August 08, 2014

So you want to bring your laptop to DEF CON?

This week and last I have been attending back-to-back security "cons": Black Hat and DEF CON.  Needing to still stay in touch with co-workers and family, I brought my laptop.  Being a naturally paranoid person, I can explain to you a couple of the measures I took in taking my laptop to -- what has been affectionately labeled, "the most hostile network on the planet earth" -- and what you should and shouldn't do in taking your own kit to the con scene.

  1. "SHUT THEM ALL DOWN!!!"  I.e. you want to minimize your attack surface.  While this is good advice on any given day, it's especially true if you're bringing your own box to Black Hat or DEF CON.  There are four command-line tools I used to "shut them all down": `netstat`, `chkconfig`, `lsof` and `service`.  (If you want to get technical, I used `grep` and `bash` too, but let's not be that guy today.)  How?  `netstat -nl | grep -v unix` will show you all the TCP and UDP ports listening.  `lsof -i 4UDP:$PORT` or `lsof -i 4TCP:$PORT` will tell you which process has $PORT open; you then stop that service from starting at your chosen run-level (`chkconfig --level $RUNLEVEL $SERVICE off`) and use `service` to stop it right now (`service $SERVICE stop`).  Repeat until nothing but your DHCP client is running.
  2. Do NOT download ANYTHING while on the con's network.  Surfing the web is okay, provided you're not downloading whiz-bang new tools you learned about on the con's network, OR performing system updates (which my laptop kindly tried to get me to do.)  The reason is simple: DNS poisoning attacks or IP spoofing could allow another con attendee to redirect your request(s) to a hostile network or host.  The worst-case scenario here is that someone hijacks something like debian.linuxmint.com (or whatever your distro's repo is) and sends you forged updates that you then install... your box is now pwned.
  3. Use the lid of your laptop to protect your keystrokes from being observed while entering your password(s).  While cumbersome, this will in fact diminish the likelihood that your passwords will be observed without considerable effort while logging in.  As a recent talk at DEFCON intimated, Google Glass can be used to observe login credentials from up to 140ft (45 meters).
  4. Don't plug your USB devices into ANYTHING without an intermediary "dumb" device between you and it.  This is because USB is inherently flawed and trusts the controllers it plugs into.  In anticipation of this, I opted to bring two Tenergy Mo. 51037 battery packs with me to charge my phone and tablet.
  5. Just like your laptop, you should not download or install new software on your smart phone.  In fact, I went as far as turning off "mobile data", location services, wifi, and NFC (near-field communications), so someone would legitimately have to hack the cellular service to get on to my phone.
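The port audit from step 1, as an added shell example that is not part of the original post: it parses `netstat -nl` style output into listening TCP/UDP ports, separates loopback-only sockets from ones bound to every address (the ones the con network can actually reach), and maps each exposed port to its owning process with `lsof`, the same way the step describes. The netstat output embedded below is constructed, and `audit_live` is a hypothetical helper that needs `netstat` and `lsof` present on the host; nothing in it stops a service, it only reports what you would then hand to `chkconfig` and `service`.

```shell
#!/bin/sh
# Added example (not from the original post): find what is listening before
# you "shut them all down". Reporting only; no service is stopped here.

# Constructed sample of `netstat -nl | grep -v unix` output, so the parsing
# can be exercised offline. 68/udp is the DHCP client step 1 says to keep.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 :::5353                 :::*'

# listening_ports: read netstat-style lines on stdin and print one
# "proto port scope" line per socket, where scope is "any" for sockets bound
# to 0.0.0.0 or :: and "local" otherwise. IPv4 and IPv6 are folded together
# and duplicates are dropped.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)        # tcp6 -> tcp, udp6 -> udp
        n = split($4, a, ":"); port = a[n]      # text after the last colon is the port
        scope = ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) ? "any" : "local"
        key = proto " " port " " scope
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# exposed_ports: only the sockets reachable from the network, as "proto port".
exposed_ports() {
    listening_ports | awk '$3 == "any" { print $1, $2 }'
}

# count_exposed: number of exposed ports (handy as a before/after check).
count_exposed() {
    exposed_ports | wc -l | tr -d ' '
}

# audit_live (hypothetical helper): run the real commands from step 1 on this
# host and print each exposed port with the process that owns it.
audit_live() {
    netstat -nl 2>/dev/null | grep -v unix | exposed_ports | while read -r proto port; do
        p=$(echo "$proto" | tr a-z A-Z)        # lsof wants TCP/UDP in upper case
        owner=$(lsof -nP -i "4$p:$port" -i "6$p:$port" 2>/dev/null \
                | awk 'NR > 1 { print $1 "(" $2 ")" }' | sort -u | tr '\n' ' ')
        printf '%s/%s owned by %s\n' "$port" "$proto" "${owner:-<unknown>}"
    done
}

# Offline demonstration on the constructed sample; call audit_live instead to
# inspect the real host.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

On the sample, `exposed_ports` reports 22/tcp, 68/udp and 5353/udp and leaves out 631/tcp because it is bound to loopback only. On a systemd host, where `chkconfig` and `service` are gone, `ss -nltup` shows port and owning process in one step and `systemctl disable --now $SERVICE` does the job of the two commands in step 1.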
A couple of additional notes about DEF CON:
  1. Bring cash -- no cards are accepted except at the Rio's facilities.  This means if you want to buy a cup of coffee but not at Starbucks, you'd better have cash.
  2. Be prepared to wait in line for a *really* REALLY long time.  People this year were calling this "LINE CON".  It's actually absurd.  So much so that my plan for the remainder of DEF CON is to not attend talks, but to hang out in the capture the flag arena, vendor floor and cyber cafe, then to buy the presentation videos and review them at a later date.
  3. Trust no one.  Seriously.  Especially not the Goons.  They are "goons", after all.
  4. If you aren't staying at the Rio, plan on hiking back to your hotel -- the line for the cabs is ABSURD.  OR, be willing to pony up the cash for a limo (it's going to be 4x the cash, but worth not having to wait.)  Consider pooling with others to diminish the cost of a limo.
Happy, and safe con attending!

October 10, 2013

Using PowerShell to add rules to Windows Firewall

I have recently had need to make heavier use of the Windows Firewall (which, counter-intuitively, is quite a bit more robust than I originally gave it credit for being.)  Being fairly "anti-GUI", I began looking for ways to script rule creation.  I found a post on Patrick's SharePoint Blog that unlocked much of the mystery.  SO, I managed the following...
function Add-FirewallRule-Block {
    param (
        [Parameter(Mandatory = $true)]
        [string] $ip,
        [string] $port  = "*",  # "*" means every port
        [int]    $proto = 6     # 1 is ICMP, 6 is TCP, 17 is UDP
    )

    $fw   = New-Object -ComObject HNetCfg.FwPolicy2
    $rule = New-Object -ComObject HNetCfg.FWRule

    $rule.Grouping        = "@firewallapi.dll,-23255"
    $rule.Name            = "block $ip"
    $rule.Protocol        = $proto
    # Ports only apply to TCP and UDP; setting LocalPorts on an ICMP rule fails
    if ($proto -eq 6 -or $proto -eq 17) {
        $rule.LocalPorts  = $port
    }
    $rule.RemoteAddresses = $ip
    $rule.Enabled         = $true
    $rule.Profiles        = 7       # all profiles (domain, private (home/work), public)
    $rule.Action          = 0       # 0 is block, 1 is allow
    $rule.Direction       = 1       # 1 is inbound (the default), 2 is outbound
    $rule.EdgeTraversal   = $false

    $fw.Rules.Add($rule)
}
To use this, you basically dump this into a file in your path (I put it in C:\users\corey) with a name of "Add-FirewallRule-Block" and an extension of ".ps1", and then you can call it like this:

# block all TCP connections from 191.23.11.12
Add-FirewallRule-Block 191.23.11.12
# block 5900/tcp from 191.23.11.12
Add-FirewallRule-Block 191.23.11.12 5900
# block 20/udp from 191.23.11.12 (protocol 17 is UDP)
Add-FirewallRule-Block 191.23.11.12 20 17

A couple of comments I will make about the code itself:
  1. the $rule.Grouping line uses a resource offset in the firewallapi.dll... I have absolutely NO idea what resource this offsets to, but it was seen in numerous places on TechNet's 
  2. Edge traversal, as defined by Microsoft, "allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation." (Full article here.)

August 03, 2013

Coding the Liturgical Calendar

For a long time, I've wanted to integrate the Roman Breviary into a couple of projects (nothing public) but have never been able to find a suitable calendar, breviary or psalter implementation.  So I wrote one in python.  It requires the `dateutil` package, but other than that it's standard python.  My principal use of this is going to be to create a JSON interface to get the current office, season, feast-day and reading from the 1962 Liturgical calendar.  I am working on a "modern" liturgical calendar, it's just not my priority right now.

November 30, 2012

Jamming Flagpoles

Today I read a report about Iran's alleged "flagpole jamming network".  Reading all of this, it became plainly obvious that, "of course this is a method they're using."  Here in the States, we already use flagpoles to conceal cellular communications towers.  You can see an example of such towers here.  So, it makes a certain amount of sense that tyrants (Islamofascists, Democrats, Republicans, etc.) would use similar means to conceal a "secret" jamming network.

The one problem I have with the story reported by Fox News is simply this: a jamming system requires both power and communications connectivity.  I.e. you can't just throw a flagpole in the ground and magically make it a part of a larger jamming network.  Hasn't anyone reported seemingly excessive communications or electrical work being done around these flagpoles?  Instead of offering subjective reports about juvenile cancer rates, etc., why not identify the concrete things that would prove the purpose of these mystery towers?


November 16, 2012

How to make your OpenBox awesome

As a long-time Linux geek, I've discovered that there are nice aspects of GNOME/KDE, and then there's all the horrifying bits.  After almost 20 years of desktop Linux use, I've concluded that "lighter is better."  I.e. there's no real benefit to having all the bells and whistles turned on.  That's what led me to OpenBox.

Anyone who has run OpenBox is familiar with ~/.config/openbox/autostart.sh... or at least they should be.  In case you aren't, here's the crux of it -- the autostart.sh script runs when OB starts up, and it's the vehicle through which you can start all the bits and pieces of the desktop that you might need.  Here's my autostart.sh:
#
# Openbox config for the ultimate desktop 


#### policykit manager
# allows us to manage networks and other things that require root priv.
(sleep 10 && /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1) &

#### gnome settings daemon 
# allows us to use the gnome tools for things like display and mouse
(gnome-settings-daemon) & 

#### mount encrypted disks and set desktop wallpaper
(/home/cjs/bin/mntenc && nitrogen --set-zoom-fill /home/cjs/mine/pics/backgrounds/current.jpg ) &

#### Enable power management
# we use xfce because the gnome-power-manager went away (as a systray icon anyways)
#(gnome-power-manager) & #this went away in Debian Sid around Dec '11
(xfce4-power-manager) &

#### Thunar Daemon
# handles automounting disks, etc.
(thunar --daemon) &

#### Tint2
# our panel
(tint2) &

#### Screensaver
(xscreensaver -no-splash) &

#### Synapse
# synapse is a key-stroke app-launcher, like Gnome-DO
(synapse -s) &

#### DropBox
# sync files between multiple systems
(sleep 2s && dropbox start) &

## Launch network manager applet
# 2012/01/07 -- this has been getting launched twice, presumably by gnome-settings-daemon?
#(sleep 4s && nm-applet) &

#### volumeicon 
# allows us to control volume from an icon in the system tray
(sleep 3s && volumeicon) &

#### Clipboard manager
# parcellite is a bigger/better utility
(sleep 3s && parcellite) &

## start xsnow!
#(sleep 3s && xsnow -notrees -nokeepsnow -nosanta) &

So, in case all of this is completely Greek to you, I've included comments.  This script works provided you've got tint2, parcellite, xscreensaver, dropbox, volumeicon, and thunar installed, and in your execution path.  This script also assumes that you've got the default GNOME desktop installed for such things as settings and authentication.  The point is that you can use this even on the default Debian 6 install, and achieve a highly functional desktop without the overhead you'd experience with a full GNOME or KDE desktop.