United States
Web App Attacks: Sneaking in the Front Door
WatchGuard Technologies, Inc.
WatchGuard Technologies, Inc.
Products  

Security Articles

Video Tutorials

WatchGuard Feeds

White Papers

Case Studies

Network Security Glossary

Dustin and the Secret Plans (Part 2)

by the LiveSecurity Content Team

If Nandi had been a cartoon, floating question marks would hover over his head right now.

He had just booted up the VAIO laptop Dustin had dropped off, preparing to install ZoneAlarm, McAfee anti-virus, and WatchGuard's latest Mobile User VPN client, when he noticed an icon in the System Tray that none of the other company laptops had displayed. The icon showed a series of yellow bars increasing in height, and he first wondered if it depicted the laptop's battery level.

The cartoon question marks morphed into a little floating light bulb when he realized the icon indicated signal strength. By golly, this machine had a built-in wireless NIC.

Nandi installed the security software, distracted by the presence of the wireless card. Wireless technology fascinated him. His little network at home was completely wireless, even down to his network-adapted Xbox. But because of Dustin's stand against WLANs, Nandi never got to play with wireless at work.

In five minutes the software install was done, but Nandi kept the VAIO in his lap. He was thinking about the war chalking symbol he'd noticed earlier in the parking lot. This was too good an opportunity to pass up.

He plugged his network's Ethernet cable into the freshly-scanned laptop. In seconds, he logged on, opened Internet Explorer, quickly surfed to a Web site, and downloaded Network Stumbler. After a quick trip through the Install Wizard, Nandi unplugged the Ethernet cable and was ready for some educational "war walking."

He put the VAIO in sleep mode and closed it for ease of transport, set it down so he could shrug into his overcoat, then grabbed the laptop and hurried for the parking lot.

As he pushed open the glass door leading out of the lobby, icy air embraced him as if he had stepped into a refrigerator. He shivered and quickened his pace.

Jogging right to get around AMI's building, Nandi could see the length of the business park in the dusk. Across the expanse of asphalt, roughly three football fields long, a suburban retail district backed up to the park, petro-carbons wrinkling and wiggling the variously colored neon signs against the cobalt-blue sky.

Five minutes later, exhaling clouds of steam, Nandi arrived at the chain link fence separating the business park from the back of the retail area. Over the fence, trendy cafes and overpriced clothing boutiques jostled up against Starbucks, Starbucks wanna-bes, and defy-all-business-logic specialty shops.

He opened the laptop, tabbed until the NetStumbler icon was highlighted on the desktop, and hit Enter. NetStumbler popped open a window showing several columns. At first they were empty. But as he watched, the wireless NIC in the laptop, searching automatically for an access point, began to find signals. Two minutes later, the NIC had acquired signals for nine networks, which NetStumbler listed like this.

One column, labeled Encryption, indicated whether a given device's signal was encrypted or not. Only three of the networks had WEP turned on, meaning, the rest were transmitting in the clear. The signals were all weak, but when Nandi selected the SSID labeled "T-Mobile" and pressed his Connect key, eventually the Starbucks log-on screen appeared. "Ha!" Nandi exclaimed. "It is as easy as I have read!"

He pivoted slowly, watching the NIC acquire more signals at the outermost edge of their range. On a whim, he turned the laptop sideways, pointing its wireless stub antenna toward the sky, and picked up a new SSID, Tower Records 3. It obviously must emanate from the three-story Tower Records building visible in the retail area.

He wished he could wander the business park for hours catching signals, but the wind chill was cutting through him. Nandi's ungloved hands were freezing despite the warmth of the laptop. He hurried back across the parking stripes, under the sulfurous glow of the parking lot's lamps.

As he approached the flank of AMI's building, two new SSIDs popped onto his screen: "AMI-AP03" and "default." Neither was encrypted. The signals were strong and getting stronger.

Nandi shook his head, thinking, This is not the way to guard America's secrets. What kind of nincompoop would install a wireless network, leave the SSID at default, and not even turn on WEP? WEP was weak, but it was better than nothing.

Why, Kunstler & Sons was doing better at protecting their secret new cutting-edge trombone technology than this military vendor was doing protecting its life-and-death secrets. Nandi wondered who had done such a poor job. Despite his nobler instincts, he cursored up to "default." Then he double-clicked the icon in the System Tray that opened the wireless NIC's monitoring utility. It displayed the connection's Link Quality and Signal Strength:

As he walked alongside the AMI wall, the signal strengthened steadily, above 40 percent, above 50 percent.

Nandi halted between AMI and K & S, where the smokers had talked hours earlier. He waved the laptop like a divining rod, searching for the strongest signal. It was fully dark now. With the brightly-glowing screen hampering his night vision, he couldn't see where he was. He hoped that he wouldn't trip over a curb or a shrub as he began walking toward the signal's source.

Boink, it jumped to 79 percent. Several steps later, it maxed out.

Nandi looked up from the screen, but couldn't see a thing. A concrete wall, right in front of him, filled his vision. Disoriented, he assumed he was facing AMI. But when he stepped back and craned his neck to verify his location, somehow, he was facing the corner of Kunstler & Sons' building.

Confusion touched off a slow panic inside Nandi. Trying to understand, he stared from the AMI building to the K & S building and back, as if the buildings were having a tennis match. Wait, what network was this "default" SSID on? Cold hands bumbling the laptop, freezing fingers typing awkwardly, he brought up the Command Prompt and entered, ipconfig /all:

Windows 2000 IP Configuration Host Name............: VAIO_Lap
	Primary DNS Suffix . . . . . . . : K-S.net
	Node Type . . . . . . . . . . . . : Hybrid
	IP Routing Enabled. . . . . . . . : No
	WINS Proxy Enabled. . . . . . . . : No
	DNS Suffix Search List. . . . . . : K-S.net
									   
inside.K-S.com
Ethernet
adapter Local Area Connection 2:

Connection-specific
DNS Suffix . : inside.K-S.com
	Description . . . . . . . . . . . : Agere Wireless Ethernet
	Physical Address. . . . . . . . . : 00-00-00-A5-8C-6E
	DHCP Enabled. . . . . . . . . . . : Yes
	Autoconfiguration Enabled . . . . : Yes
	IP Address. . . . . . . . . . . . : 192.168.0.223
	Subnet Mask . . . . . . . . . . . : 255.255.255.0
	Default Gateway . . . . . . . . . : 192.168.0.1
	DHCP Server . . . . . . . . . . . : 192.168.0.10
	DNS Servers . . . . . . . . . . . : 192.168.0.12
									   
192.168.0.13
	Primary WINS Server . . . . . . . : 192.168.0.3
	Secondary WINS Server . . . . . . : 192.168.0.4
	Lease Obtained. . . . . . . . . . : Wednesday, February 19, 2003 2:25:07 PM
	Lease Expires . . . . . . . . . . : Saturday, February 22, 2003 2:25:07 PM

The response displayed the same subnet mask Kunstler & Sons used, the exact same IP address as their default gateway, the same WINS server, the same DNS server --

Staring at the VAIO's screen, he suffered an odd brew of horror, embarrassment, and pain. Suddenly he sounded just like Ozzy Osbourne, except instead of shouting "Sharon!" he was running for his office and shouting "Dustinnn!"

* * * * *

Dustin stood in his office, trying to figure out what to do next. Had he just heard his name? He stepped into the IT bullpen in time to see Nandi running in, one big flapping peacoat with an open laptop. "Nandi! You're still here! I'm glad, because we have --"

"--a rogue AP on our network! How did you know?"

"I was checking the Firebox Status Report and it showed a couple dozen Lucent MAC addresses on our network; there's no way that could happen physically. Must be Agere or ORiNOCO wireless cards. How did you find out?"

"This VAIO has a wireless NIC in it. I saw the WAP from the parking lot. It is broadcasting unencrypted."

"Great," Dustin scowled. "What have you got there?" With one big stride, he joined Nandi, so he could see the laptop's screen.

"NetStumbler," Nandi said. "And the wireless card's signal-monitoring utility." He pointed. "Look. Signal strength. We can use it to home in on the AP."

"Yesss!" Dustin said "You rock, Nandi!"

"Who would do this?" Nandi asked. "Do you think it is one of the salespeoples?"

Dustin pictured their puzzled, innocent faces when the Top Secret printout choked their printer. "I doubt it. I've been thinking someone in the factory wanted Internet connectivity, but didn't want any extra wires in their workstation."

"That could be!" Nandi said. "Let us look!"

They crossed the corridor, ignoring the voices of the sales people still at work in the conference room ahead. They took a sharp left and pushed through the doors to the factory floor.

The factory shift had ended an hour ago. A quiet chill reigned in the assembly area. Fluorescent tubes glowed from the high ceiling, but the individual workstation lights were out. Brass parts gleamed here and there in the shadows. "Head for the back?" Dustin suggested.

But five paces in, Nandi said, "The signal is dropping." They kept walking, and he read, "65 percent … 59 … 40."

They about-faced, now heading back to the office area. "60 … 77 … 84."

The signal led them back through the doors into the corridor, which felt cozy warm compared to the factory. "90," Nandi read as they passed the conference room. "99 … It is maxed out."

Dustin planted himself in the middle of the corridor with five office doors and a conference room within three or four paces of him. He mentally reviewed them: Accounting, Sales, in the corner, Kunstler's office --

Dustin and Nandi exchanged looks. As Nandi exclaimed, "Mr. Kunstler!", Dustin moaned, "Junior!"

Dustin strode to the threshold of Kunstler's open door, and rapped on the doorframe.

Kunstler, seated at his desk reviewing PowerPoint print-outs, looked up. "Mr. Barnes!" he greeted jovially. "What's on your mind?"

"Just wondering," Dustin said, trying to keep his voice casual and non-threatening. Meanwhile, his eyes scanned the room, searching for the AP. "While I was gone last week, did somebody set up wireless access to the network?"

Kunstler's eyes lit up. "Yes! Meant to tell you!" He jumped up from his chair, which spun a lazy half turn, revealing something that looked like a high-tech steam iron sitting on the credenza behind him, right in the window. The label on the empty box next to it read, "ORiNOCO RG-1100 Broadband Gateway." "This thing is great. I can give my company presentation from anywhere on the property. I can take notes out on the factory floor. I --"

"Wow," Dustin said mildly. "Um … who installed it?"

Kunstler beamed. "I did! Cool, eh? One of my golfing buddies told me all about it, and helped me make sure I got a really strong signal. In fact" -- a sly smile crossed his face -- "If I drop in a few more of these things, what do I need you guys for?" He laughed.

No one laughed with him.

He stopped.

"Could you come outside for a moment?" Dustin asked.

Kunstler looked puzzled. "Something wrong?"

"I can explain it better outside."

A beat. Kunstler shrugged. "OK. Lead the way."

Dustin and Nandi headed for the lobby. Kunstler, in shirtsleeves, followed. "This won't take long, will it?"

"Two minutes," Dustin called back. He took the laptop from Nandi.

The trio pushed through the lobby door. "Oo! Brisk!" Kunstler said. His breath emitted a cloud of fog, which struck Dustin as appropriate.

The wireless card's monitoring utility showed a very strong signal. He hurried in the arctic air. At fifteen paces, the signal was still strong. He headed east, crossed the parking lot, reached a side street. Headlights lit them as three silhouettes turning south. When the signal had dropped to 50 percent, he was at least a hundred feet from the building.

Kunstler and Nandi caught up with him. "Look," Dustin said. He angled the laptop so the CEO could see. "Wireless works as a radio broadcast. Your Access Point doesn't only point into the building; it broadcasts in all directions." He pulled up Google. "See? I can reach the Internet from here, connected by the AP in your office."

Kunstler looked mildly surprised. "You can?"

"Oh, it gets better," Dustin said. He turned the screen toward himself, entered a password, and navigated through several directories. Then he said, "Guess what's freely available to anyone who comes by here with a wireless laptop?"

He spun the VAIO to give the CEO perfect visibility of Kunstler & Sons' exclusive agreement with the maker of the secret new alloy.

Dustin was freezing to death by now, teeth chattering as passing traffic whipped up frigid gusts. But it was worth it, just to watch Junior blanch so pale that his ashen face glowed in the dark.

* * * * *

The next morning, Dustin contentedly hummed The Simpsons theme to himself as he put the finishing touches on his e-mail. He was remembering the episode where Bart sold his soul to Milhouse for five dollars. Dustin had kinda done the same by tricking Kunstler.

Sure, the rogue WAP was broadcasting to the world, but no passing stranger could actually see sensitive documents on the network unless they first authenticated to the domain server. But anyone could see file shares, which was bad enough in Dustin's opinion. That would give an attacker a huge assist in enumerating Kunstler & Sons' network. L0phtcrack's ability to sniff encrypted passwords off the network, then brute-force them, might even yield a network log-on. But getting Junior to understand any of this would require nothing less than a brain transplant. So, Dustin had indulged in a grayhat maneuver, slightly exaggerating the exposure in order to make the desired impression.

Even in his shock, Kunstler had refused to give up his new toy entirely. So Dustin had quickly gotten up to speed on how to secure wireless, by rummaging through the LiveSecurity articles archive. He wished the list of LiveSecurity articles was more organized -- when was WatchGuard going to make the archive searchable? -- but using the LiveSecurity Editorial Index, and the "Security Out of Thin Air" white paper, he'd found everything he needed about how to secure wireless LAN segments. He'd even found an article dumbed down enough for Kunstler to understand on the subject, which he was forwarding right now. And with the "Wireless at Home" article, he had a good idea of how he could protect his network while allowing Kai to keep the wireless card in his VAIO. The new VPNforce Port upgrade on WatchGuard's SOHO 6 looked like it was just the ticket.

Dustin's boss was sending out a strongly-worded memo about the company's Acceptable Use Policy, to end all the illicit uses of company laptops by sales reps: no games, no P2P apps, and no "secret" wireless installations. Best of all, Dustin had an approved PO that would allow him to buy a SOHO6 for each sales rep and remote control software he could use to VPN to each laptop and check periodically for policy violations.

Kunstler's WAP had been moved into the LAN room, and its antenna directed away from the parking lot. Its SSID was no longer "default," nor did it blatantly identify which company owned it, the way AMI's SSIDs did. Ah, AMI. That reminded him.

Dustin dragged the stack of secret documents closer to him on the desk, while picking up the phone. He had spent fifteen snoopy minutes looking through them, enough to understand that they described a gyro-mounted laser system which projected steady beams into the sky so jet fighter pilots could align for an aircraft-carrier landing from miles out in any weather.

The business park offered only one lunch spot, a little delicatessen. Through frequent run-ins with Eric somebody-or-other, AMI's network administrator, Dustin had struck up an acquaintance. Turning to his computer, Dustin displayed Outlook's Contacts list. Moments later, he had his counterpart on the phone. "Eric? Dustin, across the parking lot at Kunstler & Sons."

"Hey! What's up?"

"Looks like your wireless network hiccupped yesterday."

"Huh? How could you know that? It was down for, like, ten minutes!"

Dustin had reasoned that if AMI's WLAN went down, when it came back up some of the wireless clients on the Kunstler & Sons end of AMI's building would have acquired the strong signal from Kunstler's rogue ORiNOCO AP. His guess had just been verified. "Well, strange deal. When your network went down, someone's NIC over there accidentally acquired my wireless segment. Alexa's 250-page, top-secret HawkEyes document came out of my printer. And you have war chalking symbols outside your office."

A stunned and near-apoplectic silence emitted from the receiver.

"And if you would like to know my leet hax0r secrets on how to prevent that from happening again," Dustin continued, "all it will cost you is a couple of beers." Seeing Nandi walk into his office with the VAIO, Dustin added, "And a couple of ginger ales."

Eric finally recovered enough to speak. "I'll be right over."

Dustin hung up and grinned.

"How does our wireless defense go?" Nandi asked.

Dustin sat back and templed his fingers. In Mr. Burns' voice, he replied, "Ex-cellent!"