[ISN] The War Driver Returns

From: InfoSec News (isn@private)
Date: Tue May 16 2006 - 02:11:23 PDT


David Ramel
May 15, 2006 

I am back on the prowl. Stealthily I slide through the night, 
searching for unprotected wireless networks. I find one! 

And then I find hundreds more. Who cares? War driving is so 2004. 
Wireless security has matured and moved on. When's the last time you 
heard of a wireless hack? If it happens, it sure doesn't get any 
publicity anymore.

But the news is chock-full of stolen laptops and other data breaches - 
take a look at our Data Security Breaches page.

Why sit out in a parking lot for hours "sniffing" wireless traffic 
when you can just walk in and grab the finance guy's laptop? Or surf 
your county's Web site for all kinds of personal data?

Also, increased awareness about the much-stronger WPA2 encryption spec 
and other precautions have cut down on all the fun - er, I mean, made 
us all safer.

For sure, there are plenty of targets out there. Two years ago, I went 
war driving on my route to work and found more than 100 wireless 
networks. This year, I found more than 400.

Back then, about 70% weren't encrypted; this year it was around 55%. 
So even though a higher percentage of networks are encrypted, there 
are now many more total unencrypted networks.

Is there really a wireless security problem?

So, why the lack of hacks? Is wireless security still a problem?

"I think the problem is relatively small and dropping," said Gartner 
Inc. analyst John Pescatore. He said a big part of the problem a 
couple of years ago was that companies weren't supporting wireless 
networking but users were doing it anyway, setting up rogue access 
points with no central security management or strategy.

Now, Pescatore said, companies are supporting wireless and following 
security precautions. For example, he said businesses are more aware 
that they need something "stronger than password authentication," so 
he is seeing more companies rely upon secondary authentication.

Fellow Gartner analyst Ken Dulaney agrees. "This has become less of an 
issue," he said, for two primary reasons. First, "WPA2 has given us 
very good security, and the devices themselves are better protected 
than in past years."

He said there are now multiple levels of security implemented and 
extending to the desktop itself - such as PC firewalls - instead of a 
reliance on perimeter security only. "People are beginning to realize 
that protecting the environment is not working," he said.

Farpoint Group analyst and Computerworld columnist Craig Mathias said 
in an e-mail response that the wireless security threat should be 
divided into curious, casual hackers and professional data thieves. As 
for the casual hacker, he said, "I think the war-driving days are 
over; there's no real sport left in that, and simple WPA or WPA2 
security are quite effective here."

Mathias said the bigger threat is the professional data thieves, and 
they don't typically attack wirelessly. "Rather, they use physical 
theft, social engineering and exploiting known weaknesses to get what 
they want. The best way to counter this is to stop thinking about 
wireless security and start thinking about network security. This 
means end-to-end VPN-based encryption, encrypting sensitive data 
anywhere it is stored, and using strong two-factor authentication on 
every sensitive resource."

Any wireless hacks out there?

So, aren't there any big wireless hacks out there? "I don't know of 
any [recent] significant wireless breaches," said consultant Jack 
Gold, of J. Gold Associates, via e-mail. He said most companies have 
gotten pretty good at security.

"Not only have they turned on the security on the AP, but they also 
generally run some sort of firewall and isolate each location from the 
rest of the network," he said. "So any 'wireless hackers' would 
generally have to break through the wireless security, [and] then 
also have to break through the firewalls to get beyond the local 
network. Not impossible, but this is a hard thing to do, and do you 
really want to be sitting in a car outside a shopping center trying to 
hack in for a long period of time? Probably not."

Dulaney also didn't know of any such wireless breaches.

Pescatore didn't know of any documented cases, but he has his 
suspicions. "I have to believe that in some cases there have been 
targeted wireless sniffing attacks or man-in-the-middle attacks," he 
said. He suspects this because he knows of breaches where the thief 
left no electronic trail, like there usually is in a wired intrusion.

He said the attackers could have been unusually proficient and covered 
their tracks, but the victim companies kept good network and firewall 
logs that contained no evidence at all. "That's when you realize, 
somebody sniffing wirelessly doesn't leave a trail," he said.

The computer trade press certainly believes a big wireless security 
threat still exists. The "Top 10 Tips for Wireless Security" story is 
a staple, regurgitated again and again in different forms, much like 
the "How to Lose 10 Pounds in a Week" or "Is He The Right One?" 
articles in other magazines.

In fact, Computerworld just trotted out another one last week. I 
e-mailed the columnist to ask if it was really a big problem and if he 
knew of any examples of wireless data theft. He seemed shocked at my 
ignorance. He said my query could almost be material for another 
column (look for one soon; these people aren't paid chicken feed!).

"Attackers love ignorance, and this is a great case of it," he said. 
"I am not insulting you. I am just saying that it is these 
misperceptions that give people a false sense of security and hackers 
a ... dream."

I thanked him for his reply and asked him to help me overcome my 
ignorance by answering my original questions as to how exactly a 
wireless hacker would go about stealing data from even an unsecured 
network at a private home or company and if he knew of any specific 
instances of such theft, beyond hearsay reports.

He didn't provide any specific techniques but said anyone with basic 
computer and networking knowledge could do it. He said he knew of 
wireless breaches but couldn't talk about them.

I asked several other people and no one knew exactly how to access 
even an unprotected wireless network and steal stuff. Even the Web 
wasn't much help - just a lot of vague references.

As near as I can tell, you would have to practically beg somebody to 
steal from you: don't encrypt, don't change default SSID, don't change 
default password, turn on sharing for your PC and turn off the 
firewall, make sure your bank account number and password are readily 
available, etc.

I guess there are people doing all that, but I wonder what they have 
to steal and who's putting much effort into finding them.

If even one default is changed, it appears you would have to resort to 
sniffers or frame generators or traffic injectors or something equally 
labor- and time-intensive.

So maybe there are master hackers out there with arcane methods of 
compromising wireless networks and installing bots, spyware, Trojans 
and what-have-you, and they cover their tracks and no one knows about 

Yeah, right.

Please drop me a line if you know of any wireless breaches. Or if you 
know exactly how one would steal data from a home or company with a 
wireless network -- what tools you would use and how you would use 
them. Or if you have any thoughts on the subject at all. I would love 
to hear from you. Use the "Send Us Feedback" link below or send e-mail 
to david_ramel at computerworld.com.

