GNUCash. Its awesome.

Now I am no financial guru when it comes to matters pertaining to financial solutions (or am I?), but I’m quite content with GNUCash. GNUCash, for me, is a simple management solution for finances that extends past the capacity of using Excel as your budget tracker (not that you should do that).

The reason I enjoy using GNUCash (apart from it being freely available) is how flexible but powerful it is. In under 5 minutes I was capable of reconciling my accounts and tracking the $18.2 discrepancy between my bank statement and my account balance in GNUCash. The reporting functionality is immaculate (more on that later) and the availability to utilize multiple accounts, with multiple journals is amazing.

Disclaimer: I love this software.

GNUCash uses double-entry accounting and transactions. In basic terms, credit an expense account, and debit a saving account. This basic concept allows for in-depth analysis of the current cash-flow of an account. For example, this is how I personally setup an opening balance against an account:As you can see, under the account “Westpac Expense Account” I am depositing $100.00, which has a double entry to Asset: <Expense Acount>. Now this is where double-entry accounting becomes exciting. In the accounting world, “credits must always equal debits”, meaning that whenever an expense is incurred, there must be an entry under the Expense Account as a credit (we’re adding to the value of this expense account) and a debit to the cashing account responsible for the expense. The following example is how you would credit your Gas Expense, and in-turn reduce the total balance of your bank account:

In a transaction report, we would see the Auto: Gas credited to bring a balance of $100.00 and the Asset: <Account> debited $100.00. On a short side-note, when I studied accounting and finance (quite some time ago) the easiest method for double-entry accounting was PALER:

P – Properitary Equity (Owner Equity)

A – Assets

L – Liabilities

E – Equity

R – Revenue

Which, depending on the transactional nature of the account, would mean the following:

 

 

 

However I have deviated from the topic, slightly – I am not here to teach accounting, I’m here to tell you why I love this program. Apart from simple entries, you are able to reconcile accounts easily; that is, to identify discrepancies and “why credits aren’t equaling debits”. For the example above mentioned, it is able to query the transactions and provide an informative window:

You cannot tell me that’s not a huge function of keeping track of finances!  So again, this financial application not only allows you to easily keep on top of income and expenses, but allows you to get a clear view of your expenses, income and discrepancies (similar to MYOB), all for free.

The last amazing feature I can say about the application is that the reporting mechanisms are very easy to create (should you want to make your own queries) along with several existing reports. For example, the cash flow report will record all “Main Accounts” pertaining to income and expenses, as for this example:

So give it a go, and I am quite confident you’ll thank me later!

My New Backup Policy

It’s been a while since I shared with you why backups and me do not mesh, and I even went as far as asking cloud services to encrypt my data for me. Today (well, it’s actually 1am in the morning, so this morning) I am going to share with you a slightly improved versioning of my backup methods.

This time, I have built in some complexity to my backup regime, and made it more robust. To summarize in the past, I have used applications such as Cobian, and EaseUS; Cobian’s VSS service kept failing me, and EaseUS was corrupting the data when writing, so I had 2 copies of corrupt data and for months was unaware. With my newest solution I aim to tackle this with the following:

  1. 4 jobs to individually copy files (explained later);
  2. 1 job to copy the entire 4 backup files to a NAS and;
  3. 1 job to copy the local files to another NAS drive.

With these jobs, the end files are being written in a native .zip extension, and an email notification with the job status has been sent out to confirm the outcome. Of course, this isn’t foolproof; but I am hoping that the 3 duplicated copies of the files, and the email notifications are enough to save me; heck, the program also checks the integrity of the files! So, I am going to detail this for you wonderful people.

Just warning you – this is going to be a lot of “this is the button I clicked, this is the screen” options below, but that’s life.


Having an escape medium

Before beginning, I needed to come up with a solution that would “get me out of trouble should this PC die”. Of course, the obvious solution to holding upwards of 40GB would be a NAS, or Network Attached Storage. Utilising an independent media allows me to segregate the damage from my PC to the NAS (Virus, power surge and water damage being the main causes).

The initial copy job should be local (as in, an internal drive) for the following reasons:

  1. You’re less likely to have corrupt backups local as opposed to network generated files;
  2. If the external media dies, you should have another copy of the data, and;
  3. You’ve got immediate access for recovery should you require it.

So with that, I re-purposed my Orico 2 Bay NAS (which has been awesome, if you’re after a cheap NAS bay- this does not have full “NAS” functionality) to be the medium for receiving the data. Because I encrypt my files, I needed to have a copy of AxCrypt and Symantec PGP Encryption in each directory I planned on using the backups in. This was my “escape medium”.

Under 4 directories (2x NAS Drives, local SSD and recovery USB) I housed the installers for AxCrypt and Symantec PGP. Note that because my backup solution uses .zip, I do not need it to extract anything.


Backup Software

In this example (and after over 25 hours of research) I have come to the conclusion that iPerius is one of the best tools out there for data backup. I so much enjoyed this software, I paid the $315.00USD figure to unlock all features (and “support development”).

I will go into example (step by step, with pictures) to identify how I performed my backup policies.

Selecting Directories

The first process for creating your backup files is to set your “working” directories; the folders you wish to backup. Because I use Symantec PGP Disks, I want to only backup the .pgd files, and not the entire directory.

With iPerius, I would apply the filter to only include the PGD file extension, as follows:

IncludeFilter

However, I also wanted to do a job per PDG file, so I added the other 3 PGD files to the exclusion list, as follows:

Exclude

 

 

 

 

 

Why is this important?

The reason why this is so important is it demonstrates the robust ability for iPerius to not only include all file extensions, but also to remove specific files you do not want.

Destination Information

The next step is to state where you want the data stored. In this screen there are 3 important options I wanted to identify:

  1. How many copies of the same file did I want this job to keep;
  2. If I wanted the files compressed, and with a password and;
  3. What I wanted the file to be named.

As you can see, I want to keep ~10 copies (full, not incremental) of the backup, and I have named the file based on the following parameters:

CopiesAndName

Logging The Data

Next, we want to enable it to be autonomous; if you need to initiate the backup, you’ll probably forget.

I went and set my days, and time, and asked the program to create a log file per backup:

ScheduleBKLog

Then, I configured the program to send me an email upon completion of set job:

Email Settings

The settings for the email portion.

I want to pay special attention to the email it sends you. Not only can you customize the header, recipients and body, but the format is easy to understand, and all this is wrapped up in a nicely viewed status bar, to tell you where the job is at:

JobRunning


The encryption portion of the data

In the past I’ve explained why it’s important to secure personal privacy, and demonstrated how basic encryption works,  but never how I personally achieve this. I personally (a few years ago) purchased 15 copies of a PGP program for a customer, who never went through with the deal – so now I have copies!

Symantec PGP Disks are how I store (and encrypt) data. Similar to this paper on Whole Disk Encryption, my pretty good privacy application has a screen where it lists PGP disks I have created:

CurrentDisk

These files can be located in Explorer, as such:

DiskInExplorer

To access the files (mounting them into memory) you simply need to enter the passphrase to the disk, with the following pop-up:

DiskPassphrase

The reason why I use this tool? It’s reliable, and rather secure – if my understanding on how PGP works is accurate, anyway.


 

So there you have it, a simple backup policy, that has enough redundancy to keep me out of trouble! Now if only Gmail labels were useful… 😉

Bash, making things easier.

Following on from my post last night about WGet and YouTube-DL, we’ve learned how to enable Bash on Windows 10. Now, this is an extremely useful thing to do, because it empowers you to use commands that are not native on Windows (or as a Linux fanboy would say, M$).

So, just so you all get a better understanding of the improved functionality of bash, we’re going to make some comparisons and examples.

I’m not going into detail – there is far too much to cover.

Network Monitoring – netstat.


On a windows box, to see current usage per process, the easiest method is to run:

netstat -a -b

Which will return a string similar to this:

 [chrome.exe]
     TCP 192.168.0.15:52581 192.0.78.13:https     ESTABLISHED
 [chrome.exe]
     TCP 192.168.0.15:52971 192.0.78.23:https     ESTABLISHED
 [chrome.exe]
     TCP 192.168.0.15:52972 192.0.76.3:https      ESTABLISHED

Rather simple to do, and allows you to see what process is responsible for what traffic, and what protocol it is using.

GNU + Linux supports netstat, but has a complete different syntax for the commands. To see connections with the process, simply run the following:

root@DESKTOP-3O8E0L8:/home/nanky# netstat -p


Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

 

It returns a little more intuitive data (in my opinion). For example, we can then dictate by interface the data we wish to see by adding -i to the command:

netstat -i

This is an advantage over Windows. But let us get to the killer feature:

netstat -a -v -w -r

The following flags are used:

 -a, --all
 Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not up

--verbose , -v
 Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

--wide , -W
 Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.

Thus allowing this command to return more valuable information, depending on the situation. However, there is a better tool: bmon and nethogs.

bmon

Start by issuing the following command:

sudo apt-get install bmon

 

Once installed, you should always look at the man page:

man bmon

 

Using bmon allows you to view the usage and statistics per interface, such as:

BMON Capture

Of course, there are other tools to conquer these tasks out there – I would strongly suggest you read this post outlining other sysadm tools available to you.

 

Automation, crontabs.


As opposed to the clunky Windows Task Scheduler, Linux uses Cron Jobs to execute tasks.

You’ll need to have bash running for CronJobs to work on Windows.

Pretty self explanatory, create a script or command you want to execute, and add it to the scheduler. Here it the default example provided to you:

# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/

You guessed it, the stars represent time:

# m h dom mon dow command

The tar -zcf portion is the code it executes. Pretty self explanatory. 7:30am, every week for example:

crontab -e
30 7 * * 1 /my/command/to/execute/yo.sh

You get this. Easy stuff.

 

Task Maintenance – task.


Okay so this one’s not so critical, I just love this application. TaskWarrior. Tasks is a super simple yet super powerful CLI driven task manager.

sudo apt-get install task

 

There we go, you’ve installed it. Let’s add our first task:

nanky@DESKTOP-3O8E0L8:~$ task P:H  due:31 project personal add edit this css

Now let’s view our task:

 ID Age P Due Description Urg
 2  26s H  4w edit this css

Pretty simple method to view the task at hand. Now we want to view the task with the ID ‘2’:

task id 2

Which will return the following:

Name Value
ID 2
Description change task 1
Status Pending
Entered 2017-09-27 23:50:56 (1min)
Last modified 2017-09-27 23:50:56 (1min)
Virtual tags PENDING READY UDA UNBLOCKED LATEST PRIORITY
UUID 34c4cf80-a857-4123-a463-4c4bcc44b591
Urgency 6
Priority H

UDA priority.H 1 * 6 = 6
 ------
 6

You can sync your tasks across multiple devices, too! Just view their usage examples, and you’ll get the feel for how complex you can make the tool.

Lastly, text editing.


I cannot live without GNU Nano. Yes, you could use Vim but the simplicity of Nano amazes me.

For example, let’s edit a file and close it, all without needed to locate it, open, manually save and confirm dialogs:

nano /mnt/c/path/to/file/yo.txt

It is literally that simple, and you can interact with files stored on Windows natively.

That’s it.

You pretty much get the picture; CLI > GUI.

 

Just read:

  1. 20 Command Line Tools to Monitor Linux Performance
  2. Best Linux Command-Line Tools For Network Engineers
  3. Top 5 Linux Utilities for Network Engineers

 

 

 

 

 

Let’s chat about how you chat.

In the modern day, there are a plethora of instant-messaging applications at disposal to allow you to communicate, send photos and videos, and share your location with family and friends. The same is true about the Government housing all this data. So, I thought I’d add some context as to what you can do to improve security when using instant messaging applications.

The best thing about factual topics on the internet are, you can quote and use them to literally reiterate the same fact on your own post, and it’s for a good cause; keeping things factual.


Why do I need an encrypted chat program?

You do not necessarily need an encrypted chat program, however it is important to those whom wish to have privacy with those they speak to. Any message (ASCII), photo, video or voice recording transmitted via Facebook, Snapchat, Instagram or even conventional SMS can (and most likely) is stored in some centralised database, building a profile of you.

Do you remember people complaining Facebook knows what they look at on their phones?  As an example, this post goes into detail about data you are sharing with Facebook, even though you are not directly opting to do so (read the terms of service next time):

  • Videos you’ve watched
  • Comments you’ve liked
  • Websites you’ve visited
  • Articles and websites you’ve commented on
  • Surveys you’ve filled out
  • Companies you like
  • People you’ve been tagged with
  • People you frequently hang out with
  • Friends you’ve requested
  • Friends you denied
  • Friends you’ve un-friended
  • How often you are online
  • Apps you Admin/created
  • Pages you admin/created
  • Your current mood
  • Device you’ve accessed the Internet from
  • Exact Geo-location (longitude, altitude, latitude, time/date stamp)
  • TV, Film, Concert you are currently watching
  • Book or publication you are currently reading
  • Audio you are currently listening too
  • Drink you are currently drinking
  • Food you are currently eating
  • Activities you participate in
  • Advertising you interact with
  • Profiles you interact with most
  • Locations you access Facebook
  • Locations you access web properties connected to Facebook
  • Level of online engagement
  • When you changed jobs
  • How long you stayed in a job
  • Credit card details
  • IP Address
  • Apps you’ve downloaded
  • Games you’ve played
  • Pages/Businesses you’ve un-liked (when)

The main reasoning behind the highlighted items are that in unison, anyone with access to this data can isolate your location, recent visits and what devices you have on you. Not only does this potentially make you vulnerable to tracking from people, but opens you up for someone to steal your identity (yes, these are very dramatic repercussions but still valid).

  • Device you’ve accessed the Internet from

Services (this is not limited to Facebook) should not have the ability to catalogue the devices tied to an account.

With this ability, they are able to (stemming to the next point) always have a geo-locked location of the device (and assumed person) at their disposal.

  • Exact Geo-location (longitude, altitude, latitude, time/date stamp)

Exact. What the actual Foxtrot Unicorn Charlie Kite?  Services knowing where I am, at whatever time is a clear abuse of power.

Using this information, patterns of travel and location can allow you to be tracked. Using services such as Facebook to allow geo-location tracking is absurd in my opinion.

  • IP Address

If you know my public IP via a NAT you can easily sniff and track web usage of certain people; again, what the actual Foxtrot Unicorn Charlie Kite?

  • Websites you’ve visited

Because Internet Censorship is what everyone wants, right?  Having ISP logging Metadata and services knowing website you visit is a sheer breach of personal privacy.

  • Book or publication you are currently reading

Personally, I read a lot of politically incorrect publications (not that I am some crazy person) and I’d like to keep that private; Facebook knowing I am “Googling” terrorist attacks and researching them should not be recorded without my implicit confirmation.

Now of course, it is impossible not to use services that record all this data (Personally Google knows everything about me) but there are valid techniques to mitigate the collection and aggregation of this information.

What are the things I should look for in set program?

This is a broad and rather opinion-based topic point. Discussion relating open sourced, closed, cross-platform and protocols are open for debate.

Personally (and I am not a security expert), there need to be 3 options available in an application to make it secure:

  • Open source, peer reviewed;
  • De-facto encryption standards and;
  • Non identifying sign-up requirements.

Open source, peer reviewed

This topic has a lot of scrutiny about it. One point being vulnerabilities are shared with anyone reading the code, but at the same time, greater set of eyes allow this to be patched faster.

My opinion is summarised by this statement:

Do I choose Safe Number One that’s advertised to have half-inch steel walls, an inch-thick door, six locking bolts, and is tested by an independent agency to confirm that the contents will survive for two hours in a fire? Or, do I choose for Safe Number Two, a safe the vendor simple says to trust, because the design details of the safe are a trade secret? It could be Safe Number Two is made of plywood and thin sheet metal. Or, it could be that it is stronger than Safe Number One, but the point is I have no idea.

Of course, the battle enraged the internet  and everyone has their own opinions I personally believe that if the code is peer-reviewed, back doors and holes to the software are far less likely than those of a propriety company that will share your data for the right payment.

De-facto encryption standards

When you use a program designed to keep security in mind, you do not want to rely on some newly-created protocol that takes a thousand builds to be stable. Implementing either old (usually broken) or unstable protocols is a flaw in itself when trying to enact secure messaging.

As with all my posts, the technical content will be highly referenced as I am (as I’ve said) not a security expert.

When looking at encryption and cryptography, there are a number of standards you can enact.

Extensible Messaging and Presence Protocol (XMPP)

is a communications protocol for message-oriented middleware based on XML (Extensible Markup Language).[1] It enables the near-real-time exchange of structured yet extensible data between any two or more network entities.[2] Originally named Jabber,[3] the protocol was developed by the Jabber open-source community in 1999 for near real-timeinstant messaging (IM), presence information, and contact list maintenance. Designed to be extensible, the protocol has been used also for publish-subscribe systems, signalling for VoIP, video, file transfergaming, the Internet of Things (IoT) applications such as the smart grid, and social networking services.

Think of XMPP as the back-end transportation method and not necessarily the encryption methodology.  XMPP is good as it has a open-standard, and is scalable across platforms.

According to XMPP:

Secure — any XMPP server may be isolated from the public network (e.g., on a company intranet) and robust security using SASL and TLS has been built into the core XMPP specifications. In addition, the XMPP developer community is actively working on end-to-end encryption to raise the security bar even further.

An XMPP Server is considered secure when the following (minimum) items are present:

  • The server is running with a server certificate
  • The server is configured to not allow any cleartext communications – S2S and C2S
  • The server supports XEP-198

Note that unless you have clear access to the code running on the server to validate the above, you assume the XMPP portion of the application is unsecure.

Off-the-Record Messaging (OTR)

is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AESsymmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecyand malleable encryption.

OTR is a rather complex protocol. Before commencing an encrypted data exchange, both parties must do an unauthenticated Diffie-Hellman (D-H) key exchange to set up an encrypted channel, and then do mutual authentication inside that channel.

Let’s use Bob and Alice as the example here. Bob must initiate the AKE (Authenticated Key Exchange) as follows:

Bob:

  1. Picks a random value r (128 bits)
  2. Picks a random value x (at least 320 bits)
  3. Sends Alice AESr(gx), HASH(gx)

Alice:

  1. Picks a random value y (at least 320 bits)
  2. Sends Bob gy

Bob:

  1. Verifies that Alice’s gy is a legal value (2 <= gy <= modulus-2)
  2. Computes s = (gy)x
  3. Computes two AES keys c, c’ and four MAC keys m1, m1′, m2, m2′ by hashing s in various ways
  4. Picks keyidB, a serial number for his D-H key gx
  5. Computes MB = MACm1(gx, gy, pubB, keyidB)
  6. Computes XB = pubB, keyidB, sigB(MB)
  7. Sends Alice r, AESc(XB), MACm2(AESc(XB))

Alice:

  1. Uses r to decrypt the value of gx sent earlier
  2. Verifies that HASH(gx) matches the value sent earlier
  3. Verifies that Bob’s gx is a legal value (2 <= gx <= modulus-2)
  4. Computes s = (gx)y (note that this will be the same as the value of s Bob calculated)
  5. Computes two AES keys c, c’ and four MAC keys m1, m1′, m2, m2′ by hashing s in various ways (the same as Bob)
  6. Uses m2 to verify MACm2(AESc(XB))
  7. Uses c to decrypt AESc(XB) to obtain XB = pubB, keyidB, sigB(MB)
  8. Computes MB = MACm1(gx, gy, pubB, keyidB)
  9. Uses pubB to verify sigB(MB)
  10. Picks keyidA, a serial number for her D-H key gy
  11. Computes MA = MACm1′(gy, gx, pubA, keyidA)
  12. Computes XA = pubA, keyidA, sigA(MA)
  13. Sends Bob AESc’(XA), MACm2′(AESc’(XA))

Bob:

  1. Uses m2′ to verify MACm2′(AESc’(XA))
  2. Uses c’ to decrypt AESc’(XA) to obtain XA = pubA, keyidA, sigA(MA)
  3. Computes MA = MACm1′(gy, gx, pubA, keyidA)
  4. Uses pubA to verify sigA(MA)

If all of the verifications succeeded, Alice and Bob now know each other’s Diffie-Hellman public keys, and share the value s. Alice is assured that s is known by someone with access to the private key corresponding to pubB, and similarly for Bob.

Once this has been configured, you can go about Exchanging data.

Suppose Alice has a message (msg) to send to Bob:

Alice:

  • Picks the most recent of her own D-H encryption keys that Bob has acknowledged receiving (by using it in a Data Message, or failing that, in the AKE). Let keyA by that key, and let keyidA be its serial number.
  • If the above key is Alice’s most recent key, she generates a new D-H key (next_dh), to get the serial number keyidA+1.
  • Picks the most recent of Bob’s D-H encryption keys that she has received from him (either in a Data Message or in the AKE). Let keyB by that key, and let keyidB be its serial number.
  • Uses Diffie-Hellman to compute a shared secret from the two keys keyA and keyB, and generates the sending AES key, ek, and the sending MAC key, mk, as detailed below.
  • Collects any old MAC keys that were used in previous messages, but will never again be used (because their associated D-H keys are no longer the most recent ones) into a list, oldmackeys.
  • Picks a value of the counter, ctr, so that the triple (keyA, keyB, ctr) is never the same for more than one Data Message Alice sends to Bob.
  • Computes TA = (keyidA, keyidB, next_dh, ctr, AES-CTRek,ctr(msg))
  • Sends Bob TA, MACmk(TA), oldmackeys

Bob:

  • Uses Diffie-Hellman to compute a shared secret from the two keys labelled by keyidA and keyidB, and generates the receiving AES key, ek, and the receiving MAC key, mk, as detailed below. (These will be the same as the keys Alice generated, above.)
  • Uses mk to verify MACmk(TA).
  • Uses ek and ctr to decrypt AES-CTRek,ctr(msg).

Do you like advanced mathematics?

So if it’s just a pre-defined function, surely it can be impersonated?

Socialist Millionaires’ Protocol (SMP)

is one in which two millionaires want to determine if their wealth is equal without disclosing any information about their riches to each other. It is a variant of the Millionaire’s Problem[2][3] whereby two millionaires wish to compare their riches to determine who has the most wealth without disclosing any information about their riches to each other.

Basically, let’s check to see who you are without disclosing information. Another fun example of maths. Assuming that Alice begins the exchange:

Alice:

  1. Picks random exponents a2 and a3
  2. Sends Bob g2a = g1a2 and g3a = g1a3

Bob:

  1. Picks random exponents b2 and b3
  2. Computes g2b = g1b2 and g3b = g1b3
  3. Computes g2 = g2ab2 and g3 = g3ab3
  4. Picks random exponent r
  5. Computes Pb = g3r and Qb = g1r g2y
  6. Sends Alice g2b, g3b, Pb and Qb

Alice:

  1. Computes g2 = g2ba2 and g3 = g3ba3
  2. Picks random exponent s
  3. Computes Pa = g3s and Qa = g1s g2x
  4. Computes Ra = (Qa / Qba3
  5. Sends Bob Pa, Qa and Ra

Bob:

  1. Computes Rb = (Qa / Qbb3
  2. Computes Rab = Rab3
  3. Checks whether Rab == (Pa / Pb)
  4. Sends Alice Rb

Alice:

  1. Computes Rab = Rba3
  2. Checks whether Rab == (Pa / Pb)
  • If everything is done correctly, then Rab should hold the value of (Pa / Pb) times (g2a3b3)(x – y), which means that the test at the end of the protocol will only succeed if x == y. Further, since g2a3b3 is a random number not known to any party, if x is not equal to y, no other information is revealed.

Pretty neat documentation on OTR. Props to them.

Diffie–Hellman key exchange (D–H) – Elaborated for OTR Implementation.

 is a method of securely exchanging cryptographic keys over a public channel

Or as I prefer to explain it:

Diffie helman is a mathematical algorithm to exchange a shared secret between two parties. This shared secret can be used to encrypt messages between these two parties.

This “methodology” (its a protocol) is used to “salt” a passphrase (or key). The following implantation on how it works:

The simplest and the original implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime, and g is a primitive root modulo p. These two values are chosen in this way to ensure that the resulting shared secret can take on any value from 1 to p–1. Here is an example of the protocol, with non-secret values in blue, and secret values in red.

  1. Alice and Bob agree to use a modulus p = 23 and base g = 5 (which is a primitive root modulo 23).
  2. Alice chooses a secret integer a = 6, then sends Bob A = ga mod p
    • A = 56 mod 23 = 8
  3. Bob chooses a secret integer b = 15, then sends Alice B = gb mod p
    • B = 515 mod 23 = 19
  4. Alice computes s = Ba mod p
    • s = 196 mod 23 = 2
  5. Bob computes s = Ab mod p
    • s = 815 mod 23 = 2
  6. Alice and Bob now share a secret (the number 2).

Both Alice and Bob have arrived at the same value s, because, under mod p,

{\displaystyle A^{b}{\bmod {\,}}p=g^{ab}{\bmod {\,}}p=g^{ba}{\bmod {\,}}p=B^{a}{\bmod {\,}}p}

More specifically,

{\displaystyle (g^{a}{\bmod {\,}}p)^{b}{\bmod {\,}}p=(g^{b}{\bmod {\,}}p)^{a}{\bmod {\,}}p}

The following values are then stated:

  • g = public (prime) base, known to Alice, Bob, and Eve. g = 5
  • p = public (prime) modulus, known to Alice, Bob, and Eve. p = 23
  • a = Alice’s private key, known only to Alice. a = 6
  • b = Bob’s private key known only to Bob. b = 15
  • A = Alice’s public key, known to Alice, Bob, and Eve. A = ga mod p = 8
  • B = Bob’s public key, known to Alice, Bob, and Eve. B = gb mod p = 19

hm.PNG

This is literally all available on Wikipedia by the way.

It is imperative to understand that Diffie-Hellman is just a function to compute a shared key, not a full protocol. To actually use it, you need to design a protocol on top of it; OTR actually signs the DH key with its “long term key”.

Perfect Forward Secrecy (PFS)

Again, this is bundled in the OTR implementation. In the simplest form:

PFS is a property of secure communication protocols in which compromise of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of secret keys or passwords. If forward secrecy is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised in the future, even if the adversary actively interfered.

To get a better understanding of this, it can be stated that:

A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm. This means that the compromise of one message cannot compromise others as well, and there is no one secret value whose acquisition would compromise multiple messages.

There are many iterations of this, the current notable method being Double Ratchet.


Basic Understanding = Done.

Now that you’ve got a basic understanding of why it is important to want to encrypt your data, and an example of how this is accomplished, let’s look at your options.

Again this post is about picking an app to secure messaging. It is not intended to go into depth on how encryption works etc.

So, how do we know what to use, and what not to use? Well you could use CryptoCat or an application listed here.

The answer is: whatever application meets your suited requirements. There is no 100% answer to this question.

Personally I use Signal for a few reasons:

  1. It’s easy to tell people to install;
  2. Implements OTR Ratchet;
  3. Curve25519 improvement to D-H and;
  4. It’s just really easy to use.

Thanks!

Make sure you check out my blog post about Fighting For Internet Freedom.

Come visit me on Stack Exchange:


Profile for Michael Nancarrow on Stack Exchange

 

Errors? Typos? More facts needed?

Hyper-Text Markup Language; WYSIWYG.

Today I received the following question:

Hi Michael,

I have a school assignment to make a website about a topic I like, and would like to make a nature website. I am unsure how to code a website and the class isn’t really helpful, could you assist?

Also you’re so cool.

Thanks,
Jamie

I am paraphrasing, of course. I will answer this question, in the most simplistic and non-technical method possible. It’ll section this post into the following segments:

  1. Selecting an IDE;
  2. Confirming what “WYSIWYG” means;
  3. Confirming what “CSS” does and;
  4. Beginning the project.

Selecting Your IDE/Tool

The first thing you’re going to require is a text editor (or an “IDE“). I surmise you’re using Windows, and not Mac OSX (or any other operating system). In my opinion, a good  IDE will do for you:

  1. Will use HTML and CSS Syntax Highlighting;
  2. Will auto-complete (generally using TAB) the command and;
  3. Will “wrap” functions together.

On the other end of the spectrum, a bad IDE will not perform any of these functions. Whilst application such as Notepad, Wordpad and Word could act as a base for your HTML, I would recommend not using these.

To further demonstrate the difference between a good and bad editor; this is a basic text editor (Notepad):

npad

Notepad

There is no syntax highlighting, nor is there tabbed completion. Notepad++ on the other side has these features by default:

npadpp.PNG

Furthermore, Notepad++ takes it further with a tabbed completion function allowing you to see all available commands:

prp

Here is a list of available IDE’s available for free on Windows:

 


What is this “WYSIWYG” term?

What you see is what you get, in its acronymic form WYSIWYG, is defined as:

WYSIWYG (pronounced “wiz-ee-wig”) editor or program is one that allows a developer to see what the end result will look like while the interface or document is being created. – Source

Meaning that every alteration to the underlying HTML or CSS, such as making text bold, should replicate to a “live” view for you.

There are mixed answers on should I use a WYSIWYG editor if I am new to web-design, and my answer is this: if you’re more a visual learner, there is no harm using a WYSIWYG editor as it allows you to both edit code, and (generally) drag the content to suit.

To test this theory, the following “website” was made using the WYSIWYG Web Builder toolkit, and took me less than 2  minutes to perform:

wysiwyg.PNG

The HTML Code to this website can be viewed using the “View Source” option. The following is a snippet defining the Marquee component (the small box under the header):

<marquee direction="left" scrolldelay="90" scrollamount="6" behavior="scroll" loop="0"style="position:absolute;left:148px;top:65px;width:248px;height:38px;z-index:40;" id="Marquee1"><span style="color:#000000;font-family:Arial;font-size:13px;">Go on, it's free.<br></span></marquee>

So as you can see, there are large benefits to using a WYSIWYG editor (due to the lenght of the code), but ensure you understand the code before you rely on an editor.


What are “the basics”?

Before I begin with my own lesson, I will supply some amazing examples for you:

  1. HTML5 Introduction;
  2. HTML Document Tags;
  3. HTML5 Style Guide and Coding Conventions;
  4. HTML5 New Elements and;
  5. HTML Lessons

Now, you should be aware of Cascading Style Sheets (“CSS”);

A cascading style sheet (CSS) is a Web page derived from multiple sources with a defined order of precedence where the definitions of any style element conflict.

Or more simply put, defines tags applied to HTML. So before you begin, I would recommend do some planning on what each page does, and what you want it to look like. When creating a website locally, I like to edit my folder layout to be:

nanky@DESKTOP-52QRCAE:~/documents/website$ ls
/css /docs /images /pages /vid

The reasoning behind this is each folder has a clear purpose:

  • /css – is responsible for the CSS for the website pages;
  • /docs – my documents (more on this just below);
  • /images – is responsible for all the images in the site;
  • /pages – houses the HTML documents and;
  • /vid – for any videos stored on the site.

Documenting the process is very important in any project. Most people use GIT or Google Docs, but a basic Nano document will suffice.

Cascading Style Sheets “CSS”

Without CSS, you will find yourself with a basic ASCII website, with little to no style (not that this isn’t good). Before continuing, we need to have a slight argument:

External style sheet

External style sheets are just that, external to the HTML file and referenced in the code:

<link rel="stylesheet" href="https://www.url.of.housed.content-css">

Therefore allowing the CSS to live externally, and has easier version control.

Internal style sheet

Internal style sheets use the “Style” tag to define the tags, and are situated in the header portion of your HTML.

This is the most convenient method for me, however, has a few issues:

  • Larger HTML files and;
  • Harder to maintain.

Here is an example:

<style>
body {
    background-color: purply-blue;
}

h1 {
    color: grape-flavoured;
    margin-left: 420px;
} 
</style>

Psh… this is the format I traditionally use.

Inline style

Inline style sheets are style tags, in the actual format of the tags. For example”

<h1 style="color:red;margin-left:45px;">My Main Menu Heading</>

This ties the single “H1” tag to have the properties above mentioned. This is useful if you wish to override the default style of the “H1” tag.

The basics of CSS, hit me.

I will not go through all the tags you can use, and all the options for CSS (that would take me weeks of documenting), but I will tell you that there are a plethora of CSS examples online.

For example, let us set a tag for our three headings:

<style>
h1 {
 text-decoration: overline;
}

h2 {
 text-indent: 50px;
 text-decoration: line-through;
}

h3 {
 color: green;
 text-decoration: underline;
}
</style>

Then, we can go ahead and call the code:

<h1> Test </h1>
<h2> Indent! </h2>
<h3> Green! </h3>
h1

Resulting Code

This will apply to every tag defined in the CSS sheet. Let’s take YouTube’s “www-roboto” CSS for example:

@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/WxrXJa0C3KdtC7lMafG4dRTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+0460-052F,U+20B4,U+2DE0-2DFF,U+A640-A69F;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/OpXUqTo0UgQQhGj_SFdLWBTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/1hZf02POANh32k2VkgEoUBTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+1F00-1FFF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/cDKhRaXnQTOVbaoxwdOr9xTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+0370-03FF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/K23cxWVTrIFD6DJsEVi07RTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+0102-0103,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/vSzulfKSK0LLjjfeaxcREhTbgVql8nDJpwnrE27mub0.woff2)format('woff2');unicode-range:U+0100-024F,U+1E00-1EFF,U+20A0-20AB,U+20AD-20CF,U+2C60-2C7F,U+A720-A7FF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:400;src:local('Roboto Italic'),local('Roboto-Italic'),url(//fonts.gstatic.com/s/roboto/v16/vPcynSL0qHq_6dX7lKVByfesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2212,U+2215;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/ek4gzZ-GeXAPcSbHtCeQI_esZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0460-052F,U+20B4,U+2DE0-2DFF,U+A640-A69F;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/mErvLBYg_cXG3rLvUsKT_fesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/-2n2p-_Y08sg57CNWQfKNvesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+1F00-1FFF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/u0TOpm082MNkS5K0Q4rhqvesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0370-03FF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/NdF9MtnOpLzo-noMoG0miPesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0102-0103,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/Fcx7Wwv8OzT71A3E1XOAjvesZW2xOQ-xsNqO47m55DA.woff2)format('woff2');unicode-range:U+0100-024F,U+1E00-1EFF,U+20A0-20AB,U+20AD-20CF,U+2C60-2C7F,U+A720-A7FF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:local('Roboto Regular'),local('Roboto-Regular'),url(//fonts.gstatic.com/s/roboto/v16/CWB0XYA8bzo0kSThX0UTuA.woff2)format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2212,U+2215;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/ZLqKeelYbATG60EpZBSDyxJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+0460-052F,U+20B4,U+2DE0-2DFF,U+A640-A69F;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/oHi30kwQWvpCWqAhzHcCSBJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/rGvHdJnr2l75qb0YND9NyBJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+1F00-1FFF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/mx9Uck6uB63VIKFYnEMXrRJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+0370-03FF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/mbmhprMH69Zi6eEPBYVFhRJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+0102-0103,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/oOeFwZNlrTefzLYmlVV1UBJtnKITppOI_IvcXXDNrsc.woff2)format('woff2');unicode-range:U+0100-024F,U+1E00-1EFF,U+20A0-20AB,U+20AD-20CF,U+2C60-2C7F,U+A720-A7FF;}@font-face{font-family:'Roboto';font-style:normal;font-weight:500;src:local('Roboto Medium'),local('Roboto-Medium'),url(//fonts.gstatic.com/s/roboto/v16/RxZJdnzeo3R5zSexge8UUVtXRa8TVwTICgirnJhmVJw.woff2)format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2212,U+2215;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0TTOQ_MqJVwkKsUn0wKzc2I.woff2)format('woff2');unicode-range:U+0460-052F,U+20B4,U+2DE0-2DFF,U+A640-A69F;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0TUj_cnvWIuuBMVgbX098Mw.woff2)format('woff2');unicode-range:U+0400-045F,U+0490-0491,U+04B0-04B1,U+2116;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0UbcKLIaa1LC45dFaAfauRA.woff2)format('woff2');unicode-range:U+1F00-1FFF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0Wo_sUJ8uO4YLWRInS22T3Y.woff2)format('woff2');unicode-range:U+0370-03FF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0b6up8jxqWt8HVA3mDhkV_0.woff2)format('woff2');unicode-range:U+0102-0103,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0SYE0-AqJ3nfInTTiDXDjU4.woff2)format('woff2');unicode-range:U+0100-024F,U+1E00-1EFF,U+20A0-20AB,U+20AD-20CF,U+2C60-2C7F,U+A720-A7FF;}@font-face{font-family:'Roboto';font-style:italic;font-weight:500;src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v16/OLffGBTaF0XFOW1gnuHF0Y4P5ICox8Kq3LLUNMylGO4.woff2)format('woff2');unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2212,U+2215;}

Far too much data to try and explain on a post – this will all come with time. (Yes I know it is simplistic code for those who know how to do this, that’s not the point).

Here are a few basic reference points you might like:


What is HTML, and how do I use it?

If you are unsure what HTML is (and I’d hope not!) it stands for Hyper Text Markup Language:

Hypertext Markup Language, a standardized system for tagging text files to achieve font, colour, graphic, and hyperlink effects on World Wide Web pages. – Source

Basically, it is the “language” used to interpret websites and render them within browsers.

Hint: On Chrome? Press Ctrl + Shift + J and go to Elements, it will show you live HTML of this blog.

Before diving in, there are a few core statements about HTML:

  • Whenever you <open> a bracket, </close> it. Get it?
  • Try to make the code readable, add comments <! — comment –>

So without further delays, jump in and read the HTML Reference guide.

I will list a few examples of basic codes you will need.

br

The BR tag is a break entry, and allows you to string text across multiple lines:

<p> This is a paragraph. </p>
<p> This is a paragraph, <br>
across multiple lines</p>

b, i and u

Most likely depreciated (Last time I did a website was 4 years ago), these tags format text:

<p style="color:red;margin-left:20px;"> <u>Julie</u>:<b> Michael </b> you're such a <u><i>cool</u></i> dude, <br>
<i> dude.</i>
</p>

See how I added inline styling to the text, as well?

table, tr and td

Editing tables is easy. TR is table tow, and TD is the table cell:

<style>
table, th, td {
 border: 2px solid black;
}
</style>
</head>
<body>
<table>
 <caption>Should we eat cookies?</caption>
 <tr>
 <th>Yes</th>
 <th>Then eat</th>
 </tr>
 <tr>
 <td>No?</td>
 <td>Don't touch</td>
 </tr>
 <tr>
 <td>Hell Yeah</td>
 <td>Eat them all!</td>
 </tr>
</table>
</body>

Note the “caption” tag adds a title to your table, should you wish it!

PHP? XML? Javascript?

Do not even concern yourself with this at present. If you’re really interested in learning, this is something you should pursue.


To summarise Jamie (and I apologise, this is not my best writing at 2am, but it’s the only time I had free), get yourself a good IDE tool (Brackets!) to make yourself familiar with syntax (it really helps highlight when you’ve not closed a tag correctly!) and tags.

Then, draw out how you want the website to look. Perhaps try using a WYSIWYG Editor and deconstruct the code to get an understanding of it.

Lastly, please use external CSS sheets in the beginning, and don’t go too complex. If you’re up late at night coding, always use the <!— This code does this —> command to ensure tomorrow, you remember what it is.

There are a plethora of tools out there to help you, from Videos to tutorials online, so have patience and catch up. Do your CSS first, set the ground before the building. If you get stuck, reach back out to me.

 

For others who want more explicit information on a topic (I am happy to expand this post if you really want), or corrections, use the following form:

Cloud Services, please encrypt locally beforehand.

I know that I made a post outlining why local backups aren’t for me, but they sort of are. The entire concept of “the cloud” can be rather complex, or simple, depending on how much you want to think about it – but in summary, it is defined as:

cloud service is any service made available to users on demand via the Internet from a cloud computing provider’s servers as opposed to being provided from a company’s own on-premises servers.

Storing items such as entire servers on AWS infrastructure, to personal data in a personal cloud storage service have all become popular in 2017 – even though a number of reputable cloud services have been compromised recently.

So, why? To many, it’s a simple method of storing data to be accessed via multiple devices, and is a form of “data backup”. Poppycock!

In this post I will briefly touch on some popular cloud providers, and some basic steps to secure your personal data.

Known Cloud Services Providers

Continue reading

Backups and Me Don’t Mesh. Here’s why.

It goes without saying, the content stored on most users computers (that is, in the user directory) is important, regardless the content. That’s why it is imperative to have frequent backups of the data should something occur, such as Crypto.

Nowadays, there is a plethora of cloud services readily available to store your data in “the cloud“, free of any dangers – or so they say. But does that mean the era of local backups redundant? No! You should still take action to secure the integrity of your data locally should there be any issues.

Continue reading

RansomeWare, oh the joys it brings.

RansomeWare has been on an upward trend, notably so in Quarter 3 and 4 of 2016. The main targets shifted from phishing links with a drop of 50% (Source: Proofpoint) to RDP. According to Webroot, two thirds (66%) of Ransomeware Infections in Q1 2017 where delivered by RDP.

For those who are unfamiliar with the term, Ransomeware can be summarised as:

Ransomware is a type of malicious software that blocks access to the victim’s data or threatens to publish or delete it until a ransom is paid.

Source: RansomeWare – Wikipedia

However, RansomeWare is categorised  as a form of cryptoviral extortion; it is an act of CryptovirologyMoti Young published his findings of cryptoviral extortion (Cited entries can be read here) where the process was further discussed in 3 key phases:

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with his private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext to the attacker (the asymmetric ciphertext).

 

Looking at the latest WannaCry breakout, the process can be defined as the following 5 steps:

Trend Micro – WannaCry Blog Post

The process adopted here follows the ruleset of Moti’s assumption, whilst also leveraging SMB faults to spread through networks.

Further investigation on this fault will be documented at a later stage.

On a side note, WannaKey? This tool may help recover WannaCry files.

Continue reading