Hello David,
Below are the requirements for my assignment.
- The following two discussion questions will need to be answered. Each question must be at least 2 paragraphs long with two references to support your answer, but as long as the question is answered I am not concerned by the length.
- The following two discussion questions answered by students will need responses. The responses should be at least a paragraph and have two references to support your answer. The response can be your opinion and you may disagree as long as your response is provided with some sort of true facts.
I will need this completed by Friday, April 8, 2016, no later than 9pm EST so that I am able to submit through Turnitin.
*If possible, please respond to anything related to the assignment in a Microsoft Word document.*
I am very paranoid and try to minimize anyone being able to trace this back to me considering these questions are open to the public and are searchable on the internet.
*Thank you in advance*
Question 1:
Select one option from A & B below and complete the discussion question.
Option A) Discuss/describe the attacks associated with WEP, WPA, WPA2 or Bluetooth not covered in Module 9. How can these attacks be detected and prevented?
Option B) Enhance and elaborate on the wireless LAN and Bluetooth related security topics covered in Module 9. Share any additional thoughts you may have on them.
*Note: Module 9 Summary Overview attached*
(See Assignment 11.1)
Student Response to Question 1:
Option B) Enhance and elaborate on the wireless LAN and Bluetooth related security topics covered in Module 9. Share any additional thoughts you may have on them.
Week 9's Module introduces the idea of rogue wireless access points (APs) (UMUC, n.d.). The Module's "Rogue Hunt" slide offers two threat scenarios:
- Company employees set up their own unauthorized AP connections that extend the corporate network wirelessly for their own private convenience
- Hackers set up unauthorized access points, providing wireless access to an organization's internal network from the inside, bypassing perimeter firewalls
I would add to these scenarios another type of rogue AP attack called Evil Twin. In this attack, a rogue AP is made available by an attacker, but advertised with an SSID that masquerades as a legitimate and trusted WiFi connection. This could occur in a public setting--perhaps in a cafe or airport (e.g., an Evil Twin hotspot called "Public-Starbucks")--or in a private environment, such as a corporate office (e.g., "Citicorp Wireless") (Cluley, 2015). The fake AP operates as a Man in the Middle (MITM) proxy, capturing passwords and other sensitive data before forwarding traffic along to a victim or server.
Evil Twin is arguably more insidious than a standard rogue AP for several reasons:
- Thanks to its familiar-sounding SSID, an Evil Twin AP proffers itself as trustworthy--which is probably where the "evil" comes from--and for good reason: psychologists have shown that familiarity is a powerful trust anchor, insofar as it reduces perceived uncertainty in the minds of consumers (Gefen, 2000, pp. 726-727; Potter, 2006, p. 54).
- There are roughly 6 million publicly available WiFi hotspots worldwide--plenty of opportunities for cybercriminals to operate (InfoSecurity Magazine, 2013).
- Evil Twin APs may prove harder for the public to detect than typical rogue APs, since users do not necessarily know what is "normal" for a given environment. Where an employee-installed AP might be quickly determined to be rogue once detected (e.g., "This AP should not be here because we don't have a wireless network in this office"), Starbucks visitors probably have no idea if a store offers one hotspot AP or two, one of which could be rogue.
- Erecting an Evil Twin AP does not require any special hardware, other than a wireless laptop; there is no telltale AP base station or antenna hanging out of an employee's cubicle.
The Evil Twin attack comes in two versions:
- Simple: an attacker sets up a rogue AP, gives it a trustworthy-sounding SSID, and waits for visitors to connect. This Evil Twin may exist alone, or alongside many legitimate APs; if there are legit SSIDs in a cafe called Starbucks1 and Starbucks2, the attacker might name his rogue AP Starbucks3.
- Impersonation: the attack is similar to Simple, except that an attacker:
  - impersonates an existing access point by copying its SSID, MAC address, and channel
  - broadcasts with a higher power (or closer proximity to the target victim) than the real AP
  - deauthenticates the victim from the real AP, so that when the victim's computer reconnects, it chooses the Evil Twin AP instead
Kali, a version of Linux loaded with hacker tools, comes equipped for mounting Simple and Impersonation Evil Twin attacks. The general steps for setting up an Evil Twin are (Chaudhary, 2014):
1. Use the airmon-ng program to capture packets in order to obtain the real AP's SSID, MAC address (BSSID), and channel number (Aircrack-ng.org, 2015).
2. Use the airbase-ng program to create the Evil Twin AP, which will broadcast using the same SSID, BSSID, and channel number as the real AP; if necessary, the frequency of Evil Twin AP Beacon packets can be increased to drown out the real AP's Beacons (Aircrack-ng.org, 2010).
3. Use the program brctl to create a bridge between the Evil Twin AP and the attacker's real external network interface, so that victim traffic is routed properly through the attacker's computer to the Internet or other target network (Buytenhek, n.d.).
4. Use the dhclient3 program to enable DHCP addressing for victims who connect (Lemon, n.d.).
5. Use the aireplay-ng command to deauthenticate the target victim from the real AP (Aircrack-ng, 2013).
6. Wait for the victim to connect to the Evil Twin AP; if the victim's computer still prefers the real AP, the Evil Twin's transmission power can be increased with the iwconfig program, or the attacker can move physically closer to the victim.
The Impersonation attack would use all of the steps above, while the Simple attack would only require steps 1-4.
Once the Evil Twin is up and running, an attacker is free to use a sniffer like Wireshark to scan for passwords, or software like SSLStrip to deactivate SSL, making all victim traffic potentially accessible (Marlinspike, 2012).
Detection and Mitigation
While detection and mitigation of Evil Twins may prove challenging to the general public, a variety of solutions have been proposed:
- EAP-SWAT. In this scheme, which is also termed "context-leashing," a real AP sets up a shared key with a user the first time the user connects, using an extension to the 802.1X protocol (Bauer, Gonzales, & McCoy, 2008). The "trust-on-first-use" principle ensures that if a rogue AP appears later, it will not have access to the original shared key (assuming the rogue AP even supports the new 802.1X protocol). This solution is still only theoretical as far as I can tell, and would not work against a first-time user who connects to an Evil Twin on the first try, since the rogue AP could simply serve up its own shared key.
- Hop Differentiating Technique (HDT). Researchers timed packet arrivals to determine that one-hop wireless channels could be distinguished from two-hop (MITM) channels (Song, Yang, & Gu, 2010). The HDT algorithms were able to detect an Evil Twin 99% of the time or better with a roughly 1% to 8% error rate that varied with transmission ranges. Although actual lab tests were conducted, no publicly available HDT tool is available yet.
- Four-Square Antenna Detection. A directional antenna placed at each corner of a square bounding a protected area can detect the presence and location of RF signals using angle-of-arrival and hyperbolic position trig algorithms. Not only would the sudden appearance of a new Evil Twin AP be detectable, but so would its approximate physical location (Carrington, 2011). I was not able to find any four-square detector kits for sale, unfortunately, but I would bet the military has them.
- EvilAP_Defender. This Python script monitors all nearby APs to detect any change in their BSSIDs, channels, ciphers, beacon frames, or other settings (Idris, 2015; Cluley, 2015). If a change is detected, the script triggers an alert. The script can also be used to launch a DoS attack against a rogue AP in order to prevent would-be victims from connecting to it (although I would be careful with that feature, for obvious reasons).
- Private WiFi VPN. Users can install software that creates a private VPN over WiFi, preventing an Evil Twin from being able to sniff traffic. There are a variety of commercial packages available, including Private WiFi, which sets up a 128-bit SSL/TLS tunnel between a client and the service's private Internet proxies (Rosenblatt, 2013).
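As an added illustration (not part of the student's response, and not code from the EvilAP_Defender project), the following Python sketch shows the baseline-comparison idea behind the EvilAP_Defender approach described above: a site survey of legitimate APs is recorded once, later scans are compared against it, and any unknown BSSID advertising a trusted SSID, or any known BSSID that changes channel or cipher, raises an alert. The AP records, SSIDs and BSSIDs are constructed sample data, and the function names are hypothetical.

```python
"""Compare a wireless scan against a trusted baseline to flag Evil Twin-style
anomalies. Hypothetical example; the access point records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # AP radio MAC address (constructed sample values below)
    channel: int
    cipher: str     # e.g. "WPA2-CCMP" or "OPEN"


# Constructed baseline: what the original site survey recorded as legitimate.
BASELINE = [
    AccessPoint("CorpWiFi", "00:11:22:33:44:01", 6, "WPA2-CCMP"),
    AccessPoint("CorpWiFi", "00:11:22:33:44:02", 11, "WPA2-CCMP"),
    AccessPoint("CorpGuest", "00:11:22:33:44:03", 1, "WPA2-CCMP"),
]

# Constructed later scan containing three different anomalies.
CURRENT_SCAN = [
    AccessPoint("CorpWiFi", "00:11:22:33:44:01", 6, "WPA2-CCMP"),   # unchanged
    AccessPoint("CorpWiFi", "00:11:22:33:44:02", 3, "WPA2-CCMP"),   # channel moved
    AccessPoint("CorpWiFi", "AA:BB:CC:DD:EE:FF", 6, "OPEN"),        # new BSSID, trusted SSID
    AccessPoint("CorpGuest", "00:11:22:33:44:03", 1, "OPEN"),       # cipher downgraded
]


def detect_anomalies(baseline, scan):
    """Return (severity, bssid, message) tuples for every difference from the
    baseline. An unknown BSSID advertising a trusted SSID is the classic Evil
    Twin signature; a known BSSID changing SSID, channel or cipher may mean the
    real AP is being impersonated (or was simply reconfigured, which is still
    worth a look)."""
    known = {ap.bssid: ap for ap in baseline}
    trusted_ssids = {ap.ssid for ap in baseline}
    alerts = []
    for ap in scan:
        ref = known.get(ap.bssid)
        if ref is None:
            if ap.ssid in trusted_ssids:
                alerts.append(("high", ap.bssid,
                               f"unknown BSSID advertising trusted SSID {ap.ssid!r} (possible Evil Twin)"))
            else:
                alerts.append(("low", ap.bssid, f"new AP with unrecognised SSID {ap.ssid!r}"))
            continue
        if ap.ssid != ref.ssid:
            alerts.append(("high", ap.bssid, f"known BSSID changed SSID {ref.ssid!r} -> {ap.ssid!r}"))
        if ap.channel != ref.channel:
            alerts.append(("medium", ap.bssid, f"channel changed {ref.channel} -> {ap.channel}"))
        if ap.cipher != ref.cipher:
            severity = "high" if ap.cipher == "OPEN" else "medium"
            alerts.append((severity, ap.bssid, f"cipher changed {ref.cipher} -> {ap.cipher}"))
    # A baseline AP that disappears is informational: it may be off, or jammed.
    seen = {ap.bssid for ap in scan}
    for bssid, ref in known.items():
        if bssid not in seen:
            alerts.append(("info", bssid, f"baseline AP {ref.ssid!r} not seen in this scan"))
    return alerts


def high_severity_bssids(baseline, scan):
    """Sorted BSSIDs that triggered at least one high-severity alert."""
    return sorted({b for sev, b, _ in detect_anomalies(baseline, scan) if sev == "high"})


if __name__ == "__main__":
    for sev, bssid, msg in detect_anomalies(BASELINE, CURRENT_SCAN):
        print(f"[{sev:6}] {bssid}  {msg}")
```

In practice the scan records would come from a wireless monitoring tool rather than being hard-coded, and a site with many APs would key the baseline on BSSID plus channel to tolerate legitimate channel changes. A Simple Evil Twin with a brand-new SSID only surfaces as the "low" alert, which is why pairing this with user awareness (and a VPN, as the post notes) still matters.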
Question 2:
Select one topic for discussion that you consider important regarding modern network security architecture. If the topic you want to discuss has previously been covered in one of the Modules, please enhance and elaborate on it. The following is a list of possible topics:
- VLAN architecture
- Firewall architecture
- 802.1x /AAA
- SSL VPN architecture
- Secure wireless LAN architecture
- Many more (you may choose your own topic)
Student Response to Question 2:
A VPN is a virtual network, built on top of existing physical networks, and provides a secure communications mechanism for data and other information transmitted between two endpoints (Frankel, Hoffman, Orebaugh, & Park, 2008). SSL VPNs provide secure, remote access to user files. A VPN can be used over the Internet to facilitate the secure transfer of sensitive data across otherwise unsecured networks. A Secure Socket Layer (SSL) VPN consists of one or more VPN devices to which users connect using their Web browsers (Micro Focus, 2007). The traffic between the Web browser and the SSL VPN device is encrypted with the SSL protocol or TLS protocol, and is referred to as either an SSL VPN or a TLS VPN, as appropriate.
SSL VPNs provide remote users with access to web and client/server applications, and provide connectivity to internal networks. Despite the popularity of SSL VPNs, they are not meant to replace Internet Protocol Security (IPsec) VPNs, as the technologies complement each other and address different network architectures and requirements (Frankel, et al, 2008). SSL VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard web browsers. SSL VPNs offer control for a wide range of users on a variety of computers, accessing resources and files from many locations.
According to Frankel, et al., there are two primary types of SSL VPNs. SSL Portal VPNs allow users to use a single standard SSL connection to a website to securely access multiple network services. The site accessed is typically called a portal because it is a single page that leads to many other resources. The remote user accesses the SSL VPN gateway using any modern Web browser, identifies themselves to the gateway using an authentication method, and is then presented with a Web page that acts as a portal to the other services.
SSL Tunnel VPNs allow users to use a web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel that is running SSL. SSL tunnel VPNs require that the browser be able to handle active content, which allows them to provide functionality that is not accessible to SSL portal VPNs. Examples of active content include Java, JavaScript, Active X, or Flash applications or plug-ins.
Frankel, et al, reminds users that VPNs do not remove all risk from networking. While VPNs can reduce risk, particularly for communications that occur over unsecured networks, they cannot eliminate all risk because a VPN is only as robust as the strength of the implementation. For example, flaws in an encryption algorithm or the software implementing the algorithm could allow attackers to decrypt intercepted traffic. Random number generators that do not produce sufficiently random values could also present a vulnerability. Another issue is encryption key disclosure; an attacker who discovers an encryption key could decrypt traffic and convincingly pose as a legitimate user.
Although VPNs are designed to support confidentiality and integrity, they generally do not improve availability, a fact that I have witnessed many times. Many VPN implementations actually decrease availability somewhat, because they add more components and services to the existing network infrastructure. This is highly dependent upon the chosen VPN architecture model and the details of the implementation. The VPN provider I use, for example, is Tunnel Bear. Tunnel Bear seems to work inconsistently depending on where I am located in the world at the time. Its use slows down Internet speeds to a crawl in parts of the Middle East, to the point where it is essentially unusable. Strong VPN is slightly better; however, performance varies depending on the access point.