Wireless security

Been doing some research lately on WiFi and security of it. So I have been doing some scans and out of the 3,655 WiFi access points I have observed, here is the breakdown on the security of them:

Count Encryption Type
859 Not Encrypted
760 [WEP]
680 [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP]
519 [WPA-PSK-TKIP]
301 [WPA2-PSK-CCMP]
110 [WPA-PSK-CCMP][WPA2-PSK-CCMP]
101 [IBSS]
36 [WPA-PSK-TKIP][WPA2-PSK-CCMP-preauth]
31 [WPA-PSK-TKIP][WPA2-PSK-TKIP]
30 [WPA-EAP-CCMP][WPA2-EAP-CCMP]
28 [WPA-PSK-TKIP+CCMP][WPA2-PSK-TKIP+CCMP-preauth]
21 [WPA-PSK-TKIP+CCMP]
18 [WPA2-PSK-CCMP-preauth]
18 [WPA-PSK-CCMP]
18 [WPA-EAP-TKIP][WPA2-EAP-CCMP]
16 [WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP]
15 [WPA-PSK-TKIP][WPA2-PSK-CCMP]
14 [WPA-EAP-TKIP+CCMP][WPA2-EAP-CCMP]
12 [WPA2-PSK-TKIP+CCMP]
10 [WPA2-PSK-TKIP]
9 [WPA-EAP-TKIP]
8 [WPA2-EAP-CCMP]
8 [WPA2-EAP-CCMP-preauth]
8 [WPA-PSK-TKIP+CCMP][WPA2-PSK-CCMP-preauth]
8 [WPA-?]
5 [WPA-PSK-TKIP][WPA2-PSK-TKIP-preauth]
3 [WPA-PSK-WEP104+TKIP]
3 [WPA-EAP-TKIP][WPA2-EAP-TKIP]
2 [WPA2-PSK-TKIP-preauth]
1 [WPA-PSK-CCMP][WPA2-PSK-CCMP-preauth]
1 [WPA-EAP-TKIP+CCMP][WPA2-EAP-TKIP+CCMP]
1 [WPA-EAP-CCMP]
1 [WEP][IBSS]

It is amazing that nearly a quarter of them were unencrypted. What was even more interesting I saw a bunch of them on rural roads, so it was almost like “well no one lives around me, so why encrypt it”. So I would ask that everyone, no matter where you live, please enable encryption on your Wifi. In addition don’t use WEP, please use at least WPA and preferably WPA2. If I add in WEP as being basically “un-secured” you have over 44% of the WiFi access points not being “secured”. WEP just isn’t that strong, and with people doing banking and online shopping, you shouldn’t be doing any username, password or credit card info over a open or WEP encrypted WiFi connection.

Another factoid is the preference for WiFi channel:

Count Frequency (Channel)
1 2407 (??)
1 2472 (13 – Non US)
40 2457 (10)
41 2442 (7)
46 2432 (5)
52 2417 (2)
69 2447 (8)
141 2427 (4)
158 2452 (9)
229 2422 (3)
718 2462 (11)
731 2412 (1)
1428 2437 (6)

It appears that Channel 6 (aka 2437 Mhz or 2.437Ghz) is the “most popular”. Probably because that is what most routers come with as a default. It also appears that a lot of people don’t change their SSID either. I saw 214 “Linksys”, 106 “NETGEAR” and 22 “belkin54g”, which are all default SSID’s. 542 total were a combination of those 3 (spelling case and maybe a number added to it).

So in the end what does this all really mean? For one vendors need to be more proactive about helping inexperienced customers to properly secure their wireless network devices. In this day and age, routers should be sold “secure by default” and really not let the router connect to the Internet until the default admin password and ssid have been changed, and proper encryption has been set up. Why do I say this? Well there are ton’s of people who just buy a WiFi router, and don’t understand that if they don’t secure it that some one in their neighborhood could use their WiFi network, with or with out permission, and do something “bad” and the next thing you know the cops will be showing up at your door because the connection was traced back to your house, NOT your neighbor’s.

Some tips for SSID’s as well.

  1. Please don’t make the SSID your postal address, especially if you are in an apartment don’t tack on your apartment number.
  2. Don’t leave it as the default from the vendor. If you do this makes it a litter easier to guess that you haven’t done any security on it, and some one can now take control over it, because you more than likely have not changed the default password.
  3. Don’t name it your family name, or any ones name in your family. If you do, you can fall pray to some social engineering hacks
  4. Make it something that is not going to interfere with some one around you if you live in a crowded area.. Nothing like having 6 WiFi’s in a small apartment building all on channel 6 all with the SSID as Linksys and different passwords on all them, you will get horrible performance.

Changing passwords? lets make it as difficult as we can…

In this day and age of computer hacks and security problems, why do companies make it awkward to change usernames and or passwords? One example of an awkward procedure to change a password is on the VMware vCenter server. If like any good security minded person you have all  your passwords set to expire every 28 days or so, to change the password on the vCenter server you have to do some “command line fu” to change it. Heaven forbid that you have to change the username as well. So how do you do it? Well if you are running vCenter on a Windows 2008 server and connecting to a Oracle server (that actually holds all the data) there are a couple of things you need to do:

  1. Shutdown the vCenter server (disable it in the Services Control panel)
  2. Change the password for your vCenter user in the oracle DB
  3. Now here it the BIG gotcha. On the windows side you have to run a CMD prompt as an admin user. Just clicking on it in the start menu won’t do it. You have to right click on it and do “Run as Administrator”. If you fail to do this, the next step will fail and just piss you off even more. (The reason for this is the username and password are stored in the registry and I guess running cmd as normal user revokes all privs to modify the registry.)
  4. Now go to the location where VMware vCenter is installed and run the vpxd command with either a -p or a -P. If you use the lower case -p it will prompt you for the new database user password. If you use the -P option, right after the P you can put the new password on the command line.
  5. Now you should be able to start back up the vCenter processes.

Now if you need to change the userid, you need to use Regedit and go to :

  • HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VirtualCenter\DB (under My Computer)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware VirtualCenter\DB for 64 bit versions of Windows.

and change #2 to be the new userid.

This is documented in the VMware KB Article : Changing the vCenter database userid and password. But if you don’t pay attention go the run as part, you will spend a lot of time trying to figure it out even if you are logged in as an administrator.

 

If your password expires in Oracle while vCenter is up and running, it appears to continue to work while it is up. But if you reboot the vCenter server or restart the vCenter processes, it will “hang” and never start. They also need to make their error messages a little more detailed as to why it is ‘failing’ to start.

Who’s knocking on your door?

It seems that the new “thing” on the internet these days is port scanning for port 22 (aka SSH).  I was going through my firewall logs on my home router and over the last week or so, it is broken down as follows:

country cnt
China 2123
Germany 1827
Italy 1460
United States 1115
Russian Federation 838
Korea, Republic of 738
Austria 692
Poland 618
Spain 502
Colombia 453
India 441
Czech Republic 323
Ecuador 286
Romania 282
Belgium 256
Chile 228
Panama 201
Pakistan 199
France 198
Argentina 170
Canada 148
Switzerland 138
Ukraine 129
Taiwan 128
Venezuela 111
Mexico 111
Denmark 105
Hungary 101
Slovenia 87
Brazil 77
Guatemala 59
Uruguay 53
Estonia 50
Croatia 48
Singapore 36
Australia 32
Portugal 32
Hong Kong 29
Greece 25
New Zealand 24
Ireland 18
Netherlands 17
Serbia 15
United Kingdom 13
South Africa 12
Malaysia 9
Thailand 8
Peru 7
Moldova, Republic of 6
Azerbaijan 3
Turkey 2
Malta 1
Total 14585

As a comparison, attempts that were blocked that weren’t ssh only totaled 1430. So are these bot’s or people looking for rogue iPhone’s or just trying to find new vulnerabilities in SSH? The interesting thing is it appears that each source IP tries 3 times. The second try is 3 seconds after the first and the third is 6 seconds after the second.

An interesting IP is 217.70.139.42, which has tried 303 times since the 14th. The IP is from Germany and also appears on several SSH dictionary attacks. So is it time to start running services on non-standard ports?

Another Internet Explorer exploit

Just released, another exploit to Internet Explorer 6 & 7, that allows “hackers” to install software on your machine… What do the major Antivirus people say:

“To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft,” Symantec said.

How many mom and pop’s out there even know how to disable java script, and only visit sites they trust? Let alone make sure their antivirus definitions are updated. I have seen some virus trick Symantec’s AV in to thinking the definitions were up to date, and then I go to find hundreds of virus’ on my parents computer. This is just another reason why building the web browser in to the OS is a bad thing and why it should be sandbox’d off in to its own little area.

iPhone security patch

It seems that Apple finally released a patch for the iPhone about the security issue I wrote about back on May 1st (More Security Stuff)

From Apple’s Web Site:

WebKit

CVE-ID: CVE-2009-2797

Available for: iPhone OS 1.0 through 3.0.1, iPhone OS for iPod touch 1.1 through 3.0

Impact: User names and passwords in URLs may be disclosed to linked sites

Description: Safari includes the user name and password from the original URL in the referer header. This may lead to the disclosure of sensitive information. This update addresses the issue by not including user names and passwords in referer headers. Credit to James A. T. Rice of Jump Networks Ltd for reporting this issue.

Not sure when James reported it though. So I don’t know if I found it before him or not. Anyways, here is my suggestion, if you use an iPhone and have EVER logged in to a web site with a username and password, you need to change that password immediately and then apply the patch from Apple to your iPhone. I know there are some people who view my site that use an iPhone and are clicking on links from other websites, therefore sending your username and password to me as well.