Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Control 14: Wireless Device Control

Published: 2011-10-20
Last Updated: 2011-10-20 18:27:04 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

Mobility is one of the biggest challenges for information security professionals. Now we are in our offices with many customers that use wireless technology and not only laptops, but phones, tablets and other devices for corporate use. How can we provide access to the company's wireless network to devices that have staff members and third people?

We have to select a proper authentication and cypher mechanism for the wireless network. Known authentication schemes are:

1. PreShared Key (PSK): This is known as the standard "personal network" authentication scheme. The client must supply the PSK to gain association and connectivity to the wireless network.

2. Certificates | Username/password: This is known as the "Enterprise" authentication scheme. The client must supply valid credentials to log-in, including but not limited to username and password and certificates. RADIUS is mandatory for this type of authentication and it must include the appropiate dictionary to interact smoothly with the network equipment you have in your company. 802.1X is the best option you can use to enforce secure authentication to the wireless network. To determine which level of security you want to implement in the authentication level, there is a wide range of authentication protocols within the Extensible Authentication Protocol standard to choose from like:

  • Lightweight Extensible Authentication Protocol (LEAP): This is a propietary Cisco protocol which sends the authentication information using MS-CHAP, which makes it vulnerable to password cracking attacks. I have seen this implementation in my country widely deployed because it is easy and fast to implement. I mention this option because it should not ever be used in corporate production environments.
  • Protected Extensible Authentication Protocol (PEAP): This is a protocol that encapsulates the authentication information (Username and password) in a TLS tunnel so it travels secure to the authentication server. It is an interesting alternative with a reasonable degree of complexity for implementation, because it is not necessary to deploy certificates on all clients that connect to the network, which easily allows mobile devices like phones and tablets connect to the network without major trouble.
  • EAP-Transport Layer Security (EAP-TLS): This is a protocol that provides great authentication security to the wireless network, because apart from the username and password it requires that each client has a valid certificate issued in the certification authority's domain. One of the cons it has is the difficulty of implementation in mobile devices, since not all operating system versions support it and in some cases require additional software to work. This protocol is vulnerable to man-in-the-middle attacks.
  • EAP-Tunneled Transport Layer Security (EAP-TTLS): The difference with the previous protocol is the way that clients can authenticate, because is discretionary for the client device  to present a valid certificate from the domain certificate authority. In this case, the server is the one that authenticates to the client with a valid certificate within the domain certificate authority. Once the secure tunnel is established, the client authenticates sending the username and password. This protects the information against eavesdropping and man-in-the-middle attacks. Many operating systems would need as well additional software to sucessfully authenticate to the wireless networks using this protocol.

How can we protect the WLAN traffic against eavesdropping? Known protection mechanisms are:

1. Wired Equivalent Privacy (WEP): It's a weak security algorithm that uses the RC4 stream cipher for confidentiality and the CRC-32 checksum for integrity. The vulnerability of this protocol lies in the stream cipher algorithm used, as the same key for encryption of traffic can not be used more than once. Because in practice there is no such scheme implemented for this protocol that allows different keys for each packet, you can get the encryption key for the network by monitoring wireless network packets. There are several documented attacks about this protocol and many tools as aircrack and kismet that implements them. This protection mechanism is deprecated and should not ever be used in production environments where unauthorized access is critical.

2. Wi-Fi Protected Access (WPA): This protocol is part of the IEEE 802.11i standard. The encryption key problem is solved by using Temporal Key Integrity Protocol (TKIP) generating 128-bit key per packet transmitted on the network. This protocol was deprecated by IEEE in January 2009.

3. Wi-Fi Protected Access 2 (WPA2): This protocol is also part of the IEEE 802.11i standard. As TKIP is insecure, WPA2 replaces it with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). It combines the Counter-Mode block cipher mode (CTR) for data confidentiality and Cipher Block Chaining Message Authentication Code (CBC-MAC).

Which combination of authentication and encryption scheme should you choose? It should be done according to the level of risk to which you are exposed. I always recommend Enteprise PEAP authentication with WPA2 because it is not  difficult to implement and provide a good level of security with a broad level of interoperability for devices that want to connect to the network. If you are paranoic, you can always use enteprise authentication with EAP-TLS/EAP-TTLS with WPA2.

Please don't forget to review the quick wins list for this control. They are really helpful when developing a plan to implement a Wireless Device Control Architecture.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

1 comment(s)
ISC StormCast for Thursday, October 20th 2011

Evil Printers Sending Mail

Published: 2011-10-20
Last Updated: 2011-10-20 03:56:13 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

A reader reported receiving the following e-mail (modified to anonymize):

Subject: Fwd: Scan from a HP Officejet #123456

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Images: 4
Attachment Type: Image (.jpg) Download

I do not have a printer like this, but it is possible that a multifunction device will send scanned documents as an e-mail in this form. In this case, the links, which I simulated above using a blue underlined font, both lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail but not being able to capture any of the content on related links so far.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: malware spam
10 comment(s)

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

Published: 2011-10-20
Last Updated: 2011-10-20 03:22:04 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Observing never ending port scans against my systems was one reason I started back in 2000. Still today, DShield shows that these scans continue to happen today. It is the goal of a port scan to find vulnerable services. Later, the attacker will use this recognizance to exploit these services.

In order to protect yourself, two basic measures need to be taken:

1 - limit listening services.

As part of your standard configuration, you should turn off all unneeded services. A service that is not running can not be attacked. Of course, you will also need to monitor any changes to this standard configuration. The control of listening services should not stop at controlling services commonly installed on the particular host, but the control should include rogue services as well.

Here are a few ideas to review listening services on hosts:

  • review the output of "netstat" regularly. Netstat will show any listening services. Of course, in the case of rogue services, an attacker may use root kits to mask these services from tools like netstat.
  • review ephemeral port usage. If a port is used by a listening service, it can not be used as an ephemeral portal for outbound connections. You will see a "gap" if you plot all used ephemeral ports on a system.
  • regular port scans. Periodically scan your systems for listening ports. However, be aware that an attack may have masked the use of the port and will only respond to requests from a particular source
  • Network monitoring: Tools like "pads" are able to detect new services on a network passively. This may enable you to detect hidden services as soon as the attacker connects to them. 

2 - applying firewall rules.

Back in 2000, firewalls were a lot less common then they are today. Today, systems arrive with host based firewalls. Many times, the firewall is already enabled to block all inbound traffic by default. In addition to host based firewalls, a well designed network should include network firewalls and take advantage of capabilities in devices like switches to further limit network traffic. 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

3 comment(s)
Diary Archives