Wednesday, January 15, 2014

2013 Toolsmith Tool of the Year: Recon-ng

Congratulations to Tim Tomes of Black Hills Information Security.
@LaNMaSteR53's Recon-ng is the 2013 Toolsmith Tool of the Year.
We had quite the turnout this year, with 881 total votes.
Recon-ng finished first with 44% of the vote, in a very tight race with ProcDOT which came in second with 40%, and all others pulling up the rear.
Tim will receive a book of his choosing or a donation to his preferred charity. 

Congratulations and thank you to all of this year's participants. 2014 should bring us another great year of tools for information security practitioners. Please feel free to submit your favorites for consideration.

Wednesday, January 01, 2014

toolsmith: Tails - The Amnesiac Incognito Live System

Privacy for anyone anywhere

Systems that can boot DVD, USB, or SD media (x86, no PowerPC or ARM), 1GB RAM

“We will open the book. Its pages are blank. We are going to put words on them ourselves. The book is called Opportunity and its first chapter is New Year's Day.”  -Edith Lovejoy Pierce

First and foremost, Happy New Year!
If you haven’t read or heard about the perpetual stream of rather incredible disclosures continuing to emerge regarding the NSA’s activities as revealed by Edward Snowden, you’ve likely been completely untethered from the Matrix or have indeed been hiding under the proverbial rock. As the ISSA Journal focuses on Cyber Security and Compliance for the January 2014 issue, I thought it a great opportunity to weave a few privacy related current events into the discussion while operating under the auspicious umbrella of the Cyber Security label. The most recent article that caught my attention was Reuters reporting that “as a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry.” The report indicates that RSA received $10M from the NSA in exchange for utilizing the agency-backed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) as its preferred random number algorithm, an allegation that RSA denies in part.
In September 2013 the New York Times reported that an NSA memo released by Snowden declared that “cryptanalytic capabilities are now coming online…vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." Ars Technica’s Dan Goodin described Operation Bullrun as a “a combination of ‘supercomputers, technical trickery, court orders, and behind-the-scenes persuasion’ to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.” Finally, consider that, again as reported by DanG, a senior NSA cryptographer, Kevin Igoe, is also the co-chair of the Internet Engineering Task Force’s (IETF) Crypto Forum Research Group (CFRG). What could possibly go wrong? According to Dan, Igoe's leadership had largely gone unnoticed until the above mentioned reports surfaced in September 2013 exposing the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers."
I must admit I am conflicted. I believe in protecting the American citizenry above all else. The NSA claims that their surveillance efforts have thwarted attacks against America. Regardless of the debate over the right or wrong of how or if this was achieved, I honor the intent. Yet, while I believe Snowden’s actions are traitorous, as an Internet denizen I can understand his concerns. The problem is that he swore an oath to his country, was well paid to honor it, and then violated it.  Regardless of my take on these events and revelations, my obligation to you is to provide you with tooling options. The Information Systems Security Association (ISSA) is an international organization of information security professionals and practitioners. As such, are there means by which our global readership can better practice Internet privacy and security? While there is no panacea, I propose that the likes of The Amnesiac Incognito Live System, or Tails, might contribute to the cause. Again, per the Tails team themselves: “Even though we're doing our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem.” That said, Tails endeavors to help you preserve your privacy and anonymity. Tails documentation is fabulous; you would do well to start with a full read before using Tails to protect your privacy for the first time.

Tails, a merger of the Amnesia and Incognito projects, is a Debian 6 (Squeeze) Linux distribution that works optimally as a live instance via DVD, USB, or SD media. Tails seeks to provide online anonymity and censorship circumvention with the Tor anonymity network to protect your privacy online. All software is configured to connect to the Internet through Tor and if an application tries to connect to the Internet directly, the connection is automatically blocked for security purposes. At this point the well informed amongst you are likely uttering a “whiskey tango foxtrot, Russ, in October The Guardian revealed that the NSA targeted the Tor network.” Yes, true that, but it doesn’t mean that you can’t safely use Tor in a manner that protects you. This is a great opportunity however to direct you to the Tails warning page. Please read this before you do anything else, it’s important. Schneier’s Guardian article also provides nuance. “The fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.”
Getting under way with Tails is easy. Download it, burn it to your preferred media, load the media into your preferred system, and boot it up. I prefer using Tails on USB media inclusive of a persistence volume, just remember to format the USB media in a manner that leaves room to create the persistent volume.
When you boot Tails, the first thing you’ll see, as noted in Figure 1 is the Tails Greeter which offers you More Options. Selecting Yes leads you to the option to set an administrative password (recommended) as well as Windows XP Camouflage mode (makes Tails look like Windows XP when you may have shoulder surfers).

FIGURE 1: Tails Greeter
You can also boot into a virtual machine, but there are some specific drawbacks to this method (the host operating system and the virtualization software can monitor what you are doing in Tails). However Tails will warn you as seen in Figure 2.

FIGURE 2: Tails warns regarding a VM and confirms Tor

You’ll also note in Figure 2 that TorBrowser (built on Iceweasel, a Firefox alternative) is already configured to use Tor, including the Torbutton, as well as NoScript, Cookie Monster, and Adblock Plus add-ons. There is one Tor enhancement to consider that can be added during the boot menu sequence for Tails where you can interrupt the boot sequence with Tab, hit Space, and then add bridge to enable Tor Bridge Mode.  According to the Tor Project, bridge relays or bridges for short are Tor relays that aren't listed in the main Tor directory. As such, even if your ISP is filtering connections to all known Tor relays, they probably won't be able to block all bridges. If you suspect access to the Tor network is being blocked, consider use of the Tor bridge feature as supported fully by Tails when booting in bridge mode. Control Tor with Vidalia which is available via the onion icon the notification area found in the upper right area of the Tails UI. 
One last note on Tor use as already described on the Tails Warning page you should have already read. Your Tor use is only as good as your exit node. Remember, “Tor is about hiding your location, not about encrypting your communication.” Tor does not, and cannot, encrypt the traffic between an exit node and the destination server. Therefore, any Tor exit node is in a position to capture any traffic passing through it and you should thus use end-to-end encryption for all communications. Be aware that Tails also offers I2P as an alternative to Tor.

Encryption Options and Features

HTTPS Everywhere is already configured for you in Tor Browser. HTTPS Everywhere uses a ruleset with regular expressions to rewrite URLs to HTTPS. Certain sites offer limited or partial support for encryption over HTTPS, but make it difficult to use where they may default to unencrypted HTTP, or provide hyperlinks on encrypted pages that point back to the unencrypted site.

You can use Pidgin for instant messaging which includes OTR or off-the-record encryption. Each time you start Tails you can count on it to generate a random username for all Pidgin accounts.

If you’re afraid the computer you’ve booted Tails on (a system in an Internet café or library) is not trustworthy due to the like of a hardware keylogger, you can use the Florence virtual keyboard, also found in the notification area as seen in Figure 3.

FIGURE 3: The Tails virtual keyboard
If you’re going to create a persistent volume (recommended) when you use Tails from USB media, do so easily with Applications | Tails | Configure persistent volume. Reboot, then be sure to enable persistence with the Tails Greeter. You will need to setup the USB stick to leave unused space for a persistent volume.
You can securely wipe files and cleanup available space thereafter with Nautilus Wipe. Just right click a file or files in the Nautilus file manager and select Wipe to blow it away…forever…in perpetuity.
KeePassX is available to securely manage passwords and store them on your persistent volume. You can also configure all your keyrings (GPG, Gnome, Pidgin) as well as Claws Mail. Remember, the persistent volume is encrypted upon creation.
You can encrypt text with a passphrase, encrypt and sign text with a public key, and decrypt and verify text with the Tails gpgApplet (the clipboard in the notification area).

One last cool Tails feature that doesn’t garner much attention is the Metadata Anonymisation app. This is not unlike Informatica 64’s OOMetaExtractor, the same folks who bring you FOCA as described in the March 2011 toolsmith.  Metadata Anonymisation is found under Applications then Accessories. This application will strip all of those interesting file properties left in metadata such as author names and date of creation or change. I have used my share of metadata to create a target list for social engineering during penetration tests so it’s definitely a good idea to clean docs if you’re going to publish or share them if you wish to remain anonymous. Figure 4 shows a before and after collage of PowerPoint metadata for a recent presentation I gave.
FIGURE 4: Metadata cleanup with Tails
There are numerous opportunities to protect yourself using The Amnesiac Incognito Live System and I strongly advocate for you keeping an instance at the ready should you need it. It’s ideal for those of you who travel to hostile computing environments, as well as for those of you non-US readers who may not benefit from the same level of personal freedoms and protection from censorship that we typically enjoy here in the States (tongue somewhat in cheek given current events described herein).


Aside from hoping you’ll give Tails a good look and make use of it, I’d like to leave you with two related resources well worth your attention. The first is a 2007 presentation from Dan Shumow and Niels Ferguson of Microsoft titled On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng. Yep, the same random number generator as described in the introduction to this column. The second resource is from and is called Applied Crypto Hardening. Systems administrators should definitely give this one a read.
Enjoy your efforts to shield yourself from watchful eyes and ears and let me know what you think of Tails. Ping me via Twitter via @holisticinfosec or email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...