I am in the process of setting up wireless access in our small office.
The wireless access point hardware I have seen is all equipped to do up
to 128 bit WEP encryption and MAC filtering. A couple of questions:
1. I have read that WEP is broken. Is it really? Do I want to use
something else? One of the laptops that will be connecting is a few
years old and its built-in wireless supports WEP 128 but not other
encryption as far as I can tell.
2. MAC filtering seems to me to be a great idea. Adds a layer of
security. If WEP is enabled, is the MAC address of the laptop also
encrypted? Does it matter?
3. Thinking out loud now. If my laptop is busy looking for wireless
access points, it is transmitting its MAC address in the clear. Assume an
attacker learns my MAC address. Then I get to my office and log on to
the Wireless Access Point. It requires that I send the MAC encrypted.
Does the attacker have a crib that will allow them to pry open WEP 128? If
so, am I better off with just WEP and not MAC filtering?
> Greetings,
>
> I am in the process of setting up wireless access in our small office.
> The wireless access point hardware I have seen is all equipped to do up
> to 128 bit WEP encryption and MAC filtering. A couple of questions:
>
> 1. I have read that WEP is broken. Is it really? Do I want to use
> something else? One of the laptops that will be connecting is a few
> years old and it's built in wireless supports WEP 128 but not other
> encryption as far as I can tell.
>
> 2. MAC filtering seems to me to be a great idea. Adds a layer of
> security. If WEP is enabled, is the MAC address of the laptop also
> encrypted? Does it matter?
>
> 3. Thinking out loud now. If my laptop is busy looking for wireless
> access points, and transmitting it's MAC address in the clear. Assume an
> attacker learns my MAC address. Then I get to my office and log on to
> the Wireless Access Point. It requires that I send the MAC encrypted.
> Does the attacker have a crib that will them to pry open WEP 128? If
> so, am I better off with just WEP and not MAC filtering?
>
>
> Thanks for all your thoughts,
>
> John
Your security policies should match the security risk you are willing to
live with. In other words, do you have sensitive data? Critical data?
Analyze what you have on your computer and how "sensitive" it really is.
WEP is a very weak "encryption" protocol and I have read, but not done it
yet, that it can be broken in minutes. MAC filtering is moot and really
gets you little added security...
If your data is that important, i.e. you have SS#, credit card info, etc., etc.,
just use some cat5... or look into some of the new wireless protocols.
on 10/10/2005 1:06 PM Juergen Nieveler said the following:
> John Hyde <EJhyd@netscape.net> wrote:
>
>
>>1. I have read that WEP is broken. Is it really? Do I want to use
>>something else? One of the laptops that will be connecting is a few
>>years old and it's built in wireless supports WEP 128 but not other
>>encryption as far as I can tell.
>
>
> WEP can be broken with a few minutes of work and a few tools like
> "Aircrack". You should use WPA instead. If the builtin system doesn't
> support it, don't use it - buy another WLAN card.
>
>
>>2. MAC filtering seems to me to be a great idea. Adds a layer of
>>security. If WEP is enabled, is the MAC address of the laptop also
>>encrypted? Does it matter?
>
>
> It doesn't matter. The encryption of WEP can be broken in minutes,
> after that the attacker can see your MAC, adjust his computer, and he's
> in.
>
>
>>3. Thinking out loud now. If my laptop is busy looking for wireless
>>access points, and transmitting it's MAC address in the clear. Assume an
>>attacker learns my MAC address. Then I get to my office and log on to
>>the Wireless Access Point. It requires that I send the MAC encrypted.
>>Does the attacker have a crib that will them to pry open WEP 128? If
>>so, am I better off with just WEP and not MAC filtering?
>
>
> WEP128 is broken, it's not even worth thinking about anymore.
>
>
> Juergen Nieveler
Thanks for the reply. I'll be trying to find a firmware upgrade for the
laptop since it is built in. If not, I'll take the advice of finding an
alternate card.
I did find this interesting quote about WEP.
"WEP is better than nothing
If you can't use WPA, perhaps because you can't afford new base stations
and Panther upgrades for all your laptops, at least enable WEP, feeble
though it may. There is an old joke about two guys hiking in the woods
who spot a mean looking grizzly bear heading their way. One of the
hikers takes off his back pack, pulls out running shoes, and starts
putting them on. The other says "You idiot, you can't outrun a hungry
bear in the woods." The first replies "I don't have to outrun the bear,
I only have to outrun you." Even minimal security may be effective
against snoops who have plenty of unprotected targets to choose from.
Use the higher, 128-bit security setting, if possible, and change
passwords frequently."
John Hyde <EJhyd@netscape.net> writes:
> Greetings,
>
> I am in the process of setting up wireless access in our small
> office. The wireless access point hardware I have seen is all equipped
> to do up to 128 bit WEP encryption and MAC filtering. A couple of
> questions:
>
> 1. I have read that WEP is broken. Is it really? Do I want to use
> something else? One of the laptops that will be connecting is a few
> years old and it's built in wireless supports WEP 128 but not other
> encryption as far as I can tell.
WPA with RADIUS authentication is cryptographically quite superior.
WEP is crackable very quickly provided enough initialization vectors
and traffic have been gathered. Injection techniques can be leveraged
to generate the required traffic in a compressed timeframe. Freely
available tools like kismet have these techniques built in.
If your access point uses weak/predictable initialization vectors,
it's crackable that much more quickly.
> 2. MAC filtering seems to me to be a great idea. Adds a layer of
> security. If WEP is enabled, is the MAC address of the laptop also
> encrypted? Does it matter?
The MAC is in the clear, IIRC. Passive sniffers like kismet can
detect them, and those MACs can be used in spoofing.
> 3. Thinking out loud now. If my laptop is busy looking for wireless
> access points, and transmitting it's MAC address in the clear. Assume
> an attacker learns my MAC address. Then I get to my office and log on
> to the Wireless Access Point. It requires that I send the MAC
> encrypted. Does the attacker have a crib that will them to pry open
> WEP 128? If so, am I better off with just WEP and not MAC
> filtering?
WEP 128 is better than MAC filtering alone. WEP 128 + MAC filtering
will prevent the casual hack, but is trivially crackable for someone
in sniffing range. For home use, it's probably an acceptable risk
depending on how dense your surroundings are. For a business environment,
a VPN connection with strong encryption is preferable.
WPA + RADIUS authentication is the best of breed right now. Firmware
upgrades may get you there for free. WPA + pre-shared key
authentication has a weakness in it that makes a brute force attack
nearly feasible, though I haven't been following that issue closely.
All production wireless right now should be considered something that
can be DoS'd, so relying on it for a connection that must be there
continuously is dicey. Wired is preferable if possible.
>I am in the process of setting up wireless access in our small office.
>The wireless access point hardware I have seen is all equipped to do up
>to 128 bit WEP encryption and MAC filtering. A couple of questions:
>1. I have read that WEP is broken. Is it really? Do I want to use
>something else? One of the laptops that will be connecting is a few
>years old and it's built in wireless supports WEP 128 but not other
>encryption as far as I can tell.
WEP can be cracked relatively easily. If someone sits outside your offices
and gets something like 1,000,000 bytes of encrypted traffic, they can
apparently figure out what the key is, and then have complete and free
access to your network. Is this an acceptable risk for your business?
WPA is stronger, if your router and your systems support it.
Your one laptop might be OK, as long as the WEP key is changed regularly
and that laptop is not used very much.
>2. MAC filtering seems to me to be a great idea. Adds a layer of
>security. If WEP is enabled, is the MAC address of the laptop also
>encrypted? Does it matter?
>3. Thinking out loud now. If my laptop is busy looking for wireless
>access points, and transmitting it's MAC address in the clear. Assume an
>attacker learns my MAC address. Then I get to my office and log on to
>the Wireless Access Point. It requires that I send the MAC encrypted.
>Does the attacker have a crib that will them to pry open WEP 128? If
>so, am I better off with just WEP and not MAC filtering?
>> WEP128 is broken, it's not even worth thinking about anymore.
>>
>>
>> Juergen Nieveler
>Thanks for the reply. I'll be trying to find a firmware upgrade for the
>laptop since it is built in. If not, I'll take the advice of finding an
>alternate card.
>I did find this interesting quote about WEP.
>"WEP is better than nothing
>If you can't use WPA, perhaps because you can't afford new base stations
>and Panther upgrades for all your laptops, at least enable WEP, feeble
>though it may. There is an old joke about two guys hiking in the woods
>who spot a mean looking grizzly bear heading their way. One of the
>hikers takes off his back pack, pulls out running shoes, and starts
>putting them on. The other says "You idiot, you can't outrun a hungry
>bear in the woods." The first replies "I don't have to outrun the bear,
>I only have to outrun you." Even minimal security may be effective
>against snoops who have plenty of unprotected targets to choose from.
>Use the higher, 128-bit security setting, if possible, and change
>passwords frequently."
That depends on whether or not someone wants to target you. Do you have
competitors who you would rather not have on your network? They do not care
that the lumber yard down the street is easier to break into; they want
you.
I.e., if the bear wants you, for your red hat, being able to run faster than
your friend is irrelevant.
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns96EC5D7CFED7Cjuergennieveler@nieveler.org...
> John Hyde <EJhyd@netscape.net> wrote:
>
> > I did find this interesting quote about WEP.
> >
> > "WEP is better than nothing
> >
> > If you can't use WPA, perhaps because you can't afford new base
> > stations and Panther upgrades for all your laptops, at least enable
> > WEP, feeble though it may.
>
> I don't agree with that, actually. Turning on WEP will make you think
> "Oh, I got at least SOME security", so you'll never know when your
> security isn't there anymore.
>
> Either go for real security, or no security - if you have no encryption
> enabled, you'll at least always remember that there's a good reason to
> be carefull.
Interesting argument.
A car ignition lock can be forced... so do you park your car with the doors
open and the key in the ignition? ;o)
--
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
on 10/10/2005 9:49 PM Unruh said the following:
> John Hyde <EJhyd@netscape.net> writes:
>
>
>>>WEP128 is broken, it's not even worth thinking about anymore.
>>>
>>>
>>>Juergen Nieveler
>
>
>>Thanks for the reply. I'll be trying to find a firmware upgrade for the
>>laptop since it is built in. If not, I'll take the advice of finding an
>>alternate card.
>
>
>>I did find this interesting quote about WEP.
>
>
>>"WEP is better than nothing
>
>
>>If you can't use WPA, perhaps because you can't afford new base stations
>>and Panther upgrades for all your laptops, at least enable WEP, feeble
>>though it may. There is an old joke about two guys hiking in the woods
>>who spot a mean looking grizzly bear heading their way. One of the
>>hikers takes off his back pack, pulls out running shoes, and starts
>>putting them on. The other says "You idiot, you can't outrun a hungry
>>bear in the woods." The first replies "I don't have to outrun the bear,
>>I only have to outrun you." Even minimal security may be effective
>>against snoops who have plenty of unprotected targets to choose from.
>>Use the higher, 128-bit security setting, if possible, and change
>>passwords frequently."
>
>
>>From: http://world.std.com/~reinhold/airport.html
>
>
> That depends on whether or not someone wants to target you. do you have
> competitors who you would rather not have on your network? They do not care
> that the lumber yard down the street is easier to break into, they want
> you.
>
> Ie, if the bear wants you, for your red hat, being able to run faster than
> your friend is irrelevant.
>
Absolutely, and if you saw my other post, my home network is very likely
to be successful just as a "sprinter", my office network needs to be
able to shoot bears. ;-)
on 10/11/2005 2:54 AM Juergen Nieveler said the following:
> John Hyde <EJhyd@netscape.net> wrote:
>
>
>>I did find this interesting quote about WEP.
>>
>>"WEP is better than nothing
>>
>>If you can't use WPA, perhaps because you can't afford new base
>>stations and Panther upgrades for all your laptops, at least enable
>>WEP, feeble though it may.
>
>
> I don't agree with that, actually. Turning on WEP will make you think
> "Oh, I got at least SOME security", so you'll never know when your
> security isn't there anymore.
>
> Either go for real security, or no security - if you have no encryption
> enabled, you'll at least always remember that there's a good reason to
> be carefull.
>
> Juergen Nieveler
Ok, well, I never put high value stuff on the home network anyway; even
when it was a hardwire only network. Still have a router, precautions
on each box, etc. But I have family members who will click on anything
that moves. Yes I try to educate them, provide alternate browser, but
if something doesn't work, the immediate response is to fire up Exploder
(er Explorer). It is bad enough to have to fix the boxes without having
to worry about compromised data. (I've been fortunate - apparently some
of my pissing and moaning when I have had to flatten a system has sunk in.)
This is one of the things I learned from this list, don't put high value
data on a computer or network that you cannot adequately secure. So
thanks I guess.
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns96EC5D7CFED7Cjuergennieveler@nieveler.org...
> John Hyde <EJhyd@netscape.net> wrote:
>
>> I did find this interesting quote about WEP.
>>
>> "WEP is better than nothing
>>
>> If you can't use WPA, perhaps because you can't afford new base
>> stations and Panther upgrades for all your laptops, at least enable
>> WEP, feeble though it may.
>
> I don't agree with that, actually. Turning on WEP will make you think
> "Oh, I got at least SOME security", so you'll never know when your
> security isn't there anymore.
>
> Either go for real security, or no security - if you have no encryption
> enabled, you'll at least always remember that there's a good reason to
> be carefull.
Oh? If you can't afford a suit of armour, best to leave your arse flapping
in the wind than put on a pair of trousers?
Perhaps better to install what security you can, but retain the mindset that
you have something approaching no security at all. After all, there are
arguments that say that no security is impossible to crack - would that mean
that you shouldn't ever add security?
Your argument, taken to its logical conclusion, is absurd. Therefore, your
argument, just like that for installing WEP, requires accepting a balance
point somewhere between "nothing" and "perfect".
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns96ECD86292C4Ejuergennieveler@nieveler.org...
> "Alun Jones" <alun@texis.invalid> wrote:
>
>>> Either go for real security, or no security - if you have no
>>> encryption enabled, you'll at least always remember that there's a
>>> good reason to be carefull.
>>
>> Oh? If you can't afford a suit of armour, best to leave your arse
>> flapping in the wind than put on a pair of trousers?
>
> I don't wear trousers for security, I wear them to prevent freezing my
> balls off. :-)
Similarly, you don't use WEP for security, you do it so your neighbour
doesn't keep using your bandwidth.
Personally, I'd classify an unwanted orchiectomy as somewhat of a security
issue.
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns96EC8D9048DF0juergennieveler@nieveler.org...
> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote:
>
> >> Either go for real security, or no security - if you have no
> >> encryption enabled, you'll at least always remember that there's a
> >> good reason to be carefull.
> >
> > Interesting argument.
> >
> > A car ignition lock can be forced.. so do you park your car with the
> > doors open and the key in the ignition? ;o)
>
> No, I keep the Garage door locked ;-)
>
> And yes, as the car windows are transparent and non-armoured, I don't
> leave valuables lying openly in the car.
So, in other words, some security (even fairly inadequate) is better than a
choice of none at all?
I *do* follow your argument, but I would hope that we agree that "some" is
better than "none". Particularly if we all understand the limitations of
"some".
"Holy Dictionary, Batman":
Uncrackable, adj.
Something that hasn't been cracked just yet. Give it a year or two.
>>> Either go for real security, or no security - if you have no
>>> encryption enabled, you'll at least always remember that there's a
>>> good reason to be carefull.
>>
>> Oh? If you can't afford a suit of armour, best to leave your arse
>> flapping in the wind than put on a pair of trousers?
>I don't wear trousers for security, I wear them to prevent freezing my
>balls off. Even WITH a suit of armour, I'd still wear trousers
>underneath :-)
I wear trousers to stop the mosquitoes from biting me in uncomfortable places.
I do not pretend that they will stop grizzlies, so I keep my eyes open for
them.
Similarly with WEP.
> "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
> news:Xns96EC8D9048DF0juergennieveler@nieveler.org...
>> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote:
>>
>> >> Either go for real security, or no security - if you have no
>> >> encryption enabled, you'll at least always remember that there's a
>> >> good reason to be carefull.
>> >
>> > Interesting argument.
>> >
>> > A car ignition lock can be forced.. so do you park your car with the
>> > doors open and the key in the ignition? ;o)
>>
>> No, I keep the Garage door locked ;-)
>>
>> And yes, as the car windows are transparent and non-armoured, I don't
>> leave valuables lying openly in the car.
>
> So, in other words, some security (even fairly inadequate) is batter than
> a choice of none at all?
>
> I *do* follow your argument, but I would hope that we agree that "some" is
> better than "none". Particularly if we all understand the limitations of
> "some".
>
> "Holy Dictionary, Batman":
>
> Uncrackable, adj.
> Something that hasn't been cracked just yet. Give it a year or two.
>
> :o)
>
> H1K
...I think this is more of a "weakest link" argument. I think you are both
right and wrong. True, *some* security is better than none, but to
*evaluate* your security you *must* examine your weakest link. If I have a
safe with a concrete floor and walls but with a paper roof, does the
concrete floor *really* get me more security? In this example it does
not... I think that is the point Juergen is making.
Hairy One Kenobi wrote:
>... I would hope that we agree that "some" is
> better than "none". Particularly if we all understand the limitations of
> "some".
There is the legal argument. If you have WEP off, you may be treated as a
collaborator in a crime that was launched via your network by an unknown
war driver. If you have WEP on, you may get off the hook.
"Imhotep" <Imhotep@nospam.net> wrote in message
news:4aSdnd4FEtlf6dHeRVn-qw@adelphia.com...
> Hairy One Kenobi wrote:
>
> > "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
> > news:Xns96EC8D9048DF0juergennieveler@nieveler.org...
> >> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote:
> >>
> >> >> Either go for real security, or no security - if you have no
> >> >> encryption enabled, you'll at least always remember that there's a
> >> >> good reason to be carefull.
> >> >
> >> > Interesting argument.
> >> >
> >> > A car ignition lock can be forced.. so do you park your car with the
> >> > doors open and the key in the ignition? ;o)
> >>
> >> No, I keep the Garage door locked ;-)
> >>
> >> And yes, as the car windows are transparent and non-armoured, I don't
> >> leave valuables lying openly in the car.
> >
> > So, in other words, some security (even fairly inadequate) is better than
> > a choice of none at all?
> >
> > I *do* follow your argument, but I would hope that we agree that "some" is
> > better than "none". Particularly if we all understand the limitations of
> > "some".
> ...I think this is more of a "weakest link" argument. I think you are both
> right and wrong. True *some* security is better than none, but to
> *evaluate* your security you *must* examine your weakest link. If I have
> safe with a concrete floor and walls but with a paper roof does the
> concrete floors *really* get me more security? In this example it does
> not...I think that is the point Juergen is making.
Not if you leave the door wide open, because a paper roof means that,
shucks, might as well not bother using what few options we have.
To take YACA (yet another car analogy) - old cars often came fitted with
static lap belts; in the event of a crash, these caused greater injuries
than modern over-the-shoulder seat belts with pre-tensioners. Hence the
change.
Would you then argue that it's better to drive without any belts at all,
simply because the old design isn't as good; that not wearing one will make
you drive more carefully, and somehow immune from an accident?
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns96EDC616CE7E1juergennieveler@nieveler.org...
> "Alun Jones" <alun@texis.invalid> wrote:
>
>> Similarly, you don't use WEP for security, you do it so your neighbour
>> doesn't keep using your bandwidth.
>
> But I'd have to stop reading his emails, then ;-)
Not at all - he's using wide-open wireless networking after all, more or
less trivial to sniff whether it's to your router or not.
John Hyde wrote:
> Greetings,
>
> I am in the process of setting up wireless access in our small office.
> The wireless access point hardware I have seen is all equipped to do up
> to 128 bit WEP encryption and MAC filtering. A couple of questions:
>
> 1. I have read that WEP is broken. Is it really? Do I want to use
> something else? One of the laptops that will be connecting is a few
> years old and it's built in wireless supports WEP 128 but not other
> encryption as far as I can tell.
>
> 2. MAC filtering seems to me to be a great idea. Adds a layer of
> security. If WEP is enabled, is the MAC address of the laptop also
> encrypted? Does it matter?
>
> 3. Thinking out loud now. If my laptop is busy looking for wireless
> access points, and transmitting it's MAC address in the clear. Assume an
> attacker learns my MAC address. Then I get to my office and log on to
> the Wireless Access Point. It requires that I send the MAC encrypted.
> Does the attacker have a crib that will them to pry open WEP 128? If
> so, am I better off with just WEP and not MAC filtering?
>
Your network is not safe. Perhaps you need 30 min to 3 hours to access your
wireless network. The best idea is to use RADIUS. I don't know any person
who's broken RADIUS security. Sorry for my terrible English. In Poland
wardriving is popular too :)
1. Hide your wireless network
2. Change its name from the provider default
3. Limit the IPs of the computers using the router to just what you need.
The default is usually about 25
Bob Drake
"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:difg9n$fvf$2@nntp.itservices.ubc.ca...
> John Hyde <EJhyd@netscape.net> writes:
>
>>> WEP128 is broken, it's not even worth thinking about anymore.
>>>
>>>
>>> Juergen Nieveler
>
>>Thanks for the reply. I'll be trying to find a firmware upgrade for the
>>laptop since it is built in. If not, I'll take the advice of finding an
>>alternate card.
>
>>I did find this interesting quote about WEP.
>
>>"WEP is better than nothing
>
>>If you can't use WPA, perhaps because you can't afford new base stations
>>and Panther upgrades for all your laptops, at least enable WEP, feeble
>>though it may. There is an old joke about two guys hiking in the woods
>>who spot a mean looking grizzly bear heading their way. One of the
>>hikers takes off his back pack, pulls out running shoes, and starts
>>putting them on. The other says "You idiot, you can't outrun a hungry
>>bear in the woods." The first replies "I don't have to outrun the bear,
>>I only have to outrun you." Even minimal security may be effective
>>against snoops who have plenty of unprotected targets to choose from.
>>Use the higher, 128-bit security setting, if possible, and change
>>passwords frequently."
>
>>From: http://world.std.com/~reinhold/airport.html
>
> That depends on whether or not someone wants to target you. do you have
> competitors who you would rather not have on your network? They do not care
> that the lumber yard down the street is easier to break into, they want
> you.
>
> Ie, if the bear wants you, for your red hat, being able to run faster than
> your friend is irrelevant.
>
The earlier analogy about the bear and the tennis shoes is a good one. When
"war driving" for a network, the wide open ones will be attacked. If yours
is at least WEP, hidden, and protected with a strong password, the "bear"
will go after the other networks.
Around where I live, I can go through "condo canyon" and see 20-30 wide open
wireless networks. WEP is better than nothing.
"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
news:7dX2f.144$N57.70@newsfe1-gui.ntli.net...
> "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
> news:Xns96EC8D9048DF0juergennieveler@nieveler.org...
>> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote:
>>
>> >> Either go for real security, or no security - if you have no
>> >> encryption enabled, you'll at least always remember that there's a
>> >> good reason to be carefull.
>> >
>> > Interesting argument.
>> >
>> > A car ignition lock can be forced.. so do you park your car with the
>> > doors open and the key in the ignition? ;o)
>>
>> No, I keep the Garage door locked ;-)
>>
>> And yes, as the car windows are transparent and non-armoured, I don't
>> leave valuables lying openly in the car.
>
> So, in other words, some security (even fairly inadequate) is better than
> a choice of none at all?
>
> I *do* follow your argument, but I would hope that we agree that "some" is
> better than "none". Particularly if we all understand the limitations of
> "some".
>
> "Holy Dictionary, Batman":
>
> Uncrackable, adj.
> Something that hasn't been cracked just yet. Give it a year or two.
>
> :o)
>
> H1K
>
>
The arguments for security vs. practicality are all nice, but if you have a
business that has ANYTHING sensitive being transmitted over the air, DO
NOT use WEP. It is trivial to break - trust me.
WPA with a password (WPA-PSK) can be brute-forced by an entity with
enough computing power (read: $$$) and because of this most businesses
use a RADIUS server with WPA. Most of your cards probably support this
with a driver and/or firmware update, and Win XP with SP2 has the
software for connecting securely to a RADIUS server with WPA.
MAC filtering is useless, as anyone who knows what they are doing can
bypass this, as you don't even need to crack encryption to see the MAC
address.
Hope this helps,
ShadowEyez
John Hyde wrote:
> Greetings,
>
> I am in the process of setting up wireless access in our small office.
> The wireless access point hardware I have seen is all equipped to do up
> to 128 bit WEP encryption and MAC filtering. A couple of questions:
>
> 1. I have read that WEP is broken. Is it really? Do I want to use
> something else? One of the laptops that will be connecting is a few
> years old and it's built in wireless supports WEP 128 but not other
> encryption as far as I can tell.
>
> 2. MAC filtering seems to me to be a great idea. Adds a layer of
> security. If WEP is enabled, is the MAC address of the laptop also
> encrypted? Does it matter?
>
> 3. Thinking out loud now. If my laptop is busy looking for wireless
> access points, and transmitting it's MAC address in the clear. Assume an
> attacker learns my MAC address. Then I get to my office and log on to
> the Wireless Access Point. It requires that I send the MAC encrypted.
> Does the attacker have a crib that will them to pry open WEP 128? If
> so, am I better off with just WEP and not MAC filtering?
>
>
> Thanks for all your thoughts,
>
> John
on 10/26/2005 4:55 PM ShadowEyez said the following:
> The arguments for security vs. practicality are all nice, but if have a
> business that has ANYTHING sensitive being transmitted over the air, DO
> NOT use WEP. It is trivial to break - trust me.
Yeah, I got that message loud and clear.
>
> WPA with a password (WPA-PSK) is can be brute-forced by an entity with
> enough computing power (read: $$$) and because of this most businesses
> use a radius server with WPA. Most of your cards probably support this
> with a driver and/or firmware update, and win XP with SP2 has the
> software for connecting securely to a radius server with WPA.
>
So, in a brute force attack, how long does it take to try each possible
permutation? Surely this is a matter of sending each permutation to the
wireless access point and having it accepted or rejected. So how many
can you try a second? I assume the limitation is not processor speed,
but the turn around time for the wireless nodes to attempt a connection.
I have no concept of how long it would take an attacker. I know that
when my laptop attempts to connect to a wireless, it takes a few
seconds. Some of that time is also negotiating the rest of the
connection, so how long is spent up to the point of a WPA password being
accepted or rejected? This really is the question for whether a
password can be brute forced in the real world.
If I understand the math correctly, a password made up of 5 "diceware"
words (from a dictionary of 7,000 right?) would have 7,000^5 =
1.68*10^19 possible passwords.
If you can do 10 a second, that works out to 315 million tries a year
(3.15*10^8) so it will take about 10 million years.
On the other hand, if you could transmit one attempt each clock cycle of
the sending computer (I assume bus speed, not cpu speed), say 333 MHz,
then the tries per year is 1.05*10^16. It would still take 2,000 years
to try all the permutations, but someone might consider this a possibility.
Of course, if the attacker does not know that they are attacking a
Diceware passphrase, then they'll have to try all the alphanumeric
combinations of the same length (Diceware words are 5 letters, right?)
so upper and lower case, numbers and the symbols over the numbers only.
So, 26 letters, upper and lowercase, that's 52, 10 numbers and 10
symbols and a 25 character password. Uh, that would be 72^25 or
2.71*10^46. So, even if you can send one attempt a clock cycle (which I
doubt) then it will take you 10^30 years.
But perhaps "brute force" means something else. I'm certainly no
cryptographer. (And not much of a mathematician either).
> MAC filtering is useless, as any one who knows what they are doing can
> bypass this, as you don't even need to crack encryption to see the MAC
> address.
>
Well, that was one of my questions, "is the MAC encrypted by WEP?" I
guess this would be a "NO." Still, I would not say MAC filtering is
totally useless. At least it forces an attacker to wait around until I
connect to see what an acceptable MAC address is. Not much of a burden,
but it prevents a "drive by."
> Hope this helps,
> ShadowEyez
>
> John Hyde wrote:
>
>>[snip]
John Hyde wrote:
> on 10/26/2005 4:55 PM ShadowEyez said the following:
>
>> The arguments for security vs. practicality are all nice, but if you have a
>> business that has ANYTHING sensitive being transmitted over the air, DO
>> NOT use WEP. It is trivial to break - trust me.
>
>
> Yeah, I got that message loud and clear.
>
>>
>> WPA with a password (WPA-PSK) can be brute-forced by an entity with
>> enough computing power (read: $$$) and because of this most businesses
>> use a radius server with WPA. Most of your cards probably support this
>> with a driver and/or firmware update, and win XP with SP2 has the
>> software for connecting securely to a radius server with WPA.
>>
>
> So, in a brute force attack, how long does it take to try each possible
> permutation? Surely this is a matter of sending each permutation to the
> wireless access point and having it accepted or rejected. So how many
> can you try a second? I assume the limitation is not processor speed,
> but the turn around time for the wireless nodes to attempt a connection.
> I have no concept of how long it would take an attacker. I know that
> when my laptop attempts to connect to a wireless, it takes a few
> seconds. Some of that time is also negotiating the rest of the
> connection, so how long is spent up to the point of a WPA password being
> accepted or rejected? This really is the question for whether a
> password can be brute forced in the real world.
>
> If I understand the math correctly, a password made up of 5 "diceware"
> words (from a dictionary of 7,000 right?) would have 7,000^5 =
> 1.68*10^19 possible passwords.
>
> If you can do 10 a second, that works out to 315 million tries a year
> (3.15*10^8) so it will take about 10 million years.
>
> On the other hand, if you could transmit one attempt each clock cycle of
> the sending computer (I assume bus speed, not CPU speed) say 333 MHz,
> then the tries per year is 1.05*10^16. It would still take 2,000 years
> to try all the permutations, but someone might consider this a possibility.
>
> Of course, if the attacker does not know that they are attacking a
> Diceware passphrase, then they'll have to try all the alphanumeric
> combinations of the same length (Diceware words are 5 letters, right?)
> so upper and lower case, numbers and the symbols over the numbers only
>
> So, 26 letters, upper and lowercase, that's 52, 10 numbers and 10
> symbols and a 25 character password. Uh that would be 72^25 or
> 2.71*10^46. So, even if you can send one attempt a clock cycle (which I
> doubt) then it will take you 10^30 years.
>
> But perhaps "brute force" means something else. I'm certainly no
> cryptographer. (And not much of a mathematician either).
>
WPA is dependent on CPU speed, and here's why. When attacking WPA with
programs like Aircrack or COWpatty, the attacker first captures the
4-packet association that WPA always does. With WPA2 they optimized it
to 3 packet - same in principle but no common software tries to crack
WPA2 AFAIK - this does not mean it's hard to do for a good programmer.
From what I understand WPA's 4-packet association has a
challenge-response in it of a Pre-Shared Key that is hashed (calculated)
using the user-supplied password and the ESSID (name) of the network.
Once the attacker has the captured packets (usually in a .cap file)
(s)he runs the program which basically calculates the hash from the
essid and every password in his/her dictionary.
Paranoia says if a really good attacker wanted to, (s)he could make a
program to go through every combination of pre-shared key (which is 64
HEX digits, so 0-9 and A-F), not even attempting passwords but would get
any possible key, which would take a _long_ time. Reality says use a
good password (not in a dictionary, I'm assuming you know the rules) and
you'll be fine.
As a point of reference, I have a 3 GHz Intel CPU which can go through
around 120 passwords/sec on aircrack. I shudder to think what NSA or
even a big/well funded company can do with mainframes and clusters of
servers ;-)
>> MAC filtering is useless, as any one who knows what they are doing can
>> bypass this, as you don't even need to crack encryption to see the MAC
>> address.
>>
> Well, that was one of my questions, "is the MAC encrypted by WEP?" I
> guess this would be a "NO." Still, I would not say MAC filtering is
> totally useless. At least it forces an attacker to wait around until I
> connect to see what an acceptable MAC address is. Not much of a burden,
> but it prevents a "drive by."
Think of it like this - if someone wanted in and could get through WPA,
do you really think MAC filtering would slow them down ;-)
ShadowEyez
>
>> Hope this helps,
>> ShadowEyez
>>
>> John Hyde wrote:
>>
>>> [snip]
"ShadowEyez" <shadoweyez@hotpop.com> wrote in message
news:M_69f.1516$te3.24366@typhoon.sonic.net...
>
[snip]
> Paranoia says if a really good attacker wanted to, (s)he could make a
> program to go through every combination of pre-shared key (which is 64
> HEX digits, so 0-9 and A-F), not even attempting passwords but would get
> any possible key, which would take a _long_ time. Reality says use a
> good password (not in a dictionary, I'm assuming you know the rules) and
> you'll be fine.
>
> As a point of reference, I have a 3 GHz Intel CPU which can go through
> around 120 passwords/sec on aircrack. I shudder to think what NSA or
> even a big/well funded company can do with mainframes and clusters of
> servers ;-)
[snip]
In this respect I believe you should know what kind of adversary you are
trying to prevent from accessing your network.
For your usual neighbors, WEP might be sufficient.
If the adversary is more skilled, WPA(2) could pose a barrier that most
people/organizations won't be able to break.
If the adversary is the NSA (or similar) I don't think you should have to
worry about wireless security in the first place.
So first estimate the value of your data, the risk of attacks and the costs
(in the larger meaning) of a successful attack.
This way you might be able to decide that for a small office WPA with a
pre-shared key might be sufficient, considering that installing RADIUS might
be too much of a burden. Ensure your servers are sufficiently secure. Maybe
you should ensure the wireless network has no access to (some of) them.
Of course if you don't have the technical possibilities of implementing WPA,
you should at least try to provide the maximal security that is possible,
meaning WEP. There might be legal reasons to do so. You should verify this,
but I believe in some/most countries you must provide security measures that
are reasonable for what you are protecting.
on 10/30/2005 9:00 AM ShadowEyez said the following:
>
> John Hyde wrote:
>
>>on 10/26/2005 4:55 PM ShadowEyez said the following:
>>
>>
>>>The arguments for security vs. practicality are all nice, but if you have a
>>>business that has ANYTHING sensitive being transmitted over the air, DO
>>>NOT use WEP. It is trivial to break - trust me.
>>
>>
>>Yeah, I got that message loud and clear.
>>
>>
>>>WPA with a password (WPA-PSK) can be brute-forced by an entity with
>>>enough computing power (read: $$$) and because of this most businesses
>>>use a radius server with WPA. Most of your cards probably support this
>>>with a driver and/or firmware update, and win XP with SP2 has the
>>>software for connecting securely to a radius server with WPA.
>>>
>>
>>So, in a brute force attack, how long does it take to try each possible
>>permutation? Surely this is a matter of sending each permutation to the
>>wireless access point and having it accepted or rejected. So how many
>>can you try a second? I assume the limitation is not processor speed,
>>but the turn around time for the wireless nodes to attempt a connection.
>> I have no concept of how long it would take an attacker. I know that
>>when my laptop attempts to connect to a wireless, it takes a few
>>seconds. Some of that time is also negotiating the rest of the
>>connection, so how long is spent up to the point of a WPA password being
>>accepted or rejected? This really is the question for whether a
>>password can be brute forced in the real world.
>>
>>If I understand the math correctly, a password made up of 5 "diceware"
>>words (from a dictionary of 7,000 right?) would have 7,000^5 =
>>1.68*10^19 possible passwords.
>>
>>If you can do 10 a second, that works out to 315 million tries a year
>>(3.15*10^8) so it will take about 10 million years.
>>
>>On the other hand, if you could transmit one attempt each clock cycle of
>>the sending computer (I assume bus speed, not CPU speed) say 333 MHz,
>>then the tries per year is 1.05*10^16. It would still take 2,000 years
>>to try all the permutations, but someone might consider this a possibility.
>>
>>Of course, if the attacker does not know that they are attacking a
>>Diceware passphrase, then they'll have to try all the alphanumeric
>>combinations of the same length (Diceware words are 5 letters, right?)
>>so upper and lower case, numbers and the symbols over the numbers only
>>
>>So, 26 letters, upper and lowercase, that's 52, 10 numbers and 10
>>symbols and a 25 character password. Uh that would be 72^25 or
>>2.71*10^46. So, even if you can send one attempt a clock cycle (which I
>>doubt) then it will take you 10^30 years.
>>
>>But perhaps "brute force" means something else. I'm certainly no
>>cryptographer. (And not much of a mathematician either).
>>
>
> WPA is dependent on CPU speed, and here's why. When attacking WPA with
> programs like Aircrack or COWpatty, the attacker first captures the
> 4-packet association that WPA always does. With WPA2 they optimized it
> to 3 packet - same in principle but no common software tries to crack
> WPA2 AFAIK - this does not mean it's hard to do for a good programmer.
>
> From what I understand WPA's 4-packet association has a
> challenge-response in it of a Pre-Shared Key that is hashed (calculated)
> using the user-supplied password and the ESSID (name) of the network.
> Once the attacker has the captured packets (usually in a .cap file)
> (s)he runs the program which basically calculates the hash from the
> essid and every password in his/her dictionary.
>
> Paranoia says if a really good attacker wanted to, (s)he could make a
> program to go through every combination of pre-shared key (which is 64
> HEX digits, so 0-9 and A-F), not even attempting passwords but would get
> any possible key, which would take a _long_ time. Reality says use a
> good password (not in a dictionary, I'm assuming you know the rules) and
> you'll be fine.
Uh, I think they'd be better off with passwords. The math on those
permutations: 16 hex digits, 64 in length = 16^64 = 1.15*10^77. (If I
were buying the CPU time, I'd take 10^46 any day.)
>
> As a point of reference, I have a 3 GHz Intel CPU which can go through
> around 120 passwords/sec on aircrack. I shudder to think what NSA or
> even a big/well funded company can do with mainframes and clusters of
> servers ;-)
>
Ok, that's an interesting data point. Note my "one try per clock cycle"
example above. Here's that math:
333 MHz = 333,000,000 cycles per second.
333,000,000 * 3600 (sec/hour) = 1.19*10^12 or 1.19e12
1.19e12 * 24 (hour/day) = 2.87e13
2.87e13 * 365 (day/year) = 1.05e16.
If you assume that you can get one try per clock cycle, then this is the
number of tries per year. To figure the number of years, you can
divide, but it's close enough to just subtract exponents.
That's where the "10^30 years" came from (1.0e30).
So what can a well funded company do? Assume from your example that they
have software/hardware that is 10 times as fast = 1200 passwords/sec.
They will need 277,500 such machines working together just to get to my
333 MHz range.
Naturally you can slice and dice this any way you want. Give me more
assumptions and I'll give you another ridiculous number of years (and
$$$) to brute force my password. Actually, I can give you a guaranteed
way to "crack" the passwords on my home network. Calculate the cost to
run a server farm of 277,500 for even one year (make sure that you
include hardware, maintenance, etc. or a fair market lease rate), and
then pay me instead. (Cash only please, I'll be opening new bank
accounts) Remember that even with that install, you are still looking
at 1.0e30 years, and I'll guarantee an answer in much less time. ;-)
Regards,
JH
>
>>>MAC filtering is useless, as any one who knows what they are doing can
>>>bypass this, as you don't even need to crack encryption to see the MAC
>>>address.
>>>
>>
>>Well, that was one of my questions, "is the MAC encrypted by WEP?" I
>>guess this would be a "NO." Still, I would not say MAC filtering is
>>totally useless. At least it forces an attacker to wait around until I
>>connect to see what an acceptable MAC address is. Not much of a burden,
>>but it prevents a "drive by."
>
> Think of it like this - if someone wanted in and could get through WPA,
> do you really think MAC filtering would slow them down ;-)
>
> ShadowEyez
>
>>>Hope this helps,
>>>ShadowEyez
>>>
>>>John Hyde wrote:
>>>
>>>
>>>>[snip]
> Ok, that's an interesting data point. Note my "one try per clock cycle"
> example above. Here's that math:
>
> 333 MHz = 333,000,000 cycles per second.
> 333,000,000 * 3600 (sec/hour) = 1.19*10^12 or 1.19e12
> 1.19e12 * 24 (hour/day) = 2.87e13
> 2.87e13 * 365 (day/year) = 1.05e16.
> If you assume that you can get one try per clock cycle, then this is the
> number of tries per year. To figure the number of years, you can
> divide, but it's close enough to just subtract exponents.
One try per clock cycle is not even close to reality. Depending on the
language the code is programmed in, how well the code is written, the
CPU speed and design, and the OS you're running, you're lucky if you can
get 150/sec with aircrack for WPA. From what I've seen of the aircrack
code, each "try" involves hashing a chosen password with an ESSID with
the HMAC function, meaning there is a lot of overhead with each attempt.
If I get 120/sec with a 3.0 GHz, 3e9/120 = 25e6 (25 MHz) per try, not 1
Hz per try.
>
> That's where the "10^30 years" came from (1.0e30).
>
> So what can a well funded company do? Assume from your example that they
> have software/hardware that is 10 times as fast = 1200 passwords/sec.
> They will need 277,500 such machines working together just to get to my
> 333 MHz range.
A paranoid person would say NSA has a back-door for both TKIP and AES
(the WPA and WPA2 algorithms). Keep in mind the average time to crack a
password is statistically 1/2 the time it takes to "run through" all of
them.
A well funded company would probably have mainframes or clusters with
thousands of times more computational power than my laptop. A big
company with competent programmers and enough computing power could
probably break through wireless-anything save WPA2 with EAP-TLS radius
and even then...
> Naturally you can slice and dice this any way you want. Give me more
> assumptions and I'll give you another ridiculous number of years (and
> $$$) to brute force my password. Actually, I can give you a guaranteed
> way to "crack" the passwords on my home network. Calculate the cost to
> run a server farm of 277,500 for even one year (make sure that you
> include hardware, maintenance, etc. or a fair market lease rate), and
> then pay me instead. (Cash only please, I'll be opening new bank
> accounts) Remember that even with that install, you are still looking
> at 1.0e30 years, and I'll guarantee an answer in much less time. ;-)
What a deal ;-)
Back to reality: my recommendation for most people is to pick a big long
password and use WPA2 if all your equipment supports it and WPA if not,
as setting up a radius server is not for everyone, and WPA support is on
most wireless stuff sold these days.
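Added example, written for this thread and not code from any of the posters: it derives the WPA-PSK master key the way 802.11i specifies (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations, which is the "hash of password and ESSID" ShadowEyez describes and the reason each try costs millions of cycles), measures how many such derivations one core of the machine it runs on manages per second, and carries the thread's own arithmetic (7000^5, 72^25, 16^64, the 120/s and one-per-cycle rates, the 277,500 machines, the "half the keyspace on average" factor) through with that rate. The SSID and candidate strings are constructed; the "password"/"IEEE" known-answer pair is the test vector published in the 802.11i standard.

```python
import hashlib
import math
import time

# Parameters fixed by IEEE 802.11i for WPA/WPA2-Personal (PSK mode).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32                       # 256-bit key: the "64 hex digits" above
SECONDS_PER_YEAR = 3600 * 24 * 365


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).

    Each candidate passphrase costs one of these derivations (4096 HMACs)
    before it can be compared with the captured handshake, which is why
    the guessing rate is bounded by the CPU, not by association round trips.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def measure_rate(ssid: str = "office-ap", seconds: float = 0.5) -> float:
    """Derivations per second on one core of this machine (constructed SSID)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk("candidate-%d" % n, ssid)   # constructed candidates
        n += 1
    return n / (time.perf_counter() - start)


def keyspace(symbols: int, length: int) -> int:
    """Number of candidates, e.g. keyspace(7000, 5) for five Diceware words."""
    return symbols ** length


def years_to_exhaust(space: int, per_second: float, machines: int = 1) -> float:
    """Years to try every candidate at an aggregate rate of per_second * machines."""
    return space / (per_second * machines * SECONDS_PER_YEAR)


def expected_years(space: int, per_second: float, machines: int = 1) -> float:
    """Average time to hit the right candidate: half of the exhaustive figure."""
    return years_to_exhaust(space, per_second, machines) / 2


def machines_for_rate(target_per_second: float, per_machine: float) -> int:
    """Machines needed at per_machine guesses/s to reach target_per_second."""
    return math.ceil(target_per_second / per_machine)


if __name__ == "__main__":
    # Known-answer check: the 802.11i test vector ("password" / "IEEE").
    assert derive_pmk("password", "IEEE").hex().startswith("f42c6fc5")
    rate = measure_rate()
    print(f"this machine: {rate:,.0f} PMK derivations/s on one core")
    print(f"machines at 1200/s to reach 333e6/s: {machines_for_rate(333e6, 1200):,}")
    spaces = {"5 Diceware words (7000^5)": keyspace(7000, 5),
              "25 chars, 72 symbols (72^25)": keyspace(72, 25),
              "raw 256-bit PSK (16^64)": keyspace(16, 64)}
    for label, space in spaces.items():
        for tag, r in (("120/s", 120.0), ("measured", rate), ("1 per cycle @333MHz", 333e6)):
            print(f"{label:30s} @ {tag:20s}: {expected_years(space, r):.2e} years")
```

The measured rate is what a dictionary or Diceware keyspace should be divided by; the SSID is a salt, so a non-default network name also defeats any precomputed table an attacker might bring.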