Hacking Wireless 802.11b Nets
John Higgins writes "The Wall Street Journal has a great article on my greatest worries about setting up a wireless network in my home. White hatter Peter Shipley and Matt Peterson of, among other things, the Bay Area Wireless User Group, drove the reporter around the valley with some rudimentary equipment to
find how many corporate networks they could "see" from the street or parking lot. (Sun Micro, check your encryption!) Call me a techie lightweight, but it looks like HPNA2 for me!"
Why are people scared of it? That's not scary! That's nice of the companies to give free bandwidth! That's what the Internet is really all about, isn't it?
I did notice this, too.
And guess what? Today, I got 5 mod points, used 'em up (careful not to overrate crap, since I noticed all the +5's), and then I got 5 more points!
Maybe the number of mod points was increased. By someone, or something.
You have moderator access and 49,523 points. Welcome to those of you just joining: please read the moderator guidelines for instructions. (updated 9.9!)
Don't make me -5 your ass
The security here is terrible. We use no authentication via RADIUS or any other method. Anyone with an 802.11 network card and a sufficient antenna could steal connectivity, and we could not currently tell.
There exist ways to detect this, by monitoring the MAC addresses connecting to the APs on the towers, but this is not employed. Nor is each radio catalogued, and IPs, for the most part, are assigned by the DHCP server with no logging.
I do not know if this is typical of most wireless companies, but if it is, then things should be ripe for the taking. I'm posting anonymously, because my company has a history of firing and suing for less.
If this was at Sun's Santa Clara campus, this was definitely not testing. There are several rogue wireless stations there. These are connected to the iPlanet network rather than Sun's main network, though.
Still, Sun's network is extremely insecure in so many ways, especially internally. Getting to be an internal user is simple, with wireless and DHCP.
The SA's are pretty much powerless to secure the network, as well. Sun's red tape binds their hands. Get fired for securing the network? You bet! Go Sun!
I have been in a situation with an Aironet network where I have flushed the SSID and WEP key of the card, and noticed while flicking between consoles that there was traffic from another network floating past. This is with a little (quite directional) parabolic grid antenna facing about half way between two of our own sites.
As these cards get cheaper and more people use them, the fixed set of frequencies that the frequency hopping cards use are going to become more and more useless with high gain aerials.
Even without the security implications, each site within 'earshot' is going to end up sharing the realistic 500k/s or so that the 11 megabit cards provide.
I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
free2air has a long article on this, with lots of links, technical information, source code, and other good stuff.
And the fact that they've found 150 open hosts in London's Docklands.
And for you 802.11b geeks, you may be vaguely interested to know that newsfilter.co.uk (below) is served wirelessly. Yehaw!
...j
What looks like a quick paint program scrawl of the words "secure me".
Somebody is sure running their agenda, that's for sure...
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
One of the simplest security practices is to turn off SSID identification broadcast at the base station. Then the wireless user has to know the name of the network in order to connect.
Yep, I do this on my home AirPort.. Pretty easy.
Unfortunately, this quickly becomes a gigantic pain in the ass for the admins of the network, because who wants to go through and change the SSID every time you add a new wireless base? It's really practical only for small organizations.
Changing it when adding wireless bases? Sheeit, that's easy. Changing it every time you have layoffs, now THAT sucks....
Your Working Boy,
- Otis (GAIM: OtisWild)
I think the logical defense here is: These radio waves are passing through my body. I think I have a right to analyze them as I see fit.
That solves half of the problem. The other half, is that wireless networks have much less bandwidth available, and anyone joining the network can take advantage of that bandwidth for their own gain. eg. using the company's internet connection, or just utilizing the access points for your own point-to-point pleasure.
Yikes...Thanks for the heads-up, I'll make sure to keep mine on ice. :-)
The vast majority of the security issues (including the one in this article) are simply that the network wasn't configured securely. I haven't seen any real-world attacks against networks that run WEP; the few I have seen have been brute-force decryption of packets. I haven't seen or heard of any attacks where packets were tunneled via a VPN over the wireless network.
As long as you're willing to read up on the security issues and take the time to configure your wireless stuff securely, you should be OK.
It's really not that hard to turn on WEP, even for your non-31337 mom. You go to the configurator software, select to password-protect the network, go to the client, type in the password. Pretty straightforward. Your bank account is secured by a PIN, your Internet mail account is secured by a password, same concept. It would be interesting, though, to sell hardware bundles with pre-configured WEP keys, so that people who didn't want to go to the trouble could spend a few extra bucks and have some security.
The biggest hurdle is poor key management. WEP only supports a fixed key that the base station and all clients need to know. That means that if you change the key, you have to change it on the base station and all of the clients at the same time. It also means that if somebody visits your office and wants to use the wireless network, you have to give them the WEP key. In a large organization, it can be pretty difficult to distribute a new key to dozens, hundreds, or thousands of users.
WEP has some workarounds for some of this, like letting the base station accept several keys simultaneously, but key management is still difficult.
The only way in the past to keep a network from acquiring devices like rogue computers or routers was to only allow certain MAC addresses... the university I went to did this, and my cable modem provider does it now.
Of course that method is quite useless now, as the LinkSys Cable Router I bought has built-in MAC address spoofing.
It's damn hard to keep a wireless access point off your network. I'd say at any company a user bringing one in should be fired.
I worked with Shipley about 3 years ago and then he was doing essentially the same thing with modems... he had a continuous "wardialing" project that just automatically went through all phone numbers looking for answering modems and then obvious methods to log in.
He found lots.
--jurgen@botz.org
Twid wrote:
This isn't a perfect solution, people still get free bandwidth if they want...
I would consider this a benefit... it's an excellent convenience to guests. How many "uninvited" users are going to be within your transmission radius?
--jurgen@botz.org
Forget WEP.
Make a wireless network, but don't put it on your private network... instead just make it an independent network that's directly connected to the Internet (with or without NAT) completely "outside" your organizational firewall. TREAT it as the Internet... wireless PUBLIC Internet access. No security. No WEP. Because there is no need.
Simple. All the laptops that want to use it are already set up for accessing the essential services their users want via the Internet anyway! Who has a laptop at work that doesn't need to access services on their work network when they are off-site, be it via modem or home DSL or Ricochet or whatever? And is the laptop on a secure network in any of these cases? No. So what do people do in those cases?
Some use VPNs, some just use Web and mail via SSL, some use Ssh, whatever. The point is, it already works.
So make all wireless networks "public internet access", you get the added benefit that visitors will be able to use it without hassle. At worst you're giving free access to some people in the suite next door or across the street.
--jurgen@botz.org
The hurdle that prevents people from using encryption and good security is time and knowledge. It took a lot of effort to get WEP turned on where I work because an understaffed IT department had to do it.
The funny part is we use 3DES hardware VPN devices for PTP T1 lines, but that is done by another department that has the time and materials to implement strong security. And they wonder why we don't trust the corporate network?
Tapping unencrypted lines is easy, one of our security people was trained in tapping fiber cables by DOD in '83. Ask how many people think that their private fiber links are truly secure?
Rather than patching together PGP/GPG, SSL, and SSH, I would strongly recommend you spend your efforts implementing IPSEC instead.
Chris
-- I need more coffee. It's Monday. There is no such thing as enough coffee on a Monday.
While a Cisco Aironet would be nice, $1400 is a bit steep.
The issue is, with all these current 802.11b security issues and the probable introduction of new security features, what are good products to use and steps to take? It's one thing to point out the flaws in the system; another entirely to show how to fix (or at least avoid) them.
I detect an "Ask Slashdot" here....
-- "I am disrespectful to dirt. Can you not see that I am serious!"
They are accessing resources on a network (even just to probe to see if they are there) that they *know* they do not have authorization to use. They suspect that these networks are configured with loose security, so they check it out. Under US Law, I'd bet that's not legal.
If it's just radio waves.. why are cellular phone scanners illegal in the US? (As opposed to Canada, where radio transmissions *are* public)
As of 10 or 15 years ago or so (I think) scanners in the US (yes, commonly called police scanners) are not permitted to scan cellular frequencies.
There are professional models you can buy, I'm sure, that may let you, but they are generally for use in labs, and cost a fortune. Of course you can modify your ratshack scanner.....
If you look at a cool product like the WinRadio (www.winradio.com) you will notice that the US version has several bands blocked; the Euro and Canadian versions don't.
In Canada, and many other places, receiving any transmission is legal.
Decryption of private communications may be a different matter.
The article (at least the one in the dead tree version of the WSJ) makes it pretty clear that Shipley was being very careful not to actually look at any emails, data, etc. - just notice that; "Oh, look, there's an online printer, yup, there goes an email ...", just enumerating what he COULD have done.
He's pretty damn sharp, I'm sure he knows more about the legality of it than I do. And *I'm* sure that his chances of getting sued are close to zero.
And it's pretty hard to claim he's stealing resources when all he's doing is sucking up free electrons.
coolness. score one for common sense.
Not that I condone dangerous speeding, but it is a good precedent for more reasonable activities.
Lord Pixel - The cat who walks through walls
A little bigger on the inside than out
In the UK it would be illegal even to stand in range and see if you can connect. You don't have to actively probe anything to break the law.
It is illegal to receive any radio broadcast that was not intended for your use
Probably originally introduced to make police or army radio scanners illegal, but it has also been used to criminalise all radar detectors (think speed traps) and things like intercepting satellite transmissions (think watching shows not intended for the UK market).
In other words, like all overly broad laws, whatever its original intent was it has been twisted to shut down anything anyone with enough power doesn't like.
Lord Pixel - The cat who walks through walls
A little bigger on the inside than out
I usually read at +3. I used to see about 10% of the articles. Now it is 25-30%.
This is worse than the grade inflation in US schools. If you can spell your own name, you will get a B or +3.
Of course, this opens up the problem of a stolen laptop compromising the network...
Remote detonate.
While it is true that even 128 bit WEP isn't sufficiently secure to be /secure/ it is still quite good. (It requires a real effort from the attacker at least. Not something you do willy-nilly while waiting in traffic.)
The problem is that although WEP is rather simple to use, people don't. Using "your" memory stick etc. solution would require even more of an effort, i.e. not gonna happen.
What is needed isn't more tech. What's needed is to make admins, and users aware of the problem.
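An added example, not code from this thread or from any of its posters, of the weakness behind the "128-bit WEP isn't sufficiently secure" remark above: WEP seeds RC4 with a 24-bit IV that is sent in the clear, followed by the shared key, so any two frames sent under the same IV are XORed with the same keystream. A passive listener who knows (or can guess) the plaintext of one such frame recovers the other without ever touching the key. The key, IV and plaintexts below are constructed for the demo; the CRC-32 ICV that real WEP appends before encrypting is left out because it does not change the argument.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key-scheduling + PRGA); WEP uses it with IV || key as the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) XOR payload.
    (ICV omitted for the demo; it is encrypted along with the payload in real WEP.)"""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes,
                                 frame_target: bytes) -> bytes:
    """Passive attack: both frames carry the same IV, hence the same keystream.
    keystream = C1 XOR P1, so P2 = C2 XOR keystream. The key is never needed."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_target[:3], frame_target[3:]
    if iv1 != iv2:
        raise ValueError("different IVs: different keystreams, attack does not apply")
    keystream = xor(c1, known_pt)          # only as long as the known plaintext
    return xor(c2, keystream)

def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of n_frames share an IV when the
    card picks IVs at random. Cards that count sequentially repeat after 2**24
    frames instead, which is worse for a busy AP."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))

def demo() -> bytes:
    # Constructed demo values: a 104-bit key ("128-bit WEP"), one IV, two frames.
    key = bytes.fromhex("0102030405060708090a0b0c0d")
    iv = b"\x00\x00\x01"
    p1 = b"GET /index.html HTTP/1.0\r\n"     # plaintext an attacker can guess
    p2 = b"password=hunter2&login=yes"       # the frame the attacker wants
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    return recover_with_known_plaintext(f1, p1, f2)

if __name__ == "__main__":
    print(demo())
    print("P(IV repeat after 5000 random IVs) = %.3f" % iv_collision_probability(5000))
```

Turning WEP on still stops the casual drive-by the article describes; the point of the demo is that once someone collects enough frames, a 24-bit IV repeats long before the 104-bit key is ever brute-forced, which is why the thread's VPN-over-wireless suggestions are the right long-term answer.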
I agree with you completely in spirit, but the US court system probably doesn't.
International law doesn't really exist, so there's no law to break regarding China.
Slashdot's editors are dickheads
It seems that the valley is full of companies in which the 'engineers' are 'testing' wireless networks, and that these 'tests' coincidentally were supposed to stop around the day an article is published about them.
yeah, right, if it wasn't for all this control, my head would be spinning right out of my neck...
-- the cake is a lie
Company: "It was no equipment of ours that set up a Napster-like server and put in all those Beatles songs. We were hacked."
Judge: "So we will have to make all wireless broadcasting of data illegal."
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
I also got 5 points, used 2 and suddenly got all 5 again (weird), but then my karma has been frozen for months now. Must have been an unlucky 13 point karma bug. (Who knows?)
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
Require SSH2 tunnels
Augh! NO! NO!
SSH is a good protocol for secure terminal sessions, but you should never, never use it for tunneling, unless you're fond of session-timeouts and stalled connections.
SSH uses TCP, which means it's the worst protocol you can use for a tunnel... TCP guarantees the reliability of the connection, so a dropped packet can wreak havoc: the tunnel will stop and retransmit the packet, so every other TCP connection will stall. And guess what? These stalled connections think their packets have been lost, so they retransmit their 'lost' packets, resulting in LOTS of duplicate packets (and if the 'original' packet was lost due to congestion, you can guess that you're gonna start flooding the tunnel: a cascade failure).
A more technical description is available at
http://sites.inka.de/sites/bigred/devel/tcp-tcp.h
Unless you can guarantee that your network will never drop a packet, you need to use an unreliable protocol for the tunnel (think GRE - that's what it was designed for - but even UDP would be a better choice.)
40-bit encryption, you can hide the networks from broadcasting themselves, allow only specific MAC addresses, and require a password to join the AirPort network.
But no where does it state that they intend for you to trust all of your data to it.
Page 4 of the AirPort Fact Sheet: A similar comment can be found on page 4 of the AirPort FAQ. The most important thing is the omission of any sort of notice that there could be a security problem.
Of course, the whole encryption thing was a semi-trollish joke anyway. Half a year of burning off my excess karma has started to make me prone to them lately. Looks like I caught someone!
The real problem in the article was that these companies were using open networks, where you don't have to name the network before getting access to it, and they weren't using any sort of encryption at all. Even AirPort's weak 40-bit encryption, combined with the closed network feature and with filtering MACs, would have prevented these people from tuning in from their car.
AirPort actually makes all this configuration a no-brainer.
Microsoft, on the other hand, would be saying that it, just like Windows 2000, is totally secure and safe to use on any corporate LAN. *snort*
Straw man. Check my user profile.
Actually, if you configure the damn thing properly, especially by using centralized MAC filters, Airport's security would be safe enough. I'm hoping Mac OS X's UNIX underpinning would make doing this a little easier.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
What, you mean people aren't using Apple's AirPort with its robust, secure 40-bit encryption scheme to protect all their traffic? Darn PC users.
(Burn, karma, burn...)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The authorized devices using the network are broadcasting their MAC addresses!!
This so very much reminds me of the well-known 'trick' of cloning a cell phone... sit somewhere where there are LOTS of targets, and just record the ESN/SID (or, in the case of 802.11b, the MAC address), program your own device, and off you go!
I still like the idea of VPN tunneling over the wireless segment. Yes, use the hardware safeguards, but don't trust them. Require SSH2 tunnels, perhaps using PGP-style public/private keysets to make things 'easier.' Of course, this opens up the problem of a stolen laptop compromising the network... but I never said this was a perfect world.
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
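Added example, not code from the thread: the monitoring that the wireless-ISP poster earlier in the thread says is possible but not employed (watching which MAC addresses associate to which tower and checking them against a catalogue of radios), with a second check aimed at the cloning trick in the comment just above. Because an authorized MAC is broadcast in the clear, a cloner simply copies it; the one thing a clone cannot hide is the same MAC showing up on two towers at nearly the same time. The log format, tower names, inventory and log lines below are all constructed for this example; a real deployment would feed it the AP's syslog or SNMP association table.

```python
import re
from datetime import datetime, timedelta

# Constructed log format: one association event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) assoc "
    r"mac=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) ip=(?P<ip>\S+)$"
)

# Constructed radio catalogue: MAC of each customer's card -> account.
INVENTORY = {
    "00:40:96:aa:bb:01": "cust-1001",
    "00:40:96:aa:bb:02": "cust-1002",
    "00:40:96:aa:bb:03": "cust-1003",
}

# Constructed sample of what the towers would log.
SAMPLE_LOG = """\
2001-05-01T09:12:03 ap=tower-north assoc mac=00:40:96:aa:bb:01 ip=10.0.5.17
2001-05-01T09:12:10 ap=tower-north assoc mac=00:40:96:aa:bb:02 ip=10.0.5.18
2001-05-01T09:13:41 ap=tower-south assoc mac=00:02:2d:11:22:33 ip=10.0.5.40
2001-05-01T09:14:05 ap=tower-south assoc mac=00:40:96:aa:bb:01 ip=10.0.5.41
2001-05-01T11:30:00 ap=tower-east assoc mac=00:40:96:aa:bb:02 ip=10.0.5.90
"""

def parse(log: str):
    """Yield (timestamp, ap, mac, ip) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ap"], m["mac"].lower(), m["ip"]

def audit(log: str, inventory: dict, clone_window: timedelta = timedelta(minutes=5)):
    """Return a list of (kind, mac, where, ip) alerts.

    UNKNOWN_MAC    : card is not in the catalogue (freeloader, or an uncatalogued radio).
    POSSIBLE_CLONE : a catalogued MAC associated to two different towers within
                     clone_window; one fixed customer radio cannot do that.
    A cloner who only uses the MAC while the real card is off stays invisible here;
    this check raises the bar, it is not authentication (the thread's VPN advice is)."""
    alerts = []
    last_seen = {}  # mac -> (timestamp, ap) of the most recent association
    for ts, ap, mac, ip in parse(log):
        if mac not in inventory:
            alerts.append(("UNKNOWN_MAC", mac, ap, ip))
        prev = last_seen.get(mac)
        if prev and prev[1] != ap and ts - prev[0] <= clone_window:
            alerts.append(("POSSIBLE_CLONE", mac, f"{prev[1]}->{ap}", ip))
        last_seen[mac] = (ts, ap)
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, INVENTORY):
        print(*alert)
```

Logging the DHCP lease alongside the association (the poster notes neither is done) is what turns an alert into something you can act on, since the IP is what shows up in any abuse complaint.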
I guess I'm a righteous 'l33t haxor when I turn on my scanner and listen to the neighbor's cordless phone.
Unless I missed something here, this does not involve any 802.11b security issues. Some people didn't encrypt their wireless net, some other people could read their packets. BFD.
I've seen SEVERAL stories on MSNBC really getting on Microsoft. I was surprised to see them, since I figured they'd be very biased. But I've seen numerous BIG EMAIL VIRUS!!! type stories on there. They don't seem to be holding many punches back.
Has anyone ever seen a test done with someone sitting in a parking lot attacking the 802.11b encryption? We've had several articles here on /. talking about how insecure the encryption MAY be, but no one has done any real tests yet.
Now for this article. Duh. These admins should be fired. I run 802.11b at my house with full encryption and other security features on. I wouldn't let an access point in this building without securing it first. This isn't a technology problem, it's a human problem. These are probably the same people that don't patch up to the security holes and wonder why they get hacked two years later.
To make it easier, there needs to be a good key exchange mechanism. People that don't put much thought in to security don't want the "hassle" of manually entering keys on everyone's notebooks. I wonder how long before there are web pages with key listings for companies and longitude/latitude locations....
Well, the mod points are kinda sporadic. I haven't had any in forever... Now all of a sudden I have mod points and I think, use it or lose it, so I use it, but I still use it somewhat wisely. I bet a lot of others are thinking the same. If I knew I would get mod points on a regular basis, like an allowance, I would be much more frugal. However, if they are given out and taken away at random I tend to be more of an easy sleazy moderator.. ;)
JOhn
Campaign for Liberty
Well, I am a Nortel employee and I use Contivity (Nortel's VPN client...)
The good news is, there are so many completely unsecured networks out there that if yours isn't actively encouraging eavesdroppers, you are probably far enough ahead of the curve to be "safe" (at least from script kiddie types. If someone is out to get you, you are sunk).
Not something to rely upon in the long run, more of a sad comment on the current state of wireless privacy.
Where I work, we have the whole building in San Jose set up for wireless. The way we approach security is that the wireless network is on the public internet outside the internal firewall (not on the DMZ, the wireless are completely outside).
So, in order to get to internal data while on wireless you must start up a VPN client or go through our portal. This isn't a perfect solution, people still get free bandwidth if they want, but at least they can't get to internal data.
Also, we have most of the wireless access points in public conference rooms, and a couple of them have been stolen!
- Twid
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
Umm --- a sniffer will give you these pretty easily .....
This isn't even "non-damaging probes on networks". This is networks broadcasting information to anyone in the vicinity with a laptop and a wireless network card. If you are shouting on a street corner, is it a crime for me to hear you?
Don't forget that Friday is Hawaiian shirt day.
For a network running Microsoft software, taking common steps such as ensuring Guest access is disabled and that passwords are required for all resources will do the job.
Password protecting resources isn't going to do any good at all. If you read the article it is clear that these guys are running some kind of packet sniffer.
"There -- someone just turned on an NT machine and is getting mail."
There is no way to know this unless you are collecting and looking at packets on the network. Unless all traffic on the wireless segment is encrypted you will have NO security on that segment.
International air space. If we had faster planes we could get better privacy because you could scan from further away because it would take less time for air forces to respond.
The message on the other side of this sig is false.
Ironically you'd have much better luck as a blackhat, compromising the company's network, stealing their data and selling it to their competition. I'm not advocating this, mind you, but you're a lot less likely to face any legal repercussions choosing this path. The company you cracked will never be any the wiser, that's for sure.
Likewise notifying a company that they've got a problem as an employee of that company has never (in my experience) got a problem fixed. They keep on doing what they're doing come hell or high water. Companies collectively are damn stupid and I don't see this changing anytime soon. It means plenty of income for the black hats, I suppose. *sigh*
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Exactly.
What we're seeing is only the dawn of what most likely will become a very large problem... the cost of wireless Ethernet is around a few hundred bucks, and is affordable by the clueless.
I run a 1,200 node network, and never thought about this until today. This is an issue we're going to have to address in the future...
If an employee wants to run a wireless LAN, that might be okay, but they really should check with us first to make sure they "do it right"...
The benefits of this would be manyfold:
Naturally you can't do all of these things at the same time or even have all of these things done by the same person, seeing as the explanation for what the hell you were doing listening in on the traffic in the first place might range from dubious to illegal.
Anything that runs over a non-secure medium, like the air, is insecure. Even with encryption and the like, someone can grab all the data and decrypt it later. There are also some other little tricks you can play with just to mess up someone's data. This is a technology that can be used for simple things when it is needed, but for the most part, wireless is for tech nuts that would buy the new Backstreet Boys DVD because it is totally interactive, OOH - AAH. Let's be a little realistic about what is possible and what is not.
Have you ever noticed what stories they "independently" choose to run?
Hackers hacking Sun (can you say MS-massive-security-breach-damage-control?)
Any whiff of PS2 trouble.
Pro-MS antitrust case articles.
And so on and so forth.
NBC should be ashamed they have their name associated with what is clearly just another MS publicity arm.
----
I hereby inform you that I have NOT been required to provide any decryption keys.
I remember sitting in my friend's apartment in Seattle and being able to connect to 3 different wireless networks by simply setting the default network name to "any". The same trick worked at the airport for network access I was supposed to be paying for. My wireless client software was complaining about the lack of encryption but it still connected and gave me an IP address. I used Napster to benchmark my speed and it was good... Perhaps we should only distribute this information to a smaller group of folks, so those in the "know" can take advantage of a rogue wireless network to get free Internet access, and use Napster while sitting in a terminal waiting for a flight.
If the tunneled connections don't do retransmission themselves, you can just carefully design the tunneling protocol to be very non-aggressive about retransmissions. E.g., ask "did you get that" instead of retransmitting the whole packet, and use a steeper-than-TCP exponential delay function.
And if you have to tunnel TCP over TCP, the tunneler could inspect packets, detect when the tunneled TCP is retransmitting, and simply drop the retransmission on the floor. This is just a tiny step beyond NAT. Of course, if you're tunneling arbitrary reliable protocols, you're screwed. (Although I suppose you could blindly bandwidth limit the tunneled protocol by dropping packets. If you did this aggressively enough, the tunneled protocol could be convinced to sufficiently rate limit itself.)
Incidentally, I've been thinking about this because sometimes you don't have a choice about what kind of connection to use. Sometimes you are provided with an arbitrary stream-oriented, possibly reliable, connection and have to make do.
BTW, thanks for the link to the TCP-TCP web page. I can point people at that instead of explaining...
-- ;-)
Kuro5hin.org: where the good times never end.
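Added example, not code from either poster: a toy discrete-time model of the TCP-over-TCP meltdown the "Augh! NO!" comment describes, plus the tunneler-side trick from the reply above of dropping an inner retransmission whose original is still queued in the outer stream. The inner sender is a window-limited TCP with a doubling retransmit timer; the outer tunnel is a reliable FIFO that delivers one segment per tick until one outer loss stalls it for a while. Tick counts, RTOs and window size are arbitrary constants for the model, not measurements of anything.

```python
from collections import deque

def simulate(n_segments: int, stall_at=None, stall_ticks: int = 0,
             inner_rto: int = 4, window: int = 3,
             suppress_dupes: bool = False, max_ticks: int = 10_000):
    """Return (ticks_to_deliver_everything, segments_pushed_into_the_tunnel).

    queue     : the outer TCP stream; reliable and strictly in order, so one outer
                retransmit (the stall) holds back everything queued behind it.
    sent_at/rto: the inner TCP's per-segment timer with exponential backoff.
    suppress_dupes: the tunneler looks at the inner sequence number and drops a
                retransmit if that segment is still waiting in the outer stream."""
    queue = deque()
    acked = 0              # inner acks are cumulative; acked == next expected seq
    sent_at, rto = {}, {}
    next_seq = pushes = tick = 0
    stalled_until = -1
    while acked < n_segments and tick < max_ticks:
        if stall_at is not None and tick == stall_at:
            stalled_until = tick + stall_ticks      # outer loss + outer RTO
        if tick >= stalled_until and queue:          # outer tunnel delivers one
            seq = queue.popleft()
            if seq == acked:                         # first copy: receiver acks it
                acked += 1                           # later copies are pure waste
        for seq in range(acked, next_seq):           # inner retransmit timers
            if tick - sent_at[seq] >= rto[seq]:
                if not (suppress_dupes and seq in queue):
                    queue.append(seq)
                    pushes += 1
                sent_at[seq] = tick                  # inner TCP still thinks it resent
                rto[seq] *= 2
        while next_seq < n_segments and next_seq - acked < window:  # new data
            queue.append(next_seq)
            pushes += 1
            sent_at[next_seq], rto[next_seq] = tick, inner_rto
            next_seq += 1
        tick += 1
    return tick, pushes

def compare(n_segments: int = 8, stall_at: int = 2, stall_ticks: int = 8) -> dict:
    """Same transfer three ways: clean path, one outer stall, stall with the
    tunneler dropping inner retransmits. Anything above n_segments in 'pushes'
    is duplicate data the tunnel carried for nothing."""
    return {
        "no_stall": simulate(n_segments),
        "stall": simulate(n_segments, stall_at, stall_ticks),
        "stall_suppressed": simulate(n_segments, stall_at, stall_ticks, suppress_dupes=True),
    }

if __name__ == "__main__":
    for name, (ticks, pushes) in compare().items():
        print(f"{name:18s} ticks={ticks:3d} pushes={pushes:3d}")
```

With the constants above, one outer stall on an 8-segment transfer nearly doubles the data pushed through the tunnel and stretches the transfer from 9 to 23 ticks; dropping the inner retransmits at the tunneler brings it back to 8 pushes and 17 ticks, which is the latency of the stall itself and nothing more. Real numbers depend on RTT, loss rate and the kernels involved, but the shape is what the original "cascade failure" point is about.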
Like many people (I suspect), I read Slashdot mainly for the posts. Some of the most informative pieces are those in which one of Slashdot's editors have made a factual error, and the community summarily slams him/her (are there any "hers"?) for lack of journalistic integrity. We get 3-6 +5 posts that seem to be written by experts in the field and are very informative to neophytes like me.
But if we suddenly have like 25 +5 posts per thread, the signal/noise ratio goes WAY down. Come on, 59 +5 posts in the SDMI story? WTF!?!?! They really weren't all that good.
Did Slashdot get cracked? Did they change the moderation system? SOMEBODY CHANGE IT BACK!!!
Thanks for listening.
If you're not wasted, the day is.
The hurdles are stupidity and laziness.
Unfortunately, very few administrators stop to think of the implications of wireless before doing a mass deployment.
This recently happened at my school, as is talked about in this paper I wrote, which gives a breakdown on some of the vulnerabilities present in my, and many others', schools.
If you're spewing stray radio waves all over the place, whose fault is that? Is it your job to control your communications or our job to keep our ears shut?
My guess is that Sun's comment was true. It really was some kind of WLAN test setup. Unfortunately it was not correctly configured or was connected to the corporate intranet. These WLAN access points and network access cards are so easy to install that without being security conscious you are _bound_ to make mistakes: no encryption, no security, connected to intranet/Internet etc. The current business environment also encourages doing everything as fast as possible. Setting up a closed test network for a single project could be just another extra cost. Fortunately all the test WLANs at our office are connected to an isolated test domain; yes, the data moves but there are no Secrets available.
I hate to be the one to point this out, but that is not a Wall Street Journal link.
But besides that.. I read the article earlier today, now I'm finding myself looking down to the parking lot looking for people with laptops in their car..
And I will reiterate the point.. I will stop being paranoid when you all stop following me.
Being the network admin, I've been researching this same issue. And I agree with you regarding the VPN solution. I recently found a link to a company called Colubris who has a really nice AP.
I sent them an email yesterday but have not heard back. I would like to know if I can tie the VPN to authenticate from our LDAP server to allow users worldwide mobility without having the local admins create them an account.
As for the stolen laptop, if you use SecurID tokens, this would help in a case like that, which is the reason I prefer this method over digital certificates.
Now, prosecuting, or even getting the feds to listen to your sob story is another thing, considering no damage was done. The FBI quotes (IIRC) a $5k minimum on damages before they'll even talk to you, but in reality, you'd have to approach $100k or so, and be willing to air your company's lackluster security in the court of law, and of public opinion.
This sig is xenon coated, and will glow red when in the presence of aliens
My company uses a Nortel VPN solution as well. Just seizing the opportunity to poke fun. :-p
This sig is xenon coated, and will glow red when in the presence of aliens
When a VPN vendor doesn't even use it's own software, it looks like it's time to pick a new VPN vendor... ;-)
This sig is xenon coated, and will glow red when in the presence of aliens
Honestly, I didn't meet that many people I disliked. But most of the people I worked with were really out of their depth working with Sun machines, and even the ones that wanted to learn had no time to do it, or weren't allowed to by their bosses.
I wouldn't be surprised if most of the executives use Windows, because they have enough clout to get out of using the standard system put in place for the less than fully clued.
--
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
Sun has no way of connecting back in to work from home. Sun.Net is a sad joke, providing only access to mail and calendar and such. The servers are (or at least they were) quite unreliable.
There is a terminal app, written in Java, but instead of using something normal and usable, they used some bizarre thing which interfaced with the security cards. I can understand the need for that, but the only way to use the system was through an extremely slow and unreliable applet, or by telneting to localhost and going through several gateways (each of which had a nasty habit of hanging right in the middle of working) to finally telnet (?!) to one's office workstation. X11 was, of course, unavailable, unless you wanted to go in through the modem pool, which was limited to 28.8kb/s.
When the only way to get in and maybe fix the emergency brewing at the office is that pathetic, it's a given that there will be unauthorized tunnels in use. I experimented with a few SSH-based things myself (made extremely painful due to the temperamental SOCKS proxy), but had the good sense and courtesy to be even more anal about security than is my wont.
Oh yeah. People liked to share passwords. Within earshot, or over unencrypted voice lines.
Somebody at Sun please work on fixing this. It hurts to remember.
There are other gaping holes which I feel it would be completely unfair to post in any level of detail, but suffice it to say SWAN is riddled with holes waiting to be exploited, and I hope someone decides to do something about it before a h4x0r realizes how easy it would be to own all of it.
These guys in the end are doing these companies a service by exposing blatant security holes and embarrassing them. However, they're also itching for a lawsuit. I know most people on /. don't see anything wrong with non-damaging probes on networks, but a law doesn't even have to be violated to win a lawsuit. Any one of these companies (especially the bigger ones) could perhaps win a lawsuit against these guys for using (stealing) their network resources without permission.
However, I believe three major things will keep most companies from prosecuting these guys.
1. They are embarrassed enough already, and a court case will only embarrass a computer company more (Sun with an insecure network, that looks real good).
2. A lot of Silicon Valley companies are running out of cash.
3. The only thing the companies have to gain is deterring others from pulling the same stunt (and tattling about it later).
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
So I'm in LA and have a clear LOS to Hollywood and the Westside (plus I'm pretty high up, so no major obstacles). Anyone interested in an OpenNAP server hosted by BMG?
IMHO, saying that encrypting traffic is too much effort is no longer a valid excuse, now that tools such as ssh, PGP/GPG, and SSL are in wide use. In fact, OpenSSH now supports dynamic port forwarding with SOCKS support, which can allow transparent encryption of traffic.
So, what is the hurdle that prevents people from using the tools available to encrypt their traffic?
dtach - A tiny program that emulates the detach feat
The main campus of my university hard-wires MAC addresses into their DHCP servers on the wireless LAN. The only problem is they charge $300 to lease a wireless card under the argument that you're paying for service. Of course you can just plug good old RJ-45 into one of the many ports located in classrooms and student areas. Since the battery on my laptop was broken, it never bothered me.
--- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
...fixes the job. For a network running Microsoft software, taking common steps such as ensuring Guest access is disabled and that passwords are required for all resources will do the job.
I can see their point though about networks behind a firewall, but even inside a firewall I'd think companies would be proactive in securing their networks. I just think there's more "scare" than bite in this story: the technology is secure, it's the networks the technology is run on that need to be worked with (and this could easily be Linux or Windows systems). It could happen to more than just 802.11b based networks; this could happen to any company that has their network connected to the internet, or any home user that has DSL and a permanent IP address.
All I know about Bush is I had a good job when Clinton was president.
The above link just rec's this post, don't click it unless you want to mod that one up. :)
We need a moderator option of "abuse" (or "goatsex") for flagging these. P)
How can you be in two places at once when you're not anywhere at all?
-- We all have enough strength to endure the misfortunes of other people. La Rochefoucauld
Remember the audio and ASCII emissions of US government entities about how vulnerable the US is in cyberspace and should prepare for it?
Really makes you wonder who will start the first cyberwar. I think the US. After that we'll see letters of marque getting issued against the US.
People should be grateful for the warnings from the script kiddies before the 37337 arrives.
I'm still trying to figure out what people mean by 'social skills' here.
--
A feeling of having made the same mistake before: Deja Foobar
After reading the article, it sounds to me like they're cruising around, looking for wireless LANs that identify themselves.
By default, a wireless base station will broadcast the SSID of the wireless network of which it is part, and wireless LAN cards can join the network without already knowing the SSID of the network.
One of the simplest security practices is to turn off SSID identification broadcast at the base station. Then the wireless user has to know the name of the network in order to connect. Unfortunately, this quickly becomes a gigantic pain in the ass for the admins of the network, because who wants to go through and change the SSID every time you add a new wireless base? It's really practical only for small organizations.
Mind you, I'm sure this could be fairly easily intercepted from traffic between a user and a base station, but it's a start down the road towards hiding your wireless LAN.
WEP encryption has been proven to be an easily circumvented technology (as reported on /. once upon a time), as has this lack of SSID broadcast, but it's a start. The best bet for true security is to implement a VPN over your wireless LAN, or just treat your wireless zone as a DMZ.
Even Jesus hates listening to Creed.
I am currently using 802.11b a good bit, and have come up with a solution that I am happy with. I set up filtering to disallow any access from the 802.11 interface except to ssh. I then use ppp over ssh to connect. I have set up my laptop to do this when it brings the interface up. I would like to do IPsec, but I have not spent enough time to get it working.
Are you paranoid if you know that they just want to know everything you say and do?
I've now worked with wireless network equipment from Cisco, Motorola, and Nortel Networks. I've found that none perform particularly well when using the Wired Equivalency Protocol (WEP) for security, although there aren't a whole lot of other options out there at present. Many companies rely simply on the uniqueness of the SSID used within their wireless LAN. Some restrict access by MAC address. None of these methods are particularly secure. The only one that suggests making an effort at security is use of WEP.
There was a previous discussion on Slashdot about issues with the security of WEP. The articles out there on security holes in WEP are too numerous to list here.
What scares me most is the sheer lack of concern expressed by many network engineers, with regard to wireless. I've heard many times now, variants on "It's a wireless network. It's insecure by definition so why even make an attempt to secure it." Scary.
--CTH
---
--Got Lists? | Top 95 Star Wars Line
Here's the Berkeley study on WEP security:
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
No, you can keep wireless access from happening -- it's just a pain in the ass. Most switches these days support secure ports. With the Cisco switches I use at work, you can set port security so it not only allows just one specific MAC to use the port, but if anybody unplugs the cable to plug something else in, the port is automatically disabled (although there are other settings to choose from besides automatically disabling the port). This keeps people from spoofing the MAC, because nothing will work until an admin resets the port. For more information, check out this article.
Like a lot of security, it's a pain in the ass, but you can prevent people from plugging in unauthorized devices, wireless or otherwise. Of course, no security is unbeatable.
-N
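Added example of the port-security setup the post above describes, written here in Cisco IOS syntax; it is not the poster's own configuration. The interface name and MAC address are constructed placeholders, and the errdisable recovery timer is an optional alternative to having an admin reset the port by hand.

```text
! Lock one access port to a single known station (constructed example values).
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! Only one MAC address may ever be learned on this port.
 switchport port-security maximum 1
 ! Pin the port to a specific station (placeholder MAC); alternatively
 ! "switchport port-security mac-address sticky" learns the first one seen.
 switchport port-security mac-address 0000.1111.2222
 ! "shutdown" err-disables the port on a violation (the behaviour the post
 ! describes); "restrict" or "protect" drop the offending frames instead,
 ! with "restrict" also logging/counting the violation.
 switchport port-security violation shutdown
!
! Optional: re-enable err-disabled ports automatically after 5 minutes,
! instead of requiring an administrator to bounce the port manually.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands to run after the change:
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show errdisable recovery
```

Enabling the recovery timer trades the "nothing works until an admin resets the port" property for fewer helpdesk calls; leave it off if you want every violation to be looked at by a person.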
I said I'm a techie lightweight, remember?? I don't get anywhere near Linux...
I haven't audited the 802.11b protocol, so I can't say whether I think the basis is secure or not, but I have noticed one potential security problem for networks based on a certain brand of local access point hardware (name withheld for now)...
This particular manufacturer stated the hardware was compatible with up to 128-bit encryption, and I did set my remote interface to 128-bit with no problems. The base unit, on the other hand, had no such setting; encryption could either be turned on or left off.
This leads to two potential exploits:
1. Brute force: trying to connect using all 2^40 keys until you are able to access the network. This is probably unworkable, but worth noting.
2. For a network with a large number of remote connections, one or more might have been set to 40-bit instead of 128-bit. Traffic from these nodes could be sniffed and analyzed, and the passphrase hash recovered.
Since I'm administering all of the remote points on my network, I've taken steps to keep this from happening; but for a large corporate net where users tend to fiddle with things, this could definitely cause a problem.
I'll bet those sysadmins would be very surprised to discover that the 802.11b access points were even on their networks. This stuff is too cheap and bone-head easy to install. Apparently a lot of consultants of various types like to pack them around with their laptops so they don't have to futz with network cables wherever they happen to be working that day.
This isn't merely a clue problem. There is a control problem as well.
I have no clue how this protocol works, but I have an idea. What if the clients on the network all needed either: a disk, bootable or otherwise, used to program a key in the end user's station; a smart card, if you want to get real fancy and want extra security (keep it in a safe if need be); or a memory stick, using Sony's tech to keep a digital key which must be inserted into the wireless LAN card in order for it to connect to the network.
/dev/stylus
We could still use the physical to control the radio waves from being stolen. Public/Private keys make sense here - but the trick is how to use it. Encrypt the connections - but without a key, no one connects to the server. A company who used this technology would stand to make money on hardware (upgrades) and selling the specs to competing hardware companies.
Forget 128-bit encryption. The last idea, a memory stick, could be used to secure the network with a 'key' that holds a larger key, not too much different from a PGP key. Any cards without a key would simply be ignored by a DHCP server or other protocol.
A base station could program the key to the stick, and only when a password/phrase is supplied. This station would of course not be connected to the network. Hell - the base station could use a magnetic card for id.
And the best thing, you go to a desk and just sign out a stick - keeping employees from taking them.
Not a bad idea huh? Wouldn't be cheap, but as I offer this set of ideas to anyone to use, you could get as technical as you want. If you really want to be secure you need to also be paranoid. If I could sit in a parking lot and download anything I want while being under the cover of your net, I could host kiddie porn or start an ILOVEYOU and you'd take the fall. This wireless net reminds me of people who use old cordless phones: your neighbors could call Jamaica if they knew a few things about the phone and had the hardware.
no
Get your Unix fortune now!
Driving around town there are a lot of 802.11b networks that are left open on purpose. I could care less about someone sending bits over my broadband pipe. Media One might mind, but that is a different matter.
If it wasn't for the fact that if I did leave the access point open someone like the author of the article would be bound to post the fact on the net as 'security expert hacked' I would have no problems leaving it open. My internal systems are all behind a firewall in any case.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
There's slight temporary fixes for the Wireless problems dealing with security, I think someone has PKI certs for them (almost sure they have them) but PKI is not really a fix at all now is it?
I'm hoping Pat Calhoun and the folks over at Diameter get on the mark soon with their protocol, since it seems RADIUS is now a dinosaur of sorts. Well for those interested in Wireless security, check out this thesis on it. "Security in Public Access Wireless Networks"
#define crypto
360 degrees of Karma
A company as large and as technically inclined as Sun Microsystems might investigate this type of thing before going ahead and implementing this type of network.
802.11b is what a lot of folks are using for community wireless projects. See this link for an article with a decidedly different perspective on these networks. I really like Clay Shirky's comment:
Well's all that ends.
Good luck, it's not supported in Linux.
--
WHO ATE MY BREAKFAST PANTS?
Correct me if I'm wrong, but I do not think cellular phone scanners are illegal in the US (maybe they are by that title or for that use). To the best of my knowledge most people call them "police scanners" or just "radio scanners", and if you put down enough cash you can scan just about any frequency out there. You can even get a cheap one down at the local Radio Shack, and most cell phones here have some type of transmission encryption available as a feature on the phone if you're fearful of your conversations being listened to. You can even tune into airport frequencies, but they get real *#(@# pissed if you transmit on those frequencies and that *is* a crime. They really prefer kiddies stay off those frequencies and resist the temptation to guide a 747 to land on a barn. It'd be fun stuff, but cows have rights too.
Beware blue cats moving at
and I must insist you return our private information that you maliciously and unlawfully intercepted with your colon. We are going to confiscate your transmission receiver and pending the litigation it will be returned to you in 4 to 8 months after we determine the amount of damaging information you've captured.
I didn't murder that man, I was just accelerating free lead atoms to 10,000 fps... and I didn't hack that site, I just sent free electrons through a wire and it just happened to reach microshaft, and forthcoming electrons on a wire made it put up a picture of pr0n with Gates' face superimposed! It's those rascally free roaming electrons...
and hope people don't notice and still pay. Uhm, dude, where is this ISP located? Just out of curiosity, it's not like I'd steal network resources or anything.....
Go into the network security consulting business, drive around the valley, and have network printers print off your company name and how you can secure their network. Run a winpop on the CEO's laptop telling him he obviously needs your service.. and rake in the dough.. dude I should shut my mouth and start doing this....
so you know they're probably bound to mess up the security to begin with on an already insecure OS. IMHO
what, does he feel original with this? people have been wardialing since before I was a gleam in my drunk peg-legged father's eye.
and how did that asshole larry that sits next to me get accidentally onto the end of that list? Hey.. wow, somehow my pink slip turned into an 85k bonus... weird.. hey HR just posted two open secretarial positions for the new CIO (wow that's me).. qualifications include 34c-24-36.. weird but who am I to complain? corporate policy...