Security Auditing Wireless Networks
Ted J. Eull, viaForensics
October 12, 2011

Introductions

viaForensics
• Digital security via forensics. Leader in mobile forensics and security assessment
• Apply methods used for computer crime investigation and incident response proactively to enhance security.
• Based in Oak Park, IL (Chicago suburb)

Ted Eull, VP Technology Services
• 10+ years in IT consulting, corporate and security
• Background in Web app development
• GWAPT, CRISC pending
• Not a wireless pen test specialist (sorry)

Agenda
• Why? Reasons to security audit your wireless devices and network
• What? Identifying your wireless network components
• How? Wireless audit & technical security assessment process
• Who and When? Internal/External, frequency of assessment
• Recommendations and Resources

Why: Reasons to audit
• CobiT: Linking Business Goals to IT Goals
• Many reasons to leverage wireless
• Key reasons to security audit

Why: Reasons to audit
• Regulations, regulations
• Both industry and government
  – PCI / Payment Card Industry
  – GLBA / Gramm–Leach–Bliley Act
  – Federal Financial Institutions Examination Council / FFIEC
  – Health Information Portability and Accountability Act / HIPAA
  – Federal Energy Regulatory Commission / FERC
  – Sarbanes-Oxley / SOX

Why: Duh.
• Protect your business / organization
• Sensitive and proprietary information
• Clients and business partner data
• Reputation
• The reasons behind the regulations

Why: Wireless Issues
From the FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/information-security/securitycontrols-implementation/access-control-/network-access-.aspx

Wireless Issues
Wireless networks are difficult to secure because they do not have a well-defined perimeter or well-defined access points. Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection. Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those risks, wireless networks rely on extensive use of encryption to authenticate users and devices and to shield communications.

More Why: Wireless Issues
Wireless Issues (continued)
If a financial institution uses a wireless network, it should carefully evaluate the risk and implement appropriate additional controls. Examples of additional controls may include one or more of the following:
• Treating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment;
• Using end-to-end encryption in addition to the encryption provided by the wireless connection;
• Using strong authentication and configuration controls at the access point and on all clients;
• Using an application server and dumb terminals;
• Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference; and
• Monitoring and responding to unauthorized wireless access points and clients.

Why: The threats
Data Interception
• Can be intercepted at distance with directional antennas (Wi-Fi sniper rifles clocked at > 10 miles)
• WEP can be cracked in seconds
• TKIP is vulnerable to a keystream recovery attack which can allow injection of certain frames; this can enable ARP poisoning and DoS, for example. AES is better.
• WPA/WPA2 vulnerable to dictionary attacks, rainbow tables and brute forcing.
• Many large organizations adopt a standard 802.1X configuration using EAP-TLS with user certificates and a RADIUS server for authentication. Although considered very secure, be aware that it can still expose username and domain in the clear when authenticating.
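The Data Interception points above are what a configuration review of the Wi-Fi infrastructure has to turn into findings. The following Python script is an added worked example (not from the deck or from viaForensics): it maps a constructed AP inventory to the WEP, TKIP, pre-shared key and EAP identity issues listed above, and also folds in the 802.11w management frame protection and hidden SSID points the deck raises on later slides. The field names, the severity scale, the 20-character passphrase minimum and the anonymous outer identity setting are this example's own assumptions, not any vendor's configuration keys.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class APConfig:
    """One access point's relevant settings (field names are this example's own, not a vendor's)."""
    ssid: str
    security: str                     # "open", "wep", "wpa-psk", "wpa2-psk" or "wpa2-enterprise"
    cipher: Optional[str] = None      # "tkip" or "ccmp" (AES); None for open/WEP
    eap_method: Optional[str] = None  # e.g. "EAP-TLS" for 802.1X deployments
    anonymous_outer_identity: bool = False  # assumed client setting that hides the real EAP identity
    psk_length: Optional[int] = None  # length of the pre-shared key, if PSK is used
    pmf: bool = False                 # 802.11w management frame protection enabled
    hidden_ssid: bool = False


@dataclass
class Finding:
    ssid: str
    severity: str        # critical / high / medium / low
    issue: str
    recommendation: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
MIN_PSK_LENGTH = 20  # assumed policy minimum for this example, not a value from the deck


def review_ap(ap: APConfig) -> List[Finding]:
    """Map one AP's configuration to the interception and DoS threats the deck lists."""
    f: List[Finding] = []
    if ap.security == "open":
        f.append(Finding(ap.ssid, "critical", "no link-layer encryption",
                         "treat as untrusted; require end-to-end encryption (VPN) and isolate from the LAN"))
    elif ap.security == "wep":
        f.append(Finding(ap.ssid, "critical", "WEP in use (crackable in seconds)",
                         "migrate to WPA2 with AES/CCMP"))
    if ap.cipher == "tkip":
        f.append(Finding(ap.ssid, "high",
                         "TKIP cipher (keystream recovery allows frame injection, ARP poisoning, DoS)",
                         "allow AES/CCMP only"))
    if ap.security in ("wpa-psk", "wpa2-psk"):
        if ap.psk_length is None or ap.psk_length < MIN_PSK_LENGTH:
            f.append(Finding(ap.ssid, "high",
                             f"pre-shared key shorter than {MIN_PSK_LENGTH} characters "
                             "(dictionary, rainbow table and brute-force risk)",
                             "use a long random passphrase or move to 802.1X"))
        else:
            f.append(Finding(ap.ssid, "medium",
                             "pre-shared key authentication (shared secret can be guessed offline)",
                             "consider 802.1X with EAP-TLS and a RADIUS server for corporate use"))
    if ap.security == "wpa2-enterprise" and not ap.anonymous_outer_identity:
        f.append(Finding(ap.ssid, "low", "EAP outer identity sends username and domain in the clear",
                         "configure an anonymous outer identity on clients where the EAP method supports it"))
    if not ap.pmf:
        f.append(Finding(ap.ssid, "medium",
                         "802.11w management frame protection disabled (deauth attacks possible)",
                         "enable 802.11w where APs and clients support it; ensure WIDS alerts on deauth floods"))
    if ap.hidden_ssid:
        f.append(Finding(ap.ssid, "low",
                         "hidden SSID makes clients probe for it everywhere (tracking, evil twin exposure)",
                         "broadcast the SSID; rely on authentication, not obscurity"))
    return f


def review_inventory(aps: List[APConfig]) -> List[Finding]:
    """Review every AP and return findings ordered from most to least severe."""
    findings = [x for ap in aps for x in review_ap(ap)]
    findings.sort(key=lambda x: SEVERITY_ORDER[x.severity])
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, or None when the inventory is clean."""
    if not findings:
        return None
    return min(findings, key=lambda x: SEVERITY_ORDER[x.severity]).severity


# Constructed sample inventory for the example; SSIDs and settings are made up.
SAMPLE_INVENTORY = [
    APConfig("corp-legacy", "wep"),
    APConfig("corp-guest", "wpa2-psk", cipher="tkip", psk_length=8),
    APConfig("corp-secure", "wpa2-enterprise", cipher="ccmp", eap_method="EAP-TLS", pmf=True),
    APConfig("corp-good", "wpa2-enterprise", cipher="ccmp", eap_method="EAP-TLS",
             anonymous_outer_identity=True, pmf=True),
]

if __name__ == "__main__":
    for x in review_inventory(SAMPLE_INVENTORY):
        print(f"[{x.severity:8}] {x.ssid}: {x.issue} -> {x.recommendation}")
    print("worst:", worst_severity(review_inventory(SAMPLE_INVENTORY)))
```

The rules are deliberately ordered so that a WEP or open network is reported as critical regardless of what else is set; the PSK length check is the one place where a policy number enters, and it should be replaced with the organization's own standard before use.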
Why: The threats
Denial of Service
• Signal/frequency jamming
  – Cheap portable devices from China
• Deauth attack
  – Management frames are sent in the clear for 802.11a/b/g/n, which includes deauth frames. 802.11w protects management frames, which prevents deauth attacks, but it has only been adopted by a few vendors
  – A small laptop or handheld device can send out deauth requests continually, which drops clients. Can even be targeted at a certain vendor (e.g. all Apple devices)
  – WIDS should detect this
• Channel reservation
  – Attacker can send out repeated frames with a maximum wait duration and silence the channel, for equipment that follows the 802.11 spec

Why: The threats
Rogue Access Points
• Unauthorized APs plugged into the internal LAN.
• Can be detected by some enterprise APs which scan for nearby rogue APs, and also by scanning the internal LAN for the management interface of popular wireless routers.
• Can be detected by regular site surveys using Wi-Fi scanning equipment and directional antennas.
• Spectrum analyzer capability is useful to catch highly covert installations and devices tuned off-band so as to avoid detection by standard equipment.

Why: The threats
Misconfigured APs
• With the vast number of configuration options, it requires a great deal of planning, testing, ongoing maintenance and training to operate a large Wi-Fi installation.
Ad Hoc and Software APs
• Can allow an attacker to connect directly to a corporate laptop inside a building and route traffic onto the corporate LAN, bypassing network security.
Client Driver Attacks
• Exploiting bugs in Wi-Fi drivers of clients to remotely execute code on a victim's device without even needing a Wi-Fi network.
• Defense is to keep client drivers patched, but still exposed to zero days

Why: The threats
Misbehaving Clients and Evil Twin APs
• Clients forming unauthorized connections accidentally or intentionally
• If the corporate SSID is hidden, it will cause the client device to continually probe for it wherever it goes, leaking information and providing the ability for devices to be tracked.
• If a client has previously connected to a hidden open network, or an open network with a common name such as Starbucks or McDonalds, then an attacker can easily trick the client into connecting to their AP, from where a MITM attack can occur.
• If a user is allowed to connect to any Wi-Fi network, then they could be enticed to connect to an attacker's AP with the promise of free Wi-Fi or because it looks like an official corporate one.

Why: In short
• Because it is a scary cyber world out there
• To determine whether wireless technologies are properly managed and secured, in accordance with overall enterprise IT governance

What: Wireless components
• WLAN
  – IEEE 802.11 spec
  – aka Wi-Fi
  – b/a/g/n
• Router/access point
• Wireless clients
• Typical range has nearly doubled in 10 years
• Anything else?

What: More than WLAN
Identify all use of wireless to evaluate potential risk
• Cellular (3G, LTE)
• Bluetooth
• Radio-frequency identification / RFID
• Near field communication / NFC
• Zigbee
Not all may require security assessment, but each should be understood and evaluated

What? More than WLAN
When identifying wireless in the enterprise, think outside the WLAN
• Warehouse (RFID)
• PC & mobile accessories (Bluetooth)
• "Smart meters" (Wi-Fi, Zigbee)
• And most of all…

What? More than WLAN
Mobile devices and more mobile devices
By 2013, mobile phones will overtake PCs as the most common Web access device worldwide [Gartner].
• Often consumer devices (iOS, Android)
• Cellular + Wi-Fi
• Inexpensive
• Flexible
• Fast evolving
• Easy to secure
  – Just kidding

How: Audit Process
• You decided auditing wireless is a good idea
• Risk assessment
  – Identify technology in use
  – Threat profiling: start bottom-up, i.e. consider all threats to the tech in use
  – STRIDE threats: Spoofing identity, Tampering with data, Repudiation (insufficient logging), Information disclosure, Denial of service, Elevation of privileges
  – Try to construct realistic scenarios
  – Find pre-constructed scenarios
  – Have business stakeholders involved

How: Audit Process
• Evaluate risk
  – Consider industry and company-specific regulatory, policy and risk factors
  – Use DREAD or another rating system: Damage + Reproducibility + Exploitability + Affected users + Discoverability
  – Consider the potential cost of the "worst case scenario"
• Evaluate security countermeasures and controls in place which can mitigate threats

How: Technical Process
• Perform security assessment: Scope
  – Scope appropriate for risk
  – Vulnerability assessment vs. penetration testing
  – Test active production systems
  – Plan to trigger detection / countermeasures

How: Technical Process
• Perform security assessment: Review
  – Design review of Wi-Fi infrastructure
    • Authentication
    • Defense in depth
    • Physical AP placement, security
    • Signal coverage
  – Configuration review of Wi-Fi infrastructure to make sure it is configured correctly
    • Firmware versions
  – Review mobile device controls and security

How: Technical Process
• Perform security assessment: Scan
  – Site survey with a directional antenna and some good scanning software to identify rogue APs. Use a spectrum analyzer to pick up covert or malfunctioning wireless devices.
  – Test WIDS/WIPS if present by undertaking malicious activity such as deauth attacks and evil twin APs
  – Scans for client devices, such as:
    • Pineapple Karma attack to see who connects
    • Sniffing authentication to corporate Wi-Fi
    • Scanning for vulnerable client Wi-Fi drivers (can crash devices)

How: Technical Process
• Wi-Fi Pineapple and Jasager
  – Jasager = "The Yes Man"
  – Portable Wi-Fi router built for initiating a MITM position
  – Web interface for the attacker, showing currently connected clients with their MAC address, IP address (if assigned) and the SSID they associated with
  – Run scripts on IP assignment
  – Full logging for later review
  – Extensible, with additional modules
  – Easy to set up phishing attacks
  – About $100 from http://hakshop.com/

How: Technical Process
• Perform security assessment: Mobile devices
  – Forensic analysis of mobile devices that access the network and store data
  – Assess data exposure
  – Test efficacy of security controls (e.g. passcode, remote wipe)
  – Examples of issues uncovered:
    • Network username/password easily recoverable
    • Corporate email in user backups
    • Passcode enforcement and remote wipe failure
    • Keychain dump (iOS)

How: Technical Process
• Mobile Risk Study from viaForensics
  – Focused on iOS & Android
  – Key issues, recommendations
  – Risk scenarios, risk map
  – Corporate policy recommendations
  – Comparison to BlackBerry
  – Lab tests of MS Exchange ActiveSync policy implementation
  – Technical review of encryption, passcode protection, malware vulnerability, etc.
  – High-level overview of Mobile Device Management (MDM) software
  – Available this month (online purchase/download)

Who: Internal or External
• Some level of internal assessment capability should be maintained
• Leverage external specialized expertise for a more complete vulnerability assessment or pen test
• Experienced testers should perform more than automated scans
• Security certifications are good, wireless-specific even better (e.g. GAWN)

When: And how often
• Depends on the enterprise audit program
• At least an annual basic assessment
  – Identify technologies, infrastructure, devices
  – Check configurations, logging
  – Level set with overall security policies
• Regular mobile device audits
• Frequency of vulnerability scans and pen tests depends on corporate risk evaluation
• Ongoing security through active monitoring, such as WIDS/WIPS

Recommendations
(image slide: WEP)

Recommendations
• Assume all wireless traffic can be intercepted
• Isolate wireless from the corporate LAN
• If Wi-Fi on the LAN is necessary, use strong authentication, an isolated VLAN and NAC
• Use IDS/IPS for continuous monitoring
• Test security systems such as WIDS
• Implement a reliable VPN for mobile workers; use GPO to require VPN when off the LAN
• Assess how mobile devices are being used and where data is going
• Policy and training for users on wireless security

Resources
• ISACA
  – What every IT auditor should know about wireless telecommunication (2006)
    http://www.isaca.org/Journal/Past-Issues/2006/Volume4/Pages/What-Every-IT-Auditor-Should-Know-About-WirelessTelecommunication1.aspx
  – Mobile Computing Security Audit/Assurance Program (2010)
    http://www.isaca.org/KnowledgeCenter/Research/ResearchDeliverables/Pages/Mobile-ComputingSecurity-Audit-Assurance-Program.aspx
• viaForensics Mobile Risk Study
  – http://viaforensics.com/mobile-risk-study

Resources
• RFID tools (rfidiot, proxclone reader/cloner)
  – http://hackaday.com/2007/03/25/rfidiot-rfid-io-tools/
  – http://proxclone.com/reader_cloner.html
• Other tools
  – Aircrack http://www.aircrack-ng.org/
  – Kismac / KisMAC http://www.kismetwireless.net/
  – Wireshark http://www.wireshark.org/
  – Ettercap http://ettercap.sourceforge.net/
  – Pineapple http://hakshop.com/products/wifi-pineapple

Questions?
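The deck's threat slides (rogue access points, evil twin APs, deauth attacks) and its recommendations (test WIDS, ongoing monitoring through WIDS/WIPS) describe what a wireless intrusion detection rule set has to catch. The Python below is an added worked example, not code from the deck or from viaForensics, showing the two core checks in their simplest form: comparing a site-survey scan against an authorized AP inventory to flag evil twin candidates and unknown or hidden APs, and counting deauth/disassociation frames per source over a sliding window to flag a deauth flood. The inventory, BSSIDs, scan records, frame timestamps, the 1-second window and the 10-frame threshold are all constructed for the example and would be tuned to the real environment.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Constructed authorized inventory: SSID -> set of authorized BSSIDs (made-up addresses).
AUTHORIZED: Dict[str, Set[str]] = {
    "corp-wifi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "corp-guest": {"00:11:22:aa:bb:03"},
}

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ScanRecord:
    """One beacon seen during a site survey."""
    bssid: str
    ssid: str      # "" when the beacon hides the SSID
    channel: int
    rssi: int      # dBm


@dataclass(frozen=True)
class MgmtFrame:
    """One 802.11 management frame as a monitor would log it."""
    ts: float      # seconds
    subtype: str   # "beacon", "deauth", "disassoc", ...
    src: str
    dst: str


def classify_scan(records: List[ScanRecord],
                  authorized: Dict[str, Set[str]]) -> List[Tuple[ScanRecord, str]]:
    """Label each scanned AP relative to the authorized inventory."""
    results = []
    for r in records:
        allowed = authorized.get(r.ssid)
        if allowed is not None and r.bssid in allowed:
            verdict = "authorized"
        elif allowed is not None:
            verdict = "evil-twin-candidate"   # corporate SSID from a BSSID we do not own
        elif r.ssid == "":
            verdict = "hidden-unknown"        # follow up with directional antenna / spectrum analyzer
        else:
            verdict = "unknown"               # neighbour or rogue; needs site-survey follow-up
        results.append((r, verdict))
    return results


def summarize(results: List[Tuple[ScanRecord, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for _, verdict in results:
        counts[verdict] += 1
    return dict(counts)


def detect_deauth_floods(frames: List[MgmtFrame], window: float = 1.0,
                         threshold: int = 10) -> Dict[str, dict]:
    """Alert on any source sending >= threshold deauth/disassoc frames within `window` seconds."""
    per_src: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for fr in sorted(frames, key=lambda f: f.ts):
        if fr.subtype not in ("deauth", "disassoc"):
            continue
        q = per_src[fr.src]
        q.append(fr.ts)
        while fr.ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and fr.src not in alerts:
            alerts[fr.src] = {"first_ts": q[0], "count": len(q), "broadcast": fr.dst == BROADCAST}
    return alerts


# Constructed survey: one evil twin, one hidden AP, one neighbour, two authorized APs.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:aa:bb:01", "corp-wifi", 6, -40),
    ScanRecord("02:aa:bb:cc:dd:ee", "corp-wifi", 1, -35),
    ScanRecord("02:12:34:56:78:9a", "", 11, -60),
    ScanRecord("00:11:22:aa:bb:03", "corp-guest", 6, -50),
    ScanRecord("66:77:88:99:aa:bb", "home-router-1234", 11, -30),
]


def build_sample_frames() -> List[MgmtFrame]:
    """Constructed capture: normal beacons, one legitimate deauth, then a 25-frame broadcast deauth burst."""
    frames = [MgmtFrame(float(i), "beacon", "00:11:22:aa:bb:01", BROADCAST) for i in range(20)]
    frames.append(MgmtFrame(0.5, "deauth", "00:11:22:aa:bb:01", "a4:c3:f0:00:00:01"))
    frames += [MgmtFrame(10.0 + i * 0.02, "deauth", "02:de:ad:be:ef:01", BROADCAST) for i in range(25)]
    return frames


if __name__ == "__main__":
    for rec, verdict in classify_scan(SAMPLE_SCAN, AUTHORIZED):
        print(f"{verdict:20} {rec.bssid} ssid={rec.ssid!r} ch={rec.channel} rssi={rec.rssi}")
    print(summarize(classify_scan(SAMPLE_SCAN, AUTHORIZED)))
    print(detect_deauth_floods(build_sample_frames()))
```

The legitimate AP's single deauth never reaches the threshold, so only the burst source is reported; lowering `threshold` to 1 would alert on every deauth, which is why the window and threshold should be set from a baseline of normal roaming on the real network before the rule goes live.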