Wireless Hacking At 30,000 Feet - Without a Wireless Network!
By Daniel V. Hoffman, CISSP, CWNA, CEH

The Scenario

Without question, travelers use their laptop computers while flying. This is perceived as a safe environment, since the vast majority of flights do not yet have wireless/satellite Internet access available to passengers. Consequently, to the typical traveler, the biggest security threat is somebody reading data off their computer screen. What they don't realize is that a savvy wireless hacker can exploit their system in this environment without their knowledge.

 

It is well known that to configure a connection to a wireless network in Windows XP Zero Config, you go to Network Connections and add a network to the Preferred Networks section. You can also simply connect to a wireless signal displayed in Available Wireless Networks; upon connection, that network is added to your Preferred Networks list. From then on, Windows XP automatically connects to that network each time it is sensed, using the configuration information stored in that Preferred Network "bookmark." You probably know this. What a typical laptop user does not realize is what occurs from that point forward: Windows Zero Config routinely, automatically and without the end user's knowledge sends a probe request into the air to see whether that particular network happens to be available. When it is available, it connects. When it's not, it waits and tries again by sending another probe request.
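To audit what a laptop discloses through these probe requests, the following added example (not part of the original article) parses 802.11 probe request frames and lists the network names each client asks for by name. The function names are hypothetical and the sample frames are constructed inline; it assumes bare 802.11 frames with no radiotap header and no FCS.

```python
import struct
from collections import defaultdict

PROBE_REQUEST = 0x40   # frame-control byte 0: version 0, management, subtype 4
HEADER_LEN = 24        # frame control, duration, 3 addresses, sequence control

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a bare 802.11 probe request, else None."""
    if len(frame) < HEADER_LEN or frame[0] != PROBE_REQUEST:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    pos = HEADER_LEN
    while pos + 2 <= len(frame):                        # walk tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                                 # truncated element
        if tag == 0:                                    # SSID element
            return (mac, value.decode("utf-8", "replace")) if length <= 32 else None
        pos += 2 + length
    return None

def leaked_networks(frames):
    """Map each client MAC to the network names it asked for by name."""
    leaks = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:      # empty SSID is a wildcard probe: no name leaked
            leaks[parsed[0]].add(parsed[1])
    return dict(leaks)

def build_probe(mac: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame: broadcast probe request with SSID and rates."""
    bcast = b"\xff" * 6
    header = struct.pack("<BBH", PROBE_REQUEST, 0, 0) + bcast + mac + bcast + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

LAPTOP, OTHER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [                                # constructed capture, not real traffic
    build_probe(LAPTOP, b"ExampleAirportWiFi"),
    build_probe(LAPTOP, b"ExampleHotel"),
    build_probe(LAPTOP, b""),
    build_probe(OTHER, b""),              # wildcard only: discloses nothing
    b"\x80" + b"\x00" * 40,               # beacon, ignored
]

if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE).items():
        print(mac, "discloses", sorted(names))
```

Every name reported for a client is a Preferred Networks entry that anyone within radio range can read; a client that sends only wildcard probes does not appear in the result.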

The Hack

Let's say you are on an airplane and you open your laptop to do some offline work. Unbeknownst to you, this probe request is being sent out on a routine basis, seeking the wireless network(s) you have defined in your Preferred Networks section. Another, malicious person on the plane is also using a laptop and running a program called HotSpotter. This program sees those probe requests, compares them against a list of well-known SSIDs, then turns itself into a wireless access point with the SSID matching the wireless network(s) in your Preferred Networks list. As a result, your laptop can automatically become connected to the hacker's "wireless network" while you work offline. If you don't have a personal firewall running and are not patched completely, you can be easily hacked in a situation where you probably feel quite safe.

The Tools

  • Laptop with wireless card that supports HostAP.

  • HotSpotter program with scripts to run DHCP (HotSpotter program is available as part of the Auditor security collection, available at: http://www.remote-exploit.org/index.php/Auditor_main)

  • Program(s) of choice to exploit the victim's system once they are connected to your WLAN. I also recommend the Auditor security collection for this, as it has many different tools in this regard.

The Prevention

  • An up-to-date and always running enterprise-grade personal firewall with IDS/IPS capability - This would prevent access from unwanted systems and also detect actions that a hacker would be using in an attempt to gain access to the system.

  • A properly configured system that is completely up-to-date with security patches/fixes - Hackers gain access to systems by running exploits that take advantage of vulnerabilities. Such vulnerabilities would not be present if the machine were patched and running properly configured antivirus as well as antispyware. These security programs should also scan in real time and be set to automatically update their respective definition files. Often hackers will break into a machine and install malware (keyloggers, system monitors, remote control applications); properly maintained security programs will be able to detect when this is happening, remove the suspect malware and notify the end-user that a threat was detected.

  • Utilize client security policy enforcement software - Components such as McAfee's EPO and Fiberlink's Extend360 ensure that all security services are running from startup to shutdown and that these services are always up-to-date.

  • Disable the Wi-Fi adapter - Only enable your Wi-Fi adapter when you are purposely attempting to make a connection. Considering how Wi-Fi utilities operate, a wireless connection can be established without any action from an end-user. This is dangerous for many reasons. This single step would provide extraordinary protection against a HotSpotter attack.

Coming Next Month: Essential Wireless Hacking Tools

Questions or comments can be sent to Daniel V. Hoffman, CISSP, CWNA
© 2008 The Ethical Hacker Network