Re: Wi-Fi: Essential Checklist



On Sat, 29 Nov 2008 07:45:35 +0000 (UTC), Sylvain Robitaille
<syl@xxxxxxxxxxxxxxxxxx> wrote:

Schneier makes the point that what he's trying to protect
(as are most people) is his computer(s), and the data on it(them).
His effort, therefore, is better spent applying security mechanisms on
the computer itself, rather than trying to "protect" access to his network
(which, incidentally, he seems perfectly willing to just share).

As I've mentioned several times, the computer can be almost totally
protected, but without encrypting the wireless traffic, a simple
sniffer can capture unencrypted traffic, passwords, email, etc.

Schneier's point (applied to this
analogy), isn't that you shouldn't move into a gated community, but
rather that you should protect your house and its contents by applying
security measures (locks on doors and windows) directly to the house.
You can take it as a given that at some time, someone who doesn't belong
in the gated community will find a way in.

Fine. I park my truck nearby, and setup my telescope, video camera,
long range microphone, electronic sniffer, etc. Maybe electronically
reconstruct the image on your CRT. Lots of ways to be intrusive, even
in a properly locked and secured house. Ready for TEMPEST grade
wallpaper and siding?

We can play this game forever. No amount of security is ever
sufficient. Given sufficient time, resources, and technology, any
level of security can eventually be compromised. That's why I detest
such security discussions. There's no right answers, no correct
solutions, and no guaranteed results.

However, that's all playing games with logic. What I find offensive
about Schneier's article is that he trashes the most basic and easist
form of security, which in this case is WPA. To get decent security,
the one part of the puzzle that must work is WPA. Everything else can
be no more than an additional obstacle, usually of minor importance.

Scheiers point
isn't that there "might" be something wrong with WPA (or WPA2), it's
that regardless of whether there is a known weakness with it now,
as technology improves, the computing power that can be put towards
brute-force attacks (and ultimately more calculated attacks) increases,
and therefore the degree of security offered by technology that's "good
enough" today decreases.

I beg to differ. He first announces that WPA is quite good. Then
declares that all such good encryption methods are eventually cracked.
On that basis, he somehow justifies running an open system.

Incidentally, I find the double negative in his statement rather
intersting. In psychology, that's a sure sign that he's uncertain
about his logic.

If you think it's all FUD, consider the following (as one example):
http://hothardware.com/News/Russian-Firm-Uses-NVIDIA-GPUs-To-Crack-WPA-WPA2/

Clever. There's wide selection of password recovery tools available
for assorted applications. There are also brute force WPA crackers
that work with fairly short WPA pass phrases.
<http://arstechnica.com/articles/paedia/wpa-cracked.ars/>
However, why bother? I can just grab the registry keys and extract a
usable WPA hash code (not the actual key) with aircrack-ng, Cain and
Able, or others:
<http://www.passcape.com/wireless_keys_screenshots.htm>
<http://www.oxid.it/cain.html>

Scheier's preference is for "easy" access to the network.

Yep. Same with Microsoft. Convenience and easy of use over security
and reliability. I'm not sure which is better. It makes no sense to
deliver a secure and reliable operating system that nobody can use.
Various Linux distributions were like that for a long time until they
wised up. I suspect a compromise is best. Wide open security is not
my idea of a good compromise between convenience and security.

He claims to
like it that way.

Sure. *I* also like it that way. Too bad it's not a good way to run
a wireless network. I have more problems with my coffee shop open
networks, than I ever have with those secured by a proper WPA key. Too
many things that can go wrong.

However, his point is that trying to protect the data
on the computer by attempting to secure access to the network is the
wrong way to go about it (and in some cases might be seen as duplicated
effort).

Yep. One of my former (not current) HIPAA customers uses an encrypted
database. In theory, one should not be able to view or extract useful
data without authorization and authentication. I demonstrated that I
could steal the entire drive, transplant it into a different machine,
and have access to all the data. They were not thrilled, especially
since some of their RAID array was missing. I'll spare you my opinion
of their security and software provider. I've had similar fiascos
with USB keys, remote access software, and of course, wireless. Also,
of the few real data security breaches I've had to deal with in
perhaps 25 years of playing repairman, the serious ones were from
insider hacking, theft of backup media, and outright theft of the
entire system. My current worries are about key loggers, trojans, and
defective software upgrades.

See Bill Cheswick's paper on the design of Internet gateways
(which a wireless access point can ultimately be) for another
(compatible) explanation (that predates wireless networking; although
the details of the technology have changed, the points are still valid,
and on a broad scale we have not yet appeared to have learned them):
http://www.cheswick.com/ches/papers/gateway.pdf

I read that 20 years ago. As you note, it's still valid. I'm
undecided as to whether it's better to protect the data or control
access. Since some of the problems I've had were from inside employee
hacking, I'm drifting toward protecting the data, and doing a minimal
effort on controlling access, permissions, etc. Dunno. I'm not a
security expert, just a repairman.

The part about leaving the car door open is called an analogy. Leave
the WPA security disabled because it might be cracked.

That isn't at all Scheier's point. Leave WPA disabled, because he
prefers to share the network access.

I again beg to differ. If that was his point, he shouldn't have
bothered to mention that WPA and all such security protocols would
eventually be cracked. He could have said something like "WPA works
and should be used. However, I prefer....etc". Instead, he implies
that WPA *MIGHT* be cracked, and uses that as justification for
running an open network. I honestly don't care why or how he runs his
open network. It's bad advice for the general public, most of whom
fail to appreciate the risks and implications.

And by the way, even if WPA is
considered a suitable way to secure access to your network at the momen,
don't count on it to secure the data on your computer.

Ummm... it secures the data transport, not the computer. Now, if you
wanted to encrypt the entire drive, that might be useful to discourage
those that run open shares (public directories) on their laptops
because it's convenient.

Referring back
to my earlier analogy, that would be like counting on the locked gate at
the end of the street to protect your home from being entered by
unwelcome strangers.

I don't see the connection, as WPA only protects the vehicle that gets
you in and out of your gated community.

He's not worrying about securing his wireless network because he's
comfortable with how well the computers he has on that network are
secured.

Good. I'm sure he also uses a VPN and SSH to talk to his work
computers. Great idea, but somehow missing in his article advocating
running an unencrypted network.

The effort he invested in securing his computers is returned
to him in his ability to not worry about the odd stranger using his
wireless network (as someone might take a walk down the street of a
gated community).

I would be worried if he' not worried. Most real security experts
that I know, are constantly worried about this or that threat. Every
time there's a new exploit announced, there's a flurry of nervous
activity. I had one such expert bail out in the middle of lunch when
someone detailed a new exploit that he hadn't heard about. I pay
security experts to be worried.

Now, having said all of that, I keep my own wireless network secured,
but all the computers I have that either use it, or are accessible from
it, also are secured as well as they can be. I don't count on the
wireless security to protect my computers, but I do expect that it will
keep most uninvited strangers from using my network.

Again, wireless security (WPA) will not protect your computer. It
will protect your network from sniffing.

Incidentally, many of the laptops that people are buying have a built
in fingerprint reader. I think I've delivered about 3 of these in the
last few months. In all 3 cases, I set it up for using the
fingerprint reader, including showing the owner how to use it, and
training it for several of their fingers. 2 months later, none of
them are using the reader, and are instead using the backdoor
password, which in one case, was prominently displayed on a post-it
note. So much for improved access security.

--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
.



Relevant Pages

  • Re: Front End/Back End communication
    ... I believe we should further protect the FE Exchange Server: ... the FE is located on the internal network with typical full-stack access to ... There is no such thing as security perfection. ...
    (Focus-Microsoft)
  • Re: Laptop wont connect to WiFi network with security settings
    ... wireless network unless I remove the security settings. ... The network adaptor is an Intel WiFi Link ... WPA: WPA-PSK The only other WPA available is with Radius ...
    (alt.sys.pc-clone.dell)
  • Re: Client End Firewalls
    ... I've done what I can to protect it ... I prefer a reasonable network setup over software ... speaking to someone off list about added layers of security. ... post-it on the door next to the monitor. ...
    (Security-Basics)
  • RE: Client End Firewalls
    ... I've done what I can to protect it (mirrored the ... drive with software RAID) and have setup security precautions. ... I prefer a reasonable network setup over ... >> password on a post-it note) can't be jumping into Jane's network ...
    (Security-Basics)
  • Re: Front End/Back End communication
    ... I believe we should further protect the FE Exchange Server: ... the FE is located on the internal network with typical full-stack access to ... There is no such thing as security perfection. ...
    (Focus-Microsoft)