IP: Wired: Wireless Networks in Big Trouble (fwd)

Eugene Leitl Eugene.Leitl at lrz.uni-muenchen.de
Wed Aug 22 05:10:05 PDT 2001




-- Eugen* Leitl <a href="http://www.lrz.de/~ui22204/">leitl</a>
______________________________________________________________
ICBMTO  : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

---------- Forwarded message ----------
Date: Wed, 22 Aug 2001 05:04:54 -0700
From: David Farber <dave at farber.net>
Reply-To: farber at cis.upenn.edu
To: ip-sub-1 at majordomo.pobox.com
Subject: IP: Wired: Wireless Networks in Big Trouble


>Date: Tue, 21 Aug 2001 00:41:11 -0700
>From: "Robert J. Berger" <rberger at ultradevices.com>
>Organization: UltraDevices Inc.
>
>Wireless Networks in Big Trouble
>By Michelle Delio
>http://www.wired.com/news/wireless/0,1382,46187,00.html
>2:20 p.m. Aug. 20, 2001 PDT
>
>Wireless networks are a little less secure today with the public
>release of "AirSnort," (http://airsnort.sourceforge.net/)
>a tool that can surreptitiously grab and analyze data moving across
>just about every major wireless network.
>
>When enough information has been captured, AirSnort can then piece
>together the system's master password.
>
>In other words, hackers and/or eavesdroppers using AirSnort can just
>grab what they want from a company's database wirelessly, out of thin
>air.
>
>AirSnort's abilities aren't groundbreaking -- security experts know
>all too well that wireless networks can be easily accessed and
>monitored by outsiders. But a fully featured tool to facilitate
>password-grabs wasn't readily available until this past weekend, when
>AirSnort was released on the Internet.
>
>"AirSnort certainly ups the ante in the sense that with this tool,
>your 'encrypted wireless net' can be quickly and easily breached,"
>said Randy Sandone of Argus, a security company.
>
>"Once AirSnort breaks the encryption, you're basically hosed. A
>malicious hacker can read any packet traveling over the network,
>gather information, passwords -- you name it."
>
>Wireless networks transmit information over public airwaves, the same
>medium used by television, radio and cell phones. The networks are
>supposed to be protected by a built-in security feature, the Wired
>Equivalent Privacy system (WEP) -- also known as the 802.11b standard
>-- which encrypts data as it is transmitted.
>
>But WEP/802.11b has proved to be quite crackable. And that's exactly
>why AirSnort was publicly released, said AirSnort programmers Jeremy
>Bruestle and Blake Hegerle. They hope that AirSnort will prove once
>and for all that wireless networks protected only by WEP are not
>secure.
>
>"Yes, AirSnort can be used as a cracking tool, but it can also be used
>as a really big stick in an argument over the safety of WEP," Hegerle
>said.
>
>"We felt that the only proper thing to do was to release the project,"
>Bruestle said. "It is not obvious to the layman or the average
>administrator how vulnerable 802.11b is to attack. It's too easy to
>trust WEP. Honestly, there is a lot of work involved in hardening a
>wireless network. It's easy to be complacent. AirSnort is all about
>opening people's eyes."
>
>Added Sandone: "Perhaps its release will prompt wireless vendors to
>significantly enhance the encryption of their products. And hopefully
>users will come to understand that encryption (regardless of how it is
>used) is not a panacea."
>
>"Some people overhype the power of encryption, and others put too much
>faith in its 'mathematical precision.' It clearly has its value, but
>it shouldn't be the only security mechanism in use."
>
>"Weaknesses in the Key Scheduling Algorithm of RC4," a recently
>published paper by Scott Fluhrer, Itsik Mantin and Adi Shamir,
>outlined a way to learn the master key to the WEP encryption system,
>which would allow an intruder to pose as a legitimate user of the
>network.
>
>Adam Stubblefield, a Rice University undergraduate who was working as
>a summer intern at AT&T Labs, tested that exploit (with the permission
>of the network's administrator) and was able to pull up the network's
>master password in just under two hours.
>
>Stubblefield published his research on the Internet, but did not
>release the program he used to access AT&T's wireless network.
>
>If the software that he wrote to grab passwords were published,
>Stubblefield told a reporter from The New York Times, anyone with a
>basic knowledge of computers and a wireless network card could easily
>crack many wireless networks.
>
>"Basically I read the paper and wondered if the attack would actually
>work in the real world, and how hard it would be to implement,"
>Bruestle said. "I am the CEO of a small security firm, Cypher42, and I
>wanted to know just how difficult or easy it would be to implement the
>attack, so we could properly advise clients on 802.11b security."
>
>Another tool, WEPcrack, was released on the Internet around the same
>time as AirSnort, but WEPcrack is still considered an alpha release, a
>work in progress.
>
>Bruestle and Hegerle's AirSnort is a beta release, a designation that
>indicates a program is not quite ready for primetime, but is further
>along feature and stability-wise than alpha.
>
>Bruestle said he and Hegerle had a basic working version of AirSnort
>after less than 24 hours of programming time.
>
>Bruestle said he has received many e-mails about AirSnort, some in
>favor of the public release of the tool, others accusing him of adding
>to the malicious hackers' arsenal.
>
>"Many of the people who have e-mailed me about AirSnort are sysadmins
>who thanked me for giving them a way to convince management that WEP
>really is insecure," Bruestle said. "Of course, I have gotten a number
>of flame mails too, comparing the release of AirSnort to 'giving guns
>to children.' I understand the viewpoint of those who believe
>dangerous information should be hidden, but I disagree."
>
>Hegerle and Bruestle said that they believe that many people did not
>understand the academic nature of Fluhrer, Mantin and Shamir's paper,
>and may not understand how vulnerable wireless systems are.
>
>"It was beyond even my humble attempts to understand (the paper's)
>full depths," Bruestle said. "The implications of a tool like AirSnort
>are much harder to deny than the paper it was based on."
>
>AirSnort uses a completely passive attack: An AirSnort user needs only
>a Linux-operated computer with a wireless network card, and access to
>whatever wireless network he or she wishes to crack.
>
>Many wireless networks allow amazingly easy access to unauthorized
>users, as some have discovered when their laptops suddenly connect to
>the Internet when they are in or near a building that has a wireless
>network.
>
>"I've been able to connect to networks when standing outside of
>businesses, hospitals or Internet cafés that offer the service," said
>Mark Denon, a freelance technology writer.
>
>"You can jump in and use the network to send e-mail or surf the Net,
>and often it's quite possible to access whatever information is moving
>across the network. It's very easy to piggyback onto many wireless
>networks, and some people make a game of driving or walking around a
>city and seeing how many networks they can jump into."
>
>"A wireless card in the machine that's running AirSnort does not send
>out any data or actually talk with any of the other machines on the
>network," said Hegerle. "It simply listens to all the other traffic,
>so it doesn't matter if the network allows unauthorized access, as
>none of the other machines on the network will even know anyone is
>listening," said Hegerle.
>
>The amount of time required to piece together a password with AirSnort
>depends on a number of factors, Bruestle said, but mostly depends on
>the amount of network traffic and "luck."
>
>"On a highly saturated network, AirSnort can usually collect enough
>packets to guess the key in three or four hours. If the network is
>very low traffic, it can take days to get enough data," Bruestle
>said. "Since the attack is based on probability, the actual number of
>packets required to guess a given key varies from key to key,
>sometimes significantly."
>
>AirSnort monitoring does not have to be all done in one session,
>though. "Five hours one day and five the next works out to be about
>the same as 10 hours in a row," Bruestle said.
>
>Systems administrators have mixed reactions over the release of
>AirSnort.
>
>"Granted, this program will hammer the truth into people's heads about
>the insecure nature of any wireless network protected only by WEP,"
>said Gerry Kaufman, a medical network and systems consultant. "But
>releasing this tool also allows a lot of people access to networks who
>couldn't have cracked them before. I'm really torn between advocating
>open access to information, and keeping tools like AirSnort out of the
>hands of kids with too much free time on their hands."
>
>Kaufman said the "only good thing" that could come from AirSnort's
>release is its use for proving to "those who approve the expenditures"
>that wireless networks need stronger protection.
>
>Hegerle and Bruestle suggest that wireless network users look into
>other end-to-end forms of encryption, such as Virtual Private Networks
>(VPNs) to protect data going over wireless networks.
>
>"While this requires more work, the false sense of security WEP offers
>is worse than no security at all," Bruestle said.
>
>"Quite simply, I won't be happy until there are no people trusting
>their data to WEP as it now exists," Hegerle said. "There are several
>possible ways to change WEP, and I would like to see a new dialog
>begin, one that looks for a replacement to the badly designed WEP we
>are now stuck with."
>
>Under development are new versions of WEP/802.11b that will include
>stronger security features. But the new standards won't be released
>until mid-2002 at the earliest.
>
>--
>Robert J. Berger
>UltraDevices, Inc.
>257 Castro Street, Suite 223 Mt. View CA. 94041
>Voice: 408-882-4755 Fax: 408-490-2868
>Email: rberger at ultradevices.com  http://www.ultradevices.com



For archives see: http://www.interesting-people.org/




