University at Albany, School of Business

1
Wireless Security
2
Wireless SecurityExplosion of Devices

• Spectrums 802.11x, Bluetooth, Infrared,
  Cellular, Radio, Microwave, Satellite

3
Wireless SecurityWireless Cities

• August 21, 2004 BBC News
• New York set for citywide wireless. In exchange
  for being able to mount up to 18,000 new lamp
  post-based antennas, to strengthen coverage
  around the five boroughs, the companies will pay
  the city government around 25m each year. "This
  is something that makes sense," he added. "The
  companies are anxious to do it, and we think it
  will improve service for New Yorkers."
• There is already one patch of midtown Manhattan
  that provides an ideal glimpse of what a more
  wireless-friendly New York will be like.
• Bryant Park has been providing a free service to
  any laptop user who wants access for many months
  now.
• Source http//news.bbc.co.uk/2/hi/technology/35
  78982.stm

4
Wireless SecurityAlbany, NY Wireless

• August 21, 2004 Times Union
• Internet hot spots popping up. On Tuesday,
  Lemery Greisler LLC will celebrate the first
  free, public wireless Internet hot spot in
  downtown Albany. But Omni Plaza, a brick
  courtyard across the street from the law firm's
  offices at 50 Beaver St., is just the centerpiece
  of the ground-up effort to blanket downtown with
  wireless Internet coverage.
• "What we're unveiling is the pilot," said Scott
  Almas, a Lemery Greisler associate and driving
  force behind the effort. "There's a better
  mousetrap than these little access points. My
  vision was Throw out some cheese, draw in the
  mouse and then put in a better mousetrap. That
  would be universal, ubiquitous coverage."
• Earlier this year, Intel Corp. released a
  ranking of American cities with the best wireless
  access. Despite its Tech Valley moniker, the
  Albany-Schenectady-Troy area ranked 71st, behind
  regions such as Wichita, Kan., and Worcester,
  Mass. The as-yet-unnamed downtown effort is an
  attempt to change that.
• "At some point this will be part of the
  municipal infrastructure," Almas said. "But until
  the mice come out, nobody has any interest in
  putting in a better trap."
• Source Times Union

5
Wireless SecurityAlbany, NY Access Points
Empire State Plaza
War Driving in Albany
6
Wireless SecurityAccess to Wireless Data

• July 1, 2004 CNN.com
• Report Homeland Security vulnerable to wireless
  hackers. WASHINGTON (CNN) -- Although charged
  with making the nation more secure, the
  Department of Homeland Security has not taken the
  steps needed to secure its own wireless
  communications, according to a report from the
  department's Inspector General.
• Wireless messaging services played a critical
  role following the September 11, 2001 terrorist
  attacks. While cellular telephone service was
  out, key personnel remained in contact using
  messaging services.
• But wireless technology can facilitate
  unauthorized access to wired networks and data
  through eavesdropping or theft. Those
  vulnerabilities increase the need for strong
  security controls.
• The report concludes that Homeland Security
  cannot ensure that its sensitive information
  about terrorist threats and security is not being
  monitored, accessed, and misused.
• Source Times Union

7
Wireless SecurityWireless Concerns

• Security is the top issue with Wireless Ethernet
• A larger percentage of government respondents
  rated this as an issue compared to industry
  respondents.

Source 2003 Wireless LAN Benefits Study, Cisco
Systems
8
Wireless SecurityWireless Attacks

• Denial of Service
• Jamming (by using a device which will flood
  spectrum with noise and traffic)
• Spoofing identity (through cloning MAC address of
  and setting strength of signal to greater than
  other user)
• Spoofed access points (clients are usually
  configured to associate with the access point
  with the strongest signal)
• ARP poisoning
• Attacker can get packets and frames from the air
  by poisoning caches of MAC/IP combinations of
  two hosts connected to the physical network.
• Sleep Deprivation Attacks
• People run programs on wireless devices to drain
  all its power

Source Wireless Attacks and Penetration Testing
part 1, June 3, 2002
9
Session Hijacking Exploit Demonstration

• Vulnerability
• Inherent weaknesses in underlying protocols used
  on computer networks today
• e.g. ARPs protocol lack of authentication and
  limited table entries.
• Attack Scenario
• Start hunt and identify active sessions.
• Passively monitor session.
• Hijack the session.
• Perform malicious activity.
• Terminate the session.

10
Session Hijacking Protection/Detection

• Protection
• Use encryption.
• Use strong authentication.
• Configure appropriate spoof rules on gateways.
• Monitor for ARP cache poisoning.

• Additional protection at the Data Link Layer
• Use port security feature on Ethernet
  switches.
• Hard code ARP tables on your critical servers
  and turn
• off ARP on your network interfaces.

11
Conclusions
12
Computer SecurityLayered Approach to Security

• Do not underestimate internal network threats.
• Apply industry best practices in day-to-day work.
• Use layered approach with information security.
• Take a proactive approach with information
  security.
• Do not wait for an incident to happen and react
  when it may be too little, too late.

13
AcknowledgementsOrganizations/People

• Thanks to the support of
• NY State Center for Information Forensics and
  Assurance, UAlbany
• NY State Office for Cyber Security and Critical
  Infrastructure Coordination
• New York State Police
• Thanks to Damira Pon, CIFA for assistance in
  preparing this presentation
• Thanks to Sandy Schuman and Steve Walter for
  organizing the Korean Executive talk

14
Additional Material
15
AppendixSecurity Tools
Tool Name General Use OS Available From
Ettercap Sniffer Linux http//ettercap.sourceforge.net
Hunt Sniffer/Hijacking Linux http//lin.fsid.cvut.cz/kra
Ethereal Sniffer Linux Windows http//www.ethereal.com/download.html
RPCScan2 Scanner Windows http//www.foundstone.com
dcom2_scanner.c Scanner Linux http//packetstormsecurity.com
Netcat Scanner-Multipurpose Linux Windows http//www.hack-box.info/bruteforce.html
John the Ripper Password Cracker Linux Windows http//www.openwall.com
Linux Kernel Patch Kernel Security Patch Linux http//www.openwall.com/linux
BufferShield 1.01a Kernel Security Patch Windows http//www.sys-manage.com/index10.htm
OverflowGuard Kernel Security Patch Windows http//www.datasecuritysoftware.com
StackDefender Kernel Security Patch Windows http//www.ngsec.com/ngproducts
Juggernaut Sniffer/Hijacking Linux http//packetstormsecurity.com/
TTY Watcher Sniffer/Hijacking Linux http//www.cerias.purdue.edu
IP Watcher Sniffer/Hijacking Linux http//www.engrade.com
16
AppendixWireless Protocols
Name Description
CDPD (Cellular Digital Packet Data) Supports wireless access to Internet from cell phone networks.
HSCSD (High Speed Circuit Switched Data) Enables data transfer from GSM networks.
PDC-P (Packet Data Cellular) Packet switching message system used in Japan
GPRS (General Packet Radio Service) Specification for transfer on GSM/TDMS networks.
CDMA (-2000 1xRTT) Radio Transmission Technology
Bluetooth Specification for short distance wireless communication between two devices
IrDA Infrared light communication between two devices.
LMDS (Local Multipoint Distribution Service) Broadband wireless point to multipoint using microwave communications
MMDS (Multichannel Multipoint Distribution Service)
802.11x Wi-Fi (for wireless Ethernet) 802.11/a/b/g/i
17
Wireless SecurityTerms

• WEP (Wired Equivalent Privacy)
• WEP is an authentication scheme (not required)
• Only good for data between access points
• Uses 24 bits for initialization vector (same
  vector can be used for different packets) and
  leads to possible duplication.
• Hackers only have to collect data frames by using
  a network monitoring tool and then run a program
  called WEPCrack.
• War Driving
• Needs global positioning system (GPS), wireless
  laptop, and software
• Software keeps track of position and access point
  configuration.
• Data uploaded to internet databases of wireless
  access point maps.
• War Spamming
• Exploiting wireless networks in the process of
  war driving to spend spam.

Source Security Focus, Infocus, Wireless
Attacks and Penetration Testing part 1 , June
3, 2002 Silicon.com, Can
Spammers Really Exploit Wireless Networks,
September 8, 2004
18
Wireless SecurityNew Security Technologies

• 802.11i
• Upgrade of other wireless 802.11a/b/g standards.
  Fixes WEP problems.
• Use of WPA, WPA2 and AES
• Ability to use RADIUS-based authentication of
  users
• WPA (Wi-Fi Protected Access)
• Rekeying of global encryption keys is required
  (unlike WEP)
• Requires TKIP (Temporal Key Integrity Protocol)
  which replaces WEP encryption
• Needs specific hardware and software
• For home and small business users
• WPA2
• For enterprise
• Incorporates 802.1X
• AES (Advanced Encryption Standard)
• Meet the needs for the Federal Information
  Processing Standard (FIPS) 140-2 specification
  (required by many government agencies)
• Needs a dedicated chip to handle encryption and
  decryption

Source http//www.wi-fiplanet.com/news/article.ph
p/3373441