[ISN] Wi-Fi honeypots a new hacker trap

From: InfoSec News (isnat_private)
Date: Tue Jul 30 2002 - 00:30:48 PDT


    [Nuts... I was tooling around with this idea about a year ago, where I 
    was trying to get one company I was consulting for to help bankroll 
    this. Oh well, no bucks, no Buck Rogers...  :)  -  WK]

    By Kevin Poulsen, SecurityFocus Online
    Posted: 30/07/2002 at 05:16 GMT

    Hackers searching for wireless access points in the nation's capital
    may soon war drive right into a trap. Last month researchers at the
    government contractor Science Applications International Corporation
    (SAIC) launched what might be the first organized wireless honeypot,
    designed to tempt unwary Wi-Fi hackers and bandwidth borrowers and
    gather data on their techniques and tools of choice.

    That the average wireless network is horribly insecure is common
    knowledge today; surveys of populous metropolitan areas consistently
    turn up hundreds or thousands of 802.11b access points inadvertently
    left unprotected from unauthorized use or eavesdropping by anyone
    within range. (This in addition to many that are deliberately open to
    the public, either commercially or by the generosity of their owners).  
    But while conventional wisdom holds that hackers are enjoying a golden
    era of untraceable ingress into corporate networks across the country,
    nobody claims to know exactly how prevalent wireless hacking really
    has become.

    That's where the Wireless Information Security Experiment, or WISE,
    comes in. Headed by former Air Force computer security investigator
    Rob Lee, now an SAIC chief of information security operations, WISE
    hinges on an 802.11b network based at a secret location in Washington
    D.C. and dedicated to no other purpose than being hacked from nearby.

    The network has five Cisco access points, a handful of deliberately
    vulnerable computers as bait, and two omnidirectional high-gain
    antennas for added reach to the nearby streets and alleys. On the
    back-end, a logging host gathers detailed connection data from the
    access points, while a passive 802.11b sniffer with a customized
    intrusion detection system acts as a hypersensitive trip wire. Like
    conventional honeypots, the WISE network has no legitimate users, so
    anything that crosses it is closely scrutinized.

    The goal, says Lee, isn't to set up D.C. hackers for prosecution, but
    to research the state of real-life wireless hacking in a city
    considered by many to be a hot spot for laptop-toting cyberpunks. Lee
    hopes to learn who's conducting 802.11b attacks, how many hackers use
    wireless access to anonymize attacks on other Internet-connected
    systems, and what the ratio is between intruders and those who simply
    drop onto nearby networks for convenient Internet access, sometimes
    unknowingly. Ultimately, Lee would like to be able to passively
    identify the various scanning tools hackers and others use to find
    vulnerable wireless networks. "There may be signatures that they give
    off that could be incorporated into a wireless intrusion detection
    device looking for these active signals," says Lee.

    Determining Intent a Challenge

    The SAIC honeypot went operational on June 15th, and so far hasn't
    pulled in anything particularly nefarious: a single ping sweep of the
    bait machines, and a few people trying unsuccessfully to surf the Web.  
    The WISE network doesn't yet have an Internet connection, but Lee
    plans to hook one up through a Web proxy that will intercept outgoing
    connection attempts and present a consent-to-monitor banner, so he can
    legally watch how the Internet link is used.

    Despite the tepid findings so far, the hacker trap is generating
    enthusiasm in the honeypot community, and may spawn similar projects
    in other cities.

    "He's taken an idea and really run with it like hell," says Lance
    Spitzner, founder of the Honeynet Project. "He's gotten a lot of
    high-end gear so he could cover a wider area, and he's come up with a
    lot of really neat ideas... And he's basically operating in one of the
    best cities to put up a wireless honeynet."

    Peter Shipley, the security researcher who coined the term "war
    driving" over a year ago to describe the practice of cruising city
    streets in search of wireless networks, says he thinks wireless
    honeypots can produce interesting results, but that it could prove
    impossible to accurately differentiate between deliberate intruders
    and ordinary users accidentally dropping into the network. "The
    statistics are not going to be black and white," says Shipley. "They're
    going to be iffy and there's going to be a lot of speculation

    Of course, unlike Internet-based honeypots, anyone detected on the
    WISE network will be located within a few blocks of the trap, perhaps
    parked in a car or sitting on a bus bench. Despite the opportunity,
    Lee says he doesn't plan to train video cameras on the street, or to
    physically confront hackers. But he may add other wireless
    technologies to the system, like 802.11a or Bluetooth, to widen the
    net. "Right now we're focusing on 802.11b," he says. "This might