Wireless Security and Vulnerabilities
There are several encryption protocols that are used to protect network access: Wired Equivalency Privacy (WEP), WI – FI Protected Access (WPA), and Wireless Protected Access 2 (WPA2).
1. Wired Equivalency Privacy (WEP) is an encryption protocol the uses a 64 0r 128 bit encryption key to secure data traffic. This form of wireless security is outdated and one of the least secure wireless encryption protocols.
AirSnort is a tool that can be used to exploit WEP shared encryption key. This type of attack is called WEP cracking.
2. Wi–Fi Protected Access (WPA) aims to provide a more secure wireless transmission than WEP. WPA builds on the 802.11i standard developed by IEEE. This standard uses 128 bit encryption and an encryption key management scheme called Temporal Key Integrity Protocol (TKIP).
The keys are checked for integrity to catch any spoofed keys. WPA changes the encryption keys used for every data packet that is forwarded or sent.
WPA also leverages EAP for port based authentication. WPA can be con be configured in two ways, for home use or for Enterprise use. For WPA Enterprise a RADIUS server in added for central authentication and auditing.
Although WPA is more secure than WEP the encryption keys can be obtained through “WPA cracking.” WPA cracking (like WEP) uses software to obtain WPA encryption keys.
To extend security on wireless access points MAC address filtering is added. MAC address filtering adds the complexity that only host on the filter list are able to join the Access Point, regardless of if they have the encryption keys or not.
3. Wireless Protected Access 2 (WPA2) provides even further security in wireless transmissions. WPA2 uses Advanced Encryption Standard (AES) to encrypt keys and offers an additional feature of key caching. Encryption can extend from 128-bit to 256-bit standards. Furthermore, as with WPA, a RADIUS server can be included for WPA2 –Enterprise mode.
Device placement plays an important role in securing a wireless network. By placing a wireless access point strategically, it can help to identify an “Evil Twin” on your network.
An “Evil Twin” is a rouge access point on a network that is used to trick or fool users into connecting to it.
Once network users connect to this rouge access point, an attacker can capture the data packets sent from the users. By naming and placing WAP’s in strategic locations “Evil Twins” can be identified and users are less likely to join access points that they know are not part of the network. For example, a coffee shop could have WAP’s located inside their store called “coffeeshopWAP” for customer use.
The coffee shop may have an outside sitting area where their wireless signal may not reach. An attacker could set up a WAP that the coffee shop’s users can connect to called, “teashopWAP.” Customers of the coffee shop may be fooled into thinking they are using the coffee shop’s wireless network, but they are not, and their communications could be compromised.
The other side to this problem is when a security conscious network administrator adjusts the wireless signal, so it will not extend too far beyond the building walls. There may be areas of the building where users are unable to connect to the wireless network; or in the case of buildings with cinder blocks and metal bars, a weak signal may not transmit through these materials.
Also, a non-associated WAP emitting a stronger signal may lure company employees to join it, instead. Review the following example.
Adjusting Signal Strength
A network administrator may want to adjust the signal strength, providing greater access to company users at distances >100 meters of office locations. He or she may accomplish their goal of reaching all the office users, but may introduce their wireless signal to users who are not supposed to have access or know about the network.
Consider the following:
When attackers search for wireless signals or networks to connect to he or she will be more likely to pick up an amplified wireless signal. This type of behavior of driving around a neighborhood or city looking for a wireless network to connect to is called “War Driving.”
Once an attacker has identified an area that has either an open wireless network or one that they plan to compromise, they will mark this area. By marking the known area, they can come back at a later time to accomplish their intended goal and this behavior is known as “War Chalking.”
The other side to this problem is a security conscious network administrator who adjusted the wireless signal not to extend too far beyond the building walls. There may be areas of the building where users are unable to connect to the wireless network or in the case of buildings with cinder blocks and metal bars, a weak signal may not transmit though these materials. Also, someone emitting a strong signal may lure company employees to join their network.
Threats and Vulnerabilities
There are various types of attacks that can occur and disrupt or cause damage to a network and network resources.
1. Virus: A virus is a computer program, malware, that when executed interrupts or damages the functionality of an application or the computer system itself. This type of attack can be spread by sending an email with the virus executable attached. When the attachment is opened by the recipient, a virus can take over their computer system. A virus can also infect computer systems another way. If a user picks up a flash drive that does not belong to them and inserts it into their computer, they may see a folder or icon that looks curious to them. If a user chooses to click this icon or folder, a virus or program is executed.
2. Worm: A worm is different from a virus, in that, it does not need the assistance of a user to execute. Worms self-replicate and once they infect a host they move on to additional systems within the network by themselves. A worm is another type of malware which can cause denial of service issues.
3. Denial of Service (DoS): A DoS is a common type of attack where a server or computer system is sent more data than it can process. While it is trying to process this data, no other service that the server or computer system is tasked with will run. This denies or prevents the expected service the resource was to provide, for example, a Web server. Three types of DoS attacks are listed below:
A buffer overflow is a type of DoS attack. It overloads the amount of space reserved by an Application in memory with data. Once the memory allotment has been exceeded the virus or attacker may be able to execute their code or instructions on the system. Furthermore, a buffer overflow can be used to “crash” or constantly reboot a machine.
A Smurf attack is another DoS attack where ICMP packets are used to flood a target system. For instance, if an attacker were to make it appear that a single computer or server sent a ping request to every computer on a college campus all those campus computers would send a reply. The single server or computer in this case would not be able to perform its intended function (i.e. serve web pages); due to the time it takes to process the ICMP data packets from all of the campus computers.
A Distributed Denial of Service Attack (DDoS) is an attack that involves many computer systems working together to stop the availability of a service on a targeted system. A hacker will often use computers that have already been compromised by malware for massive DoS attacks.
4. A Man in the Middle Attack (MITM): A MITM can be described in a number of situations where a third-party is monitoring, capturing, altering or sending data instructions in between two communicators (hosts) without their knowledge.
5. FTP Bounce: An FTP Bounce attack happens when a compromised system is sent instruction by a third party who would not ordinary have access to issue a ‘port’ command to another system. For instance, see Figure 1 which illustrates if Alice and Mallory are on domain A and only computer’s on the same domain can send commands to one another, then Bob who is located outside of Domain A must issue commands through Alice, Alice’s system will then send a request to access a port on Mallory’s system. This transmission would happen without Alice or Mallory knowing Bob was involved.
Figure 1 Illustration of FTP Bounce as described in the above section.
6. Packet sniffing: A technique where the data traveling across media is captured and read. There is packet sniffing software that allows a user (Figure 2), Bob, to view and capture all network traffic that is sent between all parties (Alice & Mallory) on the network. Packet Sniffing is not usually described as an MITM attack, however it is easy to understand the concept from this model.
Figure 2 Illustration of the Packet Sniffing technique as described in the above section.
7. Social Engineering: Social Engineering occurs when an attacker will uses tactics to confuse, fool, trick or scare a user into giving them information they would not normally give someone they did not know.
A well-known example of this is when an attacker acquires the phone number of a company’s Executive Secretary, who may not be as suspicious as a network security administrator.
The attacker calls the secretary and acts like a helpdesk worker who needs to verify the secretary’s username and password. The secretary not thinking that this person is not with the company gives his/her username and password. The attacker may then be able to access his/her system and uncover private documents.
Phishing is commonly seen in email. An attacker sends a user information that their account has changed and that they should call 1-800-stlmypassw to verify account information.
In order to mitigate the effects of hackers and software vulnerabilities an organization must train their workforce on what to look out for. If an employee is aware of Social Engineering tactics, then they are less likely to fall victim to this type of attack.
An organization should make employees aware of any top secret or intellectual property so they will handle this information with care. This type of training is typically done at new hire orientation or provided through a Learning Management System (LMS). Employees should have these trainings audited to ensure everyone is aware of security issues that affect the organization.
Software vendors are constantly creating software patches to address security vulnerabilities or issues in their software. Network and Systems administrators should update the software patches made available by the vendor in a timely manner.
By updating the software patches in a timely manner, system security is enhanced. Some Network and Systems administrators have the software patches downloaded automatically or through a server that is delegated to push updates out to systems on the network.
Network and Systems Administrators should be aware of the effects these patches and updates have on the systems. In some cases updates will have an adverse effect, the network and systems administrators must know how to identify and roll back these updates.
Policies and Procedures
Organizational policies and procedures define how all employees should conduct themselves when entering the facilities and using company equipment.
They also provide guidelines in how to approach change management, training and other organization specific duties. Policies can also describe password complexity, how remote access is granted, or which critical systems to back up and when.
Organizations will be impacted by security issues. They will typically have an incident response team composed of network and system managers, lawyers, public relations and other stakeholders to address the security breach. This incident response team will have policies and procedures to determine how evidence is handled and documented.
Wireless networks expand the security scope that network administrators must address. It is important to know the aspects of wireless encryption as it will aide in selecting the appropriate standard.
Threats, attacks and vulnerabilities will always be present in networks and software; however, using mitigating techniques will help to prevent or recover from a malicious attack.