Don't Be Scared
By Ben Halpert
"The security guys adequately scared everyone," was the feedback of one attendee at the 2009 Mobile Enterprise Executive Summit, held in Los Angeles this past November. While Jasyn Voshell, Enterprise Security Manager at Textron Inc., and I were hoping to leave a lasting impression, "scared" was not the goal.
Our session, entitled Securing WLAN and VoIP for the Mobile Workforce, incorporated two live demonstrations: one involved a Voice over Internet Protocol (VoIP) phone call and the other a Wireless Local Area Network (WLAN) public hotspot environment.
For the VoIP demonstration, we used a free VoIP calling service to place a call between two computers. We used a third computer to intercept and record the conversation using a free software program downloadable from the Internet. Jasyn and I proceeded to have a conversation using our two VoIP-enabled devices. Subsequently, we played back the captured voice call for the audience to hear. When we placed the next demonstration call, each computer was loaded with a free program that automatically encrypts voice conversations. When we played the encrypted call back for the audience, all that was heard was static.
An "evil-twin" public hotspot threat environment was then created for the WLAN demonstration. An "evil-twin" is a fake network or wireless access point set up to trick nearby wireless-enabled computing devices into connecting to it unknowingly, so that whoever runs it can capture traffic or trick users into divulging authentication information (i.e., username and password), personal information, and sensitive organizational information. For the WLAN demonstration, one computer acted as the "evil-twin" and another as a typical user in a public hotspot environment.
One of the features of the free evil-twin program we used is that it forces all nearby devices with an active WiFi connection off their existing network and onto the "evil-twin" network. Several audience members were surprised to see their computers automatically reconnect to the "evil-twin" network we temporarily set up. We then disabled the freely available "evil-twin" software.
While some attendees were "...adequately scared...", others found the session contained an "intriguing demonstration to make a valuable point," and others "liked the interplay between speakers and the demos."
All of the software used in the session is freely available to anyone on the Internet. However, we do not recommend or condone using the tools except for demonstration purposes and with permission of the network owners, as appropriate.
See you at the 2010 Mobile Enterprise Executive Summit on November 3-5!
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions and requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.