Secure My Wireless Blog

The GhostNet: cybersecurity = national security

2009-04-08T09:54:00.001-04:00

Malware and cyber attacks are no longer the province of alienated hackers and international crime syndicates. National governments are using the same tools to spy on dissidents and rival nations. Recent research by the CitizenLab :: Version 4.0 has unmasked a far-reaching

suspected cyber espionage network of over 1,295 infected hosts in 103 countries. This finding comes at the close of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions that consisted of fieldwork, technical scouting, and laboratory analysis.

Using freely available Windows malware and some customized command and control software, the developers of GhostNet (who at the very least speak Chinese) have managed to penetrate an incredible number of sensitive governmental and political groups. Not surprisingly, China denies playing a role in 'GhostNet' cyberspy ring and of course, it is very difficult to prove the exact origin of these attacks. Listen to an interview with the researchers on the podcast Unmasking ‘GhostNet’ | WBUR and NPR - On Point with Tom Ashbrook.

Free Anti-Virus Software

2009-02-12T08:06:00.003-05:00

Although anti-virus programs won't protect you from many wireless network exploits, they will help detect malware after it's been installed, and are an important part of any security toolkit. Anti-virus programs are not perfect, however:

They don't detect all malware, and really only can detect viruses that have already been released in the wild. This means that you can still be infected even with an anti-virus program installed.
Many anti-virus programs add a huge amount of overhead to your system. Although there have been improvements recently, the Norton Anti-Virus suite was notorious for using tremendous amounts of system resources (processor cycles and RAM, mostly). Some benchmarks indicate that installing Norton cuts processor performance in half. This means that, if you have a 2 GHz CPU, installing Norton is like downgrading to a 1 GHz processor!
You must maintain your virus definitions regularly. Often, the update is a scheduled task that fires off when you boot up, slowing down performance and delaying the time until you can use your computer. Many people will cancel the updates out of frustration.

Having said all that, installing anti-virus software is a good idea for most Windows computers, and you should be able to scan files or your hard drives on a regular basis to be sure you haven't been infected. Here are some free programs that can do the job:

Windows: AVG Free.
Macintosh: iAntiVirus program for Intel Macs from PCTools.
Linux/Unix: F-Prot

In my Open Source & Linux Blog, I describe how you can Virus scan Windows using a Linux live CD using F-Prot.

Google's new Chrome browser is not secure

2008-09-29T12:06:00.000-04:00

Google’s new open source browser, Chrome, made a big splash when it was introduced earlier this month: Meet Chrome, Google's shiny new browser - CNET News. Perhaps the bloom is off the rose now that we’ve had a chance to take a closer look at the security, or lack thereof, in the new browser:

Early security issues tarnish Google's Chrome browser, note several publications, including PC World. Most alarmingly, Chrome is a security nightmare, indexes your bank accounts. Computerworld calls Chrome: Google's biggest threat to your privacy.

Since the product is in beta, it’s too early to say that Chrome is a complete disaster, but it should certainly be avoided when you want to log in to your bank or any other site that requires a password that you like to protect.

One of chrome’s most notable features is an impressive speed up in JavaScript performance. You can realize most of these benefits by using the The WebKit Open Source browser, which is based on the same HTML engine as Chrome: the Konqueror Web Browser from the K Desktop Environment, or KDE, project.

Surf safe!

More Gmail & Cookie hacks, plus a solution

2008-09-02T11:24:00.001-04:00

Now there’s another Good Reason To Go Full-Time SSL For Gmail: a new exploit that captures session cookies to give hackers access to your Gmail account.

Details here: Gmail Account Hacking Tool | Hacking Truths (since the original article is not available, I’ve posted the text below).

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

This is Google’s (and all web application developers) responsibility, because only the app developer can ensure that all transactions between the client and server are secure. To Google’s credit, they now offer an option to permanently switch on HTTPS. Details here: Enabling the HTTPS setting - Help Center

Update

This exploit is also a problem for financial institiutions -- as if they don’t have enough problems already: CookieMonster nabs user creds from secure sites • The Register

The solution: web application developers need to take the following steps:

Write their applications to ensure that all communication between the browser and the web server happens over SSL (https protocol, on port 443).

When the application uses cookies, mark all sensitive cookies (cookies that contain passwords or other authentication data) as secure, i.e., to be sent over encrypted connections only.

Clearly these are fixes that are not available to the end user. Only web developers can implement these basic security precautions. In the meantime, here’s what you can do as an end user:

Perform transactions that require a secure connection only on a secure network. The best option is a wired-only network. Since these are becoming more and more rare, it’s important to ensure that your wireless network is completely locked down with good encryption (WPA) and strong passwords.

Contact your bank or favorite email provider and request that they use https (SSL) and secure cookies to protect your account.

Surf safe!

Here’s the full text of the article Gmail Account Hacking Tool | Hacking Truths from hungry-hackers.com, which was offline earlier:

Gmail Account Hacking Tool

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

11 charged with massive ID theft

2008-08-06T13:41:00.002-04:00

Boston has become somewhat of a hub for what is looking like the biggest ID theft in US history (to date, of course). The US Attorney General Michael Mukasey annonunced yesterday here in Boston that a ring of 11 were charged with massive ID theft in a series of successful attacks on the wireless networks of major retailers:

“They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said.”

The ring is notably international, which shows how this type of crime is not in any way limited by geography. Note in the following quote that the hackers used better security than their victims:

“The defendants - one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin - allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States.”

The key to the operation: breaking into the networks of these large retailers through the weakest link in the perimeter, their poorly secured wireless network.

nmap scanning

2008-07-25T14:30:00.003-04:00

One of the most useful tools for IP networks is nmap, available as an open source command line program, with various "graphical" front ends for the different platforms.

Here's how to do a quick network scan of your wireless router to see what machines are using your air space, and then what services are available on each box.

I use two commands. Use sudo to ensure you get all the info:

sudo nmap -sP 192.168.X.*

then,

sudo nmap -sV 192.168.X.Y

You'll need to replace X and Y with the correct numbers for your router. To find out what IP address space you are in, run ifconfig (UNIX/Mac) or ipconfig for Windows at the command prompt.

Ping Scan

Here's the nmap command to ping all the devices attached to your router, including wireless connections (nmap doesn't care how the devices are attached to the router):

sudo nmap -sP 192.168.X.*

This checks all 256 addresses in the Class-C address space 192.168.X, where X is an integer from 0 to 255. Most retail browsers use this type of address space; a high-end corporate or data center router might use a Class B address.

192.168 is a private, reserved Class B network that limits access to the addresses inside from external visitors by default. See Private Network (http://en.wikipedia.org/wiki/Private_network) for all the geeky details.

So, here's how to ping scan all the devices attached to your router:

neil@shubuntu:~$ sudo nmap -sP 192.168.3.*
[sudo] password for neil:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 14:54 EDT
Host 192.168.3.1 appears to be up.
MAC Address: 00:17:3F:45:09:30 (Belkin)
Host 192.168.3.3 appears to be up.
MAC Address: 00:1E:52:76:17:CC (Apple)
Host 192.168.3.5 appears to be up.
Host 192.168.3.7 appears to be up.
MAC Address: 00:E0:29:86:CE:02 (Standard Microsystems)
Host 192.168.3.8 appears to be up.
MAC Address: 00:0D:93:EA:68:2F (Apple Computer)
Host 192.168.3.9 appears to be up.
MAC Address: 00:19:1D:F6:63:C6 (Nintendo Co.)
Nmap done: 256 IP addresses (6 hosts up) scanned in 11.005 seconds

Version Scan

Now that you know what's out there, responding, you can check each address to see what services are running on each box. This is particularly useful for diagnosing problems, or identifying an intruder.

Let's take a closer look at the Macs on the network:

neil@shubuntu:~$ sudo nmap -sV 192.168.X.3

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 13:53 EDT
Interesting ports on 192.168.X.3:
Not shown: 1710 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7 (protocol 2.0)
88/tcp open kerberos-sec Mac OS X kerberos-sec
548/tcp open afp Apple AFP (name: SilverSurfer; protocol 3.2; Max OS X 10.4/10.5)
5900/tcp open vnc Apple remote desktop vnc
MAC Address: 00:1E:52:76:17:CC (Apple)
Service Info: OS: Mac OS X

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.634 seconds
neil@shubuntu:~$ sudo nmap -sV 192.168.X.8

Starting Nmap 4.53 ( http://insecure.org ) at 2008-07-25 13:55 EDT
Interesting ports on 192.168.X.8:
Not shown: 1713 filtered ports
PORT STATE SERVICE VERSION
548/tcp open afp Apple AFP (name: gforce; protocol 3.2; Max OS X 10.4/10.5)
MAC Address: 00:0D:93:EA:68:2F (Apple Computer)

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.679 seconds

HoverIP: Free Network Tools for Windows

2008-07-11T23:44:00.001-04:00

HoverIP v1.0 beta

HoverIP is a powerful set of IP utilities, all inside a single box !

With HoverIP you can display your IP configuration (on all network cards), perform different tasks like NSLOOKUP, PING, TRACEROUTE, SCAN PORTS or network, and manage your ROUTES in a very convenient way !

Important Note : HoverIP will not work with Windows 95 and has not been tested on all Windows platforms.

Go to the HoverDesk Freeware page, or download HoverIP directly.

Mac OS X users: no need to download anything for the same features. Just run Apple's Network Utility. Quick tip: open Spotlight (Apple-Space) and start typing Network Utility -- by the time I got to the letter "e" I could just hit Return to launch it as the Top Hit.

Airlines rolling out inflight wi-fi

2008-06-24T15:24:00.003-04:00

American Airlines is about to roll out inflight Wi-Fi for airline passengers.

The service is called gogo, from Aircell. Aircell is the only company authorized by the FCC and FAA to use cellular frequencies for inflight communications, and holds 20 patents, according to Wikipedia, so you're not likely to see much competition in the space anytime soon.

It's in testing now, and will be rolled out shortly. It's only offered between certain cities. (Flight must be over land, to transmit to and receive from the towers). American Airlines will offer it first, followed by Virgin.

This site includes a video showing how this works, as well as a review by Walt Mossberg, who rated it at 600kbps down and 250kbps up. (It will be interesting to see how well the speed holds up, when there are more users).

The service costs $13 for long flights, and $10 for medium flights.

I guess airlines wanted to get this released so they'd have another revenue stream. In this economy with these high fuel prices, they need it.

Most data theft tied to basic security flaws

2008-06-11T08:45:00.000-04:00

Just like locking your car doesn’t prevent a determined car thief from taking your ride but prevents the majority of casual joyriders from “borrowing” your wheels, basic computer security precautions will stop all but the most determined data thieves, according to a new study that finds that Most data theft tied to basic security flaws.

As with most other approaches to security, such as physical or property security, the goal isn’t to prevent absolutely every type of attack or exploit -- which is basically impossible -- but to discourage all but the most determined bad guys. The typical data thief is not very technically sophisticated, but instead casts a broad net for easy pickings: computer systems without patches applied, without basic firewall services, without basic wireless security.

The moral of this story? If you take the time to configure the most essential security precautions, you will prevent the vast majority of security exploits.

WEP is worthless. Don't use it.

2008-03-16T12:50:00.003-04:00

Is WEP wireless security better than no security at all? Probably, but not by much. Don't use WEP for Wi-Fi security, researchers say. It will prevent casual crackers from hacking into your network as they drive by, but if they stop for a traffic light, or to roll down the window and point the Pringles can at your WiFi router, they are in.

Instead, use WPA security to encrypt your wireless traffic. For details, see my post on How To Secure a WiFi Router for the Best Wireless Security. To better understand what all the letters & numbers mean (WPA, WEP, PSK, 802.11b, etc.), see Keith's post on 802.11 Alphabet Soup.

Connect a Mac (Tiger 10.4) to a WPA Wireless Network

2008-03-16T12:17:00.006-04:00

In my previous post, I reviewed the best settings to secure my wireless network. Now it's time to connect my Mac laptop, gforce, running Tiger (OS X 10.4.11), to my WiFi (802.11g) wireless network. Boot up, and follow these steps:

Turn on AirPort. I use the AirPort menu to do this, on the right side of the menu bar. The "fan" icon changes from a hollow outline to grayed-out "radio waves".
Select Other... network from the AirPort menu. This is required because I turned off SSID broadcasting when I secured my WiFi router.
In the Network Name field, type the secret but memorable SSID.
Select WPA Personal from the Wireless Security drop-down menu. Note: the specific WPA security protocol is set by the wireless router; you need to match the setting on the router with this menu pick.
Enter your fearsomely strong passwor d. Tip: unless you think someone is spying on you with high resolution optics, you can check Show password. It certainly reduces the typos.
Click [OK].

That's it! You are online. Test it out by opening your favorite browser and surfing to you your favorite search engine.

The Closed Network dialog. Enter the SSID here.

After you select WPA, you can enter the password.

Tips

If you can't see the AirPort menu, you can turn it on here: System Preferences > Network tab; select Show: AirPort; check Show AirPort status in menu bar.
Also, while you are making changes to the AirPort preferences, you should consider selecting By default, join: Preferred networks. If this doesn't work as expected, select the line corresponding to the SSID you selected, move it to the top of the list, and click the [Edit...] button to ensure the WPA password is set correctly.
If you think you might be having problems with interference or a poor signal, perform these steps right next to the wireless router to bathe your AirPort card in the strongest signal possible..
Save your WPA password in your Keychain, where it will be safely encrypted, so you don't have to enter it every time.

How To Secure a WiFi Router for the Best Wireless Security

2008-03-16T00:49:00.005-04:00

What is best setting to secure my wireless network? What's the safest way to secure my Wifi enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.

Connect your network, wired only: connect the router to your (cable/fios/phone) modem, which is of course connected to your ISP's wire. Note: in some case, the router & modem are the same device. Connect a properly-configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, & modem, if required.
Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
Go to the Wireless section on your router's administrative pages. Your browser may use different terms, like WiFi instead of Wireless.

Set your wireless network up as follows:

Hide it from Casual Snoops

These options won't protect you from a hardcore hacker (like that 14-year old kid who lives a few doors down) but will hide your network from the lazy & unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:

Change the SSID (or Network Name) to something memorable, besides the default. This isn't a password, so you can use the name of your dog, or other dictionary words. If someone guesses this, they still have to get past your impossible to guess password to use your WPA network.
If possible, turn off the option to broadcast the SSID.
Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in.

Now, to connect to your wireless network, you have to know the SSID you set. Just don't use the default name.

Set up WPA Encryption

WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.

Select WPA as your security/encryption mode (also WPA2-Personal PSK)
I recommend WPA-PSK authentication & TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
Set an fearsomely strong password.
Save/Apply your changes.

Now, breath easy. You are locked down. Let's do a few more things to make sure your net is tight.

Turn off remote management. If you turn this on, chances are that you will be owned eventually.
Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.

That's it. Save any changes, and now try to connect with your laptop.

Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.

Wireless hack = heart attack

2008-03-12T23:08:00.003-04:00

Worried that your notebook is vulnerable to wireless hackers? Did you feel like you were having a heart attack when you realized that hackers had gained access to your gmail account? At least it was just a feeling, and not the real thing. But not for long: according to the New York Times, A Heart Device Is Found Vulnerable to Hacker Attacks. The researchers "were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal — if the device had been in a person" -- people like Vice President Dick Cheney, who is one of the most notable users of the Medtronics device.

Fortunately, you don't need a Secret Service detail equipped with WiFi jammers and automatic weapons to protect you from this threat. "The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists" and the equipment used for the hack had to be within two inches of the pacemaker -- basically, you'd have to press it against the victim's chest to be within range. If you got that close, more traditional methods of interrupting the victim's heartbeat might be utilized.

This is, however, a perfect example of how:

Wireless transmission capabilities, with connections to the Internet, are appearing in all kinds of devices, and not just your laptop/cell phone/PDA.
No one is thinking about securing these devices.

Let's hope that manufactures start securing these devices, especially the ones that are attached directly to vital organs.

Wireless Trends for 2008

2008-03-06T11:41:00.005-05:00

For some great information on 802.11n and other wireless trends, AirWave's webcast Wireless Trends 2008 - What You Need to Know is available on Airwave's Webcast Library page.

Some highlights from the webinar:

802.11n will be ratified in Q3 of 2009
It's safe to purchase 802.11n devices now. These devices will "with just the slightest doubt" be compatible with the final standard.
With 802.11n, you can expect performance of 4-6x times that of 802.11g
Note that Gigabit Ethernet is a requirement, otherwise your wired LAN will be slower than your wireless link.
There will be no need to replace your 802.11g equipment
Don't try to run 802.11g and 802.11n at the same time in the same channel

For recent performance test results of 8.02.11n products, see this article in Network World.

Mobile Smartphone Users Targeted by Trojans

2008-03-06T10:38:00.003-05:00

McAfee has an article on Symbian mobile users in China being targeted with a Trojan that targets users of the QQ network. (QQ is a very popular Instant Messaging network in China).

McAfee notes that the Trojan contains a number of different pieces of malware. Also, they note that it was written to make a profit, not to forward the notoriety of the hacker.

McAfee also has some information on a Trojan targeting Windows CE devices that was recently discovered as well. The software, WinCE/InfoJack, was created to report information about the phone's OS and version back to a website. It also disables some of the phone's security, allowing unsigned applications to install without warning.

With the growing popularity of smart mobile phones, this activity will only increase. Users should be careful where they download software and applications from. If you get any suspicious SMS messages to your phone, don't start clicking the links.

Digital Picture Frames, USB Hard Drives Found Already Infected with Trojans

2008-02-18T16:02:00.002-05:00

This is a little off the wireless topic, but important for security nonetheless: A recent article in the San Francisco Chronicle mentions that many USB photo frames have been found to contain Trojan Horses. When plugged into users' computers, these Trojans can get automatically installed without the user knowing. Antivirus software may not help because they don't yet have signatures for these Trojans.

A similar problem regarding USB hard drives was discussed last year at Slashdot.org.

What's the solution?
If you run Windows, disable autorun. A few sites on how to do that are here and here. Don't trust any free software already on these devices or hard drives.

Mac and Linux users generally are safe, because autorun is unsupported or disabled by default.

Vulnerabilities Found in Many Wireless AP's

2008-02-18T15:31:00.002-05:00

A security software firm (Codenomicon) tested their software on various Bluetooth, Wi-Fi, and WiMax devices and found a very high vulnerability rate. In their whitepaper [PDF], they tested several brands of Wi-Fi Access Points (although they don't say which brands) and found vulnerability rates ranging from 25%-75% for their tests.

Take the report with a grain of salt, however, since they may be biased to sell their testing software.

Home users should consider setting up a DMZ for their wireless access points.

Corporations should consider a Wireless Security solution on top or their existing wireless infrastructure, such as Aruba Networks or AirWave (Aruba has recently announced they will be acquiring Airwave).

Gmail still not 100% safe even over SSL... beware of SideJacking

2008-02-08T22:41:00.001-05:00

What is SideJacking? It's a new term for hijacking your browser session.

SideJacking was listed as one of The Five Coolest Hacks of 2007.

What's new here is that your Gmail account can be compromised even when SSL is being used.

From the Errata Security Blog:
"SSL is not always complete. A good example is Gmail. In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails."

And, how would SSL fail? A wily hacker just needs to send a few RST (reset) packets to thwart the SSL communication on port 443. (If there's not already a tool to make this process easy, don't worry, there will be).

So, what's the solution?
Until Google fixes these weaknesses, VPN tunnels are your friend. Basically, the only 100% secure (or as close as you can get) way to connect to the internet securely is to connect over a VPN tunnel to your home machine, then browse to the internet on that machine. This was also covered on GRC's SecurityNow podcast some time ago.

You can also run LogMeIn or GoToMyPC on your home computer. These encrypt communication from your laptop to the host computer. Connect to your home computer that way and then do your browsing.

You could also connect with an SSL VPN box at your company, and if it's configured, browse from there.

Hopefully Google will fix the security weaknesses. I should mention that Gmail is still the best major free web-based email solution, since MSN and Yahoo force SSL for the password entry, but don't encrypt the pages after that point. Gmail lets you conduct the whole session over SSL even after you're logged in.

Lastly, another protection is to make sure you log out of Gmail when you're done. That way, if you go to a coffee shop and you're browser is open when you wake up your laptop from suspend mode, it won't automatically connect, potentially exposing your session id. And if you do use Gmail there, log out when you leave, since that way if someone just stole your session id but hasn't yet used it to compromise your account, it's ok because you've just invalidated it.

I plan to do some testing on Firefox soon to see if it pops up its warning "Although this page is encrypted, the information you have entered is to be sent over an unencrypted communication and could be easily read by a third party" when SSL is blocked during a Gmail login.

For more information on browser security, check out this page from Michael Horowitz' site.

What NOT to do with your Wireless LAN

2008-02-06T21:18:00.000-05:00

In this classic blog post, The six dumbest ways to secure a wireless LAN, ZDNet's George Ou describes the worst way to secure your WLAN. From the article:

For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so called" security experts propagated these myths through speaking engagements and publications and many continue to this day.

Also don't miss his Wireless LAN Overview for beginners.

TrueCrypt ships version 5.0 today

2008-02-06T21:10:00.000-05:00

Version 5.0 of the free, open-source and cross-platform encryption program TrueCrypt is now available for download and installation for Windows, Mac OS, and Linux.

TrueCrypt:

Creates a virtual encrypted disk within a file and mounts it as a real disk.
Encrypts an entire hard disk partition or a storage device such as USB flash drive.
Encryption is automatic, real-time (on-the-fly) and transparent.

Further information regarding features of the software may be found in the documentation.

Recommendations for a Safe Browser

2008-01-15T06:46:00.000-05:00

I enjoyed the post on 'Safe' and 'Promiscuous' Web Browsers.

It was also stated in this followup post what browsers he uses: “Normally my primary promiscuous browser is Firefox, and my secondaries are using REALLY old and obscure versions of Netscape and Safari--ones that no one uses.”

I say, 'to each his own.' I don't think the average user wants to bother finding and running old versions of browsers. First there's the compatibility issue of getting it to run on your OS (make it old, but not TOO old), and then there are sites that just won't display or function correctly when you visit them.

If users don't want to get that complicated, I recommend another solution that will nip this in the bud. Run Firefox with the AdBlock Plus and NoScript extensions.

AdBlock plus is great, it automatically blocks most advertisements on web pages. That's where most of these exploits are coming from, anyway, so by blocking them right off the bat, there are less threats out there to worry about.

The second extension I recommend is NoScript. This prevents any script from executing on any webpage. Obviously, this makes some sites not display or function properly, so when you're on a site you trust and want to interact with, you can select to either temporarily or permanently whitelist it. The NoScript extension is so secure that it can even be a pain in the neck sometimes, such as when you visit a site and try to register, then realize you need to whitelist it so the "submit" button will work, for example. When you whitelist it, it reloads the page and sometimes the text you just typed in disappears. So it's helpful to remember to whitelist when you first load the page!

An alternative to NoScript, if you find it too annoying, is the extension FlashBlock. This extension prevents flash from running on any sites you visit. Where a flash window would be, a 'play' button appears that you can click if you want the animation to run. Like NoScript, you can also whitelist sites.

I doubt you could get much more secure than the AdBlock/NoScript combination for a browser, but hey, to each his own. Personally I do not recommend running old software. It can have old vulnerabilities you wouldn't think of, and even though these vulnerabilities may not be often targeted, the Internet is so vast, how do you know you're not going to come across an old web page with a vulnerability on it, and get compromised? Also, many newbie users have their Windows Updates turned off and their antivirus out of date. I've seen enough PC's infected with exploits I thought weren't even around anymore so I recommend to stay current with whatever you use.

Sears.com installs spyware

2008-01-07T08:54:00.000-05:00

Although this isn’t specifically about a wireless networking issue, this horrifying story illustrates how important it is to keep your computer safe from spyware and malware. It doesn’t matter how good your wireless encryption is if everything you with your browser is sent to some anonymous marketing research company. Why, exactly, does a market research company need my bank account user name and password, anyway?

This story appears on the CA Security Advisor Research blog:

Sears.com: Join the Community – Get Spyware

Check out the Sears Update: Privacy Policy, Scorecard, and Genetic Heritage for more information on the source (“genetic heritage”) of the spyware and more details about the issues this software raises.

For the weasel-like corporate spin from Sears on this clear breach of consumer privacy, see this update: Sears Update: Response to Rob Harles, VP SHC Community.

Fortunately, this year I was able to do my Christmas shopping without going to Sears. It will be a long time until I favor them with my business again.

Security Researcher Promotes Concept of 'Safe' and 'Promiscuous' Web Browsers

2007-12-21T16:55:00.001-05:00

In this brief article (http://www2.csoonline.com/exclusives/column.html?CID=33396) we find an excellent tip for safe surfing that applies to wired and wireless networks:

It involves having two browsers: One, which he calls the “promiscuous” browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking.

Also, you can read the commentary on Slashdot here: http://it.slashdot.org/it/07/12/21/1317217.shtml

Secure Email on the Road

2007-12-14T17:53:00.000-05:00

If you use a laptop and you need to check your email on the road -- in other words, using a network or a computer that you can't be sure is safe -- you need to establish a secure point-to-point connection to your server for both sending and receiving email. In an earlier post, I described the safest way to connect to Gmail on a public network; this post describes a similar approach for email at your domain.

There are several ways to check your email over a secure connection:

Use your email provider's web interface, and connect to the web mail page using SSL (https, not http).
Use SSL to connect your email client (Outlook, Thunderbird, etc.) to your mail server.

Note that either option requires that your email provider supports these secure connections. For my company (Cadent), I use DNS Made Easy's IMAP and SMTP services. I haven't found better pricing anywhere else, and their service has been tremendously reliable.

How To Send Email Securely

The approach I describe here will work on any wireless network, or any insecure wired network, to protect your email login and downloads. Otherwise, your email transactions, especially your login, are transmitted in clear text, which means anyone who's watching can see your user name and password.

That's right, the default setup for most email programs is to transmit everything, including your login, unprotected in the clear! To protect your email accounts, you only need to configure your email client once to use a secure connection, and then you will be safe every time you use that email client software.

Web Mail

If your email provider offers a web mail page, use it, with SSL. Our company's email provider, DNS Made Easy, offers webmail in two flavors: SquirrelMail and and some email services even build their own

This approach works quickly and easily. Just use SSL by adding an "s" after the "http" like this:

https://webmail.mydomain.com

That's right, substitute your domain. This approach works exactly the same way as the safest way to connect to Gmail on a public network, so see that post for details.

Secure IMAP with SSL

Your communications with your incoming email server need to be protected so an eavesdropper can't steal your password and read all your email. I'm a big fan of using the IMAP protocol for my incoming email, instead of POP. That's really a separate discussion, but for now you should know that IMAP is really the way to go if you check your mail from more than one computer.

Here's how to encrypt the traffic between your email program and your incoming IMAP email server:

Use a provider (such as DNS Made Easy) that supports an IMAP SSL connection; or, for a corporate email system, ask your IT guy to set it up (he really should, anyway).
In your current email client (Outlook, Thunderbird, etc.) open the account settings dialog box. Usually, this opens a tabbed or many-sectioned dialog box. Select the tab for your incoming or receiving email server.
Check or select the "SSL" encryption option. Note: this may be hidden under "Advanced" or some similar secret place -- one of the reasons why most people don't do this.
Enter your

That's it! Now, click [OK] to save your changes, and now try checking your email. Even better, send yourself an email from another account, like Gmail, and make sure it comes in correctly.

Here are some links to step-by-step instructions for different mail clients:

Check your mail client's online help for current details.

Secure SMTP

You need to protect your connection with your outgoing (SMTP) server so spammers don't hijack your user name and password to use your account to send spam. Because of this problem, many ISPs don't allow you to use their SMTP servers unless you are connected through their network, even if you need to authenticate with a username and password. One of our ISPs, Verizon, is an example of this approach. So, even though I need a user name and password to send email via Verizon, I usually can't do this when I'm on the road, unless I'm at a client's that uses Verizon, too.

So, here's what I did:

Set up a secure SMTP server at DNS Made Easy.
In my mail client, I opened the account settings dialog box, and went to the outgoing (SMTP) server settings.
I selected the "SSL" option for encryption.
I typed in my username and password.
Just to be safe, I changed the SMTP port to a port that only accepts SSL, in my case, port 465 -- this may be different for your SMTP server.
I clicked [OK] to save my changes.

I sent a test message to confirm everything worked and I typed my strong password correctly. All set! I'm ready to take this show on the road.

Strong Passwords

2007-12-12T11:08:00.000-05:00

One of the foundation stones of a secure wireless computing, or any computer security for that matter, is strong passwords. Here are some of my favorite tools for generating strong passwords:

The Security Guide for Windows - Random Password Generator: this web-based tool generates passwords of any length you specify (the default, 8 characters, is an excellent choice). Other great features include: “no similar characters” (e.g. i, l, o, 1, 0, I); and the option to generate multiple passwords with one click, which is very handy if you need to set up several accounts all at the same time.
GRC’s Ultra High Security Password Generator generates long (63+ characters) password strings, using Hex, ASCII, and alphanumerics, every time you refresh the page. Plus, the page itself is transmitted via SSL! There’s plenty to read about each password string, as well as information on WPA keys and technical details of how the password is generated. Plus, check out the GRC | Security Now! podcast, where this password generator page is often mentioned -- a great computer security podcast.
Finally, you may need a place to store all these passwords. I use the open source Keyring for Palm OS to keep all my passwords close at hand, safely encrypted. This Palm OS program also generates passwords, so you might not even need the web sites noted above.

Let me know if you’ve found a password generator that works for you.

Neil