Here's a quick link to a story about anti-WiFi paint. It seems there are some legitimate criticisms, and it may not be all that new in some circles, but it certainly gets one thinking about interesting possibilities.

Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He expected it to track her activities on her home computer, but instead ended up getting an ongoing screenshot feed from a computer in a hospital pediatric cardiac surgery department, where she works. He sent the file to her Yahoo! Mail account. She opened it and unknowingly installed the software on a work computer.
Needless to say, instead of getting juicy details on her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.
There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:
- How did he convince her to run the installer and infect the PC? Obviously, he had an advantage over a random malware spreader since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).
- Does the hospital have a webmail policy? Do they have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.
- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.
- What else could the hospital have done to prevent the leak of ePHI in accordance with HIPAA regulations? Of course SIM comes to my mind, but SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.
- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. They were shown the weakness of their defenses without having to pay for an audit and without the need to pay ransom or experience worse consequences. They should view this incident as a gift and use it to improve their security stance.
- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.
There has been a lot of discussion about the internal struggle within the Indian intelligence community over deploying Huawei's telecom products throughout India's core infrastructure, and about the views of India's DOT and the government-owned BSNL on the matter.
According to the Economic Times and Gulf Base.com, "The Indian communication ministry has warned state-owned telco BSNL that telecom networks supplied by Chinese equipment major Huawei must be tested for trapdoors, blackboxes, malwares, and also, if it is susceptible to remote hacking before they can be allowed to be operational." "In fact, Huawei was also the sole company that was shortlisted for BSNL's 25 million lines in Western India, but the PSU now plans to award this contract, worth $1.5 billion, to French-Indian combine Alcatel-ITI. BSNL has identified this as an alternate solution as the telco cannot award this contract to Chinese equipment major Huawei on security grounds as the West zone shares sensitive boundaries with Pakistan." India is very competitive in the design of telecom components, but China remains the leader in bulk manufacturing of telecom equipment. While Huawei is fast becoming one of the world's largest telecom providers to China, India, Africa, and Europe, the concern remains that the company is linked to Chinese cyber war initiatives funded by the Chinese military. ZTE, China's second largest telecom provider and the world's 6th largest cell phone provider, is trying to grow its market in the EU. ZTE is now ready to provide China with its approved 3G network. This year China is also coming up with its own 586 billion dollar stimulus package to help its economy. While Huawei is accused of being linked to cyber warfare or cyber intelligence gathering, ZTE has had its share of accusations too. In 2007, ZTE was accused of being involved in or linked to the hacking of some German government files, and there was trouble with a deal with the Philippine government. It is an interesting contrast: are these two of the world's fastest growing telecom providers, rolling out ADSL, WiMAX and LTE networks and 4G phones, or are they an embedded portal for Chinese military cyber intelligence gathering?
I believe at one time Microsoft was accused of providing cryptology plugins for the NSA, or of having the NSA involved with the development of Vista, and maybe ZTE, Huawei, or anyone else has no choice in the matter when it comes to its government's national security concerns. Perhaps it is a 'Cyber Arms Race': having back doors into some of the world's largest networks is probably too tempting for any intelligence or security agency. These are some of the risks that nations have to be concerned about, in their own interests of national security and sovereignty, when purchasing software or networking infrastructure. Who is your business partner and what risks are you willing to take? The reality is that, just like our economies, all the networks and software are interconnected.
milw0rm posts Profinet POC:
milw0rm posts Profinet DCP Wireshark vulnerability
or
PCAPR.NET pcap entries - "Convert any packet into a DoS generator"
What is Profinet: PROFINET is the open industrial Ethernet standard of PROFIBUS & PROFINET International (PI) for automation. PROFINET uses TCP/IP and IT standards, and is, in effect, real-time Ethernet.
Other Links:
SIEMENS Industrial Ethernet
PI International
Is it too early to declare that nothing has come of the hype around the wildly successful conficker worm's purported April 1st surprise? So far, press reports like this one seem to indicate a lack of any April Fool's Day fireworks.
Experts are quick to point out, however, that whatever the owner of this enormous botnet has planned doesn't necessarily need to be executed today. While that is true enough, I wonder whose side time is on.
Despite their popularity and longevity as a genre of malware, individual botnets tend to have an expiration date. This is natural. The lifecycle curve generally starts with a big push of initial infections (if the writers are lucky), AV updates and platform patches, and then a gradual slope downward as the worm becomes trivial to block or remove. Malware variants are, of course, a problem but can vary in the success of their continued evasion.
So far conficker has done a great job in its initial phases, but its success may precipitate its downfall. The amount of publicity and awareness combined with the widespread availability of removal tools and information are going to gradually reduce the size and value of this particular botnet, perhaps more rapidly than most.
In that case, doesn't it make sense for the botnet owners to strike while the iron is hot? A day or a week won't make too much difference, but I think if we don't see the horsemen of the Internet apocalypse in a week or 2, we can probably get a good night's sleep - the end is not nigh. Of course, this worm and others like it are still a huge issue and need to be continually addressed, but there's something about this whole 4/1/9 conficker scare that smacks of y2k fever.
In what appears to be an interesting security first, a DNS blacklist organization has discovered a botnet that resides on about 100,000 Linux-based routers and DSL modems.
The ultimate problem, it seems, comes down to unpatched router firmware and default passwords. Botnets and most malware take advantage of users who fail to keep things up to date. The twist here, however, is that this code isn't targeting users who forgot to turn on Windows Update, but rather users who are not keeping their router firmware updated and those who don't change the default passwords on these devices.
I guess we shouldn't be surprised. Most users don't take basic security measures on their PCs. Why should we expect them to give a second thought to their routers? Still, the potential for malicious botnet activity from unsecured routers is probably quite substantial. Expect to see a lot more of it in the future.
Most folks in the security business realize that peer-to-peer (P2P) file sharing exposes organizations to certain risks. Because P2P applications are often used to share pirated media such as music and movies, it is all too easy to underestimate the nature of those risks. The impact of P2P file sharing can easily extend beyond resource consumption, viruses, and threat of litigation from the entertainment industry.
Two examples of serious information breaches through P2P file sharing have recently been publicized. In the first case, blueprints of the presidential helicopter Marine One were accessible through P2P file sharing on the computer of a defense contractor. Other sources indicate that this data had been shared as far as Iran and other hostile nations. This is particularly surprising not only due to the highly sensitive nature of the information but also due to the fact that defense contractors are typically required to adhere to stringent security policies.
The second case involves a Dartmouth College finding that turned up a treasure trove of health related information from many sources over a handful of popular P2P sharing networks. This information included highly sensitive patient records, pre-signed prescription forms, social security numbers, and patient billing information. The impact to HIPAA compliance is obvious, but real world exploitation of this data is potentially even more serious.
It goes without saying that sensitive information must be secured. We often focus on outsider threats, but peer-to-peer file sharing can be a trojan horse that can originate with a non-malicious insider. The implications of this vulnerability can be much greater than might seem obvious.
WiMAX - LTE and Cloud Computing
This month ABI Research reported that new combo chips will be released covering both WiMAX and LTE communications; many service providers will be offering both technologies depending on geographic location.
What is WiMAX? An industry standard, also known as 802.16, intended for broadband wireless metropolitan area networks. Wireless MANs offer an alternative to DSL, cable modems and fiber optic links in the effort to connect homes and businesses to core telecommunication networks. The Wireless MAN MAC offers full quality of service (QoS). http://wirelessman.org/docs/02/C80216-02_05.pdf
3GPP LTE - A new radio interface that can use wide radio channels and delivers extremely high throughput rates. 3GPP Release 8 offers the ability to integrate with non-3GPP networks and optimization for all-IP service providers. http://www.3gamericas.org/PDFs/EDGE_HSPA_and_LTE_Broadband_Innovation_Rysavy_Sept_2008.pdf
While both technologies continue to evolve (or will likely merge by 2013), we could see sustained wireless broadband transfer rates well above 100 Mbps.
Padmasree Warrior, CTO of Cisco Systems, envisions a content-rich MEDIANET with the ability for full content collaboration. "It's not the device or the network, it is the experience." Users will not be discouraged by download speeds or degraded graphics. Users will now be able to have My Channel, a personal broadcast channel offering rich multimedia content to family, friends, co-workers and business peers, as well as to those in your immediate surroundings. Padmasree Warrior cites that core infrastructure networks will be able to support 10 trillion bits/sec, with no difference between wireless and wired networks for the end user experience and no public and private IPs -- just the Network. (Mobilize '08)
With the increase in wireless speeds and the availability of Wireless MAN MACs, the use of and need for multimedia resources in cloud computing offerings would accelerate; virtual computing resources, storage and applications available worldwide would enhance the global experience of collaboration and increase the need for language translation of world content data.
The growth of wireless devices continues to explode. Padmasree Warrior states that in comparison to the world population growth where there are 4 new babies born every second, the mobile computing world shows 30 new mobile devices are purchased every second. At least for the immediate future, Ms. Warrior sees this to be a sustained growth rate of wireless technology throughout the world, as the rest of the world catches up to the explosion of the availability of information and the ability of end users to participate not only in a one way viewing of content but the ability to publish and manage content.
There have been warnings about development and local computing resources moving away from the end user into the cloud where end users have less control over local computing resources and the security and privacy of their information is a concern. The Pew Internet Study says that a majority of internet users are already using cloud resources of some form (internet mail and storage), and that most users use these applications for the freedom of being available worldwide, the ease of application use, and the ease of sharing information. However 68% of the users said they would be very concerned if their information was analyzed and used to market their online behavior.
There have been other responses concerning local user application and information security. The majority of users find it increasingly difficult to protect their information and to keep up with the security updates for their Network Operating System and Applications.
The Washington Post published an article this month about Judges urging for a standardization on cell phone tracking policies. Depending on the district you are currently located in with your cell phone or GPS enabled device, there are different policies for tracking your activities.
The International Association of Privacy Professionals and Federal Computer Week have both published articles concerning a paper published by the Constitution Project, calling for the Electronic Communications Act to be updated to include safeguards for cloud computing. The publication, "Liberty and Security: Recommendations for the Next Administration and Congress", states that private information is on a weaker footing when maintained by service providers than when it resides on the local computer. The number of conflicting judicial decisions on this point has created uncertainty for service providers and law enforcement.
One thing is for certain: as our networks continue to expand beyond a polar or bipolar world, and as information becomes more easily accessible and published, the custodians of the data and the service providers of applications will continue to be the focus of attacks. Worldwide, end users will continue to be phished to gain access to zettabytes of data, access privileges, collaboration neighbors and the ability to weave in and out through the various provider networks and customer data.
In closing, I just wanted to add a reference to a James Bond movie, "Tomorrow Never Dies", in which the global management of information and real-time event reporting in a high-transaction world ends up managed by a single global provider.
NFL and College Football are in full swing this season. Coaching staffs spend an enormous amount of time building teams and implementing their defensive strategies that have the ability to react on each offensive confrontation. The offense continues to learn the defensive reactions to threats, and the defense continues to show different defensive strategies and alignments. The offense is constantly sending the defense false routes hoping the defense will spend as many resources as possible on a false attack. As the offense continues to progress toward the goal, the defense continues to strengthen their stance. Some of the fieriest battles are fought down in the Red Zone before the goal.
Information defenses should not only have strong perimeters; as the offense gets closer to the goal line, the defenses should get stronger and stronger, showing a variety of defensive strategies. The defense should be interwoven into the business processes and strategies. Many information defenses rely on strong perimeters but have softer controls near the goal, where an attack could have the largest impact. It is key for the defense to work with business and data owners to know where the Red Zone defenses need to make a goal line stand to prevent the business goals from being impacted. The defense needs to provide a variety of different looks, and offer attackers false weaknesses to trigger alerts and trap the intruder into making a mistake. The defense needs to be layered: not one line of scrimmage but layered lines of scrimmage, each configured differently using different players or defensive configurations. Information defenses have to detect not only outsider threats but insider threats, from the outside in and from the inside out.
The problem is that the information scrimmage is not played on one field; it is played concurrently on a number of fields throughout the world, in a distributed environment, 24 hours a day, with a super highway running between the playing fields. The perimeter could be distributed across Beijing, Berlin, Delhi, or New York, with data flowing back and forth through multiple service providers. The perimeter is now PDAs on broadband networks, where requests are sent to message services and relayed from worldwide information stores. Information security managers need to integrate the defensive strategy with the business goals and processes. Information defensive strategies in business are just as critical as the defensive strategies integrated into college and professional sports.
It's x's and o's, ones and zeros, check and checkmate.
In the new edition of the PCI DSS requirements, version 1.2, WEP has been removed from the accepted list of security strategies for wireless-only communication devices; only WPA and WPA2 are now accepted. Companies have until June 30, 2010 to move their wireless communication to 802.11i. This week it looks like WPA TKIP will soon join WEP on the list of prohibited wireless security strategies, although the PCI 1.2 standard already recommends strong encryption like AES. Erik Tews and Martin Beck plan on speaking at the PacSec conference on how they can crack WPA TKIP in 12 to 15 minutes. TKIP, the Temporal Key Integrity Protocol, was initially created as a stepping stone for companies with older wireless devices that needed to move off WEP easily without purchasing new hardware. The WPA Message Integrity Check (MIC), or Michael, was never strong because of hardware constraints.
Martin Beck and Erik Tews have published the paper Practical attacks against WEP and WPA.
Glenn Fleishman has also written a nice review of the WPA crack.
In the paper Practical attacks against WEP and WPA, they describe collecting traffic until they get an ARP request or response. Since Ethernet addresses are not protected by WEP or TKIP, they then use the chopchop attack to decrypt the unknown plaintext bytes of the packet.
The Message Integrity Check (MIC) prevents replay attacks because, after two MIC failures, communication is shut down, there is a 60 second penalty and then the keys are renegotiated.
They use 802.11e to send over different queues and avoid the MIC countermeasure. This is only successful if the rekey interval is long and chopchop is able to complete the decryption of the packet before rekeying. They state that TKIP is not much different from WEP, and that the same WEP attacks can be used against TKIP.
Glenn Fleishman concludes in his article that if TKIP is set to rekey on the AP at a regular short interval - not 3600 seconds, say 120 seconds - it makes the attack harder to accomplish. Choose a long network key of 20 random characters.
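As an added example (not from the original post, the paper, or Fleishman's article), here is a Python check of a hostapd-style access point configuration for the weak points discussed above: WEP, TKIP, a long group rekey interval, and a short network key. The two configuration samples are constructed for the example, and the 120-second rekey and 20-character key figures from the text are assumed as the audit thresholds.

```python
# Added example, not code from the original post: audit a hostapd-style
# AP configuration for WEP (removed under PCI DSS 1.2), TKIP, a long
# group rekey interval and a short network key. Config text below is
# constructed; the key names (wpa, wpa_pairwise, rsn_pairwise,
# wpa_group_rekey, wep_key0, ...) are hostapd's own.

RECOMMENDED_REKEY_SECONDS = 120      # assumed limit: the 120 s figure above
MIN_KEY_CHARS = 20                   # assumed limit: "20 random characters"
HOSTAPD_DEFAULT_GROUP_REKEY = 600    # hostapd default for TKIP when unset


def parse_hostapd(text):
    """Parse key=value lines, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_wireless(text):
    """Return (severity, message) findings for one AP configuration."""
    conf = parse_hostapd(text)
    findings = []
    if any(k.startswith("wep_key") or k == "wep_default_key" for k in conf):
        findings.append(("HIGH", "WEP configured: not accepted under PCI DSS 1.2, "
                                 "migrate to 802.11i (WPA2/CCMP)"))
    wpa_mode = int(conf.get("wpa", "0"))  # 0=off, 1=WPA, 2=WPA2, 3=both
    if wpa_mode == 0:
        if not findings:
            findings.append(("HIGH", "no WEP and no WPA/WPA2: open network"))
        return findings
    ciphers = set(conf.get("wpa_pairwise", "").split())
    ciphers |= set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append(("HIGH", "TKIP enabled: exposed to the Beck/Tews "
                                 "chopchop attack, use CCMP (AES) only"))
        rekey = int(conf.get("wpa_group_rekey", HOSTAPD_DEFAULT_GROUP_REKEY))
        if rekey > RECOMMENDED_REKEY_SECONDS:  # long interval widens the window
            findings.append(("MEDIUM", f"wpa_group_rekey={rekey}s with TKIP: "
                                       f"lower it to {RECOMMENDED_REKEY_SECONDS}s or less"))
    if wpa_mode & 1:
        findings.append(("MEDIUM", "WPA (version 1) still enabled: keep WPA2 only"))
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_KEY_CHARS:
        findings.append(("MEDIUM", f"wpa_passphrase is {len(passphrase)} chars: "
                                   f"use a random key of {MIN_KEY_CHARS}+ chars"))
    return findings


def is_acceptable(text):
    """True when the configuration has no HIGH finding."""
    return all(sev != "HIGH" for sev, _ in audit_wireless(text))


# Constructed sample configurations (not taken from any real site).
WEAK_CONFIG = ("wpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=changeme\n"
               "wpa_pairwise=TKIP\nwpa_group_rekey=3600\n")
HARDENED_CONFIG = ("wpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n"
                   "wpa_passphrase=constructed-sample-key-Qz7x9K4mP\nwpa_group_rekey=600\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "acceptable" if is_acceptable(cfg) else "NOT acceptable")
        print(*audit_wireless(cfg), sep="\n")
```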
I am sure that most network administrators, security analysts and auditors have updated their old wireless routers and clients and have moved to AES-CCMP. There may be those who have client devices, appliances, notebooks, or tablets that use 802.11b and, to save money, have moved to firmware upgrades that allow WPA TKIP.
This new disclosure of TKIP's weakness will hopefully make modernization of the wireless environment a must-have.