On Tue, Feb 12, 2002 at 02:54:22PM -0500, Tom Kiblin wrote:
> Some of the better APs and WLAN Bridges allow you to control the MACs 
> allowed to communicate with it, or Allowed Talkers.  You build the MAC 
> table directly on the AP/WLAN Device.  And, you can turn off "Advertise 
> ESSID" from the AP, so the attacker has to know the SSID and guess the MAC 
> address as well.

        Regarding the MAC access controls, please refer to my other
message.  An attacker can trivially sniff valid MAC addresses from the
air and use them directly or use them to guess or brute force others.
That's a no brainer...

        As far as the ESSID goes, you can turn off the "advertise ESSID"
but that doesn't buy you very much at all.  All the attacker has to do
is sniff the air until a legitimate client negotiates access with the
AP and extract the ESSID from that.  Again...  Trivial.  Might take
a little more time, but still a no brainer.

> Wireless LANs can be made secure, you just have to put some time and effort 
> into it.  They are no worse than wired LANs in my humble opinion.

        IMHO...  There seem to be a lot of people out there who have not
played with either AirSnort or WarDrive (or worked on similar proprietary
tools as I have) and haven't seen just what they can do.

        To reiterate...  MAC addresses and ESSID can be obtained trivially
and you have no way to prevent that.  They can be sniffed from the air
passively by any itinerant attacker.  If "advertise ESSID" is disabled,
the attacker may have to wait for someone to connect in, but he still
can get the information.  Guessing other valid MAC addresses from observed
MAC addresses is almost as trivial.  Cracking WEP is a joke.  AirSnort
(to crack WEP) requires particular wireless cards which can be placed
into RF monitor mode, but those are plentiful and cheap.

        All of this can be done without him revealing his presence to you,
since it is a totally passive activity.  The WEP cracking can even be
done "off-line".  Use a system to sniff the air and accumulate the
encrypted data and then turn the data loose on another machine to boil
it down for the key.

> Of course, with all the FUD in the press lately about Drivebyhacking and so 
> forth, companies that don't know any better or lack good IT security 
> teams/departments/people/etc, are worried mainly because they don't know or 
> understand what the issues are.

        FUD?  The tools are out there now.  The kiddie poos are already
playing with them.  We already have evidence of "drive by spamming".
I've watched AirSnort roll over a WEP encrypted access point like it
was a speed bump.  I've had my laptop going off like a geiger counter
from the open access points while walking through an airport.  In my
mind there is no "uncertainty" or "doubt" that there is not nearly
enough "fear".

> I took my iPAQ with my Orinoco card and some software, and was able to find 
> a few APs within a 3 block radius, and they were all wide-open.  Ignorance 
> is scary.

        Yes it is...

        You say you have been successful at locating open access points.
I can identify several dozen, just driving into work.  That's not the
point.  That's the backwards point.  We KNOW there are LOTS of insecure
access points out there.  The real question is "can you secure one
acceptably well."  You think you can secure one.  Have you tried and
then taken AirSnort and WarDrive to it to see what happens?

        Don't forget, too, that while VPNs help, they don't necessarily
prevent attacks on other workstations on the wireless.  Having a secure
gateway to block access to the outside network doesn't protect that
other workstation that's sitting there with an open file share (you
wouldn't BELIEVE the number of open file shares of entire hard drives
spotted in the terminal room at an IETF meeting).  Windows and Netbios
are extremely "chatty" as well.  Is any of that broadcast name resolution
stuff leaking out on the air or of any risk to anyone (hint - think login
names and machine names)?  Any of those Windows systems configured with
guest access?  Linux laptops?  Got Samba?  Samba got guest?  Laptop
got NFS?

        Your claim is that "They are no worse than wired LANs".  I have
seen no evidence that they come even close.  An attacker can ALWAYS
obtain information from them which he would not have from a wired lan
(unless he was physically connected).  Even if it's trivial data to
some (like the MAC addresses and ESSID or Netbios names), it's still
data.  Wireless can't do better than wired, and I haven't seen where it
can even do as good.  The real questions are what can you do to minimize
the risk and is the remaining risk acceptable.  That requires understanding
the risk.

        And yes, that brings us back to the issue of ignorance.

> tjk

> T.  These are only small At 02:05 PM 2/12/2002 -0500, you wrote:
> >        Forgot one thing in my previous message...
> >
> >On Mon, Feb 11, 2002 at 11:44:50PM -0500, Jason Costomiris wrote:
> >> On Mon, Feb 11, 2002 at 08:13:22PM -0800, David Talkington wrote:
> >> : Chad and Doria Skinner wrote:
> >> :
> >> : >1. Setup DHCP to only assign IPs to specific MAC Addresses
> >> :
> >> : Wrong already.  MAC addresses are under client control.  You can
> >> : assign a different one to your network card with ifconfig (if the
> >> : driver can handle that).  Try it.  :-)
> >
> >> Now before you immediately discount that, remember that a would-be
> >> attacker would need to know the MAC address of an *authorized* client.
> >> And by the way - MAC addresses aren't always under the control of the 
> >user
> >> when we're talking about WLAN cards.
> >
> >        The selection of the card is under the control of the user
> >(attacker).  The selection of the operating system is under the control
> >of the user (attacker).  Therefore, the ability of an attacker to
> >select the MAC addresses is ALWAYS under his control.  Even if it means
> >he has to run out to Joe's Computer Shack and pick up a different card
> >and switch to it, it is under HIS control and NOT yours.
> >
> >        [...]
> >
> >> --
> >> Jason Costomiris <><           |  Technologist, geek, human.
> >> jcostom {at} jasons {dot} org  |  http://www.jasons.org/
> >>           Quidquid latine dictum sit, altum viditur.
> >>                     My account, My opinions.
> >
> >        Mike
> >--
> > Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
> >  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
> >  NIC whois:  MHW9      |  An optimist believes we live in the best of all
> > PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
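The two "no brainers" above (harvesting allowed-talker MACs and recovering a
non-advertised ESSID from a client's association) can be shown with a few
lines of frame parsing.  The following is an added example written for this
page, not code from the thread, from AirSnort or from WarDrive.  It assumes
raw 802.11 frames as delivered by a card in RF monitor mode; the frames,
MAC addresses and the SSID "corpnet" are constructed in-line, so it runs
offline with no radio at all.  It also goes one step past the text by
sketching the "guess others from observed ones" step as same-OUI neighbour
enumeration.

```python
"""Passive 802.11 recon: what MAC filtering and a hidden ESSID still leak.

Added example, not from the original thread. Frames below are built by hand
(no radio, no real capture) and every MAC address and SSID is made up.
"""
MGMT, DATA = 0, 2                              # frame types (IEEE 802.11 Frame Control)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8   # management subtypes
SSID_IE = 0
BCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_ies(body):
    """Yield (element id, data) for each information element; stop on truncation."""
    i = 0
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ie_len]
        if len(data) < ie_len:
            break
        yield ie_id, data
        i += 2 + ie_len

def parse_frame(frame):
    """Pull BSSID, station MAC and SSID (if present) out of one raw 802.11 frame."""
    if len(frame) < 24:                        # minimum three-address header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    to_ds, from_ds = frame[1] & 0x1, (frame[1] >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    info = {"type": ftype, "subtype": subtype, "ssid": None, "bssid": None, "station": None}
    if ftype == MGMT:
        info["bssid"] = mac_str(addr3)
        body = frame[24:]
        if subtype in (BEACON, PROBE_RESP):
            body = body[12:]                   # timestamp(8) + interval(2) + capability(2)
        elif subtype == ASSOC_REQ:
            body = body[4:]                    # capability(2) + listen interval(2)
        elif subtype != PROBE_REQ:
            body = b""                         # other management frames carry no SSID
        for ie_id, data in parse_ies(body):
            if ie_id == SSID_IE:               # zero length == "advertise ESSID" turned off
                info["ssid"] = data.decode("utf-8", "replace")
                break
        if subtype in (ASSOC_REQ, PROBE_REQ):
            info["station"] = mac_str(addr2)   # the client that sent it
    elif ftype == DATA:
        if to_ds and not from_ds:              # station -> AP: addr1 BSSID, addr2 source
            info["bssid"], info["station"] = mac_str(addr1), mac_str(addr2)
        elif from_ds and not to_ds:            # AP -> station: addr1 destination, addr2 BSSID
            info["bssid"], info["station"] = mac_str(addr2), mac_str(addr1)
    return info

def survey(frames):
    """What a silent listener learns: SSID and client MACs per BSSID, plus names clients probe for."""
    networks, probed = {}, {}
    for f in frames:
        p = parse_frame(f)
        if p is None:
            continue
        if p["type"] == MGMT and p["subtype"] == PROBE_REQ:
            if p["ssid"]:                      # clients ask for known networks by name, in the clear
                probed.setdefault(p["station"], set()).add(p["ssid"])
            continue
        if p["bssid"] in (None, BCAST):
            continue
        net = networks.setdefault(p["bssid"], {"ssid": None, "clients": set()})
        if p["ssid"]:                          # the association request names the hidden SSID
            net["ssid"] = p["ssid"]
        st = p["station"]
        if st and not int(st[:2], 16) & 1:     # ignore broadcast/multicast destinations
            net["clients"].add(st)             # these are exactly the AP's "allowed talkers"
    return networks, probed

def neighbor_candidates(mac, span=4):
    """Guess further valid MACs from an observed one: same OUI, adjacent serial numbers."""
    raw = mac_bytes(mac)
    base = int.from_bytes(raw[3:], "big")
    return [mac_str(raw[:3] + ((base + d) & 0xFFFFFF).to_bytes(3, "big"))
            for d in range(-span, span + 1) if d != 0]

# --- constructed sample traffic (made-up addresses and SSID) ---
def ie(ie_id, data):
    return bytes([ie_id, len(data)]) + data

def mgmt_frame(subtype, da, sa, bssid, body):
    fc = bytes([(MGMT << 2) | (subtype << 4), 0])
    return fc + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00" + body

def data_frame(to_ds, from_ds, a1, a2, a3):
    fc = bytes([DATA << 2, to_ds | (from_ds << 1)])
    return fc + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00"

AP, C1, C2 = "00:02:2d:11:22:33", "00:02:2d:44:55:66", "00:02:2d:44:55:70"
RATES = ie(1, b"\x82\x84\x8b\x96")
SAMPLE_FRAMES = [
    mgmt_frame(BEACON, BCAST, AP, AP, bytes(12) + ie(SSID_IE, b"") + RATES),   # hidden SSID
    mgmt_frame(PROBE_REQ, BCAST, C1, BCAST, ie(SSID_IE, b"corpnet") + RATES),  # C1 asks by name
    mgmt_frame(ASSOC_REQ, AP, C1, AP, bytes(4) + ie(SSID_IE, b"corpnet") + RATES),
    data_frame(1, 0, AP, C1, "00:02:2d:99:99:99"),                             # C1 -> AP
    data_frame(0, 1, C2, AP, "00:02:2d:99:99:99"),                             # AP -> C2
    data_frame(0, 1, BCAST, AP, AP),                                           # AP broadcast
]
```

Run survey(SAMPLE_FRAMES): the beacon alone yields the BSSID and nothing
else, the probe request and association request give up "corpnet", and the
data frames give up C1 and C2 as the station MACs to clone.  Nothing in the
listener ever transmits, which is the point of the thread.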



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
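The NetBIOS point in the message above (broadcast name resolution leaking
login names and machine names) is easy to see once the packets are decoded.
This is an added example written for this page, not code from the thread.
It assumes NetBIOS Name Service datagrams (UDP port 137) as captured on the
segment or off the air; the packets, the machine name WKS-FINANCE, the user
name JSMITH, the share server FILESRV and the IP address are all constructed
in-line.

```python
"""NetBIOS name service (UDP 137) chatter as seen by a passive listener.

Added example, not from the original thread. Packets are constructed
in-line; machine, user and server names and the IP address are made up.
"""
import struct

OPCODE_QUERY, OPCODE_REGISTRATION = 0, 5
NB_TYPE, IN_CLASS = 0x20, 1
SUFFIX_ROLE = {                                  # 16th byte of a NetBIOS name
    0x00: "workstation", 0x03: "messenger", 0x20: "file server",
    0x1b: "domain master browser", 0x1c: "domain controller",
    0x1d: "master browser", 0x1e: "browser election",
}

def encode_name(name, suffix):
    """First-level encoding: 15 chars space-padded + suffix byte, each nibble as 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)]) for b in raw)
    return b"\x20" + enc + b"\x00"

def decode_name(buf, off):
    """Decode the encoded name at buf[off]; return (name, suffix, offset after the name)."""
    if buf[off] != 32:
        raise ValueError("unexpected NetBIOS label length")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    off += 33
    while buf[off]:                              # skip scope labels, if any
        off += 1 + buf[off]
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off + 1

def build_nbns(txid, opcode, name, suffix, ip=None):
    """Broadcast name query (opcode 0) or name registration request (opcode 5)."""
    flags = (opcode << 11) | 0x0110              # RD and B (broadcast) bits
    arcount = 1 if opcode == OPCODE_REGISTRATION else 0
    pkt = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    pkt += encode_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)
    if arcount:                                  # additional record carries the owner's IP
        pkt += encode_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
        pkt += b"\x00\x00" + bytes(int(x) for x in ip.split("."))
    return pkt

def parse_nbns(pkt):
    """Return opcode, broadcast flag and every (name, suffix, ip) record in the packet."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off, names = 12, []
    for _ in range(qd):
        name, suffix, off = decode_name(pkt, off)
        off += 4                                 # QTYPE + QCLASS
        names.append((name, suffix, None))
    for _ in range(an + ns + ar):
        name, suffix, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        ip = ".".join(str(b) for b in rdata[2:6]) if rtype == NB_TYPE and rdlen >= 6 else None
        names.append((name, suffix, ip))
    return {"txid": txid, "opcode": (flags >> 11) & 0xF,
            "broadcast": bool(flags & 0x0010), "names": names}

def harvest(packets):
    """What the broadcasts give away: machines with roles and IPs, and logged-in user names."""
    hosts, messenger = {}, set()
    for pkt in packets:
        for name, suffix, ip in parse_nbns(pkt)["names"]:
            if suffix == 0x03:                   # <03> is registered for the machine AND the user
                messenger.add(name)
                continue
            h = hosts.setdefault(name, {"ip": None, "roles": set()})
            h["roles"].add(SUFFIX_ROLE.get(suffix, f"<{suffix:02x}>"))
            h["ip"] = ip or h["ip"]
    users = {n for n in messenger if n not in hosts}   # <03> names that are not machines
    return hosts, users

# --- constructed sample traffic: one Windows box booting, then a share lookup ---
SAMPLE_PACKETS = [
    build_nbns(0x8001, OPCODE_REGISTRATION, "WKS-FINANCE", 0x00, "192.168.1.23"),
    build_nbns(0x8002, OPCODE_REGISTRATION, "WKS-FINANCE", 0x20, "192.168.1.23"),
    build_nbns(0x8003, OPCODE_REGISTRATION, "WKS-FINANCE", 0x03, "192.168.1.23"),
    build_nbns(0x8004, OPCODE_REGISTRATION, "JSMITH", 0x03, "192.168.1.23"),
    build_nbns(0x8005, OPCODE_QUERY, "FILESRV", 0x20),
]
```

harvest(SAMPLE_PACKETS) returns the machine name, its IP, the fact that it
offers file sharing (<20>), the name of a share server someone is looking
for, and JSMITH as the logged-in user, all from broadcasts the listener
never had to answer.  The <03> registration is the one to watch: Windows
registers it for the machine name and again for the user name, so any <03>
name that is not also a <00> workstation name is a login name.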
