Submitted by
Users who Dugg This
Backwards Compatible
3342 Followers
Carly Wilson
3025 Followers
Maximum PC/ Mac|Life
37 Followers
Designshop98
223 Followers
PC Gamer/ GamesRadar.com
77 Followers
Closed AccountAug 10, 2010
Soon i'm going to lose my neighbors internet connection ;0
yodacolaAug 11, 2010
Don't worry. The pics in the article suggest making a WEP connection. Doing a simple Google search on WEP hacking gives about 193,000 results.
gvoakesAug 10, 2010
I always call the network something really rude so the people in the retirement home next door don't want to connect to it
bdbrAug 11, 2010
Do you want to connect to YOURMOMSASS?
No, not really.
tragedyfishAug 11, 2010
Yeah, WPA isn't nearly enough nearly enough protection for those retirement home hackers.
dhughesAug 11, 2010
One of them may have created WPA sonny boy.
Get off my lawn!
schroederAug 11, 2010
Mine is named: 8===D~~~(_*_)
But, I think this just intrigues people.
doublebaconsodaAug 11, 2010
Changing wireless from skynet to 8===D~~~(_*_) thank you good sir.
davenp0rtAug 11, 2010
Mine was B=====D~~~({}) before my girlfriend made me change it.
handonamAug 11, 2010
i did the same thing. there are a bunch of girls in my complex in apt 8, so i would put up
8=====D~~~ apt8
thekilldoctorAug 11, 2010
I named mine 'Virus Infection'.
mendedslinkyAug 11, 2010
http://failblog.org/2009/11/10/wireless-network-fail/
thanatosstAug 11, 2010
You could just not broadcast your SSID.
Closed AccountAug 11, 2010
That actually does very little to protect yourself. Wifi sniifers can still figure it out given a little time.
mobhit101Aug 11, 2010
Well what's the fun in that?
Mine is ihaveAIDS
thanatosstAug 11, 2010
While I didn't know that at the time of my post and learned it while reading the comments further down the page, I'm pretty sure 99.9999% of people in retirement homes fit the 'casual user' profile pretty well.
gibbonsbeardAug 11, 2010
yes because there is currently a problem with the elderly hacking into peoples wireless networks
turiousAug 11, 2010
On my first day of college a few years back, we set ours up with the name "ASSBLASTINGc**kSMOKER."
These days, I just call it "Oh Billy."
It's a great joy to see my network come up on the list of local wireless at my apartment.
spacem00seAug 10, 2010
How much would a Radius server cost? 802.1x?
bdbrAug 11, 2010
Just search for "free radius server". FreeRadius for Linux, or TekRadius for Windows look OK. The biggest issue is whether you want to have a system on all the time just for that.
waitasecAug 11, 2010
You can get a RSA appliance with 10 tokens for around $3500.
sinembarg0Aug 11, 2010
Or use a custom firmware on the router.
rtechieAug 11, 2010
It's crazy overkill for the home user. You'll need a dedicated server for one. The alternative is hacked firmware on SOME routers, which is not a solution for the home user.
The article suggests, but does a poor time describing, the solution for home users: MAC blocking. Most home users only have a handful of devices on their network, so whitelisting a short list of MACs is no big deal. And it's very effective. I can't think of any easy way around it.
rtechieAug 11, 2010
Before I get slammed, I said EASY. Cracking the WPA key and then listening for an authentication and spoofing the address isn't super easy, though some might think so. In any event, it's an additional hurdle regardless of how low you think it is.
xrexracerxAug 11, 2010
This is what I do. Anyone with the know how to get past a hidden SSID, WPA key and spoof a mac address is gonna get in any home network.
yodacolaAug 11, 2010
"In this paper, we demonstrate the weakness of current storage mechanisms by showing the following
attacks: first, we show how an attacker can remotely locate and break into a Wifi network
by crafting a malicious web page that targets its access point. Secondly, we demonstrate how an
attacker can inject a malicious library that is capable of compromising subsequent SSL sessions by
leveraging the fact that websites trust external javascript libraries, such as Google Analytics. We
then describe how to easily fool the user into accepting this malicious javascript library by exploiting
browser UI corner cases. Next, we introduce frame leak attacks that are capable of extracting
private information from the website (and not from the user) by leveraging the recent scrolling
technique of Stone. Our frame leak attacks defeat click-jacking defenses that have previously been
considered secure. In addition, we illustrate how a frame leak attack works by demonstrating how
to use it to extract Facebook profile information, bypassing Facebook’s framebusting defenses
in the process. Finally, we develop a new attack called tap-jacking that uses features of mobile
browsers to implement a strong clickjacking attack on phones. We show that tap-jacking on a
phone is more powerful than traditional clickjacking attacks on desktop browsers, and thus imply
smartphones should not be considered a secure form of data storage."
From BlackHat 2010
https://media.blackhat.com/bh-us-10/whitepapers/Bursztein_Gourdin_Rydstedt/BlackHat-USA-2010-Bursztein-Bad-Memories-wp.pdf
yodacolaAug 11, 2010
DD-WRT supports this via Chillispot.
http://www.dd-wrt.com/wiki/index.php/Chillispot
realcoolguy9022Aug 10, 2010
Rainbow tables. (google and learn the potential WPA weakness) There is a reason they suggest making your password 25 characters long. I'm sure eventually someone will find a more clever way to break WPA systems, but it takes a lot of processor cycles and some huge rainbow table files today.
clariousAug 11, 2010
The key is salted with the SSID, and most new wifi routers nowaday have some random number attached to their SSID. This makes rainbow table useless (unless you happen to have the table for that SSID)
stuartgAug 11, 2010
It is not hard to generate a rainbow table for a given SSID. Creating a table from a wordlist of 1 million words takes < 3 hours on my 2.5 GHz core 2 duo.
Closed AccountAug 11, 2010
The purpose of a rainbow table is so you don't have to bruteforce generate a wordlist. If you are going to bruteforce generate anyway you may as well just brute force the key.
dhughesAug 11, 2010
> but it takes a lot of processor cycles...
Change the WPA password every six month and you'll be OK, unless your neighbour has a supercomputer or a botnet at his disposal.
knoxiouseduAug 10, 2010
great advice. dugg.
zeeakzAug 11, 2010
OMG, my Wi-Fi network was never secured it just had a simple password and I thought that's enough.
tyg10Aug 11, 2010
You're kidding.
bdbrAug 11, 2010
If it had a password, it was secured. Probably just WEP, which is easy to break, but unless you're in a place where a lot of people hang out, its not all that likely that anyone's tried.
raiderduckAug 11, 2010
That article's full of crap.
WEP is worse than worthless. There's NO reason to use it. At all.
WPA is OK if one or more of your devices can't use WPA2.
WPA2 is what you should be using, and PLEASE use at least a 15-character passphrase, with mixed upper-case letters, lower-case letters, and numbers. NO WORDS. Y'all have no idea the number of times (back when I worked at Dell) that I would tell people this, then watch them put "love" as their passphrase. Sigh.
Finally, please do not repeat the lie that your MAC addresses cannot be changed. Look up "MAC Address Spoofing," then kindly delete that entire paragraph. Thank you.
jdexAug 11, 2010
Generally words would be fine in a 'passphrase'.
DonKeyOhTeeShirtWithTen8s would be tough to crack, although
77G4bz_pUiw0#8c[p87D]2@7f would be easier to remember.
MAC address filtering is definitely a waste of time though.
Maybe I missed it in the article, but not broadcasting the SSID is a very good thing to do after you properly secure the access point. Then they need to guess the 'Name' of the network as well as the credentials.
:P
raiderduckAug 11, 2010
The problem with turning off SSID broadcasting: It makes your network harder for YOU and the casual wireless leecher down the street to find, but not a hacker. Your router broadcasts your SSID five different ways. Turning off SSID broadcasting disables ONE of those, still leaving the other four. A dedicated hacker will still be able to easily locate it.
It's the same thing with turning down your router's signal strength. Any hacker will have a more powerful WiFi antenna than your computers will, so it's a waste of time.
jdexAug 11, 2010
This I did not know: "broadcasts your SSID five different ways"
Thanks!
*scurries off to bone up on SSID broadcasting*
linuxinsidev2Aug 11, 2010
Buried for lack of competence regarding SSID Broadcasting.
stuartgAug 11, 2010
Finding the name of a hidden SSID is as easy as deauthenticating a client ;)
cam_86Aug 11, 2010
WEP is bad, but its by no means worthless. 99% of people who see a secured network, no matter what the security is, will ignore it. The problem is, those 99% probably had no intention to steal your personal info(rather, just mooch some wifi)
Wifi has become so common that unless you are broadcasting the perception that you have personal stuff worth trying to hack into and steal, WEP is sufficient.
That said, WPA is easier to setup, so unless you have some legacy hardware(DS and DSlite, in my case) you might as well just use WPA. Hell, I use WPA2-PSK even though it blocks out the DSlite, simply because there are few reasons to play DS online now a days.
Closed AccountAug 11, 2010
Thanks for pointing that out. I'm stuck using WEP because my DSlite only supports WEP. Why did Nintendo do that?
lukas88Aug 11, 2010
Even the word "love" will be safe 99.999% of the time. Even a WEP encryption will be safe 99% of the time (the other 1% live near someone like me). Even that 1% will probably never know that their network is being used by someone else and no real negative consequences will ensue.
In other words, unless you are a bank or deal with over-the-air transactions, you are better served reading an article about reducing the risk of obesity than securing your router.
raiderduckAug 11, 2010
When I worked back at Dell, I remember one memorable call from someone with an unsecured Wifi network. Someone was not only leeching, but they had actually gone into his router's settings, changed the admin password, then locked his MAC address out! Needless to say, the "hold Reset Button 15 seconds to nuke the router's settings" was a lifesaver.
I'm not saying one incident is emblematic of everyone, but it DOES happen...
lukas88Aug 11, 2010
I can't say I haven't been tempted to do the same, but I think most of us refrain, particularly if we are using their internet connection.
doublebaconsodaAug 11, 2010
@ RaiderDuck. I did that a few times just because I was bored.
dicepackageAug 11, 2010
@RaiderDuck
I had a similar situation. A while ago I had a belkin router that would occasionally reset all settings on me. I booted up and it didn't connect automatically. I saw a belkin router unsecured so I connected and set up encryption and MAC address filtering. It wasn't until later that day I noticed two belkin APs. As it turns out mine had been working fine and I had accidentally encrypted my neighbor's wi-fi. I changed all the settings back to the way they were but it is a good example of why people should use encryption.
hyperionhkAug 11, 2010
One of our employees had that happen to him as well, took me a little time to figure it out, but when I did at least it was an easy fix and I spent some time explaining basic network security, which was basically just "Set a password with WPA2 encryption".
I've changed people's network names while at school, but never messed with them beyond that.
chrismgtisAug 11, 2010
Oh cut the crap.
The chance that someone will even attempt, much less have the knowledge to break any type of protection whatsoever is so rare that, yes any kind of protection is better than nothing.
I'm getting pretty tired of armchair network engineers thinking they know what they're talking about.
raiderduckAug 11, 2010
And I'm getting equally tired of people saying, "Encryption? Bah! Who needs it?"
These people always seem to disappear when some poor schlub can no longer access his network because someone's torrenting all day, or the cops show up at said schlub's door because some neighbor is filesharing kiddie porn through this guy's Wifi.
If you wouldn't leave your front door unlocked, don't leave your wifi unlocked.Comment is buried, click here to see the rest.
chrismgtisAug 11, 2010
Here we go again.
No one said don't protect yourself with whatever means you have available.
And don't give me that pathetic kidding porn/torrent s**t. You're not succeeding at sounding like you know what the hell you're talking about.
The point is you guys blow it out of proportion. The idea that the average person is so incredibly susceptible to having their wireless connection broken into is preposterous. Protect yourself of course. But the fact is, the odds are so immensely low and unlikely that these ridiculous points about how you should spend hundreds of dollars on pointless equipment are asinine.
Do you want to protect yourself? Use the protection that every wireless router provides and odds are that you will be absolutely fine. Cut the stupid "design your home network like an enterprise network" nonsense.
raiderduckAug 11, 2010
Good grief.
I'm not saying, "design your home network like an enterprise network." People do say that and yes, I agree that it's ridiculous. Corporate-level hackers are going to be much more interested in a bank network or something with thousands of bank account numbers than your own little checking account.
HOWEVER: there is no reason not to use common sense. WPA2 takes no more work than WEP, yet it's much more secure.
I'm not talking about spending $$$ on equipment. I'm sitting here with a Linksys WRT54GL router that cost approx. 50 bucks, with Tomato firmware flashed on it, and I feel my network is fairly secure. I still do regular checks to make sure it's not broken into.
The problem is, I see people get TOO secure. Someone could read this article and come away thinking that WEP and MAC address filtering will secure their network. Wrong.
Finally, I have seen situations where people got into serious trouble (or at least were on the cusp of it) because of things that were happening on their unsecured network. So please do not pretend that it doesn't happen, because it does. You could probably leave your brand-new car parked on the street every night for a year and never have it ripped off. Does that mean you're going to? No.
chrismgtisAug 11, 2010
I said use whatever means you have available. That means if your router supports WPA2. Use it. That is obviously what I meant. All wireless routers these days come with more than WEP. The average user does not know the difference and won't even touch, nor have a clue how to access the settings.
You may not have been talking about spending hundreds of dollars on equipment, but plenty here have used it as their primary point.
WEP and MAC filtering may not be the BEST, but it is SUFFICIENT. Only WEP would be more than sufficient for most people. It is an incredible deterrent. Especially if you live in a small rural area. The situation changes depending on where you live, but even if you live next to the Empire State Building, WEP wouldn't be a disaster. It may not make incredible sense, but by using it, you're protecting yourself with up to 98% certainty.
I doubt you've "seen" people get into serious trouble. You've read it on the Internet or heard it on the news. This isn't 1975. If someone gets stabbed, you're probably going to be able to read about it. It doesn't mean the odds of it happening have increased incredibly.
fffreak2787Aug 11, 2010
i agree with chrismgtis, i am in no way telling the truth by saying i can hack any wireless network. but what i do know is this. The amount of people out there that can break into a wep network is small, the amount that can break into a wpa2-psk network is smaller. The point is is that you need to do something to make them say to them selves, "i am gonna look for an open network," and if he sees one that has wep on it. there is an even greater chance that nothing will happen to it. its like if you go to the store and you look at the sensor tags on products, you will be a fool if you think that stops theft, It asks like a deterrent and the thief MIGHT not steal it.
doublebaconsodaAug 11, 2010
I would let someone download kiddie porn with my connection simply because he would be easy to catch after that.
saranagatiAug 11, 2010
wow, you guys all don't know what you're talking about. if someone is trying to break into your computer seeing wep isn't going to stop them at all. the MOST wep is going to do is keep people off your network who just want to leech your internet connection. People can just drive by your house, crack wep in 5 seconds, run a portscan in less than a minute then exploit some new vulnerability in some software listening on your network and install some software to monitor your web traffic and report it back to some site or botnet and obtain your personal data (cc, bank account, etc). It really does happen more often than you'd expect and its much easier to do than trying to break into some "corporate network." Routers are good because they provide a firewall for users but at the same time they make people feel more secure forgetting about it being so much easier for people to get on your local network if you have wireless.
Closed AccountAug 11, 2010
I use this utility to create my passphrase:
https://www.grc.com/passwords.htm
I just keep it stored in a locknote and paste it in whenever I need to connect a new device.
raiderduckAug 11, 2010
Awesome site. A little overkill if you use the entire 64-character string, but cool nonetheless.
sabinAug 11, 2010
Want to play DS games online? WEP is the only encryption that the DS supports.
raiderduckAug 11, 2010
Unless you get the Nintendo WiFi Adaptor, and good luck finding one.
I think the DSi finally has WPA2 support, no?
ataylor32Aug 11, 2010
I'm not sure why you were buried. Here's a quote straight from Nintendo:
"The Nintendo DS is not compatible with the WPA method or any other methods of security other than WEP."
http://www.nintendo.com/consumer/wfc/en_na/customersupport/glossary.jsp
ataylor32Aug 11, 2010
@RaiderDuck:
Yes, the DSi supports WPA and WPA2. See the last page of this PDF:
http://www.nintendo.com/consumer/downloads/DSi_English.pdf
sabinAug 11, 2010
I saw the WiFi adapter in a store just the other day....actually I see it quite often, I didn't think it was that hard to find.
hyperionhkAug 11, 2010
Thankfully my DLink allows you to create a "guest" network. So I have my main network secured with WPA2 encryption, then my guest one with WEP. They're treated as separate networks that can't talk to each other. Then in addition I blocked all internet access to all non-whitelisted MAC addresses. It's not perfect. Someone could spoof a mac and break into the WEP from free wifi, but the odds of that are slim, and then at least he doesn't have access to the rest of my network. Plus if I think of it (I usually don't) I can just turn off the guest network when not using my DS, and turn it back on as needed and never have to worry about it interfering with my main wireless network.
bylethAug 11, 2010
WEP is by no means "completely useless". It is ridiculously easy to crack if you have the time and intent, but in other cases it does have a purpose.
I was recently at a hotel that had a DSL modem in my room as the only internet connection. My wife and kid wanted to use the internet at the same time, so I setup an ad-hoc wireless network on my laptop using WEP since that is all that my wireless adapter supported with that configuration. It didn't really matter since we were only on for maybe an hour or so a night since we were on vacation. I doubt enough packets were transmitted to allow someone to hack it, and even if someone used aircrack, our computers weren't on long enough for it to be useful.
I agree that WEP should never be relied on for security, but the rule of thumb should be that the internet itself is NOT secure and any sensitive information should be encrypted on an upper layer (such as SSL) since even a wired connection can be tapped or sniffed. The internet was not designed to be secured on the physical or data-link layers so the only thing your wireless network should protect you against is an unauthorized connection to your local network. You should always assume that anything transmitted in clear-text over the internet can be intercepted by a third party.
sparrowkcAug 11, 2010
The aircrack suite has the ability to force an AP to rapidly generate vulnerable packets even if there are no clients associated with it. I don't know if that works on ad-hoc networks, but I thought I'd mention it.
bylethAug 12, 2010
@sparrowkc: I know that since I've used aircrack before, but our computers were not even on long enough for aircrack to generate a significant amount of packets. Even if someone were able to hack my local hotel-room network, they wouldn't have been able to do anything they couldn't otherwise do with the free hotel network. All my data was sent (encrypted) over openvpn through my home network, and cracking the WEP would've accomplished nothing since all the computers were properly firewalled and updated. Maybe a superhacker with a 0-day exploit could've done something, but how likely is that? He'd have to be very lucky to succeed in this attack and he'd be rewarded with nothing. Locking your door is sometimes useful, even though it's still possible to bash it open.
mrbitchAug 11, 2010
@ RaiderDuck, RE: ".. That article's full of crap.
WEP is worse than worthless."
You didn't read the article, did you? FTA :
".. WEP uses a hexadecimal key to encrypt the network and is no longer recommended for wireless encryption because of weak algorithms that can lead to the encryption scheme being easily broken. "
raiderduckAug 11, 2010
I most certainly did read the article. The article discusses WEP first and does not, IMHO, emphasize its weaknesses nearly enough. A lot of computer users aren't even going to know what "hexadecimal," "algorithms" or even "encryption" even mean.
Down further in the article, the step-by-step instructions mildly state that WPA or WPA2 would be preferable to WEP. Again, WEP's unsuitability as anything more than a "Hands Off" sign should have been stated much more clearly.
Using WEP to secure your wireless network is like putting the cheapest padlock and cable you can find on your expensive 15-speed bicycle. Does it tell people that you don't want anyone touching it? Yes. Will it prevent anyone with the simplest of tools or knowledge from doing so? No.
mrbitchAug 11, 2010
@ RaiderDuck, RE: ".. The article discusses WEP first and does not, IMHO, emphasize its weaknesses nearly enough. A lot of computer users aren't even going to know what "hexadecimal," "algorithms" or even "encryption" even mean."
Actually, the article covered WEP from the point of view of being historically the earlier versions of trying to protect wireless traffic.
And the article can't get any clearer in explaining how WEP is weaker as a form of protection.
FTA :
".. is no longer recommended for wireless encryption because of weak algorithms that can lead to the encryption scheme being easily broken. "
cor315Aug 11, 2010
15 Characters is a little much don't you think? As long as you have upper and lower case letters, numbers and symbols then 8 characters is more than enough.
raiderduckAug 11, 2010
Not all wireless software will accept non-alphanumeric characters. So, you're pretty much stick with letters and numbers.
At 62 possibilities per character, 8 characters gives you approx. 218,340,106,000,000 combinations. This would take one computer (spamming your router with 10 possible keys a second) approx. 692,000 years to run through all combinations.
15 characters gives you approx 768,909,705,000,000,000,000,000,000 combinations. This would take that same computer (still spamming those 10 keys a second) approx. 2,438,196,680,000,000,000 years to run through all combinations. Remember that this planet will cease to exist in approximately 5,000,000,000 years.
Assuming I'm not wildly underestimating the number of keys a router can be spammed with (and also assuming I entered the numbers into Google Calculator correctly), 8 might be sufficient. But it's not like the overkill is really hurting anything.
adamzenwineAug 11, 2010
i would guess that the average digg user knows how to do this.
skinny01Aug 11, 2010
The digg demographic is changing.
whoreableAug 11, 2010
Summer will be over soon.
azwethinkweizmAug 11, 2010
True story: my neighbors wifi password used to be "password". I enjoyed a good year of free xbox live minus the subscription cost.
neodude237Aug 11, 2010
cool true story bro
mrbitchAug 11, 2010
Maybe a true story, but not really a cool story.
rtechieAug 11, 2010
Um, how did you spoof Microsoft's login server exactly?
Even if you could get on his network you wouldn't have a "Gold" account unless you were logging in as him, which he would probably notice. And you'd also lose most of the benefits of Live membership (friends, achievements, etc.)
Sure, you could run a Silver account through his internet, but that's not what you claimed.
Comment is buried, click here to see the rest.
azwethinkweizmAug 12, 2010
Nice try you f**king idiot, I used HIS wifi to work MY xbox live account.
rmxzAug 11, 2010
What I did when I lived in an apartment in SF is to put my wireless router *outside* my firewall; and opened up to everyone (providing free wireless to the coffee shop at the corner of the block).
With QOS routing, it didn't affect my use of the network in any noticeable way; and with casual monitoring it didn't seem anyone abused it badly if at all.
Comment is buried, click here to see the rest.
unic0rnAug 11, 2010
I would be afraid to open up a connection registered in my name to a public place. Wow.
morpheousmartyAug 11, 2010
Although your idea should work fine, the reality is: since your router is on your network, venerabilities of your firewall/network are now exposed to the public. Having a secure password would give you protection from everything but router vulnerabilities and connections you initiate. Now I would be surprised if you ever had a security problem with your setup, but it's a pretty big trade-off considering how large a surface area of attack the LAN is.
haikufuAug 11, 2010
There are only 2 ways to *properly* secure a wireless network:
- 802.1x, and make your WPA supplicant do certificate checking. Most do not, you have to usually purchase one that does (at least on Windows). If it doesn't do certificate checking, someone can set up a fake AP with the same SSID and a hacked version of FreeRadius that collects the challenge/response when your laptop tries to connect to it. They can then crack your password with asleap. Certificate checking is the only way to ensure your laptop doesn't attempt to connect to a fake AP. The tools to perform this hack are freely available, and it's easy.
- A wireless AP (preferably with 802.1x) on a segmented network that only has access to a VPN server. You connect to the AP, and then fire up your VPN client to get into the rest of the network.
Anything other than the options I listed above are fairly trivial to break.
aaroncoAug 11, 2010
Wha, you mean MAC filtering isn't impenetrable?!?
/s
But yeh, WPA+AES offers better encryption, but still has trashy authentication. 802.1x and a VPN fixes all of that if it's done right. The problem: Most people won't do it right.
Most home users aren't going to need 802.1x or a VPN. With only a few users, WPA2-PSK w/ AES and a long PSK is pretty good. Just rotate the PSK every 6 months to a year and make sure the router isn't open to the WAN and the router PW is good and solid.
haikufuAug 11, 2010
It's all about incentive also. Within an 8 block radius of my house, there are over 900 wireless networks. If I'm going to do some shady s**t, I'll move on to a network that has encryption turned off, or WEP. Unless there's a compelling reason for someone to target YOUR network, it's unlikely that anyone will spend the time unless it's your neighbor and he's really bored.
Just don't make your SSID something like "CreditCardNumbers" or "GovtSecrets."
zb757Aug 11, 2010
I think I'll buy routers and have them WEP encrypted with SSIDs of "CreditNumbers" and "GovNet" and use them an honeypots. Maybe even steal info from the people trying to get the supposed credit card numbers
rtechieAug 11, 2010
MAC Filtering works pretty well, assuming it's a whitelist. Guessing MAC addresses isn't easy and while there are automated tools for brute forcing this it's not what I'd call "quick". That plus a good WPA2 passphrase means attackers will have to bash at your network for quite a while. It would be way easier just to open a window. Such defenses will work extremely well against automated spam bots and attackers, which is 99% of the attacks most users will face.
802.1x, Radius, and a damn VPN server are way overkill for home users. Aside from the fact they have zero chance of getting it working.
I do this for a living too.
haikufuAug 11, 2010
You can see the MAC address of hosts on the network if your card allows you to put it in Monitor mode, and have a handy list of them. MAC filtering only keeps out the casual user who's looking for free internet access.
I don't deny that a good passphrase is effective, it does depend on how motivated an attacker is though. Few attackers are going to spend a ton of time trying to get into a residential network. I will for fun when I'm bored in a hotel somewhere and can see other SSID's, but I'm probably one of the few exceptions.
aaroncoAug 11, 2010
I could be wrong, but I don't think mac addresses are encrypted when the authentication process starts. So you could just sit back and monitor traffic and sniff out addresses to spoof.
But for home users, a VPN is a shot in the dark. OpenVPN is a good project, but most people will use XP's PPTP w/ MSCHAP v2 auth. Problem is, that's not secure. W/o better authentication you can MiM w/ arp spoofing and run asleap. Now try explaining authentication certs to a non-techie and see how far it gets. When working with home users or very small organizations, simplicity is better. There are less possible kinks in the armor.
rtechieAug 11, 2010
You can't see broadcast packets until after authentication. You can't see any part of the Ethernet network until authentication is complete, otherwise there wouldn't be any point. AFAIK, first you have to crack the WPA authentication, then you can easily sniff and decrypt packets until you find a packet with a whitelisted MAC (once you've broken the WPA, this won't take very long) then you spoof the MAC then you can get on the network. There are a vast number of tools to detect MAC spoofing BTW. Most network sniffers can do this. Most NAC tools can kick the dupe automatically. However these are pricey and complex corporate solutions.
To be blunt, I think very few home users will use PPTP nowadays. Home users aren't going to set up a home VPN of any kind. They'll use Remote Desktop, which is TLS encrypted.
unic0rnAug 11, 2010
Why the hell is this on Digg's front page?
glendowerAug 11, 2010
I was asking myself the same thing, but then I remember what happened the last time I scanned for networks in my neighborhood. There were at least 3-4 networks within range of my wireless card that were using the default router name and were not encrypted. Frankly, the more people who see this, the better.
aveculAug 11, 2010
Because the op is a power digger.
Ain't nothing wrong with that. Except that a misinformed article has tainted the front page.
jayskullsAug 11, 2010
Doesn't everybody know this already...?
chrismgtisAug 11, 2010
Overestimating.
fatbas202Aug 11, 2010
MAC filters can be bypassed by spoofing a MAC. TKIP+AES? Really? Even 48-bit AES has not been cracked yet, not to mention 128 bit, so why bundle it with an encryption that has been demonstrated to be vulnerable to attack? PSK is probably fine for a home wireless network, granted you have good passwords on all of your systems, which is doubtful.
But if you want to *really* secure your WiFi, set up a RADIUS server like FreeRadius (I just use MS's NPS on my 2k8R2 domain controller, but any RADIUS server will do) and configure it to use a shared secret with your AP/Router. Then setup 802.1x authentication. That is probably the most secure way that you can set up WiFi.
An article on secure WiFi and no mention of 802.1x? Amateur.
aminy23Aug 11, 2010
Yeah, but it would be pretty hard to find someone else's MAC address, it would take a lot of trial and error, and it is a great security measure.
linuxinsidev2Aug 11, 2010
You don't need to guess, the MAC addresses are broadcast and anyone can see them whether they're connected to the network or not.
rtechieAug 11, 2010
"MAC filters can be bypassed by spoofing a MAC"
The way this is typically hacked is that FIRST the attacker compromises the WPA key and THEN he listens to the authentication traffic from a host with a "good MAC", he can decrypt this traffic since he has the key, then he can spoof his local MAC for the good MAC and then he can get in. It's not useless, it does add a step at least.
And as I said in other posts, AUTOMATED attacks by bots (which is most attacks) are unlikely to utilize MAC spoofing.
jdexAug 11, 2010
This I did not know: "broadcasts your SSID five different ways"
Thanks!
*scurries off to bone up on SSID broadcasting*
columbusgeekAug 11, 2010
Enable MAC filtering. Block all. Add your computers MAC's. Done.
I get that one can spoof a MAC address, but how many people really have the knowledge to bother to do it? Not to mention they need to know the 1/2/3 MAC addresses you allowed. If somebody is outside war driving sniffing packets and cracking your security, WEP or any of the common ones nowadays are just a speedbump. If they want in, they will knwo the ways to do it. If they don't or it's an accident, then MAC blocking will work fine.
This article makes it sound like the world is out to get me and they are going to do it via my t00bz.Comment is buried, click here to see the rest.
chrismgtisAug 11, 2010
Very few people will attempt it, much less have the knowledge to attempt it or figure out how to, or care enough to figure out how to.
There's a lot of armchair network engineers out there that think they know everything. Any type of protection is good and the odds that it will be broken are so incredibly rare that you have a better chance of contracting herpes.
Not that you shouldn't use the best protection you have available, but that goes without saying.Comment is buried, click here to see the rest.
Closed AccountAug 11, 2010
If someone is willing to try to crack your network, they already know how to mac spoof.
Pretty simple logic.
sacrabosAug 11, 2010
How many people really have the knowledge to bother to do it? The ones you really want to keep off your network.
ripleyisdeadAug 11, 2010
I don't think MAC addresses are ever encrypted, even using WPA2, so any packet sniffer will find them for you
Even the most n00bly of n00blers are going to start their cracking session with a packet sniffer.
ripleyisdeadAug 11, 2010
@columbusgeek, You might want to read up on Kismet before you go live with your security set-up. MAC filtering alone is worthless.
linuxinsidev2Aug 11, 2010
They don't need to guess any MAC addresses, your machines and AP broadcast the MAC addresses freely to anyone who is listening. get a clue.
columbusgeekAug 11, 2010
Cool. Thanks for the info info @ripleyIsDead and @linuxinsideev2.
Still, the whole point is if they know how to crack WEP and WPA, they will surely know how to spoof. This keeps the neighborhoods n00bs out. If somebody really wants in, then let em. All they are going to see is a ton of torrent porn anyhow.
ripleyisdeadAug 11, 2010
@columbusgeek, If someone's on your AP they'll likely have access to all of your shares as well. If you're running any version of Windows prior to Vista, you'll also have active admin shares that can't be permanently disabled, and a default admin username, which means your just one small step away from being owned.
hyperionhkAug 11, 2010
If they're breaking into your WEP, they already can see and are quite probably spoofing a whitelisted MAC address. It's mostly worthless. I still do it myself, but I know it adds no real extra benefit.
kurtwoodfinAug 11, 2010
The best way to secure a wireless network is to turn off the wireless access points.
raiderduckAug 11, 2010
I knew someone once who had his wireless network broken into. His solution, after hardwiring all computers to his router:
HIM: "You should have seen it, man! I, like, went and turned on MAC filtering, then set the allowed addresses to 0, then I set a WPA key by typing a bunch of random gibberish in, then I TORE OFF THE ANTENNA and threw it away? How about THAT?!?!?"
ME (Nonplussed): "Ummm...Why didn't you just turn off wireless access?"
HIM: "No, you don't understand. I SET MAC FILTERING TO ZERO ADDRESSES! NO ONE WILL EVER BREAK IN NOW!"
ME: "Okay. Why didn't you just turn off the wireless access?"
HIM: [walks away in disgust at my utter uncoolness]
The scary part? He worked at the same company I did (not the same one I work at now, thank goodness).
loudmusicAug 11, 2010
That's a terrible story. But the guy you were talking with is a moron.
groofAug 11, 2010
I thought Mac users didn't need to worry about security? Just use it, it'll work!!
mrbitchAug 11, 2010
You didn't read the article. FTA :
" .. With an open network, you are setting yourself up for a potential attack, be it packet sniffing, or network sharing snooping. You’re not entirely secure until you enable wireless encryption."
gibbonsbeardAug 11, 2010
0/10 on your trolling attempt good sir
chadvaderAug 11, 2010
Also turn off admin access via wireless if you can, if they get in they can't make any changes. There is always the hard reset though.
allenmAug 11, 2010
Wow. 2001 called and wants its story back.
yodacolaAug 11, 2010
I was expecting something more, but ended up with much, much less.
Here are a few things he didn't mention:
1. UPDATE FIRMWARE: This should be the first thing anyone should do.
2. TURN OF WIRELESS NETWORK ACCESS TO ROUTER: This will help if anyone gets into your wireless network
3. WPA2 PSK 63 CHAR. AES: Just generate it.There isn't many reasons to make a password any shorter or less complex nowadays. Most modern computers can save network settings on a flash drive, too, so you won't have to type the whole thing in everything.
4. Change router username/password: this isn't such a big deal, but there would be no reason for anyone to change settings found on the router anyway.
rtechieAug 11, 2010
"Most modern computers can save network settings on a flash drive, too, so you won't have to type the whole thing in everything."
Except for your phones, network gear, and lots of other stuff. Try typing a 63 character password with punctuation on a non-QWERTY keyboard, like on a dumbphone. Or something with NO keyboard like an XBOX or PS3.
psiphreAug 11, 2010
buy one of those cool keybaord things that plugs into your xbox/ps3 controller.
yodacolaAug 11, 2010
@rtechie
As I don't own a wireless USB adapter for the Xbox 360 nor do I own anything else that you listed, I can't really tell you from experience how to do this.
I have, however, set up a Wii and an iPod Touch on my network. and iPod Touch is pretty easy: just copy it in a note with iTunes, then copy and paste it into the box. The Wii will require manual insertion, which is a pain; I haven't even found much use with my internet-enabled Wii lately.
From what a quick Google search picked up, the PS3 has a copy and paste feature, too. I am not too sure on how to do this one.
An Xbox 360 will require manual insertion. However, you don't need to do this if you haven't already purchased the xbox 360 wireless accessory. I connected my Xbox to a old router, which I reconfigured as a wireless bridge.
yodacolaAug 11, 2010
I forgot to mention a few things:
CHANGE THE DEFAULT SSID: most routers have a generic default name that could identify the make and model of the router. This normally isn't a good idea if there is a router-specific vulnerability around. Make it something easy to remember, but not personally identifying.
TURN OFF SSID BROADCASTING: this will help prevent unauthorized devices from automatically attempting to log in.
CHANGE WIRELESS CHANNEL to the lowest or the highest: this isn't much of a security issue as it will help with performance if there are a lot of wifi networks around.
godblewupAug 11, 2010
belkin support is in india , try taking instructions from someone with a heavy indian accent trying to speak english about technical matters over a crappy phone network their using ! i took 1 router back after endless confusing steps from their support to a pc world store in the uk..the amount of routers they must get returned and have to sell on as damaged/returned goods must be huge ,,,tech companies need to do so much better
raiderduckAug 11, 2010
Yeah, but they can pay even top-level India tech support something like $1.98/hr (actually, that's for the Philippines -- I'm not sure what it is for India).
See, they figure even if they lose (say) $10 million in business over a given period of time due to people not liking India tech support, they'll save $15 million, so they actually see it as making $5 million.
I believe this is what Frank Zappa called "The Big Stupid."
ehauganAug 11, 2010
My SSID is "TakeDownYourChristmasWreathItsAugust" They still havent gotten the hint. And this wreath is about 6 feet across!!!!!
raiderduckAug 11, 2010
So is their SSID "Belkin," "Linksys," or "D-Link," or "Network?"
godblewupAug 11, 2010
i agree raiderduck they think they save money..but after my experience with belkin ill never buy from them ever again so is that good business for them ?
cavimikeAug 11, 2010
WEP LOL. Mac users.
mrbitchAug 11, 2010
LOL right back at you. You didn't read the article, did you?
FTA :
".. WEP uses a hexadecimal key to encrypt the network and is no longer recommended for wireless encryption because of weak algorithms that can lead to the encryption scheme being easily broken."
bigsteveAug 11, 2010
If PC users read before they clicked, they wouldn't have the malware problem that plagues their platform so. I'm sure there was a "Your computer has 248020 infected files! Download Anti-Virus Supreme 2010 now!" pop-up in the way of that paragraph and he just didn't see it.
nubnubAug 11, 2010
If gentlemen were gentlemen then you would be a gentlemen.
gimmeslack12Aug 11, 2010
Really Diggers? We don't know how to do this?
santixxAug 11, 2010
More to the point and platform independent:
http://wcscenario.blogspot.com/2010/06/how-to-securing-home-wi-fi-network.html
Although I still can't understand how this made it to the front page.
neotechniAug 11, 2010
Faraday cage surrounding your house?
whoreableAug 11, 2010
With tin foil accents to make it look nice.
blastcubeAug 11, 2010
Buried for lame sauce that we should all already know
danielphermousAug 11, 2010
This account has been closed by the user
kenneth1213Aug 11, 2010
Everybody needs to have a secure Wi-Fi Network or just turn off wireless connections if you don't use them.
http://bit.ly/9pQBs3
nbcbayareaAug 11, 2010
great advice for first-timers
denominator88Aug 11, 2010
Open-Mesh is the best way to secure your network.
sil3nt420Aug 11, 2010
First off use WPA2, then use MAC address filter on your wi-fi. Finally go to https://www.grc.com/passwords.htm to get a random (as random as it gets) password. Use the one in the box labeled "63 random printable ASCII characters" This is the max length for a WPA2 password. The only thing that you can do that makes it more secure is to setup a RADIUS server with certificates. Most people don't know how to do that so just use the first method.
aveculAug 11, 2010
Because the OP is a powerdigger.
danielwashburnAug 11, 2010
If you don't know this. You shouldn't be here.
sonofffejAug 11, 2010
I just don't broadcast the SSID. The only person I know smart enough to get into a wireless network that doesn't show up on the list lives in my house.
seokingAug 11, 2010
Do something else with your time is also a solution.
Closed AccountAug 11, 2010
I surf behind 7 proxies so I'm safe
sputzaAug 11, 2010
Buried for NetGear!
schneidz101Aug 11, 2010
1 of the comments above mentioned that filtering by mac address is worthless.
i am aware of mac address spoofing but wouldnt the intruder need to know the address of my laptop or blu-ray player in order to successfully gain access.
also would a cracker be able to 'airsnort' packets if only mac filtering (and no wep/ wpa/ wpa2) is used ?
nikomoAug 11, 2010
Only a Mac user needs this guide.
zb757Aug 11, 2010
I think this article was leaked last year because I had to get my own internet instead of leeching from my neighbors