This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. NETW 05A: APPLIED WIRELESS SECURITY Unauthorized Access By Mohammad Shanehsaz February 22, 2005

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives Explain how intruders obtain network access using wireless LAN protocol analyzers, site surveying tools, and active intrusion techniques. Explain common points of attacks. Describe common non-secure configuration issues that can be the focus of an attack.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Objectives Describe weaknesses in existing security solutions. Explain security vulnerabilities associated with public access wireless networks. Explain how malicious code or file insertion occurs in wireless LAN through the use of Viral attacks and Placement of illegal content. Explain peer-to-peer hacking and how it can be prevented.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Tools For Gaining Access Cisco 350 & Orinoco Gold Cards High gain omni & directional antennas Lophtcrack Manufacturer’s client utilities Lucent Registry Crack ( LRC ) List of manufacturer’s default settings

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Rogue Devices A rogue device is any device that is not authorized to be on the network. It is considered a security breach of the highest level. The best way to go about discovering these devices is to learn how a professional intruder would go about placing them.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Items that an intruder consider when placing rogue devices such as Access Points Location WEP settings Placement Costs Visibility SSID settings Frequency Spectrum choice Antenna

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Location, placement, visibility Rogue devices will be placed as if the device were designed to be there in the first place, without any disruption in service to the existing network. These devices will be placed near the edge of the building-the closer to a window the better, for better coverage from outside the building. It is well hidden, placing it in the CEO or other executive's office behind his or her desk is ideal, but it require a lot of work.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Costs, WEP, SSID settings Small and cheap access points are usually used, there is a good chance to lose it. Using WEP key making it easier for a rogue device without WEP, to be discover by administrator who is scanning the area. The SSID must be match with the existing wireless LAN implementation, having closed system feature, making it harder to detect the device.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Frequency, Antennas, and Spectrum choice Intruders may use 900 MHz units instead 2.4 GHz or 5 GHz, Wi-Fi compliant unit, because no discovery tools can find it. Horizontally polarized antennas are often used to produce a very small RF signature on any scanning devices. Intruders may use FHSS technology, Bluetooth, OpenAir, or HomeRF instead of DSSS, so to avoid being discovered by discovery tools.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. List of items that an intruder consider when placing rogue devices such as Wireless Bridges Placement Priority MAC Spoofing Antenna Use Costs

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Placement, and priority A rogue bridge is placed within the Fresnel Zone of an existing bridge link, which may span several miles, making it tougher to detect. It must be set to a very low priority so it does not become root bridge, and thus give itself away as a rogue device.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. MAC spoofing, Antenna use and Costs If MAC spoofing features are available in the bridge, then the MAC address of an authorized non-root bridge can be spoofed. It will use high-gain directional antennas to ensure a consistently high quality connection. The cost of bridge is higher than access point, even though the chances of being discovered are much lower

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. DATA Theft & Malicious Insertion High-speed wireless connectivity allows nearby intruders to pull large amount of data from a network as well as pushing equal amount of data to the network. It can be Illegal, Unethical, or Inappropriate Content that attacker deposits on the corporate server or individual computer which will result in employment termination of the individual or legal battles between companies.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. DATA Theft & Malicious Insertion There are many types of malware ( viruses and spyware ) that an intruder can place on a computer in order to obtain information or damage the network. These worms, Trojans, and other types of viruses can be caught and disinfected before they do damage by properly installed, configured, and updated virus scanning software.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Peer-to-Peer Attacks Peer-to-peer attacks are attacks instigated by one host aimed at another particular host, both of which are clients of the same network system. Targets that hackers commonly seek are sensitive data files, password files, registry information such as WEP keys, or file share properties, and network access info.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Types of peer-to-peer attacks Spread spectrum RF, by using a compatible RF technology in ad hoc or infrastructure mode. Infrared, using the port on the back of PC. Hijacking, using a rogue access point and a rogue DHCP server, to capture layer 2, and layer 3 connections, then using RF jamming device force the user to roam to the rogue access point

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Unauthorized Control Network Management Tools Network management tools are powerful utilities for managing large enterprise LANs and WANs from a central point of control. Attacker can take over entire network from a mobile workstation using software packages such as Hyena, Solarwinds

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Unauthorized Control Configuration Changes Attacker can reconfigure one access point and having that access point push its configuration to all other access points due to unsecured settings in wireless LAN, or if it start a firmware push followed by terminating the power to all access points because of PoE, it could disable all APs

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Unauthorized Control Third Party Attacks Denial of service and SPAM attacks originating from an unsuspecting network with unsecured wireless LAN, the corporation can then be blacklisted and eventually disconnected from their ISP. - Legal Liabilities - ISP termination of service

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation. Discussion Questions How has this lesson changed your outlook on rogue access points? Is manual searching for rogues, even on a regular basis, is enough to keep them off your network? What are some ramifications of illegal or unethical content being placed on the network over wireless LAN? Could a hacker target a person for termination?