WPA2 KRACK Vulnerability, Getting Information

*** This page is being updated regularly. Please check back periodically. ***

I'm sure everyone who does anything with networking or Wi-Fi has heard about the announced WPA2 KRACK vulnerability. I won't go into depth with my opinion on it. I'd just like to start a collection of useful information in one single place.

First, the security researcher's website on the attack details:
https://www.krackattacks.com/

Second, read these articles and watch these videos by experts:
Mojo Networks / Pentester Academy Videos: http://blog.mojonetworks.com/wpa2-vulnerability
Aruba Blog: http://community.arubanetworks.com/t5/Technology-Blog/WPA2-Key-Reinstallation-Attacks/ba-p/310045
Aruba FAQ: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

*IMPORTANT UPDATE*
What's the TL;DR? There are 9 vulnerabilities that are client related and 1 that is AP / Infrastructure related. All are implementation issues, meaning software patching can fix them! Of the 9 CVE's related to clients, ALL can be mitigated with AP / Infrastructure updates as a workaround, but the infrastructure won't be able to determine if failure is from packet loss issues or attack. The long-term fix is definitely client software patching. The 1 CVE related to AP / Infrastructure is related to 802.11r Fast Transition - if you have it enabled you should patch ASAP. If not, no big Continue reading

25% off SanDisk Ultra 32GB microSDHC UHS-I card with Adapter – Deal Alert

SanDisk has discounted some cards today on Amazon. Their Ultra 32GB microSDHC UHS-I card with Adapter is currently listed for $11.19, which is $0.61 cheaper than the 16GB model. Today they've also priced the 64GB model at $17.99, 128GB for $36.99, and 200GB for $62.99. See these discounts on Amazon, today only.To read this article in full or to leave a comment, please click here

Using the Linux find command with caution

A friend recently reminded me of a useful option that can add a little caution to the commands that I run with the Linux find command. It’s called -ok and it works like the -exec option except for one important difference — it makes the find command ask for permission before taking the specified action.Here’s an example. If you were looking for files that you intended to remove from the system using find, you might run a command like this:$ find . -name runme -exec rm {} \; Anywhere within the current directory and its subdirectories, any files named “runme” would be summarily removed — provided, of course, you have permission to remove them. Use the -ok command instead, and you’ll see something like this. The find command will ask for approval before removing the files. Answering y for “yes” would allow the find command to go ahead and remove the files one by one.To read this article in full or to leave a comment, please click here

Some notes on the KRACK attack

This is my interpretation of the KRACK attacks paper that describes a way of decrypting encrypted WiFi traffic with an active attack.

tl;dr: Wow. Everyone needs to be afraid. It means in practice, attackers can decrypt a lot of wifi traffic, with varying levels of difficulty depending on your precise network setup. My post last July about the DEF CON network being safe was in error.

Details

This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug).

When a client connects to the network, the access-point will at some point send a random "key" data to use for encryption. Because this packet may be lost in transmission, it can be repeated many times.

What the hacker does is just repeatedly sends this packet, potentially hours later. Each time it does so, it resets the "keystream" back to the starting conditions. The obvious patch that device vendors will make is to only accept the first such packet it receives, ignore all the duplicates.

At this point, the protocol bug becomes a crypto bug. We know how to break crypto when we have two keystreams from the same starting position. It's not always reliable, but Continue reading

On Approaches to Internet Security, Cybersecurity, and the Path Forward

On 5 October, I had the pleasure of speaking at the New York Metro Joint Cyber Security Conference, which brings together a community of security practitioners from the New York Metro area. Two talks stood out for me. First, the keynote by Maria Vullo, Superintendent Financial Services for the state of New York, who explained her drivers for regulating cybersecurity requirements for the Financial Sector [link to the presentation]. Second, a presentation by Pete Lindstrom from IDC, who, in a presentation on how perimeter security needs a thorough rethink, kept returning to the economics of security.

The reason I refer to these two talks is because I can appreciate them for their own, almost diametrical approaches for improving security. Pete Lindstrom making a strong economic and risk-based approach, questioning whether patching every vulnerability that comes along makes any sense from an economic risk and scale analysis. Maria Vullo, on the other hand, using capacity-based regulation to incentivise stronger security controls.

Those two points resonate strongly with what I was trying to get across: There is no magic security bullet, there is no security czar, and maintaining trust needs an active approach from all stakeholders.

Starting off with how our Continue reading

CCDE October Online Class is starting, why CCDE from Orhan Ergun ?

CCDE October Online Instructor Led Class will start today. My Online CCDE Classes are 10 days, everyday around 4 hours. But really, let’s be honest, can you understand everything in 10 days ? So, can you pass the CCDE Practical exam just studying this 10 days course ?   No. No. Even if you are …

Continue reading "CCDE October Online Class is starting, why CCDE from Orhan Ergun ?"

The post CCDE October Online Class is starting, why CCDE from Orhan Ergun ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

CCDE October Online Class is starting, why CCDE from Orhan Ergun ?

CCDE October Online Instructor Led Class will start today. My Online CCDE Classes are 10 days, everyday around 4 hours. But really, let’s be honest, can you understand everything in 10 days ? So, can you pass the CCDE Practical exam just studying this 10 days course ?   No. No. Even if you are […]

The post CCDE October Online Class is starting, why CCDE from Orhan Ergun ? appeared first on Cisco Network Design and Architecture | CCDE Bootcamp | orhanergun.net.

Introduction to Cisco Wireless- Flex Connect Mode

Today I am going to talk about the Cisco Wireless Flex-connect mode and how it works in the enterprise or campus network with wireless connect with APs. There are two different modes, one is the local switched mode and another is called as Flex-connect mode.

In the case of the local switched mode, an AP creates two CAPWAP tunnels to the WLC.  One is for management, the other is data traffic.  This behaviour is known as "centrally switched" because the data traffic is switched(bridged) from the AP to the controller where it is then routed by some routing device.

Let's take an example here, let us suppose the below example about the difference between Local vs Flex-connect mode

Local Switching Vs Flex-Connect

Office 1 is located in New Delhi (using local mode)
Office 2 is located in Sydney(using flex connect)
Datacenter is located in San Jose 

Local Mode means that a tunnel is created from Wireless AP to the WLC. All traffic goes to the WLC. Authentication and user traffic. If office 1(New Delhi) is configured with local mode, the wireless clients will actually have all of their traffic tunnelled to San Jose and will use an IP from Continue reading

New Webinar: QoS Fundamentals (and Other Events)

I listened to Ethan Banks’ presentation on lessons learned running active-active data centers years ago at Interop, and liked it so much that I asked him to talk about the same topic during the Building Next-Generation Data Center course.

Not surprisingly, Ethan did a stellar job, and when I heard he was working on QoS part of an upcoming book asked him whether he’d be willing to do a webinar on QoS.

Read more ...

BGPSec – A reality now

The Secure Inter Domain Routing (SIDR) initiative held its first BoF at IETF 64 back in November 2005, and was established as a Working Group in April 2006. Following the Youtube Hijack incident in 2008, the need to secure BGP became increasingly important and SIDR WG charter explains it well:
The purpose of the SIDR working group is to reduce vulnerabilities in the inter-domain routing system. The two vulnerabilities that will be addressed are:
  • Is an Autonomous System (AS) authorized to originate an IP prefix
  • Is the AS-Path represented in the route the same as the path through which the NLRI traveled.

This last vulnerability was the basis for defining an AS Path validation specification which has become known as BGPsec.

BGPsec attempts to assure a BGP peer that the content of a BGP update it has received, correctly represents the inter-AS propagation path of the update from the point of origination to the receiver of the route.

So far, 39 RFCs have originated from the SIDR WG, with three drafts currently under discussion. Seven RFCs were published last month (September 2017) providing a big boost to the securing routing work:

Cisco Firepower 4100 Series introduction

Today in this article I am going to talk about the Cisco Firepower 4100 series. As in my earlier articles I talk about the Cisco Firepower 2100 series and Cisco Firepower 9300 series which is one of the most powerful box in security domain.

Before we start with the Cisco 4100 series Firewall, A next generation firewall with NGFW image, below are the Cisco Firepower 2100 and Cisco Firepower 9300 articles. You can go to that articles as well for your references.

Cisco Firepower 9300 Series
Cisco 2100 Series Firepower
Cisco Firepower 2100 BOQ guide

Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint.  

Fig 1.1- Cisco Firepower 4100 Series

Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco Firepower 4120 platform.

Cisco Firepower 4100 series comes in various models and these models are 
  • Cisco Firepower 4110
  • Cisco Firepower 4120
  • Cisco Firepower 4140
  • Cisco Firepower 4150
Let's talk about the basic features of Continue reading

Cisco Firepower 9300 Series Introduction

Today I am going to talk about the Cisco Firepower 9300 series which is one of the most powerful box by Cisco systems. Cisco Firepower 9300 is a Next Generation Firewall and has various capabilities of AVC, IPS, AMP and URL filtering with the high throughput value.

Cisco Launches 3 different series in the Firepower services which is called as Next generation Firewalls with all the above mentioned services within a box. The Firepower series are
In this article, I will only talk about Cisco 9300 Firepower next generation firewalls. Although you can have two different images in the box. You can use ASA image or NGFW image in all these 3 boxes as per the requirement in your network. 

Cisco Firepower 9300 is a highly scalable with carrier-grade, modular platform designed for service providers, high-performance computing centres, large data centres, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. 

Fig 1.1- Cisco Firepower 9300 NGFW

Technology Short Take 88

Welcome to Technology Short Take #88! Travel is keeping me pretty busy this fall (so much for things slowing down after VMworld EMEA), and this has made it a bit more difficult to stick to my self-imposed biweekly schedule for the Technology Short Takes (heck, I couldn’t even get this one published on Friday!). Sorry about that! Hopefully the irregular schedule is outweighed by the value found in the content I’ve collected for you.

Networking

Our Fellows Speak: “The Internet of the Future is Feminist“

The Internet Society invited four fellows from Latin America to the Forum on Internet Freedom in Africa 2017, which was held 27-29 September in Johannesburg. Two of the fellows, Veronica Vera and Anais Cordova-Paez of the ISOC Ecuador Chapter, shared their focus of work related to Internet freedom.

By Veronica Vera and Anais Cordova-Paez, ISOC Ecuador Chapter

Actions online are equally important toactions offline, which is why talking about freedom in the Internet is talking about human rights. In a world that is reproducing violence in all fields we need to talk about freedom embracing women’s rights; in this point of history seeking freedom is seeking gender equality.

Can we talk about Internet freedom if we don’t think about how we want Internet to be? And what do we have to do to achieve it? This is a conversation we need to have, because violence against women is everywhere, in all dimensions. In the cyberspace, human rights defenders, activists, or any woman who speaks out loud about her rights becomes a target of abuse, cyberstalking, revenge pornography, body shaming, and all kinds of violence that make us realize why it is really important to have a discussion about the principles of Continue reading

1 1,895 1,896 1,897 1,898 1,899 3,871