General Vista Help and Support: The general Windows Vista discussion forum, for topics not covered elsewhere. (microsoft.public.windows.vista.general)
Network security, passwords and keys
On Fri, 25 Dec 2015 00:25:01 -0600, Paul in Houston TX wrote:

Micky wrote:

On Fri, 25 Dec 2015 00:04:34 -0600, Paul in Houston TX wrote:

Micky wrote:

So do you all have a password for logging into your router?

I would imagine that most computer literate people do.

Ah, no wonder! I guess I'm not really in that category anymore.

Sure you are! Your questions make us think, research, and remember.

You are very generous, sir. And you did say "most" in your prior post.
Network security, passwords and keys
rickman wrote:

On 12/25/2015 12:36 AM, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security. But in a moment of possible enlightenment, it occurred to me that if an interloper can log into my router, he can change the key so that iiuc I won't be able to use the net. That's bad, right? And if I haven't set a router password, he can set one, and then I would have run around in circles for an hour not understanding why I couldn't call up my router page. (Even now it will take me a half hour to figure out I have to push the reset button on the router, right? And then I have to get my two wireless things connected again. More wasted time.) So do you all have a password for logging into your router? With a new router, the router password has to be set first, I think, or an aggressive interloper will change the encryption key. Does this happen?

I'm pretty sure the access to the user page in the router is only available on the LAN side unless you turn on access from the WAN side. No?

Sadly, no. I ran into an individual, who was working with a brand new router, and that one had access from the WAN side. It turned out, the hardware company that made the router, were using the *sample* firmware from the chipset maker. And the hardware company had not added one ounce of extra code to the thing, tightened up the configuration, or a damn thing. It was like a piece of crap they had just got working on their lab bench. The end result, is there are some hilariously insecure products out there. Just waiting for 12 year old script kiddies to find.

I don't think you will find name-brand equipment that badly configured, but there can still be problems with the name-brand stuff. One problem, for example, was related to the fact that a large number of products were using a third-party firmware, so the manufacturer didn't have to write/edit each design, and they were using that firmware as their product firmware.

And once an exploit is uncovered for a "common" firmware like that, it means a whole bunch of different brands/models can be tipped over at the same time. The ideal situation would be if all the firmwares were unique, with a unique bug in each one, so only one model number would tip over at a time :-)

Paul
Network security, passwords and keys
On 12/25/2015 1:13 AM, Micky wrote:

On Fri, 25 Dec 2015 00:50:33 -0500, rickman wrote:

On 12/25/2015 12:36 AM, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security. But in a moment of possible enlightenment, it occurred to me that if an interloper can log into my router, he can change the key so that iiuc I won't be able to use the net. That's bad, right? And if I haven't set a router password, he can set one, and then I would have run around in circles for an hour not understanding why I couldn't call up my router page. (Even now it will take me a half hour to figure out I have to push the reset button on the router, right? And then I have to get my two wireless things connected again. More wasted time.) So do you all have a password for logging into your router? With a new router, the router password has to be set first, I think, or an aggressive interloper will change the encryption key. Does this happen?

I'm pretty sure the access to the user page in the router is only available on the LAN side unless you turn on access from the WAN side. No?

Something I was reading also suggested this, but I checked before posting and I can get there and change a setting from my laptop. I don't see a place to turn it on or off, and I surely didn't turn it on, but otoh, the router is about 8 years old (although it says the firmware is almost 11 years old**.) Maybe D-Link hadn't thought of this yet.

**Could a router come with firmware 3 years old? Maybe I bought the router used and don't remember. I don't remember where I bought it at all, new or used.

Oh, so you have no security on your wifi? That's on the LAN side. Maybe I missed the significance of your initial statement. Are you talking about insecure wifi? Why not use the highest security on the wifi you can? You are talking about not having access for an hour or two it would take you to figure out the problem and fix it. If you use a high security protocol they will just go away and break into someone else's router.

-- Rick
Network security, passwords and keys
On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

-- Char Jackson
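An added example, not part of the original thread: a small Python check that flags WEP, unencrypted and older WPA/TKIP networks in the text printed by Windows' `netsh wlan show networks mode=bssid`, so you can see whether your own access point still advertises one of the weak modes discussed above. The sample listing is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the layout printed by `netsh wlan show networks mode=bssid`
# (trimmed; not a real scan). Names and addresses are made up.
SAMPLE = """\
SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:00:00:01
SSID 2 : OldRouter
    Authentication          : Open
    Encryption              : WEP
SSID 3 : Legacy
    Authentication          : WPA-Personal
    Encryption              : TKIP
SSID 4 : Guest
    Authentication          : Open
    Encryption              : None
"""

def parse_networks(text):
    """Split the scan listing into one dict per SSID block."""
    nets, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)  # does not match "BSSID n"
        if m:
            cur = {"ssid": m.group(1).strip()}
            nets.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return nets

def weakness(net):
    """Return a short finding for a weakly protected network, else None."""
    auth, enc = net.get("authentication", ""), net.get("encryption", "")
    if enc == "WEP":
        return "WEP"
    if enc == "None":
        return "no encryption"
    if auth.startswith("WPA-") or enc == "TKIP":
        return "WPA/TKIP"
    return None  # WPS state is not in this listing; check it on the router itself

def audit(text):
    """Map each weakly protected SSID to its finding."""
    findings = {n["ssid"]: weakness(n) for n in parse_networks(text)}
    return {ssid: f for ssid, f in findings.items() if f}

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE).items():
        print(f"{ssid}: {finding}")
```
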
Network security, passwords and keys
On Fri, 25 Dec 2015 11:25:51 -0600, Char Jackson wrote:

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes.

Very helpful information. One of the reasons I just installed the new firmware on the router, to get WPA2, which iirc I didn't have until just now.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run.

My neighbors are not very technical, although one had a nephew who was a drunk. I saw him at the nearby shopping strip and he asked me to buy him a big bottle of beer. Gave me the money. I did it, but when the owner figured out what I was doing, just as he was giving me the change, he told me not to do it again. (I'm still glad I did it once, because he vouched for me with his hoodlum friends. I don't think he's a hoodlum, except when he's drunk he has no judgment.) She let him live with her to be nice to him, and he brought home some guys who knew he was drunk and came there with him to rob the place. They found this very heavy "safe" which they managed to break open while walking around the back of my house (about 100 feet from her house. We are in the same townhouse section.) Because I have a fence, I didn't see it for an extra day, and I sure had trouble carrying it back to her. But it had a lot of her papers and she'd already stopped the credit cards. She didn't want to but she kicked her nephew out, and I never see him anymore, and that's the kind of risk I faced, much more than n'bors hacking me.

But it's a small risk. My front door got kicked in 32 years ago, between 6 and 7 on a Sunday night, but the n'bor's dog may have scared them away. Nothing was stolen. He barked all the time and drove me crazy, kept me from falling asleep at night and woke me up 15 minutes before I had to be up even on workdays, but that day it was good. And one time, someone stole two gas lawnmowers, push mowers, that I had spent weeks trying to start even one of them. LOL And another time they stole a bicycle I got from the trash, from which I had removed the seat and seatpost, to get a longer seat post. But I couldn't find even a regular length seatpost in that diameter (1", iirc) Which means they're stuck with a bike but no seat or seatpost. LOL No one's touched my car, even though I leave it parked with the top down if I'm going out again. Those are the only problems in 32 years.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.

Thanks. I'll get back to you.
Network security, passwords and keys
On 12/25/2015 9:25 AM, Char Jackson wrote:

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes. Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run. Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps to make brute force attacks ineffective...

"Your Impression is true..the companies that produced these new routers realised the WPS flaw. As a result they have tighten up their controls on WPS security and this include the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link
Network security, passwords and keys
On Sun, 27 Dec 2015 23:42:54 -0800, Mike S wrote:

On 12/25/2015 9:25 AM, Char Jackson wrote:

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes. Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run. Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps to make brute force attacks ineffective...

Ineffective is too strong. I'll agree with less effective. As you noted in the quote below, the proposed solution for the WPS vulnerability was to introduce a rate limiting feature. That doesn't solve the issue, though. It only means a successful attack is likely to take longer. OTOH, the best case scenario for the attacker is that his software makes a successful guess on the first attempt, rendering the rate limiting feature completely moot. Even without such good fortune for the attacker, if he or she lives close by, they'll have all the time in the world.

The rate limiting feature means the attack is likely to take longer, but it won't be stopped. Drive-by's were never the attack vector here, so the fact that it might take longer isn't a strong selling point. Also, statistically, some portion of attacks will be successful very early in the process, all but eliminating rate limiting as a factor. I'd like to see a real solution, not a band-aid.

"Your Impression is true..the companies that produced these new routers realised the WPS flaw."

Heh, yeah, after they got beaten up in the press about it.

As a result they have tighten up their controls on WPS security and this include the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link

Keep in mind, too, how many routers are in the field with the WPS issue, and how few router owners pay attention to security or ever upgrade their router's firmware. Heck, I still have people using WEP around here, and that's been fully broken for a decade.

-- Char Jackson