The neglected WLAN security problem: Preferred Network List

March 4, 2008

A commonly neglected attack vector against computers attached to a WLAN is the “Preferred Network List”, in which the SSIDs of networks the computer has successfully connected to are saved. Later the computer connects to these networks automatically. This also happens for unencrypted networks like the ones used for public hotspots (e.g. T-Mobile_T-Com). Under Windows and Kubuntu this behavior is activated by default, and Windows does not even store the MAC address of the access point, which Kubuntu’s KNetworkManager does.

How does this help an attacker to attack a notebook which is connected to a WPA-protected access point? It is quite easy. The attacker sends a forged deauthentication frame with the address of the access point as the sender. This is easy because 802.11 management frames are transmitted unencrypted and without cryptographic authentication, even on a WPA network. The notebook will now try to reconnect and will choose the access point with the best reception: in our case the attacker, who with a tool like Karma answers probe requests for the SSID of the real access point.

Often you hear from so-called experts that you should deactivate the broadcasting of the SSID. This is a bad idea, as you help an attacker even further: in this case the notebook actively sends probe requests when it doesn’t find a beacon with the SSID it is looking for, which tells the attacker the SSIDs of the networks you’re looking for. Even Microsoft discourages deactivating the SSID broadcast.
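The three symptoms described above (the forged deauthentication, the rogue access point answering for the real SSID, and the directed probe requests that leak the preferred network list) can be watched for from a monitor-mode capture. The following is an added example, not code from the post or from Karma; it assumes the captured management frames have already been reduced to simple records and that the trusted (SSID, BSSID) pairs are known. The MAC addresses, SSIDs and thresholds are made up for the demonstration.

```python
"""Spot the attack chain from the post in a stream of 802.11 management frames.

Added example, not code from the post or from Karma.  It assumes that frames
from a monitor-mode capture have already been reduced to simple records and
that the trusted (SSID, BSSID) pairs are known; the MAC addresses, SSIDs and
thresholds below are made up for the demonstration.
"""
from collections import defaultdict, namedtuple

# One record per management frame: time in seconds, frame subtype, transmitter
# address, BSSID, and the SSID carried in the frame (empty if none).
Frame = namedtuple("Frame", "ts subtype addr2 bssid ssid")

# Trusted access points: SSID -> BSSIDs that may legitimately announce it.
# (Windows, as the post notes, does not record this pairing; a monitor must.)
TRUSTED = {"CorpNet": {"00:11:22:33:44:55"}}


def analyse(frames, deauth_threshold=5, window=2.0):
    """Return (ts, kind, detail) alerts for three symptoms:
    deauth-burst: several deauth frames 'from' a trusted BSSID in a short window
                  (the forged deauthentication; management frames carry no MIC),
    evil-twin:    a beacon or probe response for a trusted SSID from an unknown
                  BSSID (what a Karma-style AP sends to lure the reconnect),
    pnl-leak:     a directed probe request, which reveals an entry of the
                  client's preferred network list whether or not the real AP
                  hides its SSID.
    """
    alerts = []
    deauth_times = defaultdict(list)
    seen_probes = set()
    trusted_bssids = {b for bssids in TRUSTED.values() for b in bssids}
    for f in frames:
        if f.subtype == "deauth" and f.addr2 in trusted_bssids:
            times = deauth_times[f.addr2]
            times.append(f.ts)
            times[:] = [t for t in times if f.ts - t <= window]   # keep the window
            if len(times) == deauth_threshold:                    # fire once per burst
                alerts.append((f.ts, "deauth-burst",
                               f"{deauth_threshold} deauths from {f.addr2} within {window}s"))
        elif f.subtype in ("beacon", "probe-resp"):
            known = TRUSTED.get(f.ssid)
            if known is not None and f.bssid not in known:
                alerts.append((f.ts, "evil-twin", f"{f.bssid} announces {f.ssid!r}"))
        elif f.subtype == "probe-req" and f.ssid:
            if (f.addr2, f.ssid) not in seen_probes:
                seen_probes.add((f.addr2, f.ssid))
                alerts.append((f.ts, "pnl-leak", f"client {f.addr2} probes for {f.ssid!r}"))
    return alerts


# Constructed capture: the real AP beacons, the attacker forges six deauths in
# its name, the client probes for its preferred SSID and the rogue AP answers.
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "00:11:22:33:44:55", "00:11:22:33:44:55", "CorpNet"),
    *[Frame(1.0 + 0.1 * i, "deauth", "00:11:22:33:44:55", "00:11:22:33:44:55", "")
      for i in range(6)],
    Frame(1.7, "probe-req", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", "CorpNet"),
    Frame(1.8, "probe-resp", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "CorpNet"),
]

if __name__ == "__main__":
    for ts, kind, detail in analyse(SAMPLE_FRAMES):
        print(f"{ts:5.1f}s {kind:12s} {detail}")
```

The deauth rule fires once per burst (when the count in the window first reaches the threshold) to avoid an alert per frame; a legitimate AP rarely sends many deauths in two seconds, but the threshold is an assumption to tune. Note that the evil-twin rule needs the BSSID pairing that Windows discards, which is exactly why a client alone cannot tell the rogue from the real AP.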

You want to see the attack live and you’re at the CeBIT? Then go to the Heise-Forum (Hall 5, booth E38), where Sebastian Schreiber from SySS will do a live hacking presentation on Tuesday, Thursday and Saturday at 13:00.

spammers start using one-way IP addresses

It seems that botnet operators have found a way to bypass real-time blacklists, which list IP addresses that have sent spam in the past and are therefore likely to still send spam. The Institute for Internet Security of the German University of Applied Sciences Gelsenkirchen took a 24-hour sample of 17 million queries to the blacklist provided by iX. The analysis shows that one third of the queried IP addresses were queried only once (about 459,000 of 1,351,000).

As the day used for this sample was a Saturday, on which a spam ratio of 95% is normal, it is realistic to assume that most of these IP addresses were used for sending spam. This leads to the conclusion that a real-time blacklist, which lists an individual IP address only after it has been seen sending spam, can reach at most a 66 percent hit rate against such one-shot senders. More is only possible with blacklists that block complete ranges permanently, like lists of dynamic IP ranges.

Spamming goes to new level

February 24, 2008

Spammers normally send mails directly from infected PCs, against which blacklists are a good defense. This may change in the future, as a test run of a new method is currently underway. “Project xddo” and “xddo Casino” are the subjects of German spam mails which are not sent via infected PCs but via cracked accounts of mail server users. These legitimate mail servers have static IP addresses and are often whitelisted, which guarantees that the spam is delivered successfully ;-).

They really look like test spam mails: they are very simple and similar to each other, so checksum-based spam detection methods should be able to detect them easily. Another peculiarity of the mails is a second To: entry in the header.

This new kind of spam is a direct result of the blacklists, which seem to be successful enough at blocking dynamic IP ranges and infected PCs. This is basically a good thing, but it is now time for mail server administrators (especially those of internet service providers) to also check the mails their customers send. They should also start counting the undeliverable mails a user sends, and if the count goes over a specified limit the account should be disabled. The implementation of such a feature should be a priority, as otherwise the danger of being added to a blacklist will rise dramatically.
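As an added example of the bounce counting recommended above (this is not code from the post): the script below reads Postfix-style mail log lines, ties each delivery result to the SASL user who submitted the message, and lists accounts whose bounce count and bounce ratio cross a limit. It also checks a raw message for the duplicated To: header mentioned earlier. The log lines and the message are constructed samples, not a real capture, and the thresholds are assumptions an operator would tune.

```python
"""Flag submission accounts that generate too many undeliverable mails.

Added example for the 'Spamming goes to new level' post; it is not code from
the post.  Log lines are constructed Postfix-style samples, not a real capture,
and the thresholds are assumptions an operator would tune.
"""
import email
import re
from collections import defaultdict

SAMPLE_LOG = """\
Feb 24 09:00:01 mx postfix/smtpd[2101]: 3F1A2B0C1D: client=pc1.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.net
Feb 24 09:00:02 mx postfix/smtp[2105]: 3F1A2B0C1D: to=<bob@example.org>, relay=mail.example.org[198.51.100.2]:25, delay=0.5, status=sent (250 2.0.0 OK)
Feb 24 09:00:40 mx postfix/smtpd[2101]: 41C7D0E2F3: client=pc1.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@example.net
Feb 24 09:00:41 mx postfix/smtp[2105]: 41C7D0E2F3: to=<typo@example.org>, relay=mail.example.org[198.51.100.2]:25, delay=0.4, status=bounced (550 5.1.1 User unknown)
Feb 24 09:01:10 mx postfix/smtpd[2101]: 5A9B8C7D6E: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=mallory@example.net
Feb 24 09:01:11 mx postfix/smtp[2105]: 5A9B8C7D6E: to=<xddo1@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=bounced (550 5.1.1 No such user)
Feb 24 09:01:11 mx postfix/smtp[2105]: 5A9B8C7D6E: to=<xddo2@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=bounced (550 5.1.1 No such user)
Feb 24 09:01:12 mx postfix/smtp[2105]: 5A9B8C7D6E: to=<xddo3@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=sent (250 2.0.0 OK)
Feb 24 09:01:12 mx postfix/smtp[2105]: 5A9B8C7D6E: to=<xddo4@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=bounced (550 5.1.1 No such user)
Feb 24 09:01:13 mx postfix/smtp[2105]: 5A9B8C7D6E: to=<xddo5@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=bounced (550 5.1.1 No such user)
Feb 24 09:02:00 mx postfix/smtp[2105]: 6B0C1D2E3F: to=<nobody@example.com>, relay=mx.example.com[198.51.100.9]:25, delay=0.3, status=bounced (550 5.1.1 No such user)
"""

# smtpd logs who authenticated for a queue id; smtp logs each recipient's result.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=.*sasl_username=(?P<user>\S+)")
DELIVERY_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)")


def account_stats(lines):
    """Map each authenticated account to its per-recipient delivery counts."""
    owner = {}                                    # queue id -> SASL user
    stats = defaultdict(lambda: {"sent": 0, "bounced": 0})
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            owner[m["qid"]] = m["user"]
            continue
        m = DELIVERY_RE.search(line)
        if m and m["qid"] in owner:              # unauthenticated traffic is not a customer's
            acct = stats[owner[m["qid"]]]
            acct["sent"] += 1
            if m["status"] == "bounced":
                acct["bounced"] += 1
    return dict(stats)


def accounts_to_disable(stats, max_bounces=3, max_ratio=0.5):
    """Accounts that bounced at least max_bounces mails and whose bounce ratio
    is at least max_ratio (both limits are assumptions; a typo or two is normal)."""
    return sorted(user for user, s in stats.items()
                  if s["bounced"] >= max_bounces and s["bounced"] / s["sent"] >= max_ratio)


def has_duplicate_to(raw_message: str) -> bool:
    """The other peculiarity from the post: more than one To: header line."""
    msg = email.message_from_string(raw_message)
    return len(msg.get_all("To") or []) > 1


# Constructed message in the style the post describes (two To: headers).
SAMPLE_MESSAGE = ("From: account@example.net\nTo: victim1@example.com\n"
                  "To: victim2@example.com\nSubject: Project xddo\n\nbody\n")

if __name__ == "__main__":
    stats = account_stats(SAMPLE_LOG.splitlines())
    for user, s in stats.items():
        print(f"{user}: {s['bounced']} of {s['sent']} bounced")
    print("disable:", accounts_to_disable(stats))
    print("duplicate To: header:", has_duplicate_to(SAMPLE_MESSAGE))
```

In the sample, alice has one bounce out of two recipients (a typo, not worth disabling), while the mallory account bounces four of five and is flagged. The ratio test is what keeps a large but legitimate sender off the list; the absolute count keeps a single bounce from tripping it.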

Disk encryption broken due cooled memory

February 22, 2008

The hard disk and file encryption systems BitLocker (Vista), dm-crypt, TrueCrypt and Apple’s FileVault were previously believed to be safe. This is no longer the case! Researchers from Princeton University have published in their blog a video showing how to extract the encryption key that the running system keeps in memory. The attack vector is the DRAM, which does not lose its contents immediately after a power cut: the data survives for some seconds or even minutes, and by cooling the memory (to -50°C) this can be extended even further.

The researchers then boot a small program which dumps the memory onto a USB hard disk. A second program then searches this dump for the key. Take a look at the video, it is really well done!


My first thought on how to be at least a little bit more secure is not to use the standby mode but to switch off the computer completely. This at least limits the opportunity for an attacker to a few minutes. But this is not a solution. A solution would be a special RAM for storing the password which clears itself when the power is cut. This could be done by a capacitor which provides enough power to clear the memory.

Does someone have a better or another idea?

Finally – Austria gets its own CERT

Many European nations have had Computer Emergency Response Teams (CERTs) for years now, and finally Austria is on the way to catching up. nic.at, the Austrian domain registry, plans to create one together with the Federal Chancellery of the Republic of Austria, with four employees at the beginning. Chancellor Alfred Gusenbauer declared: “The internet is a valuable infrastructure, which needs to be protected”. (Wow, he truly got it!)

So much for the official version, but not everything is gold. The CERT is only supposed to be an information hub which provides international networking. So far so good, but what would be needed is its own infrastructure to react in cases of emergency, otherwise no defense can be coordinated. But this is a typical Austrian solution: we will have our own CERT, but it should not be as expensive as a real one.

Don’t forget multifunction printers!

If you hear about network printers and think of a “dumb” machine sitting in the corner, you are mistaken. They are more like a low-end server running a standard operating system like Linux or BSD on standard hardware, e.g. the Xerox WorkCentre MFP with an AMD processor, 256MB of SDRAM and an 80GB hard drive, running Linux, Apache and PostgreSQL. Such a printer can be attacked like any other system in your network, perhaps even more easily, as no anti-virus software is installed.

What is the possible impact of a compromised printer? A compromised printer can do everything a normal computer could perform, like attacking other systems, sniffing passwords, and so on, but there is one big difference: a printer normally receives all the important documents that many users send for printing. It could easily send them over the internet to an attacker. The printer has an internal hard disk where it could store them and send them slowly out to the internet. You say you restrict your internet access and MFPs have no access to it? Good, but then an attacker could use the internal fax; do you also monitor that? Does this not sound scary? At least it does to me, so be aware that MFP systems need their own security strategy.

Let’s look at the current status. Most likely your printers still have the software version installed which they were shipped with; normally nobody installs security updates on printers. But even if you would like to do so, the problem is that, in contrast to your normal appliances, printer vendors do not really care about security and do not provide security updates in time.

So besides installing security updates and monitoring the download sites for your printers (I don’t believe that most MFP vendors have a security announcement mailing list ;-)), I recommend moving your printers into a separate VLAN which is only reachable via a firewall. This firewall is configured in such a way that only the print servers can talk to the printers, and the printers are able to deliver the received/scanned documents. Only the employees responsible for maintaining the printers should be able to connect to the management ports (be it http(s) or telnet). The printers’ access to the internet should be limited to the required “service calls” to the service company, as some printers report to the service company that someone should come, e.g. with new toner.

And finally you should use nmap or even OpenVAS to look at your printers; you will normally see ftp, http, ssh and telnet open. Try to talk to your printer vendor representative and make them aware that IT security for printers is a concern of yours. Maybe over time the vendors will get better at security, if enough customers care about it.
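To turn such a scan into something you can rerun after every firmware update or firewall change, here is an added example (not code from the post) that parses Nmap’s grepable output (-oG) of the printer VLAN and checks each printer against a baseline: the services the print servers need (raw 9100, IPP 631, LPD 515), the management service the printer admins need (https), and the cleartext management services that should be reachable by nobody else. The scan text is a constructed sample in the -oG format, and the baseline sets are assumptions to adapt to your environment.

```python
"""Check an Nmap scan of the printer VLAN against a service baseline.

Added example for 'Don't forget multifunction printers!'; not code from the
post.  The scan text is a constructed sample in Nmap -oG style, and the
baseline sets are assumptions to adapt.
"""
import re

SAMPLE_SCAN = """\
# Nmap scan of the printer VLAN (constructed sample in -oG format)
Host: 10.20.30.11 (mfp-floor1.example.test)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 515/open/tcp//printer///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (993)
Host: 10.20.30.12 (mfp-floor2.example.test)\tPorts: 443/open/tcp//https///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 10.20.30.13 ()\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
"""

# What the print servers need to reach (raw 9100, IPP, LPD), what the printer
# admins need (HTTPS management), and the cleartext management services that
# belong behind the firewall or, better, switched off in the printer's config.
PRINT_SERVICES = {(9100, "tcp"), (631, "tcp"), (515, "tcp")}
MGMT_SERVICES = {(443, "tcp")}
CLEARTEXT_MGMT = {(21, "tcp"), (23, "tcp"), (80, "tcp"), (161, "udp")}

# -oG port entries: port/state/protocol/owner/service/rpc info/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} of open ports from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts[ip] = {(int(port), proto)
                     for port, state, proto, _svc in PORT_RE.findall(line)
                     if state == "open"}
    return hosts


def audit(hosts):
    """Per host: open services outside the baseline, and cleartext management
    services present (only the printer admins should ever reach those)."""
    findings = {}
    for ip, ports in hosts.items():
        findings[ip] = {
            "unexpected": sorted(ports - PRINT_SERVICES - MGMT_SERVICES),
            "cleartext_mgmt": sorted(ports & CLEARTEXT_MGMT),
        }
    return findings


if __name__ == "__main__":
    for ip, f in audit(parse_grepable(SAMPLE_SCAN)).items():
        print(ip, f)
```

The first printer in the sample shows the usual picture from the post (ftp, telnet and http open beside the print services); the second matches the baseline; the third has ssh and SNMP open, which the firewall rule set described above would not permit from the print servers anyway, but which still deserve a look because the printer’s own management stack is exposed on them.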

The State of Wireless Security

February 21, 2008

I found the following on Slashdot: Codenomicon has published a whitepaper which discusses the state and future of wireless security. They examine Bluetooth and Wi-Fi, and also take a preliminary look at WiMAX. The results are almost universally dismal; vulnerabilities were found in 90% of the tested devices. The paper also looks at methods for vendors to preemptively block some types of threats. Quoting: “Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected.”

Update on the underwater cables “coincidence”

February 20, 2008

In my post “One is a coincidence, two are suspicious but three or even four are no coincidence!” I wrote about the four underwater cables which had “accidents”. Now there is some news on this topic.
The International Telecommunication Union (ITU) considers sabotage a possibility. Wow, so this is more than a simple conspiracy theory! The head of the Telecommunication Development Sector of the ITU, Sami Al Basheer Al Morshid, said that he will not rule it out before the end of the investigation. According to heise online (German), he said that some experts don’t believe that ships could have torn the cables by accident, as the cables are laid very deep and the areas are off limits to ships.

Good Worms – Just a stupid idea

The worm Nachi inspired Microsoft: it intruded into Windows systems, removed MSBlaster (aka Lovsan) and patched the security hole it had used to gain access. This happened in 2003, and now researchers at the company have published a paper on how to deploy security updates via a good worm. They did research on better ways to find and attack … ah sorry … patch insecure computers. Microsoft claims that this would remove the need to provide central servers for security updates.

This is just a plain stupid idea! And I’m not alone: read what Bruce Schneier thinks about that idea.

Here are my thoughts:

  • Microsoft has a known history of releasing only security updates which work and which introduce no additional functionality. So you don’t need to decide whether to update your systems; Microsoft takes care of it. Everything will work afterwards.
  • For an Intrusion Detection System it is really easy to distinguish between good and bad worms: the good worms have the better algorithms for attacking … ah sorry again … fixing your systems.
  • Firewalls have enough intelligence to realize the difference between the good worms probing and a malicious cracker.
  • All of your systems can be rebooted at any given time without problems; nothing critical can happen.
  • For removing the load on central servers we could not use something like BitTorrent, as it would be a documented protocol. It is better to use something which does not require an agent on the systems that the user could configure.
  • We only need to deploy updates for security vulnerabilities which give an attacker root access, which we need for patching the system.

As we’re all so fond of this idea, Microsoft is now telling us that they are not working on it. As we all know, Microsoft does not lie, so this must be true.

Update: Martin McKeay from the Network Security podcast, which I listen to, also thinks that this is a bad idea; take a look at his thoughts too.

iptables firewall scripts updated

February 12, 2008

I’ve just moved my iptables firewall scripts from the old server to my blog, and I updated the scripts with some new tricks I learned in the last years. I have (modified) versions of these scripts running on all of my servers, as they provide an easy starting point which saves much time. The rules are easy enough to understand and change, and I’m not a fan of complicated iptables rules you won’t understand without a special GUI. If something is so complex it will have holes in it! I hope that with these scripts you will see that iptables is not complicated. Have fun and be secure.
