Forums » Wireless Security
Comments on news posted 2004-02-07 12:53:58: The next generation of wireless security (WPA) was supposed to be worlds better than existing technology (WEP), but wrinkles still remain. ..



kv5e
Ride Free
Premium
join:2001-12-04
Mesquite, TX
Security is Holistic

The best encryption is easily overcome by poor procedures in implementation and continued support.

Continued education and diligent administration of security policies is essential.

The wetware is still the critical path!

KV5E


pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA
clubs:
WEP, WPA, AES, VPN, MAC authentication, hide broadcast SID

They don't work unless you turn them on!


reub2000
Premium
join:2001-12-28
Evanston, IL
I'll continue using ethernet!

No need to worry with ethernet, since a hacker would have to have physical access to my router, which would mean breaking into my house, much harder to do, and easier to detect than uploading child porn in a car parked across the street.


kv5e
Ride Free
Premium
join:2001-12-04
Mesquite, TX

reply to pcscdma
Re: Security is Holistic

While drive testing in the Metroplex (can you hear me now), I ran Net Stumbler on my laptop. 146 APs in about 60 minutes. One third (mostly business) were WEP enabled. The other 2/3 were all open, probably with no MAC authentication, and most likely DHCP. A few of the open APs had changed the SSID, but most were defaulted.

I bet a lot of them were in trusted zones too, but it's like picking the neighbor's tomatoes; even if he doesn't have a fence, they're not yours for the taking, so I don't try to connect.

Regards,

KV5E


dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
Unprotected?

I have my wireless locked down enough to where it's hard to get in, hard enough to where a "driver" will most likely just connect to one of the 4 others within range of me that are wide open.

der_panzer

join:2003-12-18
Lebanon, TN

reply to pcscdma
Re: Security is Holistic

said by pcscdma:
WEP, WPA, AES, VPN, MAC authentication, hide broadcast SID

They don't work unless you turn them on!

Well said. An hour and a half of wardriving in Nashville yielded more than 600 APs. Only about 25% ran WEP, and less than 10% hide SSID.

We weren't even using a fancy setup with a high gain antenna. We had a USB 802.11b adapter on an extension cable slung around the rear view mirror (inside the car).

"There are only two truly infinite things - the universe and stupidity, and I am unsure about the universe" - Albert Einstein

der_panzer

join:2003-12-18
Lebanon, TN

reply to dadkins
Re: Unprotected?

said by dadkins:
I have my wireless locked down enough to where it's hard to get in, hard enough to where a "driver" will most likely just connect to one of the 4 others within range of me that are wide open.

Hard to get in is still not impossible. But, you're right - Hundreds, if not thousands of your nearby neighbors probably have completely insecure APs, so unless someone is trying to prove a point, you'll be left alone. Most predators will choose the easiest prey.

raye
Premium
join:2000-08-14
Orange, CA

Try IPSec

It isn't the easiest encryption to implement, nor is it the holy grail. However, it is about as close to the holy grail as you can get.

Use it on my wireless and wired Windows 2003 AD domain, and it works great! After a few lost hairs that is. The latest gen of Linksys wireless routers/WAPs have this option, I am sure that others do.


richk_1957
If ..Then..Else
Premium
join:2001-04-11
Minas Tirith
I Think I'm OK

Right now [but this may change]
WEP enabled
MAC address filtering
IP filtering

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD
Just found a wireless unsecure network today

Ironically. Went over and showed the dude how to set it up properly.


Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ
clubs:
Default off

None of this really matters if it is by default turned off. The average joe user isn't going to know what this is, and just leave it off.

vic102482
Premium
join:2002-04-30
Upper Marlboro, MD

reply to raye
Re: Try IPSec

They do? IPsec is for secure communications of clients that support it. I think Linksys just supports pass-through, not actual IPsec communications.

I could be wrong though. I just never heard of that.
--
I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!!


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB

FAQ on Wireless Security

Nerd is 100% correct that no security standard or encryption algorithm will help if the default is for the equipment to be unsecured.

I'd also add that new security standards should require that the material enclosed with the approved device or software include relevant user education on security measures.

If there is one thing we can all learn from cracker attacks on M$ products it is that:

1. The default configuration must be safe.

2. Install scripts or a nag window should force or nag the user to replace default passwords with complex non-default passwords.

3. The user should be able to reduce security from the default as necessary, but there should be a warning that security is being reduced (with a link to an explanation and suggestions on what can be done to reduce the exposure).

Definitely wired is more secure than wireless, but some installations insist on wireless and we have to provide it.

Here is the BBR FAQ on secure wireless setup:
»Security »How do I secure a wireless network (wireless router)?

yazdzik
Premium,MVM
join:2000-07-26
Honesdale, PA
·New York Connect
·Verizon Online DSL

wireless security?

Dear Friends,

As the quintessential non geek, I understand as little about what I use as possible without actually using the dvd drive as a cup holder.
Now, even I have some protection for my wireless gateway, as weak and dumb as it may be.
We live in a NYC flat, however, and in windows the wireless connexion is genuinely funky. There are lots of networks at any point, usually from three to five, within signal range, and some better than my own. Unless I connect to mine, the prism driver connects apparently randomly, and nothing at all stops me from connecting to any one of those I can reach.

Linux is more interesting. In order to keep my connexion alive, I can configure the ethernet adapter to connect only to my network. I have to enter essid as well as my easily crackable code. More interesting, however, is the ability to connect with ease to any other network. I get great signal from another gateway, so, just for fun, and with no harm intended or done, I typed in essid XXX, X being the gateway downstairs, I believe.

Not only did I connect, but saw all the neighbour's computers, and, over samba, all his shared files. I am not sufficiently curious to read them, but, in what I thought was neighbourliness, told him that he might consider at least wep if not windows unfriendly wpa.

His answer, verbatim, "That is just too much work. If people want to leech my bandwidth, I don't care, I have cable."

It is easy to click on "share this file."

It is easier to ignore even the band aid of wep.

But since no one here seems even to try to create a password, I cannot, on the one hand, imagine anyone learning to use other people's networks, on the other, presume I am safe from left clicking nonchalants.

So I, on the tenth floor, am safe from my neighbours, who cannot be bothered to do anything more than flip a switch. Protection seems like too much work.

I am certainly happy I am their neighbour and not their call-girl, though.

-M
--
If the nurturing teats of justice must be covered because she will suckle us with the sweet milk of compassion, what then is law?

dosbubba

join:2002-01-26
Eustis, FL

My thoughts

Once again we try to contain something that cannot be contained. The very nature of wireless technology is to be free. Just look at radio, and "free" TV. We keep seeking to have the world more and more interconnected, and we've developed a consumer technology that is a step closer to achieving that goal. What do we do with it? We limit it. WiFi in its very nature leans to being free and open, not semi-open. We've imagined a world where one can access any information, anywhere. That is starting to become a reality, yet we feel the need to confine it. By limiting access, we may only end up limiting ourselves.

Now, this view may be somewhat extreme. The inverse view being "Since I paid for it, I want to control it." as in, the very nature of humans. But maybe it's time to overcome the rules we've imposed on ourselves.


enOehT
Premium
join:2003-05-17
Langhorne, PA


No WEP or WPA for me!

I don't use these encryption techniques cause they just don't work and they limit my bandwidth. But I am VERY secure. Here is how:

1) I use 802.11g in "G" mode only, this prevents the majority, 802.11b users, from connecting, while boosting my overall potential throughput.

2) I do NOT broadcast my SSID, so my AP will NOT show up on a list of available APs.

3) My SSID is not the garden variety "LINKSYS", so I am safe from someone guessing.

4) I have my AP set up to ONLY allow my one MAC address of my 802.11g card access. So someone would have to crack my MAC address.

5) Finally, and this is the one I like the most, I set up the DHCP range to only allow for one IP address. So if I am on, I would be alerted to the fact that another computer is trying to use my same internal IP.

This works for me, and I live in a densely populated high rise. I feel like I am invisible to the rest of the building, while there are tons of people in my building using off-the-shelf LINKSYS with no security at all. Sometimes, I wonder why I even bother to pay for bandwidth when there are tons of unknowing "free nets" all over.


jsinaiko
Premium
join:2001-04-25
Chicago, IL
·AT&T Midwest

I certainly use WEP with a strange and long passphrase, along with a strange SSID. But the main thing is the number of default SSID's out there. I can see three as I write this - I'm in the city - all of them having SSID's like 2WIRE321 or LINKSYS, or belkin. And none of them have any encryption or other protection.

It's like the river, which flows over the path of least resistance. As long as there are four or five unprotected wifi's out there for every protected one, the folks who want to break in will take the easy route. Will a burglar crack a safe when there is an open cash drawer next to it? Until everyone is encrypted, WPA, WEP, whatever, as long as you are protected, it's gonna be the other guy who gets hit.

Natoma

join:1999-08-30
Brooklyn, NY
·Verizon FIOS

Beware SSID Hiding

»www.icsalabs.com/html/communitie···ding.pdf

This paper says that hiding SSID is VERY bad, and useless as well. Easy to read and well written.

I created a 64 character passphrase for WPA, turned that into a 32 character Hex, and then put that Hex in as my passphrase. I also turned on MAC filtering. Pretty much all one can do.
--
--
Natoma
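
Added example, not part of any post in this thread: how a WPA-PSK secret of the kind described in the post above becomes the 256-bit pre-shared key, and why the SSID choices discussed in this thread affect the result. The function name wpa_psk and all sample values are illustrative assumptions.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit WPA pre-shared key for a configured secret.

    Two input forms are accepted, as on most access points:
      * 64 hex digits: used directly as the key, the SSID plays no part;
      * 8..63 printable ASCII characters: stretched with
        PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")

    # Raw key form: already 256 bits, nothing to derive.
    if len(secret) == 64 and set(secret) <= HEX_DIGITS:
        return bytes.fromhex(secret)

    # Passphrase form: length and character set are fixed by the standard.
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in secret):
        raise ValueError("passphrase must be printable ASCII")

    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid_bytes, 4096, 32)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    phrase = "correct horse battery staple"
    for ssid in ("linksys", "tenth-floor-7c41"):
        print(f"{ssid:18s} {wpa_psk(phrase, ssid).hex()}")
    # The same passphrase gives unrelated keys under different SSIDs.
    # The SSID is the only salt, so a factory-default SSID shares its
    # salt with every other unit left at defaults, and the strength of
    # the key then rests entirely on the passphrase.
```
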


enOehT
Premium
join:2003-05-17
Langhorne, PA


Read the article. Interesting, but from my experience I have NOT noticed any performance decrease by not broadcasting my SSID. I get a constant 54mbps in my one bedroom apartment. Also, why would I want other people in my building to see that I have a wireless AP? By broadcasting it, it will show up as an available AP. This will tell people in my apartment complex that I have a laptop with WiFi, and hence might expose me to a possible robbery. Furthermore, this nonsense about the SSID being more exposed is ridiculous. This might be true if someone had sophisticated equipment to listen and interpret all this traffic, but come on, in the real world this doesn't exist, my neighbors aren't even smart enough to hide their off-the-shelf LINKSYS APs, so I am not worried about them sniffing my hidden SSID.


Morac

join:2001-08-30
Riverside, NJ
·Comcast


reply to Natoma
I used to hide my SSID until I found that it's very easy to determine if a network exists in the area using netstumbler even if the SSID is hidden. Once a network is found it's trivial to discover the SSID.

What's worse is that my neighbors also have a wireless network and they would pick the same channel I was on because they couldn't see my network (causing problems).

Finally one of my wireless devices, while it would work with the SSID hidden, had connection problems and had a hard time finding my network when I changed channels. Unhiding my SSID seemed to fix that.

Right now I leave the SSID unhidden for the reasons above. I have encryption enabled, MAC filtering enabled, DHCP disabled and all the rest so I'm not too worried.
© 1999-2010 dslreports.com