Segmented Mobile Data

Segmented Mobile Data networks can be found in retail environments for mobile point of sale, hospitals for critical bedside services, warehouses for inventory and logistics, or many other types of environments.  The main idea behind the use of a segmented mobile data network remains to isolate critical data; or to isolate weaker security technologies from the rest of the wireless network.  Regardless of the reasoning, the goal is the same: keep these networks separated from everyone else.  The most critical design decision, therefore, needs to be on the backend – deciding how exactly to segment these networks off.

Professional grade wireless infrastructure like the Cisco 5500 or Motorola RFS7000 is capable of two completely separated WLANs using the same equipment, which is a commonly used technique in such a design.  The infrastructure has an internal firewall that is used to prevent traffic from crossing between the two networks, and can use VLAN tagging to carry back to the main network using a shared WAN connection, or can use two entirely separate WAN connections.  Either way, the infrastructure is functioning as the separation device.  This also generally needs to be backed up with a firewall on the wired infrastructure side, restricting the data flows from the segmented WLAN into the enterprise.

Another alternative is to use two entirely separate pieces of hardware, with two separate physical connections back to the enterprise.  Depending on the needs of your organization, this may be required; if two physically separated wired LANs are deployed, bridging them with a WLAN device may not align with the networking vision.

The type of protection necessary for the the segmented data network again comes down to the technology available.  For data subject to technical compliance concerns, such as PCI-DSS or HIPAA, the stronger the better.  At minimum, WPA2-AES with pre-shared keys can suffice, although a certificate-based authentication solution is always preferable from a strict data security perspective.

If the network is being segmented due to equipment that cannot support strong encryption and authentication technologies, use the strongest available.  Unfortunately, many types of legacy equipment used in warehouses today cannot support WPA2-AES, or even WPA-TKIP – some may be stuck using WEP!  The weaker the level of protection, the more careful your segmentation on backend should be.

Guest Internet Access

Guest internet access generally is provided by a “hotspot”.  Users connect to an unencrypted network, and are sent to a captive portal page, where they can either login with pre-assigned credentials, or accept a terms of service and proceed without any credentials necessary.  Either way, authentication on such a network is accomplished only at the application-level, and there is no data protection provided by the WLAN itself.  As such, these networks should be treated as untrusted and kept firmly segmented from the enterprise, using the techniques described above.

A popular alternative deployment method for hotspot guest wireless networks is to use an entirely separate physical network for guests.  This can dramatically increase the infrastructure costs, but it accomplishes pure segmentation.  A typical use case for this type of physical segmentation would be a cafe or retail environment that wants to provide guests internet access, but doesn’t want to expose any of their business network.  Purchase a separate internet backhaul and configure a Wireless LAN dedicated to this network only.

If your business is subject to compliance regulations, such as PCI, I would strongly recommend using a physically segmented network for guest access.  While this increases capital expenses, it makes scoping activities related to compliance dramatically simpler.  When dealing with auditors, it is always advisable to have clear-cut boundaries around your critical data, and physically isolating any guest network is an easy way to do so.

Summary

Both of these network types rely on the network administrator segmenting the WLAN from the rest of the network.  It’s temping to plug an access point into an unmanaged switch and have the wireless “just work”, but this can open the network to many avenues of attack.  Assume the worse case at the beginning – that your WLAN is compromised – and design its place in the overall enterprise network to minimize the damage that an attacker could do from there.

To meet these requirements, I use a combination of Dropbox (http://www.dropbox.com), Keepass (http://keepass.info/), and Truecrypt (http://www.truecrypt.org/). I use Dropbox as a portable ‘Program Files’ directory where I install portable versions of Keepass and Truecrypt. This allows me to have my ‘Program Files’ directory replicated on all systems where the Dropbox client is installed (for backup purposes, I usually have my Dropbox account synchronized to 2 different systems).

I use Truecrypt to create an encrypted partition on the USB drive (using AES for encryption and HMAC-SHA-512 as a hash algorithm). The volume key used to encrypt/decrypt the partition is then stored as a password in my Keepass database (which is also stored in my Dropbox).

As long as the Dropbox is synchronized between my test systems, switching from one system to the other is as simple as plugging the USB drive in and launching Truecrypt/Keepass from my Dropbox.

Here’s my step by step instructions to replicating this setup on a Windows XP/Vista/7 system (I assume you already have Dropbox installed on your system):

1. Create a ‘Programs’ directory in your Dropbox folder. In this folder, create 2 subdirectories, ‘Keepass’ and ‘Truecrypt’.
2. Copy the portable versions of these programs into their respective folders (Truecrypt does not have an explicit ‘portable’ distribution, rather download the setup file here and choose the ‘Extract’ option when running the setup, Keepass on the other hand provides a portable version that can be downloaded here).
3. Launch Keepass and create a new password entry for the portable drive. I suggest using the Password generator function to generate the password. Note that since this password is used as an encryption key, I recommend selecting all available characters for generating the password and using the maximum key length (64 characters).
4. Plug in the portable USB drive that will contain the encrypted partition (note: this has only been tested with USB hard drives; I have not tested this with smaller USB flash drives).
5. Launch TrueCrypt and use the ‘Create Volume’ button to launch the new volume creation wizard. I recommend writing down the path to the volume being created to make it easier to mount later. For my personal setup, I chose to create a regular (non-hidden) partition using AES and SHA-512 for encryption and as a hash algorithm. When prompted for the volume password, use the password entry created in Keepass.
6. The volume is now created!

To actually mount the encrypted partition, start Truecrypt and select an available drive entry. Select the encrypted volume from the Volume list then click ‘Mount’. When prompted, enter the password from the Keepass password entry.

Note that regardless of which system was used to create the encrypted partition, you can mount it on any other system as long as you have access to Truecrypt and your volume password.

For the uninitiated, though, here’s a brief summary: using Google (or any other search engine – but really, is there any other?) to find vulnerable web apps, personal information, mp3s in public directories, etc etc.  It’s great fun, and a pretty fundamental initial step of profiling an attack target.

Johnny Long was one of the main evangelists of this method and has a great database of search terms.  It’s no longer actively maintained, but you can still find plenty of good information with this as a starting point!

So Google hacking is great, but it only gets you to the public internet.  What if I wanted to profile the inside of a company, from the outside?  And passively – without hitting their servers myself?  Wouldn’t it be great if I could look for public information shared by company insiders?

Delicious seems almost perfectly designed to do this kind of activity.  For the unfamiliar, delicious is an online bookmarking site, designed around the idea that sharing bookmarks is a great way to learn about new sites.  Which is an alright idea…  but don’t people also bookmark a lot of private information?  I sure do!

Making matters worse, delicious encourages users to get started by uploading their browser bookmarks.  Essentially uploading gobs of potentially personal data to a public site.  This is a classic case of information leakage.  A dedicated attacker can use this public information to get all sorts of juicy tidbits about a company.

Let’s do some examples.  This all works great in theory, but, like Google, there is a LOT of data to sort through.  Say I’m a bad guy interested in insider information about a company.  I can start looking for the basics – say… “intranet”.  Delicious makes this easier by encouraging users to tag their posts for easy categorization:

http://delicious.com/tag/intranet

So that gives me everything that users have tagged with ‘intranet’.   Lots of sites about intranet design, usability, etc.  But also sites tagged by users to manage their own bookmarks!  So I’ll start digging into an individual company… how about AMD?

http://delicious.com/search?p=amd&u=&chk=&context=recent&tag=intranet

The first result doesn’t look interesting, but the second and third, well those sound like intranet sites!  This is confirmed by trying to follow them through and the DNS not resolving.  Nice!  Now let’s see what else this presumed AMD employee has bookmarked…

Wow, lots of development related links!  Interesting.  And what’s that link on page 2 about “AMD Manager Toolkit” ??  This fellow looks like he’s a technical manager at AMD!

Dig a little deeper, and it looks like we have another intranet site – mentioning the (presumably internal) code name of a project.  Interesting!  Go further into the links, and you see even further links to internal project Wiki pages.

Surfing around to a few of the non-intranet sites gives me an even better profile of this person.  They work with unit testing.  They use UML, C++, and Ruby, and read a lot about circuit design.  They live in India.  They’re learning guitar, and are interested in martial arts.

This may seem like innocent information to an outsider, but if I was doing this for espionage purposes, I just learned a lot about the internal operations of a project – and this is with 10 minutes of work on one webpage.  What else could I find if I dug through the internet further?

Web 2.0 is a lot of fun, and can be really useful.  But what’s often overlooked are the implications of sharing all this information.  Unless you make it a point to protect your privacy, that privacy probably doesn’t exist.  And for businesses, this can be a major potential risk.

Delicious certainly doesn’t help stop this – according to the FAQ, you cannot make your links private by default, but instead must manually edit them to make them private.  And also, the TOS leaves responsibility entirely in the hands of the users.  Very laissez-faire!

Should companies ban employees from using sites like delicious?  Probably not.  But I think that this demonstrates that employees need to be more educated on what they are exposing themselves and their employer to when using social networking sites.

BUT making things more interesting- this was an “optional” update with XP SP2, until it was finally rolled into XP SP3.  There is a hotfix for XP SP2 machines in order to support WPA2 – KB 893357.

WPA2/AES didnt’ really become widely implemented until 2006, but it was in the 802.11i spec that introduced WPA in 2004.  For a major vendor like MS to not implement it is pretty crazy.  But then again I, as a wireless security professional, didn’t setup a WPA2/AES network in my home until last month.  So maybe they were onto something.

Anyways, if you’re using XPSP2 and a WPA2 network – you need the hotfix, or XPSP3+.  Good luck out there!  I really recommend moving to WPA2/AES, especially considering the improvements in the Nvidia CUDA drivers that are allowing TKIP to be broken in an increasingly short amount of time.

The COMPAT-WIRELESS project pre-packages the latest wireless code as loadable kernel drivers on a (near) daily basis. This is a convenient way to download pre-patched and archived source… but in order to get the most recent changes (as they are committed) you have to pull the source directly from the kernel.org GIT tree. GIT is a code versioning system similar to CVS, SVN, Bazaar, etc. Below is a simple example of how to do this and compile / install the code. I’m writing this from an Ubuntu installation, but the same concepts should work on other distros. This isn’t an especially difficult process, but it isn’t necessarily obvious either.

There are a few prerequisites for the below instructions to work correctly:

• Kernel greater than 2.6.21

• Kernel headers (“apt-get install linux-headers-generic” in Ubuntu)

• Build tools (“apt-get install build-essential” in Ubuntu)

1. Make a new directory and clone the source trees:

mkdir wireless-testing
cd wireless-testing
git clone git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-testing.git
git clone git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/compat-wireless-2.6.git

2. Make the packages

cd compat-wireless-2.6
export GIT_TREE=../wireless-testing
scripts/admin-update.sh
make

3. Install

cd compat-wireless-2.6
sudo make install

4. Update and repeat steps 2-3 when you want the latest and greatest

cd wireless-testing
git-pull
cd ../compat-wireless-2.6
git-pull

After step 3 you can try reloading the modules dynamically by running “make unload” and “make load” but this probably won’t work if you’re currently using your wireless drivers. Your best bet is to reboot your machine. You can confirm that you’re running the new(er) drivers by listing your kernel modules and look for the mac80211 module.

lsmod | grep mac80211
modinfo mac80211

If there are problems you can uninstall the drivers by running “make uninstall” from the compat-wireless-2.6 directory. Hope this is helpful!