Wireless security (was linux on odd devices)

Lisa Kachold lisakachold at obnosis.com
Sat Nov 14 16:59:43 MST 2009


On Sat, Nov 14, 2009 at 5:55 PM, Jason Spatafore <jason_online at spatafore.net> wrote:

> On Sat, 2009-11-14 at 14:52 -0500, Steven A. DuChene wrote:
> >         The whole concept of "wireless encryption security" is
> >         somewhat moot with airodump-ng etc. tools.
> >
> >
> >         WEP keys are really easy to break.
> >
> >         WPA is also easily encroached - but harder with a truly
> >         unique secure key (which few people use)
> >
> >
> >         It just exists as part of the big "security" matrix to keep
> >         the honest people out.  Crackers can get right in anyway!
>
> I read through that and thought...not really a joke.
>
> When you look through it, there's a lot of "if you can do this" and "if
> you can do that". The simple solution for routers would be to
> kill/ignore signals from any system after 3 failed login attempts for a
> specified time out period...just like you do on SSH. Yes, you can change
> the source MAC...and, yes, you would get 3 packets, get shut out..and
> would have to keep changing the MAC which would, in turn, just take
> longer...eventually, the cracker gets bored and looks for the easier
> target...as always...and just does a DoS attack because that's all they
> can really do in the end.
>
> I'm pretty sure a firmware update (probably forthcoming) can handle that
> aspect.
>
> And, in the end, we *all* know there is no such thing as perfect
> security, just like there is no such thing as a perfect deck of cards in
> "Magic: The Gathering" or a perfect character in DnD.
>
> I mean, go ahead, set up a wired network...what's to keep me tapping
> into your wall, hooking up a digital signaling device, and using that to
> hack your now unsecured network? I'm betting you wouldn't run your
> cables securely...and, if you did, who says I can't get past that?
>
> It's the same argument over and over again. :) It's all about whether or
> not the cracker is determined and whether or not they really desire to
> break the law.
>
The best way, currently in place in Cisco/Microsoft Active Directory
networks and RADIUS/sLDAP networks, is MAC address switch
negotiation/authentication with Active Directory or sLDAP key-based
authentication (with the key timing out just under the amount of time that
it takes a cracker to obtain it).

So, you don't get access to any network resources (switch access, DHCP, NAT
and DNS are unavailable) without a perfectly acceptable Active Directory or
key-based authentication from a known MAC address.  If two devices appear
with the same MAC (during ARP poisoning), the ports in question are shut
down.  UAT uses this scheme.

But with new video-card-accelerated coWPAtty-style decryption and dictionary
pattern matching, this amount of time is VERY SHORT, and the implementation is
often not completely tested for many public installs, and therefore still
attacked (to get 5 minutes of email, for instance, before trying a second fake
auth).

The very best current way to protect your WIRELESS includes:

0) Change your default name and password and exclude WLAN-side
access/management (!!!)
1) Turn off the SSID beacon
2) Require MAC address authentication
3) USE WPA2
4) Use 14 characters, in a combination of letters and numbers, as the password.
5) Don't save your access passwords in the protected cache in your browser, and
don't surf to cracker or warez sites or open email that you don't trust.

and extra credit:

6) Turn off the router automatically at night if you have the ability to
make an access profile.
7) Update and restore your manufacturer's firmware on a regular basis.  Wipe
tools exist to clear off all data in preparation for new firmware.  (Since
you can use the browser router access to tftp/wget files to the router to
add <ahem> additional features that are not overwritten simply by a
firmware update or reset.)
8) Back up your configuration and have a look at it with a hex editor.
Restore it once it looks good after a weekly firmware upgrade.
9) Configure a log server and email alerts.

Don't assume that running your router on OpenWRT or DD-WRT is going to make
it more secure - its ssh can be trivially brute-forced just like any other
- you must protect any open service port or binary (optimally with a
kernel-based iptables/netfilter sub-interface or zone) and have very secure
passwords.

SECURITY TEST ALL YOUR INSTALLS and READ YOUR LOGS!
-- 
Skype: (623)239-3392
AT&T: (503)754-4452
www.it-clowns.com
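Added example, not from the post above: how the WPA/WPA2 pre-shared key is actually derived, and what the "14 characters of letters and numbers" advice buys against a coWPAtty-style cracker. The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes out, which is why precomputed PMK tables only pay off against common default SSIDs. The one-million-guesses-per-second rate is an assumed stand-in for a GPU cracker, not a measurement; the passphrase "password" / SSID "IEEE" vector is the published IEEE 802.11 test case.

```python
"""WPA/WPA2-PSK key derivation and a brute-force cost model.

Added example, not code from the original mailing-list post. The guess
rate passed to estimate_crack_times() is an assumption, not a benchmark.
"""
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK
PMK_LEN = 32               # 256-bit pairwise master key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network. Tools such as coWPAtty's genpmk precompute PMK tables per
    SSID, which is only worthwhile against widely used default SSIDs.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases for a fixed-length policy."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second


def estimate_crack_times(guesses_per_second: float = 1_000_000.0) -> dict:
    """Worst-case exhaust time per passphrase policy.

    Each guess costs one full PBKDF2 run (4096 HMAC-SHA1 iterations), which is
    the whole reason WPA-PSK cracking is slow per candidate. The default rate
    is an assumed figure; substitute what your own hardware achieves.
    """
    alnum = len(string.ascii_letters + string.digits)   # 62 symbols
    scenarios = {
        "dictionary, 10 million words": 10_000_000,
        "8 alphanumeric chars": keyspace(alnum, 8),
        "14 alphanumeric chars (the post's advice)": keyspace(alnum, 14),
    }
    return {name: seconds_to_exhaust(n, guesses_per_second)
            for name, n in scenarios.items()}


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: a precomputed table for one is useless for the other
    print(wpa_pmk("password", "linksys").hex())
    for name, secs in estimate_crack_times().items():
        print(f"{name:45s} {secs / 86400 / 365.25:>14.3e} years")
```

The model is deliberately pessimistic for the defender: it counts only exhaustive search and ignores that real passphrases fall to dictionaries and mangling rules long before the keyspace is exhausted, which is exactly why the dictionary scenario, not the 14-character one, is the number to worry about for most home installs.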
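Added example, not from the post above: the "configure a log server" and "read your logs" steps made concrete for the ssh brute-force case the post warns about. It scans router syslog for password failures from dropbear (the SSH server on OpenWrt and DD-WRT), flags any source with three failures inside five minutes, and emits the iptables rules that drop it, alongside a static netfilter `recent` rate limit that needs no log parsing at all. The log lines are constructed for this example, in plain BSD syslog format as a remote syslog server would store them, with addresses from documentation ranges; the thresholds are assumptions to tune.

```python
"""Detect SSH brute force against a router from syslog and emit netfilter rules.

Added example, not code from the original post. CONSTRUCTED_LOG is made up
for this example; the message wording follows dropbear's real log strings.
"""
import re
from collections import defaultdict
from datetime import datetime

# dropbear logs failures as one of:
#   Bad password attempt for 'root' from 203.0.113.7:51234
#   Login attempt for nonexistent user from 203.0.113.7:51240
# Successful logins ("Password auth succeeded for ...") are not matched.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '[^']*'|Login attempt for nonexistent user) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)

# Constructed sample: one fast brute force, one legitimate typo, one slow probe.
CONSTRUCTED_LOG = """\
Nov 14 16:58:01 router dropbear[2211]: Bad password attempt for 'root' from 203.0.113.7:51234
Nov 14 16:58:03 router dropbear[2212]: Bad password attempt for 'root' from 203.0.113.7:51235
Nov 14 16:58:04 router dropbear[2213]: Login attempt for nonexistent user from 203.0.113.7:51236
Nov 14 16:58:06 router dropbear[2214]: Bad password attempt for 'admin' from 203.0.113.7:51237
Nov 14 16:59:10 router dropbear[2215]: Bad password attempt for 'root' from 198.51.100.2:40000
Nov 14 16:59:12 router dropbear[2216]: Password auth succeeded for 'root' from 198.51.100.2:40001
Nov 14 17:30:00 router dropbear[2230]: Bad password attempt for 'root' from 192.0.2.9:2222
Nov 14 17:40:00 router dropbear[2231]: Bad password attempt for 'root' from 192.0.2.9:2223
Nov 14 17:50:00 router dropbear[2232]: Bad password attempt for 'root' from 192.0.2.9:2224
"""


def failed_attempts(log_text: str, year: int = 2009) -> dict:
    """Return {source_ip: [datetime, ...]} of failed SSH logins, oldest first.

    BSD syslog timestamps carry no year, so the caller supplies one.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        per_ip[m["ip"]].append(ts)
    return {ip: sorted(times) for ip, times in per_ip.items()}


def brute_force_sources(log_text: str, threshold: int = 3,
                        window_seconds: int = 300) -> set:
    """Sources with at least `threshold` failures inside any `window_seconds` span."""
    hits = set()
    for ip, times in failed_attempts(log_text).items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.add(ip)
                break
    return hits


def block_rules(ips, port: int = 22) -> list:
    """iptables commands that drop further SSH connections from each flagged source."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


def rate_limit_rules(port: int = 22, hitcount: int = 4, seconds: int = 60) -> list:
    """Static alternative using netfilter's `recent` match: a source that opens
    `hitcount` new connections to `port` within `seconds` is dropped."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --set --name SSH",
        f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
        f"-m recent --update --seconds {seconds} --hitcount {hitcount} --name SSH -j DROP",
    ]


if __name__ == "__main__":
    flagged = brute_force_sources(CONSTRUCTED_LOG)
    print("flagged sources:", sorted(flagged))
    for rule in block_rules(flagged) + rate_limit_rules():
        print(rule)
```

Note that the slow probe from 192.0.2.9 (three failures spread over twenty minutes) is invisible at the default five-minute window but shows up with `window_seconds=3600`; attackers who know about lockout rules pace themselves, and the post's point about changing the source MAC applies equally to source IPs, so the log review is still needed even with the `recent` rule in place.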