Blog‎ > ‎

PuffChat, GnuTLS, Cloud, DigitalOcean API, Target leak, Firewalls, DEC64, Encryption and Security

posted Mar 9, 2014, 11:43 AM by Sami Lehtinen   [ updated Mar 9, 2014, 11:44 AM ]
  • PuffChat security - It seems to be business as usual. Unfortunately.
  • Hidden surveillance network - It seems that it's quite impossible to avoid being in big data registers. Or basically, it is impossible. All kind if information is collected and stored, and you can't do anything about it.
  • GnuTLS bug leaves much to wish for proper certificate authentication. It's horrible to see how widely used libraries can be so badly broken for such long times.
  • It seems that there are even more cool acronyms begin added to cloud service briefcase. DCRoom, DCServer, vDC, vCloud, DCvServer, DCIaaS, DCPaaS, DCShare, DCStorage, DCDR, DCBaaS, DCSaaS. Terminology is quite silly again, but it's important to be so cool with all new things, which indicate that DCSaaS is much more reliable than services from any major SaaS service provider.
  • It seems that DigitalOcean API isn't signing messages at all, and is using static API_KEY for each client. Ouch! So they're purely relying HTTPS for all security, and also sending the "shared secret" aka API_KEY over HTTPS connection as plaintext every time. I would have preferred using in messages API_KEY which is actually HMAC which is formed from the request data + the secret api key. So even if messages would be caught as plaintext, it wouldn't allow replay, changing the request content, nor getting the actual API key to perform future arbitrary commands using it. When you combine this issue with When we combine this GnuTLS issue. Then we got real and major problem. Btw. It's quite common anyway to skip proper SSL cert checks, it would be best to use cert pinning in these kind of situations.
  • About that Target credit card information leak I can just say one thing. I think I have written about this earlier. Several cases, when systems are 'opened for traffic' due to integration needs, access rights haven't been managed properly. I have seen several cases, where FTP / SFTP / FTPS account is accompanied by full ssh / remote desktop access, and in some cases full administrative access to the server. Yes, It's happening all the time, and it's nothing new. It's just 'security as usual', nobody really cares about that. Even if you write to them and let them know that systems are seriously misconfigured, response is usually something like: "As far as we can see, it's working fine". Well, I think it's working fine, maybe just too well after all. If something doesn't work, I can login and modify required settings by my self.
  • Hand long chat about effectiveness of firewalls, anti-virus etc products. Well, as we know, those aren't effective anymore. Only working solution is tight security policy, which also is on technical level based on white lists instead of black lists. So only things that are explicitly allowed are allowed, everything which is unknown, is always blocked. So following concept of principle of least privilege should always be present.
  • Had to reread the Scramjet article, because it has been extended substantially. Dual-mode was also quote interesting read. It's clear that scramjet design and knowledge is developing quickly. It was so interesting topic I had to read also this document.
  • Studied DEC64 floating point representation. It's nice, something else than the traditiona IEEE 754. What is 1 divided by 10. Well of course it is: "0.1000000000000000055511151231257827021181583404541015625" as well as 0.1+0.2-0.3 is "2.775557561565156540423631668E-17". That's just so wonderful at times, before you learn to deal with it.
  • Installed and started to use both Threema and Telegram actively. I'm just so fed up with Skype even if it's Linux version doesn't even show ads yet.
  • Studied Infinite Garble Extension (IGE) mod which is related to Telegram.
  • Played with ClearSkies Open Source synchronization software which is like BitTorrent Sync. Unfortunately I just don't have any practical need for it. I'm already running my own servers and services which I need.
  • NTFS / EFS data recovery using Linux. There aren't EFS encryption cracking tools with standard Ubuntu / Linux distributions. But if you user some recovery distribution. Then answer to accessing even encrypted EFS files is easily yes. But that requires that user(s) use weak password(s). Otherwise cracking would take too long. After successful password recovery EFS resources can be accessed. Unfortunately it's really hard (practically impossible) to get user to use proper strong passwords. EFS encryption it self is very strong, but key management is the ultimate weak link. If EFS isn't used, all NTFS access right management can be easily circumvented using NTFS-3G.