Securing your Wireless Access

Blood is thicker than water. But water is more refreshing. That’s a free pearl of wisdom for you. Enjoy!

More wise words can be found in this month’s Bench Test, which looks at the NVD 2910 network dome from Genie CCTV. What did our experts think? If you read it, you will know. It’s that easy!

The Access Control Doctor is in as well. Today he’s banging on about biometric access systems. Nice work, doc!

Visonic’s Tony Mann provides us with an installer-focused piece on the move towards wireless security systems. Compelling.

And we’ve got helpful video from the folks at CSL DualCom – which you can also download to your mobile telephone. A la mode!

There are also many other stories! Nice.

www.info4security.com, www.ifsec.co.uk

Microsoft issues a report that overall internet worms have increased by over 98% over the previous quarter.  Internet worms have gone from the 5th greatest threat all the way up to number 2nd on the list.  Worms are getting into personal computer and telling them that their computer is infected or redirecting them to other sites trying to get them purchase items.  On the bright side overall computer vulnerabilities have decreased over the same time.  Microsoft found that overall computer security vulnerabilities have decreased by over 30% in the last 6 months.  We believe this will actually start to increase with the release of Windows 7.  Computer security holes and vulnerabilities will be found in Windows 7 and it is only a matter of time before hackers start to go after Windows 7.  The more we educate user about computer security the safer the internet becomes.

Microsoft Story

I found this interesting article about identity theft and what are the 5 major ways Identity Theft occurs.  The first one is that people don’t change-up their daily routine.  If people are watching you and your routine doesn’t change they have any easy way into your world.  The next two are ones we have talked about several times in social networking and computer scams.  Part of our guide to social networking is that you should never post sensitive data on you page and make sure your profile is set to private.  Computer and internet scam are running wild all over the internet.  Several computer security experts say that scareware and spyware has grown by over 600% in the last year.  The fourth way is through hackers (internal and external) stealing sensitive information of customers.  We hear stories all the time about credit card companies or financial companies losing customer data.  I wish I could say that is going to slow down in the future but I expect it to actually grow over the next several years.  I also expect that Identity Theft will grow by over 15% in the next and 20% the year after that.  The last method is through Healthcare moving to electronic records.  I agree that in the move to electronic records that we will see more identity or fraud from this activity.  I just wanted to share what the article said are the five vulnerabilities for identity theft and that we have to agree with all of them.  The biggest threats rights now come from the internet and internet scams.  The internet is full of spyware and scareware that is waiting to steal your identity or to harm your computer.

Article Link

KEAMANAN JARINGAN NIR-KAWAT (WIRELESS SECURITY)

Jazi Eko Istiyanto Pengajar Program Magister Ilmu Komputer
Universitas Gadjah Mada e-mail: jazi1elins@yahoo.com

PENDAHULUAN

Dengan meluasnya penggunaan PC, Internet, dan telepon seluler maka kita dapat mengharapkan munculnya ubiquitous computing di mana komputer/dan komputasi ada di mana-mana: di setiap tempat, di setiap peralatan, pada setiap orang.

Permasalahan yang muncul di antaranya adalah interoperabilitas antar system, antar muka system dengan instrument, system operasi yang real-time, bandwidth jaringan, coverage area, keamanan data, dsb.

Keamanan data menjadi permasalahan penting ketika orang bisa mengendalikan peralatan rumah tangganya secara remote menggunakan teknologi seluler, apalagi bila nanti dicapai interoperabilitas antara Web Internet dengan WAP telepon seluler, sehingga orang dapat mencek status pintu rumahnya (terkunci, terbuka, tertutup tidak terkunci) dan kemudian mengaktifkan actuator pintu (membuka kunci, menutup, mengunci, mengaktifkan alarm) melalui telepon seluler, warung internet, ataupun dari PC yang terhubung ke Internet di kantornya.

It’s every schoolboy’s dream: an easy way of looking through walls to spy on neighbors, monitor siblings, and keep tabs on the sweet jar. And now a dream no longer…

Researchers at the University of Utah say that the way radio signals vary in a wireless network can reveal the movement of people behind closed doors. Joey Wilson and Neal Patwari have developed a technique called variance-based radio tomographic imaging that processes the signals to reveal signs of movement. They’ve even tested the idea with a 34-node wireless network using the IEEE 802.15.4 wireless protocol, the protocol for personal area networks employed by home automation services such as ZigBee.

The basic idea is straightforward. The signal strength at any point in a network is the sum of all the paths the radio waves can take to get to the receiver. Any change in the volume of space through which the signals pass, for example caused by the movement of a person, makes the signal strength vary. So by “interrogating” this volume of space with many signals, picked up by multiple receivers, it is possible to build up a picture of the movement within it.

In tests with a 34-node network set up outside a standard living room, Wilson and Patwari say they were able to locate moving objects in the room to within a meter or so. That’s not bad, and the team says there is ample potential for improvement by increasing accuracy while reducing the number of nodes.

The advantage of this technique over others is, first, its cost. The nodes in such a network are off-the-shelf and therefore cheap. Other through-wall viewing systems cost in excess of $100,000. The second advantage is the ease with which it can be set up. Wilson and Patwari say that adding a GPS receiver to each node allows it to work out its own location, which should dramatically speed up the imaging process. Other systems have to be “trained” to recognize the environment.

Wilson and Patwari have even worked out how their system might be used:

“We envision a building imaging scenario similar to the following. Emergency responders, military forces, or police arrive at a scene where entry into a building is potentially dangerous. They deploy radio sensors around (and potentially on top of) the building area, either by throwing or launching them, or dropping them while moving around the building. The nodes immediately form a network and self-localize, perhaps using information about the size and shape of the building from a database (eg Google maps) and some known-location coordinates (eg using GPS). Then, nodes begin to transmit, making signal strength measurements on links which cross the building or area of interest. The received signal strength measurements of each link are transmitted back to a base station and used to estimate the positions of moving people and objects within the building.”

That’s ambitious, but if they do get their system to the point where it can be used like this, it raises another problem: privacy.

How might such cheap and easy-to-configure monitoring networks be used if they become widely available? What’s to stop next door’s teenage brats from monitoring your every move, or house thieves choosing their targets on the basis that nobody is inside?

Of course, in the cat-and-mouse game of surveillance, it shouldn’t be too hard to build a device that disables such a monitoring network. But only if you know it’s there in the first place.

There are fun and games galore to be had with this idea.

Source

A new trojan spreading across the internet is designed to steal your bank account information and money.  This new trojan will infect IE 6, 7, 8, Firefox and Opera running on Windows.  This new trojan obtains your username and password of your bank account and then starts to withdraw money from your accounts.  What makes this trojan so dangerous is that it creates a fake webpage that displays your bank account information as if nothing was missing but in reality your money is being withdrawn. This kind of trojan will start to be common place in the near future as more computer users don’t protect themselves.  Computer security is critical to anybody access the internet and everybody should have spyware software installed.  If you are doing online banking then spyware software is even more critical to computer security.

Trojan Story

Microsoft has released several new patches for Windows on Tuesday.  The majority of them are critical and need to be installed immediately.  Remember that computer safety and security starts with updating your computer.  Please visit Windows Update and install all critical patches today.

Internet Safety Center

I had an opportunity this week to be involved in some testing of Motorola’s AirDefense wireless security solution at a client where we were conducting their annual PCI Security Assessment.  I wrote in a post a while back about wireless IDS/IPS and discussed my findings from that testing a couple of years ago.  With everything in technology, as time passes, things change.  Fortunately, things change for the better, but there are still potential pitfalls.  This should not be viewed as an endorsement of the AirDefense solution.  It just happens to be the solution that we were able to test.

Again, as I have stated previously, I am not going to delve into the details of how to accomplish making a network device ‘stealthy’ because I do not want to give anyone ideas or a leg up.  However, it should be noted that doing this is not difficult.

Two years ago, we configured some wireless access points to be very stealthy and located them around a facility and then had AirDefense attempt to locate and identify them.  While AirDefense was able to identify half of the rogue access points and that they were potentially rogue access points, it was not able to confirm that these devices were in fact within the confines of the facility.  The bottom line, half of the devices were not identified, so you had a 50-50 chance of finding a potentially rouge access point.  Not very good odds in the security business.

It is now two years later and I am going to conduct a very similar test.  First, this test was not quite as similar as I would like as we used cable/DSL routers with integrated wireless b/g access points.  The reason the testing will not be similar to the last time is that the test devices being used this time have built-in firewalls that protect the wireless versus the access points that we tested with the last time which had no built-in security features beyond WEP.  One of these devices we kept stock, using only the vendor supplied security capabilities.  On the other device we loaded up DD-WRT and made significant changes to make the access point and device itself as stealthy as possible.  In addition, we only have two devices to use versus a variety of devices two years ago.  However, using vendor firmware and DD-WRT should give us a good set of tests.

In our first test, we plugged the routers in (electrical as well as network WAN port on the router) and let them run in native, non-stealthy mode so that we could see how AirDefense would respond for our baseline.  As expected, AirDefense performed flawlessly and found and identified these devices without a problem and about two minutes later delivered the security alerts to the client’s security and networking personnel.  Unfortunately, our client is in the process of implementing more AirDefense sensors because they just moved into their new expansion space and we were located there.  As a result, AirDefense could not specifically locate the wireless.  However, with a few more sensors, they could have narrowed the search area and somewhat triangulated on the location of the rogue devices.

For our second test, we configured both devices to be as stealthy as possible.  Because of the limitations of the vendor configuration software, we were not able to configure that unit as stealthy as the one running DD-WRT.  The client reset the AirDefense database and we plugged everything in again.  The router running the vendor software was identified very quickly just as in the original test.  The DD-WRT device took some human intervention to determine that it was likely a rogue device.  However, the good news is that this time the DD-WRT device was found by AirDefense unlike two years ago when most of these devices were not found.

During our debrief regarding the testing with the client’s security personnel, we identified some frustrations with AirDefense.  The biggest is that, with the prevalence of wireless, the sensors are flooded with signals out in their retail locations.  While AirDefense claims that with an appropriate number of sensors it should be able to sift through the chaff of signals, my client’s experience is that it does not.  They have spent a significant amount of time attempting to tune the system so that spurious signals have a minimal impact, but they have found that all it takes is adjacent retailers or even homeowners to add wireless and AirDefense goes on alert, regardless of the number of sensors.  This client has installed AirDefense at only 20% of their locations, but they tell us that the number of daily alerts can be mindboggling and a lot of work to clear.  While the client’s staff has slugged through these alerts day after day, management is obviously very concerned about maintaining this level of diligence going forward as the rollout completes.

Another problem that they run into is with the coffee shops that are located within their retail locations.  However, it is not with the separate access points that these locations operate as they have been tuned out.  No, it is the coffee shop’s customers’ notebooks and netbooks that are the problem.  Most of these devices’ wireless are mis-configured and are acting as access points as well as wireless clients.  This creates the bulk of their alerts within their retail facilities and masks a lot of the real alerts.

The other point that the client’s security personnel wanted passed along to others is that an AirDefense type of solution is not a guarantee that you will identify every rogue access point.  Most of this problem is related to the human element.  All it takes is a lapse in diligence and you can end up with problems.  This was brought home the week before we arrived when the client’s resident wireless security guru was on vacation.  While on vacation, a couple of alerts were written off by their back up because of this person’s inexperience.  Turned out that these alerts were real problems and required action when they were uncovered when the guru got back.  There will be more remedial education for all other security personnel on the AirDefense system.  However, the bigger change will be making sure that the guru is not the only one making the call on what gets investigated.  With that responsibility spread out to more people, it is hoped that coverage will be more consistent when the team is not together.

In the end, I am glad to report that wireless IDS/IPS is advancing.  However, it is not a silver bullet nor do I expect it to ever be a silver bullet.  It still requires humans to make the call on what to investigate and what to ignore.  That requires skill and experience with the tool in a particular environment.  And that skill and experience takes time to develop.  So, just because you have implemented wireless IDS/IPS, does not mean that you are immediately protected.  Your security personnel will still have to ramp up on the tool in your environment.

Like most families in 2007, his family probably has at least one computer at home, if not more. Many children and adolescents have loads of school work requiring excessive computer use. Well, even if your children use the World Wide Web to chat and download games, still need to be protected. There is plenty of parental control software on the Internet. Options available for mom and dad in question, but it are prudent to heed the following advice.

Protecting your children:

• Be aware of your child’s friends and if they start to mention someone not go to school or at home. Internet Safety for Kids is necessary.

• Limit your use of the Internet. Give each child one hour a day can cut the chances of encounter dangerous situations and it increases family time. Internet Safety for Children is very important.

• Most parents know the best way to find out is to “ask”. If you have any questions or advice to give, ask your kids for 10 minutes to talk. Wireless security and computer security is very important nowadays you must protect your computer.

• Do not scold them. Do you remember what it was to be 13 and want independence? Let your pre-teens and teens to make some of their own decisions, while assisting them.

• Remember young people to not give any personal information without checking first.

• Change team assigned to time depending on the age of your child. Having a child? Clearly they need more time online than eight year old.

• Verify that the warning signs: if the 11-year-old knows how to clear the browser cache and set their own passwords, you may want to keep an eye.

Every now and then, some hacker or researcher discovers a major security gap in an existing protocols, used all over the place. We knew that Bluetooth was considered ‘open’ some time ago, wireless protocols are a running gag, and now it’s the widely used DECT’s turn.

A group of German researchers found out sime time last year that the DECT algorithm – DECT Standard Authentication Algorithm, or DSAA – was not as unbreakable as assumed for some time. Not a real surprise, and not a real fear though – is it? I mean, what kind of conversations would you have that are ‘not for my ears’, right?

But what if your banking details are ‘war-DECT-ed’?

All sorts of hardware use the DSAA for communication, not just your home phone or a baby monitor. Portable cordless payment terminals, used in airports, restaurants, and shops use the DSAA as well. We are just waiting for the first war-DECT-ed creditcard fraud to show up in the news. Wonder how long the banks will allow themselves to use a 15-year old, never upgraded protocol. Check out https://dedected.org for more info.

Ah – apparently, some electronic sliding doors use DECT. Time to set your own opening hours.

You know the importance of the shoelace, at the same time you should definitely know about the annoyance of it. To come out of this trouble a new concept has been designed and dubbed as “No Shoelace But Better” that lets you come out of your common problems that have been associated with shoelace. Once you have started to use this, you will not experience frequently the trouble of tying and untying the lace to come loose. Instead, this concept can completely wrap around the foot with a piece of material that can be adjusted by the user with the Velcro strap.

Click to know about USB to SATA Adapter

Although it looks so simple, yet it brings all-important functionalities as a running shoe. This simple concept has been designed by Seon-Keun Park and Jin-Sun Park.

[ More ]

Today, I got a link to this Wired article on my Twitter feed. The article calls for people to leave their wireless networks unencrypted for two reasons: it’ll make you feel good to go against the terms of service, and what comes around goes around, so you’ll be able to find more free access points if more people do this. I’m not saying it’s wrong to share, but be very careful…

I would love a world in which everyone just leaves their wireless connection open for passers by to use. It would save a lot of hassle with different connections and loads of money while you’re traveling. On the other hand, I would also love a world in which people would leave their front door open and put a sign in the window if they weren’t home, so travelers could use their house instead of a hotel. (Imagine walking through Manhattan searching for a place to stay for the night in such a world.) I think most people would not call for participating in that right now.

The biggest objection to leaving your wifi ‘open’ is security: unless you are using an SSL connection (https-websites) anything you transmit through an unsecured connection can be captured and read easily. Googling ‘wifi sniffer’ returns nearly half a million results, a lot of which offer free software to capture and analyze unencrypted web traffic. So you don’t have to be a computer genius to listen in. It may not matter a lot to you, but I like my privacy and the thought of being confronted in the hallway with a neighbor that tells me ‘that was a nice chat you were having with your sister last night’ doesn’t sound too appealing to me. Also, one leaked password may lead to the next and to the next… and eventually may lead to identity theft.

That brings me to the second objection: leaving your wireless connection open in a city environment will most likely attract neighbors looking for a free ride. So in addition to offering a nice access point to people who happen to pass by and need a ‘cup of bandwidth’, you’ll most likely be serving some of your neighbors permanently. I don’t like to be taken advantage of: it’s great if someone occasionally hitches a ride, but if a neighbor would car pool with me on a daily basis I’d expect him to pay some of the gas as well.

The risk of getting caught up in a lawsuit is too big. Risk is chance times impact. The chance for this to happen is small, but the impact may be very large. Leaving your connection open means you can’t control what activity goes on anymore. I guess you’d eventually be able to get away with indicating that your network is open and you don’t know who was on it, but a. I’m not sure, and b. being right eventually is little consolation if copyright infringements or even distribution of child pornography through your connection gets you sued.

So leaving your WiFi open is not such a good idea.Here is the secure way to go for your home network:

• Use WPA encryption (WEP is broken, MAC address filtering does little or nothing) with a nice strong password (I personally use more than 60 random charaters).
• Disable the option to administer the router over the web, unless you know what you’re doing and have a very good reason to keep that option open.
• Disable Universal Plug and Play (UPnP) because it has serious security flaws
• Go stealth! Check whether your computer is hidden from the internet for example at GRC

(The first one of these points is enough to make the wireless end secure… the other three protect you from the internet.)

If you do need or want to share a wireless connection with the world, you can protect your own traffic from being sniffed by using a Y-configuration. This physically separates the open network from the encrypted one.

While I would love the world to be different, I’ll keep locking my front door, closing the car when I park, keeping my credit card number to myself as much as possible and having my wireless connection secured.

E-SPIN enhanced vulnerability management portfolio & upgraded become
IT/business skill certification center

Aug 04, 2009 Kuala Lumpur. Malaysia. E-SPIN Partner and Solution Quarterly
Update. To cater for our group accelerate grow and business expansion. We
are excite to announce that E-SPIN is successful enhanced our vulnerability
management, security assessment, and penetration testing solution portfolio
to incorporate worldwide best of breed industry de factor point solution
from offensive application exploitation and development, wifi /wireless
security assessment, hostile and malware reverse engineering and source code
analysis, to global grade network assessment point solution to complete our
vulnerability management, security assessment, and penetration testing
portfolio. We are become one stop shop for corporate and government
client, as well as reseller and consultant partner who are looking for one
stop support related to vulnerability management, security assessment and
penetration testing, whether engage E-SPIN for the purchase, service,
support or even certified training. We become authorize sole or partner to
distribute, marketing, support full range of product and service from
Immunity, eEye Digital Security, CACE Technologies, Hey-Rays, Tenable, D
Square Security, Enable Security, please surf our website for more detail
information for each point solution.

We have upgraded our E-SPIN training center to become KRYTERION Certified
Secured Online Testing Facility and IT/Business Skill Certification Testing
Center. From now onward, we have the end to end capability to perform
consulting, solution development, application integration, project
management, maintenance support and upgraded our training become certified
training by partnering with the world various IT/business professional and
association certification examination as part of our training course
offering. For instance, we can conduct certified examination at our training
center or at client site (for special group training session) after the
training with our certified proctor staff present. For IT security
professional, they can undertake our GIAC certification, for IT Management
can undertaking our ITIL certification, please surf our website for complete
certified training list.

Stay tune for E-SPIN Group of Companies News update. The News is published
via various E-SPIN News Channel, from E-SPIN New Section, Press Release,
Blog, Twitter, Facebook to LinedIn.

# # #

E-SPIN SDN BHD (www.e-spincorp.com , www.espin.com.my ) is a leading
enterprise IT solutions and outsourcing service provider deliver end to end
IT solutions (hardware, software, service), E-Business and Web Solutions,
business process and technology outsourcing services from consultancy,
solution development, application integration, project management, certified
training, to maintenance support for corporate, government and military
agencies.

Hackers have found a new way to hacker computers by using you WiFi connection.  The are now able to hack updates going to your computer to gain access to your computer.

Hackers using Wifi

Home Security is popular now. Numerous examples have been observed where individuals have expended profound amounts of money in order to gain the current gimmicks which will be exploited for protecting their places.

Their households were easily plucked again and again. They made some mistakes which showed to cost them a lot. On one hand they didn’t ensure whether or not the construction of the house was battened and well-constructed and, secondly, they were excessively confident about the home security systems.

Windows and Doors

To secure home wholly, all external thresholds have to be robust with dead bolts and padlocks installed in them. If the doorways are not robust enough to resist a shove or kick by intruders they should be made iron. You should make sure that the strike plates are in the right place, check over that the border is secure with shafts fitted strong and verify that the hinges are placed on the inner part of the door. If you have the door that opens outward utilise non-removable pegs on the hinges and insure if the re-enforcers are installed about the doorhandle and dead bolt so as to keep it from giving away when the doorway is manhandled. Provided there are french doors, apply flush bolt or flog bolt locks to fasten them. Redundant home security with slide rod locks is necessary if there are glass doorways and sliding glass doors. Windows can be fastened with track locks or cane bolt locks, twofold screw window locks etc.

Intruders Alarms

Burglar alarms present super home security hardware made in order to warn you if intruder wants to get into your home. Despite that they are very expensive, they assist to frighten off a future intruder from being captivated by producing a loud sound. Their shape varies from really simple ones which simply let loose noise to startle the thief and warn the owner of the house, to those refined ones that are coupled to the local authority. Occasionally people use the alarms to warn them by calling their cell phones when they are away from their house. Some warning devices could be connected to the Net and send emails to the homeowner who can control them from mobile phones. So, wired and wireless warning devices with whopping range of lineaments, cost and specs have been proposed to the proprietors. Insure you pick up the versatile alarm system that is safe and sound, dependable and with good after sales servicing and provisory emplyed people to facilitate you with installing. Be sure that animal proof movement sensors are established for preventing of common false alarms.

Look Out that  you are perpetually conscious and studious and do not act incautiously by leaving the windows and doors unbolted since burglars might easily get into your household. In that way you will not inner lose your belongings but you could likewise put in danger those you love. Make sure you do not make any compromise as home protection is essential for the insurance of  your safety.

If you need to add wireless capability to an ELK M1 Automation Controller, you have two options.  The first option is to use the ELKM1XRF2G wireless receiver.  The ELKM1XRF2G will allow you to have up to 144 wireless sensors, from GE Security.  The sensors, however, have to be the crystal, and not the SAW, type of transmitter.

The second option is to use the GENX548E wireless receiver. The GENX548E can handle up to 48 wireless sensors from GE Security, and can be either the crystal or SAW type of transmitter.

In mid 2007, I was involved in a case which really puzzled me. The system admin of a company’s network detected a rouge wireless AP by accident (he turned on his notebook computer which had its WLAN turned on and it detected a wireless signal which was not supposed to be there in the 1st place – apparently the premise was not installed with any wireless AP for security reasons). The witty system admin notified the authority and we went in with some CSI-like gear. We managed to locate the AP which was planted at the ceiling of the premise – the AP was connected to the LAN and equipped with a Yagi antenna. Our further investigation revealed that the antenna could transmit signal up to 2km. I was shocked by this event, to think that a perpetrator could actually be sitting in a car at the carpark of the building and access the data from the network while enjoying his McChicken. Even more disturbing is the fact that this kind of attack cannot be detected easily. We suspected that the rogue AP and antenna was installed with insiders help but we failed to ascertain that (due to some political pressure, of course). It remains a mystery on how much data was actually stolen from the network and the extend of the damage.

During war-driving exercise conducted by my company, we normally detect hundreds of WLAN signals around the city. The exercises show that almost 60% of the WLANs are not secure. Typical problems are such as SSID is visible and indicates the company’s name, APs are still using the default admin username and password, and using weak and outdated encryption such as WEP.

Payment Card Industry (PCI) Security Council last week released a guideline for secure wireless LAN implementation targeting especially companies that handle payment-card transactions (storing, processing and transmitting cardholder data). I applaud this effort since WLAN is known to be the most vulnerable network setup. It covers things like encryption usage, password management, regular audits, network demarcation from the ones which does not handle cardholder data, scanning for rogue AP and so on. Even though the guideline is targeted for companies which handle payment-card transactions, it can be easily adopted by companies at large which implement WLAN.

A new virus described as providing naked pictures of an ESPN commentator is spreading rapidly across the internet.  If you get an email about naked pictures of Erin Andrews don’t open it.  You will get a virus and not pictures.

Internet Safety Center