Wi-Foo authors on wireless security problems

Konstantin Gavrilenko is the co-founder of the network security consulting firm Arhont. Together with Arhont’s Andrew Vladimirov and Andrei Mikhailovsky, he’s the author of Wi-Foo: The Secrets of Wireless Hacking, published by Addison-Wesley in 2004. I’ve asked Konstantin Gavrilenko about the current problems with wireless LANs.

1. Looking at the state of wireless security right now and a year ago, would you say that the amount of security problems increased, decreased, or stayed roughly the same? What’s your assessment on the trends in this field?

Our approximate assessment would be: stayed roughly the same. While more networks use WEP and some of them use TKIP instead, the percentage of protected or partially protected networks vs. the unprotected ones is still around 30-40%, since the astronomical growth of WLAN networks means there are more open networks just as well. Very few WLANs are properly separated from the wired side or use higher-layer countermeasures such as IPSec VPNs. In fact, in Bristol, UK, we know of only one such network. The bottom line is, if someone is looking for an open WLAN in a neighborhood, it will be found without any significant effort in no time.

2. Your company, Arhont, is serving a unique niche of network security assessment. Can you tell us more about the business you’re in? What type of customers do you attract? Do you provide a one-time analysis service or subscription-based security support?

We are quite a young, but highly specialized company. I believe we were one of the first to anticipate the future problems with wireless and probably one of the best wireless security consultancies in the UK. The market for wireless security is really huge, mainly due to the fact that despite all the media buzz, the majority of companies still do not fully understand the potential vulnerabilities that wireless networks can bring into their existing IT infrastructure. We wardrive often, for the purpose of collecting statistical data on the overall protection level of wireless networks, obviously staying within the legal limits, and we have to say that the picture is worrying. We have seen quite a few rather large multinationals employing unprotected wireless access to their internal network. Some of them have improved over time, turning on basic WEP. However, the biggest challenge in our business is that you know that a company is vulnerable, but you cannot go and inform them. The initiative has to come from the client itself, who should realize the severity of the problem and come to us for advice and a complete solution. The majority of our customers are companies who strongly rely on the proper functioning of their networks, value the security of their data and cherish their company image. At the same time we work with ordinary IT consultancies who try to meet the security needs of their clients, but lack the experience and established base of consultants - that’s where we come in. In terms of the type of services, it is really difficult to generalize, as there are clients with an established strong IT infrastructure and experienced IT staff who just need a single push in the right direction. At the same time, there are clients that lack the above and therefore employ us to look after their security solutions on a regular basis.

3. The book contains rather detailed information on breaking into wireless LANs with the purpose of stealing information. In one chapter you even provide a sample scenario of generating a DDOS attack on wireless access point. Aren’t you unleashing Pandora’s box by publishing the information, since any script kiddie with limited knowledge can use Wi-Foo to achieve quite intimidating results?

Many things are said about wireless insecurities elsewhere, yet two thirds or more of real-world WLANs are wide open. A shock factor is needed to make those irresponsible network administrators and managers start thinking about fixing the problem and not hiding the facts. We believe we provide such a factor by publishing this data. As to the crackers, yes, they can use the described techniques and tools to great success in the same way they can use the information and code published at Packetstorm, Bugtraq, Vulnwatch etc. But there is a catch. First of all, we go a long way to show that defense can be just as exciting as attack. It is far more fascinating to build, let’s say, a custom access point based on a Soekris board and capable of load balancing, firewalling, traffic prioritisation, wireless intrusion detection, 802.11i, IPSec and PPTP support and so on, than finding some poor undefended home or Internet cafe WLAN to snatch bandwidth. Anyone can do the latter without any significant knowledge, but for doing the former you need to be a hacker in the real sense of the word. Second, Wi-Foo is the first book to devote a whole chapter to wireless intrusion detection. While it is really hard to trace a skilled Black Hat using 802.11 when attacking, script kiddies can be successfully discovered and arrested on the spot. There are a couple of recent court cases in the USA already, with wireless crackers put on trial, and the law is really harsh on them, treating them like terrorists. So, be warned. IT security was always about knowledge and understanding: if the defender knows more than the attacker, the attacker will get behind bars in no time. Finally, we do hope that after finishing the book and researching relevant articles and code a (would-be) cracker would feel more like a professional with great opportunities of getting a well-paid IT security job and becoming respected in the security community. This is a far more efficient and less risky path of reaching one’s personal aims, whether they include ego gratification, fun, money, fame or anything else. After all, an official penetration tester does exactly the same as his/her Black Hat counterpart, but is getting paid instead of getting jailed.

4. Most of the tools you’ve included in Wi-Foo rely on Linux or BSD families of operating systems. What’s your assessment of the tools available for Windows family of OSs. It’s understandable that the hacker community will use Linux/BSD, which is the industry standard, but if I am a network administrator of a company, whose fleet mostly involves Windows PCs, can I find relatively equivalent tools for strengthening my wireless LANs?

Frankly, we try to limit the amount of interaction with the MS Windows OS family to “only when it is really necessary”. :) We are supporters of the OpenSource ideology. However, the reason we did not mention wireless hacking tools for Windows is that they are nearly non-existent, if you do not count NetStumbler and Co., which are relatively lame anyway. Obviously there are closed-source enterprise solutions, including wireless network sniffers and Intrusion Detection Systems, but they are rather expensive and lack the flexibility offered by their OpenSource counterparts. We could have included more on the commercial tools, but I do not think it would have been interesting to the audience we aimed our book at. Can you imagine a CS university student spending several thousand dollars on AirMagnet, so that s/he can wardrive properly? We can’t; besides, we don’t want to encourage the use of pirated software that is out there to grab :) In addition to NetStumbler, there were attempts to port AirSnort to Windows, but IMHO the process is more time-exhausting than installing and configuring a basic Linux box and from our perspective it is not worth the time. In order to protect your wireless net you do not necessarily need to have the tools we have described. You can rely on the proven Windows built-in protection mechanisms, e.g. PPTP and IPSec tunnels, leaving the weak WEP out of the “security equation”. Nowadays you can, of course, go for layer 2 security solutions like WPAv1 countermeasures. Up-to-date, patched and upgraded Windows XP and Windows 2000 support TKIP, MIC and 802.1x using EAP-PEAP or EAP-TLS. EAP-MD5 is also supported, but it does not implement mutual authentication and thus is not recommended. Also, ensure that at least SP1 is installed on your Windows machines to avoid Windows Profiles-based man-in-the-middle attacks using Max Moser’s Hotspotter. Don’t forget third-party software - you can use EAP-FAST in Cisco-only networks or install the Funk Software Odyssey suite to employ EAP-TTLS.

5. Is 802.11i going to fix most of the wireless security problems nowadays? Should I hold off from buying networking gear until 802.11i is widely implemented among vendors?
We do not believe in a universal panacea. The “I” task group did tremendous work at improving 802.11 security after the traditional wireless security safeguards such as WEP, shared-key authentication, MAC address filtering and closed ESSIDs were easily circumvented. Nevertheless, every standard should mature and withstand the checks by the international hacking community. At the moment, there are significant vendor intercompatibility issues even with WPAv1 (TKIP+MIC+802.1x). We did come across a report stating that only 22% of TKIP-enabled multivendor WLANs were operational from the first configuration attempt. This can be one of the explanations why many networks still run old, flawed WEP. Besides, there are several vulnerabilities in WPAv1 SOHO mode and flaws in certain EAP types - all of which we have described in Wi-Foo.

WPAv2 Certification is not ready yet, and CCMP requires a complete hardware change / novel hardware installation since it lacks backward compatibility with TKIP. We’ll wait until WPAv2 rolls out and becomes a WiFi Certification requirement. In environments that use random products from multiple vendors (e.g. users bringing their own client cards to use hot spots or assemble ad-hoc networks), tested and tried higher-layer defense means can be more suitable and reliable. Here we are talking about IPSec, the latest versions of PPTP or even SSH port forwarding and SSL. Also, in a long-range point-to-point wireless link using IPSec is easier than WPA Industry countermeasures, since it does not involve installing redundant RADIUS servers for authentication and key rotation on both ends. Wireless security problems should be sorted out individually, taking into account what the network is for, what kind of traffic passes through it and what the network’s architecture and topology are. As we stated above, no two wireless networks are the same and there is probably no universal security solution for all.
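The last two answers amount to a ranking of 802.11 safeguards: open networks are worst, WEP (with or without shared-key authentication) is broken, WPAv1 with TKIP is a transitional step with known problems in SOHO (pre-shared key) mode, 802.11i/CCMP is the target, and on the 802.1x side EAP-MD5 is out because it lacks mutual authentication while EAP-TLS, EAP-PEAP, EAP-TTLS and EAP-FAST authenticate the server. The script below is an added example, not code from the interview, from Arhont or from Wi-Foo: it encodes that ranking as a posture-triage function and then summarises a constructed list of networks the way the protection-level statistics in the first answer are reported. The `Wlan` record, the rating labels, the finding texts and the sample data are all assumptions made for this illustration.

```python
# Added example (not from the interview or from Arhont/Wi-Foo): rate 802.11
# networks by the safeguards discussed above and summarise a survey.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# EAP methods named in the interview that authenticate the server to the
# client (mutual authentication). EAP-MD5 is deliberately absent.
MUTUAL_AUTH_EAP = {"EAP-TLS", "EAP-PEAP", "EAP-TTLS", "EAP-FAST"}


@dataclass(frozen=True)
class Wlan:
    """One observed network (hypothetical record layout for this example)."""
    ssid: str
    cipher: str      # "none", "WEP", "TKIP" or "CCMP"
    auth: str        # "open", "shared", "PSK" or "802.1X"
    eap: str = ""    # EAP method, only meaningful when auth == "802.1X"


def assess(w: Wlan) -> Tuple[str, List[str]]:
    """Rate one network as open / weak / moderate / strong, with findings."""
    findings: List[str] = []
    if w.cipher == "none":
        return "open", ["no link-layer encryption: only higher-layer tunnels "
                        "(IPSec, PPTP, SSH, SSL) can protect this traffic"]
    if w.cipher == "WEP":
        findings.append("WEP is broken; move to TKIP, or to CCMP where hardware allows")
        if w.auth == "shared":
            findings.append("shared-key authentication adds nothing over open "
                            "authentication and is easily circumvented")
        return "weak", findings
    if w.cipher == "TKIP":
        findings.append("TKIP is transitional; prefer CCMP (802.11i / WPAv2)")
    if w.auth == "PSK":
        findings.append("SOHO (pre-shared key) mode; the passphrase is the whole secret")
        return "moderate", findings
    if w.auth != "802.1X":
        findings.append(f"unexpected authentication {w.auth!r} for a WPA cipher; verify the configuration")
        return "moderate", findings
    if w.eap == "EAP-MD5":
        findings.append("EAP-MD5 has no mutual authentication; use EAP-TLS or EAP-PEAP")
        return "weak", findings
    if w.eap not in MUTUAL_AUTH_EAP:
        findings.append(f"unrecognised EAP method {w.eap!r}; check that it authenticates the server")
        return "moderate", findings
    # 802.1X with a mutually authenticating EAP method: the cipher decides.
    return ("moderate" if w.cipher == "TKIP" else "strong"), findings


def survey(wlans: List[Wlan]) -> Tuple[Dict[str, int], float]:
    """Count networks per rating and return the percentage with any link-layer protection."""
    counts = {"open": 0, "weak": 0, "moderate": 0, "strong": 0}
    for w in wlans:
        counts[assess(w)[0]] += 1
    protected = len(wlans) - counts["open"]
    pct = round(100.0 * protected / len(wlans), 1) if wlans else 0.0
    return counts, pct


# Constructed sample for the example; not real survey data.
SAMPLE = [
    Wlan("cafe-free", "none", "open"),
    Wlan("guest-lobby", "none", "open"),
    Wlan("shop-till", "none", "open"),
    Wlan("park-mesh", "none", "open"),
    Wlan("lab-ap", "none", "open"),
    Wlan("warehouse", "none", "open"),
    Wlan("home-1", "WEP", "shared"),
    Wlan("corp-legacy", "WEP", "open"),
    Wlan("corp-md5", "TKIP", "802.1X", "EAP-MD5"),
    Wlan("office-psk", "TKIP", "PSK"),
    Wlan("corp-peap", "TKIP", "802.1X", "EAP-PEAP"),
    Wlan("corp-tls", "CCMP", "802.1X", "EAP-TLS"),
]

if __name__ == "__main__":
    for w in SAMPLE:
        rating, notes = assess(w)
        print(f"{w.ssid:12} {rating:8} {'; '.join(notes)}")
    counts, pct = survey(SAMPLE)
    print(counts, f"{pct}% with some link-layer protection")
```

The percentage returned by `survey` counts anything other than an open network as "protected", which is the loose definition behind the 30-40% figure quoted earlier; the per-rating counts show how much of that protection is only WEP or EAP-MD5 and therefore not worth much. Feeding the function records from a real site survey would need a parser for whatever tool produced them, which is left out here.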

Posted in Technology at August 23rd, 2004.

3 Responses to “Wi-Foo authors on wireless security problems”

  1. August 24th, 2004 at 6:34 am, Martin McKeay's Network Security Blog

    Wi-Foo
    Frankly, we try to limit the amount of interaction with MS Windows OS family to “only when it is really necessary”. :) We are supporters of OpenSource ideology. However, the reason we did not mention wireless hacking tools for Windows, is that they are…

  2. December 29th, 2004 at 9:03 pm, Wireless security by the gallon

    Don’t forget to take a trip to Home Depot to improve the wireless security. Force Field Wireless sells buckets of aluminum and [...]

  3. July 1st, 2005 at 5:35 am, Liz

    New flash demo on wireless hackers — it shows how they work and how they use their cracking tools. You actually get to see what the hackers see.

    Take a look at http://www.lucidlink.com
