Re: ALERT: WPA-TKIP isn't secure - use WPA2 instead



On Thu, 08 Oct 2009 08:22:41 -0700, John Navas
<spamfilter1@xxxxxxxxxxxxxx> wrote:

Do you know anyone that changes their wireless WPA/WPA2
phrase regularly?

I'm the only one I know! You? ;)

Not me. Worse, I tend to use the same WPA pass phrase on multiple
systems. Recycling passwords is generally a lousy idea. However, the
systems I've seen that really do require good wireless security seem
to favor VPNs and S-key dongles. Employees have a credit card size
key generator. They login with the usual user name and intentionally
trivial password. It then asks for the number displayed on the credit
card one time key generator. Wireless access is literally wide open
as the real security is through the VPN tunnel. Also works well at
home, in a coffee shop, and at the office.

Yep, it's ugly, part of why I push WPA2 Enterprise, which minimizes the
damage of a compromised password (but is too much hassle for most -- I'd
really like to see a PEAP server in DD-WRT).

Right. However, I don't think you'll see it in the RAM limited WRT54G
implementations. It's also the type of feature that Brainslayer will
probably add to the commercial version of DD-WRT. I'm still tempted
to do it myself, as we previously discussed, but lack the time and
inspiration. (I also lack the talent, but we won't go there).

What metric shall I use to determine if I'm secure, or
not secure?

<http://world.std.com/~reinhold/dicewarefaq.html#howlong>
I personally use seven (7) diceware words, although
I agree with the five (5) word recommendation for most users.

Wrong answer. That's a good measure of how secure the password is.
That's important, but it is only a component of how secure I am, or how
secure my system is. It doesn't matter how many deadbolts I install
on my front door. If I leave the back door or windows wide open, I'm
not secure, and neither is my system.

The problem is that cracking tools are widely available, and it's
dangerous to assume your "script kiddies" don't have access to serious
cracking tools.

Sure, but if my password key management system is the typical
pre-shared key mess, where everyone in the company knows the password,
the availability of cracking tools doesn't do much. A cracker would
do as well just borrowing a laptop, extracting the hashed WPA key out
of the registry, and using the hash code to connect and decrypt
sniffed traffic. For typed in passwords, a video camera or binoculars
works well for finger hacking.

It's also so easy to have more robust security (e.g.,
my 7 diceware words) that I don't think it makes sense (cost/benefit) to
compromise.

Again, you're only securing the password. I'm talking about securing
the entire password system, including distribution. A better password
doesn't do much when the distribution system leaks badly.

I just looked at my own LCD monitor. There are 4 post-it notes
plastered around the edge, all with various users' passwords in plain
sight. I should clean up my act.

I use Password Safe, created by noted cryptographer Bruce Schneier,
free, open source, and highly recommended.

I use an Excel spreadsheet and a USB dongle. The dongle is encrypted.
Perhaps if I added an explosive device, I might further enhance the
security.

"Security is a process." -Bruce Schneier

Yep. Exactly my point. Think of it this way.... If you were to break
into a typical office or home wireless system, would you attack the
strongest point, which is the encryption? I wouldn't. I would look
for the weakest point, which is (IMHO) the password key management.
That can usually be compromised with social engineering or post-it
notes.

I haven't had any security problems beyond idiots posting the
WPA key on the office bulletin board.

That you know of!
And "past performance is not indicative of future results"!

True. Detecting intrusions is difficult. I've gone so far as to
leave messages on people's Windoze desktops announcing that I've broken
into their machines (usually via open shares) and they don't notice.
Like most companies, when a break-in does occur, they patch the
problem, and blunder onward in the same manner as before. When my
crystal ball is able to predict future results, I'll stop relying on
my past performance as an indicator. Meanwhile, it's all I have to
work with.

With all due respect, that's not valid -- risk is the _product_ of all
the risk factors, not a limit, so improving any one factor _does_ have a
material effect on security.

Play it by the numbers. There's little difference in overall security
between a 1 part per million and a 1 part per billion chance in
cracking a password, when the same system has a one chance in 100 of
being cracked by social engineering, shared password management, and
just plain sloppiness. Once the password security component has
become sufficiently small, additional efforts to make it even smaller
have a negligible effect on overall probability of cracking the
system.

So by all means pay attention to the
biggest risk factors, but don't use that as an excuse to ignore cheap
and easy improvements to other risk factors.

I wouldn't call it an excuse. I would suggest it's a logical
calculation based upon probability of having the system compromised by
various means. Despite the availability of cracker tools and
monitoring hardware, the few real wi-fi breakins that I've seen were
perpetrated by means other than sniffing and cracking. Most common
are well-known WPA-PSK keys. For the home user, it's the post-it note
on the router with the WPA key included.

No offense intended, but you're wrong on this one and (worse) handing
out bad advice.

I'll stand on my (bad) advice.

Even though you lack security expertise? ;)

Please note that I'm not directly offering advice. I charge for that.
I simply expounded on what *I* do for security and explained why *I*
do it that way. I won't claim expertise, but I do claim some useful
experience. After all, I've never attended a security convention, am
not on any of the security related mailing lists, and don't read the
security proceedings.

Next time we get into a security discussion, remind me to stay out of
it.

--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
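The risk arithmetic the two posters argue over, worked through as an added example (not code from either of them): it treats the attack vectors as independent, uses the thread's own figures as constructed inputs (a 1-in-a-million vs 1-in-a-billion password crack, 1-in-100 for social engineering or shared-key sloppiness), and also computes the Diceware entropy behind the 5- vs 7-word choice.

```python
import math

# Standard Diceware list: 6^5 = 7776 equiprobable words.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed scenario using the figures quoted in the thread: probability
# that each vector compromises the network over some fixed period, assumed
# independent of the others.
THREAD_SCENARIO = {
    "password_cracking": 1e-6,                  # "1 part per million"
    "social_engineering_or_key_sharing": 1e-2,  # "one chance in 100"
}


def diceware_entropy_bits(num_words: int) -> float:
    """Entropy in bits of a passphrase of num_words uniformly chosen Diceware words."""
    return num_words * math.log2(DICEWARE_LIST_SIZE)


def compromise_probability(vectors: dict) -> float:
    """P(at least one vector succeeds) for independent vectors.
    The system survives only if every vector fails, so multiply the
    per-vector failure probabilities and subtract the product from one."""
    survive = 1.0
    for p in vectors.values():
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def marginal_gain(vectors: dict, name: str, new_p: float) -> float:
    """Drop in overall compromise probability if vector `name` is reduced to new_p."""
    improved = dict(vectors)
    improved[name] = new_p
    return compromise_probability(vectors) - compromise_probability(improved)


if __name__ == "__main__":
    print(f"5 Diceware words: {diceware_entropy_bits(5):.1f} bits")
    print(f"7 Diceware words: {diceware_entropy_bits(7):.1f} bits")
    print(f"overall P(compromise): {compromise_probability(THREAD_SCENARIO):.8f}")
    # Thousandfold stronger password (1e-6 -> 1e-9) versus tenfold better
    # key handling (1e-2 -> 1e-3): which one moves the overall number?
    gain_pw = marginal_gain(THREAD_SCENARIO, "password_cracking", 1e-9)
    gain_se = marginal_gain(THREAD_SCENARIO, "social_engineering_or_key_sharing", 1e-3)
    print(f"gain from 1000x stronger password: {gain_pw:.2e}")
    print(f"gain from 10x better key handling:  {gain_se:.2e}")
```

Both sides of the argument survive the arithmetic: the stronger passphrase still lowers the overall figure, but by about a millionth, while the tenfold improvement in key distribution removes most of the risk.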