HTTPS

Over 50% of web traffic now uses encrypted HTTPS connections to web servers. https://www.ssllabs.com can help you protect your own site and configure your web server so that it achieves a high security rating.

Half in jest: what astonished me was the score of some institutions in the .gov domain ….

Traceroute Through the Cisco ASA

Source: http://www.packetu.com/

The Cisco ASA has some interesting characteristics when dealing with traceroute.  For most traffic, including ICMP echo, outbound traffic can be inspected so that the incoming traffic belonging to the same flow is allowed back in.  Inspecting ICMP, or even ICMP error, does not by itself make traceroute work through the ASA.

The first thing we need to look at is how traceroute works.  Traceroute uses two different probe types and relies on two ICMP messages.  Windows tracert sends ICMP echo requests with incrementing TTLs to elicit an ICMP TTL-exceeded message from each hop along the way.  Linux and Cisco IOS send UDP datagrams to a high, pseudorandom destination port, again with incrementing TTLs; the intermediate hops still answer with ICMP TTL-exceeded, and the destination host, which has nothing listening on that port, answers with an "ICMP unreachable port-unreachable" message.  That final message is how the UDP variant knows it has reached the target.

To understand how traceroute works, it is important to understand the function of the TTL field in the IP packet header.  This field is an 8-bit value that lets routers keep packets from looping forever as a result of network configuration issues.  Each router along the way decreases the value by 1.  Normal traffic may start out with a TTL of 64, 128, 255 or any other non-zero value; as it traverses a router, the TTL in the IP header is reduced by one.

When a router decreases the value to zero, it drops the packet and responds with an "ICMP TTL exceeded" (type 11, code 0) message, regardless of whether the dropped packet carried ICMP, TCP or UDP.  The "ICMP Unreachable Port-Unreachable" message (type 3, code 3) comes instead from the destination host, when a UDP probe finally arrives with a TTL high enough to reach it and lands on a closed port.  It is worth noting that a device can usually be configured not to respond at all.

Traceroute takes advantage of this behavior and generates a series of packets.  The first packet(s) have a TTL of one and are dropped by the first router; the next have a TTL of two and are dropped by the second router, and so on.  The source addresses of the replies are used to build a map of the path.  If a device is configured not to respond, traceroute still indicates that a hop is present (the timed-out line), but its IP address is not identified.
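The mechanics above, as an added example that is not part of the original article: it builds the two probe types (UDP to a high port, ICMP echo), the ICMP errors a hop or the destination sends back, and the matching a traceroute client does by reading the quoted copy of its own probe out of the error, which is what tells it which TTL, and therefore which hop, a reply belongs to.  The addresses are RFC 5737 documentation ranges chosen for the example; nothing is sent on the wire.

```python
"""Added example (not from the original article): the packets behind traceroute.

Builds traceroute probes, the ICMP errors returned for them, and the matching a
client performs. Addresses are constructed RFC 5737 documentation addresses.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_ECHO, ICMP_UNREACH, ICMP_TIME_EXCEEDED = 8, 3, 11   # ASA ACL keywords: unreachable, time-exceeded
CODE_PORT_UNREACH, CODE_TTL_EXPIRED = 3, 0


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, ttl, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src, dst, ttl, sport, dport):
    """Linux/IOS-style probe: empty UDP datagram to a (normally closed) high port."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)        # UDP checksum 0 = not computed
    return ipv4_header(src, dst, ttl, IPPROTO_UDP, len(udp)) + udp


def echo_probe(src, dst, ttl, ident, seq):
    """Windows tracert-style probe: ICMP echo request with the chosen TTL."""
    body = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(src, dst, ttl, IPPROTO_ICMP, len(icmp)) + icmp


def icmp_error(sender, victim, itype, code, offending):
    """ICMP error as a hop emits it: 8-byte header, then the offending IP header + 8 bytes."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + offending[:28]
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(sender, victim, 64, IPPROTO_ICMP, len(icmp)) + icmp


def probe_key(ip_packet):
    """Identity of a probe from its IP header + first 8 payload bytes (all a hop quotes back)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    l4 = ip_packet[ihl:ihl + 8]
    if ip_packet[9] == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("udp", sport, dport)
    if ip_packet[9] == IPPROTO_ICMP and l4[0] == ICMP_ECHO:
        ident, seq = struct.unpack("!HH", l4[4:8])
        return ("icmp", ident, seq)
    return None


def classify_reply(packet, outstanding):
    """Attribute an incoming ICMP error to one of our probes.

    outstanding maps probe_key(probe) -> the TTL that probe was sent with.
    Returns (ttl, replying_ip, kind), kind being "hop" (TTL expired at a router)
    or "destination" (port unreachable from the target), or None if the packet
    does not answer one of our probes.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8 + 28:
        return None
    replying_ip = socket.inet_ntoa(packet[12:16])       # source of the error = the hop
    icmp = packet[ihl:]
    kinds = {(ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED): "hop",
             (ICMP_UNREACH, CODE_PORT_UNREACH): "destination"}
    kind = kinds.get((icmp[0], icmp[1]))
    if kind is None:
        return None
    ttl = outstanding.get(probe_key(icmp[8:]))          # quoted copy of our own probe
    return None if ttl is None else (ttl, replying_ip, kind)


def trace_demo():
    """Two routers and a target reached at TTL 3; returns [(ttl, ip, kind), ...]."""
    client, target = "192.0.2.10", "198.51.100.7"
    routers = {1: "203.0.113.1", 2: "203.0.113.2"}
    probes = {ttl: udp_probe(client, target, ttl, 40000, 33433 + ttl) for ttl in (1, 2, 3)}
    outstanding = {probe_key(p): ttl for ttl, p in probes.items()}
    wire = [icmp_error(routers[1], client, ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED, probes[1]),
            icmp_error(routers[2], client, ICMP_TIME_EXCEEDED, CODE_TTL_EXPIRED, probes[2]),
            icmp_error(target, client, ICMP_UNREACH, CODE_PORT_UNREACH, probes[3]),
            echo_probe("203.0.113.9", client, 64, 7, 1)]     # unrelated ping, must be ignored
    return [r for r in (classify_reply(pkt, outstanding) for pkt in wire) if r]


if __name__ == "__main__":
    for ttl, ip, kind in trace_demo():
        print(f"{ttl:2d}  {ip:15s}  {kind}")
```

The two (type, code) pairs the client accepts are exactly the two ACL entries added later in this article: time-exceeded (type 11) and unreachable (type 3).  Anything that lets only one of them back in produces a trace that is missing either its intermediate hops or its last line.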

With our default ASA configuration, let’s see if traceroute will work.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com

Tracing route to google.navigation.opendns.com [208.69.36.231]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14    16 ms    24 ms     7 ms  208.69.36.231

Trace complete.

As we can see, there is no intermediary information, so we are not receiving the TTL-exceeded messages from the routers in the path.  The ASA requires specific configuration to permit that traffic.  The first step is to permit the TTL-exceeded and port-unreachable messages back into the network, which is done with an ACL bound to the outside interface.  The entries below permit those two ICMP types from any source to any destination; on a production firewall, tighten the destination to your own translated address range, and use the ASA's packet-tracer command to confirm the ACL verdict before testing from a client.

ASA Config

//create an ACL that permits the incoming ICMP
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable

//bind the ACL to the outside interface
access-group outside_access_in in interface outside

Now let’s test traceroute again.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com
Tracing route to google.navigation.opendns.com [208.69.36.230]
over a maximum of 30 hops:

  1     3 ms     3 ms     4 ms  71.30.192.1 <— Not My ASA
  2     3 ms     6 ms     3 ms  151.213.31.168
  3     4 ms     3 ms     4 ms  75.90.222.23
  4     4 ms     4 ms    15 ms  75.90.222.25
  5     6 ms     6 ms     5 ms  151.213.254.36
  6     7 ms    10 ms     7 ms  12.118.104.17
  7     7 ms     7 ms     5 ms  12.122.132.98
  8    36 ms     8 ms    28 ms  12.123.7.250
  9    10 ms     6 ms     6 ms  12.122.132.17
 10    26 ms    10 ms    14 ms  192.205.33.194
 11    27 ms    18 ms    12 ms  154.54.3.242
 12    26 ms    14 ms    11 ms  38.112.35.122
 13     8 ms     9 ms     6 ms  38.104.102.62
 14     7 ms     7 ms     6 ms  208.69.36.230

Trace complete.

Now that looks much better.  However, I can see that my ASA is not listed in the path, which is strange.  Upon investigation, I determine that the ASA itself does not decrement the TTL as it passes traffic.  Firewalls often play by slightly different rules than routers, and this is one of those exceptions.  We can change this behavior with the set connection option in the Modular Policy Framework (MPF).  Keep in mind that doing so deliberately makes the firewall visible as a hop to anyone tracing through it, from either side.

ASA Config

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# set connection decrement-ttl

Now, let’s test traceroute again.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com

Tracing route to google.navigation.opendns.com [208.69.36.231]
over a maximum of 30 hops:

  1     1 ms     *        1 ms  75.117.163.238 <— My ASA
  2     3 ms     3 ms     4 ms  71.30.192.1
  3     8 ms     3 ms     3 ms  151.213.31.170
  4    47 ms    31 ms     4 ms  75.90.222.23
  5    94 ms     4 ms     8 ms  75.90.222.25
  6     5 ms     4 ms     6 ms  151.213.254.36
  7    18 ms     5 ms     6 ms  12.118.104.17
  8     9 ms     6 ms     5 ms  12.122.133.98
  9     7 ms     7 ms     8 ms  12.123.7.110
 10     7 ms     6 ms    32 ms  12.122.133.13
 11    11 ms    11 ms    22 ms  192.205.33.194
 12    59 ms    48 ms    36 ms  154.54.3.234
 13    15 ms    12 ms    13 ms  38.112.35.122
 14    13 ms     5 ms    17 ms  38.104.102.62
 15     8 ms     6 ms     5 ms  208.69.36.231

Trace complete.

We can now see an extra hop (75.117.163.238 is an address on my ASA), but some statistics are missing (see the *).  This is because the ASA does not respond to every traceroute probe: the ICMP unreachable messages it generates are rate-limited, and the default allows only one message per second.  We can adjust this as well.

ASA Config

ciscoasa(config)# icmp unreachable rate-limit 10 burst-size 5

Now let’s test this one more time.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com

Tracing route to google.navigation.opendns.com [208.69.36.230]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  75.117.163.238 <— My ASA
  2     6 ms     5 ms     4 ms  75.117.160.1
  3     5 ms     5 ms     4 ms  151.213.31.168
  4     5 ms     4 ms     6 ms  75.90.222.23
  5     9 ms     7 ms     7 ms  75.90.222.25
  6     6 ms     5 ms     8 ms  151.213.254.36
  7    10 ms     8 ms    14 ms  12.118.104.17
  8    19 ms     9 ms     8 ms  12.122.133.98
  9    12 ms     7 ms    30 ms  12.123.7.110
 10     8 ms    10 ms    29 ms  12.122.133.9
 11    38 ms    47 ms    14 ms  192.205.33.194
 12    12 ms    48 ms    32 ms  154.54.3.246
 13    15 ms    42 ms    14 ms  38.20.40.174
 14     8 ms     7 ms    26 ms  38.104.102.62
 15     9 ms     8 ms    11 ms  208.69.36.230

Trace complete.

Now we can see solid statistics on the first hop.  Now our ASA is working correctly with traceroute traffic.  I want to show one more example of a way to break traceroute.

Let’s set the IP Audit Attack policy on the outside interface.

ASA Config

ciscoasa(config)#ip audit name myattack attack action alarm drop
ciscoasa(config)#ip audit interface outside myattack

Now we can run our test again.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com

Tracing route to google.navigation.opendns.com [208.69.36.231]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    19 ms    19 ms     4 ms  75.117.160.1
 ^C

We can see the issue has resurfaced.  If logging is enabled, we can see that the IDS engine is detecting this as a "land" attack.  The reply the ASA generates for the expired probe carries the firewall's own outside address as both source and destination (consistent with the inside client being translated to that address), and a packet whose source equals its destination is precisely the pattern signature 1102 matches.

ciscoasa(config)# show log | inc IDS
%ASA-4-400008: IDS:1102 IP land attack from 75.117.163.238 to 75.117.163.238 on
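A triage helper for those IDS messages, added here and not part of the original article: it parses the ASA ip audit syslog format (%ASA-4-4000nn: IDS:<sig> <name> from <src> to <dst> on interface <ifc>) and separates a 1102 alert whose source and destination are both the firewall's own address (the self-generated reply seen above) from a 1102 alert between any other identical pair, which is a genuine land attempt worth keeping.  The log lines inside are constructed for this example with documentation-range addresses, and the set of firewall addresses is supplied by the caller.

```python
"""Added example (not from the original article): triage of ASA ip-audit syslog lines."""
import re
from collections import Counter

# Message format of the 4000nn IDS family. The sample lines are constructed for this
# example and use RFC 5737 documentation addresses.
IDS_LINE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>4000\d\d): IDS:(?P<sig>\d+) (?P<name>.+?) "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)
SIG_LAND = 1102   # "IP land attack": source address equals destination address

SAMPLE_LOG = [
    "%ASA-4-400008: IDS:1102 IP land attack from 198.51.100.2 to 198.51.100.2 on interface outside",
    "%ASA-4-400008: IDS:1102 IP land attack from 203.0.113.77 to 203.0.113.77 on interface outside",
    "%ASA-4-400014: IDS:2004 ICMP echo request from 203.0.113.5 to 198.51.100.2 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/4321 "
    "(203.0.113.5/4321) to inside:192.0.2.10/443 (198.51.100.2/443)",
]


def parse_ids(line):
    """Fields of one ip-audit syslog line, or None for any other message."""
    m = IDS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sig"] = int(rec["sig"])
    rec["sev"] = int(rec["sev"])
    return rec


def classify(rec, own_addresses):
    """Verdict for one IDS record.

    A land alert whose source and destination are the same address AND that
    address belongs to the firewall itself is the ASA's own TTL-exceeded reply
    tripping signature 1102; the same pattern from any other address is a
    genuine land attempt. Other signatures are passed through as alerts.
    """
    if rec["sig"] != SIG_LAND:
        return "ids-alert"
    if rec["src"] != rec["dst"]:
        return "malformed-land-alert"      # 1102 without its defining pattern; worth a look
    if rec["src"] in own_addresses:
        return "self-generated-reply"
    return "land-attack"


def triage(lines, own_addresses):
    """[(verdict, src, dst, sig), ...] for the IDS lines in a syslog extract."""
    out = []
    for line in lines:
        rec = parse_ids(line)
        if rec:
            out.append((classify(rec, own_addresses), rec["src"], rec["dst"], rec["sig"]))
    return out


def summarize(lines, own_addresses):
    """Verdict counts, e.g. for a dashboard or a daily report."""
    return Counter(verdict for verdict, *_ in triage(lines, own_addresses))


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, {"198.51.100.2"}):
        print(*row)
```

Disabling signature 1102 outright, as the article does, also silences the genuine case; filtering the alert on the firewall's own addresses at the collector keeps the detection for everything else.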

Let’s disable just this one signature.

ASA Config

ciscoasa(config)# ip audit signature 1102 disable

Now we can retest this once again.

Windows PC

C:\Documents and Settings\paul>tracert -d www.google.com

Tracing route to google.navigation.opendns.com [208.69.36.230]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  75.117.163.238
  2    11 ms     8 ms     4 ms  75.117.160.1
  3     9 ms    13 ms    11 ms  151.213.31.168
  4     7 ms     8 ms    10 ms  75.90.222.23 
 ^C

Now you can see that we have a working traceroute configuration on our ASA.  So if I were to receive a lab question that says to make sure traceroute works through my ASA, that question can mean several things.  If I get such a question on the lab and it is vague, I will verify with the proctor exactly what a successful traceroute means.  I will also keep in mind that if I enable IDS on the ASA, I should re-check traceroute to verify it still works.

6 links that show you what Google knows about you

Six links that show some of the data Google holds about every user.

1. See what Google thinks about you

To show relevant ads, Google collects data about you and builds a profile. You can review and edit the information Google has about you here:
http://www.google.com/settings/ads/

Google has a tool known as Google Analytics, which helps publishers see which pages you viewed on their site, how many times you visited, how long you stayed and so on. You can opt out if you do not want such data collected about you:

http://tools.google.com/dlpage/gaoptout

2. See your location history

If you use Android, your mobile device may send your location to Google. You can see the entire history of the places you have visited here:

https://maps.google.com/locationhistory

3. See your entire search history

Google keeps every single search you have made, and also records every ad you have clicked on. The list is available in your account settings:

https://www.google.com/history/

4. How to get a monthly security and privacy report

Google offers an account activity page that lists all the Google services you use. You can receive a monthly report sent to your e-mail:

https://www.google.com/settings/dashboard

5. Find out which apps and extensions have access to your Google data

Your account's permissions page lists all applications that have some kind of access to your data. You can see exactly which permissions were granted to each application and revoke its access here:

https://security.google.com/settings/security/permissions

6. Download all your data

Google lets you export all your data: bookmarks, contacts, files, profile information, YouTube videos, photos and more:

https://www.google.com/takeout

Bonus:

Google also keeps your YouTube search history. You can find it here:

https://www.youtube.com/feed/history/search_history

Source: cloudfender.com

A "backdoor" in Linksys and NetGear devices

Source: http://www.opennet.ru/

Eloi Vanderbeken has reported a backdoor that gives full control of the devices over their WAN interface. The affected devices are the Linksys WAG200G, Linksys WAG320N and Netgear DM111Pv2 wireless routers. The researcher noticed an open TCP port, 32764, that accepted connections from outside even when the device was configured not to expose its administrative interface on the WAN. Connecting to the port normally shows an unreadable binary sequence.

Reverse engineering the firmware showed that a management protocol is implemented on this port which allows reading NVRAM, viewing and changing settings, running commands and writing files to the temporary directory. A demonstration script has been published that opens the administrative web interface on the WAN and shows the current administrator password.

Besides the devices listed above, the backdoor may also exist in the NetGear DG934, Netgear DG834, Netgear WPNT834, Netgear WG602, WGR614, DGN2000, Linksys WAG120N, WAG160N and WRVS4400N models, but this has not yet been confirmed! Until it is, treat any of these models that accepts a connection on TCP port 32764 from the WAN side as affected.

QuickLock Is The Quickest & Most Convenient Way To Lock Your Mac

QuickLock is a terrific little tool from ThinkDev that makes it quick and convenient to lock your Mac when you leave your desk. It sits in your menubar out of your way, and a click (or a keyboard shortcut) is all it takes to keep your Mac safe.

With the latest version of QuickLock, users can enjoy a brand new interface and a number of new features. Best of all, it’s completely free.

QuickLock is a must-have if you use your Mac in an office, a classroom, a library, or another public place where you might leave it unattended for a while. You probably already use a password to ensure no one can gain access to your computer while you’re away from it, and the quickest and easiest way to activate that password and lock your Mac is with QuickLock.

“QuickLock is the absolute best way to lock your Mac,” ThinkDev says. “Unlike OSX’s hot corners, QuickLock works with a simple keyboard shortcut or menubar click, and never gets in the way of your workflow.”

And here’s what’s new in its latest update:

– Completely redesigned user interface
– Revamped user experience
– New icon
– Great new animations for locking/unlocking
– An awesome screen bounce or lock animation when typing
– Upgraded security features
– New display features
– Major bug fixes and improvements

Because QuickLock’s new features are currently in beta testing, you can get a copy of the app and try them out completely free. Just visit the QuickLock website and download it to get started.

ThinkDev has another awesome app called QuickRes, which has been developed to make it super simple to switch between display resolutions on a Retina MacBook Pro. Like QuickLock, it sits in your menubar.

QuickRes is the best way to switch between screen resolutions on your Mac. With the MacBook Pro with Retina Display, you can set your resolution all the way up to an extreme 3840 x 2400! With other Macs, you can set your resolutions to things you’ve never seen before, including a HiDPI mode, which is as close as you can get to a Retina Display on a standard display.

A free version of QuickRes can be downloaded from the Mac App Store, but due to Apple’s restrictions, it only allows you to switch to one resolution — and you have to go into System Preferences to switch back. The paid version, however, lets you switch between resolutions as much as you like.

It’s just $1.99, but Cult of Mac readers can get 50% off for a limited time.


Apple’s iOS Devices Receive Pentagon Approval

Apple’s iOS devices have today been cleared for use on United States military networks by the Defense Department, Bloomberg reports. The move comes after Samsung’s new Galaxy S4 and the latest devices from BlackBerry gained government clearance earlier this month.

The Defense Department said in a statement today that it has approved iOS devices — including the iPhone and the iPad — running Apple’s latest iOS 6 operating system. These will join the 41,000 Apple products already in use by the Defense Department.

The Pentagon has traditionally relied on BlackBerry devices, which are famous for their security, and it has more than 470,000 of them in its network. But BlackBerry’s latest smartphones will now face competition from the Galaxy S4 and the iPhone when it comes to government use.

The military wants its employees to have the freedom to use commercial products on its networks, and it even plans to create its own mobile app store by hiring contractors to build a system capable of handling as many as 8 million devices.

Source: Bloomberg


A Harry Potter Spell Can Be Used To Hack Your Mac!

Inside every Mac — the one I’m writing this on, the one you’re reading this on, the one next to you at the cafe — is a little chip called the SMC, or system management controller. If you’ve ever had a problem related to your Mac’s performance or power supply, resetting the SMC is usually the first thing people suggest.

For most of us, the ‘security’ of our SMC is nothing to lose sleep over. While your SMC can be hacked, it’s a Mission Impossible style process that is only really likely to occur if you’re so important that the techno-elite of another country’s government decides they want to know what’s on your laptop.

Here’s where it gets funny, though. Let’s say China did want to hack your Mac’s SMC… how might they start? By entering the name of a Harry Potter spell!

According to a fascinating write-up by Dan Goodin over at Ars Technica, every Mac’s SMC has secret settings that can be accessed by entering the word “SpecialisRevelio.”

If you’ve read the Harry Potter novels by J.K. Rowling, those words might seem familiar: it’s the name of a spell that reveals hidden charms and hexes.

It’s nothing for you to worry about. Any Harry Potter style attacker would have to have physical access to your Mac, and an incredible degree of sophisticated computer knowledge to compromise your machine through your SMC. Besides, you can always thwart an attack by pulling out your wand and shouting “Expelliarmus!” at your Mac during boot-up to neutralize the attack.

Source: Ars Technica


Use Siri To Generate A Super Secure Random Password [iOS Tips]

As you may know, Siri is backed by the seriously amazing knowledge web site Wolfram Alpha, which makes dynamic computations about your search terms based on its own collection of built-in data, special algorithms, and other secret fancy methods. Or, to put it another way: magic.

Anyway, Siri taps into Wolfram Alpha and can come up with some great stuff, like calculating tips for you, for example. Siri’s connection to Wolfram can do even more than that, like generating a secure password for you. Here’s how.

Click and hold the Home button on your Siri-enabled iPhone, iPod touch, or iPad, and say, “Wolfram password.” You can also say, “WolframAlpha password,” if that floats your boat. Either way, you’ll get a screen that will show your input to WolframAlpha as, “generate a random password.”

Below that, you’ll see the default password length of eight characters, followed by your random password, along with the Whiskey-Tango-Foxtrot (NATO phonetic) way of spelling it out. You’ll then see six additional passwords you can use, along with some really cool info about the properties of the given password, including its entropy, a measure of how hard the password is to guess even with modern computing power.

Interesting tidbit: the eight character password I generated to try this out would take about 229 years to guess, if a brute force attack generated 100,000 passwords per second. Sweet! That’s got to be more secure than the one I have now! And no, I didn’t use the one in the screenshot above for anything. Sheesh.
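How those two numbers, the entropy and the time to guess, follow from the alphabet size and the length, as an added example that is not from the original post and does not use Wolfram Alpha: it generates a password with the operating system's CSPRNG and computes both figures. The 72-symbol alphabet (letters, digits and ten punctuation characters) is an assumption, chosen because it reproduces the post's 229 years for 8 characters at 100,000 guesses per second; the page does not say which symbol set Wolfram actually uses.

```python
"""Added example (not from the original post): a CSPRNG password and its guessing cost.

The 72-symbol alphabet is an assumption that reproduces the post's "229 years" figure.
"""
import math
import secrets
import string

PUNCT = "!@#$%^&*()"
ALPHABET = string.ascii_letters + string.digits + PUNCT   # 52 + 10 + 10 = 72 symbols (assumed)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=8, alphabet=ALPHABET):
    """Uniform choice per position from the OS CSPRNG; never random.choice() for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly chosen string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst case: every candidate tried once. The expected time is half of this."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def alphabet_size_for(pw):
    """Size of the union of the character classes the password actually uses.

    A cracker who can see that a password is all lowercase searches 26^n, not 72^n,
    so the real guessing cost of "password" is far below what length alone suggests.
    """
    if any(ch not in ALPHABET for ch in pw):
        raise ValueError("character outside the assumed alphabet")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PUNCT)
    return sum(len(c) for c in classes if any(ch in c for ch in pw))


def report(length=8, guesses_per_second=1e5):
    """Fresh password plus the two figures the post describes for it."""
    pw = generate_password(length)
    size = len(ALPHABET)
    return {
        "password": pw,
        "entropy_bits": round(entropy_bits(length, size), 1),
        "years_worst_case": round(years_to_exhaust(length, size, guesses_per_second)),
    }


if __name__ == "__main__":
    print(report())
```

The years figure is a worst case at a rate that is many orders of magnitude below what an offline attack on a leaked hash achieves, so use it to compare passwords with each other, not as a promise about how long one will survive.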

Via: Everything iCafe
