Great tips.  I agree with them.  I am still amazed at all the openings there are out there. 

I went to Santa Maria the other day and took my laptop with me.  While I was in traffic court my son sat in the parking lot and surfed the net.  It took 4 trys to find an open network to surf from. 

Let me correct some of your assumptions here Matt.

#1 - Disabled SSID broadcasts can't be seen... My standard wireless tool picks up over 75% of the so called "hidden" SSIDs without me trying to find them. Also, the SSID is NOT needed to connect to the access point, it is only an identifier for the MAC address needed to establish a connection. SSIDs are like DNS (I can still go to Google if I know it's IP address)

#2 It is non trivial to see which MACs (nodes) are connected to which APs. Spoofing a MAC address too is now non trivial. It can be done on Windows with regedit, and on Linux/Mac in one line of code.

#3 Doing all of things won't mean you're safe, but it does mean you are safer than before. Still use caution (see passwords below).... Just because you have a safe car doesn't mean you can drive like a maniac.
------------------------------------------------- -------------------------

Now on to your greater points and interesting links and such...

#1 Passwords should be something that doesn't exist in a dictionary!!! A great place to get EXCELLENT passwords is from this site. Yes, it is safe to print these and shove them in your wallet. Just remember that if you lose it to change your passwords immediately!

#2 This is a 101 guide to security, if you think someone would consider you a big target, my suggestion is (in ALL seriousness) to avoid going wireless (Bluetooth included, yes that headset can be hacked in under a second and I can listen to your conversations, on and off the phone). If you are a business only a good IT department can save you.

#3 WPA2 is Good, only if used in "Enterprise" aka "AES" & aka "CCMP" mode. A good place for more documentation IETF.

...Also if you want to join me, I will be attending another CTC meeting on September 20. This one on the subject of "security". See more on the website http://thectc.info There are going to be a couple of great speakers to this one and I would love to see some people in the Bakersfield IT space there.

Hi ki6,

Many of the ideas I mentioned such as hiding your SSID, enabling MAC filtering, are more 'fences' that an individual must hop. The more the better. There is a good chance that if you have too many fences in place that they will give up and go on to someone whom they are able to break in faster. It's not that they will not break in, they will. But the question is, can you prevent it.

Another good idea is to do what I like to call 'camouflaging' your network. What I mean by this is if you have let's say 6 or 7 networks around you that are 2WIRE's, why not change your SSID to a 2WIRE connection? You may not be using 2WIRE, but I find that if you just hide in and make it look that way then people will be less likely to choose you out of the other targets. If you SSID is something like 'hackers beware!' or something interesting along those lines, then you will most likely be chosen out of the other targets.

I must tell you though, WPA2 is AES even when it is not enterprise. The only downside to WPA2 is the fact that it uses up many computer resources in order to operate effectively.

Avoiding wireless would not be a normal scenario for a residential user. However, if you are a larger corporation than it is a very smart idea. Many larger businesses are using LANs now days, but this does not mean you're safe. An IT department can save you from only so much, because no matter how smart or intelligent or prepared you are, there is always someone more clever. Because of this you must not put security in place and simply walk away. The best security must be put up but it needs to be continually improved to keep malicious individuals guessing.

Matt, the idea you propose of "camouflaging" is bad, especially if you have a lot of windows users near you. Windows relies heavily on SSIDs and will try to use the strongest signal with the same SSID. The reason Microsoft does this is because it was designed with large corporate networks in mind. Corporate wireless networks have the same SSID, so if the employe goes from one floor of a building to another, the computer will seamlessly switch to the new AP and yet keep the same IP, because the DHCP server isn't getting it's address from the AP, but rather the DHCP server. SSIDs should be unique to avoid confusing the Windows wireless connection manager.

As for your fences theory, the only fence I've seen you mention is WPA2. And that is a REALLY good fence, but it's even better in the mode I mentioned. When I say spoofing a MAC is non trivial, it means that an average computer user can figure it out.  Many times people think they are being hacked simply because the log on their AP shows multiple connection attempts. We both know this is wrong.  The problem with WPA (and even WPA2 [without CCMP]) is that there are brute force attacks that can hack them. Yes it may take days, but even the first WEP cracks took days, now they take just minutes. I'm not going to go into detail why WPA2 (personal) is easier to hack. I already gave you the link to IETF. But now I will give you a link to a podcast that I know others who've commented (and decided to remove their comment for whatever reason) listen to... SECURITY NOW. The latest podcast (#108) touches on what we're talking about, but episode #89, should be of great interest for you, although it's slightly outdated.

As for corporations... they've had LANs for some time, WLANs are new to them. The reason having an IT department matters is because they won't walk away, if there is nothing to fix at the moment, it's their job to research the latest vulnerabilities and patch accordingly. Outsourcing your IT department is a bad idea if you can afford an IT department.

Hi,

Camouflaging it may be a bad idea in a corporate environment (if you are even using WLANs) but in a residential area it is useful. If you know how to, you may configure the connection manager in Windows to connect to a certain SSID. However, if all networks area encrypted, accidentally switching to an SSID would not be an issue. If your network is secured than nobody will be 'accidentally' connecting to it.

I believe you forgot to mention the fact that a VPN is also an excellent idea. This may not prevent an attack, but at least if an individual breaks in then they can't steal anything.

Another thing I failed to mention is the ability to turn down your wireless signal. If someone has an antenna it will do you absolutely no good. Antennas are getting cheaper and cheaper to create and buy. But if someone does not have one, then you succeeded in thwarting off an attack from that person (for now).

I've already listened to that episode of SecurityNow! before. Great podcast.

Matt,
    Yes, turning down your signal (although not possible on most consumer level routers) is a good idea, although it may not help at all. Depending on the "attacker's" hardware MANY things can over come signal strength. {If RFID tags can be read over 350 meters  (which don't transmit AT ALL), the distance from the curb to your house isn't going to do anything!} Matt, this where I tell you about the AMAZING thing QRP transmitters can do. I am a ham radio junkie (hence the FCC call sign as my handle). As long as my radio has decent sensitivity, and a good antenna (for the particular job I want to perform), I can read a weak signal without an issue.

    "Camouflaging" is STILL a bad idea. Spoofing those "2WIRE" (aka AT&T DSL) routers is not a good idea. Sure, accidental connections won't be made because of encryption, but you're laptop won't know any better and will try and connect anyways. It will try the next router and the next one until it finds one that is has a passcode for. Also those 2Wires are using WEP or WPA (Personal), so spoofing that is idiotic. Secondly, the passcodes those routers use are numeric, not even alphanumeric (which would provide more security). Given that they use 10 numbers (yea, that's all), all I have to have is a brute force using a password file numbered 0 to 999999999. That would take a SHORT amount of time.

    Sure, using a VPN is fine, but if I can get access to your wired network (it's easy on Cable ISP networks) then I can see EVERYTHING you're doing anyways. A better Idea would to NOT use DHCP on your wireless network, and use a different netmask for your wireless network than you do for your wired one. Of course I could still see everything on the cable network, so long as the same router is used for my IP as yours.

Hi,

I'm not certain how you think you'd see anything with a VPN, skyler. Do you have some way of breaking 256-bit AES that I don't know about? I think besides ARP poisoning there would be no other way. And if you had a static ARP table then that would not work anyway. If you're certain that you can "see everything" on a cable network regardless of their encryption simply because they are using DHCP, I'd like to know how that plays a role in that.

No, changing your SSID to a 2Wire connection is not idiotic. As I have already mentioned, you can set your network manager in windows to connect only to a specific SSID and to totally ignore the others. I have had my hidden SSID set to this for years and have not once ever had an issue with accidentally connecting to others, even though there are 3-4 other networks with "2wire." Nobody is talking about breaking into them, I'm talking about simply changing your SSID to a 2wire no matter what type of router you have. I am aware that they use 10 characters of mainly numeric, but why would I care? It isn't like I have a 2wire connection anyway. It just looks like I do.

Someone looking for a network will be more apt to break into one that says "router" or "smith family connection" as opposed to those 5 other 2wire connections, or 6, if you change yours. Even though you have WPA2 on, they'll know that probably isn't a 2WIRE connection, but who cares. That's for them to guess. If they see WPA2 and you have a 72 long password with random characters nobody is getting into it anyway (besides maybe the NSA :P).

Matt, let me explain a typical home network topology in visual terms (for a large family)...
If you use the VPN function to connect to the "office network" you are safe. However if you're using a VPN on the router, you're safe until any point after the router.

On a cable network, all users are connecting to the same "cable hub" (this is different than "cable modem"). It also is important to note the difference between what a hub and a switch is. (I've labeled the picture the way most cable operators refer to their equipment, although this is a false statement) In MOST DSL systems, switches are used, but they can't be reliably used on cable networks because of the way cable television is broadcast (multicast). When I use a neighbor's wireless AP, I can see MANY other home networks that are using the same cable hub. I can peer into them as if they were on the same network I am tapped into.

    This becomes important because if you are connected via VPN to your router, I can see  all the traffic coming from and going to your home network with any network sniffer. Each packet is being passed to all nodes on the network. IF, however, you are connected via VPN to your office network and are using SSL through that connection, you are safer.

Moving on... as you can see, the wireless network shares it's traffic to the wireless router with any other wireless enabled nodes, while the desktop (or wired) nodes use separate connections to the router. (This is similar to how hubs/switches work. ) A wireless network acts as a hub, while the wired portion acts as a switch (if it's sold as such {and most are today}). Often times if you read the boxes carefully you'll see that "wireless routers" are advertised as having an access point with a 4 port switch, or 4 port hub. This will tell you of the quality which you are buying.

If your "wireless router" has a "built-in VPN" it simply means that you can connect to your home network while you are on the road and use your home network resources (shared printers, Network drives, etc). If you use that VPN function while connecting to it wireless or wired, it's the equivalent  of wearing a condom and then taking it off half way through. (sorry for being crass but I can't explain this any simpler).

My name is "Skyler" BTW, feel free to call me whatever you wish (seriously, I've probably been called worse on the forums here).
---------------------------
In all reality though, most "war drivers" aren't snooping for private information from individuals, they're after a free lunch (not paying T-Mobile, and who can blame them). For the everyday user, WPA is fine, but if you're someone who keeps extremely valuable information on your home PCs (and leaves those PCs on when you're not home, or aren't likely to notice a strange car in front of the house for hours), then maybe this information is valuable. Otherwise you're wasting time reading this.

As for spoofing the SSID ... Let me also explain what hackers know and what you may, or may not know. Each manufacturer of an IP connected device is given a certain identification number, this can be seen in the mac address as the first 3 sets of hex pairs. My LinkSys AP for example starts with 00:13:10:xx:xx:xx This can tell you what manufacturer by the "00:13" and what approximate year by the "10". Some Macs are shared of course, but this is, for the most part, true. If I see 3 "2WIRE" SSIDs, and they start with "00:14:xx:xx:xx:xx" and then I see a SSID of "2WIRE" that starts with "00:13", I will know the difference. Your SSID is a joke. (You now have something else to look into... MAC Cloning your AP port on your router). Also, If I already know that 2WIREs don't use WPA2 by default (because not all hardware supports it), but your AP shows WPA2 is in use, I again know it's a fake (because anyone who knows enough to enable WPA2 would also know to change their SSID. And in my {former} practices I would have concentrated heavily on your system, probably by seeing what I could from down the street on the open AP on the same cable network you use). I would then use what I know about your AP (from your MAC address) against you. If it's a linksys I can see what model, by sending your public IP a set of "special" packets. I would then surf to exploit sites and see what is known to Cisco (Linksys) but hasn't had a patch made for it already. If there was nothing, I would try old security holes that may have been patched but you haven't applied through firmware updates. If none of that worked, my 10 minutes would have been spent capturing packets from you and I would leave and see what I had captured so far. If your email client had checked your pop3 account, I likely would have caught your login and password (most all web mail services take plain text passwords as a default {GMail, Yahoo, MSN, Hotmail, etc})

Hi,

To address your second post first, I understand that it's a joke. That the manufacturer's MACs start out mainly the same for the first 3 sets of hex pairs. Obviously anyone who is seasoned or experienced will figure this out in a second. The article isn't dealing with anyone experienced, but for those who are mainly unexperienced.

However, you said something that is quite interesting. You said you would send "special packets" to an individual's public IP, but you failed to mention that if a VPN is in place, if my memory serves me correct, that also hides your public IP address from anyone sniffing the network. I cannot remember if a VPN like iPhantom for instance will hide your public IP locally as well. I believe a proxy might. Any how, if most of your ports are stealthed or closed (like they should be), those "special packets" you are referring to may or may not work. It all depends on what port you are sending them to. Anyone who is experienced and who monitors their SYN/ACK packets that are being broadcasted and also monitors the entire 3 way handshake process for any issues will probably notice some strange if they see your packets incoming. This again all depends on what port is being used, and of course whether or not your spoofing your IP address when doing so.


I would also like for you to explain why you believe that all traffic is passed to all nodes on the same network. And when you explain multicasting, that's fine, however, the simple seeing multiple machines as if they are on a single network does not dumb the security down. Think of it as an external mirror location for a file, it looks different, but i t still ends up to be the same file as the other mirror. If you see it on another network, that does not take the VPN out of the equation. I am not aware as to whether or not you know of some popular VPN's such as iPhantom, the traffic is encrypted before and after it is processed on your intranet, if it worked as you explain it would be useless. The traffic therefore being encrypted before AND after, would render any type of sniffer useless, regardless of the presence of SSL. You may see someone because you happened to get into an open cable network, but the traffic is still only going in the same direction, which is on their local domain, out through the switch or hub, isp, and the internet, and all while still being encrypted by your VPN (assuming they aren't lying) which is giving you 256-bit AES encryption on ALL (or a good 95%) of your traffic. It is not going to pass any different nodes in any different manner simply because you may see it on an open network. ARP poisoning would be a good alternative, if there is a lack of a static table being in place; however, you'd actually need to be on the network to begin with for that to be a factor.

The whole point essentially being is that to best protect yourself you want to not allow anyone in to begin with. You don't want to deal with a virus after it's been spread, but to decrease the chances of it developing to begin with. You don't want to have to fight off a burglar, but to make an attempt at decreasing the chances of him or her entering by installing motion sensor lights, burglar alarms, putting a sign out on your front lawn, and so on.

Interesting, a showdown between two clashing computer giants. Like God vs. anti-God, but being unable to tell who is which.

JesusSmokedABowl, this is NOT a show down. This is more like two women disagreeing about what shade of red a pair of shoes are. This is just the fine details of network security, a conversation which, in meat space would usually take place in a server room over a few energy drinks by a few nerds in glasses.

Skyler, haha, that was a humorous, yet true description. This has nothing to do with a "showdown" as much as it does having an intellectual conversation about technology.

Matt, A VPN does NOT hide your IP address, it broadcasts it. The IP is needed for each "transaction". What will be hidden (encrypted), is your private IP address on the VPN server (as well as the data). Lets use my network diagram from above... If I am on one of the laptops and am VPNing into my router, my traffic is encrypted only over connection #5. If, however I am using a VPN to connect to my "Office Network", my traffic is encrypted from the laptop all the to the work network (across #5, #2, & #1, as well as from the internet to the Office Network). But ALL traffic in the office network (after reaching the VPN server in the office), is UNencrypted. The reason is because, if I use my office network's printer, it won't have the encryption key/certificate to understand what it is I just sent to it. If I open a web browser while connected to the office VPN and go to IPChicken.com, IPChicken will display my office's public IP address. During this time, if I watch your network (assuming you're the one on the laptop now) traffic from within your network (or down the street) I will see a bunch of random data being passed back and forth between your IP and your Office IPs public address. I won't see your NAT address, but I will see your public IP and your Office's public IP.

    I think what you're looking for, as far as security goes (because most proxies don't help) is TOR. It's uses a proxy to connect to other TOR servers. In order to be secure though, you have to run a TOR server in your network as well. This is made VERY easy in Linux. In fact my laptop is running a TOR server and a separate proxy. To use the service all I have to do is change my proxy settings. The major problem with TOR is speed (right now), which is why I don't use it all of the time. Luckily Firefox has an extension just for this purpose "TOR Button". You still have to have TOR installed on your system as well as a proxy (I don't know what you'd use for Windows, but Privoxy works great under Linux). With standard proxies, you're not encrypting your traffic at any point. If you encrypted your traffic and went through many different proxies, you'd be using TOR.
    The amazing thing with TOR is that once it leaves your network, (although it shows the next IP address) it passes through many TOR servers before it gets to the web site you're going to. Each Tor server it passes though, does not know where the original packet came from. (Imagine a letter that is in MANY different envelopes. Once, the letter gets to the first destination, the outer envelope is removed, and the envelope inside is sent off again. Even the first envelope opener (TOR server) doesn't know it was the first one to receive the letter, but it DOES know where it's going next. This process continues for some time and is finally sent to the internet (hence the reason TOR is slow.) This process is (can be) reversed because the "letter openers" still have the opened envelope's address.) In the way the EFF describes it, they refer to it as an onion (The Onion Router), you remove the outer shell of the onion, and so on.

Spoofing your IP doesn't work. If you think you can spoof your IP go to IPChicken.com, I'm not even going to begin on why IP spoofing is a joke, I really don't have the time.  As for how I know a cable hub broadcasts to all nodes... I gave you the link to read about hubs. Again I don't have time, this is something you can research on your own. If you'd like to know where I know all of this from, it's from reading, not a school teacher or professor, but reading the actual white papers, manuals and all related materials regarding the products/services (what to know more? search the knowledge base articles at Microsoft for a start). Also being a member of The CTC I've met a few VERY important people (you'll notice my name is there too) who don't just run ISPs, but run Internet Hotels (John Savageau, for example). Trust me, I know my technology. I may not be rich, or powerful, but a few important people know who I am and have even learned a few things from me. I'm not saying you're uneducated, but the fine details are missing or misguided. I hope I've helped, if not, email me. ki6amd@gmail.com

SHEESH!

I wish I had an inkling what these two "nerds" (and I use that term with due reverence and in the most positive sense) were talking about! <grin>

kI6amd reminds me of BrandonL from another board, who is a really smart dude, but he drives tanks in his spare time (jarhead). Don't think ki6 does that!

If they ever get to where they make routers and ethernet connections out of obsidian and rawhide, I'll get interested! <grin>

 

Hi Skyler,

I think we may have left out a fine point. I noticed you continue to mention "Office Networks," something that I am not really talking about. I am speaking mainly about connecting directly to the web, not your office.

However, if you speak from experience, then I stand corrected. I'm just a student who is in his first year of college working towards a BA at Computer Information Systems, who enjoys talking about technology with those who are more intelligent than myself.

Okay Matt, I think I may have spotted our misunderstanding here. You were talking about VPNs. And "VPN" stands for, as you know, Virtual Private Network. No one can have a VPN to the internet. Using a "VPN" means you're connecting from one network (intranet) to another. You can still connect to the Internet through that VPN (although you're going through the "office network" first), but you are already routing through the internet once (using encryption as your data travels), but once your traffic leaves the other (office) intranet, you're in open waters. YES, you'll still be safe if connecting via SSL to a specific web site (example: https://mail.google.com versus http://mail.google.com).

    SSL aside, VPNs are a client/server thing. You need to have client software (on your laptop), and a server service (on Windows server, Linux, OSX, BSD, etc.) This doesn't have to be any major server hardware (even routers have a VPN server, as you already know), but it's still a server that you're connecting to. If you connect to a public web server (google.com, for example), your VPN is basically acting as a proxy. The difference is that your traffic is encrypted (until it gets to the "vpn server"). 

Matt, here's something else I have been studying... @ MIT's Open CourseWare. OCW is a set of FREE online courses for anyone to study to gain a skill. Participants do NOT earn a grade, or credit in any school system, but if knowledge it what you seek, it is here! 

ChicoEsquela, I would love to see a computer case made of Obsidian, but I think rawhide would be easier to work with. On a side note.... Obsidian is made of the same stuff computers, routers, & switches are made of, silica dioxide. This is also why we call it "Silicon Valley".

However, I don't think any cattle are harmed in making computers, except maybe a few very nice laptop bags. :-)    And maybe some nerd clothing.

How about obsidean for the actual hardcase and rawhide for the hinges, keyboard (nice feel), and springs, and soft case (carrying case). <snortle>

Obsidian might be a bit heavier than titanium for the actual case, and a bit too brittle. Heat amelioration might be problematic as well.

The indigenous american of course did have a computer. It kept his ears apart.

He also had the gift for learning from less sophisticated PC's around his environs (his horses, dogs, and other domesticated livestock as well as the buffalo and wapiti).

He could forensically read their hard drives, even after death.

He also learned from his enemies, mostly two legged ones.

and of course, I meant "nerd" in only the most respectful and envious sense (as my VCR blinks 12:00 in affirmation). <grin>

(are you sure you're not Brandon?)

I've been blogging here for some time. I can assure you I'm not "Brandon". I usually blog on political topics but have recently been blogging MUCH less, due to a demanding schedule... 2 jobs, some volunteer work, and trying to help a 15 year old girl survive high school. Besides, Jason has probably had enough of my nagging about this or that on this site (Bakersfield.com).

"The indigenous American of course did have a computer. It kept his ears apart." I would Certainly say that is an understatement.
I know you meant no disrespect in using the word "nerd". I just have one question though... You mention this thing called a "VCR", what is that? (FYI I don't even have a TV anymore, I use my computers for watching/listening to broadcast media).

If I could swap my "nerd" knowledge for that of a native to this this land, I would in a heart beat! I love the wilderness and despite my love for technology, would prefer a less "paved" existence.

You remain "centered" at at one with nature even though you are a high tech guy, that is good.

BrandonL is a really smart guy on another board who works for a large multinational doing software programs , etc.

He also drives tanks for Marine Corps (reserve) in spare time.

What is VCR? Ha!

Hey! I even had a BetaMax that was the size of a samll refrigerator! The VHS VCR replaced that! I'm being drug into the 20th century kicking and screaming.

I like knives made from rocks, what do you expect? It was a leap of faith and technology when I went to black powder shooting.

(actually current formulations of black powder are more "modern" than smokeless!)