Study: Wi-Fi users Still Don't Encrypt
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
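The kind of count the article describes, as an added example that is not part of the submission or of AirDefense's product: each observed POP3 session is classified by whether a passive sniffer could have read the credentials, then the share of protected sessions is tallied. All session records are constructed sample data, not real captures.

```python
from collections import Counter

def classify_session(server_port, client_commands):
    """Return how a POP3 session exposed its credentials to a passive sniffer.

    'tls'       implicit TLS on port 995; only ciphertext is visible
    'starttls'  STLS issued before any credential command; same result
    'cleartext' USER/PASS sent in the clear (the 'unencrypted' case above)
    'digest'    APOP challenge-response: no raw password, but offline-guessable
    'none'      no credential command observed
    """
    if server_port == 995:
        return "tls"
    for line in client_commands:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STLS":
            return "starttls"
        if verb == "PASS":
            return "cleartext"
        if verb == "APOP":
            return "digest"
    return "none"

def tally(sessions):
    """Count session kinds and the percentage of credential-bearing sessions that were protected."""
    counts = Counter(classify_session(port, cmds) for _ip, port, cmds in sessions)
    protected = counts["tls"] + counts["starttls"]
    exposed = counts["cleartext"] + counts["digest"]
    total = protected + exposed
    pct = round(100 * protected / total, 1) if total else 0.0
    return counts, pct

# Constructed sample sessions: (client_ip, server_port, client commands seen on the wire).
SESSIONS = [
    ("10.0.0.11", 110, ["USER alice", "PASS hunter2", "STAT", "RETR 1", "QUIT"]),
    ("10.0.0.12", 110, ["CAPA", "STLS"]),            # everything after STLS is ciphertext
    ("10.0.0.13", 995, []),                          # implicit TLS, nothing readable
    ("10.0.0.14", 110, ["APOP bob 0f0f0f0f", "LIST"]),  # digest value is a placeholder
    ("10.0.0.15", 110, ["USER carol", "PASS s3cret", "QUIT"]),
]

if __name__ == "__main__":
    counts, pct = tally(SESSIONS)
    print(dict(counts), f"{pct}% of credential sessions protected")
```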
First post through my neighbor's compromised WAP gateway. Off to view some porn now. :-)
A similar survey would be to test how many POP3 servers out there support SSL. I suspect that it's on the low side of 3%. POP3 with SSL is a trivial, easy alteration that many POP3 clients support, instantly securing the network without layering on a secondary encryption layer (VPN/PPTP/IPSec) when all you want is to check your email, which is what probably 99% of the users do at trade shows like this.
There is some good basic WLAN security info on AirDefense's knowledge center section of their website...
Something clever...
And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.
Furthermore... there are legal implications. Is sniffing out POP passwords in this way illegal? Probably, but maybe not.. but is doing so off an encrypted channel illegal? Most certainly... as there is no logical way you can deny that you knew the signal was supposed to be private.
This only verifies the importance of application level encryption. Every socket communication should be encrypted so that security doesn't rely on the network connection itself.
Suprasphere encrypts all socket communication using a dynamically generated Diffie-Hellman key exchange. This is much better than SSL because it does not require using a CA so you can set it all up without any administrative overhead.
Furthermore, all authentication uses a zero-knowledge proof so that a password is never sent over the wire. Even though the traffic is all encrypted anyway, this adds another level of security so that a compromised passphrase at one sphere will not allow authentication at any other. You can store a profile at different places that can only give you access if you can prove beyond a statistically reasonable doubt that you are who you say you are.
With all the media hype about wireless, a growing number of people are simply buying an access point and a couple of NICs, flicking through the manual, and then running default configurations, because the average user probably isn't aware that what they are doing *is* insecure, and has never heard of WEP. No doubt this (and newer ideas such as 802.11x) will be in the 'advanced' section at the back of the manual with bluntly technical instructions filled with acronyms and concepts that a non-IT savvy person would simply skip over.
Once it 'works', the majority set-it-and-forget-it - no different to the populace of home users running xDSL without a firewall, or those who never patch their boxes. A quick drive round your local residential area with a copy of Kismet proves this point for anyone with any doubt =)
On the flipside of the coin, in the corporate world, sales reps, engineers, and other 'road warriors' should really be given this advice from their support teams, and have their machines configured appropriately in advance by someone knowledgeable - they really can't be held responsible for the lack of action by the correct department.
The point of this analysis was that when people used unencrypted wifi in public places, they used open and unencrypted channels to communicate sensitive information such as email passwords. i.e., they didn't establish an encrypted VPN session first, or their organizations don't use IPSec/POP3 SSL. The net effect is that they're publicly broadcasting all of their information.
Of course I wouldn't see it much differently if the conference hall had CAT5 jacks that you could plug into: You still should have no faith in the people running the show, or anyone capable of putting in a wire shunt, who have every ability to log and trace all of your messages: You should always presume that someone is listening. This is just another reminder that the world needs to move to secured application layer transport protocols as mandatory (or blocking external access apart from through a VPN) as quickly as possible, because the human element will always take the easiest route, and the natural human instinct, barring a case of paranoia, is to presume that nothing will ever happen to them. Every victim is someone who thinks it'll only happen to the next guy.
If you use WEP, but everyone knows the key (e.g., at a trade show so you need to make the key public to let people on the WiFi network), I assume that's the same as unencrypted. However, why couldn't there be a RSA or symmetric encryption for 802.11[x]? So you make the public key for the access point, available, anyone with that can connect, but your PC/WiFi card encrypts every packet going out the door, so the traffic going from the client to the access point is now secure. Similarly, the client gives the access point its public key, so all the traffic coming back to the client is also secure. This probably requires a lot more overhead in the access point and client, but I don't think that it would be unreasonably so.
And with some patience, very little in fact, your car door can be opened, and your car stolen, or your house door opened, and your house cleaned out... but that doesn't mean we run around leaving our doors unlocked and open.
A lot of people do leave their doors unlocked. Besides, your analogy is flawed because breaking into a car or house attracts people to the presence of the crime. Cracking WEP encryption is something that can be done in the privacy of your own home.
Is sniffing out POP passwords in this way illegal?
Maybe not, but using that sniffed POP password certainly is.
Encryption might take a while to set up, but it's a very good thing. Not only for your own data.
I'll explain. Many of us run web servers and let friends have sites or mail accounts on them. Now, I'm pretty sure that in most places reading your user's mail is illegal. Suppose you're logged in on your server trying to solve some problem by looking at what's going on with a sniffer like tcpdump or ethereal. Accidentally you see a friend's private email scroll by.
Now, of course, this wasn't intentional. But what if you make a slip? The email could have been about some event you didn't know about. Then, a week later you forget where you got that information from, you ask that friend about whether his grandma got better. The friend then asks "How do you know that? You weren't reading my mail, were you?". Depending on how this person feels about you, you might get into some trouble.
This is why on my server I provide IMAP accounts only through SSL. I never look in user directories unless needed. And I tell everybody who gets an account that if they want to be completely sure their data stays confidential that they should use PGP and that I can explain how to use it.
It's not that hard to set up, anyway. Set up a mail server with SSL and you'll be able to check your mail safely from anywhere. Install SSH for administration. Install Apache SSL even if you don't need it much, to give the users who want it the ability to log in with an encrypted connection. Use an instant messenger like Jabber with a SSL connection too.
Don't worry about self-signed certificates. A certificate from Verisign provides a rather small increase in security which people tend to ignore anyway. If you just want to keep your traffic from being sniffed, it should be enough.
Excepting web browsing, most of my data is encrypted. I even found that I can browse kuro5hin.org through https. It's a good thing too; when I log in, my password won't be sent in clear text.
The point of WEP is misunderstood, as well. Yes, it was poorly implemented.. but it was not supposed to be the data security layer anyway... just "wired equivalent".
That means.. it was supposed to be roughly as hard to get access to the actual network packets as it is when someone has a wired lan.
The wire is not secure, as you know. Wires can be tapped numerous ways, invasively, or passively. Yes, the logic is kind of flawed, the situation is different.. but it just makes it harder to sniff, not impossible.
It wasn't supposed to be a replacement for using secure protocols.
I was surprised that I was able to pick these up from the street. Also surprising were the names of some of the networks, I mean kittyNET, c'mon!
Also, it's amazing how many people have linksys.
USE WEP, PEOPLE! Or at least configure your router to only accept your computers' MAC address! jeez.
There's lots of reasons to close your network to the outside. The main one being that you don't want to give people access to your LAN. Most people don't password their computers from other machines on the LAN, since they figure it's secure, but it's not. Also, I tried the default linksys password ("admin") on a couple of the networks, and would have been able to change router settings. Imagine setting up a dreamcast w/ wifi outside of someone's house on their external power outlets and serving warez off their connection. sheesh.
These routers should come with little pamphlets about wireless security.
...spike
Ewwwwww, coconut...
The average non-technical user is happy enough just getting things working.
Home users want to take their notebooks anywhere in the house and be able to surf. Business travel through airports (interoperability) may not even be their priority.
Why should they be concerned about mac addresses or hex keys? Firmware upgrades to make things more compatible?
Let's make it easy for them. Vendors should sell wireless home networking kits that have all the encryption turned on in advance by default, with drivers that assume this also by prompting for the prepackaged keys at install time.
Joe user could buy a box containing an access point with two pcmcia wireless nics. By default those two nics will be the only ones that can access the access point. The shiny box that says "easy install" will be what clinches the purchase.
Of course an advanced user could still change the defaults to suit their needs.. but that requires effort.
Joe User will always assume the defaults are good enough for him, and they should be.
You misunderstand. WEP was poorly designed and should not be trusted, but just because WEP is broken doesn't mean that all encryption is broken, and it doesn't stop me from sending securely encrypted traffic over a completely open access point, or over a WEP access point.
At the moment I am sitting in a coffee shop with free, unencrypted, 802.11b internet access. My reading of slashdot, and the posting of this message, are quite readable by anyone nearby with motivation, a computer, and some brains.
But in another window I have an ssh session logged into my basement Linux server. When I logged in my notebook checked that the signature was as expected and therefore there was no man-in-the-middle attack going on. I am typing this on a notebook I control, I have high confidence that that session is as secure as my house (the weak link, my server is there). I don't need to trust the guy sitting a few chairs down, I don't need to trust the coffee shop.
If I really want to do some web browsing secure from local sniffers I could fire up netscape from my basement but with the display on my notebook. (X has some benefits.) It would be slow, but it would work.
Encryption is not a magic bullet, but it is a very valuable tool.
What can you do? Don't use MS Windows. Don't use telnet for text logins, don't use plain POP or IMAP for reading e-mail--there are encrypted versions of both. Be worried about banking on open wires; if you see a padlock in the corner of your browser window it means (probably means, there could be bugs) it is encrypted and you have a secure connection to the other end--but who is on the other end? Is it *really* your bank? (This is the man-in-the-middle attack.) Think twice before typing important passwords on a keyboard you don't control. Twice in recent months there has been news of rogue technicians putting sniffers on keyboards, I think one was airport kiosks and one at some college.
Don't use one (or even two) passwords for everything. It is far better to write your different passwords down on a list and keep it in your wallet than it is to reuse passwords in different circumstances. If someone mugs you they can get the list and they might not appreciate its significance, but if you reuse a password one crooked or incompetent web site can leak and now anyone in the world might have your "master key". I keep my list of passwords encrypted with one nasty-ass-long password, and that one I don't write down. Pick good passwords, single words, names, dates, etc., are bad ideas.
Now think about all this advice. Think it through. Understand why I said what I said and whether it makes sense. There are no easy rules to computer security, you have to stop to understand the problem a bit.
One of the tasks involved in becoming an adult is to acquire an ability for "common sense", something that children don't have and take years to develop. Well, computer security has hit us and turned us all into children who have to learn a new kind of common sense. Don't just follow rules, learn and think. And don't be too paranoid.
-kb, the Kent who keeps his ssh related software up to date, and you should too.