[SecurityRatty] tag: utilities

Ethernet and WiFi and Bluetooth, oh my!

Wed, 15 Oct 2008 17:16:48 +0000

Customers have long requested a way to configure a computer to automatically disable its wireless NIC when its Ethernet is in use. Many third-party utilities can do this for you, but neither XP nor Vista have a built-in way to accomplish this, nor will Windows 7. Although having both NICs enabled first appears to cause a security issue, in reality that would be true only if both of the following were also true:

The user is logged on as a local administrator
The user, or some code the user runs, enables IP routing

By default, all forms of IP routing (including NIC bridging) are disabled. Only local administrators (or group policy) can enable them. So the risk, actually, is minimal.

If you have a stroll through group policy, you'll discover this setting: "Prohibit installation and configuration of Network Bridge on your DNS domain network" (more here, here). This setting allows you turn a computer into a router that bridges two networks. The bridging works only when one of the interfaces is in the same DNS namespace it was in when the bridge setting was enabled, and it works only when the Windows firewall is disabled on both interfaces (never a good idea). Additionally, regardless of the group policy setting, the function doesn’t even appear as an option when the user is logged in as a non-admin. The group policy setting simply removes the option from people who are local admins of their computers. So here's a way you can remove the ability even for local admins to enable routing.

However, let me admit that I wish we did have a way to implement your request, but for an entirely different reason: IP address preservation. Consider what happens when I'm on my own corpnet in my office. I put my laptop in its dock, which is connected to the Ethernet. I never bother disabling my wireless (I'm lazy). So whenever I'm in my office I'm taking up two IP addresses: one on the Ethernet and one on the wireless. Such wasteful profligacy, I know! (Note this isn’t a problem for any Bluetooth adapter, which always uses APIPA in its default configuration; I can’t imagine a scenario where you’d want Bluetooth to use DHCP.)

If you agree with me that this is something we should address post Windows 7, not for "security" reasons but as a good general networking practice of being conservative with address allocation, please speak up. Now's the time for your input.

5 password utilities for portable freedom

Mon, 29 Sep 2008 20:00:00 +0000

Password managers are a huge help in dealing with our exponentially growing numbers of accounts. But stand-alone apps introduce a new problem: If you aren't sitting at the PC with the software installed, you can't get to your credentials. Luckily, you have alternatives. These five password tools are all accessible either from a portable device (such as a thumb drive) or over the Web.

U.S. at risk of cyberattacks, experts say

Tue, 19 Aug 2008 08:50:01 +0000

Experts say the recent computer attacks on Georgia signal a new kind of cyber war. The U.S. is not fully prepared for a large-scale, coordinated attack, experts say. Such attacks can be mounted anonymously and cheaply from anywhere in the world. A cyberattack on the U.S. could hobble utilities, transportation and other infrastructure

Long Island Proposal Snags Again, on Poles

Mon, 28 Jul 2008 07:07:26 +0000

Long Island proposal still mired: The plan to put Wi-Fi up across two Long Island counties has seemed doomed to me from the start. The company that won the bid was untested, and its other in-deployment or in-proposal networks are off the table. Expertise aside, it needs tens of millions to build such a network, and financing for company-funded metro-scale projects is not available. The counties involved have pledged no purchases of services. And, perhaps the final stroke, the local utility says that E-Path doesn't meet the test of being a telecom and paying less than $10 per year for pole placement, but instead must pay the all-comer rate of $50 per year.

This is a critical distinction. Telecoms are covered under the Telecom Act of 1996 that requires non-discriminatory access to utility poles to avoid incumbent local exchange carriers (ILECs) and utilities from being gatekeepers that prevent competitive service from emerging. There are a series of tests in the law and local qualifications, too, that allow a firm to be a registered telecom. An FCC decision last year ruled that companies that mix telecom and unregulated information services on the same wires aren't disqualified from getting the Telecom Act deal, however.

But E-Path seems to meet none of the criteria except their desire to pay $10 instead of $50 per year per pole. Utility poles have held up many other municipal networks. We're not hearing more about them these days because such networks are now being built on a smaller scale for different purposes, where the number of nodes and their placement is rather different than networks built with the intent of providing indoor coverage.

Cablevision, by the way, qualifies as a telecom, this article states, which helps them in placing nodes for their planned $300m network across their coverage territory. They can also mount nodes in-line with their cable lines, using power from their cable plant on the lines already.

E-Path appears to have a variety of communication problems as well. The article notes, "Tortoretti said his Washington, D.C., attorneys disagree with LIPA's interpretation. But the attorney Tortoretti said represents E-Path, Charles Rohe, said he couldn't speak about the company or the dispute."

Later, E-Path's "chief executive said he hopes the county will help with his LIPA dispute." But an aide to the Suffolk County executive said, "That's not really our issue. That's out of our control."

Correspondent Craig Plunkett, quoted near the end, points out that if the counties were to change their minds and want to buy services on the network, the proposal would have to be rebid (appears as the sound-alike "rebuild" by accident in the online article at this moment).

Is More Regulation Always the Way to Go?

Wed, 23 Jul 2008 20:00:00 +0000

Over in the US, Senator Obama has recently been talking about his stance on Cyber terrorism. While there were many interesting points in his proposals, I wanted to home in on his comments regarding the protection of national infrastructure. You don't need to be a technological genius to have figured out that computers pretty much run every aspect of our daily lives these days -- transportation networks, utilities, broadcast information... you name it. It's fair to say, then, that if you could find a way of compromising those computers you could really mess up everyone's day....

For your hacking pleasure - Cold Boot utilities released!

Wed, 23 Jul 2008 09:32:00 +0000

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

The Long Road Towards an ISO 27001 "Tipping Point" (and a true Reader's Poll!)

Mon, 21 Jul 2008 20:00:00 +0000

So, in conversations with customers of late, I've observed a steady increase in talk of plans to soon adopt ISO 27002, or active work to get the standard implemented in some fashion. This isn't necessarily surprising, particularly when you're talking with highly regulated companies or those more apt to understand information risk management, overall (e.g., those in banking, insurance and utilities, or more recently, thanks to PCI DSS, retail). Because, as I suspect most would agree (and speak up if you don't!), 27002 provides an incredibly broad and deep view into the types of security controls an organization should at least consider when building a security and information risk management program.

What has certainly come as more of a surprise, though, is...

Best Security Tools: Free online Web utilities

Mon, 23 Jun 2008 05:30:09 +0000

Have you ever needed to PING a host, run trace a Web route, or see what information you're exposing to Internet without having to reconfigure the security on your perimeter devices? Have you tired of having to call your managed security services provider to let them know it's you creating the anomalous behavior, not an attacker? Then maybe you should check out one of the free, online Web services providers.

Best Security Tools: Free online Web utilities

Mon, 23 Jun 2008 05:30:09 +0000

Have you ever needed to PING a host, trace a Web route, or see what information you're exposing to the Internet without having to reconfigure the security on your perimeter devices? Have you tired of having to call your managed security services provider to let them know it's you creating the anomalous behavior, not an attacker? Then maybe you should check out one of the free, online Web services providers.

Fun Reading on Security - 4

Tue, 17 Jun 2008 07:36:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #4, dated June 17, 2008.

So my next iteration of fun reading on security, logging and other topics.

"Security-as-control" vs "security-as-assurance" - a very useful idea (more here), which is often confused with bad results (e.g. "secure" software = has password authentication OR has has no overflow bugs)
Rich Mogul grabs GRC by the balls and kicks it, hard, again. A Burton Group guy comes and helps him by doing a nice roundhouse kick in its butt. Still, it doesn't die, as more people kick it ... Maybe 'cause Andy "loves or hates it?"
Good advice from Andy IT Guy: "We need to step back from time to time and evaluate what we are doing to determine if it still makes sense." (more)
BBC on cloud security, actually interesting. More on the same subject, albeit with a dumb name
Breach disclosure laws and security study by CMU, that SANS called idiotic ("What a silly study. It measures the wrong outcome. What matters about data breach notification is what it does to the quality of defenses.") AND "badly flawed" as well. More fun comments on it are here. More discussion of this complicated subject. Rick kicks it too here.
Along the same line, "Data breaches at retailers are the top cause of credit and debit card theft, accounting for about 20% of all incidents." Wow!
"The biggest issue in both Audit and IT is a lack of strategic thought." (maybe) When I read it, it reminded me of the old wisdom from Ms Trunk: "if you think you are a 'strategist' - check maybe you think that 'cause your execution sux"
A very fun read: "Facing The Monster: The Labors Of Log Management." I am happy that log management has been granted a monster status :-)
Role of compliance for SCADA security puzzles me: think about it - you need a law to make people protect systems that control utilities EVEN THOUGH you already demonstrated (kind of) that hackers can explode generators remotely. So, people fear fines from regulators more than exploded power generators? Yep.
Is it time to regulate the security of cloud computing?
"How to Sell Security" by Bruce Schneier - a MUST read. BTW, FUD is NOT dead, and won't be dead. Ever!
OMG, this is huge and will grow: PCI Compliance and Virtualization (think "only one primary function per server" mandated in PCI). Same source on costs of PCI (also fun!) - still, IMHO, PCI is cheaper than properly securing your environment ... And while we are on the subject of PCI, check out Rich's "The Good (Yes, Good) And Bad Of PCI" and the discussion that followed.
New wave of compliance is incoooooooooooooming. Take cover!!!
Please shut up about ALL security being rolled into the network. Hoff says it best here. If you want to join this bandwagon, say "all NETWORK security will be in the network." (you'd probably still be wrong, but less embarassed :-))
Finally, some "Unintentional hilarity" from David: this is sooooo the world we live in :-)