Security Watch

Wireless Client Update for XP SP2

Plus: secure e-transactions, baseless Russian hacker hysteria, more.

Four significant changes to wireless networking have been made for 32-bit versions of Windows XP with SP2 applied. The changes include increased Group Policy support as well as alterations to the way the system probes for preferred networks:

  • WPA2 support has been added to the Wireless Network Policies node of the Computer Configuration Group Policy Object.
  • Wireless Networks set up in Windows XP can now be specified as either broadcast or non-broadcast. Networks specified as broadcast are no longer probed when the client cannot find a preferred network.
  • When a wireless adapter is “parked,” which is a state where it is not currently connected to any network and is scanning every 60 seconds for a preferred network, some drivers may interpret this state as a valid network. A random network name is assigned, which may be discoverable by a criminal. Should that happen, it may be possible for the criminal to connect to the system while in this state. The update causes a random strong encryption key to be applied to the random network created.
  • The update also prevents systems from connecting to newly created ad hoc networks and forces the user to choose which network they want to connect to. This should help prevent criminals from connecting to the system while it probes for an ad hoc network.

This column was originally published in our weekly Security Watch newsletter.

Russian Terrorists May Try Cyber attacks
A Russian computer security expert uses FUD to try and drum up more state-funded efforts to combat cyber crimes.

Seems this is the week for FUD! Despite no cyber terrorism events being recorded in Russia, this guy has suggested physical incidents of terrorism by Chechens as somehow indicative that, in the future, they will focus on Russia’s increasingly wired infrastructure.

No reasonable explanation is offered as to why he thinks this, except the fact that he believes the Russian government is understaffed and ill-trained to thwart an attack. While this clearly offers a suggestion terrorists might consider, the fact that it has not happened anywhere suggests terrorists aren’t terribly interested in such an attack.

In any event, it is hard to see the value in such stories beyond suggesting that investment in Russia is ill-advised.

E-gold Operator Identifies People Who Misuse System
You’re damned if you do and damned if you don’t. E-gold’s president, Douglas Jackson, says he’s having a tough time getting law enforcement to cooperate regarding his discovery of suspicious transactions while e-gold is being investigated by the U.S. Secret Service.

According to Jackson, he’s been tracking suspicious activity on this service for a year in an effort to expunge the company’s name from its association with carders, botnet owners and child pornography rings. Seems law enforcement would be willing to work with him, but won’t guarantee they won’t use the information he provides against e-gold should they feel it points in that direction.

Very chicken-and-egg-like. E-gold has started suspending accounts it deems suspect and -- according to one individual -- without providing much reasoning when it does so. It's hard to tell at this point who is in the wrong, but clearly someone is. If e-gold is the festering pool of criminal transactions it's been made out to be, it's high time something happened to reverse that, whether it means them ceasing some or all transactions either at their own behest or with influence from law enforcement.

Teenager Ran Internet Banking Scam
A 16-year-old that New Zealand police sent to computer training courses in order to improve his behavior has been charged with and admitted to 26 counts of fraud. The youth defrauded banks of nearly $45,000.

Talk about being out of touch with the times. Clearly there is far more criminal activity to be found by a 16-year-old online than there typically is in the physical world, and online criminal activity is far more stealthily conducted. It might have been better to have the kid pick up garbage on the side of the highway than to teach him to spew it on the Information Superhighway.

RFID Personal Firewall
A research paper on preventing or managing the reading of RFID tags within your personal space has won Best of Show at the Usenix LISA '06 conference. The paper (.PDF here) describes how to build a unit from commercially available off-the-shelf components.

Unfortunately, it seems that the authors have failed to recognize that the device they describe will make an excellent tool for thieves who want to ensure the RFIDs on the goods they steal cannot be detected.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
