March 2005 Archives
has an article detailing "the six dumbest ways to secure a wireless LAN"
. While these security measures won't make your Wi-Fi network less secure, they don't do much to make it more secure. MAC address filtering and SSID hiding will keep a casual user (of the "fire up my laptop and see if I can connect to an open Wi-Fi network" variety) off your LAN, anybody with a modicum of Wi-Fi savvy will be able to get right on. He's also right about LEAP: password data is not encrypted in transit, making offline password-guessing attacks trivial. Where he's wrong is his description of EAP-FAST. It is, in fact, an open standard
. What's more, EAP-FAST should work with any 802.1X-capable access point. The nice thing about EAP — from an access point maker's standpoint — is that the access point doesn't need to know anything about EAP protocols. The access point merely acts as a relay — it's the client and server that do all the EAP heavy lifting. Any access point that supports EAP-TTLS, PEAP, or LEAP should work just fine with EAP-FAST.
By Chris on March 31, 2005 12:04 PM
From the security-is-a-rich-tapestry file: Macintouch
readers are reporting that the Mac OS X Quark Xpress
installer changes permissions of every file in the /Applications directory to world read/write/execute. Thus far there are no obvious exploits for this bug, but it does demonstrate that even non-security related applications can have security flaws. All
software developers need to think about how to secure their applications, not just those in the security space.
By Chris on March 30, 2005 9:47 AM
By Chris on March 29, 2005 10:13 AM
The frequency with which attacks are launched on our server here is alarming (dozens a day), but she's holding fast. Nobody is making a concerted effort to target us, these are just scripted attacks banging against random hosts hoping to find a weakness. I can't imagine what a sysadmin at a company that is a specific target
must have to put up with on a daily basis.
By Chris on March 28, 2005 11:00 AM
I don't know much about the merits of the case, but if I were a Vonage employee I'd be pretty shaken by this. It's easy when you are sitting in front of a computer screen to deal entirely in abstractions, but this drives home the point that internet telephony is far more than just a cool techno gadget — people's lives may be depending on it.
By Chris on March 25, 2005 10:02 AM
By Chris on March 24, 2005 10:44 AM
By Chris on March 23, 2005 9:18 AM
By Chris on March 22, 2005 10:55 AM
Microsoft has documented their "Trustworthy Computing Security Development Lifecycle"
, the "process that Microsoft has adopted for the development of software that needs to withstand malicious attack" (doesn't all software need to withstand malicious attack?). This paper details the changes that Microsoft has made to its normal design/program/test/release software development cycle to ensure the security of their products.
There's very few software companies that take security as seriously as Microsoft does today. They've heard and understood the criticism of their products, and it's great that they've developed this detailed development methodology. That said, I think that their conclusions regarding the SDL's effectiveness may be overblown. For instance, they cite going from 62 critical bugs in Windows 2000 Server to 24 in Windows Server 2003. I wonder how much of this reduction is due to their high falutin' development plans and how much is due simply to avoiding buffer overflows
. Searching their source code and replacing strcpy() with safestrcpy() probably accounted for a number of these bug fixes. I particularly like the SQL Server chart, pre- and post-SDL — "after we fixed a bunch of bugs, there were fewer bugs!" Well, duh!
By Chris on March 21, 2005 10:00 AM
This highlights the my favorite feature of my iSight
: there's a ring around the lens that, when twisted, physically closes an aperture in front of the lens. I can easily verify that the camera is switched off, thus enabling me to dance naked in front of my computer worry-free.
By Chris on March 18, 2005 11:15 AM
writes a column for the New York Times called The Security Adviser
. Last week's column (which I can't link to because the Times wants money for the article
) was about security issues associated with ID cards. In the article, Clarke argues against creating a system of national ID cards, and gives several good reasons:
- They don't prove identity very well — the 9/11 hijackers had legitimate (although fraudulently obtained) Virginia driver's licenses.
- Privacy is at risk — Clarke says that he would be willing to give up private financial information in order to obtain an ID to speed him through airport, but doesn't want the IRS having access to that info
- Accurate verification is difficult — good fakes are not hard to make, and the people in charge of validating the cards are not well trained or well paid
I'll add another, even better reason not to rely on ID cards as an anti-terrorism tool: they would be ineffective. Even if Clarke's concerns are addressed, an ID card still would only prove identity not intent. If Osama bin Laden walked through airport security with an ID card, he would be promptly arrested. We know who he is and what he has done. The problem is that Osama will not be going through airport security, he'll be sending subordinates with no terrorist history. They'll be let right through — their ID cards will validate, and we'll know who they are but not what they are planning.
I'm not arguing against ID cards, but as the title of this post says, proving identity is just part of the security equation. Before we implement an anti-terrorism ID system we need to address the issues raised by Clarke, and develop a system that can identify terrorist before they board an airplane (or buy a gun, or get a job at a chemical plant). If only that idea was as easy to implement as it was to write. I won't be holding my breath waiting for it.
By Chris on March 17, 2005 11:28 AM
- Reduced privilege mode becomes the default
- No cross-domain scripting and/or scripting access
- Improved Secure Sockets Layer (SSL) user interface
- Possible integration between IE 7.0 and Microsoft's Windows anti-spyware service, which currently is in beta
All of these are welcome additions. I'm particularly intrigued by the SSL UI changes. The article gives no details, but I presume that they involve noting more visibly whether a site is SSL protected and whether the site really is what it purports to be. This should help prevent phishing attacks.
Another feature to be added is International Domain Name (IDN) support. Microsoft dodged a bullet by being slow to adopt this technology, which has bitten other browser vendors
. By waiting, Microsoft gets the chance to do it right the first time around.
By Chris on March 16, 2005 11:33 AM
By Chris on March 15, 2005 3:15 PM
Looks like the name "Evil Twin"
has caught on. The attack on Wi-Fi users — where a malicious access point is placed in range of users and given the SSID of a network that the users trust, tricking them into connecting — has gotten more coverage
, this time in PC World
. It's good to see some coverage there. PC World is a consumer-oriented publication, and there is a lot of ambivalence about Wi-Fi security in that space.
By Chris on March 15, 2005 2:59 PM
By Chris on March 14, 2005 11:09 AM
The IDN spoofing attack is based on the fact that there are Unicode characters that, when rendered by the browser, appear to be other characters (the IDN proof of concept used "www.paypal.com" with the first 'a' being a Cyrillic letter that appears as a Roman 'a' in many fonts). The Unicode Consortium is also addressing long-known problems with encoding UTF-8. With UTF-8, there are multiple ways to encode the same information. If the decoding application isn't careful (and it can be difficult — Unicode encoding and decoding is notoriously arcane), subtle securlty flaws can be introduced
The work is just in the specification phase, and the recommendations are already being implemented by software vendors. The IETF
has been mandating UTF-8 support
for years now, so it is very widely deployed. It will be a while before even a majority of software vendors have implemented the full range of fixes.
By Chris on March 14, 2005 11:05 AM
By Chris on March 11, 2005 10:54 AM
Windows WP SP2 and Windows Server 2003 are vulnerable to the LAND attack
. This one is an oldie — it was originally identified in 1997 (OK, so that's not that long ago in geologic time, but in internet time...). Fortunately, having Windows Firewall enabled blocks the attack.
The reappearance of bugs like this highlights the importance of regression testing
, which confirms that new software modifications don't unfix previously fixed bugs. It also highlights the importance of institutional memory. This attack is over seven years old — it's very possible the Microsoft engineer who re-introduced the vulnerability was not working at the company back then, and was not even aware that the LAND attack existed. Having the old hands around who know what not
to do is just as important as hiring the young guns for any software development company.
By Chris on March 10, 2005 4:53 PM
- Remote Administration The Elektron Settings application now supports connecting to the Elektron server over the LAN, rather than being restricted to running on the same machine as the server. This means that you can stick your server in a closet and administer it from your desktop — no more need to be sitting at the server or using something like VNC to configure it. To keep things secure, the connection between the server and the Elektron Settings application is encrypted using SSL.
- Session Timeouts You can now configure the length of time that a user may be logged into the network. Enabling this feature sends a RADIUS "Session-Timeout", requiring the client to re-authenticate after a fixed period of time. This increases security by forcing the per-client encryption keys to be regenerated at regular intervals. One caveat: this feature requires that your access points support the Session-Timeout attribute, and not all do. If your access points do not, then it will simply be ignored.
- MAC Address Authentication Since first releasing Elektron eight weeks ago, we've been surprised by the number of requests we are receiving for this feature. It's a simple (but not very secure) method of limiting access to the wireless network based on the MAC address of the client's Wi-Fi card. For organizations that need some form of control over who accesses their network, but can't upgrade their users to recent WPA Enterprise capable equipment (K-12, you know who I'm talking about!), this feature will keep out casual users. It does not provide encryption, and it is easy to spoof for anybody with even a small amount of technical expertise, so we don't recommend its use unless you absolutely cannot deploy WPA Enterprise.
- Command Line Account Configuration Elektron now includes a command line tool for adding and removing Elektron user accounts, and for changing the passwords on those accounts. This allows you to script the account management process, and even create different front-ends for it. For instance, the Elektron manual includes an example CGI demonstrating a web page that allows a user to change their Elektron account password.
- LEAP Support In addition to PEAP and TTLS, Elektron now supports LEAP for authentication. There is some older equipment out there that only supports LEAP, and now you can authenticate this equipment using Elektron.
While the whole shebang looks similar to the previous release on the outside, in the inside it's a pretty big upgrade. We'd appreciate everyone who could shake it down and let us know
(via the support email address) about any problems encountered. This is a beta release, so don't deploy it on a production server. Since this is infrastructure software we prefer to do infrequent but well tested beta releases. We've been banging on it for weeks now, but there is no substitute for real-world testing. So please, download it and give it a try today!
By Chris on March 9, 2005 11:41 AM
The prisoners employed multiple layers of security to conceal their messages. First, they used urine as poorman's invisible ink — when the paper containing the message is heated, the "ink" becomes visible. Next, the message was written using seemingly innocuous phrases that were really coded instructions — "eight pound seven ounce baby boy" meant "the murder is approved". Finally, the shape of the alphabet letters in the messages concealed a secondary message containing a sequence of A's and B's (the initials of the Aryan Brotherhood). By breaking this sequence into clusters of five characters, the secondary message could be translated, provided the recipient had the cheat sheet for mapping each cluster to a single letter.
By Chris on March 8, 2005 11:08 AM
has an fun read on how to hack Coke vending machines
. While some of the security implications of leaving a publicly available debug mode enabled are obvious — one of the possible options is "Coin Payout Mode", which will dump the contents of its coin holding mechanism — there's also trade secret issues. Vending machines are literally the business of nickels and dimes, and the debug mode mode leaves sales information open for all to see, including owners of competing Pepsi vending machines. Just dial 4-3-2-1 and you're in.
By Chris on March 7, 2005 11:12 AM
, we have a simple "enter your serial number" scheme that doesn't require any online activation. So far, this seems to be effective enough at preventing piracy. In our niche — security software targeted at businesses — there is, like all software markets, a threat of piracy. However, it far less than for some other types of software. If Corriente was in the business of developing games, I'm sure we would spend a lot more time on anti-piracy measures. As it is, I'm glad we get to devote our engineering efforts to improving our products, not making them harder to steal.
By Chris on March 4, 2005 9:26 AM
By Chris on March 3, 2005 10:29 AM
After quite a bit of back and forth with several different customers, we've come to the conclusion that there is a problem with the latest AirPort Extreme firmware, version 5.5
. WPA Enterprise security is broken in a way that prevents legitimate users from accessing the wireless network. It is important to note that the issue does not
allow unauthorized users access to the network. The current solution is to downgrade the firmware on the AEBS to version 5.4
The problem presents itself when AirPort Extreme clients — the problem does not seem to affect original 802.11b AirPort clients — connect to the network for the first time. A "bad pairwise master key" error is generated, and no connection from the new client can commence until the base station has been rebooted. In addition to Elektron, we've observed the same behavior when authenticating against two other RADIUS servers.
By Chris on March 2, 2005 12:09 PM
The interview is a complete train wreck. Rather than acknowledging the problem and identifying the steps the company is taking to prevent a recurrence, Baich instead tries to spin the story. It's not a "hack", it's "fraud" because the thieves didn't break into the computer system, ChoicePoint sold them the personal information (like the folks who have had their identities stolen care about semantic differences). What's more, he says "this type of fraud happens every day." Somehow I wish the guy in charge of keeping my personal information safe wasn't so cavalier about keeping it secure.
Baich doesn't stop there: "We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this." Actually, Rich, you initially only disclosed to affected California customers that their identities had been stolen, and then months after the fact and only because California law requires you to do so. "That's such a negative impression that suggests we failed to provide adequate protection." Umm, Rich? You sold 145,000 identities to identity thieves. How exactly does that not suggest that you failed to provide adequate protection?
While I am not one of the people who received a warning letter from ChoicePoint, I am sure that I am — like millions of other Americans — in their database. If you have ever bought insurance or applied for credit, there's a very good chance that ChoicePoint has a file on you.
ChoicePoint's response to the theft is a classic case of what not to do and should be required reading for business school students. When a company has a security breach, it needs to own up to it immediately and take responsibility for making sure that it never happens again. I've been lucky in that past, working for companies that, when a security-related software bug was found, promptly notified their customers and took corrective action. We haven't yet had to deal with this kind of problem here at Corriente (knock on wood!), but we do have plans in place for dealing with it should the need arise — and those plans don't include "don't say anything and hope no one notices!"
By Chris on March 1, 2005 11:26 AM