Is YOUR Wi-Fi security up to par?
Written by Rebecca Mints
Tuesday, 04 March 2008 09:02
You may want to take another look at your Wi-Fi network and the security measures you have in place. Security expert extraordinaire and SANS consultant Joshua Wright engages in a Q&A. Questions were fielded by NetworkWorld moderator Julie Bort before being presented to Joshua.
Question: How secure is WPA-PSK or WPA2-PSK?
Joshua Wright: PSK-based authentication mechanisms are notoriously vulnerable to offline dictionary attacks. I wrote one of the first WPA/WPA2-PSK attack tools, “coWPAtty.” (Get it? “coW-PAtty” — like the cow … excrement). Newer tools such as Aircrack-ng are even faster. The main problem with PSK mechanisms is that the same shared secret is stored on all devices. I was talking to a customer who was doing handheld credit card transactions with a wireless device using WPA2-PSK. They were PCI compliant (since PCI requires WPA, or all kinds of hoops with WEP), but they were vulnerable in that as devices were lost, stolen or turned in for service, the PSK was disclosed and available to anyone who could get their hands on the device. Enterprises should use 802.1X instead of PSK-based authentication strategies for stronger authentication and unique, per-user keys.
Question: How should organizations address the threat of driver vulnerabilities?
Joshua Wright: Since a driver vulnerability can expose a workstation to a remote compromise, and since the vulnerability is exploited in kernel space, which bypasses local security mechanisms (such as privilege separation, intrusion prevention mechanisms, spyware and anti-virus tools, etc.), it’s a serious threat. Organizations should start by compiling a list of all the wireless drivers they have installed in their organization, and regularly check the vendors’ websites for driver updates.
Question: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it’s susceptible to?
Joshua Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, like I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at www.willhackforsushi.com; the video will be up at shmoocon.org shortly). If PEAP and TTLS aren’t configured properly, an attacker can impersonate your RADIUS server and get access to the victim’s inner authentication credentials, possibly disclosing the user’s password, or giving the attacker access to the user’s MS-CHAP challenge response, which is almost as good.
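The misconfiguration described above is easy to see in a supplicant configuration. The following wpa_supplicant network blocks are an added illustration for this page (not from the interview or the Shmoocon slides); the SSID, CA file path, RADIUS hostname and user name are assumed values. In the first block the client never validates the RADIUS server's certificate, so any rogue AP advertising the same SSID can terminate the PEAP TLS tunnel and collect the inner MS-CHAPv2 exchange. The second block pins the issuing CA and the server's name, and sends a placeholder outer identity so the user name is not exposed in cleartext.

```conf
# Weak: no server certificate validation. Whoever answers the SSID gets the
# inner MS-CHAPv2 challenge/response (or the password with a weaker inner method).
network={
    ssid="corpnet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: the tunnel is only built to a server whose certificate chains to the
# corporate RADIUS CA and whose name matches; outer identity hides the real user.
network={
    ssid="corpnet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The Windows client has the same two knobs under the PEAP properties dialog: "Validate server certificate" with the corporate CA selected as the trusted root, and "Connect to these servers" restricted to the RADIUS server name. If either is left unset, a laptop that has ever joined the corporate SSID will hand its credentials to an impersonating AP at the airport or coffee shop.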
Question: Joshua, please let me know your thoughts on disabling broadcasting your router’s SSID.
Joshua Wright: It’s a bad idea. I know the PCI specification requires you to do this, and I’ve told them they need to remove this requirement from the specification. Imagine you are a government base and you don’t tell your agents where you are located. They have to walk around and keep asking “Are you the government base?” to everyone they meet. Eventually, some wily hacker or bad guy will say “Heck YEAH I’m your base, come on in and share your secrets with me.” This is essentially what happens with SSID cloaking, where you have to ask every AP you meet if their desired SSID is available, allowing an attacker to impersonate your SSID at the airport, coffee shop, in the airplane, etc. In short, don’t cloak your SSID, but don’t make your SSID something like “sexyhackertargethere” either.
Question: What new risks do you see regarding Bluetooth access points?
Joshua Wright: Bluetooth APs are problematic for organizations because they can offer the same range as 802.11b/g APs, but cannot be detected by 802.11 WIDS systems. This allows an attacker to introduce a rogue to your network, and escape detection by the WIDS system. This is something I used at a hospital a while back, where I faked “stomach pain” and plugged a Bluetooth AP into the waiting room electrical and RJ45 LAN jack. I used it to hack the hospital for a few weeks from the parking lot across the street until my connection disappeared. At the penetration test wrap-up, I asked for my Bluetooth AP back, and I got blank stares from the security team. Them: “What AP?” Me: “The AP I hid in the waiting room.” Them: “We never found an AP.” Yeah, SOMEONE STOLE MY AP!
Question: Can you explain some of the exploits available that can attack wireless mice and keyboards?
Joshua Wright: At the Black Hat Federal conference last week, Max Moser demonstrated attacks against 27 MHz keyboards and mice, where he is able to remotely capture and “decrypt” keystrokes and mouse positions. I use the phrase “decrypt” lightly, since as Max discovered, these devices often use only an XOR mechanism to protect data with a 16-bit “key.” With this capability, it is possible to create a remote, undetectable keystroke logger, which can record every keystroke entered by the user. Further, it appears possible to inject arbitrary keystrokes as well. Max points out that WinKey + R (opening the Run dialog box) could be particularly useful for an attacker trying to compromise a system.
Question: If KARMA was the scariest wireless attack of 2006/2007, what’s scariest for 2008 and beyond?
Joshua Wright: Well, I think attacking PEAP networks is pretty scary, but I’m a little biased. I am nervous about wireless driver attacks, and I think we’re only starting to see the beginning of this attack trend (best noted by commercial vendors selling products for LOTS of money to test your drivers for you).
Question: What makes attacking PEAP networks so scary?
Joshua Wright: If I compromise your authentication credentials from PEAP, then I have your username and password, likely your MS Windows domain username and password. That also gives me access to your domain servers, Outlook, file servers, MS SQL, SharePoint, etc. I think that’s kinda scary, don’t you?