Forgot your password?
typodupeerror
News

Exploiting and Protecting 802.11b Networks 168

Posted by michael
from the who-needs-echelon dept.
iforgotmyfirstlogon writes: "A couple of guys from Extreme Tech drove around New York, New Jersey, Boston, and Silicon Valley with a high gain antenna to see how many (secure and) unsecure wireless networks they could tap into. They used NetStumbler and Linux AirSnort to help them search. Results? They came across over 800 networks and less than 40% had any sort of security."
This discussion has been archived. No new comments can be posted.

Exploiting and Protecting 802.11b Networks

Comments Filter:
  • 802.11b Insecurities (Score:1, Informative)

    by pryan (169593)
    It takes less than 1000 packets to crack the cryptographic protocols in 802.11b WEP, regardless of key strength. Even those 802.11b networks with so-called security probably aren't very secure against someone casing the network. Use a higher-level protocol such as Kerberos or IPSec on top of the WEP.
  • by batobin (10158) on Wednesday September 05, 2001 @09:31PM (#2258154) Homepage
    They later went on to add that, "Out of the 40% of computers in which access was gained, just over 20% were serving some really great porn. Hey, why do you think we did this survey in the first place?"
  • Thats nothing (Score:4, Insightful)

    by Jeff Knox (1093) on Wednesday September 05, 2001 @09:32PM (#2258157) Homepage
    Peter Shipley did that in San Fransisco and found smaling like 2500 access points. The only way this will ever be fixed is if companies realize that you cannot depend on protocol level security. WEP is not the answer. Tunneled SSL, or some sort of VPN end to end security is the only way to protect your connect.
    • by Ungrounded Lightning (62228) on Wednesday September 05, 2001 @10:07PM (#2258252) Journal
      WEP is not the answer. Tunneled SL, or some sort of VPN end to end security is the only way to protect your connect.

      Hear hear.

      So the thing to do is to put the wireless LAN port on the logical OUTSIDE of your firewall and let the laptops all tunnel in through it. Your firewall can also filter connections between the WLAN and your net feed.

      For the open net your users can also encrypted-tunnel to the tunnel server and go out from there, to avoid eavesdroppers. With this configuration there's no reason to bother with WEP.

      Go ahead and route packets between the net and the wireless port if you're feeling altruistic, or restrict WLAN connections to the tunnel server(s) if you're not.
      • So the thing to do is to put the wireless LAN port on the logical OUTSIDE of your firewall and let the laptops all tunnel in through it. Your firewall can also filter connections between the WLAN and your net feed.

        kinda, what you do is have one firewall then your DMZ with the wireless LAN there then your REAL firewall. you dont need black hat's geting to the laptops on your wireless LAN from the web, nor into your LAN from the wireless LAN.
      • Exactly. This is the ONLY choice.

        An 802.11 network outside the firewall may be open to abuse by warez kidz, but it won't be open to unauthorized access to your PRIVATE NETWORK that you've probably spent many $K to secure via firewalls and the like. Assume that ALL 802.11 traffic is public internet traffic, and then run IPSec over it for all private traffic, and you should be okay.

    • I'm still not convinced that's all that safe. For example, do you believe that two machines attached via a hub (not switch) using ssh or vpn to establish a link is totally safe from a third machine attached to the same hub?

      Some pretty clever hacks were employed back in the day before wirespread use of switches and those hacks are all relevant once again against wireless networks. Don't be lulled into a false sense of security just because you think you negotiated an encrypted link.
    • Peter Shipley did that in San Fransisco and found smaling like 2500 access points. The only way this will ever be fixed is if companies realize that you cannot depend on protocol level security.
      I agree... but I think for different reasons than most people may think. The technology discussed in this thread tends to be viewed as a mechanism to secure access to the internal network (or external internet - I suspect abuse of resources will become a big issue eventually). That's only part of the issue brought forth by wireless network equipment.

      A lot of assumptions are being made on how corporate IT departments deploy wireless networks. And it is a valid issue. Security does not come naturally to a large segment of IT professionals. However, it isn't the only issue.

      My favorite point to harp on is - rogue access points.

      Wireless network access points are (relatively) cheap. They're designed to go from box to plug-n-play insecure (damned that functionalty vs. security inverse thing) on the network in a few quick, easy steps. This will lead to a large number of corporate internal networks becoming exposed to external, and considerably less noticable, access as individuals begin to provide their own wireless connectivity. And it will be unlikely this issue will go away anytime soon.

      The internal network is now a hostile environment (as if it wasn't already). Interenal security practices must be considered and secure protocols implemented. It'll be a hassle for a lot of organizations who have relied on firewalls to provide the hard, crunchy exterior to protect the chewy goodness of the internal network.

      Crunch.

  • yawn (Score:2, Funny)

    by tagplazen (310628)
    You know, these people driving around looking for wide open networks are probably the ones that raise the biggest stink about "script kiddys" any time someone finds a new security hole.

    Yes, WEP is insecure. Yes, there are a lot of networks that are just thrown up. Wow, kind of like wire eh? Reminds me of that great quote, "Never attribute to malicousness what can be explained by human stupidity."
  • by mgpeter (132079) on Wednesday September 05, 2001 @09:35PM (#2258165) Homepage
    Does anyone know of any good Documentation on how to secure wireless communications ?? I know we have 2 wireless connections between 3 building using SMC's Wireless routers, and the only security that was built in other than the 64 and 128 bit encryption (which is apparently crackable), and only allowing certain MAC addresses to communicate (which is also easy to crack).

    So instead of writing articles on how bad wireless tech is to crack, (4th article I've read in a week) why not write a how-to on how to implement security on your wireless LANs.

  • When some guys get in their car and drive about looking for open wireless networks, they have an article posted about how they are pointing out such great problems. It is even implied (at least to me) that these guys are helping spread the word about wireless network security. Yet, when someone does the exact same thing over a wired network, it's called Port Scanning and they are labelled 'script kiddies' and are cursed and thought of a less-than-human. I don't understand it. (This is not a troll, or meant as a flame, just my thoughts on the matter.)

  • There has been a lot of talk about people deploying many 802.11b connections privately, thus building non-corporate owned, cooperative wireless access to the net around cities and such. This might put a bit of a damper on that, but IMO it should not stop it by any means. While people might not be able to order stuff for now, there are a great many things to do that don't require security, and such nets really seem to be the ultimate expression of a free internet. If/when firmware updates become available, the access would just be that much better. It would also put more pressure on commercial interests.
    • Given the basic nature of routing, the traffic on these 'free' networks, long-range traffic has to get to an upstream Internet pipe somehow (and the aggregate of traffic in a 'free' internet would be large getting to these pipes).

      Who would underwrite the cost of that upstream "last mile" to the Internet from the "free" wireless access net? I'd rather not have the sum total of several thousand "free" wireless access points flowing through my T-1 / T-3 / OC-whatever if the traffic is significant.

      The cost should ultimately drop with wireless, obviously, because the end users don't have to underwrite the large infrastructure creation cost required to support them.

      You'd expect this with existing shared technology like cable modems, but of course the economics of the monopoly apply here still (telecom regulation yeah right, at least today)

      But perhaps the bottleneck would shift from a last mile problem to a first mile problem (with which the average ISP deals quite nicely) in a wireless neighborhood. In cases where frequency of access and bandwidth consumption are low, I'd expect access prices to drop significantly, though.

      The shared-resource telecom concepts of Erlangian distribution, and so on become highly relevant again in such a scenario. Is this the PBX / concentrator again?

      Speaking of which, in the Boston area, if you have line-of-sight to the Prudential building (and who doesn't in mass of landfill), you can now get wireless (microwave?) 1 megabit guaranteed bandwidth for $300 a month.

    • I don't see how a network "by and for the people" can survive. It seems like any open access point that can be used anonymously is going to attract a bad element who will abuse it.

      I would certainly never share wireless bandwidth with my neighborhood because I don't want the FBI to come knock on my door for what the punk kid down the street did via my wireless generosity. Screw that kid -- he can pay for his own ISP and go 0wn someone's unsecured server to stage his attacks from, in the time-honored tradition of his forefathers.
  • by Hypnos7787 (467137)
    The article's completely right about wireless exceeding their advertised range, i've just got home from the LBW [slashdot.org] where we had a single flat panel antenna connected to a regular base station transmitting over about 1 1/2 miles up to the campsite, to another relatively small antenna connected to a wavelan card in a laptop. Sure the link went down at the slightest hint of bad weather, and we got about 30% packet loss, but we were still getting about 500mbits. :)
  • If you don't have any resources unprotected on your network, why shouldn't the wireless network be wide open? My suggestion is to leave the network open, set up secure tunnels for the important stuff, and let passers-by use your 'net connection. Where's the harm in that?

    That's probably what the 40% were doing, anyway...
    • and let passers-by use your 'net connection. Where's the harm in that?

      Your proposal is a great public service. Many crackers out there are in dire need of a totally untraceable way to launch the next innovations in Outlook and IIS worms. Without wide open wireless access points, advances in malware state-of-the-art would be needlessly hindered.

  • Did this study take into account that some 802.11 networks can operate under either secure or unsecure simultaneously? Example: My school's campus has 802.11 running throughout the campus. Because the school is in a major city and the network can be reached from about a quarter mile from campus, you must register the mac addresses of your wireless card before you can use it. From there, you can use secure (using WEP) or unsecure (no WEP) to use the network. Reason for this flexibility is to allow older cards to operate on the wireless network.

    From the looks of this survey these guys did, if they were to come by my campus (they didnt, it's not in any of the cities they drove around), one of a few things could happen:

    1. this network would appear to be insecure because non-WEPed transmissions could be found on it.
    2. This network wasnt found because the school network would refuse access to it.
    3. The network is secure because it was found, but data could not be accessed because the school network wouldnt allow it.
    Any thoughts?
    • My lucent card can change the mac address with the default windows apps it comes with. Give me a break. Wireless is insecure.
      • ummmm..... as every other stock holder will tell ya, Lucent is insecure. :-)
      • I just checked the status pages of the network, it looks like they're taking steps to counteract the exploit discovered recently. The school will provide software that runs on your laptop that encrypts the data using 168-bit 3DES (and other security measures). How this works and what software that is exactly it doesnt say.

        The software probably sits just above the driver and does the work there, and then the school's antennas decrpyt it. Vice versa for data being transmitted to the laptop. Dont know how they would do the key exchange securely or anything like that.

        The BIG plus here is that it now wont matter what card you use nor whether or not it supports WEP. Unfortunately, it may depend on what OS you're running.
      • My lucent card can change the mac address

        so, can MAC's be sniffed, then? I'm assuming they can be, but if they can't, you'd obviously have to know which mac's are allowed in before you set yours.

        still, it looks like the .11b folks really didn't do their homework. too bad - think of all those 128bit 'gold cards' that people paid extra for, only to now find out that they got NO extra value for their dollar.

        (and can this encryption bug be fixed in firmware? I sure hope so - it would be nice..)

        • Yes you can sniff mac addresses.
          • I know they can be on wired nets, I was just hoping that the .11b standard would mask the mac addr or somehow code the addr's differently from the payload.

            for extra security, I probably would have taken the mac and munged it somehow, a-la PKI (public/private combo). giving away the addr seems somehow worse than giving the pkt contents away. if you let the text be readable, you've lost individual privacy. if you give out the mac addr, you've just lost network security, which I think is much worse.

            at any rate, it seems the .11b standard is very broken. how the hell did it get to full standard status without someone realizing these basic design flaws??

  • Was advertised on Television in NY (SUNY, Alderson? Anderson? not sure). Begs the question- who's watching?

    Their article is nothing new, really, it was just the first documented 'story'. In fact, shouldn't they be tossed in prison for port scanning and gaining access to unauthorized resources?

    Puts a damper on Free nodes- I wonder how many people are going to spend the money on wireless with the intent to give it away for free if, every time they turn it on, they are probed almost as maliciously as when the cable light comes on.
  • granted you could do the same thing on most wired networks just as easy, I suppose.
    But wireless signals do have a limited range in feet/yards, but heck if you put the time or find something unsecured you could do it a couple of continents away.

    Next in the news: unsecured IIS boxes running unsecured wireless access. @home sues for patent infringment for "pointless wastes of bandwidth 'we though of first' "
    Film @ 11, in DivX ;), naturally.

    Moose.

    If I hit you with a post, and no one sees it, do I get a fish?
  • It more like two open networks. One is the test network in our lab which isn't connected to anything other than other devices were playing with and the other is a point to point lan between a linux box and a solaris box. The solaris box is currently undergoing an audit but its going to live oustside of the firewall which is kind of where it is now. AT work I've had to make it very clear that If I catch any of this wireless stuff pluged into my network, I'll turn off their port. I may have gottent my point accross or maybe not but I still scan for arp traffic of the ether address ranges of the offending devices.
    • That works all fine and dandy until someone uses NAT to connect their wireless access point to your network in such a way that you can't see their MAC addresses.

      (That's how we used to run networks of 20 machines in a dorm room when they restricted traffic to the NIC with the MAC address that we had to register with the network admin.)
  • most of the people I know who know what they are doing now basicly drop their access point down outside their firewall and insist that users VPN/SSH in.



    By doing this you are basicly acknowledging that the security isn't there and force your users to use secure tools to get to secure places.



    Anyway my point is that if one of these guys drives by my home they'll probably pick up up my 802.11 and add it to their map, maybe even hack it to get access to the 'net - but do I care? nope

    • Until a malicious being hacks a site through your network or uploads defametory/DMCA-bait material and suddenly your ISP has pulled your access or some friendly folks are asking you to tone down on the death threats to the president.

      I suspect such malicious folks are of similar bent to those who leave beer cans littered around senic parks, personally.
    • how can someone hack your site if the wireless router is OUTSIDE your firewall? (or rather how can they hack it any more easily than any other attack on your firewall)



      The whole point is to just accept that your wireless connection is as unsafe as the larger 'net - and treat it the same way

      • Not your site, but another insecure site, but from your ip space. I think the worst thing aspects would be someone spamming via your access point. Then your netblock gets blacklisted and/or your ISP gets mad.

        If you want to run a "free" access point, you still need to be responsible. Put the access point in your dmz and have your outside router filter SMTP (tcp/25) outbound except from your legitimate internal SMTP servers. Your normal users should be using a VPN/tunnel to the inside of your network for email anyway.

        That's the biggest service I can think of you'd want to stop some jerk from messing with. Can anyone else think of other services beyond just stuff that would hog the bandwidth (which could be anything)?
  • We also treat the wireless security as a joke. We're using an access point located outside our firewall behind another firewall. All clients using the access point get back into the corporate network using the same VPN software they use while on the road. In fact, they are now set up so they never turn the VPN software off.


    Anyone breaking the security of our access point gets plain old Internet access and doesn't get into the corporate net.


    • We're using an access point located outside our firewall behind another firewall. [...] Anyone breaking the security of our access point gets plain old Internet access and doesn't get into the corporate net.
      Is this your company's only net access? I hope that you are running that guerilla net [shmoo.com] knowingly.

      It is one thing to openly allow access, with users presumably understanding that they should not abuse [toaster.net] a common resource. It is another to leave your (I'm assuming) fat pipe open to NetStumblers, who may be more inclined to over-exploit it while they still can.

      Also, does unencrypted SMTP or other traffic go in/out via this link? You have a sniffer's paradise if it does.

      • I'd assume you mean SMTP that is going to be coming from LAN-based servers and out the router to the internet. Unless a user is using SMTP (and not tunneling in first), the access point isn't going to send any of that traffic via 802.11b, so nothing to sniff. Unless the traffic is to/from a wireless card (or between two bridges), it's not going to be transmitted. The access point is a bridge, and sniffing on one side of a bridge with all the nodes on the LAN side is nearly pointless (you get to new learn mac and ip addresses from broadcasts, but that's it).
      • WEP is in place as a minor deterrent in case someone comes by. It is definitely not our only access, but no one gets access unless they crack our WEP since the system is set to reject unencrypted data. No unencrypted traffic goes through that access point as that network is dedicated to that use.
  • Linuxworld APs (Score:2, Interesting)

    by xwred1 (207269)
    There were a few APs at Linuxworld, about 11 or 12 networks when I scanned, I think only a couple had an real security.

    The OSDN booth had a wide open AP that I was able to use to get net access while I was hanging around nearby.

    I was checking Slashdot, almost caught a breaking story for First Post, while I was in the audience listening to CmdrTaco's Q&A session.

    Hopefully, from now on there will be more and more open APs at conventions so I can get net access at random places on the floor.
  • by jwkane (180726) on Wednesday September 05, 2001 @10:10PM (#2258261) Homepage
    It comes down to speed vs. privacy. You can ignore WEP and use IPsec or a VPN. You'll take a speed hit, but you'll have reasonable privacy.

    If you don't mind exchanging some privacy for additional speed, 128 bit WEP isn't a bad choice. It hasn't lived up to it's "Wired Equivalent" name but sniffing and decrypting is a non-trivial operation.

    For more speed with minimal privacy, 80 bit WEP doesn't cost much bandwidth (2%) and you're still only going to be sniffed and decrypted by folks with a clue.

    In some situations, speed is most important and privacy is meaningless. Suppose you're downloading Debian ISO's over a wireless link. There are times (one might argue the majority of internet traffic) when privacy just doesn't matter. If you can use reliable encrypted protocols for the exceptions then open mode 802.11b is fine. What are you trying to hide?

    As long as we're able to encrypt those transactions that require privacy none of the WEP "stuff" matters. How secure is your wired network internet traffic after it gets to your ISP?
    • by Anonymous Coward
      Ah, just about any modern computer can do 11Mbps (insert favorite RC* number here) fairly readily. If your'e using a protocol that does compression to boot, you may actually experience faster speeds, but possibly higher latencies. Of course, you have to have machines on both sides of this hypothetical VPN that can cope with the increaced loads, but with most modern machines, this is hardly a concern, unless one is consistently pumping out max bandwith.
    • I don't think they're talking about wireless internet...

      The point is that wireless internal networks (very common) are not secure in the same sense that wired ones are. And that is a very bad thing.

      For instance, lets say you're sharing the C drive of one of your computers through SMB (CIFS, also known as "File and Printer Sharing" in Windows). This is only on your local network, keep in mind. I actually do this - there's no reason not to, because no one can break into my house to connect to my LAN.

      Now, lets say I have a wireless network, but it's not secure (80-bit WEP or somesuch). Somebody could crack the encryption key easily, parked on my block (not even directly in front of my house), and then do bad things, like:

      - Delete the contents of my C drive
      - Replace system files
      - Put data on my HD that I did not ask for (anything illegal)
      - Take data from my HD they were not supposed to have access to (work stuff, etc.)

      Or anything else malicious. Only people with malicious intent would do this, but usually not to a home network. Therefore, the danger is not present in home networks as well as wireless internet (where it was never present - the connection is a direct line-of-sight link, not geographically spread over a radius).

      The danger is present in corporate or government or military insecure networks. If somebody can stand outside of the parking lot of the Pentagon and get data, that's very bad. :)
    • There are times (one might argue the majority of internet traffic) when privacy just doesn't matter. If you can use reliable encrypted protocols for the exceptions then open mode 802.11b is fine. What are you trying to hide?


      Cryptographic analysis includes analyzing what is encrypted and what isn't, and drawing conclusions from that data. For example, if you never encrypt your email to family members but always encrypt email to one individual, one might conclude that your corrispondence with that individual is of an illegal nature, and seek a search warrant to bug your PC and find out what you're really discussing. Maybe it's the weather. Maybe it's the weather in Bolivia and how it will affect the next crop. We won't know, Judge, unless we tap that PC and read the mail ourselves. If you encrypt everything then you've cut off one more data source.


      The other analogy would be to ask why you send letters when a post card would do; why not save money (bandwidth) with postcards for the familiy update to Mom and only use letters for the secret stuff, like love letters? The answer is that your family updates to Mom are nobody's business but yours, and my answer to you is that your Debian ISO download is also nobody's business but yours.

  • by StrikerObi (145657) on Wednesday September 05, 2001 @10:15PM (#2258271) Homepage
    There seems to be a recent outbreak in these "drive by hackings." Thank the gods my friend registered www.drivebyhacking.com a couple months ago. Now we just have to figure out what to put up there.
  • I was in a Starbucks here in Austin, TX which offers 802.11b access (for a fee). Instead of winding up on the provider's network, I was on the Safeway network (the Starbuck's is inside a Randall's / Safeway supermarket). This allowed my Win2000 laptop to browse the supermarket network, which has many shared [and unsecured] systems probably used for re-ordering / EDI, etc. The real issue is about education of network professionals about wireless security and how to implment it, whether or not they use WEP (Safeway clearly did NOT). I for one just wanted my 'net access via Starbucks and not Safeway's ultra-slow (probably frame relay) network.
  • by Black Art (3335) on Wednesday September 05, 2001 @11:00PM (#2258378)
    Not when you can crack all of them with AirSnort.

    All it takes is time and traffic.

    Of course, it still amazes me that so few had even the most basic levels of security installed.

    Then again, most of the managers I have worked for seem to think that if you take steps to protect yourself, you become liable if you get hacked. (Yes, I know that makes no sense. Never stopped them...)
  • so what. (Score:4, Insightful)

    by Raleel (30913) on Wednesday September 05, 2001 @11:17PM (#2258407)
    We know wep is insecure. There is little point in even putting anything on these nets. as a matter of fact I can find reasons not to. Let's say for example that you run a facility that has large numbers of people from outside coming in. WOuld it make sense to enforce 128 bit encryption? Sheesh, all the people with bronze (no encryption) and silver (40/64 bit encryption) can't use it.

    As someone pointed out above, put it outside the firewall, requirte ssh/vpn to get inside a firewall. tell people it's an insecure net, and recommend personal firewalls (zone alarm. blackice, ipchains, etc).

    The major benefit of wireless is access anywhere. Security directly conflicts with access. For example, managing MAC level security (restricting by MAC) is a pain in the keister. WEP is worthless. So assume all your traffic is insecure and use something to encrypt it. If you really need to prevent people from getting on and using your net, _don't use wireless_.
  • Traceable? (Score:4, Interesting)

    by sdo1 (213835) on Wednesday September 05, 2001 @11:26PM (#2258426) Journal
    I can just imagine some poor network admin trying to figure out who the heck is using their network to surf for pr0n (and imagine the PHB trying to figure out who they need to fire).

    But seriously, with wireless it seems like it would be incredibly difficult to trace the unauthorized user. Land based hacks are usually done over the internet rather than by physically connecting to their network. As a result, there's usually logs to help track down the person(s) using the network.

    But this seems incredibly tough... if the cracker didn't go anywhere on the network that would give themselves away (such as logging into hotmail to check their mail), I would guess that it would damn near impossible to find out who was sneaking into the network... even if/when they were actually connected. I would guess that the wireless network might get the MAC address of the card being used to get into the network, but even that likely wouldn't get you anywhere.

    Is that true, or am I missing something here?

    -S
    • You would trace it down to the Wireless Access Point in fairly short order based on the address scope you had given that segment of your network. From there if its obviously a rogue (drive by) you simply turn off the Access Point until you can come up with a workable solution for your network.

      As is typical its $cost (time/material) vs. requirement (level of data security required).

      I think you'll find more and more of these "Free Networks" drop out due to people using them for nefarious actions on the internet from the safety of their car... no wait... their bike... no wait... the guy sitting on the bench over there... Nooooooo please... don't cut my line... it wasn't me!!!

      That or they will start heavily filtering on the allowable outbound traffic the people offering these networks will allow... out.
  • A little research in to what I want in a contract to do security work without being arrested for hacking led me to discover that the law is very strict and straight forward. The point? These guys broke the law big time, did it hundreds of times, and advertised it in the media. If someone wanted to charge them there is no doubt they could be convicted.

    As for the morals of what they did, I'll leave that up to you.
    • The only thing even remotely close to grey that they did was the one time they guessed the subnet to try and connect. That was the only "questionable" activity.

      The rest is the equivalent to using a scanner to look for police/emergency/ham radio conversations. All they did was look for traffic and see if the networks were talking plain text and/or advertising SSID and/or requiring WEP.
  • by wareadams (185080) on Thursday September 06, 2001 @12:43AM (#2258606)
    With all the stories on how bad WEP is and how most 802.11 networks aren't secured, I haven't found an answer to this question about securing a home 802.11 network (I'm not claiming to be an expert on this, so maybe this is a simple question).

    I'm assuming most home users don't have the equipment/skills to set up the access point outside of a firewall and use VPN/SSH. Given that, how risky is the following:

    1) Consumer base station (Airport)
    2) WEP password enabled
    3) Access restricted to specific MAC addresses (not possible w/Apple's configurator, but doable with the 3rd party Java version)
    4) Airport plugged into home LAN, no other machines running any servers or file sharing (none are Windows boxes, 2 OS X, 2 OS 9.2)

    I understand all the actual 802.11 traffic is basically open. I assume if the web site I'm using has effective encryption then that data is safe, but my POP3 password could be grabbed assuming it isn't encrypted by something other than WEP.

    What I'm wondering is would this setup effectively prevent someone from setting up a laptop outside my house and getting at the files on my LAN.

    This seems to me a reasonable set up for a home user, but if it leaves the family Quicken file vulnerable to any kid on the block then 802.11 seems to be destined to never be mainstream. If on the other hand a home user can put at least basic security in place (e.g. they can see your web pages but they can't trash your entire drive) then it has a chance.

    Thanks.
    • WEP, from current analysis, is a reasonable protection from causal and low-resource snooping. If someone with a laptop happens by your house and tries to get onto your network, then you're probably okay with WEP. However, if they have one of the tools being published to compromise your WEP keys and decides to park themselves within radio range and gather enough data to do this, then WEP would not be sufficient.

      Your physical mailbox and receipts thrown away in the garbage at stores expose your financial resources to a greater degree than copying Quicken files over your 802.11b network using WEP. Given that the scope of exposure is limited to local physicality, and thus not exposed to the script kiddies of the world, the chances of having a skilled and resourced attack against your network is much smaller than someone trying to carry out credit transactions from a receipt recovered from the trash of a store.

      In short, change your WEP keys every week or two and use a higher level cryptographic protocol when possible. I am not familiar with AppleTalk's cryptographic capabilities. If it provides some mechanisms for authentication and confidentiality, then I would feel okay with that setup.

      Also, monitor your network. Try to configure any resources accessible on your network to generate logs and review them periodically. Most of the time, attackers will spend quite a bit of time casing and probing your network before breaching integrity of your resources and data. Unfortunately, with WEP, a passive attack is usually sufficient. However, it does take time, so if you change your keys frequently enough, you're frustrating them to the point where all but the most persistent attackers will go away.

      Remember the cardinal rule of crime: attack the easy targets. As long as there are lots of 802.11b networks wide open, then your WEP enabled network is, in all likelyhood, going to be skipped over.
    • Apple's Airport Admin Utility will let you MAC-lock your Airport Base Station. Not that that gains you a whole lot of security since they can sniff your MAC address....

      My measures for securing my ABS:

      1. MAC address locking to my machines
      2. "Closed" network to avoid broadcasting SSID
      3. WEP turned on to keep out the anklebiters
      4. base station powered off when not in use

      The only one that I actually trust? The last one. However, given that there's a completely open 802.11 network somewhere fairly close (at least last time I popped up a wireless card to use my base station, I had two options and the other one didn't ask for a WEP password) I figure "I don't have to outrun the bear, I just have to outrun you." :)

      All of these measures are just to keep people from using my network connection for free, anyway. All my wireless traffic is either protected by SSH, SSL, or IPsec or it's stuff I don't care about ("ooh! look! I can watch him visit CNN's web site!").

  • by joekool (21359)
    I have no wireless network card, and no experience with PPPOE, but it does seem that it is exactly the type of thing to use to give your connection a bit of encryption. Of course that is assuming that it does some kind of decent encryption. if it doesn't, well it sounds like a 10 minute hack to solve the problem, but then again, it's not my area of expertise
    • PPPoE does NOT add encryption to your traffic!
      It is only the the PPP password than can be encrypted and then again only if you are using chap, not pap to exchange the password.
      • ah, then it is as I though, another case of me talking about something that I really don't know about! what I was tying to get at was that it would be nice if their was a way to use an application hat functions similar to the way ppoe works, but with encryption added. it has everything else you would want in such software, such as authentication, ease of use, etc.

        but then again I probably just don't know what I am talking about
        ;-}
  • New Zealand (Score:5, Interesting)

    by Anonymous Coward on Thursday September 06, 2001 @12:59AM (#2258641)
    We tried this stunt from an office window in the centre of New Zealand's largest city, Auckland. Even with only the laptop's wireless card, we were able to tap into 13 networks, and gain external internet access through 10 of these. The main security risk this poses, is that most highspeed business connections here are MB capped, and therefore, any kid with a laptop and wireless LAN card can use any local retailer's high-speed connection to download his warez, or even worse, to carry out even more highly illegal activity and it is traced back to.. the kid? No. The retailer. And this was only with a 5 inch steel aerial! Imagine what we could tap into with the kind of reciever power used in that article. Ironically, one of the internal networks we were able to enter completely anonymously, was that of a major NZ bank. Cash anyone?
  • I run a 56k Linux firewall with a crossover cable into a Linksys wireless cablemodem/dsl router, the BEWS4. Then I hang a 24-port hub off the hub port, with 3 Linux boxes, an NT server for work and my wife's 98 box. My Linksys doesn't support limiting wireless clients to a list of MAC addresses.

    I really only have one wireless client at this point, so perhaps I can limit the DHCP to one client and then use ipchains to restrict server access to the wired static range and the wireless dhcp "range of one". I can't go with static on the laptop b/c I use the wireless at 4 locations, all DHCP. Like hell I'm gonna change the IP address each place I attach to.

    Does anyone run kerberos at home? Seems like a real bitch to setup. Well, amanda just got around to my laptop so I'd better go...
  • Regarding the "publicly accessible" wireless networks that are supposedly springing up, why not setup a nice transparent stateful firewall to only allow outgoing (and their resulting replies) connections? That way if your neighbor, or "the public" want to use your broadband connection, they can do so wirelessly, but only to make outbound connections. Granted, they could setup a VPN or some such to get a public IP for unrestricted inbound/outbound traffic. Just monitor the system and keep extensive connection logs (no, that's not packet sniffing logons and passwords ;)).

    Of course, why are you letting other people surf through your connection for free? Another issue, for another Slashdot article.
  • Ok, here it is in a nutshell. You can put an Open Source-based IPSec gateway immediatly upstream of your wireless AP... or better yet, simply put a wireless card in a Linux box... and secure your wireless with an IPSec tunnel.

    This protects your network, your traffic and if the hosts are configured properly... your clients. Way better than the mess that Nasa came up with.

    I am currently setting up a Linux/FreeSwan device for my employer's wireless and I have a similar OpenBSD IPSec setup at home.

    I also have a floppy-based Linux "access-point" that I'm trying to integrate FreeSwan with that will offer the same thing for anyone.

    Anyone interested?
  • How many times have we heard this now? This has been an old hat for well over a year. And what's more, even before WEP was shown to be TOTALLY broken a couple of months ago it was obvious that 802.11b security wasn't... even if you used encryption, with in an organization that's useless because there's no key management... you can't possibly think that a password that's stored on dozens to hundreds of laptops that are travelling all over, some percentage getting stolen as a matter of course, most of which can be regularly accessed innoculously by strangers, can be called "secure" in even the vaguest sense!

    The right way to do wireless is simple... DON'T Don't bother. Don't use /any/ security. And don't DON'T DON'T connect the wireless net to your organizational network... just connect it to the
    Internet and treat it as public internet access. Instead of asking "do we put wireless access on our network", ask "do we want to provide public wireless internet access throughout our buildings a few hundred feet beyond? And make your ESSID something like "yourname-public" so its obvious... visitors should be able to easily use it to! Why the hell not?

    You already have some way of accessing your organizational network or some of its services from the Internet, don't you? (If you don't you have security requirements that probably mean you REALLY can't use wireless.) Be it IPSec VPNs or SSh tunnels, or just SSL web/mail access, that's what you'll have to use even when you're using the wireless gateways right in your office.

    Of course you can set up some other level of IPSec tunnels /specifically/ for the wireless LAN, but I think that's stupid, anything you do might as well be the same for wireless/Internet access... it's exactly the same problem space. In either case you have a network you MUST treat as COMPLETELY UNTRUSTED.

    -j

  • by Anonymous Coward
    What always amazes me about these daily stories on the "insecurities" of 802.11b is that not a single person mentions that IEEE already has a solution -- 802.1x.

    Using 802.1x, a computer/user must authenticate to the access point through standard RADIUS/EAP mechanisms (e.g., smart card, certificate, MD5-based challenge response, etc.). If you are unable to authenticate, the access point (or wired Ethernet switch, for that matter -- this isn't 802.11b specific) will refuse to forward any of your packets to the network.

    There are also provisions in 802.1x to have the access point authenticate to the client, in order to prevent man-in-the-middle attacks, among other things.

    Furthermore, 802.1x provides means to give each user a different WEP key, and to cycle those keys at various intervals. This greatly reduces the exploitability of the cryptographic flaws in WEP. (These flaws should still be addressed, though.)

    Finally, 802.1x is already available today, in Windows XP.

  • I believe cisco aironet is able to rotate keys if a radius server is available. You could make your rotation fo keys happen at a fairly short interval and give any wannabe snoopers a fairly annoying experience, possibly even rotating them before snoopers collect enough information to break any key you are using. not sure if any of the other 802.11b implementations allow for this. normally a session uses one key and will use the one key indefinatley.
  • If it takes 100MB~1GB of packet data for airsnort to crack your 802.11 network, why not set up a cron job to telnet into your access point and change the access code after every 10MB, or so?

    Doesn't seem like the overhead would be that large...
  • The net result of this insecurity will likely not be better security protocols, but rather another inane law restricting the right of people to use wireless devices.

    It happened with cellphones in the 90's, that's why it's now illegal to listen to cellular frequencies in the US.

    Just wait, it will happen.

Although the moon is smaller than the earth, it is farther away.

Working...