Security Basics mailing list archives
RE: About War Driving ..
From: "Alan Greig" <Alan.Greig () Ogilvie co uk>
Date: Tue, 5 Dec 2006 13:20:00 -0000
As many have highlighted it would be difficult to actually locate the perpetrator however it depends in what your ultimate goal is. If you think its an outsider with knowledge of your key then change the key and implement better encryption, Wep isn't sufficient in securing AP's. You may also want to consider some of the following. 1. If you have more than one AP for coverage do you know what AP he is connecting to? Have you tested the extents of your wireless coverage from each AP thus giving you a rough idea of his vicinity? 2. How often do they connect? If it's a regular occurrence would it be possible to reduce the wireless signal strength gradually until the traffic stops as this would give you an idea of what floor they are on. 3. If you have a few AP's to hand you could let your users know you are enhancing wireless coverage and as such you are having to move people over to a new system. Install a couple of AP's on different SSID's with strong encryption then gradually shift everyone across until the traffic hits the new ap's. 4. Look at some form of Compliance Product such as Sygate or Symantec's stuff to limit what can or can't be done on a users machine. Just my two bobs worth. Alan -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers Sent: 02 December 2006 13:59 To: security-basics () securityfocus com Subject: Re: About War Driving .. On 2006-11-30 FatalSaint wrote:
Just a couple.. I'm kind of a noob here but: 1) Use WPA/TKIP instead of WEP. Harder to crack (though not impossible)
Please elaborate: how do you believe WPA could be cracked? I know that WPA-PSK can be cracked if a weak passphrase is chosen, but I haven't yet seen a mention of WPA-PSK with a strong passphrase or WPA/TKIP being cracked.
2) Disable DHCP if you have it running or
Pointless, because the attacker can spoof a valid IP address.
2a) Enable static DHCP for the MAC Addresses of the authorized PC's
Pointless, because the attacker can spoof a valid MAC address.
3) MAC Address Filter your router
Pointless, because the attacker can spoof a valid MAC address.
4) Disable SSID Broadcast (easily got around by anyone with kismet.. but still an added layer)
Pointless, because the attacker doesn't need a broadcast SSID to detect the WLAN.
5) If your router has the capability; explicitly allow only the IP's for the machine's you assign to get out to the internet.
Pointless, because once the attacker can spoof a valid IP address.
6) Disable the torrent ports at the firewall .. I am not sure what they are or if torrent will get around them by using port 80 instead. (in actuallity, in a business environment I'd disable -all- outgoing ports except 80 and 443 - if someone needs specific access have your net-admin explicitly allow their machine out.)
Not entirely pointless, but a) limits valid users as well, and b) is only effective once the attacker already *got* access to your network. Which is what you want to prevent in the first place.
7) You could get as detailed as static routing and limiting the amount of bandwidth each machine/IP could use.
Pointless, because the attacker can spoof a valid MAC and IP address.
Log MAC Addresses. If he's smart enough to crack your wep then he's prolly spoofing MAC's.. but you could always go into your logs, see which MAC is associated with that IP - and then go to all the machines in your building that you can control and check the MAC Addresses - might tell you which machine is doing it.
That does only help if you know how to locate that machine. Which is exactly the problem the OP has (because with a WLAN you can't simply follow the wire).
Some more advanced things could be to install a proxy server; require the use of login's to get to the internet - then you can track by login. Or even installing a transparent proxy and logging all websites/communication out to the internet (this could cause a very large logfile.)
That may work, but also means a lot of work. Plus, it just moves the authentication to a higher layer. Why not just leave it in the network layer? Has the same effect, is easier to set up, and keeps a potential attacker entirely out of your network. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq CONFIDENTIALITY NOTICE: This email and any attachments may be confidential. They may contain privileged information and are intended for the named addressee only. They must not be distributed without our consent. If you are not the intended recipient, please notify us immediately and delete the message and any attachments from your computer, do not disclose, distribute, or retain this email or any part of it. DISCLAIMER: Internet communications are not secure and therefore Ogilvie Group Ltd does not accept legal responsibility for the contents of this message. Unless expressly stated, opinions in this email are those of the individual sender and not of Ogilvie Group Ltd. Ogilvie Group Ltd checks outgoing e-mails with anti-virus software that is regularly updated however this does not guarantee that any files attached to this e-mail are virus free. You must therefore take full responsibility for virus checking. Ogilvie Group Ltd reserves the right to monitor all email communications through their networks. --------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect ---------------------------------------------------------------------------
Current thread:
- Re: About War Driving .., (continued)
- Re: About War Driving .. FatalSaint (Dec 06)
- Re: About War Driving .. Ansgar -59cobalt- Wiechers (Dec 06)
- Re: About War Driving .. FatalSaint (Dec 07)
- Re: About War Driving .. Ansgar -59cobalt- Wiechers (Dec 07)
- Re: About War Driving .. Brian Loe (Dec 07)
- Re: About War Driving .. FatalSaint (Dec 07)
- Re: About War Driving .. Brian Loe (Dec 07)
- Re: About War Driving .. FatalSaint (Dec 07)
- Re: About War Driving .. Kelly Martin (Dec 08)
- Re: About War Driving .. pryorda pryor (Dec 12)
- RE: About War Driving .. Alan Greig (Dec 06)
- Re: About War Driving .. Gouki (Dec 04)
