May 13, 2013

So you got your fancy Microsoft Surface Pro. Great. Now you want to do full-disk encryption with pre-boot authentication in case your device gets stolen. BitLocker can do this, but out-of-the-box this capability is turned off. Further, since the Surface can be used without the keyboard attached, you have to enable an additional option before the PIN option is offered, as there is a failsafe to keep you from accidentally locking yourself out.

NOTE: To enter a PIN, the keyboard needs to be attached to the Surface before powering it on. Attaching it at the PIN entry screen does not work. Once you’ve entered the PIN, you can detach the keyboard if desired. A USB keyboard will also work, again, it needs to be attached before powering it on.

CAUTION: BitLocker with preboot authentication is mostly worthless if your device is just asleep. If your device is liable to be in danger–such as being unattended–be sure to hibernate or power off the machine. If security is of the utmost importance, use the power options to set the machine to not use sleep, but only to hibernate.

Here are the instructions for the Surface Pro. If adapting these instructions for other devices, the TPM chip likely needs to be configured first. This is not necessary on the Surface, as its TPM is already enabled and active.

(If you’re managing multiple Surfaces via Group Policy on Active Directory, go to the Group Policy Management MMC snap-in on your management workstation, create a GPO that will be applied to the Surfaces, open it to edit it, and then skip to step 4. Repeat steps 9 and 10 on each managed Surface you wish to configure. Scripting of BitLocker deployments is possible, but beyond the scope of this post.)

1. Go to the desktop on the Surface.

2. Hit the Windows key and R to open the Run dialog.

3. Type in “gpedit.msc” to open the Local Group Policy Editor. Acknowledge or enter your credentials when UAC pops up.

Screenshot of the Run command window with gpedit.msc typed in the Open field.

4. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

Screenshot showing the Local Group Policy Editor navigated to the BitLocker Operating System Drives section.

5. Double-click on the “Require additional authentication at startup” setting and set it to enabled. Set all options as desired (leaving the default selection that allows for everything works fine).

Screenshot of the Require additional authentication at startup group policy setting configured as enabled with the default options set.

6. Double-click on the “Enable use of BitLocker authentication requiring preboot keyboard input on slates” setting and set it to enabled. Leaving this setting unconfigured hides the options that allow PINs. If “Require additional authentication at startup” was configured to require PINs and this setting is Not Configured or Disabled, BitLocker will error with a message that the settings on the system are in conflict.


7. If you desire to use typical passwords (called enhanced PINs in BitLocker) instead of numerical PINs, double-click on the “Allow enhanced PINs for startup” setting and set it to enabled.


8. Consider setting the “Configure the minimum PIN length for startup” or the “Configure use of passwords for operating system drives” options if managing multiple Surfaces or you need to force these settings for whatever reason. Otherwise be sure to pick a secure password or PIN on your own.

9. Go to the Control Panel. If in the category view, click on “System and Security” and then the “Manage BitLocker” option. If in the large or small icons view, double-click on the BitLocker Drive Encryption icon.

10. Hit “Turn on BitLocker.” At this point the onscreen prompts will adequately guide you and the built-in help is actually useful. Follow the onscreen prompts. When you get to the BitLocker startup preferences, be sure to choose the PIN option.

 Posted by at 3:42 PM
Mar 14, 2013

Google Reader had to be the website I spent the most time at–catching up on security and technology news. With Google’s announcement that Google Reader will be unavailable after July 1, 2013, I decided to try out many of the alternatives.

For me, the web-based client was very useful; unfortunately, I felt none of the web clients really had the features I was looking for. Many of the desktop apps seemed bloated or slow (or ran on Java, a far worse offense). The browser-based ones that used client-side plugins seemed to be the best option for me. Of those, Feedly stood out–all the critical features of Google Reader I need are there.

Feedly is being very helpful and posting transition instructions for disheartened Google Reader users. It can easily import your Google Reader feeds and you can be moved over in no time. They also have apps for Android and iOS.

Now let’s just hope this isn’t the beginning of the end for RSS in general.

 Posted by at 11:59 AM
Sep 27, 2012

Aide is an integrity monitoring app, or host-based intrusion detection system, that can be used to monitor changes to the file-system on Linux. It can be used to detect changes to the file-system that were not authorized or expected. It can be run on-demand or as part of a cron job. It hashes each file with one or many hashing algorithms and puts the file hashes into a database. This database is then used to compare against future runs of the application.

These instructions were tested on Ubuntu 12.04 LTS (Precise Pangolin) and Debian 7 (Wheezy), but are likely applicable to a larger range of Debian and Ubuntu versions and distributions based on them.

Note: Ideally Aide should be running on a system before it goes into production. If deploying afterwards, be sure the computer is trusted and clean, otherwise it may not do any good to be running Aide.

Aide has been heavily customized for Debian and Ubuntu using scripts and pre-built configurations. This is a good thing, but the documentation leaves much to be desired. By default, a large number of rules are included to help reduce the number of false alerts. For example, log files are expected to change, but they should generally GROW in size. Databases generally are also expected to change. Many rules are included and you can write your own if necessary. By default, the Aide package on Debian/Ubuntu installs a complex script in cron.daily. Of course, it doesn’t work the first time without some help.

Installation and Configuration

To install aide, simply type:


apt-get install aide

That part was easy. On some systems you might need to configure the mail subsystem, there’s plenty of help on Google for that.

If you try to run aide, something funny happens.


root@ubuntu:/# aide
Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading

More about how to actually run the application later.

Next let’s edit some configuration files. Feel free to substitute your favorite text editor.


nano /etc/aide/aide.conf

This file has the general Aide configuration. The settings in here can safely be left alone. However, we’re going to look at this line:


Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

I don’t know about your thoughts on hashing algorithms, but this is too many and increases the time it takes the application to run, putting unnecessary load on the system. Really, just sha512 should be fine right now, but for safety’s sake we’ll pick two. I’d recommend sha512 and one of the other ones without known collisions; I picked tiger. So the line would then be:


Checksums = sha512+tiger

Hit ctrl-x to exit nano and type y to save the file giving it the same name.

Next, let’s edit the variables used by the custom scripts that run aide:


nano /etc/default/aide

This file contains fairly decent instructions, so I’ll just point out the lines that deserve attention.


MAILTO=root

Consider replacing this with an email address you’d like to have receive daily reports.


COPYNEWDB=no

Consider changing this to yes for some deployments. If left as no, the cron script will always compare the file-system to the aide database that you manually create. If changed to yes, it will compare to the last time the cron job was run. For a daily report of changed files, setting this to yes is helpful. Additionally, logs are kept that can be read for looking at changes over time. Lastly, you could manually copy a database off to another location for checking over a longer period. In all of my deployments, I set this to yes.


FILTERUPDATES=no

Consider changing this to yes to have the email report–but not the full log–ignore changes found in /var/log/dpkg.log for updates (e.g. from apt-get upgrade). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.


FILTERINSTALLATIONS=no

Consider changing this to yes to have the email report–but not the full log–ignore changes found in /var/log/dpkg.log for new package installs (e.g. from apt-get install). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.

Feel free to look over the rest of the file for settings you might like. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name.

Before running aide for the first time, let’s consider a change to the cron script itself. The script runs the savelog command to rotate logs. The script is set to only save 7 logs. That is likely too low for most installs. In the file /etc/cron.daily/aide, look for the line:


[ -f "$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null

In savelog, the -c flag stands for cycle. Change the 7 after the -c to your preferred number of logs to keep. Keep in mind that the cron script generally runs daily. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name. Beyond the above change, I do not recommend making any changes to the cron script.

First Run

Now we’re ready to run aide for the first time. We need to call a special script that will generate the file /var/lib/aide/aide.db.new when run. Type:


aideinit

Let the process complete. You now have a file-system database located at aide.db.new in the /var/lib/aide directory. However, aide needs something to compare to, so let’s rename that file to simply aide.db. Without this rename, the cron job will fail to run successfully.


mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Now whenever the cron script runs, it will compare against aide.db successfully. You could stop here if you wanted and wait to make sure it works. To manually kick off the cron job type:


/etc/cron.daily/aide

If you make a large number of changes to a system, run the cron job manually as listed above. If you chose NOT to have the aide database copied over after each cron run, you should copy the new database over the old one:


cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Understanding Results

Keep in mind that you will find changes on many systems between runs. You’ll have to use sound judgement to decide if each change is a problem or not. You can write custom rules to exclude expected changes. Generally I review the results and learn what changes to expect. Typically you’ll find additional log files that aren’t included in the defined rules. Some databases are also expected to change, as are files residing in users’ home directories on most systems. I watch home directories as my systems do not have end-user logons, and I’d want to know if something unscrupulous was put into a home directory.

Logs from aide will appear in the /var/log/aide directory. If you set an email address earlier, they will also be sent to that email address.
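The triage step described above, as an added example that is not code from the original post or the aide package: it pulls the summary counts out of a report in the shape of the daily mail and lists only the flagged paths that are not under an expected-change prefix (the report and the allowlist here are constructed; on a live host point the functions at the newest file in /var/log/aide).

```shell
#!/bin/sh
# Added example, not code from the original post or the aide package: triage an
# AIDE report the way the daily cron mail presents it. The report is constructed
# in the shape of AIDE 0.15 output; on a live system use the newest /var/log/aide file.

# Write the constructed sample report to the path given in $1.
aide_sample_report() {
    cat > "$1" <<'EOF'
AIDE found differences between database and filesystem!!

Summary:
  Total number of files:    1234
  Added files:              1
  Removed files:            0
  Changed files:            2

---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/apache2/other_vhosts_access.log

---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/passwd
changed: /var/log/syslog
EOF
}

# Print summary counts as "added removed changed". Only lines whose last field is a
# number count, so the "Added files:" section header further down is ignored.
aide_summary() {
    awk '
        /^ *Added files:/   && $NF ~ /^[0-9]+$/ { a = $NF }
        /^ *Removed files:/ && $NF ~ /^[0-9]+$/ { r = $NF }
        /^ *Changed files:/ && $NF ~ /^[0-9]+$/ { c = $NF }
        END { printf "%s %s %s\n", a + 0, r + 0, c + 0 }
    ' "$1"
}

# List flagged paths not under any prefix in the allowlist file ($2, one per line).
# Log files are expected to change, so "/var/log/" leaves only what needs a decision.
aide_unexpected() {
    report=$1; allow=$2
    grep -E '^(added|removed|changed): ' "$report" | while read -r kind path; do
        expected=0
        while read -r prefix; do
            [ -n "$prefix" ] || continue
            case "$path" in "$prefix"*) expected=1; break ;; esac
        done < "$allow"
        [ "$expected" -eq 0 ] && printf '%s %s\n' "$kind" "$path"
    done
    return 0
}

# Stand-alone demonstration on the constructed report.
aide_demo() {
    tmp=$(mktemp -d)
    aide_sample_report "$tmp/report"
    printf '%s\n' /var/log/ > "$tmp/allow"
    echo "added removed changed: $(aide_summary "$tmp/report")"
    aide_unexpected "$tmp/report" "$tmp/allow"
    rm -rf "$tmp"
}
aide_demo
```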

Additional Ideas

While I will not dive into much more detail, you should occasionally copy off aide.db files to external media and run occasional scans on those databases. An attacker can compromise the aide executable, scripts, or databases in order to cover their tracks, so consider keeping a list of the hashes of the aide scripts and executable and compare them from a trusted system.
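One way to do the two things suggested above, added here as example code that is not from the original post or the aide package: record sha512 hashes of the aide binary, cron script and configs on trusted media together with a dated copy of aide.db, then check the live host against that list later. The component paths are the Debian locations used in the post; the media directory is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or the aide package: keep a
# hash list of the AIDE components on trusted media and check the live host
# against it. Component paths are the Debian package locations used in the
# post; the media directory (/media/usb/...) is an assumption.

# Files that should only change when you upgrade or edit them. aide.db is
# deliberately not hashed: with COPYNEWDB=yes it is replaced daily, so
# aide_snapshot copies it to the media with a date stamp instead.
AIDE_COMPONENTS="/usr/bin/aide /etc/cron.daily/aide /etc/aide/aide.conf /etc/default/aide"

# Record sha512 hashes of the files given after $2 into $1/components.sha512
# and copy the database $2 alongside them. Run from a known-good state, e.g.
# right after aideinit, and keep the media detached from the host afterwards.
aide_snapshot() {
    media=$1; db=$2; shift 2
    mkdir -p "$media" || return 1
    sha512sum "$@" > "$media/components.sha512" || return 1
    cp "$db" "$media/aide.db.$(date +%Y%m%d)"
}

# Verify the live files against the hash list. Prints each path that differs
# or is missing (sha512sum reports both as FAILED) and returns 1 if any did.
aide_verify() {
    media=$1
    bad=$(sha512sum -c --quiet "$media/components.sha512" 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage on a real host (run as root, media path is an assumption):
#   aide_snapshot /media/usb/aide-baseline /var/lib/aide/aide.db $AIDE_COMPONENTS
#   aide_verify   /media/usb/aide-baseline && echo "aide components intact"
```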

 Posted by at 4:14 PM
May 02, 2012

As seems par for the course for me, I had trouble getting the Cisco AnyConnect client to work on my Ubuntu 12.04 (Precise Pangolin) and 12.10 (Quantal Quetzal) x64 installs. First, since Sun Java is no longer an easy install on Ubuntu, the auto-configuration option doesn’t seem to work after a fresh install as it is dependent on Java. Second, the install fails on x64 without certain dependencies being installed.

To install Cisco AnyConnect Client on Ubuntu 12.04 or 12.10 x64:

  1. Open terminal window. We’ll need to install some dependencies.
  2. Enter: sudo apt-get install ia32-libs lib32nss-mdns
  3. Enter your password.
  4. After those packages install, open a web browser and go to the HTTPS address of your VPN.
  5. Login to the web interface.
  6. Let the web application fail auto-configuration and click the link to download the installer manually.
  7. Use the terminal window and navigate to the location where vpnsetup.sh was downloaded. Typically this command would be: cd ~/Downloads
  8. In the terminal window enter: chmod +x vpnsetup.sh
  9. Then enter: sudo ./vpnsetup.sh
  10. The client should now be installed.

Update 5/6/2012

A comment from Al Holt points out an alternative solution that is probably preferable for most. While I have a security policy forcing the use of Cisco AnyConnect integrated with an RSA Two-Factor appliance, most of you probably don’t have to go that route. In that case, the use of a built-in package, openconnect, is probably preferable. For standard Ubuntu, just add the package Network-Manager-Openconnect-Gnome which will install everything you need. A good blog post about it can be found at http://www.humans-enabled.com/2011/06/how-to-connect-ubuntu-linux-to-cisco.html.

Update 11/12/2012

The above instructions–both mine and the option to use openconnect–are also applicable to Ubuntu 12.10 (Quantal Quetzal) x64. I have updated the post to reflect this.

 Posted by at 11:07 AM
May 01, 2012

In Ubuntu 11.10 and 12.04, Ubuntu has a guest session enabled by default on all computers, even on an upgrade from a release without the guest session. This is part of the new display manager added in the Ubuntu 11.10 release, called LightDM. In some environments, a guest account may present an unacceptable risk.

To disable the guest session in Ubuntu 12.04 (Precise Pangolin) or Ubuntu 11.10 (Oneiric Ocelot):

  1. Open a terminal window.
  2. Type “sudo nano /etc/lightdm/lightdm.conf”
  3. Type in your sudo password.
  4. Add the following in a new line at the end of the file: allow-guest=false
  5. Your lightdm.conf file should probably look like this:


    [SeatDefaults]
    greeter-session=unity-greeter
    user-session=ubuntu
    allow-guest=false

  6. Hit CTRL-X to exit nano.
  7. Hit Y to save the file.
  8. Hit Enter to accept the original filename and overwrite the file.
  9. On the terminal, type “sudo restart lightdm” to restart the display manager. Doing so will require you to log in again and may close running apps, so save your work before doing so.
  10. The guest session should now be disabled.
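The same change done idempotently, as an added example that is not from the original post: it rewrites any existing allow-guest line under [SeatDefaults], adds the line if it is missing, and creates the section if the file has none, so it can be re-run or pushed to many machines without duplicating lines.

```shell
#!/bin/sh
# Added example, not from the original post: set allow-guest=false in a
# lightdm.conf without creating duplicate lines. Run as root on a real system
# (sudo sh thisscript.sh /etc/lightdm/lightdm.conf); it writes the result
# back through the existing file so ownership and permissions are preserved.
lightdm_disable_guest() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ { section = $0 }                                 # track current ini section
        section == "[SeatDefaults]" && /^[ \t]*allow-guest[ \t]*=/ { next }  # drop old value
        { print }
        $0 == "[SeatDefaults]" { print "allow-guest=false"; seen = 1 }       # insert after header
        END { if (!seen) { print "[SeatDefaults]"; print "allow-guest=false" } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Report whether the file still permits the guest session (0 = guest allowed).
lightdm_guest_allowed() {
    ! grep -q '^[ \t]*allow-guest[ \t]*=[ \t]*false' "$1"
}

[ -n "$1" ] && lightdm_disable_guest "$1"
```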
 Posted by at 10:23 AM
Apr 30, 2012

I previously detailed installing Ubuntu 10.10 as the only OS on my 24” Aluminum Intel iMac, circa August 2008. After much experimentation on the machine, I decided with the next release of a Ubuntu LTS I should start with a clean slate. As long as you use the proper ISO from Ubuntu for install on an Intel Mac, the install process is basically identical now to that of the typical PC install. The ISO for Macs has been “adjusted to work properly on Mac systems.” These ISOs can be differentiated by the “+mac” designation at the end of the filename. As noted on my previous 10.10 install, the regular CD has two boot options—one is BIOS-based and the other UEFI. This is called a multi-catalog CD. Unfortunately, Mac’s EFI isn’t quite compatible with UEFI. Additionally, some Macs refused to boot a multi-catalog CD. As such, the “+mac” version has only the BIOS-based boot loader, and the Mac’s BIOS emulation does just fine booting it. The “+mac” CD can be used just fine on any BIOS-based system. The ISOs are otherwise identical.

Normally I do all my OS installs via USB. This is generally much, much faster on USB 2.0 systems when using an adequately fast flash drive. Trying to install Ubuntu onto a Mac from a USB stick proved to be enough of a pain that I went back to using the optical drive. This is primarily because the Mac wants to boot via GUID partitions from USB and most utilities for creating a USB installer will only make MBR partitions (these utilities may also not be aware of the changes made to the Mac ISOs, I can’t find any good information on this). Solving this problem wasn’t worth my time, so I opted to burn the ISO image to CD and use that for install.

I went ahead and burned a ubuntu-12.04.1-alternate-amd64+mac.iso (direct ISO link) CD from the ISO image. The standard Desktop CD Mac version (direct ISO link) should be fine as well, but my instructions are for the alternate install. I prefer the Alternate Install media which gives me a bit more control over the setup of the system. I booted the Mac from the disc by holding the “C” key during startup. I then ran the “Install Ubuntu” option from the boot menu. At that point I went through the install prompts as you would on any system—in my case taking over the entire hard drive. I left the partition options as the default for taking over the entire drive, which created a large EXT4 and small swap partition. The only other atypical thing I did was to encrypt my home directory via the installer prompts, but this is clearly optional. I indeed installed Grub to the MBR when prompted. The system clock was set to UTC when prompted. The install CD ejected and I rebooted.

The first boot went fine. To get the most out of the system, I had to install proprietary drivers. I did this by hitting the “Dash Home” and searching for “additional drivers.” I launched the “Additional Drivers” program. Ubuntu searched for additional drivers and presented them. I activated the Broadcom STA wireless driver and the ATI/AMD proprietary fglrx graphics driver.

While I didn’t do heavy testing of all features, it appears the system would have been usable without the proprietary drivers; it just wouldn’t have been able to do 3D graphics and wireless. It appears on 12.04 the wireless wouldn’t work after install without installing the proprietary drivers—there may be open-source ways around this issue, but I’m not opposed to commercial software. I also didn’t test the Firewire ports as I don’t need them.

If you’re interested in the various other Ubuntu builds, I’ve only found a “+mac” ISO for Lubuntu. However, once any Ubuntu build is installed, they can be “converted” by installing the proper packages. For example, on Xubuntu, this is xubuntu-desktop.

Update Aug. 24, 2012

I’ve updated the links above to point to Ubuntu 12.04.1. This is an updated ISO with patches and bug fixes integrated.

 Posted by at 11:29 AM
Mar 23, 2012

Several people received this crazy email sent to an email distribution list:

From: <redacted>
Date: 2012/3/23
Subject: You have been betrayed by your Friend
To: <redacted>

You have been betrayed!!! It’s a pity that this how your life is going to come to an end as your death had already been paid for by someone who is very close to you from all investigations.
I have ordered 3 (three) of my men to monitor every move of you and make sure you are not out of sight till the date of your assassination.
According to the report I gets, you seem to be innocent about what you have been accuse but I have no business with that, so that’s why am contacting you to know if truly you are innocent and how much you value your life.
Get back to me if you sure want to live on, ignore this mail only if you feel it’s a joke or just a threat.
Don’t forget your days on earth are numbered, so you have the chance to live if only you will comply with me.
WARNING: Tell no one about this mail to you because he or she might just be the person who wants you dead, and if that happens, I will be aware and am going to make sure you DIE instantly.
I will give you every detail of where to be and how to take any actions be it legal or illegal, that’s only when I read from you.
You need to stay calm and act unaware of this situation and follow instructions because any move you make that is suspicious; you will DIE as your days are numbered.

 Posted by at 10:35 AM