  Mikey110
| Wireless proven insecure
»www.theregister.co.uk/2008/10/10···hacking/
Elcomsoft and off the shelf hardware can crack wireless in minutes.
VPN here I come. |
|
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| I wonder how long the passphrases are that are being cracked? I use a 63-character random ASCII key for example and WPA2-PSK [AES] on my home wireless network. -- "When all else fails, read the instructions..." MS-MVP Windows Desktop User Experience |
|
  Cudni La Merma - La Guerrilla Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
| reply to Mikey110 also on the site news »Using GPUs To Speed Up WPA Hacks
Yes, it would be interesting to know how long the passphrase is (unless they uncovered some vulnerability). Their password guessing software is good, but if the password is long and complex then no chance of getting it quickly.
Cudni -- "what we know we know the same, what we don't know, we don't know it differently." Help yourself so God can help you. Microsoft MVP, 2006 - 2008 |
|
  Alphanet
join:2001-12-24 U.K.
| reply to Mikey110 From the Elcomsoft website
"NVIDIA GPU acceleration (patent pending) reduces password recovery time by a factor of 20"
So for a big WPA key that is still a VERY LONG time
"Linear scalability with no overhead allows using up to 10,000 workstation without performance drop-off"
So you put 10,000 workstations on line, it's still going to take a very long time. |
|
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to Mikey110 I would like to see some actual numbers relating passphrase strength to crack time for WPA.
BTW, if anyone, anywhere, at any time starts using any of those encryption methods for DRM - this software suddenly becomes illegal in the US! Such is the perversity of the DMCA. |
|
  Alphanet
join:2001-12-24 U.K.
| Well, let's assume we are using a pass-phrase made by picking characters from a selection of 100 (although it could be up to 256), and assume a key length of 50 characters (could be up to 63).
Assuming we can try to brute force at a rate of 1 million pass phrases per second (very optimistic as it is a very processor intensive task).
Number of seconds in a year = 60*60*24*365 = 31536000 (say 30 million)
so we can try 30 * 10 ^12 keys per year
if we have a key length of one character choosing from a set of 100 we have 100 combinations
key length 2 = 100 * 100 combinations = 100 ^2
key length 3 = 100 * 100 * 100 = 100 ^3
key length 50 = 100 ^50
so to try every combination it's 100 ^50 / 3 * 10 ^12 YEARS
= 10 * 10 ^50 / 3 * 10 ^12
= 3 * 10 ^ 38 years - a VERY long time
Now assume we use 50,000 workstations and the improvement of 20 they claim that would improve the situation by a factor of 1 million so it would still take 3 * 10^32 years
That's 3 with 32 0's after it, the Earth won't last anything like that long before the sun goes supernova - it's a LONG TIME |
|
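The estimate discussed in the post above, as an added example that is not part of any poster's message: it computes exhaustive-search time for a random passphrase from the thread's assumptions (100 symbols, 1 million guesses per second, 50,000 workstations, a factor-of-20 speedup) and finds the shortest length that outlasts a chosen number of years. The PBKDF2-HMAC-SHA1 derivation with 4096 iterations is the standard WPA/WPA2-PSK key derivation, not something stated in the thread; function names, the sample SSID and the sample passphrases are constructed for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 60 * 60 * 24 * 365  # 31,536,000, the figure used in the post

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output. This is the cost paid per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def years_to_exhaust(charset, length, guesses_per_sec, workstations=1, speedup=1):
    """Years to try every passphrase of `length` symbols from `charset` choices."""
    rate = guesses_per_sec * workstations * speedup
    return charset ** length / (rate * SECONDS_PER_YEAR)

def min_length(charset, guesses_per_sec, workstations, speedup, target_years):
    """Shortest valid WPA passphrase (8 to 63 characters) whose full keyspace
    takes at least `target_years` to search; None if even 63 is too short."""
    for length in range(8, 64):
        if years_to_exhaust(charset, length, guesses_per_sec,
                            workstations, speedup) >= target_years:
            return length
    return None

def local_rate(samples=5):
    """Measure PSK derivations per second on this machine (single thread)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"constructed-sample-{i}", "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    print(f"local derivations/sec: {local_rate():.0f}")
    # Thread's assumptions: 100 symbols, 1 million guesses/sec,
    # then 50,000 workstations with the claimed factor-of-20 speedup.
    for length in (8, 12, 20, 50, 63):
        single = years_to_exhaust(100, length, 10**6)
        farm = years_to_exhaust(100, length, 10**6, 50_000, 20)
        print(f"{length:>2} chars: {single:.2e} years alone, {farm:.2e} with the farm")
    print("shortest length for 1000 years vs the farm:",
          min_length(100, 10**6, 50_000, 20, 1000))
```

The estimate applies only to passphrases chosen uniformly at random; a dictionary word or a short phrase falls to a far smaller search than the full keyspace.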
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
| reply to Mikey110 If the encrypting algorithm is sound, it all depends on the randomness and length of the key. Use a short or a language-based key, and it's more likely to get compromised sooner than later. The Elcomsoft software simply speeds up the bruteforcing process by a factor of 20-100 when using 'ordinary' computers to do the analysis.
The 'big boys' already have their own specialized gear and software, though I'm sure they're always open to considering Elcomsoft's offerings (or similar) for whatever they're worth... -- If God wanted us to work with electrons, He'd make them big enough to see... |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI
| reply to Mikey110 The baseline time is pretty much unstated. And what really makes you think that a VPN would not be subject to the same issue here?  -- Ubuntu MOTU Developer and Forums Council |
|
  Its a Secret Rabidly yours Premium join:2008-02-23 Kelowna, BC
·Shaw
| reply to SoonerAl I'm with SoonerAl on this, and use the same thing. I'm thinking it would take quite a while to crack it. Besides, you'd have to be pretty desperate to crack me when there are a few unsecured networks around me. The path of least resistance works best for most people. -- "In the future, that which is not mandatory will be illegal" |
|
  jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI
| said by Its a Secret : I'm with SoonerAl on this, and use the same thing. I'm thinking it would take quite a while to crack it. Besides, you'd have to be pretty desperate to crack me when there are a few unsecured networks around me. The path of least resistance works best for most people.
Well, more of whether or not there's something interesting on your network. At one of my employers, their company wifi used WPA2-AES to get you into a dummy 172. net, and then you had to Cisco VPN to the default gateway and authenticate via pubkey certificate to gain access to the proxy server, then go through the proxy server with a correct Active Directory logon to gain internet access. -- Ubuntu MOTU Developer and Forums Council |
|
  JustSpam
@qwest.net
| reply to Mikey110 Just what we need - another mindless piece of spam in the form of an article stating the obvious -
1. Weak keys are susceptible to brute force attacks
2. The more HW you throw at the brute force attack the faster it discovers the encryption key.
Nothing new and certainly nothing specific to wireless. |
|
  GetReal
@qwest.net | reply to Mikey110 quote: VPN here I come.
Yea. Like the pre-shared key used in most VPNs isn't vulnerable to a brute force attack.  |
|
 quatrix
join:2005-02-11 Davie, FL
| reply to Mikey110 Paranoia here you come. Do you really think someone's interested in hacking encrypted wireless when there are lots of easier targets? |
|
  Jahntassa What, I can have feathers
join:2006-04-14 Conway, SC
| reply to Mikey110 And as usual..how much of what you're doing in that Wi-fi network is going to the internet? How secure is that?
And never mind the fact that nobody is going to care enough to spend time cracking into my network when there are plenty of other targets. |
|
 Reimer
join:2006-08-14 Toronto, ON
| reply to quatrix
said by quatrix : Paranoia here you come. Do you really think someone's interested in hacking encrypted wireless when there are lots of easier targets?
Of course. Why wouldn't they? If someone has the know-how and is capable of it, I would bet they would put that knowledge to use, regardless of how many alternative open networks there are.
Maybe the encrypted network has a better signal... maybe it's a faster connection.. |
|
 james
join:2001-02-26 antarctica | reply to Mikey110 Wireless proven insecure? Perhaps it should look into therapy. |
|
  Its a Secret Rabidly yours Premium join:2008-02-23 Kelowna, BC
·Shaw
| reply to Reimer
said by Reimer : Maybe the encrypted network has a better signal... maybe it's a faster connection..
If you want to try to crack my network, feel free. I think you'll get a wee bit frustrated... -- "In the future, that which is not mandatory will be illegal" |
|
 slajoh01
join:2005-04-23 | I run my laptop with wireless WPA2.
But my PC, where I keep all of my sensitive data, is always wired... |
|
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to Jahntassa
said by Jahntassa : ... nobody is going to care enough to spend time cracking into my network when there are plenty of other targets.
That's true of the wardriving hackers who won't even have this new, expensive commercial software. The use case for this new technique is a well-funded organization taking a special interest in a particular target.
Yes, it's sold as a "recovery" utility, but snooping on networks believed to contain something valuable is the likely scenario. |
|
 Uncomm0n
join:2005-04-21 Centreville, VA
| reply to Mikey110 This article is wrong. The only thing they hacked or cracked was a weak passphrase and nothing more. You show me a program that can crack a random 63 character passphrase in WPA2 mode and then I might be a little bit worried...then I will use VPN on my home network. |
|