reply to Tig
Re: People's names in SSIDs.
said by Tig:
said by twixt:
... If you know the physical location of a WAP/Router - then you can figure out who uses that WAP/Router. Thus, you know who to target for social-engineering-type attacks.
Hi Twixt. Thanks for the explanation but I still don't see the concern.
If you are vulnerable to a social-engineering-type attack, your problem is not your SSID.
As for WEP, it's simply not secure regardless of who set up the router.
Hi, Tig. You are missing the difference between theory and reality.
In the real world, users are not perfect. We/They simply don't respond uniformly and predictably and reliably to threat environments.
Thus, the idea is to make identifying users of a particular WAP/Router more difficult - so that specifically targeted social-engineering-type attacks are made more difficult.
Important things to understand about real-world security:
Security is not about making things absolutely foolproof. This is impossible, because fools are so ingenious as to wreck even the most carefully constructed security environments.
Furthermore, even the most conscientious of users make mistakes. Humans are not inherently reliable. Even those with delusions of perfection - yes, insert incredulous remark here - have been known to do something as stupid as click on a confirmation they should have avoided... Such is life.
Thus, security is about making things more difficult in your particular situation - such that the intruder finds it easier to simply move on to an easier target.
Note: The issue of WEP is a red herring. IMO, users of anything other than WPA2-AES are simply asking for trouble.
However, again, we are dealing with real-world users who are not perfect. Either through ignorance or sloth or cheapthink, users in these categories are not paying attention to valid security concerns.
I consider the vast majority of the above users to be categorically "incorrigible" - and nothing I can do or say will convince them of the usefulness of research, planning or forethought. Thus, I won't bother.
However, IMO anything I can do to mitigate their idiocy is to be applauded - and implemented.