Exploiting and Protecting 802.11b Networks
iforgotmyfirstlogon writes: "A couple of guys from Extreme Tech drove around New York, New Jersey, Boston, and Silicon Valley with a high gain antenna to see how many (secure and) unsecure wireless networks they could tap into. They used NetStumbler and Linux AirSnort to help them search. Results? They came across over 800 networks and less than 40% had any sort of security."
They later went on to add that, "Out of the 40% of computers in which access was gained, just over 20% were serving some really great porn. Hey, why do you think we did this survey in the first place?"
Peter Shipley did that in San Francisco and found something like 2500 access points. The only way this will ever be fixed is if companies realize that you cannot depend on protocol level security. WEP is not the answer. Tunneled SSL, or some sort of VPN end to end security is the only way to protect your connection.
Jeff Knox
You know, these people driving around looking for wide open networks are probably the ones that raise the biggest stink about "script kiddys" any time someone finds a new security hole.
Yes, WEP is insecure. Yes, there are a lot of networks that are just thrown up. Wow, kind of like wired, eh? Reminds me of that great quote, "Never attribute to maliciousness what can be explained by human stupidity."
Does anyone know of any good documentation on how to secure wireless communications? I know we have 2 wireless connections between 3 buildings using SMC's wireless routers, and the only security that was built in is the 64 and 128 bit encryption (which is apparently crackable) and only allowing certain MAC addresses to communicate (which is also easy to crack).
So instead of writing articles on how bad wireless tech is to crack, (4th article I've read in a week) why not write a how-to on how to implement security on your wireless LANs.
There has been a lot of talk about people deploying many 802.11b connections privately, thus building non-corporate owned, cooperative wireless access to the net around cities and such. This might put a bit of a damper on that, but IMO it should not stop it by any means. While people might not be able to order stuff for now, there are a great many things to do that don't require security, and such nets really seem to be the ultimate expression of a free internet. If/when firmware updates become available, the access would just be that much better. It would also put more pressure on commercial interests.
The article's completely right about wireless exceeding their advertised range. I've just got home from the LBW, where we had a single flat panel antenna connected to a regular base station transmitting over about 1 1/2 miles up to the campsite, to another relatively small antenna connected to a WaveLAN card in a laptop. Sure, the link went down at the slightest hint of bad weather, and we got about 30% packet loss, but we were still getting about 500mbits. :)
- Hypnos
Why is this guy's comment a 0? A "how to" may not be as sexy as driving around for open networks, (and if you think that's sexy, you've been way toooo into Final Fantasy jpegs), but it's definitely needed.
However, in a brief spiel before I have to run, ensure end-to-end encryption. Approach it just like you would a normal WAN. Disable telnet and ftp on your servers, use SSH and SCP instead. Harden your hosts. Look into using FreeS/WAN or the BSDs' IPsec solutions for VPNs. Switch over to djbdns. In short, do everything that people should be doing on their 'normal' wired networks. It never ceases to amaze me that just because WEP is easy to break, everything else must be totally secure by default.
Hope that helps.
From the looks of this survey these guys did, if they were to come by my campus (they didn't, it's not in any of the cities they drove around), one of a few things could happen:
- This network would appear to be insecure because non-WEPed transmissions could be found on it.
- This network wasn't found because the school network would refuse access to it.
- The network is secure because it was found, but data could not be accessed because the school network wouldn't allow it.
Any thoughts?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
By doing this you are basically acknowledging that the security isn't there and force your users to use secure tools to get to secure places.
Anyway my point is that if one of these guys drives by my home they'll probably pick up my 802.11 and add it to their map, maybe even hack it to get access to the 'net - but do I care? Nope.
We also treat the wireless security as a joke. We're using an access point located outside our firewall behind another firewall. All clients using the access point get back into the corporate network using the same VPN software they use while on the road. In fact, they are now set up so they never turn the VPN software off.
Anyone breaking the security of our access point gets plain old Internet access and doesn't get into the corporate net.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
WEP is not the answer. Tunneled SSL, or some sort of VPN end to end security is the only way to protect your connection.
Hear hear.
So the thing to do is to put the wireless LAN port on the logical OUTSIDE of your firewall and let the laptops all tunnel in through it. Your firewall can also filter connections between the WLAN and your net feed.
For the open net your users can also encrypted-tunnel to the tunnel server and go out from there, to avoid eavesdroppers. With this configuration there's no reason to bother with WEP.
Go ahead and route packets between the net and the wireless port if you're feeling altruistic, or restrict WLAN connections to the tunnel server(s) if you're not.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
There were a few APs at LinuxWorld, about 11 or 12 networks when I scanned, I think only a couple had any real security.
The OSDN booth had a wide open AP that I was able to use to get net access while I was hanging around nearby.
I was checking Slashdot, almost caught a breaking story for First Post, while I was in the audience listening to CmdrTaco's Q&A session.
Hopefully, from now on there will be more and more open APs at conventions so I can get net access at random places on the floor.
It comes down to speed vs. privacy. You can ignore WEP and use IPsec or a VPN. You'll take a speed hit, but you'll have reasonable privacy.
If you don't mind exchanging some privacy for additional speed, 128 bit WEP isn't a bad choice. It hasn't lived up to its "Wired Equivalent" name but sniffing and decrypting is a non-trivial operation.
For more speed with minimal privacy, 80 bit WEP doesn't cost much bandwidth (2%) and you're still only going to be sniffed and decrypted by folks with a clue.
In some situations, speed is most important and privacy is meaningless. Suppose you're downloading Debian ISOs over a wireless link. There are times (one might argue the majority of internet traffic) when privacy just doesn't matter. If you can use reliable encrypted protocols for the exceptions then open mode 802.11b is fine. What are you trying to hide?
As long as we're able to encrypt those transactions that require privacy none of the WEP "stuff" matters. How secure is your wired network internet traffic after it gets to your ISP?
When you have thousands of people driving around trying to h4x0r 802.11b networks, it won't be the same thing anymore.
How do you know you don't ALREADY have thousands of people driving around sniffing 802.11b nets?
And how is a person supposed to distinguish nets left open deliberately, as a public service, from those left open accidentally?
The existence of public 802.11b ports gives plausible deniability of criminal intent to anyone making parasitic but non-malicious use of an accidentally-open WLAN.
(IANAL of course. But I'd hate to be a prosecutor trying to bring a case against someone who "trespassed" on a WLAN port.)
There seems to be a recent outbreak in these "drive by hackings." Thank the gods my friend registered www.drivebyhacking.com a couple months ago. Now we just have to figure out what to put up there.
----- Mike Sklens Staff Writer, Planet GameCube.com
Read the article: http://www.extremetech.com/article/0,3396,apn%253D7%2526s%253D1024%2526a%253D13880%2526app%253D5%2526ap%253D6,00.asp
I was in a Starbucks here in Austin, TX which offers 802.11b access (for a fee). Instead of winding up on the provider's network, I was on the Safeway network (the Starbucks is inside a Randall's / Safeway supermarket). This allowed my Win2000 laptop to browse the supermarket network, which has many shared [and unsecured] systems probably used for re-ordering / EDI, etc. The real issue is about education of network professionals about wireless security and how to implement it, whether or not they use WEP (Safeway clearly did NOT). I for one just wanted my 'net access via Starbucks and not Safeway's ultra-slow (probably frame relay) network.
Not when you can crack all of them with AirSnort.
All it takes is time and traffic.
Of course, it still amazes me that so few had even the most basic levels of security installed.
Then again, most of the managers I have worked for seem to think that if you take steps to protect yourself, you become liable if you get hacked. (Yes, I know that makes no sense. Never stopped them...)
"Trademarks are the heraldry of the new feudalism."
Why of course, under the logic similar to that found in the DMCA, all wireless networks are perfectly secure!
There, don't you feel better now? Our fine Brother Sam passed a law saying that something is so it must be true and has always been true.
Double plus good, I say!
1984 here we come.
We know WEP is insecure. There is little point in even putting anything on these nets. As a matter of fact I can find reasons not to. Let's say for example that you run a facility that has large numbers of people from outside coming in. Would it make sense to enforce 128 bit encryption? Sheesh, all the people with bronze (no encryption) and silver (40/64 bit encryption) can't use it.
As someone pointed out above, put it outside the firewall, require ssh/VPN to get inside a firewall. Tell people it's an insecure net, and recommend personal firewalls (ZoneAlarm, BlackICE, ipchains, etc.).
The major benefit of wireless is access anywhere. Security directly conflicts with access. For example, managing MAC level security (restricting by MAC) is a pain in the keister. WEP is worthless. So assume all your traffic is insecure and use something to encrypt it. If you really need to prevent people from getting on and using your net, _don't use wireless_.
-- Who is the bigger fool? The fool or the fool who follows him? --
You must be from the South... where I come from, he's Uncle Sam.
<insert lyrics to "I'm my own grampa" here>
I can just imagine some poor network admin trying to figure out who the heck is using their network to surf for pr0n (and imagine the PHB trying to figure out who they need to fire).
But seriously, with wireless it seems like it would be incredibly difficult to trace the unauthorized user. Land based hacks are usually done over the internet rather than by physically connecting to their network. As a result, there's usually logs to help track down the person(s) using the network.
But this seems incredibly tough... if the cracker didn't go anywhere on the network that would give themselves away (such as logging into Hotmail to check their mail), I would guess that it would be damn near impossible to find out who was sneaking into the network... even if/when they were actually connected. I would guess that the wireless network might get the MAC address of the card being used to get into the network, but even that likely wouldn't get you anywhere.
Is that true, or am I missing something here?
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
Your proposal is a great public service. Many crackers out there are in dire need of a totally untraceable way to launch the next innovations in Outlook and IIS worms. Without wide open wireless access points, advances in malware state-of-the-art would be needlessly hindered.
There are some tips there. Extreme Tech also ran an article a couple of days ago on the basics of securing WLANs. Here is the link
With all the stories on how bad WEP is and how most 802.11 networks aren't secured, I haven't found an answer to this question about securing a home 802.11 network (I'm not claiming to be an expert on this, so maybe this is a simple question).
I'm assuming most home users don't have the equipment/skills to set up the access point outside of a firewall and use VPN/SSH. Given that, how risky is the following:
1) Consumer base station (Airport)
2) WEP password enabled
3) Access restricted to specific MAC addresses (not possible w/Apple's configurator, but doable with the 3rd party Java version)
4) Airport plugged into home LAN, no other machines running any servers or file sharing (none are Windows boxes, 2 OS X, 2 OS 9.2)
I understand all the actual 802.11 traffic is basically open. I assume if the web site I'm using has effective encryption then that data is safe, but my POP3 password could be grabbed assuming it isn't encrypted by something other than WEP.
What I'm wondering is would this setup effectively prevent someone from setting up a laptop outside my house and getting at the files on my LAN.
This seems to me a reasonable set up for a home user, but if it leaves the family Quicken file vulnerable to any kid on the block then 802.11 seems to be destined to never be mainstream. If on the other hand a home user can put at least basic security in place (e.g. they can see your web pages but they can't trash your entire drive) then it has a chance.
Thanks.
We tried this stunt from an office window in the centre of New Zealand's largest city, Auckland. Even with only the laptop's wireless card, we were able to tap into 13 networks, and gain external internet access through 10 of these. The main security risk this poses is that most highspeed business connections here are MB capped, and therefore any kid with a laptop and wireless LAN card can use any local retailer's high-speed connection to download his warez, or even worse, to carry out even more highly illegal activity, and it is traced back to... the kid? No. The retailer. And this was only with a 5 inch steel aerial! Imagine what we could tap into with the kind of receiver power used in that article. Ironically, one of the internal networks we were able to enter completely anonymously was that of a major NZ bank. Cash anyone?
Regarding the "publicly accessible" wireless networks that are supposedly springing up, why not set up a nice transparent stateful firewall to only allow outgoing connections (and their resulting replies)? That way if your neighbor, or "the public", want to use your broadband connection, they can do so wirelessly, but only to make outbound connections. Granted, they could set up a VPN or some such to get a public IP for unrestricted inbound/outbound traffic. Just monitor the system and keep extensive connection logs (no, that's not packet sniffing logons and passwords ;)).
Of course, why are you letting other people surf through your connection for free? Another issue, for another Slashdot article.
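The two firewall designs discussed in this thread (the WLAN on the logical outside of the firewall, with clients allowed out to the Internet or only to the VPN tunnel server, and the outbound-only stateful filter with connection logging) as one small model, added here as an illustration and not code from any poster. Addresses, ports and the hypothetical `WlanFilter` class are constructed; a real deployment would express the same policy in the firewall's own rule language.

```python
"""Toy stateful filter for a WLAN segment placed outside the firewall (added illustration).

Policy modelled:
  - WLAN hosts may open connections outward; replies to accepted flows come back.
  - Nothing may be initiated toward the WLAN, and the WLAN may not reach the
    internal LAN directly (only the VPN/tunnel server, which sits outside it).
  - tunnel_only=True restricts WLAN hosts to the tunnel server(s) alone.
  - Every accepted new connection is recorded in a connection log.
Addresses below are constructed sample values. TCP-style 4-tuples only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WLAN = ip_network("192.168.50.0/24")             # constructed: wireless segment
INTERNAL = ip_network("10.0.0.0/8")              # constructed: corporate LAN
TUNNEL_SERVERS = {ip_address("198.51.100.10")}   # constructed: VPN concentrator


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True only for the first packet of a new connection


class WlanFilter:
    def __init__(self, tunnel_only: bool = False):
        self.tunnel_only = tunnel_only
        self.state = set()   # accepted flows as (src, dst, sport, dport)
        self.log = []        # connection log: one entry per accepted new flow

    def check(self, p: Packet) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if key in self.state or reverse in self.state:
            return "ACCEPT"                      # part of an already accepted flow
        if not p.syn:
            return "DROP"                        # stray packet with no matching state
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src not in WLAN:
            return "DROP"                        # nothing may be initiated toward the WLAN
        if dst in INTERNAL:
            return "DROP"                        # LAN is reachable only through the tunnel
        if self.tunnel_only and dst not in TUNNEL_SERVERS:
            return "DROP"                        # restrictive mode: tunnel server only
        self.state.add(key)
        self.log.append(key)
        return "ACCEPT"
```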
The net result of this insecurity will likely not be better security protocols, but rather another inane law restricting the right of people to use wireless devices.
It happened with cellphones in the '90s; that's why it's now illegal to listen to cellular frequencies in the US.
Just wait, it will happen.