Wireless security policies



not the disease. Shipping operating systems with unnecessary services enabled is irresponsible and risky at best. What role does RPC/DCOM play on the average home user’s computer? In the case of WebDAV, why enable remote management tools by default? Hasn’t history taught us this same lesson over and again?

End users cannot be required nor expected to harden their computer systems. It’s purely a pipe dream to ever assume they can or will. The burden cannot simply be off-loaded to the ISP either. Change must come from the source and it must come in the form of more responsible software releases. Only those services absolutely necessary for the system to operate in a non-networked fashion should be enabled by default. To do otherwise continues to place users and the Internet at increased risk of attack.

All virus writers look alike

When Jeffrey Lee Parson’s yearbook picture was plastered on the front page of newspapers around the world, he quickly became the poster child – the living embodiment – of every prejudiced stereotype hurled on virus writers throughout the years. After all, he was fat. He certainly didn’t look like he had a girlfriend. Plus, he was young, into computers, and hung out on TrojanForge, an online watering hole for script kiddies. The press quickly branded him a loner and rubber stamped his existence with two words: virus writer, waxing long on the perceived implications of that title.

In fact, Jeffrey Lee Parson, overlooking his penchant for peddling IRCbots, is a pretty normal kid. He even (gasp!) has a close-knit group of friends, has a good relationship with his parents, and doesn’t devote all his waking hours to the Internet. His neighbours reportedly said he was a great kid. In fact, he considers his computer a “hobby” and prefers hanging out with his buds.

Other virus writers add to the conundrum. The author of the Welchia worm left an uncharacteristically (according to the stereotype) sweet message in the text strings… “I love my wife & baby :-)”. Does that sound reminiscent of a pubescent sex-starved loner?

Of course, there are plenty of viruses that do support the myth that all virus writers are loners, losers and sexually starved. One has only to read the ‘poetry’ contained in the Kriz virus to believe that virus writer has few, if any, friends and a less than winning outlook on life (and religion). Certainly hundreds contain the F-bomb (or, if you prefer, F-Word), an estimation that could be used to support the theory that virus writers are angry and rebellious. Then again, one only has to turn on prime-time TV to hear the same type of rhetoric. Likewise, there are several examples of viruses that include accusatory text directed towards members of the antivirus industry, those that contain political messages, and others that contain warm dedications to family and friends. In short, the messages vary widely. If we carefully studied these text strings left behind by the authors, would we still conclude that “all” are lonely, sex-starved teens? Or could it just be that the virus writers are as diverse as the people who chase them?

The sins of our fathers

Security is not and never will be a passive endeavour. But it can be a far simpler proposition than it is currently and the burden of protection lightened from the shoulders of end users where it does not belong. With equal parts of hindsight and foresight, mixed in with a large dose of responsibility, it is possible to stop blaming the victims and take real steps to modify the behaviour of products and vendors contributing to the problem.

Is it a coincidence that the latter part of August saw our defenses probed and prodded by four successful threats? Our weaknesses have been exposed and exploited, deliberately or not. Regardless of past intent, it is nearly certain that future worms and viruses will deliberately target the soft underbelly of products and researchers.

wireless security

10

Wireless security policies
Bruce Potter

Security policies: The phrase that strikes fear in the hearts of many security professionals. Policy and policy enforcement is a critical part of any organization’s security posture. Unfortunately, many administrators find policy mundane or frustrating. When it comes to wireless security, a clear and complete policy is even more critical. Few other technologies can punch a hole into the core of an organization’s network like wireless. Thankfully for security professionals and their employers, wireless networks are new, interesting, and dangerous enough to actually warrant interest in creating and enforcing a policy.

Best practices

Security policies can take many shapes and forms. Some are very formal and weighty documents that have evolved over years and can be found on the desk of every employee in an organization. Other security policies are simply a loose collection of documents on the company’s intranet.


Regardless of their manifestation, security policies are, in their most basic form, a collection of best practices that employees must follow. An IT security policy guides an employee with respect to secure computing activities with an organization’s resources. It also provides the organization with remediation activities should a user violate the policy.

Due to the nature of wireless communications and the risks therein, it is critical for an organization to have a security policy explicitly dealing with wireless devices. I have seen instances where an organization catches an employee with a rogue access point on their desk plugged into the corporate network. However, because the organization did not have a security policy covering wireless devices, the employee simply claimed, “I didn’t know I shouldn’t have my own access point.” While there may have been no malicious intent on behalf of the employee, he violated the security posture of the organization. However, the company had no recourse against the employee because there was no explicit policy.

If you are not planning on deploying wireless, a policy that states “no wireless” may be sufficient. By explicitly indicating that no access points may be installed and no wireless devices may be active in users’ PCs, employees are able to clearly understand what they should not do. Without this explicit statement prohibiting wireless devices, users may just assume wireless is OK to deploy on their own. To security professionals, the idea seems insane, but remember that most users are not nearly as security conscious as we would like them to be.

Assuming that you decide to deploy wireless, then your wireless security policy should state what is and is not acceptable configuration and activity for wireless users. These guidelines will educate your users in how you intend your wireless network to be used. A wireless security policy is a means to make your users an active part in your wireless security strategy.

Link level security

The link level is the first building block in your network’s security mechanisms. It controls access to the local network, and without access to the local network, access to other networks cannot be achieved. Link level security mechanisms vary widely. The best-known way to secure the link layer is WEP. However, WEP has some inherent flaws that make it unacceptable to some organizations. More advanced link layer security may be required based on the level of risk and cost your organization is willing to bear.

Regardless of how you do link level security, your wireless security policy should clearly spell it out. If your company has chosen to use static WEP keys (for whatever reason), it should be in the policy. However, if you have chosen a more advanced route, such as 802.1x authentication with TKIP, your policy should specify that mechanisms such as WEP are not only not acceptable, but will not work with your infrastructure.

Network and application level security

Technically, “wireless” security ends at the link layer. Network and application layer security are not necessarily specific to wireless networks. However, in practice, some organizations may choose to add security at higher layers in an effort to contain any cracks that may occur at the wireless link layer. IPSec may be dictated for network layer connectivity out of a wireless subnet. Or an SSL tunnel may be needed for all intranet traffic sourced from the wireless network. Your wireless security policy should document any of the higher-level security mechanisms required.

Even if no particular network or application level security is dictated by your organization, your policy should still speak to the idea of defense in depth. Users of the policy should be made aware that every bit of extra security helps and to utilize network and application security whenever possible.

Client security

The wireless client tends to be the forgotten leg in the wireless puzzle. A good security policy specifies an acceptable level of security protections to be deployed on wireless workstations. For instance, many organizations choose to implement a host-based firewall on any wireless client. This assists in protecting the machine from directed network attacks. Your policy should also make statements regarding keeping patch levels current. With worms such as Blaster making the rounds, a wireless PC is a prime target for infection.

By the very nature of wireless clients, mobility is a concern. When a user takes their laptop home or to a coffee shop and uses a wireless network, their machine may be more vulnerable than it is at work. The coffee shop and home networks of the world are often less protected than corporate networks. Therefore, your security policy should cover what is acceptable offsite use of a corporate machine.

Rogue AP and station monitoring

Auditing a wireless network is important in maintaining the long-term security of the system. Attackers may successfully associate a client to your network. Or an attacker may stand up a rogue access point in an attempt to fool your users. Regardless of your link-level security, both of these situations can be detected if proper auditing is in place. Through commercial tools such as AirDefense [1] or open source tools such as Kismet [2], your operations staff can discover in real-time rogue stations and access points. Your wireless security policy should speak to the specific operational auditing that needs to occur in order to meet your required level of security.
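The auditing described above, and the link-level policy from the earlier section, can be turned into a check that operations staff run over each scan. The following is an added example (not the article's, nor Kismet's or AirDefense's code): it takes constructed scan records of the kind a scanning tool reports, compares them with an authorised-AP inventory, a required link-level mechanism and a list of known corporate stations, and reports rogue APs, rogue stations, sanctioned APs whose configuration drifted from policy, and corporate clients that joined a foreign AP. All MAC addresses, SSIDs and records are constructed.

```python
# Added example: audit constructed wireless scan records against the
# authorised-AP inventory, the link-level policy and known stations.
# Every MAC address, SSID and record below is constructed sample data.
from dataclasses import dataclass

# Authorised access points: BSSID -> SSID (constructed placeholders).
AUTHORISED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
# Link-level policy: 802.1X with TKIP was chosen, so WEP/open APs violate it.
ALLOWED_ENCRYPTION = {"WPA-TKIP-802.1X"}
# Corporate wireless clients known to operations (constructed MACs).
KNOWN_STATIONS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

@dataclass
class ScanRecord:
    kind: str            # "ap" or "station"
    mac: str             # BSSID of an AP, or a station's own MAC
    ssid: str = ""       # network name (for a station: the one it joined)
    encryption: str = "" # as advertised in the AP's beacons
    bssid: str = ""      # for a station: the AP it is associated to

def audit(records):
    """Return (finding, mac, detail) tuples for every policy violation seen."""
    findings = []
    for r in records:
        mac, bssid = r.mac.lower(), r.bssid.lower()
        if r.kind == "ap":
            if mac not in AUTHORISED_APS:
                # Unsanctioned AP: an employee's own device on the LAN, or an
                # attacker's AP advertising the corporate SSID to fool users.
                if r.ssid in AUTHORISED_APS.values():
                    findings.append(("rogue_ap", mac, f"{r.ssid}: impersonates corporate SSID"))
                else:
                    findings.append(("rogue_ap", mac, f"{r.ssid}: unsanctioned AP"))
            elif r.encryption not in ALLOWED_ENCRYPTION:
                # Sanctioned AP whose configuration drifted from the policy.
                findings.append(("weak_link_security", mac, f"{r.ssid} uses {r.encryption}"))
        elif r.kind == "station":
            if bssid in AUTHORISED_APS and mac not in KNOWN_STATIONS:
                # Unknown client associated to our infrastructure.
                findings.append(("rogue_station", mac, f"associated to {bssid}"))
            elif mac in KNOWN_STATIONS and bssid not in AUTHORISED_APS:
                # Corporate laptop joined somebody else's AP while on site.
                findings.append(("client_on_foreign_ap", mac, f"associated to {bssid}"))
    return findings

# Constructed snapshot: two sanctioned APs (one misconfigured), an
# impersonating AP, a consumer AP, and three stations.
SAMPLE_SCAN = [
    ScanRecord("ap", "00:11:22:33:44:01", "corp-wlan", "WPA-TKIP-802.1X"),
    ScanRecord("ap", "00:11:22:33:44:02", "corp-wlan", "WEP"),
    ScanRecord("ap", "de:ad:be:ef:00:01", "corp-wlan", "WEP"),
    ScanRecord("ap", "de:ad:be:ef:00:02", "linksys", "OPEN"),
    ScanRecord("station", "aa:bb:cc:dd:ee:01", "corp-wlan", bssid="00:11:22:33:44:01"),
    ScanRecord("station", "12:34:56:78:9a:bc", "corp-wlan", bssid="00:11:22:33:44:01"),
    ScanRecord("station", "aa:bb:cc:dd:ee:02", "linksys", bssid="de:ad:be:ef:00:02"),
]
```

Running `audit(SAMPLE_SCAN)` yields five findings; the first sanctioned AP and the known station on it produce none.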

Not just WLAN

If your organization uses other types of wireless devices for business activities, they should be included in your policy. For instance, the Blackberry communication device by RIM is a popular gadget within many companies. Executives love the Blackberry because it allows them to stay in touch when they are on the road. However the Blackberry bears security concerns. Your policy may specify what types of communication can be transmitted over a Blackberry, possibly limiting exposure of sensitive or confidential


spam & sobig

12

Spam & Sobig: arm in arm
Joe Stewart, senior security researcher, LURHQ Corporation

This is the sordid tale of how a lone computer virus opened the door for millions of spam emails every day worldwide. In order for the reader to understand how this happened, this article will explain some concepts in spam, viruses and backdoors. Viruses sometimes leave backdoors, also known as “trojans,” on systems they infect; this is nothing new. The idea is to give the virus writer control over a large quantity of infected computers, establishing a virtual army of computers to do his or her bidding.

The author of the virus discussed in this paper had a different idea: using a virus as the delivery mechanism to install anonymous proxy servers on thousands of computers worldwide. Instead of seeking to control the hosts, the virus author merely intended to establish a network of relay points through which they could direct their own connections, concealing their true origin wherever they went on the Internet. Whether or not the author intended it for the purpose of spam, this proxy network has been co-opted by spammers who use it to constantly flood the Internet with a variety of unsolicited commercial email while hiding from potential retribution.

The information in this article is the result of months of first-hand investigation into the Sobig worm family by LURHQ’s Threat Research Group.

The evolution of spam methodology

In the beginning of spam, spammers would simply send email from their own ISP account. This quickly changed as angry users and sysadmins hunted down the spammers. They soon turned to new methods to conceal their origins.

The disposable dialup account

The first method, which served them well for many years, was the throwaway dialup account. A spammer would sign up for an account with an ISP on Friday, and let loose a torrent of spam over the weekend. By the time users’ complaints reached the ISP’s sysadmins on Monday morning, the spammer would have already abandoned the account. However, dialup accounts require a credit card to sign up, and the spammers found their credit was no good with any ISP after a while.

The open SMTP relay

When the Internet was non-commercial, people would set up their mail (SMTP) servers to allow anyone to send email through them, regardless of the destination. Spammers quickly discovered that this would allow them to leverage the bandwidth of large servers to send email for them. Instead of having to send each email slowly over the dialup line, they could drop a single copy onto a relaying SMTP server along with a list of recipients to copy the message to. This allowed for quick distribution with no cost to the spammer. Unfortunately, the cost was offloaded onto the relaying mail administrator, as spam would clog up the system and prevent it from sending legitimate email. Eventually the Internet adapted to the problem and many ISPs began blacklisting SMTP servers that acted as open relays. Upon being blacklisted, the SMTP mail administrator would usually fix the problem and kill off the spammer’s access. This began to be a problem for the spammers. Another problem was that even though the relay did all the work, the spammer’s origin would still be logged. Spammers responded by injecting phony headers into the message in order to obscure the true origin, but by-and-large their IP addresses would still be identified by spam-hating admins. They would then lose the account they were spamming from, causing an endless churn of work, as they had to constantly open new accounts to spam from.
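The point about phony headers deserves a worked illustration of how admins still found the origin. The following is an added example (not the article's or LURHQ's code): it walks a message's Received headers from the top (the newest hop) down, believes only the hops that our own mail servers stamped, and takes the first external peer address they recorded as the origin; anything below that hop was written by the sender and may be forged. The trusted host names, networks and the four constructed header lines, including the injected phony one at the bottom, are all assumptions made for the example.

```python
# Added example: find a message's verifiable origin from its Received
# headers. Header order is most recent hop first; our MTAs prepend their
# own line, so a phony line injected by the sender always sits below the
# genuine ones and is never reached. Hosts and addresses are constructed.
import re
from ipaddress import ip_address, ip_network

TRUSTED_MX = {"mx1.example.org", "mx2.example.org"}   # our MTAs (constructed)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]             # where they live (constructed)

# "from <helo> (<rdns> [<ip>]) by <host> ..." as most MTAs write it.
_FROM_RE = re.compile(r"^from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)
_BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)

def parse_received(value):
    """Return (claimed_helo, peer_ip, receiving_host), or None if unparsable."""
    m, b = _FROM_RE.search(value), _BY_RE.search(value)
    if not (m and b):
        return None
    return m.group(1), m.group(2), b.group(1)

def trace_origin(received):
    """received: Received header values in header order (most recent first).
    Returns (origin_ip, unverified_hops)."""
    for i, hdr in enumerate(received):
        parsed = parse_received(hdr)
        if parsed is None or parsed[2].lower() not in TRUSTED_MX:
            # Chain broke before reaching an external hop: nothing is verified.
            return None, received[i:]
        _helo, ip, _by = parsed
        if not any(ip_address(ip) in net for net in TRUSTED_NETS):
            # Our MTA recorded this peer itself, so it is the origin as far as
            # we can verify; hops below were written by that peer or forged.
            return ip, received[i + 1:]
    return None, []   # only internal hops: the message was generated locally

# Constructed header chain: our two MTAs, then an open relay, then the
# dialup host that used it, then a phony line the sender injected.
SAMPLE_RECEIVED = [
    "from mx1.example.org (mx1.example.org [10.0.0.5]) by mx2.example.org with ESMTP id A1; Mon, 1 Sep 2003 10:00:03 -0400",
    "from relay.open-relay.example (relay.open-relay.example [198.51.100.7]) by mx1.example.org with ESMTP id B2; Mon, 1 Sep 2003 10:00:01 -0400",
    "from ppp-45.dialup.isp.example (ppp-45.dialup.isp.example [203.0.113.45]) by relay.open-relay.example with SMTP id C3; Mon, 1 Sep 2003 09:59:50 -0400",
    "from mail.bigbank.example (mail.bigbank.example [192.0.2.9]) by ppp-45.dialup.isp.example with SMTP id D4; Mon, 1 Sep 2003 09:59:00 -0400",
]
```

For the sample chain the verifiable origin is the open relay's address; the dialup line and the forged bank line are returned separately as unverified, which is exactly why the relay, not the forged host, ended up on the blacklists.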

The Sobig proxy network has been co-opted by spammers.

Evolving spammer tricks

• Use of throwaway dial-up accounts.

• Exploitation of the open SMTP relay.

• Use of proxy servers.

business information. For every sanctioned wireless device used by your company, your wireless policy should specify acceptable configuration and usage.

References

1. AirDefense – www.airdefense.com/
2. Kismet – www.kismetwireless.net/

About the author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, he served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 he founded The Shmoo Group. Bruce co-authored 802.11 Security published through O'Reilly and Associates and has coauthored Mac OS X Security. He is currently a senior security consultant at Cigital.