RADIUS Insecurity; Hotfix Reporter; New Security Services and Risks

Do you run RADIUS for authentication in your network environment? If so, you might be interested in a new paper, "An Analysis of the RADIUS Authentication Protocol," which Joshua Hill posted on the BugTraq mailing list on November 12. Hill dissects the protocol to reveal half a dozen vulnerabilities that an attacker can use in various combinations to compromise a network. The vulnerabilities originate mostly from what Hill considers to be the misuse of MD5 (a hash function) as a cipher primitive. Hill also makes several suggestions for improving the protocol, and he points out that the Internet Engineering Task Force (IETF) is working on a new authentication protocol specification called DIAMETER. Stop by Hill's Web page to read the paper, which also includes information about DIAMETER.
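The "MD5 as a cipher primitive" point is easiest to see in how RADIUS hides the User-Password attribute. The following is an added example, not code from the page or from Hill's paper: it implements the User-Password hiding scheme of RFC 2865 section 5.2 (a CFB-style chain of MD5 digests XORed over the padded password), plus a small server-side check that flags repeated Request Authenticators, since the keystream for the first block depends only on the shared secret and that authenticator. The shared secret, the password and the fixed Request Authenticator are constructed sample values; a real client must draw the Request Authenticator from a strong random source.

```python
import hashlib
from collections import Counter
from typing import Iterable, List

BLOCK = 16  # MD5 digest length; RADIUS hides User-Password in 16-octet blocks


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 s5.2: each keystream block is MD5(shared secret || previous block).
    # "previous block" is the Request Authenticator for the first block and the
    # previous *ciphertext* block afterwards. MD5 is being used here as a
    # stream-cipher keystream generator, which is the misuse Hill describes.
    return hashlib.md5(secret + prev).digest()


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Return the hidden User-Password value for an Access-Request."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    # Pad with NULs to a multiple of 16 octets, then XOR block by block.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), BLOCK):
        ks = _keystream_block(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], ks))
        hidden += block
        prev = block  # chain on the ciphertext block just produced
    return bytes(hidden)


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recover the password from the hidden attribute value."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        ks = _keystream_block(secret, prev)
        plain += bytes(x ^ k for x, k in zip(c, ks))
        prev = c
    return bytes(plain).rstrip(b"\x00")  # strip the NUL padding


def reused_request_authenticators(authenticators: Iterable[bytes]) -> List[bytes]:
    """Defender-side check: a Request Authenticator seen more than once under
    the same shared secret reuses the first keystream block, so the hiding of
    the first 16 password octets degrades to XOR with a fixed pad. Returns the
    authenticators that repeat so a server or log monitor can alert on them."""
    counts = Counter(authenticators)
    return [ra for ra, n in counts.items() if n > 1]


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed sample value
    ra = bytes(range(16))              # constructed; real clients use os.urandom(16)
    hidden = hide_user_password(b"correct horse", secret, ra)
    print(hidden.hex())
    print(unhide_user_password(hidden, secret, ra))
    print(reused_request_authenticators([ra, bytes(16), ra]))
```

Hiding and unhiding are the same XOR walk in opposite directions, which is exactly the shape of a stream cipher; nothing in the construction authenticates the Access-Request or binds the keystream to anything other than the secret and the 16-octet Request Authenticator, which is why the quality of that authenticator matters so much.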

If you use the Microsoft HFNetChk tool, which checks systems for installed and missing hotfixes, you know that the output the tool presents could be improved. Maximized Software provides a freeware complement for HFNetChk called "Hotfix Reporter," which further automates hotfix checking and reporting. The tool consists of command (.cmd) files and an executable that converts the tabbed HFNetChk output into a formatted .html file for viewing with a Web browser. In the HTML report, Hotfix Reporter displays related Microsoft Security Bulletins and TechNet articles as clickable links, compares scans against the same system to determine whether new hotfixes are available, and lets you hide hotfixes that you want to ignore.

In addition, the Hotfix Reporter Web site offers advice about how to perform actions such as automating HFNetChk scans, emailing subsequent reports to a given account, and automating the download of the Microsoft-related mssecure.xml file, which HFNetChk uses to determine the state of hotfixes on a given system. Hotfix Reporter seems to be a great tool you might want to add to your toolkit.

The Denver Post ran an interesting story on November 5 about a new security firm called Fuzion Security, which offers a new vulnerability-assessment service called AsseZment. Customers already include firms such as Qwest and OppenheimerFunds. According to the news story, AsseZment produces a "report that shows what the company's security risks are, how much it will cost to address the risks and how much the company can expect to save by addressing the risks. The report also prioritizes the most significant security risks."

Since 1992, Fuzion Security founders have written 14 books on security-risk assessment, and they've spent the last 14 months developing their new services. You can learn more at the Fuzion Security Web site.

Did you hear about the college students who managed to break the security of bank ATMs? The Cambridge students published details of their findings last week, much to the dismay of banks and customers everywhere. Apparently, most ATMs run standard software in conjunction with an IBM 4758 cryptographic co-processor. The IBM device uses the Common Cryptographic Architecture (CCA) technology, which relies on Data Encryption Standard (DES) to protect sensitive information. Attackers have shown repeatedly that DES is vulnerable to attack. Now, using off-the-shelf software, the college students have proven that any unscrupulous bank employee can steal funds from unsuspecting banks and banking customers.

Although Ross Anderson (also of Cambridge University) first exposed the vulnerability in February 2001, apparently no one took action to correct the matter. But now that the Cambridge students have revealed the exploit, banks might begin to better protect their assets and the assets of their customers. Be sure to stop by and read the report.
