Perpetuating weak wireless security
14 messages
Joshua Wright <jwright@hasborg.com> Mon, May 7, 2007 at 3:44 PM
To: "wifisec@securityfocus.com" <wifisec@securityfocus.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Recently, an overlay WIDS vendor announced technology that is supposed
to defeat attacks that take advantage of weaknesses in the WEP protocol.
 While I haven't seen this technology in action yet, I have a pretty
good idea how it works, and I think it's a mistake to trust said
technology or common variants for the protection of sensitive networks.

My employer recently launched a forum site, so I put together an
article/blog post articulating what I think are the deficiencies of such
a system:

http://edge.arubanetworks.com/blog/joswr1ght

The forums are read-only open to the public, but the ability to post on
the site is by invitation-only.  If you want an invitation, please drop
me a note.

Comments welcome, thanks.

- -Josh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQIVAwUBRj87SjWX3FIa1TkuAQIG7A/5Ac67jEE22OvN0RlaHRScgYy1QOu7ZR65
9wLu+XZzc4QcPiIo9dX3z6FQNwpz9+GWnt/+JqWcfh4OPXDEJJFEhV8gpes6mm6t
E3Y8wl3kMGeHSrKdVzdrxpBQR8JvF4qA5bXOYjQWs/NyLD/KEZlb+dvgo2MBRfyi
QtIEEUW81ShxccrosTx13X9jW792bDB0hiGeXsh06vfjqqcOm4VvmUcRRPnkX3tW
F5H4FDG8SusozLnj7SnGbbGbGXB4MTKdMbKNc1EHGquVBrYAi31/pcC4z6Vf3Z8k
iZ+tqEePgRbpW8tMeeB3a8OQ5VGSjFky5Bd1H6mhTIyxvMEjDNFQKXi8R30GannK
U1yCxh4h8Nviw5ci5F1milnn35YqcOcb/kl2chDd9JpX37WEQQdM7iZtdibb9LO/
Bb2CYbdei4UnflEFIdWBmAFE/N49ZkHKQYQftHGsvb0imEXDJCUDWdoPybzDMGFq
TcLBtVRlff0D8XPC/kbwygioKebYTPt7mXznsBQSReRReuZL9edkQVB/S9+3SQhN
H8bBiB77csyADS2hIBqnBb5dwgRM1E6aOJTducizQ8MNr+5xywOwNDzzMfnroqUu
TYw5EYk1jUC+050n2eOZojtyz4FWhUFFxCSr6uyF8Ywy4Doa7oNNKvub7bsFxwJh
E5WrqgiO7T0=
=ia3v
-----END PGP SIGNATURE-----

Cedric Blancher <blancher@cartel-securite.fr> Tue, May 8, 2007 at 8:18 AM
To: Joshua Wright <jwright@hasborg.com>
Cc: "wifisec@securityfocus.com" <wifisec@securityfocus.com>
On Monday, May 7, 2007 at 10:44 -0400, Joshua Wright wrote:
>  While I haven't seen this technology in action yet, I have a pretty
> good idea how it works, and I think it's a mistake to trust said
> technology or common variants for the protection of sensitive networks.

Idea of adding dummy traffic to legit WEP traffic has been mentioned
here before. A quick answer to this could be:

       1. spot real MAC addresses
       2. PCAP filter your capture

I don't think they want to overload real clients and AP with dummy WEP
traffic...


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html


Nico Darrow <ndarrow@airdefense.net> Tue, May 8, 2007 at 9:15 PM
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: Joshua Wright <jwright@hasborg.com>, wifisec@securityfocus.com, Nathan Rowe <nrowe@airdefense.net>


-----Original Message-----
From: Cedric Blancher [mailto:blancher@cartel-securite.fr]
Sent: Tuesday, May 08, 2007 12:56 PM
To: Nico Darrow
Cc: Joshua Wright; wifisec@securityfocus.com
Subject: RE: Perpetuating weak wireless security

On Tuesday, May 8, 2007 at 10:19 -0400, Nico Darrow wrote:
> Guys, I was the original designer of the WEP Cloaking feature released
> by AirDefense. I can field any questions you guys may have on it.

Good.

> 1. The actual fake data traffic is silently dropped by both the client
> and the AP, and throughput tests indicate a negligible impact at both
> 54 and 11 Mbps. We don't flood the air.

Still, they need to decrypt it right ? What impact do you have on
handhelds and low cpu devices, which represents the vast majority of
hardware that can't run anything else than WEP ?

[ND] - All WEP decryption happens on chip so it doesn't bog CPU usage. The test performed involved multiple older Symbol handhelds (XT CPU, DOS OS) and they didn't skip a beat. This technology was primarily marketed at these devices.

> 2. You can't filter the traffic out, we have several dynamic engines
> to circumvent filtering.

I haven't seen your techno, so I can't discuss that point. However, I
really would like to see it work.

[ND] - Absolutely, I believe everyone should be skeptical till they use/see the technology. We've seen too many people jump to conclusions too early before, I'm glad you're not one of them :-D This technology will be available for peer review by the public when it is released.

> Ok here's the thing. This technology was designed to save millions of
> dollars in cost to large retailers still running WEP technology.

That's a point I can hear, if it's only sold to this kind of user. The
thing is it prevents people who actually can use WPA/WPA2 from
migrating to it.

[ND] - When companies purchase equipment they usually have a life cycle of hardware (i.e. 5 years) before an overhaul upgrade can be done. We do not recommend staying with WEP forever. Currently it's waaaay cheaper than forcing an immediate upgrade. WEP Cloaking is just ONE feature of the AirDefense product line; it helps customers become PCI compliant and provides all the security and monitoring functionality they need. We are not forcing users to stick to WEP, we are providing an affordable and secure option to allow them to stick to their upgrade timetables.

> For those currently using WEP. Here are some tips to help make WEP
> cracking harder without WEP Cloaking.
> 1. Use PSPF mode (aka AP Isolation). There is a mode on most radios
> that disallows clients to communicate with each other...

Come on... "Making the tools not work" is not doing security, it's just
running after the cow. New tools are coming out, existing one get
upgraded. Then what do you do ?
Moreover, this statement is wrong. I wrote a tool, Wifitap, that bypasses
PSPF and other station isolation techniques both for open and WEP
networks:

[ND] - This section was for people who run WEP and can't afford an overlay IDS/IPS. I wish I could give AirDefense to everyone out there so they can be the most secure, but this isn't a perfect world. I was contributing to the community with some simple security tips to make WEP harder to crack. I do like your WifiTap tool, I use it a lot. Although, you do require the WEP key to do injection over PSPF with it. These tips are for people to protect themselves against 90% of the script kiddies out there, not security professionals such as yourselves who have the resources and knowledge to "chase the cow" :-P (btw love it, I used that quote in a meeting today!)

I also wrote a patch for aircrack(-ng), the -j switch, that allows
injecting traffic directly to stations using the from-DS flag, thus bypassing
PSPF. And it works. OK, it does not work with any ARP query you can
find, but it works.

[ND] - Yup, good mod, use it a bit. Aircrack-ptw requires arp-broadcasts to work for the quick cracking bit.

> 2. VLANs on the APs. Currently Aircrack and other such tools don't
> filter out VLAN traffic (you need to write your own tool to filter it
> out, scapy works for me)

Same answer as above.

[ND] - Cisco AP, two vlans, one running WEP, one running LEAP with Dynamic WEP. Client roams between the two. No tools work. I get your point tho.

> 3. Multiple APs. [...] makes life harder with off the shelf tools.

Same as above.

[ND] - Which tools follow clients when roaming? Nothing off the shelf that I know of.

> 4. If possible, do the basics. MAC filtering, throughput limiting
> (54Mbps/11Mbps only), signal strength filtering.

Good points.

My 5. would be: treat this network as if it was Internet because one day
or the other, it will get broken into.

[ND] - 100% agree, some of the strongest networks I've pen-tested followed this principle.

> For those wanting to check out the technology, contact me and I'll let
> you know where and when we will be demoing the technology.

Any time you come near Paris, I'll give it a try with great pleasure if I'm
around.

[ND] - Merci Bocu, you got yourself a deal.

BTW, I find your WIDS technology pretty interesting, especially that
framework you developed with Trapeze, having APs that can switch from AP
to probe and back.

[ND] - Yeah I love the trapeze hardware, it's really cool and works fantastic. We've got some awesome new features coming out in the near future, so stay tuned :-D


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



Cedric Blancher <blancher@cartel-securite.fr> Wed, May 9, 2007 at 10:02 AM
To: Nico Darrow <ndarrow@airdefense.net>
Cc: Joshua Wright <jwright@hasborg.com>, wifisec@securityfocus.com, Nathan Rowe <nrowe@airdefense.net>
On Tuesday, May 8, 2007 at 16:15 -0400, Nico Darrow wrote:
> [ND] - All WEP decryption happens on chip so it doesn't bog CPU usage.

Right.

> [ND] - This technology will be available for peer review by the public
> when it is released.

I'm looking forward to having a look at it.

> [ND] - When companies purchase equipment they usually have a life
> cycle of hardware (ie 5 years ) before an overhaul upgrade can be
> done.

Check previous thread. I cite two cases where I could audit companies in
this very situation.

> [ND] - I do like your WifiTap tool, I use it a lot. Although, you do
> require the WEP key to do injection over PSPF with it.

The next version will support fragmentation so it can inject arbitrary frames
from a given keystream, and a tool to extract such keystreams. You won't
be able to read traffic though.

> [ND] Aircrack-ptw requires arp-broadcasts to work for the quick
> cracking bit.

Not quite.
Aircrack-ptw needs ARP traffic so it can easily retrieve 16 bytes of
keystream. These ARP packets can be requests or replies. And as you
know, replies are sent unicast. In fact, when you attack a network with
ARP injection, the valuable traffic for aircrack is unicast ARP traffic. You
keep replaying ARP requests to stimulate the emission of ARP replies, sent
unicast. As you may know as well, ARP requests can also be sent unicast.

> [ND] - Cisco AP, two vlans, one running WEP, one running LEAP with
> Dynamic WEP. Client roams between the two. No tools work. I get your
> point tho.

The "Same as above" was referring to the fact that, although there's
currently no tool available to do it out of the box, attacks are still
there. It's just a question of finding an elegant (or dumb) way to
bypass the limitation and implementing ;)

> [ND] - Which tools follow clients when roaming? Nothing off the shelf
> that I know of.

Same as above. I agree no tool can do that, but thinking of it, I'm
sceptical about this roaming thing.
Say you have two APs. The classical WEP cracking attack described everywhere
starts with associating a random MAC address you will use to reinject
ARP traffic. Right? Now, whether your client is on AP1 or AP2, you just
don't care, because you're rewriting the 802.11 header, putting in your
arbitrary MAC address and the BSSID you want to inject to.
There could be MAC filtering, right. So you have to use a legitimate
MAC. If this MAC is not up, then see above. If it is, what is preventing
the same MAC address from being associated to AP1 and AP2 at the same time?
In fact, pre-authenticating to neighbour APs is sometimes done to decrease
roaming handover.

> [ND] - Merci Bocu, you got yourself a deal.

s/Bocu/beaucoup ;) Anyway, we have a deal.

> [ND] - Yeah I love the trapeze hardware, it's really cool and works
> fantastic. We've got some awesome new features coming out in the near
> future, so stay tuned :-D

I met Matthew Gast in Singapore two weeks ago. Interesting discussion.


Regards.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
[Quoted text hidden]
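Cedric's point above, that aircrack-ptw lives on ARP traffic and that the attacker keeps replaying the same short ARP request to stimulate replies, is also what a WIDS operator can key on. The following is an added example, not code from any poster in this thread or from the AirDefense product: a small Python heuristic that flags an ARP replay burst in a capture by two signals a legitimate WEP station does not produce, a high rate of ARP-sized encrypted frames from one transmitter and the same WEP IV re-sent many times by that transmitter (a real station increments its IV; a replayed frame carries the same ciphertext and IV every time). The `Frame` record, the sample capture and the thresholds are all constructed for the example; the ARP body sizes are the usual values for an unpadded and an Ethernet-padded ARP packet under WEP and are stated as assumptions in the code.

```python
"""WIDS-style ARP replay burst detector over a WEP data capture (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    src: str       # transmitter (station) address
    bssid: str     # BSSID the frame belongs to
    length: int    # 802.11 frame body length in bytes (after the MAC header)
    iv: int        # 24-bit WEP IV carried in the frame body


@dataclass(frozen=True)
class Alert:
    src: str
    bssid: str
    kind: str      # "arp_rate" or "iv_replay"
    count: int


# Assumed body sizes of a WEP-encrypted ARP frame:
#   8 (LLC/SNAP) + 28 (ARP) + 4 (IV + key id) + 4 (ICV) = 44 bytes, or
#   8 + 46 (ARP padded to the Ethernet minimum) + 4 + 4 = 62 bytes.
ARP_BODY_LENGTHS: Set[int] = {44, 62}


def detect_arp_replay(frames: Iterable[Frame], window: float = 1.0,
                      rate_threshold: int = 30, repeat_threshold: int = 5,
                      arp_body_lengths: Set[int] = ARP_BODY_LENGTHS) -> List[Alert]:
    """Flag transmitters whose ARP-sized frames look like an injection burst."""
    by_src = defaultdict(list)
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.length in arp_body_lengths:          # ignore all non-ARP-sized traffic
            by_src[(f.src, f.bssid)].append(f)

    alerts: List[Alert] = []
    for (src, bssid), fs in by_src.items():
        # Signal 1: peak number of ARP-sized frames inside any sliding window.
        start, peak = 0, 0
        for end in range(len(fs)):
            while fs[end].ts - fs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= rate_threshold:
            alerts.append(Alert(src, bssid, "arp_rate", peak))

        # Signal 2: the same IV re-sent by one station (a replayed ciphertext).
        iv, repeats = Counter(f.iv for f in fs).most_common(1)[0]
        if repeats >= repeat_threshold:
            alerts.append(Alert(src, bssid, "iv_replay", repeats))
    return alerts


def build_sample_capture() -> List[Frame]:
    """Constructed capture: one normal handheld, one station replaying a single ARP frame."""
    bssid = "00:11:22:33:44:55"
    frames: List[Frame] = []
    # Legitimate handheld: a few ARP requests spread over 10 s, fresh IV each time,
    # plus some ordinary data frames of unrelated size.
    for i, ts in enumerate((0.5, 4.2, 9.8)):
        frames.append(Frame(ts, "00:a0:f8:00:00:01", bssid, 44, 0x0100 + i))
    for i in range(20):
        frames.append(Frame(1.0 + i * 0.4, "00:a0:f8:00:00:01", bssid, 1500, 0x0200 + i))
    # Injector: the same 44-byte ARP frame (same IV) re-sent 200 times in 2 s.
    for i in range(200):
        frames.append(Frame(5.0 + i / 100, "00:de:ad:be:ef:01", bssid, 44, 0x1A2B3C))
    return frames


def alerts_for(src: str, alerts: Iterable[Alert]) -> List[Alert]:
    return [a for a in alerts if a.src == src]


if __name__ == "__main__":
    for alert in detect_arp_replay(build_sample_capture()):
        print(f"{alert.kind:10s} src={alert.src} bssid={alert.bssid} count={alert.count}")
```

In a real deployment the frames would come from a monitor-mode capture (for instance parsed with scapy, which Nico mentions), and the thresholds would be tuned to the site's normal ARP rate; the two signals are deliberately independent, since a replay that is slowed below the rate threshold still trips the IV check.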

Nico Darrow <ndarrow@airdefense.net> Tue, May 8, 2007 at 3:19 PM
To: Cedric Blancher <blancher@cartel-securite.fr>, Joshua Wright <jwright@hasborg.com>
Cc: wifisec@securityfocus.com
Guys, I was the original designer of the WEP Cloaking feature released by AirDefense. I can field any questions you guys may have on it.

I can assure you it works. Here are a couple of points on the technology.

1. The actual fake data traffic is silently dropped by both the client and the AP, and throughput tests indicate a negligible impact at both 54 and 11 Mbps. We don't flood the air.

2. You can't filter the traffic out, we have several dynamic engines to circumvent filtering. We've had several independent teams attempt to pentest even with the real WEP key and they have failed. I've already been through signal strength filtering, retry filtering, sequence filtering, client filtering, distributed sniffing, etc etc. None work. AirDefense is the best in class solution and I assure you the work on this project is on par. I'm not being cocky, I'm just saying that this isn't a hacked job. We have spent over a year developing and refining this technique.

Ok here's the thing. This technology was designed to save millions of dollars in cost to large retailers still running WEP technology. The technology isn't fool-proof, but it's the best option they have. What you get for a fraction of the cost of a fork-lift upgrade is extended life on existing hardware as well as a world class Wireless IDS/IPS as well as a platform for other AirDefense technologies.

Now, I'm sure someone smart will figure out some super-clever way to bypass it but AirDefense has multiple layers of protection. We will of course refine the technology as it gets deployed and used in the field. Like any true Second generation WIDS/WIPS. We have Legacy Encryption Protection (WEP), Intrusion Detection with Auto-Classification of devices (monitor anyone actually making it past the encryption/vlans) and Intrusion Protection (keeping them off once you find out they have the real WEP key).


For those currently using WEP. Here are some tips to help make WEP cracking harder without WEP Cloaking.

1. Use PSPF mode (aka AP Isolation). There is a mode on most radios that disallows clients to communicate with each other, essentially by filtering out broadcast and multicast traffic. Enabling this feature will prevent ARP injection techniques and will prevent Aircrack-ptw from working. Yes, it can still be cracked, but it requires the hacker to capture traffic passively, and in a retail environment with low traffic it can take a while.

2. VLANs on the APs. Currently Aircrack and other such tools don't filter out VLAN traffic (you need to write your own tool to filter it out, scapy works for me), so if you have multiple VLANs don't use the MBSSID feature and keep all your VLANs on one BSSID. Technically MBSSIDs are way better, but we are talking older hardware.

3. Multiple APs. Clients connect to multiple APs and when you start injecting they'll roam, forcing you to use secondary radios to keep the device on it or follow it around and combine the traffic later. Not really a strong point, but it makes life harder with off-the-shelf tools.

4. If possible, do the basics. MAC filtering, throughput limiting (54Mbps/11Mbps only), signal strength filtering.


For those wanting to check out the technology, contact me and I'll let you know where and when we will be demoing the technology.


Nico Darrow
Office of the CTO
AirDefense, Inc.
[Quoted text hidden]

Joshua Wright <jwright@hasborg.com> Tue, May 8, 2007 at 4:22 PM
To: Nico Darrow <ndarrow@airdefense.net>, wifisec@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Nico!

Nico Darrow wrote:
> Guys, I was the original designer of the WEP Cloaking feature released
>  by AirDefense. I can field any questions you guys may have on it.
>
> I can assure you it works. Here are a couple of points on the technology.

<snip>

> 2. You can't filter the traffic out, we have several dynamic engines
> to circumvent filtering. We've had several independent teams attempt
> to pentest even with the real WEP key and they have failed. I've
> already been through signal strength filtering, retry filtering,
> sequence filtering, client filtering, distributed sniffing, etc etc.

<snip>

> Now, I'm sure someone smart will figure out some super-clever way to
> bypass it but AirDefense has multiple layers of protection. We will
> of course refine the technology as it gets deployed and used in the
> field.

For a long time, the Cisco Okena folks had a server on the Internet that
was unpatched with a big sign labeled "hack me".  Anyone was welcome to
attack the system, and if they were successful, Cisco used the results
to improve their product, much like Nico is describing here.

Nico, is there any chance AirDefense would make a packet capture
available of WEP Cloaking in action, maybe interspersed with legitimate
frames (around 200K frames or so) for people to take a look at?
Something that would be a practical representation of a legitimate
attack?  If you wanted to make it fun, you could even use something like
a netcat listener and client to stream a message across for people to
try and retrieve. :)

Thanks!

- -Josh

Nico Darrow <ndarrow@airdefense.net> Tue, May 8, 2007 at 9:24 PM
To: Joshua Wright <jwright@hasborg.com>, wifisec@securityfocus.com
I completely agree. It has always been a good practice for security
companies to allow public scrutiny and peer review of their technology.
Our current plan is to have an independent auditing company test and
verify the technology once it is publicly released.

Then I'd love to set up a hack-the-WEP event (maybe at Defcon as a
capture-the-flag event) where I'll pony up a prize for anyone who can
successfully decode the message. I may even give away one of my Nemesis
boxes (handheld wireless auditing box) as a prize. Good idea Joshua :-P

-Nico Darrow

-----Original Message-----
From: Joshua Wright [mailto:jwright@hasborg.com]
Sent: Tuesday, May 08, 2007 11:22 AM
To: Nico Darrow; wifisec@securityfocus.com
Subject: Re: Perpetuating weak wireless security

[Quoted text hidden]

nick leachman <nleachman@gmail.com> Wed, May 9, 2007 at 8:31 PM
To: wifisec@securityfocus.com
Cc: ndarrow@airdefense.net
Hi Nico,

First, it was nice to meet you last week at AD. I've heard much about
you from Jerry - all good no less!

I'm a technical peon compared to those who've weighed in this so far;
and as such I won't even attempt to debate the technical points of
this solution; but I would like to make a couple of general points:

1) This solution appears to be "security through obscurity" - a term
borrowed from a SANS instructor if I remember correctly - and that
leaves me feeling uneasy about it. Is this truly the case - are you in
essence burying a molecule of water in a puddle and hoping it's not
found?

2) What bothers me more is that solutions of this type provide a
means to extend the life of a known weak security method. Argue what
you will about bridging the gap to allow companies to make it to their
next hardware refresh cycle (in order to discard WEP); but we know
that what will actually happen in many cases is that this type of
solution will instead provide a means to delay the normal refresh
cycle - thereby extending the life of WEP in this case. If it is
"perceived" that the king now has clothes, where's the incentive to
change? (And no, I'm not a hardware vendor :-)

I understand that it's a double-edged sword - providing a means to
better secure a poor implementation that might not otherwise be
secured at all vs. running the risk of extending the life of this same
poor technology.

- Nick

Nick Leachman
GSEC GCIH

Raul Siles <raul.siles@gmail.com> Wed, May 9, 2007 at 1:00 PM
To: Nico Darrow <ndarrow@airdefense.net>
Cc: Cedric Blancher <blancher@cartel-securite.fr>, Joshua Wright <jwright@hasborg.com>, wifisec@securityfocus.com
Hi Nico,
I'm trying to understand the specific WEP attacks the WEP Cloaking
feature mitigates. It seems it is mainly focused on WEP statistical
attacks (FMS, Korek's improvements and, now, aircrack-ptw). Is this
correct?

If you can disclose some details at this point, does it work against
other WEP based attacks (PRGA-based): KoreK's chopchop,
fragmentation...?

Thanks,
--
Raul Siles
GSE
www.raulsiles.com
[Quoted text hidden]

4ChecK <4check@inbox.com> Thu, May 10, 2007 at 2:41 AM
To: wifisec@securityfocus.com
Bravo. Awesome idea! I love the aspect of releasing it to the masses in a venue such as DefCon before giving it to customers for a large scale implementation. I look forward to seeing it in action.

Cheers
-Nick
[Quoted text hidden]

Jex <hewhohuntscats@gmail.com> Thu, May 10, 2007 at 2:08 AM
To: wifisec@securityfocus.com
On 5/9/07, nick leachman <nleachman@gmail.com> wrote:
Hi Nico,

First, it was nice to meet you last week at AD. I've heard much about
you from Jerry - all good no less!

---

2) What bothers me more is that solutions of this type provide a
means to extend the life of a known weak security method. Argue what
you will about bridging the gap to allow companies to make it to their
next hardware refresh cycle (in order to discard WEP); but we know
that what will actually happen in many cases is that this type of
solution will instead provide a means to delay the normal refresh
cycle - thereby extending the life of WEP in this case. If it is
"perceived" that the king now has clothes, where's the incentive to
change? (And no, I'm not a hardware vendor :-)


People are still using WEP. I would argue that while a move to WPA is
a Good Thing, we can't force people to do so, for various reasons. I'm
sure someone somewhere will appreciate this strengthening of WEP, and
the technology can possibly very well be used to boost WPA/WPA2/etc.

-HeWhoHuntsCats, SysAdmin in training.

Nico Darrow <ndarrow@airdefense.net> Wed, May 9, 2007 at 10:44 PM
To: nick leachman <nleachman@gmail.com>, wifisec@securityfocus.com

Hey Nick, glad to have you at our HQ ;-P

1) Great question. What we are doing with WEP Cloaking is removing all
the shortcuts available to the attacker and forcing him/her to use the
worst possible case scenario (brute forcing). Hence why we named it
WepCloaking instead of WepShield ;-P

2) I agree to a point in some cases. Big companies can't move as fast as
smaller businesses and by no means does this extend the hardware refresh
cycle, it allows them to stick to their current timeline and better
prepare for the upgrade. A lot of companies can't afford the forklift
right now. Would they rather wait a few years with their pants down or
invest in an AirDefense that gives them a complete solution and
visibility to make sure everything is where it should be?

Here's the down and dirty of it guys. I'm not a marketing person, I'm a
wifi dork. Too many individuals are focusing on a single feature of our
solution. We are selling a COMPLETE solution. Any security guru worth
his salt will tell you, you need layered security. Wireless security is
no different than wired security. In a good setup, you'd have both
visibility (IDS), active protection (IPS), troubleshooting tools and a
solid infrastructure.

Here is a Practical example. When you own a house and wish to secure it,
do you just have a lock on the door? If someone breaks in, do you buy a
more expensive lock? Maybe. What I would do, is use motion flood lights,
stronger locks, buy a big ugly dog, an alarm system and then start
looking for a better neighborhood :-P

In a roundabout way I think I compared myself to an ugly dog, but you
guys get the point :-P




-----Original Message-----
From: nick leachman [mailto:nleachman@gmail.com]
Sent: Wednesday, May 09, 2007 3:31 PM
To: wifisec@securityfocus.com
Cc: Nico Darrow
Subject: Re: Perpetuating weak wireless security

[Quoted text hidden]

nick leachman <nleachman@gmail.com> Thu, May 10, 2007 at 3:57 PM
To: Nico Darrow <ndarrow@airdefense.net>
Cc: wifisec@securityfocus.com
Hi Nico,

Thanks for the reply. Please know that I didn't mean to lay the burden
for perpetuating WEP on you. It's just a discussion - not an
indictment of you at all. And your points about a complete solution
and layering are well taken.

I think we're gonna have to agree to disagree on number two though.
I've worked in several accounts - mainly SMB - over the years; and
what I've noticed is that once a technology gets installed (and works
satisfactorily) it often takes a stick of dynamite to get it out.
There are still many networks with Novell 3.12 servers, Token-Ring
LAN's, 10Mbps hubs, Open WLANs - and a vast array of other
technologies that should arguably have been replaced for performance,
interoperability, or security reasons - but they are still installed -
and relied on - because they work.

My point is simply that we who work in the security realm must be
careful because facilitating the longevity of flawed security methods
has the potential of far greater negative impact than performance or
interoperability issues IMHO.

Kind Regards,
- Nick
[Quoted text hidden]
--
"The Lord bless you and keep you;
the Lord make His face to shine upon you,
and be gracious to you;
the Lord lift up His countenance upon you,
and give you peace."

Num. 6:24-26

Nico Darrow <ndarrow@airdefense.net> Wed, May 9, 2007 at 10:44 PM
To: Raul Siles <raul.siles@gmail.com>
Cc: Cedric Blancher <blancher@cartel-securite.fr>, Joshua Wright <jwright@hasborg.com>, wifisec@securityfocus.com
Yes, WEP Cloaking works both on passive as well as active attacks. Injection attacks, stream attacks, MiTM attacks etc etc.
[Quoted text hidden]