The Professional Security Testers Warehouse for the CEH V7 GPEN CPTS CREST GCIH GREM OPST: Wireless Vulnerability
Wi-Fi Alliance Expands WPA2 to include EAP-AKA, EAP-FAST Posted by cdupuis on Wednesday, 29 July 2009 @ 18:16:03 EDT (2250 reads) Topic Wireless Vulnerability
Yesterday the Wi-Fi Alliance announced an expanded testing regimen for WPA2 including the EAP-AKA and EAP-FAST authentication methods: http://www.wi-fiplanet.com/news/article.php/3831746

When I was working at Aruba Networks, I spoke up against the inclusion of EAP-FAST in WPA2. While EAP-FAST can be a very secure protocol, it suffers from a PAC provisioning security weakness. With EAP-FAST, each client needs a Protected Access Credential (PAC) for authentication. The PAC is unique for each device on the network. The long-standing challenge with EAP-FAST is how to get the PAC to the end-user. You can generate a PAC and sneaker-net it to the client, but this doesn't scale very well. You can deliver the PAC through Active Directory or some other management mechanism, but this assumes you have some network access in the first place (which doesn't work for the all-wireless office concept). Cisco's solution is to use EAP-FAST Phase 0, which uses anonymous Diffie-Hellman authentication* (meaning an attacker can impersonate the AP and RADIUS server, getting access to inner authentication credentials such as MS-CHAPv2 for a short time). Cisco advises customers to turn on EAP-FAST Phase 0 for a short time until all the PACs are provisioned, acknowledging a short period of vulnerability. In my experience, organizations might turn off anonymous PAC provisioning until they have a new batch of wireless clients to authorize; then it gets turned back on and left on.

EAP-FAST can be a very secure protocol, and in Cisco's defense there isn't an easy answer to the problem of "secure and simple authentication with no certificates, kthxbye". For me, the Wi-Fi Alliance has to look at the whole picture of a given EAP method, and certify only those that have a well-rounded security picture, from provisioning to revocation and everything in-between.

I'm disappointed that EAP-FAST will get more traction as a result of this change, as I think it's a negative as far as wireless security is concerned (but hey, it keeps me employed as a penetration tester).

-Josh

p.s. On Thursday I'm delivering a webcast on "Budget Wireless Assessment Using Kismet Newcore". Attendees will also get a 10% discount on my upcoming SANS Ethical Hacking Wireless class, details at https://www.sans.org/webcasts/show.php?webcastid=92713.

* To be fair, you can also use PKI configured on the client and PAC server to protect the PAC provisioning process ... but then you would just use PEAP and not bother with EAP-FAST.
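The "turned back on and left on" condition Josh describes is a configuration state you can audit. The check below is an added example, not code from the post or from Cisco; it assumes hostapd's integrated EAP server (the one EAP-FAST server whose option names I know), where `eap_fast_prov` selects the provisioning mode and the sample configs, key and paths are constructed placeholders.

```python
"""
Added example: audit the EAP-FAST provisioning settings in a hostapd.conf.
hostapd's eap_fast_prov selects the provisioning mode: 0 = disabled,
1 = anonymous only, 2 = authenticated (server certificate) only, 3 = both,
which is hostapd's default. Modes 1 and 3 accept the unauthenticated
Phase 0 exchange, so a provisioning window left open shows up as
eap_fast_prov=1, eap_fast_prov=3, or no eap_fast_prov line at all.
"""

ANON_MODES = {1, 3}     # modes that accept anonymous (unauthenticated DH) provisioning
DEFAULT_PROV = 3        # hostapd's default when eap_fast_prov is absent


def parse_hostapd_conf(text: str) -> dict:
    """key=value lines; blank lines and # comments ignored; later keys override earlier ones."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_eap_fast(text: str) -> list:
    """Return (severity, message) findings; an empty list means nothing to fix."""
    conf = parse_hostapd_conf(text)
    if conf.get("eap_server") != "1":
        return [("info", "eap_server is not enabled; EAP-FAST is not served from this config")]
    findings = []
    raw = conf.get("eap_fast_prov", str(DEFAULT_PROV))
    prov = int(raw) if raw.isdigit() else DEFAULT_PROV
    if "eap_fast_prov" not in conf:
        findings.append(("high", "eap_fast_prov not set; hostapd defaults to 3, "
                                 "which allows anonymous PAC provisioning"))
    elif not raw.isdigit():
        findings.append(("high", f"eap_fast_prov={raw!r} is not a number; hostapd would reject it"))
    elif prov in ANON_MODES:
        findings.append(("high", f"eap_fast_prov={prov} allows anonymous PAC provisioning; "
                                 "set 2 (authenticated) or 0 once every client holds a PAC"))
    if prov == 2 and not (conf.get("server_cert") and conf.get("private_key")):
        findings.append(("high", "authenticated provisioning needs server_cert and private_key"))
    if not conf.get("pac_opaque_encr_key"):
        findings.append(("high", "pac_opaque_encr_key missing; hostapd cannot issue PACs"))
    if not conf.get("eap_fast_a_id"):
        findings.append(("medium", "eap_fast_a_id missing; clients cannot bind PACs to this authority"))
    return findings


# Constructed sample configs: placeholder A-ID, key and certificate paths, not a real deployment.
WEAK_CONF = """
interface=wlan0
ieee8021x=1
eap_server=1
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
# provisioning window opened for a batch of new laptops and never closed
eap_fast_prov=3
"""

FIXED_CONF = """
interface=wlan0
ieee8021x=1
eap_server=1
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
# clients verify the server certificate before any PAC is handed out
eap_fast_prov=2
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_eap_fast(conf) or "OK")
```

Run it against a real hostapd.conf by reading the file into `audit_eap_fast`; the "fixed" configuration still needs the provisioning mode set back to 0 once the client batch is done, which the post's footnote notes is the point at which PEAP would have done the same job.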
Updated release of OSWA-Assistant Wireless Auditing/Pentesting LiveCD/LiveUSB Posted by cdupuis on Wednesday, 29 July 2009 @ 07:20:39 EDT (2371 reads) Topic Wireless Vulnerability
Hello everyone, I would like to announce the release of the latest beta version (0.6) of wepbuster.
This version now works with the unmodified aircrack-ng programs. It requires at least the latest svn version of aircrack-ng 1.0 (rc4). With very few modifications, this could also work with older versions of aircrack-ng. Other requirements can be found in the README.TXT and the project page.

Among the changes since the previous version (0.5):
- now works with unmodified aircrack-ng programs (airodump-ng, aircrack-ng, aireplay-ng)
- better sorting; added packet loss; the number of packets to send when sorting can also be set
- all skipped APs are displayed at the bottom (no more annoying "Skipping..." messages)
- fixed the "Ping failed again!" error appearing even when DHCP hadn't been tried yet
- log files are created for the rebroadcast and fragmentation attacks so progress can be seen in real time
- added a setting for the number of packets to try for the fragmentation attack

See the CHANGELOG for more details. As usual, the project page is at http://code.google.com/p/wepbuster/ and the source can be downloaded from http://code.google.com/p/wepbuster/downloads/list, which is also viewable in your browser via http://code.google.com/p/wepbuster/source/browse/#svn/trunk

I hope you're having as much fun using this tool as I am improving it.
Thank you for your bug reports and suggestions.
Keep them coming! ciao! -mark
Official release of "Keykeriki" open source wireless keyboard sniffer Posted by cdupuis on Tuesday, 16 June 2009 @ 15:03:12 EDT (1920 reads) Topic Wireless Vulnerability
Anonymous writes "Hi everyone, I would just like to officially announce the release of our wireless keyboard sniffer Keykeriki. In addition to the official press release:
Website: http://www.remote-exploit.org/Keykeriki.html
A video with some demonstration is available on the website as well. Contact: hardhack@remote-exploit.org
The first lot of pre-fab PCBs will arrive by the end of this week. Stay tuned... Max Moser

So here is our press release:

“Keykeriki” – Dreamlab Technologies and remote-exploit.org develop the first open 27 MHz wireless keyboard sniffer. It sniffs and records the signal of wireless keyboards and demonstrates their security risk level. It can also be used to demonstrate hacking attacks for educational purposes.

Wireless keyboards are very popular in many offices and private homes. Even in the front office section of banks, they are frequently used. But they represent a big security risk – as Dreamlab Technologies already pointed out in a white paper published in 2007.

Wireless keyboards are risky because they transmit a radio signal that is not sufficiently protected. The newly developed portable universal receiver sniffs and records the signal of wireless keyboards and demonstrates their security risk level.

The Keykeriki software and construction plans for the hardware are freely available online at www.remote-exploit.org.

Hardware
The hardware needs to be portable and small and able to adapt to future needs. Keykeriki is therefore built around a Texas Instruments TRF7900 chip controlled by an ATMEL ATMEGA microcontroller.
For logging, an SD card interface is built into the board layout, as well as an additional USART channel for future hardware extensions (“backpacks”). The whole board can be powered directly via the USB bus or a stable 5V power source.
When connected to a computer’s USB port, one can use either a decent terminal application or the keykeriCTL software which is included in the software package of this project. All the schematics can be downloaded in Eagle and PDF format as part of the project’s software package.
Fully equipped boards will be provided in the near future.

Software
Because of the flexible hardware design, most features can be built in by software. This first release contains (among other features) radio frequency switching, signal strength display, deciphering of encryption, and sniffing and decoding of keystrokes of Microsoft 27 MHz based keyboards.

Extensions
Hardware extensions are easy to realize because two different interfaces, a second USART and I²C/TWI and SPI, are externalized. Therefore so-called Backpacks, e.g. an LCD display controller, can be connected using the USART interface.

The Future
Future extensions include amplification for antennas, support of other Microsoft keyboards and products of other producers, the constant amelioration of hardware and software, and the parallel handling of several keyboards. Furthermore, a Keykeriki able to send mouse and keyboard signals is intended.

Technical details can be found online: www.remote-exploit.org.

About Dreamlab
Dreamlab Technologies AG is an internationally operating company specialized in IT security. Established in 1997, Dreamlab Technologies performs high-end security tests, consulting and education, and realizes solutions based on “best-in-class” open standard technologies. Dreamlab Technologies is an official education partner and representative of ISECOM (Institute for Security and Open Methodologies) for France, Germany and Switzerland. ISECOM is the editor of OSSTMM, today’s most popular security audit methodology."
Russian researchers achieve 100-fold increase in WPA2 cracking speed Posted by cdupuis on Sunday, 26 October 2008 @ 23:46:35 EDT (2419 reads) Topic Wireless Vulnerability
Russian researchers achieve 100-fold increase in WPA2 cracking speed Oct.12, 2008 in Security
http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/
Russian security company Elcomsoft just posted a press release detailing a new method to crack WPA and WPA2 keys:
With the latest version of Elcomsoft Distributed Password Recovery, it is now possible to crack WPA and WPA2 protection on Wi-Fi networks up to 100 times quicker with the use of massively parallel computational power of the newest NVIDIA chips. Elcomsoft Distributed Password Recovery only needs a few packets intercepted in order to perform the attack.
The 100-fold increase in speed is achieved with two GeForce GTX280s per workstation; for €599 you can build a network of 20 workstations dedicated to “recovering” your “lost” WPA keys. This means that a WPA or WPA2 key could be cracked in days or weeks instead of years.
This has prompted security firm GSS to advise their clients to add an additional layer of protection to their Wifi networks:
“This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data,” said GSS managing director David Hobson. “As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.”
But the question remains how long it will take until the next generation of GPUs or custom-designed chips will break VPN encryption as well. DES encryption can already be broken quite easily with custom-built machines, and while AES appears to be better on paper, there is no guarantee that there isn’t some hidden flaw in the algorithm. GSS agrees:
Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy.
Update: This will, of course, mainly affect simple ASCII keys. And it will only work against static keys; anyone using more complicated authentication schemes will not be at risk for now. But since that takes a couple of extra minutes when installing, smaller businesses or departments often skip setting this up.
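The derivation the guesser has to repeat per candidate, and the arithmetic behind the update's "simple ASCII keys" remark, as an added example (not from the article or from Elcomsoft). The PMK derivation is the IEEE 802.11i one; the guess rates are assumed figures, and `compare_rates` applies the 100x speedup the article reports to them.

```python
"""
Added example: WPA/WPA2-PSK key derivation and passphrase keyspace estimates.
Per IEEE 802.11i, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
32 bytes). The 4096 iterations are a fixed per-guess cost that a faster GPU
simply amortises, so passphrase length and alphabet are the defender's lever,
and moving off a static PSK to 802.1X removes the target altogether.
"""
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> str:
    """Pairwise Master Key (hex) exactly as a WPA/WPA2-PSK station derives it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of passphrases of a given length over a given alphabet."""
    return alphabet_size ** length


def worst_case_years(space: int, guesses_per_second: float) -> float:
    """Years to exhaust a keyspace at a given rate; an average hit takes half, a dictionary hit far less."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, guesses_per_second: float, target_years: float) -> int:
    """Smallest random-passphrase length whose full keyspace takes at least target_years to exhaust."""
    needed = guesses_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def compare_rates(base_rate: float, speedup: float = 100.0) -> dict:
    """Worst-case years per passphrase class at base_rate and at base_rate * speedup."""
    classes = {
        "8 lowercase letters": keyspace(8, 26),
        "8 mixed-case letters and digits": keyspace(8, 62),
        "20 random printable ASCII": keyspace(20, 95),
    }
    return {name: (worst_case_years(s, base_rate), worst_case_years(s, base_rate * speedup))
            for name, s in classes.items()}


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE"))
    for name, (before, after) in compare_rates(1_000.0).items():   # 1000 guesses/s is an assumed baseline
        print(f"{name:34s} {before:12.3g} y -> {after:12.3g} y")
    print("minimum random length (lowercase, 1e5 guesses/s, 1 year):", min_length_for(26, 1e5, 1.0))
```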
MoocherHunter Tool released for Real-Time Geo-Locating of WiFi Hackers/Mooche Posted by boss on Friday, 23 May 2008 @ 22:15:13 EDT (10219 reads) Topic Wireless Vulnerability
Anonymous writes "Singapore, May 20, 2008 -- ThinkSECURE Pte Ltd (www.securitystartshere.org) today announced the official public release of MoocherHunter™, ThinkSECURE's free-for-end-user-use real-time WiFi moocher/hacker tracking tool.
"We developed MoocherHunter™ with two key purposes in mind: first, to assist law-enforcement officers in hunting down unauthorized WiFi users in real time, and second, to enable any owner of an 802.11-based wireless access point to identify whether an unauthorized person is using their access point and give them that same capability to hunt down those unauthorized users," said Mr. Julian Ho, ThinkSECURE's co-founder.
Completely designed from the ground up with purely in-house code, MoocherHunter™ was first demonstrated to ASEAN, Interpol and S.E.Asian law-enforcement officers during a closed-door, invitation-only workshop hosted by the Singapore Police Force in early 2008.
During developmental field tests in March 2008, a single ThinkSECURE employee armed with MoocherHunter™ and a directional antenna was able to isolate and geographically locate, with an average accuracy of under 2 meters, the physical position of a wireless moocher associated with a test access point across different multi-storied-multi-tenanted residential and office environments within an average of 30 minutes of initial detection.
"With MoocherHunter™, the physical disconnect between the wireless network infrastructure and the wireless moocher or hacker, which has been used by various individuals as a shield to mask illicit activities involving wireless networks such as warez-downloading, illegal-file-sharing, seditious forum postings and so on, is no longer a defence," said Mr. Ho.
"Our approach in designing MoocherHunter™ rectifies the weaknesses inherent in previous attempts to address geo-location of unauthorized wireless users which relied on static-positioned access points or expensive commercial handheld PDA devices with ineffective non-directional antennae. MoocherHunter™ is available as part of our free-to-use OSWA-Assistant™ wireless auditing and penetration-testing toolkit which can be used on a user's existing laptop...and free is always a good value proposition," Mr. Ho added.
MoocherHunter™ is available in the latest release of the OSWA-Assistant™, ThinkSECURE Pte Ltd's free-for-download wireless auditing and penetration-testing liveCD toolkit. The toolkit can be downloaded from http://oswa-assistant.securitystartshere.org .
For more details, or if you are a law-enforcement official or anyone who wants formal training on how to effectively deploy and use MoocherHunter™, please visit http://moocherhunter.securitystartshere.org ."
Anonymous writes "Folks,
I'm pleased to announce that I've finally got around to releasing PC/SC support for RFIDIOt. This means you can use lower cost reader/writers that are also much easier to find (although at the moment there are limitations as to what you can do with them, so they are not a complete alternative).
So far I've only tested the Omnikey Cardman 5321, which is a 13.56MHz device, and am able to access things like e-passports, Mifare cards and ISO 15693 (commonly used in ticketing and hotel doors etc.).
No doubt there are some simple tweaks that would enable more of the other test programs to work but I felt there was enough here to get people started so didn't want to delay the release any further...
Full list of changes in this release:
v0.p:
- add PCSC support (see http://pyscard.sourceforge.net/) [hints/tips/inspiration Henryk Plötz]
- fix cardselect.py and multiselect.py to check for presence of card
- fix 'waitfor/do nothing' in RFIDIOt.py [Philippe Biondi]
- cleaner check digit calc in mrpkey.py [Philippe Biondi]
- change -r to -R (reader type) to allow -r to be used for PCSC compatibility
- add speed/framesize reporting to mrpkey.py
- increase MAX read chunk size to 118 in mrpkey.py (needs fixing to go up to device supported size ISO_FRAMESIZE)
- fix bit alignment issue in FDXBID encoding/decoding [Matsche]
- add global uid variable
- add locked block reporting to readmifare
- add readmifaresimple.py
Full details here:
http://rfidiot.org
enjoy, Adam -- Adam Laurie Tel: +44 (0) 1304 814800 The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899 Ash Radar Station Marshborough Road Sandwich mailto:adam@thebunker.net Kent CT13 0PL UNITED KINGDOM "
Anonymous writes "Security: Cracking Cisco LEAP with ASLEAP
This is a 14 minute video well worth viewing for anybody who wants to learn more about WLAN security or needs to understand how their networks might be vulnerable. Learn how hackers work so you can protect your network!
This video was created by wireless guru Devin Akin, CTO of CWNP. Watch the 30 second preview at the URL below, then buy the entire video for $4.99.
Check it out now

New: Wi-FiGurus.com
Wi-FiGurus (www.wi-figurus.com), the Community of Wi-Fi Professionals, is now offering free access to Wireless LAN Concepts, a comprehensive video based e-learning course, and Top 25 Wi-Fi Tutorial Pack, a PDF download, for its registered users. The Wi-FiGurus site includes regularly updated podcasts, interviews, tutorials, online video based training, quizzes, quick tips, news and more. Users can not only comment, rate and vote on the content posted on the site but also build and showcase their profile, submit their own content for publication, and network with other users on the site.
Visit Now

New White Paper: Intel/Cisco WLAN Deployment Guide
In a new white paper co-sponsored by Intel and Cisco, the two tech giants both recommend training and certification for wireless, and specifically training and certification from CWNP.
Read this new 32 page white paper and discover the Six Phases of Wireless Deployment.
Read Now

Tutorial: Learning to Share Your Wi-Fi
In any given location, chances are that personal Wi-Fi networks outnumber hotspots. So wouldn't it be nice if some of those private networks were made available for use by people who need Internet access?
Read Now

Recertify and save 20% on your exam.
If you earned one of your CWNP Certifications before September 2004, you will need to recertify soon. Login to the CWNP Tracking System to find your recertification date.

Upcoming Classes
Here is a sample list of upcoming CWNP Classes. Check here for a full list.
LEVER Technology Group, PLC | CWSP | 20-Aug-2007 | London, GREAT BRITAIN
AirSpy/SpectraLink | CWNA | 13-Aug-2007 | Atlanta, Georgia USA
C3-Wireless | CWNA | 23-Jul-2007 | Melbourne, Florida USA
Eight-O-Two Technology Solutions | CWNA | 21-Aug-2007 | San Diego, California USA
Integrated Digital Technologies | CWNA | 23-Jul-2007 | Pasadena, California USA
Security University | Bootcamp | 14-Jul-2007 | Vienna, Virginia USA
Wavegard, Inc. | CWNA | 20-Aug-2007 | Baltimore, Maryland USA
Comsec Wireless | CWNA | 06-Aug-2007 | Anchorage, Alaska USA
Globeron | Bootcamp | 13-Aug-2007 | SINGAPORE
itMasterclass.nl | CWNA | 01-Oct-2007 | Leusden, Utr NETHERLANDS "
SSID Cloaking actually reduces your WIFI security Posted by boss on Monday, 05 March 2007 @ 21:40:31 EST (1643 reads) Topic Wireless Vulnerability
cdupuis writes "NOTE FROM CLEMENT: Here is a repost of a great post from my friend Joshua Wright on the wifi security mailing list.
While many networks use SSID cloaking as a mechanism to improve the security of the network, I believe it actually reduces the security of the network substantially.
I wrote an article for Network World that was posted today about this issue:
http://www.networkworld.com/columnists/2007/030507-wireless-security.html
The most significant issue is that with the recent Windows XP SP2 hotfix KB917021, the preferred network list for WZC allows users to specify "Connect even if this network is not broadcasting". When this option is selected (not the default), stations will look for the network with directed probe requests (disclosing the SSIDs in the PNL, and exposing the station to KARMA and Hotspotter attacks).
When the option is not on, the station will only connect when it observes the SSID in beacons and in responses following a broadcast probe request frame. Of course, if the SSID is cloaked, the station will be unable to connect, forcing them to use the "Connect even if ..." option and exposing them to KARMA attacks.
This hotfix has not yet been distributed as part of the automatic update service from Microsoft. Several other facets of WZC have changed with this update, including how ad-hoc networks are started, to mitigate the spread of the "Free Public WiFi" phenomenon. If you are responsible for Windows XP wireless stations and you haven't read up on this hotfix yet, take a few minutes to do so: http://support.microsoft.com/kb/917021.
On an unrelated note, dragorn and I will be presenting at Shmoocon this year about LORCON, our framework for experimentation in wireless networks. If anyone is going to be at Shmoocon and wants to grab a drink or something, drop me a note.
- -Josh "
WCCD Vulnerability Update (10 August 2006) Posted by boss on Friday, 11 August 2006 @ 09:50:01 EDT (1320 reads) Topic Wireless Vulnerability
Anonymous writes "WCCD Vulnerability Update: (10 August 2006)
The latest Intel® PRO/Wireless 2200BG driver, version 9.0.4.17 (dated 26 June 2006), downloaded from Intel's website is STILL affected by the WEP Client Communications Dumbdown vulnerability.
Tested using Windows XP SP2 zeroconfig.
More details at: http://securitystartshere.net/page-vulns-wccd.htm "
cdupuis writes "NOTE FROM CLEMENT: A great webcast you do not want to miss. My friend Joshua Wright will be talking about emerging wireless attacks. Joshua is a god at finding wireless vulnerabilities. A webcast worth watching for sure. Here is Josh's email about it, followed by the formal announcement:
I'm participating in a webcast next week to talk about some research I've been doing on emerging 802.11 attacks with colleagues from Juniper and IGX.
The marketing people at Aruba say I have to spend a few slides talking about our products, but then my material is all wireless-attacks, I promise. :)
Specifically, I'm going to talk about attacking preferred network lists with KARMA, hotspot injection attacks with AirPWN and 802.11 protocol fuzzing research.
I've also seen the slides from Bob Spognardi at Juniper and I'm personally excited to hear what he has to say about federal data privacy requirements and wireless networking.
If you are interested in catching the webcast, you can sign up at www.ihavebeenhacked.com (no, really).
Thanks, Josh
Here is the formal announcement: Please join your peers and the members of igxglobal, Aruba and Juniper Networks for a Live Lunch and Learn Webinar:
* igxglobal will discuss identification and mitigation of vulnerabilities over the air and best practices.
* Juniper Networks will talk about their Funk Software product securing wireless LAN and data privacy.
* Aruba will talk about Emerging 802.11 Attacks.
Mr. Barry Johnson, igxglobal's Director of Threat Mitigation, will share his extensive 15 year experience in assisting major corporations as well as the government sector in developing, implementing and educating clients on security risks, compliance and regulatory standards such as GLBA, HIPAA, SOX, PCI and others to assist in securing their IT environments.
Mr. Bob Spognardi, Northeast Sales Manager from Juniper Networks, brings an extensive background in the security arena and is now passionately representing Funk Software. Mr. Spognardi has worked in sales for information security companies for the past 10 years. Since 2002, he has been the northeast sales manager for Funk Software (now Juniper Networks). Before Funk, he worked in sales for Sonicwall, Netscreen and RSA Security.
Mr. Josh Wright is a Senior Security Architect for Aruba Networks and the author of several open-source wireless security assessment tools designed to illustrate and raise awareness of common vulnerabilities in wireless networks. His current assignment includes research into new techniques used by attackers to compromise the security of wireless networks including IEEE 802.11 and Bluetooth LANs. When not breaking wireless networks, he practices Aiki-Jutsu, where he tries not to break things.
About igxglobal: Go to www.igxglobal.com
About Juniper Networks: Go to www.juniper.net
About Aruba: Go to www.arubanetworks.com
If you have any questions please contact Katarina Almqvist at Phone: 201-615-3458, E-mail: kalmqvist@igxglobal.com, or Website: www.ihavebeenhacked.com
When: Wednesday June 14th, 12.00 - 1.00pm
Attendees will have the chance to win a free external scan for up to 6 IP addresses, an iPod or a $200 American Express Gift Certificate at the end of the Q/A Session.
Agenda:
12.00 pm - 12.05 pm Webinar Introduction by Victor Machado, Security Sales Professional, igxglobal.
12.05 pm - 12.20 pm Identity & Information Theft over the Air and Best Practices. Speaker: Barry Johnson, Director of Threat Mitigation, igxglobal.
12.20 pm - 12.35 pm Secure Wireless LAN Authentication and Data Privacy. Speaker: Bob Spognardi, Northeast Regional Sales Manager, Juniper Networks.
12.35 pm - 12.55 pm Emerging 802.11 Attacks. Speaker: Josh Wright, Senior Security Architect for Aruba Networks.
12.55 pm - 01.00 pm Questions & Answers with Victor Machado, igxglobal, Juniper and Aruba. "
NIST Guide to IEEE 802.11i Robust Security Networks Posted by boss on Tuesday, 06 June 2006 @ 09:03:48 EDT (1224 reads) Topic Wireless Vulnerability
cdupuis writes "June 5, 2006
NIST Draft Special Publication 800-97, Guide to IEEE 802.11i: Robust Security Networks
Adobe PDF: http://csrc.nist.gov/publications/drafts/Draft-SP800-97.pdf (4.52 MB)
Zipped Adobe PDF: http://csrc.nist.gov/publications/drafts/Draft-SP800-97_pdf.zip (3.52 MB)

NIST is pleased to announce the release of draft Special Publication (SP) 800-97, Guide to IEEE 802.11i: Robust Security Networks. SP 800-97 provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security.

IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle.

The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.

NIST requests comments on NIST SP 800-97 by July 7, 2006. Please submit comments to 800-97comments@nist.gov with "Comments SP800-97/802.11i" in the subject line."
Practical Wireless Deployment Methodology (PWDM) Posted by boss on Thursday, 19 January 2006 @ 08:22:32 EST (1342 reads) Topic Wireless Vulnerability
Anonymous writes "Hi Everyone,
We've launched a hardware-neutral wireless deployment/upgrading methodology at http://www.pwdm.net and would like some feedback on whether it is useful to you and how we can make it more so.
The PWDM (Practical Wireless Deployment Methodology) is a practical, vendor-independent, high-level framework/methodology which is intended to help people who are tasked with deploying, upgrading, maintaining & securing 802.11-based WLANs, irrespective of whether they are private (SOHO, enterprise, home) or public (hotspots) in nature.
The methodology comprises the following steps:
* Deployment Analysis
* Contractual Negotiation
* Deployment Tactical Planning
* Deployment Procedural Rollout
* Supporting Infrastructure Rollout
* AP Security Issues
* Layer 3 Mitigation Strategies
* Management Overlay
* Gateway Security
* UAT & Commissioning
If you're interested in taking a look, you can download the current version of the PWDM (ver 1.4) at http://www.pwdm.net"
WEP Client Communication Dumbdown (WCCD) Vulnerability Posted by boss on Monday, 16 January 2006 @ 16:54:13 EST (1763 reads) Topic Wireless Vulnerability
Anonymous writes "ThinkSECURE Pte Ltd (http://www.securitystartshere.net) has released details of a client-side wireless vulnerability which affects wireless users who are still using WEP.
More details including mitigation actions are available at our website at: http://www.securitystartshere.net/page-vulns-wccd.htm
### Vulnerability Name ###
WEP-Client-Communication-Dumbdown (WCCD) Vulnerability
### Vulnerability Description ###
ThinkSECURE has discovered that certain well-known wireless chipsets, using vulnerable drivers under the Windows XP operating system and when configured to use WEP with Open Authentication, can be tricked by an 802.11-based wireless client adapter operating in master mode ("the attacker") into discarding the WEP settings and negotiating a post-association connection with the attacker in the clear.
We have named this the "WEP-client-communication-dumbdown" (WCCD) vulnerability.
This vulnerability is apparently not due to Windows itself but due to the operation of the drivers for the affected wireless cards. However, this does not discount a situation where a patch could be released by Microsoft to deal with the problem on the chipset makers' behalf. Again, this is apparently NOT a Windows problem but a wireless chipset driver-related one.
End-users of the system would not notice any difference about the clear connection that was being established. Although WPA/2 & WPA-PSK have been out for some time now, in our experience there is still a large installed client base who are still using WEP-enabled Access Points and thus have WEP-enabled profiles setup in their laptops. This installed base is vulnerable.
### Vulnerability Impact ###
The vulnerability was observed in a Windows XP wireless client configuration with the vulnerable drivers and with the following setups:
1. Profile configured using Windows XP zero configuration as well as using the vulnerable drivers' bundled wireless client managers;
2. Profile configured to use WEP with a static WEP key & Open Authentication.
Using ThinkSECURE's recently-released security auditor's tool - probemapper - one can remotely evaluate the SSID and capabilities of wireless profiles from probe requests and assess whether the subject is probing for any Open-Authentication-WEP-encryption-enabled wireless networks.
When a Windows XP client using a vulnerable chipset driver is configured as outlined above via their wireless profiles ("the victim"), the victim will send out probe requests bearing the SSID configured in the wireless profile.
An attacker who detects the probe request frames coming from the configured profile can configure a master-mode-enabled wireless card with the detected SSID of the probe request frames and, using Open Authentication with no-encryption, send probe responses to the victim.
The victim will then initiate authentication and association, sending an association request frame with the Privacy Bit set to 1 (AP/STA can support WEP).
The attacker returns an association response frame with Privacy Bit set to 0 (AP/STA cannot support WEP).
Although the correct behavior should be to not establish any communication due to the difference between association request and response Privacy Bits, the victim "dumbs-down" and establishes an un-encrypted communications session to match the attacker's Privacy Bit setting of 0, thus ignoring the WEP settings as configured in the client's profile. All traffic to & from this connection will be sent in the clear.
A victim who has a vulnerable wireless network at home and brings a laptop bearing the profile of said home wireless network to his/her organization and plugs in using a wired connection may be attacked in this manner and used as a conduit by the attacker, through the bridging of the laptop's wireless interface to the wired interface, to the victim's organization's wired network, thus bypassing corporate perimeter defences. It is irrelevant that the organization does not use wireless or has a no-wireless policy if that policy is not strictly enforced through proactive checking.
Also, firewalling on the victim's laptop might not guarantee safety in certain cases: e.g. the attacker issues an IP address and gateway address to the victim in response to the victim's typical DHCP request upon association so as to fool the victim's machine into forwarding all traffic to the attacker's machine. The result is that, when the victim opens up a web browser for example, he will see a crafted page bearing malicious code on the attacker's machine which runs exploit code on the victim's machine (a good example being the recent WMF vulnerability) to give the attacker a reverse shell into the victim, where the attacker can then do the bridging of the interface or anything else he wants.
### Vulnerability Cause ###
In our testing, we have narrowed down the cause of the problem to the way certain chipset manufacturers' drivers for the Windows platform handle an association.
Affected chipset manufacturer(s) have been notified via their website contact addresses.
In the interests of responsible disclosure, we will not be stating which chipset drivers we tested as vulnerable for a minimum period of 14 days after this vulnerability advisory, giving the notified vendors time to issue non-vulnerable drivers. (dated 16 Jan 2006)
### Vulnerability Discovery Acknowledgment ###
Christopher Low & Julian Ho of ThinkSECURE Pte Ltd discovered and researched this vulnerability from Dec 2005 to 15 Jan 2006."
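Both the directed probe requests from Josh Wright's SSID cloaking post above and the Privacy-bit mismatch this advisory describes are visible on the air, so a wireless IDS can flag them. The frame checks below are an added example, not ThinkSECURE's probemapper or any code from the advisory; the frames, SSIDs and MAC addresses are constructed inline and nothing touches a radio.

```python
"""
Added example: two wireless-IDS checks over raw 802.11 management frames.
(1) A directed probe request (non-empty SSID element) discloses an entry
    from the station's preferred network list.
(2) A successful association in which the station set the Privacy
    capability bit but the AP's response cleared it is the WEP "dumbdown"
    exchange; a correct client must refuse it, a vulnerable one goes clear.
"""
import struct

SUBTYPE_ASSOC_REQ, SUBTYPE_ASSOC_RESP, SUBTYPE_PROBE_REQ = 0, 1, 4
CAP_ESS = 0x0001       # Capability Information bit 0: infrastructure BSS
CAP_PRIVACY = 0x0010   # Capability Information bit 4: WEP/data confidentiality required
IE_SSID = 0
BROADCAST = b"\xff" * 6


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_ies(data: bytes) -> dict:
    """Information elements: 1-byte ID, 1-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt(frame: bytes) -> dict:
    """Parse the 24-byte MAC header and the fixed fields of the subtypes we need."""
    if len(frame) < 24:
        raise ValueError("truncated frame")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    info = {"subtype": (fc >> 4) & 0xF, "da": frame[4:10], "sa": frame[10:16], "bssid": frame[16:22]}
    body = frame[24:]
    if info["subtype"] == SUBTYPE_ASSOC_REQ:        # capability(2) listen-interval(2) IEs
        info["cap"], info["listen"] = struct.unpack_from("<HH", body, 0)
        info["ies"] = parse_ies(body[4:])
    elif info["subtype"] == SUBTYPE_ASSOC_RESP:     # capability(2) status(2) AID(2) IEs
        info["cap"], info["status"], info["aid"] = struct.unpack_from("<HHH", body, 0)
        info["ies"] = parse_ies(body[6:])
    elif info["subtype"] == SUBTYPE_PROBE_REQ:      # IEs only
        info["ies"] = parse_ies(body)
    return info


def disclosed_ssids(frames) -> dict:
    """Station MAC -> SSIDs it asked for by name in directed probe requests."""
    out = {}
    for f in frames:
        p = parse_mgmt(f)
        if p["subtype"] != SUBTYPE_PROBE_REQ:
            continue
        ssid = p["ies"].get(IE_SSID, b"")
        if ssid:   # a broadcast probe carries a zero-length SSID and discloses nothing
            out.setdefault(mac_str(p["sa"]), []).append(ssid.decode("utf-8", "replace"))
    return out


def wep_dumbdown_events(frames) -> list:
    """Association request/response pairs where Privacy was requested but not granted."""
    pending, events = {}, []
    for f in frames:
        p = parse_mgmt(f)
        if p["subtype"] == SUBTYPE_ASSOC_REQ:
            pending[(p["sa"], p["bssid"])] = p
        elif p["subtype"] == SUBTYPE_ASSOC_RESP:
            req = pending.pop((p["da"], p["bssid"]), None)
            if req is None or p["status"] != 0:      # unmatched, or the association was refused
                continue
            if req["cap"] & CAP_PRIVACY and not p["cap"] & CAP_PRIVACY:
                events.append({"station": mac_str(req["sa"]), "bssid": mac_str(p["bssid"]),
                               "ssid": req["ies"].get(IE_SSID, b"").decode("utf-8", "replace")})
    return events


# --- constructed sample capture (made-up addresses and SSID) -------------------
def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = subtype << 4                                   # type 0 (management), protocol version 0
    return struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0) + body


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


STA = bytes.fromhex("001122334455")      # victim station carrying a WEP/Open profile
ROGUE = bytes.fromhex("66778899aabb")    # master-mode card answering the directed probe
SAMPLE_FRAMES = [
    mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, STA, BROADCAST, ie(IE_SSID, b"")),         # broadcast probe
    mgmt_frame(SUBTYPE_PROBE_REQ, BROADCAST, STA, BROADCAST, ie(IE_SSID, b"homewep")),  # directed probe
    mgmt_frame(SUBTYPE_ASSOC_REQ, ROGUE, STA, ROGUE,
               struct.pack("<HH", CAP_ESS | CAP_PRIVACY, 10) + ie(IE_SSID, b"homewep")),
    mgmt_frame(SUBTYPE_ASSOC_RESP, STA, ROGUE, ROGUE,
               struct.pack("<HHH", CAP_ESS, 0, 0xC001) + ie(1, b"\x82\x84\x8b\x96")),  # Privacy cleared, status 0
]

if __name__ == "__main__":
    print("PNL disclosure:", disclosed_ssids(SAMPLE_FRAMES))
    print("WEP dumbdown:", wep_dumbdown_events(SAMPLE_FRAMES))
```

Feeding real frames requires a monitor-mode capture with the radiotap header stripped; the second check only fires on a successful (status 0) response, which is the point at which a driver with the WCCD defect would start passing traffic in the clear.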
"
|
 |
Login
Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.
Big Story of Today
There isn't a Biggest Story for Today, yet.
|