AirDefense, the leader in 24x7 wireless LAN security and monitoring, found while monitoring the airwaves at DefCon 12, the annual underground hacking convention held last week in Las Vegas, that wireless LAN attacks are evolving from simple sniffing to complicated data injection and network manipulation.
"The types of attacks we are seeing are increasingly more sophisticated than those of years past," said Richard Rushing, chief security officer of AirDefense. "Whereas last year we noted basic denial of service and MAC spoofing attacks, this year hackers have moved on to what we refer to as level three attacks, where hackers are actually injecting traffic into the network and manipulating data."
AirDefense identified an injection attack where attendees surfing the Web would receive manipulated images and form data that they had not requested. Previously, this attack was most often used on the wired side; however, hackers taking advantage of the open, unencrypted traffic have learned to adapt the technology to function in the wireless environment.
AirDefense also discovered a new Developer's Kit Denial of Service (DoS) attack. This type of attack involves modifying the firmware on a network card so that the card can send data without having to wait for a signal from the access point. The attack, equivalent to a chattering network card, can knock people off the network, prevent other users from sending data, or even allow an individual to take control of the network.
"This is an example of how theoretical attacks are becoming practical. The only way to identify this type of attack is to use a monitoring system with multiple analysis engines to detect anomalous behaviors. These types of attacks are why we are continuing to add theoretical alarms based on correlation across signature, behavior and policy engines to AirDefense. As more instances of attackers using developer's kits occur, we want to ensure our customers are equipped to defend their network," said Anil Khatod, president and CEO of AirDefense.
DefCon remains the de facto conference to view leading-edge tools and techniques. This year DefCon boasted the "Wall of Shame," a large screen that displayed passwords and identified attendees who used "clear-text" services over the wireless network, including email, Telnet and Instant Messenger. Originally, the producers of the wall were using "Ethereal" to capture the traffic and then parsing the data for user names and passwords. By the second day of the conference the producers of the wall, having become more adept, began using "Cain and Abel," a more sophisticated tool that automatically captures passwords.