cedric's bazaar - security

authentication

anonymous@undisclosed.example.com (Anonymous) — Wed, 06 Jul 2016 06:16:19 +0000

Management of password

Password Safe
pass (my choice).

Do not store passwords in the browser or on Internet.

pass can also generate passwords (with pwgen). Do not hesitate to generate strong passwords for each services you are using, since you won't need to remember them.

With pass the passwords store can be a git repository, consequently it is possible synchronizes your passwords between different computers.

Two Factor Authentication (2FA)

Different methods:

One Time Password (OTP): by SMS, with Google Authenticator or backup codes;
specific application on your smarthpone or watch;
YubiKey (my choice).

With the YubiKey you will be able to:

use the 2FA with services such as Google, GitLab, GitHub, Bitbucket, Dropbox;
generate One Time Password;
unlock your smartphone;
upload your GPG private key on it and then for example to protect your passwords store (pass uses GPG for the encryption).

cryptography

anonymous@undisclosed.example.com (Anonymous) — Mon, 04 Mar 2013 13:18:41 +0000

Asymmetric-key cryptosystems

Primality tests

Fermat primality test

Miller-Rabin primality test

Jacobi primality test

Symmetric-key cryptosystems

security, cryptography

privacy

anonymous@undisclosed.example.com (Anonymous) — Fri, 24 Nov 2017 21:52:49 +0000

Web

Browser

Your browser is the first exposed.

use Firefox or Iceweasel and check that it is always up to date (with the extensions and plugins);
add DuckDuckGo HTML and/or Startpage to your list of search engines;
Extensions:
- HTTPS Everywhere;
- Privacy Badger;
- uBlock Origin;
- uMatrix;
- FoxyProxy.
configurations in about:config with the file user.js:
Firefox preferences:
- in the privacy tab precise that you do not want to be tracked by sites;
- do not accept cookies from sites and allow (for session only) sites you trust ( example);
install Tor/Privoxy and use FoxyProxy to switch faster between Tor and the “no proxy” mode;
do not use Tor without HTTPS on sensible sites;
avoid using Google DNS (even if they are fast and reliable). Prefer French Data Network DNS resolvers (80.67.169.12, 80.67.169.40).

Another good solution is to use the Tor Browser which is based on Firefox and pre-configured with the best settings for your privacy and uses the Tor network by default. No technical knowledge is required.

If you are using a public computer I recommend you Tails.

Firefox preferences

User preferences

Privacy

Browsing advices

check for the “lock” icon on the status bar (depends on the browser) that shows that you are on a secured web site. Also check that the URL begins with “https” in the location bar when making transactions online;
always check the URL before clicking on a link;
phishing:
- use the navigation bar history to prevent malicious URL;
- check that your browser is able to automatically fill in login forms with your information;

Social networking

limit the usage of social networking services;
check your public identity, for example by searching your name in Google (you can use Google Alerts or a script you wrote);
disable Google search history and Google location history;
when possible, use two-factor authentication (possible with Google and Github for instance);
do not log into private services on public computers;
do not hook all your online services together;
do not share your phone's location data;
do not upload geotagged photos in the region your living (check the configuration of your smartphone and/or tablet);
do not allow people to tag your face;
do not share your Likes, +1s or whish lists. Prefer the use of bookmarks;

Email

ensure that after a POP the fetched messages have been removed from the server;
when possible uses GnuPG to encrypt (and sign) your emails;
consider the use of alternatives like Bitmessage;

Instant messaging

Alternatives to well known spied systems:

DukGo or another Jabber/XMPP service. Use Off-the-Record (OTR), easy with Pidgin or Kopete;
a worth watching project: TIMB;
another interesting project: Ricochet;
IRC.

System

Of course, this list is not exhaustive.

/etc/hosts

The content of my /etc/hosts file is based on this very good example.

DNS

Choose the Domain Name Server you want to use.

Solution 1

Probably the best solution. Lets you add your DNS servers with a higher priority than the DNS servers provided by the DHCP.

resolvconf is a set of scripts and hooks managing DNS resolution.
The configuration of the internet connection is specified in the file /etc/resolvconf. It is possible to edit this file, but any change manually done will be lost as it gets overwritten next time something triggers resolvconf.
A solution is to use the file /etc/resolvconf/resolv.conf.d/head in order to ensure a DNS server is always the first one in the list.

# apt-get install resolvconf
 
# cat /etc/resolvconf/resolv.conf.d/head
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# French Data Network DNS resolvers
nameserver 80.67.169.12
nameserver 80.67.169.40
 
# resolvconf -u

Solution 2

If your interface is configured statically then you can change your DNS by this manner:

# vim /etc/network/interfaces

Add this section:

iface eth0 inet static
address 192.168.1.11
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 80.67.169.12 80.67.169.40

Restart the interface and check:

# ifdown eth0
# ifup eth0
# exit
$ nslookup cedricbonhomme.org
Server:         80.67.169.40
Address:        80.67.169.40#53

An alternative is to use the NetworkManager.

Services providers

bring a special care to the choice of service providers you use. For example if your country is under surveillance (like France), avoid as much as possible services from this country (Orange, SFR, etc.). A good idea is to configure Tor in order to never use an exit node in this country;

steganography

anonymous@undisclosed.example.com (Anonymous) — Sat, 26 Jun 2021 22:36:39 +0000

Installation of Stegano

For the examples you need to install Stegano.

sudo pip install Stegano

You can read the documentation of Stegano (included in the sources).

Steganography

Steganography is the art and science of writing hidden messages.

Some steganography techniques:

Physical steganography;
Digital steganography;
Network steganography;
Printed steganography.

We will dive into digital steganography.

The following sections will present some techniques of digital steganography.

Simple steganography art

In computer science a well known method of hiding data (message) is to concatenate these data to an archive. For example, if I want to hide a text file in a music file:

$ zip text-to-hide.zip text-to-hide.txt
$ cat Stop_And_Stare.ogg test-to-hide.zip > OneRepublic_-_Stop_And_Stare-1.ogg

Now you can still listen the song. If you want to recover the text, you just have to unzip the song.

Using the red portion of a pixel

An other simple method is to use the red portion of a pixel to hide ASCII messages.

For example the pixel P1 = (R, G, B) will become P1' = (ord(ascii_character), G, B).
We are working at the byte level.

Simple example of implementation

def hide(img, message):
    """
    Hide a message (string) in an image.
 
    Use the red portion of a pixel (r, g, b) tuple to
    hide the message string characters as ASCII values.
    The red value of the first pixel is used for length of string.
    """
    length = len(message)
    # Limit length of message to 255
    if length > 255:
        return False
    # Use a copy of image to hide the text in
    encoded = img.copy()
    width, height = img.size
    index = 0
    for row in range(height):
        for col in range(width):
            (r, g, b) = img.getpixel((col, row))
            # first value is length of message
            if row == 0 and col == 0 and index < length:
                asc = length
            elif index <= length:
                c = message[index -1]
                asc = ord(c)
            else:
                asc = r
            encoded.putpixel((col, row), (asc, g , b))
            index += 1
    return encoded

Least Significant Bit method

The least significant bit (lsb) is the bit position in a binary integer giving the units value, that is, determining whether the number is even or odd. The lsb is sometimes referred to as the right-most bit, due to the convention in positional notation of writing less significant digits further to the right. It is analogous to the least significant digit of a decimal integer, which is the digit in the ones (right-most) position.

The data are inserted in place of the less significant bit. For each RGB component there are 256 possible values and we vary only the least significant bit. Consequently the LSB technique has a very little impact on the colour of the pixel.

For example the pixel P1 = (R, G, B) = (00000000, 00000001, 00000000) will become P1' = (R, G, B) = (00000001, 00000000, 00000001)
We are working at the bit level.

Simple example of implementation

def hide(img, message):
    """
    Hide a message (string) in an image with the
    LSB (Least Significant Bit) technique.
    """
    encoded = img.copy()
    width, height = img.size
    index = 0
 
    message = message + '~~~'
    message_bits = "".join(tools.a2bits_list(message))
 
    npixels = width * height
    if len(message_bits) > npixels * 3:
        return """Too long message (%s > %s).""" % (len(message_bits), npixels * 3)
 
    for row in xrange(height):
        for col in xrange(width):
 
            if index + 3 <= len(message_bits) :
 
                # Get the colour component.
                (r, g, b) = img.getpixel((col, row))
 
                # Change the Least Significant Bit of each colour component.
                r = tools.setlsb(r, message_bits[index])
                g = tools.setlsb(g, message_bits[index+1])
                b = tools.setlsb(b, message_bits[index+2])
 
                # Save the new pixel
                encoded.putpixel((col, row), (r, g , b))
 
            index += 3
 
    return encoded

This is a very simple example showing how to hide a string in an image with the LSB method.

Steganalysis

Steganalysis of the LSB method

Below the original image and the steganalysed one.

Below the same image with a hidden text and its steganalysis.

This technique simply consist to replace odd components by 255 and even number by 0. This means that the pixel (132, 247, 123) become (0, 255, 255).

Steganalysis of the LSB method with sets

You must install Stegano before running these commands.

First, we will hide a message in a picture with the simple LSB method and with the LSB method + sets.

$ cd stegano
 
# LSB with The Eratosthenes set
$ slsb-set --hide -i ./examples/pictures/Montenach.png -o ~/Montenach-enc-gen.png --generator eratosthenes -f ./examples/lorem_ipsum.txt
 
# LSB only
$ slsb --hide -i ./examples/pictures/Montenach.png -o ~/Montenach-enc.png  -f ../examples/lorem_ipsum.txt

The selected generator Sieve of Eratosthenes (–generator eratosthenes) will generate the set of points. This set of points will be used in order to select the pixels where the informations will be hidden.

The following will generate the corresponding steganalysed pictures (left column):

# Steganalysis of the original image
$ steganalysis-parity -i ../examples/pictures/Montenach.png -o ~/Montenach-steg.png 
 
# Steganalysis of the image with hidden text (LSB only)
$ steganalysis-parity -i ~/Montenach-enc.png -o ~/Montenach-enc-steg.png 
 
# Steganalysis of the image with hidden text (LSB + Eratosthenes)
$ steganalysis-parity -i ~/Montenach-enc-gen.png -o ~/Montenach-enc-gen-steg.png

Compare the pictures 1 and 2 and compare the pictures 1 and 3, left column.

Reveal the message

$ slsb-set --reveal --generator eratosthenes -i ~/Montenach-enc-gen.png -b ~/file-gen.txt
$ slsb --reveal  -i ~/Montenach-enc.png -b ~/file.txt
$ cmp ~/file-gen.txt ~/file.txt 
$ cat ~/file.txt 
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nam placerat fermentum
lorem, at porttitor metus congue eu. Mauris vitae tell
.
.
.
$ slsb-set --reveal --generator fermat -i ~/Montenach-enc-gen.png -b ~/file.txt
Impossible to detect message.
 
$ slsb-set --reveal --generator mersenne -i ~/Montenach-enc-gen.png -b ~/file.txt
Impossible to detect message.

Bibliography

security, steganography, python

tools

anonymous@undisclosed.example.com (Anonymous) — Sat, 26 Jun 2021 22:47:06 +0000

Useful tools you really need on your computer:

pass
2FA
GnuPG
Emacs

Useful applications for your Android smartphone;

Signal
Orbot
Element