Technology Trends   Chris Gohlke, CPA Lead Senior Auditor Florida Auditor General IT Audits Division [email_address]
Outline <ul><li>Main Topics </li></ul><ul><ul><li>Media Cleansing </li></ul></ul><ul><ul><li>Wi-Fi (802.11) </li></ul></ul><ul><ul><li>RFID </li></ul></ul><ul><li>Bonus Topics (If Time Permits) </li></ul><ul><ul><li>Auditor Security Collection </li></ul></ul><ul><ul><li>Bluetooth </li></ul></ul><ul><li>The purpose of this class is to serve as a high-level overview. I've included a lot of extra information in these slides that won't be covered in class. If you want even more information on these topics, check out the presentations at http://www.nasact.org/onlineresources/downloads/2005_IT_Conference_Workshop/2005_IT.htm </li></ul>
Media Sanitization <ul><li>We have been taught to think that when &quot;deleting&quot; files and then emptying the Recycle Bin, the selected files are gone. This is not true. What happens is that the file system only removes its reference to the file's name and to where the file's data is stored on the hard drive. The data is still there and can be very easily recovered with simple software tools. </li></ul>
<ul><li>Many people think that formatting a hard drive will permanently erase all the data on the drive. This also is not true. A standard (quick) format only rewrites the file system structures. </li></ul><ul><li>Formatting a hard drive does not erase all data as one might think. It only erases the file structure information. This means that your deleted data can be recovered by anyone possessing the right tools, until it is overwritten. </li></ul>
<ul><li>Imagine the hard drive of a computer is like a book. Instead of words, the hard drive is made up of binary data (0's and 1's). Like a book, the hard drive has a table of contents that catalogs where on the drive the 0's and 1's that make up each data file are. Deleting files and formatting drives is equivalent to removing the table of contents from the book. All of the data is still there. Recovery tools simply read the whole book and recreate the table of contents, making all the data accessible again. </li></ul>
<ul><li>Short of degaussing or physically destroying it, the only way to erase a hard drive is to overwrite it. When you delete a file on your computer, it is eventually overwritten when the computer puts a new piece of data in the same place. This could happen quickly or could never happen, depending on the usage of the computer. </li></ul><ul><li>To truly erase a disk, you want to systematically overwrite every bit on the disk. We use a piece of free software called KillDisk. What this software does is systematically write 0's into every bit on the disk. Whatever tool is used, the wipe should be verified by reading the drive back afterwards, and the result logged. </li></ul>
<ul><li>However, you should know that after doing this, a disk is still theoretically readable, because even after the computer writes over everything with a 0, there may still be a magnetic signature left over from the old data. We won't go into the physics behind magnetic media, so think of it this way. Imagine the surface of the drive is full of little circles. Imagine the write head on the drive puts a drop of ink in each circle to write data (white ink for a 0 or black ink for a 1). When one drop overwrites the previous drop, if you look real close at the edge, you might just be able to see what the previous drop was. So, by using very specialized pieces of hardware, you could physically examine the hard drive even after it has been overwritten. </li></ul>
<ul><li>This equipment is prohibitively expensive and is probably only really cost effective for spies trying to access top secret government/corporate information. To be effective against this type of scan, the commonly cited Department of Defense method uses 7 consecutive passes alternating 0's and 1's. NIST Special Publication 800-88 (cited below) notes that for modern ATA drives a single overwrite pass is adequate; the extra passes guard only against laboratory recovery. Or, to be truly effective, you can physically destroy the drive and platters. </li></ul>
Tableau Device <ul><li>A Tableau device is a forensic write blocker used to preserve the state of the drive being examined. The connection is one-way: you can read the drive, but it is impossible to change anything on the drive while it is hooked up in this manner. If a device like this is not used for testing, your results would be suspect if they had to be used in a legal proceeding. Auditees do not need a device like this to wipe their drives; in fact, you could not wipe a drive that was attached in this manner. </li></ul>
R-Studio <ul><li>R-Studio is a recovery tool: it scans the drive and recovers deleted data, which is how you test whether a drive that was supposedly wiped still has anything on it. </li></ul>
Audit Guidelines <ul><li>The types of files you try to recover will depend on your scope. If you are looking for confidential information, you probably want documents (.doc, .xls, and .txt) and databases (.mdb). If you are looking for inappropriate use, you may be looking for pornography and want .jpg and .bmp. </li></ul><ul><li>If the auditee has a process for wiping drives, you want to see documentation. Most cleaning software creates a log. Ask for a copy of the log for any drives that have been sent out to prove they were cleaned first, and spot-check a sample of wiped drives with a recovery tool rather than relying on the log alone. </li></ul><ul><li>If the drives or computers don't physically work, they can't run cleaning software, but drives can be repaired and still be read. The auditee should have procedures such as degaussing or physically destroying the drives for this case. </li></ul><ul><li>Also, you may want to consider what they are doing with the surplus computers. If they are being given away to charities, are they reloading an operating system onto the computers? If so, there may be licensing issues. If they are being trashed, there are environmental concerns for which most States have regulations in place. </li></ul><ul><li>You should have a relationship with law enforcement. For example, if you find what you suspect to be child pornography during your testing, you have a legal obligation to report it. You want to make sure you have had a documented and secure chain of custody so that the drive is admissible as evidence. Since you don't know what will be on the drive beforehand, you need to set this up before you begin testing. </li></ul>
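The delete, format and overwrite behaviour described in the slides above, as an added example (my own code, not the presentation's and not any vendor's tool). A bytearray stands in for the platter and a dict for the file-system index; deleting or formatting only touches the index, a carver that scans the raw bytes for the same signatures a recovery tool looks for (JPEG, PDF, OLE2 .doc/.xls) still finds the files, and a wipe overwrites every byte, reads it back to verify, and records a per-pass log the way a wiping tool's log would. The block size, file contents and signatures are constructed for the model.

```python
"""Toy disk: 'book and table of contents' model of delete, format, carve and wipe."""
import hashlib

BLOCK = 64  # toy block size, an assumption for the model only

# Constructed magic-byte signatures used by the carver.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",          # JPEG start-of-image
    "pdf": b"%PDF-",                 # PDF header
    "doc": b"\xd0\xcf\x11\xe0",      # OLE2 compound document (.doc/.xls)
}


class ToyDisk:
    def __init__(self, blocks=16):
        self.media = bytearray(BLOCK * blocks)   # the "pages" of the book
        self.index = {}                          # name -> (first_block, length)
        self.next_block = 0

    def write_file(self, name, data):
        """Store a file in fresh blocks and record it in the index."""
        start = self.next_block * BLOCK
        self.media[start:start + len(data)] = data
        self.index[name] = (self.next_block, len(data))
        self.next_block += -(-len(data) // BLOCK)    # ceiling division

    def read_file(self, name):
        first, length = self.index[name]
        return bytes(self.media[first * BLOCK:first * BLOCK + length])

    def delete(self, name):
        """'Delete' only drops the index entry; the bytes are untouched."""
        del self.index[name]

    def quick_format(self):
        """'Format' throws away the whole index; the bytes are untouched."""
        self.index.clear()
        self.next_block = 0

    def carve(self):
        """Recover files without an index by scanning the raw bytes for signatures."""
        hits = []
        for kind, magic in SIGNATURES.items():
            pos = self.media.find(magic)
            while pos != -1:
                hits.append((kind, pos))
                pos = self.media.find(magic, pos + 1)
        return sorted(hits, key=lambda h: h[1])

    def wipe(self, passes=(0x00,)):
        """Overwrite every byte with each pattern in turn, read back to verify,
        and return a per-pass log (pattern, verified, digest of the media)."""
        self.quick_format()
        log = []
        for number, pattern in enumerate(passes, start=1):
            self.media[:] = bytes([pattern]) * len(self.media)
            verified = all(b == pattern for b in self.media)   # read-back check
            log.append({"pass": number, "pattern": f"0x{pattern:02x}",
                        "verified": verified,
                        "sha256": hashlib.sha256(self.media).hexdigest()})
        return log


def demo(passes=(0x00,)):
    """Walk through delete -> format -> wipe and report what the carver still finds."""
    disk = ToyDisk()
    disk.write_file("photo.jpg", SIGNATURES["jpg"] + b" constructed jpeg body")
    disk.write_file("report.pdf", SIGNATURES["pdf"] + b"1.4 constructed pdf body")
    disk.write_file("memo.doc", SIGNATURES["doc"] + b" constructed word body")

    disk.delete("photo.jpg")
    after_delete = disk.carve()        # the "deleted" JPEG is still there
    disk.quick_format()
    after_format = disk.carve()        # so are all three after a format
    log = disk.wipe(passes)
    after_wipe = disk.carve()          # nothing left to carve
    return {
        "after_delete": [k for k, _ in after_delete],
        "after_format": [k for k, _ in after_format],
        "after_wipe": [k for k, _ in after_wipe],
        "wipe_log": log,
    }


if __name__ == "__main__":
    import json
    # 7 alternating passes, the pattern the slides attribute to DoD practice
    print(json.dumps(demo(passes=[0x00, 0xFF] * 3 + [0x00]), indent=2))
```

The point for the audit is the last two lines of each run: the wipe log says what was written, and the read-back verification plus a carve with a recovery tool is what proves it. A real drive adds complications the toy leaves out (reallocated sectors and host-protected areas are not reachable by a plain overwrite), which is why NIST 800-88 prefers the drive's own secure-erase command or destruction for those cases.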
For More Information… <ul><li>See NIST Special Publication 800-88 (Public Draft, February 2006) – Guidelines for Media Sanitization. </li></ul>
What is Wi-Fi? <ul><li>Per Wikipedia – </li></ul><ul><li>Wi-Fi (sometimes written Wi-fi, WiFi, Wifi, wifi) is a trademark for sets of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for &quot;Wireless Fidelity&quot;, was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs), to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices and homes to be networked without expensive wiring. Many computers are sold today with Wi-Fi built in; others require adding a Wi-Fi network card. Other devices, such as digital cameras, are sometimes equipped with Wi-Fi. </li></ul><ul><li>Short Version – Wi-Fi gets rid of the Network Cable </li></ul>
What Pushes our Entities to Deploy? <ul><li>Governments are deploying wireless LANs for cost and operational benefits such as allowing for a more mobile workforce. </li></ul><ul><li>Educational entities are deploying wireless LANs for cost, operational, and marketing benefits. </li></ul>
However, the Biggest Driver of Wireless Adoption is ---The explosion of devices which is creating a demand and expectation of wireless.
Infrastructure vs. Ad Hoc <ul><li>Infrastructure </li></ul><ul><ul><li>Access Point(s) in Network </li></ul></ul><ul><li>Ad hoc </li></ul><ul><ul><li>No Access Point(s) in Network </li></ul></ul><ul><ul><ul><li>Network Interface card operates as peer station </li></ul></ul></ul>
802.11 is the Standard that defines Wi-Fi <ul><li>Key Point: For purposes of auditing, your scanning equipment should be capable of detecting all flavors (a, b and g) to be effective. </li></ul><table><tr><th></th><th>802.11b</th><th>802.11g</th><th>802.11a</th></tr><tr><td>Technology</td><td>Direct Sequence Spread Spectrum</td><td>Orthogonal Frequency Division Multiplexing</td><td>Orthogonal Frequency Division Multiplexing</td></tr><tr><td>Speed</td><td>Up to 11 Mbps</td><td>Up to 54 Mbps</td><td>Up to 54 Mbps</td></tr><tr><td>Frequency</td><td>2.4 GHz</td><td>2.4 GHz</td><td>5 GHz</td></tr><tr><td>Compatible With</td><td>802.11g</td><td>802.11b</td><td>Only 802.11a</td></tr></table>
Key Point: Your scanning equipment should be capable of detecting all 14 channels to be effective. The Rest of the Informa...
Coverage for 802.11b/g <ul><li>300 feet indoors </li></ul><ul><li>1,500 feet outdoors </li></ul><ul><li>Speed declines as you get further away from the AP </li></ul><ul><li>With powerful antennas, an entity installation can be extended to a range of 3 miles, which is also why a rogue or misconfigured AP is reachable from well outside the building. </li></ul>
Definition - MAC Address (Like SSN) <ul><li>A media access control address (MAC address) is a unique identifier attached to most forms of networking equipment. The addresses are designed to be globally unique. The MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. (Note: attackers can spoof a MAC address, so MAC filtering and a MAC-based inventory identify equipment but do not authenticate it.) </li></ul>
Definition – SSID (Like a Name) <ul><li>A service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network. Think of it as similar to having the company name on the side of a building. The code consists of a maximum of 32 characters. All wireless devices attempting to communicate with each other must share the same SSID. </li></ul><ul><li>Two related identifiers are often lumped under &quot;SSID&quot;. The BSSID (Basic Service Set Identifier) names one radio cell: in an infrastructure network it is the MAC address of the access point's radio, and in an ad-hoc network of client machines without an access point it is a generated value. The ESSID (E for Extended) is the network name shared by all the access points that make up one network. A network's SSID is often referred to as the &quot;network name&quot;. The SSID is either broadcast automatically by the AP in its beacons, or sent upon request (probe) from a user station, so it is a label rather than a secret. </li></ul>
Authentication <ul><li>802.11 networks use two authentication methods: open-system authentication and shared-key authentication. In both schemes, each mobile client (called a station or supplicant) must authenticate to the access point. </li></ul><ul><ul><li>Open-system authentication might better be called &quot;no authentication&quot;, because no actual authentication takes place: the station says &quot;please authenticate me&quot;, and the AP does so, with no credential exchange. </li></ul></ul><ul><ul><li>Shared-key authentication looks more robust but is actually weaker, because it depends on WEP. The station requests authentication, the access point (AP) responds with a plaintext challenge, and the station returns the challenge WEP-encrypted, which it can only do if it has the correct WEP key. An eavesdropper who captures the challenge and the response has the RC4 keystream for that IV, and can answer a later challenge (and forge frames) without ever learning the key. In both of these methods, the station must also know the service set identifier (SSID) of the AP. However, because the AP might broadcast its SSID, and because stations talking to that SSID send it in the clear, this isn't much of an obstacle to learning the SSID. </li></ul></ul>
WEP <ul><li>The original 802.11 standard includes a provision for encryption called WEP (Wired Equivalent Privacy). Depending on the manufacturer and the model of the NIC card and access point, there are two levels of WEP commonly available: one based on a 40-bit encryption key and 24-bit Initialization Vector (also called 64-bit encryption and generally considered insecure), and one based on a 104-bit key plus the 24-bit IV (so-called 128-bit encryption). Each device on the network must have the same key, and that key must be manually entered into each wireless device to match the key on the access point. Some proprietary solutions from vendors like Cisco have automated the passing of keys. The 802.11i standard, marketed as Wi-Fi Protected Access (WPA2), provides automated key management. </li></ul>
More WEP <ul><li>WECA (the Wireless Ethernet Compatibility Alliance, now the Wi-Fi Alliance) has only certified 64-bit WEP for interoperability. Thus, access points and cards supporting 128-bit and 256-bit WEP may not work with all vendors' wireless cards even if they provide these encryption schemes, due to possible variances in the wireless chipsets used by vendors in their products. Therefore, many sites use 64-bit encryption to allow wireless cards from different vendors to work on their network. Some vendors like Cisco also have proprietary solutions like LEAP that only work on Cisco wireless cards. For audits, the main concern is that sites using 64-bit WEP are using a weak encryption standard for the security of wireless data communications. Of course, this is better than the majority of access points that are being deployed without WEP even being enabled. </li></ul><ul><li>WEP is EASILY CRACKED at any key length: the attacks described in the notes recover the key from passively captured traffic, and a longer key only means somewhat more traffic has to be captured. </li></ul>
WPA ( Wi-Fi Protected Access ) <ul><li>WPA is a subset of the 802.11i security standard for wireless networks. WPA improves on the authentication and encryption features of WEP. In fact, WPA was developed by the networking industry in response to the shortcomings of WEP, as an interim measure that could run on existing WEP hardware while 802.11i was being finished. </li></ul>
TKIP <ul><li>One of the key technologies behind WPA is the Temporal Key Integrity Protocol (TKIP). TKIP addresses the encryption weaknesses of WEP: it still uses RC4, but with per-packet key mixing, a 48-bit sequence counter in place of the 24-bit IV (which also gives replay protection), and a keyed message integrity check (Michael) in place of the CRC-32 ICV. Another key component of WPA is built-in authentication that WEP does not offer. With this feature, WPA provides roughly comparable security to VPN tunneling with WEP, with the benefit of easier administration and use. </li></ul>
WPA-PSK <ul><li>One variation of WPA is called WPA Pre-Shared Key, or WPA-PSK for short. WPA-PSK is a simplified but still powerful form of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or &quot;passphrase&quot; as with WEP. But, using TKIP, WPA-PSK automatically changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them. The caveat is that the passphrase is the secret everything else is derived from: an attacker who captures the key handshake can test passphrase guesses offline, so a short or dictionary passphrase undoes the protection. </li></ul>
WPA2-Enterprise <ul><li>Maintains all components specified in the 802.11i standard. </li></ul><ul><li>Supports 802.1X port-based authentication. </li></ul><ul><li>The primary difference between WPA and WPA2 is the type of encryption used: the stronger AES-based CCMP in WPA2 vs. the RC4-based TKIP in WPA. </li></ul><ul><li>WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm. </li></ul>http://www.wi-fi.org/OpenSection/protected_access.asp
WPA2-PSK <ul><li>One variation of WPA2 is called WPA2 Pre-Shared Key, or WPA2-PSK for short. WPA2-PSK is a simplified but still powerful form of WPA2 most suitable for home Wi-Fi networking. To use WPA2-PSK, a person sets a static key or &quot;passphrase&quot; as with WEP; the passphrase and the SSID are turned into a 256-bit key from which the session keys are derived. AES (CCMP) is used in place of TKIP to enhance security. As with WPA-PSK, the strength of the passphrase is what matters. </li></ul>
Audit Concerns <ul><li>Are there rogue access points? </li></ul><ul><li>Are authorized access points adequately secured? </li></ul>
Why are we auditing for rogues? <ul><li>Increased vulnerability to the network by extending the entity network “beyond the walls” </li></ul><ul><li>Confidential data may be sent in the clear </li></ul><ul><li>Violation of entity policies/procedures for installation of wireless devices </li></ul><ul><li>Errors by Administrators setting up APs </li></ul>
Looking for Rogues
Basic Tools <ul><li>PC Cards/WiFi Antennas </li></ul><ul><li>Wi-Fi Finders </li></ul><ul><li>Built in XP Tools </li></ul><...
The Laptop Internal or PC Card has Limits <ul><li>It's  very  difficult to get effective results with a laptop using a PC ...
The Basics of Direction <ul><li>Antennas  come in various shapes and sizes. They have different performance patterns and g...
Directional Antennas <ul><li>Directional antennas are used for Point-to-Point or sometimes for Multi-Point systems dependi...
Backfire <ul><li>The backfire is a small directional antenna with excellent gain (15 dBi). They look similar to a paraboli...
Yagi Directional <ul><li>Yagi antennas were the design of two Japanese people, Hidetsugu Yagi and Shintaro Uda, and are so...
Panel Directional <ul><li>Flat panel and sector directional antennas offer a high gain in a very thin, low profile package...
Dish Directional <ul><li>One of the most powerful wireless antennas for distance.  Parabolic dish antennas put out tremend...
Oh My……..Sniper Antennas
124.9 mile 802.11 link is possible with the right antenna
Omni-Directional <ul><li>This is the common “Base” antenna used for Point-to-Multi-Point. Typical Omni-Directional WiFi an...
Vertical Omni <ul><li>This type of antenna can act as the central point to a WiFi, WLAN or 802.11 application. Can exhibit...
Ceiling Dome <ul><li>Auditees may mount one ceiling dome antenna above every computer or workstation for a complete wirele...
Rubber Duck Omni <ul><li>This antenna gives you approximately 2 times the range over your existing wireless AP &quot;Stock...
Small Desktop <ul><li>Supplements the rubber duck antennas provided for some APs </li></ul>
Mobile Vertical Omni <ul><li>Provides a vast improvement over a PC Card wireless card when used for wardriving.   </li></ul>
Deployment at the Audit Site
Wi-Fi Finders <ul><li>Come in a variety of forms. </li></ul><ul><li>Some just show whether or not there is available Wi-Fi...
2.4 GHz Wi-Fi Detector TEW-T1   <ul><li>Detects 2.4 GHz wireless signals generated from 802.11b/g Wi-Fi device, cordless p...
Wi-Fi Finders/Detectors <ul><li>These are great tools to help you find an access point for use, but are not sufficient for...
Built in XP Tool - very basic tool, but most likely available on any laptop
Netstumbler - More advanced, Free, Works with a variety of wireless cards
Kismet – Linux based, a bit more robust than Netstumbler
Mapping with a GPS to Find Rogues <ul><li>Helps to filter signals that are not physically coming from the location you are...
Using Netstumbler, a GPS, and Google Maps, you can create this…
And you can zoom in on the building you are interested in
If you don’t, someone else will (and probably already has)
Aircrack <ul><li>Aircrack is a set of tools for auditing wireless networks including: </li></ul><ul><ul><li>Airodump: 802....
<ul><li>The tools I have shown so far are free.  But, if you insist on buying something… </li></ul>
Commercial Products - AirMagnet ANALYZER  <ul><li>Immediately identify Rogue Devices using multiple methods.   </li></ul><...
Fluke networks OptiView Series II <ul><li>The Wireless option extends OptiView's capabilities; monitoring all 802.11a/b/g ...
Procedures - Managing the APs <ul><li>How does the auditee connect to the boxes? </li></ul><ul><ul><li>Certain vendors, su...
Sample Wireless Procedures <ul><li>Department heads shall register any deployment of wireless access points with ACNS .  T...
Auditee Should Have Entity AP Maps (they need to know where their stuff is and so do you).
What can be done to secure wireless? <ul><li>Activate WEP at the very least .   WEP is not very secure, but it is still be...
What can be done to secure wireless? <ul><li>If available, Utilize dynamic key exchange mechanisms . Use 802.11i or vendor...
What can be done to secure wireless? <ul><li>Ensure only authorized people can reset the access points . Some access point...
What can be done to secure wireless? <ul><li>Don't broadcast SSIDs . If this feature is available, you can avoid having us...
What can be done to secure wireless? <ul><li>Don't use default SSID names . As a default setting, most access point vendor...
What can be done to secure wireless? <ul><li>Monitor for rogue access points . Create a wireless baseline by creating an i...
Summary for Securing the Wireless Environment <ul><li>Create Wireless policies and procedures after analyzing risks. </li>...
Securing the Wireless Environment <ul><li>Turnoff SSID broadcast or change to name that does not identify entity; </li></u...
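The baseline comparison the slides call for (an inventory of authorized access points checked against what a scan actually sees), as an added example (my own code, not the presentation's). Both the inventory and the scan are constructed sample data in a simple CSV layout of my own; in practice they would be exported from the entity's AP registration list and from a scanner such as Netstumbler or Kismet, whose file formats differ. The signal threshold used to separate probable neighbours from in-building rogues is an assumption to be tuned on site.

```python
"""Classify scanned access points against the entity's AP inventory."""
import csv
import io

# Constructed baseline: what the entity has registered.
INVENTORY_CSV = """bssid,ssid,channel,encryption,location
00:11:22:33:44:01,ENTITY-WLAN,1,WPA2,Bldg A floor 1
00:11:22:33:44:02,ENTITY-WLAN,6,WPA2,Bldg A floor 2
00:11:22:33:44:03,ENTITY-WLAN,11,WPA2,Bldg B lobby
"""

# Constructed scan: what the auditor's scanner saw from inside Bldg A.
SCAN_CSV = """bssid,ssid,channel,encryption,signal_dbm
00:11:22:33:44:01,ENTITY-WLAN,1,WPA2,-41
00:11:22:33:44:02,ENTITY-WLAN,6,NONE,-47
aa:bb:cc:dd:ee:01,ENTITY-WLAN,6,NONE,-52
aa:bb:cc:dd:ee:02,linksys,6,WEP,-38
aa:bb:cc:dd:ee:03,CoffeeShopGuest,11,NONE,-84
aa:bb:cc:dd:ee:04,FACILITIES-NET,3,WEP,-45
"""

DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "tsunami", "wireless"}
ACCEPTED_ENCRYPTION = {"WPA", "WPA2"}
NEIGHBOR_THRESHOLD_DBM = -75   # assumption: anything weaker is probably outside the walls


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(inventory, scan):
    """Return (findings, missing).  findings: one (bssid, ssid, verdict, detail) per
    observed AP.  missing: registered APs not seen at all, meaning they are off,
    have moved, or the inventory is stale."""
    baseline = {row["bssid"].lower(): row for row in inventory}
    entity_ssids = {row["ssid"] for row in inventory}
    findings, seen = [], set()
    for ap in scan:
        bssid = ap["bssid"].lower()
        seen.add(bssid)
        strong = int(ap["signal_dbm"]) > NEIGHBOR_THRESHOLD_DBM
        if bssid in baseline:
            # Registered AP: check it still matches its baseline.  A BSSID match is
            # not proof of identity, since MAC addresses can be spoofed.
            expected = baseline[bssid]
            problems = [f for f in ("ssid", "channel", "encryption") if ap[f] != expected[f]]
            if ap["encryption"] not in ACCEPTED_ENCRYPTION:
                problems.append("weak-encryption")
            verdict = "authorized" if not problems else "authorized-misconfigured"
            detail = ";".join(problems)
        elif ap["ssid"] in entity_ssids:
            verdict, detail = "rogue-ssid-spoof", "unknown AP advertising the entity SSID"
        elif not strong:
            verdict, detail = "neighbor-probable", "weak signal; confirm with a directional antenna or GPS walk"
        elif ap["ssid"].lower() in DEFAULT_SSIDS:
            verdict, detail = "rogue-default-config", "vendor default SSID, " + ap["encryption"]
        else:
            verdict, detail = "rogue", "unregistered AP, " + ap["encryption"]
        findings.append((ap["bssid"], ap["ssid"], verdict, detail))
    missing = [row["bssid"] for row in inventory if row["bssid"].lower() not in seen]
    return findings, missing


def demo():
    return classify(load(INVENTORY_CSV), load(SCAN_CSV))


if __name__ == "__main__":
    findings, missing = demo()
    for row in findings:
        print("%-18s %-16s %-22s %s" % row)
    print("not seen:", missing)
```

The ordering of the checks matters: an unknown AP carrying the entity's own SSID is flagged before the signal-strength test, because an evil twin set up outside the building is still an attack on the entity's users, whereas an unknown network with a different name and a weak signal is most likely a neighbour to be confirmed on a directional-antenna or GPS walk rather than reported as a finding.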
Radio Frequency Identification (RFID)
About RFID <ul><li>Radio Frequency Identification (RFID) is an automatic identification method, relying on storing and rem...
RFIDs
Early RFID <ul><li>The use of RFID in tracking and access applications first appeared during the 1980s.  </li></ul><ul><li...
Current RFID Uses <ul><li>Talking Prescriptions - 13.56 MHz tags are being placed on prescriptions for Visually Impaired V...
More Current RFID Uses <ul><li>RFID tags are used for electronic toll collection at toll booths.  The system helps to spee...
Even More RFID Uses <ul><li>Wal-Mart and the United States Department of Defense have published requirements that their ve...
RFID Frequencies <ul><li>13.56 MHz </li></ul><ul><li>125 kHz (original) & 134.2 kHz </li></ul><ul><li>UHF </li></ul><ul><li>M...
RFID Implications <ul><li>Privacy concerns </li></ul><ul><ul><li>Stealing Tag number </li></ul></ul><ul><ul><li>Clean Dump...
Further Information <ul><li>RFDump (www.rfdump.org) </li></ul>
<ul><li>The Auditor security collection is a Live-System based on KNOPPIX. With no installation whatsoever, the analysis p...
Auditor Security Collection <ul><li>In addition to the approx. 300 tools, the Auditor security collection contains further...
Bluetooth
What is Bluetooth? <ul><li>Short range communications </li></ul><ul><li>Personal Area Networks </li></ul><ul><li>Low Power...
Bluetooth Classes <ul><li>Class 3 (1 mW) is the rarest and allows transmission of 10 centimeters (3.9 inches), with a maxi...
Bluetooth-Enabled Devices <ul><li>Printers </li></ul><ul><li>Cell Phones </li></ul><ul><li>Audio Speakers / Headsets </li>...
Bluetooth Security <ul><li>Encryption </li></ul><ul><li>Profiles </li></ul><ul><li>Security Modes </li></ul><ul><li>Securi...
Bluetooth Encryption <ul><li>SAFER+ algorithm – for authentication and key generation (128-bit) </li></ul><ul><li>E0...
What are Profiles? <ul><li>Short Version – They are like drivers for peripherals </li></ul><ul><li>Profiles have been deve...
Bluetooth Security Modes <ul><li>Security Mode 1: non-secure </li></ul><ul><li>Security Mode 2: service level enforced sec...
Bluetooth Security Levels <ul><li>Devices, there are 2 levels: </li></ul><ul><ul><li>“trusted device&quot; and &quot;untru...
Bluetooth PIN <ul><li>1-16 Digits </li></ul><ul><li>Basic Attack: Pairing and Authentication Process </li></ul><ul><li>Rep...
Bluetooth Hardware/Software <ul><li>Linksys USBBT100 ($50) </li></ul><ul><li>HyperGain RE05U 2.4GHz antenna ($15) </li></u...
Bluetooth Hacking / Cracking
Long Distance Snarfing <ul><li>Unamplified (but modified) at 1.08mi! </li></ul>
Hacking Tools <ul><li>Blue Bug - Security loophole to allow for downloading of data from bluetooth-enabled cell phones, no...
More Hacking Tools <ul><li>BlueSnarf - Works utilizing OBEX Push Profile (OPP), implemented incorrectly, attacker can util...
Effects <ul><li>Privacy concerns </li></ul><ul><ul><li>Theft of data and personal information </li></ul></ul><ul><li>Use o...
Points of Interests / Reference <ul><li>Bluetooth Security White Paper v1.0 ( www.bluetooth.com/upload/24Security_Paper.PD...
Notes
  • Currently 802.11a through 802.11i exist, but a, b, and g are the major ones. 802.11b is the most widely used version and is responsible for the recent explosion in WLAN implementation; chances are if you have a wireless system, it's 802.11b. Most public "hot spots" use 802.11b because of its existing widespread customer base. 802.11a products are just reaching the market now (as of April 2002) and have the benefits of added speed and the fact that they function in the relatively interference-free 5 GHz band. However, the protocol is not backward compatible with 802.11b, making all new hardware necessary in order to upgrade to this technology. One option may be 802.11b/802.11a dual-protocol access points. While you would still need new APs, these access points would allow you to invest in new client-side wireless NICs at your convenience or use a mix of client NICs if necessary. 802.11g holds promise because it has the added speed of 802.11a and is backward compatible with the entrenched 802.11b technology. However, in order to achieve this backward compatibility, the protocol functions in the 2.4 GHz band. This is important because other wireless devices like cordless phones and Bluetooth-enabled devices also function in this range and possible interference problems must be considered.
  • What is the range?
  • WEP has a well known black mark against it because it can be cracked. The details behind the flaws in WEP are beyond this section, but if you are interested, please read this article. In short, WEP uses RC4 to encrypt the data passed over the network. The RC4 key for each packet is made up of two parts. The first part is the pre-shared key (PSK), which must be entered into the configuration of each node before it connects to the wireless network and is 5 or 13 bytes long (40-bit or 104-bit WEP, often typed in as 10 or 26 hex digits). The second part is a three-byte initialization vector (IV). The purpose of the IV is to encrypt each packet with a different key (IV + PSK). The IV is sent prepended to the packet as plaintext; the receiver strips it off and uses it in the decryption process. While not the most secure method, this process works in practice...assuming the IVs are truly unique and leak nothing about the key. Unfortunately, neither holds. IVs repeat (see below), and because the per-packet key is simply IV + PSK, certain "weak" IVs cause the first bytes of RC4 keystream to statistically leak bytes of the PSK, which an attacker can recover by passively sniffing encrypted packets (the Fluhrer, Mantin and Shamir attack). Two main programs (WEPCrack and AirSnort) were created that demonstrated this flaw. Wireless vendors quickly caught on to how these programs worked and responded by adding a few lines of code to filter out the weak IVs that made this type of WEP cracking possible. Unfortunately, these two programs only focused on one statistical flaw in the WEP encryption process. Much to the chagrin of the wireless vendors, there are several other statistical attacks that can be used to crack the WEP key, and a new generation of WEP cracking programs was eventually released.
WEPAttack and Aircrack both make short work of cracking a WEP protected network, and have been reported to succeed with about 40,000 packets. Compared with the 2-5 million packets the first tools needed, the impact of the newest attacks is significant. Duplicate IVs (collisions). Each packet is encrypted with a keystream derived from the IV and the PSK; the keystream is XORed with the plaintext to produce the ciphertext. The only thing that changes from packet to packet is the IV. Since the IV is limited to 24 bits, there are only about 16 million (2^24) possible values, and 16 million packets is only a few hours of traffic on a busy network. If a device filters out weak IVs, the number of usable values is reduced further. The problem arises when two packets share an IV. If an attacker knows the content of one packet for a given IV, XORing the two ciphertexts cancels the keystream and yields the other packet's contents. In other words, an attacker can decrypt data without ever knowing the password. Given enough known IV/plaintext matches, the attacker can compromise the entire network. ICV. WEP incorporated a data integrity check. Using the CRC-32 algorithm, the sending device computes a checksum, the integrity check value (ICV), appends it to the data and encrypts both. The receiving node performs the same CRC-32 calculation and compares the two values; if they match, the packet is assumed to be valid. On the surface, this process appears to work. After all, the same CRC-32 is used by Ethernet to detect frames corrupted in transmission. Unfortunately, CRC-32 only protects against accidental corruption. It is linear, so an attacker can flip chosen bits of the encrypted data and patch the encrypted ICV by a value that depends only on which bits were flipped, and the altered packet still validates, without the attacker knowing the key or the plaintext.
In other words, a packet can easily be forged by an attacker. No forgery or replay protection. Each packet is encrypted by XORing it with a keystream. XOR is trivially reversed: anyone who knows (or can guess) the plaintext of a captured packet can recover the keystream for that IV. The problem isn't so much that the keystream can be extracted; it is what an attacker can do with it that is disturbing. Because nothing ties a keystream to a particular device, an attacker can reuse it with the same IV to create a valid encrypted packet and send it into the wireless network. In other words, an attacker can easily forge a packet and insert it into the network. In addition to this, any captured packet can be re-injected into the network at any time from any wireless device. There is no check in place to verify that a node should be sending a particular packet.
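The IV-collision and ICV flaws above, shown on a minimal WEP model, as an added example (my own code, not the presentation's; it is also the mechanism behind the "WEP is easily cracked" slides earlier). RC4 keyed with IV || PSK and a CRC-32 ICV are implemented inline so the block runs offline; key, IV and payloads are constructed values. The first attack decrypts a packet from a second packet with the same IV and a known plaintext, with no key; the second alters an encrypted payload and patches the ICV using the linearity of CRC-32, again with no key.

```python
"""Minimal WEP: RC4(IV||PSK) with CRC-32 ICV, plus two key-free attacks on it."""
import zlib

PSK = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
IV = b"\x0c\x0f\x0a"            # constructed 24-bit IV, reused on purpose below


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling followed by pseudo-random generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(psk: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV in the clear || RC4(IV||PSK) over (payload || CRC32(payload))."""
    plaintext = payload + crc32(payload)
    return iv + xor(plaintext, rc4(iv + psk, len(plaintext)))


def wep_decrypt(psk: bytes, frame: bytes):
    """Return the payload, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4(iv + psk, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    return payload if crc32(payload) == icv else None


def decrypt_via_collision(frame_known: bytes, known_payload: bytes, frame_target: bytes) -> bytes:
    """Flaw 1, IV collision.  Same IV and PSK give the same keystream, so
    keystream = C1 ^ P1 and the second packet is P2 = C2 ^ keystream.  No key needed."""
    assert frame_known[:3] == frame_target[:3], "IVs must collide"
    keystream = xor(frame_known[3:], known_payload + crc32(known_payload))
    return xor(frame_target[3:], keystream)[:-4]


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Flaw 2, CRC-32 linearity.  XOR 'delta' into the encrypted payload and patch
    the encrypted ICV.  Since crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros), the ICV
    change is crc(D) ^ crc(zeros), which depends only on D, not on P or the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = xor(crc32(delta), crc32(bytes(n)))
    return iv + xor(body[:n], delta) + xor(body[n:], icv_delta)


def demo():
    known, secret = b"KNOWN-PLAINTEXT1", b"SECRET PAYROLL!!"
    f_known = wep_encrypt(PSK, IV, known)
    f_secret = wep_encrypt(PSK, IV, secret)          # same IV: the collision
    recovered = decrypt_via_collision(f_known, known, f_secret)

    original = b"PAY acct=1001 amt=0100"
    f_pay = wep_encrypt(PSK, b"\x00\x00\x01", original)
    delta = bytearray(len(original))
    delta[original.index(b"amt=") + 4] = ord("0") ^ ord("9")   # 0100 -> 9100
    forged = flip_bits(f_pay, bytes(delta))
    return {"recovered": recovered, "forged_payload": wep_decrypt(PSK, forged)}


if __name__ == "__main__":
    print(demo())
```

Neither attack touches the RC4 key-recovery statistics that Aircrack exploits; they show why even a WEP network whose key is never recovered gives no confidentiality or integrity once an IV repeats, and why TKIP replaced the CRC-32 ICV with a keyed MIC and extended the IV space.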
  • Unauthorized access point detection (rogue AP): the access point employs both active and passive scanning to detect and report all active access points operating within range of the access point. Data from each scan is stored in the access point, available for query, or sent to a management console using SNMP traps. Between user-configurable wireless network scans, SNMP traps are immediately generated upon detection of a new access point.
  • http://en.wikipedia.org/wiki/RFID#Types_of_RFID_tags
  • Slide 1 - NASACT

    1. 1. Technology Trends Chris Gohlke, CPA Lead Senior Auditor Florida Auditor General IT Audits Division [email_address]
    2. 2. Outline <ul><li>Main Topics </li></ul><ul><ul><li>Media Cleansing </li></ul></ul><ul><ul><li>Wi-Fi (802.11) </li></ul></ul><ul><ul><li>RFID </li></ul></ul><ul><li>Bonus Topics (If Time Permits) </li></ul><ul><ul><li>Auditor Security Collection </li></ul></ul><ul><ul><li>Bluetooth </li></ul></ul><ul><li>The purpose of this class is to serve as a high-level overview. I’ve included a lot of extra information in these slides that won’t be covered in class. If you want even more information on these topics, check out the presentations at http://www.nasact.org/onlineresources/downloads/2005_IT_Conference_Workshop/2005_IT.htm </li></ul>
    3. 3. Media Sanitization <ul><li>We have been taught to think that when &quot;deleting&quot; files and then emptying the Recycle Bin that the selected files are now gone. This is not true. What happens is that the Windows disk manager only &quot;deletes&quot; its known reference to the name and where a file is being stored on the hard drive. The files are actually still there and can be very easily recovered with simple software tools.   </li></ul>
    4. 4. <ul><li>Many people think that formatting a hard drive will permanently erase all the data on the drive. This also is not true. Formatting is only a very low level hard drive cleaning function. </li></ul><ul><li>Formatting a hard drive does not completely erase all data as one may think. It only erases the file structure information. This means that your deleted data can be recovered by anyone possessing the right tools, until it is over written. </li></ul>
    5. 5. <ul><li>Imagine the hard drive of a computer is like a book. Instead of words, the hard drive is made up of binary data (0’s and 1’s). Like a book, the hard drive has a table of contents that catalogs where on the drive the 0’s and 1’s are that make up data files. Deleting and formatting drives is equivalent to removing the table of contents from the book. All of the data is still there. Software tools basically allow the computer to read the book and recreate the table of contents and thereby making all the data accessible. </li></ul>
    6. 6. <ul><li>The only way to erase your hard drive is to overwrite it. When you delete a file on your computer, it is eventually overwritten when the computer puts a new piece of data in the same place. This could happen quickly or could never happen depending on the usage of the computer. </li></ul><ul><li>To truly erase a disk, you want to systematically overwrite every bit on the disk. We use a piece of free software called Killdisk. What this software does is systematically write 0’s into every bit on the disk. </li></ul>
    7. 7. <ul><li>However, you should know that after doing this, a disk is still theoretically readable because even after the computer writes over everything with a 0, there may still be a magnetic signature left over from the old data. We won’t go into the physics behind magnetic media, so think of it this way. Imagine the surface of the drive is full of little circles. Imagine the write head on the drive puts a drop of ink in each circle to write data (white ink for a 0 or black ink for a 1). When one drop overwrites the previous drop, if you look real close at the edge, you might just be able to see what the previous drop was. So, by using very specialized pieces of hardware, you could physically examine the hard drive even after it has been overwritten. </li></ul>
    8. 8. <ul><li>This equipment is prohibitively expensive and is probably only really cost effective for spies trying to access top secret government/corporate information. To be effective against this type of scan, Department of Defense uses a system of 7 consecutive passes alternating 0’s and 1’s. Or to be truly effective, you can physically destroy the drive and platters. </li></ul>
    9. 9. Tableau Device <ul><li>Tableau device is a forensic tool to maintain the status of the drive being tested. The device is one way, meaning, you can read the drive, but it is impossible to change anything on the drive when it is hooked up in this manner. If a device like this is not used for testing, your results would be suspect if they had to be used in a legal proceeding. Auditees do not need to have a device like this to be wiping their drives – in fact, you could not wipe a drive that was attached in this manner.) </li></ul>
    10. 10. R-Studio <ul><li>R-Studio scans the drive and recovers deleted data. </li></ul>
    11. 11. Audit Guidelines <ul><li>The types of files you try and recover will depend on your scope. If you are looking for confidential information, you probably want documents (.doc, .xls, and .txt) and databases (.mdb). If you are looking for inappropriate use, you may be looking for pornography and want .jpg and .bmp. </li></ul><ul><li>If the auditee has a process for wiping drives, you want to see documentation. Most cleaning software should create a log. You should ask for a copy of any that have been sent out to prove that they were cleaned first. </li></ul><ul><li>If the drives or computers don’t physically work, they can’t run cleaning software, but drives can be repaired and still be read. They should have procedures like Degaussing or physically destroying the drives. </li></ul><ul><li>Also you may want to consider what they are doing with the surplus computers. If they are being given away to charities, are they reloading an operating system onto the computers? If so, there may be licensing issues. If they are being trashed, there are environmental concerns for which most States have regulations in place. </li></ul><ul><li>You should have a relationship with law enforcement. For example, if you find what you suspect to be child pornography during your testing, you have a legal obligation to report it. You want to make sure you have had a documented and secure chain of custody so that the drive is admissible as evidence. Since you don’t know what will be on the drive beforehand, you need to do this before you begin testing. </li></ul>
    12. 12. For More Information… <ul><li>See NIST Special Publication 800-88 (Public Draft, February 2006) – Guidelines for Media Sanitization. </li></ul>
    13. 13. What is Wi-Fi? <ul><li>Per Wikipedia – </li></ul><ul><li>Wi-Fi (sometimes written Wi-fi , WiFi , Wifi , wifi ) is a trademark for sets of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for &quot;Wireless Fidelity&quot;, was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs) to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices and homes to be networked without expensive wiring. Many computers are sold today with Wi-Fi built-in, others require adding a Wi-Fi network card. Other devices, such as digital cameras, are sometimes equipped with Wi-Fi. </li></ul><ul><li>Short Version – Wi-Fi gets rid of the Network Cable </li></ul>
    14. 14. What Pushes our Entities to Deploy? <ul><li>Governments are deploying wireless LANs for cost and operational benefits such as allowing for a more mobile workforce. </li></ul><ul><li>Educational entities are deploying wireless LANs for cost, operational, and marketing benefits. </li></ul>
    15. 15. However, the Biggest Driver of Wireless Adoption is ---The explosion of devices which is creating a demand and expectation of wireless.
    16. 16. Infrastructure vs. Ad Hoc <ul><li>Infrastructure </li></ul><ul><ul><li>Access Point(s) in Network </li></ul></ul><ul><li>Ad hoc </li></ul><ul><ul><li>No Access Point(s) in Network </li></ul></ul><ul><ul><ul><li>Network Interface card operates as peer station </li></ul></ul></ul>
    17. 17. 802.11 is the Standard that defines Wi-Fi Key Point: For purposes of auditing, your scanning equipment should be capable of detecting all flavors to be effective. Orthogonal Frequency Division Multiplexing Direct Sequence Spread Spectrum Orthogonal Frequency Division Multiplexing Technology Up to 54 Mbps Up to 11 Mbps Up to 54 Mbps Speed 2.4 GHz 2.4 GHz 5 GHz Frequency 802.11 B 802.11 G 802.11 A Only Compatible With 802.11 G 802.11 B 802.11 A
    18. 18. Key Point: Your scanning equipment should be capable of detecting all 14 channels to be effective. The Rest of the Information…..
    19. 19. Coverage for 802.11b/g <ul><li>300 feet indoors </li></ul><ul><li>1,500 feet outdoors </li></ul><ul><li>Speed declines as you get further away from A/P </li></ul><ul><li>With powerful antennas, an entity installation can be extended to a range of 3 miles </li></ul>
    20. 20. Definition - MAC Address (Like SSN) <ul><li>A media access control address ( MAC address ) is a unique identifier attached to most forms of networking equipment. The addresses are designed to be globally unique. The MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. (Note, Hackers can spoof the MAC address.) </li></ul>
    21. 21. Definition – SSID (Like a Name) <ul><li>A service set identifier ( SSID ) is a code attached to all packets on a wireless network to identify each packet as part of that network. Think of it as similar to having the company name on the side of a building. The code consists of a maximum of 32 alphanumeric characters. All wireless devices attempting to communicate with each other must share the same SSID. </li></ul><ul><li>There are two major variants of the SSID. Ad-hoc wireless networks that consist of client machines without an access point use the BSSID (Basic Service Set Identifier); whereas on an infrastructure network which includes an access point, the ESSID (E for Extended) is used instead. Each of these different types may be referred to in general terms as SSID. A network's SSID is often referred to as the &quot;network name&quot;. The SSID is either broadcast automatically by the AP, or sent upon request (probe) from a user station. </li></ul>
    22. 22. Authentication <ul><li>802.11 networks use two authentication methods: open-system authentication and shared-key authentication. In both schemes, each mobile client (called a station or supplicant ) must authenticate to the access point. </li></ul><ul><ul><li>Open-system authentication might better be called &quot;no authentication&quot;, because no actual authentication takes place: the station says &quot;please authenticate me&quot;, and the AP does so, with no credential exchange. </li></ul></ul><ul><ul><li>Shared-key authentication is somewhat more robust (except that it depends on WEP). The station requests authentication, and the access point (AP) responds with a WEP-encrypted challenge. The station can decrypt the challenge and respond only if it has the correct WEP password. In both of these methods, the station must also know the service set identifier (SSID) of the AP. However, because the AP might broadcast its SSID, and because stations talking to that SSID always broadcast it, this behavior isn't much of an obstacle to learning the SSID. </li></ul></ul>
    23. 23. WEP <ul><li>The 802.11b standard includes a provision for encryption called WEP (Wired Equivalent Privacy). Depending on the manufacturer and the model of the NIC card and access point, there are two levels of WEP commonly available - one based on a 40-bit encryption key and 24-bit Initialization Vector (also called 64-bit encryption and generally considered insecure) and a 104-bit key plus the 24-bit IV (so called 128 bit encryption.) Each device on the network must have the same key and that key must be manually entered into the wireless receiving device to match the key on the access point. Some proprietary solutions from vendors like Cisco have automated the passing of keys. Future 802.11 encryption standards will have automated key functions under the new Wi-Fi Protected Access (WPA2 ) specification . </li></ul>
    24. 24. More WEP <ul><li>WECA (Wireless Ethernet Compatibility Alliance)has only certified the 64 bit WEP encryption. Thus, access points and cards supporting 128 bit and 256 bit WEP encryption may not work for all vendor wireless cards even if they provide these encryption schemes due to possible variances in the wireless chipsets used by vendors in their products. Therefore, most sites will use the 64 bit encryption to allow wireless cards from different vendors to work on their network. Some vendors like Cisco also have proprietary encryption solutions like LEAP that only work on Cisco wireless cards. For audits , the main concern is that sites using 64 bit WEP encryption are using a weak encryption standard for the security of wireless data communications. Of course, this is better than the majority of access points that are being deployed without WEP even being enabled. </li></ul><ul><li>WEP is EASILY CRACKED </li></ul>
    25. 25. WPA ( Wi-Fi Protected Access ) <ul><li>WPA is a subset of the 802.11i security standard for wireless networks. WPA improves on the authentication and encryption features of WEP. In fact, WPA was developed by the networking industry in response to the shortcomings of WEP. </li></ul>
    26. 26. TKIP <ul><li>One of the key technologies behind WPA is the Temporal Key Integrity Protocol (TKIP). TKIP addresses the encryption weaknesses of WEP. Another key component of WPA is built-in authentication that WEP does not offer. With this feature, WPA provides roughly comparable security to VPN tunneling with WEP, with the benefit of easier administration and use. </li></ul>
    27. 27. WPA-PSK <ul><li>One variation of WPA is called WPA Pre Shared Key or WPA-PSK for short. WPA-PSK is a simplified but still powerful form of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or &quot;passphrase&quot; as with WEP. But, using TKIP, WPA-PSK automatically changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them. </li></ul>
    28. 28. WPA2-Enterprise <ul><li>Maintains all components specified in the 802.11i standard. </li></ul><ul><li>Supports 802.1x port security. </li></ul><ul><li>The primary difference between WPA and WPA2 is the type of encryption used – the stronger Advanced Encryption Standard (AES) vs. TKIP in WPA. </li></ul><ul><li>WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm. </li></ul>http://www.wi-fi.org/OpenSection/protected_access.asp
    29. 29. WPA2-PSK <ul><li>One variation of WPA2 is called WPA2 Pre-Shared Key, or WPA2-PSK for short. WPA2-PSK is a simplified but still powerful form of WPA2 most suitable for home Wi-Fi networking. To use WPA2-PSK, a person sets a static key or &quot;passphrase&quot; as with WEP. The AES encryption standard is used to enhance security. </li></ul>
    30. 30. Audit Concerns <ul><li>Are there rogue access points? </li></ul><ul><li>Are authorized access points adequately secured? </li></ul>
    31. 31. Why are we auditing for rogues? <ul><li>Increased vulnerability to the network by extending entity network “beyond the walls” </li></ul><ul><li>Confidential data may be sent in the clear </li></ul><ul><li>Violation of entity policies/procedures for installation of wireless devices </li></ul><ul><li>Errors by Administrators setting up APs </li></ul>
    32. 32. Looking for Rogues
    33. 33. Basic Tools <ul><li>PC Cards/WiFi Antennas </li></ul><ul><li>Wi-Fi Finders </li></ul><ul><li>Built in XP Tools </li></ul><ul><li>Netstumbler </li></ul><ul><li>Wellenreiter </li></ul><ul><li>Kismet </li></ul><ul><li>Aircrack </li></ul>
    34. 34. The Laptop Internal or PC Card has Limits <ul><li>It's very difficult to get effective results with a laptop using a PC card's tiny integrated &quot;bulge&quot; antenna. A fairly small cohort of PC cards has a tiny coaxial jack into which you can plug a coaxial connector leading to an external antenna. Experiments using Netstumbler and a PC card's integrated antenna alone showed that only 50%-60% as many stations can be discovered as with a higher powered external antenna. </li></ul>
    35. 35. The Basics of Direction <ul><li>Antennas come in various shapes and sizes. They have different performance patterns and gain. </li></ul><ul><ul><li>Directional antennas focus the signal in a specific direction with more power. </li></ul></ul><ul><ul><li>Omni directional antennas work great to cover uniformly in all directions. </li></ul></ul>
    36. 36. Directional Antennas <ul><li>Directional antennas are used for Point-to-Point or sometimes for Multi-Point systems depending on the setup. Directional antennas include Backfire, Yagi, Panel and dish-type antennas. </li></ul>
    37. 37. Backfire <ul><li>The backfire is a small directional antenna with excellent gain (15 dBi). They look similar to a parabolic dish, but the gain isn't as high. They work well for point to point or point to multipoint systems because of the excellent gain and the good noise figures. </li></ul>
    38. 38. Yagi Directional <ul><li>Yagi antennas were the design of two Japanese people, Hidetsugu Yagi and Shintaro Uda, and are sometimes referred to as Yagi-Uda antennas. These antennas are typically very directional and are used for point to point, or to extend the range of a point to multi-point system. They have excellent signal strength and in the right circumstances can communicate for miles! </li></ul>
    39. 39. Panel Directional <ul><li>Flat panel and sector directional antennas offer a high gain in a very thin, low profile package. </li></ul>
    40. 40. Dish Directional <ul><li>One of the most powerful wireless antennas for distance. Parabolic dish antennas put out tremendous gain but are a little hard to point and make a connection with. As the gain of an antenna increases, the antenna’s beam narrows until you have only a very small window in which to point or aim your dish correctly. Dish antennas are almost always used for a point to point system for long haul systems. The Parabolic Dish antennas work by focusing the power to a central point and beaming the radio’s signal to a specific area, kind of like the adjustable reflector on a flashlight. These antennas are highly focused and are an excellent tool to send signals a very long distance. </li></ul>
    41. 41. Oh My……..Sniper Antennas
    42. 42. 124.9 mile 802.11 link is possible with the right antenna
    43. 43. Omni-Directional <ul><li>This is the common “Base” antenna used for Point-to-Multi-Point. Typical Omni-Directional WiFi antennas consist of Vertical Omnis, Ceiling Domes, Rubber Ducks, Small Desktops and Mobile Vertical antennas. </li></ul>
    44. 44. Vertical Omni <ul><li>This type of antenna can act as the central point to a WiFi, WLAN or 802.11 application. Can exhibit 12dB+ of gain. You would normally find this type of antenna as the central point of an auditee’s system. </li></ul>
    45. 45. Ceiling Dome <ul><li>Auditees may mount one ceiling dome antenna above every computer or workstation for a complete wireless network. </li></ul>
    46. 46. Rubber Duck Omni <ul><li>This antenna gives you approximately 2 times the range over your existing wireless AP &quot;Stock&quot; antenna. </li></ul>
    47. 47. Small Desktop <ul><li>Supplements the rubber duck antennas provided for some APs </li></ul>
    48. 48. Mobile Vertical Omni <ul><li>Provides a vast improvement over a PC Card wireless card when used for wardriving. </li></ul>
    49. 49. Deployment at the Audit Site
    50. 50. Wi-Fi Finders <ul><li>Come in a variety of forms. </li></ul><ul><li>Some just show whether or not there is available Wi-Fi. </li></ul><ul><li>Others test to see if you can get on-line via the connection. </li></ul><ul><li>Others actually display the SSID and other information about the network. </li></ul>
    51. 51. 2.4 GHz Wi-Fi Detector TEW-T1 <ul><li>Detects 2.4 GHz wireless signals generated from 802.11b/g Wi-Fi devices, cordless phones, microwave ovens and wireless hidden cameras </li></ul><ul><li>Helps Network Administrators survey the environment and locate interference easily </li></ul><ul><li>Verifies Wi-Fi signal strength, allowing better configuration </li></ul><ul><li>Indicates signal strength with diagnostic LEDs </li></ul><ul><li>Displays signal source with diagnostic LEDs </li></ul><ul><li>Operates at 0.5 seconds for super fast signal detection </li></ul><ul><li>Offers Automatic-Alert, Automatic-Silent, and Manual Scan modes </li></ul><ul><li>Scans for 30 minutes and automatically turns off in Automatic scan mode </li></ul><ul><li>Supports a range of up to 20~45 meters indoor, 60~90 meters outdoor (depends on the environment) </li></ul>
    52. 52. Wi-Fi Finders/Detectors <ul><li>These are great tools to help you find an access point for use, but are not sufficient for audit purposes. </li></ul>
    53. 53. Built in XP Tool - very basic tool, but most likely available on any laptop
    54. 54. Netstumbler - More advanced, Free, Works with a variety of wireless cards
    55. 55. Kismet – Linux based, a bit more robust than Netstumbler
    56. 56. Mapping with a GPS to Find Rogues <ul><li>Helps to filter signals that are not physically coming from the location you are auditing. </li></ul><ul><li>Helps to localize the signals that are coming from the location you are auditing. </li></ul>
    57. 57. Using Netstumbler, a GPS, and Google Maps, you can create this…
    58. 58. And you can zoom in on the building you are interested in
    59. 59. If you don’t, someone else will (and probably already has)
    60. 60. Aircrack <ul><li>Aircrack is a set of tools for auditing wireless networks including: </li></ul><ul><ul><li>Airodump: 802.11 packet capture program </li></ul></ul><ul><ul><li>Aireplay: 802.11 packet injection program </li></ul></ul><ul><ul><li>Aircrack: static WEP and WPA-PSK key cracker </li></ul></ul><ul><ul><li>Airdecap: decrypts WEP/WPA capture files </li></ul></ul>www.cr0.net:8040/code/network/aircrack
    61. 61. <ul><li>The tools I have shown so far are free. But, if you insist on buying something… </li></ul>
    62. 62. Commercial Products - AirMagnet ANALYZER <ul><li>Immediately identify Rogue Devices using multiple methods.  </li></ul><ul><li>Physically locate and remove Rogues using the Find Tool.  Ensure every device in the network conforms to your security policy with support for WPA, 802.11i, 802.1x, VPNs, LEAP, PEAP, TKIP, MIC, FAST, WEP or others.  </li></ul><ul><li>Proactively identify dozens of wireless attacks and hacks including DoS attacks, Dictionary Attacks, Wireless Intrusions, and the latest Queensland attack.  </li></ul><ul><li>Detect a total of 54 security vulnerabilities and events.  </li></ul><ul><li>Construct and manage detailed security policies through an intuitive policy management interface.  </li></ul><ul><li>Keep your network protected while you troubleshoot with built-in authentication support for WPA, WEP, LEAP, FAST, PEAP, TLS and more. </li></ul>$2995 $3495
    63. 63. Fluke Networks OptiView Series II <ul><li>The Wireless option extends OptiView's capabilities; monitoring all 802.11a/b/g channels to capture and decode data packets, identify rejected association requests and pinpoint access-point conflicts. </li></ul>$18,227.72 to $44,803.20
    64. 64. Procedures - Managing the APs <ul><li>How does the auditee connect to the boxes? </li></ul><ul><ul><li>Certain vendors, such as Cisco, provide support for Secure Socket Layer (SSL) connections allowing these devices to be managed with optimized security through a Web browser. </li></ul></ul><ul><li>Is change management of the wireless architecture guided by procedures? </li></ul><ul><ul><li>Patches, access, and monitoring. </li></ul></ul><ul><li>Is any of this in writing? </li></ul>
    65. 65. Sample Wireless Procedures <ul><li>Department heads shall register any deployment of wireless access points with ACNS. This registration shall provide information requested by the wireless overseeing committee. Registration and information of wireless activity will be available at: http://www.acns.fsu.edu/Network/wireless_survey.shtml . </li></ul><ul><li>Installation of Access Points will be the responsibility of the individual department, but must comply with rules and regulations of the University as implemented by the overseeing committee and enforced by ACNS. i.e., all installations must not interfere with existing installations and cooperation must be awarded to ensure baseline levels of connection service quality. Installation of antennas must comply with all federal and state regulations for antennas. The installation of access points and bridging devices must be consistent with health, building, and fire codes. </li></ul><ul><li>Security: General access to the network infrastructure, including wireless infrastructure, will be limited to individuals authorized to use campus and Internet resources. Users of campus and Internet resources shall be authenticated. </li></ul><ul><ul><li>Physical Security of wireless access points will be maintained to protect the access point from theft or access to the data port. </li></ul></ul><ul><ul><li>Password and data protection is the responsibility of the application. The wireless infrastructure will not provide specialized encryption or authentication that should be relied on by applications. In particular, no application should rely on IP address based security or reusable clear text passwords. It is expected instead that service machines will expect/require their own general or applications authentication, authorization and encryption mechanisms to be used by clients entering from any unprotected network. </li></ul></ul><ul><ul><li>Access points or the first switch after the access point shall provide user authentication and/or authorization to the network before access shall be given. </li></ul></ul>
    66. 66. Auditee Should Have Entity AP Maps (they need to know where their stuff is and so do you).
    67. 67. What can be done to secure wireless? <ul><li>Activate WEP at the very least. WEP is not very secure, but it is still better than nothing. Because 802.11 does not support the dynamic exchange of WEP keys, the same key is typically left in use for weeks, months, or years. This is the same as never changing your password. But the key can be changed manually, so there should be procedures to periodically change the WEP key. If the site is transmitting confidential information, however, this is not enough security. Example: A site that must meet HIPAA requirements would probably need a stronger encryption system to meet the spirit of the legislation. </li></ul>
    68. 68. What can be done to secure wireless? <ul><li>If available, utilize dynamic key exchange mechanisms. Use 802.11i or vendor-specific technologies for enhanced encryption and dynamic key exchange. </li></ul><ul><li>Ensure NIC and access point firmware is up-to-date. Vendors often implement patches to firmware that fix security issues. Start by upgrading the firmware in the access point soon after pulling it out of the box. On an ongoing basis, make it a habit to check that all devices have the most recent firmware releases to cover up all known security holes. As an audit procedure, you can see what version of the firmware they have and compare it to the most up-to-date version. </li></ul>
    69. 69. What can be done to secure wireless? <ul><li>Ensure only authorized people can reset the access points. Some access points will revert back to factory default settings (i.e., no security at all) when someone pushes the reset button on the access point. This makes the access point a fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical security for the access point hardware. For example, don't place an access point within easy reach on a table in the office. Instead, mount them out of view above ceiling tiles. Some access points don't have reset buttons, but they allow you to reset via an RS-232 cable through a console connection. To prevent this, be sure to disable the console port. </li></ul><ul><li>Assign &quot;strong&quot; passwords to access points. Don't use default passwords for access points. Default passwords are well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodically. </li></ul>
    70. 70. What can be done to secure wireless? <ul><li>Don't broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Windows XP and other monitoring tools (e.g., AirMagnet, NetStumbler, AirPeek, and WinC) will automatically sniff 802.11 traffic to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most sniffing tools useless. This isn't foolproof, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off). At least shutting off the broadcast mechanism will limit access. </li></ul>
    71. 71. What can be done to secure wireless? <ul><li>Don't use default SSID names. As a default setting, most access point vendors use their vendor name as the SSID. Others are also commonly known, such as &quot;Any.&quot; As a result, set the SSID to something different, as odd a word or phrase as possible, to keep people from guessing it. Better yet, make it something like “Do Not Enter” or “No Trespassing” to put a hacker on notice that this is not a public network. Think of the SSID as being a weak password that will stop a casual snooper. A hacker, though, can easily find the SSID in association frames when a user first boots their wireless device. </li></ul><ul><li>Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if WEP is turned off, the hacker can easily access (via the Windows operating system) files on other users' devices that are associated with an access point on the same WLAN. As a result, it's crucial that all users disable file sharing for all folders and utilize personal firewalls. </li></ul>
    72. 72. What can be done to secure wireless? <ul><li>Monitor for rogue access points. Create a wireless baseline by creating an inventory of wireless access points including SSIDs, MAC addresses, and communication channels used. Continually monitor the network and check for access points that don't conform to the baseline or configuration policies. An access point that doesn't match specific security settings has likely been reset or is actually a rogue access point installed by a hacker or an employee not wanting to coordinate with IT personnel. You can also deploy intrusion detection sensors to identify the presence of hackers based on invalid MAC addresses. The main idea is to provide alerts if suspicious behavior is occurring. Ideally, the auditee should have this baseline for you to use, although most will not. </li></ul>
    73. 73. Summary for Securing the Wireless Environment <ul><li>Create wireless policies and procedures after analyzing risks. </li></ul><ul><li>Authenticate users (LDAP; RADIUS). </li></ul><ul><li>Run WAPs outside of the firewall and provide adequate physical security for WAPs; interdepartmental firewalls segregate wireless areas from trusted network assets. </li></ul><ul><li>Run antivirus and firewall software on wireless-enabled client devices. </li></ul><ul><li>Use a VPN or the new WPA encryption, or use WEP or LEAP if other encryption methods are not available. </li></ul>
    74. 74. Securing the Wireless Environment <ul><li>Turn off SSID broadcast or change the SSID to a name that does not identify the entity. </li></ul><ul><li>Employ intrusion detection systems on wireless network segments to monitor for unusual activity on the network and scan for rogue wireless access points. </li></ul><ul><li>Keep abreast of security vulnerabilities with the wireless infrastructure and take corrective action quickly. </li></ul><ul><li>Attach WAPs to switches and ensure switches are not set to broadcast mode. </li></ul><ul><li>Inventory SSIDs, MAC addresses of WAPs, and channels as a baseline for use in wireless audits. </li></ul>
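The rogue-monitoring slide and the baseline item above describe one audit procedure: inventory the authorized APs (SSID, MAC address, channel) and compare each scan against it. Here is an added example (not code from the slides) that does that comparison; the baseline rows, the scan rows and the classification labels are constructed for illustration, and in practice the scan rows would come from a tool such as NetStumbler or Kismet.

```python
"""Checking a wireless scan against the auditee's access point baseline.

Added example, not code from the slide deck. The baseline (SSIDs, BSSIDs and
channels, as the summary slide says to inventory) and the scan results below
are constructed for illustration; in practice the scan rows would be exported
from a tool such as NetStumbler or Kismet. Each BSSID seen is classified as:
  ok             matches the baseline on SSID, channel and encryption
  config-drift   known BSSID whose settings differ (possibly reset to defaults)
  rogue-suspect  unknown BSSID advertising one of the entity's own SSIDs
  unknown        unknown BSSID with a foreign SSID (neighbour or rogue; resolve
                 with signal strength / GPS mapping as the slides describe)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    bssid: str
    ssid: str
    channel: int
    encryption: str  # "open", "WEP", "WPA" or "WPA2"
    signal_dbm: int = 0  # from the scan; 0 when not recorded (baseline rows)


# Constructed baseline: what the auditee says is deployed (hypothetical values).
BASELINE = [
    ApRecord("00:11:22:33:44:01", "ENTITY-STAFF", 1, "WPA2"),
    ApRecord("00:11:22:33:44:02", "ENTITY-STAFF", 6, "WPA2"),
    ApRecord("00:11:22:33:44:03", "ENTITY-GUEST", 11, "WPA"),
]

# Constructed scan results, as one pass around the building might return.
SCAN = [
    ApRecord("00:11:22:33:44:01", "ENTITY-STAFF", 1, "WPA2", -55),
    ApRecord("00-11-22-33-44-02", "linksys", 6, "open", -60),        # looks factory-reset
    ApRecord("0a:bb:cc:dd:ee:ff", "ENTITY-STAFF", 11, "WEP", -48),   # unknown hardware, entity SSID
    ApRecord("12:34:56:78:9a:bc", "NETGEAR", 3, "WPA2", -85),        # faint, probably a neighbour
]

WEAK_ENCRYPTION = ("open", "WEP")


def normalize_bssid(bssid: str) -> str:
    """Tools format MACs differently (00-11-.. vs 00:11:..); compare on one form."""
    return bssid.strip().lower().replace("-", ":")


def classify_scan(baseline, scan, weak=WEAK_ENCRYPTION):
    """Return ({bssid: (status, notes)}, [baseline bssids not seen in the scan])."""
    expected = {normalize_bssid(ap.bssid): ap for ap in baseline}
    entity_ssids = {ap.ssid for ap in baseline}
    findings = {}
    for seen in scan:
        key = normalize_bssid(seen.bssid)
        notes = []
        if key in expected:
            known = expected[key]
            for field in ("ssid", "channel", "encryption"):
                if getattr(known, field) != getattr(seen, field):
                    notes.append(f"{field}: expected {getattr(known, field)!r}, "
                                 f"saw {getattr(seen, field)!r}")
            status = "ok" if not notes else "config-drift"
        elif seen.ssid in entity_ssids:
            status = "rogue-suspect"  # someone else is advertising the entity's SSID
        else:
            status = "unknown"
        if seen.encryption in weak:
            notes.append(f"weak encryption: {seen.encryption}")
        findings[key] = (status, tuple(notes))
    missing = sorted(k for k in expected if k not in findings)
    return findings, missing


if __name__ == "__main__":
    results, missing = classify_scan(BASELINE, SCAN)
    for bssid, (status, notes) in results.items():
        print(f"{bssid}  {status:14s} {'; '.join(notes)}")
    for bssid in missing:
        print(f"{bssid}  not-seen       in baseline but not observed "
              f"(powered off, moved, or out of range)")
```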
    75. 75. Radio Frequency Identification (RFID)
    76. 76. About RFID <ul><li>Radio Frequency Identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders </li></ul><ul><li>RFID tag: a small object that can be attached to or incorporated into </li></ul><ul><ul><li>Products: retail merchandise, shipping containers, tires, etc. </li></ul></ul><ul><ul><li>Animals or people </li></ul></ul><ul><li>RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver </li></ul><ul><ul><li>Passive tags require no internal power source, whereas active tags require a power source. </li></ul></ul>
    77. 77. RFID’s
    78. 78. Early RFID <ul><li>The use of RFID in tracking and access applications first appeared during the 1980s. </li></ul><ul><li>Take the example of books in a library. Security gates can detect whether or not a book has been properly checked out of the library. When users return items, the security bit is re-set and the item’s computer record is automatically updated. </li></ul>
    79. 79. Current RFID Uses <ul><li>Talking Prescriptions - 13.56 MHz tags are being placed on prescriptions for Visually Impaired Veterans. The Department of Veterans Affairs Outpatient pharmacies are now supplying the tags with label information stored inside that can be read by a battery powered, talking prescription reader. This reader speaks information such as: Drug Name; Instruction; Warnings; etc. </li></ul><ul><li>Low-frequency RFID tags are commonly used for animal identification. Pets can be implanted with small chips so that they may be returned to their owners if lost. </li></ul><ul><li>Beer kegs are also tracked with LF RFID. </li></ul><ul><li>The Canadian Cattle Identification Agency began using RFID tags as a replacement for barcode tags. The tags are required to identify a bovine's herd of origin and this is used for trace-back when a packing plant condemns a carcass. Currently CCIA tags are used in Wisconsin and by US farmers on a voluntary basis. </li></ul><ul><li>High-frequency RFID tags are used in library book or bookstore tracking, pallet tracking, building access control, airline baggage tracking, and apparel item tracking. </li></ul><ul><li>High-frequency tags are widely used in identification badges, replacing magnetic stripe cards. These badges need only be held within a certain distance of the reader to authenticate the holder. </li></ul><ul><li>The American Express Blue credit card now includes a high-frequency RFID tag, a feature American Express calls ExpressPay. </li></ul><ul><li>UHF RFID tags are commonly used commercially in pallet and container tracking, and truck and trailer tracking in shipping yards. </li></ul><ul><li>Microwave RFID tags are used in long range access control for vehicles. </li></ul>
    80. 80. More Current RFID Uses <ul><li>RFID tags are used for electronic toll collection at toll booths. The system helps to speed traffic through toll plazas as it records the date, time, and billing data for the RFID vehicle tag. </li></ul><ul><li>In January 2003, Michelin began testing RFID transponders embedded into tires. After a testing period that is expected to last 18 months, the manufacturer will offer RFID-enabled tires to car makers. Their primary purpose is tire-tracking in compliance with the United States Transportation, Recall, Enhancement, Accountability and Documentation Act (TREAD Act). </li></ul><ul><li>Some smart cards embedded with RFID chips are used as electronic cash, to pay fares in mass transit systems. </li></ul><ul><li>Starting with the 2004 model year, a Smart Key/Smart Start option became available to the Toyota Prius. The key uses an active RFID circuit which allows the car to acknowledge the key's presence within approximately 3 feet of the sensor. The driver can open the doors and start the car while the key remains in a purse or pocket. </li></ul><ul><li>In August 2004, the Ohio Department of Rehabilitation and Correction (ODRH) approved a $415,000 contract to evaluate the personnel tracking technology of Alanco Technologies. Inmates will wear wristwatch-sized transmitters that can detect if prisoners have been trying to remove them and send an alert to prison computers. This project is not the first such rollout of tracking chips in US prisons. Facilities in Michigan, California and Illinois already employ the technology. </li></ul>
    81. 81. Even More RFID Uses <ul><li>Wal-Mart and the United States Department of Defense have published requirements that their vendors place RFID tags on all shipments to improve supply chain management. Due to the size of these two organizations, their RFID mandates impact thousands of companies worldwide. The deadlines have been extended several times because many vendors face significant difficulties implementing RFID systems. In practice, the successful read rates currently run only 80%, due to radio wave attenuation caused by the products and packaging. In time it is expected that even small companies will be able to place RFID tags on their outbound shipments. </li></ul><ul><li>Since January 2005, Wal-Mart has required its top 100 suppliers to apply RFID labels to all shipments. To meet this requirement, vendors use RFID printer/encoders to label cases and pallets that require EPC tags for Wal-Mart. These smart labels are produced by embedding RFID inlays inside the label material, and then printing bar code and other visible information on the surface of the label. </li></ul>
    82. 82. RFID Frequencies <ul><li>13.56 MHz </li></ul><ul><li>125 kHz (original) &amp; 134.2 kHz </li></ul><ul><li>UHF </li></ul><ul><li>Microwave </li></ul><ul><li>Range: 10 meters </li></ul>
    83. 83. RFID Implications <ul><li>Privacy concerns </li></ul><ul><ul><li>Stealing Tag number </li></ul></ul><ul><ul><li>Clean Dumpster Diving </li></ul></ul><ul><ul><li>Casing a home or business </li></ul></ul><ul><li>Duplication of tags (spoofing) </li></ul><ul><li>Changes how inventory is done </li></ul>
    84. 84. Further Information <ul><li>RFDump (www.rfdump.org) </li></ul>
    85. 85. Auditor Security Collection <ul><li>The Auditor security collection is a Live-System based on KNOPPIX. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. </li></ul><ul><li>Independent of the hardware in use, the Auditor security collection offers a standardized working environment, so that the build-up of know-how and remote support is made easier. Professional open-source programs offer you a complete toolset to analyze your security, byte for byte. </li></ul><ul><li>In order to become quickly proficient within the Auditor security collection, the menu structure follows the recognized phases of a security check (foot-printing, analysis, scanning, wireless, brute-forcing, cracking). By this means, you instinctively find the right tool for the appropriate task. </li></ul>
    86. 86. Auditor Security Collection <ul><li>In addition to the approx. 300 tools, the Auditor security collection contains further background information regarding the standard configuration and passwords, as well as word lists from many different areas and languages with approx. 64 million entries. </li></ul><ul><li>Current productivity tools such as web browser, editors and graphic tools allow you to create or edit texts and pictures for reports, directly within the Auditor security platform. </li></ul><ul><li>Many tools were adapted, newly developed or converted from other system platforms, in order to make as many current auditing tools available as possible on one CD-ROM. Tools like Wellenreiter and Kismet were equipped with an automatic hardware identification, thus avoiding irritating and annoying configuration of the wireless cards. </li></ul><ul><li>http://new.remote-exploit.org/index.php/auditor_main </li></ul>
    87. 87. Bluetooth
    88. 88. What is Bluetooth? <ul><li>Short range communications </li></ul><ul><li>Personal Area Networks </li></ul><ul><li>Low Power Communications Between Devices </li></ul><ul><li>Get rid of the wires for peripherals </li></ul>
    89. 89. Bluetooth Classes <ul><li>Class 3 (1 mW) is the rarest and allows transmission of 10 centimeters (3.9 inches), with a maximum of 1 meter (3.2 feet) </li></ul><ul><li>Class 2 (2.5 mW) is most common and allows a quoted transmission distance of 10 meters (32 ft) </li></ul><ul><li>Class 1 (100 mW) has the longest range at up to 100 meters. This class of product is readily available. </li></ul>
    90. 90. Bluetooth-Enabled Devices <ul><li>Printers </li></ul><ul><li>Cell Phones </li></ul><ul><li>Audio Speakers / Headsets </li></ul><ul><li>PDA </li></ul><ul><li>Keyboards / Mice / Joysticks </li></ul><ul><li>Cameras </li></ul><ul><li>MP3 Players </li></ul><ul><li>Networking </li></ul><ul><li>Cars </li></ul><ul><li>Remote Controls </li></ul><ul><li>GPS </li></ul><ul><li>Medical </li></ul>
    91. 91. Bluetooth Security <ul><li>Encryption </li></ul><ul><li>Profiles </li></ul><ul><li>Security Modes </li></ul><ul><li>Security Levels </li></ul><ul><li>PIN </li></ul>
    92. 92. Bluetooth Encryption <ul><li>SAFER+ algorithm – for authentication and key generation (128-bit) </li></ul><ul><li>E0 – for packet encryption </li></ul>
    93. 93. What are Profiles? <ul><li>Short Version – They are like drivers for peripherals </li></ul><ul><li>Profiles have been developed in order to describe how implementations of user models are to be accomplished </li></ul><ul><ul><li>Describes a number of user scenarios where Bluetooth performs the radio transmission </li></ul></ul><ul><ul><li>A profile can be described as a vertical slice through the protocol stack </li></ul></ul><ul><ul><li>Defines options in each protocol that are mandatory for the profile </li></ul></ul><ul><ul><li>Defines parameter ranges for each protocol. </li></ul></ul><ul><ul><li>Concept is used to decrease the risk of interoperability problems between different manufacturers' products </li></ul></ul>
    94. 94. Bluetooth Security Modes <ul><li>Security Mode 1: non-secure </li></ul><ul><li>Security Mode 2: service level enforced security </li></ul><ul><ul><li>Channel is established then security procedures are established </li></ul></ul><ul><li>Security Mode 3: link level enforced security </li></ul><ul><ul><li>Bluetooth device initiates security procedures before the channel is established </li></ul></ul>
    95. 95. Bluetooth Security Levels <ul><li>For devices, there are 2 levels: </li></ul><ul><ul><li>&quot;trusted device&quot; and &quot;untrusted device&quot;. The trusted device has unrestricted access to all services. </li></ul></ul><ul><li>For services, 3 security levels are defined: </li></ul><ul><ul><li>services that require authorization and authentication </li></ul></ul><ul><ul><li>services that require authentication only </li></ul></ul><ul><ul><li>services that are open to all devices. </li></ul></ul>
    96. 96. Bluetooth PIN <ul><li>1-16 digits </li></ul><ul><li>Basic attack: sniffs the pairing and authentication process </li></ul><ul><li>Re-pairing attack: exploits the connection establishment protocol to force the devices to repeat the pairing </li></ul><ul><li>Time from sniffing to cracking the PIN (3 GHz CPU): </li></ul><ul><ul><li>4 digits: 0.063 seconds </li></ul></ul><ul><ul><li>5 digits: 0.75 seconds </li></ul></ul><ul><ul><li>6 digits: 7.609 seconds </li></ul></ul><ul><ul><li>7 digits: 76.127 seconds </li></ul></ul>
    97. 97. Bluetooth Hardware/Software <ul><li>Linksys USBBT100 ($50) </li></ul><ul><li>HyperGain RE05U 2.4GHz antenna ($15) </li></ul><ul><li>btscanner v1 </li></ul><ul><li>btscanner v2 </li></ul><ul><li>BT Audit </li></ul><ul><li>Bluez </li></ul>
    98. 98. Bluetooth Hacking / Cracking
    99. 99. Long Distance Snarfing <ul><li>Unamplified (but modified) at 1.08mi! </li></ul>
    100. 100. Hacking Tools <ul><li>Blue Bug - Security loophole that allows downloading of data from Bluetooth-enabled cell phones; non-intrusive – the owner is not prompted. </li></ul><ul><li>Blooover - Tool to check if other phones are vulnerable to BlueBug; runs on J2ME-enabled devices (cell phones) </li></ul><ul><li>BlueSmack - Knocks out Bluetooth-enabled devices immediately; a DoS attack, as easy as l2ping -s 600 &lt;bt-hex-address&gt; </li></ul>
    101. 101. More Hacking Tools <ul><li>BlueSnarf - Works by utilizing the OBEX Push Profile (OPP); where it is implemented incorrectly, an attacker can utilize the OBEX GET function to download known files from the device </li></ul><ul><li>BlueBump - Requires the attacker to establish a trusted relationship with the peer: </li></ul><ul><ul><li>Attacker sends a vCard to establish authentication </li></ul></ul><ul><ul><li>Attacker keeps the connection open and tells the victim to delete the link key, but the connection remains active </li></ul></ul><ul><ul><li>Attacker requests link-key regeneration, adding a new device entry </li></ul></ul><ul><ul><li>Attacker can now connect to the device at any time </li></ul></ul><ul><li>BlueDump - Causes a Bluetooth device to ‘dump’ its stored link key, enabling sniffing to take place. Requires: BDADDR of paired devices </li></ul>
    102. 102. Effects <ul><li>Privacy concerns </li></ul><ul><ul><li>Theft of data and personal information </li></ul></ul><ul><li>Use of services </li></ul><ul><ul><li>Theft of digital resources </li></ul></ul><ul><li>DoS, Viruses, Worms </li></ul>
    103. 103. Points of Interests / Reference <ul><li>Bluetooth Security White Paper v1.0 ( www.bluetooth.com/upload/24Security_Paper.PDF ) </li></ul><ul><li>Cracking the Bluetooth PIN: (http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/) </li></ul>
