Looking Back At Wireless Security In 2003
Wireless security is one of the hottest topics in our business. In the article you are just reading, I’ve tried to cover some of the most interesting wireless security topics and events in 2003. The article is divided into several thematical sections: general overview of the wireless security happenings, look back on some software tools, spotlight of two interesting books, a brief positive rant on corporate security world and a Q&A with three wireless security experts working at Funk Software, AirScanner Corporation and IBM.
General overview
The first news item added to Help Net Security in this year was “Wi-Fi: The National Security Threat”. The topic of this news item, was literally copied all over and over throughout the year, so the majority of news stories dissed wireless security. This media “attack” on wire-free network security, eventually lead to a raise in wireless security awareness and better state of security in general.
In March, consultancy firm KPMG once again stressed out the importance of wireless threats, so they set up a couple of wireless honeypots over London and stood by to see what was happening. The results showed some activity, mostly bandwidth stealing and a conclusion was made: “The project dispels the myth that all unauthorized wireless activity is harmless”. At this year’s RSA Conference Europe, held in Amsterdam, I’ve spoken with one of the guys who ran this project and was unpleasantly surprised that all those figures derived from the study, were based on extremely small amount of “unauthorized wireless activity”. From what he said, a new wireless honeypot project is in preparation and it will include far more honeypots, running on several operating systems, which will finally bring much better (from the quality perspective) results than the initial project.
During the NetWorld+Interop conference in April, the Wi-Fi Alliance launched Wi-Fi Protected Access (WPA), protocol that was needed to carry on upon flawed WEP. “Rather than wait for 802.11i to come out as a full standard, which may not happen until next year, they decided to take parts of the draft standard that are already very solid and take that to market now as Wi-Fi Protected Access,” said David Cohen, Wi-Fi Alliance security committee chair. WPA soon faced some critics (1, 2).
When taking a look at May, I remember another quote from Wi-Fi Alliance, this time from Kirk Allchorne, marketing co-chairman at that organization, which showed the need for making new security standards: “It has become apparent to us that enterprise markets were avoiding Wi-Fi because of security worries”. In the other news, AirDefense’s May newsletter featured an interesting list of top 10 Wireless LAN Policy Violations.
In June, we’ve seen a big plus going to wireless networks, when Intel Corp.’s Chief Financial Officer Andy Bryant said his company had found that the security offered by a “controlled wireless network” was superior to computer security regimes that traditionally have blocked wireless access as a threat. The end of the June was marked by a third World Wide WarDrive. This is an effort by security professionals and hobbyists to generate awareness of the need by individual users and companies to secure their access points. The results showed that things are going better, as the number of WEP enabled networks went up and both numbers of default SSID and default SSID + No WEP networks went down.
I need to mention AirDefense one more time, but in July they did another interesting thing. During the 802.11 Planet Expo in Boston, they monitored WLAN activity and published their findings. The results showed a lot of malicious activity. Citing the “explosion” of wireless hotspots in public spaces, homes and businesses, IBM Corp. in October unveiled a new managed intrusion detection service targeted at wireless networks. According to Shane Robison, HP executive VP, HP has security projects in development such as moving its SSL-based VPN technology to 802.11 wireless networks.
November brought us “Weakness in Passphrase Choice in WPA Interface” by Robert Moskowitz, a senior technical director at ICSA Labs, part of TruSecure Corp. In his paper, Mr. Moskowitz describes a number of problems with the new WPA standard, including the ability of attackers to sniff critical information from wireless traffic and to discover the value of a wireless network’s security key.
As people have a lot of imagination, these are some of the phrases you’ll stumble upon any day now: Warwalking, Warwatching, WiLDing, Warbiking, Warhiking, Bluejacking and Bluestumbling.
Software
Although the software products I will mention weren’t released in 2003, they were quite often updated during the past 12 months and received a fair amount of exposure in wireless security related discussions.
AirSnort is currently in version 0.2.3. Microsoft Windows users were pleasantly surprised when AirSnort developers announced in February that AirSnort alpha is working on the Windows platform. After some AiroPeek reverse engineering (this software does monitor mode style wireless packet capture, and as the AirSnort developer noted, it was easier to do some reverse engineering than learning to write Windows drivers), AirSnort can be run on Windows. Many Windows running wannabe wardrivers were happy with this news, but the developer noted: “I literally just got this running and I have not had a lot of time to debug anything”. From the software’s point of view, there were some new patches released – orinoco patch for orinoco-0.13d/0.13e drivers and dsniff patches to allow dsniffing in monitor mode.
Kismet, the popular 802.11 wireless network sniffer, received a lot of updates throughout the year. In February it was announced that kismet-devel is now supporting remote drone sniffers for distributed sniffing. The next couple of months brought us a Perl module that simplifies writing Kismet clients in Perl, Debian packages of the -devel tree, Gentoo ebuild scripts and possibility of doing OSX Viha capturing. At the end of July, version 3.0.0 stable was released, which was upgraded to 3.0.1 in a week, resulting with a lot of bugfixes. Besides the news I have noted, this new version offered integration with snort, new packet engine, a stateful packet inspector and a new alert system. Since then, the software is in constant development, so we will see what will Kismet developers bring us in the year 2004.
As for NetStumbler, there really weren’t any breaking news in 2003. This software has a great respect from a number of wireless security enthusiasts, so everyone was expecting a new version (the current 0.3.30 version was released in August 2002). At the beginning of the December, the product’s developer announced that he is working on 0.4 version, which will “work better and on more cards than ever before”. For the handheld geeks, “MiniStumbler will come with it, and it will work on the Dell CF cards as well as Prism CF and PC cards”. No dates were mentioned for these releases.
While taking a look at Wardriving software gadgets, it was expected that Warlinux will get its update to 0.6. This handy bootable Linux CD distribution, proved to be a useful tool for both the systems administrators that want to audit and evaluate their wireless network installations, as well as ever present wardrivers. Somewhere in May 2003, the software developer, who is also running the popular wardriving.com web site, gave some brief information that 0.6 is in progress, but because the lack of free time and some hardware crashes the release was postponed. For the BSD fans out there, WarLinux idea inspired the creation of WarBSD, a FreeBSD 5.0 based wireless network auditing kit. The author notes that “at this point, WarBSD is still very much in its infancy”, but the hopes are high for this project.
A couple of weeks ago, AirScanner Corporation, announced the discontinuation of their Mobile Sniffer. As I was expecting the Microsoft Windows Mobile 2003 port of this tool, it really came to me as a surprise that the tool was offed.
Wireless security books
I’ve read and reviewed a number of books dealing with wireless security and the best two (from my perspective) were “Wireless Hacks” by Rob Flickenger and “How Secure is Your Wireless Network? Safeguarding Your Wi-Fi LAN” by Lee Barken. These books were so good and they deserve to receive the exposure in this 2003 overview. I should just note that “Wireless Hacks” is not solely concentrated to security topics, but it has its fair share of security tips. Some of my favorable comments on these books were:
Wireless networks are something quite new for the majority of computer users. We know its pros and cons, its security issues, but we don’t have so much experience to create our own workarounds, helping tools and similar gadgets. Flickenger has that kind of experience and unselfishly shares that knowledge with his readers. During one of my previous wireless themed book reviews, I noted that majority of the books discuss almost the same content. As expected, “Wireless Hacks” goes a galaxy away from those books and introduces the readers with just the perfect content to make itself an undisputed champion in its category.
The book has 240 pages and I’m quite happy to say that Barken managed to use this, for a book relatively short space, to create an extremely good Wi-Fi security guide. The author goes straight to the point and as early, as on page 3, he talks about the detection of rogue access points. The biggest advantages this book provides over other similar releases are the author’s casual writing style combined with a great quantity of information, backed up by diagrams and illustrations. The book can be read by almost anyone, but I think it will suite the best to the newcomers in the wireless security field and to those interested into beefing up the state of their Wi-Fi network.
The corporate wireless security world
As wireless security received more and more exposure throughout the media, we’ve seen a number of new startups offering their expertise in this field. When taking a look at the corporate wireless security sphere (as presented via media press releases and company newsletters), I can see that majority of the news releases were concerning new client wins, integrations with other vendor technologies and showing the current state of wireless (in)security. All the companies I’ve successfully followed throughout the year proved that there is still space in the wireless security market for new products, new ideas and innovative services.
Third party opinions
What better way to finish an overview with a brief Q&A section with some of the experts in the field of wireless security. The people I’ve talked with are as pictured below, from left to right: Gene Chang (VP of Strategic Business Development, Funk Software), Cyrus Peikari (President and CEO, AirScanner Corporation) and Ivica Ostojic (IT Security Consultant, IBM Croatia Ltd.).
What are the biggest security issues of wireless networks today?
Gene Chang: The WLAN security landscape is still confusing to end users. While enterprises have largely standardized on 802.1X and WPA, both because it provides the strong security they require and because it makes it easy to integrate into their existing network infrastructure, there are still numerous decisions they have to make. They need to choose the right EAP type (such as EAP-TTLS) to protect their network & ensure security integration. Some technicians have tried to turn EAP protocols into a religious or political decision. This has cause confusion for many users. Security managers need to decide (or often have already decided) on a security scheme for managing users. Each EAP protocol is designed for different security environments. That is why Funk Software products offer such a wide range of EAP methods. This is especially important in larger organizations where each department or business unit may have different requirements for security. Some groups may be adequately protected with passwords. Other departments may need higher degrees of security and deploy more expensive token technology. Funk’s products support the widest range of choices.
Cyrus Peikari: In 2003 it was unnerving to see the proliferation of Windows Mobile embedded devices, without enough visible commitment to security on the part of Microsoft. Windows CE already runs on millions of PDAs, but it is severely lacking a mature security architecture, as Microsoft itself admits. Worse, Microsoft is now driven to ship Windows Mobile on hundreds of millions of Smartphones. With so many devices connected wirelessly, yet lacking security, the risk increases geometrically. Imagine large, mesh networks of devices, running embedded Outlook Express, and freely associating with hotspots and with each other. This greatly increases the number of vectors for wireless worms, distributed Denial of Service, and “airborne” viruses.
What do you see will happen in the field of wireless security in 2004?
Gene Chang: Continued enhancements to security technology, including moving to AES in the WLAN hardware as part of the new 802.11i standard. Better integration with IPSec to enable more security choices. Introduction of more products supporting VLANs to allow a single network to better handle a user community with different security requirements by better separation of users needing more security from users that have lower degrees of security. We will finally see security moving into the public network. This will help accelerate business users to adopt the public service as an extension of the enterprise. This will accelerate revenue growth for the public networks from business users by removing many of the opportunities of fraud and thief of service.
Cyrus Peikari: Looking ahead to 2004, Microsoft is going to need to make up for lost time. If Microsoft wants their Windows CE .NET platform to take off, they will have to put security first. Despite promises, it hasn’t happened yet, at least not on Windows CE. Meanwhile, it is good to see open source solutions like embedded Linux maturing for PDA and handset devices. As the functionality of embedded Linux takes off, we may see more users abandoning Windows CE for the perceived security of open source.
Ivica Ostojic: Maybe it will be best to quote Ginsberg theorem witch said:
- You can’t win.
- You can’t break even.
- You can’t even quit the game.
Over and out
While the majority of readers think that wireless networks are generally insecure, we all know that the human factor is the biggest problem. It is up to us, the users and the administrators, to watch the new technologies and to keep updated with the events – which will finally lead to a phrase “wireless security”, that won’t any longer be an oxymoron.