USB Tether to iPhone from Linux

Once you connect your iPhone to the Linux host with a USB cable, you should get the usual Trust dialog on the phone. Tap Trust; otherwise the Linux host won’t be able to communicate with the iPhone over the USB cable.

After you tap Trust, check the dmesg log for evidence of the iPhone being detected by the computer:

[ 4670.866484] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[ 4671.009493] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.02
[ 4671.009498] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4671.009502] usb 1-2: Product: iPhone
[ 4671.009505] usb 1-2: Manufacturer: Apple Inc.
[ 4671.009508] usb 1-2: SerialNumber:
[ 4671.039802] audit: type=1130 audit(1574722083.595:53): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=usbmuxd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.065133] usbcore: registered new interface driver ipheth
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0
[ 4676.306473] ucsi_acpi USBC000:00: PPM NOT RESPONDING

Umm… enp0s20f0u2c4i2, okay; eth0 would have been fine, but you know… Or you can run ip link to find it:

$ ip link
...
3: enp0s20f0u2c4i2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000    link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff

Now that the iPhone is linked with the computer, it’s time to grab an IP address:

$ sudo dhclient enp0s20f0u2c4i2

No errors from dhclient, so let’s check whether we got an IP address:

$ ip addr
...
5: enp0s20f0u2c4i2:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 3a:53:9c:09:4f:de brd ff:ff:ff:ff:ff:ff
     inet 172.20.10.2/28 brd 172.20.10.15 scope global dynamic noprefixroute enp0s20f0u2c4i2
        valid_lft 84663sec preferred_lft 84663sec
     inet6 fe80::ac11:fcb6:de39:d9b5/64 scope link noprefixroute 
        valid_lft forever preferred_lft forever

Looks good. Let’s test connectivity with a simple ICMP Echo Request:

$ ping cormier.co
PING cormier.co (104.27.175.48) 56(84) bytes of data.
64 bytes from 104.27.175.48: icmp_seq=1 ttl=59 time=21.8 ms
64 bytes from 104.27.175.48: icmp_seq=2 ttl=59 time=27.6 ms  
64 bytes from 104.27.175.48: icmp_seq=3 ttl=59 time=28.5 ms  
64 bytes from 104.27.175.48: icmp_seq=4 ttl=59 time=22.4 ms^C
--- cormier.co ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms  
rtt min/avg/max/mdev = 21.831/25.060/28.464/2.973 ms
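The steps above (find the ipheth interface, bring it up, lease an address, confirm connectivity) can be scripted. The script below is an added example, not part of the original post; it assumes the ipheth kernel driver, iproute2, dhclient and ping are installed, and it reads the interface name from sysfs (the driver symlink under /sys/class/net/<iface>/device/) with the dmesg “renamed from” line as a fallback. The sample dmesg text is constructed from the log shown above.

```shell
#!/bin/sh
# Added example, not from the original post: find the iPhone's ipheth
# interface and bring it up the way the post does by hand.
# Assumes the ipheth kernel driver, iproute2, dhclient and ping are present.

# Constructed sample of the two dmesg lines that matter (copied from the post's log).
SAMPLE_DMESG='[ 4671.065013] ipheth 1-2:4.2: Apple iPhone USB Ethernet device attached
[ 4671.073395] ipheth 1-2:4.2 enp0s20f0u2c4i2: renamed from eth0'

# Interface name from the "renamed from" line; reads dmesg text on stdin and
# prints the last match (prints nothing if the driver never attached).
ipheth_iface_from_dmesg() {
    sed -n 's/.*ipheth [^ ]* \([^ :]*\): renamed from .*/\1/p' | tail -n 1
}

# On a live host, prefer sysfs: /sys/class/net/<iface>/device/driver is a
# symlink whose target ends in /ipheth for the tether interface.
ipheth_iface_from_sysfs() {
    for drv in /sys/class/net/*/device/driver; do
        [ -e "$drv" ] || continue
        case "$(readlink "$drv")" in
            */ipheth) basename "$(dirname "$(dirname "$drv")")" ;;
        esac
    done
}

# Bring the interface up, lease an address and confirm the default route now
# goes through the phone. Returns non-zero if no ipheth interface exists.
tether_up() {
    iface=$(ipheth_iface_from_sysfs)
    if [ -z "$iface" ]; then
        iface=$(dmesg | ipheth_iface_from_dmesg)
    fi
    [ -n "$iface" ] || { echo "no ipheth interface found; did you tap Trust?" >&2; return 1; }
    ip link set "$iface" up
    dhclient "$iface"
    ip -4 addr show dev "$iface"
    ip route show default
    ping -c 3 -I "$iface" cormier.co
}

# "sudo sh tether.sh up" does it for real; sourcing the file only defines the functions.
if [ "${1:-}" = "up" ]; then
    tether_up
fi
```

Checking ip route show default after the lease matters: once dhclient runs, the phone becomes the host’s default gateway, so all traffic (not just the ping) leaves through the tether.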

Dec 3rd, 2019 • Filed under Linux, Networking

Benefits of Your Own Domain

If you have ever changed email providers, you know the pain of updating your email address with every service you use, a number that only grows by the day; rinse and repeat if you want to change again. This gets old quickly.

To avoid this change of address every time you switch providers, you can purchase a domain and take full control. Moving to a new email provider then becomes a few DNS record changes and no email address change: all existing references keep working, just handled by the new provider.

Having your own domain allows you the flexibility to…

  • Use domain-level services. Test them without destroying content, rules, or mailboxes as it all takes place outside the email solution
  • Move email providers without a change of email address
  • Easily add additional aliases or mailboxes, if your email provider account allows for this.
  • Use domain-level email security, like DKIM or DMARC. More on this later in the article.

Acquiring Domain

You can purchase (register) domains almost anywhere these days and host them in even more places, like Cloudflare and other providers. Depending on the provider you host with, you will have to learn how they manage the zone for your domain. Some have more complex interfaces than others; I prefer consoles with less, but use what you are comfortable with.

Hosting the domain at another provider usually requires domain verification through a DNS TXT record and an update to the SOA record to point to new provider DNS servers. Your DNS registrar should have instructions on how to host your domain with a third party.

I purchase my domains from Hover and host them with Cloudflare. Whom you purchase and host domains with is completely up to you; there are hundreds of companies to choose from.

Email Routing

Routing email with your domain requires a specific type of DNS record, Mail Exchange (MX). These records route inbound email for the domain.

At one time you could use custom domains for free at a lot of email providers, but now it’s usually a premium feature.

Adding your domain to your email provider usually requires verification, through DNS or a file. File verification requires that you have set an A record for the base domain pointing to a location you control, so you can upload a file with specific content; an S3 bucket, for example.

My MX records for Proton Mail are:

cormier.co    mail exchanger = 10 mail.protonmail.ch

Email Security

Properly setting up Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) will mitigate email spoofing attacks involving your domain.

Sender Policy Framework (SPF)

Sender Policy Framework is a technology that specifies which IP addresses are allowed to send email for a given domain. At times you might want a third-party service to send email for your domain, such as Mailchimp or an email security solution like Proofpoint; each of those has to be authorized in the record.

v=spf1 include:_spf.protonmail.ch mx ~all

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail is used to sign outgoing email: it affixes a digital signature, linked to your domain, to each outgoing message. The recipient can verify the signature by looking up the public key through DNS.

v=DKIM1; k=rsa; p=MIGfMA0GCSqGS...

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC extends DKIM and SPF with policy: what to do if SPF and/or DKIM fails, plus a third check, alignment. DMARC checks that the domain in the From header aligns with the domains that SPF and DKIM authenticated.

Like SPF and DKIM, DMARC uses the concept of a domain owner, the entity or entities that are authorized to make changes to a given domain.

SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. Beyond requiring that the SPF check pass, DMARC additionally checks that the envelope MAIL FROM (“5321.MailFrom”) domain aligns with the From (“5322.From”) header field.

v=DMARC1; p=quarantine; rua=mailto:[email protected]
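To make the alignment rule concrete, here is an added example (not from the original post) that parses the three record formats shown above and evaluates a constructed message the way a receiving server applying DMARC would. It goes a little beyond the post: it handles both relaxed and strict alignment (the aspf/adkim tags) and a DKIM signature as the second path to a pass. The SPF and DKIM strings are the ones published above; the rua mailbox is a placeholder, and the organizational-domain shortcut (last two labels instead of the Public Suffix List) is a simplifying assumption.

```python
"""Added example, not from the original post: parse SPF, DKIM and DMARC
records and apply DMARC identifier alignment to a constructed message."""

# Records as published on the page (the DKIM public key is truncated there);
# the rua address is a placeholder, not the post's real mailbox.
SPF_RECORD = "v=spf1 include:_spf.protonmail.ch mx ~all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGS..."
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-placeholder@example.invalid"


def parse_tag_value(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def parse_spf(record: str):
    """Split an SPF record into (version, [(qualifier, mechanism), ...], all_qualifier).
    A missing qualifier means '+'; the qualifier on 'all' is the default result
    for senders that match nothing else ('~' is softfail, '-' is fail)."""
    terms = record.split()
    version = terms[0].split("=", 1)[1]  # "v=spf1" -> "spf1"
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"
        mechanism = term[1:] if has_qualifier else term
        if mechanism == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, mechanism))
    return version, mechanisms, all_qualifier


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real DMARC uses the
    Public Suffix List; this assumption is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain sharing the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(dmarc_record: str, from_domain: str, spf_result: str,
                   mailfrom_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' if at least one aligned authentication passed, otherwise the
    disposition the record requests in p= (none/quarantine/reject)."""
    tags = parse_tag_value(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    print(parse_spf(SPF_RECORD))
    print(parse_tag_value(DKIM_RECORD)["k"], parse_tag_value(DMARC_RECORD)["p"])
    # Constructed legitimate message: envelope and From both at the post's domain.
    print(dmarc_evaluate(DMARC_RECORD, "cormier.co", "pass", "cormier.co", "none", ""))
    # Constructed spoof: SPF passes for the sender's own domain, but From claims cormier.co.
    print(dmarc_evaluate(DMARC_RECORD, "cormier.co", "pass", "sender.example", "none", ""))
```

The second evaluation is the case SPF alone cannot catch: the sending server is legitimately authorized for its own domain, so SPF passes, but the domain is not aligned with the From header the recipient actually sees, so DMARC applies the quarantine policy.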

Verify

MXTools has all the tools needed to verify that email security has been set up correctly and to aid troubleshooting.

Check SPF
Check DKIM
Check DMARC

Web Content (Optional)

It’s nice to have some type of web content at the root of your domain. For cormier.co, for example, the A record points to a WordPress instance, so if someone pastes my domain into a browser, they end up at this blog.

This blog is hosted on a Linux instance, running WordPress, blah, blah, blah. The root DNS A record for my domain is a Cloudflare endpoint that proxies to my Linux instance.

 > cormier.co
   Server:        10.0.70.2
   Address:       10.0.70.2#53 
 Non-authoritative answer:
 Name:    cormier.co
 Address: 104.27.175.48
 >

You can point it anywhere; a public Amazon S3 bucket would work just as well as a WordPress instance.

Happy computing!

Nov 17th, 2019 • Filed under Best Practices, DNS, S3

Do Not Disturb: The iOS Feature Everyone Should be Using

Take control of that dopamine-inducing device you carry everywhere by silencing notifications when you need your attention the most: during the day, when tasks need doing.

Smartphones, the wonderful devices invented at the turn of the century, really came into their own with iPhone and Android. Not to mention the billions of notifications from Nokia, Motorola, and BlackBerry devices in the years prior.

Settings > Do Not Disturb

Over the years, the amount of time these smartphones steal from us over the course of a day has only grown. Text messages, emails, phone calls (does anybody answer these?), and apps all send notifications for your eyeballs.

To avoid this I have been using the Do Not Disturb (DND) feature of Apple’s iOS. This feature allows me to silence notifications on a schedule, 8AM-5PM in my case. It also allows my Favorites to reach me, so necessary people can reach me if they need to.

You can also set up Auto-Reply messages if you like, to inform contacts that you have DND turned on.

Once you have DND set to your liking, your day will be much smoother and you can check your notifications when you see fit. All the notifications will still come in as normal; you just won’t see or hear them. But you can still allow important Contacts through for emergencies.

Jul 9th, 2019 • Filed under Apple, iOS

Security Debunk: Security Challenge Questions

The security field has umpteen myths and quirks that people believe, giving them a false sense of security. One of the most common is security challenge-response questions.

This feature usually comes in the form of picking from a list of questions, or supplying your own, and then supplying your answers.

In its basic form, the challenge questions are used as a poor man’s second factor or as part of an account recovery feature.

What is happening here?

People think that nobody but them would be able to find or guess the answers to their personal questions. In reality this information is likely a click away, providing little to no additional security to your account; if anything it makes your account less secure, giving attackers an avenue to gain access to it.

Attackers can obtain your information in numerous ways: another breach, if your information was among the millions of records stolen or leaked, social media, old account statements, etc.

Two Factor Authentication (2FA)

If you combine two components together, you can improve your security posture greatly. A great example is a bank ATM card: it allows access to your bank account only when possession of the card is combined with something you know.

This would be a code from a virtual app, a physical token, or a text message to a mobile phone. My favorite physical token is the YubiKey by Yubico. For virtual tokens I use LastPass Authenticator, but any 2FA app can be used, like Microsoft Authenticator or Authy.

Note: Text/SMS two-factor methods have come under scrutiny recently due to attackers social engineering telco customer service agents into activating the account on another SIM, aptly named the SIM swap scam. This type of attack isn’t preventable by the user, as it’s an attack on the mobile carrier’s process, not an attack on the technology.

Tip

If you have to use security questions, meaning there is no other service that provides what you want, consider choosing fake answers to your security questions. Answers that aren’t true will be harder to obtain or guess.

Happy secure surfing!

Jul 4th, 2019 • Filed under Access Control, Security

Tips for Hardening Your LastPass Account

LastPass is a great service, one I don’t mind paying for because I know the value obtained and the time it saves; it’s worth it. It’s nice to be able to generate reliably secure passwords with ease and save them to a secure encrypted online vault.

The security of the LastPass master account is of the utmost importance, as these are the keys to the kingdom. Therefore, enabling a few features in LastPass can make your account much more secure. Some of these features might require additional setup outside LastPass, additional hardware or services like the YubiKey, and/or a Premium/Enterprise subscription, which can incur costs.

Country and Tor Restrictions

To start, let’s allow logins to your LastPass account only from select countries: countries from which you know you will need access to your LastPass account. Also, disallow logins from VPN/anonymous proxies and unknown locations.

Click Show Advanced Settings if you don’t see the options in the screenshot below.

Disallow logins from Tor networks is a separate option.

LastPass Security Options

Adjust your security preferences as you see fit.

Two Factor Authentication

Enable Two Factor Authentication (2FA) with a physical device like a YubiKey or a virtual authenticator app like LastPass Authenticator. Free accounts can use only virtual tokens.

LastPass Multifactor Options

Without providing both the access code and the credentials, access to the vault and account is denied.

LastPass supports an array of 2FA methods: LastPass’s own authenticator, Salesforce, Google and Microsoft authenticators, Grid (a paper-based password system), smartcards, fingerprint readers, and more.

Session Management

LastPass has a setting to automatically log off other devices when you log in, preventing a trail of open sessions.

Proactive Steps

Click the Destroy sessions button under the Tools heading; this opens another tab, the Your Active LastPass Sessions page.

Feb 9th, 2019 • Filed under Best Practices, Management, Security