Study: Wi-Fi Users Still Don't Encrypt
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
But with some patience and airsnort even "secured" (i.e. encrypted) access points can be used without permission. And MAC address filtering is a joke since I can easily change what MAC address my AirPort card uses under Linux.
Maybe it's time for a new, and effective standard.
There is some good basic WLAN security info on AirDefense's knowledge center section of their website...
Something clever...
AirDefense Software Screenshot
Something clever...
What about IMAP? Is it secure? Does it support SSL?
Both IMAP and SMTP also support SSL natively.
I use wifi around my apartment, and I encrypt everything via either ssl (imap, smtp and http) or ssh tunnels. After living on a non-switched college network for 4 years, I've learned to never trust the local network anywhere.
ssh -N -l loginname -i ~/.ssh/identity_nopass -L 5110:localhost:110 pop.server.net
In the above, you would configure your pop client to go to localhost as the server on port 5110.
What POP3 daemons support SSL _NATIVELY_?
Qpopper does.
blah
It's not the e-mail that's the problem. It's the fact that your password is sent unencrypted (with a few notable exceptions). And, a large portion of the time, I'd bet your password for the POP3 server is the same as that for a shell account with that ISP. Or FTP access to your web publishing directories. Or, if you're really stupid, it's the same as your online banking password.
There is no sig, there is only Zuul.
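An added example, not part of the thread: a small audit of what a passive listener learns from the client side of a POP3 session on port 110, depending on whether the client uses USER/PASS, the APOP digest command from RFC 1939, or an STLS upgrade. The session lines, the account name and the password are constructed sample data; the banner timestamp is the one used as an example in RFC 1939.

```python
import hashlib


def apop_digest(banner_timestamp: str, secret: str) -> str:
    """RFC 1939 APOP: MD5 over the server's banner timestamp plus the shared secret."""
    return hashlib.md5((banner_timestamp + secret).encode()).hexdigest()


def audit_session(client_lines):
    """Classify what a sniffer on the same network sees in one POP3 client stream."""
    finding = {"auth": "none", "password_exposed": None, "mail_exposed": False}
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            # After STLS the rest of the session is inside TLS and not readable.
            if finding["auth"] == "none":
                finding["auth"] = "tls"
            break
        if verb == "PASS":
            finding["auth"] = "cleartext"
            finding["password_exposed"] = arg      # the reusable secret itself
        elif verb == "APOP":
            finding["auth"] = "apop-digest"        # only a one-time MD5 digest is visible
        elif verb in ("RETR", "TOP"):
            finding["mail_exposed"] = True         # message bodies cross in the clear
    return finding


# Constructed sample sessions (client-to-server lines only).
BANNER_TS = "<1896.697170952@dbc.mtview.ca.us>"
SESSIONS = {
    "plain": ["USER alice", "PASS hunter2", "RETR 1", "QUIT"],
    "apop": ["APOP alice " + apop_digest(BANNER_TS, "hunter2"), "RETR 1", "QUIT"],
    "stls": ["CAPA", "STLS", "<TLS records>"],
}


def audit_all():
    return {name: audit_session(lines) for name, lines in SESSIONS.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```

Only the STLS session hides both the credential and the mail; the APOP session keeps the password off the air but still exposes message contents.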
I generally don't care whether my email messages are encrypted, but I do care about whether my email password is being sent out cleartext. Something like digest authentication would be fine, but I don't think IMAP or POP3 does that, so I have to go all out and use IMAPS.
It's good that you've learned never to trust the local network anywhere, but your comment implies that you could rely on a switched network for some sort of added security. You can't. It is trivial to sniff traffic on a switched network.
.sig: file not found
802.11b is slow enough already.
Try streaming a DivX over wireless with encryption, it doesn't work. It barely works when you turn it off.
How small a thought it takes to fill a whole life
The point of WEP is misunderstood, as well. Yes, it was poorly implemented.. but it was not supposed to be the data security layer anyway... just "wired equivalent"
That means.. it was supposed to be roughly as hard to get access to the actual network packets as it is when someone has a wired lan.
The wire is not secure, as you know. Wires can be tapped numerous ways, invasively, or passively. Yes, the logic is kind of flawed, the situation is different.. but it just makes it harder to sniff, not impossible.
It wasn't supposed to be a replacement for using secure protocols.
I was surprised that I was able to pick these up from the street. Also surprising were the names of some of the networks, I mean kittyNET, c'mon!
Also, it's amazing how many people have linksys.
USE WEP, PEOPLE! Or at least configure your router to only accept your computers' MAC address! jeez.
There's lots of reasons to close your network to the outside. The main one being that you don't want to give people access to your LAN. Most people don't password their computers from other machines on the LAN, since they figure it's secure, but it's not. Also, I tried the default linksys password ("admin") on a couple of the networks, and would have been able to change router settings. Imagine setting up a dreamcast w/ wifi outside of someone's house on their external power outlets and serving warez off their connection. sheesh.
These routers should come with little pamphlets about wireless security.
...spike
Ewwwwww, coconut...
WEP is a horrible thing. I use it myself, but that's mainly to keep my non-techie neighbors from turning on their laptops one day, having Windows XP realize there's a wireless connection in their range, and starting to use my bandwidth. I have no delusions that my data is secure since anyone could, with a little patience, use airsnort to find out what my key is.
The access points of the future would hopefully have 2 WEPs: one to allow access to the access point and a second one, dynamically assigned to individual clients (probably recognized by unique MAC address), for all data communication between that unique client and the access point.
As another poster pointed out in this very article, it would be much better to have some sort of PGP encryption in the access point, where you send your public key to it, and it encrypts the data back. The problem with doing anything based on MAC addresses themselves is that you can change your MAC address in both Windows and Linux.
Warning: Opinions known to be heavily biased.
Actually, Outlook Express is SSL-enabled. Googled "outlook express ssl" and found this: How to configure Outlook Express 5.X and 6.X to use SSL (Windows)
Ask that question again, "why would anyone target me specifically?" It sounds like you use Windows. It also sounds like you don't know what a script kiddie is. It really sounds like you haven't got a clue.
There is a low likelihood that someone will engage in a targeted attack against your machine. However, with batch attacks being run by adolescents, targeting entire IP address ranges, your b0x could be 0wnz0r3d by such an attack.
Your...question, "My point is, sure, if someone went to the effort, I guess they could hack my computer, but why would anyone target me specifically?" is the same view most people have. The problem is that you are clueless, and don't believe that it takes no effort at all to 0wn j00r b0x.
This isn't about wep....
It's about people using an insecure method to access their mail.
The wireless access points were meant to be open to the public.
Jeroen
Secure messaging: http://quickmsg.vreeken.net/
I mean really - if I want secure transfer of information I'm not going to use e-mail. The effort wasted securing it is truly wasted effort, in my view, because of the lack of a trusted MTA.
Use GPG. Then you don't have to trust anything, except that you have a genuine key.
Here's a simple guide to setting up WEP on your WAP:
1. Visit this page -- it will generate 13 random hexadecimal digits that you will use for a 128-bit key.
2. Copy the resulting digits into a text editor and strip out all of the whitespace between the characters.
3. Log into your WAP router and go to the Wireless configuration settings. Select the "128-bit encryption" option, and enter the generated key into the WEP key field.
4. The last step is OS-dependent... In OS X, you would log on to the WAP as usual, except that now it will ask for a password. Select the dropdown box labeled "password" and change it to "128-bit Hex", then enter in the generated key. I believe OS 9 users will need to enter a "$" before their hex key for it to work properly. It won't let you paste the key in, so you will need to type it carefully. I don't run my Linux box via WAP, so I'm not exactly sure how Linux users would do this -- feel free to reply to this post and add other OS instructions...
Slashdot's first reaction to VMware
Agreed. Anytime you are checking your email on the road it should be secure. ssh tunneling is one method, secure webmail is another.
What amazes me is that so few firms understand that their "road warriors" are their weakest link in their security. You frequently see firms where engineers are told they cannot work from home, even with ssh tunneling, "for security reasons", but the companies' road warriors are zipping in and out of airports with detailed business plans and spreadsheets sitting on their unsecured laptops.
Hint to sysadmins, if you're letting them fetch their mail over a clear connection, you'd probably let someone else pretending to be them send email through the company mail server.