
RE: Perpetuating weak wireless security: msg#00031

security.wireless

Subject: RE: Perpetuating weak wireless security

Guys, I was the original designer of the WEP Cloaking feature released by
AirDefense. I can field any questions you guys may have on it.

I can assure you it works. Here are a couple of points on the technology.

1. The actual fake data traffic is silently dropped by both the client and the
AP, and throughput tests indicate a negligible impact at both 54 and 11 Mbps.
We don't flood the air.

2. You can't filter the traffic out, we have several dynamic engines to
circumvent filtering. We've had several independent teams attempt to pentest
even with the real WEP key and they have failed. I've already been through
signal strength filtering, retry filtering, sequence filtering, client
filtering, distributed sniffing, etc etc. None work. AirDefense is the best in
class solution and I assure you the work on this project is on par. I'm not
being cocky, I'm just saying that this isn't a hacked job. We have spent over a
year developing and refining this technique.

Ok here's the thing. This technology was designed to save millions of dollars
in cost to large retailers still running WEP technology. The technology isn't
fool-proof, but it's the best option they have. What you get for a fraction of
the cost of a fork-lift upgrade is extended life on existing hardware as well
as a world class Wireless IDS/IPS as well as a platform for other AirDefense
technologies.

Now, I'm sure someone smart will figure out some super-clever way to bypass it,
but AirDefense has multiple layers of protection. We will of course refine the
technology as it gets deployed and used in the field, like any true second
generation WIDS/WIPS. We have Legacy Encryption Protection (WEP), Intrusion
Detection with Auto-Classification of devices (monitor anyone actually making
it past the encryption/VLANs) and Intrusion Protection (keeping them off once
you find out they have the real WEP key).


For those currently using WEP, here are some tips to help make WEP cracking
harder without WEP Cloaking.

1. Use PSPF mode (aka AP Isolation). There is a mode on most radios that
disallows clients from communicating with each other, essentially by filtering
out broadcast and multicast traffic. Enabling this feature will prevent ARP
injection techniques and will prevent Aircrack-ptw from working. Yes, it can
still be cracked, but it requires the hacker to capture traffic passively, and
in a retail environment with low traffic it can take a while.

2. VLANs on the APs. Currently Aircrack and other such tools don't filter out
VLAN traffic (you need to write your own tool to filter it out; scapy works for
me), so if you have multiple VLANs, don't use the MBSSID feature and keep all
your VLANs on one BSSID. Technically MBSSIDs are way better, but we are
talking older hardware.

3. Multiple APs. Clients connect to multiple APs, and when you start injecting
they'll roam, forcing you to use secondary radios to keep the device on it or
follow it around and combine the traffic later. Not really a good point, but it
makes life harder with off-the-shelf tools.

4. If possible, do the basics: MAC filtering, throughput limiting
(54 Mbps/11 Mbps only), signal strength filtering.


For those wanting to check out the technology, contact me and I'll let you know
where and when we will be demoing the technology.


Nico Darrow
Office of the CTO
AirDefense, Inc.
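As an added example, not code from the thread or from AirDefense: a small Python detector for the ARP-replay injection mentioned under tip 1 above. It runs over constructed frame metadata and uses a heuristic that is my assumption, not the vendor's method: a legitimate station never re-sends one identical encrypted frame (same length and same WEP IV) dozens of times per second, while an ARP replay does exactly that.

```python
"""Flag WEP ARP-replay style injection from 802.11 frame metadata (added example)."""
from collections import defaultdict, deque

# Constructed sample records: (time_s, src_mac, frame_len, wep_iv), assumed to be
# protected data frames pulled from a monitor-mode capture. LEGIT models a normal
# station (fresh IV per frame); REPLAY models one 68-byte frame re-sent 100x/s.
LEGIT = [(i * 0.2, "00:11:22:33:44:55", 120 + i % 7, 0x100000 + i) for i in range(40)]
REPLAY = [(2.0 + i * 0.01, "aa:bb:cc:dd:ee:ff", 68, 0xABCDEF) for i in range(120)]
SAMPLE_FRAMES = sorted(LEGIT + REPLAY)


def find_replay_bursts(frames, window_s=1.0, threshold=50):
    """Return {src_mac: peak_count} for every source that repeated a single
    identical (length, IV) frame at least `threshold` times inside any sliding
    window of `window_s` seconds. Frames must be sorted by time."""
    recent = defaultdict(deque)  # (src, length, iv) -> timestamps still in window
    peaks = {}
    for t, src, length, iv in frames:
        q = recent[(src, length, iv)]
        q.append(t)
        while t - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def report(frames):
    """Print one alert line per offending source and return the findings."""
    hits = find_replay_bursts(frames)
    for src, n in hits.items():
        print(f"ALERT possible WEP ARP replay from {src}: {n} identical frames in 1 s")
    return hits


if __name__ == "__main__":
    report(SAMPLE_FRAMES)
```

The threshold and window are deliberately conservative; a real WIDS would also correlate the burst with the AP's burst of equally sized encrypted replies.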

-----Original Message-----
From: listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
[mailto:listbounce-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx] On Behalf
Of Cedric Blancher
Sent: Tuesday, May 08, 2007 3:19 AM
To: Joshua Wright
Cc: wifisec-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@xxxxxxxxxxxxxxxx
Subject: Re: Perpetuating weak wireless security

On Monday, 07 May 2007 at 10:44 -0400, Joshua Wright wrote:
> While I haven't seen this technology in action yet, I have a pretty
> good idea how it works, and I think it's a mistake to trust said
> technology or common variants for the protection of sensitive networks.

The idea of adding dummy traffic to legit WEP traffic has been mentioned
here before. A quick answer to this could be:

1. spot real MAC addresses
2. PCAP filter your capture

I don't think they want to overload real clients and AP with dummy WEP
traffic...


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
