Please don’t feed the “Free Public WiFi” troll!

 29 Nov 2006 03:54:05 pm

A couple of weeks ago I was at a training up in Seattle and saw the open wireless SSID “Free Public WiFi”; I tried to connect but didn’t get an IP and disconnected. Then last week I was in LAX and saw the same SSID; after trying to connect and once again failing to get a DHCP address, I checked and noticed that this was an ad-hoc network (computer to computer).

At first I just thought it was a strange coincidence but then today I was on the phone with one of our sales guys who was in Eugene (Oregon) and he mentioned that he was trying to get on a wireless network with the same name.

A quick Google search shows that I’m not the only one noticing these networks popping up all over the place. Apparently if you configure Windows XP to connect to an ad-hoc network (as everyone who tries to connect to one of these networks is doing), it adds the network to the list of preferred networks and tries to connect to it in the future, broadcasting the SSID for everyone else to see.

For those of you running Vista, whenever you connect to a new network you are given the option of whether to save the connection (the default is not to). So long as you tell it not to save the connection, your computer shouldn’t broadcast this network in the future.

Aside from just being obnoxious, this could have some security implications for you. For example, if you aren’t running a software firewall (or if you are but have made exceptions), anyone could connect to an ad-hoc network you are broadcasting and attempt to access your computer.

The solution appears to be simple: configure your client to connect only to infrastructure networks. I think this should be the default anyway, considering how infrequently users connect to ad-hoc networks.
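As an added example (not part of the original post), the Python below audits exported Vista wireless profiles for exactly the condition described above: a saved ad-hoc (IBSS) profile that is set to connect automatically, which is what keeps a client re-joining and re-advertising the SSID. The profile XML layout assumed here is the one Vista writes with “netsh wlan export profile”, and the two sample profiles are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile XML that Vista writes with
# "netsh wlan export profile" (assumed here; not taken from the post).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed samples: one normal infrastructure (ESS) profile and one
# saved ad-hoc (IBSS) profile set to connect automatically, which is the
# "Free Public WiFi" situation the post describes.
SAMPLE_PROFILES = [
    """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Office</name>
  <SSIDConfig><SSID><name>Office</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
</WLANProfile>""",
    """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Free Public WiFi</name>
  <SSIDConfig><SSID><name>Free Public WiFi</name></SSID></SSIDConfig>
  <connectionType>IBSS</connectionType>
  <connectionMode>auto</connectionMode>
</WLANProfile>""",
]

def parse_profile(xml_text):
    """Return (ssid, connection_type, connection_mode) for one profile."""
    root = ET.fromstring(xml_text)
    return (
        root.findtext("w:SSIDConfig/w:SSID/w:name", namespaces=NS),
        root.findtext("w:connectionType", namespaces=NS),
        root.findtext("w:connectionMode", namespaces=NS),
    )

def risky_adhoc_profiles(xml_texts):
    """SSIDs of saved ad-hoc profiles that connect automatically: these are
    the ones a client will keep advertising and joining on its own."""
    flagged = []
    for text in xml_texts:
        ssid, ctype, cmode = parse_profile(text)
        if ctype == "IBSS" and cmode == "auto":
            flagged.append(ssid)
    return flagged

if __name__ == "__main__":
    for ssid in risky_adhoc_profiles(SAMPLE_PROFILES):
        print("ad-hoc profile set to auto-connect:", ssid)
```

Profiles it flags can be removed on Vista with “netsh wlan delete profile name="…"”, after which the machine stops advertising that SSID.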

Cheers,

Erik

By: Erik | Category: Networking | Comments: 1 | Trackbacks: 0

One Media, Multiple Vistas

18 Nov 2006 08:44:35 am

Okay actually 2 medias, x86 and x64…

Under Windows XP you had different media for each version of XP and each licensing type (i.e. Retail vs. MSDN vs. VLA vs. OEM). Multiply that out by the various availabilities and there were something like 12 different pieces of media a support team might need to do XP installs.

Fast forward to Vista. We’ve known for some time that they rolled the various versions into a single piece of media, but the answer I couldn’t get was whether there would be different media for Volume Licenses, MSDN and Retail.

The good news is that with RTM being available this week I can test and confirm for sure. So I downloaded the retail ISO from the connect site as well as the MSDN site and hashed both of them. I’m happy to report that the hashes are the same! I’ve been able to install on my work laptop using my VLA key, in the lab using my MSDN key and on my computer at home using my retail key!

I’m guessing that with OEM licenses it’s not going to be as straightforward, but hopefully they’ll follow the same builds internally (so at least you’d only need one piece of media per manufacturer).

Cheers,
Erik

By: Erik | Category: General | Comments: 1 | Trackbacks: 0

Password security, why is it such a big deal?

18 Oct 2006 11:23:04 am

Some time back I wrote an internal article on password security for our users and figured the information would be worthwhile to post here. The article is intended for the end user. Yes, I’m sure 90% of you who actually read this know most of it, but I figured it would be worthwhile if you were looking for some suggestions to pass on to the users you support.

Besides, as most of us who’ve done work in security know, weak passwords trump strong security, so it’s good to revisit this topic periodically.

I thought about editing the article to make it more applicable for a public blog, but after giving it some thought (and looking at my schedule for the next week+) I’m thinking it would be easier to just post it as is and pull out any internal information.

Quote :
This year you’ll see a big push from us IT folks to have everyone do some firming up on password security. It’s a multi-part push focusing on several aspects; our net desire is to help increase our overall security and make your life easier (yes, you read that right).

Username plus password equals you.
From a technology perspective, the way that we identify you as you is by the unique combination of your username and your password. Any action carried out by your network account is tantamount to you carrying out the action; therefore there are a couple of simple steps that are essential for every employee to follow:
1. Do not share your username and password with anyone (up to and including MIS).
2. When you are logged into a computer or any of our network services do not let anyone use the computer.
3. If you are not at the computer log off or lock it.

Okay, I promise not to give out my password to anyone and I will not let anyone use my account. I’m safe now right?
Committing to these things is a fantastic start, and before I go any further I want to congratulate you for taking this to heart. Really, pat yourself on the back before you read further.

Okay now that we’ve covered the basics in comes the “bad guy”; this bad guy has the intention of doing damage to company systems and/or soiling your good name by doing something bad while pretending to be you (i.e. surfing for porn).

The bad guy performs a brute force crack against your password (that’s computer speak for having a program make thousands of guesses a second trying to figure out what your password is). If your password is weak he’s able to gain access to your account within minutes. This isn’t a worst-case scenario; it’s something that happens very frequently.

But you said “weak password”, so there is such a thing as a “strong password”?
Absolutely. Passwords can be created so that they are very hard to break by following some simple rules:
1. Use longer passwords
2. Use a mixture of character types (upper and lower case letters, numbers and punctuation)

In comes the challenge.
As passwords get longer and more complicated they get harder to remember. So how do you make passwords that are both strong as well as easy to remember? Passphrases!

Passphrases are passwords that contain information and are formatted in a way that is easy for you to remember. For example, consider the password "Makeit20@password.com". This password utilizes upper and lower-case letters, two numbers, and two symbols. The password is 20 characters long and can be memorized with very little effort; perhaps even by the time you finish this article. Moreover, this password can be typed very fast. The portion "Makeit20" alternates between left and right-handed keys on the keyboard, improving speed, decreasing typos, and decreasing the chances of someone being able to discover your password by watching you.
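As an added illustration (not part of the original article), the Python below puts rough numbers on the brute-force argument above: it sizes the alphabet from the character classes a password actually uses, works out the exhaustive search space that length and alphabet imply, and treats anything found on a small constructed wordlist as falling in a single pass, because a dictionary word’s nominal keyspace says nothing about its real strength. The guess rate and the wordlist are assumptions made for the example.

```python
import string

# Character classes the article tells users to mix, with the alphabet size a
# brute-force tool must cover once it sees that a class is in use.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]

# Constructed stand-in for the wordlist a cracking tool tries first; real
# lists hold hundreds of thousands of entries, but the lesson is the same.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "summer06"}

def alphabet_size(password):
    """Sum of the sizes of every character class the password uses."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))

def keyspace(password):
    """Candidates an exhaustive search must cover at this exact length and
    alphabet (shorter lengths add only a small fraction and are ignored)."""
    return alphabet_size(password) ** len(password)

def worst_case_seconds(password, guesses_per_second=10_000):
    """Exhaustive-search time at the article's 'thousands of guesses a
    second' (assumed rate). A password found on the wordlist costs only one
    pass over the list, however large its nominal keyspace looks."""
    if password.lower() in WORDLIST:
        return len(WORDLIST) / guesses_per_second
    return keyspace(password) / guesses_per_second

def describe(password):
    """One-line summary, used below for the article's own example passwords."""
    years = worst_case_seconds(password) / (365 * 24 * 3600)
    return (f"{password!r}: alphabet {alphabet_size(password)}, "
            f"length {len(password)}, worst case {years:.3g} years")

if __name__ == "__main__":
    for pw in ("password", "Password1", "Makeit20@password.com", "YankDwto#t0wn"):
        print(describe(pw))
```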

What are some strategies for choosing a good password/passphrase?

Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: YankDwto#t0wn

Expressions inspired by the name of a city:
City Expression: I love Paris in the springtime
Password: IL0vepint*ST

City Expression: Chicago is my kind of town
Password: Cim_Y_K0t

Foods disliked during childhood:
Food: rice and raisin pudding
Password: ricNr4iPudng

Food: boiled broccoli
Password: bo1%Brocc

Transformation techniques:
Technique: Transliteration
Illustrative Expression: photographic
Password: foTOgrafik

Technique: Interweaving of characters in successive words
Illustrative Expression: iron horse
Password: 1hrOrnSe!

Technique: Interweaving of characters in successive words
Illustrative Expression: file drawer
Password: FdirL4wer

Technique: Substitution of synonyms
Illustrative Expression: coffee break
Password: jaVa*rest

Technique: Substitution of antonyms
Illustrative Expression: stoplight
Password: starTdark

Note: Obviously, you shouldn't use any of the passwords used as examples in this article. Treat these examples as guidelines only.

But I don’t have anything important on the computers; so this doesn’t matter for me right?
Unfortunately, in the modern age of computers nobody is an island. With nearly all computer equipment interconnected on a massive world-wide network (a.k.a. “The Internet”), problems on one machine can create problems for others, or worse, spread the problem.

You’ve probably seen reports in the news recently of viruses spreading over the internet. This type of thing is quite commonplace and will only continue to be that way until everyone realizes that security does matter for them.

But I digress, back to the topic at hand…

So you said you were going to make things easier for us, how?
One of the biggest pain points is that passwords have to be constantly changed; a big part of the reason that passwords need to be changed frequently is how easy it is to break “poor quality” passwords.

Our plan moving forward is to do a couple of things. First, increase password security company-wide through education (like you reading this article) as well as by technical means (forcing you to use stronger passwords by requiring them to be longer). Finally, once password security has been raised, reduce the frequency with which passwords must be changed.

In addition we are considering/evaluating technologies that will allow us to integrate usernames/passwords between our systems so that you have less to remember (i.e. using the same username/password for our business system as you do on the network).


Thanks to http://www.securityfocus.com/infocus/1554 for some of the great examples.

Cheers,
Erik Szewczyk

By: Erik | Category: General | Comments: 3 | Trackbacks: 0

How to enable Vista’s Network Map for Domain Members

16 Oct 2006 10:24:13 pm

For those of you who have had a chance to play with Microsoft’s Windows Vista, there is a handy new feature called the “Network Map”. Vista uses the Link Layer Topology Discovery protocol (LLTD), a layer 2 protocol that gathers information about neighboring devices to create (among other things) a top-down map of your network segment.

However, this feature is disabled by default on domain member machines, the reason being that if you had it enabled on every machine in the enterprise it could pose a security risk (and let’s just face it, this isn’t exactly something I want enabled across the enterprise). However, for your IT department or in smaller domains you may want to enable this feature. To do so you’ll need to make some quick group policy changes.

If you haven’t already, create a GPO and link it to the OU that the computer account(s) reside in. Click on “start” and in the search box (or a run dialog) type “MMC”. Click on “File” and “Add/Remove Snap-in…” and add the “Group Policy Management” snap-in to your console. Drill down and edit the policy you wish to change and browse to Computer Configuration>Administrative Templates>Network>Link-Layer Topology Discovery. Here you will notice two policies, “Turn on Mapper I/O (LLTDIO) driver” and “Turn on Responder (RSPNDR) driver”. If you enable the mapper driver, it will allow the client(s) to connect out over the network and look for other devices; if you enable the responder, it will allow other machines to locate these client(s).

I do not recommend enabling this functionality while on public networks.

Cheers,
Erik Szewczyk

By: Erik | Category: Active Directory | Comments: 1 | Trackbacks: 0

Cisco PIX 7.x MPF configuration for Exchange ActiveSync

16 Oct 2006 09:09:27 pm

We recently (finally) upgraded our Microsoft Exchange server to SP2; a nice feature that adds for us WM5 folks is the Exchange Server ActiveSync push capability. Basically, our device sends a long-lived HTTPS request to the server, which waits until something new shows up (or the timeout period expires) before sending a response.

However, we quickly discovered that we were not getting mail “pushed” to us, and we were getting a long string of Event 3033 Application Log errors on the Exchange server (“The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [540].”).

Our firewall configuration is a little atypical in that we are basically using two firewalls: a Cisco PIX (515e) directly connected, with an ISA server sitting on the DMZ. Yes, I realize that it’s a bit redundant to have a firewall behind the firewall; it’s this way because when we originally deployed ISA we weren’t quite comfortable yet with sticking a Windows server directly on the internet (if we were to do it again I’d stick it on the outside). Needless to say, things have yet to change, and for lack of a compelling reason to do so they will probably remain the same for some time to come.

Now, Cisco PIXes are pretty much a staple when it comes to corporate firewalls, and the default timeout for TCP connections is 60 minutes; in addition we have plenty of customers running them with Exchange who were not having issues on their end, so you can imagine our confusion. I scrubbed through the ISA configuration and made sure the HTTPS timeouts were at least 45 minutes (2700 seconds), the default maximum heartbeat interval for Exchange, but they were still failing.

Fortunately, one of our other engineers who is good with PIXes came up with a better way of doing it using the Modular Policy Framework (MPF); keep in mind that this only works under 7.x:

class-map HTTPS
 match port tcp eq https
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_2
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect icmp error
  inspect icmp
 class HTTPS
  set connection timeout tcp 0:45:00


Basically, we create a new class map for HTTPS traffic, then apply it to our policy map (“class HTTPS”) and set the timeout option to 45 minutes. Since we were unable to find a config out there (Google, etc.) relating to HTTPS timeouts with MPF I wanted to make sure to post for those of you running into similar issues.

As I mentioned, we do have a lot of other clients with PIXes in front of their Exchange servers, however none with ISA on the DMZ, so my hunch is that our issue may be related to this configuration. I’d love it if someone else with a similar configuration could confirm/deny my theory.

Erik Szewczyk

By: Erik | Category: Exchange | Comments: 8 | Trackbacks: 0


