A Windows Vista forum. Vista Banter

Welcome to Vista Banter.

You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact contact support.

Go Back   Home » Vista Banter forum » Microsoft Windows Vista » General Vista Help and Support
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

General Vista Help and Support The general Windows Vista discussion forum, for topics not covered elsewhere. (microsoft.public.windows.vista.general)

Network security, passwords and keys



 
 
LinkBack Thread Tools Display Modes
  #11 (permalink)  
Old December 25th 15, 06:34 AM posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
micky
external usenet poster
 
Posts: 54
Default Network security, passwords and keys

On Fri, 25 Dec 2015 00:25:01 -0600, Paul in Houston TX
wrote:

Micky wrote:
On Fri, 25 Dec 2015 00:04:34 -0600, Paul in Houston TX
wrote:

Micky wrote:

So do you all have a password for logging into your router?

I would imagine that most computer literate people do.


Ah, no wonder! I guess I'm not really in that category anymore.


Sure you are! Your questions make us think, research, and remember.


You are very generous, sir. And you did say "most" in your prior
post.
  #12 (permalink)  
Old December 25th 15, 07:24 AM posted to alt.comp.networking.connectivity,microsoft.public.windows.vista.general,alt.windows7.general
Paul[_2_]
external usenet poster
 
Posts: 47
Default Network security, passwords and keys

rickman wrote:
On 12/25/2015 12:36 AM, Micky wrote:
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?

And if I haven't set a router password, he can set one, and then I
would have run around in circles for an hour not understanding why I
couldn't call up my router page. (Even now it will take me a half
hour to figure out I have to push the reset button on the router,
right? And then I have to get my two wireless things connected
again. More wasted time.)

So do you all have a password for logging into your router?

With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?


I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?


Sadly, no.

I ran into an individual, who was working with a brand new router,
and that one had access from the WAN side.

It turned out, the hardware company that made the router, were using
the *sample* firmware from the chipset maker. And the hardware company
had not added one ounce of extra code to the thing, tightened up the
configuration, or a damn thing. It was like a piece of crap they
had just got working on their lab bench.

The end result, is there are some hilariously in-secure products
out there. Just waiting for 12 year old script kiddies to find.

I don't think you will find name-brand equipment that badly
configured, but there can still be problems with the name-brand
stuff. One problem, for example, was related to the fact that
a large number of products were using a third-party firmware,
so the manufacturer didn't have to write/edit each design,
and they were using that firmware as their product firmware.
And once an exploit is uncovered for a "common" firmware
like that, it means a whole bunch of different brands/models can
be tipped over at the same time. The ideal situation would
be if all the firmwares were unique, with a unique bug in each
one, so only one model number would tip over at a time :-)

Paul
  #13 (permalink)  
Old December 25th 15, 07:32 AM posted to alt.comp.networking.connectivity,microsoft.public.windows.vista.general,alt.windows7.general
rickman
external usenet poster
 
Posts: 5
Default Network security, passwords and keys

On 12/25/2015 1:13 AM, Micky wrote:
On Fri, 25 Dec 2015 00:50:33 -0500, rickman wrote:

On 12/25/2015 12:36 AM, Micky wrote:
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?

And if I haven't set a router password, he can set one, and then I
would have run around in circles for an hour not understanding why I
couldn't call up my router page. (Even now it will take me a half
hour to figure out I have to push the reset button on the router,
right? And then I have to get my two wireless things connected
again. More wasted time.)

So do you all have a password for logging into your router?

With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?


I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?


Something I was reading also suggested this, but I checked before
posting and I can get there and change a setting from my laptop. I
don't see a place to turn it on or off, and I surely didn't turn it
on, but otoh, the router is about 8 years old (although it says the
firmware is almost 11 years old**.) Maybe D-Link hadn't thought of
this yet.

**Could a router come with firmware 3 years old? Maybe I bought the
router used and don't remember. I don't remember where I bought it at
all, new or used.


Oh, so you have no security on your wifi? That's on the LAN side.
Maybe I missed the significance of your initial statement. Are you
talking about insecure wifi? Why not use the highest security on the
wifi you can? You are talking about not having access for an hour or
two it would take you to figure out the problem and fix it. If you use
a high security protocol they will just go away and break into someone
else's router.

--

Rick
  #14 (permalink)  
Old December 25th 15, 05:25 PM posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Char Jackson
external usenet poster
 
Posts: 14
Default Network security, passwords and keys

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

--

Char Jackson
  #15 (permalink)  
Old December 26th 15, 04:09 AM posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
micky
external usenet poster
 
Posts: 54
Default Network security, passwords and keys

On Fri, 25 Dec 2015 11:25:51 -0600, Char Jackson
wrote:

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.


Very helpful information. One of the reasons I just installed the new
firmware on the router, to get WPA2, which iirc I didn't have until
just now.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.


My neighbors are not very technical, although one had a nephew who was
a drunk. I saw him at the nearby shopping strip and he asked me to
buy him a big bottle of beer. Gave me the money. I did it, but when
the owner figured out what I was doing, just as he was giving me the
change, he told me not to do it again. (I'm still glad I did it once,
because he vouched for me with his hoodlum friends. I don't think
he's a hoodlum, except when he's drunk he has no judgment.) She let
him live with her to be nice to him, and he brought home some guys who
knew he was drunk and came there with him to rob the place. They
found this very heavy "safe" which they managed to break open while
walking around the back of my house (about 100 feet from her house. We
are in the same townhouse section.) Because I have a fence, I didn't
see it for an extra day, and I sure had trouble carrying it back to
her. But it had a lot of her papers and she'd already stopped the
credit cards.

She didn't want to but she kicked her nephew out, and I never see him
anymore, and that's the kind of risk I faced, much more than n'bors
hacking me. But it's a small risk. My front door got kicked in 32
years ago, between 6 and 7 on a Sunday night, but the n'bor's dog may
have scared them away. Nothign was stolen. He barked all the time
and drove me crazy, kept me from falling asleep at night and woke me
up 15 minutes before I had to be up even on workdays, but that day it
was good.

And one time, someone stole two gas lawnmowers, push mowers, that I
had spent weeks trying to start even one of them. LOL

And another time they stole a bicycle I got from the trash, from which
I had removed the seat and seatpost, to get a longer seat post. But
I couldnt' find even a regular length seatpost in that diameter (1",
iirc) Which means they're stuck with a bike but no seat or seatpost.
LOL

No one's touched my car, even though I leave it parked with the top
down if I'm going out again.

Those are the only problems in 32 years.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.


Thanks. I'll get back to you.
  #16 (permalink)  
Old December 28th 15, 07:42 AM posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Mike S[_3_]
external usenet poster
 
Posts: 1
Default Network security, passwords and keys

On 12/25/2015 9:25 AM, Char Jackson wrote:
On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...

"Your Impression is true..the companies that produced these new routers
realised the WPS flaw. As a result they have tighten up their controls
on WPS security and this include the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link

  #17 (permalink)  
Old December 28th 15, 03:17 PM posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Char Jackson
external usenet poster
 
Posts: 14
Default Network security, passwords and keys

On Sun, 27 Dec 2015 23:42:54 -0800, Mike S wrote:

On 12/25/2015 9:25 AM, Char Jackson wrote:
On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...


Ineffective is too strong. I'll agree with less effective.

As you noted in the quote below, the proposed solution for the WPS
vulnerability was to introduce a rate limiting feature. That doesn't solve
the issue, though. It only means a successful attack is likely to take
longer. OTOH, the best case scenario for the attacker is that his software
makes a successful guess on the first attempt, rendering the rate limiting
feature completely moot. Even without such good fortune for the attacker, if
he or she lives close by, they'll have all the time in the world. The rate
limiting feature means the attack is likely to take longer, but it won't be
stopped. Drive-by's were never the attack vector here, so the fact that it
might take longer isn't a strong selling point. Also, statistically, some
portion of attacks will be successful very early in the process, all but
eliminating rate limiting as a factor. I'd like to see a real solution, not
a band-aid.

"Your Impression is true..the companies that produced these new routers
realised the WPS flaw."


Heh, yeah, after they got beaten up in the press about it.

As a result they have tighten up their controls
on WPS security and this include the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link


Keep in mind, too, how many routers are in the field with the WPS issue, and
how few router owners pay attention to security or ever upgrade their
router's firmware. Heck, I still have people using WEP around here, and
that's been fully broken for a decade.

--

Char Jackson
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT. The time now is 10:51 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.Search Engine Optimization by vBSEO 3.0.0 RC6
Copyright ©2004-2024 Vista Banter.
The comments are property of their posters.