I am currently working on a major revision to my Open Secure Wireless project to incorporate changes introduced with IEEE 802.11u.

The changes to 802.11 are part of what the Wi-Fi Alliance is calling "Hotspot 2.0", which they plan to launch in 2012. It appears that the Wi-Fi Alliance and Wireless Broadband Alliance may be currently focusing this effort on mobile carriers and service providers rather than smaller open and public hotspots. However, the changes introduced in 802.11u could also be used to enable a hotspot to be both open and secure. I am referring to this project as Open Secure Wireless 2.0 (OSW2), and I encourage the Wi-Fi Alliance to consider adopting this as a component of Hotspot 2.0.

A paper (and hopefully code!) will be forthcoming soon, but read on for the background and overview of how this might work.

I was fortunate to be invited to demonstrate Open Secure Wireless (also named Secure Open Wireless Networking -SOWN- by the IBM folks) at Black Hat in the Arsenal Tool/Demo area along side a couple really cool guys - Tom Cross from IBM and Takehiro Takahashi. This has received some good press including Slashdot, SearchSecurity, and a mention in eWEEK.

Following the demo Tom has also released the proof of concept code for SOWN under GPLv2 along with our presentation on a post at the ISS Frequency X Blog. 

Next I will be presenting Open Secure Wireless at Security B-Sides Missouri (BsidesMO) in Jefferson City on October 21st.

Finally, if you work at or have contacts in the wireless product development groups at Microsoft, Apple, Cisco, etc., or large wireless hotspot providers like AT&T, Google, or a university please contact me. I'd love to have the opportunity to make the case for how a few small code changes can make things better for everyone.

Many sites already use E-mail as an unofficial form of authentication, but a new browser-based federated identity protocol called BrowserID from Mozilla Labs aims to make it official. The new system is implemented using the Mozilla Verified Email Protocol, which ties authentication to email addresses.

Yesterday U.S. District Judge James Ware refused Google's motion to dismiss a class action suit alleging violation of the Federal Wiretap Act for sniffing open wireless networks as part of their "Street View" program.

Judge Ware based this decision in part on the plaintiffs assertion that the open wireless "networks were themselves configured to render the data packets, or electronic communications, unreadable and inaccessible without the use of rare packet sniffing software; technology allegedly outside the purview of the general public."

My article "Unsafe at any SSID: Wireless Hotspot (In)Security" is the feature story for the March 2011 ISSA Journal!

ISSA Journal is an international magazine for ISSA members. If you are not a member, you can join here.

From the abstract:

Qualys has just released IronBee, an open source Web Application Firewall (WAF) developed in conjunction with Akamai. The main two developers on IronBee are Ivan Ristić and Brian Rectanus, who previously wrote ModSecurity before the acquisition by Breach Security (and later Trustwave). Also interesting is the participation of Will Metcalf, Lead QA for Open Information Security Foundation (OISF) and the inclusion of the LibHTP library written by Ivan and included with OISF's Suricata. It is encouraging to see LibHTP pick up another project. As IronBee is ultimately targeted for SaaS deployment, I wonder if this means we will see a combined IronBee/Suricata SaaS in the future. 

The IETF has chartered an active working group to standardize secure distribution of public keys for authentication over DNSSEC called DNS-based Authentication of Named Entities (DANE). This follows Dan Kaminsky's work and presentations on the Phreebird suite, a set of tools that enable authentication and federation of trust through DNSSEC. Kaminsky calls this Domain Key Infrastructure (DKI).

Using Phreebird, and eventually standards developed by DANE, domain name owners will be able to easily set up DNSSEC and publish public keys in DNS including self-signed certificates which can be validated through the root of trust established by DNSSEC. This may reduce the need for Public Key Infrastructure (PKI) certificate signing.

End of the year fun... Have a Happy Holidays!

Recently I ran across a scenario where the Microsoft Sysinternals tool PsExec would not work against a Windows 7 domain-joined computer. The command was failing with an "Access Denied" error. On Vista and newer, User Access Control (UAC) issues a restricted token to processes, but PsExec requires an elevated token. On the local system's Microsoft-Windows-UAC\Operational log the following event appeared: The process failed to handle ERROR_ELEVATION_REQUIRED during the creation of a child process.

Further research found that newer versions of PsExec have a command argument (-h) to specify elevated rights.

However, even with specifying -h PsExec was still failing with "Access Denied". After some digging, I discovered that it's all about how the authentication credentials are presented to the remote system. UAC has an exception for remote connections using domain credentials, so that machines can still be administrated remotely (otherwise, there would be no way to respond to UAC prompts). When connecting remotely and authenticating with NTLM using a domain account, Windows 7 issues an elevated token.

The Metasploit Framework project released a module yesterday that implemented an attack against the Windows Shell vulnerability when displaying icons for LNK files. The MSF module exploits the vulnerability over WebDAV - currently over HTTP (80/tcp) only. With this module an attacker only needs a victim to click a link to have their system owned.

I have submitted a rule, included below, to Emerging Threats to detect an attempt to access a ".lnk" file from the Windows Shell over WebDAV. In my testing with both Snort and Suricata, the signature reliably detected the MSF exploit.