Wi-phishing New Frontier Jorge Sebastião, CISSP, ISP
Wireless phishing, the new frontier, is a short presentation about the risks associated with the new wireless devices we use such as laptops, mobiles


1. Wi-phishing New Frontier (Jorge Sebastião, CISSP, ISP)
2. Wireless Today?
3. Are these your packets?
4. Why Does This Happen? (diagram labels: Firewall, IDS, Anti-Virus, Attack)
6. Wireless Broadband Hacker Fined
- In a first-of-its-kind case for the UK, the Isleworth court in London has found Gregory Straszkiewicz (24) guilty of hijacking a wireless broadband (Wi-Fi) connection. He has now been fined £500 and given a 12-month conditional discharge. Police sources said Straszkiewicz was caught standing outside a building in a residential area holding a wireless-enabled laptop. The Crown Prosecution Service confirmed that Straszkiewicz was "piggybacking" the wireless network that householders were using. He was reported to have attempted this several times before police arrested him.
7. Low Budget Attacks
8. War-driving
- Software is free and available on the Internet
- Hardware is inexpensive
- Easy to map insecure sites
- Maps get posted on the Internet
9. War-chalking: almost free
10. New Devices, New Risks
- Laptops
- Mobiles
- Bluetooth
- PDAs
- Smart cards
11. The real problem: Technology, Process, People
12. Is there a teenager within 55 miles of your building?
13. Wi-Fi Hijacking
- 60-70% of wireless networks are wide open
- Why are the Wi-Fi networks unprotected?
14. Evil Twin (diagram): a legitimate AP with SSID "CYINFOSEC"; an EVIL TWIN AP advertising the same SSID "CYINFOSEC"; a mobile wireless user whose wireless card is on and configured for SSID "ANY", so it joins whichever AP answers first.
15. Inverse Wardriving: instead of driving around looking for access points, the attacker's rogue AP waits for clients that probe for "CYINFOSEC" and answers them.
16. Threats - Wireless Devices (diagram labels): Corporate Network; Confidential Data; Intruder; ATTACK; Rogue Access Point (Soft AP, Hardware AP); Wireless Laptop; Ad-Hoc; Hotspot; Evil Twin; Neighboring WLAN; Accidental Association; Malicious Association; BEACONS; PROBES; Barcode Scanner; Parking Lot
17. Wireless Threats to Mobile Workers: Real?
- Mobile workforce: the laptop is the new edge of the corporate network
- User laptop
  - airport lounge as an extended backbone
  - accidental association
  - hard to detect
- New tool for identity theft
- You ARE vulnerable to this
- Users WILL give up credentials and WEP keys
- If you've got SSO, doh!
- Finding a rogue AP or client is a challenge
- More a social engineering problem than a technical vulnerability: what's the "patch"?
18. Detection
- ANY wireless activity (if policy is no Wi-Fi)
- Duplicate SSIDs
- Different / mismatching MACs
- Interference / SNR spikes
- Association requests
- More...
19. Client Defense Strategies
- Local AP awareness
- User education
- OS-level awareness
- Multi-layer security
- One-time authentication mechanisms
- Application authentication
- No Wi-Fi? No Wi-Fi connected to the intranet?
- A defence kit for wireless users? Sort of a ZoneAlarm for Wi-Fi
- *gasp* OS-level awareness of the problem?
20. Several Options

Strategy        | Encryption                    | Authentication                   | Risk
WEP40 / 104     | WEP, 40-bit or 104-bit keys   | None                             | High
"Pure" 802.1X   | WEP/104 with per-session keys | Strong 802.1X authentication     | Medium
WPA Personal    | TKIP with per-session keys    | "Pre-shared Key"                 | High
WPA Enterprise  | TKIP with per-session keys    | Strong 802.1X authentication     | Low
802.11i         | AES with per-session keys     | Strong 802.1X authentication (*) | Low; Very Low (with VPN)
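The checks on the Detection slide (duplicate SSIDs, mismatching MACs, any activity under a no-Wi-Fi policy) and the risk column of the strategy table both reduce to a few rules over a site survey. The block below is an added example, not code from the slides: it walks a constructed scan (the SSID CYINFOSEC from the evil-twin slide, the BSSIDs, signal levels and the inventory of authorised APs are all assumptions), flags an unknown BSSID advertising the corporate SSID, and rates every network against the table. WPA Personal keeps the table's High rating because a weak pre-shared passphrase can be recovered offline from a captured handshake, which 802.1X per-user credentials avoid.

```python
"""Added example (not from the slides): evil-twin / rogue-AP checks over a
constructed Wi-Fi site survey, plus the risk rating from the strategy table."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str        # MAC address of the AP
    channel: int
    rssi: int         # dBm; higher (less negative) means louder
    encryption: str   # "none", "wep", "tkip" (WPA) or "ccmp" (802.11i/AES)
    auth: str         # "open", "psk" or "802.1x"


# Assumption: the inventory of authorised APs, SSID -> set of BSSIDs.
AUTHORISED = {"CYINFOSEC": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed survey results (SSIDs, BSSIDs and signal levels are made up).
SCAN = [
    Network("CYINFOSEC", "00:11:22:33:44:01", 6, -55, "ccmp", "802.1x"),
    Network("CYINFOSEC", "00:11:22:33:44:02", 11, -70, "ccmp", "802.1x"),
    Network("CYINFOSEC", "de:ad:be:ef:00:01", 6, -40, "none", "open"),   # evil twin
    Network("Guest-Printer", "aa:bb:cc:dd:ee:ff", 1, -65, "wep", "open"),
    Network("linksys", "00:0c:41:12:34:56", 6, -80, "tkip", "psk"),
]


def rate_risk(net: Network) -> str:
    """Risk column of the 'Several Options' table for one network.
    The table has no row for an open network; it is rated worse than WEP."""
    if net.encryption == "none":
        return "critical"
    if net.encryption == "wep":
        return "medium" if net.auth == "802.1x" else "high"   # "pure" 802.1X vs static WEP
    if net.encryption == "tkip":
        return "low" if net.auth == "802.1x" else "high"      # WPA Enterprise vs WPA Personal
    if net.encryption == "ccmp":
        return "low"                                          # 802.11i
    return "unknown"


def survey(scan):
    """BSSID -> risk rating for every network seen."""
    return {net.bssid: rate_risk(net) for net in scan}


def find_rogues(scan, authorised, wifi_allowed=True):
    """Checks from the Detection slide, returned as (bssid, reason) pairs:
    any activity under a no-Wi-Fi policy; a corporate SSID from an unknown
    BSSID (duplicate SSID, mismatching MAC); an authorised AP running
    weaker security than the table's 'Low' rows."""
    findings = []
    if not wifi_allowed and scan:
        findings.append(("*", f"{len(scan)} networks seen but policy is no Wi-Fi"))
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)
    for ssid, known in authorised.items():
        nets = by_ssid.get(ssid, [])
        known_rssi = [n.rssi for n in nets if n.bssid in known]
        for net in nets:
            if net.bssid not in known:
                reason = f"SSID {ssid!r} from unexpected BSSID {net.bssid} on channel {net.channel}"
                if known_rssi and net.rssi > max(known_rssi):
                    reason += " (stronger than any authorised AP)"
                findings.append((net.bssid, reason))
            elif rate_risk(net) != "low":
                findings.append((net.bssid, f"authorised AP with {net.encryption}/{net.auth}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_rogues(SCAN, AUTHORISED):
        print(bssid, reason)
    for bssid, risk in survey(SCAN).items():
        print(bssid, risk)
```

Run it as a script to print the findings for the constructed scan; in practice the `SCAN` list would be filled from a survey tool's export and `AUTHORISED` from the AP inventory.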
21. AP Location / Strength Considerations
22. Countermeasures Trade-offs: all countermeasures are a trade-off between Secure, Fast/Easy and Cheap
23. Accurate Detection/Response (diagram): multiple detection technologies are required for accurate and comprehensive detection
- Detection technologies: Signature Analysis, Protocol Abuse, Anomalous Behavior, Device Alarms, Policy Manager, Personal (for Mobile) Protection
- Correlation: Correlation Across Sensors, Stateful Analysis, Statistical Base-lining and Aggregation
- Output: ACCURATE ALARMS, Threat Index
24. Forensic & Incident Response
WLANs are transient and security incidents happen often; it is important to collect critical device communication and traffic information to analyze what went wrong.
Detailed Logs:
- Device Connectivity Logs
- Device Activity Logs
- Channel Activity Logs
- Signal Strength
- Data transferred by Direction
Investigation (W5):
- Were We Attacked?
- What Entry Point was Used?
- When Did the Breach Occur?
- How Long Were We Exposed?
- What Transfers Occurred?
- Which Systems Were Compromised?
(chart: Bytes per Minute, Min-by-Min View, showing a large file downloaded)
"Forensic analysis is critical to assess damage from a security breach and take proactive steps for future." - Meta Group
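The W5 questions are answered by aggregating exactly the logs the slide lists. The block below is an added example, not code from the slides: it parses constructed connectivity/activity log lines (the key=value format, the BSSIDs, the client MACs and the 1 MB "large download" threshold are assumptions), builds the minute-by-minute bytes-by-direction view from the chart, and reports entry point, time of breach, exposure window, transfers and affected clients for any traffic seen through an unauthorised AP.

```python
"""Added example (not from the slides): rebuild the 'W5' incident picture
from per-device connectivity/activity logs of a WLAN sensor."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an assumed key=value format; a real sensor
# exports its own schema, but every field here maps to one the slide lists.
LOG = """\
2005-03-14T09:01:12 bssid=00:11:22:33:44:01 client=00:16:6f:aa:bb:cc dir=down bytes=4096 rssi=-58
2005-03-14T09:01:40 bssid=de:ad:be:ef:00:01 client=00:16:6f:aa:bb:cc dir=up bytes=512 rssi=-41
2005-03-14T09:02:05 bssid=de:ad:be:ef:00:01 client=00:16:6f:aa:bb:cc dir=down bytes=2048 rssi=-40
2005-03-14T09:03:01 bssid=de:ad:be:ef:00:01 client=00:16:6f:aa:bb:cc dir=down bytes=950000 rssi=-40
2005-03-14T09:03:30 bssid=de:ad:be:ef:00:01 client=00:16:6f:aa:bb:cc dir=down bytes=1100000 rssi=-39
2005-03-14T09:04:10 bssid=de:ad:be:ef:00:01 client=00:16:6f:dd:ee:ff dir=up bytes=256 rssi=-45
2005-03-14T09:06:55 bssid=de:ad:be:ef:00:01 client=00:16:6f:aa:bb:cc dir=up bytes=300 rssi=-42
2005-03-14T09:07:10 bssid=00:11:22:33:44:01 client=00:16:6f:aa:bb:cc dir=down bytes=8192 rssi=-57
"""

# Assumption: the authorised AP inventory. Anything else is an entry point.
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def parse(log_text):
    """One dict per line; timestamps become datetimes, counters become ints."""
    records = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key in ("bytes", "rssi") else value
        records.append(rec)
    return records


def bytes_per_minute(records):
    """Minute-by-minute view of traffic, split by direction (the chart)."""
    table = defaultdict(lambda: {"up": 0, "down": 0})
    for rec in records:
        minute = rec["ts"].replace(second=0, microsecond=0)
        table[minute][rec["dir"]] += rec["bytes"]
    return dict(table)


def investigate(records, authorised, large_download=1_000_000):
    """Answer the W5 questions for traffic that went through a rogue AP.
    Records are assumed to be in time order, as a sensor writes them."""
    rogue = [r for r in records if r["bssid"] not in authorised]
    if not rogue:
        return {"attacked": False}
    first, last = rogue[0]["ts"], rogue[-1]["ts"]
    per_min = bytes_per_minute(rogue)
    peak = max(per_min, key=lambda m: per_min[m]["down"])
    return {
        "attacked": True,
        "entry_point": sorted({r["bssid"] for r in rogue}),
        "when": first,
        "exposure_minutes": int((last - first).total_seconds() // 60),
        "bytes_down": sum(r["bytes"] for r in rogue if r["dir"] == "down"),
        "bytes_up": sum(r["bytes"] for r in rogue if r["dir"] == "up"),
        "large_download_minute": peak if per_min[peak]["down"] >= large_download else None,
        "compromised_clients": sorted({r["client"] for r in rogue}),
    }


if __name__ == "__main__":
    for key, value in investigate(parse(LOG), AUTHORISED_BSSIDS).items():
        print(f"{key}: {value}")
```

The exposure window is measured from the first to the last frame seen via the rogue BSSID, so the sensor's own clock and the completeness of its channel coverage bound how good the answer can be; a channel the sensor never dwelt on leaves a gap the logs cannot fill.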
25. Anti-Phishing Laws
- Identity Theft Penalty Enhancement Act
  - Aggravated Identity Theft: defined as using a stolen identity to commit other crimes
  - Mandatory sentence of 2 years
- Anti-Phishing Act of 2005
  - Prohibits the use of a website or e-mail to coerce others into divulging their personal information
  - Penalties: 5 years, $250,000 fine
- Effectiveness: Professionals vs. Amateurs
26. 2G GSM: Network Architecture (diagram)
- Elements: MS (mobile station), BTS (base transceiver station), BSC (base station controller), MSC (mobile switching centre), OMC (operations and maintenance centre), HLR (home location register), VLR (visitor location register), AUC (authentication centre), EIR (equipment identity register); connection to the PSTN/ISDN
- Interfaces: Um (MS to BTS, the radio interface), A-bis (BTS to BSC), A (BSC to MSC)
- Circuit-switched technology; voice traffic; mobility management
27. GSM: Network Attacks
- Eavesdropping
  - Intruder eavesdrops on signalling and data
  - The required equipment is a modified MS
- Impersonation of a user
  - Intruder sends signalling and/or user data to the network
  - The required equipment is again a modified MS
- Impersonation of the network
  - Intruder sends signalling and/or user data to the target user
  - The required equipment is a modified BTS
- Man-in-the-middle
  - Intruder puts itself between the target user and a genuine network
  - The required equipment is a modified BTS in conjunction with a modified MS
- Compromising authentication vectors in the network
  - Intruder possesses a compromised authentication vector (a RAND, SRES, Kc triplet)
28. Fake BTS
- IMSI catcher, as used by law enforcement
- Intercepts mobile-originated calls
- Can be used for over-the-air cloning
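Why do "impersonation of the network" and a fake BTS need no secret at all? In GSM the network authenticates the phone with a RAND/SRES challenge, but the phone never authenticates the network, and the BTS alone chooses the ciphering algorithm (A5/0 means no encryption). The block below is an added example, not code from the slides: a toy model of the attach exchange in which the A3/A8 stand-in (HMAC-SHA256), the Ki, the IMSI and all class names are assumptions. It runs the genuine exchange, then a fake BTS that catches the IMSI and switches encryption off, then an impostor who passes authentication with a stolen triplet without ever knowing Ki (the last bullet of the attacks slide).

```python
"""Added example (not from the slides): a toy model of GSM attach showing why
a fake BTS and a stolen authentication vector both work. The A3/A8 stand-in
and all identities are assumptions; the message flow is GSM's."""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Toy A3/A8: SRES (4 bytes) and Kc (8 bytes) from Ki and RAND.
    Operators use COMP128 variants or MILENAGE here; the shape is the same."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]


def make_triplets(ki: bytes, n: int):
    """AuC side: precompute (RAND, SRES, Kc) authentication vectors."""
    triplets = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = a3_a8(ki, rand)
        triplets.append((rand, sres, kc))
    return triplets


class MobileStation:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.kc = None
        self.cipher = None

    def identity_response(self):
        return self.imsi                 # IMSI goes out in clear when asked

    def authentication_response(self, rand):
        sres, self.kc = a3_a8(self.ki, rand)
        return sres

    def cipher_mode_complete(self, algorithm):
        self.cipher = algorithm          # MS accepts whatever is commanded, A5/0 included
        return True


class GenuineNetwork:
    """VLR/MSC holding triplets fetched from the AuC, one per attach."""
    def __init__(self, triplets_by_imsi):
        self.triplets = triplets_by_imsi

    def attach(self, ms):
        imsi = ms.identity_response()
        rand, sres, kc = self.triplets[imsi].pop(0)
        if ms.authentication_response(rand) != sres:
            return {"accepted": False, "imsi": imsi}
        ms.cipher_mode_complete("A5/1")
        return {"accepted": True, "imsi": imsi, "cipher": "A5/1", "kc": kc}


class FakeBTS:
    """IMSI catcher: has no Ki, cannot run A3/A8, and does not need to,
    because the MS never challenges the network (one-way authentication)."""
    def __init__(self):
        self.caught = []

    def attach(self, ms):
        imsi = ms.identity_response()
        self.caught.append(imsi)
        ms.cipher_mode_complete("A5/0")  # no encryption: calls and SMS readable in clear
        return {"imsi": imsi, "cipher": "A5/0"}


class ImpersonatingMS:
    """Attacker holding stolen triplets for a victim IMSI: answers the
    genuine network's challenge without ever knowing Ki."""
    def __init__(self, imsi, stolen_triplets):
        self.imsi = imsi
        self.answers = {rand: sres for rand, sres, _ in stolen_triplets}
        self.cipher = None

    def identity_response(self):
        return self.imsi

    def authentication_response(self, rand):
        return self.answers.get(rand, b"\x00\x00\x00\x00")

    def cipher_mode_complete(self, algorithm):
        self.cipher = algorithm
        return True


def demo():
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # assumed subscriber key
    victim = MobileStation("234150999999999", ki)            # assumed IMSI
    vectors = make_triplets(ki, 3)
    network = GenuineNetwork({victim.imsi: list(vectors)})
    genuine = network.attach(victim)                         # normal attach, A5/1
    fake = FakeBTS().attach(victim)                          # IMSI caught, cipher off
    impostor = ImpersonatingMS(victim.imsi, vectors)         # stolen vector queue
    stolen = network.attach(impostor)                        # accepted as the victim
    return genuine, fake, stolen


if __name__ == "__main__":
    for step in demo():
        print(step)
```

3G/UMTS closed the first gap by adding the AUTN token so the handset can verify the network, which is why later IMSI catchers depend on pushing a handset down to 2G; the stolen-triplet case is independent of the radio and is a reason authentication vectors are treated as secrets inside the core network.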
29. Bluetooth?
- Piconet
- Application Profiles
- States
  - Standby: do nothing
  - Inquiry: search for other devices in the vicinity
  - Paging: connect to a specific device
  - Connection: participate in a piconet (master or slave); modes: active, hold, park, sniff
(diagram: state transitions standby / inquiry / page / connected; a piconet with one master (M), active slaves (S), parked slaves (P) and standby devices (SB); stack layers Applications, Profiles, Protocols)
30. Bluetooth Phishing
- Unique ID
- Location tracking
- Free phone calls
- Download/update of address book, calendar, ...
- Free GPRS/Internet
- ...
- Even class 3 devices (nominal range about 1 m) can be intercepted at a distance greater than 10 meters
- Max range: 1.1 miles (1.7 km)
31. BT Sample Attacks
- Vulnerabilities in Bluetooth-enabled mobile phones
  - Braces, a Bluetooth tracking utility: http://braces.shmoo.com/
  - SNARF attack
  - BACKDOOR attack
  - BLUEBUG attack
32. BT Risks
- NO alerting of the owner of the target device
- Access to restricted information stored on the phone: contacts, calendar, call log
- Free phone calls, SMS, GPRS
- Remote monitoring of voice and data
- Affected models should disable Bluetooth
33. Bluetooth Conclusions
- All these attacks can be performed in a matter of seconds
- Generally phones are more vulnerable when discoverable
  - Some models can be attacked when undiscoverable
  - Bluejacking is encouraging people to leave their devices discoverable
- Exploit code is not publicly available at this time
- Vendor responses to these vulnerabilities have not been promising
- List of vulnerable devices: http://www.thebunker.net/release-bluestumbler.htm
34. What's next?
- Pharming (more effective)
  - Pharming is the next step in this type of attack
  - Pharming uses DNS to redirect people from legitimate websites to the attacker's fake website
    - DNS is the Internet service that translates a name such as www.yourwebsite.com into its IP address, such as 128.101.138.134
- RFID
35. What's next: RFID hacking
37. Wireless Security Plan
- Staff skills, training
- Risk assessment
- Upgrade architecture
- Implement new controls
- Monitor / monitor / monitor
- Develop comprehensive incident response
