Well not really physically “sniff” your neighbors (that would be disgusting especially if you saw my neighbors)…but they do want you to fire up a network sniffer like TCPDUMP and collect the traffic off of wireless networks to root out “terrorists” in your neighborhood. I thought this was a joke when I first saw a link posted on McGrewSecurity…then I saw someone posted a link to this pdf on the penetration testing mailing list on insecure.org. In doing some research it looks like this may be an organization that is “affiliated” with the Department of Homeland Security. Hoax perhaps? This is from the “Network Neighborhood Watch” web site:

“Participants in HNAP would collect sample network traffic from their own home networks as well as samples from networks within the vicinity. The Neighborhood Network Watch will be making a set of freely available instructions on how to capture network traffic, using the open source packet sniffer TCPDUMP, and how to log onto nearby wireless networks that maybe being operated by neighbors.

This allows the participants to not only find out how their own home network is being used but also valuable information about those around their home that may have large amounts of terrorist related traffic flowing over them. This also provides the Neighborhood Network Watch with the ability to see if there is potential terrorist cell activity in or around the participants homes.”

Oh it gets better…there is a nice document (linked above as well) that tells you step-by-step how to sniff wireless traffic and send it to them for analysis:

“With the widespread adoption and usage of wireless networks, it has created a climate that is ripe for exploitation by terrorists. Since these networks often times are unsecured or offered as a free service to the public it allows any individual to use them, including terrorists. Even the networks that reside in our homes can be used by terrorists who maybe our own neighbors or fellow building residents.

Therefore it is imperative that these networks do not go unmonitored. That is why the Neighborhood Network Watch was established and why now the Home Network Awareness Program has been created to allows individuals like yourself to make sure that terrorists may not be using your own home network to plan the next attack on our nation or your very own community. This document has been created so individuals like yourself and your community can become more involved with and to help the Neighborhood Network Watch carry out its mission, by learning how to packet sniff your own home network. That mission being to keep our communityʼs networks safe from terrorists and those who may attempt to harm our community and our nation.”

The FAQ on their web site says it all I guess:

“Q: Isn’t this invading my privacy?

A: In many ways yes, but in a post 9-11 world the government and most communities across the United States, believe that these sorts of measures are necessary to prevent our nation from being attacked by ruthless terrorists. In fact privacy is a relative term with a definition that is constantly being redefined. Especially so in the highly technologically mediated world we live in today. “

Does anyone else think this is the worst possible idea ever?

Foundstone always puts together great research and releases great tools.

The other day Foundstone released a whitepaper describing all of the new and old 802.11 (Wireless) attacks. The paper gives some really good information about AP Impersonation, Rogue Access Points, Implementation Attacks (WEP, Dynamic WEP, WPA/WPA-2 cracking, including the Cafe Latte attack). The paper even goes into wireless client adapters and wireless DoS attacks.

If you conduct wireless penetration tests or want to know more about wireless security, I highly recommend you read this paper. You can download the 802.11 Attacks whitepaper directly from Foundstone.

I was listening to the latest Security Now podcast and Steve Gibson mentioned an interesting social engineering attack where some penetration testers were able to pose as employees just by listening to conference call and other telephone conversations across the street from the company facility. They used a police scanner dialed into the 800-900 Mhz range to pickup the signals of unsecured wireless headsets (very popular with many companies). There was also a very good article on this posted on Dark Reading that is a must read about this attack.

The following is the continuation for “The Wardriving Experiment – Part 1“. To recap…I decided to setup a little wardriving experiment to really get an idea on how many people are still using WEP to secure their wireless access points. I also wanted to find out if people still setup a wireless network without encryption. Results in the following article are from a medium populated suburban neighborhood near a large city.

I drove in a approximate 6 mile area and was able to pick up 194 access points. Results were sampled a few months ago (unfortunately, I am just getting around to analyzing this data…busy life gets in the way!)

Equipment Used

PowerBook G4 running KisMac 0.21a
D-Link DWL-122 USB Wireless Adapter (version A1)
USGlobalSat BU-353 USB GPS (this is a cheap GPS you can find on eBay as well)

GPS and Wireless Adapter Setup

I took the GPS and placed it out the window of my car so I could get a good signal and I used a USB extender cable with the wireless adapter and secured it to my dashboard. Before I left my driveway, I made sure KisMac had my GPS coordinates and everything was working properly.

I must say, once I got the serial to USB drivers working, the GPS unit works extremely well! Not bad for a $50 GPS unit.

Laptop Setup

A good hint prior to wardriving is to disable the “sleep” function on you laptop. This is so you can close the lid on you laptop while you drive. Depending on the laws in your state, I have heard that driving with your laptop open is illegal! So, probably not a bad idea to do this. On OS X you do this by following the “Insomnia” instructions. This is a simple kernel extension to temporarily disable sleep mode on your Mac.

The Results

These results shouldn’t shock anyone but it does show that most people still do not secure their wireless networks. Keep in mind, I took out any ad-hoc networks so so these are all standard “access points”.

87 (45%) “Open” Unsecured Wireless Networks
71 (37%) Using WEP
36 (19%) Using WPA

Interesting to see that there was almost the same amount of WEP encrypted networks as there were “open” networks. Out of all 194 of these networks you also have to wonder how many of these WEP and WPA networks use easy to guess passwords, I would be willing to bet quite a few…perhaps 75% or more. Another reason to use a long passphrase when setting up your access point.

Next up in part 3, I will discuss wardriving in more detail to include some history, good websites for reference and some ethical things to consider if you decide to try wardriving, warbiking, or warwalking on your own.

“With the holiday season around me and the rampant orgy of consumer spending that was occurring nearby at one of the worlds largest shopping malls, I took it upon myself to conduct my own study of retail, and consumer wireless security during the busiest shopping time of the year. My target was West Edmonton Mall, one of the largest retail malls in the world.

Beyond the tenants of responsible disclosure, this report hopes to be a frank and frightening look at how poor retail security is during the 2007 holiday season”

I would say that the wireless security of the retailers in you local mall would probably have the same results..scary..especially after the media frenzy that took place after TJX. Check out his article…good stuff. I still have to post my results of my Wardriving experiment from a large suburban neighborhood…which also show some interesting results as well. Look for that soon!

The second was posted on GNUCITIZEN. Adrian mentions the following:

“Let’s think about it: who gives a darn about compromising your computer when you can change the DNS settings on most consumer routers without a password via UPnP? We’ve said it before here at GNUCITIZEN: people are stuck on the old-school mentality of rooting the user’s box. Things have changed. Your data is now online, your router is a computer much more insecure than your XP desktop that runs an AV + firewall and updates itself automatically on a regular basis…”

After reading the UPnP research on GNUCITIZEN and doing some on my own…this may be a new attack vector that perhaps Bruce may not be aware of yet? It’s some scary stuff…then again, Bruce probably has UPnP disabled on his router right? Or, perhaps Bruce’s commentary makes this quote from this site even more true:

“I don’t bother with WEP or WPA, I just got Bruce to autograph my wireless access point.”

<%image(20080111-bruce-schneier-3.jpg|300|300|The man!)%>

“Historically, the vast majority of trojans, worms, and viruses have targeted the (Windows) PC. Attack and propagation methods may have grown more sophisticated, but the PC has remained the focus of most malware. According to a paper written by a team of researchers at Indiana University, however, this could change in the future. According to the team’s research, an attack that specifically targets wireless routers and spreads between them at any point where coverage overlaps could quickly and easily propagate throughout an entire city.”

Interesting if you think of the possibilities…a worm that uses default router login’s, unsecured wireless, and weak encryption keys…fun.

I decided to setup a little wardriving experiment to really get an idea on how many people are still using WEP to secure their wireless access points. I also wanted to find out if people really still setup a wireless network without encryption. You would think that most people would at least use WEP right? Not exactly! The following is Part 1 of my little experiment in which I talk about vendor responsibility and wireless security education…

It still seems that security is never the first thing a vendor thinks about when instructing a new user who just purchased an access point. To confirm this I purchased a cheap “2.4Ghz 802.11g” wireless access point at the local Best Buy and read through the instructions. To my dismay I found all the information about securing your new access point was toward the middle to the end of the instructions. I had my options of 64-bit WEP, 128-bit WEP, and WPA-PSK. When reading about WEP, they said nothing about WEP being easy to crack and nothing about how to choose a long passphrase for either type of encryption (to see why you should choose a long randomly generated passphrase, see this article). Why not right? Would educating your customers possibly lower sales somehow?

I thought for a minute of someone like my Mom reading these instructions…what would she choose? Lucky for her she could call me! Most people won’t be that lucky and will unfortunately make a bad decision of selecting poor encryption, weak password and/or passphrase or a combination of both. Worse yet..selecting encryption is probably too techincal so most average people are going to select no encryption. Who needs silly encryption, right?

So if the vendor doesn’t educate users about basic wireless security who will? The high school girl at the check out? The (god forbid) “Geek Squad”?

In Part 2 of my wardriving experiment I will talk about what wardriving is, how it is evolving, and the wardriving setup I used to conduct my experiment. I will also talk about the results of a wardrive I did in a pretty populated suburban neighborhood.

1. Setup your laptop as a fake access point.
2. Find out the SSID’s that the victim laptops are trying to communicate to.
3. Crack the WEP keystream with gathered traffic.
4. Trick victim laptops into sending lots of messages to your fake AP(like 70,000-80,000) using ARP.
5. Crack WEP keys and enjoy….!

You can download the full Toorcon presentation here.

Cafe Latte attack steals data from Wi-Fi PCs – Yahoo! News

I am sure all of you have heard about the massive TJX data breach which was detected back in December of 2006. Well it looks like WEP was the root cause for the data breach:

“While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.”

Two years to convert from WEP to WPA may sound like a long time but I am not surprised as these types of upgrades in very large corporations can take even longer then two years. However, it still seems that the selection of systems that didn’t support WPA were the cause for the delay. Keep in mind, with WPA and WPA2 you need to select a long (63 characters if possible) passphrase (if using PSK) to ensure that your key can’t get cracked with a brute force attack.

I wrote an article about properly securing your wireless network last year which explains why it is important to choose a very long, unique WPA-PSK passphrase.

More on the TJX fiasco is here.

- Educate your employees on how small of a circle you travel in, noting that when you are on your cell phone others are listening to your conversation.

- Someone could easily be using a packet sniffer at the airport or hotspot to sniff all of the traffic from your machine. Sniffers are easy to download and use.

- You should always use a VPN when surfing or checking email. That way all the traffic from your machine is encrypted. Most (smart) corporations provide VPN access to their employees. You can also use subscription services like HotSpotVPN for about $10 a month or use a free solution like Hamachi (highly recommended) to connect back to your home network via VPN and surf from your home Internet connection.

- Never use a public computer to access the Internet! It is way to easy to install a keylogger on these computers and everything you type (passwords, CC#’s) could be logged and sent to a malicious person. If you must use a public computer, use a solution like RoboForm ($30 shareware) that defeats keyloggers and encrypts your passwords to a USB key.

- Use a cable lock to lock your laptop to a chair or table if you leave your laptop unattended. This is especially important at a conference or hotel room.

- Use a Notebook Privacy Filter. This cool device only allows you to read your laptop screen. You can’t view anything on the screen when looking at it from any angle but head on.

Web Surfing in Public Places Is a Way to Court Trouble – New York Times