Thursday, July 30, 2015

HOWTO : Flash CyanogenMod 12.1 ROM to OnePlus One

Hardware : OnePlus One 64GB (Black) (CyanogenMod 12, Android 5.0.2)
Desktop : Ubuntu Desktop 14.04.2 LTS
Accessories : OTG USB cable and 32GB USB thumb drive

I am running Ubuntu Desktop 14.04.2 LTS. However, the packaged android-tools-adb is too old to talk to Android 5.1, so the required files are copied to the "storage" directory of the OnePlus One over an OTG USB cable instead of with the adb command.

Step 1 :

Install Android tools :

sudo apt-get update
sudo apt-get install android-tools-adb android-tools-fastboot


Step 2 :

Enable the Developer options on the OnePlus One :

"Settings" -- "About phone"

Then tap "Build number" seven times

"Settings" -- "Developer options"

Enable Android debugging
Enable Advanced reboot
Disable Cyanogen recovery


Step 3 :

Unlock the bootloader :
*** Please note that all user data will be destroyed in this step ***

sudo adb reboot bootloader

or

Reboot to the bootloader by selecting "Bootloader" from the OnePlus One power menu (the "Advanced reboot" option enabled in Step 2)

Then,

sudo fastboot oem unlock

The OnePlus One will reboot. Because the unlock wipes user data, the settings from Step 2 are gone as well; repeat Step 2 before using adb or the "Bootloader" reboot option again.

Step 4 :

TWRP Recovery (TeamWin Recovery) for OnePlus One :

https://twrp.me/devices/oneplusone.html

Download the latest TWRP for OnePlus One :

https://dl.twrp.me/bacon/
e.g. twrp-2.8.7.0-bacon.img

Then rename it to twrp.img and keep it in the directory on the desktop from which you will run fastboot (fastboot sends the image from the computer, so it does not need to be on the phone). Compare the image's checksum against the one published on the download page before flashing a recovery image.

Flash TWRP Recovery :

Reboot to Fastboot by selecting "Bootloader" from OnePlus One

or

sudo adb reboot bootloader
sudo fastboot devices
sudo fastboot flash recovery twrp.img


* Make sure your computer has been allowed to communicate with the OnePlus One (there will be a pop-up on the phone for you to confirm).

The OnePlus One will shut down; boot it into TWRP Recovery by holding the "Volume Down" and "Power" buttons together.

Step 5 :

CyanogenMod 12.1 Nightly ROM (Android 5.1.1) for OnePlus One (There is no stable CyanogenMod 12.x ROM for OnePlus One) :

http://download.cyanogenmod.org/?device=bacon&type=nightly

Copy the CyanogenMod ROM, such as cm-12.1-20150729-NIGHTLY-bacon.zip, to the "storage" directory of the OnePlus One.

Flash CyanogenMod ROM :

Reboot into TWRP Recovery and select "Backup" to back up the stock ROM (CyanogenMod 12) of the OnePlus One first.

Select "Wipe" and wipe everything EXCEPT "System" and "Internal storage", because the CyanogenMod 12.1 ROM zip is on internal storage. This step is required; otherwise the flash fails with an "incorrect signature" error.

Select "Install", browse to "/0" and then "/storage", and select the CyanogenMod 12.1 Nightly zip file.

Step 6 :

Get Google Apps (Google Play) for Android 5.1 :

sudo apt-get update
sudo apt-get install git


git clone https://github.com/cgapps/vendor_google.git

For the OnePlus One (ARM), you need :

~/vendor_google/arm/gapp-5.1-arm-2015-07-17-13-29.zip

Copy the gapp-5.1-arm-2015-07-17-13-29.zip to "storage" directory of OnePlus One.

Boot into TWRP Recovery and select "Install" to flash the Google Apps package.

Now you can configure the OnePlus One with the CyanogenMod 12.1 ROM and download apps from Google Play.

Optional :

If you want to replace TWRP Recovery with the CyanogenMod Recovery, enable "Cyanogen recovery" under "Developer options". When the next Nightly update is available and you install it OTA, it will replace TWRP Recovery with CyanogenMod Recovery :

Enable Cyanogen recovery

You can also consider locking the bootloader again :

sudo fastboot oem lock

*** Unlocking the bootloader again later will destroy all your data ***

You can also consider turning off "Developer options" and disabling "Advanced reboot" as well as "Android debugging".

Remark

CyanogenMod stated that the recent Stagefright vulnerabilities had been fixed in the CyanogenMod 12 and 12.1 Nightlies before the time of this writing. Please refer to here.

Since any Android ROM may have vulnerabilities, it is better to buy Google's own Android devices, as they receive the latest fixes and updates first. Alternatively, you can consider flashing a ROM from a responsible third-party developer such as CyanogenMod. However, my Google Nexus 5 (5.1.1) does not have the fix OTA at the time of this writing. So sad.

UPDATE on August 06, 2015

I confirmed, using the Stagefright Detector app by Zimperium INC from Google Play, that the CyanogenMod 12.1 Nightly for OnePlus One has the Stagefright vulnerabilities fixed, while the OnePlus One v5.0.2 (Cyanogen OS version 12.0-YNG1TAS2I3) and Google Nexus 5 v5.1.1 (Build number LMY48B) are still vulnerable to the Stagefright vulnerabilities.

That's all! See you.

Friday, July 17, 2015

HOWTO : Disable TLS/SSL RC4 On Firefox

This article and its accompanying YouTube video show that the TLS/SSL RC4 cipher is now considered vulnerable. If you run a website that still offers RC4 cipher suites, please consider disabling them. If you use Firefox, you can disable RC4 on the client side as follows :

In the URL address field, enter "about:config" and then search for "rc4". Change every entry found from "true" to "false". There should be 4 entries (the four security.ssl3.*rc4* preferences).

To check your server, please click here.

To check your browser, please click here.
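
As an added example (not from the original article, its video or the RC4 NOMORE work), the following Python implements RC4 from its textbook description and measures one of the keystream biases that make it unsafe: the second keystream byte is zero about twice as often as a uniform byte would be (the Mantin-Shamir bias). The key length and number of trials are arbitrary choices for the demonstration. Attacks such as RC4 NOMORE combine biases of this kind over many encryptions of the same secret (for example a session cookie) to recover it, which is why disabling RC4 on both server and client matters.

```python
# Added example (not from the original post): a textbook RC4 plus a
# measurement of the Mantin-Shamir bias, one of the keystream biases that
# attacks such as RC4 NOMORE exploit to recover plaintext from many
# encryptions under different keys.
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 for the given key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) by XOR with the keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def zero_byte_rates(trials: int = 20000, key_len: int = 16, seed: int = 1) -> dict:
    """Fraction of random keys whose 2nd keystream byte is 0, and the same for
    the 17th byte as a control. A uniform byte would give 1/256 ~= 0.0039.
    The key length and seed are arbitrary choices for this demonstration."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    zeros_at_1 = zeros_at_16 = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key, 17)
        if ks[1] == 0:
            zeros_at_1 += 1
        if ks[16] == 0:
            zeros_at_16 += 1
    return {
        "second_byte_zero": zeros_at_1 / trials,
        "control_byte_zero": zeros_at_16 / trials,
        "uniform": 1 / 256,
    }


if __name__ == "__main__":
    rates = zero_byte_rates()
    print(f"P[Z2 == 0]  = {rates['second_byte_zero']:.5f}  (uniform would be {rates['uniform']:.5f})")
    print(f"P[Z17 == 0] = {rates['control_byte_zero']:.5f}  (control position)")
```

The second-byte rate comes out near 2/256 while the control position stays near 1/256; a cipher whose keystream leaks this much per encryption cannot be rescued by key size, which is why the fix is to remove the RC4 suites rather than to tune them.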

That's all! See you.

REFERENCE

RC4 NOMORE

Tuesday, July 14, 2015

HOWTO : Play Youtube With HTML5 Instead of Flash

Recently, Hacking Team (a company that sells intrusion and surveillance tools to governments for monitoring and hacking their citizens) was itself hacked, and some (at least 3 at the time of this writing) Flash Player 0-day exploits from the leak were disclosed. Flash is now considered vulnerable on all systems, as there is no fix at the moment.

Firefox has blocked Flash from playing unless you explicitly enable it. How do you watch YouTube videos then? I suggest installing the "Youtube Flash-HTML5" add-on if you are using Firefox. You can switch between Flash and HTML5 at any time.

That's all! See you.

UPDATE

According to Google Project Zero, Flash v18.0.0.209 is also vulnerable.

Monday, July 13, 2015

HOWTO : Performance Test on Croissants

Croissants is an Intrusion Detection and Prevention System; in this test it runs with AF_PACKET in inline mode.

Hardware

Croissants :

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600

The performance of the C2750 is similar to a Xeon E3-1220L. Please refer to the comparison page here.

Laptop(A) :

Model : Lenovo Thinkpad X200
RAM : 4 GB

Laptop(B) :

Model : Lenovo Thinkpad X201s
RAM : 8 GB

Software

Croissants

Croissants is installed with nsm_install_4core_16ram (version 0.1.5 dated July 13, 2015).

sudo apt-get update
sudo apt-get install glances


Laptop(A) and Laptop(B)

sudo apt-get update
sudo apt-get install iperf


Connection

Laptop(A) --- Croissants --- Laptop(B)

Laptop(A) is set to the IP address 111.111.111.111 and acts as the iperf server.

Laptop(B) is set to the IP address 111.111.111.112 and acts as the iperf client.

(These are public addresses; they are only acceptable because the two laptops sit on an isolated test link. Use RFC 1918 private addresses if the laptops are also connected to a real network.)

Make sure Laptop(A) and Laptop(B) can ping each other.

Performance Test

Croissants

glances

Laptop(A)

sudo iperf -s -p 80

Laptop(B)

sudo iperf -c 111.111.111.111 -p 80 -P 50

Result

Croissants - about 920 Mbps
Laptop(B) - about 820 Mbps

That's all! See you.

Thursday, July 02, 2015

HOWTO : Protect My Home Network With Croissants 2



What is Croissants?

Croissants is an Intrusion Detection and Prevention System built around Suricata. Its other components are Snorby (event manager and web interface), Pigsty (event spooler) and Pulledpork (rules manager).

Suricata is a high-performance network IDS, IPS and network security monitoring engine. Croissants runs Suricata on AF_PACKET, and its throughput can reach up to 10 Gbps of traffic. AF_PACKET is a packet-capture interface of the Linux kernel (available in the form used here since kernel version 3.6) and is almost plug and play.

Croissants on AF_PACKET can run on a very low-power x86 computer, such as the Intel Avoton C2750 octa-core CPU with 8GB RAM or more; this CPU has a TDP of only 20 W. I recommend at least 8GB RAM for home security purposes. More memory and a faster Intel CPU with more cores are suggested for a home office or a larger business.

What Is My Home Network Looks Like?

I have a 10Mbps internet connection. I do not use a modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware). I have two home switches (TP-LINK TL-SG1008D; in general it behaves more like a hub than a switch).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Mac machines, as well as a Time Capsule. I connect these boxes to the home switches. I disabled the wireless function on my home router and use the Time Capsule as the wireless router and as Time Machine for the Mac machines.

I run two IPS boxes on my home network. One IPS is connected between the ISP and the home router; the other is connected between the home router and the home switches. Therefore I can monitor the traffic both outside and inside my home network. I do not trust the internet or the intranet at all.

What Is The Hardware?

I use the Asrock Rack C2750D4I motherboard with one additional Intel Gigabit Desktop LAN card for each IPS.

Since the Asrock Rack C2750D4I motherboard comes with 2 network interfaces (used as the inline pair), I need one more Intel Gigabit Desktop network interface on each box as the management ("monitor") interface.

I installed 32GB RAM and a 320GB hard drive in each IPS box.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

How About The Installation?

I selected Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. Since the onboard network interfaces of the Asrock Rack C2750D4I are Intel i210, Ubuntu 14.04 names them p119p1 and p121p1, while the Intel Gigabit Desktop network interface is eth0.

Install Ubuntu Server on the Asrock Rack C2750D4I as usual. Make sure you connect the network cable to only one of the network interfaces. I recommend installing OpenSSH when asked. Update and/or upgrade the Ubuntu Server when necessary.

Download Croissants from here. The current version at the time of this writing is version 0.1.2 dated July 01, 2015.

Please follow the instructions on the official site to install. Configure nsm.conf. Make sure to remember the MySQL password, as it will be asked for during the installation. The username and password of the control panel (Snorby) will also be configured. At the end of the installation you will be asked for the time zone; please select UTC. By the way, you may notice some error warnings on the screen during the installation; you can ignore them.

After the installation is completed, plug in the other network cables and then reboot the box. One more important thing: configure your router to give the management interfaces (the Intel Gigabit Desktop network interfaces) either DHCP or static IP addresses. If you use DHCP, make sure the leases are reserved for them. p119p1 and p121p1 (the inline pair) do not have any IP address.

If everything is correct, you can reach the management interface with your browser, for example http://192.168.20.180. Enter your pre-set username and password to log in. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password at "Current password (we need your current password to confirm your changes)" and then update the settings.

At this moment, your two boxes are in IDS mode. How to switch them to IPS mode is described below.

If the names of the Intel Gigabit Desktop network interfaces change unexpectedly, you can rename them back to eth0 by editing the udev persistent net rules :

sudo nano /etc/udev/rules.d/70-persistent-net.rules

How To Configure To IPS?

Log in to the two boxes via ssh or a terminal. Then edit the following file to configure the DROP rules.

sudo nano /etc/pulledpork/dropsid.conf

I suggest appending the following lines at the end of the file. They will block most unwanted traffic.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937
# SURICATA HTTP Host header ambiguous
1:2221015
# ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
1:2016149


*** Please remember that the drop settings above may enable some rules that were already disabled. If you encounter any false positive alerts, you can disable the offending rule(s) as follows.

sudo nano /etc/pulledpork/disablesid.conf

Append lines like the following at the end of the file, for example.

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526



After that, you can reload the rules by the following command.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update
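
Before reloading rules on a live inline IPS it helps to know exactly which SIDs a "pcre:" line will flip to drop, since the comment above notes that a drop entry can also re-enable a rule that was commented out. The following Python is an added example and is not Croissants' or PulledPork's own code: it is a simplified model of how dropsid.conf and disablesid.conf entries select rules, handling the entry forms used in the files above (gid:sid, comma-separated lists, gid:sid-gid:sid ranges and pcre:regex). The rule file and both config snippets in it are constructed for the demo, with made-up 9000xxx SIDs, and the precedence (drop applied first, disable applied last so that it wins) is an assumption of this model.

```python
# Added example (not Croissants' or PulledPork's own code): a simplified
# model of how dropsid.conf / disablesid.conf entries select rules, to
# preview which SIDs change before reloading rules on an inline IPS.
# Rules and configs below are constructed for the demo; the precedence
# (drop first, disable last) is an assumption of this model.
import re

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_sid_conf(text):
    """Parse gid:sid, comma-separated lists, gid:sid-gid:sid ranges and pcre: lines.
    Returns (set of (gid, sid) pairs, list of compiled regexes)."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry
        if line.startswith("pcre:"):
            patterns.append(re.compile(line[len("pcre:"):]))
            continue
        for item in line.split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = item.split("-", 1)
                gid, start = (int(x) for x in lo.split(":"))
                _, end = (int(x) for x in hi.split(":"))
                ids.update((gid, sid) for sid in range(start, end + 1))
            elif item:
                gid, sid = (int(x) for x in item.split(":"))
                ids.add((gid, sid))
    return ids, patterns


def apply_sid_configs(rules_text, dropsid_text, disablesid_text):
    """Return {(gid, sid): (action, enabled)} after applying both configs."""
    drop_ids, drop_pats = parse_sid_conf(dropsid_text)
    dis_ids, dis_pats = parse_sid_conf(disablesid_text)
    result = {}
    for raw in rules_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank or comment-only line, not a rule
        rest = m.group("rest")
        sid_m = SID_RE.search(rest)
        if not sid_m:
            continue
        gid_m = GID_RE.search(rest)
        key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
        action, enabled = m.group("action"), m.group("off") is None
        body = f"{action} {rest}"  # pcre entries match against the rule text
        if key in drop_ids or any(p.search(body) for p in drop_pats):
            # a drop match also re-enables a commented-out rule, the side
            # effect the post warns about
            action, enabled = "drop", True
        if key in dis_ids or any(p.search(body) for p in dis_pats):
            enabled = False  # disablesid is applied last in this model
        result[key] = (action, enabled)
    return result


# Constructed rule set and config snippets (SIDs 9000xxx are made up).
SAMPLE_RULES = r"""
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Constructed checkin"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Constructed ssh sweep"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET INFO Constructed info only"; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"SURICATA STREAM Constructed out of window"; gid:1; sid:9000004; rev:1;)
alert ip any any -> any any (msg:"ET POLICY Constructed range member"; sid:9000010; rev:1;)
"""
SAMPLE_DROPSID = r"""
# same entry forms as the dropsid.conf above
1:9000004
pcre:ET\sMALWARE
pcre:ET\sSCAN
1:9000010-1:9000012
"""
SAMPLE_DISABLESID = r"""
# false positive seen while downloading
1:9000004
"""


def demo():
    return apply_sid_configs(SAMPLE_RULES, SAMPLE_DROPSID, SAMPLE_DISABLESID)


if __name__ == "__main__":
    for (gid, sid), (action, enabled) in sorted(demo().items()):
        print(f"{gid}:{sid}  {action:6s} {'enabled' if enabled else 'disabled'}")
```

Point it at the real files (read /etc/pulledpork/dropsid.conf, disablesid.conf and the rules file into the three arguments) to list every rule that would become a drop, and in particular the commented-out rules a broad pattern such as pcre:ET\sSCAN would silently switch on.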

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. However, this only deletes the events stored in Snorby and leaves all other settings untouched.

sudo nsm_snorby_db_reinstall

In addition, I also suggest installing an anti-virus program on your Windows boxes to play safe. Meanwhile, you can classify the traffic in Snorby too.

One last thing: it is recommended to set up QoS on your router. Otherwise, the bandwidth may be consumed by a single connection.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS so that it runs more smoothly.

To harden the IDS/IPS further, you can append the following line to "/etc/fstab".

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before rebooting. If you encounter any error, do not reboot your boxes, or they may not boot up.

sudo mount -a
sudo mount -o remount /
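
The check a practitioner wants before that reboot is that the /tmp line really took effect. The following Python is an added example (not part of the post or of Croissants): it reads /proc/mounts-style text and confirms that /tmp is a separate tmpfs carrying nosuid, nodev and noexec. The two sample mount tables in it are constructed.

```python
# Added example (not from the post or Croissants): verify, from
# /proc/mounts-style text, that /tmp is a separate tmpfs mounted with
# nosuid, nodev and noexec, after `mount -a` and before rebooting.
# The sample mount tables below are constructed.
REQUIRED_OPTIONS = {"nosuid", "nodev", "noexec"}


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal escapes."""
    return (field.replace("\\040", " ").replace("\\011", "\t")
                 .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mounts(text: str) -> dict:
    """Map mount point -> (fstype, set of options) from /proc/mounts or fstab-like text."""
    mounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # not a mount line
        _dev, mnt, fstype, opts = fields[:4]
        mounts[_unescape(mnt)] = (fstype, set(opts.split(",")))
    return mounts


def check_tmp(mounts_text: str, mountpoint: str = "/tmp") -> list:
    """Return a list of problems; an empty list means the hardening is in effect."""
    mounts = parse_mounts(mounts_text)
    if mountpoint not in mounts:
        return [f"{mountpoint} is not a separate mount (still on the root filesystem)"]
    fstype, opts = mounts[mountpoint]
    problems = []
    if fstype != "tmpfs":
        problems.append(f"{mountpoint} is {fstype}, not tmpfs")
    missing = sorted(REQUIRED_OPTIONS - opts)
    if missing:
        problems.append(f"{mountpoint} is missing options: {','.join(missing)}")
    return problems


# Constructed samples: before the fstab line is mounted, and after `mount -a`.
BEFORE = """rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
"""
AFTER = BEFORE + "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,mode=1777 0 0\n"


if __name__ == "__main__":
    import sys
    # With no argument check the live system; a file path checks a saved copy.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/mounts"
    with open(path) as fh:
        problems = check_tmp(fh.read())
    print("OK: /tmp is a hardened tmpfs" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it on the box right after `sudo mount -a`; a non-zero exit means the line has not taken effect and the box should not be rebooted yet. Keep in mind that noexec on /tmp will break any installer or script that executes helpers out of /tmp, so test a package install on the IPS after the change.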


Hope you enjoy your secured home network.

That's all! See you.