RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-31 Thread Chris Toth
Has anyone implemented this workaround and heard any negative feedback 
regarding wireless quality?  It seems changing the retries down to 0 would 
result in more dropped sessions and the appearance of a flakier network, and 
possibly trigger more client exclusions?

Chris Toth
Senior Network Technician
Bowling Green State University
(419) 372-8462


Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-27 Thread Scharloo, Gertjan
SMALL Update about Cisco Client workaround:

Troubleshooting TechNotes

Wireless KRACK attack client side workaround and detection

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212390-wireless-krack-attack-client-side-workar.html

Regards,

Gertjan Scharloo
ICT Consultant

Universiteit van Amsterdam | Hogeschool van Amsterdam
ICT Services
Leeuwenburg | room A9.44
Weesperzijde 190 | 1097 DZ Amsterdam
+31 (0)20 525 4885
Mobile: +31(0) 61013-5880
www.uva.nl
uva.nl/profile/g.scharloo
Available: Mon | - | Wed | Thu | Fri |



Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-27 Thread Scharloo, Gertjan
Hi folks,

In a Cisco environment there is a workaround for the client vulnerability:

Workaround for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080 
and CVE-2017-13081

Please read: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa#workarounds

And read https://twitter.com/vanhoefm/status/923651649595478018

Workaround is very simple (!):

Global Config, (CLI only option)

config advanced eap eapol-key-retries 0

(5520) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 0
EAP-Broadcast Key Interval....................... 3600

Regards,

Gertjan Scharloo
ICT Consultant

Universiteit van Amsterdam | Hogeschool van Amsterdam
ICT Services
Leeuwenburg | room A9.44
Weesperzijde 190 | 1097 DZ Amsterdam
+31 (0)20 525 4885
Mobile: +31(0) 61013-5880
www.uva.nl
uva.nl/profile/g.scharloo
twitter : wireless_kid
Available: Mon | - | Wed | Thu | Fri |
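
A check for the workaround described in the message above, as an added example that is not part of the original post and not Cisco tooling: it parses pasted `show advanced eap` output, including the ellipsis-mangled form that mail clients produce, and reports per controller whether EAPOL-Key Max Retries is 0. The controller names `wlc-lab` and `wlc-old` and their rows are constructed sample data; only the `5520` block comes from the post.

```python
import re

RETRY_KEY = "EAPOL-Key Max Retries"
TIMEOUT_KEY = "EAPOL-Key Timeout (milliseconds)"

# "(5520) >show advanced eap": controller prompt followed by the command.
SHOW_CMD = re.compile(r"^\((?P<host>[^)]+)\)\s*>\s*show advanced eap$", re.I)
# Any other prompt line, e.g. "(wlc-lab) >show sysinfo".
ANY_PROMPT = re.compile(r"^\([^)]+\)\s*>")
# "Name....... value": at least two leader dots; value must not start with a dot.
ROW = re.compile(r"^(?P<name>.+?)\s*\.{2,}\s*(?P<value>[^.\s].*)$")


def parse_transcript(text):
    """Return {controller: {setting: value}} for each 'show advanced eap' block."""
    controllers, current = {}, None
    for raw in text.splitlines():
        # Mail clients turn "..." into U+2026; undo that before matching.
        line = raw.replace("\u2026", "...").strip()
        if not line:
            continue
        cmd = SHOW_CMD.match(line)
        if cmd:
            current = controllers.setdefault(cmd.group("host"), {})
        elif ANY_PROMPT.match(line):
            current = None  # a different command: stop collecting rows
        elif current is not None:
            row = ROW.match(line)
            if row:
                current[row.group("name")] = row.group("value")
    return controllers


def audit(controllers):
    """Classify each controller by whether the retries-0 workaround is set."""
    report = {}
    for host, settings in controllers.items():
        retries = settings.get(RETRY_KEY, "")
        timeout = settings.get(TIMEOUT_KEY, "unknown")
        if not retries.isdigit():
            report[host] = ("unknown", f"no numeric '{RETRY_KEY}' row found")
        elif int(retries) == 0:
            report[host] = ("workaround-applied",
                            f"retries=0, timeout={timeout} ms")
        else:
            report[host] = ("workaround-missing",
                            f"retries={retries}, expected 0 (timeout={timeout} ms)")
    return report


# First block: output as it appears in the post (ellipsis leaders intact).
# Remaining blocks: constructed sample data for the failing and unknown cases.
SAMPLE = """\
(5520) >show advanced eap
EAP-Identity-Request Timeout (seconds)……….. 30
EAP-Identity-Request Max Retries….. 2
EAP Key-Index for Dynamic WEP…….. 0
EAP Max-Login Ignore Identity Response……….. enable
EAP-Request Timeout (seconds)…….. 30
EAP-Request Max Retries.. 2
EAPOL-Key Timeout (milliseconds)….. 1000
EAPOL-Key Max Retries…. 0
EAP-Broadcast Key Interval……….. 3600

(wlc-lab) >show advanced eap
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
(wlc-lab) >show sysinfo
Product Name..................................... constructed
(wlc-old) >show advanced eap
EAP-Request Max Retries.......................... 2
"""

if __name__ == "__main__":
    for host, (status, detail) in audit(parse_transcript(SAMPLE)).items():
        print(f"{host:10s} {status:20s} {detail}")
```

Rerun it after any controller upgrade or configuration restore, since the setting is CLI-only and easy to lose track of.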

 

 


Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-19 Thread Jake Snyder
You have more faith in the WFA than I.  I’m sure our next houses will be Wi-Fi 
certified Krack-Free.

Sent from my iPhone

> On Oct 19, 2017, at 5:13 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> The specification, like many, was vague in implementation details and 
> practically all vendors chose a poor, insecure design.  The only flaw in WPA2 
> was vagueness in the specification. I understand the Wi-Fi Alliance is 
> working on remedying that as well as specifically testing for KRACK in its 
> certification testing.
>  
> Since many implementations were likely based off the chipmakers' reference 
> designs, this is not very surprising.
>  
>  
> 
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> From: Marcelo Maraboli [mailto:marcelo.marab...@uc.cl] 
> Sent: Wednesday, October 18, 2017 11:56 AM
> Subject: Re: Big flaw in WPA2
>  
> if it were a Design Flaw, no patch can fix it; we would need to upgrade to 
> WPA3 or something.
> 
> the fact that there is a patch going on, is that either every implementation 
> is wrong (not likely) or the specification (how to code the Design) did not 
> address boundaries or restrictions that should/must be cared for.
> 
> or am I wrong ?
> 
> 
> regards,
> 
> On 10/16/17 4:32 PM, Hector J Rios wrote:
> The short answer is Yes.
>  
> Hector Rios
> Louisiana State University
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
> Sent: Monday, October 16, 2017 1:58 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> If this is a flaw in the design of the WPA2 protocol isn’t the fix going to 
> need to be made on both sides of the communication link?  Access points will 
> all need to be updated but also all client wifi drivers are going to need to 
> be updated on all wifi enabled devices that support WPA2, right?
>  
> Mike Cunningham
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
> Sent: Monday, October 16, 2017 10:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> From Cisco:
> 
>  
> 
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
> 
>  
> 
>  
> 
> / Stephen Belcher
> Assistant Director of Network Operations 
> WVU Information Technology Services
> One Waterfront Place / PO Box 6500
> Morgantown, WV  26506
>  
> (304) 293-8440 office 
> (681) 214-3389 mobile 
> steve.belc...@mail.wvu.edu
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richard Nedwich 
> <rich.nedw...@brocade.com>
> Sent: Monday, October 16, 2017 10:34:43 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>  
> Ruckus is providing a response today.
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/discuss.
> -- 
> Marcelo Maraboli Rosselott
> Deputy Director of Networks and Security
> Dirección de Informática
> Pontificia Universidad Católica de Chile
> http://info

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-18 Thread Sweetser, Frank E
"Wrong" is a very slippery term for this kind of flaw.


The short version is that the original specification in how the encryption key 
state machine was not sufficiently tight to prevent this vulnerability from 
happening.  Spoofing certain messages could slip through the protections and 
allow the attacker to manipulate which encryption keys the devices were using.  
Luckily, in this case modifications to the implementation were able to be made 
without breaking the standard, or compatibility with other devices.


In other words, we got lucky as far as ease of fixing the glitch.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-18 Thread Marcelo Maraboli
if it were a Design Flaw, no patch can fix it; we would need to 
upgrade to WPA3 or something.

the fact that there is a patch going on, is that either every 
implementation is wrong (not likely) or the specification (how to code 
the Design) did not address boundaries or restrictions that should/must 
be cared for.

or am I wrong ?

regards,

On 10/16/17 4:32 PM, Hector J Rios wrote:

The short answer is Yes.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Monday, October 16, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol isn’t the fix 
going to need to be made on both sides of the communication link?  
Access points will all need to be updated but also all client wifi 
drivers are going to need to be updated on all wifi enabled devices 
that support WPA2, right?

Mike Cunningham

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

From Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

/ Stephen Belcher
Assistant Director of Network Operations
WVU Information Technology Services
One Waterfront Place / PO Box 6500
Morgantown, WV  26506

(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richard Nedwich 
<rich.nedw...@brocade.com>
Sent: Monday, October 16, 2017 10:34:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.





--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-17 Thread Philippe Hanset
The flaw in WPA2 doesn’t put accounts at risk since that is done with EAP over 
an encrypted TLS tunnel. It is the access to the network and the encryption 
over the air for the regular internet traffic that can be tampered with.

Philippe
www.anyroam.net

> On Oct 17, 2017, at 4:49 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> No, the solution is EAP-TLS with individual device certificates.
>  
>  
>  
> 
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> From: Tim Tyler [mailto:ty...@beloit.edu] 
> Sent: Monday, October 16, 2017 9:57 AM
> Subject: Re: Big flaw in WPA2
>  
> This brings up an issue where I have philosophically wondered if mac address 
> authentication isn’t better than 802.11x (wpa2).  The reason isn’t because it 
> guards the network better.  But if one does get hacked at the point of 
> accessing the network, the consequences are way less.  One isn’t giving away 
> the keys to their other accounts.   I know some institutions do use mac 
> address authentication as their primary access method.   It is difficult for 
> institutions that can’t afford pricey on-boarding solutions to manage 
> certificate lock downs.   Hence, man in the middle attacks become prevalent 
> as well.
>   We already use mac address authentication for devices that won’t support 
> 802.1x.  I keep wondering now if I shouldn’t make that our primary solution 
> someday.  I am curious as to what others think. 
>  
> Tim
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> Sent: Monday, October 16, 2017 6:51 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Big flaw in WPA2
>  
> 
> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
> 
> Ryan Turner
> Manager of Network Operations, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office



Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-17 Thread Samuel Clements
By the way, github is maintaining a master list of vendor responses over at:
https://github.com/kristate/krackinfo
 -Sam

On Tue, Oct 17, 2017 at 6:49 AM, Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

> No, the solution is EAP-TLS with individual device certificates.
>
>
>
>
>
>
>
> *Bruce Osborne*
>
> *Senior Network Engineer*
>
> *Network Operations - Wireless*
>
>  *(434) 592-4229 <(434)%20592-4229>*
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Tim Tyler [mailto:ty...@beloit.edu]
> *Sent:* Monday, October 16, 2017 9:57 AM
> *Subject:* Re: Big flaw in WPA2
>
>
>
> This brings up an issue where I have philosophically wondered if mac
> address authentication isn’t better than 802.11x (wpa2).  The reason isn’t
> because it guards the network better.  But if one does get hacked at the
> point of accessing the network, the consequences are way less.  One isn’t
> giving away the keys to their other accounts.   I know some institutions
> do use mac address authentication as their primary access method.   It is
> difficult for institutions that can’t afford pricey on-boarding solutions
> to manage certificate lock downs.   Hence, man in the middle attacks become
> prevalent as well.
>
>   We already use mac address authentication for devices that won’t support
> 802.1x.  I keep wondering now if I shouldn’t make that our primary solution
> someday.  I am curious as to what others think.
>
>
>
> Tim
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Turner, Ryan H
> *Sent:* Monday, October 16, 2017 6:51 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Big flaw in WPA2
>
>
>
>
> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
>
>
> Ryan Turner
>
> Manager of Network Operations, ITS
>
> The University of North Carolina at Chapel Hill
>
> +1 919 274 7926 Mobile
>
> +1 919 445 0113 Office
>
>
>




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Max McGrath
Extreme Network's response:

https://extremeportal.force.com/ExtrArticleDetail?n=18005

--
Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
Network Administrator
Carthage College
262-551-
mmcgr...@carthage.edu

On Mon, Oct 16, 2017 at 6:34 PM, Schuette, David <schue...@msudenver.edu>
wrote:

> Aerohive's response
>
> https://www3.aerohive.com/support/security-bulletins/Product-Security-Announcement-Aerohives-Response-to-KRACK-10162017.html?_ga=2.40289697.2082952693.1508196685-659670165.1508196685
>
>
> Thanks
> David
> David Schuette
> Network-Data Security Manager
> Information Technology Services
> METROPOLITAN STATE UNIVERSITY OF DENVER
> Campus Box 96, P.O. Box 173362  |  Denver, CO 80217-3362
> Tel 303-556-4639 (old)
> New – 303-615-1130 (Please note my phone number has changed)
> www.msudenver.edu
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Richard Nedwich
> Sent: Monday, October 16, 2017 5:05 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>
> Ruckus has posted an official response in a Blog Post here:
>
> https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/
>
> Further, please find a Cloudpath KB article on the Ruckus support site
> here:
> https://support.ruckuswireless.com/documents/2039-faq-security-advisory-cp-101617-802-11r-vulnerability
>
> -Rich
>
>
>




RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Schuette, David
Aerohive's response

https://www3.aerohive.com/support/security-bulletins/Product-Security-Announcement-Aerohives-Response-to-KRACK-10162017.html?_ga=2.40289697.2082952693.1508196685-659670165.1508196685


Thanks
David
David Schuette 
Network-Data Security Manager 
Information Technology Services
METROPOLITAN STATE UNIVERSITY OF DENVER
Campus Box 96, P.O. Box 173362  |  Denver, CO 80217-3362
Tel 303-556-4639 (old) 
New – 303-615-1130 (Please note my phone number has changed)
www.msudenver.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Richard Nedwich
Sent: Monday, October 16, 2017 5:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus has posted an official response in a Blog Post here: 

https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/

Further, please find a Cloudpath KB article on the Ruckus support site here:
https://support.ruckuswireless.com/documents/2039-faq-security-advisory-cp-101617-802-11r-vulnerability

-Rich




RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Mike Cunningham
Same story - different wording. This article is blaming the protocol and not 
the implementation "The weaknesses are in the Wi-Fi standard itself, and not in 
individual products or implementations"  
https://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Anderson
Sent: Monday, October 16, 2017 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

It isn't a design flaw.  It is an implementation flaw that everyone did wrong 
because the spec didn't address the need to be careful about it.

Read this Aruba FAQ, it is helpful to address these sorts of questions:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

On Mon, Oct 16, 2017 at 06:57:57PM +, Mike Cunningham wrote:
> If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
> need to be made on both sides of the communication link?  Access points will 
> all need to be updated but also all client wifi drivers are going to need to 
> be updated on all wifi enabled devices that support WPA2, right?
>
> Mike Cunningham
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen
> Belcher
> Sent: Monday, October 16, 2017 10:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>
>
> From Cisco:
>
>
>
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
>
>
>
>
>
> / Stephen Belcher
>
> Assistant Director of Network Operations WVU Information Technology
> Services
>
> One Waterfront Place / PO Box 6500
>
> Morgantown, WV  26506
>
>
>
> (304) 293-8440 office
> (681) 214-3389 mobile
> steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>
>
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richard Nedwich
> <rich.nedw...@brocade.com>
> Sent: Monday, October 16, 2017 10:34:43 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>
> Ruckus is providing a response today.




RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Hector J Rios
The short answer is Yes.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Monday, October 16, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?

Mike Cunningham


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2


From Cisco:



https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa





/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Richard Nedwich 
<rich.nedw...@brocade.com<mailto:rich.nedw...@brocade.com>>
Sent: Monday, October 16, 2017 10:34:43 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Sweetser, Frank E
Hi Mike,


yes, you're absolutely correct.  Looking around the web, it looks like 
Microsoft and Apple have already released patches, so those who are completely 
up to date should be safe.  Android is more of a mixed bag, but at least Pixel 
phones should be patched in the November fixes in a few weeks.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Cunningham 
<mike.cunning...@pct.edu>
Sent: Monday, October 16, 2017 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2


If this is a flaw in the design of the WPA2 protocol isn’t the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?



Mike Cunningham





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2



From Cisco:



https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa





/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Richard Nedwich 
<rich.nedw...@brocade.com<mailto:rich.nedw...@brocade.com>>
Sent: Monday, October 16, 2017 10:34:43 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2



Ruckus is providing a response today.




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Stephen Belcher
From our Cisco SE:


The fix for IOS based AP’s (802.11ac Wave 1 or older) has been posted 
(8.3.130.0)
The fix for ClickOS based AP’s (All 802.11ac Wave 2 AP’s  [1800, 2800 3800 
series]) is in finalization testing and should be posted within a few days. 
(8.3.13x.0) same for 8.2/8.4/8.5
The fix for 8.0 is being written now and ETA will be provided shortly.



/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Chuck Anderson <c...@wpi.edu>
Sent: Monday, October 16, 2017 3:07:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

It isn't a design flaw.  It is an implementation flaw that everyone did wrong 
because the spec didn't address the need to be careful about it.

Read this Aruba FAQ, it is helpful to address these sorts of questions:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

On Mon, Oct 16, 2017 at 06:57:57PM +, Mike Cunningham wrote:
> If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
> need to be made on both sides of the communication link?  Access points will 
> all need to be updated but also all client wifi drivers are going to need to 
> be updated on all wifi enabled devices that support WPA2, right?
>
> Mike Cunningham
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
> Sent: Monday, October 16, 2017 10:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>
>
> From Cisco:
>
>
>
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
>
>
>
>
>
> / Stephen Belcher
>
> Assistant Director of Network Operations
> WVU Information Technology Services
>
> One Waterfront Place / PO Box 6500
>
> Morgantown, WV  26506
>
>
>
> (304) 293-8440 office
> (681) 214-3389 mobile
> steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>
>
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  on behalf of Richard Nedwich 
> <rich.nedw...@brocade.com<mailto:rich.nedw...@brocade.com>>
> Sent: Monday, October 16, 2017 10:34:43 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
>
> Ruckus is providing a response today.




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Chuck Anderson
It isn't a design flaw.  It is an implementation flaw that everyone did wrong 
because the spec didn't address the need to be careful about it.

Read this Aruba FAQ, it is helpful to address these sorts of questions:

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

On Mon, Oct 16, 2017 at 06:57:57PM +, Mike Cunningham wrote:
> If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
> need to be made on both sides of the communication link?  Access points will 
> all need to be updated but also all client wifi drivers are going to need to 
> be updated on all wifi enabled devices that support WPA2, right?
> 
> Mike Cunningham
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
> Sent: Monday, October 16, 2017 10:40 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
> 
> 
> From Cisco:
> 
> 
> 
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
> 
> 
> 
> 
> 
> / Stephen Belcher
> 
> Assistant Director of Network Operations
> WVU Information Technology Services
> 
> One Waterfront Place / PO Box 6500
> 
> Morgantown, WV  26506
> 
> 
> 
> (304) 293-8440 office
> (681) 214-3389 mobile
> steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
>  on behalf of Richard Nedwich 
> <rich.nedw...@brocade.com<mailto:rich.nedw...@brocade.com>>
> Sent: Monday, October 16, 2017 10:34:43 AM
> To: 
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Big flaw in WPA2
> 
> Ruckus is providing a response today.



RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Mike Cunningham
If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?

Mike Cunningham


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2


From Cisco:



https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa





/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Richard Nedwich 
<rich.nedw...@brocade.com<mailto:rich.nedw...@brocade.com>>
Sent: Monday, October 16, 2017 10:34:43 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Stephen Belcher
From Cisco:


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa



/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services

One Waterfront Place / PO Box 6500

Morgantown, WV  26506



(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu<mailto:steve.belc...@mail.wvu.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richard Nedwich 
<rich.nedw...@brocade.com>
Sent: Monday, October 16, 2017 10:34:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.




Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Blake Krone
Very bad idea. You are trading encryption for something that I could spoof in 
no time and be on your network faster than it would take for me to read about 
the wpa2 compromise. 

> On Oct 16, 2017, at 9:56 AM, Tim Tyler <ty...@beloit.edu> wrote:
> 
> This brings up an issue where I have philosophically wondered if mac address 
> authentication isn’t better than 802.11x (wpa2).  The reason isn’t because it 
> guards the network better.  But if one does get hacked at the point of 
> accessing the network, the consequences are way less.  One isn’t giving away
> the keys to their other accounts.   I know some institutions do use mac 
> address authentication as their primary access method.   It is difficult for 
> institutions that can’t afford pricey on-boarding solutions to manage 
> certificate lock downs.   Hence, man in the middle attacks become prevalent 
> as well.
>   We already use mac address authentication for devices that won’t support 
> 802.1x.  I keep wondering now if I shouldn’t make that our primary solution 
> someday.  I am curious as to what others think. 
>  
> Tim
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> Sent: Monday, October 16, 2017 6:51 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Big flaw in WPA2
>  
> 
> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
> 
> Ryan Turner
> Manager of Network Operations, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office



RE: [WIRELESS-LAN] Big flaw in WPA2- Cisco Statement

2017-10-16 Thread Lee H Badman
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Yahya M. Jaber
Sent: Monday, October 16, 2017 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Cisco said they will release an official statement today.
Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Oct 16, 2017 17:10, "Norton, Thomas (Network Operations)" 
<tnort...@liberty.edu<mailto:tnort...@liberty.edu>> wrote:

For Aruba folks:



http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74698/1/WPA2%20Vulnerability%20IDS%20feature.pdf



T.J. Norton
Wireless Network Architect – Team Lead
Network Services – Wireless

(434) 592-6552


Liberty University  |  Training Champions for Christ since



From: Norton, Thomas (Network Operations)
Sent: Monday, October 16, 2017 8:41 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

So basically those are workarounds in the interim, so don’t use 802.11r,
mesh, or Clarity Engine. Fun stuff! Lee said it best, let the panic begin lol


T.J. Norton

Wireless Network Architect
Network Operations

(434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 8:30 AM, McClintic, Thomas 
<thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> wrote:

This seems contradicting…



Workarounds
===========
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:

- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.





TJ McClintic



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2



Let the panic begin.





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Big flaw in WPA2



https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner

Manager of Network Operations, ITS

The University of North Carolina at Chapel Hill

+1 919 274 7926 Mobile

+1 919 445 0113 Office

** Participation and subscription information for this EDUCAUSE

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Yahya M. Jaber
Cisco said they will release an official statement today.

Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Oct 16, 2017 17:10, "Norton, Thomas (Network Operations)" 
<tnort...@liberty.edu> wrote:

For Aruba folks:


http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74698/1/WPA2%20Vulnerability%20IDS%20feature.pdf


T.J. Norton
Wireless Network Architect – Team Lead
Network Services – Wireless

(434) 592-6552


Liberty University  |  Training Champions for Christ since




From: Norton, Thomas (Network Operations)
Sent: Monday, October 16, 2017 8:41 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

So basically those are workarounds for the interim, so don’t use 802.11r, 
mesh, or Clarity Engine. Fun stuff! Lee said it best, let the panic begin lol


T.J. Norton

Wireless Network Architect
Network Operations

(434) 592-6552




Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 8:30 AM, McClintic, Thomas 
<thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> wrote:


This seems contradicting…




Workarounds
===
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:
- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.





TJ McClintic




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2



Let the panic begin.





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Big flaw in WPA2



https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner

Manager of Network Operations, ITS

The University of North Carolina at Chapel Hill

+1 919 274 7926 Mobile

+1 919 445 0113 Office

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Norton, Thomas (Network Operations)
For Aruba folks:


http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/74698/1/WPA2%20Vulnerability%20IDS%20feature.pdf


T.J. Norton
Wireless Network Architect – Team Lead
Network Services – Wireless

(434) 592-6552


Liberty University  |  Training Champions for Christ since




From: Norton, Thomas (Network Operations)
Sent: Monday, October 16, 2017 8:41 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

So basically those are workarounds for the interim, so don’t use 802.11r, 
mesh, or Clarity Engine. Fun stuff! Lee said it best, let the panic begin lol

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 8:30 AM, McClintic, Thomas 
<thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> wrote:

This seems contradicting…


Workarounds
===
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:
- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.


TJ McClintic


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Let the panic begin.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Tim Tyler
This brings up an issue where I have philosophically wondered if MAC
address authentication isn’t better than 802.11x (WPA2).  The reason isn’t
because it guards the network better.  But if one does get hacked at the
point of accessing the network, the consequences are way less.  One isn’t
giving away the keys to their other accounts.   I know some institutions
do use MAC address authentication as their primary access method.   It is
difficult for institutions that can’t afford pricey on-boarding solutions
to manage certificate lock downs.   Hence, man-in-the-middle attacks become
prevalent as well.

  We already use MAC address authentication for devices that won’t support
802.1x.  I keep wondering now if I shouldn’t make that our primary solution
someday.  I am curious as to what others think.



Tim



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Turner, Ryan H
*Sent:* Monday, October 16, 2017 6:51 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Big flaw in WPA2




https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/


Ryan Turner

Manager of Network Operations, ITS

The University of North Carolina at Chapel Hill

+1 919 274 7926 Mobile

+1 919 445 0113 Office

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Lee H Badman
Just keep in mind that an attacker still needs to be strategically positioned 
(physically) to pull this off, and there are no known cases yet of it 
happening. Not to say it won’t/can’t but it’s easy to get sucked in to the 
panic if just going off of headlines.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Norton, Thomas 
(Network Operations)
Sent: Monday, October 16, 2017 8:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

So basically those are workarounds for the interim, so don’t use 802.11r, 
mesh, or Clarity Engine. Fun stuff! Lee said it best, let the panic begin lol

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 8:30 AM, McClintic, Thomas 
<thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> wrote:
This seems contradicting…



Workarounds
===
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:
- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.


TJ McClintic



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Let the panic begin.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Norton, Thomas (Network Operations)
So basically those are workarounds for the interim, so don’t use 802.11r, 
mesh, or Clarity Engine. Fun stuff! Lee said it best, let the panic begin lol

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 8:30 AM, McClintic, Thomas 
<thomas.mcclin...@uth.tmc.edu<mailto:thomas.mcclin...@uth.tmc.edu>> wrote:

This seems contradicting…


Workarounds
===
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:
- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.


TJ McClintic


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Let the panic begin.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
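
The ArubaOS 802.11r check from the advisory quoted in this thread, as an added example that is not part of the thread or of Aruba's advisory: it scans a saved configuration for SSID profiles that contain a "dot11r-profile" line and recomputes the reference count per 802.11r profile. The configuration layout, the profile names and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample of a saved ArubaOS configuration. The layout is an
# assumption: stanzas start in column 0, settings are indented, "!" ends a stanza.
SAMPLE_CONFIG = '''\
wlan dot11r-profile "fast-roam"
!
wlan dot11r-profile "unused-ft"
!
wlan ssid-profile "campus-secure"
    essid "campus-secure"
    opmode wpa2-aes
    dot11r-profile "fast-roam"
!
wlan ssid-profile "campus-guest"
    essid "campus-guest"
    opmode opensystem
!
wlan ssid-profile "labs"
    essid "labs"
    opmode wpa2-aes
    no dot11r-profile
!
'''

STANZA = re.compile(r'^wlan\s+(ssid-profile|dot11r-profile)\s+"?([^"\n]+?)"?\s*$')
REFERENCE = re.compile(r'^\s+dot11r-profile\s+"?([^"\n]+?)"?\s*$')


def audit_dot11r(config_text):
    """Return per-profile reference counts and the SSID profiles using 802.11r."""
    counts = {}          # dot11r profile name -> number of SSID profiles using it
    ssids = set()        # SSID profiles that contain a dot11r-profile line
    current_ssid = None  # SSID stanza being read, if any
    for line in config_text.splitlines():
        stanza = STANZA.match(line)
        if stanza:
            kind, name = stanza.groups()
            current_ssid = name if kind == "ssid-profile" else None
            if kind == "dot11r-profile":
                counts.setdefault(name, 0)  # defined, possibly never referenced
            continue
        if not line[:1].isspace():
            current_ssid = None  # "!" or an unrelated top-level stanza
            continue
        ref = REFERENCE.match(line)  # "no dot11r-profile" does not match
        if ref and current_ssid is not None:
            counts[ref.group(1)] = counts.get(ref.group(1), 0) + 1
            ssids.add(current_ssid)
    return {"reference_counts": counts, "ssids_with_dot11r": sorted(ssids)}


def dot11r_enabled(report):
    """802.11r is in use when any profile has a non-zero reference count."""
    return any(count > 0 for count in report["reference_counts"].values())


if __name__ == "__main__":
    report = audit_dot11r(SAMPLE_CONFIG)
    for name, count in sorted(report["reference_counts"].items()):
        print(f"dot11r-profile {name!r}: reference count {count}")
    for ssid in report["ssids_with_dot11r"]:
        print(f"SSID profile {ssid!r} still has 802.11r enabled")
    # Per the advisory, a clean result covers only the 802.11r issues; client-side
    # 4-way handshake vulnerabilities are not mitigated by this setting.
    print("802.11r enabled:", dot11r_enabled(report))
```
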

Re: [WIRELESS-LAN] Big flaw in WPA2

2017-10-16 Thread Norton, Thomas (Network Operations)
Yeah man, not good!

Looks like has a fix out already. 
http://www.arubanetworks.com/support-services/security-bulletins/

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Oct 16, 2017, at 7:53 AM, Turner, Ryan H wrote:


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
