How to create a Ubuntu Desktop on Azure

We have multiple Linux offerings on Azure for the server but none for the desktop. How can we build one hassle-free?

Photo by XPS on Unsplash

Azure offers a variety of Linux servers including RHEL, CentOS, Debian and Ubuntu. But no desktop. As developers, it would be nice to have access to a development VM on the cloud with a GUI and software like Visual Studio Code and Chrome.

On this post, let's see how to install the necessary software to transform an Ubuntu server into a functional Ubuntu desktop including the necessary procedures to RDP into it from Windows, Mac and Linux.

What we will do

On this tutorial we will install the following tools:

• LXDE, a lightweight desktop manager so we can interact with our VM using a GUI.
• Xrdp  - to connect to it remotely using RDP.
• A browser - Chromium or Firefox from the default repos.
• Command line tools of your choice. I like having tmux, git, Vim and Ranger.

If you need Visual Studio Code, please follow this tutorial.

Creating the Instance

The base image for our desktop will be Ubuntu Server 18.04 LTS. As this is a server image, it doesn't contain a GUI. We will install it ourselves as long as a browser and a tool to connect remotely via RDP. By default we can connect to it via SSH using our WSL or Putty. In Azure, click "Create a Resource" then select Ubuntu Server 18.04 LTS.

When this post was created 18.04 was the last LTS but now we have 20.04. Feel free to use it if you prefer. The steps are exactly the same!

Configuring the VM

Now let's configure the VM. Here we will set the username, password, VM name, resource group, region, etc that are adequate to you. For example, my configuration is show below:

Setting up Disks

The next step is disk setup. I selected Premium SSD with 10GB as seen below:

Setting up the Network

For the network interface, I created a new VNet/Subnet and requested a new IP. Note that the IP will only be available to us after creation. You also need to open inbound ports for SSH (22) and RDP (3389) as we'll need them later to access our instance remotely later: 

Review and Create

Review and if everything's correct, click on Create to proceed:

After a couple of minutes the instance should be created and running.

Connecting to our Instance

Once our instance is deployed, let's connect to it. Depending on how you configured during creation, it can be accessed via username/password or via SSH. You should use Azure's overview window to get important information as IP address and username.

To access it, click the Connect tab from where you should see:

Because I configured ssh and uploaded my ssh key, I simply have to open my WSL and enter the following command:

# connect to my remote server using ssh
ssh bruno@<my-ip>

This is the output of my first connection to that VM:

If you chose to provide an username/password during creation, you're still good to connect via SSH. The only difference is that you'll have to provide your password upon connection.

Diagnosing Connection Issues

If for some reason you get:

ssh: connect to host 13.66.228.253 port 22: Resource temporarily unavailable

it's because the port 22 (SSH) is not open for connection externally. And that's a good thing! It pretty much tells us that our connection is being blocked by a firewall. By default in Azure, VMs are wrapped into a Network Service Group (NSG) which is an extra layer of protection to our cloud artifacts. It basically provides full control over traffic that ingresses or egresses a virtual machine in a VNet.

In order to expose that port, click on the Networking tab to change the inbound rules:

To add a new one, we click the Add inbound port rule button and enter the rule as below:

Security Considerations

Please note that it's recommended that you only expose ports that are essentially necessary to to security threats. In our example, we should only expose ports 22 (SSH) and 3389 (RDP). It's also recommended to configure your NSG to restrict access to your IP only.

Once that's done, try to connect again with:

# connect to my remote server using SSH
ssh bruno@<my-ip>

Installing the Required Tools

With the VM up and running and with SSH access to it, it's time to install the required tools to make our server more user friendly. Remember, we'll have to install a desktop manager, some CLI tools and Firefox.

Updating the system

The first thing to do should be updating the system and the list of packages available to your Ubuntu instance with:

# Updating the package Sources
sudo apt update && sudo apt upgrade -y

Installing the CLI tools

The next step is to install useful CLI tools to work (some of them are already pre-installed with the Azure/Ubuntu image):

# install basic terminal tools
sudo apt install tmux git ranger vim

Installing LXDE

Now, let's install our desktop (LXDE). The good news is that Canonical, the good folks behind Ubuntu, already provide a metapackage called lubuntu-desktop that contains not only LXDE but Firefox and other very useful GNOME tools. We install it using the following command:

sudo apt install lubuntu-desktop -y

Please note that this installation take a while as ~2GB of files have to be downloaded and installed on your server.

Setting up Xrdp

The last and final step is to install Xrdp. As previously mentioned, this tool is required to connect to our instance using RDP. This installation downloads ~8Mb and runs very quickly after the above commands. Type the following on the shell:

# install xrdp
sudo apt install xrdp -y

Next step is to start the xrdp service so we can connect to it via RDP.

# start the xrdp service
sudo systemctl start xrdp

Connecting via RDP

All should be good to go now so let's try to connect to our machine. Simply enter the IP address on the RDP information and hit connect. On mine, I got the prompt:

Note that if when creating your VM on Azure you selected SSH, you have to setup a new password for your user. This is done with:

# setting up a new password for our user
sudo passwd bruno

LXDE 

If you enter your password correctly, you should login to your LXDE session. This is my awesome LXDE session running on Azure. By clicking on the blue icon above you'll have access to all the software included with the metapackage:

Persisting Changes

What happens after a reboot? Will the VM still run Xrdp? No. Unless we make the service permanent. If that's what you want, do that by running the below command on the terminal:

# permanently enable the Xrdp service during boot
sudo systemctl enable xrdp

Final Thoughts

The cloud is an awesome environment to test new things out. On this example I used Azure but you could reproduce pretty much everything here on your cloud provider of choice. It's also important to remember that two of the most fundamental aspects of a Linux system are customization and extensibility. So, installing/changing a GUI, trying out different software, adding/removing repos, etc should be simple on the cloud as is on a local VM. And that shouldn't prevent us from being creative and using our imagination.

I encourage you to play with Azure or your preferred cloud provider and experiment not only with a Ubuntu Linux VM but other operating systems. It's all a few clicks away and a fantastic learning experience!

References

• LXDE
• lubuntu-desktop
• Ubuntu Metapackages 
• Network Service Groups (NSG)
• Azure - Available disk types
• Azure - VMs Types and Sizes

See Also

• My journey to 1 million articles read
• 20 tips to manage Linux VMs on Azure
• How to create a CentOS VM on Azure
• Why I use Fedora Linux
• How I fell in love with i3
• 5 tools for Azure Development on Linux 
• Windows Subsystem for Linux, the best way to learn Linux on Windows

Integrated security vulnerability alerts on GitHub - Why it matters

How GitHub's integrated security vulnerabilities could help developers using the platform?

Last week during GitHub Universe 2018, GitHub announced support for security vulnerability alerts for Java and .NET platforms. It's a significant contribution for the .Net and Java communities on GitHub because it simplifies, clarifies and alerts organizations and project owners about vulnerabilities on dependencies used on their code base.

Sounds complicated? Let's review what the announcement says:

With security vulnerability alerts, organization owners and repository admins receive a notification when any of their projects has a dependency with a known vulnerability.

How it works

By tracking public vulnerabilities in packages from supported languages on MITRE's Common Vulnerabilities and Exposures (CVE) List, GitHub notifies repo owners and alerts them of the risk.  By default, security alerts will be sent to owners and people with admin access in the affected repositories.

Apart from alerts, you should also see on your dashboard something like the below on the Insights tab, Alerts navigation menu of your GitHub repository:

GitHub now alerts about public vulnerabilities on your project

Apart from the above, other nice additions were added:

• You will get weekly emails summarizing security alerts for up to 10 of your repositories
• Most of that is configurable within GitHub
• Works for both public and private repos
• More importantly, GitHub never publicly discloses identified vulnerabilities for any repository.

Fixing the vulnerability

But knowing of potential vulnerabilities is just the first step. The next step is to address the issue and update the packages. Since .Net users usually update their packages using the Nuget package manager with packages located on Nuget.org, let's look at a concrete example: how to fix a recent vulnerability on Microsoft.Data.OData.

Microsoft.Data.OData is a very popular package. With 33+ Million downloads, it's being used in multiple 3rd party packages and probably you're using it on your projects too. Here's what I see on Nuget.org:

According to GitHub, CVE-2018-8269 was opened just last month and includes a vulnerability on every version < 5.8.4. Here's what the issue says:

A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.

So let's update the dependency and patch the vulnerability.

Updating Microsoft.Data.OData

As you know, the update of a package can be done in multiple ways. Using Visual Studio or from the command line with:

Using the Package Manager:
Install-Package Microsoft.Data.OData -Version 5.8.4

Using the .NET CLI:
dotnet add package Microsoft.Data.OData --version 5.8.4

Once you've done that, rebuilt and redeployed, you're protected from CVE-2018-8269 at least =) .

Conclusion

Bugs security issues are always being found and fixed on libraries that we use. Reason why we should always try to keep our packages up to date.

But it's not trivial to scan all packages we use against the CVE database. Note that the CVE above does not state which version it applies to. Imagine how difficult and time-consuming it would be monitoring all the dependency chain ourselves. That's why this service from GitHub is very much appreciated!

Let's leverage this very useful feature for our benefit and keep our code secure.

And please, spread the word!

References

• GitHub - Developers at the center of the universe
• GitHub - About security alerts for vulnerable dependencies
• MITRE's Common Vulnerabilities and Exposures (CVE) List
• Common Vulnerability Scoring System v3.0

See Also

• My journey to 1 million articles read
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Securing our front-end
• How to create stronger passwords
• Integrated security vulnerability alerts on GitHub - Why it matters

Why you should consider using 1Password

Using an online password manager has its advantages. Let's review them.

This is a very good week for 1Password users. AgileBits reports that they have integrated the 1Password online password manager with Troy Hunt's Have I Been Pwned? (HIBP) service. I mentioned Troy in this blog a couple times and I always point his blog and his HIBP service here and to people who are somehow interested in their security online.

Have I Been Pwned?

HIBP allows you to search from 500 million passwords collected from various data breaches. Checking your passwords against this list is crucial to keep your data safe. Apart from passwords, ut can also check if your email account, a website you use or a domain has been compromised in a data breach. And there's a lot of data there. We're talking about half a billion leaked passwords.

So, HIBP has my password. Does it mean I was hacked?

Not necessarily. If it's a common password, maybe it was being used by someone else. If it was a complex one, probably.

HIBP tells me my email address has leaked, was I hacked?

Also not necessarily. But unfortunately, it's highly probable that your email is already in the hands of spammers.

Is it safe? 

Well, if Troy with all his expertise in the field cannot be trusted, who else can? Also, AgileBits and lots of other people use his services. Don't see why we shouldn't. For more info, check this FAQ.

Are my passwords kept secret?

Yes. HIBP doesn't have access to your password. Here's what AgileBits reported:

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash. To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

If my passwords wasn't leaked, am I safe?

No. This is only a dataset of know breaches. Obviously there's way more circulating out there that neither Troy nor other researches have yet reported. Also, don't forget that a website you use may yet be exposed to a security breach meaning that your credentials can be leaked in the future. As a suggestion, keep returning to the site to make sure that your account hasn't leaked. You can also use the NotifyMe feature or even the RSS feed.

How does it work?

If you want to learn more, the video below shows how the feature works.

Benefit for 1Password users

This integration is immensely beneficial for 1Password users and I would be very happy to see more integration with HIBP. Basically because the service will notify you upfront that you're using a weak password.

Conclusion

This is a very welcome feature to 1Password and I sincerely hope that more websites integrate with that tool. I also urge you to start using that service or any tool that generates more secure password. In the meantime, let's all thank Troy for his awesome work, shall we?

References

• 1Password online password manager
• Troy Hunt
• Have I Been Pwned

See Also

• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Integrated security vulnerability alerts on GitHub - Why it matters

For more posts about Security on this blog, please click here.

Have I Been Pwned? Website

Read more at MobileSyrup.com: Canadian 1Password integrates ‘Pwned Passwords V2,’ now checks against 500 million passwords

Have I Been Pwned? Website

Read more at MobileSyrup.com: Canadian 1Password integrates ‘Pwned Passwords V2,’ now checks against 500 million passwords

---

[Update June 16th, 2020]: Good news! Dropbox also released its password manager!

About the Freedom Mobile Hack

It seems that everyday some company is hacked (for the same reasons). Let's see why.

Mobile syrup reported in 2018 that an anonymous hacker posted a very detailed post on Freedom Mobile's subreddit about how they managed to access customer sensitive data on FreedomMobile.ca. While this wasn't confirmed, let's stop and evaluate certain aspects of the hack from different sources.

The Code

According to the report, the hacker mentioned it only took them 23 lines of code.. While anyone can guarantee this source is reliable, depending on how it was implemented, it indeed may have been possible to build a simple python script to perform username enumeration and password bruteforcing if the necessary prevention mechanism isn't in place.

The Login Widget

I inspected the code as soon as the news was out and collected some data. On Feb 15, 2018, the login screen just after the news offered that apart from username/password, we can also login using Phone number / PIN. If you were the hacker, which login you think would be easier to guess? A password (that can be anything) or a PIN composed of 4 numeric chars? 😉

Reviewing the Phone Number widget

I'm interested about this Phone number / PIN thing because PINs are usually simple and often are used to access your device from the phone. So, they should be numerical. Let's see what the source tells us:

From the screenshot we see that:

• they're using Angular which has its flaws. Are they running the latest version?
• some validations happen in the front-end (I hope they revalidate in the the web server);
• that specific validation is done using Regex (pinRegEx).
• the min/max length: 4 chars (see the red box on the right there);
• the "PIN not valid" on the left shows up for non-numeric chars;

Estimating the Complexity

So, a mobile number and 4 numeric chars. How complex can that be?

• mobile numbers are public.
• PIN requires 4 numeric characters = 10 ^ 4 or 10,000 combinations

Brute Force

So, knowing your phone number, it takes the hacker, on the worst case, only 10,000 guesses. And it can get better. For example, if your pin were 1220 (Dec, 20) it would have taken me 10% of the time to guess your password.

Username Enumeration

The above has nothing of fancy, complex or undocumented. In fact, username enumeration and password bruteforcing are present in OWASP's CSRF Prevention guide and are part of OWASP's top 10 web application risks.

The hacker confirms it:

Source: https://mobilesyrup.com/2018/02/12/freedom-mobile-security-breach/

No brute force prevention

Sight. No brute force prevention. No account lockout? No MFA? No alerts. Probably not. Worse, the company ignores the issue, states the corporate jargon and returns the responsibility to users (as if a system based on 4 digit numeric PINs, no bruteforce or password enumeration prevention were secure enough):

“We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information. (...) meeting customer demands for a resonable login process.”

Shared Responsibility

Before we wrap up, there are two more things about this hack that are worth questioning:

• who's responsible the decision to simplify the login by using the phone/PIN widget?
• who's responsible for not preventing brute force without any lockout mechanism or alert on the login operation?

While I don't want to discuss who's responsible for what, I don't see the developers deciding how people should perform the login on the company's website. Certainly the ability to brute force such a crucial aspect of the application was missed or ignored by the business. It's definitely a shared responsibility.

Conclusion

So, even if we assume that the hack didn't happen, 10k combinations without any prevention against CSRF, username enumeration and/or password bruteforcing is not acceptable. Everyone loses when companies try to simplify security aspects for its users but do it wrong ignoring the most critical web application security risks. In time, if you haven't read yet, check OWASP's CSRF Prevention guide.

References

• MobileSyrup.com - Hacker uncovers Freedom Mobile customer login vulnerability
• Reddit - /r/freedommobile security Breach

See Also

• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Integrated security vulnerability alerts on GitHub - Why it matters

For more posts about Security on this blog, please click here.

Web Development best practices: 9 tips for stronger passwords

Stronger passwords are a good practice to make our own systems secure. Let's see 9 tips to keep safe.

We already discussed how to secure our front-end and how to create stronger passwords for ourselves. On this post, I will approach how we, developers, can make integrate those concepts in our applications to reduce the risks of our users' accounts being hacked due to weak passwords.

Tip 1 - Expect stronger passwords

It is time applications start demanding stronger passwords from their users and inform them on how secure is their password (more on that later). So, when accepting user-entered passwords, if you don't mind, I will repeat what was written before on this blog removing what's not applicable:

• Use passwords with at least 8 characters;
• At least one number, 1 capital letter, 1 lowercase letter, 1 non-alpha character;
• Use complex passwords that include numbers, symbols, and punctuation;
• Use a variety of passwords for different accounts or roles;
• Do not allow dictionary words as passwords, e.g. apple;
• Do not allow sequences of characters, e.g. 3333, abcdabcd;
• Do not allow personal information in passwords, e.g. your birthdate;
• Do not allow setting the password as the associated service, e.g. Gm@il or Dropbox123;
• Combinations of those above;

Tip 2 - Have a password and confirm password box

This is somehow trival. We don't want users entering a password they don't remember. So, ideally, we should have a Password / Confirm password section when creating an account.

Tip 3 - Provide feedback on how strong the entered password is

Once all information entered, please provide a feedback to the user regarding how safe is her password. For example, KeePass provides us this input:

Source: KeePass

And Twitter:

Source: twitter.com

Tip 4 - Recycle passwords

Yes, ideally we want users to change passwords every X days. I don't see that feature on most of the sites but it would be good to start having that featured enabled by default on websites so that rists on data leaks is automatically reduced. Outlook.com has that nice feature:

Tip 5 - Enable MFA

Multi-factor authentication greatly helps securing accounts. We already discussed that on a previous post. Enabling something for your app may not be complicated and assuming you don't want / can't use SMS, you could use a secondary email address for example. For example, this is Gmail's MFA:

Source: gmail.com

Tip 6 - Avoid Leaking Information

This should be common sense already but unfortunately it isn't. Web applications are still leaking a lot of information. For example, password hints usually allow:

How strong is that hint?

In case you have to have this feature, prefer to present options to the user in a dropdown as opposed to allowing him intering his own. Users are not good at creativity and usually provide very easily guessable password hints as:

Other approaches should suffice in order to not have a password hint:

• allow different recovery options, such as reset tokens sent to secondary e-mails;
• avoid password hint and just provide a safe forgot password service;

Tip 7 - Validate if password has been exposed

Troy Hunt's Have I been pwned? service provides a very interesting functionality: a database with X records that you can check against to validate if a used password.

Tip 8 - If possible, generate a strong password for your users

I know, this is controversial but how else can we go to make our users create strong passwords? Will they have creativity to respect all those constraints? Will they even be able to remember those passwords? Why not have a password generation built into our site to allow the creation of strong passwords for them?

Tip 9 - Test how secure is a password is

We can always use tools to inform us how secure our password ares. When online, we have how secure is my password. Or even better, why not integrate our application with such a service?

Conclusion

On this post I presented multiple tips to use withing your application or recommend a product or service you like to add. Bring these discussions to your team. And why not do like GitHub and integrate security breaches into your application for the benefit of your users.

References

• Troy Hunt - Password managers don't have to be perfect

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Securing our front-end
• How to create stronger passwords
• Integrated security vulnerability alerts on GitHub - Why it matters
• Send emails from ASP.NET Core websites using SendGrid and Azure
• Creating ASP.NET Core websites with Docker

ASP.NET - How to allow anonymous requests on secure endpoints

How to allow unauthenticated requests on authorized endpoints using ASP.NET? Let's take a look.

Photo by Philipp Katzenberger on Unsplash

In a previous article, I described how to extend the ASP.NET pipeline with custom security. Turns out that certain endpoints were still required to operated unauthenticated. How do we allow those requests to be processed? The solution relies on:

1. Decorating the security attribute with the AllowAnonymous as discussed on the previous post.
2. Detecting the current request is an ActionExecutingContext and allowing the request to proceed conditionally.

Let's see how we can write a custom RequirePermission attribute to solve that problem.

Writing a custom ActionFilter Attribute

Writing a custom ActionFilter attribute isn't complicated. Here's one code that demonstrates how to do that elegantly:

Using the Attribute

Next, we ca use our attribute to decorate our actions so it runs as soon as our endpoint is hit:

Conclusion

This was a quick post extending the previous discussion on how to implement custom action filters to have a better control over the requests agains our application. On this post I explained how you could intercept requests on your application and react to them using these attributes. For a complete understanding of the project, please the original discussion

See Also

• My journey to 1 million articles read
• Adding Application Insights telemetry to your ASP.NET Core website
• Send emails from ASP.NET Core websites using SendGrid and Azure
• Creating ASP.NET Core websites with Docker
• Building a custom security framework with ASP.NET applications 
• Hosting NuGet packages on GitHub
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Integrated security vulnerability alerts on GitHub - Why it matters
• Building and Running ASP.NET Core apps on Linux 

How and why use stronger passwords

The number of online attacks increases and weak passwords is one of the main reasons. Learn how to create stronger passwords and be safer online.

Passwords are probably the most sensible aspect of our lives today. With more and more leaks happening every day, it's strongly recommended to start thinking about stronger passwords for our personal online accounts and our applications. So how can we leverage existing tools in a non-complex way to enhance our online protection?

Let's take a look.

What you should do

Let's start with simple basic tips for everyone. For starters, this is what we should be doing:

• Using passwords with at least 8 characters;
• Using complex passwords that include numbers, symbols, and punctuation;
• Using a variety of passwords for different accounts or roles;
• Using a secure password tool;

What you should not do

It's also important to remember what we should not do. For example, below I list somethings we should not be doing:

• using dictionary words as passwords, e.g. apple, cat, Raptors, etc;
• use sequences of characters, e.g. 3333, abcdabcd;
• use personal information in passwords, e.g. your birthdate;
• reutilize passwords;
• avoid setting the password as the associated service, e.g. Gm@il or Dropbox123;
• combinations of those above;

Other interesting tips to increase our protection are:

• Avoid storing passwords on devices that you take out of home;
• Use a password manager to securely keep track of your passwords (see the section below);
• Setup MFA/2FA when available (see the section below);
• Use a secure password generator to generate stronger passwords (see the section below);
• Never remember a password!

Use Password Managers

While the  above tips are good to start and have in mind, let's now see concrete examples in how we can increase the complexity of our passwords and how we can protect them from external access. Utilizing stronger password demands a better memory. In case you don't have one as me, I  strongly recommend the utilization of a password manager like 1password, KeePass and it's forks KeePassX and KeePassXC. That's why I never remember my passwords! =)

And because I need to access my passwords on Linux and Windows machines, I'm currently using KeePassXC. I also advocate for files on disk instead of services like LastPass because you cannot trust anyone else nowadays =). How safe is LastPass data for example? Well, they were hacked before...

Using KeePass

Since KeePass is one of the most familiar out there, let's provide a very quick introduction on it. The rest, I'm pretty sure you can figure out. Also, if you're using one of its forks, should be the same, just varying the visual look and feel.

Step 1 - Create your password database

The first step is to create your password database. Launch KeePass, 

Step 2 - Start adding your passwords

See? KeePass not only manages our passwords but also helps us generating a very complex passwords for us.

Step 3 - Keep using it!

Yes, keep using it! Add all your accounts to this file and keep it safe on your disk, doing periodical backups. And sice KeePass is remembering your passwords for you, you have no excuses for sharing passwords or using simple passwords. Plus, backing up this file online is safer as the file is encrypted and assuming you didn't choose a very simple password for the file, it should take a long time for someone to crack it.

Which takes us to the next tip...

Recycle Passwords

Another relevant tip is recycling passwords. You may have already figured out that it's a technical term for not reusing the same passwords. But why? Yes, you should recycle your passwords every 3 months or so. It helps against data leaks. Or, if your service has something like a password expiration policy, even better:

Source: Outlook.com

How to create stronger Passwords

Most password managers have a very useful tool to generate passwords. After getting familiar with KeePass, I suggest getting acquainted with the Password generation tool.  To access it, do:

Tools -> Password Generator:

As we can there there are lots of intresting options here:

• You can set the length of the generated passwords;
• You can set/unset multiple options (I would recommend checking at least 4 of them);
• You can provide patterns, certain characters;
• You can strengthen entropy by clicking on the "Advanced" button

And, by clicking on the "Generate" button, KeePass will generate a password for you. It will even tell you how strong your password is (92 bits in this case). Remember to keep an eye on the bar. It will tip you how strong your password is. In theory, we should have the tool generate passwords for us as their algorithm handles better the complexity required.

Enable multiple-factor authentication

Multiple-Factor Authentication (MFA) and it's simpler form Two-Factor Authentication (2FA) is a way of logging in that requires more then a password. Example: a text message or a verification e-mail with a random code on a different email account are sent and the user will only be allowed access if she enters the right code..

MFA adds a very strong security component to our online accounts since it reduces dramatically the chances an unauthorized user can access our accounts. Many recent hacks such as the celebrity hack could have been avoided if MFA was enabled. But Apple have learned from the episode and now advise users to protect themselves using 2FA:

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Example 1 - Enabling MFA for an Apple ID

The majority of the most used websites currently offer MFA. As an example, here's what you need to do to enable MFA on you Apple ID.

Source: https://support.apple.com/en-ca/HT204915

Example 2 - Enabling MFA on GitHub

In GitHub, go to your profile -> security, and click:

Then you choose one of the options below to get your code:

How Secure is your Password?

Speaking of strong passwords, how secure is a  92 bits password compared to my own password? According to howsecureismypassword.net:

• your simple password like "Apple123" is broken instantly;
• a complex password as that one generated above would be broken in 52 quadrillion years;

Just access that type and enter your password to get a quick feedback on how long it would take for someone to crack your passwords:

Source: https://howsecureismypassword.net/

Spot the difference? Few hours x 52 quarillion years. But wait! There are techniques to speed up this process but we will not cover them now. The objective of that was to illustrate the importance of creating and using stronger passwords.

Conclusion

On this post I presented many suggestions on how to create strong passwords, store, transport and additional protection layers such as MFA. Please, start use them all and make your information safer. As a final note, consider using stronger passwords and enabling MFA on all your accounts.

See Also

• My journey to 1 million articles read
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Securing our front-end
• Integrated security vulnerability alerts on GitHub - Why it matters
• Dropbox officially debuts its password manager

Why use Firefox

Understand why Firefox is still the best browser for those looking to keep their privacy online.

If you have been following this blog, you may know that I've been discussing the importance of security and privacy. If not, please read how we are being tracked without consent everywhere: by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Turns out we're living in difficult times for those seeking privacy

My Favorite Firefox Features

Apart from its privacy-first commitment, let me list my favorites of  Firefox.

Performance

This version of Firefox is 2x-faster than a year ago, significantly faster than Chrome. Do not believe? Check the video below for a quick comparison between the performances of Firefox and Chrome.

Lightweight

Firefox made significant improvements to its new engine and now uses 30% less memory than Chrome:

Source: https://www.mozilla.org/en-US/firefox/quantum/

Development Tools

Every developer deserves an awesome development environment. Firefox Quantum ships with a completely revamped DevTools with multiple improvements included. Check more on this blog post to find out more.

Source

Privacy Considerations

As previously said, Firefox is the only browser committed to privacy. Even Brave who marketed themselves as the best privacy-oriented browser were caught replacing ads with their own and probably also tracking you.

Beautiful UI

And, my last personal favorite: the new Photon UI. Simply gorgeous:

Source: https://hacks.mozilla.org/2017/09/firefox-quantum-developer-edition-fastest-firefox-ever/

Mobile

I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:

Source: https://www.mozilla.org/en-US/firefox/focus/

Contributions to the Open Standard

Apart from Firefox, Mozilla has been doing very important advances in open science in:

• Gaming: WebAssembly & WebGL;
• MDN: extensive documentation on web technologies including HTML, CSS, and APIs for both Web sites and progressive web apps.
• WebVR: an incubator for virtual reality on the web;
• Servo: an amazing parallel browser engine 
• Rust: an amazing open-source programming language that focuses on speed, memory safety and parallelism.
• Open Codecs: if you use Linux, you know what I mean...
• Speech and Machine Learning

Conclusion

If you agree with me and thing that it's time for a more open web, more privacy and security, join me and millions of other users and start using Firefox again! So what are you waiting for? Go get your Firefox right now!

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Privacy and Ethics
• Security Boundaries
• Why use Fedora Linux
• Windows Subsystem for Linux, the best way to learn Linux on Windows

The Laws of security

Understand how important it is to understand the 10 Laws of security and their impact on development

Continuing on a previous discussion about the book Stealing the Network, How to Own the Box and your online security, I would like to follow up on a very interesting section of the book: the laws of security. But what exactly are they?

The Laws of Security

According to the authors, the 10 laws of security are:

• Law #1: If someone can persuade you to run his program on your computer, it’s not your computer anymore.
• Law #2: If someone can alter the operating system on your computer, it’s not your computer anymore.
• Law #3: If someone has unrestricted physical access to your computer, it’s not your computer anymore.
• Law #4: If someone is allowed to upload programs to your web site, it’s not your web site any more.
• Law #5: Weak passwords trump strong security.
• Law #6: A machine is only as secure as the administrator is trustworthy.
• Law #7: Encrypted data is only as secure as the decryption key.
• Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.
• Law #9: Absolute anonymity isn’t practical, in real life or on the Web.
• Law #10: Technology is not a panacea.

If you are a developer, devops or sysadmin, I would like to ask you: have you seen any of these rules before?  

The Laws of Security and Developers

Now that we know these rules, in order to rethink them from a development standpoint, let's consider these questions:

• Do we, while writing our code, think about how could make our code safer?
• Do we, while reviewing other people's code, think about how to make our code safer or which are the vulnerabilities in it?
• By knowing those rules, how could we protect our companies by writing safer code? Are we doing our best for them?
• By knowing those rules, how could we write safer code protect our users from threats and even from themselves? Are we doing our best for them?

Unfortunately, the answer is probably NO for most of the above. Or maybe a false yes (I do but, you know, not exactly sure if it's right.) That's okay! Our objective here is to foster the discussion in the first place. Next, work on incorporating cybersecurity paradigms into our lives so that we these patterns, tools and techniques become part of our habitual skill set.

Conclusion

Security is hard. We need to disseminate this knowledge and educate our families, users, managers, co-workers and everyone else around us so they can be constantly thinking about risks and threats, how we can mitigate them and why we should be discussing them. We always think about threats in the real world so, why neglect the virtual one?

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Security and Ethics
• Privacy and Ethics
• Security Boundaries
• Integrated security vulnerability alerts on GitHub - Why it matters

Stealing the Network

Let's review how the excellent book Stealing the Network is still very relevant

I recently re-read Stealing the Network, How to Own the Box. Written almost 10 years ago I'm impressed as to how it still is super up to date. Describing fictional attacks to websites, networks, and even printers, it proves that no system is safe enough. The book also shows how dangerous it can be not restricting access and patching our systems and devices.

Laws of Security

One interesting aspect from the book is the discussion of the Laws of Security. They can summarized as:

• Client-side security doesn’t work;
• You cannot securely exchange encryption keys without a shared piece of information;
• Malicious code cannot be 100 percent protected against;
• Any malicious code can be completely morphed to bypass signature detection;
• Firewalls cannot protect you 100 percent from attack
• Any intrusion detection system (IDS) can be evaded;
• Secret cryptographic algorithms are not secure;
• If a key isn’t required, you do not have encryption—you have encoding;
• Passwords cannot be securely stored on the client unless there is another password to protect them;
• In order for a system to begin to be considered secure, it must undergo an independent security audit;
• Security through obscurity does not work

And how much of that affects developers? Let's see.

Relevant Info for Developers

I recommend that developers read this book as it provides concrete examples on common threats we face today in our applications:

• sql injection
• social engineering
• exploit information
• malware, trojans, viruses and worms
• honeypots

The book also presents valuable knowledge (despite superficial) to topics like:

• network reconnaissance
• logging best practices
• disassembly
• tracking
• network problems

Conclusion

Security and technology are moving on a fast pace. But while some attacks get more sophisticated, old techniques are being used over and over again. Developers who are not concerned about how secure their code is should stop and reflect how dangerous that behaviour is for them and for their companies.

Security is hard and shouldn't be neglected. The threats are real and happening all the time.

See Also

• My journey to 1 million articles read
• How and why use stronger passwords
• Security and development: how much is being done?
• Security is only as strong as the weakest link
• The Laws of security
• Security and Ethics
• Privacy and Ethics
• Security Boundaries
• Integrated security vulnerability alerts on GitHub - Why it matters

For more posts about Security on this blog, please click here.