[ISN] Wireless Hackers Leave No Tracks

InfoSec News isn at c4i.org
Tue Jun 8 02:55:12 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,93625,00.html

Security Manager's Journal by Vince Tuesday 
JUNE 07, 2004
COMPUTERWORLD

I'm a parasite. I didn't pay for the bandwidth I'm using right now. I 
didn't ask for permission to use it -- I don't even know whom to ask. 
But I'm on holiday, I have a few bits of work to finish up before I 
can relax, and I need to send my e-mail. 

The broadband service in the rented house doesn't work, so I stuck in
my wireless LAN card and found two WLANs covering the house. One has a
service set identifier (SSID) of "lopez" and has Wired Equivalent
Privacy turned on; the other has an SSID of "default" and no WEP.

My wireless card has automatically associated with the "default" base
station, which gave me a Dynamic Host Configuration Protocol address.
Now I'm connected to the Internet at 11 Mbit/sec. with no fee and no
restrictions on what I can do.

When WLANs hit the mainstream a few years ago, the security focus was
on confidentiality, and vendors included WEP to encrypt data in the
air. WEP has flaws -- it might not stop a snooper in your parking lot from
reading your data -- but just the fact that "lopez" had it turned on
was enough to turn my attention elsewhere. Why hack "lopez" when
"default" is sending in the clear?

But having data sniffed from the air isn't the real threat that
wireless poses. That problem is easily solved by using cryptography. A
bigger worry is "de-perimeterization," which is a fancy way of saying
that the walls of the normal fortress model are falling away, thanks
in part to wireless. In the good old days, you inventoried all
external connections and put firewalls in front of them. Now, nearly
every organization has so many connections to the outside that it
isn't feasible to set up firewalls to control access to all of them.  
If your wireless users need access to all of the internal services,
what can you block with a firewall?

And if you're a hacker, why bother trying to intercept data from the
traffic flying about when you can just connect to the network and
pretend to be a legitimate client? Once you become a full node on the
network, you don't have to wait for a client to connect to download
the information you want and sniff it. Instead, you can just waltz
right in and take what you want. This is a lot less covert, but unless
the target has a hair-trigger intrusion-detection system configuration
and very good triangulation equipment, you probably won't be
discovered.

My company's authorized wireless access points have strong
authentication, so only legitimate clients can connect, but all our
exterior defenses might be for naught if a staff member plugs in a $99
access point.

To protect against this, my team and I run regular sweeps to check for
illegitimate access points that might allow unauthorized users to
connect. We had a few early run-ins with staff when we began the
sweeps, but now the authorized service is so good that everyone is
happier using that than they would be trying to sneak new equipment
into the office.
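The sweep described above boils down to comparing what the radios can hear against an inventory of what is allowed to be there. The following is an added example, not the column's or the author's own tooling: it parses a constructed scan listing (one access point per line, fields separated by "|"), checks each BSSID against an assumed inventory of authorized radios, ignores SSIDs already catalogued as belonging to neighbouring businesses, and flags the rest. It also catches two cases the paragraph hints at: an unknown radio advertising the corporate SSID, and an authorized radio whose SSID or security setting no longer matches the inventory. The field names, the sample data and the signal-strength threshold are all assumptions.

```python
"""Rogue access-point sweep: compare a wireless scan against an inventory.

Added example, not code from the column. The inventory, the neighbour
list and the scan listing below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed inventory of authorized APs, keyed by BSSID (the radio's MAC).
AUTHORIZED = {
    "00:0c:41:aa:bb:01": {"ssid": "corp-wlan", "security": "802.1X"},
    "00:0c:41:aa:bb:02": {"ssid": "corp-wlan", "security": "802.1X"},
}

# Constructed list of SSIDs already identified as the bars and restaurants
# next door; they are reported but not treated as rogues.
KNOWN_NEIGHBOURS = {"cafe-orders", "bistro-kitchen"}

CORPORATE_SSIDS = {ap["ssid"] for ap in AUTHORIZED.values()}

# Assumption: a signal stronger than this is probably transmitting from
# inside the building rather than from the street or a neighbour's premises.
NEAR_DBM = -60

# Constructed scan output: bssid|ssid|channel|security|signal_dbm
SAMPLE_SCAN = """
# authorized corporate radios
00:0c:41:aa:bb:01|corp-wlan|6|802.1X|-48
00:0c:41:aa:bb:02|corp-wlan|11|802.1X|-55
# unknown radio using the corporate SSID (evil twin)
00:0c:41:aa:bb:ff|corp-wlan|1|open|-52
# restaurant next door
00:1e:00:11:22:33|cafe-orders|6|open|-80
# printer shipped with its wireless card enabled, inside the building
00:04:00:de:ad:01|HP-LaserJet|11|open|-41
# somebody's home router across the street
00:13:10:12:34:56|default|1|open|-78
"""


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    security: str  # "open", "WEP", "WPA-PSK", "802.1X"
    signal_dbm: int


def parse_scan(text: str) -> list[ScanRecord]:
    """Parse the '|'-separated listing; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security, signal = (f.strip() for f in line.split("|"))
        records.append(ScanRecord(bssid.lower(), ssid, int(channel), security, int(signal)))
    return records


def classify(rec: ScanRecord) -> tuple[str, str]:
    """Return (verdict, reason) for one heard access point."""
    known = AUTHORIZED.get(rec.bssid)
    if known is not None:
        if known["ssid"] != rec.ssid or known["security"] != rec.security:
            return "misconfigured", f"authorized radio now advertises {rec.ssid}/{rec.security}"
        return "authorized", ""
    if rec.ssid in CORPORATE_SSIDS:
        # Corporate name from a radio we do not own: impersonation, not a neighbour.
        return "impersonation", "corporate SSID from an unknown radio"
    if rec.ssid in KNOWN_NEIGHBOURS:
        return "neighbour", ""
    where = "likely inside" if rec.signal_dbm > NEAR_DBM else "likely outside"
    crypto = "no or weak encryption" if rec.security in ("open", "WEP") else "encrypted"
    return "rogue", f"{where}, {crypto}"


def sweep(text: str) -> dict[str, tuple[str, str]]:
    """Classify every AP in a scan listing, keyed by BSSID."""
    return {rec.bssid: classify(rec) for rec in parse_scan(text)}


def actionable(findings: dict[str, tuple[str, str]]) -> list[str]:
    """BSSIDs that need a walk of the floor, worst first."""
    order = {"impersonation": 0, "misconfigured": 1, "rogue": 2}
    hits = [b for b, (v, _) in findings.items() if v in order]
    return sorted(hits, key=lambda b: order[findings[b][0]])


if __name__ == "__main__":
    results = sweep(SAMPLE_SCAN)
    for bssid in actionable(results):
        verdict, reason = results[bssid]
        print(f"{bssid}  {verdict:<14} {reason}")
```

Keying on BSSID rather than SSID matters: an attacker choosing the corporate SSID is exactly the case that should be reported, and a vendor device advertising a default name is recognisable by its MAC prefix long before anyone opens its Web page. The signal threshold is only a hint for where to start walking; triangulating with a second scan position is still needed to pin a rogue down.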


Insecure Access

In these sweeps, we've detected many access points that are
transmitting from outside the company walls. It's interesting to see
that all the bars and restaurants near our offices have WLANs for
waiters to send orders to the kitchen. All are insecurely configured.  
However, since the worst anyone could do is jump the queue for
ordering drinks, perhaps the low level of protection is all that's
necessary.

The only time I really went white was when a sweep at my company
identified more than 30 unauthorized access points on a single floor.  
I couldn't imagine why an entire department would go crazy and try to
provide its own competing WLAN service.

But when I tried to connect to one of the access points, I could get
only a printer service Web page. It turned out that our printer vendor
had shipped a batch of printers with wireless printing support enabled
by default. Each was functioning as a WLAN access point. We disabled
the cards and asked the vendor to do the same with future orders.

Rogue access points in the office are a problem we can solve, but the
real WLAN problem that strikes terror into my heart is the home user.

Before WLANs, if I were a hacker or virus writer or if I wanted to
download or share illegal material, I had limited options. I could use
my own account and eventually get caught after the feds tracked the
abuse back to me. I could steal an AOL account by phishing until the
feds used phone traces to catch me. Or I could wander into a Web cafe,
do my evil deeds and flee, leaving closed-circuit TV footage,
fingerprints and physical evidence the feds could use to put me behind
bars.

With WLANs, things have changed. On most streets in big metropolitan
areas, a few people have broadband, and at least one uses it with an
insecure wireless connection. Perhaps half of those people turn on the
Windows XP firewall, but a host firewall won't stop an attacker from
joining the network. They just get
within range and connect. There's no physical evidence, no
closed-circuit TV, and the poor schmuck whose broadband connection
gets used is the one whom the feds raid.

So while the WLAN connection I'm using now is helpful to me as I
finish up my work while on holiday, someone else could just as easily
be using it to launch attacks before disappearing anonymously back
into the night.

There's no chance that home users will move to two-factor
authentication for their wireless networks, so I'm making sure that my
current designs for Web-facing infrastructure don't rely on being able
to track down and stop attackers. Clearly, that's no longer possible.


This week's journal is written by a real security manager, "Vince
Tuesday," whose name and employer have been disguised for obvious
reasons. Contact him at vince.tuesday at hushmail.com
