Security


IT Security recently named “The 59 Top Influencers in IT Security”. I am very honored to be held in such regard and named along with others on the list. *smile*

Looks like someone was in the news lately, and immediately after the Super Bowl at that. Meaning that plenty of drunk and stuffed manly men were watching our superstar hand model who, when asked if he was a “hacker”, claimed:

“Yes, but the good kind.  We’re there to help and protect.”

So I received the FON wireless access point in the mail today (surprisingly quick) and wanted to test it out to see how it would work. I wanted to know what administrative interface it had, how the public and private SSIDs worked and overall what the security of the device is.

The results were rather good so I wanted to give you some details here. The way the FON device works is that, once you plug it in, it broadcasts two SSIDs (by default these are FON_AP and MyPlace). The FON_AP is the public SSID that others can connect to. This is what makes your FON device a pseudo-public access point. I say pseudo-public because of the Linus vs. Bill description listed above. The MyPlace is the private SSID that uses WPA2 with a pre-shared key (PSK) out of the box. The PSK is the serial number on the bottom of the device. The PSK can be changed, as we will show later, but most people will not change it, making brute-force cracking that much easier.

The first thing you do once you plug it in is to connect to either the FON_AP or MyPlace SSIDs and, as the manual states, browse to http://wifi.fon.com/. What I noticed is that before registering your device it allows you to visit http://www.google.com (and probably other URLs as well). If you try to hit other sites it will redirect you to wifi.fon.com until you actually register the device, which is rather easy. You simply log in using the same username and password you used to obtain your FON device and answer a few questions. The questions ask for the address you are located at, presumably so FON can put you on their map, but this is also a minor personal privacy risk. Of course there’s nothing that forces you to enter the real address, other than personal morals, because there is no way for FON to determine if you are telling the truth or not.

Once the device is registered it is now open for business. I wanted to see if someone connecting to the public (FON_AP) side could access other devices on my home network and vice versa. I first connected to the FON_AP side, which required that I log in because I registered as a Linus. I received an IP address of 192.168.182.2 with a gateway address of 192.168.182.1. DNS servers were obtained from DHCP so they did show the internal IP addresses of my home network. (Remember I plugged this device into the home network, which includes many more computers and is not limited to the cable modem as the manual suggests.)

I tried to port scan 192.168.182.1, the device itself, and could not. Although the DNS servers for the FON device were internal devices, I could not ping or port scan them from the 192.168.182.x network. This meant that all DNS queries were sent from my client to the access point (AP) and then routed to the proper server. I tried pinging and port scanning other devices within my home network but received no replies. I tried to traceroute to the Internet and received an ICMP reply from the gateway (192.168.182.1), then a blank hop (Request timed out), and then a reply from my ISP’s router. This meant that the FON device must have a static route set within it to only allow public traffic out to the Internet and not internally.

I was impressed by the security here, which makes it almost impossible (outside of malformed DNS requests or exploitation of TCP) to compromise my internal devices or the FON box itself.

I then connected to the MyPlace (private) side of the network to see what could be done. I was given an IP address of 192.168.10.223 and a gateway address of 192.168.10.1. In this situation I could ping devices in the public (FON_AP) side of the network but not vice versa. When I tracerouted to the Internet I had the same results as when connected to the public side of the AP, and could ping other devices on the home network. It appears that once on the private side of the AP there are no access list rules.
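The reachability described above can be written down as a policy and re-checked after any firmware change. This Python sketch is an added example, not code from the original post; the home LAN subnet 192.168.1.0/24, the sample observations and all function names are assumptions.

```python
import ipaddress
import socket

# Subnets seen in the post; "home" is an assumed placeholder for the upstream LAN.
ZONES = {
    "public": ipaddress.ip_network("192.168.182.0/24"),   # FON_AP clients
    "private": ipaddress.ip_network("192.168.10.0/24"),   # MyPlace clients
    "home": ipaddress.ip_network("192.168.1.0/24"),       # assumed home LAN
}
# Expected reachability (source zone, destination zone), per the post's tests.
EXPECTED = {
    ("public", "private"): False,
    ("public", "home"): False,
    ("private", "public"): True,
    ("private", "home"): True,
}

def zone_of(addr):
    """Map an IP address to a zone name; anything unknown is 'internet'."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "internet")

def tcp_reachable(host, port, timeout=2.0):
    """Live probe: True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def isolation_violations(observations):
    """observations: (src_ip, dst_ip, port, reachable) tuples.
    Returns the ones where a flow that should be blocked succeeded."""
    findings = []
    for src, dst, port, reachable in observations:
        pair = (zone_of(src), zone_of(dst))
        if reachable and EXPECTED.get(pair) is False:
            findings.append((src, dst, port, f"{pair[0]} -> {pair[1]} should be blocked"))
    return findings

def audit(src_ip, targets):
    """Probe (host, port) targets from this machine (src_ip) and report violations."""
    return isolation_violations([(src_ip, h, p, tcp_reachable(h, p)) for h, p in targets])

# Constructed observations: the last one models a public client reaching the home LAN.
SAMPLE = [
    ("192.168.182.2", "192.168.1.10", 445, False),
    ("192.168.182.2", "192.168.10.223", 22, False),
    ("192.168.10.223", "192.168.1.10", 445, True),
    ("192.168.182.2", "192.168.1.10", 80, True),
]

if __name__ == "__main__":
    for finding in isolation_violations(SAMPLE):
        print(finding)
```

Run `audit()` from a laptop joined to the public SSID, passing that laptop's address and a list of your own internal hosts and ports; an empty result means the isolation still holds.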

I port scanned the gateway address (192.168.10.1) and found the following services open: 25/tcp, 21/tcp, 53/tcp, 110/tcp, 4444/tcp, 5190/tcp, 8080/tcp. This is interesting because when you put 192.168.10.1 into your web browser it shows the AP Management Console. I used netcat to connect to port 80/tcp, which is shown as open and has a META HTTP-EQUIV redirect to “/cgi-bin/status.sh”. Connecting to other open services on the AP results in an open port but a dropped service. (I’m curious if you need to connect from a specific IP address to access these services or if there is some other trick.)

You have five management options before you: STATUS, Public WiFi, Private WiFi, Change Password, and Advanced. In order to administer the AP you need to log in (you are prompted for an “openwrt” password), but the manual does not provide you a password for doing this. Remember that the FON device is running the Linksys or Buffalo firmware (currently Linksys WRT54G (pre-v5), WRT54GL, WRT54GS and WRT54GSv4, or Buffalo WZR-RS-G54, WHR-HP-54, and WHR-G54S). If you remember, the default login and password for the Linksys AP is “admin/admin”. It worked!

Now you can change the public and private SSID of your AP and the WPA PSK for the MyPlace (unless you have already renamed it) side of the network. The private network supports: WEP, WPA, WPA2, or WPA/WPA2 Mixed (default). The public AP SSID will always start with “FON_” but you can change the suffix (default of “AP” to anything).

Update: Serge Mankovski noted the following:

FON suggests connecting the FON router to the local network of your Internet router. It makes any user connected to the FON WiFi access point a member of the local network. To my surprise, with the Advanced Firmware from FON.net, users connected through the FON access mechanism were able to connect to my internal network! It opens up the Fonero internal network to attacks from users connected to their access points.

I’m at SecurityOpus this week. It has some interesting talks because Richard knows many hardworking people in the industry. I’m enjoying most of all (as always) bumping into others I know and meeting new people. There should be after con drinks shortly and then dinner with some out of town friends.

Unfortunately, work calls and I haven’t been able to sit through all the presentations, but check out the speaker line up as some interesting tools have been released such as wicrawl from MRL and the presentation on RFID Malware Demystified (PDF) by Melanie Rieback.

I was listening to one of the TED conference talks and one of the speakers said something that was very interesting and yet obvious at the same time.

He said that, within the US, thousands of automobiles are stolen every year, but none of them are post office trucks. Why is that? Because there is no market for them. Also, in S. Africa, no white Volvos are stolen. Same reason.

This reminds us about the obvious, that when addressing risk you can either mitigate the risk or eliminate the data that the market demands. Why spend money on protecting a system if you can eliminate the need to protect it in the first place?

When looking at how best to protect information systems, security professionals will turn to the technology as a solution, in the same way some people look at “encryption” as the savior of data security. The mindset should instead be to examine the black and grey markets for what information is in high demand and eliminate it first, before pouring tons of money into protecting it.

I just upgraded WordPress from 2.0.3 to 2.0.4.  It seems like a very minor change but according to the website there are over 50 security fixes.  Don’t forget to upgrade your software as well.

Friends don’t let friends run unpatched software.  heh.

I traveled today on the first day of the “no liquids, gels, etc” airline ban. I don’t care about the details about the alleged people that were caught attempting to bring liquid explosives on airplanes. The fact is that all of our lives are being forever inconvenienced by this fact, at NO additional security to the airline passengers.

If you want details check out Bruce Schneier’s blog. Testing shows that TSA does not prevent any more weapons from getting past security than they did before 9/11. And ever since the “shoe bomber” we have been in a reactionary mode where all we can do is inconvenience the travelers while providing them with only a sense of security, not actually protecting them.

First was the “shoe bomber” which meant we all had to x-ray our shoes regardless if they had metal in them or not. Now we are not allowed to bring liquids onto planes. How are they going to enforce this? I can think of about 50 different ways to smuggle both explosives and liquids through the metal detector (because they are not metal) and that’s without even trying.

What good does a false sense of security provide us?

Won’t you join me by listing some items you could use to easily transport liquids through security?

  • Urine/bladder bag tied to leg
  • Fake pregnancy belly (women only)
  • Small containers in your pockets
  • Lining on the inside of your shirt and pants
  • False fat suit allowing you to pack on mass
  • Small tubes/containers strapped to body beneath clothing
  • Falsely labeled liquid medications

Update: Someone should create a website “airportcontraband.net” or “whatismugglepastTSA.net” and have people just list the things they smuggle through the airport and past TSA. Frequent fliers know better than anyone how easy it is to get just about anything onto planes.

Why is it that people feel they should never get injured while traveling via plane? People die in car accidents all day long and nobody cares, we still drive our cars on Friday nights. For some reason people feel air travel should be free of death or risk, as if the metal tube flying through the air is some magical Willy Wonka elevator that protects them from all harm.

I don’t understand why people think they are safe on modes of transportation they do not directly control but feel perfectly safe on things they control and are familiar with. When we get into a cab we are not in control and yet still are not afraid (ok, well some cab rides can be scary.)

Is it the familiarity factor? Do we fear things that are unfamiliar to us? Why is it that putting up veils of security, by not permitting liquids on planes, somehow makes us feel safer? There is a psychology PhD waiting to be written on this.

Well, here I am at Defcon 14. I was almost a no show until some friends convinced me to go. Last night I was up until 4 AM talking with friends and catching up.

This morning I had breakfast with a friend and recruiter who pulled Joel Scambray (author of Hacking Exposed) in to talk. Joel is just an all around nice guy and really down to earth. We talked about MS, credit card security, books (his 5th Edition came out this summer.)

Arriving at the Con I met up with some Security Metrics friends and people from MRL. How awesome is this that I get to meet others I enjoy spending time with … all in one place.

I needed to connect to the Internet and the Riviera hotel is ghetto with no broadband. So I connected to the Con access point and thought you would enjoy this image.

defcon.jpg

Johnny2k sent me a link to Engadget saying that:

In case anyone needed more proof that we’re all living in a Philip K. Dick novel, a pair of hackers have recently demonstrated how human-implantable RFID chips from VeriChip can be easily cloned, effectively stealing the person’s identity.

This was not a “theoretical” attack but actually performed in person and live at HOPE 6, a hacker conference, going on in NYC. These types of systems, much like DRM, suffer from a common flaw in that even if authentication is built into the system you are sending the authenticated message and giving the authentication key to the same person.

I saw this the other day in an office building and thought how funny it was.

wireless.jpg
