An Interesting Side Note

I noticed, today, that CNBC.com was listing the 10 unhappiest states. A few days ago, I noticed they listed the most religious states. Interestingly, when I compared these, 3 of the unhappiest states were in the list of the top 10 least religious states. None of the top ten most religious states were in the list of the 10 unhappiest states. Is there a connection? Don't know, but I sure found it interesting. Particularly since the 10 most religious states that are not among the 10 unhappiest states have similar unemployment rates (with the obvious exceptions of Michigan and California) and much lower median income rates with matching sales tax rates. It doesn't appear that wealth has much to do with happiness, but religion just may. Curious.

You Cannot Prevent a Wireless DoS Attack (wireless denial of service attack)

I'm not sure why it's such a big deal to me, but I get very frustrated by articles and blogs with titles like the following:

How to prevent wireless DoS attacks

I think it's because, um, YOU CAN'T! You simply cannot prevent a wireless DoS attack against the RF layer of the network.

Don't let wireless intrusion prevention system (WIPS) vendors fool you. You can detect a wireless denial of service (DoS) attack, but you cannot prevent it if it is an RF-level attack. Sure, if it's a frame-level attack (a deauthentication or disassociation flood, say), the WIPS or the access points can counter it by classifying the forged frames and adjusting the network configuration, and 802.11w protected management frames take that lever away from the attacker altogether where clients and APs support it. But if you're dealing with a physical-level (RF) DoS attack, you can only remove it once the source is located; you cannot prevent it.

All I need is a 2.4 GHz RF generator and I can blanket the entire 2.4 GHz license-free ISM band used by 802.11b/g/n. With a 5 GHz RF generator I could do the same for the U-NII bands used by 802.11a/n. The point is that an RF generator, or a set of them, can saturate the available spectrum with energy at levels that prevent functional communication on every allowed channel. Dynamic channel management and "self-healing" solutions cannot help with this, because there is no clean channel left to move to.

A good old-fashioned human being with a spectrum analyzer is one of the best ways to locate a physical-layer wireless DoS attack. WIPS solutions may also be able to triangulate the source of the attack if sensors or multi-purpose access points (access points that both serve wireless clients and act as sensors) are used; however, it's not like the WIPS can somehow zap the attacking device and kill it (though that's a nice thought for the future). The end result is that a physical-layer DoS simply CANNOT be prevented. It can only be mitigated (i.e., the severity is reduced by detecting it quickly, locating it and eradicating it).
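To make the detect-versus-prevent distinction concrete, here is an added triage rule (my example, not part of the original post or any WIPS product) that separates a frame-level DoS, which an AP or WIPS can counter, from a physical-layer RF DoS, which can only be detected and located. The per-channel readings are constructed; on a real network they would come from a WIPS sensor or a spectrum analyzer, and the thresholds are assumptions rather than vendor values.

```powershell
# Added example, not part of the original post: tell a frame-level DoS (deauth flood, which an
# AP or WIPS can counter) apart from a physical-layer RF DoS (energy across the band, which can
# only be detected and located). Readings and thresholds below are constructed/assumed.

function Get-WirelessDosVerdict {
    param(
        [object[]]$Readings,          # one object per channel: Channel, NoiseFloorDbm, FramesPerSec, DeauthPerSec
        [int]$NoiseFloorDbm = -65,    # assumed: at or above this the channel is unusable
        [int]$MinFramesPerSec = 5,    # assumed: fewer decoded frames than this means nothing gets through
        [int]$DeauthPerSec = 50       # assumed: deauth rate that indicates a flood, not normal roaming
    )
    $channels = $Readings.Count
    $jammed  = @($Readings | Where-Object { $_.NoiseFloorDbm -ge $NoiseFloorDbm -and $_.FramesPerSec -lt $MinFramesPerSec })
    $flooded = @($Readings | Where-Object { $_.DeauthPerSec -ge $DeauthPerSec })

    # Energy on (nearly) every channel with no decodable traffic: nothing to filter, nothing to
    # reconfigure. Detect, locate, remove the source.
    if ($jammed.Count -ge [math]::Ceiling($channels * 0.75)) {
        return "RF-level DoS: noise floor at or above $NoiseFloorDbm dBm on $($jammed.Count) of $channels channels. Channel hopping will not help; locate the source with a spectrum analyzer or sensor triangulation."
    }
    # Forged management frames on a channel that is otherwise clean: this is the case a WIPS
    # (or 802.11w protected management frames, where supported) can actually counter.
    if ($flooded.Count -gt 0) {
        $list = ($flooded | ForEach-Object { $_.Channel }) -join ', '
        return "Frame-level DoS: deauth flood on channel(s) $list with a normal noise floor. Counterable: classify and contain the spoofed BSSID, enable 802.11w where supported."
    }
    # A few bad channels with the rest clean is interference, not a band-wide attack.
    if ($jammed.Count -gt 0) {
        $list = ($jammed | ForEach-Object { $_.Channel }) -join ', '
        return "Narrowband interference on channel(s) $list. Dynamic channel selection can steer around it."
    }
    return "No DoS indicators in this sample."
}

# Constructed sample 1: a wideband jammer across the 2.4 GHz band (channels 1-11).
$jammerSample = 1..11 | ForEach-Object {
    New-Object PSObject -Property @{ Channel = $_; NoiseFloorDbm = -52; FramesPerSec = 0; DeauthPerSec = 0 }
}

# Constructed sample 2: a deauth flood on channel 6 only; the noise floor is normal everywhere.
$floodSample = 1..11 | ForEach-Object {
    $deauth = 0
    if ($_ -eq 6) { $deauth = 400 }
    New-Object PSObject -Property @{ Channel = $_; NoiseFloorDbm = -95; FramesPerSec = 800; DeauthPerSec = $deauth }
}

Get-WirelessDosVerdict -Readings $jammerSample
Get-WirelessDosVerdict -Readings $floodSample
```

The first sample produces the RF-level verdict and the second the frame-level verdict. The deciding signal is the noise floor, not the frame counts: a jammer leaves nothing to decode, so a sensor that only counts frames sees silence on every channel and cannot tell a jammer from an empty room.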

Personally, I find no greater joy in my IT work than tracking down an attacker and letting him see me with my spectrum analyzer as he flees in fear (and I memorize his license plate number to report him to the police). Would I really even want a software program and hardware set to take away that joy?

Inventors of the world, if you can find a true solution that truly prevents wireless denial of service attacks, you can make billions. Get started.

UPDATE: About an hour after first writing this post I was extremely annoyed by the following press release:

http://www.airtightnetworks.com/home/news/press-releases/pr/article/123/airtight-wireless-dos-attack-prevention-named-top-security-innovation-for-2009.html

Notice that the press release uses the phrase "DoS attack prevention," but the body then admits frankly that all the product does is "counter wireless DoS attacks". My point is still the same: on a wired network, you can immediately shut off the switch port from which a DoS attack originates. This can be accomplished in just a few seconds. You cannot accomplish this today when a wireless DoS attack is launched against the entire unlicensed spectrum in which your wireless LAN operates. Please, vendors, just be honest and quit using the word "prevent" in relation to wireless DoS attacks!

SQL Server 2008 R2 Editions

Microsoft has changed the edition structure for SQL Server 2008 R2 by adding two new editions: Datacenter and Parallel Data Warehouse. The Datacenter edition adds features for management improvement and support for more than 8 processors. The Parallel Data Warehouse edition supports much larger data stores and enhanced data warehouse functions. For more information about these new editions and the traditional editions and what they'll look like in SQL Server 2008 R2, visit this page:

http://www.microsoft.com/sqlserver/2008/en/us/R2-editions.aspx

Windows 7 – boot.ini is Dead!

Starting with Windows Vista (though many IT professionals missed it, since Vista was largely ignored), the boot.ini file is no longer used to store boot configuration information. Instead, the Boot Configuration Data (BCD) store is used. Windows Server 2008, and now Windows 7 and Server 2008 R2, also use the BCD. Instead of editing boot.ini, you use the command-line tool BCDEDIT to work with the BCD store. To learn more about BCDEDIT, launch an elevated command prompt (right-click Command Prompt on the Start menu and select Run as administrator) and type bcdedit /?. You'll see all the built-in help in its full glory.

You'll also see that you have to work with nasty long BCD entry identifiers (GUIDs in braces). Thank God we have Quick Edit mode. If Quick Edit mode isn't enabled (or you've disabled it), right-click the Command Prompt shortcut and select Properties. On the Options tab, check QuickEdit Mode. Now you can highlight text with the mouse, press Enter to copy it, and then right-click anywhere in the window to paste it onto your command line. This removes the typos we make when retyping long values like the BCD entry identifiers.

Here are a few BCDEDIT commands you should know about:

Viewing the BCD data set:

  bcdedit

Backup the BCD data set:

  bcdedit /export filename

Restore the BCD data set:

  bcdedit /import filename

Set the default OS:

  bcdedit /default {identifier}

Note that you can use the keyword current when setting the default if you're currently booted into the system you wish to be the default. For example:

  bcdedit /default {current}

Remember, in Windows 7 boot.ini is dead, long live the BCD!
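Pasting identifiers is one way to avoid typos; the other is to never type them at all. The script below is an added example (mine, not from the original post) that exports the BCD store before touching it and then sets the default entry by its description, looking up the {GUID} from the output of bcdedit /enum. It assumes an elevated PowerShell prompt on Vista/7/Server 2008, an English-locale bcdedit (the field names it prints are parsed as text), and an entry described as "Windows 7"; adjust the parameters to your store.

```powershell
# Added example, not from the original post: back up the BCD store, then make an entry the
# default by its description instead of retyping its {GUID} identifier by hand.
# Assumes an elevated PowerShell prompt on Windows Vista/7/Server 2008 (bcdedit.exe needs it)
# and an English-locale bcdedit, since the field names it prints are parsed as text.

param(
    [string]$Description = 'Windows 7',                   # assumed description of the target entry
    [string]$BackupDir   = "$env:SystemDrive\BCDBackups"  # assumed location for exports
)
$ErrorActionPreference = 'Stop'

# 1. Export first. If the later change goes wrong, 'bcdedit /import <file>' puts it back.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('bcd-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
bcdedit /export $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed (are you running elevated?)" }

# 2. Turn 'bcdedit /enum' text into objects. Each entry is a block like:
#      Windows Boot Loader
#      -------------------
#      identifier              {current}
#      description             Windows 7
#    Blocks are separated by blank lines; indented continuation lines are skipped.
function ConvertFrom-BcdEnum {
    param([string[]]$Lines = (bcdedit /enum))
    $entry = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line.Trim())) {
            if ($entry) { New-Object PSObject -Property $entry }
            $entry = $null
            continue
        }
        if ($line -match '^identifier\s+(\S+)\s*$') {
            $entry = @{ identifier = $Matches[1] }
        } elseif ($entry -and $line -match '^(\w+)\s+(.+?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($entry) { New-Object PSObject -Property $entry }
}

$entries = @(ConvertFrom-BcdEnum)
$target  = @($entries | Where-Object { $_.description -eq $Description })
if ($target.Count -eq 0) { throw "No boot entry is described as '$Description'" }
if ($target.Count -gt 1) { throw "'$Description' matches $($target.Count) entries; pass the identifier instead" }

# 3. Point the boot manager at it. {current} would do the same when booted into that OS.
$id = $target[0].identifier
bcdedit /default $id | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /default failed" }
"Default entry is now $id ($Description); backup at $backup"
```

One PowerShell-specific trap when you type bcdedit commands by hand rather than through a variable: braces start a script block, so write the identifier in quotes (bcdedit /default '{current}'), otherwise bcdedit never sees the braces. The cmd.exe commands listed above don't have this problem.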

Windows 7 Application Compatibility List

The most up-to-date list of compatible (or incompatible) applications is now available from Microsoft. The Windows 7 Application Compatibility List for IT Pros can be downloaded from the Microsoft TechNet site. The list covers more than 7,000 applications, both business apps and games. It is a Microsoft Excel file that rates each application on a scale from compatible, through future compatibility, to incompatible. If your application is on this list, it will save you lots of analysis time, so take advantage of it. I know I am.

Viruses and Spyware and Wireless Clients

Many types of malware (malicious software) exist that an intruder can place on a computer to obtain information he could not get just by having regular file access to it. The most common types today are viruses and spyware. Viruses are capable of disabling desktop PCs, taking web sites down, and even overloading email servers. A wireless host connected to a public access network, or to an unsecured corporate wireless network, is a perfect place to plant a virus: the unsuspecting authorized user then carries it into the corporation, where it does its intended harm.

Trojan Horse applications (usually just "Trojans") are a category of malware that poses a serious threat to network security; unlike a virus, a Trojan does not replicate itself but relies on the user to run it. According to legend, the Greeks won the Trojan War by hiding in a hollow wooden horse to sneak into the fortified city of Troy. In today's computer world, a Trojan Horse is a malicious, security-breaking program that is disguised as something benign or even useful. For example, suppose a user downloads what appears to be a movie or music file, but when the file is opened, a dangerous program is executed. This new executable erases the user's hard disk, sends their credit card numbers and passwords to a stranger, or lets that stranger hijack the user's computer to commit illegal denial of service (DoS) attacks.

A worm is a related but distinct kind of malware. Worms self-replicate and self-propagate without needing to attach themselves to a host file, creating a very large-scale problem in a very short time. Many come as email worms that send themselves to everyone in a user's address book, disguised as harmless attachments. Worms often do most of their damage well before they are noticed.

Most worms, Trojans, and viruses can be caught and disinfected before they do damage by properly installed, configured, and updated virus-scanning software. Tons of such applications exist, and it has recently been suggested that running two of them simultaneously is worthwhile. Considering the high risk associated with wireless LANs, that belt-and-suspenders approach is worth considering, and using at least one scanner should be required. Pay close attention to the vendor's requirements, though: many vendors will not support their antimalware product running alongside another one, and two real-time scanners can end up fighting over the same files.

Another distinct, and relatively new (in the grand history of computing), type of malware is spyware. Spyware typically comes as a multi-featured software package that can:

  • Capture instant messenger traffic
  • Capture email traffic
  • Capture web site traffic and sites visited
  • Capture keystrokes and passwords
  • Be installed remotely and without an install dialog
  • Automatically form and publish web-based (HTTP) reports

One of the most widely used spyware packages is the monitoring software sold at spytech-web.com. When combined with utilities like Hyena and VNC that can push the spyware to unsuspecting hosts and remotely execute and control it, spyware becomes a powerful tool for gathering information. A hacker can then collect the gathered data by simply pointing his or her web browser at the authorized user's IP address and the port number defined by the spyware application.

Many web sites are dedicated to virus details, removing viruses, and avoiding re-infection. Two of the most popular sources are www.symantec.com and www.mcafee.com. Spyware is often not detected as a virus because it is an installed application that looks like any other authorized program. For this reason, companies have started making anti-spyware software that works much like a virus scanner but specifically hunts down spyware. Several companies produce products, such as Avast, that combine antivirus and anti-spyware in a single package. Keep in mind that a personal (host-based) firewall that blocks unsolicited inbound connections will, in most cases, stop the remote push-and-execute installs described above, and it also keeps outsiders from reaching the spyware's report port; it does nothing about malware the user runs themselves, so it complements the scanner rather than replacing it.
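Since the spyware described above announces itself by listening on a port for its HTTP report page, a quick check on a wireless client is to list every process that is listening for inbound connections and compare it with what you expect, then confirm the firewall profile that would block a hotspot neighbour from reaching it. The script below is an added example (mine, not from the original post or from any of the products mentioned). It targets Windows 7 / PowerShell 2.0, which has no Get-NetTCPConnection, so it parses netstat -ano; the expected-port baseline and the sample netstat lines are assumptions/constructed data, and it should run elevated so that process names resolve for every PID.

```powershell
# Added example, not from the original post: find out what is listening for inbound connections
# on a wireless client (how the spyware above exposes its HTTP report page) and show the
# firewall policy that blocks such unsolicited inbound traffic. Windows 7 / PowerShell 2.0.

# Assumed baseline: listeners a managed client is expected to have. Anything else is flagged.
$ExpectedPorts = @(135, 139, 445, 3389)

# Constructed sample in the format 'netstat -ano' prints; used for the dry run below.
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716',
    '  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4120',
    '  TCP    192.168.1.20:49160     198.51.100.7:443       ESTABLISHED     2288',
    '  UDP    0.0.0.0:5355           *:*                                    1076'
)

function Get-TcpListener {
    param([string[]]$Lines = (netstat -ano))
    foreach ($line in $Lines) {
        # Only TCP sockets in LISTENING state; the last column is the owning PID.
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port   = [int]$Matches[2]
            $procId = [int]$Matches[3]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                Port         = $port
                PID          = $procId
                Process      = $(if ($proc) { $proc.ProcessName } else { '<not running / access denied>' })
                Expected     = ($ExpectedPorts -contains $port)
            }
        }
    }
}

# Dry run against the constructed sample (port 8080 is flagged), then the live host.
'--- constructed sample ---'
Get-TcpListener -Lines $sample | Format-Table Port, LocalAddress, PID, Process, Expected -AutoSize
'--- this host ---'
$listeners = @(Get-TcpListener | Sort-Object Port)
$listeners | Format-Table Port, LocalAddress, PID, Process, Expected -AutoSize

$unexpected = @($listeners | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    $summary = ($unexpected | ForEach-Object { "$($_.Process):$($_.Port)" }) -join ', '
    Write-Warning "Unexpected listeners (check each one): $summary"
}

# The host firewall is what keeps a hotspot neighbour from reaching those listeners at all.
# Look for 'BlockInbound' under 'Firewall Policy' for the Public profile.
netsh advfirewall show publicprofile
```

An unexpected listener is not proof of spyware (plenty of legitimate software opens ports), but every entry that is not on your baseline deserves a process name you recognise and a reason to be there; an unfamiliar process serving HTTP on a high port is exactly the report page the text describes.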

Windows Vista and Windows 7 come with the Windows Defender application. I personally run Avast and Windows Defender on my computers and have not had a single virus or spyware problem in 2009. And this is on computers that I use frequently for security and hacking research. Needless to say, this means I end up at cracking sites quite a lot. I am by no means perfectly protected with this combination, but I am far better off with my wireless clients configured with this protection.