Slashdot Mirror
Hacking Wireless 802.11b Nets
John Higgins writes "The Wall Street Journal has a great article on my greatest worries about setting up a wireless network in my home. White hatter Peter Shipley and Matt Peterson of, among other things, the Bay Area Wireless User Group, drove the reporter around the valley with some rudimentary equipment to
find how many corporate networks they could "see" from the street or parking lot. (Sun Micro, check your encryption!) Call me a techie lightweight, but it looks like HPNA2 for me!"
The security here is terrible. We use no authentication via radius or any other method. Anyone with a 802.11 network card, and a sufficient antenna could steal connectivity, and we could not currently tell.
There exists ways to detect this, by monitering the MAC addresses connecting to the APs on the towers, but this is not employed. Neither is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.
I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less.
If this was at Sun's Santa Clara campus, this was definitely not testing. There are several rogue wireless stations there. These are connected to the iPlanet network rather than Sun's main network, though.
Still, Sun's network is extrememly insecure in so many ways, especially internally. Getting to be an internal user is simple, with wireless and DHCP.
The SA's are pretty much powerless to secure the network, as well. Sun's red tape binds their hands. Get fired for securing the network? You bet! Go Sun!
What looks like a quick paint program scrawl of the words "secure me".
The hurdle that prevents people from using encryption and good security is time and knowledge. It took a lot of effort to get WEP turned on where I work because an understaffed IT department had to do it.
The funny part is we use 3DES hardware VPN devices for PTP T1 lines, but that is done by another department that has the time and materials to implement strong security. And they wonder why we don't trust the corporate network?
Tapping unencrypted lines is easy, one of our security people was trained in tapping fiber cables by DOD in '83. Ask how many people think that their private fiber links are truly secure?
Rather than patching together PGP/GPG, SSL, and SSH, I would strongly recommend you spend your efforts implementing IPSEC instead.
Chris
-- I need more coffee. It's Monday. There is no such thing as enough coffee on a Monday.
Require SSH2 tunnels
t ml
Augh! NO! NO!
SSH is a good protocol for secure terminal sessions, but you should never, never use it for tunneling, unless you're fond of session-timeouts and stalled connections.
SSH uses TCP, which means it's the worst protocol you can use for a tunnel... TCP guarantees the reliability of the connection - so a dropped packet can wreak havok.. the tunnel will stop and re-transmit the packet - so every other TCP connection will stall - and guess what? These stalled connections think their packets have been lost, so they retransmit their 'lost' packets - resulting in LOTS of duplicat packets.. (and if the 'original' packet was lost due to congestion, you can guess that you're gonna start flooding the tunnel - a cascade failure.)
A more technical description is available at
http://sites.inka.de/sites/bigred/devel/tcp-tcp.h
Unless you can guarantee that your network will never drop a packet, you need to use an unreliable protocol for the tunnel (think GRE - that's what it was designed for - but even UDP would be a better choice.)
Where I work, we have the whole building in San Jose set up for wireless. The way we approach security is that the wireless network is on the public internet outside the internal firewall (not on the DMZ, the wireless are completely outside).
So, in order to get to internal data while on wireless you must start up a VPN client or go through our portal. This isn't a perfect solution, people still get free bandwidth if they want, but at least they can't get to internal data.
Also, we have most of the wireless access points in public conference rooms, and a couple of them have been stolen!
- Twid
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
Have you ever noticed what stories they "indepndantly" choose to run?
Hackers hacking Sun (can you say MS-massive-security-breah-damage-control?)
Any whiff of PS2 trouble.
Pro MS anti=truat case articles.
And so on and so forth.
NBC should be ashamed they have their name associated with what is clearly just another MS publicity arm.
If you're spewing stray radio waves all over the place, whose fault is that? Is it your job to control your communications or our job to keep our ears shut?
There are other gaping holes which I feel it would be completely unfair to post in any level of detail, but suffice it to say SWAN is riddled with holes waiting to be exploited, and I hope someone decides to do something about it before a h4x0r realizes how easy it would be to own all of it.
--
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
After reading the article, it sounds to me like they're cruising around, looking for wireless LAN's that identify themselves.
By default, a wireless base station will broadcast the SSID of the wireless network of which it is part, and wireless LAN cards can join the network without already knowing the SSID of the network.
One of the simplest security practices is to turn off SSID identification broadcast at the base station. Then the wireless user has to know the name of the network in order to connect. Unfortunately, this quickly becomes a gigantic pain in the ass for the admins of the network, because who wants to go through and change the SSID every time you add a new wireless base? It's really practical only for small organizations.
Mind you, I'm sure this could be fairly easily intercepted from traffic between a user and a base station, but it's a start down the road towards hiding your wireless LAN.
WEP encryption has been proven to be an easily circumvented technology (as reported on /. once upon a time), as has this lack of SSID broadcast, but it's a start. The best bet for true security is to implement a VPN over your wireless LAN, or just treat your wireless zone as a DMZ.
Even Jesus hates listening to Creed.
I am currently using 802.11b a good bit, and have come up with a solution that I am happy with. I setup filtering to disallow any access from the 802.11 interface except to ssh. I then use ppp over ssh to connect. I have setup my laptop to do this when it brings the interface up. I would like to do IPsec, but I have not spent enough time to get it working.
Are you paranoid if you know that they just want to know everything you say and do?
Here's the berkeley study on WEP security:m l
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.ht
---
--Got Lists? | Top 95 Star Wars Line
I'll bet those sysadmins would be very surprised to discover that the 802.1b access points were even on their networks. This stuff is too cheap and bone-head easy to install. Apparently a lot of consultants of various types like to pack them around with their laptops so they don't have to futz with network cables whereever they happen to be working that day.
This isn't merely a clue problem. There is a control problem as well.
Driving arround town there are a lot of 802.11b networks that are left open on purpose. I could care less about someone sending bits over my broadband pipe. Media one might mind but that is a different matter.
If it wasn't for the fact that if I did leave the access point open someone like the author of the article would be bound to post the fact on the net as 'security expert hacked' I would have no problems leaving it open. My internal systems are all behind a firewall in any case.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/