CIA XXV. Copyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved. Wireless LAN Insecurity Update 2005. Robert C. Jones, M.D., LtCol, USAF, Medical Corps.

Dec 25, 2015

Wireless LAN Insecurity Update 2005

Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland

E-mail: rob--at--notbob.com
Web site: http://www.notbob.com

Disclaimer: Fair Use of Online Resources

In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted. According to Sections 107 and 504(c) of United States Code Title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for non-commercial purposes only.

“Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:

– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.

The purpose and character of this presentation is nonprofit educational use in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted work is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.

This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way.

Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of the Department of Redundancy Department [DoRD]).

Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity.

FAIR USE NOTICE: This contains copyrighted material, which is reproduced under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. This material is posted without profit for the benefit of those who, by accessing this material, are expressing a prior interest in this information for research and educational purposes.

Network Abuse Costs $$$: 2003 Data from U.S. FBI

Where’s Wireless???

WLAN Abuse 2004: Number 5 with a Bullet

Multiple Winblows XP/2000 vulnerabilities

The Basic Network Security Pyramid

Wireless Security 2003

Rob’s 2003 WLAN Security Pyramid

What this talk is about

• Brief Review of Wireless LAN (WLAN) tech
• Wardriving Update Late 2004
• Step 1: Physical Security and Wireless Policy
• Step 2: OS, Firmware Updates; MAC Filtering; SSID
• Step 3: Change AP PW; WPA if possible, else WEP
• Step 4: Toward 802.11i/WPA2 for Home/SOHO use
• Step 5: CSE: OS Updates, Vulnerability News
• Future Wireless Security Topics

Dusko and Vlado Say: Be Responsible with your WLAN-kwon-do!

This talk is not a WLAN Cracking HOWTO; this is a HOWNOTTO on getting 0wn3d

You can’t afford perfect security

“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”

Eckel, G. and Steen, W., Intranet Working, New Riders, 1996, p. 419

What this talk is about

Brief Review of Wireless LAN (WLAN) tech

Introduction to Wireless vs. Wired Networking

Wired Networking
• Inexpensive infrastructure (CAT5 cable + NICs)
• Expensive deployment (drilling through walls)
• Reconfiguring network topology difficult
• Difficult (not impossible!) to intercept communication
• Worldwide exposure to intruders if connected to Net
• Fast! (10/100 Mbps Ethernet, Gigabit Ethernet…)
• Negligible interference from environment

Basic Wired Network Topology (diagram: Router, Firewall)

Introduction to Wireless vs. Wired Networking

Wireless Networking
• Expensive infrastructure (clients + APs = cha-ching!)
• Inexpensive deployment (protocols supported in OSes)
• Reconfiguring network topology trivial (?too trivial?)
• Ridiculously easy to intercept communication
• Geographically constrained exposure to intruders*
• Relatively slow (“11 Mbps” marketingspeak = 5 Mbps)
• Massive environmental interference (ISM, path loss)

* ad hoc intranetworks

Quick Review of WLAN Security Terminology

• SSID (ESSID): Service Set Identifier = name for WLAN network; sent out as plain text in every packet; broadcast by default by most access points
• AP: Access point: WLAN “router” that talks to client cards
• WEP: Wired Equivalent Protocol; broken and easily crackable encryption scheme; not “Wired Equivalent Privacy”, et al.
• MAC: Unique Media Access Control ID number hard-coded into every networking device; spoofable via software
• WPA: Upgrade to WEP security; uses TKIP to rotate encryption keys for each packet and generate different keys for each computer
• 802.1x (not to be confused with 802.11x): User authentication mechanism using EAP protocol; separate from encryption
• 802.11i/WPA2: Major upgrade to security; uses new AES crypto algorithm vs. RC4; part of RSN: Robust Security Network
• TSN = transitional security network with RSN + TKIP instead of CCMP with AES; more on this later

Basic Wireless Network Topology (diagram: Firewall, Access Point)

Infrastructure Mode (using AP)

Advantages: AP security; isolated net connection
Disadvantages: AP cost, complexity; broadcast range

Basic Wireless Network Topology: P2P Ad Hoc Networks (diagram: Firewall)

Advantages: no addt’l hardware; geographically constrained
Disadvantages: unmanaged P2P net issues; geo. constrained

Authentication

Default: Open authentication (+/- MAC/SSID filtering)
  “give me access” → “granted”

Shared Key Auth (WEP, WPA PSK)
  “give me access” → Authentication challenge → Authentication response → “granted”

Generic Wireless Security Exploits

• Physical Theft
• Eavesdropping
• Data Modification
• Identity Spoofing/Masquerading
• Denial of Service (DoS)
• Theft of Internet Service
• Injection of Bad Things via Wireless
• WLAN as new modem (network soft spot)

Generic Wireless Network Exploits (diagrams: Firewall, Access Point)

Physical Theft (Before)

Physical Theft (After)

Eavesdropping Case 1: Wardriving (“Gotcha!”)

Eavesdropping Case 2: Office Building (Your Competitor, Tabloid, Terrorist)

Eavesdropping Case 3: Rogue APs (Rogue Access Point)

The 100 meter myth

• Increasingly powerful 802.11x clients available
• 200 mW PCMCIA cards advertise 6000+ ft range: http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
• Many WiFi® adapters have external antenna connections; even homemade antennas work well

Generic Wireless Network Exploits: Identity Spoofing (diagram: Firewall, Access Point)

Alice and Bob: MAC Address: 0000deadbeef; SSID: default
Cats: Spoof MAC Address: 0000deadbeef; SSID: default
“Looks like your company’s IP to the FBI!”

Generic Wireless Network Exploits: Denial of Service (DoS) (diagram: Firewall, Access Point; interference sources: 2.4 GHz jammer, microwave oven, Bluetooth device, cell phone)

Wild Wild WiFi®: WiFi Hog

“Only traffic originating from the Wifi-Hogger's IP address may access the connection, otherwise the PVJ (portable video jammer) is switched on, blocking others from accessing the open node.”

• Designed to hijack open (public) nodes
• Could easily be used to hijack commercial or home access points with inadequate security

http://www.mle.ie/~jonah/projects/wifihog.html

What this talk is about

Wardriving Update Late 2004

Wardriving Update late 2004

→ Mid Sept 04 (same area wardriven in Sep 03); 30 minute drive
→ Residential neighborhoods/business district
→ 5 dBi omnidirectional, magnetic, car-mounted antenna
→ TCP/IP disabled on card: purposely unable to connect/get IP address (thus legal)

• 126 APs located; 1 Peer located
• 97 APs with no security (77%)
• Of 30 with security, only 13 (43%) 802.11g (likely WPA compliant out of box)
• 62 APs with default SSID bespeaking ignorant owners (49%)
• One FAKE-AP (first time: counterfeit AP signals): http://www.blackalchemy.to/project/fakeap/

Worldwide Wardrive 4 (http://www.worldwidewardrive.org/): of 228,537 APs logged, only 61.6% enabled WEP (or better) security; 31.4% used default SSID (note: lots of smart non-Merkins included)

Screenshot: Disable prior to wardrive to prevent auto-connection to discovered APs (Note!)

What this talk is about

Step 1: Physical Security and Wireless Policy

Locking It Down: Step 1.1

Physical Security
• Secure your laptop/PDA physically
  – Windoze XP stores WPA PW and automagically reconnects on startup
  – BIOS password at least, in case WLAN device is stolen!
• Secure your access points (locked closets vs. desk)
  – Remember, reset button on back of AP = Poof! No Security
• Wise placement of APs/directional antennas to minimize RF leak
• If possible, minimize AP RF power output to least useful
• Audit your coverage: Warwalk/drive/sit yourself!

Reference: http://techrepublic.com.com/5100-6329-5054057.html?tag=hdi

Locking It Down: Step 1.2

Wireless Policy
• (Authority) will be in charge of establishing and enforcing WLAN standards; any implementation that deviates from standard must be approved by (authority)
• (Authority) will be the only one(s) installing/modifying/maintaining APs; (Users) will not install APs
• Only (authorized user type list) can use the WLAN; all others require explicit permission from (authority)
• All WLAN devices must be secured according to standards set by (authority)
• All communications must be encrypted using (standard)
• All (users) must register WLAN devices with (authority)

For a good example: http://www.ksu.edu/policies/ppm/3480.html

What this talk is about

Step 2: OS, Firmware Updates; MAC Filtering; SSID

Locking It Down: Step 2.1 OS/Firmware Updates

• Windows XP Service Pack 2 (SP2)
  – Until Sep 04, very cumbersome process to implement WPA (see notbob.com)
  – Now, SP2 incorporates new WZC and WPA functionality (finally)
• Apple Macintosh: Need firmware upgrade to AirPort Extreme 11g (b sol)
  – “WPA requires an AirPort Extreme base station and AirPort Extreme or AirPort clients running Mac OS X v10.3 (Panther), or later. Use of Wi-Fi Protected Access (WPA) reduces the maximum number of network users. Computers with wireless cards that only support WEP cannot join an AirPort network that has WPA enabled.”
  – Client: http://www.apple.com/support/downloads/airportupdate.html
  – AP: http://www.apple.com/support/downloads/airportextremefwupdate.html
• Linux: Support depends on chipset; http://hostap.epitest.fi/wpa_supplicant/ ; also see http://www.linux-sec.net/Wireless/WPA/#WPA for mondo links
• Make sure you are running the latest version of your AP’s firmware; visit the manufacturer’s website every few months at least

WPA under WinXP SP1 vs. SP2 (screenshots)

MAC/SSID Vulnerability

MAC = media access control address
• Hardcoded in all NICs
• Easily spoofed under Win 9x, Linux; New! WinXP spoofing via freeware Mac Makeup app: http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp

SSID = Service Set Identifier
• Used to define networks
• By default, broadcast in the clear by access points
• Will be given out by AP if client configured with “any” or blank SSID
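The SSID points above and the wardrive tally earlier rest on the same passive observation: every AP beacons its SSID and its security capabilities in the clear. As an added example (not the author's code), the classifier below parses raw 802.11 beacon frames, extracts the SSID element plus the Privacy bit and WPA/RSN elements, and tallies open vs. WEP vs. WPA/WPA2 and default-SSID counts per BSSID, the categories the wardrive slide uses for auditing your own coverage. The frames are constructed inline (only 0000deadbeef/"default" comes from the slides), and the default-SSID list beyond "default" is an assumption.

```python
import struct

# Information element IDs and constants from IEEE 802.11 (real values).
IE_SSID = 0
IE_RSN = 48                           # RSN element => 802.11i / WPA2
IE_VENDOR = 221                       # vendor-specific element
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # Microsoft OUI + type 1 => WPA (TKIP era)
CAP_PRIVACY = 0x0010                  # Capability Info "Privacy" bit => WEP or better
FC_BEACON = 0x0080                    # frame control: type 0 (mgmt), subtype 8 (beacon)

# Factory SSIDs counted as "default" in the tally. Assumed list, except
# "default", which the slides themselves use.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless", "any"}


def parse_beacon(frame: bytes) -> dict:
    """Return {'bssid', 'ssid', 'hidden', 'security'} for one raw beacon frame.

    Layout: 24-byte MAC header (frame control, duration, DA, SA, BSSID, seq),
    12-byte fixed fields (timestamp, interval, capability), then information
    elements as (id, length, data...). Truncated input raises ValueError so a
    mangled frame is never misclassified as an open network.
    """
    if len(frame) < 36:
        raise ValueError("frame shorter than beacon header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x00FC != FC_BEACON:          # compare type+subtype bits only
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    capability = struct.unpack_from("<H", frame, 34)[0]

    ssid, has_rsn, has_wpa = b"", False, False
    pos = 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == IE_SSID:
            ssid = data
        elif ie_id == IE_RSN:
            has_rsn = True
        elif ie_id == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            has_wpa = True
        pos += 2 + ie_len

    if has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    elif capability & CAP_PRIVACY:
        security = "WEP"                  # Privacy bit set but no WPA/RSN element
    else:
        security = "open"
    # "Hidden" SSID: zero-length or all-NUL SSID element; the AP still beacons.
    hidden = ssid.strip(b"\x00") == b""
    return {"bssid": bssid, "ssid": "" if hidden else ssid.decode("utf-8", "replace"),
            "hidden": hidden, "security": security}


def survey(frames) -> dict:
    """Tally a batch of beacons the way the wardrive slide does, one entry per BSSID."""
    aps = {}
    for frame in frames:
        info = parse_beacon(frame)
        aps[info["bssid"]] = info         # repeated beacons from one AP count once
    by_security = {}
    for info in aps.values():
        by_security[info["security"]] = by_security.get(info["security"], 0) + 1
    total, open_count = len(aps), by_security.get("open", 0)
    default_count = sum(1 for i in aps.values() if i["ssid"].lower() in DEFAULT_SSIDS)
    return {"aps": total, "open": open_count,
            "open_pct": round(100 * open_count / total) if total else 0,
            "default_ssid": default_count, "by_security": by_security}


def build_beacon(bssid: bytes, ssid: bytes, privacy=False, wpa=False, rsn=False) -> bytes:
    """Constructed test beacon; only the fields parse_beacon() reads are filled in."""
    header = struct.pack("<HH6s6s6sH", FC_BEACON, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    if wpa:
        body = WPA_OUI_TYPE + b"\x01\x00"             # WPA element, version 1, rest omitted
        ies += bytes([IE_VENDOR, len(body)]) + body
    if rsn:
        body = b"\x01\x00"                            # RSN element, version 1, rest omitted
        ies += bytes([IE_RSN, len(body)]) + body
    return header + fixed + ies


# Constructed sample capture: the deck's 0000deadbeef/"default" AP (beaconing
# twice), a WEP AP with a factory SSID, a WPA AP, and a hidden-SSID WPA2 AP.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("0000deadbeef"), b"default"),
    build_beacon(bytes.fromhex("0000deadbeef"), b"default"),
    build_beacon(bytes.fromhex("00d0590a0b0c"), b"linksys", privacy=True),
    build_beacon(bytes.fromhex("000c29aabbcc"), b"clinic-wlan", privacy=True, wpa=True),
    build_beacon(bytes.fromhex("001122334455"), b"", privacy=True, rsn=True),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_beacon(frame))
    print(survey(SAMPLE_FRAMES))
```

Feeding real frames from a monitor-mode capture of your own APs gives the same per-BSSID report, which is the self-audit Step 1.1 asks for.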

Page 55: CIA XXV Copyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved. Wireless LAN In security Update 2005 Robert C. Jones, M.D. LtCol, USAF, Medical.

CIA XXVCIA XXVCopyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved.Copyright (C) 2005 Robert C. Jones, M.D. All Rights Reserved.

MAC Address Spoofing

Orinoco Gold on Win 98SEOrinoco Gold on Win 98SE

“edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints (YMMV RTFM HTH)”

Red Hat Linux: http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain

Page 56: Locking It Down Step 2.2

MAC Filtering
– Better than nothing; will keep out your neighbors
– To find your adapters’ MAC addresses under Windows: start | run | cmd | ipconfig /all ; listed as Physical Address
– Best to explicitly allow only your own MACs; explicit deny is for open APs that are subject to annoying users (without the sense to spoof their MAC addys)

Page 57:

Page 58: Default SSIDs

– 3Com: comcomcom
– Cisco: 2, tsunami, WaveLAN Network
– Compaq: Compaq
– DLink: WLAN
– Intel: 101, 195, xlan, intel
– Linksys: linksys, Wireless
– Netgear: Wireless
– Zcomax: any, mello, Test

http://www.iss.net/wireless/WLAN_FAQ.php
http://www.cirt.net/cgi-bin/ssids.pl

With AP manufacturer, trivial to determine default Administrator username/password!

Page 59: Locking It Down Step 2.2 (cont’d)

SSID Rules
– Change from default
– Don’t broadcast if possible (WPA flaky sometimes)
– Don’t make it your family/business name
– Don’t make it interesting to h@X0rS; boring is good: ex: thisAP
– Make it hard to guess (e.g., not Default1)

use this if possible

Page 60:

Page 61: What this talk is about

– Brief Review of Wireless LAN (WLAN) tech
– Wardriving Update Late 2004
– Step 1: Physical Security and Wireless Policy
– Step 2: OS, Firmware Updates; MAC Filtering; SSID
– Step 3: Change AP PW; WPA if possible, else WEP

Page 62: Locking It Down Step 3.1

– Change yer freakin’ default AP password! Every script kiddie and her dog knows the default passwords for major manufacturers! Pick a new, secure PW
– Disable remote router administration and Universal Plug and Play (if router doesn’t have nice check box, get Steve Gibson’s UnPlug n’ Pray here: http://grc.com/UnPnP/UnPnP.htm )
– While you’re at it, enable router’s firewall function: block anonymous WAN requests & filter NAT redirection to keep local LAN users from accessing port-forwarded services on router

http://www.linksys.com/download/vertxt/befsr81v2_ver.txt

Page 63:

Page 64: Locking It Down Step 3.2

Use Encryption

Page 65: Encryption Basics

– Need to hide message (plaintext) = needle
– Generate random stuff (encryption key) = piece of hay
– Multiply random stuff (keystream) = haystack
– Hide message in haystack (XOR): needle + haystack = ciphertext

Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm
http://www.mesda.com/files/infosecurity200309.pdf
http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html

XOR Logic Gate

Page 66: WEP…what is WEP?

Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2

http://standards.ieee.org/getieee802/download/802.11-1999.pdf

Never intended to provide strong security; Goals:
– “Reasonably strong” (dependent on key length)
– “Self-synchronizing” (for “best effort” delivery)
– “Efficient” (low processor overhead)
– “Exportable” (pre-1999 ITAR climate [Phil Zimmerman])
– “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks – DISABLED out of the box by all OEMs as of 2004 AFAIK*)

*AFAIK = As far as I know

Page 67: How is WEP supposed to work?

• Secret key combined with IV, run through WEP cipher PRNG (RC4)
• Plaintext XORed with key sequence (irreversible without key)
• Ciphertext output sent over airwaves after encapsulation into IP packets

http://standards.ieee.org/getieee802/download/802.11-1999.pdf

Page 68: What is RC4?

– One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
– Efficient streaming cipher (low overhead) -- used in SSL encryption (online banking, etc.)
– Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
– Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!

From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>

SUBJECT: RC4 Source Code

I've tested this. It is compatible with the RC4 object module that comes in the various RSA toolkits.

/* rc4.h */

http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain

Page 69: Why is WEP Broken?

– First paper: Fluhrer, Mantin, Shamir (encryption flaws) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
– WEP attack using FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
– WEP standard implements RC4 improperly http://www.rsasecurity.com/rsalabs/technotes/wep.html
– Flaws in key scheduling algorithm → large number of weak keys → encryption easily cracked
– IV is sent in the clear with each chunk – subtract 24 bits of IV from encryption key length

http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
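To make the two preceding slides concrete (how WEP frames a packet, and why the clear-text 24-bit IV is the weak spot), here is an added Python example that is not from the slides: an RC4 implementation from the public description, WEP-style framing (IV || key as the per-frame RC4 key, CRC-32 ICV, IV sent in the clear, per the 802.11-1999 text the slide cites), and a birthday-bound estimate of how quickly a 24-bit IV repeats. The key and frames are constructed sample values.

```python
"""WEP-style per-frame RC4 encryption and why a 24-bit IV is too small.

Added example, not from the original slides. RC4 follows the public
description; the framing (IV || key as the RC4 key, CRC-32 ICV, IV in the
clear) follows IEEE 802.11-1999 section 8.2. All keys and frames below are
constructed sample values.
"""
import math
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV||key) XOR (plaintext || CRC-32 ICV).

    The IV travels in the clear so the receiver can rebuild the same
    keystream; only `key` (40 or 104 bits) is secret, which is why a
    "64-bit" WEP key is really 40 bits of secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(key) not in (5, 13):
        raise ValueError("WEP key is 40 or 104 bits")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Regenerate the keystream from the clear-text IV, strip and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return data


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames with the same IV (and key) share a keystream, so XORing
    their ciphertexts cancels it and leaves plaintext1 XOR plaintext2: the
    classic two-time-pad failure. Returns that XOR, or None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among
    `frames` frames drawn uniformly from a 2**iv_bits space. A busy AP sends
    thousands of frames a minute, so with 24 bits a repeat is expected fast."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
    iv = b"\x01\x02\x03"                                # constructed IV
    p1 = b"GET /index.html HTTP/1.0"
    p2 = b"POST /login.cgi HTTP/1.0"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    assert wep_decrypt(key, f1) == p1
    leak = keystream_reuse_leak(f1, f2)
    print("same IV reused ->", leak[:len(p1)] == xor(p1, p2))   # True
    for n in (1000, 5000, 8000):
        print(f"{n} frames: P(IV repeat) = {iv_collision_probability(n):.2f}")
```

The probabilities are the reason TKIP's per-packet key mixing and 48-bit sequence counter, and later CCMP, replaced this construction; nothing a user can configure on a WEP-only AP changes the IV size.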

Page 70: Enabling WEP

Orinoco Gold on Win 98SE

Linksys pic modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg

Page 71: Advanced WEP

Freeware key generators create pseudorandom keys for you to enter

Rotate keys frequently (weekly for business, monthly for home at minimum)

Make sure highest key-length WEP is enabled (remember, 64 bit WEP key is really just 40 bits long [thanks, marketing!])

Upgrade WEP to WPA as soon as possible (look for WPA support for all new hardware)

Page 72: Bbbbut…isn’t WEP broken?

Yes, but…just because your front door can be picked, doesn’t mean you shouldn’t lock it!

– Never be low hanging fruit for attackers
– Lots of old hardware (pre-2004) can’t support WPA, let alone WPA2: WEP is the only option
– If you just enable WEP: more secure than 60-75% of WLAN users (according to wardriving data)
– If you enable WEP + change SSID from default + change AP logon/pw: more secure than 95% of lusers

Page 73: Quick Fix for WEP: WPA

WPA = “WiFi™ Protected Access”
– Available as software/firmware upgrade for most chipsets/manufacturers now or soon
– Subset of new (Jun 04) 802.11i security architecture
– Patches major vulnerabilities in WEP: TKIP fixes IV weakness, adds MIC, key mixing, rekeying
– Supports enterprise user authentication via EAP and 802.1X
– SOHO mode: Pre-Shared Key (PSK): autorotates key for you

http://www.newswireless.net/articles/021123-protect.html

Page 74: TKIP

Page 75: Look for the WPA label…

Page 76: Enabling WPA PSK in Windoze XP SP2

– Make sure wireless connection works with WEP first
– Have wired connection to prevent disconnection with changes
– Upgrade Windows XP SP1 to SP2 (Windoze Update)
– Pick a good pre-shared key (PSK)! http://wifinetnews.com/archives/002452.html
– Upgrade client firmware to support WPA
– Implement WPA PSK on router (may need to upgrade firmware)
– Implement WPA on Windows XP using WZC (Wireless Zero Configuration)

See my separate step-by-step guide on WPA in XP: http://www.notbob.com/wlani

Page 77:

Step 1: Upgrade XP to SP2
Step 2: Implement WPA on AP router
Step 3: Make sure supplicant supports WPA
Step 4: Implement WPA PSK under network connections

Page 78: Take Home Message

Everyone in this room should be using WPA instead of WEP at all times right now!

– Definitely worth upgrading hardware to support WPA
– Hospitals/Medical Offices: Legal risks of NOT using WPA (due diligence) given WEP vulnerabilities

Page 79:

Page 80: What this talk is about

– Brief Review of Wireless LAN (WLAN) tech
– Wardriving Update Late 2004
– Step 1: Physical Security and Wireless Policy
– Step 2: OS, Firmware Updates; MAC Filtering; SSID
– Step 3: Change AP PW; WPA if possible, else WEP
– Step 4: Toward 802.11i/WPA2 for Home/SOHO use

Page 81: WPA Upgrade: IEEE 802.11i/WPA2

– 802.1X port-based authentication – requires dedicated authentication server (or server process in AP)
– RADIUS authentication: for enterprises only
– IEEE 802.11i = WPA + RSN; finally ratified Jun 04
– Uses CCMP (counter mode with cipher block chaining [CBC] message authentication code protocol) for enhanced privacy, data integrity, and authentication
– RSN: Robust Security Network: 802.1X + EAP + AES (non-RC4 encryption protocol) – will likely need hardware upgrade to run RSN without major hit on throughput; likely available in “mature” form in 2005-6

RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003
CBC: http://pedia.nodeworks.com/C/CI/CIP/Cipher_Block_Chaining/

Page 82: AES

Page 83: Rijndael (Reign-Dahl) is AES

Rijndael is a symmetric block cipher, designed by Belgian/Flemish cryptologists Joan Daemen (Yo-ahn Dah-mun) and Vincent Rijmen (Rye-mun)

– Time to crack @ 2^55 keys/sec: 149 trillion years
– Basic advantage of AES is its efficiency and low overhead: easier to implement than its competitors for AES standard
– For WiFi®, requires dedicated chip to process cipher in real time

http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

“How is that pronounced ? If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced like you think it should be. Otherwise, you could pronounce it like "Reign Dahl", "Rain Doll", "Rhine Dahl". We're not picky. As long as you make it sound different from "Region Deal".”

Official NIST AES Specs: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Intro to AES: http://www.nwfusion.com/details/597.html?def
Very High Level AES mathematical explanation: http://islab.oregonstate.edu/koc/ece575/aes/intro.pdf

Page 84: from: http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_ProtectedAccessWebcast_2003.pdf

Page 85: Do you really need WPA2?

– WPA fixes all known problems with WEP
– If you avoid choosing weak passphrase subject to dictionary attack, WPA should suffice for most home/SOHO users for now (2005)
– As of Oct 04, WPA has not been broken
– RC4 will eventually succumb to Moore’s Law → will need to move to AES in the future
– AES support in WPA2 probably involves upgrading your hardware: business decision (risk/benefit ratio)

See Q&A section here: http://www.wi-fi.org/OpenSection/protected_access.asp
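As an added example (not part of the slides) of what “weak passphrase subject to dictionary attack” means for WPA-PSK, and of why the earlier SSID advice matters even once WPA is on: the PSK derivation IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over passphrase and SSID), plus a passphrase policy check. The wordlist and the length/entropy thresholds are constructed assumptions, not anything from the deck or the standard.

```python
"""WPA-PSK derivation and a passphrase policy check.

Added example, not from the original slides. The derivation is the one IEEE
802.11i specifies: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
256 bits). The SSID is the salt, so a table of PSKs precomputed for a default
SSID such as "linksys" works against every AP still using that name; a unique
SSID forces the work to be redone per network. A weak passphrase is guessable
either way, so the policy check below rejects dictionary words. The wordlist
and the 20-character minimum are constructed policy assumptions.
"""
import hashlib
import math
import re
import string
from typing import Iterable, List

# Constructed stand-in for a real dictionary-attack wordlist.
COMMON_WORDS = {"password", "linksys", "wireless", "letmein", "qwerty", "admin"}
MIN_LENGTH = 20          # assumed local policy; the standard allows 8..63
MIN_ENTROPY_BITS = 64.0  # assumed local policy


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key exactly as 802.11i Annex H does."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def entropy_upper_bound_bits(passphrase: str) -> float:
    """len * log2(pool size) over the character classes present. This is an
    upper bound: "Password1!" scores ~65 bits here yet falls to a wordlist in
    seconds, which is why check_passphrase() also consults the wordlist."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str,
                     wordlist: Iterable[str] = COMMON_WORDS) -> List[str]:
    """Return the policy problems found (empty list means the passphrase passes)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Drop case and any trailing digits/punctuation so "Password1!" still
    # matches "password": these are the first mutations a wordlist tries.
    core = re.sub(r"[\d\W_]+$", "", passphrase).lower()
    if core in {w.lower() for w in wordlist}:
        problems.append("dictionary word (with or without trailing digits)")
    if entropy_upper_bound_bits(passphrase) < MIN_ENTROPY_BITS:
        problems.append(f"fewer than {MIN_ENTROPY_BITS:.0f} bits of estimated entropy")
    return problems


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PSK, so a precomputed
    # table for one SSID says nothing about another.
    print(wpa_psk("password", "linksys") != wpa_psk("password", "IEEE"))
    for candidate in ("Password1!", "orange-tractor-quilt-lamp-2005"):
        print(candidate, "->", check_passphrase(candidate) or "OK")
```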

Page 86: Advanced WLAN Security: Topology Options

– Treat all wireless communication as insecure
– Put AP on “unsafe” side of firewall
– Use VPN (private tunnel) through internet to reach internal network
– Impractical for SOHO networks (expensive; throughput hit)

[Diagram: Firewall separating “Safe Side” from “Unsafe Side”]

Page 87:

Page 88: Step 5: CSE Continuing Security Education

All users should keep up with major security developments, including WLAN security

Excellent resources:
– Internet Storm Center http://isc.sans.org
– News.com http://www.news.com
– Wireless News Factor http://wireless.newsfactor.com
– WiFi Planet http://www.wi-fiplanet.com/
– NetworkWorldFusion http://www.nwfusion.com/topics/security.html

Page 89: Future Wireless Security Issues 2

Privacy: Sniffing your car’s radio stations

“Red Means Stop, Ya Moron!”: 802.11p

DOS: Wireless Jammers for Jesus

Wireless Viruses: Don’t get stung by Mosquitoes

RFIDS: The Next Security Threat?

Page 90: Privacy: Sniffing your car’s radio

http://www.washingtonpost.com/wp-dyn/articles/A60013-2004Oct24.html

Device sniffs what radio station you are listening to

Page 91: “Hey, buddy, I’m talking to you”

802.11p is a new IEEE spec to implement WiFi® for vehicles

“Emergency vehicles might use broadcast via wireless to change traffic signals in order to speed themselves along. Cars might also "communicate" with one another, as an exchange of Wi-Fi signals makes it possible to sound proximity alerts when two vehicles come too close to one another.”

Just imagine the potential for chaos when criminals can change traffic lights remotely, or when pranksters activate all the proximity alerts simultaneously…

http://www.wi-fiplanet.com/columns/article.php/3422251

Page 92: DOS: Wireless Jammers for Jesus

Mexico: Cell phone jammers installed in churches…would likely nuke nearby WiFi as well…

http://www.cnn.com/2004/TECH/ptech/10/19/cellphonejammers.ap/

Page 93: Don’t Get Stung

Copy protection built into “smart” cellphone game “Mosquitoes” rewritten as Trojan to call expensive premium numbers using embedded Symbian OS

“Sooner or later, I expect I will be advising people not to run unknown applications for their refrigerators and cars,” he says. “It is becoming more of a danger as we embed OS into more of our lives.” --Panda Software CTO Patrick Hinojosa

http://wireless.newsfactor.com/story.xhtml?story_title=Mosquito-Trojan--Copy-Protection-Gone-Wrong&story_id=26310&category=wlssecurity

Page 94: RFID Security: Brave New World?

– RFIDs are poised to become ubiquitous
– RFIDs have no security and can be hacked
– “The thinking is, security is a secondary issue right now that will be fixed once deployments are underway” – Jeff Woods, Gartner Research Director

Ya, that strategy has worked so well for Windows XP, WEP, Iraq…

http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=RFID--The-Next-Security-Nightmare-&story_id=26104&category=mobsec

Page 95: [summary diagram; callout text follows]

– Prevent theft; BIOS pw; encrypt files; backup data; disaster plan
– Change default; don’t broadcast
– Change default admin logon/pw; disable remote admin
– only if no WPA; rotate keys manually
– Implement now; choose secure PSK
– WPA2 = 802.1X, 802.11i, RSN; VPN + RADIUS for enterprises
– Patch OS frequently to plug security holes; read media for new WLAN exploits
– Implement and enforce wireless security AUP/TOS
– Got WPA?
– Weekly or automatically
– Implement MAC filtering

Page 96: WLAN Security Basics Checklist

– Pay attention to geographical location of AP (parking lot coverage)
– Disable file & print sharing if not needed; never share root
– Disable SSID broadcasting (default = enabled for most products)
– Change the SSID to something non-default and boring
– Upgrade firmware of AP/client to increase security (WPA)
– Change default admin login/password for AP; disable remote admin
– Configure AP to enable MAC address filtering (not perfect, yes…)
– Enable WPA PSK now! For enterprises: RADIUS, WPA2
– Only use WEP as last resort (legacy hardware; rotate keys often)
– Wardrive yourself to audit your security (got rogue teenager AP?)

Page 97: The Tao of Network Security

1994-1999: Information Access

Page 98: The Tao of Network Security

1994-1999: Information Access
2000-2005: Information Denial

Page 99:

Page 100: Addendum: It’s the Basics, Stupid

http://www.canada.com/technology/story.html?id=80bc4cc6-f3e3-4960-9b70-91c260e63931

Page 101: Remember: Common Threats Are Common!

“Wired” attacks are still much more common than WLAN exploits:
– Buffer Overflow attacks based on Windoze vulnerabilities (increasingly zero-day exploits): Sasser, CHM, etc.
– Phishing for passwords, bank accounts (↑↑ sophistication)
– M$ Outlook/OE exploits: worms, viruses, blended threats
– Hostile websites: spyware, malware, browser hijacking
– Keystroke loggers: disgruntled employees, spouses, kids
– IM attacks: embedded malign URLs, spim, predators…

Page 102: Are Most Users too Stupid for the Internet?

• Why not require a license for internet access?
• Wired Article: “Are You Too Stupid to Surf?” http://www.wired.com/news/privacy/0,1848,60416,00.html
• Several Downsides:
  • People don’t trust the Gummint (look at TIAO Initiative furor)
  • Money
  • Your Grandma wouldn’t pass the test…ever.
  • If stupid Merkins are kept offline, how about the rest of the world we haven’t “liberated”…yet?

Page 103: Are Most Users too Stupid for the Internet?

How to get H@cked and 0wn3d in 7 easy Steps:

• Never update your Anti-virus program’s definitions
• In fact, let the free version on your new computer expire
• Click on all e-mail attachments with wild abandon
• Never use a firewall (equivalent: Windoze fw only)
• Keep thinking that OS security updates are for girlie men
• Go to naughty sites and install all “required” programs
• Use insecure, older versions of apps due to nostalgia
• Ignore computer security alerts in the news (news.com)

Page 104

References

Page 105

Online Resources

WLAN Specifications

• WiFi™ Alliance (formerly WECA): http://www.wi-fi.org/
• IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
• IEEE 802.11i (restricted): http://standards.ieee.org/reading/ieee/std/lanman/restricted/802.11i-2004.pdf
• Lots of interesting unrestricted IEEE documents: http://www.ieee802.org/11/Documents/DocumentHolder/
• Bluetooth: https://www.bluetooth.org/
• HIPERLAN/2:
  • Official Specs: http://www.hiperlan2.com
  • IEEE Communications Overview: http://www.ihp-ffo.de/systems/Doc/Vorlesung/MC/%DCbung/Gruppe7-Hiperlan/0130khun.pdf
• HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
• Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149

Page 106

Wardriving Software

• NetStumbler: http://www.netstumbler.com/
• MacStumbler: http://www.macstumbler.com/
• BSDAirtools: http://www.dachb0den.com/projects/bsd-airtools.html
• AirSnort: http://airsnort.shmoo.com/
• Kismet: http://www.kismetwireless.net/
• Wellenreiter: http://www.wellenreiter.net/

Lots of other tools: http://wardrive.net/wardriving/tools

Page 107

Page 108

Online Resources

Basic 802.11 Security

• WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php (old)
• WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
• WEP Insecurity: http://ftp.die.net/mirror/papers/802.11/wep_attack.html (no longer on: http://www.cs.rice.edu/~astubble/wep/wep_attack.html)
• WPA/WPA2: http://www.wi-fi.org/OpenSection/protected_access.asp
• Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
• Netstumbler: http://www.netstumbler.com
• Wireless Glossary: http://www.devx.com/wireless/Door/11333 (heh heh)
• Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html

Page 109

Online Resources

Advanced WLAN Security/Continuing Security Education

• SANS: http://www.sans.org
• Internet Storm Center: http://isc.sans.org
• Wireless LAN Security Site: http://www.drizzle.com/~aboba/IEEE/
• News.com: http://www.news.com
• Wireless News Factor: http://wireless.newsfactor.com
• WiFi Planet: http://www.wi-fiplanet.com/
• NetworkWorldFusion: http://www.nwfusion.com/topics/security.html
• Google it: search Google for “WLAN security” and/or “WiFi security”
• Cool list of WLAN Security Links: http://www.corecom.com/html/wlan.html
• Still More whitepapers: http://www.wlana.org/learning_center.html

Page 110

Online Resources

AFH Topics

•People are stupid: Wireless Equivalent Privacy: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search

• People are stupid 2: Wireless Encryption Protocol: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22

•HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html

• ECHELON: http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_echelon_en.pdf

•TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html

Page 111

Page 112

Offline Resources

Books/Articles: Computer Security Essentials

Skoudis E, Counter Hack, Upper Saddle River, NJ: Prentice Hall PTR, 2002. ISBN 0-13-033273-9 (amazing book! dozens of black hat techniques with countermeasures)

Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company, 1994. ISBN 0-201-63357-4 (a classic)

Chapman DB, Zwicky ED, Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-156592-124-0 (first edition includes excellent appendix on basics of ISO/OSI TCP/IP stack)

Anonymous, Maximum Security, Fourth Ed., Indianapolis: SAMS Publishing, Dec 2002 (excellent resource)

Page 113

Offline Resources

Books/Articles: WLAN Security

Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable & entertaining; most practical 3-space reference thus far)

Peikari C, Fogie S, Wireless Maximum Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])

Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (almost incomprehensible at times, but good reference)

Vladimirov A, Gavrilenko K, Mikhailovsky A, Wi-Foo: The Secrets of Wireless Hacking, Boston (etc.): Addison-Wesley, 2004 (Good overview of WLAN security from Black Hat perspective; grammatical issues)

Page 114