Signal SMS: A Quick Plug

I just want to take another opportunity to hawk the Signal SMS app. It’s a good client, it’s run by one of the smartest and seemingly nicest people in security today, and it’s funded as a nonprofit.

Why do I mention it? This is a little political, but it’s related to everyone’s privacy and security, so I’m going to chime in about this tidbit that came out this week:

According to a transparency report (PDF) released by the Office of the Director of National Intelligence, the agency got its hands on 534 million call and text records from telecommunications companies like AT&T and Verizon in 2017. That’s over three times the number (151 million) it collected in 2016, which was the first full year since new surveillance rules under the USA Freedom Act took effect.

haveibeenpwned.com Database Made Public

Troy Hunt, the guy that runs the extremely useful haveibeenpwned.com, has released his working password database in the form of SHA-1 hashes.

What this is: an extremely useful tool for people working in security. They can hash the passwords in use on their own systems and check whether each hash appears in this list; if it does, that password is almost certainly in a dictionary file somewhere and vulnerable to a dictionary attack.

What this is not: a usable password list useful for crackers, because everything is in SHA-1 hash form.

Troy deserves all the credit in the world for doing a public service for free, and props to Cloudflare for offering to host a 6GB file (also for free).
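As an added example (my own code, not Troy Hunt's or the haveibeenpwned project's), here is the defender-side check described above in Python: hash a candidate password the way the released list does (upper-case hex SHA-1), then stream the list line by line rather than loading gigabytes into memory. The `HASH:count` line format is an assumption, the sample lines and their counts are constructed, and a bare list of hashes with no counts is handled too.

```python
import hashlib
import io
from typing import Iterable


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the released list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of the list; the real file is ~6 GB of lines like this.
# The prevalence counts here are made up for illustration.
SAMPLE_LIST = "\n".join(
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password", 3533661), ("123456", 20760336), ("letmein", 236000)]
) + "\n"


def lookup_prevalence(password: str, lines: Iterable[str]) -> int:
    """Return how many times the password appears in the list (0 if absent).

    Streams the input so a multi-gigabyte file can be checked without
    reading it all into memory. A line with no ":count" suffix (the plain
    hash-only format) counts as seen once.
    """
    target = sha1_hex(password)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        if digest.upper() == target:
            return int(count) if count.isdigit() else 1
    return 0


def is_acceptable(password: str, lines: Iterable[str], max_prevalence: int = 0) -> bool:
    """Password-policy hook: reject anything seen more than max_prevalence times."""
    return lookup_prevalence(password, lines) <= max_prevalence


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = lookup_prevalence(candidate, io.StringIO(SAMPLE_LIST))
        print(f"{candidate!r}: seen {seen} times, acceptable={seen == 0}")
```

In production you would open the real file with `open(path)` and pass it in place of the `io.StringIO` wrapper; a sorted file plus binary search or a database import is the faster route once you are checking many passwords.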

Humble Book Bundle: Cybersecurity

This isn’t a bad bundle for $15, all told. I’d consider it a buy if you want to understand some of the underlying security and crypto concepts, but not if you’re looking for up-to-the-minute exploits or state-of-the-industry material.

For example: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition is a book from 2011. A fair bit of it is still relevant, but six years is a long time. On the other hand, something like Cryptography Engineering: Design Principles and Practical Applications is going to be a solid foundational crypto book for a long time.

If you have zero certs or industry experience, the CEH isn’t the worst place in the world to start to get a beginning job, but it’s basically just a memorization test and the industry knows it.

Hardening SSH With Configuration Changes

Hardening SSH can be a challenge, but it’s critical to get done.

OpenSSH is the administrative tool of choice for any good Unix/Linux sysadmin, and every bad guy in the world knows it. There’s a lot of scanning constantly looking for low-hanging fruit like misconfigured SSH services.

Continue reading “Hardening SSH With Configuration Changes”

Crypto Wars

I’ve got two pieces about the state of the modern crypto wars! The current dialogue is about the hash functions SHA-2 versus SHA-3. They also talk about some other competing functions like BLAKE and KangarooTwelve, but in the interest of sanity I’m going to stick to SHA-2 and SHA-3. These are both NIST-published standards, and NIST standards are generally the bar used by... well, everyone.

Continue reading “Crypto Wars”