Principles of Computer Security: discuss ethical, professional and legal issues which you consider arise from this scenario.

Presenter

Presentation Notes

2.4 GHz band – This is the frequency used by Bluetooth, 802.11 and other personal area networks. 5 GHz band – This is the frequency band used by 802.11a. Beacon frames – An 802.11 management frame for the network that contains several different fields, such as the timestamp and beacon interval, but most importantly, the SSID. Bluejacking – This is a term used for the sending of unauthorized messages to another Bluetooth device. Bluesnarfing – This is like bluejacking, with the exception that an attacker copies off the victim’s information. This can include e-mails, contact lists, calendars, and anything else that exists on that device. Bluebugging – This occurs when an attacker uses Bluetooth to establish a serial connection to a mobile device that allows full control over the phone, including the placing of calls to any number without the phone owner’s knowledge. Confidentiality – This is the ability to keep protected data a secret. Direct-sequence spread spectrum (DSSS) – This is a modulation type that spreads the traffic sent over the entire bandwidth. IEEE 802.1X – This protocol can support a wide variety of authentication methods. IEEE 802.11 – This protocol has been standardized by the IEEE for wireless local area networks (LANs). Orthogonal  frequency division multiplexing (OFDM) – With multiplexes, or separates, the data to be transmitted is broken into smaller chunks based on frequency and then the chunks are transmitted on several subchannels. RC4 stream cipher – It is used to encrypt the data as it is transmitted through the air. Service set identifier (SSID) – This identifies a specific 802.11 wireless network. It transmits information about the access point that the wireless client is connecting to. WAP  gap – This involves confidentiality of information where WAP and TLS encryption standards networks meet. Wired Equivalent Privacy (WEP) – This the encryption scheme used to attempt to provide confidentiality and data integrity on 802.11 networks. Wireless Application Protocol (WAP) – This protocol transmits data to small handheld devices such as cellular phones. Wireless Transport Layer Security (WTLS) – This encryption protocol is used on WAP networks.

Presenter

Presentation Notes

– Three versions are currently in production: 802.11g, 802.11b, and 802.11a, and a fourth standard, 802.11n, has been ratified. – WAP has been overtaken by a variety of protocols pushing us to third-generation (3G) or fourth-generation (4G) mobile networks. The security world ignored wireless for a long time, and then within the space of a few months, it seemed like everyone was attempting to breach the security of wireless networks and transmissions. One reason wireless suddenly found itself to be such a target is that wireless networks are so abundant and so unsecured. – Wireless is particularly problematic from a security standpoint, because there is no control over the physical layer of the traffic.

Presenter

Presentation Notes

Security+

Presenter

Presentation Notes

Almost all current mobile phones have wireless networking features built in. WAP has fallen by the wayside as mobile networks’ capabilities have increased The need for more and more bandwidth has pushed carriers to adopt a more IP-centric routing methodology with technologies such as High Speed Packet Access (HSPA) and Evolution Data Optimized (EVDO). – Mobile phones have ruthlessly advanced with new technologies and services, causing phones and the carrier networks that support them to be described in generations—1G, 2G, 3G, and 4G. 1G refers to the original analog cellular standard, Advanced Mobile Phone System or AMPS. 2G refers to the digital network that superseded it. 3G is the system of mobile networks that is currently being deployed. 4G runs an IP-based system utilizing Voice over IP.

Presenter

Presentation Notes

– Security+ – Wireless Transport Layer Security (WTLS) encryption scheme, which encrypts the plaintext data and then sends it over the airwaves as ciphertext. – WTLS uses a modified version of the Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL). The WTLS protocol supports several popular bulk encryption algorithms, including Data Encryption Standard (DES), Triple DES (3DES), RC5, and International Data Encryption Algorithm (IDEA). A MAC algorithm generates a one-way hash of the compressed WTLS data. WTLS supports the MD5 and SHA MAC algorithms.

Presenter

Presentation Notes

– Security+ – WTLS acts as the security protocol for the WAP network, and TLS is the standard for the Internet, so the WAP gateway has to perform translation from one encryption standard to the other. This translation forces all messages to be seen by the WAPgateway in plaintext. This is a weak point in the network design, but from an attacker’s perspective, it’s a much more difficult target than the WTLS protocol itself. – The limited nature of mobile devices hampers the ability of the security protocols to operate as intended, compromising any real security to be implemented on WAP networks.

Presenter

Presentation Notes

– This has reduced the need for lightweight protocols to handle data transmission, and more standard protocols such as IP can be used. – The increased power and memory of the handheld devices also reduce the need for lighter-weight encryption protocols. This has caused the protocols used for 3G mobile devices to build in their own encryption protocols. All the standards include transport layer encryption protocols to secure the voice traffic traveling across the wireless signal as well as the data sent by the device.

Presenter

Presentation Notes

Bluejacking involves setting the message as a phonebook contact. Then the attacker sends the message to the possible recipient via Bluetooth. A popular variant of this is the transmission of “shock” images, featuring disturbing or crude photos. As Bluetooth is a short-range protocol, the attack and victim must be within roughly 10 yards of each other. The victim’s phone must also have Bluetooth enabled and must be in discoverable mode. Bluesnarfing is used to require a laptop with a Bluetooth adapter, making it relatively easy to identify a possible attacker, but bluesnarfing applications are now available for mobile devices. The majority of Bluetooth phones need to be discoverable for the bluesnarf attack to work, but it does not necessarily need to be paired. In theory, an attacker can also brute-force the device’s unique 48-bit name. – Bluebugging allows access to the full AT command set—GSM phones use AT commands similar to Hayes-compatible modems. This connection allows full control over the phone, including the placing of calls to any number without the phone owner’s knowledge. Fortunately, this attack requires pairing of the devices to complete, and phones initially vulnerable to the attack have updated firmware to correct the problem. To accomplish the attack now, the phone owner would need to surrender her phone and allow an attacker to physically establish the connection.

Presenter

Presentation Notes

– The primary reason that spread-spectrum technology is used in 802.11 protocols is to avoid interference on the public 2.4 GHz and 5 GHz bands. – This use of subchannels is what the “frequency division” portion of the name refers to. Both of these techniques, multiplexing and frequency division, are used to avoid interference. Orthogonal refers to the manner in which the subchannels are assigned, principally to avoid crosstalk, or interference with your own channels.

Presenter

Presentation Notes

– Typical range for 802.11a is roughly 100 yards indoors and 300 yards outdoors, line of sight. 802.11a uses a higher band and has higher bandwidth. It operates in the 5 GHz spectrum using OFDM. Supporting rates of up to 54 Mbps, it is the faster brother of 802.11b; however, the higher frequency used by 802.11a shortens the usable range of the devices and makes it incompatible with 802.11b. The 802.11g standard uses portions of both of the other standards: it uses the 2.4 GHz band for greater range but uses theOFDM transmission method to achieve the faster 54 Mbps data rates.

Presenter

Presentation Notes

The SSID is a phrase based authentication mechanism that helps ensure that you are connecting to the correct AP. WEP has been shown to have an implementation problem that can be exploited to break security. Having physical control of an information asset is critical to its security. Physical access to a machine will enable an attacker to bypass any security measure that has been placed on that machine. Wireless networking takes the keys to the kingdom and tosses them out the window and into the parking lot. A typical wireless installation broadcasts the network right through the physical controls that are in place. An attacker can drive up and have the same access as if he plugged into an Ethernet jack inside the building—in fact, better access, because 802.11 is a shared medium, allowing sniffers to view all packets being sent to or from the AP and all clients. War-driving, war-flying, war-walking, warchalking— all of these terms have been used in security article after security article to describe attacks on wireless networks.

Presenter

Presentation Notes

Anonymity – An attacker can probe your building for wireless access from the street. Then he can log packets to and from the AP without giving any indication that an attempted intrusion is taking place. It gives attackers the ability to seek out and compromise wireless networks with relative impunity. The low cost of the equipment needed. A single wireless access card costing less than $100 can give access to any unsecured AP within driving range. – Attacking a wireless network is relatively easy compared to attacking other target hosts.

Presenter

Presentation Notes

– NetStumbler listens for the beacon frames of APs that are within range of the card attached to the NetStumbler computer. When it receives the frames, it logs all available information about the AP for later analysis. Since it listens only to beacon frames, NetStumbler displays only networks that have the SSID broadcast turned on. If the computer has a GPS unit attached to it, the program also logs the AP’s coordinates. This information can be used to return to the AP or to plot maps of APs in a city. -The shared medium of a wireless network exposes all packets to interception and logging. Popular wireless sniffers are Wireshark (formerly Ethereal) and Kismet. Sniffers are also important because they allow you to retrieve the MAC addresses of the nodes of the network. APs can be configured to allow access only to prespecified MAC addresses, and an attacker spoofing the MAC can bypass this feature. -Unfortunately, WEP has turned out to have several problems. WEP’s weaknesses are specifically targeted for attack by the specialized sniffer programs. They work by exploiting weak initialization vectors in the encryption algorithm. WepCrack and AirSnort are two programs used to exploit WEP. -All these tools are used by the wireless attacker to compromise the network. They are also typically used by security professionals when performing wireless site surveys, which identify the existence of a wireless network within the organization -Recurring site surveys are important because wireless technology is cheap and typically comes unsecured in its default configuration. If anyone attaches a wireless AP to your network, you want to know about it immediately -Rogue Access Points can be set up by well-meaning employees or hidden by an attacker with physical access. An attacker might set up a rogue access point if they have a limited amount of physical access to an organization, perhaps by sneaking into the building briefly. The attacker can then set up an AP on the network and, by placing it behind the external firewall or network IDS (NIDS) type of security measures, can attach to the wireless at a later date at their leisure.

Presenter

Presentation Notes

-This unique 32-character identifier is attached to the header of the packet. The SSID is broadcast by default as a network name, but broadcasting of this beacon frame can be disabled. Many APs also use a default SSID; for Cisco APs, this default is tsunami, which may indicate an AP that has not been configured for any security. Renaming the SSID and disabling SSID broadcast are both good ideas; however, because the SSID is part of every frame, these measures should not be considered adequate to secure the network. While the SSID is a good idea in theory, it is sent in plaintext in the packets, so in practice SSID offers little security significance— any sniffer can determine the SSID, and some operating systems, such as Windows XP (see Figure 12.6), will display a list of SSIDs active in the area and prompt the user to choose which one to connect to. From a security perspective, the beacon frame is damaging because it contains the SSID, and this beacon frame is transmitted at a set interval (ten times per second by default). Since a default AP without any other traffic is sending out its SSID in plaintext ten times a second, you can see why the SSID does not provide true authentication. Scanning programs such as NetStumbler work by capturing the beacon frames and thereby the SSIDs of all APs. – The IV is the primary reason for the weaknesses in WEP. The IV is sent in the plaintext part of the message, and because the total keyspace is approximately 16 million keys, the same key will be reused. Once the key has been repeated, an attacker has two ciphertexts encrypted with the same key stream. This allows the attacker to examine the ciphertext and retrieve the key. This means that equipment with an advertised WEP key of 128 bits can be cracked in less than a day, whereas to crack a normal 128-bit key would take roughly 2,000,000,000,000,000,000 years on a computer able to attempt one trillion keys a second

Presenter

Presentation Notes

– EAP-TLS uses per-user, per-session dynamically generated WEP keys to help prevent anyone from cracking the WEP keys in use, as each user individually has her own WEP key. The main problem with the EAP-TLS protocol is that it is designed to work only with Microsoft’s Active Directory and Certificate Services; it will not take certificates from other certificate issuers. The EAP-MD5 protocol works by using the MD5 encryption protocol to hash a user’s username and password. This protocol, unfortunately, provides no way for the AP to authenticate with the client, and it does not provide for dynamic WEP key assignment. In the wireless environment, without strong two-way authentication, it is very easy for an attacker to perform a man-in-the-middle attack. The problem of not dynamically generating WEP keys is that it simply opens up the network to the same lack of confidentiality to which a normal AP is vulnerable. An attacker has to wait only for enough traffic to crack the WEP key, and he can then observe all traffic passing through the network. Because the security of wireless LANs has been so problematic, many users have simply switched to a layered security approach—that is, they have moved their Aps to untrustworthy portions of the network and have forced all clients to authenticate through the firewall to a third-party VPN system. – All the security measures of the wired and wireless network can be defeated by the rogue AP. Since the IT department doesn’t know about it, it is an uncontrolled entry point into the network. No matter what kind of rogue AP you are dealing with, the rogue AP must be detected and controlled.