Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
Computer Security Lab, Juseung Yun
Paper Information
Title: Proximity Breeds Danger: Emerging Threats in Metro-area Wireless Networks
Authors: P. Akritidis, W.Y. Chin, V.T. Lam, S. Sidiroglou, K.G. Anagnostakis
Published: USENIX Security Symposium, 2007
Hanyang Univ. Computer Security Lab.
Goals
Quantify the threat from large-scale distributed attacks on wireless networks
Focus on three attacks
Introduction
Attackers are evolving: they explore creative ways to exploit systems and target new technologies and services as they emerge
Any technology or service reaching critical mass draws attention
Some of the largest security lapses are due to designers being ignorant of the threat landscape
Soon wireless networking will reach critical mass
Introduction
Study three possible threats
Countermeasures are not implemented even though mechanisms are either available or easily implemented
Threats are underestimated
Wildfire Worms – Introduction
Cabir virus in 2004 -> Symbian OS vulnerability
Focus on worms that could propagate over 802.11 networks
Main concern: the large number of laptops
Wildfire Worms – Propagation
Probe victims in the neighborhood
Gather a list of usable access points
Nodes at intersections are used for the propagation of the worms
Wireless hotspots
Wildfire Worms – Mobility
Wireless population: laptops, PDAs, smart phones
Mobility: compensates for sparse connectivity; helps propagation into secure networks
Wildfire Worms – Open vs Protected Access Points
Open access points: any worm can propagate
WEP encrypted: attacks have already been implemented
WPA (Wi-Fi Protected Access): susceptible to brute-force attacks combined with a weak password
Any type of Wi-Fi network can be easily compromised, so most likely worms will carry an additional payload of cracking tools
Wildfire Worms – Infection Process
Push method: probe for an exploitable service and inject code
Pull method: man-in-the-middle attack. Listen for broadcasts, pretend to be the web server and respond with pages that include exploits
The broadcast nature of wireless networks makes the pull method an attractive option for attackers
Wildfire Worms – Proof-of-concept Implementation
The authors created a wildfire worm for both Windows XP and Vista from the WLAN API already available
The worm was able to associate itself with an AP, scan the local subnet for vulnerable machines and inject code (push method)
It exploited a vulnerability found in Apache Web server 1.22
Wildfire Worms – Analysis
Wi-Fi worms require a widespread vulnerability. Do such vulnerabilities exist?
Data taken from NVD and SecurityFocus concerning Windows XP SP2 between 8/04 and 1/07
Classified into push-"friendly" and pull-"friendly" vulnerabilities
Vulnerability window: the time during which an exploit was known and not patched
Push-type flaws existed for 11.89% of the period
Pull-type flaws existed for 48.47% of the period
For 98 days, critical security flaws in IE allowed the theft of personal and financial data
Wildfire Worms – Simulation
Push-type worm, assuming an AP radius of 90 m, 14 and 8 Mbps networks, and a transmission of ~100 KB/host
Large-scale Wi-Fi Spoofing
Protocols such as DHCP, TCP and DNS are vulnerable to man-in-the-middle attacks
Attackers can perform spoofing in any wireless network within range of the controlled host's vicinity
Wi-Fi Tracknets
Wi-Fi networks can very well become the new "Big Brother"
However, the most concerning thing is that attackers can set up a tracking system remotely, without physical infrastructure
Tracknets provide location information and leak a significant amount of personal information
Wi-Fi Tracknets – Tracking Methods
Tracknet masters gather information from hosts and create their unique profiles
MAC addresses: unique per host; randomizing them may lead to software errors and conflicts between ISPs
Live bookmarks (RSS): customized news feeds presented in the browser can be eavesdropped and added to the user profile
Location tracking: radio signal characteristics of WLANs are used to pinpoint user location
Instant messaging, online service portals, cookies
Wi-Fi Tracknets – Experimental Analysis
Effectiveness is expressed in terms of network coverage
Wi-Fi Tracknets – Experimental Analysis
Accuracy of gathered RSS profiles
Defense Strategy
User awareness: strong passwords, use of WPA/WPA2
Wireless IPS:
APs have limited computing resources, so they use only a subset of known signatures
Centralized wireless controller: all local traffic is directed here for inspection before being redirected back to the user; uses the full set of signatures; relies on honeypot feeds for zero-day attacks
Attackers can avoid AP inspection by performing a low-power signal emission (whisper attack), which severely reduces the range of the attack
Defense Strategy
Lightweight alternatives to WPA and VPN:
Ingress filtering: traffic originating from the wireless network should have an IP address on the local network. DNS spoof attacks will arrive from the local network yet carry an external IP address. However, with help from a collaborator outside the local network, and with some limitations, this attack can still succeed
Packet rewriting against the collaborator attack: map DNS and TCP numbers to another space using hash functions. Can be used if the hardware provides cheap hash functions
Defense Strategy
802.11 spoofing: the attacker violates the 802.11 protocol to transmit frames directly to the victim. The AP can detect the attack by monitoring transmissions it did not send
Whisper attack detection: bookkeeping of request-reply pairs to detect excess and inconsistent replies. Alert when a host appears to retransmit even after receiving a reply
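As an added example (not from the paper or these slides), the following Python applies the ingress-filtering rule and the request/reply bookkeeping from the two Defense Strategy slides above to a constructed DNS trace as an AP might see it; the subnet, the packet record layout and the alert names are assumptions.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed subnet behind the AP


def pkt(iface, src, client, txid, kind, payload):
    """Constructed record: interface seen on, IP source, wireless client it
    concerns, DNS txid, 'query' or 'reply', and the query name or answer."""
    return {"iface": iface, "src": src, "client": client,
            "txid": txid, "kind": kind, "payload": payload}


def ingress_ok(p):
    """Ingress filter: wireless-side traffic must have a local source address."""
    return ipaddress.ip_address(p["src"]) in LOCAL_NET


def audit_dns(packets):
    """Request/reply bookkeeping keyed by (client, txid); returns (alert, key):
    'ingress' non-local source on the wireless side (packet dropped),
    'excess' reply with no matching query, 'inconsistent' second reply with a
    different answer, 'retransmit' query re-sent after a reply already arrived."""
    alerts, pending, answered = [], {}, {}
    for p in packets:
        if p["iface"] == "wlan" and not ingress_ok(p):
            alerts.append(("ingress", p["src"]))
            continue
        key = (p["client"], p["txid"])
        if p["kind"] == "query":
            if key in answered:
                alerts.append(("retransmit", key))
            pending[key] = p["payload"]
        elif key not in pending:
            alerts.append(("excess", key))
        elif key in answered and answered[key] != p["payload"]:
            alerts.append(("inconsistent", key))
        else:
            answered.setdefault(key, p["payload"])
    return alerts


# Constructed trace: a genuine resolution, a collaborator's forged reply arriving
# on the wired side, the victim re-asking, a reply spoofed from the wireless side
# with the resolver's address, and a wired-side reply that no client asked for.
SAMPLE = [
    pkt("wlan", "192.168.1.20", "192.168.1.20", 0x1A2B, "query", "bank.example"),
    pkt("eth", "10.0.0.53", "192.168.1.20", 0x1A2B, "reply", "203.0.113.10"),
    pkt("eth", "10.0.0.53", "192.168.1.20", 0x1A2B, "reply", "198.51.100.9"),
    pkt("wlan", "192.168.1.20", "192.168.1.20", 0x1A2B, "query", "bank.example"),
    pkt("wlan", "10.0.0.53", "192.168.1.30", 0x3C4D, "reply", "198.51.100.9"),
    pkt("eth", "10.0.0.53", "192.168.1.30", 0x3C4D, "reply", "203.0.113.11"),
]
```

Running `audit_dns(SAMPLE)` yields one alert per anomaly in the trace: the inconsistent collaborator reply, the client's retransmission, the non-local source on the wireless side, and the unsolicited reply.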
Conclusion
Wireless technology is bound to draw attackers' attention soon
High risks are involved: large-scale rapid worm infections, user profiling
User awareness must be raised and security issues must be dealt with
The End