Active Topics
-
Camera phone competition March 2023 "Endless" (35)
to General by Maemish - 1 day, 22 hrs ago -
TLS 1.2 for N9 is ready (28)
to MeeGo / Harmattan by smartblu9 - 1 day, 23 hrs ago -
Maemo repository (3)
to Community by torsen - 2 days, 15 hrs ago -
Error after installing Leste on sdcard (11)
to Maemo 7 / Leste by Maemish - 3 days, 12 hrs ago -
Introducing ubiboot N9 (multiboot OS loader) (1,393)
to Alternatives by smatkovi - 4 days, 19 hrs ago - more...
| The Following 8 Users Say Thank You to stlpaul For This Useful Post: | ||
|
2011-06-15
, 14:43
|
|
Posts: 1,141 |
Thanked: 781 times |
Joined on Dec 2009
@ Magical Unicorn Land
|
#12
|
Use iptables/ip6tables to drop all incoming and outgoing connections over your wifi adapter, only allowing traffic out to your VPN/SSH tunnel server. And use that tunnel for everything.
Otherwise, don't use open wifi, use your 3G internet instead.
Otherwise, don't use open wifi, use your 3G internet instead.
| The Following 4 Users Say Thank You to stlpaul For This Useful Post: | ||
|
|
2011-06-15
, 14:55
|
|
Posts: 135 |
Thanked: 75 times |
Joined on Apr 2011
@ Buenos Aires, Argentina
|
#13
|
Originally Posted by stlpaul
That would be very effective. It would make virtually impossible to penetrate Maemo, and to sniff in/out traffic.
Use iptables/ip6tables to drop all incoming and outgoing connections over your wifi adapter, only allowing traffic out to your VPN/SSH tunnel server. And use that tunnel for everything.
Otherwise, don't use open wifi, use your 3G internet instead.
That's a must-do. Thanks!
PS: I didn't want to explain it because it was offtopic, but 3G in my country doesn't work with N900 3g freq spectrum :/
 |
|
2011-06-15
, 14:58
|
|
Posts: 162 |
Thanked: 64 times |
Joined on Mar 2011
|
#14
|
I don't think disabling sshd would actually change anything, openssh is pretty secure
|
|
2011-06-15
, 14:59
|
|
Posts: 135 |
Thanked: 75 times |
Joined on Apr 2011
@ Buenos Aires, Argentina
|
#15
|
Originally Posted by JadeH
Any problems with dropbear ssh implementation?
I don't think disabling sshd would actually change anything, openssh is pretty secure
|
|
2011-06-15
, 15:08
|
|
Posts: 560 |
Thanked: 422 times |
Joined on Mar 2011
|
#16
|
I'm intigued by this. The N900 is not just a Linux device but an ARM Linux device with no real java support, which means a virus is a lot less likely than say, for a winxp user. However, access by others on the same network via tcp/ip etc. might be possible, mightn't it?
When normal precautions are taken (no ssh, no non-ssl IM, etc.), is the decive is totally secure?
How vunerable is the N900, when connected to an open wifi network?
Can others access it via a connection protocol?
If so, to which areas/folders?
Can anything be done to improve the operating security of the device, to reduce/prevent access to file system, any ongoing phone calls or sms coversations?
I guess the worst case scenario would be an attack from a malicious N900 user - what steps could be taken before and after, as damage limitation and notification?
When normal precautions are taken (no ssh, no non-ssl IM, etc.), is the decive is totally secure?
How vunerable is the N900, when connected to an open wifi network?
Can others access it via a connection protocol?
If so, to which areas/folders?
Can anything be done to improve the operating security of the device, to reduce/prevent access to file system, any ongoing phone calls or sms coversations?
I guess the worst case scenario would be an attack from a malicious N900 user - what steps could be taken before and after, as damage limitation and notification?
| The Following User Says Thank You to demolition For This Useful Post: | ||
|
|
2011-06-15
, 15:13
|
|
Posts: 673 |
Thanked: 856 times |
Joined on Mar 2006
|
#17
|
How old is openssh within N900?
There are known exploits for older version of OpenSSH which don't require username/password knowledge.
TSL/SSL may be breached through redirections, especially if the logon page is loaded through basic http without SSL.
Don't use unencrypted login pages.
Basically, since the software running inside N900 is relatively old and therefore very well known to the attackers, you may have additional holes.
There are known exploits for older version of OpenSSH which don't require username/password knowledge.
TSL/SSL may be breached through redirections, especially if the logon page is loaded through basic http without SSL.
Don't use unencrypted login pages.
Basically, since the software running inside N900 is relatively old and therefore very well known to the attackers, you may have additional holes.
__________________
http://gpl-violations.org/faq/violation-faq.html
http://gpl-violations.org/faq/violation-faq.html
| The Following 4 Users Say Thank You to momcilo For This Useful Post: | ||
|
|
2011-06-15
, 15:30
|
|
Posts: 673 |
Thanked: 856 times |
Joined on Mar 2006
|
#18
|
Don't accept any new certificates within browser, chat application or mail client.
That may not be enough, comodo has issued certificates without checking identity of servers for such as yahoo, google, etc.
It may be possible that some of these certificates are not revoked (detected) yet.
http://threatpost.com/en_us/blogs/ph...-others-032311
EDIT: Tribute to Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Last edited by momcilo; 2011-06-15 at 15:34.
That may not be enough, comodo has issued certificates without checking identity of servers for such as yahoo, google, etc.
It may be possible that some of these certificates are not revoked (detected) yet.
http://threatpost.com/en_us/blogs/ph...-others-032311
EDIT: Tribute to Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
__________________
http://gpl-violations.org/faq/violation-faq.html
http://gpl-violations.org/faq/violation-faq.html
Last edited by momcilo; 2011-06-15 at 15:34.
| The Following 4 Users Say Thank You to momcilo For This Useful Post: | ||
|
|
2011-06-15
, 15:46
|
|
Posts: 135 |
Thanked: 75 times |
Joined on Apr 2011
@ Buenos Aires, Argentina
|
#19
|
Originally Posted by demolition
This is a VERY interesting question. In fact, that was more or less what I intend to post but my poor english doesn't help a lot.
I'm intigued by this. The N900 is not just a Linux device but an ARM Linux device with no real java support, which means a virus is a lot less likely than say, for a winxp user. However, access by others on the same network via tcp/ip etc. might be possible, mightn't it?
When normal precautions are taken (no ssh, no non-ssl IM, etc.), is the decive is totally secure?
How vunerable is the N900, when connected to an open wifi network?
Can others access it via a connection protocol?
If so, to which areas/folders?
Can anything be done to improve the operating security of the device, to reduce/prevent access to file system, any ongoing phone calls or sms coversations?
I guess the worst case scenario would be an attack from a malicious N900 user - what steps could be taken before and after, as damage limitation and notification?
| The Following User Says Thank You to sr00t For This Useful Post: | ||
|
|
2011-06-15
, 17:06
|
|
Posts: 673 |
Thanked: 856 times |
Joined on Mar 2006
|
#20
|
Originally Posted by sr00t
Given the fact that the support for N900 was relatively poor when it comes to basic functionality (many unresolved bugs), it is quite reasonable the expect the security aspects were neglected too.
This is a VERY interesting question. In fact, that was more or less what I intend to post but my poor english doesn't help a lot.
In fact I can bet that SSL attack can be mounted against any of the devices such as 770, N800, N810, N900. Especially if the certificate trust store contains Comodo root certificates (Haven't check that yet!).
__________________
http://gpl-violations.org/faq/violation-faq.html
http://gpl-violations.org/faq/violation-faq.html
| The Following User Says Thank You to momcilo For This Useful Post: | ||
As root. Turn off sshd: