Kernel, Inc. - IT Management

New Post has been published on http://www.kernelops.com/crafty-phishing/

Crafty Phishing

It amazes me how crafty hackers are getting when trying phishing (pronounced: fishing) attacks. For those that are unsure, a phishing attack is usually a targeted email attack against an organization. The main goal of the ‘phisher’ is to infect your computer with malware for a higher purpose… that purpose could be to use your computer as a money mule system, indoctrinate you into a big bot-net to take over the world (Oh, if The Brain could see us now… not tonight Pinky!), steal some secrets, be a nuisance, etc.

One of our clients recently received an email with the mentioned attachment from the Better Business Bureau @bbb.org:

Better Business Bureau Phishing Email

The attachment would infect the victim’s computer with malware that appears to add the computer to a larger bot-net. Lucky for us, the company administrator is on point and quickly sent out an email to everyone within the company to NOT OPEN THE EMAIL. She also took it upon herself to send the email to the Better Business Bureau, who responded with:

Better Business Bureau Phishing Response

As it turns out, not everyone reads their email as a FIFR (First In, First Read) fashion…so, one of the execs ended up opening the email and, to our dismay, became a part of the bot-net that we warned y’all about earlier. The fix is simple… a virus scanner since the malware was old-hat and easily detected. But beware, there are very crafty malware writers out there and malware can go undetected for a very long time in Advanced Persistent Threat attacks and more.

New Post has been published on http://www.kernelops.com/cidr-notation-from-mac-os-x-shell/

CIDR Notation From Mac OS X Shell

I recently had a time-and-ahalf trying to find a simple shell script for retrieving the CIDR notation net address on Mac OS X. There are several apps on the App Store that will do this for you known as CIDR Calculators, but I needed a shell script to do this. I personally needed this to auto-configure Snort’s HOME_NET variable when Snort boots from a ‘.plist’ file, but I’m sure there are other reasons someone might want to use this.

First, what is CIDR notation?

Something to make note of first is, if you don’t already know the answer to this question you might have some trouble the remaining steps to implement this solution; they get fairly technical…

But anyway, CIDR notation is when you see your net address look something like this ’192.168.1.0/24′. Basically, the ‘/24′ is a shorthand reference to your subnet mask which probably looks something like this (at least in our example) ’255.255.255.0′ or on a Mac, using the ‘ifconfig’ command it probably looks like this, ’0xffffff00′ which is the same thing in hexadecimal format.

Next, why do we care about CIDR notation?

There are lots of different reasons you might want to find out the CIDR notation of your net address. As I stated, my reasoning is because Snort needs a HOME_NET variable set so it knows what to monitor traffic on. If I set Snort’s HOME_NET variable to ’192.168.1.5′ then it will only monitor traffic for that particular IP address; however, if I provide ’192.168.1.0/24′ then magically Snort will monitor traffic on my entire private network. Which is what I want in this case.

Now, let’s get to the nitty-gritty!

I’ll first show you the code, then break it apart, piece-by-piece, so you can understand what is going on–oh and, by-all-means, if someone has a better way of doing this please let me know! I searched and searched and couldn’t find another script based solution for OS X.

CIDR=$(while read y; do echo $y%.*".0/$(m=0; while read -n 1 x && [ $x = f ]; do m=$[m+4]; done < <(ifconfig en0 | awk '/mask/$4=substr($4,3);print $4'); echo $m )"; done < <(ifconfig en0 | awk '/inet[ ]/print $2'))

Eeeek! That looks intimidating! No worries, I’ll go over each portion. To summarize what is happening: we are converting the hexadecimal version of the subnet mask provided by ‘ifconfig [your interface]‘ to a number based on how many ‘f’ characters are in the hexadecimal string. In this case, each ‘f’ is worth 4 points; so loop over the hex string and add 4 to a zero-based variable every time an ‘f’ is encountered. Then get the inet IP address from the ‘ifconfig [your interface]‘ command, substring off the last octet and replace it with ‘.0/[the CIDR that we just calculated]‘. Sounds simple enough, let’s dive in!

The Breakdown…

#1. CIDR=

Here we are simply assigning the results of our entire command to a variable called CIDR so we can reference our CIDR notation net address later if desired. You could also ‘echo’ the results if you don’t need it in a variable.

#2. < <(ifconfig en0 | awk '/inet[ ]/print $2'))

Ok, here we are using an awk expression to get the inet IP address from ifconfig en0. The ‘< <( )' will pipe whatever results from within the parenthesis to whatever is on the left side of the arrows, which means in this case the left side (the rest of our function) will now get the string '192.168.1.5' to work with.

while read y; do echo $y%.*”.0/$(m=0; while read -n 1 x && [ $x = f ]; do m=$[m+4]; done < <(ifconfig en0 | awk ‘/mask/$4=substr($4,3);print $4’); echo $m )”; done

And, here is the remainder of the code that would be on the left side of the arrows. There are really two main parts to this command, first:

#3. while read y; do echo $y%.*".0/ ........ ; done

This is reading in the inet IP address string that got piped from our #2 command. The while loop is reading in the string in the 'y' variable and '$y%.*' is simply stripping off the last octet to leave us with '192.168.1'. Naturally, we now concatenate that substring command with ".0/" to set the stage for our CIDR number now. Which is our next step.

#4. < <(ifconfig en0 | awk '/mask/$4=substr($4,3);print $4')

Similar to what we've already seen from step #2, we want to get the subnet mask from the 'ifconfig en0' command which will result in '0xffffff00' and strip off the first two characters with 'substr($4,3)'; resulting in 'ffffff00' and pipe this string into the while loop on the left side of the '< <( )' arrows.

#5. m=0; while read -n 1 x && [ $x = f ]; do m=$[m+4]; done

This is our left side of the arrows from step #4 that 'ffffff00' is being passed. First, we need an empty variable created that will hold our incrementing CIDR number 'm=0;'. Next, the while statement will read in the passed string 'ffffff00' into individual characters called 'x' using the '-n 1 x' syntax. Then we also only want to perform our addition arithmetic if the character is an 'f' so '&& [ $x = f ];'. Finally, the inside of the while loop performs the arithmetic 'm=$[m+4];'.

#6. echo $m

Next, notice that inside our subshell, and after the while loop and awk pipe we finally echo the 'm' variable back, which will simply append the results into the string from step #3. Making step #3 look something like this essentially:

while read y; do echo $y%.*".0/24"; done since '24' is what got returned (in this case) from the subshell.

An that is it! Although the command is rather lengthy, it seems to get the job done. Obviously, some constants that this assumes is that your ifconfig field placements are the same, meaning your subnet mask doesn't show up before your inet ip address for some reason, and so on. Also, this seems to only work on Mac OS X, probably because of the varying versions of bash/sh across other *nix distos. I wasn't worried about other distros though because I'm only deploying Macs that need this functionality.

New Post has been published on http://www.kernelops.com/build-issues-with-osx-mavericks/

Build Issues with OSX Mavericks

So, I recently ran into some issues when trying to build just about anything from source on OSX Mavericks (10.9).  Of course, you need Xcode and the Xcode Command Line Tools installed, but that wasn’t helping.  I could run ./configure but this is what I would get when running make

/Applications/Xcode.app/Contents/Developer/usr/bin/make all-recursive Making all in src Making all in sfutil gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c getopt_long.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sfmemcap.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sfprimetable.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sfxhash.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sf_ip.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sf_iph.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sf_ipvar.c sf_ipvar.c:39:17: warning: unused function 'sfvar_list_compare' [-Wunused-function] static SFIP_RET sfvar_list_compare(sfip_node_t *, sfip_node_t *); ^ 1 warning generated. gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sf_textlog.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c sf_vartable.c rm -f libsfutil.a ar cru libsfutil.a getopt_long.o sfmemcap.o sfprimetable.o sfxhash.o sf_ip.o sf_iph.o sf_ipvar.o sf_textlog.o sf_vartable.o /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libsfutil.a(sf_iph.o) has no symbols ranlib libsfutil.a /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libsfutil.a(sf_iph.o) has no symbols Making all in output-plugins gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c spo_alert_arubaaction.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c spo_alert_bro.c gcc -DHAVE_CONFIG_H -I. -I../.. -I.. -I ../sfutil -I/usr/local/include/mysql -DENABLE_MYSQL -g -O2 -Wall -c spo_alert_cef.c In file included from spo_alert_cef.c:66: ../strlcatu.h:24:8: error: expected parameter declarator size_t strlcat(char *, const char *, size_t); ^ /usr/include/secure/_string.h:111:44: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:62: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ /usr/include/secure/_common.h:30:32: note: expanded from macro '_USE_FORTIFY_LEVEL' # define _USE_FORTIFY_LEVEL 2 ^ In file included from spo_alert_cef.c:66: ../strlcatu.h:24:8: error: expected ')' /usr/include/secure/_string.h:111:44: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:62: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ /usr/include/secure/_common.h:30:32: note: expanded from macro '_USE_FORTIFY_LEVEL' # define _USE_FORTIFY_LEVEL 2 ^ ../strlcatu.h:24:8: note: to match this '(' /usr/include/secure/_string.h:111:44: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:53: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ In file included from spo_alert_cef.c:66: ../strlcatu.h:24:8: warning: type specifier missing, defaults to 'int' [-Wimplicit-int] size_t strlcat(char *, const char *, size_t); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/secure/_string.h:111:44: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^~~~~~~~~~~~~~~~~~~~ /usr/include/secure/_common.h:39:31: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^~~~~~~~~~~~~~~~~~~~~ In file included from spo_alert_cef.c:66: ../strlcatu.h:24:8: error: conflicting types for '__builtin___strlcat_chk' /usr/include/secure/_string.h:111:3: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^ ../strlcatu.h:24:8: note: '__builtin___strlcat_chk' is a builtin with type 'unsigned long (char *, const char *, unsigned long, unsigned long)' /usr/include/secure/_string.h:111:3: note: expanded from macro 'strlcat' __builtin___strlcat_chk (dest, src, len, __darwin_obsz (dest)) ^ In file included from spo_alert_cef.c:67: ../strlcpyu.h:24:8: error: expected parameter declarator size_t strlcpy(char *, const char *, size_t); ^ /usr/include/secure/_string.h:105:44: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:62: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ /usr/include/secure/_common.h:30:32: note: expanded from macro '_USE_FORTIFY_LEVEL' # define _USE_FORTIFY_LEVEL 2 ^ In file included from spo_alert_cef.c:67: ../strlcpyu.h:24:8: error: expected ')' /usr/include/secure/_string.h:105:44: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:62: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ /usr/include/secure/_common.h:30:32: note: expanded from macro '_USE_FORTIFY_LEVEL' # define _USE_FORTIFY_LEVEL 2 ^ ../strlcpyu.h:24:8: note: to match this '(' /usr/include/secure/_string.h:105:44: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^ /usr/include/secure/_common.h:39:53: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^ In file included from spo_alert_cef.c:67: ../strlcpyu.h:24:8: warning: type specifier missing, defaults to 'int' [-Wimplicit-int] size_t strlcpy(char *, const char *, size_t); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/secure/_string.h:105:44: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^~~~~~~~~~~~~~~~~~~~ /usr/include/secure/_common.h:39:31: note: expanded from macro '__darwin_obsz' #define __darwin_obsz(object) __builtin_object_size (object, _USE_FORTIFY_LEVEL > 1 ? 1 : 0) ^~~~~~~~~~~~~~~~~~~~~ In file included from spo_alert_cef.c:67: ../strlcpyu.h:24:8: error: conflicting types for '__builtin___strlcpy_chk' /usr/include/secure/_string.h:105:3: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^ ../strlcpyu.h:24:8: note: '__builtin___strlcpy_chk' is a builtin with type 'unsigned long (char *, const char *, unsigned long, unsigned long)' /usr/include/secure/_string.h:105:3: note: expanded from macro 'strlcpy' __builtin___strlcpy_chk (dest, src, len, __darwin_obsz (dest)) ^ 2 warnings and 6 errors generated. make[3]: *** [spo_alert_cef.o] Error 1 make[2]: *** [all-recursive] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2

My errors were apparently due to how OS X now treats header files and pulls them from a macro instead of a plain old .h file. In my research, it looks like replacing the strlcpyu.h strlcatu.h files located in my build applications /src directory contents with:

strlcpyu.h #ifndef HAVE_STRLCPY size_t strlcpy(char *dst, const char *src, size_t size); #endif

strlcatu.h #ifndef HAVE_STRLCAT size_t strlcat(char *dst, const char *src, size_t size); #endif

New Post has been published on http://www.kernelops.com/heartbleed-check/

Heartbleed Check

Well, the proverbial cat’s out of the bag and everyone knows about the vulnerability called ‘Heartbleed’.

If you don’t know what Heartbleed is or what it really means to you, I’ll briefly sum it up: Heartbleed is a vulnerability found in the technology that secures websites and tons of other communication technologies.  This vulnerability allows people to snoop the memory on the web server running the website you visit.  Ideally, the interested person could see passwords, user information, session information, etc.  OpenSSL, the specific cryptographic software that is vulnerable, is used on about 2/3 of the Internet!  The news has reported that banking sites, webmail, and practically anything with an https:// at the beginning of the web address (that’s what the little padlock in front of the address means) has been vulnerable for the last 2 years.  The recommended action is to change your passwords!

So, over the past few days I’ve been asked by relatives and friends whether their banking, webmail, or a site they frequent is now secure.  To help the everyone find out about if Heartbleed still affects the sites you visit, we’ve created a simple website for everyone to use to find out.

Simply type in the web address that you’re curious about.  For instance, www.bankofamerica.com.  The site will reply and let you know the results!

It can be found here, at: http://heartbleed.kernelops.com.

New Post has been published on http://www.kernelops.com/beautiful-data-with-reportifi-com/

Beautiful Data with Reportifi.com

Kernel is proud to introduce Reportifi.com (pronounced re-port-eh-fy).  It’s a beautiful web application that we’ve developed to help Total Merchant Services partners save time and money.  By far, the most useful feature we’ve packed into this web application gives business owners the ability to auto-calculate their sales rep’s commission based on the standard Total Merchant Services monthly commission summary data!

Quick Summary:

We’ve also put together some nifty features to help dive deeper into account retention, spend analysis, and more!  Reportifi.com gives you the ability to:

Automate data conversion into easy to understand graphs and charts

Save time with our Automatic data upload and calculations (including commissions!)

Give your sales team members access to their own account data to maximize account visibility

Customize data points for commission calculations

Analyze customer data to better understand account trends and usage

Maximize account understanding and profitability!!!

Diving Deeper:

As the saying goes, a picture is worth a thousand words (probably more!) and Reportifi.com currently provides Total Merchant Services partner’s with the ability to dive deeper into understanding their accounts through custom analytic algorithms that compare, contrast, and convert your account data into something that’s a little more useful… a picture.  Well, more like beautiful graphs, interactive charts, and formatted tables.  As a business owner, we know that you have better things to do than check on account activations for your sales reps and spending hours to calculate your reps commissions at the end of the month.  That’s no fun! 

So, let’s dive a little deeper and see what’s currently available:

The Dashboard

When logging in as an admin you’re presented with comprehensive breakdowns of your Total Merchant Services account data.  All of the graphs and charts have some level or interactivity to them, which will update other data on the page accordingly:

Clicking or Hovering over a graph will change the data presented accordingly

Each of the tabs will show a representation of your account data from Total Merchant Services and correlate the data into graphics and tables for easier understanding.

Merchant Matrix

One of the features we’re incredibly proud of is the Merchant Matrix chart and data table.  This table combines data from multiple sources within your Total Merchant Services account to create an interactive chart that translates to an account’s health.  Having this information gives you and your sales team the freedom to create a custom sales and account retention/management strategy:

Data converted into Merchant Matrix chart with table detail

A user can also hover over one of the larger circles which shows the account information, total authorizations, overall revenue, and aged days.  This information provides a sales rep with the ability to focus their attention toward accounts of a certain nature, which was previously a very painful process before Reportifi.com came along and connected the dots:

Account data converted into a Merchant Matrix Chart

User Management

Up until now, as an administrator, you’ve had to do all of the data calculation and information collection/dissemination for your sales team.  We feel for you, we really do!  That’s why we’ve created a user management section where you can manage your sales team members.  Once a team member has been invited, they get their own login credentials and can only see the Total Merchant Services data associated with their account.  That means Bob isn’t going to be able to see Alice’s data.  That would be bad.  This does mean that a team member can log in and see their commission data instead of you having to do the calculations manually and send it to them!  Yeah!!!

Inviting Reportifi Users

Of course, if you can add users, you need a way to modify or uninvite them from the application.  We’ve made that pretty darn easy too:

Managing Reportifi Users

Awesome Notifications

We’ve created an automated notification system that compliments all the simplicity that we’ve discussed above.  When Total Merchant Services updates your monthly data, we do the same.  After we’re done working our magic, we’ll send an email out letting everyone know that data has been updated and they should log in and check it out!!

Feature Enhancements

We’ve listed some of the notable features of Reportifi.com, but rest assured, we’re not stopping here.  We have a pretty rapid feature enhancement schedule and are always looking for crafty new ways to present your data and give you the tools you need to succeed, so please, provide us with feedback and the features you’d like to see next on Reportifi.com.

New Post has been published on http://www.kernelops.com/compliance-and-pentesting/

Compliance and Pentesting

One of the subjects I get asked time-and-time again about is compliance standards for certain industries and how securing their data comes into play.  It’s pretty important to know which compliance standards affect you and why!  So, here is a quick list of some of the compliance regulations which center around Information Security:

FISMA (Federal Information Security Management Act) of 2002

FISMA requires federal agencies to develop, document, and implement programs to provide information security that are in the best interests of the United States.  The same stipulations are passed on to government contractors and 3rd parties.

Many of the Information Security / Computer System standards & guidelines for hardening and securing systems are created by NIST and are publicly available for most major Operating Systems.  FISMA sets up a framework that companies need to follow to be in compliance and Kernel can help!

HIPAA (Health Insurance Portability & Accountability Act)

HIPAA was created to protect health information through security safeguards while providing access to that same information to the parties that need it, such as healthcare providers, insurance companies, etc.).  The information that HIPAA is meant to protect is called e-PHI, or ‘electronic protected health information’.  Specifically, the HIPAA ‘Security Rule’ requires the following from those that use/store/maintain e-PHI:

CIA (Confidentiality, Integrity, & Availability) of all e-PHI that is created, received, maintained, or transmitted.

Identify & protect against reasonability anticipated threats to the security and/or integrity of e-PHI.

Protect against ‘reasonably’ anticipated impermissible uses of information disclosure.

Ensure compliance

Some of the +’s for the Pentest Industry are:

Risk Analysis must be performed on a regular basis

Risk Analysis must be performed after any significant network systems changes such as upgrades, replacement, installations.

PCI-DSS (Payment Card Industry Data Security Standard)

PCI has become a pretty popular standard in the news considering the likes of the latest Target breach (and others!).  This is a standard that the Credit Card merchants (Visa, Mastercard, AMEX, etc.) created to protect credit card data.  Believe it or not, PCI standards really apply to anyone that does something with a credit card, from a gas station with a credit card swiping machine, to, well… Target sized companies!

PCI-DSS sets forth some standards:

Build & Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement strong access control measures

Regularly monitor & test networks

Maintain an Information Security Policy

There have also been some additions that many companies aren’t aware of:

Penetration Testing – A pen test should be performed at least ONCE annually and anytime there is a significant change or upgrade to the network or systems.

Code Review & Application Firewalls – Just like it sounds, mainly setup for companies to go through a legit code audit to avoid the pitfalls of a web application attack such as SQL injection, XSS, etc.

Wireless Security – Securing your wireless networks to transmit cardholder data.

The biggest thing to note is that the PCI industry actually imposes some pretty hefty fines if you claim to be PCI compliant but aren’t … say, a breach happens.  For those SMBs out there, the fine is set at $15,000 per incident!  So, if two customer credit card records are stolen, then you’re looking at a hefty $30,000 fine!  Of course, getting compliant isn’t always the easiest task and Kernel can help!

In Summary…

New Post has been published on http://www.kernelops.com/secure-your-email/

Secure Your Email

With 2014 upon us, I’ve decided to share some of the best practices Kernel has put in place to be as secure as possible in doing business, heck, just in general!  How about all that hoopla from Edward Snowden about the NSA/Government listening in on practically everything?!  If there is one thing to take away from 2013, it’s time to take YOUR security into YOUR hands by doing some very simple things to protect yourself and your online identity!

It’s said that there are about 2,000,000 e-mails sent each second throughout the world, so why not start with e-mail?  First, let’s talk about why email security is important:

E-mails are an extension of an actual conversation.  How would you like someone altering that conversation before it gets to your intended recipient?  An email actually travels through many servers before it gets to where it needs to go.  Anyone with access to those servers could get a look at your email and potentially alter it!

What if someone sent a message pretending to be you?  That’s a pretty uncool thing to do, but it happens!  A digitally signed certificate tells the recipient that the message DID come from you!

How about sending a message that is super-secret to someone?  Obviously, you wouldn’t want anyone to read that message except the intended person, so encrypt it!

These are some quick and easy benefits of adding a digitally signed certificate to your email, whether it be work related or for personal use.  There are a ton of reputable vendors that provide you with a FREE, yes, FREE digital certificate to help secure your email!  Here is a link so you can pick: http://kb.mozillazine.org/Getting_an_SMIME_certificate

From there, simply fill out the form and follow the directions provided.  You’ll get your certificate pretty quickly and be able to install it on your computer, smartphone, tablet, etc. to start digitally signing your emails and/or encrypting them!

Here are some more links that can be helpful in setting things up:

iOS:

http://www.utexas.edu/its/help/user-certs/1624

http://feinstruktur.com/blog/2011/12/12/using-smime-on-ios-devices.html

Mac:

(Outlook 2011) http://www.utexas.edu/its/help/user-certs/1511

(Apple Mail) http://www.utexas.edu/its/help/user-certs/834

PC:

(Outlook 2010) http://www.utexas.edu/its/help/user-certs/1512

Of course, this is just one of the solutions out there.  In my opinion, it’s one of the easiest for anyone to implement, hence the reason I gave it the showcase.  The other tried-and-true solution out there is PGP which stands for Pretty Good Privacy.  In my opinion, it’s not as simple to implement as a digital certificate is.

Stay Secure,

New Post has been published on http://www.kernelops.com/careers/penetration-tester/

New Post has been published on http://www.kernelops.com/crusade-k9-academy-website/

Crusade K9 Academy Website

A good friend of the company approached me about some email issues he was having with his current domain provider. Not only that, he was also ready to update his website since the last update was quite some time ago (in Internet years). Basically, it was missing all of the elements that make a current day webpage look, … well, current. I’m talking about the slideshows of images, columned layouts, etc.

After talking with Rob, the owner, there was one thing that was very clear to me: he liked the color scheme of his old site … noted! That’s exactly what was kept intact for his new site. He also wanted to be able to update the listings about his dogs going through training, graduating, deployed in the field, etc. All of his needs where easily accomplished with the WordPress Content Management System, which I am an incredible fan of. After running Rob through the ropes of how to manage things, he was ready to rock ‘n roll on his own in no time!

Oh yeah, we also migrated the email accounts from his existing domain/service provider to our servers!

If you’re curious about our work or in need of some super-awesome dog training, be sure to get ahold of Rob at http://www.crusadek9academy.com. Make sure to tell him we sent ya!

New Post has been published on http://www.kernelops.com/gitlab-post-receive-webhook/

GitLab Post-Receive WebHook

I’ve recently setup a GitLab v5.2 Server and had a surprisingly difficult time finding reference documents on how to create the Post-Receive webhook action script (not to be confused with ActionScript) to process the posted JSON data; so I thought I’d post a short description of my trials and tribulations to potentially help others.

First, for those unfamiliar with Post-Receive webhooks–these are simply URLs saved within the Project Settings->Hooks menu that tell GitLab (GitHub has these as well) to send a JSON data string to the desired URL whenever a `git push` is executed on the project repo.  And that’s essentially it.  There are plenty of things you can do with the data once you’ve received it (which we will talk about next); but your Git server has completed the hand-off and it’s now up to you to do the rest.

So, now we need to do something with the JSON data.  Typically, admins will use this data post as a trigger to execute a git command like: `git pull origin master` or something on their production server, thereby keeping their production environment up-to-date as pushes are made on the project repo.  This is exactly what I’ve done, but I feel there is another benefit in terms of security.  Rather than giving all the developers in the company SSH access to the server to SCP their development, or production, code; this solution will post their code to the web server for them.  So, if the developer wants to see their code in action (off their localhost), they HAVE to push to the git repo, thereby forcing version control.

Now, lets get into the actual code.  I’ve made my webhook parser in PHP since I’m running a PHP web server, but you can essentially make it in any language that will accept and read web POST data.  Note: I’ve posted this question on StackOverflow for discussion that has the code as well: http://stackoverflow.com/questions/17129781/gitlab-5-2-post-receive-webhook/17150806#17150806

<?php //you should make one of these scripts for every different project webhook you want - changing only the $wd variable ini_set("log_errors", 1); ini_set("error_log", "hook.log");   //use this to log errors that are found in the script (change the filename and path to a log file of your choosing), the command will make the file automatically error_reporting(E_ALL); ignore_user_abort(true);            //don't want users screwing up the processing of the script by stopping it mid-process $wd = "/var/www/firstproject";      //this is the only thing that needs to change from project to project //I'm sure there are other ways of handling the system call, this is just the method I've chosen //setup the function to make the system call where $cwd is the "Current Working Directory" function syscall ($cmd, $cwd) { $descriptorspec = array( 1 => array('pipe', 'w') ); // stdout is a pipe that the child will write to $resource = proc_open($cmd, $descriptorspec, $pipes, $cwd); if (is_resource($resource)) {           $output = stream_get_contents($pipes[1]);           fclose($pipes[1]);         proc_close($resource);           return $output; } } try{ //I fumbled around for awhile to finally find this part: GitLab uses the $HTPP_RAW_POST_DATA server variable to house its JSON data meaning your typical $_REQUEST, $_POST, and $_GET will be EMPTY! if( $HTTP_RAW_POST_DATA ){ if( $oData = json_decode( $HTTP_RAW_POST_DATA ) ){ //transform the string into an object so we can get to the 'ref' element   //now we want to split the ref string on "/", pop off the last element of the array (which will be the branch name), and do one quick validation to make sure a branch name actually exists //the actual 'ref' string will look like this: 'refs/heads/master' (or whatever branch was just pushed to instead of master)     if( ( $branch = array_pop( preg_split("/[\/]+/", $oData->ref) ) ) != "heads" ){ if( is_dir( "$wd/$branch" ) ){   //lets check if branch dir exists     //hey look, the branch directory already exists, so lets use it as our working directory and just run the pull command -- obviously we want to pull from the remote origin & branch name         $result = syscall("git pull origin $branch", "$wd/$branch"); } else {              //if branch dir doesn't exist, create it with a clone              $result = syscall("git clone ssh://[email protected]:443/cfarmer/firstproject.git $branch", $wd);          //change dir to the clone directory, and checkout the branch              $result = syscall("git checkout $branch", "$wd/$branch"); }         return 1; //this isn't necessary but I put it here for good measure, just to say we are done and everything got executed properly } else { throw new Exception("branch variable is not set or == to 'heads'"); } } else { throw new Exception("An error was encountered while attempting to json_decode the HTTP_RAW_POST_DATA str"); } } else { throw new Exception("HTTP_RAW_POST_DATA is not set or 'ref' is not a valid array element"); } } catch (Exception $e) { error_log( sprintf( "%s >> %s", date('Y-m-d H:i:s'), $e ) ); } ?>

Now, lets talk about what was done. The whole essence of this script is to create a web directory for each branch that our developers push to and to keep that working directory (on the web server) up-to-date with pushes to the repo (regardless of branch). So, the first task is the set the working directory that all the branch code should reside in (remember, on the web-server); this is on line 8 with the $wd variable. The working directory will end up looking like this; at then end of the script: “/var/www/firstproject/master” or “/var/www/firstproject/branch-name” Now, there is only one more place in the script that will need some editing; but I’ll continue explaining my code until we get there:  

     Line 12:  Function SysCall is designed to make system calls and pass the command to execute and the directory to execute the command in.  Remember this will be executed as the www-data user (unless otherwise specified).

       Line 25:  The first if statement within the try-catch block checks to see if $HTTP_RAW_POST_DATA exists.  This is the server variable that GitLab stores the posted JSON data in (not $_REQUEST, $_POST, or $_GET).

       Line 26:   Next we want to convert the server variable to an object by decoding the JSON string, this way we can reference the object elements like this: obj->property_name;

       Line 29:  Then we want to get the branch name from the 'ref' object property; so we split the string on forward slashes "/" into an array and pop off the last element which will be the branch name.

       Line 30:  Depending on if the directory already exists or not, we will either execute the pull command or clone the repo into a  new directory.  So, we need to check if the working directory + branch name already exist.

       Line 32:  If the working directory + branch name already exists then all we need to do is execute a 'git pull' from the remote origin on the branch name that was passed in the 'ref' property from that branch's working directory.

       Line 35:  If the working directory + branch name does not exist then execute a git clone on the repo (this is where you will need to get the clone address from the repo and insert it here) and tell clone to put it in a new directory called [branch_name] by using the $branch variable.

       Line 37:  Lastly, we want to checkout the proper branch from the repo, otherwise the clone will automatically checkout the master branch.

New Post has been published on http://www.kernelops.com/openerp-7-office365-hosted-exchange/

OpenERP 7 & Office365 Hosted Exchange

As we grow as a company, I’m always looking for some software to consolidate our functions.  I hate going to this Excel spreadsheet for most recent job applicants, this IP address to put quotes and sales orders together, that FQDN for project management… I think you get the idea.  So, I’ve started exploring the wonderful world of ERP systems.  Personally, I like open source software, mainly because it’s cheap … it doesn’t hurt that I’m pretty good at working my way around a Linux system as well!  My most recent foray into consolidation took me down the road of OpenERP, which is a nice, open source ERP system to manage pretty much all aspects of your business.  If you don’t know how to administer a Linux system, no biggie, there is a Windows version as well.  Regardless of which you use (I tested both), I ran into an issue with sending emails from the server using our Office365 Hosted Exchange account.  Believe it or not, the fix is pretty simple… here goes:

The issue:

The problem actually lies with STARTTLS when you’re setting up your outgoing server within OpenERP (Under Settings > General Settings > Configure Outgoing Email Servers).

Oddly, you’ll get a message letting you know everything is working right when you set it up:

However, when I went to create a user, email an invoice (or basically have the server communicate with the outside world), I received this:

Obviously, this poses a huge issue.  For whatever reason, the hosted exchange server wouldn’t work.  My guess is something about the encrypted transmission… I ran across all types of hypothetical resolutions on forums and other blogs such as making sure your python-jinja2 packages are up to date on your Linux distro, etc., but nothing fixed it.  Heck, I even submitted it as a bug to the OpenERP team.  I tested an SMTP connection using gmail, and that worked like a charm… my only problem was that it didn’t look overly professional to have my company quotes, invoices, sales orders, etc. with my @gmail.com address as the ‘from’ and ‘reply-to’ address.  So, back to the drawing board…

The fix:

The fix is actually pretty simple if you have the space on your server: create a local SMTP relay which forwards mail to your hosted Exchange account of choice.  The key here is that the server is local on your network since unencrypted traffic is going to be moving between your OpenERP server and the SMTP Relay server (if they aren’t one in the same).  From there, the SMTP Relay will encrypt the traffic and forward it to your Office365 hosted exchange account.  I tested this theory with a Windows 2008 R2 Server I had previously decommissioned.  The steps are pretty easy on a Windows machine, and not overly difficult on a Linux box.  Instead of going through all the steps, I’m going to refer you to a blog (click here) that I used to get the job done for Windows.

Once you’re done setting up the SMTP relay, it’s a simple matter of going back to your OpenERP and setting up the Outgoing Server information to your localhost (or whatever server you ended up installing the SMTP relay on):

From there, everything works like a charm!  Good luck!

New Post has been published on http://www.kernelops.com/microsoft-outlook-sendreceive-issues/

Microsoft Outlook Send/Receive Issues

New Post has been published on http://www.kernelops.com/apple-default-mail-web-client/

Apple Default Mail & Web Client

New Post has been published on http://www.kernelops.com/say-hello-to-internet-anywhere/

Say Hello to 'Internet Anywhere'!

What an exciting time for us!  Kernel can officially provide new and existing clients with Internet, in almost any location around the globe.  Not only do we provide the Internet, we also support it with our world-class staff.  How does it work you might ask?  Well, the answer is elementary, my dear Watson…

The technology we’re using is known as VSAT (or, very small aperture terminal) which relies on satellites sitting miles above our heads.  This means that as long as you have a pretty view of the sky, we should be able to provide you with Internet service no matter if you’re in the Himalayas or the Iraqi desert.  Even if you don’t have an immediate view of the sky (…and I’m not sure why you wouldn’t) we can make something work!

So we’ve gotten the technology portion out of the way, you might be wondering how it works (wait!  That’s still techno-speak!).  You’re probably even thinking something like “Well, I can’t even watch my satellite TV when it rains or snows…”.  You have a valid point, however there are a few issues that arise from bad-signal that satellite does suffer from:

It really depends on the technology being used.  Satellite TV providers use different satellites in space and altitude in many cases, plus, you also have to wonder about the guy that installed the dish on your roof.  The tech did go to Satellite school to do this stuff right?  …Probably not.  However, our technicians did!

Speaking of technology, the equipment is pretty much the same as your satellite TV stuff, just more advanced in my opinion!  There’s the dish that goes on a roof and points into space, then there is the line that runs from the dish to the modem, then the firewall (you do use a firewall on your network, right!?) and on to the rest of the stuff on your network.

To put this all to rest, yes satellite technology does suffer from weather conditions.  While your satellite TV is super sensitive, our satellite Internet is less prone to those problems, barring crazy events like Hurricanes, freak snow storms, etc.  In fact, we can tout a 99% uptime rate, which is pretty darn good!

New Post has been published on http://www.kernelops.com/the-kilgore-chamber-of-commerce-website/

The Kilgore Chamber of Commerce Website

Recently we were approached by the Kilgore Chamber of Commerce in Kilgore Texas for a website redesign project.  After defining the project requirements with the Kilgore Chamber staff we gladly accepted the job and were confident we could design a modern website, making use of a content management system, that was exactly what they were looking for.

We systematically continued through the project scoping steps and discovered the need for a more highly blog centric CMS website than usual.  The new website features a blog category on almost every page, allowing the Kilgore Chamber staff to simply create a new post and direct it into a particular category to be displayed on that page.  This enables the site to be highly dynamic with continually updated content by the Kilgore Chamber staff themselves, rather than requiring, and paying, web developers each time they need content on their page changed.

After development, only one thing remained; training the Kilgore Chamber staff on how to use WordPress and update content on their new website.  The staff picked-up quickly, after only a couple training sessions and they were off creating their own blog posts in a matter of days.  All said and done, the Kilgore Chamber staff was a knowledgable and excellent group to work who has expressed their satisfaction with the website and the training received.

New Post has been published on http://www.kernelops.com/%ef%bf%bcgoing-where-no-it-company-has-gone-before/

Going where no IT Company has gone before

Our client needed some serious help: they operate in extremely remote parts of the world but need the typical IT services that the everyday business requires such as Internet connectivity, IT technicians, IT support, and security. Therefore, our client’s needs were three-fold as we saw it. The following were needed in order to be successful: reliable Internet, knowledgeable support, and robust security mechanisms.

Reliable Internet: Internet in many parts of the world, especially the remote ones, is not as reliable or as fast as it is in developed countries like the United States. Using a local Internet Service Provider, our client was lucky to see 70% uptime, for which quite a monthly premium was paid. Furthermore, depending on the country, local Internet traffic could be monitored by the government. This meant our client’s highly valuable data traffic to and from its corporate office back in the United States could have been monitored at any given time, in turn, costing them millions of dollars. As a result, Kernel worked with a US based satellite company to provide more reliable Internet service and also established a secure cryptographic tunnel to and from the remote sites and corporate office. Traffic is now secure and unintelligible to anyone attempting to listen in on data being transmitted.

IT management: Finding reputable IT technicians that are able to manage a mobile network was a difficult task for client X. Not only do you have to deal with background checks and experience, you also have to worry about ulterior motives of any individuals hired; are they funneling critical information to a competing organization for some extra money on the side? In stepped Kernel, providing full-time, on-site IT personnel to assist in network setup, management, and general computer troubleshooting. All at a fraction of the cost that it takes to hire, train, and retain an individual with the same experience on staff in a remote location.

Site Security: Security in this part of the word is not a joke. Dangers lurk around all corners and it’s important to keep documentation and records of site happenings. Prior to Kernel, our client’s security camera solution was a hodge-podge of devices sending their video to a large Windows XP machine with no redundancy. Furthermore, this solution was a misconfigured wireless system providing 50% of the video capture on a good day! Kernel, seeing this lapse in continuity, quickly provided a solution to minimize any potential downtime.

Wireless access points and wireless client bridges were quickly upgraded and configured correctly to maximize transmit distance (upwards of 5km) and security. Cameras were also outfitted with the correct mechanisms in order to provide resiliency for the harsh elements in the region. Many of the existing cameras required a functionality upgrade to enable them to pan-tilt-zoom in high resolution up to 100 yards away as well. Lastly, the server required redundancy and resiliency. Instead of utilizing the existing server, Kernel opted for a customized Linux Operating System based mini-DVR server, which allowed for viewing through any authenticated web browser. This allowed any person responsible anywhere in the world to access the security feeds of the site in real time.

In addition to the security cameras, Kernel also provided customized cell phone signal disrupters at this particular site due to the nature of threats. These customized devices are able to jam cell phone signals for a given range, thereby rendering any cell phone-operating device utterly useless.