May 19, 2017

Don't panic! New exploits and malware are released every day!

I work in an industry where security is kind of a big deal. Without getting into specifics, or naming company names, we'll just say that the companies I work with a lot are in the financial sector. Because of that, I've found that their security is pretty damned hard core, and their vendor risk assessment crews are even more hard core.

Knowing all that, you can probably assume that I get a lot of risk assessment questionnaires asking about the company I work for and our security practices. On top of their annual or semi-annual risk assessments, whenever news breaks of some fancy new malware, their pucker factor goes up exponentially and I get bombarded with questions asking what we're doing about it.

Although I completely understand where they are coming from, the truth is in the world of network security, threats like this are always out there. There are always viruses, Trojans, worms and other nasty things hackers are trying to do to cause chaos, damage systems, steal information or to steal money. The difference with these cases is that they are famous and they've made the news cycle.

This latest crazy threat that has everyone in a tizzy is WannaCry (or WCry, or Wanna Decryptor). If you have been living under a rock, it's your typical ransomware that encrypts all your files and asks you to pay a ransom to have your files unlocked. In reality, it's no different than CryptoLocker that came out in 2013. One might argue that the difference is how it was spread using a vulnerability that the NSA had been using for years.

Guess what folks, I have news for you. Shit like this comes out every day. In fact, WikiLeaks has been leaking all of the CIA's exploits for the past few months. The Hacker News reported yesterday that two of the CIA's tools affect all versions of Windows! WannaCry only affected Windows 2008 and below! Get ready for an epic shitstorm of hacks now that the United States Government's secrets are all over the web!

Long story short, DON'T PANIC! Stuff like this happens every day. The best thing you can do is prepare for it. Keep your systems patched, make sure your antivirus/anti-malware is up to date, use firewalls, beware of phishing scams, and make sure you have reliable backups! You know, all the recommended security shit you are supposed to do, and not be lazy about! If you maintain a decent security posture, you can prevent a lot of this sort of thing, or be able to mitigate against it should you be affected.

Do you agree? Disagree? Let us know in the comments.


May 18, 2017

Goodbye ExtraTorrent! Hello Zooqle!

Yesterday I posted that ExtraTorrent was closing up shop. In that post I mentioned a possible mirror, but that turned out to not be real. None of the download links worked. ExtraTorrent really is gone apparently.

That being said, if you like to torrent stuff, there are some alternative sites out there. Not all of them have RSS capabilities though. Well, I found one that does offer RSS! It's called Zooqle!



My only gripe with Zooqle is that they make you register. It's not that big of a deal, but I recommend that if you register with any Torrent site, you do so while connected to a VPN connection. I also recommend NOT using your personal email address, and use one dedicated to Torrenting that also uses encryption like ProtonMail!

One thing I certainly do love about Zooqle, besides its RSS support, is the lack of intrusive advertising. One of my biggest problems with ExtraTorrent was their annoying redirect ads and pop-under ads. I respect having ads on your website. For many sites, that's their only source of revenue. I just hate intrusive ads!

Now that ExtraTorrent is gone, which site or sites do you use? What alternatives do you recommend? Let us know in the comments!


May 17, 2017

ExtraTorrent is down for good... Or are they?

Earlier today, TorrentFreak broke the news that the famous BitTorrent site, ExtraTorrent, was shutting down operations, including all mirror sites.

From TorrentFreak:
Popular torrent site ExtraTorrent has permanently shut down. The abrupt decision was announced a few minutes ago in a brief message posted on the site's homepage. This means that after the demise of KickassTorrents and Torrentz.eu, the torrent community must say farewell to another major player. 
In a surprise move, ExtraTorrent decided to shut down today, for good.
Users who access the site’s homepage are welcomed by a short but clear message, indicating that the popular torrent index will not return (the message appears intermittently).
 
“ExtraTorrent has shut down permanently.” 
“ExtraTorrent with all mirrors goes offline.. We permanently erase all data. Stay away from fake ExtraTorrent websites and clones. Thx to all ET supporters and torrent community. ET was a place to be….” 
TorrentFreak reached out to ExtraTorrent operator SaM who confirmed that this is indeed the end of the road for the site.

If you browse to ExtraTorrent.com or any of their mirrors, you see a page like this:


Not long ago though, this message popped up on the ExtraTorrent Facebook page leaving many of their followers confused:


If you browse to the link that is circled in red above, it takes you to ExtraTorrent.cl which appears to be a live mirror. I haven't tried any of the downloads though.

So are they down or not? Is this just some kind of ruse to stop people from trying to DDoS their servers? If you have the goods, and know what's going on, let us know in the comments!

[EDIT] It looks like they really are gone. The site mentioned above is a fake mirror and the links don't work. If you are looking for an ExtraTorrent alternative, you should check out our post on Zooqle.

May 9, 2017

US Government Recently Passed New Pirate Watch List

With the new Trump administration comes an increase in the crackdown on online piracy, and with that the Office of the US Trade Representative has published its annual piracy watch list, also known as the Special 301 Report. In this 81-page report, around two dozen countries are listed as hotbeds for online piracy.

From ExtraTorrent:
The Office of the US Trade Representative has published its yearly piracy watchlist officially named Special 301 Report. The document highlights countries failing to comply with the copyright protection standards of the United States. Apparently, the enforcement of IP rights is a priority for the Trump administration. In the report, Canada and Switzerland are listed among the two dozen of other countries. 
USTR publishes its report listing countries that aren’t doing enough to protect US intellectual property rights every year. The latest report is the first under the administration of President Trump, but slightly differs from Obama’s: China, Russia, Ukraine and India are major threats, while even Canada and Switzerland remain in the list.

Switzerland is a popular country to host pirate related websites due to their Logistep Decision. That decision was a ruling from the Swiss Federal Supreme Court that prohibits companies from harvesting IP addresses of file-sharers because the Swiss Federal Supreme Court views IP addresses as private data.

May 4, 2017

I've switched from BitLocker to VeraCrypt for full disk encryption because SCREW MICROSOFT!

"Damn!" you are probably saying to yourself, "That's a pretty harsh title to a blog post." Yeah, I suppose you are right. Still though, it's pretty accurate. I'm not really a fan of Microsoft at all, and whenever possible I really like to use alternatives. In the case of drive encryption though, I think it just makes sense from a security perspective.

Allow me to explain. You see, it was only a few years ago that Edward Snowden leaked information about the NSA's PRISM program. One of the interesting things that came with that leak was that the NSA was working with companies like Microsoft and Google to bypass security built into their platforms so they could illegally access users' data. Backdoors if you will.

So now that we know this information, how can we actually trust anything that Microsoft puts their name on to truly secure our data? Sure, it's probably safe from the average hacker, but it's certainly not safe from Big Brother!

That's why I've opted to ditch BitLocker, and go with the open source alternative of VeraCrypt. Besides, even if BitLocker is safe from Big Brother, I still feel that VeraCrypt is probably more secure because of its PIM feature. That's just my opinion though.

The only drawback I see from this change is that VeraCrypt's boot time is slightly longer, but that is tolerable in my opinion.

What do you think about this? Let me know in the comments.

May 2, 2017

Why haven't we found aliens yet? (Infographic)

Have you ever wondered why we haven't found conclusive evidence of aliens yet? Well, this infographic hopes to shed some light on that question. Check it out!




[H/T Imgur]

May 1, 2017

I've replaced TrueCrypt with VeraCrypt on my VPS

A couple of days ago on Saturday I talked about VeraCrypt being the only real alternative to TrueCrypt. I also mentioned that I was still using TrueCrypt on my Linux VPS private email server. Well, after writing that post I wanted to see if VeraCrypt could mount a TrueCrypt volume, and it turns out it can!

So I went ahead and installed VeraCrypt on my VPS. The setup is almost identical to the TrueCrypt CLI version. After the install, I changed my mount scripts from:

truecrypt --mount /secret/secret.tc /var/vmail

To:

veracrypt --truecrypt --mount /secret/secret.tc /var/vmail

Boom! Easy peasy lemon squeezy!

According to VeraCrypt, you can convert an existing TrueCrypt volume by performing any of these functions, but you must select TrueCrypt mode to do it:

  • Change Volume Password
  • Set Header Key Derivation Algorithm
  • Add/Remove key files
  • Remove all key files

I haven't tried it yet, but changing the password and/or key files to convert it to a VeraCrypt volume via the terminal version should be as simple as running the following on your original TrueCrypt volume while it's dismounted:

veracrypt --truecrypt -C tc-volume.tc

Not wanting to risk corrupting all of my emails, I think I will hold off on doing that until I'm ready to change my password again, and I'll make sure I have a good backup first! Still though, even if it doesn't work, at least I can mount that volume now with VeraCrypt!

Edit: I've verified that the above command does in fact work to change the password and upgrade your TrueCrypt volume to the new VeraCrypt format via the CLI/terminal! If you were wondering how to upgrade a TrueCrypt volume to a VeraCrypt volume via command line, there you go!
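
The backup-then-convert sequence described above, as an added shell example that is not part of the original post: it refuses to run while the volume is mounted, copies the container and compares SHA-256 digests, and only then runs the post's `veracrypt --truecrypt -C` command. The function names and the backup path argument are hypothetical, and it assumes a VeraCrypt build that accepts `--truecrypt`, as the one in the post does.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: ./convert-tc.sh /secret/secret.tc /backup/secret.tc.bak

# Return 0 if VeraCrypt lists the container (absolute path) as mounted.
is_mounted() {
    veracrypt --text --list 2>/dev/null | grep -F -q -- "$1"
}

# Copy the container and prove the copy is bit-identical before touching it.
backup_container() {
    src=$1
    dst=$2
    [ -f "$src" ] || return 2
    # Never overwrite an older backup: it may be the only good header left.
    if [ -e "$dst" ]; then return 3; fi
    cp -p -- "$src" "$dst" || return 4
    if [ "$(sha256sum < "$src")" != "$(sha256sum < "$dst")" ]; then
        rm -f -- "$dst"
        return 5
    fi
}

# Convert a dismounted TrueCrypt volume by changing its password in
# TrueCrypt mode, as the post does, but only after a verified backup exists.
convert_tc_volume() {
    vol=$1
    backup=$2
    command -v veracrypt >/dev/null 2>&1 || {
        echo "veracrypt not found" >&2
        return 1
    }
    if is_mounted "$vol"; then
        echo "$vol is mounted; dismount it first" >&2
        return 1
    fi
    backup_container "$vol" "$backup" || {
        echo "backup failed (code $?), volume left untouched" >&2
        return 1
    }
    # Prompts for the current and the new password on the terminal.
    veracrypt --text --truecrypt -C "$vol"
}

if [ "$#" -eq 2 ]; then
    convert_tc_volume "$1" "$2"
fi
```

Keep the backup until the converted volume has been mounted and checked at least once; the backup still opens with the old password.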

Apr 29, 2017

Serious Alternative to Truecrypt: VeraCrypt

As many people know, TrueCrypt has been discontinued since 2014. The developers said that TrueCrypt had some unfixed security issues. In 2015 the Fraunhofer Institute for Secure Information Technology conducted an audit on the last stable release of TrueCrypt, and although they did find a number of bugs, they came to the conclusion that it is still secure when data is at rest.

That being said, since TrueCrypt is no longer being developed, if you are still using it you should move to something that is actively being developed. Now, there are lots of encryption solutions today. Most modern operating systems have some form of disk encryption built in now. Microsoft has BitLocker, Linux has LUKS. You get the idea right? What if you really liked the way TrueCrypt worked though? What if you liked that TrueCrypt was multi-platform? Then in my opinion, you only have one serious alternative.

That alternative is VeraCrypt! From their page:
VeraCrypt picks up from where TrueCrypt left and it adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks. 
VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt. It can load TrueCrypt volume and it offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format. This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. 
This is acceptable to the legitimate owner but it makes it much more harder for an attacker to gain access to the encrypted data.

Now, to be fair, there is another fork of TrueCrypt called CipherShed, but they only have a pre-compiled version for Windows. If you want to use it on Mac or Linux, you need to compile it yourself. Not to mention, they don't issue releases as frequently as VeraCrypt.

Some cool things I like about VeraCrypt are that the layout is very similar to that of TrueCrypt, and I'm already used to that. Also VeraCrypt offers some other encryption algorithms that TrueCrypt did not. Those algorithms are Camellia and Kuznyechik.



They also have some other hash options.


I'll be honest, I am still using TrueCrypt on my VPS email server. I'm not terribly worried about it because it should still be able to protect my emails at rest if my VPS is shutdown to reset the root password without my permission. Still though, I'm making plans to migrate to a new VPS when Ubuntu 18.04 LTS comes out, and when that day comes I'm going to make the switch to VeraCrypt!

Do you still use TrueCrypt? Do you think you will make the change to VeraCrypt? Why or why not? Let us know in the comments!


