Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study: Wi-Fi users Still Don't Encrypt

Posted by CowboyNeal on from the won't-you-come-on-in dept.

Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor. What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."

11 of 283 comments (clear)

  1. Okay ... by Neon_Mango · · Score: 4, Informative

    But with some patience and airsnort even "secured" (ie. encrypted) access points can be used without permission. And MAC address filtering is a joke since I can easily change the what MAC address my airport card uses under linux.

    Maybe it's time for a new, and effective standard.

    1. Re:Okay ... by Bagheera · · Score: 4, Informative

      Using AirSnort takes time and patience. For a "large" site where you can get a lot of traffic, or where you're trying to crack your next door neighbor's network where you can get a lot of traffic over time, it's practical.

      At a conference, it's unlikely that people will even bother setting up WEP since key management isn't worth the effort.

      MAC address filtering is a mixed bag. Yes, it's trivial to alter your own MAC address to impersonate another machine, but the usefulness depends on your environment. A big site probably won't bother with filtering. Too many addresses to track. A small site running MAC filtering may well have a clueful network admin who'll notice homeboy.haxornet.lan's MAC on the air when he -knows- he left that box at the office.

      The point was the insecure protocols used over the wireless links. Web, POP, IMAP, telnet, etc., passwords sent in the clear are trivial to sniff in that environment.

      As some have already pointed out SSL will cure that issue for quite a number of applications. Using SSH to reach your mail server is another simple "fix" to what is essentially NOT a wireless networking problem.

      --
      Never attribute to malice what can as easily be the result of incompetence...
  2. Good basic WLAN security info... by pir8garth · · Score: 5, Informative

    There is some good basic WLAN security info on AirDefense's knowledge center section of their website...

    --
    Something clever...
  3. Re:POP3 with SSL by derF024 · · Score: 4, Informative

    What about IMAP? Is it secure? Does it support SSL?

    both IMAP and SMTP also support ssl nativley.

    I use wifi around my apartment, and I encrypt everything via either ssl (imap, smtp and http) or ssh tunnels. After living on a non-switched college network for 4 years, I've learned to never trust the local network anywhere.

  4. Re:POP3 with SSL by SCHecklerX · · Score: 4, Informative
    Or just run ssh on the client and server and be done with it, but then again, it's far easier and more efficient to just use pine on the 'pop' server via ssh login when you are away. Or you could be uber-cool and run cyrus IMAP instead, then you are in sync and have all of your mail no matter where you are.

    ssh -N -l loginname -i ~/.ssh/identity_nopass -L 5110:localhost:110 pop.server.net

    In the above, you would configure your pop client to go to localhost as the server on port 5110.

  5. Re:Arriving clue by jdreed1024 · · Score: 3, Informative
    Is it possible that most people don't give a shit about encrypting their e-mail because the contents of their e-mail are so inane and you can't trust the intervening steps?

    It's not the e-mail that's the problem. It's the fact that your password is sent unencrypted (with a few notable exceptions). And, a large portion of the time, I'd bet your password for the POP3 server is the same as that for a shell account with that ISP. Or FTP access to your web publishing directories. Or, if you're really stupid, it's the same as your online banking password.

    --
    There is no sig, there is only Zuul.
  6. WEll by mindstrm · · Score: 5, Informative

    the point of WEP is misunderstood, as well. Yes, it was poorly implemented.. but it was not supposed to be the data security layer anyway... just "wired equivalent"
    That means.. it was supposed to be roughly as hard to get access to the actual network packets as it is when someone has a wired lan.

    The wire is not secure, as you know. Wires can be tapped numerous ways, invasively, or passively. Yes, the logic is kind of flawed, the situation is different.. but it just makes it harder to sniff, not impossible.

    IT wasn't supposed to be a replacement for using secure protocols.

  7. yeah, wardrive and prove it! by MyDixieWrecked · · Score: 5, Informative
    I went wardriving the other day through a rich neighborhood in NJ. Good ol kismac, my Ti, and the stock Airport card/ antennas. After a 10 minute drive, we discovered nearly 20 open networks. A mere 5 of them using WEP.

    I was surprised that I was able to pick these up from the street. Also surprising was the names of some of the networks, I mean kittyNET, c'mon!

    Also, it's amazing how many people have linksys.

    USE WEP, PEOPLE! Or at least configure your router to only accept your computers' MAC address! jeez.

    There's lots of reasons to close your network to the outside. The main one being that you don't want to give people access to your LAN. Most people don't password their computers from other machines on the LAN, since they figure it's secure, but it's not. Also, I tried the default linksys password ("admin") on a couple of the networks, and would have been able to change router settings. Imagine setting up a dreamcast w/ wifi outisde of someone's house on their external power outlets and serving warez off their connection. sheesh.

    these routers should come with little pamphlets about wireless security.

    --



    ...spike
    Ewwwwww, coconut...
    1. Re:yeah, wardrive and prove it! by MyDixieWrecked · · Score: 4, Informative
      btw, screenshot:

      WARDRIVE!

      --



      ...spike
      Ewwwwww, coconut...
  8. Re:Interesting... by pe1rxq · · Score: 3, Informative

    This isn't about wep....
    Its about people using an insecure method to access their mail.
    The wireless access points were ment to be open to the public.

    Jeroen

    --
    Secure messaging: http://quickmsg.vreeken.net/
  9. How to add WEP to your WAP by Jon+Abbott · · Score: 4, Informative

    Here's a simple guide to setting up WEP on your WAP:

    1. Visit this page -- it will generate 13 random hexadecimal digits that you will use for a 128-bit key.

    2. Copy the resulting digits into a text editor and strip out all of the whitespace between the characters.

    3. Log into your WAP router and go to the Wireless configuration settings. Select the "128-bit encryption" option, and enter the generated key into the WEP key field.

    4. The last step is OS-dependent... In OS X, you would log on to the WAP as usual, except that now it will ask for a password. Select the dropdown box labeled "password" and change it to "128-bit Hex", then enter in the generated key. I believe OS 9 users will need to enter a "$" before their hex key for it to work properly. It won't let you paste the key in, so you will need to type it carefully. I don't run my Linux box via WAP, so I'm not exactly sure how Linux users would do this -- feel free to reply to this post and add other OS instructions...

    --
    Slashdot's first reaction to VMware