How easy is it to take over a laptop using a wireless device and also using WPA2? It's not that hard to do.
This month HD Moore is releasing a kernel bug every day. One of his releases covers a Broadcom wireless driver. This driver is used in PCs from Dell, HP, Gateway and other vendors, and is also built into some devices from Linksys and Zonet.
The device driver flaw allows a malicious person to take control of your laptop without you knowing about it. Even more scary, the flaw works whether the laptop is connected to a wireless network or not, because it lives in the wireless card's background scanner, which is constantly looking for wireless networks.
A number of patches are now available. However, trying to get the patches out to all the millions of laptops around the world won't be easy and there will likely be many, many users who don't know of this threat.
This then brings to mind the threat to the enterprise from a wireless device.
When the first wireless protocol, 802.11, which was the underpinning of WEP (Wired Equivalent Privacy), was released a few years ago, it was quickly proven to be seriously flawed and easily hackable. This led to the industry of drive-by hacking, where criminals would simply drive around, find networks using the protocol and easily crack them.
The WEP protocol weaknesses were fairly quickly bridged with the Temporal Key Integrity Protocol (TKIP), then replaced in 2003 with WiFi Protected Access (WPA) (802.11), and upgraded again in July 2004 with WiFi Protected Access 2 (WPA2).
Against this background, there has been a widespread increase in the use of wireless devices to access enterprise networks, applications and sensitive enterprise information. This trend will likely continue, as it gives enterprises the ability to quickly access information and work anywhere in the world at any time.
Couple all of this with the generally weak authentication used on wireless devices, i.e. a user ID and password. Criminal attackers are now beginning to focus on the wireless device as an easy entry point into the enterprise by deploying malware on the device itself.
So what is the answer to the use of wireless devices and the threats to the enterprise? THERE IS NO SILVER BULLET! Your enterprise needs a graded threat model to deal with the use of wireless devices.
To start with, any device using WEP should be used only for extremely low risk applications. DO NOT let your employees log on to your enterprise systems using this device and have access using the same authentication to sensitive information or applications. The ability to crack this is child's play. Read here for all the different attack mechanisms available.
All your wireless devices should be using WPA or WPA2. Read here for all sorts of information on current threats even when using these protocols.
Your enterprise security policy should have a policy enforcement point at the perimeter of your enterprise that first of all detects the software and hardware being used by a wireless device attempting to access the network. It is here that you should put all devices that don't meet the latest upgrades (such as the Broadcom driver) into a containment area until they are upgraded. Companies making this kind of network access control appliance include Infoblox and Caymas.
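The containment decision described above, as an added example that is not part of the original post or of any vendor's product: a minimal posture check that compares the wireless driver a device reports against a patched baseline and quarantines anything below it or unknown. The driver file name is the Windows name of the Broadcom driver; the version numbers are constructed placeholders, not real advisory values.

```python
# Added example: NAC posture check that quarantines devices whose wireless
# driver is below a patched baseline. Versions below are placeholders.
from dataclasses import dataclass

# Hypothetical minimum patched versions keyed by driver file name (lower case).
# A real baseline would come from the vendor advisory and the patch policy.
REQUIRED_DRIVER_VERSIONS = {
    "bcmwl5.sys": (4, 100, 15, 5),   # placeholder minimum for the Broadcom driver
}

CONTAINMENT_VLAN = "quarantine"
PRODUCTION_VLAN = "corp-wireless"

@dataclass
class DevicePosture:
    hostname: str
    driver: str    # driver file name as reported by the endpoint agent
    version: str   # dotted version string as reported by the endpoint agent

def parse_version(text):
    """Turn '4.100.15.5' into (4, 100, 15, 5) so versions compare numerically;
    comparing the strings would wrongly rank '4.9' above '4.10'."""
    return tuple(int(part) for part in text.strip().split("."))

def assign_vlan(posture):
    """Return (vlan, reason). Unknown or unparseable drivers fail closed into
    containment rather than being waved through."""
    required = REQUIRED_DRIVER_VERSIONS.get(posture.driver.lower())
    if required is None:
        return CONTAINMENT_VLAN, "unknown wireless driver"
    try:
        reported = parse_version(posture.version)
    except ValueError:
        return CONTAINMENT_VLAN, "unparseable driver version"
    if reported < required:
        return CONTAINMENT_VLAN, "wireless driver below patched baseline"
    return PRODUCTION_VLAN, "posture ok"

if __name__ == "__main__":
    # Constructed sample inventory of three laptops.
    for dev in [DevicePosture("lt-001", "bcmwl5.sys", "4.100.15.5"),
                DevicePosture("lt-002", "BCMWL5.SYS", "3.100.64.0"),
                DevicePosture("lt-003", "other.sys", "1.0")]:
        print(dev.hostname, *assign_vlan(dev))
```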
Then you should only use low-level authentication for low-risk networks, applications and information systems. DON'T ALLOW YOUR USERS TO ACCESS HIGH RISK NETWORKS, APPLICATIONS AND INFORMATION WITH ONLY A UID AND PASSWORD! There is a rapidly growing risk that these can be easily breached.
For higher risk situations, require stronger authentication. While some of you may groan and say "but all this costs money to deploy things like digital certs, SecurID tokens, biometrics etc.", weigh that against the associated risk. Read this for a discussion on the costs of attacks.
So at this point you've implemented a network perimeter access control device, upgraded WEP devices and eliminated the use of that protocol, adopted WPA and WPA2, taken precautions even when using these protocols, upgraded the Broadcom drivers and used stronger authentication for higher risk applications. "Now I'm secure," you think. WRONG!
Given the current state of malware attacks and the increased growth of organized crime, you should not trust all of the above to protect your enterprise crown jewels. If you're going to have a senior executive access the crown jewels using their wireless, then you should use transaction authentication.
Even after the executive has successfully logged on, the transaction authentication software looks at their hardware, IP address, geolocation, user profile, user history and time of day to determine whether the person at the end of the device is who they purport to be. If it finds grounds to do so, it will stop the executive's attempts, flag enterprise management in real time, or ask the executive all sorts of personal questions to validate themselves further.
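The transaction authentication check described above, as an added example that is not part of the original post or of any vendor's software: each request carries device, IP, geolocation, time-of-day and sensitivity context, is scored against the user's recorded history, and ends in one of allow, challenge (ask further questions), flag (alert management in real time) or block. Signal weights, thresholds and the sample executive profile are constructed assumptions.

```python
# Added example: toy transaction-authentication risk engine. All weights,
# thresholds and sample data are constructed assumptions, not vendor logic.
from dataclasses import dataclass, field

@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)   # hardware IDs seen before
    known_networks: set = field(default_factory=set)  # IP prefixes seen before
    usual_countries: set = field(default_factory=set) # geolocations seen before
    usual_hours: range = range(7, 20)                 # local working hours

@dataclass
class Request:
    device_id: str
    ip: str
    country: str
    hour: int          # 0-23, user's local time
    sensitivity: int   # 1 = routine, 3 = crown jewels

def risk_score(req, hist):
    """Sum weighted anomaly signals; return (score, fired signals) so a reviewer
    can see exactly which checks tripped."""
    reasons = []
    if req.device_id not in hist.known_devices:
        reasons.append(("new device", 30))
    if not any(req.ip.startswith(p) for p in hist.known_networks):
        reasons.append(("unfamiliar network", 20))
    if req.country not in hist.usual_countries:
        reasons.append(("unusual geolocation", 35))
    if req.hour not in hist.usual_hours:
        reasons.append(("outside usual hours", 15))
    return sum(w for _, w in reasons), reasons

def decide(req, hist):
    """Map the score to an action. Sensitivity multiplies the score, so the same
    anomaly that is tolerated on a routine request blocks a crown-jewels one."""
    score, reasons = risk_score(req, hist)
    score *= req.sensitivity
    if score >= 150:
        return "block", reasons
    if score >= 90:
        return "flag", reasons        # alert management in real time
    if score >= 40:
        return "challenge", reasons   # ask additional validation questions
    return "allow", reasons

if __name__ == "__main__":
    # Constructed profile: one laptop, the corporate network, one country.
    exec_hist = UserHistory({"hw-1234"}, {"10.1."}, {"CA"})
    print(decide(Request("hw-1234", "10.1.5.9", "CA", 10, 3), exec_hist))
    print(decide(Request("hw-9999", "203.0.113.7", "RO", 3, 3), exec_hist))
```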
This is what a layered wireless access security policy needs to look like. You need to have:
* Risk management analysis done for the enterprise
* Network access control appliances in place
* Single sign on security software in place
* Graded authentication strengths determined
* Stronger authentication deployed against higher risks
* Transaction authentication software in place for highest risk situations
Without it, your enterprise is running a high risk of a security breach in the near or mid-future.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com