Category Archives: Information Security

Setting up OpenVPN Access Server for Ubuntu 13.11

About OpenVPN Access Server: https://openvpn.net/index.php/access-server/overview.html. I use OpenVPN-AS to self-host a really easy to use VPN for Windows, Linux, and Android devices.

Access Server release notes for 2.0.3: http://openvpn.net/index.php/access-server/download-openvpn-as-sw/532-release-notes-v200.html

on the server side:

sudo apt-get install openvpn bridge-utils openvpn-blacklist
openvpn --version

The output should show “OpenVPN 2.3.2 x86_64-pc-linux-gnu” (or a later version).

Check to verify that you will be downloading and installing the latest version of OpenVPN-AS by visiting this page and selecting your OS: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

wget http://swupdate.openvpn.org/as/openvpn-as-2.0.3-Ubuntu13.amd64.deb
sudo dpkg -i openvpn-as-2.0.3-Ubuntu13.amd64.deb

I use Ubuntu’s “Uncomplicated Firewall” (https://help.ubuntu.com/community/UFW) to manage my server-side iptables firewall. I added a rule to allow incoming TCP traffic on port 1194.

sudo ufw allow 1194/tcp
sudo ufw reload

Create a user on your server that won’t have administrative rights, that you’ll use to access your VPN:

sudo adduser ovpnuser

then on the client side:

Unfortunately, at the time of writing, “.ovpn” files are not supported through the gnome GUI as described here: http://askubuntu.com/questions/187511/how-can-i-use-a-ovpn-file-with-network-manager. So you will have to connect via command-line.

  1. Go to https://your_static_ip:1194 in your web browser.
  2. Log in with the user credentials that you created above.
  3. Click “Yourself (user-locked profile)” to download the “client.ovpn” file.
  4. Open a terminal window and enter:
     sudo openvpn --config /home/your_user/Downloads/client.ovpn
  5. Verify that you’re using your remote IP address: http://ipchicken.com/


Encryption for journalists #TA3M

Techno activism

Techno-Activism Third Mondays (TA3M) is an informal meetup designed to connect software creators and software users who are interested in learning or teaching about censorship, surveillance, and various open source technologies for personal computing devices of all kinds. The New York-based OpenITP nonprofit started TA3M in December 2012, with New York, San Francisco and Berlin hosting their first TA3M events in January 2013. Currently, TA3M events are held in at least 20 cities throughout the world, with many more launching every month.

Seattle hosted its first TA3M event in August 2013. In our November event, 35 people were in attendance to partake in presentations about Geeks Without Bounds involvement, Tor software development, and Tor use on personal computing devices.

Seattle journalists

For December’s TA3M in Seattle, I’ll be presenting on the use of specific open source encrypted communications applications for mobile and personal computing devices. My presentation is aimed at people who are brand new to these encryption-optional chat tools but generally familiar with instant messaging platforms.

  • ChatSecure for Android and iOS, by The Guardian Project
  • Orbot for Android, by The Guardian Project
  • Pidgin for Windows, OSX, and Linux

The rough draft of my presentation can be found here.

Tentative event schedule here.

If you are planning to attend this free and open-to-the-public event, and have any questions that technical people such as me can help answer for you, please post questions in the comment section of this post.


Get Tomb 1.4 up and running on Ubuntu 13.10

Tomb is an excellent command-line tool for maintaining encrypted files. Tomb files can be stored on an Internet-facing server so that they can be accessed from anywhere in the world using any SSH client. An adversary would have to compromise that server, gain administrative privileges, and, if they also obtained the key files, brute-force the Tombs in order to recover their contents. Someone who is more “at risk” than I am should keep an air gap between the Internet and their Tombs. Managing your Tomb’s key files is a different matter that I’ll discuss later.

Read about Tomb here: http://www.dyne.org/software/tomb/

Download Tomb onto your Ubuntu server.

wget 'https://files.dyne.org/.xsend.php?file=tomb/releases/Tomb-1.4.tar.gz'

Rename the downloaded file.

mv '.xsend.php?file=tomb%2Freleases%2FTomb-1.4.tar.gz' Tomb-1.4.tar.gz

Download the SHA hash/checksum file.

wget https://files.dyne.org/tomb/releases/Tomb-1.4.tar.gz.sha

View the Tomb tar file’s SHA hash.

cat Tomb-1.4.tar.gz.sha

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz

Compute the Tomb tar file’s SHA-256 checksum and compare it to the hash above. If they are the same, continue with the installation.

sha256sum Tomb-1.4.tar.gz

2621ac6b9180321e69743dc899645449b2b958c6aa46e4b2601c2e89131bbf29  Tomb-1.4.tar.gz

Unzip the Tomb tar file.

sudo tar -zxvf Tomb-1.4.tar.gz

Change into the newly created Tomb Directory.

cd Tomb-1.4/

Install Tomb.

sudo make install

Verify the installation by checking Tomb’s version.

tomb -v

Tomb 1.4 – a strong and gentle undertaker for your secrets

Copyright (C) 2007-2013 Dyne.org Foundation, License GNU GPL v3+
This is free software: you are free to change and redistribute it
The latest Tomb sourcecode is published on
This source code is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Please refer to the GNU Public License for more details.

System utils:

Sudo version 1.8.6p3
cryptsetup 1.4.3
pinentry-gtk2 0.8.1
gpg (GnuPG) 1.4.14 – key forging algorithms (GnuPG symmetric ciphers):
IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256
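Comparing the two hashes above by eye is easy to get wrong. The following shell function is an added example, not part of Tomb or dyne.org’s tooling: it reads the “<hex>  <filename>” line from the .sha file, checks that the entry names the tarball, and compares it with the computed SHA-256, returning 0 on a match and 1 otherwise.

```shell
#!/bin/sh
# Verify a downloaded tarball against a dyne.org-style .sha file
# ("<hex digest>  <filename>", the format shown above).
# Added example; not part of the Tomb project.

sha256_of() {
  # Print only the hex digest of a file (sha256sum on Linux, shasum elsewhere).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_tarball() {
  tarball="$1"; shafile="$2"
  [ -f "$tarball" ] && [ -f "$shafile" ] || { echo "missing file" >&2; return 1; }
  # Take the digest from the first line whose filename field names our tarball,
  # so a .sha file for some other release cannot "verify" this one.
  expected=$(awk -v f="$(basename "$tarball")" '$2 == f {print tolower($1); exit}' "$shafile")
  if [ -z "$expected" ]; then
    echo "no entry for $(basename "$tarball") in $shafile" >&2
    return 1
  fi
  # A SHA-256 digest is exactly 64 lowercase hex characters.
  case "$expected" in
    *[!0-9a-f]*) echo "malformed digest in $shafile" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 1; }
  actual=$(sha256_of "$tarball")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $tarball matches $shafile"
    return 0
  fi
  echo "MISMATCH: expected $expected, got $actual" >&2
  return 1
}

# Usage with the two files downloaded above, run from the same directory:
#   verify_tarball Tomb-1.4.tar.gz Tomb-1.4.tar.gz.sha && sudo tar -zxvf Tomb-1.4.tar.gz
```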

Be sure to “shred” your Tombs or Tomb key files if you ever want to move or delete them. If you’re moving your files, copy them first, then shred the originals. Do not simply move them.

sudo shred -f -v -z -u tomb.tomb.key

Malicious events from my Tor Exit Router

Updated Tor Exit Router display page: http://ipv4-tor-exit-1.okfn.us/

New to Tor? Read about it on Wikipedia: http://en.wikipedia.org/wiki/Tor_(anonymity_network)

Earlier this month, my ISP, CondoInternet, called me to inform me of an attack from an IPv4 address belonging to the Tor Exit Router (TER) that I operate. Immediately I was interested because I wanted to verify that the web host was not compromised. Fortunately and unfortunately, since no network traffic is being logged, I wasn’t able to verify any details from a network access perspective. CondoInternet’s NOC was very helpful and understanding, having stated that they are aware of what Tor is, and forwarded me the 4 complaints that they’ve received since I started running the TER over a year ago. Out of curiosity, I asked their NOC if there were any other TERs on their network, and I’m the only one (sad face).

Below are some snippets from emails that CondoInternet’s NOC forwarded me. They stated that they did not want me to contact any of the senders directly, which I’m happy to oblige. The most recent and most serious is first, since prior to this event, CondoInternet hasn’t felt like the malicious activity from the TER has been worth much attention.

Thu, 30 May 2013 16:49:32 -0700

Hello, our company servers were recently hacked by the IP address
216.243.58.198 which is a customer of CondoInternet. We are requesting that
you shut the user in question down and share all subscriber information
with our company for further litigation. Thank you.

Below is a snippet of our logs with further information of the hack.
vb_init.php is a malicious file which was uploaded to our server by the
offender and was used to take control of the server and steal our company
and customer data.

216.243.58.198 - - [27/May/2013:03:33:26 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 7810 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:33:35 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 8877 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:33:41 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 4641 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:34:15 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 22242 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:37:03 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 8884 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:37:09 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 10086 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"
216.243.58.198 - - [27/May/2013:03:39:48 -0500] "POST /x_admin/vb_init.php
HTTP/1.1" 200 15189 "http://www.[removed].com/x_admin/vb_init.php"
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"

Here are the other three:

Mon, 13 May 2013 08:08:12 -0700

Please remove this script kiddie from your network IP Address:
216.243.58.198.

and

Thu, 25 Apr 2013 04:08:07 -0700

Dear Administrator(s),

We have detected an attack attempt from an IP address of your
responsibility (216.243.58.198) !

Sample:
Timestamp: 2013-04-24 22:55:59 (GMT)
Alert: COSED [CSG-GOP-009] WEB-ATTACK w3af User Agent
Source: 216.243.58.198 (60882)
Destination: [removed] (80)
Content:
GET /modules/istats/not-index.php HTTP/1.1
Host: [removed]
Cookie: PHPSESSID=1edd40fc052372b17b343f9be8203907
Accept-encoding: gzip
Accept: */*
User-agent: w3af.sourceforge.net
Connection: keep-alive

and

Wed, 24 Apr 2013 04:45:01 -0700

Dear Administrator(s),

We have detected an attack attempt from an IP address of your
responsibility (216.243.58.198) !

Sample:
Timestamp: 2013-04-23 14:24:59 (GMT)
Alert: COSED [CSG-GOP-009] WEB-ATTACK w3af User Agent
Source: 216.243.58.198 (38451)
Destination: [removed] (80)
Content:
ndor=exact&mids%5B%5D=2&mids%5B%5D=12&mids%5B%5D=20&mids%5B%5D=21&mids%5B%5
D=22&mids%5B%5D=23 HTTP/1.1
Host: [removed]
Cookie: PHPSESSID=0656e61c0d0780a526ae392dde555bd3
Accept-encoding: gzip
Accept: */*
User-agent: w3af.sourceforge.net
Connection: keep-alive

GET 
/search.php?skipValidationJS=0&action=results&id=bce23d0828f9ddc1c360fefd676
0594a&query=palavra-chave&andor=d%27z%220&mids%5B%5D=2&mids%5B%5D=12&mids%5B
%5D=20&mids%5B%5D=21&mids%5B%5D=22&mids%5B%5D=23 HTTP/1.1

CondoInternet has been an amazing ISP. Recently I upgraded to 1 Gbps, and so far I’ve been peaking at around 9.25 MB/s RX and 9.25 MB/s TX. I expect to have more complaints come in as more traffic passes through my TER.

This TER has processed over 160 terabytes of Tor traffic. The known malicious events discussed above amount to mere kilobytes of data. Open Knowledge Foundation America will continue to support The Tor Project by donating time (skill) and money (bandwidth). A few “bad apples” are not concerning given the state of the internet; authors and readers of information need trusted tools to remain safe online.

Disabling IP address logging in Apache

Many thanks to Micah Lee for speaking at HOPE Number 9 – Privacy Tricks for Activist Web Developers

This post covers, in slightly more detail, the steps described between 15:50 and 17:01 of the following video:

I’d really like to flesh out additional SOPs in order to work toward an open privacy specification.

Standard Operating Procedure for disabling IP logging of visitors to an Apache 2.2 vhost on Ubuntu 12.04. I performed the following steps on this WordPress blog, anon.is. If you maintain your own WordPress blog, you would need SSH and root/sudo access to your web server.

Confirm Apache version:
# apache2 -v
Server version: Apache/2.2.22 (Ubuntu)

Edit Apache’s config file:
# sudo vim /etc/apache2/apache2.conf

Locate the directives for defining log customization and add (the inner quotes around %r must be escaped, or Apache will reject the directive):
LogFormat "%l %u %t \"%r\" %>s %O" noip

Edit your virtual host config file:
# sudo vim /etc/apache2/sites-available/site

The default vhost config will have the following line:
CustomLog ${APACHE_LOG_DIR}/access.log combined

Replace the word ‘combined’ with ‘noip’ at the end of the line:
CustomLog ${APACHE_LOG_DIR}/access.log noip

Delete, via shred, your old access.log files:
# sudo shred -f -v -z -u /var/log/apache2/access.log*

Save your change and reload Apache:
# sudo service apache2 reload

Before this change, my visit to my blog looked like:
108.162.246.105 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"

After this change, my log entry looks like:
- - [29/Jul/2012:18:45:49 -0700] "GET / HTTP/1.1" 200 19664

108.162.246.105 is CloudFlare — Micah discusses this issue in his talk. Since I’m using the CloudFlare CDN as a middleman between my blog and my blog’s readers, CloudFlare does record all visitors. As far as I know, I have no control over CloudFlare’s IP logging. If I were not using a third-party service, I would have seen my actual originating IP.

It would be really awesome if I could find a way to log partial IP addresses, like the first two octets of an IPv4 address, possibly using Apache’s SetEnvIf directive. I also need to find out how to leverage this privacy-maintaining tactic when using an Intrusion Detection System in front of a web server, since it definitely stores all IP addresses with timestamps that can be compared to the reduced log file.
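One way to get the partial-address logging wished for above on logs you already have, as an added example that is not from the talk or from Apache’s documentation: the first function rewrites the client field of combined-format lines to a network prefix (first two IPv4 octets, or first two IPv6 groups), and the second converts a combined line to this post’s noip format so old logs can be reduced rather than shredded. Both read log lines on stdin and write the rewritten lines on stdout.

```shell
#!/bin/sh
# Reduce client addresses in existing Apache "combined" access-log lines.
# Added example, not Apache's or Micah Lee's code.

# Keep only a network prefix of the leading %h field:
#   108.162.246.105        -> 108.162.0.0
#   2001:db8:1234:5678::1  -> 2001:db8::
# Lines whose first field is not an address (e.g. already "- -") pass through.
truncate_client_ip() {
  sed -E \
    -e 's/^([0-9]+\.[0-9]+)\.[0-9]+\.[0-9]+ /\1.0.0 /' \
    -e 's/^([0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}):[0-9a-fA-F:.]+ /\1:: /'
}

# Convert a combined line to the noip format from this post:
# drop the leading %h field and the trailing "%{Referer}i" "%{User-Agent}i".
# Assumes the two trailing quoted fields contain no literal double quotes
# (Apache escapes them as \" in practice, which this regex does not handle).
to_noip() {
  sed -E 's/^[^ ]+ (.*) "[^"]*" "[^"]*"$/\1/'
}

# Constructed sample input: the "before" line from this post plus one IPv6 visit.
SAMPLE_LOG='108.162.246.105 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"
2001:db8:1234:5678::1 - - [29/Jul/2012:18:41:02 -0700] "GET /feed/ HTTP/1.1" 200 4102 "-" "curl/7.22.0"'

printf '%s\n' "$SAMPLE_LOG" | truncate_client_ip
printf '%s\n' "$SAMPLE_LOG" | to_noip
```

To rewrite a real log in place, run it through one of the functions into a new file and shred the original as shown above.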

Questions: Intel S1200KP and 520 series SSD Full Disk Encryption

I’m writing this post to remind myself to pick up an Intel 520 Series SSD in *hopes* that the Intel S1200KP supports ATA passwords to utilize the 520’s AES, 256-bit, full disk encryption. I really want these two products to play nice for a couple of reasons:

  1. The S1200KP is mITX, has two SATA III ports, has two Intel GbE ports, and a 3 year warranty
  2. The 520 is SATA III and has a 5 year warranty (unlike the slightly cheaper 330 with a 3 year warranty)

The 520 series product spec includes:

Advanced Encryption Standard (AES) 256-bit Encryption

AES 256-bit encryption is an industry standard in data security, providing a hardware-based mechanism for encryption and decryption of user data. Utilizing a 256-bit encryption key, AES encryption — when combined with an ATA drive password — helps protect user data.

But the S1200KP product spec isn’t verbose about ATA passwords:

3.9    BIOS Security Features

The BIOS includes security features that restrict access to the BIOS Setup program and who can boot the computer. A supervisor password and a user password can be set for the BIOS Setup program and for booting the computer, with the following restrictions:

  • The supervisor password gives unrestricted access to view and change all the Setup options in the BIOS Setup program. This is the supervisor mode.
  • The user password gives restricted access to view and change Setup options in the BIOS Setup program. This is the user mode.
  • If only the supervisor password is set, pressing the <Enter> key at the password prompt of the BIOS Setup program allows the user restricted access to Setup.
  • If both the supervisor and user passwords are set, users can enter either the supervisor password or the user password to access Setup. Users have access to Setup respective to which password is entered.
  • Setting the user password restricts who can boot the computer. The password prompt will be displayed before the computer is booted. If only the supervisor password is set, the computer boots without asking for a password. If both passwords are set, the user can enter either password to boot the computer.
  • For enhanced security, use different passwords for the supervisor and user passwords.
  • Valid password characters are A-Z, a-z, and 0-9. Passwords may be up to 16 characters in length.

More info:

The ATA Password is often referred to as an “HDD Password” in system BIOS.  If the system allows, it is recommended that both “User” and “Master” passwords are configured for maximum security.

Good news update! The S1200KP looks promising with the most current BIOS update!

[Screenshots: up-to-date BIOS; HDD password options]

It’s really odd, though: Intel provides no documentation on how to use FDE with their own products. No benchmarks and no security reviews or whitepapers. Even on the Intel forums, people are bewildered. Third-party review sites mention the ability but don’t test it. Ridiculous.

I’ll see if the S1200KP can do it. It might be a month, but I’ll update this post when I do.

Installing Tomb in Ubuntu 12.04 LTS

The following guide was written because Crypto.is has been offline for a couple of months. The guide has been updated and tested for Ubuntu 12.04 x64.

This guide can be used in conjunction with my previous, related post, Installing and using Tomb in Ubuntu 11.10.

Tomb is a lightweight encryption tool for managing encrypted containers. It’s ideal for backing up password files somewhere on the Internet since you keep the keyfile separate, like on your USB memory drive. With the release of Google Drive, Google has provided an excellent service for your Tomb files (in tandem with Google Authenticator, a free multi-factor authentication service, you can better secure your Google-managed data). Ubuntu One is another cloud-based service which is also free.

Note: This specific blog post is licensed as Creative Commons CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

# sudo apt-get update ; sudo apt-get install build-essential autoconf libtool libgtk2.0-dev libnotify-dev zsh pinentry-curses pinentry-gtk2 debconf git vim
# git clone git://github.com/cryptodotis/Tomb.git
# sudo vim /etc/apt/sources.list

Add to the bottom of your sources list:
deb http://apt.dyne.org/ubuntu dyne main
deb-src http://apt.dyne.org/ubuntu dyne main

# wget http://apt.dyne.org/software.pub
# gpg --import software.pub
# sudo apt-key add ~/.gnupg/pubring.gpg
# sudo apt-get update ; sudo apt-get install -y tomb

Check version:

# tomb -v

Then check out how to use Tomb here: Installing and using Tomb in Ubuntu 11.10.