M and L Adventures » Security

DD-WRT Vulnerability

Lauren — Tue, 28 Jul 2009 01:44:20 +0000

For all of my readers who are DD-WRT users you may want to stop using v24 SP1, SANS Internet Storm Center (ISC) has a brief post about a DD-WRT vulnerability that will allow an attacker to run programs with root privileges on a vulnerable router. In other words, this is a really bad vulnerability. Root privileges in Linux is the equivalent to admin privileges in Windows. With root access, a hacker could do anything with your router. Since your router controls what you do on the Internet, that could be really, really bad. The SANS post has a link to the dd-wrt forum which provides additional details regarding the problem as well as some options on how to mitigate it and/or patch the DD-WRT firmware. I highly recommend checking it out right now. Now that I’ve stressed it enough, here’s the link to the SANS ISC page: http://isc.sans.org/diary.html?storyid=6853&rss.

Related Posts:

s:

Linksys WRT54GL Cross Site Request Forgery (CSRF) Vulnerability

More Secure OpenID

Lauren — Thu, 03 Jan 2008 22:21:51 +0000

OpenID is a very cool authentication idea. It allows you to have single sign-on (i.e., login once using one user name and password for multiple websites/applications) for sites that support OpenID. The ability to only login to one site and then only provide your OpenID URL to other sites you would like to authenticate to (prove that you are who you say you are) is very nice. For one, it alleviates the problem of having to remember multiple user names and passwords (I hope you use different passwords for different sites…at the very least different passwords for financial sites). For two, it saves time. Unfortunately, every site I use does not yet support OpenID so I still end up having to deal with multiple user names and passwords.

Like all things with computer security, OpenID is not without its fair share of problems. One of the biggest problems is a result of OpenID’s main benefit, single sign-on. Single sign-on is great as long as no one is able to compromise your user name and password. However, if someone manages to compromise your user name and password then they’ve compromised every site for which that single sign-on is used. Therefore, it is imperative that your OpenID account has a very strong (read long, random, mixed case, numbers, and special characters) password.

It is also important that you don’t fall victim to a phishing attack that tricks you into thinking your logging in to your OpenID account when you’re not. Otherwise, it doesn’t matter how strong your password is if you simply give it away to a fake site. In order to ensure the OpenID provider site you’re logging into is legitimate you should examine the SSL certificate to make sure it belongs to your OpenID provider and has been signed by a trustworthy certificate authority (e.g., Verisign, Thawte, etc.).

Another concern with OpenID that I won’t cover in this article because its out of scope is privacy. The jest of the issue is that your OpenID provider can basically track every site you use your OpenID account with. A few other concerns with OpenID exist. I recommend that you checkout Security Now episode 111 if your interested in learning more about OpenID concerns.

Wouldn’t it be great if there was a way to easily and effectively reduce some of the risk with OpenID? Two-factor authentication provides the solution. For those of you who are not familiar with what two-factor authentication is, I’ll give a brief explanation. Two-factor authentication is when you provide more than one form of evidence that you are who you say you are. Generally, people just provide a password which is something you know. However, two other common factors of authentication exist—something you are (biometrics) and something you have (security token/fob, smart card, etc.).

Two-factor authentication is a great solution because it ensures someone can’t easily steal your account by guessing, cracking, or stealing your OpenID password. The second factor means that would need to possess your security token as well. Security tokens work by providing a random string of typically six digits periodically (most tokens do so every thirty seconds). The current six digits being displayed by the token (which only you have) must be appended to the password (which hopefully only you know). Additionally, a two-factor authentication mitigates the risk of falling victim to a phishing site because the password the phisher stole is only good for thirty seconds.

Luckily for all of us Verisign is a free OpenID provider which offers support for two-factor authentication. They call their service Personal Identity Provider (PIP). To take advantage of their service you need to have a supported security token (i.e., a little key-chain device which provides a random number every thirty seconds). Luckily, you can buy one of these devices through PayPal for only $5. As an added benefit, this security token works not only with PIP but also with PayPal and eBay.

A Firefox extension, SeatBelt, automatically fills in your OpenID URL in websites with the appropriate form field. The extension also provides some useful security and OpenID management capabilities.

In conclusion, OpenID is a great solution for trivial sites like blogs and forums as long as you are aware of the dangerous that exist and take the necessary precautions. I still wouldn’t recommend OpenID for financial and medical sites but for pretty much everything else it is great. I know I can’t wait till more of the sites I use start to take advantage of it.

In case your wondering, I’m not getting paid anything to write this post nor do I make any money if you sign up for an account or buy a security key. I just think Verisign is offering a really good, secure OpenID solution that not many people know about. I just wanted my readers to know that this is an available solution. Plus, if enough people start using OpenID more sites are likely to offer it is an login option. Before I forget, you can find a list of OpenID enabled sites at the OpenID directory.

No related posts.

AJAX Security Considerations…

Matt — Fri, 10 Aug 2007 12:19:50 +0000

As many of my blog readers know AJAX is a very popular web development technology right now. AJAX offers web developers the ability to provide desktop application like functionality in web applications. Without AJAX many of the tools I use every day such as GMail, Google Reader, and Google Maps just wouldn’t be near as fun or easy to use. Don’t worry, I do occasionally use non-Google sites that make heavy use of AJAX, I just can’t think of them right now.

However, as recently reported by security researches from SPI Dynamics at the Blackhat USA 2007 security conference, the benefits of AJAX don’t come without significant security risks.

One of the main problems with AJAX is that a lot of traditional server side code is now executed on the client side. This provides would be hackers with a ton of insight on how your application functions. Once equipped with these details it is much easier for hackers to trick web applications into doing things they’re not designed to do.

The presenters at Blackhat showed the audience how a mock AJAX travel site could be tricked into selling tickets cheaper and also tricked into blocking ticket sales for the same airplane. I think these two examples show exactly how important it is for web developers to secure AJAX.

My recommendation on this subject is to not stop developing with AJAX but to take the time and effort to learn about the security problems associated with this web development technique and the ways to avoid the common pitfalls–doing so will make the web a safer place for each of us.

Just so you know where to start more about AJAX security, Darknet offers some good insight on securing AJAX by explaining some of the common ways to attack AJAX applications.

[via Ars Technica]

Related post
Related Posts:
s:

Wireless Network Security Tips

Wireless Network Security Tips

Matt — Sat, 21 Apr 2007 16:54:52 +0000

This post describes some best practices for securely configuring your home wireless network. A few high-level PC security tips are thrown in for good measure. I’ve been on a bit of a security kick lately…more than usual anyway. I’ve always been a bit of a security fanatic but lately I’ve been learning a whole lot more. Working as an IT auditor by day and just naturally being attracted to technology, security is of great interest to me. I’m also becoming a huge fan of the open source DD-WRT firmware as I start to use more and more of its features on my home network.

A lot of security topics exists that I’d love to write about sometime, but securing your wireless network is one that should be useful to most of my blog readers. Plus, this is a natural progression from my recent post about How to Flash the WRT54GL with DD-WRT Firmware. This post will not cover the intricate details of the hows and whys of wireless security nor will provide a ton of details on how to circumvent (i.e., crack) common security settings. Maybe I’ll cover those topics at a later date. For now, I just want to tell you about what security settings you should use on your home or small business wireless network to ensure no one is able to sniff (see what your doing on your wireless connection) or use your wireless connection without your permission.

Table of Contents

Select Your Encryption Method

Select Your Password

Disable SSID Broadcast

MAC Filtering

Turn Off UPnP

Change Default Router Log-In Settings

Setup Your Firewall

Patch Windows Client

Configure Client Devices

External Resources

Select Your Encryption Method
The first thing you must decide on is what encryption to use. The decision is pretty simple; pick the strongest form of wireless encryption that your network will support (excluding the Radius methods for reasons noted below). Remember, even if your wireless router supports the strongest encryption but some of the wireless cards joining the network does not then you will have problems connecting from those machines if you don’t pick a level of encryption supported by all of your devices. Most people with remotely up-to-date hardware will not have trouble supporting all of the encryption levels mentioned below.

Below I’ve listed the DD-WRT’s wireless encryption security mode options (these will be available in most other wireless routers) from strongest to weakest:

WPA2 Radius Only

WPA2 Radius Mixed

WPA Radius

WPA2 Pre-Shared Key Only

WPA2 Pre-Shared Key Mixed

WPA Pre-Shared Key

Radius

WEP

Disabled

All of the RADIUS methods are too complex for most home users because they require a separate Radius server for for authentication. RADIUS is designed for a Corporate type environment.

The DD-WRT firmware provides a second option for WPA Algorithms (for WPA security modes) or Encryption (for WEP security modes).

The WPA preferred order is:

AES

AES + TKIP

TKIP

The DD-WRT help file suggests using WPA2 Mixed/TKIP+AES for maximum interoperability. So if you’re having trouble getting WPA2 AES to work on your network, try this configuration. Also note that WPA2 TKIP is not supported. Don’t worry, any form of WPA is very secure.

For WEP, the preferred order is:

128-bits 26 hex digits

64-bits 10 hex digits

Below is a screenshot of the encryption settings I recommend:

Note: Both forms of WEP are easy to hack due to poor implementation of the RC4 Stream Cipher; don’t worry what this means right now, just know its really insecure. Also, note some people call 128 bit 105 bit WEP and 64 bit WEP 40 bit because they subtract the 24 initialization vector (IV).

Select Your Password
Password selection is of vital importance as well because if someone can easily brute force your password (quickly determine your password by trying all possible values) then the strongest form of encryption is worthless. Some people claim WPA has been broken, but in reality all that has really happened is someone sniffed a lot of packets and then carried out a dictionary or brute force attack and correctly guessed the password. A WEP password doesn’t really matter as a WPA password because a hacker with a little time and some free tools can quickly determine your WEP password due to the improper implementation of the encryption algorithm.

So, how can you make it practically impossible to brute force your password? The answer is simple…use a long, random password. The longer the password the more time brute forcing takes to work (as in thousands of years for a strong password). Basically, brute forcing tries all possible combinations of letters and number (or a predetermined sub-set of them) until the combination works so the longer the password the more guesses required. Randomness protects against dictionary attacks. A dictionary attack is just like it sounds. A very large list of common passwords is tried; therefore, you don’t want to use any words that may be in a dictionary.

Because you are not required to enter your wireless password more than once on each client you want to connect to your wireless network, you can easily select a very long and complex password and not worry about having to memorizing it. GRC has an excellent random password generator perfect for wireless security. Use the 63 random printable ASCII character for ultimate security. Why 63 characters? Its the maximum length accepted by WPA.

Although I trust GRC’s Ultra High Security Password Generator, I still hit the refresh button a few times to collect a small selection of passwords. Then, I cut and pasted tidbits of each password to ensure its security–I know you think I’m crazy.

Of course, you must store this password in a protected place to keep others from finding it. I recommend putting it on a portable storage device such as a CD or USB drive. If you want to be ultra secure, and geeky, store the password in an encrypted form with a tool such as TrueCrypt.

WEP requires you to use an exact password length so you won’t be able to use the full 63 character long password generated by GRC’s Ultra High Security Password Generator. 26 hexadecimal characters equates to 13 alpha-numeric characters and 10 hexadecimal characters equals 5 alpha-numeric characters. If you must use WEP, you can just select the appropriate subset (26 characters for 128bit WEP and 10 characters from the 64bit WEP) from the 64 random hexadecimal characters section of the password generator.

Disable SSID Broadcast
Hiding Your Service Set IDentifier (SSID) doesn’t provide much security because anyone using a tool such as Kismet can still find your SSID, but at least your wireless network ID will be hidden from the average Joe. If you do hide your SSID, your network will not show up when you scan for wireless networks in Windows or OS X so you must manually type in the SSID name you selected on each client when you first time connect to your network.

MAC Filtering
MAC Filtering is a way to limit what network cards can connect to your network. Every networking device has a unique MAC address assigned to it during the manufacturing process. To set up MAC filtering, you will need to determine the MAC address of every device you want to connect to your network and enter this information into the router.

As you can tell, I have MAC Filtering disabled. Why? Its takes quite a bit of time to setup and it doesn’t provide much security. The idea behind MAC filtering is good, but its flawed because a user is able to change their MAC address to anything they want. So, a someone wanting to access your network would use a good wireless sniffer (i.e., Kismet) to determine what MAC addresses are connected to your network. They would then change their MAC address to one of those allowed addresses. Because MAC addresses are supposed to be unique, your access point will get confused if two clients with the same MAC address is connected to it. So, a smart hacker will kickoff the original machine whose MAC address they stole using a common Denial-of-service (DOS) attack or simply wait for that machine to disconnect.

You must decide whether or not MAC Filtering is worth the trouble because it does provide some protection.

Turn Off UPnP
Another worthwhile security measure is turning of Universal Plug and Play (UPnP) on both your PC and your router. UPnP is bad because it lets software automatically open ports on your router without your knowledge. To make it even worse, you can’t tell which ports have been opened. The idea behind UPnP was to make it easy for network software/devices to work without a user having to manually configure Port Forwarding.

The problem is that malware could also use this auto-configuration feature to open ports behind your back in order to communicate with the outside world. Additionally, UPnP has several major vulnerabilities in the past such as buffer overruns that could lead to remote code execution. Although the known vulnerabilities have been patched, turning off UPnP would prevent any future exploits.

The easiest way I know of to turn off UPnP on your PC is to use the UnPlug n’ Pray utility.

Go to the Applications and Gaming tab and the UPnP sub-tab to disable UPnP.

Note: I believe most routers not running the DD-WRT firmware have a similar option to disable UPnP. If not, disabling it on your PC should be enough as long as Windows, as it has bad habits of doing, doesn’t decide to turn the feature back on.

It is important to reset your router to factory defaults to undo any ports opened by UPnP when it was enabled. Please note that resetting your router to factory defaults will also reset any of your custom options, so think twice before doing this. Be sure to reset your router before completing the rest of the security steps or else you’ll probably have to re-do them. See the following two pages on the DD-WRT wiki for information on how to perform a reset: Factory Defaults & Reset and Reboot.

I am uncertain, but simply rebooting (not resetting) your router may also undo the ports opened by UPnP. One way to ensure all your important ports have been closed is to check out the Shields Up web service. If you want to do a full port scan check out NMAP.

Change Default Router Log-In Settings
Changing the User Name and Password used to configure your router is very important (this is the info you type in when going to 192.168.1.1 o whatever your router’s internal IP address is). The default router user names and passwords are widely known…you can easily find a massive list of them. Symantec published an article on a very interesting concept they coined “Drive-By Pharming: How Clicking on a Link Can Cost You Dearly.” The basic concept is Cross Site Request Forgery can be used to log in to your wireless router if you haven’t changed the default log-in settings. Once access has been gained to your router, your DNS Server setting can be changed to a malicious DNS server. This is a major problem because DNS associates domain names (web site addresses) with server’s IP addresses. A malicious DNS server could associate your-bank.com with spoofed site that looks just like your bank’s site and collect your user name and password when you try to log in. However, the simple change of your router’s user name and password protects against this attack.

Go to the Administration tab and the Management sub-tab to change the default settings. While your there, go ahead and disable all Remote Access as well.

Setup Your Firewall
Firewalls are set rules for what can come in and out of your network. One of the main benefits of all routers is Network Address Translation (NAT). Basically, it only allows connections into your network if one of your computers made the initial request. Sometimes you will need to use Port Forwarding to allow connections through certain ports for services running behind your router that you won’t make the initial request…for instance you’re running a web server on your network that needs to accept connections on port 80. If you recall, UPnP automatically configures port forwarding which could open up ports you don’t want open.

Stateful packet inspection (SPI) provides an extra layer of security to NAT routers. I recommend enabling SPI, blocking anonymous Internet request, filtering multicast, and filtering IDENT. You can set all of these by going to the Security tab and the Firewall sub-tab.

Patch Windows Client
One thing I do recommend is downloading the following patches from Microsoft: The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) and Wireless Client Update for Windows XP with Service Pack 2.

The first update “enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access.”

The second update “enhances support for Wi-Fi Protected Access 2 (WPA2) options in Wireless Group Policy. This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list.” Please note that this patch was never included in any automatic updates from Microsoft. Unless you specifically went to Microsoft to download this patch, your system will not have it (as far as I know anyway). Don’t ask me why Microsoft didn’t include this in their standard update cycle.

Configure Client Devices
You should configure Windows to only connect to Access Points because Ad-Hoc (computer-to-computer) networks are dangerous. To do this go to Start > Control Panel > Network and Internet Connections >Network Connections then right-click on Wireless Network Connection device and select properties. On the Wireless Network Connections properties screen select the Wireless Networks tab and then the Advanced button. Make sure to select Access point (infrastructure) networks only and uncheck Automatically connect to non-preferred networks.

You will also need to add your network to the preferred networks list by going back to the Wireless Networks tab and selecting Add. Then type in the appropriate information for you wireless setup.

External Resources
To learn more about Wi-Fi security, I recommend listening to the following episodes of Security Now:

Episode 10: Open Wireless Access Points

Episode 11: Bad WiFi Security (WEP and MAC address filtering)

Episode 13: Unbreakable WiFi Security

Episode 14: Virtual Private Networks (VPN): Theory

Episode 15: VPN Secure Tunneling Solutions

Note: Each Security Now podcast also have text transcripts.

I also recommend checking out the following articles:

Wireless Security

Wireless LAN Security

Hacking Techniques in Wireless Networks

I realize this is a long, fairly technical post so feel free to ask any questions, correct any mistakes, offer suggestions, or anything else using the commenting feature below. If nothing else, just let me know if you found this post useful. Thanks!

Note: Although I touched on a few ways to get around wireless security, I do not advocate doing so. I mentioned some of the techniques because the best way to secure against attacks is to know what attacks are out there.

Related post
Related Posts:
s:

AJAX Security Considerations…

D-Link DWL-G710 Wireless Range Extender Review