RE: Perpetuating weak wireless security: msg#00029

security.wireless

Subject: RE: Perpetuating weak wireless security



-----Original Message-----
From: Cedric Blancher
[mailto:blancher-cPThYx3uDionEikN29/hQkZa+K1vlBrA@xxxxxxxxxxxxxxxx]
Sent: Tuesday, May 08, 2007 12:56 PM
To: Nico Darrow
Cc: Joshua Wright; wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
Subject: RE: Perpetuating weak wireless security

On Tuesday, 08 May 2007 at 10:19 -0400, Nico Darrow wrote:
> Guys, I was the original designer of the WEP Cloaking feature released
> by AirDefense. I can field any questions you guys may have on it.

Good.

> 1. The actual fake data traffic is silently dropped by both the client
> and the AP, and throughput tests indicate a negligible impact at both
> 54 and 11 Mbps. We don't flood the air.

Still, they need to decrypt it, right? What impact do you have on
handhelds and low-CPU devices, which represent the vast majority of
hardware that can't run anything other than WEP?

[ND] - All WEP decryption happens on chip, so it doesn't bog down CPU usage. The
test performed involved multiple older Symbol handhelds (XT CPU, DOS OS) and
they didn't skip a beat. This technology was primarily marketed at these
devices.

> 2. You can't filter the traffic out, we have several dynamic engines
> to circumvent filtering.

I haven't seen your techno, so I can't discuss that point. However, I
really would like to see it work.

[ND] - Absolutely, I believe everyone should be skeptical until they use/see the
technology. We've seen too many people jump to conclusions too early before;
I'm glad you're not one of them :-D This technology will be available for peer
review by the public when it is released.

> Ok here's the thing. This technology was designed to save millions of
> dollars in cost to large retailers still running WEP technology.

That's a point I can hear, if it's only sold to this kind of user. The
thing is, it prevents people who actually can use WPA/WPA2 from
migrating to it.

[ND] - When companies purchase equipment they usually have a hardware life
cycle (i.e. 5 years) before an overhaul upgrade can be done. We do not
recommend staying with WEP forever. Currently it's waaaay cheaper than forcing
an immediate upgrade. WEP Cloaking is just ONE feature of the AirDefense
product line; it helps customers become PCI compliant and provides all the
security and monitoring functionality they need. We are not forcing users to
stick to WEP, we are providing an affordable and secure option to allow them to
stick to their upgrade timetables.

> For those currently using WEP, here are some tips to help make WEP
> cracking harder without WEP Cloaking.
> 1. Use PSPF mode (aka AP Isolation). There is a mode on most radios
> that disallows clients from communicating with each other...

Come on... "Making the tools not work" is not doing security, it's just
running after the cow. New tools are coming out, existing ones get
upgraded. Then what do you do?
Moreover, this statement is wrong. I wrote a tool, Wifitap, that bypasses
PSPF and other station isolation techniques for both open and WEP
networks:

[ND] - This section was for people who run WEP and can't afford an overlay
IDS/IPS. I wish I could give AirDefense to everyone out there so they can be
the most secure, but this isn't a perfect world. I was contributing to the
community with some simple security tips to make WEP harder to crack. I do like
your Wifitap tool, I use it a lot. Although, you do require the WEP key to do
injection over PSPF with it. These tips are for people to protect themselves
against 90% of the script kiddies out there, not security professionals such as
yourselves who have the resources and knowledge to "chase the cow" :-P (btw, love
it, I used that quote in a meeting today!)

I also wrote a patch for aircrack(-ng), the -j switch, that allows injecting
traffic directly to stations using the from-DS flag, thus bypassing
PSPF. And it works. OK, it does not work with every ARP query you can
find, but it works.

[ND] - Yup, good mod, I use it a bit. Aircrack-ptw requires ARP broadcasts to
work for the quick cracking bit.

> 2. VLANs on the APs. Currently Aircrack and other such tools don't
> filter out VLAN traffic (you need to write your own tool to filter it
> out; scapy works for me).

Same answer as above.

[ND] - Cisco AP, two VLANs, one running WEP, one running LEAP with dynamic WEP.
Client roams between the two. No tools work. I get your point, though.

> 3. Multiple APs. [...] Makes life harder with off-the-shelf tools.

Same as above.

[ND] - Which tools follow clients when roaming? Nothing off the shelf that I
know of.

> 4. If possible, do the basics. MAC filtering, throughput limiting
> (54Mbps/11Mbps only), signal strength filtering.

Good points.

My 5. would be: treat this network as if it were the Internet, because one day
or another, it will get broken into.

[ND] - 100% agree; some of the strongest networks I've pen-tested followed this
principle.

> For those wanting to check out the technology, contact me and I'll let
> you know where and when we will be demoing the technology.

Any time you come near Paris, I'll give it a try with great pleasure if I'm
around.

[ND] - Merci beaucoup, you got yourself a deal.

BTW, I find your WIDS technology pretty interesting, especially that
framework you developed with Trapeze, having APs that can switch from AP
to probe and back.

[ND] - Yeah, I love the Trapeze hardware; it's really cool and works fantastically.
We've got some awesome new features coming out in the near future, so stay
tuned :-D


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
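
The exchange above turns on two details of 802.11 data frames: the ToDS/FromDS bits, which select how the three address fields are interpreted and which the from-DS injection (the -j switch) relies on to address a station directly, and the WEP IV that travels in clear at the front of every protected body, which is what IV-collecting attacks such as the PTW one gather (ARP replay being the usual way to make the AP emit many of them). The following is an added example written for this page; it is not code from the thread, from aircrack-ng, Wifitap or AirDefense. It parses raw 802.11 data frames (no radiotap header, no FCS) in pure Python, resolves DA/SA/BSSID from the DS bits, pulls out the IV and key index, and summarises a constructed capture. The MAC addresses, IVs and ciphertext stand-ins are made up, and the ARP-sized-body heuristic (`WEP_ARP_BODY_LEN`) is this example's own assumption, not aircrack-ng's exact matching rule.

```python
"""Minimal 802.11 data-frame parser: DS bits, address mapping and WEP IV (added example)."""
import struct
from collections import defaultdict

FC_TYPE_DATA = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumed length heuristic for a WEP-encrypted ARP body: 4 (IV + key id)
# + 8 (LLC/SNAP) + 28 (ARP over Ethernet/IPv4) + 4 (ICV). This example's
# own rule, not aircrack-ng's exact logic.
WEP_ARP_BODY_LEN = 4 + 8 + 28 + 4


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def is_multicast(mac):
    # Group bit is the least significant bit of the first octet
    return int(mac[:2], 16) & 1 == 1


def parse_data_frame(raw):
    """Decode one 802.11 data frame into logical fields; None for non-data frames."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:
        return None
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    hdr_len, a4 = 24, None
    if to_ds and from_ds:            # WDS: fourth address follows the sequence control
        a4, hdr_len = raw[24:30], 30
    if subtype & 0x08:               # QoS data subtypes carry a 2-byte QoS control field
        hdr_len += 2
    # Address mapping selected by the DS bits (IEEE 802.11 address field contents)
    if not to_ds and not from_ds:
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        da, bssid, sa = a1, a2, a3
    elif to_ds and not from_ds:      # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        bssid, sa, da = a1, a2, a3
    else:                            # WDS: Addr1/2 are RA/TA, Addr3=DA, Addr4=SA
        da, sa, bssid = a3, a4, None
    body = raw[hdr_len:]
    iv = key_id = None
    if protected and len(body) >= 8:  # WEP: 3-byte IV, then key id in the top 2 bits
        iv, key_id = body[0:3].hex(), body[3] >> 6
    return {"to_ds": to_ds, "from_ds": from_ds, "protected": protected,
            "da": mac_str(da), "sa": mac_str(sa),
            "bssid": mac_str(bssid) if bssid else None,
            "iv": iv, "key_id": key_id, "body_len": len(body)}


def build_wep_data_frame(to_ds, from_ds, a1, a2, a3, iv, key_id, cipher_body):
    """Assemble a protected Data frame (subtype 0) with the given DS bits and WEP IV header."""
    fc0 = FC_TYPE_DATA << 2
    fc1 = 0x40 | (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + struct.pack("<H", 0)
    return hdr + iv + bytes([key_id << 6]) + cipher_body


def sample_frames():
    """Constructed sample capture (made-up addresses, IVs and ciphertext stand-ins)."""
    bssid, sta = mac_bytes("00:11:22:33:44:55"), mac_bytes("00:aa:bb:cc:dd:ee")
    gw, bcast = mac_bytes("00:de:ad:be:ef:01"), mac_bytes(BROADCAST)
    arp_ct = bytes(range(40))    # stands in for encrypted LLC/SNAP + ARP + ICV
    big_ct = bytes(range(100))   # stands in for a larger encrypted payload
    return [
        build_wep_data_frame(True, False, bssid, sta, gw, b"\x01\x02\x03", 0, arp_ct),   # station -> AP
        build_wep_data_frame(False, True, sta, bssid, gw, b"\x01\x02\x04", 0, arp_ct),   # AP -> station (from-DS unicast)
        build_wep_data_frame(False, True, bcast, bssid, gw, b"\x01\x02\x05", 0, arp_ct), # AP -> broadcast ARP
        build_wep_data_frame(True, False, bssid, sta, gw, b"\x01\x02\x03", 0, big_ct),   # IV reused
        bytes([0x80, 0x00]) + bytes(34),                                                  # beacon, must be skipped
    ]


def summarize(raw_frames):
    """Unique IVs per BSSID, from-DS unicast frames (the -j injection shape), ARP-sized bodies."""
    ivs, unicast_from_ds, arp_sized = defaultdict(set), [], 0
    for raw in raw_frames:
        f = parse_data_frame(raw)
        if f is None or not f["protected"]:
            continue
        ivs[f["bssid"]].add(f["iv"])
        if f["from_ds"] and not f["to_ds"] and not is_multicast(f["da"]):
            unicast_from_ds.append((f["sa"], f["da"]))
        if f["body_len"] == WEP_ARP_BODY_LEN:
            arp_sized += 1
    return {"unique_ivs": {b: len(s) for b, s in ivs.items()},
            "unicast_from_ds": unicast_from_ds, "arp_sized": arp_sized}


if __name__ == "__main__":
    print(summarize(sample_frames()))
```

The second sample frame is the shape the from-DS injection produces: Addr1 is the station, Addr2 is the BSSID, so the station accepts it as coming from its AP even though the AP's PSPF setting never had a say, which is why isolation on the AP alone does not stop station-to-station traffic. The fourth frame shows why counting unique IVs rather than frames matters: a reused IV adds nothing to the keystream collection.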
