Post #3, 02-17-2011, 04:28 AM
Jeff Liebermann (Guest)
Re: Is hiding your home SSID actually a privacy flaw (broadcasting your home SSID at public hotspots)?

On Wed, 16 Feb 2011 21:25:47 +0000 (UTC), Aaron Fisher
<aaronfischer@sbcglobal.net> wrote:

>REQUEST:
>Can/would the intelligentsia on alt.internet.wireless (Jeff Lieberman
>perhaps?) comment on whether that statement has merit based on what I
>just read at technet.microsoft.com (quoted above & reference at the end
>of this post).


Spell my name correctly and I promise not to bite your head off. Full
moon Friday night and I'm already getting hungry.
<http://802.11junk.com/jeffl/pics/jeffl/slides/jeffl-wolf.html>

>PROBLEM:
>According to the reference article, the WinXP SP3 WZC client is
>"periodically disclosing its set of preferred non-broadcast wireless
>networks".


Sigh. Yes, WZC and probably some other wireless clients try to
connect to the preferred network SSID first. Since encryption is
established AFTER the initial association with the access point, the
SSID is contained inside the association request frame and is NOT
encrypted. See:
<http://www.wi-fiplanet.com/tutorials/article.php/1447501/Understanding-80211-Frame-Types.htm>
However, once your laptop associates successfully with the coffee shop
access point, all such broadcasts cease. Should your laptop go into
standby, when it wakes up, it will NOT try to connect to the preferred
SSID, but instead try to reconnect to the previous SSID (the coffee
shop hot spot). Incidentally, this algorithm is the source of the all
too common problem of coming home and discovering that your laptop
still thinks it's at the coffee shop, and will not connect to your
home network until you scan for networks and intentionally connect to
your home SSID.

>Therefore, my epiphany goes, the "bad guy" could easily determine my home
>network SSID from my single visit to a local public hotspot


Yep, he could. He would need to know your laptop's MAC address in
order to filter the traffic to just see your connection requests.
That's not too difficult but you could easily change your MAC address
for the occasion and drive the sniffer nuts.

>and, with
>enough determination, correlate my preferred non-broadcast wireless
>networks to my laptop computer (even if I've changed my MAC address,
>hostname, username, proxy server, and SSH tunnel, daily).


Nope. The only things that can be sniffed are the MAC address of your
wireless contrivance and your preferred SSID. All the other junk only
becomes useful after successful association with the access point.

However, hiding your SSID is nothing more than security by obscurity.
Same with juggling your MAC address. It creates more obstacles to
overcome, but doesn't actually add much to your overall security. It's
like the username and password problem. It's generally assumed that
the username (or login name) is generally accessible or guessable.
Only the password needs to be secure. It's the same with wireless.
The ONLY thing that needs to be secure is the WPA2 pass phrase. You
can post all the other info on a sign outside your house and without
the WPA2 pass phrase, nobody will be able to do much with your wireless
connection.

The whole issue is not terribly relevant because it's easy to sniff
the association/disassociation and authentication/deauthentication
frames, which contain the access point SSID. If I wanted to break
into your home wireless system, I wouldn't do so at a coffee shop. I
would do it at your home.

If you want to go witch hunting for privacy issues, start by getting
rid of all the Post-it notes on your monitor. Most of them probably
contain various passwords. After that, consider how many machines
have your WPA2 pass phrase on them. Ask yourself how many of those
machines have been in the hands of evil hackers like myself. Then
read about recovering the hash codes for WPA2 access from these
machines.
<http://www.nirsoft.net/utils/wireless_key.html>
Give me a few minutes with your laptop and your WPA2 key is mine. Have
you left your laptop unattended and in the presence of known hackers?
Start worrying. All it takes is about 5 seconds and a USB memory
thing with an autorun.inf file setup to extract
HKLMACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\*
keys from your registry and your shared key is all mine.

Want a fix? Start thinking about NOT using a pre-shared key, but
using a server assigned (RADIUS) delivered key. Each is unique for
each session, and each user. There's nothing saved on the laptop. You
will need a RADIUS server, or RADIUS service provider, a login, and
yet another password.

>QUESTION:
>Is it true that hiding the SSID in one place actually broadcasts it in
>all others?


No. If you did NOT hide your SSID, and broadcast it regularly so that
your neighbors don't land on top of your network and spew trash on the
channel you're using, then when you arrive at the coffee shop, your
laptop will still try to initially connect to the saved preferred
SSID. In other words, you have the same problem with or without a
hidden SSID.

>Why Non-broadcast Networks are not a Security Feature
>* http://technet.microsoft.com/en-us/l.../bb726942.aspx


Actually, a very nice article on some obscure issues some of which I
hadn't considered.

>Notes:
>* I do realize that the realm of "privacy" protection entails a
>thoughtful multi-layered approach, including proxies, SSH tunneling, TORs,
>encryption, spoofing, etc.


Security and privacy are similar but not identical. Security is
preventing anyone from entering your network and then playing tourist.
Privacy is preventing anyone from determining how much ****o or warez
you're downloading on your wireless network.

>Therefore, I request the astute advice from the team stay on the specific
>topic of whether or not hiding the SSID on your home wireless router
>actually broadcasts that SSID at all hotspots on your WinXP SP3 laptop.


"...broadcasts that SSID at all hotspots..." is kinda misleading.
Broadcasts are never aimed at a particular device. They're sent to
anyone or anything that's listening. They're not intended to be
hidden, secret, protected, encrypted, private, or obscured.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS
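The point Jeff makes above, that a client naming its preferred SSID does so before any WPA2 key exists and therefore in the clear, can be seen by taking apart a probe request frame. The following is an added example, not code from the post or from any of the tools it links; it builds a few constructed 802.11 probe request frames (the MAC addresses and SSIDs are made up), parses the SSID information element out of them, and sums up which client MACs are naming specific networks versus sending the harmless wildcard probe. That summary is what a network administrator auditing their own fleet would want: any device that appears in it is disclosing a saved network name wherever it goes, regardless of whether that network hides its SSID at home.

```python
"""Parse constructed 802.11 probe request frames to show that the SSID a
client asks for travels in the clear (before any WPA2 key exists).
Added example; frames, MACs and SSIDs below are constructed, not captured."""
from collections import defaultdict

MGMT_HEADER_LEN = 24          # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtrl(2)
FC0_PROBE_REQUEST = 0x40      # version 0, type 0 (management), subtype 4 (probe request)
FC1_PROTECTED = 0x40          # "Protected Frame" bit in the second frame-control byte
IE_SSID = 0
IE_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac, ssid):
    """Construct a minimal probe request (test input; not a captured frame).
    An empty ssid produces the wildcard probe that discloses nothing."""
    header = (bytes([FC0_PROBE_REQUEST, 0x00]) + b"\x00\x00"
              + BROADCAST + src_mac + BROADCAST + b"\x00\x00")
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8b, 0x96])
    return header + ssid_ie + rates_ie


def parse_ies(body):
    """Walk the tag/length/value list that follows the management header."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_probe_request(frame):
    """Return {'src': mac, 'ssid': str or None} for a probe request, else None.
    ssid == '' is the wildcard probe; None means no SSID element at all."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    if frame[0] != FC0_PROBE_REQUEST:
        return None
    if frame[1] & FC1_PROTECTED:
        # A probe request is sent before association, so no pairwise key
        # exists yet; a set Protected bit here is malformed, not encrypted.
        raise ValueError("probe request must not carry the Protected Frame bit")
    src = mac_str(frame[10:16])
    ssid = None
    for tag, value in parse_ies(frame[MGMT_HEADER_LEN:]):
        if tag == IE_SSID:
            ssid = value.decode("utf-8", "replace")
            break
    return {"src": src, "ssid": ssid}


def directed_ssids_by_client(frames):
    """Audit helper: which client MACs are naming specific SSIDs in probes?
    Wildcard probes (empty SSID) are ignored because they reveal nothing."""
    seen = defaultdict(set)
    for frame in frames:
        info = parse_probe_request(frame)
        if info and info["ssid"]:
            seen[info["src"]].add(info["ssid"])
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


# Constructed sample: one laptop probing for its saved home network and
# also sending a wildcard probe, another only naming the hotspot.
LAPTOP_A = bytes.fromhex("020000000001")
LAPTOP_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_probe_request(LAPTOP_A, b"MyHomeNet"),
    build_probe_request(LAPTOP_A, b""),
    build_probe_request(LAPTOP_B, b"CoffeeShopWiFi"),
]

if __name__ == "__main__":
    for mac, ssids in directed_ssids_by_client(SAMPLE_FRAMES).items():
        print(f"{mac} disclosed preferred SSID(s): {ssids}")
```

Two details in the parser carry the lesson. The SSID element is read straight out of the frame body with no key material involved, which is exactly why hiding the SSID at home changes nothing about what the laptop says at the coffee shop. And the Protected Frame bit is rejected rather than honoured, because a probe request precedes association and there is nothing it could be encrypted with; the only secret in the whole exchange remains the WPA2 pass phrase, as the post says.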

