Jimbo’s Blog

Cool new function in Google Spreadsheets

by Jimbo on May.17, 2009, under Uncategorized

Google have some new features in the Google Docs suite.  The most notable to me is being able to easily fetch data from a Google search into a spreadsheet.

For example if I want a cell to display the population of London…

I would use the following code…

GoogleLookup("London, UK", "population")
Google Lookup Function



Rogue APs may not be easy to detect…

by Jimbo on Mar.15, 2009, under Security, interesting

Any one of your employees can purchase a cheap WiFi AP and connect it to your company's network.  Employees will sometimes do this for their own convenience, not realizing it may be leaving you open to attack.

Cisco tool showing location of rogue AP


Many companies currently mitigate this risk by “War Walking”, performing scans to detect rogue APs.  There are also more complex Wireless Intrusion Detection Systems (WIDS) available.  War Walking will certainly detect most if not all of these devices.

So we are now left with the use case of someone who intends to leave a WiFi access point on the network undetected.  Perhaps they have been made redundant or dismissed.  They hide their WiFi access point behind a filing cabinet near a window so they may maintain access to your corporate network.

In this blog post I will identify 3 ways he/she might try to avoid your “War Walking” scans.

Method 1: WiFi Knocking…

This is very similar to port knocking, only here a rogue AP is connected to your network in monitor mode, listening for probe requests. When the rogue AP receives a packet (or sequence of packets) with the preconfigured SSID, it awakens and switches to master mode. If you have a router which is able to run OpenWRT (Linksys) then you can search for “WKnock“.  Essentially, when the attacker is not using the AP it is silent in monitor mode and therefore cannot be detected by standard war walking tools.

The program “WKnock” is designed for this purpose, and it can be installed on any AP supported by the OpenWRT framework. During times when the rogue AP isn’t active, it is silent and can’t be detected using common wireless scanning tools.

Method 2: Channel 14 (Works only in certain parts of Europe and America)

In the United States, the FCC has licensed 11 channels for 802.11b/g, which have center frequencies between 2.412 GHz and 2.462 GHz. However, most of Europe allows 13 channels (up to 2.472 GHz), and Japan allows 802.11b all the way up to channel 14, or 2.484 GHz.

Cards manufactured for the United States and Europe often don’t support channel 14, since it’s illegal to transmit on that frequency. There’s overlap between the channels, but at 2.484 GHz, channel 14 is far enough away from channel 11 that network cards are unlikely to pick up much signal on channel 11. If an attacker were to configure an AP to illegally transmit on Channel 14 and export data at 2.484 GHz, security teams monitoring US channels would probably never detect it.
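The blind spot described above can be checked for in survey data. The following is an added example, not code from the original post: it lists the 2.4 GHz channels a war-walk never tuned to and flags beacons outside the local channel plan or the AP inventory. The function names, BSSIDs and sample records are constructed for illustration.

```python
# Added example (not from the original post): audit a 2.4 GHz war-walk.
# Channel plans follow the post: US 1-11, most of Europe 1-13, Japan 1-14.
ALLOWED = {"US": range(1, 12), "EU": range(1, 14), "JP": range(1, 15)}


def center_mhz(channel):
    """Centre frequency in MHz of a 2.4 GHz 802.11b/g channel."""
    if channel == 14:
        return 2484          # channel 14 is off the regular 5 MHz grid
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("not a 2.4 GHz channel: %r" % channel)


def audit_survey(scanned, beacons, domain, inventory):
    """Return (channels never scanned, findings for suspicious beacons)."""
    blind = sorted(set(range(1, 15)) - set(scanned))
    known = {b.lower() for b in inventory}
    findings = []
    for b in beacons:
        reasons = []
        if b["channel"] not in ALLOWED[domain]:
            reasons.append("outside %s channel plan" % domain)
        if b["bssid"].lower() not in known:
            reasons.append("BSSID not in inventory")
        if reasons:
            findings.append((b["bssid"], b["channel"],
                             center_mhz(b["channel"]), reasons))
    return blind, findings


# Constructed sample data: BSSIDs, SSIDs and channels are made up.
INVENTORY = ["02:00:00:00:00:01"]
BEACONS = [
    {"bssid": "02:00:00:00:00:01", "ssid": "corp", "channel": 6},
    {"bssid": "02:00:00:00:00:99", "ssid": "", "channel": 14},
]

if __name__ == "__main__":
    # A US-only card never tunes to 12-14, so the channel 14 beacon
    # would not appear in its results; the audit still reports the gap.
    us_seen = [b for b in BEACONS if b["channel"] in ALLOWED["US"]]
    print(audit_survey(range(1, 12), us_seen, "US", INVENTORY))
    # A survey that covers all 14 channels sees and flags it.
    print(audit_survey(range(1, 15), BEACONS, "US", INVENTORY))
```

A non-empty first element means the survey result says nothing about those channels, however clean the findings list looks.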

Method 3: Bluetooth Access Point

Most people assume that Bluetooth is limited to 10 metres distance and very slow… that is correct for a Class 2 Bluetooth network, which is fairly low-power and has a maximum range of ~10M.

However, there’s more to Bluetooth than you might imagine. Bluetooth Class 1 devices are much more powerful, with ranges similar to 802.11b wireless APs. A Bluetooth Class 1 device can transmit up to 100mW, with a typical range of ~100M (or miles, if the receiver has a directional antenna). You can buy a Class 1 Bluetooth AP for £100-£150.

Can you discover Bluetooth APs while war-walking? Not if you’re just using an 802.11 card. Even if you’re using a spectrum analyzer, you may not notice it. Bluetooth uses Frequency Hopping Spread Spectrum, and hops 1600 times a second throughout the 2.402-2.480GHz band. Because it’s spread out across the spectrum, it can be hard to notice and easily mistaken for noise by the untrained eye. Most Wireless IDS systems and security teams simply don’t look for it (at the moment).


Fog

by Jimbo on Jan.10, 2009, under interesting

The fog has cleared at last…. the past couple of days I have been unable to see the lights of Canary Wharf.


Happy New Year?

by Jimbo on Jan.03, 2009, under interesting

Having spent Christmas back in Birmingham with family I returned home the other day to find my neighbour's building had burnt to the ground… taking some of my windows with it :-(

Great start to the new year!

Odessa Wharf Fire



iPhone 3G Unlocked!

by Jimbo on Dec.16, 2008, under Tech News, interesting

Well this has been a long time coming. It seems that the iPhone Dev-Team has finally done the impossible — they’ve gone and unlocked the iPhone 3G. The hack isn’t out yet (the team says they’re shooting for a December 31st release), but when it drops, the crew seems fairly confident it will result in freedom from carrier oppression.

Engadget


Great shell function….

by Jimbo on Dec.12, 2008, under Code, Ubuntu, tutorial

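# ssh auto-completion: offer hostnames from ~/.ssh/known_hosts
# Entries containing a digit are dropped (IP addresses, and hashed
# entries when HashKnownHosts is on, since those start with |1|).
SSH_COMPLETE=( $(cut -f 1 -d " " ~/.ssh/known_hosts | \
sed -e 's/,.*//g' | uniq | grep -Ev '[0123456789]') )
complete -o default -W "${SSH_COMPLETE[*]}" ssh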

Credit goes to Marcel Molina….

Enjoy….




Wikiffiti – Graffiti for Wiki Geeks

by Jimbo on Dec.10, 2008, under interesting

It’s interesting to see how much “wiki speak” is being embraced by modern day folks.

bekathwia on Flickr has come up with the grand idea of printing stickers like the one seen on the advert to the right.


