Can someone send Manolo a study group invite, please? [email protected]
2010/10/17 Kristján Ólafur Eðvarðsson <[email protected]>

> That is very good.
>
> I investigated further and I only found this:
>
> http://www.dba-oracle.com/t_unauthorized_access_computer_network_crime.htm
>
> *Evil-twins and honey pots*
>
> I learned about how hackers work by planting "honey pots", internet-enabled
> computers with loose security. I kick-back, look-over the crooks shoulder
> and observe their behavior. In one case, a hacker from China upgraded my
> version of Linux! *The wi-fi equivalent of a honey pot is the "evil twin"
> attack.*
>
> *"A more recent threat to emerge is the "evil twin" attack. A person with
> a wireless-equipped laptop can show up at, say, a coffee shop or airport and
> overpower the local Wi-Fi hotspot. The person then eavesdrops on
> unsuspecting computer users who connect to the bogus network.*
>
> *At a technology conference in London this spring, hackers set up evil
> twins that infected other computers with viruses, some that gather
> information on the user, the Wall Street Journal reported."*
>
> and this:
>
> http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/sec_wireless_overview.html#wp877732
>
> Wireless, due to its over-the-air transmission, has unique security
> requirements. The primary security concerns for a wireless network are:
>
> • Rogue access points and clients that can create backdoor access to the
> company's network.
>
> • Hacker access points, such as *evil twins and honeypots*, that try to
> lure your users into connecting to them for purposes of network profiling
> or stealing proprietary information.
>
> • Denial of service that disrupts or disables the wireless network.
>
> • Over the air network reconnaissance, eavesdropping, and traffic cracking.
> This is now primarily a legacy issue as the wireless industry has done a
> good job creating standard approaches to user authentication and traffic
> encryption via 802.11i and WPA.
>
> • Controlling the networks wireless users connect to, especially when they
> are outside of the office.
>
> • Wireless security for guest users.
>
> So perhaps it is a question of finding the „Cisco answer“ to the question.
> Evil twin is for example not found in the WCS help (but honey pot is). So I
> would probably bet that honey pot would be more accurate.
>
> Those 2 are often mentioned in the same sentence and they probably mean the
> same in my mind.
>
> But since this is an open-ended question, you might use both phrases to
> show that you know what you are talking about.
>
> regards. Kristjan
>
> *From:* Kelvin Dam [mailto:[email protected]]
> *Sent:* 17 October 2010 15:19
> *To:* Kristján Ólafur Eðvarðsson
> *Cc:* [email protected]
> *Subject:* Re: [CCIE Wireless] 1. OEQ Answers (second)
>
> I may very well be way off here, but I'm not convinced that the definition
> of "honeypot" you posted is correct.
>
> I believe that an Evil Twin is an access point, broadcasting the same SSID
> as a corporation for instance, trying to lure users to use it.
>
> A HoneyPot is more or less the same, but doesn't have to be the same SSID,
> and is also used by admins to lure attackers into a confined subnet to
> be monitored.
>
> I'm basing my assumptions on these:
>
> Evil Twin
>
> The attacker uses a bogus base station that someone connects to using
> Wi-Fi wireless technology. By imitating the name of another, legitimate
> wireless provider, they can fool people into trusting the internet services
> that they are providing. When the users log into bank or e-mail accounts,
> the phishers have access to the entire transaction, since it is sent
> through their equipment.
>
> Unwitting web users are invited to log into the attacker's server with
> bogus login prompts, tempting them to give away sensitive information such
> as usernames and passwords. Often users are unaware they have been duped
> until well after the incident has occurred.
>
> Users think they have logged on to a wireless hotspot connection when in
> fact they have been tricked into connecting to the attacker's base station.
> The hacker jams the connection to the legitimate base station by sending a
> stronger signal within proximity to the wireless client - thereby turning
> itself into an 'evil twin.'
>
> A rogue Wi-Fi connection can be set up on a laptop with a bit of simple
> programming and a wireless card that acts as an access point. The access
> points are hard to trace, since they can suddenly be shut off, and are easy
> to build. A hacker can make their own wireless networks that appear to be
> legitimate by simply giving their access point a similar name to the Wi-Fi
> network on the premises. Since the hacker may be physically closer to the
> victim than the real access point, their signal will be stronger,
> potentially drawing more victims. The hacker's computer can be configured
> to pass the person through to the legitimate access point while monitoring
> the traffic of the victim, or it can simply say the system is temporarily
> unavailable after obtaining a user id and password.
> [3]<http://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)#cite_note-2>
>
> *HoneyPots*
>
> A honeypot is valuable as a surveillance and early-warning tool. While it
> is often a computer, a honeypot can take other forms, such as files or data
> records, or even unused IP address space. A honeypot that masquerades as an
> open proxy to monitor and record those using the system is a sugarcane.
> Honeypots should have no production value, and hence should not see any
> legitimate traffic or activity. Whatever they capture is therefore
> malicious or unauthorized. One practical application of this is a honeypot
> that thwarts spam by masquerading as a type of system abused by spammers.
> These honeypots categorize trapped material 100% accurately: it is all
> illicit.
>
> Honeypots can carry risks to a network, and must be handled with care. If
> they are not properly walled off, an attacker can use them to break into a
> system.
>
> *Victim hosts* are an active network counter-intrusion tool. These
> computers run special software, designed to appear to an intruder as being
> important and worth looking into. In reality, these programs are dummies,
> and their patterns are constructed specifically to foster interest in
> attackers. The software installed on, and run by, victim hosts is dual
> purpose. First, these dummy programs keep a network intruder occupied
> looking for valuable information where none exists, effectively convincing
> him or her to isolate themselves in what is truly an unimportant part of
> the network. This decoy strategy is designed to keep an intruder from
> getting bored and heading into truly security-critical systems. The second
> part of the victim host strategy is intelligence gathering. Once an
> intruder has broken into the victim host, the machine or a network
> administrator can examine the intrusion methods used by the intruder. This
> intelligence can be used to build specific countermeasures to intrusion
> techniques, making truly important systems on the network less vulnerable
> to intrusion.
>
> Any takers on this? :)
>
> Kelvin
>
> 2010/10/15 Kristján Ólafur Eðvarðsson <[email protected]>
>
> Hi Kelvin,
>
> That OEQ was rather good. I gave it some thought and scrolled through the
> help of my WCS server. Which in fact is very good and explains a lot of
> things.
>
> It is a rogue AP so it can't be a friendly based on that fact. Malicious is
> the same thing basically as a rogue. So they are probably looking for a
> classification of that rogue.
>
> I first read through the classifications of rogues and didn't see a clear
> answer to that question, but for everyone I like to share this info.
>
> "Rogue Access Point Classification Types
> Rogue access points classification types include:
>
> Malicious - Detected but untrusted or unknown access points with a
> malicious intent within the system. They also refer to access points that
> fit the user-defined malicious rules or have been manually moved from the
> friendly access point classification. See "Malicious Rogue APs" for more
> information.
>
> Friendly - Known, acknowledged, or trusted access points. They also refer
> to access points that fit the user-defined friendly rogue access point
> rules. Friendly rogue access points cannot be contained. See "Friendly
> Rogue APs" for more information. For more information on configuring
> friendly access point rules, see "Configuring Friendly AP Controller
> Templates".
>
> Unclassified - Rogue access points that are not classified as either
> malicious or friendly. These access points can be contained and can be
> moved manually to the friendly rogue access point list. See "Unclassified
> Rogue APs" for more information."
>
> However when I was reading this I just remembered that I have sometimes got
> this warning in WCS in real setups. "With Honey pot AP detected"
>
> And this seems to be the best answer to this question. Do you guys agree?
>
> "Honey Pot AP Detected
> Alarm Description and Possible Causes
> The addition of WLANs in the corporate environment introduces a whole new
> class of threats for network security. RF signals that penetrate walls and
> extend beyond intended boundaries can expose the network to unauthorized
> users. A rogue access point can put the entire corporate network at risk
> for outside penetration and attack. Not to understate the threat of the
> rogue access point, there are many other wireless security risks and
> intrusions such as mis-configured access points, unconfigured access
> points, and DoS (denial-of-service) attacks.
>
> One of the most effective attacks facing enterprise networks implementing
> wireless is the use of a "honey pot" access point. An intruder uses tools
> such as NetStumbler, Wellenreiter, and MiniStumbler to discover the SSID of
> the corporate access point. Then the intruder sets up an access point
> outside the building premises or, if possible, within the premises and
> broadcasts the discovered corporate SSID. An unsuspecting client then
> connects to this "honey pot" access point with a higher signal strength.
> When associated, the intruder performs attacks against the client station
> because traffic is diverted through the "honey pot" access point.
>
> wIPS Solution
> When a "honey pot" access point is identified and reported by the Cisco
> Adaptive Wireless IPS, the WLAN administrator may use the integrated
> over-the-air physical location capabilities, or trace device on the wired
> network using rogue location discovery protocol (RLDP) or switchport
> tracing to find the rogue device."
>
> regards. Kristjan
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 15 Oct 2010 08:24:00 +0200
> From: Kelvin Dam <[email protected]>
> To: Stalder Dominic <[email protected]>, [email protected]
> Subject: Re: [CCIE Wireless] OEQ Answers (second)
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> First question in that doc:
>
> *A rogue access point broadcasting a trusted SSID is called what?
>
> They are called "Trusted APs" or "Friendly APs".*
>
> Is wrong I believe... A Rogue broadcasting a trusted SSID is an Evil Twin
> to the best of my knowledge?
>
> Kelvin
>
> 2010/10/13 Stalder Dominic <[email protected]>
>
> > And here with the small answer list ;-)
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Kelvin Dam

--
George M. Stefanick Jr., CCNA, CWNA, CQS-CWLANSS
Sr. Wireless Engineer
(717) 471 - 6186 Mobile
(717) 798 - 8255 Skype
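As an added example (not code from any message in this thread, and not Cisco WCS/wIPS code), here is the rogue classification the quoted WCS help describes, applied to constructed beacon observations: a non-managed transmitter advertising a corporate SSID is classified Malicious and raised as a "Honey Pot AP Detected" alarm, acknowledged neighbours are Friendly, and everything else is Unclassified. All BSSIDs, SSIDs and RSSI values are made up, and the managed-AP RSSI comparison is only a relative hint, since a client's view of signal strength differs from the detecting AP's.

```python
"""Rogue AP classification and 'Honey Pot AP Detected' alarms over constructed
beacon data. Added example, not Cisco WCS/wIPS code; every value is made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str    # transmitter MAC heard over the air
    ssid: str
    channel: int
    rssi: int     # dBm as measured by the detecting managed AP

# Constructed inventory: our managed APs, the SSIDs they serve, and neighbour
# APs an administrator has already acknowledged as friendly rogues.
MANAGED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS = {"CorpWLAN"}
FRIENDLY_BSSIDS = {"aa:bb:cc:00:00:10"}

def classify(beacon: Beacon) -> str:
    """Managed / Malicious / Friendly / Unclassified, in that precedence.
    A non-managed transmitter advertising a corporate SSID is the honey-pot /
    evil-twin case and stays Malicious even if its BSSID was marked friendly."""
    if beacon.bssid in MANAGED_BSSIDS:
        return "Managed"
    if beacon.ssid in CORPORATE_SSIDS:
        return "Malicious"
    if beacon.bssid in FRIENDLY_BSSIDS:
        return "Friendly"
    return "Unclassified"

def honeypot_alarms(beacons):
    """One alarm record per Malicious rogue, noting whether it was heard louder
    than our strongest managed AP on the same SSID (the 'higher signal
    strength' an unsuspecting client would follow)."""
    strongest = {}
    for b in beacons:
        if b.bssid in MANAGED_BSSIDS:
            strongest[b.ssid] = max(strongest.get(b.ssid, -127), b.rssi)
    return [{"alarm": "Honey Pot AP Detected", "bssid": b.bssid, "ssid": b.ssid,
             "channel": b.channel, "rssi": b.rssi,
             "stronger_than_managed": b.rssi > strongest.get(b.ssid, -127)}
            for b in beacons if classify(b) == "Malicious"]

SAMPLE_BEACONS = [  # constructed scan results
    Beacon("00:11:22:33:44:01", "CorpWLAN", 6, -45),   # our own AP
    Beacon("aa:bb:cc:00:00:10", "CafeGuest", 1, -70),  # acknowledged neighbour
    Beacon("de:ad:be:ef:00:01", "CorpWLAN", 6, -38),   # evil twin, louder than us
    Beacon("de:ad:be:ef:00:02", "CorpWLAN", 11, -80),  # evil twin, weaker
    Beacon("12:34:56:78:9a:bc", "Linksys", 11, -85),   # unknown, unclassified
]
```

Running `honeypot_alarms(SAMPLE_BEACONS)` yields two alarm records, the first flagged as stronger than the managed AP on the same SSID.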
