Jump to content


Photo
- - - - -

If you still think wireless security is useless because you have nothing to hide ...


  • Please log in to reply
89 replies to this topic

#16 video321

video321

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 959 posts
  • Location:NJ
  • Hardware:Elk M1, Mi Casa Verde Vera
  • Tech:Z-Wave
  • Audio:Custom
  • Video:Custom
  • CCTV:analog, dvr
  • Phone:Ooma

Posted 27 April 2011 - 08:19 AM

When I get a new client without a secured WiFi network and ask about it I always get the same answer "I have nothing on my computer that anyone would want." At that point is when I have to explain to them it's not what's on your computer they want, but the Internet connection itself. I always say do you really want to go through the hassle of having to explain to the FBI how all of that illegal activity wasn't done by you?

#17 Lou Apo

Lou Apo

    Cocoonut

  • Registered
  • PipPipPipPip
  • 2719 posts
  • Location:Austin TX
  • Experience:average
  • Hardware:ISY-99
  • Tech:INSTEON
  • Audio:Custom
  • Video:Windows Media Center
  • CCTV:analog, dvr

Posted 27 April 2011 - 12:57 PM

If, as is typically the case, they just want to get on the internet or infect your computer with some spamming software, they will pick the easiest one. So just don't be the easiest one.

It's like the joke where two guys are in the woods and a bear stares them down, the one guy goes to tie his shoes and the other guy says, "what are you doing? You can't outrun that bear", and the first guy replies, "I don't need to outrun the bear, I only have to outrun you"

#18 gatchel

gatchel

    Cocoonut

  • Professionals
  • PipPipPipPip
  • 1836 posts
  • Experience:average
  • Hardware:Elk M1, ISY-99
  • Tech:INSTEON, Z-Wave
  • Audio:Sonos
  • CCTV:analog, ip, dvr
  • Phone:POTS

Posted 27 April 2011 - 02:26 PM

This is a good reason to use your home automation devices to turn off your router when it's not in use. I do.

It's not absolute but it is another layer.

Edited by gatchel, 27 April 2011 - 02:27 PM.


#19 hagak

hagak

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 142 posts

Posted 27 April 2011 - 02:53 PM

I disagree. Breaking spec. or not, I don't care. It is more secure in my area. Think about it. In my area, it seems EVERY house has a router. From my living room, I can pickup ~20 routers on any sniffing software I've used (I was trying to figure out if there was any channels NOT in use). So, unless someone is SPECIFICALLY trying to get into my network, they are not going to be targeting my system. A quick scan gives them a LOT to play with. If there are no other routers in the area, no SSID shows up, but there is wifi traffic, of course it doesn't mean anything.

"layers"...this is just one, and it's not a very difficult to add.

I was considering adding a second router, then use that on a second IP subnet, then use SSH/VPN to tunnel into my local network. Just another layer. For the moment, I just use one laptop on the wifi...so, turning it on and off via script is not a big deal.

--Dan

But disabling ssid broadcast is not a layer of security. It really does nothing more than break the spec. Just because the router is not set to broadcast it's ssid does not mean the ssid is hidden from anyone who wants to find it. If you have just one client connected to that router and it is doing zero data transfer the ssid is easily found in the clear because the router and client are always communicating back and forth to keep the connection alive and the ssid part of the communication can NOT be hidden or encrypted regardless of what you do. There are many free very easy to use applications that will let you see any ssid in your area regardless of the ssid broadcast being disabled. For awhile windows had a bug that caused it to not work properly if the ssid was disabled. However many non-pc devices will either not function or be difficult to function if it is disabled.

#20 drvnbysound

drvnbysound

    Cocoonut

  • Registered
  • PipPipPipPip
  • 2857 posts
  • Experience:average
  • Hardware:Elk M1
  • Tech:Z-Wave
  • Audio:Custom
  • Video:SageTV
  • CCTV:analog, ip, dvr

Posted 27 April 2011 - 10:00 PM

While I agree, that selecting to not broadcast your SSID may be very easy to hack with these free applications (Ive personally never looked or tried), I cant tell you how many people have either come to my house or I have gone to theirs and asked about SSID and they have NO IDEA what I am talking about. Knowing that the 8-12 WiFi signals that I pickup from my living room are all open, non-encrypted and the SSID is broadcast it's probably about 99% likely that they dont know what an SSID is either... and if they dont know what it is, they probably arent going to be able to hack mine.

So by hiding my SSID, I am already outrunning those 8-12 people :D

#21 hagak

hagak

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 142 posts

Posted 27 April 2011 - 10:04 PM

While I agree, that selecting to not broadcast your SSID may be very easy to hack with these free applications (Ive personally never looked or tried), I cant tell you how many people have either come to my house or I have gone to theirs and asked about SSID and they have NO IDEA what I am talking about. Knowing that the 8-12 WiFi signals that I pickup from my living room are all open, non-encrypted and the SSID is broadcast it's probably about 99% likely that they dont know what an SSID is either... and if they dont know what it is, they probably arent going to be able to hack mine.

So by hiding my SSID, I am already outrunning those 8-12 people :D

That is just poor logic. Run wpa and those same people will not be able to hack it even with ssid broadcast. Disabling ssid broadcast buys you absolutely nothing security wise. It is not even hiding your network which you do not seem to understand.

#22 Mike W

Mike W

    Newbie

  • Registered
  • Pip
  • 3 posts

Posted 27 April 2011 - 11:49 PM

MAC filtering doesn’t do much, nor does not broadcasting the SSID for reasons already mentioned. If someone has the tools to crack wifi, they have have a network monitoring and capture tool that will see your network.

The best thing you can do is use WPA2 with a strong passphrase and change you SSID. There are pre-computed tables for the 1000 most common SSIDs that can be used with Aircrack and coWPAtty to discover your passphrase in seconds. If your SSID is still "linksys" or "NETGEAR", you are an easy target.

#23 Work2Play

Work2Play

    Cocoonut

  • -=Gold Supporter=-
  • 4958 posts
  • Location:Colorado
  • Experience:guru
  • Software:Elve
  • Hardware:Elk M1, RUC-01
  • Tech:X10-RF, UPB, RadioRA2
  • Audio:AirPlay
  • Video:XBMC
  • CCTV:ip, dvr
  • Phone:3CX, Asterisk, FreePBX, Grandstream, Ooma

Posted 27 April 2011 - 11:59 PM

This is just a topic where someone armed with a little bit of knowledge and a whole bunch of myth is clearly way worse off than someone who either knows very little or knows a lot. If you go through the setup wizard and select WPA2 with a stong password, you're about as safe as a normal residential user will get. If you really have the knowledge and associated paranoia, then further levels of isolation apply (VLAN's, VPN into your network, network level authentication, etc). All I'm saying is that MAC filtering and SSID Broadcast Disable do far less than even a simple WEP password, and with WEP or stronger, they're absolutely pointless - they offer no additional security over the authentication method. The only thing they bring is headaches and hassles with every new legitimate client you try to connect. But if you're a hacker, bypassing those controls is part of the normal hacking process anyways - doesn't even slow them down one bit.



#24 drvnbysound

drvnbysound

    Cocoonut

  • Registered
  • PipPipPipPip
  • 2857 posts
  • Experience:average
  • Hardware:Elk M1
  • Tech:Z-Wave
  • Audio:Custom
  • Video:SageTV
  • CCTV:analog, ip, dvr

Posted 28 April 2011 - 07:26 AM

That is just poor logic. Run wpa and those same people will not be able to hack it even with ssid broadcast. Disabling ssid broadcast buys you absolutely nothing security wise. It is not even hiding your network which you do not seem to understand.


I agree, it isn't hiding it to someone who knows how to find it.... What I said was, is that if you dont know how to manually enter one to get onto a hidden SSID network (and I know MANY people who do not), they probably arent going to know how to 'hack' in either. Knowing that I can find 8+ networks from inside my home that are wide-open, it's unlikely that any of my neighbors know how to locate my SSID. I do have additional layers, so I am not saying that is the only thing that has to be found.

I can see more networks if I step outside, but I wanted to show this.... I turned off my router, and did a scan from my living room using my laptop... I found 1 secured network, you can see that the rest are non-encrypted and wide open for me or anyone else to use:

Posted Image

I work on wireless networks most every day. I have seen a bridge-to-bridge (not an access point) wireless network, using directional antennas mounted 30+ ft above the ground, using MAC filtering, and AES 256-bit encryption get hacked in 2 days. Regardless of what precautions you take, if you are the target of a hacker your network will be compromised, it's only a matter of time.

As most now know, Sony's PSN was recently hacked. I would love to know what precautions Sony had in place and how my consumer grade wifi router can be more secure than their network was.

Edited by drvnbysound, 28 April 2011 - 07:45 AM.


#25 video321

video321

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 959 posts
  • Location:NJ
  • Hardware:Elk M1, Mi Casa Verde Vera
  • Tech:Z-Wave
  • Audio:Custom
  • Video:Custom
  • CCTV:analog, dvr
  • Phone:Ooma

Posted 28 April 2011 - 08:02 AM

I agree, it isn't hiding it to someone who knows how to find it.... What I said was, is that if you dont know how to manually enter one to get onto a hidden SSID network (and I know MANY people who do not), they probably arent going to know how to 'hack' in either. Knowing that I can find 8+ networks from inside my home that are wide-open, it's unlikely that any of my neighbors know how to locate my SSID. I do have additional layers, so I am not saying that is the only thing that has to be found.

This can go on forever, but what needs to be understood is that nobody who wants to get into your network is going to use Windows wireless connections to do it. What they use will show ALL SSIDs in range, whether broadcasting or not, and easily pick out MAC addresses as well.
So, again, you are NOT buying yourself anything but possible connection issues.

Nobody is telling you this to pick at you, but to inform you that you have a false sense of security if you rely on SSID and MACs for security. Instead you should be using WPA minimum with a random and long password.

Since I'm using DD-WRT I have 2 SSIDs on my router. The first is extremely secure with the maximum number of characters for the passphrase and the other is extremely simple to type in for guests and only gets turned on while they visit. I also have the guest SSID on a separate VLAN giving them Internet access only.

#26 drozwood90

drozwood90

    Cocoonut

  • Registered
  • PipPipPipPip
  • 1198 posts
  • Experience:guru
  • Software:HomeSeer
  • Tech:X10-RF, UPB, Z-Wave
  • Audio:Custom
  • Video:Custom

Posted 28 April 2011 - 08:50 AM

But disabling ssid broadcast is not a layer of security. It really does nothing more than break the spec. Just because the router is not set to broadcast it's ssid does not mean the ssid is hidden from anyone who wants to find it. If you have just one client connected to that router and it is doing zero data transfer the ssid is easily found in the clear because the router and client are always communicating back and forth to keep the connection alive and the ssid part of the communication can NOT be hidden or encrypted regardless of what you do. There are many free very easy to use applications that will let you see any ssid in your area regardless of the ssid broadcast being disabled. For awhile windows had a bug that caused it to not work properly if the ssid was disabled. However many non-pc devices will either not function or be difficult to function if it is disabled.


Sure, if they are TARGETING my system, it does nothing. But, adding that to my existing setup is one layer harder than the 20-30 networks around my house. That was my point. NOT from a technical standpoint...if someone wants in, there is nothing you can do except turn off the router. I'm lucky in that there are at least 20-30 networks around my house, I'd say at least 3-4 are unsecured. I'm just "harder" to get into than the next guy.

I suppose I should have made it more clear, I'm NOT saying it is better, but if someone is trying to get a connection to SOME network in the area, there are 20 other networks that are easier to get into. THAT was my point.

As for "one client", true, but that client is only connected 1-2 hours a week. I am a BIG fan of hardwired. Wireless is just not as reliable, fast, etc. as a wired Gigabit connection. I love getting 105meg/sec.+.

I agree, about the other devices not working well. I'm not a proponent of disabling SSID as a end-all-solution. I only mean that in my situation, I have ONE laptop, that I'm on, maybe 1-2 hours a week, and so for ME, with that being the ONLY device, and being a neighborhood that has 20+ networks, some of which are unsecured...I have 2 layers of protection. Again, I understand if someone were to TARGET me, there's not much I can do about it. I used to use MAC filtering, it was a pain. So, I think if not broadcasting the SSID became that hard, I'd probably disable that as well (let's say instead of using one of the 32 GIGABIT drops in my house, I wanted to use wireless for some POPCORN-like box...well, it might not support hidden SSID).

I used to have 2 routers setup. The DC-DC power supply went in the second one. Apparently it did not like being hard turned ON / OFF with an appliance module. So, that's why I mentioned, when I get the second one up, I'll use some sort of VPN/SSH tunnel from one router to the other. OR, if I can figure out how to make Homeseer talk to the CGI webpages that control my router, instead of powering a second one on / off, I'll just enable / disable the wifi part of the router.

I hope that clears it up.

--Dan

#27 drozwood90

drozwood90

    Cocoonut

  • Registered
  • PipPipPipPip
  • 1198 posts
  • Experience:guru
  • Software:HomeSeer
  • Tech:X10-RF, UPB, Z-Wave
  • Audio:Custom
  • Video:Custom

Posted 28 April 2011 - 09:04 AM

random ...password.


I disagree with this. By your logic, a long random password only makes it harder for the users to get on the network.

You can use a long password, and just make a sentence / passphrase which means something to you, then substitute some letters with the "super" characters (#$^&%&), upper case and numbers. Essentially, you don't need random, you need to include as much of the different types of possible characters as possible to make the "rainbow" tables as large as possible that it makes it so that only BRUTE force can crack it.

Wireless is just NOT secure with consumer stuff. The only sure way is to turn the darned thing off and NOT use it. If you do not, there is ALWAYS a possibility someone who wants to CAN get in. The trick is just to make yourself less appealing to anyone else in the area.

If you want to get a warm fuzzy use this:
http://en.wikipedia.org/wiki/Type_1_encryption

or use:
AES-2048 or better
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Then you will need one of these:
http://en.wikipedia.org/wiki/Fill_device

To give the keys to all your users. No matter what you do, you will get hacked given a hacker who wants in. You just have to get yourself in a position of being less of a target, or don't use it.

--Dan

#28 Work2Play

Work2Play

    Cocoonut

  • -=Gold Supporter=-
  • 4958 posts
  • Location:Colorado
  • Experience:guru
  • Software:Elve
  • Hardware:Elk M1, RUC-01
  • Tech:X10-RF, UPB, RadioRA2
  • Audio:AirPlay
  • Video:XBMC
  • CCTV:ip, dvr
  • Phone:3CX, Asterisk, FreePBX, Grandstream, Ooma

Posted 28 April 2011 - 09:21 AM

Posted Image

#29 Ira

Ira

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 563 posts

Posted 28 April 2011 - 10:31 AM

Anyone have any links to documentation on how to use some of the more advanced techniques mentioned here, e.g., VLANs, VPN, etc. in a pure Windows environment using off-the-shelf LAN hardware?

My wife often works from home. She has a wireless adapter in her Windows laptop (provided by her employer), so she gets on our home LAN via the wireless, then VPN's into her work network. Since other people at her company have access to her laptop, I'm not sure what the most secure setup for my home network is that will still allow her to connect wirelessly so she can VPN to her office. It's got to be relatively simple to use once everything is set up. Any ideas?

And I understand that nothing is 100% secure, but I still lock the doors on my home when I leave.

#30 video321

video321

    Dedicated Cocooner

  • Registered
  • PipPipPip
  • 959 posts
  • Location:NJ
  • Hardware:Elk M1, Mi Casa Verde Vera
  • Tech:Z-Wave
  • Audio:Custom
  • Video:Custom
  • CCTV:analog, dvr
  • Phone:Ooma

Posted 28 April 2011 - 11:29 AM

I disagree with this. By your logic, a long random password only makes it harder for the users to get on the network.

You can use a long password, and just make a sentence / passphrase which means something to you, then substitute some letters with the "super" characters (#$^&%&), upper case and numbers. Essentially, you don't need random, you need to include as much of the different types of possible characters as possible to make the "rainbow" tables as large as possible that it makes it so that only BRUTE force can crack it.

You're kidding me, right? I have a minimum amount of wireless devices on my network and once they're setup, they're done. I've also stated I have a 2nd SSID for visitors that makes it easy for them to get Internet access only. And do you really think using $ for S or ! for I is fooling anyone's tables???




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users