There are free tools that help you do it. It's wireless hacking and it's highly dangerous to your information resources.
Imagine you're invisible. You walk along a downtown NYC street deep in the financial district. You can even wear your pajamas. You turn into a gleaming skyscraper, walk past the security guard and get in the elevator. You get off on the top floor with a serious-looking executive and walk into the corner office with him. There, you settle into one of the comfortable chairs (forgoing the Cuban cigars arrayed on the coffee table). Then, you wait. After a while, the executive calls in another serious-looking executive. They confer on the impending acquisition of BigBank by BiggerBank and congratulate each other on the coup they are about to score. You get up, walk out the door, leave the building and call your broker. "Buy shares of BigBank," you instruct him. You go home, get out of your pajamas and enjoy an afternoon sailing on your yacht.
Sound far-fetched? Let's push it further. You drive out to the suburbs, walk right into the bedroom of BiggerBank's CEO and hang around listening to him talk to various friends and colleagues about the next big transaction - BiggerBetterBank.
Congratulations! You're part of the new wireless hacker, drive-by cracker crowd. And yes, you can wear your pajamas if you insist. Armed with tools bearing names such as NetStumbler and AirSnort, wireless intruders are harnessing high-powered receivers and transmitters to break into corporate wireless networks from as far away as ten miles. Throw in some simple GPS software and you can instantly map the location of each unprotected wireless access point you find. And there are thousands of these.
Not since the invasion of the Macintosh has a new technology invaded the corporate IT infrastructure with such ferocity. Wireless access points spring up like weeds under desks, in drawers, in ceilings and closets. At least half the time they are left unprotected. Why? Friends, teenage sons or the neighbor techie accompany the well-meaning business person - who is sick of having to find plugs in conference rooms - perhaps on a weekend day, to install a wireless access point somewhere near the office Ethernet jack. The following Monday the executive walks around the office with newly untethered freedom.
Accompanying him, of course, are the invisible aircrackers.
How bad is the problem? On a recent leisurely drive through, yes, the financial district in downtown Boston, Crossbeam engineers discovered several hundred unprotected wireless access points that gave them access to major corporate IT resources in banks, financial services firms, law firms, consultancies - you name it.
Now, these engineers weren't using anything more sophisticated than an external car antenna, a Lucent wireless card and NetStumbler. [See the boxout below, "The Aircracker's Recipe" for a detailed description of the equipment they used and some sample results generated by the cracking tools.] Fortunately, they were just geeks having fun with no intention of looking at proprietary content.
Consider, though, the case of an intrusion suffered several months ago by a major Fortune 500 company. The intrusion was executed from twelve miles away and the intruder was able to hop onto the corporate network and penetrate deep into the company's IT infrastructure. Did the intruder take anything? Who knows? However, the IT security staff detected an unknown machine on the network, suspected an unprotected wireless access point and via a painstaking search of every floor of the breached building found not one but several of the rogue access points and shut them down. Did this stop their worries? Of course not. For one, they knew that new unauthorized access points would spring up. Even worse, they knew that protected access points are crackable.
Here's the depressing news - the wireless encryption protocol (WEP) is not secure. It turns out that while the encryption algorithms at the root of WEP are supposed to generate random keys, in practice they don't do this. If you wait long enough, you will see keys repeat and this is enough for the crypto-crackers to get their hooks into the pattern and eventually break the keys. By the way, you don't have to be a rocket scientist to break the key - a free, publicly available PERL script called WEPCrack will do it for you.
Here's the really interesting part: if you download a file from a corporate network via a wireless connection, have you committed a crime? Well, the jury's out. What? you say, How can this be? - you, Mr. or Ms. Aircracker, are stealing intellectual property or financial records that belong to someone else! Ah yes, but here's the catch. Because the wireless access point is broadcasting its service availability and because the company does not charge for this 'service' (just like an FM station), it may not be considered theft of service. Basically, companies could be construed as 'inviting' hackers and crackers into their network! Just like talk radio - only much more interesting.
So, given this technological and legal chaos, what can you do to protect your corporate information assets? Obviously, you will need to create extraordinary awareness within your company that this is a huge threat. However, knowing that the human factor is the least dependable, there are two technology solutions that will dramatically reduce the likelihood of a breach: one protects your building from external eavesdropping, the other forces authenticated access to the network.
For the external eavesdropping solution let's go back to our Fortune 500 company. Through a stroke of good luck, the company happened to be in the process of moving much of its IT infrastructure into a new building. However, the building was not nearly complete at the time of the wireless intrusion. Our smart network security engineers alerted the building project managers and together they found a vendor who could supply shielded glass for the windows in the building. By testing various flavors of glass, they picked one that effectively blocked access point broadcast advertisements beyond the walls of the building.
The tougher part of the solution was to force all wireless client access through an authentication mechanism that was not WEP. The solution they found was to place a lightweight VPN server running Check Point VPN-1 between every access point and its network connection. This meant that in order to jump onto the network over a wireless connection, an end user would first have to type in a user name and password and then create an IPsec tunnel to access the network. Because the username and password are encrypted and because IPsec uses a much stronger encryption scheme than WEP, the company's network is now much more protected than it was.
Does it solve the problem completely? Of course not, since the next unprotected, unauthorized access point that springs up creates an instant vulnerability. Although the company is not there yet, they are now talking about creating an "interior VPN" mesh so that all access to the network is authenticated, whether wireless or not. This would mean placing VPN termination points at least in front of major corporate information assets in data centers and eventually extending out to the furthest leaves in the network.
From an administrative point of view, this requires a VPN solution that has extraordinary global VPN management for add/change/deletion of rules and policies as well as global software updates for revisions and patches. The good news is that products like Check Point's are mature enough to have developed good management tools. The difficulty will be creating the project to put such an infrastructure in place. For while the cost of intrusions is potentially very large in terms of both dollars and lost reputation, the cost of large network upgrades is also high. However, even here, by starting with data center assets, the greatest concentration of corporate information will be protected.
Ultimately, there is a larger issue, of which wireless vulnerabilities are just one element. A large percentage of security intrusions originate from inside corporate networks - that is, their own employees. Consequently, the 'interior VPN' by itself is not enough. This is why some companies are supplying a new level of integrated, best-of-breed security devices that provide 'decontamination' nodes where traffic can not only be VPN'd but also checked for intrusion signatures, viruses and malicious web code before entering or exiting a VPN tunnel - all at wire speed.
Whatever your decision as an IT or network manager might be, it would be highly instructive to go crack your own network and decide for yourself how vulnerable your company is and what the cost of a breach might be. Then, ask your executive management how they feel about the magnitude and implications of a breach. You might just find new budget dollars springing up like weeds in closets, drawers and all kinds of unexpected places!
Throop Wilder is co-founder and vice president of marketing for Crossbeam Systems, Inc. (www.crossbeamsystems.com).
The Aircracker's Recipe
So, are you ready to go crack your own wireless access points? Here are the ingredients you will need for a full penetration attempt:
- A laptop that you can walk around with and that has at least one PCMCIA Type II slot (pretty standard these days).
- A wireless PCMCIA card. If you plan on driving around looking for vulnerabilities, you should get a card that has an optional external antenna connector. The card Crossbeam used was Lucent's 11Mbit, Ext. 128RCH World Card, Gold (Orinoco 012352/G).
- An external antenna if you are going to drive around. This will extend your reach into access point 'cells.'
- Software that causes the wireless card to search for access points. The most popular of these is NetStumbler. It's free and available on the Net.
- Software that 'sniffs' the wireless network once you have found a vulnerable access point. Common software here is AirSnort. It's Linux-based so you may have to set up a partition on your laptop to run Linux if you want to use it.
- Software that cracks the wireless encryption protocol (WEP). A popular tool is a PERL script called WEPCrack.
Now that you have the ingredients, here's how to put them together:
Step 1. Walk around with NetStumbler running until you find one or more access points. If you're driving around, you will need to attach the external antenna to the wireless card so that your reach is extended. NetStumbler is like a wireless 'ping' that asks access points to identify themselves so you need to be within range. The nice part here is that not only will the access points identify themselves, but they will also tell you whether they've been left in a vulnerable state since they answer the wireless 'ping' with their attributes (WEP on, etc.).
Step 2. Once you have identified the access point you want to use, run AirSnort. AirSnort is a wireless sniffer that simply grabs all packets flying through the air to the access point. Take a look at the information whizzing by - you will see it all!
Step 3. If the access point has WEP turned on (remember, NetStumbler tells you all this), you can still see packets flying through the air but they will all be encrypted. Not to worry, though. Capture a few thousand encrypted packets with AirSnort and then export them to WEPCrack. In less than ten minutes, WEPCrack will have figured out the encryption key and you're free to hop on the network.
Step 4. There's one more thing you might have to do. Access points can limit access to the network using MAC address (the Ethernet hardware address) filtering. But the wireless client software that comes with your Lucent card lets you change the MAC address of your laptop to match the address of one of the legitimate wireless clients whose traffic you snooped.