Rogue Access Points and UBC s Wi-Fi Network

Similar documents
Wireless LAN Security (RM12/2002)

Detecting & Eliminating Rogue Access Point in IEEE WLAN

PRODUCT GUIDE Wireless Intrusion Prevention Systems

Wireless Attacks and Countermeasures

Mobile Security Fall 2013

Wireless Network Security

How Insecure is Wireless LAN?

Wireless Network Security Fundamentals and Technologies

What is Eavedropping?

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

5. Execute the attack and obtain unauthorized access to the system.

NETWORK SECURITY. Ch. 3: Network Attacks

EVIL TWIN ACCESS POINT DETECTION AND PREVENTION IN WIRELESS NETWORK Sandip S. Thite Bharati Vidyapeeth s College of Engineering for Women, Pune, India

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

NETWORK THREATS DEMAN

EECE 412, GROUP 10 REPORT. Security Analysis on the Malicious Use of Public Wi-Fi (December 2010)

Multipot: A More Potent Variant of Evil Twin

Chapter 11: Networks

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Chapter 11: It s a Network. Introduction to Networking

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Wireless technology Principles of Security

Education Network Security

LESSON 12: WI FI NETWORKS SECURITY

Motorola AirDefense Retail Solutions Wireless Security Solutions For Retail

Rogue Access Point Detection using Temporal Traffic Characteristics

BYOD: BRING YOUR OWN DEVICE.

Ethical Hacking and Prevention

CHAPTER 8 SECURING INFORMATION SYSTEMS

Protecting the Platforms. When it comes to the cost of keeping computers in good working order, Chapter10

Standard For IIUM Wireless Networking

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Chapter 24 Wireless Network Security

Define information security Define security as process, not point product.

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

3.5 SECURITY. How can you reduce the risk of getting a virus?

Web Cash Fraud Prevention Best Practices

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

Frequently Asked Questions WPA2 Vulnerability (KRACK)

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Wi-Net Window and Rogue Access Points

Webomania Solutions Pvt. Ltd. 2017

2. INTRUDER DETECTION SYSTEMS

Implementing. Security Technologies. NAP and NAC. The Complete Guide to Network Access Control. Daniel V. Hoffman. WILEY Wiley Publishing, Inc.

Rogue Access Point Detection using Challenge-Response Mechanism

Chapter 6 Network and Internet Security and Privacy

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Coordinated Threat Control

Introduction to Information Security Dr. Rick Jerz

Karthik Pinnamaneni COEN 150 Wireless Network Security Dr. Joan Holliday 5/21/03

Chapter 4. Network Security. Part I

Solution Architecture

Information Technology Policy Board Members. SUBJECT: Update to County WAN/LAN Wireless Standards

WIDS Technology White Paper

Configuring Security Solutions

e-commerce Study Guide Test 2. Security Chapter 10

Detecting Protected Layer-3 Rogue APs

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

5 Tips to Fortify your Wireless Network

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Securing Wireless Networks by By Joe Klemencic Mon. Apr

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

2013 InterWorks, Page 1

II. CURRENT APPROACHES. A. Wireless Approaches

WHITEPAPER. Protecting Against Account Takeover Based Attacks

Obstacle Avoiding Wireless Surveillance Bot

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Best Practices Guide to Electronic Banking

Secure Mobility Challenges. Fat APs, Decentralized Risk. Physical Access. Business Requirements

Guide to Network Security First Edition. Chapter One Introduction to Information Security

CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

CTS2134 Introduction to Networking. Module 08: Network Security

Network Security and Cryptography. December Sample Exam Marking Scheme

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Payment Card Industry Data Security Standard (PCI DSS) Primer Version 1.1

Wireless Network Standard

Endpoint Security - what-if analysis 1

Cisco Adaptive Wireless Intrusion Prevention System: Protecting Information in Motion

AT&T Endpoint Security

A Visualization Tool for Wireless Network Attacks

Securing Information Systems

Managing Rogue Devices

Authentication Methods

Securing Information Systems

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Intrusion Attempt Who's Knocking Your Door

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, Second Edition

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

Internet Platform Management. We have covered a wide array of Intel Active Management Technology. Chapter12

Transcription:

Rogue Access Points and UBC s Wi-Fi Network Arunkumar Chebium, Pawittar Dhillon, Kaveh Farshad, Farhan Masud Department of Electrical and Computer Engineering, University of British Columbia Vancouver, BC, Canada {arun.chebium, peterdhillon, kfarshad, farhanmasud}@gmail.com ABSTRACT Rogue Access Points (RAPs) constitute arguably the biggest security threat to Wireless (Wi-Fi) networks today. In this term project, we have studied RAPs in UBC s Wi-Fi network. We have mined recently collected data about wireless access points on campus to extract information about RAPs, prepared scatter plots of this data, demonstrated some threats that a malicious hacker could give rise to by means of using a RAP (MAC address spoofing, phishing, snooping), and talked to a UBC IT network analyst to understand the countermeasures UBC has in place currently to counter the threat of RAPs. Based on this work, we develop a threat model and propose some additional countermeasures that could be employed by students, campus employees and UBC IT administrators to further reduce the threat posed by these RAPs. INTRODUCTION A RAP is, quite simply, any un-trusted or unknown access point in a wireless Local Area Network (WLAN) that could be used by hackers to gain backdoor access into an otherwise secure network and conduct malicious activity such as snooping, introducing worms and viruses, and launching Man-in-the-Middle (MiM) attacks. A common approach in the industry to detect RAPs is to use sniffer software such as AirMagnet, Airdefense, and NetStumbler and perform a walking audit with a portable 1 device. These software programs can then capture the coordinates of the various Access Points (APs), their SSIDs (Service Set Identifiers), MAC addresses and signal strengths. However, this is a very timeconsuming method; moreover, it only yields a snapshot at a certain point in time [1]. A more reliable - albeit expensive - approach involves the use of permanent antennas (probes) that continuously monitor the airwaves to obtain a full wireless footprint of the network [2]. Background probing may also be implemented for organizations that have established wireless network connectivity to augment the existing infrastructure [2]. Solutions proposed by academia to address this issue are few (see [3], [4], [5] for examples of major work). Also, because of their reliance on analyzing the content of actual network traffic, they seem a bit impractical to efficiently and quickly apply to an enterprise-strength network such as UBC s. In this project, we begin by presenting data about the spread of RAPs in UBC s Wi-Fi coverage area. Then we demonstrate some threats that a hacker using a RAP can give rise to. This led us to conducting a security analysis and sketching out a threat model for the network. Then, based on an interview conducted with a UBC network analyst to understand the countermeasures currently employed by UBC to counter RAPs, we propose some additional countermeasures of our own which, in our opinion, will help further reduce the threats posed by RAPs.

ROGUE ACCESS POINTS IN UBC s Wi-Fi NETWORK Our first task was to identify and map out the RAPs currently active in UBC s Wi-Fi network in order to get a grasp on the magnitude of the problem. In order to do this, we began with survey data pertaining to UBC s wireless coverage collected by a team member (Peter) as part of another course (EECE 496). The survey s primary intention was to obtain an estimate of the spread of wireless access points on campus so that a plan could be developed to introduce highly portable devices such as Wi-Fi equipped tablets, PDAs and VOIP-enabled devices into the wireless network. The survey was conducted by performing various walking audits that spanned the length and breadth of the UBC campus and resulted in comprehensive data about access points legitimate and rogue in the form of huge data files. Each data file consists of over 200,000 lines of data, with each line specifying information about an access point in terms of its GPS co-ordinates, SSID, and other parameters of interest. Then, by means of a filtering program in MATLAB that we developed, we mined the data in these files and extracted information about those access points that have SSIDs other than ubc and ubcsecure (and are, therefore, unauthorized). We also used the program to prepare scatter plots of the extracted data in order to obtain visually intuitive representations. Here are some of these results: Fig 1: Area of campus that was surveyed 2 Fig 2: Map of legitimate access points across campus

Fig 3: Map of Rogue Access Points across campus Over 400 RAPs were found in the data that was mined to obtain RAP information. THREATS DEMONSTRATED Our second task was to demonstrate some of the threats that RAPs can give rise to. There are three threats that we demonstrated: (1) MAC Address Spoofing (2) Phishing (3) Snooping on sensitive data. (1) MAC Address Spoofing: To demonstrate this threat, we brought in a rogue desktop computer into UBC and, to allow it to log onto UBC s wired LAN, assigned it the MAC address of a trusted computer that was already authenticated and allowed to use the LAN. We then disconnected the trusted computer from the LAN and attempted to access the internet from the rogue computer instead. We were successful in our attempt. (2) Phishing: Our second mode of attack was more involved. Our intention was to set up a wireless RAP on this rogue desktop computer and broadcast our SSID so that wireless-enabled laptops in the RAP s vicinity would automatically connect to our RAP instead of to UBC s regular wireless service (see [6] for an explanation of why laptops should automatically connect to our RAP). For this purpose, we purchased a commercially available wireless USB adapter that could easily be configured to also work as an access point (see [7]). Also, we gave our RAP an SSID of UBC in order to make it seem as genuine as possible to a casual user who might happen to glance at our RAP s SSID. We then created our own (fake) version of UBC s wireless login page. Using a freely available tool known as AirSnarf, we created the web-page such that, if a user attempts to log in at that page by typing his/her username and password, we would be able to capture those details in a file and direct the user to another web-page that would display the text HACKERS... Just so you know, your password has been obtained. Also, using another freely available tool known as TreeWalk, we poisoned the 3

cache of the rogue desktop computer so that all attempts to navigate to the URL www.ubc.com on the rogue desktop computer as well as on any wireless laptops connected to our RAP would load up our fake web-page (see [8] for a step-by-step explanation of this entire process). However, attempts to navigate to other URLs would work normally as intended, making it difficult for the victim to suspect any malicious activity. Finally, we brought in a wirelessenabled laptop in the vicinity of our RAP; immediately, the laptop automatically connected to our RAP and thus obtained wireless internet access through our RAP. Then, sure enough, when we navigated to www.ubc.com on the laptop, it brought up our fake webpage. When the user typed in his user name and password, the HACKERS... web-page was displayed, and the username and password were available on the rogue desktop computer for viewing. Thus we were able to demonstrate our version of phishing using a rogue desktop computer, a commercially-available wireless USB adapter, and freely available software tools. (3) Snooping: The last threat that we were able to demonstrate was snooping. By running a freely available Ethernet sniffer application on the rogue desktop computer, we were able to observe all the internet traffic of the laptop that was connected to the wireless network through our RAP. One can very well imagine what a serious hacker might be able to do with this type of information: he could profile the victim s internet usage and activity, decrypt sensitive information and cause serious damage to the user. SECURITY ANALYSIS From our work in the previous section, we see that the victim is vulnerable in different ways. The first threat that we demonstrated MAC address spoofing is not only disruptive (by stealing someone s MAC address, we are denying them access to the internet and thereby causing a Denial of Service) but also deceptive (we are masquerading as an authenticated UBC user). Phishing, though, is more dangerous: the confidentiality of the victim s sensitive information is compromised, and by using the harvested username and password, the integrity of information that has been protected using this login data can also be compromised. Therefore, this threat is usurpative in nature. Thus, we see that our work outlines the following threat model: 1. The threat agents here are hackers who would want to conduct malicious activity by using any one of the numerous RAPs available on campus/installing their own RAP (as we did, for example). 2. The threats that they could give rise to are deceptive, disruptive and usurpative in nature. 3. The assets at stake are: valid UBC network credentials (high-value), sensitive user login information (very high-value), and user internet profile and internet activity data (high-to-very-high value). 4

EXISITING COUNTERMEASURES We talked to Mr. Geoff Armstrong, a Network Support Analyst in UBC s IT department 1, about existing countermeasures against RAPs. Here is a summary of what he had to say and our corresponding thoughts: UBC is aware of the presence of RAPs on campus (based on the data we collected, we could identify about 400 RAPs; however, according to Mr. Armstrong, there are about 800 of these currently). UBC has a wireless control board that constantly monitors all activity on the UBC wireless network using full-time probes and detects the emergence of RAPs. Indeed, when a RAP appears, analysts such as Mr. Armstrong receive notification alerts via the wireless control board. They can then monitor these APs and, in case any RAP engages in malicious activity, analysts can use valid APs surrounding the rogue to contain it (using a standard industry technique such as four-point or eight-point containment where the legitimate APs surrounding the RAP broadcast higher-power signals than the rogue, ensuring that users only connect to these legitimate APs). However, we were able to conduct malicious activity using our RAP; thus, even though there are system-level techniques available for containment, vulnerabilities and vulnerable timeframes when attackers can operate still exist in UBC s Wi-Fi network. Also, UBC s IT mostly uses due diligence to eliminate RAPs; in most cases, according to Mr. Armstrong, they go knocking on the doors of people 1 He can be reached at geoff.armstrong@ubc.ca running RAPs and ask them to dismantle them. However, this is considerably lowtech, and, based on our work, we argue that this approach cannot provide a quick-enough solution against an attacker who runs, say, a phishing operation from within UBC, especially since he/she can move quickly within UBC and hide his/her RAP behind the considerable number of RAPs already on campus. Thus, our opinion is that though there are counter-measures in place currently, they need strengthening, especially in the light of the number of RAPs currently on campus and the surprisingly malicious activity that can be conducted in a very short timeframe using a RAP. PROPOSED COUNTERMEASURES The countermeasures that we propose advocate the principle of Defense in Depth by ensuring that there are multiple layers in the defense paradigm employed. These measures recommend that students, campus employees and UBC IT administrators employ some basic safeguards in order to reduce the threats due to RAPs. These are grouped into two categories: victim-centric countermeasures and system-centric countermeasures. 1. Victim-centric countermeasures The following are some easy safeguards that can be employed by students and campus employees that can prevent them from becoming victims: Ensure that all pages which require logging in operate under the https protocol. Change browser settings so as to demand certificates from the login website and only login when certificates are valid and unexpired and reflect web-site and issuing 5

authority names correctly. (This may be thought of as a variation of The Principle of Complete Mediation, in that every access to an asset (login data) is mediated by the user himself/herself.) Use VPN whenever possible to log onto campus wireless networks. 2. System-centric countermeasures The following are some simple, additional measures that could be employed by UBC s IT department: Regularize the removal of RAPs; establish strict time-intervals within which every RAP must be dismantled. Quarantine systems that create and operate RAPs and maintain revocation lists of offending MAC addresses and SSIDs. Publish this list on prominent websites in the UBC network so that users are better educated about the risks involved with RAPs. CONCLUSION Rogue Access Points pose big security threats to enterprise-strength networks but they can be neutralized with due diligence and decisive action. It is our hope that, by demonstrating some of the threats involved, detailing a threat model, and proposing easily-implemented countermeasures, we have been able to increase reader awareness of this important security problem and educate the reader about how best to avoid some of the risks involved and safeguard the confidentiality and integrity of their sensitive information. REFERENCES [1] Identifying Rogue Access Points. URL: http://www.wifiplanet.com/tutorials/article.p hp/1564431. [2] Rogue Access Point Detection: Automatically Detect and Manage Wireless Threats to your Network. URL: www.espireit.com.au/assets/107/files/rogue AccessPointDetection.pdf [3] W. Wei, K. Suh, Y. Gu, B. Wang, J. Kurose, "Passive online rogue access point detection using sequential hypothesis testing with TCP ACK-pairs", accepted to appear in ACM Internet Measurement Conference (IMC) 2007. [4] R. Beyah, S. Kangude, G. Yu, B. Strickland, J. Copeland, Rogue Access Point Detection using Temporal Traffic Characterstics, GLOBECOM 2004. [5] J. Hall, M. Barbeau and E. Kranakis, Enhancing Intrusion Detection in Wireless Networks using Radio Frequency Fingerprinting, Communications, Internet and Internet Technology, 2004. [6] Your computer connects to an access point that broadcasts its SSID instead of an access point that does not broadcast its SSID.URL: http://support.microsoft.com/kb/811427 [7] ZyXEL ZyAIR G-220 - USB 2.0 802.11G Wireless Adapter & Soft-AP - G220. URL: http://www.buy.com/prod/zyxel-zyair-g-220- usb-2-0-802-11g-wireless-adapter-softap/q/loc/101/10381071.html [8] Evil Twin Access Points for Dummies. URL: http://airsnarf.shmoo.com/airsnarf4win.html 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback