Unit 6 - Notes

INT244

Unit 6: Hacking Wi-Fi and Bluetooth, Mobile Device Security, Cloud Technologies and Security

1. Wireless Networks and Threats

What Is a Wireless Network?

A wireless network uses radio waves to connect devices (nodes) without physical cabling. It operates primarily on the IEEE 802.11 standards (Wi-Fi).

  • WLAN (Wireless Local Area Network): Covers a limited area (home, office) using Access Points (APs).
  • SSID (Service Set Identifier): The name broadcast by the AP to identify the network.
  • Channels: Sub-divisions of frequency bands (2.4 GHz and 5 GHz) used to reduce interference.
  • Security Standards Evolution:
    • WEP (Wired Equivalent Privacy): Obsolete and highly insecure due to static encryption keys (RC4 stream cipher issues).
    • WPA (Wi-Fi Protected Access): Introduced TKIP (Temporal Key Integrity Protocol) to solve WEP issues but still vulnerable.
    • WPA2: Uses AES (Advanced Encryption Standard) and CCMP. Currently the standard, though vulnerable to KRACK (Key Reinstallation Attack).
    • WPA3: The latest standard, introducing SAE (Simultaneous Authentication of Equals) to prevent offline dictionary attacks.

A Close Examination of Threats

Wireless networks are inherently less secure than wired networks because the transmission medium (air) is accessible to anyone within range.

  1. War Driving: The act of moving around a specific area to map the population of wireless access points. Attackers use tools like Kismet or WiGLE to locate vulnerable networks.
  2. Rogue Access Points: An unauthorized AP installed on a secure network (e.g., an employee plugging a home router into a corporate LAN port), bypassing the firewall.
  3. Evil Twin: A counterfeit AP set up by an attacker with the same SSID and MAC address as a legitimate AP. Users unknowingly connect to the attacker's device, allowing for Man-in-the-Middle (MitM) attacks.
  4. Packet Sniffing: Intercepting unencrypted traffic. On open Wi-Fi, cookies and credentials can be stolen (Session Hijacking).
  5. Deauthentication Attacks: Sending spoofed de-auth frames to disconnect users from the AP. This is often used to capture the WPA "Handshake" for offline cracking.
  6. Jamming: Intentional interference with radio frequencies to create a Denial of Service (DoS).
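
A worked example of how the evil twin and deauthentication threats above look from the defender's side (an added example; it is not part of the course notes). It runs two checks over a constructed list of 802.11 management-frame records: a beacon whose BSSID or channel does not match an inventory of the organization's own access points, and a burst of deauthentication frames exceeding a threshold within a time window. The inventory, MAC addresses, channels and thresholds are made-up values.

```python
from collections import defaultdict, deque

# Constructed inventory of the organization's own access points: SSID -> {BSSID: channel}.
# All MAC addresses and channels here are made-up values.
AUTHORIZED_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01": 6, "aa:bb:cc:00:00:02": 11},
}

DEAUTH_THRESHOLD = 20   # deauth frames claiming one BSSID ...
WINDOW_SECONDS = 10     # ... within this many seconds


def check_beacon(frame):
    """Flag a beacon whose BSSID or channel does not match the inventory for its SSID."""
    known = AUTHORIZED_APS.get(frame["ssid"])
    if known is None:
        return None  # an SSID we do not manage is out of scope for this check
    expected_channel = known.get(frame["bssid"])
    if expected_channel is None:
        return f"possible evil twin: SSID {frame['ssid']!r} from unknown BSSID {frame['bssid']}"
    if expected_channel != frame["channel"]:
        return (f"possible spoofed BSSID: {frame['bssid']} on channel {frame['channel']} "
                f"(inventory says {expected_channel})")
    return None


class DeauthMonitor:
    """Sliding-window counter of deauthentication frames per claimed sender (BSSID)."""

    def __init__(self, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent deauth frames
        self.alerted = set()               # alert once per BSSID per flood

    def observe(self, frame):
        q = self.recent[frame["bssid"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > self.window:   # drop frames outside the window
            q.popleft()
        if len(q) >= self.threshold and frame["bssid"] not in self.alerted:
            self.alerted.add(frame["bssid"])
            return f"deauth flood: {len(q)} frames claiming BSSID {frame['bssid']} within {self.window}s"
        return None


def analyze(frames):
    """Run both checks over a sequence of management-frame records; return the alerts raised."""
    monitor = DeauthMonitor()
    alerts = []
    for frame in frames:
        if frame["type"] == "beacon":
            alert = check_beacon(frame)
        elif frame["type"] == "deauth":
            alert = monitor.observe(frame)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


def sample_frames():
    """Constructed capture: a legitimate beacon, an unmanaged SSID, a rogue BSSID using our SSID,
    a legitimate BSSID on the wrong channel, then 25 spoofed deauth frames within 2.5 seconds."""
    frames = [
        {"ts": 0.0, "type": "beacon", "ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "channel": 6},
        {"ts": 0.1, "type": "beacon", "ssid": "GuestNet", "bssid": "11:22:33:44:55:66", "channel": 1},
        {"ts": 0.2, "type": "beacon", "ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "channel": 1},
        {"ts": 0.3, "type": "beacon", "ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:02", "channel": 3},
    ]
    frames += [{"ts": 1.0 + i * 0.1, "type": "deauth", "bssid": "aa:bb:cc:00:00:01", "channel": 6}
               for i in range(25)]
    return frames


if __name__ == "__main__":
    for line in analyze(sample_frames()):
        print(line)
```

Because a well-made evil twin may clone the legitimate BSSID as well as the SSID, the inventory lookup alone is not sufficient; the channel comparison is one of several secondary signals a wireless IDS uses (signal strength, beacon interval and capability fields are others). Legitimate APs also send the occasional deauthentication frame, which is why the rule counts frames over a window instead of alerting on a single one.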

Hacking Bluetooth

Bluetooth operates on the IEEE 802.15.1 standard, using Frequency Hopping Spread Spectrum (FHSS) in the 2.4 GHz band.

  • Discovery Mode: The state in which a Bluetooth device broadcasts its existence.
  • Pairing: The process of exchanging Link Keys for future authentication.

Common Bluetooth Attacks

  1. Bluejacking: Sending unsolicited messages (usually vCards or text) to a Bluetooth-enabled device. It is annoying but generally harmless (no data theft).
  2. Bluesnarfing: Unauthorized access to information (contacts, calendars, emails, text messages) from a wireless device through a Bluetooth connection. This is a severe data confidentiality breach.
  3. Bluebugging: The attacker takes total control of the target phone. They can make calls, send messages, and listen to conversations without the owner's knowledge.
  4. Blueborne: An airborne attack vector that requires no pairing or user interaction. It exploits vulnerabilities in the Bluetooth stack to execute code remotely.

2. Security Operations: SIEM and SOC

Introduction to SIEM (Security Information and Event Management)

SIEM refers to software solutions that aggregate and analyze activity from many different resources across the entire IT infrastructure.

  • Core Functions:
    1. Data Aggregation: Collects logs from firewalls, servers, routers, and AV software.
    2. Correlation: Links events from different sources to identify patterns (e.g., 5 failed logins on a server followed by a database access attempt = brute force attack).
    3. Alerting: Sends immediate notifications to analysts when threats are detected.
    4. Retention: Stores logs for compliance (GDPR, HIPAA, PCI-DSS) and forensics.
  • Examples: Splunk, IBM QRadar, ArcSight, AlienVault.
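
The correlation function described above can be made concrete. The following is an added example (not from the course notes) that normalizes two constructed log sources, an SSH authentication log and a PostgreSQL audit log, into events and applies one correlation rule: five or more failed logins from one source against one host, followed within ten minutes by a database connection from that same source, raises a brute-force alert. Hostnames, IP addresses and the exact log formats are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (sshd and postgres), standing in for the
# heterogeneous feeds a SIEM aggregates. Hosts and addresses are made up.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 db-srv sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 db-srv sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 db-srv sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 db-srv sshd[812]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:08 db-srv sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:09 db-srv sshd[812]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-03-01T10:00:30 db-srv postgres[2201]: connection authorized: user=admin database=customers host=203.0.113.7
2024-03-01T10:02:00 web-01 sshd[440]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:00 web-01 postgres[2202]: connection authorized: user=app database=customers host=198.51.100.9
"""

SSH_FAIL = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
DB_ACCESS = re.compile(r"^(\S+) (\S+) postgres\[\d+\]: connection authorized: "
                       r"user=(\S+) database=(\S+) host=(\S+)")


def parse(lines):
    """Normalize raw lines into (timestamp, host, event_type, source_ip) tuples.
    Lines no parser matches (here the 'Accepted password' line) are skipped; a real SIEM
    would count them as unparsed rather than drop them silently."""
    events = []
    for line in lines.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            ts, host, _user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, "auth_fail", src))
            continue
        m = DB_ACCESS.match(line)
        if m:
            ts, host, _user, _db, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, "db_access", src))
    return events


def correlate(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Rule: >= fail_threshold authentication failures from one source against one host,
    followed within `window` by a database access from that source -> one alert."""
    failures = defaultdict(list)   # (host, source_ip) -> timestamps of failures
    alerts = []
    # Events from different sources arrive out of order; correlate in time order.
    for ts, host, kind, src in sorted(events):
        key = (host, src)
        if kind == "auth_fail":
            failures[key].append(ts)
        elif kind == "db_access":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "rule": "brute_force_then_db_access",
                    "host": host,
                    "source": src,
                    "failures": len(recent),
                    "at": ts.isoformat(),
                })
                failures[key].clear()   # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

The single failed login against web-01 stays below the threshold and produces nothing, which is the point of correlation: neither source on its own is alarming, the combination is.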

Introduction to SOC (Security Operations Center)

The SOC is the centralized team (people) and facility responsible for monitoring and analyzing an organization's security posture on an ongoing basis.

  • Relationship with SIEM: The SIEM is the tool; the SOC is the team that uses the tool.
  • SOC Roles:
    • Tier 1 Analyst: Triage and monitor alerts.
    • Tier 2 Analyst: Incident response and investigation.
    • Tier 3 Analyst: Threat hunting and advanced forensics.
    • SOC Manager: Oversees operations and strategy.

3. Mobile Device Security

Mobile OS Models and Architectures

Android Architecture

  • Kernel: Based on the Linux Kernel (handles hardware drivers, power management).
  • Middleware: Libraries (SQLite, WebKit) and the Android Runtime (ART).
  • Permissions: App-centric permission model. Each app declares the permissions it needs in its manifest file, and users grant access to sensors/data.
  • Open Source: High customizability but higher fragmentation, leading to slower security patch distribution across different manufacturers.
  • Sideloading: Allows installation of APKs from outside the Google Play Store (high risk).

iOS Architecture

  • Kernel: Based on XNU (Darwin/BSD).
  • Secure Chain of Trust: Hardware (Boot ROM) validates the Bootloader, which validates the Kernel, verifying signatures at every step.
  • Sandboxing: Strictly enforced. Apps cannot access other apps' data or system files unless explicitly allowed via APIs.
  • Walled Garden: Apps can typically only be installed from the App Store, which has rigorous security reviews.

Goals of Mobile Security

  1. Confidentiality: Protecting data at rest (encryption on the chip) and data in transit (VPNs/TLS).
  2. Integrity: Ensuring the OS has not been rooted (Android) or jailbroken (iOS), which bypasses security controls.
  3. Availability: Ensuring the device can be used when needed (protection against battery draining malware or ransomware).

Device Security Models (Enterprise Deployment)

  1. BYOD (Bring Your Own Device): Employees use personal devices for work.
    • Risk: High. Corporate data mixes with personal apps.
    • Control: Containerization (separating work/personal profiles).
  2. COPE (Corporate Owned, Personally Enabled): Company buys the device, allows personal use.
    • Risk: Moderate. IT has full control over the device but privacy concerns exist.
  3. CYOD (Choose Your Own Device): Employee selects from a pre-approved list of devices purchased by the company.
  4. COBO (Corporate Owned, Business Only): Strictly for work. Highest security, lowest user satisfaction.

Countermeasures

  1. MDM (Mobile Device Management): Software that allows IT to enforce policies (require passcodes, disable cameras), push updates, and perform Remote Wipe if a device is lost/stolen.
  2. MAM (Mobile Application Management): Focuses on securing specific corporate apps rather than the whole device.
  3. Biometrics: Fingerprint scanning or Face ID used in place of weak PINs.
  4. Encryption: Full Disk Encryption (FDE) should be mandatory.

4. Cloud Technologies and Security

What Is the Cloud?

According to NIST, Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.

Service Models

  1. IaaS (Infrastructure as a Service): Provider gives virtual hardware (storage, CPU, network). Customer manages the OS and Apps (e.g., AWS EC2).
  2. PaaS (Platform as a Service): Provider gives hardware + OS + Runtime. Customer manages only the Application and Data (e.g., Google App Engine, Heroku).
  3. SaaS (Software as a Service): Provider manages everything. Customer just uses the software (e.g., Gmail, Salesforce, Office 365).

Deployment Models

  • Public: Shared infrastructure available to the general public.
  • Private: Infrastructure operated solely for a single organization.
  • Hybrid: Composition of two or more clouds (private/public).

Threats to Cloud Security

  1. Data Breaches: Unauthorized access to sensitive data due to weak authentication or bugs.
  2. Misconfiguration: The #1 cause of cloud incidents (e.g., leaving an AWS S3 bucket "Public").
  3. Insecure APIs: Cloud services are managed via APIs. If these are insecure, attackers can manipulate the cloud environment.
  4. Account Hijacking: Phishing or credential stuffing allowing attackers to take over administrative cloud consoles.
  5. Insider Threats: Malicious employees at the Cloud Service Provider (CSP).
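
The S3 misconfiguration named above is detectable from the bucket policy alone. This added example (not from the course notes) places a constructed policy that grants anonymous read access beside a corrected version that restricts access to one IAM role, and runs a checker that flags every Allow statement whose Principal is a wildcard. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed bucket policy: anonymous read of every object ("Public" bucket).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Same bucket, corrected: only one IAM role in the account may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _is_wildcard_principal(principal):
    """True for the forms that mean 'anyone': "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_restricting_condition(stmt):
    """A Condition can narrow a wildcard principal (e.g. to one VPC endpoint or organization).
    Such statements are reported as conditioned rather than treated as fully public."""
    condition = stmt.get("Condition", {})
    keys = {key.lower() for operator in condition.values() for key in operator}
    return bool(keys & {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid", "aws:sourceip"})


def find_public_statements(policy_json):
    """Return one finding per Allow statement with a wildcard principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be given as an object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditioned": _has_restricting_condition(stmt),
        })
    return findings


if __name__ == "__main__":
    print("public policy    :", find_public_statements(PUBLIC_POLICY))
    print("restricted policy:", find_public_statements(RESTRICTED_POLICY))
```

Account-level S3 Block Public Access settings stop such a policy from taking effect at all; the checker is the kind of rule a posture scanner applies to policies read back from the API. A wildcard principal narrowed by a Condition (for example on aws:PrincipalOrgID or aws:SourceVpce) is reported with conditioned set to True rather than ignored, because its real exposure depends on that condition.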

Cloud Computing Attacks

  1. Side-Channel Attacks: In a shared physical server (multi-tenancy), one malicious Virtual Machine (VM) tries to extract cryptographic keys or data from a target VM by analyzing shared hardware cache or CPU usage (e.g., Meltdown/Spectre).
  2. Wrapper Attacks: Exploiting the XML signature wrapping in web services (SOAP) to trick the server into accepting an illegitimate request.
  3. DoS/DDoS: Exploiting the "elasticity" of the cloud. Attackers flood a service, causing it to auto-scale, which results in huge financial costs for the victim (EDoS: Economic Denial of Sustainability).
  4. Cloudborne: Attackers implant a backdoor in the firmware of the physical server. When the victim provisions a VM on that hardware, the attacker compromises it.
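
The wrapper attack above comes down to one verifier mistake: validating a signature over one element and then handing a different element to the application. This added example (not from the course notes) models a simplified SOAP request with Python's xml.etree. An HMAC over the serialized Body stands in for a real XML Signature, since the point is the reference check and not the signature algorithm; the element names and the Id/URI convention are simplified from XMLDSig, and the key and request values are constructed. wrap() is the test fixture that rearranges a signed request into the wrapped shape the notes describe; the vulnerable verifier resolves the signed element by Id anywhere in the document and then processes whatever sits at Envelope/Body, while the hardened verifier refuses unless the verified element is the very element it is about to process.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed key: stands in for the XMLDSig key material a real SOAP endpoint would use.
SHARED_KEY = b"constructed-demo-key"


def sign_element(elem):
    """HMAC over the serialized element; a stand-in for a real XML Signature."""
    return hmac.new(SHARED_KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def build_request(amount, to, body_id="body1"):
    """Legitimate signed request: Header/Signature references the Body by Id."""
    env = ET.Element("Envelope")
    header = ET.SubElement(env, "Header")
    body = ET.SubElement(env, "Body", {"Id": body_id})
    ET.SubElement(body, "Transfer", {"amount": str(amount), "to": to})
    sig = ET.SubElement(header, "Signature")
    ET.SubElement(sig, "Reference", {"URI": "#" + body_id})
    ET.SubElement(sig, "SignatureValue").text = sign_element(body)
    return env


def wrap(env):
    """Test fixture reproducing the wrapped shape: the signed Body is moved under a Wrapper
    element in the Header (its signature still verifies) and an unsigned Body with different
    content takes its place at Envelope/Body."""
    header = env.find("Header")
    original = env.find("Body")
    env.remove(original)
    ET.SubElement(header, "Wrapper").append(original)
    new_body = ET.SubElement(env, "Body", {"Id": "body2"})
    ET.SubElement(new_body, "Transfer", {"amount": "9999", "to": "mallory"})
    return env


def _verified_reference(env):
    """Resolve the Reference URI by Id anywhere in the document and check its signature.
    Returns the referenced element on success, None on failure."""
    sig = env.find("Header/Signature")
    target = sig.find("Reference").get("URI").lstrip("#")
    referenced = next((el for el in env.iter() if el.get("Id") == target), None)
    if referenced is None:
        return None
    expected = sig.find("SignatureValue").text or ""
    if not hmac.compare_digest(sign_element(referenced), expected):
        return None
    return referenced


def verify_vulnerable(env):
    """Verifies the signature, then processes Envelope/Body regardless of which element was signed."""
    if _verified_reference(env) is None:
        return None
    return dict(env.find("Body/Transfer").attrib)


def verify_hardened(env):
    """Verifies the signature and refuses unless the signed element IS the Body it will process."""
    referenced = _verified_reference(env)
    body = env.find("Body")
    if referenced is None or referenced is not body:
        return None
    return dict(body.find("Transfer").attrib)


if __name__ == "__main__":
    print("legit, vulnerable  :", verify_vulnerable(build_request(100, "alice")))
    print("wrapped, vulnerable:", verify_vulnerable(wrap(build_request(100, "alice"))))
    print("wrapped, hardened  :", verify_hardened(wrap(build_request(100, "alice"))))
```

The hardened check is an identity comparison on the element object, not a second Id lookup; a lookup could be fooled again by a duplicate Id. Real XML Signature libraries apply the same rule by returning the exact node that was validated, and the application must consume only that node.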

Testing Security in the Cloud

Testing in the cloud is legally and technically complex.

  • The Shared Responsibility Model:
    • Provider (AWS/Azure): Responsible for security of the cloud (physical centers, hypervisors, cabling).
    • Customer: Responsible for security in the cloud (OS patching, firewalls, data encryption, IAM).
  • Penetration Testing Restrictions:
    • You generally may not run DoS/DDoS tests against cloud infrastructure (the shared infrastructure affects other customers).
    • You must often obtain written permission from the CSP before pen-testing even your own instances, so that the test does not trigger the provider's security alarms.
  • CASB (Cloud Access Security Broker): A software tool acting as a gatekeeper between on-premise infrastructure and cloud providers to enforce security policies.