Blog: Security and Compliance

I was experimenting with options for iPhone passwords - those enforced from the Exchange server. I created a custom mailbox policy that required alphanumeric passwords, fiddled with it for a while to see what the options meant, and then went back to the original policy that only required a 4-digit PIN. However, the phone would not go back to a numeric PIN (it kept requiring 4 characters including a special character) until I used Reset All Settings on the iPhone, which erased my e-mail setup, network settings (including the WPA key), etc.

So, if you're tempted to test a longer and/or alphanumeric and/or complex password on your iPhone and may want to go back to what you originally had, be prepared to Reset the phone (you don't lose applications or data but you lose all your custom settings).


We have been migrating the users at one of our Lubbock IT support customer's locations to a Barracuda Web Filter.  A user reported a problem accessing an SSL site over the non-standard port 8080 (https://site.com:8080).  I found an article on Barracuda’s knowledgebase on how to allow this port.  The article said to go to Advanced->Expert Variables, but Expert Variables wasn’t an option in the web UI.  I called Barracuda support and they instructed me to put “&expert=1” at the end of the URL to reveal this hidden, super secret section.

It’s still a mystery why they hid this section of the UI, or why the instructions weren’t in the knowledgebase article. There are several other options in this section that would be nice to change, like the SNMP community string (which defaults to “public”) and the NTP server.



Here are a couple of tips for working with Cisco sticky MAC addresses on port security:

If a MAC address has been assigned by port security to one port and the device is then moved to another port, you have to clear the MAC address off of the old port before the new port will allow this device to pass traffic, even if the new port does not have port security enabled.

Also, if you are seeing a duplicate MAC address, with two interfaces interchangeably locking each other out whenever the other is enabled, check whether someone has both ports on a phone plugged into those switch ports. I ran across this at a customer site recently, where it was creating a loop on the two interfaces.
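As an added illustration (not from the original post), the Cisco IOS commands behind both tips: a sticky port-security configuration, the show commands that reveal where a moved or duplicated MAC is still bound, and the two ways to release it. Interface names and the MAC 0011.2233.4455 are placeholders.

```text
! Sticky port security on the port the device was first seen on
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Sticky addresses are written into the running config, so after the
! device moves to Gi0/2 the switch still treats the MAC as secured on
! Gi0/1 and counts it as a violation when it appears elsewhere.
show port-security address
show port-security interface GigabitEthernet0/1
show mac address-table address 0011.2233.4455
!
! Release it from the old port, either by clearing all sticky entries
! on that interface...
clear port-security sticky interface GigabitEthernet0/1
! ...or by removing just the one learned line from the config:
interface GigabitEthernet0/1
 no switchport port-security mac-address sticky 0011.2233.4455
!
! If a violation err-disabled the port, bounce it to recover:
interface GigabitEthernet0/2
 shutdown
 no shutdown
!
! Duplicate-MAC / flapping check (second tip): if the same MAC keeps
! moving between two ports and a phone shows up as the neighbor on
! both, its two Ethernet ports are likely both plugged into the switch.
show mac address-table | include 0011.2233.4455
show cdp neighbors detail
!
! Save, so the stale sticky entry does not come back after a reload
copy running-config startup-config
```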



ICBA and Visa are providing a free Data Breach Toolkit available to all ICBA member banks.  The toolkit was developed due to the recent data breach at Heartland Systems, and is designed to help community banks answer customers' questions following a breach of credit and debit card account information.  The toolkit provides member banks with customizable materials, including cardholder letters, statement inserts, FAQs and media statements.  You can login to receive your toolkit at http://www.icba.org/publications/visa.cfm?ItemNumber=37529



The iPhone currently supports the following security policies from Exchange (note: you must have Exchange Server 2003 SP2 or Exchange Server 2007 SP1 or greater):

  • Remote Wipe
  • Enforce password on device
  • Minimum password length
  • Require alphanumeric password
  • Require complex password
  • Inactivity time in minutes

When you perform the remote wipe from Exchange, it restores your iPhone to factory default (note: this could take up to an hour).  The gotcha – after you perform remote wipe, be sure to “remove mobile device partnership” with your iPhone; otherwise, the next time you try to sync with Exchange it will wipe (restore to factory default) again . . .
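The Exchange 2007 SP1 Management Shell side of the two iPhone posts above, as an added example that is not from the original posts: a strict alphanumeric policy, the 4-digit PIN policy to revert to, and a remote wipe followed by removal of the partnership. Policy names, user@example.com and the device lookup are placeholders.

```powershell
# Exchange 2007 SP1 Management Shell (added example; names are placeholders)

# 1. A strict policy: alphanumeric, at least 8 characters, lock after 15 idle minutes
New-ActiveSyncMailboxPolicy -Name "iPhone-Strict" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AllowNonProvisionableDevices $false

# 2. The original policy: a simple 4-digit PIN
New-ActiveSyncMailboxPolicy -Name "iPhone-PIN" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4

# Assign a policy to one mailbox; the device receives it on its next sync
# (the post above reports the iPhone kept the stricter rules until a reset).
Set-CASMailbox -Identity user@example.com -ActiveSyncMailboxPolicy "iPhone-PIN"

# 3. Remote wipe: find the partnership, issue the wipe, then remove the
#    partnership so the next sync does not wipe the phone a second time.
$dev = Get-ActiveSyncDeviceStatistics -Mailbox user@example.com |
       Where-Object { $_.DeviceType -eq "iPhone" }
Clear-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false
# Wait until DeviceWipeAckTime is set (the phone has acknowledged the wipe):
Get-ActiveSyncDeviceStatistics -Mailbox user@example.com |
    Select-Object DeviceType, DeviceWipeRequestTime, DeviceWipeAckTime
Remove-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false
```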



Yesterday, Heartland Payment Systems, Inc. disclosed a data breach that could be bigger than the TJX Companies, Inc.'s January 2007 breach.  Heartland, one of the largest payment processors in the country, said they discovered the intrusion last week after being alerted by Visa and MasterCard of suspicious activity.  The company says they believe intruders planted malicious software designed to steal card data on the company's network sometime last year; however, the company has not yet released when the card companies informed them of the breach, when the breach took place in 2008, how long the intruders remained undetected, or how many cards might have been compromised.  Heartland claims no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised.

When a card is stolen, crooks typically "validate" the card with certain types of small transactions.  It has been noted that these types of transactions have increased nearly 20% over the past few months; however, it is not clear yet if this is related to the Heartland breach.  Currently, Heartland processes more than 100 million card transactions per month.

This is the second known compromise involving a large payment processor over the past few weeks.  On December 23rd, RBS WorldPay announced its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million card holders.  Payment processors are a prime target for cybercriminals due to the volume of transactions and information.



Technical press has recently printed headlines such as:

"No longer safe: WPA encryption cracked in 12 to 15 minutes" - ZDNet
"Once Thought Safe, WPA Wi-Fi Encryption Is Cracked" - PCWorld
"Researchers Crack WPA Wi-Fi Encryption" - Slashdot
"WPA cracked in 15 minutes or less, or your next router's free" - engadget

However, the details seem to indicate a much more limited vulnerability.

The "crack" is limited as follows:

  1. Access points running QoS (or WMM - Wireless MultiMedia)
  2. Small control packets such as ARP packets
  3. Only traffic using TKIP
  4. Only packets from the access point
  5. Requires 12 minutes & fails if the group key is renewed during that 12 min period

No data decryption is actually involved.  However, if TKIP is being used, a DoS attack is possible by generating packets with correct checksums but erroneous packet authentication info (Message Integrity Code values).

Recommendations:
  1. Disable TKIP if possible (use AES)
  2. Disable QoS (and/or WMM) to prevent replay attacks if possible
  3. Configure to reduce the group key renewal period to less than 12 minutes
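The three recommendations expressed as a hostapd configuration, as an added example (not from the original post): each weak setting is shown commented out beside the corrected one. Interface name, SSID and passphrase are placeholders; hostapd option names are the real ones.

```ini
# hostapd.conf fragment (constructed example; interface/ssid/passphrase are placeholders)
interface=wlan0
ssid=EXAMPLE-WLAN
wpa_key_mgmt=WPA-PSK

# Recommendation 1: disable TKIP, use AES (CCMP).
# Weak - offering TKIP in either the WPA or RSN information element:
#wpa=3
#wpa_pairwise=TKIP
#rsn_pairwise=TKIP CCMP
# Corrected - RSN (WPA2) only, CCMP only, so no TKIP session can be negotiated:
wpa=2
rsn_pairwise=CCMP

# Recommendation 2: disable WMM/QoS where the rate loss is acceptable
# (802.11n and later require WMM, so this also forfeits those rates).
wmm_enabled=0

# Recommendation 3: group key (GTK) renewal period, in seconds, below the
# 12-minute (720 s) window. hostapd's own default is already 600.
wpa_group_rekey=600

# Brute force (closing paragraph): a long random passphrase. A 63-character
# value generated elsewhere, not a dictionary word.
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
```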

Also, since WPA is susceptible to brute force attacks, you can use Steve Gibson's key generation site www.grc.com/passwords - I am paranoid enough to generate the password/key on a network other than the one that uses the external router I'm getting the key for.



Sans.org published a notice today that there is a 0-day exploit for Internet Explorer in the wild.  The updates released by Microsoft yesterday did not fix this vulnerability.  The specific exploit checks to be sure it is running in IE7 on XP or 2003 before it does anything, but whether other versions are exploitable is not yet known.

The article says "At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon."

http://isc.sans.org/diary.html?storyid=5458



AVG recently released an update that mistakenly identified a valid user32.dll file as containing a virus.  It instructs users to delete the file, which of course makes the system unbootable.  This affects AVG 7.5 and 8.0 running on Windows XP.  AVG says this only affects a few non-English versions, but the volume of reported incidents indicates this may not be completely accurate.



PCWorld published an article yesterday titled "Holiday Travel Tips: Protect Your Laptop and Privacy."  It is a good and timely article; however, a few additional tips you might find handy include:

  1. Cable lock your laptop anytime it will be out of your possession (in your car, hotel, etc.).  Cable locks are relatively inexpensive and provide an excellent additional layer of protection.
  2. Encrypt any confidential information on your laptop - it is best to utilize full-disk encryption.
  3. Shut down your laptop when you are not using it - some encryption software can still be compromised if a laptop is stolen while logged in or in "sleep" mode.

We hope you have a fun, safe, and secure Holiday season!