Friday, March 23, 2018

7 good habits for securing your Windows 7 PC

Old laptops running Windows 7 are sitting around gathering dust. Depending on your style, you can trade them in for the latest cutting-edge PC, or you can get value out of them with a memory upgrade and careful use. Besides, if some installed software only runs on an old Windows platform like Windows 7, upgrading the operating system is not an option.

An old operating system poses security risks to your network. The vendor supports these branches less actively, so bug fixes are released less frequently (Windows 7 is in extended support until January 2020, after which no fixes come at all). It is tempting to assume attackers lose interest too, and it is true that new vulnerability research concentrates on current platforms, so fresh zero-days for old Windows are rarer. But old, well-documented exploits keep working against unpatched boxes for years, and automated malware does not care how old its target is. An old box needs more discipline, not less.

Defending Windows in depth can feel like it requires a PhD. With good habits, however, these old but not obsolete Windows 7 boxes can still be put to practical use.

  1. Use a standard user account instead of an administrator account for your everyday work, and set a strong password on every account, the administrator account included.
  2. Enable automatic Windows Update so the latest security fixes and system enhancements are installed. Microsoft is the key player in defending Windows; as long as a vulnerability is found in a supported Windows release, Microsoft patches it. These patches are critical to keeping your PC safe from malware. To take control of your computer, malware has to execute code and usually has to escalate its privileges, and some bug is needed for that: a memory-corruption flaw in the OS or in software that parses untrusted input (browsers, document readers, media players), or a privilege-escalation bug in Windows itself. Windows Update closes the holes in Microsoft's code that attackers look for; third-party software needs its own updates.
  3. Avoid using IE, disable ActiveX, and use another browser such as Chrome or Firefox instead. It sounds harsh on Microsoft, but ActiveX is one of the main reasons Microsoft earned its "evil" reputation in popular culture. Attackers work hard for the ability to run code on a target, and ActiveX hands it out cheaply: controls are native code that runs with the browser's privileges, and a vulnerable or malicious control that IE agrees to load lets a web page execute code on the host. That opened the door to drive-by infections: just by browsing a page carrying malicious content, IE could download and install malware without you noticing. Microsoft dropped ActiveX from Edge, the replacement for IE, but at the time of this post Edge has not been ported from Windows 10 to Windows 7, so Chrome or Firefox is the better choice there from a security perspective.
  4. Run anti-malware software and keep it up to date. On Windows 7, Windows Defender covers only spyware and potentially unwanted software; Microsoft's free full antivirus for Windows 7 is Microsoft Security Essentials, which disables Defender when installed. Third-party products such as Norton are the alternative. Running two real-time scanners risks conflicts; the bottom line is that you have to have one, kept current. These products scan the computer for known malware signatures and suspicious behaviour and quarantine what they catch. Windows Defender used to score much lower than its competitors, but since Windows 10 it has caught up. Microsoft's own product has the advantage of being free and intimately integrated with Windows, a proprietary operating system, which in principle gives it a better chance of detecting rootkits that tamper with OS internals.
  5. Enable Windows Firewall. It helps prevent attackers or malicious software from reaching your computer over the internet or the local network. Classify untrusted networks as "Public", the profile whose defaults block unsolicited inbound connections.
  6. Only install software from reputable sources. The difference between bad software and malware is just your perception. A careless developer can ship a program that hands attackers bugs to exploit, slows your computer by hogging resources, refuses to be uninstalled, or quietly sends your sensitive data out to the internet. Blocking a rogue application's inbound and outbound traffic with Windows Firewall rules stops it from phoning home until you find a way to erase it from disk; note that Windows Firewall allows all outbound traffic by default, so an outbound block rule for that program has to be created explicitly.
  7. Avoid visiting dangerous websites. If you have to visit them, do it from a separate guest or standard account rather than from your everyday one.

Thursday, March 22, 2018

Enable firewall logs on macOS High Sierra

Mac OS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports opened for legitimate apps. It governs incoming connections only; nothing in it filters or logs outbound traffic.


To enable it, go to System Preferences -> Security & Privacy -> Firewall, then Firewall Options.
You can choose among a few options. The most restrictive is "Block all incoming connections", which refuses every inbound connection except those needed for basic services such as DHCP, Bonjour and IPsec. A separate option, "Enable stealth mode", stops the Mac responding to probes such as ICMP ping, so attackers scanning from outside cannot easily discover that it exists.

However, if malware is already installed on your computer, such as a keylogger, adware or a backdoor (in practice this kind of malware has been rare on Mac OS X, but there is no guarantee the landscape won't change), even blocking all incoming connections won't help. The keylogger, adware or backdoor initiates an outbound connection to give away your sensitive data, and the application firewall neither blocks nor logs outbound traffic. Such traffic is generally small and easy to hide among normal traffic such as your web browsing.

Installing a dedicated IDS/IPS/UTM device in your home network is the thorough solution. However, if you have some experience with stateful firewalls, you can detect suspicious outbound traffic by reviewing and searching firewall logs on both the endpoint and the gateway (some oddness stands out easily, like traffic in the middle of the night). An IDS/IPS/UTM is in essence a collection of such search-and-match actions, automated. Keep in mind that the application firewall log on the Mac records inbound decisions only; for outbound connections, the gateway's connection log is the authoritative source, and on the Mac itself lsof -i or nettop shows which processes currently hold network connections.

By default, the firewall log on macOS High Sierra is empty. Turning on the firewall enables logging, but the logging option defaults to "throttled", which drops almost everything. You have to change it to "detail" or "brief". Check the current setting with the first command below and change it with the second:

/usr/libexec/ApplicationFirewall/socketfilterfw --getloggingopt

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail

Once the setting is changed, you can view the firewall log either from the command line

tail -F /var/log/appfirewall.log


or from Finder -> Applications -> Utilities -> Console.
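The review step above, turned into a small script. This is an added example and not part of the original post: it flags the two kinds of oddness the post mentions, denied connections and connection attempts during the quiet hours of the night, in appfirewall.log lines. The sample lines are constructed here, and the assumed layout (syslog timestamp, host, socketfilterfw process, then "Allow" or "Deny", then the application name) is an assumption; the real detail-mode format varies between macOS versions, so adjust the field numbers if your log differs. The quiet window and the helper function names are also the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): review macOS application
# firewall log lines for the "oddness" the post mentions, i.e. off-hours
# connection attempts and outright denials.
# Assumption: lines follow the syslog-style layout shown in SAMPLE_LOG;
# real appfirewall.log detail lines differ between macOS versions.

# Quiet window, inclusive hours in local time (assumption: nobody should be
# at the keyboard between midnight and 05:59).
QUIET_START=${QUIET_START:-0}
QUIET_END=${QUIET_END:-5}

# Constructed sample, NOT captured from a real machine.
SAMPLE_LOG='Mar 22 09:14:02 macbook socketfilterfw[119] <Info>: Allow Safari connecting from 192.168.2.7:49212 to port 443 proto=6
Mar 22 13:40:11 macbook socketfilterfw[119] <Info>: Allow Dropbox connecting from 192.168.2.7:49301 to port 443 proto=6
Mar 22 02:13:45 macbook socketfilterfw[119] <Info>: Allow updaterd connecting from 192.168.2.7:52011 to port 8443 proto=6
Mar 22 14:02:09 macbook socketfilterfw[119] <Info>: Deny nc connecting from 192.168.2.7:52100 to port 4444 proto=6'

# flag_suspicious: read log lines on stdin and print the ones worth a second
# look, prefixed with the reason and the application name.
# Field layout assumed: $3 = HH:MM:SS, $7 = Allow|Deny, $8 = application.
flag_suspicious() {
    awk -v qs="$QUIET_START" -v qe="$QUIET_END" '
        {
            split($3, t, ":"); hour = t[1] + 0
            verb = $7; app = $8
            reason = ""
            if (verb == "Deny") reason = "denied"
            else if (hour >= qs && hour <= qe) reason = "off-hours"
            if (reason != "") printf "%s\t%s\t%s\n", reason, app, $0
        }'
}

# count_flagged: number of flagged lines in the log text passed as $1.
count_flagged() {
    printf '%s\n' "$1" | flag_suspicious | wc -l | tr -d ' '
}

# enable_detail_logging: raise the logging level, but only where the
# socketfilterfw binary exists (i.e. when actually run on a Mac).
enable_detail_logging() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ -x "$fw" ]; then
        sudo "$fw" --setloggingopt detail
    else
        echo "socketfilterfw not found; skipping" >&2
        return 1
    fi
}

# Run the review over the constructed sample: prints the 02:13 connection
# and the denied nc attempt, not the two daytime Allow lines.
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
```

On a real machine, replace the sample with tail -n 5000 /var/log/appfirewall.log | flag_suspicious after running enable_detail_logging. Because the application firewall only sees inbound connections, treat this as one half of the picture; the gateway's logs cover the outbound half.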

Wednesday, March 21, 2018

ifconfig output on macOS High Sierra

On a typical Mac, typing ifconfig on the command line gives a long list of interfaces.

network>ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000 
inet6 ::1 prefixlen 128 
inet6 xxx prefixlen 64 scopeid 0x1 
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC29: flags=0<> mtu 0
EHC26: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
ether xxx 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (none)
status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether xxx 
inet6 xxx prefixlen 64 secured scopeid 0x8 
inet xxx netmask 0xffffff00 broadcast 192.168.2.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether xxx 
media: autoselect <full-duplex>
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr xxx 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether xxx 
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether xxx 
inet6 xxx%awdl0 prefixlen 64 scopeid 0xc 
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether xxx 
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en2 flags=3<LEARNING,DISCOVER>
        ifmaxaddr 0 port 9 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 xxx%utun0 prefixlen 64 scopeid 0xe 
nd6 options=201<PERFORMNUD,DAD>
network>

The following are explanations of these interfaces:

lo0 is the loopback device, used for entirely internal communication, such as between two applications running on localhost.

gif0 is the gif interface, a generic tunnelling device for IPv4 and IPv6. It can tunnel IPv[46] traffic over IPv[46], so there are four possible configurations. Its behaviour is mainly based on the RFC 2893 IPv6-over-IPv4 configured tunnel. It is present by default on Mac OS X and, left unconfigured, is not a security concern.


stf0 is the Six-To-Four interface. 6to4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to version 6 (IPv6): it allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without configuring explicit tunnels, and special relay servers allow 6to4 networks to communicate with native IPv6 networks. It is a default interface and, left unconfigured, not a security concern.

EHC29, EHC26, XHC20
With macOS High Sierra you can use Wireshark to capture USB traffic. The interface has to be brought up or down manually with ifconfig to enable or disable packet capture for the specific controller. The capture interfaces are named after the underlying controller type (EHC for an EHCI/USB 2.0 controller, XHC for an XHCI/USB 3.0 controller) followed by the bus number:

$ ifconfig
EHC26: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
EHC29: flags=0<> mtu 0

$ ioreg -w0 -rc AppleUSBHostController
+-o XHC1@1400
+-o EHC2@1a00
+-o EHC1@1d00

The ioreg names have the form NAME@LOCATION, where the most significant byte of the location is the bus number in hex. XHC1@1400 is therefore bus 0x14 = 20, which is the capture interface XHC20; likewise EHC2@1a00 is EHC26 and EHC1@1d00 is EHC29. If the device you're interested in is connected to the XHCI controller XHC1@1400, enable packet capture with

sudo ifconfig XHC20 up

and disable it with

sudo ifconfig XHC20 down

Once the interface is up, Wireshark can capture, decode and filter USB traffic for that controller.
These interfaces exist by default on macOS High Sierra and are not a security concern in themselves.

en0, en1, en2
These are the Ethernet-style network interfaces. On a Mac they cover wired Ethernet, Wi-Fi (AirPort), Bluetooth PAN and the Thunderbolt ports, and which number maps to which port varies by model. In the listing above, en1 is active and holds the IPv4 address, so it is the Wi-Fi interface in use; en0 reports media "autoselect (none)" and is inactive, which is what a wired port without a cable looks like; and en2 is a Thunderbolt port, since bridge0 below lists it as a member (bridge membership is also why en2 carries the PROMISC flag). To map each enN to its hardware port definitively, run networksetup -listallhardwareports.


fw0 is networking over FireWire (IP over IEEE 1394). You can connect a FireWire cable between two Macs and OS X can use that cable as a network connection.


bridge0 is the Thunderbolt Bridge. You can connect two Thunderbolt-equipped Macs with a Thunderbolt cable and use IP to communicate between them; the bridge's member interfaces are the Thunderbolt ports (en2 in the listing above).

p2p0 is the Wi-Fi peer-to-peer interface, a companion to awdl0 used for direct Wi-Fi links between Apple devices (AirDrop and similar). It is not a serial or PPP interface: a USB serial device such as an Arduino shows up as a /dev/tty.usbmodem* or /dev/tty.usbserial* device node, not as a network interface.

awdl0 is AWDL (Apple Wireless Direct Link), a low-latency, high-speed Wi-Fi peer-to-peer link Apple uses everywhere you'd expect: AirDrop, GameKit (which also uses Bluetooth), AirPlay, and perhaps elsewhere. It works over its own dedicated network interface, typically "awdl0". By having multiple interfaces, Apple can keep your standard Wi-Fi connection on en* while still broadcasting, browsing and resolving peer-to-peer connections on awdl0. It stays active even when you are not using any of those features, which is why it shows "status: active" above.


utun0 is a user-space tunnel (TUN) interface. On macOS, utun interfaces are created by VPN clients and by the system itself (Back to My Mac in this era commonly creates a utun0 carrying only an IPv6 address, which matches the listing above). They are not VirtualBox's doing: VirtualBox host-only networking appears as vboxnet0, and its NAT mode needs no host interface at all. TUN (network TUNnel) simulates a network-layer device and operates on layer 3 packets such as IP packets, so it is used with routing. Packets sent by the operating system via a TUN device are delivered to a user-space program that attaches itself to the device, and that program may also pass packets into the TUN device, in which case the device delivers (or "injects") them into the operating system's network stack, emulating their reception from an external source.

vmnet* interfaces are created by VMware Fusion to provide networking to your virtual machines. There is one per network type rather than one per VM: vmnet1 for host-only networking and vmnet8 for NAT.
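A quick audit based on the interface families explained above, as an added example that is not part of the original post: it parses ifconfig output, lists which interfaces are active, and reports any interface whose name does not belong to a family the post accounts for (plus the vmnet and vboxnet adapters it mentions). The sample output is constructed for the example, abridged from the post's listing with one extra interface appended so the check has something to report; the allowlist and the function names are the example's own choices, and anything it reports is a prompt to investigate, not proof of a problem.

```shell
#!/bin/sh
# Added example, not from the original post: audit `ifconfig` output against
# the interface families explained above and report anything outside them,
# plus which interfaces are currently active.
# Assumption: BSD/macOS layout, i.e. "name: flags=..." header lines followed
# by indented detail lines.

# Prefixes the post accounts for on a stock High Sierra install, plus the
# virtualization adapters it mentions (vmnet for Fusion, vboxnet for VirtualBox).
KNOWN_PREFIXES='lo gif stf EHC XHC en fw p2p awdl bridge utun vmnet vboxnet'

# iface_names: print one interface name per header line read from stdin.
iface_names() {
    awk '/^[A-Za-z0-9]+: flags=/ { sub(/:$/, "", $1); print $1 }'
}

# active_ifaces: print the names whose block contains "status: active".
active_ifaces() {
    awk '
        /^[A-Za-z0-9]+: flags=/ { name = $1; sub(/:$/, "", name) }
        /status: active/        { print name }'
}

# unexpected_ifaces: names whose alphabetic prefix is not in KNOWN_PREFIXES.
unexpected_ifaces() {
    iface_names | while IFS= read -r name; do
        prefix=$(printf '%s' "$name" | sed 's/[0-9]*$//')
        case " $KNOWN_PREFIXES " in
            *" $prefix "*) ;;                 # known family, nothing to report
            *) printf '%s\n' "$name" ;;       # unknown family, worth a look
        esac
    done
}

# Constructed sample (abridged from the post's listing, addresses made up,
# with one extra interface "tap0" appended to show the check firing).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.2.20 netmask 0xffffff00 broadcast 192.168.2.255
    status: active
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    status: active'

# Report on the constructed sample: the only unexpected name is tap0.
echo "active:";     printf '%s\n' "$SAMPLE_IFCONFIG" | active_ifaces
echo "unexpected:"; printf '%s\n' "$SAMPLE_IFCONFIG" | unexpected_ifaces
```

On a real Mac, feed it live output with ifconfig | unexpected_ifaces. A tap or tun interface you did not create usually belongs to a VPN client or virtualization product; confirm which one with networksetup -listallhardwareports and by checking which process holds it open.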

protocols on Mac OS X

Mac OS X uses Darwin at its core, which is heavily influenced by BSD, so it carries the BSD /etc/protocols file mapping IP protocol numbers to names (the companion file /etc/services does the same for TCP and UDP ports). The following is the protocol table.

network>cat /etc/protocols
#
# Internet protocols
#
# $FreeBSD$
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# See also http://www.iana.org/assignments/protocol-numbers
#
ip 0 IP # internet protocol, pseudo protocol number
#hopopt 0 HOPOPT # hop-by-hop options for ipv6
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # internet group management protocol
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st2 5 ST2 # ST2 datagram mode (RFC 1819) (officially ``ST'')
tcp 6 TCP # transmission control protocol
cbt 7 CBT # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
egp 8 EGP # exterior gateway protocol
igp 9 IGP # any private interior gateway (Cisco: for IGRP)
bbn-rcc 10 BBN-RCC-MON # BBN RCC Monitoring
nvp 11 NVP-II # Network Voice Protocol
pup 12 PUP # PARC universal packet protocol
argus 13 ARGUS # ARGUS
emcon 14 EMCON # EMCON
xnet 15 XNET # Cross Net Debugger
chaos 16 CHAOS # Chaos
udp 17 UDP # user datagram protocol
mux 18 MUX # Multiplexing protocol
dcn 19 DCN-MEAS # DCN Measurement Subsystems
hmp 20 HMP # host monitoring protocol
prm 21 PRM # packet radio measurement protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
trunk-1 23 TRUNK-1 # Trunk-1
trunk-2 24 TRUNK-2 # Trunk-2
leaf-1 25 LEAF-1 # Leaf-1
leaf-2 26 LEAF-2 # Leaf-2
rdp 27 RDP # "reliable datagram" protocol
irtp 28 IRTP # Internet Reliable Transaction Protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
netblt 30 NETBLT # Bulk Data Transfer Protocol
mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
merit-inp 32 MERIT-INP # MERIT Internodal Protocol
dccp 33 DCCP # Datagram Congestion Control Protocol
3pc 34 3PC # Third Party Connect Protocol
idpr 35 IDPR # Inter-Domain Policy Routing Protocol
xtp 36 XTP # Xpress Tranfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
tp++ 39 TP++ # TP++ Transport Protocol
il 40 IL # IL Transport Protocol
ipv6 41 IPV6 # ipv6
sdrp 42 SDRP # Source Demand Routing Protocol
ipv6-route 43 IPV6-ROUTE # routing header for ipv6
ipv6-frag 44 IPV6-FRAG # fragment header for ipv6
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Resource ReSerVation Protocol
gre 47 GRE # Generic Routing Encapsulation
dsr 48 DSR # Dynamic Source Routing Protocol
bna 49 BNA # BNA
esp 50 ESP # encapsulating security payload
ah 51 AH # authentication header
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
swipe 53 SWIPE # IP with Encryption
narp 54 NARP # NBMA Address Resolution Protocol
mobile 55 MOBILE # IP Mobility
tlsp 56 TLSP # Transport Layer Security Protocol
skip 57 SKIP # SKIP
ipv6-icmp 58 IPV6-ICMP icmp6 # ICMP for IPv6
ipv6-nonxt 59 IPV6-NONXT # no next header for ipv6
ipv6-opts 60 IPV6-OPTS # destination options for ipv6
# 61 # any host internal protocol
cftp 62 CFTP # CFTP
# 63 # any local network
sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
kryptolan 65 KRYPTOLAN # Kryptolan
rvd 66 RVD # MIT Remote Virtual Disk Protocol
ippc 67 IPPC # Internet Pluribus Packet Core
# 68 # any distributed filesystem
sat-mon 69 SAT-MON # SATNET Monitoring
visa 70 VISA # VISA Protocol
ipcv 71 IPCV # Internet Packet Core Utility
cpnx 72 CPNX # Computer Protocol Network Executive
cphb 73 CPHB # Computer Protocol Heart Beat
wsn 74 WSN # Wang Span Network
pvp 75 PVP # Packet Video Protocol
br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
wb-mon 78 WB-MON # WIDEBAND Monitoring
wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
iso-ip 80 ISO-IP # ISO Internet Protocol
vmtp 81 VMTP # Versatile Message Transport
secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
vines 83 VINES # VINES
ttp 84 TTP # TTP
#iptm 84 IPTM # Protocol Internet Protocol Traffic
nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
dgp 86 DGP # Dissimilar Gateway Protocol
tcf 87 TCF # TCF
eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
ospf 89 OSPFIGP # Open Shortest Path First IGP
sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
larp 91 LARP # Locus Address Resolution Protocol
mtp 92 MTP # Multicast Transport Protocol
ax.25 93 AX.25 # AX.25 Frames
ipip 94 IPIP # Yet Another IP encapsulation
micp 95 MICP # Mobile Internetworking Control Pro.
scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
encap 98 ENCAP # Yet Another IP encapsulation
# 99 # any private encryption scheme
gmtp 100 GMTP # GMTP
ifmp 101 IFMP # Ipsilon Flow Management Protocol
pnni 102 PNNI # PNNI over IP
pim 103 PIM # Protocol Independent Multicast
aris 104 ARIS # ARIS
scps 105 SCPS # SCPS
qnx 106 QNX # QNX
a/n 107 A/N # Active Networks
ipcomp 108 IPComp # IP Payload Compression Protocol
snp 109 SNP # Sitara Networks Protocol
compaq-peer 110 Compaq-Peer # Compaq Peer Protocol
ipx-in-ip 111 IPX-in-IP # IPX in IP
carp 112 CARP vrrp # Common Address Redundancy Protocol
pgm 113 PGM # PGM Reliable Transport Protocol
# 114 # any 0-hop protocol
l2tp 115 L2TP # Layer Two Tunneling Protocol
ddx 116 DDX # D-II Data Exchange
iatp 117 IATP # Interactive Agent Transfer Protocol
stp 118 STP # Schedule Transfer Protocol
srp 119 SRP # SpectraLink Radio Protocol
uti 120 UTI # UTI
smp 121 SMP # Simple Message Protocol
sm 122 SM # SM
ptp 123 PTP # Performance Transparency Protocol
isis 124 ISIS # ISIS over IPv4
fire 125 FIRE
crtp 126 CRTP # Combat Radio Transport Protocol
crudp 127 CRUDP # Combat Radio User Datagram
sscopmce 128 SSCOPMCE
iplt 129 IPLT
sps 130 SPS # Secure Packet Shield
pipe 131 PIPE # Private IP Encapsulation within IP
sctp 132 SCTP # Stream Control Transmission Protocol
fc 133 FC # Fibre Channel
rsvp-e2e-ignore 134 RSVP-E2E-IGNORE # Aggregation of RSVP for IP reservations
mobility-header 135 Mobility-Header # Mobility Support in IPv6
udplite 136 UDPLite # The UDP-Lite Protocol
mpls-in-ip 137 MPLS-IN-IP # Encapsulating MPLS in IP
manet 138 MANET # MANET Protocols (RFC5498)
hip 139 HIP # Host Identity Protocol (RFC5201)
shim6 140 SHIM6 # Shim6 Protocol (RFC5533)
wesp 141 WESP # Wrapped Encapsulating Security Payload (RFC5840)
rohc 142 ROHC # Robust Header Compression (RFC5858)
# 138-254 # Unassigned
pfsync 240 PFSYNC # PF Synchronization
# 253-254 # Use for experimentation and testing (RFC3692)
# 255 # Reserved
divert 258 DIVERT # Divert pseudo-protocol [non IANA]

network>
