We have a retail customer that is concerned with this posting:
http://www.storefrontbacktalk.com/securityfraud/wpa2-broken-and-this-ti…
Although it needs to be instigated by an insider, they are worried that this could cause issues. Can anyone from the AD group comment on this?
WPA2 cracked?
8 Replies
WPA2 is not cracked. That's just more FUD. Use multi-BSSID aka Virtual AP as you did before and be happy. More details and thorough analysis here: http://arstechnica.com/business/news/2010/07/wifi-hole196-major-exploit-...
The vulnerability which was released a few weeks ago has some serious implications. It can lead to a man-in-the-middle attack or DoS attack against the network; either way, it requires the attacker to already have access to the network to execute it. The practical exposure from the attack is limited; additionally, given the Motorola product portfolio, customers should have little concern. The most important protection customers have is the wireless firewall: a properly implemented set of firewall rules to block all unnecessary wireless-to-wireless communication would prevent the man-in-the-middle attack from being executed. If customers have questions or concerns about the vulnerability, Motorola's official response can be found at: http://www.airdefense.net/whitepapers/UnderstandingWPAWPA2Hole196Attack…
Hi, WPA2/AES-CCMP itself is NOT CRACKED! Well, let's see what Mr. Ahmad is presenting in the next days... BE AWARE, we are talking about a malicious INSIDER user of the network and NOT a typical outsider attack! So if you have a malicious user already in your network, I wouldn't be too concerned anymore that someone is decrypting WLAN/WPA2 traffic - if I own OSI Layer 3 ;-) More details and realistic facts about 'hole196' aka page 196 here: http://blog.aerohive.com/blog/?p=342 These days a hacker will not spend hours upon hours or days to break into WLANs; he just does a simple client-side attack and fools the user within minutes! Or the never-ending story with web services 2.x! Even though it is fun to crack WPA PSK in the 'cloud' ;-) BTW: if a customer is setting up some guest WLANs, don't allow client-to-client traffic; just activate this simple feature on the AP or switch/controller - as is done these days in most hotspot environments. Rgds, Gerald
Attaching the PDF from the Black Hat presentation.
Please, even though the BH2010 PPT is now out in public, it still doesn't change the fact that this attack works ONLY: *... malicious insider can inject forged group addressed data traffic ...* If applicable, don't allow WLAN client-to-client traffic and the attack will not work, e.g. with client isolation or PSPF! From a *hacker's point* of view, I can tell you it is much more practical to set up a rogue AP to fool clients and not worry about any protocol attacks - of course, besides WEP!
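As an added example (not from any of the replies in this thread), this is the kind of check a wireless firewall or IDS could apply to the forged group-addressed traffic discussed above: it flags broadcast ARP that binds a protected IP such as the gateway to a MAC other than the one on record. The frame builder, addresses and the protected IP-to-MAC map are constructed sample input, not anything from a real deployment.

```python
# Added example, not from the thread: flag broadcast ARP frames that bind a
# protected IP (the gateway) to an unexpected MAC, which is what a Hole196-style
# forged group-addressed frame looks like on the wire.
import struct
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(src_mac: str, sender_ip: str, target_ip: str, op: int = 2,
              dst_mac: bytes = BROADCAST) -> bytes:
    """Build a constructed Ethernet/ARP frame to use as sample input."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    return ETH_HDR.pack(dst_mac, sha, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, sha, spa, b"\x00" * 6, tpa)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"dst": dst, "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa)}

def check_frames(frames: List[bytes], protected: Dict[str, str]) -> List[str]:
    """Alert on broadcast ARP whose sender MAC contradicts the protected IP->MAC map."""
    alerts = []
    for i, f in enumerate(frames):
        a = parse_arp(f)
        if a is None or a["dst"] != BROADCAST:
            continue                       # unicast ARP is out of scope for this check
        expected = protected.get(a["spa"])
        if expected and a["sha"] != expected:
            alerts.append(f"frame {i}: {a['spa']} claimed by {a['sha']}, expected {expected}")
        elif a["sha"] != a["eth_src"]:     # sender MAC vs. Ethernet source mismatch is a spoofing tell
            alerts.append(f"frame {i}: ARP sender {a['sha']} != Ethernet source {a['eth_src']}")
    return alerts
```

On a real AP the same rule belongs in the wireless firewall next to the client-to-client deny, so that a frame which slips past isolation is still logged.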
If I understand it correctly (from all the information available), it seems like a simple MU-to-MU deny feature can be used to tackle this problem. But yes, only wherever applicable. If we must allow MU-to-MU communication in a given deployment, we need to look at other solutions like Kevin mentioned. Regards, Jeelan.
From the limited information I have read, this type of attack can only be performed by an authorised device (i.e. a trusted wireless device that is associated, authenticated and is active on the wireless network): The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data (http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.h…). As this type of attack would initially require Linux with a special driver to perform (i.e. MadWiFI), one quick way to block this type of attack would be to employ NAP/NAC end-point inspection. End-point inspection is used heavily in enterprise environments as a means of blocking or restricting access to devices that do not meet corporate standards. For example, if a company has standardised on Windows 7 with a specific set of applications, a device running Linux would easily be identified during authentication, would fail the end-point compliance checks and would fail 802.1X authentication. The Linux device would simply not be authenticated on the wireless network and would not be able to launch an attack. Once Windows software becomes available to launch this attack, end-point inspection could likewise be used to inspect Windows registry entries, look for a specific software executable and hash, resident programs, or search for specific DLLs. A Windows device with specific malicious software installed would be very easy to identify if the correct NAP/NAC checks are employed. Ultimately, very few details are available at the moment as AirTight will not hold a press conference until August 4th. Additionally, the BlackHat session that will demonstrate this attack will not happen until Thursday (http://www.airtightnetworks.com/WPA2-Hole196). Regards, Kevin