How to Survive

From 23C3 Public Wiki


Securing your System:

http://www.williamhpeters.net/syb_eng.png


How do I know which services are secure?

  • Bugtraq
  • Mailinglists
  • Usenet

Tools to find out what services are running
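As an added example (not from the original page): a small POSIX shell script that parses the output of netstat -tulpn, drops sockets that are bound to loopback only, and prints the program names behind the sockets reachable from the network. The netstat output embedded below is constructed, not captured from a real host; on your own box feed the functions the real command, run as root so the PID/Program column is filled in.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: triage the listening
# sockets on a Linux box before plugging it into the congress network.
# Real use:   netstat -tulpn | exposed_programs        (as root)
# The column layout below is netstat's; `ss -tulpn` differs slightly.

# Constructed sample of `netstat -tulpn` output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1033/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      590/portmap
tcp6       0      0 :::6000                 :::*                    LISTEN      2211/X
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient'

# listeners: read netstat -tulpn output on stdin, print "proto local_address pid/program"
# for every listening TCP socket and every bound UDP socket.
# UDP rows have no State column, so the program is field 6 instead of 7.
listeners() {
  awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $1, $4, $7 }
       $1 ~ /^udp6?$/                   { print $1, $4, $6 }'
}

# exposed_listeners: drop sockets bound to loopback only (127.x / ::1); those
# cannot be reached from the congress network, everything else can.
exposed_listeners() {
  listeners | awk '$2 !~ /^(127\.|::1:|\[::1\]:)/'
}

# exposed_programs: sorted, unique program names behind the exposed sockets,
# i.e. the list of services to stop (or firewall) before going online.
# LC_ALL=C keeps the sort order independent of the user's locale.
exposed_programs() {
  exposed_listeners | awk '{ n = split($3, a, "/"); print a[n] }' | LC_ALL=C sort -u
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_programs
```

Stop what it lists with the init-script commands in the next section, then run it again; anything you keep (sshd, say) should be a deliberate exception. lsof -i -P -n shows the same information from the process side, and nmap from a second machine confirms the view from outside.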

Disabling services in Windows / Linux / Mac

  • Linux (System V style init)

'/etc/init.d/$service stop' stops the service until the next boot. To keep it from coming back, remove its start links as well: 'update-rc.d -f $service remove' on Debian, 'chkconfig $service off' on Red Hat or SUSE.

  • FreeBSD, NetBSD and others (rc.d-style init, "rcNG")

'/etc/rc.d/$service stop' stops it now; set ${service}_enable="NO" (FreeBSD) or $service=NO (NetBSD) in /etc/rc.conf so it stays off.

  • Windows

Start -> Control Panel -> Administrative Tools -> Services (or run 'services.msc') -> Properties of the service -> Stop, and set its Startup type to "Disabled", otherwise it is back after the next reboot.

Good documentation about disabling services in Windows (German only): http://www.dingens.org/ and http://www.ntsvcfg.de/

Another (detailed) documentation on how to disable unnecessary Windows services: http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

  • Mac (OS X)

Go to System Preferences -> Sharing -> Services and uncheck everything you don't need running. On the Firewall tab you can also enable the firewall (which would be the smart thing to do).

Physical Security

Introduction

In principle one protects the software, but don't forget the risk of physical access: what good are closed ports if the box gets rebooted or stolen? With one 40 MB boot CD all your software measures are bypassed.

You'll find here basic information you can use to protect your system both against the physical dangers of the Congress and against physical access by drunk hackers.

Prevention of theft

First we discuss protection against theft, because it is a very important aspect of physical security: if a laptop or hard disk is stolen there is the financial damage of the lost hardware, but often the greater damage is the loss of the data stored on it (if no backup was made before the Congress). And the data is then in the hands of someone who may use this personal, confidential or business data as they see fit.

Attention: This year hardware will not be labeled anymore, so keep a close eye on your hardware!

Under no circumstances should you rely on the security of Kensington locks and similar products! They are only a partly effective simulation of security and will not stop a thief who can cut cardboard. If you want to know more about this topic, ask the lock-pickers, of whom a sizeable number should attend the Congress.

Being prepared, in case shit happens

But if you take other variables into account, for example the normal "Verpeilungsfaktor" (German, roughly "mess-around factor"), you should always assume that your computer or your data may get lost. There is no such thing as an absolutely secure system! (Also, every system needs regular care in terms of security updates etc.)

Therefore, as a matter of principle, make a backup of all important data! In case of theft it is also important to have noted down all your serial numbers in advance (especially that of your hard disk, which hdparm -I prints, because data thieves might steal only your disk) if they are not already on your hardware invoice (which you should have available should you need to contact the police).

The simplest rule for decent security is: never lose sight of your laptop. Best is to carry it around with you all the time (greatly increasing your ability to take notes during lectures as a side effect). You can also ask trustworthy people to guard your (portable) computer. This is especially useful if the box is "hard wired" to the network transferring large files while you would rather go to a lecture. Also it might be a bit awkward to take it with you to the lavatory. But everyone has to decide for themselves the level of intimacy with their computer.

What to do if your equipment is away

First of all, don't panic!

Check the area around you; sometimes people put equipment under the desk or shift it to the next desk, and it may get buried under lots of other stuff.

If you can't find it, ask the people around you and ask your friends; maybe someone put the equipment in a safe place for you.

If the equipment is still missing, please contact HonkHase via DECT 113. He will clarify the next steps, e.g. filing a complaint with the police so you can possibly get the money back from an insurance company, checking outgoing equipment at the exits of the 23C3, searching the whole building, noting your contact details to check whether your equipment turns up at the end of the Congress as "lost+found" stuff, etc.

BIOS-Password

To ensure that nobody can bypass your password barriers with simple physical access, for example by booting a Knoppix live CD or something similar, prevent that directly in the BIOS: configure it to boot from the hard disk only and protect this setting with a BIOS setup password.

Some BIOSes are insecure enough that a more or less clever person can still boot from other media (a boot menu key that ignores the boot order, for example). Therefore we suggest (at least for the time of the Congress) also setting a general boot password in the BIOS. Keep in mind that either password only stops casual attackers: with the case open, clearing the CMOS resets both.

Note: In this text we assume that you already know about password security (e.g., don't use passwords like "root", "$PASSWORD", "GoGetNaked", "hackme", "Jenny" or "Oak"...)

Macintosh Computers

Set an Open Firmware Password: http://docs.info.apple.com/article.html?artnum=106482

Please note that this also applies to Intel-based Macs, although they use EFI instead of Open Firmware.

Bootloader configuration

As another security measure, make sure it is not possible to override the normal boot process by adding "init=/bin/bash" to the kernel parameters in your (Linux) boot loader. That would fire up a bash with root privileges, without ever prompting for the root password.

This step is very important! You can also configure the boot loader so that you are asked for the password only when someone wants to add extra parameters.

LILO security

To configure LILO to ask for a password, add to /etc/lilo.conf (in the global section, so that it covers every image):

password=""

If you only want to be prompted when someone appends parameters to the kernel command line (the init=/bin/bash case), add as well:

restricted

Then run "/sbin/lilo -p" and enter the password you want to use; it is stored in hashed form in /etc/lilo.conf.shs. If you write the password literally into lilo.conf instead, it sits there in cleartext, so chmod 600 /etc/lilo.conf. Run /sbin/lilo again after every change to lilo.conf, otherwise the boot sector still carries the old configuration.

If your password contains characters that sit on different keys on a US layout, tell LILO about your keyboard layout, because at the boot prompt it assumes US:

/usr/sbin/keytab-lilo.pl de > /boot/de.ktl

and add the following line to /etc/lilo.conf:

keytable = /boot/de.ktl

GRUB security

First create a password hash with /sbin/grub-md5-crypt, which prompts for the password and prints its MD5 hash. Then add to GRUB's configuration file, /boot/grub/grub.conf (called /boot/grub/menu.lst on Debian and derivatives), in the global section before the first "title" line, the line "password --md5 <hash>", replacing <hash> with the output of grub-md5-crypt. From then on GRUB asks for the password before it lets anyone edit a menu entry ("e") or use the command line ("c"), which is where init=/bin/bash would be appended. Because the hash is in the file, the cleartext form "password <word>" is not worth using, and keep the file readable by root only.

An additional "lock" line inside a menu entry (after its "title") makes the password necessary every time you want to start that image. Use it if there are "other" operating systems on your computer which don't have privilege management: booted unprotected, they could be used to get at your data and override your protection.
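As an added example (not from the original page): a POSIX shell script that checks a LILO or GRUB (legacy) configuration for the protections described in this section, namely a password line, "restricted" for LILO, a hashed rather than cleartext password for GRUB, and "lock" on menu entries. The configuration texts embedded in it are constructed for the demo, and the GRUB hash in them is a placeholder, not a real grub-md5-crypt output.

```shell
#!/bin/sh
# Added example, not from the original page: audit a LILO or GRUB legacy
# configuration for boot-time password protection. Each function reads the
# config on stdin and prints one finding per line; no output means no complaint.
#   lilo_audit < /etc/lilo.conf
#   grub_audit < /boot/grub/menu.lst      # or /boot/grub/grub.conf

# Drop comments and blank lines, strip leading whitespace.
_clean() { sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d'; }

lilo_audit() {
  _clean | awk '
    /^password[ \t]*=/ {
      pw = 1
      # password="" means the hash lives in /etc/lilo.conf.shs (written by lilo -p);
      # anything else on that line is a cleartext password inside lilo.conf.
      if ($0 !~ /^password[ \t]*=[ \t]*""[ \t]*$/) clear = 1
    }
    /^restricted/ { restricted = 1 }
    END {
      if (!pw) print "lilo: no password line, init=/bin/bash boots straight to a root shell"
      if (pw && clear) print "lilo: cleartext password in lilo.conf, use password=\"\" with lilo -p and chmod 600 lilo.conf"
      if (pw && !restricted) print "lilo: note: without restricted every normal boot asks for the password too"
    }'
}

grub_audit() {
  _clean | awk '
    /^title/ { t = $0; sub(/^title[ \t]+/, "", t); n++; title[n] = t; in_entry = 1 }
    /^password/ && !in_entry {          # global password: only counts before the first title
      pw = 1
      if ($2 != "--md5") clear = 1      # "password word" is stored in the clear
    }
    /^lock/ && in_entry { locked[n] = 1 }
    END {
      if (!pw) print "grub: no global password line, the menu can be edited (e) to add init=/bin/bash"
      else if (clear) print "grub: cleartext password, generate a hash with grub-md5-crypt and use password --md5 <hash>"
      if (n > 1)                        # lock only matters when other systems share the menu
        for (i = 1; i <= n; i++)
          if (!locked[i]) print "grub: note: entry \"" title[i] "\" boots without the password (add lock if it is an OS without privilege separation)"
    }'
}

# Constructed sample configurations (not from any real machine).
LILO_WEAK='boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only'

LILO_OK='boot=/dev/hda
prompt
timeout=50
password=""
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only'

GRUB_WEAK='default 0
timeout 5
title Debian GNU/Linux
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda1 ro
title Windows
rootnoverify (hd0,1)
chainloader +1'

# The hash below is a placeholder, not a real grub-md5-crypt output.
GRUB_OK='default 0
timeout 5
password --md5 $1$EXAMPLE$notARealHashReplaceMe0000
title Debian GNU/Linux
root (hd0,0)
kernel /boot/vmlinuz root=/dev/hda1 ro
title Windows
lock
rootnoverify (hd0,1)
chainloader +1'

# Demo: the weak GRUB config yields three findings, the hardened LILO one none.
printf '%s\n' "$GRUB_WEAK" | grub_audit
printf '%s\n' "$LILO_OK" | lilo_audit
```

The checker deliberately treats a missing "lock" as a note rather than an error, matching the advice above: it only matters for entries that boot a system without its own access control.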

Access control for the running System

Leaving a running system unguarded is a big risk for its security. The most important rule is: "Never leave an open root shell!" You should however also log out "normal user" sessions before leaving your box; a user session is enough to read your mail and copy your SSH keys.

There has been a case (ask the guys of the Chaostreff Heidelberg) where someone went to the men's room leaving his root session open...

If you don't want to take your equipment with you every time you go to take a leak, then before handing your box over to others to guard it, definitely close or lock all sessions.

*nix

There are tools like xscreensaver or vlock, which can be used for this. Additionally, most window managers have a special "lock session" function.

TODO: An xlock/vlock function on ACPI "lid close" would be a cool thing.
      You'd have to edit /etc/acpi/default.sh,
      find out if a user is logged in on a vc or an X server
      and then run vlock or xlock (maybe parse "w" output?)

Small script to lock all open X11 displays - very simple, works for me, though
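The lid-close lock sketched in the TODO above, as an added example written for this page (it is not the "small script" the page refers to, which is not reproduced here): a POSIX shell script that finds the X sessions from the output of who and runs a screen locker in each of them as the owning user. It is meant to be called from the acpid lid handler; the handler path is distribution-specific, the who output below is constructed, and it assumes xscreensaver is running in the sessions (xlock works the same way, see LOCK_CMD).

```shell
#!/bin/sh
# Added example, not from the original page: lock every running X session
# when the lid closes. Call it from the acpid lid-button handler
# (e.g. /etc/acpi/lid.sh; the path differs between distributions), which
# runs as root. Real use:   who | lock_all
# An X login shows its display in who's last column, e.g. "(:0)".

# Constructed sample of `who` output, not taken from a real host.
SAMPLE_WHO='alex     tty1         2006-12-27 09:41
alex     tty7         2006-12-27 09:42 (:0)
guest    tty8         2006-12-27 11:05 (:1)
alex     pts/0        2006-12-27 10:03 (:0.0)
root     pts/1        2006-12-27 12:15 (10.0.0.7)'

# x_sessions: read `who` output on stdin, print "user display" once per display.
# Terminals opened inside X carry ":0.0"; the screen suffix is dropped so each
# display is locked once. Remote logins (IP address in parentheses) are ignored.
x_sessions() {
  awk '
    $NF ~ /^\(:[0-9]+(\.[0-9]+)?\)$/ {
      d = substr($NF, 2, length($NF) - 2)   # strip the parentheses
      sub(/\.[0-9]+$/, "", d)               # ":0.0" -> ":0"
      if (!seen[d]++) print $1, d
    }'
}

# lock_all: run the locker in every X session, as the owning user so that the
# user's X authority file is found. LOCK_CMD can be overridden, e.g.
# LOCK_CMD=xlock; xscreensaver-command needs a running xscreensaver daemon.
# </dev/null keeps su from swallowing the rest of the session list.
lock_all() {
  : "${LOCK_CMD:=xscreensaver-command -lock}"
  x_sessions | while read -r user display; do
    su "$user" -c "DISPLAY=$display $LOCK_CMD" </dev/null
  done
}

# Demo on the constructed sample: show which sessions would be locked.
printf '%s\n' "$SAMPLE_WHO" | x_sessions
```

Text consoles are not covered: vlock has to be run from the console it locks (vlock -a locks all of them), so lock those yourself before closing the lid.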

If a person has physical access to a box where these preparations have been made, i.e. there are no open sessions, there are still ways of attacking. Make sure your login.defs and login.access are configured reasonably (see the man pages and the commented example files).

Additionally you can limit the consoles on which root may log in, in the configuration file /etc/securetty. A little "security by obscurity" hint: don't allow it on the first console, which is the one most likely to be tried. You could for example allow only console 13; seldom does anyone think of trying it there. It should be clear that manual "brute force" logins are nearly impossible, but you never know. Maybe somebody was looking over your shoulder... (My computer science teacher always sent everybody out of the room when he was entering important passwords.)

Another thing worth mentioning: even when all consoles are locked and the passwords are theoretically unguessable, most recent notebooks and desktops are equipped with FireWire, which gives a connected device direct access to your RAM and can be quite a lot of fun as well: http://www.ccc.de/congress/2004/fahrplan/event/14.de.html (German only). And who knows, maybe somewhere in the RAM there's a cleartext copy of the necessary password...? If you don't need the port, unload the FireWire driver modules (or disable the port in the BIOS) before the Congress.

Mac OS X

An extensive OS X security whitepaper is available from Corsaire.

Screensaver/suspend lock

You should enable a password prompt when waking from sleep or screensaver. Do so by going to 'System Preferences' -> 'Security' and enable 'require password to wake this computer from sleep or screensaver' option. More options like 'disabling automatic login', 'logging out after a specific period of inactivity' and 'requiring a password to change any of secure system preferences' can also be enabled here.

Keychain Access

Also, you might want to prevent people from accessing your keychain (where all your passwords, from safari, IM clients, etc are stored). Start the Keychain utility (it's under Applications -> Utilities -> Keychain Access). Select the 'login' keychain from the sidebar and go to the menu 'Edit' -> 'Change Settings for Keychain "login"'. There you can choose to lock your keychain as you suspend your computer or after a specific time of inactivity.

By default, the password used to unlock your keychain is the same as the one you use to login to the system. You can change it in Keychain Access by going to the menu 'Edit' -> 'Change Password for Keychain "login"'. If you have some room left in your menubar you can also add the keychain status icon there (enable it via the Keychain Access preferences).

Pair your Mac with your Remote

Just point your remote at your IR receiver (mostly next to the power LED) and hold <Menu> + <Next> for 5 seconds (a big acknowledgement screen will appear, showing a chain and a remote control). Until a Mac is paired it responds to any Apple Remote, so anyone in the hall with one can drive Front Row on your machine.

Other OSs

TODO: What about other operating systems?

Saving your data from others, deletion or yourself ;o)

To prevent access to your data if your hard disk gets ripped out, you can enable the ATA security password on many disks (some BIOSes offer it as a "hard disk password", and newer hdparm versions can set it), which makes the drive refuse reads and/or writes until the right password is given. Treat this as a speed bump only: the data on the platters is not encrypted, and data-recovery outfits and vendor tools can get around it.

If you want to be sure that one cannot access your data by other means, use for example dm-crypt to encrypt your hard disk or single partitions (e.g. /home, /tmp and swap; swap and /tmp matter because they collect copies of whatever you were working on). You can find links to the "Disk Encryption HOWTO" and the "Encrypted Root Filesystem HOWTO" below under "Other information". Reiser4 will support file encryption as well.

For Mac OS X there is an option called FileVault, which encrypts your home directory automatically and transparently.
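Encrypted swap with dm-crypt, as an added example (not from the original page): an /etc/crypttab entry in the Debian-style format that maps the swap partition with a fresh random key on every boot, so nothing that was paged out is readable afterwards. The device /dev/hda5 and the mapping name cswap are placeholders, and the format is the editor's assumption for Debian-based systems; read crypttab(5) on your own distribution before copying it.

```text
# /etc/crypttab (added example): map /dev/hda5 to /dev/mapper/cswap with a key
# read from /dev/urandom at boot. Nothing on the old swap survives a reboot,
# which is the point: swap is where cleartext copies of files and passwords end up.
# Double-check the device name: with a random key the partition is wiped on every boot.
cswap   /dev/hda5   /dev/urandom   cipher=aes-cbc-essiv:sha256,size=256,swap

# /etc/fstab: swap on the mapped device, never on /dev/hda5 itself
/dev/mapper/cswap   none   swap   sw   0   0
```

The "swap" option runs mkswap on the mapping at boot. The manual equivalent is "cryptsetup -d /dev/urandom -c aes-cbc-essiv:sha256 create cswap /dev/hda5" followed by mkswap and swapon on /dev/mapper/cswap. Suspend-to-disk cannot work with a random swap key, since the resume image is unreadable after the reboot; that needs a passphrase-based mapping instead.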

Checklist

  • Set a BIOS password (at least a setup password)
  • LILO/GRUB password (at least "restricted"!)
  • Password security (character mix, non-trivial, etc.)
  • Never leave a root shell open!
  • Back up all important data!
  • Watch over your hardware, or ask someone trustworthy to do so
  • Think about further access control (login.access, securetty, locked sessions)
  • Set the ATA security password of your hard drive
  • Consider using dm-crypt (cryptoloop is obsolete) or other disk encryption tools

Annotations

This manual should not scare you off from bringing your hardware to the Congress. You should however bring some common sense about security with you, because the environment called "23C3" is not really comparable to the protected little LAN at home.

Of course there is no reason to get paranoid, even though security and paranoia go hand in hand a bit. But be careful: just because you're paranoid doesn't mean that nobody will break into your box or is after you.

Have fun on the Congress, aleχ (translation by Scytale)

Other information

Links to HOWTOs:

Surfing

Generally use a secure browser, e.g. [Firefox] (the following text is about this browser). Assume that there will be many people at the Congress who try to exploit security holes in, e.g., Internet Explorer. Firefox is not rock-hard secure, but it is a much better bet than IE. (Turn off JavaScript, or at least allow it only for sites you trust.)

Something about encryption on the web: (Firefox colors the URL bar yellow and shows a padlock when a site is encrypted)

Unencrypted - HTTP

Don't give out personal data when surfing unencrypted at the Congress, e.g.:

  • Username and password for ANYTHING
  • Cookies with user/pass (if you get logged in automatically; the cookie is sent in the clear with every request and is as good as the password)
  • Personal data like address, name, gender, sexual desires ;o)

It could be a good idea to delete all your cookies before the Congress. If you need a backup of them, they are in ~/.mozilla/firefox/<profile>.default/cookies.txt (the profile directory name starts with a random string). In the preferences you can choose to be asked whenever a site wants to set a cookie.

Use the SSH feature called "SOCKS port forwarding" ([ssh -D]) to tunnel HTTP connections through your SSH host at home; the congress network then only sees the encrypted SSH session.

Encrypted - HTTPS

Encrypted connections generally have the advantage that the data cannot be read by anyone sniffing on the network, because they are transmitted encrypted to the web server. You still need to take some precautions, though:

It is possible that others try to intercept your connection ([Man in the Middle Attack]) by placing themselves between you and the web server to read the data in cleartext. On a LAN this usually starts with ARP spoofing, so protect yourself by adding a static ARP entry for the gateway (NOC#SecureNet) and by not simply clicking away browser warnings that a site's certificate has changed (which is a quite clear sign). But there are some sites, for example even this Wiki, which don't have their certificate signed by one of the common authorities, so a warning appears for them as well. You could load the page once before the Congress, from a network you trust, and tell your browser to accept this certificate permanently; afterwards any new warning for that site means the certificate you see is not the one you accepted.
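The static ARP entry above, together with the check that belongs to it, as an added example (not from the original page): a POSIX shell script that reads the output of arp -an, compares the gateway's cached MAC address with the one the NOC gave you, and pins it with arp -s. The gateway IP and MAC in the script are placeholders, not the congress values, and the arp output is constructed; get the real values from the NOC (NOC#SecureNet).

```shell
#!/bin/sh
# Added example, not from the original page: pin the gateway's MAC address and
# notice when somebody else starts answering for it (ARP spoofing is the usual
# first step of a man in the middle on a LAN). Real use, as root, once the NOC
# has confirmed the MAC:
#   arp -an | check_gateway "$GW_IP" "$GW_MAC" && pin_gateway "$GW_IP" "$GW_MAC"
GW_IP="10.0.0.1"               # placeholder, not the congress gateway
GW_MAC="00:11:22:33:44:55"     # placeholder, not the congress gateway's MAC

# Constructed samples of `arp -an` output in Linux format (BSD and Mac OS X print
# MACs without leading zeros, e.g. 0:11:22:..., so compare with that in mind).
ARP_CLEAN='? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.23) at 00:0c:29:aa:bb:cc [ether] on eth0'
ARP_SPOOFED='? (10.0.0.1) at 00:de:ad:be:ef:01 [ether] on eth0
? (10.0.0.23) at 00:0c:29:aa:bb:cc [ether] on eth0'

# gateway_mac IP: read `arp -an` output on stdin, print the MAC cached for IP
# in lowercase, or nothing if the IP is not in the cache.
gateway_mac() {
  awk -v ip="($1)" '$2 == ip && $3 == "at" { print tolower($4) }'
}

# check_gateway IP MAC: read `arp -an` output on stdin; return 0 if the cached
# MAC matches, 1 if it differs or is missing, and say what was seen.
check_gateway() {
  seen=$(gateway_mac "$1")
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$seen" = "$want" ]; then
    echo "ok: $1 is $seen"
    return 0
  fi
  echo "ALERT: $1 is ${seen:-not in cache}, expected $want"
  return 1
}

# pin_gateway IP MAC: make the entry static so spoofed replies no longer
# overwrite it (needs root). Static entries last until reboot, so redo it
# after every boot; if the NOC ever changes the gateway hardware, the pin
# must change with it.
pin_gateway() {
  arp -s "$1" "$2"
}

# Demo on the constructed samples: the first passes, the second raises the alert.
if printf '%s\n' "$ARP_CLEAN" | check_gateway "$GW_IP" "$GW_MAC"; then :; fi
if ! printf '%s\n' "$ARP_SPOOFED" | check_gateway "$GW_IP" "$GW_MAC"; then
  echo "do not use this network until the NOC has looked at it"
fi
```

Run the check every few minutes from cron while you are on the network; a pinned entry stops the spoof from taking effect on your box, but the alert tells you that someone is trying.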

Reading mails

Webmail

Use an encrypted connection, as described above! Otherwise you'll have to get your password from a blackboard. ;-)

POP3/IMAP

Use encryption! Challenge-response logins like APOP or CRAM-MD5 only hide the password; the mails themselves still cross the wire in the clear. Use SSL/TLS and check certificate validity (see your mail retrieval agent's documentation for how to set it up): without the check, a man in the middle can present his own certificate and read everything anyway.

SSH

Use it to open a secure connection to your home PC. You can also use it to tunnel other TCP/IP connections through your home network. Be sure to know your home server's host key fingerprint and compare it when ssh asks on the first connection: an unknown-key prompt on the congress network may well be a man in the middle. Authenticating with keys instead of a password means a successful impostor still captures no reusable secret, but it does not replace checking the fingerprint.

How to tunnel?
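One way to set it up, as an added example (not from the original page): an ~/.ssh/config entry that refuses unknown host keys and defines the SOCKS proxy and port forwards mentioned above. home.example.org, mail.example.org, irc.example.org, the user name and the local ports are placeholders for your own hosts.

```text
# ~/.ssh/config (added example; hosts and ports are placeholders)
Host home
    HostName home.example.org
    User alex
    # Refuse to connect when the host key is not already in known_hosts.
    # There is then no "yes/no" prompt to wave through in a hurry; put the
    # key into known_hosts at home, before the Congress.
    StrictHostKeyChecking yes
    # SOCKS proxy for the browser (Firefox: manual proxy, SOCKS host localhost,
    # port 1080; set network.proxy.socks_remote_dns to true in about:config so
    # DNS lookups go through the tunnel as well).
    DynamicForward 1080
    # Plain TCP forwards for mail and IRC: point the clients at localhost:1143
    # and localhost:6667. Only the hop to home is encrypted by ssh; from there
    # to the mail and IRC servers the traffic is whatever the client speaks,
    # so still use IMAPS / IRC over SSL where available.
    LocalForward 1143 mail.example.org:143
    LocalForward 6667 irc.example.org:6667
```

Start the tunnel with "ssh -N home" (-N: no remote shell, just the forwards). To record the fingerprint beforehand, run "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" on the home box and write the result down; ssh prints the same fingerprint when it meets a new key.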

IRC

Everything you write is blown out onto the net unencrypted. So DON'T authenticate yourself to any bots/NickServ/ChanServ etc. at the Congress. If you need to authenticate yourself to any service, use an SSL connection to the IRC server (or tunnel IRC through SSH).

What should I do before coming to the Congress?

  • Make backups of everything, since you can never be guaranteed 100% security anywhere (short of unplugging your PC from the power outlet).
  • Choose your password carefully. Anything written in a dictionary of any kind is insecure, and so are easy combinations. You should never have the same password as your username.

Useful programs

  • Chat client: An IRC client, e.g. mIRC or X-Chat.
  • Network diagnosis: nmap
  • Ethernet configuration: dhclient / pump
  • Browser: Any decent Web browser, e.g. Firefox, Konqueror, or Galeon. Internet Explorer not recommended.
  • IPv6 support: (supported natively)
  • IPsec support: (there will be a VPN gateway)
  • WLAN drivers
  • Wi-fi tool: Wavemon
  • Sleep: Alarm clock
  • Screensaver: Any screensaver with password locking, e.g. vlock, XLock, or Xscreensaver.
  • SSL tunneling: stunnel

Useful hardware

  • Notebook
  • DECT phone. Just talk to the POC
  • Coffee cup with closeable lid (saves the keyboard and no wasted coffee)
  • Power strips (think of the others and bring more than you think you need)
  • WLAN card
  • Camera (but please respect other people's privacy!)
  • USB stick
  • $Multimediatool aka geek gadget (MP3-player, PMR, PDA, bluetooth stuff, etc.)
  • Be sure to have your laptop ready for the video projector, if you will hold a lecture
  • Please tell us beforehand if you bring BIG hardware with you
  • Bring switches (100+), cables, power sockets with you!
  • Network cables are always useful (for bonding people or stuff together, or connecting computers)
  • Project documentation
  • 80€ Entry fee
  • Scholar ID (if you want to save money)
  • Lavalamps
  • The urge for wanting to know more and more and more and.....

DO NOT

Just think of netiquette in real life. Don't be rude, stupid, selfish and whatnot. If you have any problems, contact the Infotresen, an (arch)angel, or the CERT. This is just an excerpt of stuff NOT to do:

  • ARP storms
  • POP3 / telnet without encryption
  • (Private) FTP without encryption
  • Take photos of others without their permission
  • Social hacking (don't trust anyone)
  • Private Wi-Fi access points, and NO dhcpd (a rogue DHCP server breaks the network for everyone and is a classic way to redirect traffic)
  • Ask Tim for (angel) T-shirts, it's no longer his job
  • Game servers, LAN-partying, nasty big audio equipment, big drug consumption equipment
  • Connect coffee machines anywhere other than the coffee rack
  • Stick anything to the walls
  • Nails, screws, etc. into the walls
  • Carry around a 2 tesla magnet in your pants *g* (modern computer tomographs have 2 T)
  • Order food to the BCC. See FAQ
  • Sleep in the BCC. Please get some Accommodation
  • Hack someone's Bluetooth-enabled phone. She or he could be outside in the queue...

Other Information

  • Read the FAQs, the congress reader, ask the Infotresen
  • medical help in the CERT
  • wRTFM (Write the f'ing manual)
  • Ask the (arch)angels