From: Lewis G Rosenthal
To: os2-wireless_users@2rosenthals.com
Date: Mon, 07 Feb 2005 20:43:57 -0500
Subject: [OS2Wireless] CWNA Question of the Week

Hi, Doug. Note my comments, below...

Doug LaRue wrote:

>** Reply to message from Stan Goodman on Mon, 07 Feb 2005 23:13:57 +0200
>
>very interesting but there seems to be much more to this than just the L2/L3 hijack. It said that
>Bill was xfering files to a server on the corporate LAN. This means that the hijacker actually got
>in the middle of Bill and ABCcorp and this means he/she got into the ABCcorp LAN such that Bill
>could think he was xfering files to/from a corporate server. Unless I'm missing something, this is
>a bit more involved hijacking but then again, it's probably a MS Windows LAN and the hijacker has
>probably been in the LAN for far longer than he/she's been in the middle of end users.
>

Absolutely right.
That's what first led me to believe that this was a man-in-the-middle attack, and that the
hijacker was the one who was actually "running" the "server." Yes, they did give more detail
than what was necessary, and a real LAN (NetWare, for example - sorry, my bias is showing)
would make the attacker work hard at getting in.

>The question is, what can we do, or use, to keep an eye on this kind of thing? And can we script
>this up so checks are made every time the wireless network comes up?
>

Well, the first thing I can think of (besides using encryption, which will at best, slow the
attacker down while he cracks the WEP or the WPA - harder, but it can be done), is to make note
of your DHCP server from which you recorded an offer. Check with your IT department to be sure
that this is the only DHCP server on the subnet (there should be only one, unless they've somehow
split the address pool to load balance those poor, lumbering Windows DHCP servers). Use the DHCP
Monitor to see where your address originated.

There is more at stake here, though. Consider the scenario where the L3 attacker is actually
recording packets sent from the WLAN users (as is typically the case - and yes, that is indeed an
L7 attack and not L2/L3). POP3 email usually travels in the clear - including passwords - as does
FTP and SMTP. And should unsuspecting users visit unsecured sites on the 'net and enter sensitive
data ("oh, *that's* what that lock icon thingy is down there!"), well, you get the picture.

Of course, all of this aside, we have the same issue with cell phones. Yes, digital phones are
harder to snoop than analog phones were, but it's still possible. And people say the darnedest
things...

>Doug
>
>
>
>>** Reply to message from Lewis G Rosenthal on
>>Mon, 07 Feb 2005 13:26:48 -0500
>>
>>
>>>I thought this one was worth forwarding to the list. Enjoy!
>>>
>>>*Question of the Week*
>>>
>>>Bill, a wireless LAN end user at ABC Corporation, is transferring a file
>>>over the wireless network to a server. Approximately half way through
>>>the transfer, the transfer suddenly stops. Doing his own initial
>>>troubleshooting Bill finds that his wireless connection is still active,
>>>but he can no longer access the corporate network resources. Confused,
>>>Bill calls the help desk who asks him to check his IP address. Upon
>>>checking the IP address of Bill's workstation they find that his IP
>>>address is on the wrong subnet. The subnet on which Bill's PC is
>>>addressed is not part of the corporate network. The help desk technician
>>>informs Bill that he has been subject to what kind of wireless attack?
>>>
>>>1. Man-in-the-middle
>>>2. L2/L3 Hijacking
>>>3. TCP session hijacking
>>>4. Bit-flipping attack
>>>5. Spread spectrum RF jamming attack
>>>6. Eavesdropping attack
>>>
>>>*Question of the Week Answer*
>>>
>>>Wireless L2/L3 hijacking attacks use a narrowband RF generator to jam
>>>(interfere with) a specific transmission channel forcing users to roam
>>>to another, more usable, channel. This usable channel is the software or
>>>hardware (usually software) access point of the intruder. When the
>>>authorized user makes an association to the intruder, this is deemed a
>>>L2 hijack. Many operating systems such as Windows 2000 and Windows XP
>>>automatically perform a DHCP renewal any time they lose Layer 2
>>>connectivity. For this reason, the intruder can install DHCP server
>>>software on the same laptop in order to give the authorized user an IP
>>>address when one is requested. This is deemed a Layer 3 hijack. The
>>>reason for the Layer 3 hijack is that once the authorized user has an IP
>>>address on the same network segment as the intruder, the intruder will
>>>be able to perform Layer 7 (application layer) attacks against the
>>>authorized user's computer.
>>>
>>>
>>Very clear.
>>Now it's much easier for me to understand why so many people use
>>Windows2000 and WindowsXP operating systems. Horatio Alger was right: "If you
>>build a better mousetrap, the world will beat a footpath to your door".
>>
>>--
>>Stan Goodman
>>Qiryat Tiv'on
>>Israel
>>
>>"When your enemy falls, do not rejoice." -- Proverbs 24:17
>>
>>If a pig loses its voice, is it disgruntled?
>>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>
>>To unsubscribe from this list, send a message to
>>steward@2rosenthals.com with the command
>>"unsubscribe os2-wireless_users" in the body
>>(omit the quotes).
>>
>>For help with other commands, send a message
>>to steward@2rosenthals.com with the command
>>"help" in the body (omit the quotes).
>>
>>This list is hosted by Rosenthal & Rosenthal
>>P.O. Box 281, Deer Park, NY 11729-0281. Non-
>>electronic communications related to content
>>contained in these messages should be directed
>>to the above address. (CAN-SPAM Act of 2003)
>>
>>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>
>

--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLE
Rosenthal & Rosenthal
Accountants / Network Consultants
New York / Northern Virginia              www.2rosenthals.com
Team OS/2 / NetWare Users International       www.novell.com
------------------------------------------------------------
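Doug's question about scripting a check each time the wireless link comes up, worked as an added example (not code from this thread or from the list): a Python post-connect check that compares the lease a client has just received against a baseline recorded earlier from the known corporate DHCP server, as Lewis suggests. Every address below is a constructed sample value, and the lease fields are assumed to have been read from the client's DHCP monitor by some other means.

```python
import ipaddress

# Baseline recorded while on the known-good corporate network (constructed values).
BASELINE = {
    "dhcp_servers": {"10.10.0.5"},            # the one authorised DHCP server
    "subnets": [ipaddress.ip_network("10.10.20.0/24"),
                ipaddress.ip_network("10.10.21.0/24")],
    "gateways": {"10.10.20.1", "10.10.21.1"},
    "dns_servers": {"10.10.0.10", "10.10.0.11"},
}

def check_lease(lease, baseline=BASELINE):
    """Compare a freshly received DHCP lease with the baseline.

    `lease` holds the fields a client gets in the DHCPOFFER/ACK: server_id,
    address, netmask, gateway and a list of dns servers. Returns a list of
    findings; an empty list means the lease is consistent with the baseline."""
    findings = []
    server = lease.get("server_id")
    if server not in baseline["dhcp_servers"]:
        findings.append(f"offer came from {server}, not the recorded DHCP server")
    net = ipaddress.ip_network(f"{lease['address']}/{lease['netmask']}", strict=False)
    if not any(net.subnet_of(corp) for corp in baseline["subnets"]):
        findings.append(f"assigned address {lease['address']} is on foreign subnet {net}")
    gw = lease.get("gateway")
    if gw not in baseline["gateways"]:
        findings.append(f"default gateway {gw} is not a corporate gateway")
    elif ipaddress.ip_address(gw) not in net:
        findings.append(f"gateway {gw} lies outside the assigned subnet {net}")
    for dns in lease.get("dns", []):
        if dns not in baseline["dns_servers"]:
            findings.append(f"DNS server {dns} is not a corporate resolver")
    return findings

# Constructed sample leases: a genuine one, a hijacker's laptop handing out its own
# private range, and a rogue that mimics the corporate addressing but not its servers.
GOOD_LEASE = {"server_id": "10.10.0.5", "address": "10.10.20.37", "netmask": "255.255.255.0",
              "gateway": "10.10.20.1", "dns": ["10.10.0.10"]}
ROGUE_LEASE = {"server_id": "192.168.77.1", "address": "192.168.77.23",
               "netmask": "255.255.255.0", "gateway": "192.168.77.1", "dns": ["192.168.77.1"]}
MIMIC_LEASE = {"server_id": "10.10.20.200", "address": "10.10.20.50", "netmask": "255.255.255.0",
               "gateway": "10.10.20.1", "dns": ["10.10.20.200"]}

if __name__ == "__main__":
    for name, lease in [("good", GOOD_LEASE), ("rogue", ROGUE_LEASE), ("mimic", MIMIC_LEASE)]:
        problems = check_lease(lease)
        print(f"{name}: {'OK' if not problems else 'ALERT'}")
        for p in problems:
            print("  -", p)
```

The mimic case shows why the server identifier and resolver checks matter: an intruder who copies the corporate subnet and gateway still has to answer the offer from, and resolve names on, a box that is not in the baseline.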