You read pretty much every day about some new virus or a new attack against a person or company, but last week there was an attack against a company that can only be described as terrifying. The company attacked was the Coventry (UK) based SVN hosting company CodeSpaces.
I read about this attack in The Hacker News. An attacker started a Distributed Denial of Service (DDoS) attack against the company, and also managed to gain access to their Amazon AWS/EC2 control panel. The attacker then proceeded to hold them to ransom for a large fee to stop the DDoS attack. The company, naturally, tried to regain control of their systems and started changing passwords. When the attacker realised what they were doing, he started deleting all of the company's data from the Amazon cloud servers, including all the backups. The lesson is that the cloud control panel is a single point of failure: whoever holds it can wipe production and backups together, so backups that matter have to live somewhere that the same credentials cannot reach.
I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter, and it is designed to make symmetric, password-based encryption of data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community, which should give you some comfort that it is sound in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives: AES for confidentiality, an HMAC for integrity, PBKDF for turning a password into keys, and cryptographically secure random number generation for salts and IVs.
First let's look at some usage examples. The main object in the library to call is the BlockEncrypter object, and this contains methods that allow you to encrypt/decrypt strings or byte arrays of data.
Overview of the Library
The library itself is quite straightforward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object then calls out to the GzipCompression object, the Aes object, and the ByteHelpers object.
The library is also well covered in unit tests that exercise the majority of the functionality.
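To make the combination of primitives concrete, here is an added C# example of password-based authenticated encryption built from the same building blocks the post lists. It is illustrative code written for this page, not Block Encrypter's own source: the wire layout (salt | IV | ciphertext | tag), AES-256-CBC with PKCS7 padding, HMAC-SHA256 in encrypt-then-MAC order, and the 100,000 PBKDF2 iterations are all assumptions for the example rather than the library's settings.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Block Encrypter's code. Assumed layout:
//   salt(16) | iv(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32) over salt|iv|ciphertext
public static class PasswordEncryptionExample
{
    private const int SaltSize = 16;
    private const int IvSize = 16;          // AES block size
    private const int KeySize = 32;         // AES-256
    private const int TagSize = 32;         // HMAC-SHA256 output
    private const int Iterations = 100_000; // assumed PBKDF2 cost; tune to your hardware

    public static byte[] Encrypt(string password, byte[] plaintext)
    {
        var salt = new byte[SaltSize];
        var iv = new byte[IvSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // fresh salt: same password never gives the same keys twice
            rng.GetBytes(iv);   // fresh IV: same plaintext never gives the same ciphertext twice
        }

        DeriveKeys(password, salt, out byte[] encKey, out byte[] macKey);

        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = iv;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        // Encrypt-then-MAC: the tag covers every byte the receiver will hand to AES.
        var output = new byte[SaltSize + IvSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(salt, 0, output, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, output, SaltSize, IvSize);
        Buffer.BlockCopy(ciphertext, 0, output, SaltSize + IvSize, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(output, 0, SaltSize + IvSize + ciphertext.Length);
            Buffer.BlockCopy(tag, 0, output, SaltSize + IvSize + ciphertext.Length, TagSize);
        }
        return output;
    }

    public static byte[] Decrypt(string password, byte[] input)
    {
        // Minimum: salt + iv + one padded AES block + tag.
        if (input.Length < SaltSize + IvSize + 16 + TagSize)
            throw new CryptographicException("Input too short to be valid.");

        var salt = new byte[SaltSize];
        var iv = new byte[IvSize];
        Buffer.BlockCopy(input, 0, salt, 0, SaltSize);
        Buffer.BlockCopy(input, SaltSize, iv, 0, IvSize);
        int ctOffset = SaltSize + IvSize;
        int ctLength = input.Length - ctOffset - TagSize;

        DeriveKeys(password, salt, out byte[] encKey, out byte[] macKey);

        // Check the tag BEFORE decrypting, in constant time, so a wrong password or
        // a tampered blob is rejected without ever reaching the padding check.
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(input, 0, ctOffset + ctLength);
        var actual = new byte[TagSize];
        Buffer.BlockCopy(input, ctOffset + ctLength, actual, 0, TagSize);
        if (!CryptographicOperations.FixedTimeEquals(expected, actual))
            throw new CryptographicException("Authentication failed: wrong password or data modified.");

        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = iv;
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(input, ctOffset, ctLength);
        }
    }

    // One PBKDF2 run, split into independent encryption and MAC keys.
    private static void DeriveKeys(string password, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] material = kdf.GetBytes(KeySize * 2);
            encKey = new byte[KeySize]; macKey = new byte[KeySize];
            Buffer.BlockCopy(material, 0, encKey, 0, KeySize);
            Buffer.BlockCopy(material, KeySize, macKey, 0, KeySize);
        }
    }

    public static void Main()
    {
        const string pw = "correct horse battery staple";
        byte[] blob = Encrypt(pw, Encoding.UTF8.GetBytes("hello, world"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(pw, blob)));
        blob[blob.Length - 1] ^= 0x01; // flip one tag bit: decryption must fail closed
        try { Decrypt(pw, blob); } catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

The two points worth taking from this even if you use a library: the MAC key is derived separately from the encryption key rather than reused, and the tag is verified with a constant-time comparison before any decryption happens, which is what turns "AES plus an HMAC" into an authenticated scheme rather than two unrelated steps.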
In January 2012 we defeated the SOPA and PIPA censorship legislation with the largest Internet protest in history. Today we face another critical threat, one that again undermines the Internet and the notion that any of us live in a genuinely free society: mass surveillance.
In celebration of the win against SOPA and PIPA two years ago, and in memory of one of its leaders, Aaron Swartz, we are planning a day of protest against mass surveillance, to take place this February 11th.
Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.
I have now released version 1.1 of my popular encrypted notepad application SafePad. Version 1.1 focuses on many of the requests I have had from users. These are mainly around usability.
What is SafePad
SafePad is a simple FREE text editor that lets you encrypt your documents using three cascaded passes of AES encryption (Advanced Encryption Standard). To protect your document you have to provide two passwords. Passwords have always been a problem when it comes to security, as users tend to pick a password that is easy for them to remember, which also means it is most likely easy to crack. By using two passwords and performing multiple rounds of encryption, it becomes much harder to crack them. If someone manages to crack password 1, all they get back is still encrypted text, so, provided that intermediate ciphertext carries nothing that lets an attacker recognise a correct guess, it would be very hard for them to know they have cracked that password.
Picking strong yet easy to remember passwords is essential when protecting your files. If your passwords are easy to guess or can be recovered by a brute force search, then you are leaving your data open to being stolen. Here is a good article over at wolfram.org with some good advice on picking strong passwords.
In this article I want to talk about the storage of passwords in your systems. Passwords are still the most common way of authenticating a user, but it is very easy to put yourself in a situation where your system is not secure and is susceptible to attack. In this article I want to discuss ways in which you shouldn't store passwords, and talk about how you can safely store passwords so that your users are still protected when you have been the victim of data theft.
Storing Passwords in the Clear
Ease of Implementation: EASY
Is It a Good Idea?: TERRIBLE IDEA
When you are developing a system that needs to authenticate a user, the biggest mistake you can make is storing passwords as clear text in your database. You may as well not bother having security, as you cannot offer any kind of privacy to your users: anyone who reads the table, whether an attacker with a SQL injection, a stolen backup, or a disgruntled administrator, reads every password, and most of those passwords are reused on other sites. This may seem like common sense, but there are still plenty of sites that do this. A user's password should be secret and known only to the person to whom it belongs.
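The following added C# example (written for this page, not taken from the post) puts the clear-text "store" beside the kind of record the post's thesis calls for: a per-user random salt and a slow PBKDF2 hash, so the password itself is never written anywhere and a leaked table cannot be read back. The record format string and the 100,000 iteration count are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the post.
public static class PasswordStorageExample
{
    // TERRIBLE IDEA: whoever reads the table reads every user's password.
    public static string StoreClearText(string password) => password;
    public static bool VerifyClearText(string stored, string password) => stored == password;

    // Better: write only salt + PBKDF2 output. The record format below is an
    // assumption for this example: "pbkdf2-sha256$iterations$salt$hash" (base64 fields).
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 100_000; // assumed cost; raise it as hardware gets faster

    public static string StoreHashed(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // unique per user
        byte[] hash = Pbkdf2(password, salt, Iterations);
        return "pbkdf2-sha256$" + Iterations + "$"
             + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
    }

    public static bool VerifyHashed(string record, string password)
    {
        string[] parts = record.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]); // stored with the record so it can be raised later
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Pbkdf2(password, salt, iterations);
        // Constant-time compare: a plain == stops at the first differing byte.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    public static void Main()
    {
        string record = StoreHashed("hunter2");
        Console.WriteLine(record);                          // the password appears nowhere in it
        Console.WriteLine(VerifyHashed(record, "hunter2")); // correct password
        Console.WriteLine(VerifyHashed(record, "hunter3")); // wrong password
        // Because the salt is random, the same password produces a different
        // record each time, so no single precomputed table covers every user.
        Console.WriteLine(StoreHashed("hunter2") == record);
    }
}
```

Storing the iteration count in the record is what lets you raise the cost over the years without invalidating existing users: old records keep verifying with their own count, and you rehash at the new cost on the next successful login.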
In previous posts I talked about the mass surveillance by the NSA and GCHQ, and also posted an excellent video that explains the threat to privacy in the modern age on the internet. If you are worried about privacy on the internet, then there are many tools out there that can help you. I thought I would list a few of them here. Some of the tools are free, and some are not.
Tor Browser Bundle
First up is the Tor Browser Bundle. This is a modified Firefox web browser, packaged with the Tor client, that is aimed at making your web browsing anonymous. By this I mean that someone watching your connection cannot see which sites you are visiting, and the sites cannot see where you are connecting from. It does this by routing your browser traffic through a chain of volunteer-run relays (a circuit of three), so that no single relay sees both who you are and where you are going. It does not hide the fact that you are using Tor, and it cannot protect anything you type into a site that already knows who you are.
This does make your browsing experience a lot slower, but that's the price you pay for anonymity. Here is their official blurb.
The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.