Many of us use wireless routers every day: at home, at the airport, at the local coffee shop, and in many other places we frequent. But what do we know about how to secure them? Many people have fallen into the trap of thinking that as long as their router has a password and they don't give that password out to anyone, their network is secure. What they don't realize is that oftentimes they are using the WEP (Wired Equivalent Privacy) standard, which is very weak and was never intended to secure sensitive data. This post will show how easy it is to crack a WEP-secured router and why you should use a stronger standard such as WPA or WPA2.
Most of my information comes from the Small Net Builder website: http://www.smallnetbuilder.com/wireless/wireless-howto/24244-howtocrackweppt1 and is intended to educate users on why they shouldn't use WEP to secure their information. It is not intended to be used to crack networks that are not your own without the consent of the owner, sometimes referred to as "war-driving".
This particular hack relies on the open source Aircrack suite, which is run on the BackTrack 2 Linux platform. For a more detailed walkthrough please read the linked article; this post will merely give a brief overview.
The first thing that must be checked is that there is a client currently associated with the router, because a client is needed in order to obtain the information required for an ARP Replay Attack (explained later). For aircrack to work, three pieces of information are needed: the MAC address of the Access Point (AP), the MAC address of the client computer associated with the AP, and the channel being used by both.
To keep things short, what happens is that the Aircrack suite is used to stimulate traffic between the AP and the client system, which generates packets carrying Initialization Vectors (IVs). These packets are captured, and once enough of them have been collected the actual password is recovered from them. The IVs are useful because they are sent in clear text and, as a result, can be worked on to extract the desired information. The crack requires between 300,000 and 1,500,000 IVs in order to have enough information to discern the key. This is where the ARP Request Replay Attack comes in.
Once a valid ARP packet has been captured, one of the Aircrack programs is used to continuously inject requests to the AP. Using another of the Aircrack programs, the IVs are processed until, "Abracadabra!!", there is your password. All of this can be done in as little as 10-20 minutes.
As you can see, relying on WEP to protect your AP is a very poor decision if you are trying to protect any important information. WPA and WPA2 are much more secure and are even able to provide faster connections in some cases. The choice is pretty simple.
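To put some numbers behind the point, here is an added example (it is not code from this post or from Small Net Builder). It shows why a 24-bit IV pool is used up so quickly: the birthday bound says IV values start repeating after only a few thousand frames, and at an assumed capture rate of a few hundred frames per second the 300,000-IV figure quoted above is reached in minutes. The second half audits a constructed scan listing and flags anything still running open or WEP so it can be moved to WPA2. The scan entries, the verdict text and the frames-per-second rate are all assumptions made for the example.

```python
"""Added example (not code from the post or from Small Net Builder): why the
24-bit WEP initialization vector is exhausted so quickly, and a small audit
that flags WEP and open networks in a constructed scan listing."""
import math

IV_BITS = 24                  # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 2 ** IV_BITS       # 16,777,216 possible IVs for the whole network


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Probability that at least one IV value repeats after `frames` frames,
    assuming IVs are drawn uniformly at random (birthday-bound approximation
    1 - exp(-n(n-1) / 2N)). Drivers that simply count upward repeat even more
    predictably once the counter wraps."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0            # pigeonhole: more frames than IV values
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_collision(probability: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which the collision probability reaches
    `probability` under the same approximation."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - probability)))


def minutes_to_collect(ivs_needed: int, frames_per_second: float) -> float:
    """Wall-clock minutes to capture `ivs_needed` IV-bearing frames at a
    sustained rate. The post quotes 300,000 to 1,500,000 IVs; the rate is an
    assumed figure for the example, not something measured here."""
    return ivs_needed / frames_per_second / 60.0


# Constructed scan listing: (SSID, security mode as a scanner would report it).
SCAN_RESULTS = [
    ("home-net", "WEP"),
    ("coffee-guest", "OPEN"),
    ("office", "WPA2"),
    ("legacy-printer", "WPA"),
]

VERDICTS = {
    "OPEN": "no encryption: anyone in range can read the traffic",
    "WEP": "WEP: key recoverable in minutes, migrate to WPA2",
    "WPA": "WPA (TKIP): acceptable only as a stopgap, prefer WPA2",
    "WPA2": "WPA2: ok",
}


def audit_networks(scan):
    """Return (ssid, verdict) pairs; an unknown security mode raises so it is
    never silently treated as safe."""
    report = []
    for ssid, mode in scan:
        if mode not in VERDICTS:
            raise ValueError(f"unknown security mode {mode!r} for {ssid!r}")
        report.append((ssid, VERDICTS[mode]))
    return report


def networks_needing_action(scan):
    """SSIDs whose configuration should be changed (open or WEP)."""
    return [ssid for ssid, mode in scan if mode in ("OPEN", "WEP")]


if __name__ == "__main__":
    print("frames for a 50% chance of an IV repeat:", frames_for_collision(0.5))
    print("minutes for 300,000 IVs at 500 frames/s:", minutes_to_collect(300_000, 500))
    for ssid, verdict in audit_networks(SCAN_RESULTS):
        print(f"{ssid:15s} {verdict}")
```

Run it and the first line shows a 50% chance of a repeated IV after roughly 4,800 frames, which is a few seconds of normal traffic; that repetition, not the password length, is the weakness.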
Tuesday, April 26, 2011
Wednesday, April 6, 2011
Sandboxes
Everyone has heard the old adage that practice makes perfect. In security nothing is ever perfect, but practicing exploiting vulnerabilities can make it easier to avoid breaches and help make sure that best practices are being followed. One of the best places to do this is in a sandbox environment. A sandbox is a specifically designed area on a server, dedicated to testing and experimentation. What this means is that you can't really break it: the system isn't tied to anything important, and its sole purpose is for the user to push its boundaries. Two pretty good security sandboxes, especially for beginners, can be found at https://google-gruyere.appspot.com/ and www.hackthissite.org/ .
The Gruyere application has been designed by Google to teach people basic weaknesses in web design. It walks the user through several tutorials, which cover both basic black box and white box hacking. Black box hacking refers to finding weaknesses in a system through, more or less, trial and error: the user experiments with inputs and parameters until they find a weak point they can exploit. White box hacking refers to using the source code to find bugs in the program.
Hackthissite is a different kind of site in that it doesn't offer a walkthrough for its challenges and puzzles; it is more of a hacker community project. You have to sign up to use any of the site's resources, but once you do you are provided with a variety of puzzles and challenges ranging from the most basic to very complicated hacking trials. The site also includes a discussion board for talking about new techniques and bouncing around ideas.
There are many more sites like these on the internet. These are just a couple that are pretty well known.
Identity Management
There are several partial solutions for identity management, which are commonly used by companies to protect their assets. They are often used together to form a more thorough solution. This post will focus primarily on the different solutions and how they fit together.
The first level is the directory, a specialized database optimized for read and search operations, which acts as the main component of any good solution because it serves as the central repository for all the information needed by identity management software. Because much of the information used by an identity management system lives in different locations, many directories are built as meta-directories or virtual directories. The difference between the two is that a meta-directory actually gathers the necessary information and stores it all in one place, while a virtual directory only points to where the information can be found.
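The difference between the two directory styles is easiest to see in code. The following is an added example, not code from this post or from any directory product: a meta-directory that copies records from several source systems into one store, beside a virtual directory that only points at the sources and reads them on demand. The HR and mail systems, the employee ids and the attribute names are constructed for the example.

```python
"""Added example (not code from the post): a meta-directory that copies
records from several source systems into one store, next to a virtual
directory that only points at those sources and reads them on demand.
The HR and mail systems below are constructed dictionaries."""
import copy

# Constructed authoritative sources, keyed by employee id.
HR_SYSTEM = {
    "e100": {"name": "Alice Example", "dept": "finance", "status": "active"},
    "e101": {"name": "Bob Example", "dept": "engineering", "status": "active"},
}
MAIL_SYSTEM = {
    "e100": {"email": "alice@example.invalid"},
    "e101": {"email": "bob@example.invalid"},
}


class MetaDirectory:
    """Gathers attributes from every source into a local store during
    synchronize(); lookups and searches are then served from the copy, which
    is fast but only as fresh as the last synchronization run."""

    def __init__(self, sources):
        self._sources = sources
        self._store = {}

    def synchronize(self):
        merged = {}
        for src in self._sources:
            for uid, attrs in src.items():
                merged.setdefault(uid, {}).update(copy.deepcopy(attrs))
        self._store = merged

    def lookup(self, uid):
        return dict(self._store.get(uid, {}))

    def search(self, **criteria):
        return sorted(uid for uid, attrs in self._store.items()
                      if all(attrs.get(k) == v for k, v in criteria.items()))


class VirtualDirectory:
    """Stores nothing itself: every lookup merges the live records from the
    sources, so answers are always current, but each query costs one read per
    source and a search has to visit every source."""

    def __init__(self, sources):
        self._sources = sources

    def lookup(self, uid):
        merged = {}
        for src in self._sources:
            merged.update(src.get(uid, {}))
        return merged

    def search(self, **criteria):
        uids = set().union(*(src.keys() for src in self._sources))
        return sorted(uid for uid in uids
                      if all(self.lookup(uid).get(k) == v for k, v in criteria.items()))


def staleness_demo():
    """Terminate an employee in HR and compare what each directory reports."""
    hr, mail = copy.deepcopy(HR_SYSTEM), copy.deepcopy(MAIL_SYSTEM)
    meta = MetaDirectory([hr, mail])
    meta.synchronize()
    virtual = VirtualDirectory([hr, mail])

    hr["e100"]["status"] = "terminated"   # HR updates the authoritative record
    before = meta.lookup("e100")["status"]
    live = virtual.lookup("e100")["status"]
    meta.synchronize()                    # the next scheduled sync run
    after = meta.lookup("e100")["status"]
    return {"meta_before_sync": before, "virtual": live, "meta_after_sync": after}


if __name__ == "__main__":
    print(staleness_demo())
```

The trade-off this makes visible is the security-relevant one: a meta-directory keeps reporting a terminated employee as active until the next synchronization, while a virtual directory reflects the change at once but depends on every source being reachable at query time.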
Another level of protection is found at the internet level. Web access management is used to control users' interactions with web-based enterprise assets. According to the CISSP All-in-One Exam Guide, the basic process looks like the following:
· User sends in credentials to web server
· Web server validates user’s credentials
· User requests to access a resource
· Web server verifies with the security policy to determine if the user is allowed to carry out this operation
· Web server allows access to the requested resource
This is just a very basic summary of what web access management looks like. In practice it often has a much more complicated tiered architecture, which uses everything from routers and firewalls to databases and the directory. Essentially, once the user logs in, the server gives the browser a cookie (generally only a session cookie), which is then used to continually authenticate the user for as long as they are logged in. If the user loses the cookie, either by timing out or by clearing it manually, they will be required to re-authenticate. This is referred to as single sign-on.
As discussed in the previous post, passwords are an important part of authentication. As such, password management is important to a total identity management solution. The three common approaches to dealing with this are:
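The five steps and the session-cookie behaviour described above can be reduced to a small piece of code. The following is an added example, not code from this post or from the CISSP guide: credentials are checked against salted password hashes, a random session cookie is issued, each request maps the cookie to a user and checks a policy table, and an idle timeout or a logout invalidates the cookie so the user must re-authenticate. The user store, the policy table, the timeout value and the injectable clock are all constructed for the example.

```python
"""Added example (not code from the post or the CISSP guide): the five-step
web access management flow with a session cookie and idle timeout. The user
store, the policy table and the injectable clock are constructed here."""
import hashlib
import hmac
import secrets
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: salted PBKDF2 hashes, never plaintext passwords.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "hash": _hash_password("correct horse battery staple", _ALICE_SALT),
        "groups": {"finance"},
    },
}

# Constructed security policy: resource -> groups permitted to use it.
POLICY = {
    "/reports/quarterly": {"finance"},
    "/admin": {"admins"},
}

_DUMMY_SALT = secrets.token_bytes(16)


class WebAccessManager:
    IDLE_TIMEOUT_SECONDS = 900

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}      # cookie value -> {"user": ..., "last_seen": ...}

    def login(self, username: str, password: str):
        """Steps 1-2: validate the credentials; on success issue a session cookie."""
        record = USERS.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take the same time.
            _hash_password(password, _DUMMY_SALT)
            return None
        if not hmac.compare_digest(record["hash"], _hash_password(password, record["salt"])):
            return None
        cookie = secrets.token_urlsafe(32)   # random, unguessable session id
        self._sessions[cookie] = {"user": username, "last_seen": self._clock()}
        return cookie

    def _authenticated_user(self, cookie):
        session = self._sessions.get(cookie)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self.IDLE_TIMEOUT_SECONDS:
            del self._sessions[cookie]     # timed out: the cookie is no longer valid
            return None
        session["last_seen"] = now
        return session["user"]

    def request(self, cookie, resource: str) -> str:
        """Steps 3-5: identify the user from the cookie, consult the policy,
        then allow or deny. Returns 'allow', 'deny' or 'reauthenticate'.
        A resource missing from the policy is denied by default."""
        user = self._authenticated_user(cookie)
        if user is None:
            return "reauthenticate"
        if USERS[user]["groups"] & POLICY.get(resource, set()):
            return "allow"
        return "deny"

    def logout(self, cookie):
        """Dropping the session server-side is what forces re-authentication."""
        self._sessions.pop(cookie, None)


if __name__ == "__main__":
    wam = WebAccessManager()
    cookie = wam.login("alice", "correct horse battery staple")
    print(wam.request(cookie, "/reports/quarterly"), wam.request(cookie, "/admin"))
    wam.logout(cookie)
    print(wam.request(cookie, "/reports/quarterly"))
```

Two design points worth noticing: the cookie carries no user data at all (the mapping lives on the server, so a tampered cookie just fails lookup), and the timeout is enforced on the server rather than trusted from the browser.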
· Password synchronization – this lets users need only one password for multiple systems. It makes it easier for users to have a more complex password without creating a security hazard by writing their passwords down. The major problem with this is that legacy systems are often impossible to incorporate into this type of solution because their code is not compatible.
· Self-Service Password Reset – a product is used that allows users to reset their own passwords by providing certain identifying information, which in turn triggers an email response giving them the ability to reset their password. This program should not ask for publicly available identifying information.
· Assisted Password Reset – essentially the same thing as the self-service reset, except the user gives the identifying information to a help desk employee, who then sends a new password to the user. The user is then required to change the password again, so that the help desk employee, who has seen the temporary password, does not become a liability.
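Here is an added example that implements the second and third approaches side by side; it is not code from this post or from any password management product. The self-service path checks an enrolled non-public secret and then mails a single-use token that expires; the assisted path gives the help desk a temporary password that is flagged so the user must change it on first use. The user store, the "mailer" outbox, the token lifetime and the injectable clock are constructed for the example.

```python
"""Added example (not code from the post): self-service reset via a
single-use, expiring token sent out of band, and assisted reset via a
temporary password that must be changed on first use. The user store, the
mailer outbox and the injectable clock are constructed."""
import hashlib
import hmac
import secrets
import time


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class PasswordService:
    TOKEN_TTL_SECONDS = 900

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # username -> record with salted hashes and flags
        self._tokens = {}   # sha256(token) -> {"user": ..., "expires": ...}
        self.outbox = []    # constructed mailer: (address, token) pairs

    def create_user(self, username, email, password, enrolled_secret):
        """enrolled_secret is something only the user knows, not a birthday
        or a mother's maiden name, which are publicly discoverable."""
        pw_salt, secret_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._users[username] = {
            "email": email,
            "pw_salt": pw_salt,
            "pw_hash": _kdf(password, pw_salt),
            "secret_salt": secret_salt,
            "secret_hash": _kdf(enrolled_secret, secret_salt),
            "must_change": False,
        }

    def verify(self, username, password) -> str:
        """'ok', 'must_change' (temporary password accepted, change required)
        or 'fail'."""
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], _kdf(password, rec["pw_salt"])):
            return "fail"
        return "must_change" if rec["must_change"] else "ok"

    def _set_password(self, username, password, must_change):
        rec = self._users[username]
        rec["pw_salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = _kdf(password, rec["pw_salt"])
        rec["must_change"] = must_change

    # --- self-service reset -------------------------------------------------
    def request_self_service_reset(self, username, identifying_secret):
        """Always returns None so the caller's response cannot reveal whether
        the username or the secret was right; a token is mailed only on a match."""
        rec = self._users.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["secret_hash"], _kdf(identifying_secret, rec["secret_salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": username,
            "expires": self._clock() + self.TOKEN_TTL_SECONDS,
        }
        self.outbox.append((rec["email"], token))   # only the hash is kept here
        return None

    def complete_self_service_reset(self, token, new_password) -> bool:
        entry = self._tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
        if entry is None or self._clock() > entry["expires"]:
            return False
        self._set_password(entry["user"], new_password, must_change=False)
        return True

    # --- assisted reset -----------------------------------------------------
    def assisted_reset(self, username) -> str:
        """Help desk path: returns a temporary password for the operator to
        give the user. The account is flagged so the user must change it,
        which leaves the operator without a working credential."""
        if username not in self._users:
            raise KeyError(username)
        temp = secrets.token_urlsafe(12)
        self._set_password(username, temp, must_change=True)
        return temp

    def change_password(self, username, current_password, new_password) -> bool:
        if self.verify(username, current_password) == "fail":
            return False
        self._set_password(username, new_password, must_change=False)
        return True
```

The two details that matter most here are that the reset token is stored only as a hash (a leaked database cannot be used to complete a pending reset) and that the temporary password from the help desk cannot be used for anything except choosing a new one.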
Legacy single sign-on is another issue. It functions much like the single sign-on found in web access management; the only major difference is that it is for employees and the applications they use rather than the internet. Legacy applications can be a hassle because they often require a different type of authentication than the solution can offer, and in these situations IT departments may come up with some workaround. The pitfalls of this type of system are that it is often expensive to implement and, if anyone ever manages to hack their way in, they have access to everything.
Another issue that must be addressed is account management. New employees often find that it takes a good bit of time to get all the rights they need for their account in order to start doing their job productively. Also, it is quite common for employee accounts to still be active long after that employee has been terminated. This causes multiple problems from a security standpoint. A better practice is to set up an automated system that allows HR to add or remove an employee. When this happens, a message is sent automatically to that employee's manager, who is required to sign off on granting or removing certain rights and access. After permission is given, the changes take place automatically in the system. This type of system can be very expensive, but with more and more regulatory requirements going into effect, they are becoming more prevalent.
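The HR-driven workflow just described is small enough to model directly. The following is an added example, not code from this post or from any provisioning product: HR raises a join or leave event, the named manager must approve the resulting grant or revoke request, and only then does the account change; a stale-account report lists accounts still enabled after HR says the person is gone, which is exactly the gap the post warns about. The roles, entitlements, people and request-id format are constructed for the example.

```python
"""Added example (not code from the post): an HR-driven account lifecycle.
HR raises a join or leave event, the named manager approves the resulting
grant or revoke request, and only then does the account change. A stale-account
report lists accounts still enabled after HR says the person is gone. Roles,
entitlements and people are constructed."""
from dataclasses import dataclass, field

# Constructed role-to-entitlement mapping (role-based access control).
ROLE_ENTITLEMENTS = {
    "accountant": {"email", "ledger-app"},
    "engineer": {"email", "git", "vpn"},
}


@dataclass
class Account:
    username: str
    enabled: bool = True
    entitlements: set = field(default_factory=set)


class ProvisioningWorkflow:
    def __init__(self):
        self.hr_records = {}      # username -> {"status", "role", "manager"}
        self.accounts = {}        # username -> Account
        self.pending = {}         # request id -> request awaiting a manager
        self.notifications = []   # (manager, request id) messages sent
        self.audit_log = []
        self._counter = 0

    def hr_event(self, username, status, role, manager) -> str:
        """HR adds ('active') or removes ('terminated') an employee. Nothing
        changes yet: a request is queued and the manager is notified."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        self.hr_records[username] = {"status": status, "role": role, "manager": manager}
        self._counter += 1
        request_id = f"req-{self._counter}"
        self.pending[request_id] = {
            "username": username,
            "action": "grant" if status == "active" else "revoke",
            "entitlements": set(ROLE_ENTITLEMENTS[role]),
            "manager": manager,
        }
        self.notifications.append((manager, request_id))
        return request_id

    def manager_decision(self, request_id, manager, approve: bool) -> str:
        """Only the manager named on the request may decide it. An approved
        request is applied immediately; a denied one is only logged."""
        request = self.pending.get(request_id)
        if request is None:
            return "unknown request"
        if manager != request["manager"]:
            return "not authorized"
        del self.pending[request_id]
        if not approve:
            self.audit_log.append((request_id, manager, "denied"))
            return "denied"
        user = request["username"]
        if request["action"] == "grant":
            account = self.accounts.setdefault(user, Account(user))
            account.enabled = True
            account.entitlements |= request["entitlements"]
        else:
            account = self.accounts.get(user)
            if account is not None:
                account.enabled = False
                account.entitlements.clear()
        self.audit_log.append((request_id, manager, "applied"))
        return "applied"

    def stale_accounts(self):
        """Enabled accounts whose owner HR no longer lists as active: the
        window between termination and de-provisioning that should be zero."""
        return sorted(
            user for user, account in self.accounts.items()
            if account.enabled and self.hr_records.get(user, {}).get("status") != "active"
        )


if __name__ == "__main__":
    flow = ProvisioningWorkflow()
    rid = flow.hr_event("carol", "active", "accountant", "dave")
    print(flow.manager_decision(rid, "dave", True), flow.accounts["carol"])
    rid = flow.hr_event("carol", "terminated", "accountant", "dave")
    print("stale while approval is pending:", flow.stale_accounts())
    print(flow.manager_decision(rid, "dave", True), "stale now:", flow.stale_accounts())
```

Note that the stale-account report is the detection control that backs up the workflow: if a manager never acts on a revoke request, the terminated employee's account shows up on that report until it is disabled.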
The final issue is fairly simple: the profile update. This involves adding, deleting, or changing user information as needed. Generally there needs to be a tool in place that allows a user to log in and change non-sensitive data about themselves.