Mar 10 2009 9:28PM GMT
Posted by: Ken Harthun
Security,
Security management,
Wireless security,
Intrusion prevention
Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you; it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.
The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:
- Physical access to servers, backup, and network equipment is restricted and controlled.
- Backup power sufficient to allow for graceful shutdown of servers is in place.
- The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
- If wireless access is in use, security is applied, preferably WPA or WPA2 with AES encryption.
- File servers are protected by appropriate anti-malware applications.
- Mail servers are protected by anti-spam software or this is implemented at the gateway.
- Password policy requires strong passwords, frequent changes, and is enforced.
- Desktops use screen savers and they are password protected.
- Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
- Desktops have appropriate anti-malware applications installed.
- Company policy regarding appropriate use of the Internet is in place and enforced.
- Data is backed up and media is stored securely off-site.
- Encryption is implemented and in use for the storage of sensitive information.
- Procedure is in place for denying access to personnel upon termination of employment.
What do you think? Too much? Something left out?
Discussion welcome.
Nov 14 2008 3:00AM GMT
Posted by: Ken Harthun
Security management,
Wireless,
Security,
WPA,
Wireless security,
Secure Computing
In my How to Secure Your Computer series of articles, I issued Maxim #13, “WiFi Security–The Only Way is WPA”. However, TKIP, which is one of the protocols used under the WPA certification standard, is now vulnerable to attack, so I feel it prudent to modify my stance a bit and shed a little light on the subject. Certain media reports would have you believe that WPA has been cracked; this isn’t the case. (See “WPA Not Cracked, But Still Vulnerable.”) Steve Gibson’s latest episode (#170) of Security Now! explains in great detail the TKIP hack and why it’s not much to worry about, at least not yet.
Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rijndael) encryption.
Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.
While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following:
1. Switch your current WPA configuration to AES-CCMP if it’s supported;
2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;
3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.
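As an added example that is not part of the original post, the Python below decodes the security elements a router advertises in its beacons (the WPA2 RSN element and the older WPA1 vendor element) and flags any TKIP usage, so you can confirm what a router is really offering rather than trusting its admin page. The three sample elements are constructed for illustration; a real check would feed it the element bytes from a packet capture.

```python
# Added example (not from the original post): decode the RSN (WPA2) and WPA1
# elements of a beacon to see which ciphers a network offers. Sample bytes
# below are constructed for illustration, not captured traffic.

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "AES-CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11i suite selector OUI
WPA_OUI = bytes.fromhex("0050f2")   # WPA1 (vendor) suite selector OUI

def _suite(sel, oui, table):
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if sel[:3] != oui:
        return "vendor-specific"
    return table.get(sel[3], "unknown(%d)" % sel[3])

def parse_cipher_suites(ie, oui):
    """Parse the version/group/pairwise/AKM fields shared by RSN and WPA1.
    `ie` must start at the 2-byte version field."""
    version = int.from_bytes(ie[0:2], "little")
    group = _suite(ie[2:6], oui, CIPHERS)
    n = int.from_bytes(ie[6:8], "little")
    pos = 8
    pairwise = [_suite(ie[pos + 4*i:pos + 4*i + 4], oui, CIPHERS) for i in range(n)]
    pos += 4 * n
    n_akm = int.from_bytes(ie[pos:pos + 2], "little")
    pos += 2
    akm = [_suite(ie[pos + 4*i:pos + 4*i + 4], oui, AKMS) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def parse_security_ie(element):
    """Decode a raw element (id, length, body); flag TKIP as weak."""
    eid, length = element[0], element[1]
    body = element[2:2 + length]
    if eid == 48:                                       # RSN element (WPA2)
        info = parse_cipher_suites(body, RSN_OUI)
        info["proto"] = "WPA2/RSN"
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # WPA1 vendor element
        info = parse_cipher_suites(body[4:], WPA_OUI)
        info["proto"] = "WPA"
    else:
        raise ValueError("not an RSN or WPA element")
    # Beck/Tews targets TKIP, so TKIP anywhere (even mixed TKIP/CCMP) is exposed.
    info["weak"] = "TKIP" in info["pairwise"] or info["group"] == "TKIP"
    return info

# Constructed samples: WPA2-PSK with CCMP only, WPA2 mixed mode, WPA1-PSK TKIP.
RSN_CCMP_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
RSN_MIXED = bytes.fromhex("3018" "0100" "000fac02" "0200" "000fac04" "000fac02" "0100" "000fac02" "0000")
WPA1_TKIP = bytes.fromhex("dd16" "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")
```

Mixed TKIP/CCMP mode is flagged as weak on purpose: as long as TKIP is offered as the group cipher, broadcast traffic still uses it.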