Monday, February 18, 2008

Digital Picture Frames, USB Hard Drives Found Already Infected with Trojans

This is a little off the wireless topic, but important for security nonetheless: A recent article in the San Francisco Chronicle mentions that many USB photo frames have been found to contain Trojan horses. When the frames are plugged into users' computers, these Trojans can be installed automatically without the user knowing. Antivirus software may not help because it doesn't yet have signatures for these Trojans. A similar problem regarding USB hard drives was discussed last year at Slashdot.org. What's the solution? If you run Windows, disable autorun. A few sites on how to do that are here and here. Don't trust any free software already on these devices or hard drives. Mac and Linux users generally are safe, because autorun is unsupported or disabled by default.
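One way to check and apply the autorun setting described above, as an added example that is not from the original post or the sites it links to. It reads the Windows policy value NoDriveTypeAutoRun, a bitmask in which a set bit turns autorun off for that drive type; the function names Get-AutorunPolicy and Disable-AutorunAllDrives are hypothetical.

```powershell
# Added example: audit (and optionally set) the Windows autorun policy.
# NoDriveTypeAutoRun is a DWORD bitmask; a set bit disables autorun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'         = 0x01
    'Removable (USB)' = 0x04
    'Fixed disk'      = 0x08
    'Network'         = 0x10
    'CD-ROM'          = 0x20
    'RAM disk'        = 0x40
    'Reserved/future' = 0x80
}
# Machine-wide policy first, then the per-user policy.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    foreach ($path in $PolicyPaths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = $item.NoDriveTypeAutoRun
        if ($null -eq $value) {
            # No policy value: the operating system default applies.
            [pscustomobject]@{ Path = $path; Value = 'not set'; AutorunStillOnFor = 'OS default' }
            continue
        }
        # Drive types whose bit is clear still have autorun enabled.
        $open = $DriveTypeBits.GetEnumerator() |
            Where-Object { -not ($value -band $_.Value) } |
            ForEach-Object { $_.Key }
        $summary = if ($open) { $open -join ', ' } else { 'none' }
        [pscustomobject]@{
            Path              = $path
            Value             = '0x{0:X2}' -f $value
            AutorunStillOnFor = $summary
        }
    }
}

function Disable-AutorunAllDrives {
    # Writes the machine-wide policy; run from an elevated prompt.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Get-AutorunPolicy | Format-List
# Disable-AutorunAllDrives   # uncomment to disable autorun for every drive type
```

A value of 0xFF reports "none" under AutorunStillOnFor; any listed drive type, removable drives in particular, means a plugged-in device can still trigger autorun.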

Vulnerabilities Found in Many Wireless APs

A security software firm (Codenomicon) tested their software on various Bluetooth, Wi-Fi, and WiMax devices and found a very high vulnerability rate. In their whitepaper [PDF], they tested several brands of Wi-Fi access points (although they don't say which brands) and found vulnerability rates ranging from 25% to 75% for their tests. Take the report with a grain of salt, however, since they may be biased to sell their testing software. Home users should consider setting up a DMZ for their wireless access points. Corporations should consider a wireless security solution on top of their existing wireless infrastructure, such as Aruba Networks or AirWave (Aruba has recently announced they will be acquiring AirWave).

Friday, February 8, 2008

Gmail still not 100% safe even over SSL... beware of SideJacking

What is SideJacking? It's a new term for hijacking your browser session. SideJacking was listed as one of The Five Coolest Hacks of 2007. What's new here is that your Gmail account can be compromised even when SSL is being used. From the Errata Security Blog: "SSL is not always complete. A good example is Gmail. In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails."

And, how would SSL fail? A wily hacker just needs to send a few RST (reset) packets to thwart the SSL communication on port 443. (If there's not already a tool to make this process easy, don't worry, there will be).

So, what's the solution? Until Google fixes these weaknesses, VPN tunnels are your friend. Basically, the only 100% secure (or as close as you can get) way to connect to the internet is to connect over a VPN tunnel to your home machine, then browse the internet from that machine. This was also covered on GRC's SecurityNow podcast some time ago. You can also run LogMeIn or GoToMyPC on your home computer. These encrypt communication from your laptop to the host computer. Connect to your home computer that way and then do your browsing. You could also connect with an SSL VPN box at your company, and if it's configured, browse from there.

Hopefully Google will fix the security weaknesses. I should mention that Gmail is still the best major free web-based email solution, since MSN and Yahoo force SSL for the password entry, but don't encrypt the pages after that point. Gmail lets you conduct the whole session over SSL even after you're logged in.

Lastly, another protection is to make sure you log out of Gmail when you're done. That way, if you go to a coffee shop and your browser is open when you wake up your laptop from suspend mode, it won't automatically connect, potentially exposing your session ID. And if you do use Gmail there, log out when you leave: if someone has stolen your session ID but hasn't yet used it to compromise your account, logging out invalidates it.

I plan to do some testing on Firefox soon to see if it pops up its warning "Although this page is encrypted, the information you have entered is to be sent over an unencrypted communication and could be easily read by a third party" when SSL is blocked during a Gmail login. For more information on browser security, check out this page from Michael Horowitz' site.

Wednesday, February 6, 2008

What NOT to do with your Wireless LAN

In this classic blog post, The six dumbest ways to secure a wireless LAN, ZDNet's George Ou describes the worst way to secure your WLAN. From the article:

For the last three years, I've been meaning to put to rest once and for all the urban legends and myths on wireless LAN security. Every time I write an article or blog on wireless LAN security, someone has to come along and regurgitate one of these myths. If that weren't bad enough, many "so called" security experts propagated these myths through speaking engagements and publications and many continue to this day.

Also don't miss his Wireless LAN Overview for beginners.

TrueCrypt ships version 5.0 today

Version 5.0 of the free, open-source and cross-platform encryption program TrueCrypt is now available for download and installation for Windows, Mac OS, and Linux. Further information regarding features of the software may be found in the documentation.