WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.

Home surveillance systems can get really expensive, and many times don't provide everything you're looking for.  My goal was to set up a functional, reliable home surveillance system that I could view on my mobile device, that provided motion detection image capture, and that could support multiple cameras.

iPhone Software:
I found iCam in the Apple App Store.  This app caught my eye because of its simplicity. It also does not require a subscription, in-app purchases, or ads.

Server Software:
The server software (iCamSource) works with the app and is free on the company website.  For free software it is very stable, and can also push notifications during a motion event. I set mine up to archive the image captures to an external hard drive, so those images are backed up to the cloud.

Cameras:
These cameras have worked flawlessly for me.  They don't have a ton of bells and whistles, but perform great in low light and have been super reliable.

Update:
If you are getting "public proxy busy" or the app is trying to get you to pay for proxy access, take a look at your local home router. You will probably have to forward a range of ports to allow your iPhone app to connect to your home server when you are on another network.

IMPORTANT NOTE #1 - If your router only allows you to forward a single port at a time, change the port range from 12000-12100 to 12000-12005 in the iCamSource and add 6 port forwarding rules in your router, one for each port.

IMPORTANT NOTE #2 - If you are running iCamSource(s) on more than one computer on the same network then you will need to use (and forward) a separate port range for each computer. (We recommend using 12000-12100, 12200-12300, 12400-12500, etc.)

Fremdschämen (external shame)



A fun German word I ran across that has no English translation. In fact it looks to be a recent addition to the German language, but does an outstanding job of expressing a very German feeling.

Have you ever watched someone make a fool of themselves, only to find yourself cringing in embarrassment for them? Then you’ve most likely experienced fremdschämen. This German word is made up of two parts, with fremd meaning “foreign” and schämen meaning “to be embarrassed.” The term is typically used to describe someone who feels embarrassment on behalf of someone else. The corresponding noun for this feeling is Fremdscham.

Fremdschämen (pronounce: "Fremmd-Shamen") is the German word for the sentiment of joint embarrassment. In the literal sense it means "external shame".

Use it in a sentence!
Today's example was prompted by the Eurovision Song Contest, always a good opportunity to feel embarrassed for others.


"Bereits nach den ersten Klängen des diesjährigen Beitrags von Großbritannien zum Eurovision Song Contest zuckte das Publikum innerlich zusammen. Ein europaweites Fremdschämen machte sich breit."


"Right after the first notes of Great Britain's contribution to this year's Eurovision Song Contest, the audience winced inwardly. A feeling of Fremdschämen spread throughout Europe."
Too harsh? You be the judge.


Enjoy!


If online security is complicated, then online privacy is impossible. The public is slowly learning the difference between these two topics. Unfortunate situations such as the infamous fappening have brought both of these topics to the attention of the cyber muggles.

Online security can be reduced to 1s and 0s, algorithms and ciphers; there is a finite outcome when you are looking at crypto.  Math does not lie, and we have the ability to create a secure cyber world.  Where security breaks down is the implementation.  Complicated software (open and proprietary), lack of proper vetting, and sometimes just laziness are a few of the causes.

Online privacy on the other hand is much darker and deeper than anyone wants to admit.  From the government to politicians to the telco companies to advertisers, your privacy is a commodity that is sold, stolen, and bartered for.  Free Google email is a perfect example.  If you sign up for email (which I have) you should understand that your email will probably be secure, but you are giving up privacy through Google's targeted marketing bots that crawl every email you get.

But there are groups looking out for the public's interests even if they didn't know they needed it.

  • The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in the United States.
  • The American Civil Liberties Union (ACLU) is a nonpartisan non-profit organization whose stated mission is "to defend and preserve the individual rights and liberties guaranteed to every person in this country by the Constitution and laws of the United States."
Below I have listed some links to privacy and security audits that have been performed for many of the services we use today.  I thought they were interesting and wanted to gather what I could find in one place.

Well, they have used up all the awesome vulnerability names, hence the POODLE Attack (Padding Oracle In Downgraded Legacy Encryption). Twitter security chatter has increased around the POODLE Attack and a CVE number has been assigned: CVE-2014-3566.

Links to both the google paper and the CVE.
High Level Explanation:
The quick and dirty is: even if a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant, since many clients implement a protocol downgrade dance to work around server-side interoperability bugs. In the Google security advisory, they discuss how attackers can exploit the downgrade dance and break the cryptographic security of SSL 3.0.

The only real workaround is to disable SSL 3.0, but for many web admins supporting legacy clients, Windows XP running IE6 for example, disabling SSL 3.0 is not an option.

If you end up enabling SSL 3.0 you can enable TLS_FALLBACK_SCSV. This forces a more controlled negotiation of SSL between the client and the server, limiting the possibility of clients and servers skipping protocols during the SSL negotiation.
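The server-side check that TLS_FALLBACK_SCSV adds, modelled in Python as an added example (not code from the Google advisory or from F5). The retry loop, the `fail_above` parameter and the sample suite lists are assumptions made for illustration; the 0x5600 value and alert 86 are the ones defined in RFC 7507.

```python
"""Added example: server-side TLS_FALLBACK_SCSV check (RFC 7507)."""

# Protocol versions as (major, minor) pairs, as they appear on the wire.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600          # signaling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # fatal alert sent on a needless fallback
ALERT_PROTOCOL_VERSION = 70         # no version in common


def server_decision(client_version, cipher_suites, server_versions):
    """Return ("handshake", version) or ("alert", code) for one ClientHello."""
    highest = max(server_versions)
    # A hello that carries the SCSV is a retry. If the server could have
    # spoken something newer, the downgrade was not needed: refuse it.
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < highest:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("handshake", max(usable))


def downgrade_dance(client_versions, server_versions, fail_above=None,
                    send_scsv=True):
    """Model a client that retries with lower versions after a failure.

    fail_above (hypothetical knob) makes every hello above that version
    fail in transit, whether from an interop bug or from interference.
    """
    best = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        if fail_above is not None and version > fail_above:
            continue  # this attempt never completes, so the client falls back
        suites = [0xC02F, 0x002F]  # constructed sample suite list
        if send_scsv and version < best:
            suites.append(TLS_FALLBACK_SCSV)  # mark the hello as a retry
        return server_decision(version, suites, server_versions)
    return ("alert", ALERT_PROTOCOL_VERSION)


if __name__ == "__main__":
    everything = [SSL3, TLS10, TLS11, TLS12]
    cases = {
        "clean handshake": downgrade_dance(everything, everything),
        "forced to SSL 3.0, no SCSV": downgrade_dance(
            everything, everything, fail_above=SSL3, send_scsv=False),
        "forced to SSL 3.0, SCSV sent": downgrade_dance(
            everything, everything, fail_above=SSL3),
        "old server, honest fallback": downgrade_dance(
            everything, [SSL3, TLS10], fail_above=TLS10),
        "SSL 3.0-only client": downgrade_dance([SSL3], everything),
    }
    for name, outcome in cases.items():
        print(f"{name:30} {outcome}")
```

The last case is the one to keep in mind for legacy clients: a client that only speaks SSL 3.0 never sends the SCSV, so the server still negotiates SSL 3.0 with it for as long as SSL 3.0 stays enabled.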

I will add more specifics to the F5 and how you would enable the TLS_Fallback command, as well as how to order your SSL protocol and cypher strengths.

***UPDATE***
According to F5 they do not currently support the TLS_FALLBACK_SCSV cipher. There is talk about an engineering hot fix that may include support but there is no solid ETA.  F5 is recommending you disable SSL 3.0 where you can.


OpenSSL command to test if a webserver supports SSL3.0:

openssl s_client -connect target:443 -ssl3
If the command makes you enter more information, then you just made an SSLv3 connection. If the command returns you to a prompt right away, then SSLv3 is disabled on that target host.

Another Defcon, and holy shit there were a lot of people. I registered Friday morning and they had run out of badges. Defcon has outgrown the Rio, and to support that theory there were rumors the Con would be moving. For conventions over 14,000 attendees the options narrow.  On the Defcon Wikipedia page and the Defcon DC News site they list Defcon 23 will be at both the Paris and Bally's hotels.  Not sure how that will work out, but it definitely needs a larger facility.  This may be misinformation though; remember, Defcon is canceled every year.

The theme this year, at least in the talks I attended, was Botnets... Botnets... Botnets...  The first talk I attended was Domain Name Problems and Solutions with Dr. Paul Vixie. His talk was a deep dive into how botnets and other nefarious entities are exploiting DNS. The industry's movement to provide convenient and low-priced DNS names is fueling the fire.  He also went into analysis of DNS metadata and how it is used in DNS RPZ (a DNS firewall).

Don't DDOS Me Bro: Practical DDOS Defense, presented by Blake Self and Cisco Ninja, was one of the better talks I attended.  They spoke about Layer 7 DDOS detection and defense, and brought some real-world data from their site soldierx.com.  They presented some examples of multi-layer defenses from F5 rules to Apache tools. They also released their DDOS monitoring tool RoboAmp that will run on a Raspberry Pi.

Lastly, and trust me it was a tough talk to get to, was Catching Malware En Masse: DNS and IP Style. OpenDNS presented tools and techniques they have developed to identify botnet and malware traffic on the internet.  They also presented an awesome 3D visualization engine they use to graph and identify this rogue DNS and IP traffic.

Between the partying and binge consumption there was a lot to take away from this year's Defcon. It was good catching up with old friends and meeting new ones, and I can't wait till next year.

If you're familiar with F5 you understand the need for a quick and dirty virtual lab on your laptop.  From testing code upgrades to writing and testing iRules, you'll quickly learn how important a lab is.

To get started you're going to need a few pieces that will make up your virtual lab.  Most of the following will work on a Mac or PC, but I am running a Mac, so I apologize in advance if some of the configuration is different.

Software needed:

  • F5 LTM Software: virtual lab edition is $99; you can also ask your F5 sales team for a trial license.
  • Hypervisor: I am using VMWare Fusion
  • Virtual Router: Vyatta (Brocade bought them but you can still find the open project iso.)
  • Servers: Use what you feel comfortable with.
Step 1) Install Virtual Software (VMWare)

Step 2) Go to Preferences > Network and create several virtual machine networks.  These vm networks will work like VLANs  and you will assign virtual nics for devices that will operate in those networks.

Step 3) Install and configure your F5 Virtual Lab software.  You will want to configure at least three network connections: one each for management, server side and client side. Make sure the gateway IP is the IP address you will assign to the interface on the Vyatta router.


Step 4) Install and configure your Vyatta virtual router.  This will allow your PC to communicate with all of the networks as well as bridge the server network to the internet for updates and package installs.  Here is a great guide I found for vyatta commands.

Step 5) Install and configure your servers, configuring their NICs to participate in the server VLAN.

Step 6) Build a Virtual server on the F5 using an IP address on the client network, and your pool member that exists in the server network.

You should be up and running and able to play with the F5.

So everyone's heard of Amateur Radio, but certified Amateur radio operators are becoming a rarity. It's not hard to speculate why Amateur radio is disappearing, just go to a restaurant or visit the mall you'll see every other person focused on their cell phone.

Even though our nation's cellular networks are growing and becoming more robust, Amateur radio operators still provide an important public service.  The largest disaster response by U.S. amateur radio operators was during Hurricane Katrina. More than a thousand ham operators from all over the U.S. converged on the Gulf Coast in an effort to provide emergency communications assistance. Subsequent Congressional hearings highlighted the Amateur Radio response as one of the few examples of what went right in the disaster relief effort.

A good way to be introduced to Amateur radio is to attend a local Amateur radio group event.  I have included a link to help find your local group.

The next step is to get certified.  Many local chapters provide Amateur radio certification tests. Also this year at Defcon they will be offering the exams right at the convention. 

The Defcon guys provided a terrific study resource to help you with the exam.

Finally you'll need a radio. For my first radio I decided to play it safe and bought a low-priced hand held to get a feel for ham radio.  Here it is:


  • Frequency Range: 136-174 / 400-480MHz; 25KHz/12.5KHz Switchable
  • 128 Channels 50 CTCSS and 104 CDCSS; Channel Step: 2.5/5/6.25/10/12.5/25KHz
  • Dual-Band Display, Dual Frequency Display, Dual-Standby; A/B band independent operation
  • Comes with all necessary accessories, backed up by 12 Months Seller Warranty






I have searched high and low for a decent low-priced alternative for Visio on the Mac, and I think I have finally found one.

yEd Graph Editor is a powerful desktop application that can be used to quickly and effectively generate high-quality diagrams. Create diagrams manually, or import your external data for analysis. Their automatic layout algorithms arrange even large data sets with just the press of a button.


The install is straightforward and works great, but us network guys want Cisco icons.  The network icons that come with it are a little weak.  So I found a German website that had the Cisco default icons as .svg files.  Here is the link to the download cisco_svg_icons.

Next how to install the icons.

  1. Open yEd Editor and go to Edit --> Palette Manager
  2. Click New Section to create a new section (name it)
  3. Highlight newly created Section and click import symbols
  4. Select .svg symbols and import them.
That's it... You should have a diagram tool that will let you make professional looking network diagrams.

Let me know if you have any better alternatives.


Version 2 GeoIP and Network whitelisting iRule.  

Implementing version 1 of the iRule has highlighted a few shortcomings.  In version 2 I have added a stopgap measure to manually add IP space to an additional data group.  This allows time for F5's Geo-IP database update process and your company's change management.

Prior to the deployment of version 1 we identified issues with RFC 1918 IP space.  Because private IP space is not defined in the Geo-IP database, the version 1 iRule blocked server to virtual server communication if sourced from a private IP.

The second shortcoming is the frequency of Geo-IP database updates.  F5 is timely with their Geo-IP database updates, but unless you're running their Application Firewall Module updating is still a manual process. IP space is being reallocated on a daily basis, which means you will always be playing catch-up.  This is why I added the manual network data group.  This group can be used as a stopgap as well as letting you add any private IP space you may want to add.

Here is the rule:
# Geo-IP_Network_Whitelist_acl_rule
#
# v2.0 - May 9 2014
#
# BIG-IP versions 11.x (tested on 11.3.8)
#
# Purpose:
#   This rule should be added to a network virtual server to catch all requests
#   which  don't match an allowed GeoIP country code or IP network/host.  This
#   creates a white list of networks and hosts that are allowed to connect to
#   the virtual server. By default, log entries are written to /var/log/ltm.
#
#   The rule expects the following two data groups to define which allowed country
#   codes (example: ca, us), or defined allowed networks (example: 10.0.0.0/8)
#   are allowed to connect to the virtual server.
#
#   Clients that match on either the Network or GeoIP data group will be allowed
#   to connect to the default pool. Clients that do not match will be rejected and
#   see a web page not available.
#
#   The data group names should be:
#
#   geo_allowed_country (string Data Group List)
#   geo_allowed_network (network Data Group List)
#
#
#
#
# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {
    if { [class match [whereis [IP::client_addr] country] equals geo_allowed_country] } {
        # Country code is in geo_allowed_country: log and let the connection continue
        log local0. "Geo-IP Code accepted from client: \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    } elseif { [class match [IP::client_addr] equals geo_allowed_network] } {
        # Source address is in geo_allowed_network: log and let the connection continue
        log local0. "Network accepted from client: \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    } else {
        # No match in either data group: reject the connection and log it
        reject
        log local0. "Client request rejected: \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    }
}
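Why version 1 rejected RFC 1918 sources and how the second data group changes the verdict, modelled in Python as an added example (not F5 code and not part of the original rule). The lookup table, prefixes and data-group contents are constructed for illustration; on a BIG-IP the lookup is `whereis` against the Geo-IP database.

```python
"""Added example: decision order of the country + network whitelist."""
import ipaddress

# Constructed stand-in for the Geo-IP database (documentation prefixes).
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Constructed contents for the two data groups named in the rule.
GEO_ALLOWED_COUNTRY = {"US", "CA"}
GEO_ALLOWED_NETWORK = [
    ipaddress.ip_network("10.0.0.0/8"),       # private space, absent from GEO_DB
    ipaddress.ip_network("192.0.2.128/25"),   # stopgap for a stale database entry
]


def whereis_country(addr):
    """Return the country code for addr, or "" when there is no entry."""
    ip = ipaddress.ip_address(addr)
    for net, country in GEO_DB.items():
        if ip in net:
            return country
    return ""


def decide_v1(addr):
    """Country match only: anything without an allowed code is rejected."""
    if whereis_country(addr) in GEO_ALLOWED_COUNTRY:
        return "accept-geo"
    return "reject"


def decide_v2(addr):
    """Country match first, then the manually maintained network group."""
    if whereis_country(addr) in GEO_ALLOWED_COUNTRY:
        return "accept-geo"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in GEO_ALLOWED_NETWORK):
        return "accept-network"
    return "reject"


def audit(addresses):
    """Return (address, v1 verdict, v2 verdict) where the two differ."""
    return [(a, decide_v1(a), decide_v2(a))
            for a in addresses if decide_v1(a) != decide_v2(a)]


if __name__ == "__main__":
    sample = ["10.1.2.3", "198.51.100.7", "192.0.2.10",
              "192.0.2.200", "172.16.0.1"]
    for addr in sample:
        print(f"{addr:15} v1={decide_v1(addr):8} v2={decide_v2(addr)}")
```

Note that 172.16.0.1 is still rejected: private ranges are only accepted once they are listed in the network data group.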


Enjoy!




*Update* Cisco has posted their Security Advisory for the Heartbeat vulnerability http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

It is curious to see how different companies choose to incorporate and document open source software in their products. But that is a different rant for a different time.

Today is the day engineers around the world hit the internet looking through pages and pages of documentation.  I have done some research and wanted to add what I found to hopefully shorten someone's search.

Cisco ASA 8.4 code is running openssl 0.9.8f Safe
F5 LTM 11.3, and 11.4 are running openssl 0.9.8y Safe
  • To view for yourself, SSH to your LTM, log in as root and run "openssl version"
F5 LTM 11.5 is running openssl 1.0.1e-fips Vulnerable

Here are some more links about the Vulnerability



I came across an iRule that identifies multiple connection attempts from an IP address and throttles their connections. Because it is an iRule you can completely configure the connection limit, the timeouts, and even the message your F5 will send the user.


when RULE_INIT {
    # This is the max requests allowed during "interval" specified below.
    set static::maxRate 125
    # Below is the lifetime of the subtable record in seconds.
    # This defines the interval during which requests are tallied. Example: Rate=10 and Timeout=3, allows 10 requests in 3 seconds
    # Note: do not use a very high timeout because it increases memory utilization, especially under high load.
    # Note: A rate of 100 in 50 seconds is the same as a rate of 20 in 1 second. But 1 second is a lot easier on memory,
    # because the records expire more quickly and the table does not become too large.
    set static::timeout 3
}
when HTTP_REQUEST {
    # Current request count for this client; -notouch keeps the lookup from resetting the record's timeout
    set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
    if { $getCount equals "" } {
        # First request in this interval: create the record with timeout and lifetime
        # log local0. "New one:  getCount=$getCount [IP::client_addr] [clock seconds]"
        table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
    } else {
        if { $getCount < $static::maxRate } {
            table incr -notouch -subtable requests [IP::client_addr]
        } else {
            if { $getCount == $static::maxRate } {
                # Log once, when the client first reaches the threshold
                log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount requests in $static::timeout seconds."
                table incr -notouch -subtable requests [IP::client_addr]
            }
            HTTP::respond 501 content "We apologize but your request/sec limit has exceeded the set threshold.  Please wait 30 seconds and refresh the page."
            #drop
            #return
        }
    }
}

Update coming soon: a more advanced iRule that accounts for RFC 1918 IP space as well as data groups that allow multiple GeoIP country codes.

This iRule will allow you to block requests to your website from IP addresses that are not from the US. GeoIP blocking is flexible and a way of whitelisting traffic to your servers.  It does have its limitations though.

GeoIP databases change all the time.  To keep the F5 GeoIP database up to date wouldn't be practical.

Some may consider this a security measure. But to limit IP traffic from a limited geographic area is not an effective security measure. Real bad guys will proxy or use unwilling victims to carry out their attacks.

when CLIENT_ACCEPTED {
    # Reject any client whose source address does not geolocate to the US
    if { not ([whereis [IP::client_addr] country] eq "US") } {
        reject
    }
}

The following is a list of Country Codes you can test with.


Whether you think he's a hero or a traitor, Edward Snowden's revelations have generated an important conversation around privacy.  Here is his first video from exile at South by Southwest.


Let us know what you think of Snowden





Yelp has released their top 100 places to eat in the country, as determined by the Yelp community.

Yelp's data team crunched the data using the Wilson Score to compile a list of highly rated places to eat. The method takes into account many of the same factors the everyday yelper uses, such as restaurant rating and number of reviews.
Here is a link to Yelp's Blog Post:  http://bit.ly/1el9NJj

Bone Appetit!




Interesting post on gigaom.com today. Netflix and Comcast have come to a peering agreement and Netflix is paying for the privilege. First let's understand what this means, according to Wikipedia:
In computer networking a peering agreement is a voluntary interconnection of administratively separate Internet networks for the purpose of exchanging traffic between the users of each network. The pure definition of peering is settlement-free, "bill-and-keep," or "sender keeps all," meaning that neither party pays the other in association with the exchange of traffic; instead, each derives and retains revenue from its own customers.
So why is this significant? These types of agreements have been between the big internet players, the Level 3s and AT&Ts of the world. What makes this more insidious are the reports that Comcast and Verizon have targeted Netflix traffic. Here is a post on Arstechnica.com discussing their discoveries. Also Comcast and Verizon have refused to install Netflix's free bandwidth solution Open Box on their networks.

What does this mean? This means that Comcast and Verizon may be altering Netflix traffic to force them into a paid peering agreement. The fact that they do not want to work with Netflix is appalling. For the short term Netflix has agreed to pay Comcast, so Comcast should allow Netflix to work.  In the long term this agreement sets a precedent for ISPs to discriminate against or target traffic. And at the end of the day it threatens Net Neutrality.



The new season of House of Cards reminds me how good TV can be, and this speech given by Kevin Spacey is inspirational and exciting. I know it's been around the internet, but the message is important and we need to keep it in our social feeds.


Touch ID is an awesome feature and has been the best implementation of consumer biometrics I have used. But for some it is troubling. For those who suffer, the ability to train your Touch ID, in essence giving it more data about your fingerprint, would be beneficial. Well, Steve Gibson of the Security Now podcast has stumbled across just that: an undocumented way to train your Apple Touch ID. I will embed part of the Security Now podcast showing Steve training his iPhone 5s, as well as a nice guide imore.com put together.

Security Now Episode 440

  1. Launch the Settings app and tap on General.
  2. Tap on Touch ID & Passcode and enter your numerical passcode when prompted.
  3. Now tap on Touch ID.
  4. Here you see a list of all your registered fingerprints. Place one of your registered fingers on the Touch ID sensor. The registered print will pulse grey. Continue placing and lifting each registered finger as many times as you'd like to train Touch ID further.