Secure Browsing With Firefox

This is a guide on how to configure Firefox to harden it against most of the common known vulnerabilities. It concentrates on Cookies, Scripts, TLS Encryption Suites, and more. This whole process will take about 10-20 minutes to set up, and an hour or so of browsing to get used to.

Step 1: Install the Firefox browser.

Why Firefox: I prefer this for secure browsing because it is open-source and run by a non-profit organization. It is frequently security audited and frequently updated to close vulnerabilities. It also has a lot of granularity in control over privacy and security settings so you can custom-configure the browser to defend against new threats easily.more information In the past i have bashed Firefox for being behind on TLS. They have since caught up on the standard but still have TLS 1.1 and 1.2 disabled by default which I am generally unhappy with. It is understandable though, as it is done mainly to make the browser compatible with old TLS 1.0 sites that have issues with huge lists of cipher suites being supported.

> read more

Securing the Data Supply Chain - The Uphill Battle of Security

The age of easy privacy on the internet is over. Or, rather, it was never there, and we have learned over the last few months that it is far far worse than your most paranoid friend could have ever imagined. There are government entities and other "Advanced Persistent Threats" that will attack your computer, your phone, your modem and router, and they have schemed and plotted their way into the most basic of control systems for your devices.

This article is about understanding the data supply chain, and how complex defending your devices can be.

First, we must look at how data moves around the internet.

I am doing a HUGE amount of generalizing here, but this is a simple overview of how data moves. It begins at your device, and travels through your home network via a wired or Wifi Ethernet connection. There it hits your router, which sends it to your modem, and out to the internet. Once on the 'net, it travels along various routers to reach it's destination, which is often a website or server hosting a service.

> read more

Youtube Channel Discusses the Math Behind Dual_EC_DRBG

A Youtube channel about breaking down complex math systems and how they apply to everyday life has done a nice piece on how Elliptic Curve Cryptography works, and how the NSA subverted the algorithm.

Professor Edward Frenkel discusses the mathematics behind elliptic curves and the nature of what makes it a secure encryption technique.

It is important to note that while this piece puts emphasis on email, using DUAL_EC_DBRG for your number generator can break any cryptosystem that relies on it. This is why it is very significant that it has now come to light that American security company RSA Security accepted a $10,000,000 contract with the NSA to make DUAL_EC_DBRG their default random number generator.

So, bearing the huge scope of this scandal in mind, enjoy this video. It gives a nice visual look of how the DUAL_EC_DBRG works and why it is a problem.

> read more

Private Internet Access Forums Hacked

Private Internet Access, a VPN provider based in the United States, experienced a security breach early this morning by what appears to be spammers.

They were alerted to the intrusion because the attacker inserted code into the site to prompt the forums users to "send bitcoins to an address to receive 10x that amount in return".

The attackers used a known PHP object injection vulnerability for Vanilla Forums, the forum software PIA uses. Updating the forums to current would have prevented this vulnerability from being exposed for this attack to occur.

They also accessed the SQL database of the server and likely pulled hashed forum passwords from the server. They did not disclose if other registration information such as emails were compromised in the data breach. This is significant because typically users will use the same passwords in multiple places, such as to log in to the VPN service or for their personal email.

> read more

In a new revelation from the Snowden files, it has been revealed that the NSA has been tapping the unencrypted links between datacenters of major email providers and possibly more.

The program, dubbed "Muscular" places a tap on the links between datacenters for content delivery network style services. Apparently these links are unencrypted, which amazes me unless these companies were compelled to do so. It does create plausible deniability for the companies transferring the data. These networks are private, but the size and scope of Google facilities and the technical expertise of state-sponsored eavesdropping still make it horribly irresponsible to move customer data around "in the clear".

> read more

The NSA is Hacking Consumer-Level Routers

Speaking at the European Parliament, Jacob Appelbaum has disclosed a program called "Quantum Insertion" where the NSA is compromising consumer-level routers in homes and using them to redirect traffic to "FoxAcid" servers. As he describes it, FoxAcid is a system that detects the activity of targets and the system inserts itself as a service you are trying to connect to. It then masquerades itself as the service the target is trying to connect to while gathering and profiling the targets system for vulnerabilities in their browser or client software. It then can attack the target in a purely automated fashion and compromise the computer of the target with no human intervention.

> read more

Security Alert: Two Major VPN Providers Hacked

VikingVPN is on high alert after two major VPN providers have been compromised this week in what looks to be a black-hat attempt to destroy competition by an unknown actor. The profiles of the attacks appear to be that the attackers are trying to deface or damage the companies rather than gain customer information. This points to an actor from the industry either acting on its own, or hiring mercenary hackers to damage competitors reputations.

Earlier this week, EarthVPN appears to have suffered a major breech via SQL injection attack. It is discussed here. EarthVPN comments in the thread saying that users should not be concerned about the breach because the passwords are hashed, which is abysmally bad policy. A weak hashed password can be broken in minutes. They should be mass emailing their users to change their passwords immediately, or generating new temporary passwords for everyone and advising them to the situation. Falling victim to a SQL injection is also very unprofessional, as it is one of the oldest types of attacks on the internet that is a persistent threat to databases of customer information.

> read more

Attacking Exponential Key Agreement -- Breaking Diffie-Hellman

Today we are going to broadly cover how exponential key agreement is attacked by researchers, and discuss how close the white-hat security world actually is to breaking exponential key agreement.

Since the inception of the Diffie-Hellman key exchange in the 1970's by British intelligence, it has been under a long mathematical siege by researchers, law-enforcement, and state-sponsored clandestine groups. It has been believed to be secure for this entire period as long as the private keys were not given up through other means. It relies on complex mathematics to come up with a mutual number to encrypt data. There are multiple asymmetric algorithms out there that rely on the Diffie-Hellman principal, including modern Elliptic Curve algorithms (believed to be the strongest). Researchers and security experts alike are growing concerned that the time is rapidly approaching where the Discrete Logarithm Problem that exponential key agreement relies on may be becoming weak enough to be broken.

> read more

The Mathematics of Exponential Key-Agreement

            There is a lot of chatter right now concerning the “old” methods of handshakes for secure connections over a network. These are the RSA key exchange, and the Diffie-Hellman key exchange. This is the beginning of a multi-part series that will detail how these algorithms work, their weaknesses, and how they are currently defeated (if it is possible).

            In this first part I’m going to cover the Diffie-Hellman key exchange, also known as Exponential Key Agreement.

> read more

The State of eCommerce Security – Web Browser Safety

This month, we learned about the BREACH attack. A new exploit that uses flaws in TLS compression to decipher small pieces of encrypted data. It is an updated version of the CRIME attack which also attacked TLS compression. This is a good example of attacks only getting better as time goes forward. I felt that with this new flurry of news about security breaches in the news, that I would give you all a brief history on the state of cipher suites in eCommerce. 

The Transport Layer Security (TLS) stack has been under siege since its inception in 1999.

1.       Padding Oracle Attack – 2002 – Researchers find a vulnerability in the way that TLS fills in space when data doesn’t take up an entire packet. It is entirely theoretical and cannot be demonstrated as working.

> read more