Category archive: IT security

Does Google know your Wi-Fi password?

Backup of application data, Wi-Fi passwords and other settings to Google servers

Bruce Schneier writes on his blog today that “Google Knows Every Wi-Fi Password in the World”. His post leaves no real doubt: yes, Google knows (practically) every Wi-Fi password, and as a US company it will be obliged to hand the information over to the NSA if asked to (and expect that this has happened).

The background is an Android setting that is probably meant as a good service[1]: Android can back up your data to Google's servers. That is handy if you have to reset the phone or if you have got a new phone.

My recommendation is to change the setting on your Android phone (the screen dump on the right is from my Samsung Galaxy SII with Android 4.1.3) and then change the password for your wireless network. Your WPA-PSK key should be 63 characters (that is the maximum), and there are several online WPA-PSK generators, e.g. here. Since we are being paranoid anyway, expect the generated passwords to be sent to the NSA as well, together with your IP address. You should therefore generate many passwords and then pick one at random (the NSA will still have it, but they will need more attempts; you could generate the keys at work, save them on a USB stick and take them home).

[1] Assuming that Google actually tries to live up to its “Do no evil” slogan.

New PGP key

In light of the last few weeks' revelations about the NSA's activities, I have decided to tighten up security a little. I have therefore created a new PGP key. It still suffers from the same weakness as the old one, though: it is based on RSA, and RSA must be regarded as compromised by the NSA. The mathematics behind RSA is still valid, however, so the NSA has to use other methods, and there any new key will send them back to square one.

Edited: My decision is strongly influenced by this article by Poul-Henning Kamp.

It’s how we all lose.

Bruce Schneier has a short note on some of the more technical issues of the NSA eavesdropping, as revealed by Edward Snowden, in this blog entry:

How the NSA Eavesdrops on Americans

Unfortunately, the press seems more interested in the whereabouts of Edward Snowden and the US hunt for him than in the actual eavesdropping. This is truly worrying, and Bruce Schneier expresses it very clearly in this sentence:

I don’t know what there is that can be done about this, but it’s how we all lose.

True enough – it’s how we all lose!

Upgrading Dell PowerEdge servers

Most Dell owners will be familiar with finding the Service Tag of a server, laptop or desktop, entering it at the Dell driver download page and being rewarded with a wealth of suggested patches and updates. Unfortunately, there will often be drivers and upgrades far beyond what is needed for exactly your server/laptop/desktop. And to add to the misery, unless you happen to use exactly the Windows version that Dell assumes, you will probably have a difficult time trying to get the upgrades installed.

For Dell servers, however, there is some hope for the exhausted sysadmin….

Recently I have had the privilege of upgrading two Dell PowerEdge servers, a 2970 and a 2900 respectively. The 2970 was running VMware ESX 4.1, so I managed to install the appropriate upgrades using the CLI in ESX. However, not all firmware upgrades were available as ESX (Linux) installers, and those had to be installed from a DOS boot CD.

In the end, I am not even sure that I had everything upgraded 👿

The 2900 is running ESXi 5.1 and therefore has no CLI. A new approach was needed, preferably something easier. And there is a surprisingly easy method!

  1. Download the CentOS Live DVD – find your appropriate mirror site.
  2. Write the ISO file to a blank DVD.
  3. Ensure your server is able to obtain an IP address and is connected to the internet.
  4. Boot the server from the CentOS Live DVD.
  5. Install the Dell firmware update utility – see below.

The use of CentOS is due to the Dell preference for Red Hat Enterprise Linux (RHEL), which you may not have at hand. CentOS is pretty compatible and for this purpose fully compatible.

How to install the Dell firmware update utility – in 8 lines or less:

# If proxy is needed, uncomment the next two lines and fill in as appropriate
# declare -x http_proxy="http://proxy:3128"
# declare -x ftp_proxy="http://proxy:3128"
wget -q -O - http://linux.dell.com/repo/hardware/latest/bootstrap.cgi | bash
yum install dell_ft_install
yum install $(bootstrap_firmware)
inventory_firmware
update_firmware --yes

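That’s it! The last command, 'update_firmware --yes', will detect which firmware updates are needed and install them as necessary. Total downtime should be less than 30 minutes if you have prepared as described above. Note that the wget line pipes a script fetched over plain HTTP straight into bash, so download and read bootstrap.cgi first if you want to know what it will do to the system.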

Update: Some updates, e.g. the BIOS firmware update, are done using the internal flash memory as a temporary boot device. Therefore the server must be rebooted, not powered off, after an update.

Update II (Sep. 19th 2012): I first performed this on an older PowerEdge 2900. Due to its age, it had only a few recent updates. I just updated a much newer R610 and found that the Dell repository for the above update procedure is somewhat out of date. 👿 So don’t expect to get the newest firmware if your server is a recent model. You can still get a very precise inventory of your server from the above procedure, use that inventory to identify exactly the right upgrades for your server, and then download them manually from Dell Support.

Vulnerability in the WPS protocol on wireless routers

Bad news for owners of recent wireless networks: this is how easily protected wireless networks are broken into.

Perhaps for the rest of us as well: “Reaver is not only able to find the WPS PIN, but can also crack the WPA/WPA2 password within 4-10 hours. This gives full access to the router.” Crack WPA/WPA2 within 10 hours? That sounds unlikely, but if it is true it is really bad!

If you have a wireless router and use WPA/WPA2, use the following page to generate a “Maximum WPA Security (63 characters/504 bits)” key, and save it on a USB stick so you can move it to visitors' machines:

WPA encryption Key Generator

And then, of course, you must turn WPS off. Look in the manual, or Google the router name and model and find a guide.
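Both this post and the Google/Wi-Fi post above recommend a 63-character key from an online generator; the same key can be produced without any web page. The following is an added example, not part of the original posts: it generates the passphrase locally from the operating system's random source and shows the 256-bit key that WPA/WPA2-PSK derives from it (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt). The SSID `example-ssid` and all function names are assumptions made for the illustration.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-PSK passphrases are 8..63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
# 94 symbols: letters, digits and punctuation (space is left out so the
# key survives copy/paste from a file on a USB stick).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_valid_passphrase(passphrase: str) -> bool:
    """True if the string is acceptable as a WPA/WPA2-PSK passphrase."""
    return (MIN_LEN <= len(passphrase) <= MAX_LEN
            and all(0x20 <= ord(c) <= 0x7E for c in passphrase))


def generate_passphrase(length: int = MAX_LEN) -> str:
    """Draw each character from the OS CSPRNG; nothing leaves the machine."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def chars_needed(bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest random passphrase carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("not a valid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    print(key)
    print(f"{entropy_bits(len(key)):.0f} bits of entropy; "
          f"{chars_needed(256)} characters already fill the 256-bit PSK")
    print(derive_psk(key, "example-ssid").hex())  # SSID is a constructed sample
```

The "504 bits" quoted by the generator page is 63 characters times 8 bits of storage; a random key over this 94-symbol alphabet carries about 413 bits of entropy, and the key actually used on the air is the 256-bit PBKDF2 output.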

If your router only supports WEP, you must hand it in at the recycling centre immediately 😈

UPS

2011-03-05 08:08:25 +0100  Allowing logins
2011-03-05 08:08:25 +0100  Power is back. UPS running on mains.
2011-03-05 08:08:25 +0100  Mains returned. No longer on UPS batteries.
2011-03-05 07:17:04 +0100  Users requested to logoff.
2011-03-05 07:12:03 +0100  Running on UPS batteries.
2011-03-05 07:11:58 +0100  User logins prohibited
2011-03-05 07:11:57 +0100  Power failure.