Transmissions

by Dragorn

I'm going to risk making a potentially bold statement: Servers and networks are getting boring.

The latest phpBB exploit isn't interesting.  Demonstrating WEP breaking on yet another network is boring.  Yet another brute force SSH worm?  Yawn.

By now, we know these things are weak; we (myself fully included) have been parroting the same dry warnings to customers, media, and fellow hackers for years, and we're just making ourselves hoarse cautioning everyone about them again and again.

What attack surface happily extends itself beyond the corporate firewalls onto untrusted networks?  What wanders around the town, city, country, or even world advertising where it came from and what it would like to talk to?  All the corporate firewalls in the world won't do a lick of good when the client is connecting to "Free Public Wi-Fi" at an airport in San Jose, or Chicago, or New York, or Copenhagen.

Why is it so easy to attack clients directly?  Client security is almost entirely in the hands of the users.  Users are notoriously bad at making good decisions about security.  So bad, it's necessary to assume that in any situation where the user is asked a question, they will choose the worst, most destructive answer.  This, of course, assumes the user is even given the opportunity to make the right decision, which implies their systems are completely up to date and the tools present the users with proper information.

Connecting to a user away from home is as trivial as it gets; when the Wi-Fi is enabled, most systems look for preferred networks (or just any network they've ever connected to before).  Many versions of Windows will even create an ad-hoc network of the same name if they can't find the one they want to join, leading to viral wireless networks which spread worldwide.  "Free Public Wi-Fi" and "HP Setup" are some of the most notable; somewhere, sometime in the past, there was a real network called "Free Public Wi-Fi" - but now it's a replicating ad-hoc network.  Joe Random User thinks, "I like free... I like Wi-Fi..." and is now another system with the "Free Public Wi-Fi" ad-hoc network in their preferred list, advertising it whenever they go somewhere where there are no other preferred networks.

Too bad the ad-hoc network doesn't go anywhere, since no one is providing DHCP service.  Oh wait, here's an IP.  And yes, I am your POP3 server, who are you and would you like to tell me your password?

It gets worse: Configuring an ad-hoc network for every client looking for a network is boring.  Besides, not every wireless management program defaults to making an ad-hoc network.  Patches to the Madwifi drivers, Karma, or the user-space Airbase-ng from the Aircrack suite automate replying to every query.  Are you "Free Public Wi-Fi"?  Yes, yes I am.  Are you "My Corpnet"?  That too, come on in.  Are you the random garbage Windows Zero Config spews?  Sure, why not.
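As an added example (not from this column or from any of the tools it names), the following Python sketches the defender's side of the two behaviours described above: spotting clients that still carry the viral ad-hoc names in their preferred lists, and spotting an access point that, Karma-style, answers probes for every SSID it is asked about.  The frame records, MAC addresses and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of simplified 802.11 management-frame records, in the
# shape a wireless IDS might log them: (frame type, transmitter MAC, SSID).
# These are invented for the example, not captured frames.
SAMPLE_FRAMES = [
    ("probe_req",  "00:11:22:33:44:01", "Free Public Wi-Fi"),
    ("probe_req",  "00:11:22:33:44:01", "My Corpnet"),
    ("probe_req",  "00:11:22:33:44:02", "HP Setup"),
    ("probe_req",  "00:11:22:33:44:02", "HomeNet"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "Free Public Wi-Fi"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "My Corpnet"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "HP Setup"),
    ("probe_resp", "aa:bb:cc:dd:ee:ff", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "CafeGuest"),
]

# Names of the self-replicating ad-hoc networks mentioned in the article.
VIRAL_ADHOC_SSIDS = {"Free Public Wi-Fi", "HP Setup"}


def clients_probing_viral_ssids(frames, watchlist=VIRAL_ADHOC_SSIDS):
    """Map each client MAC to the watchlisted SSIDs it has probed for.

    A client that probes for "Free Public Wi-Fi" carries that name in its
    preferred-network list and will join (or, on some Windows versions,
    re-create) that network wherever it goes; it is a candidate for cleanup.
    """
    hits = defaultdict(set)
    for ftype, mac, ssid in frames:
        if ftype == "probe_req" and ssid in watchlist:
            hits[mac].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in hits.items()}


def suspect_karma_aps(frames, min_ssids=3):
    """Return BSSIDs that answered probes for at least `min_ssids` distinct SSIDs.

    A legitimate access point responds for the one (or few) networks it
    hosts; an AP that says "yes" to every name it is asked about is the
    signature of a Karma / Airbase-ng style responder. The threshold is a
    heuristic: multi-SSID APs and mis-logged virtual BSSIDs can produce
    false positives, so treat hits as something to investigate, not proof.
    """
    answered = defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "probe_resp":
            answered[bssid].add(ssid)
    return {bssid: sorted(ssids) for bssid, ssids in answered.items()
            if len(ssids) >= min_ssids}


if __name__ == "__main__":
    print("clients probing viral SSIDs:", clients_probing_viral_ssids(SAMPLE_FRAMES))
    print("suspected Karma-style APs:", suspect_karma_aps(SAMPLE_FRAMES))
```

The second check is the useful one for a network owner: an AP on your premises that claims to be every network at once is worth walking over to, and the same logic can be fed from a monitor-mode capture instead of the constructed list.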

The insidious part of these attacks is that the user never knows it's happening.  As far as the client is concerned, the network is operating as expected.  There is no reason for the OS to present the user with an alert, or the user to suspect anything is amiss.  If a user is particularly alert, they may notice the "Joined Network" pop-up from the network manager.

Controlling Layer 2 means controlling everything the client sees.  What's the first action taken by clients after getting an IP?  Checking for updates and connecting to email, most likely.  When IP allocation, DNS queries, and all other network access is controlled by the attacker, a user doesn't stand much of a chance.

It gets even worse: Spoofing all these services for every client you've attached is tedious, right?  Isn't there a simpler way?  Yup!  Karmetasploit, a combination of Karma/Airbase and Metasploit, uses a spoofed DNS server to alias all remote hosts to itself and brings up a web server serving browser exploits directly to the client.  The Evilgrade toolkit performs similarly for trapping unprotected or unauthenticated automatic upgrades from assorted software packages.
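The DNS half of that setup has a tell: every name a client asks for comes back as the same address.  As an added example (not part of the column, and not code from Karmetasploit or Evilgrade), the Python below runs that check over a constructed resolver log in a dnsmasq-like "reply NAME is IP" layout; the log lines, hostnames, addresses and threshold are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed DNS resolver log excerpt in a dnsmasq-like "reply NAME is IP"
# layout; the lines and addresses (RFC 5737 and private ranges) are invented.
SAMPLE_DNS_LOG = """\
reply mail.example.com is 10.0.0.5
reply update.example.net is 10.0.0.5
reply www.example.org is 10.0.0.5
reply cdn.example-ads.test is 10.0.0.5
reply intranet.corp.test is 10.0.0.5
reply www.legit.test is 203.0.113.10
reply static.legit.test is 203.0.113.10
"""

REPLY_RE = re.compile(
    r"^reply\s+(?P<name>\S+)\s+is\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_dns_replies(log_text):
    """Extract (name, ip) pairs from resolver log lines; unparseable lines are skipped."""
    replies = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group("name").lower().rstrip("."), m.group("ip")))
    return replies


def registrable_domain(name):
    """Naive 'last two labels' approximation of the registrable domain.

    Good enough to separate example.com from example.net here; a real
    deployment would use the public suffix list (co.uk and friends).
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_catch_all_ips(replies, min_domains=4):
    """Return IPs that unrelated domains all resolve to.

    Counting distinct registrable domains rather than hostnames keeps a
    CDN or shared-hosting IP serving www/static/cdn of one site from
    tripping the check. Result: {ip: sorted list of names}.
    """
    names_by_ip = defaultdict(set)
    for name, ip in replies:
        names_by_ip[ip].add(name)
    flagged = {}
    for ip, names in names_by_ip.items():
        domains = {registrable_domain(n) for n in names}
        if len(domains) >= min_domains:
            flagged[ip] = sorted(names)
    return flagged


if __name__ == "__main__":
    print(find_catch_all_ips(parse_dns_replies(SAMPLE_DNS_LOG)))
```

On a laptop this is the kind of thing a local resolver log or a quick `tcpdump` on port 53 answers in seconds: if your mail server, your update server and a random ad host all live at the address you just got from DHCP, you are not on the network you think you are.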

It continues to get worse: Why bring up a fake network when an open network is just as good?  Despite being several years old, Airpwn is still relevant.  Developed to inject "Goatse" into browsers at DEFCON, it demonstrates the ability to inject content into an otherwise trusted browsing session.  An attacker can inject images to exploit known browser vulnerabilities, or rewrite included JavaScript files to alter the page within the browser.  The web browser security model expects that code loaded by a page is allowed access to the page (cookies, DOM, etc.).

Overwriting (or appending to) a trusted JavaScript file allows execution within the same trust region as the website.  Many popular sites support SSL for login, but then serve the normal site over standard HTTP, exposing session cookies and content.  Even if the rest of the site is encrypted, any time content is loaded unencrypted (such as ad content for images), it can be substituted with hostile content.
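Both of those weaknesses can be audited from the site owner's side without any wireless gear.  As an added example (not from the column), the Python below takes a constructed HTTPS login page and its Set-Cookie headers and reports two things: script files the page pulls over plain HTTP (the Airpwn injection point), and cookies issued without the Secure attribute (the ones a browser will happily send over the later plain-HTTP session).  The page URL, markup and cookie values are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed HTTPS login page and response headers for the example; the
# hostnames and cookie values are invented.
PAGE_URL = "https://www.example.test/login"
SAMPLE_HTML = """\
<html><head>
<script src="/static/app.js"></script>
<script src="//static.example.test/lib.js"></script>
<script src="http://cdn.example-ads.test/ads.js"></script>
</head><body><form method="post" action="/login"></form></body></html>
"""
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",
]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def plaintext_script_loads(page_url, html):
    """Return absolute URLs of scripts an HTTPS page pulls over plain HTTP.

    Each one runs with the page's origin privileges (cookies, DOM), so
    anyone on the path can rewrite it. Protocol-relative '//host/x.js'
    inherits https from the page and is not flagged.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.srcs
            if urlparse(urljoin(page_url, src)).scheme == "http"]


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies set without the Secure attribute.

    Without Secure, the browser sends the cookie on every http:// request
    to the domain, so a login over SSL followed by a plain-HTTP page hands
    the session to anyone sniffing the open network.
    """
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("scripts over HTTP:", plaintext_script_loads(PAGE_URL, SAMPLE_HTML))
    print("cookies without Secure:", cookies_missing_secure(SAMPLE_SET_COOKIE))
```

The fix for the site is the obvious one: serve every script (and, for the image case in the paragraph above, every image) over SSL and mark the session cookie Secure, so the login-over-SSL effort isn't undone by the very next page view.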

Why spend the time focusing on clients?  The simplest case gets credentials to the protected network, by spoofing network services and capturing logins or by sniffing unprotected plaintext.  The insidious attack path is to install sleeper software; firewalls are usually designed to keep traffic out, not prevent traffic from leaving.  Even undisguised channels can often go undetected, never mind stealth channels using encryption, HTTP queries, or timing.

So after all the doom and gloom, what can actually be done to fix the problem?  The simplest method for protecting clients is to turn off the radio when not in use, maintain patch levels at all times, and force the use of VPN for any sensitive content.  But let's be real: That's not likely to happen in most situations.

Protecting clients outside of the sheltered world of the firewalled intranet will continue to be a major challenge and vulnerability for some time to come.

Until the operating system and user tools become simple enough to allow novice users to defend themselves, client security is in a bad place.
