Wireless trespasser stopped dead in his tracks

By Andrew R. Hickey, News Writer
01 May 2006 | SearchNetworking.com

"Oh lord!"

Those were the first words out of Ned Allison's mouth one recent afternoon when by chance he spotted a crasher trying to hop onto his network. The exclamation could've been a lot more colorful, but thankfully for Allison, he was on it. He had it under control.

At the time, Allison, vice president of the Sacramento chapter of the Information Systems Security Association, was working as a network and security expert at a high-profile California state agency. He won't name the agency, but he said it's a government agency with a network containing critical state data. Allison is also a Certified Information Systems Security Professional, the premier vendor-agnostic information security certification.

The agency had made a request to bring wireless scanners into the warehouse. Since the warehouse is on a major thoroughfare with a lot of wireless activity, however, some deemed the barcode readers a security risk because the information they transferred would contain financial data. But as Allison is quick to point out: "Security is meant to enable business, not disable it." So he forged on.

Still, Allison noted that the agency is snugly settled in a neighborhood with a "fairly rich wireless environment," where freeloaders are known to seek out free wireless Internet access. The agency already had two-factor authentication, token, device certification -- you name it -- but the wireless scanners didn't support any of that.

Allison sought a way to establish a barrier in the warehouse so the barcode scanners and their wireless connection would not leak into the street -- a sort of invisible fence. He didn't want anything getting in or going out. He found what he needed with a product from Network Chemistry. The Redwood City, Calif.-based wireless security vendor provided the agency with a system that fences in the warehouse and recognizes valid devices. Any invalid or unauthorized devices that try to get on are trapped in a tarpit.

So, one day -- the "Oh lord" day -- Allison was using that product, Network Chemistry's RFprotect Mobile, to check out the wireless environment in the area. The portable, laptop-based analyzer can be used for site surveys, security assessments, planning sensor locations, and incident responses. It also gives a good overview of wireless activity in the area.

"From my desk, I could see a particular individual brought his system up and tried to connect to the hotel across the street," Allison said. "I was just watching this out of curiosity."

The hotel makes folks pay for access, so the rogue looked somewhere else. He tried a nearby coffee shop. Nope, gotta pay. He tried a few more places. Nope. He tried a passing UPS delivery truck. Nope, the signal was gone in a second.

As the would-be invader systematically moved his way up the street, Allison got the sinking feeling that his network was next.

Just then, he was alerted that a wireless Network Interface Card (NIC) on a computer connected to the wired network was up and broadcasting. The pinging laptop belonged to a database administrator with pretty much unlimited network access.

Though broadcasting with a NIC is a violation of agency policy, the laptop was brand new and still in default mode. Because it was new, the laptop's default configuration was set to connect to any available wireless network, including ad hoc and peer-to-peer connections. A broadcasting NIC is a common vulnerability in new Windows operating system machines that are still in default mode. Regardless, a broadcasting NIC meant someone could link wirelessly into the laptop and bridge into the wired network, something Allison certainly did not want, but which almost happened.

"And then he tried to hit a device on my network," Allison said of the potential intruder. "I saw this guy say, 'Ah, fresh meat, I'm going to try to connect.'"

Allison made a break for it. Using RFprotect Mobile and its QuickLocate feature, he was able to physically track down the broadcasting laptop one floor up and a few doors down. He was fast enough to find the machine, gain administrative access, and shut down the NIC before the wireless snoop could get in, thwarting the attack and preventing unauthorized network access.

"Because I had this here," Allison said, "I was able to walk up and prevent the intrusion."

While Allison can't say for sure the person trying to connect to his network had any malicious intent -- probably just a cheapskate looking for free wireless -- the consequences could've been huge. The meddler could've gotten in and island hopped throughout the network from the "privileged network station" he was trying to tap into. That would've given him access to most network data. Also, had the trespasser done anything illegal while on the agency's network, Allison and his crew would've been responsible because they were the network hosts.

Allison credits putting the kibosh on the intrusion to being in the right place at the right time, and though stressful, the incident gave him enough proof to convince upper management that Network Chemistry's products are necessary tools. A short time after the near-breach, the agency deployed Network Chemistry's RFprotect Distributed system, purpose-built sensors for 24/7 intrusion detection and prevention. Allison said he and others no longer have to rely on dumb luck or manual blocking to protect against attacks because the RFprotect system automatically provides wireless threat protection.

"It was a very great eye-opener here for people to understand how vulnerable we were to this particular issue," he said.

The entire thing, from watching the would-be hacker try the hotel to shutting down the NIC card, took roughly five minutes. But watching it all unfold, Allison said, seemed much longer.

"I was literally watching him walk up the street," he said. "I went from 'This is kind of neat,' to 'Oh lord, here's someone on my network pinging.'"
