www.iss.net
Wireless Security
August 10, 2006
Michael H. Warfield
Senior Researcher and Fellow
ISS X-Force
© 2006 Internet Security Systems. All rights reserved worldwide. Contents are property of Internet Security Systems.
This presentation is also available on-line:
http://www.wittsend.com/mhw/2006/Wireless-Security-ALE
Outline
 Introduction and Standards
 Common Uses and Abuses
 Security Incident Examples
 Access Control and Confidentiality
 Securing Wireless Networks
 Closing Summary and References
Introduction
 Many forms of wireless
 Point-to-point
 Wi-Fi / 802.11
 WiMax / 802.16
 Mobile Broadband / 802.20
 Bluetooth
 3rd Generation Cellular, EVDO, GPRS, Wireless Broadband
 Wi-Fi is becoming ubiquitous
 Cheap and easy and popular
 Wireless is incredibly flexible
 Cost effective compared to hard wired networks
 Works in harsh environments
 Works in mobile environments
Wi* 802.* Standards
(Alphabet Soup?)
802.11
 IEEE ratified in 1997
 General wireless standards family
 Has now grown to include 6 over-the-air modulation protocols
 Lots and lots of protocol amendments
 2.4 GHz shared unlicensed band
 Covered by FCC Part 15 regulations
 Initially 1-2 Mbps
 Poor performance
 Poor acceptance
802.11a
 IEEE Ratified in 1999
 First ship in 2001
 5 GHz unlicensed band
 54 Mbps
 High Performance
 Costly
 Poor range
 Adoption was slow and poor
802.11b
 IEEE ratified in 1999
 2.4 GHz shared unlicensed band
 Up to 11 Mbps
 Moderate Performance
 Relatively inexpensive
 Moderate range (twice that of 802.11a)
 Moderate interference from other services
 Quickly became very popular
802.11g
 IEEE ratified in June 2003
 Shipping in January 2003
 2.4GHz shared unlicensed band
 54 Mbps (Super G channel bonding to over 100 Mbps)
 Good Performance
 Inexpensive (dirt cheap)
 Powerful (many have third party upgrades)
 Compatible with 802.11b
802.11n
 100+ Mbps
 Compatible with 802.11b and 802.11g
 Upcoming standard
 Multiple proposals submitted
 No consensus as of yet
 Continuing disagreements are delaying final standardization
 Availability is poor
 Cost is relatively high
 MIMO – 802.11n preview?
802.11s
 IEEE Working group first met in July 2004
 802.11 w/ Mesh topology
 Intel early proposal for 802.11s
 Builds on 802.11 a/b/g
 Should be applicable to 802.11n
 No current standards for 802.11 mesh
 Access points and nodes autonomously relay packets
 Self organizing and extensible
802.1X
 IEEE standard for Network Access Controls
 Applies to both wired and wireless networking
 There is no 802.11X
 Common misunderstanding
 Instantiated in the 802.11i wireless standard
 Incorporates a number of authentication methodologies
 PSK – Pre-Shared Keys
 EAP – Extensible Authentication Protocol
 LEAP – Cisco Limited Extensible Authentication Protocol
 Radius
802.16
 WiMax
 Worldwide Interoperability for Microwave Access
 802.16a – Metropolitan Area Network
 802.16e – Mobile Broadband
 Other amendments address other concerns in the standard
 Both Licensed and Unlicensed modes
 Higher power
 Broader coverage
 Sprint selecting WiMax for Mobile Broadband
 Anticipated network rollout in 4th quarter of 2007
Common (and Uncommon) Uses
Hotspots
 Hotspots are publicly accessible wireless zones
 Pay and free hotspots are proliferating
 Most airports now have hotspots
 Some are free, some for pay
 Some hotels are opting for wireless for broadband
 Some are teaming up with wireless providers
 Some coffee chains have wireless for customers
 Some shops are dealing with customers who won't leave
 Some shops dealing with users in parking lots
 Some people set up hotspots just for kicks
 Some criminals set up hotspots looking for victims
Neighborhood Networks
 Cul-De-Sac Area Networks (CDSAN)?
 High power APs cover a couple of small streets
 Antennas extend range even further
 YES! You really CAN be the ISP for your entire cul-de-sac!
 Example neighborhood net in Canada
 Broadband
 VoIP
 Video
 Being commercialized for businesses
Municipal WiFi
 Municipalities considering WiFi as a utility
 Antennas / Access Points on lights and utility poles
 Mesh networking avoids need for wired backbones
 WiMax may extend range and coverage
 Uniform coverage and management
 Narrows “the digital divide”
 Provides additional emergency services backup
 Conflicts with commercial competition
 Mixed legislative actions
 Some active deployments
Communities
 Philadelphia
 Proposal for community WiFi resulted in state legislation to prevent it
 Philadelphia has an exemption in resulting legislation
 San Francisco
 Google initially contracted to provide free service
 New Orleans
 Free service in aftermath of Katrina using donated equipment
 BellSouth reported to have withdrawn a donation as a result
 Boston
 May contract with a non-profit to run city-wide WiFi
 Washtenaw County, MI
 County wide WiFi deployment approved
 85 Kbps free, 500 Kbps $35/month
Wireless Police Knocking?
 New York
 Westchester County New York proposed mandatory WiFi security
 Encryption is NOT mandatory
 Security is mandatory even WITH encryption
 Canola Ranch Resorts
 Tucson condo resort
 Provides wireless and broadband to each unit
 Covenants require that all wireless be secured
 This one requires encryption
Wireless VoIP
 Wireless PBX
 Great for mobile employees
 Hospitals
 Schools
 Conference Centers
 Cost effective
 Versatile
 Isolated Access Points and networks control security
 Potential eavesdropping / sniffing threats
 Some cell phones now support cellular plus VoIP on 802.11*
Industry and Agriculture
 Supports mobile equipment
 Farm equipment in the field
 Mobile factory floor equipment and employees
 Eases deployment and installation
 Wiring problems in old installations
 Connections between buildings
 Aids with hostile environments
 Not merely end networking services
 Part of the industrial process
Personal Area Networks
 Wireless cards and access points are as cheap as network interfaces now
 Employees may install APs under desks for their laptops
 Convenient for home-to-office road warriors
 Home LAN security problems may become corporate LAN security problems
 Unauthorized or rogue access points can create gaping security holes
 Open workstations can open up your wired network
WiFi Defense Against the RIAA???
 Two recent court cases decided against the RIAA
 Argued that an IP address is not a person
 Evidence of pervasive activity
 Evidence of access by others in the home
 Each case was settled and dismissed
 Use an open access point to argue others may have access?
 Neither case resulted in a judgment
 No legal precedent
 Both cases presented evidence of others in the home
 Hand waving arguments are unlikely to work
 Other evidence may be brought into play (on either side)
Trick Out Your WiFi Router!
Trick Out That Router
 LinkSys WRT54GS Router
 “Linux based” version
 100 MBit “Speed Booster”
 Has more RAM and Flash than the G / GL
 Add high gain antennas
 Cheap pair of 7 dB omni
 D-Link directional
 Larger 11 dB omni “billy club”
 Add run of low-loss coax to the attic for antenna height
 Add range extenders (repeaters)
 Upgrade to 3rd party firmware
 Add “mesh” or WDS access points
DD-WRT Firmware
 Based on Sveasoft Talisman release
 Based on Linksys sources and OpenWRT sources
 Adjustable power (26 mW -> 250 mW)
 Multiple VLANs and VPNs
 Supports many, many vendors (not just Linksys) and models
 Multiple ESSIDs per access point
 WEP / WPA / WPA2 / RADIUS support
 OpenVPN
 IPv6
 VoIP
 Kismet (an access point that can wardrive as well)
 Turns that $60 router into a $600 super performer
Common (and Uncommon) Abuses
Wardriving
 Popular sport
 Simple as a PDA
 A small mobile antenna is non-intrusive
 Pringles cans are cheap and effective antennas
 Good directional antennas can work for miles
 Automated tools build wardriving maps with GPS
 Majority of access points have no encryption!
 Majority of access points use default settings!
 An FBI representative has stated that wardriving and warchalking are legal (but bandwidth theft is not).
Inverse Wardriving
 Wardriving with an Access Point
 Linux based access points have extra features
 Extra power
 Remote command line
 Can run Kismet on the Access Point
 Trolling for open clients willing to connect
 Many workstations are enabled for “any” AP
 Can compromise associated wired networks
 Early tests were run at Democratic National Convention
 Windows was vulnerable to an Ad-Hoc Evil Twin wardriving
 Windows boxes would probe for previous connections
 Attacker could emulate other access points based on probes
Open Workstations
 Easy and common to “attach” to the “wrong” access point
 Many laptops come with built-in WiFi
 WiFi may be enabled without realization
 Difficult to lock down laptops to limited connections
 Open workstations may be contaminated outside of security perimeters
 Open workstations may bridge wireless to wired networks
 Home users may bring wireless enabled into the workplace
 WiFi policy must include workstation setups!
Driver Attacks
 Workstations may be directly attacked through WiFi drivers
 They don't have to be in use
 Workstation does not have to be connected to a WiFi network
 User may not even realize WiFi is enabled
 Recent BlackHat 2006 demonstration
 Demonstration was video only
 (They were practicing safe WiFi)
 Attack against Mac OSX
 Other operating systems also vulnerable to similar attacks
 Demonstrated against third party drivers
 Native drivers are also vulnerable
 Recent Intel security advisory on the Centrino WiFi drivers
Evil Twin
 Variation on the “inverse wardriving”
 Evil access point mimics existing access point ESSID
 Looking for specific networks
 Not just for promiscuous workstations
 Increased power can override legitimate access points
 Evil twins can be more difficult to find than rogues
 Kismet can spot “time stamp” anomalies from Evil Twins
 Shield from within, shield from without
 May be used for WiPhishing
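The “time stamp” anomaly check mentioned above, worked through as an added example (this is not code from the slides or from Kismet): a real access point's TSF timer advances in step with the sniffer's own clock, so the offset between the two stays constant per BSSID, while a second radio announcing the same BSSID carries its own TSF and breaks that pattern; a second check catches the same ESSID advertised both encrypted and open. The beacon records are constructed sample data, not a capture.

```python
"""Beacon-consistency checks for evil-twin detection.

Added example (not from the slides or from Kismet). The beacon records
below are constructed sample data, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Beacon:
    bssid: str        # transmitter address announced in the beacon
    ssid: str         # ESSID carried in the beacon
    tsf_us: int       # AP's 64-bit TSF timer value, microseconds
    rx_time_us: int   # sniffer's own clock when the frame was captured
    privacy: bool     # capability "privacy" bit (WEP/WPA/WPA2 in use)


def find_tsf_anomalies(beacons, tolerance_us=5_000):
    """Flag beacons whose TSF does not track the sniffer clock.

    One real AP: tsf_us - rx_time_us stays roughly constant per BSSID.
    Two radios using the same BSSID each run their own TSF, so the
    offset jumps between two values. Returns (bssid, index, delta_us).
    """
    baseline = {}
    anomalies = []
    for i, b in enumerate(beacons):
        offset = b.tsf_us - b.rx_time_us
        if b.bssid not in baseline:
            baseline[b.bssid] = offset      # first sighting sets the baseline
            continue
        delta = offset - baseline[b.bssid]
        if abs(delta) > tolerance_us:
            anomalies.append((b.bssid, i, delta))
    return anomalies


def find_mixed_security(beacons):
    """Return SSIDs seen both with and without the privacy bit.

    An evil twin that copies a protected network's name but runs open
    (so clients associate without a key) shows up as one ESSID advertised
    in two security states, which a single managed network never produces.
    """
    flags = defaultdict(set)
    for b in beacons:
        flags[b.ssid].add(b.privacy)
    return sorted(ssid for ssid, seen in flags.items() if seen == {True, False})


# Constructed sample: a real "CorpNet" AP beaconing every ~102.4 ms, a twin
# announcing the same BSSID with its own TSF and no encryption, and an
# unrelated guest network as a control.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "CorpNet", 1_000_000, 500_000, True),
    Beacon("00:11:22:33:44:55", "CorpNet", 1_102_400, 602_400, True),
    Beacon("00:11:22:33:44:55", "CorpNet", 9_000_000, 704_800, False),  # twin
    Beacon("00:11:22:33:44:55", "CorpNet", 1_307_200, 807_200, True),
    Beacon("00:11:22:33:44:55", "CorpNet", 9_204_800, 909_600, False),  # twin
    Beacon("66:77:88:99:aa:bb", "Guest", 4_000_000, 500_100, False),
    Beacon("66:77:88:99:aa:bb", "Guest", 4_102_400, 602_500, False),
]


if __name__ == "__main__":
    for bssid, idx, delta in find_tsf_anomalies(SAMPLE_BEACONS):
        print(f"beacon #{idx} from {bssid}: TSF offset jumped by {delta} us")
    for ssid in find_mixed_security(SAMPLE_BEACONS):
        print(f"SSID {ssid!r} seen both encrypted and open")
```

Beacons from a single AP that reboots also reset the TSF, so in practice a jump is confirmed by the offset alternating between two values rather than changing once.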
SSL Attacks
 Some sites use SSL to protect admin access to web interface
 Some access points used a static server certificate
 SSL does not provide for “Perfect Forward Secrecy”
 SSL does not provide for “Diffie Hellman Key Exchange” in default “server authenticated” sessions
 Access point firmware readily available for download
 Static certificate from access point firmware image allows attackers to intercept and decrypt the SSL traffic!
Broadcast Leakage
 Access points will broadcast LAN broadcast packets
 Local LAN or directed broadcasts
 NetBIOS is extremely “chatty”
 Workstation names
 Domain / Workgroup names
 Login (user) names
 Services
 ARP requests
 Network mapping
 ARP cache poisoning
Hotspot Battles
 Only 11 channels in North America
 Competition with and between fee services
 Providers have set up fee based wireless access
 Cybercafes have set up wireless services
 Competing individuals have used directional antennas to broadcast into competing locations
 Organizations have set up free hot spots
 Companies seeking to set up services for a fee have come into conflict with community hotspots
 Some hot-spots in airports have become free
 WiFi spectrum overlaps with some Amateur Radio
 Amateurs use much more power
 Accidental cross access and cross interference have occurred
Security Incidents
(What were you thinking?)
Information Leakage
 Information may leak from insecure wireless networks
 Networks may be routed over wireless links
 Information may leak in broadcast messages
 Attackers can use techniques such as “arp cache poisoning” to intercept and redirect traffic
 Schools have had student data accidentally exposed through wireless networks
 What's your legal liability?
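The ARP cache poisoning named under Broadcast Leakage and again here, turned into a detection check as an added example (not code from the slides): it parses tcpdump-style ARP reply lines from a wireless segment and reports an IP address that changes hardware address, or one hardware address answering for several IP addresses. The capture lines are constructed samples and the tcpdump output format is an assumption.

```python
"""ARP-reply consistency check for a wireless segment.

Added example (not from the slides). Parses tcpdump-style ARP lines and
flags two patterns that accompany ARP cache poisoning: an IP address that
changes hardware address, and one hardware address that answers for
several IP addresses. The log lines below are constructed samples.
"""
import re
from collections import defaultdict

# Matches e.g. "12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply; requests are ignored."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_poisoning(lines, max_ips_per_mac=1):
    """Return alerts as (timestamp, kind, detail) tuples.

    kind == "ip-moved": an IP we already knew now claims a different MAC
    kind == "multi-ip": a MAC now answers for more IPs than allowed
    A legitimate router or proxy-ARP host may own several addresses; raise
    max_ips_per_mac or whitelist those MACs before alerting on them.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_replies(lines):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "ip-moved", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:          # alert once per newly claimed IP
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append((ts, "multi-ip", f"{mac} answers for {claimed}"))
    return alerts


# Constructed sample capture: the gateway 192.168.1.1 is announced by its
# real MAC, then a second station starts answering for both the gateway
# and a client, which is the classic man-in-the-middle poisoning pattern.
SAMPLE_CAPTURE = [
    "12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:02.000 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28",
    "12:00:03.000 ARP, Reply 192.168.1.20 is-at 00:AA:BB:CC:DD:20, length 28",
    "12:00:04.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:99, length 28",
    "12:00:05.000 ARP, Reply 192.168.1.20 is-at 00:de:ad:be:ef:99, length 28",
    "12:00:06.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:99, length 28",
]


if __name__ == "__main__":
    for ts, kind, detail in detect_poisoning(SAMPLE_CAPTURE):
        print(f"{ts} [{kind}] {detail}")
```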
Threats to Reputation
 Wireless is easy to use for inappropriate activity
 Retail chains have used wireless for temporary cash registers
 Researchers have found insecure wireless nets broadcasting sensitive customer information
 Publication of wireless leaks has led to major public relations incidents for several companies
 What if the researchers had been “bad guys”? (Some have been)
Computer Break-ins
 Major hardware chain had an insecure wireless network in Michigan
 Intruders used it to break into the home office computers in North Carolina
 Law enforcement contacted but access not shut down during investigation
 Intruders were caught sitting in the parking lot during a subsequent break-in
 Intruder sentenced to 9 years in jail though he failed!
 What about using a high gain directional antenna?
Spammers
 Drive-by-spamming is taking place
 Spammers can send millions of E-Mails in minutes
 Your servers get blamed
 Your abuse people get harassed
 Your company gets blacklisted
 California man pleaded guilty to spamming people through unprotected hotspots
 Convicted under Can-Spam Act
 What about wireless theft?
 Also being used to launch phishing scams
Extortionists
 Extortionists have exploited open access points
 Maryland man used unsecured wireless networks to make “untraceable” threats and extortion demands
 Threats traced to homes and a dentist's office
 Caught by his demand for money
 (Make the check payable to...)
Simple Bandwidth Theft
 Individual in Florida observes someone sitting in his neighborhood playing with a laptop
 Individual hides laptop whenever people approach
 Individual still present several hours later
 Suspicious behavior reported to police
 Police find the suspicious individual using WiFi
 Charged with theft of bandwidth
 Other charges pending?
 Neighborhood watch?
 Coffee shop tired of non-customer in parking lot
 Asked to leave several times
 Charged with theft of bandwidth after several months
Other Illegal Activities
 Canadian police caught an individual driving the wrong way down a one-way residential street
 Individual had wardriving equipment in the car
 Individual had been exploiting open residential access points to download child pornography
 Additional charge: Theft of telecommunications
 What if it was your access point?
 How would you explain the network activity to law enforcement?
Denial of Service
 Various Denial of Service attacks possible
 “Omerta” disassociate attacks disconnect workstations
 Also useful in WPA-PSK attacks
 RF attacks overwhelm channels and spectrum
 Overpowered access points generate interference
 General congestion and channel crowding
 RF “Ping of Death”
 Unlicensed services are not protected from RF interference
Access and Confidentiality
Gateway Control
 Access control through an application gateway
 Use web site authentication to open a firewall
 Little or no link level security
 Wireless traffic may be sniffed
 Very common in hotels
 Very common in paid-for “hot spots”
 Somewhat common at universities
 Prone to “information leakage”
 Prone to MAC hijacking
MAC level access control
 Access granted based on MAC address
 No protection from sniffing
 MAC addresses may be spoofed or hijacked
 Businesses often have batches of MAC addresses
 Administrative headache to maintain MAC tables
 Does not scale well
 In really POOR implementations, multiple WiFi clients can share MAC addresses and get away with it.
 MAC access control
 Block ICMP
 Use orthogonal activity (different servers and services)
VLAN access control
 Combination of Gateway and MAC using VLANS
 VLAN assigned based on MAC address
 Gateway access control switches MAC between VLANS
 Scales much better than pure MAC level access
 Still has disadvantages of both
 No protection from sniffing
 MAC addresses may be spoofed or hijacked
 Businesses often have batches of MAC addresses
SSID Access Control
 SSID broadcast (Wi-Fi network name)
 Cloak a network by disabling SSID broadcast
 Network can still be probed and uncloaked
 Network traffic can still be sniffed
 SSID can be determined from other traffic
 Automated tools are designed to collect information about cloaked networks
 Useful for network selection control
 Little use as access control
 Does indicate that this is NOT a public network
To SSID or Not To SSID
 Advantages to broadcasting SSID / ESSID
 Autodetection of Networks by workstations
 Disadvantages to broadcasting SSID / ESSID
 Closed network names appearing on foreign workstations
 Potential for accidental connections (if not encrypted)
 Advantages to NOT broadcasting SSID / ESSID
 Notice: “This network is not public”
 Accidental connections highly unlikely
 Disadvantages to NOT broadcasting SSID / ESSID
 Manual configuration of networks and workstations
 “False sense of security”
WEP
 Wired Equivalent Privacy
 IEEE standard adopted in 2000
 Simple shared key encryption
 40/56 bit DES (export grade - worthless)
 128 bit RC4
 Weakness unveiled in 2001 led to many attacks
 Design is vulnerable to plaintext codebook attacks
 Some implementations are extremely insecure
 Recent attacks effective against all variations
 Really poor design – even worse implementations
 Some older implementations worse than others
WPA
 Wireless Protected Access
 Based on subset of IEEE 802.11i draft
 WiFi Alliance interim specification
 Can use preshared keys (PSK – WPA Personal)
 Serious problems with weak passwords and PSK!
 Can use Radius / EAP / LEAP authentication
 LEAP is vulnerable to known attacks (asleap)
 Uses stronger encryption and initialization vectors
 TKIP avoids IV codebook attacks
 Support is mandatory for Wi-Fi logo
802.11i / WPA2
 Security standard applicable to 802.11 family
 Application of 802.1X to 802.11 protocols
 Ratified by IEEE in mid 2004
 WiFi alliance brands 802.11i as WPA2
 Requires AES layer 2 encryption
 Fully encrypted WLAN
 Not all legacy cards can be supported
 Support for Windows XP/SP2 and Linux available
 Linux / *NIX – wpa_supplicant
 Generic 802.1X on Linux support - XSupplicant
Virtual Private Networks
 Virtual Private Networks (VPNs) can provide secure connections on insecure networks
 IPSec
 PPTP
 L2TP
 VPNs should be used in open environments for secure access to private resources
 VPNs do not protect from threats or viruses on the open network
 VPNs should be used with personal firewalls
Securing Wireless Networks
Securing your network
 Define your wireless policy in writing and enforce
 Don't use default settings!
 Change the SSID
 Disable SSID broadcast, if so desired
 Use WPA if possible (802.11i/WPA2 where available)
 Use WEP where WPA is not available
 Watch for rogue access points and eliminate
 Disable wireless where not used
 Disallow open connections
 Treat wireless networks as untrusted networks
 Keep access points and systems up to date!
 Employ a security tool such as ISS Proventia Desktop
Physical Access
 Plan for physical (RF) access controls
 Reduce power to reduce leakage
 Use more access points for better defined coverage
 Plan antenna locations
 Avoid outer walls
 Provide for shielding of sensitive areas
 Provide spot coverage for weak areas
 Test for RF leakage and coverage
 Physical controls help, but are not the total answer!
 They can get better antennas
 They can boost more power
Encryption and authentication
 What level(s) are necessary and/or sufficient?
 What is being protected?
 Confidentiality?
 Access?
 Link level
 WEP/WPA/WPA2
 VPN
 Application
 Multiple layers may be necessary
Security on Open Networks
 Use a secure VPN to access private resources
 Use SSL encrypted versions of access protocols
 https instead of http
 pop3s instead of pop3
 imaps instead of imap
 Use a personal firewall or similar protection
 Use an intrusion protection system (IPS)
 ISS Proventia Desktop
 Scan for viruses
 Keep systems religiously up to date
Securing WEP
 Use WEP only if nothing else better is available
 Use 128 bit encryption
 Test all access points for weak packets (Kismet)
 Consider changing shared access keys periodically or when security situation changes
 Use with MAC controls on small networks
 Keep access points behind a firewall in a DMZ
 Assume the network is untrusted and provide for additional security
Securing WPA/WPA2
 Use WPA2 or WPA whenever available
 Use hardened authentication where possible
 Radius
 EAP
 Use strong passwords for WPA Pre-Shared Keys
 Minimum of 17 characters
 Include complex characters (numbers, caps, punctuation)
 It's easier to break weak passwords on WPA PSK than it is to do codebook attacks on WEP!
 Avoid LEAP
 Known attacks
 Online attack tool: asleap
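The PSK guidance above (17+ characters, mixed character classes) as an added example, not code from the slides: derive_pmk() is the 802.11i passphrase-to-PMK mapping that supplicants and access points use, check_passphrase() applies the slide's policy, and ssid_changes_pmk() shows why the earlier advice to change the SSID matters on PSK networks, since the SSID is the only salt in that derivation. The sample passphrases and SSIDs are constructed; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
"""WPA/WPA2 pre-shared key derivation and passphrase policy check.

Added example (not from the slides). derive_pmk() implements the
802.11i mapping from passphrase to 256-bit PMK; check_passphrase()
applies the policy the slides recommend (17+ characters, digits,
capitals, punctuation). The sample passphrases are constructed.
"""
import hashlib
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    4096 rounds cost an attacker a few thousand hashes per guess, but the
    salt is only the SSID: every network with the same name shares one
    table of precomputed PMKs, so a default SSID hands that work back.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def check_passphrase(passphrase: str, min_length: int = 17):
    """Return a list of policy violations (empty means acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("802.11i allows only 8 to 63 ASCII characters")
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digits")
    if not any(c.isupper() for c in passphrase):
        problems.append("no capital letters")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no punctuation")
    if any(ord(c) < 32 or ord(c) > 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    return problems


def ssid_changes_pmk(passphrase: str, default_ssid: str, custom_ssid: str) -> bool:
    """True when one passphrase yields different PMKs on two SSIDs, i.e. a
    table precomputed for the default SSID is useless against the renamed
    network (the reason the slides say to change the SSID)."""
    return derive_pmk(passphrase, default_ssid) != derive_pmk(passphrase, custom_ssid)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password" on SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "Corr3ct-Horse!Battery*Staple"):
        print(f"{candidate!r}: {check_passphrase(candidate) or 'OK'}")
    print(ssid_changes_pmk("password", "linksys", "zq-lab-7f"))
```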
Who Forgot to Invite the Cryptographers?
 Hardened crypto may not provide hardened security
 Flaws in algorithms
 Flaws in design
 Flaws in implementation
 WEP used RC4 – 128 bit cryptography
 Lots of design and implementation errors
 WPA was supposed to address flaws in WEP
 Still some serious problems in WPA-PSK
 SSL servers on APs may be using shared certificates
 Static shared certificates are worse than shared keys
 People can download firmware with certificates to your AP
 Dynamic, self-signed, certificates are better than shared certs
Deception Tools
 Fake access points can befuddle war drivers
 Deception tools can detect intruders looking for access
 Access attempts to honeypot access points can trigger alerts that intruders may be in the area
 Fake access points do no good if they are not monitored and maintained!
 Generally not a worthwhile investment unless you are protecting a high profile target
Closing
Summary
 Wireless networking is inherently insecure
 Default configurations are insecure (but getting better)
 Wireless takes effort and direction to secure
 Wireless networks can be made secure
 Insecure networks can be used securely
 Simply throwing cryptography at it may not be the answer!
 You may need additional security tools on the workstation
 Be paranoid – They are out there and they are out to get you!
Tools
 DD-WRT <http://www.dd-wrt.com>
 Linksys Info <http://www.linksysinfo.org>
 Kismet <http://www.kismetwireless.net>
 Airsnort <http://airsnort.shmoo.com>
 BSD-Airtools <http://www.dachb0den.com>
 THC-Wardrive <http://www.thc.org>
 Netstumbler <http://stumbler.net>
 AiroPeek <http://www.ig.com.au/AiroPeekMain.htm>
 Airmagnet <http://www.airmagnet.com>
 FakeAP <http://www.blackalchemy.to/project/fakeap>
 Wardriving CD <http://www.wardrive.net/wardriving/tools>
 Proventia Desktop <http://www.iss.net>
Resources and References
 http://www.wittsend.com/mhw/2006/Wireless-Security-ALE
 http://www.informationheadquarters.com/Internet/WIFI.shtml
 http://www.networkintrusion.co.uk/wireless.htm
 http://www.usbwifi.orcon.net.nz/
 http://www.wi-fi.org/
 http://www.wifinetnews.com/
 http://www.wi-fiplanet.com/
 http://grouper.ieee.org/groups/802/11/
 http://www.drizzle.com/~aboba/IEEE/