
Re: [Fwd: [WEB SECURITY] TJX pwned via wifi]: msg#00025

security.wireless

Subject: Re: [Fwd: [WEB SECURITY] TJX pwned via wifi]

On Tuesday 08 May 2007 at 07:44 +0200, Tyrel McMahan wrote:
[Issues upgrading from WEP]
> 1. Couldn't you do some things to VLAN the AP's away from the main network?

That's definitely the best bet. If you can't enforce your WLAN security,
then isolate it to mitigate the issue. However, if you have a networked
bar-code reader system, it's very likely to report to a server that
is itself connected to your ERP. Therefore, your readers being able to
connect to the server, it is exposed to attacks. One can spoof a reader and
feed it with inaccurate data. Once compromised, the attacker can bounce from
that server to your ERP. Etc.
In addition to firewalling/segregation, you also have to monitor...

> 2. Wouldn't a combination of MAC-address filtering help?

Not for long. Sniffing Wi-Fi traffic on the network will kindly give you
a list of authorised MAC addresses you can use.

> 3. Does turning off the broadcast beacon help at all against this
> newest hack?

My first objection to this will be interoperability. Do your readers
support a cloaked SSID, i.e. will they detect and associate to the
network? Not very likely; cloaked SSIDs are a good source of problems...

Now, consider it's working. Every association request contains the SSID. So
you just have to disassociate/deauthenticate readers to force
reassociation to discover the SSID. In addition to this, to discover such a
network, your readers will have to emit targeted probe requests that
contain the SSID, revealing it. In a more general situation, this could
facilitate RogueAP attacks as pointed out by Joshua:

http://www.securityfocus.com/archive/137/461967/30/30/threaded
http://www.networkworld.com/columnists/2007/030507-wireless-security.html

Now, does SSID cloaking help against WEP cracking? Not very much! SSID
cloaking is a dumb wardriving mitigation technique, because WEP cracking
does not need you to be associated. I know most tutorials tell you to
associate a random MAC address with aireplay that you will use as a source
for your packets, but you can simply use one of the already associated MAC
addresses to inject your frames. Moreover, as I demonstrated with
Wifitap:

http://sid.rstack.org/index.php/Wifitap_EN

You can send WEP traffic to a station without being associated. Thus, if
you use the aireplay(-ng) -j switch that allows the from-DS bit to be set, you
can perform a non-associated ARP replay.

> 4. What is the recommended next step for a small company where
> implementing LEAP is seen as "too cumbersome" and not supported by the
> barcode scanners?

Well, to paraphrase a speaker in a recent Wi-Fi security talk: "there's
no free lunch in Wi-Fi security". Meaning that if you want a secure
WLAN, you have to do it right and pay the price. There's no middle
position or compromise. You have to use WPA2/802.1x, or at least WPA. If
it's "too cumbersome", then be honest with yourself and do not try to
cope with security.
My recommended next step would be to hire a professional for whom it's
not cumbersome to deploy 802.1x. I mean, come on! If you care about
security, you just don't have the choice. WEP is plain broken and even a
standard LEAP setup, i.e. LEAP auth. and WEP cipher, offers a more than
sufficient window for an attacker to break in, whether by breaking your
credentials as Joshua (again!) demonstrated with asleap:

http://asleap.sourceforge.net/

Or by just breaking the WEP session to gain time-limited access to the
network.

> Conclusion: I suppose we have to get the vendor to support WPA2 or
> similar in the next firmware release? Right?

That would be the best.


Now, if I were in the situation I described before, where you can't get WPA
or WPA2, you can't renew your hardware and you can't just shut down the
WLAN, I would do the following:

. deploy the best authentication method supported on top of WEP
. 802.1x PEAP, EAP-TLS or LEAP if no other choice
. have dynamic WEP keys on top of it
. limit session time to the minimum, like 15min
. use MAC address filtering even if it doesn't bring much
. isolate this WLAN from the rest of the infrastructure as much as
possible
. harden hosts that have to communicate with outside networks as much as
possible
. monitor this network with IDS and event log parsers
. pray, sacrifice a chicken, nail a hacker doll, etc.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
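Detection logic for two points raised in the message above (the deauth/disassoc trick that forces readers to reassociate and expose the SSID, and the 15-minute session cap in the mitigation list), as an added example that is not part of the original post or of any tool it mentions: it parses a constructed sample of 802.11 management events in a hypothetical "<ISO time> <frame type> <station MAC> <AP MAC>" log format and flags deauth bursts and over-long sessions; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format: <ISO time> <type> <station MAC> <AP MAC>
SAMPLE_LOG = """\
2007-05-08T07:30:00 assoc   00:11:22:33:44:77 00:aa:bb:cc:dd:01
2007-05-08T07:44:00 assoc   00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:01 deauth  00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:01 deauth  00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:02 deauth  00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:02 deauth  00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:03 deauth  00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:44:04 assoc   00:11:22:33:44:55 00:aa:bb:cc:dd:01
2007-05-08T07:50:00 assoc   00:11:22:33:44:66 00:aa:bb:cc:dd:01
2007-05-08T07:52:00 deauth  00:11:22:33:44:77 00:aa:bb:cc:dd:01
2007-05-08T07:59:30 deauth  00:11:22:33:44:66 00:aa:bb:cc:dd:01
"""

BURST_COUNT = 5                       # deauth/disassoc frames per station...
BURST_WINDOW = timedelta(seconds=10)  # ...within this window make a burst (assumed)
MAX_SESSION = timedelta(minutes=15)   # session cap from the mitigation list

def parse(log):
    """Yield (time, frame type, station, ap) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, ftype, sta, ap = line.split()
            yield datetime.fromisoformat(ts), ftype, sta, ap

def deauth_bursts(log):
    """Map station -> frame count for stations hit by a forced-reassociation burst."""
    recent, flagged = defaultdict(list), {}
    for ts, ftype, sta, _ in parse(log):
        if ftype in ("deauth", "disassoc"):
            recent[sta] = [t for t in recent[sta] if ts - t <= BURST_WINDOW] + [ts]
            if len(recent[sta]) >= BURST_COUNT:
                flagged[sta] = len(recent[sta])
    return flagged

def long_sessions(log):
    """Map station -> minutes for assoc->deauth spans that outlived MAX_SESSION."""
    start, flagged = {}, {}
    for ts, ftype, sta, _ in parse(log):
        if ftype == "assoc":
            start[sta] = ts
        elif ftype in ("deauth", "disassoc") and sta in start:
            dur = ts - start.pop(sta)
            if dur > MAX_SESSION:
                flagged[sta] = int(dur.total_seconds() // 60)
    return flagged
```

A session that runs past the cap means the dynamic-key/session-limit policy is not being enforced for that reader, which is worth an alert on its own.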