
  

Author Topic: Wi-Fi penetration made pant-soilingly easy  (Read 2453 times)


ChadTower

Wi-Fi penetration made pant-soilingly easy
« on: February 08, 2007, 04:13:41 pm »

boykster

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #1 on: February 08, 2007, 04:20:32 pm »
that's pretty scary

* boykster covers entire house in tin foil and hides in the basement

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #2 on: February 08, 2007, 04:21:13 pm »

I'm putting on my tinfoil underpants, too.  Just in case.

fredster

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #3 on: February 08, 2007, 05:00:48 pm »
I bet you could get a PSP to do that.
King of the Flying Monkeys from the Dark Side

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #4 on: February 08, 2007, 05:03:29 pm »

It's the software that is the killer here, not really the device.  Any wireless device could do that if it had the software.

Zero_Hour

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #5 on: February 08, 2007, 05:21:24 pm »
Just another reminder to use all the security features of your access points. Encryption, and MAC address based permissions.

Quote
She said Immunity is taking orders for the $3,600 device, mostly from law enforcement agencies looking to do covert hacking on sensitive networks.

If you have a "sensitive network" that is using wireless anywhere in its infrastructure, it must not be all that sensitive after all. If your data is that important, then protect it, even if that means giving up some convenience.

Still a very cool piece of testing software for sure. And the Nokia 770 they're using it on is actually pretty sweet on its own.
"Paradise, is exactly like where you are right now - only much, MUCH better." -Laurie Anderson

danny_galaga

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #6 on: February 09, 2007, 08:11:18 am »


reminds me. i really should get around to putting a password on this wireless system. if i can be bothered to find out how...


ROUGHING UP THE SUSPECT SINCE 1981

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #7 on: February 09, 2007, 09:01:18 am »

The bigger issue most of the public seems to be missing is that these devices can make direct peer connections.  You don't need to worry about only your WAP, you need to worry about every wireless device individually too.  Can't tell you how many places I've been that have the WAPs reasonably secured but then have dozens of unsecured devices talking to them.

AlanS17

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #8 on: February 09, 2007, 04:43:40 pm »
Oh! Oh! I want one for my bday! (like that's ever gonna happen...)


fredster

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #9 on: February 09, 2007, 04:55:22 pm »
Chad, is there a good tutorial on the net you would recommend for setting up a wireless network?

Using Windows XP?  I have read through Microsoft stuff, but I can't seem to get the same menus on all XP devices that have tried to connect.

King of the Flying Monkeys from the Dark Side

patrickl

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #10 on: February 10, 2007, 05:27:20 am »

Quote from: ChadTower
The bigger issue most of the public seems to be missing is that these devices can make direct peer connections.  You don't need to worry about only your WAP, you need to worry about every wireless device individually too.  Can't tell you how many places I've been that have the WAPs reasonably secured but then have dozens of unsecured devices talking to them.

That does sound plausible, but you make it sound much worse than it is.

Either the WLAN is set up securely and unsecured clients cannot connect or it is not set up securely and unsecure clients can connect. You cannot have it both ways.

It's also not like everything with a WiFi card can be connected to. You need to specifically set it up to allow incoming connections.

What I did see happen is that people in the office thought it would be nice to have wireless access so they could roam the building and they simply connected an access point to their network cable since the pesky sysadmin wouldn't do it for them. Or that indeed people do set their notebook WLAN card to AdHoc mode (for instance to use it to share their network connection to their PDA). They can then not use that WLAN card to connect to the AP though. Besides, if there is an AP available it's a lot easier to just use that than setting up an AdHoc connection.

So sure, you can have unsecure devices in your secured environment, but they won't be talking to your secure access points.

Even a simple PDA will figure these people out right away too. When I go into a client's office and my PDA tries to set up a WiFi connection I see possible open entry points right away (nothing special btw, it just looks for a connection and alerts about new ones).

Actually the only thing that I can see new here is that they sell it as a ready hacking package. You can do the same thing with a notebook, some readily available software (for instance a special Linux distro that will hack a WEP key in 2 minutes) and some time invested to set it all up.

PDAs can do quite a lot of WLAN hacking already. Although so far the software for them has been a little less powerful. Mostly it's just impractical to use a PDA to hack a network.

Actually this Silica is very easily detected by a properly secured network. From what I get out of that article, it's an active port scanner. These things stick out like a sore thumb. A properly secured network will have software running to detect port scanners and actively block them and warn a sysadmin. A passive scanner takes longer to break in, but it's undetectable.
This signature is intentionally left blank

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #11 on: February 10, 2007, 09:57:17 am »
Quote from: fredster
Chad, is there a good tutorial on the net you would recommend for setting up a wireless network?

I'm the wrong person to ask.  I do not have a wireless network, I wired my house with cat6 so that I wouldn't have to have one.  I know networking itself but the wireless specific concepts, except where I can extrapolate from my general networking knowledge, are not nearly as strong.

Patrick, while you're right about a lot of that, what it doesn't address is that most of the most common places to sit and scan for openings are free wifi spots.  Starbucks, restaurants, hell the local McDonald's has wifi now.  Who that works at McDonald's is going to manage security and explain it to your average McDonald's customer when they bring in their ancient laptop and can't get on the net?  The only logistic way to handle that without hiring an expensive admin/support person is to keep it wide open.  That makes it the perfect place for someone with bad intentions... guaranteed wide open access point and anyone there is probably also wide open.

That person sits in the parking lot, scans all those open devices, runs a couple exploits, installs malware on all of them.  Later those devices connect to more secure networks, perhaps (like at their job), and now the malware connects home via http (almost all employers have http going out in their proxies) and boom control inside a secured location.

I have always been of the impression that a wireless device can run with multiple predefined configs, allowing it to connect to a secured network (if it has the config) as well as any unsecured network (for which it would not need a config).  Is this incorrect?

Strokemouth

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #12 on: February 10, 2007, 01:00:37 pm »
Quote from: ChadTower
I have always been of the impression that a wireless device can run with multiple predefined configs, allowing it to connect to a secured network (if it has the config) as well as any unsecured network (for which it would not need a config).  Is this incorrect?

No, that's right.

And I'd like to play with that Silica. I've looked at CANVAS before, but I seem to remember it being very expensive for what seemed to be a collection of exploits with a decent ARP poisoner. That was a while ago, though.

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #13 on: February 10, 2007, 03:49:12 pm »

A constantly updated collection of exploits.  The service is where the cost lies.

patrickl

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #14 on: February 11, 2007, 06:25:27 am »
Quote from: ChadTower
I have always been of the impression that a wireless device can run with multiple predefined configs, allowing it to connect to a secured network (if it has the config) as well as any unsecured network (for which it would not need a config).  Is this incorrect?

Quote from: Strokemouth
No, that's right.

Well only in part. If you set up a notebook to be used in an AdHoc peer to peer connection it will not be using that WLAN card to connect to another Access Point.

It still does not connect in an insecure way to your protected access point. Of course it gives you a wide open leak, but my point was that someone made that leak.
This signature is intentionally left blank

patrickl

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #15 on: February 11, 2007, 07:09:43 am »
Quote from: ChadTower
Patrick, while you're right about a lot of that, what it doesn't address is that most of the most common places to sit and scan for openings are free wifi spots.  Starbucks, restaurants, hell the local McDonald's has wifi now.  Who that works at McDonald's is going to manage security and explain it to your average McDonald's customer when they bring in their ancient laptop and can't get on the net?  The only logistic way to handle that without hiring an expensive admin/support person is to keep it wide open.  That makes it the perfect place for someone with bad intentions... guaranteed wide open access point and anyone there is probably also wide open.

Entirely true. I was just reacting to your claim that even if you protect your access point that the network is still wide open. Apart from idiots bringing in new open access points (ad hoc or infrastructure) of course.

Indeed people using an open WiFi hotspot better make sure they have some other form of protection if they want to keep their information private (firewall/VPN/Virus scanner/etc). Or just hope that no one is listening/hacking.

Indeed if their computer gets hacked then anything can happen when they come back in your secure environment. But then a computer can also get hacked from using a malicious website (WLAN or cabled). So you need to protect every computer going online anyway.

It's illegal to break in BTW (even on an open connection). Last year a guy in the US was arrested for using his neighbour's internet connection. But still that doesn't mean you should leave your door open.

You shouldn't really use WiFi with anything less than WPA encryption. WEP can be hacked in minutes (if there is enough traffic) and an open connection is like an open door so anyone can come in. Setting up WPA is hardly more difficult than using WEP and only slightly more work than leaving it all open.

The following steps will easily protect a WLAN:
- Put a password on the Access Point (on the administration interface)
- Change the name (SSID) of your network in the access point and make sure it's not broadcast
- Use WPA encryption (or at the very least WEP if you must use some old devices that can't use WPA, but do realize WEP can be hacked)

Disabling SSID broadcast (your network will stop screaming out its name to the whole world) is a nuisance, but I think it's a big step. It prevents your network from showing up in a WLAN scan. So you have to type in the name yourself rather than have Windows autodetect it (which obviously makes it a bit more work to set up, but hardly a lot). Active scanning software only sees the broadcast SSIDs so that's the biggest percentage of hackers that are gone with one simple step.

The WPA encryption deals with the passive scanners.

Personally I don't bother with a MAC-address filter. It can be hacked anyway and it's a huge nuisance, but of course if you feel like it use that too.
« Last Edit: February 11, 2007, 04:11:26 pm by patrickl »
This signature is intentionally left blank

Strokemouth

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #16 on: February 11, 2007, 08:50:19 pm »
You're half right on the WPA stuff. WPA-PSK (TKIP) is just as easy to crack as WEP as it uses the same RC4 encryption. In fact, WPA-PSK (TKIP) is easier to crack as you only need to gather one small set of data from one person joining the network. The advent of WPA2 makes it a little tougher now since you can choose to use AES over RC4, but you are still only limited by how complex the password is. Since WPA can use a simple passphrase, chances are they are pretty easy to brute force. WPA Enterprise is a different story, but I doubt you'll see many places in your neighborhood that have their wireless hooked up to a RADIUS server using WPA w/ 802.1x, etc.

Even disabling SSID broadcast doesn't REALLY protect you. It is VERY easy to get the SSID of an AP that is not set to broadcast. You can use something like AirJack to spoof a deauthenticate packet to the client, forcing them to re-establish a session and causing the SSID to be sent plain text again or just use one of the many sniffers that look in places other than the beacon packet for the SSID (which, again, is sent plain text).

The best way to stay secure wirelessly is to use a layered approach. Turning off broadcast is a start. Use WPA2 (AES). MAC filtering does help, too. The logic is not that one of these measures will prevent all attacks, but that there will be enough hurdles in the way to make a possible attacker double-think whether or not it is worth their time.

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #17 on: February 11, 2007, 08:56:26 pm »

Or, turn it off when you're not actually using it.   :)

patrickl

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #18 on: February 11, 2007, 11:02:18 pm »
Quote from: Strokemouth
You're half right on the WPA stuff. WPA-PSK (TKIP) is just as easy to crack as WEP as it uses the same RC4 encryption.

Well the thing is that with WPA (using TKIP) the key changes so the hacker doesn't get the chance to collect enough data to actually crack the encryption. Of course, the newer the version of WPA you use the better, but even the basic form of WPA is a lot harder to hack than WEP. The only way to do it (in a WPA-PSK network) is with a dictionary or brute force attack and that can take a very long time. Depending on your password it will take days to centuries before it gets hacked.

It's substantially harder (more time consuming) to crack even the simplest form of WPA than it is to crack WEP. Of course you should select a secure password, but that goes for every password you use.

Quote
The best way to stay secure wirelessly is to use a layered approach.

Maybe you missed that, but that's what I said too. I didn't suggest either of the steps as a separate method of securing the network.

:edit: Forgot to ask, but what reason do you have for using MAC-address filtering? Just as an extra layer? I always thought that a hacker, who is already able to sniff and decrypt WPA, will have no trouble getting the MAC-address out of the frames and spoof it. It's the last hurdle a hacker faces and by then I doubt it will stop him, so that's why I don't bother with it.
« Last Edit: February 11, 2007, 11:22:48 pm by patrickl »
This signature is intentionally left blank
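
The replies above turn on how much a WPA-PSK network's strength depends on the passphrase and on the network name. The following is an added example, not code from any poster in this thread: it derives the WPA/WPA2-PSK master key the standard way (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and gives a rough upper bound on the time to search a passphrase's keyspace. The `DEFAULT_SSIDS` list and the guess rate are constructed assumptions for illustration.

```python
import hashlib
import math

# Constructed sample of factory-default network names (assumption, not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
SECONDS_PER_YEAR = 365.25 * 86400


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit master key used by WPA/WPA2-PSK.

    The SSID is the PBKDF2 salt, so the same passphrase yields a different
    key on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def charset_size(passphrase: str) -> int:
    """Size of the alphabet implied by the character classes that appear."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # remaining printable ASCII, including space
    return size


def keyspace_bits(passphrase: str) -> float:
    """Upper bound on entropy: assumes every character was chosen at random.
    Dictionary words and common patterns are far weaker than this figure."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def audit(passphrase: str, ssid: str, guesses_per_second: float) -> dict:
    """Summarise the two settings discussed in the thread for one network."""
    bits = keyspace_bits(passphrase)
    return {
        # A well-known SSID means a well-known salt, so keys can be
        # computed ahead of time; a unique name removes that shortcut.
        "default_ssid": ssid.lower() in DEFAULT_SSIDS,
        "keyspace_bits": round(bits, 1),
        "years_to_exhaust": (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR,
        "pmk_hex": wpa_psk_pmk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    # Constructed inputs; 1000 guesses/second is an illustrative rate only.
    for phrase, name in [("password", "linksys"), ("Tr0ub4dor&3 horse", "attic-7f3")]:
        report = audit(phrase, name, guesses_per_second=1000)
        print(name, report["default_ssid"], report["keyspace_bits"],
              f"{report['years_to_exhaust']:.3g} years")
```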

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #19 on: February 12, 2007, 09:35:44 am »

A lot of the "hackers" I've talked to were just script kiddies that didn't understand what the crap they downloaded was doing... so any potential hurdle could be an entry killer, one more is just that much better.

jbox

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #20 on: February 12, 2007, 09:44:55 am »
To summarise all the 133t talk to the non-h4x0rs on the board:

(a) Security is a sliding scale, not a "YES" or "NO".
(b) Thus, every extra obstacle you can add helps.
(c) Someone committed to hacking your network can always do it.
(d) But you *can* make them spend more time & money than they will cost you.

People like IBM, NSA, FBI and other TLAs can always hack you if they really wanted to. The main idea here is to push the random drive-by hacker towards hacking someone else's network by making yours too much work to bother with. It's exactly the same way you try to discourage random burglars by trying to make your house harder to rob than it's worth.
Done. SLATFATF.

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #21 on: February 12, 2007, 09:55:28 am »

Anything at all beyond a 5 minute effort will cause them to drive to the next house, really.  There are so many wide open targets that any effort at all isn't worth trying.

Samstag

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #22 on: February 12, 2007, 10:42:49 am »
And along those lines (pushing hackers toward easier game) don't go out and buy a high-power router when you don't really need one.  The longer your range, the greater your risk.  Neighbors may be more tempted to try to get in if they get a strong signal all the time, and drive-bys are more likely to find you.

patrickl

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #23 on: February 12, 2007, 12:12:28 pm »

Quote from: ChadTower
A lot of the "hackers" I've talked to were just script kiddies that didn't understand what the crap they downloaded was doing... so any potential hurdle could be an entry killer, one more is just that much better.

Well I understand that, but my point is that it would have taken so much effort and time to get to that last hurdle that a few seconds extra would not deter that hacker. Suppose someone has been monitoring your network traffic for months and did all that was necessary to get in and then he needs only to copy the MAC-address from a single frame. I don't think any hacker that determined would back off at that point.

BTW you can protect your WLAN to be quite unbreakable by using the RADIUS protocol. Some cheap routers can be upgraded with open source firmware. Not sure what the status is but a few months ago it was all the rave. I'm still thinking if I should upgrade mine. Not so much because I need the protection, but it does sound cool to be really well protected.
This signature is intentionally left blank

fredster

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #24 on: February 12, 2007, 03:08:23 pm »
King of the Flying Monkeys from the Dark Side

ChadTower

Re: Wi-Fi penetration made pant-soilingly easy
« Reply #25 on: February 12, 2007, 03:10:27 pm »