What: Wireless Security

Why: Avenues for attack

How: Security must be tight for wireless connectivity

 

Detailed Information

Wireless Connections and Security Precautions

Hackers Expose 'Critical' Wi-Fi Driver Flaw

August 3, 2006, by Ryan Naraine

http://www.eweek.com/article2/0,1895,1998452,00.asp

LAS VEGAS — Wi-Fi-enabled computers are sitting ducks for code execution attacks because of gaping flaws in wireless drivers shipped on both Mac and Windows systems, security researchers warned at the Black Hat Briefings security conference here.

A pair of hackers—David Maynor and Jon Ellch—demonstrated such a break-in on an Apple MacBook laptop fitted with a wireless card that was broadcasting its presence to another computer set up as an access point.

During the demonstration, the researchers were able to take complete control of the MacBook via a specific vulnerability in the device driver code that sits between the operating system and the wireless card.

Maynor and Ellch did not release details or exploit code for the flaw, which affects a wide range of Wi-Fi card manufacturers. The researchers have notified the affected companies and are working closely to identify the vulnerable code.

"This is not a big problem today. But, it should be something to take seriously now before it becomes a big, big problem a year or two from now," said Maynor, who works as a senior researcher at Atlanta-based SecureWorks.

"The OS vendors have been hardening the operating system a lot, so now attackers have two choices. They can go up to the application level, or they can go lower to the device driver level," Maynor said, warning that Wi-Fi drivers present an easy-to-exploit target.

"You've got to keep in mind that [malicious] people with an unlimited amount of time can spend a lot of time looking at these things," he added.

Ellch, a well-known security expert who uses the hacker moniker "Johnny Cache," made it clear that the issue is not specific to Apple's Mac computers. "This isn't an Apple problem or a Microsoft problem. This is something that's problematic across the industry," he said.

 

Wireless Connectivity:

Wi-Fi (sometimes written Wi-fi, WiFi, Wifi, wifi) is a trademark for a set of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for "Wireless Fidelity", was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs), to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices to be networked without expensive wiring. Many computers are sold today with Wi-Fi built in; others require adding a Wi-Fi network card. Other devices, like digital cameras, are equipped with Wi-Fi.

A person with a Wi-Fi-enabled device can connect to a local area network when near one of the network's access points. The connection is made by radio signals; there is no need to plug the device into the network. If the local area network is connected to the Internet, the Wi-Fi device can have Internet access as well. The geographical region covered by one or several access points is called a hotspot. The range of an access point varies. The access point built into a typical Wi-Fi home router might have a range of 45 m (150 ft) indoors and 90 m (300 ft) outdoors.

The Wi-Fi trademark is controlled by the Wi-Fi Alliance (formerly the Wireless Ethernet Compatibility Alliance), the trade organization that tests and certifies equipment compliance with the IEEE 802.11 standards. Apple Computer sells Wi-Fi products under its AirPort trademark. Certified products can use the official Wi-Fi logo, which indicates that the product is interoperable with any other product also showing the logo.

Wi-Fi is based on the IEEE 802.11 specifications. There are currently four deployed 802.11 variations: 802.11a, 802.11b, 802.11g, and 802.11n. The b specification was used in the first Wi-Fi products. The g and n variants are the ones most often sold as of 2005.

Wi-Fi specifications

Specification   Speed      Frequency Band   Compatible with
802.11b         11 Mb/s    2.4 GHz          b
802.11a         54 Mb/s    5 GHz            a
802.11g         54 Mb/s    2.4 GHz          b, g
802.11n         100 Mb/s   2.4 GHz          b, g, n

In most of the world, the frequencies used by Wi-Fi do not require user licenses from local regulators (e.g., the Federal Communications Commission in the US). 802.11a equipment, using a higher frequency, has reduced range, all other things being equal.

The most widespread version of Wi-Fi in the US market today (based on IEEE 802.11b/g) operates in the 2,400 MHz to 2,483.50 MHz range.

New standards beyond the 802.11 specifications are currently in the works and offer many enhancements, anywhere from longer range to greater transfer speeds. One example is 802.16 WiMAX, with a range of several miles and data rates of up to 70 Mb/s. 802.16a permits operation between 2 and 11 GHz, so there may eventually be some interoperability between 802.11 units and some 802.16a units.

Security:

WiFi equipment could be used to steal personal information (passwords, financial information, identity information, and so on) transmitted from Wi-Fi users, if sensible protections are not used.

The first and most commonly used wireless encryption standard, Wired Equivalent Privacy or WEP, has been shown to be easily breakable even when correctly configured. Most wireless products now on the market support the Wi-Fi Protected Access (WPA) encryption protocol, which is considered much stronger, though some older access points have to be replaced to support it. The adoption of the 802.11i standard (marketed as WPA2) makes available an even better security scheme — when properly configured. As of mid-2005, both Microsoft Windows XP and Macintosh OS-X support WPA2, but on newer equipment only. While waiting for better standards to be available, many enterprises have chosen to deploy additional layers of encryption (such as VPNs) to protect against interception.

Some report that interference of a closed or encrypted access point with other open access points on the same or a neighboring channel can prevent access to the open access points by others in the area. This can pose a problem in high-density areas such as large apartment buildings where many residents are operating Wi-Fi access points.

Commercial Wi-Fi Internet access services are available in places such as Internet cafes, coffee houses and airports around the world (sometimes called Wi-Fi-cafés), although coverage is still patchy.

While commercial services attempt to move existing business models to Wi-Fi, many groups, communities, cities, and individuals have already set up free Wi-Fi networks, often adopting a common peering agreement in order that networks can openly share with each other. Free wireless mesh networks are often considered the future of the internet.

Many municipalities have joined with local community groups to help expand free Wi-Fi networks. Some community groups have built their Wi-Fi networks entirely based on volunteer efforts and donations. Philadelphia is one of the largest cities to have embarked on a city owned and operated WiFi network for public use. Many universities provide free WiFi internet access to their students, visitors, and anyone on campus. Similarly, some commercial entities such as Panera Bread offer free Wi-Fi access to patrons.

Advantages of Wi-Fi

  • Unlike packet radio systems, Wi-Fi uses unlicensed radio spectrum and does not require regulatory approval for individual deployers.
  • Allows LANs to be deployed without cabling, potentially reducing the costs of network deployment and expansion. Spaces where cables cannot be run, such as outdoor areas and historical buildings, can host wireless LANs.
  • Wi-Fi products are widely available in the market. Different brands of access points and client network interfaces are interoperable at a basic level of service.
  • Competition amongst vendors has lowered prices considerably since their inception.
  • Many Wi-Fi networks support roaming, in which a mobile client station such as a laptop computer can move from one access point to another as the user moves around a building or area.
  • Many access points and network interfaces support various degrees of encryption to protect traffic from interception.
  • Wi-Fi is a global set of standards. Unlike cellular carriers, the same Wi-Fi client works in different countries around the world.

Disadvantages of Wi-Fi

  • Use of the 2.4 GHz Wi-Fi band does not require a license in most of the world provided that one stays below the local regulatory limits and provided one accepts interference from other sources, including interference which causes your devices to no longer function. It is sometimes claimed that Amateur Radio operators have permission to boost the power on their Wi-Fi transmitters up to the legal maximum for their Amateur Radio license class under some conditions; this is not permitted in the US, nor in most locations.
  • Legislation/regulation is not consistent worldwide.
  • The 802.11b and 802.11g flavors of Wi-Fi use the 2.4 GHz spectrum, which is crowded with other equipment such as Bluetooth devices, microwave ovens, cordless phones, or video sender devices, among many others. This may cause a degradation in performance. The 900 MHz or 5.8 GHz cordless phones are good to use to avoid interference if one has a Wi-Fi network.
  • Power consumption is fairly high compared to other standards, making battery life and heat a concern.
  • Free access points (or improperly configured access points) may be used by a hacker to anonymously initiate an attack that would be difficult to track beyond the owner of the access point.

Unintended and Intended use by outsiders

The default configuration of most Wi-Fi access points provides no protection from unauthorized use of the network. Many business and residential users deliberately do not secure their access points, leaving them open to users in the area. It has become etiquette to leave access points open for others to use just as one can expect to find open access points while on the road. Most Wi-Fi community networks are based on free access and freely sharing bandwidth.

Measures to deter unauthorized users include suppressing the AP's service set identifier (SSID) broadcast, only allowing computers with known MAC addresses to join the network, and various encryption standards. Older access points frequently do not support adequate security measures to protect against a determined attacker armed with a packet sniffer and the ability to switch MAC addresses. Harmless recreational exploration of other people's access points has become known as war driving, and the leaving of graffiti describing available services as war chalking.

It is also common for people to unintentionally use others' Wi-Fi networks without specific authorization. Operating systems such as Windows XP and Mac OS X automatically connect to any nearby wireless network, depending on the network configuration. A user who happens to start up a laptop in the vicinity of an access point may find the computer has joined a network without any visible indication. Moreover, a user intending to join one network may instead end up on another one if the latter's signal is stronger. In combination with automatic discovery of other network resources this could theoretically lead wireless users to send sensitive data to the wrong destination.

from: http://en.wikipedia.org/wiki/Wireless_router

Linksys Router Security:

The current generation of Linksys products provide several network security features, but they require specific action on your part for implementation:

  • Change the router’s default Administrator Password
  • Disable SSID Identifier Broadcasting
  • Change the default SSID (and change it periodically)
  • Enable MAC Address Filtering to allow access to your computers' MAC addresses only
  • Limit the number of IP addresses your router can assign
  • Update your wireless network card drivers and router firmware
  • Enable Encryption and use WPA if possible
  • Change WEP encryption keys periodically

 

Security Threats Facing Wireless Networks

Wireless networks are easy to find. Hackers know that in order to join a wireless network, wireless networking products first listen for "beacon messages". These messages are unencrypted and contain much of the network’s information, such as the network’s SSID (Service Set Identifier) and the IP Address of the network PC or access point. One result of this, seen in many large cities and business districts, is called “War chalking”. This is one of the terms used for hackers looking to access free bandwidth and free Internet access through your wireless network. Here are the steps you can take:

Change the administrator’s password regularly. With every wireless networking device you use, keep in mind that network settings (SSID, WEP keys, etc.) are stored in its firmware. Your network administrator is the only person who can change network settings. If a hacker gets a hold of the administrator’s password, he, too, can change those settings. So, make it harder for a hacker to get that information. Change the administrator’s password regularly.

SSID. There are several things to keep in mind about the SSID:

  • Disable Broadcast
  • Make it unique
  • Change it often

Most wireless networking devices will give you the option of broadcasting the SSID. While this option may be more convenient, it allows anyone to log into your wireless network. This includes hackers. So, don’t broadcast the SSID.

Wireless networking products come with a default SSID set by the factory. (The Linksys default SSID is “linksys”.) Hackers know these defaults and can check these against your network. Change your SSID to something unique and not something related to your company or the networking products you use.

Change your SSID regularly so that any hackers who have gained access to your wireless network will have to start from the beginning in trying to break in.

MAC Addresses. Enable MAC Address filtering. MAC Address filtering will allow you to provide access to only those wireless nodes with certain MAC Addresses. This makes it harder for a hacker to access your network with a random MAC Address.

WEP Encryption. Wired Equivalent Privacy (WEP) is often looked upon as a panacea for wireless security concerns. This is overstating WEP’s ability. Again, this can only provide enough security to make a hacker’s job more difficult.

There are several ways that WEP can be maximized:

  • Use the highest level of encryption possible
  • Use a “Shared” Key
  • Use multiple WEP keys
  • Change your WEP key regularly

Implementing encryption will have a negative impact on your network’s performance. If you are transmitting sensitive data over your network, encryption should be used.
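The checks above can be run against what an access point actually advertises. The following is an added example, not part of the quoted Linksys material: it parses the unencrypted fields of an 802.11 beacon and reports the SSID, whether it is suppressed, and which protection (open, WEP, WPA, WPA2) the beacon announces. It assumes the bytes start at the 802.11 header (no radiotap header or trailing FCS), and the sample frames and the `office-ap` name are constructed for the example.

```python
import struct

DEFAULT_SSIDS = {"linksys"}                    # factory default quoted on this page; extend for your gear
WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # vendor-specific element: Microsoft OUI, type 1 (WPA)

def build_beacon(ssid: bytes, privacy: bool, extra_ies: bytes = b"") -> bytes:
    """Construct a sample beacon (test data made up for this example, not a capture)."""
    bssid = bytes.fromhex("020000000001")      # locally administered, made-up address
    header = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, plus Privacy bit if set
    fixed = struct.pack("<QHH", 0, 100, capability)    # timestamp, beacon interval, capability
    return header + fixed + bytes([0, len(ssid)]) + ssid + extra_ies

def parse_beacon(frame: bytes) -> dict:
    """Read the cleartext fields of a beacon: BSSID, SSID and advertised protection."""
    if len(frame) < 36:
        raise ValueError("too short for an 802.11 beacon")
    frame_control, = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != 0 or (frame_control >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    capability, = struct.unpack_from("<H", frame, 34)
    ssid, has_rsn, has_wpa = b"", False, False
    pos = 36                                   # 24-byte header + 12 bytes of fixed fields
    while pos + 2 <= len(frame):               # walk the tagged information elements
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == 0:
            ssid = body
        elif ie_id == 48:
            has_rsn = True                     # RSN element: 802.11i / WPA2
        elif ie_id == 221 and body.startswith(WPA_VENDOR_PREFIX):
            has_wpa = True
        pos += 2 + ie_len
    if not capability & 0x0010:
        encryption = "open"
    elif has_rsn:
        encryption = "WPA2"
    elif has_wpa:
        encryption = "WPA"
    else:
        encryption = "WEP"                     # Privacy bit set, no WPA or RSN element
    return {
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
        "ssid": ssid.decode("utf-8", "replace"),
        "hidden": not ssid.strip(b"\x00"),     # empty or zero-filled SSID element
        "encryption": encryption,
    }

def audit(frame: bytes) -> list:
    """Return the checklist items from this page that the beacon fails."""
    info = parse_beacon(frame)
    findings = []
    if info["encryption"] == "open":
        findings.append("no encryption advertised")
    elif info["encryption"] == "WEP":
        findings.append("WEP only: upgrade to WPA or WPA2")
    if info["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("factory default SSID")
    return findings

# Constructed information elements: WPA (TKIP, PSK) and RSN (CCMP, PSK).
WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

SAMPLES = {
    "factory": build_beacon(b"linksys", privacy=False),
    "wep": build_beacon(b"office-ap", privacy=True),
    "wpa_hidden": build_beacon(b"", privacy=True, extra_ies=WPA_IE),
    "wpa2": build_beacon(b"office-ap", privacy=True, extra_ies=RSN_IE),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_beacon(frame), audit(frame))
```

The `wpa_hidden` sample shows that a beacon with the SSID suppressed still carries the BSSID and the security mode in the clear, so the encryption setting is the control that matters.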

WarDialing - The Internet connection comes in from your provider and is connected to a wireless access point or router, which broadcasts the signal. You connect wireless antenna network cards to your computers to receive that signal and talk back to the wireless access point, and you are in business. The problem with having the signal broadcast, though, is that it is difficult to contain where that signal may travel. If it can get from upstairs to your office in the basement, then it can also go that same 100 feet to your neighbor's living room. Or a hacker searching for insecure wireless connections can get into your systems from a car parked on the street.

Man Charged With Stealing Wi-Fi Signal (7/6/05, Yahoo News)

ST. PETERSBURG, Fla. - Police have arrested a man for using someone else's wireless Internet network in one of the first criminal cases involving this fairly common practice.

Benjamin Smith III, 41, faces a pretrial hearing this month following his April arrest on charges of unauthorized access to a computer network, a third-degree felony.

Police say Smith admitted using the Wi-Fi signal from the home of Richard Dinon, who had noticed Smith sitting in an SUV outside Dinon's house using a laptop computer.

The practice is so new that the Florida Department of Law Enforcement doesn't even keep statistics, according to the St. Petersburg Times, which reported Smith's arrest this week.

Innocuous use of other people's unsecured Wi-Fi networks is common, though experts say that plenty of illegal use also goes undetected: such as people sneaking on others' networks to traffic in child pornography, steal credit card information and send death threats.

Security experts say people can prevent such access by turning on encryption or requiring passwords, but few bother or are unsure how to do so.

Wi-Fi, short for Wireless Fidelity, has enjoyed prolific growth since 2000. Millions of households have set up wireless home networks that give people like Dinon the ability to use the Web from their backyards but also reach the house next door or down the street.

It's not clear why Smith was using Dinon's network. Prosecutors declined to comment, and a working phone number could not be located for Smith.

That doesn’t mean you shouldn’t use wireless networking. You just have to be smart about it and take some basic precautions to make it more difficult for curiosity seekers to get into your personal information:

  • Change the System ID: Devices come with a default system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). It is easy for a hacker to find out what the default identifier is for each manufacturer of wireless equipment so you need to change this to something else. Use something unique- not your name or something easily guessed.
  • Disable Identifier Broadcasting: Announcing that you have a wireless connection to the world is an invitation for hackers. You already know you have one so you don’t need to broadcast it. Check the manual for your hardware and figure out how to disable broadcasting. 
  • Enable Encryption: WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) encrypt your data so that only the intended recipient is supposed to be able to read it.
  • WEP has many holes and is easily cracked. 128-bit keys impact performance slightly without a significant increase in security so 40-bit (or 64-bit on some equipment) encryption is just as well. As with all security measures there are ways around it, but by using encryption you will keep the casual hackers out of your systems. If possible, you should use WPA encryption, described below (most older equipment can be upgraded to be WPA compatible). WPA fixes the security flaws in WEP but it is still subject to DoS (denial-of-service) attacks.
  • Restrict Unnecessary Traffic: Many wired and wireless routers have built-in firewalls. They are not the most technically advanced firewalls, but they help create one more line of defense. Read the manual for your hardware and learn how to configure your router to only allow incoming or outgoing traffic that you have approved.
  • Change the Default Administrator Password: This is just good practice for ALL hardware and software. The default passwords are easily obtained, and because so many people don’t bother to take the simple step of changing them, they are usually what hackers try first. Make sure you change the default password on your wireless router / access point to something that is not easily guessed (not, for example, your last name).

 

A Wireless Security scare from Chris Meadows, Jan 2004:


The other day I was in the position of needing to print out my credit card 
site's invoice display. Since I don't have a fully functional printer at 
home, and I needed to make a photocopy anyway, I decided to take my Mac 
Powerbook down to Kinko's and print it off there. 
 
The problem was, when I plugged the Powerbook into their Ethernet link 
(called a "Macintosh link" for some reason by their onsite 
documentation...never mind that any computer with an Ethernet port could 
use it), I couldn't reach the Internet. (Nor could I see any printers in my 
application...and the printer driver disk the Kinko's clerk helpfully 
offered didn't help, because it only had drivers for OS 9, not OS X.)

However, the fellow who'd just vacated the laptop station had been using 
wireless, and he said that should work. And I did a quick scan, found an 
open wireless router labeled "linksys," (the way they didn't even bother to 
change the default name should have warned me, I suppose...but given the 
general lack of computer adroitness I had observed in the staff, that 
carelessness seemed to fit right in) with a Lexmark printer on it, and 
Internet access...so I called up the invoice and hit print, then asked the 
Kinko's clerk where that particular printer was. 
 
Longtime RISKS readers should be able to guess what came next. "But we 
don't have a wireless network...and we don't have any Lexmark printers 
either." Further research indicated that the wireless router was hooked 
into a Bellsouth DSL connection, presumably someone's nearby home or 
business. So I had just printed my credit card invoice to some total 
stranger's printer...and had no way even to find out where it was so I could 
get it back. Fortunately, the invoice didn't contain any *truly* sensitive 
information, such as my SSN or account number (beyond "ends with ...."). 
And I was closing that account anyway. 
 

The risk here is kind of the inverse of the "usual" risk associated with a 
wireless system...instead of "you never know who might be using your 
network," it's "you never know whose network you might be using." The 
combination of an open wireless network and a location where you would 
expect there to be one can easily enough confuse you into conflating the two. 

 

Upgrade from WEP to WPA: Wireless Security: WPA Step by Step

By Craig Ellison, 10/14/03

Odds are, your wireless network is not secure. Even if you've enabled WEP (Wired Equivalency Protocol) encryption, the flaws in that standard are well documented, and hackers can break WEP easily. You need WPA (Wi-Fi Protected Access), a far stronger protocol that fixes the weaknesses in WEP. For further discussion of WPA, see our wireless security story.

Here we'll take you through the process of upgrading your networking equipment and enabling WPA security for your home WLAN. To upgrade your wireless security to WPA, you must have three critical components:

  • an access point (AP) or wireless router that has WPA support;
  • a wireless network card that has WPA drivers available;
  • a client (called a supplicant) that supports WPA and your operating system.

WPA replaces WEP in small-office or home routers, so moving to WPA is an all-or-nothing proposition. For you to consider an upgrade, every wireless device on your network must have WPA capabilities. This includes any wireless bridges you might use for your Microsoft Xbox (or other gaming device), digital camera, home audio gateway, and print server.

If you haven't purchased wireless hardware already, buying WPA-capable networking equipment is easy. The Wi-Fi Alliance began certifying products for WPA interoperability in April. In addition, all new products submitted for certification after August 2003 must have WPA capability. Any product that passes Wi-Fi WPA compatibility testing will have the Wi-Fi Protected Access box checked on its package label. You can also visit the Wi-Fi Alliance's Web site and search for WPA-certified products (www.wi-fi.org/OpenSection…)

If you already own wireless networking hardware, upgrading may not be possible. You must check the Web sites of your hardware makers for WPA upgrades. WPA is designed so that legacy wireless hardware can be upgraded via drivers, but with the product cycles of wireless gear being about six months, most manufacturers do not provide WPA upgrades for legacy products. If you find WPA support, it will probably be for relatively new products. If you don't find driver upgrades for your hardware, you'll either have to buy new equipment or live with WEP.

For this article, we selected the Linksys WRT54G broadband router and the Linksys WPC54G client card. Both products are widely available and have online driver and firmware upgrades for WPA.

Update Your OS

The easiest part of the process is adding WPA support to your OS. Microsoft provides a free WPA upgrade, but it works only with Windows XP. If you are running an OS other than Win XP, you'll need a third-party supplicant. The client software is available from either Funk Software (www.funk.com) or Meetinghouse Data Communications (www.mtghouse.com). For now, we'll assume that you're running Win XP.

The WPA client is not available as an automatic Windows update, but it does come with the upgrade to XP SP2. You can find it in the Microsoft Knowledge Base Article 815485 (http://support.microsoft.com…). Download the file into a new directory. Double-click on it to install it. (The file is self-extracting and self-installing.) Once you've installed the update, reboot your machine. The software adds additional dialog boxes to the Network Control Panel to support the new authentication and encryption options of WPA. You can check to be sure that the upgrade has been installed by opening the Control Panel, double-clicking on Add or Remove Programs, and checking for Windows XP Hot fix (SP2) Q815485.

Update the Firmware in your router AP

Now you must download the upgrades for your router and network cards. We recommend that you download everything before upgrading anything. For the Linksys router, go to the company's Web site, click on Support | Downloads, select the product (WRT54G), and click on Downloads for this Product. (http://www.linksys.com/download.) When the page loads, click on Firmware.


From this page, you can choose to download the firmware file, manually update your router, or use an automatic update program. We'll use the automatic utility. If you need to download drivers for your wireless adapter, follow the same procedure and enter the name of your adapter (WPC54G), then download the file Wpc54g_driver_utility_v1.21.zip to an empty directory, such as C:\downloads\linksys. Click on the link to download the utility and save the file on your computer. Once the download is complete, click on Open. Now follow the steps to complete the upgrade.

After your router reboots, log on to it. If possible, use a wired connection to change the security settings, because if you change the settings wirelessly, you won't be able to communicate with your router until after you've configured your client.

Configure WPA Settings

Your router's home page will change as a result of the firmware upgrade. To set up the WPA encryption for your router, click on the Enable button and then Edit Security Settings.

[Screenshots: router home page before and after the firmware upgrade]

In the Security Mode field, select WPA Pre-Shared Key (no authentication server required).

  • For WPA Algorithms, select TKIP. This is the approved and certified algorithm. Though some products support AES (Advanced Encryption System), interoperability among various vendors' products hasn't been certified. You could try AES on your router and client; if it works, AES provides even greater security than WPA.
  • For the WPA Pre-Shared Key, create a key that won't be easily compromised. Write it down, as you'll need to enter the same key when you configure your network card.
  • Leave the Group Key Renewal row set at 3600, then click on Apply.
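An added example (not from the original article) of what the WPA Pre-Shared Key field does with the text you type: router and client each derive the same 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The 20-character threshold, the `passphrase_problems` checks and the 24-character generator are choices made for this example.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, easy to type on router and client

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key that router and client both compute.

    WPA-PSK uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def new_passphrase(length: int = 24) -> str:
    """Generate a random passphrase from the OS random source."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_entropy_bits(length: int) -> float:
    """Entropy of a passphrase produced by new_passphrase()."""
    return length * math.log2(len(ALPHABET))

def passphrase_problems(passphrase: str, ssid: str, default_ssids=("linksys",)) -> list:
    """Checks chosen for this example; an empty list means none of them fired."""
    problems = []
    if len(passphrase) < 20:                       # example threshold, not a protocol limit
        problems.append("shorter than 20 characters")
    if ssid and ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    if passphrase.isalpha() or passphrase.isdigit():
        problems.append("single character class")
    if ssid.lower() in default_ssids:              # the SSID is the salt of the derivation
        problems.append("SSID is a factory default, so the salt is predictable")
    return problems

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys differ because the SSID is the salt.
    print(wpa_psk("password", "linksys").hex())
    print(wpa_psk("password", "IEEE").hex())
    print(passphrase_problems("linksys123", "linksys"))
    fresh = new_passphrase()
    print(fresh, round(random_entropy_bits(len(fresh))), "bits")
```

Because the SSID salts the key, changing the SSID later means every client must re-derive the key from the same passphrase, which the Windows dialog does automatically when you re-enter it.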

[Screenshots: the WPA options page, where you pick a pre-shared key and choose TKIP]

Update Your Network Card

Now you're ready to update your network card (if your network card driver is pre-5/26/03):

  • Unzip the driver file you downloaded earlier. The directory where you unzipped the file contains the driver you need (Bcmwl5.sys) along with the INF file. Make a note of this location. Although you can uninstall the old drivers from the Add or Remove Programs applet and reinstall the entire package you've downloaded, it's much easier to update the driver via the Device Manager.  [see 3 screenshots below]
  • From the Control Panel, double-click on the System icon and click on the Hardware tab. Click on Device Manager.
  • Right-click on the wireless adapter.
  • Select Properties and click on Driver. If your card hasn't been upgraded, you'll see a driver date prior to 5/26/2003. If your driver is dated May 26 or later, it already supports WPA. You can click on Cancel and jump to the step that shows the Wireless Networks dialog.
  • Click on Update Driver.
  • Tell the wizard to search specific locations for the driver. Type in the directory where you unzipped the upgrade file.
  • Click on Next.
  • The updated driver will show a date of 5/26/2003 or later.

 

[Screenshots: updating the driver via the Device Manager]

Don't give up yet. We're almost finished!

  • Open the Network applet in the Control Panel, right-click on your wireless card, and click on the Wireless Networks tab.
  • In the Available networks window, select the name of your network. This is the same as the SSID (network name) you configured in your router.
  • Click on Configure.
  • Under Network Authentication, select WPA-PSK. If you don't select the correct authentication mode, you won't be allowed to select the correct encryption mode (TKIP). If you leave network authentication set to Open, the only encryption options you'll see are WEP or Disabled.
  • In Data encryption, select TKIP (or AES if you selected AES earlier).
  • In Network key, type in the same WPA Shared Key you entered into the AP configuration and type it again under Confirm network key. Then click on OK.

Because you enabled WPA security on your router AP previously, when you finish your client configuration, you should be able to associate with your access point and use the network as you did before. Only now you have a secure wireless link.

 

 

 

 

 

Recommended: Netgear RangeMax 240 Wireless Router

(Better than the Linksys Wireless-N Broadband Router)

 

  • Wireless Router + 4-port switch - 10 / 100, 802.11b / g
  • Wireless chip set: Airgo True MIMO Gen3
  • 128-bit WEP, WPA/WPA2 Personal
  • Auto channel selection: Yes
  • Mounting options: Horizontal, vertical
  • Price when rated: $119 (8/06); Amazon used marketplace: $69 (2/07)

 

Wireless Connectivity Notes:

What is the range of a wireless device?

The range of a wireless device depends on many factors: radio interference, or “noise,” distance from an access point, connection speed, and physical interference. Indoors, the range of a wireless network card is between 50 and 200 feet. Outdoors (line of sight), the range can be up to 1,000 feet.

What is 802.11b - 802.11a - 802.11g - 802.11g2?

802.11a, 802.11b, and 802.11g are standards that have been developed by the IEEE (Institute of Electrical and Electronic Engineers). The IEEE is an international organization that develops standards for hundreds of electronic and electrical technologies. The organization uses a series of numbers, like the Dewey Decimal system in libraries, to differentiate between the various technology families.

The 802 committee develops standards for local and wide area networks (LANs and WANs). 802.11 is then further divided. 802.11b, or Wi-Fi, is a standard for wireless LANs operating in the 2.4 GHz spectrum with a maximum shared bandwidth of 11 Mbps (megabits per second). Another standard, 802.11g, is for WLANs operating in the 2.4 GHz frequency but with a maximum data rate of 54 Mbps. 802.11g uses the same technology as 802.11b but the bandwidth (speed) has increased. 802.11a is a different standard for wireless LANs operating in the 5 GHz frequency range with a maximum data rate of 54 Mbps. Wireless networks are usually a shared medium (radio waves), and there are many variables in radio coverage such as physical barriers like elevators, bookcases, or heavy steel doors, human density, and number of network users. In a campus library for instance, actual throughput is usually 2-6 Mbps with 802.11b and 22 Mbps for 802.11g.

 

Apple's AirPort Extreme uses a brand new wireless standard called 802.11g2.

AirPort Extreme is compatible with all AirPort products, as well as Wi-Fi certified 802.11b wireless products. The range of AirPort Extreme is up to 150 feet. For higher performance you need both the AirPort Extreme Card and the AirPort Extreme Base Station, which also supports sharing a printer plugged into the base station. The range of AirPort Extreme is up to 50 feet at 54 Mbps. See details at: http://www.cami.be/product_info.php?manufacturers_id=3&products_id=520

 

Does wireless interfere with other devices?

Yes, any 2.4GHz device that is near the wireless access point or wireless card can affect the performance and may shut off your network connection. These devices are usually microwave ovens in close range, cordless phones, cameras and other 2.4GHz wireless devices. Other access points can interfere with the CU wireless network, so it is necessary to coordinate with ITS if you wish to set up a wireless access point.

 

XP SP2 New Wireless Network Setup Wizard

A new feature of Windows XP SP2 and other wireless devices, which have a USB port and support Windows Connect Now, greatly simplifies the configuration of strong security for wireless networks in the home or small office.

The Wireless Network Setup Wizard steps you through the configuration of wireless network settings—a wireless network name, the authentication and encryption method, and a strong WEP key or WPA-PSK—and then writes that configuration as a set of Extensible Markup Language (XML) files on a Universal Serial Bus (USB) flash drive (UFD). You then plug the UFD into other wireless devices in the home or small office that support Windows Connect Now. All of the wireless devices that support Windows Connect Now automatically read the settings from the XML files stored on the UFD and configure themselves with the same settings as the computer on which the Wireless Network Setup Wizard was initially run.

For details, go to: http://www.microsoft.com/technet/community/columns/cableguy/cg0604.mspx

 

"Evil Twin" and other Wi-Fi-oriented attacks

1/26/05

http://www.eweek.com/article2/0,1895,1755275,00.asp

A whole new class of attacks is emerging to threaten Wi-Fi users. "Evil Twin" and other Wi-Fi-oriented attacks can fool users into providing confidential information or compromise their computers.

Here's the basic evil twin scenario: The attacker sits in the parking lot of a coffee house—or maybe even in the coffee house itself—with a Wi-Fi card and a separate connection to the Internet, probably over a cellular carrier network. Using an attack tool such as hotspotter, they simulate a wireless access point with the same SSID (wireless network name) as the one users would expect, such as 't-mobile'.

If the signal is strong enough, other users will connect to the attacker's system instead of the real access point. The attacker can then serve them a Web page asking for the user to re-enter their credentials, including credit card info if they have the nerve to go so far, give them an IP address and then pass them on to the Internet.


There are many other scenarios. Even without stealing the credentials and credit card info, the attacker sits as a man-in-the-middle and can capture any unencrypted traffic. The attacker doesn't even really need the cellular card; they can just get the info and return an error. If the attacker doesn't stick around too long, the user may eventually get through on the real access point and drop all suspicion.

These attacks are more likely to work with public hot spots rather than corporate Wi-Fi networks, which are likely to use more secure network authentication mechanisms. The real exposure to corporate users is when they use a public hot spot to run the corporate VPN; first they must expose themselves to evil twin-type attacks.

Rogue access points have become a problem as well within corporate networks, and these too could operate from the parking lot of a building, especially if aided by a directional antenna. Windows connects by default to all wireless networks a user has in their networks list, meaning all networks to which they have connected in the past. So if an attacker waits with a rogue access point named 'linksys' odds are that a user will eventually come along who had connected to such a network at home. The user's notebook, and the corporate network to which it is attached, may then be vulnerable.

Personal firewalls don't stop the evil twin part of the attack, as they don't operate at that network level. Of course, the notebook itself is exposed when connected to an evil twin, and the attacker could access any open shares or exploit any uncorrected vulnerabilities, and here a firewall could help.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

There are companies, such as AirDefense, which sell products to defend against such attacks. AirDefense sells products both for personal systems and enterprises to counter evil-twin, rogue AP and other attacks. Strong authentication and encryption are also generally good defenses.
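One check a wireless monitor can run against the evil-twin and rogue-AP scenarios above, as an added example (not from the original article and not any vendor's implementation): compare scanned beacons with an inventory of authorised access points and flag any that reuse or imitate a trusted SSID. The inventory, SSIDs, BSSIDs and scan tuples are constructed sample data.

```python
# Constructed inventory of authorised APs: SSID -> {lower-case BSSID: (channel, security)}.
AUTHORISED = {
    "corp-wlan": {
        "00:11:22:33:44:01": (1, "WPA2-Enterprise"),
        "00:11:22:33:44:02": (6, "WPA2-Enterprise"),
    },
}

# Constructed scan results: (ssid, bssid, channel, security, rssi in dBm).
SCAN = [
    ("corp-wlan", "00:11:22:33:44:01", 1, "WPA2-Enterprise", -58),
    ("corp-wlan", "00:11:22:33:44:02", 11, "WPA2-Enterprise", -71),
    ("corp-wlan", "02:aa:bb:cc:dd:ee", 6, "Open", -40),
    ("Corp-WLAN ", "02:aa:bb:cc:dd:ef", 6, "WPA2-Personal", -62),
    ("coffee-guest", "00:99:88:77:66:55", 3, "Open", -80),
]


def norm(ssid):
    """Fold case and surrounding whitespace so near-identical names compare equal."""
    return ssid.strip().lower()


def find_suspect_aps(scan, authorised):
    """Return {bssid: [reasons]} for beacons that use or imitate an authorised SSID."""
    known = {norm(s): aps for s, aps in authorised.items()}
    all_known = {b for aps in authorised.values() for b in aps}
    # Strongest signal seen from any inventoried AP; clients favour stronger signals.
    best = max((r for _, b, _, _, r in scan if b.lower() in all_known), default=None)
    findings = {}
    for ssid, bssid, channel, security, rssi in scan:
        aps = known.get(norm(ssid))
        if aps is None:
            continue  # unrelated network name
        reasons = []
        if ssid not in authorised:
            reasons.append("SSID differs from ours only by case or whitespace")
        expected = aps.get(bssid.lower())
        if expected is None:
            reasons.append("BSSID not in inventory")
            if security not in {sec for _, sec in aps.values()}:
                reasons.append("security setting differs from deployment")
            if best is not None and rssi > best:
                reasons.append("stronger signal than every authorised AP")
        elif expected != (channel, security):
            reasons.append("inventoried BSSID with unexpected channel or security")
        if reasons:
            findings[bssid.lower()] = reasons
    return findings
```

An inventoried BSSID seen on an unexpected channel can be benign where automatic channel selection is enabled, so treat that finding as a prompt to review rather than proof of a rogue device.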

It's not surprising that connections over a wireless network would have vulnerabilities. Wi-Fi is becoming so ordinary a technology that users may not be alert enough for the threats they are likely to face. So as with other threats, education is the first line of defense against wireless attacks.

Identity thieves are going wireless in their quest to steal your personal info:

Erin Biba - Medill News Service - March 15, 2005

http://www.pcworld.com/news/article/0,aid,120054,00.asp

You may want to think twice before logging into a public wireless hotspot. Sure, grabbing a few minutes of connectivity is convenient, but identity thieves are discovering that, through "evil twin" attacks, hotspots are a great way to steal unsuspecting users' private information.

So how does an evil twin attack work? Let's say that I'm a hacker. I set up my computer to transmit a signal that turns my PC into an access point, or Wi-Fi hotspot. I'll even give it a legitimate-sounding name, like T-Mobile Hotspot, to fool unsuspecting surfers.

Next, I put my laptop in a backpack and read a newspaper while sipping some java at the local coffee shop. All I have to do is wait for you to connect. (And if I'm looking to steal from you, I'll require you to enter a credit card number to get access, just like T-Mobile does--then I'll have your credit card information.) While you surf the Web, my computer redirects you to Web pages I have created that happen to look like the ones you visit on a daily basis.

In fact, the only difference between the Citibank page you visit every day and the one I have made is that my page is unencrypted. I can log all of the information you input into various Web forms, and when you check your e-mail, I can read it along with you.

Why It Works So Well

"The only way to tell the difference between [a] legitimate and non-legitimate [access point] is intent," says Jeffrey Schiller, network manager and security architect at the Massachusetts Institute of Technology. "The fundamental problem is when you are in a public place there is no way to discriminate."

Schiller offers an example of how easy it could be to fall victim to an evil twin attack. While at the airport during a recent trip to New York, he says, he turned his laptop into an access point. His intention was to get access to the Internet, but as soon as he created the hotspot, Schiller noticed that three people had begun using his computer as an access point.

"I probably could have seen their e-mail" and been able to track their movements on the Web, he says.

Don't Let Your Browser Make You Feel Safe

According to Schiller, there are several measures already in place by most Web browsers to warn about unencrypted Web pages. However, he says, each of them has various security flaws.

Pop-Up Warnings: Web browsers often use a pop-up dialog box to indicate that information being sent is not encrypted. The problem with this, Schiller says, is that these boxes offer the option to "never show this again." If you have clicked this box just once, you will no longer be warned if you are sending information through unencrypted channels.

The Lock Icon: Most Web browsers display a small lock icon to indicate an officially regulated, encrypted Web page. The problem with these, Schiller says, is that you must be diligent about looking for them every time you log on to a new page. Additionally, if a hacker changes even one letter in the domain name you are familiar with (an example Schiller offers is replacing the lowercase L in lehman.com with a one, 1ehman.com), they can then register that domain name. When you are redirected to that page it will display the lock icon, and you may never notice the changed domain name. Why would an illegitimate site be able to display this lock icon? Because, Schiller says, the public certifying authority that gives out digital signatures to legitimate sites can be fooled into giving digital signatures to illegitimate sites.

HTTPS and Unfamiliar Links: According to Schiller, most banks advertise the unencrypted version of their Web pages (https indicates a secure version; http, however, is easier to remember). When you log on to that page and click to enter the encrypted version, you can be redirected to a page with a domain name that is unrelated to the bank's home page. If you do not recognize the name, it is difficult to know if you have been redirected to a page operated by the bank or by a hacker. Which, Schiller says, makes users "sitting ducks."
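The lock icon says nothing about whether the domain is the one you meant to visit, so the name itself has to be checked. The sketch below is an added example, not part of the original article: it classifies a host name as trusted, a look-alike of a trusted name (the 1ehman.com case), or unknown (the unrelated-redirect case). The trusted list, the substitution table and the two-label domain rule are assumptions made for illustration.

```python
# Domains the user actually does business with (constructed; lehman.com is the article's example).
TRUSTED = {"lehman.com", "citibank.com"}

# Visually confusable substitutions mapped to the letters they imitate (not exhaustive).
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"))


def registrable(host):
    """Last two labels of a host name. Simplification: real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(name):
    """Replace confusable sequences so look-alike spellings collapse to one form."""
    for fake, real in CONFUSABLE:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = registrable(host)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Same skeleton, or one typo away, from a name the user trusts.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) == 1:
            return ("lookalike", good)
    return ("unknown", None)
```

A "lookalike" verdict should block the page outright, while "unknown" after clicking through from a bank's home page is the situation the article describes, where the name has to be verified out of band before credentials are entered.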

How to Protect Yourself

Those who perpetrate evil twin attacks are benefiting from the distractions of public places. According to Schiller, "they're depending on you not [paying] attention."

If you are diligent, these tips will make you less likely to fall victim to an attack.

  • Check Your Wi-Fi Settings: Many laptops are set to constantly search and log on to the nearest hotspot. While this option might seem convenient, it does not allow you to monitor which hotspots you are logging on to and determine if they are legitimate. Turning off this option will prevent your computer from logging on to a hotspot without your knowledge.
  • Pay Attention to Dialog Boxes: Pop-up warnings are there for a reason--to protect you. If you are lucky enough to have not clicked the "never show this again" option, make sure you read these warnings carefully before agreeing to send information.
  • Use One of Your Credit Cards on the Web Only: Open a credit card account that is used solely for the purposes of shopping on the Web. Ideally, you should be able to access account records online so you don't have to wait for monthly statements to monitor any activity. "Be prepared to close that account on short notice if it's been compromised," says Schiller.
  • Conduct Private Business in Private: "Maybe you don't need to move money around or check your bank statements when you are connected to a public hotspot that you're not really familiar with," says Schiller. If you restrict your public surfing to Web pages you don't mind a stranger reading along with you, there is little an evil twin attacker can do to harm you.

Legal Help?

The House of Representatives has put language in the proposed Securely Protect Yourself Against Spyware Act, or Spy Act, to prosecute those caught wirelessly stealing your information.

Recently moved through the House Committee on Energy and Commerce, the Spy Act would require companies that produce spyware to notify users and receive their consent before software is installed. Additionally, companies would be required to provide users with easy uninstall options.

Now that the bill is fully written and out of committee, it is only a matter of time before it comes to the House floor for a vote. If passed by the House, the bill would need to be introduced and passed by the Senate before becoming law.

But while the Spy Act now makes it possible to punish those who conduct evil twin attacks, the very nature of the problem may make it difficult to identify the culprits. Victims may never realize that the hotspot they used to surf the Web was illegitimate, and once that hotspot has been shut down, it can be impossible to find the perpetrator.

The best advice is to stay vigilant and protect yourself.

 

Resources

 

 

Contact me at NofinerWeb.com