Recognizing and Battling Your Enemy
Cyber guerillas are the newest breed of hackers. They love to hunt, sniffing the air for signals emitted by the wireless handheld devices you use to connect, primarily over the WLAN, and then exploit the vulnerable network to launch an attack. In this article, Judith explains who the cyber guerillas are and where you are most likely to meet them. She also covers the main wireless security issues and describes how the guerillas use the tools of the trade to intercept, intrude upon, and attack unprotected wireless traffic. Finally, she discusses VPN support briefly and lists the shortcomings of mobile devices, with suggested solutions for each.
Who are the Cyber Guerillas?
They are the cyber spies that were the stuff of fiction a decade ago, but now they can spring at you like a jack-in-the-box if you are not careful, especially when you use your Palm or another wireless mobile device on the road. They are the cyber version of the urban guerillas you read about in the newspapers.
Cyber guerillas intend to deny or destroy wireless services for legitimate users, and as such are an even greater danger than hackers. Hackers, or intruders, know ahead of time where the signals from wireless networks (WLAN and mobile) are (see C. C. Palmer’s “Ethical Hacking”). They use the tools of the trade to listen to the actual packet flow in a vulnerable network and then break into their intended targets. Cyber guerillas, on the other hand, first search the spectrum for signals and then use hacking tools to decrypt the transmissions.
In Search of Their Prey
The guerillas can find their victims stealthily, which could be anyone — a business traveler closing a multimillion dollar deal, a professor working on a sensitive research proposal, a senior executive using a dual-mode phone to roam from a Wi-Fi network at a hotspot (for example, a hotel) to a cellular network on his way to a plane, or even military personnel receiving military alerts while on a break from combat (see Meridith Levinson’s article, “Building on Air”).
I was a victim when incoming signals to my Palm caused my e-mail list to jitter wildly while a train I was riding in stopped momentarily. When the train started to move again, the jitters ceased. I immediately purged all messages from my Palm, as it has a weak encryption algorithm, or none at all, because of its low memory and low speed.
Get a Load of a Cyber Guerilla
A cyber guerilla assumes the role of an eavesdropper when he listens in and grabs passwords, valid station identifiers, and network addresses (particularly the default ones the installer or system administrator forgot to change). With that information, the cyber guerilla might decide to steal Internet bandwidth or, better still from his point of view, use your network as a springboard to attack others. Once there, he can escalate to masquerading: pretending to be you in order to obtain private information he is not supposed to have access to (see Lisa Phifer’s article, “Air Safety”).
Whatever role the guerillas play, they use a sniffing tool or two to search for signals from wireless mobile devices. After they intercept the signals, they use what they have learned to tap into high-speed connections and then target wireless vulnerabilities. If you are very observant, you might even spot one or two nice-looking, well-dressed cyber guerillas sitting in the airport or on a commuter train; it shows in the way they point their laptops or handheld devices toward your device when you have, say, your Pocket PC’s internal antenna turned on.
Wireless Security Weak Spots
All wireless telecom industries must monitor the effectiveness of the security mechanisms they’ve implemented. This is particularly important because some mobile devices (such as phones) come without mechanisms for secure transactions. These devices must rely on the security between a device and the provider so that a mobile user can securely perform e-banking, retail payment, brokerage, and other types of transactions.
Rising on the horizon is the emerging multicast wireless technology that would allow a group of mobile users to communicate with one another in m-commerce, military command and control, distance learning, and intelligent transportation control. While considering the marvels of this technology, you must also recognize the security concerns. Wireless links risk interception and eavesdropping, resulting in guerillas stealing or modifying information or even entering the system and rendering it useless by denying service to legitimate users. This is exactly what cyber guerillas love to do.
Some tools that I call cyber weapons combine the best of the sniffing and hacker tools already available. With these cyber weapons — hand-made or manufactured — at the ready, guerillas can effectively intercept signals, rearrange the packets into their proper sequence, and find out the access points of a high-speed network that they can tap into.
In the real world, users of ready-made sniffing tools fall into two groups. The first group is legitimate system administrators, who check traffic flow in WLANs connected to cellular networks to make sure, for example, that load does not reach the point of overload at which the system crashes. The second group is illegitimate users, who employ the same tools as intercepting tools (alongside other types of cyber weapons).
Like other software, legitimate sniffing tools, if not properly designed and implemented, can themselves contain vulnerabilities. Cyber guerillas can use their weapons to exploit the vulnerabilities in system administrators’ sniffing tools. For example, on May 29, 2002, SecurityTracker.com reported vulnerabilities in the Kismet wireless network sniffing software.
War-drivers and war-walkers use freeware sniffer tools (see “Sniffing the Air for Trouble”), including MiniStumbler, a network sniffer for Pocket PC 3.0 and 2003, to find open, unprotected access points (APs).
Cracker tools like WEPCrack run on Linux-based systems and recover the WEP key from captured traffic; when WEP is turned off, no cracking is needed at all, because every frame travels in the clear. One weakness of WEP is that the same key is shared by the AP and every client, so one compromised device exposes all of them. Another is that WEP’s initialization vector (IV) is only 24 bits long and is sent in the clear, so IVs repeat after a few thousand frames and the RC4 keystream is reused; the advertised 64- and 128-bit key sizes include that 24-bit IV, leaving only 40 or 104 bits of secret key (see Dale Gardner’s “Wireless Insecurities”).
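The following is an added example, not code from the article or from WEPCrack, that models the IV problem just described. It implements RC4 and a simplified WEP frame (3-byte IV in the clear, then RC4(IV || key) over plaintext plus CRC-32 ICV; the real frame also carries a key-index byte and 802.11 headers, which are omitted). It shows that an attacker who knows the plaintext of one frame can decrypt any other frame sent under the same IV without ever learning the key, and estimates from the birthday bound how soon a 24-bit IV repeats. All keys, frames and payloads are constructed for the example.

```python
"""Toy model of WEP keystream reuse (added example; not code from the article).

WEP per-frame keystream = RC4(IV || shared key). Because the IV is only 24 bits
and is sent in the clear, IVs repeat, and two frames under one IV leak P1 XOR P2.
Frame layout is simplified to: IV(3) || RC4(plaintext || CRC-32 ICV).
"""
import math
import random
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body under `key` with the given 24-bit IV."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    body = plaintext + icv(plaintext)
    return iv + xor(rc4(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: strip the IV, decrypt, and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(rc4(iv + key, len(body)), body)
    plaintext, tag = data[:-4], data[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def recover_with_known_plaintext(known_frame: bytes, known_plaintext: bytes,
                                 target_frame: bytes) -> bytes:
    """Attacker side, no key needed: given a frame whose plaintext is known
    (for example a predictable ARP or DHCP payload) and a second frame that
    reuses the same IV, the keystream from the first decrypts the second."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    keystream = xor(known_frame[3:], known_plaintext + icv(known_plaintext))
    target_body = target_frame[3:]
    n = min(len(keystream), len(target_body))
    recovered = xor(target_body[:n], keystream[:n])
    # Strip the target's 4-byte ICV only when the whole body was covered.
    return recovered[:-4] if n == len(target_body) else recovered


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: mean number of frames before a randomly chosen IV repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def first_iv_repeat(seed: int, iv_bits: int = 24) -> int:
    """Simulate random IV selection; return the frame number at which the first repeat occurs."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                    # constructed 40-bit key ("64-bit WEP")
    iv = b"\x00\x00\x01"
    a = wep_encrypt(key, iv, b"ARP who-has 10.0.0.1")   # constructed frame with predictable contents
    b = wep_encrypt(key, iv, b"PIN=4711 acct=12345")    # constructed secret frame, same IV
    print(recover_with_known_plaintext(a, b"ARP who-has 10.0.0.1", b))
    print(round(expected_frames_until_iv_repeat()), first_iv_repeat(seed=1))
```

The birthday estimate comes out at roughly 5,100 frames, and many early WEP drivers did not even pick IVs randomly but counted up from zero at every reset, which makes collisions far more frequent than the estimate. The CRC-32 ICV adds nothing against an attacker who has the keystream, since CRC is linear and the ICV of any modified payload can be computed without the key.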
Please do add VPN Support
VPNs on handheld devices are one of the better ways to keep intruders out of wireless transmissions. Once the device’s VPN client has connected to the Internet and obtained an IP address, it can authenticate itself to the company’s VPN server (see Sandra Kay Miller’s “Facing the Challenge of Wireless Security”). Many VPN clients use IPSec to encrypt and authenticate the tunnel, which leaves cyber guerillas with nothing readable to intercept (see Dale Gardner’s “Wireless Insecurities”).
Microsoft has added VPN support to Pocket PC 2002, and WebSphere Everyplace Connection Manager includes a mobile VPN (for laptops and PDAs) to encrypt data. This software is intended to protect sessions as users roam across wireless and wired networks. It also enables a developer to make portal information available to multiple types of devices (see Jimmy Thrasher’s “Transcoding Technology in WebSphere Everyplace Access: Using Transcoding Technology to Expand your Pervasive Portal”).
Defeating Your Would-Be Attacker
While you enjoy using wireless mobile devices with or without VPN support, you must consider the additional pitfalls associated with them. Don’t be discouraged, though, as I have some tried-and-true solutions.
Pitfall 1: Frequency channel overlapping. The spacing between channels can be so narrow that one channel’s signal overlaps with a neighbor’s. In the 2.4 GHz band used by 802.11b, channels are 5 MHz apart but each occupies about 22 MHz, so only channels 1, 6, and 11 (in North America) are free of overlap. Solution: Note when overlapping occurs and move your Palm or laptop to a better location, or put neighboring APs on non-overlapping channels.
Pitfall 2: Wi-Fi implementation incompatibility. That is, technologies used in different systems do not always work together. Solution: Get a standard dual-mode mobile phone that allows switching from Wi-Fi to cellular and vice versa.
Pitfall 3: Hotspots in public places. To be productive while waiting in airports and hotel lobbies, workers connect to a hotspot and hand it subscriber identity and payment information. From a safe distance, cyber guerillas can run intercepting tools the moment a legitimate user connects a mobile device to the hotspot. Solution: Get your company to establish or upgrade its policy on the use of hotspots, for example by requiring that the VPN client be launched before logging into the SSL portal, or by installing a PDA version of a personal firewall on every device used at a hotspot.
Pitfall 4: Unauthorized workstations. Laptops and PDAs have also been connected through workstations that nobody on the IT staff sanctioned or recorded. Solution: Make an inventory of laptops and PDAs, their MAC addresses, and their operating systems, and label workstations according to the sensitivity of the data they hold.
Pitfall 5: System defaults that haven’t been changed. They can expose corporate assets to unauthorized users. Solution: Change the default settings for administrator passwords, APs, and Service Set Identifiers (SSIDs). Do not replace them with new settings that are easy for a cyber guerilla to guess. Create a long random sequence of letters and numbers, and do not post it anywhere a guerilla could see it. Change the settings on a periodic basis (for example, every 30 days).
Pitfall 6: Immature or inadequate wireless standards. If they are not applied consistently they might not be effective. Solution: Organize an industry-wide standards committee to create, improve, or implement wireless mobile device standards.
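As an added example (not code from the article), the following script turns the solutions for Pitfalls 4 and 5 into two checks: it compares the MAC addresses seen associating in an AP log against the device inventory and lists any station that is not in it, and it audits an AP’s configuration for default SSIDs, default or weak administrator passwords, and settings older than the 30-day rotation period, generating a replacement secret from the OS random source. The inventory, the log lines (written in the style of a hostapd association message, an assumption made for the example) and the lists of vendor defaults are all constructed for illustration.

```python
"""Checks for Pitfalls 4 and 5 (added example; not code from the article).
The inventory, log lines and default-value lists below are constructed; the
hostapd-style log format is an assumption chosen for the example."""
import re
import secrets
import string

# Pitfall 4: inventory of authorised devices, keyed by MAC address (constructed).
INVENTORY = {
    "00:0a:95:9d:68:16": {"owner": "jsmith-laptop", "os": "Windows XP", "sensitivity": "confidential"},
    "00:04:e2:12:34:56": {"owner": "jsmith-pda", "os": "Pocket PC 2003", "sensitivity": "internal"},
}

# Constructed AP association log; the third station is not in the inventory.
AP_LOG = """\
May 29 10:12:01 ap1 hostapd: wlan0: STA 00:0a:95:9d:68:16 IEEE 802.11: associated
May 29 10:12:07 ap1 hostapd: wlan0: STA 00:04:E2:12:34:56 IEEE 802.11: associated
May 29 10:13:40 ap1 hostapd: wlan0: STA 00:0d:88:aa:bb:cc IEEE 802.11: associated
"""

MAC_RE = re.compile(r"STA ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) IEEE 802\.11: associated", re.I)


def unknown_stations(log: str, inventory: dict) -> list:
    """MAC addresses that associated with the AP but are not in the inventory."""
    seen = {m.group(1).lower() for m in MAC_RE.finditer(log)}
    return sorted(seen - {mac.lower() for mac in inventory})


# Pitfall 5: defaults an installer may have left in place (illustrative lists).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami", "wireless", "wlan"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "public", "private"}
MIN_SECRET_LEN = 16
MAX_SETTING_AGE_DAYS = 30


def _mixed(s: str) -> bool:
    """True when the string contains at least one letter and at least one digit."""
    return any(c.isdigit() for c in s) and any(c.isalpha() for c in s)


def audit_ap(config: dict) -> list:
    """Return a list of findings for one access point's configuration."""
    findings = []
    ssid = config.get("ssid", "")
    if ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(f"SSID {ssid!r} is a vendor default")
    pw = config.get("admin_password", "")
    if pw.lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is a vendor default")
    elif len(pw) < MIN_SECRET_LEN or not _mixed(pw):
        findings.append(f"administrator password is shorter than {MIN_SECRET_LEN} "
                        "characters or does not mix letters and digits")
    if config.get("days_since_change", 0) > MAX_SETTING_AGE_DAYS:
        findings.append(f"settings are older than {MAX_SETTING_AGE_DAYS} days")
    return findings


def new_setting(length: int = 24) -> str:
    """Random letters-and-digits string from the OS CSPRNG, guaranteed to contain both."""
    alphabet = string.ascii_letters + string.digits
    while True:
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if _mixed(s):
            return s


if __name__ == "__main__":
    print("unknown stations:", unknown_stations(AP_LOG, INVENTORY))
    weak_ap = {"ssid": "linksys", "admin_password": "admin", "days_since_change": 45}
    for finding in audit_ap(weak_ap):
        print("finding:", finding)
    print("replacement admin password:", new_setting())
```

Two caveats a practitioner should keep in mind: a MAC address is trivially spoofed, so the inventory check catches careless or accidental connections rather than a determined cyber guerilla, and a non-default SSID is not a secret, since the AP beacons it, so the SSID change is about avoiding default configurations rather than hiding the network.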
Preparing for Combat
More and more PDAs will appear that allow users to roam from one wireless type to another, such as WLAN, MLAN, and WWAN, as manufacturers move dual-mode chipsets from the developmental stage to the market. However, better encryption algorithms alone are not the answer to better security for PDAs. Security should be added at each networking layer and to each physical entity in the network (see Steve F. Russe’s article, “Wireless Network Security for Users”). PDA versions of the personal firewall, intrusion detection, and other security programs written for desktop computers are also needed. More important still is the ability of a handheld mobile device to switch among wired and wireless networks with a security policy in place. The device must reduce risks to reasonable levels with safeguards and a disaster recovery plan in place.
• Read “Wireless Network Security for Users”, by Steve F. Russe.
• Read this interesting article on “Facing the Challenge of Wireless Security”, by Sandra Kay Miller in Computer, IEEE Computer Society Press, July 2001.
• Here’s a case study of how Bechtel used wireless technology to stay ahead of their competitors.
• The vulnerabilities in Kismet Wireless Network Sniffing Software are laid bare in this article.
• Lisa Phifer offers solutions and best practices for protecting wireless networks in her article, “Air Safety”.
• Read more about identifying and controlling PDA vulnerabilities in “Wireless Insecurities”, by Dale Gardner.
• The author’s “The Complete Book of Middleware” focuses on the essential principles and priorities of system design and emphasizes the new requirements brought forward by the rise of e-commerce and distributed integrated systems.
• Myerson has also written “Enterprise Systems Integration” to provide business insight and the technical know-how that ensures successful systems integration.
• The article “Sniffing the Air for Trouble” tells how you can download freeware AP discovery tools.
• Download WebSphere Everyplace Connection Manager for a free evaluation.
• This article on “Ethical Hacking” offers a view of the counterparts to cyber guerillas.
• Developers will also find useful information in the article “Transcoding Technology in WebSphere Everyplace Access: Using Transcoding Technology to Expand your Pervasive Portal”.
• This link for MiniStumbler contains information on using MiniStumbler on a Pocket PC.
• Cracker tools like WEPCrack can quickly begin decoding traffic on Linux-based systems.