Archive for September, 2006

From LiveAmmo - WiFi fingerprints could end MAC spoofing

Thursday, September 14th, 2006

MAC addresses have been devalued as a way of uniquely identifying a device on the network because of the ease with which MACs can be spoofed.

Researcher Dr Jeyanthi Hall, of Carleton University in Ottawa, has discovered a way to uniquely ID wireless cards using properties of their transmissions rather than a specifically coded property.

This promises to reintroduce the ability to uniquely ID network devices.

Here’s the story and links:

Message: 1
Date: Thu, 07 Sep 2006 09:17:55 -0400
From: LiveAmmo Info Account
Subject: [SecurityNews] WiFi fingerprints could end MAC spoofing
To: securitynews@liveammo.com

http://www.techworld.com/security/news/index.cfm?newsID=6787

By Peter Judge
Techworld
05 September 2006

A new security technique promises to uniquely identify any WiFi device in the world, so hackers cannot hide behind a fake MAC address.

Every wireless device has a unique signal “fingerprint” produced by variations produced in the manufacturing process for silicon components, according to Dr Jeyanthi Hall, of Carleton University in Ottawa.

As a doctoral student, Dr Hall analysed the RF signals of fifteen devices from six manufacturers, and found it was possible to distinguish clearly, even between devices from the same manufacturer.

Using “transceiverprints,” Dr Hall got a detection rate of 95 percent, and a false positive rate of zero, according to papers [1] submitted to various conferences, including IEEE events on wireless and security.

She achieved this reliability in the task of “recognising” the transceiverprint from a pre-recorded set - a job which could usefully be built into a wireless IDS, she says in the paper. Beyond this, things could get even more exciting: “It would be interesting to identify the correct transceiver (from the set of all profiled transceivers), using the same set of transceiverprints,” she goes on.

Hall used a probabilistic neural network to work out the transceiverprint and compare it with stored prints.

Although the signal processing equipment and analysis software is specialised at present (see a brief account [2] by software vendor Mathworks) it could eventually be delivered on a more general-purpose signal processor system, Dr Hall hopes, according to a report in Electronic Engineering Times.

Limiting network access to specific devices using MACs has been a possible security technique for some time, and is included in many WiFi systems.

However, it has mostly been dismissed by security professionals, as it is easy to spoof the MAC address of a device. Comparing the MAC to a pre-recorded transceiverprint would make an access control list based on devices feasible again.

[1] http://www.scs.carleton.ca/~jhall2/publications.html
[2] http://www.mathworks.com/company/user_stories/userstory10433.html

——————————

Bill
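
The access-control idea in the article above, checking a claimed MAC against pre-recorded transceiverprints with a probabilistic neural network, as an added example (not code from Dr Hall's papers or from the original post). The three-value feature vectors, kernel width, threshold, MAC addresses and function names are constructed assumptions; the page does not say which RF features a real transceiverprint contains.

```python
import math

# Constructed enrolment data: MAC -> transceiverprints recorded in advance.
# Each print is a hypothetical 3-value RF feature vector (assumption).
PROFILES = {
    "00:11:22:aa:bb:01": [(0.82, 1.10, 0.33), (0.80, 1.12, 0.35), (0.83, 1.08, 0.34)],
    "00:11:22:aa:bb:02": [(0.61, 1.45, 0.52), (0.63, 1.43, 0.50), (0.60, 1.47, 0.51)],
}
SIGMA = 0.05        # Gaussian kernel width (assumed)
MIN_SCORE = 0.05    # below this the print matches no profiled device (assumed)


def pnn_score(observed, stored_prints, sigma=SIGMA):
    """PNN pattern and summation layers: mean Gaussian kernel over one
    device's stored prints. 1.0 means identical, near 0 means unrelated."""
    total = 0.0
    for stored in stored_prints:
        d2 = sum((o - s) ** 2 for o, s in zip(observed, stored))
        total += math.exp(-d2 / (2 * sigma ** 2))
    return total / len(stored_prints)


def check_frame(claimed_mac, observed):
    """Return (verdict, best_matching_mac) for one observed transmission."""
    claimed_mac = claimed_mac.lower()
    if claimed_mac not in PROFILES:
        return "unknown-mac", None          # not on the access control list
    # PNN decision layer: the profiled device with the highest score wins.
    scores = {mac: pnn_score(observed, prints) for mac, prints in PROFILES.items()}
    best = max(scores, key=scores.get)
    if scores[best] < MIN_SCORE:
        return "print-mismatch", None       # listed MAC, unprofiled transmitter
    if best != claimed_mac:
        return "mac-spoof-suspected", best  # a different profiled card sent it
    return "ok", best


if __name__ == "__main__":
    # Constructed observations: genuine card, profiled card using another
    # card's MAC, and an unprofiled transmitter using a listed MAC.
    for mac, obs in [("00:11:22:aa:bb:01", (0.81, 1.10, 0.34)),
                     ("00:11:22:aa:bb:01", (0.62, 1.44, 0.51)),
                     ("00:11:22:aa:bb:01", (0.20, 0.20, 0.90))]:
        print(mac, obs, check_frame(mac, obs))
```
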

NSA, only wiretap after a terrorist attack?

Thursday, September 14th, 2006

I heard on FOX News last night that there is a proposal floating around Congress to let the NSA perform wiretapping only After a terrorist attack.

Um… Ok.

That’s what happens when you let politicians get involved in national defense. Let the lawyers do their jobs, and let the executive branch do its job.

I guess these are the kinds of tactics of appeasement we should expect coming into an election year. Everyone has to look like they are addressing some concern; who cares if the remedy is useless or, worse yet, bad for national security.

Bill

Data encryption for the masses

Sunday, September 10th, 2006

Back in June I wrote several posts about the need to use encryption to minimize the threat posed by lost or stolen data files.

Windows has some support for this now. The Microsoft solution incorporates data recovery in the event that the user loses the key.

But other tools exist to allow individuals and organizations to protect their data. Given Microsoft’s track record, perhaps looking at a third party application may be ideal.

One such tool is SecurityVault by Rocket Software.
http://www.rocketsoftware.com/portfolio/vault/

Data is stored in a “lock box” that is password-protected and encrypted using 128-bit AES.

Here’s a feature overview from the vendor site:

  • Each open lockbox appears as a unique drive letter on your computer. Using this drive letter, you can access the contents of your lockbox in exactly the same way that you access your regular disk drives.
  • Create any number of lockboxes within which confidential information can be stored. For example, you may wish to create separate lockboxes for business and personal data.
  • Optionally prevent your lockbox content from being ‘indexed’ by Google Desktop Search when your lockbox is open (lockbox content is always undetectable when closed).
  • Open and close your lockboxes with the stroke of a key.
  • When your lockboxes are closed, all trace of the data stored therein is removed from the system, including the filenames and directory structure of your secure content.
  • Transfer lockboxes from machine to machine by simply moving the lockbox data file.
  • Protects your data using a 128-bit Advanced Encryption Standard (AES) cipher.

I’m interested in the drive letter thing. Yeah you might be able to prevent Google Desktop Search from indexing it, but if there is malware on the machine that is targeted to read the contents of all mounted volumes, you are screwed. I wonder if an administrative share gets set up automatically :(

In either case, options exist for desktop and laptop data security…

Oh yeah, the vendor is working with USB manufacturers to see if they can start incorporating the software on new USB drives. That would be sweet. Almost one step from full disk encryption!

Transparency and ease-of-use will be required for widespread adoption, locally or in the enterprise. I haven’t done the research, but I would still really like to see a fully transparent disk encryption scheme, with no user involvement needed.

Bill

RFID tags in US Passports – a security nightmare

Saturday, September 9th, 2006

As reported on the eWeek Security blog:

Digital Passports Land in U.S.

Right now, the only people receiving the new passports, which are embedded with an RFID chip that contains full passport information, including the photo, are people served by the Passport Agency in Aurora, Colo.

A State Department spokesperson told eWEEK that the department plans to issue tourist e-passports at all of its domestic passport agencies by the end of 2006.

http://www.eweek.com/article2/0,1759,2005049,00.asp

We already know that RFID tags can be read from great distances. Supposedly these passports would have some kind of RF shielding, but who knows.

We also know that RFID is susceptible to MITM attacks unless an encryption mechanism is successfully implemented. But I haven’t heard that our passports will use anything like that.

Imagine walking through an airport with an RFID scanner, or getting through security by hijacking another passenger’s verification session?

The big worry here is that customs agents will begin trusting the device, the “technology” and not relying on good old-fashioned common sense.

Does the cost justify the security? I think this is another example where we are “appearing” to do something positive for security, but in reality, we are accomplishing nothing.

Bill

Hand-held, wireless penetration testing tool

Saturday, September 9th, 2006

The eWeek security blog includes an interesting discussion of the Silica (c/o Immunity) hand-held pen testing device.
http://www.eweek.com/article2/0,1759,2003853,00.asp

The device has hundreds of attacks built in, and can be used by testers in a variety of ways.

The price, about $3,000, makes it an easy acquisition for attackers as well.

I like the idea of packaging up a pen testing tool box, but the value of human-based penetration testing should not be discounted. The tool can only penetrate using the vectors and attacks stored in it. If the vendor is lax about adding new attacks, or the tester does not update the device regularly, critical vulnerabilities might be missed.

All in all, I’d like to get my hands on one of these for testing :)

Bill

Wiretap constitutionality

Wednesday, September 6th, 2006

As reported on eWeek:

Federal Court Finds NSA Wiretaps Unconstitutional
A judge says the government’s actions violate the First and Fourth Amendments, the NISA and other laws, and orders an immediate halt to the program.

http://www.eweek.com/article2/0,1895,2005330,00.asp

I’d like to see this go to the Supreme Court for a final decision.

I believe that the right for the Executive Branch to monitor these calls is within their constitutional bounds to provide the security of the Nation.

I believe in the right for people to have privacy in their affairs, but I do not believe that monitoring calls between US citizens and known terrorists is a breach of that right.

Bill