Hack2-CompGde-081706.qxd 8/17/06 4:14 PM Page 1

Advanced
Hacking Techniques:
Implications for a
Mobile Workforce
By Daniel V. Hoffman, CISSP, CWNA, CEH
August, 2006
CONTENTS

Introduction
The Changing Threat Landscape
Step-by-Step Guide: Hacking the Mobile Workforce
Security Fundamentals: Rethink Your Security Strategy with the Mobile Worker in Mind
Sponsor Perspective: Fiberlink: Simple. Secure. Mobility.

DEMONSTRATION
Click here to view the demonstration:
“Hacking the Mobile Workforce”

© 2006 Fiberlink Communications, Corp.


EXECUTIVE SUMMARY

Laptops are being deployed within enterprises at an increasing rate, mostly because of the flexibility and convenience they provide employees, and in turn, the productivity gains they provide for the companies.

It is impossible to go anywhere today without seeing people working outside the traditional office setting on their laptops: at the local coffee shop, while lounging in the park, standing at their kitchen counters, waiting at airport gates, and working in their hotel rooms. Gone are the days when people worked from 9 to 5 at the office. As John Girard stated in a report on Managing the Mobile & Remote Wireless Workforce [1], “during recent years, the volume of people working outside the settings of central offices has risen steadily. No matter where people are physically located, they are usually involved in remote work. Their outputs, collaborations, meetings and styles are characterized by interactions that are electronic, not face-to-face.”

86% of employees in the United States will be working on laptops by 2007.
—Gartner Research

Some interesting market trends also support this same point:

• By 2008, 75% of the sales and services workforce worldwide will be mobile. (Gartner)
• In May 2005, notebook sales accounted for 53% of the total U.S. PC market, outpacing desktop sales for the first time. (Current Analysis, July 2005)

This shift in employee mobility has created a need to redefine the mobile worker. No longer can a mobile worker be defined solely as a “road warrior,” the traveling salesperson who spends upwards of 80% of their time on the road going from airport, to hotel, to customer site, etc. It may also be a teleworker: someone who works mainly from their home office and uses either a laptop or sometimes even a personal PC. In today’s business environment, a mobile worker can be defined simply as any user that has been issued a mobile computing device, such as a laptop.

With the growth in mobile laptop usage comes a new set of complexities for enterprises trying to make it simple and seamless for their end-users to connect, while at the same time protecting their network, their assets and the reputation of their business.

In November 2005, a Boeing Co. laptop with personal information on 160,000 current and former employees was stolen and never recovered.


THE CHANGING THREAT LANDSCAPE

When it comes to protecting data and devices, many IT professionals say that it has become too difficult to keep up. In other words, staying ahead of the security curve is overwhelming, and many feel like they are not leading, but rather responding or reacting. Conversely, there are others that feel like they have it all covered. Their end-users aren’t complaining, their executives are happy, they haven’t experienced any security breaches, and costs are under control. In our first video analysis, “Real World Security Threats: The Anatomy of a Hack” (12/2005), Dan Hoffman (Systems Engineer) walked through three primary network-based threats:

1. Credentials and data sniffing
2. Malware including viruses, worms, trojans, spyware and adware
3. Direct attacks on a computer system or network as a result of deliberate action

The guide provided a thorough description of each type of threat, and best practices for how to protect your enterprise against that specific form of attack.

“The major Internet threat that is on the rise is the financially motivated, targeted internal attacks.” [2]
—John Pescatore, Gartner Research

Gone are the days of random experimentation and information vandalism for the pure enjoyment of publicity and notoriety. Today’s hackers are more motivated by quick financial gain, targeting specific industries or companies and going after their valued data and information. They are executing more cleverly than ever before to avoid detection. Therefore, enterprises need more sophisticated security processes, architectures and strategies to deal with these attacks today, and in the future.

A recent Gartner study shows that viruses and worms still top the list of threats that keep IT organizations up at night, with spyware and phishing in a close tie for second. [3] Although most enterprises are aware of these sophisticated Web-based attacks, the threat is as daunting as ever.

More than 59 million cyberassaults originate in North America alone in an average 24-hour period. [4]
—Consumer Reports, July 2006

The Disconnected Threat

In a 2005 FBI Computer Crime Survey, US companies alone lost an estimated $67 billion due to computer crimes (e.g., viruses, spyware, PC theft and other computer crimes). This is despite the fact that virtually all of the organizations surveyed used anti-virus software (98.2%) and personal firewalls (90.7%). These losses are due to the fact that traditional Internet security solutions are not enough to handle sophisticated web-based threats. Malicious code can easily traverse open ports, disable a personal firewall and infect a network long before a signature-based anti-virus fix is available or a software patch can be deployed.

One of the greatest challenges that IT faces is the multitude of possible entry points for viruses, worms and other malware to enter the network, whether their mobile users are connected to the network or not. USB storage devices and iPods®, laptop usage outside the perimeter, non-network based wireless communication (e.g., Bluetooth) or careless acceptance of an End User License Agreement can all expose the corporate network to malicious code and jeopardize the safeguarding of corporate data.

And who can miss the headlines about the risks associated with the physical theft or loss of laptops? If a laptop is stolen or lost, corporate information and personal information can be compromised at potentially catastrophic levels, permanently damaging a business reputation and leaving behind gross financial repercussions.

LAPTOP THEFT STATS

• 97% of stolen computers are never recovered. (FBI)
• Veterans Administration: A laptop was stolen in May 2006, with Social Security numbers and personal information for 26.5 million veterans. The VA offered free credit monitoring services to those affected. (The laptop was recovered in June, with no evidence that the information had been copied.)
• Ameriprise Financial: In January 2005, Ameriprise Financial Inc. of Minneapolis had to notify 226,000 people that their names and other personal data were stolen from a laptop left in an employee’s car.
• Boeing Co: In November 2005, a Boeing Co. laptop with personal information on 160,000 current and former employees was stolen and never recovered.

For more information on data breaches like these and others, go to www.privacyrights.org.

Bottom line: Network-based security applications can’t protect mobile devices from all threats. A proactive and pervasive security strategy is required to protect valuable corporate assets against modern-day attacks.

HACKING THE MOBILE WORKFORCE

In Fiberlink’s latest video analysis, expert ethical hacker Daniel V. Hoffman, CISSP, CWNA, CEH demonstrates a series of four modern-day attacks:

Hack 1: Access Point (AP) Phishing, the “Evil Twin”
Hack 2: Vulnerable, Simply Surfing the Net
Hack 3: Unaware of Vulnerabilities at 30,000 Feet
Hack 4: Modifying Malware to Invisibly Bypass Anti-Virus Programs

Each demonstration takes the viewer through a series of steps that many hackers would follow to exploit mobile and remote systems that lack the appropriate security protection, and provides best practices on how to safeguard your network.

Hack #1 – AP Phishing, the “Evil Twin”

With the increase in mobile computing, more and more workers are taking advantage of public Wi-Fi hotspots to work anytime, anywhere they choose, to stay productive. Sometimes these locations require the user to pay for Internet connectivity; others offer it for free. Enterprises can no longer ignore end-users who “bring their own” Wi-Fi connectivity; they need to take the steps necessary to proactively protect the laptops (endpoints) that are being used to connect back to the corporate network for sensitive data and resources.

In this hacking demonstration, better known as the “Evil Twin,” a hacker creates a fake public Wi-Fi hotspot by utilizing a readily available Access Point emulation program. The rogue access point advertises the same network name (SSID) as the legitimate hotspot, so the victim’s laptop cannot tell the two apart. An unsuspecting end-user is then tricked into entering their username and password into a fake Wi-Fi hotspot login page, where those credentials are stolen.

Consider the following preventative measures:

• Deploy an intelligent, software-based client on all laptops that has the ability to validate the authenticity of a public Wi-Fi hotspot network.
• Set policies that require an end-user to enter Wi-Fi authentication credentials into an intelligent software-based client that encrypts both the user name and password, versus allowing the user to enter their credentials into whatever HTML page happens to be presented to them when they connect.

Hack #2 – Vulnerable, Simply Surfing the Net

It is virtually impossible for enterprises to keep up with the ever-changing threat landscape. Most enterprises are aware of the plethora of security patches, anti-virus and anti-spyware updates that are made available on a daily basis. However, the problem is that the highly reactive and “inside the LAN” defenses that are employed by most enterprises lack the systems necessary to ensure that mobile devices receive these updates in a timely manner. In addition, enterprises often lack the controls to prohibit a user from surfing the Internet if their security posture is deficient.

Hackers are highly aware of the gaps in updating mobile workers in a timely and persistent manner, and they take advantage by attacking mobile systems that do not receive Internet Explorer security patches quickly enough: a single visit to a malicious or compromised web page is enough to exploit the unpatched browser. As a result, the mobile system is completely compromised.

Consider the following preventative measures:

• Have policy enforcement logic reside on the endpoint that prohibits a mobile user from surfing the Internet if they are missing a security patch.
• Remediate security deficiencies persistently and in real-time by pushing security patches to the endpoint anytime it is connected to the Internet. Employing a system that supports seamless, real-time remediation of vulnerabilities prior to VPN connectivity greatly reduces the chance that an unpatched endpoint exposes your network, while keeping your end-user productive.
• Layer security by utilizing an enterprise-grade personal firewall with IPS (Intrusion Prevention) functionality that could stop a potential exploit from running on a mobile system, even if it was not patched.

Hack #3 – Unaware of Vulnerabilities at 30,000 Feet

Airplane travel allows mobile workers to remain productive, even when they are not able to communicate with their co-workers and customers on the ground. Today, most domestic flights don’t provide Internet connectivity, leaving most IT managers feeling fairly confident that mobile workers are safe when working in the air.

Unbeknown to most, however, workers utilizing a Windows operating system can find themselves at significant risk, because Windows does a poor job of controlling what the wireless adapter connects to when no real network is present. For this hack demonstration, HotSpotter passively monitors the probe request frames that Windows XP automatically sends anytime the machine is powered on. Each probe request names a network from the preferred-network list kept by Windows XP Wireless Zero Configuration, so the attacker learns which SSIDs the laptop is looking for. HotSpotter then advertises one of those SSIDs itself, the laptop associates to it automatically, and the attacker has established network connectivity to the mobile user’s machine in an environment where no previous Internet-based network exists. At this point, the mobile device can be completely compromised by the hacker: it is now on a network with the attacker, exposing whatever services and unpatched vulnerabilities it has.

“During recent years, the volume of people working outside the settings of central offices has risen steadily.”
—John Girard, Managing the Mobile & Remote Wireless Workforce
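Hack #1 and Hack #3 both come down to what a laptop’s wireless interface will believe: an evil twin reuses the name of a hotspot the user trusts, and HotSpotter reuses the names the laptop itself broadcasts in probe requests. The Python below is an added example, not code from the Fiberlink guide or from HotSpotter. It constructs a handful of 802.11 management frames (the MAC addresses, SSIDs and the known-hotspot list are all invented for the demonstration), parses them the way a monitor-mode capture would be parsed, flags beacons that reuse a known SSID from an unknown BSSID or without encryption, and lists which SSIDs each probing client gives away, which is both the input a probe-response attack works from and the thing an endpoint audit should check for.

```python
"""Evil-twin beacons and probe-request leakage, parsed from raw 802.11 frames.

Added example, not from the Fiberlink guide or HotSpotter. Every frame,
MAC address, SSID and 'known hotspot' entry below is constructed for the
demonstration; a real monitor-mode capture would supply the raw frames.
"""
import struct
from collections import defaultdict

BEACON = 0x80             # frame-control byte 0: type=management, subtype=8
PROBE_REQ = 0x40          # type=management, subtype=4
CAP_PRIVACY = 0x0010      # capability bit 4: WEP/WPA encryption in use
IE_SSID, IE_RSN = 0, 48   # information-element tags: SSID, RSN (WPA2)
MGMT_HDR = "<BBH6s6s6sH"  # fc0, fc1, duration, addr1, addr2, addr3, seq-ctrl (24 bytes)


def build_frame(subtype, src, bssid, ssid, privacy=False, rsn=False):
    """Assemble a minimal management frame; used only to construct test input."""
    frame = struct.pack(MGMT_HDR, subtype, 0, 0, b"\xff" * 6, src, bssid, 0)
    if subtype == BEACON:  # fixed fields: timestamp, beacon interval, capability
        frame += struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    frame += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    if rsn:                # RSN IE carrying just the version field
        frame += bytes([IE_RSN, 2]) + b"\x01\x00"
    return frame


def parse_frame(raw):
    """Decode the header, beacon fixed fields and tagged information elements."""
    fc0, _fc1, _dur, _dst, src, bssid, _seq = struct.unpack(MGMT_HDR, raw[:24])
    subtype, pos, cap = fc0 & 0xFC, 24, 0
    if subtype == BEACON:
        _ts, _interval, cap = struct.unpack("<QHH", raw[24:36])
        pos = 36
    ies = {}
    while pos + 2 <= len(raw):  # each IE is tag(1) length(1) value(length)
        tag, length = raw[pos], raw[pos + 1]
        ies[tag] = raw[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"subtype": subtype, "src": src.hex(":"), "bssid": bssid.hex(":"),
            "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
            "encrypted": bool(cap & CAP_PRIVACY) or IE_RSN in ies}


def find_evil_twins(frames, known_aps):
    """Flag beacons that reuse a known SSID from an unknown BSSID or drop encryption.

    known_aps maps SSID -> {"bssids": {...}, "encrypted": bool}: the hotspots
    the client (or the enterprise) has validated before.
    """
    findings = []
    for f in map(parse_frame, frames):
        if f["subtype"] != BEACON or f["ssid"] not in known_aps:
            continue
        known = known_aps[f["ssid"]]
        if f["bssid"] not in known["bssids"]:
            findings.append((f["ssid"], f["bssid"], "unknown BSSID for a known SSID"))
        if known["encrypted"] and not f["encrypted"]:
            findings.append((f["ssid"], f["bssid"], "open clone of an encrypted network"))
    return findings


def leaked_preferred_networks(frames):
    """Map each probing client to the SSIDs it asks for by name.

    This is what a probe-response attack sees: a named SSID is a network the
    laptop will join as soon as someone advertises it. Broadcast probes
    (empty SSID) reveal nothing and are ignored.
    """
    leaks = defaultdict(set)
    for f in map(parse_frame, frames):
        if f["subtype"] == PROBE_REQ and f["ssid"]:
            leaks[f["src"]].add(f["ssid"])
    return {client: sorted(ssids) for client, ssids in leaks.items()}


# Constructed capture: one real hotspot, one evil twin, two probing laptops.
REAL_AP, ROGUE_AP = bytes.fromhex("001122334455"), bytes.fromhex("deadbeef0001")
LAPTOP_A, LAPTOP_B = bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02")
BROADCAST = b"\xff" * 6
CAPTURE = [
    build_frame(BEACON, REAL_AP, REAL_AP, "CoffeeShop-WiFi", privacy=True, rsn=True),
    build_frame(BEACON, ROGUE_AP, ROGUE_AP, "CoffeeShop-WiFi"),   # open clone
    build_frame(PROBE_REQ, LAPTOP_A, BROADCAST, "CorpNet-Office"),
    build_frame(PROBE_REQ, LAPTOP_A, BROADCAST, "HomeRouter-2G"),
    build_frame(PROBE_REQ, LAPTOP_B, BROADCAST, ""),              # broadcast probe
]
KNOWN_APS = {"CoffeeShop-WiFi": {"bssids": {REAL_AP.hex(":")}, "encrypted": True}}

if __name__ == "__main__":
    for ssid, bssid, why in find_evil_twins(CAPTURE, KNOWN_APS):
        print(f"ALERT {ssid} from {bssid}: {why}")
    for client, ssids in leaked_preferred_networks(CAPTURE).items():
        print(f"{client} probes for {', '.join(ssids)}")
```

A client-side validator of the kind the first preventative measure calls for needs its known-BSSID list from somewhere trustworthy; a list the laptop learned at the same coffee shop last week is only as good as that first visit. The probe-request leak is what the Hack #3 measure of connecting only when the user initiates it removes: a laptop that does not auto-join has no reason to announce its preferred networks.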

Consider the following preventative measures:

• Control network access by preventing mobile devices from connecting to Wi-Fi networks unless specifically initiated by the end-user.
• Layer security by utilizing an enterprise-grade personal firewall with an intrusion prevention system (IPS) on every mobile device. This makes it far harder for a hacker who has reached the machine over a rogue network to exploit it.
• Remediate security deficiencies in real-time by pushing patches to a mobile endpoint anytime it is connected to the Internet. Following this practice will ensure that mobile systems always have the latest protection and are less susceptible to exploitation.

Hack #4 – Modifying Malware to Invisibly Bypass Anti-Virus Programs

Virtually all enterprises have anti-virus software installed on their mobile systems. Most enterprises, however, do not have the systems in place to ensure that the anti-virus program is always running and up-to-date prior to allowing an endpoint access to the corporate network. Regardless, this hack will demonstrate how malware can be modified to invisibly bypass two different anti-virus programs: signature-based scanners recognize a known sample by specific byte patterns, so a modified copy that no longer contains those bytes goes undetected until a new signature is released. This hack will also demonstrate how important it is to protect all mobile endpoints, even if those endpoints are only connecting to the corporate network via SSL VPN.

Consider the following preventative measures:

• Layer security by utilizing anti-spyware and a personal firewall with IPS functionality. Anti-spyware solutions can catch modifications and installations of malware that anti-virus systems might miss. Personal firewalls with IPS have similar functionality, with the added benefit of prohibiting unwanted connections. Also, the use of two-factor authentication for SSL connectivity is becoming essential. A keylogger that captures every key an end-user enters will not be able to re-use those credentials to log in itself if two-factor authentication, such as RSA tokens, is utilized: the one-time code it captured expires and is not accepted a second time.
• Remediate security deficiencies in real-time by ensuring that anti-virus and anti-spyware applications are always running and have the latest definition files installed prior to VPN connection back to the corporate network.

US companies alone lost an estimated $67 billion due to computer crimes (e.g., viruses, spyware, PC theft and other computer crimes). This is despite the fact that virtually all of the organizations surveyed used anti-virus software (98.2%) and personal firewalls (90.7%).
—FBI Computer Crime Survey, 2005
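The guide does not spell out what “modifying malware” means, so here is the mechanism in miniature. This Python is an added example, not the video’s demonstration, and it represents no real anti-virus product or signature format: a constructed byte string stands in for the malicious file, one invented signature is its hash, and two more are byte patterns with wildcards in the style of a YARA hex string. Changing bytes the hash covers but the pattern does not defeats only the hash; re-encoding the bytes inside the pattern (here, the other machine-code encoding of the same instruction) defeats that pattern too, while a signature on the behaviour-revealing API name still fires.

```python
"""Why a small modification defeats a signature-based anti-virus check.

Added example, not the video's demonstration and not any real product or
signature format. SAMPLE is a constructed byte string standing in for a
malicious executable; the signature names are invented.
"""
import hashlib
import re

SAMPLE = (b"MZ\x90\x00"                         # fake executable header
          + b"\x55\x8b\xec\x83\xec\x10"         # push ebp; mov ebp,esp; sub esp,0x10
          + b"\x00" * 8
          + b"connect http://c2.example.invalid/upload"
          + b"\x00" * 4
          + b"SetWindowsHookEx"                 # the API a keylogger needs
          + b"\x00" * 8)


def hash_signature(data):
    """Whole-file signature: fires on one exact byte-for-byte copy and nothing else."""
    return hashlib.sha256(data).hexdigest()


def pattern_match(data, pattern):
    """Byte-pattern signature with wildcards, in the spirit of a YARA hex string.

    `pattern` is space-separated hex, where '??' matches any single byte.
    """
    regex = b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                     for tok in pattern.split())
    return re.search(regex, data, flags=re.DOTALL) is not None


def scan(data, hash_sigs, pattern_sigs):
    """Return the names of every signature that fires on `data`."""
    digest = hash_signature(data)
    hits = [name for name, h in hash_sigs.items() if h == digest]
    hits += [name for name, pat in pattern_sigs.items() if pattern_match(data, pat)]
    return hits


def modify(data, old, new):
    """Same-length replacement, so every other offset in the file is unchanged."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the file layout intact")
    return data.replace(old, new)


HASH_SIGS = {"Trojan.Constructed.A (hash)": hash_signature(SAMPLE)}
PATTERN_SIGS = {
    # function prologue with the stack size wildcarded, followed by padding
    "Trojan.Constructed.A (pattern)": "55 8b ec 83 ec ?? 00 00",
    # the hook-install API name, which any keylogger built this way must carry
    "Generic.Keylogger (pattern)": " ".join(f"{b:02x}" for b in b"SetWindowsHookEx"),
}


def demo():
    """Scan the original sample and two 'modified' variants with both signature kinds."""
    original = scan(SAMPLE, HASH_SIGS, PATTERN_SIGS)
    # Variant 1: only the command-and-control host changes. The hash changes, the code does not.
    v1 = modify(SAMPLE, b"c2.example.invalid", b"c3.example.invalid")
    # Variant 2: the prologue is re-encoded. 89 e5 is the other encoding of mov ebp,esp,
    # so the behaviour is identical but the pattern's bytes are gone.
    v2 = modify(v1, b"\x55\x8b\xec", b"\x55\x89\xe5")
    return original, scan(v1, HASH_SIGS, PATTERN_SIGS), scan(v2, HASH_SIGS, PATTERN_SIGS)


if __name__ == "__main__":
    for label, hits in zip(("original", "new C2 host", "re-encoded prologue"), demo()):
        print(f"{label:22s} -> {hits or ['clean']}")
```

The third signature survives both modifications only because the sample still has to carry the string that names the behaviour; that is the gap anti-spyware and host IPS are meant to close when the static signatures have nothing left to match, which is why the measures below layer them rather than rely on definitions alone.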

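The two-factor point in the Hack #4 measures is worth seeing mechanically. The Python below is an added example, not a description of RSA SecurID or any vendor token: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps) using the test secret published in that RFC, plus a verifier that remembers the last time step it accepted. It then plays out the keylogger scenario: the captured code works once for the user and is refused when replayed seconds later and again an hour later. The timestamps and the scenario are constructed.

```python
"""Time-based one-time passwords and why a keylogged code cannot be replayed.

Added example, not a description of RSA SecurID: RFC 6238 TOTP (HMAC-SHA1,
30-second steps) with a verifier that remembers the last step it accepted.
The secret is the RFC 6238 test secret; timestamps are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step


def hotp(secret, counter, digits=8):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at, digits=8):
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, int(at) // STEP, digits)


class TotpVerifier:
    """Server-side check that accepts each code at most once.

    `window` allows one step of clock skew either way. `last_step` is the
    highest time step already consumed for this user: any code from that
    step or earlier is refused, which is what defeats a keylogger.
    """

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code, at=None):
        now_step = int(time.time() if at is None else at) // STEP
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= self.last_step:
                continue  # already used, or older than a step already used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step  # consume it
                return True
        return False


def keylogger_replay_demo():
    """The user logs in at t=59; a keylogger captured the code and replays it."""
    secret = b"12345678901234567890"                        # RFC 6238 test secret (SHA-1)
    verifier = TotpVerifier(secret)
    captured = totp(secret, 59)                             # what the keylogger saw
    first = verifier.verify(captured, at=59)                # legitimate login
    replay_now = verifier.verify(captured, at=65)           # same step, seconds later
    replay_later = verifier.verify(captured, at=59 + 3600)  # an hour later
    return captured, first, replay_now, replay_later


if __name__ == "__main__":
    print(keylogger_replay_demo())
```

A keylogger still captures the static part of the login (the PIN or password), so the token only helps if the code is required on every session and the server refuses reuse, as the verifier above does; a server that merely checks “is this a valid code for roughly now” without tracking `last_step` would accept the replayed code for the rest of the 30-second window.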


SECURITY FUNDAMENTALS: RETHINK YOUR SECURITY STRATEGY WITH THE MOBILE WORKER IN MIND

Fundamental Change #1
Require your mobile endpoints to have the same level of security as those devices that are connecting to the network from inside the network perimeter.

The reason for this is simple: at some point that endpoint will connect back to the corporate network. Most IT enterprises spend most of their time making sure security is up to par on the machines that they see every day (those machines inside the perimeter), versus mobile laptops which may leave the perimeter and not come back for months.

Not unlike desktop PCs, laptops need comprehensive mobile inspection systems to determine whether a device seeking a network connection is really an authorized device. They also require tools that monitor a device to see if it has up-to-date firewall, anti-spyware and anti-virus settings, and all current software patches. This level of security should be applied to reduce risk, ensure business continuity and comply with government regulations, irrespective of the actual threats.

Most enterprise IT departments would never dream of tearing down hardware-based firewalls and IPS equipment from their WAN. At the same time, their mobile systems are connected directly to the Internet and public Wi-Fi hotspots, often without up-to-date personal firewalls containing IPS functionality and without the necessary security patches and anti-virus or anti-spyware updates.

97 percent of stolen computers are never recovered.
—Federal Bureau of Investigation

Fundamental Change #2
Security policy enforcement logic needs to reside on the endpoint.

Many companies are looking at solutions like Cisco Network Admission Control (NAC) as the single source to protect their corporate networks against threats. Although a very strong solution for devices that are connecting from inside the corporate perimeter, the good and bad news is that that’s it: NAC was designed to protect only the inside (the LAN users, the corporate network), not the mobile endpoint.

The checking of a laptop’s security posture and subsequent remediation needs to take place on the endpoint, whether the laptop is connected or not. If a mobile system is missing a security patch that makes it vulnerable to an exploit just for simply surfing the Internet, then that endpoint should not be able to browse the Internet until it is remediated with the proper security patch. Waiting until that mobile system connects back to the corporate LAN to receive that patch is simply too late; by that time, your network may have already been exposed.

Fundamental Change #3
Fixing security deficiencies needs to occur automatically and persistently, in real-time.

Most of the time, mobile systems need to connect to the corporate network to receive security patches, anti-virus updates, personal firewall updates, etc. This policy can leave the mobile system vulnerable to exploits the majority of the time they are physically away from the office. All anti-virus updates and security patches must be pushed down to the endpoint anytime it is connected to the Internet, as soon as they are tested and authorized by the enterprise, and without end-user interaction or approval. In addition, any security application that becomes disabled by malware or an end-user must be automatically restarted to provide the necessary level of protection.
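Fundamental Changes #2 and #3, together with the first preventative measure under Hack #2, describe one control loop: evaluate the laptop’s posture on the laptop, block what the deficiency makes dangerous (browsing when a patch is missing or a security service is stopped, the VPN when definitions are merely stale), fix it over whatever link is available, and re-check. The Python below is an added example of that loop, not Extend360 or any product’s logic; the policy values, patch names, service names and the “remediation” actions are invented placeholders standing in for a patch installer, a definition update and a service restart.

```python
"""Endpoint-resident policy enforcement with automatic remediation.

Added example, not Extend360 or any other product. The policy values,
patch names, service names and remediation actions are placeholders; the
decision logic is the point: the check runs on the laptop, gates Internet
and VPN use separately, and loops until the endpoint is compliant.
"""
from dataclasses import dataclass, field

ALLOW, INTERNET_BLOCKED, VPN_BLOCKED = "allow", "internet-blocked", "vpn-blocked"


@dataclass
class Policy:
    required_patches: set          # browsing is blocked while any of these is missing
    max_definition_age_days: int   # stale AV/anti-spyware definitions block the VPN only
    required_services: set         # firewall, AV, anti-spyware must be running


@dataclass
class Endpoint:
    installed_patches: set
    definition_age_days: int
    running_services: set
    history: list = field(default_factory=list)  # remediation log


def evaluate(ep, policy):
    """Return (decision, reasons). The worst deficiency decides."""
    reasons = []
    missing = policy.required_patches - ep.installed_patches
    stopped = policy.required_services - ep.running_services
    if missing:
        reasons.append(f"missing patches {sorted(missing)}")
    if stopped:
        reasons.append(f"security services not running {sorted(stopped)}")
    if ep.definition_age_days > policy.max_definition_age_days:
        reasons.append(f"definitions {ep.definition_age_days} days old")
    if missing or stopped:
        return INTERNET_BLOCKED, reasons  # exploitable just by surfing: no browsing at all
    if reasons:
        return VPN_BLOCKED, reasons       # may browse (to fetch updates) but not reach the LAN
    return ALLOW, reasons


def remediate(ep, policy, max_rounds=5):
    """Fix whatever evaluate() complained about, re-check, repeat until compliant.

    Each action stands in for a real patch installer, definition update or
    service restart (assumed, not product behaviour). A bounded loop keeps a
    failing action from spinning forever; the caller sees the final decision.
    """
    for _ in range(max_rounds):
        if evaluate(ep, policy)[0] == ALLOW:
            return ALLOW
        for svc in policy.required_services - ep.running_services:
            ep.running_services.add(svc)        # restart a disabled security app
            ep.history.append(f"restarted {svc}")
        for patch in policy.required_patches - ep.installed_patches:
            ep.installed_patches.add(patch)     # push the patch over the current link
            ep.history.append(f"installed {patch}")
        if ep.definition_age_days > policy.max_definition_age_days:
            ep.definition_age_days = 0
            ep.history.append("updated definitions")
    return evaluate(ep, policy)[0]


CORP_POLICY = Policy(required_patches={"browser-fix-2006-08", "os-fix-2006-07"},
                     max_definition_age_days=3,
                     required_services={"firewall", "antivirus", "antispyware"})


def demo():
    """A laptop back from a month on the road, with the firewall switched off."""
    laptop = Endpoint(installed_patches={"browser-fix-2006-08"}, definition_age_days=31,
                      running_services={"antivirus", "antispyware"})
    before = evaluate(laptop, CORP_POLICY)
    after = remediate(laptop, CORP_POLICY)
    return before, after, laptop.history


if __name__ == "__main__":
    before, after, log = demo()
    print("before:", before)
    print("actions:", log)
    print("after:", after)
```

The separation of `INTERNET_BLOCKED` from `VPN_BLOCKED` is deliberate: an endpoint that cannot reach the Internet at all also cannot fetch the patch it is missing, so the enforcement agent itself must be exempt from the block, and definitions that are a few days old are a reason to keep the laptop off the LAN, not off the update server.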

Fundamental Change #4
Layered Security is Essential.

No single countermeasure can protect a network from all threats. Deploying multiple, integrated security measures throughout the enterprise is your best bet to protect your systems. And don’t be fooled by claims made by SSL service providers who tout that browser-based VPN access back to the corporate network provides all the security IT needs to protect your network. VPNs (SSL or IPsec) alone, while important, certainly do not provide the security necessary to protect a mobile device: a VPN encrypts the tunnel, but says nothing about the health of the endpoint at either end of it. Anti-spyware, a personal firewall with IPS, proper endpoint configuration and robust patching and quarantining systems should all be required, and current, on an endpoint.

Fundamental Change #5
Controlling Access is Crucial to Security.

Controlling access falls into three essential categories:

• Ensuring that the access being provided is valid (i.e., not an Evil Twin or AP Phishing hotspot).
• Ensuring that connectivity to Wi-Fi hotspots occurs only when desired and initiated by an end-user.
• Ensuring that Internet and VPN connectivity only occur when a mobile or remote system meets the minimum security requirements to establish this connectivity.

FIBERLINK: SIMPLE. SECURE. MOBILITY.

Fiberlink delivers the software and services that make mobile working simpler and more secure for today’s global enterprises. Since 1994, Fiberlink has earned a reputation for being the trusted mobility expert for demanding customers like GE, Bloomberg, and Continental Airlines, as well as over 675 other mid to large-sized companies.

Fiberlink has a legacy of offering solutions that complement the access component of mobile connectivity. Though access remains an important service, Fiberlink solves the challenges of securely managing mobile and remote workers for IT, while simplifying the end user connectivity experience.

Fiberlink developed Extend360™ mobile access software and its Dynamic Network Architecture Platform™ (DNA) to extend security, command and control over mobile devices. This established a foundation for offering broader solutions that deliver both access and endpoint security and allowed Fiberlink to differentiate itself from competitors.

With the demand for dial services declining and trends towards “free” access, Fiberlink has focused development on enabling and securing all forms of access and offering value-added services. Fiberlink created the first solution that allows end users to “bring their own access” but remain protected and connected to the enterprise.

Customers are asking for IT solutions that provide the ability to control who and how mobile users get connected, along with better business intelligence, through a control center portal. Fiberlink services are focused on providing the avoidance of reputation risk, asset risk, and network risk, using the command and control features of the DNA Platform technology.

In addition, endpoint vulnerabilities are on the rise. Fiberlink has created the ability to isolate and remediate identified vulnerabilities before the user “touches” and potentially exposes the LAN. With each new innovative service offered, Fiberlink creates competitive advantages over access providers, security point solutions and direct competitors.

To view the live demonstration, Hacking the Mobile Workforce, use the link below:

DEMONSTRATION

Fiberlink has been recognized by Gartner as a leader in their 2006 Magic Quadrant for U.S. Managed Remote Access and Mobility Services for the 5th consecutive year. Click here to view the report.

SOURCES:

1) “Managing the Mobile and Wireless Workforce,” John Girard, 28 April 2004
2) “Augment Security Processes to Deal with the Changing Internet Threat,” John Pescatore, 2 March 2006
3) Excerpt from Gartner RAS Core Research Note G00129419, “User Survey: Security Summit Reveals Spending Patterns Worldwide, 2005,” Vic Wheatman
4) ConsumerReports.org, State of the Net 2006, July 2006
