A .bank Domain To End Phishing? Get Real!

This is one of the most crackpot ideas I've seen: create a .bank top-level domain and restrict it only to banks. Will that make phishing for bank information less possible? I don't think so. The problem is very simple: most people aren't observant of where they are connecting to or what might be showing in their browser's URL field. They also most certainly don't check the SSL Certificate to validate who signed it, or even to see if they are using SSL mode.

There's a reason companies like Verisign charge a lot of money for an SSL certificate: they actually do some work to validate that the company signing up for the certificate is who it says it is. If you check the SSL certificate for a secure site and it says Verisign signed it, you can be fairly certain you are talking to the company named in the certificate. It is still up to you to check that the name in that certificate is the bank you meant to reach.

Most phishing issues would go away if people were simply observant of where they connect. That means making sure the link you think you are clicking on actually goes to the site it claims to. "Mouse over" the link and look at the status bar in the lower part of the browser window. Does it match? Or better yet: don't click on links you receive over email.
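As an added example (this is not code from the original post), here is a small Python check that does programmatically what the "mouse over" advice asks of a reader: it pulls every link out of an HTML e-mail and flags the ones whose visible text names one host while the href actually goes to another, or that use a plain http URL, a raw IP address, or the user@host trick. The e-mail body is constructed for the example; "examplebank.com" stands in for a real bank and the other hosts are invented.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail for this example: "examplebank.com" stands in for a
# real bank, and the other hosts are invented attacker infrastructure.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details at
<a href="http://www.examplebank.com.account-verify.example/login">https://www.examplebank.com/</a></p>
<p>Or visit <a href="http://203.0.113.7/ebank/">Example Bank Online</a>.</p>
<p>Secure site: <a href="http://www.examplebank.com@203.0.113.7/">secure.examplebank.com</a></p>
<p>Thank you, <a href="https://www.examplebank.com/">www.examplebank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Crude 'last two labels' rule; production code should use the Public Suffix List."""
    host = host.lower().rstrip(".")
    if is_ip(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text):
    """Hostname named by link text that looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower() or None


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links a careful reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        target_host = (target.hostname or "").lower()
        reasons = []
        if target.scheme != "https":
            reasons.append("not https")
        if target.username is not None:
            # http://bank.example@evil.example/ : the browser connects to evil.example
            reasons.append("user@host trick: browser goes to %s" % target_host)
        if is_ip(target_host):
            reasons.append("raw IP address instead of a hostname")
        text_host = host_of(text)
        if text_host and registered_domain(text_host) != registered_domain(target_host):
            reasons.append("text says %s but link goes to %s" % (text_host, target_host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %r -> %s" % (text, href))
        for reason in reasons:
            print("    -", reason)
```

Run as a script it prints the three bad links from the sample and leaves the genuine https://www.examplebank.com/ link alone. The registered-domain comparison deliberately compares only the last two labels, which is what catches "www.examplebank.com.account-verify.example"; a real filter would consult the Public Suffix List so that names under co.uk and similar suffixes are handled correctly.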

I Took My CISSP Exam Today

I never thought in my life I would spend almost the entire allowed 6 hour time on the CISSP exam, but I did. And I was oddly zen about the whole experience. Sure, I was a little nervous when I first walked into the testing room as I had no idea what to expect. One of the proctors, whom I met in a CISSP class nearly 6 years ago, checked my ID and paperwork and another proctor led me to a seat, which was to be mine for the course of the exam.

The usual electronic gadgets and gizmos were not allowed at your desk, and if they were present, they were to be switched off or set to vibrate mode and preferably left up at the desk where you were permitted to put your snacks and the like (it was a 6 hour test with no lunch break). I left all my gear in the car, though I brought food and water in.

At 8:30, one of the proctors began reading the instructions, which involved filling out a scantron form with specific information. Once that was done and all the other instructions and the like were done, we broke the seal on our test and began. Nothing like filling out over 250 little bubbles.

Bathroom breaks, which I took at least 3 of, involved signing out, one of the proctors escorting you to the restroom (he didn't come inside), and him escorting you back and you signing back in. I guess they want to make sure you don't "cheat" in the bathroom. Fair enough.

And while the confidentiality agreement I signed as part of the CISSP exam process forbids me from getting into specifics about what was on the exam, I can say that I felt oddly zen about the experience. Once the test was underway, I stopped stressing about it. I took frequent breaks. I used earplugs. I was methodical and deliberate. I only made one "transcription" mistake (from book to scantron).

I took two passes through the material. The first pass was to answer the questions I was pretty sure about. On the second pass, I double-checked my answers, making sure both that I transcribed the right answer and that I actually chose the right answer. The ones I didn't know, and there were a few, I was able to make a semi-educated guess on most of them; on the rest I just threw out a guess. It's not like the SATs, where you lose points for a wrong answer.

I walked out of the test feeling pretty comfortable with my performance. I'm sure I answered a few questions wrong, but that's life. Now I just need to wait for ISC2 to come back with my certification results so I can jump through the remaining hoops to be certified.

Meanwhile, I am exhausted after all that. Early bedtime for me.

Pirate Bay Gets Pwned

From the latest SANS NewsBites:

The Pirate Bay, a website that helps users find files over BitTorrent peer-to-peer (P2P) file sharing software, has reportedly been the victim of attack; the intruder stole a copy of the site's user database. User passwords are encrypted, but Pirate Bay's site operator encourages users to change their passwords nonetheless, and if they use the same password elsewhere, to change those as well. The attacker got in through a hole in the site directory's blogging software. Pirate Bay has a reported 1.4 million members.

http://www.theregister.co.uk/2007/05/14/pirate_bay_hacked/

http://www.securityfocus.com/brief/499

Guess even the pirates get hacked once in a while.  ;)

Quicktime-Java Attack Vector Reported

Russell Shaw reports that there is now a new "attack vector" utilizing Java and Quicktime on a web page. This is basically the security bug that was recently found against MacOS, but it's actually not against MacOS per se, but rather against Quicktime. That means not only is MacOS vulnerable, but Windows is potentially vulnerable too.

From the nist.org article:

Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well. What is not known is to what degree. If the attack is a buffer overflow an actual "exploiting the box" type attack may be OS specific. In other words Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow into a full fledged exploit takes time and is not always possible. But they did it on the OSX platform so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built-in to Quicktime then the current exploit may work on both platforms.

The mitigation for this issue? Disable Java, uninstall Quicktime, or if you're a Firefox user, use the NoScript extension and ensure Java is disabled on untrusted sites. I'm not getting rid of Java or Quicktime, but I sure do use NoScript. Yes, it's a pain, but these kinds of issues are precisely why I am willing to go through the trouble of running it.

Presumably, Apple is now aware of this issue and is working quickly to patch this issue both in Windows and MacOS.

The Mac Was Hacked? Really?

Everyone blew this supposed "Mac" security issue out of proportion, it seems. The Mac was "hacked," but it wasn't exactly specific to the Mac as the issue could be replicated in any browser on any system. It was a local exploit, at best, and it involved cross-site scripting, something that is inherently dangerous on all computers.

Please let me know when the Mac can be remotely rooted, though. That will be some serious news.

Mired in CISSP and Remote Conferencing

I am currently taking a CISSP Prep class online thru Global Knowledge. They are using a tool called iLinc for the class, and I have to say, I'm thoroughly unimpressed with the experience.

First off, the voice quality frequently goes from mediocre to worse. When the instructor drops off and comes back--which has happened on more than one occasion--the voice chipmunks big-time until the voice buffer clears and everything returns to normal. The iLinc client has crashed on my relatively vanilla Windows XP machine a half-dozen times. Oh yeah, it requires Internet Explorer, which means Windows only. Yuck! The chat client stinks and they do a lousy job of providing ways for participants to give feedback. In a previous online class I took with Global Knowledge, they used a tool called Interwise, which required installing a Windows client, but seemed much more stable.

Probably my biggest complaint with the whole experience is the instructor's Internet connection, which seems to be causing at least some of the issues. But it really sucks whatever it is.

Meanwhile, next week, I will be starting an online class with SANS on Intrusion Detection Systems. Their online class tool seems to be Java-based and should work on the Mac, which I would prefer for obvious reasons.

I've also played with WebEx, Lotus Sametime, and Windows LiveMeeting. They all have their issues. None of them provide an optimal experience and they certainly aren't all cross-platform. I do want to check out Unyte Meeting, which is working on a new version that has gone into public beta. The pertinent deets from their press release:

WebDialogs is seeking users to participate in the beta test, which will run through April 25, 2007. As a registered user, participants can sample Unyte Meeting’s unified voice, video and Web conferencing capabilities without charge for up to 1,500 minutes or until April 25—whichever comes first. To sign up, visit http://www.webdialogs.com/umbeta/ 

Unyte Meeting Spring ’07 is faster, yet still completely browser-based, with no downloads required for hosts, presenters or participants. The service is based on WebDialogs’ proprietary conferencing technology that is currently used in the market today by more than 200 brand names through 70 partner agreements.

I did play with their Skype remote desktop product, which I was suitably impressed with. Still waiting for them to come out with a Mac version of the "host" part of their application--the Mac client piece worked fine.

Meanwhile, all this training is taking a toll on my ability to blog, so continue to expect light blogging over the next couple of weeks.

Fun with Check Point SecureClient and Windows Batch Files

In my past life, I did a heck of a lot with Check Point FireWall-1, now called VPN-1 Power or something. I don't do much with it now except for use their VPN client to access work, but I do spend some of my day job reviewing stuff other people write about it.

One of the things I have to do in order to use my work computer on my home network is to actually allow my work computer to access a couple of things at home: namely my Mac sitting right next to it and my network printer. Unfortunately, the combination of the VPN configuration and the firewall software loaded on the laptop makes this a challenge, though not a difficult one.

One of the things the VPN does is add all these routes to the routing table that essentially override the local routes. Now I can see why an enterprise might want to do that, but if you want to access local resources, then it creates a challenge.

What I was doing to correct this issue was doing all this by hand: looking at the routing table, removing the offending routes, and adding a few others. In smaller environments, the routes are going to always be to the same default IP. The problem with the implementation I am working with is the nexthop for these routes has a habit of being different each time I connect. I needed to look at the routing table manually before doing the surgery on it. The end result was that I could access the machines I needed.

Today, I got the bug to automate all this, so I decided to write a Windows Batch file to accomplish all this. Apparently, this was harder than I thought, but I wrote a batch file that:

  • Looked at the routing table for a route I know the VPN will set. Fortunately Windows allows you to print only a specific route.
  • Parse out all the junk that gets printed in addition to the information I wanted. This parsing turned out to be the most difficult, particularly in getting the information out of a FOR loop.
  • Set routes, which is relatively easy once you have the information.

And FTW, I decided to also add in automatically logging into SecureClient. One batch script logs me in and mucks with the routing table. To find that information, I had to refer to a tome I wrote nearly four years ago. Yes, I know it was published in 2004, but I did a lot of the writing for it in 2002/2003. Damn publisher lead times. Anyway, I looked in a more recent Check Point book (on NGX) that I had lying around and it didn't even cover SecureClient on the command line. It's not the first time I found something in my own book that hasn't made it into other, more recent books, either.

Anyway, I am happy to say it's all working just fine. I do miss being able to use my SecureClient GUI (enabling CLI mode disables all that stuff), but I like how much easier the entire logging on experience is now. For those who are interested, I am posting my batch job after the break. If you're interested, click on thru and read my handy work.

@REM kill Echo
@echo off
setlocal EnableDelayedExpansion

@REM The only argument is the SecureClient username; bail out with a hint if it is missing.
if "%~1"=="" (
  echo Usage: %~nx0 username
  GOTO :eof
)

@REM SecureClient command line tool
set SCC="C:\Program Files\CheckPoint\SecuRemote\bin\scc"
%SCC% setmode cli
rem %SCC% disconnect
%SCC% up username %1
%SCC% connect "VPN Profile"
%SCC% status
%SCC% ep

@REM Trying to pull out VPN route and mess with routing table
@REM
@REM Did we find the netmask line?
set hitnetmask=0
@REM Let's pull out a route I know will be there. Token 3 of the header line is
@REM the word "Netmask"; token 3 of the data line that follows it is the gateway.
@for /f "tokens=3" %%i in ('route print 192.168.0.0') do (
  @REM After we found the netmask, the next thing we get is the route we want
  @REM and make sure we get out of dodge
  if !hitnetmask! EQU 1 (
    call :set_nexthop %%i
    GOTO :found_route
  )
  @REM The next line after the "netmask" line is the one we want.
  if "%%i" == "Netmask" (call :set_hitnetmask)
)
@REM Only reached if the loop never saw the route; say so instead of exiting silently.
echo Could not find the VPN route for 192.168.0.0, leaving the routing table alone.
GOTO :eof

:set_hitnetmask
set hitnetmask=1
GOTO :eof

:set_nexthop
set nexthop=%1
GOTO :EOF

:found_route
echo Nexthop is %nexthop%, deleting/setting the routes appropriately
echo on
route delete 192.168.0.0 mask 255.255.255.0 %nexthop%
route delete 192.168.0.2 %nexthop%
route delete 192.168.2.253 %nexthop%
route add 192.168.2.253 192.168.0.254
@endlocal

WiFi and Windows XP Tips

Being that I am in the Bay Area, and my Aunt and her kids live down in the Santa Cruz area, every once in a while I feel the need to go down there and see them. This time, I even gave them more than a few hours of notice that I was coming so I could see at least one of my cousins, who complains she never gets to see me.

Anyway, after the usual discussions about my mom, the rest of the family, politics and religion, the conversation drifted into computers. Apparently, my uncle had bought a Linksys WRT54GS and was trying to use his laptop in the living room. He had bought one of those WiFi repeaters that Linksys sells because he was having signal issues. He was worried, rightfully so, about not having any of this secured.

The Linksys WiFi repeater is particularly difficult to configure, since it has no Ethernet port. It's even worse when you are trying to use it with WPA. I eventually gave up using it myself. I found that proper location of the WiFi router, high-gain antennas, and third-party firmware such as DD-WRT resolved the vast majority of my issues. The main reason for the third party firmware: the ability to adjust your transmit power to at least 50mW. Unfortunately, he has one of the newer WRT54GS units. You know, the ones Linksys neutered so that it is difficult to flash third party firmware on them. Still, antennas and orientation will work wonders.

Later on, I had pulled out my MacBook to show some photos and videos I took with my various Nokia handsets. They really liked the FrontRow interface of the Mac. After we finished with that, I had iStumbler running and picked up a half dozen WiFi access points--most of them on channel 6. Of course their access point was also running on channel 6. I suggested changing to either channel 1 or channel 11. Of course, I suggested killing that WiFi repeater because even I have a problem configuring that thing. I can't imagine my uncle, who is a semi-computer literate person in his 60s, trying to accomplish this.

Then we got onto the whole spyware/virus/cookie thing. Like most people, they are running on their computers as administrator. That's dangerous, even for someone like me who knows what they are doing. It is not a very good idea for most people to operate in that fashion. Of course, Microsoft and application vendors make it difficult to do properly. You should also use Firefox instead of Internet Explorer and/or configure Internet Explorer with safer default settings to reduce your exposure risk.

Because the above was a lot of information, I am going to summarize in bullet form with links to tools and articles.

WiFi Hints

  • Don't buy a repeater. They are almost never easy to configure.
  • Buy a higher-gain antenna set for your router. If your router doesn't have detachable antennas, get a router that does.
  • If you have a Linksys WiFi router, vertically mount the unit on the wall so the antennas and the rest of the unit are in a flat plane. This maximizes the router's ability to broadcast. You may need a Linksys SM-1 mounting bracket to accomplish this. I bought them on eBay, but you can get them on Amazon.com and other places.
  • Check what channel your neighbors are using. Pick a less-crowded channel. Channel 6 is the default for most routers. Use a tool like NetStumbler (PC) or iStumbler (Mac) to find out what WiFis are in use in your neighborhood. Look at how many routers are on channels 1, 6, and 11 (the three that don't overlap each other). Choose whichever of the three has the fewest routers.
  • If you're willing to spend money on new cards and new routers, go get one of the Draft-N WiFi routers and cards (from the same manufacturer). Your range should improve.
  • Configure your router to use WPA. Use a totally random, long, secure passphrase from grc.com/passwords.

Protecting Your Windows XP Box

  • If you haven't already, make sure Service Pack 2 is loaded.
  • Enable the firewall if it's not already.
  • Use Firefox!
  • If you must use Internet Explorer, set the security level for the Internet zone to High. This is done under Tools > Internet Options > Security tab (not the Privacy tab, which only controls cookies). This prevents sites you don't explicitly trust from running ActiveX controls, JavaScript, or anything like that. You can then select the Trusted sites zone and click the Sites button to add the sites you trust. Yes, this takes a little due diligence on your part, but you really do block unwanted things from entering your computer via Internet Explorer.
  • Use Limited user accounts on Windows XP. Each person that uses your PC should have an account that is a Limited user. This should stop most malware from doing anything to the computer as a whole; what it can still do is read, modify or delete that user's own files and settle into that user's own profile, so it is a big reduction in damage, not a cure. It also prevents stupid user mistakes as well. They can still run programs, of course, but programs cannot be permanently installed system-wide by a Limited user. One administrator account should exist on the computer, but nobody should use it on a regular basis except to install new software or browser plugins. User accounts can be edited by going to Start > Control Panel, then clicking on User Accounts, and then either creating new accounts as appropriate, or editing the existing accounts, clicking on "Change my account type" and setting the type to Limited.

Of course, after my uncle and my cousin saw how sexy my Mac was, how you could also run Windows on it, and how easy it was to use, they were thinking maybe they'd buy a Mac next. Considering the price isn't all that different nowadays, it's worth it to buy a computer capable of running two operating systems (MacOS and Windows) instead of just one (Windows).

My Response to the Whisher Folks

I love the blogosphere. It's a conversation. Lately, it's been interesting. Today, I am responding to Mike Puchol at Whisher on my FON vs Whisher posting:

Thanks for sharing your concerns about Whisher, but I believe your analysis is not accurate in some aspects. First, Whisher works on top of FON, that means, you can share your Fonera with others through Whisher. That a few hackers can open the Fonera and reflash it does -not- mean the thousands of non-technical users out there will be able to do the same.

The Linksys routers that FON originally sent out are, in fact, very easy to hack. Just load new firmware. The LaFonera routers are a little more difficult, from what I've read. I have no doubt that the FON hackers will find a way to make that process a little easier. I certainly don't need to hack a FON router except as a curiosity--I have more than enough WiFi access points already.

My understanding was that the service required WEP/WPA, which at least my Linksys FON router won't do. I believe the new LaFonera routers support dual SSID and thus would support the possibility of Whisher. I did order a new LaFonera to confirm that for sure.

1. Whisher is a LOT more than a WiFi finder/IM application. It offers controlled WiFi sharing, and more information about the signals present than any other application out there, such as average signal strength (useful for finding the best spot other people connected from) and availability. On top of that, file sharing over WiFi is also available, meaning you can transfer large amounts of data in very short time, and we made it as easy as drag & drop. It offers IM, of course, and this will improve over the next few weeks with some nice extra twists - but you also get instant presence information about who is connected to the same WiFi as you are. Shall I go on? :) Geolocation of your buddies, local services that can be customized on a per-hotspot basis...

Knowing who is connected to the WiFi and providing some control over that is useful. I believe you get some of that information via the FON portal, but I haven't had any real users come use my access point since I am kind of in the middle of nowhere. Maybe they provide some control, but I doubt it.

Again, the file transfer, while I have no doubt it is fast and easy, is just not a compelling reason. Geolocation would be potentially interesting once a critical mass of Whisher-enabled hotspots is available, but right now, it's just a curiosity.

2. If you don't like to share your AP, then don't. You can still use all the other features that Whisher offers. If you do decide to share, you can do so in a controlled fashion, either you are OK with everyone having access to your WiFi, or you share in buddies-only mode, whereby only those in your buddy list will get your key. If someone wants to have access, they just need to ask you to add them to your buddy list, it's as simple as that. Finally, you can share in private mode, giving only your closest contacts VIP status, so not even your non-VIP buddies will be able to get in. Changing modes is basically clicking on a button - that is it, all done from the client.

Granular sharing is good, something FON lacks. However, I tend to either want to share with everyone or nobody. It's a much easier decision to make, and doesn't require software.

If you are worried about segregating your network from the public one, then just install a router with DD-WRT, which provides dual SSIDs, one you can share with Whisher in private mode, and the other in public mode. We have implemented a 'master' function, which is not yet available in the client, which lets you 'pool' access points, so that people connecting to any pooled node will join the same chatroom, have presence information, etc. about anyone connected on any of the other nodes. This way you could control both SSIDs with the client transparently. If you think FON is the only way to securely share WiFi, your analysis is not complete.

Actually, FON isn't exactly secure either. Dual SSIDs, which supposedly the latest LaFoneras support as well as DD-WRT firmware on Linksys devices, aren't the most secure either. In theory, if you somehow compromise the access point, you could potentially hop between networks. Even though the risk is fairly small, I don't personally take it. I run two physically different access points--one with FON and one without. In fact, I plug nothing into the FON access point except for the occasional test PC. I have them connected to different Internet connections as well. Even if someone does compromise the access point, there's nothing there for anyone to find.

3. Our business model is based on local & premium services, advertising, and other revenue paths we have identified. We don't plan to charge for the client, or resell access. There are many incentives for using Whisher, from the philanthropist thought of free WiFi, to wanting to create a closed network with your friends & family, and making it easy to manage.

I do have to agree that making it easy to manage a closed network of WiFis is kind of a neat idea. Whether or not other people will think it's a good idea remains to be seen.

You may want to work on creating a page or some documentation explaining to people how to more securely share their WiFi, and what place Whisher serves in that. A lot of people don't understand what WPA is and why using WEP or no encryption at all is an exceedingly bad idea (NEVER suggest WEP, always suggest WPA). I had to educate a neighbor about this recently as I went over to her house to help her with an unrelated issue. She had no idea that people could be using her network without her knowledge!

You can do "Free" WiFi with FON as well. All you have to do is create a local login and password in your FON portal and add that information to your splash page. Then anyone can use it.

In any case, I will be watching Whisher. I will probably load it up on a PC and make one of my routers Whisher-enabled, just because I'm a nice guy. Whether or not I will want to keep the client on at all times remains to be seen.

ZTE BAVO™ Home Gateway Mobile Router (EVDO/HSDPA)

Ran across this. Oh man this looks like an interesting device.

ZTE’s Home Gateway H110 comes standard with an Ethernet and PCMCIA Card Slot for Broadband access [via EVDO/HSDPA], with multiple LAN interfaces including four (4) Ethernet, two (2) FXS, one (1) FXO and (2) USB ports. In addition the H110 supports Bluetooth, Print and File Sharing, multiple VPN/VLAN support, and offers a superior user experience with innovative QoS, and a feature rich GUI. Whether you are at home or on the road, whether it is network computing, entertainment, Internet safety, or voice communication, the H110 Home Gateway provides you the total communication solution.

This could prove to be quite an interesting device. It is a little out of my price range, but it does combine several useful features into a tiny little box, which makes it worth considering.