I finally gave in last week and bought a Nook Tablet. After spending all of 10 minutes checking out the stock interface, I rooted it using Snowball-mod. It strips the tablet down pretty close to the barebones Android system, and provides root-level access. Having the ability to ssh both from and to my mobile device is awesome. It makes me feel like I’m carrying a tiny Linux box around in my pocket (which is pretty accurate).
The folks over at XDA-Developers (where the Snowball-mod instructions are located) are pretty amazing. You should check out the site if you are interested in hacking on mobile devices.
Even with the stripped down Nook, I’ll be installing CyanogenMod as soon as it is available for the Nook Tab. I’ve been running it on my phones for a couple of years, and I’m quite happy with it.
If you missed it, Ed Skoudis and Tom Hessman put together a great network forensics challenge over at the SANS site complete with a .pcap file, .jpg file with interesting EXIF data, and a very funny backstory. The entry date has passed, but you can still download the data and make your own conclusions. I’ve attached the response I submitted so you can compare it to your own conclusions. Have fun!
I was up on the pfSense firewall site the other day. I was really intrigued by two features it offered. The first was the ability to run Snort directly on the firewall. The other was that it supported several embedded/small footprint platforms.
As an infosec professional, being able to run Snort at home without spinning up another machine seemed to have some obvious benefits. Running on an imbedded platform also drew me in, since my home firewall had been a home license of Astaro running on relatively loud, hot, and large standard PC hardware.
It seemed like pfSense was going to be a really neat system to check out, but there was one problem. The option to run on an embedded platform isn’t compatible with running Snort. Snort generates so much write activity that it will kill an embedded system’s flash card quite quickly, so the Snort package is disabled for the imbedded install.
I was all set for disappointment until I heard Carlos Perez mention on an episode of Pauldotcom Security Weekly that he was running the full non-embedded pfSense on an Alix board (embedded platform) by using a Microdrive (basically a hard drive that plugs in to a Compact Flash interface). With that glimmer of hope, I decided to order up the hardware and give it a shot myself. I’m happy to say that I my home firewall is now running the full non-embedded pfSense distribution on an embedded hardware platform. The better news (for you) is that I’ve decided to write up a little tutorial to help others do the same.
For hardware you will need a system board, a Microdrive, an enclosure and a power supply. I chose an Alix 2D13 for my system board. It has three ethernet interfaces and a miniPCI slot to add wifi. You can get this as a kit with an enclosure (in black, silver, red or blue), CF card (which will go unused in this tutorial) and power supply from Netgate for just under $200. The Netgate enclosure is very nice. I highly recommend them. This covers everything but the Microdrive.
For the Microdrive, you will need a CF-compatible Microdrive and a USB Compact Flash reader. This one is a little tougher. Many people are selling PATA/IDE Microdrives through eBay and other online outlets. The issue with those drives is that they use the physical layout of a CF card. Even though they will physically plug in to a CF slot, the data is being transmitted using PATA/IDE protocol. These drives are used in devices like iPods. Make sure the drive you get is a true CF. I ordered one from Amazon for about $30, but they are starting to get rare. As for the reader, if you don’t have one already, your local big box store probably has a 12-in-1 media reader for $15 that will work.
For software, download and burn the latest version 2.0 .iso of the i386 architecture from pfSense, currently named pfSense-2.0-RC3-i386-2011062101650.iso.gz. Ignore all of the nanobsd and memstick files, those are for embedded systems.
Now for the tricky bit, the installation. Plug your microdrive into your CF reader and make sure you can read it with your regular OS. Then insert the CD you burned, restart your computer and boot off of the pfSense CD. The pfSense CD is a combination live CD and installer. Make your way through the installer and install pfSense to whatever device is assigned to your Microdrive. In my case, it was device da1. I created a 500 Mb swap partition and allocated the rest to data. I wasn’t sure how much swap pfSense might need, so I pretty much guessed.
If you have an issue where pfSense won’t get past the interface assignment stage because you don’t have a separate interfaces for the LAN and WAN, tell it you want to set up VLANs and create two VLAN interfaces.
After completing the install, restart your system and boot back into pfSense off of the CD. This time, instead of choosing to install the system, choose the option to drop into a console. At this point, you will be at a standard *nix shell prompt.
The last step is to correct for the fact that the Alix system will assign a different device name to the Microdrive than your PC does. Create a temporary directory (I did “mkdir /tmp/mount”) and mount the data partition off of your Microdrive (“mount /dev/da1s1a /tmp/mount” for me). I used the /tmp directory because many directories are read-only because of running from the CD. Edit the fstab file from the Microdrive (“vi /tmp/mount/etc/fstab”) and change the device names to match the format of ad0s1a (that’s a zero after the d). Since I had a data and a swap partition that were listed as da1s1a and da1s1b in my fstab, I changed them to ad0s1a and ad0s1b.
Shut down the system, pull the Microdrive, install it into the Alix board, and apply power. If everything goes well, after about 20 seconds you should see the three LEDs on the front panel do their best Cylon imitation. Once that show is over, hook a PC up to the LAN port, assign an address in the 192.168.1.x range, and you should be able to pull up the web interface at 192.168.1.1.
I just finished building an Arduino-based server room environment monitor using a kit from Sproutboard. It is a pretty nice kit for the cost. The kit plus the Arduino and ethernet shield from Sparkfun comes in at under $250.
For that $250 and a bit of manual labor, I am able to see ambient temperature, humididty, incoming A/C temperature, if the lights are on, if the door is open and whether there is water on the floor, all from a basic webpage. The system itself has a buzzer for an audible alarm if any conditions are outside your specified parameters (positive test for water on floor, ambient temp > 80, etc). I also built a quick script for my Nagios system that pulls data from the web page so I get email/SMS alerts as well.
The code is really easy to work with. If you have ever done any C/C++ work you should feel right at home. I spent some time modifying the code so the system works exactly as I want it to. Can’t do that with many off-the-shelf systems.
I liked the system so much that I bought several more to send out to our remote offices. Some of our remote sites have a “server room” that is little more than a storage closet. It will be nice to have hard numbers on what the temperature is in those rooms.
Looking downt the road a ways, I will probably be adding a single-chip smoke detector, and I might hook up an AC-powered relay plugged into an outlet that isn’t powered by our generator. That will allow me to get alerts when we lose utility power.
You can also adapt this same system to monitor your house, control a greenhouse, etc. The Sproutboard site has lots of ideas. Check it out.
Like many IT professionals, I use nagios to monitor many systems and services. Some of these are security related (the SIEM system just registered an incident), while others can span both operational and security disciplines (the web server is down…why is the web server down?).
While all of the geeks I work with are able to get email alerts 24/7 through the magic of smart phones, there were still potential gaps in this method of notification. What if the email server is down? How about if the active sync server, firewall, internet connection, or core switching is down?
Getting alerts via SMS seemed like a great solution to this problem. My initial route to this functionality was using the cell provider’s email-to-SMS gateway. This provided alerts that went out if the mail or active sync servers were down, but didn’t really address a failure at the firewall, internet connection or switching infrastructure.
Some people I bounced ideas off of suggested using a cellular modem (a.k.a. air card). This did seem possible, but getting the system to dial out when needed seemed overly complex. A Verizon MiFi was also suggested. While that lacked the complexity, I was worried that the always-on connection could function as a back-door into the network. What I really wanted was a way to send SMS messages directly via the cell network.
Since I have an android phone with root access, I was hoping to find a way to use Android’s native debugging system (adb) to create a text message using the adb shell and a simple shell script. I failed to find a way to do this. I’d still like to figure out a way to make this happen, so please leave a comment if you have solved this puzzle!
Giving up on the Android route, a little googling led me to gnokii. gnokii is designed to have some pretty wide-ranging functionality, but all I wanted it for was the ability to send an SMS message via an attached cell phone. I went down several blind alleys before I got a working system set up, but I did finally get it running. I happy to say it works exactly as I had hoped. Click here for the full tutorial.
I have been using a DNS blacklist from http://www.malwaredomains.com with BIND 9.3.x to redirect spyware communication to an internal honeypot machine. I got an alert this morning that the system was no longer responding to DNS requests. When I tried to manually start named, I found that I was getting an error due to an underscore in one of the entries in the blacklist.
Depending on where you get your information, underscores are either completely not-RFC compliant, or a normal and accepted part of DNS. What I didn’t understand was why I wasn’t one of half a million users of malwaredomains.com running into this same situation? If underscores are bad, malwaredomains.com should have gotten quite a few complaints before I jumped in. If underscores are ok, why is my BIND falling over when it finds one?
It turns out that prior to 9.3, even though there is a configuration option to check domain names for validity, BIND either didn’t check the names or checked in a different way that didn’t choke on underscores. Now in version 9.3, the checking has been turned on/expanded and it isn’t very happy when it finds that nasty underscore.
This is too bad, because anyone running a BIND server in an Active Directory environment will tell you that there are some DNS records with underscores in the names that are pretty important to the proper functioning of AD. I have a feeling this will be biting a lot of people migrating from older versions of BIND.
Whether or not underscores are ok, I needed to get my server running again. I got named up temporarily by deleting the offending record, but that wasn’t a permanent solution. One of my scripts would be downloading a new copy of the list at midnight. The record in question was a legitimately bad host that could be successfully resolved by a client, so I decided against modifying my script to parse the blacklist post-download and filter out any records containing an underscore. Instead, I did some research and then added the following two lines to the “options” section of my named.conf:
check-names master ignore; check-names response ignore;
Restart named and poof! everything’s happy again.
UPDATE (10/01/10): After some correspondence between myself and the maintainer, malwaredomains.com has started adding the “check-names ignore;” on each line of their file that contains an underscore. Sweet!