North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Wifi Security

  • From: Joel Jaeggli
  • Date: Mon Nov 21 18:40:04 2005

On Mon, 21 Nov 2005, Stephen J. Wilcox wrote:

this is assuming that you are talking to the second party and not in fact me
sitting in the middle grabbing credentials, possibly by this stage already
pretending to be that second party
Sorry, if you don't have the second parties private key, you don't get to be them. and if you do have it, then there's no reason for you be in the middle.

its also assuming you understand your certificates, keys and trust. i'd bet most users will click yes when presented with a 'do you trust this new key' message.
[joelja@twin ~]$ ssh -l joelja twin
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c3:b4:d9:ba:f9:ab:58:0e:98:d4:12:6c:cf:d2:3c:55.
Please contact your system administrator.
Add correct host key in /home/joelja/.ssh/known_hosts2 to get rid of this message.
Offending key in /home/joelja/.ssh/known_hosts2:24
RSA host key for twin has changed and you have requested strict checking.
The authenticity of host 'twin (128.223.214.27)' can't be established.

is fairly unequivical...

you dont have to break the code if the endpoints trust sessions with you and
share their encryption keys
Successfully inserting yourself in the middle requires some social-engineering
or really bad protocol design. The former can be mitigated through vigilance,
the later falls into the realm of peer review and security research.
you forgot to include 'or user error'.. the protocol may be fantastic but if the
user fails to notice a security alert or does something stupid it can be
compromised.

depending on how good you are you may be able to thwart all but the determined
hacker, altho to be fair most people are not going to be a target once they
employ basic security such as weak encryption. but if you are a target then its
vital to be using strong trusted secuity and know your onions!

If I may paraphrase the original posters question (Ross Hosman), it was:

Do large wireless buildouts present a new security threat due to the potential
to spoof AP's?

The answer to that is no, this is a threat we live with currently. We have
tools to mitigate the risks associated with it.
mmmmmm.. i'd say yes. wifi is still pretty niche, its in the offices, its in
airports and starbucks.

once billy bob and his grandpa start using it tho you're bringing it to the
masses who arent IT trained, who havent had a security brief, who are running
windows thats not been patched for 2 years and who think 'billy' is reasonable
for their password

so the technology is the same, but the users are new

You can say that consumers are stupid, and won't figure this out,
okay "consumers are stupid, and won't figure this out" :-)

and that may be true; however when it's starts to cost them losts money, they
will sit-up take notice and buy tools to solve this problem for them, just
like they do with any other security threat that goes beyond being an
anoyance.  probably said product will be blue, say linksys on it, and have the
word vpn (among others) buried on the packaging someplace.
i'm thinking beyond your corporate staff who are currently using these systems
(and quite badly if my casual network sniffing in environments with supposedly
clued individuals is anything to go by!)

my 2-cents :0)

Steve

--
--------------------------------------------------------------------------
Joel Jaeggli  	       Unix Consulting 	       joelja@darkwing.uoregon.edu
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2