My host machine is Ubuntu Linux 9.10, AMD quad-core, 3.5G of DDDR3 ram. I have two 160GB SATA disks in a non-RAID configuration. I know it’s far from ideal but I try to split VM’s between these drives to help I/O performance. I am using Virtualbox 3.1.6, non OSE. I’ve been using the command line tools to manage my VM’s lately. It can seem daunting at first (it was for me) but you will soon become accustomed to the syntax.

I began by creating a virtual disk for my first 2008 vm and then creating the actual vm:

VBoxManage -q createhd --filename win2k8.vdi --size 20000 --format VDI --variant standard
VBoxManage -q createvm --name win2k8-test1 --ostype Windows2008_64 --register

Don’t forget the –register, that option registers the vm in VirtualBox’s XML config, otherwise you have to do that separately with the registervm command. Next we take care of the basic settings – RAM, remote access via RDP, disk controllers, etc. You can also change available VCPU’s here if you’d like (default is one):

VBoxManage -q modifyvm win2k8-test1 --memory 1024 --vrdp on --vrdpport 3392
VBoxManage -q storagectl win2k8-test1 --add  sata --name "Sata Controller"
VBoxManage -q storagectl win2k8-test1 --add ide --name "Ide Controller"
VBoxManage -q storageattach win2k8-test1 --storagectl "Sata Controller" --port 0 --device 0 --type hdd --medium /storage/bangel/vbox-disks/win2k8.vdi
VBoxManage -q storageattach win2k8-test1 --storagectl "Ide Controller" --port 0 --device 0 --type dvddrive --medium /storage/bangel/isos/en_windows_server_2008_datacenter_enterprise_standard_x64_dvd_X14-26714.iso

Notice, I had to add an IDE Controller for the virtual DVD drive because VirtualBox does not support DVD drives on SATA interfaces. After the SATA/IDE controllers were setup, I attached my VDI file to SATA, and the Server 2008 ISO to the IDE Controller.

A side note: I didn’t do this until much, much later, but it was probably the most useful thing I did all day:

alias vboxmanage='VBoxManage -q'

You realize how much of a pain it is typing CaMeLCaSe commands w/ tab-completion when you have to do it dozens of times in a row. The -q option suppresses the Sun copyright notice.

And we’re ready to to install our new server into the vm. If you’re running VirtualBoxon your local machine (with keyboard, mouse, display) you can start it up via the VirtualBox GUI or with the “VBoxManage startvm” command. On my setup, I generally start a GNU screen session and do:

VBoxHeadless -s win2k8-test1

This will allow me to connect to the vm via RDP client from anywhere on my LAN. Remember above we configured port 3392 for RDP. Proceed through the installation process and it’s multiple reboots. Don’t forget to install the Guest Additions! The display resolution and mouse input were screwy until I did. It’s as simple as:

VBoxManage -q storageattach win2k8-test1 --storagectl "Ide Controller" --p0rt 0 --device 0 --type dvddrive --medium /home/bangel/Documents/VBoxGuestAdditions-7-OldX.iso

Reboot, then start the install of about 80 Microsoft patches, which will require many hours and multiple reboots of the vm. Once you’re all patched up, you’ll have to do the whole process again for your second 2008 server, but not really. This is where the magic of virtualization really shines:

VBoxManage clonehd /storage/bangel/vbox-disks/win2k8.vdi win2k8-test2.vdi --format VDI --remember

Bam! You just made a new virtual disk and it’s registered in the VirtualBox MediaManager with the –remember option. Using the “clonehd” function also updates the disk’s UUID so it won’t conflict with your source VDI. I also made a manual copy using ‘cp’ so I could easily deploy more Windows 2008 Server vm’s based on this disk image. Run through these now-familiar commands:

VBoxManage -q createvm --name win2k8-test2 --ostype Windows2008_64 --register
VBoxManage -q modifyvm win2k8-test2 --memory 768 --vrdp on --vrdpport 3393
VBoxManage -q storagectl win2k8-test2 --add sata --name "Sata Controller"
VBoxManage -q storageattach win2k8-test2 --storagectl "Sata Controller" --port  0 --device 0 --type hdd --medium /home/bangel/.VirtualBox/HardDisks/win2k8-test2.vdi

And your second Windows 2008 server is ready to boot, completely patched and up to date with Guest Additions installed. Notice I set the RDP port to 3393. In my next post I will be discussing the VirtualBox network setup for these two vm’s and the addition of a new vm: a linux-based router distro called Vyatta.

Side-by-side shot of the two Win2k8 VM's via RDP Client

Online information about consumers comes from several sources. Public records such as campaign contributions, property sales and court cases are increasingly posted on the Internet. At the same time, marketers are collecting information about consumers’ Web browsing and buying habits. And then there are the thousands of online communities such as Facebook and Twitter, where users supply the personal information themselves.

Garfinkel concludes that what is necessary is an “online passport”: A global, ubiquitous electronic-identification system, backed by business and government alike. Currently there are a myriad of systems to verify our online personas: your banks each have one, every e-mail account you use is different, any company you do business with online and your facebook and myspace. Now each of these systems is designed and implemented in different ways by different people and contain their own strengths and weaknesses. While I see the benefits of a single, well-designed and strong authentication system, I also see it’s drawbacks. It creates a single point of failure. Sure we can pass laws protecting it and standards for auditing it. But what happens when an attacker gets a hold of your credential? Instead of just having access to one account, he has access to all of them. Because now every government office and online retailer trusts that single system, and nothing is ever 100% secure.

Anyway, it’s a good read and contains a good discussion of the legal history of privacy and how it’s evolving and will continue to evolve. Discussion is what we need; a solution to the privacy problem will not be a quick and easy fix. Read the full thing here.

Related Blogs

• Related Blogs on Anonymity
• Right of a blogger’s anonymity: a selection of views | Journalism …
• Local SA meeting busted, anonymity destroyed. « Trudging the …
• Nightjack: the cloak of anonymity and the mankini of hypocrisy …

• Related Blogs on Privacy
• Privacy Lives » Blog Archive » Events of Interest: Fordham …
• Google and Personal Privacy – Is it really that bad? You Decide …
• Blue Herald » Blog Archive » Goodbye Privacy

• Related Blogs on Security
• Security and Hacking: Reporting Cyber Crime | The Blog Herald

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintance with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

The testing methodology seems sound and the paper contains a lot of interesting statistics on the most commonly used secret questions and how and by whom they can be compromised. For example, if a site allows the user to submit their own question/answer pair, the paper conlcuded that 24% of these are vulnerable to guessing with no other knowledge except geographic location, another 23% are vulnerable to guessing by coworkers, clients or family members. Another paper on this topic is available here. It focuses on financial instutions and the impact of the social networking phenomenom. They concluded that 33% of banking institutions’ security questions were “guessable” and that 12% of their question sample was “automatically attackable” via data commonly contained on facebook/myspace/etc. profiles.

Related Blogs

• Related Blogs on passwords
• Creating Secure Passwords You Can Pronounce « Begin Linux Blog
• Free Presale Passwords – Friday, May 29 |

• Related Blogs on Security
• Security and Hacking: Reporting Cyber Crime | The Blog Herald

Today we are going to walk you through simple AES encryption of your Linux swap partition. All data stored in your SWAP file will be seamlessly encrypted with a different random key, every time you boot. This will render any examination by a malicious person worthless.

I will be doing this using Ubuntu 9.04, but this should work will any newer Linux distribution with little or no modification. You will be able to do this with a fresh install, or a previous install.

In our install /dev/sda2 is our swap partition, if yours is different you will need to substitute it.

and here is how we do it…

Boot the system, and shut down any non-critical programs.

Become root:
sudo -s

Install cryptsetup (This would already be installed if you followed our /home encryption tutorial found here.):
apt-get install cryptsetup

Turn the current swap partition off:

swapoff -v /dev/sda2


Open /etc/crypttab in nano:
nano /etc/crypttab

Add this line to /etc/crypttab:
cswap /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

Open /etc/fstab in nano:
nano /etc/fstab

Find the line for the swap file and comment it out by putting a # sign in front of it. It should look like this when your done:
#UUID=879b3256-03e3-3be2-765a-0329a2aa162e none swap sw 0 0


Add this line to /etc/fstab:
/dev/mapper/cswap none swap sw 0 0

At this point, if you have any other partitions encrypted, reboot and you should be done. However you could try the following…

Create the device /dev/mapper:
/etc/init.d/cryptdisks start

Turn the swap partition back on:
swapon -a

You can see your current swap partitions by doing:
cat /proc/swaps

Your swap partition should be fully encrypted now.

Please watch for our upcoming series on WI-FI security.

Related Blogs

• Related Blogs on AES
• Off Site Encrypted Backups using Rsync and AES

• Related Blogs on Encryption
• Script-o-matic » Old Encryption Traces
• Aura

• Related Blogs on ubuntu
• Developer's Kanundrum » Blog Archive » Upgrading Ubuntu Feisty …
• Debootstrap Ubuntu Jaunty PV DomU at Xen 3.3.1 F10 Dom0 ( kernel …
• Ubuntu: Anime Convention with Ubunchu « DoctorMO's Blag

Being so small I wanted to encrypt the hard drive with luks, in case it was stolen or lost. Initially I used the alternative install ISO to do this. The install was complicated due to the installer complaining about the lack of a CD drive, and the performance hit was just too big. So, I decided use the Netbook Remix and do just /home encryption, as that is where most settings and personal files should be stored.

The regular desktop ISO and the netbook IMG do not offer encryption during installation, so here is how I accomplished it.

Download the Desktop ISO or Netbook Remix IMG.
Write the ISO or IMG to your media (in my case I used a usb thumb drive).

Boot into the LiveCD from your USB stick (or CD if you have a CD drive).

Start the installation, and choose to manually partition your drive.

Make two partitions. One for your / and one for swap. I have a 160gb HDD and did the following:

/dev/sda1 – 30gb – ext4 – mount as /
/dev/sda2 – 2gb – SWAP

Leave the remaining space unallocated, it will be used for your future /home.

Go ahead and install as normal.

When I created my user, I chose to have it login automatically, since once we are done a password will be required to mount /home anyways.

Once done, boot up into your fresh install.

You will need to connect to the Internet.

I went ahead and updated my install.

Then go to (System> if your using the Desktop version) Administration> Software Sources,

Make sure all the repositories are enabled, and up to date.

Now open a terminal.

Become root
sudo -s

Install the package ‘cryptsetup’
apt-get install cryptsetup

Install the package gparted
apt-get install gparted

Run gparted
gparted

Using gparted, partition the unallocated space as ext3, I used /dev/sda3

Now create the luks partition

cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda3

Setup the device mapper
cryptsetup luksOpen /dev/sda3 home

Create the file system
mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home

Mount the partition
mount -t ext3 /dev/mapper/home /mnt

Copy your home dir
cp -axv /home/* /mnt/

Unmount the partition
sudo umount /mnt

Edit /etc/fstab to use the new encrypted home dir
nano /etc/fstab

Add this line to the bottom of /etc/fstab
/dev/mapper/home /home ext3 defaults 1 2

Edit /etc/crypttab to decrypt the new home dir on boot
nano /etc/crypttab

Add this line to /etc/crypttab
home /dev/sda3 none luks

Reboot. Now you should be using your new encrypted home dir.

To remove your old /home files, you will need to boot back into the livecd and run the following in a terminal:
sudo -s
mkdir temp1
mount /dev/sda1 temp1
cd temp1/home/
rm -rf *


Now you should be all done. If you had any sensitive data in the old /home you may wish to install a secure delete program like ‘wipe’ while running off the LiveCD and do a secure delete.

I plan to do encryption of the swap file as well, please check back for that future post.

I would like to thank Kilobit for the Acer Aspire One to play with.

I used this post as my refrence, when initially trying /home encryption.

You can find me as ‘Dox’ or ‘TheDox’ on efnet in #ubuntu and #wifi.

Related Blogs

• Related Blogs on AA1
• Ubuntu 8.10 on the AA1 – follow-up review « Linux Daily

• Related Blogs on Acer Apire One
• Acer Aspire One 751 Shows Up in Germany | Eee PC – Blog
• Acer Aspire One 751: 11.6-inch, Intel Atom Z520 with US15W Express …
• Acer Aspire One 751 Laptop | MYBESTLAPTOP

• Related Blogs on Acer Aspire
• Acer Aspire One 751 Shows Up in Germany | Eee PC – Blog
• Acer Aspire EL 1600 nettop India price, features | DWS Tech
• Acer Aspire One 751: 11.6-inch, Intel Atom Z520 with US15W Express …

• Related Blogs on Encryption
• Script-o-matic » Old Encryption Traces

• Related Blogs on netbook remix
• Ubuntu 9.04 Netbook Remix » SoftSift
• Ubuntu 9.04 Netbook Remix Review | AppleDifferent
• Ubuntu Netbook Remix 9.04 at Mostly Harmless
• Free Music

• Related Blogs on ubuntu
• Developer's Kanundrum » Blog Archive » Upgrading Ubuntu Feisty …
• Debootstrap Ubuntu Jaunty PV DomU at Xen 3.3.1 F10 Dom0 ( kernel …
• Ubuntu: Anime Convention with Ubunchu « DoctorMO's Blag

Last Thursday wired.com, through the FOIA,  obtained 100’s of pages of  documents that detail seven years of the FBI’s use of malicious software in tracking down hackers, hitmen, extortionists and terrorist suspects. The released documents, available for download here, are of course heavily redacted. The software is called CIPAV, or “computer and internet protocol address verifier.” From the documents it’s capabilities include: reporting a computer’s IP address, MAC address, open ports, a list of running programs, the operating system type, version and serial number, preferred internet browser and version, the computer’s registered owner and registered company name, the current logged-in user name and the last-visited URL. After sending this information to FBI servers via covert channel, the software sits quietly and monitors your internet use, reporting the IP addresses of every connection made while on the Internet.

Some of the cases in which CIPAV was used include:

• In 2005, Danny Kelly, an unemployed engineer, used anonymous e-mail to demand money from Verizon and Comcast, in exchange for not cutting cables in their network. He had cut a total of 18 cables between 2004-2005.
• Also in 2005, CIPAV was used to identify a hacker who had compromised thousands of computers at Cisco Systems, NASA JPL, and US Government Laboratories. The hacker was later found to be a 16 year-old from Sweden.
• A European hitman using an anonymous and encrypted e-mail service to solicit business.

At first glance, it seems the feds have gone blackhat in their zealous pursuit of wrongdoers, but the documents indicate that search warrants were applied for and obtained in every case. Even if some of our 4th Amendment protections are in place, I don’t see how they can be sure it’s on the right machine. The documents indicate that the spyware actually takes advantage of security vulnerabilities to install itself… the same method used by viruses and other malware. What happens when an innocent third-party gets his machine infected by visiting some secret FBI trojan-installer website? Are the feds going to call him up and tell him how to remove their spyware? No, but they’ll still be receiving private information sent by the trojan. Maybe it won’t be admissible in court, but they’ll still have it. The only upside is it’s NOT a virus/worm and it does NOT self-propagate. One document even indicates the FBI e-mailed the trojan to a suspect’s yahoo.com account. I haven’t read the entirety of the FOIA release, but there are some interesting items, if you can read through all the redactions. One document even indicates that the FBI is hacking suspects’ WiFi, another reason to use the strongest-available encryption and authentication protocols.

So how do you protect yourself (from accidental infection of course)? Well first I’d recommend not using Internet Explorer, which has a history of security vulnerabilities. Also, running a non-windows operating system may be of help. In one of the documents, the FBI was concerned their attempts to install the trojan may have been detected. A suspect in the hacking of a bank in Cincinnatti visited the trojan site, but “the CIPAV did not deliver its payload because of system incompatibility.” You can safely infer that this trojan will not function on a unix-based operating system, such as Linux or FreeBSD.

Lastly, use anti-spyware and antivirus software that was developed outside of the United States. We don’t know if the FBI has backroom deals with U.S.-based security products vendors. i.e. “Please don’t add our trojan to your virus detection list or your company will be aiding the terrorists and helping kill children.” How could they refuse? So use Avast or AVG for your antivirus (both Czech companies) and Comodo (Great Britain) firewall can be configured to detect covert communications, even over port 80. Security doesn’t have to be difficult. It’s mostly common-sense and a small investment in time to educate yourself. Take the initative, your personal information will appreciate it, I know mine does.

Related Blogs

• Related Blogs on civil rights
• fotowarung.bazuki.com » Blog Archive » U.S. civil rights activist …
• SnarkyBytes » ABC’s Anti-Civil Rights Agenda

• Related Blogs on malware
• Fox News Boycott » Malware in FoxNews.com Ads?
• Boredom Results in Twitter Malware Attack | Malware Blog | Trend Micro
• Search for Twitter Worm News Snowballs to More Malware | Malware …

• Related Blogs on Privacy
• Privacy Lives » Blog Archive » Events of Interest: Fordham …
• Google and Personal Privacy – Is it really that bad? You Decide …
• Privacy International’s Official Response On Deep Packet …

Wikipedia defines “critical infrastructure” as “assets that are essential for the functioning of a society and economy.” After the terrorist attacks of September 11, 2001, the US Government’s Critical Infrastructure Protection program made the decision to include fiber optic communication networks as part of our country’s critical infrastructure. Cell phones and landlines, the internet, local networks, emergency services, voice and data. Our society’s communication and connectivity depend on these thousands of miles of hair-width strands of glass.

City of Palo Alto fiber route

So how secure is our critical fiber optic infrastructure? Well, are you strong enough to lift a manhole cover? Yes there are millions of manholes, which one is the right one? Almost every network service provider publicly publishes maps of their fiber optic routes as part of their product marketing. Don’t believe me? Google it. I remember Qwest (SP Telecom, anyone?) laying their 18,500 miles of fiber starting in the early 90’s. And a majority of that fiber runs right along with Southern Pacific’s old railroad tracks. It’s pretty easy to spot those.

Even if we found a way to secure the millions of manhole covers and vaults in our cities and towns, how do we secure the thousands of miles of fiber runs that go through America’s heartland? Any basic risk assessment would identify and quantify this vulnerability. But no one is talking about it because no one knows what to do. There is no easy solution. This incident was obviously purposeful and well-coordinated. Yet it was also purposefully easy to repair the damage. We were lucky. What happens with a real attack? Next time a bomb could go off in a fiber vault. Good luck splicing that. We’ll be in even more trouble when an attacker discovers it’s easy as renting a cage in a telco hotel and filling it with 42U’s of C4.

This is a new take on a very old scam. This type of social engineering exploits a natural human weakness. We trust our friends. And we assume that our friends trust their friends, and so on. This turns trust verification into a never-ending web-of-trust based solely on who you’re linked to on myspace or facebook. You want to try this out yourself? Get a good-looking picture of a young woman and create a profile. I bet you’ll rack up more friends than I have, and in a shorter time. And none of them know anything about you, except that “oh this is a friend of so-and-so, she must be cool.”

Ask yourself if you really know all the people on your friends list? Do you know them well enough to be comfortable telling them when you’re out of town? Or on which nights you’re coming home late? Looking over my friends list, I’m guilty. I’ve added people that I’ve never met personally only because I’m linked to them through a real friend. I may be one-degree away from knowing them, but I have no clue who any of their friends are.  The solution is to verify. Trust your friends: the ones you go out with on Friday nights or talk to on the phone during the work day. Unless you’re an uber-geek that is going to trade signed public-key’s with your friends, a simple phone call should suffice to verify who’s who on facebook.

Related Blogs

• Related Blogs on identity theft
• You Can Be A Victim of Identity Theft
• Nigerian Email Scams – Be on the Look Out! | Identity theft …
• Tips For Choosing An Identity Theft Prevention Service
• Are You Looking For An Identity Protection Plan?
• Internet Safety – Part 4: Identity Theft | Technology Heaven
• Free Music

• Related Blogs on Security

• Related Blogs on social web
• Blog of Change » Re-imaginging through the social web
• Social Web Incubator Group | Social Web Strategies
• #IA09 – join us April 27th! | Social Web Strategies
• Social media for higher revenues | Social Web Strategies
• Identity Theft and the Social Web | MindHack

Related Blogs

• Related Blogs on identity theft
• You Can Be A Victim of Identity Theft
• Nigerian Email Scams – Be on the Look Out! | Identity theft …
• Tips For Choosing An Identity Theft Prevention Service
• Are You Looking For An Identity Protection Plan?
• Internet Safety – Part 4: Identity Theft | Technology Heaven

• Related Blogs on Security
• Ghost Bar Dallas

• Related Blogs on social web
• Blog of Change » Re-imaginging through the social web
• Social Web Incubator Group | Social Web Strategies
• #IA09 – join us April 27th! | Social Web Strategies
• Social media for higher revenues | Social Web Strategies
• Identity Theft and the Social Web | MindHack

I’ve recently returned from a long hiatus from the ‘net. Working in the IT industry and being an all-around computer geek my entire life, a prolonged absence from modern technology (especially the Internet) was a strange experience. Since I’ve always been a strong believer in personal privacy, and in how this privacy can be enjoyed and protected online, my absence presented me with a unique opportunity to view privacy and anonymity on today’s Internet and compare it to that of three years ago.

Only a few short years ago if you were somewhat careful, it was next to impossible for someone online to get your personal information: Use shell accounts and proxies, don’t let your home IP get out; Use a made-up online persona and free e-mail accounts for forums and mailing lists; Follow good password policies; Be careful using your credit card. The list of simple things we did to protect ourselves is no longer as useful today. For the last three months I’ve been slowly learning Web 2.0 and it’s ramifications for online privacy.

Web 2.0 is the Social Web. People are now linked together in a myriad of ways. You subscribe to your friends twitter feeds and know where they are what they are doing as soon as it happens. Maybe you send a tweet or two now and then yourself. You have a facebook and myspace profile with hundreds of friends, colleagues and acquaintances. And don’t forget that the purpose of these social networking sites is to expand your network of social connections as large as it can. A tagged photo, a Digg or an occasional Stumble can all leak out a little bit more about you, the real you. It will be even worse when cloud computing takes off. With the social web no longer limited to online communities such as chat and forums, mediums where we could keep our online identity at a safe distance from our real one. The line that separated the virtual world from the real world is blurring.

So what does all this mean? It means that online activity will begin to have a more profound effect on your real life. A few recent examples of this have caught my eye and I have no doubt we will be hearing stories like these more and more. The Cisco Fatty lost his new job by tweeting his honest opinion of his new employer. Google just reported that they accidently shared some users Google Docs and Spreadsheets with people that had no permission to see the documents. That was only an accident, what happens when the hackers start hitting the cloud? We’ve all read about the Lori Drew Myspace case, where a Missouri mother was convicted for using a fake myspace account to cyber-bully a teenage girl to suicide. But the ruling could have far-reaching effects on online anonymity: the next time you put a fake name and throwaway email in a online form, you may be committing a federal crime.

So what can be done to protect your online anonymity? Well you can simply not participate in Web 2.0, as difficult as that may become. Or  you can take some simple steps to protect yourself. I signed up for facebook a couple of weeks ago, but not before reading and re-reading this article on facebook privacy. Be pro-active. Do research on what privacy options are available on specific sites, and implement them. Keep your professional and personal networks as walled off from each other as possible. Make sure that drunken photo of you someone tagged on facebook is NOT shared with your boss and coworkers. And always, always, think before you tweet.