Archive

Posts Tagged ‘WPA2’

Blackhat 13 Wi-Fi Security Reports and Nuances of Detection Methods

September 12th, 2013

|

blackhat USA 13Shortly following the conclusion of Blackhat’13, a few articles came out reporting wireless scanning data from the venue.

  Inside the Black Hat 2013 Wi-Fi Network

  Karma is a …Errr, What We Learned at BlackHat 2013 

 

Both reports state that many security relevant events were detected in the Wi-Fi traffic during the conference. Given that Blackhat is attended by security experts, ethical hackers and just plain security geeks, finding security signatures in the traffic is not uncommon. Nonetheless, I think a few things still need to be matched up in these stats before arriving at sound conclusions.

|

1190 rogue devices detected compared to 1300 legitimate devices in 24 hours:

|

One of the articles states that: “It’s rather interesting to see an almost equal amount of rogue devices to real ones, and that is very unique”. What would be good to know is how they define ”rogue”. Depending on how you define rogue, you can call anything from a normal friendly device to a real threat posing device as a rogue.

I suspect that the definition for rogue used in the context of this report is so broad that it is classifying just about every wireless device unknown to the scanning system and seen in the airspace as rogue. But then, it is not clear why such an observation is considered “unique”. This is because, almost everyone attending Blackhat carries multiple Wi-Fi enabled devices and we cannot expect them to register each of their devices with the scanning system.

From the security perspective however, it is important not to get lost in definition of rogues, but be able to detect straight up genuine rogues (aka security threats) and not raise false alarms on normal wireless activity.

 

Fast WEP Crack (ARP Replay) Detected

|

The report also cites “most likely a security vendor demonstrating a tool”. What is perplexing is why Blackhat attendees still have interest in WEP crack tools or their antidotes, especially given that WEP has been beaten to nail and is now mostly irrelevant.

Or, it could point in the direction that the Wi-Fi community has done such solid job with security and WPA2 that hackers still think that they have to make hay out of WEP.

There is also a third possibility; that these ARPs are just part of normal Wi-Fi traffic that correlates with the signature of WEP cracking detection.

|

Spoofed MAC Address

|

Both reports state several occurrences of MAC spoofing. I suspect that these inferences are based on sequence number anomalies that were detected in the traffic. In fact, the video in one of the reports explicitly calls out sequence number anomalies. However, it’s important to note that sequence number anomaly also routinely happens due to normal traffic patterns.

Common reasons include :

  • sequence numbers fall in range 0-4096, so they wrap around very quickly making the wrap around appear like sequence number anomaly,
  • radios routinely skip sequence numbers due to implementation nuances,
  • intermediate frames may be missed because of device coming and going out of coverage making it look like a sequence number anomaly.

MAC spoofing should only be concluded after all these possibilities are eliminated.

|

Signatures and Anomaly Detection

|

Similar analysis can be performed for other anomalies detected in Blackhat traffic. In fact, this kind of analysis can be performed for several security alerts in many scanning tools and wireless security systems (may be another blog some day, I have many amusing stories to tell about these alerts :-)). The key take-away is that many times there is a leap from signatures and anomalies detected to inferring the presence of a genuine security relevant event.

Bubbleman path optionsWhose job is it to make this leap: system or admin? The need to make the leap gives rise to false alarm problem. Imagine how difficult the job of the security admins becomes when this happens in the enterprise setting! All of a sudden, the alerts also need to be chased and mitigated, not just documented in reports! These admins are also presented with the challenge of defining and tuning thresholds that are right for their environments. If admins are unable to filter false alarms and/or not get to the root causes of steady stream of alerts, it eventually leads to frustration and turning off the security system.

|

Policy Enforcing WIPS

 |

An alternative to signature and anomaly based system is policy enforcing WIPS. By de-emphasizing signature and threshold anomalies, and instead focusing on auto-classification and intrusion prevention, the policy enforcing WIPS offers strong security without overheads of threshold configuration, signature maintenance, false alarms and manual intervention.

So, to reiterate the meta level point about Wi-Fi security: “Intelligent security algorithms tall pole for effective WIPS. Dedicated scan radios otherwise only overwhelm admins with data”.

|

Hemant tall poll tweet

Wireless security , , , , , , ,

BYOD and WPA2 – not made for each other

February 21st, 2012

BYOD and WPA2: Not Made for Each Other!As the BYOD (Bring Your Own Device) tide rises, the  network and security admins wonder if their existing Wi-Fi infrastructure security will hold on. In particular, will WPA2 with PEAP, which is pretty much the norm for the Wi-Fi infrastructure security in the enterprise networks today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served the enterprise Wi-Fi security needs very well in the past several years. The forthcoming BYOD revolution however pops a new challenge for WPA2 and will require additional thinking on part of the network and security admins about how to complement PEAP to address some of the BYOD security issue. This new challenge comes from the ease with which people can bring in personal mobile devices on the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.

Read more…

Wireless security , , , , , , , ,

Wi-Fi Insecurity Wrap-up for 2010

December 27th, 2010

The year 2010 witnessed continued growth in the enterprise WiFi deployments. The growth was fueled by the latest 802.11n revision to WiFi technology in the late 2009 and ready availability of WiFi in most consumer electronic devices launched in 2010, including the smart phones, printers, scanners, cameras, tablets, TVs, etc. The year 2010 also witnessed popularity of the specialized WiFi centric devices, such as MiFi.

However, the year 2010 also has some major WiFi security revelations/incidents in its kitty, which re-emphasize the continued need for adoption of the best practices for secure Wi-Fi deployment/usage. Here is the run-down on significant WiFi insecurity events which we witnessed in 2010:

  • Windows 7 virtual WiFi can turn a machine into a soft Rogue, which took Rogue AP thinking to a new level beyond the commercially available AP hardware.
  • Insecurity exposed due to MiFi like devices after the WiFi malfunction was experienced at two major trade shows in 2010 due to these devices – the first one was Google’s first public demo of Google TV and second was iPhone 4 launch at Apple Worldwide Developers Conference. Though this manifested as performance problem, it did show how easy it had become to set up personal HoneyPot AP or Hotspot AP on enterprise premises. Read more…

Wireless security , , , , , , , , , , , , , , , , , ,

WPA2 Hole196 Webinar Q&A

August 21st, 2010

Due to the overwhelming attendance and response we got to the recent WPA2 Hole196 webinar, we did not have time to answer all the questions asked during the webinar. In this post, we are keeping our promise and answering those webinar questions.

By the way, the webinar slides and recording from this webinar as well as answers to the frequently asked questions on Hole196 and a white paper are available here.

So here we go!

Read more…

Wireless security , , , , ,

WPA2 finds itself in a “hole”! Vulnerable to insider attacks!

July 23rd, 2010

WPA2_Hole196Wi-Fi security has experienced a lot of churn over the last decade. As protocols like WEP and TKIP fell by the wayside, WPA2 emerged as the “Last Wi-Fi Security Protocol Standing.” Wi-Fi Alliance recently announced its plan to phase out WEP and TKIP, promoting WPA2 as the go-to security standard.

With solid protection in the form of AES encryption and 802.1x based authentication, there was no reason to look beyond. WPA2 did its job well keeping the bad guys outside, out of the network. And traditionally that has always been the focus of Wi-Fi security.

But…! Read more…

Wireless security , ,

WPA-PSK Passwords Now on Sale…Starting $17!

December 14th, 2009

A cloud-based service called WPA Cracker launched last week promises to crack WPA-PSK (WiFi Protected Access with Pre-Shared Keying) for you starting $17 .

Like any other password-based authentication system, WPA-PSK (and WPA2-PSK) is vulnerable to a “dictionary attack.” This is a brute force technique in which a hacker uses a dictionary or database of commonly used passwords to guess the WPA encryption key. The problem with this approach is that it might take days or weeks to crack even a moderately strong password with a typical PC.

What makes the WPA Cracker service interesting is that it provides you access to huge amount of computing power using a 400-node cluster. The service promises to parse a dictionary of 135 million passwords and email you the results in 20 minutes for $34. If that price tag sounds steep or if you are ready to wait longer, then you can pay $17 to use half the cluster and receive the results by email in 40 minutes.

The service is targeted to ethical hackers that do wireless vulnerability assessment and wireless network penetration testing for a living. But I wonder…what would keep the “unethical” hackers from misusing a cloud-based service like this.

Not every cloud has a silver lining. What do you think?

Wireless security , ,

WiFish Finder: WiFi Honeypot vulnerability assessment made simple

August 2nd, 2009

What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? The odds are very high that you don’t have an exact answer.

 

WiFish Finder is a tool for assessing whether WiFi devices active in the air are vulnerable to ‘Wi-Fishing’ attacks. Assessment is performed through a combination of passive traffic sniffing and active probing techniques. Most WiFi clients keep a memory of networks (SSIDs) they have connected to in the past. Wi-Fish Finder first builds a list of probed networks and then using a set of clever techniques also determines security setting of each probed network. A client is a fishing target if it is actively seeking to connect to an OPEN or a WEP network. Clients only willing to connect to WPA or WPA2 networks are not completely safe either!

 

To find out why – you’r welcome to try out WiFish Finder a vulnerability assessment tool built by Sohail and Prabhash, members of security research team at AirTight Networks. Sohail is presenting WiFish Finder at DefCon 2009 today. Demo version of this tool (Version 1.0) can be downloaded from http://airtightnetworks.com/fileadmin/downloads/WiFishFinder-v0.1.zip

 

Sohail is also planning to release WiFish Finder Ver 2.0 with speed, usability and feature enhancements (such as PEAP vulnerability detection) upon his return from Las Vegas. To download full featured version of WiFish Finder and for tips on protecting your laptop from Wi-Fishing attacks, visit http://www.airtightnetworks.com/wifishfinder.This URL will be operational in 4-5 days.

 

What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? Well, you only have to wait another 4-5 days to find out the answer!

 

-*- Pravin -*-

Best practices, Wireless scanning, Wireless security , , , , , , , , ,