Family Member Got Hacked - via Social Method

Posted by JD 11/08/2010 at 20:45

It had to happen eventually. Regardless of how careful we all are, if we run MS-Windows-something, our PCs will get infected. One of my family members, who lives a few states away, got infected with at least 1 virus, probably a botnet and a keylogger too.

I’m working on a plan to deal with the issue over Thanksgiving. Below are the initial thoughts.

End Open WiFi Access Points Now!

Posted by JD 11/06/2010 at 22:00

Open WiFi is convenient, but not secure. All of us need to help people and businesses providing Open WiFi understand the issues so they will stop providing it.

The real problem is that most people do not understand how insecure Open WiFi is. There’s a new Firefox extension that grabs the social-network session credentials of other people on the same open WiFi network. That extension works on Windows, Mac OSX and, soon, Linux. It is named FireSheep, anyone can get the FireSheep extension here, AND it is trivial to use. This extension lets a nearby cracker act as if they are you on the social websites. They can post to Twitter as you; they can update photos on Facebook. For all important uses, they ARE you, with just a click of a button.

The Fix – Easy

What is the fix? It is simple: just enable a trivial WPA passphrase on the WiFi access point. That’s it. This method is useful for all those small businesses to prevent most of these hijacking attacks while not really causing issues for their clients. For a simple example passphrase, Starbucks could use … er … “starbucks.” That would be enough to foil the FireSheep extension.

Not Secure Enough for Home or Business WiFi Networks

Ok, so this fix is just for places that provide an open wifi hotspot for clients and definitely should not be used by any business for their private network or by any of us in our homes. For small businesses and homes, you really want to follow my WiFi Security Checklist.

The Best Fix

Another way to solve this issue – a better way – is for all websites with a login to use SSL encryption for everything, all data. No exceptions. 10 yrs ago, that would have been computationally unreasonable. These days, having everything SSL encrypted adds about 3% overhead to bandwidth and compute requirements. That isn’t a big deal for almost any website to handle. The newest CPUs from Intel include special instructions to make AES encryption/decryption even less computationally intensive – becoming a non-issue.

If you have a website with encryption, please force SSL connections. There are some very easy ways to do this without touching the website. Simply use a reverse proxy like pound to handle the SSL connections, then forward the requests to the back-end web servers. This web site, jdpfu, uses pound both to proxy SSL and to load-balance traffic across 3 server instances. Connections with logins stay on the same server instance, so there’s no session confusion between the different servers. All the web servers read and write to the same DB instance. SSL connections are all handled in pound and the application doesn’t know anything about it.
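
As an added example (not this site’s actual configuration), here is a pound.cfg that does what the paragraph above describes: plain HTTP is redirected to HTTPS, TLS is terminated in pound, and requests are balanced across three back ends with cookie-based stickiness. The hostname, certificate path, back-end addresses and cookie name are assumed placeholders.

```pound
# Global settings; the user, paths and addresses in this file are placeholders
User        "www-data"
Group       "www-data"
# Seconds between back-end health checks
Alive       30

# Plain HTTP accepts nothing: every request is redirected to the HTTPS listener
ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        Redirect 301 "https://www.example.com"
    End
End

# HTTPS: TLS is terminated here, the back ends only ever see plain HTTP from pound
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # Private key plus certificate chain in one PEM file
    Cert    "/etc/pound/www.example.com.pem"
    # Drop any X-Forwarded-Proto a client sent, then set our own so the
    # application can tell that the original request was encrypted
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"
    Service
        # Three application instances that share one database
        BackEnd
            Address 10.0.0.11
            Port    8080
        End
        BackEnd
            Address 10.0.0.12
            Port    8080
        End
        BackEnd
            Address 10.0.0.13
            Port    8080
        End
        # Sticky sessions: pound reads the application's session cookie and keeps
        # that browser on the back end that issued it (TTL = idle seconds), so a
        # login is never looked up on an instance that did not create it
        Session
            Type    COOKIE
            ID      "session_id"
            TTL     300
        End
    End
End
```

Because the application never sees TLS, it must still set its session cookie with the Secure flag; otherwise the browser sends that cookie in the clear on the first http:// request, before the redirect, which is exactly the kind of traffic FireSheep collects.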

If you need help setting up pound, let me know below.

Simple Linux Firewall Tricks

Posted by JD 11/04/2010 at 12:38

The 7 Uncommon Uses of iptables over at linuxaria shows fairly easy-to-use solutions for the following:

  1. Block known dirty hosts from reaching your machine; block spammers and other known bad networks
  2. Unlock a pre-determined port once someone “knocks”, i.e. port knocking
  3. Expose a restricted port externally but use a high port on the server – port forwarding
  4. Use your proxy only for external access, not in the local LAN – I’ve done this with PAC files
  5. Limit the number of ssh connections to 10
  6. Limit ssh to just 1 new session every 15 seconds
  7. Give multiple directives with a single command

Fail2ban addresses some of these concerns, but you may still need to limit the connection count and rate from IP addresses that could be considered system abusers.

Your Computer is Impacting Foreign Elections

Posted by JD 11/04/2010 at 10:45

The BBC is reporting that internet connectivity with Burma (Myanmar) has been effectively shut down in advance of the first elections held there in 20 years.

Only 200 PCs Needed

If the BBC report is true, it would only take 200 relatively low-speed, internet-connected PCs to take the country of Burma off line. Let me explain. The BBC story about Burma states that the entire country is connected to the internet over a single 45 Mbps link; that’s a DS3 to the network and telecom people. It isn’t much bandwidth for an entire country.

To take any network or server off line, all an attacker needs to do is make your network too busy for user connections to get through, just like a busy signal on your telephone. Doing that isn’t very hard.

Only 15 PCs connected with common home bandwidth could take down the country of Burma. That isn’t many PCs, is it? Even the slowest broadband connections have 256 Kbps upstream, which means only 200 PCs with that upstream connectivity are needed to take Burma effectively off line. If a botnet controller wanted to attack an IP and they have 100,000 PCs, that translates to 25 Gbps. Most companies, even ones with large pipes like a Fortune 100 company has, would be taken off line. 200 PCs is a small number and could be quickly blocked, which is why botnet owners have 100,000 – 5M PCs.

Linux Training and Documentation Resources

Posted by JD 10/29/2010 at 11:27

If you want to learn something about Linux, there are a wide range of learning materials available out there. Much is for beginners, but there are some intermediate and advanced course materials available too.

The best place to begin is with the documentation from your distribution.

Internet search engines will find lots of documentation for other distros too, but knowing that Distro-Z is based on Distro-Y means that the documentation for Distro-Y probably works for Distro-Z too. A concrete example – Ubuntu is based on Debian, so if you use Ubuntu and can’t find the document under Ubuntu, look for it under Debian.

Eventually, you will want to know something that isn’t in those documents. To address this, each major distro also has forums and email list servers.

Be certain to spend at least 45 minutes searching the forums for your question and answer before you post. Read the Acceptable Use Policies for each forum too. Basically, if you are on-topic, respectful and cordial, then you won’t have any issues.

Some general information about Linux and HowTos also exists.

Because Linux is very much like UNIX, much of the information and techniques used and documented for UNIX systems over the last 30+ years will work on Linux. Don’t be afraid to read UNIX How-To Guides that you find out there.

Books – I find that anything written in a book is out of date by the time it gets published. That doesn’t mean you don’t want a classic like UNIX System Security in your collection, just that the details of an implementation covered in the book are probably out of date. The architecture coverage is probably just fine.

Just because you can do something doesn’t mean it is a good idea or that it doesn’t impact your security. When you read any online information that tells you how to do something, ask yourself how it impacts your privacy and system security.

Security Settings for Web Browsers

Posted by JD 10/21/2010 at 10:07

We just published a new permanent article on Security Settings for Web Browsers that may be interesting to some readers. It lists 23 things you can do to be more secure while surfing the web on the internet.

These are the things that I do. Some will be difficult for people who spend 4+ hrs a day on the internet to use, but not impossible.

The article provides a list of what you should set, not how you should make those settings in your browser. A little internet searching or checking the Help for your browser will let you easily make most of the settings.

DC404 Presentation-SysUsage in 5 Minutes of Effort

Posted by JD 10/15/2010 at 07:43

This Saturday (tomorrow) I’ll be presenting to the DC404 crowd how to get system monitoring working on Linux in 5 minutes. Sadly, the presentation is running about 30 minutes because I really only need 5 minutes to show a complete install. Come and check it out, say hello.

There isn’t really much to it because SysUsage is really easy to set up and run. It works on desktops, laptops and servers, but there is no GUI for setup, so you will need to use a terminal or console. With newer releases (OS or SysUsage) the dependencies may change, but it is still really easy to set up. This is so simple there really isn’t any excuse NOT to have performance graphs for all your Linux machines.

Data Loss-Use Encryption

Posted by JD 09/22/2010 at 23:34

In a recent study, it turns out that about 1/3rd of all companies with 1,000+ users experience data loss or data leaks. The study says this number is probably low, since it is self-reported. The data loss can be from stolen laptops, misplaced flash drives or non-working backups. We all know that we should protect the data better, but for some reason it is determined to be too much hassle.

Then your company loses or inadvertently releases some sensitive data. That data was worth a few million or more.

Now you’re working a plan to encrypt all portable devices and trying to ensure no data gets released without appropriate approvals first. Yes, it is too late, but this is a prophylactic for the next time.

Every laptop should probably be full drive encrypted. You know that already, now you just need to do it. Here’s how I did it – a compromise solution.

Scripting on Windows with PowerShell

Posted by JD 09/12/2010 at 21:20

For the last few years, I’ve heard of PowerShell being used for scripting by IT professionals in the MS-Windows community. I never looked at it until a few days ago. See, I confused cscript with PowerShell scripting. I couldn’t get the hang of cscript and wasn’t able to get it to accomplish what I needed the last time I tried. In June, I actually wrote some .BAT scripts for a client. If I knew then what I know now about PowerShell, I’d have been much happier and written those scripts in PowerShell, assuming it is pre-installed on Win2003 Server.

In my limited time with PowerShell, here are my impressions.

  • UNIX does text processing, MS-Windows does object processing – sorta like the difference between Perl and Ruby scripting.
  • Most of the syntax is Perl-like – with some differences. Get used to $var.action calls.
  • Pipes work like you’d expect from UNIX, except ….
    • generally, we don’t use `grep`; rather, the regex is used as part of the prior command
    • `| wc -l` becomes `.count` – basically, whenever you want a count of something.
    • functions are Perl/Bash-like, except the argument passing is C-like (int x, int y). That is better than Perl, IMHO.
  • Objects mean access to the registry, COM, and WMI. That’s a plus AND a minus. How do you query a GUI program? That’s the problem.
  • As usual, rather than reuse existing commands, Microsoft decided to use longer, more complex commands. `ls` is `get-selections`, but they did include aliases in the tool. That means that many of the normal UNIX commands used in shell scripts have aliases, but those are not the preferred method names.

As long as you don’t need to press a button inside a GUI, PowerShell can probably be useful.

Mindset Change

To me, the main limitations of PowerShell really aren’t with the language, rather, it is with my mindset and having to change from UNIX/File processing to object processing. Also, the tools on UNIX/Linux systems tend to support command line options to get things done. In MS-Windows, command line options to GUI programs are usually extremely limited – next to worthless. In Linux/UNIX, there are hundreds and hundreds of small applications and tools that come with the system suitable for script use.

References

A few years ago, PowerShell was called msh, Microsoft Command Shell. Here’s an overview.

Here’s a PowerShell Tutorial if you are interested in going further.

Read about how someone is porting PowerShell to UNIX/Linux systems. Yep, it is called Pash. According to the project page, it is 40-50% complete and running on Windows, Linux, Mac and Windows Mobile platforms.

VMware is using PowerShell (they call it PowerCLI) as an interface into their ESX virtualization system.

Summary

In summary, it seems that Microsoft has been working hard for years to remove some of the biggest complaints against their systems – the lack of real, usable scripting. Seems they could advertise it a little more widely. Personally, I’d prefer a Perl library that encapsulated all this and for Perl to be included with MS-Windows installations so I don’t need to learn yet another language. Still, msh/psh/pash or whatever they call it this year is a step in the right direction.

Microsoft Free Ebook - Online Safety

Posted by JD 09/09/2010 at 15:05

Get the free ebook/PDF from Microsoft’s site about being secure online. Microsoft is sponsoring the ebook; it is not written by them.

The first download in the list appears to be the complete ebook, so there’s no need to grab each chapter. It is in PDF, so be certain you have a non-Adobe PDF reader program. We don’t like Adobe stuff here due to security concerns.