Protect against vulnerability CVE-2016-5696 in CentOS 6.8

This guide shows how to protect a CentOS 6.8 machine against the off-path TCP vulnerability CVE-2016-5696.

Run the following command to check the kernel version that your box is running:

uname -r

Run the following to verify your CentOS version details:

cat /etc/redhat-release

Below is a screenshot of the output of the above commands on my CentOS 6.8 box.

[Screenshot: release information on CentOS 6.8]

Workaround against the attack:

Open your sysctl.conf file:

vi /etc/sysctl.conf

[Screenshot: opening the config file in vi on CentOS 6.8]

Below is a screenshot of my default sysctl.conf file which does not contain “net.ipv4.tcp_challenge_ack_limit”.

[Screenshot: default sysctl.conf on CentOS 6.8]

Now add the following line at the end of the config file:

net.ipv4.tcp_challenge_ack_limit = 999999999

Below is a screenshot after editing the config file.

[Screenshot: edited config file on CentOS 6.8]

Save and exit the file (press ESC, then type :wq and hit Enter on your keyboard).

Use the command below to reload the configuration and verify that the value of net.ipv4.tcp_challenge_ack_limit is 999999999; sysctl -p prints every setting it applies.

sysctl -p

[Screenshot: output of sysctl -p on CentOS 6.8]

If your output shows the same line as in the above screenshot, the setting is active and makes the exploit extremely hard to perform (practically impossible). The above is a workaround for mitigating the off-path TCP attack on a CentOS 6.8 machine and will also work on Red Hat Enterprise Linux 6.8.
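As an added example (not part of the original guide), the POSIX shell script below performs the same workaround in an idempotent, checkable way: it adds or replaces the net.ipv4.tcp_challenge_ack_limit line in a sysctl.conf-style file, reports the value the file configures, and reads the running kernel's value from /proc/sys where that knob exists. The helper names, the demonstration on a constructed sample file instead of /etc/sysctl.conf, and the sample contents are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original guide): apply and verify the
# CVE-2016-5696 workaround for a sysctl.conf-style file. Helper names,
# the sample file and its contents are assumptions of this example.

KEY="net.ipv4.tcp_challenge_ack_limit"
WANT="999999999"   # value recommended in the guide above

# ensure_sysctl_setting FILE
# Appends "KEY = WANT" if FILE has no KEY line; otherwise rewrites the
# existing line in place. Safe to run repeatedly: never duplicates the entry.
ensure_sysctl_setting() {
    if grep -q "^[[:space:]]*${KEY}[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*${KEY}[[:space:]]*=.*|${KEY} = ${WANT}|" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$KEY" "$WANT" >> "$1"
    fi
}

# configured_value FILE
# Prints the value FILE sets for KEY. The last matching line wins, which is
# how sysctl -p applies a file; prints nothing if KEY is absent.
configured_value() {
    grep "^[[:space:]]*${KEY}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# check_file_mitigated FILE
# Exit status 0 when FILE configures KEY to WANT, 1 otherwise.
check_file_mitigated() {
    [ "$(configured_value "$1")" = "$WANT" ]
}

# live_value
# Reads the running kernel's setting (the value sysctl -p reports after a
# reload). Prints nothing when the knob does not exist on this host.
live_value() {
    cat /proc/sys/net/ipv4/tcp_challenge_ack_limit 2>/dev/null
}

# Demonstration on a constructed copy of a sysctl.conf that lacks the key,
# the situation shown in the screenshots above. To apply it for real, run
# ensure_sysctl_setting /etc/sysctl.conf as root, then sysctl -p.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Sample sysctl.conf (constructed for this example)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
EOF
printf 'before: configured=[%s]\n' "$(configured_value "$SAMPLE")"
ensure_sysctl_setting "$SAMPLE"
ensure_sysctl_setting "$SAMPLE"   # second run must not duplicate the line
printf 'after:  configured=[%s] matching lines=%s\n' "$(configured_value "$SAMPLE")" \
    "$(grep -c "$KEY" "$SAMPLE")"
check_file_mitigated "$SAMPLE" && echo "file: mitigated" || echo "file: NOT mitigated"
printf 'running kernel: [%s]\n' "$(live_value)"
rm -f "$SAMPLE"
```

The file check and the live check are deliberately separate: editing sysctl.conf only changes what is loaded at boot or on the next sysctl -p, so a host can have the right line in the file and still be running the kernel default until the reload happens.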

The Fix:

If you want a permanent fix rather than the workaround, upgrade your Linux kernel to 4.6 or above.

If this article helped you, do leave a comment below and like us on Twitter and Facebook. Cheers!

Source: Bobcares

References: Redhat Portal, Redhat Shared Ack Vulnerability

7 reasons NOT to buy the Freedom 251 mobile

Here are 7 reasons NOT to buy the Freedom 251 mobile now:

Reason 1: No SAR mentioned

It won't burn a hole in your wallet, but it will burn one in your pants.

There is no mention of the SAR value anywhere on the website, which is suspicious. According to Indian law, every phone sold in India must have a SAR value below 1.6 W/kg.

[Note: If you need to see the specifications of the phone, you can find it here.]

Reason 2: Actual manufacturer logo hidden with whitener. You gotta be kidding me???

According to BGR, the device is actually manufactured by a company called “Adcom”, and the logo was simply masked with whitener ink (see picture below). I mean, who does that before such a huge launch? At least they should have re-branded the device or changed the casing. I would love to meet the PR guy of Ringing Bells in person someday and say “Hey, nice try, douchebag”.

[Image: Freedom 251 with the Adcom logo masked by whitener]
Image source: BGR.in (see below for credits)

Reason 3: No proper Wiki Page

Here is a screenshot that I took a few hours before the launch of the device on 18th Feb 2016:

[Screenshot: Freedom 251 Wikipedia page as of 18th Feb 2016]

Here is another screenshot, of the manufacturer's Wikipedia page, that I took on 18th Feb 2016 a few hours before the launch.

[Screenshot: Ringing Bells Private Limited Wikipedia page]

It sounds like Ringing Bells is just a reseller that has no idea what it is doing, or else this is an elaborate scheme to market it as the cheapest phone.

Reason 4: Not accredited by ICA

The phone is not accredited by ICA (Indian Cellular Association) and so legally it cannot be sold in India.

Reason 5: Website lacks basic security and optimization

Here is one major security problem that will make you think twice about entering your personal information in their website:

  • The website uses plain-text authentication, which means your login data is sent from your PC to their server unencrypted. So any attacker with access to your network can easily sniff your username and password.

I did a whois lookup on the domain freedom251.com and found that it is registered through the registrar Bigrock.in and hosted on Amazon EC2. For those who are not aware, websites such as www.quora.com run on the Amazon cloud, have little or no downtime and handle traffic well. The best part is that Amazon EC2 is well known for its strong network infrastructure and the fact that you can easily upgrade to a larger instance depending on your website and traffic requirements. I wonder how the mobile manufacturer's website was unable to handle the traffic and went down a couple of times, or had to shut down service, on the launch date itself.

[Screenshot: whois lookup information for the freedom251.com domain]

I really hope they did not choose the AWS free tier micro instance for hosting their website to handle such huge amount of traffic.

Reason 6: Long Shipping period

According to Ringing Bells, if you place an order for the mobile today, you will get it only after 4 months. Since most of you already know that it's not a Ringing Bells product but actually comes from another manufacturer, Adcom, you should have already guessed the reason behind the 4-month waiting period. I believe it is one of two reasons:

  • Make customers place the order, then import the Adcom mobiles from China accordingly and courier them to the customer (and obviously hide the Adcom branding with whitener before shipping).
  • It's possible that they were trying to adopt the marketing technique of the Chinese manufacturer Xiaomi and failed miserably. The difference is that Xiaomi had the mobiles shipped and stocked in India so they could be delivered without the long waiting period, unlike the Freedom 251.

Reason 7: User Interface

Looking at the device's user interface, it closely resembles Apple's iOS. As a matter of fact, the device itself reminds me of my ancient iPhone 3GS.

Thousands of Twitter users are already angry with the turn of events. What do you think about it? Do leave a comment in the comments section below; I would love to hear from you.

Feel free to share this article on Facebook, Twitter or Google+ by clicking the share buttons you see on this page. Do subscribe to get future updates! 🙂

Sources: bgr.in,