SIM301-R
Monty WiFion and the Quest for the Holy Grail of Network Security! (Repeated from 5/17 at 10:15am)

Andy Malone MVP, MCT

Senior Instructor, Consultant

Quality Training (UK) Ltd

Andy Malone (UK)
  • Microsoft Certified Trainer MCT (16 Years)
  • Worldwide Security & Systems Trainer & Consultant
  • Microsoft Most Valuable Professional MVP (Enterprise Security)
  • International Event Speaker
  • Winner Microsoft Speaker Idol 2006
Session Agenda:
  • Introductions
  • Wireless intro & history
  • Current & Emerging Wireless Technologies
  • Wireless Security: The Great Oxymoron
  • Standards & techniques
  • Threats and Countermeasures
  • Best Practices
A Wi Fi History Lesson
  • Wi-Fi was invented in 1991 by NCR Corp & AT&T (later known as Lucent & Agere Systems) in Nieuwegein, the Netherlands.
  • Initially for cashier systems. Originally “WaveLAN” with speeds of 1Mbps/2Mbps.
  • Invented by Vic Hayes who has been named 'father of Wi-Fi' and involved in designing standards such as IEEE 802.11b, 802.11a and 802.11g.
  • In 2003, Vic retired. Agere Systems suffered as customers opted for cheaper Wi-Fi solutions.
  • Agere's 802.11abg all-in-one chipset (code named: WARP) never hit the market
  • Agere Systems quit Wi-Fi market in late 2004.

Courtesy of CRN

Organizations & Standards
  • FCC – Regulates ISM bands
    • 900 MHz, 2.4 MHz, 5.8 MHz
  • IEEE – Develops wireless LAN standards
  • ETSI – IEEE for Europe
    • HiperLAN/2 Similar to IEEE 802.11 standards
  • WECA (Wi-Fi Alliance) – regulates Wi-Fi labeling

Wi Fi Alliance

Ok but What are the benefits?
  • Unlike packet radio, Wi-Fi uses unlicensed radio spectrum and does not require regulatory approval for individual deployers.
  • Cuts cabling costs
  • Wi-Fi products are widely available
  • Competition amongst vendors has lowered prices considerably
  • Network providers provide roaming agreements
    • Users can move from one access point to another as part of contract
  • Various degrees of encryption available to protect traffic from interception.
  • Wi-Fi is a global set of standards. Unlike cellular carriers, the same Wi-Fi client works in different countries around the world.
The Basics
  • Each wireless network needs a channel number and SSID (Service Set Identifier)
  • The channel is a number between 1 and 11 (1 and 13 in the EU)
  • The SSID is an alphanumeric string that differentiates wireless networks on the same channel
  • SSIDs are transmitted in clear text
  • Wi-Fi Can be Deployed in Two Modes
    • Ad-HOC (Peer to Peer) mode
    • Infrastructure mode
      • Shares bandwidth among users
      • Supports roaming
The Basics
  • Each access point advertises itself by sending beacon frames
  • To become part of the wireless network, a client must first authenticate itself
  • The access point handles authentication itself unless RADIUS is used
  • The client's MAC address is used as its identity
Wireless Networks: The Basics

[Figure: Security Encryption Wrapper]

  • Sending and receiving radio waves
  • Two types
    • Omni-directional
    • Directional
  • Cantenna
802.11 standards
  • 802.11a – 54 Mbps @ 5 GHz
    • Not interoperable with 802.11b
    • Limited to short distances
    • Dual-mode APs require 2 chipsets; this can look like two APs to clients
  • 802.11b – 11 Mbps @ 2.4 GHz
    • Full speed up to 300 feet
    • Coverage up to 1750 feet
  • 802.11g – 54 Mbps @ 2.4 GHz
    • Same range as 802.11b
    • Backward-compatible with 802.11b
    • Speeds slower in dual-mode
802.11 standards (cont.)
  • 802.11e – QoS
    • Dubbed “Wireless MultiMedia (WMM)” by WiFi Alliance
  • 802.11i – Security
    • Adds AES encryption
    • Requires a fast CPU; new chips required
    • TKIP is interim solution
  • 802.11n – 100Mbps+
  • Wi-Fi Protected Access (WPA)
    • Subset of 802.11i, forward-compatible with 802.11i (WPA2)
    • Encryption: Version one uses TKIP
    • Auth: 802.1x & EAP – allows auth via RADIUS, also allows auth via PSK
Other “Non Wi Fi Solutions”
  • CDPD – 19.2 kbps analog
  • GPRS – 171.2 kbps digital
  • WAP – bandwidth-efficient content delivery
  • Ricochet – 176 kbps wireless broadband flop
  • Bluetooth – personal area networks, range limited only by transmit power
    • Cable replacement technology
    • Short range communication (10 m)
    • Operates at 2.45 GHz
    • Used for mobile devices
    • Used to transfer information
    • Large number of hacking tools available
  • Blackberry – Uses cellular & PCS networks, no authentication at console
  • RFID
  • NFC (Near Field Communications)
Radio-frequency identification (RFID)
  • Radio waves exchange data between a reader and an electronic tag for the purpose of identification and tracking.
  • Often seen as Barcode NG
  • Individual and unique, like a license plate, but for every item in the world
  • Some tags can be read from several meters away and beyond the line of sight of the reader.
  • Bulk reading enables an almost-parallel reading of tags.
  • Uses interrogators (also known as readers) and tags (also known as labels), as well as RFID software or RFID middleware.
  • Most contain at least 2 parts: 1 is an integrated circuit for storing and processing information, modulating and demodulating a radio-frequency (RF) signal, and other specialized functions; the other is an antenna for receiving and transmitting the signal.
RFID Hacking
  • RFID Tags can be cloned
  • A growing number of hacking tools, including BackTrack 4
  • Traditionally Hardware was expensive but is getting cheaper. E.g. USB Reader
  • Can read ID Badges, Credit Cards etc
  • Once hacked Cards with Authorized ID numbers can be used to unlock doors

Source Dreamtime

Near Field Communications (NFC)
  • NFC is a set of short-range wireless technologies
  • Typically requires a distance of 4 cm or less.
  • Operates at 13.56 MHz and at rates ranging from 106 kbit/s to 848 kbit/s
  • Always involves an initiator and a target
  • Initiator actively generates an RF field that can power a passive target
  • This enables NFC targets to take very simple form factors such as tags, stickers, key fobs, or cards that do not require batteries
  • NFC peer-to-peer communication is also possible, where both devices are powered.
Near Field Communications (NFC)
  • Emulation Mode: the NFC device behaves like an existing contactless card
  • Reader mode: the NFC device is active and reads a passive RFID tag, for example for interactive advertising
  • P2P mode: two NFC devices communicating together and exchanging information
  • Uses Include:
    • Mobile ticketing, such as Mobile Phone Boarding Pass
    • Mobile payment: the device acts as a debit/credit payment card.
    • Smart poster: the mobile phone is used to read RFID tags on outdoor billboards.
  • Pairing of Bluetooth 2.1 devices with NFC will be as easy as bringing the mobile phones close to each other.

Source Dreamscape

NFC: The Facts…

Source NFC Forum

NFC: Security Concerns
  • Theoretically Difficult due to Distance Factors….However!
  • The RF signal for the wireless data transfer can be picked up with antennas
  • Eavesdropping: NFC offers no protection against eavesdropping and can be vulnerable to data modifications
  • Applications may use higher-layer cryptographic protocols (e.g., SSL) to establish a secure channel.
  • Data Modification: one way to perturb the signal is to use an RFID jammer
  • Relay Attack
  • Lost Phone…

Source Andy Malone

WiMAX (Worldwide Interoperability for Microwave Access)
  • A telecommunications protocol that provides fixed and mobile Internet access.
  • Seen as the next generation of wireless
  • Improvement over the existing 802.11 standard.
  • No new equipment required
  • First WiMAX equipment launched in 2005
  • Covers a wider area, which can be as much as 50 km
  • Current WiMAX provides up to 40 Mbit/s with the IEEE 802.16m update expected to offer up to 1 Gbit/s fixed speeds
  • The name "WiMAX" was created by the WiMAX Forum, formed in 2001 to promote conformity and interoperability of the standard
  • The Forum describes WiMAX as "a standards-based technology enabling the delivery of last mile wireless broadband access as an alternative to cable and DSL"

Source Andy Malone

WiFi Security
  • Peter Shipley’s 2001 DefCon presentation on WarDriving alarmed the industry
  • The US Dept Homeland Security labelled WiFi a potential terrorist threat, demanded regulation
  • Seen as Shared media – like a network hub
    • Requires data privacy - encryption
  • Authentication necessary
    • Can access network without physical presence in building
    • Once you connect to wireless, you are an “insider” on the network

Source Johan Loos

Wireless Network Security
  • Link Encryption
    • Encrypt traffic headers + data
    • Transparent to users
  • End-to-End Encryption
    • Encrypts application layer data only
    • Network devices need not be aware

Source Dreamtime

Link Level Security Vs. End to End Security!

[Diagram: link-level security (hop by hop across the wireless link) versus end-to-end security between end hosts]

  • IEEE 802.11x security solutions are deployed at the link level
  • Efficiency is very important, because all traffic will be encrypted
Current Authentication methods
  • Open Systems Authentication (OSA)
  • Shared Key Authentication
  • EAP / 802.1x
Open system authentication
  • Required by 802.11
  • Just requires SSID from client
  • Only identification required is MAC address of client
  • WEP key not verified, but device will drop packets it can’t decrypt

Source BT

Wireless LAN Security Goals
  • Access Control
    • No abuse of wireless network
    • This requires Key Management
  • Data Integrity
    • Data packets are not modified during transit
  • Confidentiality
    • Data packets are encrypted

Wireless LAN Security Standards
  • 802.11 WEP
    • 64/128 bit
    • Integrity Check
  • 802.11 + 802.1x
    • Uses RADIUS
  • 802.11 + WPA
    • 128 bit
    • For data encryption : TKIP
    • For data integrity: MIC
    • PSK or Enterprise
  • 802.11 + WPA2
    • AES

Shared key authentication
  • Utilizes challenge/response
  • Requires & matches key
  • Steps
    • Client requests association to AP
    • AP issues challenge to client
    • Client responds with challenge encrypted by WEP key
    • AP decrypts the client's response & verifies it
  • WEAK! Attacker sniffs plain-text AND cipher-text!

Source Dreamtime

WEP – Wired Equivalent Privacy
  • 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively
  • WEP provides a casual level of security but is more compatible with older devices;
  • It is still used quite extensively despite security flaws
  • Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key;
  • E.g. WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)
  • WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.


More Problems with WEP
  • Shared key – 40/104 bits
  • Initialization vector (IV) = 24 bits
  • Uses RC4 for encryption
  • Weaknesses/attacks
    • FMS key recovery attack – weak IVs
    • Filter weak IVs to mitigate
    • IV too short, gets reused after 5 hours
    • IP redirection, MITM attacks
    • Traffic injection attacks
    • Bit-flip attacks
  • WEP2 added, increases key length to 128 bits

Source Dreamtime
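The keystream exposure behind both the shared-key authentication weakness and the WEP IV problems above, as an added Python example that is not from the slides. It models WEP's per-packet key (24-bit IV prepended to the shared key, fed to a minimal textbook RC4) and shows why a repeated IV lets an observer relate two plaintexts without ever knowing the key, which is the reason 802.11i moved to a 48-bit nonce that never repeats under one key. Key and packet contents are constructed.

```python
# Added example (not from the original slides): WEP keystream reuse and IV exhaustion.
# rc4_keystream is a minimal textbook RC4 for illustration, not a production cipher.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet encryption: RC4 keyed with IV || shared key.
    The 24-bit IV travels in the clear; the CRC-32 ICV is omitted for brevity."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return xor_bytes(plaintext, keystream)   # decryption is the same operation


def keystream_reuse_leak(shared_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under the same IV share one keystream, so C1 xor C2 == P1 xor P2.
    This is the property a shared-key challenge/response hands to anyone listening:
    the plaintext challenge and its ciphertext together reveal the keystream."""
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def wep_key_bits(hex_digits: int, iv_bits: int = 24) -> int:
    """Advertised WEP key size = user-entered hex key + 24-bit IV (26 digits -> 128)."""
    return hex_digits * 4 + iv_bits


def hours_until_iv_exhaustion(packets_per_second: float, iv_bits: int = 24) -> float:
    """A 24-bit IV gives 2**24 values; once they are used up, IVs must repeat.
    At roughly 1000 packets per second that happens in under five hours."""
    return (2 ** iv_bits) / packets_per_second / 3600


if __name__ == "__main__":
    key = b"0123456789abc"                   # constructed 104-bit (13-byte) WEP key
    print("same-IV leak:", keystream_reuse_leak(key, b"\x01\x02\x03",
                                                b"GET /index.html", b"POST /login.php"))
    print("WEP 128 bits:", wep_key_bits(26))
    print("IV space exhausted after %.2f hours" % hours_until_iv_exhaustion(1000))
```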

TKIP to the rescue…er Almost!
  • Seen as an interim solution developed to fix the key reuse problem of WEP.
  • TKIP – Temporal Key Integrity Protocol
    • Protects IV by removing predictability
    • Broadcast WEP key rotation is a good alternative if you can’t support TKIP
  • It later became part of the 802.11i and subsequently part of WPA standards.
  • Same encryption as WEP (RC4)
  • Variant Cisco Key Integrity Protocol (CKIP).
WPA – WiFi Protected Access
  • Originally designed for campus-wired networks
  • 2 Flavours WPA and WPA2
  • Created to resolve several issues found in WEP
  • Both provide good security however, are not compatible with older devices
  • WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
  • To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users cannot afford
  • WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP, which combined with other WEP fixes, allows substantially greater security over WEP.
WPA – WiFi Protected Access
  • WPA-Personal: Also referred to as WPA-PSK (Pre-shared key) mode.
    • Designed for SOHO networks and doesn't require an authentication server.
    • Each wireless network device authenticates with the access point using the same 256-bit key.
  • WPA-Enterprise: Also referred to as WPA-802.1x mode, and WPA (as opposed to WPA-PSK)
    • Designed for enterprise networks, and requires a RADIUS authentication server
    • Provides additional security (e.g. protection against dictionary attacks)
    • EAP is used for authentication, which comes in different flavors (for example EAP-TLS, EAP-TTLS, EAP-SIM).
WPA2: Wireless Security: The Right Way!
  • 802.11i is now the default setting on many wireless routers
  • FIPS-140 compliant
  • AES replaces RC4 with TKIP
  • Robust Security Network (RSN) for establishing secure communications
    • Uses 802.1x for authentication
    • Replaces TKIP
  • Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption
    • CCM mode of AES
    • 128-bit keys, 48-bit IV
    • CBC-MAC provides data integrity/authentication
    • CCMP mandatory with RSN
    • WRAP was initial selection, licensing rights/problems got in the way
Myth: What if I Hide my SSID?
  • Common Misconception
  • No such thing as “hiding” an SSID
  • All this accomplishes is suppressing the SSID in the access point's beacon
  • Four other SSID broadcasts not suppressed
    • Probe requests
    • Probe responses
    • Association requests
    • Re-association requests
  • SSIDs must be transmitted in clear text or else 802.11 cannot function
Myth: Use a Fixed IP Address
  • Disabling DHCP and forcing the use of Static IP addresses is another common myth
  • IP schemes are easy to figure out since the IP addresses are sent over the air in clear text as UDP Broadcasts
  • Takes less than a minute to figure out an IP scheme and statically enter an IP address
Myth: Use MAC Authentication!
  • Use of the word “authentication” is a joke!
  • It’s not MAC Spoofing…
  • MAC address filtering is all that’s going on
  • MAC addresses are transmitted in clear text
  • Extremely easy to capture with tools like Wireshark
  • Extremely easy to clone and defeat
  • Extremely difficult to manage MAC filtering
MAC Spoofing Example
  • Regedit – HKLM\System\CurrentControlSet\Control\Class
  • {4D36E972-E325-11CE-BFC1-08002BE10318}
  • Look up your wireless adapter
  • Create a REG_SZ string
    • Name: NetworkAddress
    • Value: MAC address
  • Restart PC
Myth: Antenna placement and signal Suppression
  • Antenna placement and signal suppression does nothing to encrypt data
  • The hacker’s antenna is bigger than yours
  • Directional high-gain antennas can pick up a weak signal from several kilometers away
  • Lowering the signal hurts legitimate users a lot more than it hurts the hackers
  • Wi-Fi paint or wall paper not 100% leak proof and very expensive to implement
Wireless LAN Threats
  • WarChalking – WarDriving - WarFlying
  • Unauthorized Access
    • Accidental Association
    • Malicious Association
  • MAC Spoofing
  • Man in the Middle Attack
  • Denial of Service (DoS)
  • Network Injection Attack
  • Caffe Latte attack
Wireless LAN Threats
  • Open Authentication
    • Open system authentication, basically everyone can connect
    • No encryption at all
  • Rogue and Unauthorized Access Points
    • Employees install unmanaged access points
    • Access Point spoofing for MITM attack
  • Eavesdropping
    • Intercepting radio signals and decoding data
    • Wireless sniffer in promiscuous mode
    • Use an external antenna
Wireless LAN Threats
  • Authentication flood attack
    • Large number of EAPOL messages
    • Authenticator cannot respond
    • Cannot authenticate other wireless clients
  • Deauthentication flood attack
    • Target is individual client
    • Attacker uses the authentication frame of an existing wireless client
Wireless LAN Threats
  • Network jamming attack (DoS)
    • Targets entire wireless network
    • Uses a transmitter to flood the airwaves
    • It's a magnetron
    • But it's dangerous if you are close to the transmitter
  • Equipment destruction attack
    • Targets access point
    • High-energy transmissions can damage the access point
Free WiFi: The New Reality!


Not in the US…
  • PATRIOT Act (Providing Appropriate Tools Required to Intercept and Obstruct Terrorism)
  • Legally classifies many hacking attacks as acts of terrorism

Source Dreamtime

A New Generation of WiFi Hacking Tools


Source: Fern (Open Source)

Wireless LAN Security: Recommended Best Practices
  • Deploy AD Secure Wireless Policies with Certificates
  • Implement Secure Management Policy for APs/Bridges
  • Disable Telnet, disable http access, disable CDP, enable SSH, and enable TACACS for Admin authentication
  • Public Secure Packet Forwarding (PSPF): no inter-client communication on specific VLANs
  • Virus Scanning + Firewall recommended on WLAN Clients
  • RF Monitoring and Rogue AP Detection
    • Radio, client & network based scanning
    • Wireless IPS / IDS
  • Select appropriate EAP mechanism
  • Consider Fixed IP Address Range
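The "RF Monitoring and Rogue AP Detection" practice above, as an added Python example that is not from the slides: a minimal check a scheduled site survey or a wireless IDS could run over observed beacons. It flags the threats named earlier on the page: an unknown BSSID advertising the corporate SSID (AP spoofing / evil twin), a strong unknown AP on the premises (unmanaged rogue), and a managed AP that has drifted from WPA2 to WEP or open authentication. The allowlist, the scan line format and the sample scan are all constructed.

```python
# Added example (not from the original slides): rogue / evil-twin AP classification
# over a constructed beacon survey. Allowlist and input format are assumptions.
from dataclasses import dataclass

# Authorised access points: BSSID -> (SSID, channel, security). Constructed values.
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("CorpNet", 1, "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", 6, "WPA2"),
    "00:11:22:33:44:03": ("CorpNet", 11, "WPA2"),
}
CORPORATE_SSIDS = {"CorpNet"}
ON_PREMISES_DBM = -70          # stronger than this is probably inside the building

# Constructed scan output, one beacon per line: bssid ssid channel security signal_dBm
SAMPLE_SCAN = """\
00:11:22:33:44:01 CorpNet 1 WPA2 -41
00:11:22:33:44:02 CorpNet 6 WPA2 -55
de:ad:be:ef:00:01 CorpNet 6 OPEN -38
00:11:22:33:44:03 CorpNet 11 WEP -60
11:22:33:44:55:66 PrinterSetup 9 OPEN -45
aa:bb:cc:dd:ee:ff linksys 3 WPA2 -80
"""


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str
    signal_dbm: int


def parse_scan(text: str) -> list:
    """Parse the survey lines into Observation records (blank lines skipped)."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security, signal = line.split()
        observations.append(Observation(bssid.lower(), ssid, int(channel),
                                        security.upper(), int(signal)))
    return observations


def classify(o: Observation) -> str:
    """Return a finding label for one observed AP, or 'ok' for an expected one."""
    known = AUTHORISED_APS.get(o.bssid)
    if known is None:
        if o.ssid in CORPORATE_SSIDS:
            return "evil-twin"            # our SSID from a BSSID we do not own: AP spoofing
        if o.signal_dbm > ON_PREMISES_DBM:
            return "rogue-ap"             # strong unknown AP, likely an unmanaged install
        return "neighbour"                # weak unknown AP, probably outside the building
    ssid, channel, security = known
    if o.security != security:
        return "security-downgrade"       # managed AP now offering WEP or open auth
    if o.ssid != ssid or o.channel != channel:
        return "config-drift"
    return "ok"


def findings(text: str) -> dict:
    """Map each non-ok BSSID to its finding label."""
    return {o.bssid: label for o in parse_scan(text) if (label := classify(o)) != "ok"}
```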
Home / SOHO User Best Practice
  1. Ensure you change the router’s default passwords
  2. Change the SSID name and disable SSID broadcast
  3. Set up MAC filters to limit which computers can connect
  4. Ensure you use WPA2 encryption
  5. Review your wireless logs regularly
  6. Look out for upgrades from the manufacturer
  7. Practice good security – Updates, AV, ASW etc
My Other Sessions…
  • SIM 301 Monty WiFion and the Quest for the Holy Grail of Network Security!
  • SIM 302 Lessons from Hackwarts Vol 1: Defense against the Dark Arts 2011
  • SIM 327 Rethinking Cyber Threats: Experts Panel
  • Find Me Later At…
Andy Malone (UK)
  • E:
  • Twitter: AndyMalone
  • LinkedIn: Andy Malone (UK)

Thanks For Listening & Enjoy TechEd!