University at Albany, School of Business, Center for Information Forensics and Assurance: Wireless Security


Wireless Security: Explosion of Devices

• Spectrums: 802.11x, Bluetooth, Infrared, Cellular, Radio, Microwave, Satellite


Wireless Security: Wireless Cities

August 21, 2004 BBC News

New York set for citywide wireless. In exchange for being able to mount up to 18,000 new lamp post-based antennas, to strengthen coverage around the five boroughs, the companies will pay the city government around $25m each year. "This is something that makes sense," he added. "The companies are anxious to do it, and we think it will improve service for New Yorkers."

There is already one patch of midtown Manhattan that provides an ideal glimpse of what a more wireless-friendly New York will be like.

Bryant Park has been providing a free service to any laptop user who wants access for many months now.

Source: http://news.bbc.co.uk/2/hi/technology/3578982.stm


Wireless Security: Albany, NY Wireless

August 21, 2004 Times Union

Internet hot spots popping up. On Tuesday, Lemery Greisler LLC will celebrate the first free, public wireless Internet hot spot in downtown Albany. But Omni Plaza, a brick courtyard across the street from the law firm's offices at 50 Beaver St., is just the centerpiece of the ground-up effort to blanket downtown with wireless Internet coverage.

"What we're unveiling is the pilot," said Scott Almas, a Lemery Greisler associate and driving force behind the effort. "There's a better mousetrap than these little access points. My vision was: Throw out some cheese, draw in the mouse and then put in a better mousetrap. That would be universal, ubiquitous coverage."

Earlier this year, Intel Corp. released a ranking of American cities with the best wireless access. Despite its Tech Valley moniker, the Albany-Schenectady-Troy area ranked 71st, behind regions such as Wichita, Kan., and Worcester, Mass. The as-yet-unnamed downtown effort is an attempt to change that.

"At some point this will be part of the municipal infrastructure," Almas said. "But until the mice come out, nobody has any interest in putting in a better trap."

Source: Times Union


Wireless Security: Albany, NY Access Points

[Figure: war driving in Albany, Empire State Plaza]


Wireless Security: Access to Wireless Data

July 1, 2004 CNN.com

Report: Homeland Security vulnerable to wireless hackers. WASHINGTON (CNN) -- Although charged with making the nation more secure, the Department of Homeland Security has not taken the steps needed to secure its own wireless communications, according to a report from the department's Inspector General.

Wireless messaging services played a critical role following the September 11, 2001 terrorist attacks. While cellular telephone service was out, key personnel remained in contact using messaging services.

But wireless technology can facilitate unauthorized access to wired networks and data through eavesdropping or theft. Those vulnerabilities increase the need for strong security controls.

The report concludes that Homeland Security cannot ensure that its sensitive information about terrorist threats and security is not being monitored, accessed, and misused.

Source: Times Union


Wireless Security: Wireless Concerns

• Security is the top issue with Wireless Ethernet
• A larger percentage of government respondents rated this as an issue compared to industry respondents.

Source: 2003 Wireless LAN Benefits Study, Cisco Systems


Wireless Security: Wireless Attacks

• Denial of Service
  – Jamming (by using a device which will flood the spectrum with noise and traffic)
  – Spoofing identity (through cloning the MAC address of another user and setting the signal strength greater than that user's)
  – Spoofed access points (clients are usually configured to associate with the access point with the strongest signal)
• ARP poisoning
  – Attacker can get packets and frames from the air by "poisoning" caches of MAC/IP combinations of two hosts connected to the "physical" network.
• Sleep Deprivation Attacks
  – People run programs on a wireless device to drain all of its power

Source: Wireless Attacks and Penetration Testing part 1, June 3, 2002


Session Hijacking Exploit Demonstration

• Vulnerability:
  – Inherent weaknesses in underlying protocols used on computer networks today
  – e.g. the ARP protocol's lack of authentication and limited table entries.
• Attack Scenario:
  – Start hunt and identify active sessions.
  – Passively monitor session.
  – Hijack the session.
  – Perform malicious activity.
  – Terminate the session.


Session Hijacking Protection/Detection

• Protection:
  – Use encryption.
  – Use strong authentication.
  – Configure appropriate spoof rules on gateways.
  – Monitor for ARP cache poisoning.
• Additional protection at the Data Link Layer:
  – Use port security feature on Ethernet switches.
  – Hard code ARP tables on your critical servers and turn off ARP on your network interfaces.
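
One way to act on the "Monitor for ARP cache poisoning" item, shown as an added example that is not part of the original presentation: a Python check over observed ARP replies that flags an IP address changing its MAC, a MAC claiming several IPs, and any mismatch with a hard-coded binding. The observation tuple format, the addresses and the static table are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies.
SAMPLE_OBSERVATIONS = [
    (100, "192.0.2.1", "00:11:22:33:44:55"),   # gateway
    (101, "192.0.2.10", "00:aa:bb:cc:dd:01"),  # server
    (160, "192.0.2.1", "00:11:22:33:44:55"),   # normal refresh
    (220, "192.0.2.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (221, "192.0.2.10", "de:ad:be:ef:00:99"),  # same MAC also claims the server
]

# Assumed static bindings for critical hosts (the "hard coded" ARP table).
STATIC_BINDINGS = {"192.0.2.1": "00:11:22:33:44:55"}


def detect_arp_anomalies(observations, static_bindings=None):
    """Return (timestamp, kind, detail) alerts for suspicious ARP bindings."""
    static_bindings = static_bindings or {}
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP a MAC has claimed
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        expected = static_bindings.get(ip)
        if expected and mac != expected.lower():
            alerts.append((ts, "static-binding-violation",
                           f"{ip} expected {expected} saw {mac}"))
        known = ip_to_mac.get(ip)
        if known and known != mac:
            alerts.append((ts, "ip-mac-change", f"{ip} moved {known} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Routers and proxy ARP can do this legitimately, so treat it as a lead.
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips",
                           f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_OBSERVATIONS, STATIC_BINDINGS):
        print(alert)
```
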


Conclusions


Computer Security: Layered Approach to Security

• Do not underestimate internal network threats.
• Apply industry best practices in day-to-day work.
• Use layered approach with information security.
• Take a proactive approach with information security.
  – Do not wait for an incident to happen and react when it may be too little, too late.


Acknowledgements: Organizations/People

• Thanks to the support of:
  – NY State Center for Information Forensics and Assurance, UAlbany
  – NY State Office for Cyber Security and Critical Infrastructure Coordination
  – New York State Police
• Thanks to Damira Pon, CIFA for assistance in preparing this presentation
• Thanks to Sandy Schuman and Steve Walter for organizing the Korean Executive talk


Additional Material


Appendix: Security Tools

| Tool Name | General Use | OS | Available From |
|---|---|---|---|
| Ettercap | Sniffer | Linux | http://ettercap.sourceforge.net |
| Hunt | Sniffer/Hijacking | Linux | http://lin.fsid.cvut.cz/~kra |
| Ethereal | Sniffer | Linux, Windows | http://www.ethereal.com/download.html |
| RPCScan2 | Scanner | Windows | http://www.foundstone.com |
| dcom2_scanner.c | Scanner | Linux | http://packetstormsecurity.com |
| Netcat | Scanner-Multipurpose | Linux, Windows | http://www.hack-box.info/bruteforce.html |
| John the Ripper | Password Cracker | Linux, Windows | http://www.openwall.com |
| Linux Kernel Patch | Kernel Security Patch | Linux | http://www.openwall.com/linux |
| BufferShield 1.01a | Kernel Security Patch | Windows | http://www.sys-manage.com/index10.htm |
| OverflowGuard | Kernel Security Patch | Windows | http://www.datasecuritysoftware.com |
| StackDefender | Kernel Security Patch | Windows | http://www.ngsec.com/ngproducts |
| Juggernaut | Sniffer/Hijacking | Linux | http://packetstormsecurity.com/ |
| TTY Watcher | Sniffer/Hijacking | Linux | http://www.cerias.purdue.edu |
| IP Watcher | Sniffer/Hijacking | Linux | http://www.engrade.com |


Appendix: Wireless Protocols

| Name | Description |
|---|---|
| CDPD (Cellular Digital Packet Data) | Supports wireless access to Internet from cell phone networks. |
| HSCSD (High Speed Circuit Switched Data) | Enables data transfer from GSM networks. |
| PDC-P (Packet Data Cellular) | Packet switching message system used in Japan |
| GPRS (General Packet Radio Service) | Specification for transfer on GSM/TDMS networks. |
| CDMA (-2000 1xRTT) | Radio Transmission Technology |
| Bluetooth | Specification for short distance wireless communication between two devices |
| IrDA | Infrared light communication between two devices. |
| LMDS (Local Multipoint Distribution Service) | Broadband wireless point to multipoint using microwave communications |
| MMDS (Multichannel Multipoint Distribution Service) | |
| 802.11x | Wi-Fi (for wireless Ethernet) 802.11/a/b/g/i |


Wireless Security: Terms

• WEP (Wired Equivalent Privacy)
  – WEP is an authentication scheme (not required)
  – Only good for data between access points
  – Uses 24 bits for initialization vector (same vector can be used for different packets) and leads to possible duplication.
  – Hackers only have to collect data frames by using a network monitoring tool and then run a program called WEPCrack.
• War Driving
  – Needs global positioning system (GPS), wireless laptop, and software
  – Software keeps track of position and access point configuration.
  – Data uploaded to internet databases of wireless access point maps.
• War Spamming
  – Exploiting wireless networks in the process of war driving to send spam.

Source: Security Focus, Infocus, "Wireless Attacks and Penetration Testing part 1", June 3, 2002; Silicon.com, "Can Spammers Really Exploit Wireless Networks", September 8, 2004


Wireless Security: New Security Technologies

• 802.11i
  – Upgrade of other wireless 802.11a/b/g standards. Fixes WEP problems.
  – Use of WPA, WPA2 and AES
  – Ability to use RADIUS-based authentication of users
• WPA (Wi-Fi Protected Access)
  – Rekeying of global encryption keys is required (unlike WEP)
  – Requires TKIP (Temporal Key Integrity Protocol) which replaces WEP encryption
  – Needs specific hardware and software
  – For home and small business users
• WPA2
  – For enterprise
  – Incorporates 802.1X
• AES (Advanced Encryption Standard)
  – Meets the needs of the Federal Information Processing Standard (FIPS) 140-2 specification (required by many government agencies)
  – Needs a dedicated chip to handle encryption and decryption

Source: http://www.wi-fiplanet.com/news/article.php/3373441