Reinventing the Web

Tim Berners-Lee

We have seen some successful technical “reinventions” of the Web, such as HTTP/2 and HTML5 making sites faster and more responsive, but this “Web’s Creator Looks to Reinvent It” initiative is not new; I will come to that later.

There are a number of issues that have concerned many people, not just in the IT Security industry, but many regular internet users.

Snowden’s leaks: whatever you may think of the rights and wrongs of him making these disclosures, the lengths government agencies go to in order to snoop are a concern to anyone who understands them.

Facebook has been accused of meddling in US elections and Google has been caught out manipulating Brexit searches. There are many other cases, along with promises that they are not doing it, that it’s too complex to understand, etc. But do you really believe them? Maybe you don’t care.

Google does have many alternatives; a couple are duckduckgo.com, which addresses the bias, and startpage.com, which addresses the privacy issues, but neither has picked up many users. Maybe if the close to half of English users who support leaving the EU were aware there was an unbiased alternative search engine they would use it. I tend to use Google a lot, as I use a lot of tools that only they have (dorks etc.), but I am sure that is not the case for the loyalty shown by the majority of users; I think it is just familiarity and lack of knowledge of an alternative.

Facebook, now that’s an interesting one: they really have a monopoly in the Western world. There were a few competitors in the early days, but they are all gone now. Facebook has become a huge part of people’s lives. I default to Skype if I need to contact friends or family, but there are some who will only respond to Facebook Messenger.

There have been a number of open source alternatives, and to reinvent the Web as Tim Berners-Lee suggests, an open source alternative to Facebook is what would be needed. The most up to date and vibrant alternative is the diaspora* project; much of the initial funding came from Mark Zuckerberg (Facebook founder). It works, and I have set up a few diaspora* servers myself, but it is now impossible to unhook a large enough proportion of the population from Facebook and get them involved in anything else; that is the nature of social networking.

Put it another way: not one of the top ten celebrities on Facebook has a diaspora* account. I bet none in the top 100 do either, but it would take me too long to confirm that.

I suspect that this very well-meaning group of the technically able can create alternatives, but they do not have the ability to get people to switch over.

Enabling HSTS

HTTP Strict Transport Security is a very simple addition to deploy on top of HTTPS. It doesn’t provide the TLS itself (you still need HTTPS configured), but the Strict-Transport-Security header tells client browsers, and pre-populated preload lists such as Google’s here tell them even before a first visit, that the site only delivers content over https://, with no exceptions. That closes off man-in-the-middle attacks that rely on a plain http:// request being made. While the only page on this site that would have been exposed to an MitM attack is the contact me page, it’s nice to see the shiny A+ compared to my old bank’s B rating.


For me it’s just an exercise in vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don’t do online banking on public WiFi; really, don’t do it until they start employing HSTS and stop using insecure ciphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

<VirtualHost *:80>
 ServerName yourdomain.com
 Redirect permanent / https://yourdomain.com/
</VirtualHost>

or adding this to your .htaccess:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Check for any mixed content issues (insecure content loading in your now secure page); this tester will point you in the right direction.

And again in the .htaccess, add the required header itself.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

15552000 is about 6 months in seconds and satisfies the ssllabs tests. A lower value will work for Google, even as low as 6 weeks, but as enabling HSTS is difficult to reverse it will make little difference, and you might as well earn an A+ rating.

Run a test at https://www.ssllabs.com/ssltest/analyze.html and check near the bottom for:

Strict Transport Security (HSTS) Yes
 max-age=15552000; includeSubDomains; preload

If you see that, all is good; add your domain to Google Chrome’s HSTS preload list here: https://hstspreload.appspot.com/

All the other browsers “feed” from the centralised list. As of today I’ve not been added, but there is no reason I won’t be.
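The ssllabs check above is a manual step; the following is an added example (not code from the original post) that automates the same verification: it parses a Strict-Transport-Security header value and reports whether it meets the settings this post recommends (max-age of at least 15552000, includeSubDomains and preload). The threshold constant and the sample header values are constructed here and are assumptions, not taken from a real site; the fetch_hsts helper uses only the standard library.

```python
import http.client

# Assumed threshold: the post's ~6 month max-age that satisfies the ssllabs test.
MIN_MAX_AGE = 15552000

# Constructed sample header values (not captured from real sites).
SAMPLE_HEADERS = {
    "good": "max-age=15552000; includeSubDomains; preload",
    "short": "max-age=300",
    "no-preload": "max-age=31536000; includeSubDomains",
    "missing": None,
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of lower-cased directives.

    Directives are separated by ';' and their names are case-insensitive (RFC 6797);
    valueless directives such as 'preload' map to an empty string.
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, min_max_age=MIN_MAX_AGE):
    """Return (ok, problems) for one header value against the post's settings."""
    problems = []
    directives = parse_hsts(value)
    if directives is None:
        return False, ["no Strict-Transport-Security header"]
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < min_max_age:
        problems.append(f"max-age {max_age} below {min_max_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return (not problems), problems


def fetch_hsts(host):
    """Fetch the live header from a host over HTTPS (needs network; not used below)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        ok, problems = check_hsts(header)
        print(f"{label:11} {'OK' if ok else '; '.join(problems)}")
```

Browsers only honour the header when it arrives over HTTPS, so the check is only meaningful on the https:// response; and since the preload list's own submission rules have raised the minimum max-age since this post was written, compare against the current requirements on the preload site before submitting.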

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and for communicating with each other, but they tend to run all their anti-spam and antivirus filtering on the same server. This brings up a number of issues.

  1. Windows Server antivirus and anti-spam products tend to be resource intensive.
  2. Legislation in most locales requires that all email is archived for x number of years; if 80% of your email is spam, that means archiving the spam too.
  3. Your DNS MX record is advertised to the world; while security through obscurity is never the answer, why advertise your public IP?
  4. RBLs will blacklist your public IP if you are found to have a spam-producing virus, causing your outbound mail to bounce; it can take weeks to get off Gmail’s and Hotmail’s spam lists.
  5. Some ISPs are not reliable; while a small office may be unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25, which is used to relay mail between servers, if they see what they consider abuse, normally sending a warning first.


The answer to these risks is hosting a mail relay off-site, maybe even two if you want that resilience, though over the last 5 years, apart from reboots forced by updates taking 10 minutes every few months, I’ve not seen a customer-impacting outage.

Your office mail server can then block all incoming and outgoing SMTP traffic except to and from the mail relay, with the relay deleting the most obvious spam and all the viruses before the mail is delivered to your office. It also filters outgoing email, ensuring you are not spreading viruses in the company’s name, and enforces any other security policies you may have in place. Most abuse against an Exchange Server is against port 25; the public will not even see that it exists, and it makes it far less obvious what your public IP is.

You can block on your firewall all SMTP traffic on the network except between the server and the relay, so if someone brings in an infected laptop and joins your network, it won’t get you RBL listed and the ISP won’t block your port 25.
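The relay-only rule in the two paragraphs above is easy to state and easy to get subtly wrong, so here is an added example (not code from the original post or from any of the products it mentions) that encodes the policy, audits a set of connection records against it, and emits the equivalent iptables FORWARD rules. All addresses are constructed placeholders from the documentation ranges, and the six sample flows are constructed too; the only network knowledge assumed is that the office mail server sits on the LAN and the relays sit off-site.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (RFC 1918 / TEST-NET ranges), not a real deployment.
OFFICE_LAN = ip_network("192.168.10.0/24")
MAIL_SERVER = ip_address("192.168.10.5")                                  # office mail server
RELAY_HOSTS = {ip_address("203.0.113.25"), ip_address("198.51.100.25")}  # the off-site relays
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def smtp_allowed(flow):
    """The relay-only policy: SMTP may cross the office boundary only between the
    mail server and one of the relays, in either direction. Traffic on other
    ports is outside this policy and is left alone here."""
    if flow.dport != SMTP_PORT:
        return True
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return (src == MAIL_SERVER and dst in RELAY_HOSTS) or \
           (src in RELAY_HOSTS and dst == MAIL_SERVER)


def audit(flows):
    """Return the SMTP flows the policy drops, each tagged with why it matters."""
    dropped = []
    for flow in flows:
        if smtp_allowed(flow):
            continue
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src in OFFICE_LAN and src != MAIL_SERVER:
            reason = "LAN host sending SMTP directly (infected laptop?)"
        elif dst == MAIL_SERVER:
            reason = "inbound SMTP to the mail server not from a relay"
        else:
            reason = "SMTP outside the server<->relay pair"
        dropped.append((flow, reason))
    return dropped


def iptables_rules():
    """Equivalent iptables FORWARD rules for the policy above. Standard iptables
    syntax; loading them is firewall-specific, so this only returns the lines."""
    rules = []
    for relay in sorted(RELAY_HOSTS):
        rules.append(f"iptables -A FORWARD -p tcp --dport {SMTP_PORT} "
                     f"-s {MAIL_SERVER} -d {relay} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p tcp --dport {SMTP_PORT} "
                     f"-s {relay} -d {MAIL_SERVER} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -p tcp --dport {SMTP_PORT} -j DROP")
    return rules


# Constructed sample connection records.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "203.0.113.25", 25),   # server -> relay: allowed
    Flow("198.51.100.25", "192.168.10.5", 25),  # relay -> server: allowed
    Flow("192.168.10.77", "192.0.2.10", 25),    # a LAN laptop spamming out: dropped
    Flow("192.0.2.99", "192.168.10.5", 25),     # Internet host probing port 25: dropped
    Flow("192.168.10.5", "192.0.2.10", 25),     # server bypassing the relay: dropped
    Flow("192.168.10.77", "192.0.2.10", 443),   # ordinary HTTPS: not SMTP, untouched
]


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DROP {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
    print("\n".join(iptables_rules()))
```

The audit step is the part worth keeping around: run it over real firewall logs and the first reason line is exactly the infected-laptop case the text describes, visible before an RBL listing tells you about it.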

I have for more than a decade used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine, and for some strange reason requires separate IP addresses for inbound and outbound. The costs are not so low for these to be hosted outside the office, and the performance and usability are no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance. As a guide, I have 50 (heavy) users on one $20 a month DigitalOcean instance, where processor and memory never go over 20%, and 600 (more regular) users on 2x $40 instances at different data centres.

This mitigation in no way suggests that you do not run antivirus software on the workstations; this is still essential, as not all virus infections come from email. You should still have anti-spam filtering to fine-tune the removal of the less obvious spam, as it is simplest to set the relay to delete only the obvious; Microsoft’s own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation, which includes amongst others ClamAV for virus detection and SpamAssassin for spam detection, is fine in most cases. Also, unlike Symantec’s pricing model, most additions to MailScanner are not charged on a per-user licence model.

This model works just as well in a distributed environment if you have a co-located mail server. I have even added a mail relay to a heavily firewalled website that wanted to hide the real IP of the host, which was previously being leaked in automated emails from the site and had led to a layer 3/4 DDoS attack.

If you want assistance in setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

Hacking the Hackers

Well, not quite hacking as most people think of it, but technically it is, and it’s great.

There is a common theme when you have cleaned up some malware for someone: they have likely spent a while confused by what’s going on, and again by the cleanup, maybe been hit in the pocket, and if it’s the first time they can take it personally; if their confidentiality was breached it will be very personal.

Often when I get into conversation with victims, they will say “can’t we hack them back?”. When a mail server was recently hacked and hurt a client’s reputation by sending out millions of spam messages, the question was “can’t we bounce the spam back at them?”. In nearly all cases, even if we could, we wouldn’t know who “them” was.

What I might do, if they now have a firewall in place, is get them to enjoy looking at their audit reports, at the wasted effort hackers are going to as the firewall deflects all the bad actors, such as this:


While that can give some satisfaction, tying up the resources of the criminal hackers’ bots, it really is nothing compared to what Illusive Networks have developed. Honeypots are not a new idea, and are often designed to monitor the behaviour of automated attacks, but Illusive have developed a system that will trick human hackers into believing they have struck gold, giving them access not just to a fake network and server but to the data as well, drawing them in deeper and taking advantage of an addictive behaviour problem seen in criminal hackers.

Why I call this hacking: well, it is. This is social engineering, human hacking; ironically it’s well known that humans are easier to hack than machines, so Illusive really have turned the tables.

Current offerings are not for small businesses, but I do hope someone develops something similar for the majority. Apart from what I expect is a very effective proactive method of defence, there will be a certain satisfaction for the intended victim when looking at those audits.

You can read more about Illusive Networks here at TechCrunch.

Switching a WordPress site over to HTTPS/SSL

WordPress.com, the official hosted version of WordPress, has switched over to enforcing SSL. While this is mostly a political statement, there is some merit: firstly, you might actually have some forms which should be secure, allowing users to communicate using the secure channel HTTPS provides; secondly, Google has started giving a slight boost to your PageRank when they see SSL in place.


But if you host your own server, you need to enable SSL and provide a certificate yourself.

First, check Apache is listening on 443:

netstat -ntpl | grep 443

Create a Certificate Request

If all you need is secure forms and a green padlock, as I have used here, you can use a RapidSSL certificate at $12.99 a year here.

You can also get a suitable free certificate from StartSSL, I have a walk through here for that.

https://www.digicert.com/ssl-certificate-installation-ubuntu-server-with-apache2.htm

The link above is a great walk-through on enabling SSL and copying the certificate and key over to your server.

To redirect http URLs to https, do the following:

<VirtualHost *:80>
 ServerName www.example.com
 Redirect / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
 ServerName www.example.com
 # ... SSL configuration goes here
</VirtualHost>

Quite often we see that while everything else is working, a firewall might be blocking port 443. Check to see if iptables is blocking:

iptables -L -n

If not, add the rule:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables-persistent save

Check to see if UFW is blocking:

ufw status

If you don’t see HTTPS or SSL listed:

ufw allow https

If your padlock is broken, you likely have some non-SSL content whose URL needs altering manually. To check for non-HTTPS content use this Why No Padlock tool.
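Both this section and the HSTS steps earlier on this page point at an online tester for mixed content; the following is an added example (not the Why No Padlock tool, nor code from the original post) of the same check done offline: it walks a page’s HTML with the standard library parser and lists every sub-resource reference that resolves to http:// when the page itself is served over https://, which is what breaks the padlock. The sample HTML and the https://example.com/ page address are constructed for the example; inline CSS url() references are an assumption left out of scope.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes on which the browser fetches a sub-resource. An http:// value in any of
# these on an https:// page is mixed content. A form action is not a sub-resource,
# but an http:// action also draws a browser warning, so it is checked as well.
URL_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every reference that resolves to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    @staticmethod
    def _candidates(attr, value):
        # srcset is "url descriptor, url descriptor, ..."; everything else is one URL
        if attr == "srcset":
            return [part.split()[0] for part in value.split(",") if part.strip()]
        return [value]

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        for attr, value in attrs:
            if attr in wanted and value:
                for candidate in self._candidates(attr, value):
                    # Relative and protocol-relative ("//host/x") references inherit the
                    # page's https scheme, so only an explicit http:// is a finding.
                    resolved = urljoin(self.page_url, candidate)
                    if urlsplit(resolved).scheme == "http":
                        self.findings.append((tag, attr, resolved))


def scan(html, page_url):
    """Return the list of insecure references found in html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suggested_fix(url):
    """The manual fix the text refers to: point the reference at https:// instead."""
    return "https://" + url[len("http://"):]


# Constructed sample page, assumed to be served at https://example.com/ (not a real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<script src="//example.com/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://example.com/banner.png" srcset="http://example.com/banner@2x.png 2x">
<form action="http://example.com/contact"><input type="submit"></form>
</body></html>
"""


if __name__ == "__main__":
    for tag, attr, url in scan(SAMPLE_HTML, "https://example.com/"):
        print(f"<{tag} {attr}> {url}  ->  {suggested_fix(url)}")
```

Feed it the saved HTML of a page (or the output of a fetch) and every line it prints is one URL to edit in the post or theme; references that use a relative path or the protocol-relative form are reported clean because they follow the page’s own scheme.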

This of course is another one of my reminder walkthroughs, which I will update as I find better instructions; I welcome any improvements.
