[ISN] Wireless Hackers Leave No Tracks

From: InfoSec News (isn@private)
Date: Mon Jun 07 2004 - 23:55:12 PDT

  • Next message: InfoSec News: "[ISN] Oops! Firm accidentally eBays customer database"

    Security Manager's Journal by Vince Tuesday 
    JUNE 07, 2004
    I'm a parasite. I didn't pay for the bandwidth I'm using right now. I 
    didn't ask for permission to use it -- I don't even know whom to ask. 
    But I'm on holiday, I have a few bits of work to finish up before I 
    can relax, and I need to send my e-mail. 
    The broadband service in the rented house doesn't work, so I stuck in
    my wireless LAN card and found two WLANs covering the house. One has a
    Secure Set Identifier of "lopez" and has Wired Equivalent Privacy
    turned on; the other has an SSID of "default" and no WEP.
    My wireless card has automatically associated with the "default" base
    station, which gave me a Dynamic Host Configuration Protocol address.  
    Now I'm connected to the Internet at 11Mbit/sec. with no fee and no
    restrictions on what I can do.
    When WLANs hit the mainstream a few years ago, the security focus was
    on confidentiality, and vendors included WEP to encrypt data in the
    air. WEP has flaws -- it might not stop a snooper in your parking from
    reading your data -- but just the fact that "lopez" had it turned on
    was enough to turn my attention elsewhere. Why hack "lopez" when
    "default" is sending in the clear?
    But having data sniffed from the air isn't the real threat that
    wireless poses. That problem is easily solved by using cryptography. A
    bigger worry is "de-perimeterization," which is a fancy way of saying
    that the walls of the normal fortress model are falling away, thanks
    in part to wireless. In the good old days, you inventoried all
    external connections and put firewalls in front of them. Now, nearly
    every organization has so many connections to the outside that it
    isn't feasible to set up firewalls to control access to all of them.  
    If your wireless users need access to all of the internal services,
    what can you block with a firewall?
    And if you're a hacker, why bother trying to intercept data from the
    traffic flying about when you can just connect to the network and
    pretend to be a legitimate client? Once you become a full node on the
    network, you don't have to wait for a client to connect to download
    the information you want and sniff it. Instead, you can just waltz
    right in and take what you want. This is a lot less covert, but unless
    the target has a hair-trigger intrusion-detection system configuration
    and very good triangulation equipment, you probably won't be
    My company's authorized wireless access points have strong
    authentication, so only legitimate clients can connect, but all our
    exterior defenses might be for naught if a staff member plugs in a $99
    access point.
    To protect against this, my team and I run regular sweeps to check for
    illegitimate access points that might allow unauthorized users to
    connect. We had a few early run-ins with staff when we began the
    sweeps, but now the authorized service is so good that everyone is
    happier using that than they would be trying to sneak new equipment
    into the office.
    Insecure Access
    In these sweeps, we've detected many access points that are
    transmitting from outside the company walls. It's interesting to see
    that all the bars and restaurants near our offices have WLANs for
    waiters to send orders to the kitchen. All are insecurely configured.  
    However, since the worst anyone could do is jump the queue for
    ordering drinks, perhaps the low level of protection is all that's
    The only time I really went white was when a sweep at my company
    identified more than 30 unauthorized access points on a single floor.  
    I couldn't imagine why an entire department would go crazy and try to
    provide its own competing WLAN service.
    But when I tried to connect to one of the access points, I could get
    only a printer service Web page. It turned out that our printer vendor
    had shipped a batch of printers with wireless printing support enabled
    by default. Each was functioning as a WLAN access point. We disabled
    the cards and asked the vendor to do the same with future orders.
    Rogue access points in the office are a problem we can solve, but the
    real WLAN problem that strikes terror into my heart is the home user.
    Before WLANs, if I were a hacker or virus writer or if I wanted to
    download or share illegal material, I had limited options. I could use
    my own account and eventually get caught after the feds tracked the
    abuse back to me. I could steal an AOL account by phishing until the
    feds used phone traces to catch me. Or I could wander into a Web cafe,
    do my evil deeds and flee, leaving closed-circuit TV footage,
    fingerprints and physical evidence the feds could use to put me behind
    With WLANs, things have changed. On most streets in big metropolitan
    areas, a few people have broadband, and at least one uses it with an
    insecure wireless connection. Perhaps half of those people turn on the
    Windows XP firewall, but that won't stop an attacker. They just get
    within range and connect. There's no physical evidence, no
    closed-circuit TV, and the poor schmuck whose broadband connection
    gets used is the one whom the feds raid.
    So while the WLAN connection I'm using now is helpful to me as I
    finish up my work while on holiday, someone else could just as easily
    be using it to launch attacks before disappearing anonymously back
    into the night.
    There's no chance that home users will move to two-factor
    authentication for their wireless networks, so I'm making sure that my
    current designs for Web-facing infrastructure don't rely on being able
    to track down and stop attackers. Clearly, that's no longer possible.
    What do You Think?
    This week's journal is written by a real security manager, "Vince
    Tuesday," whose name and employer have been disguised for obvious
    reasons. Contact him at vince.tuesday@private
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Tue Jun 08 2004 - 03:32:22 PDT