Wireless, NAC holes on display at Black Hat

Hacker confab still in the swing of things following ’05 drama

One year after an ISS researcher’s presentation set off a press firestorm, the Black Hat Briefings Conference in Las Vegas was back to its old form last week: poking holes in enterprise sacred cows such as NAC (network access control) and wireless technology.

Participants demonstrated widespread flaws in wireless device drivers and pointed out holes in common NAC technology to crowded halls. Attendance at this year’s conference was up 30 percent from last year, when researcher Michael Lynn stole the show for revealing a flaw in Cisco’s IOS operating system.

This year, one of Lynn’s former colleagues at ISS provided one of the more notable presentations of the show, demonstrating a zero-day hole in wireless device drivers for an Apple laptop that could allow a hacker to seize control of the system.

Dave Maynor, a senior security researcher at SecureWorks, who worked at ISS until just one month ago, and Jon Elch (aka “Johnny Cache”) played a video showing a MacBook being owned through an exploit of device drivers for an unnamed third-party wireless card. Although the researchers refused to name names -- pending a patch from the vendor -- IT should be aware that vulnerabilities can lurk in device drivers for wireless gear.

Wi-Fi exploits will be even more dangerous when wireless devices increase their range from a couple hundred feet to a mile or more in the coming years, Maynor told InfoWorld.

NAC technology from Cisco, Symantec, and other vendors also came under scrutiny.

Ofir Arkin of Insightix raised questions about the efficacy of NAC technologies, saying that the current generation of NAC solutions is riddled with holes.

For example, NAC solutions that work DHCP (Dynamic Host Configuration Protocol) proxy servers, which are deployed in between a DHCP server and a LAN, offer little protection from machines that obtain static IP addresses for their network connections, rather than using DHCP. That makes significant portions of enterprise networks invisible to the NAC access control products, Arkin said.

NAC solutions that enforce access through network switches, such as Cisco Systems’ Network Admission Control, were also cited as having weaknesses. For example, Cisco’s NAC technology is specific to its switches and routers, but enterprises often use a mixture of switching and routing gear. Hackers can find their way into an enterprise network simply by finding and connecting through a unmanaged switch, Arkin said.

In an interview with InfoWorld, Cisco CSO John Stewart said NAC is in its infancy and has a ways to go before it will provide comprehensive security, but added that wasn’t a reason not to adopt it.

“The technology’s immature. But [NAC] will increase my capability to keep my network in good condition,” Stewart said.

It’s inherently going to be found that there are weaknesses, Stewart said. “But I think that’s the wrong thing to focus on. We want to address the weaknesses but focus on the benefits.”