Cybersecurity

Signal – Getting Started with Secure SMS


You’ve probably heard of Signal lately; on the news, on Facebook, or somewhere else on the Internet. My sister “tried” to use it, but only ended up missing a bunch of text messages from me. So this post is for my sister and anyone else interested in securing their text messages.

Why Would I Want Secure Text Messages? Are People Really Reading My Texts?

These are two of the most common questions that I get about this. A lot of you Apple users just love your iMessage. Guess what?!? Signal is, for all intents and purposes, the same thing as iMessage except for the following very big differences:

  1. It’s available on both iOS and Android, as well as your desktop (Windows, Linux and macOS).
  2. The messages, photos, videos, and even the calls sent between users are only viewable by those users.
  3. It’s Open Source. This means that the software code that was used to create it is freely viewable on the Internet, and anyone can contribute to the development of the program.

Getting Started with Signal

  1. Getting started with Signal is easy. The application is available on both the Play Store on Android and the App Store on iOS. Once you’ve set it up on your mobile device you can install it on your desktop computer to send messages to other Signal users.
  2. When you first open Signal you’ll need to go through a basic registration where it will validate your phone number.

That’s it! You’re done.

You’ll want to send future texts using the Signal app so don’t forget to update the shortcuts on your phone screen. You may also need to make Signal your default SMS app, which it will prompt you to do when you launch the app.

What If My Friends Don’t Have Signal?

The Signal app allows you to send messages to everyone, even if they don’t have the Signal app. The only issue is that the messages between you and those people will not be secure, and functionality like video calling won’t work.

Easily Generate Security Keys With WordPress Salt Generator


I was migrating some WordPress websites this weekend onto our new Website Hosting platform at Rogue Security. Normally I wouldn’t do a lot of it manually, but I was having an issue with one of the websites and realized it would be easier to install a fresh copy of WordPress. Well, while configuring the wp-config.php I was at the Authentication Keys block, and hidden in the comments of that block is a link to the WordPress Salt Generator.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org sec$
 * You can change these at any point in time to invalidate all existing cookies. This will force all users $
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '<random-characters>' );
define( 'SECURE_AUTH_KEY',  '<random-characters>' );
define( 'LOGGED_IN_KEY',    '<random-characters>' );
define( 'NONCE_KEY',        '<random-characters>' );
define( 'AUTH_SALT',        '<random-characters>' );
define( 'SECURE_AUTH_SALT', '<random-characters>' );
define( 'LOGGED_IN_SALT',   '<random-characters>' );
define( 'NONCE_SALT',       '<random-characters>' );

What is a Salt?

Great question! A salt is random data (characters) that is used as additional input for one-way hashing algorithms. Yeah, that was a lot, so here is an example. When you create a new account on Facebook you must enter a username and password. After you submit that information, Facebook stores the username in the database exactly as it’s written, in human-readable plain text. However, Facebook takes the password that you entered, adds a salt to it, hashes it using an algorithm such as MD5 or SHA256, and then stores the result in the database. It doesn’t matter how or where the salt is placed in the password.

A hashing algorithm will produce the same output given the same input. In other words, every time I use the SHA256 algorithm with my name as the input, it’s going to produce the exact same output. My Python script below shows that.

46df21c3bf897655ba14e556391adf6a78fc3c5cc681d883be97de47456488ed

No matter how many times I run this script with my name as the test_string it will never generate a different string, unless I change the hashing algorithm, of course.

The salt doesn’t change your password; it changes how your password is stored. Remember how my name will generate the same hash every time I check it? Well, so will your password. If a malicious actor knows the hash of your password, it can still be just as useful as the actual password, more so if it hasn’t been salted prior to hashing.
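To make the point about salts concrete, here is an added example (not the script from the original post). It stores three constructed accounts first with bare SHA256 and then with a random per-user salt; the account names and passwords, the 16-byte salt, and the use of PBKDF2-HMAC-SHA256 with 100,000 iterations for the salted version are choices made for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 100_000  # work factor assumed for this example

def unsalted_hash(password):
    """Bare SHA-256: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, stored_digest):
    """Re-hash the attempt with the stored salt, compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)

def users_sharing_a_hash(table):
    """Groups of users whose stored value is identical in the table."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: alice and carol picked the same password.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor", "carol": "correct horse"}

def build_tables(accounts=ACCOUNTS):
    """Store every account twice: once unsalted, once salted."""
    unsalted = {u: unsalted_hash(p) for u, p in accounts.items()}
    salted = {u: salted_hash(p) for u, p in accounts.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", users_sharing_a_hash(unsalted))
    print("salted duplicates:  ", users_sharing_a_hash(salted))
    salt, digest = salted["alice"]
    print("alice login ok:", verify("correct horse", salt, digest))
```

In the unsalted table anyone who reads the database can see that alice and carol share a password; in the salted table the two rows have nothing in common, yet each login still verifies against its own stored salt.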

WordPress Salt Generator

The WordPress Salt Generator is a simple page for generating a complete set of secret keys for your WordPress installation. If you’re using it for WordPress security purposes then you simply load up the page linked to above, and copy the generated keys into your wp-config.php file. These keys are also automatically generated during a standard installation so you only really need to do this if you are doing a manual install. If you don’t fill them out, they will be automatically generated for you during the first run.

Other Uses

So, how else might they be useful?

The page generates 8, 64-bit strings that are pseudo-random. You could easily connect to this page with a little Python, parse the data and have a quick subset of secret keys that can be used for just about anything. Need some quick licenses created? Pull up the page, copy a key. You have yourself randomly generated license keys (just make sure you check for duplicates).

Do you like complex passwords? I do. Some of my passwords are actually 64 random characters so this is perfect for that.
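The "little Python" idea above, as an added example that is not from the original post: it parses `define()` lines in the format shown in the wp-config.php block, flags keys that are missing, still a placeholder, too short, or reused, and generates a replacement block locally with Python's `secrets` module instead of fetching one. The sample config is constructed, and the character alphabet and 64-character minimum are assumptions of this example.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Placeholder from this page, plus the default text in wp-config-sample.php.
PLACEHOLDERS = {"<random-characters>", "put your unique phrase here"}
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*;")
# Assumed alphabet: no quote or backslash, so values need no PHP escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

def parse_keys(config_text):
    """Map constant name -> value for every define('NAME', 'value'); line."""
    return dict(DEFINE_RE.findall(config_text))

def audit_keys(config_text, min_length=64):
    """Return a list of problems with the eight keys; empty means healthy."""
    keys = parse_keys(config_text)
    problems = []
    for name in KEY_NAMES:
        value = keys.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif value in PLACEHOLDERS:
            problems.append(f"{name}: placeholder value")
        elif len(value) < min_length:
            problems.append(f"{name}: only {len(value)} characters")
    real = [keys[n] for n in KEY_NAMES if n in keys and keys[n] not in PLACEHOLDERS]
    if len(real) != len(set(real)):
        problems.append("same value reused for more than one key")
    return problems

def generate_block(length=64):
    """Build a fresh block of eight define() lines from the OS CSPRNG."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define( '{name}', '{value}' );")
    return "\n".join(lines)

# Constructed sample: a half-finished manual install.
SAMPLE_CONFIG = "\n".join([
    "define( 'AUTH_KEY',         '<random-characters>' );",
    "define( 'SECURE_AUTH_KEY',  'changeme' );",
    "define( 'LOGGED_IN_KEY',    'put your unique phrase here' );",
])

if __name__ == "__main__":
    for problem in audit_keys(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
    print(generate_block())
```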

Setting Timezone In Ubuntu Command Line


You may have just set up your new Ubuntu Server, or perhaps you have a Virtual Private Server on Digital Ocean that comes with the default UTC time zone. Regardless of your reasoning, you should always have your server and user systems set to the appropriate time zone, and preferably synced for devices that exist on the same network. Check out the Cybersecurity Breakout below for more info on that, or skip it to find out how to set the time zone in Ubuntu.

Please note, these instructions should apply to most, if not all, Debian-based operating systems.

Cybersecurity Breakout

Cyber attackers have found every way feasible to infiltrate their targets. This has included date/time-based attacks that create behaviour, often undesirable, in software, such as a race condition. Your Windows or macOS computer has settings that you can configure to set your time zone either manually or automatically. Depending on your network, you may even have a device (like a router) with a built-in time server, known as a Network Time Protocol (NTP) server.

The timedatectl Command

The timedatectl software controls your system’s date and time. It has a variety of commands, but we’ll only be touching the few that are relevant to our query. Check out the man pages for more. Without further ado, let’s get started.

How-To Set Time Zone in Ubuntu via Command Line

The following instructions assume that you already have command line access to your Ubuntu device.

Total Time Needed: 15 Minutes

Steps to Setting The Time Zone In Ubuntu Via Command Line


Step 1 – Check Current Time Zone

You probably already know that the time zone is incorrect, but you need proof. Using the status command, you can find out how your current time is configured. (Running the timedatectl software without any commands will produce the same output.)

bastion@server:~# timedatectl status


Step 2 – Set A New Time Zone

The timedatectl software has a command called set-timezone that can be used to modify the time zone of your Ubuntu server without having to modify any files. You’ll need the appropriate time zone name for the time zone that your device exists in. If your device is in Toronto, make sure it gets the America/Toronto time zone, even if you live in Phoenix, Arizona. You’re setting the time zone for the device, not yourself. You can find a list of time zones on the Ubuntu man pages.

bastion@server:~# timedatectl set-timezone America/Toronto

The set-timezone command will update the time zone as found in /etc/timezone. After running the set-timezone command you can review that file to ensure the proper changes were made.

bastion@server:~# cat /etc/timezone
America/Toronto


Step 3 – Turn On Time Sync

Setting your time zone is now done, but you may also wish to have your time synced with an external service like we mentioned previously. Not a problem, timedatectl can help us with that too. The show-timesync and set-ntp commands will help us here.

bastion@server:~# timedatectl show-timesync

show-timesync provides you with details about your current time sync configuration. You’ll want to confirm that you have servers listed under SystemNTPServers.

bastion@server:~# timedatectl set-ntp true

The set-ntp command turns on time syncing with your NTP server.

Congratulations, you’re done! You don’t need to reboot for these changes to take effect, however, I always recommend you do so when making system changes.
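To confirm the three steps actually took effect, the added example below (not part of the original how-to) checks the machine-readable KEY=value output of `timedatectl show`, a subcommand not used above, for the expected time zone and for time sync being both enabled and synchronized. The sample output is constructed, and America/Toronto is used only because it is the zone from Step 2.

```python
import shutil
import subprocess

def parse_show(output):
    """Parse the KEY=value lines printed by `timedatectl show`."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_time_config(output, expected_tz):
    """Return a list of findings; an empty list means the host is configured."""
    fields = parse_show(output)
    findings = []
    if fields.get("Timezone") != expected_tz:
        findings.append(
            f"time zone is {fields.get('Timezone')!r}, expected {expected_tz!r}")
    if fields.get("NTP") != "yes":
        findings.append("time sync is off (timedatectl set-ntp true)")
    elif fields.get("NTPSynchronized") != "yes":
        findings.append("time sync is on but the clock is not synchronized yet")
    return findings

# Constructed sample: a fresh server still on UTC with time sync disabled.
SAMPLE = """Timezone=Etc/UTC
LocalRTC=no
CanNTP=yes
NTP=no
NTPSynchronized=no
TimeUSec=Mon 2024-01-01 12:00:00 UTC
RTCTimeUSec=Mon 2024-01-01 12:00:00 UTC
"""

def read_live():
    """Output of `timedatectl show` on this host, or None if unavailable."""
    if shutil.which("timedatectl") is None:
        return None
    result = subprocess.run(["timedatectl", "show"],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None

if __name__ == "__main__":
    output = read_live() or SAMPLE
    for finding in check_time_config(output, "America/Toronto"):
        print("FINDING:", finding)
```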