Category Archives: Wireless Security

DHS wants you to sniff your neighbors

Filed under Wireless Security

*** UPDATE #2: The site mentioned below is an elaborate hoax/experiment created by a graduate student! Thanks to everyone for researching this! If anything…get a good laugh out of it. ***

Well not really physically “sniff” your neighbors (that would be disgusting especially if you saw my neighbors)…but they do want you to fire up a network sniffer like TCPDUMP and collect the traffic off of wireless networks to root out “terrorists” in your neighborhood. I thought this was a joke when I first saw a link posted on McGrewSecurity…then I saw someone posted a link to this pdf on the penetration testing mailing list on insecure.org. In doing some research it looks like this may be an organization that is “affiliated” with the Department of Homeland Security. Hoax perhaps? This is from the “Network Neighborhood Watch” web site:

“Participants in HNAP would collect sample network traffic from their own home networks as well as samples from networks within the vicinity. The Neighborhood Network Watch will be making a set of freely available instructions on how to capture network traffic, using the open source packet sniffer TCPDUMP, and how to log onto nearby wireless networks that maybe being operated by neighbors.

These samples of network traffic would then be sent to the Neighborhood Network Watch for analysis using the latest revision of the NNWKAA. The participants would then be sent back a rating for each network along with a rating for the area as a whole.

This allows the participants to not only find out how their own home network is being used but also valuable information about those around their home that may have large amounts of terrorist related traffic flowing over them. This also provides the Neighborhood Network Watch with the ability to see if there is potential terrorist cell activity in or around the participants homes.”

Oh it gets better…there is a nice document (linked above as well) that tells you step-by-step how to sniff wireless traffic and send it to them for analysis:

“With the widespread adoption and usage of wireless networks, it has created a climate that is ripe for exploitation by terrorists. Since these networks often times are unsecured or offered as a free service to the public it allows any individual to use them, including terrorists. Even the networks that reside in our homes can be used by terrorists who maybe our own neighbors or fellow building residents.

Therefore it is imperative that these networks do not go unmonitored. That is why the Neighborhood Network Watch was established and why now the Home Network Awareness Program has been created to allows individuals like yourself to make sure that terrorists may not be using your own home network to plan the next attack on our nation or your very own community. This document has been created so individuals like yourself and your community can become more involved with and to help the Neighborhood Network Watch carry out its mission, by learning how to packet sniff your own home network. That mission being to keep our community's networks safe from terrorists and those who may attempt to harm our community and our nation.”

The FAQ on their web site says it all I guess:

“Q: Isn't this invading my privacy?

A: In many ways yes, but in a post 9-11 world the government and most communities across the United States, believe that these sorts of measures are necessary to prevent our nation from being attacked by ruthless terrorists. In fact privacy is a relative term with a definition that is constantly being redefined. Especially so in the highly technologically mediated world we live in today.”

Does anyone else think this is the worst possible idea ever?


802.11 Attacks Whitepaper

Filed under Wireless Security

Foundstone always puts together great research and releases great tools.

The other day Foundstone released a whitepaper describing all of the new and old 802.11 (Wireless) attacks. The paper gives some really good information about AP Impersonation, Rogue Access Points, Implementation Attacks (WEP, Dynamic WEP, WPA/WPA-2 cracking, including the Cafe Latte attack). The paper even goes into wireless client adapters and wireless DoS attacks.

If you conduct wireless penetration tests or want to know more about wireless security, I highly recommend you read this paper. You can download the 802.11 Attacks whitepaper directly from Foundstone.


Wireless Headset Dangers

Filed under Wireless Security

I was listening to the latest Security Now podcast and Steve Gibson mentioned an interesting social engineering attack where some penetration testers were able to pose as employees just by listening to conference calls and other telephone conversations from across the street from the company facility. They used a police scanner dialed into the 800-900 MHz range to pick up the signals of unsecured wireless headsets (very popular with many companies). There was also a very good article on this attack posted on Dark Reading that is a must read.


The Wardriving Experiment – Part 2

Filed under Wireless Security

The following is the continuation of “The Wardriving Experiment – Part 1”. To recap…I decided to set up a little wardriving experiment to really get an idea of how many people are still using WEP to secure their wireless access points. I also wanted to find out if people still set up a wireless network without encryption. Results in the following article are from a medium populated suburban neighborhood near a large city.


Hacking West Edmonton Mall

Filed under Wireless Security

Found this post over at the Defcon forums…RenderMan did a wireless audit of West Edmonton Mall (located in Canada) which is one of the largest malls in the world. RenderMan details his assessment of the 200+ wireless networks and devices…including a separate review of Bluetooth devices found.

Steal Schneier’s Wifi

Filed under Wireless Security

I was in total dismay when I read the recent commentary by known security expert Bruce Schneier about how he leaves his home wireless network open..yes, meaning no encryption..wide open free wifi generously donated to the neighborhood by Bruce. While I understand some of the points he was trying to make I started to really think more about this idea after reading two articles on Bruce’s decision.

WiFi flu?

Filed under Wireless Security

Interesting post about a viral router attack…with so many unencrypted wireless access points (including ones with WEP) this is seeming more and more like a future possibility. From the article:

“Historically, the vast majority of trojans, worms, and viruses have targeted the (Windows) PC. Attack and propagation methods may have grown more sophisticated, but the PC has remained the focus of most malware. According to a paper written by a team of researchers at Indiana University, however, this could change in the future. According to the team’s research, an attack that specifically targets wireless routers and spreads between them at any point where coverage overlaps could quickly and easily propagate throughout an entire city.”

Interesting if you think of the possibilities…a worm that uses default router logins, unsecured wireless, and weak encryption keys…fun.


The Wardriving Experiment – Part 1

Filed under Wireless Security

I decided to set up a little wardriving experiment to really get an idea of how many people are still using WEP to secure their wireless access points. I also wanted to find out if people really still set up a wireless network without encryption. You would think that most people would at least use WEP, right? Not exactly! The following is Part 1 of my little experiment, in which I talk about vendor responsibility and wireless security education…

It still seems that security is never the first thing a vendor thinks about when instructing a new user who just purchased an access point. To confirm this I purchased a cheap “2.4Ghz 802.11g” wireless access point at the local Best Buy and read through the instructions. To my dismay I found all the information about securing your new access point was toward the middle to the end of the instructions. I had my options of 64-bit WEP, 128-bit WEP, and WPA-PSK. When reading about WEP, they said nothing about WEP being easy to crack and nothing about how to choose a long passphrase for either type of encryption (to see why you should choose a long randomly generated passphrase, see this article). Why not right? Would educating your customers possibly lower sales somehow?

I thought for a minute of someone like my Mom reading these instructions…what would she choose? Lucky for her she could call me! Most people won’t be that lucky and will unfortunately make a bad decision: selecting poor encryption, a weak password and/or passphrase, or a combination of both. Worse yet..selecting encryption is probably too technical, so most average people are going to select no encryption. Who needs silly encryption, right?

So if the vendor doesn’t educate users about basic wireless security who will? The high school girl at the check out? The (god forbid) “Geek Squad”?

In Part 2 of my wardriving experiment I will talk about what wardriving is, how it is evolving, and the wardriving setup I used to conduct my experiment. I will also talk about the results of a wardrive I did in a pretty populated suburban neighborhood.


Cafe Latte attack steals data from Wi-Fi PCs – Yahoo! News

Filed under Wireless Security

Demonstrated at the Toorcon hacking conference in San Diego over the weekend is a new way to attack laptops that use WEP encryption. Typically, the way to attack WEP was to sniff the wireless network traffic and crack the WEP key while in range of a legitimate access point. With this new technique you can now attack the client itself, no real AP needed. In basic terms how does this work?

1. Set up your laptop as a fake access point.
2. Find out the SSIDs that the victim laptops are trying to communicate to.
3. Crack the WEP keystream with gathered traffic.
4. Trick victim laptops into sending lots of messages to your fake AP (like 70,000-80,000) using ARP.
5. Crack WEP keys and enjoy….!

You can download the full Toorcon presentation here.

Cafe Latte attack steals data from Wi-Fi PCs – Yahoo! News


WEP blamed for TJX data breach

Filed under Wireless Security


I am sure all of you have heard about the massive TJX data breach which was detected back in December of 2006. Well it looks like WEP was the root cause for the data breach:

“While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.”

Two years to convert from WEP to WPA may sound like a long time, but I am not surprised, as these types of upgrades in very large corporations can take even longer than two years. However, it still seems that the selection of systems that didn’t support WPA was the cause of the delay. Keep in mind, with WPA and WPA2 you need to select a long (63 characters if possible) passphrase (if using PSK) to ensure that your key can’t get cracked with a brute force attack.

I wrote an article about properly securing your wireless network last year which explains why it is important to choose a very long, unique WPA-PSK passphrase.
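To make the passphrase advice in this post and in the wardriving post concrete, here is an added example (not code from the original posts): it generates a 63-character random passphrase, compares its search space with a short one, and derives the 256-bit key the way WPA/WPA2-PSK does, PBKDF2-HMAC-SHA1 salted with the SSID. Function names and the sample SSID are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Assumption of this example: draw from the 94 printable, non-space ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def is_valid_passphrase(passphrase: str) -> bool:
    """WPA/WPA2-PSK accepts 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)

def generate_passphrase(length: int = 63) -> str:
    """Build a passphrase from the OS CSPRNG rather than from words or dates."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space, in bits, of a uniformly random passphrase.

    A human-chosen passphrase of the same length has less than this.
    """
    return length * math.log2(alphabet_size)

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase outside the 8-63 printable ASCII range")
    # The SSID is the only salt: the same passphrase on the same SSID
    # always yields the same key, so the passphrase must carry the strength.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    ssid = "ExampleHomeAP"  # constructed sample SSID
    strong = generate_passphrase()
    print("8 lowercase letters :", round(entropy_bits(8, 26), 1), "bits at most")
    print("63 random characters:", round(entropy_bits(63), 1), "bits")
    print("passphrase:", strong)
    print("PSK       :", derive_psk(strong, ssid).hex())
```
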

More on the TJX fiasco is here.
