Wifi Security


overwraith


Hey all, I got a question. Let's say I was at a coder kata, trying to get my dev environment set up on a laptop, so I could actually participate in this coding exercise, and while I am doing this, I connect to the wifi that the event hosts so graciously provide, and then within seconds... Bam! My AV dies, and seconds later my laptop blue screens. So naturally I am thinking to myself, wonderful, one of these dick-wads knows shell code. Am now rebuilding that laptop, completely blowing everything away.

Now the question, how would I implement some sort of security/firewalling on a thoroughly untrusted network. Is there a wifi device which can support firewall rules, or something that can tolerate such an untrusted connection? Obviously the right answer is don't connect to someplace which isn't secure, but that doesn't really help me participate in a public event like this. Apparently the solution to keep your electronics in your house under lock and key is not the most palatable solution here.


Hmmm... Sounds very annoying. I've been thinking about your question though, it's quite an interesting one. I guess in Windows you could use the built-in "Windows Firewall" to block ALL inbound/outbound connections except for those from a VPN that you've got running back home? Pretty sure you can do that in advanced firewall settings in control panel. Your machine would basically ignore everything that didn't originate from a specific IP address (in this case it'd be your machine running a VPN back home). So in effect you would HAVE to tunnel EVERYTHING through that VPN to be able to access anything on the internet. In Linux you can achieve a similar thing with iptables.

Another option (which I do whenever I need WiFi away from a protected hotspot on my laptop) is to use WiFi tethering on your phone, assuming you've got a model that supports it and have a data plan that would be able to handle whatever it is you're trying to achieve. Basically anything which means you're connecting your laptop only to a network that you control, so even a Pineapple would work (but may look a little suspicious...). A general rule of thumb is to only connect directly to an open AP if you really need to.

Another idea that just occurred to me would be to run a VM on your laptop and plug in a USB WiFi adapter. Then you can forward that USB to the VM and connect to the WiFi through that (rather than having the VM use the host's connection, you'd need to turn that off in VirtualBox/VMware settings). Then set up a shared folder from the VM to the host to transfer any files that you need. If they screw up the VM, who cares? Restore it from a snapshot if you have to.

I'm sure other people can come up with some better ideas, but those are what I could come up with in the time it took me to type this!

Good luck fixing your laptop.. ;)


Thanks for the reply Xcellerator. Those are some good ideas. Perhaps there's some tutorials online for something like this. I will have to look unless you know where some links are. Let's keep this thread going a while to see if there's any more good solutions.

Does anybody know the bandwidth that a Raspberry Pi is capable of? If there's a solid Linux OS for it, and some ability to make some sort of firewall, and it's reasonably secure, that could be another option. The only real problem I see with Raspberry Pis is that they aren't specifically designed for security, they are more of a hobbyist thing, which makes 'em more susceptible to hackery.


A Raspberry Pi is a pretty good idea too. The standard OS for the Pi is called "Raspbian" which is just an ARM version of Debian (which is what Ubuntu, Mint, Elementary, etc. are all based on). So with that you could use iptables as I mentioned. I've just found http://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/, which looks quite interesting. I think this is pretty much the best way to set up a Raspberry Pi to do what you want (and it looks quite fun too!). They use Raspbian in it too, so you can still use iptables (just make sure your firewall rules don't conflict with the TOR/VPN that you'll set up!). Other than that, I guess it's the usual "change the default password", "don't run unnecessary services", etc. I guess if you were really security conscious you could look into recompiling the Linux kernel under Raspbian with the SELinux module added in. But if you're just using the Pi for what they set up in that article (i.e. not running Apache or other internet-facing services), I think you should be *pretty* good out of the box.

As usual, "how secure" is always a comparison and you can never be 100% safe, just like you can never be 100% anonymous. But you can get damn close...


You're right about the 100% thing. But you can make it darn hard, can't you? I guess I would be wondering if there are actually any Metasploit modules designed with the Raspberry Pi architecture in mind. Mind you, I don't know shell code. Shell code and ASM are hard. I have some of the books and would like to learn, I just have to learn a few more things first. Getting better at JS and SQL is necessary for future employment. Everything else is just hobbies, so they necessarily take a back seat.


You're in a seemingly public area and for some reason decided to connect to the Wifi for... reasons. Think long and hard about what those reasons are, because the second you connect you open yourself up for attack. Always. It's because of this I actually bought that Chromebook of mine: I can't take my work laptop with me to such events because I've got code on there which very much shouldn't be out in the open. The fact that it's a millstone in terms of size and weight didn't help either. Before you even go to such an event, update everything and lock down your laptop. You should be doing this even when you're not planning to connect to an untrusted network, so make it a routine to at least once a week briefly go over the various settings and make sure everything's up to date and set up correctly.

One thing that helped me immensely in preparing for such events was to participate in a RAD-race. With that event you get 16 hours over 2 days to develop something (they tell you the 'something') and you must do all your work without any external resources. So if it wasn't already on your system, you must either build your own or create it from what is on your system, them's the rules. If you've got a team member (it was solo or 2-person teams) you could set up a network, but you'd make the network and you can only connect to it what you bring, so an external server is allowed, but you can't hook it up to the internet. As a result, I now *always* have the javadoc for the components I've used more than once AND those components' source code on my system meaning I can do all my dev work without network availability. Sure, internet is nice to look up answers to problems, but you should be able to work around it.

Back to your situation. If you did like me and put all the static docs locally on your system, you don't need to be connected to the network constantly so the question then becomes "why do so in the first place?" You could just connect briefly to get an answer to a problem, disconnect again and continue working. You should be running a firewall that blocks all incoming connection attempts since there's no valid reason for you to want to honour them, even on a trusted network. You could use a Pi for this, but it's just another item to bring in order to allow you to keep running what amounts to a misconfigured device.


Those are all good points cooper. Luckily there wasn't anything on the laptop of importance. I was in the process of installing Visual Studio, but I don't think they can do anything with that. Probably... I do know how to download Javadocs, that's one of the first things my high school Java teacher taught us years ago (when I was in high school, now I am a college grad). You're right about the misconfiguration thing, however it could be really useful if it was configured correctly. It seems that something on the laptop was probably faulty in order to let them in. You would think Microsoft would have fixed whatever issue that was, but you know them. You need a server/client socket in order to remotely execute shell code like this, correct? The laptop basically had nothing on it. It was a completely clean OS. I should have set the laptop up beforehand on my own, and just not connected, however there are a lot of compilers out there that would routinely need to be updated/installed in order to be competitive in one of these code activities since everybody on every team has differing skill sets.

Perhaps the question is how do I make a web bot that routinely gathers installation software, and crafts some sort of automated build/install procedure for all the darn compilers out there.


Best pre-setup I would go with: use a VM with an external wifi card, or better yet, remove the HDD, and boot a live CD/DVD with external USB storage or an SD card, and when done, nuke the card. In the event you get jacked, it's a live disc, reboot. Just change the default passwords and lock everything down before going on the network. Set up your firewall before connecting and close any ports and services not essential for use, and hope that nothing is open or a 0-day showing its head on the network afterwards.


That's a good one digip. The problem I see is that I am mostly a Windows guy. I would have to essentially make the VM a Windows box.

I do confess, I have always had problems with live disks. Sure they are absolutely great to get from a Linux distributor, but is it possible to make one's own without resorting to neurosurgery? Are there any layman's tutorials for creating custom live disks, or is it not possible without in-depth knowledge?


The only thing I've seen for that is "streamlined" installers for Windows 7 (after that I never looked again) but what sucks about those is that you still need to wait for the installation to complete. Having a (mostly) up-to-date disk image around helps in that regard and can be quite useful when you regularly need to reset a system to a known-good point.

Downloading javadoc is trivial. It's the second 'download' button in the Additional Resources section. The C# API documentation in my experience is a lot harder to come by, and a lot less convenient to traverse as you're looking for the method you need. To each their own I guess.

Without a network connection into your system an attacker can basically do little more than DoS you (by filling your network pipe with traffic your system will instantly discard, but it still needs to arrive before it can do so), so if you simply set up your firewall to deny all externally originating (i.e. non-localhost) incoming connection attempts, only connections that you initiated yourself are allowed. At this point a nefarious person would need to get you to visit an untrusted website (say), get infected via something running there (a Flash app or something), and that infection would need to make the outbound connection to the attacker's machine. Not impossible, but it takes quite a bit more effort, and it's far easier to combat by simply running AV and keeping your software up to date.

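The default-deny firewall that Xcellerator and cooper describe (drop every unsolicited inbound connection, let only replies to your own connections through, and force everything else down a VPN) written out as an iptables ruleset. This is an added example, not code from anyone in the thread or from the makezine article; the VPN server address (a documentation-range IP), port, protocol and tunnel interface name are assumed placeholders, and the `audit_ruleset` check is a hypothetical helper so you can verify a live `iptables-save` dump still matches the policy before walking into the venue.

```shell
#!/bin/sh
# Added example: a "hostile hotspot" iptables policy in iptables-restore format,
# plus an audit that fails on any rule accepting unsolicited inbound traffic.
# Placeholders (assumed, not from the thread): override via the environment.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # documentation address, constructed
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"                   # interface the VPN client creates

# Emit the ruleset. Every chain defaults to DROP; inbound is limited to loopback
# and replies to flows this host opened; outbound on the physical link is limited
# to DHCP and the VPN handshake, so all other traffic has to leave via the tunnel.
render_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $TUN_IF -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset read from stdin (e.g. the output of iptables-save -t filter).
# Succeeds only if all three chains are default-deny and no INPUT rule accepts
# anything besides loopback traffic and replies to connections we initiated.
audit_ruleset() {
  ruleset=$(cat)
  for chain in INPUT FORWARD OUTPUT; do
    if ! printf '%s\n' "$ruleset" | grep -q "^:$chain DROP"; then
      echo "audit: chain $chain is not default-deny" >&2
      return 1
    fi
  done
  unsolicited=$(printf '%s\n' "$ruleset" \
    | grep '^-A INPUT .*-j ACCEPT' \
    | grep -v -e '-i lo ' -e 'ESTABLISHED,RELATED' || true)
  if [ -n "$unsolicited" ]; then
    echo "audit: rule(s) accept unsolicited inbound traffic:" >&2
    printf '%s\n' "$unsolicited" >&2
    return 1
  fi
  return 0
}

# Load the policy atomically. iptables-restore --test parses the ruleset without
# committing it, so a typo in the placeholders fails before the live table changes.
apply_rules() {
  render_rules | iptables-restore --test && render_rules | iptables-restore
}

case "${1:-}" in
  render) render_rules ;;
  audit)  audit_ruleset ;;   # e.g. iptables-save -t filter | sh hotspot.sh audit
  apply)  apply_rules ;;     # needs root
esac
```

Run `sh hotspot.sh render` to review the policy, `apply` (as root) before joining the venue's network, and pipe `iptables-save -t filter` into `audit` afterwards to confirm nothing (a package post-install script, a helpful GUI) has quietly added an inbound ACCEPT. Because the VPN server is addressed by IP, no DNS lookup has to cross the untrusted link; name resolution happens inside the tunnel. On the Pi-as-router setup from the makezine link the same idea applies, but the rules that matter there live in the FORWARD chain, which is where they would collide with the TOR/VPN rules Xcellerator warns about.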

I used to use a live XP disk all the time at work for browsing the web, and they have newer versions of (similar to) UBCD4WIN tools that avoid the use of AIK (Auto Install Kit) to build live Win 7 discs, although I'd still probably go full VM, just for Windows 7 compatibility, since a live Windows disc will be less than all the bells and whistles and a subset of tools you choose to load on the disc, not a full-blown everything-goes kind of environment. With Linux, you can go tiny file systems and smaller footprint with laptops that have like 8 or more gigs of RAM, and get away with a really speedy Linux live system and no HDD while using nearly everything you would from a native install with enough memory, which makes it convenient for traveling with too, since if it gets stolen there are no files, passwords, etc. stored on the hardware. You can also make encrypted USB storage disks and nuke them afterwards, or even persistent encrypted Linux installs to USB, and keep the USB key separate from the laptop when traveling.

I haven't tried this, but it touts a Win 7 live disk setup - http://www.technorms.com/8098/create-windows-7-live-cd

I have used UBCD4WIN in the past for XP with OperaUSB installed (and the latest Opera 30 USB will still run on XP) if you wanted a live Windows system with a web browser. - http://www.ubcd4win.org/downloads.htm

Customize your own Kali ISO - http://docs.kali.org/development/live-build-a-custom-kali-iso

Kali encrypted disk setup - http://docs.kali.org/installation/kali-linux-encrypted-disk-install

Kali Live USB with Persistence - http://docs.kali.org/downloading/kali-linux-live-usb-persistence

Kali Mini ISO - http://docs.kali.org/installation/kali-linux-network-mini-iso-install

You can always just burn and boot off DVD as well but the USB installs let you customize a bit with persistent storage. This of course is Linux only.

For a Windows env with tools for programming like .NET and such, I'd still go VM so you can run everything like you would natively; just make a copy from another system, so in the event the laptop gets destroyed and you need to nuke, you have a copy of the VM on a home backup or such.

Finally, and this may be overkill, but if you need a development box at all times, set up one in the cloud, and make it only accessible over VPN. Only issue is, if you get owned, anyone with access to your machine gets access to your cloud machine, but your machine being "secured" is the key to begin with, which depending on the network you are using, you're at the mercy of your environment. I haven't tried Docker yet, but I know work uses it for deploying Kali boxes on jobs. https://www.docker.com/
