[ISN] RSA announces fix for wireless network security hole

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 00:11:46 PST

  • Next message: InfoSec News: "Re: [ISN] Adopt A Soldier, or something like that..."

    http://www.siliconvalley.com/docs/news/svfront/049744.htm
    
    Monday, Dec. 17, 2001 
    
    SAN FRANCISCO (Reuters) - RSA Security Inc. Monday will announce new
    technology designed to improve the security of wireless networks used
    within buildings and protect them from so-called ``drive-by hacks.''
    
    Bedford, Massachusetts-based RSA and Hifn of Los Gatos, California,
    have developed a technology patch for the Wireless Equivalent Privacy
    (WEP) protocol designed to encrypt communications transferred over
    standard 802.11 wireless networks.
    
    Such networks are growing increasingly common within corporations,
    warehouses and government offices for laptops and handheld devices
    where users need mobility.
    
    ``If you are running a wireless LAN (local area network), if someone
    was sitting in the parking lot with the correct software and a
    (wireless network) scanner they could pick up information flowing over
    the network,'' said Mike Vergara, director of product marketing at
    RSA. ``They could read all the traffic.''
    
    The current WEP implementation is flawed in that it uses encryption
    ``keys'' or codes for hiding data that are too similar to each other,
    making it relatively easy for someone to figure out the keys, Vergara
    said.
    
    There are tools, such as AirSnort, which surreptitiously grab data
    moving across wireless networks and analyze it to decode the
    encryption, he said.
    
    FAST PACKET KEYING
    
    The new technology, called Fast Packet Keying, ``enables you to
    encrypt each packet of data with a different key,'' Vergara said.
    
    The technology has been approved by the Institute of Electrical and
    Electronics Engineers (IEEE) standards body as an addendum, or patch,
    to the 802.11 standard, he said.
    
    Device makers are upgrading their software, according to Vergara, but
    he didn't know when the patches would make it into devices out in the
    market.
    
    The patch only addresses the known security vulnerability and does not
    address any new holes that might crop up, Vergara conceded.
    
    For that reason, Avi Rubin, a computer security researcher at AT&T
    Labs, suggested researchers develop wireless technology using the new
    Advanced Encryption Standard (AES), approved by the U.S. government.
    
    AES, which is exponentially more difficult to crack than its
    predecessor, is expected to become the standard for securing Internet
    communications over the coming years.
    
    Using AES would require new wireless network cards, said Rubin, who
    was among the first to discover a way to crack the WEP protocol.
    
    ``Band aid approaches may be necessary for the short term,'' he said.  
    But ``for the next generation of (wireless network) cards they should
    throw everything away and design something with AES.''
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 11:53:55 PST