vpnc and Fritz!box

Posted on February 27, 2013 by Pablo Endres

Fritz!Box is a series of home routers from AVM, which can do a lot. Among the features is VPN support: site-to-site and client-to-site (road warrior).

I wanted to play with the road warrior setup, because it is always practical to have a way back into a network: for privacy if on a hot spot or just to be able to access hosts on it.

Fritzbox deliverers it own Windows / Mac VPN client (FRITZ!Box VPN Connection) which works pretty good, but as a Linux user I would really enjoy native support (so I don’t have to get access through a VM, which works pretty well by the way).

After multiple failing tests and toggling all possible vpnc configuration options, which aren’t that many by the way, it was time to play: find the differences!

Continue reading →

Do Reverse Proxies provide real security?

Posted on September 19, 2012 by Pablo Endres

Have you ever questioned the security best practices?

In the process of building / designing the infrastructure for a new project the following question was asked: “shouldn’t we use a reverse proxy to secure or protect the web servers?” Of course the first question I asked myself is “do reverse proxies provide real security?” or is this a best / common practice that has been adopted without foundation?

I worked with some fellow security experts to measure if the use of Reverse Proxies actually provides better security than exposing your web servers directly.

We used the OSSTMM 3 as the basis for the testing so we could measure the Attack Surface. Even though, measuring the Attack Surface with RAVs (the method outlined in the OSSTMM) seems complicated at first, it is actually pretty straight-forward once you understand the concepts.

The results of this research can be found in this paper. It also serves as a good tutorial on how to use the RAVs to measure the security of any scenario.

Adoption of Linux releases

Posted on May 16, 2012 by Pablo Endres

I’m impressed how some software Vendor have resisted to provide support for Red Hat Enterprise Linux 6 (RHEL6) and its derivates for their products. This week I ran into two examples:

a. Nexpose from Rapid7:
This is a Vulnerability scanner, which does a good job at what it does, even in the Community Edition. Actually it lets you scan up to 32 machines without restricting the plug-ins.
If you look at the requirements in their site you’ll find the following:

Microsoft Windows Server 2003 SP2 / Server 2003 R2*
Microsoft Windows Server 2008 R2
Microsoft Windows 7
VMware ESX 3.5 and 4.0
VMware ESXi 3.5 and 4.0
Red Hat Enterprise Linux Server 5.x
Ubuntu 8.04 LTS
Ubuntu 10.04 LTS

I don’t expect support for Ubuntu 12.04 which was released a couple of weeks ago but I would think that RHEL 6 would be supported, especially since its release date was more than 13 months ago (2010-11-10). It is very probable that a company building a new infrastructure (like in my case) would use the latest enterprise release and not one that is 5 years old, even if it will be supported for 5-8 years more.

To make matters worse, if you try to install on RHEL clones or derivates like CentOS and Scientific Linux the installer says that they are not supported.

Workaroud: change the contents of the /etc/redhat-release during the installation process to the one used by RHEL.

b. Zenoss from Zenoss, Inc

This is an Open Core monitoring system, which one could compare with Nagios + Cacti or commercial tools like HP OpenView.
I couldn’t find a requirements sheet on the commercial website but on the community edition there is support for a wide range of OSes and Linux distributions, again not including RHEL 6.

On the plus side it does offer support for CentOS (I would assume other RHEL clones) and its open core, so you can download the sources and build it yourself if you want to.

I’m wondering what other reason, besides cutting costs, would these vendors have for not supporting RHEL6.
Could it be the penetration rate or the market? I’m going to see if I can find more information regarding this and publish an update afterwards. Maybe I’ll even get a straight answer from the vendors themselves.

WebOS Security

Posted on April 23, 2012 by Pablo Endres

I had the pleasure of attending WebOS Developer Workshop in Mainz on Saturday Thgtwi (@thgtwi) did a great job with the organization. SuVuK(@SuVuK_open) did a nice report on the contents of the Workshop in his blog.

I took the opportunity talk about Security in the WebOS platform. I ran some tests based on WebOS 3.X, which is currently available for the HP TouchPad and is being opensourced as Open WebOS. The scope covers issues that can and should be applied to any mobile platform:

Architecture
OS / Platform
Authentication
Networking
Browser
Email
PIM
MDM
Other

I haven’t been able to complete the tests that I wanted to, some of them require Exchange to make use of the EAS policies, which I find interesting to see if the hold up to claims in the WebOS security white paper. I’ll post an update a soon as they are done.

The slides are available under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

If you have any comments or feedback, feel free to contact me..

Followup on mind control

Posted on April 2, 2012 by Pablo Endres

Mae Geri. Source: http://www.foto-harz.de/details.php?image_id=968

This post was originally going to be dedicated to Karate, but I stumbled upon a reflective article: “Mind Control” by Pete Herzog and decided to try to build on top of it.

Pete, makes reference that given the speed of our sensors and our brain we basically live in the past: 80 ms in the past to be precise. So since we live in the past, our mind has been made up before we actually know or realize it; this enables us to perform complex tasks in “mental autodrive” or mental cruise control and how much energy is necessary to change mental patterns,

Karate is a good example of how through repetition, we create complex rules and responses of body and mind through repetition and concentration. It is possible to calculate the distance to something, even in movement, to hit it with the intended force: so when practicing you control strength, but in a sticky situation you can actual hit with all your might to defend yourself.

I had the pleasure of attending a karate-do class by Akita Sensei on Friday. And he focused on perfectioning small details in techniques, for example a Mae-geri or front kick. The idea was to concentrate on a couple of details, like:
a) The standing leg: ensuring it was correctly flexed, not overturned, but rather looking perfectly forward
b) The hip: should stay in a straight line, instead of automatically going forward to cover more space
c) The knee: should go up to the right place, at the right time
d) After the kick: retract the knee to the original position

If we can willingly create and change these patterns or rule-sets, why to we still react in primitive ways to known prompts? How many rules have been created for us by society and the modern way of life? How may rules do we have in place without even knowing it?

Considering the effort needed to change these rules, even if we use some cool mind tricks likes those described here; do we really want to do it? Can we make changes that will kick in in auto-drive or under stress? How do we discover if there are other rules with a higher priority than those we are trying to build in?

Sadly I don’t have those answers for you, but I think that the 15-20 black belts that were in that class with me will also be trying implicitly to find the answers to those questions

Tools

Posted on February 13, 2012 by Pablo Endres

I’ve added a new section that contains some tools / scripts / quick hacks I’ve done over the last couple of years.

They are probably not my best coding, but they get the job done.

If they are helpful or useful for you let me know. If you have any suggestions or patches add a comment or contact me.

Implementing effective controls: Venezuela to block stolen mobile phones

Posted on September 21, 2011 by Pablo Endres

Even though a don’t agree with many of the decisions and laws created in Venezuela, I think this is great example of implementing a control for a big risk.

The Venezuelan telecommunications regulator Conatel, decided that operators have to implement mechanisms to block a mobile phone once reported stolen by its owner. This blacklist, so to speak, should work between the three main operators in the country and they even got RIM (the maker of the Blackberry devices) to agree on blocking these devices world wide.

Here is a link to the story in Spanish.

I remember from when I wrote my thesis back in 2003, that this feature is part of the original design of the GSM system, so these black lists could also be implemented at a worldwide scale. I also have information from a colleague from Romania that this system has been effectively implemented there and has reduced the theft rates dramatically.

So coming back to controlling risks; this measure if implemented correctly should reduce the risk of having a mobile phone stolen because it cannot be sold. The real impact should be seen in a couple of months once enough phones are effectively blocked and the repair shops have enough spare parts (I have no doubts that many stolen phones will be chopped up).

Update 22/01/2012: after a recent visit to Caracas I checked up on this issue. Seams like the actual bureaucratic burden does not let this policy to be correctly be implemented. I hope this gets better with time.

Empathy and MSN

Posted on October 22, 2010 by Pablo Endres

I’ve had some problems recently (the last couple of weeks) with Empathy on Ubuntu 10.04. All my MSN accounts just started giving my an “Authentication Failed”.

After checking with pidgin, which I use for other accounts, that my credentials were still working I found a post in the Ubuntu Forums that gave me a good solution:

$ sudo aptitude remove telepathy-butterfly
– Make sure you have telepathy-haze installed, if not
$ sudo aptitude install telepathy-haze
– Delete the accounts and recreate them with the new plugin

I’m not sure why this happened, but at least it’s working again.
Hope this helps someone else out there.

ooimpress and .pps files

Posted on October 8, 2010 by Pablo Endres

I’ve been working with Ubuntu lately at the day job and the Open Office setup is different than on Fedora. One special case is the opening of .pps files, which per default go into “presentation mode” which I normally hate to see (it just takes to long to see what you really what to see in the presentation.

This is a workaround I found around in the Web:
Create ~/bin/ooimpress-edit or if you want to use it system wide /usr/local/bin/ooimpress-edit; and add the following code into it

#!/bin/bash
ooimpress -n “$*”
exit

Use it when ever you think you need it. I set it up as default behaviour in the browser.

Enjoy

Lucid Lynx and Constantine multiboot

Posted on May 18, 2010 by Pablo Endres

As most of you know I’m a Fedora user, well started out some time ago as a Redhat user until they decided to have to spins: Redhat (stable for the enterprise) and Fedora (bleeding edge for the community). Back to the point, my main distro is Fedora but I like to give other distributions a spin to find the pros and cons.

I decided to install the new and shiny Ubuntu 10.04 “Lucid Lynx”, but there is no way I want to affect my main partitions!! Why should I this is Linux after all, it can boot from a secondary partition I can even put the bootloader at the beginning of the partition to make it totally independent!! Having done that already with Backtrack 4, Ubuntu 9.10 (karmic) and CentOS 5.x it should be as easy as 1 – 2 – 3 (Or simple as… got Jackson 5 ringing in my ear right now).

So the solution I had in mind was just to add a new partition with parted, install there and add the following lines to the /etc/grub.conf in my Fedora partition:

title Ubuntu 9.10 (Karmic)
rootnoverify (hd0,6)
chainloader +1

The problem is that Ubuntu 10.04 ships with grub-2 (technically speaking 1.98) and it just doesn’t work the same way. After a couple of re-installs and hours later I came out with this blog with a really detailed review of the distribution and with the solution I needed:

title Ubuntu 10.04 (Lucid Lynx)
root (hd0,4)
kernel /boot/grub/core.img
savedefault
boot

Just to make sure your a attacking the right error, this is was I was getting: Error 13 invalid or unsupported executable format