Tuesday, July 12, 2011

Cell Phone Security

Now, before I delve into such a general topic, let's discuss the general transition that (I feel) technology is taking....


Obviously the giant monster sitting on, under, or near your desk is going out of style. Laptops nowadays are becoming powerful enough for the average user, and even gamers in many cases, and while the desktop form factor will likely be around for ages to come....it's easy to see that the markets are concerned with portability. So, what does this have to do with phones? Well, many things. First of all, modern cellphones are personal computers in the purest sense of the word. They perform tasks that would normally require a lot more work on our part, such as calling people from wherever we are, tethering to your computer for internet, banking and so many other things I can't even fathom. Add to this the fact that there are a staggering number of smartphones out there (14.7 million were sold in 2010 Q2 alone) and you have a question that I pray to god someone brought up in the development meetings for BlackBerry, iPhone, and Android: "Are they secure?"

For the most part, yes. "Apps" run in sandboxed environments in most cases, and on operating systems such as Android the apps fully disclose what they want permission to access and a confirmation box has to be ticked by the user, even if it's a newer version of a previous app. Apps, due to their sandboxed nature, cannot access the storage space or memory currently in use by another app (i.e. a game you're playing can't look at your bank statement). However, while this is technically secure, there is a serious problem. People. When you are storing your bank account information and social security number and all of that on a desktop or laptop with PROPER antivirus and very strict user access controls/application firewall, you don't have to worry so much about it (although the latter I would suggest keeping off digital media, period). Now think about what would happen if that computer was a few inches in size and could fit in your pocket? Think about someone swiping it off of a counter or table? Your lack of a password, hard drive encryption, and clear thinking have led to your device being compromised despite your investment in security software.


What is my point? Keep sensitive data off of portable devices wherever possible. Your social security number and credit card information have no business being on your smartphone. If you are in a situation where you absolutely have to have them, make sure your device is password protected and you have purchased software that allows for remote wiping of the phone. Many security suites offer both cellphone antivirus (a whole other subject) and features such as phone tracking, remote wiping, etc. Just keep this rule of thumb in mind: whenever you install that app on your phone that can unlock and start your car, and whenever you put sensitive data on your phone, just take a fraction of a second to think about the possible consequences. Cell phones get stolen in staggeringly large numbers; it's not a risk worth taking.


So, don't go investing in $50 worth of security software unless you ABSOLUTELY need to keep sensitive data on your cellphone in the first place. This applies to tablets as well....seeing as the operating systems on them aren't much more than glorified smartphones themselves.

Saturday, May 21, 2011

Securing your laptop Part 1

Most people view laptops as disposable items. Who cares if your laptop is stolen, you can just buy a new one....and hey....you can even get a faster one while you're at it! However, most people don't realize how much of a hassle a stolen laptop can be until, unfortunately, it is stolen. A stolen company laptop can lead to a lost job; a stolen personal/home business computer can lead to a trashed credit history. Horror stories like this one are becoming commonplace, and the worst part is, they are easily avoidable.

The truth is, you don't have to have your entire customer database on your laptop. This is not only insecure, but unnecessary. If you have enough business to justify a database, you have enough business to justify a true VPN tunnel to access your database remotely. Having sensitive data on your laptop is the security equivalent of writing it down on a piece of paper and putting it in your purse or wallet. The best way to make sure important data doesn't get stolen is to keep it off of mobile devices in the first place, but in some situations you just have to (such as PII, as PII seems to end up everywhere). So what do you do?

When talking about security, especially mobile devices, encryption is the gold standard. If you think your data is safe with Windows BitLocker....think again.....as a computer tech I am asked countless times to recover data Windows has encrypted and while it isn't easy, it isn't as hard as it SHOULD be. So, I will discuss the system I use with my personal laptop in the hopes that I can help the less technologically inclined prevent what could be a disaster.


So, first, as with anything involving security....you have to assess what information you have on your laptop and decide whether encryption is necessary, and if so what kind of encryption. For this example I will be using TrueCrypt, primarily because it is multi-platform (making the sharing of encrypted data much smoother) but also because it performs very well, which is important when you are encrypting your whole file system.

So, what data should I encrypt?

Put yourself in the shoes of someone that would benefit from stealing your laptop. What data will they be looking for? What damage could they do with said data?

Normally, data falls into one of the following categories:
PII (personally identifiable information), Authentication (logins for websites and such), Classified (such as documents that could damage your business interests should they fall into the wrong hands). Any data that an adversary (or attacker) could use to impersonate, harm, or gain an advantage over you should be considered sensitive data and should at the very least be encrypted.



Before you begin, it is important to know how your solution will affect you and anyone else who either uses your computer or has access to your data. In our example, our computer (my personal laptop) is a single user private computer. My laptop contains a lot of sensitive information in the form of private key hashes for my personal VPN as well as several services involving my personal network and work. Some of these are integrated into Windows (such as the VPN information) and while it is encrypted, someone could attempt to brute force the service as a whole if they get my hashed key. I of course use a strong password, but I don't want this to be a single point of failure, and I want it to be as hard as possible to get the hash should my laptop be stolen. A good security solution protects data while compromising performance; a great solution is completely and totally transparent.

With modern processor technology, processors can actually encrypt and decrypt data on-the-fly. This is good for everyone who needs to encrypt file systems because it allows you to store the encrypted data on the computer's hard drive and then decrypt it into the RAM as needed. This also keeps your swap files clear of all decrypted data. This makes it viable to use things like encrypted containers.

Encrypted containers are like a .zip file, only without compression (files inside are full size) and encrypted. This is the most convenient way of keeping files secure. They can be copied, deleted, sent, and shared just like any other file but contain no watermarks at all that they are in fact file containers. You can even name a file with another extension (such as .wmv or .mp3) and still decrypt it, making the system even more obscure and harder to detect. A talented hacker might get the idea it is an encrypted volume, but thanks to TrueCrypt's lack of header or footer data it would be quite the feat.
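How far the renamed-extension trick gets you depends on who is looking, so here is the examiner's side of it as an added example (not part of the original post and not TrueCrypt code): a Python heuristic that flags a file when its content is near-random, lacks the signature its extension promises, and is a whole number of 512-byte sectors. The signature table, thresholds, the sector-size rule, the file names and the sample data are all constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

SECTOR = 512       # assumption: container sizes are whole 512-byte sectors
MIN_ENTROPY = 7.9  # bits per byte; ciphertext sits just under the 8.0 maximum

# Leading bytes a genuine file of each type starts with (small, partial table).
MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".wmv": (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11",),  # start of the ASF header GUID
    ".zip": (b"PK\x03\x04",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def assess(name: str, data: bytes) -> dict:
    """Compare a file's content with what its extension claims it is."""
    ext = os.path.splitext(name)[1].lower()
    signatures = MAGIC.get(ext)
    # Extensions missing from the table cannot be judged, so they pass.
    magic_ok = signatures is None or data.startswith(signatures)
    entropy = shannon_entropy(data)
    aligned = len(data) > 0 and len(data) % SECTOR == 0
    if not magic_ok and entropy >= MIN_ENTROPY and aligned:
        verdict = "candidate-container"
    elif not magic_ok:
        verdict = "extension-mismatch"
    else:
        verdict = "plausible"
    return {"name": name, "entropy": round(entropy, 3), "magic_ok": magic_ok,
            "aligned": aligned, "verdict": verdict}


def constructed_samples() -> dict:
    """Constructed inputs; SHA-256 output stands in for container ciphertext."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(2048))  # 65536 near-random bytes
    tagged = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\xff\xfb\x90\x00" * 4096
    return {
        "holiday.mp3": noise,                   # renamed container stand-in
        "song.mp3": tagged,                     # starts with a real MP3 signature
        "notes.mp3": b"meeting notes\n" * 100,  # text with the wrong extension
        "clip.wmv": noise[:-100],               # random, but not sector-aligned
    }


def flag_candidates(files: dict) -> list:
    """Names of files worth a closer look as possible encrypted containers."""
    return [name for name, data in files.items()
            if assess(name, data)["verdict"] == "candidate-container"]


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(assess(name, data))
    print("flagged:", flag_candidates(constructed_samples()))
```

High entropy alone proves little, since compressed audio and video are also near-random; the missing signature and the sector-aligned size are what make the renamed file stand out.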

But, when dealing with computers (which are notorious for leaking data into every nook and cranny) sometimes data that shouldn't be cached gets cached, such as a recently opened file, or even the password to decrypt your file container. Programs like TrueCrypt do their best to keep this at a minimum if not eliminate it completely, but this is a severe point of failure for many programs that use encrypted file containers. This also doesn't rule out an adversary putting a key logger on your computer and then using it to capture your key when you type it in to decrypt a file. At this point if the adversary manages to steal your computer, any encryption you have will be null and void. This, again, is a single point of failure (which we are trying to avoid, if you don't see the recurring theme). While it's great to have sensitive files in encrypted containers, we want another layer of security.


So, how about encrypting the whole filesystem? Windows partition and all.

With programs like TrueCrypt, this is now very very easy. A TrueCrypt boot-loader is installed which will (again) decrypt the information on the hard drive on-the-fly. The bootloader will prompt you for your password whenever you start the computer, and then the hard drive will behave exactly like one that isn't encrypted. This won't stop someone from using your computer if you are already logged in, but when coupled with encrypted file containers it makes it extremely difficult to get at information. And if an adversary steals a computer that is turned off, the hard drive (with the exception of the boot-loader) will look like gibberish.



So, first, download TrueCrypt from here and install it.

Once the program starts, select create volume and after selecting the "encrypt system volume" option, hit next. I won't re-invent the wheel here. The wizard for this program explains everything neatly and clearly and even someone who isn't tech savvy can very easily do this. I will make one note however:


As always, back up your important data. If the TrueCrypt bootloader is damaged and your recovery CD (which you will create during the wizard) is damaged as well, you will effectively lose access to all data on the hard drive you are encrypting. This is by design, obviously. And no, even if you remember your password, your master hash (which is both unique and hundreds of characters long) will no longer exist. It is very important that you make a flash drive or CD with your rescue CD files on it. Note that even with the rescue CD you still have to enter your password to decrypt the hard drive. However, in the 6+ months I've been doing this I have never had any problems with the bootloader, so don't let this discourage you. (You should have backups anyway.)

If you perform this correctly, it will first restart the computer to test the bootloader (by entering your password) and then directly after that, start the encryption process. Note that on a 500 GB computer this can take upwards of 10 hours as even the empty/slack space on the hard drive is encrypted. After that process completes, every time you start the computer the bootloader will prompt you for your password. If for some strange reason the bootloader doesn't work, don't panic, the rescue CD will allow you to permanently decrypt the drive should something go wrong.


After that step is complete, you should then create one (or several) encrypted file containers to secure any sensitive documents or data. Even though your whole hard drive is encrypted at this point, anyone who walks up to your computer while it is on will not notice (as the encryption is transparent) and will be able to use your computer like it isn't encrypted as long as they don't shut it down. Viruses will also still be able to access data like the drive is unencrypted.


A good guide for creating file containers is here; again, TrueCrypt has awesome documentation and I will not re-invent the wheel. On one note though, it is important both for obscurity and security purposes that you do not cache either the file container location or password from within TrueCrypt. This will leave someone completely in the dark as to the location of the container and add an additional layer of security. If you want to take this even further, check this out.



So, presuming everything works to plan, you now have a very secure laptop. What we have achieved is what is referred to as defense-in-depth. We have created multiple layers of obstacles for a potential adversary to overcome, and hopefully kept your data out of the adversary's hands. Keep in mind though, that there is no such thing as absolute security....and if a laptop is stolen and not recovered it is important to assume that all data on it has been compromised, however likely/unlikely that may be. One good solution is to purchase a subscription to a service like laptop LoJack, as once you recover the computer you can tell whether or not your data has been compromised in addition to retrieving the laptop.


Bear in mind though that this isn't an idiot-proof system. This system relies both on the strength of your passwords (remembering 30 character passwords isn't hard, just get creative with it and make sure you use a full mix of numbers and characters such as / , . ' : ' " \ etc.) and the common sense of the administrator. If you have all of your passwords sticky-noted to the top of the laptop, all security is null and void.


In either case, I hope this helps some people.....and happy computing!

Monday, April 18, 2011

Open source POS terminal

For those of you who are unfamiliar with retail terminology, a POS is a point of sale, a term for what is essentially a computerized cash register. A problem with running a small business is the lack of affordable POS software packages, the cheapest ones running in the $500-$1000 range just for the software. For people like my client in this case, this is simply too much money.


In this case, the client runs a mobile vending service. He is a sort of convenience store on wheels, and currently....has no way to keep track of his inventory or for that matter ring up purchases for customers. Since he doesn't have a large variety of products, the need for a bar code scanner isn't really necessary....however since he already has one I will attempt to get it working with our POS. The only real requirements are an inventory management suite and a POS terminal, which for this application we will use squeeze and lemon respectively.


Since we aren't quite sure how this will work (it surely is something I have never done before) I will be installing Ubuntu 10.10 on a virtual machine and attempt to install lemonpos on that so we can see how it works.

The Installation
As with all open source projects, you can obtain the source code directly from the project's website (http://lemonpos.org), but in this instance, to make it easier for someone who isn't so Linux savvy and also to make updating easier, I will use the Synaptic GUI to install both MySQL, which is required for running the database, and lemon (which squeeze is packaged with).



As you can see, synaptic automatically marks the prerequisite packages.


At this point, I am going to go ahead and mark mysql-admin for installation as well. It isn't quite as powerful as the command line for doing MySQL operations, but it takes the edge off for less experienced users.

All that's left to do now is hit apply, and depending on how fast your internet is, grab a drink.



During the install, the MySQL installer will prompt you for your MySQL root password; make sure you remember it. This will allow you to log into MySQL and manage all of your databases. I already have MySQL installed however, so I don't have a screenshot of it.

Once the install process finishes, don't start lemon or squeeze up yet. Neither of them will function properly without a database specifically designed to work with lemon. Thankfully, the lemon devs included a handy script in order to create said database. This script is located in /usr/share/kde4/apps/lemon/ . Simply run the following commands:

'cd /usr/share/kde4/apps/lemon'
'cat lemon_mysql.sql | mysql -u root -p'

This script will then prompt you for your MySQL password (the one you entered earlier) and create a database populated with the basic lemonpos necessities (such as a default user account).



After this step is done, start up mysql-admin and log in to your server using the username root and the password you set earlier. The default address will work unless your database is on another computer.

When you log in, you will be greeted by the mysql-admin main screen. The script we ran earlier automatically created a database and user account with proper permissions to access it. All we need to do here is change the password to something you will remember (via the users screen, edit the user "lemonclient"), and then close mysql-admin.



At this point our database is ready to go, and we can fire up squeeze (the lemonpos management interface).


When you first start up squeeze, a prompt will prompt you (ironically) for your database info. If you ran the script included with lemonpos, the username will be 'lemonclient', the password will be the one you set in mysql-admin, and the database will be the default option of 'lemondb'. After entering this information, just hit accept and log in to squeeze with the username "admin" and password "linux".


Once you log in you will see the squeeze main screen. If the buttons along the top aren't grayed out then you installed lemon properly and should be able to use the main program (lemon) once you enter some inventory.


Overall I am quite impressed with the whole package; it is simple and rather easy to use. I did run into a few problems that were mainly due to the nature of running things on a virtual machine (it didn't want to connect to a remote database through my NAT) but aside from that I can tell that it is a powerful tool. You can run as many POS computers off of the same database up to the number of connections to the database allowed. Just for fun, I cloned my virtual machine twice and had 2 concurrent transactions happen at the same time with the same item, and the database turned out just fine thanks to the way lemon works.

It probably isn't necessary to go over the functions of adding/removing inventory and actually checking someone out because frankly.....it's very self-explanatory.






Friday, April 15, 2011

Project #1. Computer imaging system


Currently, the only computer manager on the payroll is the IT administrator (my mentor). She is responsible for managing all computers, all but 1 server, and other technological systems. In addition to this she also teaches classes. On a lot of days, she doesn't even have the time to fix computers in classrooms. Needless to say, she doesn't have time to reinstall one Windows computer....let alone 5 or 6. Currently there are anywhere between 5 or 6 desktop computers in classrooms that are inoperable, and many many more with viruses. Currently antivirus software is installed on most computers, but since there is no time for our IT person to dedicate a specific amount of time to each computer...


We have about 86 laptops and desktops total: 26 Dell Dimension E521, 50 ish (I don't have the list with me at the moment) Opteron 740s, 8-10 HP 5420s and 5410s and a few HP 620s (all of the laptops run the same OS and, for the most part, the same hardware).


So, there are about 3 million industry solutions to manage problems like this......but there is this one thing...


Budget= $0

So, deep freeze, norton ghost, and all of the other industry standard solutions immediately get thrown out the window and we are back to square one.


There is good news: we have an IBM eServer lying around. It has 2x 72.8 GB 15k SCSI 320 drives, a 3.6 GHz hyperthreading Xeon processor, and around 8 GB of RAM. As far as a server can get, it isn't that shabby, so at least we have something REAL to work with.

So, what about that solution you were talking about?


Well, we have several problems:
  • Computers haven't been re-imaged in quite a while
  • Computers are currently loaded with factory bloatware
  • Antivirus software has been disabled by students/is out of date
  • Computers are very slow as a result of both viruses and bloatware
  • NO volume licensing for Windows (although we will try and remedy this at a later step)
But, we also have:
  • Our internal network is rather fast (for the most part, our internet is another story)
  • We only have 5 different variations of computers and operating systems

So, the solution.......
In this case, we chose to go with a PXE/TFTP server....specifically FOG (Free Opensource Ghost). If you are not familiar with PXE, it stands for Preboot eXecution Environment. PXE allows you to boot a kernel via a TFTP (Trivial File Transfer Protocol) server, which then allows you to do other things, such as, in our case, deploy a pre-cloned image to our server via an NFS server. FOG can also do much more than that. Once FOG is loaded up and functioning, it can perform virus scans on the clients' local hard drives, quick and low-level formats, even hardware inventory.....all without discs or flash drives or anything of that sort.

There is some client-side setup, however: all of the clients on the network need to have their BIOS configured so they boot from PXE first on every boot. On our Dell 740 and E521s, this is as simple as enabling PXE in the devices menu, and then moving the integrated NIC to the top of the boot device priority list. When you turn on the computer at this point, it will boot from the PXE server first....check if it has an active task (which is determined by MAC address) and then, if there is no task, it will boot to Windows.

Here is how it works:
For a great guide on installing FOG, see their wiki....It is stuffed full of knowledge and was a very large help while deploying this project.

After your FOG setup is done, you need to create your images. This is a much more complex task, and I won't cover it in this article. But as always, Google is your friend, and there are many more sysprep tutorials out there than for the average topic.

Thursday, April 14, 2011

Welcome

To introduce myself, I am 18, currently attending ACC and pursuing a certificate in information security. I have a CompTIA A+ certification, and a love for technology and a fascination with the way computers talk to each other.


I have done work on several websites in the past; the one I am the most proud of is my high school robotics team's, www.chaprobotics.com (I did not work on their current website), which was Joomla!-based (Joomla is an amazing CMS by the way).



Currently I work at Staples EasyTech as a level 2 tech and intern at the St. Francis IT department as what I would define as the "Co-administrator".


Just to give you a little background, I attended St. Francis in the 6th and 7th grade. I spent most of this time annoying the hell out of my computer teacher (who happens to be my mentor at this time) and the father of my girlfriend (who was my English teacher). Needless to say, I feel right at home for the most part.


While I plan on having this as a resource for people who want to know more about going into IT with a background in open source software, I plan on posting about my personal solutions as well.


My posts may be short and sweet, but I hope that many of you find them informative.