[QCLUG] Recent article on Slashdot and VPN setup
Dave Bergert
dbergert@gmail.com
Mon, 13 Oct 2008 14:52:10 -0500
Two good articles on this:
http://www.formortals.com/Default.aspx?tabid=36&EntryID=119
http://erratasec.blogspot.com/2008/10/wpa-is-not-obsolete.html
On Oct 13, 2008, at 1:56 PM, David Hinkle wrote:
> WPA in all its mutant forms probably isn't going away any time
> soon, but it arguably should never have been born. For day to day
> applications such as playing World of Warcraft and picking up girls
> on the internet it's fine, but if you really need to keep something
> confidential you should be using something with a lot longer history
> and a lot more research behind it.
>
> WEP was always a hack, and will always be a hack, the purpose of
> which is only to give lip service to security without having to
> build APs with enough horsepower to do real encryption. Whatever
> parts of the standard may or may not have been broken at any given
> time is irrelevant, it'll all get broken sooner rather than later
> anyway. The golden rule: Anyone smart enough to design their own
> secure crypto system knows better than to do so. If the people who
> designed WEP were smart enough to build a secure encryption system
> they would have done so by deploying IPSEC.
>
> David
>
>
> -----Original Message-----
> From: qclug-bounces@qclug.org on behalf of Chris Cooper
> Sent: Mon 10/13/2008 1:41 PM
> To: qclug@qclug.org
> Subject: Re: [QCLUG] Recent article on Slashdot and VPN setup
>
> The WPA2 standard is far from dead. This only applies to WPA/WPA2 PSK
> (Pre-Shared Key). It has no effect on WPA-EAP (or any variation
> thereof). If you use a radius server for WPA Authentication, this
> article means nothing.
>
> Hardware assisted WPA-PSK cracking is nothing new. coWPAtty (a
> popular WPA cracking utility) already has support for FPGA hardware
> acceleration. What they did was simply alter the code to use the new
> NVidia API (the NVidia in API mode acts almost like an FPGA for the
> heavy floating point math required by RC4 and AES encryption).
>
> Back in May, Lockheed used the Playstation 3 Cell processor to do
> the same:
> http://www.networkcomputing.com/blog/dailyblog/archives/2008/05/lockheed_breaks.html
>
> This really isn't anything new, just a new application. Even at that,
> it is still just brute forcing. This isn't like WEP where they found
> design flaws that let them derive the keys.
> Given enough processing power, any encryption is trivialized. The
> 3DES standard once used by Linux crypt() is just as cryptographically
> sound as AES. The only difference is AES can use larger keys at the
> cost of MUCH greater processing power. This increases the time
> required to exhaust the entire keyspace during a brute force attack.
> As computers get faster and faster, and the average core count becomes
> greater, all of our current encryption standards will become
> trivialized, much the way 3DES has.
>
> As Arron pointed out, it really just boils down to password strength.
> A great password generator and site explaining password strength and
> complexity is:
> https://www.grc.com/passwords.htm
>
>
>
> On Mon, Oct 13, 2008 at 10:11 AM, Arron Lorenz <arronlorenz@gmail.com> wrote:
> > I also should mention that in Soviet Russia you don't crack WPA, WPA CRACKS
> > YOU!!
> >
> > On Mon, Oct 13, 2008 at 10:07 AM, Arron Lorenz <arronlorenz@gmail.com> wrote:
> >>
> >> I read the article you mentioned and the method for cracking is still the
> >> same method; they just figured out that if you use hundreds/thousands of
> >> networked PCs that it goes faster.
> >> From the article:
> >> "The 100-fold increase in speed is achieved with two GeForce GTX280's per
> >> workstation"
> >> Now that is two (2) Nvidia GTX 280's per workstation. They also said you
> >> would need 20 of these workstations.
> >>
> >> They also mentioned in the article that:
> >> "This will, of course, mainly affect simple ascii keys. And it will only
> >> work against static keys; anyone using more complicated authentication
> >> schemes will not be at risk for now. But since that takes a couple of extra
> >> minutes when installing, smaller businesses or departments often skip
> >> setting this up."
> >> I hope that no one is using simple keys for their passwords. "abcd1234"
> >> will be cracked quickly whereas "a^b#c$d*1.2,3?4" will take a lot longer.
> >> Original article:
> >> http://securityandthe.net/2008/10/12/russian-researchers-achieve-100-fold-increase-in-wpa2-cracking-speed/
> >> So I would say make sure your WPA keys are updated to a good password.
> >> Make sure that you change it regularly (The Ron Popeil "Set it and forget
> >> it" method of security is not good). Also don't put important financial data
> >> over wireless. I also would make sure to not piss off anyone with $20,000 in
> >> top of the line nvidia graphics cards.
> >> Thanks,
> >> Arron
> >>
> >>
> >> On Mon, Oct 13, 2008 at 9:46 AM, Mark Riedesel <mriedesel@gmail.com> wrote:
> >>>
> >>> Those ingenious Russians. I plan to be there!
> >>>
> >>> On Mon, Oct 13, 2008 at 9:18 AM, agamotto <agamotto@sbcglobal.net> wrote:
> >>>>
> >>>> I read last night that apparently gfx cards can now be used to
> >>>> hack WEP and WPA networks with relative ease. Anyone coming to the meeting
> >>>> tomorrow care to discuss setting up a VPN with the usual DSL or Cable
> >>>> router/modem setup? I am a bit confused as to where the VPN sits in terms
> >>>> of setup.
> >>>>
> >>>> I figured this might be a good discussion topic!
> >>>>
> >>>> _______________________________________________
> >>>> QCLUG mailing list
> >>>> QCLUG@qclug.org
> >>>> http://qclug.org/mailman/listinfo/qclug
> >>>
> >>
> >>
> >>
> >> --
> >> From:
> >> Arron James Lorenz
> >> Reel to Reel Drive In
> >> http://www.DavenportDriveIn.com
> >> 563-579-7046
Dave Bergert
dbergert@gmail.com
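
Added example (not part of any message in this thread): the thread's point that WPA-PSK cracking is brute force bounded by passphrase strength, shown with the standard PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and a keyspace estimate for the two passphrases quoted above. The baseline guess rate and the sample SSID are assumptions made up for illustration; the 100-fold factor is the figure quoted from the article.

```python
import hashlib
import math
import string

BASELINE_GUESSES_PER_SEC = 1_000   # assumption: round number for one CPU, not a benchmark
GPU_SPEEDUP = 100                  # the "100-fold increase" quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    # The SSID is the salt, so precomputed tables only apply to one network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_size(passphrase: str) -> int:
    """Size of the smallest common character pool that covers the passphrase."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation, " ")
    return sum(len(pool) for pool in pools if any(c in pool for c in passphrase))

def keyspace_bits(passphrase: str) -> float:
    """Bits of search space if every character is drawn from that pool."""
    return len(passphrase) * math.log2(charset_size(passphrase))

def years_to_exhaust(passphrase: str, guesses_per_sec: float) -> float:
    """Worst-case exhaustive search time; dictionary words fall far sooner."""
    keyspace = charset_size(passphrase) ** len(passphrase)
    return keyspace / guesses_per_sec / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Sample SSID is constructed; the two passphrases are the ones from the thread.
    print(wpa_psk_pmk("abcd1234", "example-ssid").hex())
    for pw in ("abcd1234", "a^b#c$d*1.2,3?4"):
        cpu = years_to_exhaust(pw, BASELINE_GUESSES_PER_SEC)
        gpu = years_to_exhaust(pw, BASELINE_GUESSES_PER_SEC * GPU_SPEEDUP)
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, {cpu:.3g} y CPU, {gpu:.3g} y GPU")
```

Under these assumed rates the short passphrase drops from decades to under a year with the 100-fold speedup, while the 15-character one stays far out of reach either way.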