Presentation by AirTight Networks
Wireless Vulnerability Management<br />
Understanding WiFi<br />
Cyber-attacks<br />
http://www.airtightnetworks.com/seminar/dsci.html<br />
Pravin Bhagwat<br />
pravin.bhagwat@airtightnetworks.com<br />
Co-founder and CTO<br />
AirTight Networks<br />
www.airtightnetworks.com<br />
To learn how AirTight can help secure your<br />
wireless network, send email to:<br />
contact@airtightnetworks.com<br />
©2008 AirTight Networks, Inc.
WiFi: Background<br />
[Diagram: a WiFi access point extends the wired Ethernet to a WiFi laptop inside the AP’s signal area; the wireless link is configured as Open, WEP, WPA or WPA2]<br />
- Extension of wired Ethernet<br />
- Unlicensed frequency<br />
- Built into laptops and phones<br />
Page 2<br />
Wireless Vulnerability Management ©2008 AirTight Networks, Inc.
Security Breach through WiFi:<br />
Recent Incidents<br />
Page 3<br />
TJX Breach - The Tip of the Iceberg<br />
• TJX network & servers compromised for 18+ months<br />
• 94 million payment card accounts compromised<br />
• Estimated liabilities >$4.5B<br />
• Other breaches uncovered during the investigation<br />
– BJ’s Wholesale<br />
– OfficeMax<br />
– Boston Market<br />
– DSW<br />
– Barnes and Noble<br />
– Sports Authority<br />
– Marshalls<br />
– Forever 21<br />
Page 4<br />
Types of WiFi Cyber Attacks<br />
[Diagram: attackers reach the enterprise network and its sensitive data storage over WiFi and through an external AP, bypassing the wired controls (firewall, wired IPS, SPAM/AV, URL filtering)]<br />
• Misuse of Internet access<br />
• Theft of confidential data or service disruption<br />
• Mobile users can bypass security controls or become an easy target<br />
Page 5<br />
Wireless Breaks the Wired Security Model<br />
[Diagram: the OSI stack set against the wired security controls that protect each layer]<br />
Layer 7 (Application)<br />
Layer 6 (Presentation)<br />
Layer 5 (Session)<br />
Layer 4 (TCP)<br />
Layer 3 (IP)<br />
Layer 2 (MAC) – Unprotected<br />
Layer 1 (PHY) – Unprotected<br />
Wired Security (upper layers): Anti-virus/ spyware/ malware/ spam; URL filters, Web proxies, IDS; SSL VPN, Network IDS, Host IDS; Network & Personal Firewalls, IP-SEC VPN<br />
Page 6<br />
Why is WiFi Cyber Crime on the Rise?<br />
[Diagram: attackers reach the enterprise network and its sensitive data storage over WiFi and through an external AP, bypassing the wired controls (firewall, wired IPS, SPAM/AV, URL filtering)]<br />
• Widespread WiFi vulnerabilities & lack of public awareness<br />
• Vulnerability exploitation is easy; hacking tools are readily available<br />
• Breach detection is not possible using currently deployed security systems<br />
Page 7<br />
WiFi Vulnerabilities:<br />
Airport Scanning Report<br />
Mumbai, Pune & Bangalore Scan<br />
Results<br />
Page 8<br />
Airport WiFi Scan Study Methodology<br />
• Phase 1: Visited 14 airports world-wide (11 in US; 3 in Asia-Pacific). Number of<br />
Access Points = 478; Number of Clients = 585<br />
• Phase 2: Visited 13 additional airports worldwide (9 in US, 2 in Europe, 2 in Asia-<br />
Pacific)<br />
• Traces collected from 30 Jan 2008 through 8 Feb 2008; 5-minute scans at<br />
randomly selected locations<br />
>> Portland (PDX)<br />
>> Chicago (ORD)<br />
>> Ottawa (YOW)<br />
>> Newark (EWR)<br />
>> Seoul (ICN)<br />
>> San Francisco (SFO)<br />
>> San Jose (SJC)<br />
>> Pittsburgh (PIT)<br />
>> Philadelphia (PHL)<br />
>> Malaysia (KLIA)<br />
>> Singapore (SIN)<br />
>> Orange County (SNA)<br />
>> Myrtle Beach (MYR)<br />
>> West Palm Beach (PBI)<br />
Page 9<br />
WiFi Scan of Mumbai, Pune and Bangalore<br />
Page 10<br />
A Closer Look at South Mumbai Results<br />
Access Points (Total 637): WPA 12%, WEP 42%, 802.11i 6%, Open (default) 13%, Open 27%<br />
• 40% of the APs in the survey are OPEN<br />
• 13% of APs are being used in the factory default configuration (OPEN, default password and SSID)<br />
• 42% (security conscious users?) are relying on WEP<br />
• Only 18% are using WPA/WPA2<br />
Strong evidence highlighting the need to educate WiFi users about security<br />
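To show how a scan tool arrives at the buckets on this slide, here is an added Python example (not part of the AirTight deck) that classifies each scanned AP from its beacon fields: the capability Privacy bit, the WPA vendor IE and the 802.11i RSN IE. The scan records and the list of factory-default SSIDs are constructed for illustration, not survey data.<br />

```python
# Added example (not from the AirTight deck): bucket scanned access points the way the
# survey slides do (Open, Open (default), WEP, WPA, 802.11i) from beacon fields, then tally.
# The scan records below are constructed for illustration, not survey data.
from collections import Counter

# Factory-default SSIDs used as a heuristic for "default configuration" (assumed list)
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}


def classify_ap(ap):
    """Derive the security class of one AP from its beacon/probe-response fields.

    ap: dict with 'ssid', 'privacy' (capability Privacy bit set),
        'wpa_ie' (vendor-specific WPA IE present), 'rsn_ie' (802.11i RSN IE present).
    """
    if ap["rsn_ie"]:
        return "802.11i"            # RSN IE present => WPA2 / 802.11i
    if ap["wpa_ie"]:
        return "WPA"                # WPA vendor IE without RSN IE => WPA
    if ap["privacy"]:
        return "WEP"                # Privacy bit set but no WPA/RSN IE => WEP
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        return "Open (default)"     # no encryption AND still carrying a factory SSID
    return "Open"


def summarize(aps):
    """Return {class: percentage} rounded to whole percent, like the pie chart."""
    counts = Counter(classify_ap(ap) for ap in aps)
    total = len(aps)
    return {cls: round(100 * n / total) for cls, n in counts.items()}


def open_share(summary):
    """Percentage of APs with no encryption at all (Open plus Open (default))."""
    return summary.get("Open", 0) + summary.get("Open (default)", 0)


def below_wpa_share(summary):
    """Percentage of APs that are Open or rely on WEP, i.e. anything weaker than WPA."""
    return open_share(summary) + summary.get("WEP", 0)


# Constructed scan sample: 10 APs with mixed configurations
SAMPLE_SCAN = [
    {"ssid": "cafe-free",   "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "guestnet",    "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "hotel-lobby", "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "linksys",     "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"ssid": "shop1",       "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "shop2",       "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "ticketing",   "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "baggage",     "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"ssid": "office-a",    "privacy": True,  "wpa_ie": True,  "rsn_ie": False},
    {"ssid": "office-b",    "privacy": True,  "wpa_ie": False, "rsn_ie": True},
]

if __name__ == "__main__":
    s = summarize(SAMPLE_SCAN)
    print(s)
    print("open:", open_share(s), "%  below WPA:", below_wpa_share(s), "%")
```

The order of the checks matters: an AP that carries an RSN IE also sets the Privacy bit, so testing the Privacy bit first would mislabel every WPA/WPA2 AP as WEP.<br />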
Page 11<br />
Similar Trend Found in Airport Scan Results<br />
• Majority of Wi-Fi networks are<br />
OPEN<br />
• A large number of WEP<br />
installations are also visible (~28%)<br />
• Small % of secure WPA/WPA2<br />
Wi-Fi networks<br />
But are all these hotspots?<br />
Page 12<br />
A magnified look at “unsecured” access points<br />
41% Hotspot APs:<br />
• Concourse<br />
• tmobile<br />
• Wayport<br />
• AttWi-Fi<br />
• FlyPittsburgh<br />
• Flypdx<br />
• singaporeair_B<br />
• singaporeair_F<br />
• JWA Hotspot<br />
• Ft.Laud-Hlwd_ Airport-Public<br />
• ACCESS-StarHub<br />
(1) Hotspot APs don’t hide SSID<br />
(2) Hotspot SSIDs are well known/published and advertised<br />
(3) Usually signal from multiple hotspot APs is visible at any coverage location<br />
59% Non Hotspot APs:<br />
• (null ssid)<br />
• Backbone<br />
• PacGate<br />
• LGDacom<br />
• SFOPRIVATE<br />
• Ice Currency Services<br />
• IAACCO<br />
• KIOSKWIRELESS<br />
• BullPenH1<br />
• AceRail<br />
• e-Baggage Trial AP1<br />
Page 13<br />
What is WEP being used for? – Airport<br />
Scan Example<br />
• Many of the unsecured WiFi networks are being used for:<br />
– Baggage handling<br />
– Passenger ticketing<br />
– Retailer stores<br />
“Hidden” SSID of an AP can be discovered in minutes!<br />
Page 14<br />
Target Networks are Also Easy to Identify<br />
[Word cloud of SSIDs observed in the scan:]<br />
Nandish 3Com DISHNET-BLR THE SLDASM PARK HOTEL The Oberoi,<br />
Bangalore, Taj, INFOEDGE, NSN-Guests Sunrise SMC SJCC.PG siraj SignaDesign<br />
SHELLVMR NSN-DC-BLR-Corina Unison SJCC.BCOM International<br />
CENTRAL PARK Sterling Suites Livevox linksys-usl lakhome KZAVMI Kusuma HCLD5<br />
HCLconf Pioneer HCLACCOUNTS INSPIRON INSILICA Infospace hm-wifi-data Highstreet<br />
Capital Hcbg3rd1 Hathway Microsense-Savannah UTStarcom BroVis Aricent Guest<br />
Aricent Employee guest-access ABD Network INN BANGALORE linksys<br />
guest-access Airlink EDGESOFT Taj hotels AMAT_Prod Lepapillon lekhraj<br />
Opsource_India Axentis Software India Blr Fortune Select JAGRANSOLUTIONS<br />
vger Trinity Mobily Infotech MSFTWLAN HHPL Hcbg3rd2 IBM Fidility1 A A<br />
ROYAL SUBWAY SMCBLR ORCHID Prudential WiFi Madhu lr LORDS essar-beetel<br />
domino's aztec1ff3 Amadeus-WAP-3F CENTRAL PARK Sysfore-Conference<br />
Page 15<br />
Tackling WiFi Security Challenge<br />
Page 16<br />
DoT Regulation dated 23 Feb 2009<br />
Home Users<br />
WiFi Hotspots<br />
Organizations<br />
• Aimed at regulating anonymous misuse of Internet access<br />
• Mandates use of centralized authentication for Internet usage/WiFi services<br />
• Regulation being channeled through ISPs. Compliance is required within<br />
four months<br />
Page 17<br />
Types of WiFi Cyber Attacks: Revisited<br />
[Diagram: attackers reach the enterprise network and its sensitive data storage over WiFi and through an external AP, bypassing the wired controls (firewall, wired IPS, SPAM/AV, URL filtering)]<br />
• Misuse of Internet access – the DoT regulation is aimed at solving only this first problem<br />
• Theft of confidential data or service disruption<br />
• Mobile users can bypass security controls or become an easy target<br />
Page 18<br />
WiFi Security: Practical Issues from<br />
Enterprise and Service Provider’s<br />
Perspective<br />
Page 19<br />
Using Centralized Authentication over WPA/WPA2<br />
[Diagram: WiFi clients authenticate over WPA/WPA2 before reaching the wired controls (Firewall, Wired IPS, SPAM/AV, URL filtering); threats shown at the wireless edge: Eavesdropping, Unauthorized Access]<br />
Unauthorized access to network will be blocked<br />
Page 20<br />
Practical Issues: #1<br />
Using Centralized Authentication<br />
over OPEN or WEP<br />
‣Guest access in enterprise scenario<br />
‣Hotspot service providers<br />
‣Home WiFi<br />
Page 21<br />
Recall: Wireless Breaks the Wired Security<br />
Model<br />
[Diagram: the OSI stack set against the wired security controls that protect each layer]<br />
Layer 7 (Application)<br />
Layer 6 (Presentation)<br />
Layer 5 (Session)<br />
Layer 4 (TCP)<br />
Layer 3 (IP)<br />
Layer 2 (MAC) – Unprotected<br />
Layer 1 (PHY) – Unprotected<br />
Wired Security (upper layers): Anti-virus/ spyware/ malware/ spam; URL filters, Web proxies, IDS; SSL VPN, Network IDS, Host IDS; Network & Personal Firewalls, IP-SEC VPN<br />
Page 22<br />
Using Centralized Authentication over OPEN or WEP<br />
1) Most hot spot providers use Web based authentication. After<br />
authentication is successfully carried out, a hacker can still gain<br />
network access using MAC address spoofing tools<br />
2) Free tools such as S-Mac or Mac MakeUp make spoofing a<br />
push-button exercise<br />
Unauthorized access still possible despite use of<br />
central authentication!<br />
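The slide’s point is that Web based (captive portal) authentication binds the session to a MAC address that any client can clone. A defender can at least detect the takeover: the added Python example below (not from the AirTight deck) tracks the DHCP fingerprint (option 12 hostname, option 60 vendor class) of each authenticated MAC and alerts when that fingerprint changes without a fresh portal login. The log format, MAC addresses and hostnames are constructed for illustration.<br />

```python
# Added example (not from the AirTight deck): flag captive-portal sessions whose client
# fingerprint changes after login, a sign that the authenticated MAC is being spoofed.
# Log format and entries below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since start of the capture
    kind: str          # "portal_login" or "dhcp"
    mac: str
    hostname: str      # DHCP option 12 (empty for portal events)
    vendor_class: str  # DHCP option 60 (empty for portal events)


def parse_line(line):
    """Parse one constructed log line, e.g.
    't=0 dhcp mac=00:11:22:33:44:55 host=alice-laptop vc=MSFT_5.0'"""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return Event(int(kv["t"]), fields[1], kv["mac"].lower(),
                 kv.get("host", ""), kv.get("vc", ""))


def detect_spoofed_sessions(events):
    """Return one alert per DHCP exchange whose (hostname, vendor class) differs from the
    fingerprint learned right after the MAC's latest portal login. A legitimate client
    keeps the same DHCP fingerprint for the life of its session; a second device that
    cloned the MAC to ride the authenticated session normally does not."""
    baseline = {}   # mac -> fingerprint of the first DHCP exchange after the last login
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "portal_login":
            baseline.pop(e.mac, None)        # explicit re-authentication: re-learn
            continue
        if e.kind != "dhcp":
            continue
        fp = (e.hostname.lower(), e.vendor_class)
        if e.mac not in baseline:
            baseline[e.mac] = fp
        elif baseline[e.mac] != fp:
            alerts.append({"mac": e.mac, "ts": e.ts,
                           "expected": baseline[e.mac], "seen": fp})
    return alerts


def analyze(lines):
    """Convenience wrapper: raw log lines in, alerts out."""
    return detect_spoofed_sessions([parse_line(l) for l in lines])


# Constructed log: Alice logs in and renews normally; at t=1800 a different device
# (different hostname and DHCP client) shows up using her MAC. Bob is clean throughout.
SAMPLE_LOG = [
    "t=0 dhcp mac=00:11:22:33:44:55 host=alice-laptop vc=MSFT_5.0",
    "t=5 portal_login mac=00:11:22:33:44:55",
    "t=10 dhcp mac=00:11:22:33:44:55 host=alice-laptop vc=MSFT_5.0",
    "t=20 dhcp mac=aa:bb:cc:dd:ee:01 host=bob-phone vc=dhcpcd-5.5",
    "t=25 portal_login mac=aa:bb:cc:dd:ee:01",
    "t=30 dhcp mac=aa:bb:cc:dd:ee:01 host=bob-phone vc=dhcpcd-5.5",
    "t=600 dhcp mac=00:11:22:33:44:55 host=alice-laptop vc=MSFT_5.0",
    "t=900 dhcp mac=aa:bb:cc:dd:ee:01 host=bob-phone vc=dhcpcd-5.5",
    "t=1800 dhcp mac=00:11:22:33:44:55 host=other-box vc=udhcp_1.2",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

This is a detection, not a fix: a cloned MAC that also copies the victim’s hostname and DHCP client looks identical at this layer. Closing the hole needs per-user keys at Layer 2, which is what the WPA/WPA2 with centralized authentication slide describes.<br />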
Page 23<br />
Practical Issues: #2<br />
Open Access Points<br />
Misconfigured Access Points<br />
Rogue Access Points<br />
Page 24<br />
Rogue AP = Unauthorized AP attached to<br />
the enterprise network<br />
• Backdoor to the wired enterprise network<br />
• If it goes undetected, it can completely compromise all your network defenses<br />
• Comes in many forms: Host AP, WiFi USB drives, Pocket AP, Wall jack AP<br />
• Corporate espionage, insider attack, or simply an unwitting, impatient employee looking for WiFi access<br />
Page 25<br />
Presence of Open, Misconfigured and Rogue APs can cause problems<br />
[Diagram: an unauthorized user reaches the sensitive data storage through OPEN, misconfigured or rogue APs and ad hoc connections, bypassing the wired controls (Firewall, Wired IPS, SPAM/AV, URL filtering)]<br />
• Outsider can steal sensitive data on the wire<br />
• Outsider can scan all enterprise devices and servers for vulnerabilities and exploit them<br />
• Unauthorized internet access still possible!<br />
Page 26<br />
Practical Issues: #3<br />
Dealing with Open Neighbor APs<br />
Page 27<br />
WiFi Signal Spillage from Neighbor’s APs<br />
Page 28<br />
Deliberate or inadvertent connections to<br />
neighbor APs<br />
[Diagram: enterprise network holding the sensitive data storage, with an OPEN neighbor AP within reach of its WiFi clients]<br />
• Deliberate<br />
– Employees get enticed to connect to Open external APs<br />
– Unprotected APs in the neighborhood, Hotspots<br />
• Inadvertent<br />
– Windows wireless connection utility caches earlier connected networks<br />
– Actively seeks to connect to those networks later<br />
– Most common with default SSIDs (linksys, default) and hotspot SSIDs (tmobile, GoogleWiFi)<br />
• Traffic over such connections bypasses enterprise security controls<br />
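Clients that have cached default or hotspot SSIDs announce them in 802.11 probe requests, which is how a wireless sensor can find the laptops at risk before anyone else does. The added Python example below (not from the AirTight deck) parses a constructed probe-request log and flags clients that probe for the default/hotspot SSIDs named on the slide, or that leak an unusually long list of remembered networks. The watchlist, log format, MACs and SSIDs are constructed for illustration.<br />

```python
# Added example (not from the AirTight deck): review 802.11 probe requests captured by a
# monitoring sensor and flag clients whose cached network list makes them easy to lure.
# Probe-log format, MACs and SSIDs below are constructed for illustration.
from collections import defaultdict

# Default and hotspot SSIDs named on the slide, plus a few assumed extras
RISKY_SSIDS = {"linksys", "default", "tmobile", "googlewifi", "free wifi", "attwifi"}

# SSIDs the enterprise itself operates (assumed)
AUTHORIZED_SSIDS = {"corp-wifi"}


def parse_probe_log(lines):
    """Constructed format: '<ts> <client_mac> PROBE_REQ ssid=<ssid>'. An empty ssid is a
    wildcard probe and is skipped: it reveals nothing about remembered networks."""
    probes = []
    for line in lines:
        ts, mac, _kind, rest = line.split(" ", 3)
        ssid = rest.split("=", 1)[1].strip()
        if ssid:
            probes.append((int(ts), mac.lower(), ssid))
    return probes


def find_at_risk_clients(probes, authorized_ssids=AUTHORIZED_SSIDS, max_foreign=4):
    """Return {client_mac: {"risky": [...], "unique": n}} for clients that either probe
    for a known default/hotspot SSID or probe for more than max_foreign networks that
    are not ours (a long preferred-network list is a long list of names to impersonate)."""
    seen = defaultdict(set)
    for _ts, mac, ssid in probes:
        seen[mac].add(ssid)
    report = {}
    for mac, ssids in seen.items():
        risky = sorted(s for s in ssids if s.lower() in RISKY_SSIDS)
        foreign = [s for s in ssids if s not in authorized_ssids]
        if risky or len(foreign) > max_foreign:
            report[mac] = {"risky": risky, "unique": len(ssids)}
    return report


# Constructed capture: client ..01 only looks for the corporate SSID, ..02 carries
# cached default/hotspot names, ..03 leaks a long travel history, ..04 probes wildcard only.
SAMPLE_PROBES = [
    "100 aa:bb:cc:00:00:01 PROBE_REQ ssid=corp-wifi",
    "101 aa:bb:cc:00:00:01 PROBE_REQ ssid=corp-wifi",
    "102 aa:bb:cc:00:00:02 PROBE_REQ ssid=corp-wifi",
    "103 aa:bb:cc:00:00:02 PROBE_REQ ssid=linksys",
    "104 aa:bb:cc:00:00:02 PROBE_REQ ssid=tmobile",
    "105 aa:bb:cc:00:00:03 PROBE_REQ ssid=home-net",
    "106 aa:bb:cc:00:00:03 PROBE_REQ ssid=cafe-corner",
    "107 aa:bb:cc:00:00:03 PROBE_REQ ssid=hotel-x",
    "108 aa:bb:cc:00:00:03 PROBE_REQ ssid=airport-y",
    "109 aa:bb:cc:00:00:03 PROBE_REQ ssid=guest-z",
    "110 aa:bb:cc:00:00:04 PROBE_REQ ssid=",
]

if __name__ == "__main__":
    for mac, info in find_at_risk_clients(parse_probe_log(SAMPLE_PROBES)).items():
        print(mac, info)
```

The output is a work list for the help desk: remove the cached default and hotspot profiles from those laptops, and disable automatic connection to non-corporate networks by policy.<br />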
Page 29<br />
Practical Issues: #4<br />
Threat of Wi-Phishing &<br />
Man-in-the-middle attacks<br />
Page 30<br />
Misassociations: Connections to a<br />
Honeypot (evil twin)<br />
[Diagram: a hacker’s honeypot AP advertising “Free WiFi”]<br />
• An attacker sets up an AP that advertises an SSID which is being probed by WiFi clients, or that advertises the SSID of a nearby enterprise or hotspot<br />
• Induces WiFi clients into connecting to it<br />
• Can launch a variety of attacks after the connection is established<br />
– Stealing sensitive corporate data<br />
– Man-in-the-middle/Wi-Phishing<br />
– Scanning the laptop for vulnerabilities (e.g., Metasploit)<br />
• Honeypot attack tools are freely available over the Internet<br />
– KARMA, Delegated<br />
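The rogue AP slide (Page 25) and this honeypot slide come down to the same question for a wireless sensor: is the AP heard on the air ours, attached to our wire, or outside? The added Python example below (not from the AirTight deck) answers it with an authorized BSSID inventory plus the switch MAC table, using the common heuristic (an assumption here, not a rule from the deck) that an AP’s BSSID lies within a few addresses of its wired MAC, and it also flags KARMA-style honeypots that answer to many different SSIDs. Inventory, MAC table and observations are constructed for illustration.<br />

```python
# Added example (not from the AirTight deck): classify APs seen by a wireless sensor against
# an authorized-AP inventory and the wired switch MAC table, separating authorized APs,
# rogue APs (on the wire), honeypot/evil-twin candidates and harmless external APs.
# Inventory, wired MAC table and observations below are constructed for illustration.
from collections import defaultdict

# SSID -> set of authorized BSSIDs (assumed inventory)
AUTHORIZED = {"corp-wifi": {"00:1a:1e:00:00:01", "00:1a:1e:00:00:02"}}

# MACs learned on enterprise switch ports (constructed CAM-table extract)
WIRED_MACS = {"00:1a:1e:00:00:00", "00:1b:2c:3d:4e:50", "00:50:56:aa:bb:cc"}


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def on_wire(bssid, wired_macs, delta=8):
    """Heuristic (assumed): an AP's wired interface MAC usually shares the OUI with its
    BSSIDs and differs only in the low bits, so a BSSID within 'delta' of a MAC seen on
    a switch port is treated as attached to the enterprise network."""
    b = mac_to_int(bssid)
    for m in wired_macs:
        w = mac_to_int(m)
        if (b >> 24) == (w >> 24) and abs((b & 0xFFFFFF) - (w & 0xFFFFFF)) <= delta:
            return True
    return False


def classify(ssid, bssid, authorized=AUTHORIZED, wired_macs=WIRED_MACS):
    """authorized | rogue | rogue-evil-twin | honeypot | external"""
    bssid = bssid.lower()
    if bssid in authorized.get(ssid, set()):
        return "authorized"
    wired = on_wire(bssid, wired_macs)
    if ssid in authorized:
        # Someone else is advertising our SSID: a rogue if it is on our wire,
        # otherwise an evil twin luring our clients from outside.
        return "rogue-evil-twin" if wired else "honeypot"
    return "rogue" if wired else "external"


def karma_like(observations, min_ssids=3):
    """BSSIDs seen advertising several different SSIDs in one scan window behave like a
    KARMA-style honeypot answering whatever the clients probe for."""
    ssids = defaultdict(set)
    for ssid, bssid in observations:
        ssids[bssid.lower()].add(ssid)
    return sorted(b for b, s in ssids.items() if len(s) >= min_ssids)


def triage(observations, authorized=AUTHORIZED, wired_macs=WIRED_MACS):
    """Return [(ssid, bssid, verdict)] for every (ssid, bssid) pair heard on the air."""
    return [(s, b, classify(s, b, authorized, wired_macs)) for s, b in observations]


# Constructed scan window: one authorized AP, one evil twin that also answers to hotspot
# names, one unknown AP that sits next to a switch-port MAC, and a neighbour's home AP.
SAMPLE_OBSERVATIONS = [
    ("corp-wifi", "00:1a:1e:00:00:01"),
    ("corp-wifi", "00:c0:ca:aa:bb:cc"),
    ("Free WiFi", "00:c0:ca:aa:bb:cc"),
    ("tmobile", "00:c0:ca:aa:bb:cc"),
    ("printer-net", "00:1b:2c:3d:4e:55"),
    ("neighbor-home", "00:25:9c:11:22:33"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_OBSERVATIONS):
        print(row)
    print("KARMA-like BSSIDs:", karma_like(SAMPLE_OBSERVATIONS))
```

The verdicts drive different responses: a rogue is a port to shut on the switch, a honeypot is a client-side problem (block association and warn users), and an external AP is only a spillage concern. The MAC-adjacency heuristic gives false negatives for APs behind a NAT router, so production WIPS products add active wired-side probing as a second check.<br />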
Page 31<br />
Video: Wi-Phishing using Honeypot<br />
Page 32<br />
Best Practices for Enterprise Wireless<br />
Security<br />
Page 33<br />
Layered Approach to Wireless Security<br />
[Diagram: enterprise WLAN (WEP, WPA, WPA2; Guest Access) in front of the wired controls (Firewall, Wired IPS, SPAM/AV, URL filtering), surrounded by the threats listed below]<br />
Common Wireless Vulnerabilities and Threats: Eavesdropping, Unauthorized Access, Cracking Exploits, MAC spoofing attacks, Denial of Service, Wi-Phishing, Honeypots, External APs, External Users, Misconfigured AP, Rogue AP, Adhoc connections<br />
Page 34<br />
Layered Approach to Wireless Security<br />
[Diagram: the same enterprise WLAN (WEP, WPA, WPA2; Guest Access) and wired controls (Firewall, Wired IPS, SPAM/AV, URL filtering), with the threats Eavesdropping, Unauthorized Access, Cracking Exploits, MAC spoofing attacks, Denial of Service, Wi-Phishing, Honeypots, External APs, External Users, Misconfigured AP, Rogue AP and Adhoc connections now inside a new perimeter]<br />
Re-establish Your Network Security Perimeter<br />
Page 35<br />
Wireless Intrusion Prevention System (WIPS):<br />
Making sure someone is watching!<br />
Page 36<br />
SpectraGuard Product Family<br />
• SpectraGuard Enterprise Server and Sensors for mid to large organizations<br />
– Server can be delivered on an AirTight Appliance or a ProCurve ONE Service Module<br />
– Sensors to support 802.11n and 802.11abg networks<br />
• SpectraGuard Online<br />
– AirTight SpectraGuard delivered as a service offering with no capital equipment purchase required<br />
Page 37<br />
Implementing Secure WiFi<br />
[Diagram: enterprise WLAN (WPA, WPA2; Guest Access; Autonomous APs; Test APs) in front of the wired controls (Firewall, Wired IPS, SPAM/AV, URL filtering); guest users and unauthorized users shown outside]<br />
1. WiFi access should be secure and restricted to only authorized users<br />
2. Guest WiFi access (for visitors) should be monitored so that its misuse can be detected and prevented<br />
3. Autonomously operated APs should conform to enterprise security policies<br />
4. Unauthorized access & security policy violations should be centrally detected, logged and blocked.<br />
Page 38<br />
Promote Safe and Secure Use of WiFi<br />
Policy Making – Regulatory Framework<br />
Education – Awareness Campaign<br />
Regulation/ Law Enforcement – WiFi Security Audits<br />
Technology Solutions – WiFi Security Technology<br />
Who’s at risk: Home Users, WiFi Hotspots, Organizations<br />
• Promote measures to reduce WiFi Cyber Attack Exposure through collaboration of<br />
regulatory, law enforcement agencies and through public private partnership<br />
• Education: encourage users to adopt security best practices<br />
• Regulation: require periodic self-audits, forensic log maintenance and compliance to standards<br />
• Enforcement: empower & train law enforcement agencies<br />
• Technology: use technology where appropriate to meet the desired security objectives<br />
Page 39<br />
Is Your Network at Risk?<br />
• Are your sensitive corporate secrets leaking over the air?<br />
• Are your employees connecting to neighbor’s WiFi networks?<br />
• Are you having difficulty enforcing your corporate security policies at multiple sites?<br />
• Can someone across the street shut down your WiFi network?<br />
• Are rogue WiFi devices attached to your enterprise network?<br />
[Diagram: the enterprise connected to the Internet]<br />
If the answer to any of these questions is “Not Sure” or “Yes” then your enterprise is vulnerable to a wireless security breach.<br />
Page 40<br />
Offerings by AirTight Networks<br />
WiFi Security Training<br />
WiFi Security Audit<br />
WiFi Intrusion Prevention<br />
Services: WiFi Security Course (2 days)<br />
After attending this course you should be able to:<br />
• Understand the risks associated with WLANs<br />
• Learn threats posed by WiFi hackers<br />
• Learn different techniques to manage and secure WLANs<br />
Services: Vulnerability Scan and Audit<br />
• Detect unauthorized or insecure WiFi devices in your premises<br />
• Assess compliance to WiFi security best practices<br />
• Detailed reports<br />
• One time or Quarterly<br />
Products: SpectraGuard Enterprise<br />
Best wireless intrusion prevention for complete 24/7 protection from all wireless threats:<br />
• Detect, locate and block rogue devices<br />
• Stop Data Leakage<br />
• Prevent unauthorized access<br />
• Prevent WiFi hack attacks<br />
Page 41<br />