Wednesday 17 December 2008

Even Phishing Emails warn of Phishing Emails

I received a Phishing Email targeting customers of a UK bank just moments ago. I wouldn't normal post such things up, but I found this one particularly amusing and a bit of a phishing Email first, because the email actually warns of suspicious Emails and phishing! I thought the phrase "A new Second Level Password" particularly funny. The scam email finishes with another warning about "suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank - please ignore it and contact us now", it all rather like a 1970s Monty Python sketch!

Phishing Emails always target one of two human emotions, Fear or Greed. This one is targeting Fear; its objective is to scare the receiver into thinking their bank account security (their money) has been compromised, so encouraging the user to click the link through to a bogus website impersonating the bank site, where the users banking credentials are harvested unknowingly.  "Greed" based phishing Emails usually offer free prizes, free holidays or just straight up cash, for example telling the receiver they have won the European Lottery, or that Nigeria millionaire who needs you to pay the bank transfer fees in order to send that a large oil inheritance you have due, not that the user has ever entered any lottery nor has any connection with Nigeria what-so-ever.

Perhaps I shouldn't be making light of these scam Emails, as even though most people are aware of these types phishing email scams today, there are always one or two who do get sucked in and caught out.  This is why these scam emails are still common place in our mailboxes, it is simply because they do work
 
(I have removed the bogus website links)
"Dear Customer,

Latest News

ALERT MESSAGE: SUSPICIOUS E-MAILS - PHISHING FOR DEBIT CARD NUMBERS AND PASSWORDS:

Please be informed that currently fraud e-mails are sent to customers and non - customers of Alliance & Leicester Commercial Bank requesting to provide their online banking details.

In any case you should not provide any of your personal information or banking details.

A new Second Level Password has been sent to all our Retail customers in your online

Please activate the new one.

Start now the Alliance & Leicester Commercial Bank authentication process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Alliance & Leicester Commercial Bank would never ask you to give through e-mail or any other mean any private and confidential information.

If you receive in your mailbox a suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank,

please ignore it and contact us now.

Alliance & Leicester Commercial Bank Online Billing Department."

Tuesday 16 December 2008

No such thing as a Secure Web Browser

The big security story in the main stream news today, has of course been the security vulnerability with Microsoft's Internet Explorer web browser (Serious security flaw found in IE) The vulnerability can be exploited by deliberately engineered or compromised regular websites, allowing the attacker to invisibly access the host PC system, from which point a whole series of further possible attacks can be run, such as stealing website usernames and passwords. At this time Microsoft aren't saying when they will be releasing a patch to fix this issue, which is really unfortunate, as this vulnerability has been known about for at least week from my own knowledge.

The solution to problem being eagerly suggested on TV and radio news, is to download, install and then use different web browser, as they are not affected by this flaw (which is completely true), and are safe & secure. I have problem with the latter, which I heard said and implied on several occasions today, this is a highly misleading statement, as there is no such thing as a "secure web browser".


A couple of weeks ago I spoke with some nice chaps from OWASP (Open Web Application Security Project), a non-profit making and "The" world recognised authority on web application / website security. At the time I was taken back and found it astonishing that at their last OWASP "brain storming" event, which was attended by some of the world's leading web (site) application experts, not one of the web browser companies or organisations sent a representative, despite them all being "VIP" invite to the event. OWASP rightly recognise the architects and developers of web browsers play a key role with the overall security of web sites (web applications) on the internet, and the big flaw discovered with IE really highlights this.

The leading used alternative web browser on Windows systems at this moment is Mozilla Firefox (click here to download it), which is completely free to download and pretty easy for any novice to install and start using. Personally I switched from using Internet Explorer (IE) to Firefox several few months back, mainly because I found it was generally a better web browser to use than IE, and I particularly found the array of security related browser plug-ins extremely useful. So I'm a Firefox convert, but I think it would be a completely wrong and dangerous statement for anyone to state or suggest Firefox is more secure an Internet Explorer, all web browsers by their nature, open source or not, are bound to have vulnerabilities present which are currently unknown and are yet to be exploited. You cannot ever get 100% security, and this law especially applies to software applications.

So what's my advice to IE users? Well I'm not quite going to be a sheep and bleat what I've heard others are advising the masses today, which was to just switch to another web browser application, and hey I'm certainly neither pro nor anti Microsoft either...

My advice is if you are using Internet Explorer, make sure you have "PROTECTED MODE" ENABLED (IE7 or 8 with Vista) and set the Security Zone to "HIGH".

And then make sure you are taking the usual security measures on your PC, such as enabling the local (Windows) firewall, applying all Windows patches & updates, and installing and keeping up-to-date anti-virus / anti-spyware software. Until a patch is released, be especially cautious when browsing "dodgy" type websites, setting the security zone to high, allows you to accept or deny any scripts being executed through the web browser, which is how this and other vulnerabilities are exploited.

Sure, this could an opportunity to give Firefox or another web browsers such as Safari, Opera, Chrome a try out. Using a different web browser will fully protect from this particular flaw, but do not assume your new web browser is any more secure than using Internet Explorer. We tend to know a great deal about the security issues and weakness with IE, mainly due to it being the worlds most popular, therefore the most attacked web browser. Firefox has also had (no doubt will have further) it's fair share of serious security vulnerabilities too - Mozilla Foundation Security Advisories, but these tend not to get same level media coverage, and to be fair here Firefox vulnerabilties have tended not to be exploited to the same high degree as IE vulnerabilties at present, but if everyone switched to Firefox and it became the worlds most popular browser...

So if you are Firefox user (like me), make sure you exercise all the usual security precautions on your PC, firewall, patches, security software etc. And for any techie who is truly paranoid, you could do what I do when researching the real dodgy websites, which is to run your web browser in a Virtual Session.

Finally I have no doubt Microsoft will release a patch for this issue in the next few days anyway, it's just a real disappointment they couldn't of patched the problem last week as part of the usual security patch release cycle.

EDIT 17-Dec-08: Since the original post, Microsoft has released a patch for this vulnerability - http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Tuesday 9 December 2008

Recommended Business WiFi Encryption

I was forwarded an interesting wifi security tech question yesterday which resulted in a debate about whether hiding a WiFi SSID made you secure. I just couldn't resist answering the question, and as usual went off on a security mission with my answer. Lots of positive comments on my answers and my general advice around home and enterprise wifi security, so I'd thought I'd post it up on my blog for all to see. 

Original Q. "I've been having an ongoing debate about the the practice of hiding SSIDs in a corporate environment.  I'm curious to know if hiding SSIDs is widely (emphasis on widely) considered a best practice or whether there are equal arguments on both sides.  My thoughts are that if you couple high grade encryption (WPA2) with some form of authentication (802.1x?) then hiding the SSID is unnecessary - and in fact makes it harder for valid users to find the network."

"Hiding the SSID can keep out the casual WiFi browsing neighbour, but will not prevent the “school boy” level of WiFi broadband thieves from finding out details of your WiFi network, you know those guys who steal WiFi for downloading illegal games, music and other unsavourily whatnot…

The SSID name plays an important part of the WPA-PSK encryption process, as the name is used to uniquely create (or salt as it is referred to) the hash of the WPA passphrase in order to protect against bruteforce attacks, as each bruteforce attempt needs to be hashed 4096 times, meaning it takes ages to try combinations for the passphrases, although it is doable if you have power and time on your hands.  I have rainbow tables (like a hash answer cheat sheet) for top most popularly used SSID names against pre-computed hash values, which allows me to bruteforce passphrases extremely quick, so I can quickly crack poor WPA-PSK passphrases for the most commonly used SSIDs like “NetGear”.  

So therefore my advice, for commercial companies using WiFi always goes with the enterprise WPA encryption options instead of using WPA-PSK (static key/passphrass). At home, go with a long and unique SSID name and decent random passphrase which will prevent rainbow table hash bruteforce. If you are super paranoid at home, go with 20 char+ random SSID name, hiding it doesn’t make any difference to those with the capability of breaking in.

Another point already made, do not name the SSID after your family name or company/department, you shouldn’t advertise what it is to the world, unless you are offering a guest WiFi network.

And yes, we all know WEP is has been broken for 6 years, any WEP key can be cracked in a couple of minutes no matter length and complicity of password and SSID name you used.

Also in the corporate environment, best practice is to scan for WiFi rogue access points at least once a quarter, or even buy a device with continually scans if you have a particularly sensitive site to protect, this is regardless of whether you use WiFi or not at the site.

Oh MAC address filtering is a waste of time too, MAC addresses can be easily spoof (in fact they are impossible to prevent from being sniff), applying a sniffed MAC address to a network card within any OS is easy." 
 
Response - "Thank you for your informative response.  While I’m quite knowledgeable of Microsoft’s products (AD, Exchange, etc.), I’d consider myself an intermediate when it comes to wireless security.  When setting up WAPs, I’ve always used WPA-PSK because that’s what I know to do.  I assume that Enterprise WPA is more secure, but I don’t know what it is.  Is there a website that you could point me to help learn more about this?  I understand that there’s a thing called 802.1x authentication that, for example, would let me require authentication against my Active Directory.  I envision a wireless user establishing the connection, and being prompted to enter their AD credentials, or perhaps it takes what’s cached from when you login to the computer.  Again, any good concise references to this stuff would be greatly appreciated."

"To recap, WPA-PSK (Pre-Share Key) is a personal mode designed for home and small office users who basically do not have any authentication servers available, i.e. Active Directory. WPA-PSK operates in an unmanaged mode using a pre-shared key (PSK), and uses a passphrase to create the encryption key, this the big weakness, as it’s vulnerable to bruteforce attacks. If you have to use this mode within the business setting, I recommend a passphrase of at least 13 characters and regularly changing of that passphrase. BTW the passphrase can be up to 95 characters in length.

By Enterprise modes, I was referring to WPA & WPA2 with IEEE 802.1X and EAP, which operates the WLAN in a managed mode. It uses IEEE 802.1 authentication framework and EAP (Extensible Authentication Protocol) to provide authentication between the client and authentication server. In this mode each user is assigned a unique key to access the WLAN. In answering your question, it uses single-sign on with AD or it can prompt, or it can be setup to use certicates.

Something else I should mention about enterprise modes is WPA-TKIP.  TKIP encrypts each data packet for each individual user at a time, making the encryption extremely difficult to break.  WPA uses the RC4 encryption cipher, where as WPA2 uses the AES encryption cipher, which provides a stronger degree of encryption than RC4. Recently TKIP was proven to have several minor weaknesses with it, in that it’s possible in inject a few packets, and decrypt ARP frames in around 15 minutes, although this is not over concerning and a major flaw, however in my view it is always best to completely avoid such potential issues and go with WPA2 AES option given a choice.

You can use digital certificates with WPA-EAP-TLS, and there’s PEAP authentication as well; all have single sign on capabilities with Active Directory, LDAP, NDS and even with NT Domains."