how reassuring this is ..
WPA PEAP wifi is so rare that im sure that the world must be at peace if this is all ther is to report. Does anyone here use PEAP ? most people have never heard of it. The fact ther is a weakness in it mean FA to me.
Businesses using some of the more advanced methods for securing connections to Wi-Fi access points need to take a hard look at the configuration settings of client computers. So say researchers who have documented a simple way to impersonate trusted networks. The attack works on access points that use the Wi-Fi Protected …
It is used at the university I attend, and I suspect many Universities, Colleges, etc use it because it has the ability kick users off once they are no longer students or staff. This instead of a shared WPA passcode that can only be changed by disrupting every node. Smart businesses would use it so that they can control access to their network without having to change a WPA passcode every time an employee quits or is fired.
I might be guilty of removing validation of certificates, as I remember having configuration problems at first. Now I have to check; not that I have much at stake in it.
I have it deployed at several sites. The problem with validating certificates stems, I feel, mostly from the use of self-signed certificates. No one wants to spend the money on a real cert when "they don't have to," even though it can cost as little as $20 a year.
All of our deployments are Small Business Server 2003, which will generate a self-signed certificate by default. No biggie, since this cert can be deployed to all authorized domain clients. The problem comes into play when you want a guess to join the network. But, frankly, guests shouldn't be using your main network, let alone be given .1x credentials.
Also, you can push out wireless restrictions via Group Policies, which helps maintain control over misconfigurations.
As far as I can tell, I'm doing it right.
Paris, because as far as I know, she's doing it right.
If you read the original paper, this is actually able to be fixed with proper administration. You just need to make sure the supplicant (that means the program on the client that will do the connecting) checks the server certificate's validity. The fix (for MS at least) is even shown in the article.
I understand the point is to get the most people possible read the article...but I think the article reads too much like FUD.
Breaking a 256 bit key is not child's play, so long as there are not exploits in the algorithm. According to wikipedia "one would need a device consuming at a minimum 10 gigawatts (about the equivalent of eight large, dedicated nuclear reactors) running continuously for 100 years" to brute force a 128 bit key.
...is the fact that this isn't actually a crack of the security - it's an exploit of poor configuration. If stupid admins (and their equally stupid clients) weren't so stupid as to TURN OFF the security features for their network, this wouldn't even be worth noting. It's like padlocking a door but leaving a side window open - there's no breach of padlock security, but there's no point in having even bought a padlock if you don't know how to close your windows (no pun intended).
The very first problem which any attacker faces is how to get physical access to the secure data. ANY wireless technology, solves this problem just by being switched on. If it radiates, you can sniff it.
Furthermore, the attacker can listen to gigs and gigs of traffic over a long period of time (in cryptanalytic terms) and can take a good guess at the nature of the data. He can then use it to work on the statistics.
Even the most sophisticated protocols will eventually crack under such scrutiny and with the trade-offs between speed and security needed for acceptable performance, wireless protocols are not all that sophisticated.
If you have really valuable data—I mean really, really valuable—don't use a wireless network and make sure your LAN/WAN is physically secure. Then you can start thinking about protocols.
The most secure way of communication on a small network is bij wire. Nobody outside your wired network will know it is there, thus making it a less (if at all) likely candidate to intrusion. Wireless networks advertise themself (just start up your laptop, and you'll see what I mean), more or less inviting anyone to at least give it a try. Anyone familiar with a little training in Electronic Warfare can tell you that.
Unless there is a seriously compelling reason to set up wireless, I always recommend against it. Don't use it just because you can.
To those who say that this is not an issue as the problem goes away if the clients are configured properly:
Relying on client-side security is not a valid prospect. This is a weakness because someone with legitimate access to the network can change a setting they do not fully comprehend and unsuspectingly leak information thereby compromising your network, and as an administrator there is nothing you can do about it.
Simple answer? Don't use a wireless network or if you do ensure it has a different authentication to your core network and ensure that nothing of any interest can be accessed over it.
In the street I live, I'm not too worried about hacking, because there are now so many wireless networks in a small area that they all interfeare with each other. I can sit 6ft from my hub, and still not be able to connect to it.
In fact if I want to do anything serious in the evening I use a cable.
There are in fact 15 separate networks visible to me, of which 5 are unsecured, 7 are WEP and 3 are WPA. Apparently one of the unsecured ones isn't "bovverd".
A year ago there were 3, including me and "bovverd".
I think it's time for a new standard with more channels, and more ability to screen out local networks that aren't yours.
Meanwhile if you live in a narrow street of terraced houses, don't bother going wi-fi too much.
God help anyone who tried to use wireless video or audio streaming, they'll find they have bought an expensive bookend.
Does anyone know if limiting access by mac address can be compromised?
I understand that this data is not transmitted by the access point, hence difficult or impossible to collect the permitted address list & very unlikely to guess.
Although you could sniff the mac address from a connected client then spoof it!
MAC address based access controls are the simplest to get around! Seriously, do not use this with the expectation it will give you security. If you want security, treat it like you would treat the Internet - terminate in a DMZ, require 2 factor auth, use client-side agents with validation tools to identify user and device to the network before allowing out of the sandbox DMZ, use WPA TKIP /PEAP etc plus VPN software.
just my tuppence based on the networks I work with every day
A combination of MAC and WEP security is plenty to keep out someone just looking for a free Internet connection. There will always be a belkin54g on your site survey you could use. However WEP security is cracked in a couple of minutes with the right tool and MAC security simply requires some sniffing and a WiFi with a cloneable WLAN MAC address. Lots of these have the feature on their user interface.
It's worrying that a badly configured client could give away the keys to your network to a man-in-the-middle attacker. WPA and a Radius server is just the sort of security that a company would use. Anyone cracking that rather than connecting to the nearby belkin54g would be up to really bad stuff.
It makes sense to keep your power low and keep all Access Points on the ground floor or even the basement. If you have them high up in the building then even a little Edimax 7209 with standard 3db antenna can be used from 1km. Keeping your signal from straying from the building also helps with interferance, you don't get so swamped with everyone elses signal.
In theory MAC address filtering is great. As you say, the AP doesn't transmit anything, so there's nothing so snoop - until a valid client connects, and the packets have a valid MAC address stamped all over them. But of course, this doesn't matter as no-one can fake a MAC address, can they ;-)
I've moved over to 802.11n (draft) shiny apple airport running at 5GHz for the AppleTV & Macbook laptop access with a smidgeon of firewalled "internet sharing: ON" 802.11g from a USB stick transceiver for the various domestic NintendoDSL's, Nokia E65's , Vista Laptops which can't cope with advanced protocols reliably, so it seems, etcetera.
the 13 logical WiFi channels at 2.45GHz mostly overlap with effectively about 6 real (centre) frequencies. The 5GHz unlicensed band has a bit more space , at the moment, but Wimedia, WiMax etc are coming to steal some of that.
try using channel 13 as default, or buy some shiny fruit toys!
We'll all end up using UWB - ultrawideband , which is currently secure by obscure; by the way , did you know that the ultrawideband radar cross-section of a Mallard Duck is -20dB square metres, (0.02dBnanoWales) http://www.multispectral.com/pdf/UWBRadar.pdf
"While I hate to disparage the omnipotent Wiki, but since when did we measure computational power in Watts?"
"FLOPS per Watt" is certainly a major interest these days. Besides, this is El Reg. Did you expect sensible units?
My gripe with Wiki's example is that they let the computation run for 100 years. If they'd just sat on their arses for the first 50 years they could have bought a new machine and run the whole calculation in an afternoon.
My gripe with Doug Bird, who cited Wiki, is that the scaling of cracking time is, er, non-linear. Doug surely knows this, because the Wiki page he quotes from (http://en.wikipedia.org/wiki/Brute_force_attack) makes this quite clear. Some of the other people posting here seem to think that 256-bit keys will be crackable by ordinary PCs within a few years. They should read the Wiki page and learn.
Not checking the validity of server certificates is transparent to whether you are shopping/banking online, logging into the SSL/TLS VPN, or using WPA-TLS. The media (wireless, wired, etc.) is also transparent at that level (see OSI model for a framework).
I believe your "simple answer" should be to no longer use SSL or TLS, or for that matter any technology that requires certificates (see PKI).
There is a valid argument about client-side security, but your post only displays a misunderstanding of the real issues involved in both the "client-side security" and "WPA-TLS" issues.
"Does anyone know if limiting access by mac address can be compromised?"
Ahahahahaha ..... oh ..... excuse me ..... got to pick my tits up off the floor .....