Saturday, 16 February 2013

Security of embedded devices - saved config

Many routers offer the ability to save a configuration file, to restore to the router later. This can serve as a backup. However, it also exposes the config of your router to anyone who might have access to your computer. There are much easier attack vectors for routers, but this is definitely one of them. I have tested with two routers, the Belkin F5D7230-4 and the Apple AirPort Extreme 802.11g.
The Belkin revealed the WPA password, network name, DHCP leases, everything really apart from the admin password to the router itself, all in cleartext. Anyone who might gain access to your computer essentially has your router's config. This is what I expect from Belkin, which don't make the best quality routers.
The AirPort offered the ability to encrypt the file; however, it wasn't selected by default, and even when I did select it, all that was encrypted was the actual password to the router and the WPA2 password. All the other info was available, and changeable. For example, if you had access, you could change values in the config file and reset the router, causing the person to re-upload their config file, which now had your setting changes in it (or alternatively, you could just use AirPort Utility as it saves your password).
The unencrypted file revealed the WiFi password but didn't reveal the base station password.
Overall, this isn't a major attack vector; however, I would encrypt these files if you can and also take care when allowing physical access to devices, as once you have physical access, you can gain access to the system.
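
As an added example (not code from the original post), here is a small Python check for the two problems described above: readable secrets in a saved backup, and edits made to the file before it is restored. The key=value layout, the key names and the sample values are assumptions constructed for illustration, not the real Belkin or AirPort format.

```python
import hashlib
import hmac
import re

# Key names that usually hold secrets in exported router configs (assumed list;
# real vendors use their own names, so extend it for your device).
SECRET_KEY = re.compile(r"(psk|passphrase|password|passwd|wpa.*key|secret)", re.I)
# Values that look hashed or encrypted rather than readable (heuristic).
OPAQUE = re.compile(r"^(\$\d\$|\{[A-Za-z0-9-]+\}|[0-9a-f]{32,}$)")


def find_cleartext_secrets(text):
    """Return (line_no, key) for key=value lines whose secret looks readable."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if sep and value and SECRET_KEY.search(key) and not OPAQUE.match(value):
            hits.append((n, key))
    return hits


def seal(config_bytes, key):
    """HMAC-SHA256 tag to store away from the backup (e.g. a password manager)."""
    return hmac.new(key, config_bytes, hashlib.sha256).hexdigest()


def is_untampered(config_bytes, key, tag):
    """True only if the backup is byte-identical to what was sealed."""
    return hmac.compare_digest(seal(config_bytes, key), tag)


# Constructed sample backup; not the real Belkin or AirPort file format.
SAMPLE = """\
ssid=HomeNet
wpa_psk=correct horse battery
admin_password=$1$abcdefgh$0123456789abcdefghijkl
dhcp_lease_1=192.168.2.10,00:11:22:33:44:55
"""

if __name__ == "__main__":
    key = b"constructed-demo-key"
    tag = seal(SAMPLE.encode(), key)
    print("cleartext secrets:", find_cleartext_secrets(SAMPLE))
    edited = SAMPLE.replace("ssid=HomeNet", "ssid=Changed")
    print("original ok:", is_untampered(SAMPLE.encode(), key, tag))
    print("edited ok:", is_untampered(edited.encode(), key, tag))
```

The tag only helps if it and the key are kept somewhere other than next to the backup file; it detects changes but does not hide the contents, so it complements encrypting the file rather than replacing it.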

Thursday, 14 February 2013

Setting up a new WiFi router: Part 2: The Initial Setup

So, in this blog post I'll be setting up the AirPort Extreme using AirPort Utility 6. As much as I dislike version 6, it is the most common version, so that is what I'll be using.
Choose "AirPort Extreme..." or "AirPort Express..." or "Time Capsule..." and this will connect your computer to the network. Then, open up AirPort Utility if it hasn't already opened.
For the first step, set a network name (SSID). This should be something easily memorable and unique. For "Base Station Name", this is the name that appears in the AirPort Utility and in the "Shared" sidebar of the Finder (and also in iTunes if you have an Express). For "password", this is the WiFi network password. Make it alphanumeric with at least one capital letter, and at least 8 characters long. This also acts as the "admin" password to access the AirPort Extreme via AirPort Utility.
Now, it's time to wait. AirPort Utility will set up the base station and save info to the station for you, as well as going to your cable or DSL modem and connecting to your ISP's network.

Tuesday, 12 February 2013

Bizarre and stupid errors

Just a compilation of bizarre and stupid errors/crashes, Windows and OS X.
I don't even know what happened here. Just booted up my G5 and there it was.

Nothing needs to be said about this one.
Taking a trip back to Mac OS 9, here we have, well, a frankly ridiculous suggestion for how to get the Memory control panel to run.
Er Logic? Logic? Hello? Anyone home? (This was actually caused by a lack of video memory. Why, I don't know).

Ah the joys of working with Access. What is an "fmain cont error" I'd like to know?

Monday, 11 February 2013

Setting up a brand new WiFi router: Part 1: The Introduction

So, in this series of posts, I will be purchasing a brand new WiFi router, reviewing it in a separate post, and showing you how to set it up. The setup will be Mac oriented; however, I'm sure it will work for both Windows PCs and Linux boxes.

The router I have selected is the TP-Link TL-WDR3500, which is a dual band Gigabit Ethernet WiFi router. It is a relatively cheap router compared to other dual band routers (update: it may also be an Apple AirPort Extreme, haven't decided yet).

The series will start with Part 2 (Unboxing and initial setup), then we'll go to Part 3 (USB sharing and advanced security), and finally Part 4 (port forwarding and other stuff). It will focus on common security mistakes made by people who have just bought a new router, and will also go into finding your way around the web interface.

Also, I will be doing some opinion coverage of MWC 2013, and at some point in the future I'll be doing a "Bizarre Errors" post and maybe a review of Everything Everywhere (EE) and their Bright Box (no, not their OM4G 4GEE, but their ISP arm, which I may be setting up for a relative).

Thursday, 31 January 2013

Apple vs. Samsung - Apple appeal denied

So, as I'm sure you already know, Apple's appeal against Samsung has been denied in the latest of twists to this piece of courtroom drama. I personally believe that the Galaxy Nexus shouldn't have been banned, but some of Apple's other cases were actually OK.
But what does it actually achieve? Nothing. Well, nothing apart from making a few lawyers very rich. This won't stop Samsung's market share increasing, nor will it stop Apple from making huge profits. It's just one way for Samsung and Apple to burn lots of cash.
Samsung and Apple should stop fighting each other in court. It does nothing for the customer, nothing for the shareholder, nothing for Tim Cook as a CEO. I'm sure Google has some sort of say in Samsung's involvement in patent trials.
Anyway, enough of the tech news reporting and back to irregular posting.

Friday, 25 January 2013

WiFi Names

It seems there are four categories of WiFi network names. Some of them, well, are just wrong (e.g. someone was prosecuted for a racist WiFi name in the US).
  1. The default names. TALKTALK-123456, linksys, NETGEAR etc. These are from people who either can't be bothered renaming or those who don't know how to. Often targeted by leechers.
  2. The funny (or not) names. Virus.exe, keylogger, Abraham Linksys, Series of Tubes, Get Off My LANd etc. These are from people with a sense of humour they need to express. I used MI6 Surveillance Van 42 for a while for my legacy G network.
  3. The references. Archangel Network, Skynet, AnswerToLife etc. These are usually from people who are fans of a particular TV show, series of novels or film. (AnswerToLife's password was, incidentally, fortytwo.)
  4. The personal names. Anything really that has a personal meaning or is an inside joke.
I've always been wary of networks named "Free Wi-Fi", as these can be hackers masquerading as Wi-Fi hotspots (yeah I know, paranoid). However, there is an increasing trend of hackers masquerading as "linksys" and "NETGEAR".

Saturday, 19 January 2013

Why OS X Server is still a decent server OS

OS X Server has been getting a lot of flak since Apple came out with Lion Server in 2011. Whilst there were some teething issues, now that we are on 10.8 most of these are gone. So, it's a good OS, right?
Not according to a lot of people. Common criticisms are:
  • "kiddy OS"
  • "terrible for the enterprise"
  • "cheap for a reason"
  • "just a pretty GUI"
To take the enterprise criticism first: I agree. It's not made for the enterprise. Apple knew that most Windows/Linux sysadmins would never consider Apple servers, and with the demise of the Xserve they've made that clear. Apple would have to be insane to sell an enterprise server OS for £13.99 (plus ML). It is made for home and small business users that don't have a dedicated sysadmin who's on call 24/7, who don't run a high traffic website, who just want it to work with their Apple products.

"kiddy OS". OK. As I've said above, it's not for running the next YouTube. It's for a simple server. It still offers Terminal, if you want to get into the Unix side of things. And for most people, setting it up is very quick and easy. Explain how this is a bad thing?

"just a pretty GUI". Again, it's simple and easy to set up. And it's based on Unix.

To sum up, it's like Windows Home Server. This never got this criticism, and OS X Server is more reliable, and cheaper, than WHS. Call me an Apple fanboy if you will (God, I hate that term) but Server isn't that bad, and it works with not just my Apple products, but also my Nexus 7, Ubuntu and Windows PCs etc.
People who dislike OS X Server are welcome to make their argument in the comments.

Sunday, 13 January 2013

FileVault - Resetting master password

This article is about resetting a FileVault password. While researching this I saw a post in Apple Support Communities:
First, turn off "FileVault" on any and all accounts created while the current "master password" has been in effect. This may take some time, and requires sufficient free space on the hard drive.

The "master password" is associated with the "FileVaultMaster.keychain" and "FileVaultMaster.cer" in the computer's main "/Library/Keychains" folder. If these files are removed, the system will think that a "master password" has not been set. It might be a good idea to keep the files backed up somewhere if you happen to have any backups of old "FileVault" sparse images somewhere, in case you need to get in to them and happen to remember the old "master password" at some point.

Anyway, after removing those files, it should be possible to set a new "master password" from the "Security" pref pane. If "FileVault" is subsequently turned on, the disk images will be created, incorporating the new "master password".

And I had to try it out myself. It worked great on OS X Leopard (maybe great isn't the word). Resetting the admin password is easy, and this is another security hole in FileVault. You can simply use the Cmd+S method:

  1. Hold down Cmd+S to go into single user mode.
  2. Type fsck -fy
  3. Type mount -uw /
  4. Type passwd <username> where username is the user you want to reset
It would seem the only real way to secure a Mac against physical access is to set an EFI or Open Firmware password.