What Are the Enemies Like?

The popular media such as television, newspapers, and movies are fond of the word "hacker," which has passed into the English language and probably many others. However, there is no clear definition for what constitutes a hacker. Movies usually represent a hacker either as a nerdy, socially disconnected genius or as a 12-year-old computer wizard, and neither of these descriptions is usually true. In fact there are so many activities that can be described as "hacking" that we could probably all earn the title at some point or other. Still, there are people who specialize in attacking computer security in sophisticated ways, and they certainly merit the title of hacker. It is useful in building our defenses to try to understand the motivations of those enemies who are prepared to dedicate resources to attacks.

Hackers fall into categories of threat that you can draw like a pyramid. At the bottom are people, sometimes called "script kiddies," who have relatively weak tools. As you move up toward the top of the pyramid, the number of attackers decreases quickly but their expertise and the complexity of their tools increase. This middle section is where you would start to see cryptographic attack tools, that is, tools that seek to break into secure systems rather than just searching for systems where security is turned off. At the top of the pyramid is a small group we describe as ego hackers using the most sophisticated techniques.

Let's start with the casual sorts of privacy violations. If you peek over someone's shoulder on an airplane to read the presentation she is preparing, are you a hacker? IEEE 802.11 committee meetings involve hundreds of people using a huge Wi-Fi LAN. Even here some people forget to enable protection of their laptops. If, in a boring moment, a committee member browses around the network out of curiosity, is that person a hacker?

From the point of view of popular culture, these casual acts do not constitute hacking. But from the point of view of a security system, there is no distinction between casual and dedicated attacks, except in the sophistication of the tools that are used. All unwelcome network visitors must be classed as potential enemies regardless of their motivations or skills.

The enemy has choices in where and when to attack. It is the job of security policy to anticipate the possibilities and the job of security protocols to block the attacks. Correctly anticipating all the options is one of the challenges of good security. To use a crude example, there is no point in locking the front door if you leave the windows open.

Almost any attack can be explained by one of these motivations:

  • Gaming: A hacker gambles her time and effort in the hope of a payoff through a successful attack. Many sports and games rely on a similar motivation. It is the cyber equivalent to fly-fishing.

  • Profit or revenge: The attacker wants to steal information, damage your system because of a grievance, or alter your system to acquire a tangible reward (such as money, stock, or pension rights).

  • Ego: The hacker wants to prove, to himself or his peers, that he is clever, tenacious, and brave.

The motivation determines the options the attacker considers. A revenge attacker, for example, may consider blowing up your network server with a bomb, whereas such an approach would be unlikely to provide satisfaction to the ego player.

Gaming Attackers

By far the largest number of attacks come from gaming attackers. We use this term to describe people who have too much time on their hands and enjoy playing a game called "let's see whether we can watch the neighbors without their knowing."

People can stumble into this type of activity almost accidentally by downloading a tool they found on the Web that is designed to compromise security. There are many such programs and they are easy to download, install, and run. Chapter 16 looks at a few examples. Some of these programs simply try to access every Internet (IP) address possible, looking for a response. These programs, called scanners, require no technical expertise and can work unattended. You download it, run it, and go to work, school, or bed. The next day you can check to see whether it found anything. These types of programs can sometimes be successful when running on a broadband connection such as cable modem or ADSL.

Performing these simple incursions requires little expense. As with any good game, players can get early, but limited, positive results such as a list of active computers. It's easy to see how these types of tools can be captivating. In most cases the fun wears off, due to lack of success or lack of interesting discoveries or fear of detection. However, for a few people the desire to make progress will become stronger, leading them to look for more powerful tools and other ways to score successes. People who attack you in this way generally don't understand security, but they do know how to run downloaded scripts.

The picture of a fresh-faced teen sliding down the slippery path to a life of obsession and ultimate destruction is, of course, more than a little sensational. But it becomes easier to understand why people get involved in security attacks, and a few really do move into the hard-core categories. Fresh faced or not, these attackers are your enemy when you are setting up network security.

While the gamers are the most numerous, they are easy to block and defend against. It is easy to mount this class of attack by downloading the appropriate scripts and programs. Our concern here is whether the gaming hackers are likely to attack Wi-Fi LANs. Such attacks require a different type of hardware and a greater investment in time. However, all the elements of "the game" are still there.

Even the simplest security mechanisms provide protection against low-level attacks. But many Wi-Fi LANs are running with no security at all. Companies and individuals are often unaware of security risks or assume that eavesdropping is the only risk. They may be concerned about security but procrastinate about taking action, leaving their system in the default unprotected state that it was in when they bought it, regularly thinking, "I must figure out that security configuration stuff sometime." Whatever the reason, there are many unprotected Wi-Fi LANs and it is quite simple to get a laptop computer and a Wi-Fi LAN adapter card and drive around a city or suburb looking for a network to join. You would be surprised how quickly a network can be found.

Even this simple attack requires more effort than running a script on your PC at home. You have to have a laptop and you have to spend time and gas driving around. This fact is enough to discourage a large percentage of the casual attackers. Furthermore, if you have any security (such as WEP) turned on, attackers will probably pass you by in search of an unprotected network. Generally, they only attack a protected network if they think you have something special. If you have broadband Internet access, you are at risk from attackers who want to use you as an Internet jumping-off point. They may be looking for free broadband access. However, there can be a more sinister purpose if the attacker wants to use your link for illegal purposes. In this scenario a person might use your account to download illegal pornography or to coordinate with other criminals or even terrorists. You are likely to be completely unaware of this type of incursion.

In rare cases, hackers who are moving up the "difficulty levels" may consider the security implemented on your system as a challenge for gaming. WEP does have weaknesses that can be exploited by special tools easily downloaded from the Internet (see Chapter 6).

Profit or Revenge Attackers

You are unlikely to suffer an attack for profit or revenge if you are a home user (unless you have a dog that likes to dig up the neighbor's lawn or something similar). In reality, attacking for profit is probably not that common. There have been cases in which credit card databases have been compromised. Stealing credit card information is actually a form of identity theft because the information can be used to make purchases while the thief is pretending to be the cardholder. Such identity thefts can usually be detected, and the culprits run a risk of being caught and sent to jail. However, there may be many more subtle attacks that are undetected. For example, if an attacker could read the financial results of a corporation before they were announced, he might be able to make money by buying or selling shares. This is an ideal attack because, providing his stock transaction is not so huge as to get attention, no one would ever know that an attack had occurred. This is why we used the word "probably" when we said profit attacks are rare. There is no good way to assess how often these types of attack occur.

The risk of revenge attacks from disgruntled ex-employees or even customers is growing. This can show up as attempts to corrupt a Web site, plant a virus, or delete files. You can see that there is an important distinction between profit and revenge attacks. Profit attacks try to leave no trace. The point of a revenge attack is to be as visible as possible.

Profit or revenge attackers have a specific objective and a particular target, and they are prepared to invest time and money into planning. They are likely to research the best methods, think about weaknesses, and find the right tools for the attack. If you use a Wi-Fi LAN, they will consider it as an avenue for attack.

Doing reconnaissance on Wi-Fi LANs is easy. The attacker drives as close as possible to your building, starts up a laptop, finds out what networks you have running, and identifies the names of the access points. With simple tools, he can find out how many users are operating. He can quickly determine whether you are using Wi-Fi LAN security and whether it is WEP or some other system. If you have no security in operation, he can connect immediately. It may be that even if he gets on your network, you have logon passwords for all the servers; but, as has been mentioned previously, this only increases the level of sophistication of the required tools. If the attacker is smart, he will make several trips and try to remain undetected either until the job is done or until he is ready to inflict the damage.

The fact that these types of attacks can be performed over a period of time allows the enemy to go away and gradually learn more and acquire stronger tools. It is this iterative process, driven by a specific goal, which makes this category of attacker dangerous. If revenge is the goal then, when accomplished, the attacker will probably not repeat. He will have "gotten even" in some dysfunctional way of thinking. Of course, the profit attacker is very likely to repeat if undetected and poses a threat that increases over time. This is one reason why companies need to continuously reevaluate security policy and put effective monitoring in place.

One interesting approach to detection of such attacks is a honeypot network.[1] This type of network is actually designed to attract attacks. A honeypot network looks like a conventional network, but it is intentionally weak and not attached to any real data. Your goal is to catch the attacker before he or she recognizes the trap.

[1] For more information, see Lance Spitzner, Honeypots: Tracking Hackers. Boston: Addison-Wesley, 2003.

To construct a simple honeypot network, set up an access point, attach it to an old computer, and put a load of useless junk data on the computer. Create directories with names like "Accounts" or "Personnel" that are access protected. Give the access point a different network name from that of your real network and site it near the visitors' parking. Leave WEP off or turn it on with a weak password like "admin." Make sure that all your legitimate clients are configured only to use the legitimate access points. Then watch for a wireless client attached to the honeypot access point. Most access points can log when a client connects. You may be able to use a network management program to get an audible alert. This would give you the opportunity to stroll outside to look for a suspicious person with a laptop in his car.

A honeypot network lets you evaluate the likelihood of attacks on your network and the types of attack being made. More advanced honeypot servers can gather information about attackers. If you are interested in retaliating against a serious attacker through law enforcement, you need to gather proof of the attacks and of the identity of the attacker. Some honeypot programs are not servers at all but instead smart software that emulates the behavior of a server to keep the attack going while information is gathered. 00[Sub]7, the Ultimate SubSeven Logging tool by Jeff Capes, for example, is a program that can be run on a home computer and sits on one of the ports most commonly attacked. It logs information when an attack occurs and can notify attackers of the monitoring, which usually scares them away.
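The "watch for a wireless client attached to the honeypot access point" step above, as an added example that is not from the book: a small script that reads hostapd-style association log lines from the decoy access point (the log format, host name and MAC addresses are constructed assumptions) and reports every station that joined. Because no legitimate client should ever use the decoy, a known client MAC is reported as a misconfiguration and anything else as a probable intruder.

```python
import re
from dataclasses import dataclass

# Constructed sample log: simplified hostapd-style syslog lines from the decoy
# access point (the line format is assumed; the book gives none).
SAMPLE_LOG = """\
Mar 03 09:12:01 honeypot hostapd: wlan0: AP-STA-CONNECTED 02:aa:bb:cc:dd:01
Mar 03 09:12:40 honeypot hostapd: wlan0: AP-STA-DISCONNECTED 02:aa:bb:cc:dd:01
Mar 03 11:47:15 honeypot hostapd: wlan0: AP-STA-CONNECTED 02:AA:BB:CC:DD:01
Mar 03 12:05:33 honeypot hostapd: wlan0: AP-STA-CONNECTED 02:11:22:33:44:55
Mar 03 12:05:34 honeypot kernel: unrelated line that must be ignored
"""

# MAC addresses of your own legitimate clients (constructed placeholders).
LEGIT_CLIENTS = {"02:11:22:33:44:55"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ hostapd: \S+: "
    r"AP-STA-(?P<event>CONNECTED|DISCONNECTED) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)

@dataclass
class Alert:
    mac: str
    kind: str          # "intruder" or "misconfigured-client"
    first_seen: str    # timestamp of the first association
    connects: int      # number of associations seen

def analyze(log_text, legit_clients=LEGIT_CLIENTS):
    """Return one Alert per station that associated with the honeypot AP,
    ordered by first association; known clients are flagged as misconfigured."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "CONNECTED":
            continue                       # skip disconnects and foreign lines
        mac = m["mac"].lower()             # normalise case so MACs dedupe
        if mac in seen:
            seen[mac].connects += 1
        else:
            kind = "misconfigured-client" if mac in legit_clients else "intruder"
            seen[mac] = Alert(mac, kind, m["ts"], 1)
    return sorted(seen.values(), key=lambda a: a.first_seen)

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.kind}] {a.mac} first seen {a.first_seen}, {a.connects} association(s)")
```

Feed it the access point's live log (for example via tail) and hook the intruder case to whatever audible alert your management software supports.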

Ego Attackers

At the top of the threat pyramid is the ego hacker. Ego hackers come closest to matching the image of hackers in popular culture. They are motivated by the difficulty of the task and by the feeling that they are members of an elite group. They seek contact with other ego hackers and status within that group. Promotion in the group comes from demonstrating successful attacks and distributing inventive new methods. To be successful, a person would need to climb a long learning curve, understanding all the methods of attack and assimilating the weaknesses of existing systems. They would need to understand at a detailed level how the security protocols work on each system they wish to attack. Ultimately their knowledge and capability may put them on a par with legitimate security researchers. A few ego hackers have crossed the border and established legitimate security businesses.

Rather than wait for ego hackers to break into security systems, crypto professionals look for flaws in cryptographic systems and publish them. This is not popular with the companies that sell the equipment. For example, when the attacks on WEP were discovered, many in the industry wanted to avoid the information becoming widely known. However, legitimate security researchers know that they are in a race against the top-level ego hackers. These hackers will uncover any weaknesses that the researchers don't find first.

A more contentious issue is the publishing of hacking tools. For example, the weaknesses of WEP were published and vendors started to react. Then a software tool called AirSnort was made available on the Web (http://airsnort.shmoo.com/), rendering WEP security instantly useless. What was the value in releasing such a tool? Supporters argued that ego hackers would have developed such a tool in secret and it was better to develop it in public. Whatever your stance in this debate, AirSnort certainly got everyone's attention. The much-improved Wi-Fi Protected Access (WPA) is the result.

Now we are ready to look at how Wi-Fi security can be incorporated into existing networks. Trying to attach Wi-Fi systems to a network with a conventional security architecture can cause real problems. These systems have very different characteristics from conventional wired hardware.
