Mar
11
2009
To enable the fingerprint reader on a Dell XPS M1530 in Ubuntu 8.10, follow these steps:
With the package from the normal Ubuntu 8.10 repositories, you have to press Enter after swiping your finger (this bug: https://bugs.launchpad.net/ubuntu/+source/thinkfinger/+bug/256429). Jon Oberheide therefore made an update that can be found here: https://launchpad.net/~jon-oberheide/+archive
Add the PPA repositories to your sources.list (/etc/apt/sources.list):
deb http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main
deb-src http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main
Update the package lists:
$ sudo apt-get update
And install:
$ sudo apt-get install thinkfinger-tools
Now the driver is installed and should be working. You can try it with
tf-tool --acquire
tf-tool --verify
This will ask you to swipe your finger three times and save the fingerprint to ~/.thinkfinger.bir
Now we need to configure PAM to use the fingerprint reader to authenticate.
Open /etc/pam.d/common-auth in an editor as root:
sudoedit /etc/pam.d/common-auth
On Ubuntu 8.10 - Intrepid Ibex you should just edit the section of the file that contains the pam_unix.so line so it looks like this:
....
# here are the per-package modules (the "Primary" block)
auth sufficient pam_thinkfinger.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
# here's the fallback if no module succeeds
....
Save the file and reboot. You should now see the option to “Swipe your finger” at login and when issuing sudo commands.
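How the edited stack behaves, as an added example that is not from the original post: a simplified Python model of PAM's control flags, run over the two lines above plus the pam_deny.so / pam_permit.so fallback that is assumed to follow in a stock common-auth (the post elides it). It shows that `sufficient` makes the fingerprint an alternative to the password rather than a second factor; the `required` variant appears only for contrast.

```python
# Added illustration: a simplified model of how libpam walks an "auth" stack.
# The first two rules are the lines from the post; the pam_deny.so/pam_permit.so
# fallback is ASSUMED (stock Ubuntu layout), since the post elides it.
COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth sufficient pam_thinkfinger.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so
"""

FIXED = {"pam_deny.so": False, "pam_permit.so": True}  # always fail / always pass


def parse_stack(text):
    """Return [(control, module)] for each non-comment rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rest = line.split(None, 1)[1]          # drop the "auth" type column
        if rest.startswith("["):               # [value=action ...] control
            control, tail = rest.split("]", 1)
            control += "]"
        else:                                  # keyword control
            control, tail = rest.split(None, 1)
        rules.append((control, tail.split()[0]))
    return rules


def authenticate(stack, finger_ok, password_ok):
    """Return (granted, modules_invoked) for one login attempt."""
    outcome = dict(FIXED)
    outcome.update({"pam_thinkfinger.so": finger_ok, "pam_unix.so": password_ok})
    state, skip, invoked = None, 0, []   # state: None undecided, True ok, False failed
    for control, module in stack:
        if skip:                         # jumped over by an earlier success=N
            skip -= 1
            continue
        ok = outcome[module]
        invoked.append(module)
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            action = (actions.get("success") if ok else None) \
                or actions.get("default", "ignore")
        else:                            # keywords expand to these actions
            action = {"sufficient": "done" if ok else "ignore",
                      "requisite": "ok" if ok else "die",
                      "required": "ok" if ok else "bad"}[control]
        if action == "die":              # fail and stop immediately
            return False, invoked
        if action == "bad":              # remember failure, keep going
            state = False
        elif action == "done" and state is not False:
            return True, invoked         # success ends the stack right here
        elif action == "ok" or action.isdigit():
            if action.isdigit():
                skip = int(action)       # success=N: jump over the next N rules
            if state is None:
                state = True
    return state is True, invoked


if __name__ == "__main__":
    as_posted = parse_stack(COMMON_AUTH)
    both_needed = parse_stack(COMMON_AUTH.replace("sufficient", "required"))
    for name, stack in (("sufficient", as_posted), ("required", both_needed)):
        for finger in (True, False):
            for password in (True, False):
                granted, invoked = authenticate(stack, finger, password)
                print(name, "finger=%s password=%s ->" % (finger, password),
                      "granted" if granted else "denied", invoked)
```

With the stack as posted, a successful swipe ends authentication before pam_unix.so is consulted, so the fingerprint alone authorizes sudo as well as login.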
Oct
02
2008
Security and encryption are becoming ever more important in today’s computer networks, be it SSL-secured web sites, encryption of data or mail, or secure logon, to mention just a few. But security is expensive, right? Not anymore….
StartCom, the vendor and distributor of StartCom Linux Operating Systems, also operates MediaHost™, a hosting company, which offered its clients, SSL secured web sites with certificates signed by StartCom for many years. That’s where the idea originated: Free SSL certificates!
StartCom Free SSL Certification Authority - Home.
Aug
06
2008
This article from InformationWeek shows why you should avoid cordless phones for sensitive conversations.
Passive radio eavesdropping is a low-budget, relatively safe way for potential attackers to scout out targets. Anyone in your organization using a wireless headset or cordless phone is potentially broadcasting sensitive material.
Tech Tracker: Can Passive Radio Eavesdroppers Listen In On Your Company? — Wireless.
Jul
04
2008
Here is a great little gnome panel applet for organizing all your ssh sessions.
Ubuntu — Details of package sshmenu-gnome in hardy
sshmenu-gnome puts all your most frequently used SSH connections on a menu in your GNOME panel. Click on a host name to open a new gnome-terminal window with an ssh connection to the selected host. Set up options for port forwarding, etc. using the preferences dialog.
Here is a nice site that will give you an overview of sshmenu.
Mar
04
2008
This is a How-To for setting up a Hamachi virtual private network on Ubuntu 7.10 (Gutsy).
Hamachi is a zero-config VPN client for Windows and Linux (currently Beta for Mac). It allows you to very easily create a virtual private network that can be logged into and accessed from all over the net. It does this by creating IP tunnels to each VPN client, making them directly accessible to all the other clients on the VPN. Hamachi also encrypts the connections it creates to allow for secure access.
Nov
30
2007
A while back I documented how to set up OpenVPN on Windows. I recently found another way that is easier to do. Choose your poison.
The OpenVPN web site is here:
http://www.openvpn.org
and the Windows 2000/XP GUI can be found here.
http://openvpn.se/
If you are talking Windows, you can use the GUI, and a lot is done for you:
- Download and install it.
- It will set up a new ‘Network Connection’; go there in the control panel, find it (the description of it will be something like ‘TAP-Win32 Adapter V8’). Rename it to something obvious, like ‘VPN-1’ instead of the default generic name.
- Go to the OpenVPN menu item under programs and choose ‘Generate new OpenVPN static key’. It will do this and put it in the ‘config’ directory (c:\Program Files\OpenVPN\config\key.txt).
- Choose ‘OpenVPN configuration file directory’. You’ll get a folder with ‘key.txt’ and (I think) a readme file.
- If you are setting up the SERVER, create a text file called ‘server.ovpn’ and put something like the following into it:
#
# server config for web2 server
#
dev tun
dev-node VPN-1
proto udp
ifconfig 192.168.3.1 192.168.3.2
secret key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 4
- If you are setting up a CLIENT, copy the key.txt file to the …OpenVPN/config directory on that machine and create another text file, called ‘client.ovpn’, with the following complementary setup:
#
# client config for web2 server
#
dev tun
dev-node VPN-1
proto udp
remote <ip address of server>
ifconfig 192.168.3.2 192.168.3.1
secret key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 4
As long as your ‘server’ is at a static IP address (or if you use a DynDNS account) and your firewalls (if any) will pass UDP port 1194 to that machine, you are all ready to go; you can open the link from the server end by right-clicking on the OpenVPN GUI icon in the system tray and choosing the ‘server’ configuration and ‘Connect’. Then do the same thing with the client machine, with the ‘client’ configuration file. The first time you use this on an XP SP2 machine, Windows Firewall will pop up and ask you if it’s okay to let OpenVPN do its thing. The general idea is the same for other firewall software/hardware, though the details differ.
Test this in a LAN environment where you know the IP address of the two machines in question and have control over the firewall issues. Also, the docs on both sites above are excellent, as well as the stuff that comes with the OpenVPN package.
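A check for the "complementary setup" described above, as an added example that is not from the original post: it parses the two files and reports the directives that must agree or mirror each other but do not. The function names are assumptions, and 203.0.113.10 is a constructed placeholder for <ip address of server>.

```python
# Added illustration: consistency check for the static-key server/client pair.
# SERVER_OVPN / CLIENT_OVPN repeat the post's two files; 203.0.113.10 is a
# constructed placeholder standing in for "<ip address of server>".
SERVER_OVPN = """\
# server config for web2 server
dev tun
dev-node VPN-1
proto udp
ifconfig 192.168.3.1 192.168.3.2
secret key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 4
"""
CLIENT_OVPN = """\
# client config for web2 server
dev tun
dev-node VPN-1
proto udp
remote 203.0.113.10
ifconfig 192.168.3.2 192.168.3.1
secret key.txt
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 4
"""

DEFAULTS = {"proto": ["udp"]}   # OpenVPN uses UDP when proto is omitted


def parse_ovpn(text):
    """Map each directive to its argument list, ignoring # and ; comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def check_pair(server, client):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    s_if, c_if = server.get("ifconfig", []), client.get("ifconfig", [])
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append("ifconfig: both sides need '<local> <remote>'")
    elif s_if != c_if[::-1]:     # client's local must be server's remote
        problems.append("ifconfig: client %s does not mirror server %s"
                        % (" ".join(c_if), " ".join(s_if)))
    for name in ("dev", "proto"):
        if server.get(name, DEFAULTS.get(name)) != client.get(name, DEFAULTS.get(name)):
            problems.append("%s: differs between server and client" % name)
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo: enabled on one side only")
    for side, opts in (("server", server), ("client", client)):
        if not opts.get("secret"):   # the shared key file is what protects the tunnel
            problems.append("%s: no 'secret <keyfile>' directive" % side)
    if not client.get("remote"):
        problems.append("client: no 'remote <server address>' directive")
    return problems


if __name__ == "__main__":
    issues = check_pair(parse_ovpn(SERVER_OVPN), parse_ovpn(CLIENT_OVPN))
    print("consistent" if not issues else "\n".join(issues))
```

The check only confirms that both files name a key file; the key.txt contents must be identical on both machines, which it does not compare.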
To route all your internet traffic (from e-mail and from my web browser) through that home machine when connecting to the internet from a wifi hot spot location, just add the ‘push "redirect-gateway def1"’ option to the OpenVPN server configuration and set it (the server) to use the BRIDGING mode.
Oct
27
2007
Use the ‘shred’ command to securely delete files from the command line like this:
shred -z -u filename
Here is an easy way to securely delete files and folders from within the Ubuntu Nautilus file manager. You first need to download and install two packages; wipe and nautilus-actions like this from a terminal prompt:
sudo apt-get install wipe nautilus-actions
- Now copy and paste the schema text below into a text file on your desktop.
- Click on the new preferences menu “/System/Preferences/Nautilus Actions configuration”.
- Click the Import/Export button.
- Import the schema file you just created.
- Log off and back on.
You should now have a “Wipe Selected” option when you right click on a file, folder, or selected files/folders in the Nautilus file manager. Be careful since files that are wiped are not recoverable in any way.
Oct
16
2007
Seahorse is a good front-end to GPG that’s integrated into Gedit through a plugin enabling you to create GPG-signed messages directly within Gedit. Seahorse is also integrated into Nautilus, which means you can encrypt, decrypt or sign files by right-clicking on them and entering your passphrase. There is also a Gnome Panel launcher that makes it easy to encrypt, decrypt, and sign the clipboard.
To install it on Ubuntu Linux type the following at the command line (or use synaptic package manager):
sudo apt-get install seahorse
Jun
01
2007
Here is a Live CD based on kubuntu designed to do digital forensics.
deft Linux - digital evidence & forensic toolkit - About deft
DEFT (acronym of “Digital Evidence & Forensic Toolkit”) is a customized distribution of the Kubuntu live Linux CD.
It is a very easy to use system that includes an excellent hardware detection and the best open source applications dedicated to incident response and computer forensics.
Deft is meant to be used by:
* police
* investigators
* system administrator
* individuals
and all the people who need to use forensic tool but don’t know the open source operative systems and the Forensic techniques.
Jun
01
2007
This site has a good write-up on how to do digital forensics on a hard drive using Ubuntu.
Digital Forensics « The Ubuntu Guru
Sleuthkit is a bunch of command line tools for data forensics, and autopsy gives a nice graphical interface that runs through a web browser. Using autopsy I was able to easily search through all my old files.
All I had to do was enter the file type or keyword and all the relevant files would be listed. Even deleted files could be listed at the click of a button, and searched through by keyword or file type. (Using a tool like this only demonstrates further how important it is for a drive to be wiped with random data several times before being given away or disposed.)
Jun
01
2007
Oh boy. This will tell you things about your Internet activity from the first day you started browsing the Internet. Can you handle the truth?
Foundstone, a division of McAfee, Inc.
Many computer crime investigations require the reconstruction of a subject’s internet activity. Since this analysis technique is executed regularly, we researched the structure of the data found in Internet Explorer activity files (index.dat files). Pasco, the latin word meaning “browse”, was developed to examine the contents of Internet Explorer’s cache files. Pasco will parse the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
Aug
09
2006
This is Part 1 in a series of HOWTOs that will cover setting up a client-server VPN to connect several remote endpoints together onto a common private network. They will cover the setup of a FreeBSD Server (with dual NICS acting as a router), a FreeBSD client endpoint (with dual NICS acting as a router) for a remote office, an Ubuntu Linux laptop, and a Windows laptop. The VPN will tunnel a private LAN over a “hostile” network, and will allow remote users on the Internet to connect to the private LAN.
Aug
09
2006
This is Part 2 in a series of HOWTOs that will cover setting up a client-server VPN to connect several remote endpoints together onto a common private network. They will cover the setup of a FreeBSD Server (with dual NICS acting as a router), a FreeBSD client endpoint (with dual NICS acting as a router) for a remote office, an Ubuntu Linux laptop, and a Windows laptop. The VPN will tunnel a private LAN over a “hostile” network, and will allow remote users on the Internet to connect to the private LAN.
Aug
09
2006
This is Part 3 in a series of HOWTOs that will cover setting up a client-server VPN to connect several remote endpoints together onto a common private network. They will cover the setup of a FreeBSD Server (with dual NICS acting as a router), a FreeBSD client endpoint (with dual NICS acting as a router) for a remote office, an Ubuntu Linux laptop, and a Windows laptop. The VPN will tunnel a private LAN over a “hostile” network, and will allow remote users on the Internet to connect to the private LAN.
Aug
09
2006
This is Part 4 in a series of HOWTOs that will cover setting up a client-server VPN to connect several remote endpoints together onto a common private network. They will cover the setup of a FreeBSD Server (with dual NICS acting as a router), a FreeBSD client endpoint (with dual NICS acting as a router) for a remote office, an Ubuntu Linux laptop, and a Windows laptop. The VPN will tunnel a private LAN over a “hostile” network, and will allow remote users on the Internet to connect to the private LAN.
Jun
12
2006
Here is an excellent primer on getting started with OpenVPN.
Linux Magazine
OpenVPN (http://openvpn.net/) is a fast, open, free, and scalable SSL/TLS-based virtual private network (VPN) solution. OpenVPN can route, bridge, and scale to hundreds of clients, tunnel over a single port (UDP or TCP, even through HTTP and SOCKS5 proxies), traverse NAT with ease, use static or public key-based encryption, and authenticate via PAM or any other scriptable authentication mechanism. Best of all, OpenVPN is incredibly simple to configure, and it runs in most common operating systems, including *BSD (FreeBSD, NetBSD, and OpenBSD), Linux, Mac OS X, Solaris, and yes, even Windows.
Apr
23
2006
This is one way to do it with a Windows box. Stay tuned for a “how to” for FreeBSD.
It’s A Tech World » How to configure OpenVPN
OpenVPN is a tried and true VPN solution. You can install and run this software without needing any help or connections from a third party. It is totally secure and infinitely configurable. The fact that it’s open source and free really makes it stand out though.
Mar
24
2006
Computer Networking Help - Advice From Experts - Configuring a free VPN solution in your home:
Microsoft has built in the ability to act as a VPN termination point right into Windows XP. Microsoft XP allows one connection to come in over the configured VPN via the PPTP protocol, using MPPE 128-bit encryption and Microsoft CHAP v2 authentication. It’s fairly easy to configure and can run on your existing LAN connection of your home computer. Below I will walk you through the steps of configuring the VPN server, allowing the protocol to pass through your Linksys router and finally how to configure your client to connect to the VPN.
Mar
21
2006
The Perfect Linux Firewall Part I — IPCop
This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic.
Mar
17
2006
Zfone
Quoting Phil Zimmermann -
14 Mar 2006 - I’ve just released Zfone, a new product that takes a new approach to make a secure telephone for the Internet.
I think it’s better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another Zfone client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.
Nov
29
2005
SSL-Explorer: The World’s First Browser-Based, Open Source SSL VPN
“SSL-Explorer is the world’s first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.”
Nov
01
2005
Sony installing rootkits? This has gone too far.
Mark’s Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far
“At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.
When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.”
Sep
19
2005
If you have an old computer lying around, and have a couple of NIC cards, then this makes an excellent cheap firewall.
SmoothWall
“SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Linux is the ideal choice for security systems; it is well proven, secure, highly configurable and freely available as open source code. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use.”
Sep
11
2005
The Six Dumbest Ideas in Computer Security
“These dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.”
Jul
16
2005
Whitedust: Recent SSH Brute-Force Attacks
“Recently there has been a surge of these attack attempts noticed by server administrators. This paper will attempt to briefly discuss these attacks, how they work, where they come from and most importantly, possible ways to stop them. This article is targeted towards the novice and intermediate.”
Jul
11
2005
Security Guide for Windows - Random Password Generator
“The WinGuides.com Password Generator allows you to create random passwords that are highly secure and extremely difficult to crack or guess due to an optional combination of lower and upper case letters, numbers and punctuation symbols.”
Jun
15
2005
The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available
“The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for computers that are running Microsoft Windows XP with Service Pack 2 (SP2) is available. This update enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access. These locations are otherwise known as “Wi-Fi hotspots.””
May
10
2005
htaccess - Security for webmasters
“A .htaccess file is a file that lets you do a whole lot of security tricks:”
Apr
13
2005
WinSCP public key authentication
“The following steps detail how to use public key authentication with WinSCP on an OpenSSH server.
1. Download and install WinSCP. Choose the installation package to include public key tools PuTTYgen and Pageant.
2. Run PuTTYgen (Start/Programs/WinSCP3/Key tools/PuTTYgen).
3. Click on the SSH2 RSA (or SSH2 DSA; do not use SSH protocol 1 if possible) radio button under Type of key to generate:.
4. Click Generate.
5. Copy-and-paste the public key in Public key for pasting into OpenSSH authorized_keys2 file: into the ~UNIX_ID/.ssh/authorized_keys file on the OpenSSH server.
6. Enter and confirm a Key passphrase: and click Save private key.
7. Start WinSCP3. Under Session, enter the Host name, User name, and Private key file and click Login. You will be prompted for your private key passphrase, unless you have already added your private key to the Pageant ssh agent.“
Apr
12
2005
Offline NT Password & Registry Editor
“# This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.
# You do not need to know the old password to set a new one.
# It works offline, that is, you have to shutdown your computer and boot off a floppydisk or CD. The bootdisk includes stuff to access NTFS and FAT/FAT32 partitions and scripts to glue the whole thing together.
# Will detect and offer to unlock locked or disabled out user accounts!
# It is also an almost fully functional registry editor!“
Apr
04
2005
This script appeared on one of the mailing lists. It shows you how to setup a script to automatically send an email to the offending ISP when an SSH attack happens.
Mar
30
2005
I’ve got a script that allows a person to try accessing my server three times. If after three times they are still failing, they automatically get added to the hosts.allow file.
Feb
24
2005
Sysinternals Freeware - Utilities for Windows NT and Windows 2000 - RootkitRevealer
“RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.”
Jan
26
2005
SC Magazine
“Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.“
Jan
17
2005
Encrypting Shell Scripts - The Community’s Center for Security
Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure?
Jan
10
2005
Guarddog
Guarddog is a firewall configuration utility for Linux systems. Guarddog is aimed at two groups of users. Novice to intermediate users who are not experts in TCP/IP networking and security, and those users who don’t want the hassle of dealing with cryptic shell scripts and ipchains/iptables parameters.
Jan
10
2005
Securing your workstation with Firestarter - The Community’s Center for Security
Firestarter is a GPL-licensed graphical firewall configuration program for iptables, the powerful firewall included in Linux kernels 2.4 and 2.6. Firestarter supports network address translation for sharing an Internet connection among multiple computers, and port forwarding for redirecting traffic to an internal workstation. Firestarter’s clean and easy to use graphical user interface takes the time out of setting up a custom firewall.
Dec
28
2004
By Barry O’Donovan
Secure Communication with Stunnel LG #107
1. Introduction
Stunnel is an SSL encryption wrapper that allows what are normally plain text and insecure communications to be encrypted during transmission. Stunnel recently went through some major changes and the current version (4.x) has a completely different architecture than previous versions. In this article I will be dealing exclusively with the new version.
Dec
28
2004
The FreeBSD Diary - Upgrading to stunnel 4
stunnel is a great tool. It allows you to encrypt TCP connections inside SSL. And it’s available for both Unix and Windows. I use it to hide various traffic, including the cvsup I run to update this website and the zone files on my DNS servers. See stunnel - another way to avoid plain text passwords and stunnel - encryption and security for my previous articles.
Recently, stunnel 4.0 came out with many new improvements. Much to the annoyance of some users, the command line parameters changed drastically. Personally, I thought that was a good thing. Version 4 uses a configuration file, and comes with enhanced capability. I like it.
Dec
28
2004
Stunnel.org
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon’s code.
Dec
24
2004
Microsoft Baseline Security Analyzer V1.2.1
MBSA is the free, best practices vulnerability assessment tool for the Microsoft platform. It is a tool designed for the IT Professional that helps with the assessment phase of an overall security management strategy. MBSA Version 1.2.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems.
Dec
17
2004
Digital Matrix - AirSnare - Intrusion Detection software by Jay L. DeBoer
AirSnare is another tool to add to your Wireless Intrusion Detection Toolbox. AirSnare will alert you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address you have the option of tracking the MAC address’s access to IP addresses and ports or by launching Ethereal upon a detection.
Oct
08
2004
Insider Secrets: Three things to do with your old PC - CNET reviews
Sure, a $50 Linksys box will protect your home network. But how about something a bit burlier? If your old system has a Pentium processor, 64MB of RAM, a hard drive, and a CD-ROM drive, it’s painless to build a pretty serious network firewall, called a SmoothWall.
Oct
08
2004
IPCop 1.4.0 Final Release! :: IPCop.org :: The bad packets stop here!
IPCop Linux is a complete Linux distribution whose sole purpose is to protect the networks on which it is installed. It is extremely easy for anyone to install and configure. Frequently, the IPCop firewall can be installed within 10 to 15 minutes.
Sep
19
2004
Cheap Wireless Security for Unix - SSH Tunnel to a Proxy
I’ve been using wireless networks for a few years now, but only recently have I decided that securing them would be a good idea. These days just about everyone is using 802.11 networks, and the security designed into the protocol (WEP) is very easily compromised, even at its highest-bit encryption setting.
This article details a solution I came up with for creating and securing a wireless sub-network that has limited access to a main network. The ideal way would probably be to create a real VPN (possibly using ppp and ssh), but a solution adequate for most people can be created quite easily using an SSH tunnel and a proxy server.
Apr
07
2004
UnPlug n’ Pray - Disable the Dangerous UPnP Internet Server
“The FBI has Strongly Recommended that
All Users Immediately Disable Windows’
Universal Plug n’ Play Support”
This flaw in Microsoft OSs has been responsible for several Denial of Service attacks on our servers. Do yourself and the world a favor by downloading and running the ‘unpnp.exe’ file in the above link.
Apr
06
2004
Follow the trail of this DDoS attack.
Distributed Denial of Service Attack: January-March 2004
Starting on January 25th, 2004, the number of hits per day at the www.fourmilab.ch exploded from the typical weekday level of around 650,000 first to 823,000 on the 25th, then 1,051,992 on the 26th and comparable levels on subsequent days (with the typical drop-off expected on the week-end).
Apr
06
2004
perlcode.org - sm_dict
Now, each day included in the security output will be a list of dictionary attackers. The list includes those of the past 2 days as well, so attacks of the previous two days are always included.
It will tell you (daily, included with your FreeBSD security run output) about sendmail dictionary attacks. You can then add attacking hosts’ netblocks to your /etc/mail/access file to prevent future attempts.
Apr
02
2004
TCP Wrappers Configuration Files
To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files: