Transparent encryption and decryption in rust with cryptostreams

C# developers have long been spoiled when it comes to quickly and easily getting up and running with encryption thanks to the .NET CryptoStream class, which wraps a Stream instance in a second Stream that automatically encrypts/decrypts anything read/written to/from it before passing it along to the underlying Stream. Long story short, it makes it ridiculously easy to add encryption or decryption facilities to an existing pipeline, as after setting up the CryptoStream instance you can just treat it like any other Stream object and read or write to it normally.

Encryption has been somewhat of a sore spot in the rust ecosystem after a few false starts with “native” rust encryption libraries that went nowhere, but today the rust community has fortunately adopted the OpenSSL bindings as the approach of choice, and the rust-openssl crate makes it easy to both bundle and consume the openssl bindings from rust in a cross-platform manner. What it doesn’t do is make encryption and decryption any easier than OpenSSL itself does.

Continue reading

Windows users vulnerable to Meltdown/Spectre until at least January 9, 2018

Security-conscious Windows users attempting to protect themselves against Meltdown and Spectre attacks in the wild are being met with a deceptive “Your device is up to date” message — but they’re not yet protected.

In the days following the disclosure of CPU cache attacks Meltdown and Spectre, hardware, kernel, and software developers have rushed to provide security updates for their respective devices and platforms in an (ongoing) effort to secure their users against the wide-ranging (and not yet fully understood/internalized) side-channel vulnerabilities disclosed a few days ago on the 3rd of January, 2018.

For those that aren’t up to date on these attacks – stop now, and read this excellent LWN article on Meltdown and Spectre; if you’re so inclined, you can even have a look at the original Google Project Zero article where it all started.1

Continue reading

  1. While the latter is more technical in nature, programming-inclined readers in the audience may find it to actually be easier to grok with its more definite and concrete approach, vs. the somewhat abstract nature of pretty much all the other coverage out there.

Let’s stop punishing IoT devices that embrace HTTPS, shall we?

HTTPS is the future and the future is (finally) here. Secure HTTP requests that provide end-to-end encryption between the client making the request and the server providing it with the requested content are finally making some headway, with almost a third of the top one million sites on the internet serving content over SSL:1

But what this chart doesn’t show is an important subsection of HTTP traffic that is unfortunately infamous for a general lack of security: IoT. The “internet of things,” as it is called, is famous for fiascoes that have allowed hackers to break into the privacy of homes, spying on consumers via internet-enabled nanny cams, gaining access to so-called “smart locks” to break into houses, obtaining sensitive information, and exposing private content and data thanks to insecurely designed consumer products and services that live on the local network.

Continue reading

  1. Source: BuiltWith SSL trends

A free LastPass to 1Password conversion utility

1Password and LastPass are probably the two best known names in the password storage business, having been around since 2006 and 2008, respectively. Back in 2008, the internet was a very different place than it is today, especially when it comes to security. Since then, a lot has changed and the world has (hopefully) become a more security-conscious place – and security experts have come to a consensus on a lot of practices and approaches when it comes to encryption and the proper handling of sensitive data.

Both of these password managers are heavily vetted and constantly under scrutiny from security researchers, crackers, state security agencies, white hat hackers, and more, with open bug bounty programs [1] [2] (though some considerably more generous than others), and are probably “safe” choices for the average computer user… to an extent.

Continue reading

Beware of this new Chrome “font wasn’t found” hack!

Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts. This one relies on using JavaScript to change the text rendering, causing it to resemble mis-encoded text with symbols and rubbish in place of the content, then prompts the user to update “Chrome’s language pack” to fix the problem.

Continue reading

SecureStore: a .NET secrets manager

SecureStore is our open-source (MIT-licensed) solution to secrets management for .NET developers. It’s intended to be dead simple and boldly embraces the KISS principle. We’ve been using it in production for a while now (years, actually!), but hadn’t gotten around to officially releasing it despite its public availability on our GitHub page.

Continue reading

Answers to password reset questions are passwords too — so why aren’t we treating them that way?

If you’re a developer working on or maintaining a website catering to the general public, chances are you’ve implemented some form of password reset via security question-and-answer into your site. How are you storing the answers to these questions in your database? Are you encrypting them? Storing the (hopefully cryptographic, salted) hashes? Or are you storing them in plain text?

I can’t answer for you, but I can tell you that I’ve never used a system that didn’t leave tell-tale signs of storing these answers in plaintext. Here’s the thing – if it’s possible to use these answers to reset a password, then these answers, by extension, are passwords too.

In some ways, answers to password reset questions are more important than the password itself. With the password, an attacker can compromise and gain control of a user’s account. With the answers to security questions, an attacker can compromise a user’s entire online and offline security, steal their identity, and quite literally ruin their lives. Think about it: these same questions (mother’s maiden name, childhood best friend, street you grew up on, where you were on New Year’s Eve of 2000) are the same questions every site asks you to confirm your identity and reset your password. They’re the questions your telephone banker asks before divulging account info or letting you wire money to an international account. They’re the questions that you’ll be asked when applying for a credit card to prove you’re who you claim to be.

Continue reading

Connecting to WPA2-Secured Wi-Fi with Windows XP x64

A while back, we reported on how, if you’re a Windows XP x64 user, Microsoft didn’t think you needed the additional Wi-Fi security offered by the WPA2 encryption protocol – which just happens to be one of the only two non-trivial Wi-Fi protection schemes available at the same time. Well, chin up, because if you’re a Windows XP 64-bit Edition user, you can now up that security level on your router and enjoy WPA2-encrypted networking bliss.

That’s right, 64-bit users can now use WPA2 just like the rest of the world has been doing (including Linux x64 users, OS X users, Windows XP 32-bit, and just about every other operating system on the planet). It seems that Windows XP x64 SP2 includes the hotfix, which Microsoft still refuses to release separately, though the 32-bit version was released as a hotfix two years before XP x64 SP2 was made available.

Anyway, all you need to do to be able to connect to WPA2-encrypted networks is download and install Service Pack 2, then connect using your Wi-Fi connection tool of choice, including the Windows Zero-Configuration Wi-Fi module.

You can read the official release notes for Service Pack 2 – just skip down to the “Wireless Protected Access 2” section and read. Congratulations Windows x64 users, and welcome to the world of the secure. Say thank you to Microsoft for giving you their blessing to enter, but be careful, the party is almost over. So much for a 64-bit future – and Microsoft wants to make Vista the last 32-bit operating system. Scary.

Hat-Tip: Dan

Why isn’t WPA2 an Automatic Update?

If you’re using Wi-Fi in your workplace, chances are you’re using WPA2 security. After all, nothing else is worth using. WEP (extended or otherwise) was cracked virtually before it was even released; despite the obvious misnomer, you do not want to be using this! WPA came a while later, and is several hundred times more secure. Unfortunately, WPA is also susceptible to wireless cracking techniques, and if you aren’t using a strong password, it’s even less secure than a WEP-encrypted network.

Continue reading

Opera, Redirection, Security, and You

I like Opera. Opera 9 is a great piece of software that demonstrates high levels of innovation and understanding for the audience… but there is one thing in Opera that can at once be seen as the beginning of a new form of innovation, or the beginning of a new type of battle for online rights and privacy.

A browser runs on the end users’ computers, obviously, and it may be argued that end users have the right to choose how they want to be able to view web pages, what they see, how they see it, and where they go from there. To that end, Opera (like several other cool browsers) offers “Author Mode” and “User Mode” CSS display styles: basically a place where users can locally override CSS selectors defined on the website in question. That is, after all, what the web is all about, isn’t it? Information at the fingertips, in an internationally recognized format that can be twisted at will to make things show up the way the user wants them to.

Continue reading