cia xxiv copyright (c) 2004 robert c. jones, m.d. all rights reserved. wireless lan in security 2004...


Upload: ashlie-morrison

Post on 20-Jan-2016


Page 1: CIA XXIV Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved. Wireless LAN IN security 2004 Robert C. Jones, M.D. LtCol, USAF, Medical Corps

Wireless LAN INsecurity 2004

Robert C. Jones, M.D.

LtCol, USAF, Medical Corps

Staff Anesthesiologist

Andrews Air Force Base, Maryland

E-mail: [email protected]

Web site: http://www.notbob.com


Disclaimer: Fair Use of Online Resources

In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted. According to Sections 107 and 504c of United States Code title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for non-commercial purposes only. “Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:

– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.

The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.

This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way

Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of Department of Redundancy Department [DoRD])

Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity

FAIR USE NOTICE: This contains copyrighted material, which is reproduced under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. This material is posted without profit for the benefit of those who, by accessing this material, are expressing a prior interest in this information for research and educational purposes.


"We came across a company with one of these wireless networks. All their source code, everything was available. This network was beaconing, 'log onto me'...

It basically had its Rolls-Royce parked in the driveway, engine running, with a sign saying 'steal me.' "

-- Thubten Comberford of White Hat Technologies, a wireless security firm.

http://www.wirelessdevnet.com/articles/80211security/

Wireless INSecurity in the News

http://www.wral.com/technology/2465963/detail.html

Wireless INSecurity is Big Business

$100.00 per page…Think what a bargain this lecture is!


The Basic Network Security Pyramid


Wireless Security 2003

What this talk is about

• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References


You can’t afford perfect security

“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”

Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419

What this talk is NOT about

• Cellular communication technology: GSM, CDMA, 2G, 2.5G, 3G, 4G…
• Uncommon alternatives to Wired LANs: Powerline technology, IR, laser, Avian IP
• How to hack the airwaves for fun & profit
• How to ensure 100% WLAN security
• AFH* Topics: TEMPEST, HAARP, ECHELON

*Aluminum Foil Hat


This Talk Is Not For You If:

http://www.geocities.com/Area51/Dreamworld/1799/UNnwo2.html


Introduction to Wireless vs. Wired Networking

Wired Networking
• Inexpensive infrastructure (CAT5 cable + NICs)
• Expensive deployment (drilling through walls)
• Reconfiguring network topology difficult
• Difficult (not impossible!) to intercept communication
• Worldwide exposure to intruders if connected to Net
• Fast! (10/100 Mbps Ethernet, Gigabit Ethernet…)
• Negligible interference from environment

Basic Wired Network Topology

[Diagram labels: Router, Firewall]

Introduction to Wireless vs. Wired Networking

Wireless Networking
• Expensive infrastructure (clients+APs=cha-ching!)
• Inexpensive deployment (protocols supported in OSes)
• Reconfiguring network topology trivial (?too trivial?)
• Ridiculously easy to intercept communication
• Geographically constrained exposure to intruders*
• Relatively Slow (“11Mbps” marketingspeak = 5 Mbps)
• Massive environmental interference (ISM, path loss)

*ad hoc intranetworks

Basic Wireless Network Topology: Infrastructure Mode (using AP)

[Diagram labels: Firewall, Access Point]

Advantages: AP security; isolated net connection

Disadvantages: AP cost, complexity; broadcast range

Basic Wireless Network Topology: P2P Ad Hoc Networks

[Diagram label: Firewall]

Advantages: no addt’l hardware; geographically constrained

Disadvantages: unmanaged P2Pnet issues; geo. constrained

Basic WLAN Discovery

Beacon Mode (default for 802.11b)
• 10 Hz signal with SSID in clear text + info regarding security support by AP (WEP, 802.1x, etc.)

Beacon mode shut off: probe from station (STA)
• probe from STA with SSID = blank or “any”
• valid SSID returned

Basic WLAN Authentication & Association

• Authentication: process of verifying the credentials of a client asking to join a WLAN
• Association: process of connecting a client to a given AP in the WLAN
• 802.11 standard specifies 3 states:
  – Unauthenticated + Unassociated
  – Authenticated + Unassociated
  – Authenticated + Associated

Authentication

Default: Open authentication (+/- MAC/SSID filtering)
• “give me access”
• “granted”

Shared Key Authentication (e.g., WEP)
• “give me access”
• Authentication challenge
• Authentication response
• “granted”

Generic Wireless Security Exploits

• Physical Theft
• Eavesdropping
• Data Modification
• Identity Spoofing/Masquerading
• Denial of Service (DoS)

Let’s Get Physical

• Physical theft of laptop/PDA 3rd most common network security threat facing businesses (2003)
• Laptop = Expensive; Proprietary Data = Priceless
• No one is immune (FBI; DEA; IRS; State Department; Qualcomm CEO…)
• Theft of proprietary data #1 cause of financial loss by corporations

References:
State Dept.: http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,54791,00.html
FBI/DEA/IRS: http://www.nwfusion.com/newsletters/sec/2002/01514404.html
Qualcomm CEO: http://zdnet.com.com/2100-11-523990.html?legacy=zdnn

Source: http://www.gocsi.com/awareness/fbi.jhtml

Generic Wireless Network Exploits: Physical Theft (Before)

[Diagram labels: Firewall, Access Point]

Generic Wireless Network Exploits: Physical Theft (After)

[Diagram labels: Firewall, Access Point]

Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving

[Diagram labels: Firewall, Access Point, “Gotcha!”]

Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building

[Diagram labels: Firewall, Access Point, Your Competitor, Tabloid, Terrorist]

Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs

[Diagram labels: Firewall, Access Point, Rogue Access Point]

Generic Wireless Network Exploits: Eavesdropping Case 4: P2P Ad Hoc Networks

[Diagram label: Firewall]

Insecure modem connection

Insecure connection to outside APs
• Unwise placement
• High-power client
• Unauthorized antenna

The 100 meter myth

• Increasingly powerful 802.11x clients available
• 200 mW PCMCIA cards advertise 6000+ ft range: http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
• Most WiFi® adapters have external antenna connections; even homemade antennas work well

Generic Wireless Network Exploits: Data Modification (Man in the Middle Attack)

[Diagram labels: Firewall, Access Point; Alice, Cats, Bob; Listen, Read, Corrupt, Forge, Send, Corrupt, Chortle; “Need project now!”; “Meeting postponed; go home early”]

Ref: Edney J, Arbaugh, WA, Real 802.11 Security, pp. 37-40

Generic Wireless Network Exploits: Identity Spoofing

[Diagram labels: Firewall, Access Point]

Alice, Bob
MAC Address: 0000deadbeef; SSID: default

Cats
Spoof MAC Address: 0000deadbeef; SSID: default

Looks like your company’s IP to the FBI!

Generic Wireless Network Exploits: Denial of Service (DoS)

[Diagram labels: Firewall, Access Point; 2.4 GHz jammer, microwave oven, Bluetooth device, Cell phone]


Risks of Specific WLAN technologies

• 802.11x/WiFi™
  – ISM vulnerability
  – MAC/SSID authentication insecurity
  – WEP insecurity
• Bluetooth
• HIPERLAN/2 (Europa: ETSI*)
• HiSWAN (日本: MMAC†)

*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm

†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/

IEEE 802.11 Risks

• ISM: Industrial, Scientific, and Medical Spectrum
• Not reserved: Allocated for “Amateur” use
• Long list of things that cause interference in 2.4 GHz range:
  – 2.4 GHz cell phones/portable phones
  – Microwave ovens
  – Stained glass windows
  – Portable jammers (illegal in USA)

MAC/SSID Vulnerability

• MAC = media access control address
  – Hardcoded in all NICs
  – Easily Spoofed (Win 9x, Linux; not WinXP)
• SSID = Service Set Identifier
  – Used to define networks
  – By default, broadcast by access points
  – Will be given out by AP if client configured with “any” or blank SSID

Default SSIDs

• 3Com: comcomcom
• Cisco: 2, tsunami, WaveLAN Network
• Compaq: Compaq
• DLink: WLAN
• Intel: 101, 195, xlan, intel
• Linksys: linksys, Wireless
• Netgear: Wireless
• Zcomax: any, mello, Test

http://www.iss.net/wireless/WLAN_FAQ.php
http://www.cirt.net/cgi-bin/ssids.pl

With AP manufacturer, trivial to determine default Administrator username/password!

WEP…what is WEP?

• Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
• First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
• Never intended to provide strong security; Goals:
  – “Reasonably strong” (dependent on key length)
  – “Self-synchronizing” (for “best effort” delivery)
  – “Efficient” (low processor overhead)
  – “Exportable” (pre-1999 ITAR climate [Phil Zimmermann])
  – “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks; DISABLED out of the box by all OEMs as of 2003 AFAIK*)

*AFAIK = As far as I know


Encryption Basics

• Need to hide message (plaintext) = needle
• Generate random stuff (encryption key) = piece of hay
• Multiply random stuff (keystream) = haystack
• Hide message in haystack (XOR): needle + haystack (ciphertext)

Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm
http://www.mesda.com/files/infosecurity200309.pdf; http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html

[Figure: XOR Logic Gate]


How is WEP supposed to work?

• Secret key combined with IV, run through WEP cipher PRNG (RC4)
• Plaintext XORed with key sequence (irreversible without key)
• Ciphertext output sent over airwaves after encapsulation into IP packets

http://standards.ieee.org/getieee802/download/802.11-1999.pdf


What is RC4?

• One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
• Efficient streaming cipher (low overhead)-- used in SSL encryption (online banking, etc.)
• Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
• Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!

From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>

SUBJECT: RC4 Source Code

I've tested this. It is compatible with the RC4 object module
that comes in the various RSA toolkits.

/* rc4.h */

http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain


Why is WEP Broken?

• First paper: Fluhrer, Mantin, Shamir (encryption flaws)
  http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
• WEP attack using FMS method: Stubblefield, Ioannidis, Rubin
  http://www.cs.rice.edu/~astubble/wep/
• WEP standard implements RC4 improperly
  http://www.rsasecurity.com/rsalabs/node.asp?id=2009
  - Flaws in key scheduling algorithm
  - Large number of weak keys: encryption easily cracked
  - IV is sent in the clear with each chunk– subtract 24 bits of IV from encryption key length

http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
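The encapsulation from the "How is WEP supposed to work?" slide and the IV points above, as an added Python example (not code from the talk or from any WEP product). It shows that the IV travels in the clear, that a "64-bit" key holds only 40 secret bits, and that two frames sharing an IV share a keystream, which is the weakness WPA's rekeying is meant to remove. The frame layout is simplified to IV, one key-ID byte and ciphertext; the key, IV and messages are constructed sample values.

```python
"""WEP-style encapsulation with RC4, and what a repeated IV gives away (added example)."""
import struct
import zlib

IV_LEN = 3  # 24-bit IV, transmitted unencrypted in front of every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || key-ID byte || RC4(IV || secret) XOR (plaintext || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + secret_key, len(body))  # per-frame RC4 key
    return iv + b"\x00" + xor(body, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the clear-text IV and check the ICV."""
    iv, ciphertext = frame[:IV_LEN], frame[IV_LEN + 1:]
    body = xor(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch")
    return plaintext


def effective_secret_bits(marketed_bits: int) -> int:
    """The advertised key length includes the 24 public IV bits."""
    return marketed_bits - 8 * IV_LEN


def reused_iv_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV means same keystream, so it cancels: C1 xor C2 == P1 xor P2."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[IV_LEN + 1:], frame_b[IV_LEN + 1:])


# Constructed sample values, not taken from any real network.
SECRET_KEY = bytes.fromhex("0102030405")   # 40 secret bits of a "64-bit" key
IV = bytes.fromhex("a1b2c3")
MSG_A = b"lab results: negative"
MSG_B = b"lab results: positive"

if __name__ == "__main__":
    frame_a = wep_encrypt(SECRET_KEY, IV, MSG_A)
    frame_b = wep_encrypt(SECRET_KEY, IV, MSG_B)   # IV reused
    print("IV visible in frame:", frame_a[:IV_LEN].hex())
    print("secret bits in 64-bit WEP:", effective_secret_bits(64))
    leak = reused_iv_leak(frame_a, frame_b)[:len(MSG_A)]
    print("P1 xor P2 recovered without the key:", leak == xor(MSG_A, MSG_B))
    print("zero bytes mark where the two messages agree:", leak.hex())
```

The zero bytes in the last line mark every position where the two messages are identical, obtained without the key; that is why key length alone does not rescue WEP.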


Quick Fix for WEP: WPA

• WPA = “WiFi™ Protected Access”
• Available as software/firmware upgrade for most chipsets/manufacturers now or soon
• Subset of upcoming 802.11i security architecture
• Patches major vulnerabilities in WEP:
  - TKIP fixes IV weakness, adds MIC, key mixing, rekeying
  - Supports enterprise user authentication via EAP and 802.1X
  - SOHO mode: Pre-Shared Key (PSK): autorotates key for you

http://www.newswireless.net/articles/021123-protect.html


Risks of Specific WLAN technologies

• 802.11x/WiFi™
  - ISM vulnerability
  - MAC/SSID authentication insecurity
  - WEP insecurity
• Bluetooth
• HIPERLAN/2 (Europa: ETSI*)
• HiSWAN (日本: MMAC†)

*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm

†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/


Risks of non-802.11x WLAN technologies

• Bluetooth
  - Minimal security “out of the box”– need to RTFM
  - Security upgrade in B’tooth Spec. 1.2
    http://www.itsecurity.com/tecsnews/jun2003/jun255.htm
  - Red Fang: Bluetooth device discovery tool from @Stake (formerly L0pht Heavy Industries)– proof of concept; not very practical
    http://www.kewney.com/articles/0300910-bluestake.html
  - References: http://www.webdesk.com/bluetooth-security-issues/; www.giac.org/practical/GSEC/Tu_Niem_GSEC.pdf
• HIPERLAN/2
• HiSWAN


HIPERLAN/2 and HiSWAN: Future Technologies for Future Talks

Technology needs to “hit the street” for serious security issues to arise


What this talk is about

• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101


Wardriving 101

• Definition: Mobile discovery of WLANs
• Derived from term “wardialing”: automated dialing of telephone numbers looking for modems (“Wargames”)
• Related terms: Warwalking, warflying, warchalking…
• NOT illegal in USA as of 2003: open ISM spectrum
• HOWEVER, ethical wardrivers NEVER connect to the networks they detect, let alone implant/steal data therefrom (see Jeff Duntemann, Drive-by WiFi Guide)
  http://www.paraglyphpress.com/pr02242003.php


Why Wardrive?

• Fun: Sense of adventure a la 007
• Informative: Teaches one about WLAN security
• Cheap Hardware: Laptop + client +/- antenna +/- GPS
• Free Software: Netstumbler, BSDAirtools, Airsnort…
• Camaraderie: Group wardriving contests popular
• 31337 Hobby: In-crowd lingo (WEP, )(, tsunami)
• Business tool: Audit your own network to improve security/demonstrate insecurity to management


Wardriving Hardware

• Old laptop with WLAN client +/- GPS
• Pigtail– connects wireless card to antenna
• Antenna– omnidirectional, magnetic mount, low profile best

http://www.wardriving.com/fiva.jpg; Duško i Vlado prizivaju bežične signale: http://www.monitor.hr/interview/ wireless.htm (in Croatian, from Zagreb)


Wardriving Software

NetStumbler http://www.netstumbler.com/

MacStumbler http://www.macstumbler.com/

BSDAirtools http://www.dachb0den.com/projects/bsd-airtools.html

AirSnort http://airsnort.shmoo.com/

Kismet http://www.kismetwireless.net/

Wellenreiter http://www.wellenreiter.net/

Lots of other tools: http://wardrive.net/wardriving/tools


Preparing for Safe and Ethical Wardrive

• Use non-production box (old laptop)– just in case
• Change network ID to generic name (e.g., MSHOME, localhost)
• Update client software/firmware
• Uninstall TCP/IP from supported wireless card
• Uninstall TCP/IP from integrated wireless (if any)
• Spoof MAC address of wireless card (can’t in XP)
• Delete preferred networks (XP): Control Panel | Network | Card | Properties | Wireless Networks | Preferred Networks


Disable prior to wardrive to prevent auto-connection to discovered APs


MAC Address Spoofing

Orinoco Gold on Win 98SE

edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints (YMMV RTFM HTH)

Red Hat Linux: http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain


Conducting Safe and Ethical Wardrive

• Read up on local/national laws before you set out
• Be careful with pigtails– fragile!
• Put laptop in back of car (behind driver) to prevent distraction (local laws against watching TV, etc. + common sense safety measure)
• Drive during day– no suspicious eerie glow
• Optimum speed around 30 MPH
• Screenshots: shift|print screen or graphics program (PaintShop Pro, etc.); stop car safely if alone

PSP8: http://www.jasc.com


Results of a “WarSit™” in San Francisco


Wardriving + GPS

http://www.netstumbler.com/nation.php


Here there be Warchalkers

• Mainly mythical meme
• Originated by Matthew D. Jones, Ph.D.
• Open node symbolized by )(
• Often used as 31337 shorthand for wardriving
• Don’t Warchalk: the world has enough graffiti

http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf


What this talk is about

• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications


The Basics to Do Now

• Pay attention to geographical location of AP (parking lot coverage)
• Disable file & print sharing if not needed; never share root
• Disable SSID broadcasting (default = enabled for most products)
• Change the SSID to something non-default which says nothing about you or network (boring = good; Smithfamilydiamonds = bad)
• Upgrade firmware of AP/client to increase security (WPA)
• Change default administrator login/password for AP
• Set authentication to “Shared Key” or “Auto”, not “Open System”
• Configure AP to enable MAC address filtering (not perfect, yes…)
• Enable WEP/WPA
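One way to turn part of this checklist, together with the vendor list on the "Default SSIDs" slide, into a repeatable audit of access points you administer, as an added Python example (not part of the original talk). The `AccessPoint` fields, the finding codes and the three inventory entries are assumptions constructed for illustration; only the default SSIDs come from the slide.

```python
"""Audit your own AP inventory against the baseline checklist (added example)."""
from dataclasses import dataclass

# Vendor default SSIDs exactly as listed on the "Default SSIDs" slide.
DEFAULT_SSIDS = {
    "3Com": ["comcomcom"],
    "Cisco": ["2", "tsunami", "WaveLAN Network"],
    "Compaq": ["Compaq"],
    "DLink": ["WLAN"],
    "Intel": ["101", "195", "xlan", "intel"],
    "Linksys": ["linksys", "Wireless"],
    "Netgear": ["Wireless"],
    "Zcomax": ["any", "mello", "Test"],
}

# Reverse index: lower-cased SSID -> vendors shipping it. Matching ignores
# case on purpose, so "TSUNAMI" is still reported as a near-default name.
SSID_VENDORS = {}
for vendor_name, ssid_list in DEFAULT_SSIDS.items():
    for default_ssid in ssid_list:
        SSID_VENDORS.setdefault(default_ssid.lower(), []).append(vendor_name)


@dataclass
class AccessPoint:
    """Settings of one AP as recorded by its administrator (hypothetical schema)."""
    name: str
    ssid: str
    broadcasts_ssid: bool
    encryption: str            # "none", "WEP" or "WPA"
    admin_login_changed: bool
    mac_filtering: bool


def default_ssid_vendors(ssid: str) -> list:
    """Vendors whose factory SSID matches, or an empty list."""
    return SSID_VENDORS.get(ssid.strip().lower(), [])


def audit(ap: AccessPoint) -> list:
    """Return finding codes for one AP, in checklist order."""
    if ap.encryption not in ("none", "WEP", "WPA"):
        raise ValueError(f"unknown encryption setting: {ap.encryption!r}")
    findings = []
    if default_ssid_vendors(ap.ssid):
        findings.append("default-ssid")         # also hints at the default admin login
    if ap.broadcasts_ssid:
        findings.append("ssid-broadcast")
    if ap.encryption == "none":
        findings.append("no-encryption")
    elif ap.encryption == "WEP":
        findings.append("wep-only")             # upgrade firmware to WPA
    if not ap.admin_login_changed:
        findings.append("default-admin-login")
    if not ap.mac_filtering:
        findings.append("no-mac-filter")
    return findings


def worst_first(inventory: list) -> list:
    """AP names ordered by number of findings, most exposed first."""
    return [ap.name for ap in sorted(inventory, key=lambda ap: -len(audit(ap)))]


# Constructed inventory for illustration only.
INVENTORY = [
    AccessPoint("clinic-front", "linksys", True, "none", False, False),
    AccessPoint("ward-3", "w3-net", False, "WEP", True, True),
    AccessPoint("admin-office", "TSUNAMI", True, "WPA", True, True),
]

if __name__ == "__main__":
    for ap in INVENTORY:
        print(f"{ap.name:13} {ap.ssid:9} {', '.join(audit(ap)) or 'ok'}")
    print("fix first:", worst_first(INVENTORY))
```

Items that need judgement, such as AP placement or whether an SSID reveals something about its owner, are left to the person doing the audit.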


Bbbbut…isn’t WEP broken?

• Yes, but…just because your front door can be picked, doesn’t mean you shouldn’t lock it!
• Never be low hanging fruit for attackers
• If you just enable WEP: more secure than 75% of WLAN users (according to wardriving data)
• If you enable WEP + change SSID from default + change AP logon/pw: more secure than 95% of lusers


Enabling WEP

Orinoco Gold on Win 98SE

Linksys pic modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg


Advanced WEP

Freeware key generators create pseudorandom keys for you to enter

Rotate keys frequently (weekly for business, monthly for home at minimum)

Make sure highest key-length WEP is enabled (remember, 64 bit WEP key is really just 40 bits long [thanks, marketing!])

Upgrade WEP to WPA as soon as possible (look for WPA support for all new hardware)


Advanced WLAN Security: Topology Options

• Treat all wireless communication as insecure
• Put AP on “unsafe” side of firewall
• Use VPN (private tunnel) through internet to reach internal network
• Impractical for SOHO networks (expensive; throughput hit)

[Diagram: Firewall between “Safe Side” and “Unsafe Side”]


Advanced WLAN Security Upgrades

• 802.1X port-based authentication– requires dedicated authentication server (or server process in AP)
• RADIUS authentication: for enterprises only
• IEEE 802.11i = WPA + RSN; currently in draft form
• RSN: Robust Security Network: 802.1X + EAP + AES (non-WEP encryption protocol) – will likely need hardware upgrade to run RSN without major hit on throughput; likely available in “mature” form in 2005-6 (world will be beta-testing 802.11i during 2004)

RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003


What this talk is about

• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues


Future WLAN Security Issues

• Biological hazards of radio communications
• Military implementation of DOS vs. WLANs/cellular
• Geographic extension of WLAN-- ablation of security through propinquity (ELF; satellites with ultra-sensitive sensors)
• Legal aspects (HIPAA, due-diligence) and need to implement security & audit for rogue APs, wardrivers
• Follow-on Technologies: UltraWide Band (UWB), others


WLAN = Biohazard?

• 3G networks have been shown to affect cognition of volunteers & create headaches, nausea
  - Interestingly, enhanced memory and alertness
• As we become surrounded by WLANs, PANs, WANs, and cellular broadcasting towers, are we harming our fragile neurological systems?
• No evolutionary exposure to MW radiation at current levels…will our children’s children adapt?

http://edition.cnn.com/2003/TECH/ptech/10/01/g3.health.reut/index.html


Beware the Wolfpack

• Small, autonomous sensor-jammers that intelligently coalesce into WLAN on battlefield; 6 lb canisters initiate RF DOS within 500 meter radius
• Link together to overpower enemy’s WLAN/cellular communications
• Part of DARPA XG (Next Generation) RF dominance initiative

http://www.theregister.co.uk/content/69/32361.html

http://www.defenselink.mil/news/Aug2003/n08142003_200308147.html

http://www.darpa.mil/DARPATech2002/presentations/ ato_pdf/speeches/MARSHALL.pdf

http://www.darpa.mil/ato/programs/wolfpack.htm


Physician, Audit Thyself

Lots of commercial products out there to audit networks for rogue APs, P2P connections, wardrivers

May become legal requirement in future for HIPAA compliance (along with advanced security afforded by RSN/802.11i [final standard anticipated May 2004])

http://www.airdefense.net/products/index.html
http://www.airmagnet.com/products/handheld.htm
http://www.wildpackets.com/products/airopeek

Pictured: Airmagnet Handheld PAK®


• Prevent theft; BIOS pw; encrypt sensitive files
• Assume wardrivers, snoopers all around you
• Got WPA/802.1X?
• Change default; don’t broadcast
• Change default admin logon/pw
• Enable; rotate keys manually
• Upgrade WEP ASAP
• 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
• Patch OS frequently to plug wireless security holes; read media for new WLAN exploits


The Tao of Network Security

1994-1999: Information Access


The Tao of Network Security

1994-1999: Information Access

2000-2005: Information Denial


What this talk is about

• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References


Online Resources

WLAN Specifications

•WiFi™ Alliance (formerly WECA): http://www.weca.net/

•IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html

•IEEE 802.11i: Latest draft (private): http://grouper.ieee.org/groups/802/11/private/Draft_Standards/11i/802.11i-D6.0.doc Lots of interesting documents: http://www.ieee802.org/11/Documents/DocumentHolder/

•Bluetooth: https://www.bluetooth.org/

•HIPERLAN/2: Official Specs: http://www.hiperlan2.com IEEE Communications Overview: http://www.ihp-ffo.de/systems/Doc/Vorlesung/MC/ %DCbung/Gruppe7-Hiperlan/0130khun.pdf

•HiSWAN: http://www.arib.or.jp/mmac/e/index.htm

•Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149


Online Resources

Basic 802.11 Security

•WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php

•WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf

•WEP Insecurity: http://www.cs.rice.edu/~astubble/wep/wep_attack.html

•WPA: http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf

•Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf

•Netstumbler: http://www.netstumbler.com

•Wireless Glossary: http://www.devx.com/wireless/Door/11333

•Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html


Online Resources

Advanced WLAN Security/Continuing Security Education

•SANS http://www.sans.org

•Cool list of WLAN Security Links: http://is-it-true.org/pt/ptips23.shtml

•Google it: search Google for “WLAN security” and/or “WiFi® security”

•Still More whitepapers: http://www.wlana.org/learning_center.html


Online Resources

AFH Topics

•People are stupid: Wireless Equivalent Privacy: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search

•People are stupid 2: Wireless Encryption Protocol: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22

•HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html

•ECHELON: http://www.europarl.eu.int/tempcom/echelon/ pdf/rapport_echelon_en.pdf

•TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html


Offline Resources

Books/Articles: Computer Security Essentials

Skoudis, Ed, Counterhack, Upper Saddle River, NJ: Prentice Hall PTR 2002. ISBN 0-13-033273-9 (amazing book! dozens of black-hat techniques with countermeasures)

Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 (a classic)

Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0 (first edition includes excellent appendix on basics of ISO/OSI TCP/IP stack)


Offline Resources

Books/Articles: WLAN Security

Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable & entertaining; most practical 3-space reference thus far)

Peikari C, Fogie S, Maximum Wireless Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])

Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (cool time-travel aspect of copyright [to make it seem more current]; almost incomprehensible at times, but good reference)
