Slashdot Mirror


Feds Hack Wireless Network in 3 Minutes

xs3 writes "At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the PowerPoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team."

110 of 501 comments

  1. First DEAD BEEF by jargoone · · Score: 5, Funny

    Note to self: change WEP key to something other than "DEADBEEFDEADBEEFDEADBEEFDE".

    1. Re:First DEAD BEEF by Tackhead · · Score: 5, Funny
      > Note to self: change WEP key to something other than "DEADBEEFDEADBEEFDEADBEEFDE".

      Note to poster: DEADFEDDEADFEADDEADFED is also a poor choice.

    2. Re:First DEAD BEEF by jargoone · · Score: 5, Funny

      > Note to poster: DEADFEDDEADFEADDEADFED is also a poor choice.

      Indeed it is. It's several characters too short.

    3. Re:First DEAD BEEF by British · · Score: 2, Funny

      Alternate WEP key (er, something like this): BA DB 0B 13 37 (bad bob leet)

    4. Re:First DEAD BEEF by cp.tar · · Score: 2, Funny
      > Note to poster: DEADFEDDEADFEADDEADFED is also a poor choice.

      You don't want typos in your WEP key now, do you?

      --
      Ignore this signature. By order.
    5. Re:First DEAD BEEF by mrgreenfur · · Score: 3, Funny

      What's the deal with dead beef?

      At the school I go to the wireless gateway for campus's MAC is DEADDEADBEEF.
      Is this just a popular phrase to spell with hex?

    6. Re:First DEAD BEEF by RFC959 · · Score: 5, Interesting

      > Is this just a popular phrase to spell with hex?

      Pretty much. It does have some historical meaning, although most people are probably unaware of it. See DEADBEEF in the Jargon File.
  2. WEP = weak by null+etc. · · Score: 4, Insightful

    WEP was almost a weak afterthought for wireless technology. This is just a demonstration of why WEP users should switch to WPA.

    1. Re:WEP = weak by gad_zuki! · · Score: 5, Insightful

      Is WPA a solution? WPA is just as, if not more, susceptible to a dictionary attack because it's password based. WEP isn't usually, but in this case they were using a dictionary attack to crack APs which generate keys from English words. Like Linksys does.

      More info here.

    2. Re:WEP = weak by C10H14N2 · · Score: 3, Interesting

      This is a demonstration of why anything that is not isolated should be treated as inherently insecure.

      Put the AP on the outside of the firewall and your network security is no more compromised than it is by simple fact of being connected to the internet in the first place. Your internet connection is FAR more dangerous. Secure yourself against that and treat any wireless connection no differently.

      I use WEP _purely_ to limit leeching, nothing more. Beyond that, I don't see the point in bothering worrying about it, since if your primary network connection is LESS secure than your WiFi connection, you have MUCH bigger problems. Bandying around about encrypted APs just seems pennywise in that context. I mean, would you feel terribly secure if your wired network connection was absolutely secure for 500ft from your building and totally wide open at either end? Seems rather pointless to me and that is EXACTLY what you have with WiFi. Who the fsck cares and if so why?

    3. Re:WEP = weak by BJZQ8 · · Score: 2, Funny

      How will Windows Product Activation help us?

    4. Re:WEP = weak by Serveert · · Score: 2, Informative

      Sniffing WEP traffic allows you to better determine the session key; sniffing WPA traffic won't help you since the session key is regenerated regularly. Of course the WPA PSK (private shared key) is susceptible, but just choose a large random key and you're fine.

      --
      2 years and no mod points. Join reddit. Because openness is good.
    5. Re:WEP = weak by Lumpy · · Score: 5, Insightful

      My WAP is directly connected to my internal network and has NO WEP enabled or anything else. It's "wide open" and it's more secure than any company wireless access point I have ever seen.

      If you cannot receive the signal, you cannot access or hack it. My home has aluminum siding with aluminum screening. My access point is in the basement on the street side with another sheet of aluminum 1 wavelength away from the antennas in the direction of the street.

      So far even holding a wireless card AGAINST the window screens will give you no signal; you must be in the house to get a signal, and then it's strong.

      The first thing in security is to make sure that your wireless signal is not going places you do not want it to.

      --
      Do not look at laser with remaining good eye.
  3. How is this news? by Nintendork · · Score: 4, Insightful

    Do we really think the FBI is so ignorant that they aren't aware of WEP and WPA cracking utilities?

    1. Re:How is this news? by LiENUS · · Score: 2, Insightful

      Why would they need 3 geographically diverse APs? The wireless NICs broadcast uniformly, there is no directionalization. 3 geographically diverse listening stations should be enough to triangulate someone's location.

  4. Those Crazy Feds by clarus · · Score: 2, Funny

    Was the password public?

    I bet it was public:public

    Silly FBI

    1. Re:Those Crazy Feds by Cumstien · · Score: 2, Funny

      No, linksys, like the ID.

    2. Re:Those Crazy Feds by lucabrasi999 · · Score: 5, Funny
      > I bet it was public:public

      Actually, the Password was 1-2-3-4-5.

      I found that to be rather disturbing, since I have the same combination on my luggage.

  5. takes me longer than 3 minutes by amichalo · · Score: 5, Funny

    Damn those feds are good.

    It takes me longer than 3 minutes just to type the WEP key from my router into my client!

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:takes me longer than 3 minutes by SirTalon42 · · Score: 2, Informative

      That's not a WEP key. A WEP key is a hex value. The 'password' feature is only used to generate a key. Also the same password will generate different keys on different manufacturers' products (sometimes they are different for the same manufacturer).

  6. No worries. by unstable23 · · Score: 5, Funny

    I live in the middle of nowhere. I think I may notice two men sitting with a laptop in an ominous black car with government plates, as the only place they could be close enough is my driveway.

    Still, it may be time to look at running an IPSEC tunnel over the wireless network.

    1. Re:No worries. by B3ryllium · · Score: 5, Funny

      But what if they have special FBI antennas? Made from FBI pringles cans?

    2. Re:No worries. by _Sprocket_ · · Score: 5, Funny

      ....black, ominous pringles cans?

    3. Re:No worries. by AvantLegion · · Score: 2, Funny
      >> ....black, ominous pringles cans?

      I don't know about that, but I have a four year old Pringles can in my pantry. One glance through the clear lid reveals the chips are looking black and ominous themselves...

    4. Re:No worries. by sharkey · · Score: 2, Funny

      Agent Starling: "He said he could smell my Pringles"

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    5. Re:No worries. by marnerd · · Score: 3, Funny

      Particularly because you live in Wisconsin!

      --
      Not so much a sig as a lack of one.
  7. Tongue, Meet Cheek by American+AC+in+Paris · · Score: 5, Interesting
    > Thankfully, the FBI are the good guys.

    When I first read the closing line of the article, I chuckled.

    Then I felt dismayed.

    It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

    --

    Obliteracy: Words with explosions

    1. Re:Tongue, Meet Cheek by SeattleGameboy · · Score: 5, Interesting

      > It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

      Shame... but well earned. Just read the history of FBI.

    2. Re:Tongue, Meet Cheek by be-fan · · Score: 4, Insightful

      Confidence and respect should not get in the way of pragmatism. To a great degree, the FBI's interests and one's own align. To a lesser degree, they are divergent. This is particularly true in the realm of privacy, where it is in the FBI's interest to violate it, and your own interest to protect it. In cases where interests do not coincide, it is completely rational to not be at least wary.

      --
      A deep unwavering belief is a sure sign you're missing something...
    3. Re:Tongue, Meet Cheek by be-fan · · Score: 2, Insightful

      Let's try that again. "It is irrational to not be at least wary".

      --
      A deep unwavering belief is a sure sign you're missing something...
    4. Re:Tongue, Meet Cheek by Boronx · · Score: 2, Insightful

      Woah. You don't have to read Chomsky to know that these guys are quite often up to no good.

    5. Re:Tongue, Meet Cheek by Verteiron · · Score: 3, Interesting

      Well, I would be pretty disappointed if the FBI couldn't do this. I'm also pretty confident that if they are publicly announcement a 3-minute crack, they've probably got a 30-second cracking process down in the basement. Of course, that won't be announced until the 10-second one is working...

      My respect for the FBI borders on paranoia because it is their job to have access to things that I do not. I'm pretty sure it's human nature (at least for -this- human) to keep a respectful, watchful eye on those with more knowledge than I have.

      --
      End of lesson. You may press the button.
    6. Re:Tongue, Meet Cheek by Anonymous Coward · · Score: 3, Insightful

      Sometimes biased people are the only ones willing to present certain FACTS at all.

      Actually, replace "sometimes" with "almost always".

      Honestly, the only people who should worry about bias to the extent of ignoring an entire publication or speaker are the ones too fucking stupid to cross-reference citations. Chomsky is usually damned thorough and rigorous about referencing neutral media - in fact at least 25% of his communication, in my experience, has been debunking "leftist" bullshit. Intelligent people on the "right" do the same kind of self-policing. It's only the sheep-like extremist newbies that howl about bias day-in and day-out.

    7. Re:Tongue, Meet Cheek by erikkemperman · · Score: 5, Insightful

      I think I see your point. Individual FBI agents are probably very highly skilled.

      The problem is that, as an agency, it is their collective duty to enforce bad policies. Increasingly, they are defeating their own purpose and becoming a threat to the very freedoms they supposedly protect. The war on drugs and PATRIOT spring to mind.

      "They're only doing their job" is never an argument: unethical practice is not magically justified or even mitigated by being paid for it. If anything I'd say the opposite is in fact true.

      And in that regard, the fact that their agents are such able individuals is really just sad: think of what they might accomplish if only they were not busy hatching plans to penetrate my tinfoil hat?

      IMHO, no offense.

      --
      Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
    8. Re:Tongue, Meet Cheek by dido · · Score: 5, Informative

      At least we "geeks" have not been so foolish as to forget history. The FBI *earned* the mistrust and fear that we, and other people who haven't already been brainwashed yet. The story of COINTELPRO is a case in point. There are many other similarly creepy programs that they've embarked on in their history, and since the Patriot act has practically removed the checks on their authority that once existed, there is more reason than ever to be mistrustful and fearful of them.

      --
      Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.
    9. Re:Tongue, Meet Cheek by shic · · Score: 3, Insightful

      > It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

      What a loaded sentence! It is sufficiently ambiguous that despite feeling I disagree, the multiple potential interpretations make it difficult to make a counter argument.

      I do think it is a shame that historic institutional dishonesty demands contemporary suspicion. The vast majority of people have nothing to fear from the likes of the FBI - mainly because they are likely to be insignificant. Neither mistrust nor fear is mutually exclusive with respect. I feel I'm cross-over Gen-X to Gen-Y... Respect is automatic; disrespect is earned. Reverence is most likely an indication of fear or stupidity. Mistrust is a pragmatic reaction whenever strong personal relationships can't be relied upon.

    10. Re:Tongue, Meet Cheek by nametaken · · Score: 2, Insightful

      > "They're only doing their job" is never an argument: unethical practice is not magically justified or even mitigated by being paid for it. If anything I'd say the opposite is in fact true.

      If what you meant was, individual agents shouldn't break the law, then I agree with you entirely. If you mean they shouldn't do anything we might consider unethical, even if it's the law, then I might disagree a bit.

      I tend to think we should strive to change laws we believe are wrong, not complain about FBI agents who carry out the law.

      I think it's important that FBI agents aren't making their own laws in the course of duty. It's our job to make the law, using our elected officials.

    11. Re:Tongue, Meet Cheek by Geoff-with-a-G · · Score: 2, Informative

      "Spook" refers to an agent of the CIA, not the FBI.

  8. WPA is just as 'weak' against Brute Force by Phoenixhunter · · Score: 4, Insightful

    As long as people continue to use dictionary based passwords, it doesn't really matter how good the encryption is.

    1. Re:WPA is just as 'weak' against Brute Force by hey! · · Score: 4, Interesting

      Personally, I use "random.org" to generate 152 bit keys. These should be reasonably secure from brute force attacks.

      This is reasonably secure for most of my clients, but I'm still a bit worried about those mind-control-rays penetrating my tinfoil hat. How do I know the numbers weren't intercepted. Granted, I'm not advertising the customers they're going to, but you can never be too careful.

      Anybody have experience with building and integrating a hardware random number generator?

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:WPA is just as 'weak' against Brute Force by Speare · · Score: 3, Funny

      Just simply combine words from different languages. "Gandalf said 'mellon,' and the doors to Khazad-dum opened wide."

      --
      [ .sig file not found ]
    3. Re:WPA is just as 'weak' against Brute Force by wirelessbuzzers · · Score: 3, Informative

      > Anybody have experience with building and integrating a hardware random number generator?

      Yes. But I can also tell you, a hardware RNG is overkill for these purposes. There is easily enough randomness available through /dev/random based on disk timings and such to make strong 152-bit keys. Alternatively, you can roll a bunch of dice.

      If you really, really want a hardware RNG, go for a Soekris card or a C3 processor, or make your own RNG (integrating that would be tougher, though).

      --
      I hereby place the above post in the public domain.
    4. Re:WPA is just as 'weak' against Brute Force by hey! · · Score: 3, Funny

      I'm not so sure. Wireless security has been historically so bad, every bit of key randomness we can get is probably worth it.

      It's like the old joke about the two hikers who encounter an enraged, ravenous bear. The first hiker quickly strips off his hiking boots and starts pulling on his running shoes.

      "You fool, an adult bear can run 30 miles per hour," the other hiker says, "you can't possibly outrun it."

      "I don't have to outrun the bear," the first replies, "I just have to outrun you."

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:WPA is just as 'weak' against Brute Force by Anonymous Coward · · Score: 2, Funny

      you should read your sig

    6. Re:WPA is just as 'weak' against Brute Force by Seigen · · Score: 2, Informative
      Anyone using WEP to secure anything important needs to get a clue.

      That being said, skimming the slashdot responses it wasn't WEP's weakness but the weakness of the text to key algorithm in this case.

      As far as dictionary based passwords go, it can be phrased more simply as reducing the cardinality of the keyspace. It doesn't matter how you reduce it; it is just the end result that the total keyspace is smaller, allowing an easier search.

      That being said, I'm not willing to say that dictionary based passwords are completely useless in all cases. They are a very bad idea, and make things orders of magnitude easier, but in some cases they might be adequate for low levels of security. It just depends on how long the system needs to remain secure and the cost of that security being violated.

  9. Comment by pete-classic · · Score: 5, Funny

    None of the agents could be reached for comment, as they were all busy arresting each other citing the Patriot Act and the DMCA.

    -Peter

  10. Encryption is now useless by d'oh89 · · Score: 5, Insightful
    Guess it's time to pack it up and go home? Course not. No one in their right mind would trust 128 bit encryption over a wireless network for enterprise sensitive data. That's why we have other methods available (Secure token comes to mind). Now if someone really wanted your credit card number when you buy Doom 3 from Amazon.com, they're gonna get it. Luckily you'll probably get your money back when they buy a nice new 30" Mac display and a dual 2.5 GHz system.

    People just need to realize that nothing is infallible; maybe when this is mentioned on Fox News or CNN the general public will learn that they shouldn't trust their network for sensitive data. I know I don't.

    1. Re:Encryption is now useless by gregor_b_dramkin · · Score: 3, Informative

      "No one in their right mind would trust 128 bit encryption over a wireless network"

      No one in their right mind makes absolute statements. Yes, I know. This sentence is a paradox. Or is it?

      The number of bits is not the problem. The (a) problem with WEP is that it contains weaknesses which allow shortcuts that take less time than an exhaustive search of the keyspace would take. The effective strength of 128 bit WEP is regarded as much weaker than 128 bit AES encryption.

      --
      You can never equivocate too much.
    2. Re:Encryption is now useless by Flying+Purple+Wombat · · Score: 2, Insightful

      > People just need to realize that nothing is infallible; maybe when this is mentioned on Fox News or CNN the general public will learn that they shouldn't trust their network for sensitive data. I know I don't.

      The general public will do nothing of the sort, because:

      1. They are stupid.

      2. They assume the Feds are the only ones with uber-1337 hacking tools required for this "difficult" task.

      3. Network vendors will threaten to pull advertising money if the media runs the story.

      --
      If God had meant for man to see the sunrise, He would have scheduled it later in the day.
    3. Re:Encryption is now useless by displague · · Score: 4, Funny

      640 bits of encryption ought to be enough for anybody.

      --
      Marques Johansson
    4. Re:Encryption is now useless by Drakonian · · Score: 2, Insightful

      Hold on there turbo. Your ecommerce transactions are still encrypted (with something much more secure than WEP). It's not like your CC is transmitted in clear text. It's no more insecure than buying something on a LAN like at work or on campus.

      --
      Random is the New Order.
    5. Re:Encryption is now useless by autocracy · · Score: 2, Insightful
      WHOA... slow down buddy. 128 bits of a secure algorithm is definitely stable. The problem is WEP has more holes than Swiss cheese. They took advantage of weak keys, known plaintext, expected responses... they had all the advantages in the world.

      Cracking WEP is still far from cracking AES or TwoFish.

      --
      SIG: HUP
  11. Already acting slow... by Theaetetus · · Score: 5, Informative
    Seems this is also an article in how to /. a server in 3 minutes...

    Assembled, for your pleasure:
    -------

    Title: The Feds can own your WLAN too

    Introduction
    Millions of wireless access points are spread across the US and the world. About 70 percent of these access points are unprotected--wide open to access by anyone who happens to drive by. The other 30% are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard.

    At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geoff Bickers ran the PowerPoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys.

    This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.

    WEP Cracking - The Next Generation

    WEP is an encryption scheme, based on the RC4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter, and the scrambled message is then decrypted by the receiver.

    Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV) is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header, and is transmitted in plain text.

    Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets--a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.

    Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"

    On with the Show

    Before we get into the steps that the FBI used to break WEP, it should be noted there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with.

    For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it a SSID of NETGEARWEP. He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers.

    Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows or Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet, so they don't have to switch between Windows and Linux.

    Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.

    Attack!

    After a target WLAN is found, the next step is to start capturing packets and convert th
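
The per-frame WEP header the excerpt describes (a 24-bit IV sent in the clear ahead of the RC4-encrypted body, with the 40- or 104-bit secret appended to it to form the RC4 seed), as an added Python example that is not part of the article or of this thread. The frames, MAC addresses and bodies are constructed samples, and `iv_reuse_report` is a defender-side tally of repeated IVs whose name and shape are my own.

```python
# Added example (not the article's or the FBI team's code): the WEP
# per-frame header the excerpt describes, plus a defender-side tally of
# repeated IVs. All frames, addresses and bodies below are constructed.
from collections import Counter

FC_PROTECTED = 0x40       # "Protected Frame" bit in the 2nd frame-control byte
MAC_HDR_LEN = 24          # frame control, duration, 3 addresses, sequence ctrl
IV_BITS = 24              # WEP IV width
IV_SPACE = 1 << IV_BITS   # only 16,777,216 distinct IVs exist


def build_wep_frame(iv: int, key_index: int, body: bytes) -> bytes:
    """Construct a minimal WEP-protected 802.11 data frame (sample only).

    Layout: 24-byte MAC header | 3-byte IV | 1 byte (key index in the top
    two bits) | body | 4-byte ICV. The body is left as given and the ICV is
    a placeholder; no RC4 encryption is performed here.
    """
    if not 0 <= iv < IV_SPACE or not 0 <= key_index < 4:
        raise ValueError("iv must fit in 24 bits and key_index in 0..3")
    frame_control = bytes([0x08, FC_PROTECTED])       # data frame, protected
    duration = b"\x00\x00"
    addrs = (b"\x02\x00\x00\x00\x00\x01"               # constructed, locally
             b"\x02\x00\x00\x00\x00\x02"               # administered MACs
             b"\x02\x00\x00\x00\x00\x03")
    seq_ctrl = b"\x00\x00"
    wep_hdr = iv.to_bytes(3, "big") + bytes([key_index << 6])
    icv = b"\x00\x00\x00\x00"                          # placeholder ICV
    return frame_control + duration + addrs + seq_ctrl + wep_hdr + body + icv


def parse_wep_header(frame: bytes):
    """Return (iv, key_index) for a WEP-protected data frame, or None.

    The IV sits right after the MAC header and is sent in the clear, which
    is why a passive listener can collect IVs without knowing the key.
    """
    if len(frame) < MAC_HDR_LEN + 4 + 4:
        return None
    if not frame[1] & FC_PROTECTED:
        return None
    iv = int.from_bytes(frame[MAC_HDR_LEN:MAC_HDR_LEN + 3], "big")
    key_index = frame[MAC_HDR_LEN + 3] >> 6
    return iv, key_index


def per_packet_seed(iv_bytes: bytes, secret_key: bytes) -> bytes:
    """RC4 seed = IV || secret key. A 5-byte secret gives the "64-bit" WEP
    seed, a 13-byte secret the "128-bit" one; only the secret part is
    actually unknown to an observer."""
    if len(iv_bytes) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    if len(secret_key) not in (5, 13):
        raise ValueError("WEP secret key is 5 or 13 bytes (40 or 104 bits)")
    return iv_bytes + secret_key


def iv_reuse_report(frames) -> dict:
    """Tally IVs across captured frames and report repeats.

    With a 24-bit IV a busy access point exhausts the space and must reuse
    IVs; a monitor watching its own AP can use this to judge how exposed
    the keystream is and to justify moving off WEP.
    """
    counts = Counter()
    for frame in frames:
        parsed = parse_wep_header(frame)
        if parsed is not None:
            counts[parsed[0]] += 1
    reused = {iv: n for iv, n in counts.items() if n > 1}
    return {
        "protected_frames": sum(counts.values()),
        "unique_ivs": len(counts),
        "reused": reused,
        "space_fraction_used": len(counts) / IV_SPACE,
    }


if __name__ == "__main__":
    sample = [build_wep_frame(1, 0, b"constructed body"),
              build_wep_frame(2, 1, b"constructed body"),
              build_wep_frame(1, 0, b"constructed body")]
    print(iv_reuse_report(sample))
```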

  12. Protection by dpace32 · · Score: 5, Interesting

    I am surprised that wireless APs don't block a MAC address after X number of attempts

    1. Re:Protection by utexaspunk · · Score: 4, Insightful

      It's not too difficult to change a MAC address anyway. I'd think it would be trivial, especially for the FBI, to modify the MAC address between attempts.

      Now what would be really spiffy would be generating MAC-specific keys, so that (combined with blocking after X attempts) no progress could be made with a dictionary attack...

  13. WEP is only useful for by josepha48 · · Score: 4, Interesting
    preventing people from accidentally accessing your network. In basic wireless security, you should change the SSID and use WEP. That way your neighbor, if they have a wifi card, cannot just see your network and start surfing on it right away. It will take them 3 minutes (LOL). Actually just changing the SSID and WEP will help prevent the potential issue of what happens when you have 3 wifi networks all with the same SSID. What will a client do when it tries to access the network? It should find the strongest signal, but sometimes you may have 2 signals that are the same strength and the client will get a DHCP IP address from one and then try to surf through the other and may have flaky access. I change the SSID for that reason and add WEP to keep the honest people out.

    WEP is like gun laws in the US. They only keep the honest people from having guns. What a great society we live in.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

    1. Re:WEP is only useful for by Anonymous Coward · · Score: 5, Interesting

      > WEP is like gun laws in the US. They only keep the honest people from having guns. What a great society we live in.

      Um no, WEP is like a lock on your door and shades on your curtains. It provides you with a certain level of protection and privacy. They won't stop the prof. thief or the determined voyeur. If you need/want a higher level of privacy/safety, then one needs to take additional steps to try to attain them.

      Note too that having WEP enabled also is a useful tool when it comes time to prosecute. If you leave your packets unencrypted for the world to see, then someone might have a reasonable argument for "accidentally" capturing your data (hey, there is no law against sniffers right). However, if you have WEP enabled (regardless of how strong), then someone would have to be actively trying to break your key to get to your data. You can then prove intent.

    2. Re:WEP is only useful for by daeley · · Score: 3, Insightful

      > An armed society is a polite society.

      Perhaps, but a polite society isn't necessarily an armed one.

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    3. Re:WEP is only useful for by Atryn · · Score: 3, Insightful
      > An armed society is a polite society.

      I think certain middle-eastern situations might be proving otherwise.

      --
      Come play Moral Decay!
    4. Re:WEP is only useful for by feloneous+cat · · Score: 2, Funny

      > You must provide SOME incentive for people to be polite

      I use $100 bills and exotic vacation packages as an incentive. It is freaking amazing how polite people are when you do that...

      --
      IANAL, but I've seen actors play them on TV
  14. Re:Not too surprising by Anonymous Coward · · Score: 5, Informative
    Wow, you didn't read the article did you?

    They didn't do a dictionary attack. What they did was use aircrack that uses a statistical method to crack the key. You need lots and lots of packets and they got those using void/deauth and a replay attack. It's all in the article.

    Also, you also only need one packet to brute force a key.

  15. Wifi: Feds best friend on a stakeout by 9mm+Censor · · Score: 4, Funny

    So now when the feds are parked out in front of your house waiting for you to leave your apartment, they can leech off your neighbours wifi...

  16. Re:Countermeasures & Conclusion by Anonymous Coward · · Score: 5, Informative
  17. Not really WEP weakness by Jaime2 · · Score: 5, Insightful

    This doesn't show that WEP is insecure... simply that the key-generation schemes favored by many manufacturers are insecure. Netscape 2.2 was vulnerable to the same type of weakness by using 22 bits of information to build its 40 bit session key for SSL.

    BTW, assuming a similar key generation scheme, this technique could break AES or 3DES, the encryption algorithm is irrelevant here. Why is it that vendors of security products can't figure out security?

  18. Re:Not too surprising by Qzukk · · Score: 5, Informative

    I only managed to get to the third page of the useless article (seriously people, put more than 2 paragraphs on a page!)

    But so far I have "He encrypted the access point with a 128 bit key--made by just keying in random letters and numbers." which makes me wonder if they actually used a dictionary attack...

    Finally loaded the 4th page. Apparently they knocked an authorized user off the AP repeatedly and collected the resulting flood of reauthentication packets, plus used packet replay attacks to get the AP to respond to replayed ARP requests (apparently they are easy to spot in a pcap dump despite encryption). This gave them all the IVs they needed to crack the key.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  19. other way around by 404forbidden · · Score: 2, Funny

    I read too fast; at first I read "fed wireless network hacked in 3 minutes" ... "old news" I thought..

  20. Re:Not too surprising by Cruithne · · Score: 5, Funny

    What is surprising is that such a l33t cr3w used powerpoint for their presentation :/

  21. You are joking right? by Anonymous Coward · · Score: 4, Informative

    > On top of WEP encryption, you should also try to filter access to your wireless network using MAC addresses. I do not think a hacker would be able to easily get around that...

    OK, just in case you seriously don't know, MAC addresses are not encrypted, so it is dead simple to sniff traffic to find valid MAC addresses and then change the MAC address of the hacking box to the valid MAC address (usually during a time when that machine is not actually connected). I've heard that this is a good way to gain access at pay to play locations like Starbucks ;) MAC filtering will only stop the very casual person from gaining access to your network.

    Also keep in mind that MAC filtering only prevents someone from joining the network, you can still sniff at will at the packets.

  22. Re:Not too surprising by Flying+Purple+Wombat · · Score: 2, Interesting

    Interesting post, too bad I used up my mod points earlier today.

    Question: what is a suitable length for a random passkey? I always use random strings for stuff like this, but wonder how long they should be.

    --
    If God had meant for man to see the sunrise, He would have scheduled it later in the day.
  23. Just Leave It Open by duffer_01 · · Score: 5, Funny

    Glad I didn't go through the effort of locking mine down. Who has the last laugh now, Mr. "You gotta lock that thing down"?

  24. Re:Countermeasures & Conclusion by Homology · · Score: 3, Informative
    Even more secure:

    1) Install OpenBSD after plugging in a wireless card that can be used in hostap mode.

    2) Install OpenVPN (which has a nice Windows client), and generate server and client certificates. There are howtos and scripts for this.

    3) Configure the built-in OpenBSD packet filter to only accept connections to/from OpenVPN ports on the wireless NIC.

    4) Show war drivers the finger.

  25. Great, reasonable doubt in a pringles can by maird · · Score: 5, Insightful

    So, just about any law you can break with a computer is now fair game. When you go to court just refer to the three minutes it could have taken some nefarious hacker to use your network without your knowledge. Since the likelihood of such an attack is low then I recommend everyone use a dictionary entry to generate keys. It will keep your neighbours off your network and you'll leave yourself with a perfect reasonable doubt defence when sued or prosecuted.

  26. Pffft Cracking? The Feds have backdoors! by Phoenixhunter · · Score: 5, Funny

    Nah, they have the manufacturers build in a backdoor! Didn't you watch 24 last night? All they needed was the manufacturer ID and they got root access!

  27. Is wireless security overrated? by loopsandsounds · · Score: 2, Insightful

    Maybe 10% of the population are aware of WEP's weaknesses, but would the other 90% understand what/where/how to configure WPA on an AP or gateway? I'm not quite sure that Joe home user should be so worried about his WEP key. Most home users don't have any security policy or strategy (i.e. millions of exploited Windows machines sitting directly on the internet), and most businesses have a poor network security policy. As a consultant for a large networking manufacturer, I am amazed at the lengths corporations will go to in securing their wireless network, meanwhile you can walk into unsecured parts of the building and just plug in (no 802.1x), or they have a substandard VPN or internet gateway solution. Maybe it would make more sense for our government to do seminars on security practices for computing (including wireless networking) versus demonstrating a 4+ year old IV weakness vulnerability?

    --
    I was throwing you the 48, but you made me switch to the 132.
  28. I personally prefer by arglesnaf · · Score: 4, Funny

    DECAFC0FFEEBADBADBADBADBAD

  29. Most likely /.'er response by Cereal+Box · · Score: 2, Funny

    How dare they! The feds have no right to break into someone's wireless network, no matter how simple the password! I want to see the FBI taken down for this! <continues ranting about "the feds">...

    I'm sure we'll hear many comments along those lines from Slashdotters who are no doubt using a wireless connection that they've broken into...

  30. Corporate Espionage by SunFan · · Score: 3, Insightful
    This is why I always get a little nervous seeing wireless routers stuck to the ceilings of some offices. Given the average security of most offices with wired networks, the outlook for un-wired networks isn't good, IMO.

    Pulling cable is a PITA, but it is a layer of physical security that shouldn't be dismissed too soon.

    --
    -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
  31. Re:Not too surprising by NardofDoom · · Score: 2, Interesting
    Sure, you could md5 some random string... if you didn't want to remember it.

    Or you could use someone's handy-dandy Random Password Generator and come up with something you'll actually remember.

    </shameless plug>

    --
    You have two hands and one brain, so always code twice as much as you think!
  32. Re:Not too surprising by Dr.+Evil · · Score: 2, Interesting

    Establishing plausible deniability for an upcoming information leak scandal.

  33. Re:Not too surprising by AppyPappy · · Score: 5, Funny

    Bull. They just walked around looking under keyboards.

    --
    If you aren't part of the solution, there is good money to be made prolonging the problem

  34. Re:Countermeasures & Conclusion by Momoru · · Score: 2, Funny

    6) Tinfoil. And LOTS of it.

  35. Re:Not too surprising by flibuste · · Score: 4, Insightful

    Random password generator? On a website? And it's not logging my IP and the password it has generated for me? I would have to be paid to believe this.

    Seriously, how secure is that?

  36. My WEP key by claussenvenable · · Score: 3, Funny

    is one of the 600,426,974,379,824,381,952 ways to spell \/14grA

    dictionary-attack that, G-man!

  37. WEP is dead by DustMagnet · · Score: 3, Informative

    Sorry about replying to myself, but here's a better link for explaining how this attack works.

    --
    'SBEMAIL!' is better than a goat!!
  38. Watch the FBI take credit for somebody else's work by Deker · · Score: 2, Interesting

    So, since nobody has mentioned it, I'll actually break my normal /. silence and point this out.

    The attacks they're using were developed by KoreK and released last summer. Then Christophe Devine re-implemented the attacks in Aircrack.

    The FBI had nothing to do with development of this, they're just advertising that they're script kiddies. On top of that, the methods they used for packet generation so they had something to capture were freaking LAME. Anybody with any form of wireless IDS would see this a mile away (oh yeah, they couldn't even write their own deauth tool...they had to be script kiddies again and use void11...).

    I wasn't AT the talk, and maybe the Tom's Networking guy didn't properly convey the message, but I feel that credit should go to the folks who deserve it, not script kiddies who got some face time at a conference.

    -d

  39. Fine, but how is this useful against TKIP? by AugstWest · · Score: 2, Interesting

    Seriously, when each packet is encrypted with a different key, it seems like this would become a lot more difficult.

    A lot of APs and hubs are coming with it now.

  40. You and The Founders by Ungrounded+Lightning · · Score: 4, Insightful

    Then I felt dismayed.

    It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.
    I find it refreshing.

    The founders of our government were quite aware that the greatest threat to freedom was the very government intended to secure and maintain it. That governments are run by people, that people are fallible, and that the power of government tempts them to seize still more power - to simplify their jobs, to enhance their own lives, or just for the fun of it.

    They knew that some people and some institutions would be corrupted, did their best to put roadblocks in the way of corruption to slow the process down, and to warn their successors (us) to be on watch, so we could catch the inevitable slippages and correct them.

    An attitude of healthy suspicion combined with grudging respect and occasional heartfelt praise is precisely right, when it comes to agencies such as the FBI. Healthy suspicion because agents - singly, in groups, or institutionally - have gotten out-of-hand repeatedly. Grudging respect (which must be earned but is honest when it is), because the government and its agencies houseclean from time to time, the agency mostly stays on track, and many of its agents are honest, hard-working, and often heroic, doing their best to identify, protect us from, and bring to justice some truly evil people. Occasional heartfelt praise - when they earn it (which they often do), spending their sweat, smarts, and blood to make the rest of us safer.

    The reason I find "the 'geek' attitude" refreshing is that it shows that a new generation - no, a large social group that crosses several generations - has "gotten it". Like most powerful tools, law-enforcement and investigative agencies can do significant good when used properly, and even greater harm when misused or broken. Eternal vigilance is needed to keep them in good repair and on the right job. Now we have yet another generation that understands the need for this vigilance and is standing guard.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  41. Two of them are cryptography masters ... by GNUALMAFUERTE · · Score: 5, Funny

    The other is the PowerPoint guru :-P

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  42. Re:Not too surprising by QuietLagoon · · Score: 5, Informative
    I only managed to get to the third page of the useless article (seriously people, put more than 2 paragraphs on a page!)

    I always click on the printer-friendly format. That usually gives you the article and pictures on one continuous page.

  43. No. by Ungrounded+Lightning · · Score: 3, Insightful

    So what this is telling us is the Feds are really just script kiddies?

    No.

    What this tells us is that the Feds are showing people just how TRIVIAL and FAST it is for script kiddies and crooks to break into WLANs. And give you pointers on keeping the petty crooks out (and drastically cut crime and reduce the load on the FBI).

    Surely you didn't expect them to give you a demo of how THEY do it and how to keep THEM out, did you? B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  44. $20 hardware random number generator. by arete · · Score: 5, Interesting

    128 bits. Roll one 8-sided die 51 times (discarding the least-significant bit of the last roll).

    To speed up the process, get one of those clear boxes they use to make sure people take the right number of pills per day. Get one with more than 22 boxes. (4 times a day for a week = 28, fairly common)

    Put dice in boxes. Put a sheet of something solid on the door side. Shake. Invert. Voila, random byte strings. w/ 28 boxes you have 84 random bits. Repeat twice for your 152 bit key, dropping the last 16 bits.

    chessex.com has a variety of dice - you can order single d8s for .50c. I'm fairly certain you could find cheaper prices. I estimate the total cost of this hardware randomizer at $20 if done on the cheap.

    Someone will probably complain about the non-cryptographic quality randomness of this process. But you only need cryptographic quality randomness when you're going to use it very repeatedly and someone can attack the similarity between them. Since the nonrandomness isn't known to anyone outside and you probably aren't generating a massive number of keys you're fairly safe. To increase security, buy dice from multiple manufacturers and occasionally switch around the lots.

    (every 4 d8 values converts to 3 hex values. If you're converting by hand, you could alternately use a pair of dice for a hex value, generating only 56 bits per shake but only needing a table of 16 values to convert by hand to hex. You could also use 4 sided dice for this equally well, since you're only using 4 bits per pair.)

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
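
The dice-to-hex conversion described in the post above, as an added example (not the poster's own code) that generalises the rule to any power-of-two die, so it also covers the d4 pair mentioned in the post and a coin (d2): each face is read as a small binary number, the bits are concatenated, surplus low-order bits of the last roll are dropped, and the result is written as hex digits. The function names and the simulated rolls used for the offline demo are constructed for illustration; real use reads physical dice.

```python
"""Turn rolls of a physical die into a hex WEP key string (added example)."""
import math
import secrets  # only used to simulate dice offline; real keys come from real dice


def bits_per_face(faces):
    """A die with 2**n faces yields exactly n bits per roll; other dice don't divide evenly."""
    n = faces.bit_length() - 1
    if 1 << n != faces:
        raise ValueError(f"a d{faces} does not give a whole number of bits per roll")
    return n


def rolls_to_bits(rolls, faces=8):
    """Map faces 1..faces to a bit string: face 1 -> 000, face 8 -> 111 for a d8."""
    n = bits_per_face(faces)
    out = []
    for r in rolls:
        if not 1 <= r <= faces:
            raise ValueError(f"roll {r} is not a face of a d{faces}")
        out.append(format(r - 1, f"0{n}b"))
    return "".join(out)


def bits_to_hex(bits):
    """Group a bit string into nibbles and emit lowercase hex digits."""
    if len(bits) % 4:
        raise ValueError("bit count must be a multiple of 4 to make hex digits")
    return "".join(f"{int(bits[i:i + 4], 2):x}" for i in range(0, len(bits), 4))


def rolls_needed(key_bits, faces=8):
    """Smallest number of rolls whose bits cover key_bits (43 d8 rolls for 128 bits)."""
    return math.ceil(key_bits / bits_per_face(faces))


def dice_key(rolls, key_bits, faces=8):
    """Build a key_bits-bit hex key from the first rolls_needed() rolls.

    With a d8, four rolls give 12 bits = 3 hex digits (the post's "4 d8 values ->
    3 hex values").  Bits beyond key_bits from the last roll are discarded, which
    is the post's "discarding the least-significant bit of the last roll".
    """
    need = rolls_needed(key_bits, faces)
    if len(rolls) < need:
        raise ValueError(f"need {need} rolls of a d{faces} for {key_bits} bits, got {len(rolls)}")
    bits = rolls_to_bits(rolls[:need], faces)[:key_bits]
    return bits_to_hex(bits)


def pair_to_hex_digit(a, b):
    """Hand-conversion variant from the post: two dice read as 2 bits each -> one hex digit.

    Works with a pair of d4 directly; with d8s only the low 2 bits of each face are used.
    """
    return f"{(((a - 1) % 4) << 2) | ((b - 1) % 4):x}"


def simulate_rolls(n, faces=8):
    """Stand-in for shaking the pill box, so the example runs without dice."""
    return [secrets.randbelow(faces) + 1 for _ in range(n)]


if __name__ == "__main__":
    rolls = simulate_rolls(rolls_needed(128))
    print(dice_key(rolls, 128))  # 32 hex digits from 43 simulated d8 rolls
```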
  45. Re:Watch the FBI take credit for somebody else's w by not5150 · · Score: 5, Informative

    I'm the author of the article.

    1. Where in the article does it say the FBI developed the attacks? Did you RTFA?

    2. For the IDS comment, I did state that it is NOT a stealthy attack. Not stealthy = IDS will pick it up.

    3. You weren't at the talk, and it shows. They did give credit (a LOT of credit) to KoreK and Devine, but I didn't put it in the article. So you can blame me for it.

  46. Re:It's simple - use WAP-PSK by dagnabit · · Score: 2, Interesting

    t2h4e1r0e4a1r0e5XXXXXXXXXXi7d1e6s1t1o9e0v5e9r1y5s7 t6o0r9y5y6o1u

    did you leave out some x's?? i get that it should be

    txhxrxexexsx

    which is 2 characters too long for your string (assuming the phrase "there are three sides to every story - yours, theirs and the truth")...

    or maybe it's

    mxaxnxyxsx

    damn i need to find something better to do with my time...

  47. Re:Not too surprising by Anonymous Coward · · Score: 2, Informative

    Sure, you could md5 some random string... if you didn't want to remember it.

    Or you could use someone's handy-dandy Random Password Generator and come up with something you'll actually remember.
    When it comes to passwords that tend to be set and forget for a while or only entered once for the lifetime of any given password, I would prefer to take advantage of the full key space.

    For passwords that require daily entering by myself, I prefer 9-11 character random alphanumerics. At the moment I'm using about 5 different ones like this and remember them all.

    I guess it depends on what you're protecting and how paranoid you are.

  48. Obligatory Simpsons Reference by phaetonic · · Score: 2, Funny

    *Homer looks outside and sees a van*

    Flowers
    By
    Irene

  49. Disabling wireless during off hours by dstone · · Score: 2, Interesting

    If the "$5 lamp timer" idea to shut down the router during off-hours doesn't work for you (eg. you need wired connections to stay up), a script to enable/disable the wl_net_mode setting on the http://192.168.1.xxx/Wireless_Basic.asp page of a Linksys WRT54GS would seem pretty doable. Put an enable/disable entry into a cron schedule and you've closed the window for hackers somewhat.

    Cooking a script up like this (with POST and HTTP Basic Authentication for login) wouldn't be very hard, but does anyone know of Linksys scripts that might already be usable?

  50. Even if WEP is trivial to crack, it's useful by Ungrounded+Lightning · · Score: 5, Insightful

    Note that even if WEP is trivial to crack it serves a purpose: The same purpose as a lock on a screen door or window.

    It doesn't keep out a burglar.

    It DOES make it clear that your INTENT was to keep him out, and that if he breaks in his INTENT was to break in.

    This is a very important legal point if/when you, or law enforcement, bring action against him.

    Similarly, the computing community has generally interpreted permission settings (on files and the like) as an expression of intent, generally honoring them even if they have the ability to bypass them.

    This transfers directly to wireless access points: Some people deliberately leave their APs open, to let others use them as a community resource. Generally this is done by leaving them at the default settings. While there may be confusion about it if an AP is in this state, there is NO confusion about the intent if WEP is enabled.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  51. Ignorant Question but I need to know by auburnate · · Score: 2, Informative

    On my Netgear wireless router, I have the ability to enable MAC address filtering. If the wireless connection isn't coming from my MAC address, then the attacker can't use my router. Right? I live in an apartment complex and I had just set up my router. Within a week, I noticed someone sharing my router for some goatse action. I enabled my MAC filtering but not WEP and I haven't seen Mr goatse again. Could he come back though somehow? Also, if I don't enable WEP, an attacker could monitor my web usage without necessarily using my internet connection? Thanks for any answers.

    1. Re:Ignorant Question but I need to know by izomiac · · Score: 2, Informative

      MAC addresses are really easy to change, especially in Windows, so it isn't very good security. All someone has to do is sniff to find out what your MAC address is, and then wait until your computer is off the network (or they could start injecting packets, but that'd be more difficult). It should keep most undetermined people out though.

  52. Re:Not too surprising by NardofDoom · · Score: 3, Informative

    Don't trust me? Download the source and run it yourself. Or use the Javascript. Or ride the camel.

    --
    You have two hands and one brain, so always code twice as much as you think!
  53. Skip WEP, open up your access points! by cliffjumper222 · · Score: 4, Interesting

    Here at work (an R&D facility for a major electronics company) we have opened up our WLAN for anyone to use and dropped WEP completely. Instead we use VPNs. This enables the following:

    1. Any customer/vendor can get easy net access
    2. Anyone in our local area can get free Internet access and feel good about our company. The range isn't that far, but for geeks in a pinch, it's there for them.

    We don't advertise this feature but it is definitely done for these reasons.

    I strongly recommend other companies to just dump WEP or any other authentication system and open up their access points.

  54. Re:Not too surprising by normal_guy · · Score: 3, Funny

    I'm surprised you're not using shielded VGA cables to prevent direct snooping of your screen, Steven.

    --
    Linux: Free if your time is worthless.
  55. In related news... by naoursla · · Score: 2, Funny

    A locksmith was able to pick a locked front door in a residential neighborhood in just under 3 minutes.

    However, the FBI has a superior entry method that involves breaking the door down in just under 8 seconds.

  56. On automatic "confidence and respect" by Zhe+Mappel · · Score: 4, Insightful
    It really is a shame when the prevailing "geek" attitude towards agencies like the FBI is mistrust and fear, not confidence and respect.

    Others are mentioning COINTELPRO, or Hoover's reign of terror, or Waco, and on and on. No need for me to cover that territory, which any well-informed citizen knows. There's always Wikipedia if you need to bone up on the cheap.

    No, I wish to call attention to your language. Therein lies your problem: your language shortcuts thought. Do you realize you write less like a citizen than a subject?

    Agencies like the FBI, you write.

    Government agencies, law enforcement agencies, you mean. Please stop and think about that.

    "Agencies like the FBI"--which would include, of course, the CIA, the NSA, the DEA, the BATF, for starters--are nothing more than arms of power. It is that power to which we must turn, thoughtfully, and ask our questions. We cannot say de facto that an enforcement agency is worthy of "confidence and respect," as you would have it, unless we first examine whose laws and whose agenda these agencies are enforcing.

    To take but one high-profile example: the war on drugs. This irrational prohibition has stocked our prisons with the poor, but failed demonstrably by creating more crime in illegal drugs; yet it is blindly enforced by those before whom you would have us genuflect. What choice have they, after all? Yet, fortunately, we have a choice: we can think, they cannot. We can withhold automatic "confidence and respect," as we should, since a brutal and destructive prohibition depends on patsies and collaborators.

    The founders of our nation viewed overweening power with deep suspicion, and they anticipated the glamor of irrational obedience--the impulses of mob-like majorities, of good little yes-men. Examine their writings, and behold their constitutional framework: it is in sum a work of almost beautiful paranoia, conceived by men who looked on history as realists. They designed the nation to survive not terrorists or criminals but the surrender of thought by its own inhabitants.

  57. In other words ... by Anonymous Coward · · Score: 2, Funny

    ... You have a tinfoil house!

  58. Good riddance by freality · · Score: 4, Insightful

    I always ask people to turn their WEP keys off anyways.. nothing like creating scarcity out of the plenty of wi-fi networks out there.

    Look, your computer ought to be secure at the TCP/IP level. If you're depending on WEP link security, you're probably hosed anyways. And you'll almost surely be hacked by the teeming swarms of infected computers on the net long before you get trouble from a neighbor, a drive-by script kiddie, or now the FBI. Unless you're a paranoid freak and you're sure they're really out to get you. The roving script-kiddies that is.

    Worried about bandwidth? If you and your neighbors cooperated instead of hoarding bandwidth from each other, you'd have more to go around. Heck, you could multi-home your laptop and get multiplexed bandwidth. That's more, not less.

    Now turn off those keys and rename your home wi-fi network "public"!

  59. Re:Not too surprising by elgatozorbas · · Score: 2, Informative
    To you and other replies making fun of him, IMHO parent was right.

    Maybe in this case, where you can download the source etc, his suspicion was unnecessary, but the reason why people ever get in security problems is exactly by _not_ thinking like him. Especially in this case: I would NEVER let my password leak out in such a foolish way as letting it be generated by an (unchecked) on-line source. Best way to let someone else know your password before you even do.

  60. $0.01 random number generator. by istartedi · · Score: 2, Funny

    Flip a penny 128 times. Does the same thing, and nobody will think you're a D&D player.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  61. Re:If encryption does not include the MAC address by izomiac · · Score: 2, Informative

    WEP & WPA are mostly just encryption layers (maybe some authentication as well). After the encryption is cracked then you can watch all the traffic being transmitted to and from the access point. Wireless cards are still network cards, so they still use MAC addresses to determine which card responds to which packets. If the MAC address wasn't transmitted then the access point couldn't block people by it. AFAIK, the MAC address is encrypted with the rest of the packet, but the process of cracking WEP encryption is passive, so someone could just crack it and packet sniff to find out the MAC addresses that are allowed.

  62. Re:Cointelpro grew out of the Klan crushing by dido · · Score: 2, Informative

    If that's true (of which I am uncertain), then this is the ultimate example of "turnabout is fair play." As everyone knows, COINTELPRO then set its sights on Martin Luther King, the Black Panthers, and American leftist and civil rights advocacy organizations. Apparently they even covertly funneled aid to the Klan and other similar groups later on under the condition that they limit their activities to COINTELPRO targets.

    Either way, it was an ugly business, and a part of American history that everyone would do well to remember, especially as America begins its slide into fascism post-September 11th.

    --
    Give me six lines written by the hand of the most honest man, and I will find something in them to have him hanged.