Combatting Wireless Security Threats
Security - General
Written by Chris Peters
Sunday, 21 December 2008 20:00
How do you let the good guys in while keeping the bad guys out?
A lack of physical security combined with diabolical social engineering practices presents an ongoing challenge to network security personnel. Even if your company doesn't have a wireless network, it's a pretty sure bet that some of the laptops in your organization have built-in wireless capability. That means a wireless laptop can act as a bridge, giving access to your internal network to anyone with an antenna, the right software, and the will to hack into your world.
Security for the Wireless
When wireless communication was just starting out, the folks who were developing the 802.11 standard for wireless recognized that some form of security layer was necessary. A goal was established to make wireless communication as secure as wired. Wired Equivalent Privacy (WEP) was the result, but it had limited success. Given a little time, it turned out that the WEP standard has serious shortcomings, both in providing secure communication and in the normal authorized interaction between a mobile device and its access point (AP). To the rescue came the 802.11i specification, which included a newer security standard called Wi-Fi Protected Access (WPA). WPA was intended to take the place of WEP and yet, years later, WEP is still the de facto standard for wireless configurations--so much so that when a wireless router is configured, the default encryption setting is usually WEP, not the more secure WPA.
Wireless interaction can be unsecured under an open system administration (OSA) link, which has no security measures in place (like the access offered at an airport or in an ad hoc session), or secured with "shared-key authentication." In a secure wireless network, a mobile device is authenticated by sending a secret key to the access point. There is, however, no provision for authenticating the AP. That is, the laptop or PDA has no way to verify that the host it is communicating with is authentic.
Even with WPA encryption in place, data transmitted through the air is easily hacked, snatched, grabbed, and decrypted. Fifteen minutes and a little research will render even a newbie hacker enough knowledge and tools to sniff out and decrypt airborne packets.
A "hot spot" is a place where wireless signals may be received, such as the airport, a local coffee shop, or sometimes, a whole district of a city. The networks may be secured or unsecured (even graciously open to public use just as a courtesy). "Wardriving" is the practice of driving, biking, or walking around a city with a laptop or PDA and mapping the hot spots. Wardriving may be casual, where hotspot locations are detected and shared among friends, or more organized, where special software is used by a large number of participants to map large areas within a city and post the hotspot information to a hosted database.
Wardriving is not, in itself, malicious. You can try it yourself. Just take your wireless laptop and drive down a city street, displaying the available networks as you go. Chances are you'll be able to detect the presence of a handful of networks--some public, some more or less private.
For fun, you might try stopping in front of a motel that advertises "Free Internet" and signing on to their network. For even more fun, drive to a city's financial district--you know, banks, insurance companies, big buildings with lots of suits--and park nearby. See if you can get into an unsecured network there.
You may even notice that among the detected networks are some designated as "ad hoc." These are wireless-enabled computers that are transmitting a direct peer-to-peer signal, without the benefit of access-point security. Ad hoc participants transmit in the open.
If you can get into a network, try to "sniff" the wireless network traffic using one of the network protocol analyzers like Wireshark or NetStumbler. Whoa! Wait a minute! Sniffing someone's wireless network? In a financial district? That's not right. But that's how easy it is. True, in such a neighborhood, an unsecured network will be a supplement to the institution's secured network, and you're not likely to intercept any sensitive information, but it points out the problems with wireless systems. And all this without the benefit of any of the not-so-benevolent wireless hacking tools readily available.
Even when access-point security is in place, many network administrators will not go to the effort to change their hardware from the manufacturer's default settings when it's installed. This leaves an obvious security hole where a savvy hacker can get past a secured system.
Piggybacking is the unauthorized use of an unsecured network, like your next door neighbor's Internet connection. It's also a source of interesting arguments for and against the legal and ethical aspects of wireless technology. Those who see nothing wrong with piggybacking feel that when the neighbors send radio signals into one's home or business uninvited, those signals are like fruit from the neighbor's tree that falls into their yard: they have a right to use them. Those who disagree feel that piggybacking is stealing bandwidth from someone who has rightfully paid for it.
Legally, there hasn't been much definitive action. California passed a law requiring manufacturers of wireless equipment to attach a sticker that warns users to establish security settings.
Further, in most secured wireless environments, the mobile devices are not individually identified. That is, they all share the same access code and can only be authenticated as members of a group. An unauthorized device that has gotten into the network through a stolen access code would be difficult to identify, and a change of the access code would be difficult to deploy.
Most experienced network administrators will tell you that the greatest system security exposure is posed by the people who use the system. As it often turns out, it's easier to get someone to give you a password than it is to hack it out. In a classic example, a sign-on display screen is counterfeited. The screen looks exactly like the real thing because it was produced from a screen capture of the real thing, but behind the phony screen lurks a program that will capture a user ID and password and transmit them to some obscure Web site. The program then displays a "failed sign-on" message (causing the users to think they've committed a typing error) and ends. The authentic sign-on screen is then allowed to display, and the user signs on as usual. That user has just been hacked and doesn't suspect a thing. Of course, that sort of attack would require some opportunity to install the counterfeit program on the user's machine, but that's pretty easy to do as well through a Trojan horse type of virus or worm where, again, the user is deceived into cooperating.
In another example that involves no computers, networks, or hacking tools, an evil-doer who knows, or can figure out, a valid user ID (a user ID based on the user's name is especially susceptible) calls the company help desk with some sort of bleeding-heart story:
"Hello. This is [insert salesperson's name]. I'm on the road at a customer site and have to give a demo of our products in five minutes, but for some reason my password is not working! I guess I should have changed it before it expired. Can you please reset it for me?"
The person working the help desk has a heart and actually feels he/she is acting in the best interest of the company and complies with the request. The password is reset to a company default--something like tempuser--and the hacker is in. Sweet.
A wired network that is considered to be physically secure may also be compromised by wireless technology--again, at the hand of a person. This is especially dangerous because a security measure that is deemed strong is, by virtue of that very assumption, scrutinized less and so does more damage once it has been breached. For example, a well-meaning employee in one of those financial institutions installs a wireless access point (a box with an antenna for transmitting and receiving wireless signals) on the network for the innocent purpose of making work life more convenient (laptops in the boardroom, working lunches, that sort of thing). Now the wired network is on the air without a strong authentication system in place. This security leak could go undetected unless the company performs a periodic walk-through using a network detection device.
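The walk-through described above, together with the ad hoc peers, factory-default settings and WEP networks discussed earlier, can be turned into a repeatable audit. The following is an added example, not code from the article: it parses constructed scanner output (a hypothetical `SSID|BSSID|mode|security` format) and flags each network against a hypothetical inventory of the access points the organization actually owns.

```python
"""Wireless walk-through audit: added example, not the article's own code.
Flags the conditions the article warns about in constructed scanner output."""
from dataclasses import dataclass
# Constructed sample scan, one network per line: SSID|BSSID|mode|security
SAMPLE_SCAN = """\
CorpNet|00:11:22:33:44:01|infrastructure|WPA2
CorpNet|00:11:22:33:44:99|infrastructure|WPA2
linksys|00:11:22:33:44:02|infrastructure|WEP
BoardroomAP|00:11:22:33:44:03|infrastructure|none
laptop-jsmith|00:11:22:33:44:04|ad-hoc|none
"""
# Hypothetical inventory of owned BSSIDs/SSIDs, plus factory-default SSIDs
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01"}
CORPORATE_SSIDS = {"CorpNet"}
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    mode: str
    security: str

def parse_scan(text: str) -> list[Network]:
    """Turn the '|'-separated scanner output into Network records."""
    nets = []
    for line in text.splitlines():
        if line.strip():
            ssid, bssid, mode, sec = (f.strip() for f in line.split("|"))
            nets.append(Network(ssid, bssid.lower(), mode.lower(), sec.upper()))
    return nets

def audit(nets: list[Network], authorized=AUTHORIZED_BSSIDS) -> dict[str, list[str]]:
    """Map each BSSID to the findings raised against it (empty dict = clean)."""
    findings: dict[str, list[str]] = {}
    for n in nets:
        f = []
        if n.mode == "ad-hoc":
            f.append("AD_HOC")        # peer-to-peer, no access point at all
        if n.security in ("NONE", "OPEN"):
            f.append("OPEN")          # traffic goes out unencrypted
        elif n.security == "WEP":
            f.append("WEP")           # broken cipher; should be WPA/WPA2
        if n.ssid.lower() in DEFAULT_SSIDS:
            f.append("DEFAULT_SSID")  # factory settings were never changed
        if n.ssid in CORPORATE_SSIDS and n.bssid not in authorized:
            f.append("ROGUE")         # corporate name on unknown hardware
        if f:
            findings[n.bssid] = f
    return findings
```

Running `audit(parse_scan(SAMPLE_SCAN))` reports the second "CorpNet" radio as ROGUE, the "linksys" router as WEP with a default SSID, the boardroom AP as OPEN, and the laptop as an open ad hoc peer, while the inventoried AP raises nothing.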
What to Do About Wireless Security
By definition, a wireless network has no physical security. As such, most measures of restricting access to data by locking the door do not exist. With that in mind, what is the overall solution to the wireless security challenge? The IEEE has a new, more capable encryption standard in place called the Advanced Encryption Standard (AES). AES is already in place in other communication applications and is a promising security strategy for wireless, but it's said to require too much from current 802.11 hardware. For the time being, then, the responsibility for wireless security falls on the network administrators.
Hardware, including wireless routers, is expected to be plug-and-play-capable and to work right out of the box, without any custom configuration. Your strongest measure to secure your wireless network is to modify the default settings.
When setting up your wireless network, attach a single PC through a physical wired port. Point your browser to the router's IP address (usually 192.168.0.1 or 192.168.1.1) and change the default settings:
Some Security Information Resources
Until the problems that attend wireless security are resolved, your best defense against intrusion may be vigilance. Here are some noteworthy Web sites dedicated to wireless security that will keep you apprised of current status and developments (my thanks to Dr. Carol Taylor of Eastern Washington University):
Last Updated on Friday, 19 December 2008 06:02