Networking archives - Sister CISA CISSP

Oct 30 2009   12:53AM GMT

When a “Fix” is Not a Fix - The Fix is In



Posted by: Arian Eigen Heald
Wireless, Stupid Technology, TCM (Truly Clueless Management), Data Breaches, Tearing My Hair Out, Hardware & InfoSec, information security

In my previous post, I discussed the enormous security flaw in the Time Warner/SMC modem.

Lo and behold, I was visited by “Adam Wood,” who left a comment defending SMC and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to log in with the user/user account, it simply kicks them back to the login page with JavaScript. All routers are still open to the internet and all still have the same default admin password.

It seems that a fix from Time-Warner or SMC consists almost entirely of PR.

Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, to David Chen’s write-up of the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1 : Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is hidden only by JavaScript in the web interface. When David Chen disabled JavaScript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.
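Issue 2 above and the JavaScript “patch” from the later post are the same design mistake: the login check runs in the browser, not on the device. The added example below is my own illustration, not code from SMC, Time Warner or David Chen; the handlers, paths and the sample backup file are hypothetical models of an embedded admin interface, and it shows why an unauthenticated client that ignores scripts still gets the configuration from the weak version.

```python
"""Client-side redirect versus server-side authorization for an admin page.

Added example, not code from any vendor or from the original post. The
handlers model a router's web admin interface; paths, session handling
and the sample configuration file are constructed for illustration.
"""

# Constructed sample of what a "Backup Configuration File" download might
# hold. Values are placeholders, not from any real device.
SAMPLE_BACKUP_CONFIG = "admin_user=admin\nadmin_password=PLACEHOLDER\nssid=EXAMPLE\n"

ADMIN_PATHS = {"/admin", "/backup_config"}


def handle_client_side_only(path: str, logged_in: bool) -> tuple[int, str]:
    """Weak pattern: the server always builds the full page and relies on a
    script inside it to bounce unauthenticated browsers to the login page.
    A browser with JavaScript disabled, or any plain HTTP client, simply
    receives the whole body."""
    if path in ADMIN_PATHS:
        body = ""
        if not logged_in:
            # The "protection": a redirect that only runs inside a browser.
            body += "<script>window.location='/login';</script>\n"
        body += SAMPLE_BACKUP_CONFIG if path == "/backup_config" else "<h1>Admin</h1>"
        return 200, body
    return 404, ""


def handle_server_side(path: str, logged_in: bool) -> tuple[int, str]:
    """Corrected pattern: the authorization decision is made before any
    sensitive content is placed in the response. An unauthenticated
    request gets a redirect with an empty body, whatever the client."""
    if path in ADMIN_PATHS:
        if not logged_in:
            return 302, ""  # a real handler would also set Location: /login
        body = SAMPLE_BACKUP_CONFIG if path == "/backup_config" else "<h1>Admin</h1>"
        return 200, body
    return 404, ""


def leaks_config(handler) -> bool:
    """True if an unauthenticated request can obtain the backup config."""
    status, body = handler("/backup_config", False)
    return status == 200 and "admin_password=" in body


if __name__ == "__main__":
    print("client-side gate leaks config:", leaks_config(handle_client_side_only))
    print("server-side gate leaks config:", leaks_config(handle_server_side))
```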

So you KNOW that since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.


Sep 9 2009   11:03AM GMT

New Aircrack Just Released



Posted by: Arian Eigen Heald
free tools, Wireless, Tools for Auditing and Security, Tools & Tricks of the Trade, information security

If you’re like me, you’re always hunting for the free tools out there you can add to your arsenal to keep (or in my case, test) the security of your network. Just out, and a great addition to my toolset, is a new update to the well-known tool aircrack-ng.

Why have such a tool, used by the bad guys? Because it’s used by the bad guys to get into your network. It’s updated to crack more protocols, including WPA-PSK. It was one of the first tools to provide a way to crack WEP.

I have about three hundred tools in my toolkit, and only three of them are commercial tools. I’ve had to build a spreadsheet to keep up. I also use Backtrack running in VMWare. You can download VMWare’s free product, the VMWare Viewer, if you have an image (like Backtrack) you just want to run.

I also noticed, while on VMware’s site, that you can download VMware Server for FREE. They’ll give you some serial numbers, and you can try out all sorts of tools in safety.

It’s good to know how things work.


Aug 26 2009   3:18PM GMT

Check out this Article on Wireless



Posted by: Arian Eigen Heald
Wireless, free tools, information security policy

I don’t usually promote other articles - it’s kind of “cheating,” but short of copying and pasting the entire article, I’ve got to send you in the direction of Lisa Phifer’s article on “Five Steps to Eliminate Rogue Wireless Access.”

It’s really well written, and as an added bonus, points you toward some cool FREE tools for wireless monitoring. Not just the standard Wireshark, Kismet and Netstumbler, but a page full of neato tools by Xirrus.

When vendors offer up these types of tools, it makes me MUCH more likely to visit and examine their paid products.

She’s got some great suggestions for watching out for and dealing with rogue access points, not just the usual vendor shill. Bravo!


Jul 13 2009   5:27PM GMT

Adventures in Auditing #1



Posted by: Arian Eigen Heald
Compliance, Wireless, Admins and Auditors, Adventures in Auditing

I’m still amazed that folks are going about their business believing that bad things won’t happen. Is it human nature? I thought I’d share with you some of my latest adventures in traveling about and auditing various companies. Just when I think it’s strange, it gets stranger.

I was doing an audit and I routinely check for wireless connections. The manager had assured me that their policy was: no wireless. OK, but I check anyway. It’s the nature of my work: controls should be in place and they should be working. Essentially a very simple rule.

Behold, a Linksys wireless router popped up with an obvious default configuration. I followed my trusty wireless signal scanner downstairs through several departments until I came upon it sitting out in the open near a group of desks.

I headed back upstairs and asked the manager about it. His face flushed, and he said, “Where is it?” He followed me downstairs, I pointed out the router, and he reached over and yanked the network cable right out of the wall, looked around, and said, “Who plugged this in?” When no one responded, he took the casing off and stomped on it. A silence ensued.

He was peeved. Glad it wasn’t my router. Not because of the router, mind you, but the person who owned it was obviously going to have a discussion with this manager before long.

Back upstairs, his dignity somewhat restored, the manager asked about my wireless signal scanner, and I promptly demonstrated its virtues (electronics can be soothing). Canary makes a great one that scans for b/g and n networks, giving me the type of encryption AND the SSID so that I don’t have to even open my laptop. It has a visual meter so I can home in on the source of the signal and actually find the access point without my laptop (which is rather obvious).

I was ready to give it to him in hopes of escaping any further compliance corrections, but he seemed calmer at that point and thought getting one of his own was a smashingly good idea. (Sorry, I couldn’t resist).


Nov 12 2008   12:43AM GMT

Wireless: Get Ready to Kiss WPA Goodbye



Posted by: Arian Eigen Heald
Wireless, Security, Data Breaches

The word is out in InfoSec circles that a practical attack method against WPA-enabled wireless access points has been announced and is to be presented at PacSec in Tokyo this week.

It used to be that only a dictionary attack against WPA-encrypted packets using a weak pre-shared key (PSK) was available; if you had a PSK of more than 8 characters, you could be reasonably assured that you were secure. Now, Erik Tews will be presenting his attack method, which uses a combination of protocol weaknesses and cryptographic weaknesses to compromise TKIP encryption. The attack lets the attacker inject seven packets into the network, per decrypt window.

There are far-reaching ramifications to this attack, but in short, this presentation means the days of WPA are numbered. Some of the attack code is known to be already available.

The attack focuses on TKIP encryption, and you may think that with AES enabled, you are safe. Not, however, if your router defaults back to TKIP to enable older clients to connect. Not all routers allow you to disable this feature, either. On some equipment AES is called WPA2 and TKIP is WPA. The WPA spec leaves support of CCMP(AES) optional while the WPA2 spec mandates both TKIP and AES capability.

What to do today (and believe me, I’m checking my home router, and will be auditing routers to this effect in the future; best believe that PCI will update their requirements quickly, as well)? Check your APs (access points) as follows:

Use only AES
Disable Negotiations to TKIP from CCMP(AES).
If you must use TKIP, rekey every 120 seconds.
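The checklist above is something you can turn into an audit script. The example below is my own added illustration, not code from the post or from any vendor; it uses the real hostapd option names wpa, wpa_pairwise, rsn_pairwise and wpa_group_rekey, while the two sample configurations are constructed, and it flags every point on the checklist: WPA (version 1) left on so clients can negotiate down, TKIP still offered as a cipher, and a group rekey interval longer than 120 seconds while TKIP remains.

```python
"""Audit a hostapd-style AP configuration against the TKIP checklist.

Added example, not from the original post or any vendor. The option
names are real hostapd settings; the sample files are constructed.
"""

REKEY_MAX_SECONDS = 120  # from the checklist: rekey every 120 seconds if TKIP stays

# Constructed sample configurations (not from any real device).
WEAK_CONF = """\
interface=wlan0
ssid=example-net
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP TKIP
wpa_group_rekey=600
"""

GOOD_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
rsn_pairwise=CCMP
wpa_group_rekey=600
"""


def parse_conf(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf: dict) -> list:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    wpa_bits = int(conf.get("wpa", "0"))  # hostapd: bit 1 = WPA, bit 2 = WPA2/RSN
    if wpa_bits & 1:
        findings.append("wpa has bit 1 set: WPA (version 1) enabled, clients can negotiate down to TKIP")
    if not wpa_bits & 2:
        findings.append("wpa lacks bit 2: WPA2/RSN disabled, CCMP(AES) cannot be required")
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP listed as a pairwise cipher: use only CCMP(AES)")
        rekey = conf.get("wpa_group_rekey")  # seconds; missing means not enforced here
        if rekey is None or int(rekey) > REKEY_MAX_SECONDS:
            findings.append(f"wpa_group_rekey={rekey}: rekey at most every {REKEY_MAX_SECONDS}s while TKIP remains")
    if wpa_bits & 2 and "CCMP" not in ciphers:
        findings.append("CCMP(AES) not listed: nothing stronger than TKIP is offered")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, audit_ap(parse_conf(text)) or ["OK"])
```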

Interestingly, his estimate of the time needed to crack WPA is 15 minutes.

What to do going forward? Plan on upgrading your wireless access points sooner rather than later. It won’t be long before some joker is using this attack to break into businesses.


Oct 21 2008   1:58PM GMT

ATMs with Bugs - At the Grocery Store



Posted by: Arian Eigen Heald
Wireless, Security, Data Breaches, Hardware & InfoSec, Automatic Theft Machines

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think it has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could collect information only from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I have to wonder what the impact was on those. Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it can ONLY dial home (and not to Lahore to deliver its payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, which were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.


Aug 7 2008   4:39PM GMT

Kill Your WEP Now



Posted by: Arian Eigen Heald
Wireless, Security, Compliance, Data Breaches, PCI DSS

The announcement on Tuesday that indicted 11 people for “the largest data breach in history” was an interesting read:

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

What was the common technical denominator of the attacks? Wireless networks. Think wireless cash registers, connecting to local servers, and from there transmitting the information to corporate databases.

TJX had no firewall between their insecure wireless network and their corporate network. They were using WEP, a wireless protocol that can be cracked with trivial (10 minutes) effort.
BJ’s failed to encrypt customer data when transmitted or stored on BJ’s computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. (There was an unsecured access point at a store).

Although the Attorney General said that “They used sophisticated computer hacking techniques that would allow them to breach security systems,” later on the Feds commented that
“The alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.”

So they drove around, found a signal they could crack, installed sniffers and probably got all the way into corporate networks. You have to know that sniffing alone would not capture millions of numbers - I’m still betting they got into corporate databases. All it takes is one open wireless access point if you don’t have them secured from your network.

Sadly, of the 11 people indicted, only three are in custody in the United States.


May 23 2008   6:55PM GMT

It’s Not Your Mother’s Firewall Anymore - Part II



Posted by: Arian Eigen Heald
Networking, Security, IT audit, Admins and Auditors

There are some amazing firewall appliances out there - application-level firewalls that monitor for web attacks, intrusion prevention features where the firewall can block an IP that is performing suspiciously, etc. These are complex machines and software that require training and daily monitoring. It’s definitely not a “set it and forget it” arrangement. Too many small businesses are treating it that way.

A firewall is only as good as where you put it and how you let traffic IN. I’ve seen organizations that put special applications behind their firewalls and left the rest of their network behind routers. Thank heaven there aren’t enough bad people to find configurations like this. A firewall should be between your Internet router (usually managed by your Internet services provider) and the rest of your network. I’ve had business managers tell me a well-configured router is the same as a firewall. NO. No. No. Routers are meant to route traffic. It’s like calling a really good door with no lock a locked door.

Next, what traffic are you letting into your network? By default, NOTHING should come in. NADA. All ports should be closed. Knock on your door, rattle the knob, bang on it even, they should not get in. Some employees want to access their email, or their machines from their home network (that’s a WHOLE other article). OK, firewalls have this nifty feature called a segregated subnet (a DMZ). Put your spam-catcher and Web-accessible mail on a server in the DMZ. Put your FTP server where customers drop off files on your DMZ. Segregate the Domains if you are using Windows.

What about customers? Put the web server for them in the DMZ (NOT the database. NO. Just say NO. Tell the auditor to say NO).

Create what’s called an “extranet” for clients who need to access certain things on your network. Don’t allow them free access via a router to everything you have. You don’t know who has gotten into their network. Put a firewall between your network and the extranet.

Run a college or university, where it’s all about “open access?” Put your critical financial applications and records behind a firewall inside the school network. They can whoop it up out there, with some protection, but not where it really counts.

You may say, hey, everybody knows this stuff already, but I have seen organizations in the last year that have had exactly these issues. Scary, but true. Part III will be on firewall rules.


May 23 2008   12:20AM GMT

It’s Not Your Mother’s Firewall Anymore - Part I



Posted by: Arian Eigen Heald
Networking, Security, Compliance, Security Devices, IT audit, Eigen's Rules of Thumb

In the northern part of Maine, (north of Portland, where I live) folks go about their business without locking their doors or even leaving their cars running while they go into the store. (When it’s -10 degrees, it’s good to have the car run a little more). This describes the fundamental trust the people there have in their community and their neighbors. If you drive by a sign on a driveway that advertises fruits or vegetables for sale, often there will be no person there to collect the money, just a basket with a “thank you” tag. During the winter, folks on the highway will pull over and run down the bank to help a car that has just slid off the road.

The bigger businesses do lock their doors, because they don’t know everyone who might come into their store, and don’t trust unknown people to care or pay for their merchandise.

Fifteen years ago, many businesses did not have a firewall between them and the Internet. You couldn’t pay for something online, or do business-to-business operations. The value of the information was lower, and there was a higher level of trust.

The other issue that came along was the limitation of IP4 addressing. NAT (Network Address Translation) allowed networks of any size to use non-internet routeable subnets as long as they were behind a firewall that had an outside (Internet-facing) legal IP address. (It’s why you don’t see addresses on the Internet for the 10.x.x.x, 172.16.x.x and 192.168.1.x).

Turns out that NAT and firewalls made perfect friends; behind a NAT enabled firewall, a huge network could exist and have all private IPs that the Internet cannot route to or see. The firewall acts as a gatekeeper and monitor, with an internal NIC (Network Interface card) that has an internal private address and an external NIC for Internet communications.

Today, I can ping a server in Russia on my desktop, and that server in Russia could ping me back, if I were not behind a firewall. My Northern neighbors, many of whom have a computer at home, can also ping that far away server. Our “neighbors” on the Internet are people we do not know, and many of them have the ability to “break in” without ever having to knock on our doors or even try the lock. There is zero trust on the Internet.

What does this have to do with IT Auditing, for heaven’s sake? Well, I see too many firewall configurations set up without any safeguards against the bad Internet neighbors. And I see too many auditors who say, “Oh, you have a firewall, that’s good.” They never ask to see the configuration and examine it carefully. (Security by checklist.) Management seems to think that just having one is enough. They don’t send their folks to be trained on how to use it, or they outsource the management of their firewall and never inspect the rules or the logs.

Eigen’s Security Rules of Thumb #2: You can outsource function, but you cannot outsource responsibility.

I’ve seen outsourced firewalls that allowed every single IP address of the vendor access into the firewalled company’s network. It was easier for them to get to other network devices they managed, but there were no access controls as to who on their network could come in, or any logging, either. No one from the company looked at the configuration until I came along and said, “Why do they need that?”