[ Previous entry: "Some cool foreign films..." ] [Main Index] [ Next entry: "You know you're fat when..." ]
|
10/21/2003 Entry: "Wireless Insecurity"
"If you like, yes," said Ford. "That's what they told us in the army," said the man, and his eyes began the long trek back down to his whisky. "Will that help?" asked the barman. "No," said Ford and gave him a friendly smile. -- Ford Prefect to man at a pub, from Douglas Adam's "Hitchhiker's Guide to the Galaxy." I have get asked a lot why I, a tech geek, do not have wireless in my house. Simple. Security. I am not putting this in my tech geek Slashdot journal because I think everyone should know this: Wireless is very insecure. First, all "out of the box" wireless routers and stuff don't have security enabled. They know most everyone out there would find this complicated, so they hope that you get it up and working first, and then worry about the security next. This is okay, if you actually follow the second part. I would, and on my cable router, I have it set for the most secure possible. If that was all it took, I'd say, "Pfft... piece of cake." But see, there are some problems. See, wireless cannot be contained within my walls. It broadcasts about 20-50 feet or more in all directions from my house. The picture in this entry shows how far your connection roams from just *one* wireless access point (More details by these fine folks). Note that not only do his three immediate neighbors have total access to his network, but that people across the street on BOTH SIDES have "weak" access as well. In fact, the people across the street from his back yard almost have full signal strength. See, this worries me more than most, because my back yard faces an alley, where anyone can park and get access. "Okay," you say. Why should you care about access? Put a firewall on your computers and be done with it." It's not so much the breaking into my network and stealing files I am worried about. A firewall would protect that. But it's the fact that I have given anyone access to my Internet connection to do whatever they want. Download illegal files. Crack computers. Launch attacks. All that will be traced to my connection. "Well, silly, secure your router!" Sure, I can do that. Let's look at the "big three" in wireless protection. Allow only certain IPs: I could turn off DHCP, and have only static IPs. But IP addresses can be EASILY sniffed (detected) and then spoofed (pretending to be an IP address). In the real world, this is like posing as the delivery guy to get into a secure building. Allow only MAC addresses: The MAC address (the physical address of your network card) is a unique number that's a bit harder to spoof. But it is spoofable. A good wardriving hacker with the right card can spoof a MAC address easily. This is like posing as a random employee to get into the building. WEP: Wireless Encryption Protocol: This is the last, and for most, the best defense. It's kind of hard for a newbie to set up, but once working, the 128-bit encryption will be a lot harder to crack. Most people will see this and move on. This is like posing as a specific employee, with a badge, to get into a building. But a good, determined hacker can crack any WEP in less than a few hours. By, say, parking in an alley Starbucks Coffee (in the shopping center behind my house) doesn't use WEP, and someone at my house, with a wireless connection, showed me how easy it was to get into their network. He waited for someone to log in, got their MAC, sniffed their password, decrypted it, and waited for the guy to log off. Then he connected as this guy to prove that he was a manly geek not afraid of fraud (although, to his credit, he did nothing but prove he could get Internet access before he logged off). We also saw someone with a wide-open access on their personal network, inlcuding their mp3 collection of rap music, some pr0n (hacker term for pronographic material), and how many computers were connected to that router. There are even easy-to-use hacker tools like Phlak, Kistmet, and WarBSD that make it easier to get this stuff done. This stuff is supposed to be used to test your own network leaks, but, of course, the hardware store that sells you the flashlight, crowbar, and locksmith kit won't ask many questions, either. So this is why I don't have wireless. Unlike the man at the pub talking to Ford, I don't have army training to tell me to put a bag over my head if the end of the world comes, or some cracker uses my network connection to attack the FBI website. The FBI can get past my paper bag.
|
"I thought," he said, "that if the world was going to end we were meant to lie down or put a paper bag over our head or something."The Peanut Gallery responds with: 4 comments
|
One word: IPSec. (Mostly) secure wireless is possible, but with a metric shedload of work. But this is a *excellent* article for the uninformed. I'm bookmarking it to show to my less clued co-irkers. Posted by Stormgren @ 10/28/2003 11:02 PM EST |
|
Aha! So it is... I learned something new today! Thank you! :) More on WEP: WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. However, it has been found that WEP is not as secure as once believed. WEP is used at the two lowest layers of the OSI model - the data link and physical layers; it therefore does not offer end-to-end security. Here's also a link to why it's so vulnerable: The weakness of WEP encryption lies in its poor implementation of the IV. If, for example, a hacker uses an XOR function to mathematically link two packets of a session that have been processed with the same IVs, that is, identical RC4 keys, then he can compute the key. As the initialization vector is 24 bits long, it will be duplicated in a busy access point - sending 1500 byte packets at a transmission rate of 11 Mbps - after no more than five hours. During this time, a maximum of 24 GB is transmitted. It is therefore realistic to record data transmissions over several hours and using a notebook in order to get packets with identical IVs and consequently, identical RC4 keys. As the standard says nothing about generating the IV, not all of the manufacturers are using the entire 24-bit field for the IV. The IV may even duplicate itself faster, in which case less has to be recorded. Lucent WLAN cards, for example, reset the IV to 0 each time they were initialized, and then counted upwards. Recording the data streams of several users in a WLAN, the hacker will sooner encounter packets with duplicate IVs. Fluhrer, Martin and Shamir also found that there are weak initialization vectors that provide clues to a byte of the key with 5% certainty. After recording four to six million packets (some 8.5 GB), there is a sufficient number of weak IVs to determine the entire WEP key. It gets even easier if the WEP key, instead of being required in Hex format by the WLAN software, consists of an ASCII string. Because only normal characters and numbers can be entered, the number of possible combinations is lessened. Thus the degree of hit certainty stated above increases, and it only takes one to two million recorded packets to determine the key. Posted by Punkie the Corrected @ 10/22/2003 12:28 PM EST |
|
Actually, WEP expands to "Wired Equivalent Privacy"; as you're already aware, this is a lie.
Posted by Definition Weenie @ 10/22/2003 10:09 AM EST |
|
yeh, I live in an apartment and I have been using the wireless connection of the guy downstairs since the beginning of this year. I havent tried to look in his computer of nothing but I bet I could if I wanted to.
Posted by teh offensive spark @ 10/22/2003 09:36 AM EST |
