You May Not be as Secure as You Think
As laptop and notebook computers continue to increase in sales, more users are looking for a more portable method of connecting to the Internet. The current technology of choice is the 802.11 family of wireless connection specifications, generally known as Wi-fi, which almost all wireless network connections use (with minor use of Bluetooth and Infra Red connections).
From the initial development of the wireless networking specifications it was realised that it was not a suitable security practice to be broadcasting all network traffic for any passing wireless-enabled computer to collect, and so research began on methods to protect the technology.
The first effort to improve the security of the connections revolved about the Wired Equivalent Privacy, commonly known as WEP. This particular technology provided an encrypted link for all legitimately connected wireless clients, and which would prevent unauthorised connections from capturing network traffic. Unfortunately, once a client was allowed to connect through WEP, they were able to capture all the network traffic, unencrypted, and the encryption method used to develop WEP was rapidly broken, effectively making WEP useless as a means for protecting wireless network connections.
The followup protection technology, Wi-Fi Protected Access, which is known as WPA, and WPA2 for the complete implementation, began to be implemented in early 2003. Designed around a stronger encryption process, WPA encrypted each client's connection individually, in an effort to prevent clients from viewing the unencrypted traffic for other connected clients. As a means to overcome some of the shortcomings from WEP, the system was designed so that encryption keys would change over the time of the connection.
Over recent weeks a fairly active security discussion looked at methods to overcome the protection offered by WPA, and possibly that offered by WPA2. One method in particular allows a user who has been granted a connection to perform an attack which is known as ARP cache poisoning. Basically, ARP poisoning is when a system connected to the network pretends to be another for the purpose of obtaining the traffic to the victim's system.
Even though WPA is not meant to supply protection to the network layer that ARP poisoning works on, by being able to conduct ARP poisoning it removes the protection that WPA does offer, removing its promise of maintaining a secure link between client and wireless access point. Technology such as IPv6, IPsec (which has had issues recently), and static ARP records can help mitigate the effects of an ARP attack, as can the use of SSL / SSH / VPN traffic at the highest level. A number of network monitoring tools can also be used to detect odd behaviour on a network segment, which can indicate an attempted ARP poisoning attack.
Unfortunately, all of this technology is useless if it is never turned on. Quite a significant percentage of business and home wireless access points, and the associated networks, have not applied any security protection and even if they have, a still not insignificant proportion will use the default security settings, including the default administrator passwords.
While companies and some home users will be taking steps to prevent connection of unknown clients to their wireless networks, major public access points are becoming more common, and will become more of a concern as attacks against wireless connections develop their capability. With coffee shops, fast food restaurants, and a range of community wireless access opportunities (Adelaide CBD, Macedonia, and numerous cities worldwide) providing more and more chances to connect to a wireless network, the false sense of security that pervades is likely to lead to significant information theft and data compromise in the future.
In other news, it has been a strange week for security disclosure; a number of vulnerabilities were announced and picked up on by the larger IT news sites which affected outdated products or which targeted specific examples of a much greater vulnerability. Products from vendors such as Google, Apple and Microsoft were caught up in this odd round of disclosure, and investigation into the claims usually resulted in identification of a misdiagnosis or overreaction. It definitely looked to be a week where the media was notified first (who then swallowed it completely), then the vendors whenever a vulnerability was disclosed.
Google's interface to various online messaging services, Google Talk, had a fairly quiet vulnerability disclosed which could cause the Windows version of the application to crash on receipt of a specifically formatted email. Subsequent investigation suggested that, while it was a real vulnerability, the impact was low and for the vulnerability to work a number of key conditions had to be manually set. Other reporting about Google indicated that they had quietly fixed a reported vulnerability with their GMail webmail service. Again, the vulnerability required a number of fairly specific nonstandard and detailed steps to be taken for a victim to be vulnerable to losing control of their GMail account.
Google also fixed a Cross Site Scripting issue with Google Base, their new data collation service. The vulnerability allowed an attacker to gain access to a victim's account details, which could then provide access to sensitive information in GMail, Ad Sense or Ad Words. It is felt that this issue was related to a vulnerability quietly closed at the end of September (alerted on 12 October) by Google.
Apple's vulnerabilities included a set of real vulnerabilities, and a set of vulnerabilities which would have more correctly been attributed to the underlying Operating System (Windows in this case). The Quicktime media player could have been used to execute arbitrary code if a user could be tricked into running a certain media file, but it only affects the Windows versions (solution is to upgrade to the latest version). This vulnerability was not widely reported, while a vulnerability which affected Apple's iTunes was. Upon investigation, it turned out to be the result of a specific Windows call not being fully called correctly and which a number of other applications had also been discovered to be vulnerable. The impact would be iTunes opening an unexpected application in response to specific calls from within the application, so if you expected a certain CD burning application to open, it could open Excel instead. Even though numerous applications from a range of vendors were found to make this specific Windows call incorrectly, iTunes was singled out as the apparent only vulnerable application.
While researching methods to exploit the vulnerability fixed by MS05-047, an Indian researcher uncovered a vulnerability which affected a fairly specific range of Microsoft Windows versions and patch levels. The discovered vulnerability affected Windows 2000 and XP systems, with a fairly old set of patches, which is possibly why the discovery was posted publicly rather than withholding it until Microsoft had a chance to properly assess the impact. The result of the published exploit code was such that a system would exponentially consume system resources until it could recover (after some time), which could be extended indefinitely by making sustained requests against the target machine (which would be very noisy).
Unfortunately, the overreaction from the industry media to the recent vulnerabilities only provides more confusion and misinformation to readers, especially when significant vulnerabilities or other vulnerabilities affecting the same applications are being overlooked. It was suggested that a lot of these were attempts by 'security' companies trying to increase business or to keep their names in the news for a little while longer.
At least the issues raised by Sony's rootkit haven't dropped out of the press, with continued focus on the removal tool that Sony has supplied, as well as other protection software used by additional CD titles. This continued focus has found some very concerning elements, especially the insecure ActiveX component which is supplied to the user who is trying to clean their system of Sony's malware (which can be used to remotely reboot a system, gain administrator level access, or execute code of choice). While Sony has started taking steps to withdraw the affected disks from sale, and refund customers affected by the issue, it still remains to be seen what the long term effects will be. Lawsuits have already been launched in the USA and Italy over this issue, with a number of companies now forbidding all music CDs from being played through their computer systems in an effort to prevent possible future compromise.
Of more interest with respect to Sony's rootkit are accusations that the anti-virus companies (in particular Symantec) were complicit in ensuring that their products did not pick up on the rooktit's presence, and actually went out of their way to ensure this was the case. While detection and removal of rootkits is generally left to specialised tools, a lot of people consider their anti-virus vendor to be capable of protecting them from all evil.
21 November 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.