Wi-phishing New Frontier Jorge Sebastião, CISSP, ISP

Wireless Today?

Are this your packets???

Why Does This Happen? Firewall IDS Anti-Virus Attack

Wireless Broadband Hacker Fined In a first of its kind case for the UK, the Isleworth court in London has found Gregory Straszkiewicz (24) guilty of hijacking a wireless broadband (Wi-Fi) connection. He has now been fined £500 and given a 12 months conditional discharge: Police sources said Straszkiewicz was caught standing outside a building in a residential area holding a wireless-enabled laptop. The Crown Prosecution Service confirmed that Straszkiewicz was ' piggybacking ' the wireless network that householders were using. He was reported to have attempted this several times before police arrested him.

In a first of its kind case for the UK, the Isleworth court in London has found Gregory Straszkiewicz (24) guilty of hijacking a wireless broadband (Wi-Fi) connection. He has now been fined £500 and given a 12 months conditional discharge: Police sources said Straszkiewicz was caught standing outside a building in a residential area holding a wireless-enabled laptop. The Crown Prosecution Service confirmed that Straszkiewicz was ' piggybacking ' the wireless network that householders were using. He was reported to have attempted this several times before police arrested him.

Low Budget attacks

War-driving Software is free Available on Internet Hardware is inexpensive Easy to map insecure sites Post maps on the Internet

Software is free

Available on Internet

Hardware is inexpensive

Easy to map insecure sites

Post maps on the Internet

War-chalking almost free

New Devices, New Risks Laptops Mobiles Bluetooth PDA Smart Card

Laptops

Mobiles

Bluetooth

PDA

Smart Card

The real problem Technology Process People

Is there a teenager within 55 miles of your building?

Wi-Fi High Jacking 60-70% wireless networks are wide open Why are the Wi-Fi networks unprotected?

60-70% wireless networks are wide open

Why are the Wi-Fi networks unprotected?

Evil Twin SSID: CYINFOSEC Wireless EVIL TWIN SSID: CYINFOSEC Wireless Mobile wireless user with wireless card ON SSID: ‘ANY’

I A rogue AP looking for “ CYINFOSEC ”. Inverse Wardriving

Threats - Wireless Devices Corporate Network Barcode Scanner Parking Lot BEACONS Accidental Association Malicious Association Intruder ATTACK Confidential Data Soft AP Hardware AP Wireless Laptop Ad-Hoc Rogue Access Point Hotspot Evil Twin PROBES PROBES Neighboring WLAN

Wireless Threats to Mobile Workers Real? Mobile workforce new edge of corporate network (the laptop) User laptop airport lounge-extended backbone accidental association hard to detect New tool for identity theft You ARE “vulnerable” to this Users WILL give up credentials, WEP keys If you’ve got SSO, doh! Finding rogue AP / client is a challenge A social engineering problem than a technical vulnerability—what’s the “patch”?

Mobile workforce

new edge of corporate network (the laptop)

User laptop

airport lounge-extended backbone

accidental association

hard to detect

New tool for identity theft

You ARE “vulnerable” to this

Users WILL give up credentials, WEP keys

If you’ve got SSO, doh!

Finding rogue AP / client is a challenge

A social engineering problem than a technical vulnerability—what’s the “patch”?

Detection ANY wireless activity (if policy is no WiFi) Duplicate SSIDs Different / mismatching MACs Interference / SNR spikes Association requests More…

ANY wireless activity (if policy is no WiFi)

Duplicate SSIDs

Different / mismatching MACs

Interference / SNR spikes

Association requests

More…

Client Defense Strategies Local AP awareness User education OS Level awareness Multi-layer Security One-time authentication mechanisms Application authentication No WiFi? No WiFi connected to Intranet? A defence kit for wireless users…? Sort of a ZoneAlarm for WiFi *gasp* OS-level awareness of the problem?

Local AP awareness

User education

OS Level awareness

Multi-layer Security

One-time authentication mechanisms

Application authentication

No WiFi? No WiFi connected to Intranet?

A defence kit for wireless users…? Sort of a ZoneAlarm for WiFi

*gasp* OS-level awareness of the problem?

Several Options Low V Low (with VPN) Strong 802.1X authentication (*) AES with per-session keys 802.11i x Low Strong 802.1X authentication TKIP with per-session keys WPA Enterprise High “ Pre-shared Key” TKIP with per-session keys WPA Personal Medium Strong 802.1X authentication WEP/104 with per-session keys “ Pure” 802.1X High None WEP, 40-bit keys or 104-bit keys WEP40 / 104 Risk Authentication Encryption Strategy

AP Location Strenght Considerations

Countermeasures Trade Offs All countermeasures are a trade-off Secure Fast/Easy Cheap

Accurate Detection/Response Correlation Across Sensors Stateful Analysis Statistical Base-lining and Aggregation Correlation ACCURATE ALARMS Threat Index Multiple Detection Technologies are required for accurate & comprehensive detection Personal for Mobile Protection Device Alarms Anomalous Behavior Protocol Abuse Signature Analysis Policy Manager

Forensic & Incident Resp. WLANs are transient & security incidents happen often  Important to collect critical device communication & traffic information to analyze what went wrong Device Connectivity Logs Device Activity Logs Channel Activity Logs Signal Strength Data transferred by Direction Detailed Logs Were We Attacked? What Entry Point was Used? When Did the Breach Occur? How Long Were We Exposed? What Transfers Occurred? Which Systems Were Compromised? Investigation W5 Bytes per Minute Large File downloaded Min-by-Min View “ Forensic analysis is critical to assess damage from a security breach and take proactive steps for future.” – Meta Group

Device Connectivity Logs

Device Activity Logs

Channel Activity Logs

Signal Strength

Data transferred by Direction

Were We Attacked?

What Entry Point was Used?

When Did the Breach Occur?

How Long Were We Exposed?

What Transfers Occurred?

Which Systems Were Compromised?

Anti-Phishing Laws -Identity Theft Penalty Enhancement Act -Aggregated Identity Theft - Defined as using a stolen identity to commit other crimes. -Mandatory sentencing of 2 years. Anti-Phishing Act of 2005 -Prohibits the use of a website/email to coerce others to divulge their personal information. -Penalties: 5 years, $250,000 fine. Effectiveness: Professionals vs. Amateurs

2G GSM: Network Architecture BSC MS BTS MSC OMC Um A-bis Circuit-switched technology Voice Traffic Mobility mgt A PSTN/ISDN EIR AUC HLR VLR

GSM:Network Attacks Eavesdropping Intruder eavesdrops signalling and data The required equipment is a modified MS Impersonation of a user Intruder sends signalling and/or user data to the network, The required equipment is again a modified MS Impersonation of the network Intruder sends signalling and/or user data to the target user The required equipment is modified BTS Man-in-the-middle Intruder puts itself in between the target user and a genuine network The required equipment is modified BTS in conjunction with a modified MS Compromising authentication vectors in the network Intruder possesses a compromised authentication vector

Eavesdropping

Intruder eavesdrops signalling and data

The required equipment is a modified MS

Impersonation of a user

Intruder sends signalling and/or user data to the network,

The required equipment is again a modified MS

Impersonation of the network

Intruder sends signalling and/or user data to the target user

The required equipment is modified BTS

Man-in-the-middle

Intruder puts itself in between the target user and a genuine network

The required equipment is modified BTS in conjunction with a modified MS

Compromising authentication vectors in the network

Intruder possesses a compromised authentication vector

Fake BTS IMSI catcher by Law Enforcement Intercept mobile originated calls Can be used for over-the-air cloning

IMSI catcher by Law Enforcement

Intercept mobile originated calls

Can be used for over-the-air cloning

Bluetooth? Piconet Application Profiles States Standby: do nothing Inquiry: search for other devices in the vicinity Paging: connect to a specific device Connection: participate in a piconet (master or slave) Modes: active, hold, park, sniff standby connected page inquiry M S S S SB P P SB Profiles Protocols Applications

Piconet

Application Profiles

States

Standby: do nothing

Inquiry: search for other devices in the vicinity

Paging: connect to a specific device

Connection: participate in a piconet (master or slave) Modes: active, hold, park, sniff

Blue Tooth Fishing Unique ID Location Tracking Free phone calls Download/update address book Calendar … . Free GPRS/Internet … .. Even class 3 devices can be intercepted at a distance greater than 10 meters Max Range 1.1 Miles (1.7km)

Unique ID

Location Tracking

Free phone calls

Download/update

address book

Calendar

… .

Free GPRS/Internet

… ..

Even class 3 devices can be intercepted at a distance greater than 10 meters

Max Range 1.1 Miles (1.7km)

BT Sample Attacks Vulnerabilities in Bluetooth enabled mobile phones Braces – A Bluetooth Tracking Utility http://braces.shmoo.com/ SNARF attack BACKDOOR Attack BLUEBUG Attack

Vulnerabilities in Bluetooth enabled mobile phones

Braces – A Bluetooth Tracking Utility http://braces.shmoo.com/

SNARF attack

BACKDOOR Attack

BLUEBUG Attack

BT Risks NO alerting the owner of the target device Access to restricted information stored on the phone Contacts Calendar Call log Free phone call, SMS, GPRS Remote monitoring, voice, data Affected models should disable Bluetooth

NO alerting the owner of the target device

Access to restricted information stored on the phone

Contacts

Calendar

Call log

Free phone call, SMS, GPRS

Remote monitoring, voice, data

Affected models should disable Bluetooth

Bluetooth Conclusions All these attacks can be performed in a matter of seconds Generally phones are more vulnerable when discoverable Some models can be attacked when undiscoverable Bluejacking is encouraging people to leave their devices discoverable Exploit code is not publicly available at this time Vendor responses to these vulnerabilities have not been promising List of vulnerable devices: http://www.thebunker.net/release-bluestumbler.htm

All these attacks can be performed in a matter of seconds

Generally phones are more vulnerable when discoverable

Some models can be attacked when undiscoverable

Bluejacking is encouraging people to leave their devices discoverable

Exploit code is not publicly available at this time

Vendor responses to these vulnerabilities have not been promising

List of vulnerable devices: http://www.thebunker.net/release-bluestumbler.htm

What’s next….? Pharming (more effective) Pharming is the next step in this type of attack Pharming uses DNS to redirect people from legitimate websites to the attacker’s fake website. DNS is an internet server that translates www.yourwebsite.com into its IP address such as 128.101.138.134. RFID

Pharming (more effective)

Pharming is the next step in this type of attack

Pharming uses DNS to redirect people from legitimate websites to the attacker’s fake website.

DNS is an internet server that translates www.yourwebsite.com into its IP address such as 128.101.138.134.

RFID

What’s next….. RFID hacking

Wireless Security Plan Staff Skills, Training Risk Assessment Upgrade Architecture Implement New Controls Monitor/Monitor/Monitor Develop comprehensive incidence response

Staff Skills, Training

Risk Assessment

Upgrade Architecture

Implement New Controls

Monitor/Monitor/Monitor

Develop comprehensive incidence response