Last month, evil twin access points (APs) made news. Just as Wi-Fi users were starting to take security seriously (locking down APs, encrypting traffic...) they may have undermined their newfound awareness by unwittingly hopping onto insecure networks.
Evil twin hotspots prey on users who like to stray out of the watchful eye of security administrators.
It goes without saying that a jaunt to the local coffee shop has its perks and enjoying a breezy spring afternoon at the park instead of the office is a nice change of pace. Despite the pleasant surroundings, however, it's not a time to let your guard down.
The concept is actually fairly straightforward. A schemer sets up an access point (AP) that overpowers a legitimate one, passing it off as a bona-fide hotspot. Before you know it, users log on, and as any network administrator knows, it's only a matter of using the right tools to pry data from the packets that fly across the network.
"Foolish users!", you may think. Unfortunately, evil twins also pose a risk to a company's network. How so? They let a third party harvest valid username/password combinations for any number of web-accessible applications and assets.
In this spotlight thread, AO members discuss how to evade the dangers posed by this breed of AP.
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
zencoder offers some common-sense advice on avoiding the evil twin's wrath...
How do you guard against one? Normal wireless or shared network security practices. Would you go check your email, do some online banking, and log in to several web site accounts if you were at a huge LAN party? Then why do it when connected to a public access point? Seriously, this is basic network security discipline.
If you do these things, you are at a huge risk. I know people who run packet sniffers at LAN parties as a matter of habit. I've been known to observe traffic at public hotspots myself while testing a VPN tunnel.
This is a re-branding of a basic Man-in-the-Middle (MITM) attack.
They're becoming quite common, especially with all of the HotSpots that are popping up everywhere. I've even seen such attacks attempted in different apartment complexes where I have friends.
Such attacks are actually quite simple to do. A MITM attack, at the most basic level, is when an attacker fools both a sender and receiver into thinking they are communicating with one another when, in fact, the attacker is actually intercepting all traffic sent between the two devices. For wireless networks, the attacking device typically involves the use of a rogue access point (AP).
First, the attacker deauthenticates the wireless client from the access point by spoofing their MAC address, which was collected by sniffing the packets sent between the device and the access point. At the same time, the attacker notifies the client device that they were deauthenticated by spoofing the AP's MAC address. This requires the client to reauthenticate with the AP. Instead of reassociating with the AP, however, the client authenticates with the rogue AP set up by the attacker while the rogue AP reassociates with the legitimate AP acting as the client. The rogue AP then grants the client's reassociation request, thereby becoming a go-between for the two devices. This allows the attacker to not only modify any packets sent or received by the client, but also intercept any authentication information such as WEP keys or WPA authentication schemes.
The best way to prevent a MITM attack is to utilize server host authentication, which prevents an attacker from being able to impersonate the access point because they do not have access to the AP's private key. This is actually something that is currently being developed as part of the IEEE 802.11i standard.
bogdand offers some more tips.
Check the AP settings if possible:
SSID, authentication method open/shared -- both easy to counterfeit or re-broadcast.
WPA/WPA-PSK/etc. -- require additional skills and tools to be decrypted without using the same key. An encrypted flow of data will pass through the redirecting rogue AP so it will be more "secure", requiring decryption after sniffing and dumping data.
Check the Authenticity Certificate used by the AP (if used) and by the Web Site that you are visiting, be suspicious if flapping occurs.
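The "check the AP settings" advice above can be turned into a small client-side check. The script below is an added example, not code from the thread or from AntiOnline: it compares the access points seen in a scan against a hypothetical list of APs the user has previously trusted and flags look-alikes (a trusted SSID advertised by an unknown BSSID, a known BSSID whose security mode has changed, or an open AP reusing the name of an encrypted one). The scan records, BSSIDs and trusted list are all constructed.

```python
# Added example (not from the AntiOnline thread): a minimal evil-twin checker
# run over constructed scan results. All BSSIDs and SSIDs below are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class APRecord:
    ssid: str
    bssid: str      # AP MAC address as a scanner would print it
    security: str   # "open", "wep", "wpa-psk", "wpa-eap", ...
    channel: int


# Hypothetical trusted list saved when the user first joined each network:
# (SSID, BSSID) -> security mode seen at that time.
TRUSTED = {
    ("CoffeeShop", "00:11:22:aa:bb:01"): "wpa-psk",
    ("ParkWiFi", "00:11:22:aa:bb:22"): "wpa-eap",
}


def check_scan(scan, trusted=TRUSTED):
    """Return a list of (bssid, reason) for APs that look like evil twins."""
    findings = []
    trusted_ssids = {ssid for ssid, _ in trusted}
    by_ssid = {}
    for ap in scan:
        by_ssid.setdefault(ap.ssid, []).append(ap)
    for ap in scan:
        key = (ap.ssid, ap.bssid)
        if key in trusted:
            if trusted[key] != ap.security:   # same AP identity, weaker/different crypto
                findings.append((ap.bssid, "security mode changed from %s to %s"
                                 % (trusted[key], ap.security)))
            continue
        if ap.ssid in trusted_ssids:           # trusted name, unknown radio
            findings.append((ap.bssid, "unknown BSSID advertising trusted SSID %r" % ap.ssid))
            continue
        # Untrusted name: still flag an open AP that duplicates an encrypted one.
        others = [o for o in by_ssid[ap.ssid] if o.bssid != ap.bssid]
        if ap.security == "open" and any(o.security != "open" for o in others):
            findings.append((ap.bssid, "open AP duplicating encrypted SSID %r" % ap.ssid))
    return findings


SAMPLE_SCAN = [  # constructed scan results
    APRecord("CoffeeShop", "00:11:22:aa:bb:01", "wpa-psk", 6),
    APRecord("CoffeeShop", "de:ad:be:ef:00:01", "open", 6),   # name reused, no encryption
    APRecord("ParkWiFi", "00:11:22:aa:bb:22", "open", 11),    # known BSSID, now unencrypted
    APRecord("Library", "00:11:22:cc:dd:01", "wpa-psk", 1),
    APRecord("Library", "de:ad:be:ef:00:02", "open", 1),      # open twin of an untrusted network
    APRecord("Airport", "00:11:22:ee:ff:01", "open", 3),      # open, nothing to compare against
]

if __name__ == "__main__":
    for bssid, reason in check_scan(SAMPLE_SCAN):
        print(bssid, "->", reason)
```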
Encountered any evil twins in your travels? Discuss them here.