Wednesday, March 27, 2013

Tightening Java

Oracle's Java has been shown to be chock full of holes, but some people need to have it. This doc will outline some changes you should make to tighten it up a bit. To make these changes, open the Java control panel.

Set daily update checks

With the recent spate of security reports, you want to keep Java up to date. By default, it only checks for updates once a month. Change that to daily in the Update tab:

Move the slider

Next, go to the Security tab and move the slider to High. If you don't have a slider here, your Java needs to be updated via the Update tab:

Enable online certificate checks

Finally, click on the Advanced link on the Security tab and enable both "Enable online certificate validation" and "Check certificates for revocation using Certificate Revocation Lists". The former tells Java to check online for the status of any certificate presented to it, and the latter tells Java to check online to see whether the Certificate Authority has issued a revocation for a given certificate. Without these options checked, a bad certificate may be allowed.

Disable elevated privileges for self-signed certificates

Anyone can make a self-signed certificate, so you want to disable granting elevated privileges for those.

Posted by bil at 9:41 AM
Edited on: Wednesday, March 27, 2013 11:34 AM
Categories: Other Software, Work

Monday, March 25, 2013

Increasing Browser Security

There's been a rash of browser exploits the last year or two, mostly centered around Java, Adobe's PDF Reader, and Flash. "Best Practices"® suggests disabling all of them, which is fine, but doesn't really address what most people need, which is a way to use plugins they need when they need them, but block them the rest of the time. It is important to keep in mind that much malware gets picked up when visiting major websites. A cracker finds a hole in a web site, and then inserts a piece of malware that can take advantage of security flaws in Java, Adobe's PDF Reader, or Flash, and your browser executes that code as you visit the website. Major sites such as NBC have hosted such malware, and for a while, Google served up malware in sponsored ads.

Here's what I've come up with, for what it's worth, as a means for reducing my risk, in terms of tightening Firefox and Chrome. I'm not an expert, but these measures are pretty easy to do and can help reduce your exposure.

Use Two Browsers

Don't use the browser you like to use for general web surfing for anything that is a security risk. If you use Chrome for your daily dose of YouTube and Facebook, use Firefox or Opera for your banking and accessing personnel data. Using a second computer or a virtual machine is much safer, but isn't really practical for most folks. Firefox and Chrome are arguably the two most secure browsers at the time of this writing.

Keep everything up to date

It's hard to keep everything up to date, but you need to do that. An easy way is to use Qualys's Browsercheck. Make that your homepage, and then when you start the browser it will scan your system for updates to your browser and the plugins you have installed.

Use OpenDNS or Google's DNS servers with your laptop

OpenDNS provides free DNS services, and one thing they do is redirect you from known or suspected malware sites and help protect you from phishing schemes. Google's DNS service also offers some additional protections compared to the typical ISP. UNC's campus DNS servers also provide this kind of protection.

Browser Settings

Enable Click to Play

For a couple of years now, I've used the ClickToPlugin extension with Safari. This blocks Flash, HTML5, Java and other popular plugins from automatically loading, and presents an icon that you can click to play the plugin if you so wish.

I just found out that this same functionality is available in Firefox and Chrome, see this Krebs on Security blog article for more info, but here's how to enable it in Firefox (I'm quoting Krebs):

Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the following: “plugins.click_to_play”, again without the quotes. Double click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice).

And in Chrome

From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”.

Block Popup Windows

Use Firefox's preferences to block popup windows. If you need popups for a particular site, you can enable an exception. Chrome does this by default (https://support.google.com/chrome/bin/answer.py?hl=en&answer=95472).

Plugins

There are a lot of plugins out there you can use to help tighten security. Here's a short list of the ones that seem to me to be the least intrusive and easiest to use. Power users and geeks will likely want to use more sophisticated plugins.

LastPass

LastPass is a free service and plugin that stores your passwords, encrypted, in a little database, and will fill in web forms with your id and password as well as other data. You can choose to store the passwords in their cloud, or you can store them locally, and it can sync passwords between browsers. Similar programs are KeePass and 1Password. The real advantage to this approach is that you use a long, strong password that is unique to each web site and service you visit, and you don't have to remember any of them. When you need a password, you unlock the vault, LastPass fills it in for you, and you're done.

HTTPS Everywhere

The Electronic Frontier Foundation has made a plugin that will test for and use HTTPS, if it is available, on all the web sites you visit. It's called HTTPS Everywhere, and is available for Chrome and Firefox. This will help keep your browser sessions from being sniffed or hijacked when you're in the coffee shop.

Web of Trust

Web of Trust uses user feedback to rate how trustworthy a given web site is. The backend is social, so what it relies on is what other people think about the web site you're about to visit.

QuickJava

QuickJava for Firefox makes it easy to enable and disable Java, JavaScript, Cookies, Image Animations, Flash, Silverlight, Images, Stylesheets and Proxy from either the Statusbar or Toolbar. It is not as complete a solution as NoScript for Firefox or NotScripts for Chrome, but does not require as much technical savvy to use. You left click on an icon to enable the plugin or option: blue means enabled, red means disabled. This is a good one to use if you know, for example, that you need Java but don't ever need Flash. But be aware that this extension blocks plugins silently; you won't be prompted to load those that are blocked.

Additional Info

For additional settings, see the following web sites:

CERT on Securing Your Web Browser.

Cornell's IT on Enhance Your Web Browser's Security.

Thanks to Alex Everett for helping with this article.

Posted by bil at 10:42 AM
Edited on: Tuesday, March 26, 2013 12:43 PM
Categories:

Thursday, December 27, 2012

Encrypting folders in OS X

encfs is a user-level file system that provides strong encryption of files, and which works with FUSE to allow mounting encrypted folders as if they were a remote drive. The result is an easy-to-use method of creating a space to store sensitive data, but without creating a monolithic disk image that has to be backed up in its entirety every time it gets touched. I've been using an encrypted disk image for this for a few years now, and the load on Time Machine or, in my case, CrashPlan, is pretty high. Also, this system will allow you to create an encrypted space in Dropbox or another cloud storage system.

First, some caveats. If you do this and lose your password, you lose access to the encrypted files. Period. No ifs, ands, or buts. I strongly suggest that you also make an unencrypted copy of these files on a DVD or external drive that you can physically secure, and do so on a regular basis. Finally, I can't really say whether doing this is better or worse than other approaches, but it seems to be a good idea to me.

Installation

There are a few sites out on the internet that have versions of FUSE for OS X, but my favorite is OSXFUSE on GitHub. This fork is actively being updated, unlike MacFUSE, and has a MacFUSE compatibility layer. Get both fuse and sshfs from there--we're not talking about sshfs now, but it's a handy thing to have--it lets you mount any system you can connect to with ssh as a mounted drive. Install the osxfuse package; this provides the hooks for user-level file systems, and it's a simple package install. An alternative FUSE for OS X is Fuse4X, but I haven't tried that one; see http://fuse4x.github.com

To get encfs, one possibility is to install BoxCryptor. It's a nice wrapper; if you want a decent GUI for this, it's a decent option. Also, a hat tip to them for putting up information on how to do this; it was very helpful. You could also build the source found at http://www.arg0.net/encfs, and there are installers for it in brew, DarwinPorts, and Fink (although the latter is not up to the current version). I just took the easy way out and used BoxCryptor. If you use BoxCryptor, do make sure to do a custom install and uncheck the OSXFUSE option, since the main project page has a newer version.

When you run BoxCryptor, it will lead you through creating one encrypted folder; I went ahead and put that into Dropbox. When you do the install on a second machine with Dropbox, it will find that folder--just click on the BoxCryptor.bc folder and it will prompt you for a password, and that folder will mount in the sidebar. Put stuff in, and it gets encrypted on the fly; dismount the folder when you're done.

But you can also use the command line to make other encrypted folders, for example:

mkdir ~/Crypt
encfs /Users/hays/Crypt.raw /Users/hays/Crypt

will make an encrypted folder that can be mounted to ~/Crypt as a FUSE drive. In a shell, that folder will be ~/Crypt, but in Finder, it will appear as "OSXFUSE volume 0 (encfs)" in that same dir. If you drag that folder to the Finder's sidebar, it will reappear there each time you mount the encrypted volume.

You may find this a little confusing at first--the key thing to remember is that any files that you place directly in the Crypt.raw folder will not be encrypted--the encryption occurs when you put files and folder into the mounted FUSE volume, and the encrypted files are stored in the Crypt.raw folder.

This latter bit is a bit more secure than BoxCryptor's free version in that file and folder names are encrypted as well as the contents. To mount the filesystem:

encfs -i 20 /Users/hays/Crypt.raw /Users/hays/Crypt

You'll be prompted for a password, et voilà!
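As an added example (not from the original post), here is a small wrapper around the encfs commands above that guards against the pitfall described earlier: files dropped straight into Crypt.raw are never encrypted. It assumes encfs and OSXFUSE are installed as above; the paths default to the post's ~/Crypt.raw and ~/Crypt, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the post's encfs commands
# so that files only ever get copied into the *mounted* FUSE volume.
# Paths default to the post's examples; override with RAW= and MNT=.
RAW="${RAW:-$HOME/Crypt.raw}"
MNT="${MNT:-$HOME/Crypt}"

# Return 0 if the absolute path $1 (no trailing slash) is itself a mount
# point. POSIX `df -P` prints the mount point in its 6th column on both
# OS X and Linux, so an unmounted directory reports its parent filesystem
# instead of itself (paths containing spaces are not handled).
is_mounted() {
    [ "$(df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }')" = "$1" ]
}

# Mount the encfs volume with the post's idle timeout (-i 20 unmounts it
# after 20 minutes of inactivity) unless it is already mounted; encfs
# prompts for the password itself and creates RAW/MNT if they are missing.
mount_crypt() {
    if is_mounted "$MNT"; then
        echo "$MNT is already mounted"
        return 0
    fi
    mkdir -p "$RAW" "$MNT"
    encfs -i 20 "$RAW" "$MNT"
}

# Copy files into the encrypted space only while the FUSE volume is
# mounted; otherwise cp would write cleartext into the empty mount
# directory, which is exactly the mistake the post warns about.
safe_copy() {
    if ! is_mounted "$MNT"; then
        echo "refusing to copy: $MNT is not a mounted encfs volume" >&2
        return 1
    fi
    cp -R "$@" "$MNT"/
}

# Unmount when done (umount works for FUSE volumes on OS X; on Linux
# `fusermount -u` is the equivalent).
unmount_crypt() {
    is_mounted "$MNT" && umount "$MNT"
}
```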

Again, I want to stress that it is important to keep backups of whatever data you encrypt in this manner--last spring I spent about an hour in a cold sweat trying to remember my password for an encrypted disk image that contained my tax data.

Posted by bil at 11:29 AM
Edited on: Thursday, December 27, 2012 11:46 AM
Categories: Other Software

Monday, December 17, 2012

Installing Splunk forwarder on OS X

Splunk has a component called a forwarder; think of this as a thin client that forwards log data to a Splunk server (the indexer, in particular). Here's a basic installation procedure for OS X. For this we will be using the Darwin tarball, rather than the OS X dmg. The latter stores all of the data and configuration inside of the OS X app bundle, and this strikes me as a Bad Idea (tm).

Also, since Splunk isn't FOSS, you'll need to go up to splunk.com to get a copy. I'll assume you already have a server set up somewhere--if you don't, there's no point in doing this.

Some general notes

The darwin forwarder installs in /opt. This is good in general, since it keeps the installation away from Apple's version of unixy goodness, but it might cause some issues if you use Darwin ports. I don't know if it does, since I don't use Darwin ports.

You have an option to use SSL to connect to the server. You should do this, but in my case, I found it better to try things out in a test setup without using SSL since setting up the certs can be a pain.

Initially, we'll try this running the Splunk forwarder as root, but then we'll cut over to a different user. Running processes as root if you don't have to is not a great idea.

You might also check out this:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Deployanixdfmanually

Installing Splunk forwarder

So your first step is to get the splunk universal forwarder. Go ahead, I'll wait here.

Sudo to a root shell:

sudo /bin/bash

We'll do this all as root, so be careful with your typing.

Make a directory for this:

mkdir /opt

cd /opt

Assuming you downloaded the Splunk forwarder through the browser, it should be in Downloads; copy it to /opt (but keep in mind that you'll be installing a later version than this, so the names will change).

cp ~/Downloads/splunkforwarder-4.3.1-119532-Darwin-universal.tgz /opt

Unpack the forwarder and enter the directory:

tar -xvzf splunkforwarder-4.3.1-119532-Darwin-universal.tgz

cd splunkforwarder

Start splunk

/opt/splunkforwarder/bin/splunk start --accept-license;

Open a second terminal window,

sudo /bin/bash

cd /opt/splunkforwarder/var/log/splunk

tail -f splunkd.log

You can check this window to see how well your forwarder is working.

Add your server to the configuration. You'll be prompted for your Splunk userid and password for this, so it will be admin and whatever you changed your password to from changeme. Also, the IP address of your server is likely to be different:

/opt/splunkforwarder/bin/splunk add forward-server 192.168.1.11:9997

Now, let's add a couple of logs to forward to the server:

/opt/splunkforwarder/bin/splunk add monitor /var/log/secure.log

/opt/splunkforwarder/bin/splunk add monitor /var/log/system.log

If everything goes well, at this point you should be able to look at the system.log and the secure.log from your splunk server's web interface.

Adding SSL Support

This is the best simple explanation I've found for using SSL with splunk. For this method, we're relying on splunk to make the CA, and then producing signed certs with passwords for some additional security.

http://splunk-base.splunk.com/answers/5518/what-is-the-recipe-for-creating-new-ssl-certs-for-forwarding-with-no-auth

Make a space to store the certs out of the way of the default installation:

mkdir /opt/splunkforwarder/etc/certs

chmod og-rwx /opt/splunkforwarder/etc/certs

Posted by bil at 6:00 PM
Categories: Other Software, Work

Update to Timelox for OpenSSH 6.1p1

I just patched OpenSSH 6.1p1 with the Timelox code, and I've posted the installer tgz file at:

https://wwwx.cs.unc.edu/~hays/dev/timelox_and_TheHand/files/openssh-6.1p1.timelox.installation.tgz 

This will likely be the last of these I do, since sshguard does a better job of the same thing. If you're curious about this, see Timelox and TheHand.

Posted by bil at 3:55 PM
Categories: My Software