Course list http://www.c-jump.com/bcc/

Wi-Fi Security

1. New Wave of Wireless Consumer Products
2. Smartphone and Wi-Fi
3. Mobile Wi-Fi Hotspots Bridging Two Wireless Worlds
4. Low User Awareness
5. Controlled Environment
6. Issues with Wi-Fi
7. Issues with Wi-Fi, cont.
8. Issues with Wi-Fi, cont.
9. Smart Phone Vulnerabilities
10. Smart Phone Vulnerabilities, cont.
11. Requirements for Network Forensics
12. Requirements for Network Forensics, cont.
13. Requirements for Network Forensics, cont.
14. Wireless: No Choke Point
15. Wireless: No Choke Point, cont.
16. Wireless: No Choke Point, cont.
17. Multi-channel operation
18. Wireless: Dynamic topology
19. Wireless: Dynamic topology, cont.
20. Wireless: Dynamic topology, cont.
21. Wireless: Dynamic topology, cont.
22. Wireless: Encrypted Traffic
23. WPA and WPA2
24. Wireless Vulnerability Assessment
25. Wireless Vulnerability Assessment, cont.
26. Evolution of Wireless Forensics Methods
27. Evolution of Wireless Forensics Methods, cont.
28. Evolution of Wireless Forensics Methods, cont.
29. Capturing Raw Packet Traces
30. Capturing Raw Packet Traces, cont.
31. Quantitative Forensics
32. Quantitative Forensics, cont.
33. Limitations OF Raw Forensics and Quantitative Forensics
34. Wireless Anti-Forensic Techniques
35. Stealth-mode Rogue APs
36. Malicious clients
37. Known Vulnerable SSIDs
38. Mobile Honeypot
39. Qualitative Wireless Forensics Workflow

1. New Wave of Wireless Consumer Products

• Number of wireless mobile devices exploding

• More wireless options getting embedded in laptops and Smart Phones

• Increasing use of Smart Phones at workplace

   

   

2. Smartphone and Wi-Fi

3. Mobile Wi-Fi Hotspots Bridging Two Wireless Worlds

4. Low User Awareness

5. Controlled Environment

• All was okay in a controlled environment...

   

6. Issues with Wi-Fi

7. Issues with Wi-Fi, cont.

8. Issues with Wi-Fi, cont.

9. Smart Phone Vulnerabilities

•  

  Unmanaged Smart Phones on enterprise network without authorization

   

10. Smart Phone Vulnerabilities, cont.

•  

  Wi-Fi users bypassing enterprise security through Smart Phone hotspots

   

11. Requirements for Network Forensics

•  

  Choke points exist in traditional networks, e.g. a firewall...

  • ...with Wi-Fi -- multiple hotspots, and more hotspots...

   

12. Requirements for Network Forensics, cont.

•  

  Known network topology, so incident can be linked to a particular physical device...

  • ...Not so simple with Wi-Fi!

   

13. Requirements for Network Forensics, cont.

•  

  Data flow in clear text...

  • ...Wi-Fi attacks encrypt all transmissions, hard to understand what the $@*# is going on!..

   

14. Wireless: No Choke Point

•  

  Shared unbounded medium uses multiple frequencies

   

15. Wireless: No Choke Point, cont.

•  

  Multi-channel operation and auto-channel selection are hard for censors to detect

   

16. Wireless: No Choke Point, cont.

•  

  Dynamic environment

   

17. Multi-channel operation

•  

  Scan across all channels: 20 MHz and 40MHz (802.11n!)

  Illegal Channels:

  • Open Source Linux-based APs can be used to transmit on illegal or in-between channels

  • Potent especially in 5 GHz

  • Variable, auto-configurable transmission speeds

   

18. Wireless: Dynamic topology

•  

  Dynamic Connectivity: devices in motion connect to other hotspots/networks

   

19. Wireless: Dynamic topology, cont.

•  

  Ad hoc networks -- changeable topology

   

20. Wireless: Dynamic topology, cont.

•  

  Dynamic location: approximate tracking

   

21. Wireless: Dynamic topology, cont.

•  

  Tethering, e.g. laptop connecting to an Internet-enabled cellphone

   

22. Wireless: Encrypted Traffic

23. WPA and WPA2

• Features:

  • Strong encryption

  • Pair-wise keys

  • Dynamic keys

    • Impossible to decrypt instantly!

   

24. Wireless Vulnerability Assessment

•  

  Wireless Intrusion Prevention System (WIPS)

   

25. Wireless Vulnerability Assessment, cont.

•  

  Handheld Wireless Analyzer (requires walking around)

   

26. Evolution of Wireless Forensics Methods

•  

  Raw Forensics: manual log review

   

27. Evolution of Wireless Forensics Methods, cont.

•  

  Quantitative Forensics: statistical simulations based on data packet analysis

   

28. Evolution of Wireless Forensics Methods, cont.

•  

  Qualitative Forensics: using key factors and data packet filtering

   

29. Capturing Raw Packet Traces

• Requires significant storage

• Relies on repetitive manual analysis:

  1. replay

  2. analyze

   

   

30. Capturing Raw Packet Traces, cont.

•  

   

  Repetitive manual analysis:

  1. replay

  2. analyze

   

31. Quantitative Forensics

•  

  Based on packet-level analysis and statistics

   

32. Quantitative Forensics, cont.

•  

  Statistical trends generated over hours, days, weeks, months...

   

33. Limitations OF Raw Forensics and Quantitative Forensics

34. Wireless Anti-Forensic Techniques

•  

  Available off the shelf:

  • Stealth Rogue APs

  • MAC Spoofing

  • Illegal channels

  • Malicious clients

   

35. Stealth-mode Rogue APs

36. Malicious clients

• Malicious clients use laptops with USB Wireless Routers, producing Soft AP devices.

• USB Wireless Routers:

  • Windy

  • Connectify

   

37. Known Vulnerable SSIDs

•  

  Avoid using these in your wireless configurations at home or in the office!

  • (See next slide why.)

   

38. Mobile Honeypot

• Technology advances made possible to create honeypot APs.

• Mobile honeypot is a malicious AP trying to lure nearby clients with the following vulnerability:

  1. Authorized corporate laptop connects to unauthorized AP -- at home or at a public hotspot network.

  2. Such client is known as client in adhoc mode.

  3. When the laptop is back in the office, it tries to reestablish connections.

  4. The laptop is probing for unauthorized network names, including those with known-vulnerable SSIDs, such as Free Public Wi-Fi.

  5. Some laptops can be probing for as many as 5 or more of the vulnerable SSIDs.

  6. Honeypot AP captures user credentials!

   

39. Qualitative Wireless Forensics Workflow