PrepAway - Latest Free Exam Questions & Answers

which of the following attacks is underway?

After a recent breach, the security administrator performs a wireless survey of the corporate network. The security administrator notices a problem with the
following output:
MAC                SSID    ENCRYPTION  POWER  BEACONS
00:10:A1:36:12:CC  MYCORP  WPA2 CCMP   60     1202
00:10:A1:49:FC:37  MYCORP  WPA2 CCMP   70     9102
FB:90:11:42:FA:99  MYCORP  WPA2 CCMP   40     3031
00:10:A1:AA:BB:CC  MYCORP  WPA2 CCMP   55     2021
00:10:A1:FA:B1:07  MYCORP  WPA2 CCMP   30     6044
Given that the corporate wireless network has been standardized, which of the following attacks is underway?

A. Evil twin

B. IV attack

C. Rogue AP

D. DDoS

Explanation:
The question states that the corporate wireless network has been standardized. By "standardized" it means that the wireless access points all run on
hardware from the same vendor. We can see this from the MAC addresses used. The first half of a MAC address is vendor specific; the second half is network
adapter specific. We have four devices with MAC addresses that start with 00:10:A1.
The "odd one out" is the device with a MAC address starting with FB:90:11. This device is from a different vendor, yet the SSID it advertises is the same as that of
the other, legitimate access points. Therefore, the access point with a MAC address starting with FB:90:11 is impersonating the corporate access points. This is
known as an Evil Twin.
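The same check, automated: the script below (an added example, not part of the original question or its source) parses the survey output shown above and flags any access point that advertises the corporate SSID from a vendor prefix (OUI) other than the standardized one. The survey lines are copied from the question; the "majority OUI equals the standardized hardware" rule and the optional `allowed_ouis` list are assumptions.

```python
"""Flag access points that advertise the corporate SSID but do not match the
standardized hardware profile (vendor OUI), as in the wireless survey above."""
from collections import Counter

# Survey output copied from the question (constructed sample input).
SURVEY = """\
MAC SSID ENCRYPTION POWER BEACONS
00:10:A1:36:12:CC MYCORP WPA2 CCMP 60 1202
00:10:A1:49:FC:37 MYCORP WPA2 CCMP 70 9102
FB:90:11:42:FA:99 MYCORP WPA2 CCMP 40 3031
00:10:A1:AA:BB:CC MYCORP WPA2 CCMP 55 2021
00:10:A1:FA:B1:07 MYCORP WPA2 CCMP 30 6044
"""

def parse_survey(text):
    """Parse the survey into dicts. ENCRYPTION may contain a space
    ("WPA2 CCMP"), so it is taken as everything between SSID and POWER."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        mac, ssid = parts[0].upper(), parts[1]
        power, beacons = int(parts[-2]), int(parts[-1])
        enc = " ".join(parts[2:-2])
        rows.append({"mac": mac, "ssid": ssid, "enc": enc,
                     "power": power, "beacons": beacons})
    return rows

def oui(mac):
    """First three octets of the MAC: the vendor-specific half."""
    return mac[:8]

def find_impostors(rows, ssid, allowed_ouis=None):
    """Return APs advertising `ssid` whose OUI is outside the allowed set.
    If no allowed set is given, assume the standardized hardware is the
    majority OUI seen for that SSID (the assumption made in the question)."""
    same_ssid = [r for r in rows if r["ssid"] == ssid]
    if allowed_ouis is None:
        majority, _ = Counter(oui(r["mac"]) for r in same_ssid).most_common(1)[0]
        allowed_ouis = {majority}
    return [r for r in same_ssid if oui(r["mac"]) not in allowed_ouis]

if __name__ == "__main__":
    for ap in find_impostors(parse_survey(SURVEY), "MYCORP"):
        print(f"possible evil twin: {ap['mac']} ({ap['enc']}, power {ap['power']})")
```

In a real deployment the allowed OUI set would come from the asset inventory rather than being inferred from the survey itself, so that an attacker who outnumbers the legitimate APs cannot become the "majority".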

An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In
an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be
stolen by spying on a connection or using a phishing technique.
For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and
frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate
hotspot with the same name.
In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of
wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
Incorrect Answers:
B: An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce,
or "number occurring once," as an encryption program uses it only once per session.
An initialization vector is used to avoid repetition during the data encryption process, so that an attacker cannot decrypt the exchanged encrypted messages by
discovering a pattern in them. An attack that targets the way the initialization vector is used is known as an IV attack. This is not what is described in this question.
Therefore, this answer is incorrect.
C: A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network
administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large
organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that
can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual
authentication (client-server server-client) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network.
The Evil Twin in this question is a type of rogue access point. However, as the access point is impersonating the corporate network, it is classed as an Evil Twin.
Therefore, this answer is incorrect.
D: A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web
servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is
overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are
that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the
behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense
mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able
to simply add more attack machines. The end result is that a website is taken down completely for periods of time. This is not what is described in this question.
Therefore, this answer is incorrect.
