Thursday, August 21, 2014

Implementing a free StartSSL cert for Synology NAS

I have a plugin for Chrome called Download Station Extension (http://www.download-station-extension.com/, also available for Safari and Opera) which allows me to tell my Synology NAS to download files and initiate torrent downloads, among other things. It is extremely handy. This extension supports all of the download types supported by Synology's Download Station, an application developed by Synology and built into the Synology base OS (http://www.synology.com/en-global/dsm/home_multimedia_download_station). You can tell your Synology box to go download files quickly and easily, including: 
  • BitTorrent (both .torrent files and magnet links) 
  • Usenet news NZB files 
  • http, https, ftp, sftp and ftps downloads 
  • YouTube videos 
  • Some supported filehosting websites 
The extension does this by logging into the "Download Station" app on your Synology using your. This is great; however, there is one significant caveat: the Download Station Extension will only use http until you have a trusted SSL cert installed. To protect the credentials to your Synology and use SSL/https, this plugin needs a certificate that is trusted by your browser, which means installing an SSL certificate on your Synology NAS that was issued by a real Certificate Authority (CA).

Now, to be clear, your Synology does have an SSL certificate already, but it's a "self-signed" certificate, meaning your server generated the certificate and also vouched for it as a good, trusted certificate; no outside party that your browser trusts has signed it. 

A post on the Synology Community Site describes how to go through the process of installing a free StartSSL cert; however, it involves significant ssh command line work, operating with openssl directly. It turns out steps 1-6 in that guide are no longer necessary. You could probably still do the requisite work through ssh/openssl, but according to the Synology guide here, you no longer have to ssh into the box to generate a certificate signing request (CSR) or to process the certificate returned by an SSL cert provider. 

Based on that, here's what you need to do.
  1. Go to the Synology guide, and perform steps 1-7. Proceed to the next step.
  2. Use the Synology Community Site post by GNOE Inc. and perform steps 7-8.8 to generate the StartSSL-based (free) cert.
  3. Go back to the Synology guide, and perform the last steps on the page, 1-3.

Make sure that the SSL certificate domain matches the domain you're using to access your NAS through the Internet. If the SSL cert and the domain don't match, you'll still get SSL cert errors and you won't get the benefits of this whole process.
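A check for the point above, added here as an example (this is not Synology's or StartSSL's code): it applies the hostname-matching rules browsers use to a certificate's names, so you can see which ways of reaching the NAS will still produce certificate errors. The certificate names and access names are constructed, and nas.example.com is a placeholder for your own domain.

```python
import ipaddress
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is just the root label.
    return name.strip().lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry (possibly a wildcard) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label with at least two fixed
    # labels after it: "*.example.com" is fine, "*.com" and "nas*.example.com"
    # are rejected. A wildcard never spans a dot, so "*.example.com" covers
    # "media.example.com" but not "example.com" or "a.b.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers_host(dns_sans: Iterable[str], ip_sans: Iterable[str],
                     subject_cn: Optional[str], hostname: str) -> bool:
    """True if a browser will accept this certificate for `hostname`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only matched by an iPAddress SAN, never by a DNS name,
        # so browsing to the NAS by its LAN address keeps warning even with a CA cert.
        return any(ipaddress.ip_address(s) == ip for s in ip_sans)
    dns_sans = list(dns_sans)
    if dns_sans:
        # RFC 6125: once any dNSName SAN exists, the subject CN is not consulted.
        return any(dns_name_matches(s, hostname) for s in dns_sans)
    return subject_cn is not None and dns_name_matches(subject_cn, hostname)


# Constructed stand-in for the names on the cert installed on the NAS
# (nas.example.com is a placeholder for your own domain).
NAS_DNS_SANS = ["nas.example.com", "*.example.com"]
NAS_IP_SANS: list = []
NAS_SUBJECT_CN = "nas.example.com"


def check_access_names(names: Iterable[str]) -> dict:
    """Map each name you might type into the browser to whether the cert covers it."""
    return {n: cert_covers_host(NAS_DNS_SANS, NAS_IP_SANS, NAS_SUBJECT_CN, n)
            for n in names}


if __name__ == "__main__":
    for name, ok in check_access_names([
            "nas.example.com", "NAS.Example.COM.", "media.example.com",
            "example.com", "a.b.example.com", "192.168.1.20",
            "diskstation.local"]).items():
        print(f"{name:20} {'ok' if ok else 'certificate error'}")
```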

Hope this guide helps!

Chris

Friday, February 28, 2014

Moving a Windows 7 VM from Parallels 8 to VirtualBox 4.3 on OS X Mavericks using VMWare Fusion

My first Macbook Pro was a 1st Intel generation, early 2006 model, that I bought from someone local on Craigslist in 2009. (Example to the right.) I cut my teeth there and got used to the Mac-isms and the Apple-isms of running OSX. That machine wasn't going to run any virtual machines well, so I never installed VirtualBox, Parallels or VMWare Fusion. That machine also wouldn't install anything newer than 32-bit Snow Leopard. No Lion and no Mountain Lion. This was frustrating enough, and then software application makers moved to 64-bit entirely, so I wasn't able to run their software either.
So, in early 2013, I bought a new Macbook Pro and now I had the horsepower to run VMs. Woo hoo!

Parallels pushes their marketing heavy on the Mac world. They have a lot of features, and seemed to have a lot of people who have used the product successfully. So I bought it too.

Fast forward to late 2013, and the release of Mavericks. Before I installed Mavericks, Parallels started warning me about Parallels 8 compatibility with Mavericks. I scoffed. All of the reviews said it ran just fine, and it has, but I have become increasingly resentful of having to shell out $50 for an upgrade, for little benefit. 

So, I decided to try to convert my Win7 VM in Parallels to a Win7 VM in VirtualBox. I ran into a few issues. Here's how I did it successfully (I'll list what didn't work, after):

Step 1) Shut down the Parallels VM: not just suspend it, actually shut the machine down.


Step 2) Convert Parallels machine (.pvm) to VMWare (.vmwarevm) virtual machine

To do this, you'll first need to download and install the VMWare Fusion trial through the normal means. Here's a YouTube walkthrough:


Next, once you get it installed, choose to "Import" an existing machine. This will make VMWare Fusion go look for existing virtual machines on the system. Of course, in this case, my Windows 7 Parallels instance exists, so it found it right away. (Not sure why it listed it as a "Recent Item", though.)



Click on Continue. You'll be asked what you want to call this new VM. It will use the same base name, but with the VMWare extension .vmwarevm for the new virtual machine. I don't believe you really need the whole machine, but the process does create the .vmdk disk image inside the directory named YourNameHere.vmwarevm, which we will need in the next step.


Of course, click save.

At this point, I fired up the Windows 7 virtual machine under VMWare Fusion and everything went swimmingly. I just wanted to make sure the new disk image was viable. Because of that, and because I didn't want to create any other issues, I didn't install the VMWare extensions. I simply shut the machine back down again and moved on to Step 3.

Step 3) Convert a VMWare disk image (.vmdk) file to a .vdi file which VirtualBox understands

First, install Oracle VirtualBox. You can get it from here: https://www.virtualbox.org/wiki/Downloads

Second, we'll convert the VMWare Fusion disk image in .vmdk format to a .vdi disk image that VirtualBox can import, using a VirtualBox utility called VBoxManage.

You'll need to run this command either from the directory that the .vmdk file is in, or you'll have to put in the full path to the .vmdk file. Mine was ~/Documents/Virtual Machines.localized/Windows 7.vmwarevm

  VBoxManage clonehd --format VDI Windows\ 7-0.vmdk newimage.vdi

I then moved the .vdi image to my VirtualBox VMs directory.

    mv newimage.vdi ~/VirtualBox\ VMs/

Third, start up VirtualBox and set up a new VM and choose an existing disk image.

Here's the "New" screen:


And this is the area where you'll choose "Use an existing virtual hard drive file". You'll have to then find the .vdi file and it will end up populating the area below the radio button.


Click on Create.

That's it. Fire up the new VirtualBox VM and install the extensions.

Once you're satisfied that it booted and you're running Windows in VirtualBox on Mavericks on your Mac, you'll have to remove your Parallels instance. Windows will start barking that it is counterfeit, and you'll have to reactivate your license on this VM.

Thursday, February 6, 2014

How to Install Metasploit on Mavericks 10.9.1 (in 2014)

I've been struggling with getting Metasploit installed in my Mavericks (10.9.1) based MacBook Pro. The instructions I found weren't lining up with my experience, so I thought I'd write up my experience and how I was able to get it installed.

My instructions are from my experience, but I got a lot of help from resources such as DarkOperator's instructions here:

http://www.darkoperator.com/installing-metasploit-framewor/

He developed a script to do a bunch of this work for you; however, I haven't tried it. I noticed that it is using an older version of ruby in the 1.9.3 tree.
https://github.com/darkoperator/MSF-Installer/blob/master/msf_install.sh

1. Install Xcode on Mavericks 10.9.1

Go to https://developer.apple.com/xcode/ to download and install. Move to Step #2, unless you want to read through my experience.

Other sites will tell you to install the command line tools by using the command line (don't do this yet):

xcode-select --install

When you do this, it looks promising:


But it will eventually fail with the following message:

"Can't install the software because it is not currently available from the Software Update server."

Other sites will also tell you that you need to check the "Command Line Tools" box in the XCode Preferences/Downloads tab. Notice it doesn't exist in XCode 5.


Turns out, you don't need to install the command line tools, as they're included with XCode 5 (reading comments from this thread: http://www.computersnyou.com/2025/2013/06/install-command-line-tools-in-osx-10-9-mavericks-how-to/) . Verify they're installed by checking for gcc and g++.



CGMbPR:~ cgrant$ gcc -v
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Target: x86_64-apple-darwin13.0.0
Thread model: posix
CGMbPR:~ cgrant$ g++ -v
Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 5.0 (clang-500.2.79) (based on LLVM 3.3svn)
Target: x86_64-apple-darwin13.0.0
Thread model: posix

2. Install homebrew.

The install URL for homebrew has been updated, so use this on the command line:


ruby -e "$(curl -fsSL https://raw.github.com/Homebrew/homebrew/go/install)"


I did the following, so you don't have to. If you tried to use the URL listed on many other guides, you'd see this:



CGMbPR:~ cgrant$ ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"
-e:6: syntax error, unexpected '<'
 ^
-e:7: syntax error, unexpected '<'
 ^
-e:9: syntax error, unexpected '<'
   
     ^
-e:10: syntax error, unexpected '<'
   
     ^
-e:10: syntax error, unexpected tIDENTIFIER, expecting end-of-input
   
                                              ^


3. Install wget (and git, maybe?)

Run this on the command line (no sudo required):

brew install wget

I had installed the native GitHub client for Mac OSX (the full installer) prior to starting this install, which I believe installed the command line version of git, so I didn't actually run the brew version. I also didn't change the path to make the /usr/local/bin versions come first in the search path. It doesn't seem to have caused any issues yet. So, I didn't install brew-managed git, but if you want to, or haven't installed git yet, you should execute this:

brew install git


4. Install Ruby Version Manager (rvm) and ruby 2.1.0, apparently

Run this on the command line (no sudo required):

\curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

This is what it looked like for me:



CGMbPR:~ cgrant$ \curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby
######################################################################## 100.0%
Downloading https://github.com/wayneeseguin/rvm/archive/stable.tar.gz

Installing RVM to /Users/cgrant/.rvm/
    Adding rvm PATH line to /Users/cgrant/.profile /Users/cgrant/.bashrc /Users/cgrant/.zshrc.
    Adding rvm loading line to /Users/cgrant/.bash_profile /Users/cgrant/.zlogin.
Installation of RVM in /Users/cgrant/.rvm/ is almost complete:

  * To start using RVM you need to run `source /Users/cgrant/.rvm/scripts/rvm`
    in all your open shell windows, in rare cases you need to reopen all shell windows.

# Chris Grant,
#
#   Thank you for using RVM!
#   We sincerely hope that RVM helps to make your life easier and more enjoyable!!!
#
# ~Wayne, Michal & team.

In case of problems: http://rvm.io/help and https://twitter.com/rvm_io

rvm 1.25.15 (stable) by Wayne E. Seguin , Michal Papis [https://rvm.io/]

Searching for binary rubies, this might take some time.
Found remote file https://rvm.io/binaries/osx/10.9/x86_64/ruby-2.1.0.tar.bz2
Checking requirements for osx.
Installing requirements for osx.
Updating system.
Installing required packages: autoconf, automake, libtool, pkg-config, libyaml, readline, libksba.....
Certificates in '/usr/local/etc/openssl/cert.pem' already are up to date.
Requirements installation successful.
ruby-2.1.0 - #configure
ruby-2.1.0 - #download
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 9475k  100 9475k    0     0   661k      0  0:00:14  0:00:14 --:--:-- 1346k
ruby-2.1.0 - #validate archive
ruby-2.1.0 - #extract
ruby-2.1.0 - #validate binary
ruby-2.1.0 - #setup
ruby-2.1.0 - #making binaries executable.
ruby-2.1.0 - #downloading rubygems-2.2.1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  401k  100  401k    0     0   215k      0  0:00:01  0:00:01 --:--:--  215k
No checksum for downloaded archive, recording checksum in user configuration.
ruby-2.1.0 - #extracting rubygems-2.2.1.
ruby-2.1.0 - #removing old rubygems.
ruby-2.1.0 - #installing rubygems-2.2.1............
ruby-2.1.0 - #gemset created /Users/cgrant/.rvm/gems/ruby-2.1.0@global
ruby-2.1.0 - #importing gemset /Users/cgrant/.rvm/gemsets/global.gems.....
ruby-2.1.0 - #generating global wrappers.
ruby-2.1.0 - #gemset created /Users/cgrant/.rvm/gems/ruby-2.1.0
ruby-2.1.0 - #importing gemsetfile /Users/cgrant/.rvm/gemsets/default.gems evaluated to empty gem list
ruby-2.1.0 - #generating default wrappers.
Updating certificates in '/etc/openssl/cert.pem'.
mkdir: /etc/openssl: Permission denied
cgrant password required for 'mkdir -p /etc/openssl': 
Creating alias default for ruby-2.1.0.
Recording alias default for ruby-2.1.0.
Creating default links/files

  * To start using RVM you need to run `source /Users/cgrant/.rvm/scripts/rvm`
    in all your open shell windows, in rare cases you need to reopen all shell windows.


CGMbPR:~ cgrant$ source /Users/cgrant/.rvm/scripts/rvm


5. Install the rest of ruby

This first step took quite a while.
rvm requirements

Here's what it looked like for me:


The guide I was looking at suggested I run the following, which I did.


brew install autoconf automake libtool libyaml readline libksba openssl

Everything was installed already.



The next step was to run this command:

rvm install ruby-1.9.3-p392

I skipped this step because it looked like ruby-2.1.0 was installed earlier. (**Turns out ruby-1.9.3 is required for metasploit, although this isn't the most current version. I cover this later.**)

rvm gemset create msf



Other sites would have you run the following command, but it looks like I have 2.1.0 installed, so I modified it appropriately.

Unused:

rvm use ruby-1.9.3-p392@msf --default

Changed, used:
rvm use ruby-2.1.0@msf --default




Verify the install with the following command:
ruby -v



6. Installing metasploit

So, I did the following:

sudo su
cd /opt
git clone https://github.com/rapid7/metasploit-framework.git msf


CGMbPR:~ cgrant$ sudo su
sh-3.2# cd /opt
sh-3.2# git clone https://github.com/rapid7/metasploit-framework.git msf
Cloning into 'msf'...
remote: Reusing existing pack: 232980, done.
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 232985 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (232985/232985), 198.63 MiB | 436.00 KiB/s, done.
Resolving deltas: 100% (163073/163073), done.
Checking connectivity... done

Checking out files: 100% (6515/6515), done.


7. "bundle install" - ruby gems

As I understand it, running bundle install installs the necessary ruby gems. This didn't work for me out of the gate.

 

This is the error you get when you don't have Postgresql installed first.

8) Install and Configure Postgresql

brew install postgresql --without-ossp-uuid


As it told me to do, I ran the link command to start postgresql on login:


ln -sfv /usr/local/opt/postgresql/*.plist ~/Library/LaunchAgents

I then fired up postgresql

launchctl load ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

You then need to create a user for metasploit to use for the database:

createuser msf -P -h localhost

Then create a database called msf with msf as the owner

createdb -O msf msf -h localhost



9) Finish the ruby gems needed for metasploit to function

Then we need to finish with the gems metasploit needs to use.

gem install pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler





A little while later...


10) Linking metasploit to Postgres


First edit Metasploit's database configuration file (this is where it learns how to reach Postgres):

sudo vi /opt/msf/config/database.yml


Add the following to the file and save

production:
 adapter: postgresql
 database: msf
 username: msf
 password: 
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5


11) making sure the shell environment is set up

source /etc/profile
source ~/.bash_profile

12) executing Metasploit, or so I thought

/opt/msf isn't in my path, so I'll execute it from its directory.

I changed directories and it tells me ruby-1.9.3-p484 isn't installed


13) installing ruby-1.9.3-p484


Well, I'll see if I can take the shortcut route and just install ruby 1.9.3-p484 even though ruby-2.1.0 was installed earlier.

rvm install ruby-1.9.3-p484


14) execute msfconsole again...bundle install



Okay, so now one of the gems isn't installed.

Executing

bundle install



15) Okay, executing msfconsole again...and it worked!



It worked! I freaked out a little first, then I realized that this was by design. All good!

Just to make sure...execute msfconsole again:


SUCCESS!!!

Okay, maybe that was just a fluke:

Execute msfconsole again:


Looks like it's working...



Friday, November 22, 2013

Reputation.com responds to Adobe breach, bravo!

Reputation.com emailed account holders on November 22nd, saying the following: 

(I apologize, they don't have this on their website or I'd link to it, so you'll just have to take my word for it.)
"We recently learned that a list that potentially contains email addresses, encrypted passwords and answers for security questions for Adobe Systems customer accounts has been published in numerous places on the Internet. Out of an abundance of caution and concern for our customers, we obtained a copy of this list of purported Adobe account information and cross-checked it against our customer account information.
You are receiving this email from us because your email address and possibly other compromising information is on this list. Because many customers use the same user names and passwords for multiple accounts, we wanted to alert you to this issue and remind you to log in and change your Reputation.com password if you believe it is the same as your Adobe account login information."
This is a great move from Reputation.com. They took a problem that wasn't theirs, that affected a significant number of people, and considered what it meant to their customer base. Based on that they took a risk, but did the right thing: they sent an email voicing their concern to their customers and recommended that they improve their security by changing passwords. This has the likely effect of reducing Reputation.com's account compromise issues, improving the customer experience and also reducing the overhead of supporting their customers.

Overall, a great idea, and so trivial to execute.

Bravo.

Tuesday, November 5, 2013

Epic hack on a Limo Service broker(?)

http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

(I think they're a broker for other local services.)

This is an epic hack, really. A treasure trove of information, from the who's who on the national and international stage. Key facets of the hack:

  1. 241,000 high- or no-limit American Express cards with expiration dates. High value in the underground card number sales markets.
  2. Travel schedules for national/international figures. Very interesting for some.
  3. Sometimes, companion information for national/international figures. Interesting or very interesting for some as well.
  4. Personal details about national/international figures, like Donald Trump wanting/needing a clear front seat (for a bodyguard or what?), or an alias people use when getting picked up.

The credit card numbers are a very impressive haul. Not so great for this company's PCI compliance, or American Express. Wonder if the business will stay afloat. This is a small organization, I'm assuming. One that has entered into the world of online payment processing and application development (with ColdFusion). In this case, making money took precedence over security of the platform, or the data...and they are paying for that decision.

Saturday, October 26, 2013

ST:TNG S4E3: Brothers, "private key" holds up over time, I think

Here's some Saturday morning fun.

I ran across a snippet of Star Trek: The Next Generation that is fun from a security perspective. In Season 4, Episode 3, titled "Brothers" (YouTube), Data takes over (technical) control of the Enterprise at the start of the episode and hurtles the ship and crew across the galaxy at warp 9.3 to some unknown destination. In order to do this, he has prevented others from taking control of the ship back. (Sounds like a hacker, doesn't it?) Data has impersonated Picard and made sure all capabilities to enter new commands are restricted.

Here's the dialog:

Data (impersonating Picard): Computer, establish a security code for access to all functions previously transferred to bridge.
Computer: Enter code.
Data (impersonating Picard): 17346721476C3278977763T732V 731171888732476789764376 lock 

Looking at this, I was curious if this code was sufficiently long to protect what Data wanted to do in this situation. After all the NCC-1701-D was built in the 24th century (2364 is where the ST:TNG series started). They have to have had significantly faster computers at that point.

So, some math. Looks like we have 10 digits plus letters with no distinction between upper and lower case, so 36 possible characters. The security code was 51 characters long.
  • 10 + 26 = 36 possible options 
  • 51 characters long 
  • Possible combinations: 2.351947044600255e+79
  • Or: 23,519,470,446,002,552,619,480,849,617,690,081,539,337,173,577,026,375,375,550,590,789,301,897,093,185,536

So, how long would it take a computer of the 24th century to crack this code through brute force (on average)? Well, we don't know, because ST:TNG used fictional computing measurements called quads, so there will be a gap in our assessment. Here's how it lays out given our current way of thinking about computing power, using the GRC password checking tool, Haystack:


So...we find out it would take us 76.92 million trillion trillion trillion trillion centuries to search the entire space for this password, assuming we could try 100,000,000,000,000 potential matches per second. For the average case we'd halve that, but that's still a lot of time. I'd say Data has a chance at success in locking the crew out from taking back the ship!

And, if they had additional controls over guessing, like monitoring for failed attempts and time delays for additional guesses, he'd be good to go. Data would have little fear of the silly crew with their computer trying to guess the code in any reasonable time.
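The arithmetic above carried through in code, added here as an example rather than anything from GRC's Haystack tool: it derives the alphabet size from the code as spoken, sizes the search space, converts it to time at the 100,000,000,000,000 guesses per second the post assumes, and then shows what the lockout and delay controls from the last paragraph do to the attacker's guess rate. The Julian-century length and the 5-second delay per failed attempt are my assumptions.

```python
import string

# The code as Data speaks it, in two chunks; the word "lock" that follows is
# the command to apply it, not part of the secret.
DATA_CODE = "17346721476C3278977763T732V" + "731171888732476789764376"

# Assumptions, not from the post: Julian years for a century, and a 5 s delay
# per failed attempt once the throttling control is turned on.
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
THROTTLE_DELAY_SECONDS = 5.0


def alphabet_size(code: str, case_sensitive: bool = False) -> int:
    """Alphabet an attacker must assume, from the character classes present."""
    size = 0
    if any(c in string.digits for c in code):
        size += len(string.digits)                  # 10
    if any(c in string.ascii_letters for c in code):
        size += 52 if case_sensitive else 26        # the post assumes 26
    return size


def search_space(alphabet: int, length: int, up_to_length: bool = False) -> int:
    """Candidate codes of exactly `length` characters, or of every length
    1..length (the convention Haystack uses, which makes its figure larger)."""
    if up_to_length:
        return sum(alphabet ** k for k in range(1, length + 1))
    return alphabet ** length


def centuries_to_search(space: int, guesses_per_second: float,
                        average: bool = False) -> float:
    """Centuries to try the whole space, or on average half of it."""
    seconds = space / guesses_per_second
    if average:
        seconds /= 2
    return seconds / SECONDS_PER_CENTURY


def throttled_rate(delay_seconds: float, parallel_sessions: int = 1) -> float:
    """Guess rate once the computer enforces a delay per failed attempt: the
    attacker's hardware no longer matters, only how many sessions it allows."""
    return parallel_sessions / delay_seconds


def report(code: str = DATA_CODE, rate: float = 1e14) -> dict:
    """Numbers for the post's scenario: 36-character alphabet, 51-character code."""
    space = search_space(alphabet_size(code), len(code))
    return {
        "length": len(code),
        "alphabet": alphabet_size(code),
        "search_space": space,
        "centuries_full": centuries_to_search(space, rate),
        "centuries_average": centuries_to_search(space, rate, average=True),
        "centuries_throttled": centuries_to_search(
            space, throttled_rate(THROTTLE_DELAY_SECONDS, parallel_sessions=100)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:20} {value:.3e}" if isinstance(value, float) else f"{key:20} {value}")
```

With up_to_length=True the full-search figure lands within a few percent of the Haystack number quoted above; with the throttle on, even 100 parallel sessions leave the crew with nothing to hope for from raw compute.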

We find out later that he has been summoned by his father/builder/creator with a homing beacon, as his father's death is imminent. In the end, the show implies his dad passes on, and his unstable android brother Lore is back on the loose, with the custom emotion chip their father built for Data installed in Lore's brain.

Good fun!
Chris

Monday, June 17, 2013

Apple's iOS7 features good, but timing shameful...

(Full disclosure, I have an iPhone.)

Apple recently announced that they're going to add three features to try to make their phones and tablets less attractive to thieves. iOS7 will force you to re-enter your Apple ID to:

  1. erase data
  2. turn off Find My iPhone
  3. reactivate the phone after it has been erased remotely

I'd contend that Apple's long coveted iPhone actually created this smartphone theft problem in the first place. Prior to everyone wanting the "cool smartphone", phone theft occurred, but it wasn't at the same scale. Once the Apple marketing machine kicked in and the iPhone/2/3/3GS/4/4S/5 came out, and Apple fanboys and fangirls were acting snobbish about how superior their phone was to everything else on the market, people needed to have them. Those who are less scrupulous would then find ways to steal others' devices.

While I applaud the addition of these features by default, there is nothing preventing them from including these features now. You don't need a wholesale OS upgrade to get these features. Apple should have turned this on years ago, and we should not praise them for turning this on now. They could have helped to fix this problem any day of any week of any month for the last several years. I can only theorize why they haven't. Could it be that they were letting thieving, and the drama that goes along with it, help to drive up demand for their prized, and significantly profitable, devices?

One can only theorize...

In the meantime, read up on the Prey Project, and how you can activate some of these features on your phone today, like requiring an Apple ID to remove programs: http://preyproject.com/blog/2013/04/tip-stop-prey-from-being-deleted-on-iphone-ipad

Chris