May 28th, 2010
Lately, Google has been apologizing for mistakenly collecting data from unprotected Wi-Fi networks with the fleet of vans the company has sent out for its StreetView service. Some have pointed out that, by leaving their wireless networks unprotected, companies had no reason to expect their data would not be collected somehow.
And so we have another example of what can happen when data and communications are left unprotected. You’re even susceptible to accidental disclosure of information. What other accidents might occur? One thing that comes to mind is accidental loss of bandwidth. Someone who doesn’t know any better might turn on their laptop and find that they have Internet access. What they didn’t realize is that they automatically connected to your network, and while they are streaming high-quality video, your employees are struggling to get their work done.
Accidents will happen. If you must have a wireless network, and you still have not secured it, do something about it (hint: WPA2).
Posted in data protection, privacy by Mike Markiewicz | No Comments »
April 8th, 2010
Raise your hand if you use Microsoft’s Remote Desktop client. Keep your hand raised if you have ever wondered how a Remote Desktop session is secured. Finally, only keep your hand up if you have acted on your curiosity and now know the method of encryption used to secure RDP communications and how vulnerable it is to attack.
If your hand is still raised, congratulate yourself for being so security-conscious, but be aware that you are sitting at your computer with your hand in the air because a blog post told you to. As for everyone else, you should read on.
The good news is that the Remote Desktop Protocol (RDP) is indeed encrypted using RC4. The bad news is that RC4 is not the best form of encryption out there and can be susceptible to attack by a determined foe. There may be easier ways to grab protected information than trying to snoop on Remote Desktop sessions, but you should definitely be wary of what information is passing from your fingertips to the remote machine and back.
Older versions of Remote Desktop are vulnerable to man-in-the-middle attacks. This is even more worrisome because the man in the middle doesn’t even need to attack RC4. Your RDP data arrives completely decrypted and open for his perusal.
Do you or your employees regularly use Remote Desktop over the Internet with no further security measures in place? If so, I would recommend that you add them. Don’t know how? Contact us!
Posted in Technology & Tool Thursday by Mike Markiewicz | No Comments »
August 13th, 2009
In past blog posts, we’ve talked about how important it is to be aware of the encryption being used when communicating with your bank’s website or other sites where private information may be exposed. We’ve seen how web browsers try to help keep you on your toes, and we’ve encountered malicious programs that fool you into thinking your connection is secure when it’s not.
SSLPasswdWarning is a Firefox add-on designed specifically to avoid being tricked by something like sslstrip. If you click on or give focus to a password box, the add-on will examine the web page’s source to make sure that the password will be submitted using a secure connection. A warning box is shown, and the submission is halted if that is not the case. For instances when the site remembers your password and fills in the field for you, SSLPasswdWarning will also examine forms at the moment they are submitted.
Even if you feel like you cannot possibly be affected by programs like sslstrip, this add-on can make things more convenient for you. Sometimes, a website might present a login page that is not encrypted and only encrypt the password submission. Now, if you install this add-on, you can feel more comfortable about the security of your password without having to examine the page’s source code each time.
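The check described above, written out as an added example; this is not SSLPasswdWarning's own code, and the function name and sample pages are constructed for illustration. It reads a page's source, finds forms that contain a password field, and reports any whose submission target is not HTTPS.

```javascript
// Added example; function name and sample pages are constructed for illustration.
// From a page's URL and HTML source, list the password forms that would not
// submit over HTTPS. Static check only: script-driven submission and
// formaction overrides on buttons are not followed.
function findInsecurePasswordForms(pageUrl, html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Only forms that contain a password input are of interest.
    if (!/<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(body)) continue;
    const a = /(?:^|\s)action\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    // A missing or empty action submits back to the page's own URL.
    const action = a ? (a[1] ?? a[2] ?? a[3] ?? "") : "";
    let target;
    try {
      target = new URL(action, pageUrl); // resolves relative actions
    } catch (e) {
      findings.push({ action, target: null, reason: "unparseable action" });
      continue;
    }
    if (target.protocol !== "https:") {
      findings.push({ action, target: target.href, reason: "submits without TLS" });
    }
  }
  return findings;
}

// Constructed sample pages.
const field = '<input name="user"><input type="password" name="pass">';
const samples = {
  // Unencrypted login page, encrypted submission (the case in the post).
  httpsAction: `<form method="post" action="https://bank.example/session">${field}</form>`,
  // Same page with the action pointing at plain HTTP.
  httpAction: `<form method="post" action="http://bank.example/session">${field}</form>`,
  // Relative action inherits the page's scheme.
  relativeAction: `<form method="post" action="/session">${field}</form>`,
  // No password field: ignored.
  search: '<form action="http://bank.example/search"><input name="q"></form>',
};

function runSamples(pageUrl) {
  return Object.fromEntries(Object.entries(samples).map(
    ([name, html]) => [name, findInsecurePasswordForms(pageUrl, html).length]));
}
console.log(runSamples("http://bank.example/login"));
```

A relative or missing `action` inherits the scheme of the page itself, which is why the same form passes on an HTTPS page and is flagged on an HTTP one.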
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!
Posted in Technology & Tool Thursday by Mike Markiewicz | No Comments »
July 14th, 2009
In the previous Apache and SSL tutorial, we created a private key and a self-signed certificate for our secure server. What we did not cover was protecting the server’s key with a passphrase. It’s never a good idea to leave a private key sitting around in unencrypted form, so in this tutorial, we will encrypt it and learn what difficulties this brings about on a Windows system.
Posted in Tutorial Tuesday by Mike Markiewicz | No Comments »
July 2nd, 2009
Recently, Nick discussed how cross-site scripting (XSS) is one of the major areas of concern for Web application security and showed us how to avoid attacks from a coding perspective. Now, Mozilla Security has proposed a new defense against XSS called Content Security Policy (CSP).
Posted in Technology & Tool Thursday by Mike Markiewicz | No Comments »
June 2nd, 2009
For this week’s tutorial, I decided to set up a secure web server using Apache on my Windows system. This time, I will be covering generation of the certificate signing request (CSR) and a temporary self-signed certificate. If you would like to try this yourself, make sure that when you download Apache, OpenSSL is included.
Posted in Tutorial Tuesday by Mike Markiewicz | 2 Comments »
May 21st, 2009
Pinging is an easy way to determine if communication is possible between two hosts, but sometimes you need more information than an ICMP echo request can provide. hping is a nifty command-line tool that allows you to use different protocols and the features of those protocols to test how a host will respond to different scenarios. It can be a strong ally for network analysts who want to find all the holes in their network before the bad guys do.
Posted in Technology & Tool Thursday by Mike Markiewicz | 2 Comments »
April 9th, 2009
Gmail S/MIME is a pretty cool Firefox add-on that adds signing and encrypting capabilities to Gmail. The add-on integrates smoothly with the user interface so that you might think Google had added the feature themselves. It still needs some work (it’s currently at version 0.4) but has the potential to be a very useful tool for security-conscious users.
Posted in Technology & Tool Thursday by Mike Markiewicz | 4 Comments »
March 10th, 2009
A couple of years ago, Facebook.com revealed just how much information is shared on social networking sites when they introduced news feeds to the home page and user profile pages. These feeds made users nervous, perhaps because they had thought that their personal information was safe as long as it was not broadcast to everyone on their friend lists. In reality, it was a new way of distributing information that had always been available to them. Since then, Facebook has added a wide array of privacy options, yet we still find stories of people being fired because of something they said online.
How do you prevent this from happening to you? I guess one option could be to start removing Facebook friends until you are only connected to people that you completely trust, but then why use the site at all? You could instead make all of your not-so-close friends into “limited profile” friends who can only see certain parts of your information, but you will find that it is very difficult to separate your many friends into just two groups. There is another way, and that is what today’s tutorial is about.
Tags: Facebook
Posted in Tutorial Tuesday, privacy, users by Mike Markiewicz | 1 Comment »
February 26th, 2009
When you notice suspicious activity on your Windows system, it’s a good bet that whatever malware has breached your security measures has configured some mechanism to automatically launch the misbehaving process after a reboot. The Autoruns utility is very useful for finding and eliminating those items that allow malware to run without any user action.

Posted in Technology & Tool Thursday by Mike Markiewicz | 1 Comment »