Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

March 2005 Archives

Six Dumb Ways to Secure a Wireless LAN

George Ou has an article detailing "the six dumbest ways to secure a wireless LAN". While these security measures won't make your Wi-Fi network less secure, they don't do much to make it more secure. MAC address filtering and SSID hiding will keep a casual user (of the "fire up my laptop and see if I can connect to an open Wi-Fi network" variety) off your LAN, anybody with a modicum of Wi-Fi savvy will be able to get right on. He's also right about LEAP: password data is not encrypted in transit, making offline password-guessing attacks trivial. Where he's wrong is his description of EAP-FAST. It is, in fact, an open standard. What's more, EAP-FAST should work with any 802.1X-capable access point. The nice thing about EAP — from an access point maker's standpoint — is that the access point doesn't need to know anything about EAP protocols. The access point merely acts as a relay — it's the client and server that do all the EAP heavy lifting. Any access point that supports EAP-TTLS, PEAP, or LEAP should work just fine with EAP-FAST.

By Periodik Labs on March 31, 2005 12:04 PM | Permalink

Quark XPress Installer Flaw

From the security-is-a-rich-tapestry file: Macintouch readers are reporting that the Mac OS X Quark Xpress installer changes permissions of every file in the /Applications directory to world read/write/execute. Thus far there are no obvious exploits for this bug, but it does demonstrate that even non-security related applications can have security flaws. All software developers need to think about how to secure their applications, not just those in the security space.

By Periodik Labs on March 30, 2005 9:47 AM | Permalink

The Fingerprint Sharing Alliance

An group of telecom industry giants has formed to share real-time information on network attacks. The idea is that these competing companies have a common interest in stopping online threats. By aggregating attack information, they can respond more quickly and effectively to emerging threats. With the ever-increasing number of network attacks, this is an idea whose time has come.

By Periodik Labs on March 29, 2005 10:13 AM | Permalink

Access Monitoring and SSH on Mac OS X

A Macintouch Reader Report with tips on finding out who's trying to break into your Mac OS X box, and how.

The frequency with which attacks are launched on our server here is alarming (dozens a day), but she's holding fast. Nobody is making a concerted effort to target us, these are just scripted attacks banging against random hosts hoping to find a weakness. I can't imagine what a sysadmin at a company that is a specific target must have to put up with on a daily basis.

By Periodik Labs on March 28, 2005 11:00 AM | Permalink

Texas v. Vonage on 911 Service

Leading VoIP provider Vonage is being sued by the state of Texas for failing to inform users that 911 emergency calls do not work with their service. A teenager tried to call 911 from her home after armed robbers shot and wounded her parents, but had to run to a neighbor's house when the call failed.

I don't know much about the merits of the case, but if I were a Vonage employee I'd be pretty shaken by this. It's easy when you are sitting in front of a computer screen to deal entirely in abstractions, but this drives home the point that internet telephony is far more than just a cool techno gadget — people's lives may be depending on it.

via Om Malik

By Periodik Labs on March 25, 2005 10:02 AM | Permalink

More Municipal Wi-Fi

Wi-Fi Networking News covers developments in Milwaukee, Ithaca, and Hartford. Check their archives for the would-be-funny-if-it-wasn' t-true efforts of telcos working to undermine these kinds of projects.

By Periodik Labs on March 24, 2005 10:44 AM | Permalink

Don't Reverse-Engineer in France

A French court has found a man guilty of using reverse-engineering to find security flaws in an anti-virus product. The man, Guillaume Tena, found the flaws in Tegam's anti-virus software. As a software vendor, I can appreciate a company wanting to keep its trade secrets secret, but it is difficult to comprehend a security company trying to punish someone who is helping to make their product more secure. A hacker disassembling software in order to pirate it is one thing, a security researcher looking for software flaws is something else entirely. The correct response for Tegam would have been to thank Tena for his efforts and offer him a job.

via Schneier on Security

By Periodik Labs on March 23, 2005 9:18 AM | Permalink

Apple Fixes Safari IDN Flaw

Apple has posted Security Update 20005-003, which includes a fix for the IDN URL-spoofing bug in Safari. It's available via Software Update.

By Periodik Labs on March 22, 2005 10:55 AM | Permalink

Security Development Lifecycle

Microsoft has documented their "Trustworthy Computing Security Development Lifecycle", the "process that Microsoft has adopted for the development of software that needs to withstand malicious attack" (doesn't all software need to withstand malicious attack?). This paper details the changes that Microsoft has made to its normal design/program/test/release software development cycle to ensure the security of their products.

There's very few software companies that take security as seriously as Microsoft does today. They've heard and understood the criticism of their products, and it's great that they've developed this detailed development methodology. That said, I think that their conclusions regarding the SDL's effectiveness may be overblown. For instance, they cite going from 62 critical bugs in Windows 2000 Server to 24 in Windows Server 2003. I wonder how much of this reduction is due to their high falutin' development plans and how much is due simply to avoiding buffer overflows. Searching their source code and replacing strcpy() with safestrcpy() probably accounted for a number of these bug fixes. I particularly like the SQL Server chart, pre- and post-SDL — "after we fixed a bunch of bugs, there were fewer bugs!" Well, duh!

via Michael Howard's Weblog

By Periodik Labs on March 21, 2005 10:00 AM | Permalink

The Trojan Webcam

A Spanish college student infected a woman's computer with a trojan horse and then used her webcam to spy on her. He was caught and fined a total of EUR4,000. Pretty creepy stuff, and he was only caught because he accidently sent his purloined pictures to her email address when me meant to send them to his friends.

This highlights the my favorite feature of my iSight: there's a ring around the lens that, when twisted, physically closes an aperture in front of the lens. I can easily verify that the camera is switched off, thus enabling me to dance naked in front of my computer worry-free.

via Schneier On Security

By Periodik Labs on March 18, 2005 11:15 AM | Permalink

Identity Is Just Part of the Equation

Richard Clarke writes a column for the New York Times called The Security Adviser. Last week's column (which I can't link to because the Times wants money for the article) was about security issues associated with ID cards. In the article, Clarke argues against creating a system of national ID cards, and gives several good reasons:

They don't prove identity very well — the 9/11 hijackers had legitimate (although fraudulently obtained) Virginia driver's licenses.
Privacy is at risk — Clarke says that he would be willing to give up private financial information in order to obtain an ID to speed him through airport, but doesn't want the IRS having access to that info
Accurate verification is difficult — good fakes are not hard to make, and the people in charge of validating the cards are not well trained or well paid

I'll add another, even better reason not to rely on ID cards as an anti-terrorism tool: they would be ineffective. Even if Clarke's concerns are addressed, an ID card still would only prove identity not intent. If Osama bin Laden walked through airport security with an ID card, he would be promptly arrested. We know who he is and what he has done. The problem is that Osama will not be going through airport security, he'll be sending subordinates with no terrorist history. They'll be let right through — their ID cards will validate, and we'll know who they are but not what they are planning.

I'm not arguing against ID cards, but as the title of this post says, proving identity is just part of the security equation. Before we implement an anti-terrorism ID system we need to address the issues raised by Clarke, and develop a system that can identify terrorist before they board an airplane (or buy a gun, or get a job at a chemical plant). If only that idea was as easy to implement as it was to write. I won't be holding my breath waiting for it.

By Periodik Labs on March 17, 2005 11:28 AM | Permalink

IE7 Security Enhancements

Microsoft Watch has some details on the features in the upcoming Internet Explorer 7 release. Among the security-related features are:

Reduced privilege mode becomes the default
No cross-domain scripting and/or scripting access
Improved Secure Sockets Layer (SSL) user interface
Possible integration between IE 7.0 and Microsoft's Windows anti-spyware service, which currently is in beta

All of these are welcome additions. I'm particularly intrigued by the SSL UI changes. The article gives no details, but I presume that they involve noting more visibly whether a site is SSL protected and whether the site really is what it purports to be. This should help prevent phishing attacks.

Another feature to be added is International Domain Name (IDN) support. Microsoft dodged a bullet by being slow to adopt this technology, which has bitten other browser vendors. By waiting, Microsoft gets the chance to do it right the first time around.

via Scoble

By Periodik Labs on March 16, 2005 11:33 AM | Permalink

Hashes, Illustrated

Steve Friedl has a great explanation of how cryptographic hashes work. In an earlier post on the break in SHA-1, I tried to explain what a hash function is how why it is important. Steve does a much better job.

via Michael Howard's Weblog

By Periodik Labs on March 15, 2005 3:15 PM | Permalink

Meme Alert: The Evil Twin

Looks like the name "Evil Twin" has caught on. The attack on Wi-Fi users — where a malicious access point is placed in range of users and given the SSID of a network that the users trust, tricking them into connecting — has gotten more coverage, this time in PC World. It's good to see some coverage there. PC World is a consumer-oriented publication, and there is a lot of ambivalence about Wi-Fi security in that space.

By Periodik Labs on March 15, 2005 2:59 PM | Permalink

New Linksys MIMO Gear

Linksys released new 802.11g equipment using MIMO antenna technology. The claim is that not only will you get a speed boost and increase in range by building a network with their new equipment, but when using standard 802.11g gear in conjunction with their new equipment as well.

By Periodik Labs on March 14, 2005 11:09 AM | Permalink

Unicode Consortium Working to Fix Exploits

The Unicode Consortium has begun to address security issues with unicode character encoding and display. This comes on the heels of the IDN security breach that allows attackers to spoof legitimate web sites like PayPal.

The IDN spoofing attack is based on the fact that there are Unicode characters that, when rendered by the browser, appear to be other characters (the IDN proof of concept used "www.paypal.com" with the first 'a' being a Cyrillic letter that appears as a Roman 'a' in many fonts). The Unicode Consortium is also addressing long-known problems with encoding UTF-8. With UTF-8, there are multiple ways to encode the same information. If the decoding application isn't careful (and it can be difficult — Unicode encoding and decoding is notoriously arcane), subtle securlty flaws can be introduced.

The work is just in the specification phase, and the recommendations are already being implemented by software vendors. The IETF has been mandating UTF-8 support for years now, so it is very widely deployed. It will be a while before even a majority of software vendors have implemented the full range of fixes.

By Periodik Labs on March 14, 2005 11:05 AM | Permalink

Migrating To Airtight WLAN Security

Glenn Fleishman has written a great overview of some of the history and protocols involved with Wi-Fi security for Mobile Pipeline, while over at Wi-Fi Networking News, he has a comprehensive review of Elektron.

By Periodik Labs on March 11, 2005 10:54 AM | Permalink

An Old Attack Is New Again

Windows WP SP2 and Windows Server 2003 are vulnerable to the LAND attack. This one is an oldie — it was originally identified in 1997 (OK, so that's not that long ago in geologic time, but in internet time...). Fortunately, having Windows Firewall enabled blocks the attack.

The reappearance of bugs like this highlights the importance of regression testing, which confirms that new software modifications don't unfix previously fixed bugs. It also highlights the importance of institutional memory. This attack is over seven years old — it's very possible the Microsoft engineer who re-introduced the vulnerability was not working at the company back then, and was not even aware that the LAND attack existed. Having the old hands around who know what not to do is just as important as hiring the young guns for any software development company.

By Periodik Labs on March 10, 2005 4:53 PM | Permalink

Elektron 1.1b2

We posted the second beta release (and first openly circulated beta) of Elektron v1.1 today. It is available for download right now.The most notable new features are:

Remote Administration The Elektron Settings application now supports connecting to the Elektron server over the LAN, rather than being restricted to running on the same machine as the server. This means that you can stick your server in a closet and administer it from your desktop — no more need to be sitting at the server or using something like VNC to configure it. To keep things secure, the connection between the server and the Elektron Settings application is encrypted using SSL.
Session Timeouts You can now configure the length of time that a user may be logged into the network. Enabling this feature sends a RADIUS "Session-Timeout", requiring the client to re-authenticate after a fixed period of time. This increases security by forcing the per-client encryption keys to be regenerated at regular intervals. One caveat: this feature requires that your access points support the Session-Timeout attribute, and not all do. If your access points do not, then it will simply be ignored.
MAC Address Authentication Since first releasing Elektron eight weeks ago, we've been surprised by the number of requests we are receiving for this feature. It's a simple (but not very secure) method of limiting access to the wireless network based on the MAC address of the client's Wi-Fi card. For organizations that need some form of control over who accesses their network, but can't upgrade their users to recent WPA Enterprise capable equipment (K-12, you know who I'm talking about!), this feature will keep out casual users. It does not provide encryption, and it is easy to spoof for anybody with even a small amount of technical expertise, so we don't recommend its use unless you absolutely cannot deploy WPA Enterprise.
Command Line Account Configuration Elektron now includes a command line tool for adding and removing Elektron user accounts, and for changing the passwords on those accounts. This allows you to script the account management process, and even create different front-ends for it. For instance, the Elektron manual includes an example CGI demonstrating a web page that allows a user to change their Elektron account password.
LEAP Support In addition to PEAP and TTLS, Elektron now supports LEAP for authentication. There is some older equipment out there that only supports LEAP, and now you can authenticate this equipment using Elektron.

While the whole shebang looks similar to the previous release on the outside, in the inside it's a pretty big upgrade. We'd appreciate everyone who could shake it down and let us know (via the support email address) about any problems encountered. This is a beta release, so don't deploy it on a production server. Since this is infrastructure software we prefer to do infrequent but well tested beta releases. We've been banging on it for weeks now, but there is no substitute for real-world testing. So please, download it and give it a try today!

By Periodik Labs on March 9, 2005 11:41 AM | Permalink

Prison Cryptogaphy

A year ago (I'm a little behind in my reading!), the New Yorker covered efforts to quell prison violence by reining in the Aryan Brotherhood. Mixed in with a harrowing account of prison life is a description of how inmates used cryptography to communicate murder plans in plain view of the guards.

The prisoners employed multiple layers of security to conceal their messages. First, they used urine as poorman's invisible ink — when the paper containing the message is heated, the "ink" becomes visible. Next, the message was written using seemingly innocuous phrases that were really coded instructions — "eight pound seven ounce baby boy" meant "the murder is approved". Finally, the shape of the alphabet letters in the messages concealed a secondary message containing a sequence of A's and B's (the initials of the Aryan Brotherhood). By breaking this sequence into clusters of five characters, the secondary message could be translated, provided the recipient had the cheat sheet for mapping each cluster to a single letter.

By Periodik Labs on March 8, 2005 11:08 AM | Permalink

Hacking Vending Machines

i-hacked.com has an fun read on how to hack Coke vending machines. While some of the security implications of leaving a publicly available debug mode enabled are obvious — one of the possible options is "Coin Payout Mode", which will dump the contents of its coin holding mechanism — there's also trade secret issues. Vending machines are literally the business of nickels and dimes, and the debug mode mode leaves sales information open for all to see, including owners of competing Pepsi vending machines. Just dial 4-3-2-1 and you're in.

via This is not your practice blog

By Periodik Labs on March 7, 2005 11:12 AM | Permalink

How Not To Annoy Legitimate Customers

The holy grail of any software anti-piracy scheme is to keep pirates from using your software while at the same time not annoying your paying customers. Susan Bradley says that Microsoft erred on the side of annoying customers with their Windows XP OEM registration system.

With Elektron, we have a simple "enter your serial number" scheme that doesn't require any online activation. So far, this seems to be effective enough at preventing piracy. In our niche — security software targeted at businesses — there is, like all software markets, a threat of piracy. However, it far less than for some other types of software. If Corriente was in the business of developing games, I'm sure we would spend a lot more time on anti-piracy measures. As it is, I'm glad we get to devote our engineering efforts to improving our products, not making them harder to steal.

By Periodik Labs on March 4, 2005 9:26 AM | Permalink

Simple Mobile Security for Paris Hilton

Lance Ulanoff of PC Magazine has some tips for Paris Hilton to help keep her data safe in the future, and it's good advice for everyone. Well, maybe not everyone — hopefully tip #10 applies to a very small number of people!

By Periodik Labs on March 3, 2005 10:29 AM | Permalink

AirPort Extreme Issue

After quite a bit of back and forth with several different customers, we've come to the conclusion that there is a problem with the latest AirPort Extreme firmware, version 5.5. WPA Enterprise security is broken in a way that prevents legitimate users from accessing the wireless network. It is important to note that the issue does not allow unauthorized users access to the network. The current solution is to downgrade the firmware on the AEBS to version 5.4.

The problem presents itself when AirPort Extreme clients — the problem does not seem to affect original 802.11b AirPort clients — connect to the network for the first time. A "bad pairwise master key" error is generated, and no connection from the new client can commence until the base station has been rebooted. In addition to Elektron, we've observed the same behavior when authenticating against two other RADIUS servers.

By Periodik Labs on March 2, 2005 12:09 PM | Permalink

ChoicePoint Fraud "Happens Everyday"

Rich Baich, the Chief Information Security Officer at ChoicePoint has been interviewed by SearchSecurity.com. ChoicePoint is the company in trouble for providing sensitive personal information on 145,000 Americans to criminals.

The interview is a complete train wreck. Rather than acknowledging the problem and identifying the steps the company is taking to prevent a recurrence, Baich instead tries to spin the story. It's not a "hack", it's "fraud" because the thieves didn't break into the computer system, ChoicePoint sold them the personal information (like the folks who have had their identities stolen care about semantic differences). What's more, he says "this type of fraud happens every day." Somehow I wish the guy in charge of keeping my personal information safe wasn't so cavalier about keeping it secure.

Baich doesn't stop there: "We worked with (authorities) and did the right thing disclosing the breach where a lot of companies may not have ever disclosed this." Actually, Rich, you initially only disclosed to affected California customers that their identities had been stolen, and then months after the fact and only because California law requires you to do so. "That's such a negative impression that suggests we failed to provide adequate protection." Umm, Rich? You sold 145,000 identities to identity thieves. How exactly does that not suggest that you failed to provide adequate protection?

While I am not one of the people who received a warning letter from ChoicePoint, I am sure that I am — like millions of other Americans — in their database. If you have ever bought insurance or applied for credit, there's a very good chance that ChoicePoint has a file on you.

ChoicePoint's response to the theft is a classic case of what not to do and should be required reading for business school students. When a company has a security breach, it needs to own up to it immediately and take responsibility for making sure that it never happens again. I've been lucky in that past, working for companies that, when a security-related software bug was found, promptly notified their customers and took corrective action. We haven't yet had to deal with this kind of problem here at Corriente (knock on wood!), but we do have plans in place for dealing with it should the need arise — and those plans don't include "don't say anything and hope no one notices!"