious code, making it harder to detect by anti-virus software
  3. defense contractors making sure not a single terrorist can find a hole in the mission control software of a missile

So, any programming language (or even hardware designs!) can be obfuscated (yep, even JavaScript).
It transforms your initial source code into something else.

A nice example.

void main(){
   string name="mendel";
   int age=24;
}

could make

void main(){
   string a = function1("mendel", "24", 1);
   int b = Convert.ToInt32(function1("mendel", "24", 2));
}
// both "constants" now hide behind one helper that picks a value by index
string function1(string a, string b, int c){
   if(c==1)
      return a;
   if(c==2)
      return b;
   return "";
}

(or something like that ^^)
The result is 100% the same, but the first part gives away a lot more information about what this function does!

An even funnier example:

int x = 0;

void function2()
{
   // i jumps 0 -> 2 -> 4 (the else branch adds an extra increment each round),
   // so the if branch is only reached once, on the third pass, and sets x=4
   for(int i=0; i<5; i++)
   {
      if(i>3)
         x=4;
      else
         i++;
   }
}

which actually just sets the variable x=4;

The idea behind all this is that when you, as a reader, analyse the code, you would not be able to figure out what it does 🙂
It just doesn’t make sense..

These obfuscation translations can go pretty far.
Take a look at the annual IOCCC contest, which results in really crazy stuff!

There are a lot of obfuscators written for IDEs like Visual Studio (Dotfuscator), Java (ProGuard), and many, many others… All with one reason in mind: protect (or just hide) your code!
If you want to read more about code obfuscation, this series is a very good start!
But you’ll find a whoooole lot more on Google!

There is no actual reason for this post. But sometimes you come across this kind of code. And I wanted to share this out-of-your-mind subject with you 🙂
I just hope you’re as intrigued by it as I was when I first saw it 🙂

[screenshot: JavaScript code from the “runforestrun” infection]

My first introduction to this subject was at Ghent University.
Next, I stumbled upon more obfuscated code when Stuxnet appeared.
After that, a virus infected a website of a customer at work (screenshot above), also pretty weird.
And even more recently in a DLL originating from a WP7 app.

More on that DLL later! 😉

It’s confronting, no?

Just a bunch of people with their corresponding passwords in plaintext 🙂
(Last login dating from 2011-03-27 13:20:47)

It’s the result of a school project of mine from 2007. Apparently everyone creating an account on the website had full trust in me (even people I’ve never heard of)… Poor people 😛

Never trust something you don’t entirely know 🙂

“Secrets” will eventually spread: LinkedIn, Last.fm, … ING?

If you follow me on Twitter, you might have read my tweet about my leaked LinkedIn password.
Yep, it’s out there!
Go and find it! I still haven’t changed it 😎
Badass!
(Challenge: the first one who can actually post something on my Facebook wins a crate of beer!)

P.S.: A good trick to know if your password is stored in plaintext on a website: if you’re able to “recover” your password when you’ve “forgotten” it, it’s plaintext…
When you have to reset it completely, it’s probably hashed 😉
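The P.S. trick, as an added example that is not from the original post: a store that keeps the password itself can mail it back on “forgot password”, while a store that keeps only a salted PBKDF2 hash can verify or replace it but never hand it back. All user names, passwords and the iteration count are constructed values for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example


class PlaintextStore:
    """The 2007 school-project way: the password itself is saved."""
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def recover(self, user):
        # A "forgot password" mail can simply send this back: that is the tell.
        return self.users[user]


class HashedStore:
    """Salted PBKDF2-HMAC-SHA256: the password can be checked or replaced, not returned."""
    def __init__(self):
        self.users = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh per-user salt, so equal passwords hash differently
        self.users[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        salt, stored = self.users[user]
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(self._digest(password, salt), stored)

    def recover(self, user):
        raise LookupError("only a one-way hash is stored; nothing to send back")

    def reset(self, user, new_password):
        # The only option left: throw the old hash away and store a new one
        self.register(user, new_password)


def demo():
    weak, strong = PlaintextStore(), HashedStore()
    weak.register("mendel", "hunter2")    # constructed credentials
    strong.register("mendel", "hunter2")
    return weak.recover("mendel"), strong.verify("mendel", "hunter2"), strong.verify("mendel", "nope")
```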

Let’s talk a bit about ISSISP, the reason why I was in Ghent the entire week…

It’s a summer school, organised by Prof. Bjorn De Sutter from the University of Ghent.
ISSISP stands for “International Summer School on Information Security and Protection”; it’s now organised for the 2nd time and is supported by IEEE, ACM, Irdeto and some others…

We had all kinds of cool guest speakers:
✓ Christian Collberg (University of Arizona, USA)
✓ Jack Davidson (University of Virginia, USA)
✓ Roberto Giacobazzi (Università di Verona, Italy)
✓ Yuan Xiang Gu (Irdeto, Canada)
✓ Bjorn De Sutter (Ghent University, Belgium)

And they all talked about different techniques for protecting software from third-party users. Like code that checks licensing information, and how hackers try to get around it…

Code obfuscation, watermarking, virtualisation, tamperproofing, … All pretty cool techniques for hiding information in your code and making sure nobody else can use it 🙂

They were nice courses, with (some more than others) fascinating speakers, cool people around, very good organisation, …

Actually, I don’t have any negative points! =)

It was fun and I really learned a lot!

Way to go!