Securing Business Against War Driving

Sun, Oct 5, 2008, by TechDoc

Security

War driving and wireless network hacking are unpleasant realities that need to be met head on if we are to stay one step ahead rather than become just another victim in the cyber arms race.

It is important that businesses of all sizes, corporate telecommuters, work-from-home personnel, home offices and home networks alike implement both preventative and proactive measures to negate, or at the very least reduce, their exposure to the potentially disastrous effects and financial risks posed by war driving and wireless network hacking.

War Driving Versus Wireless Network Hacking

While most of us have heard of hacking, the more recent practice of “war driving” is not so well known.

War Driving

War driving is the practice of cruising around with a wireless-enabled laptop loaded with a plethora of wireless network detection and cracking tools. Many war drivers even use GPS to pin-point the precise physical location of any wireless networks they detect.

The major distinction between war driving and hacking into wireless networks is that, in the strictest sense, war driving is all about discovering the existence of wireless networks.

Wireless Network Hacking

Hacking wireless networks, on the other hand, is about cracking or breaking into the wireless networks discovered through war driving or any other means. In short, wireless network hacking is all about gaining access to a network without being a legitimate, bona fide network user with authentic access privileges and rights. This does not imply in any way that a would-be intruder or hacker is necessarily malevolent.

War Driving and Wireless Network Hacking Tools

Both war driving and wireless network hacking tend to use the same range of tools. Candidates include specialty wireless packet sniffing tools (Airsnort, Kismet, NetStumbler, Wireshark, etc.).

The sorry reality is that, for tools such as Kismet, there really is very little you can do to prevent them from discovering the presence of your wireless network. Fortunately, however, there are countermeasures such as fully encrypted transmissions, tunneling and heightened authentication procedures which you can employ to prevent potentially malevolent intruders from progressing beyond the discovery phase.

Legitimate Ethical Wireless Network Hacking

There are many reasons why one may attempt to hack one’s own wireless networks. For example, legitimate, authorized and authenticated security staff may be conducting site surveys, penetration testing or network security preparedness assessments, and will usually harbor no truly malevolent or other “evil” intentions.

I say usually because many security breaches do involve breaches of trust by authentic personnel. Subversion from within is an issue that has existed since long before wireless networking capabilities were developed. Then there is the group who may attempt to access or hack into your wireless network for the thrill of it, simply because it is there.

War Driving and Wireless Network Hacking Tools

Note that the standard tools used for war driving and wireless hacking are generally the same. They are also the very same tools that authentic network security personnel will use to conduct site surveys, penetration testing and so on.

Downloadable Self-Extracting and Automatic Installer Packages

In addition, the vast majority of these wireless network tools are freely available for download via the Internet. In general, you will find that most of them come in the form of self-extracting installation packages and/or user-installable software.

Here are a few wireless networking survey, network discovery, packet sniffing, site assessment and penetration testing tools that are currently available free for private use: Airsnort, ASLeap, CowPatty, Ethereal, Kismet, NetStumbler and Wireshark.

Sophisticated Yet User Friendly

What many may not realize is the degree of user-friendly sophistication and capability that these tools have attained over their years of existence and development.

Armed by Default

So it is that in today’s wireless networking climate we must assume that, by default, attackers will be armed with these tools. Bearing this in mind, we will construct our defenses in a manner best suited to counteracting a multiplicity of threats originating from all angles.

War Driving Protective Countermeasures

Countermeasures to protect your wireless network from war driving and hackers in general must be well planned and rigorously maintained and updated. Vigilance is the key.

Transmission Medium Access

The first line of defense in overcoming the threats posed by war driving and wireless network hacking is to reduce the transmission medium’s exposure to potential threats.

Network Surveys

Site surveys need to be conducted to identify signal leakage and rogue Wireless Access Points (WAPs). This can be accomplished easily without high-tech gadgets. Simply walk around the various network zones, zone perimeters and site perimeters with a wireless-enabled laptop to see what signals it can detect. You should be doing this in very much the same way, using the same wireless detection and hacking tools, as a war driver or any potential hacker would.

Wireless Network Physical Security

Wireless Access Points (WAPs) need to be located and secured in such a way that they remain free from physical interference and tampering. A redirected WAP antenna can present external entities with an access point into your network.

Furthermore, if enough WAP antennae are compromised (out of alignment, redirected or non-functional), total wireless network collapse can result. Regular inspection and adjustment of WAPs is the best way to limit the damage that can be caused by WAP physical security issues. It also has a role to play in overall network performance and assessment.

Antennae

The use of mixed unidirectional and omnidirectional antennae in a production environment will be of considerable assistance in reducing network perimeter signal leakage.

Multiple In Multiple Out (MIMO) antennae can be used for areas of high network traffic that are contained entirely within your internal network’s publicly inaccessible physical perimeter. Careful antenna selection and placement will contribute greatly to shaping the wireless network’s coverage pattern.

Network Segmentation

Subdividing your network into a number of smaller logical subnets will also help reduce exposure while at the same time delivering greater overall network efficiency and performance. You can also use this as a means of adding extra layers of authentication.

Demilitarized Zones (DMZs)

Use DMZs with limited access rights and privileges to confine potentially “undesirable” traffic to areas of limited functionality without exposing your entire internal network to the threats it may pose. In this way you can provision and maintain a lower-risk, publicly accessible zone on your network’s periphery if so desired. It also greatly simplifies the configuration, management and upkeep of firewall access lists and rules.

Disable Internal Anonymous Ad Hoc Connectivity

Sometimes circumstances will dictate that you have no choice other than to permit some degree of anonymous, publicly accessible ad hoc connectivity to your wireless network. Confining this type of access to your network’s perimeter using DMZs is usually the way to go.

However, anonymous ad hoc wireless connectivity is not needed for purely internal wireless network access. From a security standpoint, once authorized users are inside your wireless network’s perimeter they do not need anonymous ad hoc connectivity capabilities, so disable it. All they need do is log onto the network in their usual prescribed manner. Your network access authentication procedures will define who is, and who is not, permitted access.

Signal Leakage

You will need to conduct regular site surveys and network preparedness assessments to check and verify that no signal is leaking from the fully internal wireless network into the publicly accessible zones. Also check that there is no leakage from the publicly accessible ad hoc wireless networks into your network core.

Change Default Settings

This one is really a no-brainer. Once your wireless devices are up and running, change the manufacturer default settings for properties such as the administrator name and password (or better still, passphrase), authentication mechanisms, network name and ID, broadcast parameters, pre-shared keys, the default encryption methods and settings, and the connection method used to gain access to network resources.

Microsoft Windows Zero Configuration

Microsoft Windows zero configuration anonymous ad hoc wireless network implementations will, by default, cause both wireless-enabled client devices and Wireless Access Points (WAPs) alike to persistently advertise their presence to the rest of the world.

Advertising Connectivity Offers and Requests

The client will continually transmit a request for connectivity and the WAP will continually transmit an offer to provide connectivity. This advertising activity by both sides will continue regardless of whether or not the client and WAP are actually connected.

Wireless Networking Administrative Overheads

Yes, this does contribute to a wireless network’s administrative overheads. Most operating systems, networks and wireless access devices also exhibit the same type of behavior when it comes to announcing their presence.

MAC Address Filtering

Wireless-enabled device authentication can be most easily implemented through MAC Address filtering. Wireless Access Points (WAPs) and wireless routers have administrator-definable access control capabilities based on Layer 2 addressing.

The MAC Addresses of permitted wireless-enabled devices are entered into the Wireless Access Point (WAP) or wireless router’s MAC Address filter table. Simple Permit/Allow or Deny rules are associated with each MAC Address contained within the device’s MAC Address filter table.

The simplest way of using a MAC Address filter table is to enter a list of specifically permitted client MAC Addresses and deny access to all other devices. Any device without a qualifying entry in the MAC Address filter table will automatically be denied network access, and packets originating from it will be automatically dropped.

MAC Address filter table based access control actually precedes any user-based authentication mechanism, since the MAC Address is contained in the Layer 2 header of every packet placed onto the network. This means that packets originating from devices not listed as permitted in the MAC Address filter table will be dropped without ever being placed on the network transmission medium.

Service Set Identifier (SSID)

The Service Set Identifier (SSID) is the name used to identify different 802.11x wireless networks (WLANs). By default, all client devices receive SSID broadcasts from all Wireless Access Points (WAPs) within range.

Selection of the Wireless Access Point (WAP) to be used for the current connection depends on the client’s specific configuration: either a pre-configured WAP is used, or the user selects a WAP from the list of those discovered as a result of their SSID broadcasts.

Disabling SSID broadcasting by WAPs is one of the best ways of ensuring that you do not come to the attention of war drivers. Although tools such as Kismet can still discover a wireless network that does not broadcast its SSID, many would-be intruders will nevertheless be thwarted by the lack of SSID broadcasts. Verifying a wireless network’s SSID prior to connecting to it can also help users avoid the threats posed by “evil twin” attacks.
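As an added example (not part of the original article), the following Python script audits a constructed walk-around survey log, of the kind the Network Surveys and Signal Leakage sections describe, against an inventory of authorised WAPs: it flags unknown radios advertising a corporate SSID (the “evil twin” case), access points that are not in the inventory, and corporate APs heard with usable signal from publicly accessible spots (perimeter leakage). The BSSIDs, SSIDs, survey points and the -75 dBm threshold are all assumed values.

```python
import csv
import io
from collections import Counter, namedtuple

# Constructed inventory of authorised WAPs (BSSID -> SSID); values are made up for this example.
KNOWN_APS = {"00:11:22:33:44:01": "CorpNet", "00:11:22:33:44:02": "CorpNet"}
CORPORATE_SSIDS = set(KNOWN_APS.values())
LEAK_THRESHOLD_DBM = -75  # a corporate AP heard stronger than this outside the perimeter counts as leakage

# Constructed walk-around survey log: one row per AP heard at each survey point.
SURVEY_CSV = """location,bssid,ssid,signal_dbm,security
inside-floor2,00:11:22:33:44:01,CorpNet,-48,WPA2
inside-floor2,00:11:22:33:44:02,CorpNet,-55,WPA2
outside-carpark,00:11:22:33:44:02,CorpNet,-68,WPA2
outside-carpark,AA:BB:CC:DD:EE:FF,CorpNet,-40,OPEN
inside-lobby,66:77:88:99:AA:BB,FreeWifi,-60,OPEN
outside-street,00:11:22:33:44:01,CorpNet,-82,WPA2
"""

Finding = namedtuple("Finding", "kind location bssid ssid detail")


def audit_survey(csv_text):
    """Compare what the survey laptop heard against the AP inventory and return a list of findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid, ssid = row["bssid"].lower(), row["ssid"]
        signal, outside = int(row["signal_dbm"]), row["location"].startswith("outside-")
        if bssid not in KNOWN_APS and ssid in CORPORATE_SSIDS:
            # Someone else's radio is using our network name: the "evil twin" case.
            findings.append(Finding("evil-twin", row["location"], bssid, ssid,
                                    "unknown BSSID advertising a corporate SSID (%s)" % row["security"]))
        elif bssid not in KNOWN_APS:
            # Not ours: check whether it is a neighbour or a rogue WAP plugged into the wired network.
            findings.append(Finding("unknown-ap", row["location"], bssid, ssid, "not in inventory"))
        elif outside and signal > LEAK_THRESHOLD_DBM:
            # Our own AP is usable from a publicly accessible spot: perimeter signal leakage.
            findings.append(Finding("leakage", row["location"], bssid, ssid, "%d dBm outside perimeter" % signal))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'evil-twin': 1, 'unknown-ap': 1, 'leakage': 1}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit_survey(SURVEY_CSV):
        print("%-10s %-16s %-18s %-9s %s" % f)
```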

Encryption

All traffic over publicly accessible transmission media such as wireless networks should be protected by very strong, advanced encryption.

128-bit Encryption

If your default encryption is Wired Equivalent Privacy (WEP) then you should be using a 128-bit encryption key rather than the default 40-bit key, as a 128-bit key will take intruders considerably longer to crack.

WPA and WPA2

However, if your equipment supports it, use WPA or WPA2 instead of WEP (although this may require a firmware or software update). WPA2 uses AES, which is essentially unrealistic and impractical for most hackers to break.

Authenticated Access Only

Configure your wireless network to permit authenticated user and system access only.

Pre-Shared Keys

If using pre-shared keys, make them long and complex; such a key has less chance of being cracked via brute-force dictionary attacks, which makes it impractical for most hackers to guess or crack.
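As an added example (not from the article), this Python checker applies the advice of the Change Default Settings, 128-bit Encryption, WPA and WPA2 and Pre-Shared Keys sections to a constructed WAP configuration, reporting manufacturer defaults left in place, SSID broadcast, WEP versus WPA/WPA2 and a weak pre-shared key. The vendor defaults, the word list and both configurations are assumed values; the weak configuration is shown beside a hardened one.

```python
import math
import string

# Constructed vendor defaults and a tiny stand-in for an attacker's word list; not from any real product.
VENDOR_DEFAULTS = {"admin_user": "admin", "admin_password": "admin", "ssid": "default", "psk": "12345678"}
COMMON_WORDS = {"password", "letmein", "welcome1", "wireless", "internet"}
PUNCT = string.punctuation + " "


def passphrase_bits(psk):
    """Rough strength estimate: characters x log2(size of the character classes actually used)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: c in PUNCT, 33)]
    size = sum(n for test, n in classes if any(test(c) for c in psk))
    return len(psk) * math.log2(size) if size else 0.0


def audit_wap(cfg):
    """Return the list of weak settings found in a WAP configuration (empty list = nothing flagged)."""
    issues = []
    for key, label in (("admin_user", "administrator name"), ("admin_password", "administrator password"),
                       ("ssid", "SSID")):
        if cfg.get(key) == VENDOR_DEFAULTS[key]:
            issues.append("manufacturer default %s" % label)
    if cfg.get("ssid_broadcast", True):
        issues.append("SSID broadcast enabled")
    enc = cfg.get("encryption", "none").upper()
    if enc in ("NONE", "OPEN"):
        issues.append("no encryption")
    elif enc == "WEP":
        issues.append("WEP with 40-bit key" if cfg.get("wep_key_bits", 40) != 128 else "WEP in use; prefer WPA2")
    elif enc in ("WPA", "WPA2"):
        psk = cfg.get("psk", "")
        if psk == VENDOR_DEFAULTS["psk"] or psk.lower() in COMMON_WORDS:
            issues.append("default or dictionary-word pre-shared key")
        elif not 8 <= len(psk) <= 63 or passphrase_bits(psk) < 60:  # WPA passphrases are 8 to 63 characters
            issues.append("short or low-entropy pre-shared key (%.0f bits)" % passphrase_bits(psk))
    if not cfg.get("mac_filter"):
        issues.append("MAC address filter table empty")
    return issues


# The weak settings beside the corrected ones; both dictionaries are constructed for this example.
WEAK_CONFIG = {"admin_user": "admin", "admin_password": "admin", "ssid": "default", "ssid_broadcast": True,
               "encryption": "WEP", "wep_key_bits": 40, "mac_filter": []}
HARDENED_CONFIG = {"admin_user": "wlan-ops", "admin_password": "Gr4nite!Lantern-Voyage#2008", "ssid": "CorpNet",
                   "ssid_broadcast": False, "encryption": "WPA2", "psk": "Tr4vel-Kettle!Orbit#9921-Maple",
                   "mac_filter": ["00:11:22:33:44:01"]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wap(cfg) or "OK")
```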

EAP Protected Authentication

In corporate scenarios use EAP, or even EAP-FAST, to protect authentication, and severely restrict the number and frequency of retries before the account is locked out.

Certificates

If using certificates, configure certificate-based authentication to validate both the user and the remote device prior to granting access to the wireless network. Also ensure that rogue systems will be denied access by default.

Tunneling

Corporate users should be using an IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel, encrypted with DES, 3DES or AES. Remember public wireless hot

Application Layer Encryption

Because public wireless hot spots do not generally offer encryption, you can use application layer encryption software to rectify this failing. Simplite does a good job of encrypting IM sessions.

Firewalls

Install and run a software firewall if you have not already done so. Microsoft Windows XP and Vista both have a built-in firewall application. Although it receives criticism from some quarters, the Windows Firewall application is free with the Microsoft Windows OS and has recently received additional improvements. If nothing else is available, use it.

Directory Services

Correct configuration of user accounts and credentials through directory services such as Microsoft’s Active Directory will give you more granular control over users’ wireless network access and privileges.

Corporate Firewalls

For larger networks it is probably more appropriate to implement a strategy that includes the deployment of one or more dedicated hardware firewall devices/appliances with Intrusion Detection (IDS) and Intrusion Prevention (IPS) capabilities. Vyatta and Untangle both offer viable, lower-cost alternatives to more expensive commercial firewalls such as Cisco’s PIX and Microsoft ISA 2004.

Malware

Use antivirus and other anti-malware applications as appropriate.

Updates

Regular updating of your current and future security applications and tools should never be overlooked. This includes regular testing of both your wireless and wired networks and a thorough appraisal and assessment of their current state of readiness. This is your best protection against so-called zero-hour vulnerabilities.

Security Policies

Develop, implement and maintain appropriate wireless usage security policies.

User Education and Security Culture

Educate your users in wireless security best practices. Update and communicate with wireless users whenever issues arise. What affects one user is in all likelihood capable of affecting them all. Develop a security conscious atmosphere and culture.

Other Technologies

SSL, Extended Validation SSL, SSH, OpenID, PPTP, L2TP, IPSec VPN, digital certificates, hashing algorithms


2 Comments For This Post

  1. Hein Marais Says:

    Very Interesting.

  2. Chandni Bhowmik Says:

    War driving is mainly the act of detecting wireless networks in the vicinity, which makes network hacking easier as a consequence.
    So, though war driving increases the potential risk of hacking into the network, how far is war driving taken seriously while implementing security measures against such attacks?
    Or, to put it in a different way, how serious an attack is war driving?

    The article is definitely interesting. However, I wonder whether the security measures mentioned here are effective against war driving, and if yes, to what extent?
