
A Preview of Windows XP SP2 Security Center

There may be a large number of people out there in the world, people with jobs and lives who don’t lurk around computer security web sites or fish through computer magazines in all their free time, who may be unaware that the long-awaited Windows XP Service Pack 2 (SP2) will be released by Microsoft soon. But, whenever Microsoft has to push back a release date it becomes front page news around the globe, so it’s possible that even those people know. Regardless, Microsoft has released the release candidate (RC1), which is typically the last phase prior to a public release, so I would guess we can expect to see SP2 available in the next month or two.

One of the most talked about additions in SP2 has been the Security Center and the changes Microsoft has made to a number of different features in the name of security. When Windows XP was first released it was hailed as the most secure yet. Windows XP Home edition, although it still lacks some of the most important security features of its Windows XP Pro sibling, was a quantum leap better in stability and security than its Windows home operating predecessors such as Windows 98 or Windows ME (Millennium Edition).

But, one of the chief complaints has been that there are still insecure features that are enabled by default while the security features, such as the built-in firewall, are disabled by default. This means that users must know enough to determine that they want the security feature turned on and then figure out how to navigate through Windows to find the feature and enable it. It’s a little like selling a car with brakes, but having them be disabled until the user finds the right switch to turn them on.

Windows XP Service Pack 2 includes many new or modified features designed to make the operating system more secure such as:

  • Managing IE add-ons
  • Stopping malicious scripting in IE
  • Blocking pop-up ads
  • More secure Outlook Express email
  • A vastly improved firewall
  • New Security Center feature
  • Modified Automatic Updates configuration
  • Disabled Windows Messenger Service
  • Restricted ability of network services to propagate threats

Below is a more detailed explanation of each of these new and improved security features:

  • Internet Explorer Updates
    • Manage Add-Ons: Many programs install a plug-in or add-on which adds some functionality to the Internet Explorer (IE) web browser. Many users go about happily clicking OK and may install add-ons they don’t really want or need and some malicious programs might secretly install add-ons. This utility allows you to view the add-ons installed on your system as well as add-ons that have been used by Internet Explorer but not installed. You can enable or disable the different add-ons from this utility as well.
    • Pop-Up Blocking: Yes, you read that right. Internet Explorer will finally have the ability to block those annoying pop-up ads. Most other web browsers have already had this functionality, and many Internet Explorer users have adopted tools like the Google Toolbar which is a plug-in you can add to Internet Explorer to block pop-up ads among other things, so the annoying advertisers have already been busy trying to find other ways to get their ad in front of you. But, there are still plenty of sites with pop-up ads and this new feature will help make sure you don’t have to see them.
    • Modified Scripting Functionality: Unscrupulous sites can use scripting to accomplish a variety of mischievous, if not outright malicious, actions. With the current IE it is possible for a web site to open new windows that aren’t even visible on the screen, or to open new windows that don’t have the normal status and toolbars, which makes them difficult, if not impossible, to close via normal means. After SP2, IE will not allow developers, whether mischievous, malicious or just misguided, to do these sorts of things.
  • More Secure Email: SP2 makes changes to the way Outlook Express works that will help protect most users from unknowingly or accidentally infecting their systems with viruses or Trojans. Outlook Express will block a variety of file attachment types, such as EXE or COM files, which are executable and may contain malicious code. Graphic images are blocked by default, but you can right-click and download them anyway. This can help prevent the display of potentially offensive pictures in spam email.
  • New and Improved Firewall: EDIT: This section has been revised after I learned that some of the information I had regarding the improved firewall was incorrect.
    This is one of the best updates in SP2 in my opinion. The Internet Connection Firewall (ICF) that comes with Windows XP is not intuitively named or configured and is disabled by default. With SP2 the firewall gets a new name, Windows Firewall, and a number of significant changes that improve its functionality. Primarily, the Windows Firewall is enabled by default and is monitored through the Security Center. It also allows you to enable or disable it on an interface by interface basis rather than the all-or-nothing approach of ICF. This firewall is leaps and bounds better than ICF but probably not sufficient to replace a 3rd-party personal firewall such as ZoneAlarm.
  • New Security Center: With SP2, Windows XP adds a new option in Control Panel called Security Center. The main screen of the Security Center displays information on the current status of your firewall and antivirus protection as well as whether or not automatic updates are enabled. Each item can be green (On), red (Off) or orange (Unknown). Windows does not come with antivirus software, but it will check for 3rd-party antivirus software and let you know if it is running and up to date. The firewall portion favors that you simply use the Windows Firewall. When I disabled the Windows Firewall and ran my ZoneAlarm Pro instead the firewall check turned orange. Security Center was able to tell me that ZoneAlarm Pro is installed, but it was unable to verify it was running or properly configured so it marks the status orange. Regardless, this is a handy step in the right direction. It gives even novice users a sort of “one stop shopping” place to look to see whether their system has the basic protective measures turned on or not.
  • Automatic Updates: Automatic Updates are not new. Microsoft has long offered the option of enabling Automatic Updates so that your Windows system could periodically phone home and learn of any new critical updates that might be available. Depending on how you configure it, these updates can occur without your intervention while you’re snug in your bed, thereby keeping your system more or less proactively patched without any effort on your part. With Windows XP a little icon would appear in the Systray asking the user whether they wanted Automatic Updates turned on or not, but with SP2 the question of Automatic Updates is made much more obvious and harder to ignore. Hopefully this new approach will lead more home users to enable this feature.
  • Disabled Windows Messenger Service: This is not to be confused with the Microsoft MSN Messenger instant messaging program. The Windows Messenger Service is used to communicate between network devices and send alert messages and such to administrators. It is arguably unnecessary for home users and has been hijacked by spammers as a means for popping up unsolicited messages on users’ machines. Disabling it by default will stop this annoying spam from showing up on your computer.
  • Stop Network Attacks: In the past year or so, flaws in the Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) technologies have resulted in a variety of malware, including the MSBlast and Nachi worms. These threats were able to exploit these vulnerabilities to spread across network connections from computer to computer. The changes made by SP2 will help to reduce or eliminate exploits like these.

I could go on and on. This isn’t so much a patch or update as it is a completely new version. Rather than calling it Windows XP Service Pack 2 they could just drop the “Service Pack” part and call it Windows XP 2. With Windows XP SP2 Microsoft has finally made some tremendous strides in providing a more secure operating system by default rather than simply including some questionably functional security features buried somewhere within the operating system.

There is no question that every Windows XP user should acquire and install this update once it becomes available. Windows XP Home users will still be lacking in a number of very key security features that exist in Windows XP Professional (see 5 Steps To Secure Windows XP Home), but with SP2 it will be significantly more secure than without it. Not only will applying SP2 add all of this new security functionality, but it will apply all of the patches for the operating system up through the date they publish the Service Pack so the system will be protected against all of the known vulnerabilities through that time.

One of the biggest issues facing users will be acquiring the update. I have heard reports that it is in the 200Mb range; however, the RC1 version that I downloaded was a 475Mb download, which would take approximately 20 to 45 hours to download on a standard dial-up connection. While broadband use is growing rapidly, there is still a vast majority of users, the very users who need the updated security the most, who are using slow dial-up connections to access the Internet.

Perhaps Microsoft will offer to ship the CD for free to registered users by request. I have contended that Microsoft should partner with distribution outlets like Blockbuster Video or Best Buy or Target or something to offer Service Packs and other large updates on free CDs for the taking, the same way the ubiquitous America Online CDs are pushed. If neither of those things occurs, you might consider downloading it at work if you have high-speed access and won’t be violating the AUP (acceptable use policy) of your employer, or find a friend with broadband access and a CD burner to help you get the patch.

What is ASLR? How Vista Keeps Attackers Guessing

For many people SLR is camera talk. It means “single lens reflex”. The first time these people hear ASLR they might just assume that it stands for “advanced single lens reflex” and represents the next big wave in digital photography. Well, I won’t rule out the possibility that the camera industry will steal the acronym, but for the purposes of this article ASLR stands for “address space layout randomization”.

Many exploits and malware attacks rely on the ability of the programmer to accurately identify where specific processes or system functions reside in memory. In order for an attacker to exploit or leverage a function, they must first be able to tell their code where to find the function or process to exploit.

With previous versions of Windows, these memory locations were known or easily discovered by attackers and malware developers. With Windows Vista, Microsoft made it into more of a shell game, with 256 shells.

To be fair, Microsoft did not invent the ASLR technique. The PaX Project pioneered techniques like ASLR and DEP (another function incorporated into Windows Vista) as a Linux patch in 2001.

Regardless of its origins, its inclusion in Windows Vista by Microsoft means that exploits and malware that work in Windows XP have only a 1 in 256 chance of succeeding in Windows Vista. In addition, there is a probability that a failed attempt initiated against one of the other 255 memory locations will actually crash the system. Crashed systems are bad, but the fact that the system will crash makes it virtually impossible for an attacker to simply automate an attack that tries all 256 memory locations in order, and also alerts the user that something peculiar is going on.

By itself, ASLR is not a ‘silver bullet’ defense, but the inclusion of ASLR in addition to other security functions such as DEP (Data Execution Prevention) and the security aspects of UAC (User Account Control) helps Vista to defend itself against many threats that would work on Windows XP and other prior operating systems. In Windows Vista, there is a 1 in 256 chance that a given threat will be rendered powerless.
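As an added worked example (not part of the original article), the model below puts numbers on the “1 in 256” claim and on why a miss that crashes the system matters; it assumes exactly one correct layout out of 256 and one observable crash per miss, both constructed simplifications of the article's description.

```python
"""Added example (not from the original article): putting numbers on the
"1 in 256" claim and on why a miss that crashes the system matters.

Two simplified models of an exploit that needs one correct address out of
`slots` equally likely layouts (256 for Vista's image-base randomisation):

  * fixed layout: the layout never changes, so a failed guess is crossed
    off and the next attempt tries a new slot (the "try all 256 in order"
    automation the article says ASLR defeats);
  * re-randomised: every miss crashes the target, the layout is drawn
    afresh when it comes back, and nothing learned carries over.

Assumptions (constructed for this model): exactly one slot is correct and
every miss produces exactly one observable crash.
"""
import random

SLOTS = 256  # 8 bits of entropy, as the article describes for Vista


def p_success_within(attempts, slots=SLOTS, rerandomize=True):
    """Probability that at least one of `attempts` guesses hits the right slot."""
    if attempts <= 0:
        return 0.0
    if rerandomize:
        # Independent 1/slots draws: P(all miss) = ((slots-1)/slots)**attempts
        return 1.0 - ((slots - 1) / slots) ** attempts
    # Fixed layout: tried slots are never retried, so success is certain
    # once every slot has been covered.
    return min(attempts, slots) / slots


def expected_crashes(slots=SLOTS, rerandomize=True):
    """Expected number of crash events a defender sees before a hit."""
    if rerandomize:
        # Geometric distribution: mean attempts = slots, the last one succeeds.
        return slots - 1.0
    # Fixed layout: the hit is uniformly the 1st..slots-th attempt.
    return (slots - 1) / 2.0


def simulate(trials, slots=SLOTS, rerandomize=True, seed=1):
    """Monte Carlo check of the closed forms. Returns the mean crash count
    and the fraction of trials that succeeded within `slots` attempts."""
    rng = random.Random(seed)
    total_crashes = 0
    within_budget = 0
    for _ in range(trials):
        layout = rng.randrange(slots)
        untried = list(range(slots))
        rng.shuffle(untried)
        attempts = 0
        while True:
            attempts += 1
            guess = rng.randrange(slots) if rerandomize else untried.pop()
            if guess == layout:
                break
            total_crashes += 1  # every miss is a crash the user can notice
            if rerandomize:
                layout = rng.randrange(slots)  # restart re-randomises the layout
        if attempts <= slots:
            within_budget += 1
    return {"mean_crashes": total_crashes / trials,
            "p_within_slots": within_budget / trials}


if __name__ == "__main__":
    for mode in (False, True):
        label = "re-randomised" if mode else "fixed layout"
        print(f"{label:14s} P(hit within 256) = {p_success_within(SLOTS, rerandomize=mode):.3f}"
              f"  expected crashes = {expected_crashes(rerandomize=mode):.1f}"
              f"  simulated = {simulate(2000, rerandomize=mode)}")
```

With re-randomisation even 256 attempts succeed only about 63% of the time and cost roughly 255 crashes on average, each one a visible event, whereas a fixed layout is guaranteed to fall within 256 quiet attempts.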

Windows Vista Security (Securing Vista Against Malicious Attacks)

Rating: four

The Bottom Line

While Windows Vista is widely publicized as the ‘most secure’ Microsoft operating system to date, there is a very large gap between ‘most secure’ and ‘impervious’. Vista is not perfect and users and administrators alike will benefit from an understanding of the security features to ensure they are properly configured. Many of the features in Vista have a learning curve and require a little Windows XP detoxification and re-education. This book can provide the knowledge you need to understand and implement Vista security.
Pros
  • The authors are respected experts on this subject
  • Comprehensive and well-written
  • Provides information useful for readers of just about any technical level
Cons
  • Can come across a bit like a ‘sales pitch’ for Vista at times

Description

  • Combines technical knowledge of Vista security features with sound security practices
  • Covers all new Vista security features including User Account Control, Internet Explorer 7, Windows Defender, and BitLocker
  • Written by a Microsoft MVP and Foundstone Consultant, and a former senior member of Microsoft’s Security Engineering Team
  • Published by Wiley, July 2007
  • 582 pages

Guide Review – Windows Vista Security (Securing Vista Against Malicious Attacks)

A few years ago, Oracle had the audacity to run a marketing campaign claiming that their database product was “unbreakable”. It didn’t take long for someone to break it, and for Oracle to back-pedal their marketing stance and claim that they didn’t mean it was 100% impervious, just that security was stronger and they had an “unbreakable” mindset, or something to that effect.

Since the introduction of Windows Vista, it has been hailed by Microsoft and by most media outlets as the “most secure” Windows operating system yet. Microsoft critics have been quick to jump up and down every time a weakness or vulnerability has been discovered, emphatically pointing out that it is, in fact, flawed. They fail to realize that there is a big difference between “most secure” and “unbreakable”, and that nobody ever claimed it was perfect.

With Vista, Microsoft took tremendous strides on the security front and introduced a variety of new features and technologies. UAC (User Account Control) has been widely criticized, mostly by Microsoft’s competition and those who don’t really understand its purpose or how to use it. Microsoft also included hard drive encryption with BitLocker, the new and improved Internet Explorer 7, and more. There is a learning curve to understand these new components and use them properly.

Grimes and Johansson provide the knowledge and details you need to know to understand these new security features. They walk you through how to configure them to protect your Windows system. They also understand that the user is the key to security, and they take a holistic approach in trying to educate the reader on sound security practices that complement the security technology in Vista.

The book is a little “rah rah” Microsoft in spots, but that doesn’t take anything away from its exceptional value. Pick this book up and put it to use.

Secure Your Wireless Network

Convenience at a Price

Wireless networks have the potential to make enterprise networking much more efficient and cost effective. It is much easier to set a user up with a wireless network connection than to run Ethernet cabling from the nearest switch, through the walls and install a network jack at their desk. Wireless networks also help resolve the fairly ubiquitous problem of having too few network connections in conference rooms, and the fact that the conference room network connections are always at the least functional location possible.

The convenience of wireless networks comes with a price though. Wired network access can be controlled because the data is contained within the cabling that connects the computer to the switch. With a wireless network, the “cabling” between the computer and the switch is called “air”, which any device within range can potentially access. If a user can connect with a wireless access point from 300 feet away, then in theory so can anyone else within a 300 foot radius of the wireless access point.

Threats to Wireless Network Security

Aside from the threat of unauthorized users accessing your network and eavesdropping on your internal network communications by connecting with your wireless LAN (WLAN), there are a variety of threats posed by insecure or improperly secured WLANs. Here is a brief list with descriptions of some of the primary threats:

  • Rogue WLANs – Whether your enterprise has an officially sanctioned wireless network or not, wireless routers are relatively inexpensive, and ambitious users may plug unauthorized equipment into the network. These rogue wireless networks may be insecure or improperly secured and pose a risk to the network at large.
  • Spoofing Internal Communications – An attack from outside of the network can usually be identified as such. If an attacker can connect with your WLAN, they can spoof communications that appear to come from internal domains. Users are much more likely to trust and act on spoofed internal communications.
  • Theft of Network Resources – Even if an intruder does not attack your computers or compromise your data, they may connect to your WLAN and hijack your network bandwidth to surf the Web. They can leverage the higher bandwidth found on most enterprise networks to download music and video clips, using your precious network resources and impacting network performance for your legitimate users.

Protecting Your Network from Your WLAN

LAN segmentation is used by many organizations to break the network down into smaller, more manageable compartments. Using different LAN segments or virtual LAN (VLAN) segments has a number of advantages. It can enable an organization to expand its network, reduce network congestion, compartmentalize problems for more efficient troubleshooting, and improve security by protecting different VLANs from each other.

The improved security is an excellent reason to set your WLAN up on its own VLAN. You can allow all of the wireless devices to connect to the WLAN, but shield the rest of your internal network from any issues or attacks that may occur on the wireless network.

Using a firewall, or router ACLs (access control lists), you can restrict communications between the WLAN and the rest of the network. If you connect the WLAN to the internal network via a web proxy or VPN, you can even restrict access by wireless devices so that they can only surf the Web, or are only allowed to access certain folders or applications.
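As an added example (not from the original article), the ordered first-match access list below enforces the WLAN-to-internal policy just described and audits constructed sample flows against it; the addresses, ports and rule names are assumptions made up for the example.

```python
"""Added example (not from the original article): an ordered, first-match
access list that enforces the WLAN-to-internal policy described above, and
an audit of sample flows against it.

Constructed addressing for this example (not from the article):
  WLAN VLAN         10.50.0.0/16
  internal LAN      10.10.0.0/16
  web proxy         10.10.0.25  TCP 3128
  VPN concentrator  10.10.0.40  UDP 500 (IKE) and UDP 4500 (IPsec NAT-T)
Wireless clients may talk only to the proxy (to surf the Web) and to the
VPN gateway (for approved folders/applications); the trailing implicit
deny blocks everything else, including traffic that bypasses the proxy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Applied inbound on the WLAN VLAN interface, evaluated top to bottom.
# The explicit deny duplicates the implicit one so hits can be logged.
WLAN_INBOUND_ACL = [
    Rule("permit", "tcp", "10.50.0.0/16", "10.10.0.25/32", 3128, "wlan -> web proxy"),
    Rule("permit", "udp", "10.50.0.0/16", "10.10.0.40/32", 500, "wlan -> vpn ike"),
    Rule("permit", "udp", "10.50.0.0/16", "10.10.0.40/32", 4500, "wlan -> vpn nat-t"),
    Rule("deny", "any", "10.50.0.0/16", "10.10.0.0/16", None, "wlan -> rest of internal LAN"),
]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit deny"


# Constructed sample flows from one wireless client.
SAMPLE_FLOWS = [
    ("tcp", "10.50.3.7", "10.10.0.25", 3128),   # browsing through the proxy
    ("udp", "10.50.3.7", "10.10.0.40", 500),    # VPN logon for file/app access
    ("tcp", "10.50.3.7", "10.10.2.15", 445),    # direct SMB to a file server
    ("tcp", "10.50.3.7", "10.10.0.25", 22),     # SSH to the proxy host itself
    ("tcp", "10.50.3.7", "203.0.113.10", 80),   # Internet directly, skipping the proxy
]


def audit(acl, flows):
    """Return [(flow, action, matched_rule)] for every sample flow."""
    return [(flow, *evaluate(acl, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, action, rule in audit(WLAN_INBOUND_ACL, SAMPLE_FLOWS):
        print(f"{action:6s} {rule:30s} {flow}")
```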

Secure WLAN Access

Segmenting your WLAN from the rest of your network will help to protect the internal network from any issues or attacks on the wireless network, but there are still other steps you can take to protect the wireless network itself. By encrypting your wireless communications and requiring users to authenticate before connecting, you can ensure unauthorized users do not intrude on your WLAN and that your wireless data cannot be intercepted.

Wireless Encryption

One of the ways to ensure unauthorized users do not eavesdrop on your wireless network is to encrypt your wireless data. The original encryption method, WEP (Wired Equivalent Privacy), was found to be fundamentally flawed. WEP relies on a shared key, or password, to restrict access. Anyone who knows the WEP key can join the wireless network. There was no mechanism built into WEP to automatically change the key, and there are tools available that can crack a WEP key in minutes, so it won’t take long for an attacker to access a WEP-encrypted wireless network.

While using WEP may be slightly better than using no encryption at all, it is insufficient for protecting an enterprise network. The next generation of encryption, WPA (Wi-Fi Protected Access), is designed to leverage an 802.1X-compliant authentication server, but it can also be run similarly to WEP in PSK (Pre-Shared Key) mode. The main improvement from WEP to WPA is the use of TKIP (Temporal Key Integrity Protocol), which dynamically changes the key to prevent the sort of cracking techniques used to break WEP encryption.

Even WPA was a band-aid approach, though. WPA was an attempt by wireless hardware and software vendors to implement sufficient protection while waiting for the official 802.11i standard. The most current form of encryption is WPA2. WPA2 provides even more complex and secure mechanisms, including CCMP, which is based on the AES encryption algorithm.

To protect wireless data from being intercepted and to prevent unauthorized access to your wireless network, your WLAN should be set up with at least WPA encryption, and preferably WPA2 encryption.

Wireless Authentication

Aside from just encrypting wireless data, WPA can interface with 802.1X or RADIUS authentication servers to provide a more secure method of controlling access to the WLAN. Where WEP, or WPA in PSK mode, allows virtually anonymous access to anyone who has the correct key or password, 802.1X or RADIUS authentication requires users to have valid username and password credentials or a valid certificate to log into the wireless network.

Requiring authentication to the WLAN provides increased security by restricting access, but it also provides logging and a forensic trail to investigate if anything suspicious goes on. While a wireless network based on a shared key might log MAC or IP addresses, that information is not very useful when it comes to determining the root cause of a problem. The increased confidentiality and integrity provided are also recommended, if not required, for many security compliance mandates.

With WPA / WPA2 and an 802.1X or RADIUS authentication server, organizations can leverage a variety of authentication protocols, such as Kerberos, MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), or TLS (Transport Layer Security), and use an array of credential authentication methods such as usernames / passwords, certificates, biometric authentication, or one-time passwords.
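The shared-key versus per-user distinction drawn in the encryption and authentication sections above, as an added example that is not part of the original article: the code derives a WPA/WPA2 PSK-mode master key and the per-association temporal key the way the standard specifies, using constructed MAC addresses and nonces as sample input.

```python
"""Added example (not from the original article): how WPA/WPA2 derive keys
in PSK mode, and why a shared key gives no per-user accountability.

  * PMK (Pairwise Master Key) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096
    iterations, 256 bits), as specified in IEEE 802.11i Annex H. In PSK
    mode every station derives this same value from the same passphrase.
  * PTK (Pairwise Transient Key) = PRF(PMK, "Pairwise key expansion",
    MACs || nonces) from the 4-way handshake; this per-association key is
    what WPA rotates, unlike WEP's single static key.

Anyone who holds the PSK and sees the handshake nonces derives the same
PTK, so PSK mode keeps outsiders out but cannot say *which* user joined;
with 802.1X the PMK comes from each user's own EAP exchange (not modelled).
MAC addresses and nonces below are constructed sample values.
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK-mode PMK, exactly as client and access point compute it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake PTK for CCMP/AES (48 bytes: KCK || KEK || TK).
    TKIP would ask the PRF for 64 bytes to add its two MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample values: a locally administered AP MAC, a client MAC,
# and two 32-byte nonces as exchanged in handshake messages 1 and 2.
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")  # IEEE 802.11i Annex H test case 1
    print("PMK:", pmk.hex())
    session = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("TK :", session["tk"].hex())
    # Same PSK, fresh SNonce: a new association gets a new temporal key.
    again = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, bytes(range(64, 96)))
    print("rekeyed TK differs:", again["tk"] != session["tk"])
```

The PMK for passphrase “password” on SSID “IEEE” matches the published 802.11i Annex H test vector, which is how you can confirm an implementation is computing the same key an access point will.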

Wireless networks can increase efficiency, improve productivity and make networking more cost effective, but if they are not properly implemented they can also be the Achilles’ heel of your network security and expose your entire organization to compromise. Take the time to understand the risks, and how to secure your wireless network, so that your organization can leverage the convenience of wireless connectivity without creating an opportunity for a security breach.

Beware The Monster

It seems like there are so many data breaches these days that the news of such events is more or less brushed aside. The public is becoming de-sensitized and just says “oh, another one of *those* news stories”. Recently, it was discovered that Monster.com, the popular job-hunting web site, was the victim of a breach into their systems which compromised an estimated 1.3 million accounts. Monster.com has issued this notice, which was also emailed out to registered members, and they have allegedly increased monitoring and security on their servers.

Protect Yourself From Phishing Attacks

Have you received any emails lately about your eBay or PayPal account being suspended due to suspected fraud? Perhaps you have been notified by a financial institution (often a bank that you do not even do business with in the first place) that they have upgraded their systems and they need you to click on a link to enter your username and password for verification. These are examples of phishing attacks, or phishing scams. The email is the “bait” to lure you (the “phish”) into surrendering sensitive or confidential information such as your passwords or credit card numbers. You can protect yourself against becoming a phishing victim by following the 5 simple steps I outlined in this About.com Internet / Network Security article.