Just Your Average Site Defacement



Given the following sub-headline in The Independent’s reporting of the NHS site defacements yesterday morning, and its description of them as an ‘unprecedented attack’, the public would probably be wondering how bad the threat is to their medical information:

‘One analyst, says the hacks ‘appear to be deliberately targeted at a British public institution and in particular at an institution dealing with something which affects every member of the public, their health’

Calling themselves the ‘Tunisian Fallaga Team’, these people did a few other sites back in 2015, some of them for leisure centres in Ireland and suchlike that are often considered easy targets. The sites would have displayed something like this:



There’s actually nothing unprecedented about this, and how exactly did The Independent make the connection between the Tunisian Fallaga Team and ISIS, when it was essentially an anti-war message? So, the article opens with classic scaremongering.
Since The Independent doesn’t reveal which sites were defaced (were they even on the .nhs domain?), they could well have been sites only incidentally related to the NHS, such is the level of privatisation in England. That nobody drew attention to the incidents for about three weeks, until yesterday, is telling.

But what about the impact? Well, there isn’t much, apart from some embarrassment. Almost all the NHS public-facing sites are completely segregated from the systems that store and process patient records, and there are multiple layers of protection for the latter. In short, the data is only accessible from within the network, and using clinical applications that are authenticated. The threats I’m far more worried about are a) insiders, and b) private firms who are given access to the data.

OpenPGP for Windows Phone



A couple of interesting PGP applications are available for Windows Phone, which would be useful if you trust the Windows 10 operating system enough not to upload your cryptographic keys to Microsoft’s servers. I trust it enough for my secondary, less sensitive, email accounts.
OpenPGP for Windows is used for managing the user’s PGP keys and encrypting/decrypting messages. The companion application, OpenPGP Contacts, is used for fetching and storing the public keys for contacts.

Generating a PGP Key
If you already have a public/private key pair, it can be imported into OpenPGP for Windows. If not, it can be created in this application.


And key parameters:


However, I strongly recommend generating the keys on a physical Linux machine.

Previously I have submitted two public keys to keyserver.ubuntu.com, and have added that server in the OpenPGP Contacts settings, which enabled me to store both keys here.

Encrypt Message
The application has a basic text editor in which to type messages. Whatever is typed here is converted to ciphertext, which is then copied to whichever messaging application is being used.


Pressing the ‘+’ button in the ‘To‘ field will display the public keys stored by OpenPGP Contacts, and the text entered here will be encrypted using that key. The encrypted message can be shared with other messaging applications on the device, to send it as an email or text message.


Decrypt Message
To decrypt, simply copy and paste from the messaging application into the OpenPGP application, and select the private key for the decryption.



PGP Message Encryption for Web Mail (Part II)



Halfway through doing my last blog post on PGP, this Web mail pop-up caught my interest:


Mailvelope is a browser extension which ‘brings OpenPGP encryption to webmail services such as Gmail, Yahoo and others’. Does it provide any advantage over the other method of encrypting text files? Well, kind of. Mailvelope stores PGP keys locally and converts a plaintext message into ciphertext without the user having to leave the browser – that alone is a major improvement on usability. I had a few problems with the setup, as the recovery key for GMX’s encryption didn’t export properly to PDF (basically I’ve lost it).

Mailvelope’s FAQ page states that keys are only stored locally, and explains that security depends on the endpoints being resistant to attack. It is transparent about the extension scanning all Web pages to determine whether it’s a Webmail service being displayed.
What’s less obvious is that the correct procedure must be followed when composing emails in order for Mailvelope to provide confidentiality. Web mail services (especially Google) typically save messages as you type, which means the plaintext is stored on their servers, and that makes pretty much the entire conversation accessible to third parties. This means you absolutely must compose emails in Mailvelope’s pop-up editor instead of the Web mail interface. We’ll come to this.

Creating or Importing Keys
Since I have already generated keys for my Web mail accounts, I’ll import them here. The way to import a key from a file in the Import Keys page is to open the private key file in a text editor, and copy its contents into the ‘Import key as text‘ box. The public key will be derived from this.



The key can be managed and the public key uploaded to Mailvelope’s server. Because the verification email needs to be decrypted using another program, and the plaintext link is malformed, I submitted my public keys to the Ubuntu key server instead.


Back to Web Mail
According to the setup dialogues, GMX doesn’t have access to the crypto key. When setting this up, do not lose the recovery key, as the encryption cannot be reset without contacting GMX’s technical support team.

Mailvelope also works with Outlook, displaying a small pad icon in the top-right of the content box. Click that icon before doing anything else.


The following window should then be displayed:


Compose the email in the following window and click the ‘Encrypt‘ button.



I was completely unaware misophonia was a widespread thing, and not just me being a prick, until I heard about this on the radio while driving home the other night. There are three specific sounds that ‘trigger’ me, that invoke a combination of intense annoyance, agitation, discomfort and anger. Imagine finding yourself strapped to a wheelchair at the front of an Ed Sheeran concert for 10 whole minutes, and multiply the discomfort level by 1,000, and you’d have a rough idea of what it’s like.

The current hypothesis is the brain is hard-wired for that immediate visceral reaction to a specific sound. Unfortunately this seems to happen between the limbic and nervous systems in the brain, and therefore likely cannot be dealt with through intellect or reasoning in the same way a typical annoyance could.

An MP3 file of white noise works wonders, I’ve found. There’s also /r/misophonia with some other tips.

PGP Message Encryption for Web Mail in Windows (Part I)



Since PGP/OpenPGP can encrypt the contents of files, generating ciphertext from plaintext, there is a workaround for anyone using Web mail that doesn’t support PGP or email clients with that feature. A full version of Gpg4win includes the core GPG components and the Kleopatra interface.

With this installed, the next step is to create a public/private key pair. To generate a key pair, launch Kleopatra, and select ‘File – New Certificate…‘.


The advanced settings allow for the selection of different key sizes. 2048 bits should be considered the minimum key length for a reasonable level of security. A 4096-bit key wouldn’t provide much extra benefit, unless you were generating the keys on a hardened Linux machine and storing them on a Smart Card or security module. The point is a private key should be stored the same way a text file containing passwords would.


To export the public key, right-click the certificate entry and select ‘Export Certificates…‘. To export the private key, ‘Export Secret Keys…‘. The public key is the one you’d publish or share, and the private key is the one you don’t share with anyone. For the purpose of this demo, I have exported both to a folder in MyDocuments.

Encrypting a Message
Type the message as normal, and save to a local directory as a standard text file.


Next, navigate to the directory, right-click the file and select ‘Sign and encrypt‘. Here you can select ‘Encrypt‘ (without signing), and check the ‘Text output (ASCII armor)‘ to generate ciphertext that can be copied into a Web mail interface. The ciphertext is saved as an .asc file.


Decrypting a Message
The reverse process is used for decrypting a message. Save the ciphertext to a local directory as a text file. This time, right-click the file and select ‘Decrypt and verify‘.


Kleopatra should automatically select the relevant private key, if it’s present, and prompt for the password.
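
As an added example (not from the original post or from Gpg4win), the Python below checks that text about to be pasted into a Web mail box really is a well-formed ASCII-armored PGP message, and reads the recipient key ID from its first packet, which is the field that lets software pick the matching private key. The function names and the sample packet are constructed for illustration, and only a v3 Public-Key Encrypted Session Key packet at the start of the message is decoded.

```python
import base64

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Armor binary packet data; used here only to build the constructed sample."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, check, END])

def inspect_armor(text: str) -> dict:
    """Return CRC status, first packet tag and recipient key ID of an armored message."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an ASCII-armored PGP message")
    body = lines[lines.index("") + 1:-1]        # armor headers end at the blank line
    check = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = None if check is None else (       # the checksum line is optional
        crc24(data) == int.from_bytes(base64.b64decode(check), "big"))
    if not data or not data[0] & 0x80:
        raise ValueError("body does not start with an OpenPGP packet header")
    first = data[0]
    if first & 0x40:                            # new-format header
        tag, n = first & 0x3F, data[1]
        start = 2 if n < 192 or 224 <= n < 255 else (3 if n < 224 else 6)
    else:                                       # old-format header
        tag, start = (first >> 2) & 0x0F, 1 + (1, 2, 4, 0)[first & 3]
    key_id = None
    if tag == 1 and data[start] == 3:           # v3 Public-Key Encrypted Session Key
        key_id = data[start + 1:start + 9].hex().upper()
    return {"crc_ok": crc_ok, "tag": tag, "key_id": key_id}

# Constructed sample: a v3 PKESK packet with a made-up key ID and dummy MPI, not real ciphertext.
SAMPLE_PACKET = bytes([0x84, 13, 3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1, 0, 8, 0xFF])
SAMPLE = armor(SAMPLE_PACKET)
```

A plaintext draft makes `inspect_armor` raise `ValueError`, and a key ID that differs from the intended recipient’s means the message was encrypted to the wrong key.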