Security failures: How not to install software (rant)

Recently I needed to install an Eclipse IDE on my dev system. The proposed way (it’s for openhab) is to use the Eclipse Installer; since I hadn’t used it before, it seemed quite interesting. And indeed it is! Eclipse installations on Windows are unfortunately quite unnerving… Unzipping packages and moving them around is something I really don’t enjoy, so using an installer seems pretty nice.

The first thing I noticed is its ability to install itself for later use (good idea!), the second was that it behaves like most programmes (e.g. Chrome, Adobe Reader, …) and simply puts itself in a path which doesn’t require UAC (e.g. my user folder). BAD!

What’s the use of ACLs on paths when every developer simply uses other paths… Really, guys.

But you could’ve guessed, it got worse. After choosing my required IDE style (Java something) it started to download a whole bunch of jar files (nothing unexpected, I suppose). Since this takes some time, I browsed the web some more, yet after a while I checked the progress and saw the really bad stuff.

[Screenshot: Eclipse installer downloading over HTTP]

Cybersecurity war… it’s all over the news and devs are easily installing executable software over HTTP? Are we all that stupid?

Yet I guess when I can do things like this:

[Screenshot: Docker installer]

[Screenshot: Node.js install]

It is really no wonder we get things like this: “Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store”

Setup RaspberryPi with minified raspbian (minibian)

Today I finally got around to fiddling with one of my RaspberryPis again. I received a couple of Bluetooth LE USB sticks on Friday and thought about doing some iBeacon stuff.
But first I’ll install a clean Raspbian so I won’t kill any other projects or run into issues with this. Since I’m kind of lazy I usually follow some tutorials instead of remembering all the required commands. Yet, today I figured why not just write it down so I always have it available. I’m using Minibian because I won’t need any of the GUI stuff and it’s just simpler than stripping down an existing image.

The only side effects are:

  • I have to resize the filesystem first before doing anything else (I forgot it way too often!)
  • I have to remember where to get the setup instructions for the WiFi module

Step 1 – Installation

Download Minibian

https://minibianpi.wordpress.com/

It’s really great work and all credit goes to Luca Soltoggio.

I usually just use 7Zip and extract the image to disk, afterwards I put in a microSD card and use Win32DiskImager to write the file to the SD card.

If you’re on Linux you can use dd and probably won’t need any advice on how to do this anyway.

Step 2 – Preparations

Start putty and connect to raspberrypi via SSH. Login credentials are root/raspberry (another thing I tend to forget, but you can find it in the Minibian FAQ). Then, since I’m lazy, I use raspi-config, which is not installed by default. But that is no problem, just type in

apt-get install raspi-config -y

Be careful: Do not attempt to do an apt-get update beforehand!

After the successful installation just start the tool by writing

raspi-config

Now I first resize the filesystem and afterwards change the timezone to my local timezone. You can finish afterwards and agree to the reboot (it’s required for the changes to take effect).

Step 3 – Updates & Tools

Well done. Now you have enough space available to update your system!

apt-get update && apt-get upgrade

In case of any questions answer with yes (y).

apt-get dist-upgrade

After both Upgrade and Dist-Upgrade we should also update the Raspberry Pi firmware. First we install some basic tools with

apt-get install nano sudo rpi-update usbutils -y

Then we use

rpi-update

for our firmware update needs.

Step 4 – Wireless Lan

After the next reboot we will have a completely up-to-date system. Awesome, but I want to remove the fiddly Ethernet cable which is always in my way.

In order to achieve this I bought some of the famous Edimax WiFi sticks. Those require some special firmware and a few tools, which can be easily installed via apt-get

apt-get install firmware-linux-nonfree wireless-tools wpasupplicant -y

Afterwards we have to bring up the WiFi device. First verify that it’s available

ip a
iwconfig

It is usually named “wlan0”; in this case just use

ip link set wlan0 up

to bring it up. Then you can either scan the list of available gateways first with

iwlist scan

or directly configure the /etc/network/interfaces file.

This is done with nano so we open the file directly in the nano editor

nano /etc/network/interfaces

There we add the following text

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
        wpa-ssid myssid
        wpa-psk mysecret

If you changed the SSID and secret accordingly you can close nano with Ctrl-X.
With

ifup wlan0

we can force the connection.

Step 5 – Security

In the first four steps we did all the basic setup stuff which is required to use the Raspberry Pi as a headless system. Yet, there are still some things to do.

We have lots of security issues: we haven’t changed the login credentials, we still use root all the time and we could use a firewall.

So bear with me for just a few additional steps. Even if you just plan to do fun stuff with your Pi, it is always worth learning how to do it right.

Since we did most of the admin tasks as root, it is time to create our personal user account.

Type in

adduser myname

to create your default user.

usermod -a -G sudo myname

With the second command we allow ourselves to gain additional rights with the sudo command. You’ll see this in action soon.
Now you should reboot and log in with your new user.

To enhance our security we will switch to key based authentication. Since I already have a key, I can just use

If you don’t have a key pair, follow the steps in this guide and copy the contents of your id_rsa.pub file into /home/myname/.ssh/authorized_keys

Paste your public key into this file and use Ctrl-X to save.

Well, we did it! We have a key; unfortunately we also need to enforce the use of this key. Therefore we will modify the sshd config

sudo nano /etc/ssh/sshd_config

Change the value of “PermitRootLogin” from yes to no.
Then uncomment “PasswordAuthentication” (remove the leading #) and change its value from yes to no.
Now restart the SSH server with

sudo /etc/init.d/ssh restart
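The same two sshd_config edits as a small POSIX shell script that can be re-run safely and checks its own result (an added example, not from the original post). It assumes the settings live in the global section of the file (Match blocks are not handled) and uses a constructed sample config so it can be tried offline before touching the real file.

```shell
#!/bin/sh
# Added example, not from the original post: applies the two sshd_config
# edits from Step 5 without an editor and verifies that they took effect.
# Assumption: no "Match" blocks; only the global section is handled.

# set_sshd_option FILE KEY VALUE: rewrite every existing "Key ..." line,
# commented out or not, as "Key VALUE"; append the line if the key is absent.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" \
            "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY: print the value sshd will actually use,
# i.e. the first uncommented occurrence (keywords are case-insensitive).
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: the Step 5 changes; exit status 0 only if both are in effect.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    [ "$(effective_sshd_option "$1" PermitRootLogin)" = "no" ] &&
        [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# demo_sshd_config: writes a constructed sample config (not a real Pi file)
# to a temp file and prints its path, so the functions can be tried offline.
demo_sshd_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
    printf '%s' "$tmp"
}

# On the Pi: run "harden_sshd /etc/ssh/sshd_config" as root (e.g. via sudo),
# then restart the SSH server as in the post.
```

Keep your current SSH session open while you do this, so that a typo in the config cannot lock you out before the key login is confirmed to work.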

The last step with regards to passwords is to change the root password. You can simply run

and enter the new password.

Finally! The most important part is done.
But we still want our firewall… these are the 3 simple steps for your new and shiny firewall.

sudo apt-get install ufw
sudo ufw allow 22
sudo ufw enable

That’s it!

MQTT and CoAP: What is it about?

When I was travelling home last weekend, I went into one of the well known newspaper shops available in nearly all German train stations. Usually I sweep through the shelves and look for some news on the Raspberry Pi. Then I get bored because I’ve already read about similar projects on a great blog. This time the German magazine iX caught my eye with its headlines about IoT and immediately I got interested. It’s normally a good source for everything more enterprise oriented. One of the main articles in the current issue of iX is related to MQTT. I’m a big fan of this so called M2M protocol, it is easy to understand and super easy to implement.

But there is another cool kid called CoAP and from what I’ve seen many leave it on the side of the road because all the buzz is around MQTT. Now I would like to put it out on the stage and into the spotlight. Just so nobody forgets it.

CoAP is an abbreviation for Constrained Application Protocol; it is pretty similar to a lightweight HTTP. It implements the same basic methods, such as GET, POST and PUT. In addition, there is an extension of CoAP which implements an observer mode of operation similar to the publish/subscribe paradigm realized in MQTT. CoAP uses uniform resource identifiers (URIs) and is designed to allow efficient mapping to common HTTP by translation proxies. The following figures showcase the different patterns of MQTT and CoAP:

Left: CoAP, Right: MQTT

The choice between those two protocols depends heavily on what you plan to implement in your specific use case. I for one would not use CoAP in a scenario where I want to loosely couple my massive sensor network with a centralized server (e.g. a broker). Yet, I would – in most cases – prefer to use CoAP if I need to pull information (e.g. a status) from a device.

Security

Although it is often forgotten: When we as makers want to be serious about the greatness of an internet of things, we have to care about security!

Luckily both MQTT and CoAP support encryption: MQTT by means of TLS, and CoAP through DTLS, a variant of TLS for UDP-based protocols.

Usage

After all this talk about how great it is I would like to give a few examples where it is already used.

Lightweight M2M is one of the current attempts to standardize M2M platforms and protocols. It is a relatively lightweight approach and depends heavily on CoAP. There are existing implementations by the Eclipse Foundation, e.g. Leshan (LWM2M Server), Wakaama (LWM2M Client) and Californium (CoAP Framework).

And the awesome Particle Photon (ex Spark) also uses CoAP for its family of microcontrollers.

I haven’t implemented CoAP in my projects yet though I definitely plan to. If you have experience with CoAP or LightweightM2M I would be pretty interested to hear about it!

Welcome to Thing Hub

Hi,

my name is Tobias. I’m an avid IoT advocate, tech junkie and software developer. In my free time I play around with RaspberryPis, Arduinos, Particle Photons and other IoT related technology.

This includes the lovely Node-Red, my mighty Cubietruck (running Owncloud) and of course the ESP8266.