Be aware of wireless threats


Wireless access has become much more feasible in recent years, but that doesn't mean that security has kept up with its progress. Sure, you may be able to connect to a wireless access point from your local Starbucks and read your email while sipping a cup of coffee — but who else is out there enjoying the recent email instalment from your sister's vacation or perusing your latest bank statement?

To remain protected against such black hats, you need to stay on top of the latest wireless security threats — and make sure your users do the same. For example, most security professionals are aware of the man-in-the-middle attack, which occurs when a black hat is able to read, insert, and modify messages between two machines without either party knowing that someone has compromised the link between them.

This type of attack has somewhat faded due to physical security and the complexity of the current switched networks that usually reside between the two end points. But make no mistake: This type of attack is not obsolete.

The threat
In fact, a relatively new wireless tool is helping revive the man-in-the-middle attack. AirPwn, which debuted at DEFCON 12 in July 2004, requires two 802.11b network interface cards — one for listening and the other for injecting. It is currently only available for POSIX operating systems (i.e., Linux, BSD, and other Unix flavours).

Using this tool on an open wireless network can yield a couple of different results, and neither is good news for the user. Let's look at the possibilities:

  • AirPwn can completely capture an entire wireless session. If a user logs on to check email and isn't working over an SSL connection, someone else can read everything he or she does while online. This includes capturing session tokens and hijacking a session after the user has logged in.
  • AirPwn can inject and redirect traffic to another machine. If a user browses to a Web site, a black hat can use AirPwn to inject content from a different location into the user's browser. This content could include anything from text and pictures to harmful code that could compromise the machine.

The defence
AirPwn is a plague to the open wireless networks that exist all over the world. This is one more reason to teach users that they can't expect privacy while using a public network.

It's imperative that users understand the risks of using public access. In addition, they can increase their level of data protection by following one simple rule:

Limit the type of transactions conducted when connected to a public network.

When you leave your home or corporate network and connect to an open wireless network, your expectation of privacy and security should drop dramatically. There is no such thing as a trusted open network.

If you didn't configure the network and you can't identify everyone connected to the network, that means it's an open network. Remember that whenever you use an open network, someone could be listening and manipulating the information you see and send to others. If you have to log on to a site from an open wireless connection, make sure you use an encrypted connection.
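
As an added illustration (not part of the original column), this Python sketch checks HTTP response headers for the exposures described above: a page served without SSL, a session cookie that would also travel in cleartext, and an HTTPS site without HSTS, which leaves a first plain-HTTP request open to tampering. The hostname mail.example.test, the cookie names and the finding labels are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample responses: (URL, [(header name, header value), ...]).
SAMPLES = {
    "webmail_http": ("http://mail.example.test/inbox",
                     [("Set-Cookie", "SESSIONID=abc123; Path=/")]),
    "login_mixed": ("https://mail.example.test/login",
                    [("Set-Cookie", "sid=f00; Path=/; Secure; HttpOnly"),
                     ("Set-Cookie", "prefs=dark; Path=/")]),
    "login_strict": ("https://mail.example.test/login",
                     [("Set-Cookie", "sid=f00; Path=/; Secure; HttpOnly"),
                      ("Strict-Transport-Security", "max-age=31536000")]),
}

def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if the header is absent or invalid."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            for directive in value.split(";"):
                name, _, val = directive.strip().partition("=")
                if name.lower() == "max-age" and val.strip('"').isdigit():
                    return int(val.strip('"'))
    return 0

def audit(url, headers):
    """List what someone sharing an open network could read or alter for this response."""
    findings = []
    https = urlsplit(url).scheme == "https"
    if not https:
        findings.append("cleartext-page")  # whole exchange is readable in transit
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:  # browser will also send it over plain HTTP
                findings.append("cookie-sent-in-cleartext:" + name)
    if https and hsts_max_age(headers) == 0:
        findings.append("no-hsts")  # browser is not told to refuse plain HTTP
    return findings

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(label, audit(url, headers))
```
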

Final thoughts
It's important that security professionals remain aware of and knowledgeable about the tools the enemy has available. Just as vital is sharing this information with users and educating them about defending themselves.

I recommend visiting black hat sites and seeing what types of tools they have to use against you. The bad guys are certainly watching you — it's time you started watching them. Then, pass on that knowledge to the people you support.

Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Centre.

Talkback

Risks associated with wireless access are often misleadingly portrayed. It's all the worse when there is no real substance to the scare-mongering and when little or no practical advice is offered.

While common, this is unfortunate as it undermines already unduly low consumer confidence in what are generally 'secure' platforms (such as online banking and high profile commerce stores) and at the same time draws attention away from issues that are far more likely to affect everyday users.

Basic advice, such as: try to use WPA (or WPA2) encryption on your wireless connections rather than WEP, always have a local firewall active, tips on how to judge the trustworthiness of a site you don't know, and advice on how to verify the authenticity of a site, would all go a long way and be far more beneficial than vague warnings about the existence of an unseen threat.

It's worth being aware that everything you do on the internet can be intercepted by any host between you and your destination - not just your local wireless traffic.

This is one reason why end-to-end encryption between the client requesting the data and the server with the data is so important in the first place.

Not that you might think this from the impression given by some articles - including this one, but all online banking sites in the US and EU of course already use SSL encryption, as do all reputable e-commerce sites.

Likewise, any email that contains information you don't want to be viewable by a third party should be encrypted with a tool like PGP or GPG - or simply use a service like Hushmail.

Though it's worth pointing out if what you're being sent is, as suggested, an update on how your sister's latest vacation is going, I think most people would be quite comfortable with the idea of putting that very same information on the back of an open postcard (as we've been doing for over a hundred years). That being the case, I doubt the idea of encrypting messages like that is going to be especially high on anyone's agenda.

What's more worrying, however, is that if you're using an unencrypted authentication scheme to actually get your mail (such as POP3 without SSL) someone could get a hold of your username and password and be able to read / delete all your mail (and, crucially, reset passwords on other accounts you have, thus gaining access to them). Fortunately, most reputable webmail platforms feature SSL sign-in which means even if people sniffing your traffic can read what you're reading, they don't have access to your account thereafter.

In a similar vein, VPN clients for accessing remote networks (such as company file shares) are important on wired networks just as they are on wireless ones. As far as sensitive data is concerned, when you're connecting over the internet, it's not just the wireless portion of the connection that's untrustworthy.

Tools to sniff and inject data into network traffic are not new - though it's fair to say they get a lot more publicity when the word 'wireless' comes up (and people tend to write whatever editors think will draw people to their publication). However, these tools work just as well on most wired networks and users would do well to remember that.

Your machine may be secure and patched up, but what about all your co-workers' systems - or laptops from outside that get plugged in? The same also applies to some broadband cable installations - can you trust your neighbours, let alone the security of their systems?

There is no overriding logical reason to trust a wired network you don't know any more than you would trust a wireless network you don't know - and it can pay off to be sceptical even of networks you think you can trust.

In conclusion, while good wireless security is a worthy goal and extra vigilance is justified when joining an open network, at the end of the day if you want data to remain confidential during transmission you should always endeavour to use end-to-end encryption with a ver

via Facebook 24 October, 2005 14:56

Oops, seems there is a character limit on responses - the previous Talkback response should have finished up with...:

In conclusion, while good wireless security is a worthy goal and extra vigilance is justified when joining an open network, at the end of the day if you want data to remain confidential during transmission you should always endeavour to use end-to-end encryption with a verifiable remote host.

That applies whether your end of the network is wired or wireless.

via Facebook 24 October, 2005 15:00