Promiscuity And Wireless LANs
VB writes: "I saw this article at ZDNet "cleverly" entitled Hackers poised to land at wireless AirPort. We've probably all seen this coming, but, I'd be curious to see what people think about the possibility of securing a network that sends data through the air. What about promiscuous mode devices within range of transmitters, or satellite communications?"
This is really the same problem as always: if you set the LAN up correctly it is pretty secure, but out of the box it isn't. The cheap 802.11 Frequency Hopping stuff is easy to monitor - strong signal strength, known hop sequences etc. - but if you use 128-bit WEP, Access Control Lists and encryption over IP (IPsec or others) then you are not too open. Go to 802.11b Direct Sequence and unless you have the correct chipping set, you can often find the signal is at a lower level than ambient RF noise, which adds to the intruder's problems.
Anyone who allows broadcast ESSIDs or unknown MAC addresses into their network is just asking for trouble. That is like allowing an intruder to patch straight into your hub!
Follow the instructions and you make the hacker's task harder - never impossible - but make it too annoying or too time-consuming and they will go on to easier targets.
Frog51
As an aside, taking a cab through New York with an iPaq and a Wavelan card, it's pretty amazing how many 802.11 LANs you'll pick up (I counted 6 in 40 blocks). I assume I was only getting the unencrypted ones, but if it is really easy to crack the WEP protected ones, this standard is probably going to disappear fast from business use. Or something.
Having alarms go off when someone is plugged into an unauthorized jack is nice. But what is to prevent someone from splicing the uplink, adding a tap, and just SNIFFING the traffic that goes by for that segment? Unless you do quite a bit of work, nothing.
In most places, wiring closets are HORRIDLY laid out. An extra device can easily be hidden, especially if all the device is doing is sniffing.
-b
If someone steals your car and then uses it in a robbery, it's still likely that you will not be charged with that robbery. If someone gains access to your network at home and starts attacking government sites, then it's hard to say what would happen.
-no broken link
Rader
Yeah, right. IR has a limit of 20 feet, and not every laptop has one. AirPort 802.11b is advertised as 11 Mbps, though I get a little less than 10BaseT performance.
No, they are sniffing the wireless. The traffic is encrypted (maybe), but if you are a legit user you have the keys. So, just run tcpdump / ethereal / etc. when the card is up and running. Voila, full packet dump. That's one reason why the WEP isn't providing much in the way of security. It just tries to make the wireless equivalent to a shared ethernet. Just like everybody connected to the same hub as you can sniff your traffic, everybody on the same wireless LAN can sniff your traffic.
Rader
So what's new here? You should always assume your packets are being sniffed, regardless if you're behind a firewall or not. Use ssh, ssl, or ipsec for everything. You'd be a fool not to. The extra layer of encryption provided by WEP is a nice frosting, but it ain't the cake.
Actually, if this is a public school, that's already public information anyway.
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
Yeah, but you can only turn off the encryption link at the base station.
It's not that easy, especially if WEP is employed. Combine this with a decent VPN encryption algorithm and you have pretty decent effective security--especially if your name is Joe Schmoe. Who really wants to break into your dialup network when there are much better and softer targets out there? What's more, if you're using your network primarily to access the internet, the threat from the internet is far greater than the threat from the wireless side. If you think any and all encryption that can be employed on a wireless setup is "worthless", then the internet should be similarly worthless.
Also, if your name is Joe Schmoe, I suspect the physical security of your person, your home, your car, and other personal property is of greater concern, yet I doubt you expend the same amount of paranoid energy on them.
Apple is responsible for getting USB and FireWire off the ground.
USB became a hit as soon as the iMac shipped, with USB as its only connection. With encouragement to developers, USB became extremely popular because people could produce cross-platform peripherals.
Apple has invested heavily in Firewire, making sure more peripherals like hard drives worked with it.
A few corrections.
Number one is correct. This is the hardest part of getting WEP to work, and also the biggest vulnerability (social engineering of the WEP keys)
On two, you should read the referenced article. All of the weaknesses they discovered are independent of the size of the encryption key. They are just as valid for 1024-bit keys as 8-bit keys. The main problems are the too small (24-bit) IV, which results in a high rate of reuse of keying material, and the poor choice of a checksum method, which allows an eavesdropper to change arbitrary bits in a packet and update the CRC without knowing the WEP key. Had the vendors doing 128-bit WEP gone to a 64/64 split between key and IV it would have been a big improvement. Instead, they split it 104/24, providing no increase in security over the 40/24 split for many attacks.
I'm not sure what you are talking about in three. 802.11 specifies two authentication algorithms. One is a crude "open" method which allows any client to "authenticate". The other is "shared key", which is based on a simple challenge-response using WEP key #1. At no point is DNS involved. In fact, 802.11b has no dependence on any portion of the TCP/IP protocols. It may be that your vendor has included their own authentication on top of 802.11, but if so it has nothing to do with WEP.
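As an added example (not from this thread or any vendor), the two weaknesses the post above describes can be checked numerically: how quickly a 24-bit IV space forces keystream reuse compared with the 64-bit IV the poster wishes vendors had chosen, and why a CRC cannot act as an integrity check (it is linear under XOR) while a keyed MAC such as HMAC is not. All data and keys below are constructed for the demonstration.

```python
"""Added example: WEP IV reuse and CRC-32 linearity, checked numerically.

Not code from the thread; the inputs are constructed for the demo.
"""
import hashlib
import hmac
import math
import os
import zlib


def iv_reuse_probability(iv_bits: int, packets: int) -> float:
    """Probability that at least two of `packets` randomly chosen IVs
    collide (birthday bound, using the standard exp(-n(n-1)/2N)
    approximation, which is accurate for these sizes)."""
    space = 2 ** iv_bits
    if packets >= space:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_half_chance(iv_bits: int) -> int:
    """Number of packets after which an IV repeat is more likely than not:
    n ~= sqrt(2 * N * ln 2).  For 24 bits this is only a few thousand
    frames; for 64 bits it is billions."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(2.0)))


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "demo requires equal-length inputs"
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 satisfies crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for
    equal-length inputs.  Because the relation needs no secret, a checksum
    of this kind cannot protect a frame against deliberate modification;
    this is the property behind the WEP ICV weakness the post mentions."""
    zero = bytes(len(a))
    return zlib.crc32(_xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """The same identity tested against HMAC-SHA256.  It does not hold
    (except with negligible probability), so the tag of a modified message
    cannot be derived without the key."""
    def tag(m: bytes) -> int:
        return int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big")
    zero = bytes(len(a))
    return tag(_xor(a, b)) == tag(a) ^ tag(b) ^ tag(zero)


def demo() -> dict:
    """Collect the results a reader would want to compare side by side."""
    frame = b"constructed frame payload"          # constructed sample data
    delta = bytes([0, 0x40] + [0] * (len(frame) - 2))  # flips one bit
    key = os.urandom(16)                           # constructed demo key
    return {
        "half_chance_24": packets_for_half_chance(24),
        "half_chance_64": packets_for_half_chance(64),
        "p_reuse_24_after_100k": iv_reuse_probability(24, 100_000),
        "crc_linear": crc_is_linear(frame, delta),
        "hmac_linear": hmac_is_linear(key, frame, delta),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```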
Can you explain this further? I was unaware of any dependency between 802.11b and DNS, and I certainly didn't have to make any DNS changes to get my setup working - including full encryption. Is this an optional part, perhaps related only to the key-distribution you give as concern #1?
Slashdot - News for Herds. Stuff that Splatters.
Bluetooth is vaporware. It's not going to happen.
-This sig intentionally left blank
Surely authentication and encryption are built into any wireless networking technology worth its salt. Encryption is obviously needed to stop anyone from listening in, and authentication is needed to stop anyone from logging onto the network. Something as simple as SSL with some user management would do the trick. An example being that each client card would have a keypair, and you would teach the network to accept each client card just the same way that you can teach car alarms to accept different remotes. Simple really, not much more to say on the topic.
The wireless groups in Australia have been discussing PPPoE, VPNs, and SSH-encrypted PPP connections. The general consensus is that the SSH path would be too slow. Likewise most any additional encryption would slow the network. The wireless cards already use encryption, but it seems to be useless if someone else has a wireless ethernet card. Kinda redundant.
Just use encryption - IPSec is ideal for this sort of thing, or PGPnet. It's either that or change your working methods.
Frog51
Sad but true, the actual transmitters themselves can do a lot to prevent unauthorized access. Spread spectrum, especially when combined with synchronised frequency hopping, is brutally effective at stopping people "listening in". The US armed forces have been using the technologies for years. Seems a shame that with so many "off the shelf" components that could implement this technology, large manufacturers are still going for insecure links.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
This problem will never go away unless new security-related technologies are shown to the crypto and security community for peer review before deployment. This is why I respected the recording industry when they asked for SDMI to be tested.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind}
The gold cards aren't strictly WEP -- they use 128-bit RC4.
Can I ask you which dept you're referring to? Because I've never heard of OSU doing anything remotely similar to this :P
--- Simple solutions are always the best
You create an airlock. Every opening has two doors, vents are covered by metal grids, and power is delivered through iron rings via inductance. Read up about military facilities, they do it all the time. Besides it was a joke. :)
What the hell did I do to piss you off, buddy?
They frequently imply that they log all activity, and then refer back to it if they catch you in a violation. In any case, all our traffic goes out the T1, so they can watch it themselves exceedingly easily, without bothering to use sniffing on the wireless part of the network.
--hongpong.com
Ho hum. Not a single argument that was not completely predictable. Oh well, guess I'll have to restate the obvious for your benefit.
That's a non-trivial effort. Do you think the average script kiddie is going to take their wireless-equipped laptop, with 45GB worth of storage, and go sit within range of the target network for 400 hours, and then apply all the compute power to crack the keys? Dream on. Yes, some people can do this, but those are specialized organizations devoted to this kind of task - not random script kiddies.
Yes, I do, thanks very much for asking. Do you? One of the things about script kiddies that you seem to have missed is that the programs they like to use are relatively easy to write and don't care very much about the exact flavor of the underlying hardware. The "confusing the firmware" exploit we're talking about would have to be repeated for every hardware/firmware combination, and would not be at all easy to write. Half of this hardware doesn't even work on Linux due to lack of driver support. Do you really think more skill and effort will be applied to "confusing the firmware" than has been to unconfusing it and getting it to work? Again, dream on.
Of course, you're right that all it takes is one person to write the program and thousands to use it, but it might still take a while before that one person gets done. With a responsible approach to security, it might have taken them long enough that the vendors would already have plugged the holes by the time the exploit code was ready.
That's your opinion. Please back it up.
Do you really think it's that hard for vendors to incorporate a 4096-bit cryptographically secure certificate into the firmware image, such that the card will refuse to operate if the certificate is invalid? Think again. I've worked on firmware, and this is the easiest thing in the world for them. Lots of cards have to decompress their firmware as part of the bootstrap procedure anyway; once you're decompressing, it's trivial to add validation. There is no need for the "hardcoded drivers" (what an absurd concept) or other strawmen you suggest.
It's an IEEE standard, moron. Do you know what that means? The IEEE goes to extraordinary lengths to solicit and incorporate input from interested parties, many of whom I'm sure are pretty well qualified in their fields. We're not talking about some obscure closed trade group here. IEEE standards are in many ways more open than the not-really-standards of open source. Without IEEE standards we probably wouldn't be talking. How do you think your packets get to slashdot? In large part you owe thanks to IEEE for that.
It's your claim, that the process was somehow not open, that is absurd and that requires proof. Get to it.
You just don't know anything about peer review, do you? How many of these sorts of activities have you participated in? The fact is that when you're dealing with complex new technology people sometimes make mistakes. Sometimes the mistakes are real howlers in retrospect. That's life. How many problems do you suppose these guys anticipated and dealt with that you would have flubbed if you'd been in their place? It's really easy to jeer from the peanut gallery, with full benefit of hindsight, but really people who do that are just being pricks.
No, really, try to give us a responsible rebuttal, instead of trying to substitute sneering for reasoning. Try, anyway. What you dismissed so flippantly is actually a very hot issue among security professionals: who gets to find out first?
Now, I knew when I suggested it that the "tell the vendors" approach wouldn't be very popular here on ScriptKiddieDot, but that doesn't make it a troll (and neither does calling it one). It's worth considering how this audience differs from the Real World. For one, the attitude here is "openness at all costs". There's no room allowed for discretion or careful handling of delicate issues. No, I'm not talking about "security through obscurity" because that never works. What I'm talking about is giving the vendors a reasonable timeframe in which to fix problems before letting every black hat in the world have the info. Let's face it, for every white hat on this site there are probably a hundred black hats, and I doubt that there's a single person involved in this discussion in a position to do good rather than harm with this information. How do you think it benefits anyone but the script kiddies to publicize this problem in this fashion? It doesn't help the problems get fixed any faster, it just maximizes the damage that gets done before the problem is fixed. Screw your "information wants to be free" dogma, and think about social implications for once.
In case you missed it the first time, and the second time, let me repeat a third time: I agree that there's cause for concern in this. Nobody's disputing that. What pisses me off is that people are trying to enhance their own images by panicmongering. The actual security threat here has not been shown to be effectively distinguishable from zero, and yet these people are acting like any semi-literate cracker might already have everyone's credit card numbers. Believe me, we're all threatened much more by existing security problems in the wired network than by any implications of these findings. If there's one thing that's obvious from all this, it's that the biggest security problem is people not even using the security facilities available to them.
Back when I went to MPA, we didn't have fancy things like laptops. We had insecure windows 95 machines with censorware in the library and we liked it. Some of the more wealthy students like to play golf on their personal laptops during study hall, but I rarely saw them used otherwise.
I remember very little else except that certain US students had to battle to keep the Mac lab open after school. That's quite a cooked agreement you have to sign to use their laptops, though. If you're ever downtown St. Paul and need wireless access, my network's available. Keep up the good fight.
I don't need large brains to have a good time.
Have you read this paper? Its whole thrust is that your point #2 is false. Moreover, it only mentions DNS once in passing as an example of a type of packet an attacker might want to modify. At no point does it state or imply that WEP in any way involves DNS.
Promiscuous devices sending matter flying through the air?
Are you sure this is suitable for a family website?
You can solve that problem by physically and configuration-wise securing your switches (you do use switches, right?).
On the other hand, it's been said too many times to count that if you don't have physical security, you don't have any!
Robert
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
It's less than 20 ft to the ceiling in most cafes, and I bet that more laptops have IR than 802.11. Mind you, then I'd have to sit with the laptop perched at an awkward angle so that the ceiling-mounted sensor could see it... but still, that strikes me as a nice Q-n-D solution.
I've been meaning to get our local CCS dept to wire up the local cafe, as a promotional stunt to attract good students, but of course, I haven't bothered actually telling anyone about my plans -- I'm still at the thinking loudly stage.
Drive by wireless cracking?
The solution is to use all switched ports and lock down the ports to specific MAC addresses. That should solve most of your problems in this area. You could also just walk the switches looking for new addresses everyday.
You can't grep a dead tree.
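The "walk the switches looking for new addresses every day" idea from the post above, as an added example that is not code from the thread: it parses a baseline and a current MAC address table, then reports new MACs, MACs that moved to another port, and ports that suddenly carry more than one MAC (what an inserted hub or tap would look like). The dump format and every address in it are constructed for the demo and do not follow any particular vendor's CLI output.

```python
"""Added example: diff two switch MAC tables and flag changes worth a look.

Not code from the thread.  The dumps below are constructed sample data in a
hypothetical 'vlan mac port' layout, not a real switch's output.
"""
import re
from typing import Dict, List, Tuple

BASELINE_DUMP = """\
vlan  mac-address        port
10    00a0.c9ab.0001     Fa0/1
10    00a0.c9ab.0002     Fa0/2
20    0002.b3cd.1001     Fa0/5
"""

# Constructed "today" snapshot: one MAC moved, two new MACs appeared, and
# two ports now carry more than one address.
CURRENT_DUMP = """\
vlan  mac-address        port
10    00a0.c9ab.0001     Fa0/1
10    00a0.c9ab.0002     Fa0/7
10    00a0.c9ab.0099     Fa0/7
20    0002.b3cd.1001     Fa0/5
20    0002.b3cd.2222     Fa0/5
"""

MacKey = Tuple[str, str]        # (vlan, normalised mac)
MacTable = Dict[MacKey, str]    # -> port name
Alert = Tuple[str, ...]

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalise_mac(raw: str) -> str:
    """Reduce 'aabb.ccdd.eeff', 'AA:BB:CC:DD:EE:FF' or 'aa-bb-...' to
    12 lowercase hex digits so the same card never looks like two."""
    mac = _NON_HEX.sub("", raw.lower())
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_mac_table(dump: str) -> MacTable:
    """Read 'vlan mac port' rows; header, blank and unrelated lines are
    skipped because their first field is not a VLAN number."""
    table: MacTable = {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        vlan, mac, port = fields[0], normalise_mac(fields[1]), fields[2]
        table[(vlan, mac)] = port
    return table


def ports_in_use(table: MacTable) -> Dict[str, int]:
    """How many MACs each port is currently learning."""
    counts: Dict[str, int] = {}
    for port in table.values():
        counts[port] = counts.get(port, 0) + 1
    return counts


def diff_mac_tables(baseline: MacTable, current: MacTable) -> List[Alert]:
    """Return sorted alerts: ('new-mac', vlan, mac, port),
    ('moved', vlan, mac, 'old->new') and ('shared-port', port, count)."""
    alerts: List[Alert] = []
    for key, port in current.items():
        vlan, mac = key
        if key not in baseline:
            alerts.append(("new-mac", vlan, mac, port))
        elif baseline[key] != port:
            alerts.append(("moved", vlan, mac, f"{baseline[key]}->{port}"))
    before, after = ports_in_use(baseline), ports_in_use(current)
    for port, n in after.items():
        # A single-host port that starts learning several MACs is the
        # signature of a hub, tap or unmanaged switch hung off it.
        if n > 1 and before.get(port, 0) <= 1:
            alerts.append(("shared-port", port, str(n)))
    return sorted(alerts)


def run_demo() -> List[Alert]:
    return diff_mac_tables(parse_mac_table(BASELINE_DUMP),
                           parse_mac_table(CURRENT_DUMP))


if __name__ == "__main__":
    for alert in run_demo():
        print(" ".join(alert))
```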
My company did an extensive study of WLAN products, and Nokia was the only one that passed our security tests. They created a product in conjunction with the WLAN called the Public Access Zone Controller (AZC). The AZC prevents unauthorized access, not based on MAC, but by username/password (or SecurID), and incorporates VPN for encryption on top of WEP.
What was really interesting, was the fact that Nokia put a smart card slot on the WLAN card. As far as I know, no other vendor has done so.
^Air^Head^
Yes, you can. Trivially. Often you don't even need special tools, it's right there in the driver config.
Other people have suggested approaches for preventing this problem, most of a preventive nature. If you want more of a "honeypot" kind of solution that lets you catch a spy, here's an idea. Leave the device in place. Filter out all actual IP traffic going through it, and set up alarms to go off when someone makes a link-level connection. With the right equipment you can pinpoint their exact location when the alarm goes off, but even if you don't do that at least you get a chance to look around for people who seem to be in places they shouldn't.
It's not totally foolproof. In particular, it's possible to do truly passive listening that wouldn't get detected, but if you're dealing with someone that sophisticated I doubt you're looking for tips on Slashdot. ;-) Most off-the-shelf access points won't send out any signal at all when they have zero link-level connections, so that's the dead giveaway.
what bar is this...?
---- Just another spud server.
with implementations available for linux, bsd, and win2k, is the answer. More information can be found with a google search.
If you don't mind a bit smaller screen and using WinCE, the Intermec 6651 is a great terminal. It has a fully rotatable touch screen, as well as a bonus of having an integrated digital camera in the hinge area. The quality of the camera is not the greatest in the world, but for an integrated camera in a light-weight mobile device, I'm happy with it. You can find more information on www.mobileplanet.com by doing a search for 6651.
It will faithfully do 802.11b wireless and works great around the house, also works great for taking with me to class for taking notes. And with the touch screen and included software, you can even do diagrams!
If you want more info about it, take off the fuzzy rabbit slippers and e-mail me.
--Josh
In the words of Homer Simpson... "Mmmmm... beer."
i imagine that it'd actually be harder to copy a signal in the air than one over a network.
Why not just send the message anonymously via the administrations' own mail accounts? That would get their attention.
Wow, you have really got to be a dedicated geek to take your laptop with you when you are taking a leak. Kinda brings to mind an image of someone at a urinal trying to prop their laptop up with one hand while aiming with the other.
Now, I'm all for Privacy (please note the A.A. Milne-style caps), but the fact of the matter is that anyone who sniffs my packets, and most other people's, is going to get a big fat lot of nothing interesting. The level of security I need differs depending on what I'm doing. If I'm talking to my mom about how her dog had to have hip surgery, I'll use my cordless phone. If I'm plotting assassinations, I use a landline with scramblers on both ends. Sometimes, for convenience, I'm willing to sacrifice a little bit of privacy (letting everyone see my /. posts and searches for 'porn' on MSNBC). All things being equal, I'd take security over not, but hey, life is full of little disappointments.
As an aside, I assume that stuff like SSL will still work on this wireless network, so if the packet is sniffed they'll get garbage... Anyone know different?
Brant
Argle. Bargle.
Visit the isp-wireless mailing list and associated archives at http://isp-lists.isp-planet.com/isp-wireless/
These guys eat and breathe this stuff 24/7... they have to. And they love to share knowledge.
-Chris
...More Powerful than Otto Preminger...
Don't get me wrong - I love 802.11b and use it all the time. But I use WEP and my access points are on an isolated LAN tied to an IPSec box which allows me to get to my internal firewalled LAN. Sure, throughput is an issue, but in those cases, I get my ass off the couch and sit at my desktop! :)
I was only replying to the parent post. He described putting up a packet sniffer and the way he described it, it didn't sound like he was using the methods described in the paper to crack WEP. It sounded more like they were sniffing packets that had already come back to transmission over wire.
Well, that is the way it is in Dreese Labs. I know the OSU open source club was working on the Beowulf cluster and someone plugged in an ethernet card and an alarm went off or something.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
How do you s*** through the suit while you're on the pot? Oh, I guess that explains the total geekness....
I betcha you never watched South Park. Otherwise you wouldn't have considered Canada. They make perfectly good trashcans there!
Dutch people suck.
Are you sure? I'm _fairly_ certain that LegitUserAlice cannot read packets sent by LegitUserBob without having to crack some encryption as described in the paper.
That's simple.. you just sit on the pot out of habit.. the suit takes care of the rest. Mind you, the catheters aren't that comfortable, but hey, that a small price to pay.
Besides, you won't be sitting too long after your laptop catches on fire (what? No air == no convection?).
"'Tis great confidence in a friend to tell him your faults, greater to tell him his." --Poor Richard's Almanac
I first heard about the Stockholm situation (which I'm certain is no different from that of NYC, London, Paris (if you read French :-), &c.) from this copy of Bruce Schneier's Crypto-gram newsletter. It's near the bottom---search for ``anecdote''.
Makes me wish I had a WaveLAN...
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
1. Data Encryption: (read: WEP)
2. Refusal of APs to accept connections from clients set to "ANY" (thus preventing same-protocol sniffing)
3. MAC Address blocking/accepting. Accepting connection based on MAC address will not prevent wireless side sniffing, but it helps keep the data on your wired network a little bit more secure.
Let's remember that with any medium there are always ways to sniff data, including wired networks, but we can do our best to make it more difficult for those who want to.
Well... this study has blown apart RC4 encryption used in 802.11b devices, and it just so happens the 128-bit devices use RC4. It doesn't matter how secure the encryption is if the devices do not exchange keys securely.
In the circumstance you describe, the fact that it was a wireless LAN makes no difference. You can packet sniff ethernet just as well.
And in either case, the solution is to use a VPN.
That is why if you are running a secure network you should be using managed switches and have unused ports disabled. It's not foolproof, but would make something like this much more difficult.
Last weekend I was in Boston and it was hard to find a place where I didn't have access to someone's wireless network. Just drove around the Back Bay and at stop lights would check out my laptop. Most of the time I had a usable signal (typically 20% strength, 90% quality according to the software that came with my card). And I never had to do anything: no trying to find the SSID, no hacking WEP keys, it just worked.
The coolest part is, each time I was on someone's LAN, on the fun side of their firewall. Joy.
Just be happy your school has any kind of internet access. I can remember long afternoons with a few buddies, waiting for Pamela to appear via the 14.4 Courier we had on our *screaming* 486DX!
Why bother securing the network? Secure the hosts and then you can use them safely on any network, trusted or untrusted.
One of the top 3 hacks was an application that put an AirPort card into promiscuous mode and showed every .gif or .jpeg file that came across the network. It was pretty funny.
-D
For an amusing (and somewhat scary) display of Prior Art, see what some of the land/world's premiere techs were doing at the USENIX technical conference in San Diego last summer. Dug Song presented a WiP (Work in Progress) entitled, roughly, "Passwords Found on a Conference Wireless Network." Unfortunately, I cannot find a link right now. There should be enough data here to find it from either USENIX or Dug Song's pages. Hrm. If it's archived anywhere.
Given enough personal experience, all stereotypes are shallow.
Starbucks are also going to roll it out in the UK as well, just a bit delayed.
802.11 is more popular (by numbers anyway) in the UK at the moment, as it has some nice peculiarities which allow very dense Access Point packing and higher range - great for use in stores and warehouses like Tesco, Sainsbury etc, but 802.11b has more potential bandwidth-wise.
Once we get onto the 25 GHz band and transmitting at 50 Mbit/s, the price of the lower-spec kit will be easily within reach of the home user (it almost is now - I have a wireless network in my house :) but we'll always be behind the US as we are limited to 100 mW, so we need more APs for the same area. Of course we won't get our brains fried as fast!
Frog51
"I'd be curious to see what people think about the possibility of securing a network that sends data through the air."
For one, you could try a lead-coated bunker so that even Superman and the MPAA won't be able to tap into your precious air waves.
After that, if you're scared about air contamination (all that data has to run through it, no?) you can try accomplishing a complete vacuum ; the NASA has some big pumps for lease.
Having to wear a spacesuit for kernel hacking on an iBook while sitting on the pot will bring you to total geekness!
/max
-- It's always darker before it goes pitch black.
There are 3 major problems with WEP (which stands for "Wired Equivalent Privacy," BTW). I will list them in order of increasing severity.
1) Key distribution. If you aren't the only person on the network, getting the key out to other people is a non-trivial task and can be the weakest link.
2) 40-bit - the standard WEP keysize is completely insufficient and can be cracked in relatively no time. 128-bit versions of the hardware are available, however, so this is an improvement.
3) This is the biggie - the WEP authentication protocol relies on DNS and is therefore prone to massive man-in-the-middle attacks. There is a paper by Jesse Walker called "Wireless LANs Unsafe at Any Key Size; an analysis of the WEP encapsulation" that I encourage everyone to read.
WEP is especially dangerous because it establishes a false sense of security that causes people to be more willing to send sensitive data over the network. You still need to use some other encryption method on top of WEP - even at best it gives the privacy of a standard ethernet LAN.
Other technologies are under development to improve the state of wireless security, such as the IEEE 802.11 Task Group E, which is trying to develop an authentication scheme suitable for 802.11 wireless networks, or the IEEE 802.1x protocol which will do similar things at a more generic level.
There is no existing good solution to the wireless problem (PPPoE hacks aside).
-Alison
If you look at the actual research page you'll get much more in-depth information about this, far more than the article.
The researchers say that all of the following are possible using off-the-shelf hardware:
analysis.
stations, based on known plaintext.
worth of traffic, allows real-time automated decryption of all traffic.
It only takes 5 hours to collect enough information to mount a statistical attack! They also describe both passive and active attacks that are possible in some detail. This isn't something to shrug off - even a passive attack is potentially very damaging. And it's not exotic hardware - you can get a lot of mileage just out of your consumer hardware.
There's also a draft of the paper available from the research group.
Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
Just because that's the way your HS wireless LAN is set up, don't think it's done like that in the business world. Every business WLAN I've seen has had WEP turned on, and every transaction done over that network has been SSL or using a VPN package. Yes, this includes SSL for mail and even the corporate intranets...
What you said is also true of most every LAN I've seen... as in "let me just say that this (a LAN) is one of the most ridiculously insecure technologies in the world, just waiting for packets to be pulled off the wire...". The simple fact is most business WLANs are new enough to where security is a concern, most LANs aren't, and it shows.
--- I do not moderate.
This Flawhoo story points to www.isaac.cs.berkeley.edu, where they have apparently contrived a way/used the 802.11 standards to sniff on an 802.11 network. Pretty neat schtuff for all you NetworkAdmins who have put that into place already. no we can 0Wn3 j00.
My "original" and "personal" expressions go here.
Could you give references for any papers offering cryptanalysis of any version of the WEP protocol?
I'd also be curious to know more about your participation in the cryptographic community that you refer to - maybe we've met and I don't know it?
Xenu loves you!
Foo bar, of course.
:)
(cheesy, but had to be said)
Those who do not know the past are doomed to reimplement it, poorly.
Last time I checked, even ordinary LANs are not that secure at all. Ethernet frames transmitted in the clear, and all, y'know. That's why they invented things like SSH, SSL, IPSec, among other fun encrypted protocols. Sure there's MITM attacks still to worry bout, and the like, but it still is much smarter to be using the encryption than not. Even if you're not on a wireless LAN.
I found the staff e-mail index at your school's web site and sent them a link to the article. I explained that it wasn't really you that was afraid to let them know about this, but really it was someone who had stolen your password and wanted to make you look bad.
Dave
I can build a PC to do the job that's the size of a rubik's cube; Or I can use an off-the-shelf libretto. One would need an additional filter to solve the dust problem, assuming the machine has active cooling, which is not a safe bet at all.
A telephone tap is depressingly easy to make in your home. A "hidden camera" is regulated, but a CCD camera which is about 3cm long and is on a PC board approximately 3cm square is not controlled, and can be hidden in all sorts of interesting devices, like smoke detectors. So, no. This is a networking device. People who don't set up their network for security are bound to be in trouble. If you have a switch (If you're too small to have a switched network, no one cares about your data) with any intelligence at all, you can limit the mac addresses which can live on it; Or in some cases, the IP addresses. True, macs can be changed, but this allows some reasonable security.
Most companies will only have to care about crypto between Windows and Windows. Some will have to care about Windows to Unix. More than that will probably be more concerned about Unix to Unix. Very few will be worried about encryption to their Macs, since most shops use Macs to feed their artists. Windows-to-Windows and Unix-to-Unix encryption isn't so tough. Windows-to-Unix is fairly doable. Anything else is just icing.
--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Only one problem -- DOS attacks / bandwidth theft can still be accomplished, unless you want to proxy _everything_. Which leaves you open to DOS attacks.
--
--
I Hit the Karma Cap, and All I Got Was This Lousy
www.etherpeg.org
-pmb
-
Discussing this is like talking about the weather.
Since the 'net is already connected over satellites, what difference does it make ?
My writing here, together with your stuff, is ALREADY checked at Fort Marlene.
And NO, I don't think I'm paranoid, I can live with that pretty good.
With a background in transmitters, radio, intelligence, this topic plays down the very real threat that we love to forget.
"Hackers" are just folks who don't work for the DoD, but in fact, they do almost the same.
We should keep this in mind, before paranoia will destroya...
At Ohio State University, if you plug a computer into an ethernet port and they haven't authorized that port to be used, an alarm goes off, you get no network connectivity, and you get located fast. They did this for the exact reason you are talking about, so nobody could bug the network by plugging in to an ethernet port in some back closet where nobody would notice.
Pretty good system if you ask me, although I couldn't explain exactly how it works.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I thought the definition of script kiddie was ``someone whose capacity doesn't come close to encompassing X, for all values of X != `run predigested code.' ''
Thus, unless ``changing the configuration of the drivers'' is something hairy enough that no scriptmaster will bother doing it, it's only a matter of time before the kiddies are equipped.
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
What I would really like to do is replace the laptop with a slightly different device. It would have everything the laptop does, but the screen would be able to fold all the way around, like the way people open a magazine and refold it backwards.
If you did that, the keyboard would be on the other side, and keys would probably get hit a lot.
What I'd like to see is the computer bits in the screen half of the laptop, so the keyboard could be removable. Make the screen a touchscreen, perhaps include a little writing square a la Palm, and then you could use it sans keyboard as needed. Much more portable.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Not until there's a kiddie-level exploit that runs on windows...
How long did it take before there were a meaningful number of USB products? IEEE1394?
Those who can not remember the past are doomed to make silly remarks about the present.
My high school is one of the first in the country to use Apple's AirPort wireless technology in the classroom. We all have Apple iBooks. Everyone uses AOL Instant Messenger in class all day long. :-)
One day someone figured out that packet sniffers can be used on the network to see other people's POPmail passwords and AIM conversations, as well as whatever websites they are at. It is genuinely disturbing. However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome.
Let me just say that this is one of the most ridiculously insecure technologies in the world, just waiting for the packets to be pulled down out of the air with a packet sniffer program like EtherPeek. People have been doing this for months around here.
How is this different from any other LAN? If I let you sit down at a computer in my room and you run a packet sniffer, you'll be able to see all of the traffic going to and coming from the other machines in the room. When I was in college the same was probably true for my entire dorm (the LAN was not switched inside the dorms). This is how networks work. If you don't want someone else reading your passwords or your instant messages, encrypt them.
The only difference with wireless is that someone who isn't supposed to be on the LAN might find their way in, but it sounds like the authorized users are causing most of the problems.
Plus you'll have to know the SSID and break the encryption. So if you use a directed antenna, say, 3 degrees, AND use some kind of VPN over the WEP encryption, it should be quite secure.
What's with the GIGANTIC Oracle ad? I honestly couldn't read the frigging article, the ad flashed so much. Banner ads are okay, but not animated GIF's in the MIDDLE of the article...
No, several words... "End-to-end encryption". If you're using security end-to-end (SSL, SSH, IPsec, document encryption) the only privacy consideration you may have will be traffic analysis, and it won't matter what physical network you're running over. Sure, you can secure your local net all to hell, but you still don't know what your packets will be traversing once you leave your network.
Frequency hopping is basically like an ordinary radio transmitter which is tuned to a different frequency every 100ms or whatever your rate is. The signal strength on each frequency is max, and if you know the hop sequence, you can follow the signal.
Direct Sequence does not hop!! It takes the input signal and combines it with a long chipping sequence in such a way that what was a peak at one frequency becomes a very low broad signal. The military like this because you can get the whole signal to lie at a lower level than rf noise - making it an absolute bugger to find, let alone read. The radio for these is much more expensive but the price is coming down.
Most of the major manufacturers sell both kinds - Symbol and Cisco being the two top brands. Symbol's kit is rebadged by people like 3Com, and Cisco bought Aironet or Telxon, before Symbol bought Telxon. Lucent do quite a good 11Mbit/s Point to Point link as well.
Frog51
...you'll realise it's already here :P
This wouldn't be a big problem if I were running SSH, SSL, and kerberos.
Hm. Looked fine in preview, but something seems to've been lost. What I meant to say was "for a totally saturated access point".
Slashdot - News for Herds. Stuff that Splatters.
The new trading floor being built at 30 Broad St. in New York will have wireless (802.11) connection from the POSTs and trading terminals.
The Economics of Website Security
I was on someone's LAN, on the fun side of their firewall.
This is a little worrying in some ways - they're also on your side of your firewall. Imagine an automatic laptop-hacking machine, left within range of a cafe / station etc. that slurped up every interesting laptop that walked into range...
As I'm an obvious target for such a thing, can anyone suggest resource sites on how to secure my own laptop against such an attack ? I'm used to dealing with firewalls, SYN attacks et al, but someone having the ability to hammer directly on my card slot is a new one for me.
Just wait for the 50mW system on aircraft. I can sit there in my seat and get a wireless connection from my laptop into the Internet & corp. email. Neat idea.
Good idea! Hummmm!
Now what else is there hidden in here... hmm!! It would be like the extreme hack. You are flying to Sydney, there is plenty of time to KILL.
You should start seeing it in the next few years.
Putting a hub inline does not bypass switchport security. A transparently bridging ethernet switch would still learn the MAC addresses of devices connected to the hub, and can still shut down the port if an illegal MAC is used.
The next big thing in firewalling is going to be insulating your entire building with aluminum foil so no radio signals get outside :)
Next thing you know Cisco will be buying Reynolds (makers of Reynolds Wrap aluminum foil) to incorporate the new high tech, high security technology the food storage company has been developing. Buy stock.
troll? Would someone point out exactly why that would be considered a troll? The examples given are factual (if dumbed down) representations of both protocols... moderators who have no knowledge of the subject matter should refrain from moderating examples of protocol down.
---
Video meliora proboque deteriora sequor - Ovidius
"...Wireless networks tend to be short range. Several college campuses and business have them, but wireless can only do so much and only transmit so far." Try up to 20 miles for a two-way wireless, and 40 for a download. Those are the best ranges we get at work, with our antennae so far. If you amped a transmitting antenna, I'm sure we could squeeze an extra 5-10 miles out of it. The range is getting longer and longer due to the telco's lack of service in certain areas. Give it another year, and I think we'll start to see repeaters up everywhere. Also remember the frequency, 2.4 GHz. This has the potential for 2.4 Gb/s, but now is usually about 11 Mb/s, and rarely even close due to small pipes on the ISP side. I couldn't lurk anymore.
"Go, Lemmings, Go!"
I'd love to find some of this off the shelf hardware. If anyone comes up with a piece of hardware that would get displays of the ssid's on the radios I work with, I'd love to try it out.
Well, assuming the numbers they do (i.e. 1500 byte packets), it takes only 11 Mbps * 18000 seconds = 198 Gb = 24.75 GB of storage space to get a collision in a worst case scenario. But more important, there's no reason to save everything as you go along.
Instead, you just do something like the following. Assume it takes 10 IV collisions to be reasonably assured of computing plaintexts by statistical analysis (this may be generous, considering the redundancies in most of the packets--TCP headers, easily guessed content, etc.). Then you can just build a table for the IV space one portion at a time: say one-eighth at a time. In other words, first you just store all the packets with IVs in the range 0-1x2^22 until you can statistically analyse them and build an IV->cipherstream table for all those IVs. Assuming 10 messages for each IV, this takes about 31 GB. When you're done with that, throw out all those old packets and start on IV range 1-2x2^22, and so on. As they pointed out in their summary, it only takes 15 GB to store the entire IV->cipherstream table. Thus we have total expected storage requirements of ~45 GB, and a total running time of 400 hours to decrypt all future traffic on the network. Moreover, we can start decrypting all the packets with IVs we've already "solved" as soon as we solve them.
This is entirely feasible, but it isn't even the half of it. As they suggest, a much better solution to this problem is to use an active, chosen plaintext attack. That is, the attacker can send a known packet from the outside to a machine on the wireless network; the network will encrypt the packet and send it to that machine, along with its IV in plaintext. The attacker merely needs to intercept that packet (a problem, of course, is knowing which packet it is, although this is solvable with unusual choice of destination machine, etc.) and suddenly he has solved that IV, with no statistical analysis necessary. With this method, we only need 15 GB of storage space (for the table) and enough time to send messages which will be encrypted with every different IV. The latter requirement is going to take a real long time, of course, but as a way to attack, say, 95% of the IVs this is very efficient.
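To make the IV arithmetic and the keystream-reuse point in the two posts above concrete, here is an added example in Python (not from the thread or from the paper it discusses) that models WEP's keying: the RC4 seed is IV || shared key, the 24-bit IV travels in the clear, and two frames under the same IV share a keystream, so one known plaintext reveals the other. The 11 Mb/s link rate, 1500-byte frames, the 40-bit key and the sample plaintexts are assumed, constructed values.

```python
import zlib

IV_BITS = 24             # WEP's IV is 24 bits and is sent in the clear
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Model of a WEP frame body: IV (clear) || RC4(IV||key) over data||ICV.

    The ICV is a CRC-32, the linear checksum the thread complains about."""
    assert len(iv) == IV_BITS // 8
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: rebuild the keystream from the clear IV and the key."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + shared_key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame: bytes, known: bytes):
    """Keystream reuse: if one frame's plaintext is known, XOR gives that IV's
    keystream (as many bytes as the known plaintext), and every other frame
    sent under the same IV can be read without the shared key."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor_bytes(ct, known)


def iv_cycle_seconds(link_bps: float = 11e6, frame_bytes: int = 1500) -> float:
    """Seconds until a saturated link has used every IV once (constant frame size)."""
    frames_per_second = link_bps / (frame_bytes * 8)
    return IV_SPACE / frames_per_second


def keystream_table_bytes(frame_bytes: int = 1500) -> int:
    """Storage for one frame-length keystream per IV; the figure scales with
    whatever average frame size is assumed."""
    return IV_SPACE * frame_bytes


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit shared key
    iv = b"\x00\x00\x07"                        # one IV, reused by two frames
    known = b"known plaintext bytes"            # constructed, e.g. an injected packet
    secret = b"secret password!!"               # constructed, a victim's frame
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    _, ks = keystream_from_known_plaintext(frame_a, known)
    print(xor_bytes(frame_b[3:], ks)[:len(secret)])      # b'secret password!!'
    print(f"IV space cycles in {iv_cycle_seconds() / 3600:.2f} h at 11 Mb/s")
    print(f"keystream table: {keystream_table_bytes() / 1e9:.1f} GB at 1500 B/frame")
```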
I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.
Do you understand the term "script kiddie" at all?? The point of a script kiddie is that he doesn't have to know how to write modified drivers, only how to download them and install them. Hence "script"; they're running someone else's program. And in any case, modifying drivers and even modifying hardware ought not to be beyond the skills or resources of lots of corporate espionage outfits.
Your hope that equipment manufacturers address this problem is probably misplaced; doing so would seem to require them to replace software drivers with hardcoded ones, or at least insert another layer of encryption both inside the hardware and in their drivers. I submit that both possibilities are very unlikely, and that in any case anyone with deep pockets can build their own 2.4 GHz receiver without too much trouble.
Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh.
Of course there have been, though rarely such softball errors as these. The recently reported vulnerability with the extra decryption keys in PGP, while quite significant, was an implementation error, not an error in the spec itself. And the vulnerabilities found in crypto protocols by the real experts tend to be rather esoteric and impractical ones, and then mainly on entirely new ciphers, not on a spec for piecing together old ones.
In any case, the point is that they are (ideally) found *before* any products using the protocol are put into place. It's called "peer review", perhaps you've heard of it.
That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping.
I don't know the history here, so I can't comment. However, I do know that if this protocol was indeed opened up to peer review as you seem to suggest (without any evidence), then something went horribly wrong; for some reason, either everyone missed these rather obvious flaws, or, more likely, no one showed up to review it. The point is, offering something for "peer review" and then assuming it's secure after no one shows up to review it is obviously not good practice. Frankly, I can't believe that any serious peer review wouldn't flag the problems inherent in using RC4 with a linear checksum algorithm, or with layering an encryption scheme on such a tiny (24 bit!) IV space.
The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.
This is so beyond ludicrous I'm not even going to touch it. The rest of your post seems to indicate that you're not a troll, but this makes one wonder.
www.machack.com - you can even order a CD and I think this hack was included.
Actually I think it also browsed everyone's iBook or PowerBook who were in the Machine room or the Atrium where they had AirPort everywhere, and collected GIFs.
They basically said people should turn ON the encryption option for AirPort, as well as take the normal precautions for sharing.
I wasn't wireless, but even I used ssh to my home system to check mail.
Just found this link: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
empty comments,
a lameness filter,
read my parent
there is no thing
what else could you want?
Do you mean RC4 with a 128-bit key? RC4 has a 256-byte internal state, so you could theoretically speaking use a 256-byte key for 2048 bits of key entropy.
IANACryptologist, of course :-)
One way to take care of this is to have distribution closets and only patch from the switch to the patch panel outlets that are used, and not patch to ports that are not being used. This also means the distribution closets are locked. If your closets and computer room are not locked you are just asking for this kind of thing.
The article says WEP can be cracked.
Just assume that your network is always infiltrated. Encrypt all your traffic.
After all, ethernet is a shared media protocol, whether that media be air or cable. Cable is just [slightly] harder for the determined attacker to bug. For example, I could splice into physical cable and plant a tap there, or -- and now I'm speculating -- an inductive pickup could probably record traffic without even harming the cable at all.
One positive thing about this is that security will be taken much more seriously and hopefully more money and research will take place out of necessity. Most businesses I know aren't too concerned about having un-encrypted data flowing through the network because they are physically fairly secure. If they switched to wireless, security and encryption would of course become very important to them. I can only see this as a good thing. There will definitely be a big demand for "security" experts.
"What about promiscuous mode devices within range of transmitters, or satellite communications?"
Sounds like my last experience at a bar........
Dirty Pirate Hooker
Simple, I have an Airport connected to a linksys in my house. I simply enable a closed network, so you can't pick up the airport without knowing the exact IP address.
Plus, Apple runs 40-bit encryption for their AirPort. Not only that, I set up the base station so it blocks out clients that aren't on my MAC address "allow" list.
Pretty much, I feel safe, both at home and over the net, because I run AppleTalk, which doesn't go beyond the router to the cable modem.
They'd probably switch off the lan - no more free wireless internet.
+++++
+++++
The harder you look the less you see. That's what we're up against.
I took another look at the link to the paper provided in cid #13 (thanks!) and here are some observations.
"IV" is "initialization vector" and is the same as what is elsewhere called a "salt". The IV is 24 bits; in a previous paragraph the authors had calculated that for an access point an IV is likely to get reused after about five hours. From this we're apparently supposed to conclude that it's a trivial matter to store every packet until an IV collision occurs, and then use the contents of both packets to recover plaintext. They even seem to be aware that two packets often won't be enough, but fail to mention that you need to save and search another five hours' worth of peak-bandwidth traffic to get anywhere in that case.
To be fair, they do point out a pretty serious flaw in a particular implementation of 802.11b, specifically Lucent's, which sets the IV to zero when the card is initialized and merely increments it for each packet. That does indeed make life way too easy for crackers.
I would say that this is likely to be well beyond the capabilities of most script kiddies, and is probably pretty easy for 802.11b equipment vendors to address.
Damn right they haven't. Writing drivers is enough of a pain when the hardware engineer is sitting right next to you. It's harder when you have no access to hardware docs, and harder still when the hardware vendor might actively be attempting to thwart your efforts.
The real problem is not in the paper itself, though, but in the way it was reported. Consider this conclusion, from the paper:
Yeah, like there have never been any problems discovered in crypto products from the self-appointed experts. Uh huh. But I'll let that slide. Now, for contrast, here's an excerpt from the ZDnet article:
That's a pretty inflammatory statement, and apparently not far from being an outright lie. It was irresponsible (or possibly venal) of Ian Goldberg to make such a statement, and doubly so for WSJ's Jared Sandberg. As I said before, there is a matter for serious concern here, but the scaremongering from these people is not helping. The right thing to do would have been to alert the equipment manufacturers, discreetly, and let them decide how they want to alert their customers.
* Students are not allowed to download music to their laptops (i.e., macster/napster).
* MPA reserves the right to inspect the hard drive of any laptop computer. In order to do so, the following are not allowed: file encryption, password protection of individual files, or password protection of keyboard access to the computer.
* Students are not allowed to play network-based or on-line games while at school.
* Students should be able to prove that they own any games installed on their hard drives (i.e. produce a CD or product license if requested). It is not permissible to have "bootlegged" software on student computers.
Students in violation of the above rules will be subject to disciplinary action.
And yes, they told me this encryption restriction extends to email as well. Shortly thereafter, they banned using the CD-ROM drives for anything except school stuff because too many ignorant kids didn't know how to open them. Frankly it's depressing to be thought of as such a criminal. I wasn't allowed to tell people that "Encrypt" is a command in the File menu. The knowledge is dangerous. :-(
--
--hongpong.com
Put a faraday cage in the walls of your house, and block EMP too.
Yeah, I know it sucks compared to TCP, but I prefer Appletalk for security reasons. It's really hard to hack into an Appletalk network from behind a linksys, and I turned off the appletalk over TCP. That is a reason for Apple to be more secure than NT.
Besides, it makes it a little harder to snoop, even though it's slower and crummier than TCP, but i don't send gigs of data through Airport, Ethernet's faster.
Still Airport is way nifty, just keep it closed and cloaked.
Okay, the only place I could find a soft copy of this is a zip of a word document - sorry, but here's the link
-Alison
As always with security, you shouldn't have a single point of failure... make sure you encrypt the upper level protocols with the likes of VPND, IPSec or something similar.
Coincidentally, it has been reported that sensitive data from the Davos World Economic Forum was stolen last week, and Microsoft and Compaq were touting the benefits of 802.11b networking on the iPaq PocketPC; they issued all 2300 attendees with a device and installed numerous access points throughout the complex, hotels etc. I wonder if this could have been the source of the exploit?
It seems wherever Bill Gates (cheesy grin) goes... security flaws travel with him (like a fly to sh1t).
Do these rules apply only to school-owned notebooks, or also to your own?
Yes, you can have encryption, but any Radio Shack geek can get the equipment to be a node on your network, most likely an invisible one, and start cracking err... hacking? (semantics)
Anybody who implemented this sort of thing and claims that he/she "didn't know" should be fired. Nuff said.
Sig missing. Reward.
lizard boy.
A wireless LAN can be tapped by anyone with a radio and some electronics skills. The only way to secure it is with encryption. But of course, as we saw with ssh, even encrypted protocols aren't totally secure. Wireless LANs would probably be useful, but for a security minded user, they are completely useless. Of course, that won't stop high sales from people who just don't care about people downloading whatever they happen to be saying on IRC, but I'll be sticking with ugly wires for now =)
I am !amused.
Some information about their analysis is available.
Personally, I wasn't counting on WEP anyway, which is why I didn't bother buying the Lucent Gold cards. I just wish IPsec were more common, so that I wouldn't have to tunnel quite so much through ssh.
Of course, then there are unencrypted wireless networks like the ones at USENIX. Dug Song's presentation on dsniff was a big hit; look for the "Passwords Found on a Wireless Network" paper. (PostScript only, sorry.)
At the moment people worried about their data being intercepted by the Government or other organisations already use encryption such as PGP on things like email, and use SSH rather than Telnet and so on. These people will simply continue to use encryption on their wireless devices. Sure traffic is easier to detect, but the problem for any such snooper is still cracking the encryption, which is by far the more difficult task.
Of course the majority won't care about privacy then, just as they don't now...
Hepa filters for wireless network traffic...
*Shrug*
E.
www.randomdrivel.com -- All that is NOT fit to link to
Build Your Own PVR/HTPC news, reviews, &
Encryption at the data link level. Solved.
These sorts of things are best not fought openly. Instead, dual boot. Should there be a surprise inspection, accidentally turn off your laptop and reboot into your clean setup.
Someone once pointed out that while insubordination and incompetence are about equally effective, one is much harder to prove than the other.
You might have heard of a guy called Randy Bush, whose favourite party trick at such events is to sniff the WaveLAN, and email out to captured POP3 usernames their own password with the message 'Be careful with radio!'. It's not even a switched network as a default install.
Setting up some sort of VPN using PoPToP isn't a bad idea in such cases, although WaveLAN does have some security built into it. Personally I use the Buffalo Technology kit which seems to work for 'doze, BSD and Linux.
I've heard rumours that if you wander through Stockholm's business district or through the Square Mile in London, if you're in promiscuous mode you can pick up all sorts of transmissions and a large number of DHCP servers offering IPs to anyone who gets the ESS ID right.
Hope this helps someone. Just be careful out there ;)
Smegma.
I was going to suggest that somebody do something with that IR port that every laptop seems to have. They do 2 Mb/s, right? Should be enough for casual web surfing.
EtherPeg is a Macintosh program that will sniff an AirPort network and display any and all GIFs and JPEGs it finds. Comes with source.
Out of curiosity - in your part of the world, how big are wall plates and do they always have AC running to them?
Um, yeah, and the encryption is undone at the card. You can set the card in promiscuous mode, and you can sniff the network. It's as simple as that. Check out www.etherpeg.org for more info, and source on how to do it.
It is at times like this that I feel that an SSL tunnel probably isn't such a bad idea. Basically all data transmitted between the workstation and the bridge computer would be encrypted, irrespective of the top level protocol. Between the two you could place 'insecure' technologies such as wireless networks. The advantage with this approach is that it is much easier to update the software running on either of the two computers than it is to wait for the firmware of these devices to get an update. An additional advantage is that you can choose your own encryption scheme - as long as it is recognised by the workstation and the SSL bridge.
Jumpstart the tartan drive.
This is scary shit.
It takes 10 seconds to plug one of these into your network and a power outlet and you're instantaneously wide open, without knowing it. And if you've got network outlets all over your building, it's just that much easier for you to be "bugged", especially since network outlets often appear in rooms not considered to need securing, like lobbies and waiting rooms and such.
If you're a sysadmin in a really large building, can you really know that every RJ45 jack is being used legitimately? If the spy device is listen -> xmit only, and ignores arp requests, it is invisible other than one extra link light among hundreds on the rack or on some distant hub/switch.
Well, yeah. I am. ;-)
I guess I could claim that I was testing the transmitter's range or something, but it really was just a "because I can" sort of thing. I don't expect I'll be making a habit of it, though it might be handy next time I get a bad burrito or something and expect an extended bathroom stay.
*shrugs*
"I have not slept a wink"
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
Apple's AirPort traffic is encrypted. So if you're sniffing, you're doing it over copper, not from the airwaves. Granted Apple only uses a 40 bit cipher, but I imagine that it's enough to keep even the most brilliant high school geek busy for months. On a side note... packet sniffers sure are cool, aren't they?
How paranoid does an admin need to be? How do I get my superiors to know that my paranoia is justified? Most people seem to see security as an obstacle to access.
Such is the infinite Grace of Popeye.
"However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome."
-Quoted directly from original message
http://hongpong.dyndns.org/me/mail-college.html
-Note the reply address on the envelope
Methinks the lad just shot himself in the foot.
I'm not sure how much good anonymous email would do. In any case, I would not hack into somebody's email to demonstrate lack of security. That only intensifies the "kill the messenger" problem. I speak from personal experience.
__________________
The frequency
The "network number"
The encryption secret
I haven't heard of ways to arbitrarily break into one of these without some serious and expensive equipment.
-Omar
Now i have to worry when i view porn in the bathroom if my boss is snooping in on me
the wildly popular 802.11b wireless networking technologies
Is this a true description of WiFi ?
I'm in the UK, in a real geek environment, and we've only just gone partially wireless. By UK standards, I think we're still ahead of the pack.
What's it like in the USA ? Are AirPorts really popping up in every Starbucks ?
Bibo Ergo Sum.
One day someone figured out that packet sniffers can be used on the network to see other people's POPmail passwords and AIM conversations, as well as whatever websites they are at. It is genuinely disturbing. However, I am terrified of telling our administration about this because of a kill-the-messenger syndrome.
Let me just say that this is one of the most ridiculously insecure technologies in the world, just waiting for the packets to be pulled down out of the air with a packet sniffer program like EtherPeek. People have been doing this for months around here.
This is just a school. It's terrifying to think that the world's important financial institutions rely on this technology's security.
I figured that it had to happen.
I mean, the people at the University of Illinois at Urbana-Champaign have been against Wireless Ethernet for a while, primarily because -- even before WEP was known to be crackable -- Wireless Ethernet was a shared medium open to sniffing.
Gentoo Sucks
but on the other hand, we are very security minded. Anybody dumb enough not to use kerberos authentication may deserve what they get, since it is pretty simple to use.
Still, I would not be surprised if some clever folk on campus had already discovered the possibilities - several people transmit their passwords over unsecured Telnet already, and I know that some of those passwords are intercepted.
Ceci n'est pas un post
I'm assuming they find the device, as a hub is an inherently dumb device and will just re-broadcast whatever is sent to it...
"Nobody owns the fucking words man." - James Dean
Every 3 dB gain doubles the power received. Every 6 dB increase in antenna gain doubles the distance (line of sight, not over the horizon). A narrow beam dish antenna (old C-band TV dish) can have a gain over 36 dB.
If your 6 dB laptop has a range of 500 feet, the guy with the dish has 30 dB more receiving power and will get the same signal you get but from 16,000 feet. He doesn't have to be in your parking lot to sniff you. He just needs a reasonably clear line of sight. Do not be fooled into thinking the range a low non-directional antenna provides is as far as your signal travels. It isn't. It gets 6 dB weaker every time the distance it travels doubles.
It may become too weak for you, but not for a high gain directional antenna. This gain is why a dish antenna can pick out one of many satellites spaced every 6 degrees in the sky over the equator that is transmitting with 50 watts per transponder 22,000 miles away.
The truth shall set you free!
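The link-budget arithmetic behind the post above, as an added example that is not part of the original thread: it turns the "6 dB per doubling of distance" rule into a range estimate a defender can use to size the area from which an AP's signal remains receivable. The transmit power, sensitivity and gain figures in the sample call are assumed values, not numbers from the post.

```python
"""Free-space link-budget estimate for an 802.11 access point.

Assumption: free-space propagation (Friis), where path loss grows by
20*log10(distance), i.e. 6 dB per doubling of distance, as the post states.
Real indoor/urban environments lose signal faster, so these are upper bounds.
"""
import math

FSPL_CONST_DB = 27.55          # Friis constant for distance in metres, frequency in MHz
CHANNEL_6_MHZ = 2437.0         # 2.4 GHz band, channel 6 centre frequency


def range_multiplier(extra_rx_gain_db: float) -> float:
    """Factor by which usable range grows when the receiver adds extra_rx_gain_db.

    Path loss scales as 20*log10(d), so distance scales as 10**(gain/20):
    +6 dB doubles the range, +30 dB multiplies it by roughly 31.6.
    """
    return 10 ** (extra_rx_gain_db / 20.0)


def scaled_range_ft(base_range_ft: float, base_gain_db: float, other_gain_db: float) -> float:
    """Range at which a receiver with other_gain_db sees the same signal level that a
    base_gain_db receiver sees at base_range_ft (the 500 ft vs 16,000 ft case)."""
    return base_range_ft * range_multiplier(other_gain_db - base_gain_db)


def fspl_db(distance_m: float, freq_mhz: float = CHANNEL_6_MHZ) -> float:
    """Free-space path loss in dB for a given distance and frequency."""
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - FSPL_CONST_DB


def max_distance_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                   rx_sensitivity_dbm: float, freq_mhz: float = CHANNEL_6_MHZ) -> float:
    """Largest distance at which received power still meets rx_sensitivity_dbm.

    Inverts the Friis loss: budget = tx + gains - sensitivity, then solve for d.
    """
    loss_budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return 10 ** ((loss_budget_db - 20.0 * math.log10(freq_mhz) + FSPL_CONST_DB) / 20.0)


if __name__ == "__main__":
    # Constructed sample: 15 dBm AP with a 2 dBi antenna, receiver sensitivity -85 dBm.
    d_laptop = max_distance_m(15, 2, 0, -85)     # ~1.2 km in free space
    d_dish = max_distance_m(15, 2, 30, -85)      # 30 dB more receive gain: ~31.6x farther
    print(f"omni laptop: {d_laptop:.0f} m, 30 dB dish: {d_dish:.0f} m")
    print(f"500 ft @ 6 dB becomes {scaled_range_ft(500, 6, 36):.0f} ft @ 36 dB")
```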
I really agree with the importance of using a wireless LAN. I have one in my home and it certainly is a lifestyle change - the laptop goes from the home office to the kitchen to the bedroom and occasionally the bathroom, all the while connected to the internet and my desktop. My main original reason for getting it was that in my rented apartment, drilling or tearing up floors to lay cable was not an option. I am really happy with it, and would not go back to wires for anything.
If you like to lie in bed and read, you can basically go over to doing so full time with a wireless LAN. I have an Intel AnyPoint wireless, which is only for Win 98/ME :(, crashes occasionally, and is only 1.6 Mbps, but it is still great. It makes it much more feasible to go "paperless" - there's no need to print something out when you can take the laptop with you (I would recommend getting a light laptop). I keep everything on my desktop with a big hard drive (music, recipes, technical documentation, data files), and the laptop with its faster processor and smaller hard drive has access to all this stuff from anywhere. I also connected my desktop to real stereo speakers in the living room, and got a remote control on the laptop which can control Winamp on the desktop. So I can, theoretically, surf the net and control the stereo from the bathroom, just to give a real-life example.
I am encouraging people I work with to get the same network, so we can meet for lunch and just "be connected", whether at either of our houses or a remote location (no hub required).
Another major unintended benefit is that I need fewer computers. Rather than putting a computer in each place I want one, and running all the cable, I just take the one computer wherever it is needed.
Also, as for security, I think the whole thing is overblown. I live in an apt. building, and my whole apt. is covered, but I don't think coverage extends too far beyond (on the box it says about 150' range, but I suspect less). I think that none of my neighbors have the same hardware as me, so hackers are much more likely to find me through my wired connection to the internet. It's not like I have a sign in the front yard saying "Intel AnyPoint Here", so why would anybody even think about trying to sniff? I can see where this would not apply in the business sector, but for the home user wireless is the way to go.
What I would really like to do is replace the laptop with a slightly different device. It would have everything the laptop does, but the screen would be able to fold all the way around, like the way people open a magazine and refold it backwards. This would make it possible to read the laptop much more comfortably. Also, I would like a utility to rotate the display 90 degrees so that I could get the aspect ratio of a piece of paper. A touch sensitive screen would make it sheer heaven. If anyone knows how to do that, tell me.
'Most men would sooner die than think, and most men do.'
That's the way I took, as well as making it a closed network, so it can't be seen without knowing the IP address.
I guess you can't spoof a MAC address, can you?
VPN solves the issue of using 'untrusted' internet connections to connect to the local trusted network, so it's an obvious solution to using untrusted wireless transmissions which have similar security risks to using the Internet... sniffing, MITM, etc.
I do not deploy Linux. Ever.
I see minimal additional threat being generated from wireless networks. Wireless networks tend to be short range. Several college campuses and businesses have them, but wireless can only do so much and only transmit so far. Vulnerability is localized, not global like over wireless's wired cousin.
You still need a wired network regardless. And the hacking opportunities are better on a wired network. Several factors prevent hacking from being a viable activity over a wireless network. Low bandwidth is the most obvious. There are some implications for a denial-of-service attack, but these will affect end users, not servers, and with triangulation, it shouldn't be too hard to figure out who is jamming the signal.
The biggest thing is you need a good parity algorithm to account for data loss and encryption to prevent people from picking up sensitive data. However, I dismiss the claim that there is more exposure on a wireless network than a wired one, and hopefully you are using encryption when you give your credit card over the net anyway.
----------------------
Kurt A. Mueller
kurtm3@bigfoot.com
PGP key id:0x75D2DCCD
Lawrence Lessig is my personal hero.
Wi-Fi network cards are sending data through the air, and we already know that NOTHING is ever really all that secure, especially when you're trying to keep overhead/processing power required minimal.
SO, it would stand to reason that by deploying Wi-Fi you are (potentially) saving money on wiring/setup, enabling users to move around more freely, and at the same time subjecting yourself to more security risks.
This should be elementary to just about any halfway decent admin, but considering that it's posted on ZDNet, it's not really targeted to admins, but to end users, managers, and others not-all-that-hip :)
-This sig intentionally left blank
-Omar
Bluetooth is going to open up a whole new world for hackers. Think about it. As you are walking down the street a hacker is following behind you hacking into your Palm.
I think a lot of people just don't realize how wireless networking can change the way you feel about computing. Until you've actually surfed from the couch, continued reading on a laptop while you get a drink out of the fridge - or even take a leak - all unencumbered and uninterrupted, I don't think you can fully appreciate the difference. It's amazing to think how accustomed we had all become to the limitations of wired connectivity.
Now this comes along. Right or wrong technically, real or imaginary, this will slow adoption of wireless networking technology. The risk-averse business types who make decisions about deployment will hesitate, so there will be fewer access points both within organizations and in public spaces (hotels, airport lounges, and so on). Companies will forbid their employees to use wireless networking when on the road, or simply not provide the equipment necessary for them to do so. I expect email from our own IT department any moment telling me that wireless is off limits until "investigation of this matter is complete" (which will take months).
All this loss of convenience occurs because a bunch of people who felt left out of a public IEEE standardization process have said the sky is falling. If you read the article, you'll notice that there's practically no real information that would allow anyone to judge how serious the risk really is, and there's a lot of scaremongering about how easy it will be for "script kiddies" to get the right software. How about the hardware? Yes, folks, you need extra hardware to do this, and you also need to be physically proximate to the target. I'm not at all convinced that the script kiddies will be able to take advantage of this hole - whatever it really is.
Yes, it sucks that there's any hole of any size in WEP, and even if the script kiddies can't exploit it the professional crooks might, but the sensationalistic way this is being reported is simply not responsible.
Slashdot - News for Herds. Stuff that Splatters.