On Sat, Nov 14, 2009 at 5:55 PM, Jason Spatafore wrote: > On Sat, 2009-11-14 at 14:52 -0500, Steven A. DuChene wrote: > > The whole concept of "wireless encryption security" is > > somewhat moot with airdump-ng etc tools. > > > > > > WEP keys are really easy to break. > > > > WPA is also easily encroached - but harder with a truely > > unique secure key (which few people use) > > > > > > It just exists as part of the big "security" matrix to keep > > the honest people out. Crackers can get right in anyway! > > I read through that and thought...not really a joke. > > When you look through it, there's a lot of "if you can do this" and "if > you can do that". The simple solution for routers would be to > kill/ignore signals from any system after 3 failed login attempts for a > specified time out period...just like you do on SSH. Yes, you can change > the source MAC...and, yes, you would get 3 packets, get shut out..and > would have to keep changing the MAC which would, in turn, just take > longer...eventually, the cracker gets bored and looks for the easier > target...as always...and just does a DoS attack because that's all they > can really do in the end. > > I'm pretty sure a firmware update (probably forthcoming) can handle that > aspect. > > And, in the end, we *all* know there is no such thing as perfect > security, just like there is no such thing as a perfect deck of cards in > "Magic: The Gathering" or a perfect character in DnD. > > I mean, go ahead, set up a wired network...what's to keep me tapping > into your wall, hooking up a digital signaling device, and using that to > hack your now unsecured network? I'm betting you wouldn't run your > cables securely...and, if you did, who says I can't get past that? > > It's the same argument over and over again. :) It's all about whether or > not the cracker is determined and whether or not they really desire to > break the law. > > The best way, currently in place in Cisco/Microsoft Active Directory networks and Radius/sLDAP networks is MAC address switch negotiation/authentication with Active Directory or sLDAP key based authentication (with the key timing out just under the amount of time that it takes to obtain it from a cracker). So, you don't get access to any network resources (switch access, DHCP, NAT and DNS is unavailable) without a perfectly acceptable Active Directory or key based authentication from a known mac address. If two devices appear with the same mac (during ARP poisoning) the ports in question are shut down. UAT uses this scheme. But with new Video card fast cowpatty style decryption and dictionary pattern matching, this amount of time is VERY SHORT and implementation often not completely tested for many public installs, therefore still attacked (to get 5 minutes of email for instance before trying a second fake auth). The very best current way to protect your WIRELESS includes: 0) Change your default name and password and exclude WLAN side access/management (!!!) 1) Turn off the SSID beacon 2) Require MAC address authentication 3) USE WPA2 4) Use 14 characters in combination of letters and numbers as the password. 5) Don't save your access passwords in protected cache in your browser and surf to cracker, or warez sites or open email that you don't trust. and extra credit: 6) Turn off the router automatically during night if you have the ability to make an access profile. 7) Update and restore your manufacturers firmware on a regular basis. Wipe tools exist, to clear off all data in preparation for new firmware. (Since you can use the browser router access to tftp/wget files to the router to add additional features that are not overwritten simply with a firmware update or reset). 8) Back up your configuration and have a look at it with a hex editor. Restore it once it looks good after a weekly firmware upgrade. 9) Configure a log server and email alerts. Don't assume that running your router on OpenWRT or DDWrt are going to make it more secure - that ssh can be trivially brute forced just like any other - you must protect any open service port or binary (optimally with a kernel based iptables/netfilter sub-interface or zone) and have very secure passwords. SECURITY TEST ALL YOUR INSTALLS and READ YOUR LOGS! -- Skype: (623)239-3392 AT&T: (503)754-4452 www.it-clowns.com