
WIFI SECURITY

code is found, web admins should immediately change all FTP passwords, then
attempt to preserve all logs from the FTP
daemon and web server processes before
running a cleanup script or restoring from
backups. These logs will prove invaluable
in post-mortem analysis and may help
stress the importance of safe computing
procedures by all FTP account holders.
Finally, I can't stress enough the value of regular, full backups of mission-critical website code. Infections such as this one can be cleaned up with scripts, but that isn't always the case. The best way to protect yourself is to preserve a copy of the
infected code for later analysis, then rapidly
remove any infected pages, replacing them
with code from a known-good source.


Negotiating WiFi security

Tom Rowan, security consultant, Magirus
Wireless networks are desirable to many organisations because they increase workforce flexibility and save cabling costs. In older offices, listed buildings, and businesses based in the outdoors, wireless may be the only way to provide network access to all parts of the workplace environment. Some businesses even provide wireless networks to reach out to visitors and customers to entice them into their premises and allow them to work from there. Wireless networks will enable the coming myriad of tablet and slate machines to function as seamless internet terminals. They are here to stay.
For all their flexibility and low cost,
though, securing wireless networks is one
of the most challenging infrastructure
security tasks that a network manager
needs to consider. The broadcast nature of
the radio technologies that underpin wireless Ethernet (WiFi) networks means that
the signals can be picked up in areas where
they were not intended to be received
including outside of the business premises.
Network Security

Turn on a wireless network transceiver in any city and many tens of networks will be detected within a few seconds.


Many of these will be leaking outside
of their intended reception range. The
radio waves used to carry WiFi networks
typically have a range of forty-five metres
indoors and ninety metres outdoors.
This can mean that they can be picked
up far outside the building that they are
intended to serve.
This broadcast-based technology is the root cause that underlies all the security problems, vulnerabilities and eventual attacks that this article will discuss. With wired networks it is very hard to intercept data without intruding physically into the building under attack. A network tap would have to be located inside the core network of the business. This approach is potentially dangerous to liberty, and takes a dedicated and brave individual to make the attempt.

February 2010

Wireless networks, on the other hand, take away any of this danger. They simply beam the network right to a potential attacker. Naturally, one of the primary attacks against wireless networks is the interception of these broadcast signals. Even if these signals are encrypted,
access to the data inside is only delayed
as long as the encryption key remains
uncompromised. It is sensible to assume
that a key can be found eventually.

DDoS
A second attack against wireless networks is denial of service. Unfortunately, this is very easy to achieve. In fact, the very prevalence of wireless technologies can cause denial of service due to the frequency allocations assigned. The radio frequency bands used by WiFi networks are 2.4 GHz and 5 GHz. The lower frequency band in particular is an open access range that has been made available for low-power use by licensed manufacturers. The end user of the equipment does not require a licence at the point of use provided that the power output of the equipment does not exceed the specified limit.
There are not many of these open access bands available in the crowded allocated frequency spectrum [2]. This means that vendors of business and consumer radio equipment alike prize this range. The 2.4 GHz range is not used by any other more important licensed radio technologies because it is the harmonic frequency at which water molecules vibrate. This is the way in which microwave ovens work: they excite the water molecules inside the food to be heated at 2.4 GHz, and these excited molecules exhibit the additional energy as heat, so the food gets hot and cooks. This phenomenon can cause problems for radio transmissions in this frequency range. If the atmosphere contains a large amount of moisture (such as in a steamy kitchen or factory floor) it can become opaque to these radio waves.
Common technologies using this frequency range are WiFi, HiperLAN, Bluetooth, DECT, low-power remote control of toys such as miniature model aircraft and cars, and microwave ovens. This over-allocation may cause some disruption and collision between technologies using this frequency range.
In practice, there is surprisingly little perceived interference because the radio technologies in use layer error correction and recovery protocols over the broadcast mechanism. Unfortunately, there is increased overhead in error correction, which reduces the effective bandwidth of the network.
Malicious denial of service is effected simply by blocking these frequencies. This can be achieved by blocking the channel being used by the target network using another WiFi device and an all-out packet flood. It is possible to transmit tens of thousands of packets per second, effectively flooding the available bandwidth in the air. It is not possible to attack a wired network in this way without much more intimate access to the network.

Microwave attacks

A second, more effective if dangerous, attack is to use an unshielded microwave generator such as that found in an oven. This would provide some 800 watts of output as opposed to a typical WiFi network at five watts maximum; the effect on WiFi networks would be devastating. While this sounds extreme, it is entirely possible that this kind of attack might be used against a city block where the density of wireless networks affected would be highest.
The third main attack against a wireless network is to gain unauthorised access. This attack is widely perpetrated against home wireless users because a large number of them do not use any mechanism to secure access to their network. For most consumer networks, the primary aim of wireless networking is to allow one or more laptops to connect conveniently to a shared internet connection. If no protection mechanisms are configured then anybody with a suitable wireless device can use that same internet connection for free. Why pay for broadband yourself when you can borrow bandwidth from a neighbour? One worry is that any illegal activities carried out by the unwanted visitor using the network can be attributed to the subscriber.
There is an even more sinister aspect to this attack, even in the home environment, however. Using wireless it is fundamentally possible to gain access to systems connected to the target home network. This might include stealing files or music, or executing malicious code to gain administrative access to the system. Identity theft and access to bank and other online accounts might be possible through this mechanism. In the UK, there have been arrests where unauthorised access to wireless networks has been suspected [3].

Breaking the law wirelessly
The UK Communications Act of 2003 states that a person who (a) dishonestly obtains an electronic communications service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence [4].
If this is a worry for the home user,
then the corporate network administrator has bigger nightmares. While wishing
to provide wireless networks there is the
very real risk of network intrusion over
this medium. A network manager would
be sacked for trailing a long Ethernet
cable from their core switch out onto
the unprotected pavement outside their
building. When they use wireless networks they could be said to be doing
exactly this. The cable is broadcast
radio, but the analogy is sound.
If an attacker can gain access to a
wireless network that forms part of the
internal corporate environment then
they may as well be sat at a desk inside
the building. The same problems of data
theft, malicious access and bandwidth
erosion are possible on the corporate
network too. The impact of these intrusions could be much greater in financial
and reputational terms.

So even early versions of the WiFi standards had provision for encrypted networking and access control. The first attempt was known as Wired Equivalent Privacy (WEP) and was included in the IEEE 802.11 standard as ratified in 1997 [5]. It provides data encryption and access control via authentication. It has since been shown to exhibit a flawed design.

What's wrong with WEP

A standard 64-bit WEP key is in fact a 40-bit shared key combined with a 24-bit Initialisation Vector (IV), while a 128-bit key is based on a 104-bit shared key. This key is then used to seed the RC4 stream cipher that encrypts the traffic data. The key lengths used with WEP are fairly low, but there are more significant attack vectors against the algorithm itself.
An IV is a set of random bits that is used to seed a stream cipher such as the RC4 cipher used in WEP. This value can be changed easily and regularly without having to go through a rekeying process. In WEP, the IV is transmitted once in plain text as the client associates with the wireless access point and then automatically incremented with each packet. The problem is that 24 bits is too few: 2^24 is approximately 16.7 million. This is a very small number compared to the number of packets typically sent by clients on a busy network, so eventually IVs will be repeated. This gives an eavesdropping attacker a chance.
An identical packet encrypted by the same key using a stream cipher gives the exact same encrypted output packet. If the IV is repeated, then the keying material at that moment is exactly the same key, because the shared key component does not change at all regularly, if ever. These two facts lead to the possibility of probability-based cryptographic attacks. The more repeated IVs, the more chance of success of the attack. Simply listening for repeated IV frames can work if sufficient traffic is transmitted on the network. In a quieter network, the attacker must replay captured packets to generate sufficient IV collisions.
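The keystream argument above can be checked directly. The following is an added example, written for this edit rather than taken from the article or from any tool it cites: it implements RC4 (the cipher WEP uses), builds the WEP-style per-packet key by prepending the 24-bit IV to the shared key (the CRC-32 ICV is left out as irrelevant to the keystream), and shows that two packets sent under a repeated IV leak the XOR of their plaintexts, alongside the birthday-bound estimate that makes the 24-bit versus 48-bit comparison concrete. The shared key and packet payloads are constructed.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream (the cipher WEP uses)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP-style encryption: the 24-bit IV is prepended to the 40- or 104-bit
    shared key to form the per-packet RC4 key. The CRC-32 ICV that real WEP
    appends is omitted because it does not affect the keystream argument."""
    if not 0 <= iv < 2 ** 24:
        raise ValueError("WEP IVs are 24 bits")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared keys are 40 or 104 bits")
    per_packet_key = iv.to_bytes(3, "big") + shared_key
    keystream = rc4_keystream(per_packet_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_cancels(shared_key: bytes, iv1: int, iv2: int,
                      p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. both packets were encrypted under
    the same keystream and every bit of key material has dropped out."""
    c1 = wep_encrypt(shared_key, iv1, p1)
    c2 = wep_encrypt(shared_key, iv2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_packets_until_repeat(iv_bits: int) -> float:
    """Birthday-bound estimate of how many packets pass before the first IV
    repeat when IVs are drawn at random: roughly sqrt(pi/2 * 2**iv_bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def counter_iv_space(iv_bits: int) -> int:
    """Packets a simple incrementing IV can number before it wraps and repeats
    (many WEP cards also restart the counter at zero after a reset)."""
    return 2 ** iv_bits


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit shared key
    p1 = b"GET / HTTP/1.0\r\n"                 # constructed packet payloads
    p2 = b"POST /login HTTP"
    print("repeated IV leaks P1^P2:", keystream_cancels(key, 0x00001F, 0x00001F, p1, p2))
    print("fresh IV leaks P1^P2:   ", keystream_cancels(key, 0x00001F, 0x000020, p1, p2))
    for bits in (24, 48):
        print(f"{bits}-bit IV: counter wraps after {counter_iv_space(bits):,} packets; "
              f"random IVs first collide after ~{expected_packets_until_repeat(bits):,.0f}")
```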
The author has been able to repeatedly demonstrate this attack to clients using freely available software tools and a suitable wireless network card [6]. The time taken to crack a WEP key is typically between five minutes and half an hour depending on the relative signal strength of the network being attacked. This means that WEP is all but useless in any practical security sense against a determined and equipped attacker. However, like a fake burglar alarm affixed to the front of a building, it will still keep out a less knowledgeable or poorly equipped would-be intruder.
It is possible to apply MAC address filtering to all wireless networks. This has the effect of allowing only a white-list of MAC addresses to associate with the wireless access point. When the list of possible wireless clients is small, such as in a home network, this is a useful addition that will keep out low-level attackers. However, it is always possible to detect existing traffic by sniffing packets. These packets can be decoded and the MAC address faked onto the attacker's network card. This is a trivial attack [7].

What WEP did next

WEP has been superseded by two security technologies known as WPA and WPA2. WPA (WiFi Protected Access) was designed and implemented as a short-term fix for the shortcomings of WEP. It was designed to be compatible with WiFi hardware that provided sufficient facilities to support WEP. There is no official ratified IEEE standard for WPA; it slots in between 802.11 for WEP and the 802.11i standard that defines WPA2.

The WPA protocol implemented a new key management scheme known as the Temporal Key Integrity Protocol (TKIP). This provides massive improvements over WEP but, significantly, could be implemented on older WiFi hardware as long as firmware upgrades were applied. In theory this removed a major barrier to the adoption of WPA over WEP, although in practice it was harder to upgrade older access points to support WPA than had been anticipated. Most new client and access point hardware from 2003 onwards supports WPA without issue.

The encryption algorithm is the same as in WEP, but the way in which IVs are generated is modified. IV length is increased to 48 bits. This is an extremely large number and effectively eliminates the collision problem. A second layer of protection called MIChael provides protection against the packet replay attacks that were at the heart of the active packet generation attack discussed above. With WEP, it is possible to flood the network to generate IV collisions more quickly. The MIChael scheme uses the sender and receiver hardware MAC addresses to generate a UID that is used for integrity. If the algorithm detects two repeated packets in a sixty-second timeframe, it shuts down the network for a further sixty seconds. It is easy to break the UID generation in order to fool MIChael, which in turn creates a possible denial of service scenario.
WPA supports two modes of operation. The first is a pre-shared key mode
(WPA-PSK) where both sides of the
communication need to know the same
key. The shared key is supplied by the
administrator and must be changed at
both access point and client if it needs
to be updated due to good policy or
compromise. If the access point key is
changed out of sync, then previously
enabled clients would be unable to connect, prompting support desk work
to rectify the situation. This leads to a
situation where, in common with WEP
and most pre-shared key based protocols
from IPSEC to bank card PINs, this key
is rarely changed.
Keys can be supplied as sixty-four hexadecimal digits or as a passphrase ranging from eight to sixty-three ASCII characters. The ASCII version is padded appropriately and both are converted to a 256-bit key. WPA is susceptible to brute force attacks if a weak pre-shared base key is chosen. There are look-up tables available to speed this cracking process [8].

Cloud-based cracking

Recently, a WPA cracking service running on a cloud-based computing platform has been released. A user of the service needs to upload a set of packet data that is then compared to a set of WPA rainbow tables. At the time of writing the price of a cracking run is $17 or $35 depending on the service level chosen [9].
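To show why the look-up tables and rainbow-table services described above are tied to a particular network, here is an added example (my own code, not the article's or any cited tool's). IEEE 802.11i derives the 256-bit key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), with a 64-hex-digit key used as is, so a table built for one SSID does not transfer to another; the standard's own test vector ("password" with SSID "IEEE") is used, and the other SSIDs, candidate passphrases and guessing-rate arithmetic are constructed.

```python
import hashlib
import re
import time

HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key as IEEE 802.11i specifies:
    64 hex digits are taken literally; an 8-63 character ASCII passphrase is
    run through PBKDF2-HMAC-SHA1 with the SSID as salt for 4096 iterations."""
    if HEX_KEY.fullmatch(passphrase):
        return bytes.fromhex(passphrase)
    if not (8 <= len(passphrase) <= 63 and passphrase.isascii()):
        raise ValueError("passphrase must be 8-63 ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """A precomputed passphrase -> key table is built for one SSID; it only
    transfers to another network if the derived keys agree, which they do
    not unless the SSIDs are byte-for-byte identical."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


def measure_guess_rate(samples: int = 50) -> float:
    """Rough derivations per second on this machine; the 4096 iterations are
    the cost paid per guess whenever no table exists for the target SSID."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate-{i:05d}", "constructed-ssid")   # constructed guesses
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every passphrase of `length` symbols drawn from
    `alphabet_size` possibilities at `rate` derivations per second."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    print("802.11i test vector:", wpa_psk("password", "IEEE").hex())
    print("table for SSID 'IEEE' usable against 'ieee'?",
          table_reusable("password", "IEEE", "ieee"))
    rate = measure_guess_rate()
    print(f"~{rate:,.0f} derivations/s here (pure Python, single core)")
    for label, size, length in (("8 lowercase letters", 26, 8),
                                ("12 mixed printable chars", 94, 12)):
        days = seconds_to_exhaust(size, length, rate) / 86400
        print(f"{label}: {days:,.0f} days to exhaust at that rate")
```

A unique SSID plus a long passphrase therefore defeats the precomputed tables outright and forces the 4096-iteration cost onto every single guess.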
The second mode of operation is an enterprise model where an Extensible Authentication Protocol (EAP) module is used to improve the authentication of WiFi network clients. EAP is an authentication framework that supports the use of 802.1x network access control [10,11]. This mode of operation is much stronger in practice than WPA-PSK, but it is of little use to the average home user or smaller business that does not have the necessary investment in 802.1x VLAN-capable switches and NAC devices.
In 2008, a flaw was discovered in TKIP. This is based on a known problem with the WEP algorithm. The attacker monitors network traffic until an address resolution protocol (ARP) packet is captured. An ARP packet is easily distinguished even when encrypted: an ARP request uses a broadcast MAC address as the destination and is a very short packet. Using a statistical attack, it is possible to derive the unknown parts of the ARP packet. This attack takes just under a quarter of an hour to work because it triggers the sixty-second network timeout built into MIChael a number of times as various keys are computed based on responses from the protocol. Once this has been achieved, it is possible to inject malicious packets into the network [12].

WPA2

WPA2 fully implements the IEEE 802.11i standard, including a replacement for TKIP based on the AES block cipher. This improvement is known as CCMP [13]. This protocol, at the time of writing, is considered fully secure. It is recommended that all networks implement WPA2 where possible. However, in practical terms the majority of Windows XP laptops that the author has encountered do not have the optional WPA2 client software installed.
The installation of this update requires administrator rights on the laptop in question, meaning that it is unlikely to be a field upgrade for already deployed laptops. Newer versions of Windows and Mac OS X inherently support WPA2. For users of these operating systems there are no barriers to the adoption of WPA2 in all wireless networks.

Some network environments do not wish to take the risk of implementing any wireless networks at all. Even with the option of implementing WPA2-Enterprise and utilising 802.1x network access control features, some organisations have made the decision to avoid any risks associated with WiFi networks. Even if a slightly less risk-averse administrator goes to the trouble of encrypting and securing their own WiFi networks, they are still at risk from employees who might implement a rogue wireless access point. These are unofficial access points that are simply connected to the main network. From experience of performing scans for rogue networks, these are rarely secured in any way and often advertise the name of the company to which they belong by broadcasting a poorly named SSID or network name. There is real danger to corporate networks here. One solution is to perform regular WiFi scanning to search for, locate and disable these devices. Automated wireless IDS products are also available that are able to perform the same task, at some cost to the organisation.

Anyone for coffee?

A related problem is the proliferation of coffee shop and free wireless provision in inner city environments. While these networks allow employees to make contact back to the corporate network while out of the office, they also pose a significant security risk while users are in the office. Most operating systems cache a list of known (read: trusted) wireless SSIDs. They will automatically connect to known networks even while connected to a wired network. This effectively creates a bridge between the corporate network and Starbucks wireless! Software is available to detect and control this behaviour if users are not technical enough to understand these implications on their own.
A secure implementation of wireless networks needs to consider the following:

• Data encryption and integrity … must be provided using WPA2 and AES-CCMP. Older hardware should be replaced rather than security decreased for compatibility.

• Network access control using 802.1x and EAP based protocols, or regularly-changed complex long pre-shared keys with all the inconvenience that this brings.

• Segregation of wireless networks from wired networks within the network environment. At least one VLAN should be used to split WiFi networks from the main network unless passed through a suitable firewall and IPS device.

• … implementing a VPN inside the network. Wireless clients, having successfully been through NAC procedures, would have to use a standard SSL or IPSEC VPN to progress further into the corporate network. This gives additional user-level authentication and non-repudiation as well as enhanced encryption at the cost of some bandwidth overheads.

• Regular scanning for rogue access points or the implementation of a wireless IPS must be considered for all networks regardless of whether a corporate wireless service exists or not. User education and a strict IT usage policy in this regard can help to steer an appropriate response should rogue devices be discovered.

• Careful … design, including the selection and positioning of WiFi antennas, can be invaluable in limiting the spread of signals beyond the intended area of coverage.

• Delivering a wireless network requires an understanding of the issues presented above. On one hand is the push from management to bring flexibility and enhanced capability to the workforce. On the other is the trade-off and balance with doing this securely.
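The recommendations above can be turned into a configuration check. The following is an added example (not from the article): a small audit over hostapd.conf text that flags WEP, WPA1/TKIP, a missing CCMP cipher, a short pre-shared key, EAP without 802.1X and an SSID that names the organisation. The two configurations are constructed; the finding codes, the 20-character threshold and the org_names list are this example's own policy choices; the hostapd option names used (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, ieee8021x, auth_server_*) are real hostapd options.

```python
WEAK_CONF = """\
# constructed example of a poorly configured access point
interface=wlan0
ssid=AcmeBank-Finance
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=acme2010
"""

HARDENED_CONF = """\
# constructed example following the article's recommendations
interface=wlan0
ssid=net7-corp
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-RADIUS-SECRET
"""


def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser for hostapd.conf; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str, org_names=(), min_psk_len: int = 20) -> list:
    """Return finding codes for settings the article argues against.
    min_psk_len and org_names are local policy inputs, not figures from the article."""
    conf = parse_hostapd(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("NO_WPA")                 # open network, or WEP only
    if wpa & 1:
        findings.append("WPA1_ALLOWED")           # TKIP-era WPA still negotiable
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP_CONFIGURED")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP_ALLOWED")           # article: AES-CCMP only
    if wpa and "CCMP" not in ciphers:
        findings.append("NO_CCMP")
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd default is WPA-PSK
    if "WPA-PSK" in key_mgmt:
        passphrase = conf.get("wpa_passphrase")
        if passphrase is not None and len(passphrase) < min_psk_len:
            findings.append("SHORT_PSK")          # article: complex, long pre-shared keys
    elif "WPA-EAP" in key_mgmt and conf.get("ieee8021x") != "1":
        findings.append("EAP_WITHOUT_8021X")
    ssid = conf.get("ssid", "").lower()
    if any(name.lower() in ssid for name in org_names):
        findings.append("SSID_NAMES_ORG")         # article: poorly named SSIDs
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_hostapd(conf, org_names=('acme',)) or 'no findings'}")
```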


MOBILE SECURITY
References
1. 802.11, Wikipedia, 25 January 2010, <http://en.wikipedia.org/wiki/IEEE_802.11>
2. UK Frequency Allocation Table, National Frequency Planning Group, 2008, <http://www.ofcom.org.uk/radiocomms/isu/ukfat/ukfat08.pdf>
3. Man arrested over wi-fi theft, BBC News, 22 August 2007, <http://news.bbc.co.uk/1/hi/england/london/6958429.stm>
4. Communications Act 2003, Office of Public Sector Information, 2003, <http://http.hmso.gov.uk/acts/acts2003/20030021.htm>
5. IEEE Std 802.11-1997, Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE, 1997, <http://ieeexplore.ieee.org/search/freesrchabstract.jsp?arnumber=654749&isnumber=14251&punumber=5258&k2dockey=654749@ieeestds&query=%28802.11+1997%29%3Cin%3Emetadata&pos=0>
6. BackTrack 4 download page, BackTrack Linux, accessed January 2010, <http://www.backtrack-linux.org/downloads/>
7. Change (Spoof) MAC Address on Windows 2000, XP, 2003, VISTA, 2008, KL Consulting, accessed January 2010, <http://www.klcconsulting.net/change_mac_w2k.htm>
8. Church of WiFi Uber coWPAtty lookup tables, Church of WiFi, 5 April 2009, <http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90>
9. WPA Cracker, accessed January 2010, <http://www.wpacracker.com/>
10. EAP, Wikipedia, 8 January 2010, <http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol>
11. 802.1x, Wikipedia, 24 January 2010, <http://en.wikipedia.org/wiki/802.1X>
12. Martin Beck and Eric Tews, Practical Attacks Against WPA, 8 November 2008, <http://dl.aircrack-ng.org/breakingwepandwpa.pdf>
13. CCMP, Wikipedia, 10 January 2010, <http://en.wikipedia.org/wiki/CCMP>

Managing mobile security: How are we doing?

Alan Goode, Managing Director, Goode Intelligence

The latest generation of mobile phones, such as the iPhone and Google's Android platforms, are having a transformational effect on the way that we access, use and store information. There is no doubt of the business benefit that data-enabled, multi-network (mobile operator and WiFi enabled), always-on mobile devices give us, but what are the implications for information security? Does access to company-confidential information on a mobile phone give us cause for alarm, and by allowing employees to use their own phones for business are we opening up a compliance can of worms? Who owns the data?
The Goode Intelligence (GI) mobile
security 2009 Survey is a vendor-independent study of the current status of
mobile phone security within business,
providing a snapshot of how business is
tackling the security challenges posed by
mobile phones. Published in three parts,
the first two parts have been published
and are available to download from the
Goode Intelligence website, www.goodeintelligence.com.

Who took part?

The survey respondents came from a wide cross-section of sectors including finance, defence, government, healthcare, technology, telecommunications, charity, recruitment, legal, retail and utility.

Survey respondents came from three regions around the world: the European Union, the rest of Europe, and North America. The role of the survey respondents ranged from senior management to consultant and included the following: chief information security officer (CISO), network security manager, head of IS governance and security, security analyst and information security consultant. In terms of organisational size, there was representation from companies with fewer than 100 employees through to those with more than 100 000 employees.
It is heartening to learn that in 2009,
virtually all of the respondents have a
documented security policy (96%). It is
another story however, regarding organisations that have a specific documented
security policy that covers mobile phones.
Just under half of the respondents (46%)
do not have a specific documented security policy that covers mobile phones.
In answer to the question "how adequately do security standards and frameworks such as ISO 27001/2, COBIT and ISF Standard of Good Practice (SoGP) cover mobile?", 45% said that mobile was covered slightly or not at all. Only 10% stated that the standards cover mobile security policy well. A further 30% reported that the standards covered mobile security policy adequately but that there was room for further improvement. This is an
interesting statistic, and points to a wider
issue of awareness of exactly what is con-
