How to list a range of IP addresses with the Linux seq command

Ever needed to convert IP addresses that someone has written down into a list?
eg: 10.0.0.47 to 52 and 192.168.243.5 to 12

Try seq, as follows:

$seq -f "10.0.0.%g" 3 6
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6

Or for my example:

$seq -f "10.0.0.%g" 47 52 ; seq -f "192.168.243.%g" 5 12
10.0.0.47
10.0.0.48
10.0.0.49
10.0.0.50
10.0.0.51
10.0.0.52
192.168.243.5
192.168.243.6
192.168.243.7
192.168.243.8
192.168.243.9
192.168.243.10
192.168.243.11
192.168.243.12

You could then redirect the output too. Note that a bare redirect only applies to the last command on the line (the first seq would still print to the terminal), so group the commands first:

$ { seq -f "10.0.0.%g" 47 52 ; seq -f "192.168.243.%g" 5 12 ; } > ips.txt
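Wrapping the same seq call in a small function makes the "start to end" shorthand directly usable and refuses typos before they turn into a bogus target list. This is an added example, not part of the original post; the "prefix.start-end" notation and the expand_range name are my own choices, and a bare "a.b.c.X" is treated as a range of one address.

```shell
#!/bin/sh
# Expand "a.b.c.X-Y" shorthand into one address per line, using seq as above.
# Added example, not from the original post. The "prefix.start-end" notation
# is an assumption; a bare "a.b.c.X" is treated as a range of one.
expand_range() {
    prefix=${1%.*}        # 10.0.0.47-52 -> 10.0.0
    last=${1##*.}         # 10.0.0.47-52 -> 47-52
    start=${last%%-*}     # 47
    end=${last#*-}        # 52 (or the same as start when there is no dash)

    # Exactly three numeric octets before the range, nothing else.
    case "$prefix" in
        *[!0-9.]*|*.*.*.*|.*|*.|*..*) echo "bad prefix in '$1'" >&2; return 1 ;;
        *.*.*) ;;
        *) echo "bad prefix in '$1'" >&2; return 1 ;;
    esac
    # Both ends of the range must be plain integers.
    for n in "$start" "$end"; do
        case "$n" in ''|*[!0-9]*) echo "bad range in '$1'" >&2; return 1 ;; esac
    done
    # Last octet must fit and the range must not run backwards.
    if [ "$start" -gt "$end" ] || [ "$end" -gt 255 ]; then
        echo "octet out of range in '$1'" >&2; return 1
    fi
    seq -f "$prefix.%g" "$start" "$end"
}

# Usage, equivalent to the two seq commands above:
expand_range 10.0.0.47-52
expand_range 192.168.243.5-12
# or:  { expand_range 10.0.0.47-52; expand_range 192.168.243.5-12; } > ips.txt
```

The first three octets are only checked for shape, not for being below 256; the last octet, which is the one you are iterating over, is range checked because that is where a slip such as 250-300 is most likely.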

Hope this is useful.


Viewing HTTP Headers on Linux with curl

If you want to check a site's HTTP Strict Transport Security (HSTS) policy or its other security headers, you need to look at the HTTP response headers. From Linux you can use curl. curl -I sends a HEAD request; if a server answers HEAD differently from GET, use curl -sD - -o /dev/null URL to see the headers of a real GET instead, and add -L to follow redirects, since the Strict-Transport-Security header is only sent on HTTPS responses. For HTTPS sites with certificate problems curl will refuse to connect; the --insecure (-k) option skips certificate validation, but that also means you no longer know who you are talking to, so only use it when you are diagnosing a certificate issue, not when assessing a site's security.

~$curl -I https://jervis.ws/
HTTP/1.1 200 OK
Date: Tue, 26 Apr 2016 20:43:16 GMT
Server: Apache
Link: ; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
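Reading headers by eye works for one site; for more than that, a few shell functions can report which security headers are missing and pull out the HSTS max-age. This is an added example, not from the original post. The SAMPLE response below is constructed (it is not what jervis.ws returned above, which has no HSTS header at all), and the header names checked are my choice of the usual browser-security set.

```shell
#!/bin/sh
# Read raw HTTP response headers on stdin (e.g. from curl -sI) and report
# the common browser-security headers that are missing. Added example, not
# from the original post; the SAMPLE response below is constructed.

# Lower-case names and strip CRs so the checks are case-insensitive.
normalise_headers() { tr -d '\r' | tr '[:upper:]' '[:lower:]'; }

# Prints the missing header names, space separated (empty when none are missing).
missing_sec_headers() {
    hdrs=$(normalise_headers)
    missing=""
    for h in strict-transport-security content-security-policy \
             x-content-type-options x-frame-options; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || missing="$missing $h"
    done
    printf '%s\n' "${missing# }"
}

# Prints the HSTS max-age in seconds, or 0 when the header is absent
# (max-age=0 is also how a site withdraws its policy, so 0 means "no policy").
hsts_max_age() {
    v=$(normalise_headers | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
    printf '%s\n' "${v:-0}"
}

# Constructed sample response, not a real capture.
SAMPLE='HTTP/1.1 200 OK
Date: Tue, 26 Apr 2016 20:43:16 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE" | missing_sec_headers   # lists the three absent headers
printf '%s\n' "$SAMPLE" | hsts_max_age          # 31536000
# Live use:  curl -sSIL https://example.com/ | missing_sec_headers
```

With -L in the live command, the headers of every hop in a redirect chain are piped through, so a policy set only on the final HTTPS page is still found.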

Browser Separation with Integration using VirtualBox

Seamless window integration of two separate operating systems, with isolated network stacks.

Ransomware poses a real risk to everyday web surfers. There are multiple attack vectors: drive-by downloads, compromised sites and malvertising, to name just a few, are all huge areas of risk. This leads some to want separation or sandboxing of their web browser, either for some of their browsing or all of it.

The main motivation here is separation for risk reduction and security, not privacy/anonymity.

Browser security is under scrutiny and things are improving; however, with problem after problem with third-party add-ons and browser plugins, scripting issues, third-party code includes and so on, the web is full of risk areas before you even consider malvertising, compromised sites or cross-site scripting.

Moving beyond ad or script blocking

By utilising VirtualBox, you can build a (mostly) separate computer for your browser, minimising risk through separation using a Virtual Machine sandbox.

Whilst using a physically separate computer provides better security to your ‘main’ system, it is impractical in the majority of cases. Creating a Virtual Machine sandbox, with some clearly understood elements of integration between the two systems provides much better functionality and end user experience, whilst maintaining a significantly higher level of security.

Why not other approaches?

As a former user of NoScript, I became a little tired of picking through the many scripts to try and unpick what web developers were thinking in a drive to make the sites function again. I was also very aware that a quick ‘allow all on this page’ one lazy day could undo years of time-consuming script inspection. This is not the solution for the faint-hearted and not something I could recommend to many.

Ad blocking? OK, so this protects against some threats such as malvertising, however it does not address any other risk factors and therefore leaves massive areas for bad actors within the browser. We are also now in a world of ad blockers, ad block blockers and ad block blocker blockers.

Sandboxing via Sandboxie? In its default configuration this contains what the browser writes, but it does not stop the sandboxed browser reading files on your system.

Physically separate system? OK, but let’s face it, who runs a separate PC for ALL of their browsing…. not many. It gives the strongest separation, but if you do any real amount of browsing from your main PC, the virtual machine approach below is the practical way to get most of that benefit.

What do I need?

You will need to download and install VirtualBox. You will also need either a Windows Licence and media, or a copy of Linux. I have used both Windows and Ubuntu in this browser isolation technique successfully. I recommend having an ISO image of the disk for easy build and rebuild should you wish.

Configuring Virtual Box

Once you have created a basic Virtual Machine selecting either the Windows or Linux templates, you will need to make some changes. These adjust the security and functionality. Some improve security and separation, whilst others create openings between the Virtual Machine and your host computer.

Which of these changes you make is personal preference, and down to your use case and requirements. For example, whether you're worried about malware within the browser reading clipboard content on the host OS, or about file-encrypting malware reaching files on the host.

When you access web content, you are likely going to want to download files. If you're then going to need these on your ‘main’ system, you will need a seamless way to export these files. Consider setting up a share between the VM and your host system. Create a dedicated sub folder for this and share only that, to protect your other files and the rest of your host PC from anything the guest downloads. Eg: have a temporary downloads folder, accessible from both systems. Anything that lands in that folder still has to be treated as untrusted when you open it on the host.

Create Share with VM

When configuring your networking, you have several options.

NAT – The VM sits behind VirtualBox’s own NAT, so on the outside it shares your PC’s IP address; inside, it gets a private address (10.0.2.x by default) and reaches the host through the NAT gateway. Nothing on the network can connect in to the VM unless you add port forwarding, but the guest can still reach services on the host, so you will need to factor in host firewall security.
Bridged – Your host PC puts the browser VM directly on the main network (either wired or wireless depending on your configuration) with its own IP address. You will then be able to protect the two systems from each other as if they were separate network devices. Review your host’s Windows Firewall configuration so the guest is treated as just another untrusted machine. (Likely the best option)
Internal – Not appropriate, as the VM would have no route to the internet.
USB – See below, under “Looking for better network separation?”

Configure Virtual Networking

You will then need to install either Windows or Linux. eg: Ubuntu. In this case, I have installed Windows 7.

Install Windows 7

Whichever OS you install, you can install the guest tools to unlock integration including clipboard and folder sharing. Even if you do not want these features, you can switch them on and off, the tools will help ensure your guest VM behaves correctly.

Install VirtualBox Tools

Consider how you wish to interact with your browser, eg: you may wish to copy links from the host to the guest… or you may wish to copy webpage text from the guest to the host. Set this to your requirements, just remember that if the guest can read your host clipboard, then it can read your clipboard all the time. This type of risk is reduced later with read only disks and snapshot reverts.

Clipboard Settings

As per the above, configure a set sub folder to be shared with the VM if you want to seamlessly move files. However if you share too much, the guest browser VM will have access to it.

Test Folder Share

Once you have your system installed, updated and correctly configured it is best to take a snapshot. This will save the state of the system by creating a differencing image file, where any new disk writes are stored. Your live VM will behave normally but you will be able to revert to the snapshot.

Take new snapshot

Once you are up and running you will find you need to patch / update your browser and browser guest operating system. I would recommend when you need to do this, you revert the VM to a known clean snapshot, perform the updates and take a new snapshot. Once you are happy all is well you should delete any snapshots that are no longer required, as managing these will become more complex and slow performance over time.

Delete unneeded snapshots

When you want to refresh your browser, eg: clean the session, drop any malware stuff etc from the guest OS, then revert to a known clean snapshot. You may choose to do this daily, and/or after visiting untrusted content etc etc.

Revert to or restore snapshot as needed

Investigate the display modes to play with seamless window integration.


Looking for better network separation?

If you would like even clearer network separation, then consider this. VirtualBox loads a USB driver into your host OS and can claim a USB device for the guest. So remove all the network cards from the VM, so the system does not share the host’s network adaptor at all. Then connect a USB Ethernet adaptor to the PC and create a USB filter that captures it for the VM. While the VM holds the adaptor the host OS does not drive it, so the guest’s traffic never passes through the host’s network stack (it does still pass through the host’s USB stack).
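The clipboard, shared folder, networking, USB filter and snapshot steps above can all be applied from the command line, which makes a rebuild repeatable. The following is an added example, not from the original post: it assumes VirtualBox 6.x option names for VBoxManage, a VM that already exists, and uses a DRY_RUN switch of my own so the commands can be printed and checked before anything is changed.

```shell
#!/bin/sh
# Apply the separation settings above to an existing VM with VBoxManage.
# Added example, not from the original post. Assumes VirtualBox 6.x option
# names; DRY_RUN=1 prints the commands instead of running them.

vbm() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'VBoxManage %s\n' "$*"; else VBoxManage "$@"; fi
}

# $1 = VM name, $2 = host interface to bridge to, or "none" for the USB
# adaptor approach, $3 = the single host folder the guest may see.
configure_browser_vm() {
    vm=$1; nic=$2; share=$3
    # Links can be pasted into the guest, but the guest cannot read what
    # you copy on the host. Drag and drop stays off.
    vbm modifyvm "$vm" --clipboard-mode hosttoguest --draganddrop disabled
    # One dedicated downloads folder, and nothing else from the host.
    vbm sharedfolder add "$vm" --name downloads --hostpath "$share" --automount
    if [ "$nic" = none ]; then
        # No virtual NIC: networking only arrives via a passed-through USB adaptor.
        vbm modifyvm "$vm" --nic1 none --usbohci on
    else
        vbm modifyvm "$vm" --nic1 bridged --bridgeadapter1 "$nic"
    fi
}

# Capture a USB Ethernet adaptor for the VM. Get the ids from: VBoxManage list usbhost
# $1 = VM name, $2 = vendor id, $3 = product id (both four hex digits)
attach_usb_nic() {
    vbm usbfilter add 0 --target "$1" --name usb-nic --vendorid "$2" --productid "$3"
}

# Snapshot workflow: baseline once, revert before patching, re-baseline after.
take_baseline()   { vbm snapshot "$1" take "$2"; }
revert_baseline() { vbm snapshot "$1" restore "$2"; }

# Example run (dry): a bridged VM that sees only ~/vm-downloads on the host.
DRY_RUN=1 configure_browser_vm BrowserVM eth0 "$HOME/vm-downloads"
DRY_RUN=1 take_baseline BrowserVM clean
```

Run the same calls without DRY_RUN, with the VM powered off, to apply them; sharedfolder add and modifyvm refuse to change a running VM.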

USB Ethernet

Immutable images vs Snapshots

My original option was to use the VirtualBox immutable image setting for the main guest drive, and then the differencing file would be automatically thrown away when the system went through a full power off and power on cycle. (All changes are lost when the virtual machine is powered on the next time, as this is when the temporary differencing file is removed.) I noticed issues however where this was not removing the differencing files correctly and I was ending up with several, or I would revert the image to ‘normal’ mode to install updates, and these updates would go into a differencing image. I therefore recommend snapshots at this time, which also helps keep this straightforward, as you will need to be used to reverting and creating a new snapshot for the patch/update process.

Thoughts?

Would like to hear your thoughts and ideas, please comment below.


VeraCrypt takes a minute to pre-boot authenticate

VeraCrypt is free disk encryption software, based on TrueCrypt 7.1a.

If you are suffering slow boot-up with VeraCrypt, your password takes ages to be accepted, or pre-boot authentication is slow, then read on…

When I first tested VeraCrypt with Windows 10, I had problems with it taking around a minute to process the password in the pre-boot environment. After a couple of boots, I wondered if this was really a workable option at this time.

I then found this was due to the “Personal Iterations Multiplier”, PIM. It is a parameter introduced in VeraCrypt 1.12 whose value controls the number of iterations used by the header key derivation function.

As shown in the screenshots, it is possible to set this value as you wish; some quick tests showed that setting the value to 1 made the password check take less than a second. Bear in mind that the PIM directly sets how much work an attacker must do per password guess: fewer iterations means faster boot but also faster offline brute force, so a low PIM needs a correspondingly longer password. VeraCrypt enforces this for system encryption, where a PIM below 98 requires a password of at least 20 characters. Therefore, I recommend reviewing the documentation and then selecting a value that balances boot time against password strength if you are suffering from this problem.

https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20%28PIM%29

VeraCrypt PIM 1


letsencrypt quick setup – Ubuntu and Apache

Note to self following a quick setup on a development box….

Setup:

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto --apache -d example.com -d www.example.com --email admin@example.com --agree-tos

To renew:

/opt/letsencrypt/letsencrypt-auto renew

Quick cron hack for renewals. Note that run-parts, which executes the scripts in /etc/cron.daily, skips any file whose name contains a dot, so a script called letsencrypt-cron.sh would silently never run; the file also needs a shebang line:

printf '#!/bin/sh\n/opt/letsencrypt/letsencrypt-auto renew --quiet\n' > /etc/cron.daily/letsencrypt-renew
chmod +x /etc/cron.daily/letsencrypt-renew

Test with (the second command lists what run-parts would actually execute, without running it):

/etc/cron.daily/letsencrypt-renew
run-parts --test /etc/cron.daily

Thanks to Adam for the head start: https://www.adamcouch.co.uk/2016/02/20/lets-encrypt/
More here: https://letsencrypt.org/
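A cron entry that never fires looks exactly like one that does until the certificate expires, so it is worth checking the certificate on disk rather than trusting the job. The following is an added example, not from the original post or the Let's Encrypt client: it assumes GNU date (Linux) and openssl on the PATH, and the /etc/letsencrypt/live path is the client's usual location, used here only in a comment.

```shell
#!/bin/sh
# Report how many days a certificate has left, e.g. from a second cron job
# that warns when the renewal job has stopped working. Added example, not
# from the original post. Assumes GNU date (Linux) and openssl on PATH.

# Days from now until the "notAfter" string openssl prints, e.g.
# "Jan  1 00:00:00 2099 GMT". Negative means the certificate has expired.
days_until() {
    end=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# $1 = PEM certificate, e.g. /etc/letsencrypt/live/example.com/fullchain.pem
cert_days_left() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    days_until "$notafter"
}

# Exit non-zero (so cron mails you) if fewer than $2 days remain.
# Let's Encrypt certificates last 90 days and renew at 30, so anything
# under 14 means renewal has not happened for a fortnight of attempts.
warn_if_expiring() {
    left=$(cert_days_left "$1")
    if [ "$left" -lt "${2:-14}" ]; then
        printf '%s expires in %s days\n' "$1" "$left" >&2
        return 1
    fi
}

# Usage:  warn_if_expiring /etc/letsencrypt/live/example.com/fullchain.pem 14
days_until "Jan  1 00:00:00 2099 GMT"   # a large positive number of days
```

Point warn_if_expiring at fullchain.pem rather than the private key; openssl x509 only needs the public certificate, so the job can run as an unprivileged user with read access to that file alone.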


Windows Media Creation Tools

Note to self, and to you…  🙂 Some quick links to:

Microsoft Windows Media Creation Tools

Windows 7 (Media Download) – https://www.microsoft.com/en-gb/software-download/windows7
Windows 8.1 – http://go.microsoft.com/fwlink/p/?LinkId=510815
Windows 10 – http://go.microsoft.com/fwlink/?LinkId=691209

Windows USB/DVD Download tool
The Windows USB/DVD Download tool allows you to create a copy of your Windows 7/8 ISO file on a USB flash drive or a DVD. To create a bootable DVD or USB flash drive, download the ISO file and then run the Windows 7 USB/DVD Download tool. Once this is done, you can install Windows 7 or Windows 8 directly from the USB flash drive or DVD.

https://www.microsoft.com/en-us/download/windows-usb-dvd-download-tool
http://wudt.codeplex.com/

Windows 7 – Updating Windows Update
For those looking to do an in place upgrade from a new Windows 7 system to Windows 10, you may need to update windows update. See this page.


Implementing Security Zones with Home Routers for the IoT early years

With the inevitable increase of internet connected devices, mainly due to the surge in Internet of Things (IoT) products, the number of vulnerable (or potentially vulnerable) devices is ever increasing. Today we have everything from internet connected thermostats and door bells to toy dolls and cars.

Security zones with home NAT/Firewall routers

NOTE: All references to router(s) in this article refer to a home / consumer grade NAT/Firewall router designed to be placed on a home internet feed, therefore it will have a stateful packet inspection firewall, it does not just route traffic. 

If you’re worried about the security implications of next generation devices within your network, then implementing security zones within your small (most likely home) network could be a route forward. I first stumbled across this technique 3 years ago when it had been implemented within a small business in an attempt to create additional access points to improve WiFi coverage. They were running into connectivity issues between systems, inadvertently caused by the zones they had accidentally created. However, if implemented carefully, and tested to ensure it is functioning as expected, it may prove a useful tool.

In this example, there are three home / consumer routers that have been connected together to provide differing security levels. As a photo does not clearly describe the number of networks created and their relationships, this is drawn out in logical form.

You should remember that this post makes some assumptions around the default behaviour of your routers, and you should complete some tests to ensure the separation is as expected.

This same setup could also be created with fewer or more routers, to suit your requirements (most likely two routers). Also remember that different routers have different feature sets and therefore may provide more or fewer networks per router than covered here. It is worth noting that whilst this is a low-cost and practical solution for the home network with security-aware users or specific segmentation requirements, it is not a large enterprise solution.

This logical view shows the networks created by the 3 router configuration, this allows you to see the inter-network connectivity in a two router configuration, eg: RED and GREEN, but also in larger 3+ router designs.

Implementing Security Zones with Home Routers

The RED network is formed by the LAN behind the initial router connected to the internet feed. This is the lowest security zone in the design other than the internet zone itself, and its resources are subject to access from higher security zones.

The GREEN and YELLOW networks sit at the same security level as each other. Each is behind its own router whose WAN port is on the RED LAN, and that router’s NAT/firewall drops unsolicited inbound connections from its WAN side, so neither can reach the other. They are both able to access the RED network, and the Internet zone.

Within each coloured area, there are several networks created, these are:

  • WIRED – The Ethernet sockets on the router, or any cabled devices connected to them.
  • WIFI – The internal wireless network offered by the router.
  • GUEST – The optional guest wireless network feature available on some routers.
  • Others? Yes, there could be more, consider a router with additional wireless networks available to configure, or a DMZ network socket for example. You would need to review how these work on the model of router you have, and maybe draw your own basic logical diagram.

Same router – network security zones

Access between WIRED and WIFI networks on the same router is normally allowed and unrestricted. Some routers provide ‘Wireless isolation’ which is designed to block inter-device access on the same wireless network. In some cases this blocks access to wired devices and all other wireless devices; in others access to wired devices is ALLOWED however access to other wireless devices is blocked. If you wish to utilise wireless isolation on a wireless network, check the manufacturer’s manual and perform some tests to ensure you’re familiar with the implementation.

Access between the GUEST wireless network and the WIRED and WIFI networks should be blocked by the router, however remember that in the case of the GREEN and YELLOW GUEST networks, they are likely to be able to access the RED WIRED and WIFI networks.

More detail on zones

Detail on zone boundaries

Deploying devices into a 2 router design

When deploying devices into this design, you will need to consider what they need access to, what needs access to them and also what access you want to ensure is blocked. This will help you select an appropriate network zone, so let’s consider some example devices and zones:

  • Trusted Laptops GREEN WIFI
  • Printer RED WIRED
  • Wired PVR / Hard disk Recorder RED WIRED
  • Wireless TV GREEN WIFI
  • Tablets GREEN WIFI
  • Phones GREEN WIFI
  • Visitor/Guests RED GUEST
  • Thermostat GREEN GUEST
  • Door Bell GREEN GUEST

As we want no access to our trusted laptops from guests or untrusted devices, we will connect the trusted laptops to the GREEN WIFI network. It’s likely phones and tablets may fall into the same zone, so they will here. But if you want to block their access to internal network resources, eg a NAS, then consider connecting them to a different zone, eg: GREEN GUEST.

We want to connect our IoT devices, they require no access to our computers, just to the internet. Therefore we will connect these to the GREEN GUEST network, with isolation enabled.

In order to cater for our visitors/guests, we would like them to connect to a network that is also isolated, but if we provide them with the same passphrase as our IoT devices (GREEN GUEST), it will become harder to change. Therefore we will give them access to the RED GUEST wireless network. This will separate the untrusted devices across two guest networks, the ‘owned’ IoT devices onto the GREEN GUEST and visitors on to the RED GUEST, neither should be able to access the other. We can now enable wireless isolation to protect every guest from every other guest, and every IoT device from every other IoT device.

Should we want devices that we can make connections to, but that cannot connect to internal GREEN WIFI devices, then these can be connected to the RED WIRED or WIFI network. Access will be allowed outbound through the green router for GREEN WIRED and WIFI devices into the RED network, but access from a RED device to a GREEN device would be blocked by default. Placing the PVR and Printer into the RED WIFI or WIRED zones allows green devices to connect to view recordings or print files, but does not allow compromised printer or PVR firmware access to the internal GREEN network by default.
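The zone placement above only holds if the routers really do block what you expect, and the post is right that you should test it rather than assume. The following is an added example, not from the original post: a small script run from a device in one zone that probes a list of targets and compares the result with what the design says should happen. The addresses in the sample matrix are assumptions about a RED LAN of 192.168.1.0/24 and a GREEN LAN of 192.168.2.0/24 (your routers will hand out their own ranges), and nc (netcat) is assumed to be installed.

```shell
#!/bin/sh
# Check zone boundaries from the host you run this on: each matrix row is
# "<target ip> <tcp port> <allow|block>", and every row whose real result
# differs from the expectation is reported. Added example, not from the
# original post; the addresses in SAMPLE_MATRIX are assumptions about the
# RED/GREEN layout, and nc (netcat) is assumed to be installed.

# Succeeds when a TCP connection to $1:$2 can be opened within 2 seconds.
tcp_probe() { nc -z -w 2 "$1" "$2" >/dev/null 2>&1; }

# $1 = matrix file. PROBE can name another probe function (used by tests).
# Prints one line per row; the return value is the number of mismatches
# (capped by the shell at 255, plenty for a home network).
check_zones() {
    fails=0
    while read -r ip port expect; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if "${PROBE:-tcp_probe}" "$ip" "$port"; then got=allow; else got=block; fi
        if [ "$got" = "$expect" ]; then status=OK; else status=FAIL; fails=$((fails + 1)); fi
        printf '%-4s %s:%s expected %s, got %s\n' "$status" "$ip" "$port" "$expect" "$got"
    done < "$1"
    return "$fails"
}

# Constructed matrix for a laptop on GREEN WIFI (192.168.2.0/24) behind a
# RED LAN of 192.168.1.0/24: the RED printer and PVR must be reachable,
# another GREEN device must be reachable, and nothing on the guest
# networks (assumed 192.168.3.0/24 here) may be.
SAMPLE_MATRIX='# ip            port  expect
192.168.1.10    9100  allow
192.168.1.11    8080  allow
192.168.2.20    445   allow
192.168.3.5     80    block
192.168.3.6     22    block'

# Run the live check with:  sh zones.sh --live
if [ "${1:-}" = --live ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE_MATRIX" > "$f"
    check_zones "$f"; rc=$?; rm -f "$f"; exit "$rc"
fi
```

Run it from each zone in turn with a matrix written for that zone; a "block" row that comes back "allow" is exactly the kind of surprise the post describes the small business running into, only found before anything depends on it. A closed port on a reachable host also reads as "block", so probe a port you know the target listens on.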

Adding a 3rd router (YELLOW) into the design would create additional networks if required.

Closing thoughts

You should note that this is only as secure as the router firmware and its configuration. In most situations, you will be able to add rules that bypass the security covered here, and some features do so automatically: UPnP on the GREEN or YELLOW router lets any device on that LAN open an inbound port through it from the RED side, so disable UPnP on the inner routers unless you specifically need it, and a ‘DMZ host’ setting forwards all unsolicited inbound traffic to one device and should stay off.

In summary, chaining or stacking home/consumer routers can provide an interesting array of networks with differing security characteristics, which can be used to build interesting home networks. It is also a great way to learn about how some of these security features work and interact.

In a future post I will be exploring this network segmentation / zoning using a different approach.  Stay tuned.
