Lack of integration undermines IT security



hack of the month

Of course it's even harder to remember a complicated password, and that's one of the reasons why compromised systems can sometimes be traced back to the use of a 'weak' password.

When you ask someone to guess your password, you'll imagine a person typing in one guess after another. Most people would try to guess film names, friends' names, places they've visited, and would probably give up pretty soon.

A hacker, on the other hand, has a different approach. He or she will let computers do the hard work, using password cracker programs to try thousands of possible words as fast as the victim's computer can process them; the program won't stop until it has either gained access or run out of words to try (which could be in the hundreds of thousands). This technique is commonly known as a 'dictionary attack'.

In order to increase the chance of success, the hacker will add dictionaries and other word files to the cracking database, creating a huge quantity of possible passwords.

These dictionaries can be added or removed to customise the attack and reduce attack time. For example, if an attacker was trying to gain access to a computer in France he may add the 'French words' and 'places in France' wordlists. Or if the website was film related, he may add in 'actors' names' or 'movie titles'.

Many hacker sites now contain categories of word lists, including common passwords and dictionaries of foreign words. These downloaded files appear as text files and would be unlikely to draw attention if used within a company.

Crackers also share passwords to systems that they've compromised with other hackers, and if your password isn't changed at regular intervals it may also end up displayed on hacking websites, with information on how and where to use it.

Over the last few months we have seen a significant increase in the variety of word lists which are available, including slang terms and acronyms.

Passwords
David Duke, Cryptic Software

The 'strength' of a password, i.e. how easy it is to guess, can be judged on the number of characters and the mixture of numbers and other keyboard symbols used. A password made from a single word, such as 'earth', is of very poor strength compared to '3ar7%', which is harder to crack.
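The column above describes a cracker assembling category wordlists, and the sidebar judges strength by length and character mix. The following Python is an added example, not code from the column, from Cryptic Software or from any cracking tool: it runs a small dictionary attack with hashcat-style mangling rules (case changes, partial leet substitution, appending or replacing a trailing character) over constructed wordlists, and contrasts that with the brute-force keyspace the length-and-mixture view implies. The wordlists, the unsalted SHA-256 used as the stored hash, and the rule set are all assumptions. The practitioner's caveat it shows: '3ar7%' has a keyspace over a hundred times larger than 'earth', yet because it is derived from the dictionary word it falls to the same attack within a few hundred guesses. Mangling rules, not raw character mix, are what decide strength once a password is based on a word.

```python
import hashlib
import itertools

# Constructed stand-ins for the category wordlists the column describes.
WORDLISTS = {
    "common": ["password", "123456", "qwerty", "letmein"],
    "english": ["earth", "water", "fire"],
    "french": ["soleil", "paris", "fromage"],
    "movies": ["matrix", "titanic", "gladiator"],
}

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = ["1", "!", "%", "123", "2003"]


def leet_variants(word):
    """Every partial leet substitution of a word (hashcat-style 's' rules)."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def mangle(word):
    """Candidates a rule-based cracker derives from one base word."""
    for base in (word, word.capitalize(), word.upper()):
        for v in leet_variants(base):
            yield v
            for s in SUFFIXES:
                yield v + s        # append rule ('$x')
                yield v[:-1] + s   # drop last char, then append (']' '$x')


def candidates(categories):
    """Stream the mangled contents of the chosen wordlists, deduplicated."""
    seen = set()
    for cat in categories:
        for word in WORDLISTS[cat]:
            for cand in mangle(word):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def hash_password(pw):
    # Unsalted SHA-256 stands in for whatever the target stores (assumption);
    # the attack is identical for any fast unsalted hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target_hash, categories):
    """Return (cracked_password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates(categories):
        guesses += 1
        if hash_password(cand) == target_hash:
            return cand, guesses
    return None, guesses


def naive_keyspace(pw):
    """Brute-force keyspace implied by judging strength on length and mix alone."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size ** len(pw)


if __name__ == "__main__":
    for pw in ("earth", "3ar7%", "Matrix2003", "correct horse battery"):
        found, n = dictionary_attack(hash_password(pw), list(WORDLISTS))
        print(f"{pw!r}: keyspace {naive_keyspace(pw):,}, cracked={found!r} after {n} guesses")
```

The rule set is deliberately tiny; real cracking rule files contain thousands of such transformations, and category lists can be swapped in exactly as the column describes by changing the list passed to `dictionary_attack`.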

Lack of integration undermines IT security
Philip Hunter

The IT security industry stands accused of focusing too much on "best of breed" point products at the expense of proper integration, and as a result exposing organizations to unnecessary costs and threats. The Royal Mail recently vented its disquiet in public when its group head of security, David Lacey, complained of the effort needed to make any new product or solution work properly within the existing security structure. "I'm not interested in best of breed, only in how things fit together," Lacey bemoaned.

In fairness to the industry, some vendors at least have been awake to the problem for some time, and there are several initiatives to develop common protocols and interoperability standards.

Before examining some of these initiatives, both by single vendors and by industry groups, it is worth noting that, as with so many issues in IT, we have been here before. In the late 1980s and early 1990s the emergence of client/server computing created a need for new management products to cope with an increasingly distributed and diverse computing environment. There were many complaints then that a proliferation of point products was making end-to-end management harder rather than easier.

This provided a cue for a new generation of system management vendors, led by Tivoli, to create an integrated framework approach that would provide a single view of the whole network. At first this approach was an almost unmitigated success, and Tivoli enjoyed explosive growth, but after a while problems did emerge. As IT environments became ever more complex, the size of the management framework itself became an issue, and ironically in some cases increased rather than diminished the total cost of owning a network.

There were problems when companies merged and found that they had to interoperate with other management products not embraced by the framework. It became necessary to break the framework down and allow customers to install components of it on their own, almost point style, rather than having to commit to a huge software package in one go. The emphasis switched more to common standards and protocols allowing different vendors' management products to interoperate and co-operate, rather than to megalithic integration frameworks.

Bearing all this in mind, it is interesting to note that Tivoli, now part of IBM, is taking a slightly different line with security management, focusing much more strongly on high level standards that transcend individual products. At the same time IBM has a big security idea: autonomic


management. The idea is to identify potential security threats in advance and alert security managers so that proactive action can be taken. The longer term objective is to provide self-healing security management and fix the problems automatically.

This approach above all relies on interoperability, for it is impossible for the network to do anything unaided by humans if its components cannot communicate with each other. But rather than a framework, IBM is forging alliances with other vendors to ensure that their products work properly together. Current partners include Enterasys Networks for intrusion detection, Sanctum for protection against high level application attacks such as identity theft, and Tripwire for detecting changes in files that might signify an attack. The new autonomic features are delivered in the latest security management software, IBM Tivoli Risk Manager 4.1.

Even this approach brings the danger of creating security factions or ghettos, for again what happens when two companies merge and one of them is in bed with a different set of vendors? Nonetheless it is a step in the right direction.

Of the dedicated security vendors, Symantec has been among the strongest champions of multi-vendor integration. In October 2002 the company released its Symantec Security Management System, with, like IBM, an emphasis on proactive control. Symantec is also creating a third party interoperability programme, to be formally announced in early 2003, answering to some extent the call from the Royal Mail's Lacey.

A rather different slant is being taken by the security vendor Asita Technologies, with its Gx security box designed specifically as a platform for integrating third party security products. This is designed to host other vendors' security applications in a highly robust and secure system based on a dedicated security operating system. It is an interesting approach worthy of consideration, but it does beg some questions, such as whether this is a security version of the framework and how well it will work with third party products without significant collaboration between Asita and the vendors concerned.

There is recognition from some vendors, including IBM and Symantec, that the long term future lies with open standards. According to IBM's security business unit manager for northern Europe, Peter Jopling, there are three distinct groups of standards: Web security services, Federated Identity Management, and Java middleware for connecting applications with security processes. Together these three components will be needed to provide defence in depth within future open networks without clear boundaries, according to Jopling. "Enterprises have got to go with vendors who can prove adherence to these standards," he said.

There is also a growing conviction that there must be a single open set of standards for the exchange of information between security components of all types. As a result there is increasing momentum behind the Security Assertion Markup Language (SAML), which is being developed and promoted by the non-profit Organisation for the Advancement of Structured Information Standards (OASIS). SAML, belonging to the larger XML group of data description standards, defines a common structure for exchanging authentication, attribute and authorization decision information. The eventual hope is that SAML will greatly ease the task of integrating security between two networks that are based on products from different vendors. It is also hoped that SAML will further the elusive goal of single sign on. SAML supports single sign on by carrying proof of authentication, whatever front-end identification mechanism is deployed, such as passwords, smartcards or biometrics.

But perhaps most important of all, SAML is designed for the security architecture of the future, based on roles, policies and information flows. It defines services for the association of groups and roles with rules governing permissions. The idea is that rights will be granted on the basis of what users are doing at the time rather than just on who they are. Similarly, the degree of access allowed to particular information may vary according to circumstances such as the nature and location of the application requesting it, rather than the identity of the user.

One of the first implementations of SAML is the EASI (Enterprise Application Security Integration) framework from Quadrasis, a subsidiary of Hitachi. Again the use of the word framework may ring alarm bells, but Quadrasis insists that no vendor will be excluded. Any product supporting SAML should interoperate with EASI.
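To make concrete what the preceding paragraphs describe, here is an added Python example, not code from the article, from OASIS or from Quadrasis. One function plays the identity provider and emits a minimal SAML assertion carrying proof of authentication (which front-end mechanism was used) and a role attribute; a second plays the relying party, checking the validity window and audience before reading those statements; a third applies an access policy in which the decision depends on the user's role and on how strongly they authenticated, not on identity alone. The element names follow SAML 2.0, a later revision than the one the article would have seen; the issuer and audience URLs, the `POLICY` table, the resource paths and the `NOW` clock are all assumptions made for the demo. XML signature verification is omitted because it needs an XML-DSig library; as the comment in `validate_assertion` says, a real consumer must verify the signature first, since an unsigned assertion proves nothing.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

# OASIS-defined authentication context classes: how the subject was identified.
AUTHN_CLASS = {
    "password": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "smartcard": "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
}
STRENGTH = {"password": 1, "smartcard": 2}

# Hypothetical relying-party policy: role AND authentication strength per resource.
POLICY = {
    "/reports": {"roles": {"finance", "auditor"}, "min_authn": "password"},
    "/payroll": {"roles": {"finance"}, "min_authn": "smartcard"},
}

NOW = dt.datetime(2003, 1, 15, 12, 0, 0)  # constructed clock for the demo, treated as UTC
SECOND = dt.timedelta(seconds=1)


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def q(tag):
    return f"{{{SAML}}}{tag}"


def build_assertion(issuer, subject, audience, method, roles, now, ttl_s=300):
    """What an identity provider emits after authenticating `subject` via `method`."""
    a = ET.Element(q("Assertion"), Version="2.0", ID="_id1", IssueInstant=_iso(now))
    ET.SubElement(a, q("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID")).text = subject
    cond = ET.SubElement(a, q("Conditions"), NotBefore=_iso(now),
                         NotOnOrAfter=_iso(now + ttl_s * SECOND))
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    stmt = ET.SubElement(a, q("AuthnStatement"), AuthnInstant=_iso(now))
    ET.SubElement(ET.SubElement(stmt, q("AuthnContext")),
                  q("AuthnContextClassRef")).text = AUTHN_CLASS[method]
    attr = ET.SubElement(ET.SubElement(a, q("AttributeStatement")), q("Attribute"), Name="role")
    for r in roles:
        ET.SubElement(attr, q("AttributeValue")).text = r
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml, expected_audience, now):
    """Relying-party checks; raises ValueError on any failure.

    A real consumer MUST first verify the XML signature over the assertion
    (omitted: needs an XML-DSig library). Without it, nothing below is trustworthy.
    """
    a = ET.fromstring(xml)
    if a.tag != q("Assertion"):
        raise ValueError("not a SAML assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this audience")
    cls = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    method = next((m for m, uri in AUTHN_CLASS.items() if uri == cls), None)
    if method is None:
        raise ValueError("unrecognised authentication context")
    roles = {v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)}
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"subject": subject, "method": method, "roles": roles}


def authorize(xml, resource, expected_audience, now):
    """'ok' or the reason access was refused; identity alone never decides."""
    try:
        ctx = validate_assertion(xml, expected_audience, now)
    except ValueError as e:
        return str(e)
    rule = POLICY.get(resource)
    if rule is None:
        return "no policy for resource"
    if not (ctx["roles"] & rule["roles"]):
        return "no permitted role"
    if STRENGTH[ctx["method"]] < STRENGTH[rule["min_authn"]]:
        return "authentication too weak for resource"
    return "ok"
```

Run with two assertions for the same user, one password-backed and one smartcard-backed: the password one opens `/reports` but not `/payroll`, which is the "rights depend on what the user is doing and how they got in" behaviour the text describes.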

As always there are questions that will need answering during the evaluation stage, before adopting a serious package such as EASI. These include how easy it really is to integrate and manage third party solutions, and what the impacts are on performance. It also relies on SAML being widely supported by other vendors, which does admittedly look a good bet.

It is worth also bearing in mind the underlying reasons for integrating all your security products, and these are to reduce cost and risk. The cost of security management has certainly escalated as enterprises have exposed their networks to external Web access and to business partners. There is certainly great potential for reducing costs if all products and security functions can be administered from a single point.

It has also become clear that a disintegrated approach to security is more vulnerable. One could say that the hole is greater than the sum of its points. Indeed, blended threats have emerged partly to exploit the weaknesses created by point security products that fail to co-operate properly. Such blended threats can have the combined properties of viruses, worms, Trojan horses and other malicious code, and utilise multiple methods of both attack and self-propagation. The damage that such threats can achieve has already been demonstrated by the likes of Nimda and Code Red, which both succeeded precisely by exploiting the

There can be few people involved with IT that have not seen an article describing the weaknesses in WLAN security. AirSnort, war-driving and war-chalking are common phrases whenever WLAN security is discussed. In this article we will describe how WLANs can be secured and go through some of the technical aspects of the various standards.

Note: A lot of publicity around WLANs mentions something called the Service Set ID (SSID), but we should be very clear that this has nothing to do with the security of WLANs. The SSID is always available in the clear and does not provide any security. Knowledge of the SSID should not have any impact on a securely implemented WLAN. It is fun though!

Standards
When discussing WLAN security there are four standards or specifications that should be considered.

• IEEE 802.11b describes the implementation of the most common WLAN products in use today. It includes aspects of the radio implementation and also includes a specification for security. It describes the use of Wired Equivalent Privacy (WEP) based around a 40-bit key.

• IEEE 802.11i is a working group (WG) that is actively defining a new security architecture for WLANs to cover future generations of WLAN solutions, such as IEEE 802.11a and IEEE 802.11g. Those two specifications cover the radio aspects of the implementation but not the security features.

• Wi-Fi: the Wi-Fi Alliance is a non-profit international association formed in 1999 to certify interoperability of wireless Local Area Network products based on the IEEE 802.11 specification. Currently the Wi-Fi Alliance has 193 member companies from around the world, and 522 products have received Wi-Fi certification since certification began in March 2000. The Wi-Fi specifications also specify the use of WEP.

• Wi-Fi Protected Access (WPA) is a new specification from the Wi-Fi Alliance. It is based around a subset of the upcoming IEEE 802.11i standard and is designed to be forward compatible with that standard when it becomes ratified. It should be noted that some vendors, such as Cisco Systems, have implemented pre-standard versions of these security features already.
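The 802.11b entry above says WEP is "based around a 40-bit key", and the standfirst refers to its well-publicised holes. The following Python is an added example, not code from the article or from Cisco, showing the simplest of those holes, which does not depend on the key length at all. WEP builds each frame's RC4 key as a 24-bit IV sent in clear followed by the shared key, and appends a CRC-32 integrity value; the IV space is so small that, by the birthday bound, a random IV repeats within a few thousand frames, and two frames under the same IV share a keystream, so knowing one plaintext (a predictable ARP or DHCP frame, say) reveals the other with no key recovery at all. The key, IV and payloads are constructed for the demo. This is not the weak-IV key-recovery attack that AirSnort implements, which is more involved; the point here is that a longer key (the 104-bit variant) leaves the 24-bit IV problem untouched.

```python
import math
import struct
import zlib


def rc4(key, data):
    """RC4 key scheduling and keystream generation, XORed over data (encrypt == decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP integrity check value: a plain CRC-32, little-endian (linear, so not a MAC)."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key40, iv, payload):
    """WEP-40 frame body: 3-byte IV in clear, then RC4(IV || key) over payload || ICV."""
    if len(key40) != 5 or len(iv) != 3:
        raise ValueError("WEP-40 needs a 5-byte key and a 3-byte IV")
    return iv + rc4(iv + key40, payload + icv(payload))


def wep_decrypt(key40, frame):
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key40, body)
    payload, tag = plain[:-4], plain[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


def recover_from_iv_reuse(frame_known, known_payload, frame_unknown):
    """Attacker's view: two captured frames share an IV (hence a keystream) and the
    plaintext of one is known. Recovers the other payload without the key."""
    if frame_known[:3] != frame_unknown[:3]:
        raise ValueError("frames use different IVs; no keystream reuse to exploit")
    keystream = bytes(c ^ p for c, p in zip(frame_known[3:], known_payload + icv(known_payload)))
    body = frame_unknown[3:]
    recovered = bytes(c ^ k for c, k in zip(body, keystream))
    # The trailing ICV can only be stripped if the keystream covered the whole body.
    return recovered[:-4] if len(recovered) == len(body) else recovered


def frames_until_iv_repeat(prob=0.5, iv_bits=24):
    """Birthday bound: frames after which a randomly chosen IV has repeated with probability prob."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    iv = b"\x00\x00\x01"                   # constructed IV; many cards simply count up from 0
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0\r\n")
    f2 = wep_encrypt(key, iv, b"password=hunter2")
    print(recover_from_iv_reuse(f1, b"GET /index.html HTTP/1.0\r\n", f2))
    print("frames until a random IV repeats (p=0.5):", frames_until_iv_repeat())
```

Cards that reset the IV counter to zero on each power-up make the collision far more likely than the birthday figure suggests, since every station starts from the same IVs.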

Security policy
Before discussing the technicalities of WLAN security we must not overlook that a properly designed and implemented security policy will be essential if secure WLANs are to be achieved. There must be clearly defined policies in place that describe how WLANs are to be implemented, and these policies must clearly mandate which security features must be configured. For instance, at Cisco Systems we have very widespread use of our WLAN technology and it is clearly mandated that all access points (APs) must have encryption enabled, and they must use LEAP for authentication and dynamic WEP keys. LEAP is a version of the Extensible Authentication Protocol (EAP) and will be discussed later in this article. It is often referred to as EAP-Cisco Wireless.

A very important part of the security policy will cover the issue of rogue APs. A rogue AP can be defined as one which is not configured or installed according to the security policy, either maliciously or accidentally. The detection of rogue APs cannot be done only on the radio side; it must also be done on the wired side of the network. A radio-based system will not scale to detect remote rogue APs located in remote offices or employees' home offices.
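As an added example of the wired-side detection the paragraph above calls for (this is not code from the article or from Cisco), the Python below parses a switch MAC address table in the layout of Cisco IOS `show mac address-table` output and flags three things a rogue AP produces on the wired side: a MAC whose vendor prefix belongs to an AP model but is not in the sanctioned inventory; a sanctioned AP appearing on a port other than the one it was installed on; and an access port carrying several hosts with no sanctioned AP behind it, which is what an unlisted AP (or a hub) looks like from the switch. The table, the OUI prefixes and the inventory are constructed for the demo; in practice the prefixes come from the IEEE OUI registry for the vendors you buy, and the tables from the switches at every site, which is exactly why this scales to remote offices where no radio sensor is.

```python
import re
from collections import defaultdict

# Constructed 'show mac address-table' output; not captured from a real switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.5e00.0a01    DYNAMIC     Fa0/1
  10    0200.4c00.0001    DYNAMIC     Fa0/3
  10    0200.5e00.0a02    DYNAMIC     Fa0/3
  10    0200.5e00.0a03    DYNAMIC     Fa0/3
  10    0200.4c00.0009    DYNAMIC     Fa0/5
  10    0200.5e00.0a10    DYNAMIC     Fa0/6
  10    0200.5e00.0a11    DYNAMIC     Fa0/6
  10    0200.5e00.0a12    DYNAMIC     Fa0/6
  10    0200.4c00.0002    DYNAMIC     Fa0/7
"""

# Hypothetical OUI prefix of the AP models the organisation buys.
AP_OUIS = {"02:00:4c"}

# Sanctioned AP inventory (hypothetical): MAC -> switch port it was installed on.
AUTHORISED_APS = {
    "02:00:4c:00:00:01": "Fa0/3",
    "02:00:4c:00:00:02": "Fa0/8",
}

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def normalise_mac(cisco):
    """'0200.4c00.0001' -> '02:00:4c:00:00:01'."""
    digits = cisco.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), normalise_mac(m.group(2)), m.group(3)))
    return entries


def find_rogue_aps(entries, authorised=AUTHORISED_APS, ap_ouis=AP_OUIS, max_hosts=1):
    """Return (port, mac_or_None, reason) findings, ordered by port."""
    by_port = defaultdict(list)
    for _vlan, mac, port in entries:
        by_port[port].append(mac)
    findings = []
    for port, macs in sorted(by_port.items()):
        sanctioned_here = [m for m in macs if authorised.get(m) == port]
        for mac in macs:
            if mac[:8] in ap_ouis and mac not in authorised:
                findings.append((port, mac, "AP-vendor MAC not in inventory: likely rogue AP"))
            elif mac in authorised and authorised[mac] != port:
                findings.append((port, mac, f"sanctioned AP on wrong port (expected {authorised[mac]})"))
        # Many hosts behind an ordinary access port means something is bridging
        # for them; an AP with an OUI we do not track, or a hub.
        if not sanctioned_here and len(macs) > max_hosts:
            findings.append((port, None, f"{len(macs)} hosts behind one access port: unlisted AP or hub"))
    return findings


if __name__ == "__main__":
    for port, mac, reason in find_rogue_aps(parse_mac_table(MAC_TABLE)):
        print(f"{port:8} {mac or '-':20} {reason}")
```

Ports with a sanctioned AP legitimately carry many client MACs (Fa0/3 here), so the multiple-host heuristic is suppressed for them; it is the combination of the three checks, fed from every switch in the estate, that gives the coverage a radio sweep cannot.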

Authentication
There are two recommended approaches to authentication within WLANs: do the authentication at either layer 2 or layer 3 of the seven-layer ISO stack. Layer 3 schemes are based on IP addresses, and the most common example of such schemes would be based on VPN technology such as IPsec. These are commonly used in public or extranet type networks, but because of the increased


Wireless LAN Security: Things You Should Know about WLAN Security
Kevin Regan, Cisco Systems

Given the well-publicised security holes in baseline wireless LAN (WLAN) standards, just how should security-conscious network managers proceed with safeguarding their wireless environments?

gaps inevitably left when security technologies operate in isolation.

It is less widely appreciated that disintegrated security can also be highly deleterious to performance. This is because it leads in turn to a disorganized approach to fixing problems. Security fixes are often issued by different vendors and implemented in a piecemeal fashion without much fine tuning or integrated testing. The result is a deterioration in performance, contributing to the slow and unpredictable response times now endemic with many public Web-based applications. It has to be remembered that performance, security and cost are just shades of the overall IT management problem and should be balanced against each other.