<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><!-- generator="wordpress/2.1.3" --><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
	<channel>
		<title>Network Administrator</title>
		<link>http://blogs.techrepublic.com.com/networking</link>
		<description />
		<pubDate>Tue, 06 Jan 2009 14:12:18 +0000</pubDate>
		<generator>http://wordpress.org/?v=2.1.3</generator>
		<language>en</language>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/techrepublic/networking" type="application/rss+xml" /><item>
			<title>SSL: Really broken this time</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/502880755/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=776#comments</comments>
			<pubDate>Sun, 04 Jan 2009 23:16:38 +0000</pubDate>
			<dc:creator>Michael Kassner</dc:creator>
			<category><![CDATA[General]]></category>
			<category><![CDATA[security]]></category>
			<category><![CDATA[cybercrime]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=776</guid>
			<description><![CDATA[Cryptographers have exploited a known weakness in the MD5 algorithm, allowing them to create forged digital certificates. Doing so potentially trashes any security provided by the HTTPS protocol.<br clear="both" style="clear: both;"/>
]]></description>
			<content:encoded><![CDATA[<p><em>Cryptographers have exploited a known weakness in the MD5 algorithm, allowing them to create forged digital certificates. Doing so potentially trashes any security provided by the HTTPS protocol.</em><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
A part of SSL is broken, and that&#8217;s serious. Not being able to trust secure Web sites totally affects all of us, and I&#8217;d certainly be remiss if I didn&#8217;t make sure everyone understood what&#8217;s happening.</p>
<p>To begin with, it&#8217;s important to understand SSL certificates. If there&#8217;s any confusion, please refer to the following two articles that I wrote about SSL certificates: &#8220;<a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=640" title="Article">SSL/TLS Certificates: What You Need to Know</a>&#8221; and &#8220;<a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=644" title="Article">SSL/TLS Certificates: Perspectives Helps Authentication</a>.&#8221;</p>
<p>In the articles, I initially explain that untrusted certificates are insecure and ripe for phishing exploits, simply because most of us just OK the untrusted certificate regardless of the warnings; we&#8217;re impatient and just want the Web page to be served up. That&#8217;s still a problem, but things just got a whole lot worse, and I&#8217;ll explain why in this article. A little background information first, though.</p>
<p><strong>Creating SSL certificates</strong></p>
<p>I also mentioned in the articles that SSL certificates become trusted because they are provided by <a target="_blank" href="http://en.wikipedia.org/wiki/Certificate_authority" title="CA">Certificate Authorities</a> (CA) such as Verisign and Network Solutions. The logic behind all of this is quite simple. The CA authenticates the Web-site host so users can trust the secure Web sites provided by that particular hosting organization. People interested in cryptography call this a <a target="_blank" href="http://en.wikipedia.org/wiki/Chain_of_trust" title="Chain of trust">chain of trust</a>. The research team that discovered how to break SSL has an excellent definition of SSL certificates in their article &#8220;<a target="_blank" href="http://www.win.tue.nl/hashclash/rogue-ca/" title="MD5">MD5 Considered Harmful Today</a>&#8221;:</p>
<blockquote><p><em>&#8220;A certificate is a document that contains both an identity and a public key, binding them together by a digital signature. This digital signature is created by an organization called a Certification Authority. This organization guarantees that upon creating the digital signature it has checked the identity of the public key owner (e.g. Web-site host) and it has checked that this public key owner is in possession of the corresponding private key.</em></p>
<p><em>Anybody in possession of the CA&#8217;s public key can verify the CA&#8217;s signature on the certificate. In this way the CA guarantees that the public key in the certificate belongs to the individual whose identity is in the same certificate.&#8221;</em></p></blockquote>
<p>To avoid confusion, I wanted to clarify that SSL certificates are a subset of digital signatures. With that in mind, I&#8217;d like to continue using the term digital signature since the researchers do as well.</p>
<p><strong>Why are digital signatures used?</strong></p>
<p>I thought it might be a good idea to review why digital signatures are important to SSL. Digital signatures are used to create the chain of trust I mentioned earlier. The way digital signatures accomplish this is through the use of public-key cryptography. Public-key cryptography can be a whole discussion in itself, so please refer to the RSA article &#8220;<a target="_blank" href="http://www.rsa.com/rsalabs/node.asp?id=2165" title="PKI">What Is Public-Key Cryptography</a>&#8221; for a helpful definition.</p>
<p>With public-key cryptography, we start to see how information from a CA, if signed with its private key (something that only it has), is one method for the CA to prove its identity. This verification process consists of two parts &#8212; signature generation and signature confirmation:</p>
<ul>
<li>Digital signature generation is the result of hashing the message (consisting of the CA&#8217;s identity and the public key of the Web-site host) with the CA&#8217;s private key.</li>
<li>Digital signature confirmation is accomplished by the Web browser during the HTTPS handshake between it and the secure Web site.</li>
</ul>
<p>If everything is working properly, the Web browser will use the CA&#8217;s public key to decrypt the digital signature and verify the CA&#8217;s identity against the list of CA signature files (almost 300 to date) encoded in the Web-browser application.</p>
<p>Once the identity is confirmed, the Web browser can initiate an SSL tunnel with the Web site using the public key sent in the CA&#8217;s digital signature. The following diagram depicts the normal HTTPS handshake (courtesy of the research team):</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/normal-cert.png" title="normal-cert.png"><img src="http://blogs.techrepublic.com.com/networking/images/normal-cert.png" alt="normal-cert.png" /></a></p>
<h6>Trusted certificates are no longer a sure thing.</h6>
<p>All is not well with the supposedly secure connections between Web browsers and Web sites using HTTPS. As is typical with IT security and especially cryptography, protocols and concepts that have been around for a long time slowly start to cause trouble. In this case the <a target="_blank" href="http://en.wikipedia.org/wiki/MD5" title="md5">MD5</a> algorithm is one of those old timers.</p>
<p>The following is a brief outline of the attack taken from the article &#8220;<a target="_blank" href="http://www.win.tue.nl/hashclash/rogue-ca/" title="Article">MD5 Considered Harmful Today</a>,&#8221; written by the team of cryptographers who discovered the potential exploit. The team consisted of Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger:</p>
<blockquote><p><em>&#8220;Our attack scenario basically is as follows. We request a legitimate website certificate from a commercial Certification Authority trusted by all common browsers. Since the request is legitimate, the CA signs our certificate and returns it to us.</em></p>
<p><em>We have picked a CA that uses the MD5 hash function to generate the signature of the certificate, which is important because our certificate request has been crafted to result in an MD5 collision with a second certificate. This second certificate is not a website certificate, but an intermediary CA certificate that can be used to sign arbitrary other website certificates we want to issue.</em></p>
<p><em>Since the MD5 hashes of both the legitimate and the rogue certificates are the same, the digital signature obtained from the commercial CA can simply be copied into our rogue CA certificate and it will remain valid.&#8221;</em></p></blockquote>
<p><strong>Collisions are bad</strong></p>
<p>As with many cryptographic concepts, encryption-based security relies on the fact that huge amounts of time and/or money are required to come up with a solution or in this case a collision. The term is actually appropriate, since a collision occurs when two different hashed entities like digital signatures end up being identical.</p>
<p>Since the strength of a digital signature is entirely based on the premise that it&#8217;s virtually impossible to have two identical digital signatures, collisions are a bad thing. Now guess what the researchers have been able to do. That&#8217;s right; they were able to figure out how to generate collisions for known hashes.</p>
<p>More importantly their approach doesn&#8217;t take that long and is definitely low budget. The research team used <a target="_blank" href="http://people.epfl.ch/arjen.lenstra" title="Arjen">Arjen Lenstra&#8217;s</a> Playstation lab at <a target="_blank" href="http://www.epfl.ch/" title="EPFL">EPFL</a>, which consists of 200 PS3s as shown in the image below (courtesy of Lenstra and EPFL):</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/ps3cluster.png" title="ps3cluster.png"><img src="http://blogs.techrepublic.com.com/networking/images/ps3cluster.png" alt="ps3cluster.png" /></a></p>
<p>I&#8217;d like to once again refer you to the article &#8220;<a target="_blank" href="http://www.win.tue.nl/hashclash/rogue-ca/" title="Article">MD5 Considered Harmful Today</a>,&#8221; as the researchers do a much better job explaining the details of how they were able to reliably locate MD5 collisions.</p>
<p><strong>What&#8217;s it all mean?</strong></p>
<p>It means an attacker could mimic a secure Web site like Amazon.com, and there wouldn&#8217;t be any indication that the displayed Web pages weren&#8217;t from Amazon&#8217;s Web server. The URL would have https in it, the lock would shut, and the user would be none the wiser. Needless to say that sounds scary; still this exploit by itself is almost useless.</p>
<p>So what&#8217;s the problem? It becomes a huge concern when the MD5 collision exploit is used in concert with exploits that redirect traffic. Consider a blended attack that uses <a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=622" title="Kaminsky bug">Kaminsky&#8217;s bug</a> and the MD5 collision exploit. The attack could consist of redirecting a user to a malicious Web site that is mimicking the user&#8217;s bank portal.</p>
<p>Another attack vector could consist of two parts. First, subvert a network by using the <a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=774" title="DNS Changer">DNS Changer trojan</a>. Ultimately, serve up fake DNS records, which happen to point a user&#8217;s Web browser to malicious Web sites, and well, you know the rest. The following diagram (courtesy of the research team) outlines the steps required to carry out a redirection/MD5 collision attack:</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/redirected-cert.png" title="redirected-cert.png"><img src="http://blogs.techrepublic.com.com/networking/images/redirected-cert.png" alt="redirected-cert.png" /></a></p>
<p><strong>How to fix the problem?</strong></p>
<p>That&#8217;s a good question. There&#8217;s woefully little that we as users can do to prevent these types of exploits. Just understanding what&#8217;s happening is our best defense at this time. So I wanted to make sure everyone knew where these digital signature files were located in the various Web browsers. Pay particular attention to the signature algorithm. That&#8217;s the private key algorithm CAs use to generate the digital signature file. The steps listed below show where the files are located in the Internet Explorer and Firefox browsers:</p>
<p><strong>Internet Explorer</strong></p>
<p>1. Start Internet Explorer.</p>
<p>2. Go to Tools and click on Internet Options.</p>
<p>3. Go to the Content tab and click the Certificates button.</p>
<p>4. Select the Trusted Root Certification Authorities tab.</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/ie1.JPG" title="ie1.JPG"><img src="http://blogs.techrepublic.com.com/networking/images/ie1.JPG" alt="ie1.JPG" /></a></p>
<p>5. Double-click a certificate of interest.</p>
<p>6. Select the Details tab and check the Signature algorithm.</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/ie2.JPG" title="ie2.JPG"><img src="http://blogs.techrepublic.com.com/networking/images/ie2.JPG" alt="ie2.JPG" /></a></p>
<p><strong>Firefox</strong></p>
<p>1. Start Firefox.</p>
<p>2. Go to Tools and click on Options.</p>
<p>3. Go to Advanced and click on the Encryption tab.</p>
<p>4. Click on View Certificates and select the Authorities tab.</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/ff1.JPG" title="ff1.JPG"><img src="http://blogs.techrepublic.com.com/networking/images/ff1.JPG" alt="ff1.JPG" /></a></p>
<p>5. Highlight a certificate of interest and click View.</p>
<p>6. Choose the Details tab and check the Certificate Signature Algorithm.</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/ff2.JPG" title="ff2.JPG"><img src="http://blogs.techrepublic.com.com/networking/images/ff2.JPG" alt="ff2.JPG" /></a></p>
<p>If you notice, in the above examples I kept highlighting the Equifax certificate. This particular certificate was the one exploited by the researchers. As you can see, Equifax is using MD5 as the signature algorithm.</p>
<p>This is where users have an option. If the SSL certificate is signed by a CA that&#8217;s still using MD5, the collision exploit is entirely possible. If the CA uses SHA-1 for its signature algorithm, the SSL certificates are not affected by this exploit, at least not yet. There is some concern, as SHA-1 has a similar collision problem.</p>
<p><strong>Final thoughts</strong></p>
<p>Whew, yet another major Internet issue that leaves users vulnerable to some potentially heavy-duty exploits. As with the DNS vulnerability, users are pretty much at the mercy of others as to when and how this gets fixed. Hopefully Certificate Authorities and Web hosts will stop using MD5 and even <a target="_blank" href="http://en.wikipedia.org/wiki/SHA1" title="sha-1">SHA-1</a>, switching to <a target="_blank" href="http://en.wikipedia.org/wiki/SHA1" title="sha-2">SHA-2</a>, which raises the bar and is recommended by the research team that found this flaw in SSL.</p>
<p>One thing I see in our favor is that on-line retailers will certainly drive these changes, because they certainly don&#8217;t want to lose our business.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=776</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=776</feedburner:origLink></item>
		<item>
			<title>The issue of remote access software and vigilance</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/502864118/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=775#comments</comments>
			<pubDate>Sun, 04 Jan 2009 22:40:40 +0000</pubDate>
			<dc:creator>Rick Vanover</dc:creator>
			<category><![CDATA[Remote Access]]></category>
			<category><![CDATA[Dial-in VPN]]></category>
			<category><![CDATA[System Administration]]></category>
			<category><![CDATA[network tools]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=775</guid>
			<description><![CDATA[Protecting the network from the inside out is a task of eternal vigilance. In this blog post, Rick Vanover takes a look at some particular tools that are used for console access over the Internet and their position in network policy.<br clear="both" style="clear: both;"/>
]]></description>
			<content:encoded><![CDATA[<p><em>Protecting the network from the inside out is a task of eternal vigilance. In this blog post, Rick Vanover takes a look at some particular tools that are used for console access over the Internet and their position in network policy.</em><br />
—————————————————————————————————————</p>
<p>In protecting access to internal networks from the outside, sometimes we need to look at just what is occurring on the inside to get a good picture of what is going on. In particular, I want to focus in this post on Web-based remote access services. Don’t get me wrong &#8211; these services are great &#8212; I support a lot of my family with services like <a href="https://secure.logmein.com/products/free/">LogMeIn’s Free</a> product. I like these tools because they are incredibly easy to use, they always work, and they work with any Internet connection. This is where my issue starts to take shape.</p>
<p>Web-based remote access software is brilliant in that it generally connects with outbound HTTPS traffic to the Web site that manages the service. The requesting client connects to the same Web site to authenticate initially and usually authenticates back down to the computer hosting the remote access. All traffic is usually SSL encrypted, and the services usually offer mechanisms that protect against authentication failures as well as configurable authentication.</p>
<p>The products are good, but there is a very clear dividing line between the small office and home office (SOHO) and the enterprise on these tools. The SOHO can’t live without these tools. These products are simply a requirement. One good example from my experience was providing full IT support for a church. Without these tools, the task would be futile as there were no funds available for any purchases.</p>
<p>The enterprise blocks these Web sites for outbound traffic without question. Tools beyond LogMeIn include GoToMyPc, WebEx, Bomgar, Goverlan, Remoteus, eBLVD, and more. Many of them may use different mechanisms than LogMeIn, but it is important to know the field. For enterprise networks, users are crafty and may sign up for one of the services for a trial. What can be even worse is when these services are purchased independently of IT’s assistance.</p>
<p>What is your take on using these services? The arguments are plenty. These tools can allow information to leak from an organization, allow users to bypass Web policies, and possibly allow unknown individuals to be given console access on a system on your network. Share your comments below on how you address these Web-based remote access services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=775</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=775</feedburner:origLink></item>
		<item>
			<title>DNS Changer trojan: Latest variant is certainly unique</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/497973140/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=774#comments</comments>
			<pubDate>Mon, 29 Dec 2008 19:00:06 +0000</pubDate>
			<dc:creator>Michael Kassner</dc:creator>
			<category><![CDATA[security]]></category>
			<category><![CDATA[antivirus]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=774</guid>
			<description><![CDATA[The developers of the DNS Changer trojan have been busy, three generations just in the past year. The newly released version is the one we need to worry about. Learn how to find and combat it. <br clear="both" style="clear: both;"/>
]]></description>
			<content:encoded><![CDATA[<p><em>The developers of the DNS Changer trojan have been busy, three generations just in the past year. The newly released version is the one we need to worry about. Learn how to find and combat it.</em><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
As the name implies <a target="_blank" href="http://isc.sans.org/diary.html?storyid=5434" title="SANS">DNS Changer (Trojan.Flush.M)</a> is a malware application that replaces the correct IP addresses used for the primary and secondary DNS servers with those designated by the attacker. Once that happens, any <a target="_blank" href="http://www.tcpipguide.com/free/t_DNSBasicNameResolutionTechniquesIterativeandRecurs.htm" title="name resolution">name resolution</a> that&#8217;s required will be directed toward the attacker&#8217;s DNS servers. Depending on the circumstances, the attacker&#8217;s DNS servers could respond with correct or incorrect DNS records.</p>
<p>Why, you may ask? It&#8217;s all about deception. If the attackers have their DNS servers respond correctly for a majority of name resolution requests, most users aren&#8217;t going to suspect anything. Besides, what the attackers really want are name resolution requests for legitimate Web sites that they have created malicious copies of.</p>
<p>If such a request is received, the attacker&#8217;s DNS server will then send the name record for the malicious Web site instead of the correct name record. Once the user&#8217;s Web browser downloads the fake Web site, it&#8217;s relatively easy to use one of several exploits to get personal information about the user or download additional malware.</p>
<p>This trojan has some notoriety in that DNS Changer targets Mac OS X as well as Windows operating systems. Some experts even say that DNS Changer influenced <a target="_blank" href="http://news.cnet.com/8301-1009_3-10110852-83.html" title="Apple">Apple to publicly advise</a> (but quickly retract) Mac users that antivirus software might be a good idea.</p>
<p>What&#8217;s also interesting about DNS Changer is the fairly intense scrutiny that it&#8217;s received throughout its existence. By watching closely, security analysts are learning right along with the malware coders what works and what doesn&#8217;t when it comes to malware propagation.</p>
<p>Even with three different versions of DNS Changer, the results are always the same: Compromised computers are configured to use the attacker&#8217;s DNS servers. Like the analysts, it&#8217;s a good idea for all of us to understand how the trojan works, simply because increased awareness reduces our risk.</p>
<p><strong>Version 1</strong></p>
<p>Security analysts first noticed version 1 in January 2008. Version 1 tries to take advantage of users who are attempting to download movies from a Web site. It&#8217;s the typical scam where the Web site points out that a special file or codec needs to be installed on the user&#8217;s computer in order for the movie to play. In reality, the codec is the dropper that starts the installation of the trojan and, after asking the user for admin rights, installs DNS Changer on the computer.</p>
<p>Version 1 perplexed security analysts because it was almost totally benign. It changes the DNS settings on the computer under attack and reports back to specified command and control servers, and that&#8217;s it. Still version 1 made trojan history in that it targeted Apple as well as Microsoft operating systems.</p>
<p><strong>Version 2</strong></p>
<p>Version 2 surfaced around July 2008 using similar drive-by dropper techniques to get installed. After being installed on a computer, version 2 attempts to determine the management username and password of any gateway routers on the network. If DNS Changer successfully determines the admin credentials, it then has access to the gateway router&#8217;s Web-based configuration.</p>
<p>The next step is to change the gateway router&#8217;s DNS server settings to that of the attacker&#8217;s DNS servers. After which all the computers that receive DHCP leases from the gateway router will get erroneous DNS server IP addresses, and as with version 1 any name resolution requests will be sent to the attacker&#8217;s DNS server.</p>
<p>This tactic has merit if you think about it. Even if the trojan is removed from the computer, name resolution remains compromised, because the gateway router continues to advertise the attacker&#8217;s DNS servers. Still, this version is losing its appeal. People are starting to understand the need to change default settings on their network-management devices, which removes version 2&#8217;s attack vector.</p>
<p><strong>Version 3</strong></p>
<p>Version 3 was just discovered this month, and the malware coders seem to have gotten it right this time. The trojan sets up ndisprot.sys <a target="_blank" href="http://en.wikipedia.org/wiki/Network_Driver_Interface_Specification" title="NDIS">(NDIS protocol driver)</a> as a registered service, which in turn creates a working DHCP server on the compromised computer. The rogue DHCP server then tries to intercept <a target="_blank" href="http://www.tcpipguide.com/free/t_DHCPLeaseAllocationProcess-2.htm" title="DHCP">DHCPDISCOVER</a> packets from the remaining computers on the network, ultimately supplying the querying computer with DHCP responses containing IP addresses of the attacker&#8217;s DNS servers.</p>
<p>The trick here is for the rogue DHCP server to respond faster than the authorized DHCP server. If the DHCP client accepts the DHCP query response from the rogue DHCP server, it&#8217;s all over. The rogue DHCP server supplies an internal network IP address with a very long lease time as well as IP addresses for the attacker&#8217;s primary and secondary DNS server.</p>
<p>Version 3 has all sorts of implications. For example, what if a computer compromised with version 3 of DNS Changer connected to an open Wi-Fi hot spot? Any new arrivals may get erroneous DNS information from the rogue DHCP server. This variant also has a much better chance of succeeding, because it doesn&#8217;t have to try and guess default management credentials.</p>
<p><strong>Things to watch out for</strong></p>
<p>SANS Internet Storm Center notes that &#8220;it&#8217;s probably wise to at least monitor traffic to 85.255.112.0 to .255, if not block it.&#8221; For now this appears to be the IP address range that&#8217;s being used by the malicious DNS servers. On individual computers, the user can easily <a target="_blank" href="http://www.more.net/technical/netserv/tcpip/viewip.html" title="ipconfig">determine the IP addresses</a> of the primary and secondary DNS servers by using ipconfig (Windows), ifconfig (Linux), or System Preferences (Mac).</p>
<p>As for rogue DHCP servers on the network, there are applications such as <a target="_blank" href="http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/DHCP-Find.shtml" title="DHCP finder">DHCP Find</a> that locate and report all pertinent information about any clandestine DHCP servers that are on the same network.</p>
<p>It appears that most antivirus applications have signatures for all three versions of DNS Changer, and that&#8217;s a good thing. So, make sure your AV application is up to date. Even so, please be cautious as DNS redirection can occur even if your computer is clean.</p>
<p><strong>Final thoughts</strong></p>
<p>All variations of DNS Changer are in the wild, but version 3 is the one to watch out for. If possible, I&#8217;d suggest setting up the computer&#8217;s working network interface to use static IP addresses for the DNS servers. <a target="_blank" href="http://www.opendns.com/" title="opendns">OpenDNS</a> is highly recommended for this, and their Web site explains exactly what to do. OpenDNS also eliminates several other potential problems such as <a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=622" title="Kaminskys bug">Kaminsky&#8217;s bug</a>.</p>
<p>If static DNS server IP addresses aren&#8217;t an option, typical of larger networks, the monitoring of traffic destined for the 85.255.112.0 to .255 subnet becomes important. Using some sort of rogue DHCP server monitor is also equally important.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=774</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=774</feedburner:origLink></item>
		<item>
			<title>Enhance your skills and meet others: How to create a certification study group</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/497785933/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=770#comments</comments>
			<pubDate>Mon, 29 Dec 2008 14:00:19 +0000</pubDate>
			<dc:creator>Brad Bird</dc:creator>
			<category><![CDATA[General]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=770</guid>
			<description><![CDATA[Blogger Brad Bird describes how his local group of IT pros created a study group to help prepare for certification exams and stay current on technology. Read about his experience with the many benefits of user groups.
]]></description>
			<content:encoded><![CDATA[<p><em>Brad Bird describes how his local group of IT pros created a study group to help prepare for certification exams and stay current on technology. Read about his experience with the many benefits of well-organized user groups and start one of your own. </em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
<p>Earlier this month, I blogged about leveraging your <a href="http://blogs.techrepublic.com.com/networking/?p=757" target="_blank">IT community resources with user groups</a>. In the Ottawa area, we created the Ottawa Windows Server User Group. In this group, meetings are held monthly to discuss topics of common interest as selected by the members or through member feedback. Guest presenters consist of members themselves, corporate sponsors, Microsoft IT Pro members, and external speakers.</p>
<p>From that initiative, the study group was born. The study group has the purpose of leveraging a group effort to achieve certification in a particular area. Groups that have been successfully held by the OWSUG covered the MCSE 2003 core server exam areas as well as the MCITP Enterprise Support Technician track for Windows Vista.</p>
<p>The study group meetings take place in a location to accommodate members. In our case, we were fortunate to have a Professional Training Center sponsor us and allow us the use of their classroom facilities in the evenings. Our sponsor is CTE Solutions. I will speak about our model in its current state to help guide you in creating a study group of your own in your local area. We have had much success with more than 65% of our study group attendees not only writing the certification exam but passing it and achieving certification.</p>
<p>The first thing I want to make clear is that study groups are an alternate form of the &#8220;self-study&#8221; methodology. They do not replace courses. In fact, courses reinforce what is learned at the study groups or vice-versa.</p>
<p>Once a topic is selected and the location is chosen, the topic materials are needed. This is usually where the study group members must kick in a fee. The fee covers the study group materials at a minimum. If the location is provided at a cost, this can be split among the members as part of the fee. (You may want to investigate free meeting spaces, such as those provided by a local public library.) The OWSUG has furthered the structure by requiring members to also front the cost of an exam voucher to actually attempt the certification exam. We also include a nominal $50 to cover an end-of-session celebratory party with excess going to the OWSUG user group to cover overhead. The user group functions on a volunteer basis with minimal corporate funding from sponsorships, if available.</p>
<p>The topic material has typically been an &#8220;exam focused&#8221; book available from Amazon, Chapters, or any outlet. Corporate sponsors occasionally supply these to the group as well. Alternative materials can be used such as E-Learning, member-compiled materials, presentations, user group forums like TechRepublic, MyITForum, etc.</p>
<p>Once all this has been worked out, take the topic material and break it down into sessions. We have found that a time period of 10-15 weeks per certification study group is generally acceptable to all members. Break the members into teams of no fewer than four. In each team, assign a leader and an alternate who are responsible for keeping the team informed of status and schedule.</p>
<p>Each week, one team presents their assigned modules as per the schedule. This has MANY benefits, some of which include public speaking, presentation skills, and, of course, learning the topics themselves!</p>
<p>The study group should typically have at least one mentor. The mentor can be someone who is senior and already has job knowledge of the subject matter or someone who is certified. In our case, CTE Solutions has occasionally had a Microsoft Certified Trainer from their staff attend some groups and offer perspective and further insights to the material.</p>
<p>Members are encouraged while they study to post questions and thoughts to forums like the ones we host on OWSUG, TechRepublic, or other newsgroups. Outside content, which can be helpful from these sources, is often pulled in to enhance the process.</p>
<p>In the schedule, try to include a target time frame for members to actually book the certification exam. This group push really helps!</p>
<p>At the end of it all, host a scheduled party and tear loose!</p>
<p>How do you prepare for certification exams? What do you think of this suggestion? Share your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=770</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=770</feedburner:origLink></item>
		<item>
			<title>Terminal Services Gateway is a good way to go for remote desktop</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/497491754/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=773#comments</comments>
			<pubDate>Mon, 29 Dec 2008 04:57:45 +0000</pubDate>
			<dc:creator>Rick Vanover</dc:creator>
			<category><![CDATA[Remote Access]]></category>
			<category><![CDATA[Dial-in VPN]]></category>
			<category><![CDATA[System Administration]]></category>
			<category><![CDATA[Infrastructure]]></category>
			<category><![CDATA[NAT]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=773</guid>
			<description><![CDATA[The Terminal Services Gateway is simply an HTTPS-based connection for remote desktop. It does this by providing native encryption, using port 443, allowing enhanced logging and policy configuration, and centrally controlling the remote desktop connections. The Terminal Services Gateway is a new role that is made available with Windows Server 2008, and it can provide some features that network administrators may be excited to use.
]]></description>
			<content:encoded><![CDATA[<p><em>Remote desktop connections are common on most networks. Taking a closer look at the traffic patterns of remote desktop likely shows an area that can use a step up in security. In this blog, Rick Vanover discusses the Terminal Services Gateway.</em><br />
—————————————————————————————————————</p>
<p>The Terminal Services Gateway is simply an HTTPS-based connection for remote desktop. It does this by providing native encryption, using port 443, allowing enhanced logging and policy configuration, and centrally controlling the remote desktop connections. The Terminal Services Gateway is a new role that is made available with Windows Server 2008, and it can provide some features that network administrators may be excited to use. The fundamental point is that the connections use port 443 instead of the port 3389 used for traditional connections. With 443 being used, there is a certificate exchange, which is a good thing. Further, the Terminal Services Gateway’s Web front end can manage connections to resources on different networks that may contain NAT addresses, which could be a mess when managed point-to-point from clients and VPN-based connections. With the Terminal Services Gateway, this can be consolidated to a single host with specific rules, which all clients come into and through with the certificate exchange.</p>
<p>Terminal Services Gateway sparked some interest in me while reading this <a href="http://blogs.msdn.com/ts/archive/2008/12/04/introduction-to-ts-gateway-certificates.aspx">MSDN blog</a> and in particular looking at the very handy chart of certificate types and RDP client levels. Luckily, having a private certificate authority infrastructure in place makes most things easy. But what got me on a tear about this entire configuration is that most organizations do point-to-point RDP. This configuration has very difficult traceability for connections across large environments as well as frequent over-assigning of permissions by group memberships to systems that are not needed. Lastly, the nice certificate exchange does not occur here either. The Terminal Services Gateway offers a next level of management for the RDP connections that are a requirement for infrastructure administrators and developers alike. This isn’t simply a right-click and we are there, however. The Terminal Services Gateway takes some planning and additional components, IIS for starters and some various Network Policy Services that are part of Windows Server 2008 as well.</p>
<p>It is worth going ahead and taking the time to configure the gateway for the enhanced security configuration. There may be some overlap and co-administration needed between the infrastructure administration and network administration teams, but the enhanced management and security of Terminal Services Gateway could be a welcome addition to securing this frequently used traffic on the internal network. More information on the Terminal Services Gateway can be found on the <a href="http://technet.microsoft.com/en-us/library/cc731264.aspx">TechNet Web site.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=773</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=773</feedburner:origLink></item>
		<item>
			<title>TechRepublic’s networking host: My dream come true</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/494135467/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=771#comments</comments>
			<pubDate>Wed, 24 Dec 2008 15:44:56 +0000</pubDate>
			<dc:creator>Michael Kassner</dc:creator>
			<category><![CDATA[General]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=771</guid>
			<description><![CDATA[I've been living a dream this past year. Simply being here, having a great son, and writing about techy things for TechRepublic is something I'm very thankful for.
]]></description>
			<content:encoded><![CDATA[<p><em>I&#8217;ve been living a dream this past year. Simply being here, having a great son, and writing about techy things for TechRepublic is something I&#8217;m very thankful for.</em><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>It&#8217;s not much of a secret that I&#8217;m a technology geek. I did the normal nerdy things in high school and college. You know, the carrying a slide rule in my pocket protector sort of thing. The strange part was my being totally enamored by grammar and writing. Talk about a double whammy: ever been ostracized by mainstream and geek types alike? I&#8217;d almost given up on writing for anyone other than myself. Fortunately for me, several TechRepublic editors took a chance on me a few years ago. Never doubt the courage of Jason, Toni, and Selena.</p>
<p>In the beginning, I stumbled around, patiently being mentored by TR editors and you, the members. Please know that I&#8217;m eternally grateful for all of you showing me the way. I think, no I know, I learned a great deal and hopefully it shows.</p>
<p><strong>That operation thing</strong></p>
<p>Remember I mentioned that I&#8217;m glad to even be here. Well, that&#8217;s because this time last year I was recovering from heart surgery, a triple bypass to be exact. I guess (being there in body, not sure where the mind was) the operation was anything but smooth. So, I owe my being alive to Dr. Emery and his amazing medical assistant Ms. Cadwell.</p>
<p>I&#8217;m proud to say that even under the influence of major pain killers I was totally geeked out by the networking and wireless equipment that were all around me. Just ask the hospital staff who took care of me. They showed amazing patience while under a constant barrage of questions from me. Ultimately, I even wrote an article about my experience titled, &#8220;<a href="http://blogs.techrepublic.com.com/wireless/?p=168" target="_blank" title="Surgery">Wireless Technology Played a Big Role in My Surgery</a>.&#8221;</p>
<p><strong>Proud parent</strong></p>
<p>Surviving a life-threatening surgery is what I would consider a major gift, yet it pales in comparison to the gifts my son gives me every day. For example when I was recovering, he uncomplainingly took care of me, went to college full time, and worked 35 to 40 hours a week. He even told me not to talk about this. Something about being embarrassed, but since when do I listen to anyone except my editors.</p>
<p><strong>TR members</strong></p>
<p>I&#8217;ve been involved with IT for longer than I care to admit, just because doing so makes me feel really old. Remember the discussion on the forum about punched cards and the &#8220;old fart&#8217;s club&#8221;? Having been around this long allows me to make somewhat informed hypotheses. One of which is that you the members of TechRepublic are by far the most knowledgeable and dare I say nerdy (good thing in my world) people that I know.</p>
<p>Wanting to understand all things about IT is a true kinship that I share with you the members. So please know that I especially appreciate your allowing me to tag along. In the year coming up I&#8217;d like to continue learning and sharing the amazing world of IT with you, but only with your help and patience.</p>
<p><strong>Final thoughts</strong></p>
<p>If there&#8217;s anything that I learned this year it&#8217;s to tell people you care about how you feel. Thus my wanting to make sure the TechRepublic staff, the TechRepublic members, and everyone who suffers through my writing understands how much I appreciate their allegiance. It&#8217;s a gift that I never thought I&#8217;d realize and will never disrespect. Thank you from my now well heart, and I wish the best of the New Year to everyone.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=771</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=771</feedburner:origLink></item>
		<item>
			<title>A closer look at femtocells</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/493860136/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=769#comments</comments>
			<pubDate>Wed, 24 Dec 2008 08:01:22 +0000</pubDate>
			<dc:creator>Paul Mah</dc:creator>
			<category><![CDATA[Wireless]]></category>
			<category><![CDATA[mobile technology]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=769</guid>
			<description><![CDATA[Femtocell technology has been hailed as an alternative to deliver the advantages of fixed mobile convergence.  Poised for commercial launches by Telcos around the world in 2009, we take a closer look at this nascent new wireless mobile technology.
]]></description>
			<content:encoded><![CDATA[<p><em>Femtocell technology has been hailed as an alternative to deliver the advantages of fixed mobile convergence. Poised for commercial launches by telcos around the world in 2009, we take a closer look at this nascent new wireless mobile technology.</em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
<p>I will be getting the hardware for my trial femtocell service from local telco <a target="_blank" href="http://www.starhub.com/">StarHub</a> tomorrow. This close to Christmas, unfortunately, means that I won&#8217;t be able to get my first hands-on impressions out on TechRepublic before the holidays.</p>
<p>However, I will use this time to first introduce femtocell and then follow up with a more detailed appraisal at the beginning of January.</p>
<h2><strong>What is femtocell?</strong></h2>
<p>A femtocell is a small cellular base station that connects to a mobile service provider&#8217;s network via a broadband connection. The actual number of mobile phones that can be supported per femtocell varies, but general consensus seems to peg it at between two and five phones &#8212; at least for the initial generation of equipment.</p>
<p>In a nutshell, a femtocell is a miniature version of the celco&#8217;s cellular base station that resides within your office or residence. Some see it as another way to deliver on the benefits of fixed mobile convergence without having to invest in dual-mode handsets or be mired with potential difficulties of getting handsets to work over disparate Wi-Fi access points.</p>
<p>Personally, I am just looking forward to more reliable mobile reception, which can get a little flaky at times in the high-rise apartment where I live.</p>
<h2><strong>How does femtocell work?</strong></h2>
<p>As I mentioned earlier, femtocell operates like a mini-cellular base station. When a registered mobile device is within the proximity of the femtocell, the handset will switch over transparently to the femtocell network. While connected to the femtocell, users can continue to use the mobile handset for all their usual voice and mobile data services, including sending text messages.</p>
<p>The only difference is that the traffic will be passed along the connected broadband network to the telco&#8217;s mobile network infrastructure. As such, a femtocell will obviously not work if the Internet connectivity is down.</p>
<h2><strong>What is the value proposition of femtocell?</strong></h2>
<p>There are certainly a number of value propositions to using femtocell, be it within the confines of a city or in a more rural setting. Within a city, it would not be unusual to encounter parts of a building or office with poor or erratic reception. The presence of a femtocell unit would certainly reduce or eradicate these wireless &#8220;dead spots.&#8221; Rural areas that are too sparsely populated for base stations to be economical would certainly benefit from the presence of femtocells as well.</p>
<p>In an organization where I worked previously, we wanted to equip the delivery staff with handhelds linked to backend ERP servers via GPRS. Unfortunately, we realized that a big portion of the office was a cellular dead zone, and attempts by the telco to add in repeaters or reposition the local base station proved to be in vain. In such a scenario, the presence of a few femtocell base stations would certainly have come in handy.</p>
<h2><strong>Potential problems with femtocell</strong></h2>
<p>Some potential challenges that might hinder the success of femtocell deployments would be interference from other femtocell units or base stations. In addition, evidence ironically seems to suggest slightly higher battery consumption from mobile devices when connected to a femtocell, likely due to mobile devices increasing their transmit power as they detect the slightly weaker signals from the femtocell transmitters.</p>
<p>Other challenges come in the form of access control issues &#8212; I certainly won&#8217;t want my neighbor&#8217;s phone using my Internet connection! Fortunately, StarHub addressed this issue by allowing only a whitelist of mobile numbers that the femtocell unit will accept.</p>
<p>According to Anil Nihalani, Head of Mobile and Communications, femtocell technology is a nascent technology where the standards are still evolving, though it is a fast-developing one, with new upgrades and functionalities. It is clear that the company has high hopes for the potential of femtocell.</p>
<p><strong>In conclusion</strong></p>
<p>One thing is for certain: femtocell is very new technology. When StarHub rolled out 3G femtocell services in November, it became the first to do so on a commercial, nation-wide level. Indeed, the general expectation is that 2009 will see more commercial launches around the world, though many networks are already involved in limited trials this year.</p>
<p>I&#8217;ll reserve the rest of my thoughts until I have used femtocell for a couple of weeks. In the meantime, do you see yourself benefiting from femtocell?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=769</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=769</feedburner:origLink></item>
		<item>
			<title>Phorm’s Webwise: It’s back and gaining traction</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/492216449/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=768#comments</comments>
			<pubDate>Mon, 22 Dec 2008 13:14:41 +0000</pubDate>
			<dc:creator>Michael Kassner</dc:creator>
			<category><![CDATA[General]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=768</guid>
			<description><![CDATA[Michael Kassner has been keeping up with news about Phorm and Webwise. Webwise is a behavioral targeting application offered by Phorm, and now major ISPs are seriously considering using Webwise. Knowing what that means is important to all of us who care about privacy issues.
]]></description>
			<content:encoded><![CDATA[<p><em>I promised to keep everyone up to date about Phorm and Webwise. Well, they&#8217;re back, and major ISPs are seriously considering using Webwise. Knowing what that means is important to all of us.</em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>It appears that the company <a target="_blank" href="http://www.phorm.com/" title="Phorm">Phorm</a> and its application <a target="_blank" href="http://www.webwise.com/" title="webwise">Webwise</a> are alive and well. Phorm and several major British ISPs are putting a new spin on Webwise and how it will make everyone&#8217;s Internet experience better. For instance this is <a target="_blank" href="http://www2.bt.com/static/i/btretail/webwise/" title="BT take">British Telecommunications Group&#8217;s</a> (BT) take on Webwise:</p>
<blockquote><p><em>&#8220;BT Webwise increases your protection against online fraud and makes ads that appear on participating websites more relevant to your interests. It&#8217;s completely free for BT Total Broadband customers and you don&#8217;t have to download or install any software for it to work.</em></p>
<p><em>BT Webwise automatically adds an additional layer of protection against online fraud by checking the sites you visit against a list of suspected fraudulent and untrustworthy websites. When you attempt to visit any website on the list, you&#8217;ll see a warning, so you can choose whether or not to visit it. It&#8217;s another way BT is helping to protect you online.&#8221;</em></p></blockquote>
<p><strong>It&#8217;s free?</strong></p>
<p>Webwise requires massive amounts of hardware and software to check every single bit of network traffic that passes through the ISP. So, if you&#8217;re wondering why an ISP would offer this service for free, wonder no longer. BT explains that your advertising (hint hint) experience will be more personal:</p>
<blockquote><p><em>&#8220;BT Webwise also personalizes the online advertising you see when browsing on participating websites by linking ads to your interests. For example, if you search for a weekend trip to Paris or visit pages related to Paris, BT Webwise would replace the standard ads that would normally appear with advertising relating to travel or hotels information. You won&#8217;t see any more adverts than you normally do &#8212; they&#8217;ll simply be more relevant.&#8221;</em></p></blockquote>
<p>The reason it&#8217;s free to the ISP members is that Webwise will become a major revenue stream for the ISP. As I understand the process, advertisers will pay Phorm and Phorm will then pay the ISPs. So, the ISPs are hoping that members will go along with it.</p>
<p><strong>Some history</strong></p>
<p>Back in July of this year I wrote two articles about new technology that has the potential to track and shape everyone&#8217;s Internet traffic. &#8220;<a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=609" title="DPI">Deep Packet Inspection: What You Need to Know</a>&#8221; discusses technology that enables real-time deep packet inspection (DPI) of traffic. DPI has allowed companies to develop behavioral targeting applications that can shape traffic and inject third-party vendor (TPV) advertisements. The article &#8220;<a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=612" title="Behavioral Targeting">Behavioral Targeting: What You Need to Know</a>&#8221; discusses one such company, Phorm, and its traffic-shaping application Webwise.</p>
<p>Just to keep all of us on the same page, a high-level view of behavioral targeting might be helpful. Briefly, behavioral targeting first determines what you like, based on where you go on the Internet. Then, behavioral targeting selects advertisements that are most likely to influence you, displaying them on the new Web pages you ask for.</p>
<p><strong>Back to the infamous cookie yet again</strong></p>
<p>If your ISP uses Webwise, your browser is given a cookie from the Webwise Web site, even though the Webwise site was never visited. This cookie contains a unique identifying number (UID), which identifies you to the advertising network. Then, every time you surf to a new Web site, the UID is captured by Webwise along with information about that Web site. The UID is then compared to a database of previously visited Web sites and information about your browsing habits, after which Webwise returns what it considers relevant advertising information to your Web browser.</p>
<p>Phorm is supposedly making Webwise an opt-in option now, which appears to be satisfying some of the privacy advocates. The reason I say some is that Webwise still installs a UID cookie for every Web page that you visit, even if you have opted out. Webwise still has to monitor all your surfing as it&#8217;s the only way the application can read the opted-out status of the cookie.</p>
<p>Therein lies the crux of the matter &#8212; mission creep. The ISP and Phorm can potentially track your whole Internet experience. Since DPI is being used, the tracking and scanning of information isn&#8217;t limited to Web browsing. E-mail and virtually any traffic of interest could be captured and analyzed.</p>
<p><strong>Which ISPs are involved?</strong></p>
<p>As of now <a target="_blank" href="http://www2.bt.com/static/i/btretail/webwise/index.html" title="BT">BT</a>, <a target="_blank" href="http://www.virginmedia.com/customers/webwise.php" title="Virgin Media">Virgin Media</a>, and <a target="_blank" href="http://webwise.phorm.com/talktalk_webwise_pilot.php" title="Talk Talk">TalkTalk</a> have conducted tests or are in the process of testing. All indications are that the ISPs will in the near future launch the Webwise program.</p>
<p><strong>Preventative measures</strong></p>
<p>There are options that you can use to avoid behavioral targeting cookies and DPI scrutiny. Encrypted tunnels through your ISP disallow the installation of behavioral targeting cookies. Also, using VPNs, whether they are IPsec, L2TP, or SSL, will negate any effort by DPI to decipher the encrypted traffic. E-mail is another subject, and once again the only sure way to ensure its privacy is to encrypt the message. There are not a whole lot of options, but that&#8217;s because behavioral targeting applications are being placed only one hop away from your network perimeter.</p>
<p><strong>Final thoughts</strong></p>
<p>Whether this technology gains traction or not is going to depend on the legality of it and whether people are comfortable with having their Internet experience monitored. It appears that the British government doesn&#8217;t consider it a <a target="_blank" href="http://www.theregister.co.uk/2008/09/22/bt_phorm_police_drop/" title="privacy">privacy</a> or <a target="_blank" href="http://www.publications.parliament.uk/pa/ld200708/ldhansrd/text/81118w0002.htm" title="copyright">copyright</a> issue. It will be interesting to see if the new spin Phorm is placing on Webwise will be sufficient to overcome member concern about privacy issues.</p>
<p>Regarding the members of the three ISPs, I recently read the Register&#8217;s article &#8220;<a target="_blank" href="http://www.theregister.co.uk/2008/11/19/bt_phorm_censor/" title="Censor">BT Silences Customers over Phorm</a>.&#8221; One has to wonder about the logic behind that. I suspect it will be interpreted as BT having something to hide.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=768</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=768</feedburner:origLink></item>
		<item>
			<title>Protocol control made easy for the SOHO</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/491981708/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=767#comments</comments>
			<pubDate>Mon, 22 Dec 2008 06:46:20 +0000</pubDate>
			<dc:creator>Rick Vanover</dc:creator>
			<category><![CDATA[General]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=767</guid>
			<description><![CDATA[Managing what network traffic occurs on a small office network is a great challenge. The Untangle gateway offers a free way to block certain protocols from being used on a network.]]></description>
			<content:encoded><![CDATA[<p><em>Managing what network traffic occurs on a small office network is a great challenge. The Untangle gateway offers a free way to block certain protocols from being used on a network.</em><br />
—————————————————————————————————————</p>
<p>On every network, attention is given to what traffic is permitted in from the Internet, to keep the internal computing resources secure and reliable. As small office or home office (SOHO) users become more sophisticated, and more at risk from using different Web services, a need also arises to restrict what traffic can leave a network. One way to tackle this subject is to set up a protocol control that prohibits configured outbound traffic from an internal network. Outbound traffic can be managed this way for free with the <a target="_blank" href="http://www.untangle.com">Untangle open source gateway</a>.</p>
<p>Untangle&#8217;s protocol control module is a canned collection of 94 protocols and associated applications, each of which can be blocked, logged, or both. Some of the available protocols to be managed on the gateway include:</p>
<ul>
<li>Instant Messenger: Eight of the top instant messenger Web products are included. This can help prevent an untracked leakage of sensitive company data by using an Internet-based instant messenger in lieu of an internally hosted, managed, and traceable system.</li>
<li>E-mail: Three e-mail protocols, SMTP, IMAP, and POP3, can be blocked from the internal SOHO network.</li>
<li>Peer to Peer file exchange: Over 20 services offered for uncontrolled file exchange.</li>
<li>Voice over IP, games, other VPN clients, and more: A varied collection of Web-based services that the SOHO may not really need if they are not part of your standard offering.</li>
</ul>
<p>The protocol control module is displayed like the other Untangle components in the virtual rack. Further, protocols and applications can be added to the list based on your specific needs. <strong>Figure A</strong> shows a page of the applications available for management:</p>
<h4>Figure A</h4>
<h4>
<a href="http://content.techrepublic.com.com/2347-10877_11-249604-256706.html?seq=11"><img border="0" align="middle" src="http://i.techrepublic.com.com/gallery/256706-500-252.jpg" hspace="5" alt="Figure A" title="Figure A" /></a></h4>
<p>This is different from Untangle&#8217;s standard Web filter module, as it goes beyond port 80 and generic categories. The protocol control list allows specific Web-based services that may not be using ports 80 or 443 to be prohibited. More information on the Untangle protocol control module can be found on the <a target="_blank" href="http://www.untangle.com/index.php?option=com_content&amp;task=view&amp;id=69&amp;Itemid=142">Untangle Web site.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=767</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=767</feedburner:origLink></item>
		<item>
			<title>Linksys WVC54GC: Exploit discloses system configuration</title>
			<link>http://feeds.feedburner.com/~r/techrepublic/networking/~3/491743642/</link>
			<comments>http://blogs.techrepublic.com.com/networking/?p=765#comments</comments>
			<pubDate>Sun, 21 Dec 2008 23:50:40 +0000</pubDate>
			<dc:creator>Michael Kassner</dc:creator>
			<category><![CDATA[General]]></category>
			<guid isPermaLink="false">http://blogs.techrepublic.com.com/networking/?p=765</guid>
			<description><![CDATA[A Linksys Web camera is vulnerable to SetSource() boundary error. This vulnerability will disclose sensitive system information in plain text to an attacker.]]></description>
			<content:encoded><![CDATA[<p><em>A Linksys Web camera is vulnerable to the SetSource() boundary error. This vulnerability will disclose sensitive system information in plain text to an attacker.</em><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
As I was checking out my weekly e-mail from US-CERT, I came across <a target="_blank" href="http://www.kb.cert.org/vuls/id/528993" title="US cert"><em>Vulnerability Note VU#528993</em></a>, which states:</p>
<blockquote><p><em>&#8220;The Linksys WVC54GC wireless video camera insecurely sends initial configuration information over the network, which can allow a remote, unauthenticated attacker to intercept video streams, access wireless network authentication credentials, modify the device firmware, or cause a denial-of-service to the video camera.&#8221;</em></p></blockquote>
<p>The following image of the Linksys WVC54GC is courtesy of Linksys:</p>
<p><a href="http://blogs.techrepublic.com.com/networking/images/wvc54gc_med.jpg" title="wvc54gc_med.jpg"><img src="http://blogs.techrepublic.com.com/networking/images/wvc54gc_med.jpg" alt="wvc54gc_med.jpg" /></a></p>
<p><strong>That&#8217;s not good</strong></p>
<p>Most Linksys devices use UDP port 916 for remote management commands. This vulnerability allows an attacker to craft a packet and send it to the Web camera, which will then return sensitive system information to the attacker. The information that&#8217;s sent back includes login credentials, wireless network connection information (including encryption keys and SSID), and normal system management information.</p>
<p><strong>Keys to the kingdom</strong></p>
<p>If the attacker is successful in retrieving the configuration information, owning the network just became a whole lot easier. Depending on where the attacker is physically located, access may be possible via the Internet or Wi-Fi. To add insult to injury, the attacker also has access to the Web camera, and who knows how embarrassing that could be.</p>
<p><strong>Final thoughts</strong></p>
<p>Please remember that attackers always take the simplest approach to gain access to networks, and this attack vector is just that. The vulnerability applies to all Linksys WVC54GC cameras that are using firmware prior to version 1.25. It&#8217;s advisable to update as soon as possible. Why take the chance when updating the firmware is simple to do? This is yet another reminder to make sure firmware on all networking devices is up to date, because this exploit may not be confined to the WVC54GC.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.techrepublic.com.com/networking/?feed=rss2&amp;p=765</wfw:commentRss>
		<feedburner:origLink>http://blogs.techrepublic.com.com/networking/?p=765</feedburner:origLink></item>
	</channel>
</rss>
