From Stalkers to Attackers
After walking inside the building, Fred and Joan noted from the front desk registry that Diversified Financials was located on the first and second floors of the building. A variety of smaller companies were located on the third floor, some of which had succumbed to the dot-com financial meltdown. By sitting on the leopard skin couch in the empty reception area of a defunct technology company located on the third floor, Fred and Joan determined that they could get a strong signal from one of the DF access points, probably on the second or first floor.
Like many companies, Diversified Financials didn't realize that their wireless signals were leaking through their walls, ceilings, and floors. An attacker can get access on the street outside, from the basement, or from several floors above an access point. While cement and steel attenuate the wireless signals to some extent, they don't block the signals! A carefully designed wireless infrastructure architecture can minimize the signal leakage by using directional antennas. However, truly secure wireless infrastructures must recognize that signal bleed is possible, and provide additional security controls, as we'll explore in the next mistake.
From their vantage point on the third floor, Fred and Joan set up their laptops to start gathering data from the wireless network. Using their NetStumbler logs, they noted that their target was using Wired Equivalent Privacy (WEP), a mechanism for securing wireless LAN data. While WEP offers an additional layer of security, several flaws have been discovered in the protocol that allows its encryption keys to be cracked if enough data can be gathered. To crack a WEP key, the attackers must use a tool to gather encrypted data, such as the wireless sniffer AirSnort.
Using AirSnort, the attacker must sniff a large amount of encrypted data from the network, often in the neighborhood of 500MB or more of data, which can take several hours to gather. While Joan's laptop chugged away gathering data and cracking the WEP key, Fred decided to look at his NetStumbler logs a little more carefully. In addition to the DF SSIDs, he also noticed two more access points very close by, both with SSIDs set to the default value for Cisco access points, "tsunami." These access points didn't even have WEP enabled, making them trivial to break through.
In addition to the WEP-enabled access points on its network, Diversified Financials included access points that didn't use WEP. While WEP doesn't provide bulletproof security (as we shall soon see), it does raise the bar against casual attackers. An organization's access point configuration should include the activation of WEP and the distribution of appropriate WEP keys.
After using AirSnort to sniff about 500MB of WEP-encrypted data from the Diversified Financials network in about eight hours, Fred and Joan were able to determine a WEP key. Now, they could gain access to the Diversified Financials network via a WEP-enabled access point, and through two "tsunami" access points that didn't use WEP. The choice was theirs.
Diversified Financials used a wireless solution that didn't periodically rotate WEP keys. Recent wireless LAN products have included modifications to the WEP key-exchange algorithms that automatically update WEP keys on a periodic basis. By continuously rotating WEP keys, an organization can minimize the exposure to an attacker who cracks WEP keys.
With the WEP key cracked, Fred and Joan configured their systems to use this key to communicate with one of the DF access points. With the proper WEP key in place, Fred and Joan set up their laptop to use the Dynamic Host Configuration Protocol (DHCP) to automatically get an address on the network. The access point not only gave Fred and Joan an address, it also allowed them complete, unfiltered access to the network.
This is one of the biggest mistakes made by Diversified Financials. They didn't provide a strongly encrypted and authenticated method for gaining access to their network via wireless LANs. Organizations using wireless LAN technology should require all wireless connections to be sent through a Virtual Private Network (VPN) gateway device and firewall. VPN client software should be installed on all PCs and laptops requiring wireless access. The VPN should provide strong authentication and encryption from the VPN client to the VPN gateway. The VPN gateway should be located between the wireless access point and the protected internal network. The firewall should be configured to filter incoming connections, to ensure that only valid services (such as email or web access) are allowed, with all other services being blocked. With this type of architecture, all data being sent on the wireless LAN must first go through the VPN and then the firewall before being allowed on the corporate network.
After gaining access to the network, Joan and Fred began exploring the systems by using a network-vulnerability scanning tool, such as the popular Nessus scanner. The Nessus tool discovered several vulnerable machines, from which Fred and Joan were able to gather very sensitive data. They retrieved a smorgasbord of interesting insider data from the Diversified Financials network, including emails about planned mergers and acquisitions, financial performance numbers that were to be publicly disclosed the following week, and sensitive customer information such as account numbers, balances, and holdings.