And speaking of ACTA…
I made some remarks on ACTA and its impact here.
As I noticed today the main news regarding ACTA is that Tribler Makes BitTorrent Impossible to Shut Down. Tribler still relies on the BitTorrent protocol, but in a decentralized manner. So, in a strange way, we'll be back to good old DC++ (or whatever utility you preferred back then) days.
This will always happen when chasing the effect and not the cause.
Of course Tribler is just one workaround, and it has its own issues. For example, once you start downloading, your IP is known to your peers, and one of them may happen to be the long arm of the law... Luckily, there are other options.
Some thoughts on ACTA
Everybody is talking about it. Not talking about ACTA on a security blog / page / discussion board / forum / etc. is like not talking about the elephant in the living room. So here we go, but with a fresh perspective.
There are riots over the Internet, petitions, and people gathering and demonstrating against ACTA. But do they fully understand it? They were told that 'someone' is trying to get control over the Internet and that things will never be the same again. How many of them actually read the entire act? Almost nobody. So how can they identify that 'someone' who is taking over the Internet? Not knowing your enemy makes you an easy target; it's like going to war without a purpose. Of course they have a purpose if you ask them: they don't want their emails tracked, they want the freedom to share, and so on. What they don't know is that this is already happening at one level or another. And if they really want that, they can protect themselves and assure privacy for their communications; the technology is out there and it's free.
Webmin and Virtualmin installation on Debian
Now that we have a fresh and clean Debian installation we can proceed to Webmin and Virtualmin installation.
Although installing Apache, MySQL and the other components a web server needs by hand is not hard, and you can find plenty of support for it, I prefer installing Webmin and Virtualmin to ease the administrative tasks.
If you're planning for a new server you should start with a fresh Debian installation with only the basic stuff on it.
Fast Debian installation of Webmin:
# wget http://www.webmin.com/download/deb/webmin-current.deb
# dpkg --install webmin-current.deb
You will probably miss some dependencies and will have to install them via 'apt-get install'. On my fresh Debian I was missing some Perl modules, so I ran 'apt-get install perl'; again dependencies were missing, but 'apt-get install -f' (as instructed by dpkg) solved it.
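The install-then-fix-dependencies flow above, as an added example script (not the Webmin project's installer): it skips the download when the package is already installed or the .deb is already on disk, lets apt resolve the unmet dependencies when dpkg fails, and only reports success if dpkg finally lists webmin as installed. The DPKG, APT_GET and WGET variables default to the real commands and exist so the flow can be exercised without a package manager.

```shell
#!/bin/sh
# Install Webmin from the upstream .deb on a fresh Debian, recovering from the
# unmet-dependency failure described above by letting apt resolve them.
# Example added here, not part of Webmin. The command variables only exist so
# the logic can be tested off a real Debian box (assumption: they are unset in use).
WEBMIN_URL=${WEBMIN_URL:-http://www.webmin.com/download/deb/webmin-current.deb}
DPKG=${DPKG:-dpkg}
APT_GET=${APT_GET:-apt-get}
WGET=${WGET:-wget}

# Returns 0 when dpkg reports the package as installed and fully configured.
pkg_ok() {
    "$DPKG" -s "$1" 2>/dev/null | grep -q '^Status: install ok installed'
}

install_webmin() {
    deb=${1:-webmin-current.deb}
    if pkg_ok webmin; then
        echo "webmin already installed"
        return 0
    fi
    # Reuse a .deb that is already on disk, otherwise fetch it.
    [ -f "$deb" ] || "$WGET" -O "$deb" "$WEBMIN_URL" || return 1
    # dpkg unpacks the package but fails when Perl modules etc. are missing;
    # 'apt-get install -f' then pulls in exactly those dependencies.
    if ! "$DPKG" --install "$deb"; then
        echo "dependencies missing, letting apt resolve them" >&2
        "$APT_GET" install -f -y || return 1
    fi
    pkg_ok webmin
}

# Run as: sh install-webmin.sh install [path/to/webmin-current.deb]
if [ "${1:-}" = "install" ]; then
    install_webmin "${2:-}"
fi
```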
Install a clean Debian on Virtualbox
I don't test my 'ideas' on live servers, nor do I keep unnecessary hardware around the house to play with. So I use the other option at hand, a virtual machine. Although this will be a VM installation of Debian, the idea of a very clean and basic installation is the same for an installation on real hardware.
For my testing purposes I prefer Oracle VM VirtualBox over VMware, first of all because it's free for home use and secondly because it's smaller and faster for the applications I run. If you don't already have it installed you can download it from https://www.virtualbox.org/wiki/Downloads.
You might have noticed that I'm a Debian fan; this is the system I have worked with for a long time, so it's more of a habit now. For our clean installation we'll use the so-called NetInstall version. It's a small ISO image (under 200MB) containing only the basics for the installation; the rest of the applications will be downloaded during the install phase. So you must have internet access during installation (if you are reading this article you surely do, but pay attention when installing on real hardware). Download the latest version of Debian NetInstall from http://www.debian.org/CD/netinst/.
Start VirtualBox and let's create a new Virtual Machine, by selecting New:
Installing TCPDump on DD-WRT
Now that we have JFFS enabled we can install new apps on our router. Note that the apps are installed into RAM and will vanish when you log out. You can write a script to automatically install your preferred applications during the login process.
DD-WRT does not come with a repository but we can use the OpenWRT packages. Just run the following from the command line:
mkdir -p /tmp/smbshare/tmp/ipkg
cd /tmp/smbshare/tmp/ipkg
wget http://downloads.openwrt.org/whiterussian/packages/libpcap_0.9.4-1_mipsel.ipk
ipkg -d smbfs install libpcap_0.9.4-1_mipsel.ipk
wget http://downloads.openwrt.org/whiterussian/packages/tcpdump_3.9.4-1_mipsel.ipk
ipkg -d smbfs install tcpdump_3.9.4-1_mipsel.ipk
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib" PATH="$PATH:/tmp/smbshare/usr/sbin"
We first install libpcap, the capture library tcpdump depends on. You might get some warnings, but it's fairly safe to ignore them. That's it: run 'tcpdump' from the command prompt and let the flow amaze you. We'll discuss some tcpdump options later.
You can check the OpenWRT repositories for other great pieces of software ported and prepared for embedded devices: http://downloads.openwrt.org/whiterussian/packages/
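The "install your preferred applications at login" idea mentioned above, as an added example script (not part of DD-WRT or OpenWRT): it runs the same ipkg sequence but skips packages whose files are already present under the smbfs root, so it is safe to call from a login or startup hook on every boot. The ROOT, MIRROR, IPKG and WGET variables default to the paths and commands from the post and exist only so the logic can be exercised off the router; the mirror may no longer carry these exact package files.

```shell
#!/bin/sh
# Re-install libpcap and tcpdump into the writable smbfs/JFFS area when they are
# missing (they live only in RAM on DD-WRT). Example added here, not part of DD-WRT.
ROOT=${ROOT:-/tmp/smbshare}        # where 'ipkg -d smbfs' unpacks packages
MIRROR=${MIRROR:-http://downloads.openwrt.org/whiterussian/packages}
IPKG=${IPKG:-ipkg}
WGET=${WGET:-wget}
# "<file the package provides, relative to ROOT> <package file>";
# libpcap first because tcpdump links against it. The libpcap glob is an assumption
# about the shared-object file name.
PACKAGES="usr/lib/libpcap.so* libpcap_0.9.4-1_mipsel.ipk
usr/sbin/tcpdump tcpdump_3.9.4-1_mipsel.ipk"

# Returns 0 when the file (or glob) the package provides exists under ROOT.
installed() {
    set -- "$ROOT"/$1          # unquoted on purpose: expands the glob
    [ -e "$1" ]
}

# Same environment the post exports, without duplicating an empty LD_LIBRARY_PATH.
setup_env() {
    export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$ROOT/usr/lib"
    export PATH="$PATH:$ROOT/usr/sbin"
}

# Subshell body so the cd does not leak into the caller's shell.
install_missing() (
    mkdir -p "$ROOT/tmp/ipkg" && cd "$ROOT/tmp/ipkg" || exit 1
    echo "$PACKAGES" | while read -r marker pkg; do
        if installed "$marker"; then
            echo "$pkg already present, skipping"
            continue
        fi
        [ -f "$pkg" ] || "$WGET" "$MIRROR/$pkg" || exit 1
        "$IPKG" -d smbfs install "$pkg" || exit 1
    done
)

# Run as: sh install-tcpdump.sh   (e.g. from a startup script)
if [ "${1:-}" = "run" ]; then
    install_missing && setup_env && echo "tcpdump ready in $ROOT/usr/sbin"
fi
```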
Enabling JFFS in DD-WRT from SSH
I like DD-WRT, it offers the basic tools needed for a router but I'd like to install other apps as well. The problem with embedded devices is that the system is installed in the non-volatile memory (usually 2-4MB) and one can only use the RAM to install apps.
But first we need to map the RAM into a JFFS. There is an option in the web interface that allows us to do so, but there goes all the fun. Plus, there is a major issue with the DD-WRT v24sp1 VPN builds having the JFFS feature removed, presumably due to conflicts between JFFS and bandwidth monitoring. If we don't care about bandwidth monitoring we can enable JFFS from the command line:
nvram set jffs_mounted=1
nvram set enable_jffs2=1
nvram set sys_enable_jffs2=1
nvram set clean_jffs2=1
nvram set sys_clean_jffs2=1
nvram commit
reboot
I noticed a "longer than usual" reboot after these operations. If we want to unmount the JFFS:
nvram set sys_enable_jffs2=0
nvram set sys_clean_jffs2=0
nvram set jffs_mounted=0
nvram commit
reboot
The variables created in these operations can be deleted with nvram unset <var>.
Enabling DD-WRT web interface from SSH
With this article we're starting a new category regarding DD-WRT and micro-embedded devices.
I've been using DD-WRT (and other variants such as Open-WRT, Tomato, etc., depending on the device) for quite a while, and every now and then I need to re-enable the web interface from the command line. For instance, I found the web interface not responding even though it was enabled, so I wanted to reinitialize it. Just log in via SSH (we all know Telnet is bad, right?) and do the following.
Stopping the web interface from SSH (if it is enabled):
nvram set httpd_enable=0
nvram set http_enable=0
killall httpd
Starting the web interface and setting the parameters (the long and safer version):
nvram set remote_management=1
nvram set http_wanport=8080
nvram set httpsd_enable=1
nvram set https_enable=1
nvram set remote_mgt_https=1
nvram commit
reboot
So now just point your browser to https://your_public_ip:8080.
Notice that we enabled HTTPS for remote management. Feel free to use any port you like, and if you're a fan of security through obscurity you might want to use a port IANA has left unassigned.
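The nvram sequences from this post and from the JFFS post above, collected into one script with subcommands, as an added example (not part of DD-WRT): it validates the management port before anything is written to nvram, so a typo cannot leave the router with a broken or unexpected listener after the reboot. The NVRAM, REBOOT and KILLALL variables default to the real router commands and exist only so the logic can be tested off the router.

```shell
#!/bin/sh
# Enable/disable JFFS and the HTTPS web interface on DD-WRT from SSH.
# Example added here, not part of DD-WRT; nvram variable names are the ones
# from the posts above.
NVRAM=${NVRAM:-nvram}
REBOOT=${REBOOT:-reboot}
KILLALL=${KILLALL:-killall}

nv() { "$NVRAM" "$@"; }   # short alias so the sequences read like the posts

# Mount the RAM-backed JFFS; the router reboots afterwards (expect it to take longer than usual).
jffs_enable() {
    nv set jffs_mounted=1 && nv set enable_jffs2=1 && nv set sys_enable_jffs2=1 &&
    nv set clean_jffs2=1 && nv set sys_clean_jffs2=1 && nv commit && "$REBOOT"
}

jffs_disable() {
    nv set sys_enable_jffs2=0 && nv set sys_clean_jffs2=0 && nv set jffs_mounted=0 &&
    nv commit && "$REBOOT"
}

web_stop() {
    nv set httpd_enable=0 && nv set http_enable=0 && "$KILLALL" httpd
}

# Returns 0 only for a decimal TCP port in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# HTTPS-only remote management on the given WAN port (the "long and safer" version).
web_start() {
    port=${1:-8080}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    nv set remote_management=1 && nv set http_wanport="$port" &&
    nv set httpsd_enable=1 && nv set https_enable=1 && nv set remote_mgt_https=1 &&
    nv commit && "$REBOOT"
}

case ${1:-} in
    jffs-on)  jffs_enable ;;
    jffs-off) jffs_disable ;;
    web-off)  web_stop ;;
    web-on)   web_start "${2:-}" ;;
    '')       ;;   # no subcommand: just define the functions (lets the file be sourced)
    *)        echo "usage: $0 jffs-on|jffs-off|web-off|web-on [port]" >&2; exit 2 ;;
esac
```

Run it as 'sh ddwrt-admin.sh web-on 8080' over the SSH session; every sequence ends with 'nvram commit' because settings written with 'nvram set' alone do not survive the reboot.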
ISO 27001 Domains, Control Objectives and Controls
ISO 27001 currently has 11 Domains, 39 Control Objectives and 130+ Controls. Following is a list of the Domains and Control Objectives.
1. Security policy
Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
2. Organization of information security
Internal organization
Objective: To manage information security within the organization.
External parties
Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
PCI DSS Control Objectives
Payment Card Industry Data Security Standard has six control objectives and 12 requirements:
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
ISO 27001 Certification Statistics
How many companies have certified under ISO 27001? You can find the answer here. So, under 7300 as of mid-August 2011.
Now, in another report from April 2008, there were 4500 certificates, with the distribution: Japan (2550); UK (370); India (430); Taiwan (175); China (110); Germany (90); and then a group of countries (Hungary, Italy, USA and Korea) at around 60 each.
The distribution has remained pretty much the same, with Japan holding more than half of the world-wide certifications. The Japanese are mad about productivity, so by adopting a standard they accept a set of rules that work.
