[ISN] Hacking the White House

From: InfoSec News (alerts@private)
Date: Tue Sep 11 2007 - 22:33:52 PDT


http://www.darkreading.com/document.asp?doc_id=133515

By Tim Wilson
Site Editor
Dark Reading
September 10, 2007

I'm sitting with Richard Rushing, chief security officer of AirDefense, 
on a stone bench that sits neatly between the White House and the U.S. 
Treasury Building. As we both look intently at the laptop on Rushing's 
lap, a three-foot Radio Shack antenna protrudes from his briefcase, 
pulling in transmissions from both of these carefully secured national 
institutions.

Yup, we're "war walking" the White House. We're looking for wireless 
networks that are open to hack.

As we sit, scanning the IDs of dozens of wireless networks in the area, 
the shadow of a uniformed White House security officer falls over our 
screen. He's the first one to notice our antenna, even though we've 
passed at least eight officers on our walk so far.

Damn, I'm thinking. Now we're in for an hour of police questioning, or 
maybe worse. I wonder when I'll get home tonight?

"Excuse me, gentlemen," the officer says politely. "I don't mean to 
interrupt, but what is that device you have there?"

Rushing, a trained penetration tester and ethical hacker, doesn't try to 
hide anything. "It's an antenna," he says.

The officer frowns for a moment and looks at the antenna more closely. 
Then his face brightens. "Cool," he says. "Nice. Thank you." And without 
another word, he turns and walks away, crossing the street.

And that, folks, is the only time anybody stopped us. We walked the 
entire White House grounds, circling the Old Executive Office Building 
and the Treasury. We passed at least 20 security officers while Rushing 
pointed the wireless antenna out of his briefcase (it's that little 
white box you see in the photo). Several officers appeared to notice it; 
only one of them said anything.

It could be that they knew what we were doing and didn't care, confident 
in the White House's wireless defenses. Or it could be that they saw it 
and didn't know what they were looking at. Either way, it didn't make me 
feel more confident in the security of our national institutions.

As it turned out, however, the White House's wireless defenses -- at 
least inside the fences -- were pretty sound. On a one-hour walk around 
the grounds, Rushing was able to collect data on 104 wireless networks. 
The antenna discovered 66 wireless access points, and roughly 90 
stations connected to them.

About half of the networks were unencrypted, and many of them were using 
WEP, an early wireless security technology that has been proven 
vulnerable on numerous occasions. But we weren't able to decipher any 
IDs or addresses belonging to White House staff -- most of the "open" 
connections belonged to hotels, coffee houses, and law offices in the 
surrounding neighborhood.

If President Bush was sitting on his bed, surfing ESPN via a wireless 
connection to get ready for his fantasy football season, we couldn't 
tell -- not from where we were sitting, anyway.

Despite our failure to intercept Laura Bush's personal email, Rushing's 
war walk did provide a number of lessons for enterprise network and 
security managers. Rushing, who is on a mission (along with many of his 
AirDefense colleagues) to show organizations how vulnerable their 
wireless networks can be, showed me some obvious flaws -- and potential 
hacks -- that many companies may fall prey to in the near future, if 
they haven't already.

At the Treasury building, for example, we pick up the faint trace of a 
user accessing an EV-DO wireless broadband network, bypassing both the 
building's wired network and local WiFi. Many employees are taking to 
using their personal EV-DO cards at work so they can use Websites or 
applications that aren't allowed on the corporate network.

"Some people think they're doing the company a favor by using EV-DO, but 
once you're on the Internet, you're still subject to any attack on the 
Web, and you're using a machine that you're planning to attach back into 
the company network, if you're not connected while you're sitting at the 
desk," Rushing observes. "You're still bringing risk to the company, if 
you're not following policy."

Rushing brings up the access screen for a local law firm which offers 
unencrypted guest access via WiFi. "Here, all you have to do is crack 
the password and you're in," he says. "That's not enough security." 
About 70 to 80 percent of the rogue access points that AirDefense 
uncovers are created by "guests," usually consultants or other business 
partners who are onsite and looking to get out to the Internet or their 
own company's network.

"Occasionally, we see consultants connecting to another client's network 
while they're on site with the primary client," Rushing laughs. "Talk 
about double dipping."

Later, Rushing shows me how easy it is for a phisher to duplicate one of 
these internal "guest" log-in screens and grab all the traffic from an 
unsuspecting client. "I'm surprised we don't see more of that."

After we pass the White House press room, we pick up a network called 
"ABC Wireless LAN," quite possibly a WiFi connection established for the 
use of reporters and camera crews onsite. "Some companies will have a 
mobile WLAN setup that they use when they deploy groups of employees out 
in the field," Rushing notes. "Often, they're not doing enough to 
encrypt them, or at least disguise them so that an attacker can't find 
them so easily."

Rushing also shows me how wireless networks and devices are often 
misconfigured. We pick up several Hewlett-Packard printers, which ship 
with a WiFi capability that many companies don't bother to turn off when 
they're installed. "They plug it in and it works, and they don't bother 
to read the rest of the instructions," he says. "But a printer can be a 
point of access into the network, just as a PC can."

In another network, the IT administrator has done a good job 
camouflaging the name of the network and protecting the primary access 
point with a strong password. But many administrators don't understand 
that their "secondary" APs, such as those in conference rooms or office 
floors, may be listed by name ("first floor conference") in sub-fields 
of the WLAN software, and are just as accessible as the primary AP.

"When you do wireless, you have to give up your wired network thinking," 
Rushing warns. "You can't designate one AP as the main point of access 
and put a firewall in front of it, like you do in a wired environment. 
Every AP in a wireless network is equally vulnerable. And you can't 
practically put a firewall in front of all of them."

A wireless network can be entered through any access point that can be 
found with a simple Radio Shack antenna, such as the one we've been 
using on the White House grounds, Rushing says. "In fact, in most 
businesses, it's actually easier, because I can war drive into the 
parking lot and collect data on any network that's within 100 yards or 
so," he says. "And any AP in the building could be my point of entry."

To prove his point, Rushing later pulls up WIGLE, a war drivers' 
database that contains information on some 2.8 million wireless networks 
and access points that have been mapped by hackers and hobbyists around 
the world. WIGLE provides much of the same antenna-generated data that 
we've just collected at the White House -- only it's also got a map 
function, so you can see exactly where the APs are in your area -- and 
which ones are unprotected.

"Kids are adding to WIGLE all the time -- it's one of the ways you can 
look cool," Rushing says. "The more APs you've mapped, the cooler you 
are."

Rushing superimposes the WIGLE map on Google's real-world satellite 
photo maps, so that we get an aerial view of the White House and 
surrounding area, with wireless APs represented as small rectangular 
boxes. About 4,000 wireless networks and APs have been mapped in less 
than one square mile around the White House -- at least eight of them 
are shown within the building itself. None of them shows up as 
accessible, but we can see exactly where they've been detected 
previously.

Apparently, we're not the first people to have done the White House war 
walk. "The one thing that most administrators don't know about 
wireless," Rushing says, "is how much leakage they've got. The signal 
leaks out because of poor security, or through open doors or windows, or 
even because of problems with the wireless network itself that your 
vendor doesn't tell you about. If an attacker sits there long enough, 
they can get signals that nobody intended for them to have."

Maybe it's time somebody mentioned it to the White House guards.

