Security Basics mailing list archives
Re: About War Driving ..
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 5 Dec 2006 12:50:09 +0100
On 2006-12-05 FatalSaint wrote:
> Ansgar -59cobalt- Wiechers wrote:
> In your case my answer is simple: Break your ethernet card.
Then you simply failed to understand my objections.
> All your comments on "Pointless.. the attacker can.." are moot. It's a simple fact - You can be hacked. Thus - does that make -all- forms of security.. "Pointless.. because the attacker can..."?
*sigh* I probably should've added "most easily", but I assumed that it would be clear to anyone on this list. Apparently my assumption was wrong. [...]
> Maybe you have never heard of the "Defense in Depth" strategy. The idea behind which is that you add multiple layers of defense to penetrate your network - thus making it more "difficult" for a potential cracker to get in. If he succeeds in cracking 1 layer, he is faced with another, and another, and if he is truly determined you weren't going to stop him in the first place.
I have heard a thing or two about "Defense in Depth", thank you very much. However, MAC filtering does not qualify as defense in depth, because the MAC address is broadcast in clear text. And because WLAN is a broadcast media you can't even tie a MAC address to a specific switch port. Meaning that all an attacker has to do is sit back and wait.
>> Please elaborate: how do you believe WPA could be cracked? I know that WPA-PSK can be cracked if a weak passphrase is chosen, but I haven't yet seen a mention of WPA-PSK with a strong passphrase or WPA/TKIP being cracked.
> This doesn't even require a response. WPA-PSK, TKIP and all other forms of password encryption and authentication -can- be cracked. The harder the passphrase; the longer the brute force. Keep this in mind when you tell me all my -other- alternatives are pointless: Your password is vulnerable. That is the end of story. Given time, dedication, patience and machinery (hell, right here in my house I can run a crack on 10 simultaneous machines across a linux cluster if I so desire -
*sigh* So tell me: how long does it take you to brute-force a strong WPA passphrase? Let's take a look: Assume you have a passphrase of, say 30 characters. Also assume we limit the passphrase to upper- and lowercase characters, digits and, say ten special characters. That amounts to 30^72 or 2.25 * 10^106 characters. Now, how long does it take you to brute-force this? If you can try a thousand passphrases per second you'd need an average of 3.66 * 10^95 *years* to crack a key. I don't know about you, but I would consider that sufficiently secure. And I entirely fail to see how the 10 microseconds needed to find a valid MAC address would add any substantial amount of security to that.
> imagine if a government wanted your information.)
If you wanted to protect your information from the government you'd use a VPN and still not use on MAC address filtering.
> Not to mention if you are in an office environment half your users write their passwords down; especially if you're a good netadmin that requires minimum length, minimum combinations of specials, etc - and this person in his case could very well be -inside- the building. How hard would it be for you to loot your friend's desk when he went to lunch?
Ummm... you *do* realize that the WPA passphrase is something you store in the system once you set up the wireless connection, and not something you have your users enter every time they want to access the WLAN, don't you? Of course you'd use additional measures to keep someone from walking up to a user's desk and simply retrieving it from his computer. However, that's a different scenario.
>>> 2) Disable DHCP if you have it running or
>> Pointless, because the attacker can spoof a valid IP address.
> Correct - tack on some time for him to find one.
An insignificant amount of time. That's what makes it pointless.
>>> 2) Disable DHCP if you have it running or
>> Pointless, because the attacker can spoof a valid IP address.
> Correct. See above.
Indeed. See above.
>>> 4) Disable SSID Broadcast (easily got around by anyone with kismet.. but still an added layer)
>> Pointless, because the attacker doesn't need a broadcast SSID to detect the WLAN.
> Correct - See above. He's gotta take the time to find it.
It seems that you don't understand what the SSID's purpose is. Not broadcasting the SSID doesn't hide a network, but just makes it show up with no specific ID. So the only difference for the attacker is the five seconds he needs to take a peek into either network showing up. Which makes it pointless as a security measure. Unless a peek would take him an average 3.66 * 10^95 years. In which case it would be irrelevant whether the attacker can or cannot identify the network by SSID anyway.
>>> 5) If your router has the capability; explicitly allow only the IP's for the machine's you assign to get out to the internet.
>> Pointless, because once the attacker can spoof a valid IP address.
> And of course causing IP conflicts and a slew of other problems that will both A) Slow him down and B) Speed up your detection of him.
IP conflicts? On a broadcast media? When the attacker has spoofed the MAC address as well? Yeah, right.
>> Not entirely pointless, but a) limits valid users as well, and b) is only effective once the attacker already *got* access to your network. Which is what you want to prevent in the first place.
> Wow - You have some defense in depth ideas already. Let's give you a cookie. So your suggestion is "Well; if he gets on .. we may as well sacrifice everything to him because we're morons anyway." I -certainly- would hire you.
At this point I was already assuming that you'd fail to get the point of my objections. Stop being an idiot and at least try to understand what I'm writing.
>>> 7) You could get as detailed as static routing and limiting the amount of bandwidth each machine/IP could use.
>> Pointless, because the attacker can spoof a valid MAC and IP address.
> Wow.. we hit a nail here. You completely missed what I said. I said static routing and limiting bandwidth. Even IF your assailant gets on - he can not use more than X kbps of YOUR BANDWIDTH unless he has 10 NICs, all bonded, all on your wireless LAN, all with separate IPs using separate routes combining 10 times X the bandwidth.
*sigh* Limiting bandwidth does not stop the attacker from doing Bad Things(tm), not to mention that it doesn't depend in any way on "static routing". Do you even understand what routing is?
> It's called segmenting I believe.
It's called segmentation, and you'd have to put either address into a separate subnet. Which is a rather stupid thing to do, because then you'd have to manage the entire traffic between the hosts on your LAN on layer 3 instead of layer 2.
>>> Log MAC Addresses. If he's smart enough to crack your wep then he's prolly spoofing MAC's.. but you could always go into your logs, see which MAC is associated with that IP - and then go to all the machines in your building that you can control and check the MAC Addresses - might tell you which machine is doing it.
>> That does only help if you know how to locate that machine. Which is exactly the problem the OP has (because with a WLAN you can't simply follow the wire).
> Did you read Hansel and Gretel? Follow the breadcrumbs.
There. Are. No. Breadcrumbs.
> I said it is -possible- to find it by checking -every- MAC address in your building. If he -didn't- spoof you -may- be able to find the machine.
The only thing this is going to tell you is that, yes this machine *does* have the MAC address in question. Which you already knew before. It does NOT tell you whether or not the MAC address was spoofed. And pray tell how he's going to find, say an attacker's notebook? It doesn't even have to be inside the building, since WLAN still is a broadcast media. Of course you'd still go through the logs of your machines to make sure it's really none of your users or machines. But as you said yourself: if the attacker is smart enough to crack WEP, he's most likely also smart enough to spoof the MAC address. And probably also to not use any computer that the network admin could associate with him.
> Again - There are NO definites in Information Security; vice one: Your system IS vulnerable - somewhere - Your job as a SysAdmin, is to find it.
It's already clear *where* the system is vulnerable: the use of WEP.
>> That may work, but also means a lot of work. Plus, it just moves the authentication to a higher layer. Why not just leave it in the network layer? Has the same effect, is easier to set up, and keeps a potential attacker entirely out of your network.
> Once again - Why put all your eggs in one basket?? The more layers you use, the more layers to peel.
More layers also mean increased complexity, thus making the network (and its security) harder to maintain. Which, in consequence, can *reduce* the network's security. [...]
> So far - 90% of the responses to this have been "Upgrade to WPA (WPA2 if capable)" and that is fantastic. I offered a more detailed trail of a list of specific items that can be done to help -prevent- intrusion. Each step, by itself, can be broken. Combine them all - and it becomes a nuisance.
*sigh* MAC filtering and disabling SSID broadcast aren't worth the trouble of setting them up. As for the other measures:

- Traffic shaping is almost always a good idea, but not a measure to stop an attacker.
- Network segmentation is a good idea in most cases too, but not in the way you described. It also depends on the OP's requirements, so there's no point in telling him to segment his network without telling him *in which way* to do this segmentation. Which we can't do, because we have insufficient information on his requirements.
- Blocking outgoing ports does limit an attacker, but may also limit valid users (especially if you whitelist ports), so it's a tradeoff. Also it doesn't address tunneling, and it becomes effective *after* an attacker gained access to the network.
- Additional authentication for Internet access is - when implemented correctly - a good security measure, but a) adds to your maintenance (making it a tradeoff too) and b) only becomes effective *after* an attacker already got access to your network. Thus it's only a measure to prevent him from (ab)using your Internet connection, *not* a measure to keep him from (ab)using your network.
- Using a transparent proxy is an effective measure in some cases, but there are several protocols that can't be proxied easily or without breaking them (e.g. https). It takes work to set it up, and it takes work to maintain it, which needs to be considered before implementing a measure like that. Also, like the measures above it becomes only effective *after* an attacker got access to your network. Thus it's not a measure to *prevent* an attacker from getting access to your network.

Bottom line: your suggestions are either ineffective or don't address the OP's original problem. Which is what I was objecting to.
> The very first thing you should do when planning Information Security is to write a very detailed document of "Authorized Use" for your network. LOCK DOWN ANYTHING that is not in that list. For a home network - most of this is irrelevant. For mission critical servers - You damn sure better be doing everything in your power to prevent data corruption. It's called CIA: Confidentiality, Integrity, and Availability. Those are the 3 items that any Systems Administrator must ensure.
True, but goes far beyond the OP's question, and also far beyond what can be covered in a single mail on this list. [...]
> The idea here is to be the least targetable person. If person A uses all of my techniques (and the others listed within this thread), and person B uses none: Who do you think will be cracked? I have personally seen zones with 20+ SSIDs floating through the air. 3 of them were completely unsecured with no WEP or MAC Filtering at all. 15 of them used WEP and 2 used WPA (according to a kismet scan of the area).
Using WPA with a strong passphrase already *makes* you the least targetable person. Why even bother about additional measures that don't add any significant amount of security, but do require (significant) additional maintenance? It's - as I said before - pointless.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
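The back-of-the-envelope brute-force estimate argued in the reply above, as an added example that is not part of the thread. It uses the post's parameters (30 characters drawn from 26 lowercase, 26 uppercase, 10 digits and 10 specials = 72 symbols; 1,000 guesses per second) and computes the keyspace as alphabet_size ** length, i.e. the base is the alphabet size and the exponent is the passphrase length. The `added_fraction` helper puts a fixed extra attacker cost (such as the microseconds the post quotes for sniffing a valid MAC address) next to the exhaustive-search time so the two can be compared on the same scale; all figures are constructed for illustration.

```python
"""Added example: cost of exhaustively searching a passphrase space.

Not code from the mailing-list thread; parameters below are the ones the
reply quotes and are constructed for illustration only.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed alphabet from the post: upper + lower + digits + ten specials.
ALPHABET_SIZE = 26 + 26 + 10 + 10      # 72
PASSPHRASE_LENGTH = 30
GUESSES_PER_SECOND = 1_000.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases: alphabet_size ** length.

    Exact integer arithmetic, so very large spaces don't lose precision.
    """
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet_size and length must be positive")
    return alphabet_size ** length


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average years to hit a uniformly random passphrase by exhaustive search.

    On average half of the keyspace is tried before the right one turns up,
    so the expected cost is keyspace / 2 guesses.
    """
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    guesses = keyspace(alphabet_size, length) / 2
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def worst_case_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years to try the entire keyspace (the attacker's worst case)."""
    return 2 * expected_years(alphabet_size, length, guesses_per_second)


def added_fraction(extra_seconds: float, baseline_years: float) -> float:
    """By what fraction a fixed one-off cost lengthens an attack of baseline_years.

    Used here to compare e.g. the time to sniff a valid MAC address against the
    passphrase search; a fraction near zero means the extra layer adds nothing
    measurable to the attacker's total effort.
    """
    if extra_seconds < 0 or baseline_years <= 0:
        raise ValueError("extra_seconds must be >= 0 and baseline_years > 0")
    return extra_seconds / (baseline_years * SECONDS_PER_YEAR)


def summary(alphabet_size: int = ALPHABET_SIZE, length: int = PASSPHRASE_LENGTH,
            guesses_per_second: float = GUESSES_PER_SECOND,
            extra_seconds: float = 10e-6) -> dict:
    """Collect the figures for one scenario in a dict (handy for tests and reports)."""
    years = expected_years(alphabet_size, length, guesses_per_second)
    return {
        "keyspace": keyspace(alphabet_size, length),
        "expected_years": years,
        "worst_case_years": worst_case_years(alphabet_size, length, guesses_per_second),
        "extra_layer_fraction": added_fraction(extra_seconds, years),
    }


if __name__ == "__main__":
    # Compare the post's rate with a far faster (constructed) cracking rig.
    for rate in (GUESSES_PER_SECOND, 1e9):
        s = summary(guesses_per_second=rate)
        print(f"{rate:>12,.0f} guesses/s: keyspace {s['keyspace']:.3e}, "
              f"expected {s['expected_years']:.3e} years, "
              f"a 10 us extra step adds a fraction of {s['extra_layer_fraction']:.1e}")
```

Even at a billion guesses per second the expected search time for this space is on the order of 10^38 years, which is the reply's point: a layer that costs the attacker microseconds does not move that number. The real-world rate for offline WPA-PSK guessing is further bounded by the PBKDF2-HMAC-SHA1 derivation (4096 iterations) that turns the passphrase into the pairwise master key, so 1,000 guesses per second per core is, if anything, generous for 2006-era hardware.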