Archive for the 'Wireless' Category

The Perils Of Leaving Wi-Fi Networks Unsecured

People don’t seem to seriously care about Wi-Fi security yet. In spite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leech their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-Fi networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-Fi networks, especially since most Wi-Fi routers use the default security settings pre-installed by the vendor rather than settings configured by the end user.

SOHO routers log every connection and DHCP lease, but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), a simple restart of the router once their nefarious activities have been carried out will erase all tracks.

The extent to which an unsecured Wi-Fi connection can be abused is left purely to the imagination of the attacker. Putting on my Dr. Evil hat, here are a couple of wicked acts a Wi-Fi hacker could commit and get away with undetected using an unsecured network.

  • Download child pornography
  • Download copyrighted movies and music via P2P
  • Download Warez and abuse your bandwidth
  • Send bomb hoaxes, terror or threatening emails.
  • Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

  • Infiltrate and break into internal machines
  • Modify DNS settings on the router to point to a rogue server.
  • Sniff Wi-Fi traffic for usernames and passwords

The scenarios discussed above are neither speculation nor an exhaustive listing of the different ways of abusing unsecured Wi-Fi networks. These scenarios are being enacted by criminals every day around the world.

Now why would you want to be an unwitting host to criminal activities emanating from your IP address, or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. Using those vulnerabilities, relatively recent phones running S40 3rd Edition are open to malicious MIDlets that exploit the others.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which caused only premium rate charges. This is the first time that such phones have been vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof of concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. After the release of vulnerability information, attackers will generally attempt to write exploits.

Secure Your Wireless Router

Wireless routers are very common in homes in China nowadays. Unfortunately, properly secured wireless routers are not. Many are still not configured with a network key. This creates a serious security problem.

To demonstrate, just from my home I can easily find a wireless router with no network key. Most of these routers provide a DHCP service, so my laptop can obtain an IP address and access the Internet using that router.

Having obtained an IP address, I run the command “ipconfig /all” to get the IP address of the gateway (router). Then I access that IP via HTTP using Internet Explorer. I get a prompt for a username and password. From this prompt, I learn that the router is manufactured by TP-Link. I easily find the default username and password for this router online. I try the defaults, and I am in luck.

I am now logged into the wireless router’s administration page. No advanced technology was needed. To a person with malicious intentions, the possibilities are great.

To test how prevalent this problem is, I use my mobile phone with WiFi capability and find many wireless routers around my home. Many are not secure, and many have the default admin username and password.

So secure your wireless router. Changing the default admin password and setting up wireless security just takes a minute, but it goes a long way in preventing a big security problem.

It’s Time for your update Mr. Brown… Hacking the Human

Straight out of science fiction? Sounds like it, but it may be closer to reality than you would think.

Recently a bunch of researchers from the University of Washington and the University of Massachusetts (plus a Harvard MD and a University of Washington PhD) were able to hack a pacemaker/defibrillator.

Think about this for a moment…they were able to make the device stop.

They released the report on their Web site dedicated to medical device security. Very interesting stuff.

Under the hood (so to speak – it was actually on a table) they found that they were able to connect to the device wirelessly, and cause it to shock on command and even to stop altogether. Almost secondary at this point, they were also able to glean sensitive patient information stored on the device.

Exploit scenarios for this are better left to more deviant-minded individuals, but the net effect is obviously very serious. (When’s the last time your server went post-mortem, literally, from a flaw?)

So here’s the coolest part to the story:

They have examples of how to fix it! How many times have you seen a researcher release details of an exploit and not suggest how to fix it (aye, irresponsible disclosure)? They have taken account of the device designs (wireless transmission) and limitations (battery power) and have suggested ways that device makers could improve the security. Kudos to them! Hopefully this will spark a growing industry to make these devices safer.

One last thought here… would it not be surreal if a computer virus transcended the electronic world and actually infected a human being?

Crimeware goes Mobile

A week after McAfee Avert Labs found WinCE/InfoJack, we’ve run across more malware in China. This time the malware, running on Symbian Series 60 phones, attempts to extort money from users. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone.

Figure 1
The warning message is displayed after a delay

The message roughly translated states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [id removed] account, or your phone will be paralysed!!!”

QQ is a very popular Instant Messaging network in China and a target for many password stealing trojans and scams. QQ coins, an in-network currency, are also heavily used, traded and stolen outside the QQ network. We’ve covered how theft of QQ coins is prosecuted in the past.

SymbOS/Kiazha.A is just one part of SymbOS/MultDropper.CR. MultiDroppers contain a number of different malware, which have separate functionality. SymbOS/MultDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, and SymbOS/SmsSend.F-G, all of which can cost the user for SMS and MMS transmission.

On the surface SymbOS/MultDropper.CR looks like a standard collection of previously seen malware. While examining the MultDropper’s components individually, we noticed a few things:

  • SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
  • SymbOS/SmsSend.G forwards SMS received to the malware author
  • SymbOS/Kiazha.A deletes any sent or received SMS message

Separately, these actions seemed in opposition to each other. If the new account SMS were received, it would be deleted by SymbOS/Kiazha.A, rendering the initial action moot.

Further testing with the entire malware showed something more interesting. The interaction of these disparate malware produced one functional piece of malware. SymbOS/MultDropper.CR uses malicious payloads (Beselo, Commwarrior) to convince the user their phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information and potentially passwords. In case the victim doesn’t have a QQ account, the malware will order (SmsSend.F) one for them. After all that, SymbOS/Kiazha.A deletes SMS messages to cover its tracks and displays the offer to fix the user’s phone for a small fee.

The interesting thing about MultiDroppers is that usually they’re compiled by malware authors who aren’t programmers and simply collect the work of others. With MultiDropper.CR it appears that the author, with a lot of effort and testing, put together various malware like pieces from a toolkit. Also of note, especially with mobile phone malware, is that the author may have put in all this work to make a profit rather than increase his notoriety.

Beware! your neighbor might be listening…

We came across an interesting presentation at the recent Blackhat Conference that discusses a technique to decrypt cellular signals here. The article discusses a cheaper, faster method of cracking the encryption used between the mobile devices (phones) and mobile stations (cell towers). The encryption in question is the A5/1 algorithm, which is used widely in GSM networks in the United States.

The encryption was actually proven to be vulnerable, and can be cracked after a long pre-processing stage (around 2^40 steps or so) with huge amounts of storage. More details can be found here, here, and here. There are also known plaintext-based attacks, found here, that can break A5/1 in minutes, but these require the attacker to be active in the attack.

What makes this attack interesting is that it is completely passive, and it overcomes the long pre-processing stage of the attacks discussed above by using custom-designed FPGAs instead of a personal PC. With this, they were able to crack the encrypted data within 30 minutes, which makes “real-time” decryption a possibility. Furthermore, the presenters are planning to sell a hardware-based product that can do this much faster. This could lead to easier espionage or other illegal activities if the technology lands in the wrong hands.
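To make concrete what the passive attacks above are working against, here is an added Python implementation of the A5/1 keystream generator, written from the cipher's public description (three LFSRs of 19, 22 and 23 bits with majority clocking). It is not code from the original post or from the presenters. The point for a defender is visible in the constants: the entire secret state is 64 bits, which is exactly what makes a one-time precomputation followed by table lookups affordable. The key, frame number and expected keystream used in the `__main__` block are the widely circulated A5/1 reference test vector, not values from this page; they are labelled as such in the comments.

```python
# Added example, not from the original post: an A5/1 keystream generator
# written from the public description of the cipher.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22- and 23-bit registers
R1_MID, R2_MID, R3_MID = 8, 10, 10                          # majority-clocking bit positions
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080    # feedback taps
R1_OUT, R2_OUT, R3_OUT = 18, 21, 22                         # output (high) bit of each register


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def step(reg: int, mask: int, taps: int) -> int:
    """Clock one LFSR: shift left and feed back the parity of the tapped bits."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    def __init__(self, key: bytes, frame: int):
        if len(key) != 8:
            raise ValueError("A5/1 key must be 64 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Load the 64 key bits, least significant bit of each byte first.
        for i in range(64):
            self._clock_all()
            self._mix((key[i // 8] >> (i & 7)) & 1)
        # Load the 22-bit frame number, least significant bit first.
        for i in range(22):
            self._clock_all()
            self._mix((frame >> i) & 1)
        # 100 majority-clocked warm-up steps whose output is discarded.
        for _ in range(100):
            self._clock()

    def _mix(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        """During key/frame loading every register is clocked, majority or not."""
        self.r1 = step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Irregular clocking: a register moves only if its clocking bit agrees with the majority."""
        b1 = (self.r1 >> R1_MID) & 1
        b2 = (self.r2 >> R2_MID) & 1
        b3 = (self.r3 >> R3_MID) & 1
        maj = 1 if b1 + b2 + b3 >= 2 else 0
        if b1 == maj:
            self.r1 = step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = step(self.r3, R3_MASK, R3_TAPS)

    def _output_bit(self) -> int:
        return ((self.r1 >> R1_OUT) ^ (self.r2 >> R2_OUT) ^ (self.r3 >> R3_OUT)) & 1

    def keystream(self, nbits: int = 114) -> bytes:
        """Return nbits of keystream, packed most-significant-bit first."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            out[i // 8] |= self._output_bit() << (7 - (i & 7))
        return bytes(out)


def a51_frame_keystreams(key: bytes, frame: int):
    """Keystream for one GSM frame: 114 bits downlink (A->B), then 114 bits uplink (B->A)."""
    gen = A51(key, frame)
    return gen.keystream(114), gen.keystream(114)


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Encryption and decryption are the same XOR; the wrong keystream just yields noise."""
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    # Reference test vector (a published test value, not a subscriber key).
    key = bytes.fromhex("1223456789ABCDEF")
    a_to_b, b_to_a = a51_frame_keystreams(key, 0x134)
    print("A->B:", a_to_b.hex().upper())
    print("B->A:", b_to_a.hex().upper())
```

The 2^40 figure in the text is best read against this code: the generator's state after key setup is at most 2^64 possibilities, the frame number is public, and each frame emits 228 keystream bits, so an attacker who can record ciphertext and guess some plaintext only needs tables large enough to cover a fraction of that state space. None of that precomputation is shown here; the block only makes the cipher being attacked concrete.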

The presenters also showed various other weaknesses in current implementations of cellular networks.

Besides the GSM cracking attack, there’s also another paper published on cellular network security, which can be found here. This paper simulates the proportional fair scheduler commonly used in several 3G networks and shows that malicious users, with access to a few mobile devices, can manipulate the scheduler into assigning an unfair share of time slots to the attacker. With only a few attacking devices, they were able to steal a majority of the time slots.

I think these works, although controversial, could provide the stimulus for a new and robust direction for security practices in cellular technology, since cellular networks are now used as widely as, or even more widely than, the Internet. The Internet is relatively well understood compared to the cellular network. More attention focused on the security of cellular networks might help both consumers and cellular service providers build a more secure network that we all already depend on.

Can I own your wireless network?

If you are running WPA Enterprise with PEAP or EAP/TTLS, it’s about time you took a serious look at your client configuration! This weekend at Shmoocon in Washington D.C., Josh Wright and I gave a presentation that demonstrated how a very common but incorrect client supplicant configuration can lead to the compromise of certain wireless networks and, in some cases, provide Windows domain access.

Our AP impersonation attack on PEAP and EAP/TTLS relies on the client failing to properly validate the authentication server’s (RADIUS) TLS certificate. By default, the Windows Zero Configuration (WZC) wireless supplicant performs this validation by putting the trust of the network in the client’s hands: WZC will prompt the user to either continue or cancel upon connecting to the wireless network (similar to the way your web browser prompts you when accessing certain websites over HTTPS). Furthermore, the user may be misled by this message, as it only contains the signing authority’s name (e.g. Verisign) rather than the actual certificate name.

The severity of this issue is further escalated when the client is configured not to validate the server certificate at all. Unfortunately, this is the most common configuration I’ve seen used within organizations. It should be noted that because this is a configuration-related attack, WZC is not the only vulnerable client supplicant: OS X’s client, Juniper’s Odyssey Client, and virtually every other wireless supplicant is vulnerable as well.

In either of these scenarios, FreeRADIUS-WPE (our modified version of the open source RADIUS server) can be used to gain access to the inner authentication credentials passed in the TLS tunnel established between the client and the authentication server. These weak inner authentication protocols (e.g. PAP, MSCHAPv1, MSCHAPv2) rely on the outer TLS tunnel for protection, so without it they are greatly exposed to attack. In some cases these protocols reveal the client’s username and password in clear text, while in other cases a brute force attack is required. Due to Active Directory integration, these credentials may also be the ones used for domain authentication.

Finally, because this is the result of a client-related issue, clients may be vulnerable in coffee shops, airports and other locations outside the vicinity of the corporate wireless network.

When using WZC and other supplicants, you’ll want to make sure that the client strictly validates the server certificate by only trusting certificates that match both the signing authority and the hostname of the RADIUS server. An example of the WZC configuration is below. This is also covered in Microsoft knowledge base article KB941123. For additional information on protecting yourself from this and other attacks, please see my 802.11 attacks whitepaper on Foundstone.com!

Windows Zero Configuration
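The three supplicant settings discussed above (no validation, trust the signing authority only, trust the authority and the server name) differ in one decision, and it is easy to see why only the last one helps. The following added Python model, which is not code from the original post and has nothing to do with WZC's actual implementation, applies each policy to constructed certificate descriptions. The certificate fields, CA name (`Example Public CA`), hostnames and the `ServerCert` type are all invented for illustration; a real supplicant also checks the chain, validity period and revocation, which this model leaves out.

```python
# Added example, not from the original post: a model of the three server
# certificate validation settings applied to constructed certificates.
from dataclasses import dataclass
from typing import Iterable, Dict


@dataclass(frozen=True)
class ServerCert:
    """Only the two fields this trust decision hinges on (constructed, not real X.509)."""
    subject_cn: str   # the name in the certificate, i.e. the RADIUS server's hostname
    issuer: str       # the signing authority that issued it


def accept_without_validation(cert: ServerCert) -> bool:
    """'Do not validate server certificate': every certificate is accepted."""
    return True


def accept_by_ca_only(cert: ServerCert, trusted_cas: Iterable[str]) -> bool:
    """Trust the signing authority only. Any certificate that CA ever issued
    passes, including one an impersonator obtained for their own hostname."""
    return cert.issuer in set(trusted_cas)


def accept_by_ca_and_name(cert: ServerCert, trusted_cas: Iterable[str],
                          expected_servers: Iterable[str]) -> bool:
    """Trust the CA and pin the server name, which is the recommended setting."""
    if cert.issuer not in set(trusted_cas):
        return False
    return cert.subject_cn.lower() in {s.lower() for s in expected_servers}


# Constructed certificates: the real RADIUS server, an impersonating AP whose
# operator obtained a perfectly valid certificate from the same public CA for a
# hostname they control, and a self-signed copy of the legitimate name.
LEGIT = ServerCert("radius.corp.example", "Example Public CA")
IMPERSONATOR = ServerCert("evil-ap.example", "Example Public CA")
SELF_SIGNED = ServerCert("radius.corp.example", "evil-ap.example")

TRUSTED_CAS = ["Example Public CA"]
EXPECTED_SERVERS = ["radius.corp.example"]


def evaluate(cert: ServerCert) -> Dict[str, bool]:
    """Which of the three configurations would let this certificate through."""
    return {
        "no validation": accept_without_validation(cert),
        "CA only": accept_by_ca_only(cert, TRUSTED_CAS),
        "CA + server name": accept_by_ca_and_name(cert, TRUSTED_CAS, EXPECTED_SERVERS),
    }


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT), ("impersonator", IMPERSONATOR), ("self-signed", SELF_SIGNED)):
        print(f"{label:13s} {evaluate(cert)}")
```

The row to look at is the impersonator: a certificate from the same well-known authority, with a different name, sails through the "CA only" setting, which is what the WZC prompt showing only the authority's name invites the user to accept. Only the name check rejects it.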

Data in your pocket

In the early days, security concerns around computer hardware and the data on these systems were mainly taken care of by ensuring good physical security around them. Lock these systems in a room with restricted access and the systems and data were mostly secure. The options for stealing the data mostly involved physically breaking into the area, which is quite difficult. Things had to change, and they did. Networking changed the way we looked at computers and made data available even though it was kept on a remote system. This was a major leap in computer science, but it also changed the security picture for computers. Admins became less bothered about physical security and more concerned with safeguarding data from being stolen through the interconnectivity of these systems. There was a big paradigm shift from physical to network security. History is almost repeating itself again, though this time making things even tougher: physical security is gaining importance again, without making network security any less of a concern.

As devices grow smaller and devices not really seen as “traditional computers”, like mobile phones and other storage-capable devices, become more popular, the physical security of such devices becomes important again. Mobile phones these days can easily store 2-8 GB of data or more. This could include business-critical emails, identity and credit card information, or family pictures. As these devices are small, they can easily be lost, stolen or pilfered. Most of these devices run sophisticated enough operating systems, often with Wi-Fi and Bluetooth capabilities as well, making other application and network issues applicable to them too. And not only such handheld devices: even traditional equipment is more exposed to physical attacks these days, as most of the attention is on securing systems from network or application attacks.

We cannot easily go back to the early days of strongly physically secured locker rooms with handheld devices! Good user education and software-based protections have to be applied to make data less likely to get into the wrong hands. These devices may even need to run tracking systems in addition to data protection, to safeguard the device itself as well as the data.

- Tracking systems that can provide the location of the device, such as GPS or tracking through the mobile service provider, may need to be implemented for any mobile device carrying sensitive data.
- Only required data should be kept on these devices. Keep moving important but less-used data onto a more secure system. Back it up!!
- The data should always be kept locked with strong passwords.
- The most critical and important data should also be kept encrypted.
- Have data theft prevention software that performs data wiping: “eradicate it before it falls into enemy hands”. Such software wipes the data on the basis of some event that gets triggered when the hardware is in the wrong hands.
- Unless required, keep all kinds of connectivity, such as Wi-Fi and Bluetooth, turned off on such handhelds.

Data that roams with us in our pockets is less physically secure, but good user education and software can at least keep it from being misused, if not prevent it from getting lost.

WiFi: Rogue AP detection and AP impersonation

In city office environments with residential or even non-residential buildings nearby, rogue detection can be a huge and overwhelming issue. Things get even more complicated when you think about shared office spaces where access points are just a wall away. Commercial wireless intrusion detection systems (WIDS) will allow you to place sensors in multiple locations, which allows the WIDS to perform a sort of triangulation to help identify where these APs may reside. The need for these commercial solutions is understandable when you have a wireless network within your organization, but what happens when you don’t? The threat of rogue access points is still there, and an equally serious threat is AP impersonation attacks, which may target corporate systems with wireless cards.

So what’s a guy to do? As mentioned there are two issues here: rogue access points and AP impersonation attacks. Let’s look at each one.

Rogue Access Points: In highly dense environments, the best method I’ve found for identifying rogue access points is similar to that of wireless intrusion detection systems, except it’s a more manual process. What we’ll do is use a standard wireless adapter with a low gain antenna (there is NO need for a high gain antenna, it’ll only make your life difficult) and a wireless sniffer that will display signal strength. The choice here can be either open source or commercial software. I personally use a commercial tool, AirMagnet’s Laptop Analyzer, just because it gives me exactly the data that I am looking for. No matter what, don’t use NetStumbler (remember? active vs. passive sniffing)! Using a floor map, I’ll mark down roughly 5-10 single points within the office space and take 2 minute snapshots at each point. Once that’s completed, I’ll make an Excel spreadsheet containing every BSSID (MAC address) discovered at every sample point, the capture location, and signal strength. Then I’ll sort by BSSID and start the correlation. For example, if we have 5 sample points, we’ll look for BSSIDs that have relatively high signal strength (~30) at each sample point, or at say 4 of the 5 sample points. Assuming you picked points that are around the perimeter and at least one in the middle, you should have enough information to safely assume that the AP is in your office area. If you see a particular BSSID with good signal strength only along the outer wall samples, you may assume it is outside. Once you have a list of potential real rogue access points, the hunt begins!

For less dense environments, or if you’ve targeted a particular suspected rogue, you can use the “walk aimlessly” technique. Use a low gain antenna so you’re not searching for something that’s 3 blocks away, lock in on the particular channel and the particular BSSID (AirMagnet’s “Find” function is really great for this) and just follow the signal. One helpful technique is to use your body to help identify which direction the signal is coming from. Wireless signals do not propagate through water, so because the human body is made up of something like 70% water, we can place the card near our chest and turn around to see if the BSSID is originating from in front of us by watching the signal strength. Normally it’ll drop ~10 if it is. The same technique can be used for APs above our location: we can put our hand over the top of the card, or bend over. From a third party perspective, all of this may look a little strange, but remember we’re walking around aimlessly anyway, so people already think we’re weird!

In general, the major fault with rogue detection is when the AP’s signal strength is turned way down. There are some cases where you may get lucky and pick it up, but a lot of times that’s not the case. You can also take more sample points; even though it has a low signal, it might tip you off that it’s somewhere nearby.
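The spreadsheet correlation described above, together with the low-power caveat just mentioned, is simple enough to script. The following is an added Python example, not code from the original post or from any WIDS product: it takes survey rows of (sample point, BSSID, signal strength), keeps the strongest reading per BSSID per point, and applies the "strong at 4 of 5 points, one of them in the middle" rule. The sample-point names, BSSIDs and readings are constructed; signal strength is treated as the unitless value the author's tool displays, with ~30 meaning strong, and a BSSID that is never strong anywhere is flagged separately as a possible low-power AP rather than silently dropped.

```python
# Added example, not from the original post: BSSID correlation across survey points.
from collections import defaultdict

# Four perimeter points and one in the middle of the office (constructed layout).
PERIMETER = {"NW corner", "NE corner", "SW corner", "SE corner"}
CENTER = "center"
SAMPLE_POINTS = PERIMETER | {CENTER}

# Constructed survey rows: (sample point, BSSID, signal strength as shown by the sniffer).
SURVEY = [
    ("NW corner", "aa:aa:aa:aa:aa:01", 44), ("NE corner", "aa:aa:aa:aa:aa:01", 46),
    ("SW corner", "aa:aa:aa:aa:aa:01", 41), ("SE corner", "aa:aa:aa:aa:aa:01", 43),
    ("center",    "aa:aa:aa:aa:aa:01", 52),
    ("NW corner", "bb:bb:bb:bb:bb:02", 38), ("SW corner", "bb:bb:bb:bb:bb:02", 33),
    ("center",    "bb:bb:bb:bb:bb:02", 12), ("NE corner", "bb:bb:bb:bb:bb:02", 8),
    ("NW corner", "cc:cc:cc:cc:cc:03", 31), ("NE corner", "cc:cc:cc:cc:cc:03", 35),
    ("SE corner", "cc:cc:cc:cc:cc:03", 30), ("SW corner", "cc:cc:cc:cc:cc:03", 28),
    ("center",    "cc:cc:cc:cc:cc:03", 40),
    ("NW corner", "dd:dd:dd:dd:dd:04", 9),  ("center",    "dd:dd:dd:dd:dd:04", 11),
    ("SE corner", "dd:dd:dd:dd:dd:04", 7),
]


def strongest_per_point(survey):
    """BSSID -> {sample point: strongest reading seen there}; repeated snapshots per point are fine."""
    table = defaultdict(dict)
    for point, bssid, signal in survey:
        table[bssid][point] = max(signal, table[bssid].get(point, 0))
    return table


def classify(survey, strong=30, inside_min=None):
    """Apply the rule of thumb to every BSSID in the survey.

    strong at inside_min or more points, the centre among them -> "likely inside"
    never strong anywhere                                        -> "weak everywhere ..."
    strong at a few points, none of them the centre              -> "likely outside"
    anything else                                                -> "undetermined"
    """
    if inside_min is None:
        inside_min = max(1, len(SAMPLE_POINTS) - 1)   # 4 of 5 points
    verdicts = {}
    for bssid, readings in sorted(strongest_per_point(survey).items()):   # sorted by BSSID, like the spreadsheet
        strong_points = {p for p, s in readings.items() if s >= strong}
        if not strong_points:
            verdicts[bssid] = "weak everywhere (possible low-power AP nearby: take more sample points)"
        elif len(strong_points) >= inside_min and CENTER in strong_points:
            verdicts[bssid] = "likely inside"
        elif len(strong_points) < inside_min and CENTER not in strong_points:
            verdicts[bssid] = "likely outside"
        else:
            verdicts[bssid] = "undetermined"
    return verdicts


def hunt_list(survey, known_bssids=frozenset(), **kw):
    """BSSIDs judged to be inside that are not on the list of sanctioned APs: the ones to go find."""
    return [b for b, v in classify(survey, **kw).items()
            if v == "likely inside" and b not in known_bssids]


if __name__ == "__main__":
    for bssid, verdict in classify(SURVEY).items():
        print(f"{bssid}  {verdict}")
    print("hunt:", hunt_list(SURVEY, known_bssids={"aa:aa:aa:aa:aa:01"}))
```

With the constructed survey, `aa:…:01` (strong everywhere) and `cc:…:03` (strong at four points including the centre) come out as inside, `bb:…:02` (strong only on the west wall) as outside, and `dd:…:04` as never strong, which is the case the paragraph warns about. Feed `hunt_list` the BSSIDs of your own sanctioned APs and what remains is the list to walk down with the "Find" function.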

AP Impersonation: I’m writing a nice little whitepaper on WPA Enterprise AP impersonation attacks, where you can compromise an EAP/TTLS or PEAP 802.11 network due to one common configuration-related issue, so I think it’s time to bring more attention to these types of attacks. AP impersonation attacks are just as they sound: an attacker positions an access point with a mimicked configuration of your wireless access points, and the client unknowingly connects to the attacker’s AP. This can be used in a number of different ways, but here we will just look at one variant.

Without a wireless network in your environment, the only wireless an attacker can target is that of your clients. With the wireless network adapter enabled, the client will constantly send probe requests to see if its configured wireless network is available. By responding to these probe requests, an attacker can trick the client into connecting to the malicious access point. It should be noted that if the network the client is probing for is encrypted or requires some sort of authentication (assuming it’s configured correctly), the attack will be mitigated. However, in cases such as an airport wireless network or “Free Public Wifi”, the client may unknowingly connect to the AP, exposing itself to further attacks which may ultimately allow the attacker onto the corporate internal network (assuming the client is hardwired into the internal network at the time of attack). Tools have been around for quite a while now which demonstrate these attacks (e.g. Hotspotter and Karma).

The main protection against these attacks is disabling wireless altogether, disabling it while it’s not in use, or disabling it while the Ethernet cable is plugged in. Disabling wireless altogether is an excellent idea; unfortunately it may not always be an option. You can disable it while it’s not in use, which really relies on getting your clients used to manually disabling the adapter before and after its use. Again, this may not be very feasible. I recommend the last option, where you disable the adapter while the Ethernet cable is plugged in. I know most Dell laptops nowadays will do this automatically, and you can even buy wireless configuration software or client security software that will do this as well. Of course, you always want your clients running a firewall and up to date with the recent patches to further mitigate your risk. It’s also recommended to prevent the client software from connecting to ad-hoc networks.

In general, rogue APs are such a widely known threat, yet one that often goes overlooked. They’re usually discovered when a network engineer or security personnel accidentally connects to one or notices it in their client software. This should not be the case within your organization. Quarterly checks should be put in place to ensure these entry points do not go overlooked and that your clients are not subject to these attacks. Think about it: it’ll only take about one day’s work to protect yourself.

Doh! You got pwn3d..

Wireless technology has slowly but surely evolved from a luxury to a dependency, and unless you’ve been living under a rock for just about the last century (no offense to ants, worms or other insects), you’ve started to notice it everywhere. From airports to coffee shops, even to the park across the street, wireless technology is available for your use. Sometimes you have to pay for it and sometimes you don’t, but one thing remains constant for any public use WIFI: it doesn’t care about you! I’m not saying wireless is a technology with or without feelings; I’m saying that no wireless (802.11) provider is taking care of your security, so it’s about time you take the initiative!

Some providers and airports may provide the service free of charge with no questions. Others will force you to a captive portal, which will allow you to connect; however, once you try to access any URL, you’ll be redirected to a login page where you can pay or use your existing login information to ultimately obtain access to the internet via the wireless. This may give a false sense of security to some users, as they may not realize that the data they are transmitting is sent in the clear across the network. Remember, authentication does not equal encryption!

If you’re traveling with an attacker in your midst, you’ll probably never notice him, but be assured he’ll notice you! All “Johnny Hacksalittle” needs is a wireless card and an 802.11 sniffer (Wireshark, Kismet, etc.). By locking on to the channel with the most clients and applying the following filter in Wireshark, an attacker is provided with all of the clients’ HTTP activities:

http.request

Wow, that was complicated! (Can you sense the sarcasm? :) ) With this trivial technique, an attacker can literally recreate any of the users’ HTTP activities from the time they start their sniffer to when they stop it. Even more devastating is if the attacker reuses exposed session cookies, which would allow him to access any websites you’ve authenticated to without even knowing your username and password! Robert Graham got a good amount of press when he recently publicized how Gmail momentarily used HTTP during its login phase, which exposed its users’ session IDs. Also, if the attacker is watching while you’re accessing a website that requires authentication, he can easily filter for HTTP POST requests using “http.request.method eq POST” and potentially sniff your usernames and passwords.

All of this is simply because the 802.11 wireless provider is not using the built-in encryption of 802.11, nor any additional mechanism to ensure the security of your connection (remember, they don’t care!). I’m not saying that these 802.11 wireless providers are evil people; they are giving you a service, and in turn you are accepting the risks by using that service. So if you still want to use the wireless, you just have to be mindful of a couple of things.

  1. Before entering any data into any field on a webpage, check the URL bar for “https://”. Because HTTPS encrypts all of its data, any of the sites the client visits that start with “https://” will not be exposed to this attack, but there are other slightly more advanced attacks which can ultimately trick the user into exposing their sessions. SSL won’t stop the attacker from identifying the website you’re visiting, but it will definitely protect all of your data. Don’t forget what Juan Bocanegra was saying in his blog post, “On the importance of SSL”!
  2. If you’re lucky enough to have a VPN to your place of work, verify that split tunneling isn’t enabled. An easy test is to go to http://www.whatismyip.com before and after you connect your VPN client. If your IP changes, it’s likely that split tunneling isn’t enabled. With split tunneling enabled, only certain traffic is forced through the tunnel, so you really want to make sure split tunneling is disabled first. If it is, set up your VPN connection and use that to encrypt all of your data. The only downside to this is that you may be subject to the corporate internet filter.

HTTP is used as an example here because it is very common and easy for users to relate to, but this is an issue with all protocols. If there is no built-in encryption in the app/protocol you’re using (AIM, telnet, etc.), your activities can be easily monitored by an attacker without you even knowing it! Knowledge is protection (and so is an EVDO card), so be smart about what you’re doing. :)