Tuesday, March 22, 2005
Wi-Fi, Snorkeling it up
Combating Wi-Fi's Evil Twin
Mon Mar 21, 1:26 PM ET
Mark Long, wireless.newsfactor.com
Just when wireless hot-spot surfers thought it was safe to get back into the water, hackers have come up with new methods for mimicking corporate Web sites and intranets in the 802.11 environment.
Wi-Fi's "evil twin" is basically a hacker who infiltrates a company by picking up its SSID (Service Set Identification) and learning what type of encryption is being used while sitting in a convenient spot outside the building, said IBM (NYSE: IBM) global solutions manager for managed security services Doug Conorich.
"Then the hacker will use a WLAN tool like Airsnort or other available freeware to suck off information about who is connecting to whom and what is happening on the Wi-Fi network," Conorich told NewsFactor.
The intruder will attempt to gain entry by posing as one of the access points of the company, masquerading as a corporate network or "the man in the middle," by using an antenna that is stronger than the one in the internal access point, Conorich explained. "Wi-Fi is going to connect to the strongest signal that is out there. And if the hacker has the stronger signal, then corporate people will latch onto it -- and the hacker will be able to take their credentials by emulating the corporate Web site."
A New National Pastime?
Although wireless hacking is rather new, it already is becoming something of a national pastime. There are clubs around the U.S. that are devoted to so-called "war chalking." "When club members find an access point, they will chalk it on the sidewalk, using a code that says whether the access point is open or closed, and gives the SSID and the channels being used," notes Conorich.
"People go out on a Friday or Saturday night, walk around and find as many access points as they can as a sort of contest," Conorich said. "In New York City, there is a Web site called NYCwireless that logs all of the Wi-Fi access points seen around the New York City area and lists their addresses, operating channels, and so on."
Although war chalking is not a threat to the enterprise in and of itself, it can become a prelude to "war driving" -- a game that involves driving around looking for vulnerable access points that may become targets for hack attacks at a later date, Conorich added.
Hiding the SSID
"Normally, what companies do to protect themselves is to hide their SSIDs by turning off their broadcast," said Conorich. "This forces hackers to know the SSID."
But, if hackers wait long enough, they will be able to deduce the SSID -- the unique ID with a maximum of 32 characters that is attached to the header of a packet, notes Conorich. "Each probing laptop is going to send that SSID over the airwaves in clear text, so if I am monitoring the signal, I am eventually going to see what that SSID is."
Whenever possible, I.T. managers should avoid installing access points that will radiate signals beyond the confines of the physical enterprise. This will make it less likely that hackers can intercept enterprise traffic from the corporate parking lot.
Nevertheless, a hacker equipped with a highly directional antenna can pick up Wi-Fi signals over quite a distance, notes Symantec (Nasdaq: SYMC) senior director of engineering Alfred Huger, who acknowledges that a 3-meter dish left over from the early days of satellite TV certainly would do the trick.
Securing Existing Wi-Fi Corporate Nets
"At the base level, you need to make sure that WEP encryption is on, which sounds like a trivial matter, but many companies don't bother to encrypt their traffic at all," Huger told NewsFactor.
"And if you require the traffic to go through a VPN server, then the hacker will not be able to emulate the VPN connection -- because that will force everybody to encrypt all their traffic," Huger said. "But no matter what you do, it does not stop people from trying to get to you," he acknowledged.
"If only VPN traffic is allowed to pass through the network, then, yes, protection can be had, inasmuch as total protection is humanly possible to achieve," Huger said. "But even then, the I.T. manager must always keep in mind that 'where there's a will, there's a way.'"
Routing users through a VPN does not preclude someone from getting onto the network and taking part in LAN traffic, notes Huger. For this reason, I.T. managers should consider not tying the Wi-Fi network directly to their corporate LANs.
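The segmentation Huger describes can be written down as a filter policy and checked against sample flows. The block below is an added example, not code from the article or from any vendor named in it; the addresses, the VPN gateway, the two policies and the sample flows are all constructed. The "flat" policy is the weak setting (wireless bridged straight onto the LAN), and the VPN-only policy is the corrected one, in which the only traffic allowed to leave the wireless segment is the VPN's own control and data channels.

```python
"""Policy check for a Wi-Fi segment that may only talk to the VPN gateway.

All addresses, policies and flows here are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WIFI_SEGMENT = ip_network("192.168.50.0/24")  # where wireless clients get addresses
VPN_GATEWAY = ip_address("10.1.1.10")         # concentrator the clients tunnel to
CORP_LAN = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports (ESP)


# Weak setting: the wireless segment is bridged straight onto the corporate LAN,
# so a client that associates can reach any internal host directly.
FLAT_POLICY = [("any", CORP_LAN, None)]

# Corrected setting: only the VPN control and data channels may leave the
# segment; everything else on the LAN is reachable only through the tunnel.
VPN_ONLY_POLICY = [
    ("udp", ip_network(f"{VPN_GATEWAY}/32"), 500),   # IKE
    ("udp", ip_network(f"{VPN_GATEWAY}/32"), 4500),  # IKE/ESP over UDP (NAT traversal)
    ("esp", ip_network(f"{VPN_GATEWAY}/32"), None),  # ESP
]


def _matches(rule, flow: Flow) -> bool:
    proto, dst_net, dport = rule
    return ((proto == "any" or proto == flow.proto)
            and ip_address(flow.dst) in dst_net
            and (dport is None or dport == flow.dport))


def decide(flow: Flow, policy) -> str:
    """Default-deny filter applied to traffic leaving the wireless segment."""
    if ip_address(flow.src) not in WIFI_SEGMENT:
        return "not-wireless"  # this filter only governs the Wi-Fi segment
    return "allow" if any(_matches(rule, flow) for rule in policy) else "deny"


# Constructed sample flows from one wireless client.
SAMPLE_FLOWS = [
    Flow("udp", "192.168.50.23", "10.1.1.10", 500),   # IKE to the concentrator
    Flow("esp", "192.168.50.23", "10.1.1.10", None),  # tunnelled traffic
    Flow("tcp", "192.168.50.23", "10.2.0.5", 445),    # direct SMB to a file server
    Flow("tcp", "192.168.50.23", "10.2.0.7", 80),     # direct HTTP to the intranet
]


def audit(policy) -> dict:
    """Evaluate every sample flow under one policy, keyed by proto:dst:dport."""
    return {f"{f.proto}:{f.dst}:{f.dport}": decide(f, policy) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    print("flat:    ", audit(FLAT_POLICY))
    print("vpn-only:", audit(VPN_ONLY_POLICY))
```

Under the flat policy the direct SMB and HTTP flows pass, which is exactly the "taking part in LAN traffic" Huger warns about; under the VPN-only policy they are dropped while the IKE and ESP flows to the gateway still pass, so a client that has not brought up its tunnel can reach nothing inside.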
A Proactive Approach
Businesses can take a more proactive approach by deploying a wireless intrusion-detection technology that connects to the system in much the same way as a wireless access point. But rather than handling traffic, the wireless sensor just "sniffs at all the traffic that goes by," notes Conorich.
"It allows companies to inventory all their assets, know every AP up on their area, every wireless device probing, then take an inventory that identifies which ones are theirs," says Conorich.
The next step is to determine the rogue access points, which basically fall into two categories: the rogue Access Point (AP) set up on the network, and the APs of a neighboring company or a Starbucks (Nasdaq: SBUX), which may be free access or corporate in nature. "Even though the latter don't belong to you, you'll need to want to identify them before you can ignore them," advises Conorich.
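Two points in the article come down to the same parsing job: Conorich's observation that a client probing for a hidden network sends the SSID in clear text, and the sensor that inventories every AP it hears and sorts them into "ours", "rogue on our network" and "neighbor". The block below is an added example, not code from the article or from any vendor named in it. It decodes minimal 802.11 beacon and probe request frames (the 24-byte management header followed by tagged information elements), pulls out the SSID and channel, and triages each AP against a constructed inventory of authorized BSSIDs. The frame bytes, MAC addresses, SSIDs and inventory are all constructed for the demo.

```python
"""Parse constructed 802.11 management frames and triage the access points seen.

Constructed sample data only; nothing here is captured from a real network.
"""
import struct
from dataclasses import dataclass
from typing import Optional

SUBTYPE_PROBE_REQ = 4  # client asking "is network X here?"
SUBTYPE_BEACON = 8     # AP announcing itself


@dataclass
class MgmtFrame:
    subtype: int
    sa: str                 # transmitter (Address 2)
    bssid: str              # Address 3
    ssid: Optional[str]     # None when the SSID element is absent or blank (hidden)
    channel: Optional[int]  # from the DS Parameter Set element, if present


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_mgmt_frame(frame: bytes) -> MgmtFrame:
    """Decode the 24-byte MAC header and the tagged information elements."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    body = frame[24:]
    if subtype == SUBTYPE_BEACON:
        body = body[12:]  # fixed fields: timestamp(8) + interval(2) + capability(2)
    elif subtype != SUBTYPE_PROBE_REQ:
        raise ValueError(f"unsupported subtype {subtype}")
    ssid, channel = None, None
    i = 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:
            break  # truncated element: stop rather than misparse
        if eid == 0 and elen > 0 and any(data):
            ssid = data.decode("utf-8", errors="replace")  # SSID rides in clear text
        elif eid == 3 and elen == 1:
            channel = data[0]
        i += 2 + elen
    return MgmtFrame(subtype, _mac_str(frame[10:16]), _mac_str(frame[16:22]), ssid, channel)


def build_frame(subtype: int, sa: str, bssid: str, ssid: str, channel=None) -> bytes:
    """Build a minimal beacon or probe request (constructed sample data)."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6
              + _mac_bytes(sa) + _mac_bytes(bssid) + b"\x00\x00")
    body = b""
    if subtype == SUBTYPE_BEACON:
        body += b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    raw = ssid.encode()
    body += bytes([0, len(raw)]) + raw  # SSID element, zero-length when hidden
    if channel is not None:
        body += bytes([3, 1, channel])  # DS Parameter Set element
    return header + body


# Constructed inventory: the BSSIDs the company knows it owns, and its SSID.
CORP_SSID = "corp-wlan"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def classify_ap(f: MgmtFrame) -> str:
    if f.bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if f.ssid == CORP_SSID:
        return "evil-twin-candidate"  # our SSID from a BSSID we never deployed
    return "neighbor"                 # someone else's network: record it, then ignore it


def triage(frames) -> dict:
    """Sensor logic: inventory every AP heard and note who is probing for what."""
    report = {"aps": {}, "probes": []}
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f.subtype == SUBTYPE_BEACON:
            report["aps"][f.bssid] = (f.ssid, f.channel, classify_ap(f))
        else:
            # A client probing for a hidden network names it in clear text.
            report["probes"].append((f.sa, f.ssid))
    return report


SAMPLE_FRAMES = [  # constructed
    build_frame(SUBTYPE_BEACON, "00:11:22:33:44:01", "00:11:22:33:44:01", "", 6),
    build_frame(SUBTYPE_BEACON, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "corp-wlan", 6),
    build_frame(SUBTYPE_BEACON, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "coffee-free", 11),
    build_frame(SUBTYPE_PROBE_REQ, "00:50:56:12:34:56", "ff:ff:ff:ff:ff:ff", "corp-wlan"),
]

if __name__ == "__main__":
    for bssid, info in triage(SAMPLE_FRAMES)["aps"].items():
        print(bssid, info)
```

The first sample beacon is the company's own AP with SSID broadcast turned off, so it parses with no SSID; the probe request from a client shows why that hiding is weak, since the SSID is recoverable from the probe without any decryption. The second beacon carries the corporate SSID from a BSSID that is not in the inventory, which is the case a wireless sensor should raise, while the third is a neighbor that is identified once and then ignored.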
Public Hot-Spot Scenarios
Wi-Fi phishing also represents a serious threat to mobile workers, because it is all too easy for hackers to set up a false Web page that mimics a public hot spot in the airport or the local coffee shop.
The hacker merely needs to gain one-time access to the source to make a Web site copy that will be able to trick Wi-Fi surfers into disclosing private information, says McAfee AVERT Research Fellow Jimmy Kuo. Then, all that's required is for the spoofer to generate a signal that is strong enough to overwhelm the genuine hot spot AP.
Probably the only thing that would alert someone to the fact that they were being spoofed would be that the genuinely secure sites "typically operate under 'https,' while those mimicked would just be under 'http,'" Kuo told NewsFactor.
One of the first things you want to do after logging on to a public hot spot "is to immediately log on to the corporate network through the VPN process, which will encrypt every single transmission coming in and going out of your machine," Kuo advises.
"But the general rule is, if you are out in public, then assume that everything you do is in public," he says. If you are going to open an account over a public hot-spot connection, for example, "then you'd better make sure it doesn't have an open credit line."
Forcing the VPN connection
I.T. managers worried about hacker infiltration over notebooks parked in public may elect to deploy an anti-virus product -- such as Symantec Client Security, which incorporates a location-awareness function that allows the amount of network protection to change automatically, based on notebook location.
When the software program senses that the laptop is outside of the corporate firewall, then it automatically forces the network-connected device into running a VPN session, says Symantec Group Product Manager Kevin Haley.
"Once this happens, all traffic is encrypted to prevent someone from being able to listen in," Haley told NewsFactor. "So you can sit in a coffee shop on a Wi-Fi connection and have the same firewall protection as if you were behind the network gateway."
The software uses a number of criteria -- including domain and IP address -- to determine where the network-connected notebook is located at any given moment, Haley said. The software also gives I.T. managers the ability to establish a specific VPN policy for notebooks or even push a new policy out to the clients at will.
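Haley describes the client-side decision in terms of criteria such as domain and IP address, a policy that changes with location, and policies pushed out by I.T. The block below is an added example of that decision logic, not code from the article or from Symantec Client Security; the corporate address ranges, DNS suffix, sample contexts and the shape of the policy dictionary are all constructed. It also covers Kuo's advice that the first step on a public hot spot is to bring up the VPN, by treating any location that is not provably inside as public.

```python
"""Location-aware client policy: decide whether a notebook is inside the
corporate network and, if not, force a VPN session before anything else.

All networks, suffixes, sample contexts and policy fields are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
CORP_DNS_SUFFIX = "corp.example"


@dataclass(frozen=True)
class NetworkContext:
    ip: str          # address the interface currently holds
    dns_suffix: str  # connection-specific DNS suffix handed out by DHCP


def is_inside_corporate_network(ctx: NetworkContext) -> bool:
    """Both criteria must agree. Either one alone is easy for a foreign
    network to reproduce: many hot spots also hand out 10.x addresses, and
    any DHCP server can hand out any DNS suffix it likes."""
    addr = ip_address(ctx.ip)
    in_corp_range = any(addr in net for net in CORP_NETWORKS)
    on_corp_domain = ctx.dns_suffix.lower().rstrip(".") == CORP_DNS_SUFFIX
    return in_corp_range and on_corp_domain


def select_policy(ctx: NetworkContext, override: Optional[dict] = None) -> dict:
    """Return the protection level for the current location. `override` stands
    in for a policy pushed out by I.T. and wins over the computed defaults."""
    if is_inside_corporate_network(ctx):
        policy = {"location": "inside", "require_vpn": False,
                  "inbound_firewall": "standard"}
    else:
        # Fail closed: anything that is not provably inside is treated as public,
        # and only the traffic needed to bring the tunnel up is allowed first.
        policy = {"location": "outside", "require_vpn": True,
                  "inbound_firewall": "block-all",
                  "allow_before_vpn": ["dhcp", "dns", "ike", "esp"]}
    if override:
        policy.update(override)
    return policy


SAMPLE_CONTEXTS = {  # constructed
    "office": NetworkContext("10.20.30.40", "corp.example"),
    "coffee shop": NetworkContext("10.0.0.17", "cafe.local"),  # 10.x, but not ours
    "home": NetworkContext("192.168.1.7", "corp.example"),     # suffix set by hand
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_CONTEXTS.items():
        print(f"{name:12s} -> {select_policy(ctx)}")
```

The coffee-shop context is the instructive one: it carries a 10.x address that would satisfy an IP-only check, but the DNS suffix does not match, so the client is treated as outside and the tunnel is required. Requiring every criterion to agree before relaxing protection, and relaxing nothing otherwise, is the conservative way to combine signals that a foreign network can individually imitate.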