In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA“. However, TKIP–which is one of the protocols used under the WPA certification standard–is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s not much to worry about–at least, not yet.
Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rijndael) encryption.
Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.
While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following:
1. Switch your current WPA configuration to AES-CCMP if it’s supported;
2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;
3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.
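For readers who run their access point from a configuration file rather than a web UI, here is an added example (my own code, not from the original post or from any router vendor) that audits a hostapd-style configuration for the weak settings discussed above. The keys `wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_key_mgmt` and `wpa_passphrase` are real hostapd options; the two sample configurations are constructed for the demonstration, and the audit rules are my own reading of the advice above (WPA2 only, CCMP only, no TKIP).

```python
"""Audit a hostapd-style WPA configuration for TKIP and WPA-version-1 settings.

Added example; the sample configurations below are constructed, not taken from any real router.
"""
from typing import Dict, List

# Constructed weak configuration: WPA (version 1) with the TKIP cipher only.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=REPLACE-ME-WITH-A-LONG-PASSPHRASE
"""

# Constructed hardened configuration: WPA2/RSN only, CCMP only.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-ME-WITH-A-LONG-PASSPHRASE
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wpa(text: str) -> List[str]:
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    conf = parse_hostapd(text)
    findings: List[str] = []
    wpa = int(conf.get("wpa", "0"))          # bit 1 = WPA, bit 2 = WPA2 (RSN)
    if wpa == 0:
        return ["no WPA configured at all (open network or WEP)"]

    wpa_pairwise = conf.get("wpa_pairwise", "").split()
    # hostapd uses wpa_pairwise for RSN too when rsn_pairwise is not set
    rsn_pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()

    if wpa & 1:
        findings.append(f"WPA version 1 is offered (wpa={wpa}); set wpa=2 so only WPA2/RSN is used")
        if "TKIP" in wpa_pairwise:
            findings.append("wpa_pairwise allows TKIP")
    if wpa & 2:
        if "TKIP" in rsn_pairwise:
            findings.append("rsn_pairwise allows TKIP; set rsn_pairwise=CCMP")
        if "CCMP" not in rsn_pairwise:
            findings.append("rsn_pairwise does not offer CCMP")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_wpa(conf) or ["OK"])
```

Running the script prints the two findings for the weak file and `OK` for the hardened one; point `audit_wpa` at your own `hostapd.conf` contents to check a real configuration.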
For the past couple of years, Microsoft has been issuing a semi-annual report on the security threat landscape. The latest version of the Security Intelligence Report (SIR), v5, was released last Monday. Microsoft appears to be taking security seriously these days: “…during the first half of 2008 (1H08), there were fewer disclosures of Microsoft vulnerabilities than for the industry as a whole; in fact, Microsoft vulnerabilities were down 33.6 percent in 1H08.
“However, it is alarming to see that more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, and nearly half of all industry vulnerabilities are rated as High Severity. Additionally, 1H08 showed how threats are increasingly affecting a variety of vendors beyond Microsoft. Issues now cross multiple vendors and illustrate how different technologies behave together and then create complex, blended threats.”
At 150 pages, the SIR is no light read; it’s a thorough analysis of the security threat landscape based on several well-known industry sources as well as “Telemetry from several customer-focused Microsoft security products and services, including the Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services, representing a total user base of several hundred million computers…”
The announcement, Microsoft Security Intelligence Report Volume 5 is Now Available, posted on the Microsoft Malware Protection Center blog, describes a couple of interesting key findings from the report.
There’s an old saw in security circles: “complexity is the enemy of security.” The more complex something is, the more likely there will be flaws to exploit. Too, there are times when you just don’t need the strength of AES encryption. Case in point: the company I work for utilizes a practice management and documentation system to keep track of service tickets, inventory, server & network configurations, and other customer information. Since the software is web-based (which makes it a potential attack target), we needed a simple method to securely store client passwords and remote access configurations. The solution was Iron Key (not to be confused with the secure flash drive of the same name), a free version of Silver Key–a program for creating self-extracting encrypted files.
The program is perfect for safely sending files over the Internet, even those that contain sensitive personal and financial information. For example, say you have an electronic copy of your tax return that you need to email to your accountant; easy, just drag and drop it onto Iron Key, set a good passphrase and send it along. Your accountant does not need any cryptographic software in order to decrypt the file; all he needs is to run the file and enter the right password, which you can tell him over the phone.
It doesn’t get much simpler than this.
Less than a month after the clickjacking exploit came to light, sporadic reports of users falling victim to the attack are beginning to surface. Dennis O’Reilly’s column in Windows Secrets Newsletter, Issue 172, contains this report from a reader:
Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.
When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.
Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he received a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.
Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,” The Register reports:
Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.
Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1” to “0.” Similarly, change Extensions|Scripting from “1” to “0.”
Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).
Everyone agrees that it just isn’t safe out there on the Wild, Wild, Web and while Microsoft has made huge strides in securing Internet Explorer, the fact that IE continues to use ActiveX scripting technology makes it the least secure browser. I often recommend that people not use IE unless they have to and if they have to, to run it in a sandbox or virtual machine. An application sandbox such as SandboxIE protects your system from malicious scripts by allowing them to run only in the protected area.
There’s a much better approach, however: switch to Firefox and take advantage of the free Firefox add-on, NoScript. NoScript takes a “default deny” approach and prevents all scripts on a site from running unless you explicitly permit them. NoScript is also effective against the latest clickjacking attacks. My article, “How to Protect Yourself from Clickjacking,” over at Dave’s Computer Tips describes the configuration options for both IE and Firefox with NoScript installed.
Switch to Firefox, install NoScript, and enjoy secure computing.
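The two clickjacking posts above cover the client side (disable IFRAMEs, install NoScript). The site being framed can refuse to be embedded at all, which protects visitors who have not hardened their browser. The following is an added example of mine, not code from the original post or from NoScript, showing the response headers a site should send and a small checker that reports whether a given set of headers still lets an arbitrary third-party page frame it. The precedence rule it applies (a CSP `frame-ancestors` directive overrides `X-Frame-Options`) is the documented browser behaviour; the sample header sets are constructed.

```python
"""Anti-framing headers and a frameability check for clickjacking defence.

Added example; header sets below are constructed for the demonstration.
"""
from typing import Dict


def anti_framing_headers() -> Dict[str, str]:
    """Headers a site sends so browsers refuse to render it inside another site's frame.

    X-Frame-Options is the older mechanism; the CSP frame-ancestors directive is the
    current one, and browsers that understand both follow the CSP directive.
    """
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def frameable_by_third_party(headers: Dict[str, str]) -> bool:
    """Return True if a page served with these headers could be loaded in an arbitrary site's iframe.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    # 1. A frame-ancestors directive takes precedence over X-Frame-Options.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            # An empty list means 'none'; 'self' or explicit origins restrict framing.
            # Only a wildcard or a bare scheme lets any origin embed the page.
            return bool(sources & {"*", "http:", "https:"})

    # 2. Otherwise fall back to X-Frame-Options; anything but DENY/SAMEORIGIN is permissive.
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    # Constructed examples: no headers (frameable), hardened set (not frameable), wildcard CSP (frameable)
    for label, hdrs in (
        ("no headers", {}),
        ("hardened", anti_framing_headers()),
        ("wildcard csp", {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"}),
    ):
        print(f"{label}: frameable={frameable_by_third_party(hdrs)}")
```

Adding `anti_framing_headers()` to every HTML response of a site that has no legitimate reason to be embedded removes the clickjacking surface for all visitors, regardless of browser or add-ons; the checker is handy for verifying what an existing site actually sends.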
Microsoft just released a critical update for a “privately reported” vulnerability in the server service:
This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Exploits are already being detected, according to the Microsoft Malware Protection Center:
Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.
I’m going to update the servers right now. Everyone should do the same.
This is an interesting and sensible approach to security. I would call these the “Logics of Cyber Security” because they’re so basic they could well be the principles upon which all cyber security can be based. The paper’s authors call them “first principles,” defining one as “…a basic foundational proposition or assumption that cannot be deduced from any other proposition or assumption”–in other words, logics. (You can read the original article, “A Thematic Approach to Cyber Security Using First Principles” and the link to its latest revision at https://wiki.cac.washington.edu/pages/viewpage.action?pageId=7481170&navigatingVersions=true. Note: The article hasn’t been updated since February, 2008.)
Here’s a simple overview of these principles.
DENY — default deny is an absolute must when making shared resources available via servers, network storage, and the Internet. You block everything until you are able to determine whether the entity attempting access is authorized. Another method of denial is encryption. This could be used to provide more granular application by, for instance, denying access to certain resources if the otherwise authorized user has no security clearance for the resource.
DISCRIMINATE — there are several ways one can discriminate between authorized and unauthorized access attempts, the simplest being a password; smart cards, biometrics, and security tokens are other examples, all of which should result in the access attempt being classified as either authorized or unauthorized.
DETECT — some means to detect unauthorized access attempts must be in place. In a Windows environment, one could activate auditing at both the account level and the resource level. Intrusion detection systems, both network- and host-based, are designed for this purpose.
DESTROY — when unauthorized access attempts are detected, rules must be activated that effectively disrupt the attempt before the resources are compromised. This could be accomplished by dropping the connection, blacklisting the IP, etc.
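To make the four principles concrete, here is an added example of mine (not code from the paper or the post): a toy access gate for a resource server that applies them in order. Unknown users and unlisted resources are refused (DENY), a salted PBKDF2 password check decides authorized from unauthorized (DISCRIMINATE), every decision is written to an audit list (DETECT), and a source that fails too often is blacklisted so its later attempts are dropped before any check runs (DESTROY). The users, resources, addresses and the failure threshold are constructed for the demonstration.

```python
"""Toy DENY / DISCRIMINATE / DETECT / DESTROY access gate.

Added example; users, resources, addresses and thresholds are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

SALT_BYTES = 16
PBKDF2_ROUNDS = 50_000
MAX_FAILURES = 3        # DESTROY: blacklist a source after this many failed attempts


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccessGate:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self.acl: Dict[str, Set[str]] = {}                # resource -> users allowed (default deny)
        self.failures: Dict[str, int] = {}                # source address -> consecutive failures
        self.blacklist: Set[str] = set()                  # DESTROY: sources whose attempts are dropped
        self.audit: List[str] = []                        # DETECT: one line per decision

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def grant(self, resource: str, user: str) -> None:
        self.acl.setdefault(resource, set()).add(user)

    def _log(self, source: str, user: str, resource: str, outcome: str) -> None:
        self.audit.append(f"{source} user={user!r} resource={resource!r} {outcome}")

    def _discriminate(self, user: str, password: str) -> bool:
        """Constant-time password check; unknown users still cost one hash so timing does not leak them."""
        if user not in self.users:
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def _record_failure(self, source: str, user: str, resource: str, outcome: str) -> None:
        self._log(source, user, resource, outcome)
        self.failures[source] = self.failures.get(source, 0) + 1
        if self.failures[source] >= MAX_FAILURES:
            self.blacklist.add(source)                    # DESTROY: disrupt further attempts
            self._log(source, user, resource, "BLACKLISTED")

    def request(self, source: str, user: str, password: str, resource: str) -> bool:
        """Return True only when the request passes every principle; False otherwise."""
        if source in self.blacklist:                      # DESTROY already applied
            self._log(source, user, resource, "DROPPED (blacklisted)")
            return False
        if not self._discriminate(user, password):        # DISCRIMINATE
            self._record_failure(source, user, resource, "DENIED (bad credentials)")
            return False
        if user not in self.acl.get(resource, set()):     # DENY by default
            self._record_failure(source, user, resource, "DENIED (not authorized for resource)")
            return False
        self.failures.pop(source, None)
        self._log(source, user, resource, "ALLOWED")     # DETECT records successes too
        return True


if __name__ == "__main__":
    gate = AccessGate()
    gate.add_user("alice", "s3cret-passphrase")
    gate.grant("tickets", "alice")
    gate.request("10.0.0.5", "alice", "s3cret-passphrase", "tickets")
    for _ in range(MAX_FAILURES):
        gate.request("203.0.113.9", "alice", "wrong", "tickets")
    gate.request("203.0.113.9", "alice", "s3cret-passphrase", "tickets")   # dropped: blacklisted
    print("\n".join(gate.audit))
```

Note that the blacklisted source is refused even with the correct password: once DESTROY has fired, the gate no longer spends a password hash on that source, which is the "disrupt the attempt before resources are compromised" behaviour the principle describes.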
The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Director of Security Assurance
Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.
Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.
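Users will not reliably spot the grammar, but a mail gateway can score the structural tells in a message like the one above. The following is an added example (my own heuristics, not a product's and not from the post) that parses a message with Python's standard `email` module and reports the indicators: an executable attachment, text that claims to come from Microsoft while the sender's domain is not microsoft.com, an instruction to run the attached file, and a generic greeting. The two sample messages are constructed; the attachment bytes are a harmless dummy string, not a real executable.

```python
"""Score an e-mail for fake-security-update indicators.

Added example; both sample messages and the indicator rules are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed lookalike of the scam above; attachment content is the dummy text "ABC" in base64.
SCAM_MAIL = """From: Director of Security Assurance <security@updates-example.invalid>
To: user@example.com
Subject: Security Update for OS Microsoft Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update.
1. Run the file, that you have received along with this message.
--XYZ
Content-Type: application/octet-stream; name="KB_update.exe"
Content-Disposition: attachment; filename="KB_update.exe"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

# Constructed ordinary message for comparison.
BENIGN_MAIL = """From: Pat Colleague <pat@example.com>
To: user@example.com
Subject: Agenda for Thursday
Content-Type: text/plain

Hi, the agenda is in the shared folder. See you at 3.
"""


def _sender_domain(msg) -> str:
    address = parseaddr(msg.get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def scam_indicators(raw: str) -> List[str]:
    """Return the list of indicators found in the raw RFC 822 message text."""
    msg = message_from_string(raw)
    attachments: List[str] = []
    body_parts: List[str] = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode("utf-8", errors="replace"))
    body = " ".join(body_parts).lower()
    domain = _sender_domain(msg)

    hits: List[str] = []
    if any(name.endswith(EXECUTABLE_EXTS) for name in attachments):
        hits.append("executable attachment")
    if "microsoft" in body and not (domain == "microsoft.com" or domain.endswith(".microsoft.com")):
        hits.append("claims to be Microsoft but sender domain is not microsoft.com")
    if "run the file" in body or "run the attached" in body:
        hits.append("instructs recipient to run the attachment")
    if "dear customer" in body or "dear microsoft customer" in body:
        hits.append("generic greeting")
    return hits


if __name__ == "__main__":
    print("scam:  ", scam_indicators(SCAM_MAIL))
    print("benign:", scam_indicators(BENIGN_MAIL))
```

Any message that trips the first or third indicator is worth quarantining outright; the other two are supporting evidence. The executable-attachment rule alone would have caught the Haxdoor message, which is why blocking executable attachments at the gateway is the cheapest control here.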
There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).
Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.