Promiscuity And Wireless LANs
VB writes: "I saw this article at ZDNet "cleverly" entitled Hackers poised to land at wireless AirPort. We've probably all seen this coming, but, I'd be curious to see what people think about the possibility of securing a network that sends data through the air. What about promiscuous mode devices within range of transmitters, or satellite communications?"
Security on wireless LANs (Score:2)
Anyone who allows broadcast ESS ID's or unknown MAC addresses into their network is just asking for trouble. That is like allowing an intruder to patch straight into your hub!
Follow the instructions and you make the hackers task harder - never impossible - but make it too annoying or too time-consuming and they will go on to easier targets.
Frog51
Left the crypto people out (Score:1)
As an aside, taking a cab through New York with an iPaq and a Wavelan card, it's pretty amazing how many 802.11 LANs you'll pick up (I counted 6 in 40 blocks). I assume I was only getting the unencrypted ones, but if it is really easy to crack the WEP protected ones, this standard is probably going to disappear fast from business use. Or something.
Re:OSU solved this (Score:1)
In most places, wiring closets are HORRIDLY laid out. An extra device can easily be hidden, especially if all the device is doing is sniffing.
Re:Excessive paranoia (Score:2)
Re:M3 31337 h4x0r! (Score:2)
Rader
Re:Wildly Popular ? (Score:1)
Re:Apple's AirPort traffic is encrypted (Score:2)
Re:Wireless Worthlessness (Score:2)
Rader
Always assume your packets are being sniffed (Score:1)
So what's new here? You should always assume your packets are being sniffed, regardless if you're behind a firewall or not. Use ssh, ssl, or ipsec for everything. You'd be a fool not to. The extra layer of encryption provided by WEP is a nice frosting, but it ain't the cake.
Re:Wireless Worthlessness (Score:2)
Actually, if this is a public school, that's already public information anyway.
Re:Apple's AirPort traffic is encrypted (Score:1)
Excessive paranoia (Score:2)
Also, if your name is Joe Schmoe, I suspect the physical security of your person, your home, your car, and other personal property is of greater concern, yet I doubt you expend the same amount of paranoic energy at them.
Re:If you pay attention... (Score:1)
USB became a hit as soon as the iMac shipped, with only USB as its connections. With encouragement to developers, USB became extremely popular because people could produce cross-platform peripherals.
Apple has invested heavily in Firewire, making sure more peripherals like hard drives worked with it.
Re:Or encryption? (Score:2)
Number one is correct. This is the hardest part of getting WEP to work, and also the biggest vulnerability (social engineering of the WEP keys)
On two, you should read the referenced article. All of the weaknesses they discovered are independent of the size of the encryption key. They are just as valid for 1024 bit keys as 8 bit keys. The main problems are the too small (24-bit) IV which results in a high rate of reuse of keying material, and the poor choice of a checksum method which allows an eavesdropper to change arbitrary bits in a packet and update the CRC without knowing the WEP key. Had the vendors doing 128-bit WEP gone to a 64/64 split between key and IV it would have been a big improvement. Instead, they split it 104/24 providing no increase in security over the 40/24 split for many attacks.
I'm not sure what you are talking about in three. 802.11 specifies two authentication algorithms. One is a crude "open" method which allows any client to "authenticate". The other is "shared key" which is based on a simple challenge-response using WEP key #1. At no point is DNS involved. In fact, 802.11b has no dependence on any portion of the TCP/IP protocols. It may be that your vendor has included their own authentication on top of 802.11, but if so it has nothing to do with WEP.
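A worked demonstration of the checksum weakness the post above describes, added here as an example; it is not code from any poster, from the cited paper, or from the WEP specification. It models WEP's encapsulation as plaintext followed by its CRC-32, XORed with a keystream (a random byte string standing in for RC4 output; the cipher does not matter for the property shown), checks that CRC-32 is affine (crc(a^b) = crc(a)^crc(b)^crc(zeros) for equal lengths), shows that an XOR difference applied to the ciphertext can carry a matching CRC correction, and contrasts that with a keyed MAC (HMAC-SHA-256), which rejects the same modification. All function and variable names are my own.

```python
import hashlib
import hmac
import os
import zlib

# Names below are my own; this is a model of WEP's encapsulation, not a WEP implementation.

def crc32_le(data: bytes) -> bytes:
    """CRC-32 as the 4-byte value WEP appends to each frame as its 'integrity check'."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). This is the linearity
    the post refers to: a CRC difference follows from the plaintext difference alone."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return (lhs & 0xFFFFFFFF) == (rhs & 0xFFFFFFFF)

def wep_style_seal(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP model: (plaintext || CRC-32(plaintext)) XOR keystream."""
    body = plaintext + crc32_le(plaintext)
    return xor_bytes(body, keystream[:len(body)])

def wep_style_open(ciphertext: bytes, keystream: bytes):
    """Returns (plaintext, accepted). 'Accepted' means only that the CRC matched."""
    body = xor_bytes(ciphertext, keystream[:len(ciphertext)])
    plaintext, crc = body[:-4], body[-4:]
    return plaintext, crc == crc32_le(plaintext)

def modify_without_key(ciphertext: bytes, delta: bytes) -> bytes:
    """Apply the XOR difference `delta` to the encrypted payload and patch the encrypted CRC so
    the frame still verifies. Needs neither key nor keystream, only CRC-32's affinity.
    Setting bytes to chosen values (rather than merely flipping them) requires knowing what they were."""
    if len(delta) != len(ciphertext) - 4:
        raise ValueError("delta must cover the payload exactly")
    crc_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
    return xor_bytes(ciphertext, delta + crc_delta.to_bytes(4, "little"))

def mac_style_seal(plaintext: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    """Same stream cipher, but with a keyed MAC (HMAC-SHA-256) in place of the CRC."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    return xor_bytes(body, keystream[:len(body)])

def mac_style_open(ciphertext: bytes, keystream: bytes, mac_key: bytes):
    body = xor_bytes(ciphertext, keystream[:len(ciphertext)])
    plaintext, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return plaintext, hmac.compare_digest(tag, expected)

def demo(original: bytes = b"amount=0010;to=bob", wanted: bytes = b"amount=9910;to=bob") -> dict:
    """Constructed frames. The keystream stands in for RC4(IV || key); lengths must match."""
    if len(original) != len(wanted):
        raise ValueError("original and wanted must have the same length")
    keystream = os.urandom(96)
    mac_key = os.urandom(32)
    delta = xor_bytes(original, wanted)          # the difference to be applied to the payload

    forged_wep = modify_without_key(wep_style_seal(original, keystream), delta)
    wep_plaintext, wep_accepted = wep_style_open(forged_wep, keystream)

    sealed_mac = mac_style_seal(original, keystream, mac_key)
    forged_mac = xor_bytes(sealed_mac, delta + bytes(32))   # same flip; the tag cannot be fixed up
    _, mac_accepted = mac_style_open(forged_mac, keystream, mac_key)

    return {"wep_plaintext": wep_plaintext, "wep_accepted": wep_accepted, "mac_accepted": mac_accepted}

if __name__ == "__main__":
    print(demo())
```

The point for a designer is that a checksum meant to catch line noise is the wrong tool for detecting deliberate change under a stream cipher; integrity has to come from a keyed function, and that holds regardless of the key length discussed above.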
Re:Or encryption? (Score:2)
Can you explain this further? I was unaware of any dependency between 802.11b and DNS, and I certainly didn't have to make any DNS changes to get my setup working - including full encryption. Is this an optional part, perhaps related only to the key-distribution you give as concern #1?
Re:What about BlueTooth (Score:2)
Authentication and encryption (Score:1)
Wireless Security (Score:1)
Re:Wireless Worthlessness (Score:1)
Frog51
Frequency hopping, spread spectrum ? (Score:2)
this problem will never go away unless ... (Score:3)
Re:Direct link and my experiences (Score:2)
Re:OSU solved this (Score:1)
Re: (Score:1)
Re:meta-moderation, please let me meta this! (Score:1)
Re:Paranoid theory of the day (Score:1)
Re:Oh, great (Score:3)
Ho hum. Not a single argument that was not completely predictable. Oh well, guess I'll have to restate the obvious for your benefit.
That's a non-trivial effort. Do you think the average script kiddie is going to take their wireless-equipped laptop, with 45GB worth of storage, and go sit within range of the target network for 400 hours, and then apply all the compute power to crack the keys? Dream on. Yes, some people can do this, but those are specialized organizations devoted to this kind of task - not random script kiddies.
Yes, I do, thanks very much for asking. Do you? One of the things about script kiddies that you seem to have missed is that the programs they like to use are relatively easy to write and don't care very much about the exact flavor of the underlying hardware. The "confusing the firmware" exploit we're talking about would have to be repeated for every hardware/firmware combination, and would not be at all easy to write. Half of this hardware doesn't even work on Linux due to lack of driver support. Do you really think more skill and effort will be applied to "confusing the firmware" than has been to unconfusing it and getting it to work? Again, dream on.
Of course, you're right that all it takes is one person to write the program and thousands to use it, but it might still take a while before that one person gets done. With a responsible approach to security, it might have taken them long enough that the vendors would already have plugged the holes by the time the exploit code was ready.
That's your opinion. Please back it up.
Do you really think it's that hard for vendors to incorporate a 4096-bit cryptographically secure certificate into the firmware image, such that the card will refuse to operate if the certificate is invalid? Think again. I've worked on firmware, and this is the easiest thing in the world for them. Lots of cards have to decompress their firmware as part of the bootstrap procedure anyway; once you're decompressing, it's trivial to add validation. There is no need for the "hardcoded drivers" (what an absurd concept) or other strawmen you suggest.
It's an IEEE standard, moron. Do you know what that means? The IEEE goes to extraordinary lengths to solicit and incorporate input from interested parties, many of whom I'm sure are pretty well qualified in their fields. We're not talking about some obscure closed trade group here. IEEE standards are in many ways more open than the not-really-standards of open source. Without IEEE standards we probably wouldn't be talking. How do you think your packets get to slashdot? In large part you owe thanks to IEEE for that.
It's your claim, that the process was somehow not open, that is absurd and that requires proof. Get to it.
You just don't know anything about peer review, do you? How many of these sorts of activities have you participated in? The fact is that when you're dealing with complex new technology people sometimes make mistakes. Sometimes the mistakes are real howlers in retrospect. That's life. How many problems do you suppose these guys anticipated and dealt with that you would have flubbed if you'd been in their place? It's really easy to jeer from the peanut gallery, with full benefit of hindsight, but really people who do that are just being pricks.
No, really, try to give us a responsible rebuttal, instead of trying to substitute sneering for reasoning. Try, anyway. What you dismissed so flippantly is actually a very hot issue among security professionals: who gets to find out first?
Now, I knew when I suggested it that the "tell the vendors" approach wouldn't be very popular here on ScriptKiddieDot, but that doesn't make it a troll (and neither does calling it one). It's worth considering how this audience differs from the Real World. For one, the attitude here is "openness at all costs". There's no room allowed for discretion or careful handling of delicate issues. No, I'm not talking about "security through obscurity" because that never works. What I'm talking about is giving the vendors a reasonable timeframe in which to fix problems before letting every black hat in the world have the info. Let's face it, for every white hat on this site there are probably a hundred black hats, and I doubt that there's a single person involved in this discussion in a position to do good rather than harm with this information. How do you think it benefits anyone but the script kiddies to publicize this problem in this fashion? It doesn't help the problems get fixed any faster, it just maximizes the damage that gets done before the problem is fixed. Screw your "information wants to be free" dogma, and think about social implications for once.
In case you missed it the first time, and the second time, let me repeat a third time: I agree that there's cause for concern in this. Nobody's disputing that. What pisses me off is that people are trying to enhance their own images by panicmongering. The actual security threat here has not been shown to be effectively distinguishable from zero, and yet these people are acting like any semi-literate cracker might already have everyone's credit card numbers. Believe me, we're all threatened much more by existing security problems in the wired network than by any implications of these findings. If there's one thing that's obvious from all this, it's that the biggest security problem is people not even using the security facilities available to them.
Re:Wireless Worthlessness (Score:2)
I remember very little else except that certain US students had to battle to keep the Mac lab open after school. That's quite a cooked agreement you have to sign to use their laptops, though. If you're ever downtown St. Paul and need wireless access, my network's available. Keep up the good fight.
Re:URL for referenced paper (Score:2)
Hmm (Score:3)
Are you sure this is suitable for a family website?
Re:Wireless lans a hacking tool. 802.11 planted on (Score:1)
You can solve that problem by physically and configuration-wise securing your switches (you do use switches, right?
On the other hand, it's been said too many times to count that if you don't have physical security, you don't have any!
Robert
Re:Wildly Popular ? (Score:1)
I've been meaning to get our local CCS dept to wire up the local cafe, as a promotional stunt to attract good students, but of course, I haven't bothered actually telling anyone about my plans -- I'm still at the thinking loudly stage.
Looks like apple should take note (Score:1)
Re:Wireless lans a hacking tool. 802.11 planted on (Score:2)
Nokia's WLAN security (Score:1)
What was really interesting, was the fact that Nokia put a smart card slot on the WLAN card. As far as I know, no other vendor has done so.
^Air^Head^
Re:Wireless lans a hacking tool. 802.11 planted on (Score:2)
Yes, you can. Trivially. Often you don't even need special tools, it's right there in the driver config.
Other people have suggested approaches for preventing this problem, most of a preventive nature. If you want more of a "honeypot" kind of solution that lets you catch a spy, here's an idea. Leave the device in place. Filter out all actual IP traffic going through it, and set up alarms to go off when someone makes a link-level connection. With the right equipment you can pinpoint their exact location when the alarm goes off, but even if you don't do that at least you get a chance to look around for people who seem to be in places they shouldn't.
It's not totally foolproof. In particular, it's possible to do truly passive listening that wouldn't get detected, but if you're dealing with someone that sophisticated I doubt you're looking for tips on Slashdot. ;-) Most off-the-shelf access points won't send out any signal at all when they have zero link-level connections, so that's the dead giveaway.
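One way to implement the alarm the post above describes, added here as an example; it is not code from the poster. It scans access-point event log lines and raises an alert for every link-level association on a designated honeypot interface, marking a known test card as informational and anything else as high severity. The log lines, interface names and MAC addresses are constructed samples in an assumed format (timestamp, interface, "STA <mac> associated"); a real access point's syslog output needs its own regular expression.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample lines in an assumed access-point event-log format (not real captures).
SAMPLE_LOG = """\
2001-02-05 09:12:01 hp-ap0: beacon interval 100 ms, 0 stations associated
2001-02-05 09:13:44 hp-ap0: STA 00:02:2d:aa:bb:cc associated (aid 1)
2001-02-05 09:13:45 hp-ap0: STA 00:02:2d:aa:bb:cc authenticated (shared key)
2001-02-05 09:20:10 hp-ap0: STA 00:02:2d:aa:bb:cc disassociated
2001-02-05 10:02:33 office-ap1: STA 00:60:1d:44:55:66 associated (aid 7)
2001-02-05 10:02:33 hp-ap0: STA 00:60:1d:11:22:33 associated (aid 1)
"""

# Constructed: the one card the security team uses to check that the alarm still fires.
KNOWN_TEST_MACS: Set[str] = {"00:02:2d:aa:bb:cc"}

STA_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<iface>[\w-]+): "
    r"STA (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) "
    r"(?P<event>associated|authenticated|disassociated)"
)

@dataclass
class Alert:
    ts: str
    iface: str
    mac: str
    severity: str   # "info" for a known test card, "high" for anything else

def scan_events(log_lines: Iterable[str], honeypot_ifaces: Set[str], known_macs: Set[str]) -> List[Alert]:
    """Every association on a honeypot interface is an alert: nothing legitimate should ever join
    a device whose IP traffic is filtered out. Authentication and disassociation lines are ignored
    so that one visit produces one alert."""
    alerts: List[Alert] = []
    for line in log_lines:
        m = STA_EVENT.match(line)
        if not m or m["iface"] not in honeypot_ifaces or m["event"] != "associated":
            continue
        mac = m["mac"].lower()
        severity = "info" if mac in known_macs else "high"
        alerts.append(Alert(m["ts"], m["iface"], mac, severity))
    return alerts

def run_sample() -> List[Alert]:
    """Runs the scanner over the constructed log with hp-ap0 as the honeypot interface."""
    return scan_events(SAMPLE_LOG.splitlines(), {"hp-ap0"}, KNOWN_TEST_MACS)

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} [{a.severity}] {a.mac} associated with honeypot {a.iface}")
```

In practice the scanner would tail the AP's log or syslog feed rather than a string, and the "high" alerts would be the trigger for the physical look-around the post suggests.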
Re:Promiscuous (Score:1)
IPSec (Score:3)
Re:IPSec (Score:3)
No it is not. The dynamic key infrastructure and the stack itself are not 100% stable yet. The reason is that due to various vendor intrigues the highly efficient mechanism for dynamic key management initially implemented in early 2.x OpenBSDs (firefly) was replaced by the current one. The PKI for the current one is horrible and no one besides OpenBSD and a handful of commercial products implements the entire thing. For example Linux does not.
Of course, for a house network you can use static keys. But if you are down to static keys something more simple like cipe or windows PPTP services will do the job anyway. Also in the former (cipe) case you can use blowfish which means much lower overhead.
Re:Convenience of wireless LANs (Score:1)
It will faithfully do 802.11b wireless and works great around the house, also works great for taking with me to class for taking notes. And with the touch screen and included software, you can even do diagrams!
If you want more info about it, take off the fuzzy rabbit slippers and e-mail me.
--Josh
In the words of Homer Simpson... "Mmmmm... beer."
encryption (Score:1)
Re:Wireless Worthlessness (Score:3)
Why not just send the message anonymously via the administrations' own mail accounts? That would get their attention.
Re:Frequency hopping, spread spectrum ? (Score:2)
802.11 already uses spread-spectrum technology. I believe that for 2Mbps 802.11 it's "frequency hopping" SS, and for 11Mbps 802.11b it's "direct sequence" SS. No, I don't really know the difference. What's important is that these attacks are apparently possible despite the use of spread-spectrum technology.
Re:Oh, great (Score:1)
Lack of security? Big Deal (Score:1)
Sometimes, for convenience, I'm willing to sacrifice a little bit of privacy (letting everyone see my
As an aside, I assume that stuff like SSL will still work on this wireless network, so if the packet is sniffed they'll get garbage... Anyone know different?
Brant
For more info than you ever want to know... (Score:3)
These guys eat and breathe this stuff 24/7... they have to. And they love to share knowledge.
-Chris
...More Powerful than Otto Preminger...
Re:Security of Wireless vs. Wired (Score:5)
Don't get me wrong - I love 802.11b and use it all the time. But I use WEP and my access points are on an isolated LAN tied to an IPSec box which allows me to get to my internal firewalled LAN. Sure, throughput is an issue, but in those cases, I get my ass off the couch and sit at my desktop! :)
I did read the article (Score:1)
Re:OSU solved this (Score:1)
Re:Solutions (Score:1)
How do you s*** through the suit while you're on the pot? Oh, I guess that explains the total geekness....
Re:WARNING! THIS IS A FLEMISH TROLL (Score:1)
I betcha you never watched Southpark. Otherwise you wouldn't have considered Canada. They make perfectly good trashcans there!
Source of the Stockholm rumor (Score:2)
I first heard about the Stockholm situation (which I'm certain is no different from that of NYC, London, Paris (if you read French :-), &c.) from this copy [counterpane.com] of Bruce Schneier's Crypto-gram newsletter [counterpane.com]. It's near the bottom---search for ``anecdote''.
Makes me wish I had a WaveLAN...
Re:WaveLAN Security (Score:2)
More Popular Than You'd Think (Score:4)
The coolest part is, each time I was on someone's LAN, on the fun side of their firewall. Joy.
Re:Wildly Popular ? (Score:2)
802.11 is more popular (by numbers anyway) in the UK at the moment, as it has some nice peculiarities which allow very dense Access Point packing and higher range - great for use in stores and warehouses like Tesco, Sainsbury etc, but 802.11b has more potential bandwidth-wise.
Once we get onto the 25 GHz band and transmitting at 50Mbit/s the price of the lower spec kit will be easily within reach of the home user (it almost is now - I have a wireless network in my house :) but we'll always be behind the US as we are limited to 100mW so we need more APs for the same area. Of course we won't get our brains fried as fast!
Frog51
Solutions (Score:2)
For one, you could try a lead-coated bunker so that even Superman and the MPAA won't be able to tap into your precious air waves.
After that, if you're scared about air contamination (all that data has to run through it, no?) you can try accomplishing a complete vacuum ; the NASA has some big pumps for lease.
Having to wear a spacesuit for kernel hacking on an iBook while sitting on the pot will bring you to total geekness!
/max
Re:Or encryption? (Score:4)
1) Key distribution. If you aren't the only person on the network, getting the key out to other people is a non-trivial task and can be the weakest link.
2) 40-bit - the standard WEP keysize is completely insufficient and can be cracked in relatively no time. 128bit versions of the hardware are available, however, so this is an improvement.
3) This is the biggie - the WEP authentication protocol relies on DNS and is therefore prone to massive man-in-the-middle attacks. There is a paper by Jesse Walker called "Wireless LANs Unsafe at Any Key Size; and analysis of the WEP encapsulation" that I encourage everyone to read.
WEP is especially dangerous because it establishes a false sense of security that causes people to be more willing to send sensitive data over the network. You still need to use some other encryption method on top of WEP - even at best it gives the privacy of a standard ethernet LAN.
Other technologies are under development to improve the state of wireless security, such as the IEEE 802.11 Task Group E, which is trying to develop an authentication scheme suitable for 802.11 wireless networks, or the IEEE 802.1x protocol which will do similar things at a more generic level.
There is no existing good solution to the wireless problem (PPPoE hacks aside).
-Alison
A relevant story (Score:2)
References please? (Score:2)
I'd also be curious to know more about your participation in the cryptographic community that you refer to - maybe we've met and I don't know it?
Re:References please? (Score:2)
I never claimed to be involved personally in the cryptographic community, nor do any of my comments depend on such a claim. Please take ad hominem attacks elsewhere.
Re:Wireless Worthlessness (Score:2)
I found the staff e-mail index at your school's web site and sent them a link to the article. I explained that it wasn't really you that was afraid to let them know about this, but really it was someone who had stolen your password and wanted to make you look bad.
Dave
Re:Wireless lans a hacking tool. 802.11 planted on (Score:3)
I can build a PC to do the job that's the size of a Rubik's cube; or I can use an off-the-shelf Libretto. One would need an additional filter to solve the dust problem, assuming the machine has active cooling, which is not a safe bet at all.
A telephone tap is depressingly easy to make in your home. A "hidden camera" is regulated, but a CCD camera which is about 3cm long and is on a PC board approximately 3cm square is not controlled, and can be hidden in all sorts of interesting devices, like smoke detectors. So, no. This is a networking device. People who don't set up their network for security are bound to be in trouble. If you have a switch (if you're too small to have a switched network, no one cares about your data) with any intelligence at all, you can limit the MAC addresses which can live on it; or in some cases, the IP addresses. True, MACs can be changed, but this allows some reasonable security.
Most companies will only have to care about crypto between windows and windows. Some will have to care about windows to unix. More than that will probably be more concerned about unix to unix. Very few will be worried about encryption to their macs, since most shops use macs to feed their artists. WindowsWindows and UnixUnix encryption isn't so tough. WindowsUnix is fairly doable. Anything else is just icing.
OSU solved this (Score:2)
Pretty good system if you ask me, although I couldn't explain exactly how it works.
Re:References please? (Score:2)
Re:Frequency hopping, spread spectrum ? (Score:2)
That won't help. FHSS does prevent those who don't know the next frequency from listening. However every device on your network knows the next frequency and the time to change to it. So you shift to an apparently random different frequency, but at the same moment so does the guy listening. The army uses FHSS with an algorithm that we don't know, thus we can't know the next frequency to shift to or when to shift. We could figure out what frequencies they are using and record all; if the data is worth it we might be able to put it together, but that is a hard task. (Potentially NP)
The difference between FHSS and DSSS is DS hops at a known time to the next frequency in order, while FH hops to the next frequency in what appears to be random order. 802.11 defines that either can be used. FH is cheaper to implement, but it turns out that more companies worked in DS (which is actually inferior except the FCC allows it to transmit data faster) and competition drove the price down.
Oracle ad? (Score:2)
Not quite correct...read on (Score:3)
Direct Sequence does not hop!! It takes the input signal and combines it with a long chipping sequence in such a way that what was a peak at one frequency becomes a very low broad signal. The military like this because you can get the whole signal to lie at a lower level than rf noise - making it an absolute bugger to find, let alone read. The radio for these is much more expensive but the price is coming down.
Most of the major manufacturers sell both kinds - Symbol and Cisco being the two top brands. Symbol's kit is rebadged by people like 3Com, and Cisco bought Aironet or Telxon, before Symbol bought Telxon. Lucent do quite a good 11Mbit/s Point to Point link as well.
Frog51
Re:If you pay attention... (Score:2)
Re:Oh, great (Score:2)
Hm. Looked fine in preview, but something seems to've been lost. What I meant to say was "for a totally saturated access point".
The new firewall (Score:2)
Next thing you know Cisco will be buying Reynolds (makers of Reynolds Wrap aluminum foil) to incorporate the new high tech, high security technology the food storage company has been developing. Buy stock.
Re:References please? (Score:2)
CDNF. The man may be technically brilliant, and I'll gladly take your word for that, but brilliance does not imply that he lacks baser motivations such as publicity-seeking or hope for profit as the new CTO of a security-related company. His comments on this particular matter were and are irresponsible, regardless of anything else he has ever done.
Re:Closed network (Score:2)
Re:Oh, great (Score:2)
Well, assuming the numbers they do (i.e. 1500 byte packets), it takes only 11 Mbps * 18000 seconds = 198 Gb = 24.75 GB of storage space to get a collision in a worst case scenario. But more important, there's no reason to save everything as you go along.
Instead, you just do something like the following. Assume it takes 10 IV collisions to be reasonably assured of computing plaintexts by statistical analysis (this may be generous, considering the redundancies in most of the packets--TCP headers, easily guessed content, etc.). Then you can just build a table for the IV space one portion at a time: say one-eighth at a time. In other words, first you just store all the packets with IVs in the range 0-1x2^22 until you can statistically analyse them and build an IV->cipherstream table for all those IVs. Assuming 10 messages for each IV, this takes about 31 GB. When you're done with that, throw out all those old packets and start on IV range 1-2x2^22, and so on. As they pointed out in their summary [berkeley.edu], it only takes 15 GB to store the entire IV->cipherstream table. Thus we have total expected storage requirements of ~45 GB, and a total running time of 400 hours to decrypt all future traffic on the network. Moreover, we can start decrypting all the packets with IVs we've already "solved" as soon as we solve them.
This is entirely feasible, but it isn't even the half of it. As they suggest, a much better solution to this problem is to use an active, chosen plaintext attack. That is, the attacker can send a known packet from the outside to a machine on the wireless network; the network will encrypt the packet and send it to that machine, along with its IV in plaintext. The attacker merely needs to intercept that packet (a problem, of course, is knowing which packet it is, although this is solvable with unusual choice of destination machine, etc.) and suddenly he has solved that IV, with no statistical analysis necessary. With this method, we only need 15 GB of storage space (for the table) and enough time to send messages which will be encrypted with every different IV. The latter requirement is going to take a real long time, of course, but as a way to attack, say, 95% of the IVs this is very efficient.
I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.
Do you understand the term "script kiddie" at all?? The point of a script kiddie is that he doesn't have to know how to write modified drivers, only how to download them and install them. Hence "script"; they're running someone else's program. And in any case, modifying drivers and even modifying hardware ought not to be beyond the skills or resources of lots of corporate espionage outfits.
Your hope that equipment manufacturers address this problem is probably misgiven; doing so would seem to require them to replace software drivers with hardcoded ones, or at least insert another layer of encryption both inside the hardware and in their drivers. I submit that both possibilities are very unlikely, and that in any case anyone with deep pockets can build their own 2.4 GHz receiver without too much trouble.
Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh.
Of course there have been, though rarely such softball errors as these. The recently reported vulnerability with the extra decryption keys in PGP, while quite significant, was an implementation error, not an error in the spec itself. And the vulnerabilities found in crypto protocols by the real experts tend to be rather esoteric and impractical ones, and then mainly on entirely new ciphers, not on a spec for piecing together old ones.
In any case, the point is that they are (ideally) found *before* any products using the protocol are put into place. It's called "peer review", perhaps you've heard of it.
That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping.
I don't know the history here, so I can't comment. However, I do know that if this protocol was indeed opened up to peer review as you seem to suggest (without any evidence), then something went horribly wrong; for some reason, either everyone missed these rather obvious flaws, or, more likely, no one showed up to review it. The point is, offering something for "peer review" and then assuming it's secure after no one shows up to review it is obviously not good practice. Frankly, I can't believe that any serious peer review wouldn't flag the problems inherent in using RC4 with a linear checksum algorithm, or with layering an encryption scheme on such a tiny (24 bit!) IV space.
The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.
This is so beyond ludicrous I'm not even going to touch it. The rest of your post seems to indicate that you're not a troll, but this makes one wonder.
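The arithmetic argued over in the thread above (how long a saturated 11 Mbps link with 1500-byte frames takes to exhaust a 24-bit IV space) and the keystream-reuse consequence, worked through as an added example; this is not code from any of the posters or from the paper they cite. The keystream generator is a constructed stand-in (SHA-256 over IV, key and a counter), not RC4; only its dependence on (IV, key) matters, because two frames with the same IV get identical keystream. It also goes beyond the thread's counter-style IVs by computing the birthday bound for randomly chosen IVs, which collide far sooner than five hours.

```python
import hashlib
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct initialization vectors

def seconds_to_exhaust_ivs(link_bps: float = 11_000_000, frame_bytes: int = 1500) -> float:
    """Time for a saturated link to use every IV once, one IV per frame. A counter-style IV
    (the Lucent behaviour mentioned in the thread) wraps after exactly this long."""
    frames_per_second = link_bps / (frame_bytes * 8)
    return IV_SPACE / frames_per_second            # about 18,300 s, roughly five hours

def birthday_collision_probability(n_frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of n randomly chosen IVs coincide: 1 - exp(-n(n-1)/2N)."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))

def frames_for_collision_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest n giving collision probability p under the same approximation.
    For p = 0.5 and a 24-bit space this is under 5,000 frames: a few seconds at 11 Mbps."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_for(iv: int, key: bytes, length: int) -> bytes:
    """Constructed stand-in for RC4(IV || key). Any deterministic function of (iv, key) shows
    the reuse problem, since two frames with the same IV receive the same bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv.to_bytes(3, "big") + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_frame(iv: int, key: bytes, plaintext: bytes) -> tuple:
    """A frame is (IV sent in the clear, payload XOR keystream)."""
    return iv, xor_bytes(plaintext, keystream_for(iv, key, len(plaintext)))

def recover_shared_iv_frame(frame_a: tuple, known_plaintext_a: bytes, frame_b: tuple):
    """Given two frames that share an IV and the plaintext of one (guessed headers, known
    content), read the other without the key. Only the overlapping length is recovered;
    returns None if the IVs differ."""
    iv_a, ct_a = frame_a
    iv_b, ct_b = frame_b
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(ct_a, known_plaintext_a)   # c XOR p yields the keystream for this IV
    return xor_bytes(ct_b, keystream)

if __name__ == "__main__":
    print(f"exhaust IV space: {seconds_to_exhaust_ivs() / 3600:.2f} hours")
    print(f"50% random-IV collision after {frames_for_collision_probability(0.5)} frames")
```

The two numbers together are the design lesson: sequential IVs give a deterministic five-hour reuse (and immediate reuse after each card reset), random IVs give a probable reuse within seconds, and either way a 24-bit IV cannot carry a per-packet key schedule for a busy link.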
Read the article (Score:2)
Promiscuous (Score:4)
Sounds like my last experience at a bar........
Closed network (Score:2)
Plus, Apple runs 40-bit encryption for their Airport. Not only that, I setup the base station so it blocks out clients that aren't on my MAC address "allow" list.
Pretty much, I feel safe, both at home and over the net, because I run Appletalk, which doesn't go beyond the router to the cable modem.
Re:Oh, great (Score:5)
I took another look at the link to the paper [berkeley.edu] provided in cid #13 (thanks!) and here are some observations.
"IV" is "initialization vector" and is the same as what is elsewhere called a "salt". The IV is 24 bits; in a previous paragraph the authors had calculated that for a access point an IV is likely to get reused after about five hours. From this we're apparently supposed to conclude that it's a trivial matter to store every packet until an IV collision occurs, and then use the contents of both packets to recover plaintext. They even seem to be aware that two packets often won't be enough, but fail to mention that you need to save and search another five hours' worth of peak-bandwidth traffic to get anywhere in that case.
To be fair, they do point out a pretty serious flaw in a particular implementation of 802.11b, specifically Lucent's, which sets the IV to zero when the card is initialized and merely increments it for each packet. That does indeed make life way too easy for crackers.
I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.
Damn right they haven't. Writing drivers is enough of a pain when the hardware engineer is sitting right next to you. It's harder when you have no access to hardware docs, and harder still when the hardware vendor might actively be attempting to thwart your efforts.
The real problem is not in the paper itself, though, but in the way it was reported. Consider this conclusion, from the paper:
Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh. But I'll let that slide. Now, for contrast, here's an excerpt from the ZDnet article:
That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping. The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.
URL for referenced paper (Score:2)
-Alison
Wireless lans just asking to be hacked (Score:3)
Direct link and my experiences (Score:4)
Some information about their analysis [berkeley.edu] is available.
Personally, I wasn't counting on WEP anyway, which is why I didn't bother buying the Lucent Gold cards. I just wish IPsec were more common, so that I wouldn't have to tunnel quite so much through ssh.
Of course, then there are unencrypted wireless networks like the ones at USENIX. Dug Song's presentation on dsniff [monkey.org] was a big hit; look for the "Passwords Found on a Wireless Network" paper. (PostScript only, sorry.)
a new cottage industry (Score:3)
*Shrug*
E.
www.randomdrivel.com [randomdrivel.com] -- All that is NOT fit to link to
Re:If you pay attention... (Score:2)
IEEE1394 is and was in use in commercial A/V equipment before it came down to the end-user level, so it had a chance to build an installed base, but most people just weren't aware of this.
USB and '1394 also solved different problems, they were ways to move lots of data over a copper wire, cheaply and effectively. There *was* no other easy solution before they came along.
Bluetooth isn't solving any problems that aren't already solved by 802.11b. Bluetooth isn't cheaper, it isn't faster, it isn't more secure, it doesn't have a better featureset. Bluetooth is just using short-range RF in a different way. 802.11b cards could easily do what bluetooth claims to do, and they could do it today. With a bit o' engineering the 802.11b cards also have a very low power subchannel, so that they would only talk to devices very close to themselves. By using 802.11b to replace Bluetooth, current RF-to-Ethernet bridges could also enable your cellphone to surf the 'net (or make IP calls) for free inside of a building, by gatewaying to the LAN, etc, etc, etc.
We really only need 1 multipurpose RF network, and my bet says that it ain't gonna be Bluetooth.
Re:Wireless Worthlessness (Score:2)
Someone once pointed out that while insubordination and incompetence are about equally effective, one is much harder to prove than the other.
WaveLAN Security (Score:5)
You might have heard of a guy called Randy Bush, whose favourite party trick at such events is to sniff the WaveLAN, and email out to captured POP3 usernames their own password with the message 'Be careful with radio!'. It's not even a switched network as a default install.
Setting up some sort of VPN using PoPToP isn't a bad idea in such cases, although WaveLAN does have some security built into it. Personally I use the Buffalo Technology kit which seems to work for 'doze, BSD and Linux.
I've heard rumours that if you wander through Stockholm's business district or through the Square Mile in London, if you're in promiscuous mode you can pick up all sorts of transmissions and a large number of DHCP servers offering IPs to anyone who gets the ESS ID right.
Hope this helps someone. Just be careful out there ;)
Re:Wildly Popular ? (Score:2)
Wireless lans a hacking tool. 802.11 planted on me (Score:5)
This is scary shit.
It takes 10 seconds to plug one of these into your network and a power outlet and you're instantaneously wide open, without knowing it. And if you've got network outlets all over your building, it's just that much easier for you to be "bugged", especially since network outlets often appear in rooms not considered to need securing, like lobbies and waiting rooms and such.
If you're a sysadmin in a really large building, can you really know that every RJ45 jack is being used legitimately? If the spy device is listen -> xmit only, and ignores arp requests, it is invisible other than one extra link light among hundreds on the rack or on some distant hub/switch.
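One practical answer to the "can you really know that every RJ45 jack is being used legitimately?" question is to reconcile the switch's MAC table against a port inventory on a schedule. The following is an added example, not code from the thread: the table dump format, addresses, port names and inventory are all constructed, so the row parser will need adapting to a real switch's output. As the post notes, a device that only listens and never transmits leaves no MAC entry at all, which is why the check for traffic on ports the inventory marks as unused (and, administratively, shutting those ports) is the part that matters most.

```python
"""Added example (not from the thread): reconcile a switch MAC table
against a port inventory to surface the "one extra link light".
All addresses, ports and the dump layout below are constructed.
"""
import re

# Constructed dump in a "vlan  mac  type  port" layout.
MAC_TABLE_DUMP = """\
Vlan  Mac Address       Type     Ports
----  ----------------  -------  -----
10    0001.0203.0405    DYNAMIC  Fa0/1
10    0001.0203.0a0b    DYNAMIC  Fa0/2
10    0001.0203.0c0d    DYNAMIC  Fa0/7
10    0001.0203.0e0f    DYNAMIC  Fa0/7
20    0001.0203.1011    DYNAMIC  Fa0/9
"""

# Constructed inventory: expected MACs per port; None = port should be unused.
INVENTORY = {
    "Fa0/1": {"0001.0203.0405"},
    "Fa0/2": {"0001.0203.0a0b"},
    "Fa0/7": {"0001.0203.0c0d"},   # one desk PC expected here
    "Fa0/9": None,                 # lobby jack, should be dead
}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def parse_mac_table(dump):
    """Return {port: set(mac)} from the dump, skipping header/separator lines."""
    by_port = {}
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            by_port.setdefault(port, set()).add(mac.lower())
    return by_port


def find_anomalies(by_port, inventory):
    """Flag MACs and ports the inventory does not account for.

    Returns a list of (port, reason, sorted_macs) tuples in port order.
    """
    findings = []
    for port, macs in sorted(by_port.items()):
        if port not in inventory:
            findings.append((port, "port not in inventory", sorted(macs)))
            continue
        expected = inventory[port]
        if expected is None:
            findings.append((port, "traffic on port marked unused", sorted(macs)))
            continue
        unknown = macs - expected
        if unknown:
            findings.append((port, "unknown MAC", sorted(unknown)))
        if len(macs) > 1:
            # Several MACs behind one access port: a hub, bridge or access point.
            findings.append((port, "multiple MACs on one port", sorted(macs)))
    return findings


if __name__ == "__main__":
    for port, reason, macs in find_anomalies(parse_mac_table(MAC_TABLE_DUMP), INVENTORY):
        print(f"{port}: {reason}: {', '.join(macs)}")
```

Run against the constructed dump it flags Fa0/7 twice (an unexpected second MAC, and two MACs on a port that should carry one host) and Fa0/9 for carrying traffic at all. The first pattern is what a bridging access point plugged in behind a desk looks like from the wiring closet; the second is the lobby-jack case from the post.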
Re:Oh, great (Score:2)
Well, yeah. I am. ;-)
I guess I could claim that I was testing the transmitter's range or something, but it really was just a "because I can" sort of thing. I don't expect I'll be making a habit of it, though it might be handy next time I get a bad burrito or something and expect an extended bathroom stay.
Apple's AirPort traffic is encrypted (Score:2)
Re:Wireless Worthlessness (Score:2)
I'm not sure how much good anonymous email would do. In any case, I would not hack into somebody's email to demonstrate lack of security. That only intensifies the "kill the messenger" problem. I speak from personal experience.
__________________
Or encryption? (Score:2)
The frequency
The "network number"
The encryption secret
I haven't heard of ways to arbitrarily break into one of these without some serious and expensive equipment.
-Omar
Wildly Popular ? (Score:2)
the wildly popular 802.11b wireless networking technologies
Is this a true description of WiFi ?
I'm in the UK, in a real geek environment, and we've only just gone partially wireless. By UK standards, I think we're still ahead of the pack.
What's it like in the USA ? Are AirPorts really popping up in every Starbucks ?
Wireless Worthlessness (Score:5)
One day someone figured out that packet sniffers can be used on the network to see other people's POPmail passwords and AIM conversations, as well as whatever websites they are at. It is genuinely disturbing. However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome.
Let me just say that this is one of the most ridiculously insecure technologies in the world, just waiting for the packets to be pulled down out of the air with a packet sniffer program like EtherPeek. People have been doing this for months around here.
This is just a school. It's terrifying to think that the world's important financial institutions rely on this technology's security.
--
Re:Wildly Popular ? (Score:2)
Actually, Starbucks is unrolling some sort of plan just like that. It's not available yet, and when it is it'll probably have a bunch of restrictions on it. But that's about the shape of it.
Re:Narrow beam antennas and gain (Score:4)
Every 3 dB gain doubles the power received. Every 6 dB increase in antenna gain doubles the distance. (line of sight not over the horizon) A narrow beam dish antenna (old c-band TV dish) can have a gain over 36 dB.
If your 6 dB laptop has a range of 500 feet, the guy with the dish has 30 dB more receiving power and will get the same signal you get but from 16,000 feet. He doesn't have to be in your parking lot to sniff you. He just needs a reasonably clear line of sight. Do not be fooled thinking the range a low non directional antenna provides is all the further your signal travels. It isn't. It gets 6 dB weaker every doubling the distance it travels.
It may become too weak for you, but not for a high gain directional antenna. This gain is why a dish antenna can pick out one of many satellites spaced every 6 degrees in the sky over the equator that is transmitting with 50 watts per transponder 22,000 miles away.
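The arithmetic in the post above is a free-space link budget, and it generalises cleanly: received power falls 20·log10(2) ≈ 6 dB per doubling of distance, so any extra gain g dB on the listener's side multiplies range by 10^(g/20). The following is an added example, not code from the thread: it reproduces the 500 ft / 36 dB dish figure and then carries the same reasoning through a full link-budget calculation at 2.4 GHz. The radio power and receiver sensitivity values are constructed, not taken from any product.

```python
"""Added example (not from the thread): free-space range arithmetic behind
the antenna-gain comment. Constructed values; Friis free-space model only,
so real-world obstructions shorten these distances but do not change the
scaling with gain.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def range_multiplier(extra_gain_db):
    """Factor by which range grows for extra_gain_db of gain (free space).

    6 dB per doubling of distance is 20*log10(2) ~ 6.02 dB, so g dB of
    gain buys a factor 10**(g/20) in distance.
    """
    return 10 ** (extra_gain_db / 20)


def sniff_range(base_range, base_gain_db, listener_gain_db):
    """Distance at which a listener with listener_gain_db hears the same
    signal level that a base_gain_db antenna hears at base_range."""
    return base_range * range_multiplier(listener_gain_db - base_gain_db)


def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB (Friis): 20*log10(4*pi*d*f/c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def max_distance_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_hz):
    """Largest free-space distance at which the link still closes, i.e.
    where path loss equals tx power + both gains - receiver sensitivity."""
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return C * 10 ** (allowed_loss_db / 20) / (4 * math.pi * freq_hz)


if __name__ == "__main__":
    # The post's figures: 6 dB laptop antenna at 500 ft versus a 36 dB dish.
    print(f"dish hears the same signal from ~{sniff_range(500, 6, 36):.0f} ft")
    # Constructed 2.4 GHz budget: 15 dBm radio, 0 dBi antenna, -85 dBm sensitivity.
    d_omni = max_distance_m(15, 0, 0, -85, 2.4e9)
    d_dish = max_distance_m(15, 0, 30, -85, 2.4e9)
    print(f"omni listener: ~{d_omni:.0f} m; listener with +30 dBi: ~{d_dish:.0f} m")
```

The post's 16,000 ft rounds 6.02 dB to 6 dB (five doublings, 32×); the exact factor for 30 dB is 31.6×, about 15,800 ft. The link-budget form is the one to use when assessing exposure: take your radio's transmit power and the listener's plausible antenna gain, and the distance at which a sensitive receiver still decodes the signal is the radius you should plan for, not the range your own laptop sees.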
Re:Or encryption? (Score:3)
Don't single out WEP for this problem. You run this risk with any security measure. To quote Bruce Schneier, security is a process, not a product. Not that I disagree with your general argument.
__________________
Re:Frequency hopping, spread spectrum ? (Score:2)
Add IPSEC, stir gently. (Score:2)
VPN solves the issue of using 'untrusted' internet connections to connect to the local trusted network, so it's an obvious solution to using untrusted wireless transmissions which have similar security risks to using the Internet... sniffing, MITM, etc.
Security of Wireless vs. Wired (Score:3)
You still need a wired network regardless. And the hacking opportunities are better on a wired network. Several factors prevent hacking from being a viable activity over a wireless network. Low bandwidth is the most obvious. There are some implications for a denial-of-service attack, but these will affect end users, not servers, and with triangulation, it shouldn't be too hard to figure out who is jamming the signal.
The biggest thing is you need a good parity algorithm to account for data loss and encryption to prevent people from picking up sensitive data. However, I dismiss the claim that there is more exposure on a wireless network than a wired one, and hopefully you are using encryption when you give your credit card over the net anyway.
----------------------
Kurt A. Mueller
kurtm3@bigfoot.com
PGP key id:0x75D2DCCD
Re:Or encryption? (clarification) (Score:2)
-Omar
Oh, great (Score:4)
I think a lot of people just don't realize how wireless networking can change the way you feel about computing. Until you've actually surfed from the couch, continued reading on a laptop while you get a drink out of the fridge - or even take a leak - all unencumbered and uninterrupted, I don't think you can fully appreciate the difference. It's amazing to think how accustomed we had all become to the limitations of wired connectivity.
Now this comes along. Right or wrong technically, real or imaginary, this will slow adoption of wireless networking technology. The risk-averse business types who make decisions about deployment will hesitate, so there will be fewer access points both within organizations and in public spaces (hotels, airport lounges, and so on). Companies will forbid their employees to use wireless networking when on the road, or simply not provide the equipment necessary for them to do so. I expect email from our own IT department any moment telling me that wireless is off limits until "investigation of this matter is complete" (which will take months).
All this loss of convenience occurs because a bunch of people who felt left out of a public IEEE standardization process have said the sky is falling. If you read the article, you'll notice that there's practically no real information that would allow anyone to judge how serious the risk really is, and there's a lot of scaremongering about how easy it will be for "script kiddies" to get the right software. How about the hardware? Yes, folks, you need extra hardware to do this, and you also need to be physically proximate to the target. I'm not at all convinced that the script kiddies will be able to take advantage of this hole - whatever it really is.
Yes, it sucks that there's any hole of any size in WEP, and even if the script kiddies can't exploit it the professional crooks might, but the sensationalistic way this is being reported is simply not responsible.