Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
Computer Security Lab, Juseung Yun

Presentation Transcript


  1. Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
  Computer Security Lab, Juseung Yun

  2. Paper Information
  • Title: Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
  • Authors: P. Akritidis, W. Y. Chin, V. T. Lam, S. Sidiroglou, K. G. Anagnostakis
  • Published: USENIX Security Symposium, 2007

  3. Goals
  • Quantify the threat from large-scale distributed attacks on wireless networks
  • Focus on three attacks
  Hanyang Univ. Computer Security Lab.

  4. Introduction
  • Attackers are evolving: they explore creative ways to exploit systems and target new technologies and services as they emerge
  • Any technology or service reaching critical mass draws their attention
  • Some of the largest security lapses are due to designers being unaware of the threat landscape
  • Wireless networking will soon reach critical mass

  5. Introduction
  • The paper studies three possible threats
  • Countermeasures are not deployed even though the mechanisms are either available or easy to implement: the threats are underestimated

  6. Wildfire Worms – Introduction
  • Cabir (2004): a worm that spread between Symbian OS phones over Bluetooth
  • Focus here is on worms that could propagate over 802.11 networks
  • Main concern: the large number of laptops with 802.11 interfaces

  7. Wildfire Worms – Propagation
  • Probe for victims in the neighbourhood
  • Gather a list of usable access points
  • Hosts located at the intersections of AP coverage areas carry the worm from one wireless hotspot to the next

  8. Wildfire Worms – Mobility
  • Wireless population: laptops, PDAs, smart phones
  • Mobility compensates for sparse connectivity and helps the worm propagate into otherwise secured networks

  9. Wildfire Worms – Open vs Protected Access Points
  • Open access points: any worm can propagate
  • WEP encrypted: practical attacks have already been implemented
  • WPA (Wi-Fi Protected Access): a weak passphrase is susceptible to brute-force attacks
  • Since any type of Wi-Fi network can be compromised, worms will most likely carry cracking tools as an additional payload

  10. Wildfire Worms – Infection Process
  • Push method: probe the victim for an exploitable service and inject code
  • Pull method: man-in-the-middle attack; listen for the victim's requests on the air, impersonate the web server and respond with pages that include exploits
  • The broadcast nature of wireless networks makes the pull method attractive for attackers

  11. Wildfire Worms – Proof-of-concept Implementation
  • The authors created a wildfire worm for both Windows XP and Vista using the WLAN API already available in the OS
  • The worm was able to associate with an AP, scan the local subnet for vulnerable machines and inject code (push method)
  • It exploited a vulnerability in the Apache web server 1.22

  12. Wildfire Worms – Analysis
  • Wi-Fi worms require a widespread vulnerability; do such vulnerabilities exist?
  • Data taken from NVD and SecurityFocus for Windows XP SP2 between 8/2004 and 1/2007
  • Vulnerabilities classified as push-"friendly" (remotely exploitable service) or pull-"friendly" (client-side)
  • Vulnerability window: the time during which an exploit was known but no patch was available
  • Push-type flaws were exploitable for 11.89% of the period, pull-type flaws for 48.47%
  • For 98 days, critical security flaws in IE allowed the theft of personal and financial data
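The "fraction of the period" figures above come from summing the days on which at least one unpatched flaw of each type was public. The following is an added example of that computation (not code from the paper or the slides); the vulnerability list, period and the push/pull labels are constructed for illustration, and overlapping windows are merged so that two flaws open on the same day are counted once.

```python
from datetime import date

# Constructed sample data (not the paper's NVD/SecurityFocus data set): each entry is
# (identifier, kind, first public disclosure, patch available), i.e. the vulnerability
# window, labelled push-friendly (remote service) or pull-friendly (client side).
SAMPLE_VULNS = [
    ("push-svc-1", "push", date(2005, 1, 10), date(2005, 2, 9)),   # 30 days
    ("push-svc-2", "push", date(2005, 1, 20), date(2005, 3, 1)),   # overlaps the first
    ("pull-ie-1",  "pull", date(2005, 4, 1),  date(2005, 7, 8)),   # 98 days
    ("pull-ie-2",  "pull", date(2005, 9, 1),  date(2005, 9, 11)),  # 10 days
]

# Constructed observation period (the slide's is 8/2004 to 1/2007).
PERIOD_START = date(2005, 1, 1)
PERIOD_END = date(2005, 12, 31)


def merge_intervals(intervals):
    """Union of half-open [start, end) date intervals, sorted and non-overlapping."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposed_days(vulns, kind, period_start, period_end):
    """Days in the period on which at least one unpatched `kind` flaw was public."""
    clipped = []
    for _, k, disclosed, patched in vulns:
        if k != kind:
            continue
        start, end = max(disclosed, period_start), min(patched, period_end)
        if start < end:                      # ignore windows entirely outside the period
            clipped.append((start, end))
    return sum((end - start).days for start, end in merge_intervals(clipped))


def exposure_fraction(vulns, kind, period_start, period_end):
    """Fraction of the period during which a `kind` worm had a usable flaw."""
    return exposed_days(vulns, kind, period_start, period_end) / (period_end - period_start).days


def longest_window(vulns, kind):
    """Longest single vulnerability window of the given kind, in days."""
    return max((patched - disclosed).days for _, k, disclosed, patched in vulns if k == kind)


def report(vulns=SAMPLE_VULNS, start=PERIOD_START, end=PERIOD_END):
    """The numbers a slide like the one above would quote, for the sample data."""
    return {
        "push_days": exposed_days(vulns, "push", start, end),
        "pull_days": exposed_days(vulns, "pull", start, end),
        "push_fraction": exposure_fraction(vulns, "push", start, end),
        "pull_fraction": exposure_fraction(vulns, "pull", start, end),
        "longest_pull_days": longest_window(vulns, "pull"),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Merging matters: the two push windows overlap by three weeks, so counting them separately would report 70 exposed days instead of the 50 distinct days on which a push-type worm actually had something to exploit.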

  13. Wildfire Worms – Simulation
  Push-type worm; assumptions: AP radius 90 m, 14 Mbps and 8 Mbps networks, ~100 KB transmitted per infected host
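Slides 7 and 13 describe the propagation model: the worm crosses from one hotspot to the next through hosts standing where coverage areas intersect, and each hop costs the time needed to push about 100 KB to the hosts of the next cell. The following is an added example that simulates that model on a small constructed AP layout; it is not the authors' simulator, and the AP coordinates and link rates are made up. The 90 m radius and the 100 KB payload are the slide's assumptions, the per-cell link rates (14 or 8 Mbps) are assigned per AP so that the earliest-infection computation is a genuine shortest-path problem.

```python
import heapq
import math

# Assumptions taken from the slide: 90 m AP coverage radius, ~100 KB pushed per host.
AP_RADIUS_M = 90.0
PAYLOAD_BYTES = 100 * 1024

# Constructed AP layout (x, y in metres, link rate in Mbps); not the paper's data set.
SAMPLE_APS = {
    "A": (0, 0, 14),
    "B": (150, 0, 8),
    "C": (300, 0, 14),
    "D": (450, 0, 8),
    "E": (150, 160, 14),
    "F": (1000, 1000, 14),   # out of range of every other AP: never reached
}


def overlap_graph(aps, radius=AP_RADIUS_M):
    """Adjacency of AP cells whose coverage discs intersect (centres closer than 2*radius).
    A host standing in the intersection can associate with either AP and carry the worm across."""
    adj = {name: [] for name in aps}
    names = list(aps)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ax, ay, _ = aps[a]
            bx, by, _ = aps[b]
            if math.hypot(ax - bx, ay - by) < 2 * radius:
                adj[a].append(b)
                adj[b].append(a)
    return adj


def hop_time_s(link_mbps, payload_bytes=PAYLOAD_BYTES, hosts=1):
    """Seconds needed to push the payload to `hosts` victims over a link of `link_mbps`."""
    return hosts * payload_bytes * 8 / (link_mbps * 1e6)


def infection_times(aps, seed, hosts_per_cell=1):
    """Earliest time each cell is infected by a push-type worm started in `seed`.
    Dijkstra over the overlap graph; entering a cell costs the time to push the payload
    to its hosts at that cell's link rate. Cells that are never reached are absent."""
    adj = overlap_graph(aps)
    times = {seed: 0.0}
    heap = [(0.0, seed)]
    while heap:
        t, cell = heapq.heappop(heap)
        if t > times[cell]:
            continue                      # stale heap entry
        for nb in adj[cell]:
            nt = t + hop_time_s(aps[nb][2], hosts=hosts_per_cell)
            if nt < times.get(nb, math.inf):
                times[nb] = nt
                heapq.heappush(heap, (nt, nb))
    return times


def infected_fraction(times, total_cells, at_time):
    """Fraction of all cells infected by `at_time`, the quantity a propagation plot shows."""
    return sum(1 for t in times.values() if t <= at_time) / total_cells


if __name__ == "__main__":
    t = infection_times(SAMPLE_APS, "A")
    for cell, when in sorted(t.items(), key=lambda kv: kv[1]):
        print(f"{cell}: infected after {when:.3f} s")
    print("never reached:", sorted(set(SAMPLE_APS) - set(t)))
```

With one host per cell the whole connected cluster falls in well under a second; raising `hosts_per_cell` scales every hop linearly, which is the effect the slide's "~100 KB per host" assumption has on the curves.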

  14. Large-scale Wi-Fi Spoofing
  • Protocols such as DHCP, TCP and DNS are vulnerable to spoofing and man-in-the-middle attacks on a shared medium
  • An attacker can perform spoofing in any wireless network within range of a host they control

  15. Wi-Fi Tracknets
  • Wi-Fi networks can very well become the new "Big Brother"
  • Most concerning: attackers can set up a tracking system remotely, without any physical infrastructure of their own
  • Tracknets provide location information and leak a significant amount of personal information

  16. Wi-Fi Tracknets – Tracking Methods
  • Tracknet masters gather information from hosts and build a unique profile per host
  • MAC addresses: unique per host; randomizing them may lead to software errors and conflicts between ISPs
  • Live bookmarks (RSS): customized news feeds presented in the browser can be eavesdropped and added to the user's profile
  • Location tracking: radio signal characteristics of WLANs pinpoint the user's location
  • Instant messaging, online service portals, cookies

  17. Wi-Fi Tracknets – Experimental Analysis
  • Effectiveness is expressed in terms of network coverage

  18. Wi-Fi Tracknets – Experimental Analysis
  • Accuracy of the gathered RSS profiles

  19. Defense Strategy
  • User awareness: strong passwords, use of WPA/WPA2
  • Wireless IPS on the AP: APs have limited computing resources, so only a subset of the known signatures can be checked
  • Centralized wireless controller: all local traffic is directed there for inspection before being sent back to the user; the full set of signatures can be used, and honeypot feeds help against zero-day attacks
  • Attackers can avoid AP inspection by transmitting at low power directly to the victim (whisper attack), which severely reduces the range of the attack

  20. Defense Strategy
  • Lightweight alternatives to WPA and VPN:
  • Ingress filtering: traffic originating from the wireless network should carry an IP address on the local network. A spoofed DNS reply injected by a local station arrives from the local network but carries an external source address, so it is dropped. With help from a collaborator outside the local network, and with some limitations, the attack can still succeed
  • Packet rewriting against the collaborator attack: the AP maps DNS transaction IDs and TCP sequence numbers to another space using hash functions, so the identifiers sniffed on the air do not match the ones in use on the wired side. Feasible where the hardware provides cheap hash functions
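The two AP-side defences above can be shown together on a constructed DNS exchange. The following is an added example, not the paper's implementation: the AP is modelled as two functions (wireless ingress and wired ingress), the rewriting is done with a per-flow 16-bit mask derived from an HMAC over the client address and port (an assumed construction; the slide only says "hash functions"), and XOR is used so that the same mask restores the original ID on the reply without the AP keeping state. The subnet, the AP secret, the addresses and the transaction ID are all made up.

```python
import hashlib
import hmac
import ipaddress

# Constructed configuration: the AP's local subnet and a secret that never leaves the AP.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
AP_SECRET = b"ap-local-secret-for-this-example"


def ingress_ok(pkt, local_net=LOCAL_NET):
    """Ingress filter: a packet received on the wireless side must have a local source IP.
    A DNS reply forged by a local station carries the resolver's (external) address as its
    source, so it fails this check even though it arrived over the air."""
    return ipaddress.ip_address(pkt["src"]) in local_net


def id_mask(client_ip, client_port, secret=AP_SECRET):
    """16-bit keyed-hash mask for one client flow; stations on the air cannot compute it."""
    digest = hmac.new(secret, f"{client_ip}:{client_port}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") or 1      # never the identity mapping


def wireless_to_wired(pkt, secret=AP_SECRET):
    """AP, wireless ingress: drop what fails the filter, rewrite DNS IDs of outgoing queries."""
    if not ingress_ok(pkt):
        return None
    if pkt.get("proto") == "dns":
        return {**pkt, "txid": pkt["txid"] ^ id_mask(pkt["src"], pkt["sport"], secret)}
    return pkt


def wired_to_wireless(pkt, secret=AP_SECRET):
    """AP, wired ingress: map a reply's DNS ID back into the station's ID space (XOR is self-inverse)."""
    if pkt.get("proto") == "dns":
        return {**pkt, "txid": pkt["txid"] ^ id_mask(pkt["dst"], pkt["dport"], secret)}
    return pkt


def resolver_accepts(reply, outstanding_txid):
    """Client stub resolver: accept a reply only if its ID matches the query it sent."""
    return reply is not None and reply["txid"] == outstanding_txid


def scenario():
    """Replay the three cases from the slide; returns which forged replies the client would accept."""
    client = "192.168.1.20"
    query = {"proto": "dns", "src": client, "sport": 53001,
             "dst": "8.8.8.8", "dport": 53, "txid": 0x1234, "qname": "bank.example"}
    upstream = wireless_to_wired(query)          # what the real resolver sees on the wire

    # 1. Legitimate reply from the resolver, carrying the wired-side ID.
    legit = {"proto": "dns", "src": "8.8.8.8", "sport": 53, "dst": client,
             "dport": 53001, "txid": upstream["txid"], "answer": "203.0.113.10"}
    # 2. Local spoofer on the air: forged reply with the resolver's address as source.
    local_spoof = {**legit, "txid": query["txid"], "answer": "198.51.100.66"}
    # 3. Collaborator attack: a local sniffer reads the air-side ID and relays it to a
    #    collaborator outside the network, who sends the forged reply from the wired side.
    collab_spoof = {**legit, "txid": query["txid"], "answer": "198.51.100.66"}

    return {
        "legit": resolver_accepts(wired_to_wireless(legit), query["txid"]),
        "local_spoof": resolver_accepts(wireless_to_wired(local_spoof), query["txid"]),
        "collaborator": resolver_accepts(wired_to_wireless(collab_spoof), query["txid"]),
        # Same collaborator attack against an AP that filters but does not rewrite.
        "collaborator_no_rewrite": resolver_accepts(collab_spoof, query["txid"]),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The last two results are the point of the slide: filtering alone stops the local spoofer but not the collaborator, because the collaborator's packet genuinely comes from outside; once the AP rewrites IDs, the value the sniffer saw on the air is not the value the wired side is waiting for, so the collaborator's guess is off by the mask. The rewriting only covers the 16-bit DNS ID here; the same XOR-with-keyed-mask idea applies to TCP sequence numbers, which is why the slide ties the defence to cheap hashing in hardware.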

  21. Defense Strategy
  • 802.11 spoofing: the attacker violates the 802.11 protocol to transmit frames directly to the victim. The AP can detect the attack by monitoring for transmissions that carry its address but which it did not send
  • Whisper attack detection: bookkeeping of request-reply pairs to detect excess and inconsistent replies; alert when a host appears to retransmit even after it has received a reply
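Both detections on this slide are bookkeeping on the AP. The following is an added example of that bookkeeping, not the paper's code: the AP records the 802.11 sequence numbers of the frames it actually transmitted and flags overheard frames that claim its address with a sequence number it never sent, and it tracks one expected reply per request so that a second reply (duplicate or contradicting), an unsolicited reply, or a request repeated after a reply was already delivered raises an alert. The MAC addresses, request keys and the event sequence are constructed; a real AP would key requests on DNS transaction IDs or TCP SYN tuples and would need its radio to overhear station-bound frames on its channel.

```python
AP_MAC = "aa:bb:cc:00:00:01"      # constructed AP address


class APMonitor:
    """Per-AP bookkeeping for 802.11-spoof and whisper-attack detection."""

    def __init__(self, ap_mac=AP_MAC):
        self.ap_mac = ap_mac
        self.sent_seq = set()     # 802.11 sequence numbers of frames the AP itself transmitted
        self.pending = {}         # (host, request_key) -> None (no reply yet) or delivered reply
        self.alerts = []

    def ap_transmits(self, seq):
        """Called for every frame the AP sends; only these may legitimately carry its address."""
        self.sent_seq.add(seq)

    def overheard(self, frame):
        """Frame captured on the air. One that carries the AP's address but a sequence number
        the AP never used was injected by someone else (direct 802.11 spoofing)."""
        if frame["src"] == self.ap_mac and frame["seq"] not in self.sent_seq:
            self.alerts.append(("80211_spoof", frame["dst"], frame["seq"]))

    def request(self, host, key):
        """A station sends a request (DNS query, TCP SYN, ...) through the AP."""
        k = (host, key)
        if self.pending.get(k) is not None:
            # The AP already delivered a reply, yet the host asks again: it may have acted on
            # a reply the AP never saw (a low-power whisper), so flag it.
            self.alerts.append(("retransmit_after_reply", host, key))
        self.pending[k] = None   # a repeat before any reply is an ordinary retransmit

    def reply(self, host, key, payload):
        """A reply for `host`'s request, forwarded by the AP or overheard on the air."""
        k = (host, key)
        if k not in self.pending:
            self.alerts.append(("unsolicited_reply", host, key))
            return
        previous = self.pending[k]
        if previous is None:
            self.pending[k] = payload          # first reply: remember what was delivered
        elif previous != payload:
            self.alerts.append(("inconsistent_reply", host, key))
        else:
            self.alerts.append(("excess_reply", host, key))


def run_sample():
    """Replay a constructed event stream and return the alerts it raises, in order."""
    m = APMonitor()
    h1, h2, h3, h4, h5, h6 = (f"00:11:22:33:44:0{i}" for i in range(1, 7))

    m.ap_transmits(100)
    m.overheard({"src": AP_MAC, "dst": h1, "seq": 100})    # the AP's own frame: fine
    m.overheard({"src": AP_MAC, "dst": h1, "seq": 777})    # forged frame using the AP's address

    m.request(h2, ("dns", 0x3344))
    m.reply(h2, ("dns", 0x3344), "203.0.113.10")            # genuine answer
    m.reply(h2, ("dns", 0x3344), "198.51.100.66")           # second answer, different content

    m.request(h3, ("dns", 0x0001))
    m.reply(h3, ("dns", 0x0001), "203.0.113.20")
    m.reply(h3, ("dns", 0x0001), "203.0.113.20")            # duplicate of a delivered reply

    m.request(h4, ("dns", 0x0009))
    m.reply(h4, ("dns", 0x0009), "203.0.113.30")
    m.request(h4, ("dns", 0x0009))                          # asks again after being answered

    m.reply(h5, ("dns", 0x0005), "203.0.113.40")            # reply with no matching request

    m.request(h6, ("dns", 0x0006))
    m.request(h6, ("dns", 0x0006))                          # retransmit before any reply: normal
    return m.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The "retransmit after reply" rule is deliberately the weakest signal: a stub resolver that ignored the AP's answer because it had already accepted a whispered one will simply move on, so in practice the inconsistent-reply case (the AP's genuine answer disagreeing with one overheard on the air) is the more reliable indicator.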

  22. Conclusion
  • Wireless technology is bound to draw attackers' attention soon
  • High risks are involved: large-scale rapid worm infections, user profiling
  • User awareness must be raised and the security issues must be dealt with

  23. The End
