Much of our daily lives are contained within our smartphones and computers. Email, text messages, and phone calls all contain bits and pieces of information that, in the wrong hands, could harm our privacy. Unfortunately many people either don’t understand how vulnerable their data is when sent across the Internet (or another commercial circuit) or just don’t care. While I don’t have much to say for the crowd in the latter category (can’t fix stupid) I do try to help people in the prior category understand that any network outside of their control is fair game for pilfering and that basic protections need to be taken to protect themselves. While I’m not going to dig into how data can be intercepted (there are plenty of articles out there on the subject) I would like to talk about how one can use tools to protect their data when using an Android smartphone.
Until recently email was the only easily-encrypted mode of communication. Most people didn’t have the means of encrypting their phone conversations and certainly not their SMS messages (unless you happen to be using a SME-PED, but those things are terrible in other ways). Now, Whisper Systems have released two open source programs that allow you to protect your communications. The first is called “RedPhone”. This program encrypts your phone conversations and allows you to converse securely. The second program is called “TextSecure” and encrypts text messages using authenticated, asymmetrical encryption.
I like the way TextSecure manages keys and allows you to verify the user’s key directly so you can establish trust. RedPhone appears to use the trust in the phone number for authentication. RedPhone also provides encryption opportunities when the distant party also has RedPhone on their device which is a nice feature that I wish TextSecure also provided. Both of these programs are very easy to use and need very little configuration.
TextSecure also provides an encrypted container for all your text messages so that your text messages are secure if the attacker has physical access to the device.
And OpenPGP is still a great option for protecting your email communications but that is a topic for later.
Someone sent me a link to the Port scanning /0 using insecure embedded devices article that was recently published. Describing the Carna Botnet, this project aimed to prove (or disprove) the hypothesis that there were one hundred thousand open systems on the Internet in which to make a botnet. I choose to use the word “open” and not “vulnerable” because we aren’t talking about systems that have some sort of unpatched bug that allows access. This researcher only used unsecure telnet sessions to create his botnet.
Because this was for research, no long lasting effects were created by the deployed software but that isn’t to say that other software couldn’t be introduced in a similar manner as was discovered during the experiment. It is believed that most of these open systems are appliances (printers, network devices, etc) which could yield other interesting developments if the software was malicious. This is a good read with lots of data provided inside the article. A good read for anyone interested in information security.
Last week while publishing a new guide I ran into a problem creating the Transifex client configuration file (.tx/config). The configuration file is generally a hateful file that requires a lot of manual manipulation to add in all the POT files for translation. This file exponentially increases the hatefulness as the number of POT files increase or the complexity of where these POT files increases. In summary, I hate to create these POT files. It seems I always end up screwing it up somehow and the Transifex client isn’t real great about telling you why it failed (it just fails in a non-obvious manner).
I started putting together some bash script to write the thing for me until I realized that the script was going to become unwieldy quite quickly. Luckily I have a boss who doesn’t mind poking me into learning a new trick. This new trick came in the form of Python. Realize that the last formal programming class came in the form of a Java class nearly ten years ago. Since then I try not to touch the stuff. But now I have a purpose… a need… a problem in search of a solution… and an excuse to start to learn Python.
So my creation is called create-tx-configuration. This simple program will read the pot/ directory for .pot files and create the .tx/config file for Transifex to use. While there was a way to have the Transifex client make the config file the process wasn’t easy nor did it work in all cases.
If you have a need to create Transifex config files please checkout create-tx-configuration and, as always, I appreciate feedback.
Many websites have both the traditional, unencrypted HTTP and the SSL or TLS-encrypted HTTPS addresses available to access their content. Wikipedia is one good example of this functionality. You can easily view Wikipedia using traditional HTTP protocol but if you wanted or needed a little more privacy the HTTPS address is available as well. Unfortunately it is sometimes hard to know if a website has the encrypted feature or not unless you try. And you might be in a hurry and forget to use the HTTPS version and then you’ve potentially sent sensitive information about yourself out onto the Internet unexpectedly.
There is an easier way, however, to use HTTPS whenever possible. The Electronic Freedom Foundation (EFF) has released a plug-in for Firefox and Chrome that knows of almost all of the commonly used websites that are available over HTTPS and will dynamically redirect your web browser to use that encrypted channel without you having to remember. The plug-in, known as HTTPS Everywhere, will convert any web address from HTTP to HTTPS whenever it knows that HTTPS is available.
Why is it important to encrypt your traffic whenever possible? Well, simply you never know who might be listening to your connection. If you are living in a country dominated by an oppressive government then your liberty or even your life might dictate that you need to obtain your information via encrypted means. Other people might be more concerned with their private browsing getting into the hands of a corporation to be sold to the highest bidder to get more information on you into their files. Others are just concerned with their privacy in general. Whatever the reason it’s a good idea to use encryption whenever possible.
It should be noted that HTTPS Everywhere doesn’t automatically encrypt all websites and users should still verify that the lock is showing in the browser address bar and that the certificate matches the site in which they are visiting. That said, using encryption makes your Internet browsing safer and this tool makes it easier.
Today a line was crossed. I’m not sure if it was the insanity of spending all day writing nine lines of Python (I am not a developer… I am not a developer… I am not a developer.) or what, but I really wanted to do git commands from within vim (my editor of choice). A quick search turned up the properly-named git-vim. The program does just what I want it to: be able to ‘git add’, ‘git commit’, and ‘git push’ all while never leaving vim. It also does other things but these are the basics that I want. If you want this functionality I recommend git-vim.
Yesterday I wrote about a little about Evernote being hacked and how it was bad that I could not remove their software from my device. Today I’d like to commend them for storing my password correctly in the first place. All too often companies store passwords in plaintext which make it trivial for hackers to use if (and when) they are stolen. The email I received from Evernote stated:
...were able to gain access to Evernote user information, which includes
usernames, email addresses associated with Evernote accounts and encrypted
passwords. Even though this information was accessed, the passwords stored
by Evernote are protected by one-way encryption. (In technical terms, they
are hashed and salted.)
Perfect! Hashed passwords are almost impossible to reverse (unless the hashing algorithm is weak (see my earlier post on the use of SHA-1) and the original password isn’t in a rainbow table making it somewhat easier to figure out what the hash says). LinkedIn’s attack last year brought to light the dangers of using weak hashing algorithms (as well as social engineering).
In today’s world passwords should be stored using a SHA-2 (or SHA-3 if you can find it) algorithm with a sufficiently large key (like SHA-512). The larger the key the longer you can expect the passwords to be protected.
When attackers are looking to find the weakest link in the chain in order to gain access to data passwords stored on a system should be the easiest to protect. Unfortunately not everyone has gotten the message. Have you verified your hashes today?
I awoke this morning to find an email from Evernote, the company that has the product of the same name for note taking, saying that they had been hacked and that I should change my password. T-Mobile installs this software, along with many other pieces of software, on my smartphone by default and does not allow the customer to remove it. Luckily the attack against this product was not against the individual installations of the software but rather against the parent server where all the information is stored.
Unfortunately having unwanted software installed on phones is a security problem. The basic rule is that if the software isn’t installed on one’s computer then the software cannot be used as an attack vector. My first smartphone came loaded with five pieces of software that I could not remove. The Galaxy S that I purchased last November came with thirty-nine. And that was just the pieces of software that are visible. Last year we heard about CarrierIQ being installed on nearly every smartphone in America. This software had some very scary features that could allow the cellphone carrier, the software owner, or anyone else able to break into the software, access to everything contained within the phone and every message sent and received (including key strokes).
There’s another price to be paid for this mandatory software. Updates need to be downloaded and installed which take up space on the smartphone and uses up valuable bandwidth. With cellphone companies complaining about usage of their wireless networks it seems silly that some of this is required by the companies themselves.
So what to do about this problem? Cellphone companies should stop preventing users from removing software from their phones. If they want to load up the device with lots of software that they feel the user might like that’s fine but keeping people from removing that software is wrong. If the companies won’t stop this bad practice on their own then perhaps if they get enough complaints from customers then they will change their practices. I guess the only other option is rooting our phones or just purchasing them outright. Still it shouldn’t be so difficult to maintain a secure computing environment. And with privacy and so much money at stake the problem will only get worse.