Rogue Access Points and Security Breaches

Darkreading.com has a nice article about Rogue Access Points and wireless security breaches. One of the examples they cited was the security breach of TJX, a Canadian retail chain and corporate parent company of Marshalls.

 In 2005, attackers were able to access the poorly protected and monitored wireless network of the TJX retail store chain, and stole more than 45 million credit and debit card numbers. The subsequent investigation faulted TJX for not having a proper wireless network monitoring system in place, and for collecting more customer information than was necessary to complete purchases. The security breach went undetected for almost two years.
According to the Darkreading.com article, vulnerability assessments of more than a dozen companies revealed that roughly 25% had unauthorized rogue wireless access points set up by employees, and about a third of the companies had misconfigured settings that compromised their wireless security.
Here are several recommendations for wireless networks:
  • Install wireless versions of intrusion detection systems (WIDS) and wireless intrusion prevention systems (WIPS).
  • Use strong virtual private network technology, such as IP security (IPSec)
  • Correct misconfigured wireless networks
  • Quarantine wireless guest networks from the corporate LAN.
  • Put the guest network on an alternate Internet Link, instead of the main Internet link.
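The first three recommendations above (WIDS/WIPS, correcting misconfigurations, and catching employee-installed access points) all come down to comparing what is seen on the air against an inventory of what should be there. The following is an added example, not code from the Darkreading article or from this post: it assumes the network team keeps an allowlist of authorized BSSIDs and corporate SSIDs, and the scan records are constructed by hand to stand in for what a WIDS sensor or a laptop scan would return.

```python
"""Rogue and misconfigured access point check over constructed scan results.

Added example, not from the Darkreading article or the blog post. Assumes a
defender keeps an inventory of authorized APs (BSSID -> SSID) plus the set of
corporate SSIDs; the OBSERVED records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str       # MAC address of the AP radio, as seen in a scan
    ssid: str        # network name it is broadcasting
    security: str    # "WPA2", "WPA", "WEP" or "OPEN"
    signal_dbm: int  # received signal strength; closer to 0 = closer to us


# Constructed inventory: the two APs the network team actually deployed.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "CorpNet",
    "00:11:22:aa:bb:02": "CorpNet",
}
CORPORATE_SSIDS = {"CorpNet"}
WEAK_SECURITY = {"WEP", "OPEN"}


def classify(ap: ObservedAP) -> list[str]:
    """Return the findings for a single observed AP (empty list = nothing to report)."""
    findings = []
    bssid = ap.bssid.lower()
    if bssid in AUTHORIZED_APS:
        # A radio we own: check it is configured the way we expect.
        if AUTHORIZED_APS[bssid] != ap.ssid:
            findings.append("authorized radio broadcasting unexpected SSID")
        if ap.security in WEAK_SECURITY:
            findings.append(f"misconfigured: {ap.security} on corporate AP")
    else:
        if ap.ssid in CORPORATE_SSIDS:
            # An unknown radio impersonating the corporate network (evil twin).
            findings.append("evil twin: corporate SSID from unknown BSSID")
        elif ap.signal_dbm > -60:
            # A strong unknown signal is probably inside the building: an
            # employee-installed AP or a close neighbour; worth a walk-around.
            findings.append("possible rogue AP: strong unknown signal on premises")
    return findings


def audit(observed: list[ObservedAP]) -> dict[str, list[str]]:
    """Map each BSSID that has at least one finding to its findings."""
    report = {}
    for ap in observed:
        findings = classify(ap)
        if findings:
            report[ap.bssid.lower()] = findings
    return report


# Constructed scan: what a WIDS sensor or a laptop scan might have returned.
OBSERVED = [
    ObservedAP("00:11:22:aa:bb:01", "CorpNet", "WPA2", -48),     # fine
    ObservedAP("00:11:22:aa:bb:02", "CorpNet", "WEP", -55),      # misconfigured
    ObservedAP("de:ad:be:ef:00:01", "CorpNet", "WPA2", -50),     # evil twin
    ObservedAP("de:ad:be:ef:00:02", "Bobs-AP", "OPEN", -42),     # rogue AP
    ObservedAP("de:ad:be:ef:00:03", "CoffeeShop", "WPA2", -85),  # far-off neighbour
]

if __name__ == "__main__":
    for bssid, findings in audit(OBSERVED).items():
        print(bssid, "->", "; ".join(findings))
```

The signal-strength threshold is the weak part of any such check: a neighbour's AP next to a shared wall will trip it, so treat that finding as a prompt to go and look, while the evil-twin and weak-security findings are unambiguous.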

How to Crack a Wi-Fi Network’s WPA Password with Reaver

These attacks against WPA and WPA2 are the result of a weakness in the WiFi Protected Setup (WPS) PIN system as implemented in home routers and corporate Access Points.

WPS is a feature of newer wireless routers and Access Points that is supposed to make it easier for users to connect to their home networks without having to use long and confusing pass phrases by entering a simple PIN found on the Access Point into the new device. From a security point of view, it is extraordinarily weak.

I think the take-away from this is that WiFi Protected Setup (WPS) is a huge security vulnerability.

To prevent this from happening to your network, please disable this feature if it’s active!

An alternative to GPS

If commercial GPS systems were to start using a combination of the American GPS and Russian GLONASS systems, it might make it a little harder for someone to spoof commercial GPS. GPS spoofing was demonstrated earlier this year by a group from the University of Texas at Austin, during a demonstration aboard the super-yacht White Rose.

The researchers were able to spoof the commercial GPS signal by creating a counterfeit GPS signal that was slightly stronger than the real GPS signal. This fooled the yacht’s navigation system into thinking it was several degrees off course, which prompted a request to the navigator to correct the super-yacht’s course, based on the spoofed GPS signal.

It should be noted that this same strategy was used to trick a British naval destroyer into entering Chinese waters, instigating an incident in which it was destroyed, in the rather mediocre 1997 James Bond movie Tomorrow Never Dies. In the movie, a unique, multi-million dollar “GPS Encoder” was used to trick the British destroyer to its doom. In real life, the University of Texas researchers spent $3,000.00 to spoof the GPS signal.
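The suggestion at the top of this post, combining GPS with GLONASS, only helps if the receiver actually checks the two constellations against each other. The following is an added example, not from the post or from the University of Texas team: it assumes a receiver that can report a GPS-only fix, a GLONASS-only fix and a carrier-to-noise figure (C/N0) per epoch, and it rests on the premise behind the post's suggestion, that a counterfeit GPS signal does not also counterfeit GLONASS, so the two fixes drift apart when one of them is being spoofed. The second check follows directly from the description above: the counterfeit signal was slightly stronger than the genuine one, so an abrupt rise in received power across the tracked satellites is an alert on its own. The track is constructed.

```python
"""Cross-check fixes from two constellations and watch for a power jump.

Added example, not from the post or the UT Austin researchers. Assumes a
receiver that reports a GPS-only fix, a GLONASS-only fix and a C/N0 figure
for each epoch; the TRACK below is constructed.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_epoch(epoch, prev_cn0, max_sep_m=50.0, max_cn0_jump_db=3.0):
    """Return the alert strings for one receiver epoch (empty list = consistent).

    max_sep_m is the largest GPS/GLONASS disagreement treated as normal
    receiver error; max_cn0_jump_db is the largest epoch-to-epoch rise in
    C/N0 treated as ordinary fading. Both thresholds are assumed values.
    """
    alerts = []
    sep = haversine_m(*epoch["gps"], *epoch["glonass"])
    if sep > max_sep_m:
        alerts.append(f"constellation disagreement: {sep:.0f} m")
    if prev_cn0 is not None and epoch["cn0"] - prev_cn0 > max_cn0_jump_db:
        alerts.append(f"signal power jump: +{epoch['cn0'] - prev_cn0:.1f} dB-Hz")
    return alerts


def scan_track(track, **thresholds):
    """Run check_epoch over a whole track; returns {epoch_index: alerts} for hits."""
    hits = {}
    prev = None
    for i, epoch in enumerate(track):
        alerts = check_epoch(epoch, prev, **thresholds)
        if alerts:
            hits[i] = alerts
        prev = epoch["cn0"]
    return hits


# Constructed track: the first three epochs are genuine; from epoch 3 the
# GPS-only fix wanders north while GLONASS stays on the real heading, and
# the received power steps up at the same moment.
TRACK = [
    {"gps": (41.8000, 12.2000), "glonass": (41.8001, 12.2001), "cn0": 42.0},
    {"gps": (41.8010, 12.2020), "glonass": (41.8011, 12.2021), "cn0": 42.5},
    {"gps": (41.8020, 12.2040), "glonass": (41.8021, 12.2041), "cn0": 42.0},
    {"gps": (41.8080, 12.2060), "glonass": (41.8031, 12.2061), "cn0": 47.0},
    {"gps": (41.8160, 12.2080), "glonass": (41.8041, 12.2081), "cn0": 47.5},
]

if __name__ == "__main__":
    for i, alerts in scan_track(TRACK).items():
        print(f"epoch {i}: " + "; ".join(alerts))
```

Neither check proves spoofing by itself: a multipath reflection can move one fix, and coming out from under a bridge raises C/N0. The point of combining them is that a counterfeit signal that is both stronger than the real one and inconsistent with an independent constellation is hard to explain any other way, and either alert is a reason for the navigator to distrust the displayed course rather than correct to it.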

Reaver Wrecks WPS

Reaver is open source, free software running on Linux that allows a user/attacker to conduct a brute force attack on a WPS enabled router or Access Point. With enough time, Reaver can discover the PIN of that Access Point due to a vulnerability in WPS. Once it has the PIN, it’s possible to find the WPA/WPA2 password.

WiFi Protected Setup (WPS) is a feature of newer wireless routers and Access Points that is supposed to make it easier for users to connect to their home networks without having to use long and confusing pass phrases by entering a simple PIN found on the Access Point into the new device.

 Lifehacker.com has a tutorial for installing and using Reaver to reveal the WPS PIN using a Brute Force Attack.
Once Reaver has been installed, the user takes the following steps to use it:
  • Find your wireless card
  • Put your wireless card into monitor mode
  • Find the BSSID of the router to crack
  • Start using Reaver
The Reaver documentation states that it may take between 4 and 10 hours to crack a WPS enabled Access Point.
To prevent this from happening to your network, please disable this feature if it’s active!

WTF is WPS?

According to Wikipedia, WiFi Protected Setup (WPS) is “a computing standard that attempts to allow easy establishment of a secure wireless home network.” The intent of WPS is to make it easier for home users to connect to their wireless network without entering long and confusing pass phrases.

Note that in 2011 it was discovered that WPS has a major vulnerability to Remote Brute Force attacks that can recover the WPS PIN, and with it, the network’s pre-shared WPA/WPA2 key. Please disable this feature if it’s active!
There are four methods of using WPS to connect a new device, such as a phone, tablet, or laptop, to a wireless network:
  1. PIN Method - a personal identification number (PIN) is read from the display or sticker on a new wireless device and entered on a representative of the network, usually an Access Point. Conversely, a PIN located on a representative of the wireless network, such as an Access Point, can also be entered onto a new wireless device. Once entered, the device can connect to the wireless network.
  2. Push Button Method - the user simply pushes a button on the wireless Access Point and the new wireless device. This button can be a physical button, or a virtual representation of a button.
  3. Near-Field-Communication Method - the user places her device in close proximity to the access point, which allows near field communication between the device and the access point.
  4. USB Method - the user takes a USB flash drive and transfers data between the new device and the access point.
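The advice in both the Reaver post and this one is the same: find out which of your access points still have WPS turned on and switch it off. An AP advertises WPS in its beacons, and on Linux `iw dev wlan0 scan` prints that information element as a `WPS:` block under each BSS, including the setup state and the configuration methods it accepts. The following is an added example, not code from this post, Reaver or Lifehacker: a small parser that pulls the WPS state out of iw-style scan text and lists the APs that need attention. The scan text is constructed to resemble iw's output, and the "Label"/"Keypad" method names it looks for are the WPS configuration-method names for the PIN method (the one the brute force attack above is about).

```python
"""List access points that still advertise WPS, from 'iw dev <iface> scan' text.

Added example, not from the blog post, Reaver or Lifehacker. SAMPLE_SCAN is
constructed to resemble iw's output (a 'BSS <mac>' header per network with
indented 'SSID:' and 'WPS:' blocks); with real output run:
    sudo iw dev wlan0 scan > scan.txt && python3 wps_audit.py scan.txt
"""
import re
import sys

SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0)
\tfreq: 2437
\tsignal: -48.00 dBm
\tSSID: CorpNet
\tRSN:\t * Version: 1
BSS 00:11:22:aa:bb:02(on wlan0)
\tfreq: 5180
\tsignal: -55.00 dBm
\tSSID: CorpNet
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Config methods: Label, PBC
BSS de:ad:be:ef:00:02(on wlan0)
\tfreq: 2412
\tsignal: -42.00 dBm
\tSSID: Bobs-AP
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 1 (Unconfigured)
\t\t * Config methods: PBC
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
WPS_STATE_RE = re.compile(r"Wi-Fi Protected Setup State: (\d+)")
WPS_METHODS_RE = re.compile(r"Config methods: (.*)$")
PIN_METHODS = ("Label", "Keypad")  # WPS config methods that mean a PIN is accepted


def parse_scan(text: str) -> list[dict]:
    """Split iw scan output into one record per BSS; wps_state stays None
    when the beacon carried no WPS element at all."""
    records = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "",
                       "wps_state": None, "wps_methods": ""}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first BSS header
        m = SSID_RE.match(line)
        if m:
            current["ssid"] = m.group(1)
        m = WPS_STATE_RE.search(line)
        if m:
            current["wps_state"] = int(m.group(1))
        m = WPS_METHODS_RE.search(line)
        if m:
            current["wps_methods"] = m.group(1).strip()
    return records


def wps_enabled(records: list[dict]) -> list[dict]:
    """APs whose beacons carry a WPS element; any state means the feature is on."""
    return [r for r in records if r["wps_state"] is not None]


def report(text: str) -> list[str]:
    """One line per WPS-enabled AP, noting whether the PIN method is advertised."""
    lines = []
    for r in wps_enabled(parse_scan(text)):
        pin = ("PIN method" if any(p in r["wps_methods"] for p in PIN_METHODS)
               else "no PIN method advertised")
        lines.append(f"{r['bssid']} {r['ssid']!r}: WPS on ({pin}) - disable WPS on this AP")
    return lines


if __name__ == "__main__":
    scan_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    print("\n".join(report(scan_text)) or "no WPS-enabled APs seen")
```

Treat every WPS-enabled AP as a finding, not only the ones advertising the PIN method: the advertised methods are whatever the vendor chose to put in the beacon, and the fix, turning WPS off in the AP's administration interface, is the same either way.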

Tips for getting a Cybersecurity Job

I found a nice article on Computerworlduk.com that lists five things you can do to make it easier to secure a job in the field of cybersecurity:

  1. Certifications: The author recommended the Certified Information Systems Security Professional (CISSP) certification. Other recommended certifications included vendor-specific ones from RSA, Symantec, and Cisco, and ones from independent organizations such as ISACA, GIAC, and EC-Council.
  2. Previous experience with the Federal Government or the Military: Employers are looking for individuals from the Federal Government or the Military because they may have had access to training that isn’t publicly available yet, and they may already have security clearances.
  3. Learn Security Assertion Markup Language (SAML): SAML is a new, emerging standard that allows businesses to extend their identity, authentication, and directory management systems into cloud-based applications.
  4. Learn security for mobile devices: According to Dave Frymier, Unisys CISO, “You have all of these sexy streams of data on mobile apps. You need to understand how it gets in and how it gets out and how authentication is done and who has access to it.”
  5. Learn how to analyze data: A big part of cybersecurity is searching through large volumes of data generated by numerous security devices and applications, and finding the needle in a haystack. Understanding that data and analyzing it is a big part of the job.

Why WEP Sucks

Here’s a straightforward article on Chris.Pirillo.com about why WEP, used in wireless security, is bad.

The problem is with the way WEP uses the XOR, “Exclusive Or”, bitwise operation when sending authentication.

This is how Chris explains the XOR operation: “OR, like other bitwise operators, operates on bits. If the 2 input bits are 0 and 0, it puts out 0. If they are 1 and 0, it puts out 1. If they are 0 and 1, it puts out 1. If they are 1 and 1, it puts out 0.”

In WEP, you encrypt data by XORing cleartext data with a key to create cyphertext. To decrypt, you XOR the cyphertext with the same key, which returns the cleartext.

Here’s a visual example, based on the one on his site:

Clear-text   1 1 1 0 0 0 0 1
The WEP Key  1 0 0 0 1 0 1 0
----------------------------
Cypher text  0 1 1 0 1 0 1 1

Now, to decrypt:

Cypher text  0 1 1 0 1 0 1 1
The WEP Key  1 0 0 0 1 0 1 0
----------------------------
Clear-text   1 1 1 0 0 0 0 1

We are back to the original message.

Here’s the problem, though: what happens when we XOR the cleartext with the cyphertext? Remember that, in order to authenticate with WEP, we had to send a cleartext message and then send back the cyphertext result.

Cypher text  0 1 1 0 1 0 1 1
Clear-text   1 1 1 0 0 0 0 1
----------------------------
???????????  1 0 0 0 1 0 1 0

That byte looks familiar…

The WEP Key  1 0 0 0 1 0 1 0

An attacker can acquire the WEP key just by XORing two pieces of information that are exchanged when the connection is made. This is very, very bad for security.
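The three tables above are one operation applied three ways, and the property that makes the last one work is simply that XOR is its own inverse: if C = P xor K, then P xor C = K. The following is an added example, not Chris Pirillo's code, that runs the page's own byte through encryption, decryption and the recovery step so the three tables can be checked mechanically. One caveat a practitioner should keep in mind: in real WEP the value recovered from the challenge and its encrypted reply is the RC4 keystream for that IV rather than the raw key, but that keystream is exactly the material needed to produce a valid reply to the next challenge, so the post's conclusion stands.

```python
"""XOR as WEP uses it, on the byte from the tables above.

Added example, not from Chris.Pirillo.com. CLEARTEXT and WEP_KEY are the
rows of the tables on this page; everything else is added here.
"""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings bit by bit."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(cleartext: bytes, key: bytes) -> bytes:
    """First table: cleartext XOR key = cyphertext."""
    return xor_bytes(cleartext, key)


def decrypt(cyphertext: bytes, key: bytes) -> bytes:
    """Second table: the same operation undoes itself."""
    return xor_bytes(cyphertext, key)


def recover_key(cleartext: bytes, cyphertext: bytes) -> bytes:
    """Third table: what an eavesdropper who saw both the challenge (sent in
    the clear) and the encrypted reply can compute."""
    return xor_bytes(cleartext, cyphertext)


def bits(b: bytes) -> str:
    """Render bytes as space-separated 8-bit strings, like the tables above."""
    return " ".join(f"{x:08b}" for x in b)


CLEARTEXT = bytes([0b11100001])  # "Clear-text" row
WEP_KEY = bytes([0b10001010])    # "The WEP Key" row

if __name__ == "__main__":
    c = encrypt(CLEARTEXT, WEP_KEY)
    print("cyphertext    ", bits(c))                          # 01101011
    print("decrypted     ", bits(decrypt(c, WEP_KEY)))        # 11100001
    print("recovered key ", bits(recover_key(CLEARTEXT, c)))  # 10001010
```

The functions work on byte strings of any length, so the same three calls check a whole challenge rather than the single byte of the tables; the recovery step is the reason the WEP authentication exchange, which the post describes as sending a cleartext message and its encrypted form back to back, leaks the very material it was meant to protect.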