Mobile NAC and the Wireless Threat
Some of these threats are obvious and some of them are not. Let’s talk about a wireless threat that takes place where there isn’t a wireless network.
This next attack could take place on an airplane, on a train, or in any other public area. It furthers the point that NAC protection must exist outside of the LAN and any time a mobile laptop is powered on. For this example, the corporate LAN will never even come into play. In fact, the end user doesn’t even try to connect to a corporate network.
Let’s go with the plane scenario. Without question, getting some work done on a plane is a great way to pass time and to remain productive. In this day and age, having Internet connectivity on a plane is a rarity. The technology exists and is in use, but it is practically never seen domestically. In fact, the use of wireless on airplanes is actually forbidden by FAA regulations. That notwithstanding, I’ve seen that most people do not bother to turn off their wireless cards when they start up their laptops on planes. This opens the door to exploitation.
From my experience, many company laptops use WZC to control wireless connectivity. This comes with the operating system, so it doesn’t cost the companies any money. While not extraordinarily intuitive, most users can muddle their way to getting connected to wireless. As with many things computer-related, convenience is a big factor in how things work. To make wireless connectivity convenient, WZC only requires that an end user connect to a wireless LAN one time, and then it will automatically connect to that wireless LAN every time the user comes within range. This sounds convenient and it is. Every time the user comes home, the user simply starts up the computer and is automatically connected to his or her wireless LAN. There’s nothing that the end user needs to do to establish this connectivity.
This functionality is made possible by WZC automatically adding the wireless network into the ‘‘Preferred Networks’’ section. End users can also manually add wireless networks into this area. Figure 5-27 shows the Linksys network having automatically been added to this area because the user connected to this network.
By default, the networks added here will automatically be connected to any time they come into range. If no encryption or authentication were being used on these networks, then the only thing WZC would use to identify the network is the SSID. So, if a user had the home wireless open and it was called ‘‘Linksys,’’ the laptop would automatically connect to any wireless network that was open, in range, and named ‘‘Linksys.’’ This means that the end user could automatically become connected to networks when he or she didn’t intend to, and without doing anything to facilitate that connection. That is a pretty big security threat. Wireless networks are everywhere, and many of them use common names, so this is a very real threat.
Chapter 5 ■ Understanding the Need for Mobile NAC
Figure 5-27 Automatically adding a wireless network in the ‘‘Preferred Networks’’ section
In the scenario just stated, there weren’t any networks available. The person would simply be sitting on a plane, using a laptop. The kicker is that it doesn’t matter if there’s a network or not. The person is still vulnerable to attack. This person is also still trying to connect to those networks. By default, with WZC, probes will be sent out to search for wireless networks. This is illustrated in Figure 5-28.
To establish a direct connection to the potential victim, all a hacker would need to do is listen to these probes and turn his system into an access point broadcasting the SSID of one of the networks listed in Preferred Networks. You saw in the ‘‘Protecting against AP Phishing and Evil Twin’’ section earlier in this chapter that Airsnarf could be used to turn a laptop into an access point broadcasting any SSID desired by the person running the program. The key here is listening for these probes.
Hotspotter is the name of the application that can perform that function. It is quite simple in how it works:
1. It looks at a predefined list of possible wireless names that may be sought out by an application such as WZC.
2. When it finds a probe seeking to connect to a wireless network, it displays which network is being sought.
Figure 5-28 WZC probes searching for the wireless networks
[Figure: If the laptop is powered on and the Wi-Fi card enabled, by default Windows Zero Config will send out probes trying to connect to the SSIDs listed in Preferred Networks: Are you there “Linksys”? Are you there “tmobile”? Are you there “hhonors”?]
The list that Hotspotter would reference is normally quite long. It doesn’t make sense to print the entire list here, although some of the most common names of wireless networks are:
Linksys, 2Wire, Tmobile, Concourse, Boingo, Tsunami
Armed with this list and the Hotspotter program, a person with malicious intent could run Hotspotter and sit back and wait for potential victims. In my live hacking demonstrations, this is something I show relatively often. I can usually pick up a laptop trying to connect to a wireless network in less than 10 seconds.
Once it’s known which network someone is trying to connect to, someone with malicious intent simply needs to turn his or her own laptop into that network. WZC will automatically connect, and the attacker would have Layer 3 access to that machine. For the duration of the flight, the hacker could try to exploit the machine using many of the methods already discussed. Figure 5-29 illustrates this process.
What would protect the laptop in this scenario? The answer is many of the things that were already covered in this chapter, including the following:
Ensuring that the personal firewall is always running.
Ensuring mobile machines receive their patches while mobile. In this scenario, the patches would have been received when the user connected to a hotspot before going onto the plane.
Restricting and controlling wireless connectivity if the security posture is deficient.
Figure 5-29 Exploiting WZC seeking a wireless network
[Figure:
1. Windows Zero Config seeks out the tmobile network, because the user connected to this network prior to getting on the plane. (Are you there “tmobile?”)
2. A hacker running Hotspotter reads this probe and turns his computer into an access point with the SSID of “tmobile.” (I’m “tmobile.”)
3. Windows Zero Config automatically connects to the fake “tmobile” connection.
4. With a Layer 3 connection, the attacker can now run exploits against this machine.]
With these and the other points mentioned in this chapter in place, the laptop in this scenario would be as protected as it could possibly be. The important point to realize is that the threats are everywhere, so a NAC solution needs to work everywhere.
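One way to check for the exposure described above is to audit a laptop's saved wireless profiles for open networks set to connect automatically. The sketch below is an added example, not code from the book: it assumes profiles in the WLAN profile XML layout that later Windows versions produce with `netsh wlan export profile` (WZC itself predates this format), and the function names and sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Common network names listed in the text, lower-cased for comparison.
COMMON_SSIDS = {"linksys", "2wire", "tmobile", "concourse", "boingo", "tsunami"}

def make_profile(ssid, auth, enc, mode):
    """Build a constructed sample profile in the WLAN profile v1 layout."""
    return (
        f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
        f"<SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>"
        f"<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>"
        f"<MSM><security><authEncryption><authentication>{auth}</authentication>"
        f"<encryption>{enc}</encryption><useOneX>false</useOneX>"
        f"</authEncryption></security></MSM></WLANProfile>"
    )

def _text(root, path, default=""):
    node = root.find(path, NS)
    return node.text.strip().lower() if node is not None and node.text else default

def audit_profile(xml_text):
    """Return (ssid, risk, reasons) for one exported profile."""
    root = ET.fromstring(xml_text)
    ssid_node = root.find("w:SSIDConfig/w:SSID/w:name", NS)
    ssid = (ssid_node.text or "") if ssid_node is not None else ""
    sec = "w:MSM/w:security/w:authEncryption/"
    is_open = (_text(root, sec + "w:authentication") == "open"
               and _text(root, sec + "w:encryption") == "none")
    # A missing connectionMode is treated as "auto", the conservative reading.
    auto = _text(root, "w:connectionMode", "auto") == "auto"
    reasons = []
    if is_open:
        reasons.append("no authentication or encryption: matched on SSID only")
    if auto:
        reasons.append("connects automatically when in range")
    if ssid.lower() in COMMON_SSIDS:
        reasons.append("common SSID name")
    risk = "high" if is_open and auto else "medium" if is_open else "low"
    return ssid, risk, reasons

# Constructed sample profiles, not taken from any real machine.
SAMPLES = [
    make_profile("Linksys", "open", "none", "auto"),
    make_profile("HomeNet", "WPA2PSK", "AES", "auto"),
    make_profile("tmobile", "open", "none", "manual"),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(audit_profile(xml_text))
```

Profiles rated high are the ones a laptop would join on SSID alone; removing them or switching them to manual connection closes that path.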
NOTE Think of the previous proxy-as-security example. That would have provided absolutely no protection in this scenario.