Re: discussion wireless security retroactively apply router security/password/key

(Warning: this post contains strong opinions!)

Wow, lots of questions. Where to start? How about at the end:

Alas, no. Security is not simple. I wish it were, because its complexity drives some people away from caring, and causes other people to misconfigure the very settings that matter the most. And this is how attackers penetrate systems. In my 20 years working in information security, the vast majority of attacks I've witnessed are the result of what I call "configuration vulnerabilities" rather than errors in the program code.

I'll be the first to admit that this is very likely a contributor to the problem as I've described it above. In our efforts to be precise with security terminology, we've had to use quite a lot of words. For the layperson, it can be confusing. The difference between "key" and "password"/"passphrase," for example. So that you can understand why we have different terms, allow me to briefly describe them. (I'm going to use a little jargon here, but I'll define it as I go along.)

• key: to protect traffic from interception, wi-fi uses an encryption algorithm -- a process that takes in clear text and applies a mathematical transformation to generate "ciphertext." The key applies a secret to the transformation. The only way to obtain the original clear text is to run the algorithm in reverse, using the same key. WEP's algorithm is called RC-4; while the algorithm is sound, its implementation has flaws, which allow an attacker to regenerate the protected text without prior knowledge of the key.
• password/passphrase: cryptographers developed better mechanisms to eliminate the weaknesses in WEP. One of these improvements was not to use the entered value as the key, but instead generate a new key after a given time interval or even a new key for every packet. WPA's algorithm is called TKIP and is time-based; WPA2's algorithm is a derivative of AES called CCMP and is packet-based. But there still needs to be some kind of secret that both ends of the connection can either share or derive independently. That's what the passphrase is for. Because length is always better than complexity when it comes to generating good secrets, we in the security field are trying to "reprogram" people away from passwords and instead think of passphrases.

(You don't need to know the algorithm names; I included that info for readers who are curious.)

Now, the challenging thing here is that for WEP, you have to pay attention to length. Usually your GUI will tell you when you've entered enough characters. Fortunately for WPA/WPA2, this no longer matters; just use a nice simple sentence and you're all set.

Only insofar as the neighbors don't know your passphrase. If you share it with them, they can configure their computers to use your wireless. Think of what you're configuring here as a network security mechanism, not a user or individual security control.

Some wi-fi gear tries to complicate this too much by incorporating a user access control mechanism. Not everyone will agree with me here, but I view this as mostly a marketing gimmick. There are no standards for this (however, there is a standard for computer-based access control, which makes sense for enterprises but not home networks -- it requires a digital certificate authority). So wi-fi router manufacturers put all this extra junk in there which simply ends up confusing people even more. Here's a simple thing to remember: at the packet level, an access point has no idea what person generated a packet -- only what computer did.

Bit of advice #1: ignore all those other settings. Once you've configured your WPA/WPA2 passphrase, you can consider your access point to be secure.

Now you're entering a realm completely separate from wi-fi security: you've wandered into the land of file access control. And this, unlike the other, is truly a user-based access control mechanism.

Another bad idea. This gives the impression that you can adjust your access point's security, which is certainly not the case. Instead, the router is advertising itself as a file system. Again, in their efforts to lure you into buying their stuff, the consumer networking companies are adding file server capabilities directly into their routers (dumb, dumb, dumb). When you navigate the security settings here in Dolphin, you're configuring the security on the file system, not the security of the access point's wireless interface. Unfortunately, this distinction is poorly, if at all, documented.

Every object in Linux has an access control list. There are three aspect to the access control: an owner, a group, and others, or the rest of the world. Each aspect indicates which permissions apply. It's possible, for example, to create an access control list that grants read+write to the owner, read-only to a group, and nothing to everyone else. Generally, on your own home machines, you won't need to alter the permission settings on files. Linux automatically assigns you as the owner of files you create and also automatically sets the group owner to be the primary group of which you're a member -- and this membership is automatically taken care of for you.

The confusion here results from what I described in my mini-rant above: by adding file server functionality to a home wi-fi router, it's easy for people to confuse the various security controls. Bit of advice #2: the passphrase you set on the wi-fi router to protect the wi-fi supersedes anything you might configure on the router's file sharing properties. If your neighbor doesn't know your router's passphrase, then even if a file's "other" group allowed read+write, your neighbor won't be able to make a connection to whatever thing you might have connected to the file sharing mechanism.

I hope what I've typed here helps clear things up a bit. To fix an existing home network setup, my suggestion would be Bit of advice #3: start over.

• Locate the documentation for your wi-fi router (probably online) and find the steps for performing a hard reset.
• Connect a computer to one of the router's LAN ports and allow the computer to automatically obtain an IP address.
• Log on to the router's administration interface and -- before you do anything else -- set a password! This is, of course, not the thing that encrypts traffic, but instead prevents others from logging on to your router (yep, yet another password for yet another purpose).
• Next, configure wi-fi security. Use only WPA2 (preferred) or WPA (acceptable); don't use WEP at all -- it's totally broken. I can crack your WEP in minutes. Use a passphrase that's easy to type, because you don't want to be typing difficult character patterns when sometimes all you can see on the screen is a row of dots.
• Write down both the router's administration password and your wi-fi passphrase. Yes, contrary to what some people claim, it's perfectly fine to write down your secrets, so long as you protect the piece of paper!
• Delete and reconfigure wireless settings on all your computers. You'll be prompted to enter your wi-fi passphrase. If the GUI asks for a password instead, just remember that there's no consensus on what to call this thing, so think for a moment what you're doing: you're joining your computer to your network, so here you'd enter your wi-fi secret, not your access point administration secret. If you think about this distinction between the two secrets, it'll help you keep things straight.

From this point, you can consider yourself finished. You've effectively isolated your network from your neighbors. They can't consume your bandwidth, your wireless traffic is safe from eavesdropping, they can't access the computers behind the router, and the data stored on those computers is not available to them. Honestly, it was easier to secure their home networks a few years ago than it is now, precisely because the home networking gear has become too complex for most people. Complexity is the enemy of security. Keep things simple and you're much more likely to have gotten it right.

Re: discussion wireless security retroactively apply router security/password/key

Fantastic response Steve. I hope the mods sticky this post.

Re: discussion wireless security retroactively apply router security/password/key

I agree with how Steve worded his responses. I've been on that side for about as long and can really agree with what he is saying. Along with that, I'm also a believer in STRONG Passkeys and Passwords. Some of mine can easily be nearly 12 to 16 characters/number/symbols long. And yes, it is a mix of characters/number/symbols. Some systems, though, do not allow symbols and I have seen some that don't go over a certain length as well. At which case I use the MAX that it will allow.

Re: discussion wireless security retroactively apply router security/password/key

Sidebar: Am I the only person who's not totally paranoid about my internet connection? With a wireless distance of most routers isn't your "security breech zone" rather small - like a couple hundred feet?

Ok, someone in my neighborhood decides that I am a better target than the other 20 wireless routers (I live in the city) within reach. Then what? Packet sniffing until they get my passphrase? Ok, now they're on my internet connection, now what? Steal my bandwidth? Guess my login or root passwords? And what for, to steal the $45 I have in my Paypal account? - oh yeah, different password.

I'm not suggesting not using WPA2 (I don't) but I have no first-hand knowledge of anyone ever being hacked to the degree that they know it happened. My sister got a virus that gave someone access to her email account, but that happens regardless of passphase security. Has anyone been sent to jail because someone else gained access to their internet connection? I don't know of any cases.

Just my opinion, but I think most home users are made safer by the fact there's not much to gain from hacking them this way than they are by a long passphrase. The payoff just isn't worth the time of any decent hacker. I think most "news" stories about the dangers of hackers are planted by the same people who advertise for home alarm companies.

Commercial users may have a lot to lose so that's a different story.

I did have a short conversation with a contractor who works in internet security with the Federal Government. He said the biggest problem is botnets but using linux went a long way to keep me secure. Of course, he makes money from security too...

Re: discussion wireless security retroactively apply router security/password/key

Woah !!!! I second the above opinions, Steve Riley...GREAT post!

So.....to me.... after your fine discussion, the salient point seems to be in the sentence...

•Locate the documentation for your wi-fi router (probably online) and find the steps for performing a hard reset

This says, to me, that ......at the stage of "wanting to do it retroactively".... one CANNOT ....just enter a passphrase in the box and it will "take".

One really does have to find the "original" key/password/phrase that was in the original documentation OR find it online ....

BUT THEN..... this line implies that possibly not all hardware requires an "original password" from the manufacturer....

•Log on to the router's administration interface and -- before you do anything else -- set a password!

Is that correct? Not all routers require an original password and one can "just set" A password?

Then follow your steps......

If that is correct then I think that right here....at Kubuntu forums..... right here....here....at the forums....... the spendid instructions of Steve Riley

RIGHT HERE....at THESE FORUMS...right here....

all right camel breath (quoting Johnny Carson to Ed mcMahon.... ) enough already woodsmoke!!!

but yes... the above is the pithiest set of instructions that I have seen.

thanks again Steve and all the others who posted.

woodsmoke

Re: discussion wireless security retroactively apply router security/password/key

Thanks. Just doing what I like to do

Once upon a time I had a customer whose corporate password policy was to use the maximum length permitted by the operating system. Well, in the NT4 days, that was 15 characters, so pretty easy. Then along comes Windows 2000. How long of a password can you use there? The UI allows you to type 128 characters, but the true max is 256. So to stay in line with his policies, users would have to generate something like "mydogandiwentdowntothecornergrocerystoretodayandw henwegotthere- wesawsallyandshelookedsoniceandguesswhatshehadanew kittywellthatkittyandmydog..." Come on people, pass phrases are good, pass paragraphs are too much!

More on passphrases vs. passwords... Another customer once lamented she simply couldn't follow the typical directions: 10 characters, with a number somewhere in the middle. She said, "I don't know any 10-character words!" Imagine trying to maintain your composure in a business meeting when you hear that. Then she went on to say, "And I don't know any words with numbers in them!" I had to bury my face in my smartphone to conceal my snicker. But the story stuck: calling the secret a password artificially limits one's thinking. This is how we came to know that passphrase is a much better descriptor.

Re: discussion wireless security retroactively apply router security/password/key

You aren't the only one to wonder this. However, read on...

Learn about a wonderful invention called a cantenna. I've seen them, I've built them. One time I described these at a presentation in Australia; the following year, someone brought his and asked me to autograph it

Indeed. Bandwidth theft has been a known problem for a while. Courts are still sorting liability, but I don't envision unicorns farting rainbows across the land in the future. Semi-monopolies like ISPs seem more and more willing to bend over backwards to government pressure to transfer liabilities to customers. Yes, someone can be prosecuted for stealing your bandwidth. But if they use your network to download child pr0n, it's highly likely that you could be held partially responsible for not taking appropriate precautions to prevent that.

The PayPal log on is protected with SSL, so your password remains confidential. But -- even today -- plenty of web sites and other applications still transmit clear-text passwords. Credit card numbers, too.

May I urge you to reconsider? Someone driving by your house and hopping on your unprotected wireless network is now behind your router or firewall (this is true even if your access point is also your router). If the attacker is using a wireless card that works in promiscuous mode, he can see every wireless datagram flowing throughout your network.

The payoff is bigger than you might think. While email-borne attacks are the primary route for botnet zombie infections, finding vulnerable machines behind unsecured access points is another common attack vector. Unlike wired Ethernet, which requires an attacker to obtain physical access to the cable plant, wireless networks provide potentially unfettered access.

Re: discussion wireless security retroactively apply router security/password/key

My pleasure, thanks.

When consumer wireless gear first started appearing, it was configured with no administrative password and no encryption key/passphrase. Manufacturers then grudgingly added default administrative passwords. I quit counting the number of access points I "managed" by searching for SSID="linksys" password="default" when it became predictable (read: every. single. time).

Nowadays, modern equipment is more likely than not to walk you through the process of configuring both the administrative password and the security key/phrase. That's why I recommend a hard reset. From this point you can establish a baseline that you know: either you have to manually configure it, or you can let it help you navigate the process.

You guys are too much! I've learned a lot about Linux/Ubunutu/Kubuntu/KDE from this forum. I'm simply doing my part to contribute back.

Re: discussion wireless security retroactively apply router security/password/key

Some people are sooooo desperate ..... well, OK, here's mine:

[img width=400 height=300]http://img802.imageshack.us/img802/8729/parabolicwifi.png[/img]


That is a really nice writeup, Steve. I'm with oshunluvr -- heck, half of my suburban neighbors don't even have their encryption turned on. And I should tighten up? I don't think so.

Re: discussion wireless security retroactively apply router security/password/key

I looked into a can-tenna awhile back for use in my RV.

Watch out campers - I'm hacking your connection soon!

Re: discussion wireless security retroactively apply router security/password/key

Yeah, I'm diverting... but:



Separated at birth...?

Re: discussion wireless security retroactively apply router security/password/key


No, no, no -- regardless of the striking similarity, he's a distant cousin.

Re: discussion wireless security retroactively apply router security/password/key

There was also this on Lifehacker: - http://lifehacker.com/5839243/use-an...wi+fi-extender . Beer cans anyone?

Aside: Judged to be the funniest joke at the Edinburgh Festival this year.

Re: discussion wireless security retroactively apply router security/password/key

Please reread what I wrote. I did not suggest using an insane length as such. I suggest those systems that restricts the length, of which I know some do to 8 to 12, to use the Max. I had other stuff after this but I really don't feel like getting into a war on who's philosophy is correct. I agree with what Steve said originally.