How to generate GPG keys and encrypt files

GNU Privacy Guard, better known as GPG, is an implementation of public-key cryptography and a free-software replacement for Symantec’s PGP cryptographic software.
In this post I will show you how to generate a new GPG key pair and how to encrypt and/or sign files.

Generate new GPG key pair

First we have to generate a public and private key pair using gpg --gen-key. These instructions follow the way I created my own GPG keys; if you would like to know more about each step, I recommend looking at https://fedoraproject.org/wiki/Creating_GPG_Keys.

$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

Select 1 (default) and press Enter.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The default key length of 2048 bits is enough for me, so I press Enter.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

I use the default value 0 (key does not expire).

Key does not expire at all
Is this correct? (y/N)

If you also chose no expiry, press y and Enter.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Niko Kiuru
Email address: [email protected]
Comment:
You selected this USER-ID:
    "Niko Kiuru <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Give your real name and email address; the comment is optional, and I left it empty. When your identity information has been entered, press O.
The new key pair is now located in the ~/.gnupg/ directory.

List of keys

Now that we have created a key in the keyring, we can list all our keys in the terminal.

$ gpg --list-keys
/home/niko/.gnupg/pubring.gpg
-----------------------------
pub   2048R/AAAAXXXX 2015-10-04
uid                  Niko Kiuru <[email protected]>
sub   2048R/BBBBXXXX 2015-10-04

The pub line tells us my master key’s User ID, which in my case is AAAAXXXX.

Encrypt file

We have generated a new key pair and seen how it looks in the terminal. Now we will encrypt a file.
First write a text file which we will encrypt later.

$ echo "Hello GPG! I would like to encrypt this messages" > hello
$ cat hello
Hello GPG! I would like to encrypt this messages

Okay, now we have a file with a message written in it. Next I would like to encrypt and sign that file with my GPG private key. When I encrypt the file, I have to specify my master key’s User ID. The command gpg --list-keys shows all my keys, and I selected my key.

$ gpg -r AAAAXXXX -e hello

The encrypted file is named hello.gpg and is in binary format. There is only one way to open this file, and that is to decrypt it with your private key. Next we decrypt the file.

$ gpg hello.gpg

You need a passphrase to unlock the secret key for
user: "Niko Kiuru <[email protected]>"
2048-bit RSA key, ID BBBBXXXX, created 2015-10-04 (main key ID AAAAXXXX)

gpg: encrypted with 2048-bit RSA key, ID BBBBXXXX, created 2015-10-04
      "Niko Kiuru <[email protected]>"
Hello GPG! I would like to encrypt this messages

The output tells that I signed the file myself, and at the end of the output is the message I encrypted.

Simple passphrase protected file

If you would like to protect a file in a simple way, you can also use symmetric encryption, which is protected by a passphrase.
Write a file and encrypt it.

$ echo "Hello GPG! This file will be passphrase protected." > hello
$ gpg -c hello

Now you have to give a passphrase; the file hello.gpg is then the same file, but encrypted. By default gpg uses the CAST5 cipher algorithm for symmetric encryption. You can decrypt hello.gpg with the command gpg hello.gpg.

$ gpg hello.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
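
Both decryption outputs above are written for a human reader; a script should read the machine-readable lines that gpg emits with --status-fd instead. The following added example (not from the original post) summarises those lines and rejects data that lacks the integrity check the CAST5 warning refers to; the sample status lines, key IDs and user name are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): summarise a gpg decryption
# from its --status-fd lines instead of the human-readable messages.
# Real use: gpg --status-fd 1 --output hello --decrypt hello.gpg | gpg_status_summary

# Reads "[GNUPG:] ..." lines on stdin, prints a one-line summary, and returns
# 0 only if decryption succeeded AND the data carried an integrity check.
gpg_status_summary() {
    awk '
        $1 != "[GNUPG:]"            { next }
        $2 == "ENC_TO"              { enc = "public-key" }
        $2 == "NEED_PASSPHRASE_SYM" { if (enc == "") enc = "passphrase" }
        $2 == "DECRYPTION_OKAY"     { ok = 1 }
        $2 == "GOODMDC"             { mdc = 1 }
        $2 == "GOODSIG"             { sig = 1 }
        $2 == "DECRYPTION_FAILED" || $2 == "BADMDC" || $2 == "BADSIG" { failed = 1 }
        END {
            printf "encryption=%s decrypted=%s integrity=%s signed=%s\n",
                (enc == "" ? "none" : enc), (ok && !failed ? "yes" : "no"),
                (mdc ? "yes" : "no"), (sig ? "yes" : "no")
            exit (ok && mdc && !failed) ? 0 : 1
        }'
}

# Constructed status output for a signed, public-key encrypted message
# (made with e.g. gpg -r KEYID -s -e); key IDs and name are placeholders.
SAMPLE_SIGNED_PUBKEY='[GNUPG:] ENC_TO 0000000000000001 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] GOODSIG 0000000000000002 Example User <user@example.org>
[GNUPG:] END_DECRYPTION'

# Constructed status output for the CAST5 passphrase case shown above:
# decryption works, but no GOODMDC line appears.
SAMPLE_SYMMETRIC_NO_MDC='[GNUPG:] NEED_PASSPHRASE_SYM 3 3 2
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

printf '%s\n' "$SAMPLE_SIGNED_PUBKEY" | gpg_status_summary
printf '%s\n' "$SAMPLE_SYMMETRIC_NO_MDC" | gpg_status_summary ||
    echo "rejecting plaintext: no integrity protection"
```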

Source

https://fedoraproject.org/wiki/Creating_GPG_Keys
https://stackoverflow.com/questions/5587513/how-to-export-private-secret-asc-key-to-decrypt-gpg-files-in-windows

Nordea's Tunnusluvut app and a rooted phone

Last week Nordea released a new Tunnusluvut (codes) app, which completely removes the need to use the old paper code card. However, it left a bitter taste in the mouth of a large share of Android phone owners, because Nordea, citing a security threat, had blocked use of the app on rooted Android phones. What makes the security-threat claim amusing is that Android phone manufacturers are known not to update their old phone models diligently; they concentrate on their newest models and the updates for those. Because of this, many people have had to resort to third-party custom ROMs (not the official operating system), which have brought a more up-to-date Android version to the phone and thereby specifically improved its security. The best known of these is CyanogenMod. Installing a custom ROM requires rooting the phone; in other words, it gives the user the authority to write a new ROM over the old one.

The Tunnusluvut app reports a rooted phone as follows,
in Finnish: “Laitteesi käyttöjärjestelmä näyttää olevan murrettu. Sovelluksen käyttö ei ole sallittua murretulla käyttöjärjestelmällä tietoturvasyistä.”.

The same in the English-language user interface: “Your phone seems to be rooted/jailbroken. Application usage is not allowed with such a device for security reasons.”.

How do I get to use Nordea's Tunnusluvut app on a rooted Android phone?

An Android phone has no direct way to check whether the phone is rooted or not, which is good for those of us who want to get Nordea's Tunnusluvut app working on a rooted Android phone. Below are instructions for getting around the check that Nordea's Tunnusluvut app performs on a rooted Android phone.

Nordea's Tunnusluvut app tries to look for the su binary in the /system/bin and /system/xbin directories, which tells it whether the phone is rooted. A simple solution is therefore to rename the su file to something other than its default name. In my instructions it is renamed to subackup.

Tested:
– CyanogenMod 10.2.0-i9300

Quick instructions

Run the following commands in the phone's terminal or in adb shell, and enjoy Nordea's Tunnusluvut app

$ su
$ mount -o remount,rw /system /system
$ cd /system/bin
$ mv su subackup
$ cd /system/xbin
$ mv su subackup
$ mount -o remount,ro /system /system
$ exit

Instructions explained step by step

Install Terminal Emulator.

In Terminal Emulator, raise your privileges to superuser level

$ su

We need to rename a file under the /system directory. By default /system is mounted read-only, so first we have to add write permission to it as well.

$ mount -o remount,rw /system /system

Change to the /system/bin directory and rename the su file to subackup. Do the same under the /system/xbin directory.

$ cd /system/bin
$ mv su subackup
$ cd /system/xbin
$ mv su subackup

Change /system back to read-only and leave superuser privileges cleanly

$ mount -o remount,ro /system /system
$ exit

After this, Nordea's Tunnusluvut app no longer complains about a rooted phone.

Hide Apache server signature

By default Apache writes server signatures into its HTTP responses. On a production server this is not recommended, because it gives criminals more attack surface. In this post I will show you how to hide unnecessary Apache server signatures.

Tested on Ubuntu 14.04 and Ubuntu 12.04.

At the beginning

You can first look at what your server's HTTP response looks like now. Make an HTTP request, e.g. with curl:

$ curl -I http://yourdomain.com

This is your HTTP response header, and now you can see exactly what information Apache gives to the client. We want to limit the information about our server that is visible from outside.

Hide Apache signatures

First open the Apache configuration file apache2.conf

$ sudoedit /etc/apache2/apache2.conf

Add the two lines below to apache2.conf

ServerTokens Prod
ServerSignature Off

Save the file and reload the Apache daemon

$ sudo service apache2 reload

Hide PHP information as well

If you are using PHP, the HTTP header also contains some information about PHP. Here is how to hide it.

Open php.ini

$ sudoedit /etc/php5/apache2/php.ini

By default expose_php is set to On; now set it to Off

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off

After the changes you have to reload Apache

$ sudo service apache2 reload

Now you’re a little safer.
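
To confirm that both changes took effect, the curl check from the beginning can be repeated and the headers inspected automatically. This is an added example, not part of the original post; the function name and the two sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check a response for the
# version details that ServerTokens Prod and expose_php = Off should remove.
# Real use: curl -sI http://yourdomain.com | check_banner_headers

# Reads HTTP response headers on stdin. Prints every header that still
# discloses software details; returns 0 if none do, 1 otherwise.
check_banner_headers() {
    tr -d '\r' | awk -F': *' '
        { name = tolower($1) }
        # "Server: Apache" is what ServerTokens Prod leaves; a slash, digit
        # or parenthesis means a version, module or OS string is still there.
        name == "server" && $2 ~ "[/(0-9]" { print "leak: " $0; bad = 1 }
        # expose_php = Off removes this header completely.
        name == "x-powered-by"             { print "leak: " $0; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample responses (illustrative values, not captured output).
SAMPLE_BEFORE=$(printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Server: Apache/2.4.7 (Ubuntu)' 'X-Powered-By: PHP/5.5.9' \
    'Content-Type: text/html')
SAMPLE_AFTER=$(printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
    'Content-Type: text/html')

printf '%s\n' "$SAMPLE_BEFORE" | check_banner_headers || echo "before: headers leak"
printf '%s\n' "$SAMPLE_AFTER" | check_banner_headers && echo "after: clean"
```

ServerSignature Off affects the footer Apache adds to pages it generates itself, such as error pages, so it does not show up in this header check.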

Quickly upgrade WordPress from the command line

WordPress has its own guide to upgrading WordPress, but in this post I will show you how I upgrade all my WordPress sites.

I am using an Ubuntu 14.04 server and I update WordPress from the command line.

Backups

Before the upgrade we back up our database and WordPress directory.

$ mkdir -p ~/backup
$ mysqldump -u user -p <database name> | gzip -9 > ~/backup/$(date +"%Y%m%d")_wordpress.sql.gz
$ tar -zcvf ~/backup/$(date +"%Y%m%d")_wordpress-dir.tar.gz /home/niko/public_html/

Download WordPress

$ cd /tmp/
$ wget https://wordpress.org/latest.zip
$ unzip latest.zip

Overwrite with the new files

Remember to change the current directory to where WordPress is located on your server.

$ cd ~/public_html/
$ cp -avr /tmp/wordpress/* .
$ rm -rf /tmp/wordpress /tmp/latest.zip

Open http://your_domain.com/wp-admin/upgrade.php in a browser and run that script. It makes all the needed database conversions. If something fails, you still have your backups in the ~/backup/ directory.
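
Because the downloaded archive is copied straight over the live site, it is worth checking it against a published checksum before unzipping. This is an added example, not part of the original post; it assumes the checksum was fetched separately (for instance from https://wordpress.org/latest.zip.sha1), and the function name and demo file are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): refuse to unpack a downloaded
# archive unless it matches a published SHA-1 checksum.
# Assumption: the checksum text was downloaded separately from the archive.

# verify_sha1 FILE CHECKSUM_TEXT
# Returns 0 on match, 1 on mismatch, 2 if the checksum or file is unusable.
verify_sha1() {
    file=$1
    # Normalise: first field of the first line, lower-cased (this also
    # accepts the "HASH  filename" form that sha1sum itself writes).
    expected=$(printf '%s' "$2" | awk 'NR == 1 { print tolower($1) }')
    # Anything that is not exactly 40 hex digits is not a SHA-1, for
    # example an HTML error page saved in place of the checksum.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in "archive" whose content is the string abc,
# in a private temporary directory instead of a fixed name under /tmp.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'abc' > "$demo_dir/latest.zip"
GOOD_SUM='A9993E364706816ABA3E25717850C26C9CD0D89D  latest.zip'

if verify_sha1 "$demo_dir/latest.zip" "$GOOD_SUM"; then
    echo "checksum ok, safe to unzip"
else
    echo "checksum mismatch, do not unpack" >&2
fi
```

A checksum fetched from the same server catches a corrupted or truncated download, not a compromised download server.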

Source

http://www.cyberciti.biz/tips/howto-upgrade-wordpress-from-linux-unix-shell-prompt.html

How to install Ruby on Windows

In this post I’ll show how you can install the Ruby scripting language on Windows.
This post is written for the 64-bit architecture, but the 32-bit version installs in mostly the same way.

Download and install

1. Download Ruby 2.0.0 x64 (http://rubyinstaller.org/downloads/).
2. Double-click the Ruby setup icon and follow the setup wizard. Note! Remember to tick “Add Ruby executables to your PATH”.
3. When setup is complete, run the following command on the command line:

> ruby -v

If you got a response like ruby 2.0.0p481, congratulations, your Ruby works correctly! If not.. damn, then something went wrong..

Ruby DevKit

Ruby can use native C/C++ extensions, so we need to install the Ruby DevKit to get Ruby working the way we would like it to.

Download the Ruby Development Kit (http://rubyinstaller.org/downloads/) and extract it into the Ruby root path (C:\Ruby200-x64\DevKit\).

Run the following commands on the command line:

> cd C:\Ruby200-x64\DevKit\
> ruby dk.rb init
> echo - C:\Ruby200-x64 >> config.yml
> ruby dk.rb install

Now you should be able to run native C/C++ extensions with Ruby.

© 2016 Niko Kiuru
