Now that I've had some time to hack around with the Lenovo S10, I think someone will find some of this information useful. This entry is about re-installing Splashtop, Lenovo's Quick Start software on the S10.

What is Splashtop

Like I wrote before, the Lenovo S9,S10, and S10e, uses a streamlined Linux based environment that gets you from pressing power to surfing, chatting, Skyping, listening to music or checking out a photo gallery in 30 seconds or less. Oh and the not to be overlooked feature - it works!

The really interesting part is not that it's just one of those quick booting linux OS's like Ubuntu 9.04 is claiming to be. It actually is leveraged by the motherboard by using a small amount of flash memory which stores persistent changes to a location on the hard drive which unfortunately requires windows.

Re-installation

Let me say this right now - reinstalling splashtop is not fun! The only reason that this would happen to you is if you've deleted the files that came with the laptop or there was a problem with the hard drive itself. In mycase, the problem with the hard drive was me re-formatting the entire thing and installing Ubuntu Netbook Remix.

After a lot of research, here's how you do it:

• Install Windows XP on some partition of the hard drive. This could be interesting if you don't have an external CDROM. If you're good, you can try to install XP from a USB stick like I did with partial success.
• Install the latest Lenovo Quickstart software you can find here. NOTE: There may be an updated version that also works
• OPTIONAL: From Windows XP, upgrade the BIOS of the S10. See Lenovo's Support Site for the latest version.
• Download the patch that came from S10Lenovo.com here.
• Unzip the files and copy them to the C: drive of your computer.

This worked for my Lenovo S10 4231 but the guys at S10Lenovo.com have done a lot of good work on figuring out the quirks. On some S10's all you needed to do was install the newest Quick Start and you are on your way but for me the patch was the key.

If that doesn't work for some reason, I'd be interested in getting the feedback.

Last Security Warnings

I wrote last time that Splashtop was extreme functionality at the cost of security and after more research, it's still true.

In version 1.0.17.0, the Splashtop browser is based off of Firefox 3.0.6, the instant messaging software is based on an old version of Pidgin and Skype is Linux version 2.0.0.72. It's older software but it looks like someone is attempting to update it.

There are some good security precautions in place like you're not allowed to directly access the hard drive and you can't open a terminal and the persistent files are encrypted and signed so not just anyone can make changes to the config.

Still don't belive me? Here's an exploit proof of concept that can crash your browser and possibly allow an attacker to inject a payload:

Do not click if you have Firefox 3.0.8 or less!!

What's Next: BackTrack 4

I'm still working out some of the quirks of using the laptop with BT4 Beta and have gotten them pretty much ironed out but I just want to streamline the process a little better.

External Links

http://www.splashtop.com/ - Official Splashtop Website

http://s10lenovo.com - Great site for S10 hacking

http://hg.mozilla.org/releases/mozilla-1.9.1/file/cb01d655a1b1/content/xslt/crashtests/ - Exploit for Firefox 3.0.8 or less

http://s10lenovo.com/viewtopic.php?f=42&t=2283 - forum with more information related to Splashtop on the S10

This will be the first of a few entries about my new Lenovo Ideapad (NOT iDeapad) S10. It's a netbook with great support for Linux and an interesting "Quick Start" environment which is a super fast booting OS that's built into the motherboard. To be honest the only two reasons why I bought it was the low cost (<$300) and I've become a Lenovo fan boy ever since my Thinkpad T43.

Quick Start/Splashtop

The most intriguing part of this laptop is something that Lenovo calls Quick Start. It's a linux based ultra-fast booting stripped down OS that includes things like Pidgin, Firefox, and Skype. It's actually called Splashtop and is made by DeviceVM. The idea here is that the motherboard boots from a small amount of flash memory so that it's extremely quick to start up.

When I opened the S10 I immediately booted into their Quick Start environment, played around with it and then immediately installed Ubuntu's Netbook Remix. I tell you this so you can be very impressed by my radical anti-Microsoftic act (did I mention I'm an MCSE?) but also to tell you that you really shouldn't do this because the Splashtop OS requires files on the FAT32 windows directory. The revolution has a cost. :/

There are a few problems with Splashtop besides the fact that you can't make any customizations to the OS:

• It uses outdated software like Firefox 2 that can't be manually updated
• It requires that you have a windows partition to hold the applications

I just want to say again, I love the idea of a quick boot environment but it seems like Splashtop is going to be another example of when innovation takes precedence over security.

I'm not going to go into this anymore since one of my projects is to get Splashtop to play nicely with Linux and I'll be able to have some more information.

Ubuntu Jaunty Jackalope Netbook Remix

Ubuntu 9.04 Jaunty Jackalope was released last month and with this version comes the Ubuntu Netbook Remix distribution or UNR. This is a customized Ubuntu distribution that is specifically designed to make it easier to work with a smaller screen and to maximize the potential of the Intel Atom processor. I'd highly recommend it on a netbook compared to the standard Ubuntu install.

Installation was different but very easy. You need to download the 1GB .IMG file and install it to a USB drive. I found the easiest way to do this is to install the Ubuntu package "usb-imagewriter" which is a GUI that walks you through the steps of putting the image onto a pen drive. Once you've installed it, plug it into the netbook and install it like normal.

Once again, if you delete the FAT32 partition of the S10 hard drive, you will not be able to use the Quick Start environment.

Backtrack 4 Support

I've had this conversation three times now and all my friends want to know is "Does it work with Backtrack 4??" Really this just means does Backtrack support the wifi card to do packet injection. The answer is almost. The internal wireless card is a Broadcom BCM4312 chipset which requires you to use the closed source driver supplied by Broadcom. This causes some other configuration problems you'll need to overcome. I haven't played around with being able to inject packets yet. That will be a subject for another day though.

Next Steps

There's a lot of talk right now about the Splashtop option and a lot of netbooks are using it or something like it for the ultra fast boot. Because nothing comes with recovery CD's anymore, you have to download everything from Lenovo's website at 17kb/s. UNR is going to need some customizations especially for the security tools that I like. There is a BIOS update that came out just yesterday that fixes an issue I was having so more on that later. The biggest problem I'm having is getting people to stop laughing at a 6'5" guy trying to type on this tiny laptop. :)

External Links

http://www-307.ibm.com/pc/support/site.wss/product.do?doccategoryind=50520&template=%2Fproductpage%2Flandingpages%2FproductPageLandingPage.vm&brandind=10&familyind=431250&machineind=433197&modelind=0&partnumberind=0&subcategoryind=0&operatingsystemind=49979&validate=true - Lenovo S10 Support

http://www.splashtop.com" - Splashtop

http://www.canonical.com/projects/ubuntu/unr - more about Canonical's work on netbooks

http://www.s10lenovo.com/ - great site for S10 specific discussion

I know this isn't a new subject by any means but I think it's still interesting and most of the material that's useful out there right now is antiquated so I thought I'd write my own version.

Background

The reason I got into war driving was to:

1. Learn the specifics about the technologies (Kismet, gpsd)
2. Have something to do on the drive to Notacon
3. Be a geek

Hardware

Here is the list of hardware that I used:

• Laptop (Wireless card, serial port)
• Garmin eTrex - Craigslist $35
• Garmin eTrex serial cable - $8
• Edimax RT73 (optional) - $43

Software

Software I used:

• Kismet - wireless sniffing tool
• GPSD - receives GPS data
• Ubuntu 8.10 - OS
• GPSDrive - (optional) Maps your current location as you drive
• Festival - (optional) Text to speech plugin for announcing when an access point is found
• KisGearth - convert kismet data to KML for GoogleEarth
• Google Earth - place access points on a map

GPS Setup

• sudo apt-get install gpsd
• Telnet to gpsd server and type "r" to receive the coordinates and "b" to confirm the console settings
  >telnet localhost gpsd Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. >r GPSD,R=1 >b GPSD,B=9600 8 N 1
• Plug in garmin using the console cable
• In the garmin, page over to the setup > Interfaces and make sure the output format is NMEA and the transfer rate is 9600 baud
• If you are successful you should see coordinates pop up in console of GPSD

Kismet Setup

• sudo apt-get install kismet festival
• Configure kismet.conf for your wifi cards (see KismetWireless.net under the Capture Sources section for a listing of your network card)
  #Edimax RT73 Usb source=rt2500,wlan0,RT73 #Intel Ipw2200 for Lenovo T43p laptop source=ipw2200,eth1,Intel
• Configure kismet.conf for festival
  festival=/usr/bin/festival
• Configure kismet.conf to save waypoints for GPSDrive
  # Do we write waypoints for gpsdrive to load? Note: This is NOT related to # recent versions of GPSDrive's native support of Kismet. waypoints=true # GPSDrive waypoint file. This WILL be truncated. waypointdata=%h/.gpsdrive/way.txt # Do we want ESSID or BSSID as the waypoint name ? waypoint_essid=true
• Configure kismet.conf to save GPS data in the log files
  logtypes=dump,network,csv,xml,weak,cisco,gps
• Start kismet to use your wifi cards. (only put in the cards you've setup in the sources or leave blank)
  sudo kismet -C Intel,RT73

GPSDrive Setup

NOTE: GPSDrive is a fun tool to show you access points while you drive. It's unnecessary if you're going to be mapping the coordinates on Google Earth later

• Download the latest deb from the GPSDrive website or download the stable release with apt-get sudo apt-get install gpsdrive
• Before you go on your war drive, make sure you download the maps for the location you'll be driving, otherwise you won't be able to get the specific streets. I'd suggest getting used to how gpsdrive works because there's a little bit of a learning curve.

The Drive

This is a no brainer but I wanted to give a few tips that I learned:

• Plan laptop power settings before hand - make sure your laptop isn't going to shut off the hard drive after 15 minutes of inactivity
• Setup the equipment beforehand so it doesn't slide
• kitchen drawer sponge - a friend of mind gave me the idea of using that spongy material that goes at the bottom of a silverware drawer. Throw it on your dash and put your hardware on it so that it's not sliding around during turns.
• Secure the laptop however you can in your car
• Ideally buy a magnetic antenna to latch onto the top of your car so nothing is sliding around
• Test everything a couple of times before trying to do it in the car - reboot, unplug, undo everything because sometime or another it's going to happen and you're going to need to know what to do
• Make sure your GPS always has a good signal or your maps will be inaccurate

Importing into Google Earth

So you've finished your drive and you want to map out everywhere you've been. Google earth is perfect for this.

• Install google earth either from Google Earth's site or from the Ubuntu repositories
  sudo apt-get install googleearth
• Download an extract KisGearth
• Run kisgearth to use the kismet .xml file and .gps file. (You can use just .xml but using the .gps file as well makes it more accurate)
  ./kisgearth.pl --gps /var/log/kismet/Kismet-Apr-26-2009-6.gps -oN Kismet.kml -- /var/log/kismet/Kismet-Apr-26-2009-6.xml
• Open Google Earth and go to file>open and open the KML file you created

With a little luck you should have an accurate map of where all the access points are using Google Earth's satellites. Just for fun I've attached the KML file that I used for Notacon.

You can download it here.

External Links

http://code.google.com/p/kisgearth/ - Kisgearth

http://www.gpsdrive.de/download.shtml - GPSDrive

http://www.kismetwireless.net - Kismet

The sixth installment of the annual hacker convention, Notacon happened this last weekend. It drew the same crowd as other hacker cons like Defcon, Shmoocon, and Random but as the name implies, Notacon wasn't like the others. The general subject for the talks asked the question, what would geeks like to hear? So it ranged from rules of the board game GO to SQL injections to silly internet videos to healthy cubicle life to hacking consumer routers - all over the place.

The scene was the same as a standard con with all of the same characters we've grown to know and love. Because the talks were all over the place, some people didn't have interest in listening to them. This lead to more off the field antics where you had more time to take in the Lockpick village, check out HackerSpaces.org and the guys from PumpingStation:One, hang out with Deviant and have a go at his Gringo Warrior. There was a guitar hero/karaoke/Commodore64 game room that was a lot of fun. There was also a pirate radio that asked anyone to just walk in and talk.

PS:One

I don't get to really talk about these guys to many people around here because it's completely out of context in Rochester but Pumping Station One is the newest if not the only open hacker space in Chicago. One of the founders Eric who helped start HacDC teamed up with Rogue Clown and many others to create a not for profit organization, hold regular meetings, and find their own space which they just signed the lease for. You'll see a lot more of these hacker spaces popping up as the HackerSpaces.org team becomes more and more organized and provide templates for other people around the world.

Check them out here: http://pumpingstationone.org

DualCore

Dual Core is a nerdcore group from Cincinatti. Int Eighty is the rapper/frontman for the group and happens to show up at all the popular cons. If you haven't listened to them you may have the assumption that oh it's just another one of those nerdcore groups that focus on geeky lyrics and lack rapping skills but you'd be wrong. Eighty is a seriously skilled rapper who is into the hip-hop scene and the hacker scene. It's like if Emminem and Kevin Mitnick had an illegitimate child together. You know it'll be a party when DualCore is there.

External Links

http://notacon.org/ - Notacon's website

http://dualcoremusic.com/nerdcore/ - DualCore's website

http://pumpingstationone.org - PS:One website

http://hackerspaces.org - HackerSpaces.org

Here's the error you see in the event logs:

Only one usage of each sock address (protocol/network address/port) is normally permitted.

The whole event log looks like this:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 24/03/2009
Time: 7:13:42 AM
User: N/A
Computer: THISCOMPUTER
Description:
The Internet Authentication Service service terminated with the following error:
Only one usage of each sock address (protocol/network address/port) is normally permitted.

The issue is that your DNS server has allocated some of the ports used by the Internet Authentication Service which means that you can't log into your routers, or vpn users can't connect anymore, or whatever you were using IAS for does not work. It actually causes the IAS service to stop completely. You may have seen this when you opened the admin MMC:

There was an error getting connection to the datastore. The handle is invalid

The Fix

Straight to the workaround:

• Open up the IAS admin console (administrative tools)
• Right click on "Internet Authentication Services" and go to "Properties"
• Click on ports and write down the ports that it's using
• Open up regedit -- insert warning of death here --
• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• Double-click the ReservedPorts value, type the range of ports used by IAS (1645-1646)
• Save it and restart the DNS Server service (you may need to reboot the whole server but not in my case)

Now when DNS restarts it'll make sure not to use those ports that you have already allocated for IAS and you're back working.

The Background

This is all caused by Dan Kaminsky so you should email him and tell him how many problems he's caused. (Just kidding but he still might enjoy that).

The real issue was the hotfix that Microsoft released MS08-037 which fixed a flaw in DNS servers and clients and was originally discovered by Dan Kaminsky. The MS08-037 security update randomizes the DNS transaction ID's of DNS servers, changes the logic when handling DNS caching, and most importantly to this error - randomizes the socket that the DNS server uses each time. That means that when DNS is running, it could be using that socket you have reserved for another application like IAS.

External Links

http://www.capslockassassin.com/2009/01/28/ms08-037-causes-port-conflicts-with-dns-and-ias-services/ - nice write up about the issue with screen shots

http://support.microsoft.com/kb/956188/ - MS support KB about the issue

http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx - MS08-037 security bulletin

Yesterday I passed my Certified Ethical Hacker test making me a CEH. I really don't put much personal information in this blog but since I wish I'd found more information about the possibility of self studying for the CEH before I took the exam, I'm going to write this entry in the hopes that someone else will find it before they take their's.

CEH's Perception

The Certified Ethical Hacker certification came around years ago but I first heard about it at Defcon 15. You can go look at what the CEH is and read why you need to get it but I'm more interested in writing about how I personally have seen it perceived.

One of the Goons at Defcon was making fun of the certification saying that he was going to start his own test to be a CEH - Certified Ethical Harpoonist and that the CEH cert was less than desirable. He used more colorful adjectives. Goons are at least two steps up from the "Humans" at Defcon so their opinion has some sway (especially among n3wbs and scene whores) no matter how beer fueled it is.

None of the people that I know or are friends with have the CEH cert and I've never really had a conversation with anyone saying how they're going to work towards it. Most look at the CISSP to be a manager or some of the SANS certs if you want to actually know how to hack. The best example of how CEH is not widely known or desired was I told a techie friend that I'd passed my CEH exam and his response was, "Congratulations. What's that?"

Why get the CEH?

So if it's been planted in my mind that the CEH is really not that big of deal and most people don't even know what the CEH is, why even go for it right? More than anything else it added a structure to the security projects I had been working on. Up til now, I was working on 15 different projects using all kinds of different technology from encryption games and anonymity utilities to programming projects and improving my soldering skills. I found the CEH study guide and looking through the table of contents, it seemed like something that could teach me new skills to wrap into my projects. So it just really put everything I had been studying into a specific achievable goal.

I would say to anyone expecting the CEH cert to open doors or make it easier for you to get a job, don't waste your time. In my opinion, CEH is the A+ of security.

Is Self Study an Option?

The short answer is a big maybe.

I'm lucky enough to work for a company that pays for my training. That being said, I really didn't want to take a week of to do the CEH training course knowing that the CEH really wouldn't do much for anyone. Since I'm on sabbatical for a few months, what better time to study towards something like this.

I bought the CEH review guide which in one of the first paragraphs of the books states something to the affect of

"This book does not contain all the information you need to pass the test."

Ok, I understand. I'll look at the information it's talking about and apply some real world examples. The review guide was missing a LOT of information. In fact, if I had no previous experience in security and was starting from scratch, the review guide wouldn't have even touched upon half of the subjects in the test.

I know what you're going to say, it's called a _REVIEW_ guide but in fact, there is no official book of information for the CEH which means that the only book to study from is this review guide. Maybe this is normal but for all the other certifications I have, there's always been a gigantic book that you studied from. So it was like having the cliff notes instead of the original novel and then trying to pass a 150 question exam. It wasn't like that, it WAS that.

The alternative to the review guide is that you hook up with the EC Council training and they tell you the secret subjects that you should study for in one of their week long training classes. Lets just say that thanks to the openness of the Internet, I was able to track down some more information to study.

Subjects not covered

I looked up as much information as I could and I talked to people in some forums and IRC channels that I frequent and they all basically said the same thing. "Nothing really surprising. Few gotcha questions. Pretty straight forward." And in response to did you self-study - "No." In fact out of the 5 or 6 people I directly talked to that had passed the CEH, they all shelled out the more than $1000 for the week training and then took the test.

The biggest item that I didn't study for was programming. They don't expect you to write any exploits or anything like that but you need to be able to debug C to point out locations for buffer overflows. I don't know C or C++ but can hack my way through so it was a stretch and not in any thing that I was studying. Luckily there were only two of these questions.

Conclusion

My major conclusion is the test material is really good for security professionals but if you're going to be able to pass the exam with the review guide, you are probably already in the security industry and this test will do nothing for you. If not, you'll end up spending the same amount of money re-taking the test that you would have if you did the week long training. The reason that I was successful was because of all the extra study materials I found and generally because I am a geek.

This is a simple solution for those of us wishing to use SSL whenever possible. Sites like Facebook, LinkedIn, The Pirate Bay, many more and hopefully soon to be many others offer an HTTPS as an option but only to those that try to use it.

HTTPS != Secure

I should probably say this because HTTPS/SSL is turning into a mindless buzzword.
Websites offering SSL do NOT...

• protect you from system attacks - a virus can be installed over SSL
• inherently hide the websites you're visiting - the browser URL will still be https://www.someweb2.0site.com/markmmanning
• mean that the website will always use HTTPS - Yahoo lets you connect using HTTPS and then automatically redirects you to HTTP after you've logged in

Websites offering SSL do...

• encrypt your web traffic from browser to web server
• protect you from attackers sniffing on your network

NoScript

NoScript R0ckz! I'm not even going to talk about them because you should know. Check them out here.

• Install NoScript
• Click on the the icon and go to options
• Click the Advanced tab and HTTPS
• In the "Force the following sites to use secure (HTTPS) connections:" add in all of your favorite websites
• Click ok and test it out

External Links

http://noscript.net/ - NoScript website
http://fscked.org/projects/cookiemonster - the reason why HTTPS doesn't mean you're secure. CookieMonster is a sidejacking tool with support for attacking SSL connections.

Nathan Evans did the last talk on the first night of Defcon called De-TOR-iorate Anonymity. It had a lot of people sweating on the Tor mailing list and even generated a huge debate about whether Tor should even be attempted to be used on a multi-purpose system versus a dedicated machine or virtual machine like JanusVM or AnonymOS. The information was pretty thick to process at the time, but a few minutes later, it finally sunk in. Here's how it works.

Overview of Tor

A quick review of how Tor works. Tor is a anonymity tool that creates a circuit of proxy servers to relay connections through. For instance, in the figure below we see Alice trying to connect to Bob. Alice sends traffic to node 1, node 1 relays that traffic to node 5, node 5 relays that traffic to node 8 and node 8 finally sends the request to Bob. If Bob replies, the data travels back the direction that it came. Simple enough?

Overview of Attack

Nathan's attack would fall under the "partitioning" label as the goal of the attack is to partition the Tor network smaller and smaller until it can find the entry node the user is coming from. Because this attack assumes you have control of the exit node, obtaining the entry node confirms the second node used as a relay thus showing every node in a user's circuit. This makes Tor as anonymous as a single proxy.

Circular Circuits

Nathan found that an attacker can create looped circuits. That is Node 1 relays to Node 2 and then relays to Node 3 but at Node 3 an EXTEND command is issued so the circuit length is increased infinitely. This causes the queue of traffic waiting to be relayed to fill up and the latency to increase by a large amount.

Why it works

Doing a DoS attack and measuring the latency is not new. It was actually talked about at last year's Defcon. The difference with this attack is the attacker actually creates circular circuits so nodes are actually looping traffic back to the beginning instead of relaying properly.

This is why the attack worked:

• Tor is hard coded to only uses 3 nodes in a circuit(debatable whether or not to change)
• Tor does not provide padding to keep latency at the same rate (and never will)
• Tor allows for infinite circuit lengths (to be fixed in proposal 110)

The Attack

To attack the network, he used the following environment

1. a "Bad Exit Node" owned by the attacker
2. Tor client used to generate circular circuits (Defined as "DoS Client")
3. Web server to act as the destination and to keep track of latency (Defined as "DoS Server")
4. Normal user that is using the Bad Exit Node ("Alice")

The attack is done by a denial-of-service attack on many nodes using circular circuits discussed above. If the user's latency stays low during a circular circuit creation, then the attacker knows that the entry node is NOT one of the DoS'd relays and tries different nodes. In this case, latency is measured by injecting a javascript command to ping a web server collecting stats. The process of generating circular circuits and recording the results is repeated until the user's latency increases substantially at which time the attacker knows that the entry node is one of the three nodes used in the last DoS attack.

Example

In this figure, you can see that Alice is trying to connect to Bob via nodes 1, 5, and the Bad Exit Node that is owned by the attacker. During this time the attacker is creating circular circuits between 1, 2, and 3 which generate large amounts of traffic causing a slow down.

The Fix

Tor has been been updated at least 3 times since writing this blog. Among many other bug fixes and feature additions are the changes related to Proposal 110. This is the proposal to change Tor to handle circular circuits. The proposal splits up relay requests into "Relay" and "Relay_Early." Relay requests do not have the ability to issue the EXTEND command that is used to generate the circular circuits and Relay_Early can as these would be the beginning of the circuits.

The 0.2.0.30 version also makes an addition to block "risky" extend cells.

Relays now reject risky extend cells: if the extend cell includes a digest of all zeroes, or asks to extend back to the relay that sent the extend cell, tear down the circuit. Ideas suggested by rovv.

The fix is not complete. They are still implementing parts of proposal 110. They have to maintain backwards compatibility in case a version 1 circuit is created.

External Links

http://www.torproject.org - Tor Project Website
https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt - Details of the proposal for the fix
http://archives.seul.org/or/talk/Aug-2008/msg00148.html - just for accuracy's sake, Roger Dingledine's follow up to my explanation on the or-talk list
http://web.cs.du.edu/~natevans/ - Nathan Evan's website. Nothing there really
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf - Original powerpoint presentation called De-Tor-iorate Anonymity
https://www.torproject.org/svn/trunk/ChangeLog - the always updating changelog of Tor

I was kind of excited about this years Tor talks because it was almost skipping over the details of what is Tor and going strait to some more advanced subjects. Roger Dingledine made a great presentation about the vulnerabilities of Tor where he went through each major security bug that was ever discovered. He is very honest about some of the future attacks like Latency Tables, SSL Website Fingerprinting, automatic control port authentication problems, attackers buying old certificate authorities so that SSL MITM attacks would be available anytime, and even how governments are starting to make laws forcing Tor admins to have an real time access to current Tor nodes.

Latency Tables

This was actually pretty interesting to me. Roger made a comment about how an attack would be easier if the attacker had access to a latency table which would keep track of the latency between one point to another on a global scale. This is a theoretical attack as no one has been able to do this effectively.

SSL Website Fingerprinting

This is the theory that it would be possible to document the size of an SSL encrypted web site request so that although an attacker cannot see the data going over the connection, it is possible to see what website the user is visiting. It could even be taken one step further where the table could not only have the initial website size but the first page, and then the redirected page after login. For instance, if someone visits their bank, they first get an initial login, and then a secondary authentication screen, and finally their actual online banking information. Each of those pages have a size that when put together, makes a pretty unusual fingerprint. If you tie this fact together with Mike Perry's SSL cookie exploit, one can imagine a situtuation where an attacker finds the website the user is visiting, inject an <img src="http://www.visitedwebsite.com"> where the cookie is sent in clear text and then a session hijack occurs.

Automatic Control Port Authentication

There has been an addressed issue that shows how an attacker could gain control of a Tor client's control port (which is what's used to generate tunnels) thereby granting the ability to redirect the tunnel or something even more malicious. The work around for this was to provide authentication done either by a password or by a session cookie. Clients like Vidalia now support the authentication mechanism but the problem currently is how is the authentication done at the boot time when a user installs Tor as a Windows Service. Roger didn't have an answer yet to this issue besides that it was currently being worked on.

Purchasing Old CA's

If you look in Firefox or IE or Opera or whatever, you'll see a pretty long list of pre-trusted certificate authorities that come when you install the browser. These are some of the most popular ones that have been trusted for years and come with the browser itself. It just so happens that a lot of these CA's are not even in business anymore but they're still in the browsers in case someone has purchased a certificate that extends through 2020. So what? Well the issue is what if an attacker purchased one of those old CA's, if they wanted to do a MITM attack with SSL, they could and the browser would have no problem with it. There was even a comment about how China is interested in purchasing one to help out with deep packet inspection even on SSL connections.

Governments and Law Enforcement

The last big issue that I thought was interesting to bring up was how some governments (see Germany and others) are pressuring Tor to provide "real time access to law enforcement." Whatever real time and law enforcement really ends up being. Roger makes the point that if it becomes this hard and this illegal, it may not be possible to run a Tor server in that country and it may be difficult to do so in the future.

External Links

http://www.torproject.org - Tor Project Website
http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/ - Blog about the new German data retention logs
http://en.wikipedia.org /wiki/Data_retention - Wikipedia entry about data retention laws in other countries

I arrived Thursday morning to Las Vegas in an attempt to do some of the pre-Defcon social events this year. We posted our room availability on the Defcon forums and picked up two roomates to help with the costs; Riot and Matt.

I reserved the "deluxe" room at the Riveria which although being nicer, doesn't have any more space than the non-deluxe. It does look much more romantic but filling it with 4 guys takes care of that feeling pretty quickly.

Badges this year include an IR port, an SD slot, and supposedly a way to shut off all TV's in a certain radius, and a transmit mode that may allow you to talk to other badges as you walk around the floor.

Ethical Hackers

Ethical Hackers was doing a get together at Hofbrauhaus, a German brew house at 8:00pm. Dan who runs the site was putting it all together and had a $500 tab for us to use. The whole event was a lot of fun and had a lot of interesting people. Timmy of Red Rock Security, Brian of Cisco, Ed of Intel Guardians, David an extreme baby sitter, Collin of Training Camp, Mike the Military Vet, Naps, and a bunch of others of whom I may have forgotten their names. Check out ChicagoCon for anyone that will be in the area. Sounds like a very worthwhile event. I think the whole get together was a success.

EFF Summit

We also grabbed a few of the guys to make it back to the EFF Summit at the top of the Monaco tower back at the Riveria. Donations were $40 to get in and included a one year membership. Once the sound system was working at around 10:30 or 11:00, some of the EFF guys went up to talk about some of the cases that were won and some of good things that the EFF does. I think it was kind of preaching to the choir but the event went pretty well.

External Links

http://www.ethicalhackers.net
Red Rock Security
ChicagoCon
Intel Guardians

This weekend, my company threw their annual trip to the mountains which included a team building scavenger hunt through the small town community, a boat trip to the lake, and some after hour pranks. One such prank involved a picture being taken of my friend in an unfortunate position while he was sleeping downstairs. He had left his laptop on the table and we agreed that it would be perfect to surprise him by changing the desktop background of his computer to the photo we took that night. At 4am I wasn't interested in live CD's or slaving hard drives but luckily I was able to boot into his Ubuntu partition in minutes with root access.

And why am I telling you this? Because the reason I was able to access it so easily was because Grub was not password protected and I booted it into rescue mode which gave me root access to his entire hard drive. Although I thought it was hilarious, it was a good reminder to always lock it down. So this is how to password protect some or all of the entries in Grub.

Password Protect Grub Entries

This shows you how to password protect individual Grub entries

1. Generate your Grub password with the following command
> grub-md5-crypt Password: Retype password: $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
2. Copy the last string because this is what you'll use inside the Grub configuration file
3. Using your editor of choice, edit /boot/grub/menu.lst
4. Find the part that shows the different boot options at the bottom of the page where you'll see something like this:
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic
There are some options which are not an issue to boot but the recovery mode ones would be
5. Edit the section for the recovery mode so that it looks like this
title Ubuntu 8.04.1, kernel 2.6.22-14-generic root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro quiet splash initrd /boot/initrd.img-2.6.22-14-generic quiet title Ubuntu 8.04.1, kernel 2.6.22-14-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.22-14-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.22-14-generic password --md5 $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30
This will force a password if a user attempts to boot into recovery mode but automatically boot into the default installation without one.
6. Save the menu.lst file and reboot to see if you were successful

Password Protect Editing Grub Entries

This is how to password protect all of Grub so that you cannot run your own commands. This is a big one because an attacker could edit the Grub entries to do something like print out your /etc/password file

1. Edit the menu.lst file
2. Find the section below and remove the '#' and replace the hash with your Grub hash you created earlier
# e.g. password topsecret password $1$Yozqb$OIKAYGPKQJfi2U9y/yDG30 # password topsecret

3. Go through each entry that you want to lock out from editing by adding the word "lock" right after the title

Load Alternative Menu On Password

This is a way of loading a separate boot menu when the user presses 'P' and enters a password.

1. Make a duplicate of menu.lst named menu-admin.lst. This will be the alternative menu
2. Edit the menu-admin.lst file so that you only have the entries you want. This is the only menu that will show so you may want to duplicate some of the original ones too.
title Ubuntu 8.04.1, kernel 2.6.24-19-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-19-generic title Ubuntu 8.04.1, kernel 2.6.24-18-generic (recovery mode) root (hd0,0) kernel /boot/vmlinuz-2.6.24-18-generic root=UUID=43ad544e-1e1a-4511-99de-fc1c8a9fea7c ro single initrd /boot/initrd.img-2.6.24-18-generic

Disclaimer

This is NOT by any means, a very good security measure. It's just a way to stop a lazy attacker or your little brother. The rule still applies that if you have physical access to the box, you can do what whatever you want. If you want to be serious about protecting a system from physical attacks, you'll need to look at encrypting the entire hard drive.

External Links

http://www.gnu.org/software/grub/manual/grub.html#Security

I've been using the SonicWall devices for a little while now. I started getting into them after a recommendation from a friend and the TZ series has proven to be a good solution for small to medium sized businesses.

You can find more information about SonicWalls and the TZ series here but I'm going to go over how to setup an IPSEC VPN between two tz180's using the Standard SonicOS firmware. If you have the enhanced SonicOS, the steps are almost the same.

Overview:

• set the unique names of each device
• configure subnet, dhcp, etc
• create a VPN policy to connect to the other

NOTE: I'm not talking about setting passwords or security here - it's assumed that you've already setup the environment.

Set the Unique Name on each device:

1. log into the first device's web interface
2. click on VPN on the left side
3. under "Unique Firewall Identifier" create a name logical name like "USNY1"
4. log into the second device's web interface
5. click on VPN
6. under "Unique Firewall Identifier" create another name like "USNY2"

Configure Subnets for DHCP:

1. log into the first device's web interface
2. click Network > LAN
3. set the SonicWall LAN IP to something like 10.0.1.1
4. set the subnet mask to whatever is appropriate for your network like 255.255.255.0
5. repeat the sames steps for device 2 except make the ip and subnet different like 10.0.2.1 and 10.0.2.0/255.255.255.0

Setup VPN Policy:

Assuming you have the following configuration we can create the VPN policy:

Site 1
Device Name: USNY1
Subnet: 10.0.1.0/24

Site 2
Device Name: USNY2
Subnet: 10.0.2.0/24

Setup Device 1

1. On device 1 click on VPN > Settings
2. click Add under VPN Policies
3. Fill out the information as shown below:
   IPSec Keyring Mode: IKE using Shared Secret
   Name: USNY2 [name of your device 2]
   IPSec Primary Gateway Name or Address: the public IP address of device 2
   IPSec Secondary Gateway or Name or Address: left blank in most cases
   Shared Secret: Since you will only be typing it in twice and this is the basis of the tunnel's security, you should set it to be very strong. [https://www.grc.com/passwords.htm] Write it down!
4. click the Specify destination networks below and click Add
5. type in the subnet that device 2 is controlling - in this example 10.0.2.0/24
6. click OK

Setup Device 2 [Almost same as above]

1. On device 1 click on VPN > Settings
2. click Add under VPN Policies
3. Fill out the information as shown below:
   IPSec Keyring Mode: IKE using Shared Secret
   Name: USNY1 [name of your device 1]
   IPSec Primary Gateway Name or Address: the public IP address of device 1
   IPSec Secondary Gateway or Name or Address: left blank in most cases
   Shared Secret: same as the password you generated above
   - click the Specify destination networks below and click Add
   - type in the subnet that device 1 is controlling - in this example http://10.0.1.0/24
   - click OK
   
   

Check The logs:

If you've configured everything correctly, you should be able to watch the VPN tunnel negotiation process from the event logs.

1. click on Log > Categories
2. check "Log all categories" - this will record VPN functions
3. under Log click "View"
4. review the logs for the following events:
   SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)
   RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)
   
   

Troubleshooting:

Phase 2 or Algorithm's Don't Match
If you see a log with this kind of message it is most likely caused by different encryption under the Phase 2 settings. Go back and make sure they match exactly.

IKE Initiator: Proposed IKE ID mismatch
This message is most likely caused by the firewall names being mismatched.  Make sure that under VPN settings, the name is set to something unique and the VPN policy on each device has each other's appropriate name.

Dynamic IP's
If you're connecting two sites with dynamic IP addresses, I've read that you need to check the "Aggressive Mode" type of VPN but maybe someone can confirm that.

1. click VPN and click configure on the tunnel you created
2. under proposals change "Exchange" to Aggressive mode
3. click the Advanced tab
4. click Enable Keep Alive and Try to bring up all possible Tunnels
5. click OK

Other
If you're getting anything else check out the log events reference guide here -
http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf.

External Links:

Sonicwall.com - Had to put a link to this
http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf - great guide for easy event log decoding
https://www.grc.com/passwords.htm - a good strong online password generator for one time passwords

Clearing out the last logged on user from the login screen is is a very simple task that I like to set on my domains and as the local policies for workgroup computers. It helps out in two different ways: first as a matter of security because an attacker walking up to the computer doesn't necessarily know a user name to log in with and second it helps to teach the user what their user name is because we all know if we don't type it in every day, we forget it. [see saved passwords]

Overview

For those of you that know mostly what you're doing and just need a reminder, here it is. The policy setting you need to change is located under:

• Computer Configuration > Windows Settings > and Security Settings > Local Policies >Security Options
• Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."

On a Windows Domain Controller

1. Under Administrative Tools open the Group Policy Management
2. Find the group policy you want to change select it, right click, and choose "Edit".
3. Expand Computer Configuration, Windows Settings, and Security Settings
4. Expand Local Policies node, and then click Security Options.
5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."
6. The setting will take affect on the next time the clients reboots. As a reminder, it can take varying amounts of time for group policies to be applied.

On a Local Vista Machine

1. In the Control Panel, click System and Maintenance and open the Administrative Tools
2. Open the Local Security Policy .
3. Expand Computer Configuration, Windows Settings, and Security Settings
4. Expand Local Policies node, and then click Security Options.
5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."

External Links:

http://support.microsoft.com/kb/310125 - Link to the MS KB article

I was having dinner with some of the IT guys from a client I work for and I brought up the suggestion that they do MAC filtering for all of their network devices as an added security measure. The only problem was they were using Windows Server 2003 for the DHCP server which, natively, does not support MAC filtering. That's where the DHCP Server Callout DLL comes in.

This is a DLL that was created by the Microsoft DHCP team to allow access to certain parts of DHCP that were not before. In this case, MAC filtering.

Why filter MAC addresses

The idea of DHCP MAC filtering is that when a foreign system tries to connect to your network, they are not given an IP address unless their network card is on the list of allowed systems. In order for them to get on the network, they have to see a member of the IT department.

This protects a guest from accidentally spreading infections of spyware, viruses, or trojans not to mention it helps the IT department keep track of who and what goes on the network. [Please notice how I say accidentally because MAC spoofing would easily circumvent this security measure]

Install The Callout DLL

Overview:

• Install the DLL
• Create the necessary registry keys
• Populate the list of allowed or denied MAC addresses
• Restart the DHCP

Download and Install

1. Download and install the files: Download
   The MACFilterCallout.dll was installed to %SystemRoot%\system32 along with a file named SetupDHCPMacFilter.rtf.This includes very basic instructions.
2. Run the MacFilterCallout.msi and go through the steps to install it. All this does is extract the two files to your %systemroot%\system32\ folder.

Create the registry keys:

Choose one of two ways:
Option 1: Manually create the following registry keys:

Key Name	Key Type	Description
CalloutDlls	REG_MULTI_SZ	The location of the MacFilterCallout.dll
CalloutEnabled	DWORD	0 = Disable MacFilterCallout 1 = Enable MacFilterCallout
CalloutErrorLogFile	REG_MULTI_SZ	Log path. If this registry key is not specified, callout dll will output errors %WINDIR%\System32\Log.txt
CalloutInfoLogFile	REG_MULTI_SZ	Info log path. If this key is not present, no information messages will be logged.
CalloutMACAddressListFile	REG_MULTI_SZ	This is the name and location of the MAC filtering list you're going to be creating next.

Option 2: Merge the keys that I've made for you: Download

Download the file above, extract the contents, and merge the registry file that I created for you.

Here are the values the .REG file contains. Make sure they match up to your environment.

Key Name	Value
CalloutDlls	C:\windows\system32\MacFilterCallout.dll
CalloutEnabled	1
CalloutErrorLogFile	C:\windows\system32\MacFilterCallout.log
CalloutInfoLogFile	C:\windows\system32\MacFilterCalloutInfo.log
CalloutMACAddressListFile	C:\windows\system32\MAClist.txt

NOTE: If you are not using C:\windows as your windows directory, you will have to edit the registry to fit your system.

Create the MAC list

As I showed above, the key CalloutMACAddressListFile points to a location where you need to create a specially formatted text file that contacts which MAC addresses to filter.You can only choose to allow a certain set of MAC's or DENY them. Here is the format of that file:

MAC_ACTION = {ALLOW / DENY} 0cdc1c6d1266 05dc2de01023 ...

Note: You must include the { }'s around either the ALLOW or DENY action

Help Populating the MAC list

If you are going to use the ALLOW action you're most likely going to want to find all of the valid MAC addresses on the network. Here are some suggestions for ways you can do this:

• Nmap + ARP- with the command nmap -PR 192.168.0.0/24 or whatever your network is, it will do an arp scan of the network. Then doing an "arp -a > arptable.txt" gives you tab delimited file perfect for opening as a spread sheet and extracting the list of MAC addresses you need to use
• DHCP logs - use your existing DHCP server logs [usually under c:\windows\system32\dhcp\] to find all the MAC addresses in the last week.
• Switch logs - if you have a good enough switch, it will keep track of which MAC addresses are using the devices.

Note: Obviously be careful how you create this list. If the CEO of the company has a laptop that you happened to forget to put onto the allow list, he may not be happy with your new security measure.

Want to know what the MSI Installer REALLY does?

One major pet peeve of mine is when you download a program and it installs without telling you what it did. That's how this MSI works. Here's what it does:

• copies the dll to %system%/system32/
• copies the rtf to %system%/system32/
• registers BOTH the dll and the rtf as shared DLL's
• adds some interesting registry keys like on named "CompleteMacLevel" that I don't know what it does.
  

I know that may not help anything but it makes me feel a little better.

External Links

http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx - DHCP server team's blog with the original article

I just learned today that you cannot force the user of SSL on any part of an Exchange enabled website in IIS. You can still use SSL but apparently turning on the "Require Secure Channel(SSL)" option makes OMA not work. Here was the error I was getting:

If you have recently changed your password, the system may not yet have completed the change. Please wait a short time and try again. If this is not the case, your Exchange server mailbox has not been created. Please access your account via Microsoft Outlook or Microsoft Outlook Web Access to create your user mailbox. Please contact your system administrator for additional assistance.

I have to admit I've only set up the OMA site a half dozen times so there may be something out there that explains this issue better than I but I've found a bunch of websites that support this claim. One site makes a reference to a KB article that no longer exists.

The Steps

1. Open the IIS Management Console on the back-end Exchange 2003 server.
2. Right click the Exchweb virtual directory under the default Web site, and then click Properties.
3. Click the Directory Security tab.
4. Click Edit in the Secure Communications area.
5. Click to clear the "Require secure channel (SSL)" check box, and then click OK for all windows.

But I To Force SSL

The problem remains "What if you actually want to force SSL?" I had a hard enough time trying to have 50 users understand what the "S" in HTTPS meant. What I did was create a second site that was Exchange enabled. This site I forced SSL while the first site I left it optional. I sent an update to the end users explaining that there was a new mail website "https://www.website.com/mail" and made a few minor modifications [adding company logo] so that they could tell the difference in the hopes that they would think that new = upgrade. This way, if they used http instead of https, I could redirect them automatically.

External Links

http://www.petri.co.il/forums/showthread.php?t=10208 - Daniel Petri's website forum http://www.webservertalk.com/archive128-2004-3-166297.html - Forum article that makes a reference to the problem.