Re: Two wireless routers one network



Mark McIntyre <markmcintyre@xxxxxxxxxxx> hath wroth:

>All too true. However I can't think of any obvious reason to make it
>/easy/ for next door's porno freak. :-)

I've learned more about wireless security from the horde of
neighborhood kids trying to use my wireless than from any books or web
pages. Would you believe a non-TCP/IP wireless network of game
machines using my wireless bridge as a store and forward repeater? My
IDS (intrusion detection system) didn't see them because it was
sniffing the traffic to the DSL modem and not the wireless. At one
time, the log files showed over 1000 different MAC addresses thanks to
one kid using a MAC address generator which he stole off my machine.
How about a repeater installed in a tree near my house so the game
network could be easily expanded?

However, the fun ended in Sept 2005, when most of the smart ones left
for college. I'll have to wait for the next generation of currently
13 year olds to get up to speed. At least I'll have some peace and
quiet for a few years.

Anyway, one of the reasons I like the WRT54G with DD-WRT firmware is
that I can do scripting from the telnet command line using 'expect'.
Two of my coffee shops want to change the WEP64 key at least once per
day. It was too tedious and time consuming to do with the web
interface. So, I printed up a pile of flash cards with the WEP key of
the day (in ASCII and Hex) along with the effective days and times. I
then wrote a shell and expect script to login, change the WEP64 key,
and logout. Keys were pulled from a database with about 3 months
worth of keys. The cards with the key of the day are hung in the
coffee shop in plain sight. Despite the ease with which WEP64 can be
cracked, it seems to have stopped the neighbors from hogging the
system, which was the only intent.

>Absolutely. It's amazing how many people make this mistake, - like my
>neighbour with his router visible through the window. Any casual
>passerby now knows the make & model, and that makes hacking in even
>easier [even ignoring the possibility of his WPA passphrase being
>written on a sticker :-) ]

I won't admit to how many systems I've broken into by simply looking
for passwords scribbled on terminals, monitors, and under mousepads
and keyboards. The nasty tendency of users to re-use the same
password for everything has caused problems. If I really want
someone's password, I just tell them that I have to create an
"account" for them, and ask them for a suitable login and password.
Invariably, they recycle an old password or worse yet, use the same
one for everything. One of my dingy customers was so enamored with
their cryptic password, that they ordered a vanity license plate
with it (not a joke, for real).

Yes, one should not inscribe passwords and important information in
easily accessible locations. However, the only way I can get people
to not recycle old passwords and use a unique password for everything
is to write them down. If they have to remember the password, they'll
use the same one over and over. In that case, the only question is
where and how to write it down. I use an Excel spreadsheet (password
secured) on an encrypted USB dongle. I don't expect my customers to
do that although my HIPAA customers do use X.509 certificates on USB
dongles, encrypted storage, and a trivial password in case it's lost.
My level of security and paranoia largely depends on the risks and
limitations of the customer. For the average home user, a post-it
note under the router is good enough. I would never do that at a
server farm, in a server room, or for securing a high value system.

>This has nothing to do with how stupid they are. My dad has a couple
>of degrees and can barely operate a video recorder. His brain simply
>ain't wired for it.

I was trying to be nice. One of my most frustrating customers is a
well known author, who still insists on using a typewriter. His staff
then takes the typewritten pages and runs them through an OCR reader.
I also have a VP at a large corporation, who has to have the biggest
and newest monitor and computer on his desk, but has his secretary
print his email for him as he can't figure out how to read it on the
screen. He also verbally dictates his replies. These people would be
totally lost dealing with the intricacies of wireless. Getting the
router set up on the internet is messy enough. Now SES and AOSS want
to add another layer of complexity? Yech.

>>They're just not interested in the intricacies
>>of wireless and just want it to work.
>
>I know the feeling, and totally agree that we, the technologists, need
>to make it easier. However the same can be said of many aspects of
>modern life - 'it's not my fault I crashed my car, you guys should make
>it easier to drive, all these knobs and dials, and stuff you need to
>do under the bonnet...'.

I have several proposals sitting in the trash cans of the major
wireless manufacturers to do just that. As long as sales are good,
and returns are low, they don't care about usability.

>>I notice you didn't say anything about my comments about monitoring
>
>I consider monitoring to be part of social engineering in this
>context. For example, advising everyone on a corporate lan that their
>internet use may be monitored is social engineering, they'll think
>twice about doing anything silly even if you don't ever actually look
>at the logs except after a complaint of some sort.

True. However, we're not talking about a corporate LAN where
monitoring is almost a requirement due to liability and internal
security issues. We're talking about a home user, who thinks he can
push the Cisco logo on the front of the router and be instantly
secure. Just look at the boxes that the routers are packaged in. They
literally exude the impression that with the product inside, your home
network will be safe and secure. Nowhere is a warning label that says
"Warning. This product is insecure unless properly configured". Yet,
even if someone follows the included security advice to the letter
(does anyone actually read the included docs?), security can be
compromised by unsafe habits and technological assumption. Monitoring
would be an answer, but that's not offered by any of the
manufactories.

It's like if you wanted to protect a barn. At present, you lock the
door with a padlock and never check to see if the padlock still
functions. With monitoring, it's like forget the padlock. Install a
loud burglar alarm. If someone opens the barn door, the alarm goes
off. I'm not sure which is best as the lock and the alarm both have
their place. It's again based on what one is interested in
protecting. For example, I just ripped out a "parental control
(lock)" software pile of junk from a neighbor's computer. Their 14
year old was hitting all the sex sites. Instead, I installed a URL
monitoring system (monitoring) on their BEFW11S4. Every site the kid
hits gets recorded. Mom looks at the reports and sees what her son is
doing. Seems to work MUCH better than the "parental control"
software.

>Heck I can phone up complete strangers and they'll tell me their
>password without batting an eyelid if I tell them I'm from their
>company's PC helpdesk or similar.

You must be a better actor than me. When I try that, people get very
suspicious. About 6 years ago, I got involved in a "security audit"
where I phoned users at one of my customers asking for their
passwords. I didn't have to simulate being from IT because I was
working for IT and fairly well known. Out of about 15 people that I
tried to trick, nobody gave me their passwords when I called them.
However, one of the other IT people managed to get about 5 out of 10
that he called. This company has regular lectures on security and
operating practices. This was underscored by one employee that was
fired not for breaking them (which he did anyway), but for testing the
boundaries of the security system to see what he could get away with.
None of my other customers come even close to this, so social
engineering would probably work.

>"Hi, I'm working in ntl's wireless mesh networking unit, and we're
>piloting a scheme to deploy a secure 100MB broadband in your area. Our
>site survey indicated you had a secure wireless network, and we'd
>like to invite you to take part in our secure pilot scheme. For taking
>part in the pilot, we give a 50% reduction in your current ntl bill,
>plus a 1TB/month download allowance. All I need from you is
>confirmation of your ntl account number, your mother's maiden name
>for security purposes, and the code number from your router so we can
>authenticate it on our servers."
>
>... and I'm not even a pro at this. It's sad isn't it?

I hate to admit it, but that will probably work on most of my
customers. It might even work on me. I've experienced a variation on
that with someone claiming to be from my bank. However, I got
suspicious and asked if I could call them back when I wasn't so busy.
They couldn't supply a verifiable call back number, so I knew this was
a fake.

>>However,
>>once we had broken in, the IDS (intrusion detection system) belched
>
>The next layer of the onion. My case rests. :-)

IDS is not part of the protection system (obstacle course). It's
independent, usually NOT accessible from either inside or outside, and
runs in listen only mode. Think of it as the burglar alarm, not the
door lock.

--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
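
The key-of-the-day table described in the post above (about three months of WEP64 keys, each in ASCII and hex with its effective days and times) could be generated as follows. This is an added example, not part of the original post or the author's script; the 05:00 change time, the letters-and-digits alphabet and all function names are assumptions, and the telnet/expect step that pushes the key to the router is not shown.

```python
import secrets
import string
from datetime import date, datetime, time, timedelta

# Letters and digits only, so the key can be read off a card and typed.
# This narrows an already small key space: 62**5 keys instead of 2**40.
ALPHABET = string.ascii_letters + string.digits
WEP64_ASCII_LEN = 5  # WEP64 secret is 40 bits: 5 ASCII characters or 10 hex digits


def make_key():
    """Return one random WEP64 key as (ascii_form, hex_form)."""
    ascii_key = "".join(secrets.choice(ALPHABET) for _ in range(WEP64_ASCII_LEN))
    return ascii_key, ascii_key.encode("ascii").hex().upper()


def build_schedule(start, days, change_at=time(5, 0)):
    """One row per day; each key is valid from change_at until change_at the next day."""
    rows, used = [], set()
    for n in range(days):
        ascii_key, hex_key = make_key()
        while ascii_key in used:  # never hand out the same key twice
            ascii_key, hex_key = make_key()
        used.add(ascii_key)
        begin = datetime.combine(start + timedelta(days=n), change_at)
        rows.append({"from": begin, "until": begin + timedelta(days=1),
                     "ascii": ascii_key, "hex": hex_key})
    return rows


def key_for(schedule, when):
    """Look up the row in force at 'when'; fail loudly if the table has run out."""
    for row in schedule:
        if row["from"] <= when < row["until"]:
            return row
    raise LookupError(f"no key scheduled for {when}; generate a new table")


def card_text(row):
    """Text for the printed card: both key forms plus the effective window."""
    fmt = "%a %Y-%m-%d %H:%M"
    return (f"WEP key (ASCII): {row['ascii']}\n"
            f"WEP key (hex):   {row['hex']}\n"
            f"Valid: {row['from'].strftime(fmt)} to {row['until'].strftime(fmt)}")


if __name__ == "__main__":
    # Start yesterday so a run before the 05:00 change still finds a key.
    table = build_schedule(date.today() - timedelta(days=1), 91)
    print(card_text(key_for(table, datetime.now())))
```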