New Way to ID Invisible Intruders on Wireless LANs

← Back to Stories (view on slashdot.org)

New Way to ID Invisible Intruders on Wireless LANs

Posted by Zonk on Friday November 30, 2007 @01:45AM from the you-have-laboured-to-produce-a-biologic dept.

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries, instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that when used together can detect both attackers and configuration mistakes in network devices."

8 of 122 comments (clear)

Min score:

Reason:

Sort:

Virtually impossible? by morgan_greywolf · 2007-11-30 01:50 · Score: 5, Interesting

I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

--
My blog
1. Re:Virtually impossible? by cbiltcliffe · 2007-11-30 03:03 · Score: 4, Insightful
  
  and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
  If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
  WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.
  
  Using the Storm botnet as an example:
  
  There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.
  
  So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte. 96^8 = 7213895789838336 possible password combinations.
  Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most all you'd need is numbers and letters. That'll cut your time significantly.
  Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
  Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
Doesn't seem to practical by faloi · 2007-11-30 02:00 · Score: 5, Insightful

The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

It's an interesting idea, but I have a hard time seeing it become widespread.

--
"It is a miracle that curiosity survives formal education." -Albert Einstein
Damn by FredDC · 2007-11-30 02:02 · Score: 4, Funny

What? No, but this means that I[NO CARRIER]

--
09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
Triangulation by JustKidding · 2007-11-30 02:07 · Score: 4, Interesting

So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.
eavesdropping by backwardMechanic · 2007-11-30 02:13 · Score: 5, Interesting

You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?
1. Re:eavesdropping by Ungrounded+Lightning · 2007-11-30 14:42 · Score: 4, Insightful
  
  You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that?
  
  Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening.
  
  If you're truly eavesdropping you're undetectable. But do you know what the vendor put in the binary blob?
  
  --
  Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How is this ground breaking? by computerchimp · 2007-11-30 02:42 · Score: 5, Insightful

1) hopping from one router to another is detected via traditional means
2) higher than average roundtrip times are noticed via traditional means
3) signal is triangulated via traditional means to put a location on a suspected signal.

A new but an obvious proceedure that someone has decided to put to paper and product. It is a nice product to notice but this is about as ground breaking as peanut butter and chocolate.

CC