Archive for February 2006

Disable Wireless on LAN Access

One of the annoyances we have is wireless cards in our corporate laptops that keep looking for an access point named starbucks (no encryption) even while the machine is plugged into our domain network. Anyone with a powerful antenna could park outside, name their access point starbucks, and every laptop that remembers starbucks would associate with that rogue access point, giving the attacker a wireless path onto a machine that is also sitting on the corporate LAN. Personal firewalls should still protect the machine, but it just looks bad.
So we have been looking for ways to disable wireless cards while the laptop is connected to our network. We tried something along those lines a few years ago with devcon. Unfortunately a VP said we couldn't disable wireless cards on computers connected to our domain because it would inconvenience the users.
We just now ran across a setting in the Dell TrueMobile card that does exactly what we want: "Disable Upon Wired Connect". I'm finding articles dated 2002 with this information, so picking the wrong search term led to a lot of disappointment.
I'm still left with two problems. I hear the registry path to this value is dynamic, depending on how many network interfaces the machine has (the per-adapter settings live under a numbered subkey of the network adapter class key, and that index varies from machine to machine), which makes it hard to change across the fleet. The second problem is that about half of our network cards are Intel, and I don't know of a similar setting for those.
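Since the driver setting is vendor specific and its registry location moves around, here is the vendor-agnostic way to get the same "disable upon wired connect" behaviour from the operating system instead of the card. This is an added example, not something from the post or from Dell; it uses the NetAdapter cmdlets (Windows 8 / Server 2012 and later), which did not exist in 2006 and stand in for the devcon approach mentioned above. It disables every physical 802.11 adapter while any physical Ethernet adapter has link, and re-enables wireless when the wired link goes away, so the user is only inconvenienced while docked. The function names are mine; the adapter media types and status strings are the ones Get-NetAdapter reports.

```powershell
# Added example: vendor-agnostic "Disable Upon Wired Connect" in PowerShell.
# Requires the NetAdapter module (Windows 8 / Server 2012 or later) and an
# elevated session. Not part of the original post or any vendor's driver.

function Get-WiredUpAdapters {
    # Physical Ethernet adapters that currently have link
    Get-NetAdapter -Physical |
        Where-Object { $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up' }
}

function Get-WirelessAdapters {
    # Physical 802.11 adapters in any state (Up, Disconnected, Disabled)
    Get-NetAdapter -Physical |
        Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Sync-WirelessToWired {
    # Disable wireless while wired link is up; give it back when the cable is pulled.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $wired    = @(Get-WiredUpAdapters)
    $wireless = @(Get-WirelessAdapters)

    if ($wireless.Count -eq 0) {
        Write-Verbose 'No wireless adapters present; nothing to do.'
        return
    }

    if ($wired.Count -gt 0) {
        # Wired link is up: make sure no wireless NIC can associate with a
        # remembered open SSID while the machine is also on the corporate LAN.
        foreach ($nic in $wireless | Where-Object { $_.Status -ne 'Disabled' }) {
            if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable wireless adapter (wired link up)')) {
                Disable-NetAdapter -Name $nic.Name -Confirm:$false
            }
        }
    }
    else {
        # No wired link: re-enable wireless so the user can work away from the dock.
        foreach ($nic in $wireless | Where-Object { $_.Status -eq 'Disabled' }) {
            if ($PSCmdlet.ShouldProcess($nic.Name, 'Enable wireless adapter (no wired link)')) {
                Enable-NetAdapter -Name $nic.Name -Confirm:$false
            }
        }
    }
}

# Dry run first (-WhatIf), then for real:
Sync-WirelessToWired -WhatIf
Sync-WirelessToWired -Verbose
```

To make it react to docking and undocking rather than running on a timer, register it as a scheduled task running as SYSTEM that is triggered by the network connect and disconnect events in the Microsoft-Windows-NetworkProfile/Operational log (event IDs 10000 and 10001). Test the -WhatIf output on a machine with both a docking station and a wireless card before pushing it out, since a laptop whose only wired adapter is a USB dongle will flip wireless on and off every time the dongle is unplugged.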

Bluecoat

Bluecoat came out today to pitch their caching proxy with antivirus and URL filtering. The antivirus piece is a single engine. You can pick from multiple vendors for the AV engine, but there will be only one. They are doing nothing that I can see to address the problem of zero-day viruses and targeted viruses. Their comment is that multiple antivirus scan engines slow things down too much. That is not what scansafe.net's service claims. I think the Bluecoat solution would still let viruses through. It's probably better than what we have, but is the difference worth the change?

Message Labs to enter VOIP Security Market

Message Labs Asia-Pacific VP James Scollay says the likelihood of increased attacks against VoIP networks means that Message Labs will introduce services for net phone management and security later this year or next year.

“VoIP is very clearly a likely next target in information security, because it is close to the critical mass needed to make it worth a criminal’s time to target it,” Scollay says.
“We are predicting the first VoIP threats will start to emerge towards the end of this year and will become common in 2007.”
Just as the proliferation of email opened up a vast wave of spam, Scollay says, increasing use of VoIP may lead to a flood of spit (spam over IP telephony).

To Encrypt or not to encrypt

I ran across a post titled "IPSec Everywhere, Bad Idea" on another blog. It seems the author visited a company that was very proud of having implemented internal domain isolation using IPsec.
I'm not entirely sure whether the author jumped to the conclusion that this meant they were encrypting everything. Perhaps they were. However, Microsoft recommends implementing domain isolation with IPsec using ESP-NULL: ESP with an integrity algorithm and a null cipher. That authenticates the machines talking to you (typically with machine Kerberos or certificates) and protects each packet against tampering and spoofing, but it does not encrypt the traffic, so the payload is still readable to anyone on the wire and, usefully, to your IDS.
This technique is an alternative to 802.1X that may be easier to implement. Microsoft has a paper on this called Improving Security with Domain Isolation.
There are alternatives: 802.1X, personal firewalls, access lists on the router and PIX firewall blades in your core switches. This one seems relatively easy to deploy. Is it a cure-all? Of course not. There is still the problem of the infected machine that is a legitimate part of your network. Network authentication does not equal a clean machine. It just means the computer is known.
Untrusted devices should not be allowed access to the trusted servers.
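To make the ESP-NULL point concrete, here is what a domain isolation rule of that kind looks like. This is an added example and not from the post, the other blog or the Microsoft paper; it uses the netsh advfirewall connection security syntax (Windows Vista / Server 2008 and later) rather than the 2006-era IPsec policy snap-in, and the rule name is my own. It requires inbound authentication and only requests it outbound, so domain members still reach printers and appliances that cannot do IPsec, and it negotiates ESP with SHA-1 integrity and no encryption, which is exactly the "authenticated but not encrypted" configuration described above.

```powershell
# Added example: domain isolation with ESP-NULL (peer authentication and
# per-packet integrity, no confidentiality). Run in an elevated session on a
# domain member; in production you would push this with Group Policy instead.
# Syntax is netsh advfirewall consec (Vista / Server 2008 and later).

$ruleName = 'DomainIsolation-ESPNULL'   # illustrative name, not from the post

# Remove any earlier copy so the script can be re-run safely.
netsh advfirewall consec delete rule name=$ruleName | Out-Null

# action=requireinrequestout : inbound connections must be authenticated,
#                              outbound ones ask and fall back to clear.
# auth1=computerkerb         : machine Kerberos, i.e. the peer must be a
#                              domain member (this is the "known computer").
# qmsecmethods=esp:sha1-none : ESP, SHA-1 integrity, NULL encryption.
#                              Newer releases accept stronger integrity
#                              algorithms; SHA-1 reflects the era of the post.
# profile=domain             : only active while on the domain network.
netsh advfirewall consec add rule `
    name=$ruleName `
    description="Authenticate domain members with machine Kerberos; no encryption" `
    endpoint1=any `
    endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-none `
    profile=domain `
    enable=yes

# Check the rule took, then watch quick-mode SAs appear as peers connect.
netsh advfirewall consec show rule name=$ruleName
netsh advfirewall monitor show qmsa
```

Two things to verify after deploying: a packet capture between two domain members should show ESP headers wrapping readable payload (that is the ESP-NULL behaviour, not a misconfiguration), and a non-domain laptop plugged into the same segment should be unable to open inbound connections to those members while still being reachable by them, which is the isolation boundary and also the reason this does nothing about an infected machine that is itself a domain member.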

Symantec Antivirus and 64 bit

I just got off the phone with Symantec regarding their 64-bit Symantec Antivirus client.
The Symantec knowledge base article on the subject says that it cannot be a parent server and as a client it cannot do VDTM. Silly me, that made me think the 64-bit client could still be managed. Support tells me they are still working on that and claimed it would be like a SAV 9 server trying to manage a SAV 10 client. This is very aggravating, as we have been waiting for a SAV 10 server to be in production in order to deploy the x64 antivirus.
The other news from that call is that no patches are available for x64. I could not get them to commit to whether the x64 software was vulnerable to the RAR vulnerability in 10.0.2 x86 or not.
[update]: They just sent me a document on how to configure the SSC to manage x64 computers. It's just like I remembered: disable VDTM and schedule LiveUpdates directly to Symantec.

Google Desktop Search

Sparked by the EFF's latest fear-mongering, many people want to know how to disable Google Desktop's ability to search across multiple computers. The articles I've read say this is off by default, but I don't use Google Desktop, so I can't say for myself.
The following is from the Google Desktop Google Group:

If you're using Google Desktop for Enterprise, please note that the Search Across Computers feature is not available for Google Desktop for Enterprise, so there is no need to configure the Enterprise version of Google Desktop at this time. Once this feature is made available for Enterprise, it will also be configurable via the Google Desktop Enterprise administrative template.

If you're a system administrator using the consumer version of Google Desktop, you can disable the Search Across Computers feature by creating a DWORD value of disallow_ssd_service = 1 in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Google Desktop\Enterprise\

Please note that you will need to create this key.

You may need to restart Google Desktop to apply the change. To verify that the change has taken place, restart Google Desktop and visit your Google Desktop Preferences page. In the "Gmail and Search Across Computers" tab, the ability to place a check in the "Search Across Computers" check box should now be disabled.
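For anyone who has to push that value to a few hundred machines rather than click through regedit, here is the same change scripted with a verification step. This is an added example, not from the Google post; the key path and value name are the ones quoted above, the function names are mine, and the check confirms the value is really a REG_DWORD of 1 rather than a REG_SZ "1", which the Google Desktop policy reader will ignore.

```powershell
# Added example: create the Google Desktop policy value quoted above and
# verify it. Key and value name are from the Google post; helper names are
# mine. Writes to HKLM, so run elevated.

$keyPath   = 'HKLM:\SOFTWARE\Policies\Google\Google Desktop\Enterprise'
$valueName = 'disallow_ssd_service'

function Set-GoogleDesktopSearchAcrossComputers {
    param([bool]$Disallow = $true)

    # The Policies\Google branch normally does not exist; -Force creates
    # every missing parent key in one go.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # REG_DWORD 1 = Search Across Computers disallowed, 0 = allowed.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value ([int]$Disallow) -Force | Out-Null
}

function Test-GoogleDesktopSearchAcrossComputersDisabled {
    # $true only if the value exists, is a DWORD, and equals 1.
    if (-not (Test-Path $keyPath)) { return $false }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
    return ($kind -eq 'DWord') -and ($item.$valueName -eq 1)
}

Set-GoogleDesktopSearchAcrossComputers -Disallow $true
Test-GoogleDesktopSearchAcrossComputersDisabled   # expect True

# Equivalent one-liner for a 2006-era logon script without PowerShell:
# reg add "HKLM\SOFTWARE\Policies\Google\Google Desktop\Enterprise" /v disallow_ssd_service /t REG_DWORD /d 1 /f
```

Because the value lives under HKLM\SOFTWARE\Policies, a domain Group Policy preference or a custom ADM template pointed at the same path is the cleaner long-term way to deliver it, and it also means a user cannot simply delete the value, since standard users have no write access to that branch.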

Symantec False Positive on AVCenter webpage

I learned about this in a thread over at BroadBandReports.com. It seems that if you go to the write-up for the new Macintosh worm Inqtana.a at the Symantec (SARC) AVCenter, the page itself is detected as OSX.Inqtana.A once it lands in your Temporary Internet Files folder. This is, of course, a false positive.
I am using the 2/17 rev 18 virus definitions. 2/18 rev 5 is out and reportedly solves the problem.

Ask Roger: Wireless Hotspots

Dear Roger, Our users are taking the provided laptop on the road with them, and they would like to connect wirelessly to the hotel network. I've heard somewhere recently that wireless access via hotspots introduces new/different vulnerabilities. I don't want these people or their computers :) catching some virus on the road and bringing it back to infect the corporation. Should I just disable the wireless cards and be done with it?
There are several problems you should be aware of when using a wireless hotspot.
1. The Evil Twin. How do you know that the wireless access point you are using actually belongs to the hotel network? Is it a fake access point in the next room belonging to someone who wants to look at your data?
Solution: A lot of this is knowing what to look for and being suspicious. Don't provide any information unless you are convinced it is a legitimate connection. For example, if you are required to register, make sure the registration page is served over SSL with a certificate that matches the site name and chains to a trusted root CA; a self-signed certificate or a name mismatch is exactly what an evil twin's captive portal would present. If you don't have to authenticate or provide a credit card number, then use the connection but treat it as untrusted.
If the travel is work related, you may have an account with a national carrier such as T-Mobile or AT&T. Their connection client is designed to identify the carrier's own hotspots and set up the connection in a trusted manner.
2. Let's say you avoid the evil twin. Do you trust your network provider and the people working for him? You don't know whether they are flouting the law and collecting passwords.
Solution: Not much you can do about this other than treat the network as untrusted. Only authenticate through encrypted channels (SSL or VPN). Remember that if you open your mail client, it may have a saved password that it sends in clear text (POP3, IMAP and SMTP authentication without TLS) the moment it polls the server, without you doing anything. You don't want the attacker to get your username and password.
3. The hotel network may not be set up properly. An article last fall revealed that tests showed a significant percentage of hotel networks are not switched. This means that anyone on the network could see anyone else's traffic. Anyone in the hotel could look at the traffic you were sending. So you need to worry about protecting against everyone, not just the network owner.
Solution: Same advice as number 2. You may just want to do everything over the VPN if possible.
4. The hotel isn't using a WEP key. To use it you configured your laptop to connect to an SSID, let's say it's THEHOTEL. Now your computer is always looking for a network named THEHOTEL as long as your wireless card is enabled, in the hotel, at the airport and in the office. All an attacker needs to do is name their access point THEHOTEL, and your laptop will associate with it automatically; you probably wouldn't even notice.
Solution: When you are done with the hotel, remove THEHOTEL from your preferred network list, or configure the wireless card to connect only to encrypted networks. This is a manual process. If you are really lucky, your wireless drivers can be configured to only connect to access points with specific hardware addresses. Of course those can be spoofed as well.
As always, good computer security practices help to mitigate your exposure: personal firewalls, common sense and antivirus.
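The cleanup in point 4 is the step travellers forget, so here is a way to audit it when the laptops come back. This is an added example, not part of Roger's answer; it drives netsh wlan (Windows Vista and later, where the 2006-era "Wireless Network Connection" properties dialog was replaced by WLAN profiles), parses its English output, and either deletes every remembered open network or switches it from automatic to manual connection so the card stops hunting for THEHOTEL on its own. The function names are mine. Note that a WEP network also reports "Open" authentication, so the script looks at the cipher as well before calling a profile open.

```powershell
# Added example: find saved Wi-Fi profiles that are open (no authentication
# and no cipher) and stop them from auto-connecting. Uses netsh wlan, parsed
# from its English output; helper names are mine, not from the post.

function Get-NetshField {
    # Value of the first "Label : value" line in $Lines whose label matches $Label.
    param([string[]]$Lines, [string]$Label)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Label\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-WlanProfileSummary {
    # One object per saved profile with its authentication, cipher and connection mode.
    $names = foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*(?:All|Current) User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshField -Lines $detail -Label 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Label 'Cipher'
        $mode   = Get-NetshField -Lines $detail -Label 'Connection mode'
        [pscustomobject]@{
            Name           = $name
            Authentication = $auth
            Cipher         = $cipher
            ConnectionMode = $mode
            # WEP shows "Open" authentication too, so require a null cipher as well.
            Open           = ($auth -eq 'Open' -and $cipher -eq 'None')
        }
    }
}

function Protect-OpenWlanProfiles {
    # Delete open profiles, or (default) keep them but require a manual connect.
    param([switch]$Delete)
    foreach ($p in Get-WlanProfileSummary | Where-Object { $_.Open }) {
        if ($Delete) {
            netsh wlan delete profile name="$($p.Name)" | Out-Null
            Write-Output "Deleted open profile '$($p.Name)'"
        }
        elseif ($p.ConnectionMode -match 'automatically') {
            netsh wlan set profileparameter name="$($p.Name)" connectionmode=manual | Out-Null
            Write-Output "Set open profile '$($p.Name)' to manual connection"
        }
    }
}

Get-WlanProfileSummary | Format-Table -AutoSize
Protect-OpenWlanProfiles          # add -Delete to remove the profiles outright
```

Running the audit step alone on returning laptops is informative by itself: the list of open SSIDs a machine will silently join is exactly the list of names an attacker in the car park would need.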

Message Labs January Intelligence Report is out

Message Labs January Intelligence Report is out. It's worth taking a look at.
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/January_2006?CMP=EMC-MLI-REPORTS
Below is one graphic from the report. It shows which vendors were able to stop Nyxem.e heuristically (Message Labs, ISS, Kaspersky, Panda, eSafe, Fortinet, McAfee, NOD32). For everyone else the minimum window of vulnerability was 3.5 hours before the first signature-based detection was available. Symantec brought up the rear, releasing an update 35 hours after the initial detections and 15 hours after the virus was in wide circulation.
[Figure: Nyxem.e detection timeline by vendor, from the Message Labs report (nyxem.PNG)]

Kaspersky Update befouls Exchange with Sybari

This morning at 11:40 our Exchange 2003 server updated the Kaspersky antivirus scan engine that is part of Microsoft (Sybari) Antigen. A few minutes later I began receiving emails about a scan-time timeout, and when I checked I saw that no mail was being delivered anymore.
After spending an hour on hold with Microsoft waiting for support, I changed tactics and called my TAM. He told me I was still 35th or so in the phone queue (down from a couple hundred) and that the problem was a bad Kaspersky virus definition update (which is what I suspected). I disabled the Sybari scan jobs (once I could get into its admin GUI) and updated Kaspersky to a newer definition set. All told, two admins wasted three hours on this today and our company couldn't send or receive email for most of that time.
While bad virus definition updates have hosed our server in the past (usually it's Kaspersky), I have never had this kind of hold time. I am really unhappy with the quality of support now that Microsoft owns Antigen.