
Use Ubuntu’s “hostapd” to monitor your smartphone

I don’t like smartphones at all. I do not like how people use them in bars and restaurants. I also don’t like that the phone is always online, especially since all kinds of “apps” and background processes are constantly leaking information about me. Call me a fool, but I’m worried about my privacy. Since my friends nowadays refuse to send me SMS (they rely solely on WhatsApp) I was getting socially isolated (showing up at canceled events and so on). That is why I recently gave up my stubbornness and decided to buy a smartphone as well. Still, every day I wonder what (and how) my smartphone is communicating over the Internet. To get an answer to this question I decided to investigate.

Parts

Sitecom WL-113 Wireless Network USB Adapter, Wireshark

I had the above Sitecom (WL-113) USB wifi dongle lying around that could serve as an access point for my phone, so that I could peek into the communication on my PC using the excellent open source Wireshark software. This is a diagram of the infrastructure:

[diagram: wl-113_network]

I am running Xubuntu 14.04 and I connected my USB dongle.

Preparation

First I ran “lsusb” to confirm the adapter was identified.

maurits@nuc:~$ lsusb
...
Bus 002 Device 024: ID 0df6:9071 Sitecom Europe B.V. WL-113 rev 1 Wireless Network USB Adapter

And yes it was. Great! Now to see what the system says about it when I connected it. Running “dmesg” showed me the driver that was loaded:

maurits@nuc:~$ dmesg
...
[20068.576242] usb 2-1.4: new high-speed USB device number 24 using ehci-pci
[20068.669492] usb 2-1.4: New USB device found, idVendor=0df6, idProduct=9071
[20068.669498] usb 2-1.4: New USB device strings: Mfr=16, Product=32, SerialNumber=0
[20068.669501] usb 2-1.4: Product: USB2.0 WLAN
[20068.669504] usb 2-1.4: Manufacturer: Sitecom
[20068.744236] usb 2-1.4: reset high-speed USB device number 24 using ehci-pci
[20068.837283] ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
[20068.837521] zd1211rw 2-1.4:1.0: phy12
[20068.855382] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready

To see whether the adapter was really there I ran “ifconfig -a”, and yes it was, and it was named “wlan0”:

maurits@nuc:~$ ifconfig -a
...
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:634228 (634.2 KB)  TX bytes:634228 (634.2 KB)

wlan0     Link encap:Ethernet  HWaddr 00:00:de:ad:be:ef
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I did get a little curious about what the dongle would look like on the inside, so I Googled for “zydas wl-113”. I found the following image on Wireless-Forum.ch:

[image: wl-113 (internals, from Wireless-Forum.ch)]

I also found a guy who had a Sitecom WL-113 with a Ralink 2571WF chip inside (probably not a “rev 1” model). But I am pretty sure mine has a ZyDAS 1211 as in the above picture (but I did not open it up). Before we can do “nice” things with it we need to see whether it supports “master mode”. This means that the dongle goes into a mode in which it behaves as an access point. Ubuntu has a tool called “iw” (install it with “sudo apt-get install iw”) that allows you to list the supported modes (amongst many other things) like this:

maurits@nuc:~$ iw list
Wiphy phy12
    ...
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point

Bingo! Our dongle supports “AP” mode (many devices do not). You may want to try to put the adapter in master mode with the following command:

maurits@nuc:~$ iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
    SET failed on device wlan0 ; Operation not permitted.

But that fails. After reading around on the web a little I found that this does not mean that the dongle does not support it: “iwconfig” uses the old wireless-extensions interface, while “hostapd” drives the adapter through nl80211.

Installing “hostapd” the host access point daemon

You just need to install the “hostapd” program using “sudo apt-get install hostapd”. Before you can start the hostapd application you need to take a few steps. First I had to create the “/etc/hostapd/hostapd.conf” file with the following contents:

# interface to run the access point on, and the bridge hostapd adds it to
interface=wlan0
bridge=br0
# nl80211 is the driver interface for mac80211 drivers such as zd1211rw
driver=nl80211
ssid=MyNetwork
# 802.11g on channel 7
hw_mode=g
channel=7
# 0 = accept every station unless it is listed in a deny file
macaddr_acl=0
# 1 = open system authentication (no WEP shared key)
auth_algs=1
# 0 = broadcast the SSID
ignore_broadcast_ssid=0
# 3 = accept both WPA and WPA2 clients (2 would be WPA2 only)
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
# cipher offered to WPA clients (TKIP) and to WPA2 clients (CCMP/AES)
wpa_pairwise=TKIP
rsn_pairwise=CCMP
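The configuration above accepts both WPA and WPA2 clients and offers TKIP, and it ships with a placeholder passphrase. As an added example (not code from the original post), the following script parses a hostapd.conf and flags those weak settings; the function names, the severity labels and the hardened variant are my own, and the key semantics are the ones documented in hostapd’s example configuration (wpa is a bit field, wpa_pairwise applies to WPA clients and rsn_pairwise to WPA2 clients, a passphrase must be 8 to 63 characters):

```python
# Added example, not part of the original post: audit a hostapd.conf for
# settings that weaken the access point.

# Constructed sample: the configuration from the post, verbatim.
SAMPLE_CONF = """\
interface=wlan0
bridge=br0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

# Constructed hardened variant: WPA2 only, CCMP only, non-placeholder passphrase.
HARDENED_CONF = (SAMPLE_CONF.replace("wpa=3", "wpa=2")
                 .replace("wpa_pairwise=TKIP", "wpa_pairwise=CCMP")
                 .replace("wpa_passphrase=YourPassPhrase",
                          "wpa_passphrase=example-long-passphrase-2014"))

# Values that are clearly copied from a tutorial rather than chosen.
PLACEHOLDER_PASSPHRASES = {"YourPassPhrase", "password", "passphrase", "12345678"}


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format, skipping blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(conf):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        return [("high", "wpa is not an integer; hostapd will refuse this file")]
    if wpa == 0:
        findings.append(("high", "wpa=0: open network, every frame is sent in the clear"))
    if wpa & 1:
        findings.append(("medium", "wpa bit 1 set: legacy WPA(1) clients accepted; use wpa=2"))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(("medium", f"{key} offers TKIP, a deprecated cipher; use CCMP only"))
    # wpa_psk (a raw hex key) is the alternative to wpa_passphrase; only check the latter.
    if wpa and "wpa_psk" not in conf and "WPA-PSK" in conf.get("wpa_key_mgmt", "WPA-PSK").split():
        pw = conf.get("wpa_passphrase", "")
        if not 8 <= len(pw) <= 63:
            findings.append(("high", "wpa_passphrase must be 8..63 characters"))
        elif pw in PLACEHOLDER_PASSPHRASES:
            findings.append(("high", "wpa_passphrase is a placeholder value; pick a real passphrase"))
    if conf.get("auth_algs", "1") != "1":
        findings.append(("medium", "auth_algs enables shared-key (WEP) authentication; set auth_algs=1"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("info", "hidden SSID adds no protection; clients still probe for it"))
    return findings


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hostapd_conf(parse_hostapd_conf(text)))
```

Run it with the path of a real hostapd.conf read into `parse_hostapd_conf` and the three findings for the post’s file (WPA(1) accepted, TKIP offered, placeholder passphrase) disappear once you set wpa=2, CCMP only and a passphrase of your own.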

Now edit the file “/etc/default/hostapd” and uncomment the “DAEMON_CONF” line and make it:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

If we want the PC to temporarily act like a router we need to enable IPv4 forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

Now you can start the “hostapd” access point software with:

sudo hostapd /etc/hostapd/hostapd.conf

If all goes well it should show:

maurits@nuc:~$ sudo hostapd /etc/hostapd/hostapd.conf
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 00:00:de:ad:be:ef and ssid "MyNetwork"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

If it does not work you may want to run the following:

sudo nmcli nm wifi off
sudo rfkill unblock wlan

This is because network manager has detected the wlan interface and grabbed it. If you need debug output you may run:

sudo hostapd -d /etc/hostapd/hostapd.conf

If you need even more debug output you may run:

sudo hostapd -dd /etc/hostapd/hostapd.conf

If this fails with the following message:

hostapd_free_hapd_data: Interface wlan0 wasn't started

Then execute:

sudo service hostapd stop

If it says it started (using “sudo hostapd”), but you actually don’t see the Wifi network on your smartphone then reconnecting the dongle and starting all over again may help. Note that the “hostapd” service will automatically be started on next boot.

Bridging to get Internet access

[diagram: bridge_configuration]

Now you may want to configure a bridge between eth0 (your Internet connection) and wlan0 (your dongle access point). First we remove the IP address from eth0. Then we add eth0 to bridge br0 (which already contains wlan0, because of the “bridge=br0” line in hostapd.conf). After that we bring the bridge up and let it do DHCP, which also adds a default route to the gateway:

sudo ifconfig eth0 inet 0.0.0.0
sudo brctl addif br0 eth0
sudo ifconfig br0 up
sudo dhclient br0

Now you should still be able to surf the Internet while you also have a software access point running on your computer. If you want to undo the bridge configuration you may run:

sudo ifconfig br0 down
sudo brctl delif br0 wlan0
sudo brctl delif br0 eth0
sudo ifconfig br0 down
sudo dhclient eth0

Permanent configuration (persist on reboot)

The IPv4 forwarding setting can be made permanent by uncommenting the following line in “/etc/sysctl.conf”:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

If you want to make the bridge configuration permanent you can add the following to “/etc/network/interfaces”:

iface wlan0 inet manual
iface eth0 inet manual

auto br0
iface br0 inet dhcp
        bridge_ports eth0

Note that this won’t work as long as the network manager is running, since it will still grab wlan0 and execute “rfkill”. To avoid this you can turn off the network manager completely (and permanently) with:

sudo service network-manager stop
echo "manual" | sudo tee /etc/init/network-manager.override

To re-enable the network manager simply do the opposite:

sudo rm /etc/init/network-manager.override
sudo service network-manager start

Capturing Wifi traffic with Wireshark

Now we can start Wireshark on the wlan0 interface using:

sudo wireshark -i wlan0

And we get nice output:

[screenshot: wireshark_dump]

Using this tool I can record and analyze the communication of the apps I installed on my smartphone.
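Wireshark can save such a capture as a pcap file, and the first thing I look for in a phone’s traffic is which hostnames it resolves. The script below is an added example (not from the original post) that reads a classic pcap file, walks Ethernet/IPv4/UDP to port 53 and lists the DNS names queried per client, the way a Wireshark display filter of “dns.flags.response == 0” would. Everything in it is my own: the function names, the constructed sample capture with the example.com/example.net/example.org names, and the client address 192.168.1.50 standing in for the phone; pcapng, IPv6 and TCP DNS are deliberately not handled.

```python
# Added example, not part of the original post: list DNS names queried per
# client from a pcap file saved by Wireshark (Ethernet link type only).
import struct

PCAP_MAGIC = 0xA1B2C3D4


def read_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # file written in the other byte order
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet link type is supported")
    off = 24                           # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_name(msg, off):
    """Decode a DNS name at off; follows compression pointers with a loop guard."""
    labels, jumped, end = [], False, None
    for _ in range(128):
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:      # compression pointer to an earlier name
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    else:
        raise ValueError("malformed name: too many labels or pointer loop")
    return ".".join(labels), (end if jumped else off)


def dns_queries(pcap_bytes):
    """Yield (src_ip, qname, qtype) for every DNS query sent to UDP port 53."""
    for _ts, frame in read_pcap(pcap_bytes):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                   # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue                   # not UDP
        src = ".".join(str(b) for b in ip[12:16])
        udp = ip[ihl:]
        _sport, dport, _ulen = struct.unpack_from("!HHH", udp, 0)
        if dport != 53:
            continue
        dns = udp[8:]
        _txid, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
        if flags & 0x8000:
            continue                   # QR bit set: a response, not a query
        off = 12
        for _ in range(qdcount):
            name, off = decode_name(dns, off)
            qtype, _qclass = struct.unpack_from("!HH", dns, off)
            off += 4
            yield src, name, qtype


def names_per_client(pcap_bytes):
    """Map each client IP to the sorted list of distinct names it looked up."""
    seen = {}
    for src, name, _qtype in dns_queries(pcap_bytes):
        seen.setdefault(src, set()).add(name)
    return {src: sorted(names) for src, names in seen.items()}


# --- constructed sample capture (not real phone traffic) ---------------------
def _dns_message(txid, name, response=False):
    flags = 0x8180 if response else 0x0100
    question = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question + struct.pack("!HH", 1, 1)


def _udp_frame(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    return b"\x00\x00\xde\xad\xbe\xef" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip


def build_sample_pcap():
    frames = [
        _udp_frame("192.168.1.50", "192.168.1.1", 40001, 53, _dns_message(1, "updates.example.com")),
        _udp_frame("192.168.1.1", "192.168.1.50", 53, 40001, _dns_message(1, "updates.example.com", True)),
        _udp_frame("192.168.1.50", "192.168.1.1", 40002, 53, _dns_message(2, "tracker.example.net")),
        _udp_frame("192.168.1.50", "192.168.1.1", 40003, 53, _dns_message(3, "updates.example.com")),
        _udp_frame("192.168.1.51", "192.168.1.1", 40004, 53, _dns_message(4, "time.example.org")),
        _udp_frame("192.168.1.50", "192.168.1.1", 50000, 5353, b"not dns"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1413000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

On a real capture call `names_per_client(open("phone.pcap", "rb").read())`; the response frame and the non-DNS UDP frame in the constructed sample are there to show that both are skipped rather than miscounted.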

Links/sources

Figuring all the above out was not possible without the following websites:

Block Google and Facebook to improve Firefox privacy

Firefox, a browser built by the Mozilla foundation, is in my opinion the best browser on the web. It is available on all major operating systems including Linux and Android. Unfortunately Firefox is not available for iOS. Firefox is “Committed to you, your privacy and an open Web” and on the Mozilla website they tell us that Firefox is:

  • Trusted: Designed to protect your privacy
  • Flexible: Designed to be redesigned
  • Fast: Faster than ever

On the Firefox privacy page Mozilla says:

We build Firefox with a mission to put you first, above all else.
We do it to keep you in control. We do it so you can browse without worry.
And we do it because no one else will. – Mozilla

I think it is widely accepted (and true) that your privacy is very much at risk when you are surfing the Internet. Firefox will protect your privacy (to some extent) if you tell it to, but you do have to tell it to do so. You can do this by clicking the menu button and clicking “Preferences”. This screen has a privacy tab and I strongly recommend that you set the settings as strictly as shown in the screenshot below:

[screenshot: Firefox privacy settings]

Pay extra attention to the “Accept third-party cookies” and “Tell sites that I do not want to be tracked” options. Unfortunately this last feature just informs any third party of your preference, but it does not actually block the tracking. This is where AdBlock Plus comes into play.

[image: AdBlock Plus logo]

Download Adblock Plus here. After installing you can configure the AdBlock Plus icon (red stop sign) to be present in the toolbar (or not) by clicking the menu icon, clicking “Add-ons” and then the “Extension” tab on the left and then the “Preferences” button of AdBlock Plus. On the bottom there is a list of checkboxes and one is “Show in toolbar”.

[screenshot: AdBlock Plus add-on preferences]

It is very convenient to have the AdBlock Plus icon in the toolbar (left from the menu icon) so that you can quickly disable it if that is needed. It may for instance happen that a site no longer shows you Facebook “Like” buttons and you are very desperate to “Like” something.

[screenshot: AdBlock Plus settings]

For the best experience I would disable “Show tabs on Flash and Java” and disable “Count filter hits”. In the filter preferences I have added three subscriptions and unchecked “Allow some non-intrusive advertising”, like this:

[screenshot: AdBlock Plus filter preferences]

Most people install only “EasyList”, which is easy to find and mainly blocks advertisers. I also recommend the “Adblock Warning Removal List” to avoid any warnings that may appear due to the usage of AdBlock Plus. The other subscription you should have is “Fanboy’s Annoyance List”, which sounds unimportant but actually blocks all Google and Facebook tracking (and many other “annoying” things). These subscriptions may not be available from the user interface, but this should not stop you. You can find them at the following link:

https://easylist.adblockplus.org/en/

AdBlock Plus will block the loading of elements that match the rules that are defined in the subscriptions. These elements can be visible or invisible (scripts or transparent tracking pixels). This does not only improve your privacy online, but also makes websites load faster. It actually matters a lot, as you can see from a quick experiment I did using Firebug. I executed a full page refresh on several websites with and without AdBlock Plus enabled. Below is a graph showing the loading time of each website with AdBlock Plus enabled compared to the loading time without AdBlock Plus enabled. You can see that all sites load faster with AdBlock Plus enabled (<100%), since the browser has to load fewer elements from the website:

[graph: website loading times with and without AdBlock Plus]

This is the data I collected in my (single) run along some popular websites, which is used to draw the above graph. Times are in seconds; the last two columns give the AdBlock Plus time as a percentage of the unblocked time:

           website   total   onload   total ABP   onload ABP   total %   onload %
washingtonpost.com   12.06     6.98        5.12         4.72       42%        68%
       nytimes.com   11.35     5.72        6.84         4.28       60%        75%
             nu.nl    5.17     4.07        2.29         1.63       44%        40%
     microsoft.com    3.41     2.85        2.69         2.15       79%        75%
   mail.google.com   10.19     1.15        8.47         1.12       83%        97%
        google.com    1.58     1.06        0.89         0.84       56%        79%
           cnn.com    9.48     5.45        3.09         2.17       33%        40%
           bbc.com    3.42     3.05        2.09         1.82       61%        60%

So the bottom line is this: by protecting your privacy better, surfing the Internet will go faster. This is a well-kept secret that I share with you “because no one else will.”

About privacy and the ethics of blocking ads

Some people argue that you should not install ad blocking software, because blogs can only exist because banners bring income to the writers. Although I doubt that this is true (direct advertising and editorials pay a magnitude better and cannot be blocked), I want to focus on the opposite: websites stealing from their visitors. By using “free analytics”, “like buttons”, “JavaScript-driven ad engines” and “web-shop tracking” many, if not most, websites are sharing very sensitive (privacy related) information about their visitors with third parties (without the visitors’ consent). This information can be stored and used to identify and profile visitors. The bad thing is that many site owners do not even realize their behavior is unethical (and in some cases even forbidden by law). In my opinion this unethical behavior makes using blocking software ethical.

Panda 4.1 impacts organic traffic from Google

Here is a screenshot of my Google Webmaster Tools search statistics for the past 3 months (sorry for the Dutch dates and text):

[screenshot: Google Webmaster Tools search statistics, past 3 months]

It seems that LeaseWeb Labs was affected by an update of Google’s ranking algorithm named “Panda”. Every now and then Google adjusts the ranking of websites to avoid search engine spam.

Google launched Panda 4.1 on September 25, 2014 and told us it would be a “slow rollout” that would go into the following week. No one really expected the rollout to continue into this week but it has and the fluctuations and ranking changes you are seeing are likely related to that. – searchengineland.com

As you can see in the above graph we have lost 10-20% of our search traffic from Google. We believe that update 27 (version 4.1) of the Panda ranking algorithm is to blame. Although Google may be optimizing their algorithm continuously, updates with high impact do not occur often. It is believed that on Friday 8 August 2011 7% of the queries were affected by an update. Until the May update this year there was never such a big impact from any update. In September we have seen another update and although the impact is said to be smaller, it seems bigger on our site. Below is an overview of this year’s algorithm updates (source):

Update   Name        Date         Queries affected
26       Panda 4.0   2014-05-20   8%
27       Panda 4.1   2014-09-25   4%

So is this really bad? No, not at all! Google needs to fight search engine spam and every honest site benefits from that, so this is also good for us. And we are not completely dependent on Google search traffic. It is estimated that about 40-50% of the total visitors of this site come from Google. So this small loss of organic traffic is hardly visible in our total traffic graph (from the “Count-Per-Day” WordPress plugin), as you can see below:

[graph: total visitors from the Count-Per-Day WordPress plugin]

Did we learn any lesson from this? No, not really. We will just continue to make good (unique) content and trust that Google will keep rewarding us with lots of visitors.

Browse safer by disabling SSLv3 in Firefox

[image: vulnerable to POODLE / SSLv3, links to https://www.poodletest.com/]

You may be at risk! A man-in-the-middle attack may be effective between you and any site that runs on HTTPS. This was explained two days ago by Google in their publication about the POODLE attack. It explains that SSLv3 has a vulnerability and that negotiation of this protocol can be forced by a man-in-the-middle. That man-in-the-middle is able to read (part of) the plaintext of your secure communication with the server. You can click the above image (which links to https://www.poodletest.com/) and if you are vulnerable you will see a poodle.

Fixing the vulnerability is also very easy. If you run a server you may want to check out my post on fixing the POODLE issue in Nginx and Apache. Even transfers from browsers that are not fixed can then no longer be intercepted and decoded by a man-in-the-middle.

[screenshot: Firefox about:config, security.tls.version.min set to 1]

But you should also fix this issue in your browser right now! In Firefox you simply type “about:config” in the address bar and then “tls” in the search bar. Change the value of “security.tls.version.min” from “0” to “1” as the above screenshot illustrates:

Mozilla says that it is making Firefox 34 safe from POODLE by disabling SSLv3 by default. – betanews.com

This change is so easy (only costs a few seconds and requires a browser restart) that I would not wait for Mozilla to release Firefox 34. If you run another browser, and you are looking for a guide, you may want to check out tomsguide.com.

Fix Ubuntu SSLv3 POODLE issue in Nginx and Apache

Are you running an HTTPS website on Ubuntu (or any other Linux) with Nginx or Apache? You may be at risk! A man-in-the-middle attack may be effective. This was explained yesterday by Google in their publication about the POODLE attack. POODLE is an acronym for “Padding Oracle On Downgraded Legacy Encryption”. The attack uses a fall-back to the 18 year old “SSLv3” protocol. The security researchers propose that the easiest “fix” is to disable this legacy SSL variant. Fortunately only a small part of your visitors will be impacted:

All modern browsers and API clients will support TLSv1 and later. Disabling SSLv3 will inconvenience WindowsXP users who browse using Internet Explorer 6 – nginx blog

The attack is registered as CVE-2014-3566. Now let’s quickly look at the commands we need to execute:

Disable SSLv3 on Apache

1) We need to edit the file that holds the Apache SSL configuration:

sudo nano /etc/apache2/mods-enabled/ssl.conf

2) Find the following line:

SSLProtocol all -SSLv2

3) Add the option “-SSLv3” so that the line will look like this:

SSLProtocol all -SSLv2 -SSLv3

4) Now restart Apache to make the change effective:

sudo service apache2 restart

Disable SSLv3 on Nginx

1) We need to search in all virtualhost configuration files for the use of the “ssl_protocols” directive:

maurits@nuc:~$ grep -R ssl_protocols /etc/nginx/sites-*
/etc/nginx/sites-available/default:    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

2) We need to edit each file that holds the “ssl_protocols” directive:

sudo nano /etc/nginx/sites-available/default

3) Find the following line:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

4) Remove the option “SSLv3” so that the line will look like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

5) Now restart Nginx to make the change effective:

sudo service nginx reload

Bonus: Disable SSLv3 on HAProxy

1) Edit the “/etc/haproxy.cfg” file and find your “bind” line. Append “no-sslv3”. For example:

bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3

2) Now restart HAProxy to make the change effective:

sudo service haproxy reload

IMAP/POP3/SMTP

You should disable SSLv3 on all applications you run, so also on your IMAP/POP3/SMTP daemons. Think about Courier-imap, Dovecot, Sendmail and Postfix. For more information read this post on AskUbuntu.

Testing your server

A server that does not support SSLv3 will give the following output when trying to force a SSLv3 connection:

maurits@nuc:~$ openssl s_client -connect www.nginx.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, (NONE), Cipher is (NONE)

A server that is still supporting SSLv3 (and may thus be vulnerable) will give the following output:

maurits@nuc:~$ openssl s_client -connect www.google.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA

NB: You can also test other services with this command, but then you need to change 443 to the appropriate port number.
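The “openssl s_client -ssl3” test above works because the server either completes an SSLv3 handshake or refuses it. As an added example (not from the original post) the script below does the same check by hand so that the decision is visible: it sends a minimal SSLv3 ClientHello and classifies the first record the server returns, a ServerHello with version 3.0 meaning SSLv3 is still enabled and an alert or a closed connection meaning it is disabled. The function names, the short cipher-suite list and the two constructed server replies are my own; the record layout follows the SSLv3 specification (RFC 6101).

```python
# Added example, not part of the original post: check whether a server still
# accepts SSLv3 by sending an SSLv3 ClientHello and classifying the reply.
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# A few cipher suites that SSLv3-era servers commonly offered; any match will do.
CIPHER_SUITES = [0x0005, 0x000A, 0x002F, 0x0035]


def build_sslv3_client_hello():
    """Return one record (content type 22) carrying an SSLv3 ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3                         # client_version 3.0
            + os.urandom(32)              # random
            + b"\x00"                     # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returned to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "sslv3-disabled"          # connection closed without sending a record
    content_type, version = data[0], data[1:3]
    if content_type == 0x15:
        return "sslv3-disabled"          # alert, typically handshake_failure (40)
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:   # ServerHello
        return "sslv3-enabled" if version == SSLV3 else "negotiated-other-version"
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


# Constructed replies for offline use: an SSLv3 ServerHello choosing AES128-SHA,
# and a fatal handshake_failure alert (level 2, description 40).
SAMPLE_SERVER_HELLO = (b"\x16" + SSLV3 + b"\x00\x2a" + b"\x02" + (38).to_bytes(3, "big")
                       + SSLV3 + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT = b"\x15" + SSLV3 + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_sslv3(sys.argv[1]))
    else:
        print("sample ServerHello:", classify_response(SAMPLE_SERVER_HELLO))
        print("sample alert:", classify_response(SAMPLE_ALERT))
```

Run it as “python3 sslv3check.py your.host.example” against a server you administer; as with the openssl command, pass another port for IMAP/POP3/SMTP daemons that speak SSL directly rather than via STARTTLS.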