
Wireless LAN INsecurity 2004. Robert C. Jones, M.D., LtCol, USAF, Medical Corps. CIA XXIV. Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.




3 Wireless LAN INsecurity 2004. Robert C. Jones, M.D., LtCol, USAF, Medical Corps; Staff Anesthesiologist, Andrews Air Force Base, Maryland. E-mail: rob@notbob.com. Web site: http://www.notbob.com

4 Disclaimer: Fair Use of Online Resources
- In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted.
- According to Sections 107 and 504(c) of United States Code Title 17, this material is considered to be "fair use" of copyrighted intellectual property; it is to be used for non-commercial purposes only.
- "Fair Use" is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
  - The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
  - The nature of the copyrighted work;
  - The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
  - The effect of the use upon the potential market for or value of the copyrighted work.
- The purpose and character of this presentation is nonprofit education in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted work is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.
- This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way.
- Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of Department of Redundancy Department [DoRD]).
- Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity.
FAIR USE NOTICE: This contains copyrighted material, which is reproduced under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. This material is posted without profit for the benefit of those who, by accessing this material, are expressing a prior interest in this information for research and educational purposes.

5 "We came across a company with one of these wireless networks. All their source code, everything was available. This network was beaconing, 'log onto me'... It basically had its Rolls-Royce parked in the driveway, engine running, with a sign saying 'steal me.'" -- Thubten Comberford of White Hat Technologies, a wireless security firm. http://www.wirelessdevnet.com/articles/80211security/

6 Wireless INSecurity in the News. http://www.wral.com/technology/2465963/detail.html

7 Wireless INSecurity is Big Business: $100.00 per page... Think what a bargain this lecture is!

8 The Basic Network Security Pyramid (diagram)

9 Wireless Security 2003

10 What this talk is about (slides 10 through 16 build up this one list)
- Introduction to Wireless LAN (WLAN) tech
- Overview of Wireless vs. Wired network security
- Risks of specific WLAN technologies
- Wardriving 101
- Securing WLAN Communications
- Future WLAN Security Issues
- References

17 What this talk is NOT about (slides 17 through 23 build up this one list)
- Cellular communication technology: GSM, CDMA, 2G, 2.5G, 3G, 4G...
- Uncommon alternatives to wired LANs: powerline technology, IR, laser, Avian IP
- How to hack the airwaves for fun & profit
- How to ensure 100% WLAN security
- AFH* topics: TEMPEST, HAARP, ECHELON (*Aluminum Foil Hat)

22 You can't afford perfect security: "The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year." Eckel, G. and Steen, W., Intranet Working, New Riders, 1996, p. 419

24 This Talk Is Not For You If: http://www.geocities.com/Area51/Dreamworld/1799/UNnwo2.html


26 What this talk is about (next section): Overview of Wireless vs. Wired network security

27 Introduction to Wireless vs. Wired Networking
- Wired Networking
  - Inexpensive infrastructure (CAT5 cable + NICs)
  - Expensive deployment (drilling through walls)
  - Reconfiguring network topology difficult
  - Difficult (not impossible!) to intercept communication
  - Worldwide exposure to intruders if connected to the Net
  - Fast! (10/100 Mbps Ethernet -> Gigabit Ethernet...)
  - Negligible interference from environment

28 Basic Wired Network Topology (diagram: Router, Firewall)

29 Introduction to Wireless vs. Wired Networking
- Wireless Networking
  - Expensive infrastructure (clients + APs = cha-ching!)
  - Inexpensive deployment (protocols supported in OSes)
  - Reconfiguring network topology trivial (too trivial?)
  - Ridiculously easy to intercept communication
  - Geographically constrained exposure to intruders* (*ad hoc intranetworks)
  - Relatively slow ("11 Mbps" marketingspeak = about 5 Mbps of real throughput)
  - Massive environmental interference (ISM band, path loss)

30 Basic Wireless Network Topology: Infrastructure Mode (using AP). Diagram: Firewall, Access Point. Advantages: AP security; isolated net connection. Disadvantages: AP cost, complexity; broadcast range

31 Basic Wireless Network Topology: P2P Ad Hoc Networks (STA 2003). Diagram: Firewall. Advantages: no additional hardware; geographically constrained. Disadvantages: unmanaged P2P net issues; geographically constrained

32 Basic WLAN Discovery
- Beacon mode (default for 802.11b): the AP transmits a beacon about 10 times per second with the SSID in clear text plus information on the security the AP supports (WEP, 802.1X, etc.)
- Beacon mode shut off -> probe from station (STA): a probe request with a blank or "any" SSID gets the valid SSID returned, so turning off beacons does not keep the SSID secret from anyone listening

33 Basic WLAN Authentication & Association
- Authentication: process of verifying the credentials of a client asking to join a WLAN
- Association: process of connecting a client to a given AP in the WLAN
- 802.11 standard specifies 3 states:
  - Unauthenticated + Unassociated
  - Authenticated + Unassociated
  - Authenticated + Associated

34 Authentication
- Default: Open System authentication (+/- MAC/SSID filtering). STA: "give me access" -> AP: "granted"
- Shared Key authentication (uses the WEP key). STA: "give me access" -> AP: authentication challenge (128 bytes of challenge text, sent in the clear) -> STA: authentication response (the challenge WEP-encrypted under a fresh IV) -> AP: "granted". Caveat: that challenge/response pair gives any eavesdropper a plaintext and its ciphertext under one IV, i.e. a chunk of RC4 keystream, which is why Shared Key adds nothing over Open System with WEP enabled

35 Generic Wireless Security Exploits
- Physical Theft
- Eavesdropping
- Data Modification
- Identity Spoofing/Masquerading
- Denial of Service (DoS)

36 Let's Get Physical
- Physical theft of laptop/PDA: 3rd most common network security threat facing businesses (2003)
- Laptop = expensive; proprietary data = priceless
- No one is immune (FBI; DEA; IRS; State Department; Qualcomm CEO...)
- Theft of proprietary data: #1 cause of financial loss by corporations
References: State Dept.: http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,54791,00.html; FBI/DEA/IRS: http://www.nwfusion.com/newsletters/sec/2002/01514404.html; Qualcomm CEO: http://zdnet.com.com/2100-11-523990.html?legacy=zdnn

37 Source: http://www.gocsi.com/awareness/fbi.jhtml

38 Generic Wireless Network Exploits: Physical Theft (Before). Diagram: Firewall, Access Point

39 Generic Wireless Network Exploits: Physical Theft (After). Diagram: Firewall, Access Point

40 Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving ("Gotcha!"). Diagram: Firewall, Access Point

41 Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building. Diagram: Firewall, Access Point; listeners next door: your competitor, a tabloid, a terrorist

42 Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs. Diagram: Firewall, Access Point, Rogue Access Point

43 Generic Wireless Network Exploits: Eavesdropping Case 4: P2P Ad Hoc Networks. Diagram: Firewall; insecure modem connection; insecure connection to outside APs; unwise placement; high-power client; unauthorized antenna

44 The 100 meter myth
- Increasingly powerful 802.11 clients available
- 200 mW PCMCIA cards advertise 6000+ ft range http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
- Most WiFi(R) adapters have external antenna connections; even homemade antennas work well

45 Generic Wireless Network Exploits: Data Modification (Man-in-the-Middle Attack). Diagram: Firewall, Access Point. Alice sends "Need project now!"; Cats (the attacker in the middle) listens, reads, corrupts or forges, and sends on; Bob receives "Meeting postponed; go home early" (Cats chortles). Ref: Edney, J. and Arbaugh, W.A., Real 802.11 Security, pp. 37-40

46 Generic Wireless Network Exploits: Identity Spoofing. Diagram: Firewall, Access Point. Alice's station: MAC address 0000deadbeef, SSID "default". Cats spoofs MAC address 0000deadbeef and SSID "default"; Bob cannot tell them apart, and whatever Cats does looks like your company's IP to the FBI!

47 Generic Wireless Network Exploits: Denial of Service (DoS). Diagram: Firewall, Access Point. Sources: 2.4 GHz jammer, microwave oven, Bluetooth device, cell phone


49 What this talk is about (next section): Risks of specific WLAN technologies

50 Risks of Specific WLAN technologies
- 802.11x/WiFi(TM)
  - ISM vulnerability
  - MAC/SSID authentication insecurity
  - WEP insecurity
- Bluetooth
- HIPERLAN/2 (Europe: ETSI*)
- HiSWAN (日本 [Japan]: MMAC†)
*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm
†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/

51 IEEE 802.11 Risks
- ISM: Industrial, Scientific, and Medical spectrum
- Not reserved: an unlicensed band shared with amateur and consumer devices
- Long list of things that cause interference in the 2.4 GHz range:
  - 2.4 GHz cell phones/portable phones
  - Microwave ovens
  - Stained glass windows
  - Portable jammers (illegal in USA)


53 MAC/SSID Vulnerability
- MAC = media access control address
  - Burned into every NIC at the factory
  - Easily spoofed in software (Win 9x, Linux; not Win XP), so a MAC filter only keeps out the lazy
- SSID = Service Set Identifier
  - Used to define networks
  - By default, broadcast by access points
  - Will be given out by the AP if a client is configured with an "any" or blank SSID

54 Default SSIDs
- 3Com: comcomcom
- Cisco: 2, tsunami, WaveLAN Network
- Compaq: Compaq
- DLink: WLAN
- Intel: 101, 195, xlan, intel
- Linksys: linksys, Wireless
- Netgear: Wireless
- Zcomax: any, mello, Test
http://www.iss.net/wireless/WLAN_FAQ.php; http://www.cirt.net/cgi-bin/ssids.pl
Once the SSID gives away the AP manufacturer, the default administrator username/password is trivial to look up!

55 WEP... what is WEP?
- Wired Equivalent Privacy (NOT Wireless Encryption Protocol)
- First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2 http://standards.ieee.org/getieee802/download/802.11-1999.pdf
- Never intended to provide strong security. Goals:
  - "Reasonably strong" (dependent on key length)
  - "Self-synchronizing" (for "best effort" delivery: every frame carries its own IV)
  - "Efficient" (low processor overhead)
  - "Exportable" (pre-1999 ITAR climate [Phil Zimmermann])
  - "Optional" (so lusers don't whine to hardware manufacturers when they mess up WEP on their networks; DISABLED out of the box by all OEMs as of 2003 AFAIK*)
*AFAIK = As far as I know

56 Encryption Basics
- Need to hide message (plaintext) = needle
- Generate random stuff (encryption key) = piece of hay
- Multiply random stuff (keystream) = haystack
- Hide message in haystack (XOR) -> needle + haystack (ciphertext); XOR with the same haystack again and the needle falls out, which is also why two messages hidden in the same haystack give each other away
Intro to encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm; http://www.mesda.com/files/infosecurity200309.pdf; XOR logic gate: http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html

57 How is WEP supposed to work?
- Secret key combined with the 24-bit IV (IV first), run through the WEP cipher PRNG (RC4) to produce a key sequence
- Plaintext (plus a CRC-32 integrity check value, the ICV) XORed with the key sequence; not reversible without the key sequence
- Ciphertext, with the IV prepended in the clear, sent over the airwaves in the body of the 802.11 frame
http://standards.ieee.org/getieee802/download/802.11-1999.pdf

58 What is RC4?
- One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
- Efficient stream cipher (low overhead); used in SSL encryption (online banking, etc.)
- Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
- Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994; all open-source RC4 implementations are based on this anonymous post (including WEP)!
  From: nobody@vox.xs4all.nl (An0nYm0Us UsEr)
  Newsgroups: sci.crypt
  Subject: RC4 ?
  Date: 13 Sep 1994 21:30:36 GMT
  Organization: Global Anonymous Remail Services Ltd.
  Lines: 83
  Message-ID:
  NNTP-Posting-Host: xs1.xs4all.nl
  X-Comment: This message did not originate from the above address.
  X-Comment: It was automatically remailed by an anonymous mailservice.
  X-Comment: Info: usura@xs4all.nl, Subject: remailer-help
  X-Comment: Please report inappropriate use to
  SUBJECT: RC4 Source Code
  I've tested this. It is compatible with the RC4 object module that comes in the various RSA toolkits.
  /* rc4.h */
  http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain

59 Why is WEP Broken?
- First paper: Fluhrer, Mantin, Shamir (weaknesses in the RC4 key scheduling algorithm) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
- WEP attack using the FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
- WEP standard implements RC4 improperly http://www.rsasecurity.com/rsalabs/node.asp?id=2009
- Flaws in key scheduling algorithm: large number of weak keys -> encryption easily cracked
- IV is sent in the clear with each chunk: subtract 24 bits of IV from the advertised encryption key length, and with only 2^24 possible IVs a busy network is bound to reuse one, giving the listener two frames under the same keystream
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
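The following is an added worked example, not code from the talk or from any of its sources: a pure-Python model of the WEP encapsulation described on slides 56 and 57 (RC4 keyed with IV||secret, CRC-32 ICV, IV in the clear), used to make three of the consequences discussed on slides 34 and 59 concrete. The secret key, IVs, messages and challenge texts are constructed for the demonstration; the ICV is modelled with zlib.crc32, which uses the same CRC-32 polynomial the 802.11 standard specifies. The third function goes one step beyond the slides and shows that an attacker can flip chosen bits in a WEP frame and fix up the ICV without the key, which is the "Data Modification" exploit of slide 45 and the reason WPA adds a real MIC.

```python
# Added example (not from the original talk): a pure-Python model of WEP as
# specified in IEEE 802.11-1999 sec. 8.2: RC4 keyed with IV||secret, a CRC-32
# ICV appended to the plaintext, and the 24-bit IV sent in the clear.  The three
# demo functions show what follows from that design: IV reuse leaks the XOR of
# two plaintexts, the Shared Key authentication exchange hands an eavesdropper a
# reusable keystream, and CRC-32 is affine, so ciphertext bits can be flipped
# without the key.  SECRET, IV, P1, P2 and the challenges are constructed data.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                    # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                 # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32 (zlib uses the same polynomial)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || RC4_{iv||secret}(plaintext || ICV)."""
    assert len(iv) == 3 and len(secret) in (5, 13)   # "64-bit" = 40+24, "128-bit" = 104+24
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes):
    """Return (plaintext, icv_ok); a receiver discards frames whose ICV fails."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4(iv + secret, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt, tag == icv(pt)


# 1. IV reuse: same IV + same secret => same keystream => C1 xor C2 == P1 xor P2.
def iv_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "only frames under the same IV collide"
    n = min(len(frame1), len(frame2)) - 3 - 4       # drop IV and the shorter frame's ICV
    return xor(frame1[3:3 + n], frame2[3:3 + n])


# 2. Shared Key authentication: the AP sends a 128-byte challenge in the clear and
#    the STA returns it WEP-encrypted.  A listener now holds 132 bytes of keystream
#    for that IV and can answer the AP's next challenge without knowing the key.
def recover_keystream(challenge: bytes, response_frame: bytes):
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    body = new_challenge + icv(new_challenge)     # the ICV needs no key, so the forger computes it
    return iv + xor(body, keystream[:len(body)])


def ap_accepts_auth(secret: bytes, challenge: bytes, response_frame: bytes) -> bool:
    pt, ok = wep_decrypt(secret, response_frame)
    return ok and pt == challenge


# 3. crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(0...0) for equal lengths, so the
#    encrypted ICV can be patched to match any bit-flip `delta` applied to the ciphertext.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, ct, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(delta) == len(ct)
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta) + xor(ct_icv, fix)


SECRET = bytes.fromhex("0badc0ffee")   # constructed 40-bit key ("64-bit WEP")
IV = bytes.fromhex("0a0b0c")           # constructed; a sloppy card reuses it below
P1 = b"Meeting at 3pm in room 4"
P2 = b"Wire payment to acct 99"


def demo():
    """Run all three attacks against the constructed traffic; returns their outcomes."""
    c1 = wep_encrypt(SECRET, IV, P1)
    c2 = wep_encrypt(SECRET, IV, P2)                 # same IV twice: keystream reuse
    leak_ok = iv_reuse_leak(c1, c2) == xor(P1, P2)

    challenge = bytes(range(128))                    # observed Shared Key exchange
    iv, ks = recover_keystream(challenge, wep_encrypt(SECRET, IV, challenge))
    new_challenge = bytes(255 - i for i in range(128))
    forged_ok = ap_accepts_auth(SECRET, new_challenge, forge_auth_response(iv, ks, new_challenge))

    delta = bytearray(len(P1))                        # flip "3pm" to "5pm" in c1, no key needed
    delta[P1.index(b"3")] = ord("3") ^ ord("5")
    tampered = wep_decrypt(SECRET, flip_bits(c1, bytes(delta)))
    return leak_ok, forged_ok, tampered


if __name__ == "__main__":
    print(demo())   # (True, True, (b'Meeting at 5pm in room 4', True))
```

Nothing here touches the FMS key-recovery attack; the point is that even a WEP key no one ever recovers gives an attacker plaintext XORs, a free authentication, and undetected message edits, because the design reuses keystream and has no keyed integrity check. WPA's TKIP fixes the first two with per-packet key mixing and a longer IV space, and the third with the Michael MIC.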

60 Quick Fix for WEP: WPA
- WPA = "WiFi(TM) Protected Access"
- Available as software/firmware upgrade for most chipsets/manufacturers now or soon
- Subset of the upcoming 802.11i security architecture
- Patches major vulnerabilities in WEP:
  - TKIP fixes the IV weakness, adds a MIC, per-packet key mixing, rekeying
  - Supports enterprise user authentication via EAP and 802.1X
  - SOHO mode: Pre-Shared Key (PSK); autorotates the key for you
http://www.newswireless.net/articles/021123-protect.html


62 Risks of non-802.11x WLAN technologies
- Bluetooth
  - Minimal security "out of the box"; need to RTFM
  - Security upgrade in Bluetooth Spec. 1.2 http://www.itsecurity.com/tecsnews/jun2003/jun255.htm
  - Red Fang: Bluetooth device discovery tool from @stake (formerly L0pht Heavy Industries); proof of concept, not very practical http://www.kewney.com/articles/0300910-bluestake.html
  - References: http://www.webdesk.com/bluetooth-security-issues/; www.giac.org/practical/GSEC/Tu_Niem_GSEC.pdf
- HIPERLAN/2
- HiSWAN

63 HIPERLAN/2 and HiSWAN: Future Technologies for Future Talks. Technology needs to "hit the street" for serious security issues to arise


65 What this talk is about (next section): Wardriving 101

66 Wardriving 101
- Definition: mobile discovery of WLANs
- Derived from the term "wardialing": automated dialing of telephone numbers looking for modems (as in the film WarGames)
- Related terms: warwalking, warflying, warchalking...
- NOT illegal in USA as of 2003: open ISM spectrum
- HOWEVER, ethical wardrivers NEVER connect to the networks they detect, let alone implant/steal data therefrom (see Jeff Duntemann, Drive-by WiFi Guide) http://www.paraglyphpress.com/pr02242003.php

67 Why Wardrive?
- Fun: sense of adventure a la 007
- Informative: teaches one about WLAN security
- Cheap hardware: laptop + client +/- antenna +/- GPS
- Free software: NetStumbler, BSD-Airtools, AirSnort...
- Camaraderie: group wardriving contests popular
- 31337 hobby: in-crowd lingo (WEP, )(, tsunami)
- Business tool: audit your own network to improve security / demonstrate insecurity to management

68 Wardriving Hardware
- Old laptop with WLAN client +/- GPS
- Pigtail: connects wireless card to antenna
- Antenna: omnidirectional, magnetic mount, low profile best
http://www.wardriving.com/fiva.jpg; "Duško i Vlado prizivaju bežične signale" (Duško and Vlado conjure up wireless signals): http://www.monitor.hr/interview/wireless.htm (in Croatian, from Zagreb)

69 Wardriving Software
- NetStumbler http://www.netstumbler.com/
- MacStumbler http://www.macstumbler.com/
- BSD-Airtools http://www.dachb0den.com/projects/bsd-airtools.html
- AirSnort http://airsnort.shmoo.com/
- Kismet http://www.kismetwireless.net/
- Wellenreiter http://www.wellenreiter.net/
Lots of other tools: http://wardrive.net/wardriving/tools


71 Preparing for a Safe and Ethical Wardrive
- Use a non-production box (old laptop), just in case
- Change network ID to a generic name (e.g., MSHOME, localhost)
- Update client software/firmware
- Uninstall TCP/IP from the supported wireless card
- Uninstall TCP/IP from integrated wireless (if any)
- Spoof MAC address of wireless card (can't in XP)
- Delete preferred networks (XP): Control Panel | Network | Card | Properties | Wireless Networks | Preferred Networks

72 (Screenshot) Disable prior to wardrive to prevent auto-connection to discovered APs

73 MAC Address Spoofing
Orinoco Gold on Win 98SE (screenshot)
Red Hat Linux (quoted from a Usenet post, http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain):
  edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this:
    MACADDR=AA:BB:CC:DD:EE:FF
  (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF.) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect; it shows up in the 'HWaddr' entry on the first line that ifconfig prints (YMMV RTFM HTH)

74 Conducting a Safe and Ethical Wardrive
- Read up on local/national laws before you set out
- Be careful with pigtails: fragile!
- Put the laptop in the back of the car (behind the driver) to prevent distraction (local laws against watching TV while driving, etc., plus common-sense safety)
- Drive during the day: no suspicious eerie glow
- Optimum speed around 30 MPH
- Screenshots: Shift+Print Screen or a graphics program (Paint Shop Pro, etc.); stop the car safely first if alone. PSP8: http://www.jasc.com


76 Results of a “WarSit™” in San Francisco

77 Wardriving + GPS http://www.netstumbler.com/nation.php

78 Here there be Warchalkers
- Mainly mythical meme
- Originated by Matthew D. Jones, Ph.D.
- Open node symbolized by )(
- )( often used as 31337 shorthand for wardriving
- Don't warchalk: the world has enough graffiti
http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf


80 What this talk is about (next section): Securing WLAN Communications

81 The Basics to Do Now
- Pay attention to the geographical location of the AP (parking lot coverage)
- Disable file & print sharing if not needed; never share root
- Disable SSID broadcasting (default = enabled for most products); this keeps the SSID out of beacons but not out of probe responses, so treat it as a speed bump only
- Change the SSID to something non-default which says nothing about you or your network (boring = good; Smithfamilydiamonds = bad)
- Upgrade firmware of AP/client to increase security (WPA)
- Change the default administrator login/password for the AP
- Authentication setting: the original advice here was "Shared Key" or "Auto" rather than "Open System"; note that the Shared Key handshake hands eavesdroppers a plaintext/ciphertext pair (keystream), so it buys nothing over Open System with WEP/WPA enabled
- Configure AP to enable MAC address filtering (not perfect, yes...)
- Enable WEP/WPA

82 Bbbbut... isn't WEP broken?
- Yes, but... just because your front door can be picked doesn't mean you shouldn't lock it!
- Never be low-hanging fruit for attackers
- If you just enable WEP -> more secure than 75% of WLAN users (according to wardriving data)
- If you enable WEP + change SSID from default + change AP logon/password: more secure than 95% of lusers

83 Enabling WEP: Orinoco Gold on Win 98SE (screenshot). Linksys picture modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg

84 Advanced WEP
- Freeware key generators create pseudorandom keys for you to enter (a key made from a memorable word is the first thing a dictionary attack tries)
- Rotate keys frequently (weekly for business, monthly for home at minimum)
- Make sure the highest key length WEP is enabled (remember, a "64-bit" WEP key is really just 40 bits of secret plus the 24-bit IV sent in the clear [thanks, marketing!]; "128-bit" is 104 + 24)
- Upgrade WEP to WPA as soon as possible (look for WPA support in all new hardware)

85 Advanced WLAN Security: Topology Options
- Treat all wireless communication as insecure
- Put the AP on the "unsafe" side of the firewall
- Use a VPN (private tunnel) through the internet to reach the internal network
- Impractical for SOHO networks (expensive; throughput hit)
Diagram: Firewall between "Safe Side" and "Unsafe Side"

86 Advanced WLAN Security Upgrades
- 802.1X port-based authentication: requires a dedicated authentication server (or a server process in the AP)
- RADIUS authentication: for enterprises only
- IEEE 802.11i = WPA + RSN; currently in draft form
- RSN: Robust Security Network: 802.1X + EAP + AES (non-WEP encryption protocol); will likely need a hardware upgrade to run RSN without a major hit on throughput; likely available in "mature" form in 2005-6 (the world will be beta-testing 802.11i during 2004)
RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003


88 What this talk is about (next section): Future WLAN Security Issues

89 Future WLAN Security Issues
- Biological hazards of radio communications
- Military implementation of DOS vs. WLANs/cellular
- Geographic extension of WLAN: ablation of security through propinquity (ELF; satellites with ultra-sensitive sensors)
- Legal aspects (HIPAA, due diligence) and the need to implement security and audit for rogue APs, wardrivers
- Follow-on technologies: UltraWide Band (UWB), others

90 WLAN = Biohazard?
- 3G networks have been shown to affect cognition of volunteers and create headaches, nausea
- Interestingly, enhanced memory and alertness
- As we become surrounded by WLANs, PANs, WANs, and cellular broadcasting towers, are we harming our fragile neurological systems?
- No evolutionary exposure to MW radiation at current levels… will our children’s children adapt?
http://edition.cnn.com/2003/TECH/ptech/10/01/g3.health.reut/index.html

91 Beware the Wolfpack
- Small, autonomous sensor-jammers that intelligently coalesce into a WLAN on the battlefield; 6 lb canisters initiate RF DOS within a 500 meter radius
- Link together to overpower the enemy’s WLAN/cellular communications
- Part of the DARPA XG (Next Generation) RF dominance initiative
http://www.theregister.co.uk/content/69/32361.html
http://www.defenselink.mil/news/Aug2003/n08142003_200308147.html
http://www.darpa.mil/DARPATech2002/presentations/ato_pdf/speeches/MARSHALL.pdf
http://www.darpa.mil/ato/programs/wolfpack.htm

92 Physician, Audit Thyself
- Lots of commercial products out there to audit networks for rogue APs, P2P connections, wardrivers
- May become a legal requirement in the future for HIPAA compliance (along with the advanced security afforded by RSN/802.11i [final standard anticipated May 2004])
http://www.airdefense.net/products/index.html
http://www.airmagnet.com/products/handheld.htm
http://www.wildpackets.com/products/airopeek
(Pictured: AirMagnet Handheld PAK®)

93
- Prevent theft; BIOS password; encrypt sensitive files
- Assume wardrivers, snoopers all around you
- Got WPA/802.1X?
- Change default; don’t broadcast
- Change default admin logon/password
- Enable; rotate keys manually
- Upgrade WEP ASAP
- 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
- Patch OS frequently to plug wireless security holes; read media for new WLAN exploits


95 The Tao of Network Security
- 1994-1999: Information Access
- 2000-2005: Information Denial


97 What this talk is about
- Introduction to Wireless LAN (WLAN) tech
- Overview of Wireless vs. Wired network security
- Risks of specific WLAN technologies
- Wardriving 101
- Securing WLAN Communications
- Future WLAN Security Issues
- References

98 Online Resources: WLAN Specifications
- WiFi™ Alliance (formerly WECA): http://www.weca.net/
- IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
- IEEE 802.11i: Latest draft (private): http://grouper.ieee.org/groups/802/11/private/Draft_Standards/11i/802.11i-D6.0.doc
- Lots of interesting documents: http://www.ieee802.org/11/Documents/DocumentHolder/
- Bluetooth: https://www.bluetooth.org/
- HIPERLAN/2: Official Specs: http://www.hiperlan2.com ; IEEE Communications Overview: http://www.ihp-ffo.de/systems/Doc/Vorlesung/MC/%DCbung/Gruppe7-Hiperlan/0130khun.pdf
- HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
- Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149

99 Online Resources: Basic 802.11 Security
- WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php
- WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
- WEP Insecurity: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
- WPA: http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
- Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
- Netstumbler: http://www.netstumbler.com
- Wireless Glossary: http://www.devx.com/wireless/Door/11333
- Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html

100 Online Resources: Advanced WLAN Security/Continuing Security Education
- SANS: http://www.sans.org
- Cool list of WLAN Security Links: http://is-it-true.org/pt/ptips23.shtml
- Google it: search Google for “WLAN security” and/or “WiFi® security”
- Still more whitepapers: http://www.wlana.org/learning_center.html

101 Online Resources: AFH Topics
- People are stupid: Wireless Equivalent Privacy: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search
- People are stupid 2: Wireless Encryption Protocol: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22
- HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html
- ECHELON: http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf
- TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html


103 Offline Resources: Books/Articles: Computer Security Essentials
- Skoudis E, Counter Hack, Upper Saddle River, NJ: Prentice Hall PTR, 2002. ISBN 0-13-033273-9 (amazing book! dozens of black-hat techniques with countermeasures)
- Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company, 1994. ISBN 0-201-63357-4 (a classic)
- Chapman DB, Zwicky ED, Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-124-0 (first edition includes an excellent appendix on the basics of the ISO/OSI and TCP/IP stacks)

104 Offline Resources: Books/Articles: WLAN Security
- Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable and entertaining; most practical 3-space reference thus far)
- Peikari C, Fogie S, Maximum Wireless Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])
- Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (cool time-travel aspect of the copyright [to make it seem more current]; almost incomprehensible at times, but a good reference)
