Slashdot Mirror
New Security Ideas From Intel
Scott writes "Intel is developing a new technology that could prevent unauthorized access to wireless networks using the time it takes for packets to arrive from the access point to the Wi-Fi user. This is one of several ideas were presented at Intel Developer Forum. Intel has also released a hardware-based solution to fight against worm spreading. From the report: 'The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.'"
is only as strong as the weakest link.. which in most cases is the user.
Say goodbye to P2P and BT.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Hey, kudos to Intel for coming up with this stuff, but I suspect that the majority of people who buy a wi-fi router in the next five years will still not bother to even change the default admin password.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Please. Slashdot has had the same effect on websites for years.
Security through proximity is not security at all.
No thank you. Don't decide for me what traffic I can generate.
You are not the customer.
The amount of time it takes for a packet to arrive could change because things other than physical distance from the access point. Like hardware latency, interference, etc. If it could be forgiving of these, perhaps the packet transfer time could only be so high, it may work. I haven't RTA yet, but I think there are betters ways to stop the spread of a worm. I think every machine on a network should be running a software firewall, not just a hardware firewall for incoming threats from the outside. With people bringing in floppies and USB storage devices, the attacks are coming from the inside. Why trust the inside? Windows desktops should have the firewall enabled. If you need available ports, allow them and nothing else. And IMHO if reasonable, run FreeBSD on your servers or something else with fewer attacks. Intel's solution will help, but still result in problems. It will have to be hardware-based or virii could stop it. A hardware-based solution could be very expensive, unless Intel wants to give it away, or bundle it with NIC's or CPUs.
Powered by caffeine and sugar; BSD
Crackers are developing new technologies to enable unauthorized access to wireless networks using the time it takes them to intercept and retransmit packets between the access point and the Wi-Fi user.
As for the "solution" of detecting worms by autokilling connections when bandwidth usage changes in a way that the software didn't predict, (in a way that's more likely to cripple your favorite P2P client software more than it's likely to disable a worm that decides to start slowly and ramp up), how about Intel gets off its sorry ass (if you felt a rant coming on, you were right) and comes up with a real solution to connection hijacking -- namely by implementing cryptographically strong authentication between client and access point at Layer 2 of the OSI model, not Layer 7.
Oh, right. Securing Layer 2 instead of Layer 7 would harm the interest of those in charge of writing Layers 8 (financial) and Layer 9 (political) of the 7-layer model.
What happens if I have to take my laptop to the bathroom with me? Will I stay connected?
It's because of people like you that I cannot touch our company's periodicals library. Damn you! DAMN YOU TO HELL!
If you tell the router which port you run your P2P on (e.g. I usually run Azureus on port 6502), then it should be able to distinguish P2P traffic from virus traffic. Besides, virus connections are usually much shorter lived than P2P connections, right?
Before anyone gets too upset at the idea of their computers getting cut off from the internet for running P2P:
This kind of technology is not interesting to home users, or even for developer workstations: nobody is going to want to use a technology that cuts off their personal computer. The place it looks (IMHO) to be aimed at is ordinary user desktops in large corporations. These are (supposed to be) highly locked-down environment and controlled tightly by the sysadmins. In this environment, the IT manager is going to prefer inconveniencing a few users by cutting their 'net connection than managing a widescale worm outbreak that'll likely take the rest of the network down for everyone.
Horses for courses: home users and developers will still be best served by taking precautions (virus scanners and social countermeasures) and being vigilant for signs of an outbreak.
The system monitors the number of external connections being made and if a higher network activity is detected, the computer is disconnected to prevent the infection of further machines on the network.
My router, a Westell 327w, already has this feature. It locks up when I use the wifi for anything remotely network-intensi...NO CARRIER SIGNAL
unable to resolve function slashdot.sig(), aborting...
Why stop at doing this for wireless devices? Why not include such connnection-based control for any connections made from the host?
Also, the article says this proposed change will require change to existing Wi-Fi devices. IS that really going to happen in near future?
http://efil.blogspot.com/
What is there here that can't be done with software ?. Oh, wait .. that needs Microsoft to do it. Doing it at the WiFi card level might give intel an advantage - but most likely they'll just push this into the driver code. Then we're back to the "why doesn't Microsoft do this" - though in truth, we should chuck it and use Linux.
It essentially means that the moment I run bittorrent, Intel's new WiFi chip will throw me off the network. That's what it'll do for most of us.
> The access point times the time it takes a packet to arrive the client and go back. Using this time, the access point can predict the location of the user and tell whether a client device is inside or outside the allowed area, for example office wall.Similarly all Ethernet cards will have something that allows only packets addressed to it's MAC address to be read. And then someone will find out a way to work around that. I could rephrase when guns are outlawed, only outlaws will have guns - but this is even worse. Intel will create APs which have an artificially limited range to prevent you from taking your laptop to the crapper. This is almost like the userfriendly joke about laptops chained to the desk form of security.
Truly these are ideas to be sold, not products. Once people buy in on the security of these things, intel hopes to make a killing for no extra-work (yes, we have to buy the NEW secure WiFi cards and then just boot up that AP, let's get mailing status reports - leaving a router with "linksys" wide open). Security needs care and control - just cheap hacks on hardware will not do .Quidquid latine dictum sit, altum videtur
Could it be..
- Setting the router defaults to be more secure
- Printing out how to run the setup utility included with the router to secure your network on a big bright yellow card
- Forcing the user to pay attention to the settings by setting the WPA key to a random default
- Printing, in big letters somewhere on the inside of the box, explaining how if the user runs yet another inescure 802.11b network, the terrorists have already won
</sarcasm>It seems like Intel might be searching for an automatic solution for this problem, which is bound to fail as quickly as they can put it out in the wild. How do you protect users from bad network setups if the users largely aren't aware that the problem exists? We don't need new technology, we need to modify existing technology that, while it might add a few extra steps, forces users to pay attention to the problem that everyone here is already aware of.
DOS attacks have just gotten easier.
http://www.rayn.net . Funny. Stuff.
I agree... about a year ago I did a quick wardrive around my mom's neighborhood (upper middle class suburb of Columbus, OH). I drove 3 blocks, and found 14 wireless networks. 10 were open. I tried using the default password for all of the router types (as identified by netstumbler), and it worked on 9 of the open networks... only 1 of the secured networks had not changed the default password.
......
What is the solution to this? I am hardly an expert on supply-side economics relating to production, but how hard would it be to set a random password for both the router and the wireless network? Include a piece of paper with both the password written on them (kind of like a manual addendum, that way each manual won't have to be customized). Or better yet, make the default password the serial number of the router. Extremely difficult to guess, usually a string of alpha and numerics, and the user could never really lose it (unless they removed the serial number sticker from the router).
There has to be a better way of doing things than what currently exists. To offer a product to consumers that has no security whatsoever in an out of the box condfiguration is moronic. Even more moronic is the fact that the consumer (I'm speaking in general terms of course) makes no effort to read the manual. You would think that logic would strike them in the face as they connect to their network for the first time...
"Oh, look, Windows automagically detected my wireless network!"
"Neat, now it's joined! That was easy..."
"Almost TOO easy"
*smack* (this is the sound of logic smacking them in the face)
"Wow, maybe I should do something so that it wouldn't be this easy for other people!"
Just like driving a car:
(D) to go forward
(R) to go backward
(OK, so it has nothing to do with Clarke's Law, other than sharing the same sentence pattern.)
"Intel is developing a new technology that could prevent unauthorized access to wireless networks using the time it takes for packets to arrive from the access point to the Wi-Fi user."
As opposed to, say, enabling encryption?
"Intel has also released a hardware-based solution to fight against worm spreading."
The software-based solution is using a real OS. Another hardware-based solution is to refuse to run any Microsoft operating systems.
Windows won't be going away any time soon, so there will remain plenty of worm fodder. I am surprised by the number of relatively unsophisticated home users who are switching to Mac OS X or Linux as a result of adware, spyware, and worms, but I haven't seen the same switcher phenomenon occurring in corporations.
Besides, worms probably wouldn't go away even if Windows did. Although conventional wisdom says that a large pool of exploitable systems is required for successful worm propagation, that's not true, demonstrated by the Witty Worm's exploitation of a very small population of vulnerable systems. Although they are not as common, worms have exploited other, non-Windows systems and application software, and certainly buffer overflow exploits are discovered periodically in such systems. Granted, the UNIX architecture makes worm exploitation of application software less likely to result in super-user access, but routers, DNS servers, and others remain vulnerable to the extent that they contain worm-able security defects -- and clearly many do.
Worms are getting more sophisticated all the time. From the starting point of their current capabilities, worms and botnets could easily be extended to automatically harvest particular types of data from particular companies or government agencies, using the chaos of a massive worm outbreak for cover. Their ability to receive arbitrary commands from remote attackers over IRC control channels means that they may already be in use for this purpose.
My company specializes in antiworm technology and consulting. The FireBreak AntiWorm system impedes worm propagation without interfering with normal network operations -- including bit torrent.
There is a tremendous amount of innovation going in in the software security area lately, driven by the relatively recent realization among large corporations that they must now spend money on worm prevention, containment, and recovery if they want their heavy investment in the Windows monoculture to survive.
Opting out of the monoculture simply isn't feasible for most large corporations at this point. It's not just the cost of the desktop PC -- if that's all it was, a bunch of them would have switched en masse to Mac OS X Tiger when it came out. The applications, the developers who write them, the help-desk workers, the system administrators, the managers, the employees -- at this point all they know is Windows.
Switching a desktop is so hard for a large company, that the survival of the Windows monoculture is virtually assured for about as long as one can predict anything in the IT world (5 years, I'm told). The the problems that come with it will be creating market opportunities for a long while to come.
If you mod me down, I shall become more powerful than you could possibly imagine.
Intel is developing a new technology that could prevent unauthorized access to wireless networks
There already exist a number of methods for preventing unauthorized access to wireless networks: stopping SSID broadcasting, filtering MAC addresses, WPA, and even IPSEC for the paranoid. People already don't use what is available because they don't think it is important. What makes Intel think they will use this? It seems to me that the automatic response to security mechanism these days is "turn it off, it's too confusing and we aren't trying to hide anything." A lot of people just don't understand that their passwords and credit card numbers are being sent over the airwaves in cleartext and can be easily intercepted unless you use the security features of your access point.
They did this for a while last year with bell south. My friend could no longer check or send email and his router ceased properly functioning. yeah.. filter port 25... who cares about any of that "internet stuff"
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
What if someone uses your open access point to send Spam thru your ISP and account ?
The thought of having other people using my ISP account, which has my name on it, to do ilegal or inmoral (to me) stuff like spam, warez, piracy, etc is enogh to think about security. The fact that I don't wan others sucking up my bandwithd is another thing I think off.
I would donate part of my bandwidth to the general community though. If it was easy and secure.
Regarding others reading my packets, well I already asume that, since when there's nobody sniffing at the routers ? Long live GnuPG, SSL and SSH.
Pupeno
If you go to far you get disconnected.
Mostly its not anything special just a 25 foot cat5 cable.
actually, it was apple's .mac mail server, on which 3 separate accounts were active for 2 computers in their household.
Are you implying that the constant complaining I was hit with was all about nothing?
bell south even admitted to them the problem was they were blockign port 25, but didn't indicate they'd do something to alleviate those little "inconveniences" involving non-working email and routers.
Whoops!
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
So how long before your ISP picks it up? Think of upload caps, port blocks and smtp jails as other "technologies" that piss users off and don't do anything for security.
Friends don't help friends install M$ junk.
There's no need for any of this. All we have to do is make use of the security flag defined by RFC3514. See it at: http://www.faqs.org/rfcs/rfc3514.html
This has been available to us since 4/1/03, and comes to us via Steve Bellovin, a security guy of note.
What you do with a computer does not constitute the whole of computing.