The New GlobalProtect VPN Client

The new GlobalProtect VPN client will be made live in the coming weeks. This version has a number of usability enhancements (it looks prettier), so it is worth documenting those visibility changes.

The task bar icon has changed and shows as either (connected) :-

Or (unconnected) :-

The login panel has changed :-

The “you are connected” dialog has also changed :-

This can be closed by clicking on the icon in the task bar.

The settings page can be opened by clicking on the cog icon, but the result doesn’t look different enough to grab a screenshot of.

The client on macOS is very similar although the icon is colourless.

Posted in General, VPN | Leave a comment

Using The VPN For General Internet Protection

Using the VPN is generally seen as a way of using UoP services remotely in a relatively safe way, but it does actually offer another advantage for using generic Internet services – because the VPN goes through the UoP firewall, it offers protection against Internet threats above and beyond what is normally offered by most Internet routers.

In addition, all traffic between your computer and the VPN end point is encrypted allowing the use of untrustworthy networks.

Threat Protection

The firewall performs scanning of any traffic that isn’t encrypted looking for viruses, spyware and attempts to exploit web browsers. Such malicious content is blocked to keep you safe.

Network Encryption

Not all networks are equally trustworthy – networks in some public locations (“free WiFi here”) are unprotected and hackers have been known to capture the traffic looking for “interesting” data.

The easy way to solve this issue is to use a VPN that encrypts all traffic between you and the VPN endpoint.

Privacy

So perhaps you don’t want us knowing that you’ve visited that site. Perfectly reasonable except that :-

  1. We don’t know who visits that site.
  2. We don’t care who visits that site.
  3. Even if we were interested, there is too much work on to figure out who visits that site.
  4. Formal requests to identify who visits that site would be refused.

If anything, using the UoP VPN is a better guarantee of privacy than using a third-party network without a VPN. Unless it becomes a legal matter.

Posted in Firewall, General | Tagged , | Leave a comment

How to spot a phishing email

It claims that there is an important meeting, and contains a link for details.  The email may even use your name (so called ‘spear-phishing’).  However, the link provided leads to a fake website designed to capture your login details so that your account can be hijacked.   These sites can look very realistic.

Most of this advice can be used to identify more general “dodgy” emails – spams, scams, and attempts to spread malicious software.

Where is the link actually going to take me?

Move your mouse cursor so it hovers over the link.  Now look at the bottom of the window,  you should be able to see the URL of the destination site.  Even to the non-expert, these URLs can look very suspicious, messy and not at all related to any known organisation – it’s a phishing site!

Here’s an example

Common phishing techniques:

  • Begins with ‘Dear User’, ‘Dear Sir or Madam’
  • Urgency – the message urges you to take action quickly – without thinking
  • Surprising – e.g. Why is the Vice Chancellor asking me to pay an invoice?
  • Fake link – the link leads to an unfamiliar and suspicious-looking URL
  • Unprofessional Formatting
  • Poor use of English

The use of any one of these in an email should increase your suspicion of it; the absence of some does not indicate that the email is trustworthy.

Reporting

If you receive a message like this, please delete it.  If you’re ever concerned that an email might be malicious, or if you think you might have given your account details away, please contact the IS Service Desk on ext 7777 or send a report to the servicedesk@port.ac.uk email address.

If you do report a suspicious email, you may wish to take a look at obtaining the “original view“. There is a lot of extra information contained within email headers that can be useful for identifying the source of an email and normally forwarding an email loses such information.

 

Posted in Email, General | Tagged | Comments Off on How to spot a phishing email

Checking The Safety of Websites

With all the different dodgy web sites out there, and all the emails trying to encourage us to visit them, it is perhaps time to look at some web sites that can be used to check the trustworthiness of web sites.

The first (and frankly the main reason for this posting) is https://www.scamadviser.com (Scamadviser). Visit this site, enter a website address (such as www.port.ac.uk) and see their assessment of how trustworthy a site is.

It is certainly worth checking if you are about to hand over some money to a web site you have never used before. Just check the location bar at the top of your browser window :-

Different browsers and operating system all look different of course, but there should still be somewhere within your browser that shows the current location and it will look somewhat like the above.

In a similar way, the “Web of Trust” website (https://www.mywot.com) also allows you to check on the trustworthiness of a particular web site. It can even be added to the browser as an extension.

On a different subject, Snopes is a web site dedicated to checking on the validity of certain kinds of news stories – in particular those stories spread over social media. For instance the story about gangs throwing eggs at cars to obscure the windscreen has been shown to be false.

Posted in General | Comments Off on Checking The Safety of Websites

Apache: Reducing Information Leaked Through The Headers

Apache by default announces all sorts of information about itself when you make a connection to it :-

$ lynx -head http://some-server-fqdn/
HTTP/1.1 302 Found                                                                                                                                                                                                                             
Date: Thu, 31 May 2018 12:18:22 GMT                                                                                                                                                                                                            
Server: Apache/2.2.15 (CentOS)                                                                                                                                                                                                                 
Location: https://t-oala-idp-01.iso.port.ac.uk/                                                                                                                                                                                                
Connection: close                                                                                                                                                                                                                              
Content-Type: text/html; charset=iso-8859-1        

This can be fixed by simply changing the ServerTokens Apache configuration option to “minimal”. This is found in either security.conf or in global.conf somewhere under /etc/apache2 (or elsewhere if Apache has been set up in a strange way).

Make the change and restart Apache in the usual way – apachectl configtest and then apachectl graceful.

Posted in Technical | Tagged , | Comments Off on Apache: Reducing Information Leaked Through The Headers

Apache: Disabling Directory Indexes

One of the features of Apache that can cause security issues (or at least those who audit security issues may complain about it) is the ability to produce a file listing of a directory if there is no index page in place :-

This can be turned off by removing the Apache option “Indexes”; search the Apache configuration directory (assumed to be /etc/apache2) for a file containing that word :-

# find . -type f -exec grep -li Indexes {} \;
./sites-available/observium.iso.port.ac.uk.conf
./sites-available/nss.eps.is.port.ac.uk.conf
./mods-available/autoindex.conf
./mods-available/userdir.conf

Check each file for an active Indexes option :-

Options Indexes FollowSymLinks

And remove the “Indexes”.

Restart Apache in the usual way (apachectl configtest and if that comes back Okay, then apachectl graceful).

Posted in Technical | Tagged , | Comments Off on Apache: Disabling Directory Indexes

Apache: Disable the ETag Header

By default, the Apache web server has an information disclosure vulnerability where the ETag header shows information about the file containing the object in question. This can contain an “i-node” value which in combination with the use of NFS can permit certain forms of attack.

Whilst not especially serious, it is worth disabling this header given how easy it is to do (and the security people will stop complaining about it). Simply add :-

FileETag None

to an Apache configuration file and restart in the usual way. You can make this change in almost any of the files commonly found under /etc/apache2 but two possible locations where it is ready to go are :-

  1. For Ubuntu/Debian-derived Linux systems, look at /etc/apache2/conf-enabled/security.conf (it is present but commented out)
  2. For SLES-derived Linux systems, add the line to /etc/apache2/conf.d/local.conf

Of course with any Apache change you will need to restart it (and preferably in a safe manner) :-

✓ root@pm-log2# apachectl configtest
Syntax OK
✓ root@pm-log2# apachectl graceful  

 
 

Posted in Technical | Tagged , | Comments Off on Apache: Disable the ETag Header

Apache: Disabling TRACK and TRACE Methods

By default Apache supports a number of HTTP methods in addition to the ones we normally use – GET (to get objects) and PUSH (to push form data although you can send form data with GET too). These additional methods are mostly harmless, but two do leak information about a server that you may not want an attacker to know.

Fortunately turning this off is a single line configuration change; simply add the following to one of the Apache configuration files :-

  TraceEnable off

And you will be protected (and won’t receive any more nasty messages about that bit of configuration).

You can make this change in almost any of the files commonly found under /etc/apache2 but two possible locations where it is ready to go are :-

  1. For Ubuntu/Debian-derived Linux systems, look at /etc/apache2/conf-enabled/security.conf (it is present but commented out)
  2. For SLES-derived Linux systems, add the line to /etc/apache2/conf.d/local.conf

Of course with any Apache change you will need to restart it (and preferably in a safe manner) :-

✓ root@pm-log2# apachectl configtest
Syntax OK
✓ root@pm-log2# apachectl graceful  

 

Posted in Technical | Tagged , | Comments Off on Apache: Disabling TRACK and TRACE Methods

Apache: Blocking “Dangerous” Files

There are all sorts of “dangerous” files that can appear within a web server’s document root; some are merely potentially dangerous but some can be genuinely dangerous. For example, if someone uses an editor to change a .php file, it is possible that a backup file for that script will be created within the document root called something.php~, and because this isn’t a genuine php file, it won’t be interpreted by php so the source code of your php script could be visible publicly :-

This is not something you want to see!

To protect against a whole set of similar attacks, blocking access to certain file “patterns” is a sensible precaution. The following can be added to a .htaccess file or to the main Apache configuration file (preferred) :-

<FilesMatch "(^\.htaccess|\.sql$|\.svn$|\.git$|\.DS_Store|.*~$|\.old$|\.bak$)" >
  Order allow,deny
  Deny from all
</FilesMatch>

The contents of the “FilesMatch” directive is effectively a list of regular expressions alternatives (grouped by enclosing in “(” and “)” and separated with “|” = standard syntax). For the benefit of documentation the individual clauses are :-

  1. “\.htaccess” (files containing the string “.htaccess”) – blocks access to Apache options file.
  2. “\.sql$” (files ending in “.sql”) – blocks access to SQL files.
  3. “\.git$” (files ending in “.git”) – blocks access to git repositories which are contained within directories named “.git”.
  4. “\.svn$” (files ending in “.svn”) – blocks access to svn repositories as above.
  5. “\.DS_Store” (files containing the string “.DS_Store”) – blocks access to OSX “droppings” left in directories.
  6. “.*~$” (files ending in “~”) – blocks access to emacs style editor backups.
  7. “.*old$” (files ending in “old”) – blocks access to a typical backup file.
  8. “.*bak$” (files ending in “bak”) – blocks access to vim style editor backups.

The configuration can be added to any Apache configuration file in the global context (rather than specific to a particular virtual server), but suggested places are :-

  1. For Ubuntu/Debian-derived distributions: /etc/apache2/apache2.conf (at the end of the file).
  2. For SLES-based servers, /etc/apache2/conf.d/local.conf

Once the change has been made, check the configuration with apachectl configtest. Providing that returns no errors, restart Apache gracefully with apachectl graceful.

Posted in Technical | Tagged , | Comments Off on Apache: Blocking “Dangerous” Files

Processor Bugs: Meltdown and Spectre

There has been lots of stories relating to two new severe security vulnerabilities (one of which is in every Intel processor for over a decade); the trail of stories starts here. The details of the vulnerability are very highly technical so this post will concentrate on the less technical aspects.

As the original papers highlight, this is a result of a decades long policy across the industry of increasing complexity in pursuit of performance over security.

What Is Vulnerable?

For Meltdown, practically everything with an Intel processor; it is known that patches for Linux and Windows are being prepared. macOS was patched in December (if you have patched recently!).

Information on the vulnerability of other processors to Meltdown is a bit varied at present. It may be that AMD processors are vulnerable under certain conditions (although AMD have claimed that they are not vulnerable).

It is probable that Spectre is effective on rather more processors – AMD, and possibly some ARM processors (smartphones).

What Is The Effect?

In short, this is unknown. Technically Meltdown allows an attacker to access parts of kernel memory from any user process. This by itself sounds not so bad, but it allows an attacker to defeat defenses that have made whole classes of old attacks no longer viable. Essentially in combination with other attacks, the machine can be totally compromised.

In the case of Spectre, the effect is to be able to use the same sort of side-channel to view data from other processes address spaces, and in addition to escape “sandbox restrictions”. This means data leakage.

However this requires an attacker to be in control of data that controls the execution path through the victim’s code. Which is generically a hard thing to do, although in some cases (browsers) it is likely to be quite easy. Expect browser (and other application) patches to be released shortly … and apply them!

What Does The Meltdown Patch Do?

With the rumour that the the Meltdown patch causes a performance hit of 5-30%, there is some concern over it.

Technically the Meltdown patch is a work-around for the problem – it moves the kernel address space out of the user address space. Every time a system call is made, the processor has to reload the memory management unit, which takes time. Thus the performance hit.

How exactly this will effect performance remains unknown to a certain extent. Essentially applications that make very heavy use of system calls will notice a performance hit, and those that don’t will probably not notice a hit. In terms of desktop applications, it is likely that the web browser will be hit, but most other applications are likely to be unaffected.

It is likely that servers will notice the effect the most, and it is likely that only on heavily loaded servers will the effect be noticeable.

Summary

This is a serious set of vulnerabilities, and there is a significant risk of those vulnerabilities being used. In addition the mitigation for Intel processors has a significant risk of causing a performance issue.

However there is no reason to panic – patches are currently being prepared for release or have been released already.

There are many sources of information on these vulnerabilities being published; not all of which can be assumed to be totally correct (this posting included).

Links to further information :-

Posted in Technical | Tagged , | Comments Off on Processor Bugs: Meltdown and Spectre