My Travel Kit

Every geek has something like this, a travel kit for when you get asked by people “oh you know about computers can you email this photo from the top of a Spanish mountain?”

IMG_4051It’s nice to be able to say “yes I can”

_MG_5228_DxOMy basic travel kit consists of

  • Mobile phone charging battery (has 2x USB ports, 1 is a 2A port)
  • TP-Link WR703N running OpenWRT with 64MB RAM / 16GB Flash Mod from slboat (£25 delivered from China)
  • USB serial port that provides power and a serial console for the WR703R
  • USB 3G stick, unlocked has a PAYG 3 SIM in for UK usage
  • Short Micro USB cable for other gadgets and the wife’s phone and to charge the battery from a standard USB port
  • Apple Lightning cable for my gadgets, why can’t you use a standard Apple?
  • Short ethernet cable
  • Bootable 32GB memstick, gives me a few standard Linux options for fixing computers as well as a set of portable apps.

The WR703N is setup to run as an AP and access the internet via 3G dial up. Because it’s got a serial port on it I can tinker to solve lots of different problems without needing network access.

The OpenWRT install on the WR703N also dials into my OpenVPN hosted on this server. It means I can browse as if I am in the UK from anywhere in the world, It’s amazing how much better hotel wifi is when you can tunnel out of it and run a proper DNS server and web proxy.

The battery will run the AP for 4 days, drops to 2 days with the 3G dongle plugged in and working and gives portable data without having to pay a kidney a megabyte to the mobile carriers. The battery gives a couple of iPhone 5S / Nexus 5 charges and about a 2/3 charge on my iPad mini retina.

kit

Smoothwall in a heterogeneous network

Smoothwall is a Linux based UTM appliance, combining a firewall, web proxy and content filter. I have recently implemented Smoothwall for a customer, this implementation included Single Sign On (SSO) support for both Mac OS X and Windows. I didn’t find any good documentation on SSO with Smoothwall for both Mac OS X and Windows so I’ve written up my notes.

Windows has for a long time had SSO support via NTLM, meaning that Windows can (fairly) securely and transparently log in to other systems that are joined to the same Active Directory controller. This is done with a ticket based challenge/response authentication process built into Active Directory.

Mac OS X has had support for Kerberos SSO via Kerberos tickets to various systems since 10.3, it has been through a number of revisions and changes over the years. However it’s not until Mac OS X 10.6.8 that support for Kerberos authentication to web-proxies like the guardian filter in Smoothwall was introduced.

This is the final piece in the puzzle for this customer and now both Apple Macs and Windows desktops “just work” automatically authenticating with Kerberos tickets.

Kerberos SSO requires slightly more careful configuration than NTLM. The main thing to make sure about is that you are accessing the proxy via it’s fully quallified name, ie proxy.example.com not just proxy or it’s IP address.

In this case the customer uses a proxy.pac file, which also needs to contain the proxy server’s full name. Smoothwall includes an option to enable this but it didn’t seem to work in this case so I just made my own simple .pac file and uploaded it.

The configuration on the clients was simple just set the network proxy settings to URL auto-configuration and point it at http://proxy.example.com/proxy.pac

I think Apple are telling the truth about DROPOUTJEEP

When I first listened to Jacob “@ioerror” Applebaum talk from the 30c3 conference in Berlin I was impressed with the number and variety of different tools the NSA was using to monitor and spy on everything. One tool I was especially interested in being an iOS user was DROPOUTJEEP, sold as allowing full access with a 100% success rate in attacking iPhones but only with physical access.
dropoutjeep catalog pageThe physical access part and Apple’s flat denial got me thinking and combined with some practical knowledge about how iOS security works I am fairly sure I understand what DROPOUTJEEP is. I have broken into iOS devices to recover data and pictures for people, it’s simple for older iPhones if you have physical access.
The earlier iPhones (before the 4S) have bootloader flaws allowing an attack on the phone before the iOS kernel boots and the kernel security kicks in. This type of attack allows the injection of a custom ramdisk image containing unsigned code. I used a ramdisk and injection tool that was assembled from an open source iOS exploit and includes an ssh server, and tools to brute force crack an iPhone PIN code using the iPhone’s own crypto hardware to accelerate the process.
The DROPOUTJEEP catalogue page is from 2008, when the iPhone 3G was the new thing, check out the timeline on Wikipedia. Most people who had an iPhone at this time remember the Limera1n jailbreak, which at it’s core is a boot loader attack. This same boot loader flaw is still unpatched even after nearly 4 years. The Limera1n attack works on the iPhone 3G onwards and there are earlier boot loader attacks too. The SHAtter boot loader attack, while never used in a jailbreak was much discussed.These types of bootloader attacks allowing the upload of custom root disks, give full hardware, disk and keybag access ie total ownage. Once your ramdisk is loaded you can just mount the internal storage and extract the data or use additional exploits to install custom malware. Full disk encryption is only a recent development, ie iPhone 3GS onwards ref: http://support.apple.com/kb/HT4175DROPOUTJEEP’s need for physical access tallies to my mind with a boot loader attack. Boot loader attacks are simple, reliable and quick so perfect for an NSA black bag job.

All this is not to say that Apple can’t push remote code to an iOS device, remember Apple has the signing keys and can sign any code they like. There are reports from the early days of iMessage that Apple pushed custom remote code to a stolen iPhone to disable iMessage.

So I think that Apple are telling the truth about DROPOUTJEEP, but that is not to say they don’t cooperate in other ways when warrants or national security letters are involved.