Wi-Fi security risk

RSA: Attendees drop ball on Wi-Fi security

Many IT security experts at conference used unsecured devices

John Cox   

 February 12, 2007 (Network World) -- More than half of the wireless LAN devices being used at last week's RSA Conference on information security were themselves unsecured.

That means that the network security experts charged with protecting enterprise data were't even protecting their own.
The finding was the result of two days of WLAN traffic scanning by wireless security vendor AirDefense Inc. On the first two days of the conference, AirDefense monitors found that more than half of the wireless devices on the conference network were vulnerable to two classes of attacks.

One was the "Evil Twin" attack, in which the attacker tricks a victim into wirelessly connecting to a laptop or handheld device posing as a legitimate access point or hot spot. The second class was various "zero day" attacks, which exploit newly found software flaws in applications such as Internet Explorer that haven't yet been fixed by the vendor or patched by the user.

On Day 1, Tuesday, 347 of 623, or 56% of laptops and handhelds were vulnerable. On the second day, almost the same percentage, 57%, were vulnerable, but the numbers were higher: 481 of 847 devices.

In a statement, AirDefense Chief Security Officer Richard Rushing said the vulnerabilities were not the fault of the conference network, which he praised as being secured "as well or better than most standard corporate networks."

Also on Day 1 of the monitoring, AirDefense found 70 devices using peer-to-peer connections by means of common Service Set Identifiers, or network names, such as "Free Internet Access" and "Linksys." On Day 2, the number rose to 87.

The monitoring found 30 devices pretending to be access points, and two of these pretending to be access points on the conference network. One of the two even had a self-sign certificate to mimic the conference authentication server. Five others were masquerading as common hotspots, with names such as "tmobile," "IBAHN" and several local hotels.

On Day 1, there were 57 denial-of-service attacks, including de-authenticating clients and jamming transmissions. That jumped to 85 on Day 2.

The airwaves were regularly and repeatedly scanned for access points by attendees using programs such as NetStumbler. Forty-five devices on the network had altered media access control addresses, apparently in an effort to hide the identity of the device and its user.

On Day 2, AirDefense reported, the tools used in the attacks were more sophisticated. Some tools were variations of the Karma program, which mimics the access point that the target laptop or handheld device is probing for. One attacker had wirelessly seized eight machines and used them to launch simultaneous attacks.

Many client devices connecting to an unencrypted network disclosed a wealth of information about their corporate networks, including domain, authentication server, Active Directory, user name and computer name. Leaking NetBIOS and IPX traffic information was common. According to AirDefense, attackers could (and may have) captured the corporate usernames and authentication hashes sent by the users over the airwaves.