SIM301-R: Monty WiFion and the Quest for the Holy Grail of Network Security! (Repeated from 5/17 at 10:15am). Andy Malone, MVP, MCT, Senior Instructor and Consultant, Quality Training (UK) Ltd. Microsoft Certified Trainer MCT (16 years), Worldwide Security & Systems Trainer & Consultant.
Andy Malone (UK): Microsoft Certified Trainer MCT (16 years); Worldwide Security & Systems Trainer & Consultant; Microsoft Most Valuable Professional MVP (Enterprise Security); International Event Speaker; Winner, Microsoft Speaker Idol 2006.
Session Agenda
• Introductions
• Wireless intro & history
• Current & emerging wireless technologies
• Wireless Security: The Great Oxymoron
• Standards & techniques
• Threats and countermeasures
• Best practices

A Wi-Fi History Lesson
• Wi-Fi was invented in 1991 by NCR Corp & AT&T (later known as Lucent & Agere Systems) in Nieuwegein, the Netherlands.
• Initially for cashier systems. Originally “WaveLAN”, with speeds of 1 Mbps/2 Mbps.
• Invented by Vic Hayes, who has been named the 'father of Wi-Fi' and was involved in designing standards such as IEEE 802.11b, 802.11a and 802.11g.
• In 2003, Vic retired. Agere Systems suffered as customers opted for cheaper Wi-Fi solutions.
• Agere's 802.11abg all-in-one chipset (code named WARP) never hit the market.
• Agere Systems quit the Wi-Fi market in late 2004.
Courtesy of CRN
Organizations & Standards
• FCC – regulates the ISM bands
  • 900 MHz, 2.4 GHz, 5.8 GHz
• IEEE – develops wireless LAN standards
• ETSI – the IEEE for Europe
  • HiperLAN/2, similar to the IEEE 802.11 standards
• WECA (Wi-Fi Alliance) – regulates Wi-Fi labeling

Ok, but what are the benefits?
• Unlike packet radio, Wi-Fi uses unlicensed radio spectrum and does not require regulatory approval for individual deployers.
• Cuts cabling costs
• Wi-Fi products are widely available
• Competition amongst vendors has lowered prices considerably
• Network providers provide roaming agreements
  • Users can move from one access point to another as part of their contract
• Various degrees of encryption are available to protect traffic from interception.
• Wi-Fi is a global set of standards. Unlike cellular carriers, the same Wi-Fi client works in different countries around the world.
The Basics
• Each wireless network needs a channel number and an SSID (Service Set Identifier)
• The channel is a number between 1 and 11 (13 in the EU)
• The SSID is an alphanumeric string that differentiates wireless networks on the same channel
• SSIDs are transmitted in clear text
• Wi-Fi can be deployed in two modes
  • Ad-hoc (peer to peer) mode
  • Infrastructure mode
    • Shares bandwidth among users
    • Supports roaming

The Basics
• Each access point advertises itself by sending beacon frames
• To become part of the wireless network, a client must first authenticate itself
  • The access point is responsible for this unless RADIUS is used
  • The MAC address will be used as the identity

Wireless Networks: The Basics (diagram: Security Encryption Wrapper)

Antennas
• Sending and receiving radio waves
• Two types
  • Omni-directional
  • Directional
    • Cantenna
802.11 standards
• 802.11a – 54 Mbps @ 5 GHz
  • Not interoperable with 802.11b
  • Limited to short distances
  • Dual-mode APs require 2 chipsets; this can look like two APs to clients
• 802.11b – 11 Mbps @ 2.4 GHz
  • Full speed up to 300 feet
  • Coverage up to 1750 feet
• 802.11g – 54 Mbps @ 2.4 GHz
  • Same range as 802.11b
  • Backward-compatible with 802.11b
  • Speeds slower in dual-mode

802.11 standards (cont.)
• 802.11e – QoS
  • Dubbed “Wireless MultiMedia (WMM)” by the Wi-Fi Alliance
• 802.11i – Security
  • Adds AES encryption
  • Requires a powerful CPU; new chips required
  • TKIP is the interim solution
• 802.11n – 100 Mbps+
• Wi-Fi Protected Access (WPA)
  • Subset of 802.11i, forward-compatible with 802.11i (WPA2)
  • Encryption: version one uses TKIP
  • Auth: 802.1x & EAP – allows auth via RADIUS, also allows auth via PSK

Other “Non Wi-Fi Solutions”
• CDPD – 19.2 kbps analog
• GPRS – 171.2 kbps digital
• WAP – bandwidth-efficient content delivery
• Ricochet – 176 kbps wireless broadband flop
• Bluetooth – personal area networks, range limited only by transmit power
• Blackberry – uses cellular & PCS networks, no authentication at the console
• RFID
• NFC (Near Field Communications)

Bluetooth
• Cable replacement technology
• Short range communication (10 m)
• Operates at 2.45 GHz
• Used for mobile devices
• Used to transfer information
• Large number of hacking tools available
Radio-frequency identification (RFID)
• Radio waves exchange data between a reader and an electronic tag for the purpose of identification and tracking.
• Often seen as “Barcode NG”
  • Individual & unique, like a license plate, but for every item in the world
• Some tags can be read from several meters away and beyond the line of sight of the reader.
• Application of bulk reading enables an almost-parallel reading of tags.
• Uses interrogators (also known as readers) and tags (also known as labels), as well as RFID software or RFID middleware.
• Most tags contain at least 2 parts: one is an integrated circuit for storing and processing information, modulating and demodulating a radio-frequency (RF) signal, and other specialized functions; the other is an antenna for receiving and transmitting the signal.

RFID Hacking
• RFID tags can be cloned
• A growing number of hacking tools, including Backtrack 4
• Traditionally the hardware was expensive, but it is getting cheaper, e.g. a USB reader
• Can read ID badges, credit cards etc.
• Once hacked, cards with authorized ID numbers can be used to unlock doors
Source: Dreamtime

Near Field Communications (NFC)
• NFC is a set of short-range wireless technologies
• Typically requires a distance of 4 cm or less.
• Operates at 13.56 MHz and at rates ranging from 106 kbit/s to 848 kbit/s
• Always involves an initiator and a target
  • The initiator actively generates an RF field that can power a passive target
  • This enables NFC targets to take very simple form factors such as tags, stickers, key fobs, or cards that do not require batteries
• NFC peer-to-peer communication is also possible, where both devices are powered.

Near Field Communications (NFC)
• Emulation mode: the NFC device behaves like an existing contactless card
• Reader mode: the NFC device is active and reads a passive RFID tag, for example for interactive advertising
• P2P mode: two NFC devices communicating together and exchanging information
• Uses include:
  • Mobile ticketing, such as a mobile phone boarding pass
  • Mobile payment: the device acts as a debit/credit payment card.
  • Smart poster: the mobile phone is used to read RFID tags on outdoor billboards.
  • Pairing of Bluetooth 2.1 & NFC: the pairing procedure will be replaced by simply bringing the mobile phones close to each other.
Source: Dreamscape

NFC: The Facts… (infographic; source: NFC Forum)

NFC: Security Concerns
• Theoretically difficult due to distance factors… however!
• The RF signal for the wireless data transfer can be picked up with antennas
• Eavesdropping: NFC offers no protection against eavesdropping and can be vulnerable to data modification
  • Applications may use higher-layer cryptographic protocols (e.g., SSL) to establish a secure channel.
• Data modification: one way to perturb the signal is the use of an RFID jammer
• Relay attack
• Lost phone…
Source: Andy Malone

WiMAX (Worldwide Interoperability for Microwave Access)
• A telecommunications protocol that provides fixed and mobile Internet access.
• Seen as the next generation of wireless
• Improvement over the existing 802.11 standard.
• No new equipment required
• First WiMAX equipment launched in 2005
• Covers a wider area, which can be as much as 50 km
• Current WiMAX provides up to 40 Mbit/s, with the IEEE 802.16m update expected to offer up to 1 Gbit/s fixed speeds
• The name "WiMAX" was created by the WiMAX Forum, formed in 2001 to promote conformity and interoperability of the standard
• The Forum describes WiMAX as "a standards-based technology enabling the delivery of last mile wireless broadband access as an alternative to cable and DSL"
Source: Andy Malone
WiFi Security
• Peter Shipley's 2001 DefCon presentation on WarDriving alarmed the industry
• The US Dept of Homeland Security labelled WiFi a potential terrorist threat and demanded regulation
• Seen as shared media – like a network hub
  • Requires data privacy – encryption
  • Authentication necessary
• Can access the network without physical presence in the building
• Once you connect to wireless, you are an “insider” on the network
Source: Johan Loos

Wireless Network Security
• Link encryption
  • Encrypts traffic headers + data
  • Transparent to users
• End-to-end encryption
  • Encrypts application layer data only
  • Network devices need not be aware
Source: Dreamtime

Link Level Security vs. End to End Security!
(Diagram: where each mechanism sits in the stack between the two end hosts and the network in between)
• Application (HTTP) ↔ Application (HTTP)
• SSL/TLS – sits above Transport (TCP); end host to end host
• IPSec – Network (IP); end host to end host, across the intermediate network hops
• WEP/WPA/WPA2 – Link; covers the wireless link only
• IEEE 802.11x security solutions are deployed at the link level
  • Efficiency is very important: all traffic will be encrypted
Current Authentication Methods
• Open Systems Authentication (OSA)
• Shared Key Authentication
• EAP / 802.1x

Open system authentication
• Required by 802.11
• Just requires the SSID from the client
• The only identification required is the MAC address of the client
• WEP key not verified, but the device will drop packets it can't decrypt
Source: BT

Wireless LAN Security Goals
• Access control
  • No abuse of the wireless network
  • This requires key management
• Data integrity
  • Data packets are not modified during transit
• Confidentiality
  • Data packets are encrypted
Image source: http://krebsonsecurity.com/2010/06/wi-fi-street-smarts-iphone-edition/

Wireless LAN Security Standards
• 802.11 WEP
  • 64/128 bit
  • Integrity check
• 802.11 + 802.1x
  • Uses RADIUS
• 802.11 + WPA
  • 128 bit
  • For data encryption: TKIP
  • For data integrity: MIC
  • PSK or Enterprise
• 802.11 + WPA2
  • AES
Image source: http://blog.emixt.com/new-wi-fi-standard-promises-blazing-fast-data-speeds-2/
Shared key authentication
• Utilizes challenge/response
• Requires & matches the key
• Steps
  • Client requests association to the AP
  • AP issues a challenge to the client
  • Client responds with the challenge encrypted by the WEP key
  • AP decrypts the client's response & verifies it
• WEAK! An attacker sniffs the plain-text AND the cipher-text!
Source: Dreamtime

WEP – Wired Equivalent Privacy
• 3 different key lengths: 64, 128, and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively
• WEP provides a casual level of security but is more compatible with older devices;
• It is still used quite extensively despite its security flaws
• Each WEP key contains a 24 bit Initialization Vector (IV), and a user-defined or automatically generated key;
  • E.g. WEP 128 is a combination of the 24 bit IV and a user entered 26 digit hex key ((26*4)+24=128)
• WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.
Source: http://www.wpacracker.com/

More Problems with WEP
• Shared key – 40/104 bits
• Initialization vector (IV) = 24 bits
• Uses RC4 for encryption
• Weaknesses/attacks
  • FMS key recovery attack – weak IVs
    • Filter weak IVs to mitigate
  • IV too short; gets reused after 5 hours
  • IP redirection, MITM attacks
  • Traffic injection attacks
  • Bit-flip attacks
• WEP2 added, increases key length to 128 bits
Source: Dreamtime
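The two WEP weaknesses above, the 24-bit IV that wraps and the keystream an eavesdropper learns from shared-key authentication, can be checked numerically. The following is an added illustration, not code from the deck: it implements RC4 and WEP's per-packet key (IV prepended to the shared key), computes how long a busy AP takes to exhaust the IV space and the birthday-bound chance of an IV repeat, and shows that two frames sent under one IV share a keystream, so one known plaintext exposes the other. The 40-bit key, IV, frame payloads and the 1000 frames/s rate are constructed for the example.

```python
"""Why WEP's RC4 + 24-bit IV design fails (added example, not from the deck)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP's per-packet RC4 key is the 24-bit IV prepended to the shared key.
    The IV travels in clear in the frame header, so a repeat is visible to anyone."""
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def seconds_until_iv_wrap(frames_per_second: float) -> float:
    """An AP that increments the IV once per frame runs through all 2**24 values in this time."""
    return (1 << 24) / frames_per_second


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: P(at least one IV repeats) when IVs are drawn at random from 2**iv_bits."""
    space = 1 << iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def keystream_reuse_leaks_plaintext(shared_key: bytes, iv: bytes,
                                    known_plain: bytes, other_plain: bytes) -> bytes:
    """Two frames under the same IV are XORed with the same keystream.
    Shared-key authentication sends the challenge in clear and its encryption right after,
    which is exactly a (plaintext, ciphertext) pair: XOR gives the keystream, and the
    keystream decrypts any other frame sent under that IV. No key is needed."""
    n = min(len(known_plain), len(other_plain))
    c_known = wep_encrypt(shared_key, iv, known_plain[:n])
    c_other = wep_encrypt(shared_key, iv, other_plain[:n])
    keystream = xor_bytes(c_known, known_plain[:n])   # leaked by the known pair
    return xor_bytes(c_other, keystream)              # == other_plain[:n]


# Constructed sample values (not from any real network).
KEY = bytes.fromhex("0123456789")          # 40-bit WEP key
IV = bytes.fromhex("000001")               # one 24-bit IV, reused for two frames
KNOWN = b"challenge-text-from-auth"        # plaintext the AP itself sent in clear
OTHER = b"POST /login pin=4242 x"          # another station's frame under the same IV


def demo() -> bytes:
    """Returns the second frame's plaintext, recovered without the WEP key."""
    return keystream_reuse_leaks_plaintext(KEY, IV, KNOWN, OTHER)


if __name__ == "__main__":
    print(f"IV space wraps after {seconds_until_iv_wrap(1000) / 3600:.2f} h at 1000 frames/s")
    print(f"P(IV repeat) after 5000 random IVs: {iv_collision_probability(5000):.2f}")
    print("recovered without the key:", demo())
```

At 1000 frames per second a counter-based IV wraps in about 4.7 hours, which is the "5 hours" figure on the slide; with randomly chosen IVs the birthday bound makes a repeat more likely than not after only a few thousand frames. Either way the fix is not a longer shared key (WEP2's 128 bits changes nothing here) but a per-packet key that never repeats, which is what TKIP and CCMP introduce.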
TKIP to the rescue… er, almost!
• Seen as an interim solution developed to fix the key reuse problem of WEP.
• TKIP – Temporal Key Integrity Protocol
  • Protects the IV by removing predictability
  • Broadcast WEP key rotation is a good alternative if you can't support TKIP
• It later became part of 802.11i and subsequently part of the WPA standards.
• Same encryption as WEP (RC4)
• Variant: Cisco Key Integrity Protocol (CKIP).

WPA – WiFi Protected Access
• Originally designed for campus-wired networks
• 2 flavours: WPA and WPA2
• Created to resolve several issues found in WEP
• Both provide good security; however, they are not compatible with older devices
• WPA was designed to distribute different keys to each client; however, it is still widely used in a (not as secure) pre-shared key (PSK) mode, in which every client has the same passphrase.
• To fully utilize WPA, a user would need an 802.1x authentication server, which small businesses and typical home users cannot afford
• WPA utilizes a 48 bit Initialization Vector (IV), twice the size of WEP's, which combined with other WEP fixes allows substantially greater security than WEP.

WPA – WiFi Protected Access
• WPA-Personal: also referred to as WPA-PSK (pre-shared key) mode.
  • Designed for SOHO networks and doesn't require an authentication server.
  • Each wireless network device authenticates with the access point using the same 256-bit key.
• WPA-Enterprise: also referred to as WPA-802.1x mode, and WPA (as opposed to WPA-PSK).
  • Designed for enterprise networks, and requires a RADIUS authentication server.
  • Provides additional security (e.g. protection against dictionary attacks).
  • EAP is used for authentication, which comes in different flavors (for example EAP-TLS, EAP-TTLS, EAP-SIM).
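The "same 256-bit key" of WPA-Personal is the pairwise master key (PMK), and it is not the passphrase itself but PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output. The block below is an added example, not code from the deck: it derives the PMK with the standard library and checks the two properties the slides turn on, that every client on the network holds the identical PMK (so one lost laptop means re-keying everyone) and that the SSID acts as a salt. The "password"/"IEEE" pair is the published IEEE 802.11 Annex H test vector; the other passphrases and client names are constructed.

```python
"""WPA/WPA2-Personal PMK derivation (added example, not from the deck)."""
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA-PSK passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def clients_share_one_pmk(passphrase: str, ssid: str, clients: list[str]) -> bool:
    """In PSK mode nothing about the client enters the derivation, so every
    device that knows the passphrase ends up with the same PMK."""
    pmks = {client: derive_pmk(passphrase, ssid) for client in clients}
    return len(set(pmks.values())) == 1


def ssid_acts_as_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The same passphrase on two SSIDs yields two unrelated PMKs, so a
    precomputed table for one SSID says nothing about another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def rekey_changes_pmk(old_passphrase: str, new_passphrase: str, ssid: str) -> bool:
    """Rotating the passphrase after a device leaves invalidates the old PMK for everyone."""
    return derive_pmk(old_passphrase, ssid) != derive_pmk(new_passphrase, ssid)


# Constructed sample values; "password"/"IEEE" is the IEEE 802.11 Annex H test vector.
TEST_VECTOR = ("password", "IEEE")
OFFICE = ("correct horse battery staple", "QualityTraining-Guest")
CLIENTS = ["laptop-01", "phone-02", "printer-03"]

if __name__ == "__main__":
    print("Annex H PMK:", derive_pmk(*TEST_VECTOR).hex())
    print("all clients share one PMK:", clients_share_one_pmk(*OFFICE, CLIENTS))
    print("SSID salts the derivation:", ssid_acts_as_salt(OFFICE[0], OFFICE[1], "Other-SSID"))
```

The 4096 iterations are the only thing slowing an offline dictionary attack on a captured handshake, which is why the deck lists protection against dictionary attacks as an Enterprise (802.1x/EAP) benefit: with per-user credentials there is no network-wide secret to guess.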
WPA2: Wireless Security: The Right Way!
• 802.11i now the default setting on many wireless routers
• FIPS-140 compliant
• AES replaces RC4 w/TKIP
• Robust Security Network (RSN) for establishing secure communications
  • Uses 802.1x for authentication
  • Replaces TKIP
• Counter Mode with Cipher Block Chaining (CCMP) for encryption
  • CCM mode of AES
  • 128-bit keys, 48-bit IV
  • CBC-MAC provides data integrity/authentication
  • CCMP mandatory with RSN
  • WRAP was the initial selection; licensing rights/problems got in the way
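The "bit-flip attacks" listed under WEP and the "CBC-MAC provides data integrity" line here are two sides of one point: WEP's integrity check value is a CRC-32, which is affine under XOR, so a modification to the payload can be matched by a predictable patch to the ICV without knowing the key; a keyed MIC cannot be patched that way. The block below is an added example, not code from the deck. It uses HMAC-SHA256 (standard library) as a stand-in for CCMP's AES CBC-MAC, since the property demonstrated is "keyed" rather than the specific construction; the MIC key, payload and modification mask are constructed.

```python
"""Unkeyed CRC-32 ICV versus a keyed MIC (added example, not from the deck)."""
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_icv(payload: bytes) -> int:
    """WEP's integrity check value: a plain CRC-32 of the payload (no key involved)."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def verify_crc32_icv(payload: bytes, icv: int) -> bool:
    return crc32_icv(payload) == icv


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """For equal lengths, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). This linearity
    is what makes an unkeyed CRC useless as a message authentication code."""
    zeros = bytes(len(a))
    return crc32_icv(xor_bytes(a, b)) == crc32_icv(a) ^ crc32_icv(b) ^ crc32_icv(zeros)


def patched_frame_after_bitflip(payload: bytes, icv: int, mask: bytes):
    """Apply `mask` to the payload and compute the matching ICV using only public
    information. Because WEP XORs the RC4 keystream over payload||ICV, the same
    mask XORed into the ciphertext produces exactly this plaintext change."""
    zeros = bytes(len(payload))
    return xor_bytes(payload, mask), icv ^ crc32_icv(mask) ^ crc32_icv(zeros)


def keyed_mic(key: bytes, payload: bytes) -> bytes:
    """Keyed MIC (HMAC-SHA256 truncated to 8 bytes, the MIC length CCMP uses).
    Without the key there is no way to compute the tag for a modified payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


def verify_keyed_mic(key: bytes, payload: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(keyed_mic(key, payload), mic)


# Constructed sample values.
PAYLOAD = b"transfer 0010 GBP to acct 7"
MASK = bytes([0] * 9 + [0x09, 0x09] + [0] * 16)   # turns "0010" into "9910"
MIC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def crc_icv_accepts_tampered_frame() -> bool:
    """True: the receiver's CRC check passes on a payload nobody authorised."""
    tampered, patched_icv = patched_frame_after_bitflip(PAYLOAD, crc32_icv(PAYLOAD), MASK)
    return verify_crc32_icv(tampered, patched_icv)


def keyed_mic_rejects_tampered_frame() -> bool:
    """True: the same change is caught, because the MIC cannot be re-derived without the key."""
    original_mic = keyed_mic(MIC_KEY, PAYLOAD)
    tampered = xor_bytes(PAYLOAD, MASK)
    return not verify_keyed_mic(MIC_KEY, tampered, original_mic)


if __name__ == "__main__":
    print("tampered payload:", xor_bytes(PAYLOAD, MASK))
    print("CRC-32 ICV still verifies:", crc_icv_accepts_tampered_frame())
    print("keyed MIC rejects it:", keyed_mic_rejects_tampered_frame())
```

TKIP's "Michael" MIC closed this hole as a stopgap for RC4 hardware; CCMP does it properly with AES in CCM mode, where the CBC-MAC covers the header fields too, so a receiver that sees a MIC failure can treat the frame as forged rather than corrupted.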
Myth: What if I hide my SSID?
• Common misconception
• There is no such thing as “hiding” an SSID
• All this accomplishes is suppressing the access point's beacon
• Four other SSID broadcasts are not suppressed
  • Probe requests
  • Probe responses
  • Association requests
  • Re-association requests
• SSIDs must be transmitted in clear text or 802.11 cannot function

Myth: Use a fixed IP address
• Disabling DHCP and forcing the use of static IP addresses is another common myth
• IP schemes are easy to figure out, since the IP addresses are sent over the air in clear text as UDP broadcasts
• It takes less than a minute to figure out an IP scheme and statically enter an IP address

Myth: Use MAC authentication!
• Use of the word “authentication” is a joke!
• It's not MAC spoofing…
• MAC address filtering is all that's going on
• MAC addresses are transmitted in clear text
• Extremely easy to capture with tools like Wireshark
• Extremely easy to clone and defeat
• Extremely difficult to manage MAC filtering

MAC Spoofing Example
• Regedit – HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
• Look up your wireless adapter
• Create a REG_SZ string
  • Name: NetworkAddress
  • Value: MAC address
• Restart the PC

Myth: Antenna placement and signal suppression
• Antenna placement and signal suppression do nothing to encrypt data
• The hacker's antenna is bigger than yours
• Directional high-gain antennas can pick up a weak signal from several kilometers away
• Lowering the signal hurts legitimate users a lot more than it hurts the hackers
• Wi-Fi paint or wallpaper is not 100% leak proof and very expensive to implement
Wireless LAN Threats
• WarChalking – WarDriving – WarFlying
• Unauthorized access
• Accidental association
• Malicious association
• MAC spoofing
• Man in the Middle attack
• Denial of Service (DoS)
• Network injection attack
• Caffe Latte attack

Wireless LAN Threats
• Open authentication
  • Open system authentication: basically everyone can connect
  • No encryption at all
• Rogue and unauthorized access points
  • Employees install unmanaged access points
  • Access point spoofing for MITM attacks
• Eavesdropping
  • Intercepting radio signals and decoding the data
  • Wireless sniffer in promiscuous mode
  • Use of an external antenna