
1 CSCD 439/539 Wireless Networks and Security Lecture 8 Wi-Fi Threats and Vulnerabilities Fall 2007.


Slide 1: CSCD 439/539 Wireless Networks and Security, Lecture 8: Wi-Fi Threats and Vulnerabilities, Fall 2007

Slide 2: Introduction
Vulnerabilities
  - Inherent characteristics of wireless
  - Deliberate features designed into 802.11
  - Flawed design
    - WEP
    - MAC access list
  - Other design flaws
Threats
  - Hackers
    - Classification
    - Motivation

Slide 3: Wi-Fi Vulnerabilities
Ask, "Why are Wi-Fi networks vulnerable to attack?"
  - The answer seems obvious...

Slide 4: Wi-Fi Vulnerabilities
Answer
  - Because it's wireless: it transmits data on radio waves
  - Radio waves propagate everywhere
  - Boosted with powerful antennas, they travel up to a mile or more
  - Anyone along the path can listen to the transmission

Slide 5: Wi-Fi Vulnerabilities
Wi-Fi doesn't fit the traditional model of security
  - A firewall separates the internal network from the outside

Slide 6: Wi-Fi Vulnerabilities
Wired networks
  - Trusted and untrusted zones separated by a firewall
    - Systems inside are trusted
    - Systems outside are untrusted
    - The untrusted zone can contain enemies
    - In the trusted zone, all are your friends (in theory)

Slide 7: Wi-Fi Vulnerabilities
Wireless completely violates that model
  - Introduces vulnerabilities
  - People don't understand how to handle the new model of wired + wireless
  - There is no longer a well-defined security perimeter

Slide 8: Wi-Fi Characteristics
1. Shared, uncontrolled medium
   - Lack of physical security; much harder to control
2. Transient networks
   - Mobile: wireless devices can move
   - Ad hoc networks form and dissolve
How do we protect these networks?

Slide 9: Wi-Fi Characteristics
3. User indifference
   - True of both wired and wireless networks
   - Users don't care about security
   - Does your mother care about computer security?
4. Easier to attack
   - Lack of a defined perimeter (as said above)
   - The wireless nature makes them easier to attack than wired networks
   - Hackers are lazy and take the easiest path

Slide 10: Inherent Vulnerabilities
WLANs break the assumptions of the inside/outside paradigm
  - Can't be confined
  - Radio signals cut through walls and windows
  - Can't change the physical reality of wireless
Must acknowledge this and counteract the threats. Must worry about the following.

Slide 11: Inherent Vulnerabilities
Rogue access points
  - An unauthorized AP installed and connected to the enterprise network
    - On purpose, by an employee, not malicious
    - On purpose, by an outsider, with malicious intent
  - Many uses for this device if malicious
  - Causes users to associate to it
    - Man-in-the-middle attack, session stealing
    - Obtain possibly sensitive information (more later)

Slide 12: WEP Encryption
Wired Equivalent Privacy
  - Uses encryption to try to keep data private
  - Has multiple problems that make it more of a liability than a security solution
  - New attacks against WEP are still being found!
What was WEP designed for?

Slide 13: WEP Encryption
Designed to...
  - Keep outsiders from connecting to a network or monitoring traffic on that network
  - Nothing more

Slide 14: WEP Encryption
WEP and wrong assumptions
  - Was not designed to be end-to-end encryption
  - Does not distribute and manage encryption keys
    - Key distribution is manual, outside the 802.11 spec
    - WPA and WPA2 fix this
  - Was not designed for complete data privacy (see next slide)

Slide 15: WEP Encryption
Question: does WEP hide traffic from users on the same network sharing the same WEP key?
  - No. Users can eavesdrop on each other.
So, how can you be sure users are all legitimate?

Slide 16: WEP Encryption
WEP has no authentication except by encryption keys
  - Assumes a user with a valid key is legitimate
  - Doesn't check any sort of user ID, password or hardware MAC address
  - The 802.11i task group defines how this will be done; it is now not done through WEP

Slide 17: MAC Address Filtering
Another security mechanism
  - Doesn't work very well
  - Wi-Fi APs can specify a list of computers permitted to associate with the AP
  - Any computer not on the list is turned away by the access point
  - Not able to join your network, even with the WEP or WPA key

Slide 18: MAC Address Filtering
Assumption
  - Every network device has a unique MAC address
  - What's wrong with this assumption? MAC addresses can be spoofed!!
    - A machine associates with the AP
    - It sends its MAC address in the clear
    - Any hacker with a sniffer program can listen for that transmission and get the MAC address
    - Then spoof it

Slide 19: MAC Address Filtering
Pretend to be a legitimate user
  - The AP can't tell the difference between a good user and a false user
  - The fact that software can impersonate a MAC address negates MAC address filtering completely

Slide 20: Other Design Flaws
Management and control frames are not encrypted
  - Can be spoofed without knowledge of the WEP key
No authentication of the AP to the station
  - Can't prove an AP is legitimate
A limited number of stations can use a single AP
  - An AP can be overflowed to prevent wireless access

Slide 21: Other Design Flaws
Some believe that by using a complicated SSID an unauthorized user will have difficulty gaining access to their AP
  - SSIDs are passed in the clear, even when WEP is enabled
  - It is trivial to download free tools designed to intercept SSIDs from a wireless communication session

Slide 22: SSID Names
[Figure: list of SSID names; note the default SSIDs]

Slide 23: Threats

Slide 24: Threats and Those Responsible
Hackers of all levels
  - What motivates them and, more importantly, what threat do they pose to your Wi-Fi network?

Slide 25: Attackers
Who are your typical attackers and what drives them to break into your network?
  - What are their motives?
  - What methods do they use?
  - What damage can they cause?
  - Are you at risk?

Slide 26: Attacker Groups
Who are they? Lots of groups out there can threaten your systems. Not easy to classify them.
  - The typical way to group them is by skill level or potential for damage
  - Can rank them from lowest to highest in skill, but skill doesn't always correlate with damage potential
  - A good example is the virus/worm writers: they do a lot of damage but are not necessarily the most skilled

Slide 27: Hacker Groups
Can loosely classify them by skill level and motive
  - Elite hackers: white hat
  - Elite hackers: black hat
  - Virus/worm writers and spammers
  - Hacktivism groups
  - Script kiddies

Slide 28: Elite Hackers, White Hat
  - Hackers in this group are skilled
  - Often belong to a hacker group (L0pht, Masters of Deception)
  - Feel they have a mission to improve the security of the computer world
  - Avoid damage to networks and systems
  - Inform and educate system administrators about fixes to their security

Slide 29: Elite Hackers, White Hat
  - Subscribe to a "Hacker Code of Ethics"
  - It said... it is the ethical duty of the hacker to remove barriers, liberate information, decentralize power, honor people based on their ability, and create things that are good and life-enhancing through computers.

Slide 30: Elite Hackers, White Hat
The new Code of Ethics includes:
  - Leave no traces: keep a low profile; if accused, deny it; if caught, plead the 5th
  - Share information
    - Don't hoard or hide information
    - Information increases in value when shared

Slide 31: Elite Hackers, Black Hat
  - Skilled, but do damage
  - Break in and leave evidence of their presence
    - Victims need to re-install software
    - Don't worry about loss of private information
  - Don't buy into a Code of Ethics
  - Sell their services to the highest bidder
  - In business for themselves

Slide 32: Elite Hackers
Psychological profile of elite hackers
  - Most elite hackers are called deviants: different values and beliefs than society
  - White hats believe they are performing a service for society by exposing poor security practices
  - Sometimes have a tenuous grasp on reality because they live mostly in the cyber world
  - Examples: Rob Morris, Kevin Mitnick

Slide 33: Examples of Elite Hackers
  - Eric Corley (also known as Emmanuel Goldstein): long-standing publisher of 2600: The Hacker Quarterly and founder of the H.O.P.E. conferences; part of the hacker community since the late '70s
  - Kevin Mitnick: a former computer criminal who now speaks, consults, and authors books about social engineering and network security
  - Robert Morris: now a professor at MIT; the son of the chief scientist at the National Computer Security Center, part of the National Security Agency (NSA); as a Cornell University graduate student he accidentally unleashed an Internet worm in 1988, and thousands of computers were infected and subsequently crashed

Slide 34: Script Kiddies
Skilled hackers put their scripts online
  - They appear to want others to use and benefit from their experience
  - Goes along with the ethic of "sharing information"
  - Allows people with limited technical knowledge to do lots of damage, since there are lots of them

Slide 35: Script Kiddies
A script kiddie is a wannabe hacker
  - Scans the Internet for compromised systems using freely available tools
  - At the bottom of the pile in the hacking world
  - Can still do an incredible amount of damage
  - Especially to unprotected wireless networks

Slide 36: Motivation
Ego gratification
  - Both elite hackers and script kiddies
Profit
  - Lots of money can be earned hacking these days: spamming, selling credit cards on the black market, botnets
  - Corporate espionage or nation-state level hacking
Political agenda
  - Hacktivism is growing as an attention getter

Slide 37: Motivation
Revenge
  - Grudge against a company
  - Set off an electronic time bomb
  - Steal secrets and sell them to a competitor
For fun
  - Just want to see if they can do it

Slide 38: [Figure: BEFORE / AFTER (your results may vary)]

Slide 39: What hackers do to you
Basically 4 things, with lots of variations
1. Connect to your computer while you are unaware
   - Vandalize the machine
   - Steal data, use your bandwidth
2. Don't connect to your computer
   - Sniff traffic
   - Obtain passwords, credit card data, other useful information

Slide 40: What hackers do to you
3. Hijack the machine
   - Put a Trojan horse on it
   - A Trojan is a program that seems to do what it's supposed to but also has a hidden task
   - Typically a backdoor, but it can have other purposes
4. Denial of Service (DoS)
   - Prevent you from using the machine

Slide 41: Phases of Attacks
  - In general, many attacks are not spontaneous
  - Attackers go through phases to compromise a system
  - Phases of attacks: reconnaissance, scanning, gaining access with attacks

Slide 42: Three Phases in an Attack
1. Reconnaissance
   - Scope out the place, gain initial information on victims, and network discovery
2. Scanning
   - Build a detailed map of the network, its services and vulnerabilities
   - Open ports
3. Attack
   - The actual offensive action; the method depends on the goal of the attack

Slide 43: Reconnaissance
Purpose for wireless
  - Scope out networks and potential victims
  - Find wireless networks, see if security is enabled, and how strong it is
  - Discover as much information about them as possible
  - Many ways to do this...

Slide 44: Reconnaissance
Information discovery
  - Tools: Netstumbler, Kismet, Wellenreiter, Wififofum, Cain
  - People
  - Techniques: rogue APs, open/misconfigured APs, ad hoc stations, asking for information

Slide 45: Reconnaissance
Social engineering
  - A surprising number of employees give away sensitive information
  - The most successful are calls to employees
    - Call the help desk as a "new" employee for help with a particular task
    - An angry manager calls a lower-level employee because his password has suddenly stopped working
    - A system administrator calls an employee to fix her account on the system, which requires using her password

Slide 46: Reconnaissance
Defense against social engineering
  - User awareness
    - Users must be trained not to give out sensitive information
    - A security awareness program should inform employees about social engineering attacks
    - There is no reason a system administrator ever needs you to give him/her your password
    - The help desk should have a way to verify the identity of any user requesting help
  - Hackers at Defcon wear shirts saying... "No defense against stupidity..."

Slide 47: Reconnaissance
Specific to wireless networks
  - Physical reconnaissance
    - In addition to the techniques for wired networks, wireless networks involve a physical aspect
    - Antennas and wireless APs can be seen

  Component                  Where to look
  Antennas                   Walls, ceilings, hallways, roofs
  Access points              Ceilings, walls, support beams, shelves
  Devices (printers/PDAs)    Reception area, offices, desks

Slide 48: Reconnaissance
Techniques
  - Attackers use lots of different tools and techniques for gathering information
  - War driving for WLANs, war dialing for modems
  - Note: defenders need to defend all paths into the network; attackers need to find just one open path, and attackers have all the time in the world

Slide 49: War Driving
  - Invented by Peter Shipley in 2001 when he drove around Silicon Valley and found hundreds of access points
  - Mapped them out to show how vulnerable WLANs are to snooping

Slide 50: [Map: San Francisco Wi-Fi networks]

Slide 51: War Driving
Active scanning
  - Broadcast 802.11 probe packets with an SSID of "any" to check for access points in range
    - Like going outside and shouting, "Who's there?"
  - Netstumbler is a free tool for active scanning (www.netstumbler.com)
    - Most popular tool for active scanning of WLANs
    - Runs under Windows
    - Supports ORiNOCO, Dell TrueMobile 1150, Toshiba 802.11b wireless card, Compaq WL110 plus several others

Slide 52: War Driving
What does Netstumbler do?
  - Gathers the MAC address, SSID, wireless channel and relative signal strength of each access point
  - Also whether security (WEP) is turned on
  - Coordinates with a GPS system
Example: New York City
  - Netstumbler, ORiNOCO antenna, laptop, taxi cab in New York City
  - One hour found 455 access points
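The same survey fields a war driver collects are what a defender needs to audit their own airspace. The script below is an added example (not part of the lecture): it checks a Netstumbler-style survey against an inventory of authorized access points and flags unknown radios copying the corporate SSID, sanctioned APs left on a default SSID, and APs with encryption off. The survey rows, BSSIDs, SSIDs and inventory are all constructed.

```python
# Added example (not from the lecture): audit a wardriving-style survey against
# an authorized AP inventory. Survey rows are constructed; the fields are the
# ones Netstumbler reports (MAC/BSSID, SSID, channel, security on/off, signal).
from dataclasses import dataclass

# Vendor default names; an illustrative, constructed list.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tsunami", "wireless"}

@dataclass(frozen=True)
class Observation:
    bssid: str       # AP MAC address as seen in beacons / probe responses
    ssid: str        # network name ("" if the AP hides it)
    channel: int
    privacy: bool    # True if the privacy (WEP/WPA) bit was set
    signal: int      # relative signal strength, dBm

def audit(observations, authorized, corporate_ssid):
    """Return (bssid, finding) pairs a defender should follow up on.

    authorized maps each sanctioned BSSID to the SSID it must advertise.
    """
    findings, corp = [], corporate_ssid.lower()
    for o in observations:
        bssid, ssid = o.bssid.lower(), o.ssid.strip().lower()
        if bssid not in authorized:
            if ssid == corp:           # unknown radio using our name: evil twin / rogue
                findings.append((bssid, "rogue AP impersonating corporate SSID"))
            elif o.signal > -60:       # strong unknown AP is probably inside the building
                findings.append((bssid, "unknown AP with strong signal (possible rogue)"))
            continue                   # neighbours' weak, foreign APs are not our problem
        if ssid != authorized[bssid].lower():
            findings.append((bssid, "authorized BSSID advertising wrong SSID"))
        if ssid in DEFAULT_SSIDS:
            findings.append((bssid, "default SSID (device likely never configured)"))
        if not o.privacy:
            findings.append((bssid, "no encryption enabled"))
    return findings

# Constructed survey: row 3 is an unknown radio copying the corporate SSID,
# row 4 a sanctioned AP someone reset to factory defaults.
SURVEY = [
    Observation("00:11:22:33:44:01", "ACME-CORP", 6, True, -45),
    Observation("00:11:22:33:44:02", "ACME-CORP", 11, True, -52),
    Observation("AA:BB:CC:DD:EE:FF", "ACME-CORP", 6, False, -40),
    Observation("00:11:22:33:44:03", "linksys", 1, False, -50),
    Observation("12:34:56:78:9a:bc", "CoffeeShop", 1, False, -80),
]
AUTHORIZED = {"00:11:22:33:44:01": "ACME-CORP", "00:11:22:33:44:02": "ACME-CORP",
              "00:11:22:33:44:03": "ACME-CORP"}
```

Running `audit(SURVEY, AUTHORIZED, "ACME-CORP")` yields one rogue finding for the unknown radio and three findings for the reset AP; the weak coffee-shop neighbour produces none.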

Slide 53: From www.wigle.net
[Map] The island of Manhattan, one of the densest points of observed networks in the WiGLE world.

Slide 54: Wigle.net Wireless DB
Wireless Geographic Logging Engine: making maps of wireless networks since 2001
  - Database 6 years old: 12,389,316 points from 765,231,060 unique observations
  - Many known open or weak access points
  - Fully available on the web: search by SSID, MAC address, longitude/latitude, physical address

Slide 55: War Driving
Netstumbler
  - After installation, it is important to turn off TCP/IP in Windows
  - If not, when you wardrive and get within range of a network, your computer will try to connect to it
  - The Netstumbler site has interesting features (www.netstumbler.com)
    - Database of all access points reported by other war drivers: maps.netsumbler.com
    - You must register, and then you can query the DB for your NIC's MAC address
    - You can upload your capture log to their DB
  - This link also has several maps you can browse: http://wiki.personaltelco.net/index.cgi/WarDriving

Slide 56: [Screenshot: Netstumbler window showing default SSIDs]

Slide 57: War Driving
Defense against active scanning
  - Configure access points to ignore probes with "any"
  - Can configure access points to suppress the SSID in the beacon, disabling SSID broadcast
Passive scanning
  - Stealthier way of discovering WLANs
  - Puts the wireless card into rfmon (monitor) mode
  - Sniffs all wireless traffic from the air

Slide 58: War Driving
Passive scanning
  - Kismet, by Mike Kershaw: more for detailed packet capture and analysis (www.kismetwireless.net)
  - Wellenreiter, by Max Moser: optimized for war driving (www.remoteexploit.org); runs on Linux and supports Prism2, Lucent and Cisco wireless card types

Slide 59: War Driving
Wellenreiter tool
  - Listens for ARP or DHCP traffic to determine the MAC and IP addresses of each wireless device
  - Passive mode: doesn't send probe packets
  - Every 100 ms access points send beacons to synchronize timing and frequency information

Slide 60: War Driving
Drawback of Wellenreiter
  - If an access point is configured to omit its SSID from its beacons and no other users are sending traffic to the access point, it won't be able to determine the SSID
  - Will know it's there, but not its name
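Because 802.11 management frames are unencrypted (slide 20), a defender's own monitor-mode sensor can decode them just as a passive scanner does. The following added example (not from the lecture) parses hand-built beacon and probe-request frames, reporting the hidden-SSID case from slide 60, the privacy bit, and the ~100 ms beacon interval, and then counts stations sending the wildcard ("any") probe that active scanners use. The MAC addresses and frame bytes are constructed; field layouts follow the IEEE 802.11 management frame format.

```python
# Added example (not from the lecture): parse the unencrypted 802.11 beacon and
# probe-request frames that scanners rely on. All frames here are constructed.
import struct

BEACON, PROBE_REQ = 8, 4      # management frame subtypes
CAP_PRIVACY = 0x0010          # capability bit set when WEP/WPA is enabled

def parse_ies(body):
    """Decode tag/length/value information elements into {tag: bytes}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, n = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + n]
        i += 2 + n
    return ies

def parse_mgmt(frame):
    """Describe a beacon or probe request; return None for anything else."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 0:   # type 0 = management
        return None
    subtype = frame[0] >> 4
    info = {"subtype": subtype, "src": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":")}
    if subtype == BEACON:
        # fixed fields after the 24-byte header: timestamp(8) interval(2) capability(2)
        interval, cap = struct.unpack_from("<HH", frame, 32)
        ssid = parse_ies(frame[36:]).get(0, b"")
        info.update(interval_ms=interval * 1.024, privacy=bool(cap & CAP_PRIVACY),
                    ssid=ssid.decode(errors="replace"), hidden=len(ssid) == 0)
    elif subtype == PROBE_REQ:
        ssid = parse_ies(frame[24:]).get(0, b"")
        # a zero-length SSID is the wildcard ("any") probe that active scanners send
        info.update(ssid=ssid.decode(errors="replace"), wildcard=len(ssid) == 0)
    else:
        return None
    return info

def scanners(frames, threshold=3):   # stations sending >= threshold wildcard probes
    counts = {}
    for p in map(parse_mgmt, frames):
        if p and p["subtype"] == PROBE_REQ and p["wildcard"]:
            counts[p["src"]] = counts.get(p["src"], 0) + 1
    return {s for s, n in counts.items() if n >= threshold}
def build_frame(subtype, src, bssid, body):   # builds the constructed sample frames
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src + bssid + b"\0\0" + body

AP, STA = bytes.fromhex("001122334401"), bytes.fromhex("aabbccddeeff")
RATES = b"\x01\x01\x82"                 # supported-rates IE (1 Mbps)
# beacon with hidden SSID (zero-length IE), privacy bit on, 100 TU (~102 ms) interval
HIDDEN_BEACON = build_frame(BEACON, AP, AP, b"\0" * 8 + struct.pack("<HH", 100, 0x0011) + b"\0\0" + RATES)
PROBE_ANY = build_frame(PROBE_REQ, STA, b"\xff" * 6, b"\0\0" + RATES)   # wildcard probe
```

`parse_mgmt(HIDDEN_BEACON)` reports the AP as present but hidden, exactly the situation where a passive tool learns the BSSID but not the name.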

Slide 61: Summary
Wi-Fi networks, 802.11 standard
  - Many built-in vulnerabilities
  - Problems from people-related vulnerabilities too
Lots of attackers out there...
  - Incentives for them: glory, money, fun...
Phases of attack
  - Reconnaissance, scanning, attack
War driving: reconnaissance
  - Highly successful

Slide 62: Finish
Next time: more on attacks and tools. Read the articles on the Course Notes page.
