Security Basics mailing list archives

RE: About War Driving ..
From: "Alan Greig" <Alan.Greig () Ogilvie co uk>
Date: Tue, 5 Dec 2006 13:20:00 -0000

As many have highlighted, it would be difficult to actually locate the
perpetrator; however, it depends on what your ultimate goal is. If you
think it's an outsider with knowledge of your key then change the key and
implement better encryption; WEP isn't sufficient in securing APs. You
may also want to consider some of the following.


1. If you have more than one AP for coverage do you know what AP he is
connecting to? Have you tested the extents of your wireless coverage
from each AP thus giving you a rough idea of his vicinity?

2. How often do they connect? If it's a regular occurrence, would it be
possible to reduce the wireless signal strength gradually until the
traffic stops, as this would give you an idea of what floor they are on?

3. If you have a few APs to hand you could let your users know you are
enhancing wireless coverage and as such you are having to move people
over to a new system. Install a couple of APs on different SSIDs with
strong encryption then gradually shift everyone across until the traffic
hits the new APs.

4. Look at some form of Compliance Product such as Sygate or Symantec's
stuff to limit what can or can't be done on a user's machine.

Just my two bob's worth.

Alan
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: 02 December 2006 13:59
To: security-basics () securityfocus com
Subject: Re: About War Driving ..

On 2006-11-30 FatalSaint wrote:
> Just a couple.. I'm kind of a noob here but:
>
> 1) Use WPA/TKIP instead of WEP.  Harder to crack (though not
> impossible)

Please elaborate: how do you believe WPA could be cracked? I know that
WPA-PSK can be cracked if a weak passphrase is chosen, but I haven't yet
seen a mention of WPA-PSK with a strong passphrase or WPA/TKIP being
cracked.

> 2) Disable DHCP if you have it running or

Pointless, because the attacker can spoof a valid IP address.

> 2a) Enable static DHCP for the MAC Addresses of the authorized PCs

Pointless, because the attacker can spoof a valid MAC address.

> 3) MAC Address Filter your router

Pointless, because the attacker can spoof a valid MAC address.

> 4) Disable SSID Broadcast (easily got around by anyone with Kismet..
> but still an added layer)

Pointless, because the attacker doesn't need a broadcast SSID to detect
the WLAN.

> 5) If your router has the capability; explicitly allow only the IPs
> for the machines you assign to get out to the internet.

Pointless, because the attacker can spoof a valid IP address.

> 6) Disable the torrent ports at the firewall .. I am not sure what
> they are or if torrent will get around them by using port 80 instead.
> (in actuality, in a business environment I'd disable -all- outgoing
> ports except 80 and 443 - if someone needs specific access have your
> net-admin explicitly allow their machine out.)

Not entirely pointless, but a) limits valid users as well, and b) is
only effective once the attacker already *got* access to your network.
Which is what you want to prevent in the first place.

> 7) You could get as detailed as static routing and limiting the amount
> of bandwidth each machine/IP could use.

Pointless, because the attacker can spoof a valid MAC and IP address.

> Log MAC Addresses.  If he's smart enough to crack your WEP then he's
> prolly spoofing MACs.. but you could always go into your logs, see
> which MAC is associated with that IP - and then go to all the machines
> in your building that you can control and check the MAC Addresses -
> might tell you which machine is doing it.

That does only help if you know how to locate that machine. Which is
exactly the problem the OP has (because with a WLAN you can't simply
follow the wire).

> Some more advanced things could be to install a proxy server; require
> the use of logins to get to the internet - then you can track by
> login. Or even installing a transparent proxy and logging all
> websites/communication out to the internet (this could cause a very
> large logfile.)

That may work, but also means a lot of work. Plus, it just moves the
authentication to a higher layer. Why not just leave it in the network
layer? Has the same effect, is easier to set up, and keeps a potential
attacker entirely out of your network.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
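
Added example, not part of the original posts: one way to answer the "which AP?" and "how often?" questions above from AP association logs, and to spot a known MAC showing up on two APs at once, which the thread notes is possible through spoofing. The log format, AP names, MAC addresses and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (format assumed): "<ISO time> <AP> <client MAC> <event>"
SAMPLE_LOG = """\
2006-12-01T09:02:11 AP-1F 00:11:22:aa:bb:01 assoc
2006-12-01T09:05:40 AP-2F 00:11:22:aa:bb:02 assoc
2006-12-01T09:06:02 AP-2F 00:11:22:AA:BB:01 assoc
2006-12-01T12:31:07 AP-2F 00:de:ad:00:00:99 assoc
2006-12-01T12:58:30 AP-2F 00:de:ad:00:00:99 disassoc
garbled line
2006-12-04T12:29:55 AP-2F 00:de:ad:00:00:99 assoc
"""
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # constructed list of known MACs

def parse(log):
    """Yield (time, ap, mac, event) tuples, skipping lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3]
        except ValueError:
            continue

def review(log, inventory):
    """Return (unknown, overlaps).

    unknown:  MAC not in inventory -> which APs it used, how often, at what hours.
    overlaps: (mac, old_ap, new_ap, time) where a MAC associates to a second AP
              with no disassociation logged on the first. Roaming can cause this
              too, so treat it as a lead for a possibly cloned MAC, not proof.
    """
    aps = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    current, overlaps = {}, []
    for ts, ap, mac, event in sorted(parse(log)):
        if event == "disassoc":
            if current.get(mac) == ap:
                del current[mac]
        elif event == "assoc":
            if mac not in inventory:
                aps[mac][ap] += 1
                hours[mac].add(ts.hour)
            if current.get(mac, ap) != ap:
                overlaps.append((mac, current[mac], ap, ts))
            current[mac] = ap
    unknown = {m: {"aps": dict(aps[m]), "hours": sorted(hours[m])} for m in aps}
    return unknown, overlaps

if __name__ == "__main__":
    print(review(SAMPLE_LOG, INVENTORY))
```
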


