More Secure Ways To Send Data

Today on the show we go over the security news of the week. We talk about ProtonMail and TutaNota encrypted mail. We talk about Signal, iMessage, and WhatsApp. We get into the open-source software Globaleaks and much more.

We Talk News of The Week

  • Russian hackers were inside Ukraine’s telecoms
  • Russia hacks more than 10,000 security cameras in Ukraine
  • 23andMe hit with over 30 lawsuits
  • LastPass is making changes
  • Ivanti and Juniper have patches
  • Microsoft Patch Tuesday
  • Globaleaks: A Secure Way To Send Data To a Source

Plus Much More.

The Security Assessment Podcast is Brought To You By Lipani Security LLC.

(Full Show Transcript)

Using Signal for Secure Messaging

Signal is an encrypted messaging service for instant messaging, voice, and video calls. The Signal Foundation was launched in February 2018 as a 501(c)(3) nonprofit with the mission to develop open-source privacy technology that protects free expression and enables secure global communication.

I recommend everyone use an end-to-end encryption type messenger like Signal. End-to-end encryption is a method of secure communication that prevents third parties from accessing data while it’s transferred from one system or device to another. Communications like Snapchat, Facebook Messenger, Skype, Google Chat, and text messaging are not secure and can be viewed by the providers and third parties.

Signal verifies that phone numbers are real: a third-party service sends a registration code via SMS or voice call to confirm that the person in possession of a given phone number intended to sign up for a Signal account. This is a critical step in preventing fake accounts from signing up for the service.

Signal encrypts messages so that only the sender and receiver can read them. Signal also uses metadata encryption technology to protect intimate information about who is communicating with whom. Signal can’t read or access any end-to-end encrypted messages because the keys required to decrypt them are on your device, not Signal’s servers. If Signal were asked to provide information to authorities, it would be unable to, since it does not hold the keys and, for this reason, stores very little if any data on its servers.

Signal is even proactive about storing undelivered messages. When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity.

To add an extra layer of security for held messages, Signal uses server infrastructure from several providers, such as Amazon AWS, Google Cloud, and Microsoft Azure, so that not all queued messages sit in one place in the event of a security breach. Even if there were a breach of these messages, Signal can’t access them, and neither can the companies that provide the infrastructure or the attackers, because the keys are on the user’s device, not the server.

Signal added Snapchat-like features with a feature called scheduling messages. Timers may be attached to messages to automatically delete them from both the sender’s and the receivers’ devices. The period for keeping the message may be between five seconds and one week and begins for each recipient once they have read their copy of the message. Signal has in addition added a stories feature, which is something available on all messaging platforms.

Since most Apple and Android devices back up to the cloud, Signal excludes users’ messages from non-encrypted cloud backups by default. This is a great idea considering that, by default, Android and iOS store backups unencrypted on Google Drive and iCloud.

Signal allows users to blur the faces of people in photos to protect identities automatically. Signal includes a payment and wallet system but only supports the payment method MobileCoin which is a privacy-focused digital currency.

All Signal contacts and contact lists are stored encrypted on your device and never sent to Signal’s servers. Group messaging is designed so that the servers do not have access to the membership list, group title, or group icons. Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.

Signal is banned in certain countries where governments are allowed to read all citizen communications. China, Egypt, Cuba, Uzbekistan, and Iran have banned Signal outright. In the U.K., Signal has warned it will quit the country if the law weakens end-to-end encryption. The United Nations has recommended the use of Signal in certain countries.

I would rate Signal as the best and most secure app to use at the moment. The company is a non-profit focused on security and not profit. Recently Signal did release a blog post asking for donations as running a worldwide secure message service is not free. If you are using Signal please consider donating to this service which puts people over profit.

zsh: command not found: msfconsole (Metasploit on macOS)

Once you have installed Metasploit on your Mac from the nightly builds

https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

you may get the error “command not found” when you go to run the msfconsole command.

That is because you need to add Metasploit to the paths file.

PATH is a system-level variable that holds a list of directories; on macOS, the file /etc/paths is one of the sources it is built from. When you enter a command in the terminal, it’s shorthand for a program with the same name. The system looks in each of the PATH directories for a program corresponding to the command and, when it finds a match, runs it.

To edit the paths file, type

sudo vi /etc/paths

Enter your password to elevate privileges.

Note: each entry is separated by a new line.

Hit i (or, depending on your version of vi, Shift + : then i and Enter) to start inserting text.

Add on separate lines

/opt/metasploit-framework/bin

/opt/metasploit-framework

/opt/metasploit-framework/framework

Now hit Esc.

Then enter :wq! and hit Enter to save and quit.

You will need to close and reopen the terminal. Now type

msfconsole

and Metasploit will open.
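The same edit can be scripted so it is repeatable and checks itself. The following is an added example and not part of the original post or of the Metasploit project: it appends the directories listed above to a paths file only if they are not already there, and it reports directories that do not exist or that do not contain msfconsole, so a typo in the path does not leave you with a silent “command not found”. The file name /etc/paths and the three directories are taken from the post; the warning logic is this example’s own.

```python
"""Add the Metasploit directories to a macOS paths file, idempotently.

Added example, not part of the original post. Run as
`sudo python3 add_msf_paths.py` to edit /etc/paths, or pass another file
as the first argument to edit that file instead.
"""
import os
import sys

PATHS_FILE = "/etc/paths"          # read by macOS path_helper, one directory per line
# Directories the post adds; the nightly installer's msfconsole lives in bin/.
MSF_DIRS = [
    "/opt/metasploit-framework/bin",
    "/opt/metasploit-framework",
    "/opt/metasploit-framework/framework",
]


def merge_entries(existing, new):
    """Return existing + any new entries not already present, order preserved."""
    merged = list(existing)
    for entry in new:
        if entry not in merged:
            merged.append(entry)
    return merged


def in_path(directory, path_env=None):
    """True if `directory` is one of the colon-separated entries of PATH."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    return directory in path_env.split(":")


def missing_dirs(entries):
    """Entries that name a directory that does not exist on this machine."""
    return [d for d in entries if not os.path.isdir(d)]


def dirs_with_command(entries, command="msfconsole"):
    """Entries that actually contain an executable with the given name."""
    return [d for d in entries
            if os.access(os.path.join(d, command), os.X_OK)]


def read_entries(path):
    """Non-empty lines of the paths file, or [] if it does not exist yet."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def update_paths_file(path, new_dirs):
    """Rewrite `path` with new_dirs appended (once each). Returns entries added."""
    existing = read_entries(path)
    merged = merge_entries(existing, new_dirs)
    added = merged[len(existing):]
    if added:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(merged) + "\n")
    return added


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PATHS_FILE
    for d in missing_dirs(MSF_DIRS):
        print(f"warning: {d} does not exist on this machine")
    if not dirs_with_command(MSF_DIRS):
        print("warning: msfconsole was not found in any of the listed directories")
    added = update_paths_file(target, MSF_DIRS)
    print(f"added {len(added)} new entries to {target}")
    print("open a new terminal window so the shell picks up the new PATH")
```

Running it twice adds nothing the second time, which is the property the manual vi edit lacks. The warnings are the useful part: if the post’s third directory does not exist on your install, you will see that immediately instead of wondering why the command is still not found.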

Migrating to BitWarden From LastPass For Password Management

Why am I leaving LastPass for another password manager?

I have recommended LastPass as a password manager for years, but after their last few cyberattacks, their handling of the attacks, and the way they have handled password storage and security, I cannot recommend them. I myself have decided to move all my passwords to BitWarden.

How Does BitWarden Store Passwords?

The way BitWarden handles the encryption of passwords is very good. To start with, they have a secret key feature, so even if someone got hold of your password database and your master password, they still could not decrypt it without the secret key. If they got the secret key and your password database, they still could not decrypt your passwords because they do not have your master password.

BitWarden uses PBKDF2 with SHA-256 to derive the encryption keys from your master password. BitWarden salts and hashes your master password with your email address locally before transmission to their servers. Once a BitWarden server receives the hashed password, it is salted again with a cryptographically secure random value, hashed again, and stored in their database. The default iteration count used with PBKDF2 is 100,001 iterations on the client (the client-side iteration count is configurable from your account settings) and then an additional 100,000 iterations when stored on their servers, for a total of 201,000 iterations by default.

These two methods make password storage very secure. BitWarden has publicly released its third-party security audit schedule and is registered with the HackerOne bug bounty program making their security constantly tested.
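To make the two-stage hashing concrete, here is an added example that is not BitWarden’s code: a simplified model of the client-side stretch (master password salted with the e-mail) followed by the server-side stretch (random salt, more iterations) using Python’s hashlib. The iteration counts are the defaults quoted above; how the real product derives the vault encryption key and the secret key from the same material is not reproduced here, so treat this as an illustration of why the server never needs, and never sees, the master password.

```python
"""Two-stage PBKDF2 stretching, modelled on the scheme described in the post.

Added example, not BitWarden's implementation. The e-mail address, password
and login attempts below are constructed sample values.
"""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_001   # client-side default quoted in the post
SERVER_ITERATIONS = 100_000   # additional server-side stretching


def client_hash(master_password: str, email: str) -> bytes:
    """Step 1, on the user's device: PBKDF2-SHA256 over the master password,
    salted with the normalised e-mail address. Only this value leaves the
    device; the master password itself never does."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, CLIENT_ITERATIONS, dklen=32)


def server_store(received: bytes) -> tuple:
    """Step 2, on the server: salt the received hash with a fresh random value
    and stretch it again before storing. Returns (salt, stored_hash)."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", received, salt, SERVER_ITERATIONS, dklen=32)
    return salt, stored


def server_verify(received: bytes, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute the server-side stretch and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", received, salt, SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, stored)


def login_succeeds(registered_password: str, email: str, attempt: str) -> bool:
    """Register with one password, then attempt a login with another.

    A copied server record (salt + stored hash) contains neither the master
    password nor the client hash, yet the server can still verify a login."""
    salt, stored = server_store(client_hash(registered_password, email))
    return server_verify(client_hash(attempt, email), salt, stored)


if __name__ == "__main__":
    email = "alice@example.com"                           # constructed sample account
    pw = "correct horse battery staple"                    # constructed sample password
    print(login_succeeds(pw, email, pw))                   # True
    print(login_succeeds(pw, email, "Correct horse battery staple"))  # False
```

Two details are worth noticing. The e-mail salt means two users with the same master password produce different client hashes, so a leaked server database cannot be cross-checked between accounts, and the random server-side salt means even the same client hash is stored differently on every registration.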

Is BitWarden Free or Paid?

BitWarden has personal and business plans. The business plans start at three dollars and go up from there. I personally only focused on the personal plans, which have three price points.

BitWarden is open source, and they offer a free plan with unlimited passwords and unlimited devices that will be free forever. Most password managers do not offer a free plan, so this was very impressive.

Their next plan, the one I went with, offers all the free features plus two-factor authentication, BitWarden Authenticator, security reports, and emergency access for ten dollars a year. You also get 1 GB of encrypted storage on BitWarden with this plan, which can be important for personal documents and things like certs or codes if you are like me.

The third tier is a family plan for forty dollars a year, including family sharing, six accounts, and more storage.

Which plan to get?

I personally went with the ten-dollar-a-year plan. I don’t agree with BitWarden charging for 2FA authentication, but I feel this is worth the money plus this is a way of supporting the open-source community. I found out later how cool the BitWarden Authenticator is when you install their software on your Mac and PC. The authenticator is part of the ten-dollar-a-year plan and having a right-click authenticator tool is very handy. I was interested as well in the security reports.

Is migrating from LastPass to BitWarden hard?

No, it’s very easy. I recommend downloading the LastPass app for Windows or Mac. Then go to advanced options and click export. Make sure to export to a .csv file. Once that is done, log in to BitWarden, click on Tools and then Import, select the LastPass .csv option, choose the file you just exported from LastPass, and hit Import. Once you have verified that all your passwords and notes are in BitWarden, delete the export you made from LastPass and empty your trash; you do not want that file on your machine.

Now we need to protect ourselves from any further LastPass attacks. Go to

https://lastpass.com/delete_account.php

Here you can completely delete your account or reset it to default. Either way, you should do this once you are sure everything you need is in BitWarden.

How is using BitWarden?

Just like LastPass, BitWarden has extensions for all browsers and has local software you can install as well. When you install the software on your computer you get a right-click menu that allows you to authenticate using the BitWarden Authenticator which was very handy. I would rate BitWarden faster and less bloated than LastPass and the functionality is just as good as well.

Can I use this for business?

One thing I did not know until I started doing research is that you can host your own BitWarden server if you want, since it’s open source. While this would be fun to do, the cost of renting a VPS or even running it on my home server does not seem worth the effort for 10 dollars a year.

I could see this being a solution for a big company with a lot of users, as it would cut costs since they would not be paying three to five dollars per user per month. If I were a larger company, I could see this being a good solution, and I may recommend it to large corporate customers. For small business customers, I would recommend the business plan, or even the family plan might work out with less hassle and more ease of use.

Will it work on my smartphone?

BitWarden has iPhone and Android clients that you can use to store and retrieve passwords. The app supports Face ID unlocking, fingerprint unlocking, passcode unlocking, Apple Watch, and many other features you would expect from a mobile app. The app has a sync feature, so if you save a password on your desktop it will sync to the phone, and from the phone to the desktop. The app has a password generator and password autofill feature if you would rather use BitWarden than the built-in Apple or Android password generator. The BitWarden app also has a neat feature called Send, where you can send an encrypted message link, protected by a password, that is deleted after a set number of days. This can be handy for sharing passwords or personal documents with other users.

Final Thoughts

I think BitWarden is a much better replacement and a much more secure option than LastPass. The software has more options, seems to be less buggy, and is a third of the yearly price of LastPass.

Managing Chrome In Windows With Group Policy

Download the Chrome Group Policy Templates For Windows

Extract the files to a network share or local location

Open Group Policy Management editor or Run gpedit.msc for local install

Open or Create a new policy

Expand Computer Configurations

Right Click on Administrative Templates -> Then Add/Remove Templates -> Click Add

Navigate to the files you extracted and import the Chrome Template

Now under Administrative Templates, you will see a Google folder and a Chrome folder

If you go into the Chrome folder you will see hundreds of options to customize Chrome

Now link the Group Policy Object to a computer’s OU with the customizations you want.

Sh1mmer Exploit Mitigation

The Sh1mmer Exploit is a Chromebook unenrollment tool that allows users to unenroll Chromebooks from Google Enterprise Workspace. Google has not released an ETA on a patch for this, but they have released mitigation practices to help prevent this exploit from working.

  • Turn off enrollment permissions for most users. This will require users to identify themselves in order to properly re-enroll on a device that was unenrolled.
    1. Open your Admin Console at: https://admin.google.com/
    2. On the left panel, expand “Devices” > “Chrome” > “Settings”, then click on “Users & Browsers”.
    3. Select the organizational unit(s) of the users that you wish to remove enrollment permissions.
    4. Under “Enrollment Controls”, change the “Enrollment permissions” setting to “Do not allow users in this organization to enroll new or re-enroll existing devices”.
  • On managed Chromebooks, block access to chrome://net-export so that users cannot capture wireless credentials. This can be achieved with the URL blocklist policy.
  • Additionally, block access to the following websites, which have been used to spread exploit tools and information, using URLBlocklist as well as content filtering products:
    • sh1mmer.me
    • alicesworld.tech
    • luphoria.com
    • bypassi.com

Fix For Error Security settings do not allow external startup disk on Mac

If you are trying to reinstall macOS or boot off an external hard drive on a Mac for any reason and get the error “Security settings do not allow external startup disk on Mac”, there is a way to fix this going forward. To start with, this is a security feature called Secure Boot that protects your machine. Secure Boot is an important security feature designed to prevent malicious software from loading when your Mac starts up. But at times you will need to boot off external media; to do that, follow the steps below.

Restart your Mac and press and hold Command + R as soon as you see the Apple logo.

You should now see the macOS Utilities window. Select Utilities > Startup Security Utility.

When asked to authenticate, select an administrator account and enter its password.

In the External Boot section check the Allow booting from external media option.


Reboot and you will be able to boot off of external media.

Fix For Warning SSL Medium Strength Cipher Suites Supported (SWEET32)

I recently ran into an issue where users were getting the scan finding “SSL Medium Strength Cipher Suites Supported (SWEET32)”. Looking into the issue, I found the following on the Nessus support site:

The remote host supports the use of SSL ciphers that offer medium-strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

To disable the 3DES ciphers, download and run IIS Crypto

https://www.nartac.com/Products/IISCrypto/

Click on Best Practices

Under Ciphers

Uncheck Triple DES 168

Check Reboot and Hit Apply

The server will reboot and disable this cipher.

You must reboot for the changes to take effect.

I would also recommend disabling the protocols TLS 1.0 and 1.1 on your devices if you can, for security purposes.

Uncheck TLS 1.0 and TLS 1.1 under Server Protocols

Check Reboot and Hit Apply

This will reboot the server for the changes to take effect.

With these 2 protocols disabled and the 3DES ciphers disabled, this warning should go away when you do your next scan.
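The Nessus definition above is mechanical enough to check from code. The following is an added example, not from the original post, from Nessus, or from IIS Crypto: it applies the “medium strength” rule (key length of at least 64 and less than 112 bits, or any 3DES suite) to the cipher suites OpenSSL has enabled for a Python ssl.SSLContext, and builds a hardened context with the same two changes made in IIS Crypto, a TLS 1.2 minimum and no 3DES. It inspects the local OpenSSL build only and does not probe a remote server; the Windows Schannel registry path that IIS Crypto edits is not touched here.

```python
"""Classify cipher suites the way a SWEET32 scan does, and build a context without them.

Added example, not part of the original post. The SAMPLE_CIPHERS list is
constructed to exercise the rule offline; the real lists come from
ssl.SSLContext.get_ciphers().
"""
import ssl


def is_medium_strength(cipher):
    """Apply the Nessus rule to one entry from SSLContext.get_ciphers().

    Only the 'name' and 'strength_bits' keys are used, so a plain dict with
    those two keys works too. 3DES is matched by name because OpenSSL reports
    its strength as 112 bits, which the numeric range alone would miss.
    """
    name = cipher["name"].upper()
    bits = cipher["strength_bits"]
    uses_3des = any(tag in name for tag in ("3DES", "DES-CBC3", "DES-EDE3"))
    return uses_3des or 64 <= bits < 112


def flagged_names(ciphers):
    """Names of the suites in `ciphers` that the scan would report."""
    return [c["name"] for c in ciphers if is_medium_strength(c)]


def flagged_ciphers(ctx):
    """Same check applied to the suites actually enabled in an SSLContext."""
    return flagged_names(ctx.get_ciphers())


def hardened_context():
    """Server context mirroring the IIS Crypto fix: TLS 1.2+ only and no 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # HIGH = 128-bit-and-up suites; also drop 3DES and unauthenticated/null suites.
    ctx.set_ciphers("HIGH:!3DES:!aNULL:!eNULL")
    return ctx


def allows_legacy_tls(ctx):
    """True if the context could still negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed sample entries in get_ciphers() shape, for an offline demonstration.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},  # strong
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "strength_bits": 112},      # 3DES: flagged by name
    {"name": "AES128-SHA", "strength_bits": 128},                  # not medium
    {"name": "DES-CBC-SHA", "strength_bits": 56},                  # single DES is "low", not "medium"
]


if __name__ == "__main__":
    print("sample suites flagged:", flagged_names(SAMPLE_CIPHERS))
    print("local default context flagged:", flagged_ciphers(ssl.create_default_context()))
    hardened = hardened_context()
    print("hardened context flagged:", flagged_ciphers(hardened))
    print("hardened context allows TLS 1.0/1.1:", allows_legacy_tls(hardened))
```

Run against the local default context, this tells you whether a Python service on the same box would trip the same finding; the hardened context shows what the scanner wants to see. The single-DES entry is deliberately not flagged: Nessus reports it under a separate low-strength finding, so a clean SWEET32 result does not by itself mean every weak suite is gone.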

Reason For Secure Boot

Microsoft Secure Boot is a component of Microsoft’s Windows 8, 10, and 11 operating systems that relies on the UEFI (Unified Extensible Firmware Interface) specification’s secure boot functionality to help prevent malicious software applications and “unauthorized” operating systems from loading during the system start-up process. Mac computers that have the Apple T2 chip support secure boot options. Mac computers, unlike Windows, support three settings to make sure that your Mac always starts up from a legitimate, trusted Mac operating system.

Why is this important? In an office environment, someone can plug in or boot off unsecured media, such as a password reset disk or an operating system on a jump drive or live CD, and gain access to the computer. This is probably not an issue in your home, but in an office environment it can be a major security hole that a network administrator has to protect against.

A Windows password reset disk is a specially created disk or USB flash drive that can be used to regain access to Windows if you’ve forgotten your password. It’s a useful step to take if you tend to forget your password, and it’s easy to create; all you need is a USB flash drive or disk. Great for the home user who forgets their password, not so good on a large company network, where it can be used to boot a machine and reset a local administrator password.

A live CD is a complete bootable computer installation, including an operating system, that runs directly from a CD-ROM or USB stick. Linux has been adapted to the needs of modern computer users by offering live CDs. This type of operating system can be booted from a CD, DVD, or USB drive without actually being installed on the computer’s hard drive. Again, great for troubleshooting a computer issue and not so good for a secured network.

Microsoft Windows 11 even has a version that you can boot off a jump drive with preloaded tools that can be used to hack a secure network. This is why Secure Boot is so important and is coming on by default on a lot of new computers.

Google Ecosystem And Privacy

I am not trying to scare anyone, but I think everyone needs to know how Google’s ecosystem works. Let’s first talk about Google’s Nest. We have all seen the Google Nest in Home Depot. If you don’t know what a Google Nest is, it’s an internet-connected thermostat tied to your Google account. So now Google has data on when and how you like the temperature of your home and what heating and cooling system you have.

Since Google Nest offers door locks, Google now knows when you lock and unlock your doors if you have those locks installed. Since Google Nest offers key lending, Google knows who you lent keys to and who you trust to enter your home.

Google also offers Chromecast and Android TV devices. You guessed it: these devices need to be connected to your Google account. So now Google knows what shows you watch and what services you use, like Netflix, Hulu, Pandora, and anything else you cast to the TV.

One of Google’s most popular services is Gmail. Gmail is by far one of the most popular email services in the world but like anything free, it comes with a cost of privacy. Google has always made it known that they read your email to target ads at you.

In case you didn’t know, YouTube is owned by Google. Since most people log in with Gmail and their accounts are connected to YouTube, Google knows what kind of videos you are watching, and unless you have YouTube Premium they are going to target video ads on YouTube at you to get you to buy products. Google even ties music in with YouTube Premium now, so they can make money on their subscription music service and see what kind of music you are listening to and when you are listening to it.

YouTube has broken into the television market as of late with YouTubeTV. This is another way of Google collecting data knowing what TV and movies you watch and finding out your TV viewing habits. While YouTubeTV is a service you pay for they are still collecting your data since you need to again use your Gmail account to log in to use the service.

We all love Google Maps and Google Places, but every time you use your GPS to find a location in Google Maps, don’t think that information isn’t stored somewhere for later ad targeting by Google. Google has even admitted to using the speaker on your phone to listen in order to improve Google Assistant and its AI programming, but has never said it deletes that information.

Google Drive and Google Photos are another issue to think about. Remember that everything you save in your Google Drive is subject to Google’s review, so if you store all your photos and files on Google Drive, there is a good possibility you are building Google a repository of information to scan through at some point.

The Google picture data is rather concerning considering Google uses metadata from the picture and cell phone used to take the picture to determine where it was taken then uses facial recognition to find which Gmail users are in the picture.

Google Chrome is another great invention by Google, and I really mean that: they have made the most secure browser with the best extension store. Google has even expanded the Chrome browser in recent years into a full-fledged operating system that can compete with Microsoft and Apple. Again, this very secure browser and operating system come at a cost, as Google collects all the internet traffic you generate and uses it to target ads at you, since you must sign in to Chrome using, you guessed it, your Gmail account.

Part of the thing that’s concerning about all this information is Google uses this information to target Google Searches, News, Videos, and Ads. While the ads are for Google to make revenue on, and Google Searches are used to bring you the correct information to entice you to continue to use the service the issue becomes Google giving you the News, Searches, and Videos they think you would most likely enjoy keeping you on the platform longer.

While I do not see an issue with this, Google has been known to cooperate with law enforcement on issues. While I have nothing to hide, when Google turns over these records of who has done what in a certain area, it does technically violate some of our privacy rights. Even though law enforcement is not looking for me, just because I was in that area at a certain time, they now have my files and access to certain data.