Archive for the ‘Security’ Category

TorPark – an easy way to try out Tor

Want to try out Tor, the anonymizing TCP service? TorPark makes it easy with a customized version of Portable Firefox altered to communicate via Tor.

With TorPark on a USB flash drive, you can bring the power and flexibility of Firefox with you when you travel — and count on Tor to keep your browsing anonymous and secure at the same time. The current TorPark package (1.5.0.2) is available as a 5.6MB self-extracting Windows archive, localized for more than 30 languages. Expand the archive and inside you will find a folder that you can copy directly onto any rewriteable medium (flash drive, hard drive, etc.). TorPark will not run from a CD, since it must write to a local directory.

The folder contains a portable build of Firefox 1.5, a pre-configured Tor installation, and the Torpark.exe executable. Running Torpark.exe establishes an encrypted circuit to the distributed anonymous network of Tor routers, then launches Firefox. You can test whether TorPark is running by pointing the browser at a Web site like whatismyip.com; the IP address reported by the site should be different in TorPark than it is in a native browser.

apt-get install keychain

ssh (secure shell) is an extremely useful tool. I won’t say much about it, because odds are if you are reading this blog you know what it is and what it does. One thing I’ve been meaning to do forever is set up my Linux machines to do passwordless authentication, mainly for security. A password is easy to hack; a private key is definitely not-so-much.

So I sat down yesterday and did some digging. And I found a great guide for configuring OpenSSH to use RSA/DSA keys on IBM’s Developer Works Library. The first step is, of course, to generate your keypair. From the article:

% ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/drobbins/.ssh/identity): (hit enter)
Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter it again)
Your identification has been saved in /home/drobbins/.ssh/identity.
Your public key has been saved in /home/drobbins/.ssh/identity.pub.
The key fingerprint is:
a4:e7:f2:39:a7:eb:fd:f8:39:f1:f1:7b:fe:48:a1:09 drobbins@localbox

Easy enough, and anyone who has used gpg will have a feel for what’s going on here. A public/private key pair is created in this step. The private key (identity in this example) is created and stored in the user’s .ssh directory. A matching public key (identity.pub) is also created.

The second step of the process is also fairly simple. You have to copy the contents of the public key into the .ssh/authorized_keys file on the remote computer. One can use scp or ssh to do this. The beauty of public keys is that they can be freely shared. If someone grabs your public key, there’s not much they can do with it. And they definitely can’t use it to break into the remote machine. The most they can do is copy it onto a machine, then try to get you to log into their computer instead of the remote machine. But that still doesn’t gain them much.

But I digress. After the public key is added to the remote computer’s authorized_keys, ssh will no longer prompt for a password when connecting to the remote computer. It’ll attempt an RSA or DSA authentication, and – assuming you have the correct private key – you’ll be logged on passwordlessly.

Of course, ssh on the local machine will prompt you for the passphrase for your private key every time it is accessed. This is both a good thing (it provides even more security for your private key) and a bad thing (it is a pain in the ass to have to enter a long passphrase over and over and over).

The solution? ssh-agent!

ssh-agent, included with the OpenSSH distribution, is a special program designed to make dealing with RSA and DSA keys both pleasant and secure (see Part 1 of this series for an introduction to RSA and DSA authentication.) ssh-agent, unlike ssh, is a long-running daemon designed for the sole purpose of caching your decrypted private keys.

ssh includes built-in support that allows it to communicate with ssh-agent, allowing ssh to acquire your decrypted private keys without prompting you for a password for every single new connection. With ssh-agent you simply use ssh-add to add your private keys to ssh-agent’s cache. It’s a one-time process; after using ssh-add, ssh will grab your private key from ssh-agent, rather than bugging you by prompting for a passphrase. (IBM Developer Works Library)

In other words, ssh-agent caches your passphrase: enter it once, and ssh-agent remembers it for the rest of that log-in session. Which is definitely a step in the right direction. But there are two problems with ssh-agent: first, when you log out of your current session, your cached passphrase is gone. Log back into your local computer and you have to run ssh-agent again. Second, shell scripts and other utilities can’t access the ssh-agent session, so they can’t take advantage of ssh-agent.

So there’s one more piece to add to the puzzle: keychain!

To solve these problems, I wrote a handy bash-based ssh-agent front-end called keychain. What makes keychain special is the fact that it allows you to use a single ssh-agent process per system, not just per login session. This means that you only need to do one ssh-add per private key, period. As we’ll see in a bit, keychain even helps to optimize the ssh-add process by only trying to add private keys that aren’t already in the running ssh-agent’s cache.

Here’s a run-through of how keychain works. When started from your ~/.bash_profile, it will first check to see whether an ssh-agent is already running. If not, then it will start ssh-agent and record the important SSH_AUTH_SOCK and SSH_AGENT_PID variables in the ~/.ssh-agent file for safe keeping and later use. Here’s the best way to start keychain; like using plain old ssh-agent, we perform the necessary setup inside ~/.bash_profile: (IBM Developer Works Library)

One note: if you use the example in the IBM link, the directory that they give in the last step of the example is incorrect. The newest versions of keychain create the file to source in ~/.keychain; the filename format is %HOSTNAME%-sh. So if your local machine hostname is ubuntu1, you’d want the following line in .bash_profile:

source ~/.keychain/ubuntu1-sh

With that done, you have a fairly-secure solution. You enter your passphrase once, and the combination of keychain and ssh-agent caches that passphrase until you tell it not to. You can log in and out of your remote machine without needing to re-enter your passphrase. Shell scripts can access this to perform passwordless connections. And, as long as your local machine isn’t compromised (e.g. someone gains physical access to your computer), it’s fairly secure.

Oh, there is one last step: turning off password authentication for ssh. This ensures that the only way someone can make an ssh connection to the remote computer is if they have an RSA/DSA key listed in the authorized_keys file on the remote computer. I haven’t done this yet, because it does mean that no one can connect, not even me! I have to make sure I have a way to get to my computers from anywhere before I do this. I’m thinking I’ll probably get a cheap USB key, copy my private key onto it, and then take it with me.

I’ll post an update here once I turn off password authentication.
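Before taking that last step, it helps to know what the server will actually do with its current configuration. The following is an added example, not code from the post or from OpenSSH: it reads an sshd_config from standard input and reports whether password logins are really off, applying sshd's first-occurrence-wins rule. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd_config rules applied: keywords are case-insensitive,
# '#' and blank lines are ignored, and the FIRST occurrence of a keyword wins.
# Assumptions of this sketch: Include files are not followed, parsing stops at
# the first Match block (global settings only), and keyboard-interactive/PAM
# prompts are not examined.

# effective_setting KEYWORD DEFAULT < config
effective_setting() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }      # per-user/per-host overrides start here
        key == want { gsub(/"/, "", f[2]); print tolower(f[2]); found = 1; exit }
        END { if (!found) print def }
    '
}

# password_auth_status < config
# Prints keys-only, password-enabled, or lockout-risk (both methods off).
password_auth_status() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | effective_setting PasswordAuthentication yes)
    pub=$(printf '%s\n' "$cfg" | effective_setting PubkeyAuthentication yes)
    if [ "$pw" != "no" ]; then
        echo password-enabled
    elif [ "$pub" = "no" ]; then
        echo lockout-risk
    else
        echo keys-only
    fi
}

# Constructed sample: the later "no" is ignored because the first value wins.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
EOF
}

sample_config | password_auth_status
```

On a real server, pipe /etc/ssh/sshd_config into password_auth_status, and keep an existing session open while testing a key-only login from a second terminal.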

Securing tax files with GPG

Okay, so like me, you take the obvious route of using a tax preparation software package, a la TurboTax to take care of your federal and state income tax returns. It’s silly not to: if you have all the data needed on-hand, and there’s nothing complex about your financial situation, you can either save a hundred bucks over going to an accountant, or save hours over filling out the forms yourself. It’s fast, easy, and the software tends to find deductions that you wouldn’t have thought of if you do the forms yourself.

So you have your tax software do its job, you submit the claim electronically, you print out your forms, and then you have the software save the tax files in case you ever need them. The tax software has done its job, and can then be removed from your computer. All that you need for your own records is the actual tax files the program created.

But there’s one major problem here, something that the tax software doesn’t even try to address: security. These files contain an awful lot of very important personal data. If they were to fall into the wrong hands, you can kiss your identity goodbye. Social security number, address, employer, salary, it’s all right there in one easy-to-handle package. Good for filing your taxes, bad for security.

So what do you do? Personally, I used GnuPG to deal with this mess. GPG isn’t exactly intuitive, nor user-friendly, though, so I’d also recommend adding in kgpg (or whatever its Gnome equivalent is) to help with creating/maintaining keys.

But I digress. GnuPG (gpg for short) is an open-source public/private key encryption application. It is the open-source equivalent of Pretty Good Privacy (PGP), and provides encryption that is at least as good as PGP’s.

(Note: It is outside of the scope of this article to explain public/private keys.)

The basic idea is this: You create a personal private key that is only ever stored on your computer. This key is protected with a passphrase (think a password on steroids) that you generate. Any file that is encrypted using your public key can then only be decrypted using your private key + your passphrase. Assuming you are careful with your private key and passphrase, this should keep anyone but you from being able to access the file.

So I used kgpg’s Konqueror plugin to encrypt my tax files, then used kgpg to shred (securely delete) the original files (after verifying that I could decrypt the original files, of course). Instantly, the security on my tax files has gone way up. Since I don’t have my gpg passphrase stored anywhere on my computer, I am safe, even if someone steals my computer. (Unless they are either lucky enough to guess my passphrase, which is highly unlikely, or they are willing to dedicate some serious computing horsepower to hacking the passphrase.)

The general steps to follow are:

  1. Install gpg
  2. Install kgpg
  3. If you don’t already have a public/private key pair, choose the Generate Key Pair option in kgpg. Be sure you choose a strong passphrase that you can remember. Single words are bad. Dictionary words are bad. A passphrase like “frankie” is going to be broken into. A better passphrase is “Frankie is 33 next week!” An even better passphrase is “Frankie l0vz Pf dS0tM!” How would you remember that? Say to yourself, “Frankie loves Pink Floyd’s Dark Side of the Moon!” It’s up to you to remember which letters are upper-case and which are replaced with numbers.
  4. In Konqueror, right-click on the tax file (e.g. mytaxes.tax). Go to Actions, and you should see an option to Encrypt the file. Clicking this will fire up kgpg’s front-end. The defaults are fine, so you can choose OK.
  5. kgpg’s window will close, and you’ll now have a new file, mytaxes.tax.asc (per our example). This is the actual encrypted file.
  6. Copy this new file to an easy-to-find location.
  7. Navigate to this directory, then try to open the file. You should be presented with kgpg’s window, requesting that you enter your passphrase (unless you are using gpg-agent, which stores your passphrase in memory). Either way, the file should decrypt.
  8. Check the now-decrypted file (mytaxes.tax in our example) to make sure it still works.
  9. Once you’ve verified everything works, right-click on the original file and choose the Shred option. Shred will ask if you are positive you want to do this. Assuming the above test worked, it is safe to say yes.
  10. Make sure that you Shred all decrypted copies of the file. Shred copies random data multiple times over the part of the disk where the file was stored. On most filesystems, this ensures that the file cannot be recovered.
  11. Save and backup the encrypted file (mytaxes.tax.asc in our example).

Yes, this procedure is a bit involved. But it is more than worth the time it takes.
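The same procedure can be run from a shell with gpg and shred instead of the kgpg menus. This is an added example, not part of the original post: the function names are made up for illustration, RECIPIENT is a placeholder for your own key ID or e-mail address, and a SHA-256 comparison stands in for step 8's manual check of the decrypted file.

```shell
#!/bin/sh
# Added example: command-line form of steps 4-10 above.
# Usage (RECIPIENT is a placeholder for your own key):
#   encrypt_verify_shred mytaxes.tax RECIPIENT

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# shred_if_verified ORIGINAL DECRYPTED_COPY
# Shreds both plaintext files only when the decrypted copy is byte-identical
# to the original; otherwise it touches nothing and returns 1.
shred_if_verified() {
    orig=$1
    copy=$2
    [ -s "$orig" ] && [ -f "$copy" ] || return 1
    [ "$(sha256_of "$orig")" = "$(sha256_of "$copy")" ] || return 1
    shred -u "$orig" "$copy"
}

# encrypt_verify_shred FILE RECIPIENT
encrypt_verify_shred() {
    file=$1
    recipient=$2
    check=$(mktemp) || return 1
    # Steps 4-5: ASCII-armored public-key encryption, producing FILE.asc
    gpg --armor --encrypt --recipient "$recipient" \
        --output "$file.asc" "$file" || { rm -f "$check"; return 1; }
    # Step 7: decrypt to a scratch file (gpg prompts for the passphrase);
    # --yes lets gpg overwrite the empty file mktemp created
    gpg --yes --decrypt --output "$check" "$file.asc" \
        || { shred -u "$check"; return 1; }
    # Steps 8-10: destroy plaintext only after the round trip is proven
    shred_if_verified "$file" "$check" || { shred -u "$check"; return 1; }
    echo "kept only $file.asc"
}
```

If the decrypted copy does not match, the original stays in place and only the scratch copy is destroyed, so a failed encryption never costs you the file.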

I am a 40-ish uber-geek, Daoist and family man. Blessed to have one incredible wife and three wonderful kiddos. Dao has been kind to me.
