Security in Wireless Technologies

Prof. Javier Echaiz
Dept. of Computer Science and Engineering (Dpto. de Cs. e Ing. de la Computación)
[email protected]
http://cs.uns.edu.ar/~jechaiz



Wireless Security

Javier Echaiz 2

Roadmap

1. Wireless Technology
2. Wireless Hacking Examples
3. What to Do
4. Q & A

Wireless technology is everywhere…

Wireless Technologies

"With great power comes great responsibility."
Peter Parker, Spiderman

Nothing is free. This flexibility has its cost.
Javier Echaiz

Risks in Wireless

• Misconceptions about wireless security.

• Wireless threats in production: hotspots / rogue networks.

• DoS attacks, eavesdropping, protocol weaknesses, information disclosure, …

Risks (not covered in detail)

Risk = Threats × Vulnerabilities × Assets

Threats
• Administrative: user behavior, policy, procedures
• Physical: surveillance, hostile environment, TEMPEST, visitor control, inspection, fragile equipment, public placement
• Technical: identification, authentication, access control, protection mechanism, key management, engagement

Vulnerabilities
• Physical: loss, theft, damage, physical access
• Data: data removal, malicious code, storage CIA
• Access control: unauthorized device, unauthorized user
• Transmission: transmission CIA
• Connection: unapproved AP, unapproved network

Assets
• Network: equipment, availability
• Data / resource: sensitivity, criticality
• Devices: mobile devices, removable storage
• Classification: confidentiality [H, M, L], integrity [H, M, L], availability [H, M, L]

"CIA" = confidentiality, integrity, availability

Definition (1)

• An Ethernet network carried over radio waves instead of cables.

• A tool for convenience, ideal when mobility is required.

• A solution when connections are needed only for short periods of time.

Definition (2)

• A technology that can solve problems which, for various reasons, cannot be solved with wired technologies:
  – Places where it is impossible to keep adding cables, for whatever reason.
  – Areas too large for cabling to be practical.
  – Classrooms.
  – Etc.

What Wireless is not:

Wireless technologies are NOT a replacement for wired connections!!!!

Wireless is neither secure, nor fast, nor reliable.

Security

Speed

Reliability

Wireless is inherently insecure

• Data travelling over a wireless connection is sent (broadcast) over an open radio channel (like a walkie-talkie, shortwave radio, cell phone, etc.), or

• Wireless data travels "protected" by an insecure standard, WEP (Wired Equivalent Privacy), which is easily cracked and is based on a "shared secret". As a result, anyone with permission to access this network can read anything on the network!

Wireless is inherently insecure: there are many ways to attack

• Pretending to be someone/something else:
  – SSID attack
  – Malicious association
  – MAC spoofing
  – Man-in-the-middle attack

• Direct and denial-of-service attacks:
  – Insertion attack
  – Encryption attack
  – Jamming

Insecure: Easily Hijacked

Malicious Association: A hacker sets up a rogue access point, sets it to display a dummy login page, and collects usernames and passwords. This is probably the most likely scenario to happen at universities. Using the security tools mentioned later in this presentation is a great way to avoid falling for this trap.

Insecure: Easily Sniffed

"Sniffing" a connection means listening in (much like a tap on a phone) and pulling useful information out of the data stream. Most data is sent as "clear text", which means that the sniffer can read it with little effort.

Security: Why the user should care

• System administrators are often asked by users:

• "Why should I care about security? Nothing I do is confidential."

ARE YOU SURE?

Security: Why the user should care (1)

• Think about your password. How many systems do you use it on? E-mail, file server, your on-line banking/brokering, one-click buying at Amazon.com (where they have your credit card number on line), airline reservation sites or travel agents.

• If someone gets your password, they can access any of those.

Security: Why the user should care (2)

• Always use different passwords on different systems. That way, if one password gets compromised, the rest of your accounts will still be protected.

Security: Why the user should care (3)

• Is any student information (IDs, grades, etc.) ever sent in e-mail? These (and other) data are considered confidential. There are legal issues regarding the safety and accessibility of information.

• What if someone accessed your e-mail and sent a threatening or harassing e-mail to someone? How could you prove it wasn't you? Your word is often not enough.

• "Sniffing" wireless traffic is trivially easy with free, easy-to-download, easy-to-use software.

Sniffing a telnet session (user view)

Sniffing a telnet session (sniffer view)

Sniffing an SSH session:

This is a similar session when the end user is using encryption (SSH). The sniffer is out of luck.

Sniffing a search session: end user

Sniffing a search session: sniffer

The wireless card itself is a new avenue of attack.

Your hard drive is accessible. If you're not actively using the card, disable it or remove it.

Security solutions

It is possible to be mostly safe using wireless technology, but the end user must be very careful. More later in this presentation.

Security

Speed

Reliability

Speed: wired is much faster than wireless:

Speed (1)

• Wireless is considerably slower than wires.

• It's a shared resource, so the more people use it, the less there is for you.

Speed (2)

• It doesn't take much to have the wireless connection slow down to modem-like speeds.

• Unless the user is sitting right next to the access point, the best speed they might get is low (7 to 11 Megabits), and as soon as there is any interference, the speed drops dramatically.

• If there are other users, the available bandwidth is split between them. In addition, more users create more interference, so the speed goes down even further.

Security

Speed

Reliability

Wireless is unreliable: it's easily blocked

Blocked by a human hand…

• This shows how the strength of the signal is decreased by placing a hand over the wireless card.

• Green is good signal, red is interference, purple is dropped signal.

Wireless is unreliable: lots of interference

Interference by other technology

• This shows how much interference is added by using a 2.4 GHz cordless phone near the wireless card.

• Green is good signal, red is interference, purple is dropped signal.

So, what can the user do about...

• Speed: Well, nothing, except get a better signal (move closer, remove obstacles).

• Reliability: Again, not much. The laws of physics are fairly immutable, after all. Next-generation access points may have some other solutions: different bandwidths, more redundancy in the data transfer, etc.

• Security: Lots! That's what most of the rest of this presentation is about.

How the Wirewall works: (1)

• The user starts up their machine and opens a web browser to go to their favorite site.

• The Wirewall sees the connection request and redirects the user to the Wirewall login page.

Wirewall-specific X.500 login. This authentication process is encrypted.

How the Wirewall works: (3)

• The Wirewall sends the authentication data to the X.500 (central authentication server) and checks to make sure that the user is OK.

• The X.500 server sends back a 'yes' or 'no'.

• If 'yes', the Wirewall server opens a connection for that client (laptop) for a certain amount of time.

• This whole process is encrypted.

How the Wirewall works: (4)

• After the authentication process finishes, the Wirewall redirects the client back out to the original website.

• From here on out, unless the client is using their own encryption, everything is insecure.

• This authentication process must be followed before the client is allowed past the Wirewall onto the University network and/or the Internet (unless a VPN is used; more on that later).

Using Wireless Safely

• Be smart and aware
• Disable the wireless card unless it is in use.
• Use encryption
  – VPN (Virtual Private Network)
  – SSH (for TELNET, FTP, POP, IMAP, X-Win, etc.)
  – SSL (E-mail, web browsing)

Using Wireless Safely: Be Smart and Aware

• Always keep in mind that the information you may be transmitting might be confidential, important, legally protected, or potentially damaging.

• If it is any of those things, take steps to be safe.

• But always remember, part of the process will be out of your control. Do you trust the entire system/process?

VPN: Advantages / Disadvantages

• Advantages:
  – Encrypts all of the data from the client to the VPN server, not just certain applications.
  – Compresses data; can speed up the connection.
  – Bypasses Wirewall authentication and authenticates on the VPN server.
  – Easy to use once it is set up.

• Disadvantages:
  – Does not encrypt anything beyond the VPN server.
  – All encryption slows down the connection, but this is probably offset by the compression.
  – Has to be set up in advance.
  – Bye bye roaming.

Using Wireless Safely

• Use encryption
  – VPN (Virtual Private Network)
  – SSH (Secure Shell)
    • (for TELNET, FTP, POP, IMAP, X-Win, etc.)
  – SSL (Secure Socket Layer)
    • (E-mail, web browsing)

SSH / SSL

• SSH and SSL are both single-connection encryption methods which should be used whenever possible.

• SSH (Secure Shell) tends to be used by telnet/ftp-like applications such as SFTP/SCP and for tunneling.

• SSL (Secure Socket Layer) tends to be used by e-mail and web connections.

SSH / SSL Overview

SSH/SSL: Advantages & Disadvantages

• Advantages:
  – Encrypts data all the way from the client to the destination server.
  – Can be used for multiple destinations.
  – Easy to use once it is set up.

• Disadvantages:
  – Only encrypts the data using the SSH / SSL channel.
  – All encryption slows down the connection.
  – SSH: each connection needs a different setup.

SSL Usage

• In web browsers:
  – Generally initiated by the server, and the user is redirected to a secure site, often after a login page.
  – Uses certificates (Thawte, Verisign, or self-signed).
  – Confirm by checking the lock icon in the lower left or right hand corner of web pages.

• E-mail: SSL / PGP.

VPN vs. SSH/SSL

• A VPN encrypts the connection from the client to the VPN server. After that, the data is on its own.

• SSH/SSL encrypt the data ALL the way from the client to the final destination.

• You CAN use both at the same time.

The wireless card itself is a new avenue of attack.

• Your hard drive is accessible. If you're not actively using the card, disable it or remove it.

• If you have both your wired connection and your wireless connection plugged in and turned on, a hacker can use the wireless access to "bridge" over and access the wired network.

Tools used in wireless attacks

Yesterday and Today

• Last year
  – The NO Wireless policy
  – WEP
  – Captive portals

• This year
  – Face it, you have wireless
  – Policy
  – WPA2 + authentication
  – VPN
  – Firewall/policy enforcement
  – Bluetooth in everything
  – Fake access points
  – WiMax
  – EvDO

• Hacking attempts
  – War driving/walking/flying
  – Disgruntled employee
  – Industrial espionage
  – Electronic warfare

Whose WAP are you connected to, anyway?

Who are you connected to?

For everything else, there's MC!

War Driving

• Equipment
  – Laptop: US$ 1300
  – Wireless card: US$ 60
  – Antenna: US$ 10 (homebrew)
  – Scanning software: free
  – GPS (optional)

Equipment

• Antennas
  – Omni-directional
    • Mast mount
  – Semi-directional
    • Yagi
  – Highly directional
    • Grid
    • Parabolic

• Home-brew antennas

Equipment

• Laptops
  – *BSD
  – GNU / Linux
  – M$ Windows
  – Mac OS X
  – Etc.

• Handhelds
  – HP iPaq
  – Sharp Zaurus
  – Etc.

Interception Range

Basic Service Set (BSS): single cell

Station outside the building perimeter.

Have you been chalked?

Equipment

• Scanning software
  • Net Stumbler
    – www.netstumber.com
  • Airopeek
    – www.wildpackets.com
  • Wellenreiter
    – www.remote-exploit.org
  • KISMET
    – www.kismetwireless.net
  • AirSnort
    – airsnort.shmoo.org

The air in my kitchen…

Wi-Finders

http://www.kensington.com/html/3720.html#

Bluetooth Security

• Wireless standard for personal area networks (PANs)
  – Replaces wired connections
  – A few devices that a person carries
  – A few devices on a user's desktop

Bluetooth: Where?

• Cars
• Phones
• PDAs
• Laptops
• Printers
• Earpieces
• Keyboards, mice
• Coke machines

Bluetooth wardriving!!

Blue sniffing and…

• Smurf
• MeetingPoint
• BTScanner
• BlueSweep
• BlueWatch (not free)

• Blue Jack

The Blue Attack

• Hooking up?

• Open microphone

• Dialing for dollars

• Contacts, notes, e-mail

Securing Bluetooth

• PIN

• Don't be promiscuous

• Turn it off

IrDA

• Laptop
• Phone
• Blackberry
• PDA
• Keyboards/mice
• Is yours enabled?
• Easy transfer
• Banana sticker

EvDO

• Evolution Data Only, Evolution Data Optimized

• High speed
• Always on
• 2.4 mbps bandwidth
• Supported by some cell phones
• PCMCIA cards

Recommended References

• NIST 800-48
• Wireless Security Implementation Guide, Defense Information Systems Agency
• Wireless Security Checklist, Defense Information Systems Agency
• Open-Source Security Testing Methodology Manual, Institute for Security and Open Methodologies
• Wi-Foo: The Secrets of Wireless Hacking
• Real 802.11 Security: Wi-Fi Protected Access and 802.11i
• Wireless Security: Ensuring Compliance with HIPAA, GLBA, SOX, DoD 8100.2 and Enterprise Policy, AirDefense, www.airdefense.com
• Weaknesses in the Temporal Key Hash of WPA, Vebjorn Moen, Havard Raddum, Kjell Hole, University of Bergen, Norway
• Security Flaws in 802.11 Data Link Protocols, Nancy Cam-Winget, Russ Housley, David Wagner, Jesse Walker
• Securing a Wireless Network, Jon Allen, Jeff Wilson
• Securing Wireless Data: System Architecture Challenges, Ravi, Raghunathan, Potlapally, Computer and Communications Research Labs, NEC USA
• Solving the Puzzling Layers of 802.11 Security, Mischel Kwon
• 802.11 Security, Praphul Chandra
• NIST Wireless Network Security: 802.11, Bluetooth and Handheld Devices, Tom Karygiannis, Les Owens
• Cisco SAFE: Wireless LAN Security in Depth

WEP

Wired Equivalent Privacy (WEP)

• Basic encryption mechanism for wireless networks

• Uses RC4 for encryption

• Designed to prevent casual traffic-sniffing attacks

• There are a number of failures associated with WEP and a variety of attacks to defeat it
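One of the failures the slide refers to, as an added Python example that is not part of the original slides: a toy WEP encryptor (RC4 keyed with IV || key, CRC-32 ICV) shows that two frames sent under the same 24-bit IV cancel to the XOR of their plaintexts, so one known frame reveals the other, and the birthday bound shows how few frames it takes before a random IV repeats. The key, IV and payloads are constructed sample values.

```python
import math
import struct
import zlib
from typing import Optional, Tuple

IV_BITS = 24  # WEP sends a 24-bit IV in the clear in front of every frame


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (clear) || RC4_{IV||key}(payload || ICV)."""
    plaintext = payload + icv(payload)
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Return (payload, icv_ok); the ICV only catches accidental corruption."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4(iv + key, len(body)))
    payload, tag = plaintext[:-4], plaintext[-4:]
    return payload, tag == icv(payload)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Same IV => same keystream => C1 xor C2 == P1 xor P2, no key needed."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[3:], frame2[3:])


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound: frames needed for probability p that a random IV repeats."""
    return math.ceil(math.sqrt(2 * (2 ** IV_BITS) * math.log(1 / (1 - p))))
```

A busy access point sends a few thousand frames in seconds, so with random IVs a repeat is expected almost immediately; sequential IVs merely move the repeat to the next card reset.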

WEP Attacks

• Vendor implementation weakness
  – Neesus Datacom key generation algorithm
  – wep_crack (effective for 40-bit only)

• Dictionary attacks
  – WEPAttack

• FMS attacks
  – Aircrack(-ng)

Vendor Implementation Weakness Example

• wep_crack

Dictionary Attack Example

• WEPAttack

FMS Attack Example

• Aircrack-ng

LEAP

802.1x/EAP Overview

• Weaknesses and administrative problems of wireless networks
  – How do you distribute dynamic keys?
  – How do you authenticate users?

• Solution: a LEAP of faith!

LEAP Dictionary Attack

• Asleap

WPA

Wi-Fi Protected Access (WPA)

• WPA is a part of the 802.11i specification, which is dedicated to improving the security of wireless networks

• Two major problems with upgrading the security of wireless networks:
  – Had to be fixed as a software upgrade
  – Lack of available processing capacity in wireless equipment

• Temporary solution: Temporal Key Integrity Protocol (TKIP)

WPA Pre-shared Key (PSK) Attack

• cowpatty


References

• Wireshark – http://www.wireshark.org
• Kismet – http://www.kismetwireless.net
• wep_crack – http://www.lava.net/~newsham/wlan/
• WEPAttack – http://wepattack.sourceforge.net
• Aircrack-ng – http://www.aircrack-ng.org
• Asleap – http://asleap.sourceforge.net
• Cowpatty – http://sourceforge.net/projects/cowpatty
• File2air – http://secwatch.org/wifidownload.php?cat=5
• http://wirelessdefence.org

Top 10 for wireless security

1. Change the AP's default password (and username).
2. Use the best supported standard (WPA2, WEP256, etc.).
3. Change the AP's default SSID.
4. Enable MAC filtering (remember that it is not a panacea!).
5. Disable SSID broadcast.
6. Do not connect automatically to open Wi-Fi networks.
7. Assign static IPs / disable DHCP.
8. Enable a firewall both on the router (/AP) and on every device.
9. Place the router/AP in a good spot (signals leak out!).
10. Turn the network off when it will not be used for long periods.

Fundamental: education!

Secure technologies exist: use them intelligently!

?

[email protected]

Thank you...

Wireless Definition (Expansion)

[Diagram; its elements:]
• Corporate access point, corporate laptop, data, phone (1.0 Gb)
• Rogue access point, uncontrolled access point
• Wireless-capable devices: USB drive, iPod, non-corporate laptop
• Risks shown: theft / usurpation, access, mobile data storage, data removal, malicious code
• Interception, interference, damage

Securing Wireless at Work

• The security policy
• Authentication
• Authorization
• VPN
• DMZ
• Wireless on its own VLAN
• Hardened wireless gateway
• Device policy enforcement
• Passwords on devices
• Auto-erase on devices when password authentication fails a set number of times
• Disable, remove, or scratch IrDA ports that are not needed
• Regular physical examination of the site
• Wireless audits
• IDS

Secure 802.11 at Home

• WEP
  – RC4
  – 64 bit
  – 128 bit more secure (a bit slower)
  – Pass phrase

• WPA
  – Pre-shared keys
  • TKIP
    – Temporal Key Integrity Protocol. TKIP utilizes a stronger encryption method and incorporates a Message Integrity Code (MIC) to provide additional protection. Still RC4.
  • AES
    – Advanced Encryption Standard, which utilizes symmetric 128-bit block data encryption.
  – Pre-shared keys with RADIUS
  • RADIUS uses an external RADIUS server to perform user authentication.

More Home Security

• MAC filtering
• SSID
• VPN
• Best practices… what not to do on your wireless segment
• DMZ
• Firewalls

Robust Security Network Association

Parties: supplicant (wireless device), authenticator (access point), RADIUS server.

1. 802.11 association: supplicant and authenticator become associated.
2. EAP/802.1X/RADIUS authentication: produces the MSK (master session key) at the supplicant and at the RADIUS server, which passes it to the authenticator.
3. PMK (pairwise master key): derived from the MSK at the supplicant and the authenticator.
4. 4-way handshake: supplicant and authenticator derive the PTK (pairwise transient key) and the supplicant receives the GTK (group temporal key).
5. Group key handshake: distributes a new GTK to the supplicant; the GTK is used for broadcast and multicast traffic.
6. Data.
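The PMK/PTK part of the diagram above, and the PSK attack slide (cowpatty), as an added Python example not taken from the slides: PMK from passphrase and SSID (PBKDF2-HMAC-SHA1, as WPA/WPA2-Personal does instead of step 2's EAP), PTK from the handshake inputs via the 802.11i PRF-512, and the EAPOL-Key MIC (HMAC-SHA1-128, WPA2 key descriptor version 2) computed from the KCK. Because the PMK depends on nothing but passphrase and SSID, whoever captures a handshake can check candidate passphrases against that MIC offline, which is why long random passphrases or 802.1X matter. Addresses, nonces and the EAPOL body are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    Nothing per-session enters here: same passphrase + SSID gives the same PMK forever."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ...,
    concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """4-way handshake: PTK = PRF-512(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering is why both sides get the same PTK regardless of role.
    Layout: KCK (MIC key) || KEK (wraps the GTK) || TK (traffic key) || TKIP MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {"ptk": ptk, "kck": ptk[:16], "kek": ptk[16:32],
            "tk": ptk[32:48], "tkip_mic": ptk[48:64]}


def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key confirmation (WPA2, descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL-Key
    frame with its MIC field zeroed)[:16]. Message 2 proves the supplicant holds the
    PMK without transmitting any key material; it also gives an observer a test
    oracle for passphrase guesses once ANonce/SNonce are captured."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]
```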

WEP vs. WPA vs. WPA2

                   WEP                               WPA                               WPA2
Encryption         RC4                               RC4                               AES
Key rotation       None                              Dynamic session keys              Dynamic session keys
Key distribution   Manually typed into each device   Automatic distribution available  Automatic distribution available
Authentication     Uses WEP key as AuthC             Can use 802.1x & EAP              Can use 802.1x & EAP

A vs B vs G (2)

Non-discoverable Phones

• Most Bluetooth devices allow you to make them non-discoverable.

• They do not broadcast.

• It is still possible to brute-force the MAC address to connect.

• The Redfang tool does this for you.

Bluetooth Attacks

• Bluesnarfing
  – Vulnerabilities in the OBEX protocol allow unauthenticated access to Bluetooth services. Allows exploits such as dumping all contacts.

• Backdooring
  – Once a device is paired, even if that device is removed, access is still allowed.

• Bluebugging
  – Creating an unauthenticated serial-over-Bluetooth connection. Allows full access to the phone and supposedly allows attacks such as turning the phone into a listening device.

• Bluejacking
  – Tricking the user into setting up a connection through the widespread use of bluejacking.

Final Slide