How 'evil twins' and multipots seek to bypass enterprise Wi-Fi defenses


Noah Schiffman, Contributor
10.04.2007


The introduction of wireless communications within an enterprise network environment presents several new challenges for corporate IT security managers. While many deployments are driven by the convenience of untethered access to network resources, Wi-Fi creates a larger network attack surface and a whole new class of threats and exploits specific to wireless technology.

First, it's important to note that several differences exist between the security monitoring systems of wired and wireless networks. In-line probes inspect wired network segments, monitoring packets as they traverse the LAN. Enterprise WLAN monitoring, however, relies on wireless intrusion prevention systems (WIPS), in which a distributed network of transceiver sensors constantly monitors all channels and reports all activity to a centralized server. Through analysis of sensor data, the server is able to locate and thwart denial-of-service (DoS) attacks and unauthorized use of network resources, yet such WIPS architectures are more complex to implement and manage than their wired counterparts.

Despite increasingly effective WIPS, wireless attacks are rapidly increasing due to several factors, most notably the proliferation of enterprise usage, the frequent changes in standards and the common tendency to treat Wi-Fi security as nothing more than an afterthought. Today there are also many well-written applications, platforms, operating systems and hardware modifications designed to simplify the setup and execution of sophisticated wireless attacks. Most of the commonly known types of network threats traditionally seen in wired network environments have been redesigned to exploit wireless systems; sniffing, probing, scanning, spoofing and cryptographic attacks, to name a few, have all been effectively executed over Wi-Fi.

One of the most widespread and effective Wi-Fi attack methods is the "evil twin" attack. A "rogue" or unauthorized access point is set up to appear identical to a nearby legitimate access point. When a user attempts to gain network access, the two identical access points are meant to cause confusion and coerce the user into connecting to the illegitimate, or evil twin, access point, putting the user at the attacker's mercy. The attacker could opt to phish or probe the client for sensitive information, though an attacker will often take the opportunity to execute a wireless man-in-the-middle attack, which involves observing, capturing and forwarding all of the user's outbound traffic through the legitimate AP, providing no indication to the user that anything has gone awry. While this remains an effective threat at the consumer level, fortunately it is often prevented in the corporate setting with a standard WIPS implementation.

The multipot attack takes the evil twin concept a step further and presents a more significant threat to enterprises. Coined from the term "multiple honeypots", a multipot employs the use of two or more malicious access points configured as clones of a legitimate access point.

The multipot's use of multiple rogue access points, however, creates a unique and difficult situation for an enterprise WIPS. In this scenario, when session containment is attempted, the client receives the WIPS's deauthentication packets, which force network disconnection. But when the client restarts the 802.11 reconnection process, it associates with the second rogue access point and resumes communication attempts. Although the sensors again detect improper activity and transmit deauthentication packets, the WIPS is presented with a temporal obstacle. Its sensor is a transceiver and is responsible for both channel-frequency scanning and packet broadcasting for session containment. While the time required to complete these tasks is on the order of seconds, it is much longer than the millisecond process of client reconnection.

So in a scenario with only one rogue access point, the process of connecting to and being disconnected from a single access point would result in a cycle causing packet flooding, yet with two rogue access points, the client effectively "outruns" the deauthentication packets by hopping back and forth between the rogue access points. Again, this vast difference in the time that each device needs to perform its job -- the WIPS sensor requires seconds while the client just milliseconds -- allows for client communication to proceed without perception of any disruptions.

There are a number of steps that can be incorporated into an enterprise security strategy to mitigate these types of threats. Site surveys that maintain a current database of network elements allow WLAN changes to be monitored via access point characteristics such as the channel and signal strength associated with each SSID, physical access point location, RF triangulation, vendor consistency via MAC addressing, and access point firmware versions. Since the 802.11 standard only defines Layer 1 (physical) and Layer 2 (data link layer/MAC sublayer) segments, multilayered protection should be implemented with additional upper-layer authentication, encryption, network access control and vulnerability management. Knowledge of the geographic coverage area, physical mapping of wireless threat exposure, identification of areas of high risk probability, dense sensor deployment, 24x7 real-time monitoring, effective threat classification and tighter control of physical access to office premises and surrounding areas are also essential for secure enterprise WLAN deployment. Finally, employee education and enforcement of a well-defined security policy remain the cornerstones for maintaining a secure network environment.
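As an added example (not from the original article), the following Python sketch shows the site-survey comparison this paragraph describes: observed beacons are checked against a baseline of authorized access points on SSID, BSSID, vendor OUI, channel and signal strength, and two or more unknown radios cloning the same corporate SSID are reported as a multipot indicator. All BSSIDs, SSIDs, signal levels and the RSSI tolerance are constructed values.

```python
from collections import namedtuple

# Constructed site-survey baseline: BSSID -> (SSID, channel, surveyed RSSI in dBm).
AUTHORIZED = {
    "00:1a:2b:00:00:01": ("CorpNet", 6, -45),
    "00:1a:2b:00:00:02": ("CorpNet", 11, -50),
}
CORP_SSIDS = {v[0] for v in AUTHORIZED.values()}
CORP_OUIS = {bssid[:8] for bssid in AUTHORIZED}  # vendor OUI = first three octets
RSSI_TOLERANCE_DB = 15  # assumed: a larger deviation from the survey is flagged

Beacon = namedtuple("Beacon", "bssid ssid channel rssi")  # one observed beacon frame

def classify_beacon(b):
    """Compare one observed beacon with the baseline and return a list of findings."""
    bssid, findings = b.bssid.lower(), []
    if bssid not in AUTHORIZED:
        if b.ssid in CORP_SSIDS:  # unknown radio cloning a corporate SSID
            findings.append("clone: unknown BSSID advertising corporate SSID")
            if bssid[:8] not in CORP_OUIS:
                findings.append("vendor OUI differs from authorized hardware")
        return findings  # a foreign SSID on an unknown BSSID is just a neighbour
    ssid, channel, rssi = AUTHORIZED[bssid]
    if b.channel != channel:
        findings.append(f"channel changed {channel}->{b.channel}")
    if abs(b.rssi - rssi) > RSSI_TOLERANCE_DB:
        findings.append(f"signal strength deviates by {abs(b.rssi - rssi)} dB")
    return findings

def analyze_survey(beacons):
    """Aggregate findings per BSSID; two or more clones of one SSID suggests a multipot."""
    findings, clones = {}, {}
    for b in beacons:
        f = classify_beacon(b)
        if f:
            findings[b.bssid] = f
        if any(x.startswith("clone") for x in f):
            clones.setdefault(b.ssid, set()).add(b.bssid)
    multipot = sorted(s for s, c in clones.items() if len(c) >= 2)
    return {"findings": findings, "multipot_ssids": multipot}

# Constructed sample scan: two authorized APs, two CorpNet clones, one unrelated neighbour.
SAMPLE = [
    Beacon("00:1a:2b:00:00:01", "CorpNet", 6, -47),
    Beacon("00:1a:2b:00:00:02", "CorpNet", 11, -80),  # far weaker than surveyed
    Beacon("de:ad:be:ef:00:01", "CorpNet", 6, -40),
    Beacon("de:ad:be:ef:00:02", "CorpNet", 1, -42),
    Beacon("aa:bb:cc:dd:ee:ff", "GuestCafe", 3, -70),
]
```

Running `analyze_survey(SAMPLE)` flags both unknown CorpNet radios as clones with a foreign vendor OUI, reports "CorpNet" as a multipot SSID, and notes the unexpectedly weak signal from the second authorized AP while ignoring the neighbouring GuestCafe network.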

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.
