Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

May 2005 Archives

Jot Down Your Passwords

A Microsoft security guy says "write down your passwords." Given the choice between having the same password for multiple systems and writing down a different password for each system, he's got a point. However, this is a false dichotomy. There are a number of single sign-on systems available, and it's OK to reuse passwords in some situations. For instance, I have a single username and password that I use for all non-security related web site logins (e.g., the New York Times).
By Chris on May 31, 2005 9:44 AM |

Step 1: Turn Off Wi-Fi - Step 2: Profit!

A Seattle coffeehouse started turning off its free Wi-Fi on weekends and has since seen sales increase. It seems that a lot of laptop users were camping out for hours at a time without purchasing a single item. Delicious Monster may need new digs if this becomes a trend (although they apparently do buy a lot of coffee!).
By Chris on May 27, 2005 11:29 AM |

Wi-Fi Enabled Indy Cars

The Red Bull Cheever Racing Team will be broadcasting vehicle telemetry back to the pits during this year's Indy 500 using Cisco Wi-Fi equipment. Hopefully nobody at the track decides to microwave a burrito and ruin the team's chances of winning. Still, they should have better luck than the McLaren F1 team had with their new radio system.
By Chris on May 26, 2005 10:09 AM |

Encryption Software as Evdience of Guilt

A court in Minnesota ruled that the presence of PGP on a user's computer demonstrated crimial intent. While I'm glad that this guy was convicted, the evidence ruling makes no sense to me. Most people use encryption to prevent crime, not to commit crime — think of how many credit card transactions are protected by SSL every day. Every machine in the office here has multiple pieces of encryption software. Today, every Windows PC and Mac ships with extensive encryption capabilities. Given that you almost can't use a computer without using encryption, it's a strange and surprising ruling.
via Slashdot
By Chris on May 25, 2005 10:35 AM |

Elektron 1.1

Elektron 1.1 is available for download. It's a free upgrade for all licensed users. New in this release:
  • Remote administration, which allows you to stick your server in a closet and configure it from your desktop
  • Session timeouts so you can limit how long users are connected to your WLAN
  • MAC address authentication, our number one feature request from K-12 folks
  • On Mac OS X, Automator actions for things like adding new Elektron accounts
  • On Windows, a whole new UI for the Elektron Settings application, because we never really liked the old one
  • And of course, the obligatory bug fixes
The release notes, included with the download, explain everything in detail.
By Chris on May 24, 2005 10:55 AM |

Phishing With Honey

The Honeynet Project uses honeypots to learn how network intruders work in the real world. A honeypot is an intentionally under-secured computer placed on the internet to attract nefarious hackers. By observing how the honeypot is compromised, researchers learn the tools and techniques used by computer criminals, and thus how to combat them. Last week they published an interesting paper on recent phishing attacks. While the article is not written for end users, if you're a system administrator (and if you're reading this blog, there's a good chance you are), it has some good information on how to keep the door closed on phishers.
via Slashdot
By Chris on May 24, 2005 10:50 AM |

Elektron and WPA2

One common question we get asked is when Elektron will support WPA2. The simple answer: now. The authentication needs of WPA2 are no different from WPA, so no changes were necessary in servers that provide WPA authentication.
By Chris on May 23, 2005 10:58 AM |

The Mystery of serialnumberd

As part of my job, I spend a lot of time working with Mac OS X Server. Of course, that means I recently have been getting intimately familiar with Tiger, the latest version of Mac OS X Server. There's many nice upgrades — it's a great piece of software that I'm very happy with, but there has been one unwelcome upgrade that has had my attention today.
Like any good system adminstrator, one of the first tasks I perform when installing Mac OS X Server (or Windows Server, or a Linux server) is to configure the built-in firewall. Mac OS X comes preconfigured with firewall rules allowing basic network traffic, but most services are disabled by default. My interest was piqued when I found that one of the services enabled by default is an utterly undocumented service called "Serial Number Support" running on UDP port 626.
Like any service that I don't recognize and can't find any documentation describing, I closed off the firewall on that port. I restarted and check the status of the firewall — and Server Admin reported that the port is open! I checked my firewall rules, and they said it should be closed. Hmmm.
I checked to see if UDP port 626 actually was in use:
netstat -an | grep 626
Yup, somebody's listening for UDP packets on port 626. Who?
sudo lsof -nl | grep UDP
Shows a process called serialnumberd listening on the "ASIA" port . man serialnumberd helpfully says "serialnumberd is the daemon for the Serial Number Infrastructure." Now that I have a general idea as to what its purpose is, it's time to figure out what data is being transmitted. A packet sniffer did the trick.
The serialnumberd process broadcasts 32 byte packets on the local subnet (i.e., it sends them to IP address 224.0.0.1). The contents of these packets seem to indicate that it is looking for another server on the local subnet with a serial number of its own. I have only the one server, so I don't know what happens when it gets a response. I'm sure that Apple is using this mechanism to prevent piracy — that is, to ensure that every copy of Mac OS X server on a network has its own unique serial number. Working for a server vendor myself, I can see where they are coming from.
So what's the moral of this story? Don't punch holes in a server's firewall without telling the administrator, even if you are doing it for a legitimate purpose.. Other than killing the serialnumberd process (such as by replacing /usr/sbin/serialnumberd with a dummy script that does nothing, the effect of which is unknown), I can't see how to avoid having this port open on my server. What's more, I only knew about it because I was paranoid enough to go back to the firewall configuration and make sure that everything was kosher. For us, this is not a show-stopper because our Mac OS X server is behind our main firewall, but I would think twice about putting a server on the internet that has mysterious open ports that can't be closed.
By Chris on May 20, 2005 11:47 AM |

Faking a Fingerprint

The Chaos Computer Club has posted step-by-step instructions detailing how to create a fake fingerprint to fool biometric scanners. Interesting, but nothing new — people have been successfully fooling fingerprint scanners for years. Take a look at what a Google search for "fake biometric fingerprint" turns up.
via BoingBoing
By Chris on May 19, 2005 9:58 AM |

GAO Report on Wireless Security

The Government Accountability Office (GAO) has compiled a report detailing the security risks and possible solutions for the use of Wi-Fi by federal agencies [1.5 MB PDF]. The recommendations include:
  • Developing polices to control the deployment and use of wireless technologies
  • Training staff to recognize threats and avoid them
  • Deploying security tools such as wireless encryption and authentication, VPNs and firewalls
  • Enable continuous monitoring of wireless networks to determine policy compliance and detect unauthorized access
The report also notes that the GAO performed an unannounced audit of wireless networks at six different federal agencies. It states:
In all six agencies we found wireless devices operating in ad hoc mode. In over half of these cases the ad hoc networks could be detected outside of the building and could have provided access to the agency’s networks. We found these situations at agencies without monitoring programs as well as at agencies with extensive monitoring programs.
The GAO also found that these agencies suffered from rogue access points that could provide a launching point for an attack.
via The Wireless Weblog
By Chris on May 18, 2005 10:23 AM |

Mac OS X 10.4.1 and AirPort

Mac OS X 10.4.1 has been released. Among the AirPort releated fixes are:
  • Some third-party wireless DHCP servers might not provide an IP address to a computer through AirPort if the computer has a long computer name—this update addresses the issue.
  • Resolves a potential issue that could occur when moving from one access point to another within the same wireless network—the IP address could have been lost and not restored unless the DHCP lease was renewed or the computer put to sleep and then awakened.
Unfortunately, testing here indicates that this update does not fix a WPA Enterprise roaming bug that goes back many releases, to wit: connecting to one access point, picking up without closing the Powerbook or otherwise putting it to sleep, walking into range of another access point on the same network, and the AirPort client will get stuck in "Authenticating...". To complete the connection, the Powerbook must either be put through a sleep-wake cycle or Internet Connect can be used to disconnect and reconnect to the network.
By Chris on May 17, 2005 10:33 AM |

Windows Passwords and Tiger

A new knowledge base article has been posted on our support site, titled "Windows XP and Elektron on Mac OS X 10.4 Tiger Client". In a nutshell, Tiger (desktop version, Mac OS X Server is OK) does not create Windows passwords for user accounts by default — in fact, if you upgrade from Panther, any existing Windows passwords are wiped out. The only time Windows passwords are available on the desktop version of Tiger is when Windows Sharing is enabled and then only on user accounts that have been specifically enabled for Windows Sharing.
This affects Elektron for users logging in from Windows XP when Elektron is configured to use Mac OS X system accounts for user authentication. Without a Windows password available for these users, they won't be able to authenticate. The article describes how you can enable Windows Sharing to create Windows passwords for your users (and then disable Windows Sharing if you do not want to leave it running).
Interestingly, this new behavior in Tiger is not really new at all. This is how Windows passwords worked in Jaguar — no Windows Sharing, no Windows passwords. In Panther, Apple changed this behavior to always create Windows passwords regardless of the sharing settings.
By Chris on May 16, 2005 10:15 AM |

Writing Secure Web Browsers is Hard Part II

I'm not sure Internet Explorer is still looking better by comparison: not three days after Microsoft's security star raised question's regarding Firefox's security, Internet Explorer turns out to have yet another security flaw.
via Slashdot
By Chris on May 16, 2005 10:02 AM |

Cracking WEP: Step By Step

From Tom's Networking, a WEP cracking how-to guide. Not that any of us didn't already know that WEP is insecure.
via engadget
By Chris on May 13, 2005 10:25 AM |

Writing Secure Web Browsers is Hard

It strikes me as a bit of gloating, but he does have a point: there's nothing magical about Firefox. I use it everyday, but I'm careful with it in every way that I am with Internet Explorer. Writing any kind of software is hard, and users have to be vigilant regardless of the source of the software.
Where the blog entry in question jumps the rails is with the bold red statement:
The number of vulnerabilities in Firefox recently has been alarming. At first Firefox appeared to be an attractive alternative to Internet Explorer (IE) for security reasons, but IE is now looking better and better in comparison.
I personally don't think that this is the case. Bugs in Firefox make Firefox look bad; they don't make Internet Explorer look good.
The Firefox update was released yesterday.
By Chris on May 12, 2005 10:14 AM |

Investigatory Blogging

This is only peripherally related to the usual topics of this blog, but still an interesting exercise: DrunkenBlog has put together a definitive history and expose of the PearPC/MXS debacle. It involves the apparent misappropriation of open source code into a closed source product, the strange claims made by the "developer" of said closed source product, and how the open source community exposed it all.
By Chris on May 11, 2005 11:38 AM |

No, The Cisco System Is Self-Defending

How much did Cisco pay for this? I literally laughed out loud last night.
By Chris on May 10, 2005 9:57 AM |

Safari and Auto-Installed Widgets

One of the pretty new features of Tiger is Dashboard, a Konfabulator clone. In a misguided effort to make Dashboard widgets easy to install, Apple added support for a new "meta" tag in Safari that automatically downloads and installs widgets without any user intervention. The second half of that line bears repeating:
automatically downloads and installs widgets without any user intervention
What on Earth were they thinking? Between the Safari and Dashboard teams at Apple, dozens of people must have seen and known about this little "feature" before it shipped, and not one of them raised a red flag? This is the exact kind of security hole that has gotten Microsoft into hot water on multiple occasions.
It gets worse: once the widget has been installed, there is no way to uninstall it, according to Apple's documentation, which says "You cannot remove widgets from the Widget Bar or change their order." Thankfully, this is not true, as you can manually remove the widget by deleting its file from your Library/Widgets directory.
Mike Jackson has suggested a good work-around on Macintouch: changing the permissions of your widgets directory to read only. From Terminal.app, run the following command:
chmod 0550 ~/Library/Widgets/
With this change in place, Safari will download widgets to the desktop allowing you to install them manually later.
By Chris on May 9, 2005 9:33 AM |

Atheros JumpStart Goes Open Source

Wi-Fi Net News reports that Atheros has made their JumpStart code open source. JumpStart is their (previously) proprietary means of enhancing the security of WPA-PSK. Instead of using a static encryption key derived from a single shared password, encryption keys are generated dynamically using Diffie-Hellman. This gives a Wi-Fi network longer, harder-to-guess encryption keys, but without the strong user authentication of WPA Enterprise. It also requires hardware support from access point vendors, but based on the details posted by Atheros thus far, it looks like a step forward from plain WPA-PSK. Hopefully it will get some traction.
By Chris on May 6, 2005 12:46 PM |

Faraday Cage Redux

Another Wi-Fi signal blocking product: This time a UK firm is offering a transparent film called "Spyguard". To contain your Wi-Fi network, you install the film on your windows, and cover your walls using a paint with similar RF-blocking properties.
via NetStumbler
By Chris on May 5, 2005 8:58 AM |

Wi-Fi Insecurity in the PSP

The built-in Wi-Fi on the Sony PSP supports only WEP encryption, and there's some concern that it may lead to users deliberately downgrading the security of their Wi-Fi networks in order to link up with their PSP.
Sony has announced plans for a WPA firmware upgrade, but no word on whether WPA Enteprise will be supported. I'm hoping that it will, since that makes any PSP purchase we make here tax deductible (gotta test compatibility!)
via The Wireless Weblog
By Chris on May 4, 2005 9:44 AM |

WPA2 Client Update for Windows XP SP2

Yesterday Microsoft released a significant update to their WPA client. The update adds WPA2 features to Windows XP SP2, including support for Pairwise Master Key (PMK) caching and pre-authentication, both of which can significantly speed up roaming between secure access points.
Other new features in this update:
  • Wireless Provisioning Services Information Element support makes it easier for WISPs to host multiple networks using a single access point
  • Warnings about insecure networks appear when trying to set an open network as your preferred network should help users from inadvertently connecting to "evil twins"
  • Developer-related changes to WLAN support APIs of little interest to most users
  • Bug fixes, including a fix to an annoying delay when connecting to some WLANs
No updates to Elektron are needed to support the Microsoft upate, as 802.1X authentication between the client and the server did not change in the new release — the only 802.1X changes are related to how it is configured on the client.
By Chris on May 3, 2005 8:53 AM |

Pigeon-Empowered Wireless Internet

Three Israeli researchers with way too much time on their hands figured out that pigeons have greater bandwidth than DSL. They strapped some flash memory cards to three pigeons, flew them 100 kilometers, and compared the time it took to transfer the four gigabytes of data using the pigeons to the time it took to transfer it via DSL. The results were not too surprising: Netflix has made a business out of the fact that the USPS can still transfer large amounts of data more efficiently than a home broadband connection.
via Hack the Planet
By Chris on May 2, 2005 10:23 AM |
« April 2005 | Main Index | Archives | June 2005 »

Search

Recent Entries

Jot Down Your Passwords
Step 1: Turn Off Wi-Fi - Step 2: Profit!
Wi-Fi Enabled Indy Cars
Encryption Software as Evdience of Guilt
Elektron 1.1
Phishing With Honey
Elektron and WPA2
The Mystery of serialnumberd
Faking a Fingerprint
GAO Report on Wireless Security

Monthly Archives

February 2009 (1)
December 2008 (1)
June 2008 (2)
March 2008 (1)
January 2008 (2)
November 2007 (1)
October 2007 (1)
September 2007 (1)
August 2007 (1)
July 2007 (8)
June 2007 (16)
November 2005 (8)
October 2005 (13)
September 2005 (22)
August 2005 (23)
July 2005 (21)
June 2005 (26)
May 2005 (23)
April 2005 (23)
March 2005 (25)
February 2005 (23)
January 2005 (29)
December 2004 (32)
November 2004 (32)





Subscribe to Lab Notes