10/18/2010. Learning Objectives. Wireless Security Challenges. Wireless Communication. Typical Wireless Scenario Standards. 802.

Transcription

1 Learning Objectives Wireless Security Challenges ITM 455 Information Security Dr. Sharon Tabor Review basics of wireless communication technology Explore wireless vulnerabilities and challenges Identify security controls to reduce wireless insecurity Differentiate levels of wireless access point protocol security Wireless Communication Wireless communication capabilities have evolved significantly since the early days transmission of packetized data over a wave topology, not using physical links radio waves, PTP over narrow band, or multipoint over WAP and IEEE standards for wireless LANs (b-1999), including revisions a, g, i, n inexpensive and easy to implement, widely used in organizations no control over traffic beyond the AP Typical Wireless Scenario AP broadcasts its SSID unless shut off Enables sniffing, packet logging, or unauthorized use of the access point Once compromised, all attached devices become vulnerable also In spite of the convenience offered by wireless standards, the protocols were never designed with security in mind identifies multi-rate ethernet over 2.4GHz spread-spectrum wireless at 1, 2, 5.5, and 11 Mbps "a" allows products in the 5 GHz spectrum using orthogonal frequency division multiplexing (OFDM), up to 54 Mbps Higher frequency use shortens range, & devices may compete at the same frequencies, causing interference "g" standard increased size of WEP key using RC4 stream cipher 802.1i (2004) promised more security, with authentication and AES encryption WPA (Wifi Protected Access) was implemented as as a subset of i & a temporary solution to WEP insecurities Fully interoperable version released as WPA2, or RSN (Robust Security Network), using AES block cipher 1

2 The i architecture includes 802.1X for authentication (entailing the use of EAP and an authentication server) RSN for keeping track of associations AES-based CCMP (Cipher Block Chaining Message Authentication CodeProtocol) to provide confidentiality, integrity, and origin authentication An important element of the authentication process is the four-way handshake, & a new key distribution method to overcome weaknesses in earlier methods Use of TKIP - Temporal Key Integrity Protocol (shared secret key w/mac address) Different implementations of EAP over TLS, TTLS, MD5, and Cisco developed LEAP Organizational alternative is a layered approach, with an infrastructure architecture & network segregation Accidental association A user turns on a computer and it latches on to a wireless access point from a neighboring company s overlapping network Malicious association Wireless devices connect to a company network through a cracking laptop instead of a company access point (AP) Ad-hoc networks peer-to-peer networks between wireless computers without an access point Non-traditional networks personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk even barcode readers, handheld PDAs, and wireless printers and copiers should be secured Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges Man-in-the-middle attacks attacker entices computers to log into a computer which is set up as a soft AP Denial of service (DoS) occurs when an attacker continually bombards a targeted AP or network with bogus requests, premature successful connection messages, failure messages, and/or other commands Network injection a cracker can make use of access points that are exposed to non-filtered network traffic Caffe Latte attack - a way to defeat WEP not necessary for the attacker to be in the area of the network using this exploit by using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client by sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in WEP the attacker uses the ARP responses to obtain the WEP key in less than 6 minutes 2

3 Wireless Quality & Confidentiality Issues Weather - rain, snow, hail, sleet = "rain fade Lightning - momentary interference or permanent damage Man-made interference - radar, electromagnetic pulse (EMP) Eavesdropping - organization specific, or wardriving (receiver & directional antenna) & marking (war chalking) Wireless Security Controls Proper AP configuration, better than no security for home or small office wireless where they are serve as deterrents & increase the work factor: secure the AP - (cloak) make it invisible, with hidden power source (including power over ethernet) change the default password turn off SSID broadcasting (still available in frame header) (removes identifying signals) use MAC access lists (may also be sniffed) Controls for Larger Organizations control wireless APs and devices control AP layouts (stealthy), and plan the geographic channel layouts to avoid extending transmission shut down APs after hours control signal strength & speed & deny logins from low power levels, implying they are off premise require strong authentication use serious security, moving to WPA/WPA2, TKIP & AES encryption isolate wireless users on minimal risk VLANs monitor activity Large Organizations (cont) Organizations with many employees are particularly vulnerable to security breaches caused by rogue access points If an employee (trusted entity) in a location brings in an easily available wireless router, the entire network can be exposed to anyone within range of the signals Other technical options (still new) Wireless IDS (WIDS) - keeps track of APs within the organization boundaries; logs Wireless Intrusion Prevention System (WIPS) - the most robust way to counteract wireless security risks WLAN Encryption Methods The initial WEP (wired equivalent privacy) protocol developed for wireless networks provided minimal protection A network key is generated and shared with each device, and unfortunately, can be easily sniffed, cracked, and put into use by a hacker or bandwidth bandit via war driving or drive-by hacking Better alternatives are WPA (wireless protected access) and i (WPA2) WLAN Encryption Methods WPA was an interim standard to address security concerns before i uses TKIP (temporal key integrity protocol) to rekey devices frequently, but still uses RC4, a relatively weak encryption algorithm i has very strong security, using AES encryption & TKIP (Temporal Key Integrity Protocol) therefore more resource intensive TKIP provides per-packet key mixing, a message integrity check and a re-keying mechanism, thus fixing the flaws of WEP 3

4 Dual Methods Organizations can choose between modes: PSK - pre-shared key for small office or home users 802.1X (enterprise) mode which will scale for larger organizations, definable to port level Implementation will guide the ultimate security of the standard; ie, a small PSK pass phrase (<20 characters) will generate a key weaker than WEP US government - TEMPEST - devices that produce electromagnetic signals that can be detected & decoded EAP/TLS Authentication Process WTLS Still in Use Wireless Transport Layer Security (WTLS) part of the Wireless Application Protocol (WAP) stack WTLS is the only lightweight encryption for through-the-air transmission it sits between the WTP and WDP layers in the WAP communications stack it has been superseded in the WAP 2.0 standard by the End-to-end Transport Layer Security Specification (Wikipedia, 2009) Security Achieved Confidentiality Modified version of TLS, uses DES, 3DES, RC5, IDEA (40 & 56-bit keys for the former, 40, 56, or 128 for the latter) Uses a shared key process, with several options for key exchange, including Diffie Hellman, Elliptic Curve DF, and RSA Integrity - implemented thru MACs - message authentication codes, supporting MD5 & SHA MAC Authentication - digital certificates, with authentication optional Mobile Device Security Issues Small handhelds lack the memory & processing power the TLS protocol was designed to use Mobile devices should use the same standards as laptops, & should also support data encryption Other requirements include strong passwords (not four-digit PINs such as on the iphone, which doesn't support EAP- TTLS) that can be managed centrally by IT Mobile Device Security Issues Handhelds are vulnerable with little data encryption, optional authentication, and several known attacks: chosen plaintext attack - predictable initialization vectors with known data and sequence numbering PKCS #11 (Cryptographic Token Interface Standard) - uses forced padding error inserted into the transmission stream alert message truncation - disruption of the connection by over-writing encrypted packets with plaintext alert message WAP GAP - transmissions are translated at the gateways, leaving data in clear as it passes 4

5 PCI-DSS RFID Payment Card Industry Data Security Standard a worldwide information security standard assembled by the Payment Card Industry Security Standards Council to attempt to control widespread credit card fraud this has been a particular problem as vendors moved to wireless technology standards include a long list of preventative controls on organizations using various types of scanners, with or without wireless LANs Radio Frequency Identification is a compact wireless technology involves an inexpensive chip that's readable up to several meters away a next-generation barcode, RFID will automate inventory control, cutting costs for retailers and manufacturers while many consumer groups are concerned with privacy issues of being tracked, in reality quality problems and security are larger concerns, as well as adding a whole new dimension to corporate espionage Instant Messaging Another interesting idea with no security Spread to other software & communication options accept file attachments, including Trojans or Worms (Goner, Choke) no encryption or virus checking process requires ID of available users, sends info in cleartext Solutions Organizations who allow should use local servers to keep traffic internal & proprietary New programs can encrypt - Trillian Collaborative Communication Insider threat has a new meaning the Next Gens going Favorite Web 2.0 applications are the type that present security concerns to the organization By age of 21, average 20yr old has been exposed to: 10,000 hours of video games 200,000 s 20,000 hours of TV 10,000 hours of cell phone conversation Less than 5,000 hours reading books Organizations need logical policies, & employee education Bottom Line Wireless communication offers many positive features that increase productivity Wireless communication is inherently insecure All users need to be aware of wireless threats & take action Careful plan, logical policy, hardened APs Knowledgeble application of secure methods 5