Professional Information Security Association
PISA Journal, Issue 7, MAR-2008
www.pisa.org.hk

Privacy Protection
  Privacy and Security Issues of Social Networking Services
  ISO Addressing Privacy Protection
OpenVPN Enterprise Solution
Experiences with Email Relay Honeypot
Digital Imaging Forensic – Uncover the Truth
International Standards for Information Security



    Professional Information Security Association, An Organization for Information Security Professionals
    PISA Journal, Issue 7, MAR-2008 (Page 2 of 34)

    Copyright 2008 Professional Information Security Association.

    All rights reserved.

    Softcopy available at http://www.pisa.org.hk/publication/journal/

    Editor: [email protected]

    Contents

    Privacy Protection
      Privacy and Security Issues of Social Networking Services ... 3
      ISO Addressing Privacy Protection ... 7
    Standards
      International Standards for Information Security ... 9
    Honeypot
      Experiences with Email Relay Honeypot ... 12
    Security Infrastructure
      OpenVPN Enterprise Solution ... 15
    Forensics
      Digital Imaging Forensic – Uncover the Truth ... 25
    Program Snapshot ... 30
    Active in External Affairs ... 33
    Membership Benefits ... 34


    Privacy Protection

    Privacy and Security Issues of Social Networking Sites

    Wallace Wong CISSP, CISA, Program Committee

    Recently, the incident of suspected leakage of indecent photos has heightened public awareness of privacy and security issues around classified data. However, concern should also be placed on the most popular form of websites, called “Social Networking Sites (SNS)” or “Social Networking Websites”. Facebook was one of the most popular SNSs in Hong Kong at the end of last year. There are several types of SNS worldwide, from specific ones for building business networks such as LinkedIn to general ones for making friends such as Friendster; there are around 26 SNS (Table 1) with different target groups, each with over 10,000,000 registered users. As a result, these databases contain vast, up-to-date and “real” user-driven data (still called Web 2.0) and therefore offer many opportunities, not limited to advertisers, businesses and legal entities. To simplify the discussion, most of the examples refer to Facebook.

    What kind of information is being STORED in SNS?

    From the latest version of the Facebook privacy policy (effective as of December 6, 2007), the information known to be stored by Facebook under the section “The Information We Collect” includes “name, email address, telephone number, address, gender, schools attended and any other personal or preference information” during registration, “browser type and IP address” when entering the site, “personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information” during usage, a “backup copy of the prior version (of information)” during updates, and “information from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation (e.g., photo tags)”. Thus, all of the above information consolidated by Facebook is transferred to and processed in the United States, with the consent of “all” users.

    Although the above section of the privacy policy carries a “disclaimer” such as “We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site”, you may still wonder why so many people provide so much personal information: English and full Chinese names, a recognisable profile picture (figure 1), a birthday with the year that reveals their age, relationship status with the partner's profile (figure 2), a “resume” with employer and position (figure 3), primary and secondary schools attended with years, associated organizations, and even mobile numbers and home addresses. If only your trusted friends can access these data, it may be convenient for them to know your status. But if everyone can access these data, you may be living in danger until it is too late.

    figure 1: profile picture

    figure 2: marriage status

    figure 3: work info


    Table 1: List of social networking websites with over 10,000,000 registered users (developed from Wikipedia, dated 16/02/2008)

    #  | Name                | Focus      | Description                                | Popularity                | Registered users | Registration
    1  | MySpace             | General    | -                                          | Worldwide                 | 300,000,000      | Open, age limit
    2  | hi5                 | General    | Teens                                      | Latin American & Asian    | 98,000,000       | Open
    3  | Habbo               | General    | Chat room & user profiles                  | Worldwide (~33)           | 86,000,000       | Open, age limit
    4  | orkut               | General    | Owned by Google now; initial target in US  | Brazil and India          | 67,000,000       | Open, age limit
    5  | Facebook            | General    | -                                          | -                         | 62,000,000       | Open, age limit
    6  | Friendster          | General    | -                                          | -                         | 50,000,000       | Open
    7  | Classmates.com      | School     | School, college, work and the military     | Canada, UK, USA & NZ      | 40,000,000       | Open
    8  | Bebo                | General    | -                                          | UK, Ireland, NZ & Pacific | 40,000,000       | Open, age limit
    9  | Windows Live Spaces | Blogging   | Formerly MSN Spaces                        | -                         | 40,000,000       | Open
    10 | Xanga               | Blogging   | Blogs and "metro" areas                    | -                         | 40,000,000       | Open
    11 | Flixster            | Multimedia | Movies                                     | -                         | 36,000,000       | Open
    12 | Netlog              | School     | European youth, formerly called Facebox    | Belgian                   | 32,402,580       | Open
    13 | Tagged.com          | General    | -                                          | -                         | 30,000,000       | Open
    14 | Reunion.com         | Family     | Family & friends locating to keep in touch | -                         | 28,000,000       | Open
    15 | Broadcaster.com     | Multimedia | Video sharing and webcam chat              | -                         | 26,000,000       | Open
    16 | Cyworld             | School     | Teens                                      | South Koreans             | 21,200,000       | Open
    17 | MyHeritage          | Family     | Family-oriented social network service     | -                         | 20,000,000       | Open
    18 | Friends Reunited    | School     | College, work, sport & streets             | UK                        | 19,000,000       | Open
    19 | LinkedIn            | Business   | -                                          | -                         | 17,000,000       | Open
    20 | BlackPlanet         | General    | African American community                 | African-Americans         | 16,000,000       | Open
    21 | imeem               | Multimedia | Music, Video, Photos, Blogs                | -                         | 16,000,000       | Open
    22 | Plaxo               | Business   | -                                          | -                         | 15,000,000       | Open
    23 | LiveJournal         | Blogging   | -                                          | -                         | 12,900,000       | Open, OpenID


    How will the information be USED?

    Comparing the details in the section “Use of Information Obtained by Facebook”, Facebook “may use information in your profile without identifying you as an individual to third parties”. Other people (including third parties) “who see your name in searches, however, will not be able to access your profile information unless they have a relationship to you that allows such access”. This indirectly implies a privacy issue: by default a new user's profile can be viewed and found in searches by everyone, without adequate warnings during the account setup process.

    Who is SHARING your information?

    Explicitly specified in the section of “Sharing Your Information with Third Parties” of the Privacy Policy, “we share your information with third parties only in limited circumstances where we believe such sharing is 1) reasonably necessary to offer the service, 2) legally required or, 3) permitted by you.”

    “Beacon” is one of the business solutions that tracks the actions you take at external websites (figure 4) and shares them with your Facebook friends (figure 5) in the “News Feed and Mini-Feed” (also called “Aggregator” or “Stalker”, which was the subject of a similar controversy before).

    According to the “Help Topics: What external sites are affiliated with Facebook?” dated 17 February 2008, Beacon captures actions taken at around 20 external websites; these include putting something up for auction on eBay, adding a classic movie to your queue on Blockbuster.com, etc.

    In fact, this technology relies on a web bug (typically a 1x1 pixel image in GIF or PNG format, or an image of the same colour as the background) embedded in the HTML pages of these third-party websites. When Facebook first launched Beacon, users had no choice but to use it. In view of public pressure, Facebook has allowed users to opt out of Beacon since 5 December 2007. Users can select the option “Don't allow any websites to send stories to my profile” or individual controls under “Privacy Settings for External Websites”.
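As an added illustration (not from the article or from Facebook's own Beacon code), the following Python script scans an HTML page for the kind of web bug described above: third-party <img> elements that are 1x1 or hidden by CSS. The sample page and the .invalid hostnames in it are constructed for the demonstration.

```python
"""Flag Beacon-style web bugs (tracking pixels) in an HTML page.

Added example, not code from the PISA Journal article or from Facebook.
A web bug is an <img> served by a host other than the page's own and made
invisible, either by 1x1 dimensions or by CSS. The sample page and the
.invalid hostnames below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel ("1", "1px", "0")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class WebBugScanner(HTMLParser):
    """Collect <img> tags whose host and visibility suggest a tracking pixel."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src is fetched from the page's own host, so it is first-party.
        host = (urlsplit(src).hostname or self.page_host).lower()
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # Beacon-style bugs are invisible AND report to a third party; a visible
        # banner from a CDN or an invisible first-party spacer is not flagged.
        if reasons and host != self.page_host:
            reasons.append("third-party host " + host)
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_web_bugs(html, page_host):
    """Return the <img> elements in html that look like third-party web bugs."""
    scanner = WebBugScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one logo, one 1x1 tracking GIF, one CSS-hidden
# tracking PNG and one ordinary third-party banner.
SAMPLE_PAGE = """<html><body>
<h1>Example shop</h1>
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="http://tracker.example.invalid/beacon.gif" width="1" height="1">
<img src="http://tracker.example.invalid/pixel.png" style="display: none">
<img src="http://cdn.example.invalid/banner.png" width="468" height="60">
</body></html>"""


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_PAGE, "shop.example.invalid"):
        print(bug["src"], "->", ", ".join(bug["reasons"]))
```

Run against a saved copy of a page; the two tracker images are reported and the logo and banner are not.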

    One of Facebook's “disclaimers” regarding third-party-developed applications reads: “Platform Developers may require you to sign up to their own terms of service, privacy policies or other policies, which may give them additional rights or impose additional obligations on you”. These applications make use of social engineering, i.e. they invite your friends to install the applications. Once you have accepted your friend's invitation, you expose your privacy and security loopholes to the platform developers very easily.

    figure 4: external website

    figure 5: internal Facebook friends


    Obviously, privacy cannot override everything. According to the privacy policy, Facebook would share account or other information in order to comply with the law, to protect Facebook's interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. Net citizens should really understand this issue in order to strike a balance.

    Conclusion

    Knowing there are two core principles in the privacy policy, “You should have control over your personal information” and “You should have access to the information others want to share”, only a few users will adopt the following best practices to control their privacy settings:

    • Beware of password security even though SSL has been deployed during login
    • Beware of photos and videos uploaded and tagged by yourself or others
    • Provide only the minimum required information in the “Profile” menu
    • Tune your “Profile” section again under the “Privacy” menu (different from the “Profile” menu)
    • Change the “Search” section, such as coverage from “Everyone” (default) to “Only my friends”
    • Adjust personal activities published in the “News Feed and Mini-Feed” as well as the “Poke, Message, and Friend Request” sections
    • Customize any unauthorized accesses in “Applications and Ads” and “External Websites”

    © copyright Wallace Wong, 2008

    References

    1. Facebook Privacy Policy, http://www.facebook.com/policy.php
    2. A report about SNS from the European Network and Information Security Agency (ENISA), http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf
    3. Facebook privacy issue from the Electronic Privacy Information Center (EPIC), http://epic.org/privacy/facebook/
    4. Best practices of recommended privacy settings in Facebook by Sophos, http://www.sophos.com/security/best-practice/facebook.html

    Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.


    Privacy Protection

    ISO Addressing Privacy Protection

    Antony Ma CISA, CISSP, Program Director

    Harvard Professor Lawrence Lessig in his book Code 2.0 discussed various privacy issues in cyberspace and said “… in principle, the data are there. In practice, they are costly to extract. Digital technologies change this balance radically. They not only make more behaviour monitorable, but also more searchable.”

    The personal data leakage that occurred in the Independent Police Complaints Council (IPCC) incident was a vivid example of his statement. Controversies over privacy-related issues will certainly increase with the advance of technology, particularly personal electronic devices. This article introduces the work done by the International Organization for Standardization (ISO) SC27 (Sub-Committee 27, IT Security) on privacy protection and related IT controls. ISO established Working Group 5 (WG5) “Identity Management and Privacy Technologies” to deal with the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and privacy protection.

    ISO groups on Privacy, Authentication & Identity Management

    WG5's goal is to harmonise aspects of identity management, biometrics and privacy in the context of information technology with a set of international standards. Currently, WG5 is working on three major international standards. These are:

    (1) "Working Document on Privacy Framework"
    (2) "Working Document on Authentication Assurance"
    (3) "Working Document on Identity Management"

    Although some of the standards are still in the drafting and commenting stages, they are still a good reference for the current international developments. The first standard drafted by WG5 is “ISO 29100 A Privacy Framework”, which discusses aspects relevant to the right of an individual to control the collection, transfer, use, storage, archiving, and disposal of his/her personally identifiable information (PII). The framework tries to set out core principles on how to consistently build systems and categorise PII in order to ensure the information privacy of an individual by preventing inappropriate use of an individual's PII.

    Challenges of Privacy Protections

    Protecting personally identifiable information poses difficult challenges to IT systems and system administrators. These challenges result from government regulation and from the dynamic nature of electronic personal data. Regulations from the EU and US have increased management awareness of privacy protection. However, these regulations are still evolving and sometimes unable to keep up with technology advancements. For example, behavioural information like Internet search history and driving records is being kept and could reveal the lifestyle of an individual. How the current regulations should address these new developments is still unclear. The working group on data privacy recognises these challenges and has developed a set of principles to guide the development of IT security controls. These core principles and key factors will be useful for companies and professionals designing systems that process PII.

    Core Principles

    Privacy standardisation will enable system operators to design, implement and maintain information and communication systems that properly handle and protect PII. The framework sets out the key principles and can serve as a basis for desirable additional privacy standardisation initiatives, for example a technical reference architecture and the implementation of specific technologies. This draft document sets out 11 core principles:

    1. Consent and Choice
    2. Accountability
    3. Purpose Specification
    4. Collection Limitation
    5. Use, Retention and Disclosure Limitation
    6. Data Minimisation
    7. Accuracy and Quality
    8. Openness, Transparency and Notice
    9. Individual Participation and Access
    10. Security Safeguards
    11. Compliance

    Along with these principles, the standard also discusses privacy-protection security measures with reference to ISO/IEC 27002:2007 (Code of Practice for Information Security Management).

    Closing

    Awareness of privacy protection is increasing due to the growing adoption of data capture facilities like mobile phones and RFID. The deliverables of the ISO working group on "Identity Management and Privacy Technologies" will be helpful for security professionals in designing secure systems. The draft ISO 29100 “A Privacy Framework”, when finalised, will be a good reference for the IT security industry.

    © copyright Antony Ma, 2008


    Contribution to PISA Journal

    • To contribute to the next issue and make your publication public
    • To join the Editorial Committee of this professional publication

    Next Issue: Sep-2008

    Please contact the Editor ([email protected])

    Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.


    Standards

    International Standard for Information Security

    Lydia Chan, Hong Kong Representative for ISO/IEC JTC1 SC27

    ISO, the International Organization for Standardization, was founded in 1946. It is a vast network of national bodies representing countries from all around the world. At the end of 2006, there were 158 national ISO members. ISO's declared mission is to be the leading value-adding platform and partner for the production of globally and market-relevant international standards.

    The ISO, the IEC (International Electrotechnical Commission) and the ITU (International Telecommunication Union) coordinate their work through the World Standards Cooperation (WSC), which they established. The Joint ISO/IEC Technical Committee, JTC 1, was established in 1987 to develop information technology standards in accordance with the ISO/IEC JTC 1 Directives.

    One sub-committee (SC) of JTC 1 is SC 27. SC 27 is responsible for “Information technology – Security techniques” and provides standardization of generic methods, techniques and guidelines for information, IT and communication security.

    SC 27 has 5 Working Groups (WG):

    WG 1 - Information security management systems
    WG 2 - Cryptography and security mechanisms
    WG 3 - Security evaluation criteria
    WG 4 - Security controls and services
    WG 5 - Identity management and privacy technologies

    JTC 1 SC 27 WG 1 is responsible for the development of several well-known standards including: ISO/IEC 27001 and ISO/IEC 17799 (now known as ISO/IEC 27002).

    All national bodies have the right to subscribe to participate in the work of technical committees and sub-committees. National bodies can be recognized as being either a Participating member (P-member) or an Observing member (O-member). P-members would participate actively in the work, with an obligation to vote, and to participate in meetings. O-members have no power of vote, but have options to attend meetings, make contributions and receive committee documents.

    Development of an International Standard

    International Standards (IS) are developed by ISO technical committees (TC) and sub-committees (SC) within their respective fields of expertise. Regular meetings are conducted and various correspondences are exchanged to process work in the development of International Standards. An International Standard is the result of a collective agreement among the national member bodies of ISO.

    The need for a standard is usually expressed by an industry sector, which communicates their need to a national member body. The national member body proposes the new work item to ISO. Once the need for an International Standard has been recognized and agreed, a project (or work item) will then be established, which typically enters into a six stage project development lifecycle for the International Standard to be finalised and published. The project lifecycle stages are described in Table 1.

    The initial development of an International Standard can take several years. A factual life cycle example of an International Standard currently undergoing development within JTC 1 SC 27 WG 1 is ISO/IEC 27000 “Information Security Management System – Overview and vocabulary” (See Note 1). Work within ISO commenced on ISO/IEC 27000 in early 2006 and is expected to be finalised in 2009. Table 2 outlines the history of the development and the anticipated timetable/approach through to the eventual publication of ISO/IEC 27000.

    Dale Johnstone, Australia Representative for ISO/IEC JTC1 SC27 (co-author)


    Table 1: ISO Project Development Lifecycle Stages

    Stage 1, PROPOSAL (product: New work item Proposal, NP)
    Confirms that a particular standard is needed. A new work item proposal (NP) is submitted for vote by the members of the relevant TC or SC to determine the inclusion of the work item in the programme of work.

    Stage 2, PREPARATORY (product: Working Draft(s), WD)
    Comprises the preparation and consideration of one or more working drafts until consensus has been reached in a working group of experts. A working draft that is considered the best technical solution to the problem is sent to committee members for review.

    Stage 3, COMMITTEE (product: Committee Draft, CD)
    The committee draft is distributed for comment and voting by P-members of the TC/SC. Successive committee drafts are considered until consensus is reached on the technical content. Once consensus has been attained, the text is finalized for submission as a draft International Standard (DIS).

    Stage 4, ENQUIRY (product: Draft International Standard, DIS)
    The Draft International Standard (DIS) is circulated to all ISO member bodies for voting and comment within a defined period. A submission is approved as a Final Draft International Standard (FDIS) if a two-thirds majority of the P-members of the TC/SC are in favour and not more than one-quarter of the total number of votes cast are negative.

    Stage 5, APPROVAL (product: Final Draft International Standard, FDIS)
    The Final Draft International Standard (FDIS) is circulated to all ISO member bodies for a final Yes/No vote within a defined period. The text is approved as an International Standard if a two-thirds majority of the P-members of the TC/SC are in favour and not more than one-quarter of the total number of votes cast are negative.

    Stage 6, PUBLICATION (product: International Standard, IS)
    Once a Final Draft International Standard has been approved, only minor editorial changes, if and where necessary, are introduced into the final text. The final text is sent to the ISO Central Secretariat, which publishes the International Standard.

    Table 2: ISO Standard Development, ISO/IEC 27000 Timetable

    STAGE       | DESCRIPTION                        | DOCUMENT RELEASE SCHEDULE
    PROPOSAL    | New Proposal Submitted             | April 2006
    PREPARATORY | Working Draft                      | May 2006
    COMMITTEE   | 1st Committee Draft                | September 2006
    COMMITTEE   | 2nd Committee Draft                | April 2007
    COMMITTEE   | 3rd Committee Draft                | September 2007
    COMMITTEE   | Final Committee Draft              | April 2008 (Anticipated)
    ENQUIRY     | Draft International Standard       | September 2008 (Anticipated)
    APPROVAL    | Final Draft International Standard | April 2009 (Anticipated)


    It is important to note that the above example timetable could be extended due to additional document drafts being required throughout the development lifecycle. Additional drafts are generally required when the level of consensus among the national bodies is yet to be obtained. For each additional draft the timetable will generally be extended for a period of 6 months.

    ISO has also established a general rule that all ISO standards should be reviewed at intervals of not more than five years to ensure the content of the International Standard continues to be relevant and applicable.

    Note 1: ISO/IEC 27000 falls into a very unique category with this International Standard being classified as a freely available standard. This means that unlike most international standards produced by ISO which must be paid for, ISO/IEC 27000 will be freely available for all to access at no charge when it is expected to be published in 2009.

    © copyright Lydia Chan, 2008

    Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.


    PISA Polo Shirt: 3D embroidery logos and wordings. HK$50 each. Available sizes: S, M, L, XL. Purchase order: mail to the EXCO ([email protected]). www.PISA.org.hk


    Honeypot

    Experiences with Email Relay Honeypot

    Warren Kwok CISSP, Program Committee

    An email honeypot configured as an open relay decoy (fake open relay host) was set up by our office for over six months to understand how spammers abuse open relay hosts. The platform used for the Mail Transfer Agent (MTA) was Sendmail 8.14.1 running on Fedora Core 7. A firewall was deployed to limit the number of concurrent sessions to TCP port 25 of the relay decoy. The whole setup was hooked up to a 2M/2M Dedicated Internet Access line.

    Configuring an Open Relay Decoy

    To set up an open relay decoy, the first thing to do is to switch on the relay capability of the MTA. Prior to Sendmail version 8.9, open relay was enabled in the default configuration file /etc/mail/sendmail.mc, which could be traced back to the line:

    FEATURE(`promiscuous_relay')dnl

    It is quite easy to add this line back to sendmail.mc and then generate sendmail.cf to get a working open relay. However, adding the above line means relaying everything without any control by the administrator. A better option is to keep control of the relay function via the file /etc/mail/access, which specifies which domains or IP addresses may use Sendmail for relaying. To enable open relay for all incoming IP addresses from the Internet, the leading prefixes of IP addresses 1 – 223 are permitted to relay in /etc/mail/access, as shown in Figure 1. It is not necessary to enter the IP address ranges with leading prefixes 224 – 255, since those addresses are used for multicast (Class D, 224 - 247) or experimental purposes (Class E, 248-255).

    Figure 1. Configuration for open mail relay in the file /etc/mail/access


    Once the open relay configuration is in place, the next task is to make sure Sendmail will not attempt delivery upon receipt of email messages. To this end, the following two lines are added to /etc/mail/sendmail.mc:

    define(`confCON_EXPENSIVE', `True')
    define(`SMTP_MAILER_FLAGS', `e')

    The first line tells Sendmail to hold queued mail for later delivery if the delivery method (mailer) is marked expensive. The second line marks the SMTP mailer as expensive (flag e). This prevents Sendmail from attempting queued mail delivery unless the sendmail -q option is invoked manually. Of course, the administrator never runs sendmail -q, so the mail queue time is effectively infinite. Additionally, a cron task moves emails from /var/spool/mqueue to other protected directories every minute. This ensures that if sendmail -q is run inadvertently, there is no queued mail in the default mail queue directory, so the chance of flushing spam emails out is reduced to a minimum. It should be noted that all these settings and configurations should be tested carefully, otherwise the host will become a genuine open relay.

    Another factor we have to consider is the storage capacity of the relay decoy. Due to the limited size of the 250 GB hard disk in use, the maximum number of concurrent sessions to the relay decoy is set to 20 and the maximum number of recipients in a single email is limited to 10. In the early days of operating the relay decoy, the default threshold of 128 concurrent sessions in the firewall was adopted, resulting in an average of 170K spam emails (occupying 800 MB of storage) captured in a single day. Obviously, a low threshold on concurrent sessions is preferable in order to avoid the relay decoy running out of storage space at a rapid pace. In fact, Sendmail can limit incoming sessions itself, but from a security viewpoint the task should be handled by a firewall instead of the application. Also, from our observation, we find that spammers try to deliver to the maximum number of recipients in a single spam email. A screen shot of spammers depositing spam emails to a maximum of 10 recipients at a time is shown in Figure 2.

    Figure 2. Spammers trying to send to a maximum of 10 recipients in a single spam email


    References

    Sendmail Configuration, http://www.sendmail.org
    Article on Fighting Relay Spam the Honeypot Way, http://fightrelayspam.homestead.com/files/antispam06132002.htm
    Holding mail in the queue for Sendmail, http://www.wurd.com/cl_email_sendmail.php
    Linux Mail-Queue mini-HOWTO, http://tldp.org/HOWTO/Mail-Queue.html

    Difficulties of Operating an Open Relay Decoy

Spammers are skeptical and careful. A relay decoy that merely accepts emails destined for other domains might not satisfy them: before depositing a large amount of spam on an open relay, they send test emails to ascertain that they are actually delivered, and if the test emails never arrive the relay host is abandoned. Fortunately, their test emails usually follow recognisable patterns: the sender sends to itself (a single recipient), or the IP address of the relay host appears in the subject line or message body. Scripts can be tailored to scan queued messages for these patterns and let only such emails through. An administrator must therefore dedicate considerable effort to the central challenge of operating an open relay decoy: holding back the spam while fooling spammers into believing that their test emails got through.
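The probe patterns described above can be automated. The following classifier is an added example written for this article and is not code from the author's decoy; it assumes the relay's public address is 192.0.2.25 (a documentation address standing in for the real one) and that queued messages are available as raw RFC 5322 bytes. The sample messages are constructed here, not captured from the honeypot.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: the decoy's public address. 192.0.2.0/24 is the TEST-NET-1
# documentation range, used here instead of a real relay IP.
RELAY_IP = "192.0.2.25"


def _addresses(msg, *header_names):
    """Collect bare addr-specs (lower-cased) from the given address headers."""
    found = []
    for name in header_names:
        for hdr in msg.get_all(name, []):
            found.extend(a.addr_spec.lower() for a in hdr.addresses)
    return found


def _text_parts(msg):
    """Concatenate the decoded text/* parts (where a probe would carry the IP)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                chunks.append(part.get_content())
            except (LookupError, UnicodeDecodeError):
                pass  # unknown charset: nothing we can match on
    return "\n".join(chunks)


def classify(raw_message: bytes, relay_ip: str = RELAY_IP) -> str:
    """Return 'deliver' for a spammer's relay probe, 'hold' for everything else.

    Probe patterns seen on the decoy:
      1. a single recipient that is the sender itself;
      2. the relay host's IP address in the Subject or the message body.
    Held mail stays in the protected queue; only probes are let through so the
    spammer believes the relay works.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    senders = _addresses(msg, "From")
    recipients = _addresses(msg, "To", "Cc")
    if len(recipients) == 1 and senders and recipients[0] == senders[0]:
        return "deliver"
    # Match the IP as a whole token: 192.0.2.25 must not match inside 192.0.2.250.
    ip_pattern = re.compile(r"(?<![\d.])" + re.escape(relay_ip) + r"(?![\d.])")
    if ip_pattern.search(str(msg.get("Subject", ""))) or ip_pattern.search(_text_parts(msg)):
        return "deliver"
    return "hold"


def make_message(sender, recipients, subject, body) -> bytes:
    """Build a constructed RFC 5322 message for testing (not captured traffic)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(recipients)
    m["Subject"] = subject
    m.set_content(body)
    return m.as_bytes()


# Constructed samples
PROBE_SELF = make_message("bob@example.net", ["bob@example.net"], "test", "test\n")
PROBE_SUBJECT = make_message("a@example.net", ["b@example.org"], "relay 192.0.2.25 ok", "x\n")
PROBE_BODY = make_message("a@example.net", ["b@example.org"], "hi", "open relay at 192.0.2.25\n")
NEAR_MISS = make_message("a@example.net", ["b@example.org"], "hi", "host 192.0.2.250 is up\n")
BULK_SPAM = make_message("a@example.net", [f"user{i}@yahoo.com.tw" for i in range(10)],
                         "Cheap watches", "buy now\n")

if __name__ == "__main__":
    for name, raw in [("PROBE_SELF", PROBE_SELF), ("PROBE_SUBJECT", PROBE_SUBJECT),
                      ("PROBE_BODY", PROBE_BODY), ("NEAR_MISS", NEAR_MISS),
                      ("BULK_SPAM", BULK_SPAM)]:
        print(f"{name:14s} -> {classify(raw)}")
```

The cron job described earlier would call classify() on each file in /var/spool/mqueue and leave "deliver" messages in place for sendmail -q while moving "hold" messages to the protected directory. The whole-token match matters: a naive substring test would release any message mentioning a longer address that merely starts with the relay's IP.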

    Statistics

Between 1 July and 31 Dec 2007, the relay decoy captured a total of 6.3 million spam emails deposited by spammers. The top ten target domains for spam delivery are given in the table below:

Ranking  Recipient Domain   Spam Messages   %
1        yahoo.com.tw       2,377,529       37.74
2        163.com              548,003        8.70
3        hinet.net            527,795        8.38
4        hotmail.com          290,536        4.61
5        sina.com             118,889        1.89
6        yahoo.com            115,855        1.84
7        126.com               66,998        1.06
8        pchome.com.tw         65,200        1.04
9        163.net               60,411        0.95
10       gmail.com             56,986        0.91

Based on the IP addresses captured, the top ten countries from which spammers attempted relay are as follows:

Ranking  Country            Spam Messages   %
1        China (cn)         3,195,579       50.70
2        Taiwan (tw)        1,092,409       17.30
3        USA (us)             284,631        4.50
4        Brazil (br)          181,690        2.80
5        Korea (kr)            93,395        1.48
6        Romania (ro)          51,688        0.82
7        Thailand (th)         40,442        0.64
8        India (in)            35,172        0.56
9        Italy (it)            24,641        0.39
10       Philippines (ph)      16,274        0.25

    Conclusions

Owing to resource constraints, the relay decoy imposes a limit on the number of incoming sessions and on the maximum number of recipients in a single email. Had the limits been relaxed, tens of millions of spam emails could have been captured. It is not surprising that spammers aim their spam at the world's largest email service providers such as yahoo.com, hotmail.com and gmail.com, given the large number of users subscribing to their free email services; the regional providers in Taiwan and China at the top of the table reflect where the captured spam was being sent.

Throughout the monitoring period, among the tens of thousands of IP addresses logged, not one came from address space assigned to Hong Kong. The logical explanation is that the majority of Internet Service Providers in Hong Kong block their users' outgoing connections to port 25, which prevents infected customer machines from reaching open relay hosts at all.

    © copyright Warren Kwok, 2008


OpenVPN Enterprise Solution

Introduction to OpenVPN

A Virtual Private Network (VPN) is a technology that lets a user connect to a remote office network across a carrier's public network (for example the Internet) and use the resources of that office network as if sitting inside it. All information and data passing between the user and the office network is encrypted by the VPN, so it cannot be read in transit. Used for office-to-office links, a VPN can replace a traditional leased line, giving a low-cost but still secure way to connect offices.

When VPN technology is mentioned, many people think of IPSEC (IP Security). IPSEC has long been the standard VPN technology, and nobody doubts its security. But IPSEC is also notoriously hard to get along with: in more complex networks (with proxies, NAT and so on) it often cannot be used at all.

In recent years VPN technologies based on SSL (Secure Sockets Layer) have emerged. SSL is the encryption protocol familiar from online transactions, and over the years its security and reliability have been well established. OpenVPN is open-source VPN software that uses SSL as its cryptographic foundation.

Bernard Kan (簡正修) CISSP GCIA GCIH CWSP, Vice Chairperson

Figure 1. Network topology of mycompany.com: the VPN User on the Internet; the External Firewall with the DMZ segment 172.16.254.x (Email Server .21) and the RAS segment 172.16.253.x (VPN Server .128); the Internal Firewall with the Internal segment 172.16.230.x (Admin Server .31, Application Server .32) and the Workstations Network.

Editor's note: Whether you are connecting over public WiFi or any other untrusted third-party network, a Virtual Private Network (VPN) provides an encrypted channel that keeps the content of your communications from being eavesdropped. Some network service providers offer VPN services, but have you considered building your own, tailored VPN service?

In this article the author introduces OpenVPN, which is inexpensive and capable, and walks through building, starting from a single Linux host, a secure, reliable, enterprise-grade VPN appliance of a quality comparable to the commercial products on the market. Since it is meant for enterprise use, besides explaining how to install the host the author uses a corporate case study to show how an enterprise's security policies and requirements are realised during the installation.

After the author's article, the editor also briefly describes running OpenVPN on low-end home broadband router hardware (see page 24).


Figure 2

The advantages of building an enterprise VPN host or appliance with OpenVPN are more than I can list; in short, it is inexpensive and good. Below I use a corporate case study to walk through the whole set-up process. I should say up front that the case is entirely fictitious; any resemblance to a real company is coincidental.

OpenVPN Case Environment and Solution Requirements

The network of the enterprise mycompany.com has an external Internet connection, an internal firewall and an external firewall. Three network segments have to be considered in this VPN design, as shown in Figure 1:
the DMZ (Demilitarized Zone) on the external firewall,
the RAS (Remote Access Segment) on the external firewall, and
the host segment (Internal Segment) on the internal firewall.

Because the VPN host is exposed to the Internet, mycompany.com's management requires its security to be as strong as possible, and the following measures are mandatory:
Use the latest reliable operating-system kernel and OpenVPN package
Disable unneeded system services
Run OpenVPN in a chroot environment
Protect the host with a firewall
Authenticate users with digital certificates
Run a security scan before going into production

We control what each user may reach by assigning users IP addresses from different network segments (e.g. 172.16.0.x, 172.16.1.x and 172.16.2.x) and pairing those segments with firewall rules.

The steps I followed to complete the solution were:
1. Install the Linux host and basic network settings (using Fedora 7 Linux as the example)
2. Disable unneeded system services and complete security hardening
3. Install the OpenVPN software and configure the host's VPN service
4. Generate and install the CA certificate and the VPN host certificate
5. Configure the OpenVPN host firewall
6. Configure the OpenVPN client
7. Test the OpenVPN connection
We go through them in this order below.

Steps 1 and 2 are basic groundwork, so I pass over them briefly. I started from a standard installation of Fedora 7 and, once the system was installed, stopped most system services, leaving only SSHD; I then downloaded Bastille [3] and ran its scripts to help harden the whole Linux system. Fedora 7 was a fairly new distribution and no serious vulnerabilities had been found in it yet, so patching is skipped here (in practice, run yum update before going live). Vulnerability management is a topic an enterprise needs to handle separately, as an ongoing job. The VPN host's IP address was set to 172.16.253.128, as shown in Figure 2.

VPN users are divided into three classes:
Basic User: may reach the email server over the VPN
Advanced User: may reach the application server and the email server over the VPN
Administrators: may reach all hosts over the VPN


Step 3: Install the OpenVPN software

On Fedora Linux we can use the "yum" program to install packages. Everything that follows is done on the Linux system as root, with the network up and the Internet reachable. Installing OpenVPN goes like this:

[root@vpn-host etc]# yum install openvpn
Loading "installonlyn" plugin
Setting up Install Process
:
:
=============================================================================
 Package      Arch      Version              Repository      Size
=============================================================================
Installing:
 openvpn      i386      2.1-0.19.rc4.fc7     fedora          356 k
Installing for dependencies:
 lzo          i386      2.02-2.fc6           fedora           63 k
:
:
Total download size: 419 k
Is this ok [y/N]: y
:
:
Installed: openvpn.i386 0:2.1-0.19.rc4.fc7
Dependency Installed: lzo.i386 0:2.02-2.fc6
Complete!
[root@vpn-host etc]#

Look: a single command downloaded and installed the package. Neat!

Step 4: Generate and install the CA certificate and the VPN host certificate

Since the users in this case are authenticated with digital certificates, we must first generate a CA (Certificate Authority) certificate and the VPN host certificate. Change to the directory "/usr/share/openvpn/easy-rsa/2.0" and edit the "vars" file, filling in the basic details shown in Figure 3. The same file sets KEY_SIZE, which controls the RSA and DH key lengths; the 1024-bit default seen in the transcript below is no longer considered adequate, so set KEY_SIZE=2048 before generating anything.

Figure 3


Next we run the steps that generate the host certificate:

----------------
[root@vpn-host 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys
[root@vpn-host 2.0]# ./clean-all
[root@vpn-host 2.0]# ./build-ca
Generating a 1024 bit RSA private key
:
:
[root@vpn-host 2.0]# ./build-inter vpn-host
Generating a 1024 bit RSA private key
:
:
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'HK'
stateOrProvinceName   :PRINTABLE:'HK'
localityName          :PRINTABLE:'HongKong'
organizationName      :PRINTABLE:'My-Company'
commonName            :PRINTABLE:'vpn-host'
emailAddress          :IA5STRING:'[email protected]'
:
:
[root@vpn-host 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................................................
[root@vpn-host 2.0]#

Note that build-inter issues an intermediate-CA certificate. easy-rsa 2.0 also provides ./build-key-server, which issues a proper server certificate carrying the server extensions; using it is what later allows the clients to refuse a stolen client certificate presented as the server.

After generating the certificates, we create the directory "/etc/openvpn/keys" and copy the files from "/usr/share/openvpn/easy-rsa/2.0/keys" into it. Copy only what the server needs (ca.crt, vpn-host.crt, vpn-host.key, dh1024.pem and, later, ta.key): ca.key, the CA's private key, should never live on the Internet-facing VPN host, because whoever obtains it can issue VPN client certificates at will.

In the "/etc/openvpn" directory we create the "server.conf" configuration file with the following content:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn-host.crt
key keys/vpn-host.key
dh keys/dh1024.pem
tls-auth keys/ta.key 0
server 172.16.0.0 255.255.255.0
push "route 172.16.254.0 255.255.255.0"
push "route 172.16.230.0 255.255.255.0"
client-config-dir ccd
keepalive 10 120
comp-lzo
chroot /etc/openvpn
user openvpn
group openvpn
persist-key
persist-tun
verb 3
ifconfig-pool-persist /etc/openvpn/ipp.txt
status /var/log/openvpn-status.log
log /var/log/openvpn.log
management localhost 7505
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"

Note: OpenVPN's default is UDP port 1194. Sometimes, to get through an ISP's or a company's firewall filtering, a commonly open port such as TCP 80 or TCP 443 has to be used instead, and server.conf must be adjusted accordingly, e.g.:

port 443
proto tcp


Figure 4

This configuration makes the host authenticate with the keys in "/etc/openvpn/keys", run in a chroot environment and listen on UDP port 1194. Besides holding a digital certificate, a user must also authenticate against a system account and password (the openvpn-auth-pam plugin). After successful authentication the routes are pushed to the client computer automatically. One thing to watch: the "server" directive only provides for 172.16.0.0/24, and advanced and basic users will be given addresses in 172.16.1.x and 172.16.2.x (Steps 5 and 6), so add "route 172.16.1.0 255.255.255.0" and "route 172.16.2.0 255.255.255.0" to the file as well; otherwise the kernel has no route back into tun0 for those clients.

This file meets most of mycompany.com's security requirements. To make the host more robust still, the "tls-auth HMAC" feature is also used. With it, every packet exchanged between client and host carries a signature made with a shared key, and neither side responds to a packet that lacks a valid signature. That shields the OpenVPN port from probing and denial-of-service floods and stops unauthenticated hosts from even starting a TLS handshake, so a bug in the TLS implementation cannot be reached before authentication. To use "tls-auth HMAC", we first generate a key file on the host:

# openvpn --genkey --secret ta.key

Over a secure channel, we distribute this file to the OpenVPN configuration directories on both the host and the clients.

On the host, the configuration file needs this line:

#Server
tls-auth ta.key 0

and each client adds this one:

#Clients
tls-auth ta.key 1

This line will appear again later in the client configuration. Finally, we set OpenVPN to start automatically and start it, as shown in Figure 4. Checking the "/var/log/openvpn.log" file confirms that OpenVPN has started successfully:

[root@vpn-host openvpn]# cd /var/log
[root@vpn-host log]# tail -30 openvpn.log
Mon Nov 12 17:51:13 2007 OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007
Mon Nov 12 17:51:13 2007 MANAGEMENT: TCP Socket listening on 127.0.0.1:7505
Mon Nov 12 17:51:13 2007 PLUGIN_INIT: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Nov 12 17:51:13 2007 Diffie-Hellman initialized with 1024 bit key
Mon Nov 12 17:51:13 2007 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file
Mon Nov 12 17:51:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 12 17:51:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 12 17:51:13 2007 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Nov 12 17:51:13 2007 TUN/TAP device tun0 opened
Mon Nov 12 17:51:13 2007 TUN/TAP TX queue length set to 100
Mon Nov 12 17:51:13 2007 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 12 17:51:13 2007 /sbin/ip addr add dev tun0 local 172.16.0.1 peer 172.16.0.2
Mon Nov 12 17:51:13 2007 /sbin/ip route add 172.16.0.0/24 via 172.16.0.2
Mon Nov 12 17:51:13 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 12 17:51:13 2007 chroot to '/etc/openvpn' and cd to '/' succeeded
Mon Nov 12 17:51:13 2007 GID set to openvpn
Mon Nov 12 17:51:13 2007 UID set to openvpn
Mon Nov 12 17:51:13 2007 Socket Buffers: R=[110592->131072] S=[110592->131072]
Mon Nov 12 17:51:13 2007 UDPv4 link local (bound): [undef]:1194
Mon Nov 12 17:51:13 2007 UDPv4 link remote: [undef]
Mon Nov 12 17:51:13 2007 MULTI: multi_init called, r=256 v=256
Mon Nov 12 17:51:13 2007 IFCONFIG POOL: base=172.16.0.4 size=62
Mon Nov 12 17:51:13 2007 IFCONFIG POOL LIST
Mon Nov 12 17:51:13 2007 Initialization Sequence Completed
[root@vpn-host log]#


Step 5: OpenVPN host firewall configuration

Besides the external firewall, we also use the firewall built into the Linux kernel, iptables, to protect the host: defence in depth. Below is the script we use to bring up iptables on the host. Note in particular that the iptables rules restrict which hosts each class of user may connect to. Each class of user is given an address from a different network segment after logging in to the VPN, and that address determines which hosts the user can reach. The per-class FORWARD rules are the whole access policy, so the script must not contain a blanket rule accepting new forwarded connections out of eth0: such a rule would let every tunnel address reach every host, and replies to the permitted connections are already handled by the ESTABLISHED,RELATED rule.

-----------------------
#!/bin/bash
# Allow the kernel to forward between tun0 and eth0
echo "1" > /proc/sys/net/ipv4/ip_forward

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
iptables -F
iptables -X
iptables -t nat -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (for troubleshooting)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow OpenVPN service (UDP 1194; must match "port"/"proto" in server.conf)
iptables -A INPUT -p udp -d 172.16.253.128 --dport 1194 -j ACCEPT

# Allow the administration server to reach ssh and the management port
iptables -A INPUT -p tcp -s 172.16.230.31 -d 172.16.253.128 -m multiport --dports 22,7505 -j ACCEPT

# Basic user rules: email server only
iptables -A FORWARD -p tcp -i tun0 -s 172.16.2.0/24 -d 172.16.254.21 -m multiport --dports 25,110 -j ACCEPT

# Advanced user rules: email server and application server
iptables -A FORWARD -p tcp -i tun0 -s 172.16.1.0/24 -d 172.16.254.21 -m multiport --dports 25,110 -j ACCEPT
iptables -A FORWARD -p tcp -i tun0 -s 172.16.1.0/24 -d 172.16.230.32 -m multiport --dports 80,443 -j ACCEPT

# Administrator rules: all hosts
iptables -A FORWARD -i tun0 -s 172.16.0.0/24 -j ACCEPT

# Keep state of connections: only replies to connections accepted above come back
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade traffic from the tunnel behind the VPN host's own address
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -o eth0 -j MASQUERADE
-----------------------

Note: the port opened in iptables must correspond to the setting in server.conf; this example uses OpenVPN's default (UDP 1194).


Step 6: OpenVPN client configuration

Now for the client side. The first thing to do is to generate a user certificate for mycompany.com's system administrator and open an account for him on the VPN host.

mycompany.com's information security policy includes an account-related rule: all users of important systems must be re-confirmed by management once a year, a process called "User Recertification". In this case we can help enforce it through the validity period of the user certificates. When a user's certificate expires he can no longer log in to the VPN host and must apply for a new certificate, which gives management the opportunity to re-confirm his account; in this way periodic recertification is achieved. Expiry alone does not remove a user who leaves in the middle of the year, though; for that, easy-rsa's ./revoke-full and the server's crl-verify directive are needed as well.

To change the certificate settings and generate user certificates, on the VPN host we change to the directory "/usr/share/openvpn/easy-rsa/2.0" and edit this setting in "vars":

# In how many days should certificates expire?
export KEY_EXPIRE=365

In this case the system administrator is Peter; generating his user certificate goes as follows:

[root@vpn-host 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys
[root@vpn-host 2.0]# ./build-key peter
Generating a 1024 bit RSA private key
......................++++++
writing new private key to 'peter.key'
-----
You are about to be asked to enter information that will be incorporated
:
:
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'HK'
stateOrProvinceName   :PRINTABLE:'HK'
localityName          :PRINTABLE:'HongKong'
organizationName      :PRINTABLE:'My-Company'
commonName            :PRINTABLE:'peter'
emailAddress          :IA5STRING:'[email protected]'
:
:
[root@vpn-host 2.0]#

Next, we create a system account for Peter on the host and give him a randomly generated password, which he will need when logging in to the VPN. Since we do not want VPN users to be able to log in to the VPN host itself, we give the account the "nologin" Unix shell.

[root@vpn-host keys]# which nologin
/sbin/nologin
[root@vpn-host keys]# useradd peter -s /sbin/nologin
[root@vpn-host keys]# passwd peter
Changing password for user peter.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@vpn-host keys]#

We then set the IP address Peter will be given after logging in to the VPN. This matters, because his IP address decides which hosts he can reach once connected, as already fixed in the firewall rules above. We create the file "/etc/openvpn/ccd/peter" containing the single line "ifconfig-push 172.16.0.9 172.16.0.10": Peter's own address and the peer (gateway) address of his tunnel. The two must form a valid pair under OpenVPN's default net30 topology, that is the two usable addresses of one /30 ([1,2], [5,6], [9,10], [13,14] and so on), and the file name must match the common name in the user's certificate, which is how OpenVPN selects it.

[root@vpn-host /]# cat /etc/openvpn/ccd/peter
ifconfig-push 172.16.0.9 172.16.0.10
[root@vpn-host ccd]#
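Because the pushed address is the access-control decision, ccd entries are worth checking mechanically. The following added example (not from the article) encodes the case study's class-to-segment mapping, allocates the next free net30 pair for a new user, and audits an existing ccd directory for pairs that are malformed or that land a user in the wrong privilege class. The ccd contents are constructed, starting from Peter's entry above.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Case-study layout: privilege class -> segment handed out by OpenVPN.
# The values are the article's (they must match the iptables FORWARD rules);
# the mapping itself is a convention of this example, not an OpenVPN feature.
CLASS_SUBNETS = {
    "administrator": ipaddress.ip_network("172.16.0.0/24"),
    "advanced":      ipaddress.ip_network("172.16.1.0/24"),
    "basic":         ipaddress.ip_network("172.16.2.0/24"),
}


def is_net30_pair(local: str, remote: str) -> bool:
    """Valid client pair under OpenVPN 2.1's default 'net30' topology:
    the two usable hosts of one /30, i.e. local = 4k+1 and remote = 4k+2."""
    l, r = int(ipaddress.ip_address(local)), int(ipaddress.ip_address(remote))
    return l % 4 == 1 and r == l + 1


def class_of(address: str) -> Optional[str]:
    """Which privilege class an address grants, or None if it is in no class segment."""
    a = ipaddress.ip_address(address)
    for name, net in CLASS_SUBNETS.items():
        if a in net:
            return name
    return None


def parse_ccd(ccd_files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Read 'ifconfig-push LOCAL REMOTE' out of each ccd file's text."""
    pushed = {}
    for user, text in ccd_files.items():
        for line in text.splitlines():
            fields = line.split()
            if len(fields) == 3 and fields[0] == "ifconfig-push":
                pushed[user] = (fields[1], fields[2])
    return pushed


def allocate_pair(user_class: str, in_use: Iterable[str]) -> Tuple[str, str]:
    """Lowest free /30 pair in the class segment. The first /30 (.1/.2) is skipped:
    in 172.16.0.0/24 it is the server's own tun endpoint."""
    net = CLASS_SUBNETS[user_class]
    used = {ipaddress.ip_address(a) for a in in_use}
    base = int(net.network_address)
    for k in range(1, net.num_addresses // 4):
        local = ipaddress.ip_address(base + 4 * k + 1)
        remote = ipaddress.ip_address(base + 4 * k + 2)
        if local not in used and remote not in used:
            return str(local), str(remote)
    raise RuntimeError(f"no free /30 left in {net}")


def new_ccd_entry(user: str, user_class: str, ccd_files: Dict[str, str]) -> str:
    """Text for /etc/openvpn/ccd/<user>, avoiding every address already pushed."""
    in_use = [a for pair in parse_ccd(ccd_files).values() for a in pair]
    local, remote = allocate_pair(user_class, in_use)
    return f"ifconfig-push {local} {remote}\n"


def audit(ccd_files: Dict[str, str], expected: Dict[str, str]) -> Dict[str, str]:
    """Check each user's pushed pair against the class that user should have."""
    report = {}
    for user, (local, remote) in parse_ccd(ccd_files).items():
        if not is_net30_pair(local, remote):
            report[user] = f"invalid net30 pair {local} {remote}"
        elif class_of(local) != expected.get(user):
            report[user] = f"{local} grants {class_of(local)}, expected {expected.get(user)}"
        else:
            report[user] = "ok"
    return report


# Constructed ccd directory, starting from the article's entry for Peter.
CCD = {"peter": "ifconfig-push 172.16.0.9 172.16.0.10\n"}

if __name__ == "__main__":
    print(new_ccd_entry("alice", "administrator", CCD), end="")   # 172.16.0.5 172.16.0.6
    print(new_ccd_entry("carol", "basic", CCD), end="")           # 172.16.2.5 172.16.2.6
    print(audit(CCD, {"peter": "administrator"}))
```

Running audit() over the real ccd directory after every change (and again before the production scan in the Summary) is the cheap check that nobody has been quietly placed in the administrators' segment.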


Finally, we install the Win32 version of OpenVPN GUI on Peter's computer, as shown in Figure 5. After a few clicks of Next to finish the installation, we put the files peter.crt, peter.key, ca.crt, ta.key and client.ovpn into the "C:\Program Files\Openvpn\config" directory.

"peter.crt" and "peter.key" are Peter's certificate and private key; "ca.crt" is the CA certificate the client uses to verify the VPN host, and "ta.key" is the shared tls-auth key; "client.ovpn" is the client configuration file, with the following content:

client
dev tun
proto udp
remote vpn-host.mycompany.com 1194
nobind
persist-key
persist-tun
ca ca.crt
cert peter.crt
key peter.key
comp-lzo
verb 3
auth-user-pass
tls-auth ta.key 1

If the host certificate was issued with build-key-server, adding "ns-cert-type server" here makes the client refuse any other certificate signed by the CA (a stolen client certificate, for instance) that is presented as the server.

We can now start the VPN client software and log in to the VPN host, as shown in Figures 6 and 7.

Figure 5

Figure 6   Figure 7


Figure 8

Figure 9

We can try pinging the host's IP address 172.16.0.1, as shown in Figure 9.

BINGO!! Now let us try port 25 of the email server 172.16.254.21:
> telnet 172.16.254.21 25

On the VPN host we watch the connection with "tcpdump":

[root@vpn-host openvpn]# tcpdump -nn -v host 172.16.254.21
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:42:37.026628 IP (tos 0x0, ttl 127, id 24970, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.253.128.1294 > 172.16.254.21.25: S, cksum 0x47dc (correct), 2090928:2090928(0) win 64240
21:42:37.033657 IP (tos 0x0, ttl 128, id 8205, offset 0, flags [none], proto: TCP (6), length: 44) 172.16.254.21.25 > 172.16.253.128.1294: S, cksum 0xe748 (correct), 1781926647:1781926647(0) ack 2090929 win 64240
21:42:37.045355 IP (tos 0x0, ttl 127, id 24972, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.253.128.1294 > 172.16.254.21.25: ., cksum 0xfecd (correct), ack 1 win 64296
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@vpn-host openvpn]#

As Figure 8 shows, Peter was assigned the IP address 172.16.0.9.

It works!! We see IP address 172.16.253.128 attempting to connect to port 25 of 172.16.254.21. But why did 172.16.0.9 turn into 172.16.253.128? Because iptables applied NAT (Network Address Translation) through the MASQUERADE rules. And why does the email server not answer? Notice that the capture shows only the TCP three-way handshake (SYN, SYN-ACK, ACK) and then nothing: no SMTP banner follows. I will leave readers to think about that (the answer is on the next page).

For the other VPN users, creating the account and installing the client follow exactly the same steps; only the network segment of the assigned address differs, according to the user's class.

Summary

With this, the VPN host is essentially configured. All that remains before going into production is a vulnerability scan to confirm there are no security problems. This gives mycompany.com a secure, reliable and inexpensive VPN solution.

© Copyright Bernard Kan (簡正修), 2008


References

[1] James Yonan, OpenVPN HOWTO, October 2006. http://openvpn.net/howto.html
[2] Markus Feilner, OpenVPN: Building and Integrating Virtual Private Networks, PACKT Publishing, May 2006.
[3] Bastille Security Hardening Scripts, http://www.bastille-linux.org

Copyright & Disclaimer

Copyright owned by the author. This article represents the views of the author and does not necessarily reflect the opinion of PISA.

Surprise! Installing OpenVPN on a broadband router

If OpenVPN could be installed on a broadband router costing a few hundred Hong Kong dollars and started every time the router boots, wouldn't that save the cost of a whole computer, as well as effort and electricity?

Some enthusiasts on the Internet have written replacement firmware for broadband routers, letting users install programs of their choice to extend the router's functions. One of the more popular projects is OpenWRT (http://openwrt.org/), which already has an OpenVPN package ready to download and install.

To find out whether OpenWRT supports your broadband router's brand and model (Asus, Belkin, Buffalo, Linksys ...), consult this page: http://wiki.openwrt.org/TableOfHardware

If it is supported, you can set about re-flashing your router. Be prepared, though: replacing the firmware voids your warranty, and before doing so you must back up the original firmware and be familiar with the recovery procedure, in case anything goes wrong.

The steps for installing OpenVPN on OpenWRT are much the same as above; the following are only supplementary notes on points to watch on OpenWRT:

1. For details of re-flashing the router, see these two sites:
http://forum.openwrt.org/viewtopic.php?id=1800
http://martybugs.net/wireless/openwrt/openvpn.cgi
After re-flashing the router with OpenWRT firmware, enable its SSH service so that we can use a shell.

2. OpenWRT already has unneeded system services disabled, so the hardening step can be skipped.

3. The command for installing software on OpenWRT differs slightly from Fedora Linux. In the ssh shell enter:
# ipkg install openvpn

4. To have OpenWRT start OpenVPN every time the router boots, create or edit the start-up file /etc/init.d/S50openvpn with the following content (server.conf uses paths relative to /etc/openvpn, hence --cd):
#!/bin/sh
/usr/sbin/openvpn --daemon --cd /etc/openvpn --config server.conf

5. Generating and installing the CA certificate and the VPN host certificate is the same as above; see also http://wiki.cacert.org/wiki/OpenWRT

6. OpenVPN host firewall: assuming OpenVPN uses UDP port 1194, edit the /etc/firewall.user file of OpenWRT's iptables firewall and add:
### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT
(where $WAN is the variable for the WAN network interface defined in firewall.user)

7. OpenVPN client configuration and connection testing are the same as above.

Answer: because mycompany.com's external firewall had not yet been opened to allow the VPN host under test to connect to the production email server.


Forensics

Digital Imaging Forensic – Uncover the Truth

Anthony Lai CISSP, CEH, Program Committee

A picture is worth a thousand words. With today's convenient distribution channels, a picture can easily become the talk of the town once it is accessible on the Internet. Netizens are easily impressed by photos on a topic of public interest, such as a terrorist attack, politics or jokes. Yet digital images can be tweaked or even synthesized with the abundance of tools available. The truth behind an image can become a serious social concern when it comes to establishing a fact. Recent incidents, the South China Tiger (華南虎) photos and celebrities' "private photo collection", have raised one forensically interesting question: how trustworthy is a piece of evidence derived from a digital image? At Black Hat USA 2007, Dr. Neal Krawetz gave a good session on this [1]. In this article I extract some key points from that presentation and try to illustrate them with examples. Digital imaging forensics also finds application in detecting intellectual property violations.

Example: 911 Tourist

There is a controversial argument over the "911 Tourist" photo (Figure 1). People claimed it was taken by a tourist on the roof of the WTC as a hijacked plane was heading towards the building. In fact, this "tourist's" gallery has other interesting photos [2]. I illustrate the forensic process by examining this photo.

Image Forensics Analysis Step by Step
To analyze an image we start from observation, then basic image enhancement, then image format analysis, and finally more advanced forensic techniques.

Observation and Basic Image Enhancement
Let me summarize in Table 1.

Basic Photo Forensics - Image Format Analysis
Exiftool [3] can be used to list the metadata of a photo:
1. Date and time the photo was taken
2. Camera model
3. Aperture and shutter speed
4. Resolution
5. File type
6. Last modified date and time of the photo file

Exiftool showed the following metadata for the 911 Tourist photo (Figure 2), but it could identify neither the camera model nor the original creation date and time.

Table 1

Observation
Highlights and shadows: do all objects have the same lighting and shadows?
Colour tones in anti-aliasing: do objects with clear edges have edge colours that fail to match the new background?
Reflections: does each object have a proper reflection?
Scale: are the combined objects at a reasonable scale?
Roots: objects spliced into an image may appear to be floating; is each object rooted to the background?
Items: can items such as text and the environment in the image identify a specific region, culture or time?

Basic Image Enhancement (we can use an image editor for these)
Brightness and contrast
Colour adjustment
Sharpen and blur
Scaling
Invert: invert portions of an image to make it a negative
Normalization and histograms: normalize a photo to a wider colour range

Figure 1


I ran Exiftool against a control photo I took of my dog Lucky (Figure 3).

In Figure 4, Exiftool reports that the photo of the dog was taken with a Canon PowerShot S50 on 6 April 2003. The last modification date was 18 Nov 2007, when it was saved as another file type.

NOTE: this information can be changed with Adobe Photoshop when the photo is modified, so metadata is never conclusive on its own. We can still use it as a preliminary study.

Advanced Technique: Understand its compression history

The tool JPEGsnoop [4] can be used to search for and identify the compression signatures of an image. It does this by reading the quantization tables stored in the file and matching them against a database of tables used by cameras and software, so it can discover that an image was processed and re-saved with various tools. When run against the "911 Tourist" photo, the tool reported that it had been processed with Photoshop, MS Paint, MS Visio and Apple QuickTime (Figure 5). The assessment suggests that the image is an edited sample. A signature identifies the software that last saved the file, not the origin of the scene, and an editor can in principle copy a camera's tables, so this evidence is supporting rather than conclusive.

Figure 3

Figure 2

Figure 4

When JPEGsnoop is run against a photo I took during the Black Hat 2007 pre-conference training, it reports the truth (Figure 6): the photo was taken with a Canon 20D and is original.
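JPEGsnoop's compression signature is built from the quantization tables stored in the file's DQT segments. The following added example (written for this article, not JPEGsnoop's code) walks the JPEG marker segments, extracts the tables, fingerprints them and checks for one well-known table: the ITU-T T.81 Annex K luminance table, which is libjpeg's base table at quality 50 and therefore a sign of software rather than a camera. The JPEG header it parses is constructed inside the block (markers only, no image data).

```python
import hashlib
import struct
from typing import Dict, Iterator, List, Tuple

# Zig-zag sequence (natural index of each stored coefficient), as in ITU-T T.81.
ZIGZAG = [
     0,  1,  8, 16,  9,  2,  3, 10, 17, 24, 32, 25, 18, 11,  4,  5,
    12, 19, 26, 33, 40, 48, 41, 34, 27, 20, 13,  6,  7, 14, 21, 28,
    35, 42, 49, 56, 57, 50, 43, 36, 29, 22, 15, 23, 30, 37, 44, 51,
    58, 59, 52, 45, 38, 31, 39, 46, 53, 60, 61, 54, 47, 55, 62, 63,
]

# Annex K luminance table (natural order): libjpeg's base table, i.e. what a
# plain "quality 50" save produces. Matching it points at software, not a camera.
ANNEX_K_LUMA = [
    16, 11, 10, 16,  24,  40,  51,  61,
    12, 12, 14, 19,  26,  58,  60,  55,
    14, 13, 16, 24,  40,  57,  69,  56,
    14, 17, 22, 29,  51,  87,  80,  62,
    18, 22, 37, 56,  68, 109, 103,  77,
    24, 35, 55, 64,  81, 104, 113,  92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103,  99,
]


def to_zigzag(natural: List[int]) -> List[int]:
    """Natural (row-major) order -> the order in which DQT stores entries."""
    return [natural[i] for i in ZIGZAG]


def to_natural(stored: List[int]) -> List[int]:
    natural = [0] * 64
    for k, i in enumerate(ZIGZAG):
        natural[i] = stored[k]
    return natural


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI, or SOS (entropy-coded data follows)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def quant_tables(data: bytes) -> Dict[int, List[int]]:
    """All DQT (0xFFDB) tables keyed by table id, values in stored (zig-zag) order."""
    tables: Dict[int, List[int]] = {}
    for marker, payload in jpeg_segments(data):
        if marker != 0xDB:
            continue
        i = 0
        while i < len(payload):
            precision, table_id = payload[i] >> 4, payload[i] & 0x0F
            i += 1
            if precision == 0:                          # 8-bit entries
                tables[table_id] = list(payload[i:i + 64]); i += 64
            else:                                       # 16-bit entries
                tables[table_id] = list(struct.unpack(">64H", payload[i:i + 128])); i += 128
    return tables


def table_signature(tables: Dict[int, List[int]]) -> str:
    """Fingerprint of the whole table set, the key a JPEGsnoop-style database looks up."""
    blob = b"".join(bytes([t]) + struct.pack(">64H", *tables[t]) for t in sorted(tables))
    return hashlib.sha256(blob).hexdigest()


def is_annex_k_luma(stored: List[int]) -> bool:
    return to_natural(stored) == ANNEX_K_LUMA


def build_jpeg_header(tables: Dict[int, List[int]]) -> bytes:
    """Constructed minimal JPEG (SOI, JFIF APP0, DQTs, SOS, EOI) with no image data."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    for t in sorted(tables):
        body = bytes([t]) + bytes(tables[t])            # 8-bit precision
        out += b"\xff\xdb" + struct.pack(">H", len(body) + 2) + body
    return out + b"\xff\xda\x00\x02\xff\xd9"


if __name__ == "__main__":
    sample = build_jpeg_header({0: to_zigzag(ANNEX_K_LUMA)})
    found = quant_tables(sample)
    print(table_signature(found), [is_annex_k_luma(t) for t in found.values()])
```

Run quant_tables() on a real file by passing its bytes; the table set of a camera original normally differs from the scaled Annex K tables that libjpeg-based editors write, and the Q-table listing under [3] is a starting point for a signature database. A match only says which tables were used for the last save.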


    Figure 5

    Figure 6


Advanced Technique: Error Level Analysis

Error level analysis (ELA) shows which parts of a JPEG image have been added or modified. It re-saves the image at a known quality level (90%, for example) and subtracts the re-saved image from the original, so that every pixel that changed, and the degree to which it changed, becomes visible. A region that was pasted in, or that has been saved a different number of times from the rest of the picture, shows a different error level from the original material.

Noah's Error Level Analyzer (ELA) [5] does this. Load an image and press 'Work', and it builds a heat map showing at what point each pixel changes as the JPEG quality is lowered from 100 to 0. In this mode a change counts as relevant once the sum of the changes to the R, G and B values exceeds 10; to use a threshold other than 10, type it into the text box on the toolbar.

If instead you move the track bar after loading an image, the difference for one particular compression level is shown. Each tick is five levels, from 0 on the left to 100 on the right. By default the differences are exaggerated by a factor of 10 to highlight them; to use another colour scaling factor, type it into the same text box.

Load = load an image (standard load dialog)
Save = save the image being displayed (standard save dialog)
Work = generate a heat map
Track bar = display the diff for a specific compression level
Text box = (heat-map mode) the change threshold; (diff mode) the colour scaling factor

When using ELA to check the "911 Tourist" photo at the 75% compression level, we get the heat map in Figure 7.

Figure 7

We can see an explicit red mark at the bottom right of the overall heat map: the mark there does not have the same error level as the other pixels, so it was added or modified. The technique can be defeated, however: an editor who re-saves the composite again and again can bring the error level of the "tourist" into line with the background's, so a uniform ELA result is not proof that an image is unedited.

When using ELA to analyse the photo of Lucky the dog at the 25% compression level, the heat map (Figure 8) shows an evenly distributed error.

Figure 8


Next, I added some text to the photo of Lucky the dog, producing a new photo (Figure 9).

Figure 9

The ELA analysis of this photo (Figure 10) shows the added/modified part with a different heat-map distribution.

Figure 10

Summary

The above illustrations serve as a starting point for basic digital imaging forensics and analysis. If you are interested, please read Dr. Neal Krawetz's presentation and the other references.

    © copyright Anthony Lai, 2008

References

[1] Dr. Neal Krawetz, "A Picture's Worth", Black Hat USA 2007, http://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html
More details, and a book titled Adobe Photoshop Forensics: http://www.hackerfactor.com/blog/index.php?/categories/1-Image-Analysis
[2] 911 Tourist - he travelled to many places, http://urbanlegends.about.com/od/mishapsdisasters/ig/Tourist-Guy/
[3] Exiftool - reading the metadata of an image, http://www.sno.phy.queensu.ca/~phil/exiftool/
JPEG Quantization Table (Q-Table) for various brands of camera, http://www.impulseadventure.com/photo/jpeg-quantization.html
[4] JPEGsnoop - study the Q-Table and compression history of an image, http://www.impulseadventure.com/photo/jpeg-snoop.html
[5] Error Level Analyzer from Noah - produces a heat map to identify any modified section of an image, http://www.tinyappz.com/wiki/Error_Level_Analyser

Copyright & Disclaimer

Copyright owned by the author. This article represents the views of the author and does not necessarily reflect the opinion of PISA.


    We Contribute. We Achieve.

Event Snapshot

Source Code Review Seminar (Mar-2008)
The event was co-organized by PISA and OWASP. The speakers analyzed approaches to reviewing code, with illustrated cases from US online banks, and demonstrated the typical interface of a code review tool.

Speakers: Mr. Robert Rachwald and Mr. Nevin Ng, Fortify Software

Seminar: Live! Wi-Fi Attack and Defense (Feb-2008)
The event was organized by PISA, WTIA and ISOC, co-organized by WDC and e-Zone, and sponsored by Cyberport. Over 180 participants filled the function rooms of Cyberport.

Hacking demonstrations and clear illustrations helped the participants understand the issues. We called for strong encryption and a goodbye to WEP.

The panel had a very open discussion on the challenges and opportunities of a WiFi city.

(from left) Ken Fong, Larry Leung, Charles Mok (moderator), Jim Shek and S.C. Leung

The attentive audience travelled all the way to Cyberport on a Saturday afternoon.

    Speakers:

    (upper photo from left) Ken Fong, Alan Ho

    (lower photo from left) Sang Young, Anthony Lai


    We Share, We Progress.

    Visit to Digital Magic (Dec-2007)

    Digital Magic in Causeway Bay is the earliest and most well-established studio in Hong Kong. With state-of-the-art equipment and a very high-calibre team, they handle a lot of film post-processing, and TV advertisements are processed here as well.


    Bruce Schneier Talk - The Psychology of Security (Nov-2007)

    Mr. Bruce Schneier, CTO of BT Global Services, gave a stimulating talk on the psychology of security. He cited many psychology experiments on human (mis)perception of security and on how these perceptions affect our judgement. His current research opens a new area of study for information security.

    PISA Annual Dinner (Jan-2008)

    Our guests and members enjoyed a wonderful evening at the PISA Annual Dinner. Among the guests we had Hon. Sin Chung Kai (ITFC), Tiger Wong (HKPF), Cari Wu (OGCIO), Charles Mok (ISOC HK), Francis Fong (HKITF), Lento Yip (HKISPA), Edmon Chung (DotAsia), Albert Wong (AiTLE), Wilson Yuen (Hon. Advisor) and Ricky Lou.

    (photos) Charles Mok, Hon. Sin Chung Kai, Francis Fong, Lento Yip


    Anti-Virus Security Experience Sharing Session (Nov-2007)

    Raymond Ng led a closed door discussion on anti-virus security protection. The interaction was exceptionally good.

    We Exchange. We Collaborate.


    Next Changes

    War Driving on Tram (Nov-2007)

    The War Driving Team of PISA and WTIA carried out their annual war tramming from Kennedy Town to Shaukiwan. The survey plotted the profile of Wi-Fi security development in Hong Kong.

    1. BCP certification by Dr. Goh Moh Heng (Apr 2008)

    2. iSCSI application and security by Alex Wu (Apr 2008)

    3. PCI Security (May 2008)

    Do not miss these great events. Please register as a member to join these events free of charge.


    Delivering public talks on Information Security

    • PISA gave a talk on “Strength and Weakness of Native Wi-Fi Security Protection” at the Hong Kong Clean PC Day organized by the HKCERT (Nov-2007)

    • Howard Lau spoke in the IT Security Seminar for 600-700 parents in Tuen Mun Schools (Jan-2008)

    Our vision provides us our destination. Our missions provide us the directions.

    Giving Expert Opinions on info-sec issues

    • PISA and WTIA were invited to 新聞透視 “Wi-Fi 危機” and Pearl Report “Wireless Woes” (Jan-2008)

    • PISA was invited to Pearl Report “Mobile Menace” and 新聞透視 “電腦黑客” (Mar 2008)

    • Howard Lau was interviewed by TVB 事必關己, ATV 時事追擊 and Ming Pao on Data Protection (Feb 2008)

    Howard Lau at the Tuen Mun schools talk

    Jim Shek

    Ken Fong


    Vision

    To be the prominent body of professional information security practitioners, and to utilize expertise and knowledge to help bring prosperity to the society in the Information Age.

    Many Ways You Can Benefit

    Successful Career Networking: Enjoy networking and collaboration opportunities with other in-the-field security professionals, and exchange technical information and ideas to keep your knowledge up to date.

    Professional Recognition: Benefit from immediate access to professional recognition by using the post-nominal designation.

    Continued Education: Check out job listing information provided by members. Get information on continuing education and professional certification.

    Enjoy discounted or free admission to association activities, including seminars, discussions, open forums, and IT-related seminars and conferences organized or supported by the Association.

    Sharing of Information: Find the solution to your technical problems through our email groups and connections with our experienced members and advisors.

    Realize Your Potential: Develop your potential and capabilities by proposing and running project groups such as Education Sector Security, WLAN & Bluetooth Security, Honeynet, Public Policy Committee and others, and enjoy the sense of achievement and recognition of your potential.

    Be up to date and more competitive in the info-sec community: line yourself up with the resources you need to expand your technical competency and move forward towards a more successful career.

    http://www.pisa.org.hk

    Membership Requirements

    Membership Type | Annual Fee (HK$) | Qualifications | Relevant Experience
    Full | 500 | Recognized Degree in a Computing discipline, OR other appropriate educational / professional qualification | 3 years Info-Sec working experience
    Associate | 300 | Tertiary Education | Info-Sec related experience
    Affiliate | 300 | Interested in furthering any of the objects of the society | Nil
    Student | 100 | Full-time student over 18 years old | Nil

    • Relevant computing experience (post-qualification) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.

    • All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

    Membership Information

    Enquiry email: [email protected]

    Membership Application Form: http://www.pisa.org.hk/membership/member.htm

    Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm