Sister CISA CISSP:

Wireless

Oct 30 2009   12:53AM GMT

When a “Fix” is Not a Fix - The Fix is In



Posted by: Arian Eigen Heald
Wireless, Stupid Technology, TCM (Truly Clueless Management), Data Breaches, Tearing My Hair Out, Hardware & InfoSec, information security

In my previous post, I discussed the enormous security flaw in the Time Warner/SMC modem.

Lo and behold, I am visited by one “Adam Wood,” who left a comment defending SMC and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to log in with the user/user account, it simply kicks them back to the login page with JavaScript. All routers are still open to the internet and all still have the same default admin password.

It seems that a fix from Time-Warner or SMC consists almost entirely of PR.

Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1: Time-Warner/SMC has the modem locked down in a default mode that is not accessible to the average user. The default configuration has a default username/password and locks in WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via JavaScript. When David Chen disabled JavaScript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that, since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.


Sep 9 2009   11:03AM GMT

New Aircrack Just Released



Posted by: Arian Eigen Heald
free tools, Wireless, Tools for Auditing and Security, Tools & Tricks of the Trade, information security

If you’re like me, you’re always hunting for the free tools out there you can add to your arsenal to keep (or in my case, test) the security of your network. Just out, and a great addition to my toolset, is a new update to the well-known tool aircrack-ng.

Why have such a tool, one used by the bad guys? Because it’s used by the bad guys to get into your network. It’s been updated to crack more protocols, including WPA-PSK. It was one of the first tools to provide a way to crack WEP.

I have about three hundred tools in my toolkit, and only three of them are commercial tools. I’ve had to build a spreadsheet to keep up. I also use BackTrack running in VMware. You can download VMware’s free product, the VMWare Viewer, if you have an image (like BackTrack) you just want to run.

I also noticed, while on VMware’s site, that you can download VMware Server for FREE. They’ll give you some serial numbers, and you can try out all sorts of tools in safety.

It’s good to know how things work.


Aug 26 2009   3:18PM GMT

Check out this Article on Wireless



Posted by: Arian Eigen Heald
Wireless, free tools, information security policy

I don’t usually promote other articles - it’s kind of “cheating,” but short of copying and pasting the entire article, I’ve got to send you in the direction of Lisa Phifer’s article on “Five Steps to Eliminate Rogue Wireless Access.”

It’s really well written, and as an added bonus, points you toward some cool FREE tools for wireless monitoring. Not just the standard Wireshark, Kismet and Netstumbler, but a page full of neato tools by Xirrus.

When vendors offer up these types of tools, it makes me MUCH more likely to visit and examine their paid products.

She’s got some great suggestions for watching out for and dealing with rogue access points, not just the usual vendor shill. Bravo!


Jul 13 2009   5:27PM GMT

Adventures in Auditing #1



Posted by: Arian Eigen Heald
Compliance, Wireless, Admins and Auditors, Adventures in Auditing

I’m still amazed that folks are going about their business believing that bad things won’t happen. Is it human nature? I thought I’d share with you some of my latest adventures in traveling about and auditing various companies. Just when I think it’s strange, it gets stranger.

I was doing an audit and I routinely check for wireless connections. The manager had assured me that their policy was: no wireless. OK, but I check anyway. It’s the nature of my work: controls should be in place and they should be working. Essentially a very simple rule.

Behold, a Linksys wireless router popped up with an obvious default configuration. I followed my trusty wireless signal scanner downstairs through several departments until I came upon it sitting out in the open near a group of desks.

I headed back upstairs and asked the manager about it. His face flushed, and he said, “Where is it?” He followed me downstairs, I pointed out the router, and he reached over and yanked the network cable right out of the wall, looked around, and said, “Who plugged this in?” When no one responded, he took the casing off and stomped on it. A silence ensued.

He was peeved. Glad it wasn’t my router. Not because of the router, mind you, but the person who owned it was obviously going to have a discussion with this manager before long.

Back upstairs, his dignity somewhat restored, the manager asked about my wireless signal scanner, and I promptly demonstrated its virtues (electronics can be soothing). Canary makes a great one that scans for b/g and n networks, giving me the type of encryption AND the SSID so that I don’t have to even open my laptop. It has a visual meter so I can home in on the source of the signal and actually find the access point without my laptop (which is rather obvious).

I was ready to give it to him in hopes of escaping any further compliance corrections, but he seemed calmer at that point and thought getting one of his own was a smashingly good idea. (Sorry, I couldn’t resist).


Nov 12 2008   12:43AM GMT

Wireless: Get Ready to Kiss WPA Goodbye



Posted by: Arian Eigen Heald
Wireless, Security, Data Breaches

The word is out in InfoSec circles that a practical attack method against WPA-enabled wireless access points has been announced and is to be presented at PacSec in Tokyo this week.

It used to be that only a dictionary attack against WPA-encrypted packets using a weak pre-shared key (PSK) was available; if you had a PSK of more than 8 characters, you could be reasonably assured that you were secure. Now, Erik Tews will be presenting his attack method, which uses a combination of protocol weaknesses and cryptographic weaknesses to compromise TKIP encryption. The attack lets the attacker inject seven packets into the network, per decrypt window.

There are far-reaching ramifications to this attack, but in short, this presentation means the days of WPA are numbered. Some of the attack code is known to be already available.

The attack focuses on TKIP encryption, and you may think that with AES enabled, you are safe. Not, however, if your router defaults back to TKIP to enable older clients to connect. Not all routers allow you to disable this feature, either. On some equipment AES is called WPA2 and TKIP is WPA. The WPA spec leaves support of CCMP(AES) optional while the WPA2 spec mandates both TKIP and AES capability.

What to do today (and believe me, I’m checking my home router, and will be auditing routers to this effect in the future; best believe that PCI will update their requirements quickly, as well)? Check your APs (access points) as follows:

Use only AES
Disable Negotiations to TKIP from CCMP(AES).
If you must use TKIP, rekey every 120 seconds.
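As an added example (not from the original post), here is a small Python check that runs the three items above against a hostapd-style AP configuration. The hostapd keys it reads (wpa, wpa_pairwise, rsn_pairwise, wpa_group_rekey) are real; the two sample configurations are constructed.

```python
# Added example (not from the original post): audit a hostapd-style AP config
# against the checklist above. Assumes hostapd's real keys: wpa (1=WPA,
# 2=WPA2/RSN, 3=both), wpa_pairwise / rsn_pairwise (ciphers offered to WPA /
# WPA2 clients) and wpa_group_rekey (group rekey interval in seconds).
MAX_TKIP_REKEY_SECONDS = 120  # the post's limit when TKIP cannot be removed

# Constructed sample configs: a mixed-mode AP that still offers TKIP to legacy
# clients, and the same AP hardened to WPA2 with CCMP (AES) only.
WEAK_CONF = """
ssid=store-pos
wpa=3
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
"""
HARDENED_CONF = """
ssid=store-pos
wpa=2
rsn_pairwise=CCMP
"""

def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, skipping blanks and '#' comments; last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_tkip(conf: dict) -> list:
    """Return findings against the checklist; an empty list means the AP passes."""
    findings = []
    mode = int(conf.get("wpa", "0"))
    if mode == 0:
        return ["no WPA configured (open or WEP): worse than any TKIP issue"]
    # Ciphers a client could negotiate; hostapd defaults wpa_pairwise to
    # "TKIP CCMP" and rsn_pairwise to whatever wpa_pairwise holds.
    wpa_ciphers = set(conf.get("wpa_pairwise", "TKIP CCMP").split())
    rsn_ciphers = set(conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split())
    offered = (wpa_ciphers if mode & 1 else set()) | (rsn_ciphers if mode & 2 else set())
    if mode & 1:
        findings.append("WPA (version 1) enabled: legacy clients can negotiate TKIP")
    if "TKIP" in offered:
        findings.append("TKIP offered as a pairwise cipher; allow CCMP (AES) only")
        rekey = conf.get("wpa_group_rekey")
        if rekey is None or int(rekey) > MAX_TKIP_REKEY_SECONDS:
            findings.append(f"wpa_group_rekey={rekey or 'unset'}: with TKIP, "
                            f"rekey every {MAX_TKIP_REKEY_SECONDS}s or less")
    return findings
```

Running audit_tkip(parse_hostapd(WEAK_CONF)) yields three findings (mixed mode, TKIP offered, rekey too slow), while the hardened config yields none.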

Interestingly, his estimate of the time needed to crack WPA is 15 minutes.

What to do going forward? Plan on upgrading your wireless access points sooner rather than later. It won’t be long before some joker is using this attack to break into businesses.


Oct 21 2008   1:58PM GMT

ATMs with Bugs - At the Grocery Store



Posted by: Arian Eigen Heald
Wireless, Security, Data Breaches, Hardware & InfoSec, Automatic Theft Machines

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think it has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could collect information only from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it can ONLY dial home (and not Lahore, to deliver its payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, which were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to great effect.

Thieves keep getting smarter.


Aug 7 2008   4:39PM GMT

Kill Your WEP Now



Posted by: Arian Eigen Heald
Wireless, Security, Compliance, Data Breaches, PCI DSS

The announcement on Tuesday that indicted 11 people for “the largest data breach in history” was an interesting read:

The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

What was the common technical denominator of the attacks? Wireless networks. Think wireless cash registers, connecting to local servers, and from there transmitting the information to corporate databases.

TJX had no firewall between their insecure wireless network and their corporate network. They were using WEP, a wireless protocol that can be cracked with trivial (10 minutes) effort.
BJ’s failed to encrypt customer data when transmitted or stored on BJ’s computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. (There was an unsecured access point at a store).

Although the Attorney General said that “They used sophisticated computer hacking techniques that would allow them to breach security systems,” later on the Feds commented that
“The alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.”

So they drove around, found a signal they could crack, installed sniffers and probably got all the way into corporate networks. You have to know that sniffing alone would not capture millions of numbers - I’m still betting they got into corporate databases. All it takes is one open wireless access point if you don’t have them segregated from your network.

Sadly, of the 11 people indicted, only three are in custody in the United States.


Apr 4 2008   4:44PM GMT

There’s a BIG Difference Between Hannaford and TJMaxx



Posted by: Arian Eigen Heald
Wireless, Security, Compliance, Data Breaches, PCI DSS, Admins and Auditors

One of my readers has commented about how badly Hannaford and TJMaxx have been treated by the media and Internet commentary because of their data breaches.

From my perspective, concerning the data breaches, I can only speak as an auditor and an engineer, not having been inside either company’s network, but, like you, I can read the news and read between the lines.

And I think that Hannaford was doing a good job and TJMaxx was not. Why?

TJMaxx was not PCI compliant, and Hannaford was. Big deal, you say, we all know about compliance! It’s the “Gentleman’s C.” Absolutely. But Hannaford cared enough to make the effort, at least, and get in line with some basic good security practices.

They were NOT storing Social Security numbers, names, addresses and PIN numbers. They were doing it right.

TJMaxx, on the other hand (and a bigger company, at that) was using WEP at all their stores, and wasn’t even baseline with their information storage practices. Didn’t even try to put compensating controls in place (like a firewall between the stores and the corporate network). Have they even done anything different? Nothing in the news about that.

Hannaford was out there replacing hardware in a hurry to get rid of the malware. When was the last time a company replaced hardware in all their stores? Not cheap, and an enormous effort. Maybe it was driven by reputation risk, but that’s 150% more than we know about TJMaxx’s efforts.

Hannaford was the victim of a sophisticated attack, probably (??????) from Russia, and possibly with inside help. (More on the Russians, later.) Could they have caught it? We’ll know more, I hope, and soon.

TJMaxx let a script kiddie and his pals in, because they didn’t want to upgrade their registers and hardware until they absolutely had to. The money that went to banks and fines and external auditors for the next 20 years could have covered it. Easily. They took a risk, and had a “plan” for compliance. Their acquiring bank let them do that because it was better than no plan at all.

They’ve paid the fines and settled the suits, but they’ll be an object lesson for a long time to come.