Sunday, March 02, 2014

toolsmith: SpiderFoot



Prerequisites/dependencies
Python 2.7 if running on *nix as well as M2Crypto, CherryPy, netaddr, dnspython, and Mako modules
Windows version comes as a pre-packaged executable, no dependencies

Introduction
All good penetration tests and threat assessments should be initiated with what you’ve seen referred to in toolsmith as OSINT, or open source intelligence gathering. This practice contributes greatly to collecting a useful list of targets of opportunity. One key element to remember, though: the bad guys are conducting this same activity against you and your Internet-facing assets too. It’s probably best then that you develop your own OSINT practice so you can find the information you may not wish to expose, or may not even know you are exposing. Steve Micallef’s SpiderFoot is another tool in the arsenal specific to this cause. You may already be aware that the four phases of a web application security assessment, as defined using the SamuraiWTF distribution, are recon, mapping, discovery, and exploitation. The SANS GIAC Certified Web Application Penetration Tester (GWAPT) curriculum follows suit given that Secure Ideas’ Kevin Johnson contributed heavily to (indeed, developed) both. SpiderFoot nicely blends both recon and mapping as part of its feature set. As we consider legal, privacy, and ethics issues for the March ISSA Journal, OSINT and reconnaissance become interesting and related topics. I have, on more than one occasion, discovered data via OSINT tactics that, in the wrong hands, could have been very damaging. When you consider findings of this nature with regard to ethics and legality you may find yourself in an immediate quandary. Are you obligated to report findings that you know could cause harm to the target if left unmitigated? What if during your analysis you come into possession of classified or proprietary information, the mere possession of which could create legal challenges for you? Imagine findings of this caliber and it becomes easy to recognize why you should always conduct intelligence gathering and footprinting on your own interests before the wrong people do it for you. 
SpiderFoot, as a tool for just such purposes, allows you to understand “as much as possible about a given target in order to perform a more complete security penetration test.” For large networks, this can be a daunting task, and SpiderFoot automates this process significantly, allowing penetration testers to focus their efforts on security testing itself.
Steve provided us with some SpiderFoot history as well as insight on what he finds useful and interesting. He originally wrote SpiderFoot as a C# .NET application in 2005, purely as an exercise to learn C#, having been inspired by BiDiBLAH’s developers from Sensepost (who went on to create Maltego), thinking he could make a lighter open source version. For seven years that was Steve’s first and only release until he decided to resume development again in 2012. His work on next generation versions has led SpiderFoot to be cross platform (Python), far more extensible and functional, with a much nicer user interface (UI).
Steve’s current challenge with SpiderFoot is deciding what cool functionality to implement next; his to-do list is ever growing and there are numerous features he’d love to extend it to include. He typically balances his time between UI/analysis functionality versus new checks to identify more items to aid the penetration tester. The aforementioned OSINT (Open Source Intelligence) community also continues to produce new sources which in turn inspire Steve to build new SpiderFoot checks.
He finds it interesting testing out a new module and actually finding insightful items out there on the Internet simply during the development process. Steve’s favorite functionality at the moment is identifying owned netblocks and co-hosted sites. Owned Netblocks indicates entire IP ranges that an organization owns, which enables penetration testers to more completely scan the perimeter of a target. Co-hosted Sites shows you any websites on the same server as the target, which can also be revealing. If your target is hosted on the same server as sites identified as being malicious by the malicious site checker or the blacklist checker plug-in, it could potentially indicate that your target is hosted on a compromised server.
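To make the two checks Steve singles out concrete, here is an added example of the logic behind them. This is not SpiderFoot’s own code; the DNS results, the owned netblock, and the blacklist are all constructed stand-ins for the lookups SpiderFoot performs, and example.com is an assumed target.

```python
"""Added example (not SpiderFoot's code): owned-netblock membership and
co-hosted-site detection reduced to their logic, with constructed data in
place of the DNS, WHOIS and blacklist lookups so it runs offline."""
import ipaddress
from collections import defaultdict

TARGET_DOMAIN = "example.com"  # assumed target

# Constructed stand-in for forward DNS results SpiderFoot would gather:
# hosts named under the target plus hosts seen on the same IPs.
RESOLVED = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "blog.example.com": "198.51.100.7",
    "shop.example.net": "198.51.100.7",
    "cheap-pharma.example.org": "198.51.100.7",
    "legacy-dash.example.net": "203.0.113.99",
}
# Constructed stand-in for a WHOIS/RIR lookup of ranges the organisation owns.
OWNED_NETBLOCKS = ["203.0.113.0/24"]
# Constructed stand-in for a malicious-site / blacklist feed.
BLACKLIST = {"cheap-pharma.example.org"}


def in_domain(host, domain=TARGET_DOMAIN):
    return host == domain or host.endswith("." + domain)


def owned_netblock_hosts(resolved, netblocks):
    """Hosts whose IP falls inside an owned range, whatever their name.
    This is how a netblock check widens the perimeter beyond what DNS
    enumeration of the target domain alone turns up."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    return sorted(h for h, ip in resolved.items()
                  if any(ipaddress.ip_address(ip) in n for n in nets))


def cohosted_sites(resolved, domain=TARGET_DOMAIN):
    """For each host of the target domain, the foreign hosts sharing its IP."""
    by_ip = defaultdict(set)
    for host, ip in resolved.items():
        by_ip[ip].add(host)
    result = {}
    for host, ip in resolved.items():
        if in_domain(host, domain):
            foreign = {h for h in by_ip[ip] if not in_domain(h, domain)}
            if foreign:
                result[host] = sorted(foreign)
    return result


def suspicious_cohosting(cohosts, blacklist):
    """Target hosts that share a server with a blacklisted site: the hint,
    as the article notes, that the server itself may be compromised."""
    return {host: sorted(set(others) & blacklist)
            for host, others in cohosts.items() if set(others) & blacklist}


if __name__ == "__main__":
    print("owned netblock hosts:", owned_netblock_hosts(RESOLVED, OWNED_NETBLOCKS))
    co = cohosted_sites(RESOLVED)
    print("co-hosted:", co)
    print("suspicious co-hosting:", suspicious_cohosting(co, BLACKLIST))
```

Note that legacy-dash.example.net surfaces only through the netblock check, not through the target’s own DNS names, which is exactly the kind of forgotten asset the article goes on to describe finding.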
As you read this it’s likely that the following planned enhancements are available in SpiderFoot or will be soon:
·         2.1.2 (early March)
o   SOCKS proxy support
o   Real-time scan progress viewer
o   Identify scan quality impacting issue
o   Autoshun (www.autoshun.org) lookup as part of malicious checks
o   SANS (isc.sans.edu) lookup as part of malicious checks (cue the Austin Powers voice: “Yeah, baby!”)
o   Update GeoIP checker
·         2.1.3 (mid April)
o   VirusTotal, SHODAN, Facebook, Xing, Pastebin and GitHub plug-ins
Note that when you pull SpiderFoot from GitHub, you are downloading a beta version of the next release, as Steve commits new functionality there periodically in preparation for the next version. For instance, SOCKS functionality is in the GitHub repository right now but not in the packaged released version (2.1.1).
SpiderFoot is a great project with a strong development roadmap, so let’s get down to business and explore.

Quick installation notes

Windows installation is an absolute no brainer; download the package, unpack it, execute sf.exe, and browse to http://127.0.0.1:5001. All dependencies are met including a standalone Python interpreter, so you may find this option optimal.
Linux (I installed it on SamuraiWTF) users need to settle a few dependencies easily solved with the following few steps that assume pip is already installed:
sudo apt-get install swig
sudo pip install mako cherrypy netaddr M2Crypto dnspython
git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot/
sudo python ./sf.py 0.0.0.0:9999
The last argument tells SpiderFoot to bind to all addresses (including localhost) and listen on port 9999. You can choose your preferred port or, if you omit the argument, accept the default (5001). Steve reminds us on his installation page to be cautious about exposing SpiderFoot to hostile networks (an untrusted intranet, security conference wireless) given that there is currently no authentication scheme; unless you actually need remote access, bind to 127.0.0.1 rather than 0.0.0.0 so the UI is reachable only from the machine it runs on.

SpiderFoot unleashed

The SpiderFoot UI is, how shall I say, incredibly simple, intuitive, and obvious even. To start a scan…wait for it…select New Scan. Figure 1 represents a scan being kicked off on my domain (don’t do it) as defined by the By Module view.

FIGURE 1: Kicking off a new scan with SpiderFoot
If you wish to more granularly define your scans, select the By Required Data view (default) then pick and choose your preferred data points including elements such as malicious affiliations, IP data, URL analysis, SSL certificate information, affiliate details, and many other records. You should then be treated to a success message. Scan results are stored in a SQLite DB so over time you’ll likely build up a collection if you don’t purge. Under the Scans tab, as seen in Figure 2, you can click the scan in the Name column of the table view and review results. You’ll also note status here and can halt the scan if need be. I imagine the real-time scan progress viewer will show itself here in the near future as well.

FIGURE 2: SpiderFoot Scans view
If need be (default settings work quite well), you can tune the actual scan configuration as well via Settings, with attention to how you’d like to tune storage, search engines, port scanning, spidering, TLD searches (see Figure 3), amongst others.

FIGURE 3: SpiderFoot Settings view
When my scan completed, with default settings and all checks enabled, the results included 11360 elements. For you data miners, metrics minions, and hosting harvesters, you can export the results to CSV (see Figure 4) and filter by findings type and module, or your preferred data pivot.

FIGURE 4: SpiderFoot results and export functionality
As I navigated all the results, I was intrigued to find a hit for URL (Uses Flash) simply because I didn’t recall any Flash features on my site. I immediately chuckled when I reviewed the result as it was specific to a Flash video I’d created for the 2008 ISSA Northwest Regional Conference wherein I ripped on the now defunct Hacker Safe trustmark for indicating that their customer’s sites were “hacker safe” when, in fact, they were not. Oh, the good old days.
Want to visualize your results? No problem, you can choose from a bubble view of data elements or the discovery path. Figure 5 represents the discovery path for Social Media Presence findings. Hover over each entity for details specific to initial target type, the source module, and the related result.

FIGURE 5: SpiderFoot visualizes a discovery path
SpiderFoot will absolutely uncover nuggets you may have long forgotten about and may want to remove as they are potentially vulnerable (outdated plugins, modules, etc.) or unnecessarily/unintentionally exposed. I found an old dashboard I’d built by hand eons ago with long dead external JavaScript calls that had no business still being available. “Be gone!”, I said. That is what SpiderFoot is all about. Add it to the tool collection for penetration tests and OSINT expeditions; you won’t be disappointed.

In Conclusion

Steve Micallef’s SpiderFoot is functionally simple but feature rich and getting better all the time as it is well built and maintained. Follow @binarypool on Twitter and keep an eye out for timely and regular releases.
Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.
Cheers…until next month.

Acknowledgements

Steve Micallef (@binarypool), Spiderfoot author

Monday, February 03, 2014

toolsmith: SimpleRisk - Enterprise Risk Management Simplified



Prerequisites/dependencies
LAMP/XAMPP server

Introduction
Our editorial theme for February’s ISSA Journal happens to be Risk, Threats, and Vulnerabilities which means that Josh Sokol’s SimpleRisk as our toolsmith topic is bona fide kismet. I am a major advocate for simplicity and as the occasional practitioner of simpleton arts, SimpleRisk fits my needs perfectly. SimpleRisk is a free and open source web application, released under Mozilla Public License 2.0, and is extremely useful in performing risk management activities. In my new role at Microsoft, I’m building, with a fine team of engineers, a Threat Intelligence and Engineering practice. This effort is intended to be much more robust than what you may currently understand to be Threat Intelligence. Limiting such activity to monitoring threat feeds, deriving indicators of compromise, and reporting out findings is insufficient to cover the vast realm of risk, threats, and vulnerabilities. As such, we include constant threat assessments of our infrastructure and services in a manner that includes risk analysis and threat modeling, based on SDL principles and the infrastructure threat modeling guidance I wrote some years ago. Keeping in mind that threat modeling can be software-centric, asset-centric, and attacker-centric, recognize that the amount of data you generate can be overwhelming. In addition to embracing the principles of good data science, we’ve also expanded our tooling to include the likes of SimpleRisk. I asked Josh to provide us with insight on SimpleRisk in his own words:
As security professionals, almost every action we take comes down to making a risk-based decision.  Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event.  Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.  The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk.  The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets.  It's cumbersome, time consuming, and just plain sucks.  After starting a Risk Management program from scratch at a $1B a year company, I ran into these same barriers, and when budget wouldn't allow me the GRC route, I finally decided to do something about it.  At Black Hat and BSides Las Vegas 2013, I formally debuted SimpleRisk. A SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews.  It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly.  It is under active development with new features being added all the time and can be downloaded at http://www.simplerisk.org.  SimpleRisk is truly Enterprise Risk Management simplified.
I can tell you with certainty that a combination of tactics, techniques, and procedures inclusive of threat modeling and analysis, good data science (read The Field Guide to Data Science), and risk management with the likes of SimpleRisk, will lead to an improved security posture. I’ll walk you through a recreation of various real world scenarios and current events using SimpleRisk after some quick installation pointers.

Quick installation notes

I run SimpleRisk on an Ubuntu 13.10 virtual machine configured with a full LAMP stack. Without question you should read the SimpleRisk LAMP Installation Guide, but I’ll give you a quick overview of my installation steps, establishing SimpleRisk as the primary application in the Apache web root:
1)      cd /var/www
2)      Download the latest installation bundle, currently (subject to change): sudo wget http://simplerisk.googlecode.com/files/simplerisk-20131231-001.tgz
3)      sudo tar zxvf simplerisk-20131231-001.tgz
4)      sudo mv simplerisk/* . (moves all SimpleRisk app files to the web root)
5)      sudo rm simplerisk-20131231-001.tgz (removes the installation bundle)
6)      sudo rm simplerisk (removes the now empty simplerisk directory)
7)      cd ~
8)      Download the SimpleRisk database import: wget http://simplerisk.googlecode.com/files/simplerisk-20131231-001.sql
9)      mysql -u root -p
10)   create database simplerisk;
11)   use simplerisk;
12)   source ~/simplerisk-20131231-001.sql (populates the SimpleRisk database)
13)   GRANT SELECT, INSERT, UPDATE, DELETE ON simplerisk.* TO 'simplerisk'@'localhost' IDENTIFIED BY 'CHANGEME'; (creates the SimpleRisk database user, change CHANGEME to your preferred password)
14)   exit
15)   sudo gedit /var/www/includes/config.php
16)   Edit line 16 with the database password you set in step 13 (you can also change your timezone in config.php)
17)   Browse to your web server’s root and login as admin with password admin
18)   Click the Admin button in the upper right of the UI then click My Profile
19)   Change the admin password!

SimpleRisk and the Flintstones

Flintstone, Inc. a prehistoric cave retailer with a strong online presence has been hacked by the Bedrock Electronic Militia. In one breach, 40 million clams have been stolen, and soon thereafter it is revealed that 70 million additional clams are compromised. Additionally, the attackers have used social engineering to gain access to Flintstone.net social media accounts, including Critter and Cavebook, as well as the Flintstone, Inc. blog. Even the Bedrock news media outlet, Cave News Network, is not immune to Bedrock Electronic Militia’s attacks. Fred and Wilma, the CISO and CEO, are very concerned that their next PCI audit is going to be very difficult given the breach and they want to use SimpleRisk to track and manage the risks they need to mitigate, as well as the related projects necessary to fulfill the mitigations. The SimpleRisk admin has created two accounts for Fred and Wilma; they’re impressed with the fact that the User Management options under Configure are so granular specific to User Responsibilities, including the ability to Submit New Risks, Modify Existing Risks, Close Risks, Plan Mitigations, Review Low Risks, Review Medium Risks, Review High Risks, and Allow Access to "Configure" Menu. Fred and Wilma are also quite happy that the SimpleRisk user interface is so…simple. Fred first uses the Configure | Add and Remove Values menu to add Online and Retail Stores as Site/Location values given the variety and location of risks identified. He also adds Identity Management under Team, as well as POS and Proxy under Technology. Fred notes that the Configure menu also offers significant flexibility in establishing risk formula preferences, review (high, medium, low) settings, and the ability to redefine naming conventions for impact, likelihood, and mitigation effort. He and Wilma then immediately proceed to the Risk Management menu to, you guessed it, begin to manage risks exposed during the breach root cause analysis and after action report. 
To get started the Flintstones immediately identify five risks to document:
1)      Account compromise via social engineering
a.       The Flintstone.net Critter and Cavebook accounts were compromised when one of their social media management personnel were spear phished
2)      Inadequate antimalware detection
a.       One of the spear phishing emails included a malicious attachment that was not detected by Dinosoft Security Essentials
3)      Flintstone, Inc. users compromised via watering hole attacks
a.       A lack of egress traffic analysis, detection, and prevention from Flintstone.net corporate networks meant that users were compromised when enticed to visit a known good website that had been compromised with the Blackrock Exploit Kit
4)      Flintstone.com web application vulnerable to cross-site scripting (XSS)  
a.       Attackers can use XSS vulnerabilities to deliver malicious payloads in a more trusted manner given that they execute in the context of the vulnerable site
5)      Flintstone, Inc. Point Of Sale (POS) compromised with Frack POS malware
a.       All POS devices must be scanned with the SecureSlate’s Frack POS Malware Scan

As seen in Figure 1, Fred can be very specific in his risk documentation.

FIGURE 1: Fred submits risk for SimpleRisk documentation
As Fred works on the watering hole risk, he decides he’d rather use CVSS risk scoring than classic and is overjoyed to discover that SimpleRisk includes a CVSS calculator as seen in Figure 2. There is also an OWASP calculator that Fred uses when populating the XSS risk and a DREAD calculator he uses for the POS risk.

FIGURE 2: Fred calculates a CVSS score with SimpleRisk CVSS calculator
When Fred and Wilma move to the Plan Your Mitigations phase they are a bit taken aback to find that SimpleRisk has stack ranked the XSS risk as the highest, as seen in Figure 3, but they recognize that risk calculations can be somewhat subjective and that each scoring calculator (CVSS, DREAD, OWASP) derives scores differently. SimpleRisk does include links to references for how each is calculated.

FIGURE 3: SimpleRisk risk ranking allows mitigation prioritization
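Because the ranking surprise above comes down to how each calculator maps its inputs onto a score, here is an added example that scores the five Flintstone risks with three of the methods SimpleRisk offers and stack ranks them. This is not SimpleRisk’s code. The CVSS v2 base equations and metric weights are the published ones; the classic (likelihood × impact) and DREAD (mean of five ratings) formulas are assumptions, as are the metric values chosen for each risk, and the XSS risk is scored with CVSS here rather than the OWASP calculator Fred used.

```python
"""Added example (not SimpleRisk's code): three scoring methods applied to
the Flintstone risks and stack ranked on one 0..10 scale. CVSS v2 follows the
published base equations; classic and DREAD formulas here are assumptions."""
from dataclasses import dataclass

# CVSS v2 base metric weights (from the CVSS v2 guide).
CVSS2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
CVSS2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
CVSS2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CVSS2_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base(vector):
    """Base score for a vector like 'AV:N/AC:M/Au:N/C:N/I:P/A:N'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CVSS2_CIA[m["C"]])
                          * (1 - CVSS2_CIA[m["I"]])
                          * (1 - CVSS2_CIA[m["A"]]))
    exploitability = 20 * CVSS2_AV[m["AV"]] * CVSS2_AC[m["AC"]] * CVSS2_AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176  # no impact means no score at all
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def classic(likelihood, impact):
    """Assumed classic formula: likelihood x impact on 1..5 scales, mapped to 0..10."""
    return round(likelihood * impact * 10 / 25, 1)


def dread(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD as the mean of five 0..10 ratings (assumed)."""
    return round((damage + reproducibility + exploitability
                  + affected_users + discoverability) / 5, 1)


@dataclass
class Risk:
    risk_id: int
    subject: str
    method: str
    score: float


def rank(risks):
    """Stack rank on the score regardless of which calculator produced it,
    which is precisely why mixed-method registers can surprise you."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))


def flintstone_register():
    """The five Flintstone risks with constructed metric choices."""
    return rank([
        Risk(1001, "Account compromise via social engineering", "Classic", classic(4, 4)),
        Risk(1002, "Inadequate antimalware detection", "Classic", classic(3, 3)),
        Risk(1003, "Users compromised via watering hole attacks", "CVSS",
             cvss2_base("AV:N/AC:M/Au:N/C:C/I:C/A:C")),
        Risk(1004, "Flintstone.com web application XSS", "CVSS",
             cvss2_base("AV:N/AC:M/Au:N/C:N/I:P/A:N")),
        Risk(1005, "POS compromised with Frack POS malware", "DREAD", dread(9, 7, 6, 8, 5)),
    ])


if __name__ == "__main__":
    for r in flintstone_register():
        print(f"{r.risk_id}  {r.score:>4}  {r.method:<7} {r.subject}")
```

With these inputs the watering hole risk (CVSS 9.3) tops the list and the XSS (CVSS 4.3, the usual reflected-XSS score) sits near the bottom; swap the XSS over to a likelihood-heavy method and it climbs. The lesson Fred and Wilma drew holds: compare scores across calculators only after you understand what each one rewards.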
Fred and Wilma believe that the XSS vulnerability happens to be one they can have mitigated rather quickly and at a low cost, so they choose to focus there first. Clicking No under Mitigation Planned for ID 1004 leads them to the Submit Risk Mitigation page. They submit their planned mitigation as seen in Figure 4.

FIGURE 4: SimpleRisk XSS mitigations submittal
After SimpleRisk accepts the mitigation Fred and Wilma are sent promptly to the Perform Management Reviews phase where they choose to review ID 1001 Account Compromised via social engineering by clicking No in the related row under the Management Review column. Under Submit Management Review they choose to Approve Risk (versus reject), Consider for Project as the Next Step and add Deploy two factor authentication under Comments.
Under Prioritize for Project Planning, Fred and Wilma then add a new project called Two Factor Authentication Deployment. They can add other projects and prioritize them later. They also set a schedule to review risks regularly after planning mitigations for, and conducting reviews of, their remaining risks.
As the CISO and CEO of Flintstone, Inc., Fred and Wilma love their executive dashboards. They check the SimpleRisk Risk Dashboard under Reporting, as seen in Figure 5.

FIGURE 5: SimpleRisk Risk Dashboard
They also really appreciate that SimpleRisk maintains an audit trail for all changes and updates made.
Finally, Fred and Wilma decide to take advantage of some SimpleRisk “extras” that cost a bit but are offered under a perpetual license:
·         Custom Authentication Extra: Currently provides support for Active Directory Authentication and Duo Security multi-factor authentication, but will have other custom authentication types in the future.
·         Team Based Separation Extra: Restriction of risk viewing to team members the risk is categorized as.
·         Notification Extra: Email notifications when risks are updated or due for action.
·         Encrypted Database Extra: Encryption of sensitive text fields in the database.

In Conclusion

Josh has devised a great platform in SimpleRisk; I’m really glad to have caught mention of it rolling by in Twitter reads. It fits really nicely in any threat/risk management program. On a related note, as I write this Adam Shostack’s new book, Threat Modeling: Designing for Security, is nearing its publication date (17 FEB 2014, Wiley). Be sure to grab a copy and incorporate its guidance into your risk, threat and vulnerability management practice along with the use of SimpleRisk.
Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.
Cheers…until next month.

Acknowledgements

Josh Sokol, SimpleRisk developer and project lead

Wednesday, January 15, 2014

2013 Toolsmith Tool of the Year: Recon-ng

Congratulations to Tim Tomes of Black Hills Information Security.
@LaNMaSteR53's Recon-ng is the 2013 Toolsmith Tool of the Year.
We had quite the turnout this year, with 881 total votes.
Recon-ng finished first with 44% of the vote, in a very tight race with ProcDOT which came in second with 40%, and all others pulling up the rear.
Tim will receive a book of his choosing or a donation to his preferred charity. 


Congratulations and thank you to all of this year's participants. 2014 should bring us another great year of tools for information security practitioners. Please feel free to submit your favorites for consideration.

Wednesday, January 01, 2014

toolsmith: Tails - The Amnesiac Incognito Live System


Privacy for anyone anywhere



Prerequisites/dependencies
Systems that can boot DVD, USB, or SD media (x86, no PowerPC or ARM), 1GB RAM

Introduction
“We will open the book. Its pages are blank. We are going to put words on them ourselves. The book is called Opportunity and its first chapter is New Year's Day.”  -Edith Lovejoy Pierce

First and foremost, Happy New Year!
If you haven’t read or heard about the perpetual stream of rather incredible disclosures continuing to emerge regarding the NSA’s activities as revealed by Edward Snowden, you’ve likely been completely untethered from the Matrix or have indeed been hiding under the proverbial rock. As the ISSA Journal focuses on Cyber Security and Compliance for the January 2014 issue, I thought it a great opportunity to weave a few privacy related current events into the discussion while operating under the auspicious umbrella of the Cyber Security label. The most recent article that caught my attention was Reuters reporting that “as a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry.” The report indicates that RSA received $10M from the NSA in exchange for utilizing the agency-backed Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) as its preferred random number algorithm, an allegation that RSA denies in part.
In September 2013 the New York Times reported that an NSA memo released by Snowden declared that “cryptanalytic capabilities are now coming online…vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." Ars Technica’s Dan Goodin described Operation Bullrun as “a combination of ‘supercomputers, technical trickery, court orders, and behind-the-scenes persuasion’ to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.” Finally, consider that, again as reported by DanG, a senior NSA cryptographer, Kevin Igoe, is also the co-chair of the Internet Engineering Task Force’s (IETF) Crypto Forum Research Group (CFRG). What could possibly go wrong? According to Dan, Igoe's leadership had largely gone unnoticed until the above mentioned reports surfaced in September 2013 exposing the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers."
I must admit I am conflicted. I believe in protecting the American citizenry above all else. The NSA claims that their surveillance efforts have thwarted attacks against America. Regardless of the debate over the right or wrong of how or if this was achieved, I honor the intent. Yet, while I believe Snowden’s actions are traitorous, as an Internet denizen I can understand his concerns. The problem is that he swore an oath to his country, was well paid to honor it, and then violated it.  Regardless of my take on these events and revelations, my obligation to you is to provide you with tooling options. The Information Systems Security Association (ISSA) is an international organization of information security professionals and practitioners. As such, are there means by which our global readership can better practice Internet privacy and security? While there is no panacea, I propose that the likes of The Amnesiac Incognito Live System, or Tails, might contribute to the cause. Again, per the Tails team themselves: “Even though we're doing our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem.” That said, Tails endeavors to help you preserve your privacy and anonymity. Tails documentation is fabulous; you would do well to start with a full read before using Tails to protect your privacy for the first time.

Tails
Tails, a merger of the Amnesia and Incognito projects, is a Debian 6 (Squeeze) Linux distribution that works optimally as a live instance via DVD, USB, or SD media. Tails seeks to provide online anonymity and censorship circumvention with the Tor anonymity network to protect your privacy online. All software is configured to connect to the Internet through Tor and if an application tries to connect to the Internet directly, the connection is automatically blocked for security purposes. At this point the well informed amongst you are likely uttering a “whiskey tango foxtrot, Russ, in October The Guardian revealed that the NSA targeted the Tor network.” Yes, true that, but it doesn’t mean that you can’t safely use Tor in a manner that protects you. This is a great opportunity however to direct you to the Tails warning page. Please read this before you do anything else, it’s important. Schneier’s Guardian article also provides nuance. “The fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.”
Getting under way with Tails is easy. Download it, burn it to your preferred media, load the media into your preferred system, and boot it up. I prefer using Tails on USB media inclusive of a persistence volume, just remember to format the USB media in a manner that leaves room to create the persistent volume.
When you boot Tails, the first thing you’ll see, as noted in Figure 1 is the Tails Greeter which offers you More Options. Selecting Yes leads you to the option to set an administrative password (recommended) as well as Windows XP Camouflage mode (makes Tails look like Windows XP when you may have shoulder surfers).

FIGURE 1: Tails Greeter
You can also boot into a virtual machine, but there are some specific drawbacks to this method (the host operating system and the virtualization software can monitor what you are doing in Tails). However Tails will warn you as seen in Figure 2.

FIGURE 2: Tails warns regarding a VM and confirms Tor
Tor

You’ll also note in Figure 2 that TorBrowser (built on Iceweasel, Debian’s rebranded Firefox) is already configured to use Tor, including the Torbutton, as well as NoScript, Cookie Monster, and Adblock Plus add-ons. There is one Tor enhancement to consider that can be added during the boot menu sequence for Tails where you can interrupt the boot sequence with Tab, hit Space, and then add bridge to enable Tor Bridge Mode.  According to the Tor Project, bridge relays, or bridges for short, are Tor relays that aren't listed in the main Tor directory. As such, even if your ISP is filtering connections to all known Tor relays, they probably won't be able to block all bridges. If you suspect access to the Tor network is being blocked, consider use of the Tor bridge feature as supported fully by Tails when booting in bridge mode. Control Tor with Vidalia, which is available via the onion icon in the notification area found in the upper right area of the Tails UI. 
One last note on Tor use as already described on the Tails Warning page you should have already read. Your Tor use is only as good as your exit node. Remember, “Tor is about hiding your location, not about encrypting your communication.” Tor does not, and cannot, encrypt the traffic between an exit node and the destination server. Therefore, any Tor exit node is in a position to capture any traffic passing through it and you should thus use end-to-end encryption for all communications. Be aware that Tails also offers I2P as an alternative to Tor.

Encryption Options and Features

HTTPS Everywhere is already configured for you in Tor Browser. HTTPS Everywhere uses a ruleset with regular expressions to rewrite URLs to HTTPS. Certain sites offer limited or partial support for encryption over HTTPS, but make it difficult to use where they may default to unencrypted HTTP, or provide hyperlinks on encrypted pages that point back to the unencrypted site.

You can use Pidgin for instant messaging which includes OTR or off-the-record encryption. Each time you start Tails you can count on it to generate a random username for all Pidgin accounts.

If you’re afraid the computer you’ve booted Tails on (a system in an Internet café or library) is not trustworthy due to the likes of a hardware keylogger, you can use the Florence virtual keyboard, also found in the notification area as seen in Figure 3.

FIGURE 3: The Tails virtual keyboard
If you’re going to create a persistent volume (recommended) when you use Tails from USB media, do so easily with Applications | Tails | Configure persistent volume. Reboot, then be sure to enable persistence with the Tails Greeter. You will need to set up the USB stick to leave unused space for a persistent volume.
You can securely wipe files and cleanup available space thereafter with Nautilus Wipe. Just right click a file or files in the Nautilus file manager and select Wipe to blow it away…forever…in perpetuity.
KeePassX is available to securely manage passwords and store them on your persistent volume. You can also configure all your keyrings (GPG, Gnome, Pidgin) as well as Claws Mail. Remember, the persistent volume is encrypted upon creation.
You can encrypt text with a passphrase, encrypt and sign text with a public key, and decrypt and verify text with the Tails gpgApplet (the clipboard in the notification area).

One last cool Tails feature that doesn’t garner much attention is the Metadata Anonymisation app. This is not unlike Informatica 64’s OOMetaExtractor, the same folks who bring you FOCA as described in the March 2011 toolsmith.  Metadata Anonymisation is found under Applications then Accessories. This application will strip all of those interesting file properties left in metadata such as author names and date of creation or change. I have used my share of metadata to create a target list for social engineering during penetration tests so it’s definitely a good idea to clean docs if you’re going to publish or share them if you wish to remain anonymous. Figure 4 shows a before and after collage of PowerPoint metadata for a recent presentation I gave.
FIGURE 4: Metadata cleanup with Tails
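As an added illustration of what the metadata cleanup in Figure 4 removes, the following example (not the Tails anonymisation tool’s code) reads and strips the core and extended properties of an Office Open XML package, which is just a zip of XML parts. The sample .pptx is constructed in memory with a fictional author and company; which properties to drop is a choice made here, not the tool’s list.

```python
"""Added example (not the Tails metadata anonymisation tool): strip the
identifying docProps of an Office Open XML package (.docx/.pptx/.xlsx).
The sample package and its author/company values are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
DCMITYPE = "http://purl.org/dc/dcmitype/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for prefix, uri in (("cp", CP), ("dc", DC), ("dcterms", DCTERMS), ("dcmitype", DCMITYPE), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)
ET.register_namespace("", APP)

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Properties dropped here (a choice for this example); title and Application are kept.
SCRUB = {"creator", "lastModifiedBy", "revision", "created", "modified", "lastPrinted",
         "Company", "Manager", "TotalTime"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def build_sample_pptx():
    """Constructed minimal package carrying the kind of properties Office writes."""
    core = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}" xmlns:dcmitype="{DCMITYPE}" xmlns:xsi="{XSI}">
  <dc:title>Quarterly review</dc:title>
  <dc:creator>Alice Example</dc:creator>
  <cp:lastModifiedBy>bob.example</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2013-11-02T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2013-12-20T17:42:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<Properties xmlns="{APP}">
  <Application>Microsoft Office PowerPoint</Application>
  <Company>Example Corp</Company>
  <TotalTime>342</TotalTime>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


def read_metadata(doc):
    """Flatten core and app properties into {local-name: text}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for part in METADATA_PARTS:
            if part in z.namelist():
                for el in ET.fromstring(z.read(part)):
                    found[_local(el.tag)] = el.text or ""
    return found


def strip_ooxml_metadata(doc):
    """Rewrite the package with the SCRUB properties removed and every zip
    entry timestamp reset (entry mtimes leak editing dates as well)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename in METADATA_PARTS:
                root = ET.fromstring(data)
                for el in list(root):
                    if _local(el.tag) in SCRUB:
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            entry = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            entry.compress_type = zipfile.ZIP_DEFLATED
            zout.writestr(entry, data)
    return out.getvalue()


def zip_timestamps(doc):
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return {info.date_time for info in z.infolist()}


if __name__ == "__main__":
    sample = build_sample_pptx()
    print("before:", read_metadata(sample))
    print("after: ", read_metadata(strip_ooxml_metadata(sample)))
```

This covers only the document properties. Embedded images keep their EXIF, thumbnails, comments and tracked changes live in other parts, and the slide content itself may still name you; the Tails tool goes further than this, which is why you should run it rather than hand-roll cleanup before publishing.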
There are numerous opportunities to protect yourself using The Amnesiac Incognito Live System and I strongly advocate for you keeping an instance at the ready should you need it. It’s ideal for those of you who travel to hostile computing environments, as well as for those of you non-US readers who may not benefit from the same level of personal freedoms and protection from censorship that we typically enjoy here in the States (tongue somewhat in cheek given current events described herein).

Conclusion

Aside from hoping you’ll give Tails a good look and make use of it, I’d like to leave you with two related resources well worth your attention. The first is a 2007 presentation from Dan Shumow and Niels Ferguson of Microsoft titled On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng. Yep, the same random number generator as described in the introduction to this column. The second resource is from bettercrypto.org and is called Applied Crypto Hardening. Systems administrators should definitely give this one a read.
Enjoy your efforts to shield yourself from watchful eyes and ears and let me know what you think of Tails. Ping me via Twitter via @holisticinfosec or email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...