Tag Archives: security

Run KeePass with mono on FreeBSD 10.1

Using a password safe can make life much easier. You can store an encrypted password for each service, and if you need a new password, a password generator is included as well.

To have the same password safe on all your Linux/Mac/BSD machines you can use KeePass. It is a mono based piece of software. OK, it is not sexy, but it does its job quite well.

Install dependencies for KeePass on FreeBSD 10.1

pkg install mono libgdiplus

Download KeePass

Download the KeePass portable version!

Homepage: http://www.keepass.info/download.html#

Run KeePass

After you have extracted KeePass to the place you want, run it with mono:

mono KeePass.exe

or use your file browser to execute the KeePass.exe file with mono. This works for me with Dolphin in KDE.

Screenshot: KeePass with mono on FreeBSD 10.1

Hope this helps to make your life easier when managing passwords.

One bad thing is that KeeFox does not seem to be working on FreeBSD yet. KeeFox is a nice integration into your Firefox browser that automatically fills forms with the stored password for that site. I didn't investigate further; maybe you have some time to find an alternative or make it work on FreeBSD.

Security reviews have become sexy nowadays, we need to make them happen

If you're interested in software security you will have noticed that there were some major security problems with widely used software last year. The attention these problems get in mainstream media has risen over the last two years. We had some big security problems in the past as well; just remember the problem with all the SSH keys on Debian systems which were generated with bad entropy. This critical security problem in one of the most used Linux distributions should have had as much attention as Heartbleed had.

Open source is not the answer to everything, but it is the only way

For me this hopefully kills the old assumption that open source is more secure by default. This is complete bullshit in most cases. If you have a look at open source graveyards like SourceForge, GitHub or Google Code you will mostly find a lot of dead projects of poor quality. Why am I so sure about that? Because I am part of the problem. Most of us have committed or published to some of these projects with the good intention to share something and give it to those who might be able to use it. And maybe the quality at the time was good and everything worked fine, but times change.

If I think about this today, we all should delete this old rubbish to prevent it from being used somewhere else. It would be nice if source code which no one maintains would delete itself some day, but as long as this does not happen we have to take care of it ourselves or set up a proper maintenance infrastructure for it. Just because some code is open source does not guarantee that it is reviewed. The mere fact that the code is open and could be reviewed is what has brought us to where we are today. I have never met this somebody who reviews code for fun and for free all day long. And even if we have someone like Andy Lutomirski, who looks like he has incredible fun doing such a job for parts of the Linux kernel, there are not enough Andys around for every open source project.

Open source needs more money

All the good intentions of sharing source code so that it gets reviewed by more people and becomes more secure do not work in every project. We need more money to pay people to read our critical software components. Nobody will do this for free, not frequently and motivated over a long time. And we need to do it again and again and again. It is not only Truecrypt, the Linux kernel or the most used web servers that need our attention.

To do these reviews we do not only need more people at the OpenSSL foundation or a fork like LibreSSL. This may fix the problem for OpenSSL, but not for all the other libraries which can have a similar impact when they are screwed up. There is already an infrastructure we can use to spend the money which is needed to make our systems more secure. Security has always been expensive, and a community of volunteers cannot handle it without our support over such a long time.

We should start to spend more money on open source. Security comes at a price. Don't misunderstand this: I don't want to make every open source project charge money for its source code, but we need to establish ways to ensure someone does the job nobody wants to do.

And we should make it sexy for the companies we work for to spend money, too. Some of these companies have built their complete business on these free and open tools and still rely on them. If you're a grown, established company, give back a piece of the cake to those who helped you get where you are today.

Which organizations should we give our money to?

To those who support the developers doing such a great job for us. Some good candidates are:

They bring us a lot of software that we rarely or never realize we are using every single day.

ssh -X doesn't work on CentOS

If you installed the server without a GUI, it may sometimes be useful to have GUI output via ssh on a different computer.

You can connect to the server with ssh and present the output on your local machine by using ssh with the option -X. You need to make sure that the package xauth is installed on the target machine for this to work. For some types of software you may need some additional libraries as well, but they should be installed by yum automatically.

Install xauth like this:

sudo yum install xauth

Secure erase a USB stick or hard disk on Mac OS X

Mac OS X brings a built-in solution for securely erasing hard disks or USB devices. The option you should choose depends on what data was stored on the device you want to erase.

For example, if you want to sell your old private hard disk with all your private photos, your tax information etc. on it, you should take the time to erase it securely. If it's just a USB stick with some music on it, you can perhaps save some time and choose a faster option. If the device is for business use and it has highly sensitive information stored on it, you should think twice about selling this device at all. In some cases it's better to erase the data and destroy the device so that nobody can use it.

I use the Disk Utility to do this job. There are some console methods as well, but they do the same thing. The erase mechanism built into the Disk Utility is certified by US government institutions (Department of Defense) and should do its job. If you need a higher or different security certification, you can check the German BSI homepage for information about alternative tools and methods.

Screenshot: Disk Utility

Select the Secure Erase Option which best fits your needs.

Screenshot: Secure Erase Options

Screenshot: Secure Erase of a USB stick in Disk Utility

Use SSH for more secure browsing in public networks

In times of free wifi and free internet connections in every hotel, bar or cafe you should make sure your connections are secure. In some cases you can't trust the connection, but you need to go online and read some mails or share some documents. In this case some basic tools like SSH and Firefox can help you build a secure connection to a known computer on the internet that you can trust (for example your own root server).

To make clearer what I am talking about, I created this small diagram to make it easier to explain what I am doing with this SSH connection and how I can benefit from it.

Diagram: browsing through an SSH tunnel

Let's say I am connected to a public network or wifi access point. There are many people around me using the same connection, and I don't know the provider of the network very well. What I can do to get a secure connection is to open an SSH tunnel to my known machine and send all the traffic I am generating with my web browser through this tunnel.

This can be done with an SSH command like this:

ssh -D 8080 username@host

What this command does is explained in the man page of the ssh command:

-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

IPv6 addresses can be specified with an alternative syntax: [bind_address/]port or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or `*’ indicates that the port should be available from all interfaces.

Now I have a local port (8080) I can send my traffic through. The only thing left to do is to reconfigure Firefox to use this port and connection, and to make sure DNS requests are sent through the secure connection as well; otherwise the untrusted network still sees every hostname you resolve.

Screenshot: Firefox proxy configuration window

Open the about:config page and set the following boolean.

Screenshot: Firefox configuration boolean

If you want to activate and deactivate this proxy configuration with one click, there are several Firefox add-ons for managing proxy configurations, like QuickProxy or FoxyProxy.
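The whole procedure above in script form, as an added example that is not part of the original post: it opens the dynamic forward bound to loopback only, writes the Firefox proxy prefs (including the remote-DNS boolean) into a profile's user.js, and offers a quick check that traffic really goes through the tunnel. The pref names are Firefox's own; that network.proxy.socks_remote_dns is the boolean the post means is my assumption, as are the example user@host and port.

```shell
#!/bin/sh
# Added example, not from the original post.

# Open the SOCKS tunnel in the background: -N runs no remote command,
# -f backgrounds ssh once authenticated. Binding to 127.0.0.1 keeps
# other people on the same wifi from using your tunnel as their proxy.
open_socks_tunnel() {
    target="$1"            # e.g. username@host (assumed placeholder)
    port="${2:-8080}"
    ssh -f -N -D "127.0.0.1:${port}" "$target"
}

# Write the proxy settings into the profile's user.js. Firefox reads
# this file at every start. socks_remote_dns=true is what stops DNS
# queries from leaking onto the untrusted network (assumed to be the
# boolean the post refers to).
write_firefox_socks_prefs() {
    profile_dir="$1"
    port="${2:-8080}"
    cat > "${profile_dir}/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", ${port});
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Sanity check without Firefox: --socks5-hostname hands the hostname to
# the SOCKS server, so the name is resolved on the trusted side, exactly
# like socks_remote_dns=true. Fails if the tunnel is not up.
check_tunnel() {
    port="${1:-8080}"
    curl -sS -o /dev/null --socks5-hostname "127.0.0.1:${port}" \
        https://example.com && echo "tunnel on port ${port} works"
}
```

Typical use: `open_socks_tunnel username@host 8080`, then `write_firefox_socks_prefs ~/.mozilla/firefox/<profile> 8080` before starting Firefox, and `check_tunnel 8080` to confirm the forward is up.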

Another method of securing your browsing is to use the Tor network. Tor is a good and well known solution for protecting your privacy.

If you are more familiar with server administration you should set up your own VPN server.

For example, use OpenVPN to secure your browsing when you are in an untrusted wifi network. The setup is quite simple and takes around 1 hour if you are familiar with configuration and have some basic network skills.
A lot of good documentation can be found on the project website of OpenVPN: openvpn.net

One big advantage of using a VPN solution is that you can tunnel your complete traffic, no matter which application it comes from, to a trusted endpoint and from there to the internet. This is the best solution if you really don't trust the network and you need to go online with your mail program, your messenger or a custom application which uses no encryption or a weak encryption mechanism.