
Chapter 2. Under Siege

"Assess yourself and your opponents."

Ho Yanxi

Why Are "They" After Your Wireless Network?

In the "good old days," Internet access was a privilege of the few and many used to try getting access by all means possible. A common way to achieve unauthorized access was wardialing, or calling through long lists of phone numbers using automated tools such as Tonelock for MS-DOS or BreakMachine / Sordial for UNIX in search of modem tones and then trying to log in by guessing a username/password pair. The term wardriving, as well as everything else "war + wireless," originated from these BBS and wardialing days. Today wardialing is not that efficient, even though you can still stumble on a guessable username and password on an out-of-band login set up for remote router administration via an AUX port, in case the main WAN link to the router fails.

In the age of cheap broadband connections everywhere, is getting free bandwidth worth the effort or the gasoline and parking fee? Is it really about the bandwidth and getting access to the Internet, or are there other reasons for people to buy wireless equipment, configure the necessary tools, and drive, walk, or climb out of their comfortable home to search for packets in the air? At least wardialing did not require leaving one's room and getting a laptop or PDA, as well as wireless client cards and (in some cases) even access points.

We can outline at least six reasons for such "irrational" and "geeky" behavior by would-be wireless attackers.

1. It is fun. Many geeks find hacking that involves tweaking both software (sniffing / penetration tools) and hardware (PCMCIA cards, USB adapters, connectors, antennas, amplifiers) more exciting than more traditional cracking over wired links. The same applies to being able to hack outdoors, while driving, while drinking beer in a pub that happened to be in some unlucky network's coverage zone, and so on.

2. It gives (nearly) anonymous access and an attacker is difficult to trace. Any time the attacker logs in from his or her ISP account, he or she is within a single whois command and a legally authorized phone call from being caught. The "traditional" way of avoiding being traced back is hopping through a chain of "owned" hosts that then get rm -rfed (or, in the case of a more experienced attacker, shredded, defiled, decimated, or bcwiped) after a serious attack is completed and the time for an escape sequence has arrived.

There are a few significant disadvantages (from a cracker's viewpoint) of such a method. A cracker still needs an ISP account, for which he or she has to supply credentials. He or she also needs enough "rooted" hosts to hop through; ideally these hosts must belong to different networks in different countries. If one of the targeted hosts implements log storage on a nonerasable medium (e.g., CD-R, logs sent to a printer), a cracker is in deep trouble. The same applies to secure centralized logging if a cracker cannot get into the log server. LIDS installed on the attacked host can bring additional trouble; suddenly getting "w00t" is not really getting anywhere. Finally, one of the used hosts can be a trap. Thanks to Lance Spitzner's work, honeypots and even honeynets are growing exceedingly popular among the security community. The bottom line is this: Hiding one's tracks this way is a complex process that includes many steps. Each one of these steps can suddenly become a point of failure.

With wireless cracking, things are different. There is no ISP involved (save for the target's ISP) and the trace would lead to the attacked and abused wireless network, where it would literally dissolve in the air. Even if a person with a laptop or a car with a mounted antenna was spotted near the wireless network from which the attack originated, authorities would have a very hard time finding the cracker and proving he or she is guilty. If before and after the attack the cracker has changed his or her wireless client card MAC address, and removed all the tools and data relevant to the attack from the laptop or PDA, then proving the attacker's guilt becomes frankly impossible. Even if you or the company guards approach the cracker during an attack, as long as the cracker is not on the premises, he or she can simply refuse to cooperate and leave. What are you going to do? Take a laptop by force from a stranger on a street?

3. Some might view illicit wireless access as a way of preserving one's online privacy. Recent legislation in the United Kingdom (the infamous RIP, or The Regulation of Investigatory Powers Bill) makes online privacy practically impossible, with ISP logs required to be kept for up to seven years. This legislation is primarily a response to September 11 and the U.S. Patriot Act, which many other countries have followed in terms of introducing somewhat similar regulations. An unintended result of this is to encourage users keen on privacy to view the Internet connection via someone's WLAN as a good way of remaining anonymous. Of course, at the same time they will violate the privacy of the abused wireless network's owners, but most people are generally selfish. In addition, because they might not trade pirated software or pornography, send SPAM, or crack local or remote hosts, they will not view their action as something explicitly illegal: It's just "borrowing the bandwidth" for "self-defense" reasons.

4. In addition, there are purely technical reasons (apart from the vague network perimeter) that make wireless networks very attractive for crackers. An access point is not a switch; it's a hub with a radio transceiver. When was the last time you saw a shared wired Ethernet network? Putting a network interface into promiscuous mode and sniffing out all the Telnet / POP3 / SMTP passwords and NTLM hashes on a LAN looked like a thing of the past until 802.11 networks came into broad existence. At the same time, due to improper network design, an attacker associated with a wireless network will often find himself or herself connected straight to a wired LAN behind the corporate firewall with many insecure and unpatched services exposed to an unexpected attack. Security-illiterate system administrators might ignore the security of the "inner LAN" altogether, equating network security with the settings of the perimeter firewall. It is a very common mistake and because of it, once the perimeter firewall is bypassed, you can still find old Winsock Windows 95 machines, unpatched wu-ftpd 2.6.0 daemons, passwordless shares, flowing LM hashes, and similar awful security blunders. Another technical point to be made is that due to the high anonymity of wireless access, crackers can play dirty to achieve maximum break-in efficiency. By that we primarily mean that powerful but very "noisy" vulnerability discovery tools, initially aimed at system administrators auditing their own networks without a need to hide, can be run by wireless attackers without fear of reprisal. Such tools include Nessus, Satan/Saint/Sara, ISS and RETINA, and so forth.

5. A cracker can install a PCMCIA / PCI card / USB adapter / rogue access point as an out-of-band backdoor to the network. All the pages of sophisticated egress filtering rules on the corporate firewall suddenly become useless and a sensitive information leak occurs where no one expects it. On the other hand, unruly users can install wireless devices, from PCMCIA cards in ad-hoc mode to access points, without company system administrators even knowing about it. When they do find out, it could be too late. It is simply an evolution of the infamous case of users connecting a modem and opening a hole in an otherwise secure network by creating a new insecure point of external entry. When a frontal attack against the corporate gateway fails, a desperate Black Hat might attempt to scan the company premises for insecure wireless access points or ad-hoc networks and succeed.

6. There is always "opportunistic cracking." If you had the chance to read your neighbors' e-mails and check which Web sites they were surfing, would you resist it? If a neighbor has an insecure wireless network, chances are an opportunistic attack will occur. What if the network in question is a corporate WLAN that opens future access into a large, impressive wired network, with the possibility of sensitive data flow and a very high-speed connection to the Internet? Opportunistic cracking of this kind is the victim's nightmare: The attacker does not have to go anywhere, is not limited by battery power, can involve a more powerful desktop machine in executing the attack, and is likely to have some form of Internet access at hand to get the necessary tools and manuals to carry out an intrusion. Besides, a stationary attacker can sell illegally obtained bandwidth to neighbors and friends, basically operating a small do-it-yourself wireless ISP at the unsuspecting company's expense.

We are quite sure that there are more reasons for targeting wireless networks than entertainment, hiding one's tracks, anonymity, privacy, lateral attacks against well-protected gateway networks, out-of-band backdoor insertion, and, of course, free bandwidth. However, even these reasons should be sufficient to set alarms off for anyone planning to install a wireless network or secure an already existing one.