Category Archives: Linux

Account Password Security: Advanced Edition

Just the Steps

What follows is a discussion on how to use file sync software like Dropbox and encryption software like TrueCrypt to securely and conveniently access an offline password database like those created through KeePassX on every device. The idea is to create a small encrypted file container with TrueCrypt, place the password database inside of it, and sync the file container using Dropbox. Then, on any device, open the file container in Dropbox, decrypt and mount it with TrueCrypt, and load the password database with KeePassX; this only has to be done once until the device is shut down. The result is a highly secure and convenient way of managing online account credentials.

A thorough look with all the details follows.

I Have a Local Password Database, Now What?

Suppose you followed my advice in the Basic Edition and have created an encrypted KeePassX password database that now contains all the credentials and security questions for your online accounts in one easy-to-use bucket. This is a local solution, so the password database resides on your computer, but maybe you have multiple computers and mobile devices. Also, as I mentioned there, this does place all your eggs in one basket, so to speak, so securing that basket is critical. There’s a nice and secure way to fix these problems without resorting to trusting a closed source platform like LastPass to manage both their and your security. I propose using two applications to help accomplish this task: Dropbox and TrueCrypt.

Dropbox

Dropbox is a cloud storage and file sync service. For the uninitiated, you download the client software, create an account, and a special folder called Dropbox will be placed in your computer’s home folder. All files placed in here will be synced and stored online on Dropbox’s servers (Dropbox claims to encrypt the transfers and storage), and any other devices you install Dropbox on will have access to these same files. Dropbox was the first such service to really catch on due to its simplicity, and I believe it’s still the best for a few reasons:

  • It’s fully cross-platform (they even support installation on a headless server)
  • Its sync times are faster than the other cross-platform alternatives
  • It’s a very hands-off solution; all the magic happens without your intervention

That being said, some alternatives are Google Drive, Microsoft SkyDrive, and Box. None of these meet all three points I listed above in my experience.

Whatever your choice (I’ll assume Dropbox for the remainder but the procedures are the same), these sorts of services will clearly solve our problem of having a local password database on only one device in the easiest manner possible; just use the service to sync the database and use KeePassX to load it wherever you go. However, since Dropbox requires trusting your data to Dropbox’s servers there is a degree of risk and concern for privacy despite their use of server-side encryption; there have been a few snafus but no reports of data theft. Regardless, it would be ideal not to have to trust your collection of online account credentials to a third party’s security; as we’ve seen before perfect security doesn’t exist, and the more layers we can add without sacrificing much convenience, the better. This leads us to…

TrueCrypt

TrueCrypt is open source cross-platform encryption software that can be used to, among other things, create strongly encrypted file containers. These containers appear as a regular file with size equal to the storage space allocated to the container and, once mounted and decrypted, allow the user to store and access any data inside. In case you’re unfamiliar with the software you may consult the official documentation or my overview of TrueCrypt; while it’s reasonably straightforward there are some considerations such as choosing between standard volumes and hidden volumes that employ plausible deniability methods.

Immediately it’s clear how TrueCrypt can be used to alleviate the problem of placing all of our trust in the hands of Dropbox. Instead of syncing the encrypted password database which, if stolen due to a Dropbox security lapse, might be subject to some vulnerability in KeePassX encryption or a brute force attack if you used a weak password (memorize a strong password instead!), one can sync an encrypted TrueCrypt file container which holds the KeePassX database.

Putting it Together

Now we’ve seen all the pieces of this scheme for conveniently securing your online account credentials without needing to completely trust a single third party: KeePassX, Dropbox, and TrueCrypt (or your preferred equivalents). This is how it all fits together:

Setup

  1. Gather all of your online account credentials into an encrypted password database using software like KeePassX, ideally using it to create maximum length random passwords for each account.
  2. Create an account for Dropbox or a similar file sync service and install the client software on all of your devices.
  3. Create a small encrypted file container with TrueCrypt or equivalent software, place the KeePassX database inside of it, and move the file container to Dropbox to be synced.

Everyday Use

  1. Any time a particular device is rebooted, mount the TrueCrypt file container.
  2. Open the password database found inside the mounted file container using KeePassX.
  3. Any time you need to log into an account, copy and paste the credentials using KeePassX (by default these credentials are cleared from the clipboard after 20 seconds).
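A quick check that the sync folder holds only the opaque container and never the bare database, as an added example that is not part of the original post: it looks for the KeePass file header and treats a headerless, high-entropy file as the container. The folder layout and file names are assumed, and the sample folder it builds is constructed test data.

```python
import math
import os
import tempfile
from pathlib import Path

# First 8 bytes of a KeePass database. The body is encrypted, but this
# header tells anyone who obtains the file exactly what it is.
KEEPASS_SIGNATURES = {
    bytes.fromhex("03d9a29a65fb4bb5"): "KeePass 1.x (.kdb, the format KeePassX uses)",
    bytes.fromhex("03d9a29a67fb4bb5"): "KeePass 2.x (.kdbx)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path: Path) -> str:
    """'database' for a file with a KeePass header, 'container' for an
    opaque high-entropy blob (a TrueCrypt volume has no recognisable
    header at all), 'other' for anything else."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head[:8] in KEEPASS_SIGNATURES:
        return "database"
    if len(head) >= 512 and shannon_entropy(head) > 7.5:
        return "container"
    return "other"

def scan_sync_folder(folder) -> dict:
    """Map every file under the sync folder to its classification."""
    folder = Path(folder)
    return {str(p.relative_to(folder)): classify(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}

def exposed_databases(folder) -> list:
    """Files that would hand the bare password database to the sync provider."""
    return [p for p, kind in scan_sync_folder(folder).items() if kind == "database"]

def build_sample_folder() -> str:
    """Constructed test data (not a real Dropbox folder): a bare .kdb with the
    KeePass header, a random blob standing in for a TrueCrypt container,
    and an ordinary text file."""
    d = tempfile.mkdtemp(prefix="dropbox-sample-")
    Path(d, "Passwords.kdb").write_bytes(bytes.fromhex("03d9a29a65fb4bb5") + os.urandom(200))
    Path(d, "vault.tc").write_bytes(os.urandom(4096))
    Path(d, "notes.txt").write_bytes(b"plain text, nothing secret " * 40)
    return d

if __name__ == "__main__":
    sample = build_sample_folder()
    for name, kind in scan_sync_folder(sample).items():
        print(f"{kind:9s} {name}")
    print("exposed:", exposed_databases(sample))
```

Point `scan_sync_folder` at your real Dropbox folder; anything reported as `database` is the KeePassX file sitting outside the container.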

By the Numbers

  • Number of one-time steps each time a device is rebooted: 2
  • Number of passwords to remember: 2
  • Effort to take to log into any of your accounts: click (to copy username), paste, click (to copy password), paste

Concluding Remarks

When most people hear words like encryption and security they think of things that get in the way of doing what needs to be done — things that complicate their life. I would simply ask whether the reality laid out in the By the Numbers section above is more or less complicated than memorizing any number of usernames, passwords, and security questions, sometimes being required to change them frequently, and possibly resorting to sharing credentials between accounts.

It’s not often one can enhance both security and convenience at the same time but I suggest this is one of those times.

Account Password Security: Basic Edition

The Short Version

Sharing credentials (usernames and passwords) between the numerous online accounts we have is a difficult, dangerous habit to break. I propose the following steps as a manageable way to fix the problem:

  • Select password database software like KeePassX or LastPass and if necessary complementary mobile apps
  • Track down all of the online accounts you’re aware of and scour your email account(s) for accounts you’ve forgotten; for each account:
    • If you no longer care about the account, delete with prejudice (pkill -9 $account) if possible
    • If two-factor authentication is available, set it up
    • Remove any non-critical personal information, especially from legacy accounts
    • Generate a unique random username (if you can change it) and password (with maximum length and largest dictionary) and store it in the password database
    • If a security question is required, create an entry in the password database for a random answer and make note of the site and question in the database entry
  • Lock down the security of your password database; use a unique, memorable, and strong password and see the Advanced Edition (coming soon) for more details
  • Enjoy the ability to click a few buttons to log into your accounts!

Read on for full details.

Motivation and Recent Password Leaks

Passwords for most people are just an annoyance. A common scenario is that an individual has:

  • up to just a few basic easy-to-remember short passwords they use as much as possible
  • a simple way of modifying a password only when a site forces them to do so by its unique requirements
  • the same security questions/answers used as often as possible, sometimes unknowingly with publicly-identifiable or otherwise easy-to-find information

From an information security perspective this is disastrous, although you can hardly blame these individuals for the state of things; passwords are antiquated and increasingly ineffective given the number of accounts most people have lying around. Indeed, Google is among those trying to replace password-based security with a Universal 2nd Factor, or U2F, physical key among other approaches.

That is all for the future though; what we have is a potentially dangerous situation where any single site’s security being compromised could lead to several other of a user’s accounts also being compromised due to credential reuse. We live in this unfortunate reality where corporations and other entities have suboptimal or outright poor security practices that allow data breaches to put actual username/password combinations and personal information in the hands of criminals.

LinkedIn was one such corporation with poor security practices that resulted in no less than 3.5 million plaintext passwords being dumped publicly, and the original attackers would have both email and password combinations. Ok, so you’re a tech geek and you caught wind of this story and changed your LinkedIn password? Well, that’s a start, but if you have any accounts also using that password then they’re at risk as well; Facebook, being aware of this, responded to the recent Adobe security breach by warning its users and prompting security questions and a new password.

For those interested in a more comprehensive list of recent password breaches I advise consulting my long list of password breaches.

A Light at the End of the Tunnel

Even if your password security situation isn’t the worst case described above I invite you to ask how close your situation is to the current optimal:

  • Every single account has a unique random username (where possible) and password with as large a dictionary as possible
  • Every security question has a randomly generated answer
  • All credentials are as long as an individual website will allow
  • When possible, use two-factor authentication
  • A minimum of personal information is stored with each account

Sounds… feasible, right? Ok maybe it sounds absurd and unreasonable, but these days it’s completely possible to accomplish this in a highly secure manner that is also easy to use (at least easier than remembering which of the twenty variants of a weak password goes with which site).

Password Management Software

The biggest piece of the puzzle is the software that manages passwords for you. I’m going to highlight two popular solutions, one of which is online-only and closed source and the other offline-only and open source:

Note that whatever your choice is, use a strong password to access the database! This is going to be one of the last passwords you ever need to memorize and will also be one of the larger security bottlenecks in this scheme, so make it count.

KeePassX

I’ve written a KeePassX tutorial if you’re not familiar with this sort of software — it’s fairly straightforward but there are some details to get the most out of its security offerings.

Mobile

To access your password database on your mobile device you’ll need an appropriate app; for Android I prefer KeePassDroid and for iOS the highest-rated app I’m aware of is MiniKeePass, though I can’t vouch for it.

LastPass

LastPass is a web-based analog to KeePassX; it follows the same concept except the encrypted password database is stored on their servers. In my opinion this is a good reason to go with a locally-stored solution like KeePassX over LastPass; while KeePassX is open source (meaning you have the ability to audit the source code yourself) and local (meaning your security is still entirely in your hands), LastPass requires you to trust the security of LastPass’ closed-source implementation which also requires securing a web app against the entire black hat population. Remember that part of the motivation for randomizing our login credentials like this boils down to being unable to trust online services to use the best (or even better-than-awful) security practices. That being said there have been no attacks against LastPass to date that have verifiably leaked any customer information, and as their user base would presumably diminish severely if such a breach occurred they have a strong financial interest to keep their security optimal.

At the time of writing I haven’t used LastPass myself, but it is well-reputed and follows the same principles as KeePassX so it serves the purposes of this guide. I’ll leave the documentation in the hands of their website; note that it seems that their mobile app requires purchase.

Two-Factor Authentication

This is a method of bolstering the security of password-based authentication; services like battle.net, Google, GitHub, Twitter, Facebook, etc. all offer it in some form. The idea is you’ll either receive a specific physical device, install a mobile app, or receive an SMS message to provide the “second factor” of authentication: usually a constantly regenerating single-use code. In other words, not only do you have to know the password but you also have to be in possession of a physical device in order to log into an account. This isn’t completely fail-safe, and targeted malware can still do things like perform man-in-the-middle attacks to steal user credentials. Still, it’s going to prevent the shared-credential vulnerability.

Almost every two-factor authentication system I’ve encountered is compatible with Google Authenticator (Android and iOS), and setting it up can usually be done just by scanning a QR code with your phone. Once set up you’ll just pull up the app when logging in and after providing your username and password you’ll also provide the single-use code you receive.

Securing Your Online Presence

We’re almost there! Let’s recap our goals:

  • Every single account has a unique random username (where possible) and password with as large a dictionary as possible
  • Every security question has a randomly generated answer
  • All credentials are as long as an individual website will allow
  • When possible, use two-factor authentication
  • A minimum of personal information is stored with each account

Finding the Accounts

Once you’ve acquainted yourself with your choice of password management software, the path to accomplishing the above goals is visible. Unfortunately now comes the most tedious part; depending on how much of an online footprint you’ve accumulated this could take the better part of a day. You need to track down as many accounts as possible; this might go back well over a decade. Think about it: the weak link could be a random forum from your youth that had no sense of security and is still up and running, and if you shared those credentials with other sites then the potential problem is clear.

You can remember most of the recent websites you’ve dealt with but your strongest resource for tracking down any accounts you’ve forgotten about will be your email account(s). Try searching your email for terms like “username,” “verify,” “verification,” “noreply,” “account,” “welcome,” and so on. If you had older email accounts from years ago try to track those down too and do the same for them. At the time of writing I have records for well over 150 accounts.

Securing Credentials

As you find these accounts:

  1. Figure out how to log in to them; use password recovery options if needed
  2. If you no longer care about them and are able, delete them
  3. Generate optimal passwords and store them in your database
  4. Clear out any unnecessary personal information, particularly from unused sites
  5. If a security question is required, create an entry in your password database with a random answer; make a note there of the site and security question
  6. If the site offers two-factor authentication, set it up
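Steps 3 and 5 above, and the matching items in The Short Version, carried out in code as an added example (not from the original post): build the largest character set a site accepts, draw a maximum-length password and a random security-question answer from the OS CSPRNG, and report the guessing entropy of the result. The record layout (`site`, `username`, `password`, `notes`) is an assumed stand-in for a KeePassX entry.

```python
import math
import secrets
import string

# The largest dictionary a site can accept: letters, digits and all ASCII symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def site_alphabet(letters: bool = True, digits: bool = True,
                  punctuation: str = string.punctuation) -> str:
    """Largest character set the site allows; pass the symbols it permits
    (or '' for a site that rejects punctuation outright)."""
    alphabet = (string.ascii_letters if letters else "") + (string.digits if digits else "")
    alphabet += "".join(ch for ch in punctuation if ch in string.punctuation)
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet too small to be useful")
    return "".join(sorted(set(alphabet)))

def random_string(length: int, alphabet: str) -> str:
    """Each position drawn uniformly from `alphabet` with the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet: str) -> float:
    """Guessing entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))

def make_entry(site: str, max_password_len: int, username_len: int = 16,
               punctuation: str = string.punctuation, question: str = None) -> dict:
    """One password-database record as the steps describe it: random username,
    a password as long as the site allows, and, when a security question is
    required, a random answer with the question written into the notes."""
    alphabet = site_alphabet(punctuation=punctuation)
    entry = {
        "site": site,
        "username": random_string(username_len, string.ascii_lowercase + string.digits),
        "password": random_string(max_password_len, alphabet),
        "password_bits": round(entropy_bits(max_password_len, alphabet), 1),
        "notes": "",
    }
    if question:
        # The answer is typed into a form like a password, so treat it like one;
        # alphanumerics only because many sites reject symbols in answers.
        answer = random_string(32, string.ascii_letters + string.digits)
        entry["notes"] = f"Security question: {question}\nAnswer: {answer}"
    return entry

if __name__ == "__main__":
    # Constructed sample: a site allowing 64-character passwords that asks a question.
    for key, value in make_entry("example.com", 64, question="First pet's name?").items():
        print(f"{key}: {value}")
```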

Conclusion

This is basically everything that needs to be done. At the end you’ll have an encrypted database that contains records for your entire online presence. While this means there’s a single point of failure, it’s far easier to lock that down (especially if you chose a local password database like KeePassX) rather than potentially hundreds of points of failure.

For those interested in learning how to both lock down this password database and securely sync it between all of your devices using easy to use software, see the advanced edition.

Unix/Linux Bash: Critical security hole uncovered

Like many others, I use Bash for my default desktop and server shell, which means I need to get it patched as soon as possible.

The flaw involves how Bash evaluates environment variables. With specifically crafted variables, a hacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.

By itself, this is one of those security holes where an attacker would already need to have a high level of system access to cause damage. Unfortunately, as Red Hat’s security team put it, “Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.”

The root of the problem is that Bash is frequently used as the system shell. Thus, if an application calls a Bash shell command via web HTTP or a Common Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked. As Andy Ellis, the Chief Security Officer of Akamai Technologies, wrote: “This vulnerability may affect many applications that evaluate user input, and call other applications via a shell.”

That could be a lot of web applications — including many of yours.

The most dangerous circumstance is if your applications call scripts with super-user — aka root — permissions. If that’s the case, your attacker could get away with murder on your server.

So what can you do? First you should sanitize the web applications’ inputs. If you’ve already done this against such common attacks as cross-site scripting (XSS) or SQL injection, you’ll already have some protection.

Next, I’d disable any CGI scripts that call on the shell. (I’d also like to know why you’re still using a 21-year old way of allowing users to interact with your web services. You might want to use this opportunity to replace your CGI scripts once and for all.)

After that, I’d follow Akamai’s recommendation and switch “away from using Bash to another shell.” But keep in mind that the alternative shell will not use exactly the same syntax and it may not have all the same features. This means if you try this fix, some of your web applications are likely to start acting up.

Of course, the real fix will be to replace the broken Bash with a new, secure one. As of the morning of September 24, Bash’s developers have patched all current versions of Bash, from 3.0 to 4.3. At this time, only Debian and Red Hat appear to have packaged patches ready to go.
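A local self-check to confirm the patch took, as an added example that is not from the article: it asks your own bash whether it still executes a command trailing a function definition handed to it through the environment, which is the behaviour described above. The variable name PROBE and the marker strings are assumptions of this example.

```python
import os
import shutil
import subprocess

# An exported-function definition followed by a trailing command. A fixed bash
# imports the function and ignores the trailer; the flawed one runs the trailer
# while it is still parsing the environment, before any script executes.
PROBE = "() { :;}; echo TRAILER_EXECUTED"

def bash_runs_env_trailer(bash: str = "bash") -> str:
    """Return 'vulnerable' if `bash` executes the trailing command, 'patched'
    if it only runs the command it was asked to run, 'no-bash' if there is
    no such binary, 'unknown' for any other outcome."""
    if shutil.which(bash) is None:
        return "no-bash"
    env = dict(os.environ, PROBE=PROBE)
    try:
        result = subprocess.run([bash, "-c", "echo probe_ok"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    output = result.stdout + result.stderr
    if "TRAILER_EXECUTED" in output:
        return "vulnerable"
    if "probe_ok" in result.stdout:
        return "patched"
    return "unknown"

if __name__ == "__main__":
    print("local bash:", bash_runs_env_trailer())
```

Run it again after installing or compiling the fixed package; the answer should move from `vulnerable` to `patched`.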

OpenSSH is also vulnerable via the use of AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND. However, since to access those you already need to be in an authenticated session, you’re relatively safe. That said, you’d still be safer if you blocked non-administrative users from using OpenSSH until the underlying Bash problem is patched.

It’s extra work, but if I were a system administrator, I wouldn’t wait for my Unix or Linux distributor to deliver a ready-made patch into my hands. I’d compile the patched Bash code myself and put it in place.

This is not a bug to fool around with. It has the potential to wreak havoc with your systems. Worse still, a smart attacker could just leave malware mines behind to steal data after the fact.

As Ellis said, “Do you have any evidence of system compromises? No. And unfortunately, this isn’t ‘No, we have evidence that there were no compromises;’ rather, ‘we don’t have evidence that spans the lifetime of this vulnerability.’ We doubt many people do — and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened.”

So patch this bug now or you’ll regret it.

Linux Hacking Tools

  • Nessus – this tool can be used to scan configuration settings, patches, networks, etc. It can be found at http://www.tenable.com/products/nessus
  • Nmap – this tool can be used to monitor hosts that are running on the server and the services that they are utilizing. It can also be used to scan for ports. It can be found at http://nmap.org/
  • SARA – SARA is the acronym for Security Auditor’s Research Assistant. As the name implies, this tool can be used to audit networks against threats such as SQL injection, XSS, etc. It can be found at http://www-arc.com/sara/sara.html

The above list is not exhaustive; it gives you an idea of the tools available for hacking Linux systems.