How to determine your Ring Doorbell Pro firmware version

I have a love/hate relationship with my Ring Doorbell.  When I purchased it in 2016 it worked great for a year with minimal issues.  As it became more popular, I noticed the quality dropped with video freezes, black videos, and missed motion events.  This led me to the Ring Doorbell subreddit where I found a community of users who were also experiencing the same issues.  This made me feel a bit better (misery loves company, right?) but still disappointed that this $250 doorbell no longer lived up to its promise.

A number of the users who shared their negative feedback traced some of the poor service to firmware changes.  It soon became commonplace to post your issues along with the firmware version your device was currently running.  Pretty basic troubleshooting practice.  So it was much to everyone’s dismay when in late 2017, Ring decided to change how they displayed firmware versions.  In short, if your device is on the latest version the mobile app would only display “Up to Date” as opposed to an actual firmware version number.  But without an actual firmware version number to compare with others, for all you know your device may actually be on an older version but hasn’t properly updated itself, such that it merely *thinks* it is up to date.  Presumably, if it were actually out of date, it would display a version number, but this is useless as you cannot manually force an upgrade.  And again, you can’t compare with others to know which version you should actually be on.  This also makes it difficult to track changes that Ring is making and correlate them to your device’s performance improvements or degradations.  As you might imagine, there was a lively Reddit discussion on this.

Being in the information security field, I know that software version numbers are critical to confirming that my application is fully patched against any identified security vulnerabilities.  Naturally, I was disappointed by this change and soon looked for ways to determine the version number using, what else?  My Palo Alto firewall.

I knew my Ring Doorbell had to communicate with Ring’s servers in some way to check if it was running the latest firmware version.  I figured an easy way for Ring to do this is via user agent strings.  So I first checked the Monitor tab to see if the user agent of the device appeared in the URL Filtering view.  Sadly, the user agent field was blank, suggesting that this information wasn’t being sent in ordinary HTTP traffic that the URL Filtering log would show.  Still feeling confident that the user agent must be somewhere, I decided to run a packet capture through the Palo Alto via Monitor -> Packet Capture.

  1. Navigate to Configure Filtering -> Manage Filters.
  2. Click Add and configure the Source with the IP address of your Ring Doorbell.  I have mine statically assigned via my DHCP server but this should be fairly easy for you to determine either in your wireless router or your Palo Alto firewall.  Click OK when done.
  3. Back in the Configure Filtering menu turn Filtering to ON.
  4. In Configure Capturing click Add and select firewall for Stage and give your packet capture a file name.  In this example I’ve used ringdoorbell.  Click OK and your view should look like the one below.
  5. Once you’re ready, in the same view set Packet Capture to ON.  You’ll receive a warning about packet captures degrading system performance and to remember to disable the feature once you’re done.  Click OK to proceed.
  6. Now we need to generate some traffic through the doorbell to hopefully find the user agent string in the packet captures.  Start a Live View session through your Ring mobile app and let it run for at least 30 seconds.  Once completed, set Packet Capture back to OFF.
  7. Click the Refresh button in the top right corner or reload the page to find your newly created packet capture file in the Captured Files view.  Click on it to download the file to your computer.
  8. You’ve got a few options to view this file.  Since I’m on a MacBook Pro, I’ll walk through how to use tcpdump to quickly find the user agent.  You could also use Wireshark to accomplish this.

Locate the file on your system and use the following tcpdump command: tcpdump -nn -r ringdoorbell.pcap -A | grep -i agent

tcpdump -nn -r ringdoorbell.pcap -A | grep -i agent
reading from file ringdoorbell.pcap, link-type EN10MB (Ethernet)
User-Agent: Device/lpdv2/1.13.00069
User-Agent: Device/lpdv2/1.13.00069
User-Agent: Device/lpdv2/1.13.00069
User-Agent: Device/lpdv2/1.13.00069

Voila!  You can see that my user agent shows that my Ring is on firmware version 1.13.00069.  From here, I could look for ways to automate this or periodically run this check manually and compare with previous captures to see if I can correlate Ring issues with changing firmware numbers.  Another way to possibly do this is to use my favorite security tool Bro to extract this automatically in real time.
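As an added example (not code from the original post), here is a small Python script that reads a classic libpcap file such as the ringdoorbell.pcap downloaded above, pulls the Device/lpdv2 firmware version out of the User-Agent header, and compares it with the last version you recorded. The pcap reader, the function names and the embedded sample capture are my own constructions; the sample payload pads the Ethernet/IP/TCP headers with zero bytes since only the HTTP bytes matter here.

```python
"""Extract Ring firmware versions from a pcap by scanning each packet's bytes
for the Device/lpdv2 User-Agent header the tcpdump output above revealed."""
import re
import struct

UA_RE = re.compile(rb"User-Agent: Device/lpdv2/(\d+\.\d+\.\d+)")


def iter_pcap_records(data: bytes):
    """Yield (ts_sec, packet_bytes) for each record in a classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian pcap (what tcpdump writes on macOS)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def firmware_versions(pcap: bytes) -> dict:
    """Map each firmware version seen to the timestamp of its first appearance."""
    seen = {}
    for ts, packet in iter_pcap_records(pcap):
        for m in UA_RE.finditer(packet):
            seen.setdefault(m.group(1).decode(), ts)
    return seen


def version_changed(previous: str, pcap: bytes):
    """Compare a capture against the last known version: (changed, versions_seen)."""
    versions = firmware_versions(pcap)
    return any(v != previous for v in versions), sorted(versions)


def build_sample_pcap() -> bytes:
    """Constructed sample capture: one record carrying the header from the post."""
    payload = b"\x00" * 54 + b"GET /api HTTP/1.1\r\nUser-Agent: Device/lpdv2/1.13.00069\r\n\r\n"
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rhdr = struct.pack("<IIII", 1522368000, 0, len(payload), len(payload))
    return ghdr + rhdr + payload
```

For a real capture, pass `open("ringdoorbell.pcap", "rb").read()` to `version_changed` with the version from your previous run.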

I hope that Ring strongly reconsiders this change and reverts to displaying the full firmware version number.  But in the meantime, I (and now you!) have a way to accurately determine this value.


Palo Alto Firewall: macOS Updates NSURLErrorDomain error -1012

About a month ago, I enabled decryption on my Palo Alto firewall and limited it only to traffic to and from my MacBook Pro.  It’s worked well and provided great visibility into the vast amounts of encrypted traffic that we see nowadays.

So what’s this have to do with macOS?  Apple periodically releases updates and I had read that one was just released.  I checked my laptop and saw that I had a few updates to install for the iWork suite and Xcode.  Notably missing were notifications for the core macOS system updates.  I clicked on the “Updates” button again in the Mac App Store and received the following message:

“Oh, the operation couldn’t be completed because of the NSURLErrorDomain error -1012?  Great, real helpful.”  I tried closing and reopening the App Store with no luck.  I thought maybe my laptop just wasn’t happy because I hadn’t rebooted in a while so I tried that, but still no luck.  I searched the interwebs and found a few forum posts, but nothing too helpful.  One post included lines from /var/log/install.log so I decided to check out what mine said.

2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Ramped updates marked
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Scan for client pid 501 (/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Elapsed scan time = 0.2
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSErrorFailingURLKey=https://swscan.apple.com/content/catalogs/others/index-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog, NSLocalizedRecoverySuggestion=Make sure you’re connected to the Internet, and then try again., SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}

“Refusing invalid certificate from host: swscan.apple.com” — now we’re getting somewhere!  I knew immediately this was due to my Palo Alto decryption.  I checked my Monitor logs and confirmed that decryption was occurring on traffic to https://swscan.apple.com.
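As an added example (not part of the original post), the following Python reads install.log lines of the kind shown above, lists the hosts whose certificate softwareupdated refused, pulls the catalog URL out of the -1012 scan error, and reports the hosts that appear in both, which are the ones to consider for the decryption exclusion list. The sample lines are constructed from the ones on the page with the catalog path shortened; the function names are mine.

```python
"""Find update failures caused by TLS interception in macOS install.log lines."""
import re
from urllib.parse import urlparse

REFUSED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) softwareupdated\[\d+\]: "
    r"Failed Software Update - Refusing invalid certificate from host: (?P<peer>\S+)$"
)
FAILING_URL_RE = re.compile(r"NSErrorFailingURLStringKey=(?P<url>https?://[^,\s]+)")
CODE_RE = re.compile(r"NSURLErrorDomain (?:error |Code=)(?P<code>-?\d+)")

# Constructed sample modelled on the log excerpt in the post (catalog path shortened).
SAMPLE_LOG = """\
2018-03-29 22:17:47-05 macbookpro softwareupdated[501]: Scan got error The operation couldn't be completed. (NSURLErrorDomain error -1012.)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Scan for client pid 501 (/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated)
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: Failed Software Update - Refusing invalid certificate from host: swscan.apple.com
2018-03-29 22:20:23-05 macbookpro softwareupdated[501]: SUScan: Error encountered in scan: Error Domain=NSURLErrorDomain Code=-1012 "(null)" UserInfo={NSErrorFailingURLStringKey=https://swscan.apple.com/content/catalogs/others/index-10.13.merged-1.sucatalog, NSErrorFailingURLKey=https://swscan.apple.com/content/catalogs/others/index-10.13.merged-1.sucatalog, SUErrorRelatedCode=SUErrorCodeScanCatalogNotFound}
""".splitlines()


def find_refused_hosts(lines):
    """Return {peer_host: first_timestamp} for every certificate refusal."""
    refused = {}
    for line in lines:
        m = REFUSED_RE.match(line.strip())
        if m:
            refused.setdefault(m.group("peer"), m.group("ts"))
    return refused


def failing_urls(lines):
    """Return the URLs named in scan errors carrying NSURLErrorDomain code -1012."""
    urls = []
    for line in lines:
        code, url = CODE_RE.search(line), FAILING_URL_RE.search(line)
        if code and code.group("code") == "-1012" and url:
            urls.append(url.group("url"))
    return urls


def exclusion_candidates(lines):
    """Hosts that were both refused and named in a -1012 failing URL."""
    refused = find_refused_hosts(lines)
    url_hosts = {urlparse(u).hostname for u in failing_urls(lines)}
    return sorted(h for h in refused if h in url_hosts)
```

Run it against `open("/var/log/install.log").read().splitlines()` to get the same report for your own machine.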

So how do I solve this?  A little digging and I found that Palo Alto maintains a predefined list of URLs to exclude from decryption in Device -> Certificate Management -> SSL Decryption Exclusion.   These are URLs that Palo Alto knows will cause issues if decryption is attempted.  Interestingly, searching for “apple” in this list showed a number of predefined apple.com URLs.  One was even described as “apple-appstore: pinned-cert” suggesting that perhaps Apple has updated the URL for this, causing my decryption to break my update process.

To add my own, I clicked “Add” at the bottom, and entered the following:

Committed the change and tried updating my laptop once more.  This time, it worked!


Eric’s Top 7 Ways To Get Ready For Security Awareness This Summer

Once upon a time, I believed that security awareness trainings were simply boring computer-based training videos that compliance requirements forced upon companies.  You’d simply “next, next, next” your way through and learn nothing of value.  However, in my current role I am directly responsible for developing the security program for my company and with a small team, I’ve realized how important it is to build a security culture to move my initiatives forward. To that end, security awareness trainings (if done properly) can be an effective method for educating employees and developing a security culture.

Given that I actually want people to learn about security and help me achieve my security goals, I set out to create an engaging and entertaining training.  Having done these for over a year now, I’ve found that people generally just aren’t knowledgeable about security and if you show them how it applies to their everyday lives and how to do things in a more secure manner, they become far more interested and engaged.

So here’s what I think makes for an effective security awareness training.

  1. Deliver it live and in-person.  Granted, this isn’t always possible, especially if you work for a large, geographically spread out company. But if you can do this, I highly recommend it.  We as security professionals don’t like sitting through computer-based trainings or vendor-purchased cookie-cutter security programs, so what makes us think our coworkers would enjoy it any better?  Doing it live puts a face to your company’s security program and allows for back-and-forth discussion and a chance for people to ask questions.  These are good things, I promise.
  2. Make it an integral part of new hire orientation.  By making this part of a new hire’s first day, it tells each new employee that your company takes security seriously and ultimately helps to build a culture of security.  Work with your HR department and explain why this is critical.  You’ll likely be able to lean on any compliance controls you may be required to follow (SOX, PCI, etc.) that mandate some kind of security training for new employees.
  3. Introduce the Security Team. Explain the purpose of the team and why the team exists.  I tell everyone that our team’s goal is to protect the company’s assets to enable the business to succeed.  That’s easily understandable and free of any technical jargon or fancy language.  It also ties it back to the business and its overall goal of wanting to succeed to increase profits.  If the team is small enough, mention names and roles.  If it’s large, outline the roles at a high level.
  4. Explain why security matters.  Give examples and then give more examples.  Talk about breaches and malware that’s been in the news.  In my training, I do this and cover interesting statistics and trends that have been reported by reputable security sources.  These include how long an attacker goes undetected on average and how often a weak password leads to compromise.  These statistics combined with my own commentary illustrate how security is critical to any business and that the struggle is in fact real.
  5. Discuss why someone would target your company.  If your company generates any kind of revenue or holds valuable assets and information, you can be certain that someone will target it.  Think about what your company does and what would be of most interest to an attacker.  I tell people that our company’s assets include our people, products, money, data, and brand reputation.  Each of these would be impacted by a security breach.
    The best way to drive this point home is by sharing a past security incident that occurred at your company to explain how the company’s already been successfully compromised.  Naturally, you should obtain the approval of your executive and legal teams prior to sharing this type of information.  One type of breach that most are comfortable with sharing is regarding any successful phishing scams as this is a common type of attack that most people have already experienced both in business and in their personal lives.
  6. Present the safeguards in place and provide actionable steps to secure company assets.  You’ve worked hard to implement some amazing security technologies and controls.  While not everyone will understand (or care) about each of these, highlight the more user-facing ones.  In my training, I discuss the importance of patching and the periodic prompts to install updates, the convenience of our single sign-on solution, how to create strong passwords using passphrases, how to securely access mobile email through our MDM solution, the importance of using our secure file storage and sharing solution, and how to quickly lock their screen to limit unauthorized access.  These are all relevant and actionable steps that end users can take to secure valuable company assets.
  7. Most importantly, engage people and include them as part of the Security Team.  Present the material in an engaging manner.  While security is a serious topic, that doesn’t mean it has to be dry.  Use humor, tell stories, answer questions.  And always with a smile, even if HR scheduled for you to talk at 8 AM at the last minute. 😛  Easier said than done, sure, but this goes a long long way to keeping people interested in what is otherwise a typically bland topic for most.
    Finish by telling them that they’re not only part of their respective department/team but now that they’ve taken your training, they’re also part of the Security Team.  Explain that you can’t secure everything on your own and that you need everyone’s help to prevent and respond to security incidents.  Reiterate that security is not just one team’s responsibility, but in fact, everyone’s responsibility.

I’ve applied these methods for over a year in my own trainings and I’ve seen people engage my team in ways I never experienced in previous roles.  People ask for our opinions on security regarding technologies and processes and they actively report suspicious activities be it strange emails or abnormal computer behavior.  We’ve been told by others that they support security and are grateful for the efforts of my team.

This is truly amazing, and I have no doubt that these 30-45 minute trainings that I deliver a few times each month have played a significant part in this.  You may think you’re a 1337 haxx0r that can defend your company’s network on your own, but you’re fooling yourself if you do.  You may be the security expert and all around technical wizard, but if people don’t value security or understand what security’s purpose is, your own people will continue to be your biggest security hole.  Why not spend the time and effort to flip that around and make them one of security’s biggest assets?
