Re: [Fwd: [WEB SECURITY] TJX pwned via wifi]: msg#00022

security.wireless

Subject: Re: [Fwd: [WEB SECURITY] TJX pwned via wifi]

Everyone,
In light of this latest WEP security hack and given the scenario that
Cedric mentioned where a company had just invested in equipment such
as barcode scanners in which the PCMCIA card is not easily removed or
upgraded (or maybe voids the warranty if removed/upgraded) I have the
following questions.....

1. Couldn't you do some things to VLAN the APs away from the main network?
2. Wouldn't a combination of MAC-address filtering help?
3. Does turning off the broadcast beacon help at all against this newest hack?
4. What is the recommended next step for a small company where
implementing LEAP is seen as "too cumbersome" and not supported by the
barcode scanners?
Conclusion: I suppose we have to get the vendor to support WPA2 or
similar in the next firmware release? Right?

Thanks in advance for your comments!

--
Tyrel McMahan
tman@xxxxxxxxxxxxxxx
+48.600.508.440 Mobile (Warsaw, PL)

On 5/7/07, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
On Monday 07 May 2007 at 06:32 -0500, d1n wrote:
> Most companies wait until it's too late and they never want to allocate
> enough funds for security. Then something like this happens and the
> damage is already done. Very sad and I feel bad for their customers.

Problem also lies in hardware. A few years ago (end of 2003, early 2004),
I had to pentest two companies using wireless bar-code readers.

The first one was relying on 40-bit WEP with old pre-b frequency hopping
(1-2Mbps) hardware. Non-upgradable. They had to renew their complete
hardware base (readers+AP) in order to switch to WPA.

The second one had bar-code readers with PCMCIA slot. Vendor was not
supporting WPA, the best they could get was LEAP if they switched all
PCMCIA Wi-Fi adapters to Cisco ones that cost close to 200 USD each at that
time.

Now, go tell these people who had invested a lot in their current
infrastructure "hey guys, you have to renew everything because your
security sucks". Even if security management agrees, associated cost
would eventually lead to a very simple risk management decision: "we'll
take the risk". And sometimes some mitigation means relying on backend
security architectures, mostly firewalls.

Problem is, when backend security architectures fail at preventing
escalation, we get TJX situation, that obviously failed at a lot more
things than just not using WEP: lack of firewalling, lack of security
patches and, most of all, no sensible data encryption...


BTW, thx to Richard, I'm lurking on IRC again ;)

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html




--
Tyrel "Ty the Tech Guy" McMahan
Technology Specialist
tman@xxxxxxxxxxxxxxx
www.TechMundial.com

+011.48.600.508.440 Mobile (Warsaw, PL)
+1.901.313.4447 VoIP (Memphis,TN, USA)
