[SecurityRatty] tag: secondary

XRumer Spambot Cracks Captchas

Fri, 03 Oct 2008 07:40:21 +0000

We’ve known CAPTCHAs are insecure for some time, but now even the CAPTCHA-alternatives (often based on identifying cats from dogs or other animals) have proven insecure. Gmail, Windows Live hotmail and other popular sites were hacked as early as February. Recently another defeat has come in the form of XRumer, a spam bot that posts messages on blogs and through email in order to boost search engine rankings.

What’s the solution? Ars Technica suggests there might not be a good one, in part because malware distributors can go so far as to hire real people to do their dirty work:

Instead of trying to build better CAPTCHA-cracking programs, the malware industry went out and got itself some humans of its own. This effectively bypasses the primary security strength of the CAPTCHA system and leaves it entirely dependent on what we’ll call secondary security characteristics. CAPTCHAs are often complex (particularly these days), which does increase the chance that they’ll be misread (and returned incorrectly), while the font and display of the characters themselves are at least somewhat unfamiliar to the CAPTCHA crackers sitting on the other side of the world.

Sometimes those captcha phrases are pretty incoherent to me too. When I post over at Craigslist sometimes it says I’ve gotten its Captcha wrong, and I end up wondering if secretly I’m a bot?? Apparently not a very smart one either.

CCTV Firm Threatens The Researcher Who Found Vulnerable Products That Reveal Cam Images Without Authentication

Sat, 20 Sep 2008 04:22:21 +0000

A flaw discovered by security researcher Mike Stephens, affects The LookC 4×4 server and Pro IX server, which allows anyone to view static images from any camera connected to its servers. This product is installed in some primary and secondary schools. The flaw requires no authentication to exploit and vulnerable servers might be found via [...]

Identity Farming

Tue, 09 Sep 2008 01:42:18 +0000

Let me start off by saying that I'm making this whole thing up.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder. And you know that trend will only continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply for Social Security numbers for them. Eventually, you open bank accounts for them, file tax returns for them, register them to vote, and apply for credit cards in their name. And now, 25 years later, you have a handful of identities ready and waiting for some real people to step into them.

There are some complications, of course. Maybe you need people to sign their name as parents -- or, at least, mothers. Maybe you need to doctors to fill out birth certificates. Maybe you need to fill out paperwork certifying that you're home-schooling these children. You'll certainly want to exercise their financial identity: depositing money into their bank accounts and withdrawing it from ATMs, using their credit cards and paying the bills, and so on. And you'll need to establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs on their name. That isn't critical, though; in the U.S., more than 20 million adult citizens don't have photo IDs. But other than that, I can't think of any reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part of your life?

Again, I made this all up. I have no evidence that anyone is actually doing this. It's not something a criminal organization is likely to do; twenty-five years is too distant a payoff horizon. The same logic holds true for terrorist organizations; it's not worth it. It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. Iâm told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out the central role that data has taken on in our lives. Previously, I've said that we all have a data shadow that follows us around, and that more and more institutions interact with our data shadows instead of with us. We only intersect with our data shadows once in a while -- when we apply for a driver's license or passport, for example -- and those interactions are authenticated by older, less-secure interactions. The rest of the world assumes that our photo IDs glue us to our data shadows, ignoring the rather flimsy connection between us and our plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

This essay previously appeared on Wired.com.

EDITED TO ADD (9/9): Interesting commentary.

Security Matters: How to Create the Perfect Fake Identity

Thu, 04 Sep 2008 00:00:00 +0000

Let me start off by saying that I'm making this whole thing up.

Here's the real question: Do you actually have to show up for any part of your life?

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. I’m told this is a common idea in Highlander fan fiction.

Our data shadows can live a perfectly normal life without us.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

My LA Times Op Ed on Photo ID Checks at Airport

Mon, 01 Sep 2008 01:15:41 +0000

Opinion

The TSA's useless photo ID rules

No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work.

By Bruce Schneier

August 28, 2008

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government's no-fly list -- the list that is supposed to keep our planes safe from terrorists -- could just fly with no ID.

Now, people without ID must also answer personal questions from their credit history to ascertain their identity. The TSA will keep records of who those ID-less people are, too, in case they're trying to probe the system.

This may seem like an improvement, except that the photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

How to fly, even if you are on the no-fly list: Buy a ticket in some innocent person's name. At home, before your flight, check in online and print out your boarding pass. Then, save that web page as a PDF and use Adobe Acrobat to change the name on the boarding pass to your own. Print it again. At the airport, use the fake boarding pass and your valid ID to get through security. At the gate, use the real boarding pass in the fake name to board your flight.

The problem is that it is unverified passenger names that get checked against the no-fly list. At security checkpoints, the TSA just matches IDs to whatever is printed on the boarding passes. The airline checks boarding passes against tickets when people board the plane. But because no one checks ticketed names against IDs, the security breaks down.

This vulnerability isn't new. It isn't even subtle. I first wrote about it in 2006. I asked Kip Hawley, who runs the TSA, about it in 2007. Today, any terrorist smart enough to Google "print your own boarding pass" can bypass the no-fly list.

This gaping security hole would bother me more if the very idea of a no-fly list weren't so ineffective. The system is based on the faulty notion that the feds have this master list of terrorists, and all we have to do is keep the people on the list off the planes.

That's just not true. The no-fly list -- a list of people so dangerous they are not allowed to fly yet so innocent we can't arrest them -- and the less dangerous "watch list" contain a combined 1 million names representing the identities and aliases of an estimated 400,000 people. There aren't that many terrorists out there; if there were, we would be feeling their effects.

Almost all of the people stopped by the no-fly list are false positives. It catches innocents such as Ted Kennedy, whose name is similar to someone's on the list, and Islam Yusuf (formerly Cat Stevens), who was on the list but no one knew why.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can't get off. They can't challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn't been tried yet.)

But even if these lists were complete and accurate, they wouldn't work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren't on any list before they committed their terrorist acts. And if a terrorist wants to know if he's on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to "trusted travelers" to speed them through security lines. Just apply for a Clear card; if you get one, you're not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can't. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response -- security measures that aren't based on a guess about a terrorist target or tactic.

That's the TSA: Not doing the right things. Not even doing right the things it does.

Summarizing July's Threatscape

Fri, 01 Aug 2008 12:08:24 +0000

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

Heuristics for De-identifying Health Data

Thu, 31 Jul 2008 09:30:23 +0000

Before releasing personal health information for secondary uses, such as research or public health monitoring, organizations must de-identify the data they've collected. Several common heuristics are useful for this purpose, but they also have limitations.

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

The Not-So-Sweet Life of Supplicants

Wed, 23 Jul 2008 11:23:00 +0000

There are plenty of integration and configuration challenges when we look at 802.1X, but one of the most notable issues is choosing the right supplicant to best serve your end users.

Some of the major obstacles we face with 802.1X center around creating a smooth end user experience. We, as integrators, have the distinct ability to make ‘whatever’ work- we find a way. But, what I hear most from my customers is “it has to be easy for the end user.” (Sometimes they go on a little further, but I’ll leave it at that.)

Why does it matter?

Wireless, wireless, wireless. Although wired 1X is popular with our customer-base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important.

What are some of the problems?

The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the propect of re-training users for these expectations.

First of all, the time to authenticate and connect to the network is going to drastically increase. I say drastically- it’s only a few seconds- but I’m sure it feels like minutes to a new 1X end user.
In addition, we’re in a transition and growing period where we’re trying to integrate and authenticate multiple pieces- the machine and/or user as well as any other clients residing on the endpoint, so there can be single-sign-on issues. Not SSO in the traditional sense, but single-1X-sign-on vs logging in to authenticate and open the port, logging in again to get to network resources (such as Novell).
There may also be issues supporting multiple profiles, so end users may need to understand the concept of enabling 802.1X on an interface at their office, then disabling it when they go home.
Or perhaps, in a shared or lab-type environment, we may have multiple unique users logging in to the same endpoint device, so we have to make it easy for end users to log off so there’s a forced re-auth for the next user.

There are plenty more, but this hits on the major concerns of most organizations planning to implement 802.1X (wired or wireless).

How do we address the issues?

There are different ways to deal with the complexity of supplicant and end-user interactions. First and foremost, a good end user training program will be needed. There’s a learning curve, but eventually end users will get it- we just have to make sure the transition for ‘now’ to ‘got it’ is smooth and doesn’t overwhelm help desk resources.

As the operating systems and clients progress, we’re seeing more integration and the ability to share 802.1X information between disparate pieces of the endpoint.

In the meantime, there are also 3rd-party supplicants that can ease several of the pains. Cisco’s Secure Services Client (acquired from Meetinghouse’s Aegis supplicant) and Juniper’s Odyssey Access Client (acquired from Funk) both offer options and configurations not currently available in native OS supplicants. (For example, both offer the GINA shim for integrating Windows 1X login with Novell as well as multiple profile support.) Although I haven’t tried it, my understanding is you can still operate both of these clients independent of the controllers provided from the same vendor.

Is it a deal-killer?

It can be. The struggle to provide a smooth transition for end users is often a deal-killer for organizations looking at deploying 802.1X. Although there are ways to combat most of these obstacles; often the time, planning and money required to proceed make it unattractive enough to abandon the project. In most cases, the more heterogeneous the endpoint environment is, the less attractive the solution becomes. In an all-Microsoft environment, you can have an 802.1X framework up in a matter of hours. With a mix of authentication directories, endpoint OSs and user expectations, you could spend weeks or months ironing out the details.

The good news.

Yes, there’s some good news here. The increased adoption of 802.1X is continually leading to increased integration of the software, operating systems and clients on endpoints. While 802.1X may never reach ‘plug-and-play’ status, pretty soon the integration will reach a point where configuration is simplified enough for more wide-spread adoption, even in the most diverse environments.

Just hang tight, we’ll get there!

# # #

Heinemann-Raintree Reports a Year And A Half Old Breach in Their E-commerce Website

Tue, 22 Jul 2008 18:24:22 +0000

Heinemann-Raintree, publishers of PreK-Secondary nonfiction books for the library and classroom, maintains websites where customers can purchase products online. In January 2007, an unauthorized person was able to obtain access to the database that contains the product information used by the Heunemann-Raintree websites. Heinemann-Raintree informed their customers about this breach in a letter sent in [...]