I love when it says when you insert a floppy, cd, ZIP disk, etc it will detect the kind of content and then, for your convenience, automatically start the appropriate program.  In other words, we’ll be virus-ready and malware-prone just for you!  This is one of the ways Conficker spread.  Haha.  Remember kids, usability is the enemy of security.

1. Verified he had the latest firmware for his router (Linksys WRT54G version 2.2)
2. Established wireless security for WPA2 Personal (TKIP + AES) – (don’t use WEP – it doesn’t truly secure anything)
3. After this, his wired PC wouldn’t work anymore – at least it wouldn’t do DNS anymore.  So I changed the router to assign OpenDNS servers to the machines.
4. Changed the wireless channel from 6 (default) to 1 – there are a lot of people in Keith’s neighborhood that are on channel 6.  Take a look at my post about wireless routers for information on why this causes a problem.

Anyway, he was able to use wireless if he didn’t put any security encryption on it.  The danger of this is that anyone with a little bit of know how (easily found on Google search) could potentially read all the traffic his laptop would send to the router – this is just how radio works (actually, this is possible with WEP encryption, too.  So use WPA or WPA2 with a strong password).  People could then use the information to get access to his online banking site, paypal.com, or any number of other things he may not want them to have access to.  The potential danger is pretty high.  The likelihood of Keith getting attacked is, let’s be honest, small in his neighborhood.  However, its like leaving your home without locking the door.  If you get robbed while you’re away and there are no signs of forced entry, you are going to feel like a tool.

Also – you’re paying for your connection.  Not having your connection secured means anyone that can pick up the signal can use your Internet.  They might slow you down or make you liable for illicit activity on your network that you had nothing to do with.  They aren’t helping you share the burden or the responsibility, why should you make it available to them?

Enter the All Ways On Wireless at the Ronald Reagan International Trade Center in Washington, DC.  Its a pay-for public WiFi, I’m not against paying for it.  Its actually running quite nicely and the regular, non-VPN enabled all-day pass works just fine with my VPN (another reason I like OpenVPN).  However, when I went to purchase my day of access, it led me to a non-encrypted web page to type in my credit card details.  Seeing as the radio frequency traffic between my laptop and the wireless access point is not encrypted and completely open to anyone that knows how to look, I essentially broadcast my credit card details out for that potential someone to steal.

Be wary of public wifi access spots that make you enter credit card details without leading you to a secure web page (that’s when you see https:// in the address bar, or that little padlock in the status bar of your browser).  I don’t think my details are now in the hands of some nefarious identity theif, but its a lot more possible now that I’ve given them out over unencrypted radio transfer.  Someone taking this information wouldn’t even be recorded as a data breach in the All Ways On Wireless financial system – since essentially they didn’t hack into their database they just listened to the freely broadcast, unencrypted traffic.

When will companies start taking security of information more seriously?  I tried to go to their website (www.allwayson.net) but strangely enough, you can’t even get to their website from their own public wifi gateway.  I wonder if its even up anymore, or if it changed and noone set up any forwarding address.

This isn’t the end-all guide to checking the credibility of a website, but give it a shot if you come into something you question.

The Level 2 tech wanted data directly from the console link. Supposedly, this gives them more information than what the Sonicwall is capable of logging on its own. The Sonicwall tech support assured us that our Sonicwall TZ170w did ship with a console cable (it didn’t). Sonicwall wasn’t going to send us one; they just insisted that ours shipped with the cableand it was up to us to find it. We actually had to contact a Sonicwall reseller we know (BNA Computing) and Kevin over there was kind enough to ship us an extra he had. I should mention at this point that we had 4 brand new Sonicwalls in our office that we were configuring for a client and none of them had a console cable with them either.

Just so happens earlier this month I went up to the Astaro Corporation US Headquarters in Burlington, MA. I’d been talking to my area sales director, Colin Martin, and it turns out that not only did we go to the same high school, we graduated the same year! I hadn’t seen him since I was 17, it was great to meet up with him again. So as I was talking about a potential project for one of my clients, this issue with our own Sonicwall came up. He offered a demo unit so I could take a look at the Astaro for my own office. What are the odds that we went to high school together? Haha… it was fun. I actually found out about Astaro through the Security Now podcast.

So far, I like the ASG a lot. Its flexible, has a lot of features, and the interface, though a bit complicated, is much better than the Sonicwall interface. I feel like I have more power! haha. And the ASG came with the console cable! :)

GParted did the job! I was able to resize my partition. At first I was a bit nervous booting into GParted (I used the automatic boot, worked fine) because I saw a lot of command-line text as it was booting. And then I saw a Linux bash prompt. I cringed, thinking “Oy, I’m going to have to learn some esoteric command line stuff in order to resize this partition…” and just a couple seconds after that I saw a GUI interface come up. Hmm, quite nice. I clicked on my drive, found my partition and was able to actually just use the mouse to resize my partition with a click on the edge of the partition and then dragged it larger. Very nice! I was able to use some finer controls below the graphic interface with some numbers in it (representing the size of the partition) to leave myself 8 GB of space at the end of the drive (that’s 8192 MB). I decided I would put the virtual memory here in a 4GB virtual memory file, leaving 4 GB of space left on that partition as well. Following the prompts on the screen I was able to do what I needed to resize the partition! I was very happy as I’ve been searching for a free partition manager for years. I’m glad the folks at Clonezilla led me to GParted.

So what about the actual whole drive encryption? Well, this is currently only available to do in Windows. Since I’m using XP, I was okay with this. I installed TrueCrypt version 5.1a and started going through the prompts to encrypt the whole drive. OK, before you try this on your own, you’re going to need the ability to burn a recovery CD. The program will not allow you to finish whole drive encryption until it can verify that you’ve created a TRD (TrueCrypt Recovery Disk). So if your laptop won’t burn CDs (like my refurbished one here doesn’t) then you’ll need a USB key or some other means (I used a mapped network drive) to move the .ISO file to another computer to be able to burn the TRD. You’ll also be asked to choose a passphrase of 20 or more characters! Ouch… well, I decided to use 3 of my strong passwords strung together. You can get by with less, but I don’t recommend it. Just DON’T FORGET YOUR PASSPHRASE, or you will lose access to all data on the drive. Important data should be backed up somewhere, maybe an offsite file backup like MozyPro.

One of the things I was worried about was the data. The whole idea of whole drive encryption is to make sure the data on the hard drive is encrypted and not readable. But when you write data to a drive, there is a possibility of data still being read off the drive, even if it has been overwritten (see this article for a little more information on this). I don’t have much information on my laptop that I’m worried about, so in essence I’m not overly concerned with the data on my own drive. However, I am concerned with the data on my customers’ drives. Many of them are bound by HIPAA and have access to an abundance of sensitive data. Laptops get stolen. So, not encrypting your data is not quite like leaving your car door unlocked in the Bronx, it’s more like leaving the car door locked (because you try to be careful with your laptop), but having built the car so you don’t need a key to start it – just a big red button that says ‘Start’.

Luckily, TrueCrypt offers 3 methods of wiping the drive as it encrypts the drive. I was pretty happy to see this as an option. I was trying to figure out how to use Darik’s Boot and Nuke system to wipe the data on the drive, then encrypt it – but that wouldn’t help me because after a wipe I’d have to replace all the data on the drive. Well, TrueCrypt offers a 3-pass, 7-pass and a 35-pass option for wiping the data ‘beneath’ the data the operating systems can use. I was happy to use the 7-pass option. When I started, it said it would take 8 hours to complete! Well, good thing I started the process late at night. After an hour of operation, I went back to check the computer and it said only 7 hours left! It was accurate – and typically I find the time estimations of software to be very inaccurate. So I went to bed, safely secure in the knowledge that my system would be ready when I woke up. And it was!

I didn’t notice any speed enhancement with the TrueCrypt drivers for access to my hard drive (nor do they actively advertise the fact), but I didn’t think they’d be noticable anyway. Maybe with a faster drive, like 7200 RPM or a nice SATA interface you may notice a difference. But I just don’t need my laptop for much more than writing here on IT Legends, so I don’t need that faster hard drive.

Well, my nifty 120 GB drive arrived! I was very happy with it. Now, how to get my operating system from the old 30GB onto the new 160GB? Clonezilla! I tried the Clonezilla Live CD, and this did a good job of a device-to-device partition transfer. It’s not quite as polished of an imaging product (but its free!) as something like, say, Acronis or Ghost, but if you know just a little Linux then you can get your way through it. The one thing I didn’t like was that Clonezilla did not auto-resize the destination partition. So I have my new 120 GB drive running in my system with a nice, small 30 GB partition and 90GB of unpartitioned space! Now I have to decide if I’m going to partition that space into a new volume or try to resize the partition.

Turns out that the developers of Clonezilla already thought of this potential, and have released a Live CD with a dual-boot scenario that will also load GParted – a Linux-based partition utility. So I’m going to give this a shot and let you know how it goes.

Oh, by the way, in order to image the existing data from my laptop onto the new drive, I was able to use a USB adapter to connect my new drive to the laptop so it could be accessed and written to. So yes, Clonezilla supports USB drives. For laptops, I’d recommend:
Nippon Labs EN-25USB External Enclosure