DISCLAIMER : [Insert the biggest, most comprehensive lawyerspeak here]. Securitywriters.org (SWG) or the author(s) are NOT RESPONSIBLE for anything that happens to you, ur cat, dog, sexlife or wife after you go through the information presented below. Enjoy.

Contents

• An unwired Universe
  
  { Notes : An encyclopedic introduction to wireless technology, a must-read! }
  { Contrib : Charles Hornat }
  

• Tales from the Void
  
  { Notes : Misc. topics investigated }
  { Contrib : Hitchhiker }

• Logfile
  { News, Views etc }

• How can you contribute ?
  { Procedure for sending submissions for the zine }
  

Suggested Links : Issue #4 , usenet postings

Movies : Race The Sun (James Belushi, Halle Berry)

Music : Wheatus (Teenage Dirtbag), Five (cover of Queen's We will rock you), Bryan Adams (Here I am)

An unwired Universe
By Charles Hornat

Overview

After seeing many articles and the huge wave of interest in wireless technology, I felt it's time for a buffet on the subject, also highlighting the pros and cons. Here's hoping that, you would gain a better understanding and position to read further (comfortably) on the subject.

Please be aware that this is much like a "crash" course, You are adviced to go thru the references given for further study.

Quick Jump

• Wireless Protocols
  
  
  • Wireless Application Protocol (WAP)
    • The WAP Gap.
    • Protecting WTLS WAP Gateways
      
      
  • Bluetooth
    • Bluetooth Security Issues
    • Securing Bluetooth
      
      
  • 802.11 Current
    • Access Control
    • Wired Equivalent Privacy (WEP)
    • 802.11b Security
    • 802.11 Future
      
      
• Top 5 Security Issues
  • Eavesdropping
  • Theft or Loss of wireless devices
  • Denial of Service
  • Viruses
  • Masquerading
    
    
• Wireless Cheat Sheet
  
  
• Bluetooth vs. 802.11. 10

Wireless LAN Network Architectures

1. Ad-Hoc : is a peer-to-peer setup where one wireless client talks directly to another without passing through any additional access point or proxy.  A common network identifier is used for peers to communicate with each other.
   
   
2. Single Point of Access : an AP (Access Point) is used in this type of setup to connect wireless users to a wired network. This acts like a bridge between the wireless users and the network with which they wish to connect to. The AP is responsible for authenticating the wireless users via password and MAC address. Network performance is inversely proportional to the distance between the node and its AP.
   
   E.g. A system that is 5 feet from the Access Point could monopolize the bandwidth from other nodes while another one 20 feet away could experience degraded network performance.
   
   The area surrounding the AP is called “Basic Service Set”, or BSS.
   
   
3. Multiple Access Point : This setup allows multiple APs for the network. The network “hand-off” the users' info and ensures the best network performance available by allocating the closest free AP.

Wireless Technologies

Infrared Wireless

• 2mbps
• Can not penetrate opaque objects
• Uses direct or diffused technology
  • Directed (Requires line of sight)
  • Diffused (Limited to short distances such as a single room)

Radio Frequency (RF)

• Most use 2.4 GHz frequency range
• Most popular WLAN technology
• Covers long ranges
• Includes narrowband and spread spectrum technology
• Previous versions ran at 2 mbps
• Current run at 11 mbps
• New standards allow use at 54 mbps

Wireless Protocols

Wireless Application Protocol (WAP)

• Operates over a multitude of different wireless technologies:
  • Cellular Digital Packet Data (CDPD)
  • Code Division Multiple Access (CDMA)
  • Global System (GSM)
    
    
• Built in security at the transport lawyer similar to SSL

• Enables a multitude of wireless devices including cell phones and PDAs to have a common way to access the internet

The WAP Gap

WAP (Wireless Application Protocol) has an issue commonly referred to as the “WAP gap.”

Wireless device

(WTLS)

WAP Gateway

(TLS/SSL)

Internet Server

• WTLS: Wireless Transport Layer Security
  
  
• Used in versions prior to WAP 2.0
  
  
• Requires the WAP Gateway to decrypt WTLS transmissions and the re-encrypt as TLS/SSL
  
  
• Sensitive data is exposed as it traverses the gateway

If an attacker were to compromise the wireless gateway, she would be able to access all of the secure communications traversing the network juncture. The wireless carrier usually controls the gateway.  The user will not be able to gain any knowledge regarding the security in place at the gateway.  This setup requires that the users implicitly trust that the gateway is secure and monitored.

 WTLS is replaced by TLS in WAP 2.0.  The gateway above is no longer needed to translate (decrypt from one standard and re-encrypt to another) since the Internet servers are able to interpret the TLS transmission directly.  All data remains encrypted as it passes through the gateway.  Since there is such a large difference in WAP technologies, the implementation of WAP 2.0 may take a long time.

Protecting WTLS WAP Gateways

• Ensure the WAP Gateway never stores decrypted content on secondary media
  
  
• Implement additional security at the higher layers
  
  
• Secure the WAP gateway physically so that only administrators have access to the system console
  
  
• Limit administrative access to the WAP gateway so that is not available to any remote site outside the firewall
  
  
• Disconnect WAP application from the rest of the network
  
  
• Add WAP devices to your PKI infrastructure 

Bluetooth

• Can be used to almost connect any device to another device
  
  
• Operates at the 2.4 GHZ ISM Frequency band
  
  
• Supports a range of 30 feet
  
  
• Maximum bandwidth is 1 MB/s
  
  
• Devices don’t need to be “line of sight”
  
  
• Supports data, voice, and content-centric applications
  
  
• Uses FHSS at up to 1600 hops per second
  
  
• Signal hops among 79 frequencies at 1 MHz intervals for a high degree of interference immunity
  
  
• Up to seven simultaneous connections can be established and maintained
  
  
• Will be embedded in future versions of Microsoft Windows and Pocket PC’s

Each Bluetooth device stores the following:

• 48-bit unique device address
  
  
• 128-bit unique unit key

Each connection has a link key associated with it, this is used to generate the encryption key. The link key value is chosen during connection setup for two devices that have not previously communicated.  After this is done, it is used for authentication.

Bluetooth Security Issues

• The link key is not really secret, connections can be eavesdropped and deciphered
  
  
• The encryption can be broken in some cases
  
  
• A device’s address is unique – by tracking a particular address a person’s activities can be tracked
  
  
• A 4-digit PIN code must be entered manually each time the device is used and this can be considered a hassle
  
  
• To avoid the hassle of entering the 4-digit PIN code each time, the PIN code can be stored in the devices memory or hard drive creating an inherent security vulnerability
  
  
• The user chooses the PIN code, and the PIN code requires no type of complexity.  Users can use ‘0000’ or ‘1234’

Securing Bluetooth

 The Bluetooth specification defines 3 security modes:

Non-secure - Non-secure mode does not initiate any kind of security.

Service-level security - In Service-level security, security policies are defined by the access requirements of the application the user is using.

Link level Security - Security standards are established before the link setup is complete. 

Most of the problems associated with Bluetooth are inherent in the Bluetooth protocol and implementation. Best practices to date suggest:

• Implement the necessary authentication
  
  
• Implement the necessary encryption mechanisms at the application layer
  
  
• Avoid the use of Unit keys, use combination keys instead
  
  
• Perform the bonding in an environment that is as secure as possible against eavesdroppers, and use long random Bluetooth passkeys.

For specific implementations and security concerning those implementations, please see the white-paper on Bluetooth security at: http://www.bluetooth.com/upload/24Security_Paper.PDF

802.11 Current

802.11 supports 3 physical layers

• Infrared
• Radio Frequency
  • FHSS-Frequency Hopping Spread Spectrum
  • DSSS-Direct Sequence Spread Spectrum
    
    
• Technology spread into 802.11a, 802.11b, 802.11g
  • 802.11b supports up to 11 Mbps at 2.4 GHz
  • 802.11a supports up to 54 Mbps at 5 Ghz
  • 802.11g supports up to 54 Mbps at 2.4 Ghz
  • 802.11b only uses DSS which allows greater throughput but is more susceptible to radio signal interference
  • 802.11a are up to 5x faster than 802.11b nets, but are not interoperable with 802.11b nets.

Access Control

• Media Access Control (MAC) filtering
  
  
• Perform Service Set Identifier (SSID)

Wired Equivalent Privacy (WEP)

• Encrypts data with 40 or 128 bit keys
  
  
• Automated tools exist to crack WEP encryption keys
  
  
• Exploits weakness in RC4 key scheduling algorithm
  
  
• AirSnort tool can compute the key in less than 1 minute of sniffing wireless communication
  
  
• Completely passive attack making it extremely difficult to detect
  
  
• Tools used to perform attack are freely available for download on the internet

802.11b Security

Problems

• Media Access Control (MAC) address filtering - can be sniffed and spoofed
  
  
• Service Set Identifier (SSID) - broadcast by access points and should not be considered secret
  
  
• The SSID can be easily sniffed
  
  
• WEP Encryption can be easily cracked
  
  
• 40 or 128 bit Wired Equivalent Privacy - has been broken using tools like:
  • Airsnort: http://airsnort.sourceforge.net/
  • WEPCrack: http://sourceforge.net/projects/wepcrack

Solutions

• Use a strong Authentication Mechanism
  
  
• Require mutual authentication between client and server
  
  
• Utilize end-to-end encryption at the higher protocol layers (e.g. SSH and SSL) - Using a VPN solution to replace WEP
  
  
• Configure the Access Points to keep silent about the SSID - Disable the Access Points beacon signal and configure it to ignore anonymous request for the SSID.  

802.11 Future

802.11d – support for 802.11 frames, new regulations

802.11e – QoS enhancements in the MAC

802.11f – Inter Access Point Protocol

802.11g – High Rate or Turbo Mode – 2.4GHz bandwidth extension to 22Mbps

802.11h – Dynamic Channel Selection and Transmit Power Control

802.11i – Security Enhancement in the MAC

802.11j – 5 GHz Globalization among IEEE, ETSI Hiperlan2, ARIB, HiSWANa

Top 5 Security Issues

Most information below was gathered from SANS, Information Security Magazine and other top information security resources.

Eavesdropping

• Issues
  • Attackers can gain access to wireless transmissions without being close to the network. 
  • Difficult to detect if someone is eavesdropping
  • An attacker can gather critical or confidential material
    
    
• Steps to protect
  • Use encryption like SSH, SSL, IPSec or VPN
  • Prevent the Access Point from broadcasting the SSID
  • Use authentication and access control (SSID and MAC address filtering) to prevent attackers from being able to connect to your network

Theft or Loss of wireless devices

• Risk
  • Wireless devices can be stolen or lost
  • Devices can contain confidential corporate information
  • An Attacker can gain access to the network via a stolen device and information on that device
  • Data on wireless devices is stored in clear text
    
    
• Minimizing the Risk
  • Audit wireless devices in your environment regularly
  • Develop strict guidelines and policies for connecting wireless devices to the network
    • Personal Use Restrictions Policy
    • Enforce a Password Policy
    • Antivirus Policy
  • Encrypt the data that is stored on the wireless devices
  • Strong authentication
  • Device Access Controls and Secure Configuration

Denial of Service

• Issues
  • An attacker can jam all communications on the wireless side
  • Cost to perform a DOS is minimal
  • Attack is simple to perform and can be done from common tools easily found on the Internet
    
    
• Steps to protect
  • In small environments use Infrared instead of RF if possible
  • Operate wireless networks only from shielded buildings
  • A DOS attack is very difficult to defend against.  When under such an attack, locate and disable the attacking device

Viruses

• The threat from malware has always been there for almost all popular platforms. Now virus writers are trying out some specific techniques for wireless devices/networks.
  
  
• Though a bug in the wild is yet to happen (specifically aimed at wirless), many proof of concept efforts are already out there (e.g. Phage).
  
  
• A relatively slow scene does'nt mean you can relax, correct defenses have to be put in place for future contingencies.
  
  
• Reliable and comprehensive anti-virus solution(s) have to be installed at various entry points (mail,web,gateway etc). Companies in the loop include F-Secure, Kaspersky, Trend Micro, Network Associates, Symantec etc.

Masquerading

• Issues
  
  • Rogue clients pretend to be a legitimate endpoint  
    • An attacker could obtain a working IP address via DHCP or by guessing
    • A Rogue client becomes a node on the internal net behind all firewalls
      
      
  • Rogue Access Points could trick clients into logging in
    • Attackers would need to place the rogue Access Points strategically to present the strongest signal
    • This would allow an attacker to harvest critical or confidential information or authentication credentials
      
      
  • Difficult to detect this attack
    
    
• Steps to protect
  • Clients must be authenticated before being allowed to connect 
  • Use Strong authentication mechanisms that an attacker could not spoof like Public Key authentication
  • Choose authentication mechanisms that will not reveal credentials or critical or confidential information (passwords) to a rogue Access Point

Wireless Cheat Sheet

(Table 1:Comparison)

(Figure 1: http://www.btdesigner.com/pdfs/KenNoblittComparison.pdf)

Bluetooth vs. 802.11

(Table 2: http://www.kerton.com/papers/BT-WF.pdf)

Hope this helped. See you next time.

Tales from the Void
By Arun Darlie Koshy

This section would be totally non-linear and would graph out into diverse areas, but a common theme would be there .. on the way we may build up system utilities, viruses, firewalls or anything which you and i can think about.

It's to see possible ways someone can exploit a feature or concept in today's infostructure (hardware, software nething..).

[29.09.02]

If something can become a race conditon, it will..

For a student interested in OS design, understanding process management is essential. Here are my notes.. if nothing else, it will give some reassurance to another soul who maybe caught up in the same problem.

Before starting out, the book we're discussing :

• Operating Systems : Design and Implementation 2e (by AST, published by Prentice Hall) (Ref #1)

• Other reference materials used would be indicated at that point. Familiarity with OS concepts and assembler/C is assumed.

Objectives :

1. Processes need to communicate with each other effectively, without errors and in proper order
   
   
2. The IPC (inter-process communication) model should be abstract (high-level)

Race Conditions :
means exactly what it says. It is a sitiuation brought about by two processes or more processes running in the
same time slice (actually, same is a bit inaccurate, as only one process is having the CPU at a given instant).

Let's look at the example of the print spooler (pg.57, section 2.2.1, Ref #1)

We have a standard printer daemon (program handling print requests across the OS) which has a "spooler directory" containing filenames. Lets make two variables "out" and "free".

("out" : next file to print, "free" : the next free slot)

Slot 1: |nuke.txt| (out)
Slot 2: |terror.txt|
Slot 3: |biowar.pdf|
Slot 4: |tempest.xls|
Slot 5: |prnlog.lst|
Slot 6: |drive.txt|
Slot 7: (free)
..
Slot n:

Let's now imagine two processes named, Tom n Jerry, (i.e Process T n Process J) want to print and it happens at the same instant.

T reads "free" and sees that the next free slot is 7, and stores it locally (say in T_Slot). Just then, say the scheduler interrupts and switches to process J. It also sees the 7, stores the name of its file, updates free to be slot 8.

Now T comes back to life, and starts from where it left, it looks at T_Slot, sees the 7 and writes the its file (overwriting J's fn) and updates free to slot 8.

We witnessed a race condition... right now, above. J will never get its printout for apparent reasons. Please read this again and again, if u did'nt get it at once. You have to visualize.

So the next question is how to avoid race conditions ? The answer is mutual exclusion which basically means that if one process is using a shared resource (variable,file,printer .. nething), then the other processes CANNOT use the same resource.

Four conditions for a good solution (to avoid race conditions) are :

• Only one process can be in it's (CR) critical region at a time ( CR refers to the part of the program which uses the shared resource )

• We cannot make any assumptions about the hardware

• No process outside it's CR can block another process

• Infinite waiting periods must be ruled out (i.e we must be sure that no sitiuation leads to a process waiting forever to enter it's CR)

We will now consider some solutions discussed in the book :

• A simple solution would be to disable all interrupts just after entering the CR, and enable them just before leaving (process switching won't happen a clock interrupt) .. this ensures the process can access the shared resource without getting disturbed.

• But, in the final analysis, the power to turn off interrupts should be reserved with the OS (for attending to its own mutual exclusion needs while updating system lists, variables etc). The user should'nt be allowed to this as a rogue program (or a poorly written one) can cause the system to malfunction (say a process forgets to enable the interrupts).

• Next we consider the concept of lock variables, say we have a single, shared variable called lock. We can use this in the following manner, if the lock is 0, it means that no process is in the critical region else its 1. So, when process T wants to enter its CR, it will first check if the lock is 0, then set it to 1 and proceed. Incase it finds it to be 1, it means already another process is in a CR, and T has to wait.

• I hope u did'nt read the above without an alarm sounding in ur brain. The word "shared" .. we spot our old culprit, again a race condition can happen with the solution itself, stop reading here, take a minute or two off to think how.

• It happens when say, process T reads the lock and sees its 0 and is about to set it to 1, at that instant process J kicks in does the same check, sets it to 1, now when process T resumes, it also sets the lock to 1 and both of them goto their CRs at the same time.
  
  The following code snippet may help in visualizing :
  
  loop_enter_cr :
  mov cx, lock
  cmp lock, 0            ;problem occurs, when J gets control at this instant
  mov lock, ax           ;where ax=1, when T resumes, its at this position .. now both T & J set the lock to 1
  jne loop_enter_cr
  ret                          ;return to caller, ready to enter CR
  
  
• The next solution to be considered is that of strict alternation. Before we step into that, here are the code snippets of process T & J for this study :
  
  

  Process T while (TRUE) {   while (turn!=0) ; //loop till turn becomes 0   critical_region();   turn=1;   noncritical_region(); }

  Process J while (TRUE) {   while (turn!=1) ; //loop till turn becomes 1   critical_region();   turn=0;   noncritical_region(); } Ref : Pg.60, Chap 2, Process, Ref #1

  
  Before you begin to analyze what happens, please refresh yourself on the rules for a good solution. Now, think about if the above is a good solution
  
  In the next update we will discuss the above (i.e why it is not acceptable), Peterson's Solution, Producer-Consumer problem, semaphores, monitors, message passing etc. In the final part, we will go thru some classical IPC problems.
  

[26.09.02]

Ease of Use > Security

It is absolutely true. People are lazy. They don't like to read manuals, use complicated software or observe safe practises.

• Maintain encrypted filesystems for all personal work/details (almost all my data). This is the only place where you need to physically enter a password (fairly complex).

• All passphrases used are program generated and then a bit of personally introduced noise is added. Most of them are as much as the buffer permits. Of course, this is not memorized, it is stored in a file kept in the fs. When entry is required, it is done via simple cut-paste. This makes the process a bit more intruder-resistant (keyloggers etc).

• Whenever sensitive information needs to be transmitted, especially via e-mail, use PGP and further wrappers. Personally, I prefer DSS (maximal).

• Default = Unsafe (whatever program, solution, protocol et.al)

• Use a non-standard mail client, this reduces your risk to exploits related to some particular client (more applicable under Windows).

• You develop an intuitive sense about ur system as time passes. Anything that seems out of the ordinary on a given day usually does indicate some problem (say it takes longer to boot, run a program or ur system is throwing up weird errors). Learn to respond to this intuition.

• Learn about various protocols, and learn to use the more secure ones (even if they are harder to use) .. eg. select ssh over telnet.

• Never trust closed-source software completely. Infact, never trust completely :)

Logfile

[September - October]

• India's premier and one of the world's most respected institutes - IIT, Madras - held Shastra' 02, a tech festival. Ayan is involved in the organization and hosting of AI-Bots (mentioned earlier in this column). Learn more about it at www.shaastra.iitm.ac.in .

• I hate intrusive technology (Cells, Laptops, PDAs..). Strange, I feel this way considering my area of work. But its something I cannot deny. There should be moments when a human being is detached from technology .. away from it all. Someday when God permits, I like be someplace where the air is devoid of info-electrons (seeking utopia in today's world i guess :-) ). I prefer being unwired and real.

• Take a look at Bill Joy's brilliant article (circa 99) "Why the future doesn't need us".

• Check http://web.mit.edu/newsoffice/nr/2002/nevanlinna.html , amazing achievement.. intellectual giants.

• Mark this site http://www.linux-box.org , seems to be a really good source on linux security.

• Check out http://www.winguides.com/security/password.php , an excellent web-based utility.

• Remembered something.. take a look at the illustrations given in the Jurassic Park (the book, before each new chapter) .. though it is sacrilege for purists, this may prove interesting enough for you to get started on chaos theory. A book by James Gleick called "Chaos" is also a good intro. It may also help you to understand the world we live in today and the events taking place.

• Guitar players who I really wish were my neighbours :-) .. Jimi Hendrix ( the man who started it all ), Van Halen ( listen to a solo on MJ's Beat It apart from his own work ), Joe Satriani (God's own guitar player), Slash (for his pentatonic work and a timeless "Sweet Child O Mine"), Nuno Bettencourt ( "More than Words" .. vindicated my trust in the acoustic guitar) and Billie Joe Armstrong (for "Time of your life").

• Wrote "Run" .. a positive poem for change :-). Listened to Kishoreda's "Neele Neele Ambar par" after a long time.. I still want to know who played the guitar on this song .. amazing acoustic performance.

• It's so funny how so many people want to put you down. But they can't stop you from flying unless you want them to. Like someone wise said (and recently i was reminded by Stat) "Your are your own worst enemy".

• Velocity is what scares the average. They get scared by speed .. of brilliance, achievements, they try to downplay it, tell you that you're like them.. carry on fools, i am having so much fun.

• Learn to use your anger in a positive way. Let it be the fuel, power to a life extraordinary, I've realized that that the key for not being a face in the crowd is .. stay away from it.

• Appa always says "Remember the loneliness of the long distance runner".. nothing grand, simple words, always rings true.

• Today was one of those days, long, weird, happy and sad. Anyways, I wrote a poem on it, so all well.

• The world is like a mirror, it will present to you exactly what you want to see or do. We all say that there is "grey", but its my strong feeling that it often boils down to simple wrong and right.

• Check this out, *nix's fav daemon's distro site gets hacked and replaced with a rogue version, I guess its sendmail blues.
  

Contribute! Learn! Discuss!

Contact:
You're invited to send in your entries, comments et.al for publication to hwcol@arunkoshy.cjb.net

Hot Topics (but definitely not restricted to):
algorithms, stuff related to systems programming and applied network security.

Style:
SWG advocates a "hands-on" approach .. Get to the code or point. Provide references and links if necessary (especially if you're presenting a fresh perspective on something already known).

All images, content & text (unless other ownership applies) are © copyrighted 2003, Infosecwriters.com. All rights reserved. Comments are property of the respective posters.