Archive for Company News

Securing Ubuntu Linux with ufw and tcpwrapper

Nerd Title: Securing an Ubuntu Server with tcpwrappers and ufw.

We don’t write many cybersecurity related articles because there are plenty of other people out there also doing it, and well… we can’t be experts at everything. 

Still, once in a while we come up with a problem that has a solution so clean and elegant that we have to share it. This article will quickly explain how to set up tcpwrappers and a firewall to automatically ban users attempting to connect from unauthorized IP addresses. The process is simple: every modern Linux distribution comes with a firewall of some kind, and Ubuntu currently uses ufw. It also supports a package called ‘tcpd’, or tcpwrappers. The solution we used was to install a base set of ufw rules allowing only SSH (rate limited), HTTP, and HTTPS traffic and blocking everything else. It looks something like this:

root@acme.com:/root/# ufw status
Status: active

To Action From
-- ------ ----
22/tcp LIMIT Anywhere
443/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)

This is a common configuration, but the downside is that everybody can knock on your door and attempt to log in. You can limit how much and how fast, but basically it’s open to the public. This is where tcpwrappers comes in. You can search the internet about tcpwrappers; there are many online explanations and guides about it. Tcpwrappers has been around a long time, and they never changed the goofy name, but essentially it works by checking two files, /etc/hosts.allow and /etc/hosts.deny, to see if you’re a good guy or a bad guy, and what to do with you. This is where the fun comes in. (Note, you’ll need root permissions to do this.)

First you have to install tcpwrappers – “sudo apt install tcpd”

Then edit the /etc/hosts.allow file and add the services you would use, something like this (change your own hostnames or IP addresses you want to allow in):

ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server

The IP addresses or hostnames with ALL: in front are allowed into the server for whatever port or service they connect to, as long as the firewall rule allows it. This is your “whitelist” of good guys to let in the door. The big difference here is that unlike firewall rules, tcpwrappers allows for hostnames, so if you have a dynamic IP address with a hostname (like dyndns.org), you don’t have to update the firewall rules each time. Need to add a new remote host that should be allowed to access ssh? Add it here.

Next, edit the /etc/hosts.deny file and add the following string (it should all be on one line):

ALL: ALL: spawn ((/usr/local/bin/banip.sh %a; /bin/echo -ne "user = %u; client = %h; server = %H; process = %d; PID = %p date = "; /bin/date) >> /var/log/tcpwrappers.log &)

This single line blocks everybody from everything that isn’t in the whitelist above. Notice also that tcpwrappers calls a shell script called /usr/local/bin/banip.sh, passing it the remote client. This script calls “ufw” to write a firewall rule that bans the remote attacker for good. You can put this wherever you want, but the script should look something like this:

#!/bin/bash
# This script bans an IP address using Ubuntu's ufw.
# tcpwrappers calls it from hosts.deny with the client as $1; run by hand
# with no arguments it prompts for an address instead.
set -u

if [ "$(id -u)" -ne 0 ]; then
    echo "you must be root to run $0" >&2
    exit 1
fi

ban() {
    # ufw only accepts addresses, not host names, so reject anything else.
    case "$1" in
        "" | *[!0-9.]*) echo "not an IPv4 address: $1" >&2; return 1 ;;
    esac
    echo "Blocking $1"
    # ufw evaluates rules in order, so the deny must sit ahead of the
    # existing LIMIT rule for port 22 or it would never be reached.
    ufw insert 1 deny from "$1" to any port 22 proto tcp
}

if [ $# -eq 0 ]; then
    echo -n "Enter the IP Address: "
    read -r IP
    echo -n "You entered $IP, correct? (Y/N) "
    read -r ans
    if [ "$ans" = "y" ] || [ "$ans" = "Y" ]; then
        ban "$IP"
    else
        echo "Ok, quitting."
    fi
else
    ban "$1"
fi

This is a very simple script that takes an IP address and adds a ufw rule denying it access to port 22. If you run it manually without any arguments it will ask you for an IP address to ban.

The spawn command in hosts.deny also appends a line to /var/log/tcpwrappers.log, so you can see where people have tried to gain access to your server and been shut out:

Blocking 106.75.251.140
Skipping adding existing rule
user = unknown; client = 106.75.251.140; server = 45.33.101.254; process = sshd; PID = 78110 date = Fri 13 Nov 2020 04:54:48 AM UTC
Blocking 84-255-249-179.static.t-2.net
user = unknown; client = 84-255-249-179.static.t-2.net; server = 45.33.101.254; process = sshd; PID = 78153 date = Fri 13 Nov 2020 04:55:19 AM UTC
Blocking ns3268691.ip-5-39-81.eu
user = unknown; client = ns3268691.ip-5-39-81.eu; server = 45.33.101.254; process = sshd; PID = 78167 date = Fri 13 Nov 2020 04:55:36 AM UTC
Blocking 118.24.48.15

You can also see a list of banned IP addresses by typing “ufw status”. If you’ve accidentally banned an IP you didn’t mean to, you can unban it with “ufw delete rule#”, where rule# is the number of the line in “ufw status numbered” that you want to remove. Note that this list can get rather long, as there are people with nothing better to do than write scripts to try to break into whatever servers they can find. In the short time I wrote up this article, I had 32 attempts on my demo server alone. If you need to reset, you can just type “ufw reset”, but that resets everything back to factory defaults. You can use a quick script to do this also:

# Disable, wipe, and rebuild the base rule set from scratch.
# "limit ssh" already covers 22/tcp, so a separate "allow 22/tcp" is not needed.
sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw limit ssh \
&& sudo ufw allow 80/tcp \
&& sudo ufw allow 443/tcp \
&& sudo ufw --force enable

This has been a very fundamental explanation of how to easily allow remote access while also keeping the bad guys out at the same time, using a blend of the old (tcpwrappers was written in the 1990s) and the new.
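To make the decision order concrete, here is a small Python model of how tcpwrappers evaluates hosts.allow and hosts.deny, added for this write-up (it is not code from the original post or from the tcpd package). It embeds constructed copies of the two files, handles the common hosts_access(5) pattern forms, and shows why the catch-all ALL: ALL line in hosts.deny matters: a client that matches neither file is let in.

```python
import ipaddress

# Constructed copies of the two files from the write-up (edit to taste).
HOSTS_ALLOW = """\
ALL: 127.0.0.1
smtps: ALL
imaps: ALL
ALL: 43.79.214.93                 # Work Server
ALL: 71.60.242.15                 # Home
ALL: rockhouse.mynetgear.com      # Home
ALL: 172.210.145.232              # Testing Cloud Server
"""
HOSTS_DENY = "ALL: ALL: spawn (/usr/local/bin/banip.sh %a)\n"


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemon list, client list) pairs.

    Simplified: '#' comments are stripped anywhere, the optional shell
    command field is ignored, EXCEPT/KNOWN/UNKNOWN/PARANOID are not handled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank, comment, or malformed line
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, hostname=None):
    """Match one client pattern against the connecting host.

    Covers ALL, LOCAL, an address, a host name, '.domain' suffix, 'net.'
    prefix, and net/mask or CIDR. Name patterns only match when tcpd knows
    the client's name (reverse DNS); an unresolvable host never matches
    the rockhouse.mynetgear.com entry."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            if "." in mask:  # n.n.n.n/m.m.m.m form: convert mask to a prefix
                mask = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if hostname is not None and pattern.lower() == hostname.lower():
        return True
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)
    except ValueError:
        return False  # a host-name pattern, and the client has no name


def rule_matches(rules, daemon, addr, hostname=None):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, addr, hostname) for c in clients)
        for daemons, clients in rules)


def access_decision(daemon, addr, hostname=None,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: hosts.allow first, then hosts.deny, otherwise allow."""
    if rule_matches(parse_rules(allow_text), daemon, addr, hostname):
        return "allow"
    if rule_matches(parse_rules(deny_text), daemon, addr, hostname):
        return "deny"
    return "allow"  # matched neither file: tcpd lets the connection in


if __name__ == "__main__":
    for who in [("sshd", "71.60.242.15"), ("sshd", "203.0.113.9"), ("imaps", "203.0.113.9")]:
        print(who, "->", access_decision(*who))
```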

Posted in: Company News


Coronavirus COVID-19 Disinfection on the Cheap

Coronavirus (COVID-19) has gathered significant attention worldwide because of how dangerous the virus is, how easily it spreads, and how difficult it is to detect.   So most people, whether government, professional, or civilian, are looking for an easy way to protect themselves and others as best they can.   Things like facial and toilet tissue, surgical masks, and hand sanitizers are selling out in stores and online.   As the number of cases in the US increase, so will the panic.  

But the military has dealt with this kind of thing for a long time, and the number one thing they rely upon for disinfecting is good old fashioned Sodium or Calcium Hypochlorite, also known as “bleach”. There are many kinds of bleach, but Sodium Hypochlorite is typically referred to as “Clorox” bleach. Both Sodium and Calcium Hypochlorite are widely available, but we prefer Calcium Hypochlorite because it typically contains more available chlorine per volume than Sodium Hypochlorite. Bleach is a generic term which describes a chemical with the inherent properties of removing color, whitening, and disinfecting. It does this by oxidation, which with “Clorox” is a chemical reaction that causes the proteins in germs to lose their cellular structure, thus destroying them.

“So what?”  Everybody knows that bleach kills germs.   Yes, but did you know that even a small concentration of bleach kills germs?  You don’t need to dump a gallon of Clorox on everything to kill germs.   You can dilute it down to as little as .5% and still effectively kill germs on contact.  You can even dilute down to .05% and still be effective, but the exposure time becomes much longer.   So what do we (“not-healthcare professionals”) suggest for every day people to use this solution?  

Something as simple as a mini-spray bottle (think travel size pump hair spray bottle) with a .5% solution of Calcium Hypochlorite in water will be easily portable and moderately effective for most uses. The dilution ratio doesn’t have to be exact, but it should be close. If it’s a little higher that’s okay, but don’t go crazy. The concentration will determine HOW LONG you must maintain contact with the solution, so start with a known concentration and then blend down. Bleach is a reactive chemical, and deteriorates over time in higher concentrations, so choose a product that is individually sealed and use as needed. The lower concentration of .5% should last for months in a sealed container. For our mixture, we liked something like this pool product from Amazon.com. It is 68% concentration in powder form in 1lb packs. To make a 55 gallon drum of .5% solution, mix approximately 3 1/4 lbs of powder to 55 gallons of water. Or for each gallon, add ~1 oz of Calcium Hypochlorite and mix thoroughly. Remember that because it’s a solid powder it won’t mix easily in water, so if possible use warm water to help it dissolve more quickly and thoroughly.

So, fill the spray pump bottles and toss them in your pocket, your office drawer, your glove box, or backpack.  Spray on anything you want to touch, or on your hands after you’ve touched something you shouldn’t have.  Rub in thoroughly.  The .5% concentration shouldn’t discolor most fabrics or materials, but will definitely have a slight chlorine odor to it.  You can add scents to the mixture if desired to make it more tolerable for those sensitive to chloramine smells, but don’t add so much that it dilutes the solution to be ineffective.   

For more information see the US Army Public Health Command bulletin on Preparing and Measuring High Chlorine Concentration Solutions for Disinfection:  TIP_No_13-034-1114_Prepare_Measure_High_Chlorine_Solutions

Posted in: Company News


HID Signo Readers Announced.

HID announced an entirely new reader line today, called Signo.  What’s immediately noticeable is they are more sleek and stylish than the iClass R or RP models, but looking further, we found that there are some distinct differences that might just make switching to this new reader platform sensible.

For starters, the keypad reader model looks more functional, and the mullion keypad reader is a definite necessity. The keypads are capacitive touch style, which should make them more reliable in harsh environments.

Dimensions for the readers are almost identical, with the Signo readers being a little slimmer, but probably not by very much. See the Feature Comparison Matrix below.

What’s missing though, like in the RP series, is a long range parking lot reader like the R90.  This is a needed technology that should be added in the future (are you listening, HID?).

The Signo series seems to lump all the reader technologies in together, making the product selection a little less confusing than previous iClass reader selections.  This is most welcomed.  Supported technologies are 125Khz proximity, iClass, SEOS, Mifare, plus mobile credentials via Bluetooth and NFC, plus Apple’s Enhanced Contactless Polling technology for apple wallet credentials.  

Other features are better support for crypto keys (no more base encryption key in the wild, for now), automatic tuning/detuning for optimized read range, and OSDP support out of the box. Reader tamper is now a dry contact relay (THANK YOU). But the biggest thing installers are going to enjoy is that the Signo readers support remote management. No more configuration cards to go around to every reader just to turn off the 125Khz prox read feature set. This should have been done LONG AGO. Firmware updates, configuration, and reader management can be done via mobile device or over OSDP (assuming your PACS supports it).

From our take, these readers appear to have been developed largely for the Campus environment (the Apple ECP is a dead giveaway), but certainly have the feature sets that would make them desirable in the commercial, government, and industrial markets as well.  We don’t  have any evaluation copies yet, but will definitely be looking at these for new projects where they fit and offer additional security, style, and convenience.

Feature Comparison Matrix

Reader             RP40                          Signo 40
Dimensions         3.3″ x 4.8″ x 1.0″            3.15″ x 4.78″ x 0.77″
Read Range (typ)   iCLASS: 2.4″                  iCLASS: 1.6″ to 4″
                   125Khz Prox: 2.8″ to 4.3″     125Khz Prox: 2.4″ to 4″
Power              85ma @ 16VDC                  75ma @ 12VDC
Comm               Wiegand & (optional) OSDP     Wiegand & OSDP
Reader Tamper      Open Collector Output         Dry Contact Relay
Configuration      Programming Cards             Mobile Device or OSDP
Weatherproof       If optional gasket installed  Yes
Certifications     UL294, EAL5+                  UL294, EAL6+
Price              ~$200.00                      ~$200.00

Posted in: Access Control, Company News, Security Technology


Why You Should Be Skeptical of Security Apps in the Cloud

The “Cloud” for most people has become an integral part of our daily lives.  It’s everywhere, yet many people couldn’t tell you what the cloud really is if you asked them.  It’s just there. 

In a nutshell, the cloud could be defined as “an internet server you don’t own, yet hosts your data”. All this means is you’re using Software as a Service (SaaS): someone else has developed the application, hosts it on their server, and you use it, or maybe even pay for it via subscription (like Ring or Canary).

Yet all too often, when we really closely inspect these services or applications we tend to find flaws, or sometimes downright intentional abuse, that lead to exposing more of our personal data than we would like. In the case of many apps for home or personal use, we can choose to accept some loss of privacy in exchange for the free or bundled software and storage. However, in the business world this is rarely tolerated, and in some cases it’s against the law.

For a fantastic example of this abuse, the Electronic Frontier Foundation has published an excellent article about Ring and its application that exposes multiple abuses of privacy.    The biggest takeaway from the article for us was that Ring appears to be using pinned certificates in a way that prevented data security experts from analyzing encrypted traffic generated from the application itself.   Now imagine an app from a state sponsored corporate entity like Huawei sending images, stored files, GPS data, voice recordings, or video from your phone or tablet to some server in another country.  See how big the risk is?

Click the link below to read the full article, but this summary puts it best:

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.”

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

Posted in: Company News


Quantum Resistant Encrypted Communications

If quantum computing can reduce previous calculation times of decades down to seconds, then what does that spell for current military, government, and corporate technologies that rely on encryption algorithms? The current idea is that encryption isn’t unbreakable, it’s just not practical to break, because by the time a brute-force attack recovers the message, it’s no longer relevant and most likely the encryption key (or even the mechanism) has changed. With quantum computing, this all goes out the window, as now brute force decryption could theoretically be done in real time. This terrifies everyone, and rightfully so.

What about Blockchain? Under the bitcoin blockchain algorithm, the mining difficulty is adjusted after every 2016 blocks are mined. This is typically an incremental increase or decrease as more or fewer hardware resources are thrown at mining bitcoin. Thus, if you added a super quantum computer (or cluster of quantum computers), the difficulty would proportionally (and drastically) increase with the number of blocks that were mined (just in a much shorter time frame).

On October 23, 2019, Bitcoin’s price fell from around $8200 per bitcoin to under $7400 in a matter of minutes, because Google announced that Sycamore, its quantum computing platform, had achieved “quantum supremacy” and passed an impossible test.  The premise is that it completed a test calculation in 200 seconds that would take the world’s most powerful supercomputer 10,000 years to finish.   While the claim is somewhat questionable, there is no doubt that quantum computing has taken a foothold and will only advance from here.

Google Sycamore Quantum Computer

The problem here is that someone trying to break the encryption isn’t likely to be actively participating in the blockchain.  They’re just going to be trying to decrypt packets or streams, or whatever they are intercepting and trying to decrypt.  So unless the encrypted blockchain communications platform changed the encryption difficulty to a level that it couldn’t actively mine itself (thus defeating the point of encryption to begin with), the communications would always be deciphered by the quantum computer.   Thus… all encrypted communications would have to be done with quantum computers.   It’s another round of keeping up with the bad guys, and technology has to step up to meet the challenge.

The downside is that this is financially well outside the possibility for most businesses and private individuals, meaning we are back to the equivalent of clear text passwords and messages as well as unencrypted financial transactions.   This would be disastrous for the financial and credit industries, as well as creating havoc in terms of privacy act enforcement, worldwide (think GDPR). 

How this plays out is anybody’s guess right now and the technology isn’t quite there, but in the meantime, all one can do is hope that Google really means it when they say “Don’t Be Evil”.

Posted in: Company News


NSA Warns: Update Windows Or Else

For the first time I’ve ever seen, the National Security Agency has made a public announcement about a private company’s product, warning that all Windows users that are still using older versions of Microsoft Windows XP, Vista, Windows Server 2003/2008, or Windows 7 should upgrade or face serious remote exploit risks. Their advisory can be found here: https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/

Honestly though, if you’re still using Windows XP or Windows 2000 and it’s connected to the internet, you kinda deserve everything you get. I get it, there are still some ancient programs out there that never got upgraded and you just “can’t live without it”. And I can even understand if you’re still using Windows 7 (by the way, patch that too), but really, it’s been 18 years since Windows XP was released… stop clinging and move on.

Further information from the Microsoft CVE-2019-0708 security advisory:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the Remote Desktop Protocol (RDP) and will block attempts to establish a connection.
  • Enable Network Level Authentication. With NLA enabled, attackers would first have to authenticate to RDS in order to successfully exploit the vulnerability. NLA is available on the Windows® 7, Windows Server® 2008 and Windows Server® 2008 R2 operating systems.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
  • Note that Windows® 10 systems are already protected from this vulnerability, as it only affects the older versions of Windows® listed above.

Posted in: Company News


2019 Q3 and Q4 Class Schedule

The following North Carolina SP-FA/LV Exam Prep classes are set for the remainder of the 2019 calendar:

  • August 14, 2019 8:00A – 5:00P Greensboro ADI, 4500 Green Point Dr #103, Greensboro, NC 27410
  • October 16, 2019 8:00A – 5:00P Raleigh ADI, 2741 Noblin Rd # 101, Raleigh, NC 27604
  • December 11, 2019 8:00A – 5:00P Greensboro ADI, 4500 Green Point Dr #103, Greensboro, NC 27410

For additional information or registrations, contact National Training Center at (702) 648-8899 or sales@nationaltrainingcenter.net. Or register on-line at http://www.nationaltrainingcenter.net/index.xml.
Full NTC class schedule link: http://www.nationaltrainingcenter.net/instructor-led-training.xml

Posted in: Company News


Bitcoin Hacked! Hackers steal $70M dollars! And Other Sensational Journalism…

Bitcoin… Another story. The mainstream media, in their usual quest for drama and ratings, is in a fever pitch about the December 5 hack of Nicehash.com that resulted in the theft of over 4736 bitcoins (~$77M dollars as of this writing). See here for what is claimed to be the blockchain identifier for the transfer: https://blockchain.info/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq

The claim that seems the most ridiculous is that “Bitcoin is NOT safe, and is hackable!”.   This is nonsense, and it is like saying that the US dollar isn’t safe because your neighborhood Bank of America was robbed.  The fact is, nicehash.com didn’t have adequate security measures in place to prevent the hack (even with the most annoying Captcha I’ve ever used), and it probably has ruined the company.

Nicehash was a very popular and easy to use mining service where people (including myself) could mine for Bitcoin (and other cryptocurrencies) using their PC or specialized hardware built for mining. Nicehash pays miners a “fee” for mining cryptocurrencies, and pays them on a round basis. The nice thing was they paid in bitcoin, no matter what coin you were actually mining. Naturally, they had to have a pretty large amount of bitcoin to be able to make these payments, and they advertised it regularly on the web.

Nicehash also had a policy of not making payments to external wallets (meaning, under the control of the individual miner, and not on nicehash.com) unless they had a mining balance of .01 bitcoin or more. That’s about $170.00 and many miners had just slightly less than that balance that was stolen from the community wallet that nicehash.com paid miners from. And because Bitcoin transfers are generally not traceable to an individual, the money is gone. In short, everybody loses.

The trouble set in when someone, somehow, found a way to get into their Bitcoin wallet and transfer the coins out to themselves. The FBI is almost certainly involved, as well as Interpol, Europol, and possibly some other European or Slovenian police agencies.

So why still invest in Bitcoin? Because Bitcoin is based on a blockchain technology that is very reliable and secure. The concept of bitcoin and its blockchain is not hackable in itself. Rather, nicehash.com was hacked and lost their bitcoin. There are different types of blockchain strategies, and some are more efficient, quick, secure, and anonymous than others. Bitcoin was the first cryptocurrency to use this concept, and while you can “see” what address funds are transferred to and from, you cannot see “where” physically (geographically) or any other identifying information for who or where the funds were sent to or from.

So what is blockchain? Google is your friend here, as there are tons of videos and wikis about blockchain and how the different types all work. But in a (very simplistic) nutshell, blockchain is the concept that all transactions in an ecosystem use a distributed cryptographic ledger, and most importantly, the SAME ledger. This means that if Zack, Sally, Mike and Kim are all in a trading club and are sending money to each other, they each have a copy of the ledger, and when Mike sends Zack funds, it is recorded on all four ledgers and the ledgers all have to agree (using a cryptographic algorithm) on the transaction date/time, amount, and transferee’s bitcoin address. If they don’t agree, the transaction is invalid and is rejected, thereby preventing someone from just inserting a million dollar credit into their own ledger. As you can also imagine, for something like Bitcoin that’s been logging and recording all these transactions since 2009, that ledger can be quite large… about 2 gigabytes large… and still growing.

The cool thing is this technology can be applied to other types of transactions, such as deed transfers, contracts, information exchanges, or gaming, to name a few. Because the transaction is secure, encrypted, and shared, it is virtually “hackproof”.  What isn’t “hackproof” is anything stored online, like Nicehash’s wallet,  or any other online wallet that you yourself don’t have the private keys for and can transfer to cold storage.   Online wallets are very convenient.  Coindesk.com is very popular and has exploded in recent weeks due to the popularity and price spike for Bitcoin, but it’s generally not considered a good idea to keep large sums of Bitcoin stored there unless you have an immediate need for it.  Keep it in an offline wallet and use cold storage.

So in short, Bitcoin is just like any other fiat cash currency, the bearer holds the value, and if you don’t take steps to protect it, someone else can (and probably will) steal it.

Posted in: Company News


Door Handedness

One of the questions that comes up all the time in access control design layouts is door handedness.  It’s not a hard concept to understand once you see it graphically, but it’s sometimes tough to remember in the field if you’re not accustomed to working with door hardware on a daily basis.

While we would typically prefer security doors to swing into the secured space (easier to barricade if needed in an emergency and the hinges are typically on the secured side), usually the handedness of a door isn’t left up to security and is based more upon building code and/or the function of the space.

The following graphic explains it better than I’ve seen it anywhere, and shows you the door swing based upon being on the Outside (or “unsecured” side where the card reader or key would be).

Courtesy of Specialtydoors.com

Also, note from the table below that a Left Hand door isn’t the same as a Right Hand Reverse door, as the lock hardware has to change in order to be able to latch properly.

  • Left Hand: Door swings inward to the Left, uses LH Hinge, LH Strike, LH Lock.
  • Right Hand: Door swings inward to the Right, uses RH Hinge, RH Strike, and RH Lock.
  • Left Hand Reverse: Door swings outward to the Left, uses RH Hinge, RH Strike, and LH Lock.
  • Right Hand Reverse: Door swings outward to the Right, uses LH Hinge, LH Strike, and RH Lock.

So next time someone says that a door is a “Right Hand Reverse” door, you’ll know that they really mean the door swings out to the right towards you if you’re standing on the outside.

Posted in: Company News


Kile Unterzuber Receives NCESA President’s Award

We are proud to announce Kile Unterzuber has received the 2017 President’s Award by the North Carolina Electronic Security Association.

“The recipient of the 2017 President’s Award has been an outstanding leader to the NCESA for many years.  His exceptional ability to lead the industry in educational advancement has been respected and admired for many years.  His leadership passion has provided direction and pathways for the organizations through top level education.    The never-ending work of this volunteer has earned him the reputation of an unselfish and highly accountable industry advocate.  With many years of industry experience, Kile has proven through his honorable and ethical character that community and industry service is essential. He has always dedicated himself to better the world around him and the industries he serves.” — Chris Lohr, President NCESA

Posted in: Company News
