Date posted: 20-Jan-2016
CIA XXIV. Copyright (C) 2004 Robert C. Jones, M.D. All Rights Reserved.
Wireless LAN INsecurity 2004
Robert C. Jones, M.D.
LtCol, USAF, Medical Corps
Staff Anesthesiologist
Andrews Air Force Base, Maryland
E-mail: [email protected]
Web site: http://www.notbob.com
Disclaimer: Fair Use of Online Resources
In order to educate health care providers and other professionals, this presentation contains graphics and information obtained on the internet which may be copyrighted. According to Sections 107 and 504c of United States Code title 17, this material is considered to be “fair use” of copyrighted intellectual property; it is to be used for non-commercial purposes only. “Fair Use” is the use of a copyrighted work for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research. In determining whether the use made of a work in any particular case is a fair use, the factors to be considered shall include:
– The purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
– The nature of the copyrighted work;
– The amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
– The effect of the use upon the potential market for or value of the copyrighted work.
The purpose and character of this presentation is for nonprofit educational purposes in support of Homeland Defense and internet security; the nature of the copyrighted work is individual graphics and quotes; the amount and substantiality of the portion used is minimal; and the effect on the potential market for or value of the copyrighted use is negligible. In fact, the hyperlink references crediting the original sources should increase the market value of said copyrighted works by increasing traffic to the websites presenting this material.
This presentation was produced in the United States Air Force medical environment in the interest of academic freedom and the advancement of national defense-related concepts. The views expressed in this presentation and linked-to material are those of the author(s) of said material and do not reflect the official policy or position of the U.S. Air Force, Department of Defense, the United States government, or the AOMPS. Nor do educational links to internet websites or reference sources constitute any kind or degree of verification or validation of information presented therein. Nobody paid me squat to write this stuff, by the way.
Point of Contact for questions regarding copyright infringement shall be the current U.S. Department of Defense designated agent to receive notification of claimed DMCA copyright infringement (courtesy of Department of Redundancy Department [DoRD]).
Financial Disclosure: I am a Microsoft shareholder, so I can parody and provide commentary upon the products and services of the Microsoft Corporation with impunity.
FAIR USE NOTICE: This contains copyrighted material, which is reproduced under the Fair Use Provision of Title 17, U.S.C. Section 107, and is posted for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. This material is posted without profit for the benefit of those who, by accessing this material, are expressing a prior interest in this information for research and educational purposes.
"We came across a company with one of these wireless networks. All their source code, everything was available. This network was beaconing, 'log onto me'...
It basically had its Rolls-Royce parked in the driveway, engine running, with a sign saying 'steal me.' "
-- Thubten Comberford of White Hat Technologies, a wireless security firm.
http://www.wirelessdevnet.com/articles/80211security/
Wireless INSecurity in the News
http://www.wral.com/technology/2465963/detail.html
Wireless INSecurity is Big Business
$100.00 per page…Think what a bargain this lecture is!
The Basic Network Security Pyramid
Wireless Security 2003
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References
What this talk is NOT about
• Cellular communication technology: GSM, CDMA, 2G, 2.5G, 3G, 4G…
• Uncommon alternatives to Wired LANs: Powerline technology, IR, laser, Avian IP
• How to hack the airwaves for fun & profit
• How to ensure 100% WLAN security
• AFH* Topics: TEMPEST, HAARP, ECHELON
*Aluminum Foil Hat

You can’t afford perfect security
“The only secure computer is one that is unplugged, locked in a secure vault that only one person knows the combination to, and that person died last year.”
Eckel, G and Steen, W., Intranet Working, New Riders, 1996, p. 419
This Talk Is Not For You If:
http://www.geocities.com/Area51/Dreamworld/1799/UNnwo2.html
What this talk is about: Overview of Wireless vs. Wired network security
Introduction to Wireless vs. Wired Networking
Wired Networking
• Inexpensive infrastructure (CAT5 cable + NICs)
• Expensive deployment (drilling through walls)
• Reconfiguring network topology difficult
• Difficult (not impossible!) to intercept communication
• Worldwide exposure to intruders if connected to Net
• Fast! (10/100 Mbps Ethernet, Gigabit ethernet…)
• Negligible interference from environment
Basic Wired Network Topology (diagram: Router, Firewall)
Introduction to Wireless vs. Wired Networking
Wireless Networking
• Expensive infrastructure (clients + APs = cha-ching!)
• Inexpensive deployment (protocols supported in OSes)
• Reconfiguring network topology trivial (?too trivial?)
• Ridiculously easy to intercept communication
• Geographically constrained exposure to intruders*
• Relatively slow (“11 Mbps” marketingspeak = 5 Mbps)
• Massive environmental interference (ISM, path loss)
*ad hoc intranetworks
Basic Wireless Network Topology (diagram: Firewall, Access Point)
Infrastructure Mode (using AP)
Advantages: AP security; isolated net connection
Disadvantages: AP cost, complexity; broadcast range
Basic Wireless Network Topology: P2P Ad Hoc Networks (diagram: Firewall)
Advantages: no addt’l hardware; geographically constrained
Disadvantages: unmanaged P2P net issues; geo. constrained
Basic WLAN Discovery
Beacon Mode (default for 802.11b): AP → STA: 10 Hz signal with SSID in clear text + info regarding security support by AP (WEP, 802.1x, etc.)
Beacon mode shut off: probe from station (STA) with SSID = blank or “any” → valid SSID returned by AP
Basic WLAN Authentication & Association
Authentication: process of verifying the credentials of a client asking to join a WLAN
Association: process of connecting a client to a given AP in the WLAN
802.11 standard specifies 3 states:
• Unauthenticated + Unassociated
• Authenticated + Unassociated
• Authenticated + Associated
Authentication
Default: Open authentication (+/- MAC/SSID filtering): STA “give me access” → AP “granted”
Shared Key Authentication (e.g., WEP): STA “give me access” → AP authentication challenge → STA authentication response → AP “granted”
Generic Wireless Security Exploits
• Physical Theft
• Eavesdropping
• Data Modification
• Identity Spoofing/Masquerading
• Denial of Service (DoS)
Let’s Get Physical
• Physical theft of laptop/PDA: 3rd most common network security threat facing businesses (2003)
• Laptop = Expensive; Proprietary Data = Priceless
• No one is immune (FBI; DEA; IRS; State Department; Qualcomm CEO…)
• Theft of proprietary data: #1 cause of financial loss by corporations
References: State Dept.: http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,54791,00.html; FBI/DEA/IRS: http://www.nwfusion.com/newsletters/sec/2002/01514404.html; Qualcomm CEO: http://zdnet.com.com/2100-11-523990.html?legacy=zdnn
Source: http://www.gocsi.com/awareness/fbi.jhtml
Generic Wireless Network Exploits: Physical Theft (Before) (diagram: Firewall, Access Point)
Generic Wireless Network Exploits: Physical Theft (After) (diagram: Firewall, Access Point)
Generic Wireless Network Exploits: Eavesdropping Case 1: Wardriving (diagram: Firewall, Access Point; wardriver: “Gotcha!”)
Generic Wireless Network Exploits: Eavesdropping Case 2: Office Building (diagram: Firewall, Access Point; eavesdroppers: Your Competitor, Tabloid, Terrorist)
Generic Wireless Network Exploits: Eavesdropping Case 3: Rogue APs (diagram: Firewall, Access Point, Rogue Access Point)
Generic Wireless Network Exploits: Eavesdropping Case 4: P2P Ad Hoc Networks (diagram: Firewall)
• Insecure modem connection
• Insecure connection to outside APs
• Unwise placement
• High-power client
• Unauthorized antenna
The 100 meter myth
• Increasingly powerful 802.11x clients available: 200 mW PCMCIA cards advertise 6000+ ft range http://products.wi-fiplanet.com/wifi/pc_card_16-bit/1058052117.html
• Most WiFi® adapters have external antenna connections; even homemade antennas work well
Generic Wireless Network Exploits: Data Modification (Man in the Middle Attack) (diagram: Firewall, Access Point)
Alice → Bob: “Need project now!”
Cats (in the middle): Listen, Read, Corrupt, Forge, Send, Corrupt, Chortle
Bob receives: “Meeting postponed; go home early”
Ref: Edney J, Arbaugh WA, Real 802.11 Security, pp. 37-40
Generic Wireless Network Exploits: Identity Spoofing (diagram: Firewall, Access Point)
Alice: MAC Address: 0000deadbeef; SSID: default
Cats: Spoof MAC Address: 0000deadbeef; SSID: default
Bob: Looks like your company’s IP to the FBI!
Generic Wireless Network Exploits: Denial of Service (DoS) (diagram: Firewall, Access Point)
Sources of 2.4 GHz interference: 2.4 GHz jammer, microwave oven, Bluetooth device, cell phone
What this talk is about: Risks of specific WLAN technologies
Risks of Specific WLAN technologies
802.11x/WiFi™
• ISM vulnerability
• MAC/SSID authentication insecurity
• WEP insecurity
Bluetooth
HIPERLAN/2 (Europe: ETSI*)
HiSWAN (Japan: MMAC†)
*European Telecommunications Standards Institute: http://www.hiperlan.uk.com/pages/hiperlan.htm
†Multimedia Mobile Access Communication: http://www.arib.or.jp/mmac/e/
IEEE 802.11 Risks
ISM: Industrial, Scientific, and Medical Spectrum
Not reserved: Allocated for “Amateur” use
Long list of things that cause interference in 2.4 GHz range:
• 2.4 GHz cell phones/portable phones
• Microwave ovens
• Stained glass windows
• Portable jammers (illegal in USA)
MAC/SSID Vulnerability
MAC = media access control address
• Hardcoded in all NICs
• Easily spoofed (Win 9x, Linux; not WinXP)
SSID = Service Set Identifier
• Used to define networks
• By default, broadcast by access points
• Will be given out by AP if client configured with “any” or blank SSID
Default SSIDs
• 3Com: comcomcom
• Cisco: 2, tsunami, WaveLAN Network
• Compaq: Compaq
• DLink: WLAN
• Intel: 101, 195, xlan, intel
• Linksys: linksys, Wireless
• Netgear: Wireless
• Zcomax: any, mello, Test
http://www.iss.net/wireless/WLAN_FAQ.php; http://www.cirt.net/cgi-bin/ssids.pl
With AP manufacturer, trivial to determine default administrator username/password!
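The discovery, MAC/SSID and default-SSID slides above describe what a beacon or probe response gives away (SSID, the AP's MAC, whether encryption is on) and why a factory-default SSID or an unknown AP on your premises (the "Rogue APs" case) matters. The following is an added example, not code from the slides or from any of the tools they name: an inventory check over wardriving-style observations that flags factory-default SSIDs (the list on this slide), APs advertising no encryption, APs whose BSSID is not on the organisation's allow-list, and APs that hide their SSID in beacons but hand it out in a probe response. The log format, the BSSIDs, the allow-list and the use of the 802.11 Privacy capability bit as the "encryption on" indicator are assumptions made for the example.

```python
"""Access-point inventory check over wardriving-style observations.

Added example; not code from the original slides or from any tool named on
them. The log lines, BSSIDs and allow-list are constructed sample values.
"""
from dataclasses import dataclass

# Factory-default SSIDs as listed on the 'Default SSIDs' slide, lower-cased.
DEFAULT_SSIDS = {
    "comcomcom", "2", "tsunami", "wavelan network", "compaq", "wlan",
    "101", "195", "xlan", "intel", "linksys", "wireless",
    "any", "mello", "test",
}

# Finding labels returned by audit().
F_ROGUE = "unknown BSSID (possible rogue AP)"
F_DEFAULT_SSID = "factory-default SSID (vendor and default admin login guessable)"
F_OPEN = "no encryption advertised (Privacy bit clear)"
F_HIDDEN_LEAK = "SSID hidden in beacons but disclosed in probe response"


@dataclass(frozen=True)
class Observation:
    bssid: str     # AP MAC address seen in the frame
    ssid: str      # "" when the beacon carries no SSID (beaconing 'shut off')
    privacy: bool  # 802.11 capability 'Privacy' bit: WEP/WPA in use
    source: str    # "beacon" or "probe-response"


def parse_observation(line: str) -> Observation:
    """One constructed log line: bssid,ssid,privacy(0|1),source."""
    bssid, ssid, privacy, source = [f.strip() for f in line.split(",")]
    return Observation(bssid.lower(), ssid, privacy == "1", source)


def audit(log_lines, authorised_bssids):
    """Groups observations per AP and returns {bssid: [findings]}."""
    by_bssid = {}
    for line in log_lines:
        if line.strip():
            obs = parse_observation(line)
            by_bssid.setdefault(obs.bssid, []).append(obs)
    authorised = {b.lower() for b in authorised_bssids}
    report = {}
    for bssid, seen in by_bssid.items():
        findings = []
        if bssid not in authorised:
            findings.append(F_ROGUE)
        if any(o.ssid.lower() in DEFAULT_SSIDS for o in seen if o.ssid):
            findings.append(F_DEFAULT_SSID)
        if any(not o.privacy for o in seen):
            findings.append(F_OPEN)
        # Beaconing turned off is not secrecy: the AP still answers probes.
        hidden_beacon = any(o.source == "beacon" and o.ssid == "" for o in seen)
        named_probe = any(o.source == "probe-response" and o.ssid for o in seen)
        if hidden_beacon and named_probe:
            findings.append(F_HIDDEN_LEAK)
        report[bssid] = findings
    return report


# Constructed sample capture: bssid,ssid,privacy,source
SAMPLE_LOG = """\
00:0c:41:aa:bb:01,corp-net,1,beacon
00:0c:41:aa:bb:02,linksys,0,beacon
00:0c:41:aa:bb:03,,1,beacon
00:0c:41:aa:bb:03,corp-guest,1,probe-response
00:00:de:ad:be:ef,tsunami,0,beacon
"""
# Constructed allow-list of the organisation's own access points.
AUTHORISED_BSSIDS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02", "00:0c:41:aa:bb:03"}

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_LOG.splitlines(), AUTHORISED_BSSIDS).items():
        print(bssid, "->", "; ".join(findings) if findings else "OK")
```

Run against a real capture, the interesting output is the last line of the sample: an AP that is not yours, still on its Cisco default SSID, with no encryption. That is the "rogue AP" picture from the eavesdropping slides, and the allow-list comparison is what turns a wardriving tool's output into an audit of your own network, which is the business use the deck recommends.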
WEP…what is WEP?
Wired Equivalent Protocol (NOT Wireless Encryption Privacy)
First defined in 1999 ANSI/IEEE Std. 802.11, section 8.2
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
Never intended to provide strong security; goals:
• “Reasonably strong” (dependent on key length)
• “Self-synchronizing” (for “best effort” delivery)
• “Efficient” (low processor overhead)
• “Exportable” (pre-1999 ITAR climate [Phil Zimmerman])
• “Optional” (so lusers don’t whine to hardware manufacturers when they mess up WEP on their networks – DISABLED out of the box by all OEMs as of 2003 AFAIK*)
*AFAIK = As far as I know
Encryption Basics
• Need to hide message (plaintext) = needle
• Generate random stuff (encryption key) = piece of hay
• Multiply random stuff (keystream) = haystack
• Hide message in haystack (XOR): needle + haystack = ciphertext
(diagram: XOR Logic Gate)
Intro to Encryption: http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm; http://www.mesda.com/files/infosecurity200309.pdf; http://hyperphysics.phy-astr.gsu.edu/hbase/electronic/xor.html
How is WEP supposed to work?
• Secret key combined with IV, run through WEP cipher PRNG (RC4)
• Plaintext XORed with key sequence (irreversible without key)
• Ciphertext output sent over airwaves after encapsulation into IP packets
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
What is RC4?
• One encryption algorithm (many others: DES, IDEA, Blowfish, AES, etc.)
• Efficient streaming cipher (low overhead) – used in SSL encryption (online banking, etc.)
• Proprietary trade secret of RSA Inc. http://www.rsasecurity.com
• Presumed RC4 source code uploaded to Usenet newsgroup sci.crypt 13 Sep 1994…all open source RC4 implementations based on this anonymous post (including WEP)!
From: [email protected] (An0nYm0Us UsEr)
Newsgroups: sci.crypt
Subject: RC4 ?
Date: 13 Sep 1994 21:30:36 GMT
Organization: Global Anonymous Remail Services Ltd.
Lines: 83
Message-ID: <[email protected]>
NNTP-Posting-Host: xs1.xs4all.nl
X-Comment: This message did not originate from the above address.
X-Comment: It was automatically remailed by an anonymous mailservice.
X-Comment: Info: [email protected], Subject: remailer-help
X-Comment: Please report inappropriate use to <[email protected]>
SUBJECT: RC4 Source Code
I've tested this. It is compatible with the RC4 object module that comes in the various RSA toolkits.
/* rc4.h */
http://groups.google.com/groups?selm=35gtd7%24404%40ccu2.auckland.ac.nz&oe=UTF-8&output=gplain
Why is WEP Broken?
• First paper: Fluhrer, Mantin, Shamir (encryption flaws) http://www.securityfocus.com/data/library/rc4_ksaproc.pdf
• WEP attack using FMS method: Stubblefield, Ioannidis, Rubin http://www.cs.rice.edu/~astubble/wep/
• WEP standard implements RC4 improperly http://www.rsasecurity.com/rsalabs/node.asp?id=2009
• Flaws in key scheduling algorithm: large number of weak keys → encryption easily cracked
• IV is sent in the clear with each chunk – subtract 24 bits of IV from encryption key length
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?RC4
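The "Encryption Basics", "How is WEP supposed to work?" and "Why is WEP Broken?" slides describe the same mechanism from three sides: XOR with a keystream hides the needle in the haystack, WEP builds that keystream by running RC4 over IV || secret key, and the 24-bit IV that rides in the clear both shrinks the real key and, because the IV space is tiny, is bound to repeat. The following is an added example, not code from the slides, the IEEE standard or any driver: a minimal WEP-style cipher that shows the construction, the "64-bit WEP is a 40-bit key" arithmetic, what an IV repeat exposes (the XOR of two plaintexts, with no key involved) and the birthday-bound probability of such a repeat after a given number of frames. It does not implement the FMS key-recovery attack; the keys, IVs and messages are constructed sample values.

```python
"""WEP-style RC4 keystream cipher and the IV problem.

Added example; not code from the original slides or from any WEP
implementation. All keys, IVs and messages are constructed sample values.
"""
from typing import Optional

IV_BITS = 24                 # WEP's per-frame initialisation vector is 3 bytes
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 as in the 1994 sci.crypt post: the KSA permutes S under the key,
    then the PRGA emits one keystream byte per step."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The 'hide the needle in the haystack' step: plaintext XOR keystream."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || secret key; the IV is transmitted in the
    clear in front of the ciphertext so the receiver can rebuild the keystream."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 3 bytes")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """XOR is its own inverse: regenerate the keystream from IV || key."""
    iv, body = frame[:IV_BITS // 8], frame[IV_BITS // 8:]
    return xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))


def effective_key_bits(advertised_bits: int) -> int:
    """'64-bit' WEP carries a 40-bit secret: the 24 IV bits are public."""
    return advertised_bits - IV_BITS


def keystream_reuse_exposure(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Why IV repeats matter: two frames encrypted under the same IV share a
    keystream, so XORing their ciphertexts cancels it and yields the XOR of
    the two plaintexts without any knowledge of the secret key.
    Returns that XOR, or None when the IVs differ (no reuse)."""
    n = IV_BITS // 8
    if frame_a[:n] != frame_b[:n]:
        return None
    return xor_bytes(frame_a[n:], frame_b[n:])


def iv_collision_probability(frames_sent: int) -> float:
    """Birthday bound: probability that at least one IV value repeats among
    frames_sent frames whose IVs are drawn uniformly from the 24-bit space."""
    p_no_repeat = 1.0
    for i in range(frames_sent):
        p_no_repeat *= 1.0 - i / IV_SPACE
    return 1.0 - p_no_repeat


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")                  # constructed IV
    frame = wep_encrypt(secret, iv, b"Need project now!")
    print("frame (IV || ciphertext):", frame.hex())
    print("decrypted:", wep_decrypt(secret, frame))
    print("'64-bit' WEP secret bits:", effective_key_bits(64))
    other = wep_encrypt(secret, iv, b"Meeting postponed")
    print("same IV -> plaintext XOR exposed:", keystream_reuse_exposure(frame, other))
    print("P(IV repeat after 5000 frames): %.2f" % iv_collision_probability(5000))
```

The collision figure is the practical reading of "subtract 24 bits": even with perfectly random IVs, a busy AP crosses a 50% chance of an IV repeat after roughly five thousand frames, and many 2003-era cards reset the IV counter to zero on power-up, which is worse. This is what TKIP's IV changes and per-packet key mixing on the WPA slide are there to fix.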
Quick Fix for WEP: WPA
• WPA = “WiFi™ Protected Access”
• Available as software/firmware upgrade for most chipsets/manufacturers now or soon
• Subset of upcoming 802.11i security architecture
• Patches major vulnerabilities in WEP:
  – TKIP fixes IV weakness, adds MIC, key mixing, rekeying
  – Supports enterprise user authentication via EAP and 802.1X
  – SOHO mode: Pre-Shared Key (PSK): autorotates key for you
http://www.newswireless.net/articles/021123-protect.html
Risks of non-802.11x WLAN technologies
Bluetooth
• Minimal security “out of the box” – need to RTFM
• Security upgrade in B’tooth Spec. 1.2 http://www.itsecurity.com/tecsnews/jun2003/jun255.htm
• Red Fang: Bluetooth device discovery tool from @Stake (formerly L0pht Heavy Industries) – proof of concept; not very practical http://www.kewney.com/articles/0300910-bluestake.html
References: http://www.webdesk.com/bluetooth-security-issues/; www.giac.org/practical/GSEC/Tu_Niem_GSEC.pdf
HIPERLAN/2
HiSWAN
HIPERLAN/2 and HiSWAN: Future Technologies for Future Talks
Technology needs to “hit the street” for serious security issues to arise
What this talk is about: Wardriving 101
Wardriving 101
• Definition: Mobile discovery of WLANs
• Derived from term “wardialing”: automated dialing of telephone numbers looking for modems (“Wargames”)
• Related terms: Warwalking, warflying, warchalking…
• NOT illegal in USA as of 2003: open ISM spectrum
• HOWEVER, ethical wardrivers NEVER connect to the networks they detect, let alone implant/steal data therefrom (see Jeff Duntemann, Drive-by WiFi Guide) http://www.paraglyphpress.com/pr02242003.php
Why Wardrive?
• Fun: Sense of adventure a la 007
• Informative: Teaches one about WLAN security
• Cheap Hardware: Laptop + client +/- antenna +/- GPS
• Free Software: Netstumbler, BSDAirtools, Airsnort…
• Camaraderie: Group wardriving contests popular
• 31337 Hobby: In-crowd lingo (WEP, )(, tsunami)
• Business tool: Audit your own network to improve security/demonstrate insecurity to management
Wardriving Hardware
• Old laptop with WLAN client +/- GPS
• Pigtail – connects wireless card to antenna
• Antenna – omnidirectional, magnetic mount, low profile best
http://www.wardriving.com/fiva.jpg; “Duško and Vlado summon wireless signals”: http://www.monitor.hr/interview/wireless.htm (in Croatian, from Zagreb)
Wardriving Software
NetStumbler http://www.netstumbler.com/
MacStumbler http://www.macstumbler.com/
BSDAirtools http://www.dachb0den.com/projects/bsd-airtools.html
AirSnort http://airsnort.shmoo.com/
Kismet http://www.kismetwireless.net/
Wellenreiter http://www.wellenreiter.net/
Lots of other tools: http://wardrive.net/wardriving/tools
Preparing for Safe and Ethical Wardrive
• Use non-production box (old laptop) – just in case
• Change network ID to generic name (e.g., MSHOME, localhost)
• Update client software/firmware
• Uninstall TCP/IP from supported wireless card
• Uninstall TCP/IP from integrated wireless (if any)
• Spoof MAC address of wireless card (can’t in XP)
• Delete preferred networks (XP): Control Panel | Network | Card | Properties | Wireless Networks | Preferred Networks – disable prior to wardrive to prevent auto-connection to discovered APs
MAC Address Spoofing
Orinoco Gold on Win 98SE (screenshot)
Red Hat Linux (quoted from a newsgroup post):
"edit /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming it's your eth0 network card that you want to change the MAC for), and add a line like this: MACADDR=AA:BB:CC:DD:EE:FF (Obviously you want to substitute the MAC address you want in place of AA:BB:CC:DD:EE:FF) Then "/sbin/ifdown eth0", "/sbin/ifup eth0", and you should be up and running with the new MAC address. You can use "/sbin/ifconfig eth0" to verify that the new MAC address is in effect -- it shows up in the 'HWaddr' entry on the first line that ifconfig prints (YMMV RTFM HTH)"
http://groups.google.com/groups?selm=bb8vft%24lma%241%40news01.intel.com&oe=UTF-8&output=gplain
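The quoted procedure tells you where to put the new address but not how to pick one. The following is an added example, not code from the original talk: a small Python helper that chooses a spoof address which is unicast and locally administered (so it cannot collide with a real vendor-assigned OUI on the network you are auditing), validates any address you type in, emits the MACADDR= line for ifcfg-eth0, and reads the HWaddr field back out of ifconfig output to confirm the change. The ifconfig output at the bottom is a constructed sample, not captured from a real card.

```python
"""Pick and verify a spoofed MAC for the wardriving box (added example).

IEEE 802 address bits in the first octet: bit 0 = group/multicast,
bit 1 = locally administered. A spoof should be a locally administered
unicast address so it never impersonates a vendor (OUI) address.
"""
import os
import re
from typing import Optional

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'; return 6 raw bytes."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def is_unicast(mac: bytes) -> bool:
    return (mac[0] & 0x01) == 0


def is_locally_administered(mac: bytes) -> bool:
    return (mac[0] & 0x02) != 0


def is_safe_spoof(text: str) -> bool:
    """True if well-formed, unicast and locally administered."""
    try:
        mac = parse_mac(text)
    except ValueError:
        return False
    return is_unicast(mac) and is_locally_administered(mac)


def random_spoof_mac() -> str:
    """Random locally administered unicast address (first octet ends in 2/6/A/E)."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set local bit, clear group bit
    return format_mac(bytes(octets))


def ifcfg_line(text: str) -> str:
    """The line the quoted Red Hat procedure adds to ifcfg-eth0."""
    return "MACADDR=" + format_mac(parse_mac(text))


def hwaddr_from_ifconfig(output: str) -> Optional[str]:
    """Pull the HWaddr field from classic ifconfig output to confirm the change."""
    m = re.search(r"HWaddr\s+([0-9A-Fa-f:]{17})", output)
    return m.group(1).upper() if m else None


# Constructed sample of the first line ifconfig prints after ifdown/ifup.
SAMPLE_IFCONFIG = "eth0      Link encap:Ethernet  HWaddr 02:00:5E:10:20:30  \n"

if __name__ == "__main__":
    chosen = random_spoof_mac()
    print(ifcfg_line(chosen), is_safe_spoof(chosen))
    print(hwaddr_from_ifconfig(SAMPLE_IFCONFIG))
```

Run it, paste the printed MACADDR= line into ifcfg-eth0, bounce the interface as described above, and feed the real `ifconfig eth0` output to `hwaddr_from_ifconfig` to check that the card took the address (some firmware silently ignores the request).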
Conducting Safe and Ethical Wardrive
• Read up on local/national laws before you set out
• Be careful with pigtails: fragile!
• Put the laptop in the back of the car (behind the driver) to prevent distraction (local laws against watching TV, etc., plus a common-sense safety measure)
• Drive during the day: no suspicious eerie glow
• Optimum speed around 30 MPH
• Screenshots: Shift|Print Screen or a graphics program (PaintShop Pro, etc.); stop the car safely if alone
PSP8: http://www.jasc.com
Results of a “WarSit™” in San Francisco
Wardriving + GPS
http://www.netstumbler.com/nation.php
Here there be Warchalkers
• Mainly a mythical meme
• Originated by Matthew D. Jones, Ph.D.
• Open node symbolized by )(
• )( often used as 31337 shorthand for wardriving
• Don't warchalk: the world has enough graffiti
http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
The Basics to Do Now
• Pay attention to the geographical location of the AP (does coverage reach the parking lot?)
• Disable file & print sharing if not needed; never share the drive root
• Disable SSID broadcasting (default = enabled for most products). This only hides you from casual stumblers: clients still send the SSID in probe and association frames, so a passive sniffer sees it.
• Change the SSID to something non-default that says nothing about you or the network (boring = good; Smithfamilydiamonds = bad)
• Upgrade firmware of AP/client to get newer security features (WPA)
• Change the default administrator login/password for the AP
• Leave 802.11 authentication on "Open System" and rely on encryption. WEP "Shared Key" authentication sends a plaintext challenge and its WEP encryption over the air, handing an eavesdropper a block of keystream for that IV; "Open System" plus WEP/WPA gives nothing away.
• Configure the AP for MAC address filtering (not perfect: an attacker can sniff an allowed address and clone it, but it raises the bar)
• Enable WEP/WPA
Bbbbut…isn’t WEP broken?
Yes, but… just because your front door can be picked doesn't mean you shouldn't lock it!
• Never be the low-hanging fruit for attackers
• If you just enable WEP, you are more secure than about 75% of WLAN users (according to wardriving data)
• If you enable WEP + change the SSID from default + change the AP logon/pw: more secure than about 95% of lusers
• Lock it, but treat it as a latch: given enough captured traffic the key is recoverable, so WEP buys time against casual snoopers, not against a determined attacker
Enabling WEP
Orinoco Gold on Win 98SE (screenshot)
Linksys pic modified from: http://www.timhiggins.com/Reviews/images/scrnshots/linksys_wap54g_setup.jpg
Advanced WEP
• Freeware key generators create pseudorandom keys for you to enter (the same key must be entered on the AP and every client; prefer a generator that outputs raw hex rather than deriving the key from a short passphrase)
• Rotate keys frequently (weekly for business, monthly for home at minimum)
• Make sure the highest key-length WEP is enabled (remember, a "64-bit" WEP key is really just 40 bits of secret plus a 24-bit per-packet IV that travels in the clear; "128-bit" is 104 + 24 [thanks, marketing!])
• Upgrade WEP to WPA as soon as possible (look for WPA support in all new hardware)
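The two slides above ("Bbbbut…isn't WEP broken?" and "Advanced WEP") turn on the details of how WEP drives RC4. The following is an added example, not code from the original talk: a minimal WEP frame-body encrypt/decrypt in Python (per-packet key = 24-bit IV || 40- or 104-bit secret, CRC-32 ICV appended before encryption), followed by the two consequences that justify maxing out the key length, rotating keys and moving to WPA: once an IV repeats under the same key, the XOR of two ciphertexts is the XOR of the two plaintexts with no key involved, and a single frame of known plaintext (ARP, DHCP) yields the whole keystream for that IV. The secret key, IV and plaintexts below are constructed for the demonstration.

```python
"""Minimal WEP (802.11-1999) frame-body encryption, as an added example.

Not code from the original talk. Per-packet RC4 key = 24-bit IV || secret
(40 or 104 bits); integrity = CRC-32 "ICV" appended before encryption.
All keys, IVs and plaintexts here are constructed for the demonstration.
"""
import math
import zlib

IV_BITS = 24                       # IV is sent in the clear in every frame
IV_SPACE = 1 << IV_BITS
# Marketing label -> bits of actual secret ("64-bit" = 40 + 24-bit IV).
SECRET_BITS = {"64-bit WEP": 40, "128-bit WEP": 104}


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP uses it with no key mixing or discard."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return (zlib.crc32(plaintext) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body: IV(3) || KeyID byte || RC4_{IV||secret}(plaintext || ICV)."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 3 bytes; secret 5 (40-bit) or 13 (104-bit) bytes")
    payload = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + secret, len(payload))
    return iv + bytes([(key_id & 3) << 6]) + xor_bytes(payload, keystream)


def wep_decrypt(secret: bytes, body: bytes) -> bytes:
    """Decrypt a frame body and verify the ICV; raise ValueError if it fails."""
    iv, ciphertext = body[:3], body[4:]
    payload = xor_bytes(ciphertext, rc4_keystream(iv + secret, len(ciphertext)))
    plaintext, tag = payload[:-4], payload[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def is_valid_frame(secret: bytes, body: bytes) -> bool:
    try:
        wep_decrypt(secret, body)
        return True
    except ValueError:
        return False


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound sqrt(pi/2 * 2^24): a random IV repeats after ~5,100 frames."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def keystream_reuse_leak(body_a: bytes, body_b: bytes) -> bytes:
    """Same IV, same key => same keystream: C_a XOR C_b = P_a XOR P_b, no key needed."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("IVs differ: no keystream reuse between these frames")
    return xor_bytes(body_a[4:], body_b[4:])


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """One frame of known plaintext (ARP, DHCP, ...) yields the keystream for its IV."""
    return xor_bytes(body[4:], known_plaintext + icv(known_plaintext))


def decrypt_prefix_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Decrypt as much of another same-IV frame as the recovered keystream covers."""
    return xor_bytes(body[4:], keystream)


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789")          # constructed 40-bit key
    iv = bytes.fromhex("00000a")                  # constructed IV
    a = wep_encrypt(secret, iv, b"ARP who-has 10.0.0.1")
    b = wep_encrypt(secret, iv, b"HTTP GET /secret.htm")
    ks = recover_keystream(a, b"ARP who-has 10.0.0.1")
    print(decrypt_prefix_with_keystream(b, ks)[:20])
    print(round(expected_frames_until_iv_repeat()))
```

The IV space is only 2^24 values, so with randomly chosen IVs a repeat is expected after roughly 5,000 frames, and cards that reset the IV counter to zero at power-on repeat sooner. Rotating keys shrinks the window in which collected IV/keystream pairs stay useful; a longer key does not enlarge the IV space at all. Neither fixes the design, which is why the slide ends with "upgrade to WPA".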
Advanced WLAN Security: Topology Options
• Treat all wireless communication as insecure
• Put the AP on the "unsafe" side of the firewall
• Use a VPN (private tunnel) through the internet to reach the internal network
• Impractical for SOHO networks (expensive; throughput hit)
Diagram: Firewall between "Safe Side" and "Unsafe Side"
Advanced WLAN Security Upgrades
• 802.1X port-based authentication: requires a dedicated authentication server (or a server process in the AP)
• RADIUS authentication: for enterprises only
• IEEE 802.11i (currently in draft form): the full standard behind WPA; WPA is the Wi-Fi Alliance's interim subset (TKIP + 802.1X), and 802.11i adds the RSN
• RSN (Robust Security Network): 802.1X + EAP authentication with AES-based encryption (AES-CCMP, replacing RC4/WEP). Will likely need a hardware upgrade to run RSN without a major hit on throughput; likely available in "mature" form in 2005-6 (the world will be beta-testing 802.11i during 2004)
RSN: http://www.nwfusion.com/news/tech/2003/0526techupdate.html
802.11i (advanced): http://csrc.nist.gov/wireless/S10_802.11i%20Overview-jw1.pdf
802.11i (excellent): http://www.commsdesign.com/design_library/cd/wl/OEG20021126S0003
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
Future WLAN Security Issues
• Biological hazards of radio communications
• Military implementation of DoS vs. WLANs/cellular
• Geographic extension of WLAN: ablation of security through propinquity (ELF; satellites with ultra-sensitive sensors)
• Legal aspects (HIPAA, due diligence) and the need to implement security & audit for rogue APs, wardrivers
• Follow-on technologies: UltraWide Band (UWB), others
WLAN = Biohazard?
• One 2003 study reported that 3G network signals affected the cognition of volunteers and produced headaches and nausea
• Interestingly, also enhanced memory and alertness
• As we become surrounded by WLANs, PANs, WANs, and cellular broadcasting towers, are we harming our fragile neurological systems?
• No evolutionary exposure to MW radiation at current levels… will our children's children adapt?
http://edition.cnn.com/2003/TECH/ptech/10/01/g3.health.reut/index.html
Beware the Wolfpack
• Small, autonomous sensor-jammers that intelligently coalesce into a WLAN on the battlefield; 6 lb canisters initiate RF DoS within a 500 meter radius
• Link together to overpower the enemy's WLAN/cellular communications
• Part of the DARPA XG (Next Generation) RF dominance initiative
http://www.theregister.co.uk/content/69/32361.html
http://www.defenselink.mil/news/Aug2003/n08142003_200308147.html
http://www.darpa.mil/DARPATech2002/presentations/ato_pdf/speeches/MARSHALL.pdf
http://www.darpa.mil/ato/programs/wolfpack.htm
Physician, Audit Thyself
• Lots of commercial products out there to audit networks for rogue APs, P2P connections, wardrivers
• May become a legal requirement in the future for HIPAA compliance (along with the advanced security afforded by RSN/802.11i [final standard anticipated May 2004])
http://www.airdefense.net/products/index.html
http://www.airmagnet.com/products/handheld.htm
Pictured: AirMagnet Handheld PAK®
http://www.wildpackets.com/products/airopeek
Summary diagram (labels recovered):
• Assume wardrivers, snoopers all around you
• Laptop: prevent theft; BIOS pw; encrypt sensitive files
• Got WPA/802.1X?
• SSID: change default; don't broadcast
• AP: change default admin logon/pw
• WEP: enable; rotate keys manually; upgrade WEP ASAP
• Enterprises: 802.1X, 802.11i, RSN; VPN + RADIUS
• Patch OS frequently to plug wireless security holes; read media for new WLAN exploits
The Tao of Network Security
• 1994-1999: Information Access
• 2000-2005: Information Denial
What this talk is about
• Introduction to Wireless LAN (WLAN) tech
• Overview of Wireless vs. Wired network security
• Risks of specific WLAN technologies
• Wardriving 101
• Securing WLAN Communications
• Future WLAN Security Issues
• References
Online Resources
WLAN Specifications
•WiFi™ Alliance (formerly WECA): http://www.weca.net/
•IEEE 802.11: http://standards.ieee.org/getieee802/portfolio.html
•IEEE 802.11i: latest draft (private): http://grouper.ieee.org/groups/802/11/private/Draft_Standards/11i/802.11i-D6.0.doc ; lots of interesting documents: http://www.ieee802.org/11/Documents/DocumentHolder/
•Bluetooth: https://www.bluetooth.org/
•HIPERLAN/2: official specs: http://www.hiperlan2.com ; IEEE Communications overview: http://www.ihp-ffo.de/systems/Doc/Vorlesung/MC/%DCbung/Gruppe7-Hiperlan/0130khun.pdf
•HiSWAN: http://www.arib.or.jp/mmac/e/index.htm
•Avian IP Transport Protocol (RFC 1149): http://www.ietf.org/rfc/rfc1149.txt?number=1149
Online Resources
Basic 802.11 Security
•WLAN Security FAQ (ISS): http://www.iss.net/wireless/WLAN_FAQ.php
•WEP Specifications: http://standards.ieee.org/getieee802/download/802.11-1999.pdf
•WEP Insecurity: http://www.cs.rice.edu/~astubble/wep/wep_attack.html
•WPA: http://www.weca.net/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
•Wardriving: http://www.wardriving.com ; www.sans.org/rr/papers/68/174.pdf
•Netstumbler: http://www.netstumbler.com
•Wireless Glossary: http://www.devx.com/wireless/Door/11333
•Build your own Cantenna: http://www.turnpoint.net/wireless/cantennahowto.html
Online Resources
Advanced WLAN Security/Continuing Security Education
•SANS http://www.sans.org
•Cool list of WLAN Security Links: http://is-it-true.org/pt/ptips23.shtml
•Google it: search Google for “WLAN security” and/or “WiFi® security”
•Still More whitepapers: http://www.wlana.org/learning_center.html
Online Resources
AFH Topics
•People are stupid: Wireless Equivalent Privacy: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=%22Wireless+Equivalent+Privacy%22&btnG=Google+Search
•People are stupid 2: Wireless Encryption Protocol: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Wireless+Encryption+Protocol%22
•HAARP: http://www.haarp.alaska.edu/haarp/ ; http://www.vs.afrl.af.mil/Factsheets/haarp.html
•ECHELON: http://www.europarl.eu.int/tempcom/echelon/ pdf/rapport_echelon_en.pdf
•TEMPEST: http://www.cwrl.utexas.edu/~benjamin/316kfall/316ktexts/tempest1.html
Offline Resources
Books/Articles: Computer Security Essentials
Skoudis, Ed, Counterhack, Upper Saddle River, NJ: Prentice Hall PTR 2002. ISBN 0-13-033273-9 (amazing book! dozens of black-hat techniques with countermeasures)
Cheswick WR, Bellovin SM, Firewalls and Internet Security: Repelling the Wily Hacker, New York: Addison-Wesley Publishing Company 1994. ISBN 0-201-63357-4 (a classic)
Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, Sebastopol, CA: O'Reilly & Associates, 1995. ISBN 1-56592-124-0 (first edition includes an excellent appendix on the basics of the ISO/OSI and TCP/IP stacks)
Offline Resources
Books/Articles: WLAN Security
Duntemann J, Jeff Duntemann’s Drive-by WiFi Guide, Scottsdale: Paraglyph Press, 2003. ISBN 1-932111-74-3 (very readable & entertaining; most practical 3-space reference thus far)
Peikari C, Fogie S, Maximum Wireless Security, Indianapolis: Sams Publishing, 2003. ISBN 0-672-32488-1 (contains some errors [er, Wireless Equivalent Privacy? To paraphrase the song, 1/3 ain’t good.])
Edney J, Arbaugh WA, Real 802.11 Security: WiFi Protected Access and 802.11i, Boston (etc.): Addison-Wesley, 2004 (cool time-travel aspect of copyright [to make it seem more current]; almost incomprehensible at times, but good reference)