TrueCrypt Paranoia

If you work anywhere even vaguely related to the tech industry, and haven’t been living under a very large rock, you probably know already that TrueCrypt has been declared dead.

TrueCrypt Homepage as of May 31, 2014

I’ve been holding off writing anything about this until a little more information came to light, and while things still aren’t overly clear, it seems like a good time to dispel a little paranoia.

When I first saw the updated TrueCrypt page (which suggests moving to BitLocker instead), my immediate reaction was “oh, that’s disappointing – they’ve decided to stop developing the project”. It read to me exactly like “we’re outta here, you’re on your own” – no conspiracy required.

However, as seems to be common in recent times, conspiracy theories have been plentiful, mainly variations on:

  • The project was terminated in such an abrupt and “bizarre” manner because somehow the US government had identified the developers, who were under US jurisdiction, and were served a National Security Letter forcing them to insert some form of backdoor.
  • Hackers managed to take control of the website, and squandered the opportunity for massive financial gain and mischief by replacing the page with an “obviously” hacked page. Oh, and add to this the fact that the developers didn’t seem concerned by the hack, and haven’t reached out to SourceForge to take control of their account.

The “we’re outta here” theory seems to be backed up by comments apparently from the developers (selected comments taken from grc.com):

Steven Barnhart (@stevebarnhart) wrote to an email address he had used before and received several replies from “David.” The following snippets were taken from a Twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

  • TrueCrypt Developer “David”: “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
  • TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
  • Quoting TrueCrypt Developer David: “There is no longer interest.”

Unless further information comes to light, I think this is still the most likely scenario – the developers have been working hard for no reward for a decade, they’ve had enough, and they don’t want to be held responsible for any bugs or security flaws that are discovered after today. The good news (potential licensing issues aside) is that the wider IT community seems to be taking the recent issues with open source software projects seriously, and I’m sure a suitable replacement won’t be too far off. In the meantime, I’ll still be using TrueCrypt 7.1.


Dumb passwords lead to compromise

You may think it obvious, but it still apparently needs to be said – using dumb passwords will lead to a compromise.

When I worked with the state police, the hacking investigations I worked on typically fell into one of two categories: disgruntled (ex)employee, or dumb passwords. Things aren’t much different in the private sector, either – but often the stakes are much higher. Yes, there are more sophisticated attackers, but most of the time it simply comes down to obviously bad security practices.

When I saw the title of this article (“hacked via RDP really dumb passwords”), I couldn’t help but sigh – this is exactly what I see time and again, and we just don’t seem to learn.

As a new years resolution, how about we all change our passwords? And yes, I said passwordS… plural. You do use more than one, right?

My security tips for the new year:

  1. Use different, strong passwords on everything
    Yes, this can be difficult, but there’s help available. Use a password manager (I like LastPass, but there are plenty of password managers to choose from). A good password manager will generate secure passwords for you, and keep them all safe (but easily accessible by you). If storing the passwords online (like with LastPass), see my next point.
  2. Enable two factor authentication if available
    This usually means mixing something you know (like a password or PIN) with something you have (like your phone or a physical key), so that guessing your password alone is no longer enough to get into your account. The list of online services that currently support two factor authentication is growing and currently includes sites like Google, Facebook, PayPal, Apple, Twitter, Dropbox, and many more.

There’s plenty more we can do to keep ourselves secure, but how about we just start with those two? I’d really love 2014 to be the year where we all start taking a bit more control of the security of our online (and other) accounts. Let’s all make it happen, and have a fantastic 2014.


Biometrics done right?

There’s been lots of talk online about biometrics, sparked by Apple’s recent iPhone, which includes the ability to unlock the phone (and then your iTunes account from the phone) with your fingerprint.

Some articles seem to suggest that biometrics is a terrible idea, but seem to be missing the details of Apple’s very clever implementation.

Using biometrics alone is, quite simply, a bad idea for all the reasons identified in the article above. But that’s not what’s happening with the new iPhone. As part of a two-factor authentication scheme, where both the stored copy of the fingerprint and the hardware that verifies it live in a physical object you control, biometrics can work brilliantly!

So, if you mix something you have (iPhone) with something you are (fingerprint), you actually have the potential for a really good authentication system.

That’s not to say that some tech companies won’t see Apple’s new iPhone as an excuse to come out with really BAD biometric systems…


Classic Computer Games

These bring back memories.

Why did computer games have to get more complicated than this?


How NOT to secure customer information

So, you’d think that after all of the recent attacks against high-profile companies, including various database breaches of government departments (even the CIA!) and IT security companies, people would learn how to do some of the security basics correctly. There are some REALLY simple things that any company can do to help protect its users, but so many organisations are still not doing them!

IceTV is a provider of TV Electronic Program Guide (EPG) data in Australia, and I signed up years ago to try their services, but never ended up paying the monthly subscription fees. I’ve recently started receiving spam at an email address I’ve only ever provided to IceTV, so it’s fairly safe to say that their customer database has been compromised. The first thing I did when I realised they’d been hacked was to notify IceTV. So far, I’ve received an email stating “We take the security of our customer’s information very seriously.”

So, let’s test IceTV’s claim… do they take security seriously? My three pet security peeves for any organisation that stores my data are:

  1. Storing my information insecurely, particularly passwords
  2. Sending sensitive information in insecure ways (non-SSL, email, etc.)
  3. Not giving me reasonable ways to protect my own data

1. Store customer information in the clear

So, I went to IceTV to try and log in and see what information they had about me. It’s been years, so I didn’t remember my password. That’s ok, they have a nice helpful password reminder option. Wait a minute… reminder? Don’t you mean, “reset”? Nope! They’ll simply tell you your password if you ask nicely.

But, don’t worry. Take a look at the tiny warning they give you – “Note: Member ID & password sent in plain text”. IceTV – why do you even KNOW my password?

Come on, IceTV! Haven’t you heard of hashing?

2. Send sensitive information insecurely

Storing passwords in plain text is bad enough, but then sending them via email? Strike number two, IceTV.

The email they send me helpfully says “Please use the following Member ID and Password to access IceTV’s services”, and then provides the password I used to sign up all those years ago.

Yes, IceTV send emails with passwords in plain text.

3. Don’t allow users to have secure passwords.

Generating a password using LastPass

So this was the final straw for me. I HATE websites that won’t let me use good passwords. There is never a good reason for it.

Alright, so I’ve figured out my password to IceTV (and so have the hackers, most likely), and while not a major concern, I did create this account back in a time when I wasn’t particularly good at making secure, unique passwords. IceTV had a password of mine that I had dedicated for “low risk” websites, but had still used for many other websites I’d also deemed to be “low risk”.

I now use LastPass to create and store my passwords, so I fired up the password generator, and created a nice secure password with upper and lowercase characters, digits and special characters.

Of course, I should have guessed. If IceTV aren’t hashing passwords, and are pasting the raw password straight into their SQL, then certain special characters will break their queries. Trying to run something like:

INSERT INTO users (username, password) values ('myusername','mY;p@ssw'ord');

might send their SQL server into meltdown (the apostrophe in the password ends the string literal early, and everything after it gets parsed as SQL). Perhaps I should have tried a password containing “; drop table users;” just to see what happened?

At least IceTV require my password to be longer than four characters...

Well, I was nice, and didn’t try to get up to any mischief. I simply generated a new password without special characters. Seriously, though, there is NO reason to prevent a user from selecting a good, secure password. If the password is hashed correctly with a proper password hashing function (and a per-user salt), then all you’ll be storing in your database is a fixed-length string of numbers and letters, whatever characters the user chose. And if the query is parameterised rather than built by string concatenation, special characters can’t break (or inject into) your SQL in the first place.
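To make points 1 and 3 concrete, here is an added example (my own illustrative code, not anything from IceTV) putting the two approaches side by side: an “unsafe” registration that stores the plaintext password by pasting it into the SQL string, as the post suspects IceTV does, and a “safe” one that stores a salted PBKDF2 digest through a parameterised query. The schema, usernames, round count and passwords are constructed for the demo; SQLite is used so it runs offline.

```python
# Added example (not IceTV's code): plaintext + string-built SQL versus
# salted hash + parameterised query. Runs against an in-memory SQLite DB.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to your hardware


def unsafe_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


def unsafe_register(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Plaintext storage with the password pasted into the SQL string.
    Returns False when the password breaks the statement."""
    sql = "INSERT INTO users (username, password) VALUES ('%s', '%s')" % (username, password)
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        # An apostrophe in the password is a syntax error. A password like
        # "'; DROP TABLE users; --" is refused here only because Python's sqlite3
        # runs one statement per execute(); a server allowing stacked queries
        # would happily run the DROP.
        return False


def safe_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest: the only thing the database ever sees."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def safe_register(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Per-user random salt, PBKDF2 digest, parameterised INSERT: the password
    text never touches the SQL grammar and is never written to disk."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    return True


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def safe_stored_value(conn: sqlite3.Connection, username: str) -> str:
    """What the database actually holds: a 64-hex-char digest, never the password,
    so a "password reminder" email is impossible by construction."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row[0].hex()


if __name__ == "__main__":
    tricky = ["mY;p@ssw'ord", "'; DROP TABLE users; --"]  # constructed test passwords
    bad = unsafe_db()
    print([unsafe_register(bad, "user%d" % i, p) for i, p in enumerate(tricky)])  # [False, False]
    good = safe_db()
    print([safe_register(good, "user%d" % i, p) for i, p in enumerate(tricky)])   # [True, True]
    print(safe_login(good, "user0", tricky[0]), safe_login(good, "user0", "wrong"))  # True False
    print(safe_stored_value(good, "user0"))
```

The safe path accepts both awkward passwords without any input filtering, which is the point: when the password is only ever a bound parameter and a hash, there is nothing for a “no special characters” rule to protect.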

Did IceTV pass?

In a word, no. In two words, hell no! Protecting a website from vulnerabilities which may allow an attacker access to customer data is, admittedly, difficult. Even big IT security companies get hacked, and they (we would assume) actually do take security seriously, and should have some idea how to do it right. Good security doesn’t just happen, it takes time and effort, and most importantly requires a particular mindset. If your developers are only thinking about getting things to work, or aren’t given time to consider security, then I can almost guarantee that it’s just not happening.

I suppose it really should be no surprise, then, that IceTV’s customer database got hacked in the first place. Good thing they never had my credit card number…


A timetraveler has been accessing my facebook

I just recently signed up to try what seems to be a pretty cool universal contact aggregation service, Gist. It pulls all your contacts from Gmail, Google Contacts, Facebook, Twitter, and many other services. Because I’ve asked Facebook to notify me when someone logs into my account, when I granted Gist access to my Facebook account, I received an email alert.


Apparently, my Facebook account is being hacked by time travelers.


Australian English is Funny?

I just bought myself a Kindle, and was looking for a way to replace the American English dictionary with an Australian one.

Interestingly, according to Amazon (well, according to Google’s index of Amazon), an Australian English dictionary is funny. Sure, we may have some strange words, but surely our dictionaries don’t deserve to be filed under “Humour”?!?

Google Search Fail


Popularity Contest Widget (1.01)

I fixed a minor (but annoying) bug in the Popularity Contest Widget, as identified by Zer0, and described in this thread.

Hopefully now you won’t get the widget title displaying twice! As for the other issues Zer0 mentioned (i.e., that you can only get the most popular 10 items without modifying the plugin), I don’t have any immediate plans to change that, but it’s not hard to change – just look for the line “<?php akpc_most_popular(); ?>” and add whatever you like in the brackets (obviously you need to know how akpc_most_popular works, but that’s more Alex King’s department).

As usual, visit the project page for more info, or to download the plugin.


Finally! Google Reader Search

I’ve been using Google Reader for a long time now. Ever since their last major update nearly 12 months ago, I’ve put aside Egress on my Windows Mobile phone, and various desktop RSS readers, in favour of Google Reader.

Of course, as anyone who’s used Google Reader knows, it lacked the one thing Google has always been known to do well – that is, search! I tried various Greasemonkey scripts, but was never happy with any of them. But now, finally, GOOGLE READER HAS SEARCH!

Google Reader Has Search, About Bloody Time!

All I can say is, … about bloody time! ;)


Popularity Contest Widget (1.0)

Using Popularity Contest by Alex King, which assigns each post a popularity score, I’ve created a quick widget to display the most popular posts in the sidebar.

View the project page for more info or to download it.
