Thursday, April 5, 2007

Dynamic Security is the only solution. Need I say more?

Don't use WEP for Wi-Fi security, researchers say

Peter Sayer


April 04, 2007 (IDG News Service) The Wi-Fi security protocol WEP should not be relied on to protect sensitive material, according to three German security researchers who have discovered a faster way to crack it. They plan to demonstrate their findings at a security conference in Hamburg this weekend.

Mathematicians showed as long ago as 2001 that the RC4 key scheduling algorithm underlying the WEP (Wired Equivalent Privacy) protocol was flawed, but attacks on it required the interception of around 4 million packets of data in order to calculate the full WEP security key. Further flaws found in the algorithm have brought the time taken to find the key down to a matter of minutes -- not necessarily fast enough to break into systems that change their security keys every five minutes.

Now it takes just three seconds to extract a 104-bit WEP key from intercepted data using a 1.7-GHz Pentium M processor. The necessary data can be captured in less than a minute, and the attack requires so much less computing power than previous attacks that it could even be performed in real time by someone walking through an office.

Anyone using Wi-Fi to transmit data they want to keep private, whether it's banking details or just e-mail, should consider switching from WEP to a more robust encryption protocol, the researchers said.

"We think this can even be done with some PDAs or mobile phones, if they are equipped with wireless LAN hardware," said Erik Tews, a researcher in the computer science department at Darmstadt University of Technology in Darmstadt, Germany.

Tews, along with colleagues Ralf-Philipp Weinmann and Andrei Pyshkin, published a paper about the attack, showing that their method needs far less data to find a key than previous attacks: Just 40,000 packets are needed for a 50% chance of success and 85,000 packets for a 95% chance, they said.

Although stronger encryption methods have come along since the first flaws in WEP were discovered, the new attack is still relevant, the researchers said. Many networks still rely on WEP for security: 59% of the 15,000 Wi-Fi networks surveyed in a large German city in September 2006 used it, with only 18% using the newer WPA (Wi-Fi Protected Access) protocol to encrypt traffic. A survey of 490 networks in a smaller German city last month found 46% still using WEP and 27% using WPA.

In both surveys, over a fifth of networks used no encryption at all, the researchers said in their paper.

Businesses can still protect their networks from the attack, even if they use old hardware incapable of handling the newer WPA encryption.

For one thing, the researchers said, their attack is active: In order to gather enough of the right kind of data, they send out Address Resolution Protocol requests, prompting computers on the network under attack to reply with unencrypted packets of an easily recognizable length. This should be enough to alert an intrusion-detection system to the attack, they said.

Another way to defeat such attacks, which use statistical techniques to identify a number of possible keys and then select the one most likely to be correct for further analysis, is to hide the real security key in a cloud of dummy ones. That's the approach taken by AirDefense Inc. in its WEP Cloaking product, which was released Monday.

The technique means that businesses can cost-effectively protect networks using old hardware, such as point-of-sale systems, without the need to upgrade every terminal or base station, the company said.

If a network supports WPA encryption, though, users should rely on that instead of WEP to protect private data, Tews said.

"Depending on your skills, it will cost you some minutes to some hours to switch your network to WPA. If it would cost you more than some hours of work if such private data becomes public, then you should not use WEP anymore," he said.


Five best practices for mitigating zero-day threats like Windows ANI

Jaikumar Vijayan


April 03, 2007 (Computerworld) The Windows animation bug (ANI) caused widespread concern because exploits against it became widely available before Microsoft Corp. could release a patch. But like other zero-day threats before it, there are measures companies can take to at least try to mitigate the risk from unpatched vulnerabilities, security experts said.

The measures are not a sure bet. And in the end, patching a flaw is still the most reliable way of protecting against exploits seeking to take advantage of it, they said. But deploying multiple layers of defenses is vital to dealing with threats for which no immediate fix is available.

Among them are the following:

Restrict e-mail attachments

One of the ways hackers hope to exploit the ANI flaw -- which Microsoft patched earlier today -- is by trying to get users to click on malicious attachments in spammed e-mails. One way of dealing with this sort of an attack vector is by having strict policies in place for filtering out e-mail attachments.

Security experts have for a long time now advised companies to filter out gif, JPEG, WMV and pretty much most attachment types they don't need from inbound and outbound e-mails. When deciding which attachments to allow and which to deny, it's a mistake to assume that only certain attachment types are maliciously used, said Russ Cooper, senior information security analyst with Cybertrust Inc.

"Don't go on the basis of whether something is benign or not," Cooper said. After all, both gif and JPEG attachments were once considered benign until hackers started hiding malicious code in them. "Instead, look at what you need for your business," he said.

If there is a business need for accepting e-mails with attachments -- from a business partner, for example -- see if there's a way to restrict them to just that business partner. Or if you need to exchange zip files, for instance, consider the possibility of renaming the extension to something that just your company and your business partner knows -- and permit only attachments with that extension into your network, Cooper said. "Then you can put gif, JPEG and even animated cursors if you have a need for them into those attachments," he said. "If you say 'I only want to allow these attachments and nothing else,' you have eliminated every zero-day" threat via e-mail attachments, he said.

Disable HTML e-mail

Hackers and other bad guys like HTML e-mail because it allows them to more easily hide and deliver attack code to a desktop. For instance, several of Microsoft's e-mail clients, including Outlook Express and Windows Mail for Vista, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML can help mitigate this risk, Cooper said. By doing so, you are also blunting a lot of the phishing attacks that attempt to get users to click on URL links to malicious sites, he said.

Keep an eye on the LAN

Consider tools that don't rely on virus signatures alone to detect infected systems. Instead, implement a way to quickly detect a compromised system by any anomalous behavior it might exhibit, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry.

Also have a way to limit the damage an infected system can do to other LAN-connected systems, he said. BT Radianz, for instance, uses a tool that allows it control over the connections a desktop makes with other systems within the LAN. "Under the previous model, you could go anywhere in the network once you are within the network," Hession said.

Now, there are rules that specify what parts of a network to which a system is allowed access. The rules also spell out what systems that same system can connect to based on the user's business requirements. Such control can help mitigate the risk of an infected computer spreading malicious code to other systems within a network. "You need to smarten the intelligence within the local network" to detect zero-day attacks faster, he said.

Filter outbound traffic

It's not enough just to inspect the traffic that's coming into your network; it's vital also to keep an eye on what's going out. Many Trojans or bot programs that get installed communicate with a remote system for further instructions on what to do next or what to download. Using outbound proxies or firewalls to look for and block such communications is one way to prevent Trojans and bots from calling home, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md.

Consider implementing a "default deny" capability at the perimeter, Cooper added. The idea is to permit only specific traffic in and out of a network gateway, while blocking everything else by default, Cooper said.

"What we are talking about is inbound and outbound rules on your router" to block, for example, outbound IRC attempts and SMTP requests, he said. To get an idea of what traffic to permit through the network, log all inbound and outbound router activity for a period of time and use that information to decide what's permissible and what's not, he said. "If you are worried about breaking functionality, allow everything that has been going through anyway and deny everything else," he said. "It's a great starting point."

Increasingly, Trojans and bot programs have begun using well-known ports such as Port 80 to communicate with the remote systems controlling them. That makes it harder to detect such traffic using outbound filtering, Hession said.

Turn off JavaScript; don't give users administrative privileges

Turning off JavaScript would have prevented some of the Web-embedded ANI exploits from reaching the user via the browser, Ullrich said. Restricting administrative privileges would have mitigated the fallout from an exploit by ensuring that a remote hacker wouldn't gain full administrative control of a system.

Ultimately, "you are less likely to go into emergency patch mode if you have other measures in place" for dealing with such threats, said Ken Dunham, director of Verisign Inc.'s iDefense rapid response team.

Such measures include content filtering at the gateway for ANI files, using updated antivirus software, using snort signature to identify and initiate responses to possible attacks from remote sites and user education, Dunham said.


Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc