Logic’s Last Stand

May 23, 2010

Idle Threats – Wireless Security Misconceptions

Filed under: Computers — Zurahn @ 7:46 pm

There has been a lot of confusion for a long time on the relative effectiveness of wireless security, even among the otherwise tech-savvy crowd. Last week, the other developers at work got on a conversation relating to wireless, and the typical dismissal of WPA and WPA2 was thrown into the mix as well. Simply put, this is wrong.

This attitude likely stems from the genuinely broken Wired Equivalent Privacy (WEP) standard. WEP uses the RC4 cipher, which over time has had an increasing number of weaknesses found, but that’s not really the primary problem with WEP. RC4 is a stream cipher, so it requires an initialization vector (IV) in order to produce a proper pseudo-random keystream. WEP’s IV is too short and not sufficiently random, and this is the source of the most successful attacks. WEP can be cracked in a matter of a couple of minutes on an active wireless connection.

Wi-Fi Protected Access (WPA) is a protocol created to address the critical weakness in WEP. WPA required the use of the TKIP protocol for encryption, while WPA2 refers to WPA with the use of CCMP with AES for encryption. There have been proof-of-concept attacks against certain configurations of WPA with TKIP, due to issues somewhat similar to WEP’s but to a much lesser extent. The short conclusion is that with key renewal times that are too long, a TKIP connection could potentially be broken in about 12 minutes. Set a key renewal time of less than 12 minutes, and there is no issue.

Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and remains, with a sufficiently strong password, perfectly safe.
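To put a number on the “IV is too short” point, here is an added example (not code from the original post). It assumes the known protocol facts that WEP’s per-frame IV is 24 bits while TKIP’s sequence counter and CCMP’s packet number are 48 bits, and computes how quickly IV reuse (two frames encrypted under the same keystream) becomes likely in each case.

```python
"""Birthday-bound arithmetic for stream-cipher IV reuse (added example)."""
import math


def iv_reuse_probability(iv_bits, frames):
    """Probability that some IV value repeats among `frames` IVs drawn
    uniformly at random from a 2^iv_bits space (the birthday problem).

    Exact product P(no repeat) = prod_{i<frames} (1 - i/2^iv_bits),
    accumulated in log space so tiny probabilities survive rounding."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0  # pigeonhole: more frames than IV values forces a repeat
    log_no_repeat = sum(math.log1p(-i / space) for i in range(frames))
    return -math.expm1(log_no_repeat)  # 1 - P(no repeat)


def frames_for_reuse_probability(iv_bits, p):
    """Frame count at which random IV reuse reaches probability p, from the
    standard approximation n ~= sqrt(2 * 2^iv_bits * ln(1/(1-p)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def frames_until_wrap(iv_bits):
    """If IVs are issued sequentially rather than randomly, reuse is certain
    once the counter wraps, i.e. after 2^iv_bits frames."""
    return 2 ** iv_bits


if __name__ == "__main__":
    # 24 bits = WEP IV; 48 bits = TKIP TSC / CCMP PN (assumed protocol facts)
    for label, bits in (("WEP IV", 24), ("TKIP TSC / CCMP PN", 48)):
        n50 = frames_for_reuse_probability(bits, 0.5)
        print(f"{label:20s} {bits}-bit: 50% chance of a repeat after about "
              f"{n50:,} random frames; sequential wrap after {frames_until_wrap(bits):,}")
    print(f"P(repeat) after 4823 random 24-bit IVs: {iv_reuse_probability(24, 4823):.3f}")
```

On a busy network a few thousand frames pass in seconds, which is why the IV size, not RC4 itself, is what makes WEP fall so fast.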

There is also some confusion as to the nature of Personal versus Enterprise, as if having the distinction means one of them is insufficient. Enterprise exists for use with an authentication server (RADIUS), so that per-user credentials such as certificates can be distributed. It’s irrelevant to the home or small business user, and it’s not a concern for safety.

Perhaps it’s a bit naive, but I do believe we can, with dedication and sacrifice, keep our mouths shut unless we know what we’re talking about. Someday, someday…

April 9, 2010

E-mail Security – Still an Issue

Filed under: Computers — Zurahn @ 11:29 pm

While scam e-mails are often fairly easy to spot, it’s not a given that a ruse is going to be executed in text-only, poorly written English by a supposed Nigerian prince. Malware is big business these days, and e-mail scams are getting more professional. Take this example as detailed by Panda Labs. From start to finish it’s a perfect impersonation of an IRS e-mail, insofar as one can be when it requests details that the IRS would not request over e-mail.

The main focus I’d like to address is that while on the Internet you can look at a web address, and if it’s over TLS/SSL, you essentially have a guarantee that it’s the site you requested (if it says https://mail.google.com you know you’re at Gmail, for example), the same is not true of e-mail. It’s not uncommon for scam e-mails to just be sent from a random free e-mail account, but that’s the equivalent of the blatant Nigerian 419 scam. More professionally, an e-mail can say it’s from irs.com, whitehouse.gov, bankofamerica.com or anywhere else. E-mail headers are spoofable. You can change any of that information at will, by design. For example, take a look at how easy it is to do in PHP:

<?php
// Every value below is chosen by the sender; nothing in the protocol checks it.
$to      = 'sucker@gmail.com';
$subject = 'Your account information';
$message = "Don't be a pussy, we're legit";
// "From" and "Reply-To" are free-form header strings, not verified identities.
$headers = 'From: support@wellsfargo.com' . "\r\n" .
           'Reply-To: support@wellsfargo.com' . "\r\n";

mail($to, $subject, $message, $headers);

As simply as that, you can send out an e-mail with false information in the header. There’s no point at which the headers are verified for consistency, due to the nature of the protocol. They’re a convenience, not an assurance. The reason this does not work with websites is twofold. In general, the server does not request you; you request it. Someone can’t simply spoof a server response and send it to you at any time. It is possible, though, to act as a man-in-the-middle, intercept your request to a website and respond fraudulently. This is a genuine concern at public Wi-Fi hotspots, and less so on private wired networks.
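What a receiving mail server can still check is whether the claimed From: line agrees with what it actually observed: the envelope sender it records as Return-Path and the SPF/DKIM verdicts it writes into an Authentication-Results header. The following is an added example (not code from the original post); both messages, hostnames and addresses in it are constructed, with the first one shaped like the PHP snippet’s output after delivery.

```python
"""Flag From: headers that disagree with what the receiving server saw."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the PHP snippet's output as it might arrive at a receiver.
SPOOFED_MESSAGE = """\
Return-Path: <www-data@cheap-vps.example.net>
Received: from cheap-vps.example.net (203.0.113.10) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=cheap-vps.example.net; dkim=none
From: support@wellsfargo.com
Reply-To: support@wellsfargo.com
To: sucker@gmail.com
Subject: Your account information

Don't be a pussy, we're legit
"""

# Constructed: envelope sender, SPF and DKIM all agree with the From: domain.
CLEAN_MESSAGE = """\
Return-Path: <bounces@wellsfargo.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=wellsfargo.com; dkim=pass header.d=wellsfargo.com
From: support@wellsfargo.com
To: customer@example.org
Subject: Your statement is ready

Your statement for this month is available online.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def header_consistency_findings(raw_message):
    """Return a list of mismatches between what From: claims and what the
    receiving server recorded. An empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From: domain {from_dom} differs from envelope sender {env_dom}")
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1) != "pass":
            findings.append(f"{mech} result is '{verdict.group(1)}'")
    # A passing DKIM signature only vouches for From: if the signer matches it.
    signer = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", auth)
    if signer and from_dom and signer.group(1).lower() != from_dom:
        findings.append(f"DKIM signer {signer.group(1)} does not match From: domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, header_consistency_findings(raw) or ["no findings"])
```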

The protection against this is the aforementioned TLS/SSL, which is an encrypted connection. The connection is negotiated based on IP address and a certificate verified by a root authority. For example, say Google gets a certificate from VeriSign at IP address 22.33.44.55. If a man-in-the-middle attempts to intercept the request, the TLS connection will fail and you’ll get a warning. IP addresses cannot be spoofed for a TCP/IP connection (though they can be spoofed in individual packets) due to what’s referred to as a three-way handshake. When you request a connection to a web server, you send a SYN packet containing your IP address. The server subsequently responds to that packet with a SYN-ACK packet, sent to the IP address in the SYN packet — if it is spoofed, it will go to the wrong address and you won’t receive it. This will cause the connection to fail, because in order to complete the transaction, you must respond to that specific SYN-ACK packet with a SYN-ACK-ACK packet to confirm the connection.

Why not TLS for e-mail? Well, again, web pages are received upon request, whereas e-mails are unsolicited; however, there is the option of asymmetric e-mail signing such as OpenPGP, which allows you to encrypt or sign your e-mails with a signature verifying the identity of the sender. This is not part of the e-mail specification, and its limited adoption thereby limits its usefulness.

Furthermore, it’s not just a matter of responding to e-mails that is a problem; it’s doing anything with the contents therein, including following links or downloading attachments. In great part because of Adobe’s poor security practices combined with the proliferation of their products, malicious PDF and Flash documents have become a primary vector of attack. There have been a slew of vulnerabilities in Adobe Reader (with Foxit Reader often also affected) of late that allow execution of arbitrary code, meaning that just by opening a PDF document you can be infected. This is largely, though not entirely, thanks to Adobe’s ridiculously stupid idea to include JavaScript as a part of PDF files, meaning you can have scripting in PDFs. You can, and should, disable this in your settings (or better yet, not use Adobe Reader. Ever.).

Flash is embedded in web pages, and will continue to be a larger attack target as time progresses. Following links can lead you to sites with malicious Flash files embedded, again meaning arbitrary code could potentially be executed without your knowledge or approval. The further behind the latest version you are, the more likely there is to be an issue.

The attack vector isn’t necessarily just some random person, either. As detailed in a recent Security Now episode, just because it’s from someone you know doesn’t mean you can trust it, even if the header is not spoofed. One of the most lucrative assets a blackhat can get his hands on is an e-mail address. If someone gets into the e-mail of a friend or family member, he can then use the information there to try to coerce you into sending money. Their life is contained in that e-mail account, likely years’ worth of personal information; from that, it isn’t difficult to be convincing.

Lastly, e-mails themselves can include HTML and display like web pages. In Outlook, for example, you get a preview pane such that if you just click the title of an e-mail, the contents are displayed immediately below. Convenient, but a terrible idea. Again, web pages can contain exploits. You can, and should, switch to text-only display of e-mails.

It’s almost a cliché to warn about e-mail and the dangers of attachments, but it’s more of a problem now than ever. It’s no longer just a matter of not downloading and running .exe attachments.

E-mail safety in summary:

  • Do not trust any unexpected e-mail
  • Do not trust e-mail headers
  • Switch to text-only mode in e-mail
  • Verify via other means any request for money, even if you know the person
  • Never open unexpected attachments
  • Do not open spam
  • If you open spam, do not reply

All that, or, you know, switch to Linux.

November 28, 2009

Why, Java, Why?!

Filed under: Computers — Zurahn @ 3:53 am

Looking at some of the site statistics at The VG Press, it shows 82% of users reporting Java support enabled. One must then ask, WHY? Why do you have Java enabled? Java is a cross-platform language; what it provides in the browser is Java applet support.

Here are some examples of Java applets from Sun’s website:

http://java.sun.com/applets/jdk/1.4/index.html

If you can see those, you ought to go and disable Java now. For the most part, Java has disappeared from the web. A few uses remain in some web-based games, and in speed tests as an alternative to Flash, but that’s pretty much it. There is no reason to have it enabled by default.

I frequent ChessGames.com, which uses an applet to let you view games, so I have it selectively enabled for that single site. This is what I would suggest doing with Java, if you need it at all in your web browser.

To do this in Firefox, you’ll require the NoScript extension. NoScript disables JavaScript, Java and other plug-ins and dynamic content by default, and allows you to selectively enable them.

[Screenshot: Disable Java in Firefox]

If you just need to disable Java entirely, that’s an option in your preferences (Edit->Preferences) under the Content tab.

To do this in Opera, you’ll need to go to your preferences (Tools->Preferences), then under the Advanced tab go down to Content. There is an option there to disable Java system-wide, which you’ll want to do. Then click Manage Site Preferences in order to selectively enable it.

[Screenshots: Disable Java; Set site preferences; Enable Java for that site]

To do this in Internet Explorer, I only have the option to globally disable Java, with no way to selectively enable it, as it’s not an option for Trusted Zones. To disable Java, go to Internet Options (Tools->Internet Options), then under the Advanced tab scroll down until you see “Use JRE 1.X.X for applet” and uncheck it.

[Screenshot: Disable Java]

Java has had a long history of security issues, and even that notwithstanding, the more plugins you have running, the more possibility there is for something to go wrong, and the more that has to be loaded. In the majority of cases, I’d suspect Java goes completely unused, so letting any old site make it available is wasteful and potentially harmful.

February 15, 2009

Enemies of Information

Filed under: Computers, Philosophy, Politics — Zurahn @ 8:53 pm

The Internet has very quickly gone from a niche hobby to a revolutionary worldwide connection of information and ideas.  We all started at different points when it comes to our exposure to it, leaving mixed feelings on its place and purpose.  At the heart of the direction of the Internet on every level, there are two diametric philosophies: politicization leading to corporatizing, proprietizing and homogenizing, versus the free software movement pushing toward transparency, collaboration, expression and freedom.

This plays out both on the software side, where GNU and Linux have been growing steadily in quality and market share on the OS side, and free and open-source projects such as Audacity, GIMP, Firefox and many others thrive on Windows itself, and within the realm of legislation, in the debate over net neutrality and the importance of the freedom and anonymity of web users and web content.

So, this story is par for the course, but no less misinformed, misleading and downright wrong than any other on the side of enforcing the unenforceable on the Internet.

The first thing to note about the article is that the purported security risks relate not to the structure of the Internet, but to the passing of information itself. It’s not that the Internet is insecure; it’s that Windows is insecure. How many of those 12 million computers were running Linux? There will never be a perfectly secure OS, but the point is that the vulnerabilities were in software, not distribution. Hilariously, the article says Conficker succeeded by “easily sidestepping the world’s best cyberdefenses.”

For one, the answer to my earlier question on Linux is zero, because Conficker is Windows-only. Second, Conficker is a worm, which means it spreads by scanning ports and then exploiting a service, in this case on port 445 — a known malware hotspot that should, unless absolutely necessary, be blocked for all incoming traffic. A single obvious firewall setting stops it easily, and merely passing your connection through a router at default settings will likely do the trick on its own. World’s best? It’s not impossible to run a secure Windows machine, just as it’s not impossible to infect a Mac.

The second important point is that their solution never once mentions security in terms of technology or programming. Security by law enforcement is just absurd. Perhaps it is a result of American self-absorption, but it always seems to be forgotten that the Internet is worldwide. Good luck with that driver’s license methodology in stopping scams from Nigeria.

There are inherent security problems with the architecture of the Internet due to its initial roots; the article actually has that correct, but it is way off base in terms of what those weaknesses are. The problems are in the public protocols, which have been forced to be updated, the most obvious example being HTTP, which was designed as plaintext, but due to security issues SSL encryption was built on top. Similarly, DNS has never exactly been the most tamper-resistant, hence the push for DNSSEC, a replacement with security in mind.

What’s holding DNSSEC up?  Most ISPs can’t handle the increased overhead.  Redesigning the Internet would do nothing to improve the stubborn western ISPs who have neglected investing in infrastructure and instead opted for milking the consumer as much as possible.

And ultimately, no matter how you structure the Internet, you have to accept the fact that you can’t ignore the problem of the Dancing Pigs — most users are going to do what they want, security be damned. This is inherently and necessarily an Operating System problem if anywhere. The truth is, the underlying problem with security is not in protocol — the security in that is only supplementary, at least in terms of something along the lines of a worm or virus infection — but rather PEBKAC, and no matter what you do, that will forever and always be the case.

I can improve the security of how the user interfaces to the Internet by an order of magnitude by changing your login: don’t run as a super-user (Administrator), and that will severely cripple the vast majority of existing issues. Sandbox to eliminate nearly everything else. Add on continual improvement toward phishing and malware reporting in browsers themselves, and we can do this.

Meanwhile the underlying philosophical concepts are just as harmful, with the article stating, “users would give up their anonymity and certain freedoms in return for safety.”  Who is it here that has not witnessed the incredible depletion of American freedoms under the guise of security and the devastating consequences?  Never more evident has it been the accuracy of Benjamin Franklin’s statement, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

The Internet is by necessity neutral and anonymous.  A cumulative database of all the knowledge of all of mankind available to every individual connected is already one of the most important progressions in history and can only become more essential with time.  Legislation and propaganda by those who know the least what they’re trying to undermine are not only ignorant, but treasonous; not to a nation, but to mankind.

November 22, 2008

Safe Web Browsing with Sandboxie

Filed under: Computers — Zurahn @ 6:05 pm

The web browser is your interface with the Internet, and consequently with all the bad code that is transmitted with it. Your security is primarily compromised through the browser, as on most Windows machines you’re running programs as a root/Administrator user with far too much access.

One method of protecting yourself is to run a Virtual Machine, an emulated operating system, but that’s a bit overkill: you need to give it all the resources to run the operating system itself when all you want to run is one program.

At the same time, while I still recommend using anything but Internet Explorer as an improvement in security, it’s not as if Firefox, Opera and others are perfect. Ideally the programs you use that are connected to the web can only affect that connection to the web and itself, and nothing on your own system, such as files/folders, the registry or anything else that could potentially do harm, regardless of any exploit found in the browser itself.

This ideal is fully realised in the program Sandboxie.

I wrote a program in college for a report on web security that allowed me to replace Internet Explorer with Notepad via ActiveX code embedded in a web-page. Sandboxie completely thwarts this kind of exploit.

You can set specific directories as accessible for a browser, such that you can still download files to your computer yet not expose anything at all important.

Sandboxie also adds the ability to right-click any program and have it run in Sandboxie quickly and easily. Additionally, for heavily used programs such as a web-browser, you can set program shortcuts to run directly in Sandboxie by right-clicking the shortcut, then adding the Sandboxie shortcut before your program shortcut in the shortcut text field, so that it looks something like this:

"C:\Program Files\Sandboxie\Start.exe" "C:\Program Files\Internet Explorer\iexplore.exe"

This, finally, makes Internet Explorer secure.

If you’re thinking, “What about Trojans?” well, good question, for one. When installing programs, you can give the .exe access only to the installation directory and nothing else, allowing an installation while sandboxed and protected. Consequently, it can also be used as a method of avoiding registry bloat.

The only downside here is that the program is essentially a 30-day trial before it starts begging for money. But given the amount of time spent with malware issues, the amount of resources wasted on antivirus, 20 Euros is a pretty good investment for near web invulnerability.

October 5, 2008

Passwords Must Be Not Stupid

Filed under: Computers — Zurahn @ 2:40 am

When you create a password, it’s often recommended to use a variety of characters, mixing numbers, special characters, upper and lower case, etc., because all these things create a higher level of diversity and thereby increase the number of combinations required to brute-force your password.

Not only is it often suggested, though, it’s often demanded. Guess what, as soon as you make those things mandatory, you’ve just made everyone’s passwords weaker.

When you add parameters for what a password must be, such as limiting the length to a specific number, requiring a certain special character or characters and requiring upper and lower case, those are all guaranteed to be in the password now, significantly limiting the combinations required, which undermines the entire point of enforcing them in the first place.

Every requisite is essentially a hint. Take a look at this Government of Canada registration form:
[Screenshot: Registration form]

Just from this, you know that for any given password you know the approximate length, the variety and even the set of available special characters from which to select.

As an example of the issue, let’s use a 4-digit PIN. Let’s say our PIN is 1862.

There are 10,000 combinations, meaning there’s a 1/10,000 chance of randomly guessing the number.

Let’s add a restriction now: each digit must be different, so predictable options such as 9999 are weeded out. Well then, we now have only 5,040 combinations.

Hey, we don’t want PINs like 1234, so let’s not allow 3 consecutive numbers either. Well, we’re down to 4,410 combinations.

We also want to make the numbers varied, so let’s require at least one digit to be between 0 and 2 and another to be between 7 and 9. That brings us down to under 1,000 combinations.

All in all, our limitations have weakened the PIN 1862, which fits all requirements, by more than 10-fold. At the cost of eliminating weaker passwords, we’ve weakened all passwords.
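The same shrinking search space can be measured directly by writing each rule as a predicate and counting what survives out of all 10,000 PINs. This is an added example, not code from the original post; reading “3 consecutive numbers” as a run of three adjacent digits stepping by one (up or down) is an assumption, so the counts printed for the later rules depend on that reading.

```python
"""Count how a PIN policy shrinks the attacker's search space (added example)."""
import math
from itertools import product

ALL_PINS = ["".join(p) for p in product("0123456789", repeat=4)]


def all_digits_distinct(pin):
    """Rule 1 from the post: no repeated digits (kills 9999 and friends)."""
    return len(set(pin)) == len(pin)


def no_three_consecutive(pin):
    """Rule 2 (assumed reading): no run of three adjacent digits that step
    by +1 or -1, e.g. 1234 or 9876."""
    d = [int(c) for c in pin]
    for i in range(len(d) - 2):
        step = d[i + 1] - d[i]
        if step in (1, -1) and d[i + 2] - d[i + 1] == step:
            return False
    return True


def has_low_and_high(pin):
    """Rule 3 from the post: at least one digit in 0-2 and one in 7-9."""
    return any(c in "012" for c in pin) and any(c in "789" for c in pin)


def surviving_pins(rules):
    """PINs that satisfy every rule, i.e. the list an attacker must search."""
    return [p for p in ALL_PINS if all(rule(p) for rule in rules)]


def search_space_report(rules):
    """Apply the rules cumulatively; return (rule name, count, bits) per step."""
    rows, active = [], []
    for rule in rules:
        active.append(rule)
        n = len(surviving_pins(active))
        rows.append((rule.__name__, n, math.log2(n)))
    return rows


if __name__ == "__main__":
    policy = [all_digits_distinct, no_three_consecutive, has_low_and_high]
    print(f"no policy: {len(ALL_PINS)} PINs, {math.log2(len(ALL_PINS)):.2f} bits")
    for name, n, bits in search_space_report(policy):
        print(f"+ {name:22s}: {n:5d} PINs, {bits:.2f} bits")
    # 1862 passes every rule, so the policy removed thousands of other
    # candidates from the attacker's list without protecting it at all.
    print("1862 still allowed:", "1862" in surviving_pins(policy))
```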

August 11, 2008

Epic Security Fail

Filed under: Computers — Zurahn @ 5:32 am

One of the websites I tried to use for a free PHP host was IsMyWebsite. Well, I’m glad I did, because I got to be witness to one of the most ridiculous security failings ever.

I previously had to complain about their passwords being passed from page to page through GET headers; now they’ve outdone themselves. This morning I and every other IsMyWebsite user was sent a forgotten-password e-mail suggesting we choose just one of the accounts registered under our e-mail…which included every username and password for the site.

And in case you’re wondering, the change password form doesn’t work.
