Wi-Fi WPA2 Vulnerability Found

← Back to Stories (view on slashdot.org)

Wi-Fi WPA2 Vulnerability Found

Posted by kdawson on Saturday July 24, 2010 @11:43AM from the keep-your-enemies-closer dept.

BobB-nw sends along news based on yet another press release in advance of the Black Hat conference: a claimed vulnerability in WPA2 Enterprise that leaves traffic open to a malicious insider. "...wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available. Malicious insiders can exploit the vulnerability, named 'Hole 196' by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight. 'There's nothing in the standard to upgrade to in order to patch or fix the hole,' says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a 'zero-day vulnerability that creates a window of opportunity' for exploitation." Wi-Fi Net News has some more detail and speculation.

155 of 213 comments (clear)

so, not a hole by Bizzeh · 2010-07-24 11:48 · Score: 2, Insightful

so rather than a hole, its more a forced proxy? a user who knows your password, is decrypting your traffic, and re-broadcasting it with different content... if this user has your password, you need to have a think about who you give your password to

--
portfolio
1. Re:so, not a hole by Iwanowitch · 2010-07-24 12:02 · Score: 5, Insightful
  
  Unless the wifi network is at a Starbucks, a university or a corporation.
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  
  --
  One CS student VS 893 DOS games: Let's play oldies
2. Re:so, not a hole by davester666 · 2010-07-24 12:08 · Score: 1
  
  "internal, authorized Wi-Fi user"
  This would be a person with the password to your Wi-Fi network.
  
  --
  Sleep your way to a whiter smile...date a dentist!
3. Re:so, not a hole by Kral_Blbec · 2010-07-24 12:11 · Score: 1
  
  > ...if this user has your password...
  Where does it say that?
  
  whereby an internal, authorized Wi-Fi user
  This is stupid. Its basicly saying that if someone knows your wireless key they can decrypt your wireless traffic. Any web based email should use another layer of encryption via https anyway. I'm too lazy to read the article, but is there mention of if it is for WPA2 personal or enterprise?
4. Re:so, not a hole by yuhong · 2010-07-24 12:13 · Score: 1
  
  Except that they don't need your password, all they need is access to any user account on your WPA(2) network to sniff the Wi-Fi traffic of any other user.
5. Re:so, not a hole by Culture20 · 2010-07-24 12:14 · Score: 4, Insightful
  
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  How's he do that? Am I relying on WPA2 as my only encryption across the 'net?
6. Re:so, not a hole by Anonymous Coward · 2010-07-24 12:14 · Score: 2, Insightful
  
  Not through my SSL or VPN connection, he can't.
7. Re:so, not a hole by WrongSizeGlass · 2010-07-24 12:16 · Score: 1
  
  I'm too lazy to read the article, but is there mention of if it is for WPA2 personal or enterprise?
  Enterprise. From the first line of the summary: a claimed vulnerability in WPA2 Enterprise that leaves traffic open to a malicious insider. .
8. Re:so, not a hole by Anonymous Coward · 2010-07-24 12:28 · Score: 1, Insightful
  
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  How's he do that? Am I relying on WPA2 as my only encryption across the 'net?
  if you're dumb enough to do that for anything important to you, especially when using a wireless network you do not own, then you pay the stupidity tax. that's all. seems fair enough to me so long as no one is representing WPA2 as the be-all and end-all of perfect security, and in that case the unfairness is limited to that person or corporation only.
9. Re:so, not a hole by fwr · 2010-07-24 12:30 · Score: 5, Interesting
  
  Sigh. Understand the protocol before commenting, or at least RTFA. There IS an individual key per user. But, there is also a shared key used for broadcast traffic. The problem is that the shared key is not authenticated, so a user who knows the shared key (i.e., anyone with access to the wireless network), can use the shared key to spoof the AP and send messages to other users, and force them to give up or change their unique per-user keys. A "fix" would be getting rid of the shared key for broadcast, but that would require the AP to send a separate "broadcast" packet to each user individually, using their unique per-user key, instead of just one packet.
10. Re:so, not a hole by John+Hasler · 2010-07-24 12:34 · Score: 1, Troll
  
  > Understand the protocol before commenting, or at least RTFA.
  What, and break with Slashdot tradition? Don't be silly.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
11. Re:so, not a hole by jijacob · 2010-07-24 12:42 · Score: 4, Insightful
  
  ssh -D is just a terminal away.
12. Re:so, not a hole by houghi · 2010-07-24 13:03 · Score: 1, Insightful
  
  Yeah, stupid standard users who have no idea. Luckily we are the elite, so we are not affected. Right?
  
  --
  Don't fight for your country, if your country does not fight for you.
13. Re:so, not a hole by Anonymous Coward · 2010-07-24 13:07 · Score: 2, Funny
  
  Creepy guy? Wow, you sound like an ignorant female. Laughing aloud.
14. Re:so, not a hole by MagicM · 2010-07-24 13:11 · Score: 2, Insightful
  
  can use the shared key to spoof the AP and send messages to other users, and force them to give up or change their unique per-user keys
  I haven't read the spec, but it seems odd that per-user keys would be given up or changed in response to a broadcast message. Could this attack be mitigated by only performing these kinds of actions in response to direct, non-broadcast messages?
15. Re:so, not a hole by blai · 2010-07-24 13:31 · Score: 1
  
  given that you trust what the server does with you?
  
  --
  In soviet Russia, God creates you!
16. Re:so, not a hole by greentshirt · 2010-07-24 13:43 · Score: 1
  
  whoosh
17. Re:so, not a hole by bitslinger_42 · 2010-07-24 14:19 · Score: 2, Interesting
  
  The real fix would be to get users to realize that there's no such thing as a secret when you're yelling loud enough that people a half a block away can hear you. Even if you're talking in code, chances are, if someone really wants to screw with you, they'll figure out how.
  Wireless networking is a convenience, and at Layer 2, there probably isn't much that can be done to secure traffic. If you want secure, either use your own encryption (IPSEC, SSL/TLS, SSH, etc.) or use a wire.
18. Re:so, not a hole by RAMMS+EIN · 2010-07-24 14:27 · Score: 1
  
  ``Unless the wifi network is at a Starbucks, a university or a corporation.
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.''
  Not unless he also knows how to break SSL. I've never assumed that any path between me and my mail server was secure, whether wired or wireless, WEP or WPA. So I only read mail over end-to-end encrypted protocols. Of course, most people still send e-mail through unencrypted SMTP, and without very reliable authentication, so I assume neither that e-mail is private, nor that it comes from whom it purports to come from. The protocols just don't work that way.
  
  --
  Please correct me if I got my facts wrong.
19. Re:so, not a hole by squiggleslash · 2010-07-24 14:32 · Score: 4, Interesting
  
  In my experience, the most popular email system out there is Yahoo! Mail, and the web interface doesn't do any encryption except for the logging in process.
  Frankly though, email should generally be considered insecure anyway. It's usually transmitted, somewhere along the chain, in plain-text, and you only have (limited) control over your own connection, not the connection of the party you're communicating with. The pseudo-elitists posting here claiming that they're OK because, unlike the great unwashed, they use HTTPS when they connect to their web mail, are fooling themselves.
  
  --
  You are not alone. This is not normal. None of this is normal.
20. Re:so, not a hole by dissy · 2010-07-24 14:32 · Score: 1
  
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  And that is different from yesterday (before the exploit was known) how exactly?
  That person not using encryption could and did have their email intercepted already. So add one more unknown person to the mix, its not any worse than before.
  This is why one should use encryption. If the atom 'grandma wants to check email and encryption is too hard' is actually still true, then the problem is lack of encryption. Adding one more layer of no encryption is not the thing making the situation worse.
21. Re:so, not a hole by squiggleslash · 2010-07-24 14:38 · Score: 1
  
  Hmm, that worries me. Can you tell me whether it's regular WPA, or WPA2 that's affected? Also should I be worried about malicious insiders hacking my network with this exploit?
  
  --
  You are not alone. This is not normal. None of this is normal.
22. Re:so, not a hole by Nyder · 2010-07-24 14:47 · Score: 5, Insightful
  
  Unless the wifi network is at a Starbucks, a university or a corporation.
  That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  No, the creepy guy sitting 2 tables from you? he's just viewing porn.
  See that nice dressed business woman? She's stealing your data.
  
  --
  Be seeing you...
23. Re:so, not a hole by sumdumass · 2010-07-24 15:01 · Score: 1
  
  Look up a pineapple and it should give you a hint. Oh yea, your probably going to want to view the revision3 results.
  Anyways, if I have access to the wifi, I can easily trick you into connecting to my access and then I'm your encrypted endpoint. WPA2 works, but I moved the middle and end points for a classic attack.
24. Re:so, not a hole by WrongSizeGlass · 2010-07-24 15:23 · Score: 1
  
  You should be worried about malicious insiders, hackers, men in black suits, men in clown suits, clowns in swimsuits and frogs that claim to be princes.
25. Re:so, not a hole by zippthorne · 2010-07-24 15:40 · Score: 1
  
  Yeah, but you have to remember to add your key to known_hosts *before* you visit the coffee shop, though.
  
  --
  Can you be Even More Awesome?!
26. Re:so, not a hole by mr+exploiter · 2010-07-24 15:40 · Score: 1
  
  I don't see how is this would fix anything. This looks more like a jerk reaction... It's too difficult to get wireless security right so let's give up and use cables instead.
27. Re:so, not a hole by zippthorne · 2010-07-24 15:47 · Score: 4, Interesting
  
  So.. its the same as the wired ethernet, then? Except that instead of just plugging in a wire and sniffing away, it takes a small amount of effort?
  I guess "WiFi is slightly safer than wired networks, when it comes to malicious peers" isn't quite as attention grabbing a headline.
  
  --
  Can you be Even More Awesome?!
28. Re:so, not a hole by mr+exploiter · 2010-07-24 15:51 · Score: 2, Insightful
  
  Am I the only who thought that WPA didn't protected against what this "attack" is doing? I'm not convinced either that this is a real vulnerability.
29. Re:so, not a hole by buchner.johannes · 2010-07-24 17:39 · Score: 1
  
  unless wifi spots think internet access means web access
  
  --
  NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
30. Re:so, not a hole by Mr.+Freeman · 2010-07-24 17:54 · Score: 1
  
  Aren't those completely open APs anyway?
  
  --
  -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
31. Re:so, not a hole by Anpheus · 2010-07-24 18:01 · Score: 1
  
  If you managed to break public key cryptography, do tell. I assure you, you'll be quite famous.
32. Re:so, not a hole by Your.Master · 2010-07-24 18:22 · Score: 2, Insightful
  
  Pedestrians should look both ways before they cross the road and observe the local traffic laws and customs. That's taking an active interest in your own personal security. But also, vehicle operators should be wary of pedestrians and certainly try not to run them over, even if they don't look both ways.
  The problem here isn't that we shouldn't strive to educate users. The problem is that the user being poorly educated in these matters isn't an excuse for running somebody over.
33. Re:so, not a hole by hitmark · 2010-07-24 20:16 · Score: 3, Insightful
  
  depends on how diligently one checks the certificates.
  
  --
  comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
34. Re:so, not a hole by hitmark · 2010-07-24 20:19 · Score: 1
  
  depends, are we talking hub or switch?
  
  --
  comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
35. Re:so, not a hole by Mr2001 · 2010-07-24 20:29 · Score: 1
  
  A "fix" would be getting rid of the shared key for broadcast, but that would require the AP to send a separate "broadcast" packet to each user individually, using their unique per-user key, instead of just one packet.
  How about just signing the important AP broadcast messages with a private key unique to the AP, so they can still be broadcast but the recipients can verify that they're not spoofed?
  
  --
  Visual IRC: Fast. Powerful. Free.
36. Re:so, not a hole by silverdr · 2010-07-24 20:38 · Score: 2, Interesting
  
  > That creepy guy sitting two tables from you at the coffee shop? He can now read your e-mail.
  
  Can he?
  
  Ah - you wrote "_your_ e-mail", right? I am pretty sure he can't do much of reading of _my_ e-mail based on this particular exploit.
  
  And if _you_ rely on WPA (or whatever) within your (W)LAN to protect you from unauthorised reading of your e-mail, then you should really reconsider your approach to data security.
  
  --
  Now, mod me down freely. My karma can't get any worse...
37. Re:so, not a hole by Anne+Thwacks · 2010-07-24 21:18 · Score: 3, Insightful
  
  you'll be quite famous.
  or assassinated
  
  --
  Sent from my ASR33 using ASCII
38. Re:so, not a hole by Sique · 2010-07-24 21:26 · Score: 1
  
  We are talking switch here:
  monitor session 1 source interface Gi0/1 - 23 monitor session 1 destination interface Gi0/24
  
  --
  .sig: Sique *sigh*
39. Re:so, not a hole by Anonymous Coward · 2010-07-24 21:43 · Score: 1, Insightful
  
  Yeah, but when a woman does it, it's hot!
40. Re:so, not a hole by hitmark · 2010-07-24 22:16 · Score: 1
  
  that would indicate that your inside the settings of the switch, iirc. Thats a bit more access then just plugging a computer in and setting it to sniff any traffic it see.
  
  --
  comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
41. Re:so, not a hole by amorsen · 2010-07-24 22:30 · Score: 3, Informative
  
  Do not rely on switches for security within a particular VLAN, unless you go high-end and really know what you are doing. There are a million ways to beat switch "security", including mac spoofing, forcing the switch to flood traffic, fake DHCP, fake ARP, fake RA or ND (on IPV6). Each of those attacks can be stopped by a sufficiently clever and well-configured switch, although right now it is difficult to find one that can do RA and ND protection.
  
  --
  Finally! A year of moderation! Ready for 2019?
42. Re:so, not a hole by nstlgc · 2010-07-24 22:53 · Score: 4, Funny
  
  No, the creepy guy sitting 2 tables from you? He's viewing *your* porn.
  
  --
  I'm Rocco. I'm the +5 Funny man.
43. Re:so, not a hole by RAMMS+EIN · 2010-07-24 23:25 · Score: 2, Insightful
  
  Correct. I have actually worked at organizations where they used a certificate signed by their own certificate whenever you accessed something over HTTPS. And since they had added their certificate to the trusted list in Internet Explorer, very few people actually noticed. I did not access my e-mail or enter any passwords not already known to those organizations over those links.
  
  --
  Please correct me if I got my facts wrong.
44. Re:so, not a hole by eulernet · 2010-07-25 00:28 · Score: 2, Funny
  
  See that nice dressed business woman? She's stealing your data.
  You are wrong, they mention man-in-the-middle-style, not woman-in-the-middle-style.
45. Re:so, not a hole by TheTrueScotsman · 2010-07-25 01:11 · Score: 1
  
  That's as maybe. But then, what about Eve?
46. Re:so, not a hole by icebraining · 2010-07-25 01:23 · Score: 4, Informative
  
  Tunneling SSH over an HTTP-Proxy Server
  
  --
  Dilbert RSS feed
47. Re:so, not a hole by clang_jangle · 2010-07-25 02:43 · Score: 1
  
  The problem here isn't that we shouldn't strive to educate users. The problem is that the user being poorly educated in these matters isn't an excuse for running somebody over.
  The "problem" to which you refer is an integral part of human nature. So essentially you're saying "it should be like this", which of course is no help at all. It is the way it is and in light of that it's apparent that the average user is indeed to blame when they get pwned. Any other conclusion is just silly.
  
  --
  Caveat Utilitor
48. Re:so, not a hole by Sir_Lewk · 2010-07-25 03:59 · Score: 1
  
  If he tells, then the cat will be out of the bag and assassination would be pointless. Now if he keeps it a secret....
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
49. Re:so, not a hole by marcosdumay · 2010-07-25 10:41 · Score: 1
  
  Eve is the men-in-the-middle. Or do you have anything against his name?
  
  --
  Rethinking email
50. Re:so, not a hole by Matey-O · 2010-07-25 10:46 · Score: 1
  
  He already could...you're not USING WPA2-enterprise at Starbucks.
  
  --
  "Draco dormiens nunquam titillandus."
51. Re:so, not a hole by sjames · 2010-07-25 14:12 · Score: 1
  
  Not that password, the shared secret on your wireless link to the AP. The problem is that anyone with access to that AP can spoof the AP so that you (actually your 802.11 stack) exchange the shared secret with it.
  Unfortunately, this is a design flaw rather than an implementation bug, so if you're not vulnerable, you're violating the spec.
52. Re:so, not a hole by Rene+S.+Hollan · 2010-07-25 15:07 · Score: 1
  
  Indeed. I work for a firewall manufacturer where our product can be configured to do this. The idea is to block "objectionable" content and detect viruses in HTTPS traffic.
  So, we intentionally set up a man in the middle, that your IT department has your browser trust. Checking the cert hierarchy will make this clear.
  Of course, the better employers will tell you that they are doing this.
  
  --
  In Liberty, Rene
53. Re:so, not a hole by QuietObserver · 2010-07-25 15:08 · Score: 1
  
  From Hoodwinked:
  Nicky Flippers: We don't arrest people for being creepy.
  Tommy: [into walkie-talkie] Yeah, Bruce, you know that guy we got in the tank?
  Bruce: [over walkie-talkie] Ah, the creepy one?
  Tommy: Yeah, better let him go.
54. Re:so, not a hole by Andy+Dodd · 2010-07-26 02:14 · Score: 1
  
  Starbucks doesn't use encryption last time I checked. The AP is open, access control is handled at the router. (You're "blackholed" in an isolated network until you pay or, since I think they have limited free service, click through a Terms of Use.)
  
  --
  retrorocket.o not found, launch anyway?
55. Re:so, not a hole by wastedlife · 2010-07-26 04:23 · Score: 1
  
  There is this thing, called the "Shift" key, that you hold down while typing the first letter of a sentence. It is very simple to do and vastly improves readability. Once you have mastered this, we can get into the finer points of capitalization, such as capitalizing proper nouns. I see you already have a decent grasp of punctuation and paragraphs, so I will give you some points for that.
  If you are going to rant about how anyone can educate themselves to use tools such as computers properly, you should educate yourself on how to convey your thoughts in a way that people will be more willing to read.
  
  --
  Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
56. Re:so, not a hole by mldi · 2010-07-26 06:36 · Score: 1
  
  Frankly though, email should generally be considered insecure anyway. It's usually transmitted, somewhere along the chain, in plain-text, and you only have (limited) control over your own connection, not the connection of the party you're communicating with. The pseudo-elitists posting here claiming that they're OK because, unlike the great unwashed, they use HTTPS when they connect to their web mail, are fooling themselves.
  Well, just checking it can be considered secure, so as to the relevancy of TFA, I would feel fine using HTTPS to check my webmail over a wi-fi connection that I do or do not own. Sending/receiving mail (via webmail) over that same HTTPS connection isn't any less secure than a connection at home either when speaking in context of the actual SMTP transmission. That is, unless you're using your own machine as the mail server for whatever reason.
  Not disagreeing, just noting the context in the spirit of TFA.
  
  --
  If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
57. Re:so, not a hole by greentshirt · 2010-07-26 19:28 · Score: 1
  
  Too long, did not read, but you should get a hobby, or a penpal, or a gaming console, and probably visit with a professional who can tell you why you felt so compelled to write that mini-novel.
Re:WTF by Anonymous Coward · 2010-07-24 11:54 · Score: 2, Funny

You have an awfully low UID for such a huge troll!
Re:WTF by MadGeek007 · 2010-07-24 11:56 · Score: 1

No. Humans make mistakes; it's a natural fact of life. To expect anything to be flawless is foolish.
Re:WTF by AnonymousClown · 2010-07-24 11:56 · Score: 1

Can't anybody design any piece of hardware or software that does not have some lame vulnerability?
I have. The program is called One.
Basically, it's an NPN transistor that has a voltage that goes to its base. Its collector is connected to 6V and its emitter is connected to ground. There's a 1K resistor connected to the base and emitter.
It's a binary one and it's hack proof.
Genius huh?
Next, I'll be showing my 1 pixel digital image called: One.
I'm gonna be rich!

--
RIP America
July 4, 1776 - September 11, 2001
Re:WTF by sakdoctor · 2010-07-24 11:57 · Score: 1

Hans R Camenzind?
Re:WTF by The+MAZZTer · 2010-07-24 11:57 · Score: 1

What about if the power fails?
Not that big a deal... by Denis+Lemire · 2010-07-24 11:59 · Score: 4, Insightful

This vulnerability is only useful if the attacker knows your WPA key. In other related news, it has been discovered that those who know your root password can delete all your files.
1. Re:Not that big a deal... by tagno25 · 2010-07-24 12:06 · Score: 2, Interesting
  
  This vulnerability is only useful if the attacker knows your WPA key.
  This is for WPA2-EAP (may or may not cover WPA2-PSK). So they need a valid username and password, not just a key.
2. Re:Not that big a deal... by maximander · 2010-07-24 12:13 · Score: 5, Interesting
  
  When I give someone my root password, I assume they can delete all my files.
  When I give them a limited shell account and set permissions correctly, I don't make that assumption.
  This exploit is more like the later than the former: WPA was supposed to keep traffic of each individual user safe, and now it doesn't.
3. Re:Not that big a deal... by Denis+Lemire · 2010-07-24 12:22 · Score: 5, Insightful
  
  M'eh, if you have anything sensitive that you're sending over the network it should be sent securely, period. ie) via SSH, HTTPS, etc... Otherwise, you're just doing it wrong.
  Having an additional layer like WPA provided is indeed a nice thing, but this being compromised isn't the end of the world. I'd be far more concerned if there was a vulnerability that allowed someone to bypass WPA all together and connect to a network in which he or she isn't authorized.
  The encryption of the traffic itself really isn't that much of a selling point when it'll continue across the wired network in the clear once it hits the router or switch upstream. Encryption that isn't end-to-end really isn't worth the time spent talking about it.
4. Re:Not that big a deal... by Shakrai · 2010-07-24 12:26 · Score: 1
  
  M'eh, if you have anything sensitive that you're sending over the network it should be sent securely, period. ie) via SSH, HTTPS, etc... Otherwise, you're just doing it wrong.
  So I should put an ssh/ssl tunnel between my laptop users and our Windows file server?
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
5. Re:Not that big a deal... by Kral_Blbec · 2010-07-24 12:31 · Score: 1
  
  Yeah, but this could mean that any wireless network you don't have complete control over (public hotspots, etc.) are effectively compromised even if the wireless link is encrypted with WPA2.
  Of course, using a VPN would negate the problem, but I suspect that a significant number of public wi-fi users don't use a VPN as well.
  No, it means that they are remotely possibly compromised.
6. Re:Not that big a deal... by Shadyman · 2010-07-24 12:42 · Score: 2, Insightful
  
  "When I give them a limited shell account and set permissions correctly, I don't make that assumption."
  
  Isn't the idea to always expect the worst? I'd tend to assume that if I give anyone any access at all, that they will find a way to break it.
7. Re:Not that big a deal... by Denis+Lemire · 2010-07-24 12:46 · Score: 1
  
  That or replace your Windows file server with something trustworthy. ;)
  Actually, I may have to claim ignorance here as I haven't looked into it recently, is there STILL no crypto available in SMB/CIFS traffic?
  If not then perhaps IPSEC between your Windows servers and clients, it's a probably a hassle to setup, but it would give you another layer of security. I've never trusted wireless enough to do sensitive data transfers using non-secure protocols. Guess that's why I don't see this as a big deal. Just business as usual.
8. Re:Not that big a deal... by yuhong · 2010-07-24 12:47 · Score: 1
  
  Only if something like people connecting to the wired network and running packet sniffers is a concern.
9. Re:Not that big a deal... by yuhong · 2010-07-24 12:51 · Score: 5, Insightful
  
  Yep, WEP stood for Wired Equivalent Privacy, which was all it and WPA(2) was intended to provide, nothing more.
10. Re:Not that big a deal... by Denis+Lemire · 2010-07-24 13:01 · Score: 1
  
  Exactly...
11. Re:Not that big a deal... by John+Hasler · 2010-07-24 13:21 · Score: 1
  
  > Isn't the idea to always expect the worst? I'd tend to assume that if I give
  > anyone any access at all, that they will find a way to break it.
  The worst would be to assume that they will find a way to break it no matter what you do even with no access at all and so it is all hopeless.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
12. Re:Not that big a deal... by John+Hasler · 2010-07-24 13:25 · Score: 3, Insightful
  
  It's "Wired Equivalent Privacy" only if your idea of "wired privacy" involves dangling a cable out the window down into the alley behind the building.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
13. Re:Not that big a deal... by blacklint · 2010-07-24 13:35 · Score: 4, Interesting
  
  It used to be that an enterprise WPA2 network had a similar level of privacy to a switched wired network, where individual users couldn't see each other's traffic. Now it is equivalent to a network with hubs, allowing connected users to see each other's traffic.
14. Re:Not that big a deal... by yuhong · 2010-07-24 13:40 · Score: 1
  
  This seems like a packet injection attack to me.
15. Re:Not that big a deal... by yuhong · 2010-07-24 13:41 · Score: 1
  
  Are you talking about the WEP security holes found over the last few years? That was not what I am talking about.
16. Re:Not that big a deal... by GNUALMAFUERTE · 2010-07-24 13:51 · Score: 1
  
  Yes, but first you have to get rid of windows.
  
  --
  WTF am I doing replying to an AC at 5 A.M on a Friday night?
17. Re:Not that big a deal... by mysidia · 2010-07-24 15:12 · Score: 1
  
  This is more like: when you let a user plug into your network, there is a possibility of them using ARP Hijacking or IP Spoofing to capture traffic intended for another computer on the same subnet.
  In many ways, this is just a wireless protocol equivalent of ye' old ARP hijack.
  But I don't see anyone around shouting about how the Ethernet protocol is broken and needs this security hole in the protocol to be fixed.
18. Re:Not that big a deal... by amorsen · 2010-07-24 22:38 · Score: 2, Interesting
  
  Actually it seems that WPA2 enterprise is exactly like a switched wired network. The casual users can't see each others traffic, but the knowledgeable can see everything. Unless there's an ubergeek doing the switch administration (which generally doesn't happen outside academia) and the switch is really good (which is rarely the case in academia).
  
  --
  Finally! A year of moderation! Ready for 2019?
19. Re:Not that big a deal... by slater86 · 2010-07-25 02:05 · Score: 1
  
  Kinda sounds the same as people foolishly relying on switches (as opposed to hubs) for keeping malicious users from sniffing username/password combos going by. Just use ssl over the top and you're good to go still. Multiple layer is for a reason.
  
  --
  When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
20. Re:Not that big a deal... by sjames · 2010-07-25 14:27 · Score: 1
  
  Oddly enough, plenty of people (including professionals) think that WPA is a magic bullet that protects you from others on the same AP as well as outsiders.
  They're wrong.
home router still safe by faber0 · 2010-07-24 12:00 · Score: 1

your home wpa2/psk environment is still safe, so don't worry about your neighbours virtual break-in.....
Yawn by Jeffrey+Baker · 2010-07-24 12:03 · Score: 2, Insightful

In other news, people on your wired ethernet segment can also see your "private" traffic. If you care so much, use SSL. Next scaremongering non-story in 3, 2, 1.
Re:WTF by MichaelSmith · 2010-07-24 12:05 · Score: 1

Mine doesn't make me happy at all.

--
http://michaelsmith.id.au
Michael Jackson said it best by CaptSaltyJack · 2010-07-24 12:05 · Score: 5, Funny

"I'm starting with the man in the middle
I'm asking him to change his ways
Every packet is encrypted just a little
If you wanna make your network a safer place
Find the man in the middle and punch his face."
1. Re:Michael Jackson said it best by vivek7006 · 2010-07-24 12:45 · Score: 1
  
  U sir are my new hero!
2. Re:Michael Jackson said it best by PJ6 · 2010-07-24 14:37 · Score: 1
  
  You, sir, are one of the reasons I actually read the comments here :)
3. Re:Michael Jackson said it best by AmberBlackCat · 2010-07-24 14:40 · Score: 1
  
  If your comment had a "Like" button, I'd click it.
4. Re:Michael Jackson said it best by Dusty101 · 2010-07-25 04:47 · Score: 1
  
  That just made my day.
  Maybe I should get out more, though?
I don't understand how it could be possible... by John+Hasler · 2010-07-24 12:09 · Score: 1

...even in principle to create a secure over-the-air encryption system with no out-of-band key exchange. Does there exist a proof of this?

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. Re:I don't understand how it could be possible... by fwr · 2010-07-24 12:26 · Score: 2, Interesting
  
  There is an out-of-band key exchange. It is called a trusted certificate. You know, just like how HTTPS works. This is for WPA2 Enterprise, of which there are many different EAP methods possible, but for which most do include an out of band key exchange (i.e., certificates, or EAP-FAST PAK). In any case, there's also the old DH key exchange, which worked fine for IPsec for years.
2. Re:I don't understand how it could be possible... by John+Hasler · 2010-07-24 12:49 · Score: 1
  
  Ok. I was thinking of "personal" mode (I don't use wireless at all, myself).
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
3. Re:I don't understand how it could be possible... by selven · 2010-07-25 09:18 · Score: 1
  
  Each user has a pair of cryptographic keys--a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot be feasibly (ie, in actual or projected practice) derived from the public key.
  Public Key Cryptography.
Re:WTF by Anonymous Coward · 2010-07-24 12:18 · Score: 1, Funny

You are the humanity's last hope as time and time again those "incompetent" engineers have failed us. This is how it's going to happen. You will get an EE degree from college. Then move onto graduate school to get a PhD in EE. Then you will become an EE professor. After 20 ~ 30 years of excellent productivity of research, you will become a chairman of IEEE and make sure that the published networking protocols are free of any vulnerabilities. Let me know how far you were able to manage through this process.
Re:WTF by MadGeek007 · 2010-07-24 12:30 · Score: 1

Good point. That made me think. On the surface there is nothing wrong with a hello world program. However, technologies are only as effective, secure, and efficient as the systems on which they depend.

Believe it or not, I'm a "glass half full" kind of guy; I'm just paranoid :)
Re:WTF by mortonda · 2010-07-24 12:32 · Score: 3, Funny

nah, things went downhill about the 50k mark... ;)
Re:WTF by Mr.+Vage · 2010-07-24 12:40 · Score: 1

That's simply a demo of his next project, Zero.
Re:WTF by AHuxley · 2010-07-24 12:46 · Score: 1

Sure category 6 cable. As for wifi your right, why is it so hard to encrypt as needed, are chips that expensive per unit and cryptography developers that rare?

--
Domestic spying is now "Benign Information Gathering"
Mommy! by Konster · 2010-07-24 12:48 · Score: 1

Mommy, Jimmy's sniffing my packets again, make him stop!
1. Re:Mommy! by Andorin · 2010-07-24 13:37 · Score: 1
  
  ...yuck.
  
  --
  That Anonymous Coward guy is pretty annoying. Can we have the government censor him or something?
Actually makes a bit of sense if you can't enforce by dbIII · 2010-07-24 12:49 · Score: 1

Actually that's not entirely a bad idea.
One frequent problem is that many people that think they are too important to obey pesky IT rules and they will give out the WPA key to any visitor that wants to check their email. Thus you have to assume to a point that the network is open and restrict things to certain MAC addresses or similar anyway.
Assuming the wireless network is completely open (but not actually doing so), sticking it on the outside of a firewall and letting laptop users in with some sort of VPN actually makes a bit of sense.
Re: I will make sure he is gonna look like by caekys · 2010-07-24 12:58 · Score: 1

I will make sure he is gonna look like Michael Jackson himself, after I am done.
Re:Actually makes a bit of sense if you can't enfo by yuhong · 2010-07-24 13:01 · Score: 1

Or just create separate open wireless networks outside the firewall for visitors along with the WPA(2) wireless networks.
VPN by Jaime2 · 2010-07-24 13:07 · Score: 5, Insightful

I've been telling people to use VPN over WiFi connections forever. Even better, put your wireless devices on the outside of the firewall, so they have no choice but to VPN in. This also makes giving a random guest access to your wireless no big deal. Any one who thinks wireless networking will ever be safer than an old-fashioned hub is deluding themselves.
1. Re:VPN by zippthorne · 2010-07-24 15:57 · Score: 1
  
  But the article pretty clearly demonstrates that it already is safer than the old-fashioned hub: with the old fashioned hub, every computer can hear every other computer, and nobody encrypts anything at all by default. Even with the new exploit, there are some parts of the communication that still aren't compromised by a malicious peer, which is something that wired "hub" networks really can't claim. (switched networks OTOH, if you've got enough switches...)
  Also, with VPN, once someone is connected to the VPN, they're another peer, just like a wired peer. I fail to see how you get any benefit to your proposed solution to the problem.
  
  --
  Can you be Even More Awesome?!
2. Re:VPN by fonos · 2010-07-24 17:26 · Score: 1
  
  Also, with VPN, once someone is connected to the VPN, they're another peer, just like a wired peer. I fail to see how you get any benefit to your proposed solution to the problem.
  The benefit of the VPN is that it encrypts your traffic so that someone using this exploit wouldn't be able to see and manipulate your traffic.
3. Re:VPN by phoenix321 · 2010-07-24 21:14 · Score: 1
  
  This seems like an old case of "never trust the client".
  A wireless LAN client is by default a mobile computer. Only lazy or stingy companies would connect stationary computers by wireless.
  A mobile computer will leave the company with its employee on business trips or weekends, otherwise they wouldn't need a mobile one. It will then need to connect to an external network, hotspot or 3G link. (Except for the rare case of purely internal mobility on large campuses protected by armed guards with bag and suitcase inspection on every leave)
  A computer that has left the direct observable company area and/or connected to an external network is by definition a piece of untrusted equipment. It may be a bit more trusted or secure than a computer connecting from a public Internet cafe somewhere in rural Nigeria, but not by a large margin.
  A company is foolish if it allows a mobile computer to behave as a truly internal, trusted resource and operate on sensitive corporate data or transfer any data outside the data center.
  A company is also foolish if it allows a stationary computer to do the same, since no computer is truly stationary or physically impenetrable unless you weld shut the case and bolt it on the ceiling.
  You either control the workplace environment and all things and data going in and out - which you can't above a certain size threshold or budget - or you take measures to keep the data in your data center where you *can* do that.
  That's why I'm a big fan of virtualized desktops and a two-factor authentication for the users. Virtualized desktop sessions will also protect the data in transit, end-to-end, using a password or other secret communicated out of band.
  After that, security between client computer and network doesn't matter that much anymore. Even keyloggers would not be able to extract any existing data, only newly typed text. It would take full-screen video capturing with OCR to make out any secrets and even then only the documents the user opens and views in that session. Both could be attained easier and less noticeable by shoulder-surfing or hiding cameras in the room, so I'm not too worried about it.
4. Re:VPN by Anne+Thwacks · 2010-07-24 21:26 · Score: 1
  
  Any one who thinks wireless networking will ever be safer than an old-fashioned bath tub is deluding themselves.
  There, thats fixed it for you!
  
  --
  Sent from my ASR33 using ASCII
5. Re:VPN by ensignyu · 2010-07-25 00:03 · Score: 1
  
  I'd be nice if I could allow people to use my wifi network, but ONLY to VPN to their own network. That way, they could use it to get connectivity but can't do stupid stuff using my IP address (for the same reason that some sites block Tor exit nodes).
6. Re:VPN by Charliemopps · 2010-07-25 00:19 · Score: 1
  
  Thats the problem with wireless security, it simply makes people feel safe when they are not. All it does is keep the neighbors from spying on what your doing. Anyone with even the slightest skill and motivation can intercept just about everything you're doing over a wireless connection.
7. Re:VPN by Sancho · 2010-07-25 02:21 · Score: 1
  
  Are you actually saying that a virtual machine is safe from the host on which it runs?
8. Re:VPN by evilviper · 2010-07-25 05:47 · Score: 1
  
  Any one who thinks wireless networking will ever be safer than an old-fashioned hub is deluding themselves.
  Care to explain how you can say that "VPN" over WiFi is safe, but WiFi can never be safe?
  If the computational requirements weren't so high, there's nothing stopping WiFi manufacturers from integrating IPSec, or similarly well-proven network protocols into the standard.
  And yes, I would say that WiFi with elementary encryption is more secure than a HUB of all things... While people don't typically know how to do it, there's not much stopping someone from picking-up the RF signal off a piece of CAT-5, from outside your building... That's how a cable tracer works to begin with.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
9. Re:VPN by Jaime2 · 2010-07-25 06:41 · Score: 1
  
  Care to explain how you can say that "VPN" over WiFi is safe, but WiFi can never be safe?
  History. People always seem so optimistic that the current flaws of wireless will be solved in the next six months, but they never are. I remember talking to friends ten years ago and listening to "pretty soon everything will be wireless". Since then, wireless has gone from 11Mb/s to 150Mb/s, where very few people get 150 in real life, plus it's shared bandwidth. Wired networking has gone to 1Gb/s as the cheap standard and 10Gb/s readily available in the wiring closet, this is dedicated bandwidth as everything is switched nowadays.
  
  Wireless security has gone the same direction -- IPSec has been around longer than 802.11 (1995 vs. 1997). I can't remember any major attacks against IPSec in the 15 years it has been around, but every wireless security protocol has had at least one. Since the hardware vendors have refused to include a sane protocol, I've been recommending using one on top of wireless forever. The day a real end-to-end security protocol is included with a wireless standard, I'll change my recommendation. I'm not holding my breath, as the goal of wireless security is to keep unauthorized people off the network, not to protect each data stream from each other.
  
  As for picking up CAT-5 signals from outside the building -- most offices have hundreds of CAT-5 wires running in bundles for much of their total distance. It would take some pretty hardcore equiptment to pick up a single data stream without the ability to wrap a pickup coil around a single wire. All it takes to pick up wireless network signals is a $30 card that comes preinstalled on laptops.
Re:Actually makes a bit of sense if you can't enfo by Shakrai · 2010-07-24 13:10 · Score: 1

One frequent problem is that many people that think they are too important to obey pesky IT rules and they will give out the WPA key to any visitor that wants to check their email.

Most enterprise grade access points will support multiple SSIDs and VLANs. It's child's play to setup a VLAN for guests that provides internet access without putting them on your corporate network. I did this at my job because I was sick of explaining to the bosses why it was a bad idea to put vendors and salespeople on our corporate network just so they could check their e-mail. It took all of ten minutes to setup with Cisco access points, switches and routers.

--
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Re:Actually makes a bit of sense if you can't enfo by yuhong · 2010-07-24 13:10 · Score: 1

Of course, if you really want to limit it to visitors, you could use WPA(2)-Personal for the visitor network.
Re:WTF by Eivind+Eklund · 2010-07-24 13:20 · Score: 5, Funny

I'd say more around the 5170-mark, myself.

--
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
Re:WTF by Tumbleweed · 2010-07-24 13:20 · Score: 3, Interesting

nah, things went downhill about the 50k mark... ;)
Not really. Things went downhill much sooner than that. I'd have a much lower UID than I have if I had seen the need for it, but the 'first poster' morons, etc., weren't much yet around, and there wasn't much value to HAVING a Slashdot account until some time after the account system was first implemented.
One question by cowboy76Spain · 2010-07-24 13:30 · Score: 1

Hi.
We recently had some security tests with a consulting firm and, while no WiFi test was done (we have no WiFi), I was curious and asked the guy about WiFi security. He told me that, given that there was a constant traffic, he could break any WiFi in about two hours. So I do not know if this vulnerability is a completely different thing or that guy was just too much optimistic.
Anyone does have first hand info?

--
Why can't /. have a rich-text editor? Editing your own HTML is so XXth century.
Not normally by Sycraft-fu · 2010-07-24 13:47 · Score: 2, Insightful

The whole point of a switch is that it sends data only to the host that it is for. So you don't get my data out your switch port. If you clone a MAC, that doesn't do the trick as it just confuses the switch and some data goes to one computer, some to the other, and the connection works poorly. Back in the day you could overload the switches in various ways and make them act like hubs, but that is also noticeable, and it doesn't work on new high quality switches.
Wired networks are actually pretty secure from snooping over all. It's not impossible, but it is damn hard.
1. Re:Not normally by bitslinger_42 · 2010-07-24 14:14 · Score: 1
  
  Of course, this is why serious attackers on a switch don't try cloning MACs. They send gratuitous ARPs to the systems they want to sniff traffic from and pretend to be the default router. Or they take over the root of the spanning tree on the switch. Or they send an email to their target that says "Click this link to download nekkid pictures of " but actually installs a keystroke logger.
  None of that is as hard as the 133t hax0rs want you to believe. Not trivial, and not undetectable, but not particularly difficult these days, thanks to Ettercap.
  Of course, it's often cheaper and easier to just slip the janitor a $50 to have them photocopy all the CEO's garbage, but that doesn't sound nearly geeky enough :-)
2. Re:Not normally by hitmark · 2010-07-24 20:22 · Score: 1
  
  the email keylogger have nothing to do with the kind of network one is running...
  
  --
  comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Re:WTF by Architect_sasyr · 2010-07-24 14:16 · Score: 1

This was explained to me once, so I feel the urge to pass on the (mis)information.

Your average crypto geek has a job, generally they teach in a university or write books or blogs. What they don't do is troll around job sites looking for "Cryptographic Developer needed to design new standard" jobs. It would be boring etc. What they do do is sit around their office on a quiet friday afternoon and pick apart current cryptographic standards, looking for flaws and such just like this. It takes a pretty special kind of person to read and understand the standards (no I am not one of them), but you can't ask them to drop everything and do it.

At a guess, I'd say that (or a variant of that) is why cryptography developers are so apparently rare.

--
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
No shit, really? by RoboRay · 2010-07-24 14:19 · Score: 1

So, if you grant someone access to your encrypted wireless network, the person you granted access to can access data on that network? Who would have thunk it?
1. Re:No shit, really? by udippel · 2010-07-24 15:14 · Score: 1
  
  So, if you grant someone access to your encrypted wireless network, the person you granted access to can access data on that network? Who would have thunk it?
  Is that 'data' in your sentence or 'encrypted data'?
  Is that 'data' in your sentence or 'keys'?
So an authenticated user can sniff my packets.. by Culture20 · 2010-07-24 14:20 · Score: 1

Just to make sure (I've never read the WPA2-EAP specs), the login username/password for access to the wireless is encrypted with another layer and isn't now cleartext to any malicious authenticated user? Any place with single sign-on for Wireless and Computers could be seriously exposed to internal baddies.
Fire the consultant by VortexCortex · 2010-07-24 14:29 · Score: 2, Insightful

Statements like, "I could break any WiFi in about two hours," are red flags that you should higher a different security researcher...
The terms "any", "ever" or "all" are not in most security researcher's vocabularies when talking about unknowns or speculative situations.
We prefer to use terms that imply some degree of uncertainty such as "mostly", "almost never", and "nearly all" since the one thing we know
as security researchers is "trust no one", followed closely by "there is almost always an exception to the rule".
I'm certain that there is at least one "WiFi" your researcher could not break in approximately two hours, thus voiding the "any" term they used.
When in doubt just say, "Prove It."
In other words... by thePowerOfGrayskull · 2010-07-24 14:36 · Score: 1

In other words, if someone is already logged into a network they can perform a MITM attack against user(s) on that network?
Maybe it's just me, but I never considered traffic *within* a network to be secure from other network users, even on a wired network.
1. Re:In other words... by gmthor · 2010-07-24 20:14 · Score: 1
  
  When you are on an enterprise level network, all traffic goes through high configurable switches that are locked. No user can see other peoples traffic. To do a man in the middle attack, you would have to get access to the switches or routers. This is usually much harder to achieve.
  
  --
  How do I uncompress my MD5 archive?
Re:WTF by squiggleslash · 2010-07-24 14:43 · Score: 1

I hit CTRL-C when this was running and now I have complete access to the computer!

--
You are not alone. This is not normal. None of this is normal.
Not 100% suprising... by tengeta · 2010-07-24 14:48 · Score: 1

If there is a reason you don't want someone seeing it, don't Wi-Fi it. Its not a 100% solution but it gets Wi-Fi vulnerabilities out of the way. I've always been too paranoid to do anything financial over a Wi-Fi and I only get more reasons to support that paranoia.

--
"They confiscated everything, even the stuff we didn't steal!"
Re:WTF by Nyder · 2010-07-24 14:49 · Score: 1

nah, things went downhill about the 50k mark... ;)
Not really. Things went downhill much sooner than that. I'd have a much lower UID than I have if I had seen the need for it, but the 'first poster' morons, etc., weren't much yet around, and there wasn't much value to HAVING a Slashdot account until some time after the account system was first implemented.
I know things were going downhill when they let me have an account.

--
Be seeing you...
Re:WTF by IgnitusBoyone · 2010-07-24 15:17 · Score: 1

This has to be one of the Best UID threads I have stumbled on to in a while, but then again what do I know. My 840k shows that I lingered for way to long before signing up. I often wonder what I would be if I had signed up around 2001 when I started reading Slashdot. Granted given the fact I have less then 20 replies or so I haven't needed it all that much. Recently been trying to change that.

--
Momento Mori
Re:WTF by zippthorne · 2010-07-24 15:49 · Score: 1

If the power fails, the state isn't "zero." It's indeterminate. Therefore his next project is actually called, 'Maybe'

--
Can you be Even More Awesome?!
What now? by iris-n · 2010-07-24 16:16 · Score: 1

Is there any wi-fi crypto left standing?
I understand that only applies to Enterprise mode; so will enterprises revert to using passphrases? Or if you use passphrases you already don't have protection from your peers?
Also, TFA talks only abou WPA2. However, there seems to be no reason to think it does not apply to WPA as well. Is anyone sure?

--
entropy happens
1. Re:What now? by gmthor · 2010-07-24 20:22 · Score: 1
  
  WPA-PSK doesn't even have this protection.
  You should consider WPA(1) practically broken. To many weaknesses have been discovered already.
  
  --
  How do I uncompress my MD5 archive?
2. Re:What now? by iris-n · 2010-07-25 01:24 · Score: 1
  
  No. AFAIK, the vulnerabilities in WPA(1) only applies to WPA+TKIP. WPA+AES is still flawless.
  And they don't lead to key retrival, so I wouldn't consider it to be pratically broken, anyway.
  
  --
  entropy happens
3. Re:What now? by yuhong · 2010-07-25 08:10 · Score: 1
  
  Not to mention reducing the rekey timeout and disabling QoS (basically it opened a loophole in TKIP's replay protection) fixes most of them.
4. Re:What now? by yuhong · 2010-07-26 13:09 · Score: 1
  
  Reading the Beck-Tews paper, it should really be "reducing the rekey timeout or disabling QoS". And the trick to fix the TSC counter referenced by this paper and described in more detail in another paper by having a MITM to jam traffic would obviously require physical access, thus isn't really practical.
Re:WTF by Shimmer · 2010-07-24 16:44 · Score: 1

Slashdotters have been complaining about Slashdot for as long as I can remember (since '98).

--
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Ummm... by Stormy+Dragon · 2010-07-24 16:48 · Score: 1

Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software, according to AirTight
Wouldn't it be easier for said malicious insider to just give the man-in-the-middle the PSK?
1. Re:Ummm... by yuhong · 2010-07-25 17:38 · Score: 1
  
  This attack is against WPA(2) Enterprise.
Open Source? by MarkusQ · 2010-07-24 17:03 · Score: 1

Anyone else note the gratuitous dig at open source:

user can decrypt, over the air, the private data of others, inject malicious traffic into the network, and compromise other authorized devices using open source software,

So I guess everything would be OK except for those pesky kids and their free software. *sigh*
-- MarkusQ
Re:WTF by Khyber · 2010-07-24 17:40 · Score: 1

Shit I thought they were slacking when they let me disable ads!

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Haha by X.25 · 2010-07-24 19:09 · Score: 1

Holy crap, I am really sentimental now.
I remember the good old days of security world, where BH/CCC/Defcon/etc presentations were technical marvels and work of extremely bright people.
Ah, good old days...
No need to worry... by fph+il+quozientatore · 2010-07-24 19:40 · Score: 2, Funny

...I'm using WEP, so I am perfectly safe!

--
My first program:
Hell Segmentation fault
Doubtful... by azrider · 2010-07-24 19:46 · Score: 1

Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet
Which is no longer used in current Linux kernels (and won't even compile properly without major tweaks.

The problem appears restricted to WPA Enterprise (802.1X with TKIP/AES-CCMP) in practical terms, because a malicious user must have legitimate credentials to gain access to the network to exploit the flaw.
And admin level access to the system to perform MAC spoofing. Sure, another user could see your broadcast transmission, but the user credentioals are not used during broadcast.

--
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
1. Re:Doubtful... by Splab · 2010-07-24 22:10 · Score: 1
  
  Uhm, what?
  The point of mad wifi is he can use that to exploit the WPA2, it seems that you think it's an exploit within the drivers. Doesn't matter if it's used in the current kernels, you can just install an earlier version.
  Also, this exploit is useful if you have access to the network, since you have physical access to some machine near the AP, you have some admin access to the machine, thus this is very much an issue if you only rely on WPA2.
2. Re:Doubtful... by azrider · 2010-07-25 23:50 · Score: 1
  
  The point of mad wifi is he can use that to exploit the WPA2, it seems that you think it's an exploit within the drivers.
  No, the article (as I quoted) states that it is the driver. Pay attention to what you are responding to.
  
  Also, this exploit is useful if you have access to the network, since you have physical access to some machine near the AP
  Not on MY NETWORK, since with Radius or TACACS+ there is more to the authentication than you think.
  Besides, this is broadcast traffic (which should not have critical information) as opposed to point-to-point authenticated traffic.
  If you are sending sensitive traffic over broadcast protocols, you deserve what you get.
  If your network security administrator (who might be your system administrator too) allows it, FIRE THEM NOW.
  
  --
  And ye shall know the truth, and the truth shall make you free.
  John 8:32(King James Version)
Re:Discrepancy: Theory vs. Practice by ledow · 2010-07-24 21:59 · Score: 3, Insightful

Because in practice, making sure that there is absolutely no hint of a secure piece of information is incredibly tricky. Most programmers traditionally have little concept of actual *secure* programming. Most implementations of perfectly secure algorithms are subject to flaws because people didn't treat side-cases, or properly analyse how the traffic use would affect the algorithm, etc. e.g. not renegotiating keys often enough, so that people can see enough traffic to decrypt a key in a relatively short space of time.
Additionally, this isn't an attack on the crypto. The crypto secures the conversation, it does not necessarily prove identity and if it does prove identity most places don't care about the identity (how many company distinguish individual users/computers over the wireless network by anything other than MAC/IP/username given? AES is still 100% perfectly intact. If you'd been using, say, OpenVPN or OpenSSH with the same algorithm over an unsecured wireless network, the internal encrypted conversation would still be virtually as secure today as it was when AES was invented. The problem is that the *implementation* of AES wasn't designed to cover the usage scenario here, and probably never could be because of the way the access to this particular tiny piece of this part of the broadcast specification is granted. Basically, the flaw has always been sitting there in WPA, not in AES which is still chugging along nicely doing its job. Shocking that a wireless "encryption" fails to properly implement a security scheme because of a bad implementation that side-steps the actual encryption itself... that's never ever happened before ever anywhere :-P
Moral of the story: only trust crypto from those well-established in the crypto-field that's been attacked and attacked and still is approved for government/military use in lots of sensible countries. And then make sure you have a damn good implementation that's not overly complex, or cast in stone, such that most people can't examine it / play with it / fix it.
If you'd been running OpenVPN over the same wireless network, but using OpenVPN's key infrastructure and encryption instead of WPA or WEP or anything at all (i.e. completely "open" wireless) you would still be secure. A bad implementation of a particular encryption in WPA allows people to bypass steps of the actual encryption process that were never designed to be bypassed. It's almost an "out of band" security vulnerability - i.e. nothing to do with whether you use AES or Blowfish or 3DES or whatever you choose... they basically find a way around the (still theoretically secure) encryption that has no effect on the efficacy of the encryption itself.
Basic rule: Just because your "Ethernet-over-the-mains" devices says it uses AES, don't think that means it's "secure". Chances are that it's not.
Re:Actually makes a bit of sense if you can't enfo by Linker3000 · 2010-07-24 22:49 · Score: 1

Indeed - we have a Draytek 2820 broadband wireless router at HQ and it can be setup with up to four SSIDs that can be individually rate limited and isolated from each other (if wanted), giving guest users only broadband access but no corporate LAN connectivity.

--
AT&ROFLMAO
Seriously, why is WPA needed? by characterZer0 · 2010-07-24 23:36 · Score: 1

Connect to an open access point. Establish a VPN connection to the router. Configure the router to only route traffic from VPNed clients. What is the problem? Why can VPN be secure but they cannot seem to manage to build a wireless security system?

--
Go green: turn off your refrigerator.
Re:WTF by fnj · 2010-08-01 04:38 · Score: 1

You do understand that one man's "troll" is another man's refusal to tolerate incompetence and sloppiness? I suggest you look up the definition of "troll," Coward.