Many Android applications communicate with severs using some form of REST API secured with TLS/SSL (so it’s “https” protocol). If it is your application or an open source application you know what’s going on from the source, but for third party application you still may be wondering (hopefully for legit reasons:-), what is this application sending to the server and what it gets back. With help of few free tools it’s fairly easy to monitor encrypted traffic on your local computer (linux, but it will work on other systems too). Continue reading Intercept https communication from an Android application
Category Archives: Security
Secret Sharing Is Caring Too
In todays digital world passwords and other types of secrets are omnipresent and they secure access to various assets dear to our hearts, some of those can have tremendous tangible or moral value. For such assets it’s worth to select really good and strong password, which basically means long and hard to remember. How to ensure ourselves in case of memory failure? We can write it down and lock in secure place, share with trusted person etc., but still there is one point of of failure – secure place can be robbed, that person can betray us. Can cryptography provide us with better options? Yes it can with help of method called Secret sharing – we can split secret into n parts – called shared secrets – and distribute them to different places/people. Later we (or someone else) need to collect k (k > 0 and k <= n) shared secret to recover original secret. k is called threshold and it is defined when generating shared secrets – so we for instance generate n=5 shared secrets, but only k=3 will be needed to recover original secret.
I believe you can easily imagine many other real life scenarios where secret sharing can be useful and for sure it’s used in many applications and systems today. Cryptography provides several algorithms for secure (by design) secret sharing. Most common is Shamir’s Secret Sharing based on linear algebra approach. There are many tools and libraries for Shamir’s scheme (and further advancements of original algorithm), you can for instance try ssss, which provides command line tool that you can easily install into your Linux and also there is an online demo. Another family of secret sharing schemes is based on Chinese Reminer Theorem, where especially Asmuth-Bloom scheme is interesting. I have not seen many implementation for Asmuth-Bloom secret sharing so I created one in Rust. Continue reading Secret Sharing Is Caring Too
Ethereum local playground
In past article I’ve talked generally about blockchain technologies, in this article we will look into Ethereum from user perspective. We will build local playground, where we can test many functions of Ethereum(Ethers transfers, using and writing smart contracts and more) without spending real Ethers (and thus real money). This guide in intended for users with Linux OS. Continue reading Ethereum local playground
Blockchain madness
Some technologies I really notice only when they hit me directly into the face. That’s the case of blockchain – I have been looking into Bitcoin several years back and found it quite interesting (especially from cryptographic perspective – as interesting usecase for applied cryptography), but never expected that it’ll reach such extensive grow in popularity as we have seen in past half year or so. This forced me to looked again into these technologies and get bit more detailed understanding about blockchain technologies, why it’s so popular now and particularly look at recent development and on next big player in this area Ethereum project.
In this article I’ll share some initial thoughts of mine about blockchain, what I think it is and why it matters. In later article(s) we’ll look into Ethereum from purely practical perspective. We will build a local playground for Ethereum, where we can try immediately some basic functions of the system. Continue reading Blockchain madness
Do We Trust Cloud Storage For Privacy?
With more generic offerings from cloud storage providers – up to 50GB free, cloud storage is tempting alternative to store some of our data. I have some data, which I really do not want to loose. I already have them stored on several devices, however additional copy in cloud could help. But how much I can trust cloud providers to keep my data private, even from their own employees. Not that I have something super secret, but somehow I do not like idea, that some bored sysadmin, will be browsing my family photos. Or provider use my photos for some machine learning algorithms.
Main providers like Dropbox, Google do use some encryption, however they control encryption keys, so they can theoretically access your data any time and in worst case provide them to third parties – like government agencies. From what I have been looking around only few providers like Mega or SpiderOak offer privacy by design – which means all encryption is done on client and they should not have any access to your keys (zero knowledge). However how much we can trust that their implementation is flawless or that there are not intentional back-doors left? There has been some concerns about Mega security couple years ago, but no major issues appeared since then.
So rather then trusting those guys fully, why not to take additional step and also encrypt our data, before sending them to cloud? Additional encryption will not cost us much CPU time on current hardware (from tests – 11% of one core of old AMD CPU) and will not slow down transfers, because they are rather limited by Internet connection bandwidth. And on Linux we have quite few quality encryption tools like gpg or openssl, which can be relatively easily integrated into our backup/restore chains. In the rest of this article I’ll describe my PoC shell script, that backs up/ restores whole directory to MEGA, while providing additional encryption / decryption on client side. Continue reading Do We Trust Cloud Storage For Privacy?
Decoding Audio Captchas in Python
For good or bad many sites are now using CAPTCHAs to determine if visitor is human or computer program. Captcha presents a task – usually reading some distorted letters and writing them back to a form. This is considered to be hard for computer to do, so user must be human. To improve accessibility visual captchas are accompanied by audio captchas, where letters are spelled (usually with some background noise to make letters recognition more difficult) . However audio captchas are know to be easier to break. Inspired by this article [1] I created a python implementation of audio captchas decoding using commonly available libraries and with just a general knowledge of speech recognition technologies. Software is called adecaptcha and I tested it on couple of sites, where I got 99.5% accuracy of decoded letters for one site and 90% accuracy for other site (which has much distorted audio). Continue reading Decoding Audio Captchas in Python
Hiding Secret Message in Unicode Text
An art of hiding secret message into another innocent looking message is called steganography and it is an old discipline, where techniques like invisible ink, micro dots have been used. With rise of digital technologies new possibilities for stenography appeared and attracted interest of computer scientists and fans. Common approach is to hide secret information into multimedia files – pictures, music, videos …. Main advantages here are omnipresence of media today, significant size of media file, so there is enough space for additional information and the nature of the media format, which often enables to hide information in very clever way( if you change last bit of color information for a pixel in an image it is unidentifiable by human eye). But we can also hide secret messages in regular text, especially if we are using Unicode text encoding (which is now very common).
Protecting Django Application Against Brute Force Password Guessing
When you bring your web application live, you can expected various types of attacks – one could be a brute force scanning of possible logins. As a standard mean of prevention against such types of attacks login should be temporarily disabled after some number of unsuccessful attempts. For Django nice package called django-lockout exists.
Main advantage of this package is that it keeps history of unsuccessful login attempts in memory (using Django cache system), so checks are very quick. django-lockout is fairly easy to implement, however I’ve found one issue, when it is used together with django admin site.
Continue reading Protecting Django Application Against Brute Force Password Guessing