2.7. Explain the vulnerabilities and implement mitigations associated with wireless networking.

Wireless networking has become common on both corporate and home networks. Properly managing wireless networking for reliable access as well as security isn't always an easy or straightforward proposition. This section examines various wireless security issues.

Wireless cells are the areas within a physical environment where a wireless device can connect to a wireless access point. Wireless cells can leak outside the secured environment and allow intruders easy access to the wireless network. You should adjust the strength of the wireless access point to maximize authorized user access and minimize intruder access. Doing so may require unique placement of wireless access points, shielding, and noise transmission.

NOTE

For more information on topics in this section, refer to Chapter 2 of the CompTIA Security+ Study Guide, 4th Edition (Sybex, November 2008).

802.11 is the IEEE standard for wireless network communications. Various versions (technically called amendments) of the standard have been implemented in wireless networking hardware, including 802.11a, 802.11b, 802.11g, and 802.11n. 802.11x is sometimes used to refer collectively to all of these amendments as a group; however, 802.11 is preferred, because 802.11x is easily confused with 802.1X, which is a port-based authentication technology independent of wireless. You may still see the two terms used interchangeably when discussing standard wireless issues. Each amendment raised the maximum data rate: the original 802.11 offered 2 Mbps, 802.11b 11 Mbps, 802.11a and 802.11g 54 Mbps, and 802.11n 100 Mbps and beyond (up to 600 Mbps). These are signaling rates in megabits per second, not megabytes, and actual throughput is lower. The 802.11 standard also defines Wired Equivalent Privacy (WEP), which was intended to provide eavesdropping protection for wireless communications.

Wired Equivalent Privacy (WEP) is defined by the IEEE 802.11 standard. It was designed to provide the same level of security and encryption on wireless networks as is found on wired or cabled networks. WEP was intended to provide protection from packet sniffing and eavesdropping on wireless transmissions; as explained below, it no longer does.

A secondary benefit of WEP is that it can be configured to prevent unauthorized access to the wireless network. WEP uses a predefined shared secret key; however, rather than being a typical dynamic symmetric cryptography solution, the shared key is static and shared among all wireless access points and device interfaces. This key, prefixed with a 24-bit per-packet initialization vector, drives the RC4 stream cipher that encrypts packets before they are transmitted over the wireless link, thus providing confidentiality protection. An integrity check value (ICV), which is a CRC-32 checksum rather than a keyed cryptographic hash, is appended to each packet so the receiver can verify that it wasn't modified or corrupted while in transit; thus WEP also claims to provide integrity protection, although a plain CRC cannot stop a deliberate modification (see the weak encryption section). Knowledge or possession of the key not only allows encrypted communication, but it also serves as a rudimentary form of authentication because, without it, access to the wireless network is prohibited.

WEP was cracked almost as soon as it was released. Today, it is possible to crack WEP in minutes, rendering it worthless as a security precaution. Fortunately, there are alternatives to WEP, namely WPA and WPA2. WPA, or Wi-Fi Protected Access, is an improvement over WEP in that it does not use the same static key to encrypt all communications. Instead, it negotiates a unique key set with each host through a four-way handshake at association time. In personal (pre-shared key) mode, however, a single passphrase is used to authorize association with the base station (i.e., to allow a new client to set up a connection), and every key in the handshake is derived from it. An attacker who captures one handshake can test passphrase guesses offline, as fast as their hardware allows, without ever talking to the access point, so a short or dictionary-word passphrase will be guessed. A passphrase of 14 characters or more (the maximum is 63) that is not drawn from a dictionary is usually recommended; enterprise mode avoids the shared passphrase entirely by authenticating each user through 802.1X.
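The following is an added example, not code from the study guide, showing concretely why a captured WPA/WPA2-PSK handshake turns a weak passphrase into an offline guessing problem. The key derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the PTK, and HMAC-SHA1 truncated to 128 bits for the EAPOL-Key MIC); the SSID, MAC addresses, nonces, EAPOL bytes and word list are constructed for the demo and are not from any real capture.

```python
"""Added example (not from the study guide): why a captured WPA/WPA2-PSK
four-way handshake lets an attacker guess the passphrase offline.  The key
derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF
for the PTK, HMAC-SHA1 truncated to 128 bits for the EAPOL-Key MIC).  The SSID,
MAC addresses, nonces, EAPOL bytes and word list are constructed for the demo."""
import hashlib
import hmac

SSID = b"CorpNet"                            # constructed
AP_MAC = bytes.fromhex("001122aabbcc")       # constructed (authenticator address)
STA_MAC = bytes.fromhex("66778899ddee")      # constructed (supplicant address)
A_NONCE = bytes(range(32))                   # constructed; real nonces are random
S_NONCE = bytes(range(32, 64))               # constructed


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The SSID is the salt, so precomputed tables exist for common SSID names."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes) -> bytes:
    """PTK (384 bits for CCMP) from the PMK, both MAC addresses and both nonces,
    all of which the attacker sees in the clear in the handshake."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(A_NONCE, S_NONCE) + max(A_NONCE, S_NONCE))
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Message 2 of the handshake as a sniffer sees it, with the 16-byte MIC field zeroed
# (constructed stand-in: a real frame carries the EAPOL-Key header, replay counter,
# SNonce and the RSN information element).
EAPOL_MSG2_ZERO_MIC = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + S_NONCE + b"\x00" * 16


def handshake_mic(passphrase: str) -> bytes:
    """The MIC the supplicant puts in message 2: HMAC-SHA1 with the KCK (first 16 PTK
    bytes) over the EAPOL frame, truncated to 16 bytes.  The AP checks it the same way;
    so can anyone who captured the frame."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID))[:16]
    return hmac.new(kck, EAPOL_MSG2_ZERO_MIC, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(captured_mic: bytes, wordlist):
    """Attacker side.  No packets go to the AP, there is no lockout, and each guess
    costs one PBKDF2 (4096 SHA-1 rounds) plus four HMACs; GPUs manage hundreds of
    thousands of guesses per second."""
    for guess in wordlist:
        if hmac.compare_digest(handshake_mic(guess), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    captured = handshake_mic("sunshine1")   # a weak passphrase the admin chose
    print("recovered:", offline_dictionary_attack(captured, ["password", "letmein", "sunshine1"]))
```

The expensive step is the PBKDF2 call, which is the only thing standing between a captured handshake and the passphrase; that is why length and unpredictability of the passphrase, not the strength of AES, decide the security of a PSK network.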

WPA was not designed as the permanent replacement for WEP; it was a stopgap, based on a draft of the 802.11i amendment, that could run on existing WEP hardware through a firmware update because its TKIP encryption still uses RC4 (with per-packet keys and a message integrity check). The process of completing the amendment took years, and thus WPA established a foothold in the marketplace and is still widely used today. Additionally, WPA can be used on most devices, whereas the full features of 802.11i require AES support that some lower-end hardware lacks.

802.11i is the amendment that defines a cryptographic solution to replace WEP. By the time it was finalized, the interim WPA solution was already widely deployed, so the WPA name could not be reused as originally planned; the 802.11i certification was instead branded WPA2. Despite the name, WPA2 is not simply a second version of WPA: the two rely on different ciphers. WPA's TKIP wraps the old RC4 cipher in per-packet keying, whereas 802.11i/WPA2 replaces RC4 with AES in CCMP mode, which provides confidentiality, integrity, and replay protection for every frame, bringing the best-to-date encryption and security to wireless communications.

Wireless networking has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable, but can roam freely around an office or environment—anywhere within the signal range of the deployed wireless access points. However, this freedom comes at the cost of additional vulnerabilities. Wireless networks are subject to the same vulnerabilities, threats, and risks as any cabled network, plus there are the additional issues of distance eavesdropping and packet sniffing as well as new forms of DoS and intrusion.

When you're deploying wireless networks, you should deploy wireless access points configured to use infrastructure mode rather than ad hoc mode. Ad hoc mode means that any two wireless networking devices, including two wireless network interface cards (NICs), can communicate without a centralized control authority. Infrastructure mode means that a wireless access point is required, wireless NICs on systems can't interact directly, and the restrictions of the wireless access point for wireless network access are enforced.

One method used to discover areas of a physical environment where unwanted wireless access might be possible is to perform a site survey. A site survey is the process of investigating the presence, strength, and reach of wireless access points deployed in an environment. This task usually involves walking around with a portable wireless device, taking note of the wireless signal strength, and mapping this on a plot or schematic of the building. Site surveys should be conducted to ensure that sufficient signal strength is available at all locations where wireless devices are likely to be used, while at the same time minimizing or eliminating the wireless signal in locations where wireless access shouldn't be permitted (public areas, across floors, into other rooms, or outside the building). A site survey is useful for evaluating existing wireless network deployments, planning expansion of current deployments, and planning for future deployments.

2.7.1. Data emanation

Data emanation is the transmission of data across electromagnetic signals. Almost all activities within a computer or across a network are performed using some form of data emanation. However, this term is often used to focus on emanations that are unwanted or on data that is at risk due to the emanations.

Emanations occur whenever electrons move. Movement of electrons creates an electromagnetic field. If you can read that field, it can be recreated elsewhere in order to reproduce the electron stream. If the original electron stream was used to communicate data, then the recreated electron stream is also a recreation of the original data. This form of electronic eavesdropping sounds like science fiction, but it is science fact. The U.S. government has been researching emanation security since the 1950s under the TEMPEST project.

To protect against eavesdropping and data theft requires a multipronged effort. First, maintain physical access control over all electronic equipment. Second, where physical access or proximity is still possible for unauthorized personnel, use shielded devices and media. Third, always transmit any sensitive data using secure encryption protocols.

2.7.2. War driving

War driving is the act of using a detection tool to look for wireless networking signals. Often, war driving is used to describe someone looking for a wireless network they are not authorized to access. In a way, war driving is performing a site survey for possibly malicious or at least unauthorized purposes. War driving derives its name from the legacy attack concept of war dialing, which was used to discover active computer modems by dialing all numbers in a prefix or area code.

War driving can be performed with a dedicated handheld detector, with a PDA with WiFi capabilities, or a notebook with a wireless network card. War driving can be performed using native features of the OS, or specialized scanning and detecting tools can be used.

Once a wireless network is detected, the next step is to determine if the network is open or closed. An open network has no technical limitations as to what devices can connect to it, while a closed network has technical limitations to prevent unauthorized connections. If the network is closed, an attacker may try to bypass or crack the controls preventing the connection. Often, the closed feature is just disabling SSID broadcasting. This restriction is easily overcome with a wireless SSID scanner (see the next section for more information). Following this, the next step for a hacker is to determine if encryption is in use, what type is in use, and if it is possible to overcome that protection.

2.7.3. SSID broadcast

Wireless networks traditionally announce their SSID on a regular basis within a special packet known as the beacon frame. When the SSID is broadcast, any device with an automatic detect and connect feature is not only able to see the network, it can initiate a connection with the network. Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, and it is still sent in the clear in probe requests, probe responses, and association requests, so it remains a discoverable value with a wireless packet sniffer. Clients configured for a hidden network also probe for it by name wherever they go, revealing the SSID even off-site. Thus, SSID broadcast may be disabled if the network is not for public use, but realize that hiding the SSID is not true security, as any hacker with basic wireless knowledge can easily discover the SSID.

2.7.4. Blue jacking

Blue jacking is the sending of messages to Bluetooth-capable devices without the permission of the owner/user. Just about any Bluetooth-enabled device, such as a PDA, cell phone, and even notebook computers, can receive a blue jacked message. Most blue jacking is the sending of a vCard (a virtual business card) to a target device over the OBEX protocol (which is also used by infrared communications). Bluetooth on most PDA and cell phone devices (Class 2 radios) is only accessible from about 10 meters away or less, while a notebook with a Class 1 radio may be accessible from up to 100 meters away.

A blue jack message is often positioned in the name field of the vCard, with little to nothing else. This limits the messages to short strings of text. But still, this stunt can be used to pull off various pranks, teasing, and even advertisements. Some multimedia message–capable phones are also able to receive images and sound. Blue jacking is mostly harmless as it does not contain any malicious code, or at least has not so far.

2.7.5. Bluesnarfing

Bluesnarfing is the unauthorized accessing of data via a Bluetooth connection. Often the term blue jacking is mistakenly used to describe or label the activity of bluesnarfing. Successful bluesnarfing attacks against PDAs, cell phones, and notebooks have been able to extract calendars, contact lists, text messages, e-mails, pictures, videos, and more. Because bluesnarfing is the stealing of data, it is illegal in most countries.

Bluesnarfing typically occurs over a paired link between the hacker's system and the target device. If the device is not enabled to be seen by the public (i.e., discoverable) or to allow pairing, bluesnarfing is usually not possible. There was a Bluetooth flaw that could be exploited to perform bluesnarfing against phones that were set up as private, but this has long since been patched. It is true that bluesnarfing is also possible against non-discoverable devices if you know their Bluetooth MAC address, but this is usually not a practical attack as the 48-bit address must be guessed; the first 24 bits identify the manufacturer, which narrows the search, but the remaining 24 bits still leave about 16 million candidates per vendor.

2.7.6. Rogue access points

One vulnerability commonly discovered during a site survey is the presence of rogue wireless access points. A wireless access point can be connected to any open network port or cable. Such unauthorized access points usually aren't configured for security or, if they are, aren't configured properly or in line with the organization's approved access points. Rogue wireless access points should be discovered and removed in order to eliminate an unregulated access path into your otherwise secured network.

It is not an uncommon tactic for an attacker to find a way to visit your company (via a friend who is an employee or by going on a company tour, posing as a repair man or breakfast taco seller, or even breaking in at night) in order to plant a rogue access point. After a rogue access point is positioned, an attacker can gain entry to the network easily from a modest distance away from your front door.
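The following is an added example, not code from the study guide, that ties together the two preceding points: it parses 802.11 management frames to show how a hidden SSID still appears in probe traffic, and then triages the access points seen during a site survey against an inventory to pick out rogue access points and evil twins (an unknown BSSID advertising the corporate SSID). The frame layout (24-byte MAC header, fixed fields, tagged parameters) is the real 802.11 format; every MAC address, SSID, frame and the inventory are constructed for the demo.

```python
"""Added example (not from the study guide): a minimal parser for 802.11
management frames that shows why a hidden SSID still leaks, plus a first-pass
triage of observed access points against an inventory during a site survey.
All MAC addresses, SSIDs and frames below are constructed for the demo."""
import struct

# frame-control byte 0 for management subtypes 8 (beacon), 5 (probe response), 4 (probe request)
FC_BEACON, FC_PROBE_RESP, FC_PROBE_REQ = 0x80, 0x50, 0x40
SUBTYPE = {FC_BEACON: "beacon", FC_PROBE_RESP: "probe-resp", FC_PROBE_REQ: "probe-req"}
TAG_SSID = 0
BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(fc0: int, addr1: bytes, addr2: bytes, addr3: bytes, ssid: bytes) -> bytes:
    """Construct a management frame: 24-byte MAC header, fixed fields for
    beacon/probe-response, then tagged parameters (SSID, supported rates)."""
    header = bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = b""
    if fc0 in (FC_BEACON, FC_PROBE_RESP):
        # timestamp(8) + beacon interval(2) + capability info(2); constructed values
        body += b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0411)
    body += bytes([TAG_SSID, len(ssid)]) + ssid
    body += bytes([1, 1, 0x82])          # supported-rates tag, one basic rate, filler for realism
    return header + body


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, transmitter MAC, BSSID, ssid) or None for subtypes we ignore.
    ssid is '' when the frame carries a hidden (zero-length or all-NUL) SSID."""
    subtype = SUBTYPE.get(frame[0])
    if subtype is None or len(frame) < 24:
        return None
    transmitter, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    offset = 24 + (0 if subtype == "probe-req" else 12)   # probe requests have no fixed fields
    ssid = None
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2: offset + 2 + length]
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace") if length and any(value) else ""
        offset += 2 + length
    return subtype, transmitter, bssid, ssid


def survey(frames):
    """Merge what each BSSID has revealed about its SSID across frames, and record the
    SSIDs clients probe for (a client of a hidden network names it in every probe)."""
    aps, client_probes = {}, set()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, transmitter, bssid, ssid = parsed
        if subtype == "probe-req":
            if ssid:
                client_probes.add(ssid)
        elif ssid or bssid not in aps:
            # a probe response carrying the real name overrides a hidden beacon from the same BSSID
            aps[bssid] = ssid
    return aps, client_probes


def triage(aps, inventory, corporate_ssids):
    """Classify each observed BSSID.  inventory maps authorized BSSID -> expected SSID."""
    verdicts = {}
    for bssid, ssid in aps.items():
        if bssid in inventory:
            verdicts[bssid] = "authorized" if inventory[bssid] == ssid else "authorized AP, unexpected SSID"
        elif ssid in corporate_ssids:
            verdicts[bssid] = "suspected evil twin"
        else:
            verdicts[bssid] = "unknown AP: locate it and check for a wired connection"
    return verdicts


# --- constructed capture -----------------------------------------------------
CORP_AP = bytes.fromhex("001122aabbcc")
TWIN_AP = bytes.fromhex("0a1b2c3d4e5f")
HOME_AP = bytes.fromhex("c0ffee123456")
CLIENT = bytes.fromhex("66778899ddee")
CAPTURE = [
    build_mgmt_frame(FC_BEACON, BROADCAST, CORP_AP, CORP_AP, b""),             # corporate AP, SSID broadcast disabled
    build_mgmt_frame(FC_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, b"CorpNet"),  # client asks for the hidden network by name
    build_mgmt_frame(FC_PROBE_RESP, CLIENT, CORP_AP, CORP_AP, b"CorpNet"),     # AP answers, SSID in the clear
    build_mgmt_frame(FC_BEACON, BROADCAST, TWIN_AP, TWIN_AP, b"CorpNet"),      # corporate SSID from a BSSID not in inventory
    build_mgmt_frame(FC_BEACON, BROADCAST, HOME_AP, HOME_AP, b"Linksys"),      # someone's plugged-in consumer AP
]
INVENTORY = {mac_str(CORP_AP): "CorpNet"}


def run_survey():
    aps, probes = survey(CAPTURE)
    return aps, probes, triage(aps, INVENTORY, {"CorpNet"})


if __name__ == "__main__":
    aps, probes, verdicts = run_survey()
    for bssid, verdict in verdicts.items():
        print(f"{bssid}  ssid={aps[bssid]!r:12} {verdict}")
    print("SSIDs named by probing clients:", sorted(probes))
```

The "unknown AP" verdict is deliberately not "rogue": a neighbour's access point heard through the wall is not your problem, so the deciding step is whether the device is plugged into your wired network, which the survey itself cannot tell you.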

2.7.7. Weak encryption

Weak keys and weak encryption are not attacks but rather vulnerabilities in how a cryptography system is used that make various types of attacks possible. The term weak keys implies that the cryptographic key selected to encrypt a file or a communication session is either too short or too easily guessed. Weak keys are generally anything less than 64 bits in length; WEP's original 40-bit key is a familiar example. As a result of weak keys, attackers have an easier time cracking encrypted communications because they have to try fewer candidate keys during a full brute-force attack than they would for strong keys (those at least 128 bits long); every additional key bit doubles the work. In general, you should avoid weak keys by only using cryptography solutions that use longer, stronger keys, and remember that a long key derived from a short or guessable passphrase is still a weak key.

Mathematical attacks are a specific type of attacks against cryptography. They're directed against the algorithm in an attempt to exploit the arithmetic it employs. The goal of a mathematical attack is to either decrypt an encrypted message or to discover the key used for encryption.

Weak encryption can also describe any cryptography system that either has a design or implementation flaw or is being asked to provide security beyond its capabilities. This is unfortunately a recurring event across the globe as organizations use poor cryptography or use good cryptography poorly. One example of this is the WEP system from 802.11. WEP is based on RC4, but due to flaws in design and implementation, WEP is weak in several areas, two of which are the use of a static common key and poor use of IVs (initialization vectors). The IV is only 24 bits long, is sent in cleartext, and is simply prepended to the static key to form the per-packet RC4 key. With only about 16 million IVs, a busy network reuses them within hours, and a reused IV means a reused keystream, which lets an attacker XOR two ciphertexts together to cancel the encryption. Worse, RC4's key schedule leaks information about the key for certain "weak" IVs, so a WEP crack can reveal the WEP key after it collects enough such IVs. When the WEP key is known, the attacker can join the network, then listen in on all other wireless client communications.
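The following is an added example, not code from the study guide, that makes two of WEP's weaknesses concrete in working code: the keystream reuse that follows from a repeated IV (this section), and the fact that the CRC-32 ICV described in the WEP section above does not stop deliberate modification, because a CRC is linear and an attacker can fix it up blindly through the encryption. The RC4 cipher and the IV || key construction follow the 802.11 WEP design; the key, IVs and packet contents are constructed for the demo.

```python
"""Added example (not from the study guide): a toy WEP implementation used to
demonstrate keystream reuse when a 24-bit IV repeats, and undetected tampering
because the ICV is a plain CRC-32.  RC4 and the IV || key construction follow
the 802.11 WEP design; the key, IVs and packets are constructed for the demo."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in the clear) || RC4_{IV||key}(plaintext || ICV)."""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + xor(plaintext + crc32_le(plaintext), keystream)


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) exactly as a receiver would."""
    iv, body = frame[:3], frame[3:]
    decrypted = xor(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    return plaintext, icv == crc32_le(plaintext)


def recover_via_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_target: bytes) -> bytes:
    """Attack 1: two frames under the same IV share a keystream, so C1 xor C2 = P1 xor P2.
    With P1 known (a predictable ARP or DHCP packet, say), P2 falls out without the key."""
    assert frame_known[:3] == frame_target[:3], "attack needs a repeated IV"
    n = len(known_plaintext)
    return xor(xor(frame_known[3:3 + n], frame_target[3:3 + n]), known_plaintext)


def tamper(frame: bytes, delta: bytes) -> bytes:
    """Attack 2: flip chosen plaintext bits without the key.  CRC-32 is affine over
    GF(2): crc(P xor D) = crc(P) xor crc(D) xor crc(0...0), so the attacker xors the
    matching correction into the encrypted ICV and the receiver sees a valid frame."""
    icv_delta = xor(crc32_le(delta), crc32_le(b"\x00" * len(delta)))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


# --- constructed demo values -------------------------------------------------
KEY = bytes.fromhex("0badc0ffee")           # a 40-bit WEP key
IV = b"\x01\x02\x03"                        # only 2**24 values exist; busy networks repeat them within hours
P_KNOWN = b"ARP who-has 10.0.0.1"
P_SECRET = b"PASS hunter2 (plain)"          # same length as P_KNOWN
P_ROUTED = b"TO=10.0.0.5 PAYLOAD"


def demo():
    """Run both attacks; returns (recovered secret, tampered plaintext, ICV accepted?)."""
    frame_known = wep_encrypt(KEY, IV, P_KNOWN)
    frame_secret = wep_encrypt(KEY, IV, P_SECRET)            # same IV: keystream reused
    recovered = recover_via_iv_reuse(frame_known, P_KNOWN, frame_secret)

    frame_routed = wep_encrypt(KEY, b"\x04\x05\x06", P_ROUTED)
    delta = xor(P_ROUTED, b"TO=10.0.0.9 PAYLOAD")            # redirect the packet blind
    tampered_plain, icv_ok = wep_decrypt(KEY, tamper(frame_routed, delta))
    return recovered, tampered_plain, icv_ok


if __name__ == "__main__":
    recovered, tampered_plain, icv_ok = demo()
    print("IV reuse recovered:", recovered)
    print("tampered frame decrypts to", tampered_plain, "ICV accepted:", icv_ok)
```

Neither attack needs the WEP key, which is the point: a stream cipher keyed by IV || static key fails as soon as an IV repeats, and a linear checksum under a stream cipher is not an integrity check. WPA2's CCMP fixes both with a 48-bit packet number that never repeats under a key and a keyed CBC-MAC.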

2.7.8. Exam Essentials


Data emanation

Data emanation is the transmission of data across electromagnetic signals. Almost all activities within a computer or across a network are performed using some form of data emanation.


War driving

War driving is the act of using a detection tool to look for wireless networking signals. Often, war driving is used to describe someone looking for a wireless network they are not authorized to access.


SSID broadcast

Wireless networks traditionally announce their SSID on a regular basis within a special packet known as the beacon frame. When the SSID is broadcast, any device with an automatic detect and connect feature is not only able to see the network, they can initiate a connection with the network.


Blue jacking

Blue jacking is the sending of messages to Bluetooth-capable devices without the permission of the owner/user, usually as a prank.


Bluesnarfing

Bluesnarfing is the unauthorized accessing of data via a Bluetooth connection. Bluesnarfing is data theft and therefore a crime.


Rogue access points

A rogue wireless access point can be connected to any open network port or cable. Such unauthorized access points usually aren't configured for security or, if they are, aren't configured properly or in line with the organization's approved access points. Rogue wireless access points should be discovered and removed in order to eliminate an unregulated access path into your otherwise secured network.


Weak encryption

Weak encryption is any cryptography system that either has a design or implementation flaw or is being asked to provide security beyond its capabilities.


802.11 and 802.11x

802.11 is the IEEE standard for wireless network communications. Versions include the original 802.11 (2 Mbps), 802.11b (11 Mbps), 802.11a and 802.11g (54 Mbps), and 802.11n (100+ Mbps). The 802.11 standard also defines Wired Equivalent Privacy (WEP).


WEP

Wired Equivalent Privacy (WEP) is defined by the IEEE 802.11 standard. It was designed to provide the same level of security and encryption on wireless networks as is found on wired or cabled networks. WEP was intended to provide protection from packet sniffing and eavesdropping on wireless transmissions, but its static key and weak IV handling make it crackable in minutes. A secondary benefit of WEP is that it can be configured to prevent unauthorized access to the wireless network. WEP uses a predefined shared secret key.


Site surveys

A site survey is the process of investigating the presence, strength, and reach of wireless access points deployed in an environment. Site surveys should be conducted to ensure that sufficient signal strength is available at all locations that are likely locations for wireless device usage, while at the same time minimizing or eliminating the wireless signal from locations where wireless access shouldn't be permitted.
