Wireless proven insecure in Security

Wireless proven insecure in Security http://www.dslreports.com/forum/r21245074 en Mon, 14 Dec 2009 23:32:16 EDT Mon, 14 Dec 2009 23:32:16 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21284178 jdmurray : Realize that in WPA2 the 8-to-63-character passphrase is reduced to a 256-bit hash string and combined with the SSID. Therefore, you aren't getting a 10^64 strength. In fact, a 13-character random passphrase will produce a hash just as difficult to brute-force as a 63-character passphrase will. Also realize that using a simple or common SSID might actually make your WPA2 hash key easier to crack.

Church of Wifi WPA-PSK Rainbow Tables]]> http://www.dslreports.com/forum/remark,21284178 Fri, 17 Oct 2008 15:22:23 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21277706 Jason Levine : When I set up my WPA2-PSK security, I generated my key using 60 HEX characters (0-9 & A-F). Would that mean that it would take 5.6 * 10^64 to crack my network? Or does the much shorter character selection pool hurt my network's security?]]> http://www.dslreports.com/forum/remark,21277706 Thu, 16 Oct 2008 13:33:36 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21277666 Jason Levine :

said by JustSpam :

Just what we need - another mindless piece of spam in the form of an article stating the obvious -

1. Weak keys are susceptible to brute force force attacks

Wait, you mean I shouldn't use "12345" as the WPA key for my wireless network? I gotta go change that now. And the combination on my luggage. ;-)]]> http://www.dslreports.com/forum/remark,21277666 Thu, 16 Oct 2008 13:27:58 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21277293 Uncomm0n : It is wrong. "Elcomsoft advance makes WPA and WPA2 encryption open to attack. In fact, the software is specifically designed to support "passport recovery" on Wi-Fi networks running either WPA or the newer WPA2 encryption". WPA and WPA2 are no more open to attack (other than brute fore) than the day it came out. Their software claims to "makes WPA and WPA2 encryption open to attack" It does not make it anymore vulnerable than it already was.]]> http://www.dslreports.com/forum/remark,21277293 Thu, 16 Oct 2008 12:24:46 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21277200 jdong :

said by Uncomm0n

:

This article is wrong. The only thing they hacked or cracked was a weak passphrase and nothing more. You show me a program that can crack a random 63 character passphrase in WPA2 mode and then I might be a little bit worried...then I will use VPN on my home network.

It is not "wrong" -- they did show a method of brute-forcing that is significantly faster than the old methods. However, they failed to put it into perspective as far as what it means in the big picture of brute-forcing.
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,21277200 Thu, 16 Oct 2008 12:12:31 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21277129 Uncomm0n : This article is wrong. The only thing they hacked or cracked was a weak passphrase and nothing more. You show me a program that can crack a random 63 character passphrase in WPA2 mode and then I might be a little bit worried...then I will use VPN on my home network.]]> http://www.dslreports.com/forum/remark,21277129 Thu, 16 Oct 2008 12:02:55 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21251033 swhx7 :

said by Jahntassa

:

... nobody is going to care enough to spend time cracking into my network when there are plenty of other targets.

That's true of the wardriving hackers who won't even have this new, expensive commercial software. The use case for this new technique is a well-funded organization taking a special interest in a particular target.

Yes, it's sold as a "recovery" utility, but snooping on networks believed to contain something valuable is the likely scenario.]]> http://www.dslreports.com/forum/remark,21251033 Sat, 11 Oct 2008 13:17:39 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21249849 slajoh01 : I run my laptop with wireless WPA2.

But on my PC where I keep all of my sensitive data, are always wired...]]> http://www.dslreports.com/forum/remark,21249849 Sat, 11 Oct 2008 03:39:10 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21249713 Its a Secret :

said by Reimer

:

Maybe the encrypted network has a better signal... maybe it's a faster connection..

If you want to try to crack my network, feel free. I think you'll get a wee bit frustrated... :D
--
"In the future, that which is not mandatory will be illegal"]]> http://www.dslreports.com/forum/remark,21249713 Sat, 11 Oct 2008 02:07:43 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21249452 james : Wireless proven insecure? Perhaps it should look into therapy.]]> http://www.dslreports.com/forum/remark,21249452 Sat, 11 Oct 2008 00:09:13 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21249272 Reimer :

said by quatrix

said by Mikey110 :

»www.theregister.co.uk/2008/10/10···hacking/

Elmsoft and off the shelf hardware can crack wirless in minutes.

VPN here I come.

Paranoia here you come. Do you really think someone's interested in hacking encrypted wireless when there are lots of easier targets?

Of course. Why wouldn't they? If someone has the know how and is capable of it, I would bet they would put that knowledge to use, regardless of how many alternative open networks there are.

Maybe the encrypted network has a better signal... maybe it's a faster connection.. ]]> http://www.dslreports.com/forum/remark,21249272 Fri, 10 Oct 2008 23:22:40 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21247533 Jahntassa : And as usual..how much of what you're doing in that Wi-fi network is going to the internet? How secure is that?

And nevermind the fact that nobody is going to care enough to spend time cracking into my network when there are plenty of other targets.]]> http://www.dslreports.com/forum/remark,21247533 Fri, 10 Oct 2008 17:24:52 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21247110 quatrix :

said by Mikey110 :

»www.theregister.co.uk/2008/10/10···hacking/

Elmsoft and off the shelf hardware can crack wirless in minutes.

VPN here I come.

Paranoia here you come. Do you really think someone's interested in hacking encrypted wireless when there are lots of easier targets?]]> http://www.dslreports.com/forum/remark,21247110 Fri, 10 Oct 2008 16:02:49 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21246576 anon :

quote:
VPN here I come.

Yea. Like the pre-shared key used in most VPNs isn't vulnerable to a brute force attack. :-)]]> http://www.dslreports.com/forum/remark,21246576 Fri, 10 Oct 2008 14:24:43 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21246551 anon : Just what we need - another mindless piece of spam in the form of an article stating the obvious -

1. Weak keys are susceptible to brute force force attacks

2. The more HW you throw at the brute force attack the faster it discovers the encryption key.

Nothing new and certainly nothing specific to wireless.]]> http://www.dslreports.com/forum/remark,21246551 Fri, 10 Oct 2008 14:21:56 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21246470 jdong :

said by Its a Secret

:

I'm with SoonerAl on this, and use the same thing. I'm thinking it would take quite a while to crack it. Besides, you'd have to be pretty desperate to crack me when there are a few unsecured networks around me. The path of least resistance works best for most people.

Well more of whether or not there's something interesting on your network. At one of my employers' their company wifi used WPA2-AES to get you into a dummy 172. net, and then you had to Cisco VPN to the default gateway and authenticate via pubkey certificate to gain access to the proxy serer, then go through the proxy server with a correct Active Directory logon to gain internet access.
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,21246470 Fri, 10 Oct 2008 14:08:23 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21246436 Its a Secret : I'm with SoonerAl on this, and use the same thing. I'm thinking it would take quite a while to crack it. Besides, you'd have to be pretty desperate to crack me when there are a few unsecured networks around me. The path of least resistance works best for most people.
--
"In the future, that which is not mandatory will be illegal"]]> http://www.dslreports.com/forum/remark,21246436 Fri, 10 Oct 2008 14:03:15 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21246241 jdong : The baseline time is pretty much unstated. And what really makes you think that a VPN would not be subject to the same issue here? :)
--
Ubuntu MOTU Developer and Forums Council]]> http://www.dslreports.com/forum/remark,21246241 Fri, 10 Oct 2008 13:31:12 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245718 Blackbird : If the encrypting algorithm is sound, it all depends on the randomness and length of the key. Use a short or a language-based key, and it's more likely to get compromised sooner than later. The Elcomsoft software simply speeds up the bruteforcing process by a factor of 20-100 when using 'ordinary' computers to do the analysis.

The 'big boys' already have their own specialized gear and software, though I'm sure they're always open to considering Elcomsoft's offerings (or similar) for whatever they're worth...
--
If God wanted us to work with electrons, He'd make them big enough to see...]]> http://www.dslreports.com/forum/remark,21245718 Fri, 10 Oct 2008 12:01:25 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245544 Alphanet : Well lets assume we are using a pass-phrase made by picking characters from a selection of 100 (although it could be up to 256) assume a key length of 50 characters (could be up to 63).

Assuming we can try to brute force at a rate of 1 million pass phrases per second (very optimistic as it is a very processor intensive task).

Number of seconds in a year = 60*60*24*365 = 31536000 (say 30 million)

so we can try 30 * 10 ^12 keys per year

if we have a key length of one character choosing from a set of 100 we have 100 combination

key length 2 = 100 * 100 combinations = 100 ^2
key length 3 = 100 * 100 * 100 = 100 ^3
key length 50 = 100 ^50

so to try every combination its 100 ^50 / 3 * 10 ^12 YEARS

= 10 * 10 ^50 / 3 * 10 ^12

= 3 * 10 ^ 38 years - a VERY long time

Now assume we use 50,000 workstations and the improvement of 20 they claim that would improve the situation by a factor of 1 million so it would still take 3 * 10^32 years

That's 3 with 32 0's after it, the Earth won't last anything like that long before the sun goes supernova - its a LONG TIME]]> http://www.dslreports.com/forum/remark,21245544 Fri, 10 Oct 2008 11:34:16 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245390 swhx7 : I would like to see some actual numbers relating passphrase strength to crack time for WPA.

BTW, if anyone, anywhere, at any time starts using any of those encryption methods for DRM - this software suddenly becomes illegal in the US! Such is the perversity of the DMCA.]]> http://www.dslreports.com/forum/remark,21245390 Fri, 10 Oct 2008 11:02:55 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245132 Alphanet : From the Elmsoft website

"NVIDIA GPU acceleration (patent pending) reduces password recovery time by a factor of 20"

So for a big WPA key that is still a VERY LONG time

"Linear scalability with no overhead allows using up to 10,000 workstation without performance drop-off"

So you put 10,000 workstations on line, its sill going to take a very long time.]]> http://www.dslreports.com/forum/remark,21245132 Fri, 10 Oct 2008 10:16:10 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245128 Cudni : also on the site news
»Using GPUs To Speed Up WPA Hacks

yes, it would be interesting to know how long the passphrase (unless they uncovered some vulnerability). Their password guessing software is good but if the password is long and complex then no chance of getting it quickly

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008]]> http://www.dslreports.com/forum/remark,21245128 Fri, 10 Oct 2008 10:15:48 EDT Re: Wireless proven insecure http://www.dslreports.com/forum/remark,21245097 SoonerAl : I wonder how long the passphrases are that are being cracked? I use a 63-charcter random ASCII key for example and WPA2-PSK [AES] on my home wireless network.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience]]> http://www.dslreports.com/forum/remark,21245097 Fri, 10 Oct 2008 10:10:14 EDT Wireless proven insecure http://www.dslreports.com/forum/remark,21245074 anon : »www.theregister.co.uk/2008/10/10···hacking/

Elmsoft and off the shelf hardware can crack wirless in minutes.

VPN here I come.]]> http://www.dslreports.com/forum/remark,21245074 Fri, 10 Oct 2008 10:07:12 EDT