During this week I’ve been trying TrueCrypt(http://www.truecrypt.org/) for file/drive encryption and here are my observations:

The best feature of this software is that is the price: free, zero, nada, nulo, nitchs. Thank God for open source programmers.

All the feature list can be found at the website, so I won’t go deep on explanations. I’ll just say that is a very robust software offering several encryption algorithms (AES-256, Serpent, and Twofish) and three hash functions (RIPEMD-160, SAH-1, Whirlpool) all of them yet to be broken (rumors about SAH-1 being compromised have circulated the net but no practical example yet, mathematical and conspiration theories only). Additinally, you can stack the algorithms to create a more complex result (slower process but theorically more secure), so the possible combinations with the corresponding benchmark in my machine are:


(For comparison, unencrypted IDE drives range from 60 to 90MB/s, SATA150 from 90 to 130MB/s and SATA300 from 120 to 200MB/s)

But what concern us about it is the next two features: real time encryption and virtual disk/device configuration.

Virtual disk encryption means you can create a file and mount it as a volume that creates a new drive in windows. While device encryption means you can configure the whole storage device (disk, volume, usb drive, et al) to be encrypted.

Real time encryption means that all encryption work is done on memory, and transparent for the user. You just configure the disk and voila! you have a new drive letter where you can read/write without noticing it’s being encrypted.

I tested with one virtual disk (Quang didn;t allow me to format the disk I borrowed) and here are my impressions:

I created a 10GB virtual file with the AES-Twofish encryption and whirlpool hash and tested the following scenarios:

• big files read/write
  
• network read/write
  
• VPN accessed (mounted the file located @ the office in my home computer )
  
• Media play (mp3, video)
  

Locally I didn’t notice any slowness in the system. Also file access was very quick (22 MB/s is more than needed for file storage) no more noticeable slowness than any other of my drives. Where i found it “slow” was thru the vpn. And that’s due to the network for sure (around 2MB/min transfer speed)

The virtual file gives the flexibility to move around the file and mount it wherever it’s needed. But since I was greedy enough to create a 10GB file I couldn’t put it in a DVD to mount it from there (yes, suposeddly you can mount files from DVD)

So, in conclusion, I consider this a very good candidate to encrypt our backups and/or personal/proyect folders. This software doesn’t encrypt OS drives because it can’t be booted, but there is a work around using bootable CDs wich aren’t very useful for our case.

Next time I’ll review another free software that encrypts all drives an boot the OS, thus having all data in the machine encrypted.

Phising is nowadays one of the most effective attack techniques. It consists in obtaining users information thru a fake copy of a real website. Then send messages to users asking to enter their data (login information usually) in that website. That website will allways fail to validate the users, so users try again and again until they give up. But by then, users already gave away their info to some stranger just waiting for it to get access to the real websites.

Just last week, I was in my home computer when I realized that something had modified my HOSTS file (see modified content below). That with the intent of getting login information for the online banking system of Banamex bank (citi group’s mexican bank).
If I had any account in Banamex and I wouldn’t realized of the modification, I could’ve entered my info in that fake website. And then several days later discover some strange transactions in my accounts, starting the lenghty process of recovery from an identity loss (fight with the banks, trying to get the money back, etc).
As that day’s good action, I decided to inform Banamex bank about what happened, waiting at least that they could try to take the fake website down, alert their cusomers, or anything.. but oh deception!
They only let their stupidity arise. And here is the communication I had with them (in spanish because they are a mexican bank, basically I let them know about the attack and they answered me with a customer service phone number so they can give me a better service… yeah right!):


De: Abraham Vargas (XXXXXX@XXXXX.XXX)
Enviado el: Viernes, 25 de Mayo de 2007 01:07 a.m.
Para: Servicio A Clientes (1) [BNMX]
Asunto: Servicio a clientes (Portal 1)
Modulo de Servicio Clientes
Nombre del usuario :ABRAHAM VARGAS
Mail del usuario :XXXX@XXXXXX.XXX
Teléfono del usuario :000
Fax del usuario :000
Dirección del usuario :USA
Colonia del usuario :USA
CP del usuario :92069
Ciudad del usuario :SAN MARCOS CALIFORNIA
Estado del usuario :OTRO
País del usuario :ESTADOS UNIDOS
Tema de contacto :SERVICIOS EN LINEA BANCANET
Comentario del usuario:QUE TAL LES ESCRIBO PORQUE ALGUN VIRUS DE INTERNET CAMBIO LA CONFIGURACION DE MI COMPUTADORA PARA QUE AL INTENTAR ACCESAR EL SITIO DE BANAMEX ACCESARA A LA SIGUIENTE DIRECCION DE IP 189.180.78.75 PARA QUEINVESTIGUEN PORQUE PARECE SER UNA DIRECCION FALSA PARA OBTENER PASSWORDS DE SUS USUARIOS. LA CONFIGURACION COMPLETA QUE CAMBIO FUE EL ARCHIVO HOSTS Y PUSO ESTO EN LUGAR DE MI ARCHIVO ORIGINAL:
189.180.78.75 WWW.BANAMEX.COM
189.180.78.75 BANAMEX.COM
189.180.78.75 WWW.BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BOVEDA.BANAMEX.COM.MX
189.180.78.75 WWW.BOVEDA.BANAMEX.COM.MX
ESPERO PRONTO PUEDAN ARREGLAR EL PROBLEMA
SALUDOS

And the answer was:


From: "Atencion Empresarial 3 [BNMX]" (atenempre3@banamex.com)
To: XXXX@XXXXXX.XXX
Subject: SC-Servicio a clientes (Portal 1)
Date: Mon, 28 May 2007 11:30:00 -0500
Estimado Cliente
Buenas tardes, reciba un cordial y afectuoso saludo.
Con el objeto de proporcionarle el mejor servicio , le invitamos a llamar a los teléfonos de atención a clientes (1800 226 2639 (1800 BANAMEX))
Nota:
Este mensaje tiene el carácter de informativo y la falta de recepción de la misma por parte del cliente no implica obligación ni responsabilidad alguna del banco.
** Nota: Le recordamos que Banamex nunca le solicitará información confidencial como su número secreto, password, información personal y de sus cuentas vía correo electrónico. Si recibes un correo solicitando esta información, sospecha de su origen, no conteste o de click en ligas de estos correos y reenvíelo a la dirección de correo electrónico giso@banamex.com
Gracias y Saludos!!
ATENCION EMPRESARIAL 3
Tel.: 1800 226 2639 (1800 BANAMEX)
La información contenida en este mensaje esta destinada únicamente para el uso de la persona o entidad identificada como receptor. Cualquier uso no autorizado es responsabilidad del receptor. Si usted recibe este mensaje por error favor de notificarlo inmediatamente al remitente y hacer caso omiso de la información ahí contenida.
The information contained in this e-mail message is only for purposes of the intended recipient. Any unauthorized use is responsibility of the receiver. If you have received this e-mail message in error, please immediately notify the sender and delete it from your computer.
What can we wait from a customer service like that?
Thank you, but that’s useless to me… so, do you have an account with Banamex?

banamex bank phishing security seguridad

Practically, all present applications use usernames and passwords to allow the access to systems.
Is also known that that information is of the most coveted by the informatic attackers. We as systems developers , have the moral obligation (and sometimes legal obligation too)to protect our users’ information. Previously, it was very common to find the data stored in flat text fields “UserName” and “Password” – the worst design in information security:

ID_User	User	Password
1	janedoe	systempassword
2	janesmith	janesmith
3	johndoe	password
4	johnsmith	password

An attacker who managed to obtain access to the data, could easily enter the system using another user’s identity. Nowadays, with the improvements in legislation and design of security in systems, it’s common to encrypt the password; so, if an attacker managed to get the information, he could not decipher the obtained data. Using MD5 to encrypt the sample data, we would have Password=MD5(password):

ID_User	User	Password
1	janedoe	67e375717d8d06e5ec5feac9b92e97a4
2	janesmith	1f51c87a47d5c4aacc042ba9945523ce
3	johndoe	5f4dcc3b5aa765d61d8327deb882cf99
4	johnsmith	5f4dcc3b5aa765d61d8327deb882cf99

Pretty much impossible to decipher, right? Totally false… With the sophistication of the informatic attacks, nowadays a simple hash function to encrypt information as delicate as passwords is insufficient. Why? Most of the users choose passwords little less than safe(names, directions, dates, common words , even the username itself), only giving the attacker with access to the DB the hassle of a encrypted known word attack to get some passwords. In order to ease the work, the attacker could scan the passwords’ hash and detect repeated information. Centering his/her attention in those records with a known word attack. That is to say, if there were 10 users who use the word “password” as password, there would be 10 records in the DB with the value of “5f4dcc3b5aa765d61d8327deb882cf99″ (like johndoe and johnsmith in our example). And also, if there are several records with the same value, that is for sure a well-known word (how many people uses the company’s name as password for the Intranet)

Salting

To mitigate this danger, there is a technique called “Password Salting”. This technique consists of adding extra information relative to each user before encrypting the password. Then, when applying the hash function, the result is unique(*) for each user. In our example we will use the extra information in ID_User, getting Password=MD5 (password + ID_User):

ID_User	User	Password
1	janedoe	95ffe45aed7fa057c8b632cc184b7ce5
2	janesmith	8fd6b4806b109a7117faeb64ea810959
3	johndoe	819b0643d6b89dc9b579fdfc9094f28e
4	johnsmith	34cc93ece0ba9e3f6f235d4af979b16c

* “unique” in terms of our DB. It is known that MD5, having a finite number of outputs and an infinite number of inputs, has many hash string collisions . Nevertheless, for our practical example of user/password, we will allways get unique results.
With this method, we now see that we won’t find identical stored data, making the attack more difficult. Let us remember that no method is infallible and no system is inviolable, but taking actions as the one suggested here lessen the risks that we have in users’ data storage.
In the following article we’ll check password salting on the user’s side. As we know, the weakest link in security is the user, but with a little education from sys admins and responsibility on the part of the user, we can obtain an acceptable level of security. For the users, the article will try to improve your passwords used to access systems and to avoid that your information is accessed by unauthorized people.
Cheers!

password salt security seguridad