[Dshield] Wireless broadcasts

Willy, Andrew AWilly at eSMIL.net
Wed Jun 29 02:11:48 GMT 2005


The broadcasts included spanning tree packets and ARPs.  

WEP was being used -- something that will be rectified.  However, since
these are appearing, forgive the term, pre-encryption, does it matter if it
is WEP or WPA?

I'm suspicious that despite my efforts somehow it was not a valid test.  I
had disconnected from the WAP (removing previous settings to ensure I was
listening to only what was available without a key exchange), and disabled
IP on the interface (like I've done for IDS sensors).  Is this a fair
experiment?  

To refine the question, if a war-driver parked outside our offices, what
traffic is normal for him to listen in on plain-text, if any, without first
going through the effort (yes, WEP, a few minutes) of breaking the
encryption? 

Sorry again for the elementary questions.

Thank you,

Andrew

-----Original Message-----
From: Michael Cox [mailto:mscox at ti.com]
Sent: Tuesday, June 28, 2005 9:51 AM
To: AWilly at esmil.net
Subject: Re: [Dshield] Wireless broadcasts


My understanding:

Some broadcast traffic, e.g. some 802.11 protocol packets, must be sent
in the clear for clients to be able to communicate to the point that key
exchange can occur.

Once the key(s) are set up, broadcast traffic such as ARPs should be
encrypted.

With plain ol' WEP, the same key is used for all unicast and non-unicast
packets.

With the various EAP types that offer per session keying, there are
separate unicast (unique for each client) and non-unicast (shared by all
clients) keys.

Examples of the plaintext broadcasts you are seeing would probably clear
this up.

Regards,
Michael Cox
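
Added example, not part of the original thread: a small Python audit helper for the question discussed above. It reads the type/subtype and the Protected Frame bit from each frame's 802.11 frame control field and singles out group-addressed data frames sent without encryption. It assumes each frame starts at the 802.11 MAC header (any radiotap or Prism capture header already stripped); the function names, addresses and sample frames are constructed for illustration.

```python
from collections import Counter

PROTECTED = 0x40  # Protected Frame bit in the second frame-control octet
TYPES = {0: "management", 1: "control", 2: "data"}

def classify(frame: bytes) -> str:
    """Classify one 802.11 frame given from the MAC header onward."""
    if len(frame) < 10:              # frame control + duration + address 1
        return "truncated"
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:                   # management/control: reported by type only
        return TYPES.get(ftype, "reserved")
    if subtype & 0x4:                # Null-function subtypes carry no frame body
        return "data-null"
    scope = "group" if frame[4] & 0x01 else "unicast"   # group bit of address 1
    state = "protected" if flags & PROTECTED else "CLEARTEXT"
    return f"data-{scope}-{state}"

def summarize(frames) -> Counter:
    """Count frames per class so cleartext data stands out in a capture."""
    return Counter(classify(f) for f in frames)

def hdr(fc0: int, flags: int, addr1: bytes, rest: bytes = b"") -> bytes:
    """Build a constructed header: frame control, zero duration, addresses."""
    return bytes([fc0, flags, 0, 0]) + addr1 + rest

# Constructed sample frames (locally administered MACs, not from a real capture)
BCAST = b"\xff" * 6
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
SEQ = b"\x00\x00"
SAMPLE = [
    hdr(0x80, 0x00, BCAST, AP + AP + SEQ),    # beacon
    hdr(0xD4, 0x00, STA),                     # ACK
    hdr(0x08, 0x41, AP, STA + BCAST + SEQ),   # station to AP, protected
    hdr(0x08, 0x42, BCAST, AP + STA + SEQ),   # AP broadcast, protected
    hdr(0x08, 0x02, BCAST, AP + AP + SEQ),    # AP broadcast, not protected
    hdr(0x48, 0x01, AP, STA + AP + SEQ),      # Null function (power save)
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE).items()):
        print(f"{count:3d}  {kind}")
```

Any `data-group-CLEARTEXT` count above zero on a network that is supposed to be encrypted is the case worth investigating at the access point.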



