Tales of a White Hat War Driver
Responses from Owners of Insecure Networks
I realized that what I was finding was not a failure of the technology but a human failure. Sure, WEP isn't great and it can be broken, we all know that, but it is at least a locked front door. Recovering a WEP key takes far longer, especially on a lightly used network where the attacker has to wait for enough traffic to accumulate, than most hackers are willing to hang around for (unless they live next door). After studying my logs, tracking down the owners of these networks was relatively easy. In hopes of helping some of these folks, I called them, introduced myself, and told them what I had found.
I got a variety of responses. Many people were simply unaware of the security issue and admitted they had just taken the device out of the box and plugged it in. Also, many smaller shops had "professionals" come in and install their equipment, but security was never discussed.
One IT manager, shocked that I had found him from so far away, admitted that they chose not to use WEP because of the overhead involved. True, you can expect WEP to cost you about 1 Mb/sec of throughput, but I think the trade-off is worth it.
Some said the access point was just in "test" mode and not really being used. Others were upset simply because I had found them. The Federal Courthouse's original response was that the AP I discovered was for lawyers accessing the Internet and they didn't care if others could tap into it (Yikes!). Then they called back the next day with a different story. Finally, they called a third time and said it was no longer being used. Obviously, in this age of heightened security, some feathers were ruffled by this discovery.
I realize that many IT departments are under-staffed and over-worked, and that many smaller businesses don't even have an IT department. But users need to realize that when they deploy a wireless network they are giving up some control over physical access to their network. I have heard others compare it to laying a network cable out on the sidewalk and seeing who will connect to it.
Considerations for Implementing a Wireless LAN
Deploying a wireless network is a decision that needs careful evaluation. Below I have outlined items to consider both before and after implementing a wireless LAN.
- What will you use your wireless network for? Don't deploy it just because it's the cool thing to do and everyone else is doing it.
- What will your security model be? What types of information do you deal with, and what would the consequences be if your network was compromised?
- Consider requiring a VPN (Virtual Private Network) from the wireless clients into your network, or placing a firewall between the access point and your network. Or put the wireless LAN in its own VLAN (Virtual LAN) to separate it from the internal network; a VLAN only buys you separation if traffic between it and the internal network has to pass through a filtering device. Or use end-to-end encryption such as IPsec.
- Use the free, built-in security features that come with the access point, such as WEP. Unless they really want into your network, it's enough to send the casual hacker somewhere else. On a small network you may also want to use ACLs (Access Control Lists) that allow only certain MAC addresses to associate. Keep in mind that a MAC address can be copied from frames seen over the air, so treat this as a speed bump rather than a lock.
- If you require high security, invest in a more secure access point that authenticates against a RADIUS server or has other security features built in. The Lucent AP-500 is moderately priced but includes features found on their enterprise-class product, such as a Closed System Mode that doesn't broadcast its SSID, and it supports 128-bit WEP. A hidden SSID still travels in the clear when a client associates, so it deters casual discovery rather than a determined listener. And at this writing, access points with dynamic WEP key generation have become available.
- Unless you purposely want outdoor users on your network, try to locate access points in the middle of the building and away from glass windows. Or use a directional antenna so the radio pattern is focused on a known area.
- If you have a large business, you may want to write a policy on how the company controls its airspace. WLANs have become so popular that many companies find individual departments setting them up without permission from the central IT department. This can interfere with and degrade the corporate WLAN, since they may use the same radio channels. Some of the APs I discovered, once traced back to the business, turned out to be unauthorized by the network administrators.
- Use the built-in security on your network switches. For instance, with 3Com switches I have used DUD (Disconnect Unauthorized Device) on ports, and SNMP "MAC Address Change" warnings, to ensure that new devices aren't plugged into the network without authorization. An unauthorized access point plugged into a wall jack shows up on the wired side as a new MAC address, or as several stations appearing behind a port that should have one.
- If you are working with a VAR or some other installer, obtain a written agreement as to the type of wireless configuration they are responsible for installing. Make sure they leave proper documentation as to what they've done.
- Don't be too descriptive in naming your WLAN. An SSID that spells out the company or department tells a war driver exactly whose network he has found.
- Because most wireless end users work with laptops and PDAs (Personal Digital Assistants), which are more easily stolen or misplaced than desktops, take precautions against loss and have a plan in place in case it happens, such as system-level passwords so that someone cannot simply read the computer's hard drive. On some systems the WEP key is stored in plain text in the Windows registry, making it easy to retrieve from a stolen machine. Have a plan in place for changing WEP keys as well; this should be done periodically anyway, and one lost laptop compromises the shared key for every station on the WLAN.
- Do a site survey!!! I can't stress this step enough. Most people have no idea where their radio waves are traveling. Walk or drive around the perimeter of your site and document where your coverage areas are. Most access points use omnidirectional antennas, so their pattern consists of a large circle.
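The switch-side check in the list above (watch for new or unexpected MAC addresses on wired ports) can be done off the switch's own notifications. The following is an added example, not code from the article or from 3Com: it reads MAC-learn events in a made-up "mac-learn port=<n> mac=<addr>" syslog format (real switches report the same fact through syslog or SNMP traps in their own formats, so EVENT_RE would need adapting), compares each against a per-port allowlist, and also flags two conditions a bare allowlist misses: several stations appearing behind one port, which is what an access point or hub plugged into a wall jack looks like, and the same MAC turning up on a second port. The sample events and the allowlist are constructed.

```python
"""Flag unauthorized devices from switch MAC-learning notifications.

Added example, not code from the article. The log format below
("mac-learn port=<n> mac=<addr>") is made up for illustration; adapt
EVENT_RE to whatever your switch actually emits via syslog or SNMP.
"""
import re
from collections import defaultdict

# Constructed sample notifications (not real 3Com output).
SAMPLE_EVENTS = """\
Mar 30 09:01:12 sw1 mac-learn port=1 mac=00:11:22:33:44:55
Mar 30 09:01:15 sw1 mac-learn port=2 mac=00:11:22:33:44:66
Mar 30 09:02:01 sw1 mac-learn port=2 mac=00:11:22:33:44:66
Mar 30 09:03:40 sw1 mac-learn port=7 mac=00-11-22-33-44-77
Mar 30 09:05:02 sw1 mac-learn port=2 mac=00:11:22:AA:BB:CC
Mar 30 09:05:03 sw1 mac-learn port=2 mac=00:11:22:AA:BB:CD
Mar 30 09:06:10 sw1 mac-learn port=3 mac=0011.2233.4455
"""

# Which station belongs behind each port (constructed allowlist).
AUTHORIZED = {
    1: {"00:11:22:33:44:55"},
    2: {"00:11:22:33:44:66"},
    3: {"00:11:22:33:44:88"},
}

EVENT_RE = re.compile(r"mac-learn port=(\d+) mac=(\S+)")


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def analyze(events, authorized):
    """Return (port, mac, reason) alerts for suspicious MAC-learn events."""
    allowed = {p: {normalize_mac(m) for m in macs} for p, macs in authorized.items()}
    seen = defaultdict(set)   # port -> MACs learned on it
    location = {}             # mac -> port it was first learned on
    alerts = []
    for line in events.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        port, mac = int(m.group(1)), normalize_mac(m.group(2))
        if mac in seen[port]:
            continue  # re-learn of a known station; not interesting
        seen[port].add(mac)
        if port not in allowed:
            alerts.append((port, mac, "activity on a port with no authorized device"))
        elif mac not in allowed[port]:
            alerts.append((port, mac, "unauthorized device"))
        # Two or more stations behind one port usually means a hub or an
        # access point has been plugged in where a single PC should be.
        if len(seen[port]) > 1:
            alerts.append((port, mac, "more than one station behind the port"))
        # The same MAC showing up on another port is either a moved machine
        # or someone reusing an address they saw, so it is worth a look too.
        if mac in location and location[mac] != port:
            alerts.append((port, mac, f"same MAC previously seen on port {location[mac]}"))
        location.setdefault(mac, port)
    return alerts


if __name__ == "__main__":
    for port, mac, reason in analyze(SAMPLE_EVENTS, AUTHORIZED):
        print(f"port {port:>2}  {mac}  {reason}")
```

Run against the constructed events, the unknown device on port 7, the two extra stations behind port 2 and the reused address on port 3 are each reported; the repeated learn of the legitimate station on port 2 is ignored. Address formats are normalized before comparison, since switches, sniffers and allowlists rarely agree on separators or case.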
One last observation: wireless appears to be quickly gaining momentum in the home market, as I found many residential access points. Ironically, when I worked out the percentages, home users appeared to be better at securing their networks than many of the businesses I found. Two access points I remember coming across were residential units, WEP-enabled, with network names of "DONTUWISH" and "NOWAYDUDE." War drivers hate stuff like that!
Alan Rothberg has worked in the computer field for over fifteen years in a variety of network environments.
this guy sucks
2002-10-05 21:40:20 anonymous2
Yo, stop complaining. Jesus thought he was right and they killed him. Leave people alone; you are not doing anyone a favor, you are trying to make a name for yourself.
802.11 and wardriving
2002-09-16 15:32:52 anonymous2
The biggest mistake most people make with wireless: since it is wireless, it should be regarded as a hostile network, just like the Internet would be.
Use good passwords and the best encryption that is feasible in your budget. Get the 128-bit or better cards.
Also, do use WEP; it's free with the hardware, so use it.
Also, it's a good idea to have the airnet firewalled from the rest of your local network.
If this is too much work, then what happens is your fault.
Win2k Security Suggestions
2002-04-14 11:46:59 henrygguzman
Hello Alan,
Good article. I am also coming at you from beautiful Colorado Springs.
As part of a defense-in-depth strategy, I think Win2k and XP offer some good features that would help lock down a wireless LAN. Certificate-based file encryption and IP authentication between the LAN clients seem like a good fit to me. That way, if an intruder did penetrate your LAN, he would be unable to access any files unless he also hacked your certificate server, which would take more time. Hopefully you would detect the intruder with your IDS before he was able to crack the certificate server. You could pull the cert server off-line after it created the authorized certificates, but that would not permit you to renew the certificates daily.... What do you think, Alan?
I just ordered an access point, looking forward to doing some white hat experimentation and testing.
Regards,
Authenticating Firewalls
2002-04-02 21:02:07 Schuyler Erle
Or, you could put an authenticating firewall between your wireless net and the rest of your network -- perhaps something like NoCatAuth. </plug>
Netstumbler isn't silent
2002-04-01 11:37:44 jpetry
Just FYI,
In my experience, Netstumbler isn't silent, and its use can be detected. Netstumbler seems to send 802.11b management "Probe request" packets. If you have a recent tcpdump and a wireless card that can be put into promiscuous (aka monitor) mode, you can detect these packets.
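jpetry's point, that an active scanner gives itself away with probe requests, can be turned into a detector. What follows is an added example and not part of the article or of jpetry's comment: a small parser for raw 802.11 management frames (assumed to be captured without a radiotap or Prism header; strip that first if your capture has one) that picks out probe requests, reads the source address and SSID element, and counts how many broadcast (empty-SSID) probes each sender has transmitted. The assumption that a scanner probes with an empty wildcard SSID is mine; the comment says only that probe requests are sent. The frames, MAC addresses and SSID are constructed, and the threshold of three probes is arbitrary.

```python
"""Spot active 802.11 scanners by their probe requests.

Added example, not part of the article or the comment. It parses raw
802.11 management frames (no radiotap or Prism header) and counts
wildcard probe requests per sender. The capture below is constructed,
and "scanner probes with an empty SSID" is an assumption of this example.
"""
from collections import Counter

MGMT, PROBE_REQ, BEACON = 0, 4, 8
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ie(element_id, payload):
    """Encode one information element: id, length, payload."""
    return bytes([element_id, len(payload)]) + payload


def build_mgmt_frame(subtype, sa, da=BROADCAST, bssid=BROADCAST, body=b""):
    """Build a management frame: frame control, duration, addr1-3, seq, body."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return frame_control + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def parse_ies(body):
    """Decode tagged parameters; reject a truncated element rather than misread it."""
    ies, off = {}, 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        off += 2
        if off + length > len(body):
            raise ValueError("truncated information element")
        ies[eid] = body[off:off + length]
        off += length
    return ies


def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request, None for any other frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT or subtype != PROBE_REQ:
        return None
    source = mac_str(frame[10:16])          # addr2 is the transmitter
    ssid = parse_ies(frame[24:]).get(0, b"")
    return source, ssid.decode("utf-8", "replace")


def find_scanners(frames, threshold=3):
    """Senders of at least `threshold` wildcard (empty-SSID) probe requests."""
    counts = Counter()
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] == "":
            counts[parsed[0]] += 1
    return {sa: n for sa, n in counts.items() if n >= threshold}


# Constructed capture: a scanner, a normal client and an AP, all using
# locally administered MACs so nothing here points at a real vendor.
SCANNER = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
AP = bytes.fromhex("020000000aa0")
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))   # 1, 2, 5.5, 11 Mbps basic rates
SAMPLE_FRAMES = (
    [build_mgmt_frame(PROBE_REQ, SCANNER, body=ie(0, b"") + RATES)] * 4
    + [build_mgmt_frame(PROBE_REQ, CLIENT, body=ie(0, b"corp-wlan") + RATES)]
    + [build_mgmt_frame(BEACON, AP, bssid=AP, body=b"\x00" * 12 + ie(0, b"corp-wlan"))]
    + [bytes([0x08, 0x00]) + b"\x00" * 22 + b"data payload"]   # a data frame
)

if __name__ == "__main__":
    for sa, n in find_scanners(SAMPLE_FRAMES).items():
        print(f"{sa} sent {n} wildcard probe requests: likely a scanner")
```

The client's directed probe for "corp-wlan", the AP's beacon and the data frame are all ignored; only the repeated empty-SSID probes from the scanner cross the threshold. Note that a directed probe request from a real client also carries the SSID in the clear, which is one reason hiding the SSID on the access point is only a mild deterrent.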
Response to Colorado Springs
2002-03-30 16:29:21 alanr
Thanks for the comments Konrad! You raised some good points, but let me clarify a few things. I did mention WEP had been cracked (briefly, because it's a given), and I think if you re-read the article, you'll see I mentioned that WEP doesn't necessarily determine security (paragraph under 2nd picture), and stated that VPN, VLAN, IPsec or other measures can be employed.
As far as whether or not I actually connected to something, as a professional, I should tell you that doing so would violate my ethics, along with probably breaking the law. That's why I stated in the beginning that I used a personal firewall to keep me from connecting to anyone's network. By studying my firewall's logs, I can tell you honestly, I could've easily penetrated most networks. I shared my story with an NBC news reporter, and even he didn't want to push trying to break into anyone's network. I hope you can understand my position on this. Thanks again for the comments... NEXT?!
Alan
Just as open in Colorado Springs?
2002-03-30 07:20:04 kgrr
My experience here in the front range of Colorado (Denver and Colorado Springs area) is different. Here in Colorado Springs, more users depend on WEP for security. I see about 30% of access points secured with WEP. But many more have purposely discarded it. This is why I am not sure if counting the number of subscribers using WEP is an accurate measure of security. Let me explain.
It's important to note that Rothberg did not mention in his article that WEP has been cracked and that there are tools such as WEPCrack and AirSnort available online to break it. AT&T Labs has described a method which will break a WEP key in 15 minutes. Thus, if you have sensitive data, it is very important to use a VPN system overlay to authenticate your users and encrypt your data. In the cases where a VPN is used, the useless WEP is discarded because in larger businesses it's impossible to take the system down to change all the WEP keys. This is because WEP uses the same key for the entire system. His figure of only 14% of systems secure is very deceiving. To accurately measure open systems, one must actually have been able to connect to something on the other side of the wireless connection.
For a home user, look for access points that disable SSID broadcasts. The Linksys WAP 11 can do this with a software download from the manufacturer's web site.
Although very useful, be aware that MAC address filtering cannot be relied upon, because there are no standards that require client card manufacturers to have MAC addresses that cannot be altered. It is possible on many client cards to re-program the MAC address to match ones seen over the air with tools like Netstumbler. But most hackers don't know how to do this. It's another layer on the onion.
Another simple thing to do: password-protect all shared drives and resources. If access is gained to the network through the wired LAN or wireless LAN, it's important to safeguard your files and printer paper. LAN jacking does occur, but it is not as sensational a topic.
By all means, when 802.11i security becomes available, upgrade the defective WEP in your wireless network to secure the MAC layer.
Konrad Roeder
Consulting Systems Engineer
http://www.springswireless.com
Just as open in Colorado Springs?
2006-07-08 00:38:09 dawncq
If you did wardriving, you would notice that WEP only means "encrypted", no matter whether it is WEP, WPA, or something else. That's what the author should have mentioned too.
Getting what protocol a system uses is much more complex than just using probes. As "good behavior" software, NetStumbler won't risk connecting to or intruding on a network to give you a piece of information about the encryption protocol.