The internet of pwned things

Toaster.“The internet of things” gets all the press now days. If to believe the excited journalists, this is the harbinger of utopia, no less. Even Canonical is looking for some action in this space.

Canonical`s efforts are respectable. But it won`t help. Judging from past experience, it is very likely that we will have an internet of things that will be running obsolete, un-patched, non-repairable, DRM-laden software. It is the natural tendency of vendors that sell things, to prefer selling shiny new things to maintaining old ones. Just take a look at the mobile phone world.

Those buggy things will no doubt be used government agencies, hackers, and marketing companies to erode what little privacy we have left. Will we even be able to take things offline?

The EFF are making a preemptive effort to make things better in this area. I hope they succeed, but I have little faith they will.

DIME: New E-Mail protocol with built in encryption

Email PrivacyDIME is a new set of protocols for sending and receiving E-Mail designed by several prominent E-Mail security experts to include built-in privacy features.

One interesting thing to note about this protocol is that it not only prevents unauthorized parties from reading the content of an E-Mail message, but also makes effort to make entities that take part in the delivery of a message know as little as possible.

For example, the fist server the user delivers a message through, knows only the address of the next server to deliver the message to and not the full address of the message recipient. Similarly, the final destination server, from which the recipient can pull the message, does not know the full address of the sender, which is only revealed to the recipient.

Continue reading

Privacy Badger: A privacy-enhancing browser plug-in from EFF

Privacy Badger is an interesting browser plug-in made by EFF in order to help users prevent themselves from being tracked by advertisers and other online organizations.

Privacy Badger’s approach to the problem is interesting. Instead on being based on a white-list of good, non-tracking sites or a black-list of bad sites, privacy badger tries to take an algorithmic path to detect and block domains that engage in tracking.

Privacy Badger works by monitoring the behavior of 3rd-party domains that have content embedded across many sites, and detecting which ones try to implant tracking cookies. When such domains are detected, content from them is blocked to prevent further tracking.

The cookie-based approach isn’t perfect. The developers themselves admit that as it stands, privacy badger will not be effective against Browser fingerprinting. Still, it makes for an interesting effort in this crucial area.

Portspoof flips firewall design on its face

AitportIn a typical network firewall design, an effort is made to close off and block access to as many communication ports as possible. Often, in order to prevent discovery of themselves and the machines hiding behind them, firewalls are configured to drop incoming packets and make no response to communication requests .

This hiding game is up as soon as one exposes network services for consumption. When access to network services is enabled, attackers can focus on and attack the ports of those services while ignoring any protection running on other ports.

Portspoof offers an interesting approach to solving this problem by flipping things around. Instead of closing down ports, all ports are kept open and responsive to query, while masquerading as a whole set of interesting but fake services. With this technique, attackers can end up having great difficulty in figuring out where your real services hide among the fake ones.

With security, then name of the game is time. Portspoof’s premise is to slow attackers down enough for you, the defender, to learn of their actions and take additional protective measures.

Remote-controling Linux from any mobile device

Remote ControlsRemote-controlling desktop computers from mobile devices is an idea that is typically implemented in the form of an Android/Iphone app that connects to the controlled computer over SSH, VNC, RDP or some proprietary protocol typically requiring a closed-source server component.

It had occurred to me a while ago that it shouldn’t be too difficult to write a webapp that would turn any mobile device with a web browser into a remote control for the server its running on, and I was wondering why I didn’t see any implementations of that idea around.

Well now there is one such implementation in the form of “Linux Remote Control“.

Continue reading

News Digest

List of things I find interesting and think people should know about:

  • Caylon is a new programming language from RedHat that is meant for large system development and can run on both the Java virtual machine (JVM) and web browsers’ JavaScript engine. This makes it useful for programming both the client and server-side components of modern applications.
  • Bad Bios is the nickname given by Dragos Ruiu, an apparently well-known security researcher to a new type of malware found in the wild that seems to be able to infect computer BIOS components directly and then escalate the attack in infect all popular operating systems, Linux-based ones included. Not stopping there, it also seems this malware is capable of communicating with an infected computer even when all its communication components have been disconnected. It seems to do this by utilizing high-frequency sound-waves. This technique of using sound to facilitate communications with otherwise disconnected computers was also explored by scientists from Germany.
  • InfiniSQL seems to be one man’s projects to produce a very scalable multi-node database. It seems to be network-protocol-compatible with PostgreSQL and may have an interesting future.
  • Webminstats is a server performance statistics collection plug-in for Webmin. Used together those tools can provide a useful monitoring and management solution (although not very pleasant looking, though that can be somewhat  remedied) for small to medium sized networks.
  • ExplainShell is a new web-based tool for  breaking down complex Linux shell commands and explaining their components. It was recently open-sourced and seems to have a good potential of becoming a very useful tool for people trying to learn Linux shell usage and scripting. The developer was even kind enough to include a readme file listing instruction on how to run your own copy of the website.

Crypton – Open sources encrypted cloud storage library

Crypton is a library that is meant to allow developers to write privacy-enhanced cloud applications where all data is encrypted on the client side before being stored in the cloud.

Crypton currently consists of a JavaScript library for web applications that provides an object storage API, and a data storage backend built with PostgreSQL, Redis and Node.js. Additional client libraries for desktop applications are also planned.

Crypton is currently developed by the SpiderOAK company and licensed under the AGPL.

Huge list of security Tools

Datamation has a huge list of security and privacy tools up on their website. I already know many of the tools on the list, use some of them daily and would wholeheartedly recommend then. The following is a list of tools I would check out and maybe add to my arsenal in the future:

  1. Web of Trust (WOT) – Firefox add-on ranking the trustworthiness of websites.
  2. SafeCache – Protection for browsing history.
  3. PasswordMaker – Password safe
  4. Diaspora – I think this needs no introduction, I’ve been meaning to play with this sometime, but its not really what I would call a “security tool”.