Entire site and all contents except otherwise noted © Copyright 2001-2009 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.
Wi-Fi makes it possible to find a stolen laptop with a pin on a map: Last week, I heard a story of a laptop theft that made me sit up. I talked to the victim (still distraught), who had her laptop stolen when a young man in a group of four in a coffeeshop walked up to her and grabbed it. (She grabbed it back once, and he snatched it again.) The four men scattered, and they weren't found. She had, apparently, no backups and no way of locating the stolen item.
The trick here, of course, is that once the horse is out of the barn there's little that you can do. If you plan, you might be able to recover that stolen laptop; reports of recovery are quite encouraging with the right software installed. This dovetails with my interest in Wi-Fi because software makers are starting to pair Skyhook Wireless's Wi-Fi positioning system and software with recovery software.
The basic idea is that you pay a relatively modest one-time fee or yearly subscription fee to have difficult-to-remove software running on your computer at all times. The computer checks in at frequent intervals to see if it's been marked as stolen. Once it has, it activates various recording and transmission modes, sending (depending on the package) anything from Web camera snapshots to IP data. A few packages now offer Wi-Fi positioning info, too. (I wrote an article for the Seattle Times that appeared last Saturday that wasn't focused on the Wi-Fi aspect.)
The assumption is that most thieves of this kind are technically unsophisticated and will have the laptop join a network in order to use it. Some laptops may also be set (Windows and Mac OS X have options) to join any available network. While this is a security issue when the laptop is in your hands, it's an advantage when it's roaming.
Programs that use Wi-Fi location information that I've tested or use include Undercover (Mac OS X, $49 one-time fee) and MacTrak (Mac OS X, $24.95 per year); there's also Laptop Cop ($49.95 per year, Windows XP/Vista). There are plenty of others, too, mostly for Windows, that lack location scanning. Computrace LoJack for Laptops notably has a BIOS agent preinstalled on many major Wintel brand computers that can be activated and can't be disabled without the BIOS being wiped!
Each package has the same fundamental working methodology, but offers different front-end features. Orbicule's Undercover takes screen shots and Web camera pictures, capturing that along with identifying network data and Wi-Fi scans. If a laptop remains unrecoverable, it goes into a simulated failure mode, and then activates a kind of screaming stolen laptop alarm if the machine is taken into a known Apple repair shop or Apple Store.
GadgetTrak's MacTrak sends information directly to you via email and/or Flickr, uploading Web camera photos and providing network details, as well as a link with the calculated coordinates.
Laptop Cop has a variety of extras, including remote file deletion, remote file retrieval, and full-on capture of everything a thief is doing, including keystrokes. (These options are available in some other Windows packages, too, but not in Undercover nor MacTrak. GadgetTrak plans to add Wi-Fi positioning to its higher-end Windows product at some point.)
Each of these firms works with your local law enforcement agency to provide data; in the case of MacTrak, GadgetTrak is happy to work with police, but you can also take the information the company's software sends you to officers directly.
After a rash of thefts among friends and acquaintances, I've installed recovery software on each of my computers, as well as arranging both local and remote backups.
Alternatives with no software installed: If you haven't installed recovery software, you're not entirely out of luck. Many people now run remote backup software, such as Mozy or CrashPlan, or use synchronized storage like Dropbox, Microsoft Live Sync, or Apple's iDisk. And many of us have email software that regularly and automatically checks for messages.
In all of those cases, the current IP address of the computer is recorded whenever a request is made. With your account information in hand, you may be able to log in directly to one of the services, and retrieve the IP address. Or, you can call the company or use customer support to get this information as long as you're the valid account holder. Some firms may require law enforcement to contact them directly.
Police can take an IP address, use that to determine the Internet service provider at which that address is located, and then get the street address that corresponded at that point in time (IP addresses are sometimes reassigned when a modem is rebooted or over time). A warrant may be required.
If you have remote backup software installed, you might get the benefit of having files backed up even if your machine can't be recovered. My friend David Blatner wrote up his own laptop-theft article after his machine was stolen. He had CrashPlan running, and the thieves reconnected to a network after taking his machine, and this closed much of the gap between a month-old local backup he had made and what was on the stolen machine.
In an oddball case last year, an Apple Store employee who had the remote access software Back to My Mac installed, which allows remote screen-sharing and file transfer, was able to snap shots of a thief and transfer photos he and a collaborator had put onto her computer. That was a sort of one-in-a-million shot.
Posted by Glenn Fleishman at 2:55 PM | Permanent Link | Categories: Security | No Comments
I'm a little taken aback at AirTight's marketing campaign: A crack in WPA's security model discovered by German academics isn't the end of WPA security. In fact, it's more likely the end of any reason to use TKIP, the weaker of the two encryption algorithms available in modern WPA/WPA2 compliant Wi-Fi systems, that was developed entirely to enable older 802.11b devices to have a forward-upgrade path back in 2003 to a newer security model. See my article from 7 November 2008, "Don't Panic over WPA Flaw, But Do Pay Attention."
AirTight's advertisement for a webinar and white paper asks a different question. The subject line, "Is WPA Encryption Broken Forever?" No, because it's not broken now. The company goes on to ask, "Is this the tip of the iceberg?", which is much more reasonable.
The marketing release says, "Roughly 90 days ago, the WLAN industry was abruptly shaken when two German researchers announced a crack in TKIP (Temporal Key Integrity Protocol), an encryption protocol used with the WPA wireless security standard." Not so much. There was a lot of interest, and once details came out, everyone relaxed. The vulnerability can be patched, but the correct solution is to leave TKIP in favor of AES-CCMP, something already recommended years ago for all enterprises and security-minded organizations.
AirTight writes, "Researchers were able to exploit this new vulnerability and inject arbitrary packets in the TKIP protected client in as little as 15 minutes. This method potentially creates hooks for new exploits in what was once considered the accepted security upgrade from WEP." The first part of that? Not so much, either. Researchers were able to inject non-arbitrary packets: They had to create packets of the same length as those that were being used as a model, and packets were only a few bytes long. Arbitrary packet injection without any explanation implies the ability to, well, inject any data into a packet. That's just not the case.
The last sentence, "creates hooks for new exploits" is a reasoned statement that's worth considering. There are likely other flaws in TKIP that haven't been exploited that could provide a way to claw out more data or inject longer packets that could do some harm. TKIP's model is a repaired version of WEP, and thus TKIP inherited some of the weaknesses. The WPA flaw that the folks in Germany wrote about could be repaired by a couple of minor changes in how bad packets are handled, and a faster TKIP key rotation.
With little security news, AirTight may be trying to make a little hay, but they should keep that to a small pile.
Posted by Glenn Fleishman at 9:20 AM | Permanent Link | Categories: Security | 1 Comment
WEP in 24,000 packets: I forgot to mention in all the hubbub about the WPA flaw discovered by two German researchers last week that they also combined a variety of WEP-cracking techniques to reduce the number of packets necessary to extract a key. The fellows from two technical universities examined and improved previously known algorithms and code for extracting a WEP key, and optimized the process.
Erik Tews and Martin Beck's paper, Practical Attacks against WEP and WPA (now available for download), walks through how they re-examined and combined processing attacks. But the takeaway is that WEP, already known to be very broken is, well, very very very broken. Previous attacks, per their analysis, required from 32,000 to 40,000 packets to be processed to gain a 50-percent likelihood of key recovery. They moved that down to about 24,000.
WEP is still widely used in certain quarters, by home users who don't care about security but simply are setting up a no trespassing sign (which is enforceable by law in many states and countries now); by those who know no better; and by retailers who use systems that are either expensive to upgrade or must be replaced to stop using WEP.
Retailers who accept credit cards may not deploy new systems with WEP starting 1-April-2009, and must discontinue all use of WEP by 30-June-2010 according to new guidelines set by the credit industry giants.
Posted by Glenn Fleishman at 9:15 AM | Permanent Link | Categories: Security | No Comments
WPA isn't as broken as reported: If you read the coverage early this week on two German researchers' paper on a vulnerability in Temporal Key Integrity Protocol (TKIP), the weaker of two encryption and integrity algorithms in the Wi-Fi Protected Access (WPA) certified standard (and part of the underlying 802.11i protocol), you'd think that TKIP was broken. It's not.
As I wrote Friday, don't panic, but do pay attention. I'm posting about this again just to be clear.
The flaw that was discovered does not allow a WPA-protected network's key to be recovered. It does allow short packets (network data quanta) used typically for network identification purposes to have their encryption keystream recovered: that's the overlay of per-packet encryption derived from a key that two Wi-Fi components use to protect information sent to one another.
With a recovered keystream, a single packet of the same length can be sent back into the network (using another flaw) to fool a client (but not an access point).
That's not to say that WPA keys (both the weaker TKIP and strong AES-CCMP) cannot be recovered. That's just not part of this weakness.
As was theorized back in 2003, in an article Robert Moskowitz allowed me to post on my site, choosing a weak passphrase could lead to a key that can be cracked through brute force. Moskowitz was part of the IEEE 802.11i security task group, and he knew of what he spoke.
His advice? For effective security, choose a passphrase that's at least 20 characters long and contains no words found in dictionaries of any language.
Substituting 3 for e and 0 for o isn't a good choice, by the way: Brute-force attackers build dictionaries with common substitutions. Changing "camel back liposuction" to "!cmale bc@@k lippppo___!!sction" would make much more sense. Anyway, which among us manually enters a passphrase more than once per client?
Within a couple of years, effective brute-force methods appeared that could crack short keys that used only words found in dictionaries. There are pre-computed dictionaries that combine the SSID (network name) and billions of short key combinations. (The network name is used as an element in creating the key, but "linksys" and other default network names are often unchanged by users. Apple names its networks by default with part of the base station identifier, making a brute-force crack probably a million, maybe a billion times harder.)
ElcomSoft recently updated their "key recovery software" to use the graphics processing unit (GPU) in modern computers, which the company said in press releases--they haven't gotten back to a request I made for a briefing weeks ago--could improve key cracking by a factor of 100. Their software is also distributed, so you could conceivably put 1,000 computers on the task.
How does Elcomsoft's breakthrough affect the 2003 advice on passphrases? Security experts I've talked to, including Erik Tews, the co-author of the paper on the new WPA flaw, said that 20 characters should still require such a vast amount of time even with all the horsepower that one could throw at it, that there's no risk.
If there were a risk, you could increase a passphrase to 22 characters in length, and suddenly push the time to crack out by another factor of 100 (more or less; dissenting opinions welcome).
Average users can bypass all this by buying Wi-Fi gear that uses Wi-Fi Protected Setup (WPS), which uses for its source material a passphrase longer than the 20-character minimum, and employs excellent methods of securely exchanging key material over the untrusted network.
Of course, as I discovered when reviewing the excellent Linksys WRT610N (concurrent dual-band 802.11n router) for Macworld magazine, there's surprisingly no precise standard for WPS interface implementation. That is, the Wi-Fi Alliance defines the way in which WPS works on a protocol level, but not how the details are presented to a user.
Apple has two methods, neither of which matches up correctly with Linksys's three or four methods (depending on how you count). It's frustrating. Apple never responded to a request for comment about the mismatch; Linksys said they're looking into how to improve compatibility in future releases.
Posted by Glenn Fleishman at 2:11 PM | Permanent Link | Categories: Security | No Comments | No TrackBacks
The flaw in WPA is minor but important, and won't affect home users or most networks (yet): I spoke yesterday to Erik Tews, one of the co-authors of a paper covering a WPA flaw that he'll present next week in Japan at PacSec, a security conference. Tews and his collaborator Martin Beck, who discovered and tested the flaw, found that it's possible to use weaknesses that remain in WPA's TKIP encryption type (the weaker of two available in WPA2) to decrypt certain data.
I wrote about this at great technical length at Ars Technica--see Battered, But Not Broken--but let me provide the high-level summary here.
The flaw is not a generic crack: it doesn't allow a WPA key to be recovered, nor does it work on all data passing the network. The flaw only affects packets encrypted using the TKIP system, which is a backwards-compatible upgrade to 802.11's original WEP system. It's also only possible at this point to recover the original text for short packets--those with predictable contents that are quite short. And it requires the use of 802.11e, the Quality of Service (QoS) standard that prioritizes voice and streaming data above that of normal data to provide voice quality and avoid video and audio stuttering.
With the Tews/Beck technique, short packets with mostly predictable content can be cracked through first applying a WEP-style crack that gets an attacker most of the way there, and then using a very slow method of determining the value of the remaining unknown bytes. This allows the keystream--the cryptographic overlay used to encrypt data as it flows, not the network key itself--to be recovered and used to "replay" arbitrary data, such as a changed packet. While TKIP includes replay protection, the graduate students found that the QoS queues would let them replay the same keystream, sidestepping this protection. (Their flaw discovery is very very clever, combining the use of three interrelated protocols' weaknesses.)
The solution for the flaw at present is to use AES, an encryption option that's part of WPA2 (and 802.11i, the underlying standard). If your network comprises all WPA2 devices, which nearly all equipment sold starting in 2003 is capable of, then you can opt to set routers to use just the AES type. For home networks or small offices, this would mean choosing WPA2-PSK or WPA2 Personal in most cases. (While Windows lets you choose to identify a WPA2 key as TKIP or AES, the router is what controls which algorithms are acceptable.)
And because the crack potentially allows only the injection of changed packets for very specific network stuff, it's likely that you'd never see this used against a home network because there's very little you could do with such a flaw. On a corporate network, someone might try to redirect traffic through certain kinds of short forged messages, and that could be a problem.
However, corporate networks should be using robust enough equipment that the keys used for network communication are frequently swapped out, which disrupts this crack; and corporations may already have standardized on WPA2's AES, which is immune to any attack of this kind.
In the end, you should be wary, but not freaked out. Switching to AES has a price: older computers won't be able to join your network. But in 2008, the odds are increasingly low that anyone concerned about security would have a Wi-Fi adapter so old that it couldn't use WPA2.
Posted by Glenn Fleishman at 9:30 AM | Permanent Link | Categories: Security | No Comments
It's always in threes: Three big pieces of Wi-Fi news today, folks, and I'll post more information as I have it.
Wayport is being purchased for $275m by AT&T: This is a purely logical move, because Wayport not only has 10,000 McDonald's that they operate the Wi-Fi service for under a direct contract and resell to AT&T for the telecom's customers, but Wayport is also the managed services provider--the outsourced company--that handles AT&T's "internal" Wi-Fi network of Starbucks, Barnes & Noble, and other locations. The deal is cost conservation, bringing outsourced expense inhouse. With the close of the deal, AT&T's Basic footprint--free to its broadband, laptop 3G, iPhone, and some BlackBerry users--expands from 17,000 U.S. to 20,000 U.S. locations, sweeping in premium hotels and other locations.
Is TKIP dead, already? A report in advance of the PacSec conference from IDG News Service says that researchers have found a non-brute-force method of sending data to a Wi-Fi client that it accepts was transmitted by an access point. I've gotten more information than the IDG reporter, and the attack works only on small packets and only with the weaker TKIP key type that's part of WPA and WPA2. The stronger AES key method isn't vulnerable. This isn't a generic vulnerability, and is likely to be of concern only to corporate users.
Virgin America has press flight set for 22-November: I'll be on the plane if all goes well. The promotional flight of the one Wi-Fi equipped craft will be followed each week by an additional plane being unwired with the whole fleet set for Internet access by Q2 2009.
Posted by Glenn Fleishman at 9:28 AM | Permanent Link | Categories: Air Travel, Hot Spot, Security | No Comments
ElcomSoft accelerates cracking WPA/WPA2 keys: The Russian firm offers what it delicately terms password recovery software. They've now paired their WPA/WPA2 key cracking with the power of graphics processing units (GPUs), the brains that drive video cards, which can carry out certain kinds of calculations vastly faster than CPUs, a computer's main processor. (Apple plans to tap GPUs for Snow Leopard, Mac OS X 10.6, due out next year.)
ElcomSoft claims a 100-fold increase in the ability to brute-force extract a WPA or WPA2 key. Further, their software can be used in a distributed fashion. A network of computers with fast graphics cards could provide the equivalent of multiple supercomputers' worth of focused cracking power.
Short WPA/WPA2 passphrases (which are hashed into keys) have long been known to be at risk to cracking and dictionary attacks. Five years ago, Robert Moskowitz let me publish his paper on weak passphrase choice, which showed how words in dictionaries used for passphrases could be broken if the phrase was overall less than 20 characters. Passphrases are hashed using a formula that includes the SSID (network name). Crackers have precompiled large dictionaries that use common SSIDs.
ElcomSoft uses brute force, which requires untold billions of attempts. Shorter keys, even with high degrees of entropy, could fall very fast.
But longer keys increase the difficulty of cracking inordinately. An 8-character WPA/WPA2 passphrase might fall in hours or even minutes, but a 9-character key would take some factor longer; a 16-character key might still need thousands of years to crack even with government-grade effort.
WPA/WPA2 Enterprise shouldn't suffer from this weakness, because these systems generate long keys that aren't derived from passphrases.
ElcomSoft's Distributed Password Recovery starts at $599 for up to 20 clients, and scales to 10,000 clients.
Posted by Glenn Fleishman at 5:53 AM | Permanent Link | Categories: Security | No Comments | No TrackBacks
The credit-card industry has finally revised rules to make WEP persona non grata: The PCI Security Standards Council was founded by Amex, Discover, JCB, Visa, and MasterCard, and each organization agreed to adopt the standards that the group decides on. The latest update of the Data Security Standard (DSS), drafted early this year, was adopted and released yesterday, and profoundly alters Wi-Fi security practices for any company that accepts any major credit card. A summary can be downloaded under PCI DSS Summary of Changes.
The new rules prohibit the use of the highly broken WEP (Wired Equivalent Privacy) standard as part of any credit-card processing--such as from a store terminal to a server--after 30-June-2010, and prohibit any new system from being installed that uses WEP after 31-March-2009. In practice, WEP has remained in relatively wide use among retailers as of last year because many individual and chain stores continue to use ancient point-of-sale gear. The supplier side changed slowly, too, with WEP still included as a standard feature long after WPA was widely available starting in 2004 in business and consumer Wi-Fi gear and computers. The use of WEP is what led to the TJ Maxx parent company network invasion.
The DSS sets both security and audit standards: Merchants must conform to the document's guidelines, and if examined by their merchant card issuer, must be found to conform. If not, they could have the ability to process cards turned off, which makes it hard to be a retailer of any kind.
An analysis of the changes in SearchSecurity states that 802.1X is required, but I believe that may have been a typo. The SearchSecurity article notes that "802.1x" and "802.11x" are cited as examples of industry best practices in the summary document. However, in both the summary and full version of the DSS, I see "802.11i" listed, which is a generic way to refer to WPA2 with TKIP and AES keys.
This would seem to indicate that the DSS would allow the use of WPA and WPA2 Personal, as is noted in Section 2.1.1. That same section, however, recommends the use of AES, which is only available in WPA2 compliant hardware. There doesn't seem to be any mention of 802.1X or WPA/WPA2 Enterprise elsewhere in the document or its summary.
Posted by Glenn Fleishman at 2:27 PM | Permanent Link | Categories: Security | No Comments
Apple adds secure enterprise logins for iPhone: The iPhone 2.0 software, available through a download link for existing 2G iPhones today, adds promised support for the 802.1X port-based authentication required in any company that's even remotely serious about its network security. 802.1X isolates connecting to an access point from gaining access to the network to which the access point is connected. A special client, known as a supplicant, must provide the right credentials for a device to be approved for access. Cryptography binds the process. (Instructions for manually installing the software are over at Wired. The update will likely be pushed out via iTunes to current owners tomorrow, and is included on the iPhone 3G, which goes on sale starting today over the international dateline and tomorrow in the U.S., Europe, and elsewhere.)
Apple splits its 802.1X support into two pieces. There's basic support built into the iPhone 2.0 software, found in the Settings application's Wi-Fi section. Click Other. Click the None label next to Security, and the WPA Enterprise and WPA2 Enterprise options appear. Select either, and the main login screen lets you enter the network's name (SSID), a user name, and a password. This basic method is limited to WPA Enterprise and WPA2 Enterprise, the two most common (and most secure) forms of 802.1X.
Most enterprises will want much more control over this process, and Apple provides the iPhone Configuration Utility, currently available in its most complete form only as a Mac OS X application, and in more limited forms as Web 2.0 applications for Windows and Mac OS X.
The utility serves two purposes: creating configuration profiles, including for multiple Wi-Fi networks and VPN connections; and allowing iPhones in an enterprise to run internally developed iPhone software. The Wi-Fi profiles allow you to create WEP or WPA/WPA2 802.1X configurations, and include support for choosing allowed EAP messaging types, configuring authentication elements associated with a given EAP type, and adding server certificates and names for better authentication control.

Once created, these profiles can be distributed throughout a company via email or as a direct download to the iPhone via an intranet Web server. Apple chose not to encrypt them, which means that certain information that's not secured--such as the shared secret for certain VPN connections--could be disclosed to someone who had access to the profile or could download it off the local network.
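An added example (not Apple's code or the post's) of the check an administrator would want before mailing such a profile around: scan a .mobileconfig (an XML plist) for credentials stored in the clear. The sample profile is constructed; the payload types and key names (com.apple.wifi.managed, EAPClientConfiguration/UserPassword, com.apple.vpn.managed, IPSec/SharedSecret) are assumed from Apple's configuration-profile documentation and may need extending for other payload types.

```python
"""Report cleartext secrets in an iPhone configuration profile."""
import plistlib

# Key names that carry credentials (assumption: per Apple's profile docs).
SECRET_KEY_NAMES = {"Password", "UserPassword", "SharedSecret", "AuthPassword"}

# Constructed sample profile: one 802.1X Wi-Fi payload and one IPSec VPN payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi-vpn",          # constructed
    "PayloadContent": [
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadVersion": 1,
            "SSID_STR": "corp-wlan",                      # constructed
            "EncryptionType": "WPA",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25],                   # 25 = PEAP
                "UserName": "alice",
                "UserPassword": "hunter2",                # stored in the clear
                "TLSTrustedServerNames": ["radius.example.com"],
            },
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "UserDefinedName": "Corp VPN",
            "VPNType": "IPSec",
            "IPSec": {
                "RemoteAddress": "vpn.example.com",       # constructed
                "AuthenticationMethod": "SharedSecret",
                "SharedSecret": b"s3cr3t-psk",            # stored in the clear
                "XAuthName": "alice",
            },
        },
    ],
})


def _walk(node, path, payload_type, hits):
    """Recursively record (payload type, key path) for any populated secret key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else key
            if key in SECRET_KEY_NAMES and value not in (None, "", b""):
                hits.append((payload_type, child))
            else:
                _walk(value, child, payload_type, hits)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", payload_type, hits)


def find_cleartext_secrets(profile_bytes: bytes) -> list:
    """Return a list of (PayloadType, key path) for every secret found in
    the profile's payloads. An empty list means nothing sensitive is exposed."""
    profile = plistlib.loads(profile_bytes)
    hits = []
    for payload in profile.get("PayloadContent", []):
        _walk(payload, "", payload.get("PayloadType", "?"), hits)
    return hits


if __name__ == "__main__":
    for payload_type, key_path in find_cleartext_secrets(SAMPLE_PROFILE):
        print(f"{payload_type}: {key_path} is stored in the clear")
```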
Posted by Glenn Fleishman at 3:51 PM | Permanent Link | Categories: Phones, Security | 1 Comment
TechRepublic notes some interesting features in IronKey's secure USB drive: The IronKey is a seriously secure device, designed with a variety of physical, hardware, and software elements that make it as unhackable as possible: it's got its own hardware encryption chip built in, uses robust flash memory, and can sense physical intrusion. But it's got one more element that Selena Frye highlighted in a recent column: secure browsing.
IronKey runs its own network of secure, anonymous servers that mask your identity. You can choose to change your exit point with a click, and keep track of throughput in case a given link is slowing you down. The IronKey plug-in for Firefox, invoked with a click, also stores all settings and caches on the flash drive.
Like Frye, I have long wanted to recommend an option for people who already use SSL/TLS protection for their email service, and don't need a VPN. IronKey appears to be the right recommendation.
IronKey works right now just with Windows XP and Vista, but their FAQ states they are working on Mac and Linux components. IronKey comes in 1 GB, 2 GB, and 4 GB configurations for $79, $109, and $149, respectively, including a year of "Internet protection," which covers secure browsing and a few other features. There's no information on the cost of the subscription fee after the first year, a notable omission.
Posted by Glenn Fleishman at 2:26 PM | Permanent Link | Categories: Road Warrior, Security | No Comments
The latest news from Wi-Fi security vendor AirTight is that airports leak data: The folks at AirTight regularly suit up, carry Wi-Fi monitoring gear around, and report on how bad people are at securing networks--laughably, often at Wi-Fi and security conferences. Their latest bit of PR has a lot of bad news in it, worth reporting. They found that in testing across 14 U.S., Canadian, and Asian airports, that they found unsecured and WEP-protected networks on 80 percent of the visible non-public networks. They believe that some of those networks are used for logistics and operations. (They wisely didn't probe too far; they could have wound up in the pokey in some states and countries.) They scanned 478 access points.
They also found that 10 percent of the laptops they scanned--out of a total of 585 Wi-Fi clients--had an ad-hoc network in place. That's the "Free Wi-Fi" network you see whenever you're in public, which is spread by people connecting to the network, which is then advertised to other people. While the network itself may just be an artifact of Windows XP's damaged ideas about how to advertise network availability, connecting to another laptop via an ad hoc method creates the potential that any viruses you or they have will be shared.
Posted by Glenn Fleishman at 3:14 PM | Permanent Link | Categories: Air Travel, Security | No Comments
Apple adds enterprise features to the iPhone, including 802.1X, and opens it to developers: Today's announcement from Steve Jobs was full of surprises, including the fact that Apple licensed Microsoft's ActiveSync for full Exchange support, and the level at which developers will have access to iPhone hardware and information.
The 2.0 software, free to all current owners of iPhone, will be available in June, which kind of tips the hand as to when we'll see a 3G iPhone, too, I imagine. iPod touch owners will pay a "nominal" upgrade fee, as Apple books iPhone revenue over 24 months and iPod revenue as units are sold.
Apple will pile in all the stuff that enterprises demanded from Research in Motion in the Blackberry platform--and that RIM built in--including support for 802.1X (including WPA2 Enterprise) for authenticated Wi-Fi login, two-factor authentication, certificates, and additional VPN types. They're also adding "remote bricking," a critical feature that allows a stolen or misused phone to be remotely and securely wiped.
On the developer side, Apple is opening up the whole puppy in a way that I didn't expect. I assumed the firm would put limits on whether the cell data connection could be used by apps, but not restrict the Wi-Fi side. The announcement puts nothing off limits except VoIP over cell data, although there's a list of characteristics that software can't contain, such as being malicious or a bandwidth hog. All software is distributed and installed via App Store, available on an iPhone or in iTunes for synchronization. This includes free software. Apple will therefore vet, and ostensibly be able to halt use of programs that exhibit behavior they deem bad. Jobs said, "We can turn off the spigot if we need to." Every app will be signed by a developer certificate.
Developers can have access to location information provided by Google (cell towers) and Skyhook (Wi-Fi) for use in their programs. No mention was made of privacy settings for such. Skyhook's Loki toolbar requires that you grant permission to Web sites that want to obtain your location details; I expect a system-wide approach to that, too.
No mention was made today of a few particular problems with iPhone security, such as the ability to tunnel and traverse a VPN across multiple network media, such as using an iPhone for a secure connection while you travel from work, across the EDGE network, and to hotspots. This likely could be built on top of the enterprise features. You'd also need policy management, such as disallowing certain kinds of connections without a VPN being active or over non-trusted Wi-Fi networks.
Certainly, this is a big step forward for corporate users, mobile applications, and consumer ease on the iPhone platform. The beta is available today to developers; you can become a developer for $99. Amazingly, Apple's developer site crashed and is still unavailable two hours after the press conference ended.
Posted by Glenn Fleishman at 1:05 PM | Permanent Link | Categories: Cellular, Enterprise, Future, Hot Spot, Location, Security | No Comments
Posted by Glenn Fleishman at 11:18 AM | Permanent Link | Categories: Security | No Comments | No TrackBacks
McAfee researchers show that a common setting for the WPA Enterprise supplicant in Windows leads to credential ownership: I was aware of this problem when WPA Enterprise first started to become available, because some early gateways equipped to handle the port-based authentication protocol (802.1X + WPA, essentially) lacked certificate-authority (CA) signed certificates. What this means is that the operating system and supplicant, which hold the root certificates used to validate the CAs, and through them any certificate those CAs sign, can't provide the out-of-band confirmation that the certificate presented by the authenticator to set up a tunneled PEAP or EAP-TTLS session is valid. Got that?
Today, it's likely that you either have a CA-signed certificate, your IT department has preinstalled the root certificate needed on your machine, or you're using an outsourced provider (like WiTopia) which includes root certificates to install on your systems. I say likely, but Brad Antoniewicz and Josh Wright apparently have found that it's not entirely common.
The weakness they document is based on a setting in the Windows supplicant for PEAP: Validate Server Certificate. When unchecked--its default state is checked--the server's authentication is bypassed. The researchers note that there are similar settings in other supplicants, covering both PEAP and EAP-TTLS.
With validation bypassed, an AP can spoof the protected network (becoming the authenticator in 802.1X parlance) and the researchers' modified FreeRADIUS server software (FreeRADIUS-WPE) can handle the authentication server component. The client doesn't notice, or the user either isn't prompted to confirm or simply clicks through when prompted to trust a certificate that's unsigned. The credentials are then sent in the clear using EAP, which has no integral encryption, within the forged tunnel.
Easy solutions noted above: Only trust validated certificates; configure supplicants to require validation; install root certificates as needed when using self-signed certificates or those issued by firms outside of your operating system's chain of trust.
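As an added example (not from the article, McAfee, or FreeRADIUS-WPE), here is a small audit of wpa_supplicant-style profiles standing in for the Windows checkbox the post describes. It assumes wpa_supplicant.conf syntax, where a PEAP/TTLS profile with no ca_cert accepts whatever certificate the authenticator presents, and where domain_suffix_match or subject_match is what ties an otherwise valid certificate to the expected RADIUS server; the sample config is constructed.

```python
import re

# Constructed wpa_supplicant-style sample: one PEAP profile with validation
# effectively off, one TTLS profile done right, one PSK profile out of scope.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
}
network={
    ssid="corp-wifi-secure"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

TUNNELED_EAP = {"PEAP", "TTLS"}  # methods that wrap credentials in a TLS tunnel
NAME_PINS = ("domain_suffix_match", "subject_match")  # bind the cert to the RADIUS host

def parse_networks(conf: str) -> list[dict]:
    """Return one key/value dict per network={...} block (quotes stripped)."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit(conf: str) -> list[tuple[str, str]]:
    """Flag PEAP/TTLS profiles that would hand credentials to any authenticator:
    no CA to validate against, or a CA but no check that the certificate
    actually names the expected server."""
    findings = []
    for net in parse_networks(conf):
        if net.get("eap", "").upper() not in TUNNELED_EAP:
            continue  # PSK and non-tunneled methods are outside this check
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net:
            findings.append((ssid, "no ca_cert: server certificate not validated"))
        elif not any(pin in net for pin in NAME_PINS):
            findings.append((ssid, "ca_cert set but server name not pinned"))
    return findings
```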
Posted by Glenn Fleishman at 12:36 PM | Permanent Link | Categories: Security | 1 Comment | No TrackBacks
Schneier on leaving his Wi-Fi network open: Bruce Schneier is a security savant, and I usually admire his writing. In this case, he wrote something quite stupid for Wired. He explains that he leaves his Wi-Fi at home unsecured and wide open. He walks through technical and legal and practical reasons why closing the network isn't of interest to him. But he only mentions the most important bit in passing: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."
Right.
And how, Mr Security Guru, might I do that? Readers taking his advice without knowing that he's set up encryption for his computer's data across the open network--which is what I assume he's done--would be exposing themselves to risk. He's also wrong about risk profiles. The risk profile at a Wi-Fi hotspot is smaller because of the time dimension (how long someone might attack your computer) and the population dimension (how many people might attack your computer over time).
I don't advise opening your home network, because securing your desktop computers and even laptops is so much of a hassle most of the time that simply disabling local network access--over which more attacks can be launched, because many firewalls consider the local network a trusted network and lower their defenses--is the lowest-hanging fruit for average users' protection.
Also, Schneier's discussion with "several lawyers" led to his summary that if someone misused your network, you might wind up plea bargaining over child porn suits or paying the RIAA thousands of dollars to settle, even if you're not at fault. But his conclusion: "I remain unconvinced of this threat, though." I do not.
Finally, Schneier dismisses concerns over ISPs who don't allow their networks to be shared. (Note that although he mentions Fon, he doesn't note their Roadrunner cable deal, which provides their private/public router service to a much larger potential audience with legal sharing ability.) Schneier writes, "But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn't a big risk either. The worst that will happen to you is that you'll have to find a new ISP." He is unaware of the near-monopoly in many parts of the US, even in cities where a duopoly exists. In many cases, a cable firm that drops you can't be replaced by any other broadband provider.
Open networks constructed properly with good security are a great addition to the arsenal of access. Implicitly advising everyone to open their APs--not so good.
Posted by Glenn Fleishman at 1:13 PM | Permanent Link | Categories: Cluelessness, Security | 4 Comments | No TrackBacks
The research paper is a few months old, but apparently just being publicized: Researchers at Indiana University modeled how wireless routers, if targeted with a virus, could spread such a virus among other routers. There are a lot of variables involved: whether the administrative password on the router was changed from its default; whether no encryption, WEP, or WPA/WPA2 is enabled; and the heterogeneity of router models, as viruses aren't one size fits all. Even though the paper is weeks old, the notion seems to have captured the mind of technology sites, which are all writing about it. (Some event sparked the paper's rediscovery?)
In their modeling, they looked at wardriving data that let them figure out how close Wi-Fi routers were. They found that there is likely enough density for tens of thousands of routers to be infected over a period of days. In Chicago, for instance, they found 48,000 contiguous routers assuming a 45-meter maximum interaction distance.
The wardriving data let them also determine which routers had which modes of encryption enabled to determine the speed and possibility of attacks. They assumed that routers protected by WPA are immune, which is reasonable; there's no known generic hack for WPA, only cracks that involve precomputed large databases of keys based on default network names (SSIDs).
Their assumption on administrative access to a router is predicated on the idea that someone who hasn't changed the router's SSID is likely also to have left the password unchanged. For the rest, they assume that 25 percent of passwords can be guessed with 65,000 attempts, which conforms to other password research. Routers, they found, don't have a mechanism to delay or disable password access after failed attempts.
One thing I don't see addressed in the report is how many different worms would be required based on the many different models of Wi-Fi routers and the many firmware releases for each. There's an assumption buried that I don't see in which a certain homogeneity of routers--seeded by DSL providers, for instance, and aided by Linksys's dominance in the market?--has to be in place to be sure that enough security holes exist, are unpatched, and can be exploited.
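The model sketched in the preceding paragraphs, as an added toy version that is not the Indiana University researchers' code: routers are points in a plane (metres), two routers can interact when within the paper's 45-metre distance, WPA/WPA2 routers are immune, a router still broadcasting its default SSID is assumed to still have its default admin password, and any other susceptible router is taken as guessable with the paper's 25 percent rate. The router positions and settings are constructed; the "expected infections" figure is deliberately an upper bound, since it ignores that a router the worm fails to crack cannot relay the infection.

```python
from collections import deque
from dataclasses import dataclass
import math

MAX_RANGE = 45.0   # metres: the paper's maximum interaction distance
GUESS_RATE = 0.25  # share of changed passwords guessable in ~65,000 attempts

@dataclass(frozen=True)
class Router:
    name: str
    x: float            # position in metres (constructed)
    y: float
    crypto: str         # "open", "WEP" or "WPA"
    default_ssid: bool  # default SSID taken as a proxy for a default password

# Constructed sample: a row of routers along a street plus one far away.
SAMPLE = [
    Router("A", 0, 0, "open", True),
    Router("B", 30, 0, "WEP", False),
    Router("C", 60, 0, "WPA", False),   # immune; splits the chain into A-B and D-E-F
    Router("D", 90, 0, "open", True),
    Router("E", 120, 0, "open", True),
    Router("F", 150, 10, "WEP", False),
    Router("G", 30, 100, "open", True), # out of range of everything
]

def susceptible(r: Router) -> bool:
    """WPA/WPA2 routers are treated as immune, as in the paper."""
    return r.crypto.upper() not in {"WPA", "WPA2"}

def in_range(a: Router, b: Router) -> bool:
    return math.hypot(a.x - b.x, a.y - b.y) <= MAX_RANGE

def reachable(routers: list[Router], start: int) -> list[str]:
    """Breadth-first walk from an initially infected router, hopping only to
    susceptible routers within radio range. Returns names in visit order."""
    if not susceptible(routers[start]):
        return []
    seen, order, queue = {start}, [], deque([start])
    while queue:
        i = queue.popleft()
        order.append(routers[i].name)
        for j, r in enumerate(routers):
            if j not in seen and susceptible(r) and in_range(routers[i], r):
                seen.add(j)
                queue.append(j)
    return order

def takeover_probability(r: Router) -> float:
    """Chance the worm gets admin access once it can talk to the router."""
    if not susceptible(r):
        return 0.0
    return 1.0 if r.default_ssid else GUESS_RATE

def expected_infected_bound(routers: list[Router], start: int) -> float:
    """Upper bound on expected infections: per-router takeover odds summed
    over the reachable set, ignoring that an uncracked router cannot relay."""
    by_name = {r.name: r for r in routers}
    return sum(takeover_probability(by_name[n]) for n in reachable(routers, start))
```

Swapping SAMPLE for real wardriving coordinates and encryption flags turns this into the contiguous-cluster count the paper reports for Chicago.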
Posted by Glenn Fleishman at 1:43 PM | Permanent Link | Categories: Home, Security | 1 Comment | No TrackBacks
Sophos certainly did a great PR job: Dozens of articles have appeared in the last few days trumpeting Sophos's survey conducted for The Times of London. They found that 54 percent of those asked admitted that they've used someone else's Wi-Fi connection without their permission. Two things are strange about this: The Times characterizes the question asked incorrectly and doesn't note the sample size. On Sophos's site, they provide both the precise question asked and the sample size, which was a meager 560 people.
The Times wrote, "It discovered that 54 per cent of computer users have secretly used someone else’s wireless broadband connection without paying for it." But the question asked according to Sophos was, "Have you ever used someone else's Wi-Fi connection without their permission?"
There's a vast difference, as I have written about for years. The question doesn't encompass whether someone hacked a network to use it--unlikely that very many people would do that at all--so we're talking about people accessing networks that aren't protected with some form of encryption. Some of these networks are open on purpose; many not. It's a very imprecise question, and worse in the Times's inaccurate restatement. We don't know that anyone stole access who answered this question; the Times assumes they did.
With this small a survey size, and no information provided on demographics, this reveals essentially nothing about people's behaviors. In the UK, accessing a network without permission is illegal; the Times notes just 11 people have been arrested for such actions. I'd like to see a sample size of 20,000 regular users of the Internet outside their homes. I expect the number is much higher than 54 percent. But it still doesn't really tell us much except that it's easy to use Wi-Fi when a network is intentionally or unintentionally left unprotected against access.
A Sophos manager has this rather specious soundbite, too: "Stealing Wi-Fi internet access may feel like a victimless crime, but it deprives ISPs of revenue."
Posted by Glenn Fleishman at 1:33 PM | Permanent Link | Categories: Cluelessness, Legal, Security | No Comments | No TrackBacks
The BBC reports that British Telecom uses WEP on its home networks: I'm not sure whether BT enables WEP by default on their home Wi-Fi routers, or if you can't upgrade to use WPA or WPA2 at all. However, this makes the WEP crack that will be discussed by AirTight researchers at ToorCon this weekend all the worse. I tend to think of WEP as so 20th century--something used only in despair. In fact, this BBC article makes clear that WEP is still in wide circulation because of compatibility issues.
I think of Windows XP as the default operating system for Windows users; there are still plenty of pre-XP home users out there, too. (WPA can be used on some pre-XP systems, depending on drivers and other factors.) The other day, a colleague received email from a graphic designer who uses Mac OS 8.6 and is still happy with it, but is considering updating. That's a nearly decade-old system release. I suppose I'm too sanguine about WEP's availability.
Posted by Glenn Fleishman at 8:14 AM | Permanent Link | Categories: Security | 2 Comments | No TrackBacks
InfoWorld has a write-up on an upcoming Toorcon presentation by Vivek Ramachandran and Md Sohail Ahmad: The AirTight Networks researchers have developed an attack they call Caffe Latte; it uses a laptop's attempts to connect to WEP-protected networks as the jimmy that lets the cracker into a position to force the laptop to issue tens of thousands of WEP-encrypted ARP requests, which are used to crack the network key. Caffe Latte lets the attacker then act as a man in the middle, providing Internet access from another network while examining the victim's computer or installing payloads. This attack can be used anywhere: while whiling away your time at a cafe, you could be cracked, hence the fancy name.
Update: Astute readers noted that this specific attack first appeared on Darknet.org.uk as Wep0ff in January 2007. I'm not sure from the InfoWorld article whether there are any differences between that tool and the Toorcon presentation. Another update: See comments; Ramachandran says their attack is different, and the full details will be revealed at the conference.
The application of this attack is interesting, because although the article and Ramachandran/Ahmad's Toorcon description talk about business use of WEP, actual WEP use by corporations is pretty limited. Most companies of any scale are using some form of 802.1X or other credential-based logins which can't be subverted by this attack. Companies in retail and logistics are apparently the most vulnerable, because early Wi-Fi built into retail point-of-sale systems and scanners used in warehouses are still in wide use, and can only support WEP. If a cracker can associate the cracked key with a company by scanning the victim's hard drive or using other intrusion tools, then they can go to that company and enter their network at will, too. That's what led to the break-in at the parent company of TJ Maxx and Marshall's.
The broader implications are that if you ever attached to a WEP-protected network and stored the key, your laptop is now vulnerable to this attack. This may lead people to turn their Wi-Fi radio off when not actively attached to a network when out in public. (It's a good idea for reducing battery drain, too, of course.) The researchers are using an older form of WEP attack, it seems, as they suggest it could take up to 30 minutes to break the WEP key in this manner; other researchers revealed a method that works in as little as under two minutes back in April.
The vulnerabilities exposed by this attack arise because the IP ranges associated with Wi-Fi networks are often considered trusted networks by firewall software. Most firewall software requires that you agree or disagree that a particular network range represented by a Wi-Fi network that you connect to is trusted or untrusted. I suspect most users add the network to their trusted category when they connect to a network, assuming it to be safe--maybe the case when it's a home network. Which means that popular private addressing ranges starting with 10.0 or 192.168 are already approved in your firewall. With the attacker managing to appear to your computer like a WEP network it's already joined, they may not be blocked from probing for the many weaknesses typically found on most Windows computers through outdated software and drivers.
Posted by Glenn Fleishman at 4:08 PM | Permanent Link | Categories: Security | 2 Comments | No TrackBacks
Yours truly and his colleagues at Take Control Books have just released the latest updates to our electronic books on Wi-Fi: My two books (one co-authored with Adam Engst) on Wi-Fi are now ready for purchase in their latest updated flavors. Wi-Fi Networking News readers can get 30 percent off either or both titles by following the links below, or using coupon code CPN71005WNN. (Discount appears at checkout. You can jump straight to a checkout cart with both books and the discount by clicking here.)
Take Control of Your 802.11n AirPort Extreme Network covers using Apple's latest, fastest AirPort Extreme technology to its best advantage, including mixing older and newer Wi-Fi gear, and designing the best network architecture for homes and small offices. Includes details for Mac OS X 10.4, Windows XP, and Windows Vista setup. This revised edition covers the newer gigabit Ethernet version of the AirPort Extreme with N. This edition includes a new, separate section explaining how to set up a network with multiple base stations either via Ethernet or via wireless using Wireless Distribution System. (171 pages, $10 before 30% discount)
Take Control of Your Wi-Fi Security offers a comprehensive look at securing a Wi-Fi network for homes, home offices, and small businesses. We cover how to evaluate your risk, which security options to choose, and how it all works, including WEP, WPA, WPA2, 802.1X, WPS, and many, many more acronyms. The book guides you to setting up a secure network, and keeping secure on the road with SSL/TLS, SSH, a VPN, and other methods. We also detail how to secure an iPhone, and the ways in which it simply can't be secured for in-transit data. (114 pages, $10.00 before 30% discount)
We've also released the 2004 edition of The Wireless Networking Starter Kit (2nd edition) at no cost as an electronic download. While the information is outdated in places--and the Take Control books refresh those details--we still think it's a good guide to the principles of Wi-Fi, how to set up a network, and how to use hotspot networks safely.
Posted by Glenn Fleishman at 11:31 AM | Permanent Link | Categories: Book review, Security, Self-Promotion | No Comments | No TrackBacks