Signal – Getting Started with Secure SMS

Signal

You’ve probably heard of Signal lately; on the news, on Facebook, or somewhere else on the Internet. My sister “tried” to use it, but only ended up missing a bunch of text messages from me. So this post is for my sister and anyone else interested in securing their text messages.

Why Would I Want Secure Text Messages? Are People Really Reading My Texts?

These are two of the most common questions that I get about this. A lot of you Apple users just love your iMessage. Guess what?!? Signal is, for all intents and purposes, the same thing as iMessage except for the following very big differences:

  1. It’s available on both iOS and Android, as well as your Desktop (Windows, Linux and MacOS).
  2. The messages, photos, videos, and even the calls sent between users are only viewable by those users.
  3. It’s Open Source. This means that the software code that was used to create it is freely viewable on the Internet, and anyone can contribute to the development of the program.

Getting Started with Signal

  1. Getting started with Signal is easy. The application is available on both the Play Store on Android and the App Store on iOS. Once you’ve set it up on your mobile device, you can install it on your desktop computer to send messages to other Signal users.
  2. When you first open Signal you’ll need to go through a basic registration where it will validate your phone number.

That’s it! You’re done.

You’ll want to send future texts using the Signal app so don’t forget to update the shortcuts on your phone screen. You may also need to make Signal your default SMS app, which it will prompt you to do when you launch the app.

What If My Friends Don’t Have Signal?

The Signal app allows you to send messages to everyone, even if they don’t have the Signal app. The only issue is that the messages between you and those people will not be secure, and functionality like video calling won’t work.

Easily Generate Security Keys With WordPress Salt Generator

Locked Vault

I was migrating some WordPress websites this weekend on to our new Website Hosting platform at Rogue Security. Normally I wouldn’t do a lot of it manually, but was having an issue with one of the websites and realized it would be easier to install a fresh copy of WordPress. Well, while configuring the wp-config.php I was at the Authentication Keys block, and hidden in the comments of that block is a link to the WordPress Salt Generator.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org sec$
 * You can change these at any point in time to invalidate all existing cookies. This will force all users $
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '<random-characters>' );
define( 'SECURE_AUTH_KEY',  '<random-characters>' );
define( 'LOGGED_IN_KEY',    '<random-characters>' );
define( 'NONCE_KEY',        '<random-characters>' );
define( 'AUTH_SALT',        '<random-characters>' );
define( 'SECURE_AUTH_SALT', '<random-characters>' );
define( 'LOGGED_IN_SALT',   '<random-characters>' );
define( 'NONCE_SALT',       '<random-characters>' );

What is a Salt?

Great question! A salt is random data/characters used as additional input for one-way hashing algorithms. Yeah, that was a lot, so here is an example. When you create a new account on Facebook you must enter a username and password. After you submit that information, Facebook stores the username in the database as it’s written, in human-readable plain text. However, Facebook takes the password that you entered, adds a salt to it, hashes it using a hashing algorithm such as MD5 or SHA256, and then stores the result in the database. It doesn’t matter how or where the salt is placed in the password.

A hashing algorithm will produce the same output given the same input. In other words, every time I use the SHA256 algorithm with my name as the input, it’s going to produce the exact same output. My Python script below shows that.

46df21c3bf897655ba14e556391adf6a78fc3c5cc681d883be97de47456488ed

No matter how many times I run this script with my name as the test_string it will never generate a different string, unless I change the hashing algorithm, of course.

The salt doesn’t change your password; it changes how your password is stored. Remember how my name will generate the same hash every time I check it? Well, so will your password. If a malicious actor knows the hash of your password, it can still be just as useful as the actual password, more so if it hasn’t been salted prior to hashing.
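To make the point about salts concrete, here is an added example (not the script from the original post): it stores three constructed accounts unsalted and then with a per-user random salt, and shows that only the unsalted table reveals which users share a password. It uses PBKDF2-HMAC-SHA256 rather than a single SHA256 pass; the user names, passwords and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # illustrative work factor for this example; tune for your hardware

# Constructed sample accounts: alice and bob happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def unsalted_sha256(password):
    """Plain SHA-256: the same input always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, key). A fresh 16-byte random salt is drawn unless one is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Re-derive the key with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def build_unsalted(users):
    return {name: unsalted_sha256(pw) for name, pw in users.items()}


def build_salted(users):
    return {name: hash_password(pw) for name, pw in users.items()}


def shared_password_groups(table):
    """Group user names whose stored value is identical, as a leaked table would show."""
    groups = {}
    for name, stored in table.items():
        groups.setdefault(stored, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    print("unsalted:", shared_password_groups(build_unsalted(USERS)))
    print("salted:  ", shared_password_groups(build_salted(USERS)))
    salt, key = build_salted(USERS)["alice"]
    print("login ok:", verify_password("correct horse", salt, key))
```

The salt is stored next to the derived key; it is not a secret, it only has to be different for every account.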

WordPress Salt Generator

The WordPress Salt Generator is a simple page for generating a complete set of secret keys for your WordPress installation. If you’re using it for WordPress security purposes then you simply load up the page linked to above, and copy the generated keys into your wp-config.php file. These keys are also automatically generated during a standard installation so you only really need to do this if you are doing a manual install. If you don’t fill them out, they will be automatically generated for you during the first run.

Other Uses

So, how else might they be useful?

The page generates 8, 64-bit strings that are pseudo-random. You could easily connect to this page with a little Python, parse the data and have a quick subset of secret keys that can be used for just about anything. Need some quick licenses created? Pull up the page, copy a key. You have yourself randomly generated license keys (just make sure you check for duplicates).

Do you like complex passwords? I do. Some of my passwords are actually 64 random characters so this is perfect for that.
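The wp-config.php key block and the "little Python" idea above, as an added example that is not code from WordPress or from this site: it parses the eight define() lines, flags constants that are missing, still set to a placeholder, shorter than 64 characters or duplicated, and can build a fresh block locally from the operating system's random source instead of fetching one. The function names, the alphabet and the 64-character minimum are assumptions of this example.

```python
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Values that mean "nobody ever set this": the placeholder shown in the block
# above, and the stock text shipped in wp-config-sample.php.
PLACEHOLDERS = {"<random-characters>", "put your unique phrase here"}
MIN_LENGTH = 64  # assumption: match the 64-character keys discussed in this post

# Alphabet chosen for this example: no quotes or backslashes, so a value can be
# pasted into a single-quoted PHP string without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def parse_keys(config_text):
    """Return {constant_name: value} for the eight key/salt constants found."""
    found = {}
    for match in DEFINE_RE.finditer(config_text):
        if match.group("name") in KEY_NAMES:
            found[match.group("name")] = match.group("value")
    return found


def audit_keys(config_text):
    """Return {constant_name: [problems]}; an empty dict means all eight look sane."""
    keys = parse_keys(config_text)
    problems = {}
    for name in KEY_NAMES:
        issues = []
        value = keys.get(name)
        if value is None:
            issues.append("missing")
        elif value in PLACEHOLDERS:
            issues.append("placeholder")
        else:
            if len(value) < MIN_LENGTH:
                issues.append("too short")
            if sum(1 for other in keys.values() if other == value) > 1:
                issues.append("duplicate")
        if issues:
            problems[name] = issues
    return problems


def generate_block():
    """Build a fresh set of define() lines locally from the OS CSPRNG."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(MIN_LENGTH))
        lines.append("define( %-19s '%s' );" % ("'" + name + "',", value))
    return "\n".join(lines)


# Constructed sample: the placeholder block as it appears in this post.
SAMPLE_UNSET = "\n".join(
    "define( '%s', '<random-characters>' );" % name for name in KEY_NAMES
)

if __name__ == "__main__":
    print(audit_keys(SAMPLE_UNSET))      # every constant flagged as a placeholder
    print(audit_keys(generate_block()))  # {}
```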

What is a Non-Fungible Token?

Crypto Kitty

I want to do a larger post on cryptocurrency and blockchain technology itself, but today I want to talk about non-fungible tokens (NFT), and how they relate to it all.

Non-fungible?

Good question. Fungibility is a property of a good or commodity whereby each unit is interchangeable due to the fact that each unit is generally indistinguishable, and/or shares the same set of properties. The units must be substantially equivalent for fungibility to exist.[1] Money, for instance, is a fungible commodity as there is a system of interchangeable units (dollar bills and coins). If a unit of something is non-fungible, it can’t be interchanged based on its equivalence as each unit is distinguishable from another unit.[2] Units can still be traded, but without any equivalence.

So what’s a non-fungible token?

A non-fungible token, simply put, is a token that is generated in blockchain. The token is unique due to how hashing algorithms work, and can often be represented as an item, object or character.

Take, for example, cryptokitties.co, which represents itself as a crypto-collectable as opposed to bitcoin. Crypto-collectables are a type of non-fungible token. In the example of cryptokitties, each token generates a random kitty collectable. These collectables can be bred, traded, sold and bought on the marketplace. You can even link your kitties to other projects in the “kittyverse” such as KotoWars, a card battle game where you use your own cryptokitties; catatonic.club, an autonomous kitty breeding tool; or view your kitties’ details over at Kittyhelper.co.

How are they related to bitcoin?

Both bitcoin and non-fungible tokens are built off of the same technology, blockchain. Whereas bitcoin uses blockchain as a digital ledger for currency, non-fungible tokens use blockchain for validation of trades, creations, and sometimes even death.

Why would I want one?

Although they don’t necessarily have an interchangeable value, they still contain value. Each non-fungible token represents the value of whatever crypto currency is used as the underlying market driver.

How do I get one?

Start out by finding a crypto-collectible that you’ll enjoy collecting.

Other than cryptokitties.co, you might want to check out HyperDragons, MLB Crypto Baseball, Blockchain Cuties, Known Origin and MegaCryptoPolls, just to name a few. If you have an interest, there is likely a crypto-collectible that exists to cover you.

References

1 https://en.wikipedia.org/wiki/Fungibility
2 https://en.wikipedia.org/wiki/Non-fungible_token

International Women’s Day – March 8, 2021

I have had and have a lot of strong and amazing women in my life. I’m lucky to have them because they’ve made me who I am today. I hope that you are all celebrating the women in your life for everything that they do, not only for us as individuals, but also for what they do to guide, educate, and innovate in today’s society while continuing to be badass and beautiful!

Find out more by heading over to internalwomensday.com.

#IWD2021 #ChooseToChallenge

Setting Timezone In Ubuntu Command Line

Hourglass In Rocks

You may have just set up your new Ubuntu Server, or perhaps you have a Virtual Private Server on Digital Ocean that comes with the default UTC time zone. Regardless of your reasoning, you should always have the system time on your server(s) and user system(s) set with the appropriate time zone, and preferably synced for all devices that exist on the same network. Check out the Cybersecurity Breakout below for more info on that, or skip it to find out how to set the time zone in Ubuntu.

Please note, these instructions should apply to most, if not all, Debian-based operating systems.

Cybersecurity Breakout

Cyber attackers have found every way feasible to successfully infiltrate their targets. This has included date/time-based attacks, which attackers can use to create behaviour in software, often undesirable, such as a race condition. Your Windows and MacOS computers have settings that you can configure to set your time zone either manually or automatically. Depending on your network, you may even have a device (like a router) that has a built-in time server, known as a Network Time Protocol (NTP) server.

The timedatectl Command

The timedatectl software controls your system’s date and time. It has a variety of commands, but we’ll only be touching the few that are relevant to our query. Check out the man pages for more. Without further ado, let’s get started.

How-To Set Time Zone in Ubuntu via Command Line

The following instructions assume that you already have command line access to your Ubuntu device.

Total Time Needed: 15 Minutes

Steps to Setting The Time Zone In Ubuntu Via Command Line

timedatectl software

Step 1 – Check Current Time Zone

You probably already know that the time zone is incorrect, but you need proof. Using the status command, you can find out how your current time is configured. (Running the timedatectl software without any commands will produce the same output.)

bastion@server:~# timedatectl status

set-timezone command

Step 2 – Set A New Time Zone

The timedatectl software has a command called set-timezone that can be used to modify the time zone of your Ubuntu server without having to modify any files. You’ll need the appropriate time zone format for the time zone that your device exists in. Make sure that if your device is in Toronto, then it gets the America/Toronto time zone even if you live in Phoenix, Arizona. You’re setting the time zone for the device, not yourself. You can find a list of time zones on the Ubuntu man pages.

bastion@server:~# timedatectl set-timezone America/Toronto

The set-timezone command will update the time zone as found in /etc/timezone. After running the set-timezone command you can review that file to ensure the proper changes were made.

bastion@server:~# cat /etc/timezone
America/Toronto

show-timesync command

Step 3 – Turn On Time Sync

Setting your time zone is now done, but you may also wish to have your time synced with an external service like we mentioned previously. Not a problem; timedatectl can help us with that too. The show-timesync and set-ntp commands will help us here.

bastion@server:~# timedatectl show-timesync

show-timesync provides you with details in regards to your current time sync configuration. You’ll want to confirm that you have servers listed under SystemNTPServers.

bastion@server:~# timedatectl set-ntp true

The set-ntp command turns on time syncing with your NTP server.

Congratulations, you’re done! You don’t need to reboot for these changes to take effect, however, I always recommend you do so when making system changes.
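To confirm the three steps took effect on one or many servers, the following added example (not part of the original how-to) parses the KEY=VALUE output of `timedatectl show`, the machine-readable counterpart of the status command, and reports anything that still differs from the intended setup. The function names and the two sample outputs are constructed for this example.

```python
import subprocess


def parse_show(output):
    """Parse the KEY=VALUE lines printed by `timedatectl show` into a dict."""
    props = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_time_config(output, expected_zone):
    """Return a list of findings; an empty list means zone and sync are as intended."""
    props = parse_show(output)
    findings = []
    zone = props.get("Timezone")
    if zone != expected_zone:
        findings.append("time zone is %s, expected %s" % (zone, expected_zone))
    if props.get("NTP") != "yes":
        findings.append("time sync is off (fix: timedatectl set-ntp true)")
    elif props.get("NTPSynchronized") != "yes":
        findings.append("time sync is on but the clock has not synchronized yet")
    return findings


def check_live(expected_zone):
    """Run the check against this machine (needs systemd's timedatectl)."""
    result = subprocess.run(
        ["timedatectl", "show"], capture_output=True, text=True, check=True
    )
    return check_time_config(result.stdout, expected_zone)


# Constructed sample: a fresh VPS still on UTC with time sync turned off.
SAMPLE_FRESH = """Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=no
NTPSynchronized=no
"""

# Constructed sample: the same host after Steps 2 and 3 above.
SAMPLE_DONE = """Timezone=America/Toronto
LocalRTC=no
CanNTP=yes
NTP=yes
NTPSynchronized=yes
"""

if __name__ == "__main__":
    for label, sample in (("fresh", SAMPLE_FRESH), ("done", SAMPLE_DONE)):
        print(label, check_time_config(sample, "America/Toronto"))
```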

What is Net Zero Emissions?

Thawing icebergs in the ocean.

My local paper, today, has a story about the U.S. and Canada working towards net-zero emissions by 2050, and it got me thinking, as everything does. What does achieving net-zero emissions mean? How is it done? And what does it achieve? Let’s chat.

As you can see it’s not as simple as it sounds, but it’s easier to do than it looks. Whether you’re a consumer, business or other organisation, we can all do something to help offset carbon and other greenhouse gas emissions.

If you’re interested in purchasing offsets as an individual, business, or other; check out Purchasing Carbon Offsets Guide for Canadians. Produced by the David Suzuki Foundation and The Pembina Institute, you’ll find a table on page 10 that provides a list of vendors along with assessed offset results.

References

https://en.wikipedia.org/wiki/Carbon_neutrality
https://www.offsetguide.org/understanding-carbon-offsets/
http://www.offsetguide.org/understanding-carbon-offsets/what-is-a-carbon-offset/
https://www.cbc.ca/news/technology/faq-carbon-offsets-1.5008339

WordPress Stuck in Maintenance Mode

This one caught me a little off guard. I was working on updating a client WordPress site this morning; it had 2 themes that we hadn’t removed that needed an update. Instead of deleting them, I chose to update them. Without thinking I clicked away to another part of the WordPress administrator area and ended up getting stuck with the following on every load and reload of the page. I even restarted NGINX in a desire to find a quick fix.

I’ve now learned that WordPress has a built-in maintenance mode that it kicks itself into during updating of plugins and themes. We would rarely ever see a reference to it as updates typically go very quickly, and without a problem. Except when they don’t. Luckily, the WordPress developers built a very simple mechanism for driving this maintenance mode that anyone with access to the WordPress website files can access.

How To Fix WordPress Stuck in Built-In Maintenance Mode

In order to fix this error you must have access to the underlying WordPress website files. You may have access to these files via File Transfer Protocol (FTP) or through your web host’s control panel.
The solution to this problem is to delete the .maintenance file from the root folder of your WordPress install, in other words, the top-most directory on your web host with WordPress files.

Total Time Needed: 5 Minutes

Steps to Remove the .maintenance File From WordPress

Step 1 – Navigate to your WordPress Directory

Login to your Web Hosting Control Panel, FTP Client, or SSH Client and navigate to the top-most WordPress directory that is hosting your website. On my web host, my files are located at /<server_directories>/roguesecurity.ca/public_html/.

Step 2 – Delete .maintenance file

Look for a file called .maintenance (the period before the word is required). Once found, simply delete this file from the directory.
Once you delete this file, return to your web browser, clear your browser cache, and reload your website.

Congratulations. That’s it! If your website is still displaying a maintenance mode message after deleting this file, double check that you’ve cleared your browser’s cache. You can also try a different browser. If it works in a different browser then we know the fix worked, and the browser that isn’t working will correct itself over time.

How Is The Texas Power Grid Failing?

2021-02-24 // Edit: Turns out that an unregulated power grid has more issues than I originally thought. Check out the update at the bottom to find out why some Texas residents are now dealing with extreme power bills like the one this person received for $16,752.

The United States has three power grids: the west coast power grid, the east coast power grid, and Texas. Texas is a large state and, at some point in its history, it decided that it should be on its own power grid that is separate from the rest of the U.S., and not all counties in Texas are being powered by that standalone grid.

Combining natural gas, nuclear and wind, it’s quite impressive. They’ve touted it for years. You may have heard a lot in the news about the cold temperatures freezing the wind turbines and preventing them from turning. They’re getting a lot of the blame. According to the Electric Reliability Council of Texas (ERCOT) themselves, wind and nuclear only account for 20% of electricity generation.

Turns out, the major issue in Texas right now is actually liquid in natural gas pipes freezing and preventing the flow of gas, which is likely the cause of brown-outs. This is a phenomenon called freeze-off. Natural gas is a non-renewable source of energy and is a significant and potent producer of greenhouse gas when released into the atmosphere.

Here comes an opinion: Texas is the leading producer of natural gas in the nation, and you know that an event like this, as well as a failure of this magnitude, will have lasting effects on an already strained industry.

Wind turbines aren’t just used in warmer climates. I wonder if anyone has considered calling someone up here in Canada and asking how we might handle our wind turbine farms? I’d be curious for someone to calculate the amount of Solar/Wind energy needed to power Texas, and then determine how much that would cost to operate. Then, compare that to operational costs of a complete Natural Gas solution. That’s a project for another day…

De-Regulated Power

Apparently the Texas power grid is more interesting than I realized. Somewhat like your mortgage, the residents of Texas are able to choose to pay wholesale prices (variable rate) for electricity, which is generally less expensive than standard pricing, but doesn’t necessarily have the same consumer protections. This leads to lower costs when the price of electricity is down, but, as we now see, when the cost of producing electricity increases, so will these wholesale prices.

This isn’t much of an issue if you can afford it, but many can’t, and this includes a larger proportion of black, brown, Hispanic and other minorities. Inadvertently, this de-regulated energy producer is marginalizing its customers by not providing them with appropriate protections from situations that are out of their control.

Mapping a Network Drive in Windows Command Line

Mapped Storage

My friend Randy was always on me about using the command line more, and I’m glad that I listened to him. A command line interface (CLI) is often so much more powerful than its graphical user interface (GUI) cousin, with fewer errors. I’ve leaned more towards using the command line for technical work as opposed to the GUI, and that includes administration within Windows. Sometimes I’ll use the built-in CMD, and other times I’ll use PowerShell.

Mapping a network drive in Windows through the command line interface is not hard for anyone willing to take it one step at a time. Without further ado, let’s dig into it.

How to Map a Network Drive in Windows From the Command Line

You may wish to map a network drive in Windows via the command line if you are having issues mapping it via the GUI, or if you prefer to take control of your setup and learn a few things while you are at it. Perhaps you’re adding a new network storage device and testing out different configurations. You’ll very likely want the single-pane view of the command line interface.

Total Time Needed: 10 Minutes

Steps to Map a Network Drive in Windows From the Command Line

Step 1

In Windows search, located in the Windows Taskbar, type ‘cmd’ (without the quotes). The Command Prompt app should pop-up in the start menu. You will want to then click, Run as administrator, in order to launch the command prompt window with the appropriate privileges.

Step 2

At the command prompt, which will display a flashing white cursor when the command prompt window is selected, type in the following command to view current mapped drives.

C:\Users\User> net use

Make a note of any drive letters that are already in use. This information will be located in the Local column. You can’t map a new drive to a drive letter that is already in use. If you’d like to delete a mapping to re-use the drive letter, you can use the following command:

C:\Users\User> net use <driveLetter>: /delete

For example, the following command would delete the mapping to drive letter S.

C:\Users\Justin> net use s: /delete

Step 3(a) – Drive Mapping (no credentials)

Now we can map our network drive. You only need to select one way of mapping your drives from the 4 that I’ve outlined here, (a) through (d) below.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share>

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L.

C:\Users\Justin> net use L: \\Storage\Media\Movies

Step 3(b) – Drive Mapping With Credentials

If you configured your shared drives to require a username and password, we can modify our command by adding the /user: switch.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /user:<username> <password>

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L, using justin as the username, and supersecurepassword1 as the password.

C:\Users\Justin> net use L: \\Storage\Media\Movies /user:justin supersecurepassword1

Step 3(c) – Drive Mapping With Persistence

You probably don’t want to have to keep mapping or logging in to your new drive every time that you boot up your computer. That’s where the /persistent flag comes in.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /persistent:{yes|no}

Here is how the Microsoft Documentation describes the /persistent flag: “(It) Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections.”

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L, and maintain persistency across each reboot.

C:\Users\Justin> net use L: \\Storage\Media\Movies /persistent:yes

Step 3(d) – Complete drive mapping

In a perfect world you will want to have properly credentialed shares and any user that connects will do so with their own username and password, with persistency. Here is how we bring it all together.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /user:<username> <password> /persistent:{yes|no}

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L. The connection will use justin as the username, and supersecurepassword1 as the password. Finally, the connection will be persistent so that user, justin, won’t have to login to the drive every time they log in and out of their Windows account.

C:\Users\Justin> net use L: \\Storage\Media\Movies /user:justin supersecurepassword1 /persistent:yes

That’s it! Once you’ve completed the steps you should be presented with a success message, and have your new drive mapped in Windows.

I hope you found this how-to helpful. If you did I’d love to hear about it. Leave a comment below!