July 29, 2002
Informit's Dumb Article On Wardriving

These guys confuse just about every issue surrounding "wardriving" and wireless. The point of "wardriving" isn't to hack the networks you find -- just to use them.

If wardriving were a bad thing, why would people be warchalking to let others know where their networks were.

It's like the twilight zone or something. These guys are living in their own reality -- one of hype and misinformation.
Anyway here's the story by Frank Fiore and Jean Francois:

Unwitting Collaborators, Part 6: Wireless Insecurity.

Here's the whole article:


To avoid the hassles of installing LAN lines or to hasten deployment of LANs, or even to allow for more mobility in the workplace, many organizations are installing wireless networks. These networks are being installed by organizations at a rapid rate.

Unfortunately, organizations don't see the threats posed to their network security by wireless networks, or don't understand that a wireless network should be treated as you would any other medium—using it as a transport layer only. Sending information through a wireless network potentially opens your network for the entire world to see. It's akin to sending a postcard through email and could open your network to "drive-by hacking."


The "Wardriving" Scenario

The District Clerk of Harris County, Texas was in for an unexpected surprise. Based on a demonstration by a computer security analyst and upon the recommendation of the head of the county's Central Technology Department, District Clerk Charles Bacarisse shut down the wireless computer network in his office. The computer security analyst had met with the department head and used a laptop computer and a $60–75 wireless card to show him how to tap into Bacarisse's system by "wardriving."

The security flaw in the county's wireless network created a dangerous potential for vandalism—or even more serious problems. Using the practice of wardriving, someone with just an 802.11 device and sniffing software such as NetStumbler could gain access to the county's system and use it as a platform to hack other systems, including those of government agencies and businesses, leaving few traces.

Once tapped into the county system, a hacker could conceivably send emails appearing to come from county officials that could not be traced to the true author. Just as worrisome was the potential for someone to crash county computers, reroute printers, alter or delete records, or post illegal material on one of the county's network computer servers.


The Security Breach

Wardriving is easy. Just buy a wireless card, slide it into a laptop computer equipped with easily obtainable software, and with little trouble you can scan for and capture the radio signals linking computers on a wireless network. Then you can gain complete, unfiltered access to that network.

Essentially, wardrivers use the wireless signals to enter into a computer network. What many organizations fail to understand is that the wireless signals emanating from their network are not confined to their offices—or even their building. Wireless signals can easily pass through office ceilings, walls, and floors. As many incidents have shown, an unauthorized user could gain access to a wireless network by simply sitting in his car across the street or in an office above or below the organization in the same building.

A perfect example is the large retailer Best Buy. Some Best Buy stores use a sophisticated wireless network that lets their cash registers beam information—including the credit card numbers of customers—to a central computer elsewhere in the store for processing. But it was shown that a wardriver can sit in a Best Buys store parking lot and pick up and view this data. Once alerted to this security breach, Best Buy shut off wireless cash registers at all its stores.

So how do the wardrivers do it? By using simple software products that are easy to obtain over the Internet. Here are some of the tools that wardrivers use to crack wireless networks:


NetStumbler is a piece of Windows software that, when coupled with a GPS unit and a wireless card, lets you snoop on the location of 802.11b networks. Think your network is not known to wardrivers? Think again. NetStumbler's web site includes a map showing the locations of U.S. networks people have found using the software.

AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Using the Wired Equivalent Privacy (WEP) protocol, 802.11b is crippled with numerous security flaws. AirSnort requires approximately 5–10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.

WEPCrack is another Open Source tool for breaking 802.11 WEP secret keys. While AirSnort is popularly known, WEPCrack made the first publicly available tool for a wardriver attack.

Remember, the practice of wardriving is simple: All a hacker needs is a device capable of receiving an 802.11b signal, a device capable of locating itself on a map, and software that will log data from the second when a network is detected by the first. You then move these devices from place to place, letting them do their job. Over time, you build up a database composed of the network name, signal strength, location, and IP/namespace in use. The network is then open to illicit use.


Corrective Actions

Wireless technology is inherently insecure. But you can plug many of its security holes. Though not entirely foolproof, when used in unison the following corrective actions act as a "defense in depth" and should close the majority of security flaws in your wireless network.


Create a wireless network policy. Think about what your staff is trying to do when using the 802.11b network. Do they need Internet access? Do they need access to services on the local wired LAN? In short, plan your use of your wireless network and be as restrictive as possible without interfering with your users' requirements.

Educate users about the possible dangers of using wireless network technology. Hold training sessions periodically to review their understanding of the security risks and the how to use the network properly.

Avoid default configurations. Never rely on the basic configuration that's given you for the base station if you're connecting to a wireless LAN. Default installations and configurations are the security professional's worst nightmare. That's an open invitation to a wardriver. Don't use the default service set identifier (SSID)—the identifier that designates a particular network. You can better secure your wireless network by creating a unique SSID. WEP currently exists in 64-bit (40-bit key) and 128-bit (104-bit key) modes. Finally, don't make your WEP key identical to your SSID.

Avoid using Dynamic Host Configuration Protocol (DHCP) with wireless networks. Having a static network address will slow down the hacker, although he can still get on your network using a sniffer program.

Drop unencrypted packets. Don't let unencrypted data pass through your wireless network. Access points for your wireless network can be configured to drop packets that aren't encrypted using the right WEP key.

Use access control lists. Configure your internal network to allow access only to known and trusted NICs. The problem here is your MAC address. The only authentication that identifies your NIC is transmitted unencrypted, and a lot of wireless cards allow the MAC address to be changed. Filtering MAC addresses will stop the casual "snooper" but not the skilled cracker. This makes the use of access control lists somewhat limited, but it's another barrier the intruder will have to get through to reach your network.

Place the wireless network behind a firewall in a DMZ. Isolate access points so they're placed on their own segment or virtual LAN (VLAN). Use a stateful IP-filtering firewall separating the restricted wireless LAN and unrestricted "internal" wired LAN.

Use VPN technology and strong authentication. If you want a wireless user to be able to use protected services on the internal network, a virtual private network (VPN) can be the best solution to the problem. However, because VPN depends on trusting the IP address of the connecting host alone, a compromised machine on the restricted network would be given access to the unrestricted network as well. Thus, username and password authentication should be required to gain access to the unrestricted LAN. In addition to an IPSec-based VPN, use tools like SSH and PGP to encrypt messaging and/or traffic that contains sensitive information to further prevent compromise.

Place wireless access points physically inside buildings, but outside corporate firewalls. Keep the company VPN behind the firewall. If you have meeting rooms or conference rooms that sit along the perimeter of your building, consider using Tempest-rated glass.

Turn down the gain. If you set up an access point near an exterior wall, turn down the gain. Gain is what controls the signal strength and how far that signal will travel. This could curb the use of your network by someone sitting in their car on the street or in the park across the street from your building.

Implement port security on your LAN switches and hubs: 802.11b access points are relatively inexpensive now. You don't want any employee buying a base station and plugging into your corporate network.

Test your network. Use tools like NetStumbler to test your network, to know the potential risks to your wireless network and where they may come from.

Because of the insecurity of wireless technology, administrators and IT security professionals are challenged to build secure foundations for 802.11b wireless technologies without limiting the beneficial functionality it provides. But help is on the way. In Summer 2002 Netsec will release intrusion detection system (IDS) boxes that will help system administrators identify outside users quickly. Each box is about the size of a 3x5 index card box. An organization can place these IDS boxes on the four corners of their building and keep the network secure.

In the meantime, network administrators should always know the five "W's" of their network:

* What was accessed?
* Who accessed it?
* When did they access it?
* Why did they access it?
* Where did they access it from?


Don't Be an Unwitting Collaborator

In many senses, adding a wireless capability to your network is like adding a miniature Internet to your network, in the sense that you're creating an opening for potentially hostile elements. A cyberterrorist would only need to drive around an area until a LAN could be found that either had lots of bandwidth or vulnerable systems, and use those resources to launch attacks on local and/or remote networks and systems.

In effect, your wireless network can be a cyberterrorist dreamland. Chris O'Ferrell, chief technology officer of the wireless technology company Netsec, knows this firsthand. He keeps an eye out for vulnerable 802.11 networks, and is amazed at how many he finds. Located in Herndon, Virginia, Netsec's offices are in the heart of "Spook Valley," where the Pentagon, the CIA, and many information-security companies are located. While driving through Washington's Dulles International Airport, O'Ferrell says he can often see baggage-operator networks on his computer.

So much for increased airport security in our nation's capital.

Would you really want a cyberterrorist using the bandwidth in your company to launch attacks against you or others? How easy is it? This easy. Just click here and follow the easy-to-use instructions.

Sleep tight.

Posted by Lisa at July 29, 2002 09:54 PM | TrackBack
Me A to Z (A Work In Progress)