The other day I read that Comcast is launching a new plan to turn home internet users into unwilling participants in their new global wifi strategy. I'm sure that they will soon be touting how insanely awesome it will be to get "full strength" internet access virtually anywhere just by subscribing to this service. Other than the issues with taking a service that the consumer already pays for and carving out their bandwidth for other people, the security practitioner in me can't help but wonder what the security ramifications of sharing an internet connection like this actually means. Combine this with the default access to your cable modem that your service provider already has, and it paints a very scary picture of network security for the home user. It is no longer sufficient (if it ever was) to rely on your cable modem for network access controls. Thus, I am advocating in favor of placing a personal firewall between your cable modem and your network for all home internet setups.
Now, it's not as bad as you may think. It doesn't have to be some crazy expensive piece of equipment like you'd purchase for a business. Even the basic home gateways come with the ability to do Network Address Translation (NAT) which effectively turns your internet connection into a one-way pipe. All I'm saying is that instead of plugging your network devices directly into the cable modem for Internet access, you should use your own hardware and draw a clear "line in the sand" between your equipment and theirs. In addition, I would advocate that you should no longer consider the wifi access provided by the cable modem device as safe and should use your own equipment for this access. In other words, treat anything on the WAN side of your home gateway/personal firewall as untrusted and protect against it accordingly.
This presentation was by Robert "RSnake" Hansen and was designed to be a fun conversation to have over drinks with security people. I feel privileged to have been one of those security people who he talked about this with beforehand. A very interesting topic about the non-obvious threats that may or may not exist. My notes are below:
- Because I use the Internet
- Because I'm a target
- Because most people don't know
- Because it's a fun conversation to have over drinks with security guys
- Maybe/hopefully you'll continue this conversation instead of just arguing!
- Must be non-obvious and must be directly related to the Internet. Not:
- ...the President or any other gov'ernment official
- ...or someone involved with SCADA Systems/Brick and mortar
- Must be in control of some infrastructure or software, etc
- Must have the largest or widest negative impact possible for the least amount of work and least likelihood of being stopped
- No magic - must be real and dangerous
- They can't be "bad" people
- You can't take this list too seriously
How I Got Started
- Started thinking about core technologies that everything relies on
- Made a big list
- Shopped it around to dozens of security experts
- Assigned an arbitrary, unscientific, hand-wavy, risk-rating system of my own design
- Ranked them in order of how scared I am of them personally
- John Doe at C|Net
- Job: Network Engineer
- Why: Controls com.com
- Impact: Largest collection point of typo traffic both for web adn email.
- Doesn't require anything overt or even indefensible
- Giorgio Maone of NoScript
- Job: Consultant
- Why: Controls NoScript
- Impact: Nearly every security researcher on the planet - complete compromise. In general the most paranoid people on earth would be compromised.
- Builds arbitrary whitelists (ebay.com)
- Has changed functionality to subvert Adblock Plus
For my first session of the day on Tuesday of the TRISC 2009 conference I attended a presentation by Andrew MacFarlane from Data Foundry, Inc. on "Deep Packet Inspection and the Loss of Privacy and Security on the Internet". While the concept of DPI is nothing new to me and I remember first hearing about it around the FBI's Carnivore project, this particular use case was something that I hadn't heard about. Apparently pretty much every Tier 1 ISP has hopped onboard the DPI bandwagon and is now using the technology for everything from traffic prioritization to targeted advertising. To make matters worse, you automatically agree to this type of monitoring by accepting your ISP's terms of service. Data Foundry has been one of the few ISP's who have spoken out against this practice, but unless more people (especially end-users) lobby their congressmen to remove this waiver of privacy rights as part of our terms of service acceptance, the future of privacy and security on the internet is awfully bleak. My notes from the session are below:
We knew that the historic inauguration of Barack Obama would be generating a lot more Internet traffic than usual, both in general and specifically here at NI. Being prudent Web Admin types, we checked around to make sure we thought that there wouldn't be any untoward effects on our Web site. Like many corporate sites, we use the same pipe for inbound Internet client usage and outbound Web traffic, so employees streaming video to watch the event could pose a problem. We got all thumbs up after consulting with our networking team, and decided to not even send any messaging asking people to avoid streaming. But, we monitored the situation carefully as the day unwound. Here's what we saw, just for your edification!
Our max inbound Internet throughput was 285 Mbps, about double our usual peak. We saw a ni.com Web site performance degradation of about 25% for less than two hours according to our Keynote stats. ni.com ASPs were affected proportionately which indicates the slowdown was Internet-wide and not unique to our specific Internet connection here in Austin. The slowdown was less pronounced internationally, but still visible. So in summary - not a global holocaust, but a noticeable bump.
Cacti graphs showing our Internet connection traffic:
Keynote graph of several of our Web assets, showing global response time in seconds:Looking at the traffic specifically, there were two main standouts. We had TCP 1935, which is Flash RTMP, peaking around 85 Mbps, and UDP 8247, which is a special CNN port (they use a plugin called "Octoshape" with their Flash streaming), peaking at 50 Mbps. We have an overall presence of about 2500 people here at our Austin HQ on an average day, but we can't tell exactly how many were streaming. (Our NetQoS setup shows us there were 13,600 'flows,' but every time a stream stops and starts that creates a new one - and the streams were hiccupping like crazy. We'd have to do a bunch of Excel work to figure out max concurrent, and have better things to do.)
In terms of the streaming provider breakdown - since everyone uses Akamai now, the vast majority showed as "Akamai". We could probably dig more to find out, but we don't really care all that much. And, many of the sources were overwhelmed, which helped some.
We just wanted to share the data, in case anyone finds it helpful or interesting.
Wireless internet access is everywhere these days. Everyone from restaurants and bars to the average Joe Homeowner has some sort of wifi network set up. The problem is that they set up these networks without giving security a second thought (or even a first thought in most cases). I was at the TRISC conference last month and heard SimpleNomad say that he doesn't pay for internet access anywhere any more because there's always an unsecured or poorly secured wireless network wherever he goes. Lately, I've been testing that and he's absolutely right. I'm the only person on my block not running either an open network or a WEP "protected" network. I was even at a local hospital the other day and their "secure" internal network was using WEP.
For those of you just catching up, WEP is an almost 10 year old wireless protocol whose intent was to encrypt your wireless transmissions. The problem is that WEP uses a user-defined key along with an "initialization vector" (IV) to generate the RC4 traffic key used to encrypt your data. If I can gather enough of these IV's, then I can figure out what the key is and your network is now pwned. I can speed up this process by injecting my own packets and I can get your key in under 3 minutes. How's that for security?
So, why is anyone still using WEP? It was deprecated as a wireless privacy mechanism back in 2004. It is easily cracked and provides slightly more security than running an open wireless network. All that and when you buy a new wireless router it's most likely still pre-configured with WEP enabled. On some of these older models better encryption standards such as WPA or WPA2 aren't even options. With much of the wireless network setup falling into the hands of novice users, some of the responsibility lies with the router manufacturers for even allowing them to use WEP. The rest, in my opinion, is on the users themselves, who put up these networks without being educated enough to do so. You wouldn't put a door on your home without making sure the locks worked, would you? How about buying a car where everyone with that model vehicle had your same key? I think you get the picture.