New Way to ID Invisible Intruders on Wireless LANs
Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries; instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that, when used together, can detect both attackers and configuration mistakes in network devices."
Makes sense. (Score:2, Interesting)
I'm fairly new to all this but at a very basic level it seems to make sense.
It's just a more complex method of looking at the flashing lights on the modem to see if it's in sync with your known wireless connections. -- Okay, a lot more complex than that.
I wonder if this can be applied to other wireless systems, e.g., radio systems. If so it would be very useful.
This is new? Products that do some/all now... (Score:2, Interesting)
Not to flame or troll or slashvertise, but how is this new? I was at a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/: Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.
According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the system has an extensive database of fingerprints - hardware, software, etc., think of timings and the like specific to particular combinations of OS, firmware, and chipset.
This raises the bar for a snooper: They not only have to clone your MAC addresses, etc., they have to clone the MAC, etc., on a box running the same OS, firmware, chipset, as the legit box. And they have to get the WPA keys right.
(They also have a neato WPA key management app to raise that bar, too.)
Apologies if this seems slashvertisical, but it seems to me the best way to debunk someone's claim of newnessess and neverbeendonebeforedness is to point to a real selling product that does all of the non-vapourware things the someone claims to have invented.
Re:Virtually impossible? (Score:3, Interesting)
Even so-called security professionals seem to have trouble with this. One of my favorite gripes is the security team at my new employer, who insist on forcing us to use 8 to 10 character passwords, no more, no less. They demand a numeral and a special character, which actually reduces the search space substantially. I am prone to setting up passwords for people like "Eagles~In*Trees", which is easy to remember and tough to crack, but they won't let me any more, forcing us to issue things like "sFg#8Jk@", which the user promptly writes on a sticky note and pastes to the monitor so they won't forget it.
Re:Triangulation (Score:3, Interesting)
Sounds like they're not "triangulating" - computing the DIRECTION to a station from two monitoring locations in order to identify the station's location as the third point of a triangle. Instead they're measuring the round-trip time for a probe/response, which measures the distance (plus internal delays in the remote station) without identifying direction.
Adding delay can make a station appear to be farther than it is, but not nearer. So short of finding a way to send signals backward in time (or responding enough faster than the standard firmware to fool the monitor) you can't spoof being closer than you are.
Which does nothing for a pure eavesdropper. But if the "eavesdropper"'s firmware associates with the eavesdropped network enough that it turns on its transmitter and responds to low-level protocol probes, it CAN be detected even if the user sends no traffic.
They're also using signal strength measurement - perhaps to work around unknown firmware response time. That might make them subject to spoofing by using a directional antenna and/or increasing transmit power to make the signal appear stronger, and thus closer, than it actually is.
(Another approach would be using multiple receivers at known (or self-measured relative) locations to do a LORAN-style triangulation on particular transmissions from the remote station, measuring the arrival-time differences at three or more stations to locate the remote station at the intersection of two or more hyperbolas. But that involves synchronizing time-bases between the monitoring stations in a way that would be beyond normal firmware's capabilities. It would also become less accurate as the distance to the remote station increases.)
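The round-trip-time versus signal-strength argument in the comment above, worked through as an added example (not code from the commenter, the article, or the QUT system): the RTT range estimate is a one-sided bound that extra responder delay can only push outward, while a free-space RSSI estimate against an assumed nominal transmit power can be pulled inward, so a monitor should trust the RTT bound for perimeter decisions and treat a large RTT/RSSI disagreement as an anomaly. The 2 us firmware turnaround, 20 dBm nominal power and sample readings are assumptions.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def rtt_distance_m(rtt_us: float, turnaround_us: float = 2.0) -> float:
    """Upper bound on a responder's range from a probe/response round trip.
    Responder processing delay (turnaround) is subtracted; any extra delay the
    responder adds inflates rtt_us, so the estimate can only grow, never shrink."""
    flight_us = max(rtt_us - turnaround_us, 0.0)
    return flight_us * 1e-6 * C / 2.0


def rssi_distance_m(rssi_dbm: float, tx_power_dbm: float = 20.0,
                    freq_mhz: float = 2437.0) -> float:
    """Distance implied by received power under free-space path loss, assuming
    the station transmitted at tx_power_dbm (the monitor cannot know the real
    value, so a louder transmitter or directional antenna looks nearer)."""
    path_loss_db = tx_power_dbm - rssi_dbm
    # FSPL(dB) = 20*log10(d_km) + 20*log10(f_MHz) + 32.44
    d_km = 10 ** ((path_loss_db - 20 * math.log10(freq_mhz) - 32.44) / 20)
    return d_km * 1000.0


def classify(rtt_us: float, rssi_dbm: float, perimeter_m: float) -> str:
    """Defender's decision: the RTT bound decides whether a station is outside
    the site perimeter; an RSSI estimate far below the RTT bound indicates the
    power/antenna games the comment describes and is flagged separately."""
    d_rtt = rtt_distance_m(rtt_us)
    d_rssi = rssi_distance_m(rssi_dbm)
    if d_rtt > perimeter_m:
        return "outside-perimeter"
    if d_rssi < d_rtt / 4:
        return "rssi-anomaly"
    return "ok"


if __name__ == "__main__":
    # Constructed readings: a legitimate client at ~30 m, then a station at
    # ~200 m that is 10 dB louder than nominal so its RSSI looks like ~63 m.
    print(classify(2.2, -49.72, 100.0))    # ok
    print(classify(3.334, -56.2, 100.0))   # outside-perimeter (RTT wins)
```

The second call shows why RSSI alone would under-estimate range (about 63 m from the boosted signal) while the RTT bound still places the station at roughly 200 m.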