WiFi security

wamatt

Just a quick heads-up to remind folks to practice safe WiFi.

1. Use WPA, preferably with certs, otherwise a strong PSK password (not dictionary words).
2. Use a VPN on any wireless hotspot.

It's surprisingly trivial to sniff packets in the clear (e.g. email passwords, cookies, etc.) and to gain access to a WEP encrypted network.
 
On the page http://www.windowssecrets.com/comp/050526/#story1, look for the story titled "Wi-Finally: wireless security that actually works". They explicitly state therein the following:

::quote::
The top six steps you shouldn't bother with

With all the details given above, using Wi-Fi securely may seem to you like an enormous undertaking. If so, take a deep breath and plunge ahead. I can at least save you from some grief by listing a few things that won't help your security. They'll just waste your time.

George Ou, a columnist for ZDnet, has provided us with a fascinating rant against "The Six Dumbest Ways to Secure a Wireless LAN":

• MAC filtering.
• SSID hiding.
• LEAP authentication.
• Disabling DHCP.
• Interior antenna placement and low power.
• Limiting your use to 802.11a or Bluetooth.
::quote::

I'd recommend digesting that page, and looking at the links off it for a better idea on techniques that are much more likely to be worthwhile/useful.

-bdt
 
Thanks bdt.

I've been reading up on WiFi security for the last couple of days, and your link is an excellent article on the topic. I especially liked the bit about the 6 dumbest ways to secure a WLAN, since many articles are suggesting a combination of these.
 
Franna said:
4. Disable SSID broadcast.

Disabling SSID broadcast makes your AP about as hidden as a duck sitting very quietly in broad daylight, in the open on a pond.

It thinks that not going Quack Quack makes it invisible. If there is any kind of traffic on your AP, it and its SSID are as visible as any other AP.
 
th0rn said:
For ppl that are not totally paranoid. How strong is 128bit WEP?

Not to burst your bubble or anything, but the canonical answer is: strong enough to resist being sniffed/cracked/compromised in 10 minutes by a properly equipped (and motivated, of course) attacker. This could be defined by as little as a notebook equipped (one way or another) with Wi-Fi and a Linux live CD.

:refs:
Tomsnetworking article on cracking WEP: http://www.tomsnetworking.com/Sections-article118.php
Auditor Linux live CD: http://new.remote-exploit.org/index.php/Auditor_main

THAT SAID: bluntly put, short of your having someone determined enough to get into your systems, even having WEP on makes you more of a hassle to bother with than the other guy whose system is wide open (to abuse): this is the security version of "I don't need to outrun the bear, I just need to outrun YOU" idea. So go ahead with WEP, even 128bit if you feel up to dealing with the longer keys, just don't kid yourself that it resembles real security any more than our telecoms operator provides a fair and honest service :)
 
Thanks for the links, and explanation.

I've put MAC filtering on now. Will last another 10 mins.
 
The combination of MAC address filtering, a 128-bit WEP key that is not dictionary based, disabling DHCP and using static IP addresses and locking those addresses on the AP's firewall with rules, then locking down all the PCs with firewalls (for the really paranoid), will deter the casual hacker; unless they really want to get into your network, they won't bother you.

The problem I have found with WPA is the lack of support on some devices. Some dude rocks up with an LG wireless card and you can pretty much put WPA out the window. At least most of the newer stuff supports WPA.
 
My word, that was a scary read...

Erm, seeing as I am new to this wireless world, what would be the best way to secure a Linksys WRT54G network running OpenWrt? Does OpenWrt have WPA/WPA2?
 
Fortunately, when I switched to wireless in our home, I bought some very recent gear which supported WPA-PSK at least, which was a relief after reading all the technical details on Wi-Fi security :).
 
Franna said:
4. Disable SSID broadcast.

Disabling SSID broadcast on an AP increases the time to hack it by about 5 seconds. Obscuring the presence of your AP helps nothing. Securing it helps.

WPA is pretty much uncrackable, except for "brute force" guessing methods and bugs in some implementations. Thus, make sure you use a strong PSK and not something like "psk" or "secure" :)
 
Yeah, OpenWrt does have WPA capabilities; it requires you to download the wpa_supplicant.
I'm probably gonna get told I'm an idiot, but I'm too lazy to get it going. Since I'm on a home network, I don't have anything too serious to lose. My approach is ... macfilter, and make the l337 haxor decide it's too much hassle, and so move on.

My theory on macfilter:
IMHO it takes someone dedicated to accessing YOUR LAN to do it.
The only way to get in is to get a user's MAC address. Sniffing with kismet is very easy, but the output is fun: a list of MAC addresses on the network.
This is great, now that we have the addresses. From what I can gather, the sniff doesn't differentiate between wireless and LAN, so plenty of LAN MACs are also picked up, to add to the problems.
We can only spoof one that is not currently on the network, so it means waiting in the car like a fool until a MAC disappears, then attempting connection using it.
So, on large corporate networks, with heavy traffic, and many users logging on and off all the time, DON'T USE IT, but on my home network, which has 2 laptops using it once in a while, it will waste more of this dude's time than it's worth to find the valid MACs.
 
HAHAHA, rodent, it looks like you've forgotten where you've been on these forums.
Compare post 7 with post 14 on this topic.
 
I have set up my network with WPA2-PSK with a 32 character key (combination upper and lowercase, numbers, etc.). Would this be considered secure enough, since it is only a home network?
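Added example, not part of any post in this thread: a small Python audit of candidate WPA/WPA2-PSK passphrases, covering the "strong PSK, not dictionary words" advice and the 32-character key question above. The function names and the tiny wordlist are hypothetical; the entropy figure is an upper bound that assumes the characters were chosen at random.

```python
import hashlib
import math
import string

# Constructed sample wordlist (assumption); a real audit would load a large dictionary.
COMMON_WORDS = {"psk", "secure", "password", "wireless", "linksys", "letmein"}
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation + " ")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK maps the passphrase to a 256-bit PMK with
    PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_psk(passphrase: str) -> dict:
    """Check a candidate PSK passphrase and estimate its strength."""
    # A WPA passphrase is 8 to 63 printable ASCII characters.
    valid = 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)
    if not valid:
        return {"valid": False, "dictionary": False, "bits": 0.0}
    # Simple dictionary test: strip leading/trailing digits and punctuation,
    # so "Password123" is still recognised as "password".
    core = passphrase.lower().strip(string.digits + string.punctuation + " ")
    dictionary = core in COMMON_WORDS
    # Upper bound on entropy: it only holds if every character was chosen
    # at random from the classes in use. Dictionary-based keys get no credit.
    alphabet = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in passphrase))
    bits = 0.0 if dictionary else len(passphrase) * math.log2(alphabet)
    return {"valid": True, "dictionary": dictionary, "bits": round(bits, 1)}


if __name__ == "__main__":
    # Constructed sample inputs, including the weak examples named in the thread.
    samples = ["psk", "secure", "Password123", "k7Qv2mXw9RzT4pLc8NfY3hJb6GdS5uAe"]
    for p in samples:
        print(f"{p!r:40} {audit_psk(p)}")
    # The SSID is the salt, so the same passphrase gives a different PMK per network name.
    print(derive_pmk("Password123", "home").hex())
    print(derive_pmk("Password123", "office").hex())
```

Because the SSID salts the derivation, a passphrase reused on two differently named networks still produces two unrelated keys, but a dictionary-based passphrase remains guessable on either.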
 