08-05-2006, 06:12 PM
John Navas
Re: Hackers Expose 'Critical' Wi-Fi Driver Flaw

On Fri, 04 Aug 2006 09:46:34 -0700, Jeff Liebermann
<jeffl@comix.santa-cruz.ca.us> wrote in
<u7t6d2la1h2b6rju4ho1soh0laiatl0m08@4ax.com>:

>"Bill Kearney" <wkearney99@hotmail.com> hath wroth:
>
>>So you'd rather keep your head in the sand, ostrich-like, than take
>>effective action? G'head, leave your ass in the air, exposed to being
>>hacked, while trying to discredit the sources.
>
>If it wasn't for the sterling credentials of those presenting the
>wireless driver exploit, it would probably be dismissed as alarmist and
>possibly fabricated. Methinks Ellch and Maynor might have a slightly
>different agenda. Major security exploits are normally not released
>in the middle of security conventions unless those making the
>presentation are after publicity. It could easily have been released
>in one of the security mailing lists, where exploit details are
>usually not released until after those affected are informed. Some
>time is allowed for the manufacturers to review the problem and offer
>fixes. Peer review and comments in the mailing lists are also
>necessary to make sure there were no oversights and errors.
>
>However, the problem is a bit different when giving a live public
>demonstration. The trick is to show that there is a problem, but to
>not leak exploit details to the hackers. Trying to do that
>effectively at the Black Hat convention is a guaranteed loser.
>Everyone present is going to want exploit details. Those with a clue
>are going to run home and crank out exploit scripts. Meanwhile, the
>manufacturers are in a state of panic, and the trade press is sure to
>expand this into the inevitable demise of all things wireless.
>
>In my opinion, the only thing positive that might come out of this is
>the publicity received by Ellch and Maynor. Everything else is in
>disarray and subject to many questions. Like Fleischmann and Pons
>(cold fusion), they got their publicity and nothing else useful.


I suspect there's more going on here than meets the eye. A big problem
in security is getting vendors to pay proper attention. My guess is
that these guys got fed up with the lack of concern, and decided to
build a fire under them with this public presentation. If so (or
something like that), my own opinion is, "Bravo!"

I'm frankly sick and tired of vendors _knowingly_ shipping badly flawed
products. It's the major reason I largely dropped out of beta testing
-- I have a long list of _major_ bugs I found as a beta tester that were
left unfixed in released products (which I'm unable to disclose due to
NDAs).

<http://blog.washingtonpost.com/securityfix/2006/08/followup_to_macbook_post.html>

Follow-up to the Macbook Post

I'd like to respond to the people who commented on yesterday's post
about the video's depiction of the use of a third-party wireless card
on the Macbook. I spent more than an hour with Dave Maynor watching
this exploit in action and peppering him with questions about it.

During the course of our interview, it came out that Apple had leaned
on Maynor and Ellch pretty hard not to make this an issue about the
Mac drivers -- mainly because Apple had not fixed the problem yet.
Maynor acknowledged that he used a third-party wireless card in the
demo so as not to draw attention to the flaw resident in Macbook
drivers. But he also admitted that the same flaws were resident in
the default Macbook wireless device drivers, and that those drivers
were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it
remains a fact that the default Macbook drivers are indeed
exploitable.

To all of the commenters who complained about why this demo was not
shown live, I refer you back to the text of the blog post, which
pointed out the dangers inherent in showing this type of exploit live
to a room overflowing with curious hackers who would like nothing
more than to capture a copy of the exploit wirelessly and experiment
with it.

Again, the whole point of this story was not to pick on Macs, but to
point to a security issue that affects multiple operating systems and
one that is long overdue for some serious code review by the
companies that OEMs rely upon to produce this software.

As always, thanks for all the comments. Keep them coming.

-- Brian Krebs

>>Meanwhile, smarter folks
>>will simply upgrade their firmware and reconfigure their devices to avoid
>>the risks.
>
>How? It's a driver issue. According to the story line, you don't
>even need to be connected to be successfully attacked. Just have the
>client radio enabled. I have my doubts after reading the
>presentations and watching the video clip. There were some things
>involved in the demo that were totally unnecessary. Why did they use
>a laptop as an access point?


Probably because the MacBookPro has Airport functionality built into it.

>Why do they claim that a connection is
>not necessary, and then run the demonstration while connected? Etc.


I can think of a number of legitimate reasons. Why assume otherwise?

>Methinks the smart people will not panic, just wait and see, and
>perhaps turn off their wireless clients or radios when not in use.


Panic is never a good idea. Nonetheless I'm now concerned about the
Atheros wireless device in my own notebook computer, and even more for
ones I've deployed for clients and friends, since that was reportedly
the hardware used in the demo.

I've always turned off my own wireless when not needed, not only for
security, but also for power saving and less annoyance. (I like how
easy that is with a ThinkPad, one of the reasons I use and recommend
them.) However, I really can't expect all my clients and friends to do
so.

Until this is all sorted out, I've decided to:

1. Monitor updates and security for clients and friends even more
carefully than usual.

2. Use Wireless Client Bridges instead of integrated wireless adapters
as much as possible.

--
Best regards,
John Navas

FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>