Tag Archives: security

Install Tor using apt-get on ubuntu- trusty 14.x


I went to turn on Tor on an ubuntu-64 “trusty” 14.x guest and ran into problems. There appears to be a bug
that critically affects the traditional methods using gpg, so here is some information on how to avoid this.

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. There is a very neat Python
controller library for use with Tor called stem.

The problem

To install Tor on an ubuntu, the following instructions can be found:

$ sudo nano /etc/apt/sources.list.d/tor_repo.list

and then add the following lines:

deb http://deb.torproject.org/torproject.org trusty main
deb-src http://deb.torproject.org/torproject.org trusty main

The critical problem then occurs as you try to add the appropriate keyring and key used to sign the packages:

$ gpg –keyserver keys.gnupg.net –recv 886DDD89

$ gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add

There appears to be a bug with gpg and guests involving not correctly resolving DNS for the gpg commands. The symptom that I was getting was

$ gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add –
usage: gpg [options] [filename]
gpg: can't open `–': No such file or directory

The fail in the pipe is due to there not being anything actually exported by gpg. You can test this with:

$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg: WARNING: nothing exported


So, take another approach. Use different packages to avoid any of this problem.

$ sudo apt-get update

$ sudo apt-get install deb.torproject.org-keyring

$ sudo apt-get install tor

which will get you something like:

The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 63 not upgraded.
Need to get 5,268 B of archives.
After this operation, 7,168 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
Install these packages without verification? [y/N] Y
Get:1 http://deb.torproject.org/torproject.org/ trusty/main deb.torproject.org-keyring all 2014.08.31+b1 [5,268 B]
Fetched 5,268 B in 0s (22.3 kB/s)                     
Selecting previously unselected package deb.torproject.org-keyring.
(Reading database ... 128038 files and directories currently installed.)
Preparing to unpack .../deb.torproject.org-keyring_2014.08.31+b1_all.deb ...
Unpacking deb.torproject.org-keyring (2014.08.31+b1) ...
Setting up deb.torproject.org-keyring (2014.08.31+b1) ...


    The following extra packages will be installed:
  libseccomp2 tor-geoipdb torsocks
Suggested packages:
  mixmaster torbrowser-launcher socat tor-arm apparmor-utils obfsproxy
The following NEW packages will be installed:
  libseccomp2 tor tor-geoipdb torsocks
0 upgraded, 4 newly installed, 0 to remove and 63 not upgraded.
Need to get 1,707 kB of archives.
After this operation, 8,053 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
WARNING: The following packages cannot be authenticated!
  tor tor-geoipdb
Install these packages without verification? [y/N] Y
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libseccomp2 amd64 2.1.0+dfsg-1 [34.8 kB]
Get:2 http://deb.torproject.org/torproject.org/ trusty/main tor amd64 [1,024 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty/universe torsocks amd64 1.3-3 [73.0 kB]
Get:4 http://deb.torproject.org/torproject.org/ trusty/main tor-geoipdb all [575 kB]
Fetched 1,707 kB in 2s (749 kB/s)
Selecting previously unselected package libseccomp2:amd64.
(Reading database ... 128043 files and directories currently installed.)
Preparing to unpack .../libseccomp2_2.1.0+dfsg-1_amd64.deb ...
Unpacking libseccomp2:amd64 (2.1.0+dfsg-1) ...
Selecting previously unselected package tor.
Preparing to unpack .../tor_0.2.7.6-1~trusty+1_amd64.deb ...
Unpacking tor ( ...
Selecting previously unselected package torsocks.
Preparing to unpack .../torsocks_1.3-3_amd64.deb ...
Unpacking torsocks (1.3-3) ...
Selecting previously unselected package tor-geoipdb.
Preparing to unpack .../tor-geoipdb_0.2.7.6-1~trusty+1_all.deb ...
Unpacking tor-geoipdb ( ...
Processing triggers for man-db ( ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up libseccomp2:amd64 (2.1.0+dfsg-1) ...
Setting up tor ( ...
Something or somebody made /var/lib/tor disappear.
Creating one for you again.
Something or somebody made /var/log/tor disappear.
Creating one for you again.
 * Starting tor daemon...                                                                                                                  [ OK ] 
Setting up torsocks (1.3-3) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up tor-geoipdb ( ...
Processing triggers for libc-bin (2.19-0ubuntu6.6) ...

Now you have Tor installed, just start it.

$ sudo /etc/init.d/tor start

Starting tor daemon...

It also appears that there is some confusion as to the defaul port the service is running on. I found it to be running on 9050, not 9150 as some
articles are reporting. I haven’t yet found an easy way to determine this but trial-and-error proved it to be true.

Recent OS X security vulnerabilities

Serving up some issues for OS X that were catalogued on Dark Reading. There are some serious concerns. I missed the keychain vulnerability which is very worrisome. I know a good many who are using password safes with standard copy and paste UX in their use.

The past several months have been full of bad news for Mac and iOS. Here’s a quick rundown of the highlights:

  • Keychain vulnerability: Reported to Apple a year ago, revealed to the public in June, and still not fixed, researchers discovered a vulnerability in Keychain on Mac OS X. Attackers could poison Keychain and steal the data it stores, which included passwords and tokens for a variety of applications, including iCloud and Facebook.
  • Gatekeeper vulnerabilities: At the Black Hat Las Vegas conference in August, Synack director of research Patrick Wardle detailed proof-of-concept exploits that circumvent Gatekeeper, Apple’s mechanism for preventing unsigned code from running on Mac. At the Virus Bulletin Prague conference in October, Wardle showed that Apple did not repair the problem with OS X El Capitan, released Sep. 30, and told Forbes that “Gatekeeper is no obstacle at all.”. A researcher snuck unsigned malicious code past Gatekeeper by wrapping it into a signed installer package. Gatekeeper only checks the installer package, not what’s in it — so it’s vulnerable to what is essentially a basic piggybacking attack that any good lesson in social engineering cautions against.
  • DYLD_PRINT_TO_FILE vulnerability: Discovered in July, patched in mid-August, this was a bug in an environment variable in Mac OS X Yosemite that enabled root access.
  • Tpwn vulnerability: Publicly disclosed in mid-August before it was patched, Tpwn was a memory corruption bug in the kernel of OS X Mavericks through Yosemite, that would allow local privilege escalation and grant attackers root access.
  • KeyRaider: In late August, the KeyRaider iOS malware stole 225,000 legitimate Apple accounts and slammed devices with ransomware, data theft, and phony purchases. The malware was secretly wrapped into unauthorized iOS apps, downloaded from a China-based third-party website, and thus it only affected jailbroken iOS devices.
  • AirDrop vulnerability: Disclosed in mid-September, a vulnerability in both Mac and ioS — patched in the new iOS 9 — lets attackers bomb any iOS and Mac device within Bluetooth range with malware, via the Airdrop file-sharing feature.
  • XCodeGhost: In late September, attackers showed they could hit non-jailbroken iOS devices too. XcodeGhost is a Trojanized version of Apple’s application development software, Xcode. Attackers uploaded it to Chinese cloud storage service Baidu Yunpan — a regional, third-party alternative to the Apple Store where download times are shorter for iOS and Mac developers in China. Innocent app developers then used XcodeGhost to write apps and upload them to the official App Store, never knowing that those apps were malicious. Originally, it was thought that only about 40 apps were infected with XcodeGhost, but that number was later increased to 4,000, including WeChat, ride-hailing app Didi Kuaidi, and music sharing app NetEase Music.
  • YiSpecter: In early October, researchers at Palo Alto Networks discovered about 100 apps in the iTunes App Store abusing Apple’s private APIs — used only by Apple itself and not available to app developers — in order to circumvent the Store’s security tools. YiSpecter download, install, and open applications, replace on-board apps with unwanted downloads, and force apps to show advertisements.
  • Yanked apps: Last week, Apple pulled some ad-blocking apps from its App Store after discovering that some of those apps installed root certificates that expose all traffic, including encrypted traffic, from the device to the application. Apple is allowing the app developers to resubmit to the store after they make alterations.

Dmail enters ring for making users feel like they have control of their email

Dmail is now in the Chrome store. Delicious Science, which last year acquired social bookmarking service Delicio.us, has released this Chrome extension that provides Gmail messages with the ability to self-destruct.

After installing the extension, Gmail users can send a message to anyone, whether or not that person uses the Dmail extension, and configure the message to deny access after a period of an hour, a day, a week, or never. In addition, a “Revoke Access” button provides a way to immediately disable access to a protected message.

If the recipient has the Dmail extension, he or she can read the message in Gmail until it expires or is revoked. Dmail has designed the extension so that the neither Gmail nor Dmail servers ever receive both the decryption key and encrypted message. Only the recipient and sender can read the email legibly.

The accessibility of Dmail’s source code — Chrome extensions are just collections of JavaScript, HTML, and image files — may help security skeptics decide whether or not to trust Dmail. The software relies on Gibberish-AES, a JavaScript library for OpenSSL-compatible AES CBC encryption.

However, the presence of JavaScript modules for tracking and analytics suggests this software isn’t intended for people who want serious security; rather, it appears to be aimed at people who would like to feel they have more control over their data than regular email affords.

Concerns about real security would include the relatively weak encryption being used in the package. A further question is what is yet the friction offered to authorities who seek the keys to a message from all of the parties involved. But the package has addressed accessibility concerns with the wider community.

Don't put your auth tokens in your R source code

I’ve been working with the great open data source which is BLS. You can get some of the data with the v1 API, but to use the v2 API you need to have a token. That simply takes a registration and a validation. Cheers to BLS. And cheers to Mikeasilva

So, now you have your API token and you want to go grab some data into some R and cook it up. So you might do something like:

payload <- list('seriesid'=c('LAUCN040010000000005','LAUCN040010000000006'),
                'registrationKey'= 'MYVERYOWNTOKENREGISTEREDTOME')
response json

Sadly, when you check your code into github, or share it with someone else, they have your API token. A better way exists, padawan. Go to your home dir

> normalizePath("~/")

in the R console will tell you if you don't know. So will a simple

in a shell, but if you know what a shell is you knew that already :). In your home dir, edit a new file called .Renviron, unless it already exists, which questions why you are reading this post. In .Renviron, you can enter key-values per line:


and, beautifully, you can grab any and all of these values in your R code with the following:

myValueOfInterest <- Sys.getenv(KEY)
[1] "character"

so you can easily pass it as a parameter to those connections. All much better than embedding it directly into the source. N.B.: If you happened to include your home dir as part of your project dir, don't commit the .Renviron. Also, go change your project directory to something more sensible like a child dir. While you're at it, look at some of the other methods available via Sys, e.g.:


Now your interaction with the v2 API is more like:

payload <- list('seriesid'=c('LAUCN040010000000005','LAUCN040010000000006'),
                'registrationKey'= BLS_API_TOKEN)
response <- blsAPI(payload)
json <- fromJSON(response)
response json 

FB slips new data use policy for review the night before Thanksgiving

Well, FB is at it again. They mailed users at 11 p.m. on the Wednesday before Thanksgiving with an update to the [Data Governance documents](https://www.facebook.com/notes/facebook-site-governance/proposed-updates-to-our-governing-documents/10152304935685301). You can leave any comments by 9:00 AM PST on November 28, 2012. Continue reading FB slips new data use policy for review the night before Thanksgiving

Facedeals stirring up privacy concerns

[Facedeals](http://redpepperland.com/lab/details/facedeals) has been getting attention lately for a new technology that uses FB data to match video of customers coming into shops and determine identity and likes, then send customers contextualized coupons for that store. There are many concerns coming from privacy advocates and even FB is keeping silent on this. Continue reading Facedeals stirring up privacy concerns

Run down on current cloud based IAM standards

There has been some activity on cloud based IAM lately, most recently with the release of the new Intel Cloud based IAM solution. It looks pretty expensive for high volumes, but it might make sense for something that has total cost recovery or for small, elastic groups of transitory users. In HE, I am thinking about alumni or prospective students specifically. But in addition to writing about this, I wanted to make an updated rundown on the standards, since there is now movement on SCIM. Continue reading Run down on current cloud based IAM standards