Title: Driveby Hacking
1. Drive-by Hacking
ECE 578 Computer Network and Security, a term paper
Shekhar Shinde, Shinde_at_engr.orst.edu, Oregon State University
2. Contents
- Background
- Problem of drive by hacking
- Wireless security options
- Challenges
- Types of attacks
- Internet scanner
- Real life solution to the problem
- Conclusion
3. Background
- WLAN technology is making its way into organizations, but
  - Authorized deployments are hindered by security concerns.
  - Unauthorized (rogue) deployments put the corporate network at risk.
- Top concerns
  - Where are the access points?
  - Are they vulnerable to attack?
  - Where is the network perimeter?
4. Market
5. The Problem: Drive-By Hacking
[Figure: the building]
If the distance from the Access Port to the street outside is 1500 feet or less, then a hacker could also get access while sitting outside.
6. Wireless LAN Security Options
- MAC address filtering
- Vendor specific authentication
- SSID/Network ID
- Wired Equivalent Privacy (WEP)
- Emerging IEEE 802.11x
7. Or in other words
The problem: totally proprietary technology, and therefore vendor specific, and the initial broadcast keys can still be sniffed.
1. User runs client software and enters user name and password.
2. The request is sent to the RADIUS/EAP server; RADIUS authenticates the session and sends unique session keys to the device and the AP (valid only for the session).
3. When the device wants to connect to a different AP, a new session is created, with a different unique set of keys.
8. The Challenges
- Rogue access points
  - Due to low cost, users are setting up their own APs without IT's knowledge (i.e. boardrooms)
- DHCP
  - One of the advantages of WLAN is the ability to move around the building, and therefore between IP subnets, so DHCP is needed, but it is very abusable!
- 802.11xx and other technologies (such as Bluetooth and WAP) are all new and so no standards exist, so they are very vendor specific
9. Types of Attacks
- Insertion Attacks
- Interception and unauthorised monitoring
- Jamming
- Client to Client Attacks
- Brute Force on AP password
- Encryption Attacks
- Mis-configurations
10. Types of Attacks
- Insertion
  - Deploying unauthorised devices or creating new wireless networks without the prior knowledge of IT
- Interception and Unauthorised Monitoring
  - As with wired networks it is possible to sniff the network, but where wired networks require monitoring agents, with WLAN you can get everything.
- Jamming
  - As the name suggests, this is a denial-of-service attack that floods the 2.4 GHz range, used by these and other devices, so nothing can communicate
11. Types of Attacks
- Client to Client Attacks
  - Once Windows is configured to support wireless it can be contacted by any other wireless device, so all the usual file sharing and TCP service attacks work
- Brute Force on Access Point password
  - The APs use simple usernames and passwords which can be easily brute forced, and key management is not easy
- Encryption Attacks
  - Although 802.11 has WEP, vulnerabilities have already been found and the keys can easily be cracked
- Mis-configurations
  - All major vendors make their units easy to deploy, so they come with insecure, well-known pre-configurations, which are rarely changed when installed
12. WLAN Security Challenges
- How to Defend against WLAN Threat
  - WLAN security is similar to the wired network.
  - Just represents an extension of wired networks
  - Another potential untrusted entry point into the wired network.
- Multi-Layer Security Approach
  - Protect WLAN holistically at the network, system, and application layer for clients, access points, and the back-end servers.
  - Apply traditional wired security countermeasures.
13. WLAN Discovery / Assessment / Monitoring Tools
- Internet Scanner 6.2, the market leading network vulnerability assessment tool, was the first to assess many 802.11b security checks. 802.11 checks are in several X-Press Updates (XPU 4.9 and 4.10).
- RealSecure 6.5, the market leading IDS, was the first to monitor many 802.11b attacks. Make sure you are up to date with the latest X-Press Updates. 802.11 checks for IDS were in XPU 3.1.
14. Internet Scanner
1. Finds the Holes
2. Finds Rogue Access Points or Devices
15. Real Secure
[Figure labels: Kill !!]
16. The Solution
- Wireless Scanner 1.0 is the solution for this problem
  - Identify 802.11b access points.
  - Assess the implementation of available security features.
  - Laptop-based for mobility.
- Wireless Scanner provides automated detection and security assessment of WLAN access points and clients.
17. Target Market
- Primary market of Wireless Scanner 1.0
  - Enterprise customers
  - SMB customers
  - Security consultants / auditors
- These customers want to
  - Implement a WLAN without compromising their existing security measures.
  - Protect network from unauthorized APs.
18. How it works
- Each device has a WLAN adapter
- These communicate back to Access Ports (AP), or Wireless Bridges
- The technology works like old Ethernet bridges by simply passing data on
- So anyone with a wireless device could, theoretically, connect to your network.
19. Features: Detection
- Wireless Scanner detects access points and active clients.
20. Features: Security Assessment
- Wireless Scanner probes access points to determine their vulnerability to connection and attack by unauthorized users.
21. Features: Reporting
- Multi-level reporting
- Export options
- New Access Points report highlights new 802.11b
devices discovered in scan.
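As an added example (not part of the original slides and not Wireless Scanner's own code), the following Python shows the baseline comparison behind a new or rogue access point report, combined with the misconfiguration checks described under Types of Attacks. The scan records, inventory, function names and the short default-SSID list are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: a few well-known factory-default SSIDs, for illustration only.
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "101"}

@dataclass(frozen=True)
class AccessPoint:
    bssid: str   # MAC address of the AP radio
    ssid: str    # advertised network name
    wep: bool    # True if the beacon advertises WEP

def normalize(bssid):
    """Canonical lower-case, colon-separated MAC for comparison."""
    return bssid.strip().lower().replace("-", ":")

def assess(scan, authorized, previous_scan=()):
    """Return {bssid: [findings]} for each AP with at least one finding."""
    known = {normalize(b) for b in authorized}
    seen = {normalize(ap.bssid) for ap in previous_scan}
    report = {}
    for ap in scan:
        bssid, findings = normalize(ap.bssid), []
        if bssid not in known:
            findings.append("rogue: not in authorized inventory")
        if bssid not in seen:
            findings.append("new since previous scan")
        if not ap.wep:
            findings.append("WEP not enabled")
        if ap.ssid.strip().lower() in DEFAULT_SSIDS:
            findings.append("factory-default SSID")
        if findings:
            report[bssid] = findings
    return report

# Constructed sample data (locally administered MAC addresses).
AUTHORIZED = ["02:00:00:00:00:01", "02-00-00-00-00-02"]
PREVIOUS = [AccessPoint("02:00:00:00:00:01", "corp-wlan", True),
            AccessPoint("02:00:00:00:00:02", "tsunami", True)]
CURRENT = [AccessPoint("02:00:00:00:00:01", "corp-wlan", True),
           AccessPoint("02:00:00:00:00:02", "tsunami", True),
           AccessPoint("02:00:00:00:00:99", "linksys", False)]

if __name__ == "__main__":
    for bssid, findings in assess(CURRENT, AUTHORIZED, PREVIOUS).items():
        print(bssid, "->", "; ".join(findings))
```

An authorized AP can still appear in the report: the second sample AP is in the inventory but keeps a factory-default SSID, which is the misconfiguration case rather than the rogue case.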
22. Features: Flexibility
- Mobile users can scan while walking
- User configurable
- Filters
- Alarms and notifications
- Encryption keys for scanning
- Configurations can be saved and loaded