29 June 2007

Finally got CCSP!

Wahoo! I just passed the final exam on the Cisco Certified Security Professional (CCSP) track. It was the final of 5 exams which I have taken over the past 3 years, and to be honest I'm glad to have finished them, as it allows me to focus a little more on Information Security Management and the process side of things.

At least I get a well earned break from reading those thick Sybex books!

22 June 2007

Home WiFi Jamming

To conclude a trilogy of WiFi Security blogs this week, I’m going to touch on an accidental home encounter I had with WiFi signal jamming. As we become ever more WiFi enabled, particularly in the UK, where there has been a bit of a WiFi explosion of late, with whole areas of cities becoming WiFi enabled, there is little doubt in my mind that we will become more and more dependent on WiFi networks. Anyone who has read any formal IT Security book will know about the CIA Triad: Confidentiality, Integrity and Availability. Security wise, this post is going to be about Availability, i.e. jamming the WiFi signal. Now you might think WiFi jamming sounds a bit far-fetched and that it would require a lot of expensive equipment and expertise, but as I accidentally discovered recently, it does not have to be.

A couple of weeks ago I finally gave in and bought my kids a Nintendo Wii, well I figure it keeps them physically active while playing the video games, which sounds like a fair trade off to me. Anyway I placed the Wii under the main household TV and then tried to connect the Wii up to my home WiFi network, which would allow the Wii to receive software updates, weather forecasts and even browse the web through the Wii’s Opera web browser, however I soon discovered the Wii wouldn’t connect to the WiFi network.

So after an hour or so of troubleshooting, by temporarily stripping down all my WiFi security, and then actually plugging the WiFi Router in downstairs as close as possible to the Wii’s location, I discovered the Wii could only pick up my WiFi network signal from a maximum distance of 10 centimetres! Even then the bandwidth (network speeds) appeared to be far too slow. Well I gave up with it for the day as the kids wanted to play Wii Sports. I just thought I had a dodgy WiFi card built into my Wii, but later that night I had an epiphany while watching Satellite TV upstairs in bed.

You see I have Satellite TV, which feeds into the main TV, however earlier this year I wanted the ability to watch all those lovely Satellite TV channels on the bedroom TV as well, so I bought a cheap "Technika" TV broadcasting solution from the local supermarket for £20 ($40), instead of paying over the odds with the Satellite TV company for a second set top Sat Box. The equipment consisted of a broadcast unit which attached to the SCART OUT of the downstairs Satellite TV box, which sends TV pictures, sound and even the remote control infra red signals to a receiver, which connects to a SCART IN on the bedroom TV. My epiphany was the theory that the TV broadcast unit was somehow jamming the WiFi signal, especially considering the Wii and TV broadcast unit both resided under the main TV. So I switched off the TV broadcast unit and immediately the Wii connected to the internet.

The following day I did some experiments with my laptop. I noted that with the TV broadcast unit switched on, in parts of the house it dropped the WiFi network signal strength by two thirds, while downstairs it wiped all connectivity to the WiFi network.

So it is possible to have effective WiFi jamming at a very cheap cost, I imagine with some customisation you could increase the range of the WiFi jamming and make it a mobile device.

I can think of numerous bad uses for WiFi jamming, especially using it as a decoy while performing other attacks, but perhaps one good use could be to enforce a no-WiFi policy, although you’d probably need to check the broadcasting laws first.

19 June 2007

Are WiFi BotNets Possible?

Following on from my blog about unsecured Home WiFi networks and just how widespread they are in "home user" land, I have been wondering whether it might be possible to create a kind of "WiFi BotNet".

Let’s say the attacker set up in a metropolitan area and constructed an antenna to boost the WiFi range of their device, allowing the attacker to scan and connect to any unsecured or low security WiFi networks over a significant range. Going from my own experience, there should be plenty of unsecured WiFi access points within a metro area. From this point I have two theories.

One trick could be to try and connect to several WiFi networks at the same time and create a kind of mini BotNet, perhaps by the attacker fashioning a network access point, this could provide major bandwidth and anonymity for the attacker. I need to investigate this theory further.

Or the other way, which I think could be easily possible, is to automate connecting to each unsecured WiFi network in turn, do bad stuff while connected, like send out Spam, then disconnect and move onto the next scanned unsecured WiFi access point. Again it would be almost impossible to trace back the attacker.

18 June 2007

Badly Secured Home WiFi

It still amazes me just how many home users and small businesses out there are using unsecured home wireless networks. I visited a friend over the weekend to help out with a computer related issue, I booted my laptop up, enabled my WiFi card, and I immediately picked up several WiFi access points, of which two had no encryption, no passcode required! One of the SSIDs was even called "NetGear". I also picked up a small business WiFi network called "WEP", oh dear, lol.

It's frightening what some home WiFi users are leaving themselves exposed to. Anyone in the vicinity could easily use their WiFi connection to visit "dodgy and illegal websites". Should this activity be discovered by the authorities, who will track them down through the ISP, it will be the WiFi owner’s door on which the police will be knocking. It also raises the question: if someone wanted to "get away" with visiting dodgy websites, by deliberately leaving open their WiFi connection and playing the fool, could that be a legal "get out" clause? Who knows when it comes to computer crime laws, which are well behind the times in the UK. In a population approaching 60 Million, there are on average fewer than 10 people a year being prosecuted under the Computer Misuse Act, with computer related crime tending to end up under either theft or fraud charges and convictions.

So just how are these unsecured WiFi networks originating, as these days most ISPs are providing WiFi routers with the ISP configuration with WPA encryption preloaded as standard? Well it comes from the days when all the ISPs provided was a standard DSL router/modem. Home users would themselves trundle down to their local PC Supermarket (*cough* rip off *cough*), and buy a WiFi Router from the ever NOT so knowledgeable shop assistant. They would just chuck the WiFi Router in at home and just be ever so pleased to eventually get it working with their DSL provider and home devices. So they either overlooked security completely or probably didn't know enough about it or even how to go about configuring it.

Perhaps manufacturers should enable security by default on their products (some may do now). As a Cisco Security guy, I know the Cisco line is to disable all security features by default on their Routers; Cisco take the stance that it’s the end user's responsibility to secure the product for use. However I must admit I don't know what the default settings are like on the Cisco LinkSys range of products these days, which is aimed at the home market.

Whether or not manufacturers are providing enough security as default on their WiFi products is just half the puzzle, as I think it's more about getting the message "home" to those "home users" - forgive the pun.

13 June 2007

Who's the IT Security Expert?

So I'm the author of the ITSecurityExpert blog, but what's my background?

Well I'm based in the UK, so although I sing from the same hymn sheet as my US counterparts security wise, there are sometimes little twists with my view points. For instance in the UK we are governed by the Data Protection Act law, and there are those pesky European laws to consider. Although I must stress I’m a Security Professional from a “techie” background rather than a background of “Law” or dare I say it, “Quality”.

I've been in IT Security for over 15 years, to be honest at first I didn't realise I was doing IT Security, but looking back I certainly was. In the nineties I spent several years designing, building and implementing locked down (secured) Servers, Workstations and networks, which I installed onto Royal Navy battleships and submarines for a third party company. These IT systems didn't house anything exciting like weapon systems, just a boring engineering maintenance application. Still it was good fun going on board all those ships, as well as the social beer drinking side of things.

I have spent two years at a top UK Grammar (very posh) School, building a new secure Server room, physically separating the staff and pupil networks, and tracking down some quite clever pupil hackers etc. I have spent a few years running a European WAN for an American company, which kick started the Cisco side of my career, as I redesigned a secure WAN using Cisco Routers and Firewalls. By the way, I’m a Cisco command line sort of guy rather than a web interface user. I recently spent 5 years at a blue chip document management company, which provided outsourced document management solutions, mainly to the financial sectors (i.e. household name banks). I started out designing and implementing secure solutions, but I soon ended up responsible for IT Security Management. Typical solutions were bank statement printing and credit card application document scanning. In fact it’s fair to say I learnt most of my security “know-how” by working with and having my sites and solutions security audited by a particular banking client, who consider themselves one of the world’s biggest banks with the best security (well they would say that).

Career highlights so far, well I once hit the European IT press for creating Europe’s first Satellite VPN in 2003. http://www.computerweekly.com/Articles/2003/09/26/197514/satellite-vpn-a-cheaper-way-to-fast-web-links.htm

I've had involvement in a real life major disaster recovery event, when in December 2005 the Buncefield Oil Depot in the UK exploded! It badly damaged my then employer’s primary solution site. The explosion was the largest explosion in peacetime Europe and it finished several businesses, however thanks partly to my IT system design, and my input within prior COB testing, the business was able to carry on providing solutions to its clients (and their customers) unaffected, operating from a DR site.

Buncefield Explosion http://news.bbc.co.uk/1/hi/uk/4517962.stm http://www.computerworld.com.au/index.php?id=1048608389

At the moment I am employed by a large UK outsourcing company, I am responsible for securing several sites throughout the UK, including a hosted solution site which takes “a great deal” of online payments. So as well as the usual office level security, I’m dealing with PCI compliance, application development security and web application (web 2.0) security.

To go with my career security experience, I hold one or two certifications; to be honest I can be a bit of a cert junkie. I am a CISSP and I'm one exam short of my Cisco CCSP, which I plan to complete in the next couple of months. Cisco wise I hold Cisco Firewall Specialist, Cisco Information Security Specialists and the old CCNA, so I consider myself well versed with network level security. On the IT side I’m a Master CNE, and an MCP - I took the MCP exam as a bet, which I won.

As well as the technical side of Information Security, I tend to focus on educating the users, as I see them as the greatest security weakness of all. I have just started to produce a Podcast for home users to help them understand the basic security issues, so they can protect themselves at home. My podcasts aren’t meant for my fellow Security professionals, they cover stuff they should already know! Actually this is a good juncture to clear up the name, I regard myself as an IT Security Expert to the average Joe, I am certainly not pushing a status of "IT Security Expert – I know all!” to my fellow security bloggers, who in most cases are much further up the security tree than I, especially within those specialist security areas. Information Security covers a huge array of topics, I don’t think anyone can claim to be an “expert” across the board, and I certainly don’t.

Why blog? As I said in a previous blog, being in the Security business can be a lonely profession, especially if you work on your own, which I do most of the time. The Security Blogospheres of which I’m now a part make an excellent forum for me to bounce my views and ideas off cutting edge security professionals, while providing an excellent place for me to develop and evolve my own security knowledge further. I also like to think I can contribute something back to the community. I believe in keeping an open mind, sharing ideas, respecting view points, not flaming and above all staying secure.

Finally I'd just like to thank Martin McKeay (Cobia) and Alan Shimel (Still Secure) for allowing me to be a part of the Security Blogospheres, respectively the “Security Roundtable” and “Security Blogger’s Network”.

http://networks.feedburner.com/Security-Bloggers-Network
http://www.mckeay.net/
http://www.stillsecureafteralltheseyears.com/