Tag Archive for Networking

RB | September 11, 2009
No comments

802.11n Ratified -Yawn

wifiReuters is reporting that today (09-11-09) the IEEE Standards Board has ratified the IEEE 802.11n™-2009 amendment. This vote ends a seven year effort to, “enable rollout of significantly more scalable WLANs that deliver 10-fold-greater data rates than previously defined while ensuring co-existence with legacy systems and security implementations” according the the IEEE. The 560-page document is scheduled to be published in mid-October 2009. Bruce Kraemer, Chair of the IEEE Wireless LAN Working Group said in a press release “The performance improvements achieved via IEEE 802.11n stand to transform the WLANieee_logo user experience, and ratification of the amendment sets the stage for a new wave of application innovation and creation of new market opportunities.”

Kelly Davis-Felner, marketing director of the Wi-Fi Alliance (WFA), told Network World that “The core interoperability is totally preserved with the [existing] draft certification program.”  Ms. Davis-Felner says,  ”Existing draft-11n products should work seamlessly with future products based on the final standard. No existing products will have to be retested in the updated certification program.”

Today’s ratification marks the high-point for other 802.11 wireless products. This approval will green-light the development and deployment of 11n products in the enterprise. There is no longer a reason for firms deploying greenfield WLAN’s to roll put anything but  802.11n.   The WFA expects  11n shipments to rise to 45% of all 802.11 shipments in 2009, and 60% in 2012 based on data from market researcher ABI Research, according to Davis-Felner. But how long will 802.11n last?

wigigNetworkWorld is reporting that Microsoft, Intel and other manufacturers have formed the  Gigabit Wireless Alliance (WiGig) to create anew wireless specification with a data speed of up to 6Gbps. WiGig is also actively involved with the IEEE’s 802.11ad task group. And if WiGig is to slow, James Buckwalter, a professor at the University of California San Diego has developed s a silicon-based amplifier that transmits 10Gbps wireless in 100 GHz frequency bands  according to NetworkWorld. Coverage could also be over a kilometer, which beats traditional WiFi’s 100 meters.

rb-WiFi abgn logo

The formal ratification of the IEEE 802.11n standard is a good thing. However we have been recommending that clients seriously consider this technology in greenfield installs with Wi-Fi approved 802.11n since the beginning of the year.

Category: Networking, wi-fi | Tags: ,
RB | September 7, 2009
No comments

Feds Still Aim to Federalize Net

securitySenator Jay Rockefeller (D-WV) has released a revised version of his bill that would federalize the Internet (I covered this topic earlier here ). The current draft would allow the president to “declare a cyber security emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Section 3 (2) (B) Defines “Cyber” as any matter relating to, or involving the use of, computers or computer networks. Section 201 (2) (B), permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.”

“I think the redraft, while improved, remains troubling due to its vagueness,” Larry Clinton told CNET “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill.” said Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board.

Senator Rockefeller

A Senate source familiar with the bill told CNET that the president’s power to take control of portions of the Internet is comparable to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

Section 201 (5) the bill requires the White House to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco told CNET . “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue,” he says.

“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”

Rb-

If your network is determined to be “critical” by the Feds, there is likely a new set of regulations coming from the same people who are giving themselves failing grades for their own cyber-security. These new rules could impact staffing decisions, disclosure policies and open the door to a government can take over your IT systems. This bill requires watching by anybody that uses or manages computers, a private network or the Internet. It is likely they will sweep it in as pork on sort other unrelated bill, to limit public discussion.

Contact your representatives in DC.

Category: Networking | Tags: , ,
RB | September 2, 2009
No comments

Internet Over the Hill

BirthdayThe Internet is 40 years old. On September 2nd 1969, in a lab at the University of California, Los Angeles, two computers passed test data through a 15-foot gray cable. The network became known as ARPANET. Stanford Research Institute joined the network a month later followed by UC Santa Barbara and the University of Utah by year’s end, and the Internet was born.

National Geographic has a video for the party  Happy Birthday Internet

Category: Networking | Tags: ,
RB | September 1, 2009
No comments

Standard Set For Securing Printers

securityAccording to the Institute of Electrical and Electronic Engineers networked printers and other hardcopy peripherals (such as copiers and multifunction devices) are vulnerable to attack thereby compromising even the most comprehensive security protocols.

To address this situation, the IEEE Standards Association (IEEE-SA) recently approved IEEE 2600™, “Standard for Information Technology: Hardcopy System and Device Security.”  This standard defines security requirements (all aspects of security including but not limited to authentication, authorization, privacy, integrity, device management, physical security and information security) for manufacturers, users and others on the selection, ieee_logoinstallation, configuration and usage of hardcopy devices and systems; including printers, copiers, and multifunction devices. Issues addressed by the standard encompass authentication, authorization and the privacy of data sent to and from devices and residing on them, as well as such areas as data integrity and device management.

IEEE 2600 identifies security exposures for these hardcopy devices and systems and instructs manufacturers and software developers on appropriate security capabilities to include in their devices and systems and instructs users on appropriate ways to use these security capabilities. “The device sitting in the hallway often gets overlooked, but printers have computers and disks in them, and they are in the network,” says Larry Kovnat, product security manager for Xerox, which helped spearhead the printer security standards initiative. “You’ve got to treat them like another computer node and make sure you put the right controls on them.”

The 2600 Profile requirements includes a Common Criteria checklist for laboratories evaluating printer security. “It includes strong use of encryption for transmission, data in motion, data on network data stored on disk/reprint, or secure printing,” Kovnat says. “It calls for an audit log with authentication services: Who’s logged into the device, and what have they done? It tracks their activities. And it includes an overwrite function that gets rid of residual data on the disk.”

Kovnat told Dark Reading that Xerox drove the requirement for separating the fax and computer networks in a printer. “We were very concerned about leakage between the fax network and the computer network,” he says.

Aaron Weaver, a security researcher who developed a proof-of-concept for a cross-site printing attack that remotely hacks printers using JavaScript, possibly take full control of the printer, all using an HTTP POST command tells Dark Reading that a security standard for printers is a good first step toward locking down these neglected devices. “It’s great that they are moving to some sort of security standard to build printers to,” Weaver says. “But there’s a long way to go in educating the end user. A lot of people don’t even know there’s a hard drive in printers.”

Weaver also warns that the new printer standard’s alignment with Common Criteria doesn’t guarantee security either. “It doesn’t mean that [the printer] is not going to have vulnerabilities, or that there’s not going to be some sort of hole in the products,” he says.

There are also social engineering risks to these devices. “How easy is it for me to go into an organization and just pull out and swap the hard drive? I can say, ‘I’m the printer repairman,’” Weaver says.  But if the hard drive were encrypted according to the 2600 Profile standards, then the data would be useless to the thief, he adds.

Prior to IEEE 2600, there were no standards to guide manufacturers or users of hardcopy devices in the secure installation, configuration, or usage of these devices and systems. Xerox’s Kovnat says the goal of the new standards is to raise the bar for printer security. “Security in printers has been inconsistent. This sets the bar at a high level for the minimum security.” According to the IEEE this standard is necessitated by several laws governing information security, including HIPAA,  the Safeguards Rule in the Gramm-Leach-Bliley Act, and  parts of the Sarbanes-Oxley Act all of which could be adversely affected by a failure to provide adequate hardcopy security.

In addition to the main standard, four additional standards are being developed to create protection profiles concerning the security requirements of different types of devices. A protection profile is a document used as part of the certification process according to the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer security. A protection profile is a combination of threats, security objectives, assumptions, security functional requirements, security assurance requirements, assumptions, and rationales.  “This profile makes it easier for IT departments to identify which products will best meet their security requirements,” Kovnat stated in a press release.

The four protection profiles being developed to work with IEEE 2600 include:

  • IEEE P2600.1™, “Standard for a Protection Profile in Operational Environment A”, concerns hardcopy devices in restrictive commercial information processing environments that need a relatively high level of document security, operational accountability and information assurance. Critical information in such environments includes trade secrets and that subject to legal and regulatory considerations.
  • IEEE P2600.2™, “Standard for a Protection Profile in Operational Environment B”, concerns hardcopy devices in commercial environments that need moderate document and network security and security assurance for day-to-day proprietary and non-proprietary information concerning enterprise operation.
  • IEEE P2600.3™, “Standard for a Protection Profile in Operational Environment C”, concerns hardcopy devices in a public-facing environment in which document security is not guaranteed, but access control and usage accounting are important. Such environments include retail copy centers, public libraries and Internet cafés.
  • IEEE P2600.4™, “Standard for a Protection Profile in Operational Environment D”, concerns hardcopy devices in a small, private information processing environments where most security elements rely on the physical environment, but basic network security is needed to protect a device and its network from misuse from outside of the environment. Such environments include small offices and home offices.

IEEE 2600 Sponsors:

rb-

I first covered this topic in 2007, in this post, The Secret Lives of Copiers, since then the IEEE has caught up with me.  Some of the recommendations for better control of sensitive printing include:

  • Require employees to use the secure print feature for confidential documents, which requires a authentication (password swipe card or biometric reader) be used at the device in order for the print job to be processed.
  • Look for an MFP that offers encryption so that any data in transit or at rest on the device’s hard disk will be protected.
  • Select a product with complete separation of the fax telephone line and the network connection. Unprotected fax connections in multifunction devices can be an open back door into the network.
  • Look for an image overwrite security option, which electronically “shreds” information stored on the hard disk(s) of devices as part of routine job processing. The electronic erasing can be performed automatically when each print job is completed, or reset manually as needed. Soo if it is possible to bypass the hard disk and print straight from RAM (which is more secure but takes longer) or buy a model without a hard disk.
  • Disable the reprint option – Some printer models let users hit a button that prints another copy of the previous job. Obviously you don’t want that capability when someone’s printing a secure document.
  • Do not ignore virus protection  there is malware out there that can take control of a printer or steal the documents being sent to the device. One way to reduce risk: Get a model with a proprietary operating system.
Category: Networking, Security | Tags: , , ,
RB | August 28, 2009
No comments

WPA Gone in 60 Seconds

securityJapanese researchers have identified a WPA hack which could give hackers a way to read encrypted Wi-Fi traffic  in less than 1 minute. Toshihiro Ohigashi (Hiroshima University) and Masakatu Morii (Kobe University) presented a way to break the WPA (Wi-Fi Protected Access) encryption system at the Joint Workshop on Information Security.  The researchers outlined their work in paper called “A Practical Message Falsi cation Attack on WPA“  on August 7, 2009.

wifiThe new attack builds on 2008 research from Darmstadt University of Technology graduate sstudents Martin Beck and Erik Tews who proved that WPA Temporal Key Integrity Protocol (TKIP) could be attacked. The Beck-Tews attack only worked on short packets in a WPA implementations that supported 802.11 quality of service (QOS) features and took between 12 and 15 minutes to work.

The new threat utilizes a “man in the middle” (MITM) attacks on WPA TKIP systems. The MITM attack  uses the the “chopchop” attack on a short packet (like ARP broadcasts), deciphers its 64-bit Message Integrity Code (MIC), and can then craft whatever packet it wants. The new packet is coded with the proper checksums and passed along to the access point, which should accept it as genuine. Dragos Ruiu, organizer of the PacSec security conference where the first WPA hack was demonstrated told IDGNews, “They took this stuff which was fairly theoretical and they’ve made it much more practical.”

Both attacks work only on WPA systems that use the  TKIP  algorithm.   The new attack does not work on newer WPA2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm. Kelly Davis-Felner, marketing director with the Wi-Fi Alliance, said that people should now use WPA2. She told IDGNews,  WPA with TKIP “was developed as kind of an interim encryption method as Wi-Fi security was evolving several years ago.”

Enterprise Wi-Fi networks typically include security software that would detect the type of man-in-the-middle attack described by the Japanese researchers, Robert Graham, CEO of Errata Security t0ld ars technica. He continues, the development of the first really practical attack against WPA should give people a reason to dump WPA with TKIP, he said. “It’s not as bad as WEP, but it’s also certainly bad.”

rb-

This is only an issue of the WLAN is secured at all.  Motorola published a report in April 2009  that says 64% of companies are neglecting WLAN security. The report claims that only 47% of companies are using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) encryption on their wireless networks.

These attacks highlight the weaknesses of TKIP-based WLAN encryption. WPA TKIP was developed to fix the worst of the security holes in the first Wi-Fi encryption protocol, WEP. Wi-Fi-certified products have had to support WPA2 since March 2006 . Users should move to AES-CCMP which requires WPA2 Personal for home and small office networks or WPA2 Enterprise for larger networks. Using AES-CCMP may requires that some network equipment installed before 2003 be reviewed as AES supports key lengths up to 256 bits, which may not be compatible with older hardware. Any remaining equipment of this vintage may need to be  be upgraded to newer Wi-Fi adapters, switched to Ethernet only, or retired. WPA2 has not shown any vulnerabilities to date. There is no real good reason to try to secure your WLAN with WPA-TKIP anymore.

Category: Security, wi-fi | Tags: , , ,
« Older Entries   Recent Entries »

Switch to our mobile site