Security Basics mailing list archives

Re: About War Driving ..


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 5 Dec 2006 12:50:09 +0100

On 2006-12-05 FatalSaint wrote:
> Ansgar -59cobalt- Wiechers wrote:

> In your case my answer is simple:
>
> Break your ethernet card.

Then you simply failed to understand my objections.

> All your comments on "Pointless.. the attacker can.." are moot.  It's
> a simple fact - You can be hacked.  Thus - does that make -all- forms
> of security.. "Pointless.. because the attacker can..."?

*sigh*

I probably should've added "most easily", but I assumed that it would be
clear to anyone on this list. Apparently my assumption was wrong.

> [...]
> Maybe you have never heard of "Defense in Depth" strategy.  The idea
> behind which is that you add multiple layers of defense to penetrate your
> network - thus making it more "difficult" for a potential cracker to
> get in.  If he succeeds in cracking 1 layer, he is faced with another,
> and another, and if he is truly determined you weren't going to stop
> him in the first place.

I have heard a thing or two about "Defense in Depth", thank you very
much. However, MAC filtering does not qualify as defense in depth,
because the MAC address is broadcast in clear text. And because WLAN is
a broadcast medium you can't even tie a MAC address to a specific switch
port. Meaning that all an attacker has to do is sit back and wait.

>> Please elaborate: how do you believe WPA could be cracked? I know
>> that WPA-PSK can be cracked if a weak passphrase is chosen, but I
>> haven't yet seen a mention of WPA-PSK with a strong passphrase or
>> WPA/TKIP being cracked.

> This doesn't even require a response.  WPA-PSK, TKIP and all other
> forms of password encryption and authentication -can- be cracked.  The
> harder the passphrase; the longer the brute force. Keep this in mind
> when you tell me all my -other- alternatives are pointless: Your
> password is vulnerable.  That is the end of story. Given time,
> dedication, patience and machinery (hell, right here in my house I can
> run a crack on 10 simultaneous machines across a linux cluster if I so
> desire -

*sigh*

So tell me: how long does it take you to brute-force a strong WPA
passphrase? Let's take a look:

Assume you have a passphrase of, say, 30 characters. Also assume we limit
the passphrase to upper- and lowercase characters, digits and, say, ten
special characters. That amounts to 30^72 or 2.25 * 10^106 characters.

Now, how long does it take you to brute-force this? If you can try a
thousand passphrases per second you'd need an average of 3.66 * 10^95
*years* to crack a key. I don't know about you, but I would consider
that sufficiently secure. And I entirely fail to see how the 10
microseconds needed to find a valid MAC address would add any substantial
amount of security to that.

> imagine if a government wanted your information.)

If you wanted to protect your information from the government you'd use
a VPN and still not rely on MAC address filtering.

> Not to mention if you are in an office environment half your users
> write their passwords down; especially if you're a good netadmin that
> requires minimum length, minimum combinations of specials, etc - and
> this person in his case could very well be -inside- the building.  How
> hard would it be for you to loot your friend's desk when he went to
> lunch?

Ummm... you *do* realize that the WPA passphrase is something you store
in the system once you set up the wireless connection, and not something
you have your users enter every time they want to access the WLAN, don't
you?

Of course you'd use additional measures to keep someone from walking up
to a user's desk and simply retrieving it from his computer. However,
that's a different scenario.

>>> 2) Disable DHCP if you have it running or
>>
>> Pointless, because the attacker can spoof a valid IP address.

> Correct - tack on some time for him to find one.

An insignificant amount of time. That's what makes it pointless.

>>> 2) Disable DHCP if you have it running or
>>
>> Pointless, because the attacker can spoof a valid IP address.

> Correct.  See above.

Indeed. See above.

>>> 4) Disable SSID Broadcast (easily got around by anyone with kismet..
>>> but still an added layer)
>>
>> Pointless, because the attacker doesn't need a broadcast SSID to
>> detect the WLAN.

> Correct - See above. He's gotta take the time to find it.

It seems that you don't understand what the SSID's purpose is. Not
broadcasting the SSID doesn't hide a network, but just makes it show up
with no specific ID. So the only difference for the attacker is the five
seconds he needs to take a peek into either network showing up. Which
makes it pointless as a security measure. Unless a peek would take him
an average 3.66 * 10^95 years. In which case it would be irrelevant
whether the attacker can or cannot identify the network by SSID anyway.

>>> 5) If your router has the capability; explicitly allow only the IPs
>>> for the machines you assign to get out to the internet.
>>
>> Pointless, because the attacker can spoof a valid IP address.

> And of course causing IP conflicts and a slew of other problems that
> will both A) Slow him down and B) Speed up your detection of him.

IP conflicts? On a broadcast medium? When the attacker has spoofed the
MAC address as well? Yeah, right.

>> Not entirely pointless, but a) limits valid users as well, and b) is
>> only effective once the attacker already *got* access to your
>> network. Which is what you want to prevent in the first place.

> Wow - You have some defense in depth ideas already.  Let's give you a
> cookie.  So your suggestion is "Well; if he gets on .. we may as well
> sacrifice everything to him because we're morons anyway."  I
> -certainly- would hire you.

At this point I was already assuming that you'd fail to get the point of
my objections. Stop being an idiot and at least try to understand what
I'm writing.

>>> 7) You could get as detailed as static routing and limiting the
>>> amount of bandwidth each machine/IP could use.
>>
>> Pointless, because the attacker can spoof a valid MAC and IP address.

> Wow.. we hit a nail here.  You completely missed what I said.  I said
> static routing and limiting bandwidth.  Even IF your assailant gets on
> - he can not use more than X kbps of YOUR BANDWIDTH unless he has 10
> NICs, all bonded, all on your wireless LAN, all with separate IPs
> using separate routes combining 10 times X the bandwidth.

*sigh*

Limiting bandwidth does not stop the attacker from doing Bad Things(tm),
not to mention that it doesn't depend in any way on "static routing". Do
you even understand what routing is?

> It's called segmenting I believe.

It's called segmentation, and you'd have to put either address into a
separate subnet. Which is a rather stupid thing to do, because then
you'd have to manage the entire traffic between the hosts on your LAN on
layer 3 instead of layer 2.

>>> Log MAC Addresses.  If he's smart enough to crack your wep then he's
>>> prolly spoofing MACs.. but you could always go into your logs, see
>>> which MAC is associated with that IP - and then go to all the
>>> machines in your building that you can control and check the MAC
>>> Addresses - might tell you which machine is doing it.
>>
>> That does only help if you know how to locate that machine. Which is
>> exactly the problem the OP has (because with a WLAN you can't simply
>> follow the wire).

> Did you read Hansel and Gretel?  Follow the breadcrumbs.

There. Are. No. Breadcrumbs.

> I said it is -possible- to find it by checking -every- MAC address in
> your building.  If he -didn't- spoof you -may- be able to find the
> machine.

The only thing this is going to tell you is that, yes this machine
*does* have the MAC address in question. Which you already knew before.
It does NOT tell you whether or not the MAC address was spoofed.

And pray tell how he's going to find, say, an attacker's notebook? It
doesn't even have to be inside the building, since WLAN still is a
broadcast medium.

Of course you'd still go through the logs of your machines to make sure
it's really none of your users or machines. But as you said yourself: if
the attacker is smart enough to crack WEP, he's most likely also smart
enough to spoof the MAC address. And probably also to not use any
computer that the network admin could associate with him.

> Again - There are NO definites in Information Security; vice one: Your
> system IS vulnerable - somewhere - Your job as a SysAdmin, is to find
> it.

It's already clear *where* the system is vulnerable: the use of WEP.

>> That may work, but also means a lot of work. Plus, it just moves the
>> authentication to a higher layer. Why not just leave it in the
>> network layer? Has the same effect, is easier to set up, and keeps a
>> potential attacker entirely out of your network.
>
> Once again - Why put all your eggs in one basket?? The more layers you
> use, the more layers to peel.

More layers also mean increased complexity, thus making the network
(and its security) harder to maintain. Which, in consequence, can
*reduce* the network's security.

> [...]
> So far - 90% of the responses to this have been "Upgrade to WPA (WPA2
> if capable)" and that is fantastic.  I offered a more detailed trail
> of a list of specific items that can be done to help -prevent-
> intrusion.  Each step, by itself, can be broken.  Combine them all -
> and it becomes a nuisance.

*sigh*

MAC filtering and disabling SSID broadcast aren't worth the trouble of
setting them up. As for the other measures: 

- Traffic shaping is almost always a good idea, but not a measure to
  stop an attacker.
- Network segmentation is a good idea in most cases too, but not in the
  way you described. It also depends on the OP's requirements, so there's
  no point in telling him to segment his network without telling him
  *in which way* to do this segmentation. Which we can't do, because we
  have insufficient information on his requirements.
- Blocking outgoing ports does limit an attacker, but may also limit
  valid users (especially if you whitelist ports), so it's a tradeoff.
  Also it doesn't address tunneling, and it becomes effective *after* an
  attacker gained access to the network.
- Additional authentication for Internet access is - when implemented
  correctly - a good security measure, but a) adds to your maintenance
  (making it a tradeoff too) and b) only becomes effective *after* an
  attacker already got access to your network. Thus it's only a measure
  to prevent him from (ab)using your Internet connection, *not* a
  measure to keep him from (ab)using your network.
- Using a transparent proxy is an effective measure in some cases, but
  there are several protocols that can't be proxied easily or without
  breaking them (e.g. https). It takes work to set it up, and it takes
  work to maintain it, which needs to be considered before implementing
  a measure like that. Also, like the measures above it becomes only
  effective *after* an attacker got access to your network. Thus it's
  not a measure to *prevent* an attacker from getting access to your
  network.

Bottom line: your suggestions are either ineffective or don't address
the OP's original problem. Which is what I was objecting to.

> The very first thing you should do when planning Information Security
> is to write a very detailed document of "Authorized Use" for your
> network.  LOCK DOWN ANYTHING that is not in that list.  For a home
> network - most of this is irrelevant.  For mission critical servers -
> You damn sure better be doing everything in your power to prevent data
> corruption.  It's called CIA: Confidentiality, Integrity, and
> Availability.  Those are the 3 items that any Systems Administrator
> must ensure.

True, but goes far beyond the OP's question, and also far beyond what
can be covered in a single mail on this list.

> [...]
> The idea here is to be the least targetable person.  If person A uses
> all of my techniques (and the others listed within this thread), and
> person B uses none: Who do you think will be cracked?  I have
> personally seen zones with 20+ SSIDs floating through the air.  3 of
> them were completely unsecured with no WEP or MAC Filtering at all. 15
> of them used WEP and 2 used WPA (according to a kismet scan of the
> area).

Using WPA with a strong passphrase already *makes* you the least
targetable person. Why even bother about additional measures that don't
add any significant amount of security, but do require (significant)
additional maintenance? It's - as I said before - pointless.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
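For reference, the passphrase-to-key step this exchange argues about, and a way to size an exhaustive search of it. This is an added example, not code from the thread or from either poster: the derivation is the one WPA-PSK specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32-byte output), checked against the IEEE 802.11i Annex H test vector for passphrase "password" and SSID "IEEE". The guess rates, alphabet sizes and passphrase lengths are assumptions for illustration; the keyspace of a passphrase of length n over an alphabet of k symbols is k^n.

```python
"""WPA/WPA2-PSK: how a passphrase becomes the key, and what guessing costs.

Added example, not code from the mailing-list thread.  The derivation is
the one WPA-PSK specifies: PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096
iterations, 32 bytes).  The guess rates, alphabets and lengths used below
are assumptions for illustration.
"""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key of a WPA-PSK network (PBKDF2-HMAC-SHA1, 4096 rounds).

    Each candidate passphrase an attacker tests costs 4096 HMAC-SHA1
    computations, which is what keeps offline guessing to thousands of
    candidates per second per CPU core rather than millions.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passphrases of exactly `length` symbols from `alphabet_size` symbols."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try the whole keyspace at a given rate.

    The expected time to hit a uniformly chosen passphrase is half of this.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Measure single-core PMK derivations per second on this machine.

    The candidate passphrases are constructed; the cost is the same for
    any passphrase because the PBKDF2 iteration count is fixed.
    """
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate-{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    rate = measure_guess_rate("IEEE")
    print(f"this core: about {rate:,.0f} guesses/s")
    # 26 = lowercase only; 72 = upper+lower+digits+ten specials, as in the mail.
    for alphabet, length in [(26, 8), (72, 8), (72, 12), (72, 30)]:
        print(f"alphabet {alphabet:2d}, length {length:2d}: "
              f"{keyspace(alphabet, length):.2e} candidates, "
              f"{years_to_exhaust(alphabet, length, rate):.2e} years")
```

The same derivation is what an offline cracker runs against a captured four-way handshake, one PBKDF2 per candidate. Multiply the measured single-core rate by the attacker's core or GPU count to get a budget, then compare: an 8-character lowercase passphrase falls within days at a few hundred thousand guesses per second, while a random 12-character passphrase over a 72-symbol alphabet stays out of reach at any rate a cluster in someone's house can deliver.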

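To make concrete why the mail calls MAC filtering and SSID hiding pointless, the following added example (not from the thread or from either poster) parses the unencrypted part of three hand-constructed 802.11 frames: a beacon from an access point with SSID broadcast disabled, the probe response that same AP sends to a client, and a WPA-protected data frame from the client. The MAC addresses, the SSID and the frame contents are invented; the 24-byte header layout, the Frame Control bits and the address roles are those of 802.11.

```python
"""A passive listener's view of a WLAN: 802.11 headers are never encrypted.

Added example, not code from the mailing-list thread.  The three frames at
the bottom are constructed by hand; the MAC addresses and the SSID are
invented.  The header layout, Frame Control bits and address roles follow
IEEE 802.11.
"""
import struct

# Frame Control byte 0 holds protocol version (2 bits), type (2), subtype (4).
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8
# Frame Control byte 1 holds the flags.
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
IE_SSID = 0  # information element tag for the SSID


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def find_ssid(ies: bytes):
    """Walk the information elements of a beacon/probe response body.

    'SSID broadcast disabled' does not remove the element; the AP sends an
    SSID element of length zero, which is reported here as '<hidden>'.
    """
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        value = ies[i + 2:i + 2 + length]
        if tag == IE_SSID:
            return value.decode("utf-8", "replace") if length else "<hidden>"
        i += 2 + length
    return None


def parse_frame(frame: bytes) -> dict:
    """Return what one frame discloses to a listener holding no key material.

    The MAC header (addresses included) is cleartext even when the
    Protected Frame bit is set and the payload is WEP/TKIP/CCMP ciphertext.
    """
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    info = {"type": ftype, "subtype": subtype,
            "protected": bool(flags & FLAG_PROTECTED), "ssid": None}
    if ftype == TYPE_DATA:
        to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
        if to_ds and not from_ds:        # station -> AP
            info.update(bssid=fmt_mac(a1), src=fmt_mac(a2), dst=fmt_mac(a3))
        elif from_ds and not to_ds:      # AP -> station
            info.update(dst=fmt_mac(a1), bssid=fmt_mac(a2), src=fmt_mac(a3))
        else:                            # IBSS (0,0); WDS (1,1) carries a 4th address
            info.update(dst=fmt_mac(a1), src=fmt_mac(a2), bssid=fmt_mac(a3))
        # Everything after the header is ciphertext when protected: not parsed.
    elif ftype == TYPE_MGMT:
        info.update(dst=fmt_mac(a1), src=fmt_mac(a2), bssid=fmt_mac(a3))
        if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            # Fixed fields: timestamp (8) + beacon interval (2) + capability (2).
            info["ssid"] = find_ssid(frame[24 + 12:])
    return info


def build_header(ftype, subtype, flags, a1, a2, a3) -> bytes:
    fc = (ftype << 2) | (subtype << 4) | (flags << 8)
    return struct.pack("<HH6s6s6sH", fc, 0, a1, a2, a3, 0)


# Constructed sample traffic (all addresses invented).
AP = bytes.fromhex("001122aabbcc")
CLIENT = bytes.fromhex("00aabb112233")
GATEWAY = bytes.fromhex("0011220000ff")
BROADCAST = b"\xff" * 6
# timestamp (8) + beacon interval 100 TU + capability ESS|Privacy
MGMT_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)

HIDDEN_BEACON = (build_header(TYPE_MGMT, SUBTYPE_BEACON, 0, BROADCAST, AP, AP)
                 + MGMT_FIXED + bytes([IE_SSID, 0]))
PROBE_RESPONSE = (build_header(TYPE_MGMT, SUBTYPE_PROBE_RESP, 0, CLIENT, AP, AP)
                  + MGMT_FIXED + bytes([IE_SSID, 7]) + b"corpnet")
PROTECTED_DATA = (build_header(TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED,
                               AP, CLIENT, GATEWAY)
                  + bytes.fromhex("0100002000000000")  # CCMP header layout, values invented
                  + bytes(range(32)))                   # stand-in for ciphertext


def observe(frames):
    """Summarise the addresses and SSIDs visible to a listener in range."""
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    for seen in observe([HIDDEN_BEACON, PROBE_RESPONSE, PROTECTED_DATA]):
        print(seen)
```

The protected data frame yields the client's MAC and the BSSID without touching the ciphertext, which is all a MAC-filter bypass needs; the hidden beacon still announces the BSSID, and the probe response hands over the SSID the moment any legitimate client asks for it.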

