
Hacking, Tracking, and Baiting: Surveillance, Wardriving and Honeypot Technologies

Larry Korba

Institute for Information Technology, National Research Council of Canada

PST 2005 Workshop, October 12, 2005

Overview

• Goal

• Wardriving

• Honeypots

• Other Surveillance Techniques
– Surreptitious
– Organization

• Conclusions

GOAL

• Describe some “interesting” technologies related to surveillance,
– and what to expect next

• Raise privacy, responsibility, legal questions

Wardriving

• In the News

Florida man charged with stealing WiFi signal

July, 2005

How vulnerable is Wi-Fi Authentication?

November, 2004

Wardriving around town

February, 2005

Wi-Fi Security Wakes Up to Reality

June, 2005

Wardriving - Background

• Wi-Fi: Wireless Fidelity
– Wireless network communication (GHz range)
– Wireless access points provide bridge to Internet

• Problems:
– Network access through thin air
– Wireless networks often configured without any security
– Commonly used Wi-Fi security protocols broken
– Looking for wireless access points is fun!
– Using them is… illegal? Immoral?

Wardriving – Technologies

• Antenna

• Powerful, sensitive Wi-Fi cards

Wardriving – Technologies

• WEP 40 and 104 bit (+24 bit initialization vector = 64 bit/128 bit)

• Poor implementation (2001), capture 5 million packets, attach IV in clear

• Firmware improvements, then Korek 2004: WEP statistical cryptanalysis, about 2 million packets required to break WEP

• WPA Personal (WPA-PSK): attack found in 2003, tools appeared in 2004: WPA Cracker, WPAtty (brute force, dictionary attacks on WPA-PSK four-way handshake; works on weak pass phrases)

• Aircrack, WepLab, Airsnort, Kismet, Decrypt, among others (MAC address spoofing)

# decrypt -f /usr/dict/words -m 00:02:2D:27:D9:22 -e encrypted.dump -d out.dump [RETURN]
Found key: Hex - 61:6c:6f:68:61, ASCII - "aloha"

Wardriving: Results?

• Coverage maps

Wardriving – Remedies

• Security enabled: WEP, WPA (choose a strong key); change it regularly

• Ensure admin password is enabled

• Enable MAC address authentication

• Use VPN access
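The "choose strong key" remedy can be checked mechanically. The following is an added example, not part of the original slides: a small Python audit that flags WEP keys and WPA-PSK passphrases a dictionary run would recover, such as the "aloha" key in the tool output above. The wordlist, the finding labels and the 20-character minimum are assumptions made for illustration.

```python
import string

# Constructed sample wordlist (assumption); a real audit loads a full dictionary.
SAMPLE_WORDS = {"aloha", "password", "wireless", "default", "letmein1"}
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
WEP_SIZES = {5: "WEP-40", 13: "WEP-104"}  # secret bytes; the 24-bit IV is extra
MIN_WPA_LEN = 20  # assumed local policy threshold, not a protocol limit


def audit_wep_key(hex_key, words=SAMPLE_WORDS):
    """Return findings for a WEP key given as hex, e.g. '61:6c:6f:68:61'."""
    key = bytes.fromhex(hex_key.replace(":", ""))
    if len(key) not in WEP_SIZES:
        return ["invalid-length"]
    findings = [WEP_SIZES[len(key)]]
    if all(chr(b) in PRINTABLE for b in key):
        # Typed as text, so the key space is far smaller than 40/104 bits.
        findings.append("printable-ascii")
        if key.decode("ascii").lower() in words:
            findings.append("dictionary-word")
    return findings


def audit_wpa_passphrase(passphrase, words=SAMPLE_WORDS):
    """Return findings for a WPA-PSK passphrase (8 to 63 printable ASCII chars)."""
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= PRINTABLE:
        return ["invalid-passphrase"]
    findings = []
    if passphrase.lower() in words:
        findings.append("dictionary-word")
    if len(passphrase) < MIN_WPA_LEN:
        findings.append("short")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    if sum(any(c in cls for c in passphrase) for cls in classes) < 3:
        findings.append("few-character-classes")
    return findings


if __name__ == "__main__":
    print(audit_wep_key("61:6c:6f:68:61"))  # the key from the slide's tool output
    print(audit_wpa_passphrase("letmein1"))
    print(audit_wpa_passphrase("Tr4il-mix&Orange-kayak-92"))
```

An empty findings list means only that none of these checks fired; a WEP key is never returned with an empty list because the first finding always names the WEP variant in use.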

Wardriving – Other Remedies

• Conventional
– RADIUS server
– Security audit: wireless AP detection, WEP/WPA strength testing, coverage mapping

• Others
– Antenna design
– Shielding
  • Windows, walls
  • Paint? Forcefieldwireless.com

• Future
– Better AP configuration (secure out of the box)
– Intel range determination 1’ over 231’
  • Mapping wireless: alternative to GPS (Microsoft)
– WPA2 improvements?

• Responsibility? Laws? Morality?

Honeypots

• News Items…

‘Honeymonkeys’ find web threats

Skype Honeypot snares dirty IMers

New Gatesweeper firewall collects information about attackers

Cops tempt crook with technology

Avoiding Sticky Legal Traps: Hackers have rights too! How can you deploy honeypots without running afoul of the law.

Wi-Fi ‘WarTrappers’ nab drive-by hackers

Honeypots – Background

• Definition/Description/Origin
– “An Evening with Berferd: In which a cracker is lured, endured and studied”, Bill Cheswick, 1991
– Any system resource whose value lies in being probed, attacked, or compromised; in unauthorized or illicit use of that resource
– Don’t solve a particular problem, but contribute to the security architecture
  • Not for prevention
  • Ineffective against automated attacks
– Provide early warning, prediction
– Discover new tools/tactics
– Track behavior patterns
– Develop forensic analysis skills
– Low and high interaction types

Honeypots – Application

• Capture low-hanging fruit

• Network configurations

• Emulation

• OS with bugs

• Open ports…

Honeypots – Spin-offs/Future

• Further Honeypot/Honeynet development
– Integrated, proactive 0-day security response
– GHH: Google Hack Honeypot

• Honeymonkey
– Web spider (client) (unpatched XP)
– Gathers malicious code hosted by web servers

• Technology “traps”
– Automobiles (Black Box and Bait)

Other Surveillance Techniques

• Keystroke monitoring (historical and present day: surreptitious screen shots, keystroke monitoring)

• Trojans, rootkits, backdoors via web and email

• Email monitoring
– Metalincs
– Smarsh
– SpectorSoft

• Instant Messaging
– IMbrella
– Global Relay

• File usage

• Network monitoring

• Government Surveillance

• Google!

• Legal Issues remain!

The Bottom Line

• Surreptitious monitoring and network access
– There are many ways; there will be more

• Who is responsible? What is the law?
– Privacy protection?
  • Is there a “Reasonable Expectation for Privacy” in network related activities?
– Entrapment?
  • Do possible network intruders have rights?
– If you operate an open wireless access point, are you offering a service?
– Jurisdictional issues

