January 29, 2012

3.4.8 IV Attack

IV attack

An initialization vector (IV) is an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session.

Initialization vectors are used to prevent a sequence of text that is identical to a previous sequence from producing the same exact ciphertext when encrypted. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.

The use of an IV prevents repetition in data encryption, making it more difficult for a hacker using a dictionary attack to find patterns and break a cipher.

The initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and IVs are reused with the same key. By examining the repeating result, it is easy for miscreants to crack the WEP secret key, known as using an IV attack.

An IV attack is usually associated with the WEP wireless protocol.

References:
  • http://en.wikipedia.org/wiki/Initialization_vector
  • http://whatis.techtarget.com/definition/initialization-vector.html
  • http://www.pcmag.com/encyclopedia_term/0,2542,t=initialization+vector&i=44997,00.asp
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.7 War chalking

War chalking

Warchalking is the drawing of standard iconography (often in chalk) in public places to advertise an open Wi-Fi wireless network.

Warchalking involves those who discover a way into the network leaving signals on, or outside, the premise to notify others of the vulnerability.

References:

  • http://en.wikipedia.org/wiki/Warchalking

3.4.6 Bluesnarfing

Bluesnarfing

Bluesnarfing is much more serious than Bluejacking, but both exploit others' Bluetooth connections without their knowledge.

Bluesnarfing enables gaining unauthorized access through a Bluetooth connection. This access can be gained through a phone, PDA, or any device using Bluetooth. Once access has been gained, the attacker can copy any data in the same way they would with any other unauthorized access.

References:
  • http://en.wikipedia.org/wiki/Bluesnarfing
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.5 Bluejacking

Bluejacking

Bluejacking is the sending of unsolicited messages (think spam) over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field to another bluetooth enabled device via the OBEX protocol.
Bluejacking takes advantage of a loophole in the technology's messaging options that allows a user to send unsolicited messages to other nearby Bluetooth owners.

Bluetooth technology operates by using low-power radio waves, communicating on a frequency of 2.45 gigahertz. This special frequency is also known as the ISM band, an open, unlicensed band set aside for industrial, scientific and medical devices. When a number of Bluetooth devices are switched on in the same area, they all share the same ISM band and can locate and communicate with each other, much like a pair of walkie talkies tuned to the same frequency are able to link up.

Bluetooth technology users take advantage of this ability to network with other phones and can send text messages or electronic business cards to each other. To send information to another party, the user creates a personal contact name in his or her phone's address book -- the name can be anything from the sender's actual name to a clever nickname.

Bluejackers have devised a simple technique to surprise their victims: Instead of creating a legitimate name in the address book, the bluejacker's message takes the place of the name. The prank essentially erases the "from" part of the equation, allowing a user to send any sort of comment he wishes without identifying himself.

Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters.

Bluetooth is often used for creating personal area networks (PANs), and most Bluetooth devices come with a factory default PIN that you will want to change to more secure values.
One of the simplest ways to secure Bluetooth devices is to not set their attribute to Discoverable.

References:

  • http://www.bluejackingtools.com/what-is-bluejacking/
  • http://electronics.howstuffworks.com/bluejacking.htm
  • http://en.wikipedia.org/wiki/Bluejacking
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4.3 Evil Twin

Evil Twin

Evil twin attack is a term for a rogue Wi-Fi access point (AP) that appears to be a legitimate, but actually has been set up by a hacker to eavesdrop and intercept wireless communications among Internet surfers.

It is an attack in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point. Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

Evil twin is the wireless version of e-mail phishing scams. An attacker tricks wireless users into connecting a laptop or mobile phone to a rogue hotspot by posing as a legitimate provider.
By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.

One way that Corporate users can protect themselves from an evil twin attack is by using VPN (virtual private network) when logging into company servers.

References:

  • http://www.watchguard.com/infocenter/editorial/27061.asp
  • http://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)
  • http://www.ericgoldman.name/security/8-exploits-and-attacks/21-evil-twin-attack-explanation
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.4 Analyze and differentiate among types of wireless attacks

Analyze and differentiate among types of wireless attacks

  • Rogue access points 
  • Interference 
  • Evil twin 
  • War driving 
  • Bluejacking 
  • Bluesnarfing 
  • War chalking 
  • IV attack 
  • Packet sniffing

3.2.14 Transitive Access

Transitive access

Transitive – Passing over to or affecting something else.

Transitive access is a problem when inadvertent (and possibly unauthorized) access results for a set of related and authorized access.

With transitive access, A trusts B, if B then trusts C, then a relationship can exist where C is trusted by A).

In a transitive trust relationship, the relationship between A and B flows through such that A now trusts C.

In all versions of Active Directory, the default is that all domains in a forest trust each other with two-way transitive trust relationships.

While this process makes administration much easier when you add a new child domain (no administrative intervention is required to establish the trusts), it leaves open the possibility of a hacker acquiring more trust than they should by virtue of joining the domain.

References:
  • http://dictionary.reference.com/
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

3.2.13 DNS poisoning and ARP poisoning

DNS poisoning and ARP poisoning

DNS and ARP poisoning are types of man-in-the-middle (MITM) attacks, which are types of spoofing attacks. A spoofing attack is an attempt by someone to masquerade as someone else.

Address Resolution Protocol (ARP) cache poisoning (sometimes also known as ARP Poison Routing) allows an attacker on the same network segment (subnet) as its victims to eavesdrop on all network traffic between the victims.

ARP poisoning, tries to convince the network that the attacker's MAC address is the one associated with an IP address so that traffic sent to that IP address is wrongly sent to the attacker's machine.

In ARP poisoning, the MAC (Media Access Control) address table of the victim host is ‘poisoned’ with false data. Incorrect data for a victim host is interjected into the MAC table of the victim host to force the victim to communicate with the wrong host. By faking this value, it is possible to make it look as if the data came from a network that it did not. This can be used to gain access to the network, to fool the router into sending data here that was intended for another host, or to launch a DoS attack.

Any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value. Sending an ARP reply when no request has been generated is called sending a gratuitous ARP. When malicious intent is present the result of a few well placed gratuitous ARP packets used in this manner can result in hosts who think they are communicating with one host, but in reality are communicating with a listening attacker.

For sensitive hosts, you can rely on static ARP entries in your local ARP cache rather than on ARP requests and replies which can be faked.

As a reactive measure, you can monitor the network traffic of hosts using tools such as Snort or xARP.
With DNS poisoning, the DNS server is given information that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted to go to, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning. DNS servers store its information (resource records) either in database files or as cached data. This information can be falsified or ‘poisoned’.

Every DNS query that is sent out over the network contains a uniquely generated identification number that’s purpose is to identify queries and responses and tie them together. This means that if our attacking computer can intercept a DNS query sent out from a target device, all we have to do is create a fake packet that contains that identification number in order for that packet to be accepted by that target.

DNS poisoning is difficult to defend against due to the attacks being mostly passive by nature. Typically, you will never know your DNS is being poisoned or spoofed until it has happened. That being said, there are still a few things that can be done to defend against these types of attacks:

  • Secure your internal machines
  • Defending against internal threats and having a good internal security posture is always good
  • Don’t rely on DNS for secure systems – use local hosts file for sensitive name resolution data
  • Use IDS – monitor your network/host
  • Use DNSSEC – an updated and more secure version of DNS


References: