May 6, 2008
Zeroshell and My Interop Security Hangover
Carla Schroder in the first of two parts on how to set up Zeroshell, a small Linux distro designed to provide encryption and security for your wireless network:
“Zeroshell is designed to run on small form-factor routerboards like PC Engines WRAP, Soekris, VIA, and Alix. It also runs from a CD, and you can install it to a hard drive. This is a good way to put older smaller hard drives back to work. The hard drive installation is a hack using the Compact Flash image, so it will take over your entire hard drive. Data, configurations, and logfiles go on a separate partition or a separate device, such as a USB drive.
“Zeroshell includes FreeRADIUS, the popular network authentication server. RADIUS (Remote Authentication Dial-In User Service; despite the name, it works for all networking) authentication is a good way to control access to your network, both wired and wireless. It provides a central authentication server that can operate with any number of network access points. Zeroshell makes it easier to set up good strong wireless authentication with FreeRADIUS. I’m assuming you already have at least one working WAP on your network, and either bridging or routing in place so your wireless clients can access network resources, and you want to add some real security.”
Some tangential thoughts:
I remember when I set up my first WAP at home. It wasn’t the most convenient arrangement: A Linux server provided a shared printer, we had a Linux desktop, a Windows desktop and a Linux laptop. With WEP enabled on the WAP, the networked printer couldn’t talk to the Linux laptop, and Samba performance was dreadful.
So WEP got turned off and every app on the laptop that didn’t provide some sort of encryption on its own went through an SSH tunnel. That was seven years ago or so, but I can still look at my muttrc to see the SSH tunneling stuff.
In general, I’ve treated every wireless network connection as a potentially hostile one since then. On my laptop, I’m careful to make sure my bookmarks for sensitive sites point to the SSL version, I make sure IMAP runs over SSL, etc. etc.
One thing I haven’t gotten around to doing has been just setting up some sort of VPN connection for myself on my home connection, so I can just reduce all that hassle to a single concern.
Last week at Interop, I was my usual careful self when I wasn’t working through the corporate VPN, but my laptop did briefly come up on an unencrypted network and I hadn’t shut down Pidgin. So it went through at least one sign-on sequence to several IM services in the clear.
I didn’t think much of it at the time, but I did go back to my room that night to do some work, where one of my AIM accounts did the whole “Someone has logged on to this account from another computer” thing.
I booted the other user off and promptly changed my passwords (all of which, I can happily report, had the benefit of not being like any of my other passwords), but it was a little stunning to realize that just a few moments of exposure and a single unencrypted sign-on had caused an account to be compromised. I’ve been acting like a paranoiac for years, but up until about five seconds after the moment that message came up telling me someone who wasn’t me was signed on to one of my accounts, I’d been guiltily thinking that maybe I was taking myself a bit too seriously.
So I got home on Thursday night, and by Friday at noon I’d set up my DD-WRT-based router to provide me with that VPN I’d been putting off.
Posted by mhall at 4:16 PM