CWNP CWNA – Types of Wireless Attacks
We’re going to take a look at some of the different types of wireless attacks that could occur. So we’ll look at them from the point of view of somebody trying to break into the network, maybe somebody trying to steal your identity by tricking you.
We’ll also look at ways in which our existing hardware can do some monitoring for intrusions and what we should probably create as far as an actual wireless security policy.
So I mentioned this before when we talked about security, that a portal should be protected by using strong authentication methods so that only those who are legitimate users can get their traffic through. And when I say portal, I mean the access point. Now, I also made mention that people trying to connect to the access point who might want to try to do administrative work should also be authenticated, again with a very strong method and they hopefully will not be able to do it through the wireless part of the interface. So the radio itself is like a physical port.
I mean, not that there’s a wire plugged into it, but it is a connection that you use. It helps you provide the IP address you need and so it is accessible by somebody who might want the telnet or ssh to get into it. And as I said before, don’t let that be used. Use the management ports, the physical ports to be able to get your connection as an administrator.
So if you don’t protect that portal, a couple of things happen. Number one, that means unauthorized users could send traffic, potentially malicious traffic into your networks. But if you also don’t protect the management part of it, then they could read the information about your configuration, maybe even figure out what your administrative passwords are and cause you even more concerns as they go through. One of the big buzz phrases in the wifi security has always been to worry about things like a rogue access point.
I’m going to give you some examples of why a rogue access point can be bad. Now, unfortunately, the definition of rogue access point just means that somewhere you found an access point that you are able to connect to within your company, your building that does not belong to your corporation. It doesn’t necessarily mean it’s bad. I mean, in today’s world, if your office and your building is next to another office, they might have an access point that is detectable to you. But it’s not rogue, it’s not connected to your network in any way. In other cases, the access point might be there because somebody in your office decided they don’t like how you’re doing networking, so they bring their own in from home.
Or it could be that somebody might even bring in their tablet or smartphone and not realize that they’re trying to bridge you from your network to some other network and it just goes on and on and on. So that is a big buzz phrase and something we have to look at. And we’ll look at that a little more detail as we go on in this particular module.
So anyway, the potential is to make sure we understand what these different attacks are and especially when we talk about having an open or unsecured gateway, what that really means to the security of your network. Basically, if that’s what you have, you ought to just say hey, every hacker come on and have fun with all of my data. The same might also occur with the rogue access point. And as I said, it’s anything that’s unauthorized. Now, in the early days of wireless and I’m not, by the way, condoning what I’m about to tell you. I actually thought I was a little bit dodgy as a story. But in the early days, open and unsecured gateways were almost the norm.
That’s what we were used to. If there was protection, at the most, it was weap encryption, which I’ve already told you is not very strong. I had a friend well, he’s still a friend, but who worked for a sales or a salesperson for a security company down in Los Angeles. And their job half of the week was to drive through downtown laurie looking for those wireless access points that had no security. Then they were asked to get into that network so they could prove on a piece of paper by whatever they acquired that they illegally probably acquired.
That’s what I didn’t, like, go back and say, hey, look, I was by yesterday. I saw that things aren’t protected. This is what I was able to do, in a way, to sell their security services. I think the reason the company went out of business was probably because they were, in my mind anyway, kind of breaking or stepping on a few laws. But you don’t want people to do that to you and your network. And so that’s why we focus so much about security.
So let’s take a look at kind of some options when it comes to what happens with wireless security. So one of the things is that in our office we install what we would call an authorized access point and we go out of our way hopefully to put the best encryption on there, the wpa two enterprise where we’re doing that 802 one X and eep and using the best us the encryption. And because of that, then we know that whoever connects to us is going to be an authorized client. And that’s not a problem. At least we would hope that’s not a problem. But what if somebody puts an access point into your office? How would that happen? Well, you might have a person who is in their office.
Let’s see if I can make a wall and a couple of doors. Anyway, so they have their own little office here and that person is here. And maybe they don’t like the coverage that you have with your wireless or they don’t like going through all of these security procedures. What if they were to take their own little access point? I’ll make an antenna and take the wired part and connect it into your building. That would be a rogue access point. The problem is that the wired network in most cases would allow this station to come in, give it the appropriate IP addresses for being a member of the wired network.
And then this user would say, okay, now look, I can roam all through the building, go anywhere. I have my own access point. The problem is that thing might be radiating out into the parking lot. So you might find somebody who pulls into the parking lot and says, oh look, here’s an access point that has no restrictions. And so they would connect to that access point. Again, it’s a rogue access point which is connected to your wired network. And they would say, hey, this is great. Look at I have access to get to all of your network resources, everything else you have. In fact, I don’t even have to worry about those because they’re not going to be asked who I am.
I’m just able to get unauthorized access to everything else in your network. Because generally speaking, if you can get to the wired network, there’s usually a dhcp server that will give you the IP address you need for the local network, give you the IP address of the router that you would use as your gateway to get out and have free internet access. And it just causes a lot of problems. Now this is not BYOD bring your own device. We use that for things like tablets and smartphones. This would be somebody who brings their own networking equipment in and connects it into your internal network.
And trust me, there’s been a lot of work by different companies to come up with a solution to be able to detect when somebody plugs some extra network device into their network. I’ve been working with this problem since, I think, right before the year 2000, with companies that are worldwide and have offices in every country. While one of them was a rental car company, I won’t say who, and they were having this problem all the time, is that the people working behind the counter would say, hey, this really sucks. I can’t get out and do what I want on the network.
So they would bring these unauthorized access points into the network. They would plug them in, and now the person is like, oh, this is great. I have Internet connection wherever I go based on the rental car company’s internal network. And so did every customer that came in to rent a car or every customer of the rental car company next to them had that access. And it was proving to be a huge security problem. There’s another company that’s kind of gone out of business, but they might still have some business online. So I don’t want to mention them, but they did something extra about that. I’m just going to bring this up while we’re talking about security and wireless attacks. And what would happen is that wherever in the world their cities were, they would all go through.
And I can’t draw the state of Texas to save my life. They would all go through their headquarters in Dallas, Texas. So if they were in anchorage, Alaska, they would go through here. If they were in boise, idaho portland or it didn’t matter. Everything they did went through that central office before it went out to the world of the Internet. And at every store location, if somebody were to plug into an open port of a switch, that switch would immediately report the new up down on the interface and the people at Dallas would just cut off that entire link.
At least they did something about it. Now, you might want to know how I knew this. Well, I had a contract with an Internet company to put new routers in to all of the Pacific Northwest offices for a promotion they were doing. And on my first office, my first job, I plugged the router that they brought in to the switch and took down the office. And, well, they weren’t happy, but it wasn’t my fault.
But I thought to myself, well, that’s smart and we can do things like that on the wired side as well when somebody wants to introduce a rogue access point, even if we use something like port security, which most switches have, I mean, there’s a lot of things we can do to make this problem go away. But nonetheless, that’s one type of wireless attack. And the question is, was it really a wireless attack or somebody who’s not knowledgeable about networking, trying to make their job easier, not realizing how they opened up new security holes?
Another thing we have to worry about is a new type of bridge. Now, bridging is almost synonymous with switching. That is, a device that can connect two or more things together and allow transit traffic. We use the term switching for a device that can do bridging at high speed. Now, what if I have a legitimate user connected through wireless technology or even wired? What if they’re just wired into my network?
Let’s pretend there’s a switch here and they’re wired into it, but they have their wireless card on and somebody else decides to make this ibss, the independent basic service set, which some of us might know as an ad hoc network. So as an ad hoc network, that means there’s no wireless lan controller in between us, but they’re communicating through wireless technology. And by the way, it could also be bluetooth, it could be a number of different types of technologies.
So this has happened to me. I was sharing some files with students in the class and I put my wireless card into an ad hoc mode. And the purpose of that was, because of the restrictions of their physical network, I couldn’t share files, and they were too big for me to start trying to put onto USB drives anyway. They would then connect ad hoc, get the files that I shared. All was good, but they could have, if they were somebody on the outside, somebody might have been in the room next door that wasn’t a part of that company.
They could have connected to me ad hoc and used my connection to bridge themselves into the actual company’s network. That was always a fear as far as being able to find a way. And again, that’s what it’s about. It’s about trying to find a way into a network that you’re not supposed to have. Now, how I knew that this happened to me was number one, I did it on purpose for that class.
But when I went to the airport the next day to fly home, I noticed that somebody else had connected to my laptop through that ad hoc connection and were downloading the same files from me. And not that they were important files, but I threw a few from my security classes. I threw a few viruses and malware into that folder to see if I could find out who by looking at the reaction on their face, it was it was basically without permission, connecting. Unfortunately, I never figured it out, so I just stopped the connection. But that’s how easy it is when somebody I randomly can find that connection, connect to me and begin to get those files. So we don’t want to do that.
Now it gets even worse. The reason I say it gets even worse is that when your company does have access points and it’s a part of your network, right? So maybe you, with your tablet are connecting wirelessly to this network. And if it’s also cellular capable. That means it still has a 4g connection out to the outside world. And depending on what programs or games or whatever you’re running, again, you’re allowing that BYOD device to be able to create a bridge into your network. One of the things that an auditor I worked with, very smart person, I wish I was this smart, generated a program that he would, while sitting inside the network, send a ping to all of the addresses inside of the network.
Boom, just hit that ping. And depending on the speed of the wireless, if a ping response came. And by the way, he used an external server with a public IP for them to respond to. And if he got the pings back the legitimate way from the inside of the network, no problem. But he was finding devices on the outside that would reply to the ping that was sent on the inside of the network and he was then able to figure out who was using devices properly, improperly, illegally, whatever, to create these extra connections.
And in both of these situations, the problem I have is that you might be paying a lot of money for something like a firewall to be able to protect yourself from the world of the internet and everybody out there. You’ve got all this great protection to stop the hacks from coming in. But now we have a place that has no security between your personal device or your laptop or anything else to be able to get into our network. And so it’s causes a lot of problems if we’re not on top of it.
The 811 wireless networks, again operating a license free frequency band. Why is that important? Well, there are many different frequencies out there. If they’re licensed, you have to apply for a license. There are a lot of people out there who they call ham radio experts or whatever that hobby is. I’m not really big on that. Hobby that do have licenses to operate on different networks, but they have to buy special equipment, they have to have the license, and they have to go through a lot of testing to be able to do it. I know you’re saying, why is that important?
The reason it’s important is because when it’s unlicensed like eight or 211, it doesn’t matter who you are, you can go to any local electronic store and buy equipment that will operate on that frequency, and you don’t need any licensing, you don’t need any training. So it’s very easy for hackers to be able to get the equipment they need to break into your wireless networks. Remember, your data transmissions travel in the open air, and anybody with a radio that is close enough can listen not only to the traffic from the access point, but from all of the computers and phones and tablets that are connected to it. So it’s available to anybody, is what I was trying to get at.
There are some people who and I’ve never tried to build one of these, but they use a pringles can as what they call a can tenna, to try to get better reception from signals that would otherwise be too weak to be able to hear, so they could be further away from your network and still be able to hear the radio frequency coming in. It’s kind of like those people who used to have well, they still do probably people like to eavesdrop and spy.
They have these little parabolic antennas that were designed to be able to eavesdrop on voice conversations that people might be having in a parking lot a couple of hundred feet away that they normally wouldn’t be able to hear from where they’re standing. So they use that kind of stuff to amplify that signal, and that’s what’s happening with the voice traffic. So using this cantana, then maybe I could be 50ft further away than normal for the weakest signal and still be able to pick up that signal, but I’d have to aim that can at whatever it is.
I wanted to listen to another example going beyond that in the days of these cell phones that were well, I’m going to go back into the don’t even remember what they called the type of transmissions that they did back in those days. It was well before four G and three G and all this other stuff. But there were people who would put these cantanas, basically onto a rifle stock, so it looked like they were aiming a rifle, when actually all it was there was the, you know, the the butt of the gun and the handle to hang on to it. And they would aim that can tenna at people on their cell phones.
Maybe some of you might remember the days of cell phones when you’d flip it open and pull up the antenna. And what they would do is they would intercept the electronic identification number, program it into one of their unprogrammed phones, and steal your service from you. So what do you do to fix that type of eavesdropping? That’s why we said encryption is mandatory, so that whatever information they get, the majority of it will be unusable.
So there are many ways, again, to be able to get this information. I’ve talked about a lot of stories, all of them true, by the way. So we can monitor these wireless communications either by the casual eavesdropping. Well, okay, one time I casually eavesdropped on something I didn’t mean to. This is again, back in the days when there was really no encryption. I had my laptop open while driving through downtown Seattle trying to use my GPS information that I had.
And by the way, it was not through cellular technologies. A whole different day back then, I didn’t have GPS on the phones. And as I was driving down the roads trying to follow my and I had to buy a separate GPS from my laptop trying to follow those directions, suddenly all my mail started coming into my inbox because I had automatically connected to some businesses WiFi while I was stopped at a stop light out in front. So to me, that sounded like casual eavesdropping that I suddenly had free WiFi malicious would be doing all of those other things I was talking about that would be trying to purposely listen to those radio waves.
Popular posts
Recent Posts