Data Interception

One attack that must be considered when using wireless technology is the threat of data interception. In data interception, one of the key benefits of wireless technologies also leads to one of its greatest weaknesses. Because radio transmissions are broadcast through the air to target devices, any system properly configured within the radio broadcast range can also receive the wireless messages. Thus, devices that should not be on the wireless network can receive the transmissions. The extension of the network by wireless technologies has also increased the attack surface available to malicious users; an adversary can become part of a network and interact with systems that were not designed to operate in a hostile environment.

A common activity used for wireless attacks is war driving. A malicious individual can drive around with a laptop and a wireless receiver listening to the radio traffic being broadcast. Programs running on the laptop can be set up to automatically analyze the data and attempt to break into the networks as they are found. In addition, many attackers also correlate the data with GPS information to create a map of wireless access points. Based on their location, attackers can later revisit these access points for further attack.

Data Encryption

The use of data obfuscation through cryptographic ciphers and algorithms has been around for a long time. The Atbash alphabet was used to obscure the names of various items in Hebrew writings, such as the Bible. The obfuscation method commonly used on Usenet, rot13, has its origins in the scytales that were believed to have been used by ancient Greeks, whereby they wrapped a strip of paper around a stick, wrote the message, and transported the strip of paper. Only someone with a stick of equivalent diameter would be able to read the message.

The need for encryption has carried through from ancient times. Modern computer networks also make heavy use of encryption technology. As wireless technologies continue to spread, the use of encryption and authentication schemes has become more important for many users. Privacy concerns, classified information, and trade secrets are transmitted over wireless technologies. An adversary who receives the data being transmitted over the wireless link will still have to crack the encryption before the data being protected can be read. Transmissions from hostile sources trying to spoof the identity of an authorized party still need to subvert or break the authentication mechanism before the data will be accepted.

There are problems and limitations in many of the current encryption deployments for wireless technologies, however. The initial encryption mechanism used by 802.11X protocols is known as Wired Equivalent Privacy (WEP). WEP has a serious design flaw that allows hostile entities to derive the encryption key and see all traffic with relative ease. Access control mechanisms that used the Media Access Control (MAC) address of networked devices no longer give IT professionals any guarantee a rogue device is within an easily identified physical area. Wireless address book synchronization capabilities in cellular phones and other portable devices allow address books to be stolen when implemented incorrectly, for example, Bluesnarfing for Bluetooth-enabled devices.

With advances in cryptanalysis, software for analyzing wireless network traffic and deriving encryption keys and passwords has become commonplace. Assigning a complex encryption key for WEP still allows an attacker to find out what the key is within a matter of minutes using software such as aircrack and WepLab. Using stronger encryption algorithms with weak keys leaves networks vulnerable to dictionary attacks that use lists of words and permutations to try and guess encryption keys. Both aircrack and WepLab support this mode of operation as well.

Input Hijacking

Attackers can do more than just steal data being transmitted over wireless links. Many devices and software services accept input from the user to take action. This command channel can be hijacked, allowing the attacker to interact with sensitive applications they should not have access to.

Using a wireless input device such as a keyboard can allow passwords and credit card information to be intercepted. Hijacking the connection and taking control of the input may be possible as well, allowing the attacker to input arbitrary data, change passwords on online bank account interfaces, purchase a thousand bags of composting material to be delivered to your door, or send letters of resignation to your employer.

Popular wireless keyboard receivers can pick up transmissions from a different keyboard. If the communications travel over radio links instead of infrared, an attacker can sit down nearby and associate with the receiver using the same make and model of keyboard. In many cases, hijacking the mouse can be done through the same receiver as well.

In order to use such devices safely, you must gain a basic understanding of radio emission characteristics in order to assess the risk of using such devices for sensitive data. Chapter 2 will cover the nature of radio emissions to allow you to evaluate the risks of data interception and command channel hijacks in more detail.

Business Impacts of Wireless Threats

There are many consequences of having the network security of a business compromised. Payroll and benefits data may be exposed; trade secrets can end up in the hands of competitors; data theft disclosure laws such as the California Security Breach Information Act (CA1386) can force a company to notify customers their private data have been stolen; and access to business-critical services from third-party vendors may be suspended until problems have been remediated to their satisfaction.

Preventing these problems holds a high priority for IT administrators. Various precautions and security measures implemented at network gateways such as firewalls, creation of bastion hosts, VPN tunnels, and host hardening have been used to mitigate the risks of data theft and network intrusion. However, all of the effort put into securing a network can be rendered moot by the careless installation of a single wireless access point. By enabling wireless devices to connect to the internal network within an office, attackers can enter the range of radio transmissions and join the internal network without having to circumvent the access control mechanisms already in place at the network perimeter and the physical access control systems as well.

The traffic and security monitoring system present at the wired network perimeter will not log attacks carried out from a rogue system already within the trusted network. Deployment of security-critical patches and host hardening activity are often lagging within a trusted network in comparison to the network perimeter.

You might look for logs such as LAN users, connection or status log, or connected MAC addresses. And you can also use a tool to check the IP/MAC on your wireless network IP range.

Verify the MAC addresses

To find out who is on your network, you have to make a list of all the devices that are meant to be connected. Find out their MAC adresses and their IP addresses if they are static.

To find out the MAC and IP address on Windows OS, click the Start menu and choose Run. Type cmd and click OK. In the screen that opens, type ipconfig/all and hit Enter. The MAC address will be shown as the physical address.

Once you know the MAC addresses of each of the computers on your wireless network, you will recognise any addresses that don’t belong under the window that shows the MAC addresses of current clients.

Check the IP addresses

Similarly you can see how many IP addresses have been dipped out by the DHCP server. If you check the IP of each of your computers, you can see if other IP addresses have been used in your wireless network.

To find out your IP address on Windows OS : Click Run ? type in cmd ? type ipconfig/all ? which will display the IP address for that computer.

Use a software to scan for IP/MAC

Zamzom Wireless Network Tool (google it for download) is a free tool that can do a quick scan for you. Just load it up, hit Fast Scan and it will show you the IP and MAC addresses of every computer that is connected to your WAN. You can also perform a deep scan, but a fast scan will be enough for most users.

Dealing with intruders

If you find someone using your wireless router, they may well not be doing so nastily or intentionally. Sometimes people can’t tell which is their own connection and they may honestly believe that they are using their wireless router. In this case, the best thing that you can do is to secure your own wireless network.

To address the confidentiality issues of trade wireless networks, the 802.11 standard includes a simple mechanism for encryption of data, it is Wired Equivalent Privacy.

However, several serious vulnerabilities were identified by cryptologists. WEP is sometimes dubbed with the nickname of Weak Encryption Protocol. WEP has been superseded by WPA in 2003 and by WPA in 2004 (WPA2 is the version of the IEEE 802.11i standard certified by the Wi-Fi Alliance.

WEP is an encryption protocol in charge of 802.11 frames using the RC4 symmetric algorithm with key length of 64 bits or 128 bits. The principle of WEP is to define initially a secret key of 40 or 128 bits. This secret key must be declared at the access point and clients. The key is to create a pseudo-random length equal to the length of the frame. Each transmission of data is then encrypted using the pseudo-random number as a mask with an Exclusive or between the pseudo-random number and the frame.

The session key shared by all stations is static, that to deploy a large number of wireless stations it is necessary to configure them using the same session key. Thus knowledge of the key is sufficient to decrypt communications.

In addition, 24-bit key is used only for initialization, which means that only 40-bit 64-bit key used to encrypt and actually 104 bits to 128 bits key.

In the case of 40-bit key, a brute-force attack (trying all possible keys) can quickly bring the hacker to find the session key. Also a fault detected by Fluhrer, Mantin and Shamir on the generation of pseudo-random string makes possible the discovery of the session key stock 100 MB to 1 GB of traffic created intentionally.

WEP is not sufficient to ensure real privacy. However, it is strongly advised to at least implement a 128-bit WEP protection to ensure a minimum level of confidentiality and avoiding in this way 90% risk of intrusion.

To get a higher level of security you should use WPA or WPA2. Use of encrypted tunneling protocols can provide secure data transmission under an insecure network. But replacements for WEP have been developed to restore security to the Wifi  network itself.

Today’s wireless networking products don’t always help the situation as configuring their security features can be time-consuming and non-intuitive. The tips below go over the steps you should take to improve the security of your home wireless network.

• Change the default wireless  settings
  

You can read about changing default setting (username, password ans SSID) here :
http://www.security4wireless.com/always-change-your-wireless-default-settings/

• Enable WPA / WEP encryption

All wireless equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans.

Many encryption technologies exist for Wifi. Of course you will want to pick the strongest encryption that works with your network. However, the way these technologies work, all Wifi devices on your network must share the the same encryption settings. Consequently you may need to find a “lowest common demoninator” setting.

• Disable SSID broadcast

The wireless access point or router typically broadcasts the network name (Service Set IDentifier) at regular intervals. This element was designed for businesses and mobile hotspots where clients may roam in and out of range.

In the home network, this roaming characteristic is needless, and it increases the probability someone will try to login to your home network. Luckily, most wireless access points allow the SSID broadcast feature to be disabled by the network manager.

• Enable physical MAC address filtering

Every part of wireless gear possesses a unique identifier called MAC address. Access points & routers keep track of the MAC addresses of all devices that connect to them. Lots of such products offer the owner an option to key in the MAC addresses of their home equipment that restricts the network to only permit connections from those devices.

Make this, but also know that the feature is not so powerful as it may seem. Hackers & their program programs can fake MAC addresses easily.

• Turn off auto-connect

Connecting to an open wireless network such as a public wireless hotspot or your neighbor’s router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.

• Make firewalls on computers and router

Most network routers contain built-in firewall capability, but the option also exists to disable them. Make sure that your router’s firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.

• Assign static IP to Wifi devices

Most home networks drop toward using dynamic IP addresses. DHCP technology is indeed easy to set up. However, this convenience also works to the benefit of network hackers who can easily obtain valid IP addresses from your network’s DHCP pool.

Disable DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

• Turn off the wifi network when you don’t use it

Shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least think about doing so during travel or extended periods offline.

Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.

If you own a wireless router but are only using it wired connections, you may turn off Wifi on a broadband router without powering down the entire network.

• Position the access point safely

Wireless signals normally reach to the exterior of a home. A small amount of signal leakage outdoors isn’t a problem, but the more this signal reaches, the easier it is for attackers to detect and exploit. Wifi signals frequently reach through neighboring homes.

When installing a Wifi home network, the position of router and access point determines its reach. Try to position these devices near the center of your home rather than near windows.

Change your default username and password :

Most of wireless access points & routers permit an admin to manage their WiFi network through a special admini account. This root account provides complete superuser access to the device’s configuration settings with a special username and password.

Manufacturers set both the account user/pass at the factory. The username is often basically the word admin or administrator. The password is typically empty (blank), the words “admin,” “1234,” or “password,” or some other simple password.

To improve the security of a wireless network, you ought to change the administrative password on your wireless access point or router immediately when installing the unit.

The default passwords for popular models of wireless network gear are well-known to hackers & often posted on the Net. Most devices do not permit the administrative username to be changed, but if yours does, you have to change this name too.

Finally, to maintain home network security in the future, continue changing this root password regularly, not three times. Lots of experts recommend changing passwords every 30 days. Use words that would be impossible for others to guess.

Change the default Service Set IDentifier (SSID) :

SSID is a name that identifies a wireless LAN. A client device receives broadcast messages from all access points within range promotion their SSIDs. As the SSID displays to users, it normally consists of human-readable characters. But the standard does not require this.

The SSID is defined as a sequence of 1–32 octets each of which may take any character.
The SSID can be accessed from within these products’ Web-based or Windows-based configuration utilities.

Common examples of pre-defined SSIDs are simple names like “network,” “wireless,” “1234,” or “default.” An SSID can be changed at any time, as long as the alter is also made on all wireless clients in the network.
To increase the security of your home wireless network, modify the SSID to a strong name.

How to make strong password and SSID :

You can generate a strong password using some tools and online generating strong passwords. However, here are some recommended tips to make a strong password (and SSID) based on security practices :

• At least 10 characters in length.
• Does not contain your user name, real name, organization name, family member’s names or names of your pets.
• Does not contain your birth date.
• Does not contain a complete dictionary word.
• Is significantly different from your previous password.

Should contain three (3) of the following character types :

• Lowercase Alphabetical (a, b, c, etc.)
• Uppercase Alphabetical (A, B, C, etc.)
• Numerics (0, 1, 2, etc.)
• Special Characters (@, %, !, etc.)

• Passive attacks:

In a wireless network passive listening is even easier than the media air is hardly controllable.

Often, the radio coverage of one access point goes beyond the private domain of a company or an individual. The passive attack the most common is the search for access point.

This attack (called Wardriving) became the “game” the favorite of many hackers, the access points are easily detected by a scanner (equipped with a laptop WiFi card and special software to search for PA.) These cards are equipped with wifi directional antennas (Yagi type) to listen to the radio traffic at a distance outside the coverage area of access point.

There are two types of scanners, liabilities (Kismet, WifiScanner, prismstumbler …) without leaving traces, virtually undetectable and assets (Netstumbler, dstumbler) detectable when listening, they send out “probe request” . Netstumbler only works on Windows, others work with Linux.

The sites identified are then indicated by marking out (with chalk) the following code (Warchalking):

A preliminary traffic analysis allows to find the SSID (network name), the MAC address of access point, throughput, use of WEP encryption and signal quality. Combined with a GPS, the software can locate the access point.

At a higher level of software (or type Aisnort WEPCrack) allow a few hours (depending on traffic), to decipher the WEP key and with the tools and network analysis conventional information retrieval can go further. The attacker can pass a so-called active attacks.

• Active attacks :
  

We’ll see, quite briefly, the various known attacks in wired networks and affect, of course, the world of wireless.

1- DoS (Denial of Service)
The denial of service network is often an alternative to other forms of attack because in many cases it is simpler to implement, requires less knowledge and less easily traceable than a direct attack to enter a system to take control.

This attack is intended to prevent legitimate users from accessing services by saturating false requests these services. It is generally based on “bugs” software.
In the wireless environment, it includes blocking access points either by flooding the request of disassociation or Deauthentication (Airjack type program), or more simply by jamming radio signals.

2- Spoofing (impersonation)

IP spoofing is a technique that allows an attacker to send a packet machine appears to be from an IP address other than the attacker’s machine. IP spoofing is not provided an IP address change.

More precisely it is a travesty (he is the technical term) of the IP address in the packets, that is to say that the packets are modified so that they appear to reach d a machine.

3- “Man in the middle” in rural Wi-Fi

This attack is for a Wi-Fi has to have an access point near abroad in other legitimate AP. Stations wishing to connect to the network to deliver PA “felon” their information for the connection.

This information will be used by a pirate station. Just simply a pirate station listening to the traffic, get MAC address of a legitimate station and its AP, and intercalated in the middle.

This is a list of default usernames and passwords used in wireless routers.

You will know it now.. so don’t forget to change your default user/pass

This list is sorted by vendor and model  of the router.

Let’s start :