AirTraf 802.11b Security Package

An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."

Site Surveys

[Gortbusters.org]

As the article points out, they can be a hastle. Metal in the walls, elevators, stairs, etc.

The problem with site surveys is that you have to load expensive software onto a laptop or handheld computer, and go wandering the halls looking for rogue bases, rogue access, and other violations of good security practices. The wandering minstrel who's singing the song of good security must be in the right place at the right time. Invariably, this is a hit-or-miss process, great for finding good places to mount access points, but horrible at making a hit on a security violation. You'd have to traipse the halls and haunt the parking lots, lurking... waiting... like a creepy stalker, trying to find anything out of the ordinary; and you'd still be unable to be in all places at once.

triangulation

[s20451]

Is there any way to do triangulation if you have more than one base station? Then you could do some spatial security as well, by restricting access to particular zones (say, within your own building). I know the cell phone companies have been trying to implement E911 locating for a while ... could you do such a thing with a carefully written 802.11 driver?

Re:triangulation

[killthiskid]

Yes, you can.

Wireless security

[OmniVector]

I've always wondered why wireless security can be such a problem. Why hasn't someone devised a wireless system where encryption is hard to crack? Take a look at SSL: if you have someone listening to the wire, it's hard to get any good information from it based on the way the protocol works. Why can't the same thing be applied to wireless? The only real difference is you don't have to go through the trouble of intercepting the packets on a wire.

Re:Wireless security

[illusion_2K]

Use IPSec, or some other VPN technology. They seem to fix the problem pretty well.

Network Security

[rwiedower]

After reading the article, I'm still confused as to why any defense agency would have "unsecured network access" available with wireless access. All the government places I've worked in have been extremely hesitant to allow users to even have Palms at work. None have ever been so IT-crazy that they've invested heavily in wireless networking technology, beyond simple bridging concepts. Considering that this article comes on the heels of another one a few posts back discussing how the CIA has been reluctant to invest in new tech ideas, it seems hypocritical to criticize the government for being too slow to adopt new technologies but being too quick to adopt those same ones.

If anyone knows of any agencies progressive enough to jump on the wireless bandwagon, pipe up. Otherwise I think it's just another victim of the hype monster.

Scare Tactics

[Bame+Flait]

It's clear to me that no matter how much arm waving is done by security experts and those who stand to profit from the implementation of wireless security (cough, IBM), nothing short of tragedy can motivate American organizations to take security seriously.

Security is NOT a necessity - in fact, many of the things people are trying to "protect" these days don't need to be protected at all - security consultants just want to rake in commissions as they help their clients "secure" their data.

It's high time that these profiteers take off their Microsoft hats and start acting with the best interest of the end-user in mind.

Re:Its a very very simple equation

[hpa]

Always treat your wireless network as a completely insecure network; the same way you treat the public Internet. This has the additional advantage that when visitors come to your company, they can use your wireless network to access their own home base. This can be amazingly useful.

Then use VPN to give your own staff access to the network, with the same security level you require for access from the public Internet.

WEP is not useful for anything than discouraging the casual bandwidth leech, if that matters to you at all.

RF Monitor Mode

[fliplap]

It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information.

As useful as this is, its not going todo much to detect or stop the fact that these are just radio waves. And you can't "detect" a hunk of metal out there picking up on them. Almost all new cards are capable of being put into RF monitor mode and sniffing raw 802.11b frames without transmitting anything.

Prism II and Cisco based cards can do it out of the box. Orinoco cards can do it with a patched driver (patched orinoco-cs on linux, WildPackets driver on Windows).

On top of that, AirSnort now compiles on Windows. Its not a fun/easy setup and still has a lot of problems, but it works.

Real 802.11b security

[grub]

FACT: The Illuminati is using 802.11b as a carrier for their Mind Control Rays. When "reputable sources" speak of 802.11b security, they really want you to work closely with an 802.11b source for a while so you receive their programming.

Real 802.11b security can be achieved by the following means:

Purchase a 15 meter (~50') roll of tin foil.

Wash your hair with baking soda. Don't use commerical brands, they have 802.11b signal enhancers which tune your noggin to their Mind Control Ray.

Once dry, wrap your head in a clockwise fashion with the tin foil. Ensure you cover the top of your head, your ears and base of the neck. You can poke small holes in each side to allow sound to reach your ears.

Sit back and laugh knowing that you have true 802.11b security and are safe from The Illuminati's Mind Control Rays.

Who's that at my door? )(#@Ujf0d923j 329 32

CARRIER LOST

Re:Its a very very simple equation

[s20451]

The flaw is not in the medium, it's in the protocol. Many organizations have pointed this out. The IEEE wanted to make key distribution easy, so in a system where the administrator is not absolutely on top of everything, it's very easy to learn the key and crack the network. A point-to-point, RSA encrypted wireless link should theoretically be as difficult to crack as a wired link, if designed properly.

air traf's site

[ih8apple]

Since no one else linked to it: AirTraf's web site

Also, This link goes to Elixar, the AirTraf project team's new company.

WEP = Weak Encryption Protocol

[Bowie+J.+Poag]

WEP is a miserable encryption algorithm. It can be brute-forced within hours, or passively within a day or two. Simply by having WEP enabled on your access point is *no* guarantee whatsoever that your data is secure.

Now, having everything SSH tunnelled and then wrapped in a flaky WEP crust, that's different... But WEP for 802.11(x) makes about as much sense as a bicycle for a mermaid.

Re:Is the Linksys wireless router not safe

[buckminster]

It's been my experience that all consumer grade access points come with all security features turned off. WEP and MAC filtering are not enabled until the user/admin turns them on. Realistically I don't see this situation changing any. What's the alternative - setting a default WEP password that ships with thousands of identical AP's?

Part of this is an ease of use issue. When you install your first access point you just want to get the thing working. After the initial joy of a succesfull installation it's up to you to turn on WEP and enable MAC filtering. Even then your WiFi network won't be truly secure.

Rogue 802.11b != rogue access to company secrets

[Rosco+P.+Coltrane]

Ignorance is bliss, right up until someone with rogue access drives away with your company secrets

Most wardriving is about finding an open network where you can pull your favorite pr0n from your car on your laptop. And probably for the sheer fun of hacking too. Now, if the admin(s) of a company relie on pirates not being able to plug into the physical ethernet socket for his security, he/they surely should be fired.

In most companies, even if someone gains access to the intranet through 802.11b, he's not going to do much, as the real meat of the company will probably be protected even there. He might get to play with some Windows boxes, see hostnames, sniff this or that, but that's all. True, it's very much better if the guy doesn't see anything in the intranet in the first place, but still, in that worst-case scenario, there is a reasonable level of security left in companies with a decent admin.

Now, 802.11b isn't so secure. If you're really worried, don't use it. If you're really worried and you really want wi-fi, run tunnels over it : it's far from ideal but it's quite secure.

Absolutely.

[Sheetrock]

The industry is rife with snake oil. Firewalls, IDSes, and the like are pushed to every business with a computer.

Yet nobody will put the latest service pack on.

Microsoft software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux. The amount of FUD spread about it is all out of proportion to its flaws, and is probably due to a complete lack of familiarity of its features by its detractors, who would of course use it if it was free. It is this same lack of familiarity that is preyed upon by vendors who would rather sell a $10,000 band-aid than a $50 book.

Re:Absolutely.

[gurps_npc]

Yes, today we think that MS software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux.

But we thought the same thing 24 hours BEFORE the latest service pack came out and we were WRONG

MS's larger number of previous screw ups, slower discovery rate, slower reaction rates, are a strong indication that there are and will continue to be a much higher possbility that you are MS software currently has an undiscovered security flaw waiting to be found by the next lucky fool that thinks he is the MastEr Hack3r.

In addition, it is quite apparent that the number of people capable of installing and maintaing MS software correctly and to their specifications is FAR less then the number of people capable of installing and maintaing Linux software correctly and to their specifications.

Software that is excessivley complex/difficult to install is NOT the best choice for most relatively small businesses.

Re:Its a very very simple equation

[smallpaul]

I have cracked 'secure' wep's in a matter of hours, and the more traffic going over the network, the easier it is.

It is well-known that WEP is insecure but that doesn't mean that it is impossible to send secure data over the air. It is absolutely not the case that "wires=security". If you need to transmit crucial passwords over your corporate intranet you might be smarter to encrypt than rely on the fact that nobody with access to your physical network wants to steal your data. Encryption is the key to security, not broadcast medium.

The only problem I have ever had with wired lines is bad planning. Providing you know where your workstations are going to go, and how you plan on growing, wires are just fine and MUCH faster!! :)

So you need a network drop anywhere anyone may ever want to work on their laptop (or palmtop, or wi-fi phone). Sure, if you are going to be restrictive it is easy to force people to work in the places you tell them they should work. But this can hurt productivity. Knowledge workers will have persistent wi-fi in their homes, in cafes, in restaurants (even McDonald's), in hotels, and in trains, but you're going to tell them they have to deal with wires at the office? Sorry dude, I can't help but think that you are short-sighted and will be proved so over the next few years. Wireless with true encryption will be standard almost everywhere people work.

3 simple steps to improved wireless security

1) Terminate your wireless AP outside your network
2) Use strong VPN software to access your network
3) Only allow the AP to talk to the VPN box

So what's the result?

- no WEP problems
- nobody on wireless is inside your network
- nobody can steal access

It's certainly the only sane response I've seen. Other than, of course, "Don't allow wireless at work" which is rapidly becoming the standard.

Use WaveSEC with opportunistic encryption.

[mellon]

WaveSEC is an add-on for Linux and the BSDs that lets you set up an opportunistic encryption path between your laptop and a server on the wired network. This keeps you safe from eavesdroppers who know your WEP key - indeed, with WAVEsec you don't need a WEP key.

Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WAVEsec.

Re:Its a very very simple equation

[buysse]

WEP is not useful for anything than discouraging the casual bandwidth leech, if that matters to you at all.

WEP may be useful in one other way -- it gives you some legal protection if someone else uses your wireless network to do something malicious. Running your network unencrypted could be seen as the equivalent of leaving your front door open when you're not home.

Re:Its a very very simple equation

[stacko]

This is simply not true.

First, you can create a secure wireless network. It's complex, and requires a fair amount of kit, but you can do it. The basic premise is to avoid giving an attacker enough data encrypted with the same WEP key--i.e. rotate your keys frequently. There are several options to do this: EAP/TLS, LEAP, and PEAP to name three. Set your key rotation frequency to 3600 seconds, and you're pretty much set. If you have APs that support EAP/TLS, there is an open source solution.

OTOH, find an out-of-the-way conference room with an open wired port and you're off to the races. For the longest time the default shipping configuration for Cisco switches came with all ports in monitor mode, allowing you to sniff away. (Fortunately, this appears to no longer be the case.)

The Casual /.ers's guide to 802.11(a,b,g) Security

[Spyder]

The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.

OK here we go:

All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) indetifiers consist of the ubiquitous MAC address and an SSID. Alllthe client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.

Some stoggy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalancy Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithim was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to preform differential crypto-analyses (aka extracting the keys from a bunch of traffic based on how they are encypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challanged intruder to compromise the best access points.

Security for the wireless:

Most commercial access points will allow at least some of the following:

Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.

Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, nad get on while a client isn't on.

Stuff only a few vendors do:

Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very detemined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).

Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficent information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.

A "Best Practice" with wireless is to do some or all of the above, and attach the access point the the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.

Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play marco polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neihborhood HAM operator, but a coffee can works pretty well in a pinch).

Stuff you should know about site surving:

Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this knid of thing.

The tool De Jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.

Have you policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).

Good luck and happy hunting,

Re:Its a very very simple equation

[stacko]

Ok, let's take EAP/TLS.

EAP/TLS requires that you have PKI in place. To deploy it, you have to set up a CA. Presumably anyone worth their beans will have used a secure connection to distribute the root certificate and client keys to the wireless users.

The authentication process verifies that both the client and the server are who they claim to be using certificates. If someone tries to forge packets, say with a rogue AP, they won't know the authenticator's secret key and thus the client will reject the connection.

How does your exploit pretend to be the real AP and authenticator if it doesn't know the correct secret key, or can't fake the CA chain? Welcome to the world of asymetric cryptosystems!

If you're not familiar with EAP/TLS, a quick google comes up with a whitepaper from Cisco. It covers the concepts of PKI, CA, etc.

If you can defeat 1024 bit PKI, then I think there are much more profitable things to hack aside from WLAN!