Safe and Secure Browsing Through Home Computer

January 5th, 2011 § 0 comments § permalink

I have found a little OpenSSH switch to be one of my best friends. If I am at a strange client network, cafe, or conference, I use “-D” to make me feel warm and fuzzy all over. In OpenSSH, this switch creates an SSH SOCKS proxy on the port you specify, thus encrypting your traffic to the SSH server you specify. In my case I connect to my home computer using a free DYNDNS (http://www.dyndns.com/) dynamic DNS name mapped to my home computer that stays on.

Example:

$ ssh -D 6666 username@ip-address-of-your-ssh-server

Then you simply point your browser or other programs like IM at that port (6666 in the example) on localhost, and you can browse from your home computer, free of snooping or any potentially malicious users.
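An added example, not part of the original post: `ssh -D 6666` binds the SOCKS listener to loopback by default, but `-g` or `GatewayPorts yes` in ssh_config opens it to everyone else on the untrusted network. The function below classifies the listener from `ss -ltn` output; the sample lines are constructed, and the `curl` target is a placeholder.

```shell
#!/bin/sh
# Start the tunnel with the bind address spelled out (not run here):
#   ssh -N -D 127.0.0.1:6666 username@ip-address-of-your-ssh-server
# Spot-check that name lookups also travel through the proxy (not run here):
#   curl --socks5-hostname 127.0.0.1:6666 https://example.com/

# Classify the listener on PORT from `ss -ltn` output read on stdin.
# Prints: loopback (local only), exposed (reachable from the network), absent.
socks_listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                                  # Local Address:Port
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            found = 1
            if (host != "127.0.0.1" && host != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "absent"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample: default `ssh -D 6666` (loopback on IPv4 and IPv6).
sample_default() { cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:6666      0.0.0.0:*
LISTEN 0      128            [::1]:6666         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

# Constructed sample: the same tunnel started with -g or GatewayPorts yes.
sample_gateway() { cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:6666      0.0.0.0:*
LISTEN 0      128             [::]:6666         [::]:*
EOF
}

echo "default: $(sample_default | socks_listener_scope 6666)"
echo "gateway: $(sample_gateway | socks_listener_scope 6666)"
# On a live system: ss -ltn | socks_listener_scope 6666
```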

Another handy tool is ProxyChains (http://proxychains.sourceforge.net/) which I know works on Linux and might compile for you Mac people too.

Google Chrome Sandboxing

December 17th, 2010 § 0 comments § permalink

Iceland and the New Need for Free Speech and Cryptography

August 5th, 2010 § 0 comments § permalink

The name Wikileaks has become part of the general vernacular ever since their release of the 91k+ documents related to the US war in Afghanistan.  But another related topic has only been touched upon as a side note to the leakage of these once secret documents.  Iceland has recently only been on people’s minds in relation to the eruption of the Eyjafjallajökull volcano which disrupted a large amount of international travel.  But there is another story coming out of Iceland that has not gotten so much attention.  It is their passing of the Icelandic Modern Media Initiative, which passed the Icelandic Parliament unanimously.  The initiative aims to “task the government with finding ways to strengthen freedom of expression around the world and in Iceland, as well as providing strong protections for sources and whistle blowers. To this end the legal environment should be explored in such a way that the goals can be defined, and changes to law or new law proposals can be prepared. The legal environments of other countries should be considered, with the purpose of assembling the best laws to make Iceland a leader of freedoms of expression and information. We also feel it is high time to establish the first Icelandic international prize: The Icelandic Freedom of Expression Award.”

Being from the US, I grew up with the impression that the First Amendment allowed people to freely express much the same things that Iceland is referring to in their bill.  In the years since my childhood I have realized that this is more a concept than a practice put into action.  Late last month the Washington Post released a series of stories called Top Secret America in which they outlined the ever-growing privatization of intelligence gathering in the US.  Some 854,000 people hold top secret clearances, with thousands of companies reaping the billions of dollars spent on post-9/11 intelligence gathering and related activities.  Many of these activities involve intelligence gathering related to Internet and mobile traffic.  The most amazing part of the Post’s series is the utter lack of uproar over the piece.  Other recent news has also alluded to the possibility of private volunteer snoops (Cryptome claims a hoax) monitoring US citizens’ Internet traffic and is correlated to the arrest of Bradley Manning, a former US Army intelligence analyst accused of leaking secret video and documents to Wikileaks.  So you can say what you want but everyone is listening.

I can understand the need for secrecy in military actions and in certain cases to protect the US from hostile forces and groups.  But the fact that the NSA intercepts 1.7 billion emails, phone calls, and other electronic communications daily leads me to believe that out of that vast number the majority are just US citizens going about their daily communications.  Another twist in the news is the funding by Google and the CIA of a company called Recorded Future, which is a site that monitors thousands of sites like Twitter, Facebook, and numerous others to create relationships which may create a view of the future.  It also allows for relational and temporal mining of an individual as they relate to other people or groups.  This is certainly something that can be of use to intelligence agencies, yet also has a high potential for abuse.

If a person or organization had access to all the traffic coming from your computer (and some do) imagine the picture they can paint when in conjunction with a company like Google that you might use to search for anything of interest to you.  They would know your interests, hobbies, music taste, and most anything about you by creating these relationships.  Even the kind of legal adult content you may view (let’s be honest here).

So how does one protect themselves and their communications from this sort of snooping done by the government, private “hired guns”, and even individuals?

Cryptography.

There are many Open Source tools to protect yourself from snooping.  Even an entire cipherspace to use to protect your privacy online.  We will look at a few simple things you can do to protect your communications and Internet browsing.

The first would be GnuPG (GNU Privacy Guard), which is a cryptographic add-on to allow you to easily encrypt, decrypt, and sign email, chat, and files.  There are numerous front-ends to the program to allow ease of use.  Another good option for Instant Messaging encryption is Off-the-Record, which allows you to easily encrypt your IMs through numerous services.  A good client is Pidgin, which allows you to use GTalk, Yahoo!, AOL IM, and others in one program to easily encrypt conversations.  In terms of safe web browsing there is Freenet, which allows for an encrypted network to safely browse the Internet.  Tools like Freenet also help people in Internet-restrictive countries like China to access information freely and to report on the goings-on inside their countries.

Another popular anonymizer is Tor which uses the onion routing concept.

“Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.”

There are numerous other means of protecting one’s privacy online that I have yet to touch upon and will cover in more detail in future posts.  The above tools will be a good start to helping you protect your privacy and data.

Update 080620102347: Cryptome has an interesting series on US Government File Spying.  Its latest in the series has some interesting information.

Cloud security: Is it raining in the cloud?

March 6th, 2009 § 0 comments § permalink

SC has a good write up on cloud computing security:

Cloud computing, at least as a concept, is being driven largely by economics. It is generally less costly to run applications, add capacity and increase storage in the cloud, rather than investing in new hardware and software, and bringing on additional staff and beefing up networking.

“Cloud computing will happen because it has too much of an economic incentive and developer support – applications can be quickly added and developers can have a single place to maintain source code,” says Vatsal Sonecha, VP, business development & product management at TriCipher.

Overall, incentives include application-deployment speed, lower costs and fast prototyping. These are strong drivers. So much so that Gartner predicts that by 2012, 80 percent of Fortune 1000 companies will pay for some cloud computing service, and 30 percent of them will pay for a cloud computing infrastructure.

That is not to say that entire data centers will be moving to the cloud, at least in the largest companies. But for certain solutions, the cost benefits are hard to ignore.

Read More. . . (off site)

Locking Down Access to Scalr Web Interface

March 2nd, 2009 § 1 comment § permalink

I wanted to touch briefly on the security concerns for having Scalr accessible via the Internet. If you are running your own install of Scalr this is an important factor before even adding the first farm. For my own sake I will not get into my exact setup, but instead talk about a few approaches to locking down access to Scalr.

Possibly the best approach is to limit access to the Scalr interface to the internal network, requiring users to use OpenVPN or some other VPN solution to access internal resources, which would include Scalr.  If you are hosting Scalr on an AWS instance, be sure to set the security group to only allow the port you are running for VPN.  You can find a quick and dirty howto for OpenVPN on an EC2 instance at Google Books.

Another option is to use SSL and mod_access (Apache 1.3), or its renamed equivalent in Apache 2.2, mod_authz_host, to limit who has access to the Scalr interface.  You should at the very least use SSL to access Scalr.  You can also add a layer of authentication for good measure using Apache Basic Authentication.

Since Scalr controls the rest of your AWS setup, it is by far the one thing you want to lock down as much as possible.
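An added example, not from the original post or from Scalr: the Apache 2.2 option above as a hardened fragment beside a weak one, with a small check that flags what the weak one is missing. Both fragments are constructed; the 10.8.0.0/24 VPN subnet and the htpasswd path are assumptions.

```shell
#!/bin/sh
# Constructed Apache 2.2 fragment: SSL required, VPN subnet only, plus Basic Auth.
hardened_conf() { cat <<'EOF'
<Location />
    SSLRequireSSL
    Order deny,allow
    Deny from all
    Allow from 10.8.0.0/24
    AuthType Basic
    AuthName "Scalr"
    AuthUserFile /etc/httpd/scalr.htpasswd
    Require valid-user
    Satisfy All
</Location>
EOF
}

# Constructed weak fragment: no SSL requirement, and "Satisfy Any" lets a
# client in with EITHER an allowed address OR a password (here: any address).
weak_conf() { cat <<'EOF'
<Location />
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Scalr"
    AuthUserFile /etc/httpd/scalr.htpasswd
    Require valid-user
    Satisfy Any
</Location>
EOF
}

# Read a config on stdin; print one finding per line (no output: all checks pass).
audit_scalr_access() {
    conf=$(grep -v '^[[:space:]]*#' || true)      # ignore comment lines
    has() { printf '%s\n' "$conf" | grep -Eiq "^[[:space:]]*$1"; }
    has 'SSLRequireSSL'                        || echo "no-ssl-required"
    has 'Deny[[:space:]]+from[[:space:]]+all'  || echo "no-default-deny"
    has 'Allow[[:space:]]+from[[:space:]]+all' && echo "allow-from-all"
    has 'Require[[:space:]]+valid-user'        || echo "no-authentication"
    has 'Satisfy[[:space:]]+any'               && echo "satisfy-any"
    return 0
}

echo "hardened: $(hardened_conf | audit_scalr_access | tr '\n' ' ')"
echo "weak:     $(weak_conf | audit_scalr_access | tr '\n' ' ')"
```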

OpenVPN Setup

December 1st, 2006 § 4 comments § permalink

I found the setup and configuration of OpenVPN to be very easy and straightforward.  Much easier than setting up IPSec for sure.  It was as easy as doing a yum install openvpn then editing the configuration file to fit my needs.  One thing I also installed was the OpenVPN Webmin module.  The way I use Webmin is to set it up to use SSL after installing it.  Then I run it once I log in via SSH to a server.  That way it is not running continuously, nor do I keep it on the default port of 10000.

Once the server is configured it is quite easy using the Webmin module to create a CA (Certificate Authority) and generate certs.  Another function the module does well is generate a zip file with the needed keys and a client config file for the user you create.  This makes it easy to maintain a large list of VPN users.  Some clients I use in our environment:

I have found from testing that even with the use of 2048-bit keys performance is very good.  By forcing connected users to use our internal DNS servers, people can access our intranet sites easily from anywhere.

Monitoring Your Racks for Cheap

October 27th, 2006 § 0 comments § permalink

When we were setting up our locking cabinets at the new data center for my job I was wondering how to actively monitor the security around our cabinets. Since only the data center staff and I have keys to the cabinets, I wanted to be able to monitor when anyone entered them. I came up with a simple solution to be able to monitor the racks and keep track of changes. First I downloaded ZoneMinder, which is cam software that runs on Linux. It allows you to set up cheap consumer-grade cams to monitor security, with such advanced features as motion detection. This made it ideal for my needs since I could go buy two cheap $30 web cams to use for the front and back of the cabinets. Then all I had to do was install ZoneMinder on our monitoring server and configure it for motion detection captures. Now the only step left for me to do was put a sign-in sheet inside our cabinet with fields for the tech’s name, date, time, and what was done in the cabinet, then require the data center staff to fill out the sheet every time they enter the rack. Another good idea is to do this before signing a contract with the data center you have chosen. Then you can stipulate that if they enter the rack without signing the sheet you get X amount off your bill that month for each infraction.

Where Am I?

You are currently browsing the Security category at Jascha IS Me.
