Category Archives: Security

Wi-Fi Protected Access v3

Currently, the best way to secure your wireless networks is using Wi-Fi Protected Access v2 (WPA2). However, there are still some issues regarding how this system functions. Last year’s KRACK vulnerability has proven that this 13-year-old security protocol needs to be redone.

At this year’s Consumer Electronics Show (CES2018), the Wi-Fi Alliance debuted version 3 of WPA, increasing the security capabilities of the process in several ways.

WPA3 will now support 192-bit encryption natively (with an assumed 48-bit initialization vector) and the Dragonfly Protocol (aka Simultaneous Authentication of Equals (SAE)). Even the link between the device and the router, for example on a public network, will be entirely encrypted as well.

The Dragonfly Protocol (SAE) allows for a cryptographically strong shared secret for securing other data, e.g. network communication. SAE is resistant to passive attack, active attack, and dictionary attack. It provides a secure alternative to using certificates or when a centralized authority is not available. It is a peer-to-peer protocol, has no asymmetry, and supports simultaneous initiation. This will take most of the pressure off of users who do not create secure or varied enough network passwords, and make linking devices (mesh networks) easier and just as secure.

The Wi-Fi Alliance has just finalized the spec on WPA3, so don’t look for it to enter the consumer realm in the current hardware cycle. Devices that feature WPA3 abilities are expected to reach the market in Q3 of 2018. WPA3 will only work if both devices are capable of using it, and first-party support from all major operating system vendors is expected in a timely manner. Until then, and even after, WPA2 is not going away entirely. This cutover to WPA3 will be a natural and gradual process as new equipment and software come out that can utilize it.

While waiting for WPA3 firmware and hardware to be released to the public, currently the safest method of securing your Wi-Fi is to utilize WPA2 security with AES encryption. While there are ways around WPA2, the likelihood of that happening compared to other security measures is quite low. Other best practices are to rotate your password every few months and to not broadcast your SSID, so people out snooping won’t even see your network. It’s also a good idea to log into your router, check the various devices attached to your network, and take an inventory every few months as well.

¶Λ$$W0®d5

We’ve all been through setting up a password and being told to use upper and lower case letters, special characters, symbols and numbers. These rules can be annoying and make passwords difficult to remember.

Well, you have a man named Bill Burr to thank for this concept. In 2003 Bill was a manager at the National Institute of Standards and Technology (NIST). He created a guide on how to create secure passwords, known as the “NIST Special Publication 800-63. Appendix A.”

Ever since then software and websites have relied on the suggestions of this document to create secure passwords. The only trouble is that when Mr. Burr wrote this document he was not well versed in computer security practices. The core idea is that a short password made up of random characters and symbols would be much harder to break down than a short password that’s more human friendly. And while that does hold true, short random passwords are not as secure as once thought.

Even though Mr. Burr has admitted that he now regrets most of what he did, it’s not all his fault. Fifteen years ago, we all knew much less than what we know now about what it takes to crack passwords.

The best passwords are long, easily remembered phrases rather than shorter passwords with a random use of characters.

  • Example: P@55w0rd would take between 9 and 24 hours to brute force or solve.
  • Example: MonkiesdrivecarsonThursdays would take 17 octillion years to brute force.

While including upper and lower case, numbers and symbols can help secure a password, ultimately password length with a minor mixture of randomness creates the most secure passwords.
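To make the length-versus-complexity comparison concrete, here is an added example (not from the original post) that sizes the brute-force search space of both sample passwords from their length and character classes. It also checks for a common word hidden behind look-alike substitutions, which a length-and-charset estimate cannot see. The wordlist and substitution table are small constructed samples, and the function names are illustrative.

```python
import math
import string

# Constructed mini wordlist (assumption); a real check would use a large
# list of breached or common passwords.
COMMON = {"password", "letmein", "qwerty", "monkey"}
# Look-alike substitutions undone before the wordlist lookup (sample table).
LEET = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s",
                      "0": "o", "1": "l", "3": "e", "7": "t"})


def alphabet_size(pw: str) -> int:
    """Size of the character pool an exhaustive search must cover."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace: length * log2(alphabet size)."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def is_disguised_common(pw: str) -> bool:
    """True if undoing look-alike substitutions yields a listed word."""
    return pw.lower().translate(LEET) in COMMON


def assess(pw: str) -> dict:
    """Summary a password-change form could use to accept or reject."""
    return {
        "length": len(pw),
        "alphabet": alphabet_size(pw),
        "bits": round(brute_force_bits(pw), 1),
        "disguised_common_word": is_disguised_common(pw),
    }


if __name__ == "__main__":
    for sample in ("P@55w0rd", "MonkiesdrivecarsonThursdays"):
        print(sample, assess(sample))
```

Each extra bit doubles the exhaustive search, so the gap between the two samples is roughly a hundred bits; the short one is additionally flagged because it reduces to a listed word.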

No matter how secure your passwords are, it’s always a good idea to change them routinely (at least once a year). And using a more human-friendly long password will take some of the sting out of remembering all new passwords again.

A Basic Evolution of the Virus

In the early days of networking computers, viruses were little more than proof of concept bits of code. Can I write a program or exploit a function where I can remotely open a CD drive on another computer or cause some other strange behavior?

These prank style antics grew bigger in scope and power and quickly began to spread around the Internet. Then the environment took a more sinister turn, by bulking up the things these viruses could do. Viruses became punishing programs that would eat up CPU speed, bloat up free hard drive space, spin drives faster than they were designed for and even delete user or operating system data.

They were deployed by people to punish others and destroy property and data. Without tangible rewards, creating viruses started to get a bit bland. Viruses then started evolving toward an end game or reward. Viruses that previously may have taken a computer offline, either by design or by unmitigated spread of the infection, fell out of favor. It was becoming more and more important to not have the target go offline or notice the infection. If the target went offline, the attacker wasn’t able to reap the benefits of the infection.

And what were those benefits? In that generation, most of the time it was stealing address book entries to sell to spammers. Personal information was rarely targeted, but corporate data was ripe for the picking.

This is the era of the botnet. Many viruses infect, spread and lie totally dormant. These infected computers are now slaves to the whims of the attacker. If an attacker wants to take down a large site with a DDoS attack, they can wake up thousands of these sleeping infections to begin slamming a site with traffic. Each computer sends out just enough traffic not to be noticed, but when combined as a whole their effects can be devastating. These “bots” can also be put to task to sneak out little bits of spam here and there. It is not enough to get flagged by the normal detection practices of a modern ISP, but combined with the sheer numbers of those infected, it can wreak a lot of junk mail havoc.

The virus/malware industry has gone through a major transformation over the years. Viruses have evolved from simple pranks to a hacker’s tool with which to make money, create mass damage or capture information. Viruses don’t say “Happy 1999!” on your screen anymore and stop there. These new viruses like to hide, wait and use the power of their combined infection numbers to make the criminals involved a lot of money.

HOW I GOT ON YOUR WIFI: WPS FAIL!

Router manufacturers have been developing ways to make their routers more secure but at the same time still easy to connect to. This led to the development of WiFi Protected Setup (WPS).

WPS allows you to connect to a router in two ways: either by providing an 8-digit PIN code (that is printed on the router) or by pressing the WPS button on the router and opening up a short connection “window”. Both of these methods require physical access to the router and thus should be secure from “drive-by” hacking. However, that is not the case.

While I would need physical access to push the WPS button, the PIN code method is the default and first available under the standard. The biggest issue with this is that the router authenticates the PIN in two 4-digit parts. There are 10,000 combinations of 4-digit numbers, and since most routers don’t time out or ban me for hammering attempts, they are extremely easy to run a brute-force attack on. Once I have the first 4-digit number, I brute-force the second 4-digit number and I’m on your network. We highly recommend setting the connection passphrase setup to WPA2-PSK (pre-shared key) and setting that key to something long and randomized. To be even more secure, make sure you disable the WPS function on your router.
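The design problem above, as an added toy model (not from the original post and not real router firmware): a checker that validates the PIN in two parts tells the caller which half was wrong, which shrinks the worst case from 10^8 guesses to 10,000 + 10,000, and a lockout policy is what stretches that back out. The sample PIN, the class and function names, and the timing values are assumptions, and the counts use the post's figure of 10,000 per half.

```python
"""Toy model of the PIN check described above (not real router firmware)."""


class PinChecker:
    """Checks an 8-digit PIN in two 4-digit parts, as the post describes.

    lock_after=0 models a router with no lockout. A positive value refuses
    every further attempt after that many failures (simplified here as a
    permanent lock).
    """

    def __init__(self, pin: str, lock_after: int = 0):
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("PIN must be 8 digits")
        self.pin, self.lock_after, self.failures = pin, lock_after, 0

    def check(self, guess: str) -> str:
        if self.lock_after and self.failures >= self.lock_after:
            return "locked"
        if guess[:4] != self.pin[:4]:
            self.failures += 1
            return "first-half-wrong"
        if guess[4:] != self.pin[4:]:
            self.failures += 1
            return "second-half-wrong"  # leak: confirms the first half
        return "ok"


def worst_case_guesses(split: bool) -> int:
    """Upper bound on guesses, using the post's figure of 10,000 per half."""
    return 10**4 + 10**4 if split else 10**8


def days_to_exhaust(guesses: int, secs_per_guess: float,
                    lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Days needed to try `guesses` PINs when the router pauses for
    lock_secs after every lock_after failures (0 = never pauses)."""
    pauses = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * secs_per_guess + pauses * lock_secs) / 86400


if __name__ == "__main__":
    pin = "48216735"  # constructed sample PIN
    print(PinChecker(pin).check("48210000"))       # second-half-wrong
    print(worst_case_guesses(True), worst_case_guesses(False))
    # secs_per_guess=2 and a 60 s pause per 3 failures are assumed values
    print(round(days_to_exhaust(20000, 2.0), 2))
    print(round(days_to_exhaust(20000, 2.0, 3, 60.0), 2))
```

With the assumed timings, the no-lockout case finishes in under half a day while a one-minute pause every three failures pushes it past five days, which is why disabling WPS or enforcing lockout matters more than the PIN length.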

The End of Windows XP

Twelve years ago, Microsoft released Windows XP. After 3 Service Packs and well over 300 updates, Microsoft ended their official “Mainstream Support” for Windows XP on April 14, 2009, and it entered the “Extended Support” cycle. On April 8, 2014, Microsoft will end their “Extended Support” cycle for Windows XP, closing the final chapter on one of the most successful operating systems in the history of computing.

Windows XP was so successful that it took nearly 30 months for their Windows 7 operating system to overtake the global Windows XP install base. Today Windows XP still enjoys an install base of ~35% or roughly 800 million of the world’s computers.

What does the end of the “Extended Support” cycle for Windows XP mean moving forward? The Mainstream Support life cycle allowed Microsoft to release “hotfixes”, security updates and provide direct commercial and end-user support. The “Extended Support” cycle moved the product into only receiving security updates to the product and ended all other support. While Microsoft has made some allowances in the past for profound security-related issues for products outside of their Support Lifecycle system, on April 8, 2014, Microsoft will no longer be providing any new updates to Windows XP, including “hotfixes”, service packs or security updates.

This will expose Windows XP users to a myriad of new and evolving security, malware and virus threats. Microsoft Security Intelligence Report volume 14 (PDF) reports the following infection rates by operating system and service pack for the fourth quarter of 2012. While Windows XP Service Pack 3 has made a significant reduction in the amount of security vulnerabilities and infections on the XP platform, XP still leads the pack in infection rates across all Windows operating systems. The combination of large user base with lack of security patches leaves a large target on the venerable operating system.

To mitigate the risk moving forward, users must begin the transition from Windows XP when and where possible. The best option would be moving towards the latest operating system, Windows 8, as it is the most secure and reliable system Microsoft has yet to produce. That might not be an option for many people, so the next best option would be Windows 7. Between Windows XP and Windows 7 was Windows Vista, however, Vista is not an option as it is also nearing the end of its support life cycle.

Infection Attack Vectors Q4 2012

Infection Attack Vectors Q4 2012 by Operating System

If Windows XP must be used, for whatever reason, then a hardened security presence on the system must be maintained and updated regularly. There are many anti-virus, anti-malware and firewall software options available from Microsoft and third party vendors – both free and paid. The number of unprotected or under-protected Windows XP systems moving forward could create a ticking time bomb if left unchecked and unprotected.

We are urgently recommending the following actions be taken when and wherever possible:

  • Upgrade. Windows Vista and 7 will still be supported for a few years and Windows 8 even longer.

If you must continue to use Windows XP:

  • Make sure your copy of Windows XP is running Service Pack 3.
  • Stop using Microsoft’s Internet Explorer entirely. Use only a currently updated and supported web browser like Mozilla Firefox. Access to Internet Explorer can even be fully removed via the “Windows Components” feature in Add/Remove Programs.
  • Stop using Microsoft’s Outlook Express entirely. Use only a currently updated and supported email client like Mozilla Thunderbird or better yet a web-based email client.
  • Uninstall the Java runtime environment from your computer unless you absolutely cannot live without it.
  • Install a supported anti-virus client. Keep it updated and do a full system scan weekly.
  • Make sure Windows Firewall is enabled or use the one that comes with your 3rd party security software.
  • Limit your installation of programs off the internet to only trusted sites from trusted companies.

Red Condor E-mail Security

“First Network Group, with EdgeWave’s Red Condor product, provides e-mail security for ISP’s and businesses…”

E-mail security is a necessity these days. However, preventing viruses, trojans, and spam from getting to the inboxes of your users can be difficult. Many solutions rely on your email server to do filtering. This can consume valuable resources on your server, and can eat up costly bandwidth on your internet connection. The filtering rules can also be very difficult to maintain and update, leading to malicious mail making it through your filter, or legitimate mail getting trapped by the filters.

First Network Group, with EdgeWave’s Red Condor product, provides e-mail security for ISPs and businesses without having to install anything on local servers. A hosted solution is available that prevents unwanted email from even entering your network. Or, if you prefer, appliances are available that can be hosted inside your datacenter, but still separate from your mail servers. Both offer the same protection, which is backed by a team of EdgeWave engineers that continually update the systems to defend against new attacks. Many First Network Group customers are already using Red Condor, and it has proven to perform better than alternatives, while still maintaining an attractive price.

Contact Randy Carpenter VP of IT Services at 1-800-578-6381, option 1 if you have any questions, or would like to order.