Puppy Linux Discussion Forum
Hacking data
Page 1 of 3 [44 Posts]
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 10:59    Post subject: Hacking data

Today I encrypt my files. This is good. A good exercise. There's nothing to hide but then again it is impolite if others nosey around one's affairs. And maybe dangerous.

The question is when we enter the password into the box to do the file encryption and it happened that an intruder in the aether saw that data being entered by some means of intrusion, could such a thing happen? I have no idea.

Later when we need to use the password this takes place I believe at BIOS level so nobody can observe it and this occurs before connecting to the world wide globus.

Encryption appears to be an action difficult to explain in terms that are easy to comprehend.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10961
Location: Arizona USA

Posted: Mon 08 Jul 2013, 15:39

Well, an app running under the OS, whether Linux or Windows, is what encrypts the files, even if the files are to be stored in the "cloud." If a keystroke logger has somehow been installed in the OS, it could secretly record your password, along with every other key you hit, and perhaps transmit the whole mess to somewhere in the cloud, for who knows what reason.

Encryption is just another method of access control. A major problem with encryption is that the algorithms are too good. If you lose the password, you can forget about ever recovering the encrypted information. A more practical method of controlling access to archived information would be for instance to put it unencrypted on a DVD or in a flash drive, then put the DVD or flash drive in a place that is safe from prying eyes.
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 18:03

Normally I remove the memory stick from the computer for safety reasons but yesterday I neglected to do so for several hours while connected. At that point I removed the stick and powered off without saving (force dismount?)

Could files on the stick be changed in some way, adding files for example, by some hacker on my network even when I do not allow Puppy to do the final 'save' routine as it closes down, because the memory stick has been removed? Or do the changes occur only in RAM, or both RAM and the disk? (Later I'll post some explanations from Truecrypt for extra confusion)

Let's say the stick is attached for a few hours and periodically you see the Yellow Box saying it is saving, then you remove the stick and switch off the power, have any changes to the original files taken place on the memory disk?

http://www.truecrypt.org/docs/unencrypted-data-in-ram
http://www.truecrypt.org/docs/paging-file#Y797
Some interesting notes here. I'll go through them and see if we can make some sense out of all this. At this point there are a few unanswered questions in need of clarification.
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Mon 08 Jul 2013, 19:34    Post subject: Re: Hacking data

Edwardo wrote:
The question is when we enter the password into the box to do the file encryption and it happened that an intruder in the aether saw that data being entered by some means of intrusion, could such a thing happen? I have no idea.

Encryption with free software like Peazip and truecrypt permit a "keyfile" to be used with/instead-of a password, which will stymie someone relying on a keylogger.

Last edited by Barkin on Mon 08 Jul 2013, 19:46; edited 2 times in total
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 19:41    Post subject: Re: Hacking data

Barkin wrote:
Edwardo wrote:
The question is when we enter the password into the box to do the file encryption and it happened that an intruder in the aether saw that data being entered by some means of intrusion, could such a thing happen? I have no idea.

Encryption with free software like Peazip and truecrypt permit a "keyfile" to be used with/instead-of a password, which will stymie someone relying on a keylogger.


Hi Barkin.

I came across this just now.
http://www.ivizsecurity.com/security-advisory-iviz-sr-0803.html via a Wilder's post.

TrueCrypt Security Model bypass exploiting wrong BIOS API usage
Synopsis
The password checking routine of TrueCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords.
Affected Software
TrueCrypt 5.0 (possibly older versions also)
Technical Description
Truecrypt's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e. It is also possible for a root user to reboot the computer by incrementing the BIOS keyboard buffer in spite of the full disk encryption.
Impact
1) Plain text password disclosure. Required privileges to perform this operation are OS dependant, from unprivileged users under Windows (any), to root under most Unix.

2) A privileged attacker able to write to the MBR and knowing the password (for instance thanks to 1), is able to reboot the computer in spite of the password prompted at boot time (and in spite of disk encryption) by initializing the BIOS keyboard buffer with the correct password (using an intermediary bootloader that will in turn run TrueCrypt).

This particular BIOS bug has been fixed by TC. I posted this because this is the first time I know about such things as "BIOS Keyboard buffer inside the BIOS Data Area". All very curious. Mysteries within mysteries. Quite fascinating.
I think if I were a bug this is a place I might like to be hiding.
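The buffer behaviour described in the advisory quoted in the post above, as an added example that is not part of the original thread or of TrueCrypt's code: a constructed in-memory model of the BIOS keyboard ring (head and tail pointers at 0x40:0x1A and 0x40:0x1C, data at 0x40:0x1E) showing that reading keys only advances a pointer, and that zeroing the ring before and after the prompt leaves nothing behind. All function names and the sample password are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the BIOS Data Area (segment 0x40), not real hardware.
   Head pointer at 0x1A, tail at 0x1C, 16 (ASCII, scancode) slots at 0x1E..0x3D. */
enum { KB_HEAD = 0x1A, KB_TAIL = 0x1C, KB_BUF = 0x1E, KB_END = 0x3E };
static uint8_t bda[0x100] = { [KB_HEAD] = KB_BUF, [KB_TAIL] = KB_BUF };
static uint16_t rd16(int o) { return (uint16_t)(bda[o] | (bda[o + 1] << 8)); }
static void wr16(int o, uint16_t v) { bda[o] = (uint8_t)v; bda[o + 1] = (uint8_t)(v >> 8); }
static uint16_t next(uint16_t p) { p += 2; return p >= KB_END ? KB_BUF : p; }

/* Mitigation: zero every slot and reset both pointers. */
static void kb_scrub(void) {
    volatile uint8_t *p = bda + KB_BUF;
    for (int i = 0; i < KB_END - KB_BUF; i++) p[i] = 0;
    wr16(KB_HEAD, KB_BUF); wr16(KB_TAIL, KB_BUF);
}
/* Keyboard interrupt side: store the key at the tail, advance the tail. */
static void kb_push(char c) {
    uint16_t t = rd16(KB_TAIL);
    bda[t] = (uint8_t)c;          /* scancode byte left at 0 in this model */
    wr16(KB_TAIL, next(t));
}
/* "Read key" side: only the head pointer moves; the slot keeps its contents. */
static int kb_read(void) {
    uint16_t h = rd16(KB_HEAD);
    if (h == rd16(KB_TAIL)) return -1;
    wr16(KB_HEAD, next(h));
    return bda[h];
}
/* Number of typed characters still present in the ring. */
static int kb_residue(void) {
    int n = 0;
    for (int o = KB_BUF; o < KB_END; o += 2) n += bda[o] != 0;
    return n;
}
/* Simulated pre-boot prompt: returns what is left behind after the read. */
static int prompt(const char *typed, char *out, int scrub) {
    int n = 0;
    if (scrub) kb_scrub();                    /* before: drop preloaded keys */
    for (; *typed; typed++) { kb_push(*typed); out[n++] = (char)kb_read(); }
    out[n] = '\0';
    if (scrub) kb_scrub();                    /* after: drop the password */
    return kb_residue();
}
int main(void) {
    char pw[32];
    printf("no scrub: %d chars left\n", prompt("hunter2-demo", pw, 0));
    printf("scrubbed: %d chars left\n", prompt("hunter2-demo", pw, 1));
    return 0;
}
```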
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Mon 08 Jul 2013, 20:04    Post subject: Re: Hacking data

Edwardo wrote:
Hi Barkin.

I came across this just now.
http://www.ivizsecurity.com/security-advisory-iviz-sr-0803.html

If you used a keyfile with a password this vulnerability would be avoided : BIOS does not "know" about a keyfile.

BTW "A privileged attacker" usually means someone who can lay their hands on your computer.

Last edited by Barkin on Mon 08 Jul 2013, 20:30; edited 1 time in total
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 20:14    Post subject: Re: Hacking data

Barkin wrote:
If you used a keyfile with a password this vulnerability would be avoided : BIOS does not "know" about a keyfile.


Is this the method Bcrypt uses?
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Mon 08 Jul 2013, 20:21    Post subject: Re: Hacking data

Edwardo wrote:
Barkin wrote:
If you used a keyfile with a password this vulnerability would be avoided : BIOS does not "know" about a keyfile.


Is this the method Bcrypt uses?

IIRC some implementations of Bcrypt permit a keyfile, [the no-frills version of Bcrypt I have on Windows doesn't].
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 20:53    Post subject: Re: Hacking data

Barkin wrote:
Edwardo wrote:
Barkin wrote:
If you used a keyfile with a password this vulnerability would be avoided : BIOS does not "know" about a keyfile.


Is this the method Bcrypt uses?

IIRC some implementations of Bcrypt permit a keyfile, [the no-frills version of Bcrypt I have on Windows doesn't].


OK. What about Bcrypt on Puppy 5.5, Does it use a keyfile?
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Mon 08 Jul 2013, 22:03    Post subject: Re: Hacking data

Edwardo wrote:
OK. What about Bcrypt on Puppy 5.5, Does it use a keyfile?

The Implementation of Bcrypt which comes with Puppy 525 does not use keyfiles.

I use PeaZip and select 7z format, which does permit the use of keyfiles. NB: If you lose (or modify) the keyfile you are locked-out. Any file can be used as a keyfile: a document, an image, an audio-file, or specifically made keyfile filled with random stuff, (see below).
[Attached image: Bcrypt on lupu-525 , no keyfile, only password.gif]

[Attached image: The contents of a KeyFile generated by PeaZip shown in a Hex editior.png. Description: A KeyFile made by PeaZip]
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Mon 08 Jul 2013, 23:27

Flash wrote:
Well, an app running under the OS, whether Linux or Windows, is what encrypts the files, even if the files are to be stored in the "cloud." If a keystroke logger has somehow been installed in the OS, it could secretly record your password, along with every other key you hit, and perhaps transmit the whole mess to somewhere in the cloud, for who knows what reason.

Encryption is just another method of access control. A major problem with encryption is that the algorithms are too good. If you lose the password, you can forget about ever recovering the encrypted information. A more practical method of controlling access to archived information would be for instance to put it unencrypted on a DVD or in a flash drive, then put the DVD or flash drive in a place that is safe from prying eyes.


You might for example use the serial number for a part on the boiler, something permanently installed in the house. Or the chassis number of your auto, with a salt, or a book's ISBN number. On the bottom of my desklamp the number 1812IPO27-G is stamped. I find I can train myself to memorize 15 digits just as an exercise with repetitive use. I just ordered a few wrist-band USBs. All of this is overkill of course but a recent disaster has made me think more carefully about these kinds of things. Why not. Making strong security an embedded way of life without it being too onerous.

What about Chinese and Japanese symbols?
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Tue 09 Jul 2013, 01:14

Edwardo wrote:
... with a salt

see ... http://www.murga-linux.com/puppy/viewtopic.php?p=623478#623478

Edwardo wrote:
... a book's ISBN number

If your house catches fire that won't be much use to access your encrypted data in the "cloud".

When it comes to passwords, size matters ... https://www.grc.com/haystack.htm

MD5sum calculators always generate a 32 character hexadecimal number whatever file or text you put into them. A 32 character hexadecimal number allows about 10^39 permutations, which would take trillions of years to crack by brute force.
Edwardo

Joined: 26 Jun 2013
Posts: 42

Posted: Tue 09 Jul 2013, 04:19

Thank you for the link to Steve Gibson, Barkin, this is excellent information. Again, fascinating.

If I may I would like to put a series of simple questions to the forum re general security matters such as wifi, passwords, intrusion detection, intrusion prevention and so on, one by one so things don't get mixed up. Please forgive if we go over topics already discussed, if so a forum link would suffice.

The first is this. My house wifi antenna connected to my home router box is several kilometers distant from the AP. Should I assume my wifi signals can be intercepted by attackers at all points along this route from the house to the AP, or can they be intercepted only when the attacker is in close proximity to my home antenna/router?
Barkin


Joined: 12 Aug 2011
Posts: 678

Posted: Tue 09 Jul 2013, 06:59

Edwardo wrote:
My house wifi antenna connected to my home router box is several kilometers distant from the AP. Should I assume my wifi signals can be intercepted by attackers at all points along this route from the house to the AP, or can they be intercepted only when the attacker is in close proximity to my home antenna/router?

You should select the most recent method to encrypt your wi-fi link to prevent neighbours (within WiFi range ~100 meters) from eavesdropping, which is WPA2, (not WEP). If you choose a random key (password) of 16 characters, your wi-fi is secure, (use upper and lower case letters).

https://www.google.com/search?q=router+wpa2+encryption+setup+how

If you view a website use https if available rather than http, again to prevent eavesdropping by anyone anywhere en-route, you can get a browser plugin for that ... https://www.eff.org/https-everywhere

Financial transactions are always via https links.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10961
Location: Arizona USA

Posted: Tue 09 Jul 2013, 10:30

Actually if you're really paranoid it isn't a bad idea to use a book's ISBN number for an encryption key. If the book is lost or stolen, you can find the exact same book and it will have the same ISBN number. It's easier to remember the title of a book than its ISBN number. Just be sure to choose a book that was popular, so there will be a lot of them in used book stores, but not too popular. Don't use a bible for instance, that would be too easy to guess.