CSCD 439/539 Wireless Networks and Security - PowerPoint PPT Presentation

Slides: 63
Provided by: CarolT155

1
CSCD 439/539 Wireless Networks and Security
  • Lecture 8
  • Wi-Fi Threats and Vulnerabilities
  • Fall 2007

2
Introduction
  • Vulnerabilities
  • Inherent characteristics of wireless
  • Deliberate features designed into 802.11
  • Flawed design
  • WEP
  • MAC access list
  • Other design flaws
  • Threats
  • Hackers
  • Classification
  • Motivation

3
Wi-Fi Vulnerabilities
  • Ask: Why are Wi-Fi networks vulnerable to
    attack?
  • Answer seems obvious ...

4
Wi-Fi Vulnerabilities
  • Answer
  • Because it's wireless ... transmits data on radio
    waves
  • Propagate everywhere
  • Boost waves with powerful antennas to travel up
    to a mile or more
  • Anyone along the path can listen to the
    transmission

5
Wi-Fi Vulnerabilities
  • Wi-Fi doesn't fit the traditional model of
    security
  • Firewall separates internal network from outer

6
Wi-Fi Vulnerabilities
  • Wired networks
  • Trusted and Untrusted zones separated by firewall
  • Systems inside trusted
  • Systems outside untrusted
  • Untrusted can have enemies
  • Trusted all are your friends in theory

7
Wi-Fi Vulnerabilities
  • Wireless completely violates that model
  • Introduces vulnerabilities
  • People don't understand how to handle the new
    model of wired plus wireless
  • No longer have a well-defined security perimeter

8
Wi-Fi Characteristics
  • Shared, uncontrolled media
  • - Lack of physical security, much harder to
    control
  • Transient Networks
  • - Mobile wireless devices can move
  • - Ad-hoc networks, form and dissolve
  • How do we protect these networks?

9
Wi-Fi Characteristics
  • User Indifference
  • - True of both wired and wireless networks
  • - Users don't care about security
  • - Does your mother care about computer security?
  • Easier to attack
  • - Lack of a defined perimeter, as noted above
  • - Wireless nature easier than wired networks
  • Hackers are lazy, take the easiest path

10
Inherent Vulnerabilities
  • WLANs break assumptions of inside/outside
    paradigm
  • Can't be confined
  • Radio signal cuts through walls and windows
  • Can't change the physical reality of wireless
  • Must acknowledge this and counteract the threats
  • Must worry about the following

11
Inherent Vulnerabilities
  • Rogue access points
  • Unauthorized AP installed and connected to
    Enterprise network
  • On purpose, by an employee: not malicious
  • On purpose, by an outsider: malicious intent
  • Many uses for this useful device if malicious
  • Cause users to associate to it
  • Man-in-the-middle attack, session stealing
  • Get possibly sensitive information .. more later

12
WEP Encryption
  • Wired Equivalent Privacy
  • Uses encryption to try to keep data private
  • Has multiple problems that make it more of a
    liability than a security solution
  • Still coming up with new attacks against WEP!
  • What was WEP designed for?

13
WEP Encryption
  • Designed to
  • Keep outsiders from connecting to a network or
    monitoring traffic on that network
  • Nothing more

14
WEP Encryption
  • WEP and wrong assumptions
  • Was not designed to be end-to-end encryption
  • Does not distribute and manage encryption keys
  • Key distribution - manual outside 802.11 spec
  • WPA and WPA2 fix this
  • Was not designed for complete data privacy
  • See next slide

15
WEP Encryption
  • Question
  • Does WEP hide traffic from users on the same
    network sharing the same WEP key?
  • No.
  • Users can eavesdrop on each other
  • So, how can you be sure users are all legitimate?

16
WEP Encryption
  • WEP has no authentication except by encryption
    keys
  • Assume user with valid key is legitimate
  • Doesn't check any sort of user ID, password or
    hardware MAC address
  • 802.11i task group
  • Defines how this will be done
  • Now, not done through WEP
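The following Python model of WEP framing is an added example (not from the lecture or any vendor code) illustrating the last three slides: the shared key is the only secret, so the AP, every station holding the key, and anyone else who obtains it all run the identical decrypt routine, and the only check performed is the CRC-32 integrity value, which says nothing about who sent the frame. The 40-bit key, the IV handling and the sample message are constructed for the demonstration.

```python
import os
import struct
import zlib
from typing import Dict, Optional

# Toy model of WEP framing (added example, not from the lecture). The only
# secret is the shared network key, so decryption is the same operation for
# the AP, for every station on the network, and for anyone else holding the
# key. Frame layout follows WEP: IV (3 bytes), key-id byte, then
# RC4(IV || key) applied to data || ICV, where ICV is CRC-32 of the data.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus generation of `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the data."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, plaintext: bytes,
                iv: Optional[bytes] = None) -> bytes:
    """Protect one frame body. A random 24-bit IV is prepended in the clear."""
    iv = os.urandom(3) if iv is None else iv
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Recover the data if the ICV checks out under `shared_key`, else None.
    Note what is NOT checked: nothing in the frame proves who sent it."""
    iv, body = frame[:3], frame[4:]
    ks = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = plain[:-4], plain[-4:]
    return data if _icv(data) == icv else None


def shared_key_demo(shared_key: bytes) -> Dict[str, Optional[bytes]]:
    """Station A sends a frame; the AP, station B (same key) and an outsider
    (different key) each try to read it. The message is a constructed sample."""
    frame = wep_encrypt(shared_key, b"hello from station A")
    return {
        "ap": wep_decrypt(shared_key, frame),
        "station_b": wep_decrypt(shared_key, frame),   # same key, same result
        "outsider": wep_decrypt(bytes(len(shared_key)), frame),
    }


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    for who, result in shared_key_demo(key).items():
        print(f"{who:>10}: {result}")
```

Running it shows `ap` and `station_b` recovering the same plaintext while `outsider` gets `None`: the key is the whole of WEP's access control, which is why a key shared by every user gives no privacy between users and no way to tell a legitimate key holder from anyone else who has the key.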

17
MAC Address Filtering
  • Another security mechanism
  • Doesn't work very well
  • Wi-Fi APs have ability to specify list of
    computers permitted to associate with AP
  • Any computer not on list turned away by access
    point
  • Not able to join your network
  • Even if they have the WEP or WPA key

18
MAC Address Filtering
  • Assumption
  • Every network device has unique MAC address
  • What's wrong with this assumption?
  • MAC addresses can be spoofed!!
  • Machine associates with AP
  • Sends MAC address in the clear
  • Any sniffer program can listen for that
    transmission and get the MAC address
  • Spoof it

19
MAC Address Filtering
  • Pretend to be legitimate user
  • AP can't tell the difference between a good user
    and a false user
  • The fact that software can impersonate a MAC
    address negates MAC address filtering completely

20
Other Design Flaws
  • MGMT, CTRL frames not encrypted
  • Can be spoofed w/o knowledge of WEP key
  • No authentication of AP to station
  • Cant prove an AP is legitimate
  • Limited number of stations can use a single AP
  • We can overflow an AP to prevent wireless access

21
Other Design Flaws
  • Some believe that by using a complicated SSID
    unauthorized user will have difficulty in gaining
    access to their AP
  • SSIDs are passed in the clear, even when WEP is
    enabled
  • It is trivial to download free tools designed to
    intercept SSIDs from a wireless communication
    session

22
SSID Names
Note default SSIDs

23
Threats

24
Threats and Those Responsible
  • Hackers of all levels
  • What motivates them and, more importantly, what
    threat do they pose to your Wi-Fi network?

25
Attackers
  • Who are your typical attackers and what drives
    them to break into your network?
  • What are their motives?
  • What methods do they use?
  • What damage can they cause?
  • Are you at risk?

26
Attacker Groups
  • Who are they?
  • Lots of groups out there that can threaten your
    systems
  • Not easy to classify them
  • Typical way to group them is by skill level or
    potential for damage
  • Can rank them from lowest to highest in skill,
    but this doesn't always correlate with damage
    potential
  • A good example is the virus/worm writers
  • Do a lot of damage but are not necessarily the
    most skilled

27
Hacker Groups
  • Can loosely classify them by skill level and
    motive
  • Elite Hackers White Hat
  • Elite Hackers Black Hat
  • Virus/Worm Writers and Spammers
  • Hacktivism Groups
  • Script Kiddies

28
Elite Hackers White Hat
  • Hackers in this group skilled
  • Often belong to a hacker group
  • L0pht, Masters of Deception
  • Feel they have a mission to improve the security
    of the computer world
  • Avoid damage to network and systems
  • Inform and educate system administrators about
    fixes to their security

29
Elite Hackers White Hat
  • Elite Hackers White Hat
  • Subscribe to a Hacker Code of Ethics
  • It said ...
  • Ethical duty of the hacker to remove barriers,
    liberate information, decentralize power, honor
    people based on their ability, create things that
    are good and life-enhancing through computers.

30
Elite Hackers White Hat
  • New Code of Ethics includes
  • Leave no traces, keep a low profile; if accused,
    deny it; if caught, plead the 5th
  • Share information
  • Don't hoard or hide information
  • Information increases in value when shared

31
Elite Hackers Black Hat
  • Skilled but do damage
  • Break in and leave evidence of their presence
  • Need to re-install software
  • Don't worry about loss of private information
  • Don't buy into a Code of Ethics
  • Sell their services to highest bidder
  • In business for themselves

32
Elite Hackers
  • Psychological Profile of Elite Hackers
  • Most elite hackers are called deviants
  • Different values and beliefs than society
  • White hats believe they are performing a service
    for society by exposing poor security practices
  • Sometimes have a tenuous grasp on reality because
    they live mostly in the cyber world
  • Examples: Robert Morris, Kevin Mitnick

33
Examples: Elite Hackers
  • Eric Corley (also known as Emmanuel Goldstein)
  • Long standing publisher of 2600 The Hacker
    Quarterly and founder of the H.O.P.E.
    conferences.
  • Been part of the hacker community since the late
    '70s.
  • Kevin Mitnick
  • A former computer criminal who now speaks,
    consults, and authors books about social
    engineering and network security.
  • Robert Morris
  • Now a professor at MIT
  • The son of the chief scientist at the National
    Computer Security Center part of the National
    Security Agency (NSA)
  • As a Cornell University graduate student, he
    accidentally unleashed an Internet worm in 1988
  • Thousands of computers were infected and
    subsequently crashed.

34
Script Kiddies
  • Skilled hackers put their scripts on-line
  • They appear to want others to use and benefit
    from their experience
  • Goes along with the ethic of sharing
    information
  • Allows people with limited technical knowledge to
    do lots of damage since there are lots of them

35
Script Kiddies
  • Script kiddie is a wannabe hacker
  • Scans Internet for compromised systems using
    freely available tools
  • At the bottom of the pile in the hacking world
  • Can still do an incredible amount of damage
  • Especially to unprotected wireless networks

36
Motivation
  • Ego gratification
  • Both Elite hackers and script kiddies
  • Profit
  • Earn lots of money hacking these days
  • Spamming, selling credit cards on black market,
    botnets
  • Corporate espionage or nation-state level of
    hacking
  • Political Agenda
  • Hacktivism is growing as an attention getter

37
Motivation
  • Revenge
  • Grudge against a company
  • Set off a time bomb - electronically
  • Steal secrets and sell them to competitor
  • For fun
  • Just want to see if they can do it

38
BEFORE AFTER (your results may vary)
39
What hackers do to you
  • Basically 4 things with lots of variations
  • 1. Connect to your computer without your being
    aware
  • Vandalize machine
  • Steal data, Use your bandwidth
  • 2. Don't connect to your computer
  • Sniff traffic
  • Obtain passwords, credit card data, other useful
    information

40
What hackers do to you
  • 3. Hijack machine
  • Put Trojan Horse on it
  • Trojan is a program that seems to do what it's
    supposed to but has a hidden task also
  • Typically a backdoor but can have other purposes
  • 4. Denial of Service (DoS)
  • Prevent you from using machine

41
Phases of Attacks
  • In general, many attacks are not spontaneous
  • Attackers go through phases to compromise a
    system
  • Phases of attacks
  • Reconnaissance
  • Scanning
  • Gaining access with Attacks

42
Three Phases in an Attack
  • 1. Reconnaissance
  • Scope out the place, gain initial information on
    victims, and network discovery
  • 2. Scanning
  • Build a detailed map of the network and services
    and vulnerabilities
  • Open ports
  • 3. Attack
  • The actual offensive action; method depends on
    what the goal of the attack is

43
Reconnaissance
  • Purpose for Wireless
  • Scope out networks and potential victims
  • Find wireless networks, see if security is
    enabled, and how strong
  • Discover as much information about them as
    possible
  • Many ways to do this ...

44
Reconnaissance
  • Information discovery
  • Tools
  • Netstumbler, Kismet, Wellenreiter, Wififofum,
    Cain
  • People
  • Techniques
  • Rogue APs
  • Open/misconfigured APs
  • Ad Hoc Stations
  • Ask for information

45
Reconnaissance
  • Social Engineering
  • Surprising number of employees give away
    sensitive information
  • Most successful are calls to employees
  • Call the help desk as a new employee for help
    with a particular task
  • Angry manager calls a lower level employee
    because his password has suddenly stopped working
  • System administrator calls employee to fix her
    account on the system which requires using her
    password

46
Reconnaissance
  • Defense against Social Engineering
  • User awareness
  • Must be trained to not give out sensitive
    information
  • Security awareness program should inform
    employees about social engineering attacks
  • No reason why a system administrator ever needs
    you to give him/her your password
  • Help desk should have a way to verify the
    identity of any user requesting help
  • Hackers at Defcon wear shirts
  • No defense against stupidity

47
Reconnaissance
  • Specific to Wireless Networks
  • Physical Reconnaissance
  • In addition to techniques for wired networks
    wireless networks involve physical aspect
  • Can see antennas and wireless APs
  • Antennas: walls, ceilings, hallways, roofs
  • Access points: ceilings, walls, support beams,
    shelves
  • Devices: printers/PDAs in reception areas,
    offices, on desks

48
Reconnaissance
  • Techniques
  • Attackers use lots of different tools and
    techniques for gathering information
  • War driving for WLANs, war dialing for modems
  • Note
  • Defenders need to defend all paths into the
    network
  • Attackers need to find just one open path
  • Attackers have all the time in the world

49
War Driving
  • War Driving
  • Invented by Peter Shipley in 2001 when he drove
    around Silicon Valley and found hundreds of
    access points
  • Mapped them out to show how vulnerable WLANs are
    to snooping

50
San Francisco Wi-Fis
51
War Driving
  • Active Scanning
  • Broadcast 802.11 probe packets with SSID of "any"
    to check for access points in range
  • Like going outside and shouting, Who's there?
  • Netstumbler is a free tool for doing active
    scanning
  • www.netstumbler.com
  • Most popular tool for active scanning WLANs
  • Runs under Windows
  • Supports ORiNOCO, Dell TrueMobile 1150, Toshiba
    802.11b wireless card, Compaq WL110 plus several
    others

52
War Driving
  • What does Netstumbler do?
  • Gathers MAC address, SSID, Wireless Channel and
    relative signal strength of each access point
  • Also if security is turned on, WEP
  • Coordinates with a GPS system
  • Example: New York City
  • Netstumbler
  • ORiNOCO antenna, Laptop, taxi cab in NY City
  • One hour found 455 access points

53
From www.wigle.net
The island of Manhattan, one of the densest
points of observed networks in the WiGLE world.
54
Wigle.net Wireless DB
  • Wireless Geographic Logging Engine: making maps
    of wireless networks since 2001
  • Database 6 years old
  • 12,389,316 points from 765,231,060 unique
    observations
  • Many known open or weak Access Points
  • Fully available on the web
  • Search by SSID, MAC address, longitude/latitude,
    physical address

55
War Driving
  • Netstumbler
  • After installation, important to turn off TCP/IP
    in Windows
  • If not, then, when you wardrive and get within
    range of network, your computer will try to
    connect to the network
  • The netstumbler site has interesting features
  • www.netstumbler.com
  • Database of all access points reported by other
    war drivers: maps.netstumbler.com
  • You must register, and then you can query the DB
    for your NIC's MAC address
  • You can upload your capture log to their DB
  • Also, this link has several maps you can browse
  • http://wiki.personaltelco.net/index.cgi/WarDriving

56
Netstumbler Window
Default SSIDs
57
War Driving
  • Defense Against Active Scanning
  • Configure access points to ignore probes with
    SSID "any"
  • Can configure access points to suppress the SSID
    in the beacon, so SSID broadcast is disabled
  • Passive Scanning
  • Stealthier way of discovering WLANs
  • Puts wireless card into rfmon (monitor) mode
  • Sniffs all wireless traffic from the air

58
War Driving
  • Passive Scanning
  • Kismet by Mike Kershaw
  • More for detailed packet capture and analysis
  • www.kismetwireless.net
  • Wellenreiter - by Max Moser
  • Optimized for war-driving
  • www.remoteexploit.org
  • Runs on Linux and supports prism2, lucent, and
    cisco wireless card types

59
War Driving
  • Wellenreiter Tool
  • Listens for ARP or DHCP traffic to determine the
    MAC and IP addresses of each wireless device
  • Passive mode
  • Doesn't send probe packets
  • Every 100 ms access points send beacons to
    synchronize timing and frequency information

60
War Driving
  • Drawback of Wellenreiter
  • If access point configured to omit its SSID from
    its beacons and no other users are sending
    traffic to the access point, won't be able to
    determine SSID
  • Will know it's there, not its name
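The Python block below is an added example, not code from the lecture or from Netstumbler, Kismet or Wellenreiter. It decodes from an 802.11 beacon exactly the fields slide 52 says a scanner gathers (BSSID, SSID, channel, whether the privacy/WEP bit is set, and the roughly 100 ms beacon interval from slide 59), shows why an SSID is readable even with WEP on (slide 21) and how a beacon with the SSID suppressed (slide 57) still reveals the AP but not its name (slide 60), and then uses the parsed data the way a defender would: comparing every BSSID heard against an inventory of authorised access points to spot a rogue AP (slide 11). All beacon frames are constructed in memory by the `build_beacon` helper; the BSSIDs, names and inventory are made-up sample values.

```python
import struct
from typing import Dict, List, Optional

# Added example (not part of the lecture): decode the scanner-visible fields
# of an 802.11 beacon and audit what was heard against an AP inventory. The
# frames are constructed test data; nothing is captured or transmitted.

PRIVACY_BIT = 0x0010        # capability-info bit 4: WEP/encryption required
IE_SSID, IE_DS_PARAMS = 0, 3  # information-element tags: SSID, DS (channel)


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool,
                 interval_tu: int = 100) -> bytes:
    """Assemble a minimal beacon (constructed test data, no radiotap header).
    An empty `ssid` models an AP configured to suppress its SSID."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    # Frame control 0x0080 = management type, beacon subtype; DA is broadcast.
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, mac, mac, 0)
    cap = (PRIVACY_BIT if privacy else 0) | 0x0001      # ESS bit always set
    fixed = struct.pack("<QHH", 0, interval_tu, cap)    # timestamp, interval, caps
    ssid_bytes = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> Optional[dict]:
    """Return the fields a war-driving tool reports, or None if not a beacon."""
    if len(frame) < 36:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != 0x0080:            # type 0 (mgmt), subtype 8 (beacon)
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Addr3 of the header
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": bssid, "ssid": None, "channel": None,
        "privacy": bool(cap & PRIVACY_BIT),      # WEP/encryption flag, sent in clear
        "beacon_interval_ms": interval_tu * 1.024,  # TU = 1024 microseconds
    }
    pos = 36                                      # first information element
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if tag == IE_SSID:
            # SSID travels in the clear even when privacy is on. A zero-length
            # or all-NUL SSID is a "hidden" network: the AP is visible but its
            # name is not, which is the Wellenreiter drawback on slide 60.
            info["ssid"] = value.decode(errors="replace") if value.strip(b"\x00") else None
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def audit(frames: List[bytes], authorised: Dict[str, str]) -> List[str]:
    """Defender's use of the same data: flag BSSIDs missing from the inventory
    (possible rogue APs) and authorised APs beaconing with encryption off."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b is None:
            continue
        if b["bssid"] not in authorised:
            name = b["ssid"] or "<hidden>"
            findings.append(f"rogue? {b['bssid']} ssid={name} ch={b['channel']}")
        elif not b["privacy"]:
            findings.append(f"open: authorised AP {b['bssid']} has encryption off")
    return findings


# Constructed sample beacons and inventory (made-up addresses and names).
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "corp-net", 6, True),
    build_beacon("00:11:22:33:44:66", "", 11, True),          # SSID suppressed
    build_beacon("de:ad:be:ef:00:01", "linksys", 6, False),   # default name, open
]
AUTHORISED = {"00:11:22:33:44:55": "corp-net", "00:11:22:33:44:66": "corp-net"}

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_beacon(f))
    for finding in audit(SAMPLE_FRAMES, AUTHORISED):
        print(finding)
```

The audit only reports the third AP: it is not in the inventory and still carries a default SSID with encryption off. The hidden-SSID AP is recognised by its BSSID, which is the point of keeping an inventory keyed on BSSID rather than on names: suppressing the SSID hides the name from a passive listener but not the access point itself.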

61
Summary
  • Wi-Fi networks, 802.11 Standard
  • Many built-in vulnerabilities
  • Problems from people related vulnerabilities too
  • Lots of Attackers out there
  • Incentives for them: glory, money, fun ...
  • Phases of attack
  • Reconnaissance, Scanning, Attack
  • War driving Reconnaissance
  • Highly successful

62
Finish
  • Next time: More on Attacks and Tools
  • Read articles on Course Notes page