For years now I’ve used telnet as a quick and easy way to check to see if the most basic network functionality of a service like http is working. I.e. I telnet to port 80 and see the raw server communication. Very helpful in debugging network services. Where it fails is when you get into SSL services. Telnet to port 443 and sure you’ll see you connect, but you’re not going to be doing an SSL handshake.

So I finally did a little googling and ran across this gem:

openssl s_client -connect www.example.com:443

And now I have SSL handshake and my raw plaintext interface that telnet provided.

Works great for all my ssl service troubleshooting (imap/pop/https/etc..).

Found the info at this site:

http://advosys.ca/viewpoints/2006/08/testing-ssl-with-command-line-tools/
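
An added example, not part of the original post or the linked article: a small shell wrapper around the same s_client command that also covers the mail services mentioned above, where the plaintext ports (25/587, 110, 143) need -starttls before any handshake can happen. The function names and the port mapping (the conventional assignments) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the port mapping assumes the conventional service ports.

# Print the s_client arguments appropriate for HOST PORT.
s_client_args() {
    host=$1 port=$2
    case "$port" in
        25|587) extra="-starttls smtp" ;;   # plaintext greeting first, then STARTTLS
        110)    extra="-starttls pop3" ;;
        143)    extra="-starttls imap" ;;
        # Implicit TLS (443, 993, 995, ...): send SNI so name-based
        # virtual hosts return the certificate for the name you asked for.
        *)      extra="-servername $host" ;;
    esac
    printf '%s\n' "-connect $host:$port $extra"
}

# Handshake only, then print the leaf certificate's subject, issuer and dates.
# stdin from /dev/null makes s_client exit instead of waiting for input.
tls_cert_summary() {
    # shellcheck disable=SC2046  # word splitting of the arguments is intended
    openssl s_client $(s_client_args "$1" "$2") </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Telnet-style interactive session over TLS.
# -crlf sends CRLF line endings, which mail protocols expect.
# -ign_eof turns off s_client's interactive commands, so a typed line that
# starts with R (renegotiate) or Q (quit) reaches the server unchanged.
tls_session() {
    # shellcheck disable=SC2046
    openssl s_client -crlf -ign_eof $(s_client_args "$1" "$2")
}
```

For example, `tls_cert_summary www.example.com 443` prints the certificate details, and `tls_session mail.example.com 143` leaves you at an IMAP prompt after STARTTLS.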

So it’s been over two years since my last post.  Been very busy in my life and haven’t had time to do as much tinkering and computer stuff at home as I usually would.  That’s not to say I haven’t done anything, just haven’t documented it.  Here are a few things that happened in the last two years:

  1. I changed jobs, I now work in computer, network, and systems security full time.  I’m loving it!  Finally getting to really practice what I preach in the security field.  Georgetown was fun and a great time to grow my general systems experience, but I’m enjoying the focus on computer and network security.

  2. Got a new car, this actually happened about three years ago, but I never posted about it.  The Chevy Blazer was taken out by its imploding supercharger and deemed not worth my time, effort, and money to repair.  Given it was early 2009 and car dealers were giving away cars I got a great deal on a new 2009 VW Tiguan SE with AWD.  Still love the car and making small upgrades to it as the years go on to make it more mine.  I did actually stand up a page for that work here: My SUV Project (Tiguan).

  3. I made some network and computer upgrades at home as well.  I replaced my original first generation MacBook Pro 15″ (Intel Core Duo 2GHz) with a late 2010 model MacBook Pro 15″ (Intel i7 Dual Core) with HD display and 8GB of RAM.  It’s currently triple booting MacOS X 10.6, Fedora 16, and Windows Ent 7.  I have a post on how to set up triple boot in the works.  I also upgraded my old Promise NS4300N 2TB NAS box with a new NetGear ReadyNAS Pro 6 12TB.  Much faster and a lot more storage plus so many options.  Finally I’ve kept the network up with technology and run full WiFi a/b/g 300mbps+ and GigE wired via NetGear WNDR4000 and assorted GigE switches paired with FiOS internet.  Finally I upgraded my workstation piece by piece to get it up to a Sandy Bridge i7 and 16GB RAM so that I can build out a new HD+CableCard MythTV network using VMs, the NAS box, and the new Silicon Dust HD Prime. I’ll have a post later documenting my general network gear as well as posts on how I set up MythTV.

  4. I’ve got a Barnes and Noble Nook Color as well.  It’s a great little device and hoping to take better advantage of it this coming year.  And yes, it’s rooted.  Running stock Nook Software but with the added benefit of sideloaded and standard android market apps too.

  5. And last but not least, still being a dad and husband working away enjoying watching the kids learn and grow (as I learn and grow).

 

Well, looks like I won’t have to lug my heavy MacBook Pro 15″ to work anymore. I work with computers a lot, and it’s generally helpful to have a laptop with me on my commute in and out of work. It’s also nice to have a laptop at work in case I need to do some emergency work outside of the office. It’s also nice to be able to have a full size laptop at home to sit on the couch and catch up on tech news, newsgroups, mailing lists and chat with my friends who are scattered around the world.

I have two laptops, my old good friend the Sharp MM20 ultralight I bought new 3 years ago, and a nice MacBook Pro issued to me by work. Though I love the Sharp, it has a small screen and limited power for relaxing and playing on the net at home, hence I use the MacBook at home. I love the MacBook (Core Duo 2GHz, 2GB RAM, 160GB HD), but the thing weighs a ton (though it’s not much heavier than the smaller 13″ MacBooks) and is not much fun to lug around in a bag on my commute in and out of work. Ok, you might say that I should just leave the MacBook at home, catch is I need some of the admin tools and GUI provided by the MacBook to manage Apple specific resources at work. So for the past year I’ve lugged the MacBook into work every day. It’s nice having the power, but it’s just too heavy (why did Apple not develop a 12″ MacBook Pro? The 13″ is just not a replacement for that).

Well, things have changed. My work replacement cycle computer has arrived and I now have a Mac Pro desktop at work. A nice one at that: Two Dual Core 2GHz Xeon Chips, 4GB of RAM, Two GeForce cards for dual 1600×1200 displays, and a 250GB HD. Coupled with VMware Fusion, it’s a great workstation for my needs. I can easily manage Mac and Linux resources from one machine, do development work, testing work, and I’ve got my trusty command line when I need it.

So out of retirement comes my old Sharp MM20 laptop (1GHz Transmeta Efficeon CPU, 512MB RAM, 20GB HD, ATI Radeon Graphics 16MB RAM, 10.4″ LCD). It’s not a screamer but it’s very light, think 1.9lbs! That’s with the normal battery! Barely even feel it in my bag. I decided it was time that I see what Fedora 7 had to offer. All my personal machines currently have Fedora Core 6 installed and since I was bringing this back to active service I wiped it and started fresh with Fedora 7. The install went smoothly (I’ll do a write up later) and, with some minor tweaks, looks and runs well. Now this laptop doesn’t have incredible 3D acceleration ability, but I couldn’t help giving the “Enhanced Desktop”, i.e. compiz, a try. Wow, it’s perfect. That is what this little laptop needs to make it more effective. Though it’s not perfectly smooth on transitions, I think it’s smoother than without compiz enabled. Also, the small screen isn’t as limited with access to the Mac Exposé-like effects. A quick mouse pointer to the upper-right corner brings a collage of all open windows, allowing easy and quick selection and navigation. With a refreshed standard battery, this should be a great travel companion as I commute or walk around work outside of the office. Not to mention, even though it is three years old, people are amazed at how small, light, and slick looking the Sharp is. Too bad they don’t make them like they used to.

Interesting article, and I would love to see this presentation at the BlackHat conference. Jon Ellch and David Maynor will be showing off how they can hijack a MacBook laptop in about 60 seconds using vulnerabilities in the wireless card driver. There are a couple of things that make this interesting:

1. All that has to happen is that your wireless card be turned on. You don’t have to be connected to a network. If your wireless card is on, you are a target, period.

2. In theory, there is nothing to say that Bluetooth is safe from this either. I would imagine that similar vulnerabilities could be found in Bluetooth drivers as well.

3. This is not Mac OS specific! Though they used a Mac for the demo, they have also discovered vulnerabilities in Windows. And I see no reason that it couldn’t affect Linux/*BSD as well.

4. Firewalls and anti-virus programs won’t and can’t protect you from this. This is a much lower level attack and will always bypass this. The only way to protect against it is either through better device driver security or not using wireless. SELinux/SEBSD/SEDarwin may help this somewhat, but again drivers are usually in the OS kernel and once you’re in the kernel it’s hard to stop attacks. I’ll have to look into the SE* solutions and see if they might be used to help mitigate this attack (though I’m doubtful).

Currently, there isn’t much you can do to protect yourself. Just turn off wireless when you don’t need it. Apple’s patches just came out, but there was no mention of a fix for this. The researchers are talking to Apple, Microsoft, and others to get this fixed. Also, they are not showing how they did it, just that they did it, so no current “in the wild” exploits are known of at this point.

Ok, I recently have been given the opportunity to play around with a new MacBook Pro 15″ laptop (Mac OS X 10.4 – Tiger). So far I’m impressed, clean easy to use user interface with a nice Unix/BSD system underneath. In the process of getting it set up, I did go through and take care of some security issues to make sure I was happy. Some of these are obvious, some less so:

I. Click on the Apple Icon on the top left and select System Preferences

1. Click on Security
a. Set a master Password, and don’t forget it, this is used to recover lost accounts and such.
b. Turn on FileVault, this is a great security item, but will slow down your computer and could make crash recovery harder. I haven’t done this one yet.
c. Check require password to wake computer.
d. Check Disable Auto Login, don’t make it easier for someone who steals your laptop, it can happen.
e. Check Require password to unlock secure system preferences, this will help against trojans and such that could attack MacOSx.
f. Check Use secure virtual memory, this is mostly for a multiple user system. I haven’t done this yet myself.
g. Check disable remote control infrared receiver, less critical, but if you aren’t using, why enable it?

2. Click on Bluetooth
a. Disable Discoverable, you don’t need to advertise that you are a possible hacking target. Most Bluetooth devices you use don’t require your desktop to be discoverable. Only when you are trying to send files and such to the desktop for the first time with a device does this need to be enabled. After a pairing trust is set up you don’t need this enabled again for that device.

3. Click on Network
a. Select Airport and then options, then check Require admin password for Computer-to-Computer networks. There have been attacks in the past where machines (in that case, Windows) were able to create a computer-to-computer network while sitting in the airport without the need for the users’ intervention. It’s best to set this option just to make sure it doesn’t happen without your express consent.

4. Click on Sharing
a. Turn on “Remote Login”; this turns on the ssh daemon so you can ssh into your box like you normally do with Linux.
b. Choose Firewall and turn it on. By default, it seems MacOSX doesn’t turn on its firewall. I personally prefer to have it up and running. You can then enable different remote services through the firewall below that. I enabled Remote Login – SSH, iChat, and Network time.
c. Under Firewall Advanced, enable Block UDP Traffic and Stealth Mode. So far, neither of these have blocked traffic such as iChat Video/Sound or anything else, so better to block unwanted traffic.

5. Click on Startup Disk
a. Make sure that the lock icon on the bottom is selected. Unless you are reinstalling your base OS, no reason to have this easily changed.

Those are the preferences you can change via the GUI. Here are some to change via the command line in Terminal:

II. Start Terminal, you can find this by clicking on the search tool (magnifying glass in the top right corner) and using the term terminal.


1. Set a root password. There is a root user on MacOSX, and by default it’s disabled from normal use. But I’m paranoid, so unless I know the root password I don’t like it. You can set it by using the command “sudo passwd root” which will then ask you for the new root password. You may want to set this to the same as the master password. I’m not positive, but they may be linked, I haven’t researched it that far yet. Warning, this will enable the root user account. I still prefer having the password set to something I know vs being blank and disabled. Consider this optional and your preference.

2. If you’re using SSHD for remote login, make it more secure. Using “sudo vi /etc/sshd_config” set “Protocol 2”, “PermitRootLogin no”, and “AllowUsers username” to your “username” for your main account if you only want that account to ever be able to SSH into your Mac. This is very important if you enable the root account like I did in step 1.

3. Double check the sudoers file. By default, it’s set up pretty well, only root and admin users can use sudo (which means do anything as admin/root all powerful user). You might want to double check it to make sure “sudo vi /etc/sudoers”.

4. Change your user directory’s permissions. By default, your new user’s directory is readable by any user on your computer. Though there may not be another user on your computer, it’s best to change that to only be accessible by you. In the terminal you could type in “cd ..” which will put you in the /Users folder. Typing ls -l will give you a list of users, most likely just a Shared and your username. Then issue the command “chmod 750 username”, username being your actual username. This will give you full control over your directory, but no other user besides root has full access, and admin users have read access. I would go with chmod 700 to block other admin users, but I don’t know enough about Mac OS X and what other system level problems that might cause with software daemons running.

Well that’s what I found, if you know something I missed, or a mistake I made please let me know. So far I haven’t found anything impaired by these settings for normal day-to-day use, but I’m only starting to play with Mac OS X.
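
A way to verify steps 2 and 4 of the Terminal section after editing, as an added example that is not part of the original post. It reports the value sshd will actually use for each keyword (keywords are case-insensitive and the first occurrence wins) and the "other" permission bits on a home directory. The function names are hypothetical, and the audit assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# sshd_effective FILE KEYWORD -> value sshd uses for KEYWORD, empty if unset.
# Commented-out lines are skipped; the first uncommented occurrence wins.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE USER -> one line per finding; exit status is the
# number of failed checks (0 means all three settings from step 2 are set).
# Protocol is only meaningful on older OpenSSH builds that still speak
# protocol 1, such as the one this post describes.
audit_sshd_config() {
    cfg=$1 user=$2 fails=0
    [ "$(sshd_effective "$cfg" Protocol)" = "2" ] ||
        { echo "FAIL Protocol is not '2'"; fails=$((fails + 1)); }
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL PermitRootLogin is not 'no'"; fails=$((fails + 1)); }
    [ "$(sshd_effective "$cfg" AllowUsers)" = "$user" ] ||
        { echo "FAIL AllowUsers is not exactly '$user'"; fails=$((fails + 1)); }
    return "$fails"
}

# home_other_bits DIR -> the "other" permission triplet from ls -ld,
# which is --- after chmod 750 or chmod 700 (step 4).
home_other_bits() {
    ls -ld "$1" | cut -c8-10
}
```

On the Mac from the post this would be run as `audit_sshd_config /etc/sshd_config username` and `home_other_bits /Users/username`.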

Copyright © 2015 · All Rights Reserved · Cafaro's Ramblings