Security Woes

Crackers are always on the lookout for new chances to access your accounts, whether you’re a private / regular internet user or a multinational corporation like Sony, who recently fell victim to several attacks affecting their flagship console, the PS3, and their Playstation Network.

It began when the PS3 private keys, which sign all data transactions and operations, became public. I won’t digress here; you can find a lot of info on Google, just search for GeoHot / Sony. The latest attack on the PSN has caused a week of downtime by the time I’m writing this, and only today has Sony come forth with a press release on the issue, as well as a FAQ, saying that their entire PSN user base had their data compromised, including credit card data.

I’m yet to believe that Sony hasn’t released the full extent of the information about the attack, so for now there are three crucial steps that PSN users should follow:

  • If you’re using your PSN password on any other service / account, change it. Change it everywhere. You are probably using the same email address you used on the compromised PSN account.
  • Change the password of the email address you used on your PSN account.
  • Change your credit card number, or cancel the card and get a new one. If you can’t do this, be on the lookout for strange credit card transactions and never, ever, give the confirmation code to anyone. Sony states that the credit card confirmation code wasn’t stored in their database.

Read the FAQ, they have more info there, but follow these three steps, and when the PSN is up again, change your password to something unique, not used on any other account / service, and remove your credit card number from the account.

Still on Security

With the advent of social networking and connected services, we’ve witnessed a lot of centralized authentication methods. It’s now usual for us to access services that use other sites’ accounts to authenticate, like “Login with Facebook” or “Authorize on Twitter”.

This can be very useful because you don’t have to memorize a ton of different passwords, but if your Facebook, Twitter or Google account is compromised, all the services using that “third-party” authentication will be compromised as well… so what to do?

  • Use strong passwords. A password like your birth date is not secure. Your pet’s name, your girlfriend’s, mom’s, dad’s or favorite actor’s name is not secure. Any dictionary word is not secure. Use random stuff with numbers, symbols, uppercase and lowercase, like “1M4ecur3!?”
  • Use a password manager like 1Password for Mac or KeePass Password Safe for PC. Not only will you have an encrypted and organized password safe, but these apps can also generate random passwords.
  • Use HTTPS whenever possible. This encrypts your traffic to these sites. Twitter, Google, Facebook, all of them have HTTPS options; you just have to go to your account settings and turn it on. Facebook can even warn you by email and SMS when another device accesses your account. Google has a 2-Step Authorization process for your account, using verification codes and an app for your mobile device that works like a token, giving you real-time generated verification codes.
  • Don’t use free Wi-Fi. Sure, it’s cool to use a free hotspot, but you never know who’s listening. People using free Wi-Fi are exposed to viruses and password sniffing. This can happen on your neighbor’s unprotected Wi-Fi or even your school’s network.
  • The usual crap: use a secure OS. Mac OS X and Linux are secure by nature. If you must use Windows, turn on the system’s firewall and get another one, as well as an antivirus. Be sure they’re always updated.
  • Don’t trust your passwords to anyone.

Remember, even with all these precautions you’re never totally safe.

Still on Squid integration with Active Directory

I wrote a post a few months ago explaining briefly how to integrate a Squid proxy with Microsoft Windows Active Directory.

With Windows XP and Vista the single sign-on works flawlessly, but Windows 7 needs a little tweak.

You’ll need to change a GPO on your AD:

Computer configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Find “Network Security: LAN Manager Authentication Level”
Set it to “Send LM & NTLM – use NTLMv2 session security if negotiated”

This happens because Squid uses NTLMv2 after version 2.6, but it is negotiated NTLMv2 rather than straight NTLMv2 (dunno why). Windows 7 refuses to negotiate by default and accepts only NTLMv2.

You might come across other issues in some apps, like having to authenticate manually; Dropbox is one example, but there may be others.

As usual, do this at your own risk!

Integrating Squid with Active Directory

Recently I needed to integrate a Squid proxy server into an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign-on.

The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.

In this solution, all users in the InternetOn AD group will be allowed access automatically. Any user outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompted for a username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.

krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 YOURDOMAIN = {
  kdc = yourpdc
  admin_server = yourpdc
  default_domain = YOURDOMAIN
  kpasswd_server = yourpdc
 }

[domain_realm]
 .yourdomain = yourdomain

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

#####################################################

smb.conf

[global]
 workgroup = YOURDOMAIN
 # or any other name you want
 server string = SQUIDPROXY
 security = ADS
 auth methods = winbind
 encrypt passwords = yes
 idmap uid = 70001-90000
 winbind enum users = yes
 winbind gid = 70001-90000
 winbind enum groups = yes
 client use spnego = yes
 winbind separator = \\
 load printers = yes
 cups options = raw
 log file = /var/log/samba/%m.log
 max log size = 50
 password server = yourpdcIP
 realm = YOURDOMAIN
 dns proxy = no

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

[printers]
 comment = All Printers
 path = /usr/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes

#####################################################

squid.conf

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
emulate_httpd_log on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
acl interneton external ADS InternetOn

acl blocksites url_regex "/etc/squid/squid-block.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
# http_access rules are evaluated top to bottom and the first match wins, so the
# port restrictions must come before the group allow; otherwise InternetOn
# members could CONNECT to any port through the proxy.
http_access deny blocksites
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# members of the InternetOn AD group (this triggers the NTLM / basic auth)
http_access allow interneton
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#####################################################

Start samba, winbind and squid, in that order.

Synchronize your Squid server’s clock with the AD (Kerberos rejects tickets when the clocks drift apart):

ntpdate yourprimarydomaincontroller

Initialise Kerberos

kinit administrator@YOURDOMAIN

Test Kerberos connection

klist

Join Squid Server to AD

net ads join -S yourpdc -U administrator

Validate Trust

wbinfo -t

Check that the wbinfo_group.pl script is working:

echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d
(it prints OK if the user is in the InternetOn group, ERR otherwise)

You might have some problems with the winbindd_privileged directory. If that’s the case:

cd /var/cache/samba
chgrp squid winbindd_privileged
chmod 750 winbindd_privileged

The problem with this setup is that when you change the InternetOn membership, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run from cron or manually.

clearcache.sh

#!/bin/bash
# Flush the winbind cache so that AD group membership changes are picked up.
# Stop the daemons first: the tdb files must not be removed while in use.
/etc/init.d/smb stop
/etc/init.d/winbind stop
# Remove the cached tdb files (winbindd_cache.tdb etc.); they are rebuilt on start.
rm -f /var/cache/samba/*.tdb
/etc/init.d/smb start
/etc/init.d/winbind start
# Reload Squid so it re-queries the group helper instead of serving old answers.
/etc/init.d/squid reload

Test this at your own risk. 🙂
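One check worth running on any squid.conf built from this post, as an added example that is not part of the original write-up: Squid applies http_access rules top to bottom and the first match wins, so an “allow interneton” placed before “deny !Safe_ports” and “deny CONNECT !SSL_ports” lets group members reach any port through the proxy. The script below lints that ordering over two constructed sample configs; the temp files and the use of awk are the only assumptions.

```bash
#!/bin/sh
# Squid evaluates http_access rules top to bottom and stops at the first match,
# so a broad "allow" (here the InternetOn group) placed before
# "deny !Safe_ports" / "deny CONNECT !SSL_ports" exempts those users from the
# port restrictions entirely. This lint prints one WARN line per problem and
# returns 1 if the ordering is unsafe, 0 if it is fine.
check_http_access_order() {
  awk '
    /^[ \t]*http_access[ \t]/ {
      n++; rule[n] = $0; line[n] = NR
      if ($2 == "deny" && $3 == "!Safe_ports") safe = n
      if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") ssl = n
    }
    END {
      bad = 0
      if (!safe) { print "WARN: no \"http_access deny !Safe_ports\" rule"; bad = 1 }
      if (!ssl)  { print "WARN: no \"http_access deny CONNECT !SSL_ports\" rule"; bad = 1 }
      for (i = 1; i <= n; i++) {
        nf = split(rule[i], f)
        if (f[2] != "allow") continue
        # allows restricted to the proxy host itself (manager, purge) are harmless
        local_only = 0
        for (j = 3; j <= nf; j++) if (f[j] == "localhost") local_only = 1
        if (local_only) continue
        if (safe && i < safe) { print "WARN line " line[i] ": \"" rule[i] "\" precedes deny !Safe_ports"; bad = 1 }
        if (ssl && i < ssl)   { print "WARN line " line[i] ": \"" rule[i] "\" precedes deny CONNECT !SSL_ports"; bad = 1 }
      }
      exit bad
    }' "$1"
}

# Constructed sample with the ordering used in the post: the group allow comes first.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
http_access deny blocksites
http_access allow interneton
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
EOF

# Constructed sample with the port restrictions moved ahead of the group allow.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
http_access deny blocksites
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow interneton
http_access allow localhost
http_access deny all
EOF

for conf in "$BAD_CONF" "$GOOD_CONF"; do
  if check_http_access_order "$conf"; then echo "$conf: ordering OK"; else echo "$conf: UNSAFE ordering"; fi
done
```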

LAN IPs on Mail.app Email Headers

Dear Apple,

please explain why my computer’s LAN IP address (added to avoid confusion with the router’s IP) is showing up in the headers of the mails I send with Mail.app.

Thanks!

Below, the address between question marks in the “Received” line (in red in the original post) is my computer’s private LAN IP address. The address in square brackets (in green) is my router’s public / WAN IP address, which it is “normal” to include in most email headers.

Return-Path: <rsaramago@gmail.com>
Received: from ?XX.XX.XX.XX? (pa6-XX-XX-XXX-XXX.netvisao.pt [XX.XX.XXX.XXX])
 by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-1-623152288
From: Ricardo Saramago <rsaramago@gmail.com>
To: Testy McTest <test@test.pt>
X-Mailer: Apple Mail (2.1077)

Update: I’ve clarified some descriptions above after some user comments; I realized it wasn’t clear which IPs I was referring to.

It seems that this is common on most email clients, except Outlook. This “issue” caught my attention when I was looking into the headers of a mail I sent from Mail.app in reply to a mail from Outlook, and they were indeed different in this respect.

The client computer’s local IP address and the router’s / firewall’s / modem’s / whatever public IP address are added by the SMTP server to the envelope’s “Received” line, which it probably gets from the EHLO.

Still, this isn’t secure, as it allows malicious attackers to map a victim’s network very easily.
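An added example (not from the original post) of turning this into a check you can run over your own outgoing mail: it reads the topmost Received: line, takes the name the client announced in EHLO (the ?…? part in the header above) and reports when that is an RFC 1918 private address. Both header samples are constructed, using documentation addresses for the public side.

```bash
#!/bin/sh
# Check the topmost "Received:" line of a message for a leaked private address.
# The receiving SMTP server records two things there: the name/address the client
# announced in EHLO (Mail.app sends its LAN IP wrapped in ?...?) and, in square
# brackets, the address it actually saw the connection come from.

# RFC 1918 private ranges only; link-local and the like are out of scope here.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads message headers on stdin; prints one LEAK or OK line.
check_received_leak() {
  line=$(awk '/^Received: from / { print; exit }')
  announced=$(printf '%s\n' "$line" | awk '{ print $3 }' | sed 's/[][?]//g')
  seen=$(printf '%s\n' "$line" | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p')
  if [ -n "$announced" ] && is_private_ip "$announced"; then
    echo "LEAK: client announced $announced in EHLO (seen from ${seen:-unknown})"
  else
    echo "OK: announced '${announced:-none}', seen from ${seen:-unknown}"
  fi
}

# Constructed samples; public addresses are RFC 5737 documentation ranges.
LEAKY_HEADERS='Return-Path: <alice@example.org>
Received: from ?192.168.1.23? (cpe-198-51-100-7.example.net [198.51.100.7])
 by mx.example.org with ESMTPS id abc123
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
From: Alice <alice@example.org>'

CLEAN_HEADERS='Received: from mail.example.org (mail.example.org [203.0.113.5])
 by mx.example.org with ESMTPS id def456
Subject: hello'

printf '%s\n' "$LEAKY_HEADERS" | check_received_leak
printf '%s\n' "$CLEAN_HEADERS" | check_received_leak
```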

JoikuSpot – A WiFi Spot on your Mobile

JoikuSpot is a free mobile software solution that turns Nokia smartphones into WLAN hotspots.

The JoikuSpot software is installed directly on the phone. When switched on, laptops and iPods can establish an instant and fast wireless internet connection via the smartphone’s JoikuSpot access point, using the phone’s own 3G internet connection.

Multiple devices can connect to JoikuSpot in parallel and seamlessly share the same 3G internet connection. JoikuSpot thus acts as an internet gateway for external WLAN devices.

Useful isn’t it? 🙂

Little Snitch 2.0 Beta 6

Little Snitch is a Mac OS X app that runs in the background and hooks into the kernel. As the name indicates, Little Snitch warns you when an application tries to make a network connection, asking you to decide whether to allow it, deny it, or add a permanent rule for that specific app for future connections.

A good amount of information on the connection being made is presented to the user, and in version 2 (still in beta), besides the improved network filtering, a visual Network Monitor has been implemented, giving the user real-time access to the connections as well as some send / receive icons like Zone Labs’ ZoneAlarm. The configuration interface has undergone some changes and is now more functional and user friendly than in the previous version.

[tags]Little Snitch, Security, Networking, Mac OS X[/tags]

Jack?

I’m getting a few hits from someone with this user agent: JACK-O`-LANTERN/1.1

I’ve googled it and found nothing… Does anyone know who’s using this?

[tags]JACK-O`-LANTERN, User Agent, Browser, Search Engine, Crawlers[/tags]

Your Own Personal Mail Server

Are you sick of having all your mail spread around on your computers? When you have more than one PC, or even if you check your email at work and then at home, it’s a nightmare to keep track of so many emails. And if you’re like me, with multiple mail accounts, meaning more mail from different sources, well, the solution isn’t spending all day sending mail back and forth from one account to another. The solution is actually pretty simple: IMAP!

This how-to covers Ubuntu 6.06 Server (yes, the server version of Ubuntu, duh!) but it’s pretty simple to adapt to other distros. Let’s start!

Be warned that you may lose some email messages in the process, so test this first with a dummy account!

Assuming you have Ubuntu installed and updated, open a shell and type:

mkdir -p ~/Maildir/cur ~/Maildir/new ~/Maildir/tmp
(create it in your home directory; a Maildir needs the cur, new and tmp subdirectories)

sudo apt-get install dovecot

Let it install all the packages needed as dependencies.

Dovecot is an open source IMAP and POP3 server; it’s very simple to install / configure and supports the Maildir format, which is a standard and the one we’re going to use. Dovecot is very complete and has several options, most of them related to security. I’m not covering those, so feel free to explore.

So, back to the shell and enter:

sudo nano /etc/dovecot/dovecot.conf

Now change the following:

# Protocols we want to be serving:
# imap imaps pop3 pop3s
#protocols = imap imaps
#protocols = imap imaps

to

# Protocols we want to be serving:
# imap imaps pop3 pop3s
#protocols = imap imaps
protocols = imap imaps

Save the file and run dovecot:

sudo /usr/sbin/dovecot

And now test your IMAP Server:

mutt -f imap://yourusername@localhost

You should get a little nagging about the certificate, but after that you enter your password and you should be able to see your empty IMAP folder.

Now the next part is to get the email from the other accounts, and for this we’re using a little app named Getmail. Getmail can check your POP and IMAP accounts; I’ll cover only POP accounts, but there are some examples you can check. Getmail also features some very useful mail sorting options you can look into later.

So, if you’re using “normal” Ubuntu 6.06, you should be able to install Getmail via apt-get:

sudo apt-get install getmail

If you’re using the Ubuntu server version you won’t get this package via apt-get unless you add the right repository (universe), or you can download the package and install it manually:

wget http://archive.ubuntu.com/ubuntu/pool/universe/g/getmail4/getmail4_4.4.3-1_all.deb

sudo dpkg -i getmail4_4.4.3-1_all.deb

Now comes the lame part 😛

You’ll have to write a little configuration file for each of the POP / IMAP accounts you want to check. I’m going to give you an example for a regular POP account and for a Gmail account.

Again, back to the shell and type:

mkdir -p ~/.getmail
cd ~/.getmail
nano gmailrc
chmod 600 gmailrc

(no sudo here: getmail will run from your own crontab, and the file holds your password in plain text, so keep it owned by you and readable by you only)

The configuration file for a GMAIL account:

[retriever]
type = SimplePOP3SSLRetriever
server = pop.gmail.com
port = 995
username = yourusername@gmail.com
password = yourpassword

[destination]
type = Maildir
path = ~yourhomedirectory/Maildir/

[options]
delete = true

Save it and repeat the process for a regular POP account:

nano ispmailrc
chmod 600 ispmailrc

[retriever]
type = SimplePOP3Retriever
server = pop3.myisp.com
username = yourusername@myisp.com
password = yourpassword

[destination]
type = Maildir
path = ~yourhomedirectory/Maildir/

[options]
delete = true

Save and test it (as your own user, not with sudo, otherwise the delivered files end up owned by root and your account can’t read them through Dovecot):

/usr/bin/getmail --rcfile=gmailrc

If all goes well you’ll get a few messages like this:

getmail version 4.4.3
Copyright (C) 1998-2005 Charles Cazabon. Licensed under the GNU GPL version 2.
SimplePOP3SSLRetriever:username@gmail.com@pop.gmail.com:995:
0 messages retrieved, 0 skipped

This means Getmail is working. Now send yourself some messages on your accounts to test it, and run getmail again to check that it delivers to your IMAP folders. You can check using Mutt like we did earlier.

By now everything should be working perfectly; we just have to automate the email checking. Let’s use crontab. Go to the shell and enter:

crontab -e

Now copy this line and save the file:

* * * * * /usr/bin/getmail --rcfile=gmailrc --rcfile=ispmailrc >> /dev/null 2>&1

(this has to be all in one line, don’t break it or it won’t work correctly!)

And we’re done! Now use an IMAP-compatible client like Mozilla Thunderbird or Evolution and you’ll never have to worry about email again.
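Two things worth checking before leaving this to cron, as an added example that is not part of the original how-to: the getmail rc files contain your POP passwords in clear text, so they must be readable by your user only and owned by you (not by root, which is what happens when they are created with sudo), and the Maildir must really have cur/, new/ and tmp/. The throwaway fixture directory and the GNU stat calls are assumptions for a Linux host.

```bash
#!/bin/sh
# Pre-flight checks for the getmail + Dovecot Maildir setup. Each function
# prints one "PROBLEM: ..." line per finding and returns the number of
# problems found, so a return of 0 means the check passed.

# A directory is only a Maildir if cur/, new/ and tmp/ all exist; getmail's
# Maildir destination refuses to deliver into a bare directory.
check_maildir() {
  count=0
  for sub in cur new tmp; do
    if [ ! -d "$1/$sub" ]; then
      echo "PROBLEM: $1/$sub is missing, so $1 is not a valid Maildir"
      count=$((count + 1))
    fi
  done
  return "$count"
}

# The rc files hold plaintext POP passwords: they must not be group/world
# readable, and they must belong to the user whose crontab runs getmail.
# Uses GNU stat -c (assumption: Linux host).
check_rcfiles() {
  count=0
  for rc in "$1"/*rc; do
    [ -f "$rc" ] || continue
    mode=$(stat -c '%a' "$rc")
    owner=$(stat -c '%U' "$rc")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
      echo "PROBLEM: $rc has mode $mode, fix with: chmod 600 $rc"
      count=$((count + 1))
    fi
    if [ "$owner" != "$(id -un)" ]; then
      echo "PROBLEM: $rc is owned by $owner, not $(id -un) (created with sudo?)"
      count=$((count + 1))
    fi
  done
  return "$count"
}

# Constructed fixture: a throwaway home directory mimicking the post's layout,
# with tmp/ missing and a world-readable rc file so both checks find something.
HOME_DEMO=$(mktemp -d)
mkdir -p "$HOME_DEMO/Maildir/cur" "$HOME_DEMO/Maildir/new" "$HOME_DEMO/.getmail"
printf '[retriever]\ntype = SimplePOP3SSLRetriever\nserver = pop.gmail.com\nport = 995\nusername = you@gmail.com\npassword = example-only\n' \
  > "$HOME_DEMO/.getmail/gmailrc"
chmod 644 "$HOME_DEMO/.getmail/gmailrc"

if check_maildir "$HOME_DEMO/Maildir"; then echo "Maildir OK"; fi
if check_rcfiles "$HOME_DEMO/.getmail"; then echo "rc files OK"; fi
```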

[tags]IMAP, POP, E-Mail, Email, GMail, Personal Mail Server, Linux, Ubuntu, Ubuntu Server, Getmail, Dovecot[/tags]

Ubuntu 6.06 and WPA

Last week, after receiving the Ubuntu CDs from Canonical as usual, I installed Dapper on my Asus A2 laptop. Installation went fine, except for the same old problem with my SMC 2835 wireless PCMCIA card. Once again I had to go through the whole process of getting my wireless connection working, but this time I took an alternative road.

– First of all, install Automatix; this script will install the NDISWrapper and Gnome NetworkManager packages needed to simplify the process.

– If you run ifconfig you’ll probably see your wireless card listed as eth2; this will change later to wlan0.

– Make sure you have NDISWrapper installed by running ndiswrapper in a terminal window. If you get a “command not found” error, then something went wrong with Automatix; make sure you check the wireless networking packages. If you get an error response from NDISWrapper itself, that’s fine, it means you have it installed.

– This is one of the most important steps. Ubuntu loads the Prism54 kernel module, but this conflicts with NDISWrapper, so you’ll have to run sudo rmmod prism54, then sudo gedit /etc/modprobe.d/blacklist, add the line blacklist prism54 to the file and save.

– Reboot.

– Now, download the SMC 2835 Windows XP drivers, unpack and install with Windows Wireless Drivers (System > Administration > Windows Wireless Drivers and then Install New Driver).

– By now your wireless NIC should be listed as wlan0 in ifconfig.

– You should have the Gnome NetworkManager applet on the Gnome panel near the clock, click it and choose “Connect to Other Wireless Network” and you’ll see WEP and WPA options. Just enter your Wireless Network SSID and password and you’re done.

You can probably adapt this mini tutorial to another wireless NIC, so let me know if this works for you.

[tags]Linux, Ubuntu, Dapper, Wireless, SMC, SMC 2835, NDISWrapper, Automatix, Gnome[/tags]

DNS and the B(L)IND

I recently moved my domain to this server. Everything went well except for the pain in the behind that was the DNS. After waiting more than 72 hours for the TLDs to update (with no success), I had to change the DNS server where my domain was registered (again). Another problem I came across was with my ISP’s secondary DNS server. It had different records than the primary name server, so once in a while I got no access to my mail accounts. Once I flushed the DNS cache everything went fine, but minutes later I got the wrong IP address AGAIN.

Now everything seems to be working fine, but I decided to catch up on some reading to refresh my knowledge of DNS. I found a very nice link collection on Linux Journal; check it out.

The Open Source version of DNS
OpenNIC: Democratic Name System DNS
Tutorials, Tips and Tricks, HowTo and other Articles
DNS Concepts
DNS HOWTO
DNS tricks and tips
DNS for Rocket Scientists
Internet Domain Name Structure
Domain Name System
Men & Mice – DNS Resources
Setting Up Your New Domain Mini-HOWTO
How to Use Domain-Based Blacklist Zones
Bind and Dnsmasq
freshmeat.net: Project details for Dnsmasq
Configuring BIND with Webmin – RimuHosting
BIND 9 Administrator Reference Manual
Berkeley Internet Name Domain (BIND)
Free DNS hosting
The Public DNS Service
List of free DNS hosting sites
Another list of free DNS hosting sites
Setting up Dynamic DNS at Home
How To Set Static and Dynamic DNS for Your ISP
Free Dynamic and Static DNS
Dynamic Network Services
Online Tools for the Beginner to play with
DNS, Network and other tools.
Expired Domain Name Search
E-Mail relay, DNS, Network and other tools

[tags]DNS, BIND, Dnsmasq, Zones, Domains, Networking[/tags]