Helm is not the Email Provider You Want

Helm is a new software-as-a-service provider, touted by tech publications such as Ars, the Verge, Mashable, and GeekWire, that sells you a box to install in your home which can be configured to self host email, calendar, a VPN endpoint, and file hosting, among other services. It costs USD $400 for the hardware plus a recurring yearly USD $100 subscription fee. Helm does not publicly provide the source code or binaries that run on the box. The only way to get insight into what runs on the box is to look at their open source attributions. The attributions include free email hosting software employed by both small entities (such as HighGuard) and large multinational organizations: Postfix, Dovecot, SpamAssassin, OpenVPN, OpenSSH, rsync, Duplicity, and even wpa_supplicant. It seems that they use very little home grown software, which is both a good thing and a bad thing.

The good:

The open source software they use is well maintained, well secured, and well known. When Dovecot was tested by Cure53 in 2017 it was graded “near impenetrable”. All of the other open source software I mentioned previously is also known for its well secured status. The package Helm offers automatically configures everything you need for a variety of services without the end user needing to know anything about configuring any of those services.

The bad:

It is dubious whether an owner could actually send email from this device, because virtually all internet service providers in the United States block outbound port 25, which is required to send email. They do this because, decades ago before the decision to block was made, malware would use home computers to send inordinate amounts of spam email. The block is generally considered a good move, even if it restricts a home user from running their own email from home.

All of the base software is free. The operating system is GNU + Linux, which is free. The service costs $400 plus $100 yearly for free software, yet with very little knowledge you could set up your own (better) server running all of the same software for as low as ten dollars per month. With a DigitalOcean virtual private server, barely any knowledge about Linux or email servers, and Modoboa, you can have a secure running email service that includes support for a web based email client (something Helm does not offer) and shared calendars. A simple script automatically configures a VPN endpoint on the server for you to use. By following the easy to understand ownCloud or Nextcloud installation instructions you can have a working self hosted Dropbox alternative for hosting and sharing files in your own personal cloud. You can even host your own websites from the server for free using software like WordPress or Joomla.

The takeaway:

Helm’s website includes a lot of marketing material that talks about the importance of reclaiming one’s own privacy and maintaining security. I agree wholeheartedly with these views but do not believe that purchasing a Helm home server is the way to go. The actual cost to value ratio of the features provided is much lower than purchasing your own virtual private server hosted in a data center and self hosting all of your content and services. Helm does not provide the same level of control that you would get from owning your own server, as they still control how you use the box and what exactly is installed on it.

SecGen is a Great Tool for training your PenTesters

SecGen is a tool designed by Z. Cliffe Schreuders that generates intentionally vulnerable virtual machines which act as black boxes for training purposes. It is very easy to set up, and you can have a running target in 10 minutes. SecGen comes with over 100 preconfigured scenarios and supports CTF events. You are also able to design customized scenarios specific to your training needs.

After installing its requirements, including Vagrant and Oracle VirtualBox, you can have a randomly selected vulnerable black box online just by running ruby secgen.rb run. If the virtual machine can’t be reached, it may require configuring a host-only adapter in VirtualBox. Specific scenarios can be selected with
ruby secgen.rb -s [xml file] run.

SecGen can be found at

Michael Shows Us a Great Example of why RFID Blocking Wallets are Important

Some credit cards contain Radio Frequency IDentification (RFID) chips that enable the “tap to pay” feature on credit terminals for faster payment. Unfortunately, they also open up a new avenue for identity theft.

This video demonstrates just how easy it is to skim the RFID chip found in most credit cards today. In the video, the “attacker” uses a common wireless card scanner but in the real world, there are people who will use much smaller pocket sized equipment to read your cards from your pocket just by “accidentally” bumping into you while in line or in crowded places. An attack I’ve been made aware of is to ask someone for gas money at the pump, and when they accept, joyfully hug them and use the opportunity of close contact to read RFID chips from cards in their pocket.

This attack is ingenious because with pickpocketing you can be caught much more easily, since you have to actively take something from the victim. Putting your hands into someone’s pocket is much more noticeable than bumping into them. With RFID scanning attacks, the attacker causes much less of a nuisance and is therefore much less noticeable.

The Death of Facebook Would Make Everyone Safer

With recent news regarding Facebook and Cambridge Analytica there has been an uptick in comments about the lack of safety Facebook provides to its users. Websites like Facebook and LinkedIn are valuable assets for attackers when crafting spear phishing attacks, because large amounts of personal data are available and can be used to imitate company employees as part of an attack on a company. If Facebook were to fall by the wayside like MySpace and Google Plus, attackers would have one less tool to use against their chosen victims.

There is an even more important effect that would be created if Facebook were to disappear. Many websites and services use Facebook as a way of authenticating and signing people into accounts. Without Facebook’s authentication service, many users would have to fall back to using email accounts to authenticate online. Each site would be its own account, which would lead to “account fatigue”: the annoyance of having to keep track of a different username and password for every website users log into. To mitigate this, tools like LastPass and KeePass would likely see a steep rise in popularity. Any decent password manager includes a feature to create randomized passwords, which guides users towards having different and complex passwords for every site and so reduces password reuse. A common attack is to gather usernames and passwords from stolen password databases and try the same username and password combinations on other sites, in the hope that users reuse them, allowing the attacker to log in to accounts they should not have access to. Password managers make it easy to mitigate this risk because it is easy to generate a different random password for every website used.

Use LetsEncrypt to Enable HTTPS on your Web Server for Free

LetsEncrypt offers free SSL certificates for websites, allowing you to protect users who access your site.

This guide will go step by step moving an unencrypted HTTP website to using HTTPS on Nginx. For the purpose of this guide, I’ll be using the website There is no content there.

Let’s start with the site in nginx.

server {
    listen 80;
    listen [::]:80;
    root /var/www/guide;
    index index.html;
    access_log off;
    error_log off;
    # Don't log the browser's automatic favicon requests.
    location /favicon.ico {
        log_not_found off;
        access_log off;
    }
    # Never serve Apache-style .htaccess/.htpasswd files.
    location ~ /\.ht {
        deny all;
    }
}

Right now the URL will show whatever is located at /var/www/guide/index.html on the server. To enable HTTPS we will need to get a certificate from LetsEncrypt using Certbot, then set up the site to use it and also redirect HTTP requests to HTTPS in an intelligent manner. Let’s start with getting the certificate.

Install Certbot with apt install python-certbot python-certbot-nginx. If you are using a distribution other than Debian, the package may have a different name or might not be available; the binary can be downloaded from the EFF.

Use Certbot to automatically create a challenge, request the certificate, download it, and install it.

certbot --nginx certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Generating key (1024 bits): /var/lib/letsencrypt/snakeoil/0000_key.pem
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem

The certificate is generated and dropped into /etc/letsencrypt/live/. Now we can change the config file for the site to take advantage of the certificate. The easiest way to do that is to change the top of the server block so that it uses SSL, then add a new server block that listens without SSL and redirects unencrypted connections to HTTPS.

The new server block:

server {
    listen 80;
    listen [::]:80;
    # Permanent redirect of every plain HTTP request to the same path over HTTPS.
    return 301 https://$host$request_uri;
    access_log off;
}

Then put the old server block right below that, with minor changes: change the listen ports from 80 to 443 ssl and add the paths to the certificate and its private key.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # Certificate chain and private key written by Certbot.
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    root /var/www/guide;
    index index.html;
    access_log off;
    error_log off;
    location /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location ~ /\.ht {
        deny all;
    }
}

Google and Mozilla are pushing for HTTPS to be everywhere

If your default browser is Firefox or Chrome, you may have noticed recently that both browsers are starting to take a harder stance on insecure login pages.

Whenever you input text into a field, or are on a login page not secured with HTTPS, both Firefox and Chrome have their own ways of notifying users that the data they are sending, such as passwords or credit card numbers, could be intercepted by someone malicious.

Chrome shows “Not secure” next to the URL bar, and Firefox puts a banner under the password field.

Users on Twitter are seeing these notifications and taking it up with the companies that run the sites.

Annoying Web Scanners with Zip Bombs

This one can be filed squarely under “so dumb it works”. This practice won’t really do much to increase the practical security of a website, but it does create roadblocks for the people running the tools that look for holes in your security.

Zip bombs are really large files that are basically empty, so that when you zip the file up it becomes far smaller. For example, is a 4.3 GB file that when fully decompressed is 4.5 PB (petabytes) of data. That’s 4,718,592 GB of data. When vulnerability scanners come in contact with these files they download them and try to unzip them to see what’s inside, but because of the huge decompressed size they crash or hang and give up with an error.

Vulnerability scanners are kind of annoying because they clog up your logs and don’t contribute to your site being any more popular. If your site ever does become vulnerable you could get hacked, because everyone and their brother is trying to get in. By looking in access logs, we can see patterns in what resources bots are requesting and what their user agents are. With a simple bit of scripting, we can deliver a zip bomb to the scanner instead of a legitimate resource, wasting their time and hopefully crashing their software.
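The log-reading step above, as an added example that is not from the original post or from Christian Haschek’s blog: a Python script that parses constructed nginx “combined” access log lines and flags clients that either announce a known scanner in their User-Agent or repeatedly probe paths a static site never serves. The sample lines, the scanner name list and the probe path list are my own constructed choices and should be tuned to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/59.0"
198.51.100.23 - - [10/Apr/2018:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Apr/2018:12:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Apr/2018:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
192.0.2.55 - - [10/Apr/2018:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/65.0"
192.0.2.99 - - [10/Apr/2018:12:00:06 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "masscan/1.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed lists: substrings of well-known scanner User-Agents, and paths that a
# plain static site never serves but automated scanners probe on every host.
SCANNER_UA = ("nikto", "sqlmap", "masscan", "nmap", "zgrab", "acunetix", "nessus")
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin", "/.git/", "/.env", "/admin/", "/xmlrpc.php")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(log_text, min_probe_hits=2):
    """Return {ip: {"requests": n, "reasons": [...]}} for clients that look like scanners."""
    per_ip = defaultdict(lambda: {"requests": 0, "probe_hits": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of crashing on odd input
        rec = per_ip[entry["ip"]]
        rec["requests"] += 1
        if any(tag in entry["ua"].lower() for tag in SCANNER_UA):
            rec["reasons"].add("scanner user-agent: " + entry["ua"])
        if any(entry["path"].startswith(p) for p in PROBE_PATHS):
            rec["probe_hits"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        # A single 404 on /admin/ could be a typo; require repeated probing before flagging.
        if rec["probe_hits"] >= min_probe_hits:
            rec["reasons"].add(f"{rec['probe_hits']} requests for common probe paths")
        if rec["reasons"]:
            flagged[ip] = {"requests": rec["requests"], "reasons": sorted(rec["reasons"])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info["requests"], "requests;", "; ".join(info["reasons"]))
```

The flagged addresses are what you would match in an nginx map or a small handler before deciding which response the client gets; a normal visitor who fat-fingers one URL is deliberately left alone.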

Read more at Christian Haschek’s blog.

Why to avoid IoT in the workplace and at home

The Internet of Things, commonly referred to as IoT, is a new market that boils down to the idea of connecting everything to the internet, even if it doesn’t need to be. The downside of these devices is that many of them are not secure out of the box and many more are unmaintained. Many of the devices showing up on the market don’t even have a good reason to be connected to the internet.

Exhibit 1: Juicero

Juicero is a cold press juicer, but you can’t just put whatever you want into it like a normal juicer. No, you have to buy their prepackaged bags of fruits and vegetables. Even worse, if your internet cuts out it stops working. The only value added by connecting this thing to the internet is that if there was a recall on a package, the Juicero wouldn’t squeeze it. The good news is that if your internet fails, you can just squeeze the juice yourself.

But let’s stop talking about how dumb these devices are. They are serious security problems waiting to happen, too.

Exhibit 2: JideTech Onvif 2.4 Wi-Fi Security Camera

Amazon has since taken this camera down from their store, hence the Internet Archive link. This is probably my favorite example and the one I bring up most often when talking about how insecure IoT is. This is one of the cameras that made the Mirai botnet the most powerful botnet in the world. Security guru Rob Graham tweeted about buying this camera and watching with Wireshark as it was infected very soon after plugging it in. It is vulnerable out of the box and was never patched, hence why Amazon stopped selling it. Video

So now that we know IoT devices are worthless and insecure, what about your privacy?

Exhibit 3: Pillsy

Pillsy is a Bluetooth enabled pill bottle that reminds you to take your meds. Sharing what medication you take, or how often you forget to take it, is a terrible idea. I don’t even want to imagine how much money information like that is worth to health insurers.


This is an expansion on one of the topics in my article on tips for your employees on how to secure a home network.


Tips for your employees on how to secure a home network

It has become very common for employees to work from home using company laptops or by working remotely with a home computer. This change can be good for comfort and productivity, but a home network rarely ever reaches the same level of security as a business network. Here are some tips to reduce data risk at home.

  1. Keep everything updated
  2. Don’t use IoT (Internet of Things) devices
  3. Use a VPN
  4. Use ad blocking addons
  5. Disable UPnP (Universal Plug and Play) on your router

Keep everything updated

Just because a vulnerability gets patched doesn’t mean that hackers are going to stop trying to use that method of attack. Rather, bad guys rely on victims leaving their electronics unpatched, and try older, still working exploits even though a fix is already available. Everything in your house that is connected to the internet, whether through a wired or wireless connection, should stay as up to date as possible, so that old methods of attack won’t work against you.


Don’t use IoT devices

It is very common for IoT devices to be highly vulnerable. Mirai, the most powerful botnet, is made up of internet connected security cameras designed for home use. If you were to plug a vulnerable camera into your home network, the camera could become infected in less than two minutes and start slurping up all of your internet bandwidth every time it is directed to attack a target. The camera can also be used to spy on you. Other IoT devices are known to have vulnerabilities that put your personal data at risk, such as this kids’ toy designed to record audio messages, which could be used to snoop on the house and had no security whatsoever on the storage of the recordings.


Use a VPN

Most security minded clients I’ve had have required employees who connect from outside of the office to reach company resources using a VPN. Some industries are required by law to not allow access into the network from the outside. A VPN allows users to bypass this restriction.


Use ad blocking addons

The Google Chrome and Mozilla Firefox browsers have many different add-ons that block advertisements. Personally I recommend uBlock Origin [Chrome | Firefox]. Ad blockers are good because they clean up web pages and speed up the time it takes to load a page, but my reason for recommending blockers is that advertisements can carry malware. Let me give you an anecdote from my time working in helpdesk:

We had a high number of calls coming in for users getting hit with ransomware and every time it was the same story. “I just opened up the internet and suddenly I had the virus!” Sometimes people would be searching for something business related and would click a bad link in a Google search. Once I saw a government site that had been compromised give a user a virus. Sometimes people fess up and say they were browsing Facebook and they clicked a link they should not have. I thought it was strange that at the same time there was this big uptick in infections, so many people were giving the same lame unbelievable story. I did some research and it turns out they were telling the truth. All of the infected users were opening Internet Explorer, which would load the default MSN homepage where ads were being served through Microsoft’s Bing ad platform. Someone had purchased ad space that contained malicious code that, by simply loading the advertisement, would cause the computer to download and run the ransomware virus. Had the users been using ad blockers, these bad advertisements would not have loaded and would not have infected the computers.


Disable UPnP on your router

This one is a bit more technical. Universal Plug and Play (UPnP) is a utility that allows computers inside the network to open up ports on the router to send and receive information. Each port is used for a different service, such as browsing the web or sending files. Every open port is another potential security risk for your network. Some viruses require UPnP to function, and disabling it would stop the virus from working.