how-to block ads
|
|
Share Topic
 |
 |
|
|
|
twixt
join:2004-06-27
North Vancouver, BC | reply to Tig
Re: People's names in SSIDs. said by Tig:Twixt, please elaborate on how choice of SSID could make it easier for unauthorized access.
-
Hi, Tig. DownTheShore has the right idea...
If you know the physical location of a WAP/Router - then you can figure out who uses that WAP/Router. Thus, you know who to target for social-engineering-type attacks.
If you don't know that info, then your social-engineering-type attacks need to be generic - and thus they are far less effective.
Note: The above presumes that someone desires to penetrate a particular WAP/Router's defences. Since most attempts to penetrate are simply to steal internet access, this is irrelevant in many cases. Typically, it is much less work to move on and find a poorly-secured WAP/Router than it is to penetrate a router properly configured to use WPA2-AES with a strong passphrase.
However, the above assumes the hacker has no real purpose in his/her attack - other than to gain access to the internet. This is not always the case.
I am not going to detail various scenarios - since that gives people ideas I don't want to spread. However, there are several ways to compromise any system where the userlist for that system is known - methods successfully used in business environments work just as well (or better) in home environments.
More details on the above will not be forthcoming.
Suffice it to say that one of the ways in which Security is strengthened on a WAP/Router is to have no idea who the users are on that system. Hence the advisability of obfuscated SSIDs. | |
Tig
join:2006-06-29
Carrying Place, ON Reviews:
 ·voip.ms
 ·TekSavvy DSL
| said by twixt:... If you know the physical location of a WAP/Router - then you can figure out who uses that WAP/Router. Thus, you know who to target for social-engineering-type attacks.
Hi Twixt. Thanks for the explanation but I still don't see the concern.
If you are vulnerable to a social-engineering-type attack, your problem is not your SSID.
As for WEP, it's simply not secure regardless of who set up the router. | |
twixt
join:2004-06-27
North Vancouver, BC | said by Tig:said by twixt:... If you know the physical location of a WAP/Router - then you can figure out who uses that WAP/Router. Thus, you know who to target for social-engineering-type attacks.
Hi Twixt. Thanks for the explanation but I still don't see the concern. If you are vulnerable to a social-engineering-type attack, your problem is not your SSID. As for WEP, it's simply not secure regardless of who set up the router. -
Hi, Tig. You are missing the difference between theory and reality.
In the real world, users are not perfect. We/They simply don't respond uniformly and predictably and reliably to threat environments.
Thus, the idea is to make identifying users of a particular WAP/Router more difficult - so that specifically targeted social-engineering-type attacks are made more difficult.
-
Important things to understand about real-world security:
Security is not about making things absolutely foolproof. This is impossible, because fools are so ingenious as to wreck even the most-carefully-constructed security environments.
Furthermore, even the most conscientious of users make mistakes. Humans are not inherently reliable. Even those with delusions of perfection - yes, insert incredulous remark here - have been known to do something as stupid as click on a confirmation they should have avoided... Such is life.
Thus, Security is about making things more-difficult in your particular situation - such that the intruder finds it easier to simply move on to an easier target.
-
Note: The issue of WEP is a red herring. IMO, users of anything other than WPA2-AES are simply asking for trouble.
However, again, we are dealing with real-world-users who are not perfect. Either through ignorance or sloth or cheapthink, users in these categories are not paying attention to valid security concerns.
I consider the vast majority of the above users to be categorically "incorrigible" - and nothing I can do or say will convince them of the usefulness of research, planning or forethought. Thus, I won't bother.
However, IMO anything I can do to mitigate their idiocy is to be applauded - and implemented. | |
|
