3 posts tagged “security”
I'm in the process of moving our work website from externally hosted to in house. Being as security-conscious a company as we are, I opted to go with OpenBSD 4.1 since it is very, very secure out of the box. With only two security holes in the last 10 years in the default install, it was the best choice.
OpenBSD is definitely for the server and admin crowd. There is no GUI; in fact, OpenBSD has the leanest install program I have seen in a long time. My first task was to figure out how OpenBSD wanted to be partitioned. Tutorials on the internet differed as to how one does this, but after attempting to install it three times I finally figured it out.
After the install comes updating. OpenBSD does its updating by downloading the source for the kernel and the userland binaries and then compiling them. So, I did that about three times before I finally got CVS to download everything and then compile. Overall, OpenBSD took over eight hours to install by the time I figured everything out.
The best thing about OpenBSD, though, is that since I'm following -stable, I can take that machine that I went through hell to install and make an install image from it. I made my own release of -stable, copied the files to my Ubuntu box at work, and made an installation ISO out of it.
Now I can install OpenBSD 4.1-stable on my new servers at work, and be safe in the knowledge that they are that much safer.
If anyone can't tell, I'm big on computer and network security. I've got a linux firewall instead of a regular D-Link or Linksys $100 router, I've got Intrusion Detection programs on both the router and a central logging server to alert me of any problems on my Windows and Linux boxen, I don't use dictionary words for passwords... but I only have WEP on my router.
Part of this is because I'm cheap, and the wireless card for my laptop (which is seriously about to be deprecated to a server because it is almost falling apart now) only supports 802.11b. Despite this, my wireless router is still hooked up to my 'Green' network, as my router calls it, and has full access to all the other computers. I could segregate my wireless network by adding a new NIC to my router box, but I don't. Why?
Because, like almost everyone else running wireless routers, I'm lazy. The damn things should just work. A little over a month ago (or maybe two, I'm bad with time), I did a bit of wardriving at work while we checked out a remote location for disaster recovery. On the way there and back, I picked up over 140 wireless routers. All I had was a copy of BackTrack, a Prism wireless card, and an external antenna.
Amazingly, people in the country almost always had WEP installed. This is in part, I believe, because of the wireless broadband providers around here. The ISP I worked for almost set up at least WEP on the routers, and because cable and DSL won't service these rural customers, they are left with wireless service. A good amount of them were also running WPA. So, ultimately, I wasn't that surprised.
What did surprise me was driving through town on the way back. Almost 70-80% of people had nothing on, neither WPA nor even WEP. I even found a router called 'FREE HACKED WIRELESS' (or something close to that, I don't have the logs in front of me) along with other funny wireless names. What was scary was that people would even change the default wireless network's name, but not enable encryption!
Why am I rambling about this? Mostly because wireless routers should be more secure out of the box. WPA has helped a lot with regard to keeping your network closed, but most routers are not set up with any security by default. WEP itself is just a minor deterrent to keep people off of your network. Tools are available online (or, in the case of BackTrack, on the LiveCD itself) with great documentation on how to use them, along with full tutorials on WEP/WPA cracking. What's a person to do?
Turn Off Wireless If You Don't Need It
Most people go into a store and grab the first router they see, and it's becoming harder and harder to not get a wireless router. Heck, some ISPs ship out router/modem/wireless combo boxes! If you don't have a wireless card in any of your computers, find out how to disable the router's radio and do so.
Use WPA instead of WEP and Use A Random Passphrase
For the first part, WPA is only crackable via a dictionary attack, whereas WEP is easily cracked no matter how well you randomize your password. Because of flaws in WEP, all a cracker needs is enough encrypted packets to find out the key. It doesn't even take that long on a halfway decent machine. Second, if you use WPA, use a strong passphrase, and make sure that it is either a nice sentence or completely random. WPA is easily cracked when you use a dictionary word, but random passphrases should not show up in dictionaries.
How do you minimize damage if someone maliciously breaks into your network and wants more than bandwidth?
Encrypt/Tunnel Your Connections
This is the easiest, and I've already covered how to browse securely. If you segregate your network into wired and wireless segments, you can use a VPN or SSH tunnel to encrypt all of your traffic so no one can see what you are doing. This won't protect the machines on your network, though. For that you will need to...
Split Your Network Apart
We do this at work. Higher-grade routers allow you to split your network into different parts. For example, IPCop can split your network into 'Green' (trusted completely, usually a wired network), 'Blue' (slightly less trusted, recommended for wireless networks), and 'Orange' (firewalled DMZ) networks. Each is separated from the other networks by the router, so if you have all your machines on the Green network and your wireless router on the Blue, they can't access each other. So even if someone breaks your encryption and starts sniffing around, they will only see what is on the wireless router. Couple that with a VPN connection or tunneling, and they can't see anything at all!
So, stop being lazy and secure your wireless. Maybe I'll do that this weekend when I rebuild my network at my new house. Maybe.
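As an added example (not IPCop's own configuration), here is the same Green/Blue/Orange separation written as OpenBSD pf(4) rules for a router with four NICs. The interface names, the address ranges and the OpenVPN subnet on tun0 are assumptions for the example.

```conf
# Added illustration of the Green/Blue/Orange split in OpenBSD pf(4) syntax.
# Interface names and address ranges are assumptions for this example.
ext_if    = "em0"            # Red: the internet side
green_if  = "em1"            # Green: trusted wired LAN
blue_if   = "em2"            # Blue: the wireless access point plugs in here
orange_if = "em3"            # Orange: firewalled DMZ

green_net  = "192.168.1.0/24"
blue_net   = "192.168.2.0/24"
orange_net = "192.168.3.0/24"

# Every internal network, so rules can say "anything that is not ours"
table <lan_nets> const { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }

set skip on lo

# Default deny, logged: nothing crosses a zone boundary unless a rule below allows it
block log all

# Green (trusted) may talk to everything, including Blue and Orange
pass in on $green_if inet from $green_net

# Blue (wireless) may only reach the internet ...
pass in on $blue_if inet from $blue_net to !<lan_nets>
# ... plus the router's own OpenVPN port, so wireless clients can tunnel in
pass in on $blue_if inet proto udp from $blue_net to ($blue_if) port 1194
# Clients that authenticated through the tunnel arrive on tun0 (assumed VPN
# subnet 10.8.0.0/24) and only then get to see the Green machines
pass in on tun0 inet from 10.8.0.0/24 to $green_net

# Orange (DMZ) may reach the internet but never initiate toward Green or Blue
pass in on $orange_if inet from $orange_net to !<lan_nets>

# Replies travel back through the states the rules above created (floating
# state policy is the default), so no extra rules are needed for return traffic.
pass out on $ext_if inet
```

Someone who breaks the wireless encryption lands on Blue and is stopped by `block log all` the moment they try to reach a Green address; the logged drops are also what to watch for in the firewall logs.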
I'm completely at a loss for what I want as my first post on Vox, so I'm going to put something up that I've been working on on-and-off for my Blogger blog.
I recently went on two trips, a wedding and then a business trip, and both involved getting internet access at the hotel. The hotel we stayed at for the wedding had free wireless internet, which was completely unencrypted and definitely visible from the other hotels grouped around it. The second hotel had strictly wired internet which required me to sign up. Neither of them really gave me a huge amount of confidence in them keeping my information safe. What does one do? If you have broadband and a dynamic DNS account (I suggest DynDNS.org, I've used them for years without a problem), you have some options!
Remote Desktop
This is the easiest thing to set up. All you need is a broadband connection back home, a router, and a spare computer. If you don't want to spring for an extra Windows license for the machine, you can install Ubuntu Linux and use FreeNX to run a fully encrypted session through your home's internet connection. I prefer this solution over regular Windows XP Remote Desktop because it is faster, and there is less chance someone will hack your Linux box as opposed to a Windows XP machine sitting on the internet.
Tunneling via VPN
There are a couple of ways that people can tunnel their internet connection. The one that will give you the most control is a VPN. Both times I used OpenVPN to connect back home, and I did all my browsing via a remote Linux box. The tunnel kept everything encrypted just like a corporate VPN, and since I did everything through a remote computer's browser, there was no chance of my passwords being sniffed across the network. VPNing also does not restrict you to what is on a single machine. If you use iTunes or SlimServer to stream music across your network at home, you can access them just like you could if you were at home.
You can also have OpenVPN force all your traffic through the secure VPN connection. This way you do not have to set up a remote computer to do your surfing (in a normal VPN setup that does not route everything through the tunnel, all of your internet requests go through the ISP you are connected to, in this case the hotel). This is fine as long as you don't do any large downloads, as that will quickly kill your VPN's bandwidth.
To set this up, I recommend replacing your home router with an IPCop Linux router and installing the Zerina OpenVPN plugin for it. This will set up a VPN server (and a much nicer router than most $50-$100 routers are) in less than 30 minutes. For your clients, you can install the command-line OpenVPN client for Linux (Ubuntu/Debian users should be able to just do a 'sudo apt-get install openvpn' if you have the extra repos set up), and Windows users can use the OpenVPN GUI.
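To show what "force all your traffic through the VPN" looks like in OpenVPN itself, here is an added example server and client configuration; it is not the config the Zerina plugin generates. File paths, the 10.8.0.0/24 tunnel subnet, the resolver on 10.8.0.1 and the dynamic DNS hostname are assumptions.

```conf
# Added example, not the Zerina plugin's generated configuration.
# --- server.conf (on the home router; paths and addresses are assumptions) ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0     # extra HMAC on the handshake; drops unsigned packets early
server 10.8.0.0 255.255.255.0      # address pool handed out to connecting clients
keepalive 10 120
persist-key
persist-tun

# This is the "force everything through the tunnel" part: def1 overrides the
# client's default route with two /1 routes while keeping the route to the VPN
# server itself, so the tunnel does not try to carry its own packets.
push "redirect-gateway def1"
# Without this the laptop keeps using the hotel's DNS, which still reveals which
# sites you visit. Assumes a resolver listening on the router's tunnel address.
push "dhcp-option DNS 10.8.0.1"
# The router must also NAT 10.8.0.0/24 out its internet interface, or browsing
# through the tunnel goes nowhere; IPCop handles that for the VPN network.

# --- client.ovpn (on the laptop; the hostname is a placeholder for your dynamic DNS name) ---
client
dev tun
proto udp
remote home.example-dyndns-name.invalid 1194
resolv-retry infinite
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1
remote-cert-tls server             # refuse a stolen client certificate posing as the server
persist-key
persist-tun
```

Windows clients apply the pushed DNS setting automatically; Linux clients need a helper script to update the resolver, otherwise only the routes change and DNS still leaks to the hotel.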
TOR + Privoxy
This is a good last-ditch effort if you don't have broadband at home or can't set up either of the above options. TOR (The Onion Router) is a software router that sends all of your traffic through other random TOR servers out on the net. It finds a single TOR server and sends the request to it; that server finds another TOR server and sends the request through it, and so on until you reach your destination. Slow, yes, but it gets the job done.
Privoxy allows you to set up a SOCKS4/5 proxy to filter different programs through TOR. You can point your IM programs, browsers, or anything else that supports SOCKS proxies at your local Privoxy install, which then pushes it through TOR. Brilliant! This will not speed up a TOR connection at all, but it gives you a good measure of protection from packet sniffers.
Well, I hope that this helps those road warriors out there a bit. In this day and age, the tools to do identity theft are free and getting easier and easier to use. The above suggestions on keeping your information private should help keep you a bit safer when it comes to the internet.