Tom Olzak

Wi-Fi Sense Creates New User-dependent Security Issue

In Access Controls, Computers and Internet, Wireless Security on July 3, 2015 at 04:00

For those who haven’t seen it yet, Windows 10 includes a feature, WiFi Sense, that lets a user share WiFi access with friends. For example, Bob might allow Alice to use his access point. Once shared, she never has to enter a password again to use Bob’s network.

This doesn’t necessarily give Alice access to network resources, just the Internet. However, access to the access point creates opportunities to use it to commit a crime while the blame lands on Bob. And then there’s the chance that the barrier between Bob’s guest network and his internal network isn’t as strong as it should be.

The WiFi Sense problem arises when Alice decides to share that access with her own friends. According to an article in Extreme Tech,

“WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook.

That last feature is the potentially controversial one. When you turn on this feature of WiFi Sense (and it’s not clear if the feature comes activated or not), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.”

So whether questionable people end up with access to Bob’s access point depends on how Alice sets the sharing switches when she first connects.

[Image: WiFi Sense Selection]

Microsoft apparently has two solutions to this, neither of them acceptable to those of us who attempt to help keep systems secure. First, Bob can change his SSID to include an opt-out tag, as shown below:

[Image: WiFi Sense SSID Opt Out]

Or he can set up the connection for Alice himself and make sure her sharing settings are properly set. Both options rely on Bob or Alice making the right choices. No one in security believes relying on human behavior for security is a good idea.

Microsoft, what were you thinking?

CryptoWall continues to spread

In Cybercrime, Data Security, Content Filtering, Computers and Internet, Ransomware on July 3, 2015 at 04:00

CryptoWall, a form of ransomware, is a growing threat. Attackers use it to hold an organization’s resources hostage until they get something of value. This costs Americans millions… and it’s getting worse (FBI, 2015).

Ransomware like CryptoWall and Cryptolocker encrypts files on the infected machine and on any storage attached to it. It then demands hundreds or thousands of dollars before the attackers agree to decrypt the hostage data.

Defense against this attack method is getting harder as attackers find new ways to deploy CryptoWall and Cryptolocker. Advanced attack techniques often leverage human vulnerabilities to bypass security controls.

The FBI provides a long list of defensive measures. However, businesses should begin by implementing a short list of controls that protect against all types of advanced malware, not just ransomware: web filtering, spam filtering, email malware filtering, and (likely most important) denying users local administrator access. This is in addition to best practices that should already be in place, including network segmentation with an application server abstraction layer (end-user device-to-application servers-to-database servers) to help isolate critical data from infected end-user devices.
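The behavior described above, a single process rewriting everything it can reach on the local disk and on attached shares, is also what a detection control can key on. The following is an added example, not from the post or the FBI guidance: a sliding-window heuristic over constructed file-change events that flags a process which changes the extension of many files in a short span. Event fields, thresholds and process names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds; the feed is assumed to be roughly time-ordered
    process: str     # image name of the writing process
    path: str        # path before the operation
    new_path: str    # path after a rename; equal to path for an in-place write

def _ext(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def suspicious_processes(events: Iterable[FileEvent], window: float = 60.0,
                         threshold: int = 20, ratio: float = 0.8) -> Dict[str, int]:
    """Flag processes that, within any `window` seconds, touched at least
    `threshold` files and changed the extension on `ratio` or more of them.
    Returns {process: size of the largest such span}."""
    by_proc: Dict[str, List[FileEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[ev.process].append(ev)
    flagged: Dict[str, int] = {}
    for proc, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            changed = sum(1 for e in span if _ext(e.path) != _ext(e.new_path))
            if len(span) >= threshold and changed >= ratio * len(span):
                flagged[proc] = max(flagged.get(proc, 0), len(span))
    return flagged

# Constructed sample feed (not real telemetry): an unknown process rewrites a
# mapped share in 25 seconds, a word processor saves files in place over
# fifteen minutes, and a user renames a handful of photos.
SAMPLE_EVENTS = (
    [FileEvent(100.0 + i, "unknown.exe", f"\\\\fs01\\share\\doc{i}.docx",
               f"\\\\fs01\\share\\doc{i}.docx.encrypted") for i in range(25)]
    + [FileEvent(50.0 + 30 * i, "winword.exe", f"C:\\Users\\bob\\r{i}.docx",
                 f"C:\\Users\\bob\\r{i}.docx") for i in range(30)]
    + [FileEvent(200.0 + i, "explorer.exe", f"C:\\Users\\bob\\img{i}.tmp",
                 f"C:\\Users\\bob\\img{i}.jpg") for i in range(5)]
)

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_EVENTS))   # {'unknown.exe': 25}
```

A real deployment would feed this from file-server audit logs or endpoint telemetry and pair the alert with an automatic block of the offending host’s share access.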

Is email safer than a password?

In Access Controls, Computers and Internet, One Time Passwords, Password Management on July 1, 2015 at 20:02

According to a Register article, Small change to Medium takes large axe to passwords, Medium is providing an option to use email to log in instead of a password. I registered at Medium to check it out and to see if I agree with the Register article about possible weakness.

Sign up is easy. On the first screen, you choose whether to use a social network login (e.g., Twitter) or email. I chose email. After selecting topics I wanted to read about, Medium sent an email to me. Using the email, I logged in. No password, just a user ID.

I logged out and tried to log in again. Medium asked me for my registration email using TLS 1.2 to encrypt the session. I entered my email and almost immediately received a message from Medium. The message provided a button I pushed, which took me to my home page at Medium. Very fast, very efficient.

So is this safer than a password? Almost everyone now accepts email as a secondary method of bypassing forgotten passwords. It isn’t much of a stretch to use email as the primary authentication factor. Further, users don’t have to write down passwords or remember a new password for every login. But…

In an email-as-a-password world, email becomes a single point of failure and a big target. As long as users do better at password selection for their email accounts, this could still work. What are the odds that we can train users (after trying for years) to use something other than 12345678 or Passw0rd?
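The login flow described above, entering an email address and clicking a button in the resulting message, is usually implemented with a single-use, expiring token carried in the link. The following is an added example of that mechanism, not Medium’s code: the backend stores only a hash of the token, the token dies on first use so a forwarded or replayed message is worthless, and anyone who can read the mailbox can still log in, which is exactly the single point of failure the post points at. Host name, token lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical stand-in for the login backend; names and the 15-minute
# lifetime are assumptions, not Medium's implementation.
TOKEN_TTL_SECONDS = 15 * 60
_pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (email, expires_at)

def issue_login_link(email: str, now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited token and return the link to put in the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 random bits; the link itself is the credential
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL_SECONDS)   # store only the hash
    return f"https://login.example.invalid/auth?token={token}"

def token_from_link(link: str) -> str:
    """Extract the token the way the site would when the button is clicked."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]

def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the token was issued to, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)   # pop first: a replayed or forwarded link fails
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None

if __name__ == "__main__":
    link = issue_login_link("bob@example.invalid")
    print(redeem(token_from_link(link)))   # bob@example.invalid
    print(redeem(token_from_link(link)))   # None: the link is spent
```

Nothing here checks who opened the link, so the mailbox password and the mail provider’s own second factor are what actually protect the account.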
