Security Basics mailing list archives
Re: About War Driving ..
From: FatalSaint <admin () linuxniche com>
Date: Tue, 05 Dec 2006 00:18:57 -0700
Ansgar -59cobalt- Wiechers wrote:
In your case my answer is simple: Break your Ethernet card. All your comments on "Pointless.. the attacker can.." are moot. It's a simple fact - You can be hacked. Thus - does that make -all- forms of security.. "Pointless.. because the attacker can..."? If you are connected to a network you -can- be cracked remotely. If you are not - you can be hacked physically. The only truly secure machine is the one that does not exist. Thus by your standards; Information security is "Pointless."
Maybe you have never heard of "Defense in Depth" strategy. The idea behind which is that you add multiple layers of defense to penetrate your network - thus making it more "difficult" for a potential cracker to get in. If he succeeds in cracking 1 layer, he is faced with another, and another, and if he is truly determined you weren't going to stop him in the first place. If he is a script kiddie looking for a thrill; it is your hope he'll get bored.
--Please elaborate: how do you believe WPA could be cracked? I know that
--WPA-PSK can be cracked if a weak passphrase is chosen, but I haven't yet
--seen a mention of WPA-PSK with a strong passphrase or WPA/TKIP being
--cracked.
This doesn't even require a response. WPA-PSK, TKIP and all other forms of password encryption and authentication -can- be cracked. The harder the passphrase; the longer the brute force. Keep this in mind when you tell me all my -other- alternatives are pointless: Your password is vulnerable. That is the end of story. Given time, dedication, patience and machinery (hell, right here in my house I can run a crack on 10 simultaneous machines across a Linux cluster if I so desire - imagine if a government wanted your information.) Not to mention if you are in an office environment half your users write their passwords down; especially if you're a good netadmin that requires minimum length, minimum combinations of specials, etc - and this person in his case could very well be -inside- the building. How hard would it be for you to loot your friend's desk when he went to lunch?
2) Disable DHCP if you have it running or
--Pointless, because the attacker can spoof a valid IP address.
Correct - tack on some time for him to find one.
2) Disable DHCP if you have it running or
--Pointless, because the attacker can spoof a valid IP address.
Correct. See above.
4) Disable SSID Broadcast (easily got around by anyone with kismet.. but still an added layer)
--Pointless, because the attacker doesn't need a broadcast SSID to detect
--the WLAN.
Correct - See above. He's gotta take the time to find it.
5) If your router has the capability; explicitly allow only the IPs for the machines you assign to get out to the internet.
--Pointless, because once the attacker can spoof a valid IP address.
And of course causing IP conflicts and a slew of other problems that will both A) Slow him down and B) Speed up your detection of him.
--Not entirely pointless, but a) limits valid users as well, and b) is
--only effective once the attacker already *got* access to your network.
--Which is what you want to prevent in the first place.
Wow - You have some defense in depth ideas already. Let's give you a cookie. So your suggestion is "Well; if he gets on .. we may as well sacrifice everything to him because we're morons anyway." I -certainly- would hire you.
7) You could get as detailed as static routing and limiting the amount of bandwidth each machine/IP could use.
--Pointless, because the attacker can spoof a valid MAC and IP address.
Wow.. we hit a nail here. You completely missed what I said. I said static routing and limiting bandwidth. Even IF your assailant gets on - he can not use more than X kbps of YOUR BANDWIDTH unless he has 10 NICs, all bonded, all on your wireless LAN, all with separate IPs using separate routes combining 10 times X the bandwidth. It's called segmenting I believe.
Log MAC Addresses. If he's smart enough to crack your WEP then he's prolly spoofing MACs.. but you could always go into your logs, see which MAC is associated with that IP - and then go to all the machines in your building that you can control and check the MAC Addresses - might tell you which machine is doing it.
--That does only help if you know how to locate that machine. Which is
--exactly the problem the OP has (because with a WLAN you can't simply
--follow the wire).
Did you read Hansel and Gretel? Follow the breadcrumbs. I said it is -possible- to find it by checking -every- MAC address in your building. If he -didn't- spoof you -may- be able to find the machine. Again - There are NO definites in Information Security; vice one: Your system IS vulnerable - somewhere - Your job as a SysAdmin, is to find it.
--That may work, but also means a lot of work. Plus, it just moves the
--authentication to a higher layer. Why not just leave it in the network
--layer? Has the same effect, is easier to set up, and keeps a potential
--attacker entirely out of your network.
Once again - Why put all your eggs in one basket?? The more layers you use, the more layers to peel. I have worked in government for a number of years, in there, when you talk "Mission Critical" data - you aren't kidding. So far - 90% of the responses to this have been "Upgrade to WPA (WPA2 if capable)" and that is fantastic. I offered a more detailed trail of a list of specific items that can be done to help -prevent- intrusion. Each step, by itself, can be broken. Combine them all - and it becomes a nuisance.
The very first thing you should do when planning Information Security is to write a very detailed document of "Authorized Use" for your network. LOCK DOWN ANYTHING that is not in that list. For a home network - most of this is irrelevant. For mission critical servers - You damn sure better be doing everything in your power to prevent data corruption. It's called CIA: Confidentiality, Integrity, and Availability. Those are the 3 items that any Systems Administrator must ensure. You must also weigh your Threat, vs Risk. And then Risk vs Cost-Benefit ratio. You then determine the best course of action for -your- network.
The items I listed were small steps that 90% of the wireless routers of today have the capability to do - and can add a great level of security against your average Joe. I then just touched the TOP of the iceberg on more advanced items and suggestions if the COST is worth it. The idea here is to be the least targetable person. If person A uses all of my techniques (and the others listed within this thread), and person B uses none: Who do you think will be cracked?
I have personally seen zones with 20+ SSIDs floating through the air. 3 of them were completely unsecured with no WEP or MAC Filtering at all. 15 of them used WEP and 2 used WPA (according to a kismet scan of the area). Ask yourself - If you are sitting in that area; which network would you abuse? The unsecured plug and play.... or the WPA encrypted network? (obviously the correct answer being None. But to prevent hackers - you must think as them. And to prevent them well; you must be able to hack. There are legal ways to do so; set up your own honeypot in your house and go at it. It is quite fun, entertaining, and very educational.)
Learn the tools of your enemy; and become their nemesis. That is my goal; and that should be the goal of -anyone- entrusted with someone else's network. Simply not implementing a feature because -you- know how to hack it; simply means that the crackers no longer need to. You have just handed your network over on a silver platter.
Very Respectfully,
FatalSaint
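
Added example, not part of the original message: one way to act on the "log MAC addresses" and "IP conflicts speed up detection" points above is to compare logged IP/MAC observations against the static assignments. The log format, the inventory and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical inventory: the static IP assigned to each authorized MAC.
INVENTORY = {
    "00:16:cb:aa:10:01": "192.168.1.20",
    "00:16:cb:aa:10:02": "192.168.1.21",
}

# Constructed sample log, one "timestamp ip mac" observation per line.
SAMPLE_LOG = """\
2006-12-05T09:01:12 192.168.1.20 00:16:CB:AA:10:01
2006-12-05T09:01:40 192.168.1.21 00:16:cb:aa:10:02
2006-12-05T09:14:03 192.168.1.21 00:0e:35:77:42:9f
2006-12-05T09:20:55 192.168.1.35 00:16:cb:aa:10:01
garbage line
"""


def parse(log_text):
    """Yield (ip, mac) pairs, skipping lines that do not have three fields."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower()


def audit(log_text, inventory):
    """Return sorted (finding, ip, mac) tuples for an administrator to review."""
    macs_by_ip = defaultdict(set)
    findings = set()
    for ip, mac in parse(log_text):
        macs_by_ip[ip].add(mac)
        if mac not in inventory:
            findings.add(("unknown-mac", ip, mac))
        elif inventory[mac] != ip:
            # Authorized MAC on an IP it was never assigned: moved or cloned.
            findings.add(("mac-on-wrong-ip", ip, mac))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            # Two MACs claiming one IP: the conflict the message mentions.
            findings.update(("ip-conflict", ip, mac) for mac in macs)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, INVENTORY):
        print(*finding)
```

A spoofed MAC that also uses its assigned IP produces no finding here, which matches the message's own caveat that this check only helps when the intruder did not spoof both.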
