Slashdot Mirror
AirTraf 802.11b Security Package
An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."
As the article points out, they can be a hastle. Metal in the walls, elevators, stairs, etc.
The problem with site surveys is that you have to load expensive software onto a laptop or handheld computer, and go wandering the halls looking for rogue bases, rogue access, and other violations of good security practices. The wandering minstrel who's singing the song of good security must be in the right place at the right time. Invariably, this is a hit-or-miss process, great for finding good places to mount access points, but horrible at making a hit on a security violation. You'd have to traipse the halls and haunt the parking lots, lurking... waiting... like a creepy stalker, trying to find anything out of the ordinary; and you'd still be unable to be in all places at once.
--------
Free your mind.
But like most wireless security tools, are the people with ill intent just going to turn it around and use it for their own ends?
Oh well...if the claims are correct, it will all be irrelevant when WPA releases later in the summer.
Is there any way to do triangulation if you have more than one base station? Then you could do some spatial security as well, by restricting access to particular zones (say, within your own building). I know the cell phone companies have been trying to implement E911 locating for a while ... could you do such a thing with a carefully written 802.11 driver?
Toronto-area transit rider? Rate your ride.
I've always wondered why wireless security can be such a problem. Why hasn't someone devised a wireless system where encryption is hard to crack? Take a look at SSL: if you have someone listening to the wire, it's hard to get any good information from it based on the way the protocol works. Why can't the same thing be applied to wireless? The only real difference is you don't have to go through the trouble of intercepting the packets on a wire.
- tristan
If anyone knows of any agencies progressive enough to jump on the wireless bandwagon, pipe up. Otherwise I think it's just another victim of the hype monster.
Wired Cat5e = Secure
:)
Wireless 802.11(a,b,g) = unsecure
I have cracked 'secure' wep's in a matter of hours, and the more traffic going over the network, the easier it is. All you need is about a gig of traffic, and blamo, wep key in shining black letters right in front of you. I'm sorry guys, beaming a signal through the air is not secure (as shown by the amazing security from the satelite TV companies, I think we have all had a h card at some point, or other varients)
The only problem I have ever had with wired lines is bad planning. Providing you know where your workstations are going to go, and how you plan on growing, wires are just fine and MUCH faster!!
No I didnt spell check this post...
It's clear to me that no matter how much arm waving is done by security experts and those who stand to profit from the implementation of wireless security (cough, IBM), nothing short of tragedy can motivate American organizations to take security seriously.
Security is NOT a necessity - in fact, many of the things people are trying to "protect" these days don't need to be protected at all - security consultants just want to rake in commissions as they help their clients "secure" their data.
It's high time that these profiteers take off their Microsoft hats and start acting with the best interest of the end-user in mind.
It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information.
As useful as this is, its not going todo much to detect or stop the fact that these are just radio waves. And you can't "detect" a hunk of metal out there picking up on them. Almost all new cards are capable of being put into RF monitor mode and sniffing raw 802.11b frames without transmitting anything.
Prism II and Cisco based cards can do it out of the box. Orinoco cards can do it with a patched driver (patched orinoco-cs on linux, WildPackets driver on Windows).
On top of that, AirSnort now compiles on Windows. Its not a fun/easy setup and still has a lot of problems, but it works.
FACT: The Illuminati is using 802.11b as a carrier for their Mind Control Rays. When "reputable sources" speak of 802.11b security, they really want you to work closely with an 802.11b source for a while so you receive their programming.
Real 802.11b security can be achieved by the following means:
Purchase a 15 meter (~50') roll of tin foil.
Wash your hair with baking soda. Don't use commerical brands, they have 802.11b signal enhancers which tune your noggin to their Mind Control Ray.
Once dry, wrap your head in a clockwise fashion with the tin foil. Ensure you cover the top of your head, your ears and base of the neck. You can poke small holes in each side to allow sound to reach your ears.
Sit back and laugh knowing that you have true 802.11b security and are safe from The Illuminati's Mind Control Rays.
Who's that at my door? )(#@Ujf0d923j 329 32
CARRIER LOST
Trolling is a art,
Since no one else linked to it: AirTraf's web site
Also, This link goes to Elixar, the AirTraf project team's new company.
Why do I h8 apple?
WEP is a miserable encryption algorithm. It can be brute-forced within hours, or passively within a day or two. Simply by having WEP enabled on your access point is *no* guarantee whatsoever that your data is secure.
Now, having everything SSH tunnelled and then wrapped in a flaky WEP crust, that's different... But WEP for 802.11(x) makes about as much sense as a bicycle for a mermaid.
Bowie J. Poag
It's been my experience that all consumer grade access points come with all security features turned off. WEP and MAC filtering are not enabled until the user/admin turns them on. Realistically I don't see this situation changing any. What's the alternative - setting a default WEP password that ships with thousands of identical AP's?
Part of this is an ease of use issue. When you install your first access point you just want to get the thing working. After the initial joy of a succesfull installation it's up to you to turn on WEP and enable MAC filtering. Even then your WiFi network won't be truly secure.
Bummer
Ignorance is bliss, right up until someone with rogue access drives away with your company secrets
Most wardriving is about finding an open network where you can pull your favorite pr0n from your car on your laptop. And probably for the sheer fun of hacking too. Now, if the admin(s) of a company relie on pirates not being able to plug into the physical ethernet socket for his security, he/they surely should be fired.
In most companies, even if someone gains access to the intranet through 802.11b, he's not going to do much, as the real meat of the company will probably be protected even there. He might get to play with some Windows boxes, see hostnames, sniff this or that, but that's all. True, it's very much better if the guy doesn't see anything in the intranet in the first place, but still, in that worst-case scenario, there is a reasonable level of security left in companies with a decent admin.
Now, 802.11b isn't so secure. If you're really worried, don't use it. If you're really worried and you really want wi-fi, run tunnels over it : it's far from ideal but it's quite secure.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Yet nobody will put the latest service pack on.
Microsoft software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux. The amount of FUD spread about it is all out of proportion to its flaws, and is probably due to a complete lack of familiarity of its features by its detractors, who would of course use it if it was free. It is this same lack of familiarity that is preyed upon by vendors who would rather sell a $10,000 band-aid than a $50 book.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
1) Terminate your wireless AP outside your network
2) Use strong VPN software to access your network
3) Only allow the AP to talk to the VPN box
So what's the result?
- no WEP problems
- nobody on wireless is inside your network
- nobody can steal access
It's certainly the only sane response I've seen. Other than, of course, "Don't allow wireless at work" which is rapidly becoming the standard.
The USSR did a ton of traditional espionage, and a million ton of industrial espionage. Their attempts at landing on the moon was done with a capsule that was a near-perfect copy of the Apollo. Their space shuttle (Buran, or whatever it was called) was an exact replica of the US shuttles. The TU-144, the Russian commercial supersonic airliner, was an exact copy of the Concorde (it was nicknamed the Concordski). Some of the cars destined to the rich russians, like the GAZ Volga, look exactly like US models, etc etc ...
This is not limited to the former USSR : all eastern block countries have done it, and China stil does heavy industrial espionage.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
That might be the case for the Tu-144, but the Soviet lunar project was hardly a copy of the Apollo. They were, after all, trying to get there before the U.S. (although they didn't succeed.) It had some very different attributes, and was derived from the Soyuz program.
Buran certainly was, ahem, heavily inspired by the U.S. space shuttle, but was different in some ways -- for one thing it was intended to be able to operate without any crew.
Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WAVEsec.
Rather than saying that 802.11x is analogous to a network, think of it as being analogous to an RJ-45 wall jack. If you placed a wall jack in a public area of your local shopping mall you would realize that it is insecure and is exposing your network to the world. Knowing this you would take some action to secure that wall jack. You might disable the port at the switch or you may have a firewall set up to allow the wall jack to be used but prevent unauthorized access to your private network.
The same procedure should be used with wireless. Setting up an access point is the same as placing that RJ-45 jack in the shopping mall. You need to isolate the traffic to and from the wireless access point. A firewall could be used for this but, perhaps the best way would be to establish a VPN server between the access point and your private network. This way, unathorized access can only see the front facing VPN server and nothing else on your network.
Don't look for security in 802.11x, it isn't there. At the same time, Cat5e by itself offers no security. The security that you associate with Cat5e comes only from the physical security surrounding the wall jacks and switches. If you expose the wall jacks, it's a whole new ball game.
The word about the Tu144 is that the Concorde prototype plans that were acquired by the Soviets contained some deliberate mistakes (an old engineering trick) and these led to the crash.
The Russians did have some very good copies of the VAX 11/780 though running VMS. It was only through an almighty balls up by Digital that they lost their advantage after the end of the Soviet Union. HP did wel out of Digital's mistake.
See my journal, I write things there
In reality, you want to firewall off the AP and then use SSL to tunnel through it as you suggest. If they had built something better into the spec like IPsec (as good as SSL, but implemented deeper in the protocol stack), it would have been much better. Setting up SSL properly isn't so easy and it woould be nice to give the average WEP user something that works 'out of the box'.
See my journal, I write things there
The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.
OK here we go:
All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) indetifiers consist of the ubiquitous MAC address and an SSID. Alllthe client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.
Some stoggy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalancy Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithim was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to preform differential crypto-analyses (aka extracting the keys from a bunch of traffic based on how they are encypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challanged intruder to compromise the best access points.
Security for the wireless:
Most commercial access points will allow at least some of the following:
Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.
Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, nad get on while a client isn't on.
Stuff only a few vendors do:
Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very detemined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).
Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficent information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.
A "Best Practice" with wireless is to do some or all of the above, and attach the access point the the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.
Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play marco polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neihborhood HAM operator, but a coffee can works pretty well in a pinch).
Stuff you should know about site surving:
Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this knid of thing.
The tool De Jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.
Have you policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).
Good luck and happy hunting,
Spyder