Wednesday, March 17, 2010

Understanding the enemy

The wireless network’s inherent vulnerabilities, in and of themselves, aren’t
necessarily bad. The true problem lies with all the malicious hackers out
there just waiting to exploit these vulnerabilities and make your job — and
life — more difficult. In order to better protect your systems, it helps to
understand what you’re up against — in effect, to think like a hacker. Although
it may be impossible to achieve the same malicious mindset as the cyberpunks,
you can at least see where they’re coming from technically and how
they work.

For starters, hackers are likely to attack systems that require the least
amount of effort to break into. A prime target is an organization that has just
one or two wireless APs. Our findings show that these smaller wireless networks
help stack the odds in the hackers’ favor, for several reasons:

- Smaller organizations are less likely to have a full-time network
  administrator keeping tabs on things.
- Small networks are also more likely to leave the default settings on their
  wireless devices unchanged, making them easier to crack into.
- Smaller networks are less likely to have any type of network monitoring,
  in-depth security controls such as WPA or WPA2, or a wireless
  intrusion-detection system (WIDS). These are exactly the sorts of things
  that smart hackers take into consideration.

However, small networks aren’t the only vulnerable ones. There are various
other weaknesses hackers can exploit in networks of all sizes, such as the
following:

- The larger the wireless network, the easier it may be to crack Wired
  Equivalent Privacy (WEP) encryption keys. This is because larger networks
  likely receive more traffic, and an increased volume of packets
  to be captured thus leads to quicker WEP cracking times. We cover WEP
  in-depth in Chapter 14.
- Most network administrators don’t have the time or interest in monitoring
  their networks for malicious behavior.
- Network snooping will be easier if there’s a good place such as a crowded
  parking lot or deck to park and work without attracting attention.
- Most organizations use the omnidirectional antennae that come standard
  on APs — without even thinking about how these spread RF signals
  around outside the building.
- Because wireless networks are often an extension of a wired network,
  where there’s an AP, there’s likely a wired network behind it. Given this,
  there are often just as many treasures on the wired network as on the
  wireless network, if not more.
- Many organizations attempt to secure their wireless networks with routine
  security measures — say, disabling service-set-identifier (SSID)
  broadcasts (which basically broadcast the name of the wireless network
  to any wireless device in range) and enabling media-access control
  (MAC) address filtering (which can limit the wireless hosts that can
  attach to your network) — without knowing that these controls are
  easily circumvented.
- SSIDs are often set to obvious company or department names that can
  give the intruders an idea which systems to attack first.

Throughout this book, we point out ways the bad guys work when they’re
carrying out specific hacks. The more cognizant you are of the hacker mindset,
the deeper and broader your security testing will be — which leads to
increased wireless security.

Many hackers don’t necessarily want to steal your information or crash your
systems. They often just want to prove to themselves and their buddies that
they can break in. This likely creates a warm fuzzy feeling that makes them feel
like they’re contributing to society somehow. On the other hand, sometimes
they attack simply to get under the administrator’s skin. Sometimes they are
seeking revenge. Hackers may want to use a system so they can attack other
people’s networks under disguise. Or maybe they’re bored, and just want to
see what information is flying through the airwaves, there for the taking.

The “high-end” uberhackers go where the money is — literally. These are the
guys who break into online banks, e-commerce sites, and internal corporate
databases for financial gain. What better way to break into these systems than
through a vulnerable wireless network, making the real culprit harder to trace?
One AP or vulnerable wireless client is all it takes to get the ball rolling.
