Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science

2014.09.02

To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone.  Interceptors look to a typical phone like an ordinary tower.  Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.”

via Mysterious Phony Cell Towers Could Be Intercepting Your Calls | Popular Science.

BYOD is a huge security problem in organizations, but this is just a friendly reminder: if you’re out in the world, you have to expect attacks.

 

Categories : Security

Official Gmail Blog: A first step toward more global email

2014.08.25

But all that could change. In 2012, an organization called the Internet Engineering Task Force (IETF) created a new email standard that supports addresses with non-Latin and accented Latin characters (e.g. ?????.????). In order for this standard to become a reality, every email provider and every website that asks you for your email address must adopt it. That’s obviously a tough hill to climb. The technology is there, but someone has to take the first step.

via Official Gmail Blog: A first step toward more global email.

 

The TL;DR is: Google is enabling non-Latin chars in email addresses (cf. RFC 6530). Whether this will encourage widespread acceptance is going to be interesting to see; like IPv4, everyone’s gotten used to The Way We Do It Now. And like IPv6, I doubt there’s going to be much switchover unless it’s forced.

One obvious benefit would be to employ char-sets in the email header as part of heuristic anti-spam measures in a more nuanced way (as opposed to “anything non-LATIN-1 gets more weight when spam/ham score is being calculated”) — you’d be able to say “well, we have customers in Russia, so Cyrillic is OK, but we have no market in Asia so Asian languages have a higher spam score”.

Categories : News

Schneier on Security

2014.08.08

Schneier on Security. One of the best infosec blogs out there.

Categories : News  Security

Linux user auth against Active Directory

2014.07.30

Enabling user authentication on Linux against Active Directory, using Ubuntu, sssd and AD 2008 (should work with 2003r2).
1. Install the software you need:

apt-get install realmd sssd samba-common samba-common-bin samba-libs sssd-tools krb5-user adcli

2. vi /etc/sssd/sssd.conf and put this in it:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3

3. chmod 0600 /etc/sssd/sssd.conf

4. vi /etc/realmd.conf and put this in it:

[service]
 automatic-install = no

5. run kinit Administrator@YOURDOMAIN.ALLINCAPS.TLD
6. run realm --verbose join yourdomain.allincaps.tld \
--user-principal=ubuntuserverhostname/Administrator@YOURDOMAIN.ALLINCAPS.TLD --unattended

You should have more content inside sssd.conf now, in the [domain/YOURDOMAIN.ALLINCAPS.TLD] section.
7. vi /etc/sssd/sssd.conf and comment out the line use_fully_qualified_names = True

 

You should now be able to su - to a domain user.

That’s it, you’re done: you can login to your linux box by authenticating to your Active Directory domain.

Additional (and optional) stuff is below, like adding groups and restricting logins based on groups.

 

Additional settings inside /etc/sssd/sssd.conf [domain] section to enable groups:

 [domain/yourdomain.allincaps.tld]
 ad_domain = yourdomain.allincaps.tld
 krb5_realm = YOURDOMAIN.ALLINCAPS.TLD
 realmd_tags = manages-system joined-with-adcli
 cache_credentials = True
 id_provider = ad
 krb5_store_password_if_offline = True
 default_shell = /bin/bash
 ldap_id_mapping = True
## comment out
#use_fully_qualified_names = True
## these will need to be created manually or you will need to modify pam to 
## mkdir them with pam_mkhomedir.so or use oddjob-mkhomedir, see below
 override_homedir = /home/%u
 fallback_homedir = /home/%d/%u
##group settings##
 ldap_group_uuid = objectGUID
 ldap_user_uuid = objectGUID
 ldap_group_member = member
 ldap_user_member_of = memberOf
 ldap_user_uid_number = uidNumber
 ldap_group_nesting_level = 1
 ldap_force_upper_case_realm = True
 ldap_user_principal = userPrincipalName
 ldap_user_object_class = user
 ldap_user_gid_number = gidNumber
 ldap_group_modify_timestamp = whenChanged
 ldap_group_object_class = group
 ldap_group_name = cn
 ldap_user_name = sAMAccountName
 ldap_ns_account_lock = userAccountControl
 ldap_user_home_directory = unixHomeDirectory
 ldap_user_modify_timestamp = whenChanged
 ldap_group_gid_number = gidNumber
 ldap_referrals = false
## note: ldap_group_nesting_level is already set to 1 above; keep only one of the two lines
 ldap_group_nesting_level = 0

Test that groups are working by su’ing to an AD user and typing in “groups”, which will show you what groups your user is a member of.

To make the home directory autocreate:

1. edit /etc/pam.d/common-session (/etc/pam.d/session-auth in RHEL) and add this line before any pam_ldap or pam_krb5 lines:

#autocreate user homedirs
 session required pam_mkhomedir.so umask=0022 skel=/etc/skel

To limit login by AD group:

  1. Create a file that will have the group names allowed to login:
    vi /etc/login.allowed.per.ad.group

    and populate it with group names, one per line (I created an AD group called linux-login, to limit which users were allowed to login), like so:

    root
    wheel
    domain\ admins
    linux-login
  2. edit /etc/pam.d/common-auth (in RHEL this is /etc/pam.d/system-auth) and add this line to it:
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.allowed.per.ad.group
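
A pre-flight check for the login restriction above, as an added example that is not part of the original post: it verifies the sssd.conf mode from step 3, that short names from step 7 are in effect (the allowlist holds unqualified group names), that the allowlist is a regular, non-world-writable file, and that a given user is in a listed group before the onerr=fail line goes live. Function names are hypothetical, root ownership of sssd.conf is an assumption, and the whole-line group comparison only approximates the item=group lookup.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# sssd_conf_ok FILE [UID]: regular file, mode exactly 0600 (step 3), owned by
# UID (assumed default 0 = root).
sssd_conf_ok() {
    [ -n "$(find "$1" -prune -type f -perm 0600 -user "${2:-0}" 2>/dev/null)" ]
}

# short_names_enabled FILE: no active "use_fully_qualified_names = True" (step 7).
short_names_enabled() {
    [ -f "$1" ] &&
        ! grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*true' "$1"
}

# allowlist_usable FILE: a real regular file (not a symlink) that is not
# world-writable, so the list cannot be edited by an unprivileged user.
allowlist_usable() {
    [ -n "$(find "$1" -prune -type f ! -perm -0002 2>/dev/null)" ]
}

# group_allowed FILE GROUP...: true if any GROUP equals a whole line of FILE.
group_allowed() {
    file=$1; shift
    for g in "$@"; do
        grep -Fxq -- "$g" "$file" && return 0
    done
    return 1
}

# user_may_login FILE USER: resolve USER's groups by GID (names may contain
# spaces), then test them against the allowlist.
user_may_login() {
    for gid in $(id -G "$2" 2>/dev/null); do
        name=$(getent group "$gid" | cut -d: -f1)
        [ -n "$name" ] && group_allowed "$1" "$name" && return 0
    done
    return 1
}

# preflight USER: run every check on this page's paths; non-zero if any fails.
preflight() {
    rc=0; conf=/etc/sssd/sssd.conf; list=/etc/login.allowed.per.ad.group
    sssd_conf_ok "$conf"         || { echo "FAIL: $conf not root-owned 0600"; rc=1; }
    short_names_enabled "$conf"  || { echo "FAIL: fully qualified names active"; rc=1; }
    allowlist_usable "$list"     || { echo "FAIL: $list missing or world-writable"; rc=1; }
    user_may_login "$list" "$1"  || { echo "FAIL: $1 is in no listed group"; rc=1; }
    return "$rc"
}
```

Run `preflight someuser` as root before editing the PAM file, and keep an existing root shell open until a fresh login has succeeded.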

 

To allow an AD group to have access to sudo:

  1. visudo
  2. add the AD groups

%domain\ admins ALL=(ALL) ALL

%linux-sudo ALL=(ALL) ALL

Further reading:
Allow/Deny login per group:
http://www.cyberciti.biz/tips/howto-deny-allow-linux-user-group-login.html

Various bits, mostly to do with LDAP authentication, but can be translated for use with AD/sssd/pam (e.g. homedir creation)
https://help.ubuntu.com/community/LDAPClientAuthentication

http://www.chriscowley.me.uk/blog/2014/06/17/new-linux-active-directory-integration/

http://funwithlinux.net/2014/04/join-ubuntu-14-04-to-active-directory-domain-using-realmd/

http://linux.tvortex.net/2011/10/sssd-against-active-directory-2003.html

https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

The App I Used to Break Into My Neighbor’s Home | Threat Level | WIRED

2014.07.25

What I didn’t tell my neighbor was that I spent about 30 seconds in the stairwell scanning his keys with software that would let me reproduce them with no specialized skills whatsoever. The iPhone app I used wasn’t intended for anything so nefarious: KeyMe was designed to let anyone photograph their keys and upload them to the company’s servers. From there, they can be 3-D printed and mail-ordered in a variety of novelty shapes, from a bottle opener to Kanye West’s head.

via The App I Used to Break Into My Neighbor’s Home | Threat Level | WIRED.

Categories : Security