Tag Archive for Wi-Fi

Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. This one is in the Diffie-Hellman key exchange, a widely used cryptographic protocol that lets two parties agree on a shared secret key over an untrusted network and so negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and anything else built on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they call the Logjam attack, a man-in-the-middle attacker exploits a flaw in the TLS protocol to downgrade vulnerable connections to 512-bit export-grade Diffie-Hellman. Once the connection is using the weak group, the attacker can read and change any data passed over it.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.
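The precomputation idea is easier to see in code. The following is an added toy illustration in Python, not code from the researchers or from weakdh.org. It stands in for the number field sieve with the baby-step giant-step algorithm, whose baby-step table likewise depends only on the group (the prime p and generator g) and not on any particular exchange; once that table exists, each individual connection costs only a short loop. The group here is the 31-bit Mersenne prime 2^31 - 1 with generator 7, chosen so the table builds in a fraction of a second. Real deployments use 512-, 1024- or 2048-bit primes, where this naive method is hopeless and the sieve's much heavier prime-specific precomputation is what makes per-connection breaks cheap.

```python
import math

# Toy "shared" group standing in for the prime that millions of servers reuse.
# 2**31 - 1 is prime and 7 is a primitive root modulo it; a real DHE group is
# 512 to 2048 bits and far beyond this brute-force method.
P = 2_147_483_647
G = 7


class GroupPrecomputation:
    """One-time work that depends only on (p, g), not on any exchange.

    Baby-step giant-step: store g^j for 0 <= j < m once; afterwards any
    discrete logarithm in this group costs at most m multiplications.
    """

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1            # ceil(sqrt(group order))
        self.baby_steps = {}
        cur = 1
        for j in range(self.m):
            self.baby_steps.setdefault(cur, j)     # g^j -> j
            cur = cur * g % p
        # g^(-m) mod p via Fermat: g^(p-1) == 1, so g^(-m) == g^(p-1-m)
        self.giant_step = pow(g, (p - 1) - self.m, p)

    def dlog(self, h: int) -> int:
        """Per-target work: return x with g^x == h (mod p)."""
        cur = h % self.p
        for i in range(self.m):
            j = self.baby_steps.get(cur)
            if j is not None:
                return i * self.m + j
            cur = cur * self.giant_step % self.p
        raise ValueError("h is not a power of g")


def dh_exchange(p: int, g: int, a: int, b: int):
    """Textbook Diffie-Hellman with fixed secrets a and b; returns (A, B, shared)."""
    A = pow(g, a, p)
    B = pow(g, b, p)
    return A, B, pow(B, a, p)


def eavesdrop(pre: GroupPrecomputation, A: int, B: int) -> int:
    """Passive attacker: recover the shared secret from the public values only."""
    a = pre.dlog(A)                 # cheap once the group table exists
    return pow(B, a, pre.p)


if __name__ == "__main__":
    pre = GroupPrecomputation(P, G)                      # paid once per group
    for a, b in ((123456789, 987654321), (31337, 4242)):  # two "connections"
        A, B, shared = dh_exchange(P, G, a, b)
        assert eavesdrop(pre, A, B) == shared
    print("both exchanges broken with one precomputation")
```

Running the block breaks two independent exchanges against the shared group with a single precomputation. The attacker is purely passive: it never touches the connection and only reads the public values A and B, which is exactly what makes the reuse of one well-known 1024-bit prime by millions of servers such an attractive target.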

To prove this hypothesis, the researchers carried out the precomputation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can downgrade connections to 80% of the TLS servers that support DHE_EXPORT cipher suites.

They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.

There is speculation that this “flaw” has been exploited by nation-state actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with its having exploited exactly this weakness.

What should you do?

1 – Go to the researchers’ website https://weakdh.org/ to see whether your browser is safe from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OS X 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) addressed the issue in the Chrome 42 update, released April 15. Google engineer Adam Langley wrote:

We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. So far there has been no response from these tech titans.

The researchers have also provided guidance:

  1. If you run a web or mail server, disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.
  3. If you are a sysadmin or developer, make sure any TLS libraries you use are up to date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024 bits.
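Item 3 above asks client code to reject small Diffie-Hellman primes. The block below, an added example in Python and not code from any browser or TLS library, parses the ServerDHParams structure that a DHE ServerKeyExchange message starts with (the prime, generator and server public value, each a 16-bit-length-prefixed big-endian integer, per RFC 5246) and applies the size and range checks a client should make before continuing the handshake. The sample messages are constructed inside the block from placeholder integers of the right sizes; they are not real DH groups, and the block does not verify the signature that follows the parameters, which a real client must also do. Note what the check cannot do: a client has no cheap way to confirm that p is prime or that the group is not one of the widely shared ones, so size is the only lever it has, which is why the researchers also tell server operators to generate their own 2048-bit group.

```python
import struct

# Client-side policy from the guidance above: refuse DHE groups whose prime is
# too short. 1024 bits is the floor the researchers asked clients to enforce;
# their advice for servers is 2048 bits.
MIN_DH_PRIME_BITS = 1024


def _read_vector16(data: bytes, off: int):
    """Read one opaque<1..2^16-1> field (2-byte length prefix) starting at off."""
    if off + 2 > len(data):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", data, off)
    off += 2
    if n == 0 or off + n > len(data):
        raise ValueError("truncated or empty field")
    return data[off:off + n], off + n


def parse_server_dh_params(body: bytes):
    """Parse the ServerDHParams prefix of a DHE ServerKeyExchange (RFC 5246).

    Returns (dh_p, dh_g, dh_Ys, remainder); the remainder is the signature
    block that follows the parameters, left unverified here.
    """
    p_bytes, off = _read_vector16(body, 0)
    g_bytes, off = _read_vector16(body, off)
    ys_bytes, off = _read_vector16(body, off)
    to_int = lambda b: int.from_bytes(b, "big")
    return to_int(p_bytes), to_int(g_bytes), to_int(ys_bytes), body[off:]


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here only to build sample messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def dh_params_problems(p: int, g: int, ys: int, min_bits: int = MIN_DH_PRIME_BITS):
    """Return the reasons a client should abort the handshake; empty means OK."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is {p.bit_length()} bits, below {min_bits}")
    if p % 2 == 0:
        problems.append("prime is even")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    if not 1 < ys < p - 1:
        problems.append("server public value out of range")
    return problems


def client_accepts(body: bytes) -> bool:
    """Full client-side check: parse, then apply the policy."""
    p, g, ys, _signature = parse_server_dh_params(body)
    return not dh_params_problems(p, g, ys)


# Constructed sample messages (placeholder odd integers, NOT real DH groups):
# an export-grade 512-bit group and a 2048-bit one. Only the sizes matter here.
EXPORT_MSG = encode_server_dh_params((1 << 511) | 1, 2, (1 << 300) + 7)
STRONG_MSG = encode_server_dh_params((1 << 2047) | 1, 2, (1 << 1000) + 7)


if __name__ == "__main__":
    for name, msg in (("export-grade", EXPORT_MSG), ("2048-bit", STRONG_MSG)):
        p, g, ys, _ = parse_server_dh_params(msg)
        print(name, dh_params_problems(p, g, ys) or "accepted")
```

A 1024-bit floor is what the researchers asked of clients at the time; raising MIN_DH_PRIME_BITS to 2048 matches the guidance they give servers, at the cost of failing handshakes with servers that still use the 1024-bit default groups.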

rb-

Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way. 

Ars Technica notes that Logjam is partly a legacy of the export restrictions the US government imposed in the 1990s so that its agencies could break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” the University of Michigan’s J. Alex Halderman said in the Ars report. “Today that backdoor is wide open.”

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Wi-Fi Marches On

Kevin Fitchard at GigaOm lays out where Wi-Fi is headed. Now that the second wave of 802.11ac Wi-Fi equipment is hitting the market, new plans are taking shape. The Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE) have begun to look ahead to 802.11ac’s successor. This time around, the wireless industry is turning its focus from overall network capacity to the real connection speed delivered to each device.

Mr. Fitchard explains that the gigabit-plus numbers often attributed to 802.11ac can be misleading. They represent the aggregate capacity a Wi-Fi network can support, for instance 1.3 Gbps in today’s most advanced routers, but only in the rarest of circumstances would any single device actually connect at such a rate. The author argues that 802.11ac’s improvements let a single router pack in more high-speed connections and take advantage of bigger swaths of unlicensed spectrum.

Fair share

However, individual connections still peak at just over 300 Mbps, and that assumes a broadband connection that can even support those speeds; typical connection speeds are far slower. With 802.11ax, though, wireless engineers are making sure the individual device, not just the network, gets its fair share of attention, said Greg Ennis, VP of Technology for the Wi-Fi Alliance.

Though the IEEE is still in the early stages of developing the 802.11ax specification (we likely won’t have a ratified standard until at least 2018), it has begun setting priorities for the new technology, the Wi-Fi Alliance’s Ennis said. At the top of that list is a 4X increase in speed to the device, possibly pushing individual device connections into the gigabit range.

MIMO-OFDA

GigaOm speculates that the IEEE hopes to do this with a radio technology it calls MIMO-OFDA (more commonly written MIMO-OFDMA). MIMO, or multiple input-multiple output, uses multiple antennas to send multiple streams of data to the same or different devices, while OFDMA, orthogonal frequency division multiple access, is a variant of the orthogonal frequency division multiplexing (OFDM) used in 4G mobile and earlier Wi-Fi standards that lets one channel carry several users’ traffic at the same time. The idea is a more powerful and efficient radio that can shove more bits into the same transmission. That creates a bigger data pipe to each device, which in turn adds up to greater overall network capacity and better Wi-Fi performance even in the sketchiest of conditions, Mr. Ennis said. “The goal here is not just to increase average throughput, but the average throughput users would actually see in the real world, even in the densest environments,” Ennis said.

Chinese equipment maker Huawei, which heads the IEEE 802.11ax task group, is already running trials of MIMO-OFDA systems and is hitting 10.53 Gbps in the lab using Wi-Fi’s traditional 5 GHz band. Whether that translates into a 10 Gbps link to your smartphone or tablet remains to be seen, but it hardly seems relevant given how difficult it is to comprehend what any device could possibly do with a 10 Gbps connection (much less find a home broadband connection capable of feeding such a link).

Faster simultaneous Wi-Fi connections

But if 802.11ax lives up to its promise, the author says, it should be able to squeeze many more and much faster simultaneous connections out of a single router or hotspot, which would mean a far better experience for everyone on a crowded network. Though the IEEE won’t ratify 802.11ax until 2018 or later, we might see the Wi-Fi Alliance certify “draft-ax” devices and equipment beforehand, just as we saw “draft-n” and “draft-ac” devices before their respective 802.11 standards were finalized. It all depends on how far the wireless industry has progressed with the underlying technology in the coming years, Ennis said. And long before we see the “ax” suffix stamped onto any gadget or router, other combinations of the Wi-Fi alphabet will make an appearance.

The Alliance will begin certifying the first 802.11ad, or WiGig, devices next year, supporting extremely short-range but very high-capacity links between gadgets and peripherals. A bit further down the road is 802.11ah, which will take Wi-Fi to the 900 MHz band, where it will provide narrowband but long-range connectivity for the Internet of Things.

rb-

Techie wireless alphabet  – IEEE, N, AC, AD, AH, AX, MIMO, OFDM, EI, EIO, O!


Wi-Fi Charges Up Ethernet

Information Technology prognosticator Gartner (IT) predicts that 40% of enterprises will use Wi-Fi as the default connection for mobile and non-mobile devices by 2018, according to Fred Donovan at FierceMobileIT. The prediction says that typically fixed-location devices such as desktops, desk phones, projectors, and conference-room equipment will use Wi-Fi as their primary connection, replacing Ethernet.

Gartner says Wi-Fi is facilitating BYOD. The enterprise Wi-Fi network now allows workers to choose any device and move anywhere in the workplace. Gartner argues that the introduction of security measures such as 802.1X authentication combined with Advanced Encryption Standard (AES) encryption, the WPA2-Enterprise combination, has lessened IT’s worry about security breaches involving the Wi-Fi infrastructure. Ken Dulaney, V.P. and distinguished analyst at Gartner, said:

Ethernet cabling has been the mainstay of business workspace connectivity since the beginning of networking. However, as smartphones, laptops, tablets, and other consumer devices have multiplied, the consumer space has largely converted to a wireless-first world

Facilitating BYOD

As the first connection to the enterprise infrastructure, Wi-Fi gives workers the ability to choose any device and move anywhere without worry. VP Dulaney continued:

As bring your own device (BYOD) has increased in many organizations, the collision of the business and consumer worlds has changed workers’ demands

Furthermore, cabling systems, and even peer-to-peer (P2P) wireless cable-replacement technologies, have had to deal with a variety of connector challenges, such as USB and micro-USB, as video systems move beyond Video Graphics Array (VGA). The market research firm also argues that MACD (moves, adds, changes, and deletes) costs will decrease.

Additions, moves, and changes are costly inconveniences that waste time for enterprise IT organizations. A move can sometimes involve cabling changes that can cost as much as $1,000 … With Wi-Fi printers, desktops, and other devices, all that is required is a cable to the power source, leaving workers free to move themselves and making reconfigurations of offices easier.

Because of the many benefits of Wi-Fi, Gartner VP Dulaney predicts firms are going to change how they connect:

we expect many organizations to shift to a wireless-by-default and a wired-by-exception model.

New Ethernet specifications

In order to deal with the new wireless-by-default reality, changes are needed on the wired network. Mr. Mah at FierceCIO reports that the vendor community is working to address the Wi-Fi-first world. Unfortunately, two industry groups are pushing their own new Ethernet specifications. Mr. Mah says that new Ethernet standards are needed to keep up with Wave 2 of 802.11ac wireless access points (APs), which have a theoretical maximum throughput of up to 3.5 Gbps.

New standards are needed because existing Gigabit Ethernet is a bottleneck and the current alternatives are unattractive. Link-aggregating two Gigabit Ethernet connections for each Wi-Fi AP would need additional cabling and more expensive managed switches to support it. Going to 10GbE would be overkill: upgrading to 10GbE is a significant investment that includes new Category 6A or Category 7 cabling and more power.

One faction, the MGBase-T Alliance, was formed in June 2014 and includes Avaya, Aruba Networks (ARUN), and Brocade (BRCD), as well as component vendors Broadcom (BRCM) and Freescale Semiconductor. The other group, the NBase-T Alliance, was formed in October 2014 and consists of Cisco (CSCO), Intel, Xilinx (XLNX), Freescale, and Aquantia, a company that is already making 2.5G/5G components.

Little agreement on standards

At the moment, the only thing the two factions agree on is that 2.5 Gbps and 5 Gbps speeds are needed. The IEEE 802 LAN/MAN Standards Committee has set up the P802.3bz 2.5/5GBase-T Task Force to address this issue. The 2015 Q1 CommScope Standards Advisor reports that the 802.3bz committee has decided so far that:

  • the 2.5GBase-T option will run on Cat 5e (Class D) 4-pair UTP up to 100 m,
  • the 5GBase-T option will run on Cat 6 (Class E) 4-pair UTP up to 100 m, and
  • there is no release date yet.

The concern, however, is that vendors could jump the gun by shipping pre-standard products ahead of ratification, complicating matters and slowing down development of the standard.

rb-

Remember 802.11n and its pre-standard products? There is no guarantee that systems built with components from the two groups will work together. Don’t jump the gun: wait for the standard to solidify before buying into new 2.5G/5G Ethernet networking hardware.

For now, Dell’Oro Group analyst Alan Weckel told FierceCIO that enterprises will probably be able to buy 2.5G/5G equipment starting in Q2 of 2015.


802.3bt More Power to the People’s Devices

Power over Ethernet (PoE) powers more than one million end devices today. To continue PoE’s success, the IEEE is answering the market’s demand for more power by developing 802.3bt, the third generation of PoE.

The first generation of PoE, 802.3af (2003), delivered 12.95 watts to the powered device. The second generation, 802.3at (2009), provides 25.5 watts. The new version will address the need for higher-power PoE: the IEEE has proposed a new standard, 802.3bt, which promises to double the power output of the current 802.3at standard. The new 802.3bt standard, scheduled for release in 2017, will also adapt PoE to work with 10GBase-T.

Cabling Installation & Maintenance Magazine provides an excellent overview of the new standard. It reports that the IEEE 802 LAN/MAN Standards Committee, which develops and maintains networking standards like Ethernet, VLANs, and wireless LAN, is developing the new standard. Its DTE Power via MDI over 4-Pair Task Force is working to specify a set of next-generation PoE specifications; the power levels likely to be delivered under 802.3bt will still work over twisted-pair cable, most likely as a four-pair PoE specification, which could improve energy efficiency and deliver more power.

New PoE Applications

Industry              Application                                          Typical power consumption
Healthcare            Nurse call system                                    30-50 W
Retail                Point of sale system                                 30-60 W
Banking               IP turrets                                           45 W
Building management   Variable air volume controllers, access controllers  40-50 W
Enterprise IT         Thin clients, virtual desktop terminals              50 W
Hospitality           PoE switches                                         45-60 W
Premise security      PTZ cameras                                          30-60 W
Industrial            Brushless drives, motor control                      >30 W
Various               Digital signage                                      >30 W
Various               Multichannel wireless access points                  >30 W
(via CommScope)

The new PoE standard will support 10GBase-T, which uses all four pairs to carry data. The IEEE 802.3bt committee therefore has to work out how to keep the power from interfering with the data on the same wires while supplying a minimum of 49 watts at the powered device. One of the key parameters the article mentions is limiting pair-to-pair current imbalance.

Other goals for the 802.3bt standard are backward compatibility with “af” and “at” and increased energy efficiency. According to the article, a global move to 4-pair PoE systems would create potential energy savings of 60.8 million kilowatt-hours a year, avoiding the greenhouse gases from burning 66 million pounds of coal.

Paul Vanderlaan, technical manager of cable maker Berk-Tek – Nexans’ advanced design and applications lab, and other cabling-industry technical experts believe that 802.3bt’s support for 10GBase-T means the minimum twisted-pair cabling requirement will rise. To support 10GBase-T, a Category 6A system seems likely to be the recommendation. The author notes that the IEEE does not address cabling performance; that is the focus of groups like the TIA and ISO/IEC.

The transition to the new PoE standard will not be simple. CommScope published a white paper where they explain:

… Category 5e cabling only provides the minimum level of performance required. Therefore, it is recommended to use Category 6 or Category 6A cabling-preferably solutions …

Berk-Tek’s Vanderlaan explained why Category 6A cabling is the preferred system, summarizing the electrical-engineering calculations:

As a general rule, increased copper content, or larger gauge size, will aid in power delivery … when you migrate … you should see larger gauge sizes and more copper content.

Under the new standard, users will have to pay attention to new cabling-system performance characteristics such as DC resistance unbalance and pair-to-pair resistance unbalance. Currents of up to a full amp (1,000 milliamps) will present challenges to performance requirements. Mr. Vanderlaan told Cabling Installation & Maintenance Magazine:

For users, cable selection will be based not just on the speed that can be supported, but rather on speed as well as power delivery. What you simply plug in today, you may want to also power in the future.

A new challenge cable-plant owners will have to consider is heat. CommScope explains that the heat generated within bundles of cables supporting IEEE 802.3bt could rise enough to affect performance.

… the temperature of the cabling will rise due to heat generation in the copper conductors … the temperature of the cable bundle higher than the ambient temperature of the surrounding environment … The IEEE 802.3bt four-pair PoE standard is expected to assume a maximum temperature rise of 10 degrees Celsius (50 degrees F) when all four pairs are energized … the ambient temperature should not exceed 50 degrees Celsius (122 degrees F) … CommScope recommends Category 6A cabling for four-pair PoE applications. Because increased thermal loading can also increase insertion loss, the maximum cable length should be de-rated for higher temperatures, per ANSI/TIA-568-C.2.

Several vendors have already released pre-standard device-powering systems to meet users’ current needs.

As in the pre-standard PoE days, vendors have shipped proprietary systems: Cisco (CSCO) has marketed its Universal Power Over Ethernet (UPOE) technology since 2011. UPOE delivers 60 watts of power to devices attached to the Catalyst 4500E; those devices include Cisco IP phones, personal telepresence systems, compact switches, and wireless access points.

Also, the non-standard Power Over HDBase-T (POH) was introduced by the HDBase-T Alliance, a trade group that promotes and standardizes HDBase-T technology for whole-home distribution of uncompressed high-definition (HD) multimedia content. This system delivers up to 100 watts of power to TVs and other devices over distances up to 100 meters (about 328 feet) via one Category 5e or 6 cable with standard RJ45 connectors.

rb-

The new standard is a welcome addition to the toolkit. Cost savings are one of the appeals of PoE: on many projects, low-voltage PoE contractors can do the work rather than electrical contractors. If the new system pushes the maximum to 75 W at the device, as some predict, will there be a backlash from the electrical contractors and the authorities having jurisdiction? Time will tell.

In the meantime, the article says owners and managers should check their current infrastructure with eyes toward how the next generation of devices might be powered via more-capable PoE technology.

Of course, it is always a good idea to pull out your acceptance documentation to understand the installed base of the cable and the likelihood that the cable has the electrical performance characteristics required to support the next generation of PoE.


Internet of Things Full of Holes

The Internet of Things is big and heading towards huge. The Internet of Things (IoT) is a system in which unique identifiers are assigned to objects, animals, or people, and these “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes the IoT will be the biggest thing since sliced bread. It claims there are 1.9 billion IoT devices today and will be 9 billion by 2018, roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine, that is a very scary thing.

The InfoSecurity article says HP (HPQ) found that 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify on Demand testing service to uncover the flaws. According to the new study, HP found flaws in IoT devices such as TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers, as well as in their cloud and mobile app components.

HP tested the devices with manual and automated tools and rated their security against the vendor-neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raise significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app components. Some of the results:

  • A total of 250 security concerns were uncovered across all tested devices, an average of 25 per device,
  • 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
  • 80% of devices allowed weak passwords like 1234, opening the door for Wi-Fi-sniffing attackers,
  • 80% raised privacy concerns about the sheer amount of personal data being collected,
  • 70% of the devices failed to use encryption when communicating with the Internet and the local network,
  • 60% had web interfaces vulnerable to a range of issues, such as the Heartbleed SSL vulnerability, persistent cross-site scripting (XSS), poor session management, and weak default credentials,
  • 60% did not use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity that the problems HP uncovered in this report are just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturers did not consider basic security or, worse, calculated that it was better to ignore secure design in their rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.
