
War of the Airwaves

War of the Airwaves. Next Generation Wireless Hacking and Defenses. May 2007. Richard Rushing Chief Security Officer. Wireless LAN Glossary & Standards. 2. Drivers Increased business dependency on Wireless Increasing user base At home and Hotspot use


Presentation Transcript


  1. War of the Airwaves: Next Generation Wireless Hacking and Defenses. May 2007. Richard Rushing, Chief Security Officer.

  2. Wireless LAN Glossary & Standards

  3. What is Driving Evolution of Wireless Security? Drivers: • Increased business dependency on wireless • Increasing user base • At home and hotspot use • Evolving standards and newer technologies • VoIP • One simple issue can expose the whole corporate network. Security issues: • Recreational hacker -> activist -> organized crime -> industrial espionage • Greater proliferation of viruses • Increased tooling to exploit vulnerabilities • Internal vs. external threats • Malicious intent vs. accidental. Secure Wireless & Policy Compliance are keys to Successful Deployment.

  4. Wired Network Security Architecture. [Diagram labels: Attackers; Secure Enterprise Perimeter; Server; Internet; Intranet; Virus & Malware; Desktop; Inside Threat; Data Theft]

  5. Wireless Changes the Security Paradigm. Five numbered threats: • Hotspot Phishing • Leaked Wired Traffic & Insertion • Non-Compliant AP • Users Bypassing Network Security Controls • Rogue AP Connected to Network. [Diagram labels: Evil Twin; Hotspot; Hacker; Server; Mobile User; AP; Internet; Intranet; Laptop; Desktop; Muni Wi-Fi]

  6. RF Signal Propagates far outside Buildings. Signal emitted from a single AP located in downtown Lawrence, Kansas. Source: Wireless Network Visualization Project – a collaborative effort between University of Kansas' Information & Telecommunications Technology Center & Kansas Applied Remote Sensing Program

  7. Who cares about the APs in my corporation? Is Your Organization a Hot Spot? • It could be your network! • Many known open or weak Access Points are available on the Web • Database is over 4 years old, has even the Oldest/Pilot Networks • http://wigle.net • Wireless Geographic Logging Engine • Search for APs by • SSID • Physical Address • MAC address • Longitude/latitude • Remember to remove corporate names from your SSIDs. ~10,490,000 APs listed; ~400,000,000 Observations

  8. Wireless Intrusions are Happening. A North Carolina Medical Consulting Firm: Broke into the computer system of a local medical consulting firm & illegally accessed information of hundreds of patients, including checks and insurance forms. Wireless hacking bust in Michigan: • Two Michigan men repeatedly cracked Lowe’s nationwide network from a 1995 Pontiac Grand Prix parked outside a suburban Detroit store. • Charged with penetrating and intentionally damaging a Lowe’s system. • First hopped onto the Wi-Fi network at the store to access the company’s central data center at Lowe’s headquarters. • Deployed hacking software, in one case crashing the point of sale terminals. LONDON, England -- "Evil twins" are the latest menace to threaten the security of Internet users, experts in the UK are warning. An "evil twin" is a bogus base station that latches on to someone using new "Wi-Fi" wireless technology. Victims think their laptops or mobile phones are connected to bona fide wireless internet connections. Security causes electronics giant register ban: Best Buy banned the use of wireless cash registers at its 492 stores after learning a hacker may have intercepted a customer’s credit card number. A Texas County Court: Hackers accessed information filed by the clerk of courts by using only a laptop & wireless card. Minneapolis News Station. A Wholesale club. A California Public School District. Unprotected WLAN allowed full unauthorized access to sensitive files & enabled hackers to upload their own files into servers. Hacked via wireless network at a store location, credit card data was stolen AND used to the tune of $20M. The lax security found by the FTC to be an “unfair trade practice”; now under 9 years of probation and have to institute security measures and hire 3rd party auditor. http://www.airdefense.net/education/video/ Home Improvement Store. Electronics Retailer. Major Wholesale Store.

  9. Case Study: Real World Wireless Attacks • 1.4 million credit/debit cards stolen • 96,385 checking accounts compromised • Faces 20 years of FTC audits • One of the FTC charges: “Failed to use readily available security measures to limit access to computer networks through wireless access points on the networks”

  10. Increasing Sophistication of Attacks. [Chart: Attack Sophistication (Low to High) and Knowledge Required by Intruder, 2002 to 2007. Tools labelled: MADWi-Fi, SMBrelay, HostAP, Karma, airbase, void11, ASLEAP, file2air, AirCrack, CoWPAtty, Lorcon, Wigle.net] Wireless LAN Security Stories: • Wireless hacking bust in Michigan when two men cracked a retail store’s nationwide network; at one point crashed the point of sale terminals • Security lapses caused electronics retailer to ban wireless cash registers • A person broke into the computer system of a North Carolina medical consulting firm & illegally accessed information of hundreds of patients, including checks and insurance forms • A wholesale club was hacked & credit card data stolen & used up to the tune of ~$20M • War drivers broke into a retail giant’s network & over 4 month period, stole credit info of more than 1 million customers • At a California public school district, unprotected WLAN allowed full unauthorized access to sensitive files & enabled hackers to upload their own files into servers. Wireless LAN Security Videos: Denver News, ABC News, CNN, Fox News, Minneapolis News. http://www.airdefense.net/education/video/

  11. Expert Opinions. "AirDefense named Market Leader in Overlay WIDS Market." (Frost and Sullivan) "AirDefense Enterprise has all the class and sophistication that any Fortune 500 company could ever hope for from a WIDPS." (Network Computing) "Perform wireless intrusion detection to discover rogue access points, foreign devices connecting to corporate access points and accidental association to nearby access points in use by other companies." (Gartner) "All DoD wired and wireless networks should deploy 24x7 wireless monitoring and intrusion detection systems that are NIAP Common Criteria certified." (Department of Defense) "By monitoring wireless device traffic, AirDefense can isolate, prevent, or mitigate network intrusions and subsequent downtime." (InfoWorld) "Unsecured WLANs can jeopardize entire enterprise network, data and operations." (Forrester)

  12. Data Seepage • Your Notebook is not location aware • Office • Home • Hotspot • Want to Always Connect to Something • All the data is the same • Company Name • Servers • Clients • Applications • And More... [Diagram labels: Office; Home; Hotspot; "What am I connected to?"]

  13. What in the Air can Kill You? • Multicast / Broadcast Key? • #1 Corporate Vulnerability • Even if the data is encrypted, the services that are run by the MAC address can be detected • Remember wireless is LAYER 2; it will send out all Layer 2 traffic • VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP • VLANs don’t help unless filtered • Broadcast/Multicast key rotation is OFF by Default • Client devices using static WEP cannot use the access point when you enable broadcast key rotation. It’s a two-way street, what goes out can also come in!

  14. Station Impersonation and Identity Theft. Third Party Tools: SMAC. Native Windows Tools: REGEDIT, Advanced Properties. SMAC is a MAC Address Modifying Utility for Windows 2000, XP, and Server 2003 systems, regardless of whether the manufacturers allow this option or not. www.klcconsulting.net/smac

  15. Attacking Authentication • 802.1x was never designed for Wireless • 802.1x is vulnerable to session-hijacking and MITM by default • EAP type is important • 802.1x is a stack of dominos • Denial of Service could cripple an enterprise • Taking out the RADIUS or Authentication Server • YOU NEVER AUTHENTICATE THE AP • No Key, No Cert, just BLIND Trust

  16. Hacking Password Hashes • Get virtually any password • Offline & passive • LEAP, PPTP, MS-CHAPv2, MD-5 • Search hash list to find password • Large password list to generate hashes • Requires 3-5 GB of space • Rainbow tables are indexed hash lists • Required 2-3 TB of space • Known tables exist for up to 14 characters • http://rainbowtables.shmoo.com/ • http://www.antsight.com/zsl/rainbowcrack/ • http://www.rainbowcrack-online.com/

  17. VPNs over Wireless are Vulnerable • Break weak encryption & authentication • Re-authentication on weak ciphers • Dictionary attacks on weak ciphers • Protocol & server flaws exposed • IKE Aggressive mode • Pre-shared keys • Exploiting bugs in VPN server (Bugtraq, IKE-crack) • Always use strong encryption & mutual authentication • Preferably using digital certificates • Use dynamic keying that can be changed rapidly

  18. Listening in on VoIP Conversations • Cain & Abel • Decode SIP conversations • Recorded as WAV files • Caller ID intercepting

  19. Exploiting is too Easy! Vx.netlux.org MVBSWE Worm Editors Virus Editors Script Editors Do you Trust your Hotspot Web Page?

  20. AirDefense Protects Wireless Networks. Five numbered protections: • Prevents Hotspot Phishing • Stops Leaked Wired Traffic & Insertion • Monitors for Non-Compliant APs • Protects Users • Identifies & Terminates Rogue APs. [Diagram labels: Evil Twin; Hotspot; Hacker; Server; Mobile User; AP; Internet; Intranet; Laptop; Desktop; Muni Wi-Fi]

  21. AirDefense Highlights. Market Leadership: • #1 Wireless Security Platform • Deployed in 30 countries across 5 continents • Partnered with IBM, Motorola/Symbol, Nortel, CSC, BT, Symantec, Trapeze, Enterasys etc. Technology Innovation: • Pioneered Wireless IDS/IPS market • 24 Patents pending/granted • Common Criteria (EAL-2) certified. Enterprise Customers: • Over 700 enterprise customers • Deployed in healthcare, retail, federal, transportation, telecom etc. verticals • Securing over 1 million devices worldwide. Industry Recognition.

  22. AirDefense is the Market Leader. “AirDefense has been a pioneer in the WIDPS market, and has been able to gain and maintain its market leadership position because of its dedication to technological excellence, its well considered growth strategies and its significant business partnerships. These factors make AirDefense the deserving recipient of the 2007 Frost & Sullivan Award for Market Leadership in the global WIDS market.” Source: World Wireless Intrusion Detection and Prevention Systems Markets, Frost & Sullivan, Dec-2006 http://www.frost.com/prod/servlet/report-toc.pag?repid=FA03-01-00-00-00

  23. The AirDefense Product Family. [Diagram labels: The AirDefense Enterprise Solution; Tools for Administrators; Analyze: Real-time snapshot of local wireless activity; AirDefense Server; Protect Enterprise Perimeter; Protect Mobile User; AirDefense Sensor; Headquarters; Plan & Validate: Accurate RF simulation tool for coverage analysis, In-field measurements of wireless deployments; AirDefense Personal Agent; Remote Offices; Mobile Users]

  24. Functionality Requirements of a Wireless IPS: (1) Eliminate Rogues Connected To The Network; (2) Vulnerability Assessment; (3) Comprehensive Intrusion Detection; (4) Automated Protection; (5) Comply with Enterprise & Regulatory Policies; (6) Troubleshoot Wireless Network Performance; (7) Investigate Incidents with Forensic Data; (8) Enterprise-Class Scalability with Lowest TCO

  25. Eliminate Rogues Connected To The Network. (1) Detect Rogue Devices: • APs, laptops & specialty devices • Ad-hoc networks & accidental associations • Search wired networks for rogues. (2) Assess Threat Level: • Prioritize based on threat level • Identify rogues connected to the network • Ignore neighboring networks. (4) Eliminate Rogue Threat and (3) Analyze Connections: • Automated & manual termination • Wireless or wired termination • Stop devices even when they roam • Locate rogue devices in real-time • In-depth analysis of rogue activity • Who was connected to the rogue • How much data transmitted

  26. Automated Protection. Wireless Termination: • Terminates target device only – minimal disruption to rest of network • Automated or on-command disconnect • Authorization required, audit trail maintained • Compliant with applicable laws & FCC regulations. Wired-side Port Shutdown: • Port look-up and suppression • On-command shutdown. [Diagram labels: AirDefense Server; AirDefense Sensor; Neighboring AP; Switch; Laptop. Status messages: "ALERT! Rogue AP on Network", "PORT SUPPRESSED! Rogue AP on Network", "ALERT! Accidental Association", "TERMINATED! Accidental Association"]

  27. Comply with Enterprise & Regulatory Policies. Define > Monitor > Enforce • Define corporate & regulatory policies • Monitor to ensure devices operate properly • Enforce policies on non-compliant devices • Run compliance reports for: • Federal Govt. (DoD 8100.2) • Financial (GLBA) • Retail (PCI) • Healthcare (HIPAA) • Corporate (Sarbanes Oxley). [Diagram labels: Define Policy; Define; Monitor; Enforce; Comply; Report on Compliance]

  28. Investigate Incidents with Forensic Data. One-Click Investigation: • How serious was the attack? • Which entry point was used? • When did the breach occur? • How long was the exposure? • What transfers occurred? Store Critical Data: • 300 statistics per device per minute • Device connectivity logs • Signal strength measurements • Data transfer by type & direction. [Screenshot labels: Device Information; Device Forensics]

  29. Summary • Security risks are significant due to shared broadcast media • Every organization has WLANs (rogue and/or sanctioned) • Check out wigle.net • Probing laptops are serious & often ignored • Employee use of wireless at home is pervasive • WLAN Policy Enforcement is required • Define > Monitor > Enforce • When deploying a WLAN, use layered security approach • Encryption > Authentication > 24 X 7 RF Monitoring • Have Control over your Air Domain • Assets > Relationships > Behavior
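
An added example, not part of the original deck, of the audit that slide 13 implies: check which access points are bridging wired Layer 2 control traffic (Spanning Tree, CDP/VTP, HSRP, VRRP, OSPF) onto the air, so that it can be filtered at the AP or switch port. The destination MACs are the standard multicast addresses for those protocols; the observation list is constructed sample data and `find_l2_leaks` is a hypothetical helper name.

```python
# Added example: flag wired-side Layer 2 control traffic observed on the wireless side.
import re
from collections import defaultdict

# Standard destination MACs for the protocols listed on slide 13.
L2_PROTOCOL_DST = {
    "01:80:c2:00:00:00": "Spanning Tree (IEEE BPDU)",
    "01:00:0c:cc:cc:cd": "Spanning Tree (Cisco PVST+)",
    "01:00:0c:cc:cc:cc": "CDP/VTP",
    "01:00:5e:00:00:02": "All-routers 224.0.0.2 (HSRP v1 hellos)",
    "01:00:5e:00:00:66": "HSRP v2 (224.0.0.102)",
    "01:00:5e:00:00:12": "VRRP (224.0.0.18)",
    "01:00:5e:00:00:05": "OSPF AllSPFRouters (224.0.0.5)",
    "01:00:5e:00:00:06": "OSPF AllDRouters (224.0.0.6)",
}

def normalize_mac(mac):
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_l2_leaks(observations):
    """Map each BSSID to the sorted list of infrastructure protocols it forwards."""
    leaks = defaultdict(set)
    for bssid, dst in observations:
        proto = L2_PROTOCOL_DST.get(normalize_mac(dst))
        if proto:
            leaks[normalize_mac(bssid)].add(proto)
    return {bssid: sorted(protos) for bssid, protos in leaks.items()}

# Constructed sample: (BSSID, destination MAC) pairs as a wireless sensor might log them.
SAMPLE = [
    ("00:11:22:33:44:55", "01:80:C2:00:00:00"),  # STP BPDU
    ("00:11:22:33:44:55", "0100.0ccc.cccc"),     # CDP/VTP, Cisco dotted notation
    ("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),  # plain broadcast, not flagged
    ("00-11-22-33-44-66", "01:00:5e:00:00:12"),  # VRRP advertisement
    ("00:11:22:33:44:77", "00:aa:bb:cc:dd:ee"),  # ordinary unicast
]

if __name__ == "__main__":
    for bssid, protos in sorted(find_l2_leaks(SAMPLE).items()):
        print(f"{bssid}: forwarding {', '.join(protos)}; filter at the AP or switch port")
```

CDP and VTP share one destination address and are told apart only by the SNAP protocol ID, so the example reports them together.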
