Microsoft out-of-band security bulletin for October 2008

Microsoft recently issued an out-of-band security advisory for a vulnerability in the server service that could allow remote code execution (MS08-067). Due to the criticality of the vulnerability, Microsoft has released a fix out-of-band (i.e., not on the regular Patch Tuesday).

It is strongly recommended that patches be tested and applied to all vulnerable systems you administrate as soon as possible. According to one source, targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 systems have been seen.

Advisories

MS08-67

SecurityFocus

Additional Information

Technet Blog

Steve
###

Blackhat Briefings: The Talks I Plan on Attending

The Blackhat Trainings just wrapped up and now everybody here is getting ready for the Blackhat Briefings.

After today's training I picked up my official annual Blackhat swag bag. While picking up my bag there were slews of people wandering around the Caesar's Palace Convention Center for the briefings. The number of people seems to have doubled since the trainings, which is typical.

Last week I had looked online at the list of presentations and had written down what I wanted to attend. This afternoon I reviewed my list against what was shown within the printed brochure. Assuming there's room, my plan is to attend the following presentations at the Blackhat Briefings for the next two days:

Day 1 - August 6

• 0900-0950 - Keynote: Complexity in Computer Security - Ian Angell
  
• 1000-1100 - Nmap: Scanning the Internet - Fyodor Vaskovich
• 1115-1230 - DNS Goodness - Dan Kaminsky
• 1345-1500 - Client-Side Security - Petko D. Petkov
• 1515-1630 - Xploiting Google Gadgets: Gmalware and Beyond - Tom Stracener
• 1645-1800 - MetaPost Exploitation - Val Smith

Day 2 - August 7

• 0900-0950 - Keynote: Natural Security - Rod Beckstrom
  
• 1000-1100 - Satan is on My Friends List - Shawn Moyer & Nathan Hamiel
  
• 1115-1230 - Visual Forensic Analysis and Reverse Engineering - Greg Conti & Erik Dean
• 1345-1500 - Hacking and Injecting Federal Trojans - Lukas Grunwald
• 1515-1630 - The Internet is Broken - Nathan McFeters, Rob Carter & John Heasman
• 1645-1800 - Pushing the Camel Through the Eye of a Needle - Haroon Meer & Marco Slaviero

For those of you in Twitterland - tweet me if you're going to any of the same presentations and want to say "hi" [twitter]

Steve Zenone
###

Productivity: Useful Meetings

Aaron, of the Dumb Little Man blog, just posted a helpful reminder that includes eight tips we all [should] intuitively know in order to keep meetings focussed and useful. I think we've all experienced "those" types of work meetings; whereby hours pass and very little progress, if any, has been made. The result is wasted time, wasted money, and often frustration and confusion.

Aaron writes:

The phenomenon of chronic, pointless meetings is also known as the Dilbert Meeting in some circles. Dilbert Meetings happen every day, wasting people's time and patience.

Meetings can be quite productive, but most organizers simply don’t take the steps to guarantee that a meeting will be useful.

Aaron then lists and expands upon the following eight points:

• Have a clear agenda
• Make sure that only attendees are people who need to be present
• Establish objectives for the meeting
• Have the attendees prepare in advance (if necessary)
• Keep it short
• Record key points and decisions
• Create action items and assign them
• Report progress and follow-up

I believe it's important for all of us who propose meetings to incorporate the above points into how we organize and run our meetings. The result will be better for the business, and better for the development and morale of those attending.

Steve Zenone
###

Security: Thoughts on Latest DNS Vulnerability

While on a quick trail run before work this morning, I was thinking about yesterday's announcement of a serious vulnerability in the DNS protocol. For those that don't know, yesterday Dan Kaminsky announced that there's a fundamental flaw in the DNS protocol. Shortly thereafter the United States Computer Emergency Readiness Team (US-CERT) issued a security advisory titled, "Multiple DNS implementations vulnerable to cache poisoning".

Since we're talking about a fundamental flaw within the DNS protocol itself, many implementations of DNS are considered to be vulnerable. DNS, in a nutshell, is what translates human readable and memorizable names, such as www.blackhat.com, to IP addresses that can get routed through the Net, such as 66.240.206.90.

BlackHat has made available a recording of the press conference at which Karminsky made the public announcement. Karminsky has also made available an online tool to check whether or not the primary DNS server you're using is vulnerable. A recent post on NANOG has a link to a perl script that allows one to run Karminsky's DNS checker against any nameserver.

I've heard a few individuals state that this latest vulnerability isn't critical in nature. We do know that Karminsky will be releasing full details of the vulnerability at next month's BlackHat in Las Vegas. It is also possible that exploit code could emerge prior since Karminsky did narrow down the area in which the DNS design flaw exists. Though Karminsky has stated, "This is not enough information to reverse engineer the flaw," I believe it's an extremely risky assumption for businesses to base delaying the patching of their vulnerable name servers upon.

Looking at a risk matrix, I see the this DNS vulnerability as a high risk:

Likelihood of exploitation: LOW/MEDIUM [ within 30 days]
Impact of exploitation: HIGH
-----------------
Risk Rating: HIGH

One individual I know had stated, "In terms of DNS, the world isn't any more dangerous today than it was yesterday." However, we're not just dealing with randomization of source ports which had been known publicly for several years (back in 2005). We're also dealing with the weak entropy in the DNS transfer id (DNS XID). I believe that the risk, or danger, has increased.

In some uncomfortable way, this latest issue with DNS reminds me of the levees in New Orleans that were known to have severe vulnerabilities. Eventually the threat (heavy rain) exploited (broke) the vulnerability (failing levees) resulting in negative impact (flooding, financial loss and loss of life). Ignoring the vulnerability with the levees didn't remove the risk or make things any "safer".

I'm interested to see what Karminsky produces at the upcoming BlackHat.

Steve Zenone
###

[UPDATE - 7/10/2008]: Yet another option to test your nameserver is to use the dig hack from Duane Wessels; from a unix shell type 'dig +short @nameserver-to-be-tested porttest.dns-oarc.net TXT'.

A vulnerable nameserver will display the following output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"nameserver-you-tested is POOR: 22 queries in 0.6 seconds from 1 ports with std dev 0.00"

In turn, a better maintained nameserver will return the following:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"nameserver-you-tested is GOOD: 22 queries in 0.6 seconds from 1 ports with std dev 0.00"

Security: Instant Messaging and Enabling Business

I recently had a colleague ask me about the inherent risks in using Instant Messaging (IM) for business. Certainly, IM is an extremely effective way to communicate with team members and customers who may not be in close physical proximity. However, if used incorrectly, negative impact to the business can be massive.

There's consumer grade and business grade IM solutions. Services such as Yahoo IM are considered consumer grade. All text based IMs can either be routed through a core set of central servers and then on to the recipient, or through peer-to-peer connections. When you combine consumer grade IM services with traffic flowing in the clear (i.e., unencrypted) through central servers outside of the organization's control, you end up with a significantly elevated set of risks. Are these risks worth accepting?

Here are some of the more obvious risks that I see with using consumer grade IM for business:

• Vulnerable Clients -- advisories for vulnerabilities in chat clients are announced fairly often. Many of these vulnerabilities allow for the remote execution of code on the vulnerable client system
• Traffic can be viewed ("sniffed") -- by default, consumer grade IM clients send all of their traffic in the clear. There are plugins to provide encryption for some clients, however, all parties involved in the chat will need the crypto plugin enabled and configured correctly
  
• Data theft -- a nefarious employee could potentially move critical/restricted data to a location offsite
  
• Identity Theft -- The mechanism for consumer grade IM user authentication is weak. Grab the weak authentication traffic and an attacker now has valid login credentials. The stolen credentials can then be used to impersonate the victim and be used as a launch pad to further identify theft
• Provides IP info to attackers -- if an employee decides to go to an external chatroom with their IM client, their IP is now known to anyone else in the chatroom who may be interested...including a potential attacker. With the IP the attacker can focus their attack to a specific system
• Privacy...or lack thereof -- see all points above
• Social Engineering -- more likely to happen if an employee engages in conversations in non-business specific chatrooms

Another risk is in employees using IM for business on their home computers. Imagine, for just a moment, that an employee commits a crime against the business from their home and used IM to enable them to commit the crime. Your business won't have the authority or right to confiscate their home computer for investigation - your hands are tied behind your back. I'm sure you can start seeing where the dangers and risks start to go up.

Additionally, many chat clients will log all conversations to disk. What if confidential or restricted data is logged and stored on an individuals home computer? Other family members, or friends, may have access to that system, or perhaps the home computer is already compromised and under someone else's control (think botnet). Now the attacker can pull the chat logs and have unauthorized access to confidential or restricted data. The impact could be titanic to the business! Of course, confidential or restricted data should never be sent over IM in the first place.

In addition to having policies, procedures, and perhaps even guidelines on the proper use of IM for business, I believe the return on investment by providing an internal and redundant IM service to enable business is compelling and certainly worth considering strategically.

Steve Zenone
###

Security Toolbox: RatProxy

The good folks from Google have released a freely available open-source web application security assessment tool called RatProxy. The tool, which is still in beta, is designed to identify security vulnerabilities within web based applications.

Quoting from the RatProxy project documentation page:

"Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."

Earlier this afternoon I downloaded the source code and compiled it to run on Ubuntu 8.04. After posting this blog entry I'll begin experimenting with RatProxy.

RatProxy Documentation Page [link]

Steve Zenone
###

The Coolness of Geek

Apparently, geek is becoming sexy. We've all known that geek was chic [pronounced sheek for those who think I'm saying chick]....but sexy, that's just hot! I think I've been waiting for this since the late seventies:

"The Nerd Girls may not look like your stereotypical pocket-protector-loving misfits—their adviser, Karen Panetta, has a thing for pink heels-but they're part of a growing breed of young women who are claiming the nerd label for themselves. In doing so, they're challenging the notion of what a geek should look like, either by intentionally sexing up their tech personas, or by simply finding no disconnect between their geeky pursuits and more traditionally girly interests such as fashion, makeup and high heels."
Newsweek, "Revenge of the Nerdette", 6/9/2008

As I sit here I get mini flashbacks of typing away on my TRS-80 in elementary school, writing my first snippets of code in BASIC, knowing that in the eyes of the masses I wasn't being cool. Then, in junior high, I graduated to the the Apple II, on which platform I launched my first BBS. Soon after I added multiple phone lines and had sister systems throughout the US. Ahh, the good 'ol days of the lawless wild west, shortly before William Gibson coined the term cyber in his 1982 book, Burning Chrome.

Newsweek Article [link]

-Steve Zenone
###

Equiped to Get the Job Done

I came across an article in USA Today titled, Some employees buy own laptops, phones for work. The article reports that more and more professionals are buying their own electronic equipment to get their work done. This includes equipment like cell phones and even laptops!

Nearly 40% of professionals recently surveyed by researcher In-Stat paid for a laptop that they regularly carried. Cellphone users often picked up their bill. And company-provided personal digital assistants (PDAs), cameras and Global Positioning Systems (GPS) are relatively rare, says the survey, released Monday.

As many organizations start to withdraw spending on materials and equipment, professionals are having to take matters into their own hands and purchase their own equipment. This reminds me of research done by Buckingham and Coffman. Their research paper summarized the twelve key factors in retaining star employees (there's a connection here - question #2 relates to employees having to purchase their own equipment).

In a nutshell, if employees can answer the below questions in the affirmative, then the work environment is probably very strong and productive:

1. Do I know what is expected of me at work?
2. Do I have the materials and equipment I need to do my work right?
3. At work, do I have the opportunity to do what I do best every day?
4. In the last seven days, have I received recognition or praise for good work?
5. Does my supervisor, or someone at work, seem to care about me as a person?
6. Is there someone at work who encourages my development?
7. At work, do my opinions seem to count?
8. Does the mission/purpose of my company make me feel like my work is important?
9. Are my co-workers committed to doing quality work?
10. Do I have a best friend at work?
11. In the last six months, have I talked with someone about my progress?
12. At work, have I had the opportunities to learn and grow?
    

As a manager, the above points are worth reflecting upon.

USA Today Article [link]
###

PCI Security Standards Council Mandates New Vulnerability Scoring

I recently learned that all Approved Scanning Vendors (ASVs) are required to use version 2 of the Common Vulnerability Scoring System (CVSS). Starting July 1, 2008, version 2 will be the new industry standard and all scans will be scored using this system.

Many of the ASVs that I have experience with continue to fail scans based upon false positives. Although PCI DSS requirement 11.3.1 necessitates a network-layer penetration test to be performed at least once a year and after any significant infrastructure upgrade or modification, the automated quarterly vulnerability scans will still show a compliance failure even if the flagged vulnerability is a false positive.

It'll be interesting to see how many merchants will move from compliance status of compliant to non-compliant after July 1.

Opinion: Responses to OpenSSL Vulnerability

As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [link].

The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [link]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., link]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.

I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. That irony is that majority of this negative publicity came from from other *NIX centric individuals who simply stood back while proudly saying, "look, my superior OS wasn't affected." It's funny that the elitist OS wars of past still continue continue today. It's also entertaining - but that's besides the point. Unfortunately, this type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].

Click on above image to enlarge [image: ZwahlenDesign]
For a more complete timeline, see Eric Levenez's UNIX History [link].

I can imagine Rodney King, while waiving a black flag with a the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"

I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people generally place into the operating systems that they use. However, what I also clearly see is how the community quickly worked together and released fixes prior to exploit code being widely disseminated. Now, that's awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.

Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition you will need to generate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]

HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04

I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for Uncomplicated Firewall.

Personally, on my linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables. Nonetheless, I'm still interested in playing around with ufw to see what value it has.

Here's an ifw example using OpenBSD's PF syntax:

• Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:

sudo ufw allow from 10.10.1.0/24 to 10.10.2.10 port 22

• Is there a single host that's bothering you and you want to block it?

sudo ufw deny from {IP address}

If you're interested in testing ufw, the Ubuntu Unleashed Blog [link] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

BlackHat and DEFCON

It's that time of year again when I start looking at the logistics involved so that I can attend both BlackHat and DEFCON. It's also the time when I start figuring out costs and hope that work will cover them under the training budget...which is an entirely another story!

The two-day training at BlackHat, Enterprise Security from Day 1 to Completion, if I register now will cost $2200 and runs from August 4th to the 5th (all of the trainings look interesting, but I believe the Enterprise Security will give me the forum to answer some questions I have as an IT security professional). Next, there's the BlackHat briefings from August 6th to the 7th for a cost of $1495 - again, this is if I register now. By registering for BlackHat I will be able to get into DEFCON for free. DEFCON runs from August 8th to the 10th.

Next there's the cost of the flight - I'm estimating about $250 roundtrip. Lodging from August 3rd to the 10th will be about $1600...then there's the $320 for food.

Here's the rough breakdown:

Airfare.............$250
Conference Fees....$3695
Lodging............$1600
Meals...............$320
Car Rental (maybe)..$320
========================
Initial Total......$6185

Now it's time for me to get the funding to cover the training expenses this week so that I can register before prices go up.

I look forward to catching up with many of my colleagues, friends, and Security Twits!

UPDATE [5/15/2008]: I've received approval from my management for the training. Now I'm working with purchasing to get the travel request fulfilled.

Firefox within MythTV

I recently setup a MythTV box with dual tuners. For those that aren't familiar, MythTV is essentially TiVo on steroids! I'm running Ubuntu 7.10 (Gutsy) as my operating system with MythTV v 0.21.20070820-1 as my personal video recorder (PVR). For keyboard and mouse I'm using a BTC 9019URF. I'm also using a Logitech Harmony 670 universal remote to control both my TV and MythTV box -- and it works flawlessly after configuring, testing, and tweaking.

Yesterday I decided I wanted to switch from Mythbrowser as my MythTV web browser to Firefox. Looking around on the web I saw that one simply needs to replace /usr/bin/mythbrowser with /usr/bin/firefox in within Web Settings -- it didn't work.

Here's the problem and what I did to fix it. First, when I made the change and tried launching the browser, nothing happened. The next logical step was to look at the logs (/var/log/mythtv/ mythfrontend.log). I ssh'd in to my MythTV box from another system and saw the following error:

Usage: /usr/lib/firefox/firefox-bin [ options ... ] [URL]

Ok - so some options are being passed to firefox which it can't handle. I went back into the Web Settings in MythTV and changed the browser back to /usr/bin/mythbrowser. I launched the browser and then ssh'd in to my MythTV box from another system and looked for relevant processes:

ps -ef | grep mythbrowser

What I saw, which shed light on the issue, was the following:

sh -c /usr/bin/mythbrowser -x 0 -y 0 -w 800 -h 600 -z 20 http://www.google.com/

See those screen commands, "-x 0 -y 0 -w 800 -h 600 -z 20"? Firefox doesn't like those. The quick solution was to create a simple script that acts as a wrapper to filter out those options. Simply do the following to create the wrapper (I was using tcsh when I did the following...use whatever you want; vi, pico, vim, emacs, whatever...and set the permissions correctly afterwards. This also assumes your firefox is located in /usr/bin -- of course, change this as necessary to match your system):

sudo echo "#\!/bin/sh \
/usr/bin/firefox --fullscreen $11 \
exit 0" \
> /usr/bin/firefox-wrapper
sudo chmod 755 /usr/bin/firefox-wrapper

Then, back on the MythTV frontend, go to Web Settings and change the browser to /usr/bin/firefox-wrapper.

I also installed the following addons and themes for Firefox:

• Mostly Crystal Theme
• Autohide Addon
• • Set mine to Autohide Menu Bar, and Show Always Navigation Toolbar & Tab Bar
• Better Youtube
• • Enable Theater View
• Download Statusbar
• Keyconfig
• • Will work on this ... but leaning towards just using the wireless keyboard/mouse for web needs
• Locatiobar
• • Enable "Show the favicon"
• PageZoom
• Tab Mix Plus
• • Check "Enable Single Window Mode"

I may experiment with using Smart Bookmarks Bar and NoScript.

I've now replaced Mytbrowser with Firefox on my MythTV box and am loving it!

Test Lab: iPhone, Ubuntu, and XP in VMware

I recently purchased an iphone. I was totally stoked - but I realized that there weren't any Linux native tools to activate my iphone. Apparently one needs to use iTunes to activate, and iTunes is made for Mac and Windows. Ultimately, to activate my iphone, I had to borrow a laptop running XP.

Now that my iphone is activated, I'm unable to upload mp3's using my computers running any native Linux tools (or XP in VMware). Oh yeah, and in order to jailbreak, from what I've researched, one needs either a Mac or Windows.

The most success I've had is with VMWare Server running an XP Guest on my Ubuntu box.

Here's what I started out with:

• Ubuntu 7.10
• VMWare Server 1.0.4 build-56528
• iPhone (1.1.13)

Within VMware:

• XP container with all of the latest patches
• iTunes 7.6

Before doing anything, I backed up my VMX file for my VM image of XP. Then, I edited the original VMX and added:

usb.generic.skipSetConfig = "TRUE"

The most success I've had is after I do the following:

1. Cable up iPhone to USB port -- Cancel out of camera import dialog box
2. Doing a `lsusb` shows the phone there. Ok, not a step, but a confirmation of sorts.
3. Startup VMware - turn on XP guest. While it boots XP...
4. In VM, go to VM | REMOVABLE DEVICES | USB DEVICES and make sure "Apple Inc. (port 1)" is checked
5. (Warning: Windows Talk) Log into XP
6. Go to the control panel, administrative tools, and launch the services app
7. Click on the "Apple Mobile Device" service. Hmmm..no options to start | stop | restart
8. So, back in VM, go to uncheck "Apple Inc. Iphone (port 1)"
9. Now recheck "Apple Inc. Iphone (port 1)". Windows will detect the new hardware
10. Back in Windows, go to services again and click on "Apple Mobile Device" again. Restart the service.
11. Awesome - iphone detected. Windows pulls up a window asking to import photos.
12. AHHH - blue screen! haha, so typical!!!!!

So, I still haven't figured this out yet. I've gone through the steps uninstalling Quicktime, Apple Software Update, and Apple Mobile Device Support ... and then reinstalling iTunes (which installs everything). I'll continue working on this. Any comments to help figure this out will be greatly appreciated!

Grouping Application Windows in Ubuntu/GNOME Taskbar

I just came across a blog posting on Tech-Recipe about grouping application windows in Ubuntu/GNOME taskbar. It's a useful optimization for newbies as well as the old-timers running a GNOME-based desktop. This feature allows a user to group application windows together in a way similar to Windows XP.

The way to enable application window grouping is simple. On my desktop I right click on the dotted vertical line between the quickstart icons and my open application windows. With my setup this is on the bottom taskbar (which is default with GNOME on Ubuntu). Select Preferences. You'll see a window similar to the image here. Under Windows Grouping yo have three choices; Never group windows (default), Group windows when space is limited, and always group windows.

[Enable Window Grouping on the Window List] -- Tech-Recipes Blog

Robotic Fly

According to the DeviceGuru Blog, Harvard faculty member Dr. Robert Wood successfully directed a project that created the world's smallest robotic fly. With a wingspan of 1.2 inches (3 cm) and a weight of 0.002 ounces (60 mg), the robotic fly can generate enough thrust to takeoff.

The "Flybot" will be showcased at New York's Museum of Modern Art starting Feb. 24. Funding for this project was awarded to the Harvard University Microbotics Lab from DARPA (the U.S. Defense Advanced Research Projects Agency). In turn, DARPA hopes to gain access to micro-miniature surveillance technologies.

I figure a picture can say a thousand words. Here's a video of the "Flybot" posted on YouTube: I find this fascinating, yet I'm also reminded of Big Brother in George Orwell's novel, Nineteen Eighty-Four. Specifically, I'm thinking about the potential misuse of technology by individuals and society. Nonetheless there's also countless benefits with such technology that are yet to be realized.

Robotic Fly to Descend on New York [DeviceGuru]
Design and the Elastic Mind [MoMA]
Harvard Microrobotics Lab [link]
DARPA [link]

OpenVPN and DD-WRT on Linksys WRT54GL

I've been running IPCOP as my home firewall for a couple of years. I was also running OpenVPN on my firewall to allow for remote road warrior VPN connections. The combination worked great; protecting my home network while providing secure remote access. Still, the geek in me wanted to consolidate my hardware and experiment with dd-wrt. After a little research I found out that there was OpenVPN support for dd-wrt. However, looking at the documentation and various forums I didn't see anything showing me how to set up a successful road warrior tunnel. After an evening of experimenting got it to work; DD-WRT and OpenVPN running on a Linksys WRT54GL allowing inbound road warrior connections using tunnel mode. Here's what I did.

First, this is what I had setup previously:

• DSL modem which plugged into
• Computer running IPCOP and OpenVPN which plugged into
• Switch and a separate WAP (a Linksys wireless access point)

I wanted to consolidate the last three pieces of hardware (firewall/OpenVPN, switch and WAP). My plan was to have the following:

• DSL modem which plugs into
• Linksys WRT54GL running DD-WRT and OpenVPN (also providing switch ports and a WAP)

So, I began my search through the DD-WRT website [link].

1. Download dd-wrt.v23_sp2_mini.zip
2. Download dd-wrt.v23_sp2_vpn.zip
3. Reset Linksys WRT54GL to factory defaults. The router will have a default IP of 192.168.1.1 with a blank username and password “admin”.
4. Update WRT54GL firmware with dd-wrt.v23_mini_wrt54g.bin (from step 1) using http (not https)
5. Log back into the router via the web console (username will now be 'root' and password remains 'admin') and update the firmware (Administration | Firmware Upgrade) a second time with dd-wrt.v23_vpn_wrt54g.bin (from step 2)
6. Here we run into a minor bug - upon reboot of the router you won't be able to access the web admin pages. No worries. Hold the reset button on the back of the router for five seconds. It'll reboot and you'll be able to access the web console successfully once again.
7. Login to the updated WRT54GL (router) with web browser and configure as needed (e.g., change root password, enable wireless security with WPA or WPA2, DynDNS, enable sshd, disable telnet, etc). Backup the config when done (Administration | Backup).
8. Reboot router (Administration | Management | Reboot Router)
9. Create OpenVPN certificates for server and client. I'm running Ubuntu as my OS and already had OpenVPN installed (`sudo aptitude install openvpn`). Instructions on how to create the certificates can be found here.
10. Log back in to router and go to ADMINISTRATION | COMMANDS
11. Enter the following into the command shell box (the idea for this step was found here). Paste your certificates in where it says “…INSERT YOUR OWN CONTENT HERE…”

cd /tmp

echo "
# Initial Options
daemon
dev tun
tun-mtu 1400
proto udp
port 1194
tls-server
mode server
server 10.5.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates and Keys
ca ca.crt         # Certificate authority (CA) file
dh dh1024.pem     # File containing Diffie Hellman parameters
cert server.crt   # Local peer's signed certificate
key server.key    # Local peer's private key

# Additional Options
keepalive 10 60
status openvpn-status.log
log openvpn.log
comp-lzo
cipher BF-CBC
max-clients 100
persist-key
persist-tun
verb 3
mute 20
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN RSA PRIVATE KEY-----
...INSERT YOUR OWN CONTENT HERE...
-----END RSA PRIVATE KEY-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
...INSERT YOUR OWN CONTENT HERE...
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
...INSERT YOUR OWN CONTENT HERE...
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

12. Click on SAVE STARTUP at bottom of webpage.
13. Enter the following into the command shell for box to punch the right firewall holes

/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

14. Click on SAVE FIREWALL at bottom of webpage and then Reboot router (Administration | Management | Reboot Router)
15. Setup OpenVPN clien. Here's a sample openvpn-client.conf file from my laptop:

tls-client
client
dev tun
proto udp
tun-mtu 1400
remote dyndns-hostname-or-ip-of-server 1194
ca /home/username/openvpn/keys/home/ca.crt
cert /home/username/openvpn/keys/home/client1.crt
key /home/userame/openvpn/keys/home/client1.key
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
route remote_host 255.255.255.255 net_gateway
route 10.5.1.0 255.255.255.0 vpn_gateway
route 10.5.10.0 255.255.255.0 vpn_gateway
#redirect-gateway

16. From outside of network test the connection

openvpn --config openvpn-client.conf

This is an over simplified explanation, but it should get you where you need to be. For troubleshooting purposes you may need to ssh to the router and look at the running processes to make sure OpenVPN is running (`ps | grep open`). As well, you may want to change the server ip within the server's config file as well as the route entries within the client's config above to match your network.

Now I'm able to VPN to my home network from anywhere and access my systems at home securely using DD-WRT and OpenVPN. I've also setup the Network Manager applet for Gnome on my Ubuntu boxes to establish an OpenVPN connection to my router/firewall as well.

-steve

UPDATE [2/15/2008]: I received a couple of emails asking how to setup dd-wrt with service from Comcast. I personally don't use Comcast, however, I did successfully setup a dd-wrt for a friend who does.

First, you will need to get the MAC address from the computer that you originally setup your Internet connection up with through Comcast. If it's a windows system, get a command shell and type “ipconfig” on that same system. On Linux or a MAC, type 'ifconfig' from a terminal. Write down the MAC (or HWaddr) address. It will look something like 00:16:6F:12::34:56.

Next, go to the web management front-end for your dd-wrt device. Click on SETUP | MAC ADDRESS CLONE. Select “Enable”. Within the “Clone WAN MAC” field enter in the MAC address you jotted down from above. Save settings and reboot for good measure.

That should do the trick for you.

UPDATE [5/13/2008]: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. Be sure to patch vulnerable systems. [link to advisory]