Features

A Hardened Open Source OS Firewall
256-bit AES VPN Client built in
One year of high speed VPN service
True Plug and Play: no software to install and configure
Can be powered by a USB port
Can Block Malware
Optionally block web advertisements
Protect four of your devices at once
Works with wired and wireless Internet Connections
The Hardware is free for a limited time
Why a Hardware Firewall?

Reduce your attackable surface area
Software firewalls are not as effective as hardware firewalls: they run on the very machine they protect, so a hostile packet has already reached that machine before the firewall sees it
Hackers have had the source code to popular software firewalls
Why let a single malicious packet even reach your computer?
In some countries your laptop is under cyber siege.
Enables VoIP where VoIP is blocked
Access websites where the Internet is censored
Encrypt all of your Internet traffic (Web, Email, Chat, DNS, VoIP)
Tuesday, Jan 08 2013

Encrypted Voice Calls with Regular Off the Shelf Phones

Occasionally in life you run into the tech equivalent of a “Hey, you got chocolate in my peanut butter!”.  For those of you who were not watching TV in the 80s, please see this video.
 
You can also download larger versions of the diagrams in this post here.

Last year when the tiny Obihai OBi100 became available it allowed us to create a simple, cheap and almost free method of providing encrypted voice communication using regular off the shelf $10 telephones.  The phone is actually the largest physical item in this bag of tricks, nothing else is bigger than a deck of cards.
 
Now would also be a good time to note that we have no financial connection with Obihai, we just purchase, use and like their products.


Ingredients

   
Let's start with the ingredients to this recipe.  First, the OBi100.  It is 3.5” x 2.6”.
 

On the back there are three plugs; power, Ethernet, and phone.

 

Before we go on, let's pause and look at a wonderfully simple bit of functionality available to us with no more effort than plugging the thing in.
 
On the bottom of each OBi there is a unique 9-digit number.  Let's say you and a friend each have one of these and they are each plugged in to the Internet anywhere on the planet.  If you pick up the phone attached to the unit and dial two asterisks followed by your friend's 9-digit number, their phone rings.

Nice.  Simple.  Zero config voip phone calls.  But wait, there’s more.
 

Enter the Tiny Hardware Firewall

 

The THFW is 3.3” by 2.4” and weighs 50 grams. In the picture below it is velcro’d to my laptop.  
 
On the side of the THFW there are two plugs, one for power and the other an Ethernet port.  Inside it has a WiFi radio and a small computer.   It acts as a gateway, firewall, and 256-bit AES VPN client, and runs on USB power.  Now you should see where we are going with this.
 

Time for some diagrams

In this scenario your access to the Internet is provided by some open access point.   We were working on a road warrior solution, so everything is small and low powered.  We even found this cool little USB powered Ethernet switch. Fire up a laptop and turn off its WiFi radio: if the laptop joins the hotspot on its own, it is exposed directly and the THFW protects nothing.  Plug the switch and THFW USB power ports into your laptop or some other USB power source.  Then plug an Ethernet cable into your laptop and the switch.  Plug an Ethernet cable into the switch and the THFW.  Now plug an Ethernet cable into the Obihai OBi100 and the switch, but don't power on the OBi yet.
 
You should have something that looks like the photo above in real life.  If you do this in a coffee shop you will get either strange or envious and knowing looks, maybe even a tech envy nod.  Just be prepared.
 
Leaving the real world for the warm embrace of a network diagram, this is what it looks like when scribbled on a napkin.
 
 
This diagram shows you and a friend on the left and the right separated by the increasingly hostile Internet, designated by the letter “I” in the tiny (not to scale) cloud.

In this diagram “HotSpotVPN” is a HotSpotVPN encryption server in one of our datacenters, “SW” is the tiny USB powered Ethernet switch you saw in the photo above next to your laptop, the OBi is in the green box, and the THFW is talking to the AP via WiFi.  And yes, my laptop artistry is very sad indeed.  Hopefully you can pick out the phone.

 
Now hop on your laptop, log into the THFW, connect it to the access point, and have it connect to a VoIP-optimized VPN cluster by entering that cluster's IP address in the preferred server field (the help desk can give you the address).  Choose UDP if the network lets it through.  The VoIP will sound a lot better that way: a UDP tunnel simply drops a lost packet and the call moves on.  On a restrictive network that only passes TCP you can fall back to TCP; a lost packet then stalls the tunnel until the retransmission arrives, so drop-outs take longer to repair, but at least you can make the call.
Click “Save & Connect to VPN”.
Once the VPN is up, the status section of the dashboard shows it as connected, as in the picture below.
 
Now all the Internet traffic of anything plugged into your switch goes through the VPN.  The tunnel is shown in red below.
Turn on your OBi devices.  OBi traffic is shown in green.  When an OBi powers up it first talks to the ObiTalk server.
Also note that traffic is only encrypted between the THFW and the HotSpotVPN server.  When it leaves the server it is not encrypted.  The trick is to keep the voice conversation encrypted from one OBi100 to the other, which means your friend's OBi must also sit behind a THFW with its VPN up; an OBi on a plain Internet connection would receive the stream in the clear from the VPN server onward.
Now just pick up the phone and dial ** followed by your friend's 9-digit number.  Each OBi now knows its own IP address and the IP address of the 9-digit target, and the two units talk to each other through the encrypted tunnels.
The voice data follows the green line from one OBi to the other, through the VPN, and never crosses the Internet unencrypted, all with off-the-shelf hardware.  Nice.  Strictly speaking this is hop-by-hop rather than end-to-end encryption: the stream is in the clear inside the HotSpotVPN server where the tunnels terminate and on the short wired segment between each THFW and its OBi, but nowhere that an eavesdropper on the hotspot or in transit can reach it.
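A check a practitioner will want after the steps above, as an added example that is not part of the original post or of the THFW firmware: the safety of the call rests on every packet leaving the THFW's WiFi side being tunnel traffic, so a capture taken on the hotspot side should show nothing else. The script below parses tcpdump -n style lines and flags any packet from or to the THFW that is not addressed to the VPN endpoint. The THFW address (192.168.1.50), the HotSpotVPN endpoint (203.0.113.10, UDP port 1194) and the capture lines are all constructed for the demonstration.

```python
"""Flag packets that left the THFW's WiFi side outside the VPN tunnel.

Added example, not part of the original post or the THFW firmware. Input is
tcpdump -n style text (`tcpdump -n -i wlan0`) captured on the hotspot side.
THFW_ADDR, VPN_ENDPOINT and the sample capture are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

THFW_ADDR = "192.168.1.50"             # assumed address the hotspot gave the THFW
VPN_ENDPOINT = ("203.0.113.10", 1194)  # assumed HotSpotVPN server and UDP port

# tcpdump -n prints IPv4 TCP/UDP as "IP a.b.c.d.PORT > e.f.g.h.PORT: <decode>"
_LINE = re.compile(
    r"^\S+\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<decode>.*)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_line(line: str) -> Optional[Flow]:
    """One tcpdump line to a Flow; ICMP, ARP and other formats return None."""
    m = _LINE.match(line)
    if not m:
        return None
    # tcpdump shows "Flags [...]" for TCP; the other port-bearing decodes
    # (UDP, DNS, BOOTP/DHCP) are UDP.
    proto = "tcp" if m.group("decode").startswith("Flags") else "udp"
    return Flow(m.group("src"), int(m.group("sport")),
                m.group("dst"), int(m.group("dport")), proto)


def is_tunnel(f: Flow) -> bool:
    """True when the packet is the THFW exchanging data with the VPN endpoint."""
    return ((f.src == THFW_ADDR and (f.dst, f.dport) == VPN_ENDPOINT)
            or (f.dst == THFW_ADDR and (f.src, f.sport) == VPN_ENDPOINT))


def find_leaks(lines: List[str]) -> List[Flow]:
    """Packets from or to the THFW that were not inside the tunnel.

    DHCP (UDP 67/68) is the one exchange the THFW must do in the clear to get
    an address from the hotspot, so it is allowed. Everything else, DNS
    included, must be inside the tunnel once the VPN is up.
    """
    leaks = []
    for line in lines:
        f = parse_line(line)
        if f is None or THFW_ADDR not in (f.src, f.dst):
            continue  # other hotspot clients, ARP, ICMP: not our traffic
        if is_tunnel(f):
            continue
        if f.proto == "udp" and {f.sport, f.dport} & {67, 68}:
            continue
        leaks.append(f)
    return leaks


# Constructed capture: two tunnel packets, another client's traffic, a SIP
# registration and a DNS query that escaped the tunnel, and a DHCP renewal.
SAMPLE_CAPTURE = [
    "09:40:01.000100 IP 192.168.1.50.48211 > 203.0.113.10.1194: UDP, length 141",
    "09:40:01.000900 IP 203.0.113.10.1194 > 192.168.1.50.48211: UDP, length 93",
    "09:40:01.003000 IP 192.168.1.77.52000 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0",
    "09:40:02.100000 IP 192.168.1.50.5060 > 198.51.100.20.5060: UDP, length 512",
    "09:40:02.200000 IP 192.168.1.50.53144 > 192.168.1.1.53: 31337+ A? example.net. (29)",
    "09:40:03.000000 IP 192.168.1.50.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:24:8c:2d:c0:1b, length 300",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_CAPTURE):
        print(f"LEAK: {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run it against a real capture from a second machine on the hotspot, with the real addresses substituted: a SIP or DNS packet in the leak list means the OBi registered, or the laptop resolved a name, while the tunnel was down, which is exactly the moment the call would be in the clear.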

Implementation Notes.

This implementation mimics a much more expensive solution we provided to a client about five years ago, at over 500 times the price of what you see here.  They were a roving band of international mergers and acquisitions specialists who spent a lot of time in countries where your laptop is under cyber siege from the instant you step off the plane.  Even so, this provides about 98 percent of the functionality of that solution.
 
Changes like this make me smile.
 
We actually use this internally, but with smaller, more expensive and occasionally wireless phones.
 

Other Features

 

This does not even scratch the surface of what you can do with this basket of tools.  Just a few options are:
  
  1. There are VoIP clients for smartphones, tablets and computers that work with the OBi.
  2. The OBi will also work with Google Voice with very little setup.
  3. The OBis will work with other VoIP servers, even one you set up in a VM in the cloud.
  4. The larger OBi models also have a LINE (FXO) port for bridging to a land line; the OBi100 is itself an ATA, and the line-side port is what the bigger units add.
If you have any questions just drop us a line at the helpdesk.
 
Tuesday, Nov 13 2012

What the hackers see when they look at you

The first thing a hacker will do is some early reconnaissance.  It is the bank robber equivalent of “casing the joint”.  The reconnaissance software pokes and prods the target, checking to see if any doors or windows are unlocked, checking to see what model safe is in use if there is one.


Below is what Nmap shows about a typical Apple laptop running OS X Lion when scanned from the same network, which is exactly the position of anyone sharing a hotspot with you (note the ARP ping and the one-hop distance).  In about 135 seconds the attacker knows what operating system you are running and what services are listening.

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-26 09:32 EST
NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 09:32
Scanning 10.99.100.180 [1 port]
Completed ARP Ping Scan at 09:32, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:32
Completed Parallel DNS resolution of 1 host. at 09:32, 0.00s elapsed
Initiating SYN Stealth Scan at 09:32
Scanning ddv (10.99.100.180) [1000 ports]
Discovered open port 5900/tcp on 10.99.100.180
Discovered open port 88/tcp on 10.99.100.180
Discovered open port 548/tcp on 10.99.100.180
Discovered open port 44176/tcp on 10.99.100.180

Increasing send delay for 10.99.100.180 from 0 to 5 due to max_successful_tryno increase to 5
Completed SYN Stealth Scan at 09:32, 8.09s elapsed (1000 total ports)
Initiating Service scan at 09:32
Scanning 4 services on ddv (10.99.100.180)
Service scan Timing: About 75.00% done; ETC: 09:34 (0:00:35 remaining)
Completed Service scan at 09:34, 111.12s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against ddv (10.99.100.180)
Retrying OS detection (try #2) against ddv (10.99.100.180)
Retrying OS detection (try #3) against ddv (10.99.100.180)
Retrying OS detection (try #4) against ddv (10.99.100.180)
Retrying OS detection (try #5) against ddv (10.99.100.180)
NSE: Script scanning 10.99.100.180.
NSE: Starting runlevel 1 scan
Initiating NSE at 09:34
Completed NSE at 09:34, 0.22s elapsed
NSE: Script Scanning completed.
Host ddv (10.99.100.180) is up (0.00077s latency).
Interesting ports on ddv (10.99.100.180):
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
548/tcp open afp?
5900/tcp open vnc Apple remote desktop vnc
44176/tcp open unknown
2 services unrecognized despite returning data. 

If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port548-TCP:V=5.00%I=7%D=1/26%Time=4F2163F1%P=i686-pc-linux-gnu%r(SSLSe
SF:ssionReq,1B9,"\x01\x03\0\0Q\xec\xff\xff\0\0\x01\xa9\0\0\0\0\0\x18\0#\0G

---snip---

SF:\x92\x84\x96\x97\rproto-version\x86\x92\x84\x84\x84\x08NSNumber\0\x84\x
SF:84\x07NSValue\0\x94\x84\x01\*\x84\x95\x95\x0e\x86\x86");
MAC Address: 00:23:32:9B:33:7F (Apple)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=1/26%OT=88%CT=1%CU=38284%PV=Y%DS=1%G=Y%M=002332%TM=4F21646
OS:8%P=i686-pc-linux-gnu)SEQ(SP=F9%GCD=2%ISR=104%TI=RD%CI=RD%II=RI%TS=A)SEQ
OS:(SP=FB%GCD=1%ISR=FE%TI=RD%CI=RI%II=RI%TS=A)SEQ(SP=101%GCD=1%ISR=106%TI=R
OS:D%CI=RD%II=RI%TS=A)SEQ(SP=106%GCD=1%ISR=109%TI=RD%CI=RD%II=RI%TS=A)SEQ(S
OS:P=104%GCD=1%ISR=103%TI=RD%CI=RD%II=RI%TS=A)OPS(O1=M5B4NW3NNT11SLL%O2=M5B
OS:4NW3NNT11SLL%O3=M5B4NW3NNT11%O4=M5B4NW3NNT11SLL%O5=M5B4NW3NNT11SLL%O6=M5
OS:B4NNT11SLL)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%D
OS:F=Y%T=40%W=FFFF%O=M5B4NW3SLL%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IP
OS:L=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

Uptime guess: 12.282 days (since Sat Jan 14 02:47:57 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OSs: Windows, Mac OS X

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.65 seconds
Raw packets sent: 1422 (66.616KB) | Rcvd: 1071 (44.908KB)

At this point the attacker would run something like Wireshark to “sniff”, that is, watch or record, the packets going in and out of your computer (email, HTTP, chats), which on an open hotspot any other client can do, or fire up something like Metasploit to probe those four services further and exploit any vulnerability they carry to get into your computer.

 

With the Tiny Hardware Firewall that is not possible: port scans and fingerprinting see only the THFW, never your laptop, and with the VPN up anything sniffed on the hotspot is tunnel ciphertext.  This holds only while the laptop's own WiFi radio is off and it reaches the network solely through the THFW; a laptop that joins the hotspot directly is back to the picture above.

Now let's run the same program on the same laptop with the Tiny Hardware Firewall in place.

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-26 09:26 EST

NSE: Loaded 30 scripts for scanning.
Initiating ARP Ping Scan at 09:26
Scanning 10.99.100.195 [1 port]
Completed ARP Ping Scan at 09:26, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:26
Completed Parallel DNS resolution of 1 host. at 09:27, 13.00s elapsed
Initiating SYN Stealth Scan at 09:27
Scanning 10.99.100.195 [1000 ports]
Increasing send delay for 10.99.100.195 from 0 to 5 due to 35 out of 86 dropped probes since last increase.
Increasing send delay for 10.99.100.195 from 5 to 10 due to 25 out of 62 dropped probes since last increase.
Completed SYN Stealth Scan at 09:27, 38.06s elapsed (1000 total ports)
Initiating Service scan at 09:27
Initiating OS detection (try #1) against 10.99.100.195
NSE: Script scanning 10.99.100.195.
NSE: Script Scanning completed.
Host 10.99.100.195 is up (0.00096s latency).
All 1000 scanned ports on 10.99.100.195 are closed
MAC Address: 00:24:8C:2D:C0:1B (Asustek Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds
Raw packets sent: 1748 (78.194KB) | Rcvd: 1013 (42.046KB)

 

The attacker sees no open ports, no services, and cannot tell what operating system your laptop runs; everything about your laptop is hidden behind the Tiny Hardware Firewall.  What remains visible is the THFW itself: “closed” means every probed port answered with a TCP reset, so the scanner knows a live device is there, and on the same network segment its MAC address identifies the hardware vendor (Asustek Computer), but nothing of what sits behind it.
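To make the difference between the two scans concrete, here is an added example that is not from the original post or from Nmap itself: a small parser for Nmap's normal (terminal or -oN) output that reduces a scan to the facts the attacker walks away with. The sample text is excerpted from the two scans above; the regular expressions assume the wording Nmap uses in that output format (port table, MAC Address, Uptime guess, Service Info lines).

```python
"""Reduce Nmap normal-format output to what the attacker learned.

Added example, not from the original post or from Nmap itself. The sample
text below is excerpted from the two scans on this page; the patterns assume
Nmap's normal output wording (port table, MAC Address, Uptime guess, Service Info).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Port:
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Exposure:
    host: str = ""
    up: bool = False
    open_ports: List[Port] = field(default_factory=list)
    closed_ports: int = 0          # ports that answered RST: a host is there
    mac_vendor: str = ""           # OUI lookup; only visible from the same LAN
    os_hints: List[str] = field(default_factory=list)
    os_note: str = ""
    uptime_days: Optional[float] = None


_HOST = re.compile(r"^Host (.+?) is up")
_NOT_SHOWN = re.compile(r"^Not shown: (\d+) closed ports")
_ALL_CLOSED = re.compile(r"^All (\d+) scanned ports on \S+ are closed")
_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
_MAC = re.compile(r"^MAC Address: \S+ \((.+)\)")
_SVC_INFO = re.compile(r"^Service Info: OSs?: (.+)$")
_UPTIME = re.compile(r"^Uptime guess: ([\d.]+) days")
_OS_NOTES = ("No exact OS matches", "Too many fingerprints", "Running:", "OS details:")


def summarize(nmap_text: str) -> Exposure:
    """Walk the output line by line and collect the attacker-relevant facts."""
    e = Exposure()
    for raw in nmap_text.splitlines():
        line = raw.strip()
        if m := _HOST.match(line):
            e.host, e.up = m.group(1), True
        elif m := _NOT_SHOWN.match(line) or _ALL_CLOSED.match(line):
            e.closed_ports = int(m.group(1))
        elif m := _PORT.match(line):
            p = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            if p.state.startswith("open"):
                e.open_ports.append(p)
        elif m := _MAC.match(line):
            e.mac_vendor = m.group(1)
        elif m := _SVC_INFO.match(line):
            e.os_hints = [s.strip() for s in m.group(1).split(",")]
        elif m := _UPTIME.match(line):
            e.uptime_days = float(m.group(1))
        elif line.startswith(_OS_NOTES):
            e.os_note = line
    return e


def what_leaked(e: Exposure) -> List[str]:
    """The facts an attacker takes away from one scan, as short strings."""
    facts = []
    if e.up:
        facts.append(f"live host {e.host}")
    if e.mac_vendor:
        facts.append(f"hardware vendor from MAC OUI: {e.mac_vendor}")
    for p in e.open_ports:
        facts.append(f"open {p.port}/{p.proto} {p.service} {p.version}".rstrip())
    if e.os_hints:
        facts.append("OS hints from service banners: " + ", ".join(e.os_hints))
    if e.uptime_days is not None:
        facts.append(f"uptime about {e.uptime_days:.1f} days (reboot and patch cadence)")
    return facts


# Excerpted from the two scans above: the bare laptop, then the laptop behind the THFW.
BEFORE_SCAN = """\
Host ddv (10.99.100.180) is up (0.00077s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
548/tcp open afp?
5900/tcp open vnc Apple remote desktop vnc
44176/tcp open unknown
MAC Address: 00:23:32:9B:33:7F (Apple)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Uptime guess: 12.282 days (since Sat Jan 14 02:47:57 2012)
Service Info: OSs: Windows, Mac OS X
"""

AFTER_SCAN = """\
Host 10.99.100.195 is up (0.00096s latency).
All 1000 scanned ports on 10.99.100.195 are closed
MAC Address: 00:24:8C:2D:C0:1B (Asustek Computer)
Too many fingerprints match this host to give specific OS details
"""

if __name__ == "__main__":
    for label, text in (("bare laptop", BEFORE_SCAN), ("behind THFW", AFTER_SCAN)):
        print(f"== {label} ==")
        for fact in what_leaked(summarize(text)):
            print("  " + fact)
```

The "behind THFW" summary comes out as two facts, a live host and an Asustek MAC vendor, against eight for the bare laptop; that pair of lines is the whole of what a same-network attacker learns once the firewall is in place, and the vendor string only because the scan runs on the same LAN segment.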

 

Other things the Tiny Hardware Firewall can do:
  1. Scan for and block viruses, trojans and malware before any bad packets get to you.
  2. Block advertisements for faster loading websites and less chance of getting infected by drive-by, ad-based malware.
  3. Encrypt all of your traffic with 256-bit AES encryption through HotSpotVPN.