When you think of online attacks, the first thing that comes to mind is usually the computer virus, that nasty little bit of malicious code that can ruin your day, not to mention your computer. Going hand in hand with that threat are spyware, adware and all the other kinds of malware that run the gamut from irritating to intrusive to devastating. That only covers the automated kinds of threats that are out there. What happens when a hacker sits down to do some damage in person? One frequently used tactic is to intercept the information going back and forth between two computers, making him the "man in the middle."
The Man in the Middle
This attack is also known as an MITM or bucket-brigade attack. To carry it out, the hacker creates an independent connection to each of the two victims and relays the data moving between them. The victims, unaware that anything is wrong, think they are communicating directly with one another when in fact both are communicating with the hacker. The trick on the hacker's end is that he must successfully impersonate each victim to the satisfaction of the other, both in terms of content (what is said over the connection) and in terms of authentication (convincing each side that it really is talking to the other, so that the connection is kept up rather than torn down). If the hacker can do this, he can read the traffic, inject or alter messages, steal information and wreak all sorts of other havoc.
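As an added illustration, not code from the original article, the following Python models the two independent connections the text describes: a relay sits between two endpoints, logs everything that passes and alters a payload in flight. It is run once without any integrity protection and once with a keyed hash (HMAC over a pre-shared key, used here as a stand-in for the "authentication" the text mentions). The key, the endpoint names and the message are all constructed for the example. The point it makes is the one in the paragraph above: the relay sees every plaintext message either way, but once the endpoints share a secret the attacker does not hold, his tampering is detected and the impersonation fails.

```python
import hmac
import hashlib

# Constructed for the example: a key that only the two endpoints hold.
# The relay in the middle never sees it.
SHARED_KEY = b"example-pre-shared-key"


def tag_for(key, text):
    """Integrity tag over the message text (HMAC-SHA256)."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


class Endpoint:
    """A victim that sends and receives over whatever link it was handed."""

    def __init__(self, name, key=None):
        self.name = name
        self.key = key          # None: message content is not authenticated
        self.received = []      # (verdict, text) pairs, in arrival order

    def send(self, link, text):
        msg = {"from": self.name, "text": text}
        if self.key is not None:
            msg["tag"] = tag_for(self.key, text)
        return link.deliver(msg)

    def receive(self, msg):
        if self.key is not None:
            expected = tag_for(self.key, msg["text"])
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                self.received.append(("REJECTED", msg["text"]))
                return False
        self.received.append(("OK", msg["text"]))
        return True


class ManInTheMiddle:
    """Holds its own link to the real peer and relays traffic through itself.

    It captures every message it sees and, in this example, rewrites the
    destination account in a transfer request before passing it on.
    """

    def __init__(self, real_peer):
        self.real_peer = real_peer
        self.captured = []

    def deliver(self, msg):
        self.captured.append(msg["text"])
        tampered = dict(msg)
        tampered["text"] = msg["text"].replace("account 1234", "account 9999")
        return self.real_peer.receive(tampered)   # any tag is left untouched


def run(authenticated):
    """Send one transfer from alice to bob through the relay.

    Returns (what the attacker captured, what bob recorded).
    """
    key = SHARED_KEY if authenticated else None
    alice = Endpoint("alice", key)
    bob = Endpoint("bob", key)
    # alice believes this link leads straight to bob; it leads to the attacker
    link_to_bob = ManInTheMiddle(bob)
    alice.send(link_to_bob, "transfer $500 to account 1234")
    return link_to_bob.captured, bob.received


if __name__ == "__main__":
    for mode in (False, True):
        captured, received = run(mode)
        print(f"authenticated={mode}: attacker saw {captured}, bob recorded {received}")
```

Note what the keyed tag does and does not buy: it stops the relay from altering messages, but it does nothing for confidentiality (the attacker still reads the plaintext), and it only helps if the key itself was established over a channel the attacker could not sit in the middle of.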
As protocols and security systems have improved, successfully executing a simple man-in-the-middle attack has become more difficult. However, the explosion in wireless Internet usage has led to some interesting adaptations of this attack.
To use a wireless local area network (WLAN), you have to connect through an access point. You see a list of access points whenever you connect to a wireless network: in some places there is only one, presumably yours, and in others a number of them show up as available. You find the one you want, provide your credentials and you are connected. With your computer properly firewalled and inoculated against viruses, intrusion attacks are more difficult than they might otherwise be, and if the network you have connected to offers its own defenses, so much the better. Still, all this does nothing against the attacks you are most likely to face while sitting with your laptop at Starbucks, sipping your Café Mochachino Grande: the Evil Twin and the Multipot.
The Evil Twin
The most prevalent attack you might find yourself the victim of, assuming you actually catch it, is the Evil Twin. In this attack the hacker sets up a fake access point that advertises the same network name (SSID) as the one you expect. If you connect to it, your computer and everything you do pass through the hacker's system rather than the WLAN you thought you were joining. At that point it is child's play for the hacker to set up a quick and dirty man-in-the-middle attack and capture anything that is not protected by its own end-to-end encryption: e-mail and chat conversations, Google searches, online forms and credit card numbers. Even worse, the hacker can redirect you to other sites, subjecting you to phishing pages, spyware or other malware that exploits known weaknesses in your browser. There is little an individual on a public WLAN can do beyond insisting on encrypted connections (HTTPS, a VPN), but a corporate wireless intrusion prevention system (IPS) offers some protection, since it can break connections that do not go through authorized access points. Of course, there are ways around that as well, such as the Evil Twin's cousin, the Multipot attack.
The Multipot Attack
This attack is newer, first seen in 2007, and is based on the older Evil Twin. The term "multipot" comes from "multiple honeypots." A honeypot is a system designed to attract and trap whoever connects to it; the term is normally associated with defenders trapping hackers, but here it is turned around to trap users. Multipot attacks are primarily used against IPS-protected enterprise networks. The difference from a plain Evil Twin is that the attacker runs two or more evil twin access points under his control, and the beauty of the scheme is that it defeats the protection the IPS offers. The reason is a gap in timescales: a client associates with an access point in a fraction of a second, while the IPS needs seconds to detect the improper association and send the deauthentication frames that force the client off it. When the IPS breaks the connection to the first rogue access point, the client simply reconnects, and this time associates with the second rogue. The IPS detects that, breaks it, and the client bounces back to the first. The client ping-pongs between the two while the IPS is always playing catch-up, and because the gaps are so short the victim is normally unaware that anything is happening.
Mitigating the Threat
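To make the timing argument concrete, here is an added toy simulation in Python; it is not from the article nor from the researchers who described the attack. It takes the two timescales from the text as assumed constants (the IPS needs a few seconds of association before it deauthenticates, assumed 3 s; the client reassociates in a fraction of a second, assumed 200 ms) and adds one further assumption of its own, that the IPS contains a single access point at a time. The AP names and all timings are constructed. With one rogue AP the client is kicked once and stays off; with two, it spends roughly 94% of a minute associated with a rogue.

```python
def simulate(rogue_aps, window_ms=60_000, detect_ms=3_000, reassoc_ms=200):
    """Toy model of a client caught between rogue APs and a wireless IPS.

    Assumptions (constructed for the example, not measured values):
      * the client associates with the first rogue AP at t=0;
      * the IPS needs detect_ms of continuous association before it
        deauthenticates the client and starts containing that AP;
      * the IPS contains a single AP at a time, so containing a new one
        releases the previous one;
      * once kicked, the client is back on the air after reassoc_ms and joins
        any rogue AP that is not currently being contained.

    Returns (fraction of the window spent associated with a rogue AP,
             number of times the IPS kicked the client).
    """
    t = 0
    connected_ms = 0
    kicks = 0
    contained = None
    current = rogue_aps[0] if rogue_aps else None
    while current is not None and t < window_ms:
        dwell = min(detect_ms, window_ms - t)   # associated until the IPS reacts
        connected_ms += dwell
        t += dwell
        if t >= window_ms:
            break
        contained = current                       # IPS deauths and contains it
        kicks += 1
        t += reassoc_ms                           # client briefly off the air
        free = [ap for ap in rogue_aps if ap != contained]
        current = free[0] if free else None       # nowhere to go -> stays off
    return connected_ms / window_ms, kicks


if __name__ == "__main__":
    for aps in (["rogue-A"], ["rogue-A", "rogue-B"]):
        frac, kicks = simulate(aps)
        print(f"{len(aps)} rogue AP(s): connected {frac:.0%} of the minute, kicked {kicks} times")
```

The absolute numbers mean nothing outside the assumed constants; what matters is the ratio of detection latency to reassociation time, which is what the second rogue AP turns into uptime for the attacker.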
While you cannot eliminate these threats, at least not yet, there are, according to security consultant Noah Schiffman, things you and your network people can do to mitigate them. Some of these methods include:
- Site Surveys. These maintain a current database of network elements that serves as a baseline for spotting changes in the WLAN, via access point characteristics including:
  - Channel and signal strength for each SSID
  - Physical access point location
  - RF triangulation
  - Vendor consistency via the MAC address (the manufacturer prefix of each BSSID)
  - Access point firmware versions
- Multilayer Protection. The 802.11 standard for wireless LANs only defines Layer 1 (physical) and Layer 2 (data link layer/MAC sublayer). Adding upper-layer authentication, encryption, network access control and vulnerability management makes the job of hacking into the system far more difficult.
- Know the Ground and the Threat. Knowledge of the physical area you are working in, and what is in it, is very important for maintaining a secure network. Things to consider include:
  - Knowledge of the geographic coverage area, including:
    - A physical map of the wireless threat exposure
    - The identification of high-risk areas
    - Areas of dense sensor deployment
  - 24x7 threat monitoring
- Threat Classification. Being able to classify the various threats allows you to respond to them with greater speed and effectiveness.
- Physical Access Control. Controlling physical access to your business premises is still an essential part of network security that should not be overlooked.
- Education. Employee education and enforcement of a comprehensive, well-defined security policy are the most important things for maintaining a secure network environment.
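The site-survey baseline and the change detection it enables, as an added Python example that is not part of the article: a baseline keyed by BSSID (the access point's MAC address) records SSID, channel, signal strength and firmware version, and a later scan is compared against it. The BSSIDs, the vendor table (a hand-picked subset of the IEEE OUI registry; check it against the real registry before relying on it) and the scan results are all constructed. An unknown BSSID advertising a known SSID is the Evil Twin signature, two or more of them at once is the multipot pattern, and a known BSSID whose signal or firmware suddenly changes is the caveat a practitioner needs: an attacker can clone the BSSID too, so the other characteristics in the survey are what catch that case.

```python
# Constructed subset of the IEEE OUI registry (first three octets -> vendor).
# Verify against the real registry before relying on it.
OUI_VENDORS = {
    "00:1A:1E": "Aruba",
    "00:0B:86": "Aruba",
    "00:0C:42": "MikroTik",
    "00:C0:CA": "Alfa",
}

# Constructed site-survey baseline, keyed by BSSID (the AP's MAC address).
BASELINE = {
    "00:1A:1E:AA:10:01": {"ssid": "corp-wifi", "channel": 6, "rssi": -55, "fw": "6.4.2"},
    "00:1A:1E:AA:10:02": {"ssid": "corp-wifi", "channel": 11, "rssi": -60, "fw": "6.4.2"},
}

# Constructed later scan taken from the same spot.
SCAN = [
    {"bssid": "00:1a:1e:aa:10:01", "ssid": "corp-wifi", "channel": 6, "rssi": -31, "fw": "6.3.0"},
    {"bssid": "00:1A:1E:AA:10:02", "ssid": "corp-wifi", "channel": 1, "rssi": -61, "fw": "6.4.2"},
    {"bssid": "00:0C:42:77:88:99", "ssid": "corp-wifi", "channel": 6, "rssi": -40},
    {"bssid": "00:C0:CA:12:34:56", "ssid": "corp-wifi", "channel": 11, "rssi": -38},
    {"bssid": "00:0B:86:FF:00:01", "ssid": "guest-cafe", "channel": 1, "rssi": -72},
]


def vendor(bssid):
    """Vendor name for a BSSID from its OUI prefix, or 'unknown'."""
    return OUI_VENDORS.get(bssid.upper()[:8], "unknown")


def audit(baseline, scan, rssi_delta=15):
    """Compare a scan against the survey baseline.

    Returns (bssid, code, detail) findings. Codes:
      unknown-bssid-known-ssid  an unsurveyed AP advertises our SSID (evil twin candidate)
      vendor-mismatch           its OUI is not a vendor serving that SSID in the baseline
      multipot-pattern          two or more such APs for one SSID at once
      channel-change / signal-anomaly / firmware-change
                                a surveyed BSSID no longer looks as it did (possible clone)
      new-ssid                  an SSID absent from the baseline (usually a neighbour)
    """
    findings = []
    vendors_for_ssid = {}
    for bssid, rec in baseline.items():
        vendors_for_ssid.setdefault(rec["ssid"], set()).add(vendor(bssid))

    unknown_for_ssid = {}
    for ap in scan:
        bssid = ap["bssid"].upper()
        ssid = ap["ssid"]
        known = baseline.get(bssid)
        if known is None:
            if ssid in vendors_for_ssid:
                findings.append((bssid, "unknown-bssid-known-ssid", f"advertises {ssid}"))
                unknown_for_ssid.setdefault(ssid, []).append(bssid)
                if vendor(bssid) not in vendors_for_ssid[ssid]:
                    findings.append((bssid, "vendor-mismatch",
                                     f"{vendor(bssid)} vs {sorted(vendors_for_ssid[ssid])}"))
            else:
                findings.append((bssid, "new-ssid", ssid))
            continue
        # Surveyed BSSID: look for drift in the characteristics the survey recorded.
        if ap["channel"] != known["channel"]:
            findings.append((bssid, "channel-change", f"{known['channel']} -> {ap['channel']}"))
        if ap["rssi"] - known["rssi"] > rssi_delta:
            findings.append((bssid, "signal-anomaly", f"{known['rssi']} dBm -> {ap['rssi']} dBm"))
        if ap.get("fw") != known["fw"]:
            findings.append((bssid, "firmware-change", f"{known['fw']} -> {ap.get('fw')}"))

    for ssid, bssids in unknown_for_ssid.items():
        if len(bssids) >= 2:
            findings.append(("*", "multipot-pattern", f"{len(bssids)} unknown APs advertise {ssid}"))
    return findings


if __name__ == "__main__":
    for bssid, code, detail in audit(BASELINE, SCAN):
        print(f"{bssid:18} {code:26} {detail}")
```

In the constructed scan the first surveyed BSSID shows up 24 dB stronger and with an older firmware string than the survey recorded, which is what a cloned-BSSID evil twin parked near the victim looks like; the two MikroTik and Alfa radios advertising corp-wifi are the multipot pair. Feed the function real scan output (for instance parsed from a scanner's CSV) in the same dictionary shape and the same checks apply.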
Copyright © 2009 - 2016 America's Best. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.