Security Auditing Wireless Networks. Ted J. Eull, viaForensics, October 12, 2011.


Page 1: Security Auditing Wireless Networks

Ted J. Eull, viaForensics

October 12, 2011

Page 2: Introductions

viaForensics
• Digital security via forensics. Leader in mobile forensics and security assessment
• Apply methods used for computer crime investigation and incident response proactively to enhance security
• Based in Oak Park, IL (Chicago suburb)

Ted Eull, VP Technology Services
• 10+ years in IT consulting, corporate and security
• Background in Web app development
• GWAPT, CRISC pending
• Not a wireless pen test specialist (sorry)

Page 3: Agenda

Why? Reasons to security audit your wireless devices and network

What? Identifying your wireless network components

How? Wireless audit & technical security assessment process

Who and When? Internal/External, frequency of assessment

Recommendations and Resources

Page 4: Why: Reasons to audit

CobiT: Linking Business Goals to IT Goals

Many reasons to leverage wireless

Key reasons to security audit

Page 5: Why: Reasons to audit

• Regulations, regulations
• Both industry and government
  – PCI / Payment Card Industry
  – GLBA / Gramm–Leach–Bliley Act
  – Federal Financial Institutions Examination Council / FFIEC
  – Health Information Portability and Accountability Act / HIPAA
  – Federal Energy Regulatory Commission / FERC
  – Sarbanes-Oxley / SOX

Page 6: Why: Duh.

• Protect your business / organization
  • Sensitive and proprietary information
  • Clients and business partner data
  • Reputation
• The reasons behind the regulations

Page 7: Why: Wireless Issues

From the FFIEC IT Examination Handbook: http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/access-control-/network-access-.aspx

Wireless Issues

Wireless networks are difficult to secure because they do not have a well-defined perimeter or well-defined access points. Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection. Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those risks, wireless networks rely on extensive use of encryption to authenticate users and devices and to shield communications.

Page 8: Why: Wireless Issues (continued)

If a financial institution uses a wireless network, it should carefully evaluate the risk and implement appropriate additional controls. Examples of additional controls may include one or more of the following:

• Treating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment;
• Using end-to-end encryption in addition to the encryption provided by the wireless connection;
• Using strong authentication and configuration controls at the access point and on all clients;
• Using an application server and dumb terminals;
• Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference; and
• Monitoring and responding to unauthorized wireless access points and clients.

Page 9: Why: The threats

Data Interception
• Can be intercepted at distance with directional antennas (Wi-Fi sniper rifles clocked at > 10 miles)
• WEP can be cracked in seconds
• TKIP is vulnerable to a keystream recovery attack which can allow injection of certain frames; this can enable ARP poisoning and DoS, for example. AES is better.
• WPA/WPA2 vulnerable to dictionary attacks, rainbow tables and brute forcing.
• Many large organizations adopt a standard 802.1X configuration using EAP-TLS with user certificates and a RADIUS server for authentication. Although considered very secure, be aware that it can still expose username and domain in the clear when authenticating.

Page 10: Why: The threats

Denial of Service
• Signal/frequency jamming
  • Cheap portable devices from China
• Deauth Attack
  • Management frames are sent in the clear for 802.11a/b/g/n, which includes deauth frames. 802.11w protects management frames, which prevents deauth attacks, but it has only been adopted by a few vendors
  • A small laptop or handheld device can send out deauth requests continually, which drops clients. Can even be targeted at a certain vendor (e.g. all Apple devices)
  • WIDS should detect this
• Channel Reservation
  • Attacker can send out repeated frames with a maximum wait duration and silence the channel, for equipment that follows the 802.11 spec
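
An added example, not part of the deck, of the check a WIDS performs for the deauth attack described above: a sliding-window rate rule over parsed management frames. The frame records, MAC addresses, window and threshold are constructed for illustration; a real sensor would feed it decoded frames from monitor mode.

```python
from collections import defaultdict, deque

# Constructed sample of parsed 802.11 management-frame records, not a real capture:
# (timestamp in seconds, frame subtype, source MAC, destination MAC).
# "aa:bb:cc:00:00:01" is the made-up corporate AP; a deauth flood spoofs the AP's
# address so clients believe the AP itself is disconnecting them.
SAMPLE_FRAMES = [
    (0.00, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
    (0.10, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:01"),  # one deauth: idle timeout, normal
    (1.00, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
] + [
    # 40 broadcast deauths in 0.8 s: far above anything a real AP emits.
    (5.0 + i * 0.02, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff") for i in range(40)
]


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Flag any source MAC that emits more than `threshold` deauth frames within
    a sliding window of `window_s` seconds. Returns [(src_mac, window_start, count)],
    one alert per source. `frames` must be in timestamp order."""
    recent = defaultdict(deque)  # src MAC -> timestamps of its recent deauths
    alerts, alerted = [], set()
    for ts, subtype, src, _dst in frames:
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop deauths that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerts.append((src, q[0], len(q)))
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for src, start, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {src}: {count} frames within {start:.2f}s window")
```

The same rule catches the vendor-targeted variant from the slide, since it keys on the spoofed source address rather than on the victims' addresses.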

Page 11: Why: The threats

Rogue Access Points
• Unauthorized APs plugged into the internal LAN.
• Can be detected by some enterprise APs which scan for nearby rogue APs, and also by scanning the internal LAN for the management interface of popular wireless routers.
• Can be detected by regular site surveys using Wi-Fi scanning equipment and directional antennas.
• Spectrum analyzer capability is useful to catch highly covert installations and devices tuned off-band so as to avoid detection by standard equipment.

Page 12: Why: The threats

Misconfigured APs
• With the vast number of configuration options, it requires a great deal of planning, testing, on-going maintenance and training to operate a large Wi-Fi installation.

Ad Hoc and Software APs
• Can allow an attacker to connect directly to a corporate laptop inside a building and route traffic onto the corporate LAN, bypassing network security.

Client Driver Attacks
• Exploiting bugs in Wi-Fi drivers of clients to remotely execute code on a victim's device without even needing a Wi-Fi network.
• Defense is to keep client drivers patched, but still exposed to zero days

Page 13: Why: The threats

Misbehaving Clients and Evil Twin APs
• Clients forming unauthorized connections accidentally or intentionally
• If the corporate SSID is hidden, it will cause the client device to continually probe for it wherever it goes, leaking information and providing the ability for devices to be tracked.
• If a client has previously connected to a hidden open network, or an open network with a common name such as Starbucks or McDonalds, then an attacker can easily trick the client into connecting to their AP, from where a MITM attack can occur.
• If a user is allowed to connect to any Wi-Fi network, then they could be enticed to connect to an attacker's AP with the promise of free Wi-Fi or because it looks like an official corporate one.
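
An added example, not from the deck, covering both the rogue AP case (Page 11) and the evil twin case on this page: a site survey is compared against an inventory of authorized APs, and an unknown BSSID advertising a corporate SSID is the evil-twin signature. The inventory, survey rows, SSIDs and MAC addresses are constructed.

```python
# Constructed inventory of authorized APs (BSSID -> expected SSID and channel).
# Addresses and SSIDs are made up for this example.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", 6),
    "00:11:22:33:44:02": ("CorpWiFi", 11),
    "00:11:22:33:44:03": ("CorpGuest", 1),
}
CORPORATE_SSIDS = {ssid for ssid, _channel in AUTHORIZED_APS.values()}

# Constructed site-survey output, one row per observed AP:
# (BSSID, SSID, channel, signal strength in dBm).
SURVEY = [
    ("00:11:22:33:44:01", "CorpWiFi", 6, -45),
    ("00:11:22:33:44:02", "CorpWiFi", 11, -60),
    ("de:ad:be:ef:00:01", "CorpWiFi", 6, -40),          # unknown BSSID using our SSID
    ("de:ad:be:ef:00:02", "Free Public WiFi", 1, -70),   # open network, not ours
    ("00:11:22:33:44:03", "CorpGuest", 13, -55),         # ours, but not on the inventoried channel
    ("c0:ff:ee:00:00:01", "NETGEAR", 11, -62),           # default-named AP, maybe plugged into LAN
]


def classify_survey(survey, authorized, corporate_ssids):
    """Compare a survey against the inventory. Returns findings as
    (kind, bssid, ssid, channel, signal_dbm), strongest signal first, since a
    loud unknown AP is more likely to be on premises than a neighbour's.
      evil_twin           unknown BSSID advertising a corporate SSID
      inventory_mismatch  authorized BSSID whose SSID/channel differ from inventory
      unknown_ap          unknown BSSID; walk it down with a directional antenna
    Authorized APs that match the inventory produce no finding."""
    findings = []
    for bssid, ssid, channel, signal in survey:
        if bssid in authorized:
            exp_ssid, exp_channel = authorized[bssid]
            if (ssid, channel) != (exp_ssid, exp_channel):
                findings.append(("inventory_mismatch", bssid, ssid, channel, signal))
        elif ssid in corporate_ssids:
            findings.append(("evil_twin", bssid, ssid, channel, signal))
        else:
            findings.append(("unknown_ap", bssid, ssid, channel, signal))
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings


if __name__ == "__main__":
    for kind, bssid, ssid, channel, signal in classify_survey(SURVEY, AUTHORIZED_APS, CORPORATE_SSIDS):
        print(f"{kind:18} {bssid}  ssid={ssid!r:20} ch={channel:<3} {signal} dBm")
```

A rogue that clones an authorized BSSID and channel produces no finding here; that gap is what the LAN-side scan for router management interfaces and the spectrum analyzer on Page 11 are for.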

Page 14: Why: In short

• Because it is a scary cyber world out there
• To determine whether wireless technologies are properly managed and secured, in accordance with overall enterprise IT governance

Page 15: What: Wireless components

• WLAN
  • IEEE 802.11 spec
  • aka Wi-Fi
  • b/a/g/n
• Router/access point
• Wireless clients
• Typical range has nearly doubled in 10 years
• Anything else?

Page 16: What: More than WLAN

Page 17: What: More than WLAN

Identify all use of wireless to evaluate potential risk
• Cellular (3G, LTE)
• Bluetooth
• Radio-frequency identification / RFID
• Near field communication / NFC
• Zigbee

Not all may require security assessment, but each should be understood and evaluated

Page 18: What: More than WLAN

When identifying wireless in the enterprise, think outside the WLAN
• Warehouse (RFID)
• PC & mobile accessories (Bluetooth)
• “Smart Meters” (Wi-Fi, Zigbee)
• And most of all…

Page 19: What: More than WLAN

Mobile devices and more mobile devices

By 2013, mobile phones will overtake PCs as the most common Web access device worldwide [Gartner].
• Often consumer devices (iOS, Android)
• Cellular + Wi-Fi
• Inexpensive
• Flexible
• Fast evolving
• Easy to secure
• Just kidding

Page 20: How: Audit Process

• You decided auditing wireless is a good idea
• Risk Assessment
  • Identify technology in use
  • Threat profiling: start bottom-up, i.e. consider all threats to the tech in use
  • STRIDE threats: Spoofing Identity, Tampering with data, Repudiation (insufficient logging), Information Disclosure, Denial of Service, Elevation of Privileges
  • Try to construct realistic scenarios
  • Find pre-constructed scenarios
  • Have business stakeholders involved

Page 21: How: Audit Process

• Evaluate Risk
  • Consider industry and company-specific regulatory, policy and risk factors
  • Use DREAD or other rating system
    • Damage + Reproducibility + Exploitability + Affected Users + Discoverability
  • Consider potential cost of “worst case scenario”
  • Evaluate security countermeasures and controls in place which can mitigate threats
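
An added example, not part of the deck, of the DREAD rating applied to threat scenarios taken from the earlier slides. The 1-10 scale per factor, the factor ratings and the High/Medium/Low thresholds are assumptions chosen for illustration; the scenario set is the kind of output the threat profiling step on Page 20 produces.

```python
# DREAD factors, each rated 1 (low) to 10 (high). The scale is an assumption for this example.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

# Constructed ratings for scenarios drawn from the threat slides (illustrative numbers only).
SCENARIOS = {
    "WEP key recovery on legacy AP":     dict(damage=9, reproducibility=10, exploitability=9, affected_users=8, discoverability=9),
    "Deauth flood against office WLAN":  dict(damage=4, reproducibility=10, exploitability=8, affected_users=9, discoverability=7),
    "Rogue AP on internal LAN":          dict(damage=9, reproducibility=6, exploitability=5, affected_users=8, discoverability=4),
    "Hidden-SSID probe leak (tracking)": dict(damage=3, reproducibility=9, exploitability=7, affected_users=5, discoverability=8),
}


def dread_score(rating):
    """DREAD score = (D + R + E + A + D) / 5, i.e. the mean of the five factor ratings.
    Rejects a rating that is missing a factor or uses a value outside 1..10."""
    missing = set(DREAD_FACTORS) - rating.keys()
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        if not 1 <= rating[factor] <= 10:
            raise ValueError(f"{factor} must be in 1..10, got {rating[factor]}")
    return sum(rating[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score):
    """Bucket a score for the risk map. Thresholds are an assumption; tune to the
    organisation's risk appetite and the regulatory drivers on Page 5."""
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_scenarios(scenarios):
    """Return [(name, score, band)] sorted highest risk first; ties keep input order."""
    ranked = [(name, dread_score(r), risk_band(dread_score(r))) for name, r in scenarios.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, score, band in rank_scenarios(SCENARIOS):
        print(f"{score:4.1f}  {band:6}  {name}")
```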

Page 22: How: Technical Process

• Perform Security Assessment: Scope
  • Scope appropriate for risk
  • Vulnerability assessment vs. penetration testing
  • Test active production systems
  • Plan to trigger detection / countermeasures

Page 23: How: Technical Process

• Perform Security Assessment: Review
  • Design review of Wi-Fi infrastructure
    • Authentication
    • Defense in depth
    • Physical AP placement, security
    • Signal coverage
  • Configuration review of Wi-Fi infrastructure to make sure it is configured correctly
    • Firmware versions
  • Review mobile device controls and security

Page 24: How: Technical Process

• Perform Security Assessment: Scan
  • Site survey with directional antenna and some good scanning software to identify rogue APs. Use a spectrum analyzer to pick up covert or malfunctioning wireless devices.
  • Test WIDS/WIPS if present by undertaking malicious activity such as deauth attacks and Evil Twin APs
  • Scans for client devices, such as:
    • Pineapple Karma attack to see who connects
    • Sniffing authentication to corporate Wi-Fi
    • Scanning for vulnerable client Wi-Fi drivers (can crash devices)

Page 25: How: Technical Process

• Wi-Fi Pineapple and Jasager
  – Jasager = “The Yes Man”
  – Portable Wi-Fi router built for initiating MITM position
  – Web interface for attacker, showing currently connected clients with their MAC address, IP address (if assigned) and the SSID they associated with
  – Run scripts on IP assignment
  – Full logging for later review
  – Extensible, with additional modules
  – Easy to set up phishing attacks
  – About $100 from http://hakshop.com/

Page 26: How: Technical Process

• Perform Security Assessment: Mobile Devices
  • Forensic analysis of mobile devices that access the network and store data
  • Assess data exposure
  • Test efficacy of security controls (e.g. passcode, remote wipe)
  • Examples of issues uncovered:
    • Network username/password easily recoverable
    • Corporate email in user backups
    • Passcode enforcement and remote wipe failure
    • Keychain dump (iOS)

Page 27: How: Technical Process

• Mobile Risk Study from viaForensics
  • Focused on iOS & Android
  • Key issues, recommendations
  • Risk scenarios, risk map
  • Corporate policy recommendations
  • Comparison to BlackBerry
  • Lab tests of MS Exchange ActiveSync policy implementation
  • Technical review of encryption, passcode protection, malware vulnerability, etc.
  • High-level overview of Mobile Device Management (MDM) software
  • Available this month (online purchase/download)

Page 28: Who: Internal or External

• Some level of internal assessment capability should be maintained

• Leverage external specialized expertise for more complete vulnerability assessment or pen test

• Experienced testers should perform more than automated scans

• Security certifications good, wireless-specific even better (e.g. GAWN)

Page 29: When: And how often

• Depends on enterprise audit program
• At least annual basic assessment
  • Identify technologies, infrastructure, devices
  • Check configurations, logging
  • Level set with overall security policies
• Regular mobile device audits
• Frequency of vulnerability scans, pen tests depends on corporate risk evaluation
• Ongoing security through active monitoring, such as WIDS/WIPS

Page 30: Recommendations

WEP

Page 31: Recommendations

• Assume all wireless traffic can be intercepted
• Isolate wireless from corporate LAN
• If Wi-Fi on LAN is necessary, use strong authentication, isolated VLAN and NAC
• Use IDS/IPS for continuous monitoring
• Test security systems such as WIDS
• Implement reliable VPN for mobile workers, use GPO to require VPN when off LAN
• Assess how mobile devices are being used and where data is going
• Policy and training for users on wireless security

Page 33: Resources

• RFID tools (rfidiot, proxclone reader/cloner)
  • http://hackaday.com/2007/03/25/rfidiot-rfid-io-tools/
  • http://proxclone.com/reader_cloner.html
• Other tools
  • Aircrack http://www.aircrack-ng.org/
  • Kismac / KisMAC http://www.kismetwireless.net/
  • Wireshark http://www.wireshark.org/
  • Ettercap http://ettercap.sourceforge.net/
  • Pineapple http://hakshop.com/products/wifi-pineapple

Page 34: Questions?