OS-X-Security-And-Privacy-Guide


Latest commit a158350 (drduh): Clean up browsing and plugins sections. Warn about Tor global panopti…

This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy.

This guide is targeted to "power users" who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.

There is no security silver bullet. A system is only as secure as its administrator is capable of making it.

I am not responsible if you break a Mac by following any of these steps.

If you wish to make a correction or improvement, please send a pull request or open an issue.

• Basics
• Preparing OS X
• Installing OS X
    o Recovery partition
• First boot
• Full disk encryption
• Firmware password
• Firewall
    o Application layer firewall
    o Third party solutions
    o Kernel level packet filtering
• Services
• Spotlight Suggestions
• Homebrew
• DNS
    o Hosts file
    o dnsmasq
    o dnscrypt
• Captive portal
• Certificate authorities
• OpenSSL
• Curl
• HTTP
• Web browsing
• Plugins
• PGP/GPG
• OTR
• Tor
• VPN
• Viruses and malware
• System Integrity Protection
• Gatekeeper and XProtect
• Passwords
• Backup
• Wi-Fi
• SSH
• Physical access
• System monitoring
    o Open Source Monitoring Tools
    o OpenBSM Audit
    o DTrace
    o Network
• Miscellaneous
• Additional resources

Basics

The standard best security practices apply.
• Create a threat model
    o What are you trying to protect and from whom? Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead), a nosy eavesdropper on the network, or a determined APT orchestrating a campaign against you?
    o Study and recognize the threat and your attack surface.
• Keep the system up to date
    o Patch, patch, patch your system and software.
    o Subscribe to announcement mailing lists (e.g., Apple security-announce) for programs you use often.
• Encrypt sensitive data
    o In addition to full disk encryption, create one or many encrypted containers to store passwords, keys and personal documents.
    o This will mitigate damage in case of compromise and data exfiltration.
• Frequent backups
    o Create regular backups of your data and be ready to reimage in case of compromise.
    o Always encrypt before copying backups to external media or the "cloud".
• Click carefully
    o Ultimately, the security of the system can be reduced to its administrator.
    o Care should be taken when installing new software. Always prefer free and open source software (which OS X is not).

Preparing OS X

There are several ways to install a fresh copy of OS X.

The simplest way is to boot into Recovery Mode by holding Command and R keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the computer's serial number and other identifying information to Apple over plain HTTP.

Another way is to download OS X El Capitan 10.11.1 from the App Store or some other place and create a custom, installable system image.

The application is code signed, which should be verified to make sure you received a legitimate copy.
    $ codesign -dvv /Applications/Install\ OS\ X\ El\ Capitan.app
    Executable=/Applications/Install OS X El Capitan.app/Contents/MacOS/InstallAssistant
    Identifier=com.apple.InstallAssistant.ElCapitan
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20200 size=280 flags=0x200(kill) hashes=4+5 location=embedded
    Signature size=4169
    Authority=Apple Mac OS Application Signing
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Info.plist entries=31
    TeamIdentifier=K36BKF7T3D
    Sealed Resources version=2 rules=8 files=151
    Internal requirements count=1 size=124

OS X installers can be made with the createinstallmedia utility included in Install OS X El Capitan.app/Contents/Resources/. See Create a bootable installer for OS X Yosemite, or run the utility without arguments to see how it works.

If you'd like to do it the manual way, you will need to find the file InstallESD.dmg, which is inside Install OS X El Capitan.app. Right click, select Show Package Contents and navigate to Contents > SharedSupport to find InstallESD.DMG.

You can verify the following cryptographic hashes to ensure you have the same, authentic copy by using a command like shasum -a 256 InstallESD.dmg and so on. You can also Google these hashes to ensure your copy is genuine and has not been tampered with.

See InstallESD_Hashes.csv in this repository for previous versions.

    InstallESD.dmg (Build 15B42)
    SHA-256: 6275929722c35674fce90d2272d383d49696096e8626ee7f7900dd0334167a9a
    SHA-1:   306a080c07e293b6765ba950bab213572704acec

Mount and install the operating system to a temporary image, or use the GUI app MagerValp/AutoDMG.
    hdiutil attach -noverify -mountpoint /tmp/installesd ./InstallESD.dmg
    hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "OS X" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage
    hdiutil attach -noverify -mountpoint /tmp/os -owners on /tmp/output.sparseimage
    sudo installer -pkg /tmp/installesd/Packages/OSInstall.mpkg -tgt /tmp/os

This part will take a while, so just be patient. You can tail -F /var/log/install.log to check progress.

Optionally, install any other packages to the image, such as Wireshark.

    hdiutil mount Wireshark\ 1.99.5\ Intel\ 64.dmg
    sudo installer -pkg /Volumes/Wireshark/Wireshark\ 1.99.5\ Intel\ 64.pkg -tgt /tmp/os
    hdiutil unmount /Volumes/Wireshark

See MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment for caveats and check out chilcote/outset to instead process packages and scripts at first boot.

When you're done, detach, convert and verify the image.

    hdiutil detach /tmp/os
    hdiutil detach /tmp/installesd
    hdiutil convert -format UDZO /tmp/output.sparseimage -o elcap.dmg
    asr imagescan --source elcap.dmg

Now, elcap.dmg is ready to be applied to one or multiple Macs. You can further customize the image to include premade users, applications and preferences to your liking.

Installing OS X

One way to install the OS image is using another Mac in Target Disk Mode.

If you don't have another Mac, create a bootable USB drive from the El Capitan application bundle, and boot the Mac you wish to image to it by holding the Option key at boot.

Alternatively, you could also create a second partition on your existing Mac and use that. If you don't have an external drive or USB stick to use, it's possible to create a small partition with Disk Utility and use that. There are several guides online on how to do this.

To use Target Disk Mode, boot up the Mac you wish to image while holding T and connect it to another using Firewire, Thunderbolt or USB-C.
Run diskutil list to identify the connected disk, usually /dev/disk2

Erase the disk to Journaled HFS+

    diskutil unmountDisk /dev/disk2
    diskutil partitionDisk /dev/disk2 1 JHFS+ OSX 100%

Restore the image to the new volume

    sudo asr restore \
      --source elcap.dmg \
      --target /Volumes/OSX \
      --erase --noverify \
      --buffersize 4m

Alternatively, open the Disk Utility application, erase the connected Mac's disk, then drag elcap.dmg in to restore it to the new partition.

If you've followed these steps correctly, the target Mac should now have a new install of OS X.

If you want to transfer any files, copy them to a folder like /Users/Shared on the mounted disk image, e.g.

    cp Xcode_6.1.1.dmg /Volumes/OS\ X/Users/Shared

Recovery partition

We're not done yet! Unless you have built the image with AutoDMG, or installed OS X to a second partition on your Mac, you will need to create a recovery partition in order to use Filevault full disk encryption. You can do so using MagerValp/Create-Recovery-Partition-Installer or by following these steps.

Download RecoveryHDUpdate.dmg

    RecoveryHDUpdate.dmg
    SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c
    SHA-1:   1ac3b7059ae0fcb2877d22375121d4e6920ae5ba

Attach and expand the installation, then run it

    hdiutil attach RecoveryHDUpdate.dmg
    pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery
    hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg
    /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/OS\ X/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist

Where /Volumes/OS\ X is the path to the target disk mode booted Mac. This will take several minutes.

Run diskutil list again to make sure Recovery HD now exists.

Once you're done, eject the disk with hdiutil unmount /Volumes/OS\ X and power down the connected Mac.

First boot

On first boot, hold Command Option P and R keys to clear NVRAM.
Wait for the loud, obnoxious gong and keep holding while the Mac reboots once.

When OS X first starts, you'll be greeted by Setup Assistant. Do not connect to networking yet; skip that part of the setup for now.

When creating your account, use a strong password without a hint. Don't use your real name for your account as it'll show up as So-and-so's Macbook through sharing services to local networks.