Wireless Security
WEP, WPA, and now WPA 2 (old news - 12:53PM Saturday Feb 07 2004) tags: wireless · hardware
The next generation of wireless security (WPA) was supposed to be worlds better than existing technology (WEP), but wrinkles still remain. This week the Wi-Fi Alliance announced that while 175 products were now certified compatible with WPA, they'll be offering the next generation (WPA2) later this year. While some argue wireless is never truly secure, WEP (Wired Equivalent Privacy) was considered downright feeble by many users, who were eager for something meatier like WPA (Wi-Fi Protected Access).
That's not to say WPA (an interim version of 802.11i) isn't susceptible to old, familiar problems. Wireless security expert Robert Moskowitz last fall tried to temper enthusiasm over WPA, posting his latest WPA research over at Wi-Fi Networking News. Moskowitz explored how the overly simplified interface used to let users select passphrases makes it easy for intruders to sniff traffic and perform offline dictionary attacks. This is not a problem with WPA itself; the responsibility rests with hardware manufacturers, who allow users to enter weak keys. "Vendors have, in the large part, let the user community down," says Moskowitz, who suggests that passphrases with 20 or more characters are likely to be immune to the attacks.
According to Security Focus and Internet News, WPA 2 should pop up sometime this year. Wi-Fi Networking News has a good exploration and breakdown of the different standards as well as what improvements can be found in WPA 2.
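The passphrase weakness the article describes comes from how WPA turns a passphrase into a key: every input except the passphrase is public. The following is an added example, not code from the article or from Moskowitz's paper; it derives the 256-bit pre-shared key as 802.11i specifies and audits a passphrase against the 20-character guidance quoted above. The word list, the sample passphrases and the function names are constructed for illustration.

```python
import hashlib
import string

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA pre-shared key: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 32 bytes of output (802.11i passphrase mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

# Constructed sample list; a real audit would load a much larger one.
COMMON_WORDS = {"password", "linksys", "wireless", "letmein", "default"}

def audit_passphrase(passphrase: str, wordlist=COMMON_WORDS, min_len: int = 20):
    """Return a list of findings; an empty list means no finding from these checks."""
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    # Strip leading/trailing digits and punctuation: "Password123!" -> "password"
    core = passphrase.lower().strip(string.digits + string.punctuation)
    if core in wordlist:
        findings.append("dictionary word with trivial decoration")
    classes = sum(
        any(ch in group for ch in passphrase)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 2:
        findings.append("single character class")
    return findings

if __name__ == "__main__":
    # The SSID is the only salt, and it is visible to anyone in radio range,
    # so a guessed passphrase can be turned into a candidate key offline.
    for ssid in ("linksys", "tenth-floor"):          # constructed SSIDs
        print(ssid, wpa_psk("Password123!", ssid)[:16], "...")
    for candidate in ("Password123!", "nine tomato fences by the river 2004"):
        print(repr(candidate), audit_passphrase(candidate) or "no findings")
```

A default SSID makes the salt the same for every unit that ships with it, so changing the SSID and using a long passphrase both raise the cost of guessing.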
  kv5e Ride Free Premium join:2001-12-04 Mesquite, TX | Security is Holistic The best encryption is easily overcome by poor procedures in implementation and continued support.
Continued education and diligent administration of security policies is essential.
The wetware is still the critical path!
KV5E | |
|  |   pcscdma Chocobo Chocobo Random Battle Premium join:2004-01-14 Winterset, IA clubs: | Re: Security is Holistic WEP, WPA, AES, VPN, MAC authentication, hide broadcast SID
They don't work unless you turn them on! | |
|  |  |   kv5e Ride Free Premium join:2001-12-04 Mesquite, TX
| Re: Security is Holistic While drive testing in the Metroplex (can you hear me now), I ran Net Stumbler on my laptop. 146 AP's in about 60 minutes. One third (mostly business) were WEP enabled. The other 2/3 were all open, probably with no MAC authentication, and most likely DHCP. A few of the open APs had changed the SSID, but most were defaulted.
I bet a lot of them were in trusted zones too, but it's like picking the neighbor's tomatoes; even if he doesn't have a fence they're not yours for the taking, so I don't try to connect.
Regards,
KV5E | |
|  |  |  der_panzer
join:2003-12-18 Lebanon, TN
| said by pcscdma : WEP, WPA, AES, VPN, MAC authentication, hide broadcast SID
They don't work unless you turn them on!
Well said. An hour and a half of wardriving in Nashville yielded more than 600 APs. Only about 25% ran WEP, and less than 10% hide SSID.
We weren't even using a fancy setup with a high gain antenna. We had a USB 802.11b adapter on an extension cable slung around the rear view mirror (inside the car).
"There are only two truly infinite things - the universe and stupidity, and I am unsure about the universe" - Albert Einstein | |
|   reub2000 Premium join:2001-12-28 Evanston, IL | I'll continue using ethernet! No need to worry with ethernet, since a hacker would have to have physical access to my router, which would mean breaking into my house, much harder to do, and easier to detect than uploading child porn in a car parked across the street. | |
|   dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA | Unprotected? I have my wireless locked down enough to where it's hard to get in, hard enough to where a "driver" will most likely just connect to one of the 4 others within range of me that are wide open. | |
|  |  der_panzer
join:2003-12-18 Lebanon, TN
| Re: Unprotected? said by dadkins : I have my wireless locked down enough to where it's hard to get in, hard enough to where a "driver" will most likely just connect to one of the 4 others within range of me that are wide open.
Hard to get in is still not impossible. But, you're right - Hundreds, if not thousands of your nearby neighbors probably have completely insecure APs, so unless someone is trying to prove a point, you'll be left alone. Most predators will choose the easiest prey. | |
|  raye Premium join:2000-08-14 Orange, CA
| Try IPSec It isn't the easiest encryption to implement nor is it the holy grail. However it is about as close to holy grail as you can get.
Use it on my wireless and wired Windows 2003 AD domain, and it works great! After a few lost hairs that is. The latest gen of Linksys wireless routers/WAPs have this option, I am sure that others do. | |
|  |  vic102482 Premium join:2002-04-30 Upper Marlboro, MD
| Re: Try IPSec They do? IPsec is for secure communications of clients that support it. I think linksys just supports pass through not actual IPsec communications.
I could be wrong though. I just never heard of that. -- I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!! | |
|  |  |  raye Premium join:2000-08-14 Orange, CA | Re: Try IPSec wrv54g supports up to 50 IPSec tunnels | |
|   richk_1957 If ..Then..Else Premium join:2001-04-11 Minas Tirith | I Think I'm OK Right now [but this may change] WEP enabled MAC address filtering IP filtering | |
|  vic102482 Premium join:2002-04-30 Upper Marlboro, MD | Just found a wireless unsecure network today Ironically. Went over and showed the dude how to set it up properly. | |
|  |   laura Domestic Bliss Premium join:2002-04-16 San Jose, CA
| Re: Just found a wireless unsecure network today said by vic102482 : Ironically. Went over and showed the dude how to set it up properly.
why'd you do that, now you can't use it anymore  -- pocketpc.bluepapaya.net | |
|  |  |  |   Nerdtalker Working Hard, Or Hardly Working? Premium,MVM join:2003-02-18 Tucson, AZ clubs: | Default off None of this really matters if it is by default turned off. The average joe user isn't going to know what this is, and just leave it off. | |
|   keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| FAQ on Wireless Security Nerd is 100% correct that no security standard or encryption algorithm will help if the default is for the equipment to be unsecured.
I'd also add that new security standards should require that the material enclosed with the approved device or software include relevant user education on security measures.
If there is one thing we can all learn from cracker attacks on M$ products it is that:
1. The default configuration must be safe.
2. Install scripts or a nag window should force or nag the user to replace default passwords with complex non-default passwords.
3. The user should be able to reduce security from the default as necessary, but there should be a warning that security is being reduced (with a link to an explanation and suggestions on what can be done to reduce the exposure).
Definitely wired is more secure than wireless, but some installations insist on wireless and we have to provide it.
Here is the BBR FAQ on secure wireless setup: »Security »How do I secure a wireless network (wireless router)? | |
|  yazdzik Premium,MVM join:2000-07-26 Honesdale, PA
·New York Connect
·Verizon Online DSL
| wireless security? Dear Friends,
As the quintessential non geek, I understand as little about what I use as possible without actually using the dvd drive as a cup holder. Now, even I have some protection for my wireless gateway, as weak and dumb as it may be. We live in a NYC flat, however, and in windows the wireless connexion is genuinely funky. There are lots of networks at any point, usually from three to five, within signal range, and some better than my own. Unless I connect to mine, the prism driver connects apparently randomly, and nothing at all stops me from connecting to any one of those I can reach.
Linux is more interesting. In order to keep my connexion alive, I can configure the ethernet adapter to connect only to my network. I have to enter essid as well as my easily crackable code. More interesting, however, is the ability to connect with ease to any other network. I get great signal from another gateway, so, just for fun, and with no harm intended or done, I typed in essid XXX, X being the gateway downstairs, I believe.
Not only did I connect, but saw all the neighbour's computers, and, over samba, all his shared files. I am not sufficiently curious to read them, but, in what I thought was neighbourliness, told him that he might consider at least wep if not windows unfriendly wpa.
His answer, verbatim, "That is just too much work. If people want to leech my bandwidth, I don't care, I have cable."
It is easy to click on "share this file."
It is easier to ignore even the band aid of wep.
But since no one here seems even to try to create a password, I cannot, on the one hand, imagine anyone learning to use other people's networks, on the other, presume I am safe from left clicking nonchalants.
So I, on the tenth floor, am safe from my neighbours, who cannot be bothered to do anything more than flip a switch. Protection seems like too much work.
I am certainly happy I am their neighbour and not their call-girl, though.
-M -- If the nurturing teats of justice must be covered because she will suckle us with the sweet milk of compassion, what then is law? | |
|  dosbubba
join:2002-01-26 Eustis, FL
| My thoughts Once again we try to contain something that cannot be contained. The very nature of wireless technology is to be free. Just look at radio, and "free" TV. We keep seeking to have the world more and more interconnected, and we've developed a consumer technology that is a step closer to achieving that goal. What do we do with it? We limit it. WiFi in its very nature leans to being free and open, not semi-open. We've imagined a world where one can access any information, anywhere. That is starting to become a reality, yet we feel the need to confine it. By limiting access, we may only end up limiting ourselves.
Now, this view may be somewhat extreme. The inverse view being "Since I paid for it, I want to control it." as in, the very nature of humans. But maybe it's time to overcome the rules we've imposed on ourselves. | |
|  |  Meier_Logan
join:2004-03-18 Beverly Hills, CA
| Re: My thoughts Sorry for being late to the thread first off.
This is the most ridiculous post I've seen in ages, you tree-hugging moron. The only thing wireless is meant to be free of is, you guessed it, wires. It's a damned convenience, nothing more. The fact that some people grab hold of something so simple and turn it into some grand scheme, an analogy of life, is sad. As for your accessing any information anywhere idea, send me a bit of information, your credit card numbers. Oh, so you didn't really mean ANY information, did you.
Meier | |
|   enOehT Premium join:2003-05-17 Lakewood, WA
2 edits | No WEP or WPA for me! I don't use these encryption techniques cause they just don't work and they limit my bandwidth. But I am VERY secure. Here is how:
1) I use 802.11g in "G" mode only, this prevents the majority, 802.11b users, from connecting, while boosting my overall potential throughput.
2) I do NOT broadcast my SSID, so my AP will NOT show up on a list of available APs.
3) My SSID is not the garden variety "LINKSYS", so I am safe from someone guessing.
4) I have my AP set up to ONLY allow my one MAC address of my 802.11g card access. So someone would have to crack my MAC address.
5) Finally, and this is the one I like the most, I set up the DHCP range to only allow for one IP address. So if I am on, I would be alerted to the fact that another computer is trying to use my same internal IP.
This works for me, and I live in a densely populated high rise. I feel like I am invisible to the rest of the building, while there are tons of people in my building using off-the-shelf LINKSYS with no security at all. Sometimes, I wonder why I even bother to pay for bandwidth when there are tons of unknowing "free nets" all over. | |
|  |   jsinaiko Premium join:2001-04-25 Chicago, IL
·AT&T Midwest
| Re: No WEP or WPA for me! I certainly use WEP with a strange and long passphrase, along with a strange SSID. But the main thing is the number of default SSID's out there. I can see three as I write this - I'm in the city - all of them having SSID's like 2WIRE321 or LINKSYS, or belkin. And none of them have any encryption or other protection.
It's like the river, which flows over the path of least resistance. As long as there are four or five unprotected wifi's out there for every protected one, the folks who want to break in will take the easy route. Will a burglar crack a safe when there is an open cash drawer next to it? Until everyone is encrypted, WPA, WEP, whatever, as long as you are protected, it's gonna be the other guy who gets hit. | |
|  |  |   enOehT Premium join:2003-05-17 Lakewood, WA
| What ever happened to the concept of the Free Net! True, and how are you supposed to know if someone isn't just setting up a FREE NET? When WiFi first started people were intentionally leaving wireless unprotected so that anyone within range could use it. So, is one to assume if you stumble onto an unprotected AP that it is a person who didn't bother to hide it, or more likely didn't know how to hide it, OR that it is a FREE NET that someone set up for that purpose? | |
|  |   Kompressor Premium join:2002-02-12 Huntington Beach, CA
| lol, You are VERY UNsecure if you're not using encryption.
1) An average user isn't going to try to hack your connection, and if they are, they're probably going to use an 802.11a/b/g card to do it.
2) Turning off the broadcast SSID does basically nothing. You'll stop a casual user from seeing your network, but who cares if a casual user sees it because all hackers can.
3) So you change your SSID. So what?
4) It is extremely easy to spoof your MAC address when you're running an unencrypted network. You don't seem to understand that unencrypted signals are as easily read as post cards in the mail.
5) Again, extremely easy to spoof. The only way you'll be alerted is when you get disconnected from the network, and at that time, you'll probably just think it's a technical issue. Do you sit at your computer 24/7? If the hacker knows what he's doing, the both of you will be connected at the same time. And the hacker isn't going to show up in your DHCP clients table.
I'm sure it /does/ work for you. But no one would want to hack your computer because I'm sure you have nothing of value, and there are apparently a lot of other people in your building to get their Internet connection. But let me say this, you are a perfect example of someone who knows nothing who thinks they know everything.
Nothing is perfect, including WEP and WPA, but it's sure as hell better than nothing, and it's sure as hell better than what you're doing. | |
|  |  |   enOehT Premium join:2003-05-17 Lakewood, WA 1 edit | Re: No WEP or WPA for me! well, according to this article, encryption is not good either. so I guess if you use wireless you are damned no matter what you do.  | |
|  |   GNXPower Got Boost? Premium join:2003-12-18 Huntington Beach, CA
| Limit what bandwidth? I use 128b WEP and while not perfect, it's pretty good, especially considering how little traffic I generate "should" make it difficult to defeat as I change my extremely random WEP key fairly frequently (about twice a month). That said I have no problems getting the 5-6Mb of my provider connections and 20-30mb to my fileserver when using XPress. As stated by others, hiding and/or changing the SSID does little, MACID's can be spoofed. -- Don't have it?!? Demand it!!! The Anime Network »www.theanimenetwork.com | |
|  |   gc04
| (1) using 802.11g will not protect you in the long run. (2) although your AP does not broadcast your SSID, I can still listen for it when your card associates with the access point - this is easily done with a utility such as kismet. (3) see (2) above. (4) I will get your MAC address when you associate with your own AP in (2).. when you're offline I can become your MAC address. (5) I won't try to connect while you're on, as I'll assume that you're using MAC address filtering when I can't associate despite having programmed the right SSID.
RTFRFC.. | |
|  Natoma
join:1999-08-30 Brooklyn, NY
·Verizon FIOS
| Beware SSID Hiding »www.icsalabs.com/html/communitie···ding.pdf
This paper says that hiding SSID is VERY bad, and useless as well. Easy to read and well written.
I created a 64 character passphrase for WPA, turned that into a 32 character Hex, and then put that Hex in as my passphrase. I also turned on MAC filtering. Pretty much all one can do. -- -- Natoma | |
|  |   enOehT Premium join:2003-05-17 Lakewood, WA
1 edit | Re: Beware SSID Hiding Read the article. Interesting, but from my experience I have NOT noticed any performance decrease by not broadcasting my SSID. I get a constant 54mbps in my one bedroom apartment. Also, why would I want other people in my building to see that I have a wireless AP? By broadcasting it, it will show up as an available AP. This will tell people in my apartment complex that I have a laptop with WiFi, and hence might expose me to a possible robbery. Furthermore, this nonsense about the SSID being more exposed is ridiculous. This might be true if someone had sophisticated equipment to listen and interpret all this traffic, but come on, in the real world this doesn't exist, my neighbors aren't even smart enough to hide their off-the-shelf LINKSYS APs, so I am not worried about them sniffing my hidden SSID. | |
|  |   Morac
join:2001-08-30 Riverside, NJ
·Comcast
1 edit | I used to hide my SSID until I found that it's very easy to determine if a network exists in the area using netstumbler even if the SSID is hidden. Once a network is found it's trivial to discover the SSID.
What's worse is that my neighbors also have a wireless network and they would pick the same channel I was on because they couldn't see my network (causing problems).
Finally one of my wireless devices, while it would work with the SSID hidden, had connection problems and had a hard time finding my network when I changed channels. Unhiding my SSID seemed to fix that.
Right now I leave the SSID unhidden for the reasons above. I have encryption enabled, MAC filtering enabled, DHCP disabled and all the rest so I'm not too worried. | |
|  |  |   enOehT Premium join:2003-05-17 Lakewood, WA
| Re: Beware SSID Hiding I think it is more secure to leave DHCP enabled and set the range to as many IPs as you have computers. In my case one. If you disable DHCP, then that leaves the possibility of picking any internal IP you like, and hard coding it. With my method, if someone broke through all my other security, if I was on the network, it would alert me that two devices were trying to use the same IP. Hence I would be alerted to the situation right away. | |
|  |  |  |   Morac
join:2001-08-30 Riverside, NJ
·Comcast
| Re: Beware SSID Hiding That's true if all the devices on the network are always on (and therefore have an IP). Some of my devices like my PS2 aren't always on. If I enabled DHCP I'd be giving out an IP to an intruder.
I forgot to mention my netmask is 255.255.255.248 which only allows 6 ip addresses per subnet (5 other than the router). I also changed my network address. This makes guessing a valid IP a lot harder. | |
|  |  |  |  |   keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| Use all available precautions you have support for You guys ought to give a once over to the FAQ referenced above and the 2 in-depth articles that are linked to in the body of the FAQ.
SSIDs are included in a part of normal transmissions. So a hacker can see them even if beaconing is turned off. However:
1. Turning off beaconing does mean someone won't accidentally hook into your LAN. (Accidents happen more often than crackers.)
2. Turning off beaconing means your network isn't so visible when not in active use.
WEP can be cracked with freeware decryption tools listening to the volume of traffic that may pass by in a few hours or days, depending on the key and the business of your network. Still, WEP will slow down any cracker, and will stop casual infiltration.
4. Windows XP has been extended to cover WPA, you just need to run Windows update. | |
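Several posts in this thread state that a hidden SSID still travels in ordinary management frames. The following is an added example, not part of any post above; it parses the SSID element from constructed 802.11 management frames to show that a beacon with the name blanked is contradicted by the client's own association request. The addresses, the SSID "tenth-floor" and the helper names are assumptions made for illustration.

```python
MGMT_HDR_LEN = 24  # frame control, duration, three addresses, sequence control
# Bytes of fixed fields that precede the tagged elements, per management subtype.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
SUBTYPE_NAME = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req",
                5: "probe-resp", 8: "beacon"}

def parse_ssid(frame: bytes):
    """Return (subtype_name, ssid or None) for a handled management frame,
    or None when the frame is too short or is not one of the handled subtypes."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    pos = MGMT_HDR_LEN + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):              # walk the tagged elements
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                             # truncated element, stop parsing
        if element_id == 0:                   # element 0 is the SSID
            hidden = length == 0 or not any(body)   # empty or all-zero name
            ssid = None if hidden else body.decode("utf-8", "replace")
            return SUBTYPE_NAME[subtype], ssid
        pos += 2 + length
    return SUBTYPE_NAME[subtype], None

def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed sample management frame (not a capture)."""
    ap, client = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + ap + client + ap + b"\x00\x00"
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported-rates element
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid + rates

def observed_ssids(frames):
    """Parse every frame and keep the handled ones."""
    return [result for result in map(parse_ssid, frames) if result is not None]

SAMPLE_FRAMES = [
    build_frame(8, b""),               # beacon from an AP with SSID broadcast off
    build_frame(8, b"\x00" * 11),      # some APs send zero bytes instead of length 0
    build_frame(0, b"tenth-floor"),    # the client must name the network to join it
    build_frame(5, b"tenth-floor"),    # and the AP answers a directed probe by name
]

if __name__ == "__main__":
    for subtype, ssid in observed_ssids(SAMPLE_FRAMES):
        print(f"{subtype:11s} ssid={ssid!r}")
```

Management frames are sent in the clear under WEP and WPA, so turning off SSID broadcast changes only what the beacon carries, not what a joining client transmits.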
|  |  |  |   AnonymousDude
@cableone.net
| Enabling DHCP and setting the range to match the number of computers does NOTHING to prevent someone from picking an address that is not allocated by DHCP. It's perfectly valid (and actually a good network design technique when used properly).
The only way to restrict the number of available IP address is to shrink your subnet. | |
|  |   keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
| The author of the paper »www.icsalabs.com/html/communitie···ding.pdf doesn't understand how hiding an SSID improves security.
It improves security against accidental connection by non-crackers and beginner scriptkiddies.
Also, he isn't talking about WLANs in SOHO and home environments. | |
|  |  |   ZOverLord Premium join:2003-10-20 Minneapolis, MN
| Re: Beware SSID Hiding With some of the current FREE utilities unless you are using WPA, it does not matter much.
The headers in WEP are not encrypted anyway, and since the headers contain the SSID from the client Adapters, well enough said.
Check out this thread:
»The Motherload of Windows Wireless Tools/Links | |
|   page_fault Premium join:2003-11-12 Markham, ON | VPN is the way to go I still say VPN is the most secure way you can do wireless these days. But I could be wrong. | |
|   flywireless
@bellsouth.net
| Safe to connect ?
My question is, how safe is it to use some stranger's unencrypted wireless ? Obviously, I mean using encryption (SSL, SSH, SCP, etc). Is this perfectly safe ? I'm starting to think it would be really easy for someone to do a man-in-the-middle on you if they control the router. | |
|  |   peeto
@ntt.n
| Re: Safe to connect ? No, of course it is not safe. In such a scenario it would be very easy for the network owner to record/delete/replace your traffic. "Man in the middle" attacks are normally very difficult to accomplish but this scenario would make it very simple and easy to do. It also decreases the quality of encryption because the data can be recorded so easily and decrypted later. "Man in the middle" attacks are normally difficult because it would mean something like breaking into the local telephone exchange - it's only a matter of time before you get caught there - which is probably nowhere near enough time to accumulate enough data for successful decryption. But if the data was going through your own house - you can legally spend as much time as you need accumulating data for decryption.
Anyways, I have a question. Why are there people on here saying insane things like using WEP isn't completely safe so they're not using it? This is crazy. Do these same people tear up $1200 pay cheques because they're not $1400 pay cheques? | |