Download Chapter 4

ITSY 2417 – Wireless Security Development
Chapter 4
Active Wireless Attacks
Outline

Overview

Objectives

Tech Tips

Quick Quizzes

Class Discussion Topics

Additional Projects

Additional Resources

Key Terms

Technical Notes for Hands-On Projects
4-1
ITSY 2417 – Wireless Security Development
4-2
Notes
Overview
Chapter 4 explains active wireless attacks. You will learn the basic vulnerabilities of a
WLAN. Next, You will learn how malware and spyware can infect wireless networks.
Chapter 4 also lists the vulnerabilities involved with implementing unsecured wireless
LANs. Finally, You will review the different types of wireless infrastructure attacks.
Objectives




Describe the basic vulnerabilities of a WLAN
Tell how malware and spyware can infect wireless networks
List the vulnerabilities involved with implementing unsecured wireless LANs
Explain the different types of wireless infrastructure attacks
Tech Tips
Security Vulnerability
1. Security Vulnerability is a weakness or flaw in an information system that could be
exploited to cause harm. Security vulnerability describes the points of risk regarding the
penetration of a security defense.
2. Describe the basic security vulnerability categories, including:
a. Basic vulnerabilities
b. Vulnerabilities when using a public-access WLAN
c. Vulnerabilities associated with implementing an unsecured wireless network
Basic Vulnerabilities
1. Authentication is the process of asking users to prove that they are who they claim to be
based on what they have, know, or are.
2. A password is a secret combination of letters and numbers that serves to validate or
authenticate a user by what he knows. Passwords are used with user names to log on to
a computer.
3. Describe the problems of using default passwords to protect network equipments as
explained in this section.
Tech
Tip
Read more about passwords at: http://en.wikipedia.org/wiki/Password.
ITSY 2417 – Wireless Security Development
4-3
4. Passwords should never be written down but instead must be committed to memory.
Passwords must also be of a sufficient length and complexity. This creates the following
password paradox: although lengthy and complex passwords should be used and never
written down, it is very difficult to memorize these types of passwords.
5. Describe the characteristics of weak passwords, including:
a. A common word used as a password
b. Not changing passwords unless forced to do so
c. Passwords that are short
d. Personal information in a password
e. Using the same password for all accounts
f. Writing the password down
6. Weak passwords can be exploited using password guessing attacks, such as brute force
or dictionary attacks.
Tech
Tip
Read more about dictionary attacks at:
http://en.wikipedia.org/wiki/Dictionary_attack.
7. Describe the minimum criteria for creating good passwords, including:
a. Password must be at least eight characters long
b. Password contains characters from at least three of the following five categories:
 English uppercase characters (A–Z)
 English lowercase characters (a–z)
 Base 10 digits (0–9)
 Non-alphanumeric (For example: !, $, #, or %)
 Extended ASCII characters
c. Password does not contain three or more characters from the user’s account
name
8. Explain some additional settings for creating good passwords, including:
a. Enforce password history
b. Maximum password age
c. Minimum password age
d. Minimum password length
9. Use Table 4-1 to show some of the most common password settings for wireless
equipment.
10. Describe the use of community strings in SNMP as explained in this section. There are
two types of community strings: read-only strings allow information from the agent to
be viewed, and read-write strings allow settings to be changed.
11. Describe the Vulnerabilities introduced by using SNMP community strings, including:
a. Default SNMP community strings for read-only and read-write were public and
private
ITSY 2417 – Wireless Security Development
4-4
b. Administrators used weak strings
c. Community strings are transmitted in cleartext
Tech
Tip
For more information about the security vulnerabilities of SNMP, visit:
www.cert.org/tech_tips/snmp_faq.html.
12. An improper device configuration can often result in easy access to a system.
13. Universal Plug and Play (UPnP) allows devices on a network to discover other devices
and determine how to work with them. Use Table 4-2 to show Windows operating
systems support.
14. Describe some of the vulnerabilities related to UPnP, including:
a. Can enable an attacker to gain complete control over an affected device
b. Can enable an attacker to prevent an affected system from performing its
intended service
15. Remote access allows for the wireless gateway to be configured remotely over the
Internet. It also allows an attacker to attempt to break into the wireless gateway or
access point since a wireless gateway will permit an unlimited number of attempts to
break the password.
16. Use Figure 4-2 to show how to configure UPnP and remote access in a Linksys WRT54G access point.
Tech
Tip
For more information about UPnP, visit: www.upnp.org/.
Vulnerabilities Associated with Using Public WLANs
1. Malware is computer programs designed to break into and create havoc on portable or
desktop computers. The most common types of malware are viruses, worms, and logic
bombs.
Tech
Tip
Read more about malware at: http://en.wikipedia.org/wiki/Malware.
2. A virus is a program that secretly attaches itself to another document or program and
executes when that document or program is opened. On average, one new virus is
written and released every hour.
3. Describe some of the actions performed by viruses, besides showing annoying messages
like the one in Figure 4-3, including:
a. Cause a computer to repeatedly crash
b. Erase files from a hard drive
ITSY 2417 – Wireless Security Development
4-5
c. Install hidden programs, such as stolen (“pirated”) software, which is then
secretly distributed or even sold from the computer
d. Make multiple copies of itself and consume all of the free space in a hard drive
e. Reduce security settings and allow intruders to remotely access the computer
f. Reformat the hard disk drive
4. Various symptoms that indicate a virus has infected a computer are:
a. A program suddenly disappears from the computer
b. New icons appear on the screen
c. New programs do not install properly
d. Out-of-memory error messages appear
e. Programs stop responding
f. The computer sometimes starts normally, but at other times it stops responding
before it finishes loading
g. Unusual dialog boxes or message boxes appear
h. Sounds or music play from the speakers unexpectedly
i. The computer runs very slowly and takes a long time to start
j. There is a significant amount of modem activity
k. The computer restarts unexpectedly
l. Error messages appear listing “critical system files” that are missing and the
operating system refuses to load
5. A worm is similar to a virus, but differs in the following two aspects:
a. Can travel by itself
b. Does not always require action by the computer user to begin its execution
Tech
Tip
Read more about viruses and worms at:
http://en.wikipedia.org/wiki/Computer_virus.
6. A logic bomb is a computer program that lies dormant until it is triggered by a specific
logical event. Once triggered, the program can perform any number of malicious
activities. Logic bombs are extremely difficult to detect before they are triggered since
they are often embedded in large computer programs.
7. Spyware is a general term used to refer to software that violates a user’s personal
security and impairs a user’s control over the use of system resources. Describe some of
the functions performed by spyware, including:
a. Advertising
b. Collecting personal information
c. Changing computer configurations
8. Beyond being a nuisance to computer users, spyware is a tool attackers employ to
gather personal information about users. After attackers have obtained this personal
information, they can perform identity theft.
9. Explain that identity theft occurs when an individual uses the personal information of
someone else.
ITSY 2417 – Wireless Security Development
4-6
10. Adware is software that delivers advertising content in a manner or context that is
unexpected and unwanted by the user. Adware can also be a security risk because
adware programs perform a tracking function.
Tech
Tip
Learn more about spyware at: http://en.wikipedia.org/wiki/Spyware.
Quick Quiz 1
1. A(n) ____________________ is a secret combination of letters and numbers that serves
to validate or authenticate a user by what he knows.
Answer: password
2. ____________________ are devices that combine access point, router, and network
address translation features.
Answer: Wireless gateways
3. A(n) ____________________ is a computer program that lies dormant until it is
triggered by a specific logical event.
Answer: logic bomb
4. ____________________ is software that delivers advertising content in a manner or
context that is unexpected and unwanted by the user.
Answer: Adware
Vulnerabilities Associated with Implemented Unsecured WLANs
1. Explain how an unsecured WLAN can lead to information theft problems. Emphasize
the point that after breaking into an unsecured WLAN, an attacker can gain access to
any folder set with file sharing enabled.
2. Describe how an attacker can exploit an unsecured WLAN and set up storage space on
a file server or a home computer and fill it with illegal content. An attacker can also set
up a Web site to promote this information.
3. Spam is unsolicited e-mail messages. Emphasize the point that approximately half of
the number of e-mail messages is considered spam.
4. Describe how spammers often build their own lists of e-mail addresses using special
software that rapidly generates millions of random e-mail addresses from well-known
ISPs. Spammers often swap or buy lists of valid e-mail addresses from other spammers
as well.
5. Spam is a lucrative business. Spam may also be dangerous and entitled to legal charges.
Use Table 4-3 to summarize CAN-SPAM law.
ITSY 2417 – Wireless Security Development
Tech
Tip
4-7
Read more about SPAM at:
http://en.wikipedia.org/wiki/Spam_%28electronic%29.
Wireless Infrastructure Attacks
1. This section describes the following two types of attacks to wireless infrastructures:
a. Direct attacks
b. Denial-of-service attacks
Direct Attacks Through Rogue Access Points
1. A rogue access point is an AP installed by an employee without the approval or
supervision of the IT staff. A rogue access point bypasses all of the network security
and opens the entire network and all users to direct attacks.
2. A rogue AP is behind the company’s firewall, opening a clear way to perform peer-topeer attacks. Use Figure 4-4 to illustrate your explanation.
Denial-of-Service Attacks (DoS)
1. A denial-of-service (DoS) attack is designed to prevent a device from performing its
intended function. DoS attacks are common against wired network servers.
2. Use Figure 4-5 to describe how to perform a SYN flood attack.
3. Wireless DoS attacks are designed to deny wireless devices access to the access point
itself. There are two categories of attacks:
a. Physical layer attacks
b. MAC layer attacks
4. Physical layer attacks flood the RF spectrum with enough radiomagnetic interference to
prevent a device from effectively communicating with the AP. Use Figure 4-6 to
illustrate your explanation.
5. Physical layer attacks are generally rare because sophisticated and expensive equipment
is necessary. It is also possible to identify the location of the transmitter.
6. Describe some of the devices that also use the ISM band and can cause interference to
WLAN devices, including:
a. Cordless telephones
b. Microwave ovens
c. Baby monitors
d. Bluetooth personal area network devices
7. MAC layer attacks exploit the way the wireless medium is shared among all devices.
ITSY 2417 – Wireless Security Development
4-8
8. Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) attempts to
prevent multiple wireless devices from transmitting at the same time. CSMA/CA uses
slot times and explicit frame acknowledgement. Use Figure 4-7 to describe how
CSMA/CA works.
9. Use Figure 4-8 to describe how an attacker who has already become associated with the
WLAN can download an extremely large file, effectively “tying up” the network.
10. Another type of MAC layer attack consists of using a packet generator to create fake
packets and flood the wireless network. Use Figure 4-9 to illustrate your explanation.
11. Use Figure 4-10 to explain how an attacker can use disassociation frames to perform a
MAC layer wireless DoS attack.
Quick Quiz 2
1. Once an attacker’s wireless device has entered the network and focused its attacks at
other similar devices, this is known as a(n) ____________________ attack.
Answer: peer-to-peer
2. A(n) ____________________ attack is designed to prevent a device from performing
its intended function.
Answer: denial-of-service (DoS)
denial-of-service (DoS)
DoS
3. With wireless CSMA/CA, the amount of time that a device must wait after the medium
is clear is called the ____________________.
Answer: slot time
4. A(n) ____________________ program creates fake packets that flood the wireless
network.
Answer: packet generator
Class Discussion Topics
1. What are the minimum criteria for creating good passwords?
2. What is a denial-of-service (DoS) attack?
ITSY 2417 – Wireless Security Development
4-9
Additional Resources
1. List of Default Passwords for Network Equipment by Vendors:
www.vulnerabilityassessment.co.uk/passwordsL.htm
2. Dictionary Attack:
www.webopedia.com/TERM/D/dictionary_attack.html
3. CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of
the Simple Network Management Protocol (SNMP) :
www.cert.org/advisories/CA-2002-03.html
4. Universal Plug and Play (UPnP):
http://en.wikipedia.org/wiki/UPNP
5. Logic Bomb:
http://en.wikipedia.org/wiki/Logic_bomb
6. Adware:
http://en.wikipedia.org/wiki/Adware
7. CAN-SPAM Act of 2003:
http://en.wikipedia.org/wiki/Can_Spam_Act_of_2003
8. CAN-SPAM:
www.fcc.gov/cgb/consumerfacts/canspam.html
Technical Notes for Hands-On Projects
Project 4-1: This project requires a Web browser and an Internet connection.
Project 4-2: This project requires a Web browser and an Internet connection.
Project 4-3: This project requires a Linksys wireless gateway.
Project 4-4: This project requires a Web browser, an Internet connection, and any antivirus
software.
Project 4-5: This project requires a Web browser, an Internet connection, and Microsoft Word.
ITSY 2417 – Wireless Security Development
4-10
Key Terms
 adware — A software program that delivers advertising content in a manner or context
that is unexpected and unwanted by the user.
 authentication — The process of providing proof that a user is “genuine” or authentic.
 Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) — A
procedure used by IEEE WLANs to prevent multiple wireless devices from transmitting
at the same time.
 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
 (CAN-SPAM) — A U.S. law passed in 2003 to limit the effect of spam.
 default password — A standard password that is configured on all equipment.
 denial-of-service (DoS) — An attack designed to prevent a device from performing its
intended function.
 frame acknowledgment — A method in which CSMA/CA reduces collisions using
explicit acknowledgment.
 identity theft — The theft of an individual’s personal information to impersonate that
individual with the intent to commit fraud or other crimes.
 logic bomb — A computer program that lies dormant until it is triggered by a specific
logical event.
 packet generator — A program that creates fake packets that flood the wireless
network.
 password — A secret combination of letters and numbers that serves to validate or
authenticate a user by what the user knows.
 password guessing — A technique used by attackers to exploit weak passwords.
 password paradox — The paradox of needing lengthy and complex passwords, yet
such passwords are difficult to memorize.
 peer-to-peer attack — Attacks directed at other similar devices.
 Plug and Play (PnP) — A service that allows the Windows operating system to
automatically detect new hardware when it is installed on a computer.
 security vulnerability — A weakness or flaw in an information system that could be
exploited to cause harm.
 slot time — The amount of time that a device must wait after the medium is clear.
 spam — Unsolicited e-mail.
 spyware — A general term used to describe software that violates a user’s personal
security.
 Universal Plug and Play (UPnP) — A service that allows devices on a network to
discover other devices and determine how to work with them.
 virus — A program that secretly attaches itself to another document or program and
executes when that document or program is opened.
 weak passwords — Passwords that compromise security.
 wireless gateways — Devices that combine an access point, router, and network
address translation features.
 worm — A malicious program that does not attach to a document to spread, but can
travel by itself.