Web Filtering On Squid 3 With QuintoLabs Content Security 1.4 And
Windows Active Directory Integration

This HOWTO will show you how to set up a Squid proxy server deployed on CentOS
or RedHat 6 Linux with web and content filtering done by QuintoLabs Content
Security with proxy users transparently authenticated by Windows 2008 R2
based Active Directory. This is the work in progress and all comments
are welcomed. The HOWTO is targeted at novice users and may sometimes seem
too thorough for more advanced gurus. No compilation magic will be involved
in our setup so any system administrator accustomed to Windows will be able
to easily follow the instructions.

[Andrew Robinson] and his co-workers are lucky enough to have a Keurig coffee maker in their office, though they have a hard time keeping track of who owes what to the community coffee fund. Since K-Cups are more expensive than bulk coffee, [Andrew] decided that they needed a better way to log everyone’s drinking habits in order to know who needs to cough up the most cash at the end of the month.

He started by tearing down the Keurig B40, making note of the various PCBs inside while identifying the best way to go about hacking the device. The coffee maker is controlled by a PIC, and rather than try to re-engineer things from the bottom up, he left the core of the machine intact and focused on the control panel instead.

He disconnected all of the unit’s buttons from the control board, routing them through an Arduino before reconnecting them to the machine. This essentially rendered the machine inoperable unless triggered by the Arduino, giving [Andrew] control over the brewing process. He wired in an RFID reader from SparkFun, then got busy coding his security/inventory system. Now, when someone wants coffee, they merely need to swipe their office access card over the machine, which enables the use of its control panel.

As you can see in the video below the system seems to work well. If we were to offer some constructive criticism, we would suggest ditching the laptop and rolling the RFID reading/verification into the Arduino instead – other than that, we think it’s great.

Filed under: arduino hacks, cooking hacks

Configuring CAS On Ubuntu For Two-Factor Authentication With WiKID

Single sign-on is a great technology. Requiring users to login to
multiple applications is huge hassle, encourages password reuse and
simple passwords. Security needs to focus on usability. If you can
make a user’s life better while increasing security, everybody wins. In this how-to we will set up the open-source CAS SSO product with the WiKID Strong Authentication Server for two-factor authentication for sessions and mutual https authentication
for host authentication. Obviously using two-factor authentication
for the login increases security because the user must have the factors
to get access, in this case, knowledge of the PIN and possession of the
private key embedded in the token. The CAS server is running on Ubuntu 11.04 Server and is using Radius
to talk to the WiKID Strong Authentication Server Enterprise Edition.

This article is about how to use the S/MIME encryption function of
common e-mail clients to sign and/or encrypt your mails safely. S/MIME
uses SSL certificates which you can either create yourself or let a
trusted certificate authority (CA) create one for you.

DARPA’s Shredder Challenge, a contest to reconstruct documents from a slurry of shredded paper, has been solved, suggesting that my grandmother may be barking up the wrong tree when she shreds the Campmor catalog. Two scientists with experience in computer vision and mobile technology, Otavio Good and Keith Walker, scanned each chunk for unique characteristics that allowed them to reconstruct the documents automatically on screen. They then put the pages back together by hand.

Their team won a $50,000 prize.

The contest consisted of five different documents (you can try a demo here but rest assured the real ones were a bit harder) and teams were a race to reconstruct them as quickly as possible.

So should gam-gam – or you – keep shredding documents? Good told the New Scientist:

So with DARPA’s documents reconstructed, are shredders now insecure? No, says Good. “The challenges that DARPA gave us were actually simple compared to if you have a bin full of lots of shredded pieces of paper. Reconstructing these documents was not easy at all. I don’t think you have much to worry about with your shredded documents.”

Looks like your secrets are safe… for now.

Stronghenge is an Out-of-Band Application Firewall that can inspect both HTTP
and HTTPS traffic for attacks against your web applications. Since Stronghenge’s
detection engine is based off of the most widely deployed IDS/IPS technology
worldwide, Snort, it’s easy to start using. Additionally, since it’s an Out-
of-Band solution it requires little to no modification to your existing network.
With Snort’s powerful regular expression support, you can implement a positive
or negative security model. With it’s standalone decryption engine for RSA algorithms and custom Snort
additions, it can be deployed as a single or multiple appliance configuration where
one device can do decryption where the other can do detection and blocking. However,
this tutorial will just cover how to deploy as a single appliance configuration.

Imagine this: you’re sitting in your local coffee shop sucking down
your morning caffeine fix before heading into the office. You catch
up on your work e-mail, you check Facebook and you upload that financial
report to your company’s FTP server. Overall, it’s been a
constructive morning. By the time you get to work, there’s a
whirlwind of chaos throughout the office. more>>

How To Password-Protect Directories With mod_auth_mysql On Apache2 (Debian Squeeze)

This guide explains how to password-protect web directories (with users from a MySQL database) with mod_auth_mysql
on Apache2 on a Debian Squeeze server. It is an alternative to the
plain-text password files provided by mod_auth and allows you to use
normal SQL syntax to create/modify delete users. You can also configure
mod_auth_mysql to authenticate against an existing MySQL user table.

Locks are always temporary hindrances. After deciding to open the RFID-secured lock in his department, [Tixlegeek] built a device to read and spoof RFID tags (French, Google translate here).

The system is built around an ATMega32 microcontroller with a 16×2 LCD display. A commercial RFID reader module takes care of all the sniffing/cloning duties, and a small modulation circuit handles pumping those bits over to a lock. Right now, the spoofer can only handle reading and spoofing 125kHz RFID tags with no encryption or authorization. A tag that’s more complex than the duct tape RFID tag doesn’t work.

[Tixlegeek]‘s little project does open up a few interesting avenues of exploring stuff that’s most certainly illegal. A smaller version of the project could be emplaced near a door or other RFID reader and left to crack a lock with a 32+62 bit password at 125 kilohertz. It wouldn’t be the fastest safecracker in the business, but it would work automatically as long as there is power.

If you’ve got any other ideas on what [Tixlegeek]‘s RFID spoofer could do, leave a note in the comments.

Filed under: security hacks

The crew at the Milwaukee Hackerspace are pretty serious about their beer. They used to have a fridge filled with cans, available to all at the hackerspace, but they decided to beef things up and create a secured beer dispensing system.

Like many others we have seen, their kegerator is built into an old refrigerator, complete with a tap built into the door. To ensure that interlopers are kept from their precious brew, they have secured the refrigerator using an Arduino and RFID tags to grant access. They use the same RFID key fobs members carry to gain access to the space for tracking beer consumption, unlocking the tap whenever a valid tag is swiped past the sensor.

They are still in the midst of tweaking and revising the system, but it looks good so far. It’s a great way to keep uninvited guests from their beer stash, while giving them a way to track consumption at the same time. We’re looking forward to seeing more details and code once things are completely wrapped up.

[via BuildLounge]

Filed under: arduino hacks, beer hacks, Hackerspaces

It seems that [pppd] is always rushing out of his apartment to catch the bus, and he finds himself frequently questioning whether or not he remembered to lock the door. He often doubles back to check, and while he has never actually forgotten to lock the door, he would rather not deal with the worry.

Since he finally had some free time on his hands, he decided to put together a simple device that would help end his worry once and for all. Using an ATtiny13, [pppd] designed a circuit that would detect when his door has been unlocked and opened, beeping every few seconds until the lock is reengaged. The circuit relies on a reed switch installed inside the door frame, which is tripped by the magnet he glued to his door’s deadbolt.

He says that the system works well so far, though he does have a few improvements in mind already.

Filed under: ATtiny hacks, home hacks

Setting Up ProFTPd + TLS On Ubuntu 11.04 (Natty Narwhal)

FTP is a very insecure protocol because all passwords and all data
are transferred in clear text. By using TLS, the whole communication can
be encrypted, thus making FTP much more secure. This article explains
how to set up ProFTPd with TLS on an Ubuntu 11.04 server.

Mounting Remote Directories With SSHFS On Debian Squeeze

This tutorial explains how you can mount a directory from a remote server on the local server securely using SSHFS. SSHFS (Secure SHell FileSystem)
is a filesystem that serves files/directories securely over SSH, and
local users can use them just as if the were local files/directories. On
the local computer, the remote share is mounted via FUSE (Filesystem in
Userspace). I will use Debian Squeeze for both the local and the remote
server.

Tiny Web Proxy And Content Filtering Appliance On CentOS 6 (Version 1.4)

This small HOWTO will show you how to set up a small virtual machine to speed
up and secure your home / small enterprise web surfing network using CentOS 6,
Squid 3.1 and QuintoLabs Content Security 1.4 applications deployed in a
VMware Virtual Player running on Windows 7 x64 as a host operating system.
This howto is targeted at novice users and may sometimes seem too thorough for
more advanced gurus.

How To Set Up SSL Vhosts Under Nginx + SNI Support (Ubuntu 11.04/Debian Squeeze)

This article explains how you can set up SSL vhosts under nginx on
Ubuntu 11.04 and Debian Squeeze so that you can access the vhost over
HTTPS (port 443). SSL is short for Secure Sockets Layer and is a
cryptographic protocol that provides security for communications over
networks by encrypting segments of network connections at the transport
layer end-to-end. In addition to that I will show how to make use of SNI
(Server Name Indication) to allow multiple SSL vhosts per IP address.

Restricting Users To SFTP Plus Setting Up Chrooted SSH/SFTP (Debian Squeeze)

This tutorial describes how to give users chrooted SSH and/or
chrooted SFTP access on Debian Squeeze. With this setup, you can give
your users shell access without having to fear that they can see your
whole system. Your users will be jailed in a specific directory which
they will not be able to break out of. I will also show how to restrict
users to SFTP so that they cannot use SSH (this part is independent from
the chroot part of this tutorial).

Using scponly To Allow SCP/SFTP Logins And Disable SSH Logins On Debian Squeeze

scponly
is an alternate shell that restricts users to SCP and SFTP logins, but
disallows SSH logins. It is a wrapper to the OpenSSH suite of
applications. With the help of scponly, you can allow your users to use
clients such as WinSCP or FileZilla
to upload/download files, but you refuse SSH logins (e.g. with PuTTY)
so that your users cannot execute files/programs. This tutorial shows
how to install and use scponly on Debian Squeeze.

They’re out there. Be afraid. They could be anywhere, everywhere, anyone. They are shadowy, deadly, mysterious, guided by intellects vast and cool and unsympathetic. Security consultants and antivirus firms whisper legends of them to their clients to scare them straight. They are the Voldemort of online security, except that everyone is all too eager to say their name: the Advanced Persistent Threat. Hide your children! You cannot stop them!

…well, actually you probably could, and pretty easily too, but apparently most folks can’t be bothered.

Vanity Fair just wrote breathlessly about “Operation Shady RAT”, which featured “a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer.” Military-industrial standard-bearer Northrop Grumman is “constantly under attack by cyber-gangs.” A few months ago Security firm RSA’s SecurID systems were the victim of “an advanced persistent threat, a slow and consistent attack used by hackers to obtain specific information.” The Pentagon is alive to the APT threat, and says it is beginning to focus more on deterrence than on defence, because “each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks.” Why, just this week, San Francisco’s government-owned BART system was hacked by—

…waaaaaait a minute.

One can never be sure, particularly in this arena, but it seems that BART’s police database was hacked by … a teenage French girl, who reported: “They had zero security.” Here’s the link she allegedly used to hack them. Don’t worry, it’s no longer active. Take a good look at that URL. Remind you of anything? It should, if you’re an XKCD reader:

Ah, SQL injection, that old canard. But wait, it gets even worse:

Seriously? Seriously? Plaintext? Who runs security for these jokers, Mr. Bean?

OK, so maybe the BART hack was a script kiddie enabled by morons. But what about “Shady RAT”? So glad you asked. Vanity Fair’s clueless hyperbole makes it sound like no one in the history of the Internet had ever sent an email that linked to a page with a browser exploit before. Earth to their editors: you’re about a decade-and-a-half behind the times. The attacker then used steganography to communicate with the compromised machines. Ooo, steganography, scary and hard to pronounce! Sure, that might have been amazingly sophisticated…ten years ago.

The RSA hack worked in exactly the same way: emails to employees with an enticing-looking attachment, plus a zero-day Flash vulnerability. And the tech media went crazy about the deadly APT attack on a security company. Are you kidding me? That’s an example of an “advanced persistent threat”? Adobe products are legendary for their insecurity. If that’s an APT, so was News Corporation’s kindergarten-tech-level hacking of cell phones.

But don’t just take my word for it: “Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case,” says Symantec security researcher Hon Lau. Or as IT World trenchantly put it, re APT attacks in general: “The striking thing is sophistication of the excuses of victims, not the techniques of crackers … Only 3 percent of attacks were considered too slick for the victims to have been able to stop. That leaves 97 percent of data breach victims trying to find something other than themselves to blame. “

There are genuine, sophisticated, brilliant black-hat hackers out there. Some of them work in groups. Some even work for nation-states and militaries, including, very likely, the people who hacked Google eighteen months ago. But most hacks are made possible because the victims allowed them; and we shouldn’t forget that security companies have every incentive to make the dangers seem as deadly and sophisticated as possible.

Organizations everywhere put up full-spectrum firewalls, draft byzantine and Kafkaesque security policies, send delegates to security conferences to talk very seriously in hushed voices about APTs, and make endless pointless and/or disastrously counterproductive demands in the name of security theatre, such as forcing people to use impossible-to-remember passwords

while storing those incomprehensible passwords in plaintext on databases vulnerable to URL SQL injection, as their employees open poisoned attachments sent by strangers. That’s like being so worried about whether an enemy nation-state has fired a cruise missile at your house that you forget you left your car parked overnight with the door open and the keys in the ignition. In Oakland. Worrying about APTs directed by, say, China is very sexy—if blatantly sinophobic—these days, but maybe organizations shouldn’t start worrying about the enmity of the Middle Kingdom until they’ve first established their ability to handle bored teenage French girls with a bone to pick.

Image credit: “Public Enemy / Minor Threat”, believekevin, Flickr.

A pair of security researchers have recently unveiled an interesting new keylogging method (PDF Research Paper) that makes use of a very unlikely smartphone component, your gyroscope.

Most smart phones now come equipped with gyroscopes, which can be accessed by any application at any time. [Hao Chen and Lian Cai] were able to use an Android phone’s orientation data to pin down what buttons were being pressed by the user. The attack is not perfect, as the researchers were only able to discern the correct keypress about 72% of the time, but it certainly is a good start.

This side channel attack works because it turns out that each button on a smart phone has a unique “signature”, in that the phone will consistently be tilted in a certain way with each keypress. The pair does admit that the software becomes far less accurate when working with a full qwerty keyboard due to button proximity, but a 10 digit pad and keypads found on tablets can be sniffed with relatively good results.

We don’t think this is anything you should really be worried about, but it’s an interesting attack nonetheless.

[Thanks, der_picknicker]

Filed under: android hacks, iphone hacks, security hacks

Xtables-Addons On Centos 6 & Iptables GeoIP Filtering

This tutorial will explain how to install aditional modules for the
kernel to use with iptables rules sets (netfilter modules).
Xtables-addons is the successor to patch-o-matic(-ng). Likewise, it
contains extensions that were not, or are not yet, accepted in the main
kernel/iptables packages.
Xtables-addons is different from patch-o-matic in that you do not have
to patch or recompile the kernel.

Setting Up ProFTPd + TLS On Debian Squeeze

FTP is a very insecure protocol because all passwords and all data
are transferred in clear text. By using TLS, the whole communication can
be encrypted, thus making FTP much more secure. This article explains
how to set up ProFTPd with TLS on a Debian Squeeze server.

Tales is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

Tails is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

Tails is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

Tails is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

Tails is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

Tails is a live media Linux distro designed boot into a highly secure desktop environment. You may remember that we looked at a US government distro with similar aims a few months ago, but Tails is different because it is aimed at the privacy conscious “normal user” rather than government workers. more>>

How To Encrypt Directories/Partitions With eCryptfs On Debian Squeeze

eCryptfs
is a POSIX-compliant enterprise-class stacked cryptographic filesystem
for Linux. You can use it to encrypt partitions and also directories
that don’t use a partition of their own, no matter the underlying
filesystem, partition type, etc. This tutorial shows how to use eCryptfs
to encrypt a directory on Debian Squeeze.

When you think about hacking laptops, it’s highly unlikely that you would ever consider the battery as a viable attack vector. Security researcher [Charlie Miller] however, has been hard at work showing just how big a vulnerability they can be.

As we have been discussing recently, the care and feeding of many batteries, big and small, is handled by some sort of microcontroller. [Charlie] found that a 2009 update issued by Apple to fix some lingering MacBook power issues used one of two passwords to write data to the battery controllers. From what he has seen, it seems these same passwords have been used on all batteries manufactured since that time as well. Using this data, he was subsequently able to gain access to the chips, allowing him to remotely brick the batteries, falsify data sent to the OS, and completely replace the stock firmware with that of his own.

He says that it would be possible for an attacker to inject malware into the battery itself, which would covertly re-infect the machine, despite all traditional removal attempts. Of course, replacing the battery would rectify the issue in these situations, but he says that it would likely be the last thing anyone would suspect as the source of infection. While using the battery to proliferate malware or cause irreversible damage to the computer would take quite a bit of work, [Charlie] claims that either scenario is completely plausible.

He plans on presenting his research at this year’s Black Hat security conference in August, but in the meantime he has created a utility that generates a completely random password for your Mac’s battery. He says that he has already contacted Apple to in order to help them construct a permanent fix for the issue, so an official patch may be available in the near future.

[Thanks, Sergio]

Filed under: macs hacks, security hacks

[John Boxall] of Little Bird Electronics was thinking about combination locks, and how one might improve or at least change the way these locks work. Traditional combo locks can be implemented in a variety of ways, most of which we are all familiar with. Standard rotary padlock and keypad-based electronic safes work just fine, but he was interested to see how one might implement a single button combination lock.

[John] determined that the best, if not only way, to build this sort of lock would require him to measure button press intervals. In his case he decided to monitor the intervals between his button presses instead, but the concept is the same. He first tested himself to see how accurately he could press and release the button, leaving a one-second space between presses. After looking at the results he determined that he would need to incorporate at least a 10% margin for error into his code in order to compensate for human error.

He then created an Arduino sketch to test his idea, defining a set of key press intervals that could be used to ‘unlock’ his imaginary vault. It worked quite well, as you can see in the video demo below.

Now we’re not suggesting that you lock up your mind condition My Little Pony collection or your illegal arms stash with this type of lock, but it could be useful as an extra failsafe for certain projects/gadgets that you want to keep all to yourself.

Filed under: arduino hacks, security hacks