Wireless Security Attacks and Defenses
An anonymous reader writes "IT-Observer is running a comprehensive overview of wireless attacks and defenses. From the article: 'Wireless technology can provide numerous benefits in the business world. By deploying wireless networks, customers, partners, and employees are given the freedom of mobility from within and from outside of the organization. This can help businesses to increase productivity and effectiveness, lower costs and increase scalability, improve relationships with business partners, and attract new customers.'"
I suggest replacing the phrase "increase productivity and effectiveness, lower costs and increase scalability, improve relationships with business partners, and attract new customers." with "blah." This way we can write things like "X will help businesses to blah" knowing "blah" stands for "do anything that business wants done." As an added bonus, we won't have to change "blah" every time stupid business buzzwords change. "Blah" always means whatever buzzwords are in vogue.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
..yet not a mention of WPA
...IMO indicates a major problem behind the thinking of many corporate IT departments. Anyone who grants a machine access to sensitive or confidential data simply because it is on the network is a moron.
Know what confidential data you can access by simply connecting a computer to the network at my school and most universities, for that matter? Almost nothing! All confidential data should be protected with end-to-end encryption, then the worst that can happen if a third party gets a machine on the internal network is that they can use excessive amounts of bandwidth. Denial-of-service attacks are much easier to recover from than (possible) leaks of confidential data.
Look at page 3. It's the one where they tell you what you should do to secure your network.
Bullshit. Everything you need to do this can be found on a single Linux LiveCD (Auditor Linux) including the kit for doing replay attacks. Only unmotivated "hackers" will fail to crack WEP.
Score: 0/1
Bullshit. Again, this will only get people who are unmotivated. MAC spoofing is a triviality. It typically will stop drive-by users of wifi, because they can usually find one that has no "protection" and they can use that. MAC restriction will NOT stop anyone who wants onto your network for any reason other than a minor whim.
Score: 0/2
Using a halfway decent scanner makes ANY settings changes you do (besides turning on WPA) utterly useless.
Score: 0/3
Again, a good scanner makes this irrelevant.
Score: 0/4
Uh, this is the same thing as "mac address blocking". They're the SAME FEATURE, just one is default accept, and the other is default deny.
Score: 0/5 (I should really assign a negative point for trying to use the same feature as a bullet point twice, but I'll be nice.)
If someone has physical access to your AP, you're fucked anyway. If they can do remote admin in your AP, you're an idiot anyway - and turning off remote admin isn't even listed as a good idea here.
Score: 0/6
No, it isn't. A few moments of sniffing will tell you what you need to know. Utterly useless and it just makes your life harder.
Score: 0/7
This article tells you nothing about how to effectively secure your network. In fact, it tells you to do a whole bunch of things that won't work.
Want to secure wifi? There is only one means to do so, and that is to use a tunnel with strong encryption. Whether you're using com
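The three weaknesses that comment leans on (WEP is cheap to crack, replay works, a sniffer hands you the keystream) can be shown in a few lines. What follows is an added example, not code from the thread or from IT-Observer: a toy WEP in Python (RC4 keyed with the 24-bit IV prepended to a 5-byte key, CRC-32 ICV, as in the 802.11-1999 WEP design) and three attacks that never touch the key: recovering the keystream for an IV from one frame whose plaintext is known and using it to read another frame sent under the same IV, flipping chosen bits in a frame while patching the ICV (CRC-32 is affine), and replaying a captured frame, which the receiver accepts because WEP has no replay counter. The secret key, IV and packet contents are constructed for the demo.

```python
import zlib

# Constructed values for the demo; the attacks below never use SECRET.
SECRET = bytes.fromhex("0102030405")     # 40-bit WEP key (the "64-bit" setting)
IV = bytes.fromhex("0a0b0c")              # 24-bit IV; guaranteed to repeat within 2^24 frames


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the generated keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended to the plaintext."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: IV in clear, then RC4(iv||key) over plaintext||ICV."""
    return iv + rc4(iv + secret, plaintext + icv(plaintext))


def wep_decrypt(secret: bytes, frame: bytes):
    """Receiver side: returns (plaintext, icv_ok). WEP has no replay check at all."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + secret, body)
    return clear[:-4], icv(clear[:-4]) == clear[-4:]


# --- Attack 1: keystream reuse. One frame with guessable content (ARP, DHCP, or a
# frame you injected yourself) gives the keystream for its IV.
def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Read any other frame sent under the same IV, without the key."""
    body = frame[3:]
    return xor(body, keystream[: len(body)])[:-4]


# --- Attack 2: bit flipping. CRC-32 is affine, so crc(p ^ d) = crc(p) ^ crc(d) ^ crc(0^n):
# XOR the chosen delta into the ciphertext and patch the encrypted ICV to match.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def demo() -> dict:
    """Runs all three attacks against frames the demo encrypts itself."""
    arp = b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(12)   # constructed "known" ARP header
    frame1 = wep_encrypt(SECRET, IV, arp)
    frame2 = wep_encrypt(SECRET, IV, b"admin:hunter2")       # same IV, unknown content
    ks = keystream_from_known_plaintext(frame1, arp)
    read_without_key = decrypt_with_keystream(frame2, ks)

    req = b"GET /index.html"
    frame3 = wep_encrypt(SECRET, IV, req)
    forged = flip_bits(frame3, xor(req, b"GET /admin.html"))  # attacker knows only req
    forged_plain, forged_ok = wep_decrypt(SECRET, forged)

    _, replay_ok = wep_decrypt(SECRET, frame3)               # same bytes, accepted again
    return {"read_without_key": read_without_key,
            "forged": forged_plain, "forged_icv_ok": forged_ok,
            "replay_icv_ok": replay_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the ICV patch is the one the comment is making about "replay attacks" kits: once a single keystream is known, an attacker can both read and fabricate traffic on that IV, and nothing in WEP distinguishes a replayed frame from a fresh one. Real tools go further (IV-based key recovery), but this is enough to see why turning on WEP does not change the score.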
Not even a mention of WPA2, certificates (hardware/software), or any other actual security measures in there. Some decent stuff about PEBKAC errors in the beginning, and other changes that should be obvious to any netadmin with two brain cells to rub together, but TFA is really not even worth the time it takes to read.
Which is a very good reason for not implementing it. I would strongly advise any business not to install IT which they don't understand how to implement and secure properly, because they would be, unwittingly, leaving the door open.
Here in the rarified atmosphere of /. we may laugh at the lamers and their pathetic inability to utilise IT. Out there in the real world people are simply getting on with it. Maybe they have better things to spend their time and money on than installing all the latest geek toys.
As a frinstance, my brother is a very successful salesman. He doesn't even own a laptop and can see no reason to do so. He's too busy earning a great deal more money than I do to bother about it.
OK. The cable itself is cheap. Putting it where it needs to be is expensive. At my company, we hire outside contractors to run all of our cable. It seems like there are always spools of cable lying around, and guys with their feet on a ladder and their heads in the ceiling. Since an outside company is doing this, it turns a $10/hour worker into a $30/hour or more expense to my company.
But still, the wireless is usually used for the manager laptops. They have to be able to check Lookout ^h^h^h^h^h^h^h Outlook in meetings.
"-1 Troll" is apparently the same as "-1 I disagree with you."
The article doesn't mention several things, like the more modern methods that wireless hackers are using to breach security. Instead of attacking at layer 3, attackers these days are focusing on layer 2 attacks... they're attacking the wireless device drivers themselves, looking for a way in. I heard a podcast where Joshua Wright was mentioning taking over devices that way so as to avoid those pesky firewalls. I just googled wireless hack layer 2 stack driver joshua wright to find some articles. You're on your own for specifics though - just say no to script kiddies.
It is possible to construct a Faraday Cage to block wireless network signals without blocking cell phone communications... Wireless networking uses 2.4 GHz signals. Cell phones use entirely different frequencies.
Try it yourself! Place your cell phone in a microwave, close the door (but don't turn it on, of course), and call your cell phone. If your phone rings, then the cell phone signal made it past the microwave's faraday cage. And microwave and wireless networking signals are almost the same -- my network throughput dies whenever I use my microwave.
NOTE: Different cell phone frequencies exist, so YMMV. I can't try this myself (no land-line) but according to what I learned in physics class (LONG ago), I'm pretty confident it should work just fine. Anyone want to give this experiment a try and post how it worked for you?
That's why Al G. Bell invented the landline. He foresaw that cellular would suffer limitations which only landline could prevent.
Funny the moment I read "which had come equipped with a factory-installed 802.11g antenna" I knew there wouldn't be anything of value.
Haven't read TFA, just your summary here. Thanks for exposing your brain to this IQ sucking pap so the rest of us don't have to. Do they really call WEP "Wireless Encryption Protocol?" Because it means Wired Equivalent Privacy. They got every fucking word in the acronym wrong!
WEP is also, as you point out, not anywhere equivalent to wired privacy.
Sigh.
"Hey, look at me! I just read two chapters in a "Wireless for Dummies" book and I'm getting paid to write an article in a trade journal!"
Where's the justice?
I maintain a wireless network of over 40 APs for a college campus. This article spends much time on nothing.
a) 'default' SSIDS are irrelevant. It doesn't make the networks easier to find. It's not like when I ask windows to "View Wireless Networks" it only shows me the ones called "linksys". Perhaps at one time seeing a router called 'linksys' might have made me think that the user is less likely to be running encryption but under XP it tells me right away which ones are encrypted and which aren't.
b) Warchalking - old hat. Perhaps before it was feasible to simply leave my PDA running as I walk around and report all the APs it sees this might have been useful.
c) WEP - You've got to be joking. The article mentions the 'newer 128-bit specification' doesn't mention DWEP using 802.1x or WPA. Either make it much harder to crack.
d) IDS - Possibly useful but really only once someone is accessing your system via your wireless.
e) MACs - The article seems to vacillate here, on one hand saying that MAC isn't meant for access control and on the other saying that you should use them for ACLs. MAC authentication is useless; it's trivial to find a useful MAC address on any network that's used regularly.
f) DHCP - Stupid. Disabling it stops very little for very long. The vast majority of WLANs are using one of the three non-routable IP ranges. It wouldn't take me long to find one that's accessible. It also introduces a serious pain for the maintainers of the network.
What it should mention are the following:
a) Authentication - 802.1x preferably. I personally don't like web portals as it makes it easier to fool users with "evil twin" attacks.
b) WPA2, using WEP or ideally AES.
c) For corporate WLANs use a system that can use your own wireless networks to detect rogue APs. I'm using Nortel (now Cisco) 2270 (with 2230 APs) and I have SNMP traps which warn me when someone in the WLAN starts up an AP.
d) VLANS - keep the WLAN traffic restricted to particular ports, destinations.
e) Have a written policy for your users. Make them understand that adding their own wireless equipment is forbidden.
f) Using some kind of authentication on your ethernet jacks helps - it's hard to find an AP that will do 802.1x on the WAN side. Even so, it would be tied to a particular user. Using the information from (c) you can just disable their account.
g) Invest in a solution that keeps users' OS and virus software up-to-date.
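To make the MAC point in (e), the SSID point in (a) and the rogue-AP detection in the second list's (c) concrete, here is an added example (mine, not code from the thread, from IT-Observer, or from any vendor's controller): a minimal 802.11 frame parser in Python run over a constructed capture of beacons, a probe response and data frames. It pulls out what a few minutes of sniffing hands an attacker and what a campus admin wants from a controller: the client MACs currently associated to each BSSID (exactly the addresses a MAC ACL admits, ready to be spoofed), the SSID of a "hidden" network recovered from the AP's own probe response, the Privacy capability bit that says whether an AP is encrypted at all, and every BSSID missing from the managed inventory, with those advertising a corporate SSID flagged as evil twins. The MAC addresses, SSIDs and inventory are all constructed.

```python
import struct
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def macstr(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


# --- Frame builders, used only to construct the sample capture ---------------
def mgmt_frame(subtype: int, bssid: str, dst: str, ssid: str, privacy: bool) -> bytes:
    """Beacon (subtype 8) or probe response (subtype 5); addr1=DA, addr2=SA, addr3=BSSID."""
    fc = bytes([subtype << 4, 0x00])                 # type 0 = management, no flags
    hdr = fc + b"\x00\x00" + mac(dst) + mac(bssid) + mac(bssid) + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)        # ESS, plus the Privacy bit
    fixed = bytes(8) + struct.pack("<HH", 100, cap)  # timestamp, beacon interval, capability
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()   # SSID element (tag 0)


def data_frame(bssid: str, client: str, to_ds: bool, protected: bool) -> bytes:
    """ToDS: addr1=BSSID, addr2=client.  FromDS: addr1=client, addr2=BSSID."""
    flags = (0x01 if to_ds else 0x02) | (0x40 if protected else 0)
    fc = bytes([0x08, flags])                        # type 2 = data, subtype 0
    a1, a2 = (bssid, client) if to_ds else (client, bssid)
    return fc + b"\x00\x00" + mac(a1) + mac(a2) + mac(BCAST) + b"\x00\x00" + b"\xaa" * 16


# --- Parser: the fields are in the clear even when the payload is encrypted ----
def parse(raw: bytes) -> dict:
    fc0, fc1 = raw[0], raw[1]
    f = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4,
         "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02),
         "protected": bool(fc1 & 0x40),
         "a1": macstr(raw[4:10]), "a2": macstr(raw[10:16]), "a3": macstr(raw[16:22])}
    if f["type"] == 0 and f["subtype"] in (8, 5):
        body = raw[24:]
        f["privacy"] = bool(struct.unpack("<H", body[10:12])[0] & 0x0010)
        f["ssid"] = None
        pos = 12                                     # walk the information elements
        while pos + 2 <= len(body):
            tag, ln = body[pos], body[pos + 1]
            if tag == 0:
                f["ssid"] = body[pos + 2:pos + 2 + ln].decode(errors="replace")
                break
            pos += 2 + ln
    return f


def survey(frames, managed_bssids, corporate_ssids) -> dict:
    aps, clients = {}, defaultdict(set)
    for f in map(parse, frames):
        if f["type"] == 0 and f["subtype"] in (8, 5):
            ap = aps.setdefault(f["a3"], {"ssid": None, "privacy": f["privacy"]})
            if f["ssid"]:                            # probe response reveals a hidden SSID
                ap["ssid"] = f["ssid"]
        elif f["type"] == 2:
            bssid, client = (f["a1"], f["a2"]) if f["to_ds"] else (f["a2"], f["a1"])
            clients[bssid].add(client)               # an address the MAC ACL already admits
    rogues = {b: ap for b, ap in aps.items() if b not in managed_bssids}
    return {
        "aps": aps,
        "clients": {b: sorted(c) for b, c in clients.items()},
        "open": sorted(b for b, ap in aps.items() if not ap["privacy"]),
        "rogues": sorted(rogues),
        "evil_twins": sorted(b for b, ap in rogues.items() if ap["ssid"] in corporate_ssids),
    }


# --- Constructed sample capture and inventory ---------------------------------
MANAGED = {"00:11:22:33:44:01"}
CORPORATE = {"campus-secure"}
CAPTURE = [
    mgmt_frame(8, "00:11:22:33:44:01", BCAST, "", True),                  # beacon, SSID hidden
    mgmt_frame(5, "00:11:22:33:44:01", "00:aa:bb:cc:dd:01", "campus-secure", True),
    data_frame("00:11:22:33:44:01", "00:aa:bb:cc:dd:01", True, True),
    data_frame("00:11:22:33:44:01", "00:aa:bb:cc:dd:02", True, True),
    data_frame("00:11:22:33:44:01", "00:aa:bb:cc:dd:03", False, True),
    mgmt_frame(8, "00:de:ad:be:ef:01", BCAST, "campus-secure", False),    # evil twin, open
    mgmt_frame(8, "00:de:ad:be:ef:02", BCAST, "linksys", False),          # someone's own AP
]

if __name__ == "__main__":
    for k, v in survey(CAPTURE, MANAGED, CORPORATE).items():
        print(k, v)
```

On a real capture you would feed `parse()` the 802.11 header bytes after the radiotap header from monitor-mode frames; nothing it reads is encrypted by WEP or WPA, which is why hiding the SSID, filtering MACs and disabling DHCP buy nothing against someone who sniffs first. The same parse is what a controller-based rogue detector does with its own APs' scan results before matching BSSIDs against the inventory.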
The May 10th, 2006 date on this article must be wrong. The article is obviously months or years old. The lack of information about WPA, the discussion of warchalking and the dates of the referenced material all indicate this article was written sometime in early 2005 or late 2004. It was posted on invulnerableit in 11/2005, but I suspect it is older than that.