Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

July 2005 Archives

Cisco: OK, Now We're Suing

The Black Hat conference session on hacking Cisco routers that Cisco wanted to cancel has happened, despite their efforts. Now they, along with ISS, are filing a restraining order to keep further details of the hack from leaking out.
Apparently, the topic of the conference session was not a generic how-to about buffer overflows and the like, but the discussion of a specific flaw in Cisco IOS that "could bring the internet to its knees." The speaker, Michael Lynn, quit security research firm ISS rather than be told that he could not give the talk. Now he's facing the full force of Cisco's legal department.
By Periodik Labs on July 29, 2005 9:17 AM

Russian Spammer Found Dead

Vardan Kushnir, "Russia's most prolific spammer," was beaten to death in his Moscow apartment. Apparently this is not the result of vigilante justice, but rather part of a robbery attempt.
By Periodik Labs on July 28, 2005 8:29 AM

Cisco: On Second Thought, Don't Hack Us

Cisco pulled a talk entitled "The Holy Grail: Cisco IOS Shellcode Remote Execution" from this week's Black Hat Conference. It seems they had second thoughts about training hackers how to exploit their software. According to the article, Cisco went so far as to send workers armed with razor blades to cut out any related material published in the conference show guide.
By Periodik Labs on July 27, 2005 5:40 PM

Windows Genuine Advantage

Microsoft has announced that users will need to verify that they possess a legitimate copy of Windows XP before downloading new features. The good news is that no proof will be required in order to download security updates. Because hackers frequently use compromised machines to launch further attacks, having all Windows XP machines up to date — even those with pirated copies of the operating system — benefits everyone.
By Periodik Labs on July 26, 2005 1:44 AM

Muni Wi-Fi Security

Writing in Mobile Pipeline, Frank Bulk asks, "Will Muni Wi-Fi Nets Be Secure?" At the moment, it looks like it will be up to users to use VPNs or higher-layer encryption to provide their own protection. This is nothing new for users of small-scale hotspots like those in coffee houses — as I write this I'm sitting on an open access point in London, VPN-connected to our office back in Berkeley. What is new with muni Wi-Fi networks will be the scale of the deployment. There will likely be thousands of new Wi-Fi users, a tempting target for thieves and hackers.
via Wi-Fi Net News
By Periodik Labs on July 25, 2005 1:55 AM

A Safer, But Still Problematic, Browser

In the rush to fix security-related bugs last week, Firefox's developers introduced new (non-security-related) bugs. That's a problem with hurrying to fix security problems: without adequate testing, you may create more problems than you solve. It's a dilemma — you can fix flaws you know exist, while possibly creating flaws you don't know exist.
In this case, I think the Firefox team did the right thing. It's more important to ship a secure piece of software than it is to ship a feature-rich piece of software. They'll have a fully fixed version (1.0.6) available this week.
By Periodik Labs on July 22, 2005 1:04 PM

A Safe Browser?

Although it ain't exactly news, news.com's Art Manion writes that it doesn't matter what browser you use, you face security trouble. Internet Explorer, of course, has had myriad problems, and recently Firefox has been getting in on the act. Now comes the news that popular Firefox extension Greasemonkey has a major security hole.
The Greasemonkey flaw allows web sites to which the user connects to download any file on the user's hard drive. The nastiest part of the whole thing is that the flaw is by design — an API that gives websites download access to users' files. The Greasemonkey development team is recommending that all users update to version 0.3.5 or remove Greasemonkey altogether.
By Periodik Labs on July 21, 2005 5:27 AM

Death Penalty for CardSystems

Frank Herbert wants the death penalty for hackers, and Visa is giving what may be the death penalty to CardSystems Solutions [NY Times, free registration required]. CardSystems, if you will recall, is the credit card processing company that allowed the compromise of millions of credit card numbers and security codes.
Visa has determined that CardSystems violated Visa policy on data protection, and will no longer allow CardSystems to process Visa transactions. Without the ability to accept Visa, which accounts for over half of all CardSystems transactions, it's hard to imagine that they will be able to remain in business. It's good to see Visa taking the matter so seriously.
via Payment News
By Periodik Labs on July 20, 2005 8:29 AM

Security Through Stupidity

This is sad. The PATRIOT Act has more than its share of problems, but requiring computer vendors to ask what the systems they sell will be used for is not one of them (at least for systems like the kind that Dell sells — supercomputers have long had various restrictions to keep them out of the hands of somebody planning to use one to design a nuclear bomb). Dell is simply taking advantage of people's concerns about terrorism to gather marketing data. One more reason I will never buy another Dell.
By Periodik Labs on July 19, 2005 9:42 AM

Worse Than Death?

John Tierney fantasizes about giving hackers the death penalty [NY Times, free registration required]. The article is a response to the German court that punished the hacker responsible for the Sasser worm with 30 hours of community service. While the death penalty might be a tad harsh, it would be nice if the German criminal justice system could find a slightly more effective deterrent for computer vandals that cause untold millions of dollars of damage.
By Periodik Labs on July 18, 2005 11:32 AM

AirPort 4.2 Software

Apple has released new software for AirPort Extreme and AirPort Express base stations. Included in the update is AirPort Extreme firmware version 5.6, which seems to fix a major problem with WPA Enterprise security. The release is available for Panther, Tiger (10.4.2 is required), and Windows. Some basic testing with an AirPort Extreme-equipped PowerBook [Mac OS X 10.4.2] connecting to an AirPort Extreme base station [firmware version 5.6] worked just as it should. If your own experience is different, please .
As mentioned earlier, Apple included some AirPort client updates in Mac OS X 10.4.2. In addition to the new features, it turns out the update fixes a bug that prevented roaming between two WPA Enterprise protected access points. If you've got AirPort hardware, both the AirPort 4.2 and Mac OS X 10.4.2 are recommended updates.
By Periodik Labs on July 15, 2005 10:23 AM

A Hotspot that Roams

The New York Times covers the Junxion Box, a Wi-Fi access point that uses cellular data networks as its back haul carrier. It's endorsed by Willie Nelson's tour manager, so you know it's good. Once they add WPA to this thing (and support Cingular's EDGE card), I'll place my order.
One more fun item from the article, where once again, Verizon doesn't get it. Jeffrey Nelson, executive director for corporate communications at Verizon Wireless, says:
These are really cool machines. They finally give users a reason to buy our overpriced data plans, so we're working on a way to shut them down. We hate our customers.
Well, maybe he didn't say exactly that, but it's how I interpreted his actual comments, "We're not surprised that people are building services like this and trying to attach them to our network. It verifies how cool and how important our network is. We're going to protect that investment." Hopefully what he really meant is that Verizon will work to support this kind of use rather than trying to prevent it.
By Periodik Labs on July 14, 2005 10:11 AM

Mac OS X 10.4.2

Apple today released Mac OS X 10.4.2, which includes the following AirPort fixes:
  • With this update, logging out of Mac OS X automatically disconnects the computer from an AirPort network if it is using WPA Enterprise security settings (this does not affect WPA Personal or WEP-secured networks).
  • The AirPort menu extra displays more information when you enable a Software Access Point with this update installed.
  • Adds support for AES encryption of WPA-PSK networks, which are supported by many wireless access points. [editor's note: Apple's own AirPort access points do not yet support AES]
  • The Try Again button behaves as expected when attempting to join a third-party, WEP-enabled wireless access point with this update.
  • Improves reliability when associating with wireless networks after waking from sleep.
  • Improves WPA2 wireless encryption support for AirPort Extreme cards.
I'm curious why AES is available only for WPA-PSK, and what is meant by the improvement in WPA2 support. I suspect they refer to the same thing — and that "improves support" was used because without AES for WPA Enterprise, AirPort is not yet fully WPA2 compliant.
By Periodik Labs on July 13, 2005 9:29 AM

Equifax CEO Likes His Privacy, Not Yours

The CEO of Equifax, a company that has based its business on selling private information of millions of Americans, says "we're known for our stand on privacy." What's more, he thinks it's unconstitutional for the government to tell Equifax that it must allow Americans to see what information the company has collected on them. And my favorite quote, on whether Equifax has experienced security breaches: "We haven't had one of any significance ... at least in my time." Did the Equifax marketing and communications department not talk to the guy before scheduling this speech?
On the whole, the comments immediately brought to mind the CEO of Verizon, who was shocked that cell phone users liked talking on their cell phones. Time for Media Relations 101?
By Periodik Labs on July 12, 2005 9:16 PM

When Management Sets the Wrong Security Culture

Winn Schwartau describes

The Cure for Anti-Social Wi-Fi Users?

By Periodik Labs on July 8, 2005 10:21 AM

Wi-Fi Theft Arrest

A man in Tampa Bay was arrested for Wi-Fi theft. Not the theft of Wi-Fi equipment — the theft of Wi-Fi bandwidth. He was sitting in a car with a laptop outside the house of a user with an open network, and was arrested under a law that makes unauthorized access to a computer network a crime.
From the sounds of the original article, the man wasn't arrested because of the network break-in, but rather because the homeowner was concerned about a possible prowler. After seeing the man "hunched over his computer" outside his home late at night, the homeowner called police. The police didn't care for the man hanging around either, so the arrest was made. At least, that's my theory — the charge was a pretense to roust a creep.
By Periodik Labs on July 7, 2005 9:09 AM

Wi-Fi Politics

Dueling political views expressed via SSIDs (assuming that the two views are mutually exclusive, of course). From a purely technological standpoint I have to give the edge to "Support Our Troops!", whose administrator knows that spaces are legal characters in SSIDs.
By Periodik Labs on July 6, 2005 9:18 AM

Time to Ditch WPA for WPA2?

NewsFactor quotes an industry exec saying "If a company can't migrate to AES, which requires faster processors in the AP, then the company should consider using a virtual private network." AES is the encryption method specified by WPA2, and its presence is one of the primary differences between WPA and WPA2.
While adding a VPN on top of WPA won't hurt security — although it could hurt performance — it probably won't help much either. When a computer security system breaks, it is rarely a result of flaws in the encryption. More often, weaknesses elsewhere in the system are exploited — poorly chosen passwords, leaked data, or the misuse of strong encryption in a way that renders it useless (e.g., WEP). WEP failed because it was deployed with little if any peer review. Flaws were not caught until it was already in the marketplace. TKIP, which is based on the same core encryption as WEP, received a greater amount of peer review. As of today, I am aware of no published attacks on TKIP.
There's no reason to ditch your TKIP equipment. AES is where the industry is heading, and any new equipment purchased should include AES. Most Wi-Fi vendors are shipping AES-capable hardware today (Apple being a notable exception), so for most users, AES support comes "for free".
By Periodik Labs on July 5, 2005 10:39 AM

Happy Independence Day

Corriente office is closed today in honor of the July 4th holiday. See you on Tuesday...
By Periodik Labs on July 4, 2005 7:00 AM

Running Without Administrator Privileges

Here's a Wiki site devoted to running Windows applications without Administrator privileges. Running as an administrator at all times leaves your Windows machine open to a whole host of vulnerabilities. Most applications should not require these privileges — you don't need to be an administrator to create a spreadsheet or check your email. Still, many Windows users log in as an administrator every morning.
The problem is that every application that is launched by an administrator — whether intentionally or inadvertently, as in the case of trojans or other malware — runs as an administrator. Longhorn will have tools to help users protect themselves, but there are things that users can do today to protect themselves on XP.
By Periodik Labs on July 1, 2005 11:07 AM