From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 29 Nov 2001 16:41:04 -0800 (PST)
Subject: [iwar] [fc:War.Driving:.Computing.mobility.opens.networks.to.an.invasion.of.the.wireless.snatchers.]

War Driving: Computing mobility opens networks to an invasion of the wireless snatchers.
By Sandra Kay Miller, Information Security, 11/29/2001
<http://www.infosecuritymag.com/articles/november01/technology_wardriving.shtml>

In the 1980s, hackers began "war dialing"--dialing phone numbers until they found an open modem--to access networks. The '90s Internet boom created easier and more direct avenues of attack, such as IP scanners and packet sniffers.

Enter the next generation of nefarious network intrusion: war driving. Literally, war driving is using a laptop's wireless NIC set in promiscuous mode to pick up unsecured wireless LAN signals. At this stage of the game, hackers are war driving--or "LAN-jacking," as it's sometimes called--wireless networks for anonymous and free high-speed Internet access, akin to stealing long-distance phone service.

Chris "Weld Pond" Wysopal, director of research and development at @stake (www.atstake.com), says the potential for wireless network intrusion is "absolutely huge," since the number of wireless LANs is rapidly expanding.

"War driving is as cheap as the war dialing that started the growth of the computer underground after the movie War Games, for which it was named. A wireless Ethernet card is $100, far cheaper than a modem in 1985," Wysopal says. "A person who wants to take advantage of war driving only needs to drive a couple miles if they are in a populated area before they will find a wide-open network, which they can peruse at will or simply use as an anonymous Internet connection."

Affordable and easy-to-use wireless LANs are being deployed not only by traditional IT folks, but by anyone who can plug a CAT5 cable into a hub. Wireless access points are boxes (usually routers) that have Ethernet going in one side and wireless antennas out the other.

It's a general misconception that 802.11b wireless signals have a limited transmission radius.
However, many war driving aficionados report that they can identify wireless LANs within six city blocks using a simple omnidirectional antenna in conjunction with their wireless NIC.

Another frequent factor in wireless network breaches comes from corporate and personal users' false impression that the Service Set Identifier (SSID), which is attached to packets sent over the wireless LAN, functions as a secret password.

In September, Al Potter, manager of the Network Security Labs at ICSA Labs, a division of TruSecure Corp. (www.trusecure.com), conducted an unobtrusive test that demonstrated war driving is more than just theoretical. While driving at 65 mph between Leesburg, Va., and Dulles International Airport near Washington, D.C., he detected "dozens" of unsecured wireless LANs.

"I do not understand why individuals and companies are continuing to expose themselves this way," says Potter. (TruSecure publishes Information Security.)

War driving requires no elaborate software or hardware. An ordinary consumer wireless NIC set in promiscuous mode will easily latch on to open wireless network beacons. Using a Global Positioning Satellite (GPS) receiver in conjunction with wireless NICs, crackers are mapping major metropolitan areas and compiling a quasi-telephone book of wireless networks, both secured and unsecured.

For those curious about increasing their ability to pick up wireless networks, a number of antennas, both commercial varieties and homemade models, are listed online. A 3 dB omnidirectional antenna that can easily be mounted to the hood of a car sells for around $60. But a true gearhead can pick up a 24 dB hand-held parabolic grid antenna for not much more than loose change. For the do-it-yourselfer, directions and templates are readily available online for making antennas with brass tubing, scrap metal and a little wood and wire.
Simply put, the technology and equipment for war driving is cheap and readily available, which makes it all the more dangerous for wireless networkers.

Software that facilitates locating wireless networks is also readily available on the Web. Network Stumbler is a popular Windows utility for war driving that scans for 802.11b networks and logs all the signals it locks on to--including the real SSIDs, the AP's MAC address, the best signal-to-noise ratio encountered and the duration of time the network was accessed. By adding a GPS receiver to the laptop, the program even logs the exact latitude and longitude of the AP. IBM has a similar product, Wireless Security Auditor, which works with Linux on an iPAQ PDA. For FreeBSD fans, Peter Shipley has posted a Perl script that plucks latitude/longitude information from a GPS unit and converts it into detailed maps of a user's LAN-jacking activities.

Defending "Air"

Given the prevalence of these tools, IT managers and CIOs will need to incorporate wireless threats into their overall security programs. IT policies should be updated to reflect the risks of wireless devices connected to the corporate network. Network admins would also be wise to research and institute wireless security measures specific to their needs and establish a metric for auditing their wireless vulnerabilities.

There are a number of deterrents to war drivers. But again, thanks to the plug-and-play capabilities of wireless LANs, the lack of security is often as simple as changing the default settings during installation of a wireless network.

The Wired Equivalency Privacy (WEP) system is the encryption standard used by 802.11b wireless networks. However, WEP is undermined by common mistakes, including the failure to activate it entirely or engage WEP with the encryption key set to the default value. Initializing WEP on the wireless LAN will deter casual war drivers, but will do little against sophisticated hackers with a more sinister agenda.
A more secure scenario, recommended by the 802.11 working group, is overlaying WEP with a secondary layer of security, such as a VPN or IPSec. Another security method is to install a firewall and/or a DMZ between the wireless and wired segments of the network.

As with hackers of previous generations, there's always going to be someone who wants to dig a little deeper. Recently, programs have appeared on the Internet aimed at breaking WEP encryption keys. AirSnort has the ability to intercept and analyze WEP-protected wireless traffic. By collecting enough packets, a system's master password can be acquired from 100MB to 1GB of traffic. WEPCrack is a tool using weaknesses in the RC4 key scheduling to crack the encryption keys.

War drivers are the cowboys of the "Wireless West," taking advantage of everything from the casual drive-by of a completely unprotected access point for free Web surfing to capturing proprietary data. If you see someone cruising the neighborhood in his SUV sporting a multitude of antennas on the roof and a laptop on the dashboard, you can be sure you've spotted a new breed of hacker--the war driver.

SANDRA KAY MILLER (sandra@pa.net) is a freelance journalist based in Pennsylvania with more than 12 years experience covering technology. Her work routinely appears in InfoWorld, IEEE's Computer Magazine and Midrange Computing Showcase.
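The article's advice to "establish a metric for auditing their wireless vulnerabilities" can be made concrete with a small audit of a site survey taken on your own premises. The following is an added example, not part of the original article or of any tool it names: the CSV column layout, the BSSIDs, the authorized list and the default-SSID set are all constructed or assumed for illustration.

```python
import csv, io

# Constructed survey export; the column layout is hypothetical, not any tool's real format.
SURVEY_CSV = """ssid,bssid,wep,snr_db,lat,lon
linksys,00:11:22:33:44:01,off,21,39.0001,-77.4001
eng-lab,00:11:22:33:44:02,on,35,39.0002,-77.4002
eng-lab,00:11:22:33:44:02,on,40,39.0003,-77.4003
hq-3f,00:11:22:33:44:03,on,18,39.0004,-77.4004
tsunami,00:11:22:33:44:09,off,12,39.0005,-77.4005
"""
# BSSIDs that IT has sanctioned (constructed) and factory SSIDs (assumed examples).
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "101"}

def load_survey(text):
    """Collapse repeated sightings to one record per AP, keeping the best SNR."""
    best = {}
    for row in csv.DictReader(io.StringIO(text)):
        bssid = row["bssid"].strip().lower()
        rec = {"ssid": row["ssid"].strip(),
               "wep": row["wep"].strip().lower() == "on",
               "snr": int(row["snr_db"]),
               "pos": (float(row["lat"]), float(row["lon"]))}
        if bssid not in best or rec["snr"] > best[bssid]["snr"]:
            best[bssid] = rec
    return best

def audit(aps, authorized):
    """Return per-AP findings plus the share of observed APs with any finding."""
    report = {}
    for bssid, ap in aps.items():
        issues = []
        if bssid not in authorized:
            issues.append("not in inventory")   # AP plugged in without IT's knowledge
        if not ap["wep"]:
            issues.append("WEP off")            # encryption never activated
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            issues.append("default SSID")       # install defaults left unchanged
        report[bssid] = issues
    flagged = sum(1 for i in report.values() if i)
    return report, (flagged / len(report) if report else 0.0)

if __name__ == "__main__":
    report, exposed = audit(load_survey(SURVEY_CSV), AUTHORIZED)
    for bssid, issues in sorted(report.items()):
        print(bssid, ", ".join(issues) or "ok")
    print(f"exposed fraction: {exposed:.2f}")
```

Tracking the exposed fraction from one survey to the next gives the audit metric; a default WEP key cannot be seen from a passive survey and has to be checked in each access point's configuration.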