Slashdot Mirror


AirTraf 802.11b Security Package

An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."

11 of 153 comments

  1. Sounds like a great security tool... by craenor · · Score: 2, Interesting

    But like most wireless security tools, are the people with ill intent just going to turn it around and use it for their own ends?

    Oh well...if the claims are correct, it will all be irrelevant when WPA releases later in the summer.

  2. triangulation by s20451 · · Score: 5, Interesting

    Is there any way to do triangulation if you have more than one base station? Then you could do some spatial security as well, by restricting access to particular zones (say, within your own building). I know the cell phone companies have been trying to implement E911 locating for a while ... could you do such a thing with a carefully written 802.11 driver?

    --
    Toronto-area transit rider? Rate your ride.
    1. Re:triangulation by Bagheera · · Score: 2, Interesting

      Using triangulation is relatively trivial. Combining war-driving with GPS and FoxHunting techniques can yield fairly accurate positions for APs and the client cards. It gets difficult when there's a lot of them on the air, but it's still doable.

      It's technically possible to combine simple RDF (using phase discriminators) with a base station to get a directional vector. Two RDF-equipped bases would give you a point rather than a line, so it should also be possible to location limit access. Not that I've ever seen an implementation. Note it would take more than just a driver, since the antenna setup on most base stations is ill suited to use in RDF applications. We're talking specially built APs here.

      Unfortunately, the AirTraf download site seems to be a tad 'dumb' - redirecting me back to the Survey page repeatedly - so I haven't been able to play with it and see what it's capable of.

      --
      Never attribute to malice what can as easily be the result of incompetence...
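The two-bearing fix described in the reply above, as an added example that is not part of the original thread: each RDF-equipped base reports a bearing, the two rays are intersected to get a point, and the point is tested against a permitted zone. The station coordinates, bearings, zone rectangle and the names `bearing_fix` and `decide` are assumptions made for illustration.

```python
import math

def bearing_fix(p1, brg1, p2, brg2, eps=1e-9):
    """Intersect two bearing rays. Positions are (east, north) in metres,
    bearings are degrees clockwise from north. Returns (x, y) or None."""
    # Unit direction vectors: bearing 0 = north (+y), 90 = east (+x).
    d1 = (math.sin(math.radians(brg1)), math.cos(math.radians(brg1)))
    d2 = (math.sin(math.radians(brg2)), math.cos(math.radians(brg2)))
    # Solve p1 + t1*d1 == p2 + t2*d2 using the 2-D cross product.
    denom = d1[0] * d2[1] - d1[1] * d2[0]
    if abs(denom) < eps:
        return None  # parallel bearings: still a line, not a point
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    t1 = (dx * d2[1] - dy * d2[0]) / denom
    t2 = (dx * d1[1] - dy * d1[0]) / denom
    if t1 < 0 or t2 < 0:
        return None  # lines cross behind a station: readings disagree
    return (p1[0] + t1 * d1[0], p1[1] + t1 * d1[1])

def decide(p1, brg1, p2, brg2, zone):
    """Allow a client only if its fix lies inside zone = (xmin, ymin, xmax, ymax).
    No fix at all is treated as a denial (fail closed)."""
    fix = bearing_fix(p1, brg1, p2, brg2)
    if fix is None:
        return "deny"
    xmin, ymin, xmax, ymax = zone
    inside = xmin <= fix[0] <= xmax and ymin <= fix[1] <= ymax
    return "allow" if inside else "deny"

# Constructed sample data: two bases 100 m apart, building footprint 100 m x 80 m.
BASE_A, BASE_B = (0.0, 0.0), (100.0, 0.0)
BUILDING = (0.0, 0.0, 100.0, 80.0)

if __name__ == "__main__":
    for name, a, b in [("desk client", 45, 315),     # fix near (50, 50)
                       ("car park client", 45, 0),   # fix near (100, 100)
                       ("parallel readings", 90, 90),
                       ("diverging readings", 225, 135)]:
        print(name, bearing_fix(BASE_A, a, BASE_B, b),
              decide(BASE_A, a, BASE_B, b, BUILDING))
```
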
  3. Scare Tactics by Bame Flait · · Score: 3, Interesting

    It's clear to me that no matter how much arm waving is done by security experts and those who stand to profit from the implementation of wireless security (cough, IBM), nothing short of tragedy can motivate American organizations to take security seriously.

    Security is NOT a necessity - in fact, many of the things people are trying to "protect" these days don't need to be protected at all - security consultants just want to rake in commissions as they help their clients "secure" their data.

    It's high time that these profiteers take off their Microsoft hats and start acting with the best interest of the end-user in mind.

  4. Re:Its a very very simple equation by hpa · · Score: 4, Interesting

    Always treat your wireless network as a completely insecure network; the same way you treat the public Internet. This has the additional advantage that when visitors come to your company, they can use your wireless network to access their own home base. This can be amazingly useful.

    Then use VPN to give your own staff access to the network, with the same security level you require for access from the public Internet.

    WEP is not useful for anything other than discouraging the casual bandwidth leech, if that matters to you at all.

  5. Re:Growing reality ? by Rosco P. Coltrane · · Score: 2, Interesting

    The USSR did a ton of traditional espionage, and a million tons of industrial espionage. Their attempts at landing on the moon were done with a capsule that was a near-perfect copy of the Apollo. Their space shuttle (Buran, or whatever it was called) was an exact replica of the US shuttles. The TU-144, the Russian commercial supersonic airliner, was an exact copy of the Concorde (it was nicknamed the Concordski). Some of the cars destined to the rich Russians, like the GAZ Volga, look exactly like US models, etc etc ...

    This is not limited to the former USSR: all Eastern Bloc countries have done it, and China still does heavy industrial espionage.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. Use WaveSEC with opportunistic encryption. by mellon · · Score: 4, Interesting
    WaveSEC is an add-on for Linux and the BSDs that lets you set up an opportunistic encryption path between your laptop and a server on the wired network. This keeps you safe from eavesdroppers who know your WEP key - indeed, with WAVEsec you don't need a WEP key.


    Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WAVEsec.

  7. Re:Its a very very simple equation by buysse · · Score: 4, Interesting
    > WEP is not useful for anything other than discouraging the casual bandwidth leech, if that matters to you at all.

    WEP may be useful in one other way -- it gives you some legal protection if someone else uses your wireless network to do something malicious. Running your network unencrypted could be seen as the equivalent of leaving your front door open when you're not home.
    --
    -30-
  8. WEP was borked by design... by hughk · · Score: 2, Interesting
    It seems the committee approving 802.11 had no cryptographer. The protocol is borked and is unsuitable without frequent changes of key for any kind of privacy. The best bet is the MAC as most APs allow restriction of which MACs can connect, but that too can be overcome.

    In reality, you want to firewall off the AP and then use SSL to tunnel through it as you suggest. If they had built something better into the spec like IPsec (as good as SSL, but implemented deeper in the protocol stack), it would have been much better. Setting up SSL properly isn't so easy and it would be nice to give the average WEP user something that works 'out of the box'.

    --
    See my journal, I write things there
  9. Re:Its a very very simple equation by espo812 · · Score: 2, Interesting
    > No, you're wrong. You cannot create a secure WiFi network.

    Sure you can, using the same methods to create a secure wired network.

    > You can layer cruft on top and pretend it's secure but when I can send a disconnect to your wifi clients and have them associate with my rogue network, I own your ass.

    VPN. Man in the middle is inconsequential: all data is encrypted to the VPN gateway, so you can't read the data. If I can't get to the VPN I know something is up. A lot of these posts are talking about the security of wired networks, and wireless networks are insecure. Tcpdump and a collision domain is compromised. Dsniff and a broadcast domain is potentially compromised. IPsec is one of the few if not only ways to secure IP traffic on a network.
    --

    espo
  10. Re:Its a very very simple equation by stacko · · Score: 2, Interesting

    I understand where you're coming from, but EAP/TLS clients were written by people who also understand this (at least the ones I've played with). Thus, when validation of the server certificate fails, you don't get an option that says "proceed anyway". On Win XP, you get something that looks like this. No option to accept.

    That's not to say that you can't turn validation off. You can, but it requires that the user go into some in-depth options on their NIC configuration. I, the evil uber-hacker, could attempt to persuade my victim to walk through these steps or, better yet, download and install a key from my evil-CA which I would then use on the evil-rogue-AP to spoof a session.

    Shoot, at that point it's just as easy to persuade said user to download and install a trojan, which works equally well on both wired and wireless networks, rendering the security differences moot. And, as a bonus, the wired network doesn't even require that I construct and install an evil-spoofing-AP!

    All the same, if you have a link to the demo you mentioned, please post it. I'd be interested, for sure.