Your Weakest Security Link? Your Children, or is it?

A while back I came across a fairly good article on the need for awareness regarding children and computers. However, I miss a few paragraphs (or even chapters) on the steps that are necessary even without children.

None of this is of course the children's fault; it does however provide a good opportunity to discuss computer security hygiene, and with it the lack of knowledge of, and focus on, security and privacy in current and new generations.

To start off, the article that inspired this post: Your Weakest Security Link? Your Children - WSJ

What do you do when the biggest threat to your cybersecurity lives under your own roof?

It’s a fact of life online: a network is only as strong as its weakest link. For many people, that weakest link is their children. They inadvertently download viruses. They work around security to visit sites their parents don’t want them to. They run up huge bills using their parents’ one-click ordering.

Segregated WiFi networks
My largest concern with the article is that it does not mention the need for a wifi guest network. You should never, ever, allow external devices outside your control, or lower-security devices such as tablets and smartphones, directly onto your LAN. These devices simply don't need it and should be in a separate security zone on the firewall. If you need access to local resources, use OpenVPN to set up a connection from the wifi zone to the LAN zone, or for certain other elements open up specific ports/applications to pass through.

My usual setup involves flashing a router/access point with dd-wrt (a Linux-based firmware). This allows setting up guest networks / virtual wireless interfaces (although not all devices will allow anything but open (public) / WEP encryption on the virtual interfaces, i.e. no WPA; as these are by definition low-security zones, this is fine). The most important thing is that the guest network is

  • AP isolated, i.e. does not allow traffic between individual devices on the network
  • only allows traffic through NAT to the WAN (internet), i.e. not to LAN devices
  • QoS enabled, so as not to interfere with your normal use

The guest network should further be restrictive in what traffic it allows. Normally your visitors only require HTTP(S), POP3S, IMAPS, SMTPS, SSH and maybe a few other protocols (people shouldn't use unencrypted transport channels for reading mail, so the non-secured alternatives are blocked), so the firewall should be restrictive as a starting point.
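As an added example (not from the post, and not dd-wrt's own configuration), the routed side of the guest-network rules above as a dd-wrt style firewall script. The interface names, the subnets and the port list are assumptions to adjust for your own router; AP isolation itself is a wireless setting on the access point and is not something iptables can enforce between clients of the same radio, so the script covers the other two points: no path into the LAN, NAT-only access to the WAN, and an allow list limited to the encrypted protocols named above.

```sh
#!/bin/sh
# Added example (not from the post): dd-wrt style firewall rules for a
# guest/virtual wireless interface. Interface names, subnets and the port list
# are assumptions. AP isolation is set in the wireless settings; these rules
# cover the routed side (no LAN access, NAT to WAN, restricted ports).
GUEST_IF="${GUEST_IF:-wl0.1}"             # assumed virtual wireless interface
WAN_IF="${WAN_IF:-vlan2}"                 # assumed WAN interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # assumed trusted LAN subnet
GUEST_NET="${GUEST_NET:-192.168.10.0/24}" # assumed guest subnet
# SSH, HTTP, HTTPS, SMTPS/submission, IMAPS, POP3S; the cleartext mail ports
# (25, 110, 143) are deliberately absent from the allow list.
GUEST_TCP_PORTS="22,80,443,465,587,993,995"

# Emit the rules instead of applying them, so they can be reviewed first
# (`guest_rules | sh` on the router applies them).
guest_rules() {
  cat <<EOF
iptables -N GUEST_FWD 2>/dev/null
iptables -F GUEST_FWD
iptables -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A GUEST_FWD -d $LAN_NET -j DROP
iptables -A GUEST_FWD -o $WAN_IF -p tcp -m multiport --dports $GUEST_TCP_PORTS -j ACCEPT
iptables -A GUEST_FWD -o $WAN_IF -p udp --dport 53 -j ACCEPT
iptables -A GUEST_FWD -j DROP
iptables -I FORWARD 1 -i $GUEST_IF -j GUEST_FWD
iptables -I INPUT 1 -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT 2 -i $GUEST_IF -j DROP
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Review helpers: the number of rules that would ACCEPT guest traffic into the
# LAN and the number of cleartext mail ports in the allow list; both must be 0.
lan_accept_rules() {
  guest_rules | grep -c -- "-d $LAN_NET -j ACCEPT" || :
}
cleartext_mail_ports() {
  echo "$GUEST_TCP_PORTS" | tr ',' '\n' | grep -c -x -e 25 -e 110 -e 143 || :
}
```

The router itself only accepts DHCP and DNS from the guest interface (the two INPUT rules), everything else from guests is dropped before it reaches the firewall's own services, and the GUEST_FWD chain drops traffic to the LAN subnet before any allow rule is consulted, so adding a port to the allow list can never open a path into the LAN by accident.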

A proper network setup removes the primary issues discussed with children's devices being connected to the network. It is no better to allow other unsecured devices onto it, so why not do it properly in the first place?

In fact, with today's growth of the Internet of Things, you will also want a dedicated device network that is internal (no AP isolation, but no traffic allowed to the LAN or WAN) for the TV to communicate with speakers etc. I simply don't get people plugging these directly into the regular network. That only leads to situations such as Samsung's voice recording, i.e. surveillance of everything you say.

Disk encryption
Disk encryption is necessary in order to avoid circumventing the security schemes using known passwords mentioned in the article. I remember the good old days when NTFS first arrived, and how easy it was to brute-force SAM files. Without disk encryption, separating profiles (e.g. in Windows 7) won't help you, as anyone can boot a live OS (Linux ftw) and get access to all files, including configuration files. But quite frankly, multi-user systems are difficult to secure; hardware today is cheap, and you shouldn't let your kids use your own hardware in the first place, but set up their own systems for them.

Seven proxies
Be restrictive in what kind of data you allow to flow through your network. Use Proxies, proxies, and even more proxies, filter all network access appropriately through firewalls, and more importantly, make frequent use of jump servers / gateways.

If you are worried about certain types of virus intrusion, also get a firewall device supporting intrusion detection/prevention systems and an appropriate license to keep it updated. If you are concerned about your children's internet use, all web traffic should also be forced through a proxy (such as squid) at the firewall level.
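One way to force web traffic through squid at the firewall, as an added example that is not from the post and not squid's or dd-wrt's own documentation. The interface name, the subnets (the children's devices are assumed to sit in the upper half of the LAN range), the proxy port and the blocklist path are assumptions. Only plain HTTP can be intercepted transparently this way; HTTPS would need SSL bump, so what encrypted traffic may leave the LAN remains a FORWARD-chain decision.

```sh
#!/bin/sh
# Added example, not from the post: force LAN web traffic through squid on the
# firewall and give the children's devices a tighter policy. Interface names,
# subnets, the squid port and the blocklist path are assumptions.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
KIDS_NET="${KIDS_NET:-192.168.0.128/25}"   # assumed: children's devices in the upper half
PROXY_PORT="${PROXY_PORT:-3128}"
BLOCKLIST="${BLOCKLIST:-/etc/squid/blocked_domains}"  # assumed path, one domain per line

# Transparent redirect of outbound HTTP from the LAN to squid on the router,
# plus an INPUT rule so the redirected connections reach the proxy port.
redirect_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
}

# Minimal squid policy: everyone on the LAN goes through the proxy; the kids'
# subnet additionally gets a domain blocklist and an evening cut-off.
squid_policy() {
  cat <<EOF
http_port $PROXY_PORT intercept
acl localnet src $LAN_NET
acl kids src $KIDS_NET
acl blocked dstdomain "$BLOCKLIST"
acl late time 21:00-23:59
http_access deny kids blocked
http_access deny kids late
http_access allow localnet
http_access deny all
EOF
}

# Sanity check: squid evaluates http_access lines first-match, so the kids'
# deny rules must precede the general allow or they never take effect.
policy_order_ok() {
  squid_policy | awk '/^http_access allow localnet/ { allow = NR }
    /^http_access deny kids/ { if (allow) bad = 1 }
    END { exit bad ? 1 : 0 }'
}
```

The order check exists because the most common mistake with squid ACLs is appending a restriction after a broad allow, which silently does nothing; running `policy_order_ok` before reloading squid catches that.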

Separate the core devices of the network and don't allow traffic into them, even from the regular LAN, without going through a jump server / gateway, e.g. using OpenVPN. I actually use this myself: even though I connect my laptop to the regular wifi network, I won't get access to my virtual machines without being logged into the VPN. Only certain specified services are exposed by default.

Cloud services
Cloud services are great, I mean, truly: with the number of devices we have today, how else can we keep data available for our own use? The one caveat: you really, truly, REALLY MUST run the cloud service yourself. ownCloud is a great application for this, with clients across operating systems and platforms. File storage, calendar, contact information and a good news reader. Not much more to ask for, and if there is, there is likely already an app for it.

Don't ever allow friends or family to use iCloud, Dropbox, Google Drive or whatnot. Of course, promote using these services to your enemies, you might want to get access to their data some day.

Gentoo, qemu+kvm and virt-manager: Automating guest base install

Updated 2014-12-23: Update file links to gitweb.

I recently got myself a new server that is, amongst other things, intended for kvm/qemu virtual machines that I administer using virt-manager. As most of the guest VMs will be running Gentoo Linux, and the installation procedure is nice and command-line based, it enables quick installation of an up-to-date system without using an image, by utilizing a few simple bash scripts that require a minimum of user interaction during install in order to get a base OS.

It goes like this: after booting the Gentoo live CD we reset the root password to get a known password and start sshd to allow me to upload the script files.

passwd
/etc/init.d/sshd start

Once this is done we upload the script files using scp:

scp *.sh root@192.168.0.62:/

At this stage we edit the config.sh file using nano that is part of the live CD:

nano /config.sh

I rarely change much in the config file, but other users will naturally want to adjust this to their own environment. As for the drive layout, I normally default it to
xda1: 5MB - spare for MBR
xda2: 100MB - /boot
xda3: 4096MB - swap
xda4: residual - /

xda is used in place of vda (if virtio) or sda (if SATA) in this case. The underlying drive is an LVM2 logical volume created using

lvcreate -L 125G -n myVM vg0

A little trick to use the LVM drive directly in virt-manager is to create a storage group for the directory of the volume group (/dev/vg0), which allows me to allocate the logical volumes directly to the VM as a virtio disk.

Attempting to run /host.sh without a drive set up will naturally abort with a warning about missing drive configuration. Once this is configured (I normally use cfdisk /dev/xda) it is time to run:

/host.sh

The first thing that happens then is that the filesystems are configured appropriately (ext4) and a stage3 is downloaded and extracted, along with setting up the necessary mounts to enter the chroot. No more interaction is necessary until we enter the chroot using:

chroot /mnt/gentoo /bin/bash
/chroot.sh

At this point the rest of the install instructions are run, installing a regular gentoo-sources kernel with grub2 and setting up syslog-ng and cronie. Additionally I use Monkeysphere to set up the public keys for logging into the system as my user, so this is automated as well, along with adding the user to the wheel group (the latter two steps being optional in the config file, but if you haven't looked into Monkeysphere before I recommend doing so).

Once this is complete it is just a matter of running

exit

to get out of the chroot, and

reboot

and we have a working base install of a VM once it comes back up. From there I can start making any adjustments for the service the VM is supposed to provide.
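The host-side part of the procedure above (drive check, filesystems, stage3 download, mounts for the chroot) written out as an added example. This is not the host.sh linked from the post; the mirror URL, the name of the autobuilds index file, the DRIVE_TYPE/TARGET variables and the sfdisk script replacing the manual cfdisk step are all assumptions, while the partition sizes follow the layout given above.

```sh
#!/bin/sh
# Added example (not the scripts linked from the post): the host-side steps in
# shell form. Partition sizes follow the post's layout; the mirror URL, the
# stage3 index filename and the config variables below are assumptions.
set -e

MIRROR="${MIRROR:-http://distfiles.gentoo.org}"  # assumed mirror
ARCH="${ARCH:-amd64}"
DRIVE_TYPE="${DRIVE_TYPE:-virtio}"               # virtio or sata (assumed config key)
TARGET="${TARGET:-/mnt/gentoo}"

# "xda" in the post stands for vda (virtio) or sda (SATA); resolve it here.
resolve_drive() {
  case "$1" in
    virtio) echo /dev/vda ;;
    sata)   echo /dev/sda ;;
    *)      echo "unknown drive type: $1" >&2; return 1 ;;
  esac
}

# sfdisk script for the layout: 5M spare for the MBR, 100M /boot, 4096M swap,
# the rest /. Pipe into `sfdisk $DRIVE` instead of partitioning by hand.
partition_plan() {
  printf '%s\n' ',5M,83' ',100M,83' ',4096M,82' ',,83'
}

# Abort early, as the post describes, when the drive has not been partitioned.
require_partitions() {
  drive="$1"
  for n in 1 2 3 4; do
    [ -b "${drive}${n}" ] || { echo "missing ${drive}${n}: partition the drive first" >&2; return 1; }
  done
}

# Current stage3 tarball path from the autobuilds index (assumed index name;
# first non-comment line, first field).
latest_stage3_path() {
  wget -qO- "$MIRROR/releases/$ARCH/autobuilds/latest-stage3-$ARCH.txt" \
    | grep -v '^#' | awk '{print $1}' | head -n 1
}

host_install() {
  drive=$(resolve_drive "$DRIVE_TYPE")
  require_partitions "$drive"
  mkfs.ext4 -q "${drive}2"
  mkswap "${drive}3" && swapon "${drive}3"
  mkfs.ext4 -q "${drive}4"
  mkdir -p "$TARGET"
  mount "${drive}4" "$TARGET"
  mkdir -p "$TARGET/boot"
  mount "${drive}2" "$TARGET/boot"
  stage3=$(latest_stage3_path)
  wget -q "$MIRROR/releases/$ARCH/autobuilds/$stage3" -O "$TARGET/$(basename "$stage3")"
  tar xpf "$TARGET/$(basename "$stage3")" -C "$TARGET" --xattrs
  cp -L /etc/resolv.conf "$TARGET/etc/"
  # Mounts needed inside the chroot, as in the Gentoo handbook.
  mount -t proc proc "$TARGET/proc"
  mount --rbind /sys "$TARGET/sys"
  mount --rbind /dev "$TARGET/dev"
  echo "ready: chroot $TARGET /bin/bash"
}

if [ "${1:-}" = "run" ]; then
  host_install
fi
```

Run it as `./host.sh run` on the live CD after the partitions exist; without the argument it only defines the functions, which keeps the destructive part behind an explicit step.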

As for the actual scripts: gitweb

How Microsoft once again demonstrates not caring about security

On June 27 Microsoft announced they would stop sending security bulletins by email. The announcement stated:

As of July 1, 2014, due to changing governmental policies concerning
the issuance of automated electronic messaging, Microsoft is
suspending the use of email notifications that announce the
following:

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

In lieu of email notifications, you can subscribe to one or more of
the RSS feeds described on the Security TechCenter website.

This change is speculated to be related to a Canadian anti-spam regulation, although the normal course of action would be to obtain explicit approval for sending these announcements. Questions have also been asked about the timing of the announcement, as the regulation was known well in advance. Whatever the reason for suspending these services, on July 3rd Microsoft reversed its course with the following message:

On June 27, 2014, we notified customers that we were suspending
Microsoft security notifications by email due to changing
Governmental policies concerning the issuance of automated
electronic messaging. We have reviewed our processes and are
resuming security notifications by email commencing with the
release of this monthly Advanced Notification Service (ANS) mailing.

Now, a prudent reader might ask why receiving emails constitutes a security-relevant matter; after all, they offer to keep sending announcements through an RSS feed. That brings us to the more interesting matter. Microsoft, rightly so, uses OpenPGP digital signatures for the notification emails, making it possible to verify the authenticity of the sender and that the message has not been altered in transit. The OpenPGP-signed email channel is the only option Microsoft provides with these capabilities, and to draw attention to this property they include the following in their own bulletins:

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security bulletins, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

So far so good; Microsoft is using OpenPGP and they are announcing their public key. Other people should do this as well.

Sadly it goes downhill from here. Despite Microsoft announcing an HTTPS website for acquiring the public key used for these announcements, upon attempting to contact this URL an HTTP 302 redirect is used with the following Location: http://technet.microsoft.com/security/dn753714 , i.e. without any protection from TLS at all. This opens up the possibility of various man-in-the-middle attacks, removing the ability to validate the provided public key.

Of course, this shouldn't normally be an issue, as OpenPGP keys rely on object security that is self-contained in the key material itself, which is why keys are normally distributed through the various keyserver networks. Before using any OpenPGP key, the key has to be validated by the participant, either directly with the owner of the key or through the Web of Trust (WoT).

If we are to trust that we have not been MITMed just now, Microsoft is linking to public key information presented as a 4096-bit RSA key for certification and signing use, with a 4096-bit subkey for encryption.

And here is the kicker: the key was created on 2014-06-03, i.e. it is a relatively new key, and it does not contain any certifications from any Microsoft employee or signatures from earlier keys used for Microsoft Security Advisories, as you would normally expect.

To add insult to injury, despite the emails containing references to the aforementioned website and key, the following Microsoft announcements on July 10 and 11 were actually signed by the key 0xF0B7406D, which is not referenced as a key used for current Microsoft announcements. This key actually does contain a small number of signatures from external users, but as with 0xA92965F2, none from any Microsoft employee. As to whether the key is authentic, your guess is still as good as mine.

So why is it so important that the key used for security announcements is signed by individual Microsoft employees, and in particular the members of the security team?

These employees are the only individuals who can reasonably make an assurance about the use of a team key. Additionally, as proper key validation procedures require ID checks and a personal assertion about key ownership, for others to get a trust path to the key in question these team members will need to have their own keys verified by other participants inside and outside the IT industry.
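The two checks the argument above rests on, as an added example (not from the post): whether the key distribution page ever leaves TLS on its redirect chain, and whether a key carries certifications from anyone other than itself and unrelated external users. The sample data is constructed, with placeholder long key ids and names, and the list of trusted certifier key ids is an assumption you fill in with the people who are in a position to vouch for the team key.

```sh
#!/bin/sh
# Added example, not from the post. The key ids and signer names in the sample
# data are constructed placeholders; the trusted certifier list is an assumption.

# 1. Does the key page stay on TLS? Feed it the headers from
#    `curl -sIL https://technet.microsoft.com/security/dn753714`; any Location
#    header pointing at http:// means the key is fetched without TLS.
http_locations() {
  grep -i -c '^Location: *http://' || :
}

# 2. Does the key carry certifications from people who can vouch for it? Feed it
#    `gpg --with-colons --list-sigs <keyid>` (e.g. 0xF0B7406D from the post).
#    In that format field 1 is the record type and field 5 the signer's long key
#    id; a sig record whose signer is the key itself is a self-signature and does
#    not count, nor does a signer outside the trusted list.
third_party_certs() {
  key="$1"; trusted="$2"
  awk -F: -v key="$key" -v trusted="$trusted" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    $1 == "sig" && $5 != key && ($5 in ok) { c++ }
    END { print c + 0 }'
}

# Constructed sample: a team key (1111...) with its self-signature, one
# certification from an unrelated external user (2222...) and one from a
# hypothetical team member (3333...). Real gpg output has more fields per record.
SAMPLE_SIGS='pub:-:4096:1:1111111111111111:1401753600:::-:::scESC:
uid:-::::1401753600::0000000000000000000000000000000000000000::Example Team Key <team@example.com>:
sig:::1:1111111111111111:1401753600::::Example Team Key <team@example.com>:13x:
sig:::1:2222222222222222:1402358400::::External User <someone@example.org>:10x:
sig:::1:3333333333333333:1402444800::::Team Member <member@example.com>:13x:'

# Constructed sample of a redirect chain that downgrades to plain HTTP.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: http://example.invalid/security/key

HTTP/1.1 200 OK
Content-Type: text/html'

demo() {
  # With 3333... trusted the key has exactly one vouching certification;
  # the external user's signature alone would give 0.
  printf '%s\n' "$SAMPLE_SIGS" | third_party_certs 1111111111111111 "3333333333333333"
  # One downgrade hop in the sample chain.
  printf '%s\n' "$SAMPLE_HEADERS" | http_locations
}
```

The point of counting only signers on an explicit list is that the WoT question is not "does the key have signatures" but "has anyone who could actually know it is Microsoft's key signed it"; a handful of signatures from strangers, as on 0xF0B7406D, scores zero here.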

Users who want Microsoft to get its act together when it comes to communication security (a broader scope is probably utopia) should send messages through channels such as Twitter (@msftsecresponse). My own posts have not been answered so far.