Lesson 12 Wireless and Instant Messaging

1
Lesson 12- Wireless and Instant Messaging
2
Overview

• What is Wireless? The term wireless refers to
  telecommunication technology, in which radio
  waves, infrared waves and microwaves, instead of
  cables or wires, are used to carry a signal to
  connect communication devices.
• These devices include pagers, cell phones,
  portable PCs, computer networks, location
  devices, satellite systems and handheld digital
  assistants.
• Wireless networking is the transmission of data
  using a physical topology, not direct physical
  links.

3
Wireless Data Networks
50 Mbps
802.11 is WiFi WAP is small handhelds
Spread Spectrum Wireless LANs
10 Mbps
Infrared Wireless LANs
2 Mbps
1 Mbps
Data Rates
56 Kbps
19.6 Kbps
Narrow Band Wireless LANs
Satellite
9.6 Kbps
Local
Wide
Coverage Area
4
Wireless Landscape
WiMAX as a last-mile alternative for remote areas
not currently served by DSL or cable
5
Wireless Technologies
WAN (Wide Area Network)
MAN (Metropolitan Area Network)
LAN (Local Area Network)
PAN (Personal Area Network)
6
Bluetooth

• Uses devices with small radio transceivers,
  called radio modules, built onto microprocessor
  chips
• Special software, called a link manager,
  identifies other Bluetooth devices, creates links
  with them, and sends and receives data
• Transmits at up to 1 Mbps over a distance of 33
  feet and is not impeded by physical barriers
• Bluetooth products created by over 1500 computer,
  telephone, and peripheral vendors

7
PAN

• Two or more Bluetooth devices that send and
  receive personal area network (PAN
• Many challenges face Bluetooth
• Cost chip prices have increased
• Limited support
• Shortcomings in protocol itself no handoff
  between piconet and security not optimal
• Positioning in marketplace
• Conflicts with other devices in radio spectrum

Bluetooth was named after the 10th century Danish
King Harold Bluetooth, who was responsible for
unifying Scandinavia
8
Background

• Wireless and instant messaging are two topics of
  concern to computer and network security
  professionals.
• Wireless systems are vulnerable since data flows
  over the unsecured air waves
• There is no control over the physical layer of
  the traffic.
• If an attacker can get close enough to the
  signal's source, he can listen and capture all
  the packets for examination.
• Attackers may modify the traffic being sent, or
  send their own traffic to disrupt the system.
• Instant messaging sends unencrypted traffic to
  and from the Internet-based messaging servers.
• IM is an uncontrolled file transfer.

9
Wireless

• Two of the most common point-to-multipoint
  systems are
• Wireless Application Protocol (WAP)
• Designed to support all the services of the new
  PDA and wireless e-mail devices including cell
  phone and pager capabilities
• IEEE 802.11
• The 802.11 protocol has been standardized by the
  IEEE for wireless local area networks..

10
CIA and WTLS

• Wireless Transport Layer Security (WTLS) was
  developed to avoid broadcasting clear data.
• It is a lightweight encryption protocol derived
  from the current Transport Layer Security (TLS)
  protocol in use across the Internet.
• WTLS Authentication can be performed in several
  ways, including digital certificates, tokens, or
  simple passwords.
• Designed to meet fundamental requirements for
  security confidentiality, integrity, and
  authentication.
• Confidentiality - Wireless affords no control
  over the physical medium
• Only authorized users can read sent and received
  packets
• Encryption is the best way to ensure
  confidentiality Integrity
• Integrity is accomplished by indicating that the
  information has not been modified.
• Authentication - Both sender and receiver must
  authenticate, uses WTLS.

11
Wireless Transport Layer Security (WTLS) Protocol

• WTLS uses a modified version of the TLS protocol,
  formerly known as SSL.
• WTLS uses modern cryptographic algorithms and in
  common with TLS allows negotiation of
  cryptographic suites between client and server.
• Algorithms - An incomplete list
• Key Exchange and Signature
• RSA
• Elliptic Curve Cryptography (ECC)
• Diffie Hellman
• Symmetric Encryption
• DES
• Triple DES
• RC5
• IDEA
• Message Digest
• MD5
• SHA1

12
WTLS Protocol Authentication

• WAP device sends request for authentication
• Gateway responds, then sends a copy of its
  certificate which contains gateways public key
  to the WAP device
• WAP device receives the certificate and public
  key and generates a unique random value
• WAP gateway receives encrypted value and uses its
  own private key to decrypt it

13
Security Issues with WTLS

• WTLS protocol is designed around more capable
  servers than devices, which have small amounts of
  memory and limited processor capacity.
• Encryption is prohibited because of low memory or
  CPU capabilities
• Authentication is optional and is done with
  digital certificates.
• WAP GAP - If an attacker were to compromise the
  gateway, they would be able to access all of the
  secure communications traversing the network
  juncture
• WTLS uses weaker keys
• WLAN Service set identifiers (SSIDs - later)
• There are known security vulnerabilities in the
  implementation of WTLS, including
• Chosen plaintext attack
• PKCS 1 attack
• Alert message truncation attack

14
WTLS Chosen Plain Text

• The chosen plaintext attack works on the
  principle of predictable Initialization Vectors
  (IVs).
• By the nature of the transport medium that it is
  using, WAP, WTLS needs to support unreliable
  transport.
• This forces the IV to be based upon data already
  known to the client, and WTLS uses a linear IV
  computation.
• The IV is based on the sequence number of the
  packet and several packets are sent unencrypted,
  severely decreasing entropy, which reduces
  confidentiality.

15
WTLS, PKCS and AMT

• PKCS used with RSA encryption gives a standard
  for formatting the padding used to generate a
  correctly formatted block size.
• When the client receives the block, it will reply
  to the sender as to the validity of the block.
• In the PKCS 1 attack, an attacker attempts to
  send multiple guesses at the padding to force a
  padding error.
• Alert messages in WTLS are sometimes sent in
  plaintext and are not authenticated.
• This allows an attacker to overwrite an encrypted
  packet from the actual sender with a plaintext
  alert message.
• It would lead to possible disruption of the
  connection through a truncation attack.

16
WAP GAP security issue

• There is concern over the so-called WAP GAP.
• Confidentiality of information is vulnerable
  where two different networks meet.
• WTLS acts as the security protocol for the WAP
  network, and TLS is the standard for the
  Internet, and the WAP gateway translates one
  encryption standard to the other in plaintext.
• A WAP gateway is an especially appealing target,
  as plaintext messages are processed through it
  from all wireless devices, not just a single
  user.

17
IEEE 802.11 Standards Activities

• 802.11 refers to a family of specifications
  developed by the IEEE for wireless LAN
  technology.
• 802.11a 5GHz, 54Mbps
• 802.11b 2.4GHz, 11Mbps
• 802.11d Multiple regulatory domains
• 802.11e Quality of Service (QoS)
• 802.11f Inter-Access Point Protocol (IAPP)
• 802.11g 2.4GHz, 54Mbps
• 802.11h Dynamic Frequency Selection (DFS) and
  Transmit Power Control (TPC)
• 802.11i Security
• 802.11j Japan 5GHz Channels (4.9-5.1 GHz)
• 802.11k Measurement

18
802.11
Electromagnetic Spectrum any particular spot on
the spectrum is defined by its wave length and
frequency.

• IEEE standard - introduced in 1990
• Defined cable-free local area network with either
  fixed or mobile locations that transmit at either
  1 or 2 Mbps which was insufficient for most
  network applications
• A new standard was developed for sending
  packetsized data traffic over radio waves in the
  unlicensed 2.4 Ghz band.
• Unlicensed, means it does not have to be
  certified by the FCC, and devices could possible
  share the bandwidth with other devices such as
  cordless phones, baby monitors etc.

19
Physical Layer OSI Model

• Defines how bits and bytes are transferred to and
  from the physical medium, in the case, radio
  waves of the electromagnetic spectrum.
• If the device shares same physical layer (radio
  frequency) implementations, they can communicate.

802.11b and 802.11g share the same frequency
20
Three Wireless Technologies
802.11b
802.11g
802.11a
Frequency Band
2.4 GHz
5 GHz
2.4 GHz
Worldwide
US/AP
Worldwide
Availability
MaximumData rate
11 Mbps
54 Mbps
54 Mbps
Cordless Phones Microwave Ovens Wireless Video
Bluetooth Devices
Cordless Phones Microwave Ovens Wireless Video
Bluetooth Devices
Other Services (Interference)
HyperLAN Devices
The Laws of Radio Dynamics Higher Data Rates
Shorter Transmission RangeHigher Power
Output Increased Range, but Lower Battery
LifeHigher Frequency Radios Higher Data
Rates Shorter Ranges
21
Wi-Fi

• Wi-Fi Alliance
• Wireless Fidelity Alliance
• 170 members
• Over 350 products certified
• Wi-Fis Mission
• Certify interoperability of WLAN products
  (802.11)
• Wi-Fi is the stamp of approval on all tested
  products
• Promote Wi-Fi as the global standard

22
802.11 Authentication and Association

• The 802.11 standard includes rudimentary
  authentication and confidentiality controls.
• Authentication is handled in its most basic form
  by the 802.11 access point (AP).
• It forces the clients to perform a handshake when
  attempting to associate to the AP. Association
  is the process needed before the AP will allow
  the client to talk across the AP to the network.
• Association occurs only if the client has all the
  correct parameters needed such as the service set
  identifier (SSID) in the handshake.

23
802.11 Access Security

• Access to wired ethernet segments is protected by
  physical security measures but wireless will
  broadcast beyond physical network
• Attack is easy with a single wireless access card
  costing less than 50 which can give access to
  any unsecured AP within 300 feet
• An attacker can probe and log packets without
  giving any indication that an attempted intrusion
  is taking place.
• The attempted association is recorded only by the
  MAC address of the wireless NIC associated to it.
  
• Most APs do not alert when users associate to it.
  

24
Wireless LAN Security - War Driving
War Driving
Hacking into WEP
War driving (drive-by hacking or LAN-jacking) is
a play on war dialing. War dialing, in turn,
comes from the 1983 movie War Games, now a
classic in computer cracking circles.
Literally, war driving is using a laptops to
pick up unsecured wireless networks for anonymous
and free high-speed Internet access, akin to
stealing long-distance phone service.
25
War Chalking

• Welcome to Warchalking! Warchalking is the
  practice of marking a series of symbols on
  sidewalks and walls to indicate nearby wireless
  access. That way, other computer users can pop
  open their laptops and connect to the Internet
  wirelessly. It was inspired by the practice of
  hobos during the Great Depression to use chalk
  marks to indicate which homes were friendly.

26
War Flying

• War flying uses airplanes to find the wireless
  access points. The obvious advantage is the extra
  height provides an unobstructed line.
• Some people think war driving is illegal.
  Actually accessing someone's network is illegal,
  but detecting the network is not. You can think
  of war driving as walking up to a house, and
  checking to see if the door is unlocked. If you
  find an unlocked door, you write down the address
  and move to the next house. It becomes illegal
  when you open the door and walk in, which is
  similar to accessing the Internet through a AP
  without the owner's permission.

27
Using a Sniffer

• Specialized sniffer tools have emerged recently,
  with a single objective, to crack WEP keys.
• A sniffer and a wireless network card are a
  powerful attack tool.
• A shared media wireless network exposes all
  packets to interception and logging.
• They work by exploiting weak IV in the encryption
  algorithm.
• To exploit this weakness, you need a certain
  number of ciphertext packets. Once you have
  captured enough packets, the program can decipher
  the encryption key being used very quickly.
• Popular wireless sniffers are Ethereal,
  WildPackets, AiroPeek and Sniffer Pro 4.0.

28
NetStumbler

• The most widely used of these programs is called
  Netstumbler by Marius Milner.
• It listens for access point beacon frames in a
  range and logs all available information about
  the access point for later analysis.
• If the computer has a GPS unit attached to it,
  the program also logs the coordinates of the
  access point.
• This information can be used to return to the
  access point, or to plot maps of access points in
  a city.
• This is a Windows-based application, but there
  are programs that work on the same principle for
  Mac, BSD, Linux, and other operating systems.

29
Netstumbler Screen
30
Sniffer Pro 4.0 Screen
31
802.11 Authentication Tools

• SSID - service set identifier
• The SSID is a unique 32-character identifier
  attached to the header of the packet.
• It functions as a group identifier.
• The SSID is sent in plaintext.
• Some operating systems display a list of SSIDs
  active in the area.
• This weakness is magnified by the default setting
  of most access points (linksys APs use linksys),
  to transmit beacon frames.
• The purpose of beacon frame is to announce the
  presence and capabilities of wireless network so
  that WLAN cards can associate.

32
WEP

• 802.11 protects confidentiality with Wired
  Equivalent Privacy (WEP), a key.
• It is based upon a key shared by the AP and all
  the clients using the AP.
• WEP uses the RC4 stream cipher to encrypt data to
  authenticate wireless devices (not wireless
  device users)
• The plaintext IV (initialization vector) is the
  weaknesses in WEP
• The total keyspace is approximately 16 million
  keys.
• Once the key is repeated, the attacker has two
  ciphertexts encrypted with the same key stream.
• The attacker may examine the ciphertext and
  retrieve the key.
• The weakness of the WEP protocol is that the IV
  problem exists regardless of key length (24
  bits).

• WEP is easily attacked
• How to crack WEP

33
WPA

• Wi-Fi Protected Access (WPA) were created in
  response to several serious weaknesses in Wired
  Equivalent Privacy (WEP).
• WPA implements the majority of the IEEE 802.11i
  standard, and was intended as an intermediate
  measure to take the place of WEP while 802.11i
  was prepared.
• WPA is designed to work with all wireless network
  interface cards, but not necessarily with first
  generation wireless access points.
• WPA2 implements the full standard, but will not
  work with some older network cards.
• WPA is designed for use with an 802.1X
  authentication server
• WPA uses Temporal Key Integrity Protocol (TKIP)
  and was meant to fix WEP problems.
• TKIP uses a shared secret combined with the
  card's MAC address to generate a new key. This is
  then mixed with the initialization vector to make
  per-packet keys that encrypt a single packet
  using the same RC4 cipher that traditional WEP
  uses.
• The other advantage of WPA is that it can be
  retrofitted to the current hardware with only a
  software change, unlike AES and 802.1X.

34
802.11i Standard

• Or, how do we get from here to there 802.11i? The
  final IEEE security standard thats expected next
  year with a robust set of security improvements.
  .
• Currently, all 802.11a, b, and g devices support
  WEP (Wired Equivalent Privacy) encryption which
  has had flaws and exploits well documented.
• On the road to 802.11i, the Wi-Fi Alliance has
  required WPA (Wi-Fi Protected Access), which
  fixes all of WEPs problems, is a subset of
  802.11i, and which allows full backwards
  compatibility for most 802.11a and b devices made
  before 2003.
• 802.11i manages the encryption part but needs
  802.1x to provide authentication, and the use of
  AES as the encryption protocol.

35
802.1x Standard

• The use of IEEE 802.1X authenticates and
  dynamically varies encryption keys.
• 802.1X ties a protocol called EAP (Extensible
  Authentication Protocol) to both the wired and
  wireless LAN media and supports multiple
  authentication methods, such as token cards,
  Kerberos, one-time passwords, certificates, and
  public key authentication. IETF's RFC 2284.
• It fits into existing authentication systems such
  as RADIUS and LDAP.
• It allows 802.1X to interoperate well with other
  systems such as VPNs and dial-up RAS.
• There are four common ways of implementing
  802.1X
• EAP-TLS support PKI in x.509 and active
  directory
• EAP-TTLS - EAPTunneled TLS Protocol
• EAP-MD5 - uses the MD5 encryption protocol to
  hash a user's username and password
• EAPCisco Wireless or LEAP - requiring two-way
  authentication, AP authenticates to the client
  and vice versa.

36
WLAN Security Hierarchy
Enhanced Security
802.1x, TKIP/WPA Encryption, Mutual
Authentication, Scalable Key Mgmt., etc.
Basic Security
Open Access
40-bit or 128-bitStatic WEP Encryption
No Encryption, Basic Authentication
Home Use
Public Hotspots
Business
VirtualPrivateNetwork (VPN)
Business Traveler, Telecommuter
Remote Access
37
Authentication Types Summary

• Open Authentication to the Access Point with WEP,
  doesnt rely on RADIUS/TACACS server
• Shared Key Authentication to the Access Point
  WEP
• EAP Authentication to the Network Combo EAP and
  RADIUS/TACACS
• MAC Address Authentication to the Network MACs
  can be spoofed, but better than nothing
• Combining MAC-Based, EAP, and Open Authentication
• Using CCKM for Authenticated Clients allows
  Roaming
• Using WPA Key Management

38
Instant Messaging (IM)

• IM - Uses a real-time communication model
• The programs had to appeal to a wide variety of
  users, so ease of use was paramount, and security
  was not a priority.
• Can be used on both wired and wireless devices
• The program is now being used not only for
  personal chatting on the Internet, but also for
  legitimate business use.
• Easy and fast
• Instant messages - Send notes back and forth with
  a friend who is online
• Chat - Create your own custom chat room with
  friends or co-workers
• Web links - Share links to your favorite Web
  sites
• Images - Look at an image stored on your friend's
  computer
• Sounds - Play sounds for your friends
• Files - Share files by sending them directly to
  your friends
• Talk - Use the Internet instead of a phone to
  actually talk with friends
• Streaming content - Real-time or near-real-time
  stock quotes and news

39
IM

• User Base
• AIM 53 million active users (Nielsen//NetRatings,
  August 2005), 195 million total (January 2003).
• Skype 45 million total (September 2005).
• MSN Messenger 29 million active
  (Nielsen//NetRatings, August 2005), 155 million
  total (April 2005).
• Yahoo Messenger 21 million active (September
  2005).
• Jabber 13.5 million total (Osterman Research
  August 2005).
• QQ 10 million active, 400 million total users
  (Tencent Q1 results 2005).
• Gadu-Gadu 3.6 million total (January 2005).
• ICQ 1.8 million active (September 2005), 140
  million total (June 2003).

40
Issues

• The nature of this type of communication opens
  several holes in a system's security.
• When attached to a server, it broadcasts the IP
  address of the originating client.
• Sends File Attachments
• Without an IM server, plain text messages go
  directly to the internet (no encryption).
• Rogue Applications - typically installed by the
  end user
• If server is not available on the default ports,
  some IM applications begin to scan all ports
  looking for one that is allowed out of the
  firewall.
• IM applications work only in a networked
  environment and, therefore, are forced to accept
  traffic as well as send it.
• Social Engineering Overcomes Even Encryption. An
  IM message can be sent to anyone.
• While application sharing is great especially
  for conferencing and remote control for helpdesk
  purposes, if security is breached, your machine
  may be controlled by an unknown party

41
Issues

• Legal Issues Surrounding IM
• Basically, students should realize that if a
  corporation allows IM, all bets are off regarding
  the legal implications.
• E-mail is much easier to control and has had
  years of management review to make policies
• E-mail provides a built-in logging capability
  whereas IM messages are gone once they scroll off
  the screen (if logging is not enabled).
• Therefore, you could communicate with someone
  with your logging turned off and they could be
  logging the transaction. This puts you in a
  legal disadvantage were your conversation to be
  used in a legal proceeding.

42
What to do?

• Use a local server.
• Keeping messages within the perimeter of the
  organization goes a long way to ensuring that
  confidential information does not get out.
• Blocking IM
• block all IM and then monitor the network to see
  if anyone has found a way around it or a new IM
  is in use.
• Policies
• Unfortunately, employees may make a convincing
  case that IM is useful then the best that can
  be done is make strong policies and limit IM
  clients to one or two vendors so you can maximize
  control.
• Newer client programs, such as Trillian, can
  encrypt the chat messages
• While this does not help with file sharing
  problems, it provides confidentiality if both
  clients are using the program
• Virus Scanner - to protect the method of file
  exchange