Sunday, November 30, 2008

Finally posted some belated photos to Flickr

Last August Anna and I had a few days off before 1st grade started. So, we spent the week together going places and checking out neat sites. Somehow I forgot to post the photos to Flickr, so I just put them up there.

Grandpa, who was a flight navigator in Vietnam and a S.A.C. instructor for many years at Mather A.F.B., might find some of these interesting since one of our stops was the Sacramento Aerospace museum next to McClellan A.F.B. Anna had fun climbing up into the planes and riding in the simulators. Being a weekday, we had the place to ourselves!

Exploring the Aerospace Museum of California

We also spent a day at the State Fair; this photo was near the end of the day. We were relaxing before the final show, then heading home.

State Fair Girl

And another day with friends at the Sacramento Train museum. In this photo Anna and her friend Ruby are posing in front of a Western Pacific diesel engine. Anna's great grandpa worked for the Southern Pacific for 40 years.

Exploring the Sacramento Railroad Museum

Sunday, November 23, 2008

WPA Wireless Networking isn't Broken!

Despite what most media sources have been saying, WPA certified wireless networking is not actually broken. I won't write up a long, complicated description of what was actually discovered, since this has already been done (see grc.com's Security Now podcast #170 TKIP Hack). I'll try to keep it short and simple.

First, as I noted in an old post on wireless security, WEP (Wired Equivalent Protection) is totally broken, so you should NOT still be using it. The WPA "crack / hack" discovery is simply a weakness in TKIP (Temporal Key Integrity Protocol), the protocol used by many people who are currently running WPA certified security. WPA was an early implementation of the 802.11i specification before it was finalized. To mitigate what is really a very minor weakness in WPA, use WPA2. WPA2 is the 802.11i specification in its completed / finalized form. Once you switch to WPA2, you also want to use AES and NOT TKIP.

If your equipment doesn't support WPA2, check whether there is newer firmware for your router(s) and access points that may support WPA2. If you are stuck with WPA, check whether your router supports QoS (Quality of Service) and make sure you have it disabled. It is likely that if you have QoS enabled it is doing you no good anyway. QoS is a key feature in the slight weakness of the WPA crack. Another name for QoS on some wireless routers is WMM (Wi-Fi Multimedia). This is a fairly new Wi-Fi Alliance certification on some routers. All this new acronym indicates is an interoperability certification using a subset of the 802.11e subspec. So, again, disable WMM if it is enabled. Another way to mitigate this attack would be to reduce the re-keying time from the default of 3600 seconds (60 minutes) to less than 12 minutes, say 660 seconds (11 minutes). Then the attacker runs out of time before being able to complete the attack on one packet. Doing this also removes the possibility of a DoS (Denial of Service) attack that could be done by injecting packets with a bad MIC (Message Integrity Code).

So, bottom line: use WPA2 with AES / CCMP (NOT TKIP or AES+TKIP) and use a long, randomly generated security key. My favorite site for generating very high quality, cryptographic-strength keys is GRC's Perfect Passwords page. FYI, I also use his Perfect Paper Passwords service for shorter strings I can use for passwords and Passcards.

The minor weakness discovered only allows the attacker to get a short packet of relatively known contents once every 12 minutes, or once every 4-5 minutes with QoS/WMM, and issue a replay attack with up to about 7 fake packets. These short packets are probably DHCP or ARP packets. They can't actually decrypt your packets and they don't have the time to fake a larger data packet, since your router will likely re-key once an hour. This re-keying causes the attacker to have to start over from scratch.
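The advice above can be turned into a quick settings check. This is an added example, not part of the original post: it assumes the access point is configured through a hostapd-style key=value file, and mapping the post's "re-keying time" to hostapd's `wpa_group_rekey` option is an assumption. The three sample configurations are constructed.

```python
# Added example (not from the original post): audit hostapd-style settings.
TKIP_WINDOW_S = 12 * 60  # the post: the attack needs about 12 minutes per packet

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means the post's advice is met."""
    conf = parse_conf(text)
    wpa = int(conf.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2
    if wpa == 0:
        return ["no WPA or WPA2 enabled"]
    findings = []
    # hostapd: wpa_pairwise defaults to TKIP; rsn_pairwise falls back to it.
    v1 = conf.get("wpa_pairwise", "TKIP")
    ciphers = set()
    if wpa & 1:
        findings.append("WPA (v1) enabled: switch to WPA2 only (wpa=2)")
        ciphers |= set(v1.split())
    if wpa & 2:
        ciphers |= set(conf.get("rsn_pairwise", v1).split())
    if "TKIP" in ciphers:
        findings.append("TKIP accepted: allow CCMP (AES) only")
        # The WMM and re-key advice only matters while TKIP is still in use.
        if conf.get("wmm_enabled") == "1":
            findings.append("WMM/QoS on with TKIP: set wmm_enabled=0")
        rekey = int(conf.get("wpa_group_rekey", "0"))  # missing counts as unmet
        if not 0 < rekey < TKIP_WINDOW_S:
            findings.append("re-key interval not under 12 min: use 660 s")
    return findings

# Constructed sample configurations, not taken from any real device.
WEAK = "wpa=3\nwpa_pairwise=TKIP CCMP\nwmm_enabled=1\nwpa_group_rekey=3600\n"
STUCK_ON_WPA = "wpa=1\nwpa_pairwise=TKIP\nwmm_enabled=0\nwpa_group_rekey=660\n"
HARDENED = "wpa=2\nrsn_pairwise=CCMP\nwmm_enabled=1\nwpa_group_rekey=3600\n"

if __name__ == "__main__":
    for name, conf in [("weak", WEAK), ("stuck on WPA", STUCK_ON_WPA),
                       ("hardened", HARDENED)]:
        print(name, "->", audit(conf) or "OK")
```

The WPA-only sample still reports WPA (v1) and TKIP, but with WMM off and an 11 minute re-key it clears the two workaround checks. The WPA2 + CCMP sample passes even with WMM on and a one hour re-key.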

Sunday, November 02, 2008

Halloween 2008

We went trick-or-treating with Anna's friend Eva and her two cousins. Pretty cute for a group of Halloween ghouls. Then they all had a sleepover at Eva's for the night. Stayed up watching scary movies and stuffing themselves with candy.