What do you think this is?

just thoughts of a restless mind...

(ISC)2 Learn - a new opportunity

In September 2018 (ISC)2 announced a free GDPR course for members. What started as a single free course was very recently rebranded as the Professional Development Institute. The plans are for up to 30 (!!) new courses in 2019.

The courses

At the moment there are three courses available for free to (ISC)2 members. This is great value provided by (ISC)2, and it is my understanding that they will also be offered for purchase to non-(ISC)2 members; a great thing, although I could not confirm it.

I completed all three available courses and here is my review.

Building a Strong Culture of Security

Creating a Security Education, Training and Awareness (SETA) program is probably the subject, out of the three, I’m most familiar with. A SETA program tries to affect the organization’s security culture and move it toward a more security-sensitive one. This course lays down the concept very nicely. The content was refreshing and engaging, and I found it to be very well organized. The course is already great, but it could perhaps be improved by having fewer webinars and more engaging content.

I would strongly recommend this course to anyone planning to start a SETA program. Not only will the knowledge provided help you build an effective and efficient program, but the discussion around cultural issues is also a perspective you don’t want to miss.

GDPR for Security Professionals: A Framework for Success

I am quite familiar with GDPR, but I followed the course with interest. I have always suggested that GDPR is more of an organizational / legal matter than a security one, and the course confirmed my perspective. Due to my familiarity with the subject I didn’t expect to learn much more. I have spent a fair amount of time with (ISC)2’s webinars and the articles that have appeared in InfoSecurity Professional Magazine, so some content was duplicate for me. Still, the course provided interesting material and builds the information up nicely into knowledge. Some minor content issues do not much affect the quality of the course; I would recommend it to everyone who is starting a GDPR program.

Is it too late for such a course? Maybe yes, maybe not. A lot of the content is “lessons learned” from others who have implemented GDPR, so not only do you get a plan to start working with, but also some knowledge about what has and hasn’t worked for others on their journey. My major objection concerns the “knowledge check”. These quizzes only test one’s ability to find something in the regulation; I believe even a high school student could do that, so they don’t add any value.

DevSecOps: Integrating Security into DevOps

The area of DevSecOps is the one I’m least familiar with of the three. I found this course to be more polished and more engaging than the others. Obviously, due to my lower familiarity with the subject, it provided me with more information and knowledge than the other two. Unlike the other courses, which build more than 30% of their content from (ISC)2 webinars and InfoSecurity Professional Magazine articles, this course does not. It uses a lot of content from external entities such as Puppy, Splunk and OWASP and seems to be better compiled.

I found myself mumbling several times “don’t tell me! Tell that to the developers”. I will definitely use information from this course in my future engagements, but the fact is that I would like every DevOps person to attend it, so that we get on the same page without me preaching.

Conclusion

This is a great initiative by (ISC)2. I hope they do indeed offer these courses to non-members (or to associates / members without certification). There is great value there, and one’s experience / seniority level is not important; there are always subjects we could use more information about. I am eager to find out what other courses will be offered, and I’m sure that with the appropriate feedback any quality issues will be rectified satisfactorily.

We (ISC)2 members already had the Safe and Secure Online program, the excellent InfoSecurity Professional Magazine, the multiple events and webinars, Vulnerability Central and others that I’m probably forgetting.

In my view (ISC)2 deserves every penny of my subscription. Even though there was recently a 50% increase (ouch!), I still think the value provided is well worth the membership fees. I always recommend that my team members plan ahead to become part of this organization. Now, with this great extra offering, I will do so even more.

Tagged in : education, security, privacy

Private and secure browsing

GDPR is supposed to let us take back control of our private data. In reality, though, many websites either don’t allow that to happen through their selection of cookies, or constantly present us with the same requests until we accept the most invasive option. At the same time there is a known security risk related to everyday browsing: browser-served malware, sometimes caused or enabled by the insane amount of uncontrolled third-party scripts served to us on the websites we visit. We need to find ways to browse securely while protecting our privacy as much as possible.

Tor network and browsing

Tor stands for The Onion Router, a solution for protecting one’s privacy and anonymity. It is the solution most commonly used by privacy-sensitive people such as journalists, activists and whistleblowers. But you don’t have to belong to these categories to use Tor; you may have other reasons, such as concerns about surveillance and tracking. The Tor Project provides, among other things, a specifically crafted browser to make using Tor as easy as possible.

Balance

Security, and privacy, comes at a cost. In our case this cost is either performance or ease of use. For some people that cost is too much, for others it isn’t. But I think we can bring that cost down so far that it becomes negligible. I will briefly explain how end users can improve their security and privacy, depending on the cost they’re willing to accept.

Implementation options

There are two roads one can follow. One is to use a privacy and / or security oriented system altogether, and the other is to just use the Tor Browser. These are not mutually exclusive, as one may opt to use a security-oriented system AND the Tor Browser on top of it, if the system itself doesn’t provide it out of the box.

Use a privacy - oriented system

Solutions like that are not science fiction anymore. I would like to mention Whonix. This is a full operating system that needs to be installed. If working every day in such an environment doesn’t meet your needs, you may prefer to use a live CD for a while. Tails is such an option: you can boot into it, do whatever you need in a privacy-sensitive way and then go back to using your computer as usual. These solutions may require a significant change in the way you perform your everyday work, though. They provide traffic-based privacy by utilizing the Tor network, but also operating-system-level security by using a hardened setup, compartmentalization, sandboxing and other similar techniques to protect against browser-served malware.

If operating-system-based security is important to you, you may want to have a look at Qubes OS and the NSA-provided TENS. Although none of these include the Tor Browser by default, all options below can be used with these operating systems too.

Using your preferred operating system

Some people prefer not to change their habits and keep using whatever they are accustomed to: Windows, MacOSX and Linux systems can all be your standard operating system, and you can still use some of the options provided here, all of them based on the Tor Browser:

Option 1: Always use Tor Browser

Although this may be the easiest solution to implement (you just download the Tor Browser for your operating system), it has three drawbacks:

  • The overall performance is bad, due to the constant use of the Tor network for browsing
  • There may be sites where you would prefer to stay logged in instead of authenticating every time; for me it’s Twitter, LinkedIn and my mail
  • You have no protection against browser-served malware, other than what the browser itself provides.

You may choose to use this setup for a while, but I would guess that if your privacy requirements are such that you need to be on the Tor network all the time, it may be worth considering a privacy-oriented system to start with.

Option 2: Use Tor Browser on your computer for specific sites

In this scenario you use the browser you’re used to and only switch to the Tor Browser to visit sites that you find too invasive. In my case that would be all news sites. To do that you need to have both browsers open while you use them. Every time you want to read or do something in a more private environment, you copy the link from your standard browser and open it in the Tor Browser. If you opt for this solution I suggest using add-ons in your everyday browser that remove tracking code. Here are some, most of them available for Chrome and Firefox:

Although this solves the performance problems and the inconvenience of constantly authenticating on everyday sites, it leaves you wide open to browser-served malware. Still, I think this will be, by far, the most commonly used scenario.

Option 3: Use sandboxed Tor Browser

This is more complex to set up and depends on your operating system. It offers pretty good protection though, as it also protects against browser-served malware. I am interested to see what Microsoft’s solution will look like regarding their Windows Sandboxing option for Windows 10 (Pro or Enterprise, so not for Home users). Third-party solutions for Windows already exist. One of them is Sandboxie, but as I don’t use Windows outside of my work environment these are not things I have spent any time evaluating.

Linux, my O/S of choice, has many options. One may start from simple sandboxing and go up to complex isolation and compartmentalization. The easiest sandboxing solution would be firejail, and there is even a specific Tor Browser profile. I suggest a private jail with a separate network stack and its own IP address. One might want to look into Docker for complete compartmentalization.

Option 4: Use a dedicated virtual machine

If you already have a virtual machine set up for whatever reason, you may even use that. Since I already have one on KVM, used as a testbed and having a whole (but small) partition of my SSD for its storage, it didn’t make any sense to set something different up. The performance impact is close to zero thanks to KVM’s passthrough storage option. You may need to make sure the VM starts on system boot, and it should shut down or suspend when your system shuts down. On my openSUSE Leap 15.0 that last step is taken care of by the virt-guest-shutdown service.

In my case I just created a simple desktop shortcut to launch the Tor Browser from the virtual machine.

Here is the snippet of my .ssh/config file:

Host priv
HostName 192.168.122.91
IdentityFile ~/.ssh/priv.ssh.pem
ForwardX11 yes

and here is the command executed by the desktop shortcut:

ssh priv '~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser && exit'

Simple, of course, and the only prerequisites are to use key-based authentication to ssh into the VM and to install the Tor Browser there.
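As an added example, not part of the original post, the same launch wrapped in a small script that first starts or resumes the guest if it was left off or suspended at the last host shutdown, and waits for sshd before opening the browser. It assumes the “priv” Host alias from the .ssh/config snippet above (with ForwardX11 yes), a libvirt domain that is also named “priv” (an assumption), and the Tor Browser path from the shortcut command.

```shell
#!/bin/sh
# Added example, not the post's own script: launch the Tor Browser from a
# dedicated KVM guest over ssh, first making sure the guest is running.
# Assumes the "priv" ssh alias from the post's ~/.ssh/config (ForwardX11 yes)
# and a libvirt domain that is also named "priv" (an assumption).
set -eu
VM_NAME="${VM_NAME:-priv}"      # libvirt domain name (assumed)
SSH_HOST="${SSH_HOST:-priv}"    # Host alias from ~/.ssh/config
# Tor Browser path inside the guest, as in the post; ~ is expanded by the remote shell.
TBB='~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser'

# Map "virsh domstate" output to the virsh command needed first (pure, testable without libvirt).
action_for_state() {
    case "$1" in
        running)            echo none ;;
        paused)             echo resume ;;   # e.g. suspended at the host's last shutdown
        "shut off"|crashed) echo start ;;
        *)                  echo unknown ;;
    esac
}

ensure_vm_running() {
    state=$(virsh -c qemu:///system domstate "$VM_NAME" | sed '/^$/d')
    action=$(action_for_state "$state")
    case "$action" in
        none)    ;;
        unknown) echo "unexpected state for $VM_NAME: $state" >&2; return 1 ;;
        *)       virsh -c qemu:///system "$action" "$VM_NAME" ;;
    esac
}

# Poll until sshd in the guest accepts our key; BatchMode fails instead of
# prompting, so a missing key is reported rather than hanging the shortcut.
wait_for_ssh() {
    i=0
    while ! ssh -o BatchMode=yes -o ConnectTimeout=2 "$SSH_HOST" true 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "$SSH_HOST did not come up" >&2; return 1; }
        sleep 2
    done
}

launch_tor_browser() {
    ensure_vm_running
    wait_for_ssh
    ssh "$SSH_HOST" "$TBB && exit"   # same remote command as the desktop shortcut
}
# The desktop shortcut runs this script with the argument "launch".
if [ "${1:-}" = "launch" ]; then launch_tor_browser; fi
```

Point the desktop shortcut at `this-script.sh launch`; without the argument the script only defines its functions.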

Tor browser settings

The settings for the Tor browser I suggest, regardless of the setup you choose, are the following:

  • Addons (in case they are not installed by default):
      • HTTPS Everywhere
      • NoScript
      • A URL cleaner (see above)
  • Configuration (in the section Privacy & Security):
      • Always use private browsing mode (default Keep until: I close Tor Browser)
      • Accept third party cookies and site data: Never
      • Use Tracking protection: Always
  • Advanced settings (these are the ones I changed from the default value)
      • privacy.trackingprotection.pbmode.enabled = true
      • privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts = true

Conclusion

As you can see, there are several ways to use the Tor Browser to protect your privacy online, depending on the time you want to invest in setting them up and the architecture that works best for you.

Opinions? Are you going to use any of these options? And if yes, which one?

Tagged in : privacy, security, linux, virtual machines

Google+ is dying, be prepared

As you may have heard, Google+ is going to die. This is a good thing, since there were some security / privacy issues last year. Google decided to kill the product instead of trying to fix it, which is an understandable and respectable decision.

Still, at some point Google+ was used as an authentication provider for several services. Google was kind enough to send us a message saying that Google+ is being discontinued, and according to this message:

If you sign in to sites and apps using the Google+ Sign-in button, these buttons will stop working in the coming weeks but in some cases may be replaced by a Google Sign-in button. You’ll still be able to sign in with your Google Account wherever you see Google Sign-in buttons.

Notice that “in some cases may be replaced”? That means you may lose access to your profile, and once Google+ is decommissioned you may not even be able to find out which services hold such a profile for you. That is a privacy risk you should not be willing to take.

If you don’t want that to happen, you actually need to act fast, especially since the only way to figure out who uses Google+ for your sign-in is to use the Google+ mobile app.

The instructions provided by Google are straightforward. Still, since they rely on your access to your Google+ account AND the Google+ mobile application, I suggest you act fast.

Tagged in : privacy