Installing Spotify on Fedora 24

I’ve recently been using Spotify on PS4 and wanted to get it on my desktop. Unfortunately, the official instructions from Spotify are for Ubuntu and other Debian-based distros.

Thankfully, there’s a way around all of that using rpmfusion. Below are the commands you will need to run in order to get it installed.

$ sudo dnf install --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
$ sudo dnf install lpf-spotify-client
$ lpf update

Installing Pi-Hole on Fedora 24

A few months ago I decided to move away from Windows 10 and go back to a Linux-based desktop. I chose Fedora 24, based on my Red Hat experience. Regardless, I’ve been wanting to install Pi-Hole for a while and finally got around to it. There are a couple caveats, but overall, it’s a pretty seamless install.

First, ensure that you are completely up to date before you begin:

$ sudo dnf update -y

Once you are all up to date, simply open a terminal and run the following command:

$ curl -L https://install.pi-hole.net | bash

Pi-Hole will run through the script and tell you everything is groovy, but that’s not actually the case on Fedora. There are a couple things you need to do.

Step 1: Symlink the pihole binary to /usr/sbin/pihole:

# ln -s /usr/local/bin/pihole /usr/sbin/pihole

Step 2 (only if you were previously DHCP):

Remove the duplicate ONBOOT setting in your network script. The Pi-Hole installer attempts to make your IP configuration static if it wasn’t already, which leaves you with two ONBOOT settings. Leave ONBOOT=none and remove the others.

Step 3: Update your lists:

$ sudo /opt/pihole/gravity.sh

Now you can log in to your router and point its DNS servers at your Pi-Hole box. In my case, Pi-Hole is running on my desktop at 192.168.1.20, so I logged into my router and set the DNS server to 192.168.1.20.


Now, all of the traffic on my network will be protected from ads, removing the need to install an ad-blocker on every browser/device. I’m also shielded from ads on devices that can’t install ad-blockers, such as my PS4.

I hope this was informative and helps someone out there who had the same issue I had.

Thus far, I’ve only been using it for 10 minutes and already 2% of my traffic has been blocked due to ads. Hallelujah!


Cheers!

Phish Food: Chumming the Waters on Social Media

Most of us are willing to help others in times of need. We want to trust in others to do the same and generally want to see the best for others. Perhaps the innate desire to trust in and help others is an evolutionary trait humans developed to help us survive, or perhaps we do it simply because of our internal convictions. Either way, more often than not, we want to help others when asked. This is precisely why social engineering attacks are extremely successful methods of infiltrating companies. Whether it’s a phone call to the front desk of an organization trying to get information about those who work there, or an email with an attachment claiming to be an unread fax, most of us let our trust get the best of us, which can end up costing the company.

One of the most famous and successful hackers, Kevin Mitnick, relied on social engineering to carry out the majority of his hacks. To this day, many hackers are able to gain access to networks and sensitive information utilizing very similar techniques. In fact, many penetration testers will tell you that the easiest way into a network is to simply ask for credentials. This can be in the form of a phishing email, a phony website, or, in my experience, even a spoofed phone call from a ‘help desk’ employee.

Before social media, it was sometimes quite difficult to gather enough information about a target to craft a convincing phishing campaign. However, with the advent of Facebook, LinkedIn, and the multitude of other social media sites, it is now much easier (no more dumpster diving!). Typically, an attacker will utilize Open Source Intelligence (OSINT) tools to profile an organization. These tools use multiple techniques to scour the Internet for any information pertaining to the target individual and organization. Because many of us today are so apt to share everything on social media, and because these OSINT tools are free and easy to use, the profiling process is much quicker and yields a lot of valuable data.

After an attacker has gathered information about their target, they craft a convincing phishing email. Perhaps the email is spoofed to look like it’s coming from the CEO of the company, asking for their password to be sent to them because they are out of the office and it’s extremely urgent. Or, perhaps the attacker has stood up a website that looks like the victim’s webmail access portal. The attacker then convinces the victim that it’s an “upgraded portal with more functionality” and the victim has been “specially selected out of a handful of people to help test it.” No matter the vector of the attack, the end goal is the same: steal credentials.

Let’s stop making it easy for attackers and start utilizing the same tools the hackers use to get a better idea of what’s out there. First and foremost, if at all possible, do not share any information about the organization you work for on social media (this includes LinkedIn). Also, try to avoid listing your corporate email address anywhere on the internet. Go through each of your social media profiles and beef up the privacy settings to ensure that none of your details are available publicly. Then, Google yourself and see what comes up. Many times you will find data that was published years ago and that you simply forgot about; make sure to go back and clean it up. Finally, after you feel that you have sufficiently erased yourself from the Internet, run some OSINT tools on yourself and your organization. The three tools that I like to use are Maltego, FOCA Pro, and Shodan.

While social media is a great tool to keep us connected in both our personal and professional lives, it can also be a tool used by attackers if your privacy settings are not configured properly. Let’s stop chumming the waters for phishing campaigns and be more cognizant of what we are sharing online. By over-sharing, we are putting both our personal and corporate assets at risk.

You Can’t Secure What You Don’t Know About

Do you know how many assets are on your network right now? I’m talking exactly how many, without a shadow of a doubt. Don’t feel bad if you can’t answer this with a confident “of course I can!” If you can’t, you are in the (unfortunate) majority. At first glance, you might think “of course I can answer that, my agent-based software-updating tool tells me I have 2,000 workstations and 1,000 servers” or “of course I can answer that, there are 3,457 computer objects in Active Directory”, but in reality it’s not that easy.

The unfortunate truth is that many organizations have no idea how many devices are on their network, or what individuals are doing on those devices. For example, how many organizations disable all unused network ports throughout their building and only enable them upon request? Furthermore, of those who answer “yes, I do that”, how many secure the ports that are in use so that a port automatically disables itself if it detects a different MAC address? If these safeguards are not implemented on physical network ports, any visitor (or employee) can connect whatever network device they want. Think of all the open physical wall jacks in your building: if they are all hot, every one of them is a way for someone to start infiltrating your network.

I’ve personally seen an employee plug a Linksys router into an open port in a conference room because they wanted WiFi for their phone. Think about that: a completely open access point plugged directly into your internal network. The only way it was discovered was an access point/WiFi reconnaissance scan conducted by the security team. Who knows how long it had been on the network, who had connected to it, or what those individuals did while on the network. So, with all that said, are you really comfortable relying on Active Directory or your agent-based A/V or agent-based patching solution to tell you what’s on your network?

You cannot secure what you do not know about; thus, finding the unknowns in your network and maintaining a complete asset inventory is the first step in building a secure network. A great way to start identifying what is on your network is by conducting asset discovery scans. Typically, asset discovery is bundled with the vulnerability scanning that is conducted during hours of low network activity. By scanning daily, and alerting on any new assets that appear on your network segments, you ensure that you are not only building a list of known assets, but also discovering any unknowns that may be on your network. Taking this first step of discovering both your assets and the vulnerabilities on them builds the foundation for a secure network.
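As an added example (not from the original post), the following script does the daily comparison described above: it diffs a discovery scan against the asset inventory and flags exactly the situations the post warns about, a device the inventory has never seen and a known jack now answering from a different MAC, as in the conference-room router story. The inventory rows, the scan output and its "ip mac hostname" line format are all constructed for the example.

```python
"""Diff a nightly discovery scan against the asset inventory.

Added example, not from the post. INVENTORY is what AD / the patching agent
claims exists; SCAN_OUTPUT is what actually answered on the wire. Both are
constructed sample data in an assumed "ip mac hostname" line format.
"""

# Constructed inventory rows, as the agent/AD side would report them.
INVENTORY = [
    {"ip": "192.168.1.10", "mac": "00:11:22:33:44:01", "name": "ws-finance-01"},
    {"ip": "192.168.1.20", "mac": "00:11:22:33:44:02", "name": "srv-file-01"},
    {"ip": "192.168.1.40", "mac": "00:11:22:33:44:03", "name": "ws-conf-room-02"},
    {"ip": "192.168.1.50", "mac": "00:11:22:33:44:04", "name": "ws-hr-07"},
]

# Constructed discovery-scan output; "-" means no hostname was resolved.
# 192.168.1.40 is the conference-room jack: a different device now sits on it.
SCAN_OUTPUT = """\
# ip            mac                hostname
192.168.1.10    00:11:22:33:44:01  ws-finance-01
192.168.1.20    00:11:22:33:44:02  srv-file-01
192.168.1.30    00:11:22:33:44:99  -
192.168.1.40    00:11:22:33:44:AA  -
"""


def parse_scan(text):
    """Parse scan lines into dicts; MACs are normalised to lower case."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, name = line.split()
        hosts.append({"ip": ip, "mac": mac.lower(),
                      "name": None if name == "-" else name})
    return hosts


def compare(inventory, scan_hosts):
    """Return (unknown_devices, mac_changes, silent_assets).

    unknown_devices: scanned MACs absent from the inventory (alert).
    mac_changes: (ip, inventory_mac, scanned_mac) for a known IP that now
                 answers from a different MAC (alert).
    silent_assets: inventory entries that did not answer the scan (info).
    """
    by_mac = {a["mac"].lower(): a for a in inventory}
    by_ip = {a["ip"]: a for a in inventory}
    seen, unknown, changed = set(), [], []
    for h in scan_hosts:
        seen.add(h["mac"])
        if h["mac"] not in by_mac:
            unknown.append(h)
        prior = by_ip.get(h["ip"])
        if prior is not None and prior["mac"].lower() != h["mac"]:
            changed.append((h["ip"], prior["mac"].lower(), h["mac"]))
    silent = [a for a in inventory if a["mac"].lower() not in seen]
    return unknown, changed, silent


if __name__ == "__main__":
    unknown, changed, silent = compare(INVENTORY, parse_scan(SCAN_OUTPUT))
    for h in unknown:
        print(f"ALERT new device  {h['ip']} {h['mac']} {h['name'] or '(no name)'}")
    for ip, old, new in changed:
        print(f"ALERT mac changed {ip}: inventory {old}, scan {new}")
    for a in silent:
        print(f"INFO  not seen    {a['ip']} {a['name']}")
```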

A Month with Project Fi


I’ve been using the Google Nexus devices since the launch of the Galaxy Nexus. I’ve just found them to be exactly what I need, without the bloatware that other manufacturers install, and at a great price point. I recently purchased a Nexus 6p, as my Nexus 5 was feeling a little dated. With the purchase, I decided to try out Google’s new cellular service: Project Fi.

Prior to the switch, I had been using T-Mobile’s $30/mo plan that included unlimited data and texts, and 100 minutes of talk time. When I initially switched to T-Mobile about 2 years ago, the service was lacking in rural areas, but over the past year their coverage had vastly improved. The 100 minute limitation was beginning to be a problem, however, as I transitioned from working in an office to being 100% remote. This is what led me to give Project Fi a look.

With Project Fi, you get unlimited minutes and texts and pay $1/100MB. Their cheapest plan is $30 and gives you 1GB of data. Plans go up $10/GB from there. Additionally, if you don’t use the data that you pay for, they will refund you what you didn’t use.

My first issue with Project Fi is that it does not work with Google Apps accounts. My main Google account is a Google Apps account, so this is a slight annoyance in that now I have to have two accounts tied to my phone. However, this is minor. Signing up was a breeze, and within a couple days I had my SIM card. The initial activation is also very simple, the Project Fi app walks you through it and you should be up within 5 minutes with little to no interaction needed.

Project Fi does an excellent job of trying to send all data through a Wi-Fi connection. Since I work remotely, I’m almost always on Wi-Fi, so I don’t use that much cellular data at all. However, even when out and about, if your phone is near an open hotspot that Google deems “trusted”, it will automatically connect as well as fire up a VPN connection to keep your data secure while on the public Wi-Fi. This all happens seamlessly without any user interaction needed.

Halfway through the month, I installed an app called “Fi Spy” that allows you to not only see which network you are on (Sprint or T-Mobile), it also allows you to switch at any time by inputting a carrier code into your dialer. Now, Project Fi will do this automatically from time to time to ensure you get the best service, but I like having the ability to see which network I’m on, as well as switch manually if need be. I will say that the T-Mobile network is much faster than the Sprint network. I also had issues sending MMS messages when connected to the Sprint network.

At the end of the month, using the 1GB plan, Google actually owed me a refund for 0.27GB unused of my 1GB allotment. This resulted in a $2.70 refund. The Project Fi app allows you to track your cellular data usage throughout the billing cycle. I’ve gotta say that I did my best to stay under that 1GB mark the first month, and it paid off (literally). This month, however, I’m going to be over.


Overall, I’ve been very pleased with the service and support. I have no reason to go back to T-Mobile, nor switch to any other carrier at this time. If you have a Nexus device, I definitely recommend Project Fi.


Installing and Configuring OSSIM 5.0

Coming from a Linux background, and being in InfoSec, I always try to stay on top of the Open Source Community’s offerings to our space. I have installed/managed AlienVault in the past, but I haven’t used it in a few years and wanted to see just what I could come up with on my home network. If you wanna follow along, by all means:

  1. Download the latest version of OSSIM here: http://downloads.alienvault.com/c/download?version=current_ossim_iso
    1. For the paranoid, get the MD5 sum here and make sure it matches!: https://www.alienvault.com/open-threat-exchange/projects
    2. In my scenario, the MD5 checksum is 80d915f3dfb5aedab31b5981efff582f. If you are using Linux, it’s easy to determine the MD5 checksum of the file: just open a terminal and use the md5sum command. If you are on Windows and have PowerShell 4, execute Get-FileHash <file> -Algorithm MD5. On versions earlier than 4, run an obnoxious script.
  2. Fire up your VM software of choice (VMware Workstation, VirtualBox, Hyper-V) and build yourself a VM with the aforementioned .iso. Truth be told, an appliance like this is best installed on physical hardware, but if you just wanna check it out, using a VM is fine.
  3. Install OSSIM
  4. Give yourself an IP (preferably outside of the DHCP range of your router).
  5. Create a nice password.
  6. Let ‘er eat.
  7. And we’re done! Navigate to the web console, just like it tells ya’ to!
  8. Fill out some basic info to get started.
  9. That’s it for now. You’ll get prompted for a wizard which you should follow if you’re new to all this. I’ll keep you updated as I work through it and apply more of the features to my home network.
  10. This is super cool. Automatically deploy HIDS to your hosts!
  11. And automatically load log management plugins based on OS and vendor of network components.

How to Update Tripod

My wife is a brilliant photographer and uses the Tripod WordPress theme to run her site. The issue is that their documentation is kind of lacking, so I figured I would document the process in hopes to help others.

It’s actually pretty simple; it’s just not described in their documentation as an “Update”.

  1. Make a backup! SFTP to your server and copy your entire directory down to your local machine. You will also want to log in to phpMyAdmin and make a backup of your database.
  2. Update your WordPress to the latest version.
  3. Optional: Install the Maintenance Mode plugin and put your site in maintenance mode.
  4. Download the latest version of the theme from Envato Market/themeforest.com. If you download the full version with documentation, it will come as a .zip; unzip it.
  5. SFTP to your site and delete the tripod theme directory ( ../../../wp-content/themes/tripod)
  6. Go to Appearance > Themes > Add New > Upload Theme > Choose File, choose the file named tripod_installable_theme_v_x.x.zip and click Install Now.
  7. Activate the theme and make sure everything looks good.
  8. Optional: Disable Maintenance Mode.

Hopefully this helps you out. If you need assistance, just comment and I’ll do my best to answer your questions.

Brightness Adjustment for Yoga 13 – Ubuntu

You may have noticed that even though the brightness icon is appearing on your screen, it’s not actually adjusting the brightness. Here’s how to fix it.

From command line, run the following:

sudo gedit /etc/default/grub

Add the following lines to the end of the file. The file is sourced as a shell script by update-grub, so this appends the kernel parameter acpi_backlight=vendor to whatever GRUB_CMDLINE_LINUX_DEFAULT already contains (a bare acpi_backlight=vendor line on its own would never reach the kernel).

#For adjusting brightness on Yoga 13
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT acpi_backlight=vendor"

Save and close the file.

From terminal, run:

sudo update-grub

Finally, blacklist the other device:

sudo gedit /etc/modprobe.d/blacklist.conf

Add the following lines to the end of the file. Save and close it.

#For adjusting brightness on Yoga 13
blacklist ideapad_laptop

Now, save your work and reboot.

Wireless Drivers for Yoga 13

I have a Lenovo Yoga 13 and love it, except for the fact that I couldn’t get wireless working on Ubuntu. That is, until now. Thankfully, a github user by the name of lwfinger has a solution. If you have an internet connection, via a USB dongle, simply perform the following in the terminal:

sudo apt-get install git
git clone https://github.com/lwfinger/rtl8723au
cd rtl8723au
make
sudo make install
sudo modprobe 8723au

If you don’t happen to have an internet connection, just grab this package and copy it to your home folder, then run the following:

tar xzvf yoga13realtekwireless.tar.gz
cd yoga13realtekwireless
make
sudo make install
sudo modprobe 8723au

lwfinger also has the Bluetooth driver if you visit his github site.

Use Java Whitelisting To Further Secure Your Organization

If you were to ask any sysadmin what their biggest vulnerability is at the desktop level, they are most likely to say “Java.” In fact, Java has such a bad reputation for being exploited that it’s the butt of many IT jokes. Typically, if you mention Java to a sysadmin, you will very quickly hear a disappointed sigh in response.

Unfortunately, it’s almost impossible to get rid of across the organization because so many business processes rely on Java-based applications. Thankfully, starting in Java 7u40, Oracle has allowed sysadmins to control Java with a whitelist. The whitelist acts almost like a firewall in that the default rule is deny-all. You can whitelist Java applets based on domain or signing key.

This new capability allows sysadmins to secure their organization with a few .vbs scripts, some GPO, and a .jar file.

Software Prerequisites: Java JDK, Java JRE

Disable Java Cache

Throughout my testing, it has become apparent that disabling Java cache yields the best results. I would recommend doing this prior to starting the implementation of the Java whitelist. Below are User Login .vbs scripts that will disable Java Cache for XP and Windows 7. I am by no means a .vbs expert, so you may be able to tweak this into one script to handle both operating systems.

Link to XP

Link to 7

Generate a Code-Signing Certificate & Java Keystore

You will need to sign your white list .jar file in order for it to be processed by Java. I was able to generate a code-signing cert from our local CA in our Windows Domain. Getting that cert into a Java Keystore is a little tedious, but not difficult. Here’s what I did:

  1. Use Certificates MMC Snap-In to export certificate with private key (Example: C:\Users\username\cert-and-key.pfx)
  2. Open cmd.exe, navigate to the JDK bin directory (C:\Program Files\Java\jdk1.7.0_45\bin)
  3. Import .pfx to Java keystore with the following command
    1. keytool -importkeystore -srckeystore C:\Users\username\cert-and-key.pfx -srcstoretype pkcs12 -destkeystore C:\Users\username\mykeystore.jks -deststoretype JKS
    2. Make note of the alias (something like le-codesigningcertificate-*) and copy it to a safe place.

Create the whitelist (DeploymentRuleSet.jar)

Now comes the fun part: creating the actual whitelist. The whitelist is basically a .xml file, packed into a .jar file (think tarball) and signed with your certificate. Oracle has a great example of said .xml file here: https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

I’ve found it easiest to create the ruleset.xml file in the JDK bin directory as to avoid any issues with absolute paths in the following commands. Once you have your ruleset.xml created, it’s just a matter of creating the .jar file, signing it, and sticking it in the right place. The following commands assume you are in the JDK bin directory, and your ruleset.xml is also in that directory.

  1. Create the .jar file by issuing the following command:
    1. jar -cvf DeploymentRuleSet.jar ruleset.xml
  2. Sign the .jar file (you will need the alias from the previous section for this step):
    1. jarsigner -verbose -keystore C:\Users\username\mykeystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar <paste alias from previous section here>
  3. Copy whitelist to correct location:
    1. Windows: copy DeploymentRuleSet.jar C:\Windows\Sun\Java\Deployment\
    2. Mac: cp DeploymentRuleSet.jar /etc/.java/deployment/

Confirm whitelist is being applied

The whitelist should get applied as soon as the .jar file is copied to the correct location. To test this, open the Java Control Panel and navigate to the Security Tab. You can then click on the “View the active Deployment Rule Set” link to see what whitelist is taking effect.


Further Notes

This took me a couple of tries to get right, so don’t get discouraged if you don’t get it right the first time. One very valuable piece of the Java whitelist is that it allows the sysadmin to specify which version of Java to run on each site. Therefore, if your organization has an application that is limited to a specific Java version, you can now lock down that version of Java to that specific application, while allowing all other applications to run the latest version of Java.
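As an added example (not from the original post, and not Oracle’s code), here is a constructed ruleset.xml of the kind the “Create the whitelist” section packs into DeploymentRuleSet.jar, together with a small evaluator that walks it the way the Deployment Rule Set does (top to bottom, first matching rule wins) and checks the deny-all posture. It shows both the domain-based whitelisting and the per-site version pinning mentioned in Further Notes. The location matching is a simplified, assumed approximation of Java’s own, and the hostnames are invented.

```python
"""Evaluate a constructed Deployment Rule Set against applet URLs.

Added example, not from the post or from Oracle. RULESET_XML is a constructed
ruleset.xml; evaluate() mimics the rule walk (first matching <id> wins) with
a simplified, assumed location match: scheme must agree if the rule gives
one, the host must equal the rule's host or fall under a "*.domain" wildcard,
the port must agree if given, and the path must start with the rule's path.
An <id/> with no location matches everything: that is the deny-all default.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RULESET_XML = """<?xml version="1.0"?>
<ruleset version="1.0+">
  <rule>
    <id location="https://legacyapp.example.internal" />
    <action permission="run" version="1.7.0_45" />
  </rule>
  <rule>
    <id location="https://*.example.internal" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the corporate Java whitelist.</message>
    </action>
  </rule>
</ruleset>
"""


def location_matches(location, applet_url):
    """Simplified match of a rule's location attribute against an applet URL."""
    rule = urlsplit(location if "://" in location else "//" + location)
    app = urlsplit(applet_url)
    if rule.scheme and rule.scheme != app.scheme:
        return False
    rule_host, app_host = rule.hostname or "", app.hostname or ""
    if rule_host.startswith("*."):
        if not app_host.endswith(rule_host[1:]):
            return False
    elif rule_host != app_host:
        return False
    if rule.port is not None and rule.port != app.port:
        return False
    return (app.path or "/").startswith(rule.path or "/")


def evaluate(ruleset_xml, applet_url):
    """Return (permission, version, message) from the first rule that matches."""
    for rule in ET.fromstring(ruleset_xml).findall("rule"):
        ident, action = rule.find("id"), rule.find("action")
        if ident is None or action is None:
            continue
        location = ident.get("location")
        if location is None or location_matches(location, applet_url):
            return (action.get("permission"), action.get("version"),
                    action.findtext("message"))
    return "default", None, None  # nothing matched: Java's normal settings apply


def is_default_deny(ruleset_xml):
    """True when the last rule is a bare <id/> whose action is block."""
    rules = ET.fromstring(ruleset_xml).findall("rule")
    if not rules:
        return False
    ident, action = rules[-1].find("id"), rules[-1].find("action")
    return (ident is not None and not ident.attrib and len(ident) == 0
            and action is not None and action.get("permission") == "block")
```

Note that rule order matters: if the catch-all block rule were placed first, every applet would be blocked and the whitelist entries below it would never be reached.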