As outlined in more detail by Michael Coates on DevWebPro, FireSheep utilizes a program called Winpcap that sniffs the unsecured network for session identifiers. With these session identifiers, FireSheep can pretend to be the user who actually belongs to the stolen session identifier, and thus gains access to the particular website. BlackSheep utilizes the same Winpcap tool. However, BlackSheep instead seeks out evidence of a FireSheep sniffer. Upon finding this evidence, BlackSheep notifies you that there is a FireSheep user on the network.

The key word is "notifies". That’s all BlackSheep is capable of doing. In fact, it is all that anyone is capable of doing as long as these authentication systems are in use. However, as mentioned in any number of articles about FireSheep, this vulnerability only exists on unsecured wifi networks. The path that data typically takes over traditional Ethernet and secured wireless networks does not allow this method of sniffing for session identifiers. BlackSheep can not encrypt or protect your session from getting hijacked – attempting to do so would break the communication between you and the website you’re attempting to access. Thus, in the end, BlackSheep merely notifies – it does not protect.

Despite its failure to block FireSheep from gaining access, BlackSheep is the best solution to protecting yourself from hijacked sessions when using unsecured wireless networks.

Firesheep is a Firefox add-on that does the hacker’s work for any laymen computer user. By sniffing the unencrypted data in wireless networks, Firesheep grabs users’ authentication cookies from thin-air, and then does the necessary work to allow an user to utilize these cookies to gain unauthorized access to website accounts. This process is nothing new, and is just one of the many perils of the unsecured wifi network. Although this plugin appears to have been developed for awareness purposes, it will now give additional people the capability to cause serious harm. Not all sites can be hacked in this way, but a long list of sites that can be are found in the options menu of the plugin. This same options menu allows additional sites to be configured given the proper information.

Although computer users can easily do things to combat these issues on unsecured wireless networks (VPN), there are still a vast majority of unaware computer users that would see no problem with using an unsecured wireless network. Giving the ability to a larger base of evil doers to exploit these computer users is not a good thing. Although sites like Facebook may eventually put in place authentication and session methods to combat this particular security issue, this tool still equips malicious users the ability to do damage now until that point and on other/future sites that fail to make changes themselves.

This also brings up the question: is it a website’s or user’s responsibility to make the connection between them secure? How far does the obligation of either party to foster this secure connection reach?

Mr. Nichols’ suggests that ISPs should take the initiative and restrict access to those users who appear to be infected with malware, viruses, etc. He points out that Comcast has begun to notify their users when suspected of being infected. However, Comcast is the poster child for what happens when you impede the openness of the Internet. In case you missed it, they got into hot water when they restricted peer-to-peer file transfers on their network. Thus, it comes to no surprise that although Comcast may be thinking in parallel with Steven. Unlike Steven, Comcast knows firsthand the ramifications of going beyond simply notifying users of their infection.

A pillar upon which the Internet stands is freedom/open use. However, there is no legal entity over the Internet, and thus no governing body on which to create and enforce laws. Because of this, the Internet has often been compared to the Wild West. It’s a solid comparison. Like the Wild West, we are generally responsible for protecting our own property and health. There are a lot of uneducated Internet users that do not adequately protect themselves from malware and other malicious software. Should we round all these people up and quarantine them? What did they do wrong to deserve this, other than simply being unaware that their actions would lead to their infection?

It’s not an issue of whether or not these people should be allowed to be online and contribute the spread of malicious code and general evil-doing. The issue is that the Internet is an open and free environment, and we should maintain that at all costs. Let us utilize the tools and practices available to keep ourselves clean, and then educate and equip the malware ignorant masses of the same. There should be no bar to measure up against when it comes to riding the Internet.

A reverse situation is possible, too, where someone watching YouTube videos or playing online games on his lunch break would cause callers to have a bad experience. And it would be a real pain if it were necessary to make a company-wide announcement every time the phone rang.

So David Sims talked to officials at VoIP Insider about how to take VoIP calls into account, and they told him, “[Y]ou should calculate the total bandwidth needed to send and receive your calls. You can do this by multiplying the number of anticipated simultaneous calls times the packet size of the voice codec you will be using (like G.722 or G.729).”

Then, depending on how things look, the officials said, “[Y]ou may want to prioritize or even segment your voice traffic.” (This can also serve as a good precaution against unforeseen Internet problems even if the situation seems under control.)

If problems still exist after all this, it may be time to rework the VoIP cost analysis. Specifically, the cost of more bandwidth will have to be weighed against the cost of using traditional phones. It’s possible VoIP won’t represent such a great deal once the added expense is factored in.

The good news is that most organizations with decent Internet connections shouldn’t encounter a lot of problems when using VoIP tech. It’s just best to think about this sort of stuff before going through with any transitions; no one will win if all of a company’s phones are accidentally transformed into little more than paperweights.

The first answer is, if you don’t they will. Everyday malicious and sometimes just overly curious people use their computers to run automated testing scripts that look for system vulnerabilities to record and potentially later exploit. Sometimes the people running the scripts just want to find problems and notify the administrators that they need to be fixed. However, not all administrators are so lucky. If businesses do not take a proactive stance and run penetration tests on their own network to find and fix problems, it is likely that they will be the recipient of an attack that could have been prevented.

Today, its easy to run penetration tests, the Metasploit Framework provides fully automated network penetration testing. Some time ago, to test exploits on your own machines you’d have to go find them from obscure websites, download them, and sometimes even compile them. Today the Metasploit Framework can replace these time consuming tasks with a single tool.

Using Metasploit to find security holes may sound dangerous, but as long as you have your data backed up and are properly monitoring your systems there is little chance it will have any noticeable impact on your network. Metasploits is designed to find vulnerabilities, exploit them, and open a remote shell on the affected machine(s) if possible. It is possible that in doing this a service may be shut down and have to be restarted, but that is usually the worst of it. Also any printers on the network may print out some random data as Metasploit looks for vulnerabilities. As long as users are aware that the test is being run and it has the potential to cause minor annoyances for a short time, your testing should go smoothly.

Another question often asked is, “I keep my servers and desktop systems up to date, why would I need to?” This is a perfectly reasonable question, but the proper response is, “Why assume, when you can test and know?” Why not run a simple automated test to check for vulnerabilities so that they can be found and fixed before they are exploited by malicious tools. Nothing will ever prevent attackers 100%, but by using the Metasploit Framework, you can get one step closer.

Download the Metasploit Framework here.

Funny Pictures

So here are some of the generic statements (aka “facts”) that I see daily:

• Cloud is not secure
• Application  XYZ failed therefore the cloud is a failure
• You are crazy if you put mission critical applications in the cloud

I could go on and on but you get the point.  So let’s discuss these “facts” one at a time.

Cloud is not secure

This one drives me nuts!  I heard a well respected industry analyst at a well respected conference declare “I just don’t understand how you can put customer data in the cloud.  When you buy Amazon, you don’t buy security”.  I raised my hand and asked, “When you buy a rack of servers from IBM, are you buying security?”.  The point is, you don’t buy security, you architect for it.  Whether you are using a SaaS, IaaS, or PaaS provider, you must understand what security features are addressed, what isn’t, and what the risks are.  Then you must design to mitigate those risks.  It is not different than what you should be doing on-premise.  Understand your requirements, and build (or buy) the appropriate solution.  So to sum it up, the cloud by itself is often not secure enough.  You may outsource your infrastructure but don’t outsource your brain.  There are still things you must do to secure your systems and services in the cloud.

Application XYZ failed therefore the cloud is a failure

Whether it is GMail, Tmobile losing Sidekick data, Ma.gnolia database crashes, or Coghead going out of business, any failure of an off-premise solution seems to feed the myth cloud computing is too risky.  However, we continue to fail miserably each day with our on-premise solutions but we can keep it from the press because it is behind our firewall!  In each one of the above mentioned failures, the issue lies with operational issues on the side of the provider and not issues with the cloud infrastructure itself.  I would argue that GMail, which is free, is at least as reliable than most corporate Microsoft Exchange implementations (at least for the companies that I have worked for in the past).  Also, if you are using SaaS solutions, you should have a mitigation strategy in place for lost data.  Outsource the business processes but not your brain!  You still need business continuity, disaster recovery, record retention policies, etc.  And when did on-premise become so perfect? How many companies do you know keep the lights on by having employees run around with duck tape and bailing wire plugging up the holes in the bottom of the boat.  Let’s face it, most failures are due to issues in architecture, design flaws, missed requirements, human error, weak controls, or poor implementations.

You are crazy if you put mission critical applications in the cloud

This one really drives me nuts.  The problem here is semantics and we really should be careful what we say.  It is one thing to say mission critical apps don’t belong in the public cloud and another to say it doesn’t belong in any cloud (which is how it often gets interpreted).  But even the term mission critical means different things to different businesses.  Even though you and I might not see Twitter as a mission critical application to our business, it is for others.  Some companies exist solely because they leverage Twitter’s APIs to deliver their products and services.  Now we all know Twitter’s track record of reliability.  But their performance and up-time was failing miserably before they moved to the cloud.  It improved once they migrated to Amazon.  Twitter’s problem is a flawed architecture, it is not a cloud computing issue.  I have written in the past about our secure hybrid cloud solution for processing micro-payments.  As a startup, I would argue that I would be crazy not to build this in the cloud.  In an era where it is difficult to raise money, my costs would increase ten-fold had I opted for an on-premise solution.  I would have to build or lease at least two data-centers and staff them accordingly.  Instead I can use a combination of cloud vendors coupled with a sound architecture to secure these transactions and meet all regulatory requirements.  If I already had an existing data-center, I would not have been forced to look beyond the opinions of others and try to solve the security and compliance requirements that my business required.  I just think that many people’s opinions about the cloud are focused primarily on their specific business models or domains.  So what may be true for their world does not necessarily apply across the board. We tend to generalize too much.

Summary

There are many opinions out there about cloud computing and there are many smart people offering them.  Unfortunately, many of these these smart people have not rolled up their sleeves and tried to solve real business problems in the cloud (nor do they need to).  In my case, as a matter of survival, we had to find out for ourself.  By no means, do I consider myself an expert in cloud computing.  But I do believe that spending a year actually working on delivering enterprise solutions in the cloud from scratch does entitle me to challenge the opinions that are deemed facts.  At the end of the day, it all comes down to knowing your business and technical requirements and applying sound architectural practices to provide a secure and compliant solution, whether it is in the cloud, on-premise, or both.

Comments

LinuxQuestions.org came in my help, suggesting simply to delete some network files because apparently those files get corrupted when the battery runs out.

To fix it type the following comand on the command line sudo rm -rf ~/.gconf/system/networking or follow this step by step guide.

1. From the regular Aspire One options page, go to the Files panel

2. Click on the triangle to see more icons

3. Click on MyFiles, which opens a file manager window.

4. In the menu bar, select View->Hidden files, to show a tick in the box. (Sorry, I’m translating from a German display, so the option names may not be spot on.)You should be in the “My Disk:///” directory.

5. Find folder “gconf” and click on that

6. Find folder “system” and click on that

7. You should now see folder “networking” listed as one of the folders.

8. DELETE IT! (Right click on the networking folder, and select option delete.)

Okay, once you have recovered from the fear of deleting goodness-knows-what-file because you are just following some internet instructions, you have to re setup your wireless connection:

1. Shut down all those windows, and go back to the regular Aspire One options page.

2. Click “Settings” on the bottom right.

3. Click icon for “Netwrok Center”. If this works, and a window pops up then it’s going well.

4. Click on “New”, and follow the on screen instructions to connect and re-setup your WLAN or LAN.

Comments

“Here at the amazing HAR2009 hacker conference + camp, I have the pleasure of operating a camp-wide GSM network.

Under license of the Dutch regulatory authority, we operate two BTS with two TRX each, forming the network 204-42. The BTS are positioned on the top of a hill, with the antennas mounted back to back on a tree, each covering about half of the HAR2009 camp site. Every transceiver runs at 100mW transmit power, which is the maximum output as per our license.

From that tree, we run AC power and a single E1 line down to the GSM tent, where it runs into the Linux PC that runs our OpenBSC software. “

For those of us who aren’t mobile phone networking experts, BTS stands for Base Transceiver Stations, TRX stands for transceivers and BSC stands for Base Station Controller.

OpenBSC is a GPL implementation of major components of a GSM network. Welte is one of the key developers behind OpenBSC, which aims to:

• provide a basis for experimentation and security research with GSM from the network side
• document, publicized and point out any security related issues that we find as part of that
• learn more about GSM networks on a lower level, particularly the practical aspects with real-world equipment

Unfortunately, the project is not interested in:

• building a stable/reliable BSC/MSC for deployment in actual networks
• building something that follows the GSM spec to the last detail
• disrupting actual commercial GSM network

Since a government issued network bandwidth license is required to run a GSM network in most countries, few of us will never run our own open source GSM networks.  Although it seems that countries like Russia allow the use of licensed frequencies for low-power indoor use.  So the title of this blog is squarely targeted at readers in Russia.  Kidding aside, I wonder while Welte and team aren’t interested in building a distribution that does fully implement the GSM specification.  The use of OpenBSC on Linux could be targeted at telecom operators in emerging markets.  Considering the growth in mobile phone usage in emerging markets, and network operator’s constant search for cost reduction, there could very well be a business here.

Any takers?

*Well, if you can get a government issued bandwidth license

Comments

It’s an unexpected update, given that version 2.8.1 was released less than two weeks ago. But good to see that the community involved in WordPress development is on the case and with a quick fix.

The announcement post says this about the issue:

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.  Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.

I’m updating and I recommend you do, too, if you run WordPress.

Comments

Dave’s Answer:

The way that Mac OS X and its underlying Unix foundation are designed, it’s relatively easy to set up account and computer names and related on first run, but can be quite complicated to change them once you’ve gotten apps installed, documents created and otherwise have used the machine for a while.

In fact, I recently changed the admin account on a MacBook, including the home directory, and it took almost half an hour of careful steps, most done from the Terminal at the command line, before I was convinced it was done correctly and wouldn’t blow up on the new owner of the system when they tried to restart or log in. (if you’re trying to do that, you might well find that the Apple support docs are insufficient for 10.5 and above too)

Changing the name of your used iMac on the network shouldn’t be quite so difficult because there’s a place in the System Preferences to do just that, but what is a bit tricky is that you have to change the name twice for it to work.

First off, go to Apple –> System Preferences…. You’ll see this:

What you seek here is “Sharing”, almost exactly dead-center in the window.

Click on it and you’ll jump into the sharing configuration window:

As you can see, I already have a name collision on my network, which is why this computer is identifying itself as “Dave’s MacBook Pro (2)”: the “(2)” is added by Mac OS X when it finds another computer on the network with the same name. Not so good, but let’s fix things in order. First, click on the “Edit…” button:

Change the computer name here to what you want to have as your computer’s identity on the local network, and click “OK”.

Now, while you’re at the main Sharing window, change the name here too:

If you close this window and restart the computer, you should find that your iMac now identifies itself with the new name you’ve specified.

Good luck with your new Apple iMac!

Comments