Wireless security foiled by new exploits

Watch out for scary new hacker tools like KARMA, plus exploits in Bluetooth and 802.11n, says Joshua Wright in this recent Network World chat.

Just when you thought your wireless network was locked down, a whole new set of exploits and hacker tools hits. WPA2, PEAP, TTLS or EAP/TLS can shore up your network, if configured properly. Securing clients is a lot more difficult. These topics and more were addressed by Joshua Wright in this recent Network World chat. Wright is famous for his irreverent security blog WillHackforSushi.com. He is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks. Plus he's a popular speaker at a long list of security conferences.


Moderator-Julie: Welcome and thank you for coming. Our guest today is Joshua Wright -- famous for his irreverent security blog WillHackforSushi.com (although, he says, he'd really rather hack for the challenge, not for raw fish.) He is also the author of the six-day SANS Institute course, Assessing and Securing Wireless Networks. Plus he's a popular speaker at a long list of security conferences.

Josh_Wright: Welcome everyone, and thanks for coming. Hopefully you have some killer questions for me about wireless security, hacking, sushi or 1975 AMC Gremlin restoration (my first car). So, hit me up and I'll do my best to answer as many questions as we have time for.

Josh_Wright: Her name was Phoebe, by the way (the Gremlin).

Moderator-Keith: While we await the onslaught of questions for Josh, we will provide a pre-submitted question that Josh has already answered. Q: In general, how well are enterprises securing their wireless network?

Josh_Wright: Enterprises are doing ... better. We are seeing fewer open networks and more organizations moving to WPA/WPA2 from WEP. There is still more than a fair share of WEP networks, sometimes motivated by the need to support legacy wireless clients (such as VoIP phones, or Symbol scanners). A lot of the enterprises I talk to feel comfortable with the security of their WPA/WPA2 networks, but they often fail to realize that this is only one piece of a wireless security strategy. Failure to address client configuration and security issues, rogue detection and home/mobile users leaves organizations exposed to attack.

Atome: What is your point of view on overlay vs. integrated wireless IDS/IPS solutions?

Josh_Wright: Overlay vendors often have a strong product, since overlay vendors ONLY make wireless intrusion detection system (WIDS) products. Vendors that have to do WIDS and wireless transport and hardware and all the QA and testing that goes along with it have more to worry about, and may not have as sophisticated a product. That said, overlay products are vulnerable in that they don't have knowledge of the encryption keys used on the network - they can only look at Layer 1 and Layer 2. Integrated vendors have the advantage there, where they can look at all the traffic on the network, analyzing not only Layer 1 and 2 but all the way up to Layer 7 as well (but not Layer 8 and 9, which are money and politics, as we all know ;). [Note, for more information on WIDS, check out Josh's whitepaper on the topic.]

Mw: How secure is WPA-PSK or WPA2-PSK?

Josh_Wright: PSK-based authentication mechanisms are notoriously vulnerable to offline dictionary attacks. I wrote one of the first WPA/WPA2-PSK attack tools "coWPAtty." (Get it? "coW-PAtty" -- like the cow … excrement). Newer tools such as Aircrack-ng are even faster. The main problem with PSK mechanisms is that the same shared secret is stored on all devices. I was talking to a customer who was doing handheld credit card transactions with a wireless device using WPA2-PSK. They were PCI compliant (since PCI requires WPA or all kinds of hoops with WEP), but they were vulnerable in that as devices were lost, stolen or turned in for service, the PSK was disclosed and available to anyone who could get their hands on the device. Enterprises should use 802.1X instead of PSK based authentication strategies for stronger authentication and unique, per-user keys.

PeterDiamond: Does disabling file and print sharing on your computer prevent other users on the same wireless network from accessing your computer files?

Josh_Wright: To some extent yes, but not 100%. Other services such as the remote desktop protocol are still exposed. Also remember that any user can install VNC on their workstation, which is a gold mine for an attacker. When I'm doing penetration tests, and I find machines running VNC, I break out the champagne, because I know the network is pwned.

WireGuy: Are you saying that you can pwn a network with ANY version of VNC installed on the systems?

Josh_Wright: Not any, but I haven't failed yet. You could do a secure install, I'm sure, but in my experience, VNC installs are almost always done by end-users, with no account lockout, no login monitoring and weak passwords.

Moderator-Keith: Pre-submitted question: Q: How should organizations address the threat of driver vulnerabilities?

Josh_Wright: Since a driver vulnerability can expose a workstation to a remote compromise, and since the vulnerability is exploited in kernel space which bypasses local security mechanisms (such as privilege separation, intrusion prevention mechanisms, spyware and anti-virus tools, etc), it's a serious threat. Organizations should start by compiling a list of all the wireless drivers they have installed in their organization, and regularly check the vendor's websites for driver updates.

I've also written a tool to assist in enumerating installed drivers on Windows hosts that includes a vulnerability assessment component. The tool is called WiFiDEnum. A free tool available at http://labs.arubanetworks.com/wifidenum, WiFiDEnum scans hosts over your wired (or wireless) network and enumerates all the wireless drivers that are installed, using a local database of known vulnerabilities to let you know when you are exposed to driver threats.

Alanm: Is WPA2 now considered very secure and we should feel fine using it? Or are there still attacks/vulnerabilities that it's susceptible to?

Josh_Wright: WPA2 provides strong encryption, and specifies strong authentication mechanisms such as PEAP, TTLS and EAP/TLS as well, so it is a strong strategy for organizations. The common problem with these implementations is when people misconfigure client settings for PEAP and TTLS, like I discussed with Brad Antoniewicz from Foundstone at Shmoocon a few weeks ago (slides at www.willhackforsushi.com, the video will be up at shmoocon.org shortly). If PEAP and TTLS aren't configured properly, an attacker can impersonate your RADIUS server and get access to the victim's inner authentication credentials, possibly disclosing the user's password, or giving the attacker access to the user's MS-CHAP challenge response, which is almost as good.

McQ: To your earlier point -- to what degree are WPA2 scanners available today, if enterprises were willing to replace their WEP-only devices? Are there abundant choices?

Josh_Wright: Newer handheld devices for manufacturers, retailers and the food/hospitality industry are available, but only within the past year or so. This is a problem for many organizations, since the amortization schedule on these devices is usually very long (7-10 years), which makes it difficult to upgrade. I would not say there are abundant choices available, but customers need to tell these vendors that they require WPA2 and to stop buying anything that doesn't support WPA2 and strong EAP types such as TTLS and PEAP or EAP/TLS.

Moderator-Keith: Here's another pre-submitted question: Do you think wireless LANs will ever replace wired Ethernet as the preferred network of choice in an enterprise?

Josh_Wright: I believe deploying wireless-only offices will be a popular choice in the next few years, leveraging 802.11n technology after the industry has gone through the bumps and bruises of early installations. Just from a cost perspective alone, wireless is tremendously attractive over wired LANs in new facilities. Add in the intrinsic benefits of mobility and convergence of 802.11 and VoIP systems and there are several tangible benefits to replacing Ethernet with wireless.

Ed: Are standards in the works to address control level security (to prevent DoS and MIM attacks)?

Josh_Wright: There is an IEEE working group developing techniques to mitigate spoofing management frames in wireless networks (IEEE 802.11w), which will mitigate de-authenticate and disassociate flood attacks. However, this WILL NOT STOP DoS ATTACKS (sorry, I get a little excited about this topic ;). 802.11w will address two popular DoS attacks, but will not address other DoS attacks such as beacon DS Set spoofing where I tell the victims their AP is on channel 255, or triggering Michael Countermeasures, a vulnerability in TKIP, or by performing A-MSDU Block Ack DoS attacks, a vulnerability in 802.11n networks. For more information on wireless attacks, check out www.wve.org.

Al: How helpful would you say user training on securing wireless devices at home can be for non-technical people?

Josh_Wright: Sure, I think end-user training is an important factor in wireless security. For example, anyone can impersonate T-Mobile, using the "tmobile" SSID and pretending to be the legitimate web page that asks for a credit card number or authentication credentials. Users need to understand the risks of clicking "Ok" to certificate warnings in their browsers, and to ensure they are always working with an SSL website before submitting sensitive authentication credentials. Supporting that, we as enterprise network managers need to be diligent about deploying SSL websites properly. I know at least two or three of you (or maybe even more like 90% of you) have a website where you tell your users "Oh, just click Ok at that warning, and don't worry about it." That sends the message that this kind of behavior is OK, and when an attacker impersonates a website, the end-user thinks, "Stupid Internet Explorer" and gets pwned.

PeterDiamond: Joshua, please let me know your thoughts on disabling broadcasting your router's SSID.

Josh_Wright: It's a bad idea. I know the PCI specification requires you to do this, and I've told them they need to remove this requirement from the specification. Imagine you are a government base and you don't tell your agents where you are located. They have to walk around and keep asking "Are you the government base?" to everyone they meet. Eventually, some wily hacker or bad guy will say "Heck YEAH I'm your base, come on in and share your secrets with me." This is essentially what happens with SSID cloaking, where you have to ask every AP you meet if their desired SSID is available, allowing an attacker to impersonate your SSID at the airport, coffee shop, in the airplane, etc. In short, don't cloak your SSID, but don't make your SSID something like "sexyhackertargethere" either. :)

PatrickT: How (if at all) is 802.11n going to change the security picture?

Josh_Wright: 802.11n exposes us in a few new ways:

1. Greater distance in range for wireless APs, conservatively at 1.5 times the range of 802.11a, liberally at four times the range of 802.11a.

2. Harder for WIDS to monitor. With 802.11n we have 20 MHz and 40 MHz channels, which makes WIDS systems spend less and less time on channel and more time channel hopping, which reduces the chances they'll be able to pick up an attack.

3. Hidden rogues. 802.11n introduces a technology for 802.11n-only devices called Greenfield mode, which makes it impossible for legacy 802.11a/b/g WIDS devices to detect the rogue AP or the user's traffic.

4. New DoS vulnerabilities. The 802.11n specification has two mechanisms for aggregating frames, which has prompted changes in how devices acknowledge transmitted frames. This has opened up DoS vulnerabilities, where an attacker can stop 802.11n devices from accepting any more frames.

5. New drivers. The complexity of 802.11n is largely felt by client devices, and new device drivers have to be written to support the specification and new hardware. With the complexity of 802.11n, this has led to new driver vulnerabilities, which can be exploited by an attacker.

Moderator-Keith: We've got a lot of questions in queue, so please be patient. Josh is getting to as many as he can. In the meantime, here's another pre-submitted question and answer: Q: What are the best ways to protect mobile workers who want to use public Wi-Fi hot spots in order to get work done?

Josh_Wright: I personally use Wi-Fi hotspots, but I tunnel all my traffic through an encrypted tunnel. Organizations that need to leverage hotspots should use data tunneling mechanisms such as IPSec so that the client isn't transmitting unencrypted traffic at the hotspot location. Note that it is also necessary to secure the authentication component at a hotspot before you can start an encrypted tunnel session. Helping users understand the risks associated with SSL errors on websites, and ensuring that users only send sensitive authentication credentials over an SSL session will help mitigate hotspot impersonation attacks.

Russ H: What new risks do you see regarding Bluetooth access points?

Josh_Wright: Bluetooth APs are problematic for organizations because they can offer the same range as 802.11b/g APs, but cannot be detected by 802.11 WIDS systems. This allows an attacker to introduce a rogue to your network, and escape detection by the WIDS system. This is something I used at a hospital a while back, where I faked "stomach pain" and plugged a Bluetooth AP into the waiting room electrical and RJ45 LAN jack. I used it to hack the hospital for a few weeks from the parking lot across the street until my connection disappeared. At the penetration test wrap-up, I asked for my Bluetooth AP back, and I got blank stares from the security team. Them: "What AP?" Me: "The AP I hid in the waiting room." Them: "We never found an AP." Yeah, SOMEONE STOLE MY AP!

Stretch: What Bluetooth AP did you use at the hospital?

Josh_Wright: Belkin F8T030.

EAP-Watcher: You recently assisted Brad Antoniewicz on cracking PEAP or EAP/TTLS. What supplicants or native solutions are well suited for the not so astute wireless support personnel?

Josh_Wright: The Microsoft Windows WZC supplicant is very good, since you can configure all the proper settings to secure PEAP using GPO. Also, the Funk/Juniper Odyssey supplicant is very good, since you can set up permissions to forbid users from adding new RADIUS servers to the trusted list using the permissions editor, and build a silent installer in an MSI file. Essentially, you need to be able to say, "Forbid the user from accepting RADIUS servers I haven't explicitly permitted," and have a way to push that install remotely. I was disappointed in the Apple OS X supplicant, in that I wasn't able to do either of these things.

GAWN certified: Do you have any thoughts on why the PCI spec still allows the use of WEP? Given the known vulnerabilities, aren't companies asking for trouble? Will they be able to hide behind PCI compliance when they are sued by shareholders for using a known vulnerable wireless encryption method and getting successfully hacked? When will PCI remove WEP support from the compliance criteria?

Josh_Wright: First, IANAL (I Am Not A Lawyer -- whew!), so I can't give you legal advice here. :) The PCI spec still accommodates WEP because they have to; many retailers have wireless WEP-only devices that need to be supported into the future for at least a few more years. Does this allow people to hide behind PCI when they get pwned? From my understanding, the merchant is protected from their banks supplying payment cards, but not from the FTC or a civil suit.

Moderator-Keith: Pre-submitted question: Q: If you were a student at Duke University and you wanted to hack their new 802.11n network, what would you do?

Josh_Wright: I personally don't have anything against Duke University or their wireless network, but as a generic example, here are some steps an attacker might take:

1. Google it; Googling "site:duke.edu wireless" turns up some interesting hits including a Wireless FAQ and step-by-step instructions on how to setup your machine to connect to the network. It turns out they use the open-source NetReg product to provide access control, and use an open SSID.

2. Decide on a plan of attack; if the attacker is after student information, they could do some packet sniffing with tools like Kismet or Wireshark and identify the traffic that is transmitted over plaintext. If there are internal Web sites that students use to retrieve information about their accounts, the attacker could try to use a man-in-the-middle attack with tools like Ettercap to impersonate the legitimate server and steal authentication credentials. If the attacker is looking to access student e-mail or other resources, they could use Sidejacking techniques, where they steal session cookies for sites such as Gmail, Yahoo! Mail, Hotmail and others. Since only the authentication portion of these sites is encrypted, attackers could steal a legitimate session cookie for a logged-in user and start to use the cookie with their own browsers to access the e-mail as if they were the legitimate user.

3. Pwnage.

These steps really have little to do with Duke specifically, but are more of a generic vulnerability that often afflicts schools. Since students bring their own computers to campus, the school ends up supporting almost anything students may have, which often precludes strong encryption and authentication mechanisms. As a former .edu network manager, I can say that securing a university's client devices is no easy task.

McQ: Is it still considered a best practice to use IPSec VPNs with wireless LANs, even if WPA2/EAP is fully deployed?

Josh_Wright: I would say no; if you can do this, then hey, that's cool. But it's a big burden on devices. Requiring multiple levels of encryption will make it more difficult for users to leverage the wireless network, which may slow adoption and ultimately the benefits you get from wireless. Also, it is prohibitive for lightweight devices such as PDAs and VoIP phones to do multiple layers of encryption. Even on laptop devices, AES-CCMP encryption using WPA2 and IPSec will cause you significant CPU load, which reduces your battery life significantly, which will make your users unhappy. I'm satisfied with WPA2 and PEAP, TTLS or EAP/TLS, when it is configured properly, and audited to validate the install.

Nickel: Hi Josh, I've read that for a home wireless network using WPA or WPA2 that to be as secure as possible, the SSID needs to be as unique as possible. Can you explain why this is, especially in light of the fact that the SSID is visible?

Josh_Wright: Just knowing the SSID isn't enough to gain access to the network, you need the passphrase to join the WPA/WPA2-PSK network. I use WPA-PSK at home (my wife's USB card only does WPA), and I have a relatively long passphrase ("family movie night" -- for anyone who wants to stop by and hang out). I think that's fairly good for me, with my limited number of devices. If someone wants to come by and hack my wireless network, then damn, please knock on the door and introduce yourself so we can get a cup of coffee and hang out or something. :)

Stretch: My company is considering setting up an overlay wireless IDS using Kismet and OpenWrt routers. How does this solution compare to the commercial IDS systems out there? Are there any good resources out there detailing how to do this?

Josh_Wright: A great book is "WRT54G Ultimate Hacking" by Paul Asadoorian and Larry Pesce. They also teach a two-day class at the SANS Institute on the same topic, and they show you how to do a WIDS system on the cheap, using Kismet and the common Linksys WRT54G hardware. When I was doing more consulting, I used the same hardware to send to customers, where they would install it on their network and give me remote access so I could do the audit remotely. In Paul and Larry's class, they also talk about doing other interesting hacking stuff on the WRT. I'm waiting for the WRT54G battle-bot, where the AP drives around the office and smashes any rogue AP with a hammer or something. ;)

BR: How secure is EV-DO?

Josh_Wright: Security through obscurity, I'd say. We don't know a lot about the security of EV-DO, and it's against the law in the U.S. for me to even sniff that traffic, so there is little research on how secure it is. In Germany, a hacking group known as The Hackers Choice (THC) has done some analysis of the GSM protocol, and they have successfully written their own GSM sniffer using a software defined radio (SDR) and cracked the encryption using Field Programmable Gate Arrays (FPGAs). This allows them to intercept and record GSM phone calls and SMS messages. Telecom vendors have relied on obscurity for a long time now. I think we're going to see that change in the coming years as more people have access to SDR technology and cryptographic accelerators including FPGAs. For more information on GSM hacking, check out the Open Ciphers website at www.openciphers.org.

TomL: Do you think that 11n will be more secure than the current a/b/g APs or will security still be left up to the end user to configure and enable (i.e. will security in 11n be the default configuration)?

Josh_Wright: I think 802.11n introduces more vulnerabilities in the near-term, until the industry catches up. It's not more secure by any shot. That said, it's a much better performer in terms of bandwidth and reliability, changing how clients interact with the RF network through MIMO receivers. 802.11n users will be able to have a more reliable network experience, which will make administrators happy as well. Unfortunately, 802.11n is very disruptive, so there will be some pain between now and when it becomes ubiquitous.

Moderator-Keith: Here's another pre-submitted question: Are there any security issues related to the recent Bluetooth SIG announcement about using the Wi-Fi signal for high-speed data transfer?

Josh_Wright: This kills me. 802.11 is ubiquitous, achieves high data rates and is enjoying tremendous popularity. Bluetooth tries to achieve high data rates with UWB, but it doesn't appear to be happening as quickly as the Bluetooth SIG wants, so they'll hop on the 802.11 bandwagon as well. The Bluetooth SIG sends out press releases about Bluetooth-WiFi, with plans to leverage WiFi on demand for high-speed data transfers when needed. But it won't be called Bluetooth-WiFi (the SIG hasn't decided on a name yet), and it might or might not be in the SIG 3.0 specification, and it may or may not use 802.11 security mechanisms. And it in no way expresses that UWB isn't a viable option for Bluetooth. Are you confused yet? Me too, and so is the rest of the Bluetooth community. As far as security threats that we know about, we know that the Bluetooth E0 encryption mechanism is significantly flawed, but there aren't any commodity tools available to implement an attack. This could change if E0 is applied to 802.11 technology, since there are many tools available to capture 802.11 traffic. We also know that the new Secure Simple Pairing security mechanism used for Bluetooth, while an improvement over the pre-2.1 Bluetooth authentication mechanisms, fails on devices such as Bluetooth headsets leaving users exposed to man-in-the-middle attacks.

Woodrow: Are enterprises seeing many KARMA or other wireless phishing attacks? What's the best defense against these?

Josh_Wright: KARMA gets my vote for scariest attack tool in 2006/2007. Fortunately, Windows XP SP2 defeats a lot of the issues KARMA exploited, as does Windows Vista, assuming you are using WZC. If you are using third-party driver managers such as the Intel or ThinkPad utilities, you are unfortunately out of luck. WIDS monitoring systems can help you here, but it isn't helpful when the KARMA attacker is exploiting users at the airport. Unfortunately, using independently strong protocols such as SSL is your best defense against attack. :(

Mike: How secure is WPA2-AES and EAP-Fast Radius?

Josh_Wright: EAP-FAST was designed by Cisco to resolve the weaknesses in Cisco LEAP. I reported the weaknesses in LEAP to Cisco a few years ago, and had a chance to review EAP-FAST when it was in the early development stages. EAP-FAST can be secure when clients are provisioned in a secure manner (e.g. the PACs are delivered over a reliable and secure transport). However, this is the rub with EAP-FAST. Most users use the EAP-FAST Phase 0 automatic PAC provisioning mechanism, which leaves clients vulnerable to man-in-the-middle attacks. In this attack, the attacker pretends to be your RADIUS server offering EAP-FAST service, and when victims connect to the evil RADIUS server, the victims disclose their authentication credentials. Brad and I wanted to get this attack working for Shmoocon, but we didn't finish it in time. Keep an eye on willhackforsushi.com for updates once I get it working.

Moderator-Keith: Pre-submitted question: Q: What's the hardest thing to configure in terms of wireless security?

Josh_Wright: Managing the security of client devices is the hardest problem to tackle. Misconfigured devices, improper client security configuration, ad-hoc networks and driver vulnerabilities are all issues that need to be addressed for clients to be secured. Enterprise management systems like Windows Server 2003 Group Policy help here, but are only effective if you can apply a draconian management policy for your users. If you require flexibility and centralized management, enterprises are often out of luck.

Oestec: Is a 100% secure wireless network actually possible to achieve?

Josh_Wright: This is hard to say; I don't know what you think is 100% secure. I'm 100% satisfied with the security of my home network, and I use WPA-PSK. It's more a question of what's reasonable for your organization. I think that almost all organizations can get to this level of satisfactory security with careful planning, deployment and monitoring.

Moderator-Keith: Because of all of the great questions coming in, we are extending this chat by another 30 minutes, or until Josh complains of carpal tunnel syndrome from his typing.

Mike: What are your thoughts on AP containment?

Josh_Wright: AP containment is cool; it gives you the chance to stop rogue APs when users are on them while you go into the network closet, bust out your big stick/bat/katana and go find the person who deployed the AP on your network. You shouldn't rely on it 100% though, and you should always use it as a short-term mechanism to stop an attacker and not a long-term fix for a rogue device. Also, not all vendors' rogue containment products are equal, and some are seriously flawed (see http://www.willhackforsushi.com/papers/wlan-sess-cont.pdf).

Dbranch: On the subject of AP containment, isn't there also a risk of liability (in the instance where you have accidentally contained your neighbor's AP because your system considers it to be a rogue)? Don't you need to be fairly certain that it is indeed a rogue?

Josh_Wright: I'm just waiting for the case where two competing .COMs in San Jose start DoS-ing each other. APs are offline, online and offline again. Anarchy, dogs and cats living together, Hillary names Ann Coulter as her running mate, etc. Seriously, you do need to be careful about who you DoS with rogue AP containment, and all the vendors' products I know of take steps to correlate that the AP is really on your network. We haven't seen many attacks trying to exploit that yet though. Note to self: figure out a way to manipulate rogue AP shielding to get networks to attack each other. AWESOME QUESTION! : )


Moderator-Keith: Another pre-submitted question: How is 802.11n going to change the security posture (if at all) due to the new drivers required on enterprise machines, and/or the speeds/feeds involved?

Josh_Wright: 802.11n is a very complex protocol. Lots of new supported data rates, new management frames and information elements, new positive acknowledgment mechanisms and two frame aggregation strategies mean lots of new code in 802.11n drivers. That means lots of new code which may not have been evaluated from a security perspective quite as well as it probably should have been. At RSA2008 this year, I'll be talking about 802.11n security threats, and one of the topics I'll be covering is the threat of new driver vulnerabilities. At the conference, I'll be demonstrating new 802.11n fuzzing tools I've written for the Metasploit project to identify parsing bugs in 802.11n information elements and in 802.11n aggregate MSDU frames. (Fuzzing is a vulnerability discovery technique.)

LP: Do you think many Wi-Fi fuzzing attacks against driver and AP firmware vulnerabilities are actually occurring in the wild?

Josh_Wright: Are people exploiting these attacks in the wild? It's hard to say. I know that if you have a secure wireless network using EAP/TLS and WPA2 and WIDS and client security, then I'm going to use this as a mechanism to break into your network. It has lots of advantages for the attacker, such as ring0 access on the compromised host (more privileges than "administrator"), vulnerable drivers stay on systems for a long time, few administrators are paying attention to the problem, etc. Also, remember that TJ Maxx got pwned over WEP in 2007, six years after we knew WEP was broken. Wireless flaws and exploits tend to hang around for a long time, and it takes the guys who are actually running these tools against networks for profit a while to catch up.

Stripes: Time to name names. Can you tell us what two brands you're most comfortable with when it comes to security for 1) home use, and, 2) business use?

Josh_Wright: No vendors are perfect... but I work for Aruba Networks, and I know the inside deal on our security, and I think it has a lot of useful advantages for deployments. For home use, I use a Linksys WRT54G with custom firmware from OpenWRT.org on it to manage it as my own firewall and NAT box.

x409: How important is it to encrypt your management frames?

Josh_Wright: Today, not so much. When we start disclosing more sensitive information in 802.11k (radio resource management) and 802.11v (wireless network management), it will be a bigger issue. The facets of protecting deauthenticate and disassociate frames in 802.11w aren't that important to me. Some vendors with early 802.11w implementations are touting them as the solution to wireless DoS attacks, and it's just not so. I wrote more about this on my Aruba blog.

Moderator-Julie: For those of you staying until the end of the chat, we have a surprise. Network World will be giving away a copy of the book "Metasploit Toolkit" by David Maynor, K.K. Mookhey, Jacopo Cervini, Fairuzan Roslan and Kevin Beaver. Josh says the book is good. To enter to win, e-mail your name and mailing address to me. I'll announce the winner five minutes before the end of today's chat.

Go: Is IAS a good solution to use for a RADIUS server? Is there one that is more secure that you could recommend?

Josh_Wright: IAS is a good RADIUS server because it comes with Windows Server and it integrates well in a Microsoft-centric environment. It is a poor choice of a RADIUS server if you need to do something other than PEAP since it only supports PEAP, EAP-MD5 (which you should never use) and EAP/TLS. The Funk/Juniper Odyssey server has lots of supported EAP types and integrates well into a lot of environments, but you'll pay a premium for that. I personally love FreeRADIUS, though it's a PITA to get it set up initially. Once it's set up though, it's rock-solid and an awesome performer.

Moderator-Keith: Another pre-submitted question: Q: Can you explain some of the exploits available that can attack wireless mice and keyboards?

Josh_Wright: At the Blackhat Federal conference last week, Max Moser demonstrated attacks against 27 MHz keyboards and mice, where he is able to remotely capture and "decrypt" keystrokes and mouse positions. I use the phrase "decrypt" lightly, since as Max discovered, these devices often use only an XOR mechanism to protect data with a 16-bit "key." With this capability, it is possible to create a remote, undetectable keystroke logger, which can record every keystroke entered by the user. Further, it appears possible to inject arbitrary keystrokes as well. Max points out that WinKey + R (opening the Run dialog box) could be particularly useful for an attacker trying to compromise a system.

Woodrow: If KARMA was the scariest wireless attack of 2006/2007, what's scariest for 2008 and beyond?

Josh_Wright: Well, I think attacking PEAP networks is pretty scary, but I'm a little biased. :) See my post on the topic. I am nervous about wireless driver attacks, and I think we're only starting to see the beginning of this attack trend (best noted by commercial vendors selling products for LOTS of money to test your drivers for you).

Joemama: What makes attacking PEAP networks so scary?

Josh_Wright: If I compromise your authentication credentials from PEAP, then I have your username and password, likely your MS Windows domain username and password. That also gives me access to your domain servers, Outlook, file servers, MS SQL, Sharepoint, etc. I think that's kinda scary, don't you? :)

Fracxion1: Would you recommend using MAC filtering for a home device? Does it really provide any valuable added security? (By the way, excellent keynote at the SANS 2007 Las Vegas conference.)

Josh_Wright: Thanks for coming to the SANS conference. I had a lot of fun (for those of you who missed it, I demonstrated eavesdropping on Bluetooth headsets and injecting arbitrary audio. It was a lot of fun. Here's a link to the video on YouTube.) Unfortunately, MAC filtering does little for you, since an attacker can easily learn all the valid MAC addresses on your network using tools like Kismet (when running Kismet, press "C" for a list of all clients). It's simple to impersonate a MAC address: on Windows using macchanger, on Linux "ifconfig eth0 ether hw 00:11:22:33:44:55" and on OS X "ifconfig eth0 hw 00:11:22:33:44:55".

GLH Hospital: We are using PEAP with certificates for authentication. Any other suggestions?

Josh_Wright: Make sure you always perform certificate validation. Also make sure you specify the name of the RADIUS server in the supplicant configuration settings (matching the name on the RADIUS server certificate). Finally, be sure you reject any other certificates and don't let users be prompted if a previously unrecognized RADIUS certificate is received. At Shmoocon, Brad and I talked about how I can get a VeriSign certificate for MyCompany.com, and give it to your client. The Windows supplicant by default will prompt the user to accept or reject the legitimate certificate, without identifying the organization the certificate was issued to. We believe any normal user will say "Accept." Since, honestly, most IT professionals don't understand certificate hierarchies, how can we expect our end-users to make those kinds of decisions?

Joemama: Can PEAP be made as secure as TLS (both with and w/o client-side certificates for PEAP)?

Josh_Wright: Nice handle there joemama. :) PEAP has the option of being used as PEAP-EAP-TLS, where PEAP is used first, followed by EAP/TLS as the inner authentication mechanism (this is supported by WZC and IAS, and I believe by Funk/Juniper Odyssey as well). Honestly though, if you are going to that kind of trouble, I'd just use EAP/TLS instead.

EAP-Watcher: Other than the misconfigured client issues, is PEAP a suitable, secure 802.1x authentication for most organizations?

Josh_Wright: Yes, totally. It integrates nicely with Windows, has native support in Windows XP and Vista and you have integrated support in Windows IAS as well. As long as you address the configuration issues I pointed out earlier, it will do very well.

Bubba: I heard some noise lately about attacks on APs from leveraging Web browser plug-ins such as a Flash player. Is this a problem for the enterprise, or mostly for the SOHO, or just smoke?

Josh_Wright: There has been some discussion about exploiting home APs that often have weak configuration properties through client exploits (such as browser exploits). The "cool" (read: evil) part of this attack is that if I can change the configuration of your home AP, I can do "cool" (read: evil) things like changing your DNS servers to my evil DNS servers. Then I can manipulate your traffic all I want by forging DNS. And I can hold your router ransom for 1 million dollars (read: pinky to the lip in Dr. Evil fashion).

Jon: Any recommendations for RADIUS that works well with eDirectory on NetWare or Linux? Or is FreeRADIUS the ticket?

Josh_Wright: FreeRADIUS works well with NetWare systems, or you can use a product like Funk/Juniper Odyssey, that works as well.

GAWN certified: A comment on the hotspot question. A best practice is to use different credentials for authenticating to the hotspot, and then once you have Internet access use a different set of credentials in your VPN authentication phase. This ensures that compromise of your hotspot credentials over the wireless link does not also result in compromise of your VPN. A second best practice is of course two-factor authentication in either or both authentication events so as to eliminate the risk of compromise of a reusable password. Your thoughts Josh?

Josh_Wright: Two-factor authentication is always desirable from a security perspective, but the lack of integration with Windows (e.g. increasing the cost of deployment) and the general "unfriendlyness" (ok, I made that word up) usually hinders the adoption of wireless. You have to balance the need for security and the complexity of deployment and usefulness for your end users. If you can get away with it, by all means go two-factor. If you can't, it's not the end of the world, and you can do pretty well with password authentication.

E: Do you think David Carradine's tai chi workout will make me an uber-ninja/pirate killer like he showed he was in your Shmoocon video?

Josh_Wright: Definitely not. The only way you get to be an uber-ninja is to defeat a pirate in a death match. We're starting a fight club in Providence if you want to sign up... OK, not so much of a fight club, more like a Hack or Halo club, but the chicks still dig it.

Dbranch: Dude, I hate to break it to you, but the chicks don't dig it. :)

Bieber: No one has asked any sushi questions yet, so here's one: do you prefer to go out for sushi (and where?) or do you roll your own?

Josh_Wright: Sakura on Wickenden Street in Providence. Man, they have an AWESOME scallop nigiri that is just out of this world. On the topic of sushi, a lot of people don't know this, but the wasabi you get on your dish isn't really wasabi, it's Chinese mustard dyed green. Next time you are out for sushi, ask the waitstaff if they have fresh wasabi. You'll probably pay extra for it, but the flavor is out of this world.

Moderator-Julie: And the winner of the free book is Nick Leachman. The book can also be bought as an e-book.

We want to thank you, Josh, for being our guest today and thank you all for coming! www.networkworld.com/chat

Please mark your calendars for our upcoming chats, at 2 p.m. ET,

Friday, March 7: Busting enterprise security myths, with 451Group's outspoken Nick Selby

Tuesday, March 25: Cisco Networking Simplified with Neil Anderson

Josh_Wright: I just wanted to thank everyone for coming and for the awesome questions. It's time for me to go get some sushi as a reward for the carpal tunnel I got from typing so much for the past 90 minutes. Feel free to drop me a line if you have more questions.

Learn more about this topic

Buyer's Guide: Wireless LAN Security

Wireless networks burning questions

Wireless icon Craig Mathias' blog

Wireless Alert newsletter

Wireless and mobile discussions
