digg

Facebook Connect Join Digg About

Wireless LAN security myths that won’t die

blogs.zdnet.com It's been two years since I've wrote "The six dumbest ways to secure a wireless LAN" and it's probably been one of my more successful blog entries ever. Since that time I've written a free electronic book on enterprise wireless LAN security for anyone to use and download from TechRepublic. Since it has been two years, I'm going to update the ..

Who dugg this? Made popular Mar 26, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

153 Comments

show profanity settings
expand all
  • LogicBomB, on 10/12/2007, -5/+116Please ignore this. Apartments are much more fun to connect wirelessly in when you have 20 options to choose from :)
  • jlebrech, on 10/12/2007, -7/+88Rename your SSID to Unbreakable, it kinda lets hackers know beforehand that they shouldn't bother trying. It works 100% of the time.
  • Baorc, on 10/12/2007, -6/+76Well if you go to the second page, he links to his "step-by-step" guide to secure your Wireless LAN.
  • gharding, on 10/12/2007, -13/+64@baorc:
    Apparently I'm a ***** because I have a lease w/ a $1,500 security deposit and cement walls.
  • MadN, on 10/12/2007, -12/+59Two words for the ultimate Wireless LAN security:
    Off Switch

    /Hack my wireless....
  • AnteChronos, on 10/12/2007, -2/+42@Brudus
    "This guy is a complete retard."

    Mr. Pot, meet Mr. Kettle. I'm sure you'll find that you two have a lot in common.


    "You sure are good at whining about how wireless security sucks now let me read your section on how you can secure your wireless. hmmm...i scrolled all the way to the bottom and i don't see it.....OH THATS BECUASE IT'S NOT THERE!"

    About 2/3 down the first page revealed: "All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters." But then, you said that you scrolled all the way to the bottom, not that you actually bothered to read anything as you scrolled. I guess I just gave you too much credit. Next time I won't make the mistake of assuming that you're literate.
  • AnteChronos, on 10/12/2007, -2/+42@grve
    "you can crack wpa as fast as other *****, you just need the right tools."

    Well yeah, *if* the AP uses a dictionary password. But then, that's always been the case for ALL encryption schemes: Poor password = poor security.
  • tHePeOPle, on 10/12/2007, -3/+37If you rename your network SSID to "Sarcasm", jpowlus will be confused and disoriented. It works 100% of the time.
  • rspeed, on 10/12/2007, -5/+38RTFA. He says to use WPA on the second goddamn page.

    Also, didn't I block you?
  • AnteChronos, on 10/12/2007, -1/+31@grve
    "what i mean is you can have so called "strong non dictionary password", but its as weak as dictionary password (with the right tools these days)."

    I love how you keep throwing out the phrase "the right tools" without actually specifying anything specific. Are you just hoping that no one calls you on it? The only way to crack WPA is to brute force the password. There are no "right tools" that can magically give you a WPA key. I'll say it again: The ONLY way to crack WPA is to brute force the password. This is fairly easy if it's a dictionary password, as most dictionary attacks are quite fast. But for a non-dictionary password, you have to try *every possible password*. Even if you somehow managed to get a hold of the password hash, WPA salts the hashes, so pre-computed rainbow tables won't work. And thus you're back to brute force again.

    If you actually have some tools in mind that can do the impossible, by all means let us know. But if you're just going to be vague with your "the right tools" nonsense, I'm going to have to assume that you're full of it.
  • Otto, on 10/12/2007, -7/+32I have no idea why everybody is digging him down. He's absolutely correct in every word.

    -MAC filtering: Completely worthless. Using Kismet for 15 seconds will give you MAC addresses to spoof and wham, you're in. With a Linux box it takes, literally, one command.
    -Disable DHCP and use Static IP addresses: Completely worthless. Again, just looking at the sniffed info will tell you what their IP scheme is, and then you just pick one in that range.
    -Turn off SSID Broadcast: Unlike this guy, I rate it as completely worthless as well. Your SSID is in *every single packet that goes across the network*. So finding out that you're there is easy. You cannot hide wireless transmissions.

    These three things were never intended to be security related options. Mac filtering is to allow you to tie specific devices to specific places in a multi-AP setup. Disabling DHCP is to allow you to run another centralized DHCP server elsewhere (the one built into the router is a convenience for home users). Disabling SSID broadcast is there so you can reduce crosstalk in multi-path situations (where you have multiple AP's interfering with one another).

    The short version is this:
    -If you want real security, use WPA or (insert latest wireless encryption method here).
    -If you want crappy security, but enough so that your technologically unsophisticated neighbors don't connect to you accidentally, then use WEP. This is often the case because a lot of older devices can't do WPA.

    Using anything above and beyond these is not only silly, but actually *harder to do*.
  • Wootery, on 10/12/2007, -1/+26@grve

    "lol the old "dictionary password" excuse"

    That is without question the most mind-blowingly stupid thing I've read this month.

    Care to suggest how a weak password could ever be secure?
  • philz, on 10/12/2007, -3/+28Friends of mine called theirs 'Gay Porn Network' - I wouldn't want to hack that..
  • DamageInc, on 10/12/2007, -3/+27WPA Key of 63 random generated characters. Problem Solved (not perfect, but easy to setup and harder to crack).
  • xertys, on 10/12/2007, -3/+27Securing your wireless network is as easy as enabling WPA or WPA2 and using about 20 characters of the best randomness you have available (I pulled that number out of my ass), or 5 Diceware words. As long as you don't need to type the key manually anywhere (e.g. on a PSP or DS), you might as well use the full 63 character length, or 64 hex digits if your router and client hardware supports it.

    The 64 hex digits option is preferred by some because it is exactly 256 bits, which is the key length used by WPA, whereas the 8-63 character ASCII key needs to be hashed down. Any difference in security is probably negligible though.

    MAC filtering and SSID hiding are enough to stop the kid next door from connecting, but that isn't security. Security is making it infeasible for anyone to connect who isn't authorised. I know which one I prefer.
  • mb309, on 12/31/2008, -7/+27"WPA-PSK security with a random alpha-numeric pass-phrase that's a minimum of 10 characters long."

    1300+ words too many.


  • Baorc, on 10/12/2007, -23/+43As much as this can be humorous, it is the best plan out there. I think someone on digg said this once, "Wireless is for ***** that can't run wires."
  • opus20745, on 10/12/2007, -1/+20Sigh.... FUD sucks. No, WPA was not "cracked". People have gotten through WPA protected devices using brute force password attempts (and in fact many rainbow tables now exist for just this type of attack). But that is a fault of the password being used, NOT of WPA itself. If a user puts in "love" as their WPA key, odds are it'll be broken eventually using one of the brute force methods. If you're password is: "5656C1251FD4B2C525AA8EA98E745E371E2F02EE8394D8C600454939DD00E0E3" ... not so much (note, you should use mixed special chars too, but digg wouldn't allow posting them for this example.)
  • TheSeeker11, on 10/12/2007, -1/+19For those that will wisely switch to WPA/WPA2 (I recommend the latter) you should take a look at Perfect Passwords to generate a random key.

    https://www.grc.com/passwords.htm
  • bennyboy371, on 10/12/2007, -10/+28The whole reason the question marks are funny is because its not even a full plan. I think this time, you filled it out pretty perfectly without step 5.
  • gharding, on 10/12/2007, -7/+22The SSID of the AP I steal bandwidth from is called Brokeback. I'm not sure if that's some sort of sign.
  • opus20745, on 10/12/2007, -2/+17Um, no, they can't. If you're using WPA2 with a GOOD passphrase, they will not be cracking your router anytime soon. However, if you rely more on MAC filtering and SSID hiding as you suggest... then yeah, they most certainly can.
  • Wyzard, on 10/12/2007, -1/+13@grve
    "yeah right, because cracking wpa in 5 minutes is so much more secure... lol"

    WPA can't be cracked in anywhere near 5 minutes by any currently-known techniques.
    (Assuming the passphrase isn't a weak one, of course.)

    Were you maybe thinking of WEP, the known-weak predecessor of WPA?
  • gharding, on 10/12/2007, -6/+16Yeah, I get what you were saying, but plopping down $20 for a wireless router, even with the insecurities, is a much better option than renting a hammer drill, buying a spool of cat5, wiring the boxes, and losing my security deposit. If someone wants to steal my connection, kudos to them.. but even sitting inside my apartment, I get a stronger signal from a completely insecure AP :)
  • geronimo, on 10/12/2007, -1/+11@grve
    "strong non dictionary password", but its as weak as dictionary password (with the right tools these days)."

    Please link to one tool which allows you to easily crack a strong random WPA password. Just one.

    TIA.

    (WEP is flawed in that cracking doesnt involve brute force but using holes in WEP, WPA has no such weakness. There are WPA "cracking" tools that merely use brute force, 128bit WEP and below don't need brute force techniques, just capture enough packets and crack it in minutes.)
  • Otto, on 10/12/2007, -1/+10WPA and WPA2 have not been seriously breached yet.

    The thing about wireless encryption is that it's only as secure as the money/time you're willing to put in to break into it. If somebody wants in, and has enough bank to do it, they can break any wireless security. So generally, if you're really concerned about security, you put the wireless access points on a segregated network which has no access to your secure network, and force users to go through some kind of proxy or something.


  • JohnboiWaltune, on 10/12/2007, -0/+9If you honestly think there is someone out there who is personally targetting you for information theft, you need to be worried about physical security, not locking down your wireless network. If they want your computers that badly, it's easier and faster for someone to physically break into your home/office and steal them.
  • rspeed, on 10/12/2007, -2/+11jlebrech was joking.

    I hope.
  • rohanch, on 10/12/2007, -2/+11@turgor

    You do know that hidden SSID and MAC filtering can be bypassed in minutes to connect, right? And that they do **nothing whatsoever** to protect against people sitting outside and sniffing your traffic (website visits, passwords, mail, etc)?

    They will stop the average passer-by connecting to check their mail, but they don't stop anything slightly more determined than that.
  • Wyzard, on 10/12/2007, -1/+9WPA does have the slight fault that brute-force attacks can be performed offline -- if an attacker can eavesdrop on one authorized user successfully connecting to the network, he can use it to perform a dictionary attack entirely on his own comupter, without having to actually attempt wireless authentication with every candidate password. This means the attack can be performed at the speed of the attacker's own computer(s), without the bottleneck of the WPA authentication protocol.

    However, it's still quite possible to choose strong passphrases that are not feasible to crack with a brute-force attack, so used properly (i.e. with a strong passphrase), WPA is still quite secure.
  • MaximegalonInfo, on 10/12/2007, -12/+19Yah, this sucks. Too much BS about him. Just give the ***** info. No one cares about your life history on your past blog posts. Also, too much unrelated BS links in the page.
  • Fordi, on 10/12/2007, -0/+7Summary of TFA:
    For wireless,
    Pointless and possibly harmful 'security': SSID Hiding, LEAP/EAP-FAST, Static IP, MAC filtering, 'Strategic' antenna placement / signal limitation, Bluetooth/802.11a
    Weak, but deterrant: WEP, WPA/WPA2 with a weak passphrase
    Tight: WPA2 with a strong passphrase ( > 10 char, nondictionary, with lower, cap, num and symbol)
    Enterprise-tight: PEAP/RADIUS over WPA2 and switch separation

    Read it, learn it, and perhaps I won't be sucking off your network when I pass by.
  • jerwin, on 10/12/2007, -3/+9
    If your neighbor can crack your MAC filtering or WEP key, invite them over to help you with your networking issues. If not, they work just fine to keep the casual neighbor from 'sharing' your bandwidth, which is the major issue here.
  • AnteChronos, on 10/12/2007, -1/+7@grve
    "i mean wpa/wpa*crap, and if you dont know how, you dont deserve to know it anyway"

    I love how people use the old "if you don't know I'm not going to tell you" smokescreen to hide their ignorance. WPA can *only* be cracked via brute force. For dictionary passwords, brute force is fairly easy. For strong passwords, well, lets just say that you'd better hope that AP is still up a few centuries from now.
  • zai-asal, on 10/12/2007, -0/+6Blah, just name it "FBI Honeypot Tor will not work here"'. Nuff said.
  • Otto, on 10/12/2007, -2/+7>>>"For most of us, we just want to make sure we are connecting to our own network, and that our neighbor is not. SSID suppression, along with WEP encryption , accomplishes that in the absence of active, knowledgeable attackers."

    You're missing something else though: WEP accomplishes your goal *without* suppressing the SSID broadcast.

    And suppressing the SSID broadcast actually makes it more difficult to *use* your own network. It also makes it slower. Yes, that's right. Because when your network card disconnects (happens more often than you'd think, home routers tend to be crap) and then when it has to reconnect, it's possible that it will try to search for the preferred networks, and not seeing your own SSID broadcast, it'll have to do an active search, which takes longer.

    The point is that suppressing SSID is not a security measure and should never be treated as one.
  • R34C7, on 10/12/2007, -2/+6@grve

    No, simply no. Using a dictionary of every language ever devised by man, there are still exponentially less permutations possible in a password. If you use a dictionary word, a system is capable of running all possible permutations against your security in a matter of hours. If your password is not based on a dictionary word then the amount of permutations increases exponentially and becomes essentially impossible to crack using ANY technology that is currently available to man.
  • VeganG, on 10/12/2007, -0/+5I didn't know that hiding your SSID makes you broadcast even more-sensitive information. You learn something new every day...
  • Baorc, on 10/12/2007, -12/+17@gharding

    I'm just saying, it's a drawback and I found the quote funny. With wireless, you want easy access, you get the security drawbacks. I have worked in many corporate environments where they simply refuse to use wireless because of the security issues. It is just not worth it.

    But not everyone thinks alike and that's fine.
  • dbr_onix, on 10/12/2007, -0/+5"I don't understand why the guy criticizes static IP addresses."
    He only criticizes static IP addresses *as a security measure*
  • Wyzard, on 10/12/2007, -1/+5"One of the arguments being put forward is that certain procedures work "just fine". There must be a way of seeing how true those statements are."

    The problem with this line of reasoning is that it can only prove a negative, not a positive. If you use MAC filtering instead of encryption, and you find an unauthorized user on your network, it proves that MAC filtering is not an effective security measure, but if you don't find any unauthorized users, it does not prove that MAC filtering is an effective security measure.

    (If you routinely leave your front door closed but not locked, and you find no burglars in your house right now, does that prove that a closed-but-unlocked front door is an effective way to secure your house?)
  • diggnationdevon, on 10/12/2007, -0/+4Oh. I didn't read that he meant by security. That makes sense.
  • pauldonnelly, on 10/12/2007, -0/+4Your encrypted data.
  • jfinke, on 10/12/2007, -1/+5Thanks guys... those were the two most sane posts in this whole article. And it deals with the same questions that come up everytime someone posts a "wireless security" article.
  • dbr_onix, on 10/12/2007, -0/+3"First, WPA is probobaly your best option for encryption as a home user
    [..]
    Forth, Static IP's can act as another layer of security"
    If someone gets past the WPA encryption, I *really* doubt static IP's will be anything other than a nuisance to people using the network.

    Really, 99% of the time, even WEP will deter damn-near everyone from trying to connect to your access point - Leaving it unencrypted will mean people who "click wifi icon and connect to first available network thingy" may connect (unknowingly) to your network, if it asks them for a password, they will shrug and realize it's probably not their access point.
    Personally, I think the inconveniences added by using MAC-address filtering and disabling DHCP *far far* outweighs the negligible security improvements.
  • Wyzard, on 10/12/2007, -4/+7Because they're wrong -- the "security myths" mentioned by the author really are ineffective against a malicious and moderately-knowledgeable attacker. Cryptographic authentication and encryption (WPA, or at the very least WEP) are the only way to go.
  • vertinox, on 10/12/2007, -0/+3I would agree.

    I live in a city where there are like up to 5 APs from random people on most corners (most say linksys *coughs*)

    I have a wireless router for my Nintendo DS and can't use high end security, but I figure I can just MAC address filter and turn off the SSID and no one will bother to hack it. If they do then props to them for spending the extra time to use my network when they could have used anyone else's open router.
  • PedleZelnip, on 10/12/2007, -0/+3So what about when the person uses your network to download kiddie porn, or visit the Taliban's website?
  • Wyzard, on 10/12/2007, -3/+6Because not providing a DHCP server does *absolutely nothing* to prevent an attacker from eavesdropping on your wireless network, or from choosing one's own static IP and actively using your network.

    Static IPs are OK for preventing casual non-malicious users from accidentally connecting to your network, but for that (non-security-related) purpose, MAC filtering is better. Neither is an effective security measure against malicious users.
  • pauldonnelly, on 10/12/2007, -0/+3Why? Who cares if your neighbors see another network on their list? They won't even know who owns it unless you use your name.
  • Fetching more discussions...
    Show 51 - 100 of 142 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.