Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-18 Thread Sweetser, Frank E
"Wrong" is a very slippery term for this kind of flaw.


The short version is that the original specification of the encryption key 
state machine was not sufficiently tight to prevent this vulnerability from 
happening.  Spoofing certain messages could slip through the protections and 
allow the attacker to manipulate which encryption keys the devices were using.  
Luckily, in this case modifications to the implementation were able to be made 
without breaking the standard, or compatibility with other devices.


In other words, we got lucky as far as ease of fixing the glitch.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken



From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Marcelo Maraboli

Sent: Wednesday, October 18, 2017 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If it were a Design Flaw, no patch can fix it; we would need to upgrade to 
WPA3 or something.

The fact that there is a patch going on means that either every implementation 
is wrong (not likely) or the specification (how to code the Design) did not 
address boundaries or restrictions that should/must be cared for.

Or am I wrong?


regards,

On 10/16/17 4:32 PM, Hector J Rios wrote:
The short answer is Yes.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Monday, October 16, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol isn’t the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?

Mike Cunningham


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2


From Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Richard Nedwich
Sent: Monday, October 16, 2017 10:34:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
This email may contain confidential information about a Pennsylvania College of 
Technology student. It is intended solely for the use of the recipient. This 
email may contain information that is considered an “educational record” 
subject to the protections of the Family Educational Rights and Privacy Act 
Regulations. The regulations may be found at 34 C.F.R. Part 99 for your 
reference. The recipient may only use or disclose the information in accordance 
with the requirements of the Federal Educational Rights and Privacy Act 
Regulations. If you have received this transmission in error, please notify the 
sender immediately and permanently delete the email.

--
Marcelo Maraboli Rosselott
Subdirector de Redes y Seguridad
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Teléfono: (56) 22354 1341
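
The behaviour Frank Sweetser describes above (a key state machine loose enough that a replayed handshake message changes key state, yet fixable on the client without changing the protocol), as a simplified model added here; it is not code from the thread or from any vendor. The class, the `hardened` flag and the `PTK-1` label are constructed for illustration, and the model assumes the replayed frame is handshake message 3 and that installing a key resets its packet counter.

```python
# Simplified model of a Wi-Fi client's pairwise-key state during the
# WPA2 4-way handshake. Constructed example; all names are hypothetical.

class Supplicant:
    def __init__(self, hardened):
        self.hardened = hardened
        self.installed_key = None   # pairwise key currently in use
        self.tx_counter = 0         # per-key packet number; must never repeat
        self.used = set()           # (key, packet number) pairs already sent
        self.reused = []            # pairs that were sent a second time

    def on_message3(self, key):
        """Handle handshake message 3, whether original or retransmitted."""
        if self.hardened and key == self.installed_key:
            # Hardened behaviour: this key is already installed, so accept
            # the message but leave the key and its counter untouched.
            return
        # Behaviour the loose state machine allowed: (re)install the key,
        # which resets the packet number back to zero.
        self.installed_key = key
        self.tx_counter = 0

    def send_frame(self):
        """Protect one data frame and record the (key, number) pair used."""
        self.tx_counter += 1
        pair = (self.installed_key, self.tx_counter)
        if pair in self.used:
            self.reused.append(pair)   # same key and number used twice
        self.used.add(pair)
        return pair


def run(hardened):
    """Constructed sequence: handshake, two frames, a replayed message 3, one frame."""
    sta = Supplicant(hardened)
    sta.on_message3("PTK-1")   # legitimate message 3 installs the key
    sta.send_frame()
    sta.send_frame()
    sta.on_message3("PTK-1")   # replayed copy of the same message 3
    sta.send_frame()
    return sta.reused


if __name__ == "__main__":
    print("loose state machine, reused pairs:", run(False))
    print("hardened client, reused pairs:   ", run(True))
```

The hardened branch changes only what the client does locally with a key it already holds, so the access point sees the same handshake messages either way and a genuine rekey with a new key still installs normally.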
Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-18 Thread Marcelo Maraboli
If it were a Design Flaw, no patch can fix it; we would need to 
upgrade to WPA3 or something.

The fact that there is a patch going on means that either every 
implementation is wrong (not likely) or the specification (how to code 
the Design) did not address boundaries or restrictions that should/must 
be cared for.

Or am I wrong?


regards,

On 10/16/17 4:32 PM, Hector J Rios wrote:


The short answer is Yes.

Hector Rios

Louisiana State University

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Mike Cunningham
*Sent:* Monday, October 16, 2017 1:58 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol isn’t the fix 
going to need to be made on both sides of the communication link?  
Access points will all need to be updated but also all client wifi 
drivers are going to need to be updated on all wifi enabled devices 
that support WPA2, right?


Mike Cunningham

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Stephen Belcher
*Sent:* Monday, October 16, 2017 10:40 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Big flaw in WPA2

From Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506

(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu 



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Richard Nedwich
*Sent:* Monday, October 16, 2017 10:34:43 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.

--
*Marcelo Maraboli Rosselott*
Subdirector de Redes y Seguridad
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Teléfono: (56) 22354 1341


Re: [WIRELESS-LAN] RF Sensitivity

2017-10-18 Thread Travis Schick
We did this... started with lights off in classrooms - then decided lights
off everywhere.   2 weeks later - frantic after-hours call into the help
desk - a whole building has just lost its wifi!!!

[user had issue with device - noticed AP in room had no lights - must be
offline - moved to another room -this AP had no lights. ahh! they all
lost their lights! (Destiny 2 foreshadowing?)]

So be prepared you might get other calls

On Tue, Oct 17, 2017 at 8:24 PM Jeremy Gibbs wrote:

> Just turn the AP lights off.. see if the complaints go away ;).
>
>
>
>
> On Tue, Oct 17, 2017 at 6:53 PM, Jason Cook 
> wrote:
>
>> We go through one of these every year or 2.
>>
>>
>>
>> Like others we refer them to HR/OHS group. This is a “health” issue and
>> not for a technical area to make the decision, makes it easy to respond. We
>> worked with HR to help provide information for them to work with, to date
>> we haven’t ended up having to do anything to our network. Mostly they seem
>> to have been people concerned about potential impact after
>> upgrades/changes.
>>
>>
>>
>> Below is the core of what we provide. This one was raised after an
>> upgrade and an AP appeared in the person's office and they were concerned
>> about the proximity but seemed happy with the response as it stopped there.
>>
>> ---
>>
>>
>>
>> New wireless equipment has been recently installed into the 
>>  building, this is replacing hardware that has been installed for over 10
>> years. The existing hardware was installed in the roof space and
>> not-visible, while the new equipment is installed below the roof space and
>> visible. The new hardware operates on the same RF frequencies as the old
>> (2.4 and 5ghz). All hardware and configuration is to Australian standards.
>>
>>
>>
>> I will refer to a statement from the relevant governing bodies in
>> Australia which state “There is no established scientific evidence that
>> the low exposure to RF EME from Wi-Fi adversely affects the health of
>> children or the general population.”
>>
>>
>>
>> Please see the below full statements from the relevant agencies.
>>
>>
>>
>> Australian Radiation Protection and Nuclear Safety Agency
>>
>> -  Who Set the standards for Australian Radio Frequency
>>
>> http://www.arpansa.gov.au/radiationprotection/factsheets/is_wifi.cfm
>>
>> Australian Communications and Media Authority
>>
>> -  Who regulate Radio Frequency Emissions in Australia
>>
>>
>> http://www.acma.gov.au/Citizen/Spectrum/About-spectrum/EME-hub/eme-and-health
>>
>> World Health Organisation
>>
>> -  Agency of the United Nations for international public
>> health
>>
>> http://www.who.int/peh-emf/publications/facts/fs304/en/
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Jason Cook
>>
>> Technology Services
>>
>> The University of Adelaide, AUSTRALIA 5005
>>
>> Ph: +61 8 8313 4800
>>
>>
>>
>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Rick Brown
>> *Sent:* Wednesday, 18 October 2017 6:46 AM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* [WIRELESS-LAN] RF Sensitivity
>>
>>
>>
>> Curious to how other universities handle complaints from parents,
>> students, staff, or faculty asking for wireless to be turned off in their
>> dorm room, workspace, etc.?
>>
>>
>> Studies that you've used to refute these claims would be helpful!
>>
>> Thanks in advance!
>>
>> Rick
>>