Daily Archives: February 12, 2016

Security for Wireless Devices

 

The subject of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts:

  • Even back in 2013, 98 percent of U.S. small businesses used wireless technologies in their operations according to an AT&T poll.
  • The Internet of Things (IoT) is rapidly expanding, and it is based firmly on wireless. For example, many home and office security systems are wireless.
  • Mobile phones are becoming the main avenue to the Internet for an increasing number of people all over the world.

So it makes sense that wireless security should be a big concern.

Wireless technologies are more vulnerable than wired technologies

Keep in mind that many businesses have both wired and wireless networks. Wireless devices are vulnerable to any attack that can be made on wired devices, but wireless networks face many more threats because they transmit data over the air, and the air cannot be secured. So wireless technologies must incorporate more safeguards against eavesdropping and man-in-the-middle attacks than wired technologies.

For example, man-in-the-middle attacks in a wireless environment are child’s play. An attacker connects to the Internet and configures a laptop to look like a legitimate wireless access point (AP). Victims wanting Internet access unwittingly connect through the bogus AP. Furthermore, the attacker can launch a de-authentication attack, causing devices already connected to a legitimate AP to drop their connection and automatically reconnect to the attacker’s AP. The attacker now has unlimited access to data transmitted by any attached user, since wireless operates at Layer 2. Layer 3 protections such as encryption, network authentication, and virtual private networks (VPNs) cannot protect against this scenario.
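A defender-side check for the two signals in the scenario above, a bogus AP advertising your SSID and a burst of de-authentication frames, written as an added example that is not part of the original post. The AP inventory, the observation tuples, and the window and threshold values are constructed assumptions.

```python
# Constructed inventory of the organisation's own APs: SSID -> {BSSID: security}.
AUTHORIZED = {
    "CorpNet": {"aa:bb:cc:00:00:01": "WPA2-EAP", "aa:bb:cc:00:00:02": "WPA2-EAP"},
}

# Constructed sensor observations: (time_s, frame_type, ssid, bssid, security).
FRAMES = [
    (0.0, "beacon", "CorpNet", "aa:bb:cc:00:00:01", "WPA2-EAP"),
    (0.1, "beacon", "CorpNet", "aa:bb:cc:00:00:02", "WPA2-EAP"),
    (0.2, "beacon", "CorpNet", "de:ad:be:ef:00:99", "OPEN"),
    (0.3, "beacon", "CoffeeShop", "11:22:33:44:55:66", "OPEN"),
] + [(1.0 + i * 0.05, "deauth", None, "aa:bb:cc:00:00:01", None) for i in range(40)]


def find_rogue_aps(frames, authorized):
    """Flag beacons that use one of our SSIDs from an unknown or downgraded AP."""
    findings = set()
    for _, ftype, ssid, bssid, security in frames:
        if ftype != "beacon" or ssid not in authorized:
            continue  # SSIDs we do not own are out of scope
        expected = authorized[ssid].get(bssid)
        if expected is None:
            findings.add((ssid, bssid, "unknown BSSID"))
        elif security != expected:
            findings.add((ssid, bssid, "security downgrade"))
    return sorted(findings)


def find_deauth_bursts(frames, window=5.0, threshold=20):
    """Return {bssid: peak count} where deauth frames within `window` seconds
    reach `threshold`. The source BSSID of a deauth frame can be forged, so a
    burst naming a legitimate AP is itself the warning sign."""
    times = {}
    for t, ftype, _, bssid, _ in frames:
        if ftype == "deauth":
            times.setdefault(bssid, []).append(t)
    peaks = {}
    for bssid, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the window forward
                start += 1
            peaks[bssid] = max(peaks.get(bssid, 0), end - start + 1)
    return {b: n for b, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    print(find_rogue_aps(FRAMES, AUTHORIZED))
    print(find_deauth_bursts(FRAMES))
```

A rogue-AP finding that coincides with a de-authentication burst against one of your own BSSIDs matches the forced-reconnect pattern described above and deserves a higher alert priority than either signal alone.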

Two wireless devices can communicate without involving the access point. This is clearly not a possibility in the wired world. So not only must there be protection against external threats, but also against other devices attached to the AP.

Denial of Service attacks are a danger to any network, but especially with the restricted bandwidth of wireless networks.

Wireless Security measures that don’t work

Some sources recommend wireless security measures that are not effective for business. Here are three examples:

  1. Most wireless configurations provide MAC filtering. Here, an administrator enters a list of the MAC addresses (Layer 2 addresses) of authorized devices. A device with a MAC address that is not on the list is blocked. But any attacker with sniffing software can easily find authorized MAC addresses since MAC addresses in Layer 2 headers are not encrypted. The attacker simply changes his own MAC address, via widely-available software, to an authorized address, and he’s “in”.
  2. In setting up a wireless network connection, there is normally an option to hide the SSID (Service Set Identifier). This keeps the connection from appearing on a list, but does not prevent anyone from using the connection.
  3. Static IP addressing stops attackers from being assigned DHCP addresses. It does not block a knowledgeable attacker.

Recommended strategies to implement a wireless network

There are different approaches depending on the size of the organization and the level of in-house IT expertise:

  1. Create a completely isolated wireless network: Users must authenticate and have acceptable security software before they can connect to the Internet or, for that matter, to any local network resources. This approach requires a Network Access Server.
  2. Forward all web traffic to a proxy server which provides authentication and authorization.
  3. Require users to access resources through a virtual private network (VPN). VPNs provide encryption from the user’s location to the destination router (remote-access VPNs) or from the user’s router to the destination router (site-to-site VPNs). There are numerous implementations of VPNs including PPTP, L2TP, IPsec, and SSH.

Using end-to-end encryption would be ideal. However, not all intervening software and hardware may support encryption. For example, not all websites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text. The next best alternative is to require users to connect to the company network through VPNs.

Of course, authentication is critical. IEEE 802.11i Wi-Fi Protected Access II (WPA2) should be used. For authentication, there are alternatives:

  • Pre-shared key (PSK) – This is normally used only in a home environment and provides Advanced Encryption Standard (AES) encryption.
  • EAPOL (Extensible Authentication Protocol over LANs) with 802.1X and an authentication server such as RADIUS or DIAMETER: There are open-source RADIUS servers that could easily accommodate the needs of most businesses.
  • EAPOL with EAP-TLS: The majority of implementations require client-side X.509 certificates.

A hardware or software card or token can be used in combination with the above authentication techniques, depending on the vendor.
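The ineffective measures listed earlier (MAC filtering, hidden SSID) and the WPA2 authentication choices above can be checked mechanically in an AP configuration. This added example, not from the original post, audits a weak and a corrected configuration; it assumes a hostapd-based AP (the post names no product), and both config fragments and the finding labels are constructed.

```python
# Constructed hostapd.conf fragments; hostapd itself is an assumption of this example.
WEAK = """
ssid=Office
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
macaddr_acl=1
ignore_broadcast_ssid=1
"""
HARDENED = """
ssid=Office
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
"""


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return finding labels for settings the post calls weak or ineffective."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # bit 0 = WPA, bit 1 = WPA2 (RSN)
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    has_radius = conf.get("ieee8021x") == "1" and "auth_server_addr" in conf
    findings = []
    if not wpa & 2:
        findings.append("no-wpa2")
    if "CCMP" not in ciphers:  # CCMP is the AES-based cipher suite
        findings.append("no-aes-ccmp")
    if "WPA-PSK" in key_mgmt:
        findings.append("psk-in-business")
    if "WPA-EAP" in key_mgmt and not has_radius:
        findings.append("eap-without-8021x-server")
    if conf.get("macaddr_acl", "0") != "0":
        findings.append("mac-filter-is-not-a-control")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden-ssid-is-not-a-control")
    return findings
```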

Finally…

Educate your users about the dangers of using public wireless. Be aware of “shoulder surfing” in public wireless areas. An attacker doesn’t necessarily have to be a computer genius.

DNI announces CTIIC leadership

Director of National Intelligence James Clapper has named a career FBI analyst and an Iraq War veteran to head up the cyber intelligence center that the White House ordered created after the massive hack of Sony Pictures Entertainment.

Tonya Ugoretz, the FBI’s former chief intelligence officer, will head the Cyber Threat Intelligence Integration Center. She has done stints at the CIA, Department of Homeland Security and National Intelligence Council, and is listed as an adjunct associate professor at Georgetown University.

Maurice Bland, who most recently was the National Security Agency’s associate deputy director for cyber, will serve as Ugoretz’s deputy. Bland has done two combat tours in Iraq and Afghanistan, according to his official biography.

Ugoretz and Bland could be talking face-to-face with President Obama following the next large-scale hack of U.S. assets.

Clapper also tapped Thomas Donahue, a nearly three-decade veteran of the CIA with a PhD in electrical engineering, as CTIIC’s research director. The center will “build understanding of cyber threats to inform government-wide decision-making,” Clapper said in a statement.

The White House announced the creation of CTIIC last February. It is based at the Office of the Director of National Intelligence, and is modeled after the National Counterterrorism Center in an effort to “connect the dots” on cyber threats. Michael Daniel and Lisa Monaco, respectively the top White House advisers on cybersecurity and counterterrorism, have been the driving forces behind CTIIC, according to an administration official involved in the agency’s standup.

CTIIC is meant to fill a void in the bureaucratic chain of command wherein Obama had no one entity to turn to for an all-source briefing on foreign cyber threats. That void became abundantly clear to White House officials after the digital destruction of Sony Pictures’ IT systems in November 2014.

The agency got off to a rocky start. House lawmakers were irked that they didn’t get a heads-up on its creation, and DHS officials were worried that the new agency might encroach on their own work.

But several months later, agency turf battles that appeared ready to unfold have been quieted, and there is agreement on Capitol Hill on the need for CTIIC, according to the administration official. The omnibus package funding the government this fiscal year includes money for CTIIC; the exact amount of funding is classified.

“CTIIC is vital because the foreign cyber threats we face as a nation are increasing in volume and sophistication,” DHS Deputy Secretary Alejandro Mayorkas said in a statement. “The CTIIC will help DHS better understand various cyber threats and provide targeted intelligence community support” to the department’s own cyber threat center.

Bland’s battlefield experience could come in handy, as there is increasingly a cyber dimension to kinetic war. A key to the “surge” of U.S. troops in Iraq in 2007 was an accompanying surge in cyber weapons that the NSA unleashed, as journalist Shane Harris reported in his book “@War.”

Bland’s LinkedIn profile touts his experience “leading numerous efforts regarding the organization of cyber units, policy, and authorities related to cyber operations.”

Drone Technology Will Revolutionize Security

 

According to John Minor, Campus Safety Magazine, advances in drone technology will revolutionize campus security.

And he is on target, so to speak. Drone technology will also revolutionize the tactics and techniques for the military and law enforcement in a world becoming increasingly more violent and crime prone. Gone are the days when commanders and cops sent out scouts to surveil and predict enemy or crooks’ movement. Now, they can put up a drone eyeball and kill the enemy and effectively stop the crooks. Drone bomb drops are now feared by the Islamic Terrorists and likewise, legitimate law enforcement surveillance technology like wire taps and drones will also send shivers up the spines of drug cartels, mafia members, and street thugs. Information is power and drones will certainly send timely information/intelligence to those who keep us safe because.

Commercial drones can be expected to become a key part of future security and surveillance systems, and serve as an especially good fit for the security needs of universities and schools. Drones offer many benefits that stationary cameras cannot, and act as a fast-launching, easy-to-operate, portable and cheap replacement. Unlike fixed video surveillance systems, drones can be deployed at a moment’s notice, and monitor hard-to-reach and high-risk locations. The technology can also provide first responders with real-time situational awareness during campus emergencies. Drones offer a more comprehensive security surveillance system, and could likely be used for many security applications–potential areas including banks, transportation, construction sites, and more. Some of these applications are already underway, such as at BP, which uses drones to inspect the security of oil facilities in Alaska. The company employs 6-foot-long, fixed-wing Puma Aerovironment drones to conduct aerial surveys, and was the first company to obtain FAA approval to do so.

See additional information on drones:  The Digital Age