Using Knoppix and Clam Anti-virus to Scan Infected PCs

A common problem in security is deciding how to scan PCs that are suspected to be infected with a virus. One approach is to use the anti-virus software already installed on the PC; however, mistrust of that anti-virus software may be wise, considering that a number of viruses disable or alter anti-virus software. An alternative approach is to boot the computer from some other media (CD-ROM, floppy disk, USB mass storage, PXE) and run an anti-virus program from that media. This approach increases the trustworthiness of the anti-virus software but brings up the question of how to ensure that the latest anti-virus definitions are available.

Knoppix is a bootable Linux distribution that comes with Clam Anti-virus and supports downloading anti-virus definitions to a ramdisk. Thus, you can boot from the CD-ROM, which already has a complete read-only operating system installed, and then run the included virus scanner, which will fetch the latest virus definitions over the net. This provides a safe and easy method for initially responding to suspected infections.
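The workflow just described (boot the trusted CD, fetch fresh signatures into the ramdisk, scan the suspect disk without letting it execute anything) as a small shell script. This is an added example, not code from the original post or from the Knoppix or ClamAV projects; it assumes the suspect Windows partition is `/dev/hda1` (a placeholder, override with `SUSPECT_DEV`), that you are root on the Knoppix system, and that `freshclam` and `clamscan` are on the PATH as they are on the Knoppix CD. The summary-parsing functions work on `clamscan`'s standard output format (`path: Name FOUND` lines and an `Infected files: N` summary line); the sample output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example: scan a suspect disk from a Knoppix boot with ClamAV.
# Assumptions (placeholders, not from the original post):
#   SUSPECT_DEV  - partition holding the suspect Windows install
#   MOUNT_POINT  - where it is mounted read-only for scanning
#   LOG          - scan log; lives on the ramdisk, so copy it off before rebooting
SUSPECT_DEV="${SUSPECT_DEV:-/dev/hda1}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/suspect}"
LOG="${LOG:-/tmp/clamscan.log}"

# Mount the suspect filesystem read-only, with noexec/nodev, so the scan
# cannot alter the disk and nothing on it can be executed from the live system.
mount_suspect() {
    mkdir -p "$MOUNT_POINT"
    mount -o ro,noexec,nodev "$SUSPECT_DEV" "$MOUNT_POINT"
}

# Fetch the latest signatures over the network; on Knoppix the database
# directory is ramdisk-backed, so this does not touch the CD or the suspect disk.
update_signatures() {
    freshclam
}

# Recursive scan, reporting only infected files and keeping a log.
# clamscan exits 0 when clean, 1 when infections were found, 2 on error.
scan_suspect() {
    clamscan --recursive --infected --log="$LOG" "$MOUNT_POINT"
}

# --- helpers for reading clamscan output (stdin) ---

# Print the number from the "Infected files: N" summary line.
infected_count() {
    sed -n 's/^Infected files: \([0-9]*\)$/\1/p'
}

# Print the path of every file clamscan flagged as FOUND, one per line.
found_files() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# Constructed sample of clamscan output, used for demonstrating the helpers
# without running a real scan (the signature name is ClamAV's EICAR test name).
SAMPLE_OUTPUT='/mnt/suspect/WINDOWS/Temp/x.exe: Eicar-Test-Signature FOUND
/mnt/suspect/boot.ini: OK

----------- SCAN SUMMARY -----------
Known viruses: 40000
Scanned files: 2
Infected files: 1'

# Full run; only executed when invoked as "./scan.sh --run" so that sourcing
# the file (or running it without arguments) just defines the functions.
if [ "${1:-}" = "--run" ]; then
    mount_suspect
    update_signatures
    scan_suspect
    status=$?
    echo "infected files: $(infected_count < "$LOG")"
    found_files < "$LOG"
    umount "$MOUNT_POINT"
    exit "$status"
fi
```

Keeping the log on the ramdisk means it disappears on reboot, so copy it to a USB stick before you shut down if you need the list of flagged files for follow-up; the read-only, `noexec` mount is what keeps the scan itself from becoming a way to run or modify code on the suspect disk.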

Knoppix can be obtained by direct download from a number of mirror sites or via BitTorrent.

Installing WPA2 WI-FI Support on Windows XP

Wireless ethernet (WI-FI) makes Internet access convenient, easy, and more pervasive. However, the nature of WI-FI exposes users to dramatically increased security risk compared to traditional ethernet connections. Wireless connections can be intercepted and “sniffed” by any party within range of the signal. An attacker need not have physical access to a victim’s computer or LAN and could even be mobile (wardriving). One way to mitigate the risk associated with wireless Internet access is to encrypt the WI-FI connection. There are several commonly supported methods for WI-FI encryption. WPA2 (aka 802.11i) is the latest method, but you must download and install special software to enable WPA2 support in Windows XP.

Prior to WPA2 there were WEP and WPA. WEP has many known weaknesses. WPA is improved, but it is widely reported that WPA is only secure “if you do it right.” WPA2 is the latest standard and offers improvements over WPA that make it easier to “get it right.”

WPA2 support is available under Windows XP, but only if you download and install special software from Microsoft. Microsoft Support has an article that explains the process. You will need to prove that your version of Windows XP is “genuine” before you are allowed to download the WPA2 software. And how do you prove that? You need the Microsoft Genuine Advantage thingy that they recently started forcing users to install in order to get updates.

When I tried to download the WPA2 software I was asked to copy a code from a Windows dialog box into the download page. It was not at all clear what that code meant or what generated it. The bizarre public-relations-speak wording on the download page made me guess that it had something to do with the recent “Windows Genuine Advantage” campaign and the ActiveX control that all Microsoft customers must have in order to get software updates.

After copying the code, I was able to download the WPA2 software and install it. The install went smoothly and after a reboot I was able to switch my laptop and Linksys WRT54G wireless access point over to using WPA2.

One question that comes to mind is: why isn’t the WPA2 software available through Windows/Microsoft Update?! The Genuine Advantage software seems like a genuine disadvantage if I am going to be required to manually download all software updates myself.

One final note: beyond implementing WPA2, there are other steps you can take. You can enable MAC address filtering, disable SSID broadcasting, change your pre-shared key often, and run an encrypted VPN over your encrypted wireless connection.

Snort 2.4.1 Released (bug fixes)

Version 2.4.1 of Snort, the open-source intrusion detection system, has been released. This version “addresses a bug in TCP SACK processing that could result in a DoS for some text based logging methods.”

The new version can be downloaded from http://www.snort.org/dl/current/snort-2.4.1.tar.gz

Vulnerabilities in Linksys WRT54G Routers

A number of serious vulnerabilities affecting Linksys routers/wireless access points have been made public. You need to upgrade to firmware version 4.20.7 or later to address them. If you have a Linksys firewall/router of any model, you should check now whether there are any updates for your firmware.

The most recent vulnerabilities (iDefense IDs: 304, 305, 306, 307, 308) are fairly scary. A remote attacker could overwrite your firmware, change your firewall configuration, download your configuration info without logging in, and do a few other slightly less nasty things.

More information is available at the Linksys Info site (not an official Linksys website).

Just last week I noticed that my access point had mysteriously been reconfigured back to factory defaults. The date of the 4.20.7 firmware is the middle of August. That means that these problems have been known for a while. That makes me seriously worry that my firewall might have been compromised. However, I could find no other sign of compromise and there was no unusual activity on my router (of course a fake firmware could disable the blinking lights so I wouldn’t notice).

Note that the WRT54G is actually running the Linux operating system and that Linksys has publicly released their source code (as is required by the software license). The bug that allows an attacker to overwrite your firmware means that an attacker could build his own customized version of the Linksys firmware from source and then upload it to your router. You would be none the wiser, but the attacker could “own” your network. He could turn your firewall into a zombie computer used to attack other networks; he could steal your passwords; he could see all the files in your shared folders; he could attack your LAN that you thought was safely behind your firewall.

Some advice that you should follow after updating the firmware on your Linksys device:

  • Disable remote admin of the Linksys device
  • Disable remote admin via wireless
  • Change your firewall password
  • Make sure you use WPA or WPA2 with TKIP or AES for wireless encryption
  • Disable wireless SSID broadcasting (not really helpful, but it is something)
  • Use wireless MAC address filtering. Permit only those MACs you know.
  • Disable Universal Plug and Play (UPnP) unless you are using it.
  • Disable SES (SecureEasySetup).