Security Tutorials

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Mon Mar 07, 2016 4:41 pm

a message from our new employee, Tom Beasley arrives:

Msg from Beasley 1.png


apparently Tom has been instructed to use PGP/Mail -- as he has attempted to sign his message. However, on our system we see a message: unverified signature.

we can request the details from ENIGMAIL:

Code: Select all

Unverified signature
Public key 8F6A1C6D5E95BC8D needed to verify signature

BAD signature from


this means we do not have the key, identified above, that was used to sign the message. we have no way to know who sent this message. the from address says the message is from Tom Beasley -- but --anyone could send a message claiming to be Tom Beasley -- or Richard Nixon -- or anyone they wish to impersonate . this is unacceptable for business -- or private communication.

we send Tom back a reply instructing him to
  • have your key signed by Alice, and
  • upload your key to the key server
Last edited by mike acker on Mon Mar 07, 2016 6:22 pm, edited 1 time in total.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Mon Mar 07, 2016 5:56 pm

we get a message back from Beasley stating that he has uploaded his key

as soon as we download his key -- we should be able to validate his messages,--

ENIGMAIL provides a dialog for downloading the key
( you do need to know which key server is being used )

Msg from Beasley 2.jpeg


notice that his signature remains unverified until we get his key downloaded,--

Msg from Beasley 3.jpeg


well now! we have his key -- and it is correct on his message -- but ENIGMAIL is telling us his key is UNTRUSTED.
this is because his key is NOT VALID: at this point we have NO ASSURANCE that key "5C8D8076 " actually belongs to Beasley. We could be talking to Nixon -- for all we know -- at this point. We must have the key validated -- so that we are sure that key "5C8D8076" actually belongs to Beasley

that is why we have designated Alice -- our administrative assistant -- to Validate Keys. On our system her key shows FULL trust: i.e. we trust Alice to validate keys for other employees . that is why Tom has to go see Alice. She can download his key, make sure it is key "5C8D8076 ", sign it, and then upload it for Tom;
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Tue Mar 08, 2016 9:29 am

at this point, if we display Beasley's key we will see the problem:

Msg from Beasley 4.jpeg


we will have to get after Beasley to follow instructions! So we send him a note, telling him to have Alice sign his key and re-upload it

following that, Beasley responds:

Msg from Beasley 5.jpeg


his key remains NOT VALID: although Alice signed it and uploaded it we need to get the update:

for this we have to REFRESH his key from the server:

Msg from Beasley 6.jpeg


a download -- as we had done earlier -- won't work -- as we already have his key. here we need an update.
( you should refresh all critical keys on some sort of schedule-- )
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Tue Mar 08, 2016 9:49 am

Updated key for Beasley

Msg from Beasley 7.jpeg


you notice GnuPG checks its database and derives a value to the VALIDITY of Beasley's key
As we have assigned FULL trust to ALICE her signature on Beasley's key sets Beasley's status to VALID:
i.e. we are satisfied that key 5C8D8076 belongs to Beasley

Msg from Beasley 8.jpeg


we mark him UNTRUSTED -- i.e. we do not trust him in any manner to validate keys for others: we know who he is -- but we don't trust him to handle keys.

Msg from Beasley 9.jpeg
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Tue Mar 08, 2016 9:51 am

Msg from Beasley 91.jpeg


at this point the system shows a valid message from Beasley

we'll fire him Friday

Before we do that we have some Suggested Reading

These are from Brian Krebs -- which -- if you like to keep up on security -- is a Good Read

(1) IRS Suspends Insecure ‘Get IP PIN’ Feature

Excerpt

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.


(2) Seagate Phish Exposes All Employee W-2’s

Excerpt
Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.


in our little parable here which i have written for this tutorial Alice acts as the introducer, validating keys for our new employees.

in real life we would need agencies that deal with validating identities to validate GnuPG, openPGP, and PGP keys for us. Such agencies could include our local credit union, DMV, County Clerk, Notary Public, &c

once a key is validated we would need to associate that key with our business contacts. this could be as simple as logging onto an online account and simply adding the key ID and server ID to the account data. the business could then access the validated key and following that would expect transactions, e/mail &c to be properly validated.

this stuff should have been done back in 1995. Instead we continue to use "Knowlege Base Authentication" (KBA); this in spite of the fact that the "knowlege" -- DoB, SSN etc -- has all been compromised and is readily available to scamsters via various resources available on the "DarkNet".

a Quick Word of Caution

Security depends on the use of a secure operating system. a secure operating system will not allow itself to be corrupted by the activity of an application program; nor will it allow one application program to steal data from another .
Last edited by mike acker on Thu Mar 10, 2016 5:30 pm, edited 1 time in total.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Tue Mar 08, 2016 6:09 pm

now that we think we understand PGP it's time to take off the Cowboy Hats and put on the Thinking Caps

Think like a Hacker

a Hacker will study an information flow, and look for a weakness -- a point where he can impersonate a source in order to manipulate a target

I might think I could use PGP to sign my tax return -- and thus foil any scamster who plans to submit a forged return. to do this he needs to generate a keypair with my ordinary identifications on it -- and get that signed by an accredited service -- and submit it to the IRS

to prevent this we will need a change control procedure with two sections:
(a) initial submission and validation of key;
(b) change procedure;

While we are thinking about this I'll relate a little parable. This is a true story that affected this writer.

the annuity manager for one of my retirement annuities abruptly sent me an e/mail stating that i had changed my mailing address to someplace, Klamath Falls. I promptly called them on the phone and had them correct my address back to Michigan.

the attacker immediately changed the address back to Klamath again.

this was repeated 3 times before the attacker gave up.

the important lesson here is -- just implementing PGP is not sufficient; security must be established and then maintained. Maintenance must protect keys from tampering.

the nice thing about PGP is -- once security is established -- we can required changes to be sent via the secure channel,-- up to and including provision of a new public key .

security should be established immediately on new accounts. on existing accounts an existing document could be signed and re-submitted in order to help verify the sender's key. to thwart this the attacker would need an exact machine readable copy of a document to be used for the validation. an attacker might attempt to open a new account on behalf of the victim -- e.g. a credit card. in this case he would not have the proper signature to do it -- although he might have generated one that would look valid to the provider. once the account went active the fraud would be exposed when the signatures didn't check out .

I'm going to throw my thinking cap in the back of the truck now and get my Cowboy hat and a ceegar

While I'm doing that: Suggested reading:
PGP User's Guide, Volume I: Essential Topics
read How to Protect Public Keys from Tampering

it's not an easy topic and the difficulty is seruously exacerbated when you have "Trusted Introducers" or "Certificate Authorities" running around like stray coyotes, ...
Last edited by mike acker on Thu Mar 10, 2016 5:33 pm, edited 2 times in total.
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

Georgia boy
Level 2
Level 2
Posts: 56
Joined: Tue Oct 12, 2010 9:06 am
Location: Arizona

Re: Security Tutorials

Postby Georgia boy » Tue Mar 08, 2016 8:59 pm

Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.
Debian testing
Hp Pav a1440n
820 Intel Pent D procces 2 process cores, 2.0GB mem,250GB HD, NVIDA GeForce 7300LE, Intel ViiV.
ASUS A53SD-TS72 Intel Cor i7-2670QM 2.20GHz, 8GB DDR3, 750GB HDD, 2GB NVIDIA GeForce GT 610M, Mint LMDE2 64 bit.

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Wed Mar 09, 2016 8:10 am

Georgia boy wrote:Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.


"armor" -- is not something you need to install -- it's a standard feature of any version of PGP

"armor" is an option you can set when you encrypt a file:
e.g. :

Code: Select all

 $ gpg2 --recipient Beasleyy --armor --encrypt test.txt
 
ls test*
test.txt  test.txt.asc



remember: the tutorial here is not intended to be a substitute for the manual; rather it is a set of examples that may help the reader dig the stuff out of the manual that he may need for whatever he wants to do.

in the example i did not specify the --output option; for that reason the original file name is appended with the ".asc" suffix and that becomes the "armor" file

here's what the 'armor' looks like :

Code: Select all

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA49qHG1elbyNAQf+ITWCUVJt6lylqZ8UHUrqFVxOG8GznYrV4qD3OwzCRqC8
mw83xurELQKR7w6f+Jcl7QcCGhxVeevV8pQvHHobqvuFMTM+aUe5LLupvYtkZGji
TBq1xoYojTFQJ4NTQkebsQlfp96ewVv83yQetJSJdmwIlrNT/8qyzvqx+m9XZxiW
eYrqCzCmHTxzqOF3SXnj94VWEjaiI8bSJp7H1Cg8vBxayUJ0QBfCmf70qlB5fabV
2YFwhJ53AKqpYXE1nbjWXUceLHe6HRS0xZY5js/lcwBwZPK3TObeOSGzzXOickAh
NkJTHSMh6KenwoZgiWF8EcKb3dYIEZPlZiBhc+vahdKUARnWrAyeyEY4v/4KAL5i
/ogJZA2L2nEizjUCP+4+Ced5LC61YwKlhWMzgdMeAg7MhowaBMZoxQ4KyA7bsmKG
1UnnNzOE3l0bxmaEqRFN7ub5NUkyldcpgsb0rIBq52auw/5oMiy9EZG+FAKpaC4y
Gj6Nt5iuyfFROjFmCyXMG/8/6BpOCzDsdVIF4MiiVcW5eYI1xg==
=Q5oX
-----END PGP MESSAGE-----


all that it does is convert the cipher text into 7-bit printable ascii . this was done to reduce problems in transmission where 8-bit characters can sometimes act as control characters and confuse the transmission software . the use of 'armor' continues today as a 'best practice'

In e/mail systems PGP/Mime is used. this is similar but expanded so as to act as a container as well as armor. as a 'container' PGP/Mime can include HTML message text, attached documents of any sort and digital signatures . *

on any test message in Thunderbird/ENIGMAIL just do a "view source" and you see the PGP/Mime data is just a character stream -- similar to above.

you should see something like this:

Code: Select all

To: Tom Beasley <beasleyy@charter.net>
From: Mike Acker <mike_acker@charter.net>
Subject: here's the al gore file
Message-ID: <56E00C65.2090408@charter.net>
Date: Wed, 9 Mar 2016 06:43:33 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.5.1
MIME-Version: 1.0
Content-Type: multipart/encrypted;
 protocol="application/pgp-encrypted";
 boundary="PFCj6ncDMOp46b5Hhl0LEPtORWdCHQASO"

This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
--PFCj6ncDMOp46b5Hhl0LEPtORWdCHQASO
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification

Version: 1

--PFCj6ncDMOp46b5Hhl0LEPtORWdCHQASO
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA49qHG1elbyNAQf+Ipy50nSAuWrcRfGIJZI6fq52FRYo6hKaTNxP8JA60zNS
tKdpKphsbXHMXik10SUJqcYiRx27xdWNvlU74crvuef2o8J5qbCNaiOwtr3fr+Cl
yKKD43cSxFbTAIg3HfGy3T7dSvsmQTSxjyJSTSKs1L6FDeTRY3LJUoMIa5Ouo4WT
bPUaSFORJc/16uogxAGtsBCnSMHo+5Ly1wajaqe7Ce0DgbY8XuW2n8yz76WXTv3q
e8Z+r0Qd7A6P0+vL+2F9RwTLUdyJ79j4+pY6WRweKnLDsjinG0nG2PKsc0kr1H4I
OjxQkoE8VKQzEkTw3Zb1rLqf9QVc/2xBVtrmmMSaV4UCDANqQPfbL347qgEP/3YO
QAca8LbrtONhffNsWTV+Cujh0U+A8SxiQkMWT2asSDeBOzOx8SifXtxET5EF1bNj

...


---
* my copy of Thunderbird ( 38.5.1 ) is having problems decrypting any PGP/Mime that includes HTML with embedded graphics -- or attachments. the example data shown here was encrypted on T/Bird -- but the message had to be decrypted using CLAWS mail .

the sample message shown here includes a .pdf attachment which has some .png image data included
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!

User avatar
mike acker
Level 6
Level 6
Posts: 1285
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Security Tutorials

Postby mike acker » Wed Mar 09, 2016 6:06 pm

Programs to work with

Mozilla/Thunderbird with the ENIGMAIL

Generally Mozilla/Thunderbird with the ENIGMAIL plug-in is the most comprehensive e/mail client I have used -- although MSFT/Outlook, combined with Symantec/PGP Desktop is comparable

note: Thunderbird/ENIGMAIL should be used with GnuPG version 2
if you are not sure what you have then open terminal and issue the --version inquiry, as follows:

Code: Select all

$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


if it kicks back program not found then install GnuPG2 as follows

Code: Select all

sudo apt-get install gnupg2

Note, do NOT uninstall gnupg. This is still used by many other parts of the operating system, including aptitude itself.

Thunderbird will automatically use gpg2 if you have it installed ( and I think it's required in the current versions )

Thunderbird/ENIGMAIL offers an *excellent* key-management dialog -- numerous example of which are shown as screen image snips in this tutorial. with their key-management dialog you should not need to deal with GnuPG directly or using an alternate edit such as KGpg


Evolution


the Evolution e/mail client is also very well done although you may wish to use the the KGpg key manager with this program.

KGpg

KGpg is a good "GUI" interface to GnuPG although you do need to configure it for gpg2 and for key servers.

command line

a number of examples shown in this sequence have shown command line output
for complete documentation of Command Line options. GnuPG Reference Manual


Claws Mail


Claws Mail is cool, -- in an interesting way --
they don't like HTML mail -- although they have a plug-in that will display HTML formatted mail for you.
they don't have an HTML editor. At first I thought they were really backward -- but -- on 2d thought -- maybe not. Maybe e/mail should have never been more than a transport service... kinda like the old FIDO system .

CLAWS does allow you to compose in whatever -- and send as attachment

ZIP / tar

Anytime you have a collection of files that need to be signed and sent the best option is to use ZIP or Archive Manager to put all the files into a container -- such as .zip or .tar.gz --etc After that you can sign the .zip or .tar container and then zip or tar your signature together with your archive as .zip or .tar -- whatever you are using -- and this will then give you a single file that can be transmitted/downloaded -- including a signature .
My Computer: IBM 360/50 c. 1975
¡Viva la Resistencia!


Return to “Tutorials”