Security advice

Hi,
I developed an application with Jdev 9.0.2. It contains JSP pages which use the bc4j library and business components. I deployed it on a stand-alone OC4J and it works fine.
I am not so familiar with security issues. In my project, I use a login page, I get the user name and pwd, check them (I hold the values in the database) and create a session object. Then other JSP pages check the session in their first lines; if the session object is OK then the code runs, otherwise the page redirects to the login page.
That's all I do about security.
Is it enough? Must I add some code, services, etc. to the project? Does anyone use some other security controls in projects like mine? Any advice ...?
Thanks a lot...

Hi Tolga,
From my limited experience with security, I don't see any problems with using the method you described, except that your users are accessing the database directly when they log in. If you use JAAS/JAZN you have an extra layer of security because users log on to an application-specific realm, which allows you to customise security roles and authorisation for each of your applications. If you have the time to configure JAAS or a custom UserManager, it is an advisable security precaution.

Similar Messages

  • Wireless security advice

    Hey everyone,
    I have inherited an unsecured wireless network with the following setup -
    1x WLSE express (v2.13.1)
    28x AP 1210
    10x AP 1130
    Windows 2003 Active Directory
    I was wondering what would be the best security / encryption solution to implement without spending a dime. I have been reading a lot about PEAP as well.
    Any suggestions / advice would be appreciated.
    Regards,
    Mark

    PEAP uses Transport Level Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a Wireless laptop, and a PEAP authenticator, such as Microsoft Internet Authentication Service (IAS) or any RADIUS server. PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MSCHAPv2, that can operate through the TLS encrypted channel provided by PEAP. The PEAP authentication process consists of two main phases:
    Here is the URL for PEAP under Unified Wireless Networks with Microsoft Internet Authentication Service. It may help you.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
    The following URL covers the different types of authentication which are used in wireless.
    http://www.cisco.com/en/US/docs/wireless/access_point/1300/12.3_7_JA/configuration/guide/b37auth.html#wp1035193

  • Buying Used Macbook Pro; Need Security Advice

    Howdy--
    While on vacation last week, my sister in law accidentally spilled water on the table that ran into the back of my early 2011 13" i7 MBP.  My wife and I have the same machines, so I was able to move the SSD and RAM to her machine, which tested fine.  I then took the machine down to my local Apple dealer (TD Curran) and they confirmed that the machine is basically a brick.  They suggested that I start with the logic board replacement ($530 + $150 = $680), but that other components may have failed, too--so this number could grow higher.
    So I looked at my local Craigslist postings to see if there was a similar machine, and I found a couple.  Here is where I need your help:
    1.  I plan on wiping whatever drive they have and using it in the DVD bay as a secondary storage device and using my SSD as the primary hard drive.  If the laptop ends up being stolen and the original owner locks the machine down somehow, are they only able to do that if the original hard drive is in place?  I'm only buying the machine for the non-hard drive/RAM components, but would these components somehow allow the original owner to lock the machine down?  This is already a giant S&*T burger for everyone to eat, and I'm certainly not interested in paying $500-1000 for a used machine that is effectively bricked because it was stolen.  What are my options?  What should I be on the look out for?  Is remote lock out only possible if the original hard drive is still in place?
    2.  I have the original installation DVDs that came with my early 2011 machine.  Will these work on any early 2011 machine or will they only work on my machine?
    3.  If the used machine is a late 2011 machine without the installation disks, are there any options for either getting these or burning new ones?
    I understand that this might be a time to upgrade from my i7 chipset, but I am not willing to give in to the glued RAM in the newer MBP machines.  Therefore, I want to stick with an older machine where I can still get at the RAM--and the SSD--with relative ease.
    Thanks for your help, and please let me know if I can answer any questions.

    I tend to agree with you.  However I'm in a pinch and I need a solution, which given my circumstances is a used machine off Craigslist.  I'm trying to figure out what that might mean if the machine gets locked somehow.  I spoke with my local Apple dealer, and they indicated that I might want to make sure that the machine's password is reset via the Security and Privacy settings, make sure FileVault is turned off and that they are logged out of iCloud and that my iCloud login details are entered and accepted prior to leaving with the laptop. 
    Would you agree that these items should safeguard me against the machine getting locked out if it does end up being stolen? 
    Would you recommend any other preemptive steps?

  • Security advice on mandatory access control

    Hi,
    I'm trying to optimize my Arch setup and also want to improve my security, so I came across the MAC stuff and would like to hear your opinion.
    My use case is normal browsing/coding/multimedia stuff, so nothing special.
    I try to maintain my system with care and only install/run stuff I really need and trust somehow.
    Now, reading the wiki, I found articles about these MAC solutions, but I couldn't figure out how much these could improve my system considering the fact that
    I have to somehow configure all the stuff more or less. Is it really worth dealing with them as a normal user, and if yes, which one?
    Unfortunately neither the wiki nor Google helped me with general recommendations, so I put my hope in your experiences.
    Greetings
    Knusperkeks

    I can only talk about tomoyo because I'm not familiar with other mac systems. My reason for choosing it was that everything needed was already on the repos.
    brebs wrote: AppArmor files use a convenient BASH-like syntax, and can have common requirements grouped for easy specification.
    Tomoyo's syntax can be a little tricky since it requires a good amount of escaping and it can get tiresome after a while so I guess apparmor might be easier in that regard. Tomoyo does allow you to make permission groups that you can use how many times you want, or you can specify it as global permissions, it all depends on how common certain things are.
    I don't know about apparmor but tomoyo allows you to get into the nitty gritty details of what each program can do, up to the point where it can get tiresome. I didn't elaborate much on it in my last post because I don't want to discourage anyone from trying it or any other mac system.
    With tomoyo you can specify if a program is allowed to read/write/unlink/truncate/rename files, mkdir/rmdir directories, which chmod values it can use, which values it can use with chown, if you allow it to use tcp/udp/unix sockets, which ioctls it can use, just to name a few common things that will show up in policy files.
    Tomoyo can learn all this by recording what a program accesses, then you want to use a utility (tomoyo-patternize) to reduce the amount of rules. Many things can be reduced to a simple rule (imagine access to a program's config directory). This is where the trouble starts because the config file tomoyo-patternize uses is very bare. You will also find that you may need to take into account not only the program itself but also the toolkit it uses and other things like fontconfig.
    One problem that might be common to both tomoyo and apparmor is that if a program's behavior changes slightly, then things will break in subtle ways and you will only find out when you are short on time and really need things to work, unless you are more lax where you allow programs to have free rein, and then you may be leaving some security hole open.
    I'm not using tomoyo now but it can be a nice tool to use when you want to find out what a program is doing. Like I said in my previous post, pick the low hanging fruit first, there are other things that can be set and almost forgotten and will not break anything, then give mac a try and be sure to check regularly if you have to update the security policy.

  • [SOLVED] Security Advice

    Hiya, I've just reinstalled Arch with a new desktop and I've been setting up security on it properly for the first time, so far I have:
    Set a decent password to the bootloader
    Set partition mount options as in the Security Arch Security Wiki
    Set Filesystem Permissions properly
    Setup a separate user to run instead of root
    Setup sudo and restricted su
    Set password Hashes
    Setup the simple stateful firewall as in the wiki
    My laptop is a simple desktop/production machine for coursework.
    I'm going to deny root login from the console and restrict password attempts to 3 tries. I'm also soon going to look into some sort of filesystem monitoring like tripwire or network monitoring I can understand, and something to allow me to test for holes.
    My passwords are quite long and use symbols characters, numbers, and don't mean anything.
    I'm wondering about port knocking, where a series of knocks have to be done in the correct order, I'm confused however as to whether this is advisable for a personal machine like mine or if it's really just for servers and my simple stateful firewall is enough.
    I also have slight confusion regarding grsecurity for kernel hardening, it has boxes on the wiki of options and configuration, but I don't understand where those changes and configurations are made to. This is assuming I choose grsecurity because I'm torn between that and SELinux because I've heard of it more.
    Finally is there a better way for me to have sudo set up for this laptop other than using the ALL (ALL) setting for my user, other than root I am the only user on this machine.
    Thanks,
    Ben.
    Last edited by Ben9250 (2011-04-18 13:34:03)

    Thanks for the helpful replies!
    When I meant production machine, it's basically a personal laptop but I do most of my university work on it (backing it up to my windows gaming machine in case I break something) It's on the wireless but it doesn't connect to anything but my home network and university networks.
    Regarding the C{}FLAGS, milomouse: I maintain one of the r-studio packages on the AUR. I read the information in the wiki's and the Gentoo links, would I be correct in assuming hardening my CFLAGS would involve finding my processor and the safe ones?
    With grsecurity what I meant was I didn't understand if the kernel settings given on the wiki went simply into changing some configuration file for the current kernel and then reboot and that would be job done, or if I had to recompile and install a kernel - I've tended to leave kernel stuff alone. [EDIT] However, I've done a bit more reading, I think I've answered this question for myself but I'd prefer it if someone could kindly confirm, just so I don't go and do something catastrophic: With these kernel options for grsecurity or TOMOYO, if my kernel - the standard arch one, does not already have those options set for it, then what I would have to do is use the abs to alter a stock kernel configuration using a .conf file or menuconfig, and make sure the relevant options are enabled and basically do a build like I would normally with the AUR, and then install it and alter the boot-loader accordingly to point to this altered kernel?
    I'm quite liking the look of TOMOYO, it's a bit of learning for me but I'm finding it attractive how it's all set up, and the learning mode, and real-time tomoyo-queryd allowing real time alteration of the setup during updates. I'm wondering about grsecurity with tomoyo, because grsecurity is a patchset, would it be possible to use tomoyo for MAC, and then other bits from grsecurity, for example the parts that fight chrooting and linking? The reason I ask is because some pages I've read haven't been too enthusiastic about RBAC compared to other methods, but maybe that's more opinion, I don't know the technical reason it's grounded in.
    Thanks,
    Ben.
    Last edited by Ben9250 (2011-04-15 19:12:58)

  • Do I need security for my computer?

    I have heard that there are no viruses that can attack Mac os.
    Does this hold true with spyware, worms, malware etc?
    Do I need to get a firewall or anti spyware software to be secure?

    Macs are less vulnerable out of the box than Windows machines by design but that doesn't mean they are invulnerable.
    There are many many more Windows machines in the world than Macs which has made them the primary target for those that derive perverted satisfaction from trying to disrupt things for others. As Macs get more popular, they will be more actively targeted and there is no doubt that vulnerabilities will be discovered and some sad people will try to exploit them with malware.
    Make sure you run Software Update on a regular basis because Apple are pretty good at plugging those holes that are discovered.
    Read the security advice on Apple's web site and be aware of what you are doing as you open up services on your Mac's firewall.
    I think that this article (http://www.thexlab.com/faqs/malspyware.html) is a pretty good summary of what to do.
    So far, in four years of OS X use, I have not experienced any ill effects from malware. That doesn't mean I shouldn't continue to be careful - just like in all aspects of life.
    Enjoy your Mac!!

  • Sharing the same keychain across multiple user accounts

    Hello, Anyone know how to do this? Thanks in advance!

    I have tried, without success to share a keychain between two accounts. In Keychain Access -> Edit -> Keychain List there is a Shared checkbox next to each keychain. If I click on that, the keychain disappears from the list of Keychains that you see when you open Keychain Access (and if necessary, click on Show Keychains). The keychain does not show up on any other account, either. The keychain is still there in ~/Library/Keychains.
    Seems pretty useless, as does Apple's article "Mac OS X 10.4 Help -- Administering keychains for multiple user" at <http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1775.html>.
    Some idiot in the security world recommended that we split our account into administrator and non-administrator, and normally log on only to the non-administrator account. This forces me to try to share files, folder, and keychains, so I can get any work done while logged on from the administrator account. Mostly, I don't think Unix, or Mac OS X, was designed to share things. (This is not a Mac versus PC statement. I only have one account on the PCs I'm forced to use at work -- it may be just as hard or harder on a PC.)
    This security advice is stupid! Don't do it. Do everything on one account or you will waste hours and hours trying to bridge the gap between them.
    But I would like to know how to share a keychain, since Apple's help files SAY you can. Only it does not work.

  • Time capsule 1st generation - extension with air port extreme

    My parents use a time capsule (1st generation) as wireless lan device. As they run a boarding house they wish to provide free internet access to all of their guests (in all rooms). Therefore I bought an air port extreme station to extend the network as this product now (finally) includes the option »guest network«.
    The question is the following: *Should I keep the time capsule as basic device connected to the modem and use the air port extreme as extension or do you recommend to set it up vice versa?*
    I checked the range of the time capsule: It can already be used on the first floor but not on the second anymore.
    I am really unsure how I should approach this topic and I hope more experienced users can provide some help with this issue. Maybe you can also give me some security advice. In order to protect kids from misusing this new possibility I was thinking of using opendns to block certain websites. Maybe there are also better ways of doing this?

    Need a bit more info.
    Now this is what happens when I plug it in:
    Plug it into power?? The main router?? Sorry I am unclear what you are plugging it into.
    It sounds like you have not done the setup.
    The TC should be in bridge and plugged into the current modem router you have.. and powered on full time.
    If you cannot access it via the utility, I strongly suggest you buy the apple usb to ethernet dongle.. which helps air people no end.. or use any other computer that has a real ethernet port.
    Otherwise set to factory and start over. (this will not do anything to what you already have on the disk).
    Hold in reset and power on the TC.. wait about 10sec until the front led rapidly flashes. .then you can connect the computer.. and do the setup.. choose bridge in the Network section of the utility and update the TC.
    Then you can plug it into the main router and access it and internet at the same time.. either by TC wireless or the main modem wireless.
    Please note. .Gen1 TC is only going to last very little time.. it is already well past the average lifespan.. many died at 2years.. most gone by 4years.. plan on storing nothing important on it.

  • Monitoring access to Office documents

    You become aware that someone has had unauthorized access to confidential Mac Office Word files on your OSX 10.4.9. You are in a panic.
    Is there any way to confirm whether the person has copied your Word files? (for example, could Terminal be used for this?)
    Note: cmd-i tells you when last a file has been modified or opened, but copying and transferring files is not logged here.
    MacBook Pro   Mac OS X (10.4.9)  

    Hi letthedogout,
       Well, there's good news and bad news. The good news is that OS X ships with one of the most advanced auditing systems in the world. Apple's CommonCriteriaTools are, aside from some relatively paranoid security advice, Apple's packaging of Sun's BSM Auditing. Of course that's a little heavy duty and there are some lighter weight approaches to security such as Tripwire or process accounting.
       Did I mention that there was some bad news? All of the above security procedures have one thing in common; they are off by default. Without prior arrangement for the recording of information, the most I can suggest is to use last access time to pinpoint the time of the event and look at all events in all logs occurring at that time. You might get lucky and see a secure shell access or something like that. The /var/log/secure.log file will show you if an elevation of privileges was involved in the breach.
    Gary
    ~~~~
       If built in great numbers, motels will be used for nothing
       but illegal purposes.
             -- J. Edgar Hoover

  • Fn (function) key

    Hi
    I have just bought a lenovo s10 yesterday and I have uninstalled some pre-installed applications such as norton...and others and today I discovered that when I pressed fn + left or right arrow key it will increase and decrease the volume...and on the monitor it will show the "indicator" showing the meter of the volume...similar to when you press fn + up or down arrow and it will increase the brightness of the screen...but it does not appear anymore...for the "indicator"...can I "reinstall" it if I have accidentally uninstalled that application?
    Regards

    Also notice that both the Energy Management tray icon and the nice green and blue screen overlay for the Fn key combinations disappear if the user logs in to a limited user account. The hotkeys still work ... but it is disappointing to me that such a basic feature does not work if the user follows the most elementary security advice, and sets up a limited account for her everyday work - especially on a netbook using random Wi-Fi hotspots for Internet access.
    Hans

  • Authentication failure during deployment

    I'm using an ant target to do remote deployment of our app to an OC4J container. The ant target looks as follows:
    <target name="iasDeploy" description="Deploys">
        <java jar="D:/MAVEN-WORK/eportal-lib/oc4j_remote_deploy.jar" fork="yes" maxmemory="512m">
            <jvmarg value="-Djava.protocol.handler.pkgs=HTTPClient"/>
            <arg value="http://wblv-ep-sp05.mycompany.com:1822/Oc4jDcmServletAPI"/>
            <arg value="ias_admin"/>
            <arg value="admin_dev3"/>
            <arg value="deploy"/>
            <arg value="/app/oracle/product/oc4jext10.1.2-d3"/>
            <arg value="D:/MAVEN-WORK/acme-ear/target/acme.ear"/>
            <arg value="acme"/>
            <arg value="oc4jext1012d3.wblv-ep-sp06.mycompany.co.za"/>
        </java>
    </target>
    When I run this task I'm getting the following authentication error message :
    iasDeploy:
    [java] Initializing log
    [java] Servlet interface for OC4J DCM commands
    [java] Command timeout defined at 600 seconds
    [java] Executing DCM command...
    [java] Executing command deploy /app/oracle/product/oc4jext10.1.2-d3 D:/MAVEN-WORK/acme-ear/target/acme.ear eportal oc4jext1012d3.wblv-ep-sp06.telkom.co.za
    [java] Command = DEPLOY
    [java] Reading application's ear file
    [java] Ear file was successfully read
    [java] Opening connection to Oc4jDcmServlet
    [java] Setting userName to ias_admin
    [java] Sending command to DCM servlet
    [java] HTTP response code = 401, HTTP response msg = Unauthorized
    [java] #### HTTP response is NOT ok
    [java] Closing connection to Oc4jDcmServlet
    [java] #### DCM command did not complete successfully (401)
    [java] #### Authorization failure. Please, check your username/password.
    [java] Java Result: 401
    Total time: 4 seconds
    However, when I use my browser to go to http://wblv-ep-sp05.mycompany.com:1822 , I connect successfully using the same username/password specified in the ant target.

    Hi Maclemon,
    That's a helpful answer but I ran out of yellow stars
    SSH is allowed in Server Admin > Settings > General, and 'all users and groups' have the same access for all services under Server Admin > Settings > Access.
    id root shows
    uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 20(staff), 4(tty), 80(admin), 29(certusers), 5(operator)
    Security advice: direct root ssh login should be disabled under any circumstances unless explicitly necessary. (eg creating a OD Replica)
    In fact I am trying to create an OD replica. My interpretation of the documentation is that if SSH is checked under Server Admin > Settings > General then the Replica should have sufficient access. Am I missing a step here?
    In fact when I try to create a replica I get the following message in Server Admin on the replica "Error while writing settings (Could not connect to teh Open Directory Master using SSH)". At this point the OD master shows the message mentioned in my OP.
    Many thanks for your interest,
    b.

  • How to join free public wifi that's computer to computer?

    There's a signal in my airport menulet labeled "free public wifi" but if I try to join it, it shows up in the airport pane of the network preference as "computer to computer" and I can't get to the internet with it.
    Does anyone know what this means? or how to access this network? Thanks.

    Hi Marlene
    This is apparently a fake service that exploits wireless networking. You should not connect to it.
    Airports - a threat to identity security
    Read down to the bottom of the article for Mac security advice on how to secure your wireless networking.
    Also:
    http://www.tek-tips.com/viewthread.cfm?qid=1239991&page=1
    regards roam

  • Your very own OpenID server! What's it running?

    I'm looking into setting up my own OpenID server, and am pleasantly surprised to see so many options across so many languages!  So this leads me to having to ask: what do you use and why?  Any security advice you can give about it?  Possible exploits?
    Mod-edit: thread re-opened based on this clarification of the question
    My concern is old code.  There was a vulnerability found in March 2012, for example; see here: http://en.wikipedia.org/wiki/OpenID#Authentication_bugs
    OpenID suggests a few projects here: http://wiki.openid.net/w/page/12995226/ … y%20server
    If we think in the scope of what the wiki suggests, here's what's available (and the last modification dates to the code):
    Community ID, Feb 17, 2010: http://sourceforge.net/projects/communityid/ (author's website is offline)
    Prairie, September 22, 2008: http://barnraiser.org/prairie
    phpMyID, July 23, 2008: http://siege.org/phpmyid.php (author declared the project dead)
    Janrain php-openid, seems to be recent: http://janrain.com/openid-enabled/
    Clamshell, August 1, 2008: http://wiki.guruj.net/Clamshell!Home
    InfoGrid id-lid, looks current, but looks like an API more than a server/service: http://infogrid.org/trac/wiki/Projects/ig-lid
    SimpleID, January 26, 2012: http://simpleid.sourceforge.net/
    As I'm sure you gathered, many of these projects are years out-of-date.  For a server/service that will help me log into accounts, I do not want to fall to security vulnerabilities (we're talking identity theft, here), and I've only found one or two out there that could meet my needs.
    Last edited by ngoonee (2012-08-30 05:16:14)

    ngoonee wrote:
    Come on synthead, you've been around long enough to know that such open-ended questions lead nowhere.... Dustbinned for deletion.
    EDIT: reopening on synthead's request and direct clarification.
    Thanks a lot, I really appreciate that   I should have been more descriptive in my post.
    So I decided to try SimpleID on my webserver, and when trying to use it to log into Stack Overflow, I get this (please note: censored URL):
    Stack Overflow wrote:
    Unable to log in with your OpenID provider:
    The OpenID Provider issued an assertion for an Identifier whose discovery information did not match. Assertion endpoint info: ClaimedIdentifier: https://-censored- ProviderLocalIdentifier: https://-censored- ProviderEndpoint: https://-censored OpenID version: 2.0 Service Type URIs: Discovered endpoint info: [{ ClaimedIdentifier: http://specs.openid.net/auth/2.0/identifier_select ProviderLocalIdentifier: http://specs.openid.net/auth/2.0/identifier_select ProviderEndpoint: https://-censored- OpenID version: 2.0 Service Type URIs: http://specs.openid.net/auth/2.0/server http://simpleid.sourceforge.net/type/version#0.8.1 http://specs.openid.net/extensions/ui/1.0/mode/popup http://specs.openid.net/extensions/ui/1.0/icon },]
    Other services also throw errors, but nothing as descriptive as SO's.  What could be the matter here?
    Last edited by synthead (2012-08-30 05:21:28)

  • No Sound in Fedora Linux with flash-plugin-9.0.115.0

    Hi ... I've checked everything I think I can ... I have alsa
    configured and that works ... confirmed with mplayer:
    mplayer -ao alsa:device=INTERNAL http://wnyc2.streamguys.com:80
    Yet no sound from flash ???
    Flash 7 was working fine ....
    Thoughts???

    kcell,
    thanks for the reply. Actually you are a bit ahead of me. I
    have a single web-server and I'm not actually trying to cross
    domains! However, the security advice says (page 4 of the link I
    gave in my original post)
    "A URL policy file authorizes data loading from its own HTTP,
    HTTPS, or FTP server, whereas a socket policy file authorizes
    socket connections to its own host."
    So because I'm using a socket connection I still need a
    crossdomain.xml. For this socket connection I am going to open up
    port 843 (as Adobe recommends) on my web-server for this policy to
    be loaded when calling flash.socket.connect(...).
    However, that isn't actually my problem. What I've also done,
    I think, is added a line to my crossdomain.xml file that will
    define a meta-policy, to prevent clients from other domains
    accessing my server (also recommended by Adobe). The line is:
    <site-control permitted-cross-domain-policies="master-only"/>, but I don't
    think my SWF is reading the file because I get that error message:
    Warning: Domain 192.168.5.201 does not specify a meta-policy.
    Applying default meta-policy 'all'. This configuration is
    deprecated. See
    http://www.adobe.com/go/strict_policy_files
    to fix this problem.
    Sorry about the excessive waffle!

  • Can't startup computer after 10.4 install...

    Hi, I just installed 10.4 from a DVD on my trusty G4 Quicksilver, and now when I try to restart I get the grey Apple and spinning timer, then the Apple turns to a "No symbol" (Zero with a slash through it) and nothing else happens... Luckily I still have 10.2.8 on another drive or I'd be out of luck. Any idea what I need to do to fix this? Go back to 10.3.9? I checked the permissions (ok), and even ran the installer again - no luck.. Any advice appreciated!

    Macworld Mac Basics Superguide
    A straightforward guide to getting started with Mac OS X.
    Helpful tips on getting started with Safari, Mail, and other included software
    Detailed tips and information about using the Finder, the Dock, and Apple's Spotlight search tool
    Running and switching between programs
    Setting up system preferences and user account
    Vital troubleshooting and security advice
    If you're switching to the Mac from Windows, you'll find helpful guides to the Mac equivalents of familiar Windows features
    And much more!
    Let Macworld's team of experts show you how to get the most out of your Mac.
