
Don't Get Cracked on Hostile WiFi

Mackenzie "maco" Morgan, http://ubuntulinuxtipstricks.blogspot.com
DC LUG, 15 Jul 2009 (also presented in Oct 2008 @ Ohio Linux Fest)

Summary: open WiFi at a security conference, hackers everywhere. Disclaimer: you won't be low-hanging fruit.


Presentation Transcript


  1. Don't Get Cracked on Hostile WiFi
     Mackenzie "maco" Morgan, http://ubuntulinuxtipstricks.blogspot.com
     DC LUG, 15 Jul 2009 (also presented in Oct 2008 @ Ohio Linux Fest)

  2. Scenario
     • Open WiFi
     • Security conference
     • Hackers everywhere

  3. Disclaimer
     • You won't be low-hanging fruit
     • But this won't stop OSI Layer 2 attacks

  4. Before You Go
     • VPN
     • Firewall & services
     • Users & passwords
     • DNS
     • Hashes
     • Tripwire & Chkrootkit
     • Disable SHMConfig in xorg.conf
     • Phone a friend

  5. VPN
     • Creates encrypted tunnel
     • Termination point:
       • DD-WRT on your router at home
       • School network
       • Online services

  6. Firewall Goals
     • Drop all inbound on all interfaces
     • Minimal outbound ports on wireless interface:
       • VPN port
       • DNS
     • Whitelist outbound ports on tunnel interface

  7. Firewall & Services
     • UFW alone is insufficient
       • Cannot do outbound
       • Need to edit /etc/ufw/before.rules and /etc/default/ufw
     • Outbound matters
       • No phoning home
     • Drop, not reject – takes longer to port scan
     • No external services
       • Are you going to SSH into the laptop you're holding?
     • IPv6 firewall is ip6tables, not iptables

  8. Default drop in UFW
     /etc/default/ufw:
        IPV6=no
        DEFAULT_INPUT_POLICY="DROP"
        DEFAULT_OUTPUT_POLICY="DROP"
        DEFAULT_FORWARD_POLICY="DROP"
     But that's not enough... /etc/ufw/before.rules has these lines by default, and they accept every new outbound TCP and UDP connection, so remove them and whitelist outbound explicitly:
        # connection tracking for outbound
        -A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        -A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
     (One rule per line: before.rules is fed to iptables-restore, which has no backslash line continuation.)

  9. Other Example Rules
        # DNS
        -A ufw-before-output -p udp --dport 53 -j ACCEPT
        # Ping
        -A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
        # Allow VPN running on port 4500 through wireless interface
        # (protocol 50 is ESP; UDP 4500 is IPsec NAT-T; x.x.x.x is the VPN endpoint)
        -A ufw-before-output -p 50 -d x.x.x.x -o wlan0 -j ACCEPT
        -A ufw-before-output -p udp -d x.x.x.x --sport 4500 --dport 4500 -o wlan0 -j ACCEPT
        # Allow outbound SSH, HTTP/S, Jabber, and IRC on tunnel interface
        -A ufw-before-output -p tcp -m multiport --dports 22,80,443,5222,6667 -o tun0 -j ACCEPT
     Port numbers for protocols can be found in /etc/services
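As an added example (not from the talk), here is a read-only audit script for the two files slides 8 and 9 edit. It checks that /etc/default/ufw sets DROP on all three chains and then counts rules in before.rules that accept NEW outbound flows without being pinned to a tunnel interface, which is exactly what the stock "connection tracking for outbound" lines do. The file paths and the tun/ppp interface naming are assumptions; the demo runs on constructed copies of the files, not the live system.

```shell
#!/bin/sh
# Added example, not from the talk: audit the ufw files the slides edit.
# Paths are parameters, so the demo below runs on constructed sample files.

# Succeed only if INPUT, OUTPUT and FORWARD default policies are all DROP.
ufw_defaults_are_drop() {    # defaults_file
    total=$(grep -Ec '^DEFAULT_(INPUT|OUTPUT|FORWARD)_POLICY=' "$1" || true)
    drop=$(grep -Ec '^DEFAULT_(INPUT|OUTPUT|FORWARD)_POLICY="DROP"' "$1" || true)
    [ "$total" -eq 3 ] && [ "$drop" -eq 3 ]
}

# Print how many ufw-before-output rules accept NEW flows on any interface
# other than a tunnel (-o tun*/ppp*, an assumed naming convention). Anything
# above 0 means outbound traffic on the wireless side is not whitelisted.
permissive_outbound_rules() { # before_rules_file
    grep -E -- '^-A ufw-before-output .*--state[[:space:]]+[A-Z,]*NEW.*-j ACCEPT' "$1" \
      | grep -Evc -- '-o (tun|ppp)[0-9]+' || true
}

# Constructed sample files: defaults already DROP, before.rules still carrying
# the stock outbound rules plus one correctly pinned tunnel rule.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ufw" <<'EOF'
IPV6=no
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"
EOF
    cat > "$dir/before.rules" <<'EOF'
# connection tracking for outbound (stock lines: accept ANY new outbound flow)
-A ufw-before-output -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# whitelist pinned to the tunnel interface: this one is fine
-A ufw-before-output -p tcp -m state --state NEW -m multiport --dports 22,80,443 -o tun0 -j ACCEPT
EOF
    printf '%s\n' "$dir"
}

# Report both checks; returns 1 if either fails.
audit_ufw() {                # dir containing "ufw" and "before.rules"
    status=0
    if ufw_defaults_are_drop "$1/ufw"; then
        echo "defaults:      all three policies DROP"
    else
        echo "defaults:      NOT all DROP"; status=1
    fi
    n=$(permissive_outbound_rules "$1/before.rules")
    if [ "$n" -eq 0 ]; then
        echo "before.rules:  outbound is whitelisted"
    else
        echo "before.rules:  $n stock rule(s) still accept any new outbound flow"; status=1
    fi
    return $status
}

# Stand-alone run: defaults pass, before.rules is flagged.
sample=$(write_samples)
audit_ufw "$sample" || :
rm -rf "$sample"
```

On a real machine, call `audit_ufw` on a directory holding copies of /etc/default/ufw (renamed to `ufw`) and /etc/ufw/before.rules; the script never writes to either file.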

  10. Users & Passwords
     • Temporary strong password for you
     • Disable unneeded users
       • passwd -l
       • Set /bin/false as shell in /etc/passwd
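As an added example (not from the talk), the following script finds accounts that could still log in, meaning an unlocked hash in shadow (passwd -l prefixes the hash with "!", and "*" means no password was ever set) combined with a real login shell, and prints the lock-down commands from the slide for every such account except the one you keep. The sample passwd and shadow files, user names and hashes are constructed; on a real box point it at /etc/passwd and /etc/shadow (readable only as root) and review the output before running anything.

```shell
#!/bin/sh
# Added example, not from the talk: list login-capable accounts and print
# (do not run) the commands that lock the ones you do not need.

# Print account names with an unlocked (or empty) hash AND a login shell.
login_capable_accounts() {   # passwd_file shadow_file
    awk -F: '
        # first file (shadow): usable unless the hash starts with ! or *
        NR == FNR { usable[$1] = ($2 !~ /^[!*]/); next }
        # second file (passwd): skip shell-less accounts, report the rest
        {
            if ($7 == "" || $7 ~ /\/(false|nologin)$/) next
            if (usable[$1]) print $1
        }' "$2" "$1"
}

# Print the slide's lock-down steps for everyone except keep_user.
lockdown_commands() {        # passwd_file shadow_file keep_user
    login_capable_accounts "$1" "$2" | while read -r user; do
        if [ "$user" != "$3" ]; then
            printf 'passwd -l %s\n' "$user"
            printf 'usermod -s /bin/false %s\n' "$user"
        fi
    done
}

# Constructed sample: root and maco unlocked with bash, guest already on
# /bin/false, nobody with "*", olduser with an EMPTY password field.
write_sample_accounts() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
maco:x:1000:1000:Mackenzie:/home/maco:/bin/bash
guest:x:1001:1001::/home/guest:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
olduser:x:1002:1002::/home/olduser:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:14000:0:99999:7:::
maco:$6$constructedsalt$constructedhash:14000:0:99999:7:::
guest:$6$constructedsalt$constructedhash:14000:0:99999:7:::
nobody:*:14000:0:99999:7:::
olduser::14000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run on the constructed files.
sample=$(write_sample_accounts)
echo "login-capable accounts:"
login_capable_accounts "$sample/passwd" "$sample/shadow"
echo "suggested lock-down (keeping maco):"
lockdown_commands "$sample/passwd" "$sample/shadow" maco
rm -rf "$sample"
```

An empty password field is treated as login-capable on purpose: it is worse than an unlocked hash, and `passwd -l` on such an account writes "!" into the field, which closes it.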

  11. DNS
     • Hardcode DNS servers you trust
       /etc/dhcp3/dhclient.conf:
          prepend domain-name-servers 208.67.222.222;
          prepend domain-name-servers 208.67.220.220;
     • DNSSEC if you're really paranoid

  12. Hashes
     • Not-from-repository binaries
     • Configuration files
     • Will come in handy later

  13. Tripwire
     • Tripwire will notify on:
       • New files
       • Changed files
       • Removed files
     • False positives on updates

  14. Chkrootkit
     • Limited list of binaries it checks
     • Checks for log and interface tampering

  15. SHMConfig
     • Used for configuring Synaptics touchpads with synclient, GSynaptics, or QSynaptics
     • Creates a world-writable (mode 777) shared memory segment
     • Turn it OFF!

  16. One Last Thing...
     • Test your setup
       • Netstat
       • Nmap (or Zenmap)

  17. While There
     • Bluetooth
     • Wireshark
     • Logs
     • Physical Security

  18. Bluetooth
     • Can't really firewall it off
     • Blacklist the module
       • /etc/modprobe.d/blacklist
       • Add line "blacklist btusb"
     • Don't forget your cell phone

  19. Wireshark & Logs
     • Watch /var/log/kern.log
     • Look for connection attempts

  20. Physical Security
     • Theft of hardware isn't the only threat
     • Don't leave your laptop unattended
     • Don't let any untrusted person touch it
     • Use the buddy system to protect the laptop
     • DVDs, CDs, and flash drives:
       • Autorun off
       • Use the shell; don't double-click

  21. Afterward
     • Verify binaries
     • Check environment variables
     • Check for new services
     • Change password again
     • Use Netstat to check for oddly-open ports
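The "no external services" check from slides 7, 16 and 21, as an added example that is not part of the talk: it reads `netstat -tuln` output and reports every listener that is not bound to loopback. A listener on 127.0.0.1 or ::1 is fine; anything on 0.0.0.0, :: or a real address is reachable from the hostile network. Ports you knowingly keep, such as the DHCP client on UDP 68, go on an allow-list. The netstat capture below is constructed (ports and addresses are made up); on a real box save `netstat -tuln` to a file and point the function at that.

```shell
#!/bin/sh
# Added example, not from the talk: flag listening sockets reachable from
# the network in a saved "netstat -tuln" capture.

# Print "proto local_address" for every exposed listener in $1, skipping
# loopback binds and the ports listed in $2 (comma-separated, may be empty).
# Header lines ("Active Internet connections ...", "Proto ...") never match
# the protocol pattern, so they are skipped automatically.
exposed_listeners() {        # netstat_output_file allowed_ports
    awk -v allow=",$2," '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            if (index(allow, "," port ",") > 0) next      # knowingly kept
            print $1, addr
        }' "$1"
}

# Constructed capture in the layout of "netstat -tuln" (values are made up).
write_sample_netstat() {
    out=$(mktemp)
    cat > "$out" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
EOF
    printf '%s\n' "$out"
}

# Stand-alone run: sshd on 22 and the IPv6 web server on 80 are reported;
# CUPS, the local resolver and PostgreSQL are loopback-only; DHCP is allowed.
capture=$(write_sample_netstat)
echo "exposed listeners (DHCP client on 68 allowed):"
exposed_listeners "$capture" 68
rm -f "$capture"
```

Run it once before leaving (slide 16) and again afterwards (slide 21); any line that appears only in the second run is a service that was not there before.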

  22. Verifying Binaries
     • From repositories:
       • rpm -Va
       • debsums -c
     • Compare hashes of non-repository binaries with the ones you took before
     • Tripwire may false-positive if you update; these checks can clear those false positives
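The "hashes before, compare after" routine of slides 12 and 22, as an added example that is not from the talk, for files that did not come from a package (so `debsums -c` and `rpm -Va` cannot vouch for them). `make_baseline` records a SHA-256 per regular file and `compare_baseline` reports NEW, CHANGED and REMOVED paths, the same three cases Tripwire alerts on. The sample tree, file names and contents are constructed; `sha256sum` from GNU coreutils is assumed to be present. Keep the baseline outside the tree it covers, ideally off the laptop.

```shell
#!/bin/sh
# Added example, not from the talk: baseline and verify hashes of files that
# no package manager can check.

# Write "hash  ./path" lines for every regular file under $1 into $2.
make_baseline() {            # dir baseline_file
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Print one line per difference between the tree at $1 and baseline $2.
compare_baseline() {         # dir baseline_file
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk '
        NR == FNR { old[$2] = $1; next }      # baseline: path -> hash
        {
            if (!($2 in old)) { print "NEW " $2 } else if (old[$2] != $1) { print "CHANGED " $2 }
            delete old[$2]                    # whatever is left was removed
        }
        END { for (p in old) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Constructed sample tree standing in for ~/bin and a few config files.
write_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/etc"
    printf '#!/bin/sh\necho one\n' > "$dir/bin/tool1"
    printf '#!/bin/sh\necho two\n' > "$dir/bin/tool2"
    printf 'verbose = no\n' > "$dir/etc/app.conf"
    printf '%s\n' "$dir"
}

# Stand-alone run: baseline, alter the tree, compare.
tree=$(write_sample_tree)
make_baseline "$tree" "$tree.baseline"
printf 'verbose = yes\n' > "$tree/etc/app.conf"       # changed
printf '#!/bin/sh\necho three\n' > "$tree/bin/tool3"  # new
rm "$tree/bin/tool2"                                   # removed
compare_baseline "$tree" "$tree.baseline"
rm -rf "$tree" "$tree.baseline"
```

The baseline file is plain `sha256sum` output, so `sha256sum -c baseline` from inside the tree gives the same CHANGED/REMOVED answer; the awk pass is only there to catch NEW files, which `-c` cannot see.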

  23. If You're Really Worried...
     • Reinstall!

  24. New Security Features
     • Shadow 4.1
       • SHA-256 and SHA-512 for /etc/shadow
       • MD5 and SHA-1 are no longer recommended by NIST
     • Touchpads can be configured otherwise
       • syndaemon for some stuff
       • xorg.conf or .fdi files for hal/devicekit
       • synclient losing the SHMConfig requirement

  25. Questions?

  26. See Also
     • DNSSEC: http://ubuntuforums.org/showthread.php?t=492489
     • NSA SNAC Guide: http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf
     • man iptables
     • IANA ports list: http://www.iana.org/assignments/port-numbers
