Wireless Security University at Albany, School of Business Center for Information Forensics and Assurance.

Wireless Security: Explosion of Devices

• Spectrums: 802.11x, Bluetooth, Infrared, Cellular, Radio, Microwave, Satellite

Wireless Security: Wireless Cities

August 21, 2004, BBC News: New York set for citywide wireless.

In exchange for being able to mount up to 18,000 new lamp post-based antennas, to strengthen coverage around the five boroughs, the companies will pay the city government around $25m each year. "This is something that makes sense," he added. "The companies are anxious to do it, and we think it will improve service for New Yorkers."

There is already one patch of midtown Manhattan that provides an ideal glimpse of what a more wireless-friendly New York will be like. Bryant Park has been providing a free service to any laptop user who wants access for many months now.

Source: http://news.bbc.co.uk/2/hi/technology/3578982.stm

Wireless Security: Albany, NY Wireless

August 21, 2004, Times Union: Internet hot spots popping up.

On Tuesday, Lemery Greisler LLC will celebrate the first free, public wireless Internet hot spot in downtown Albany. But Omni Plaza, a brick courtyard across the street from the law firm's offices at 50 Beaver St., is just the centerpiece of the ground-up effort to blanket downtown with wireless Internet coverage. "What we're unveiling is the pilot," said Scott Almas, a Lemery Greisler associate and driving force behind the effort. "There's a better mousetrap than these little access points. My vision was: Throw out some cheese, draw in the mouse and then put in a better mousetrap. That would be universal, ubiquitous coverage."

Earlier this year, Intel Corp. released a ranking of American cities with the best wireless access.
Despite its Tech Valley moniker, the Albany-Schenectady-Troy area ranked 71st, behind regions such as Wichita, Kan., and Worcester, Mass. The as-yet-unnamed downtown effort is an attempt to change that. "At some point this will be part of the municipal infrastructure," Almas said. "But until the mice come out, nobody has any interest in putting in a better trap."

Source: Times Union

Wireless Security: Albany, NY Access Points

[Figures: Empire State Plaza; War Driving in Albany]

Wireless Security: Access to Wireless Data

July 1, 2004, CNN.com: Report: Homeland Security vulnerable to wireless hackers.

WASHINGTON (CNN) -- Although charged with making the nation more secure, the Department of Homeland Security has not taken the steps needed to secure its own wireless communications, according to a report from the department's Inspector General.

Wireless messaging services played a critical role following the September 11, 2001 terrorist attacks. While cellular telephone service was out, key personnel remained in contact using messaging services. But wireless technology can facilitate unauthorized access to wired networks and data through eavesdropping or theft. Those vulnerabilities increase the need for strong security controls.

The report concludes that Homeland Security cannot ensure that its sensitive information about terrorist threats and security is not being monitored, accessed, and misused.

Source: Times Union

Wireless Security: Wireless Concerns

• Security is the top issue with Wireless Ethernet
• A larger percentage of government respondents rated this as an issue compared to industry respondents.
Source: 2003 Wireless LAN Benefits Study, Cisco Systems

Wireless Security: Wireless Attacks

• Denial of Service
  – Jamming (by using a device which will flood the spectrum with noise and traffic)
  – Spoofing identity (through cloning the MAC address of another user and setting the signal strength greater than that user's)
  – Spoofed access points (clients are usually configured to associate with the access point with the strongest signal)
• ARP poisoning
  – Attacker can get packets and frames from the air by "poisoning" the caches of MAC/IP combinations of two hosts connected to the "physical" network.
• Sleep Deprivation Attacks
  – People run programs on wireless devices to drain all their power

Source: Wireless Attacks and Penetration Testing part 1, June 3, 2002

Session Hijacking: Exploit Demonstration

• Vulnerability:
  – Inherent weaknesses in underlying protocols used on computer networks today
  – e.g. the ARP protocol's lack of authentication and limited table entries.
• Attack Scenario:
  – Start hunt and identify active sessions.
  – Passively monitor session.
  – Hijack the session.
  – Perform malicious activity.
  – Terminate the session.

Session Hijacking: Protection/Detection

• Protection:
  – Use encryption.
  – Use strong authentication.
  – Configure appropriate spoof rules on gateways.
  – Monitor for ARP cache poisoning.
• Additional protection at the Data Link Layer:
  – Use port security feature on Ethernet switches.
  – Hard code ARP tables on your critical servers and turn off ARP on your network interfaces.
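
One way to implement the "Monitor for ARP cache poisoning" item, as an added example that is not part of the original presentation: it baselines IP-to-MAC bindings from ARP replies and flags changes, violations of pinned entries, and a single MAC answering for several IPs. The observation tuples, addresses and alert names are constructed for illustration, and how the replies are captured is left to whatever tooling is in use.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
OBSERVED = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),   # gateway
    (1,  "10.0.0.20", "00:11:22:33:44:20"),   # client
    (5,  "10.0.0.1",  "00:11:22:33:44:01"),   # gateway again, unchanged
    (30, "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (31, "10.0.0.20", "de:ad:be:ef:00:99"),   # same MAC now claims the client too
    (32, "10.0.0.50", "00:11:22:33:44:50"),   # new host, first sighting
]

# Pinned bindings for critical hosts (hypothetical values): the monitoring
# counterpart of hard-coding ARP entries on critical servers.
PINNED = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(observations, pinned=None, max_ips_per_mac=1):
    """Return alerts as (time, kind, ip, mac) for suspicious ARP bindings."""
    pinned = pinned or {}
    first_seen = {}                  # ip -> first MAC observed (baseline)
    mac_to_ips = defaultdict(set)    # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip].lower():
            alerts.append((ts, "PINNED_MISMATCH", ip, mac))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, "BINDING_CHANGED", ip, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "MAC_CLAIMS_MULTIPLE_IPS", ip, mac))
        first_seen.setdefault(ip, mac)   # never overwrite the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED, PINNED):
        print(alert)
```

Binding changes also occur legitimately (DHCP reassignment, failover pairs, routers answering for several addresses), so in practice these alerts are triaged against known infrastructure and `max_ips_per_mac` is raised for such devices.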

Conclusions

Computer Security: Layered Approach to Security

• Do not underestimate internal network threats.
• Apply industry best practices in day-to-day work.
• Use layered approach with information security.
• Take a proactive approach with information security.
  – Do not wait for an incident to happen and react when it may be too little, too late.

Acknowledgements: Organizations/People

• Thanks to the support of:
  – NY State Center for Information Forensics and Assurance, UAlbany
  – NY State Office for Cyber Security and Critical Infrastructure Coordination
  – New York State Police
• Thanks to Damira Pon, CIFA for assistance in preparing this presentation
• Thanks to Sandy Schuman and Steve Walter for organizing the Korean Executive talk

Additional Material

Appendix: Security Tools

Tool Name | General Use | OS | Available From
Ettercap | Sniffer | Linux | http://ettercap.sourceforge.net
Hunt | Sniffer/Hijacking | Linux | http://lin.fsid.cvut.cz/~kra
Ethereal | Sniffer | Linux, Windows | http://www.ethereal.com/download.html
RPCScan2 | Scanner | Windows | http://www.foundstone.com
dcom2_scanner.c | Scanner | Linux | http://packetstormsecurity.com
Netcat | Scanner-Multipurpose | Linux, Windows | http://www.hack-box.info/bruteforce.html
John the Ripper | Password Cracker | Linux, Windows | http://www.openwall.com
Linux Kernel Patch | Kernel Security Patch | Linux | http://www.openwall.com/linux
BufferShield 1.01a | Kernel Security Patch | Windows | http://www.sys-manage.com/index10.htm
OverflowGuard | Kernel Security Patch | Windows | http://www.datasecuritysoftware.com
StackDefender | Kernel Security Patch | Windows | http://www.ngsec.com/ngproducts
Juggernaut | Sniffer/Hijacking | Linux | http://packetstormsecurity.com/
TTY Watcher | Sniffer/Hijacking | Linux | http://www.cerias.purdue.edu
IP Watcher | Sniffer/Hijacking | Linux | http://www.engrade.com

Appendix: Wireless Protocols

Name | Description
CDPD (Cellular Digital Packet Data) | Supports wireless access to Internet from cell phone networks.
HSCSD (High Speed Circuit Switched Data) | Enables data transfer from GSM networks.
PDC-P (Packet Data Cellular) | Packet switching message system used in Japan
GPRS (General Packet Radio Service) | Specification for transfer on GSM/TDMS networks.
CDMA (-2000 1xRTT) | Radio Transmission Technology
Bluetooth | Specification for short distance wireless communication between two devices
IrDA | Infrared light communication between two devices.
LMDS (Local Multipoint Distribution Service) | Broadband wireless point to multipoint using microwave communications
MMDS (Multichannel Multipoint Distribution Service) |
802.11x | Wi-Fi (for wireless Ethernet) 802.11/a/b/g/i

Wireless Security: Terms

• WEP (Wired Equivalent Privacy)
  – WEP is an authentication scheme (not required)
  – Only good for data between access points
  – Uses 24 bits for initialization vector (same vector can be used for different packets) and leads to possible duplication.
  – Hackers only have to collect data frames by using a network monitoring tool and then run a program called WEPCrack.
• War Driving
  – Needs global positioning system (GPS), wireless laptop, and software
  – Software keeps track of position and access point configuration.
  – Data uploaded to internet databases of wireless access point maps.
• War Spamming
  – Exploiting wireless networks in the process of war driving to send spam.
Source: Security Focus, Infocus, "Wireless Attacks and Penetration Testing part 1", June 3, 2002; Silicon.com, "Can Spammers Really Exploit Wireless Networks", September 8, 2004

Wireless Security: New Security Technologies

• 802.11i
  – Upgrade of other wireless 802.11a/b/g standards. Fixes WEP problems.
  – Use of WPA, WPA2 and AES
  – Ability to use RADIUS-based authentication of users
• WPA (Wi-Fi Protected Access)
  – Rekeying of global encryption keys is required (unlike WEP)
  – Requires TKIP (Temporal Key Integrity Protocol) which replaces WEP encryption
  – Needs specific hardware and software
  – For home and small business users
• WPA2
  – For enterprise
  – Incorporates 802.1X
• AES (Advanced Encryption Standard)
  – Meets the needs for the Federal Information Processing Standard (FIPS) 140-2 specification (required by many government agencies)
  – Needs a dedicated chip to handle encryption and decryption

Source: http://www.wi-fiplanet.com/news/article.php/3373441
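
Why the 24-bit initialization vector listed under WEP in the Terms slide "leads to possible duplication", and why the rekeying that WPA requires matters, shown as an added example that is not part of the original presentation. It assumes IVs are chosen at random, models only the RC4 step with the per-frame key IV || shared key (the integrity checksum is omitted), and uses a constructed key and constructed frames.

```python
import math

IV_BITS = 24  # WEP initialization vector size, as stated in the Terms slide

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: XOR data with the keystream derived from key."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                             # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_style_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key, so a repeated IV repeats the keystream."""
    return rc4(iv + shared_key, plaintext)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def frames_until_collision(probability: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which random IVs repeat with the given probability."""
    if not 0 < probability < 1:
        raise ValueError("probability must be between 0 and 1 (exclusive)")
    space = 2 ** iv_bits
    log_unique, frames = 0.0, 1       # log of P(all IVs distinct) for `frames` frames
    while 1.0 - math.exp(log_unique) < probability:
        log_unique += math.log1p(-frames / space)
        frames += 1
    return frames

def keystream_reuse_demo():
    """Return (leak with repeated IV, leak with fresh IV) for two constructed frames."""
    key = bytes.fromhex("0102030405")                   # constructed 40-bit shared key
    p1, p2 = b"constructed frame A", b"constructed frame B"
    c1 = wep_style_encrypt(b"\x00\x00\x2a", key, p1)
    c2 = wep_style_encrypt(b"\x00\x00\x2a", key, p2)    # same IV reused
    c3 = wep_style_encrypt(b"\x00\x00\x2b", key, p2)    # different IV
    # With a repeated IV the keystream cancels: c1 XOR c2 == p1 XOR p2.
    return xor(c1, c2) == xor(p1, p2), xor(c1, c3) == xor(p1, p2)

if __name__ == "__main__":
    print("frames for a 50% chance of an IV repeat:", frames_until_collision(0.5))
    print("(repeated IV leaks, fresh IV leaks):", keystream_reuse_demo())
```

A repeat becomes likely after only a few thousand frames under one static key, which is the weakness that per-session rekeying in WPA and the move to AES in 802.11i address.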