Page 3 of 3

Re: Security Tutorials

Posted: Mon Mar 07, 2016 4:41 pm
by mike acker
a message from our new employee, Tom Beasley arrives:
Msg from Beasley 1.png
apparently Tom has been instructed to use PGP/Mail -- as he has attempted to sign his message. However, on our system we see a message: unverified signature.

we can request the details from ENIGMAIL:

Code: Select all

Unverified signature
Public key 8F6A1C6D5E95BC8D needed to verify signature

BAD signature from 
this means we do not have the key, identified above, that was used to sign the message. we have no way to know who sent this message. the from address says the message is from Tom Beasley -- but --anyone could send a message claiming to be Tom Beasley -- or Richard Nixon -- or anyone they wish to impersonate . this is unacceptable for business -- or private communication.

we send Tom back a reply instructing him to
  • have your key signed by Alice, and
  • upload your key to the key server

Re: Security Tutorials

Posted: Mon Mar 07, 2016 5:56 pm
by mike acker
we get a message back from Beasley stating that he has uploaded his key

as soon as we download his key -- we should be able to validate his messages,--

ENIGMAIL provides a dialog for downloading the key
( you do need to know which key server is being used )
Msg from Beasley 2.jpeg
notice that his signature remains unverified until we get his key downloaded,--
Msg from Beasley 3.jpeg
well now! we have his key -- and it is correct on his message -- but ENIGMAIL is telling us his key is UNTRUSTED.
this is because his key is NOT VALID: at this point we have NO ASSURANCE that key "5C8D8076 " actually belongs to Beasley. We could be talking to Nixon -- for all we know -- at this point. We must have the key validated -- so that we are sure that key "5C8D8076" actually belongs to Beasley

that is why we have designated Alice -- our administrative assistant -- to Validate Keys. On our system her key shows FULL trust: i.e. we trust Alice to validate keys for other employees . that is why Tom has to go see Alice. She can download his key, make sure it is key "5C8D8076 ", sign it, and then upload it for Tom;

Re: Security Tutorials

Posted: Tue Mar 08, 2016 9:29 am
by mike acker
at this point, if we display Beasley's key we will see the problem:
Msg from Beasley 4.jpeg
we will have to get after Beasley to follow instructions! So we send him a note, telling him to have Alice sign his key and re-upload it

following that, Beasley responds:
Msg from Beasley 5.jpeg
his key remains NOT VALID: although Alice signed it and uploaded it we need to get the update:

for this we have to REFRESH his key from the server:
Msg from Beasley 6.jpeg
a download -- as we had done earlier -- won't work -- as we already have his key. here we need an update.
( you should refresh all critical keys on some sort of schedule-- )

Re: Security Tutorials

Posted: Tue Mar 08, 2016 9:49 am
by mike acker
Updated key for Beasley
Msg from Beasley 7.jpeg
you notice GnuPG checks its database and derives a value to the VALIDITY of Beasley's key
As we have assigned FULL trust to ALICE her signature on Beasley's key sets Beasley's status to VALID:
i.e. we are satisfied that key 5C8D8076 belongs to Beasley
Msg from Beasley 8.jpeg
we mark him UNTRUSTED -- i.e. we do not trust him in any manner to validate keys for others: we know who he is -- but we don't trust him to handle keys.
Msg from Beasley 9.jpeg

Re: Security Tutorials

Posted: Tue Mar 08, 2016 9:51 am
by mike acker
Msg from Beasley 91.jpeg
at this point the system shows a valid message from Beasley

we'll fire him Friday

Before we do that we have some Suggested Reading

These are from Brian Krebs -- which -- if you like to keep up on security -- is a Good Read

(1) IRS Suspends Insecure ‘Get IP PIN’ Feature

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.
(2) Seagate Phish Exposes All Employee W-2’s

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.
in our little parable here which i have written for this tutorial Alice acts as the introducer, validating keys for our new employees.

in real life we would need agencies that deal with validating identities to validate GnuPG, openPGP, and PGP keys for us. Such agencies could include our local credit union, DMV, County Clerk, Notary Public, &c

once a key is validated we would need to associate that key with our business contacts. this could be as simple as logging onto an online account and simply adding the key ID and server ID to the account data. the business could then access the validated key and following that would expect transactions, e/mail &c to be properly validated.

this stuff should have been done back in 1995. Instead we continue to use "Knowlege Base Authentication" (KBA); this in spite of the fact that the "knowlege" -- DoB, SSN etc -- has all been compromised and is readily available to scamsters via various resources available on the "DarkNet".

a Quick Word of Caution

Security depends on the use of a secure operating system. a secure operating system will not allow itself to be corrupted by the activity of an application program; nor will it allow one application program to steal data from another .

Re: Security Tutorials

Posted: Tue Mar 08, 2016 6:09 pm
by mike acker
now that we think we understand PGP it's time to take off the Cowboy Hats and put on the Thinking Caps

Think like a Hacker

a Hacker will study an information flow, and look for a weakness -- a point where he can impersonate a source in order to manipulate a target

I might think I could use PGP to sign my tax return -- and thus foil any scamster who plans to submit a forged return. to do this he needs to generate a keypair with my ordinary identifications on it -- and get that signed by an accredited service -- and submit it to the IRS

to prevent this we will need a change control procedure with two sections:
(a) initial submission and validation of key;
(b) change procedure;

While we are thinking about this I'll relate a little parable. This is a true story that affected this writer.

the annuity manager for one of my retirement annuities abruptly sent me an e/mail stating that i had changed my mailing address to someplace, Klamath Falls. I promptly called them on the phone and had them correct my address back to Michigan.

the attacker immediately changed the address back to Klamath again.

this was repeated 3 times before the attacker gave up.

the important lesson here is -- just implementing PGP is not sufficient; security must be established and then maintained. Maintenance must protect keys from tampering.

the nice thing about PGP is -- once security is established -- we can required changes to be sent via the secure channel,-- up to and including provision of a new public key .

security should be established immediately on new accounts. on existing accounts an existing document could be signed and re-submitted in order to help verify the sender's key. to thwart this the attacker would need an exact machine readable copy of a document to be used for the validation. an attacker might attempt to open a new account on behalf of the victim -- e.g. a credit card. in this case he would not have the proper signature to do it -- although he might have generated one that would look valid to the provider. once the account went active the fraud would be exposed when the signatures didn't check out .

I'm going to throw my thinking cap in the back of the truck now and get my Cowboy hat and a ceegar

While I'm doing that: Suggested reading:
PGP User's Guide, Volume I: Essential Topics
read How to Protect Public Keys from Tampering

it's not an easy topic and the difficulty is seruously exacerbated when you have "Trusted Introducers" or "Certificate Authorities" running around like stray coyotes, ...

Re: Security Tutorials

Posted: Tue Mar 08, 2016 8:59 pm
by Georgia boy
Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.

Re: Security Tutorials

Posted: Wed Mar 09, 2016 8:10 am
by mike acker
Georgia boy wrote:Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.
"armor" -- is not something you need to install -- it's a standard feature of any version of PGP

"armor" is an option you can set when you encrypt a file:
e.g. :

Code: Select all

 $ gpg2 --recipient Beasleyy --armor --encrypt test.txt
ls test*
test.txt  test.txt.asc

remember: the tutorial here is not intended to be a substitute for the manual; rather it is a set of examples that may help the reader dig the stuff out of the manual that he may need for whatever he wants to do.

in the example i did not specify the --output option; for that reason the original file name is appended with the ".asc" suffix and that becomes the "armor" file

here's what the 'armor' looks like :

Code: Select all

Version: GnuPG v2

all that it does is convert the cipher text into 7-bit printable ascii . this was done to reduce problems in transmission where 8-bit characters can sometimes act as control characters and confuse the transmission software . the use of 'armor' continues today as a 'best practice'

In e/mail systems PGP/Mime is used. this is similar but expanded so as to act as a container as well as armor. as a 'container' PGP/Mime can include HTML message text, attached documents of any sort and digital signatures . *

on any test message in Thunderbird/ENIGMAIL just do a "view source" and you see the PGP/Mime data is just a character stream -- similar to above.

you should see something like this:

Code: Select all

To: Tom Beasley <>
From: Mike Acker <>
Subject: here's the al gore file
Message-ID: <>
Date: Wed, 9 Mar 2016 06:43:33 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
MIME-Version: 1.0
Content-Type: multipart/encrypted;

This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156)
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME version identification

Version: 1

Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

Version: GnuPG v2


* my copy of Thunderbird ( 38.5.1 ) is having problems decrypting any PGP/Mime that includes HTML with embedded graphics -- or attachments. the example data shown here was encrypted on T/Bird -- but the message had to be decrypted using CLAWS mail .

the sample message shown here includes a .pdf attachment which has some .png image data included

Re: Security Tutorials

Posted: Wed Mar 09, 2016 6:06 pm
by mike acker
Programs to work with

Mozilla/Thunderbird with the ENIGMAIL

Generally Mozilla/Thunderbird with the ENIGMAIL plug-in is the most comprehensive e/mail client I have used -- although MSFT/Outlook, combined with Symantec/PGP Desktop is comparable

note: Thunderbird/ENIGMAIL should be used with GnuPG version 2
if you are not sure what you have then open terminal and issue the --version inquiry, as follows:

Code: Select all

$ gpg2 --version
gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
if it kicks back program not found then install GnuPG2 as follows

Code: Select all

sudo apt-get install gnupg2
Note, do NOT uninstall gnupg. This is still used by many other parts of the operating system, including aptitude itself.

Thunderbird will automatically use gpg2 if you have it installed ( and I think it's required in the current versions )

Thunderbird/ENIGMAIL offers an *excellent* key-management dialog -- numerous example of which are shown as screen image snips in this tutorial. with their key-management dialog you should not need to deal with GnuPG directly or using an alternate edit such as KGpg


the Evolution e/mail client is also very well done although you may wish to use the the KGpg key manager with this program.


KGpg is a good "GUI" interface to GnuPG although you do need to configure it for gpg2 and for key servers.

command line

a number of examples shown in this sequence have shown command line output
for complete documentation of Command Line options. GnuPG Reference Manual

Claws Mail

Claws Mail is cool, -- in an interesting way --
they don't like HTML mail -- although they have a plug-in that will display HTML formatted mail for you.
they don't have an HTML editor. At first I thought they were really backward -- but -- on 2d thought -- maybe not. Maybe e/mail should have never been more than a transport service... kinda like the old FIDO system .

CLAWS does allow you to compose in whatever -- and send as attachment

ZIP / tar

Anytime you have a collection of files that need to be signed and sent the best option is to use ZIP or Archive Manager to put all the files into a container -- such as .zip or .tar.gz --etc After that you can sign the .zip or .tar container and then zip or tar your signature together with your archive as .zip or .tar -- whatever you are using -- and this will then give you a single file that can be transmitted/downloaded -- including a signature .

Re: Security Tutorials

Posted: Tue May 29, 2018 10:46 am
by Pjotr
andreyswit wrote:
Tue May 29, 2018 6:08 am
How much security is needed for a bunch of old fat farts like most of us?
This is my recommendation: ... t/security