Recently in Security Category

Asterisk 10 Encryption


As a follow-up to my Asterisk 1.8 encryption fun, I wanted to check out Asterisk 10 and see if I could get SIP-S and SRTP working. I fired up an antique Celeron box with 512MB of RAM with the FreePBX distro CD. An hour later, it was running Asterisk 1.8 and I was talking between extensions. No encryption yet.

At this point, I started to appreciate PBX-in-a-Flash a little more because that distro does a full ./configure, make, make install for Asterisk and Dahdi. The stock FreePBX distribution doesn't, but it does get things up and running quick.

After getting FreePBX running, I downloaded libsrtp and Asterisk 10. I had the same trouble with libsrtp in the Asterisk ./configure as before, so Google the error and add -fPIC etc. to the Makefile. After a couple of attempts, Asterisk finished configuring and making and installed and started. I could make calls back and forth.

However, when I first added tlsenable=yes and a path to my certs to my sip_general_custom.conf and restarted Asterisk 10, it did nothing for TLS. Asterisk wasn't even listening on port 5061. And AES encryption on an IAX2 trunk back to my production Asterisk box failed with the following error:

WARNING[1248] /usr/src/asterisk-10.0.0/include/asterisk/crypto.h: AES encryption disabled. Install OpenSSL.

OpenSSL was installed. On further investigation, I discovered that the res_crypto module was not loaded and could not be loaded (module show like res_crypto at the Asterisk CLI is the quick way to check).

openssl-devel was not installed. The headers in that package are what ./configure looks for; without them, configure just notes that OpenSSL was not found and carries on, and Asterisk builds without TLS support and without res_crypto. So I went back, ran yum install openssl-devel, and recompiled and reinstalled Asterisk 10. Then TLS worked fine.

For the record, here are the packages I installed for Asterisk 10 on a FreePBX 2.9.0.9 distro. Dahdi and Asterisk-Add-Ons are not covered here.

zlib-devel-1.2.3-3.i386
libxml2-devel-2.6.26-2.1.2.8.el5_5.1.i386
sqlite-devel-3.3.6-5.i386
doxygen-1.4.7-1.1.i386
keyutils-libs-devel-1.2-1.el5.i386
e2fsprogs-devel-1.39-23.el5_5.1.i386
libsepol-devel-1.15.2-3.el5.i386
libselinux-devel-1.33.4-5.5.el5.i386
krb5-devel-1.6.1-36.el5_5.6.i386
openssl-devel-0.9.8e-12.el5_5.7.i386
mysql-devel-5.0.77-4.el5_5.4.i386

Another thing: You can add your SIP parameters (like tlsenable=yes) to the SIP configuration page that's available in FreePBX now, instead of hand-editing /etc/asterisk/sip_general_custom.conf.

Next: An SELinux policy for Asterisk?

Asterisk Encryption Gotchas


Finally, Asterisk supports encryption of phone calls and signalling in version 1.8. It's about time. So now, those of us running FreePBX can just hit the encryption checkbox and everything will run fine. Not so much. FreePBX 2.9 incorporates encryption options for extensions, but it assumes you've done all the legwork and configured all the prerequisites. (Tested with varying levels of success on Asterisk 1.8.1.1, FreePBX 2.9.0.7, Bria 3.2.1 62387 (iPhone version works fine, too), snom370-SIP 8.4.32, Aastra 57iCT/3.2.2.1136, and Xlite 4.0.9). My Asterisk install is based on PBX in a Flash, but I do my own recompiling, which pretty much voids its warranty and script upgrade functionality. So proceed at your own risk. (Since this is Asterisk, though, you knew that already.)

To get encryption running in Asterisk, take things step by step. Asterisk encryption is really two types of encryption: SIPS, or SIP over TLS, for signalling (traditional PKI using OpenSSL); and SRTP for the voice traffic. Each is configured independently under each extension. Asterisk encryption is not end-to-end. It is extension-to-Asterisk, and maybe Asterisk-to-Asterisk on trunks: Asterisk terminates both the TLS session and the SRTP stream, so the server itself sees cleartext signalling and media. Asterisk encryption is not foolproof, and it will not encrypt calls to the PSTN. It's still vulnerable to MITM attacks with faked certs, and to a compromise of your Asterisk install. Also, just because your connection to Asterisk is encrypted and the lock symbol shows up on your phone doesn't mean the other extension (or trunk) on the other side of Asterisk is also secure.

The SRTP master key is exchanged over the SIP channel: with the SDES method Asterisk 1.8 uses (RFC 4568), it travels base64-encoded in an a=crypto line in the SDP body of the INVITE and its answer. So if SIP's not encrypted, what's the point of bothering with SRTP? If you want to see what you're missing by not using encryption, download Cain from oxid.it and run it while you register the Bria softphone client and make a call from your Windows computer. You get hashes of your SIP passwords and recordings of your phone calls, all from a GUI Windows program. If you have a network tap or span port in the right spot, you can intercept every call and signal between your Asterisk server and its SIP endpoints.
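To make the point concrete, here is an added example (my code, not the post's and not Asterisk's) that pulls the SRTP master key and salt straight out of the a=crypto lines of a SIP INVITE and flags the cases this post cares about: keys offered over UDP signalling, an m= line that still says RTP/AVP, and the 32-bit auth tag the Snom section below runs into. The INVITE, the addresses and the key material are constructed for the demo; the suite table is from RFC 4568.

```python
"""Pull the SRTP master key out of the SDES (RFC 4568) a=crypto lines of a SIP INVITE.

Added example, not code from the post or from Asterisk: it shows why SRTP on
its own is pointless. The master key rides base64-encoded in the SDP body, so
whoever can read the signalling can decrypt the media. The INVITEs, addresses
and key material below are constructed for the demo.
"""
import base64
import re

# (master key bytes, master salt bytes, auth tag bits) per suite, RFC 4568 section 6.2
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14, 80),
    "AES_CM_128_HMAC_SHA1_32": (16, 14, 32),
    "F8_128_HMAC_SHA1_80": (16, 14, 80),
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([^|\s]+)((?:\|[^\s|]+)*)\s*$")


def parse_crypto_line(line):
    """Return a dict for one a=crypto line, or None if the line is not one."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, b64, params = m.groups()
    key_len, salt_len, tag_bits = SUITES.get(suite, (None, None, None))
    raw = base64.b64decode(b64)
    entry = {"tag": int(tag), "suite": suite, "tag_bits": tag_bits,
             "master_key": None, "master_salt": None, "lifetime": None, "mki": None}
    if key_len is not None and len(raw) == key_len + salt_len:
        entry["master_key"], entry["master_salt"] = raw[:key_len], raw[key_len:]
    for param in params.split("|")[1:]:      # params starts with '|', so drop the empty head
        entry["mki" if ":" in param else "lifetime"] = param
    return entry


def audit_invite(message):
    """Report the signalling transport, the media profile, the offered keys and findings."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    m_line = re.search(r"^m=audio\s+\d+\s+(\S+)", body, re.M)
    profile = m_line.group(1) if m_line else None
    keys = [k for k in (parse_crypto_line(ln) for ln in body.splitlines()) if k]

    findings = []
    if keys and transport != "TLS":
        findings.append("SRTP master key sent over %s signalling: readable on the wire" % transport)
    if profile == "RTP/AVP":
        findings.append("m= line offers RTP/AVP, so the far end may answer with plain RTP"
                        if keys else "no SRTP offered at all: media will be cleartext RTP")
    for k in keys:
        if k["tag_bits"] == 32:
            findings.append("crypto tag %d uses a 32-bit auth tag (Snom default; Asterisk 1.8 wants 80)" % k["tag"])
    return {"transport": transport, "profile": profile, "keys": keys, "findings": findings}


# Constructed key material and INVITE, for the demo only
MASTER_KEY = bytes(range(0x10, 0x20))     # 16-byte AES-CM-128 master key
MASTER_SALT = bytes(range(0xA0, 0xAE))    # 14-byte master salt
INLINE = base64.b64encode(MASTER_KEY + MASTER_SALT).decode()


def build_invite(transport):
    """A minimal INVITE with two SDES offers, sent over the given Via transport."""
    return (
        "INVITE sip:201@pbx.example.net SIP/2.0\r\n"
        "Via: SIP/2.0/%s 192.0.2.10:5061;branch=z9hG4bK776asd\r\n"
        "From: <sip:200@pbx.example.net>;tag=1928301774\r\n"
        "To: <sip:201@pbx.example.net>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 314159 INVITE\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
        "m=audio 49170 RTP/SAVP 0 8 101\r\n"
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s|2^20|1:32\r\n"
        "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:%s\r\n"
    ) % (transport, INLINE, INLINE)


if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        report = audit_invite(build_invite(transport))
        print(transport, report["profile"], [k["suite"] for k in report["keys"]])
        for finding in report["findings"]:
            print("  -", finding)
        print("  master key:", report["keys"][0]["master_key"].hex())
```

Feed audit_invite the text of a real INVITE from a Wireshark capture (Follow TCP/UDP Stream, then copy the message) and it will print the master key in hex when the signalling was not TLS; that is exactly what Cain gets to see.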

To get started, Asterisk 1.8 requires libsrtp. (You can thank Cisco for making it available, too.) You'll need to download, configure, make, make runtest, and make install before you hit ./configure on your Asterisk source. (Yes, recompiling Asterisk is necessary.) Then, when you do ./configure on your Asterisk source, you'll get an error when it finally gets to checking your libsrtp availability. Google the error phrase, and you'll learn what to change in the CFLAGS line of your libsrtp Makefile (adding -fPIC, so the static library can be linked into Asterisk's shared res_srtp module). Recompile and reinstall libsrtp, then reconfigure Asterisk. Then in your Asterisk source, make menuselect and select libsrtp under resources. Don't forget to make sure your other cool Asterisk features (like gtalk) are still enabled before you save and exit. Then recompile and reinstall Asterisk. There are plenty of tutorials for these steps on the Interwebs.

Once Asterisk is running again, you can start by getting a certificate for TLS. I am not going to do yet another certificate from self-signed CA howto here. There's an excellent one over at madboa. It's nice for Asterisk to now include a CA/Cert script, but you should really understand how SSL works. I know people who send private keys via email.

Another note about certificates: even if all your workstations are in a friendly LAN with the same DNS suffix, use the fully-qualified domain name (FQDN) for your Asterisk certificate, and have the endpoints register to that name. Some endpoints (Bria, I'm looking at you) require the FQDN and cannot validate the certificate if you reach your Asterisk server by a short name. Using IP addresses for the registrar in your endpoints? That won't work either, because the name the phone connects to has to match the certificate. You'll need the CA cert on some endpoints but not others. (Snom phones like certs in DER format; Asterisk and Aastra like PEM. To convert from PEM to DER, try this:

openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

Once you get your CA and certificate, your sip_general_custom.conf file should have lines as follows. (In FreePBX, sip_general_custom.conf is the one you can hand-edit safely.)

tcpenable=yes ; If you don't have TCP enabled for SIP now, go ahead and enter this and test it.
tlsenable=yes
tlsbindaddr=0.0.0.0
tlsclientmethod=tlsv1
tlscertfile=/etc/asterisk/keys/asterisk.crt ; concatenate the key file to the bottom of the cert file so they're together (or point tlsprivatekey= at a separate key file).
tlscafile=/etc/asterisk/keys/asteriskCA.crt
tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5 ; the RC4 suites are weak and are only here for endpoints that can do nothing better; drop them once every phone can do AES.

Some say put "ANY" there for tlscipher. I suggest you want encryption that's strong but compatible with your endpoints. For valid strings, look here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. To see which one your endpoint is using, you'll need a network capture in Wireshark: the Server Hello carries the suite that was negotiated. If there's no shared cipher between your endpoint and Asterisk, you'll see something like this in your logs:
/var/log/asterisk/full:[2012-01-03 13:59:30] VERBOSE[29926] tcptls.c: == Problem setting up ssl connection:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Also, you'll need to trust your self-signed CA on the Asterisk host, so that openssl verify (below) and Asterisk itself, when it is the TLS client on an outbound TLS trunk, accept the chain. (Seriously, don't set tlsdontverifyserver=yes to make the errors go away. That option tells Asterisk to skip verifying the far end's certificate when it connects out, which is exactly the MITM opening you're trying to close.)

If you're on Fedora or CentOS, the folder is /etc/pki/tls/certs, and OpenSSL finds a CA there through a symlink named after the subject hash. (c_rehash /etc/pki/tls/certs creates those links for every cert in the folder; the one-off version is:)
# ln -s myAsteriskCA.cer `openssl x509 -hash -noout -in myAsteriskCA.cer`.0
then verify:
# openssl verify -CApath /etc/pki/tls/certs /etc/asterisk/keys/myAsterisk.cer
should get you a:
/etc/asterisk/keys/myAsterisk.cer: OK
Once you have a certificate in place, restart Asterisk and see what comes up:
/var/log/asterisk/full:[2012-01-02 23:37:26] VERBOSE[24700] tcptls.c: SSL certificate ok

Then you can try connecting with TLS. In FreePBX, you go to the particular extension you want to test and select TLS Only and reload. Each endpoint is different. Once TLS is successful, you can try setting the extension to use SRTP encryption in FreePBX.

Notes on Phones:

Each phone is different. Bria was easy, so you may want to start with that to see if Asterisk is working correctly. In account settings, domain needs to be a FQDN that matches what you've assigned the certificate. You also need to import your CA cert into Windows' CA certificate store. For signaling transport, select TLS. For SRTP, select "Make and accept only encrypted calls" for Media Encryption. With any luck, when you hit the apply button, you should see "All accounts are active." While Bria for Windows validates certificates, it's optional on Bria for iPhone/iPad.

The other software phone, 3CX, has settings for TLS but gets caught in an SSL handshake loop when trying to register, in spite of a shared cipher suite.

For the SNOM 370 to connect via SRTP successfully, I had to set RTP/SAVP to Mandatory (Identity | RTP in the Snom menu). If you have multiple SIP accounts to the same Asterisk server in your SNOM phone, having any one identity configured incorrectly can break them all (error message "Not acceptable here" whenever you dial). Also set the SRTP key (the auth tag) to 80-bit; 32-bit is the SNOM default, which doesn't work. (This has changed in Asterisk 10, which adds the encryption_taglen option to set the auth tag length; only 32 and 80 are supported currently.)

Also, disable RTCP support in SNOM if you don't want Asterisk to crash when it's doing SRTP.

user_host1!: my.asterisk.net;transport=tls
user_host2!: my.asterisk.net;transport=tls
user_srtp1!: on
user_srtp2!: on
user_symmetrical_rtp1!: off
user_symmetrical_rtp2!: off
user_server_type1!: asterisk
user_server_type2!: asterisk
user_savp1!: mandatory
user_savp2!: mandatory
empty_tls_client_cert!: off
xcap_via_tls!: true
tls_server_authentication!: on
user_auth_tag1!: off
user_auth_tag2!: off
support_rtcp!: off

On the Aastra 6757iCT I got TLS working, and SRTP for inbound. Unfortunately, when SRTP is active, dialing out doesn't work at all, with "call failed" every time so far. I've gone through most of the DTMF options, including SIP, and still no joy. The difference between CA certs and Trusted Certs on the TLS support page is not clear to me. Aastra says to put your CA root and intermediate certs in CA Certs and Trusted Certs on the TLS support menu. For my mode (persistent TLS) I have only trusted certificates, a PEM file with the concatenated public certs of my Asterisk server and its issuing CA. Also, you need to manually set all the ports to 5061 for TLS. The other phones switched ports automatically. Relevant lines:

sip local port: 5061
sip local tls port: 5061
sip proxy port: 5061
sip registrar port: 5061
sip outbound proxy port: 5061
sip srtp mode: 0
(SRTP disabled -- so dialing out can work.)
sip transport protocol: 4
sips trusted certificates: asterisk2.pem
sips persistent tls: 1

I'd like to make more progress on the Aastra, but it requires even more reboots than the Snom.

Finally, run Cain again to see if your phones are encrypted for SIP and voice. Even when SRTP is encrypting the voice payload, the RTP headers stay in the clear, so anyone watching can still tell that a call is happening, between which addresses, and how long it lasts. If you can't get a tap, you can run tcpdump to a .cap file on your Asterisk server and then open it with Wireshark. Then you can take a look to see if the data looks encrypted.

Leftover vulnerabilities: this configuration still uses passwords for client authentication. You can use client-side certs if you want. Certificate authorities are vulnerable. Bria (at least on Windows) uses the certificate authorities that come installed in the Windows certificate store. SNOM phones ship with CA certs aboard (you still have to upload your own certs to the SNOM phone). SNOM has no mechanism for certificate revocation lists, so a compromised CA can be used to impersonate your certificates in a MITM attack. Aastra makes you upload any CA certs for trust.

Finally, for the SNOM phones that have the OpenVPN client, using the OpenVPN connection back to your Asterisk server and encryption within the (encrypted) VPN connection should provide some additional level of security.
(Assuming you haven't left your private keys exposed someplace.)

The secure PBX is not connected to the PSTN. And when you say man-in-the-middle attack, think government-in-the-middle. It's gender neutral.

Some things are trivial in Linux/Unix and more complex in Windows. In Linux, it's md5sum filename. In Windows, there are free tools from Microsoft (fciv.exe), but no built-in commands that are super-easy to script.

So what are you to do if you need to collect file details and hashes for every folder within the subfolders of a directory? If you're doing it with VBScript, you'll need a free library available from XStandard. Once you register, you'll get a dll that you'll need to register. (It's 32-bit only, so if you're on a 64-bit box, you'll need to do this:
C:\WINDOWS\SysWOW64\regsvr32.exe XMD5.dll
and then to execute the script:
c:\windows\SysWOW64\cscript.exe FolderReportMD5.vbs )

Anyhow, this script is derived from the Sapien sample scripts. (While there are many free editors out there, I think Sapien's PrimalScript is worth every penny if you'll be doing a lot of Windows scripting.)

And since my MT template doesn't handle code well, here's a link to the text file.

'**************************************************************************
' File: FileListMD5.vbs
'
' Comments: This script uses the MD5 library available here:
' http://www.xstandard.com/en/documentation/xmd5/#api1
' This script runs through a directory tree and writes file attributes to a csv file.
' To run on x64 use C:\WINDOWS\SysWOW64\regsvr32.exe XMD5.dll and then execute via
' c:\windows\SysWOW64\cscript.exe FolderReportMD5.vbs
' Based on Sapien's sample script for FolderProperties.
'**************************************************************************
Option Explicit
Dim objFSO, objFile, objFolder, objMD5, q, strSource

Set objFSO = CreateObject("Scripting.FileSystemObject")
'where to put the file list?
Set objFile = objFSO.CreateTextFile("c:\scripts\FileList.csv")
q = """"
'write the header line of the CSV file.
objFile.WriteLine(q & "FilePath" & q & "," & q & "FileName" & q & "," & q & "DateCreated" & q _
    & "," & q & "DateLastAccessed" & q & "," & q & "DateLastModified" & q & "," & q & "FileSize" & q & _
    "," & q & "MD5Hash" & q & "," & q & "FileAttributes" & q)

'where to start
strSource = "C:\folder"

'one MD5 object is enough for the whole run
Set objMD5 = CreateObject("XStandard.MD5")
Set objFolder = objFSO.GetFolder(strSource)

Call ProcessFiles(objFolder)
objFile.Close

'decode the FileSystemObject attribute bits into words
Function AttributeText(attr)
    Dim s
    s = ""
    If attr = 0 Then s = " Normal"   'Normal is 0, so this must be an equality test, not a bit test
    If attr And 1 Then s = s & " Read-only"
    If attr And 2 Then s = s & " Hidden"
    If attr And 4 Then s = s & " System"
    If attr And 8 Then s = s & " Volume"
    If attr And 16 Then s = s & " Directory"
    If attr And 32 Then s = s & " Archive Bit is set"
    If attr And 1024 Then s = s & " Alias"
    If attr And 2048 Then s = s & " Compressed"
    AttributeText = s
End Function

Sub ProcessFiles(objFolder)
    Dim colFiles, file, strFingerPrint, strFileAttributes
    Set colFiles = objFolder.Files

    For Each file In colFiles
        'clear the vars on each loop so a failed hash is never carried over from the previous file
        strFingerPrint = "blank"
        On Error Resume Next
        strFingerPrint = objMD5.GetCheckSumFromFile(file.Path)
        If Err.Number <> 0 Then
            strFingerPrint = "ERROR: " & Err.Description   'locked or unreadable file
            Err.Clear
        End If
        On Error GoTo 0
        strFileAttributes = AttributeText(file.Attributes)

        WScript.Echo strFingerPrint
        WScript.Echo "File Name:" & vbTab & file.Name
        WScript.Echo "Short File Name:" & vbTab & file.ShortName
        WScript.Echo "File Path:" & vbTab & file.Path
        WScript.Echo "Date Created:" & vbTab & file.DateCreated
        WScript.Echo "Date Last Accessed:" & vbTab & file.DateLastAccessed
        WScript.Echo "Date Last Modified:" & vbTab & file.DateLastModified
        WScript.Echo "File Size:" & vbTab & file.Size
        WScript.Echo "File Attributes:" & strFileAttributes

        'finally, write the line to the csv file
        objFile.WriteLine(q & file.Path & q & "," & q & file.Name & q & "," & _
            q & file.DateCreated & q & "," & q & file.DateLastAccessed & q & "," & _
            q & file.DateLastModified & q & "," & q & file.Size & q & "," & _
            q & strFingerPrint & q & "," & q & strFileAttributes & q)
    Next

    'process Subfolders
    Call ProcessSubFolders(objFolder)
End Sub

Sub ProcessSubFolders(objFolder)
    Dim colSubs, folder
    Set colSubs = objFolder.SubFolders
    For Each folder In colSubs
        Call ProcessFiles(folder)
    Next
End Sub
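For the same job without a third-party DLL, here is an added example (mine, not the post's script) that walks a tree with the Python standard library, hashes each file in one pass, writes the same kind of quoted CSV, and can diff two inventories to show what was added, removed or altered. It records SHA-256 next to MD5 because MD5 collisions are cheap to make, so an MD5 match alone no longer proves two files are identical. The demo tree, its file names and contents are constructed.

```python
"""Recursive file inventory with digests, written to CSV.

Added example, not the post's VBScript: the same job (walk a tree, record each
file's attributes and hash) with the Python standard library alone, so there is
no 32-bit DLL to register and it runs on Windows or Linux. The demo tree and
paths are constructed.
"""
import csv
import hashlib
import os
import stat
import tempfile
import time

CHUNK = 1024 * 1024   # hash a megabyte at a time so big files never load whole


def digest_file(path, algorithms=("md5", "sha256")):
    """Hex digests of one file, all algorithms computed in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def inventory(root):
    """One record per regular file under root, in a stable (sorted) order.

    Unreadable files stay in the list with the error text instead of a hash, so
    the manifest says "could not hash" rather than silently omitting them.
    """
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st, digests, error = None, {}, ""
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                      # symlinks, devices, pipes
                digests = digest_file(path)
            except OSError as exc:
                error = str(exc)
            records.append({
                "FilePath": os.path.relpath(path, root),
                "FileSize": st.st_size if st else "",
                "DateLastModified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)) if st else "",
                "MD5Hash": digests.get("md5", ""),
                "SHA256Hash": digests.get("sha256", ""),
                "Error": error,
            })
    return records


FIELDS = ["FilePath", "FileSize", "DateLastModified", "MD5Hash", "SHA256Hash", "Error"]


def write_manifest(records, out_path):
    """Quoted CSV, the same shape as the VBScript's output; returns the row count."""
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
        writer.writeheader()
        writer.writerows(records)
    return len(records)


def diff_manifests(old, new):
    """Compare two inventories by path and SHA-256: (added, removed, changed)."""
    old_map = {r["FilePath"]: r["SHA256Hash"] for r in old}
    new_map = {r["FilePath"]: r["SHA256Hash"] for r in new}
    added = sorted(set(new_map) - set(old_map))
    removed = sorted(set(old_map) - set(new_map))
    changed = sorted(p for p in set(old_map) & set(new_map) if old_map[p] != new_map[p])
    return added, removed, changed


def make_demo_tree():
    """Constructed sample tree: two files with well-known digests."""
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "a.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(root, "sub", "b.txt"), "wb") as fh:
        fh.write(b"")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    rows = inventory(demo)
    print(write_manifest(rows, os.path.join(demo, "FileList.csv")), "files written")
    for r in rows:
        print(r["FilePath"], r["FileSize"], r["SHA256Hash"])
```

Run inventory() against a baseline once, keep the CSV somewhere the box being inventoried cannot write to, and diff_manifests() against a fresh run tells you what changed; that is the whole value of the exercise.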

Intel introduced the low-power, affordable Atom chipset a couple of years ago. The earlier models included the Atom 230 and 330, single- and dual-core respectively, at 1.6 GHz. Frugal with power at 8 watts, it could even run 64-bit. The first-gen Atom motherboard/chipset kits had two chief weaknesses: they maxed out at 2 GB of RAM, and they used Realtek network-interface cards (at least the Supermicro boards did). Realteks sometimes crash Linux when the incorrect driver loads, and the Realtek NICs don't do jumbo frames. The crashes are patchable, but it adds a couple of hours to your install. (Do not, repeat not, buy the old models no matter how cheap they are. Stick to the D510 series.)

Intel has since released the Atom D510. The processor is up to a 13-watt draw, runs at about the same speed, and still runs 64-bit. What makes these chipsets better is that they max out at 4 GB of RAM and use genuine Intel Gig NICs that are widely supported and can run jumbo frames. This is a big leap, because the configured price of a fully-built mini-server around the platform remains the same. Supermicro has some great Atom motherboards that can support a home or small office doing various things. (The D525 has since come out. Compare the two here.)

Newegg has some good deals on the Supermicro Atom Rack Server and the tower server for about $70 less. Or you can just buy a motherboard and roll your own. My tower server with D510 runs just under 40 watts with 4 GB of RAM, CD, and hard disk.

What can you do with it? There are a number of Linux and BSD appliances that are free.

1) Run your own telephone switch. FreePBX is an awesome, OS-included version of Asterisk that has a clean web GUI. PBX-In-a-flash is based on FreePBX but has a few extras (nonstandard enhancements like dial weather by airport code and dial your local tide schedule) thrown in. Why would you want to run your own PBX? You can do stupid phone tricks, like really cheap phone service at $.01/minute and $1.50/month per number with Vitelity, for one. Or your own conference line. Or your own trunks over VPNs to other offices. Or just blacklist phone numbers and send telemarketers to their own voice-mail hell.

Keep in mind that to light up your home phone lines, you may need an additional analog card from Sangoma or Digium. (FXS and FXO are different, but can run on the same card.) Once you figure out how cool SIP is, you'll want to replace your house phones with SIP phones. However, you can get started with SIP free using the Xlite soft phone. The iPhone/iPod/iPad version is $7.99. It's perfectly true that you can make phone calls cheap with a Linksys PAP2T or Vonage, but if you're a telephone control freak and want to wage war on telemarketers, Asterisk is for you.

2) Run a great firewall like pfSense. It's based on FreeBSD but has a great web GUI so you can avoid learning the subtle differences between BSD and Linux. pfSense comes in embedded and full. For the Atom server, running the full version is no sweat, and I run Snort inline on two interfaces with no issues. A full Snort IPS signature subscription for home use is just $30/year. And pfSense does not just IPsec point-to-point VPNs, but also SSL VPN (OpenVPN, the counterpart of Cisco's WebVPN). Try that on your Cisco ASA 5505, and you'll be paying a couple grand for the equipment, licenses, and subscription. Check out the plugins for pfSense and you'll see how much you can do with one small box. pfSense 2.0 is almost out of beta and there's a 64-bit version. (Plugins include FreeSwitch, an open-source competitor to (open-source) Asterisk, so if you want, you can even run a PBX on your firewall.)

3) Storage: Run FreeNAS and you'll be able to scale reasonably out of the box. The Atom Motherboard has six SATA slots and two GB NICs that do jumbo frames. Hello iSCSI. With 2TB disks, that's 12 TB of storage. FreeNAS offers CIFS (Windows), Apple (AFP), iSCSI, and NFS mount points. Add a serious SATA RAID card to get even more disk IO performance out of your little Atom box. Obviously, I would recommend the tower server case for FreeNAS because it has room for more disks.

4) Run Apache/PHP/MySQL applications on Fedora, CentOS, whatever. You can run your own apps at home on top of your favorite flavor of Linux/BSD. One of my favorites is Gallery2. There are even semi-free apps (free without the enterprise features) like Movable Type (you're reading this on an MT platform), and you can run more than one on the same mini-server.

5) Collect data. Run a weather station. Run a log server. Run a crazy blog and see who hits it with which keywords. Collect IPS events from multiple firewalls and correlate them.

So you want to require strong encryption in Apache's httpd 2.0? So strong that Firefox is the only browser that can connect?
In /etc/httpd/conf.d/ssl.conf, edit the two lines as below:
SSLProtocol TLSv1
SSLCipherSuite HIGH
Then go to /etc/httpd/conf/httpd.conf and edit your

<Directory> </Directory>
to include the following line:
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 256
Then run
apachectl configtest
to check for typos.
Finally
/etc/rc.d/init.d/httpd restart

What this does is limit the handshake to the HIGH suites and then, per request, refuse any connection whose negotiated cipher uses a key shorter than 256 bits. With the browsers of the time, the only suite that got through was TLSv1 DHE-RSA-CAMELLIA256-SHA.

You can then watch your SSL handshakes fail from IE and Chrome (and a browser that does negotiate a HIGH suite with a smaller key gets a 403 from the SSLRequire check instead). If you want to require strong encryption across browsers, edit ssl.conf to look like this:

SSLProtocol TLSv1
SSLCipherSuite AES256-SHA

Then you'll have reasonably strong encryption. (AES256-SHA is a static-RSA suite, so there is no forward secrecy; the DHE suite above had it, at the cost of browser compatibility.)

Working with Bluecoat files in the raw can be time-consuming. Findstr and grep only work so fast. Windows grep is slow. I know SQL syntax OK, so I tend to dump logfiles into databases to analyze them for activity. There are certainly other ways to do it, such as using a reporting tool for Bluecoat. (Splunk's free Bluecoat application, e.g.).

Theoretically, Bluecoat logfiles are the same as W3C web server log files that logparser can consume via the -i:W3C directive.

You can see the fields in a Bluecoat log below.

#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

For some reason, Bluecoat leaves two spaces between cs(Referer) and sc-status. LogParser's W3C parser treats the extra space as an empty field, so every column to the right of cs(Referer) lands one off. Bluecoat also leaves spaces in cs-categories and surrounds the value with quotation marks, so you need to specify -dQuotes:ON. LogParser doesn't have a quick and easy way to handle the double-space issue, so I wrote a VBScript to handle it. (VBScript is pretty quick at text handling and it's much faster than using search and replace in WordPad or Notepad on a 500-1000 MB file.)

Here's the VBScript:
'start
Option Explicit
Dim objFSO, objTextFile, objNewFile, myString

Set objFSO = CreateObject("Scripting.FileSystemObject")
'change this line to wherever you want to read the input from.
Set objTextFile = objFSO.OpenTextFile("c:\myBluecoatlog.log", 1)
Set objNewFile = objFSO.CreateTextFile("c:\myCleanBlueCoatlog.log")
Do Until objTextFile.AtEndOfStream
    myString = objTextFile.ReadLine
    'collapse the double space Bluecoat leaves after cs(Referer) to a single space
    objNewFile.WriteLine(Replace(myString, "  ", " "))
Loop
objTextFile.Close
objNewFile.Close
'end vbscript
Here's the logparser file:
-------------------start
SELECT TO_LOCALTIME(TO_TIMESTAMP(date, time)) AS date,
time-taken,
c-ip,
cs-username,
cs-auth-group,
x-exception-id,
sc-filter-result,
cs-categories,
cs(Referer) AS Referer,
sc-status AS scStatus,
s-action,
cs-method,
rs(Content-Type) AS ContentType,
cs-uri-scheme,
cs-host,
cs-uri-port,
cs-uri-path,
cs-uri-query,
cs-uri-extension,
cs(User-Agent) AS UserAgent,
s-ip,
sc-bytes,
cs-bytes,
x-virus-id

INTO BlueCoat4
FROM c:\myCleanBlueCoatlog.log
------------------end
And here's the command line for logparser. (Save the logparser file as c:\scripts\log\bluecoat.sql)

logparser file:c:\scripts\log\bluecoat.sql -i:W3C -o:SQL -server:sqlservername -database:BLUECOAT -createtable:ON -dQuotes:ON


Statistics:
-----------

Elements processed: 613076
Elements output: 613076
Execution time: 241.20 seconds (00:04:1.20)
About 2500 lines/sec. Processor utilization is almost zero for SQL and logparser, so it's all about disk time.

The above is from a file that's 310,935,417 bytes large. That means BlueCoat logs are about 507 bytes per line, or 0.5k per line before compression. The last time I checked BlueCoat gz compression, it was about 15% of the original file size. Compressed, the line would cost you 76 bytes.
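If you'd rather skip the clean-up pass and LogParser altogether, here is an added example (my code, not the post's VBScript and not LogParser) that reads a Bluecoat W3C ELFF log straight into SQLite. Its tokenizer splits on runs of whitespace while honouring the quotes around cs-categories, so the double space after cs(Referer) costs nothing, and it refuses lines whose field count does not match the #Fields header instead of shifting columns. The log lines, addresses and user names are constructed; the #Fields line is the one from the post.

```python
"""Parse Bluecoat W3C ELFF access logs straight into SQLite.

Added example, not part of the original post: it does what the VBScript plus
LogParser pipeline does, in one step, and tolerates the double space after
cs(Referer) by splitting on whitespace runs while honouring the quotes around
cs-categories. The log lines below are constructed samples.
"""
import re
import sqlite3

# One token is either a double-quoted string or a run of non-space characters;
# the whitespace between tokens can be any length, so "  " is harmless.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

SAMPLE_LOG = r"""#Software: SGOS 5.5
#Version: 1.0
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
2012-01-05 14:02:11 120 10.1.2.3 jdoe "DOMAIN\Users" - OBSERVED "Search Engines/Portals" http://www.example.com/  200 TCP_NC_MISS GET text/html http www.example.com 80 /index.html - html "Mozilla/5.0 (Windows NT 6.1)" 10.1.0.9 5120 640 -
2012-01-05 14:02:15 3 10.1.2.4 asmith "DOMAIN\Users" policy_denied DENIED "Malicious Sources/Malnets" -  403 TCP_DENIED GET text/html http bad.example.net 80 /drop.exe - exe "Mozilla/4.0" 10.1.0.9 1024 300 -
"""


def tokenize(line):
    """Split one data line into field values; quoted values keep their spaces."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]


def parse_elff(text):
    """Return (field names, list of row dicts, list of (lineno, count) rejects).

    A '-' in W3C format means the field is empty, so it becomes None (NULL).
    Lines whose token count disagrees with #Fields are reported, not guessed at.
    """
    fields, rows, bad = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data before #Fields header at line %d" % lineno)
        values = tokenize(line)
        if len(values) != len(fields):
            bad.append((lineno, len(values)))
            continue
        rows.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return fields, rows, bad


def load_sqlite(fields, rows, table="bluecoat", conn=None):
    """Create the table and insert rows. Column names are double-quoted because
    W3C names like cs(Referer) and time-taken are not valid bare identifiers."""
    conn = conn or sqlite3.connect(":memory:")
    cols = ", ".join('"%s" TEXT' % f for f in fields)
    conn.execute('CREATE TABLE IF NOT EXISTS "%s" (%s)' % (table, cols))
    placeholders = ", ".join("?" for _ in fields)
    conn.executemany('INSERT INTO "%s" VALUES (%s)' % (table, placeholders),
                     [tuple(r[f] for f in fields) for r in rows])
    conn.commit()
    return conn


def denied_by_client(conn, table="bluecoat"):
    """The kind of query the SQL load is for: which clients trip policy, how often."""
    cur = conn.execute('SELECT "c-ip", COUNT(*) FROM "%s" WHERE "sc-filter-result" = ? '
                       'GROUP BY "c-ip" ORDER BY 2 DESC' % table, ("DENIED",))
    return cur.fetchall()


if __name__ == "__main__":
    fields, rows, bad = parse_elff(SAMPLE_LOG)
    print("%d fields, %d rows, %d rejected" % (len(fields), len(rows), len(bad)))
    conn = load_sqlite(fields, rows)
    for ip, count in denied_by_client(conn):
        print("DENIED", ip, count)
```

Point parse_elff() at the contents of a real log (read it in chunks or line by line for the 300 MB files above; the parser is per-line) and use a file-backed sqlite3.connect() instead of :memory: to get the same thing the LogParser-to-SQL run produces.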

Neither did I. Hardly anyone knows, because few people take DHS seriously, and nobody outside of the Federal government has said "Cyber" since the nineties. I attended a computer security conference recently and listened to a panel of current and former federal officials speak about "Cyber" security. They might one day be able to secure government systems, but they're a long way off from protecting you and me online. One of the few things they can do to protect us is to stage a public awareness campaign -- thus we have Cybersecurity Awareness Month.

Why doesn't Google have a Cybersecurity graphic? Online providers don't want you to think about security. Banks don't want you to think about online security. If you thought about security when you signed up for online banking, you might not do it. Without the regulatory agencies, the banks would leave you liable for all losses, even those caused by the bank's own security lapses, as happened in the UK.

A banking-industry consultant at the same conference said two striking things:


  1. Bank marketers fought tooth and nail against FFIEC regulations requiring two-factor authentication for online banking logons. (That means you need your password AND something else to log on.) Banking marketers want to make it easy for you (or a hacker) to log on and transfer funds.

  2. Banking customer service representatives are just as dumb as the customers when it comes to online security.

If your bank account gets hacked, your bank isn't going to be of much help. They might get some money back, but in most cases, they won't. Your money's gone. The same goes for any other account of yours that gets hacked, whether it's Facebook, GMail, or Yahoo. Nobody's going to help you much.

So take the time now to do a few things to ensure your online security.


  1. Use antivirus and make sure it's up to date. If you're on Windows, there are several free antivirus packages available, such as Microsoft Security Essentials, Avast, and Avira. Password-stealing viruses infect computers every day. If you want to tweak out on antivirus effectiveness comparisons, go here.

  2. Patch your computer. It doesn't matter if you're on Windows, Mac, Unix, Linux or BSD. Patch.

  3. Change your banking password. Change your email password, because all your password resets go there. Change your security questions, because those reset your passwords. If you're using the same password from college, and your college system gets hacked and reveals your password, then they will find your other accounts.

  4. Realize that you are a hundred times more likely to fall for a phishing email than you are to click on an online ad. (Phishing emails are now so common that you might get one that coincides with a recent transaction, making you think it's real.) Now that banks have increased their online security, the hackers are targeting you -- the soft spot.

  5. Also realize there are now office buildings full of professional hackers working in shifts trying to get to your money. (Another panelist, Chris Roberts, talked about research he had done observing the building in an unnamed country in Eastern Europe. Some of his work is available on McAfee's hacker-commerce site.)

  6. Don't use unsecured wireless networks. Secure your home wireless network: replace WEP with WPA2. (WEP is trivially cracked, and WPA with TKIP has known attacks as well.)

About this Archive

This page is an archive of recent entries in the Security category.
