Wednesday, September 22, 2010

Wireless security - Detecting rogue access points

According to Deraison and Gula (2009), detecting wireless access points is a major source of activity for many enterprise security groups, and they suggest manual inspection and dedicated system audits as two methods that can be used for this task.

Manual audits
Conducting a system audit with a wireless-enabled notebook computer or a PDA and walking around the network premises will help locate any access points connected to the network and transmitting wireless signals. This requires physical access to all locations of the network. Utilizing RF scanning systems would assist in pinpointing the access point locations much more easily.


Dedicated auditing can use techniques such as the following.
Centralized monitoring
There are solutions available that utilize the company network's authorized access points to report any other wireless signals they detect to a centralized console. Jim Geier (2003) identifies Air Wave as an example. Examining this data helps identify any unauthorized connections from a central point, and this method suits any large network.

Port scanning
Employing software tools to do a TCP port scan of the company network would list all devices with port 80 open. Port 80 is associated with HTTP network traffic, and Geier (2003) points out that this technique will detect web servers, printers and nearly all access points. This method would also suit large networks.

The Nessus vulnerability scanner is an example of software that performs port scanning.

Once the access points are identified, further checks will be required to determine if the access point is really a rogue access point.

Check if default SSID is used
Check if SSID is set to broadcast
Check if default administrator account is accessible using default password
Check if MAC address filtering is used
Vendor name, device type, model
Security configuration
Check if encryption is used

Finding items in the above list with default values in use or no values set is an indicator that the access point is a rogue one, according to Peláez (2004).
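The checks above can be applied automatically to the output of a scan or of a centralized console. The following is an added example, not code from the post or from any product it names: it compares observed access points against a constructed inventory of authorized BSSIDs and records which items of the checklist each one fails (the default-password check is left out, since it needs an active login attempt rather than scan data). All names and values are constructed.

```python
from dataclasses import dataclass

# Constructed data: the BSSIDs a centralised console would hold for the company's own
# access points, and a few factory-default SSIDs (illustrative list, not exhaustive).
AUTHORISED_BSSIDS = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}

@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    vendor: str            # vendor name as the scanner reports it from the BSSID's OUI
    encryption: str        # "WPA2", "WEP" or "none"
    ssid_broadcast: bool
    mac_filtering: bool    # True if the AP is known to filter client MAC addresses

def rogue_indicators(ap, authorised=AUTHORISED_BSSIDS):
    """Checklist items the AP fails; an empty list means nothing suspicious was found."""
    hits = []
    if ap.bssid.upper() not in authorised:
        hits.append("not in authorised inventory")
    if ap.ssid.lower() in DEFAULT_SSIDS:
        hits.append("default SSID")
    if ap.ssid_broadcast:
        hits.append("SSID broadcast enabled")
    if ap.encryption.lower() == "none":
        hits.append("no encryption")
    if not ap.mac_filtering:
        hits.append("no MAC filtering")
    return hits

def suspects(aps, authorised=AUTHORISED_BSSIDS):
    """Map BSSID -> failed checks for the APs that need a closer look, worst first."""
    flagged = {ap.bssid: rogue_indicators(ap, authorised) for ap in aps}
    flagged = {b: h for b, h in flagged.items() if h}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))

# Constructed scan results: two corporate APs and one unknown AP left on factory settings.
SAMPLE_SCAN = [
    ObservedAP("00:1A:2B:3C:4D:5E", "CorpNet", "Cisco", "WPA2", False, True),
    ObservedAP("00:1A:2B:3C:4D:5F", "CorpNet", "Cisco", "WPA2", False, True),
    ObservedAP("00:14:BF:AA:BB:CC", "linksys", "Linksys", "none", True, False),
]

if __name__ == "__main__":
    for bssid, hits in suspects(SAMPLE_SCAN).items():
        print(bssid, "->", ", ".join(hits))
```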

References

Deraison, R, Gula, R, 2009, Using nessus to detect wireless access points,
http://www.nessus.org/whitepapers/wap-id-nessus.pdf

Geier, J, 2003, Identifying rogue access points,
http://www.wi-fiplanet.com/tutorials/article.php/1564431/Identifying-Rogue-Access-Points.htm


Peláez, R, 2004, Auditing 802.11 wireless networks focusing on the Linksys BEFW11S4 Access Point, An auditor's perspective,
http://it-audit.sans.org/community/papers/auditing-80211-wireless-networks-focusing-linksys-befw11s4-access-point_121

Pacchiano, R, 2006, How to Track Down Rogue Wireless Access Points,
http://www.smallbusinesscomputing.com/webmaster/article.php/3590656/How-to-Track-Down-Rogue-Wireless-Access-Points.htm

Monday, September 20, 2010

Vulnerability assessment - Nessus Vulnerability Scanner

Download Nessus vulnerability scanner

Fill in the requested information and submit.
Start server
Use default values and obtain activation code.
Start client
This step could not be performed successfully due to the error below.

Wireless security - Spoof a MAC address using SMAC

Download SMAC from www.klcconsulting.net/smac
SMAC 2.0 allows the Media Access Control (MAC) address of a network adapter to be changed, otherwise known as spoofing the MAC address.

This task demonstrates how to exploit a vulnerability that is present in wireless networks. An attacker could find out a valid MAC address allowed by an access point, spoof the attacker's network adapter to use the allowed MAC address and connect to the network.

Install and run application

View the MAC address

Update to a new MAC address
The evaluation copy allows the address to be updated to 0C-0C-0C-0C-0C-0C. The program also had to be run as administrator on Windows Vista.

Start a command prompt

View the adapter information
Type ipconfig /all and press Enter. The updated MAC address is displayed.

Thursday, September 16, 2010

Cryptography - Hash generators & comparing hashes

Hash
One of the basic algorithms of cryptography is the hashing algorithm. Given an original block of message data, the algorithm will generate a hash that is unique to this particular message.
An advantage of a hash is that it is not feasible to compute the original message by reversing the hash.
A common use of a hash is to check the integrity of a message. As an example, ATMs compare the hashed password stored on the card with the hash of the entered password to validate the user.

MD5Deep
This is a set of programs that compute various hash values for a given input file or files.

Create the input message
Create a Word file with the text "Now is the time for all good men to come to the aid of their country".

Save the file


Create a hash
Execute md5deep and provide the above file name as its input.
md5deep g:\csinfo\itc358\assessment2\country.docx
The generated hash will be displayed. The length of the hash created is 128 bits or 16 bytes; the value is shown as 32 hexadecimal characters.



Create a hash
Use the md5deep documentation file as input to create another hash.
The length of the hash created is again 128 bits or 16 bytes, shown as 32 hexadecimal characters. This conforms to the requirement that a good hash algorithm produce a hash value of consistent length regardless of the length of the content used to generate the hash.




Modify the message contents
Open the Word file created as the input to hash 1 and modify it by removing the full stop at the end of the sentence.


Create a hash using the modified word file
Even the slightest modification has resulted in a completely new hash value.
This demonstrates that the hash function can be used to check the integrity of a message.

Create a hash using sha1deep
The hash value length is 160 bits or 20 bytes for both documents, but the hash values of the two documents are significantly different.
Create a hash using sha256deep
The hash value length is 256 bits for both documents, but the hash values of the two documents are significantly different.

Create a hash using whirlpooldeep
The hash value length is 512 bits for both documents, but the hash values of the two documents are significantly different. The displayed hash value is 128 hexadecimal digits long.
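The same exercise can be reproduced without the *deep tools or the .docx file. This is an added example, not part of the post: it hashes the sentence itself, once with and once without the trailing full stop, with the algorithms the post runs (Whirlpool only when the local OpenSSL build provides it), and reports the fixed output size and how little the two digests have in common.

```python
import hashlib

# The sentence typed into the Word file in the post, and the later edit (full stop removed).
# The text is hashed directly rather than the .docx so the values are reproducible offline.
ORIGINAL = "Now is the time for all good men to come to the aid of their country."
MODIFIED = ORIGINAL.rstrip(".")

# The algorithms behind md5deep, sha1deep and sha256deep; whirlpooldeep's algorithm is
# added only if this Python build's OpenSSL exposes it.
ALGORITHMS = ["md5", "sha1", "sha256"]
if "whirlpool" in hashlib.algorithms_available:
    ALGORITHMS.append("whirlpool")

def digest_hex(algorithm, text):
    """Hex digest of the UTF-8 bytes of text, as the *deep tools print for a file."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()

def compare_messages(original=ORIGINAL, modified=MODIFIED):
    """Per algorithm: output size, and how much the digests of the two messages share."""
    report = {}
    for alg in ALGORITHMS:
        a, b = digest_hex(alg, original), digest_hex(alg, modified)
        report[alg] = {
            "hex_chars": len(a),
            "bits": len(a) * 4,
            "differs": a != b,
            # hex positions that happen to coincide; about 1 in 16 is what unrelated digests give
            "matching_hex_positions": sum(x == y for x, y in zip(a, b)),
        }
    return report

if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(f"{alg:10} {digest_hex(alg, ORIGINAL)}")
        print(f"{'':10} {digest_hex(alg, MODIFIED)}")
    for alg, r in compare_messages().items():
        print(alg, r)
```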

Wednesday, September 1, 2010

Cryptography - Uses for hashes

Hash
Creating a hash value is a basic function of cryptography. The input is processed by a hashing function and the output is the hash value, or message digest. Ciampa (2009) describes a hashing algorithm as the most basic cryptographic algorithm. A characteristic of a good hashing function is that no two different messages will produce the same hash value, and the hash value cannot be reversed in order to find the original message. Additionally, regardless of the input message length, the output hash value will have a fixed length.

Standard Hash Algorithms
MD5 - Message Digest algorithm version 5
SHA - Secure Hash Algorithm
Whirlpool - Whirlpool hashing algorithm

Uses of hashes

Client authentication by a server is a good scenario for using hash values. As an example, Ciampa (2009) describes how ATMs validate the hash of the user's entered password against the hashed password stored on the card.
This avoids the need to transmit passwords over the network and is more efficient and more secure.

A message can be verified as the original with the use of a hash value.
The creator of the message generates a hash value, also known as a message digest. The recipient can generate the hash value of the received message and compare it with the original hash to verify that the message content is original and has not been modified. However, this technique on its own does not provide confidentiality of the message.

Stallings (2005) describes three alternative ways in which the above technique can be used to obtain authenticity as well as confidentiality.
  • Using conventional encryption
  • Using public-key encryption
  • Using secret value

Another use of a hash function is the message integrity check, which is a digital signature found in secure email according to Pfleeger and Pfleeger (2007).
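The message-digest check above, and the third of Stallings' variants (a secret value appended to the message before hashing), can be shown side by side. This is an added example, not the post's or the textbook's code; the message, altered message and shared secret are constructed, and the hmac_digest function is included only to show the construction used for this purpose today.

```python
import hashlib
import hmac

def plain_digest(message):
    """Message digest H(M): gives integrity, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()

def secret_value_digest(message, secret):
    """Stallings' secret-value variant H(M || S): only holders of S can produce it."""
    return hashlib.sha256(message + secret).hexdigest()

def hmac_digest(message, secret):
    """The standard keyed construction (HMAC), for comparison with H(M || S)."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify(message, received_digest, secret=None):
    """Recipient side: recompute the digest and compare it in constant time."""
    expected = secret_value_digest(message, secret) if secret is not None else plain_digest(message)
    return hmac.compare_digest(expected, received_digest)

def intercept_and_alter(message, new_message):
    """What someone in the path can do without S: substitute the message and recompute H(M')."""
    return new_message, plain_digest(new_message)

# Constructed scenario.
MESSAGE = b"Transfer 100 to account 42"
ALTERED = b"Transfer 900 to account 99"
SECRET = b"constructed-shared-secret"

def demo():
    # Bare digest: the altered message with a recomputed digest still verifies, so the check
    # catches accidental corruption but not a deliberate change by someone in the path.
    m2, d2 = intercept_and_alter(MESSAGE, ALTERED)
    plain_fooled = verify(m2, d2)
    # Secret value: H(M' || S) cannot be computed without S, and reusing the genuine
    # digest with the altered message fails too, so the substitution is caught.
    keyed_fooled = verify(m2, d2, SECRET) or verify(m2, secret_value_digest(MESSAGE, SECRET), SECRET)
    genuine_ok = verify(MESSAGE, secret_value_digest(MESSAGE, SECRET), SECRET)
    return {"plain_fooled": plain_fooled, "keyed_fooled": keyed_fooled, "genuine_ok": genuine_ok}

if __name__ == "__main__":
    print(demo())
```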

References
Ciampa, M, 2009, Security+ guide to network security fundamentals,

Pfleeger, C, Pfleeger, S, 2007, Security in computing, Prentice hall

Stallings, W, 2005, Business data communications, Prentice hall

Saturday, August 21, 2010

Wireshark - Protocol Analyser

Networks
Computer networks have become an important part of our daily life. We rely on such networks to accomplish so many daily tasks that we often do not realize their existence. Phone calls, paying bills, transport, and the operation of rail and road networks all depend on the computer networks that provide and carry out many tasks electronically.

Therefore, networks attract significant attention when it comes to security, and the number of attacks carried out on them is increasing.
Vulnerabilities
The variety of devices, protocols, transmission media, data and applications that make up a network contributes to the many vulnerabilities the network will possess.

Attacks
Denial of service, spoofing, man-in-the-middle and replay are some of the types of attacks that can be performed on a network.

Wireshark
Wireshark is the world's foremost network protocol analyser, according to its About Wireshark web page.

This tool can be used on many different platforms to analyse a variety of protocols that a device is receiving and transmitting.

The Windows installation uses another industry-standard piece of software, WinPcap, the Windows packet capture library, which is used to gain link-layer network access on Windows.

Download Wireshark
Wireshark can be downloaded from the website's download page or one of the mirror sites listed on the website. Once the download is complete, run the .exe to install the software. It will prompt to install WinPcap; use the default setting of starting WinPcap at start-up to enable easy use of the application.

Launch Wireshark
Launch Wireshark and click Capture, then Interfaces. Select the network interface adapter of the computer and click the Start button.

View captured packets
Depending on the network traffic, it will capture and display the packets captured.
If nothing appears, untick "capture packets in promiscuous mode".

View login information
Direct the web browser to url www.medialightbox.com/login



Enter the user ID Gerald and password happy and press Enter. The login attempt will fail as there is no valid user with these credentials, and an error message will be displayed as below.


Find data in packets
Return to the Wireshark window, click Edit, then Find Packet. Click String, type Gerald in the filter field and click Find. The packets which contain the searched string will be shown.


In steps 7 and 8 Wireshark captures the data being transmitted to and from the computer as data packets. Their contents are then displayed along with other information such as source and destination IP addresses, protocol and status codes.

When the data are transmitted as encrypted content, such as when using the SSL protocol, Wireshark will not be able to display the data content as plain text.

Saturday, July 24, 2010

Question 3 – Virus attacks

Computer security
Security in the context of computers means addressing the important aspects of Confidentiality, Integrity and Availability of the computer system.
A good secure system achieves the right balance of these three aspects in relation to the data, software and hardware of the particular computer system. Once a system is secured, there is a lower possibility of its vulnerabilities being exploited.
Virus
Computer viruses are software that can cause damage to the computer system in which they reside as well as spread themselves to other computer systems. These viruses have the ability to attach themselves to another object such as a document or file, and once the document or file is opened or executed by the user, the virus will spread to that computer system. If this file were copied to another computer, the virus would spread in the same way to that computer. This process enables viruses to spread and infect many computer systems. Today's highly networked systems and the Internet have provided an ideal medium for viruses to spread.


Viruses exploit vulnerabilities that exist in software and destroy, alter or compromise data on a computer system.
Worst computer viruses
While there may be many different ways to categorize a computer virus, such as the damage caused, the difficulty of detection, the time taken to spread and so on, Code Red, Melissa, I Love You and Nimda can be listed as well-known viruses among the worst to have spread in the computing world so far.
Based on an article by Thorsberg (2002), the world's worst viruses are:
  1. LoveLetter - I love you virus (2000)
  2. Klez worm (Oct 2001)
  3. Melissa virus (Mar 2001)
  4. Magistr (Mar 2001)
  5. Explorer.zip worm (1999)
  6. Anna Kournikova (or VBS.SST@mm) worm (Feb 2001)
  7. Nimda virus (Sep 2001)
  8. Benjamin worm (May 2002)
  9. Code red worm(2001)
  10. Sircam (Jul 2001)

The latest viruses
Examining Symantec's security response page (Symantec, 2010a), a few of the latest threats are listed below; the vulnerabilities were noted in Microsoft Windows, Microsoft Access, Outlook, Adobe Flash Player and Adobe Reader.

W32.Changeup.C - Worm
This was discovered on 23 July 2010 and infected Windows 95, Windows 98, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003 and Windows 2000 systems. The worm exploits a vulnerability in the automatic file execution of Microsoft Windows shortcut 'LNK' files and spreads through removable and shared drives.
Bloodhound.Exploit.343 - Trojan, Virus, Worm
Symantec lists Windows systems as affected by this threat, and it also exploits the Microsoft Windows shortcut 'LNK' file automatic file execution vulnerability.
Bloodhound.Exploit.341 - Trojan, Virus, Worm
Windows systems are affected by this threat, and it exploits a Microsoft Outlook TNEF stream with MAPI attachment remote code execution vulnerability, according to Symantec.


McAfee (2010b) had the list of malware below on its threat center web page on the same day and noted Microsoft Windows, Microsoft Office and Internet Explorer on the current vulnerabilities list.
Exploit-CVE2010-2568
McAfee (2010a) described this malware as exploiting a vulnerability found in Microsoft Windows Shell code which allows code execution via a maliciously crafted .lnk file. Removable USB drives and shared folders were the noted means of spreading for this malware.
MSIL/Terdial.d
This particular malware periodically dials premium rate/high cost long distance phone numbers, according to the McAfee (2010b) MSIL/Terdial.D description. It requires the .NET Compact Framework to be installed to run the malicious code and is packaged with a legitimate game called “PDA Poker Art”, according to McAfee's description.

The latest attacks
According to the Internet security threat report by Symantec (2010b), the Hydraq trojan was used to carry out attacks on large companies in January 2010. This trojan used a previously unknown vulnerability in Microsoft Internet Explorer and a patched vulnerability in Adobe Reader and Adobe Flash. Attackers were able to gain full remote access to the computers once the trojan had been installed.

Further, according to the same report, in 2009 a major attack was carried out against a single credit card payment processor, hacking into the network using an SQL-injection attack.

Crimeware kits
An increasing problem with computer attacks is crimeware kits: toolkits that allow people to customize malicious code and that include a variety of different exploits. An example is the Zeus kit, which could be bought for $700 or even obtained free from underground forums. Fragus, Eleonore and Neosploit are also well-known attack kits that can be used for web attacks, according to Symantec (2010b).

References

McAfee (2010a). Exploit-CVE2010-2568 Retrieved 31/07/2010, from
http://vil.nai.com/vil/Content/v_268562.htm

McAfee (2010b). MSIL/Terdial.D Retrieved 31/07/2010, from
http://vil.nai.com/vil/Content/v_268519.htm

Symantec (2010a). Security response Retrieved 23/07/2010, from
http://www.symantec.com/business/security_response/landing/threats.jsp

Symantec (2010b). Symantec global internet security threat report. Trends for 2009, XV.
Retrieved from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf

Thorsberg, F. (2002). The world's worst viruses. Retrieved from
http://www.pcworld.com/article/103992/the_worlds_worst_viruses.html