One of the great new tools in Windows Vista and Windows 7 is the ICACLS command line command. While I’m very annoyed with Microsoft for not supporting the old CACLS syntax and adding the features of ICACLS (all our old CACLS-based batch files break), I have to admit that a few capabilities are very welcome. One such capability is the function used to export and import ACLs from and into objects.

For example, imagine you are about to make several permission changes to a directory structure. You want to ensure you can revert to the current permission structure if you make mistakes. ICACLS allows you to quickly export the permissions for an entire directory structure with the /save switch.

The ICACLS syntax for ACL (or permission) export is as follows:

ICACLS folder_name\* /save filename.acl /T

The /T switch is used to indicate that directory recursion should be used. The /save switch is used to export the results. For example, to save the permissions in a directory named HORSES on the C: drive and all subdirectories and folders, execute the following command:

ICACLS C:\HORSES\* /save horses.acl /T

The file, horses.acl, will contain the permissions in text format. Later, you can import the permissions with the /restore switch if required. To restore the permissions, execute the following ICACLS syntax:

ICACLS C:\HORSES /restore horses.acl

Of course, the ICACLS command provides syntax for permission management as well as backing up and restoring the permissions; however, this new feature is one of the most important to know about. Hopefully, you find this information useful.

Tweet This Post

If the TSA would only scan boarding passes as the passengers go through security, they could determine which passengers have been selected for "random" screening many times in the past and ensure that they are not wasting their time on the same person again and again. For example, I have a friend who flies frequently (3-4 times each month like me) and he said he has not been "randomly" selected once this year.

The biggest problem is that we're depending on extremely biased machines to randomize the passengers. These biased machines are also known as humans. Maybe one TSA agent always selects the person they feel will be most cooperative. Maybe they select every fifth person through to attempt pure randomization. Through observation tests, I can assure you that no such pattern is used even if they are told to use such a pattern. In one sixty minute period I observed 53 passengers going through security. No humanly trackable pattern appeared in the selection process.

However, one interesting pattern did appear. Of the 53 people passing through, 7 were selected for additional screening. Of the 53 passengers, 4 helped other people with an item that fell or some other needed assistance. Not one of these four people were selected.

This made me so curious that I had to do an experiment. While sitting at the Atlanta airport, where hundreds trudge through security each hour, I was able to observe a security lane where the "random selector" agent could clearly see everyone as they were preparing to come through. In just over two hours, I observed 27 people helping someone else through the line. Again, they were not selected for additional screening.

Now, clearly, further research is required to verify this bias, but the preliminary counts seem to indicate that you can greatly increase your odds of avoiding "random" selection by helping someone on the way through the line. And this is just one example of the bias within the human machine.

So, how do we fix this. Simple, an alternating pattern must be used to select the "random" passengers. Each TSA agent can be assigned a pattern (one could be the 3, 5, 2, 1, 7, 3, 5, 2, etc and another be 4, 5, 2, 5, 3, 2, 1, 4, 5, 2, 5, etc) and the "random selector" agent can be replaced with another agent after 3-4 iterations of the pattern making it difficult for pattern watchers to discover the pattern.

Additionally, to add variety to the pattern, if a passenger has been screened more than 3 of the last 5 times they've flown within the last sixty days, the agent is notified through a vibration signal with a hip mounted device. The agent simply passes over this passenger and continues his pattern with the next passenger. Of course, this would require boarding pass scanning outside of security, but maybe this would provide some real value at the point of entry in opposition to what we have now.

Now, I know what you're thinking, "Tom, this sounds too confusing." I say that the TSA agents are paid very well and we should not hesitate to require this ability and skill from them. Those who can't cut it, simply find themselves in lower paid positions, such as the non-observing guard at the exit of security.

In the end, random just ain't random when humans are involved and it can actually make for weakened security. Just a thought.

Tweet This Post

How to prevent wireless DoS attacks

I think it's because, um, YOU CAN'T! You simply cannot prevent a wireless DoS attack against the RF layer of the network.

Don't let wireless intrusion prevention system (WIPS) vendors fool you. You can detect a wireless denial of service (DoS) attack, but you cannot prevent it if it is an RF-level attack. Sure, if it's a frame level attack, you can prevent it through algorithms and dynamic network configuration management procedures. But if you're dealing with a physical level (RF) DoS attack, you can only remove it once the source is located – you cannot prevent it.

All I need is a 2.4 GHz RF generator and I can blanket the entire 2.4 GHz license free ISM band that is used by 802.11 b/g/n. With a 5 GHz RF generator, I could potentially do the same for the U-NII bands used by 802.11a/n. The point is that an RF generator or set of such generators can completely saturate the available spectrum with energy levels that prevent functional communications on any allowed channel. Dynamic channel management and "self-healing" solutions cannot help with this.

A good old fashioned human being with a spectrum analyzer is one of the best ways to locate a physical layer wireless DoS attack. WISP solutions may also be able to triangulate the source of the attack if sensors or multi-purpose access points (access points that both provide wireless functionality and sensing abilities) are used; however, it's not like the WIPS system can somehow zap the attacking device and kill it (though that's a nice thought for the future). The end result is that a physical layer DoS simply CANNOT be prevented. It can only be mitigated (i.e., the severity is reduced by detecting it quickly, locating it and eradicating it).

Personally, I find no greater joy in my IT work than tracking down an attacker and letting him see me with my spectrum analyzer as he flees in fear (and I memorize is license plate number to report him to the police). Would I really even want a software program and hardware set to take away that joy?

Inventors of the world, if you can find a true solution that truly prevents wireless denial of service attacks, you can make billions. Get started.

UPDATE: About an hour after first writing this post I was extremely annoyed by the following press release:

http://www.airtightnetworks.com/home/news/press-releases/pr/article/123/airtight-wireless-dos-attack-prevention-named-top-security-innovation-for-2009.html

Notice the press release uses the phrase DoS attack prevention, but then the actual press release admits frankly that all it does is "counter wireless DoS attacks". My point is still the same: On a wired network, you can immediately shut of the port from which a DoS attack is originating . This can be accomplished in just a few seconds. You cannot accomplish this today when a wireless DoS attack is launched against the entire unlicensed spectrum in which your wireless LAN operates. Please, vendors, just be honest and quit using the word prevent in relation to wireless DoS attacks!

Tweet This Post