Category Archives: security

Wrong advice on Tor Usage from hacklog.mu

Hacklog.mu presentation on Tor

Hacklog.mu has a presentation on Tor on the following page. On the same page, SM mentions that HTML5 elements could be used to leak information about an Internet user even with Tor. This is correct. Several developers were aware of the problem, and there were plans to fix it in Orweb; see this URL for details. This vulnerability was reported in 2013 and fixed in the same year. The presentation by hacklog.mu took place in 2014.

Firefox as the solution?

Hacklog.mu uses Firefox from the Google Play Store and configures it to work with Tor. From a security perspective, Firefox leaks more metadata than Orweb or Tor Browser, because it lacks the patches that Orweb carries. If you look at Tor Browser, you will realize that it is a modified version of Firefox with a number of patches added to protect the privacy of its users. Those patches are not in stock Firefox, and they provide several additional layers of protection that Firefox on Android DOES NOT provide. The Tor Project constantly reworks the patches for Tor Browser and applies the same design principles in Orweb/Orfox. See the design requirements for Orweb, Orfox and Tor Browser here. We tested with Orweb and Orfox, and according to browserleaks.org neither leaks. It is highly questionable to use Firefox, even with a mobile proxy, since by default Firefox is not designed to be as secure as Orweb, Orfox and Tor Browser.

Conclusion

We recommend that Internet users who want to remain anonymous use Orweb/Orfox on Android and Tor Browser on their PCs instead of Firefox, and avoid the setup presented on hacklog.mu. ^-^

Let’s encrypt

An intriguing mail

When I opened my mailbox in the morning, an interesting mail showed up! At first, I thought that it was spam, as it said "You had been selected to participate .."

A closer look

Upon taking a closer look, I quickly realized that it was coming from the Let's Encrypt non-profit foundation! Let's Encrypt aims to make TLS available to everybody, and wants to make it easy. You might be surprised to hear this when you know that a TLS certificate costs at least $9 USD. I heard about Let's Encrypt from websites, and they were active at the IETF in Prague when I was there. For Mauritius and Africa, this represents a huge opportunity for non-profits, educational institutions and small and medium enterprises to get better security for their websites at little cost, apart from investing the time to learn how to use the ACME client from Let's Encrypt.

The downside

You do not get the full EV (Extended Validation) that SSL/TLS vendors offer; EV has much stricter requirements and is normally costly. This is what a critical Internet organization or a bank would use for its HTTPS services.

First impressions

The service is still in a limited BETA phase. It can be set up with a single command:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

More to come

Stay tuned as I move a personal website to HTTPS powered by letsencrypt :)

security experts in Mauritius

Cybersecurity in the cyberisland

In Mauritius, we have 7000 people who work in the IT sector. There are many web developers, enterprise software engineers and infrastructure engineers (sysadmins/netadmins). However, there are very few security engineers.

Most companies in Mauritius tend not to think about the security of their infrastructure. Paradoxically, most are increasingly relying on their IT infrastructure to store, retrieve and manipulate their data, which is often sensitive. This has led to very few job openings for security experts. Many still think that security is an "add-on" that they buy. Few realise that security has to be woven into the development process of the software they are building for their clients, until a client loses faith due to a security flaw.

Recently, two LUGM members and I decided to organize a security contest. The goal was to defend and attack a server via the Heartbleed vulnerability and steal sensitive information, such as private keys. After a short presentation on Heartbleed, we gave participants ample time to come up with working code and a reasonable explanation. Heartbleed is fairly old: it happened in 2014.

Two months later, we still had not received a single submission. I grew very worried about the current situation in Mauritius. The implications are far reaching: most IT workers have little understanding of how vulnerabilities work. There are many self-proclaimed "hackers" and "security experts" in Mauritius, yet none of them are able to understand Heartbleed in detail. Most IT professionals are unable to distinguish between a security expert and someone who is not. In case of a cyberwar, Mauritius would be at an immediate disadvantage.

Developing a local pool of security expert talent is one of the key pillars of a "Cyberisland". The rise of the Internet of Things, where almost everything can be hooked up to the Internet, has many implications in terms of security. A "smart" car can be hijacked, and people killed. We need security experts who can understand the small details of security flaws and come up with reasonable counter-measures to protect our cyber infrastructure. This requires a LOT of mental effort and time investment. However, I get the impression that most students are more interested in computer security as a fashion trend. Few want to do the hard mental work.

Sadly, I noticed the same attitude among professionals working in the IT sector. Many prefer to copy, without any thought as to what is really happening underneath. They rely on work done by others instead of making the mental effort needed. A good way to test a security expert is to show him a piece of vulnerable code and ask him to write an exploit for it. The contest that we designed followed this principle. It encouraged participants to think about the code that they copy from the Internet.
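The bounds check that Heartbleed was missing, as an added example for this post (it is not OpenSSL's code and not a contest submission): a simplified heartbeat request validator following the RFC 6520 record layout. The function names `heartbeat_echo_checked` and `check_request` are assumed here; `check_request` builds a constructed record that claims more payload than it actually carries, so you can see the validator drop it instead of echoing adjacent memory.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat handling, written as an added example for this
 * post; it is not OpenSSL's code. Wire format (RFC 6520): 1 byte type,
 * 2 bytes payload_length (big-endian), the payload, then >= 16 bytes of
 * padding. Heartbleed was the absence of the check that payload_length
 * fits inside the record that was actually received. */

#define HB_REQUEST      1
#define HB_MIN_PADDING  16
#define HB_MAX_PAYLOAD  16384   /* RFC 6520 upper bound (2^14) */

/* Validate a received heartbeat request and copy its payload into `out`.
 * Returns the number of payload bytes to echo back, or -1 if the message
 * is malformed and must be dropped without a response. */
int heartbeat_echo_checked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check OpenSSL lacked: header + claimed payload + padding must
     * not exceed the bytes on the wire. Without it the peer decides how
     * far past the end of the record memcpy reads. */
    if (3 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > HB_MAX_PAYLOAD || payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed test input: a request that claims `claimed_len` payload
 * bytes but actually carries `actual_len` bytes of 'A'. Returns what the
 * checked parser would echo (-1 for a rejected record). */
int check_request(uint16_t claimed_len, size_t actual_len)
{
    uint8_t rec[256], out[256];
    if (3 + actual_len + HB_MIN_PADDING > sizeof rec)
        return -2;                                    /* test input too big */
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memset(rec + 3, 'A', actual_len);                 /* payload */
    memset(rec + 3 + actual_len, 0, HB_MIN_PADDING);  /* padding */
    size_t rec_len = 3 + actual_len + HB_MIN_PADDING;
    return heartbeat_echo_checked(rec, rec_len, out, sizeof out);
}
```

An honest request (claimed length equal to the bytes sent) is echoed; a record that claims thousands of bytes while carrying four is rejected, which is exactly the case the unpatched code failed on.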

The net result is that this has negatively impacted the image of security experts from Mauritius. I spoke with a friend who lives in Switzerland, and he told me that he had read about the security experts from Mauritius. Upon closer examination, he wasn't impressed at all; the lack of skills is obvious, according to him. To be fair, I pointed out that at least two Mauritians understand security to a very good level. On the global picture, we still have a long way to go to secure and protect our Cyberisland.

I'm officially a Google security supplier!

Security Services

Last night, I got the confirmation that I am officially recognized as a Supplier of Security Services for Google, the Internet Search Giant :)

What does this mean for Internet Security

I will be working more closely on Internet security by focusing on key Open Source projects, and this effort will be sponsored by Google. Needless to say, I'm very excited! I look forward to building a more secure Internet that benefits not only Google but also Mauritius, as we are heavy consumers of products based on Open Source Software: Android, Gmail and quite a few others.

Collaborative efforts

By working together, as a team, we can strengthen the foundations of today's Internet so that we avoid another Heartbleed. I look forward not only to working on code, but also to working with people spread across the globe who speak different languages. There is something beautiful in Open Source: despite our divergent opinions, we are able to work together. I believe that our strength comes from our ability to readjust ourselves to an increasingly hostile Internet.

Google Security Supplier, I am excited for this new adventure! :)


--Logan