General: December 2005 Archives
USA Weekend, a slick weekend magazine found in many newspapers, had a brief article on going wireless securely. They advise checking with your router manufacturer for secure wireless configuration instructions. They specifically recommend changing the router password from the default, disabling SSID broadcast and enabling WEP or WPA encryption. They also mentioned a product I haven't heard of, McAfee wireless home network security software.
I hadn't heard of this McAfee software before, so I checked it out. The link is long and looks like it might not be a permanent one, so rather than link to it and have the URL go dead, I'll let you search for it on McAfee's site. It looks like for $50 you get antivirus, a personal firewall and a wireless security piece. The wireless security piece can manage specific routers with specific firmware (check the list before buying), so that the encryption keys are rotated automatically multiple times per day. It was not clear from the manual whether it costs extra to have multiple computers on your network, or how much trouble it is when friends come over and want to use the wireless network.
It looks like McAfee is trying to sell wireless security through fear, and also through the notion that they are making it easier than the wireless vendors do. I really don't think that is the case.
There I go again. I was trying to write a positive note about a mainstream mag talking about wireless security, but I get sidetracked.
Today's incident handler over at SANS recommends sending a peremptory warning to everyone in the world who might have your email address, that you might go ape if you are sent just one holiday greeting via email. Now, I agree that e-greetings (particularly flash and powerpoint nonsense) suck. Is spamming everyone you know really the best solution?
To put this under the umbrella of security awareness is really fishy to me. It seems more like forcing your opinion that plain text email is best onto everyone else under the guise of security.
ComputerWorld's Sharktank column tells the story of security implemented wrong:
DECEMBER 13, 2005 (COMPUTERWORLD) - At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. "All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade," says fish. "It seems that the use of a security badge was no longer adequate protection.
"So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).
"Present all three, and the door beeps and lets you in."
One by one, the doors are brought online. The technology works, and everything looks fine -- until fish decides to test the obvious.
After all, the average member of the public isn't likely to forge a security badge, guess a multidigit number and fake a thumb scan. "But what happens if you just turn the handle without any of the above?" asks fish. "Would it set off alarms or call security?
"It turns out that if you turn the handle, the door opens.
"Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default."
That reminds me of a story Eric Cole tells of a company that spent millions installing biometric readers for access. The company is very proud of it, so while he is taking a tour they have him try it. In spite of not having access, the door opens. After nearly having a heart attack, they discover that the security system was left in an "open for anything" mode after the install.
Don't merely test that something correctly provides access. Test that it correctly denies access as well.
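As an added illustration of that last point (example code written for this archive, not from the ComputerWorld column or Eric Cole's story): a toy three-factor door controller in Go with two decision paths, one that fails open the way the installs above did and one that fails closed, both run through the same acceptance cases. The badge IDs, PINs and thumbprint strings are constructed sample values, and the "locked" / unset lock mode is a stand-in for the installer leaving the doors unlocked by default.

```go
package main

import "fmt"

// Decision is the controller's answer to one attempt at the door.
type Decision int

const (
	Deny Decision = iota
	Allow
)

// Attempt is what a person presents: badge (have), PIN (know), thumb scan (are).
// Leaving every field empty is "just turn the handle".
type Attempt struct {
	Badge string
	PIN   string
	Thumb string
}

// Person is the enrolled PIN and thumbprint behind one badge ID.
type Person struct {
	PIN   string
	Thumb string
}

// Controller is one door. Mode is the lock state the installer left behind:
// "locked" is the intended state, "" is the never-engaged install state.
type Controller struct {
	Mode     string
	Enrolled map[string]Person
}

// NewController enrols one constructed sample person behind badge B-100.
func NewController(mode string) Controller {
	return Controller{Mode: mode, Enrolled: map[string]Person{
		"B-100": {PIN: "4321", Thumb: "thumb-alice"},
	}}
}

// FailOpen mirrors the installs in the story: only an explicit mismatch denies,
// so an unset lock mode or an unknown badge falls through to Allow.
func (c Controller) FailOpen(a Attempt) Decision {
	if c.Mode != "locked" {
		return Allow // lock never engaged: the handle just works
	}
	if p, ok := c.Enrolled[a.Badge]; ok && (p.PIN != a.PIN || p.Thumb != a.Thumb) {
		return Deny
	}
	return Allow // unknown badge: nothing said Deny, so the default wins
}

// FailClosed allows only when all three factors match an enrolled person;
// every other path, including a misconfigured lock, denies.
func (c Controller) FailClosed(a Attempt) Decision {
	if c.Mode != "locked" {
		return Deny
	}
	p, ok := c.Enrolled[a.Badge]
	if !ok || p.PIN != a.PIN || p.Thumb != a.Thumb {
		return Deny
	}
	return Allow
}

// Case is one acceptance check: the attempt and the decision it must produce.
type Case struct {
	Name string
	Try  Attempt
	Want Decision
}

// AcceptanceCases has the one positive case that usually gets tested, plus the
// negative cases the airport never ran. Credentials are constructed values.
func AcceptanceCases() []Case {
	return []Case{
		{"all three factors", Attempt{"B-100", "4321", "thumb-alice"}, Allow},
		{"just turn the handle", Attempt{}, Deny},
		{"badge only", Attempt{Badge: "B-100"}, Deny},
		{"badge and PIN, wrong thumb", Attempt{"B-100", "4321", "thumb-mallory"}, Deny},
		{"forged badge ID", Attempt{"B-999", "4321", "thumb-alice"}, Deny},
	}
}

// Failures returns the names of the cases a decision function gets wrong.
func Failures(decide func(Attempt) Decision, cases []Case) []string {
	var failed []string
	for _, c := range cases {
		if decide(c.Try) != c.Want {
			failed = append(failed, c.Name)
		}
	}
	return failed
}

func main() {
	for _, mode := range []string{"locked", ""} {
		door := NewController(mode)
		fmt.Printf("mode=%q fail-open misses:   %v\n", mode, Failures(door.FailOpen, AcceptanceCases()))
		fmt.Printf("mode=%q fail-closed misses: %v\n", mode, Failures(door.FailClosed, AcceptanceCases()))
	}
}
```

The point shows up in the two mistakes the controllers make. With the lock engaged, the fail-open path still passes the positive test while letting "just turn the handle" and a forged badge through; with the lock never engaged, the fail-closed path fails the positive test, which is the failure you want, because it gets noticed on the first walkthrough instead of months later.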
Strange that this would come up now; I was just wondering whatever happened to the idea of a master's degree wrapped around SANS conference tracks. I saw they now have a website up at http://www.sans.edu.
About four years ago, they mentioned working on a program that awarded degrees through Mary Washington University. I guess that fell through. That's too bad, because I'm not sure that we'll ever see the SANS degrees accredited. (see update at end of post) I don't see anything about accreditation on their website. Employers generally don't provide tuition reimbursement for this. I also wonder if this degree will carry some stigma even if it does get accredited.
Definitely something to keep an eye on. First-class instruction with direct application to doing security in a company. Plus, if your conference fees can come out of the corporate educational assistance budget rather than the departmental training budget, so much the better. :)
Two-factor authentication is when you combine multiple methods of authentication to prove who you are at login. With an ATM, you have the ATM card and you know your personal identification number (PIN). So you've proven who you are with something you have and something you know.
When you log into your company's VPN you might use an RSA SecurID card as well as a PIN. But what happens if the PIN is written down and stored with the card? Anyone who finds the card has the PIN as well. You have essentially reduced your two-factor authentication to one-factor authentication, blowing the security that your company paid for by implementing SecurID.
Two-factor authentication can be reduced to one-factor authentication based on user behavior.
Back in November, I wrote about the Microsoft PR push for Windows Mobile 5 as a BlackBerry killer. It's been something we've been looking at more closely with the RIM/NTP judgement hanging over everyone's head. I've learned a couple of interesting things since then.
Jason Langridge (MSDN)
1. Direct push is really HTTP GET heartbeats.
2. It requires opening port 80 or 443 on the firewall. Microsoft feels that most companies will be fine with this because they already took on the same exposure for RPC over HTTPS.
"By eliminating the NOC, isn’t this solution less secure? This is among my favorite questions, and it’s usually followed up with some hand-waving about the connection to the enterprise "somehow" getting "hijacked." The answer is, it is exactly as secure as the last online purchase you made with your credit card, exactly as secure as the last time you checked your email with OWA, and exactly as secure as the last time you used Outlook with RPC-over-HTTP. That is, we use SSL (which itself negotiates over-the-wire encryption using RC4 or 3DES) to communicate between the device and the server. I suppose that you could run this with SSL disabled, but you also risk a concussion if you run top-speed into a brick wall. Just a little fyi."
First - bad analogy with making a credit card purchase online. If someone plays man-in-the-middle and gets my credit card information, I'm not liable for fraudulent charges. Is Microsoft indemnifying me against hackers who get in through this new entrance into our network?
Second - Exactly as secure as OWA. External access to OWA is protected by SecurID login on the ISA 2000 server. This solution doesn't offer that protection. Requiring SecurID would ruin the ability to have the appearance of push email.
Third - As secure as RPC over HTTPS. Sadly that is true. We have not been able to use RPC over HTTPS because Microsoft has not provided support for SecurID authentication.
The question I would have is: can the clients (phones) be given client certificates so that the SSL authentication is mutual?
Sometimes you have to open ports into the company to enable business functionality. Email and VPN are the primary examples. Each new entrance to the enterprise makes the network more difficult to defend. Given the difficulty in getting ISA in place, I don't see this happening any time soon. Competing solutions may cost more, but they don't require us to open ports into our enterprise.
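On the mutual-authentication question, here is an added Go example (not Microsoft's code, and it says nothing about whether the Windows Mobile client or Exchange can be configured this way): a loopback TLS server set to require a client certificate issued by a private CA, exercised with an enrolled client, with no client certificate at all, and with a certificate from a different CA. The CA names and the "push-server" / "enrolled-phone" labels are constructed for the example; the certificates are generated in memory each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; a real CA tracks serials properly

// IssueCert makes an ECDSA key and a certificate for name, signed by parent
// (self-signed when parent is nil). Constructed for this example only.
func IssueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ServerAcceptsClient runs one handshake on loopback against a server that requires
// a client certificate chaining to ca, and returns the server's verdict. Pass a nil
// cliCert to connect with no client certificate at all.
func ServerAcceptsClient(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey,
	cliCert *x509.Certificate, cliKey *ecdsa.PrivateKey) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // fail closed: no CA-issued client cert, no session
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake()
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if cliCert != nil {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		defer conn.Close() // the client may believe it connected; only the server's verdict counts
	}
	select {
	case err := <-verdict:
		return err == nil, nil
	case <-time.After(5 * time.Second):
		return false, errors.New("handshake timed out")
	}
}

func main() {
	ca, caKey, _ := IssueCert("example-ca", true, nil, nil)
	otherCA, otherKey, _ := IssueCert("someone-elses-ca", true, nil, nil)
	srv, srvKey, _ := IssueCert("push-server", false, ca, caKey)
	phone, phoneKey, _ := IssueCert("enrolled-phone", false, ca, caKey)
	rogue, rogueKey, _ := IssueCert("unknown-device", false, otherCA, otherKey)
	ok, _ := ServerAcceptsClient(ca, srv, srvKey, phone, phoneKey)
	fmt.Println("enrolled phone accepted:", ok)
	ok, _ = ServerAcceptsClient(ca, srv, srvKey, nil, nil)
	fmt.Println("no client cert accepted:", ok)
	ok, _ = ServerAcceptsClient(ca, srv, srvKey, rogue, rogueKey)
	fmt.Println("cert from another CA accepted:", ok)
}
```

The setting that matters is `ClientAuth: tls.RequireAndVerifyClientCert` together with a `ClientCAs` pool holding only your own issuing CA: a device that cannot present a certificate chaining to that CA never reaches the application behind port 443, which is the kind of per-device gate the SecurID login on ISA gives OWA today. A client certificate is still something the phone has, so it protects the open port, not a phone that has been lost with its certificate on it.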