Wi-Fi is everywhere, everything is on Wi-Fi now, phones, tablets, laptops, even home PCs, game consoles, smart devices (IoT), sensors etc. The security of WiFI is imperative, and has been entrusted to the WPA2 protocol. For that protocol, thus far all exploits have been connected to guessing the security key (hence reliant on customers having a weak key) or surrounding technologies (WPS for example) or older implementation such as the TKIP.
None of them were successful against a strong security-minded implementation.
Until today.
The attack – high-level breakdown of how the attack works and which devices are affected
An extremely interesting paper was released (16th October 2017) by its author, Mathy Vanhoef, this paper would rock the world of Wi-Fi as shines light on how to exploit the WPA2 protocol in such a way as to be able to decrypt the user data.
How does the attack work?
The attack does not allow the attacker to join the protected WiFi, nor does it break the encryption key. The attack is focused on the management plane in the WPA2, more precisely on 4-way handshake exchange during the client join. It is achieved by manipulating and replaying handshake messages. By replaying message 3 of the handshake the attacker has the ability reinstall an already used nonce instead of a fresh key (a replay is allowed by the protocol because messages can be lost due to low signal etc). To guarantee security, an encryption key combination (key+nonce) should be used only once, then different versions of it (different nonce) should be used. Reusing the same key and nonce allows the attacker to derive the keystream, which combined with knowing a portion of the data that is encrypted and the already encrypted data, is enough to decrypt the rest of the data.
The attacker is positioning himself/herself in the middle of the handshake between the AP and the client by using a spoofed WiFI SSID with same name and making the client join his SSID by advising him to switch channels (hence the attack works best if the client has stronger signal to the attacker than to the legit AP). Only when this man-in-the-middle is completed can the attacker manipulate this handshake (as described above) and starting decrypting what the user sends.
Who is affected? – Practically every Wi-Fi enabled client, as again this is an attack towards the WPA2 protocol itself which all vendors needed to follow in their implementations, so this is not a scenario when the exploit is possible due to bugs in the code.
Android and Linux are the ones that are easier to compromise to the fact they mostly (41% of the devices out there) use wpa supplicant version 2.4. With them the code developers have followed a WPA2 standard advice to delete the nonce after its use so when the replay of message 3 happens the nonce that is used is comprised only from zeros making it trivial to decrypt. Further finding from the same author describe the possibility for that attack to work (with few changes) also towards wpa_supplicant 2.6 and iOS and freeBSD clients. This latest update brings the percentage of vulnerable supplicant to a very high number (as the author states, if you have a phone it is most likely vulnerable).
Impact:
We are sending out massive amount of sensitive data using Wi-Fi these days. Username and passwords are just the start, but credit card information, personal IDs, emails, private pictures etc. I guess nobody wants that data to be shared and read by others. Furthermore, the top choice device for many of these, is your smart phone, which in fact is the most vulnerable type of client device (see Conclusions chapter below).
So, what is next?
Do we go back to WPA or WEP or wait for WPA3?
Answer is no, WPA is also vulnerable and WEP is even less secure, WPA2 can be amended (both as a protocol and as implementation in software) and will continue to be used. It is recommended that WPA2 with CCMP is used, as TKIP and GCMP are even easier to break and attackers can not only listen to data but also manipulate data so malware can be injected into the traffic.
How to protect ourselves
Only the software update can mitigate this attack. Keep a close eye to the vendor announcement and patch as soon as they release the security patch for this exploit. Some of the patches may be silently releases and installed on your devices but please make sure you have them.
Actions like changing your PSK password and such do not make any difference (remember, the attack does not reveal this password nor lets the attacker join your network).
Deploy additional levels of encryption that is independent of the WPA2, such as SSL/TLS or IPSec. In the example on the krackattack page, they were only able to read the data from the web site after striping the SSL from it which in fact is a misconfiguration on the website itself.
Conclusion
The current threat is obviously for the end devices, not the infrastructure devices (APs etc). I expect that Microsoft, Apple and other commercial major OS vendors will react very fast and will silently patch (if they have not done so already). That would be sufficient for laptops and PCs with enabled Wi-Fi. A bigger problem will be for smart phone users, every Android vendor (Samsung, HTC etc) dictates its patching schedules, so I am not expecting a fast reaction from them. Apple runs its own devices so I expect faster reaction.
Having put the spotlight on client devices and not infrastructure, it is mandatory to mention that this new type of attack and the sure-to-come spin-offs from it will lead to new attacks towards infrastructure devices.
Cisco has numerous products that are found vulnerable and still investigating many more for that possibility.
Related materials:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
Assessing the needs of MSPs, integrators and other organisations and the challenges they face when sourcing quality third-party professional project and technical services for Cisco technologies
Managed services businesses that provide project support and professional and technical services for Cisco technology solutions in the UK face significant challenges in meeting customer expectations, and at the same time, recruiting, training and retaining good quality Cisco-qualified personnel.
Many of these organisations will be focused managed services providers (MSP) and / or active Cisco systems integrator and value-added reseller partners. Others will be facilities management (FM) companies, or specialist third party organisations or consultants who get involved with project planning and delivery. The IT departments of end-user organisations may also be responsible for providing these services.
Whatever their exact position in the marketplace, these businesses and organisations share the same challenges with regard to Cisco technical services delivery, and frequently need to call on the services of third-party organisations to fill the gaps in their own resource and capabilities.
While this would seem to be an easy and sensible way to address the problem, using external suppliers also brings its own issues and MSPs, Cisco integrators and other organisations making use of third-party services will often find themselves frustrated because they can’t get the quality or levels of services they need, when they need them, and at a price they are happy to pay.
This report examines these needs and challenges and explores some of the potential responses MSPs, integrators, consultants, end-user organisations and other businesses might be able to take to improve satisfaction levels with external providers.
In most ways, the telecommunications revolution of the last few decades has made the world a much smaller place – but not necessarily for those who work in the industry.
Where before being based on an offshore platform or a remote research station was an isolating experience that removed workers from normal life for weeks or months on end, now they can do their Christmas shopping between shifts. And a job that may once have involved travelling for days at a time to collect research or meet colleagues can now be done without leaving the sofa at home.
But many aspects of telecoms and ICT have got more complicated, and some jobs still need to be done in person. Ironically, one of those jobs is often setting up the very systems that make the highly connected, no-need-to-get-off-the-couch world possible. And this can present real difficulties for firms who don’t have the scale to make engineers available across wide geographical areas.
Back in the early 1980s, all things telecom in the UK were run by one firm, BT – or British Telecom as it called itself back then. Its privatisation and subsequent industry deregulation gradually opened up a vast and rapidly growing market to hundreds of ambitious smaller players, even though the old state monopoly remained a domineering presence. Many thrived on sub-contracts from BT itself, while another huge industry grew up around the ICT infrastructure being built by every sector of the economy to take advantage of the communications revolution.
But whereas there was once always a BT engineer almost on every street corner, these smaller firms face the difficulty of finding suitable support staff to reach all geographies to which they are committed. For UK firms playing a leading role installing technology for global industries such as oil and gas, finance or law, this can mean having to reach dozens of countries in order to fulfil a contract.
At the same time, the technology itself has also got more complicated, and aspects have become very specialised, meaning that suitable skills can be very thin on the ground. For Cisco engineers, for example, the highest CCIE level of specialist can include no more than a couple of hundred certified engineers in each category, spread across the world.
Recent reports have focused on a shortage of security specialists, and the six figure salaries that firms are having to pay to secure their services. Undoubtedly, rising awareness of the threat from cyber crime means that security experts are in huge demand, and the crisis is particularly acute. But in fact some of the other top disciplines are also experiencing rocketing demand, such is the key nature of Cisco networks to most industries these days.
Whether you are looking for a CCIE specialist in Security, Wireless, or Routing and Switching, you will find it hard to get their attention, and not just because they are usually engrossed in learning more about these fascinating technologies. Should a company wish to directly employ an expert in each of half a dozen specialities, its IT budget will swell by more than half a million pounds a year.
This is where outsourcing comes into its own, as even relatively small firms are able to offer a comprehensive service to their clients thanks to our full UK coverage of Cisco engineers, and our international Cisco resource.
The general benefits to business of outsourcing specialist services are well documented /LINK, and naturally these apply for network engineers too. You will reduce risk, control capital costs and be free to concentrate on your core business. But the nature of a white label service goes further and gives even greater advantages.
Any client firm can confidently claim that it can get a specialist engineer to any part of the UK, at any time of day or night, every day of the year. This allows them to bid on a range of contracts that would otherwise be prohibitive, potentially undercutting and out-competing larger rivals that employ a smaller range of Cisco-certified staff in-house. The ultimate client is also a winner, benefiting from a high quality of service – and of course they need never know that engineers were sub-contracted in.
Many VAR’s, Channel Partners and MSP’s are responsible for allocating the correct technical resource to monitor and manage their client’s IT Networks. Do they hire an external Cisco Network Engineer or allocate an in-house generalist IT Administrator?
IT Experts and Network experts have distinct specialisms and require the application of a significantly unique set of skills. IT Administrators tend to a multitude of IT duties ranging from desktop support to software installation & configuration. Cisco Network Engineers on the other hand are more specialised with typical duties ranging from VPN tunnelling to intricate network designs.
Organisations can be reluctant to hiring external experts as they prefer to assign generalist in-house IT staff to attempt complex networking tasks, often to the detriment to the end client.
Limited Internal Resources
Ask an IT/Systems Administrator for almost any VAR, MSP or Channel Partner what their duties are, and their answer will be “Everything!” They need to monitor & fix, software & hardware, back up data, enhance performance, security, storage and the list goes on. Internal IT & Engineering Departments are generally lacking in specific IT specialist functions. It would sink many businesses to the bottom of the ocean if they had experts in Cisco, Juniper, F5, Microsoft, Dell and Citrix who all need regular work. Not only do you need vendor specialists, you also need to have them situated in every single country where your clients are located.
It is therefore imperative to realise the limitations of the technical resources you have at your disposal in-house. You can hire an external expert in Cisco Networks or you can muddle along with what you have.
The Problem with Muddling Along
Round pegs fit into square pegs no problem, but they don’t stay there as the wrong tool has been used for the job. Holding your extremely expensive network together with sticky tape and a few short term fixes may solve an immediate problem, but it will simply add to the magnitude of problems brewing underneath those sub-standard fixes.
Systems administrators or IT generalists may be able to maintain and manage basic network functions, but complex configurations and designs MUST be left to the experts. If you need a CCNP Wireless, then hire one, if you need a CCIE Security, hire one. Prices from one Cisco Engineer to another varies depending on individual skill sets and market experience, where that experience should not be underestimated or undervalued. Technical couriers are often hired by organisations instead of paying the market price for a CCNA Engineer in an effort to minimise the cost of technical resourcing.
Muddling along might save you a penny or two in the short-term, but if I was your client, I certainly wouldn’t be satisfied that my critical business problems are solved with inferior solutions. Clients pay a premium price to have their networks maintained and managed, subsequently only premium solutions will suffice.
Quality of Service
Cisco certifications are highly regarded by Enterprise organisations, VAR’s, MSP’s & Channel Resellers, yet lower prices too often take precedence over quality of service. Cisco hardware is the backbone of all networks in almost every Enterprise organisation, which requires the application of Cisco best practises at all times to guarantee quality and continuity of service.
Here I’ll be bold and hail Cisco Certified Engineers as the best the market has to offer, no other certification comes close. When a CCNA or CCIE Engineer is assigned to complete a specific Network task there is no other IT Expert or Technician more qualified, experienced or skilled to successfully do so: round pegs for round holes.
By allocating anything other than a Cisco Certified Engineer to tackle a Cisco Network task is prioritising price over quality of service delivered. Cisco experts may be more expensive than the cheaper in-house generalist option, but if you think experts are expensive, wait and see how much amateurs cost you.
Can you imagine being a Female Network Engineer? Experiencing wolf whistles daily, earning far less than male counterparts and making the cups of tea – Well, sorry to disappoint but this simply isn’t true. Women can rack, stack and mount just like any other male Cisco Network Engineer and are generally treated just like any other Engineer. I wanted to cause a stir with this blog by highlighting the gulf between male and female Engineers, but despite some vocal opinion in social media circles, I found more equality than inequality.
An interview with Female Cisco Network Engineer Christine Bowman-Jones (CCNA R&S) was conducted to gain a deeper understanding of a day in the life of a female Cisco Network Engineer.
What or who was your inspiration to become a Network Engineer?
I was currently undertaking a PC maintenance course whilst working in a call centre. I have always enjoyed technology and decided a career change was needed. When the course was coming to the end, a lecturer – Mike Fitzgerald came into our class to give a talk on a foundation degree – Network Security Technologies. I found the talk captivating and the enthusiasm given by Mike was inspiring. I owe the path taken to Mike Fitzgerald, he was my true inspiration and gave me the knowledge and determination to succeed.
How many females did you have in your University/CCNA Classes?
When I first started my foundation degree there was one other female, however after a few weeks this female left the course, and then I became the sole female.
What skills/qualities do you think women need to become a Network Engineering Professional?
You need to work hard, the same as a male, you need to commit long hours to studying to learn your craft, you need determination as the path is not an easy one, however I would not say this is due to discrimination, although there is always that judgement in the background that you are a women initially.
Were there any groups or organisations to provide support for women in IT or women studying IT in the UK?
Not that I am aware of, however I never investigated this path.
Can you provide an example of when you’ve been treated differently to your male counterparts? If not, do you feel you’re treated as an equal by clients and fellow Cisco Network Engineers?
During my time at University I always felt like I was treated equally, in the workplace I rarely encounter other Cisco Network Engineers, however when I do I have never had an issue. I think you always get that initial 10 minutes whilst they get used to you being a female, however I really don’t see it as an issue.
When clients see a woman turning up on site to rack and mount, do you feel you’re being judged more than men, and why?
I have always enjoyed the surprised look by clients when a woman does turn up on site to rack and mount, and I don’t think women will ever escape that. I always get the offer of them carrying something for me etc., but I don’t see that as an issue, in fact quite enjoy it sometimes, however I never take them up on it.
Why do you think there are such small numbers of female Network Engineers or IT In general?
It can be an intimidating environment, and sometimes you do need a thick skin from the jokes. However once you gain that respect it doesn’t become an issue.
What would be your words of advice to young aspiring female Network Engineers?
I would say it will always be a male dominated environment and you have to be prepared for that. My advice is to be the best you can be, learn as much as possible, and know in yourself the abilities you have, and then you will achieve respect within the industry.
Starting your own business can be daunting, what gave you the confidence to pursue starting your own business?
I was working as a project manager with the threat of redundancy, not really undertaking a great deal of networking etc., the threat became real, and I thought to myself that I want to prove myself as an Engineer and had nothing to lose. I have never worked so hard in my life, however find it rewarding, and it’s that satisfaction that makes me carry on.
You’re currently CCNA R&S, what Cisco exams are next for you and why do you want to pursue this area in your career?
I am currently looking to complete my CCNP R&S, I have completed the routing exam and looking to undertake the switching exam shortly. I will look to become fully CCNP certified hopefully by the end of next year. I enjoy Cisco networking and get a great deal of satisfaction and enjoyment out of it, I always enjoy learning new skills and developing existing skills.
Your quality of service and onsite professionalism is an area we understand many end-clients take the time to compliment you on – explain why your quality of service is exceptional?
My company reputation is the most important part for me, I will endeavour to complete a job 100% to my ability, I will always go above and beyond for a client and ensure they are happy when I leave site. I am always eager to wow a client and treat them with respect, return work and future projects are imperative for the survival of any company.
Conclusion
Full equality between male and female Engineers doesn’t exist yet, and it may never be the utopian vision some people crave. As Christine testified to in her interview, she sometimes works in an “intimidating environment” which is “male dominated” and where women need to have a “thick skin from the jokes”, but most importantly Christine feels like she is always “treated equally” in her job.
Equality, anti-discrimination and HR legislation exist to prevent Engineers like Christine from enduring inequality, yet it still exists. Some women may be intimidated to enter into a traditionally “male dominated environment” but unless more women challenge this “norm” then the landscape will never change.
In the UK alone, a mere 16% of the IT workforce are female and only 8% are Engineers – bleak statistics indeed, but the future looks bright for women in IT with the rise of several prominent women in key positions within top companies.
Attitudes and current cultures need to change; men and women in the field of ICT need to challenge antiquated norms, challenge male-orientated environments and place just as much trust in a female in ICT as we do in males. A greater balance between males and females in key Technology and Board room positions help to:
Potential employers of female IT Engineers shouldn’t employ more women because they’re women, it should be done with the foresight of improving your business and fostering innovation. When a male IT Engineer turns up to a client for a job nobody blinks, when the Engineer is female everyone is watching – a woman with a screwdriver here to rack and mount? Then, when the female performs to an identical level of standards as the man, it is the female who will get the plaudits from the client – why, because they stood out. Make female Engineers a key strength of your company, stand out from your competitors and create a competitive advantage – pink screwdrivers work the same as black ones, but one catches the eye more.
Marissa Mayer – CEO Yahoo
In 1999 Marissa joined a young Google as employee number 20 and more significantly as their 1st ever female Engineer. For the next 13 years, Mayer climbed the ranks of Google heading the Google mentorship programme, multi-million dollar acquisitions and Google maps.
At just 37 years young, Mayer was appointed CEO of Googles fierce rivals Yahoo and has since been named in Fortune & Forbes list of the Most Powerful Women in Business in the world, and holding her own against the men to become number 10 as Business Person of the Year.
Rebecca Jacoby – CIO Cisco
For the past 20 years, Rebecca Jacoby has risen through the ranks at networking equipment giant Cisco and has been CIO & Senior Vice President since 2006. A founding member of the Technology Business Management Council, Rebecca is at the forefront of progressive technology. Considering Jacoby started her career in manufacturing and supply chain, she’s an inspiration to any gender working at Cisco, Network Engineering or in Technology.
In a recent interview with David Weldon of FierceCIO, Rebecca quoted “in my career I liked being involved in transformation. I always got the most out of jobs when I was asked to go in and make change and keep driving change.” Somewhat ironic that transformation is the key driving technological innovation and likewise, in this blog post with transformation being the key to creating a gender balance in Network Engineering, ICT and business.
Cisco
Girls in ICT day is a CSR programme where Cisco employees engage with 13-18 year old girls aspiring to work in the field of ICT. In 2015 over 3,000 students attended, up from 2,331 in 2014 proving the success of reaching out to females at a young age.
Culture
The problems of having such a paltry amount of female Network Engineers & ICT isn’t so much a failure within existing businesses, but more of a wide-spread ignorance. If there are more prominent female Engineers, CIO’s and CTO’s then more young girls will see a future for themselves in a traditionally male-orientated role. Zeus Kerravala, Founder & Principal Analyst with the ZK Research says there is a lack of skilled Network Engineers, especially in Wireless, Voice & Security. Therefore there are jobs to fill as Network Engineers – jobs that women can fill if given the chance.
If you’re a female Engineer what barriers have you had to face in ICT? If you’re an employer what’s your opinion on the lack or rise of female Engineers? All comments are warmly welcomed.
