Scary DDoS and Ransom Attack against CodeSpaces

You read pretty much every day about some new virus, or a new attack against a person or company, but last week there was an attack against a company that can only be described as terrifying. The company attacked was Coventry (UK) based SVN hosting company CodeSpaces.

DDoS and Ransom Attack against CodeSpaces

I read about this attack in The Hacker News. An attacker started a Distributed Denial of Service (DDoS) attack against the company, and also managed to gain access to their Amazon AWS and EC2 dashboard. The attacker then proceeded to hold them to ransom for a large fee to stop the DDoS attack. The company, naturally, tried to regain control of their system and started changing passwords. When the attacker realised what they were doing, he started deleting all the company's data from the Amazon cloud servers, including all the backups.


Block Encrypter .NET Library

I have recently released a small open source library that I thought might be useful to people. The library is called Block Encrypter, and it is designed to make asymmetric encryption of data in .NET / C# easier. The code in this library has been developed over the past year and used in my open source tools SafePad and Text Shredder. The way in which this library goes about encryption has been peer reviewed by many people in the open source community, which should give you a level of comfort that it is secure in how it goes about encrypting data. Block Encrypter encrypts data using standard cryptographic primitives like AES, HMAC, PBKDF, and cryptographically secure random number generation.

Download the Block Encrypter .NET encryption library.

I have previously discussed AES encryption in .NET in my cryptography series of articles. I also posted an article linking to some really useful videos by Patrick Townsend about how the AES algorithm works. If you are interested in symmetric cryptography I highly recommend watching them.


First let's look at some usage examples. The main object in the library to call is the BlockEncrypter object, which contains methods that allow you to encrypt/decrypt strings or byte arrays of data.

Overview of the Library

The library itself is quite straightforward to use and there are not that many objects to get to grips with. The main entry point for the library is the BlockEncrypter object. This object will then call out to the GzipCompression object, Aes object, and the ByteHelpers object.

Block Encrypter Class Diagram

The library is also well covered in unit tests that exercise the majority of the functionality.

The Day we Fight Back Against Mass Surveillance

The Day we Fight Back Against Mass Surveillance.

Click the image above to join in!

From their website:

DEAR USERS OF THE INTERNET,

In January 2012 we defeated the SOPA and PIPA censorship legislation with the largest Internet protest in history. Today we face another critical threat, one that again undermines the Internet and the notion that any of us live in a genuinely free society: mass surveillance.

In celebration of the win against SOPA and PIPA two years ago, and in memory of one of its leaders, Aaron Swartz, we are planning a day of protest against mass surveillance, to take place this February 11th.

Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.

SafePad Version 1.1 Released

I have now released version 1.1 of my popular encrypted notepad application SafePad. Version 1.1 focuses on many of the requests I have had from users. These are mainly around usability.

Safe Pad 1.1 : Text editor to securely protect your documents using Triple AES

What is SafePad

SafePad is a simple FREE text editor that lets you encrypt your documents using 3 cascaded iterations of AES encryption (Advanced Encryption Standard). To protect your document you have to provide 2 passwords. Passwords have always been a problem when it comes to security, as users tend to pick a password that is easy for them to remember. This also means that the password is most likely easy to crack. Using 2 passwords and performing multiple rounds of encryption makes it much harder to crack the passwords. If someone manages to crack password 1, all they will get back is encrypted text, so it would be very hard for them to know they have cracked that password.

Picking strong yet easy to remember passwords is essential when protecting your files. If your passwords are easy to guess or can be cracked by a brute force search then you are leaving your data open to being stolen. Here is a good article over at wolfram.org with some good advice on picking strong passwords.

Checking the Strength of a Password

In this article I want to talk about a password strength checker that I recently built for my open source application SafePad.

Password Strength Indicator in SafePad

First of all we have a public enumeration that contains the password score results.

Securely Storing Passwords

In this article I want to talk about the storage of passwords in your systems. Passwords are still the most common way of being able to authenticate a user, but it is very easy to put yourself in a situation where your system is not secure and susceptible to attacks. In this article I want to discuss ways in which you shouldn’t store passwords, and talk about how you can safely store passwords and protect yourself where you have been a victim of data theft.

Securely Storing Passwords

Storing Passwords in the Clear

Ease of Implementation : EASY

Is Good Idea : TERRIBLE IDEA

When you are developing a system that needs to authenticate a user, the biggest mistake you can make is storing passwords as clear text in your database. You may as well not bother having security, as you can’t offer any kind of privacy to your users. This may seem like common sense, but there are still plenty of sites that do this. A user’s password should be secret and known only by the person it belongs to.

Remaining Private on the Internet

In previous posts I talked about the mass surveillance by the NSA and GCHQ, and also posted an excellent video that explains about the threat to privacy in the modern age on the internet. If you are worried about privacy on the internet then there are many tools out there that can help you. I thought I would list a few of them here. Some of the tools are free, and some are not.

Tor Browser Bundle

First up is the Tor Browser Bundle. This is a modified Firefox web browser that is aimed at making your web browsing anonymous. By this I mean that no one can trace what sites you are visiting. It does this by redirecting your browser traffic through thousands of other relays.

Tor Browser Bundle

This does make your browsing experience a lot slower, but that’s the price you pay for anonymity. Here is their official blurb.

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.