Securing Unsecure Protocols

Do you have an FTP server running? Maybe you still use telnet for something on your network. Perhaps, you are a VNC user. Maybe you host your own web server, or POP3 e-mail server. All of the protocols used to make the services on those server work, are unsecured, and can easily be intercepted and/or monitored by third parties.

I already told you about Filezilla in a previous post, which uses FTPS, a secure file transfer protocol, but what if you are a fan of Microsoft's IIS service for running your FTP, or another unsecured FTP server software that still uses ports 20 and 21 and sends your passwords in plain text. Some people just don't like switching their server software. Sometimes due to laziness, and other times because it is too much of a pain.

There is a solution my friends, and it comes in the form of Open Source. It is called STUNNEL. STUNNEL provides a secure wrapper for any unsecured protocol you have, and encrypts the data connection using SSL. Take for instance my web server. Behind my firewall it is listening on port 80. My firewall, however is only open to port 443 (The port https uses). When you type https://pdbauer.com in your browser your traffic on port 443 gets forwarded through my firewall to my web server where STUNNEL is listening for 443 traffic. STUNNEL then forwards that traffic to port 80 where my web server service is listening. The whole process is encrypted using a self signed SSL Certificate I made using OpenSSL. Of course, you can do the same with a purchased certificate from a certificate authority like Comodo, Verisign, Thawte etc.

You can do the same thing to secure your POP3 e-mail, VNC, and FTP servers. There are so many options available with this, it really is a great tool for the security conscientious.

Read more »

Throw Away E-mail

How many times have you been asked online to provide your personal information, such as your name, number and e-mail address? If you are like me, thousands of times, almost everyday. Each time you do it to, you have this aching feeling in your stomach, because you know you are about to get about a thousand spam e-mails now.

So, what are you supposed to do? Give them a fake e-mail address? Perhaps, but what if they require verification. You know, they send you an e-mail and you have to open it up and click on some link. What are you supposed to do then?

I'll tell you what I do, I go to a little website called 10 Minute Mail. The name says it all, they give you an e-mail address that is literally only good for 10 minutes. If you need additional time, there is a link that resets the timer. After the time is up, the e-mail address self destructs. No muss, no fuss, and more importantly, no spam!

This service is absolutely free. However, if you decide to use it, they ask for a small donation through paypal. The donation isn't mandatory, but it is a nice gesture

Read more »

FTP Attack Thwarted by Awesome Freeware

Last night, before I went to bed I noticed that there was a connection to my FTP server open. I know it was open because I use this really great Open Source FTP server software that puts an icon in the system tray. When there is an open connection the color changes in the icon. The only thing is, my FTP server isn’t advertised and I am the only one that should be using it. What’s that smell? Mmmmm, it smells like an attack!

I was just finishing up an install that required a reboot so I decided to just shut the server down for the night. They can’t get in if the server is not online.

This morning, when I booted it up, I immediately checked the FTP server logs, and sure enough from about 6:00pm until midnight before I shut it down someone was trying to access my server using different user names. They were trying all of the common ones, administrator, admin, anonymous, guest, user and so forth. Each attempt was thwarted though by this incredible server software.

The problem with regular FTP is that it is 100% unsecured. If you take a packet sniffer like Wireshark and run it while accessing a regular FTP server, you will notice that your username and password are both being sent across the wire in plain text. Anybody with a little bit of know how can use a packet sniffer, and pick up your username and password, then use that to access your server, or maybe other systems on your network.

The server software I use is Filezilla, and it offers connections using FTPS, where S stands for Secure. It uses self signed SSL certificates (up to 4096 bits) to secure the connection and the data transfer. You can even require that all users use the secure connection (Which is what I did, and is why the bad hackers couldn’t get in).

If you’re looking for an FTP solution, I highly recommend FilesZilla! It literally saved my server :-)

Read more »

Spam, the other, other white meat

Who doesn't love spam? If you are Hawaiian, then you really love spam. In fact, they even have spam sandwiches at McDonald's in Hawaii. There almost isn't anything more American than McDonald's, except perhaps apple pie, (Which McDonald's sells.)

Of course, I am not talking about spam the food though, I am talking about the annoying e-mails you get that ask you to enhance your body parts, or to buy Viagra really cheap. You know what I'm talking about!

According to TopTenReviews.com, in 2006 40% of all e-mail was spam. That is almost half of all e-mail sent over the Internet was junk!

Some e-mail systems like Google, Yahoo, MSN etc. have spam filters already in place to help filter the junk out. Often times, it isn't enough though, and if you like to view your e-mail on an e-mail client like Outlook or Thunderbird, if you get a spammed, you have to login to the website to report it. Outlook and Thunderbird do have their own little junk filters, but they only work on the client, and not that well.

What if there was a plugin you can install, but also uses filter rules from web servers on the Internet that categorize spam messages. These servers would get inputs form millions of other users across the Internet to help them better filter these spam messages. This plugin would essentially be a stand-alone spam filter server on your computer. If there was a third party plugin that did that, how much would you pay for it? $20? $30? or even $100?

Let's go with$0. Sound to good to be true? It isn't, it's open source!

I'm talking about Spamato! It comes as a plugin for Outlook, Thunderbird and even has an installer for Mac.

It runs as a service in the background, and connects to Spamato's servers on the Internet. It even has remote administration capabilities for use as a spam filter for your e-mail server (If I am understanding it correctly.)

Don't take my word for it, check it out on your own!

Read more »

Don't forget to wipe...

...You're hard drive that is.

You may have heard that when you delete a file on your computer, that the file isn't really gone. That is true, it isn't gone. The actual file is still sitting there waiting for someone with the right utilities (See my post about the Ultimate Boot CD) to find it and recover it. For some of you, this is a good thing. How many times have you right clicked a file trying to rename it or create a shortcut to it and accidentally hit delete?

For the rest of the people out there, with more sensitive information, or just plain files they shouldn't have, doing a simple delete just isn't secure enough. Even emptying the recycle bin every once in a while won't do the trick.

So what are you supposed to do when you really want to make sure that the data is gone and not recoverable? I mean, can't the FBI, The CIA and the NSA get it anyway?

Good question, that is actually still up for debate. I mean, they really aren't going to tell you what they can and can't do right? That just wouldn't be good "G-Man" business, and I also think it violates the first rule of spy club. "You do not talk about spy club!"

Anyway, back on topic... I also mentioned in my post about the Ultimate Boot CD (Seriously, it is a really awesome utility), that there is software on it that will wipe your entire drive. That is great and all, but what if you still want to use your computer, and don't want to have to re-install windows and all of your applications all over one illegal MP3?

No problem! Enter ERASER! Eraser is an Open Source, SECURE wiping utility, which has a number of methods to wipe that include the Gutmann method, and others recommended by none other that the US Department of Defense. You can also create your own method, using pseudo random data, or your personal combination of ones and zero's.

Eraser also gives you the option to right click on your recycle bin to securely erase the content there. The coolest thing though in my humble opinion, is that there are items that you have deleted before you found out about this handy dandy tool, and they are still floating around on your hard drive. Eraser lets you wipe the free space on your hard drive to clean that stuff up too.

I use this thing all the time, and have it installed on all of my workstations. If you are worried about your data getting into the wrong hands, then you need to install Eraser today.

Read more »

This CD is the Ultimate!

Once upon a time there was this guy, and he created a pretty cool bootable CD called the Ultimate Boot CD. This little beauty comes with a bunch of diagnostic tools, administration tools, and other IT goodies. Some of these goodies include secure disk wiping utilities, or tools to change local administrative passwords on Windows machines. You know, cool stuff like that. The only problem was a lot of these tools were Linux based, and unless you were a wizard of the command line, some of these tools might seem a little daunting.

Well, the Ultimate boot CD, just got more ultimatER (Is that a word? It is now!). There is a version of the Ultimate Boot CD made especially for Windows lovers, and more exclusively GUI lovers! This is called The Ultimate Boot CD for Windows!

You need to compile this puppy yourself (Don't worry, it's fairly easy). All you need to compile it is the executable that you download from their site, and a Windows XP Professional installation CD.

Once it has been compiled, it is smooth sailing from here on in. To use it, just put it in the CD drive and boot to the CD. There are a lot of the original tools Like Derek's Boot and Nuke which securely wipe a hard drive so even the NSA can't recover data off it (Use the Gutmann Wipe option), but there is also a whole GUI portion as well with network support.

One of the best utilities that I have used a lot of since I discovered it, is the free Symantec Ghost like program that allows you to create deployable disk images for FREE! The utility is called Drive Image XML. You can download it by itself, but you can't create deployable images with the downloaded version cleanly. (If you use the Ultimate Boot CD version, you can run sysprep on the image you are deploying first to remove the SID). Since the CD has network support, you can upload an image to a file server for later deployment. Can you smell it? That is the smell of FREE binary goodness transferring across the LAN!

Another thing you can do, which I mentioned in my post about encrypting your hard drive, is you can browse files of the current operating system on the hard drive (As long as it is a windows computer) and you don't even have to be an administrator :-)

You can also reset the local administrators password for the operating system installed on the computer (As long as it is Windows NT 4.0 or newer) using the Offline NT Password & Registry Editor.

Oh, it is so juicy all of the things you can do with this disk! This disk is a MUST have for any IT professional.

For a list of all the tools this puppy has, click here!

Read more »

2 Legit 2 Quit

I know, I know, the site has been down for a few hours. Don't worry. We didn't get taken down by any hackers, or the feds or anything like that. I've just been fiddling with the DNS settings over at GoDaddy so that bauer-power.net points correctly to Google's servers. The way I had it before, if you didn't notice, was my URL was forwarded to my free blogger URL, and masked the name. By doing it the way I'm doing it now, bauer-power.net will be the official name, with no masking required.

So why down for so long? Easy! When making these types of changes it can take a few hours for the DNS information to propagate. No biggy. I was still here, you just couldn't find me :-)

Anyhoo, hopefully there will be no more interruptions.

Read more »

FREE Full Hard Drive Encryption

So there you are at Starbucks sipping on your latte, and surfing on their incredibly high priced wifi with your brand new Alienware laptop thinking to yourself, "Self! This is a mighty good latte!".

A few minutes later, you slip into a latte induced coma (Work with me here.)

After about an hour or two you wake up with foam and cinnamon all over your face, and a splitting headache, but that isn't the trouble. The trouble is that someone snatched your new Alienware laptop with all of your sensitive personal information. Stuff like bank information, passwords, etc! No biggy right? I mean you have a pretty good password. Seriously, who is going to guess banana12 right?

WRONG!

With FREE software available on the internet (I will blog about it later), you can boot up to a CD and browse files, or even change the administrators password on your laptop. Then all of your sensitive information becomes their sensitive information which they will use to take you for everything you are worth (It's called Identity Theft, look into it).

Well, the bad guys can't get to your information if you take stronger precautions to secure your data. One of the best ways you can do that is with full hard drive encryption. And lucky for you, I have tested a FREE software that can do it.

CompuSec is a free security suite that among many other things, encrypts your hard drive (including the operating system) using a fast 256bit AES encryption. When the bad guys try to look at your files, all they see is a blank hard drive.

So lets go back to our scenerio then, the bad guy got your laptop, but you encrypted it using CompuSec... The joke is on him! Actually, that isn't true, he now has your $4000 Alienware laptop, but at least he doesn't have your personal information and you won't end up on Dateline's "To Catch an ID Thief."

Read more »

Blogging on the fly!

I am hosting this on Blogger.com as you may have already guessed (Haven't I already stated that I'm a total cheap skate?). Well, they have a cool little option to let me blog on the fly. They give me an e-mail address so I can post via e-mail, anywhere I am at. Like right now... I am e-mailing this in!

Talk about awesome! Thanks Blogger!

Read more »

Free Antivirus and Firewall: Thanks Comodo!

One of my pet peeves is people with antivirus that is not up to date. Seriously now, why even have antivirus if you are not keeping it up to date?

For those of you out there that don't have your antivirus up to date because you are too cheap to renew your license, then don't fret! You are in good hands. I am a cheap skate as well.

Comodo is offering some fabulous FREE security software. Two of them I personally recommend, Comodo Antivirus and Comodo Firewall! Both of them come with a free lifetime license, which means no renewal fees ever! This also means, you can stay secure and still be a cheap skate!

"Who is Comodo?" you ask?

To quote their website, "Comodo is the 2nd largest Certification Authority for ensuring Identity Trust & Assurance on the web." Basically, they are one of the many company's out their that secure websites for banks and other businesses that do online transactions. (Kind of like Verisign). They offer the free software to get their names out there, a sort of free branding advertising if you will. Don't worry though, this software isn't ad-ware, and you won't be getting annoying "Buy me!' advertisements.

I am currently using Comodo's freeware on all of my computers at home, and they are working great! Uninstall your old, non-updated Antivirus now, and get Comodo in there right away! Don't leave yourself open to an attack.

Read more »

Welcome to my Blog!

As many of you know, I used to host my own website from my home using this URL, but it largely goes unused.

For one thing, I don't do the consulting thing anymore mainly because I don't have the time, and also I was doing everything under the table. Another reason is liability. If something went wrong, because I wasn't incorporated, I left myself open to unlimited liability (Not a good idea).

Anyhoo, I got the idea to start my own blog because I was posting about software that I was testing out on MySpace, and their automated phishing system seemed to think I was a victim and blocked me for all of last weekend. I decided I probably needed a different venue for my software tests.

Anyway, I hope you enjoy :-)

Read more »