Apr 29, 2017

Serious Alternative to Truecrypt: VeraCrypt

As many people know, TrueCrypt has been discontinued since 2014. The developers said that TrueCrypt had some unfixed security issues. In 2015 the Fraunhofer Institute for Secure Information Technology conducted an audit on the last stable release of TrueCrypt, and although they did find a number of bugs, they came to the conclusion that it is still secure when data is at rest.

That being said, since TrueCrypt is no longer being developed, if you are still using it you should move to something that is actively being developed. Now, there are lots of encryption solutions today. Most modern operating systems have some form of disk encryption built in now. Microsoft has BitLocker, Linux has LUKS. You get the idea right? What if you really liked the way TrueCrypt worked though? What if you liked that TrueCrypt was multi-platform? Then in my opinion, you only have one serious alternative.

That alternative is VeraCrypt! From their page:
"VeraCrypt picks up from where TrueCrypt left and it adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks. VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt. It can load TrueCrypt volume and it offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format. This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data."

Now, to be fair, there is another fork of TrueCrypt called CipherShed, but they only have a pre-compiled version for Windows. If you want to use it on Mac or Linux, you need to compile it yourself. Not to mention, they don't issue releases as frequently as VeraCrypt.

Some cool things I like about VeraCrypt are that the layout is very similar to that of TrueCrypt, and I'm already used to that. Also VeraCrypt offers some other encryption algorithms that TrueCrypt did not. Those algorithms are Camellia and Kuznyechik.



They also have some other hash options.


I'll be honest, I am still using TrueCrypt on my VPS email server. I'm not terribly worried about it because it should still be able to protect my emails at rest if my VPS is shut down to reset the root password without my permission. Still though, I'm making plans to migrate to a new VPS when Ubuntu 18.04 LTS comes out, and when that day comes I'm going to make the switch to VeraCrypt!

Do you still use TrueCrypt? Do you think you will make the change to VeraCrypt? Why or why not? Let us know in the comments!

Apr 28, 2017

Now Virginia farm boys are trying to break into my email server?

One day after my post about Venafi setting off a host-based intrusion detection alert on my email server, and me wondering if Venafi is a front for the NSA since they are stationed in Utah where the NSA's gigantic datacenter is, I get another interesting alert. This time from an IP address in Ashburn, Virginia!



What is only 30 minutes away from Ashburn, Virginia? Oh, just CIA Headquarters in Langley, Virginia!



The alert I got was a little more aggressive than that from Venafi. This one was fired off as a "Possible attack on the ssh server (or version gathering)."




I get it. Just because Venafi is out of Utah, and the NSA is out of Utah, doesn't make them both NSA. Also, just because this IP is out of Virginia, and the CIA is in Virginia, doesn't mean that it's the CIA trying to hack my email. Still though, the timing of it is suspicious, don't you think? One day after possibly outing an NSA front?

Just to be cautious I added firewall rules to block the following IP ranges from the ISP out of Virginia:
70.104.0.0/16
70.105.0.0/17
70.105.128.0/18
70.105.192.0/19
Hopefully that will keep the Virginia farm boys from snooping in my email.

Apr 27, 2017

Who the hell is @Venafi, and why the hell are they trying to connect to my private email server?

I work in a company where cyber security is kind of a big deal, and one of the tools I use a lot is a host-based intrusion detection system called OSSEC. Well, the other day I decided to also install OSSEC on my private email server to see what kind of threats and intrusion attempts are happening on a daily basis. Needless to say, things have been interesting.

One thing that caught my eye this morning though is an SSL error message that showed up in the Apache logs that said "rejecting client initiated renegotiation". See below:



Okay, a simple SSL error. So what? No harm no foul right? Well, there is something kind of strange with this one. The IP address in question is 208.93.152.147, and when I do an IP address WHOIS lookup I see it belongs to a company out of Utah called Venafi, Inc.



Their website says that they are in essence an SSL company, and Wikipedia describes them as a privately held cyber security company that develops software to secure and protect cryptographic keys and digital certificates. The problem is that I don't do business with them, so they really have no reason to be scoping out my private email server.

Another thing that made me wonder about this company is that this isn't the first time I've seen their IP addresses show up in intrusion detection alerts. I've also seen their IP addresses in alerts for some of my day job company's web servers as well, and we don't do business with Venafi either.

Maybe it's my conspiracy mind at play here, but you know who else has a big data center in Utah that is designed to hack and store data about everyone on the Internet? That's right, the NSA has a huge data center in Utah called the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center.



Could Venafi be a front for the NSA? It makes me wonder...

Anyway, for now I am blocking the entire 208.93.152.0/22 range and I will continue to block ranges of suspicious IPs. There is no reason for Venafi to be connecting to my servers at all, even if they really are the NSA.
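
For anyone who wants to do the same kind of triage, here is an added example (not part of the original post, and not OSSEC's own logic) that pulls the "rejecting client initiated renegotiation" sources out of an Apache error log and shows which ones are already covered by the block ranges quoted in these posts. The log lines are constructed samples in an assumed Apache 2.4-style layout, and the function names are made up for illustration.

```python
import ipaddress
import re
from collections import Counter

# Block ranges quoted in the posts on this page.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "208.93.152.0/22", "70.104.0.0/16", "70.105.0.0/17",
    "70.105.128.0/18", "70.105.192.0/19")]
MESSAGE = "rejecting client initiated renegotiation"
# Matches "[client 1.2.3.4]" and "[client 1.2.3.4:56789]".
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")

# Constructed sample lines (not from the author's server). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
[Thu Apr 27 06:12:01.104233 2017] [ssl:error] [pid 2211] [client 208.93.152.147:40112] rejecting client initiated renegotiation
[Thu Apr 27 06:12:03.551870 2017] [ssl:error] [pid 2211] [client 208.93.152.147:40118] rejecting client initiated renegotiation
[Thu Apr 27 07:40:19.000412 2017] [ssl:error] [pid 2214] [client 203.0.113.9:51770] rejecting client initiated renegotiation
[Thu Apr 27 08:02:44.918201 2017] [core:error] [pid 2214] [client 198.51.100.23:33012] File does not exist: /var/www/html/favicon.ico
[Thu Apr 27 09:15:10.300000 2017] [ssl:error] [pid 2220] [client 70.105.200.14:60001] rejecting client initiated renegotiation
"""

def renegotiation_sources(log_text):
    """Count rejected renegotiation attempts per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        match = CLIENT_RE.search(line) if MESSAGE in line else None
        if not match:
            continue
        try:
            hits[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an IP
            continue
    return hits

def triage(log_text):
    """Map each source IP to (hit count, covering block range or None)."""
    report = {}
    for ip, count in renegotiation_sources(log_text).items():
        covered = next((str(net) for net in BLOCKED if ip in net), None)
        report[str(ip)] = (count, covered)
    return report

if __name__ == "__main__":
    for ip, (count, covered) in triage(SAMPLE_LOG).items():
        print(f"{ip:16} hits={count} blocked_by={covered or 'nothing yet'}")
```

Sources that come back with no covering range are the ones still worth a WHOIS lookup before deciding whether to block them.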

Have you seen these guys trying to connect to your systems? What are you doing about it? Do you do business with them? Is this something I shouldn't worry about? Let me know in the comments.

======

UPDATE: Venafi sent me the following tweet in reply to this post:



The link to their TrustNet Scanner talks about how they passively scan the certificates of every IP address on the internet to build a global certificate repository that they make available to the public. I suppose that's plausible... I'm still not convinced they aren't a front for the NSA though!



Update #2: Is the CIA now trying to break into my email server?

Apr 26, 2017

Super cheap cell phone for my soon-to-be teenage daughter

My Daughter and Her New Phone
I am not like most modern parents I think. Lots of kids these days are walking around with the latest and greatest in cell phones because their parents buy them for their kids. I'm a little bit more old-fashioned. I refuse to buy my kids a cell phone unless they can pay for it themselves!

When I was a teenager, my parents didn't buy me a cell phone. Granted, cell phones were way more expensive in the 90's, but that's not the point. I did have a pager (Remember pagers?!?), but I bought that with my own money!

My daughter has been wanting a smartphone, and she actually came up with a brilliant plan on her own! She decided that she would earn some cold hard cash by mowing my lawn and doing chores around the house, then she would go out and buy a pre-paid Verizon Samsung Galaxy J1 for $45!

Normally Verizon makes you sign up for a pre-paid account that is billed monthly at $40 per month or more. Instead of doing that though, she said she would use a free app for text and calling over WiFi!

The app we opted to use is TalkaTone which gives you a free phone number and lets you have unlimited text and calling in the US and Canada! It's available for both Android and iOS too!

Some things to consider if you decide to do this setup for your kids:
  • The pre-paid cell phone wants you to go through an activation process when you power it on. You can actually skip this process. The activation app will pop up occasionally to bug you about activation, but you can ignore it.
  • Your child will only be able to make and receive calls/texts where WiFi is available. Keep in mind that many restaurants like McDonalds have free WiFi. Encourage your kids to connect to these free hotspots so they can call you if they need to.
With this setup it only cost my daughter a measly $45, and there is no monthly fee for me to take care of! Win win if you ask me!

Do you use a similar setup for your kids? Let me know in the comments.


Apr 24, 2017

Mindless Investing Made Easy

Have you ever seen Superman III where Richard Pryor's character came up with a computer program to rip off the company he worked for by rounding up company transactions to the nearest penny and sticking those fractions of cents in a bank account? They did the same thing in Office Space. Well, imagine doing something similar to that for yourself, but with your own money. Sounds weird? Well stay with me, it will all make sense!

I discovered an app that in essence does this for you, but instead of fractions of a penny, it's fractions of a dollar. Once you sign up, this app rounds up transactions on every purchase you make to the nearest dollar and takes that difference and invests it in a diversified portfolio! You don't even have to think about it!

Still not making sense? Let me give you an example. Let's say you go to the grocery store, and buy $123.48 worth of groceries with your debit card. This app will then round that up to $124.00, and take that $0.52 and invest it in the stock market for you! After a while, that money can add up to thousands of dollars, and you don't even have to think about it!

This app is called Acorns, and here is a video that can explain it better than I can:




If you've been looking for a way to get into the stock market, but didn't know where to start, then you might give Acorns a try. It's ridiculously easy to set up, and you don't have to be a finance major to figure it out. Best of all, it's automated and you don't have to think about it!

Do you use Acorns? Do you like it? What do you like about it? Let us know in the comments!


