Wireless Hacking with Fruit

/

A while back I delivered a short wireless security presentation, at a Toastmasters meeting, designed to explain a technical subject to a non-technical audience. The presentation went well enough that I’ve decided to record a modified version to place here.

This video is a very high-level explanation of how wireless networks operate. This is by design as I want to keep the information accessible to everyone and not just to those individuals who already have a deep technical understanding of wireless networking and information security.

Dan C.

Do you have additional tips for protecting yourself from this type of wireless attack? Leave your tip in the comments section and, as always, please be sure to share this post with anybody you think would benefit from viewing it.

The Rule of 10s and 3s

/

A while back I wrote a blog post explaining how an antenna works when it is connected to a wireless access point. Today I’m going to add to that lesson by explaining The Rule of 10s and 3s. Essentially, you can use this rule to figure out what your transmit power is going to be when you add various connectors, cables, and external antennas to your access points. Without further ado:

Please remember that using The Rule of 10s and 3s does not give you exact figures. It should only be used to perform rough calculations. Also, this video is not intended to be a technical deep-dive into the field of RF mathematics. Instead, my goal is to explain the basics of a complex topic so that almost anyone can understand it. (I’ve assumed knowledge of milliwatts and decibels though).

Dan C.

Bonus marks if you can explain why having this knowledge is important for anyone working with WLANs. Leave your answer in the comments section and share this video with anyone you think might benefit from knowing this rule.

Will tokenization (t10n) make your PCI pain go away?

/

I just finished reading the tokenization guidelines from the PCI Council. A very good document, much more informative than the one on virtualization. However, it does not provide the simple connect the dots type of advice most would want because t10n is complicated. It is complicated in its own right, let alone the fact that it is being deployed as part of PCI DSS compliance program.

Here are some of the issues that are raised:

  • Solution architectural,
  • Deployment,
  • Operational challenges
  • Software development, and
  • Contractual terms and conditions.

So will tokenization make your PCI compliance pain go away? Will it even ease your pain? Just a little bit?

Let me cut to the chase: Maybe, but don’t count on it. There are no silver bullets in the PCI compliance arena. At the end of the day t10n is a *scope reduction* approach. As such it can help reduce and minimize your PCI compliance efforts, but it does not eliminate your need to comply. Also, because it is part of what defines your PCI DSS scope it will need to be reviewed in detail each and every year when you undergo your PCI validation whether Self-Assessment Questionnaire or Report on Compliance.

I highly recommend that merchants thinking about deploying t10n give it a read. I also highly recommend any service providers looking to offer a t10n solution read it as well. It’s got good advice for both. Let’s dig in a bit more:

The Idea of t10n

The whole idea is to turn a primary account number (PAN), a valuable piece of data, into a token, that is not a valuable piece of data. Tokens should not be valuable in any way to an attacker. If the token allows you to conduct a transaction then it is a payment instrument or a high value token. These can (and likely will) be monetized by criminals. The guidance says they “might be in scope for PCI DSS.” You are directed to consult with your acquirer and/or the card brands. In my opinion high value tokens should be treated no differently than cardholder data, they are in scope. At least until the card brand or acquiring banks rule otherwise.

Tokens can be single use or multi-use. What kinds you’ll need are dependent on your business processes. There isn’t really a PCI DSS impact on one or the other. Both kinds of tokens, how they are generated, used, and destroyed will have to be reviewed in detail.

How to do it

Turning a PAN into a token can be done in three main ways:

  1. Encryption (transforms the PAN directly and is reversible)
  2. Hashing (transforms the PAN directly and is not reversible)
  3. Indexing (does not transform the PAN, is not reversible, maps a PAN to a randomly selected value)

In all cases, recovery of the PAN from the token must be computationally infeasible. This is a technical term from the cryptography field that basically means it should take millions of years of effort to do so. Even if you leverage “the cloud” it should take millions of years. Recovery should not be possible even if you have a number of tokens (ciphertext only attack) and/or a number of PAN/token pairs (known plaintext attack). One last thing is that if tokens are generated by hashing, the hash of the PAN should be not stored with a truncated version of the PAN, this makes brute forcing the PAN significantly easier.

You should take two things from this:

  1. A t10n system is, at its core, a cryptographic system. Cryptography is HARD. It is hard to design the ciphers, it is hard to design the protocols, and it is hard to implement them correctly. Rolling your own crypto for an in-house developed t10n solution is definitely not recommended. Even using a solution from an otherwise reputable brand is potentially risky. How are they implementing the crypto? Do they have any experience? How are they testing?
  2. Encrypted tokens are still encrypted PANs. The would still be subject to requirements 3.4, 3.5 and 3.6, unless PCI FAQ 10359 applies (the “no access to encryption keys” FAQ). According to the guidance document The Council is “further evaluating how these consideration may impact PCI DSS scope” in these situations.

Token mapping

There are definitely two times in the lifetime of a transaction where a PAN is mapped to a token.

  1. When a transaction is started and a PAN is submitted for t10n, and
  2. When a token is submitted for de-tokenization to get a PAN back.

Any device that submits a PAN or retrieves a PAN is in-scope. So are the people, processes, and systems involved. In your efforts to reduce scope and minimize the handling of cardholder data, who and what can access the t10n system and use the t10n process is a key point to pay attention to. The guidance mentions that the “necessary authentication information”  be provided when interacting with the t10n system. There is no elaboration on this.

As part of requirement 7 you’re supposed to be implementing least privileges and access to cardholder data only on a “need to know” basis. Requirement 8 spells out the authentication requirements for in-scope systems. It may be tempting to simply deploy an authentication system that meets these minimum standards. However, even passwords that pass all the sub-requirements of 8.5 are not particularly strong. You should be looking at something stronger.

Is that a token you’ve got there?

With t10n comes the challenge of distinguishability. Just what is a token and what isn’t. This is most prevalent with format-preserving approaches to t10n. Your solution may allow you to turn a PAN into something that looks just like a PAN but actually isn’t. It’s the right length, right format, passes the mod-10 checksum (Luhn) algorithm. So how do you know it’s really a token and not a PAN?

If there is no way to tell, this may lead to mis-scoping and leaving cardholder data unprotected where you thought it was. A very big mistake to make.

Scope: what’s in, what’s out?

Considering that you are going to deploy a t10n solution to help reduce your PCI scope, just what will be left in scope? Here are some general guidelines.:

  • Obviously the t10n system itself is in scope. This includes the devices doing token mapping, and the card data (token) vault itself. There may be other support systems that provide encryption key management, and/or authentication services. These would be in scope as well.
  • Systems, devices or processes that accept PANs and then get them tokenized.
  • Systems, devices or processes that submit tokens and have them de-tokenized.
  • Systems, devices or processes with *access* to the t10n system or t10n process.
  • Any other system, device or process connected to the above 3 types of systems, even if it does not perform tokenization or handle PAN data directly.

That 4th bullet point is a tough one. It essentially creates a hard divide between in-scope and out of scope devices. If a device accesses the t10n solution for any reason, maybe to patch, maybe to provide authentication, then it is in scope as well. While this may be stringent, it is certainly clear.

Outsourcing, tokens in the cloud

A new breed of service provider is popping up providing t10n services. We could call them t10n service providers (TSPs) or tokenization as a service (TaaS) providers to make them sound more cloud-like. Some are brand new entities, and some are just a new service from existing service providers and acquiring banks. Regardless, using them is attractive because it can reduce your burdens, but it won’t get you off the hook for your compliance. There is still requirement 12.8 (the 3rd party service provider requirement). The merchant is ultimately responsible for the validation of whatever t10n solution they use. Who does precisely what is depends on precisely what the TSP does for you. It should be spelled out in detail in your SLA with the TSP.

Recommendations

As you can see there are a lot of subtleties and nuances with a t10n solution. So what to do?

  • If you haven’t decided on a direction or solution yet, get a conceptual Threat and Risk Assessment (TRA) done. Make sure that whoever is performing the TRA has access to a QSA, or better yet is a QSA. This can help you decide whether you even should take a t10n approach. T10n is all the rage lately, but maybe it’s not for you.
  • If you have selected a solution but haven’t deployed it yet, have a logical TRA performed as well as a detailed PCI Scope assessment of the current and future post t10n environment. This will help you determine that actual impact to your PCI scope and the resulting PCI DSS compliance efforts. Don’t rely on the vendor, they most likely are not a QSA and not conversant with all the little gotchas that can crop up.
  • If you have selected and maybe even implemented a t10n solution, even if you’ve had it looked at by a QSA, do another review. This guidance changes things. The QSA who assessed it may have been making an assumption that has now been clarified that made their previous advice incorrect.
  • If you do decide to go with t10n, strongly consider deploying it in conjunction with end to end encryption. That way PANs are only ever contained in PTS approved PINPADs. That is a whole other kettle of fish that we’ll have to deal with at another time.

Jason M.

 

Mobile Troubles

/

The growth of mobile phone usage seems to be rapidly outpacing the growth of mobile security adoption. For instance how many people are running anti-virus (AV) software on their laptops and desktops? And now how many are running AV on their mobile phone? There are several free anti-virus applications available for most platforms, including laptops, desktops, tablets or even smartphones. An informal poll conducted by SANS in July 2010 found that approximately 85% of smart phones did not have any AV installed. Of the 14% who did have AV installed, 18% had reported finding malware.

The thing I found strange about this poll is that security has seen improvements on the laptop/desktop side yet, our mobile devices have a fair bit more exposure and are left vulnerable. In 2010, Android had seen several firsts: SMS Trojan, Botnet, Monitored GPS, and even a Bank Phishing application. These firsts signal a dramatic increase of malware on the Android platform. One report, by McAfee, stated that the rise since last quarter was 76%. 

Android is not the only mobile platform that is susceptible. Research has shown that there is a positivie correlation between the popularity of the device/operating system and the infection rate. This correlation is similar to that seen in the PC world and the same is true for the techniques that are being used to infect the victims. One of the largest threat vectors I can think of is the large volume of applications within the app stores. With such an influx of new apps, it is hard to ensure that each one is safe.

You may wish to thank me for a sleepless night, but you already know how to protect yourself because mobile phones are just small computers. So you should start by doing the same things you do on your laptops and desktops. First get some basic AV installed from a reputable source. Second, perform some research before installing any apps on your phone. If you are uncertain of the source then maybe it is not worth the risk. Afterall, an ounce of prevention is worth a pound of cure.

Joe O.

What do you do to protect your mobile phone from malware? Share you thoughts, and techniques in our comments section.

A letter to my potential wireless friend

/

Dear Potential Friend,

I really want to be your friend. In fact, I want to be the kind of friend you can count on to tell you the truth no matter what the consequences. It's with this thought in mind that I am forced to tell you that, and this may sting a little, you have completely lost your mind by deciding to deploy fifty home wireless routers in an attempt to become a wireless enterprise. There, I said it. For a few moments I thought about allowing you to experience this life lesson for yourself, but then I remembered what my grampa always used to say: "There's two things friends should never do. First, friends don't let friends use home wireless gear to perform enterprise deployments. The other thing friends never do is talk while I'm trying to watch TV. Won't you be my friend?".

It's the first thing that grampa mentioned that forced me to write you this letter. I couldn't, in good conscience, let you go through with this terrible mistake. Here's why (I've enclosed a picture of grampa. If it helps soften the blow you can pretend he's the one talking):

  1. Hardware Quality - Home wireless routers are made to be affordable for personal use under average personal circumstances. The hardware used is not as well tested as enterprise gear, is generally not as sensitive, and is not as rugged. Also, home gear is usually designed to sit on a desk and not to be mounted on walls or ceilings. As such, home gear is probably not plenum rated like a lot of enterprise gear.

  2. Management Interface - Home gear usually has a nice web interface you can use to configure your network. This works great for a single access point, but you are going to waste an entire day logging in to all fifty access points just to make a single configuration change. Enterprise gear is designed to allow easy configuration from a single console for all access points. Log in once, make the change once, and log out. Simple.

  3. Channel and Power Management - Wireless networks operate over a shared-medium. Your access point's signal is transmitting through the same physical space as your neighbours signal. This means there is bound to be some signal interference. Home routers have very poor capabilities for handling interference. Usually the only control you have is channel selection and maybe, if you're lucky, transmit power. Do you really want to log in to every access point and manually adjust these settings on an hourly basis as your environment experiences different levels of interference? Enterprise wireless gear does this stuff for you. It's designed to tune itself so that you only need to get involved in the really tricky situations.

  4. Power - Enterprise access points can be powered via the ethernet cable (PoE). You can do this by using PoE-capable switches or mid-span PoE injectors. Either way, you don't need to worry about how you're going to run an extension cable from the access point's location in the middle of the ceiling to the wall outlet behind a desk.

  5. Features - Home access points are great for getting home users on the Internet because home users usually have very basic requirements: get me on the Internet, and keep me on the Internet. My friend (can I call you that yet?), I could tell you wonderous stories of the features I have seen on enterprise-grade solutions. These solutions can give you different levels of access based on who you are, where you are, which device you are using, and what time it is. These solutions can drop your traffic directly onto the local network or even send it through an encrypted tunnel to a completely different location without you even noticing. Deploying a wireless network in an enterprise is not the same as deploying one for your home. Considerations must be made for each different user, device, and circumstance and I just don't think you'll be able to keep up with your home access points. There are so many more feature I could write about but I think you get the point.

  6. Security - How long does it take you to change the WPA2 pre-shared key (PSK) on your home access point? Now take that time and multiply it by the number of access points you have. That is the level of pain you are going to experience each time a contractor, guest, or employee leaves your company. Not to mention routine PSK changes as a matter of policy. (If you're doing the math, that's a lot of passphrase changes). So, you can either hire a co-op student to constantly change the PSK and notify every employee, or you can use an enterprise-grade solution that allows you to do away with pre-shared keys. That's right, imagine having users connect to the network using the same usernames and passwords they use to log into their computers. Imagine being able to provision individual logon credentials for guests, contractors, and employees who bring in personal devices and want to get online. Again, I don't think you'll be able to keep up with those home access points.

I know home wireless gear is the 'right price'. I get it, but good wireless networks are not commodity items that can just be picked up off the shelf and plugged in. Every wireless network is different and you are going to need to invest in a proper solution that meets and adapts to your specific needs. Sure you can save a few upfront dollars by sourcing home access points, but I think you'll find the additional cost, in dollars and time, of tearing down that deployment because it doesn't work and is too hard to manage, is not going to make you too happy. My potential friend, I urge you to heed my advice by not trying to design by dollars. Leave home (commodity) gear in the home and use the enterpise gear for your business. 

Yours Truly,

 

Dan C. (My friends call me @SimplyWifi)

P.S. If, after reading this letter you feel that we can still be friends, I'd love to hear back from you. Please send me a letter, or leave a note in the comments section below with any thoughts or questions. Also, please subscribe / follow us and share this with others so you can save them from making the same terrible mistake.