Sunday, December 16, 2012

How to DIY the Zik/UE 9000/MDR-1RBT killer using Sennheiser HD 380 Pro

By now, most audiophiles would agree that the Parrot Zik ($399.95), Sony MDR-1RBT ($399.99) and Logitech UE 9000 ($399.99) are the best and most advanced noise-cancelling wireless headsets one can buy. They offer far better sound than other wireless headsets like the Creative WP-450 or conventional wired headsets like the Bose AE2i and OE2i. But to some pure music lovers, those wireless headsets carry too much compromise to be acceptable to their ears. In my case, I would not choose those super-smart pieces of hardware over a proper, carefully tuned wired headphone, although I was very tempted to do so.

To be honest, my choice of headphones is always biased towards Sennheiser, as they have never let me down, just as my choice of computers has always been Dell. Whenever I'm looking for something new, I give them my first thought. So there was no exception when I bought a Sennheiser HD 380 Pro to use during my daily commute and occasional trips. These closed cans give me the most pleasing music I could ever want from a headphone, as well as passive noise cancelling as a bonus thanks to their well-designed earpads. Oh, did I mention that it comes with a 2 year international warranty, which provides better assurance than the standard local one year warranty?


Nothing's perfect, and it is no surprise that the HD 380 Pro isn't without some shortcomings. For starters, its 3.2-foot coiled cable is terrible. If you are in a stationary position, such as using it with a receiver or with a laptop, the cable won't be too much of a burden, but if you are on the move, using the heavy headphone with a coiled cable is unimaginably miserable, with the cable hanging around or sticking out of your pocket.

So I had to do something about this, otherwise it might just end up being used at home like its older brother, the HD 202, accompanying the TX-NR515. One good thing about the 380 is that the cable is detachable: it uses a standard 2.5mm plug on the left earcup and a 3.5mm plug at the source end. So I had to find a shorter cable, preferably around 1m; any longer than this would give me the same trouble again. I was lucky to find one such cable at a local shop, which cost me about five bucks, and it does the job.
The straight 2.5mm end of this cable connects directly to the headphone without any modification.

At the beginning of this post, I mentioned the collection of wireless (Bluetooth) headsets which will set you back $400, and even knowing this month is very good for shopping, $400 would make a huge dent in my wallet. After I replaced the cable, I wanted to go the extra mile and transform this wonderful headphone into a "smart" headset. I happened to have a Sony MW600, which came as a gift when I purchased my last handset. This lovely Hi-Fi wireless headset can do everything those $400 headsets do, except the NFC gimmick, and it has a more practical FM radio. Put simply, it can be used as a Bluetooth receiver, remote control and inline mic.
What makes it even more suitable for my little transformation project is that it has a 3.5mm jack. Yes, marvelous it is, indeed. The end result comes from connecting the new cable's 2.5mm end to the headphone and the 3.5mm end to the wireless control. Once I paired it with my handset, I instantly got a full-blown killer headset that can outperform any of those (super)pricey headsets. As a contingency plan, if the receiver's battery runs flat, I can still connect the headphone directly to any source I want.

In the end, I've got a very nice sounding headphone converted into a wireless headset. There are a few things to note though. The 380 Pro is a monster for the MW600: the receiver is designed to drive 32Ω earphones and is now re-purposed to drive 54Ω. Also, the 380 carries a 500mW load rating, so I'll be expecting a shorter battery life than the 8.5 hours rated for the MW600, which is still more than enough for normal usage.

Monday, December 10, 2012

Manageable Network, Critical Security Controls and NIST SP 800

Now that we are so close to leaving 2012 and counting down to the new year, I think this is the time to sum up what we've seen so far in the NIST Special Publications, whether as final, revised or draft releases (latest count at 25). As all security practitioners would agree, the SP 800 series is the definitive set of guidelines for covering every perspective of GRC, no matter what IT, financial and legal obligations the corporation needs to adhere to, such as SOX, HIPAA or PCI-DSS.

Before we get to the details of those documents, let's start from the very foundation: the enterprise network. Over the years as a network and security professional, one thing I have always done on any network I have managed is "documentation". You may have a state-of-the-art installation in a top-notch data center, but without proper and up-to-date documentation, you are just a sitting duck. To be clear, documentation "is not" the thick user manuals you received from the vendors, or other documents serving the same purpose.

IT network documentation should consist of one or more of the following documents.
  • System configuration and procedure
  • Asset inventory
  • BC and DR
  • Security policies and procedures
A more granular list can be found here. So what is my point in bringing up the issue of not having appropriate documentation? These are my answers to that.

  1. You can't scale your infrastructure according to data growth
  2. You can't protect your network if you don't know what you have
  3. You can't sustain working environment if you don't have contingency plans
Having said that, implementing successful documentation is not as daunting as it sounds if you follow a structured approach like the one published by the NSA. The document (currently at version 2.2, published on 5 April 2012) is aptly named The Manageable Network Plan, and the page worthy of all your attention is page 3. You will see there are several milestones for you to work through.
  1. Prepare to document
  2. Map your network
  3. Protect your network
  4. Reach your network
  5. Control your network
  6. Manage your network, Patch Management
  7. Manage your network, Baseline Management
  8. Document your network
Now we can assign certain NIST SPs to each milestone to help accomplish it. These also align with the SANS 20 Critical Security Controls Version 4.0 in their respective criteria.

CSIS: 20 Critical Security Controls - Version 4.0

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises

The following mapping is to help you get your milestones done in an organized manner. Security Control numbers refer to the list above; SP 800 numbers are the NIST document numbers (e.g. 53 is SP 800-53).

  Milestone             Security Control   SP 800
  Prepare to document   -                  -
  Map network           1                  53
  Protect network       5, 13, 19          53, 94, 153
  Reach network         -                  117
  Control network       12, 14, 16         53
  Patch management      4                  53, 40, 137
  Baseline management   2, 3, 6, 10        53, 121, 124, 147, 164
  Document network      -                  -

Note - Mainly focused on documents released in 2012. Other related publications should be consulted too.
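The "Map network" milestone and Critical Security Control 1 both come down to one check: does every device seen on the wire appear in the inventory, and does every inventoried device still show up? The following script is an added example, not code from the NSA plan or any NIST publication. The inventory CSV and the ARP-table text are constructed for the example; in practice you would export the inventory from your CMDB and take the observations from switch ARP tables, DHCP leases or a discovery scan.

```python
"""Reconcile an asset inventory against what is actually on the wire.

Added example for the "Map your network" milestone / CSC 1. Both data
sets below are constructed; nothing here comes from the NSA or NIST
documents.
"""
import csv
import io
from collections import namedtuple

Asset = namedtuple("Asset", "hostname ip mac owner")

# Constructed sample inventory, in the CSV shape a CMDB export might use.
INVENTORY_CSV = """hostname,ip,mac,owner
fs01,10.0.1.10,00:1a:2b:3c:4d:10,IT
pr-finance,10.0.1.20,00:1a:2b:3c:4d:20,Finance
ws-alice,10.0.1.31,00:1a:2b:3c:4d:31,Finance
sw-core,10.0.1.1,00:1a:2b:3c:4d:01,IT
"""

# Constructed observation in an "ip neigh"-style layout: "<ip> <mac> ..."
# per line. The "(incomplete)" line shows a malformed entry being skipped.
ARP_OBSERVATION = """\
10.0.1.1 00:1a:2b:3c:4d:01 REACHABLE
10.0.1.10 00:1a:2b:3c:4d:10 REACHABLE
10.0.1.21 00:1a:2b:3c:4d:20 REACHABLE
10.0.1.31 00:1a:2b:3c:4d:99 STALE
10.0.1.5 (incomplete)
10.0.1.77 9c:3a:ff:00:12:34 REACHABLE
"""

def load_inventory(text):
    """Parse the CSV export into Asset records keyed by normalised MAC."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = row["mac"].strip().lower()
        assets[mac] = Asset(row["hostname"], row["ip"].strip(), mac, row["owner"])
    return assets

def parse_arp(text):
    """Return {mac: ip} from '<ip> <mac> ...' lines; skip malformed lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1].count(":") != 5:
            continue
        seen[parts[1].lower()] = parts[0]
    return seen

def reconcile(inventory, observed):
    """Classify every device by MAC.

    authorized   - known MAC at its inventoried IP
    moved        - known MAC at a different IP (re-addressed, or the
                   inventory is out of date)
    unauthorized - MAC seen on the wire with no inventory record (CSC 1)
    stale        - inventoried device not seen at all (decommissioned,
                   powered off, or the scan missed a segment)
    ip_conflicts - an inventoried IP answered by a different MAC
    """
    report = {"authorized": [], "moved": [], "unauthorized": [], "stale": []}
    for mac, ip in observed.items():
        asset = inventory.get(mac)
        if asset is None:
            report["unauthorized"].append((ip, mac))
        elif asset.ip == ip:
            report["authorized"].append(asset.hostname)
        else:
            report["moved"].append((asset.hostname, asset.ip, ip))
    for mac, asset in inventory.items():
        if mac not in observed:
            report["stale"].append(asset.hostname)
    # Same IP, different MAC: either the box was re-imaged with a new NIC
    # or something else has taken its address. Worth a ticket either way.
    report["ip_conflicts"] = [
        (a.hostname, a.ip, mac) for mac, ip in observed.items()
        for a in inventory.values() if a.ip == ip and a.mac != mac]
    return report

def run(inventory_csv=INVENTORY_CSV, arp_text=ARP_OBSERVATION):
    return reconcile(load_inventory(inventory_csv), parse_arp(arp_text))

if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}: {items}")
```

Run it on a real export and the "unauthorized" and "ip_conflicts" lists are the items that feed the next milestones: a device you did not know about cannot be patched, baselined or scoped into a BC/DR plan.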

Voilà. Now you are on the better side of network management and you can move forward with optimizing what you have in hand. Let's split the tasks into 3 types of management:
  1. Risk Management
  2. Security Management
  3. Governance
For each type of management, we can map the tasks the same way as the milestones above.
Risk Management

  Milestone                                      Security Control   SP 800
  Backup strategy                                8                  -
  Incident response and disaster recovery plans  18                 -
  Training                                       9                  -

Security Management

  Milestone                   Security Control   SP 800
  Virus scanners and HIPS     5                  -
  BYOD/BYON                   5, 17              -
  Data-at-rest protection     17                 -
  NAP/NAC                     1, 5               -
  SIEM                        14                 -
  Perimeter defence           11, 13             -
  Policies and procedures     -                  -
  App whitelist/blacklist     2                  -
  Remote access security      7                  -

Governance

  Milestone                            Security Control   SP 800
  Configuration and Change Management  3, 10              -
  Audit strategy                       -                  -

Once you arm yourself with these milestones and controls, you can tackle not only today's network-related issues but also future expansion, effectively and efficiently. You will be ready for the upcoming Bring-Your-Own-Device or Bring-Your-Own-Network Generation Z workplace with flexible and comprehensive procedures, while keeping your shields up without falling victim to hacktivism.

Here we are. Merry Christmas and Happy New Year !!!

Friday, November 9, 2012

A walk to the past

I wanted to know where I have been and how far back my Internet history goes. Unfortunately, some of my own archives were lost during several migrations and transitions from system to system. That's true, if you are wondering. That was a time way before the Cloud where you could dump all your archives, with no ubiquitous use of NAS, and in fact I was too young to see the value of backups. To make things worse, most of the data was kept on floppy disks, and sometimes files were compressed and spanned across several disks.

Eight years ago, after I finished my days at high school, I had an urge to possess a representation of myself on the Internet, so I made my very first domain registration. Thanks to this wonderful archive, I am able to see the time I registered the domain.

Back then I had no clue what to publish, and it took me another year to start piecing things together to put on my website. As a beginner, I had very little knowledge of HTML and fancier things like CSS and JavaScript, so the site content was almost entirely static. I also decided to make the site a portal to other sites where visitors could find additional information, so I simply put up the URLs of the sites I browsed most often.

Since I've lost the original templates of the site, I tried to dig up some resources I could rely on, and I discovered some of the design I used in 2005.


Some of you may notice that the page was designed in the original Dreamweaver, long before it was acquired by Adobe. Actually, the design did have some CSS to keep the layout consistent across different resolutions, and later some scripts were added to detect the browser it was served to and optimize for it.

I believe most Internet users would remember 2004 as the birth of Gmail, and it was a form of privilege to get access to it because it was by invitation only; I got mine in November 2004. So I used that to garner more traffic to my site by later adding gmail-lite for people who had restricted access at the time.


Later the site served as a test bed for some of my projects in my undergraduate diplomas and degrees. While most of my classmates had to demonstrate their projects from their laptops during the presentation, all I had to do was give the instructors/moderators the link. From that time on, I enjoyed a form of remote storage, so I didn't need to worry about laptop failure or accidental file loss due to viruses. I would keep copies of class work on the hosting site and modify the folder permissions to prevent them from being browsed externally. As word got out to the instructors, I could no longer use the same excuses as my classmates.

After some time, I got too busy with my studies and lost track of keeping the site updated, so I let it drift. But all along, I wanted to continue what I had started, and I took the first chance I could to contribute content myself rather than just passing along links. Truth be told, passing links has become the mainstream of what people mostly do today, known as Social Networking.

Saturday, October 20, 2012

How "remote" are we going to be?

My "À bientôt" from the last post took a longer detour than expected, as I had set a goal to finish ITIL as the last-minute 2012 milestone, 2 months after CISSP. In addition, most of my previously so-called private network as well as UC were migrated fully to the Cloud, which also consumed a good chunk of the time before I could get back to the keyboard. Now that I have fulfilled my own tasks, it's time to start a new blogging journey.

Let's start off with a simple question: how often do you use remote control software, for business as well as personal purposes? I'll give you a sense of how much of this software usage I normally pick up in any given month: 70% of permitted internet traffic. While the use of such software comes in handy when you are out of the office and need to access some important documents that would otherwise be inaccessible, where do you stand in terms of the network security you have to maintain? Is it too permissive?

There is plenty of remote access software available on the market: TeamViewer, LogMeIn, RemotePC, just to name a few. There are also collaboration applications like GoToMeeting and WebEx, used occasionally during a tech-support session with vendors or for setting up partner meetings. These are, as I said, very useful tools, especially since they are free to use in most circumstances and require little or no technical knowledge from the users. When it comes to portability, TeamViewer and WebEx have native apps for smartphones and tablets, should the users decide to access from elsewhere.

So what makes their traffic so significant? Simply because they act like beacons (oh, I like that term a lot). The agents installed on computers need to sync with the vendors' servers periodically to update all sorts of information like the current IP, installed software updates (for LogMeIn), etc. So even if there is no actual usage, there will be a huge number of inbound and outbound connections to their servers (did I mention they use ports 80 or 443 regardless of any additional proprietary port requirement?), which will essentially consume resources on the web proxy or accelerator in your network.

For starters, that puts us in a security crosshair by revealing two IPs at any time, the local one and the external one, which defeats the purpose of having a NAT firewall in place. Let's think about the scenarios that could happen, even if they are only remotely possible.

1. Man-in-the-middle attack
Now that we know these remote agents are "talking" to their master servers, how resistant are they against MITM? Having read these documents from the respective vendors, I feel a bit more reassured.

TeamViewer Security Information (last update: 31st May 2012)
LogMeIn Security White Paper (last update: 24th March 2012)

Although they have taken all the necessary steps to authenticate and secure the communication channels between the host and the user through their multi-layer architecture, what could happen if that were to be broken? What is at risk? Before mentioning the risks, let me introduce another technology that comes into play when we deal with certificates and SSL. There is a security solution meant for DLP purposes, namely SSL decryption (interception). Used maliciously, the same technology can pose a serious threat to most of the security measures put in place to defend these beacon tunnels. Should the channels be compromised, we would lose at least both the internal and external IPs and, in the worst case, the user's credentials.

2. Password breach
Users are the weakest link in the security chain, as always. Imagine a user whose computer is already infected with trojans or keyloggers, whether through spear-phishing or a negligent download. All of the user's credentials will effectively be sent to cybercriminals in an indiscriminate manner, be it just the remote software account or the account being used on the remote computer. What this breach can affect is not just the user's own remote computer but the whole network in which it resides, if it is part of the corporate network. The attacker gains access with the same privileges as the user, which could later be elevated to higher access rights.

Every network is unique, based on its users and the business requirements. That makes it harder to say no to everything you know is dangerous to your network. To control these remote access tools, you might already know or have what it takes. Here's how. The steps are sorted by the level of complexity involved, easiest first.

- Allow all or block all. (I know this doesn't really count.)

- Segregate your network. If your network has a range of public IPs, dedicate a specific IP to each business unit or requirement. For example, set different IPs for finance, marketing and operations, or for executives, managers, directors and guests. From there, you can allow or deny specific groups the use of remote software.

- Educate the users. Conduct security awareness discussions targeted at the use of this software and the security implications it may introduce to the business. Let the users know the consequences and associated penalties if this is part of the company security policy they agreed to upon joining.

- Implement application whitelisting. This approach has much wider benefits, especially if your network does not have external users connecting to it: it can eliminate not just these tools but restrict the use of any software in your environment.

- Keep all software updated. This applies to all software in the organization and can extend to the user's personal computer where it is used to access the remote computer. Software here covers the OS, applications, anti-virus, internet security and the remote access software itself. When using software that supports logging, make sure the feature is enabled.

I believe the above steps are known to all of you folks out there, but do take a moment to reconsider what we should really allow on our networks.
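The beacon behaviour described above and the segregation step in the list are both things you can check from the proxy logs you already keep. The script below is an added example, not something from the original post or from any vendor's documentation. The log lines are constructed to look like Squid's native access.log format; the vendor hostnames, the business-unit subnets and the "only the executives' subnet may use remote tools" policy are assumptions made for the example.

```python
"""Spot remote-access "beacons" in proxy logs and check them against a
network-segregation policy.

Added example. The access.log text, the remote-tool domain list and the
allowed subnet are all constructed for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log in Squid native format:
# "epoch elapsed client status bytes method url ident hierarchy type"
ACCESS_LOG = """\
1350720000.000 61 10.10.20.15 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720010.000 800 10.10.30.8 TCP_TUNNEL/200 5120 CONNECT secure.logmein.com:443 - HIER_DIRECT/203.0.113.20 -
1350720020.000 59 10.10.30.8 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720050.000 120 10.10.40.3 TCP_MISS/200 9876 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1350720095.000 600 10.10.30.8 TCP_TUNNEL/200 4096 CONNECT secure.logmein.com:443 - HIER_DIRECT/203.0.113.20 -
1350720180.000 60 10.10.20.15 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720201.000 58 10.10.30.8 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720360.000 62 10.10.20.15 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720380.000 57 10.10.30.8 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720400.000 98 10.10.40.3 TCP_MISS/200 1234 GET http://www.example.com/news - HIER_DIRECT/93.184.216.34 text/html
1350720540.000 60 10.10.20.15 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720560.000 61 10.10.30.8 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
1350720610.000 700 10.10.30.8 TCP_TUNNEL/200 4096 CONNECT secure.logmein.com:443 - HIER_DIRECT/203.0.113.20 -
1350720720.000 60 10.10.20.15 TCP_TUNNEL/200 3010 CONNECT ping3.teamviewer.com:443 - HIER_DIRECT/203.0.113.9 -
"""

# Assumed: domains belonging to remote-access vendors (suffix match).
REMOTE_TOOL_DOMAINS = ("teamviewer.com", "logmein.com")
# Assumed policy from the segregation step: only the executives' subnet
# may use remote-access tools at all.
REMOTE_TOOL_ALLOWED = [ipaddress.ip_network("10.10.30.0/24")]

def parse_access_log(text):
    """Return (timestamp, client_ip, destination_host) per usable line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # truncated or non-request line
        ts, client, method, target = float(parts[0]), parts[2], parts[5], parts[6]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]  # "host:443" -> "host"
        else:
            host = urlsplit(target).hostname or ""
        if host:
            events.append((ts, client, host.lower()))
    return events

def is_remote_tool(host):
    """Exact or subdomain match, so 'teamviewer.com.evil.example' is not one."""
    return any(host == d or host.endswith("." + d) for d in REMOTE_TOOL_DOMAINS)

def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return {(client, host): (hits, mean_gap_seconds)} for pairs whose
    connections arrive at near-constant intervals, i.e. the coefficient of
    variation of the gaps is at most max_cv. A person using a tool is
    bursty; an idle agent checking in on a timer is not."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = (len(times), mean)
    return beacons

def policy_violations(events):
    """Clients outside the allowed subnets that reached a remote-tool domain."""
    hits = set()
    for _, client, host in events:
        addr = ipaddress.ip_address(client)
        if is_remote_tool(host) and not any(addr in n for n in REMOTE_TOOL_ALLOWED):
            hits.add((client, host))
    return sorted(hits)

def analyze(log_text=ACCESS_LOG):
    events = parse_access_log(log_text)
    return {"beacons": find_beacons(events), "violations": policy_violations(events)}

if __name__ == "__main__":
    result = analyze()
    for (client, host), (hits, gap) in sorted(result["beacons"].items()):
        print(f"beacon: {client} -> {host}, {hits} hits every ~{gap:.0f}s")
    for client, host in result["violations"]:
        print(f"policy: {client} is not allowed to reach {host}")
```

On the sample data both the finance workstation and the executive's machine show a TeamViewer agent checking in every three minutes, but only the finance one is a policy violation; the LogMeIn sessions from the executive's subnet are irregular (interactive use) and permitted. The interval-regularity test is the same idea you would apply to spotting malware command-and-control, which is why an idle remote-access agent is hard to tell apart from one without the domain list.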

In case anyone is wondering what my milestones in 2013 will be, I will be doing either CISM or CISMP, depending on my interest at that point in time, and also PMP. If I can juggle my time well, I will get back to programming with Python.

Thursday, September 27, 2012

Everything 2.0

I've been sharing security issues related to the enterprise setting in my previous posts, and this time around I'll move my focus to the place where we live and love: our home.

Let's rewind a few years back, say 5 years? We organically had a handful of cables connecting entertainment equipment, whether in living rooms or bedrooms. Remember those bulky cables like RCA, component cables, and, for certain audiophiles, optical S/PDIF (TOSLINK) cables meshed behind the TV stand? The main contributors to this cable mess in the living room were the VCR, DVD player, satellite receiver, home theater and whatnot.

Fast forward to the present day: that bulk of cables has now largely been replaced by the adoption of HDMI across various devices, and there is one more, an Ethernet cable or WiFi, offering the extension of Web 2.0 beyond our computing devices. If you happened to purchase anything ranging from a Bluray player to a Smart TV to an AV receiver recently, you are in the Everything 2.0 club, which means they have one or both of the network connections mentioned above.

Now, let me bring up the reason why I picked these devices and why they warrant the same (if not more) security awareness as corporate networks. While connected to the Internet, the rule of thumb is that you are vulnerable, whether you are at home or at the office. In fact, at the office you are considerably safer than at home (and if you don't get this feeling, make some noise to your IT boss), provided there are layers of security such as a firewall, IPS, email gateway and so forth. So the network services you receive at your workplace can do less harm to your personal life.

So we can put up a list of average household items that we might have for infotainment.
  1. Smart TV
  2. Apple TV
  3. Set-top box
  4. AV receiver
  5. Bluray player
  6. HTPC
  7. NAS with DLNA support
And what makes me concerned about security at home with these toys? The network connection is one thing, but there is something more serious: they run operating systems or firmware. For computers, we are more or less familiar with doing software updates, and even for smartphones we naturally apply the OTA releases when the service providers push them. This is where the gap comes in. How often does your instinct tell you to update your Bluray player's firmware, with "Java" running inside, as is common in almost all players and receivers sold today? If your answer is somewhere between "No" and "should I?", you've been warned.

For customers of Hulu, Netflix or other pay-per-streaming services, these devices happily store your credentials as soon as you sign in. Another factor is that your home network is only as secure as your home router; in case you happen to own a Huawei router, please accept my sympathy. In addition, the release of Cloud-manageable home routers from Cisco-Linksys (yes, I mean the EA series) opens up more possibilities to be exploited.

When I read this post about Java ME (Embedded version 3.2), it gave me a chill, because in the near future we may be seeing Stuxnet-like attacks on these devices, as there were on Siemens SCADA. I dearly hope it doesn't materialize; if it did, the scale would be humongous.

So, to round things up: make sure the devices listed above can receive updates and, better yet, apply them automatically. Periodically, if not religiously, check for firmware updates for your home gateway. And if you have been using port forwarding (PAT) on your router to reach other devices like a wireless camera, make sure you set a STRONG password on them.

Over and out. À bientôt.