[iwar] WISE

From: Fred Cohen (fc@all.net)
Date: 2002-07-29 21:18:03



http://online.securityfocus.com/news/552

Wi-Fi Honeypots a New Hacker Trap

War drivers beware, the next wireless network you tap might be part of
an elaborate sting.

By Kevin Poulsen, Jul 29 2002 1:00AM

Hackers searching for wireless access points in the nation's capital may
soon war drive right into a trap. Last month researchers at the
government contractor Science Applications International Corporation
(SAIC) launched what might be the first organized wireless honeypot,
designed to tempt unwary Wi-Fi hackers and bandwidth borrowers and
gather data on their techniques and tools of choice.

That the average wireless network is horribly insecure is common
knowledge today; surveys of populous metropolitan areas consistently
turn up hundreds or thousands of 802.11b access points inadvertently
left unprotected from unauthorized use or eavesdropping by anyone within
range. (This in addition to many that are deliberately open to the
public, either commercially or by the generosity of their owners). But
while conventional wisdom holds that hackers are enjoying a golden era
of untraceable ingress into corporate networks across the country,
nobody claims to know exactly how prevalent wireless hacking really has
become.

That's where the Wireless Information Security Experiment, or WISE,
comes in. Headed by former Air Force computer security investigator Rob
Lee, now an SAIC chief of information security operations, WISE hinges
on an 802.11b network based at a secret location in Washington D.C. and
dedicated to no other purpose than being hacked from nearby.

The network has five Cisco access points, a handful of deliberately
vulnerable computers as bait, and two omni-directional high-gain
antennas for added reach to the nearby streets and alleys. On the
back-end, a logging host gathers detailed connection data from the
access points, while a passive 802.11b sniffer with a customized
intrusion detection system acts as a hypersensitive trip wire. Like
conventional honeypots, the WISE network has no legitimate users, so
anything that crosses it is closely scrutinized.

The goal, says Lee, isn't to set up D.C. hackers for prosecution, but
to research the state of real-life wireless hacking in a city
considered by many to be a hot spot for laptop-toting cyberpunks. Lee
hopes to learn who's conducting 802.11b attacks, how many hackers use
wireless access to anonymize attacks on other Internet-connected
systems, and what the ratio is between intruders and those who simply
drop onto nearby networks for convenient Internet access, sometimes
unknowingly.

Ultimately, Lee would like to be able to passively identify the various
scanning tools hackers and others use to find vulnerable wireless
networks. "There may be signatures that they give off that could be
incorporated into a wireless intrusion detection device looking for
these active signals," says Lee.

Determining Intent a Challenge

The SAIC honeypot went operational on
June 15th, and so far hasn't pulled in anything particularly nefarious:
a single ping sweep of the bait machines, and a few people trying
unsuccessfully to surf the Web.  The WISE network doesn't yet have an
Internet connection, but Lee plans to hook one up through a Web proxy
that will intercept outgoing connection attempts and present a
consent-to-monitor banner, so he can legally watch how the Internet link
is used.

Despite the tepid findings so far, the hacker trap is generating
enthusiasm in the honeypot community, and may spawn similar projects in
other cities.

"He's taken an idea and really run with it like hell," says Lance
Spitzner, founder of the Honeynet Project. "He's gotten a lot of
high-end gear so he could cover a wider area, and he's come up with a
lot of really neat ideas... And he's basically operating in one of the
best cities to put up a wireless honeynet."

Peter Shipley, the security researcher who coined the term "war driving"
over a year ago to describe the practice of cruising city streets in
search of wireless networks, says he thinks wireless honeypots can
produce interesting results, but that it could prove impossible to
accurately differentiate between deliberate intruders and ordinary users
accidentally dropping into the network. "The statistics are not going to
be black and white," says Shipley. "They're going to be iffy and there's
going to be a lot of speculation involved."

Of course, unlike Internet-based honeypots, anyone detected on the WISE
network will be located within a few blocks of the trap, perhaps parked
in a car or sitting on a bus bench. Despite the opportunity, Lee says he
doesn't plan to train video cameras on the street, or to physically
confront hackers. But he may add other wireless technologies to the
system, like 802.11a or Bluetooth, to widen the net. "Right now we're
focusing on 802.11b," he says. "This might expand."
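
An added example, not part of the article and not SAIC's code: a sketch of how a honeypot's logging host could triage connection records per client, showing why Shipley expects many clients to stay unclassifiable. The addressing, threshold, labels and sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing and thresholds; the article gives none.
HONEYNET = ip_network("10.99.0.0/24")
BAIT_HOSTS = {ip_address(f"10.99.0.{n}") for n in (10, 11, 12, 13)}
SWEEP_THRESHOLD = 3          # distinct bait hosts pinged => sweep
NEUTRAL_UDP = {53, 67}       # DNS/DHCP: any client emits these on joining

# Constructed sample records: (client MAC, protocol, dst IP, dst port)
A, B, C, D = (f"02:00:00:00:00:0{i}" for i in range(1, 5))
SAMPLE_LOG = [
    (A, "icmp", "10.99.0.10", None), (A, "icmp", "10.99.0.11", None),
    (A, "icmp", "10.99.0.12", None), (A, "icmp", "10.99.0.13", None),
    (B, "udp", "255.255.255.255", 67), (B, "udp", "10.99.0.1", 53),
    (B, "tcp", "198.51.100.7", 80),
    (C, "udp", "255.255.255.255", 67), (C, "tcp", "203.0.113.5", 80),
    (C, "tcp", "10.99.0.11", 445),
    (D, "udp", "255.255.255.255", 67),
]

def triage(records):
    """Label each client MAC seen on a network with no legitimate users."""
    seen = set()
    pinged = defaultdict(set)      # bait hosts each client sent ICMP to
    offnet_web = defaultdict(int)  # web attempts to addresses outside the honeynet
    other = defaultdict(int)       # everything else, e.g. services on bait hosts
    for mac, proto, dst, port in records:
        seen.add(mac)
        addr = ip_address(dst)
        if proto == "udp" and port in NEUTRAL_UDP:
            continue
        if proto == "icmp" and addr in BAIT_HOSTS:
            pinged[mac].add(addr)
        elif proto == "tcp" and port in (80, 443) and addr not in HONEYNET:
            offnet_web[mac] += 1
        else:
            other[mac] += 1
    labels = {}
    for mac in seen:
        if len(pinged[mac]) >= SWEEP_THRESHOLD:
            labels[mac] = "ping-sweep"
        elif pinged[mac] or other[mac]:
            labels[mac] = "ambiguous"   # mixed behaviour: intent cannot be inferred
        elif offnet_web[mac]:
            labels[mac] = "web-only"    # consistent with someone just seeking Internet
        else:
            labels[mac] = "associated-only"
    return labels
```

On the constructed log, only one of four clients gets a clear "ping-sweep" label; a client that browses and also touches a bait host stays "ambiguous".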




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT