(LAN) INsecurity 2005 - NotBobTec Enterprises, Incorporeal


Wireless LAN Insecurity Update 2005
Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland
E-mail: rob--at--notbob.com
Web site: http://www.notbob.com
Copyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved.
CIA XXV
Disclaimer: Fair Use of Online Resources
FAIR USE NOTICE: This contains copyrighted material, which is reproduced
under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for
purposes such as criticism, comment, news reporting, teaching, scholarship, or
research. This material is posted without profit for the benefit of those who, by
accessing this material, are expressing a prior interest in this information for
research and educational purposes.
In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted.
According to Sections 107 and 504(c) of United States Code Title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for noncommercial purposes only.
“Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research.
In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.
The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.
This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way.
Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of Department of Redundancy Department [DoRD]).
Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity.
Network Abuse Costs $$$: 2003 Data from U.S. FBI
Where’s Wireless???
WLAN Abuse 2004: Number 5 with a Bullet (chart label: Multiple Winblows XP/2000 vulnerabilities)
The Basic Network Security Pyramid
Wireless Security 2003: Rob’s 2003 WLAN Security Pyramid (figure)
What this talk is about
• Brief Review of Wireless LAN (WLAN) tech
• Wardriving Update Late 2004
• Step 1: Physical Security and Wireless Policy
• Step 2: OS, Firmware Updates; MAC Filtering; SSID
• Step 3: Change AP PW; WPA if possible, else WEP
• Step 4: Toward 802.11i/WPA2 for Home/SOHO use
• Step 5: CSE: OS Updates, Vulnerability News
• Future Wireless Security Topics
Dusko and Vlado Say: Be Responsible with your WLAN-kwon-do!
This talk is not a WLAN Cracking HOWTO; this is a HOWNOTTO on getting 0wn3d
You can’t afford perfect security
“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”
Eckel, G. and Steen, W., Intranet Working, New Riders, 1996, p. 419
Brief Review of Wireless LAN (WLAN) tech
Introduction to Wireless vs. Wired Networking
Wired Networking
• Inexpensive infrastructure (CAT5 cable + NICs)
• Expensive deployment (drilling through walls)
• Reconfiguring network topology difficult
• Difficult (not impossible!) to intercept communication
• Worldwide exposure to intruders if connected to Net
• Fast! (10/100 Mbps Ethernet → Gigabit Ethernet…)
• Negligible interference from environment
Basic Wired Network Topology (diagram: Firewall, Router)
Introduction to Wireless vs. Wired Networking
Wireless Networking
• Expensive infrastructure (clients+APs=cha-ching!)
• Inexpensive deployment (protocols supported in OSes)
• Reconfiguring network topology trivial (?too trivial?)
• Ridiculously easy to intercept communication
• Geographically constrained exposure to intruders*
• Relatively Slow (“11Mbps” marketingspeak = 5 Mbps)
• Massive environmental interference (ISM, path loss)
*ad hoc intranetworks
Quick Review of WLAN Security Terminology
• SSID (ESSID): Service Set Identifier = name for WLAN network; sent out as plain text in every packet; broadcast by default by most access points
• AP: Access point: WLAN “router” that talks to client cards
• WEP: Wired Equivalent Protocol; broken and easily crackable encryption scheme; not “Wired Equivalent Privacy”, et al.
• MAC: Unique Media Access Control ID number hard-coded into every networking device; spoofable via software
• WPA: Upgrade to WEP security; uses TKIP to rotate encryption keys for each packet and generate different keys for each computer
• 802.1x (not to be confused with 802.11x): User authentication mechanism using EAP protocol; separate from encryption
• 802.11i/WPA2: Major upgrade to security; uses new AES crypto algorithm vs. RC4; part of RSN: Robust Security Network
TSN = transitional security network with RSN + TKIP instead of CCMP with AES; more on this later
Basic Wireless Network Topology: Infrastructure Mode (using AP)
(diagram: Firewall, Access Point)
Advantages: AP security; isolated net connection
Disadvantages: AP cost, complexity; broadcast range
Basic Wireless Network Topology: P2P Ad Hoc Networks
(diagram: Firewall)
Advantages: no addt’l hardware; geographically constrained
Disadvantages: unmanaged P2P net issues; geo. constrained
Authentication
• Default: Open authentication (+/- MAC/SSID filtering): client “give me access” → AP “granted”
• Shared Key Auth (WEP, WPA PSK): client “give me access” → AP authentication challenge → client authentication response → AP “granted”
Generic Wireless Security Exploits
• Physical Theft
• Eavesdropping
• Data Modification
• Identity Spoofing/Masquerading
• Denial of Service (DoS)
• Theft of Internet Service
• Injection of Bad Things via Wireless
• WLAN as new modem (network soft spot)
Generic Wireless Network Exploits: Physical Theft (Before) (diagram: Firewall, Access Point)
Generic Wireless Network Exploits: Physical Theft (After) (diagram: Firewall, Access Point)
Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving (diagram: Firewall, Access Point; wardriver: “Gotcha!”)
Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building (diagram: Firewall, Access Point; listeners: Tabloid, Terrorist, Your Competitor)
Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs (diagram: Firewall, Access Point, Rogue Access Point)
The 100 meter myth
• Increasingly powerful 802.11x clients available
• 200 mW PCMCIA cards advertise 6000+ ft range
http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
• Many WiFi® adapters have external antenna connections; even homemade antennas work well
Generic Wireless Network Exploits: Identity Spoofing
(diagram labels: Firewall; Access Point; Alice; Bob; Cats; MAC Address: 0000deadbeef; SSID: default; Spoof MAC Address: 0000deadbeef; SSID: default; callout: “Looks like your company’s IP to the FBI!”)
Generic Wireless Network Exploits: Denial of Service (DoS)
(diagram: Firewall, Access Point; interference sources: microwave oven, cell phone, Bluetooth device, 2.4 GHz jammer)
Wild Wild WiFi®: WiFi Hog
• Designed to hijack open (public) nodes
• Could easily be used to hijack commercial or home access points with inadequate security
“Only traffic originating from the Wifi-Hogger's IP address may access the connection, otherwise the PVJ (portable video jammer) is switched on, blocking others from accessing the open node.”
http://www.mle.ie/~jonah/projects/wifihog.html
Wardriving Update Late 2004
Wardriving Update late 2004
• Mid Sept 04 (same area wardriven in Sep 03); 30 minute drive
• Residential neighborhoods/business district
• 5 dBi omnidirectional, magnetic, car-mounted antenna
• TCP/IP disabled on card → purposely unable to connect/get IP address (thus legal) (Note! Disable prior to wardrive to prevent autoconnection to discovered APs)
• 126 APs located; 1 Peer located
• 97 APs with no security (77%)
• Of 30 with security, only 13 (43%) 802.11g (likely WPA compliant out of box)
• 62 APs with default SSID bespeaking ignorant owners (49%)
• one FAKE-AP (first time: counterfeit AP signals) http://www.blackalchemy.to/project/fakeap/
• Worldwide Wardrive 4 (http://www.worldwidewardrive.org/): of 228,537 APs logged, only 61.6% enabled WEP (or better) security; 31.4% used default SSID (note: Lots of smart non-Merkins included)
Step 1: Physical Security and Wireless Policy
Locking It Down: Step 1.1
Physical Security
• Secure your laptop/PDA physically
– Windoze XP stores WPA PW and automagically reconnects on startup
• BIOS password at least in case WLAN device is stolen!
• Secure your access points (locked closets vs. desk)
– Remember, reset button on back of AP = Poof! No Security
• Wise placement of APs/directional antennas to minimize RF leak
• If possible, minimize AP RF power output to least useful
• Audit your coverage: Warwalk/drive/sit yourself!
Reference: http://techrepublic.com.com/5100-6329-5054057.html?tag=hdi
Locking It Down: Step 1.2
Wireless Policy
• (Authority) will be in charge of establishing and enforcing WLAN standards; any implementation that deviates from standard must be approved by (authority)
• (Authority) will be the only one(s) installing/modifying/maintaining APs; (Users) will not install APs
• Only (authorized user type list) can use the WLAN; all others require explicit permission from (authority)
• All WLAN devices must be secured according to standards set by (authority); all communications must be encrypted using (standard)
• All (users) must register WLAN devices with (authority)
For good example: http://www.ksu.edu/policies/ppm/3480.html
Step 2: OS, Firmware Updates; MAC Filtering; SSID
Locking It Down: Step 2.1
OS/Firmware Updates
• Windows XP Service Pack 2 (SP2)
– Until Sep 04, very cumbersome process to implement WPA (see notbob.com)
– Now, SP2 incorporates new WZC and WPA functionality (finally)
• Apple Macintosh: Need firmware upgrade to AirPort Extreme 11g (b sol)
– “WPA requires an AirPort Extreme base station and AirPort Extreme or AirPort clients running Mac OS X v10.3 (Panther), or later. Use of Wi-Fi Protected Access (WPA) reduces the maximum number of network users. Computers with wireless cards that only support WEP cannot join an AirPort network that has WPA enabled.”
– Client: http://www.apple.com/support/downloads/airportupdate.html
– AP: http://www.apple.com/support/downloads/airportextremefwupdate.html
• Linux: Support depends on chipset; http://hostap.epitest.fi/wpa_supplicant/ also see http://www.linux-sec.net/Wireless/WPA/#WPA for mondo links
• Make sure you are running latest version of your AP’s firmware; visit manufacturer’s website every few months at least
WPA under WinXP SP1 vs. SP2 (screenshots)
MAC/SSID Vulnerability
• MAC = media access control address
– Hardcoded in all NICs
– Easily Spoofed under Win 9x, Linux; New! WinXP spoofing via freeware Mac Makeup app: http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
• SSID = Service Set Identifier
– Used to define networks
– By default, broadcast in the clear by access points
– Will be given out by AP if client configured with “any” or blank SSID
MAC Address Spoofing
Red Hat Linux (from the newsgroup post at http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain ):
edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints
Orinoco Gold on Win 98SE (screenshot; YMMV RTFM HTH)
Locking It Down Step 2.2
MAC Filtering
• Better than nothing; will keep out your neighbors
• To find your adapters’ MAC addresses, under Windows: start | run | cmd | ipconfig /all ; listed as physical address
• Best to explicitly allow only your own MACs; explicit deny is for open APs that are subject to annoying users (without the sense to spoof their MAC addys)
Default SSIDs
• 3Com: comcomcom
• Cisco: 2, tsunami, WaveLAN Network
• Compaq: Compaq
• DLink: WLAN
• Intel: 101, 195, xlan, intel
• Linksys: linksys, Wireless
• Netgear: Wireless
• Zcomax: any, mello, Test
With AP manufacturer, trivial to determine default Administrator username/password!
http://www.cirt.net/cgi-bin/ssids.pl
http://www.iss.net/wireless/WLAN_FAQ.php
Locking It Down Step 2.2 (cont’d)
SSID Rules
• Change from default
• Don’t broadcast if possible (WPA flaky sometimes)
• Don’t make it your family/business name
• Don’t make it interesting to h@X0rS; boring is good: ex: thisAP
• Make it hard to guess (e.g., not Default1)
(callout: use this if possible)
Step 3: Change AP PW; WPA if possible, else WEP
Locking It Down Step 3.1
Change yer freakin’ default AP password!
• Every script kiddie and her dog knows the default passwords for major manufacturers! Pick a new, secure PW
• Disable remote router administration and Universal Plug and Play (if router doesn’t have nice check box, get Steve Gibson’s UnPlug n’ Pray here: http://grc.com/UnPnP/UnPnP.htm )
• While you’re at it, enable router’s firewall function: block anonymous WAN requests & filter NAT redirection to keep local LAN users from accessing port-forwarded services on router
http://www.linksys.com/download/vertxt/befsr81v2_ver.txt
Locking It Down Step 3.2: Use Encryption
Encryption Basics
XOR Logic Gate (figure)
• Need to hide message (plaintext) = needle
• Generate random stuff (encryption key) = piece of hay
• Multiply random stuff (keystream) = haystack
• Hide message in haystack (XOR) → needle+haystack (ciphertext)
http://www.mesda.com/files/infosecurity200309.pdf; http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html
Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm
WEP…what is WEP?
• Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
• First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
• Never intended to provide strong security; Goals:
– “Reasonably strong” (dependent on key length)
– “Self-synchronizing” (for “best effort” delivery)
– “Efficient” (low processor overhead)
– “Exportable” (pre-1999 ITAR climate [Phil Zimmermann])
– “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks– DISABLED out of the box by all OEMs as of 2004 AFAIK*)
*AFAIK = As far as I know
How is WEP supposed to work?
• Secret key combined with IV, run through WEP cipher PRNG (RC4)
• Plaintext XORed with key sequence (irreversible without key)
• Ciphertext output sent over airwaves after encapsulation into IP packets
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
What is RC4?
• One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
• Efficient stream cipher (low overhead)-- used in SSL encryption (online banking, etc.)
• Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
• Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!
From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>
SUBJECT: RC4 Source Code
I've tested this. It is compatible with the RC4 object module that comes in the various RSA toolkits.
/* rc4.h */
http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain
Why is WEP Broken?
• First paper: Fluhrer, Mantin, Shamir (encryption flaws) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
• WEP attack using FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
• WEP standard implements RC4 improperly
http://www.rsasecurity.com/rsalabs/technotes/wep.html
• Flaws in key scheduling algorithm → Large number of weak keys → encryption easily cracked
• IV is sent in the clear with each chunk– subtract 24 bits of IV from encryption key length
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
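As an added worked example (not code from the slides or from the sci.crypt post), here is a minimal RC4 in Python wrapped the way the slides describe WEP using it: a 24-bit IV sent in the clear in front of the secret key, and plaintext XORed with the RC4 keystream. It checks RC4 against a published test vector, shows why “64-bit” WEP has only a 40-bit secret, and shows that two frames sent under the same IV cancel the keystream when XORed, which is why a 24-bit IV space is a problem. The key and IV values are constructed for the example.

```python
# Added example: RC4 as WEP uses it, to illustrate the slides' points about
# the IV in the clear and the effective key length. Not the slides' own code.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) + generation (PRGA): keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S by the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

WEP_IV_LEN = 3   # 24-bit IV, transmitted unencrypted ahead of each frame body

def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: per-frame RC4 key = IV || secret key.
    Returns IV || ciphertext. (Real WEP also appends a CRC-32 ICV to the
    plaintext before encrypting; omitted here because the keystream is the point.)"""
    assert len(iv) == WEP_IV_LEN
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, ks)

def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:WEP_IV_LEN], frame[WEP_IV_LEN:]
    return xor_bytes(ct, rc4_keystream(iv + secret_key, len(ct)))

def effective_key_bits(advertised_bits: int) -> int:
    """'64-bit WEP' = 40 secret bits + 24 IV bits; '128-bit WEP' = 104 + 24."""
    return advertised_bits - 8 * WEP_IV_LEN

def keystream_cancels(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Same IV => same keystream, so c1 XOR c2 == p1 XOR p2: the secret key
    drops out of the relation between the two frames entirely. With only
    2**24 IVs, a busy AP is guaranteed to repeat them."""
    c1 = wep_encrypt(secret_key, iv, p1)[WEP_IV_LEN:]
    c2 = wep_encrypt(secret_key, iv, p2)[WEP_IV_LEN:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

if __name__ == "__main__":
    key40 = bytes.fromhex("0123456789")      # constructed 40-bit secret key
    iv = bytes.fromhex("a1b2c3")             # constructed 24-bit IV
    frame = wep_encrypt(key40, iv, b"needle in haystack")
    print(frame.hex())                       # IV visible as the first 6 hex digits
    print(wep_decrypt(key40, frame))
    print(effective_key_bits(64), effective_key_bits(128))
    print(keystream_cancels(key40, iv, b"patient record A", b"patient record B"))
```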
Enabling WEP (screenshots)
Orinoco Gold on Win 98SE
Linksys pic modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg
Advanced WEP
• Freeware key generators create pseudorandom keys for you to enter
• Rotate keys frequently (weekly for business, monthly for home at minimum)
• Make sure highest key-length WEP is enabled (remember, 64 bit WEP key is really just 40 bits long [thanks, marketing!])
• Upgrade WEP to WPA as soon as possible (look for WPA support for all new hardware)
Bbbbut…isn’t WEP broken?
• Yes, but…just because your front door can be picked, doesn’t mean you shouldn’t lock it!
• Never be low hanging fruit for attackers
• Lots of old hardware (pre-2004) can’t support WPA, let alone WPA2: WEP is the only option
• If you just enable WEP → more secure than 60-75% of WLAN users (according to wardriving data)
• If you enable WEP + change SSID from default + change AP logon/pw: more secure than 95% of lusers
Quick Fix for WEP: WPA
• WPA = “WiFi™ Protected Access”
• Available as software/firmware upgrade for most chipsets/manufacturers now or soon
• Subset of new (Jun 04) 802.11i security architecture
• Patches major vulnerabilities in WEP:
– TKIP fixes IV weakness, adds MIC, key mixing, rekeying
– Supports enterprise user authentication via EAP and 802.1X
– SOHO mode: Pre-Shared Key (PSK): autorotates key for you
http://www.newswireless.net/articles/021123-protect.html
TKIP (figure)
Look for the WPA label… (figure)
Enabling WPA PSK in Windoze XP SP2
• Make sure wireless connection works with WEP first
• Have wired connection to prevent disconnection with changes
• Upgrade Windows XP SP1 to SP2 (Windoze Update)
• Pick a good pre-shared key (PSK)! http://wifinetnews.com/archives/002452.html
• Upgrade client firmware to support WPA
• Implement WPA PSK on router (may need to upgrade firmware)
• Implement WPA on Windows XP using WZC (Wireless Zero Configuration)
See my separate step-by-step guide on WPA in XP: http://www.notbob.com/wlani
(flow diagram) Step 1: Upgrade XP to SP2 → Step 2: Make sure supplicant supports WPA → Step 3: Implement WPA PSK onto AP router → Step 4: Implement WPA under network connections
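As an added example (not from the slides or the linked guide), this shows what “pick a good pre-shared key” protects: WPA-PSK turns the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. Anyone who recorded one association can run that same public function offline against a wordlist, so the passphrase check that follows is the defence; its thresholds are this example's own assumptions, and the wordlist is a constructed stand-in for a real one.

```python
# Added example: WPA-PSK passphrase -> PMK derivation (IEEE 802.11i Annex H)
# plus a passphrase policy check. Not the slides' own code.
import hashlib
import string

WPA_PBKDF2_ITERATIONS = 4096   # fixed by the standard
WPA_PMK_LEN = 32               # 256-bit Pairwise Master Key

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    The SSID is the salt, so the same passphrase on a different SSID gives a
    different PMK; a default SSID lets one precomputed table serve many APs."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               WPA_PBKDF2_ITERATIONS, WPA_PMK_LEN)

# Constructed stand-in for a real wordlist (a real one has millions of entries).
COMMON_WORDS = {"password", "linksys", "wireless", "12345678", "qwertyui"}

def passphrase_problems(passphrase: str, ssid: str) -> list:
    """Reasons a candidate passphrase would fall to an offline guessing run
    against a captured handshake. Empty list = acceptable under this
    example's assumed thresholds (length 20, three character classes)."""
    problems = []
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("appears in a common wordlist")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in passphrase) for cls in classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems

if __name__ == "__main__":
    # Published 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk_pmk("password", "IEEE").hex())
    print(passphrase_problems("password", "IEEE"))
    print(passphrase_problems("Correct-Horse-Battery-Staple-2005!", "thisAP"))
```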
Take Home Message
• Everyone in this room should be using WPA instead of WEP at all times right now!
• Definitely worth upgrading hardware to support WPA
• Hospitals/Medical Offices: Legal risks of NOT using WPA (due diligence) given WEP vulnerabilities
Step 4: Toward 802.11i/WPA2 for Home/SOHO use
WPA Upgrade: IEEE 802.11i/WPA2
• 802.1X port-based authentication– requires dedicated authentication server (or server process in AP)
• RADIUS authentication: for enterprises only
• IEEE 802.11i = WPA + RSN; finally ratified Jun 04
• Uses CCMP (counter mode with cipher block chaining [CBC] message authentication code protocol) for enhanced privacy, data integrity, and authentication
• RSN: Robust Security Network 802.1X + EAP + AES (non-RC4 encryption protocol) – will likely need hardware upgrade to run RSN without major hit on throughput; likely available in “mature” form in 2005-6
CBC: http://pedia.nodeworks.com/C/CI/CIP/Cipher_Block_Chaining/
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
AES (figure)
Rijndael (Reign-Dahl) is AES
• Rijndael is a symmetric block cipher, designed by Belgian/Flemish cryptologists Joan Daemen (Yó-ahn Dáh-mun) and Vincent Rijmen (Rýe-mun)
• Time to crack @ 2^55 keys/sec: 149 trillion years
• Basic advantage of AES is its efficiency and low overhead: easier to implement than its competitors for AES standard
• For WiFi®, requires dedicated chip to process cipher in real time
Official NIST AES Specs: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Intro to AES: http://www.nwfusion.com/details/597.html?def
Very High Level AES mathematical explanation: http://islab.oregonstate.edu/koc/ece575/aes/intro.pdf
“How is that pronounced? If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced like you think it should be. Otherwise, you could pronounce it like "Reign Dahl", "Rain Doll", "Rhine Dahl". We're not picky. As long as you make it sound different from "Region Deal".”
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
from: http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_ProtectedAccessWebcast_2003.pdf
Do you really need WPA2?
• WPA fixes all known problems with WEP
• If you avoid choosing weak passphrase subject to dictionary attack, WPA should suffice for most home/SOHO users for now (2005)
• As of Oct 04, WPA has not been broken
• RC4 will eventually succumb to Moore’s Law → will need to move to AES in the future
• AES support in WPA2 probably involves upgrading your hardware: business decision (risk/benefit ratio)
See Q&A section here: http://www.wi-fi.org/OpenSection/protected_access.asp
Advanced WLAN Security: Topology Options
(diagram: “Safe Side” | Firewall | “Unsafe Side”)
• Treat all wireless communication as insecure
• Put AP on “unsafe” side of firewall
• Use VPN (private tunnel) through internet to reach internal network
• Impractical for SOHO networks (expensive; throughput hit)
Step 5: CSE Continuing Security Education
• All users should keep up with major security developments, including WLAN security
• Excellent resources:
– Internet Storm Center http://isc.sans.org
– News.com http://www.news.com
– Wireless News Factor http://wireless.newsfactor.com
– WiFi Planet http://www.wi-fiplanet.com/
– NetworkWorldFusion http://www.nwfusion.com/topics/security.html
Future Wireless Security Issues 2
• Privacy: Sniffing your car’s radio stations
• “Red Means Stop, Ya Moron!”: 802.11p
• DOS: Wireless Jammers for Jesus
• Wireless Viruses: Don’t get stung by Mosquitoes
• RFIDS: The Next Security Threat?
Privacy: Sniffing your car’s radio
Device sniffs what radio station you are listening to
http://www.washingtonpost.com/wp-dyn/articles/A60013-2004Oct24.html
“Hey, buddy, I’m talking to you”
• 802.11p is a new IEEE spec to implement WiFi® for vehicles
• “Emergency vehicles might use broadcast via wireless to change traffic signals in order to speed themselves along. Cars might also "communicate" with one another, as an exchange of Wi-Fi signals makes it possible to sound proximity alerts when two vehicles come too close to one another.”
• Just imagine the potential for chaos when criminals can change traffic lights remotely, or when pranksters activate all the proximity alerts simultaneously…
http://www.wi-fiplanet.com/columns/article.php/3422251
DOS: Wireless Jammers for Jesus
Mexico: Cell phone jammers installed in churches…would likely nuke nearby WiFi as well…
http://www.cnn.com/2004/TECH/ptech/10/19/cellphonejammers.ap/
Don’t Get Stung
Copy protection built into “smart” cellphone game “Mosquitoes” rewritten as Trojan to call expensive premium numbers using embedded Symbian OS
“Sooner or later, I expect I will be advising people not to run unknown applications for their refrigerators and cars,” he says. “It is becoming more of a danger as we embed OS into more of our lives.” --Panda Software CTO Patrick Hinojosa
http://wireless.newsfactor.com/story.xhtml?story_title=Mosquito-Trojan--Copy-Protection-Gone-Wrong&story_id=26310&category=wlssecurity
RFID Security: Brave New World?
• RFIDs are poised to become ubiquitous
• RFIDs have no security and can be hacked
• “The thinking is, security is a secondary issue right now that will be fixed once deployments are underway” – Jeff Woods, Gartner Research Director
• Ya, that strategy has worked so well for Windows XP, WEP, Iraq…
http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=RFID--The-Next-Security-Nightmare-&story_id=26104&category=mobsec
WLAN Security Basics Checklist
Diagram callouts (labels recovered from the slide graphic):
Patch OS frequently to plug security holes; read media for new WLAN exploits
Change default admin logon/pw; disable remote admin
Weekly or automatically
Got WPA?
Prevent theft; BIOS pw; encrypt files; backup data; disaster plan
WPA2 = 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
Only if no WPA; rotate keys manually
Implement now; choose secure PSK
Change default; don’t broadcast
Implement MAC filtering
Implement and enforce wireless security AUP/TOS
Checklist:
• Pay attention to geographical location of AP (parking lot coverage)
• Disable file & print sharing if not needed; never share root
• Disable SSID broadcasting (default = enabled for most products)
• Change the SSID to something non-default and boring
• Upgrade firmware of AP/client to increase security (WPA)
• Change default admin login/password for AP; disable remote admin
• Configure AP to enable MAC address filtering (not perfect, yes…)
• Enable WPA PSK now! For enterprises: RADIUS, WPA2
• Only use WEP as last resort (legacy hardware; rotate keys often)
• Wardrive yourself to audit your security (got rogue teenager AP?)
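The checklist above, turned into an automated self-audit: the script below is an added example, not part of the original presentation, and it assumes an AP configuration expressed as a plain dict whose field names (ssid, ssid_broadcast, encryption, psk, admin_user, admin_password, remote_admin, mac_filtering) are invented here for illustration.

```python
"""Audit an access point's configuration against the WLAN Security Basics
Checklist.  Added example, not from the original presentation; the config
is a plain dict whose field names are assumptions made here."""
from typing import Any, Dict, List

# Factory-default SSIDs and admin logons; constructed, illustrative sets.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "wireless", "dlink"}
DEFAULT_ADMIN = {("admin", "admin"), ("admin", ""), ("admin", "password")}


def audit_ap(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per checklist item the config fails; [] means clean."""
    findings: List[str] = []
    ssid = str(cfg.get("ssid", ""))
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is a vendor default; change it to something non-default and boring")
    if cfg.get("ssid_broadcast", True):  # most products ship with broadcast enabled
        findings.append("SSID broadcast enabled; disable it")
    enc = str(cfg.get("encryption", "none")).lower()
    if enc == "none":
        findings.append("No encryption; enable WPA PSK now (RADIUS/WPA2 for enterprises)")
    elif enc == "wep":
        findings.append("WEP in use; last resort only, rotate keys often, upgrade firmware for WPA")
    elif enc in ("wpa-psk", "wpa2-psk"):
        psk = str(cfg.get("psk", ""))
        # WPA passphrases are 8-63 chars; short ones or the SSID itself are weak
        if len(psk) < 20 or psk.lower() == ssid.lower():
            findings.append("WPA PSK is weak; choose a long random passphrase")
    admin = (str(cfg.get("admin_user", "")), str(cfg.get("admin_password", "")))
    if admin in DEFAULT_ADMIN:
        findings.append("Default admin login/password; change it")
    if cfg.get("remote_admin", False):
        findings.append("Remote admin enabled; disable it")
    if not cfg.get("mac_filtering", False):
        findings.append("MAC address filtering off; enable it (not perfect, but a layer)")
    return findings


# Constructed sample configs: one straight out of the box, one hardened.
FACTORY_AP = {"ssid": "linksys", "ssid_broadcast": True, "encryption": "wep",
              "admin_user": "admin", "admin_password": "admin",
              "remote_admin": True, "mac_filtering": False}
HARDENED_AP = {"ssid": "beige-box-7", "ssid_broadcast": False, "encryption": "wpa2-psk",
               "psk": "grey-parrot-eats-forty-crackers-2005", "admin_user": "opsadmin",
               "admin_password": "<changed-from-default>", "remote_admin": False,
               "mac_filtering": True}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        print(name, "->", audit_ap(cfg) or ["no findings"])
```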
The Tao of Network Security
1994-1999: Information Access
2000-2005: Information Denial
Addendum: It’s the Basics, Stupid
http://www.canada.com/technology/story.html?id=80bc4cc6-f3e3-4960-9b70-91c260e63931
Remember: Common Threats Are Common!
“Wired” attacks are still much more common than WLAN exploits:
• Buffer Overflow attacks based on Windoze vulnerabilities (increasingly zero-day exploits): Sasser, CHM, etc.
• Phishing for passwords, bank accounts (↑↑ sophistication)
• M$ Outlook/OE exploits: worms, viruses, blended threats
• Hostile websites: spyware, malware, browser hijacking
• Keystroke loggers: disgruntled employees, spouses, kids
• IM attacks: embedded malign URLs, spim, predators…
Are Most Users too Stupid for the Internet?
• Why not require a license for internet access?
• Wired Article: “Are You Too Stupid to Surf?” http://www.wired.com/news/privacy/0,1848,60416,00.html
• Several Downsides:
– People don’t trust the Gummint (look at TIAO Initiative furor)
– Money
– Your Grandma wouldn’t pass the test…ever.
– If stupid Merkins are kept offline, how about the rest of the world we haven’t “liberated”…yet?
Are Most Users too Stupid for the Internet?
How to get H@cked and 0wn3d in 7 easy Steps:
• Never update your Anti-virus program’s definitions
– In fact, let the free version on your new computer expire
• Click on all e-mail attachments with wild abandon
• Never use a firewall (equivalent: Windoze fw only)
• Keep thinking that OS security updates are for girlie men
• Go to naughty sites and install all “required” programs
• Use insecure, older versions of apps due to nostalgia
• Ignore computer security alerts in the news (news.com)
References
Online Resources
WLAN Specifications
• WiFi™ Alliance (formerly WECA): http://www.wi-fi.org/
• IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
• IEEE 802.11i: restricted: http://standards.ieee.org/reading/ieee/std/lanman/restricted/802.11i-2004.pdf
• Lots of interesting unrestricted IEEE documents: http://www.ieee802.org/11/Documents/DocumentHolder/
• Bluetooth: https://www.bluetooth.org/
• HIPERLAN/2: Official Specs: http://www.hiperlan2.com ; IEEE Communications Overview: http://www.ihpffo.de/systems/Doc/Vorlesung/MC/%DCbung/Gruppe7-Hiperlan/0130khun.pdf
• HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
• Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149
Wardriving Software
• NetStumbler http://www.netstumbler.com/
• MacStumbler http://www.macstumbler.com/
• BSDAirtools http://www.dachb0den.com/projects/bsd-airtools.html
• AirSnort http://airsnort.shmoo.com/
• Kismet http://www.kismetwireless.net/
• Wellenreiter http://www.wellenreiter.net/
• Lots of other tools: http://wardrive.net/wardriving/tools
Online Resources
Basic 802.11 Security
• WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php (old)
• WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
• WEP Insecurity: http://ftp.die.net/mirror/papers/802.11/wep_attack.html (no longer on: http://www.cs.rice.edu/~astubble/wep/wep_attack.html )
• WPA/WPA2: http://www.wi-fi.org/OpenSection/protected_access.asp
• Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
• Netstumbler: http://www.netstumbler.com
• Wireless Glossary: http://www.devx.com/wireless/Door/11333 (heh heh)
• Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html
Online Resources
Advanced WLAN Security/Continuing Security Education
• SANS: http://www.sans.org
• Internet Storm Center http://isc.sans.org
• Wireless LAN Security Site: http://www.drizzle.com/~aboba/IEEE/
• News.com http://www.news.com
• Wireless News Factor http://wireless.newsfactor.com
• WiFi Planet http://www.wi-fiplanet.com/
• NetworkWorldFusion http://www.nwfusion.com/topics/security.html
• Google it: search Google for “WLAN security” and/or “WiFi security”
• Cool list of WLAN Security Links: http://www.corecom.com/html/wlan.html
• Still More whitepapers: http://www.wlana.org/learning_center.html
Online Resources
AFH Topics
• People are stupid: Wireless Equivalent Privacy: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search
• People are stupid 2: Wireless Encryption Protocol: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22
• HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html
• ECHELON: http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf
• TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html
Offline Resources
Books/Articles: Computer Security Essentials
• Skoudis, Ed, Counterhack, Upper Saddle River, NJ: Prentice Hall PTR 2002. ISBN 0-13-033273-9 (amazing book! dozens of black hat techniques with countermeasures)
• Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 (a classic)
• Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0 (first edition includes excellent appendix on basics of ISO/OSI TCP/IP stack)
• Anonymous, Maximum Security, Fourth Ed., Indianapolis: SAMS Publishing Dec 2002 (excellent resource)
Offline Resources
Books/Articles: WLAN Security
• Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable & entertaining; most practical 3-space reference thus far)
• Peikari C, Fogie S, Wireless Maximum Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])
• Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (almost incomprehensible at times, but good reference)
• Vladimirov A, Gavrilenko K, Mikhailovsky A, Wi-Foo: The Secrets of Wireless Hacking, Boston (etc.), Addison-Wesley, 2004 (Good overview of WLAN security from Black Hat perspective; grammatical issues)