Security Basics mailing list archives

RE: About War Driving ..


From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Tue, 5 Dec 2006 09:03:05 -0000

Responses inline... 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of FatalSaint
Sent: 01 December 2006 00:18
To: gaurav saha; security-basics () securityfocus com
Subject: Re: About War Driving ..

Just a couple.. I'm kind of a noob here but:

1) Use WPA/TKIP instead of WEP.  Harder to crack (though not impossible)

--> Good idea, WPA/WPA2 with a decent strong passphrase is probably one of
the best steps to take.


2) Disable DHCP if you have it running or
2a) Enable static DHCP for the MAC Addresses of the authorized PC's

--> Wouldn't achieve much I'm afraid, a valid IP is too easy to spoof.

3) MAC Address Filter your router

--> Doubt it will help in this particular intrusion since I think OP said
the guy is already smart enough to change MAC. Not going to hurt for general
wireless security though.

4) Disable SSID Broadcast (easily got around by anyone with kismet.. but
still an added layer)

--> I've always found it causes more hassle than it's worth.

5) If your router has the capability; explicitly allow only the IPs for the
machines you assign to get out to the internet.

--> Wouldn't achieve much I'm afraid, a valid IP is too easy to spoof.

6) Disable the torrent ports at the firewall .. I am not sure what they are
or if torrent will get around them by using port 80 instead.  (in
actuality, in a business environment I'd disable -all- outgoing ports
except 80 and 443 - if someone needs specific access have your net-admin
explicitly allow their machine out.)

--> This would probably be a good idea as a general net security thing. If
you can identify what services people need legitimately then deny everything
and allow just those.

7) You could get as detailed as static routing and limiting the amount of
bandwidth each machine/IP could use.

--> Only offers damage limitation - preventing an intruder from saturating
your connection; a lot of work and restriction of legitimate traffic just for
that though.

Log MAC Addresses.  If he's smart enough to crack your WEP then he's prolly
spoofing MACs.. but you could always go into your logs, see which MAC is
associated with that IP - and then go to all the machines in your building
that you can control and check the MAC Addresses - might tell you which
machine is doing it.

--> If he is spoofing MAC addresses then logging it won't tell you much.

Some more advanced things could be to install a proxy server; require the
use of logins to get to the internet - then you can track by login.
Or even installing a transparent proxy and logging all
websites/communication out to the internet (this could cause a very large
logfile.)

--> They *CAN* be got around using tunnelled traffic - can help to stop
casual intruders but I doubt that's what this guy is. If you want to go down
the authentication route, a RADIUS server would be better.

I don't know your network infrastructure so these are just random thoughts
on what you -could- do if your business plan allows.


On 11/30/2006, "gaurav saha" <gauravsaha007 () yahoo com> wrote:

Hi,
I was wondering if it is possible to locate and catch a guy who is
connecting to our WEP wireless network and downloading stuff from
torrents and using up our bandwidth ..
I checked up with arp scan and found 2 unknown IPs
192.168.1.246 and 247
Is there any way of locating the guy in a building of 7 floors and how
to stop this .. I have tried changing the WEP keys, so he is cracking
the WEP key.
Any suggestions people?
---gaurav






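The thread's advice boils down to an ARP scan compared against the list of MACs you actually issued, plus the caveat that a cloned MAC defeats plain MAC logging. The script below is an added example (not code from either poster) that does that audit: it parses constructed arp-scan style lines, flags MACs not on the allowlist, and flags an authorized MAC seen on more than one IP, which is the one trace a MAC clone still leaves in the ARP table. Sample output and the allowlist are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in arp-scan's "ip<TAB>mac<TAB>vendor" layout; not real data.
SAMPLE_ARP_SCAN = """\
192.168.1.1\t00:11:22:33:44:01\tExample Router Co
192.168.1.10\t00:11:22:33:44:10\tExample PC Co
192.168.1.11\t00:11:22:33:44:11\tExample PC Co
192.168.1.246\t00:11:22:33:44:10\tExample PC Co
192.168.1.247\tde:ad:be:ef:00:01\t(Unknown)
"""

# Constructed allowlist; in practice export it from the router's MAC filter
# or static DHCP table so it reflects what was actually issued.
AUTHORIZED_MACS = {
    "00:11:22:33:44:01": "router",
    "00:11:22:33:44:10": "floor3-pc1",
    "00:11:22:33:44:11": "floor3-pc2",
}

LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_arp_scan(text):
    """Return [(ip, mac), ...] from arp-scan style lines, MACs lower-cased."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
    return hosts


def audit(hosts, authorized):
    """Split hosts into unknown MACs and authorized MACs seen on several IPs."""
    unknown = [(ip, mac) for ip, mac in hosts if mac not in authorized]
    ips_by_mac = defaultdict(set)
    for ip, mac in hosts:
        ips_by_mac[mac].add(ip)
    # The same issued MAC on two IPs at once is the signature of a clone.
    cloned = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
              if mac in authorized and len(ips) > 1}
    return {"unknown": unknown, "cloned": cloned}


if __name__ == "__main__":
    result = audit(parse_arp_scan(SAMPLE_ARP_SCAN), AUTHORIZED_MACS)
    for ip, mac in result["unknown"]:
        print(f"unknown device {mac} at {ip}")
    for mac, ips in result["cloned"].items():
        print(f"{AUTHORIZED_MACS[mac]} ({mac}) seen at {', '.join(ips)}: possible clone")
```

Run against a live arp-scan capture on a schedule and the "cloned" result tells you which issued MAC to walk the floors for, which is the check the reply above says plain MAC logging cannot give you.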

