Paul Ducklin’s blog
Duck or grouse.
Security by accident, or security by design?

I can't imagine blaming anyone other than the author for last week's iPhone virus outbreak. The virus wasn't an accident -- the self-confessed creator wrote and disseminated the virus quite deliberately.
However, the virus only infects apostate iPhones whose owners have removed Apple's restrictive software cocoon -- so-called jailbroken devices. Additionally, the virus only infects iPhones which have not been properly secured after liberation. So there are many who blame the virus on the jailbreakers, claiming they brought the problem on themselves.
And a few observers have even blamed the virus author's mobile phone operator, claiming that the company should have been using Network Address Translation (NAT) on its 3G network as a security measure which would have prevented the virus.
This is a curious argument, and it raises two questions: what is NAT, and what security purpose, if any, is it supposed to serve?
You can read about traditional NAT, which was first codified as RFC1631 in 1994, in RFC3022, published in 2001. NAT's primary objective was to make 32-bit IP numbers go further, in order to buy us time to update to IPv6. (Given that IPv6 adoption is still very limited, 15 years later, NAT has obviously achieved this goal.)
The basic idea is simple: take a single, public IP number issued by your ISP, and assign this number to a router at your network edge. Give all the PCs inside your network a range of non-unique, private IP numbers, and let the router translate all outbound packets so they appear to come from the network address of the router itself. Similarly, let the router translate and redirect all reply packets to the network address of the originating PC. And there you have it: Network Address Translation.
One side-effect of this behaviour is that inbound connection requests must be aimed at the router, since it has your network's only public-facing IP number. Until you instruct the router which inbound requests should be forwarded to which internal servers, inbound connections can't be accepted -- the router simply doesn't know where to send them.
So, as RFC3022 points out, "traditional NAT can be viewed as providing a privacy mechanism, as sessions are uni-directional from private hosts and the actual addresses of the private hosts are not visible to external hosts." In other words, by default, NAT limits the extent to which your network structure is visible to outsiders, and prevents outsiders from connecting into your network.
However, it is a large -- and, in my opinion, unwarranted -- leap of faith to consider NAT to be a security measure. Indeed, the original RFC authors seem to agree, warning that "unfortunately, NAT reduces the number of options for providing security." In particular, NAT makes it much more difficult to track troublesome behaviour back to source -- including security violations -- since the IP address of any offending host is masked by the NATting router.
In short, NAT is a necessary evil in contemporary networking, since we don't have enough IPv4 addresses for every device on the internet. Used responsibly, NAT can increase your resilience to external attack, because of its systematic resistance to unwanted inbound connections. But it is a snake-oil substitute for a proper network security regimen. It was designed to help the internet stretch further, not to make it more secure.
In particular, the PCs inside a NATted network enjoy no protection from each other because of NAT. Even if NAT helps to stop a virus like Conficker from sneaking into your LAN through your router, it won't stop the virus from wandering around inside your LAN if it gets in via other means. Indeed, when Conficker was widespread earlier this year, most organisational outbreaks I dealt with seem to have entered quietly on infected USB keys, and then spread liberally across the intranet -- whether the network was NATted or not.
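To make the translation rule concrete, here is a toy NAT router in Python, added as an illustration (it is not code from the post or from Sophos). All addresses are constructed sample values; `demo()` runs an outbound session, its reply, an unsolicited inbound packet, a deliberately forwarded port and, as the paragraph above notes, LAN-to-LAN traffic that the router never sees at all.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """One public address, a table of active outbound sessions, and explicit
    port-forwards for the few inbound services you choose to expose."""

    def __init__(self, public_ip, private_prefix, first_port=40000):
        self.public_ip = public_ip
        self.private_prefix = private_prefix
        self.next_port = first_port
        self.sessions = {}   # public port -> (private ip, private port)
        self.forwards = {}   # public port -> (internal server ip, port)

    def is_private(self, ip):
        return ip.startswith(self.private_prefix)

    def outbound(self, pkt):
        """Rewrite the source so the packet appears to come from the router."""
        origin = (pkt.src_ip, pkt.src_port)
        for pub_port, who in self.sessions.items():
            if who == origin:        # reuse the mapping of an existing session
                break
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[pub_port] = origin
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Redirect a reply to the PC that started the session; drop the rest."""
        target = self.sessions.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None          # unsolicited: the router has nowhere to send it
        return Packet(pkt.src_ip, pkt.src_port, *target)

    def route(self, pkt):
        if self.is_private(pkt.src_ip) and self.is_private(pkt.dst_ip):
            return pkt           # LAN-to-LAN traffic never touches the NAT at all
        if self.is_private(pkt.src_ip):
            return self.outbound(pkt)
        return self.inbound(pkt)

def demo():
    nat = NatRouter("203.0.113.7", "192.168.1.")   # constructed sample addresses
    nat.forwards[80] = ("192.168.1.10", 80)        # the one service deliberately exposed
    out = nat.route(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    reply = nat.route(Packet("198.51.100.5", 443, nat.public_ip, out.src_port))
    unsolicited = nat.route(Packet("198.51.100.9", 4444, nat.public_ip, 445))
    forwarded = nat.route(Packet("198.51.100.9", 4444, nat.public_ip, 80))
    lateral = nat.route(Packet("192.168.1.20", 445, "192.168.1.21", 445))
    return {"out": out, "reply": reply, "unsolicited": unsolicited,
            "forwarded": forwarded, "lateral": lateral}
```

Run `demo()` and note that `unsolicited` is `None` while `lateral` comes back untouched: the router stops what it sees, and it does not see traffic between two PCs on the same LAN.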
Remember: security doesn't happen by accident.
(Nor do viruses, so don't try to shift the blame away from the people who create them in the first place.)
Image source: NJV's Flickr photostream (Creative Commons)
Posted on November 18th, 2009 by Duck. Filed under: Safety online
Queensland: sun, sand, surf -- and security
You're probably expecting me to comment on the iPhone virus sneaking through Australia at the moment, but not everyone is head-over-heels in love with reading about iPhones, so that can wait.
Right now I want to report on my latest outing to a Sophos Signature Series Luncheon, this time in Brisbane, Queensland.
My fellow presenter was Steve Bignell of the Queensland Police Service (QPS), which is planning to take community policing into the wireless age by going on wardrives around towns and cities in Queensland. Those with insecure networks can then be advised of the risks they face.
Wardriving involves driving around, scanning for wireless networks, and recording any publicly-visible aspects of their configuration. Almost any device with a WiFi chip, such as a PSP, DS Lite, mobile phone, PDA, netbook or laptop, can be used. Numerous free software packages exist to perform the WiFi scanning and recording.
Note that wardriving isn't immoral or illegal (though I am not a lawyer), at least if you are only listening in. The WiFi spectrum is unregulated, so those who exercise their freedom to transmit within the WiFi wavelengths implicitly authorise anyone who is in range to listen to what they have sent out. WiFi transmissions really are public, and that is by design.
When QPS first announced their wardriving ideas, back in July 2009, reactions were mixed. In particular, some observers imagined that their goal was to wipe out free internet access, assuming that the police would be unashamedly opposed to free WiFi since open access points can provide anonymity for carrying out or co-ordinating criminal activity, from spamming, through credit card fraud, all the way to terrorism.
But the Queensland coppers are not trying to be wowsers or kill-joys. Most of the insecure networks they find are not open by design, but by accident, and represent data leakage problems just waiting to happen. As more and more users rely on connecting work laptops to their home networks, WiFi insecurity poses an ever-increasing risk.
If you want to ensure security and confidentiality when using a public transmission medium such as WiFi, you must take positive steps. QPS wants the public to become aware of the steps they should be taking.
Unfortunately, there are still a few old-school myths out there about what represents a satisfactory minimum for WiFi security, so let's bust the three most common myths very briefly.
Firstly, hiding your network name (known as the SSID, or more properly the ESSID, for Extended Service Set Identifier) does not increase security. It can increase safety, by preventing passing visitors from latching onto your network by mistake. But the ESSID is passed unencrypted to the access point whenever a legitimate user connects to your network. So -- as the Kismet screenshots on the right reveal -- your ESSID is both exposed and confirmed whenever anyone connects successfully.
Secondly, Media Access Control (MAC) address filtering, which restricts access to users with specifically-numbered network cards, doesn't increase security, either, though it helps to prevent inadvertent connections. Currently-active clients can be enumerated with a WiFi sniffer, thus exposing the list of MAC addresses which are allowed to connect to your access point. Since you can adjust the MAC address of most WiFi cards with software, an attacker can easily spoof an authorised network card and connect to your access point.
Thirdly, WEP (Wired Equivalent Privacy) encryption simply isn't good enough. Due to a cryptographic weakness in the underlying protocol, WEP passwords can be recovered using statistical techniques from an astonishingly small amount of network traffic. In a recent experiment, I sniffed the WiFi traffic generated by downloading the latest Firefox security update (about 9MB). From this captured data alone -- about 2 minutes' worth on a 1.5Mbit/sec ADSL line -- I was able to recover the WEP key in under 20 seconds.
Use WPA (WiFi Protected Access) as a minimum. Two encryption systems are supported: TKIP and CCMP. Since TKIP is based on the RC4 encryption algorithm, which contains the flaws through which WEP can easily be broken, I recommend that you choose CCMP, which is based on the as-yet-untarnished AES encryption algorithm.
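The three myths and the WPA/CCMP recommendation above can be turned into a quick check of an access point's configuration. The Python below is an added example (not from the post or from Sophos); it reads hostapd-style `key=value` settings, and the two embedded configurations are constructed samples, one with the weak settings and one with the recommended ones. The parser is deliberately simple and only looks at the handful of hostapd keys named in the code.

```python
WEAK_CONF = """\
# constructed sample: the three myths, plus WEP
ssid=DuckNet
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
wep_default_key=0
wep_key0=0123456789
"""

GOOD_CONF = """\
# constructed sample: the recommended setup
ssid=DuckNet
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase
"""

def parse(conf):
    """Read key=value lines, ignoring comments and blanks (hostapd's own syntax)."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(conf):
    """Return a list of findings; an empty list means none of the myths apply."""
    s = parse(conf)
    findings = []
    if s.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden ESSID: stops accidental joins, but every successful connection reveals it")
    if s.get("macaddr_acl", "0") != "0":
        findings.append("MAC filtering: the allowed addresses can be sniffed and copied")
    uses_wep = any(k.startswith("wep_") for k in s)
    if uses_wep:
        findings.append("WEP: key recoverable from a small traffic capture; use WPA instead")
    try:
        wpa = int(s.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if wpa:
        # hostapd uses wpa_pairwise for WPA and rsn_pairwise for WPA2; check both
        ciphers = (s.get("wpa_pairwise", "") + " " + s.get("rsn_pairwise", "")).split()
        if "TKIP" in ciphers:
            findings.append("TKIP: RC4-based like WEP; choose CCMP")
        if "CCMP" not in ciphers:
            findings.append("CCMP (AES) not enabled")
    elif not uses_wep:
        findings.append("no encryption at all")
    return findings
```

`audit(WEAK_CONF)` reports all three myths; `audit(GOOD_CONF)` reports nothing.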
Act today. Don't wait for The Man to warn you that your WiFi is insecure!
802.11 number plate is a "share and remix" image from Woody1778a's Flickr stream
Posted on November 9th, 2009 by Duck. Filed under: Cryptography, Cybercrime, Diary, Privacy, Safety online
How many zombies in Australia?
As you may have seen, we declared 31 October 2009 to be International Kill-A-Zombie Day. Unsurprisingly, we suggested, amongst other things, that you scan your PC with an up-to-date anti-virus.
The cynics amongst you are probably thinking, "But you would say that, wouldn't you?" Yes, we would indeed! We're saying it because there are still millions of PCs out there which aren't properly protected, which are infected with malware, and which are contributing inadvertently to global cybercrime.
I recently carried out a thought experiment to estimate the number of zombies in Australia (population approximately 22 million, or about one-third of the UK and one-fifteenth of the USA). I made an informed guess at the number of spams each day worldwide, the percentage of spam originating from Australia, and the average number of spams a zombified PC might send each day -- bearing in mind that not all zombies are programmed to send spam, that some ISPs throttle outbound spam, and that uplink bandwidth on most Australian ADSL connections is artificially restricted.
From these figures (details and justifications on request) I guessed that Australia has about 80,000 active zombies at any moment. I'll further guess, based on the intelligence accumulated by SophosLabs about active infections -- in other words, where malware has successfully evaded any existing security measures -- that the vast majority of zombies on these infected PCs are not new, and would be easily detectable with an up-to-date anti-virus.
Since the free Sophos Threat Detection Test can coexist with your existing anti-virus, you don't need to uninstall anything first. Give it a try. You may be surprised at what shows up.
Also, if you aren't yet using an endpoint firewall, remember that this class of product can provide an important second line of defence against the harm caused by zombies. Unlike border firewalls, which see packets after they have left their sending PCs, endpoint firewalls know which applications and processes have produced what traffic. This means that they can block communication by new, modified or unknown programs and thus prevent zombies from sending out spam or personal data from your PC.
Note that most border firewalls and routers, whether at home or at work, routinely block inbound connections. This is sensible, because it helps prevent outsiders from hacking into your network. But don't make the mistake of assuming this alone can protect you from zombification.
Even though zombies are generally described as "malware allowing cybercrooks to issue malicious commands to your PC", this sort of remote control does not require the crooks to connect in to your computer. Most zombies work by connecting out from your PC to download instructions on what to do next. A firewall which merely prevents inward connections cannot stop data leakage via a connection which was initiated from the inside.
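The difference between a border firewall and an endpoint firewall, as described above, in a short Python model added as an illustration (not code from the post or from any Sophos product). The connection events, program paths and executable "images" are constructed; the endpoint firewall approves a program by path plus a SHA-256 of its executable, so a new, unknown or modified program is refused even though its connection is outbound and the border lets it through.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    direction: str   # "in" (someone connecting to the PC) or "out" (the PC connecting out)
    process: str     # path of the program that opened the socket; empty when unknown
    image: bytes     # constructed stand-in for that program's executable bytes
    remote: str      # remote host:port

class BorderFirewall:
    """Sees only packets: allows sessions initiated from inside, blocks unsolicited inbound."""
    def decide(self, conn):
        return "allow" if conn.direction == "out" else "block"

class EndpointFirewall:
    """Knows which program opened the socket; only approved, unmodified programs may talk out."""
    def __init__(self):
        self.approved = {}   # program path -> sha256 of its executable when approved

    def approve(self, path, image):
        self.approved[path] = hashlib.sha256(image).hexdigest()

    def decide(self, conn):
        if conn.direction == "in":
            return "block"
        if conn.process not in self.approved:
            return "block: unknown program"
        if self.approved[conn.process] != hashlib.sha256(conn.image).hexdigest():
            return "block: modified program"
        return "allow"

def demo():
    browser_path = r"C:\Program Files\Browser\browser.exe"   # constructed path
    browser = b"constructed browser executable v1"
    endpoint = EndpointFirewall()
    endpoint.approve(browser_path, browser)
    border = BorderFirewall()
    events = [   # constructed connection events
        Connection("in", "", b"", "198.51.100.9:4444"),                    # crook connects in
        Connection("out", browser_path, browser, "www.example.com:443"),  # normal browsing
        Connection("out", r"C:\Users\duck\AppData\Local\Temp\bot.exe",
                   b"constructed bot executable", "198.51.100.9:80"),     # zombie phoning home
        Connection("out", browser_path, browser + b" patched by malware",
                   "198.51.100.9:80"),                                    # approved program tampered with
    ]
    return [(c.remote, border.decide(c), endpoint.decide(c)) for c in events]
```

Only the first event is stopped by the border; the endpoint firewall is the one that stops the bot and the tampered browser.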
(By the way, "zombie" above means the same as "bot". So 31 October 2009 was also International Kill-A-Bot day -- two for the price of one!)
Posted on October 31st, 2009 by Duck. Filed under: Cybercrime, Malware and spam, Safety online
ACMA 1 Phone spammers 0
In Australia, offences against the Spam Act are enforced not by the State or Territory police forces, but by a federal body called ACMA -- the Australian Communications and Media Authority.
And on Friday, 23 October 2009, ACMA had something to get excited about, when the Federal Court in Brisbane agreed that two companies and three individuals should collectively be fined a whopping AU$15,750,000 (that's just a fraction under nine million of your British pounds!) for SMS-related spamming offences.
Despite the severity of the punishment, it's hard to feel any sympathy for the offenders when reading the allegations as presented by ACMA, namely that "the respondents were engaged in a complicated scheme to obtain mobile phone numbers from members of dating websites, using fake member profiles, in order to send commercial electronic messages by SMS".
The court accepted ACMA's arguments that:
- after the numbers were obtained, unsolicited messages were sent to the mobile phone numbers offering the opportunity to chat via SMS using services described as the 'Safe Divert' or 'Maybemeet' services;
- the chat was not offered by genuine members of dating websites but employees of the respondents' companies;
- consumers were charged up to five dollars per message; and
- when users questioned whether the messages were from a real person, they were told that it was a real person who was using the "Safe Divert" service to keep their mobile phone number private.
ACMA claims that the scheme generated more than AU$2 million, so the fines imposed recover not only the proceeds of the offence, but will also, one hopes, have both a punitive and a deterrent effect.
Interestingly, just a week before this judgment, ACMA called for public feedback on its proposed new rules for blocking unwanted high-cost services delivered via SMS. It's hard not to feel some outrage against the mobile phone companies for apparently so willingly accepting their share of the revenue from ultra-expensive SMS message services -- especially in the abovementioned case, which was, in ACMA's opinion, "particularly malicious and deceitful as it deliberately and systematically preyed upon vulnerable people, offering false hope and expectations".
Ironically, the window for feedback to ACMA on the control of unwanted mobile premium SMS ended at 17:00 last Friday, the very same day as the court victory up in Queensland.
With this in mind, I'd like to urge ACMA to extend the deadline and allow further time for people to give their feedback. The nature of the deception in the abovementioned case, and the amount of money made by the respondents, ought to be enough to encourage many more consumers to weigh in with their opinion.
Prevention of consumer abuse through SMS-oriented spam will always be better than cure. And prevention will surely be improved through a system which enforces:
- greater consumer protection against unscrupulous mobile premium services;
- greater pressure on the mobile phone operators to show some kind of consumer-centric discrimination in the premium services with which they choose to do business; and
- better default security settings to prevent the young and vulnerable signing up to services which cost way more than they are worth (and which often quietly commit the user to open-ended contractual subscriptions which allow charges to be gouged indefinitely).
If ACMA does extend its deadline, please consider responding.
Posted on October 26th, 2009 by Duck. Filed under: Cybercrime, Malware and spam, Safety online
Social networking in the antipodean spotlight
Dear Diary,
I've just returned from Aotearoa, where I have been speaking at events in the Sophos Signature Luncheon series. Now in their fifth year, these Signature Luncheons bring together experts and thought leaders in IT security for frank and open debate about the future of computer security in Australia and New Zealand.

We kick off these events with two or three short, invited presentations over food. Then we facilitate informal discussion under the Chatham House Rule. Simply put, this rule says you can tell other people what was discussed, but you mustn't say which person or organisation said what. The idea of the rule is obvious: to encourage openness and the sharing of information.
When we started the Signature Luncheons, the main topic of interest was how to keep the bad stuff out. Key issues under discussion included developments in anti-virus and anti-spam technology, the unfolding of the arms race against the Bad Guys, and the possible role of government and legislation in dealing with cybercriminals.
We're still concerned with all of these things, but today's security concerns are as much about keeping the good stuff in as about keeping the bad stuff out. So, at the latest New Zealand luncheons, we concentrated on the former. How do you prevent the escape of data which rightly belongs only inside your own network?
Few of us actually intend to lose our laptops, or to have them stolen, or to send out sensitive data to the wrong email address -- yet data escapes in embarrassingly large quantities in all of these ways. Cryptography, of course, is an important tool in preventing this sort of unwilling data leakage.
Nevertheless, encryption is shrouded in myth. Is a longer password invariably more secure, for example? Can all ciphers ultimately be broken? I gave a talk aimed at busting some of these myths -- on the right you can see me attempting to explain why a one-time pad is provably secure, and, ipso facto, invulnerable to a brute force attack.
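The argument behind that one-time pad claim, written out here as an added illustration rather than a transcription of the talk. Take $m$, $k$ and $c$ to be the $n$-bit plaintext, key and ciphertext, with $k$ uniformly random and never reused:

$$c = m \oplus k, \qquad \Pr[C = c \mid M = m] = \Pr[K = c \oplus m] = 2^{-n} \quad \text{for every } m \text{ and } c.$$

Because that probability does not depend on $m$, Bayes' rule gives $\Pr[M = m \mid C = c] = \Pr[M = m]$: seeing the ciphertext leaves an attacker's knowledge of the plaintext exactly where it was. Trying all $2^n$ keys therefore produces every possible $n$-bit plaintext exactly once, so a brute force attack has nothing to pick the right one out by.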
But willing data leakage, exemplified by the casual attitude which many of us have to social networking, cannot easily be counteracted by technology alone. My fellow presenter in New Zealand was Paul Blowers, a Wellington-based security architect in the law enforcement and intelligence fields. He expounded on the dilemma which many organisations face: how to embrace social networking without giving away the crown jewels.
Social networking can genuinely enhance your business, for instance in recruitment, marketing and customer support. Even law enforcement can benefit: police in Queenstown, in New Zealand's south, celebrated their first Facebook arrest back in January 2009. On the other hand, even the well-meaning use of social networking sites by employees can result in the exposure of information which might better have been kept private.
Should you block social networking sites outright? Having conducted casual audience polls at our Kiwi luncheons over the past few events, it seems as though far fewer organisations think so these days, at least in New Zealand.
In my opinion, this is a sensible move.
Informed employees who make reasonable use of social network sites during their working hours almost certainly pose less risk than ill-informed staff who cannot post at work yet are able to post at will -- including about their work, their employer and their colleagues -- after hours, either from home or from an internet cafe.
Posted on October 25th, 2009 by Duck. Filed under: Cryptography, Diary, Safety online
About Paul Ducklin
Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He is based in the Sydney office. You can email duck@sophos.com if you want to set him right. Learn more