simple security

After spending an hour with the Verizon support guy, I was able to get the Airlink AR315W router to work. But now after 3 hours of use it is completely dead, void of any life. I am buying a Netgear now.

Here is an article on how Adam Laurie, technical director of the security and networking firm The Bunker, used infrared to hack a hotel's network to watch premium content for free, to see other guests' bills and to control various things like the minibar .

Hotel TV systems are the most serious target from a privacy standpoint because they are connected to databases that contain information about guests.

Laurie said the vulnerability lies with how hotels have implemented the backend of infrared systems, placing control of the system at the user end, where the TV is located, rather than at the server end with administrators.

Laurie found that the backend systems in many hotels around the world don't have password protection or other authentication schemes to prevent unauthorized users from gaining access to them through the TV. And they fail to use encryption to protect data as it's transferred and stored.

The only hardware an intruder needs is a laptop running Linux, an infrared transmitter and a USB TV tuner. Laurie said the attack can also be performed using the infrared port built into many laptops.

When a client (could be a PC browser) first talks to a website over SSL (Eg. eBay), they perform a process known as handshake. Here is what happens:

1. Client sends in a ClientHello message with the version number of SSL the browser uses and the ciphers and data compression methods it supports.
2. Server acknowledges with a ServerHello message. This message contains a session ID and the ciphers and compression schemes that the server and client have in common.
3. Server sends its public key encapsulated within its certificate
4. Server concludes the negotiation with a ServerHelloDone message
5. Client sends a ClientKeyExchange message that it created using the server's public key. It contains the session ID chosen by the client. This session ID is encrypted by the client using the server's public key.
6. At this point both the server and the client send the ChangeCipherSpec message indicating to each other that they are ready for encrypted transmission
7. Both send Finished messages containing the digest of the communication so far.
   
8. Handshake complete. Secure session established.
   

Since the client initiates a communication, it is the clients responsibility of proposing a set of SSL options to use for the exchange.

This is the application layer security. You could be trying to login into your bank's site, or might be trying to purchase something from Amazon. This process happens everytime a new secure session needs to be established between your client (browser) and a server. Pretty much the entire ecommerce between end-users and online businesses depends upon this..

I spent around 2-3 hours trying to install this Airlink AR315W router, but couldnt get it to connect with my Verizon DSL. Googling or Yoddling (searching on Yahoo) didnt help much either. All the links that came back, are from link farms which are filled with Google ads. No luck :(

I tried both, PPPoE as well as Direct connect options, but they always came back with "No connection". In my older Netgear router, I didnt have to enter a username/password for the PPPoE connectivity. But the Airlink router asks me for a username/password. So I had to dig up my records to find it. Anyways to cut a long story short, even with the username/password, it didnt connect.

I tried calling their support. After the phone rang 15 times, I got the voice mail with a message stating "All our representatives are busy dealing with other customers, please leave your name, brief message and number. We will get back to you". I havent heard from them since morning. The airlink folks dont even have any support forums or message boards. Even the manual didnt contain any elaborate troubleshooting steps. Goddamn.

Lesson #1: Always buy stuff from reputed brands. Never ever fall for cheap stuff.

I was able to install Gentoo finally on my server. No issues whatsoever now. Even the network card is up and running. Seems that it needed "tulip" in the list of modules to be loaded at startup. Now how would a user figure that out? One word answer: Community. Just to a search on the net for your issues and mostly likely you will see someone take the pains the explain a solution.

Now comes the tough part of installing: Apache, Java, PHP, Perl, Tomcat, CVS, MySQL etc etc. Might even install a wiki.

At this point I am not sure, how would I keep up with the security patches from the Gentoo dev guys. Need to figure out that one.

Man won over machine. Gentoo installed. The only part left to debug, is why doesnt the eth0 interface get configured and loaded. Phew! Goodnight.

Application layer	BGP, FTP, HTTP, HTTPS, IMAP, IRC, NNTP, POP3, RTP, SIP, SMTP, SNMP, SSH, SSL, Telnet, UUCP, ...
Transport lr.	DCCP, OSPF, SCTP, TCP, UDP, ...
Network lr.	IPv4, IPv6, ICMP, ARP, IGMP, ...
Data link lr.	Ethernet, Wi-Fi, Token ring, FDDI, PPP, ...
Physical lr.	RS-232, EIA-422, RS-449, EIA-485...

Its 12.15 AM as I am writing this entry. This has been my 3rd attempt in getting gentoo to install. I got all the way through, till about the genkernel part and once the genkernel completes, I dont see the /boot/initrd directory (or file) being created. Now that the frustrating part. Did a quick google search and nothing noteworthy came up!!!

I thought, I had found nirvana in Gentoo.. but seems like all other things in Linux, this one too needs late night tweaking to get it to work. Aaah, I am exhausted.

I just ordered the Airlink AR315W wifi router + the USB adapter for my desktop. The router was selling for $19.99 and the usb adapter for $14.99 on Fry's Outpost.

I did a Google search on the adapter and didnt see any horror stories, so went ahead and ordered it. As far as I can tell, its a great deal and would give you WPA protection besides faster speed with 802.11g - 54mbps, than 802.11b. Check out one of earlier entries on how to protect your network using WPA

I will blog about how well it works after I install it and try it out.

One more thing, they are also selling a 200 GB harddisk with 5 year warranty for under $60 bucks. Go for it, while it is cheap. I plan to use it as my Network Attached Storage. (I once paid $100 for a 512 MB hard disk waaay back in 1998)

There was a serious security flaw discovered in Greasemonkey. Check it out here. Although, I havent read the entire email thread myself, the bottom line is that uninstall Greasemonkey for now.

I guess, this all started out when Joe Gregario wrote an article in XML.com about putting his private key in the Greasemonkey script to decrypt secure content.

So one thing to keep in mind is not to jump on something which promises to be cool and secure, without letting it get tried and tested by the world out there. Same is said about security algorithms also. Dont try to invent your own algorigthm. Use an existing one.

Other than the fact that Winnie the Pooh like to drink honey out of a honey pot, a honeypot in the security world refers to a computer that is setup as a trap for hackers/crackers. It is a computer that is attached to a network with an aim to record the techniques that hackers use to gain unauthorized entry into a network. It acts as a decoy.

Honeypots are designed to capture any activity that happens, so that it can be later played back or analyzed to protect other more valuable machines in the network. Honeypots are used for detection, prevention and also to learn various hacking approaches.

Honeyd is a Honeypot program that creates virtual daemons on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

So all you budding hackers/crackers out there. Next time you "break" into a system, dont consider that to be something boastworthy. You might have broken into a honeypot and all your activities might have been recorded, without your knowledge.

So I tried installing Gentoo over a period of 10 days. Yeah! I just performed a step or two each day for about 10 days. Now when I boot up that machine, I am not able to login to my gentoo server. I am sure, I must have missed a step or something. Ouch. So, I'll need to sit down and do the installation all the way from start to finish in one shot.

Expect the posting to be light until I get Gentoo installed. (hopefully over the weekend).

I've noticed that since about the past 6 months, most of the spam that I receive also contains a virus or a known exploit. This is just to warn you guys that dont even consider opening an email that you suspect to be spam. It might contain a virus and/or exploit which might do funny things with your computer even without your knowledge.

Looks like Paul Kedrosky's domain kedrosky.com has been snapped up by domain squatters. I did a whois lookup and it seems that he let it expire. Ouch!

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: kedrosky.com

  Created on..............: 09 Jul 2001 10:00:00
  Expires on..............: 09 Jul 2005 13:05:11

Registrant Info:
  Kedrosky & Assoc.
  System Administrator
  1400 - 700 W.Pender Street
  Vancouver, BC V3K1K7
  CA
  Phone: (604) 638-2525
  Fax..:
  Email: ********@yahoo.com

I used to read his blogs regularly. Too bad, now its gone.

About a month ago, I bought a second hand server from craigslist. Nothing fancy, just a dual proc 1 GHz box with 1 GB RAM and other usual stuff. Last week I tried to install Fedora RC 4 onto it. But right after the installation, when the OS tried to boot for the first time, it would hang midway. Both the keyboard and the mouse would freeze. I tried reinstalling Fedora a couple of times before finally giving up and restarting my search for a Linux distro (I even downloaded Solaris 10, but didnt end up using it).

I settled on Gentoo after reading a couple of reviews. The power of Gentoo is the flexibility it offers the user to select and choose whatever the user wants to install, without forcing it down the users throat like some other friendlier distros. Aah, finally I can install some package with full control of what goes along with it. Ofcourse, this means that the installation goes a lot slower and is a much more conscious effort for the user. Gentoo forces the user to choose each option along the installation path. The documentation that came along, explains why we need to do what we need to do and gives some fundamental knowledge about the same.

I'll probably post a review once I am done installing it. So far so good.

So lets say you are on a Windows machine and want to know which ports are open and which executable created and/or is listening on that port. Well, here is one command that can display it all:

netstat -b -v -o -n -a

Here is what the options mean:

• -b : Displays the executable involved in creating each connection or listening port.
• -v : When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.
• -o : Displays the owning process ID associated with each connection.
• -n : Displays addresses and ports in numeric form.
• -a : Displays all connections and listening ports.
  

The apache webserver can be setup as a reverse proxy. A reverse proxy helps with inbound requests. When a client makes a request to your site, the request goes to the proxy server. The proxy server then sends the client's request through a specific passage in the firewall to the content server. The content server passes the result through the passage back to the proxy. The proxy sends the retrieved information to the client, as if the proxy were the actual content server

Here are the steps to setup an apache server as a secure ssl proxy

Basic 2.0.50 Apache setup: (for a higher version of apache, replace you version number string from the setup below)

• Download Apache 2.0.50 from: http://apache.roweboat.net/httpd/http-2.0.50.tar.gz
• Become 'root' user
• Extract all files from the gz archive
  
• gzip -d -c httpd-2.0.50.tar.gz | tar xvf -
• Setting up ssl-aware apache
• cd apache-httpd-2.0.50
• ./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-ssl--enable-proxy --enable-proxy-connect --enable-proxy-http --enable-rewrite
• make
• make install
• Now start your httpd server
• /bin/apachectl start
• Test installation by typing http://localhost
• Now stop httpd server
• /bin/apachectl stop
• Configuring Apache for SSL Proxy support
  
• Add the below specified lines to your apache config located in /conf/httpd.conf
• LoadModule proxy_module modules/mod_proxy.so
• LoadModule proxy_connect_module modules/mod_proxy_connect.so
  
• LoadModule proxy_http_module modules/mod_proxy_http.so
• Add the proxypass directive
• ProxyPass /abc https://someotherserver
• Get a "real world" certificate from verisign or thwate or someone else and install it into apache
• mkdir /conf/ssl.key
  
• mkdir /conf/ssl.crt
• cp real-world.crt /conf/ssl.crt/.
• cp real-world.key /conf/ssl.key/.
• make sure you specify the correct servername in the ssl.conf (located in /conf/ directory)
• Add the following line to under the in the ssl.conf
• SSLProxyEngine on
• Starting apache with SSL enabled configuration
• To start apache with ssl enabled :httpd -D SSL
• Test installation by typing https://
• Secure your proxy server !!!

This site explains it all, in a step by step format.

In most of the corporate networks, these days, they dont allow you to mail executable files like .exe, .scr, .dll etc. The mail filter on the server is going to detect that you tried to send out an executable and bounces back the mail in your inbox. Sometimes zipping up the file before attaching it to the email does the trick. But these days the mail filters are getting smarter and can look inside a compressed file as well.

This is mainly done for security reasons. In the past few years, the network admins have learnt that viruses and/or spammers trick the users into clicking on executable stuff in the mail and then take advantage of buffer overflow exploits.

So what do you do if you really really want to send someone an exectuable attachment? If you use PGP, GPG, or S/MIME to encrypt your mail before sending it out, then it would sail right past the mail attachment blocking filters.

ps: If you want a free personal digital certificate to use S/MIME, check this out from Thwate: http://www.thawte.com/html/COMMUNITY/personal/index.html