RE: Big flaw in WPA2

2017-10-19 Thread Osborne, Bruce W (Network Operations)
The specification, like many, was vague in implementation details and 
practically all vendors chose a poor, insecure design.  The only flaw in WPA2 
was vagueness in the specification. I understand the Wi-Fi Alliance is working 
on remedying that as well as specifically testing for KRACK in its 
certification testing.

Since many implementations were likely based off the chipmakers' reference 
designs, this is not very surprising.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Marcelo Maraboli [mailto:marcelo.marab...@uc.cl]
Sent: Wednesday, October 18, 2017 11:56 AM
Subject: Re: Big flaw in WPA2

If it were a design flaw, no patch can fix it; we would need to upgrade to 
WPA3 or something.

The fact that there is a patch going on means that either every implementation 
is wrong (not likely) or the specification (how to code the design) did not 
address boundaries or restrictions that should/must be cared for.

Or am I wrong?


Regards,

On 10/16/17 4:32 PM, Hector J Rios wrote:
The short answer is Yes.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Monday, October 16, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol, isn't the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?

Mike Cunningham


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

From Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

/ Stephen Belcher

Assistant Director of Network Operations
WVU Information Technology Services
One Waterfront Place / PO Box 6500
Morgantown, WV  26506

(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Richard Nedwich 
<rich.nedw...@brocade.com>
Sent: Monday, October 16, 2017 10:34:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

--
Marcelo Maraboli Rosselott
Deputy Director of Networks and Security
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Phone: (56) 22354 1341



Re: Big flaw in WPA2

2017-10-17 Thread Richard Nedwich
FYI,

As it seems relevant here, below is excerpted from 'Cloudpath FAQ Security 
Advisory 10-16-17_v2', which was posted yesterday.

Best,
Rich
-=-=-=-=-=

How can Cloudpath help?
While this issue is severe and must be remediated, please note that there are 
much easier ways to compromise the network. Below are the steps we recommend 
you take: 

1) If you are using Cloudpath to onboard devices, do redirect users to the 
portal page that gives them more information about this weakness and urge them 
to upgrade their BYOD and guest devices to the latest firmware (generating 
awareness is important).
2) Via Cloudpath’s device configuration settings, enforce OS auto-upgrade 
on all IT-owned devices. 
3) Via Cloudpath’s workflow branches, identify and redirect more risky 
devices (Android, Linux, etc.) to the portal page to perform an OS upgrade. You 
can also check for the firmware version on those devices and limit/block access 
if the firmware is old. Alternatively, you can put affected devices on a limited 
guest VLAN or role and even block plain HTTP for those devices.
4) If on an EAP-TLS network, enable server-side certificate validation to 
make sure your clients join the ‘correct’ SSID or network and they do not join 
a spoofed AP. 

Do I need to revoke the certificates, are keys compromised?

The weakness allows a man in the middle to overwrite the keys in the WPA2 4-way 
handshake, which enables data visibility, and the original keys themselves 
are not compromised. Because of this, we do not think it is necessary to revoke 
the certificates; however, revoking the certificates does force the users to 
re-onboard, and that forces users to accept terms and conditions and also view 
any notification that you put on the captive portal, including limiting access 
to severely affected devices.

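Added example, not part of the original post or of any vendor's code: in KRACK, a replayed handshake message 3 makes an unpatched client reinstall the session key it is already using and reset its packet number, so keystream repeats and frame contents become readable while the key itself stays secret. The `Station` class, the SHA-256 keystream (a stand-in for CCMP's AES counter mode) and the sample frames are assumptions constructed for illustration.

```python
import hashlib

def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for CCMP's AES-CTR, an assumption)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Hypothetical client transmit state: session key and packet number (nonce)."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.pn = patched, None, 0

    def install_key(self, key: bytes) -> None:
        # Runs each time handshake message 3 is processed.
        if self.patched and key == self.key:
            return  # fix: key already installed, keep the current packet number
        self.key, self.pn = key, 0  # unpatched: reinstalling resets the nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

def replay_exposes_plaintext(patched: bool):
    """Return (nonce_reused, second_frame_recovered_without_key)."""
    key = hashlib.sha256(b"constructed session key").digest()
    known = b"GET /index.html HTTP/1.1"   # constructed, guessable frame
    secret = b"session=constructed-0001"  # constructed, same length
    sta = Station(patched)
    sta.install_key(key)
    pn1, c1 = sta.send(known)
    sta.install_key(key)                  # retransmitted message 3
    pn2, c2 = sta.send(secret)
    # The observer holds c1, c2 and the known plaintext, never the key.
    recovered = xor(xor(c1, c2), known)
    return pn1 == pn2, recovered == secret

if __name__ == "__main__":
    print("unpatched:", replay_exposes_plaintext(False))
    print("patched:  ", replay_exposes_plaintext(True))
```

The patched branch mirrors the behaviour client updates introduced: a key that is already installed is not installed again, so the packet number keeps counting upward.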


RE: Big flaw in WPA2

2017-10-17 Thread Osborne, Bruce W (Network Operations)
No, the solution is EAP-TLS with individual device certificates.



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tim Tyler [mailto:ty...@beloit.edu]
Sent: Monday, October 16, 2017 9:57 AM
Subject: Re: Big flaw in WPA2

This brings up an issue where I have philosophically wondered if MAC address 
authentication isn’t better than 802.11x (WPA2).  The reason isn’t because it 
guards the network better.  But if one does get hacked at the point of 
accessing the network, the consequences are way less.  One isn’t giving away 
the keys to their other accounts.   I know some institutions do use MAC address 
authentication as their primary access method.   It is difficult for 
institutions that can’t afford pricey on-boarding solutions to manage 
certificate lock downs.   Hence, man in the middle attacks become prevalent as 
well.
  We already use MAC address authentication for devices that won’t support 
802.1x.  I keep wondering now if I shouldn’t make that our primary solution 
someday.  I am curious as to what others think.

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 6:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office



Re: Big flaw in WPA2

2017-10-16 Thread Richard Nedwich
Ruckus is providing a response today.



RE: Big flaw in WPA2

2017-10-16 Thread McClintic, Thomas
This seems contradicting…


Workarounds
===
All vulnerabilities described in this advisory may be mitigated by
disabling certain features:
- For ArubaOS, ensure that 802.11r is disabled by verifying that any
   configured SSID profile does not contain a "dot11r-profile".  From the
   command line, "show wlan dot11r-profile" will list any 802.11r profiles
   that have been configured.  If the reference count is 0, 802.11r is not
   enabled.
- For InstantOS, ensure that 802.11r is not enabled in any configured WLAN.
- Disabling 802.11r on the AP infrastructure will effectively mitigate
   client-side 802.11r vulnerabilities.  It will not, however, mitigate
   client-side 4-way handshake vulnerabilities.
- Clarity Engine is a beta feature enabled only in special builds of
   software.  Customers who are participating in this beta should not use
   Clarity Engine until a software update has been completed.
- Mesh mode for both ArubaOS and InstantOS is vulnerable.  Until this
   vulnerability is patched, mesh networks should be disabled.
- Wi-Fi uplink mode for InstantOS is vulnerable.  Until this vulnerability
   is patched, the Wi-Fi uplink feature should not be used.


TJ McClintic


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 16, 2017 7:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Let the panic begin.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office



RE: Big flaw in WPA2

2017-10-16 Thread Lee H Badman
Let the panic begin.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office