Security Watch | Matt Hines » Of spineless TV producers, WEP cloaking and blocking WiFi

August 06, 2007

Of spineless TV producers, WEP cloaking and blocking WiFi

I wasn't able to stick around Las Vegas after Black Hat last week for Defcon, so I didn't get to see Dateline NBC associate producer Michelle Madigan run for the hills after getting outed by the show's "goons" (see Bob Garza's previous post), but here's my take:

If Madigan had understood anything about the nature of the show and the hackers she was trying to cover she should have known that A: there was a pretty good chance that someone would catch her, and B: if she had just admitted what she was up to when identified, taken a bow and given the Defcon folks credit for doing their homework and then stuck around, she probably would have gotten herself a good story, earned some respect and even made some friends.

Now, maybe she wouldn't have gotten the underground "hacker-for-hire" angle she and her bosses wanted, but there would have been a lot of interesting things to talk about anyway, like how the Defcon people knew about her whole gig before she ever landed in Nevada. Funny that. Kudos to Black Hat/Defcon founder Jeff Moss and company for handling it all very professionally from the sound of it.

The fact that she completely missed the "gaming" nature of the event illustrates the fact that people outside the IT security space still don't understand the vibe that drives a lot of the hacker/researcher set. They love a good stunt. Play along and you'll learn something about them and they'll respect you. Run away like a non-vertebrate and you'll forever be a laughing stock.

WEP non-cloaking

In addition to missing the Dateline Debacle, I wasn't able to listen in on a pair of interesting wireless security sessions being led by researchers from vendor AirTight Networks, but thankfully they briefed me anyway.

One of the presentations was related to the whole concept of WEP cloaking - the art of obfuscating (easily hacked) WEP-protected wireless transmissions by adding a bunch of extraneous traffic into your signals to try and confuse/overwhelm wireless decryption tools that have been proven to crack the system.

While I doubt that a lot of enterprises have embraced WEP cloaking to help bandage their wireless systems, especially with a spate of other secure wireless alternatives available, the folks at AirTight claim to have proven why cloaking doesn't work anyway.

According to AirTight, the transmission frames generated by individual access points and the inserters used to generate the cloaking signals are slightly different -- which makes it easy for anyone trying to defeat the system to catch and filter the actual data.

Rick Farina, an enthusiastic white hat hacker and wireless security engineer at AirTight, also noted that the types of people looking to steal wireless traffic know enough about the protocols and keys used in WEP to find the real data they're looking for despite all the excess noise from cloaking technologies.

"We can devise filters that will crack WEP cloaking as easily as someone can crack plain WEP. No matter how much excess noise you mix in, the key can still be broken," Farina said. "Cloaking doesn't actually protect you at all; it just gives you a false sense of security."

(It's worth noting that the practice of WEP cloaking was first publicized by AirDefense, one of AirTight's biggest competitors.)

Stopping Muni-fi

A lot of people are excited about the promise of municipal WiFi systems such as the one currently being built in San Francisco, but do not count enterprise IT administrators among that group.

While the systems may provide a nice back-up for workers connecting on the street or when network connections fail, the notion of securing a company's sensitive information is hard enough already without offering every worker unmanaged access to the Internet.

For financial services companies and the like there are sure to be new compliance issues introduced by muni Wi-Fi, for instance. What good is it blocking access to Gmail on your network when people can simply connect to the closest municipal hotspot?

Enter wireless intrusion prevention systems (WIPS), which promise to help companies prevent such scenarios by blocking access to those WiFi systems. However, AirTight claims those won't stop smarter wireless attackers from finding a way into your company over the air.

Hackers often use "evil twin" wireless networks to attempt to lure workers to connect for the purpose of breaking into their devices and their employers' networks. WIPS tools promise to prevent such access, but by simply using multiple access points for their attacks, said AirTight CTO Pravin Bhagwat, hackers can easily failsafe their threats.

When a WIPS system blocks access to one access point, the signal merely swaps over to another, creating a layered effect that continually offers access in what AirTight has coined a "multipot" attack. In a network that crisscrosses an entire city, for instance, it will be impossible to block out enough access points to completely prevent people from logging on, Bhagwat said.

"This type of thing is already happening and the wireless vendors don't seem to care about it," said Bhagwat. "If you test WIPS in this type of environment it's easy to see that the signal merely swaps over to the next closest access point when one is blocked; hackers already know about this technique and countermeasures need to be developed. It's an arms race at this point."
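The swap-over behaviour Bhagwat describes leaves a recognizable trail in sensor data: a client is contained on one unauthorized access point and, seconds later, associates to a different unauthorized access point carrying the same SSID. The sketch below is an added example, not AirTight's or any WIPS vendor's code; the event format, MAC addresses, SSIDs and the 30-second window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format (not a real WIPS log):
# (timestamp, event, client MAC, SSID, BSSID)
#   "assoc"   = a sensor saw the client associate to an access point
#   "contain" = the WIPS blocked the client's link to that access point
EVENTS = [
    ("2007-08-06T10:00:00", "assoc",   "02:00:00:00:01:01", "FreeCityWiFi", "02:00:00:00:00:a1"),
    ("2007-08-06T10:00:05", "contain", "02:00:00:00:01:01", "FreeCityWiFi", "02:00:00:00:00:a1"),
    ("2007-08-06T10:00:09", "assoc",   "02:00:00:00:01:01", "FreeCityWiFi", "02:00:00:00:00:a2"),
    ("2007-08-06T10:00:14", "contain", "02:00:00:00:01:01", "FreeCityWiFi", "02:00:00:00:00:a2"),
    ("2007-08-06T10:00:20", "assoc",   "02:00:00:00:01:01", "FreeCityWiFi", "02:00:00:00:00:a3"),
    # Client blocked from a rogue AP, then returns to the corporate AP: benign.
    ("2007-08-06T10:02:00", "assoc",   "02:00:00:00:01:02", "CoffeeShop",   "02:00:00:00:00:b1"),
    ("2007-08-06T10:02:03", "contain", "02:00:00:00:01:02", "CoffeeShop",   "02:00:00:00:00:b1"),
    ("2007-08-06T10:02:10", "assoc",   "02:00:00:00:01:02", "CorpNet",      "02:00:00:00:0c:01"),
    # Client reconnects ten minutes after containment: outside the window.
    ("2007-08-06T10:10:00", "contain", "02:00:00:00:01:03", "FreeCityWiFi", "02:00:00:00:00:a1"),
    ("2007-08-06T10:20:00", "assoc",   "02:00:00:00:01:03", "FreeCityWiFi", "02:00:00:00:00:a2"),
]
AUTHORIZED_BSSIDS = {"02:00:00:00:0c:01"}  # constructed corporate AP


def find_multipot_hops(events, authorized, window=timedelta(seconds=30)):
    """Return {client: [(ssid, blocked_bssid, next_bssid), ...]} for each
    association to a different unauthorized BSSID with the same SSID that
    happens within `window` of a containment action."""
    last_contain = {}  # (client, ssid) -> (time of containment, blocked BSSID)
    hops = defaultdict(list)
    for ts, kind, client, ssid, bssid in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (client, ssid)
        if kind == "contain":
            last_contain[key] = (t, bssid)
        elif kind == "assoc" and key in last_contain:
            blocked_at, blocked = last_contain[key]
            if bssid != blocked and bssid not in authorized and t - blocked_at <= window:
                hops[client].append((ssid, blocked, bssid))
    return dict(hops)


def multipot_clients(events, authorized, min_hops=2):
    """Clients that swapped access points after containment at least `min_hops` times."""
    hops = find_multipot_hops(events, authorized)
    return sorted(c for c, h in hops.items() if len(h) >= min_hops)
```

A single swap can be ordinary roaming, which is why the second function only reports clients that keep hopping after repeated containment.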

Posted by Matt Hines on August 6, 2007 10:49 AM

