The WiFi snooping row Google has gotten itself into seems to be far from over. In April, Google revealed that its Street View cars had been collecting basic data such as the MAC addresses and SSIDs of WiFi networks in the vicinity. But after German authorities asked Google to audit the data, it admitted to having been “mistakenly” snooping payload data from Open WiFi networks. Apparently, a piece of WiFi data analysis code, written by Google engineers back in 2006, was part of the software used by the Street View cars, in turn leading to the WiFi snooping (of about 600 GB of data across 30 countries!).
With more enterprises deploying wireless LANs and employee-owned WiFi devices flooding enterprises, wireless LAN forensics is becoming a key component of any network forensic audit — whether to prove compliance with a regulation such as PCI DSS or in response to a security incident. But wireless presents unique challenges to forensic audits.
Last month, at the RSA 2010 conference in San Francisco, I had the opportunity to discuss this issue with experienced auditor and certified PCI QSA Jim Cowing. Here you can view the video recording of an abridged version of our RSA 2010 talk “Anatomy of a Forensic Audit: How Wireless Changes the Game.”
Let me summarize the highlights from the talk:
We often hear that WiFi network performance degrades due to radio interference. We also hear that interference is a complex beast which cannot be easily tamed. There are two types of interference sources which affect WiFi network performance – non-WiFi sources and WiFi sources. This post provides a guide to some practical steps to combat often cited non-WiFi interference sources such as microwave ovens, Bluetooth, baby monitors, cordless phones, wireless cameras and jammers. The WiFi interference sources will be discussed in a later post.
Overall, some awareness of the environment around a WiFi network, coupled with some simple network planning steps, can help win over non-WiFi interference to a great extent. Additionally, the ability to detect high interference levels on WiFi channels helps detect “unmanaged” sources of interference such as a jammer or any unknown source. Many WLAN and wireless security systems today have the ability to monitor interference levels on channels on a 24×7 basis to facilitate such detection.
Every now and then we run into network administrators and CSOs who brag about how their organization is not vulnerable to wireless security threats, only to see their rash confidence fizzle out once the results from a wireless vulnerability assessment or penetration test are out.
Today, most are aware that Open WiFi on an enterprise network is foolish, that using WEP encryption is a bad idea, and that WPA2/802.1x is the way to go. Then where do they go wrong?
Much has been said about using ‘Best Practices’ alone to secure enterprise WiFi, including a no-WiFi policy. However, as security experts will vouch, most breaches happen because of naive insiders.
Imagine such a person as your employee and ask yourself the following questions.
Can you expect all your employees to follow the prescribed WiFi best practices?
Can you be confident that such a person will not connect to a neighboring hotspot, just because his or her desk has spotty WiFi coverage?
Can you be certain that such a person will not bring in a ‘Linksys’ as advised by the radio host, plug it into the Ethernet under the desk and create a Rogue AP?
Can you be certain that this person will not connect to both the WiFi and Ethernet at the same time while connected to the hotspot?
If these questions are hard to answer, you must consider a Wireless Intrusion Prevention System!
Just how vulnerable are home WiFi networks? With the abundance of news stories about data privacy, hacking attacks, malware, phishing schemes, retail credit card breaches and the like, I am surprised to see such a large number of home users are still either unconcerned or unaware about securing their data. This video from Fox News, Washington DC shows that weak Wi-Fi security is still all too common in many home Wi-Fi networks.
AirTight Networks security analyst Rick Farina is featured showing just how easy it is for a hacker to find unsecured Wi-Fi in a residential neighborhood. Unfortunately, one thing that gets overlooked in these stories is just how often these same home Wi-Fi devices will show up in corporate networks, unknowingly providing unencumbered access to sensitive data.
It seems that WLAN management and security are finally moving to the cloud. See the recent announcements by Aerohive (October 27) and Aruba Networks (October 29).
Enterprises, namely SMBs, now have multiple options and price points for managing their wireless networks. We saw this trend about 18 months ago when AirTight decided to release a SaaS version of our wireless IPS, SpectraGuard Online.
With the introduction of these new offerings, it will be interesting to see if the ASVs begin to offer wireless vulnerability scanning. They already offer cloud-based vulnerability scanning services for the wired network, so why not wireless?
Interesting piece on Wi-Fi security on the Today Show this morning. The Today Show aired a piece called “Is your Wi-Fi connection safe?”
The story shows war driving through a residential neighborhood to show that many residential Wi-Fi users still deploy their Wi-Fi devices without passwords, leaving their connections vulnerable to eavesdropping.
One common Wi-Fi security threat highlighted in this report showed just how easy it is for a hacker to intercept the connection of mobile users connecting to unsecured public Wi-Fi in places like a coffee shop, airport, etc. This is not the first time this subject has been covered. See similar stories by CNN (August 11, 2009) and Fox News (July 12, 2009).
The Today Show should have also included in their report the fact that many Windows-based computers cache and probe for previously used Wi-Fi connections, making users even more vulnerable because their computer may be connecting, without the user's knowledge, to a hacker posing as an unsecured hotspot. See the story by Forbes (November 2008).
This latest vulnerability on Cisco WLAN (AP Skyjacking) points out the importance for customers of deploying an overlay WIPS to have zero-day response capabilities in place. Making changes to your WLAN controller, APs, and firewalls takes time, and new vulnerabilities like this will continue to surface.
A dangerous exploit that can be carried out using this vulnerability is for a hacker to route an enterprise customer’s Cisco AP to a WLC deployed out on the Internet and change the Guest SSID to map to an internal enterprise VLAN (using REAP mode supported on Cisco APs); see below for Pravin’s comments.
AirTight is the only WIPS vendor who can detect this dangerous exploit (i.e. Guest SSID mapped to incorrect VLAN) and prevent this scenario. Using AirTight WIPS, you can map WLAN SSID-to-VLAN security policy (i.e. wireless-to-wired security policy mapping), thus allowing you to detect this misconfiguration and prevent a hacker from exploiting it. Using Cisco WLC+WCS+MSE or other third-party WIDS/WIPS, this scenario will go undetected for some time, thus allowing the hacker access into the customer’s enterprise network.
Customers should pay immediate attention to this vulnerability, change the default settings on their Cisco APs (i.e. out of the box configuration) and put a zero-day response strategy in place for vulnerabilities like this in the future.
The skyjacking vulnerability, which allows a Cisco LAP to be diverted to connect to a rogue controller by manipulating OTAP, could be more dangerous than what has been clarified by Cisco in its advisory. The advisory says that “An exploit could prevent the device from functioning properly, resulting in a DoS condition. There is no risk of data loss or interception by the rogue access point or Wireless LAN Controller.”
As a matter of fact, it should be possible to convert an authorized Cisco LAP into a wired rogue AP using skyjacking. After a Cisco LAP is trapped into skyjacking (for example, made to connect to a controller hosted on the net), it is possible to convert it to Cisco REAP mode and make it bridge traffic locally between the enterprise wired subnet and wireless.
Just a thought – won’t blocking the LWAPP discovery port on the enterprise firewall protect you from this threat?
Stay tuned for more updates as we dig deeper into this.