Wireless changes that paradigm. Radio waves cannot be stopped by walls and doors. As soon as you connect a wireless Access Point to the intranet, any traffic sent wirelessly is visible in the enterprise’s parking lot. This introduces several new vulnerabilities that did not exist in the wired world. The most common problem is rogue wireless access. An employee or contractor might bring in an unauthorized AP and connect it to the intranet without enabling security. This rogue AP can then provide unrestricted access to hackers in the vicinity sniffing for open or poorly secured wireless APs. Similarly, authorized wireless APs may have weak security, such as WEP, that can allow similar “behind the firewall” access to the sensitive enterprise internal network. Once on the “soft” internal network, hackers can mount several different attacks, because intranets were designed to block attacks at the edge. Wireless also aggravates the “insider threat”. Users can connect their laptops to external wireless networks and bypass internet filters and enterprise proxies while inside the enterprise perimeter. Sometimes, laptops can simultaneously be connected to the wired network and an unauthorized external wireless network. Many enterprises that have deployed wireless also have to deal with the support costs of managing and troubleshooting wireless connectivity and performance issues that are very different from wired access problems.
New School Method: direct attacks on wireless clients using a cellphone. Attack vector on any Wi-Fi enabled cell phone… Got a Wi-Fi iPad, iPod, Mac?
Captive portal doesn’t allow “access” until authenticated via the portal. It does allow access to the wireless network, and provides an IP… What can I do with access to the local network? Unless PSPF is enabled, a hacker can scan and target other users of the wireless network, exploit their laptop and steal credentials for other wireless networks (Metasploit, anyone?). Validate if portal ACL rules are properly prohibiting access. Virtually every captive portal we tested was only controlling HTTP/HTTPS access to the Internet and internal networks. We could ping, ssh, telnet, ftp, etc. without EVER authenticating to the portal!!!
More payment cards have been skimmed (financial details hijacked) as a result of PIN pads being replaced. Recent example: PIN pads replaced at a fast food chain to steal payment card details. The breach occurred at a fast food chain in a busy part of Edmonton, Canada. A "Bluetooth" device was used in the phony PIN pads to transmit all the card details, using a wireless connection. The fraud was discovered when a large number of Edmonton cards started showing up with unusual activity in Montreal.
Windows 7 (all versions, Starter through Ultimate) provides Virtual Wi-Fi with the operating system, essentially allowing any desktop user to set up a Virtual Wireless Access Point. This is not an ad-hoc network, but an actual virtual access point that behaves, lives, and breathes like an actual Access Point.
The Motorola AirDefense solution provides 3 fundamental value additions for wireless LANs: robust security & wireless regulatory compliance, cost-effective centralized troubleshooting and performance management, and wireless infrastructure management. <Read through the bullets>
Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation
THE THREAT OF WIRELESS AND EMERGING ATTACKS FEB 23, 2011 AIRDEFENSE SOLUTIONS, MOTOROLA SOLUTIONS
WIRELESS SECURITY CONCERNS: Network Edge Blurred, New Attack Vectors ‘Behind’ the Firewall
(1) Rogue AP Connected to Network (Network Breach); (2) Hotspot Phishing (Data Leakage); (3) Leaked Wired Traffic & Insertion (Data Leakage); (4) Non-Compliant AP (Network Breach/Data Leakage/Data Compromise); (5) Users Bypassing Network Security Controls (Data Leakage/Network Backdoor)
[Diagram labels: Internet, Server, Muni Wi-Fi or Neighbors, Hacker, Hotspot Evil Twin, Mobile User]
MOBILE WORKERS VULNERABILITIES Do I have wired & wireless on at the same time? Is my laptop probing for SSIDs not on the safe list? Are my employees using Municipal Wi-Fi? Am I connected to an insecure access point? Am I connected to a real hotspot connection? Am I connected to someone nearby in ad-hoc mode?
HOTSPOT PHISHING/ EVIL TWIN & MORE <ul><li>Attack Vector: Any Wi-Fi Enabled Device</li><li>Direct attacks on Wireless Clients using Cellphone</li></ul>
New Hotspot Phishing (Data Leakage): + Mobile Devices
[Image: PalmPre with Hacked Mobile Hotspot]
COMPARING PACKETS <ul><li>Comparing packets from Access Points versus Wireless Clients</li></ul>
[Diagram sequence: Laptop sends Probe Request; (2) Fake AP responds with Probe Response; (3) Naïve user Associates with Fake AP; AP provides IP address to User; (5) Scan laptop for vulnerabilities & compromise it; (6) Use station as a launch pad. Labels: PalmPre sending beacons & probe responses, User Station, Corporate Network, Intruder Laptop]
CAPTIVE PORTAL BYPASS – GUEST ACCESS <ul><li>What can I do with access to the local network?</li><li>Scan and target other users of the wireless network</li><li>Exploit laptops and steal credentials for other wireless networks</li><li>Validate if portal ACL rules are properly prohibiting access</li><li>Ping, ssh, telnet, ftp, etc. without EVER authenticating to the portal</li></ul>
[Diagram labels: WAN; Appsvr1.corp.com 10.5.1.15; IP: 192.168.1.45; DNS: 10.5.1.10. Callout: Credit card system exposed to the wireless network!]
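The slide's instruction to validate that portal ACL rules prohibit access can be run as an offline audit of the pre-authentication rule set. The following is an added example, not part of the original presentation: the rule format, both rule sets, the portal address 192.168.1.1 and the peer client 192.168.1.77 are constructed assumptions, while 10.5.1.15 and 10.5.1.10 are the addresses shown on the slide.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit", "deny" or "redirect" (to the portal login page)
    proto: str             # "tcp", "udp", "icmp" or "any"
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port, None = any

# Constructed pre-authentication rule sets; the first matching rule wins.
# Weak: only web traffic is intercepted, everything else falls through to permit.
WEAK = [
    Rule("redirect", "tcp", "0.0.0.0/0", 80),
    Rule("redirect", "tcp", "0.0.0.0/0", 443),
    Rule("permit", "any", "0.0.0.0/0", None),
]
# Hardened: DHCP, DNS to the listed resolver and the portal itself, then deny.
HARDENED = [
    Rule("permit", "udp", "255.255.255.255/32", 67),
    Rule("permit", "udp", "10.5.1.10/32", 53),
    Rule("permit", "tcp", "192.168.1.1/32", 443),   # assumed portal address
    Rule("redirect", "tcp", "0.0.0.0/0", 80),
    Rule("deny", "any", "0.0.0.0/0", None),
]

# Flows an unauthenticated guest should never complete: ping/ssh/telnet/ftp/http
# to the internal server, plus SMB to a constructed peer on the guest subnet.
PROBES = [("icmp", "10.5.1.15", None), ("tcp", "10.5.1.15", 22), ("tcp", "10.5.1.15", 23),
          ("tcp", "10.5.1.15", 21), ("tcp", "10.5.1.15", 80), ("tcp", "192.168.1.77", 445)]

def decide(rules, proto, dst, port):
    """Return the action of the first matching rule; no match means deny."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto)
                and addr in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def audit(rules):
    """List probe flows the rule set lets through before portal authentication."""
    return [(p, d, port) for p, d, port in PROBES if decide(rules, p, d, port) == "permit"]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules))
```

An empty audit result means every probe was denied or redirected to the portal; the same probe list can be replayed from an unauthenticated test client on the guest SSID to confirm the deployed rules behave as the model predicts.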
PINPAD SWAPPING: BLUETOOTH
Bluetooth Specs: <ul><li>All Bluetooth devices operate at the 2.4 GHz band</li><li>Bluetooth defines 79 channels for communication on the 2.4 GHz band, each channel being separated by 1 MHz</li><li>The frequency range is 2.402 GHz - 2.480 GHz</li><li>Allows for 1600 frequency hops per second</li></ul>
<table>
<tr><th>Class</th><th>Maximum Permitted Power (mW)</th><th>Maximum Permitted Power (dBm)</th><th>Range (approximate)</th></tr>
<tr><td>Class 1</td><td>100</td><td>20</td><td>~100 meters</td></tr>
<tr><td>Class 2</td><td>2.5</td><td>4</td><td>~10 meters</td></tr>
<tr><td>Class 3</td><td>1</td><td>0</td><td>~1 meter</td></tr>
</table>
WINDOWS 7 VIRTUAL WI-FI <ul><li>Set up at the DOS Prompt & share either a Wired or Wireless connection</li><li>The user can share their own desktop (like an ad-hoc network) & the user can share their network connection with others</li><li>Wireless network may use authentication and encryption, BUT the user can share that connection with others, allowing those users to connect to the corporate network with weaker authentication & encryption</li></ul>
WINDOWS 7 – COMPARING PACKETS <ul><li>Comparing packets from Access Points versus Wireless Clients</li></ul>
[Diagram sequence: (1) Laptop sends Probe Request; (2) Win7 responds with Probe Response; (3) Win7 provides IP address to User; (4) Intruder on Network. Labels: Intruder Laptop, User Station, Corporate Network]
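The probe request, probe response and association sequence in the two "comparing packets" diagrams is what a wireless monitoring sensor can alert on. The following is an added example, not part of the original presentation and not AirDefense's own logic: the inventory, MAC addresses, SSIDs, frame tuples and alert names are all constructed assumptions.

```python
# Constructed inventory: authorized AP BSSIDs, corporate client MACs, safe SSIDs.
AUTHORIZED_APS = {"00:11:22:aa:00:01": "CorpWLAN", "00:11:22:aa:00:02": "CorpWLAN"}
CORP_CLIENTS = {"00:11:22:cc:00:10", "00:11:22:cc:00:11"}
SAFE_SSIDS = {"CorpWLAN"}

# Constructed sensor observations: (frame type, transmitter, BSSID, SSID).
FRAMES = [
    ("beacon", "00:11:22:aa:00:01", "00:11:22:aa:00:01", "CorpWLAN"),
    ("beacon", "02:de:ad:00:00:01", "02:de:ad:00:00:01", "CorpWLAN"),
    ("beacon", "02:de:ad:00:00:02", "02:de:ad:00:00:02", "FreeHotspot"),
    ("probe_req", "00:11:22:cc:00:10", None, "FreeHotspot"),
    ("probe_resp", "02:de:ad:00:00:02", "02:de:ad:00:00:02", "FreeHotspot"),
    ("assoc_req", "00:11:22:cc:00:10", "02:de:ad:00:00:02", "FreeHotspot"),
    ("assoc_req", "00:11:22:cc:00:11", "00:11:22:aa:00:01", "CorpWLAN"),
]

def classify(frames):
    """Return de-duplicated, sorted alerts as (kind, device, detail) tuples."""
    alerts = set()
    for ftype, tx, bssid, ssid in frames:
        if ftype in ("beacon", "probe_resp") and bssid not in AUTHORIZED_APS:
            # A corporate SSID advertised by a BSSID outside the inventory is a
            # twin of the real network; any other SSID is an unknown AP nearby.
            kind = "evil_twin" if ssid in AUTHORIZED_APS.values() else "unknown_ap"
            alerts.add((kind, bssid, ssid))
        elif ftype == "probe_req" and tx in CORP_CLIENTS and ssid not in SAFE_SSIDS:
            # A corporate laptop is asking for a network that is not on the safe list.
            alerts.add(("unsafe_probe", tx, ssid))
        elif ftype == "assoc_req" and tx in CORP_CLIENTS and bssid not in AUTHORIZED_APS:
            # A corporate laptop is joining an AP the enterprise does not control.
            alerts.add(("client_on_unauthorized_ap", tx, bssid))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in classify(FRAMES):
        print(alert)
```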
INCIDENT RESPONSE & FORENSIC ANALYSIS
Sources for Analyzing Wireless Attacks <ul><li>Historical <ul><li>Device logs/syslog</li><li>Firewall logs (Wireless Switches, APs, Wired Firewall)</li><li>Wireless IDS alarms, events, logs</li><li>Wired IDS alarms, events, logs</li><li>Remnants on wireless clients (registry, saved wireless networks, etc.)</li></ul></li><li>Live <ul><li>Wired Sniffing</li><li>Wireless Sniffing</li><li>Spectrum Analysis</li><li>Bluetooth</li><li>RF Analysis, Heat Maps/Location Tracking</li><li>Live analysis on IPS, WIPS, Firewalls, etc.</li><li>Roaming behavior (AP to AP, or client to client)</li><li>Others…</li></ul></li></ul>
MOTOROLA AIRDEFENSE SOLUTION
Security & Compliance: Ensure Security and Comply with Regulatory & Industry Requirements. Infrastructure Management: Centrally Control and Monitor WLAN Infrastructure with One Management Console. Network Assurance: Allows Remote Troubleshooting and Proactive Analysis of Wireless Issues. Managed Services. Advanced Services. Solutions for Any WLAN.