Announcement

Collapse
No announcement yet.

discussion wireless security retroactively apply router security/password/key

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    discussion wireless security retroactively apply router security/password/key

    I've always used a physical ethernet cable and never went anywhere that grand ma wouldn't want me to go on the net so I have not particularly worried about "security" and this even after volunteering at Castle Cops in it's hey day.

    Also I have never particularly "worried" about " wireless security" on my Linux boxes because I was always in an area where the only way somebody was going to get into my machine wirelesssly was to be driving down a dirt road with a snooper setup or, i just didn't do wireless that much.

    But, now I am in a situation where I am only working wirelessly and am within range of probably, at any one time, 6 other wireless users.

    And....the router, which is a physical and wireless router has been around for some time and I have lost "the book".

    The one time I set up Windows wireless security I just followed the manual and entered the password that was given in the book and then after things were working, went back and entered my own.

    So.....the question is, in the situation of a person who has been around Linux for some time and has a wireless setup that was no biggie but now is in a situation of "how to put in a password on the router" when the "given" password is unknown.

    And the solution to this should be:

    a) very simply and completely stated
    b) no "well just do this" or "then just follow the menu"..
    c) no use of "jargon words"..without an explanation... in other words the word "key' means something to some folks and possibly something to others, same for "passphrase" or WEP or WEP2 or whatever. SAMBA shares etc. etc.
    d) don't worry about "general statements" in case the person wants to hook up fifty servers for music and recipes, just keep it to:
    i) one router, one computer with a wireless card.

    The FEAR, that I, personally would have and also I am SURE that other people who are not "old hands" at this has is.....

    "What if I enter something 'wrong' and the router, which worked fine with no password for five years, is now bollixed up. "

    So the "answer" can be in two forms:

    a) it is complicated go look it up
    b) this is how to do it.


    First scenario:

    The person is looking through menu items and finds:

    a) find some menu item that says something like: network connections
    b) click it and find the wireless tab and find the line that is "working", click it and then click "edit" someplace.
    c) there should be a "security" tab, click it.
    d) There should be something that says "security" and "none" if you click it then you will see:

    WEP 40/128
    WEP 128 passphrase
    others as seen.

    OK, first what is a "passphrase"? Can one just "type it in"

    If one chooses say WEP 128 passphrase a new window opens and there is an empty box that says "key".

    OK what is a "key" and is it different than a "passphrase"?

    There are also boxes to be ticked like "available to all users". One might assume that the word "user" means Mom, Dad and Johnny but not the neighbor next door...so keep it ticked?

    does one then just hit apply and close and the system is "locked" when both on to the neighbor next door?

    Second scenario:

    One could go at it through the file structure using say: Dolphin

    if it is clicked, sometimes one "home", "network", "root", etc. etc.

    a) click network and one may see: "network", "samba shares" "add a network".

    Depending on how the file structure works one might see if one clicks "samba shares" the router.

    If one right clicks or something on the router one might several tabs and one of them should probably be something like "permissions"

    If one clicks that then one might see some sentence like "access permissions"

    And there might be "owner" "group" "others"....

    Ok so the question here is....just "who"....is...."others"....is "others" the people in the house that might walk over to get onto another computer in the house and one does not want them on "this" computer or is "others"....the neighbor next door?

    Because if "others" means "anybody" like your teenage kid that has a wireless in another room AND it also means the neighbor next door does that mean that one can choose "forbidden" and everybody is forbidden to

    a) view your computer files etc.

    b) it does not allow access to the ROUTER and thereby the neighbor next door cannot get onto the system...

    c) or does it mean something else?

    OK so, I have outlined two possibilities of how the uninstructed person who has lost, or never had a "passphrase/key/whatever" for the router might....

    flounder around trying to put a "key/password/passphrase" ON THE WIRELESS ROUTER so that the neighbor next door can't get onto the computer through the router

    OR to "use" the router to play games and eat up bandwidth even if one is not worried about "secure files" on the computer itself...

    So.....again....is there a SIMPLE set of instructions whereby "in Linux" or "in Kubuntu" one can "retroactively secure the router".?

    just a question.

    woodsmoke















    #2
    Re: discussion wireless security retroactively apply router security/password/key

    (Warning: this post contains strong opinions!)

    Wow, lots of questions. Where to start? How about at the end:

    is there a SIMPLE set of instructions
    Alas, no. Security is not simple. I wish it were, because its complexity drives some people away from caring, and causes other people to misconfigure the very settings that matter the most. And this is how attackers penetrate systems. In my 20 years working in information security, the vast majority of attacks I've witnessed are the result of what I call "configuration vulnerabilities" rather than errors in the program code.

    no use of "jargon words"
    I'll be the first to admit that this is very likely a contributor to the problem as I've described it above. In our efforts to be precise with security terminology, we've had to use quite a lot of words. For the layperson, it can be confusing. The difference between "key" and "password"/"passphrase," for example. So that you can understand why we have different terms, allow me to briefly describe them. (I'm going to use a little jargon here, but I'll define it as I go along.)
    • key: to protect traffic from interception, wi-fi uses an encryption algorithm -- a process that takes in clear text and applies a mathematical transformation to generate "ciphertext." The key applies a secret to the transformation. The only way to obtain the original clear text is to run the algorithm in reverse, using the same key. WEP's algorithm is called RC-4; while the algorithm is sound, its implementation has flaws, which allow an attacker to regenerate the protected text without prior knowledge of the key.
    • password/passphrase: cryptographers developed better mechanisms to eliminate the weaknesses in WEP. One of these improvements was not to use the entered value as the key, but instead generate a new key after a given time interval or even a new key for every packet. WPA's algorithm is called TKIP and is time-based; WPA2's algorithm is a derivative of AES called CCMP and is packet-based. But there still needs to be some kind of secret that both ends of the connection can either share or derive independently. That's what the passphrase is for. Because length is always better than complexity when it comes to generating good secrets, we in the security field are trying to "reprogram" people away from passwords and instead think of passphrases.


    (You don't need to know the algorithm names; I included that info for readers who are curious.)

    Now, the challenging thing here is that for WEP, you have to pay attention to length. Usually your GUI will tell you when you've entered enough characters. Fortunately for WPA/WPA2, this no longer matters; just use a nice simple sentence and you're all set.

    does one then just hit apply and close and the system is "locked" when both on to the neighbor next door?
    Only insofar as the neighbors don't know your passphrase. If you share it with them, they can configure their computers to use your wireless. Think of what you're configuring here as a network security mechanism, not a user or individual security control.

    Some wi-fi gear tries to complicate this too much by incorporating a user access control mechanism. Not everyone will agree with me here, but I view this as mostly a marketing gimmick. There are no standards for this (however, there is a standard for computer-based access control, which makes sense for enterprises but not home networks -- it requires a digital certificate authority). So wi-fi router manufacturers put all this extra junk in there which simply ends up confusing people even more. Here's a simple thing to remember: at the packet level, an access point has no idea what person generated a packet -- only what computer did.

    Bit of advice #1: ignore all those other settings. Once you've configured your WPA/WPA2 passphrase, you can consider your access point to be secure.

    One could go at it through the file structure using say: Dolphin
    Now you're entering a realm completely separate from wi-fi security: you've wandered into the land of file access control. And this, unlike the other, is truly a user-based access control mechanism.

    Depending on how the file structure works one might see if one clicks "samba shares" the router.
    Another bad idea. This gives the impression that you can adjust your access point's security, which is certainly not the case. Instead, the router is advertising itself as a file system. Again, in their efforts to lure you into buying their stuff, the consumer networking companies are adding file server capabilities directly into their routers (dumb, dumb, dumb). When you navigate the security settings here in Dolphin, you're configuring the security on the file system, not the security of the access point's wireless interface. Unfortunately, this distinction is poorly, if at all, documented.

    the question here is....just "who"....is...."others"
    Every object in Linux has an access control list. There are three aspect to the access control: an owner, a group, and others, or the rest of the world. Each aspect indicates which permissions apply. It's possible, for example, to create an access control list that grants read+write to the owner, read-only to a group, and nothing to everyone else. Generally, on your own home machines, you won't need to alter the permission settings on files. Linux automatically assigns you as the owner of files you create and also automatically sets the group owner to be the primary group of which you're a member -- and this membership is automatically taken care of for you.

    is "others" the people in the house that might walk over to get onto another computer in the house and one does not want them on "this" computer or is "others"....the neighbor next door?
    The confusion here results from what I described in my mini-rant above: by adding file server functionality to a home wi-fi router, it's easy for people to confuse the various security controls. Bit of advice #2: the passphrase you set on the wi-fi router to protect the wi-fi supersedes anything you might configure on the router's file sharing properties. If your neighbor doesn't know your router's passphrase, then even if a file's "other" group allowed read+write, your neighbor won't be able to make a connection to whatever thing you might have connected to the file sharing mechanism.

    is there a SIMPLE set of instructions
    I hope what I've typed here helps clear things up a bit. To fix an existing home network setup, my suggestion would be Bit of advice #3: start over.
    • Locate the documentation for your wi-fi router (probably online) and find the steps for performing a hard reset.
    • Connect a computer to one of the router's LAN ports and allow the computer to automatically obtain an IP address.
    • Log on to the router's administration interface and -- before you do anything else -- set a password! This is, of course, not the thing that encrypts traffic, but instead prevents others from logging on to your router (yep, yet another password for yet another purpose).
    • Next, configure wi-fi security. Use only WPA2 (preferred) or WPA (acceptable); don't use WEP at all -- it's totally broken. I can crack your WEP in minutes. Use a passphrase that's easy to type, because you don't want to be typing difficult character patterns when sometimes all you can see on the screen is a row of dots.
    • Write down both the router's administration password and your wi-fi passphrase. Yes, contrary to what some people claim, it's perfectly fine to write down your secrets, so long as you protect the piece of paper!
    • Delete and reconfigure wireless settings on all your computers. You'll be prompted to enter your wi-fi passphrase. If the GUI asks for a password instead, just remember that there's no consensus on what to call this thing, so think for a moment what you're doing: you're joining your computer to your network, so here you'd enter your wi-fi secret, not your access point administration secret. If you think about this distinction between the two secrets, it'll help you keep things straight.


    From this point, you can consider yourself finished. You've effectively isolated your network from your neighbors. They can't consume your bandwidth, your wireless traffic is safe from eavesdropping, they can't access the computers behind the router, and the data stored on those computers is not available to them. Honestly, it was easier to secure their home networks a few years ago than it is now, precisely because the home networking gear has become too complex for most people. Complexity is the enemy of security. Keep things simple and you're much more likely to have gotten it right.

    Comment


      #3
      Re: discussion wireless security retroactively apply router security/password/key

      Fantastic response Steve. I hope the mods sticky this post.

      Please Read Me

      Comment


        #4
        Re: discussion wireless security retroactively apply router security/password/key

        I agree with how Steve worded his responses. I've been on that side for about as long and can really agree with what he is saying. Along with that, I'm also a believer in STRONG Passkeys and Passwords. Some of mine can easily be nearly 12 to 16 characters/number/symbols long. And yes, it is a mix of characters/number/symbols. Some systems, though, do not allow symbols and I have seen some that don't go over a certain length as well. At which case I use the MAX that it will allow.

        Comment


          #5
          Re: discussion wireless security retroactively apply router security/password/key

          Sidebar: Am I the only person who's not totally paranoid about my internet connection? With a wireless distance of most routers isn't your "security breech zone" rather small - like a couple hundred feet?

          Ok, someone in my neighborhood decides that I am a better target than the other 20 wireless routers (I live in the city) within reach. Then what? Packet sniffing until they get my passphrase? Ok, now they're on my internet connection, now what? Steal my bandwidth? Guess my login or root passwords? And what for, to steal the $45 I have in my Paypal account? - oh yeah, different password.

          I'm not suggesting not using WPA2 (I don't) but I have no first-hand knowledge of anyone ever being hacked to the degree that they know it happened. My sister got a virus that gave someone access to her email account, but that happens regardless of passphase security. Has anyone been sent to jail because someone else gained access to their internet connection? I don't know of any cases.

          Just my opinion, but I think most home users are made safer by the fact there's not much to gain from hacking them this way than they are by a long passphrase. The payoff just isn't worth the time of any decent hacker. I think most "news" stories about the dangers of hackers are planted by the same people who advertise for home alarm companies.

          Commercial users may have a lot to lose so that's a different story.

          I did have a short conversation with a contractor who works in internet security with the Federal Government. He said the biggest problem is botnets but using linux went a long way to keep me secure. Of course, he makes money from security too...

          Please Read Me

          Comment


            #6
            Re: discussion wireless security retroactively apply router security/password/key

            Woah !!!! I second the above opinions, Steve Riley...GREAT post!

            So.....to me.... after your fine discussion, the salient point seems to be in the sentence...

            •Locate the documentation for your wi-fi router (probably online) and find the steps for performing a hard reset

            This says, to me, that ......at the stage of "wanting to do it retroactively".... one CANNOT ....just enter a passphrase in the box and it will "take".

            One really does have to find the "original" key/password/phrase that was in the original documentation OR find it online ....

            BUT THEN..... this line implies that possibly not all hardware requires an "original password" from the manufacturer....

            •Log on to the router's administration interface and -- before you do anything else -- set a password!

            Is that correct? Not all routers require an original password and one can "just set" A password?

            Then follow your steps......

            If that is correct then I think that right here....at Kubuntu forums..... right here....here....at the forums....... the spendid instructions of Steve Riley

            RIGHT HERE....at THESE FORUMS...right here....

            all right camel breath (quoting Johnny Carson to Ed mcMahon.... ) enough already woodsmoke!!!

            but yes... the above is the pithiest set of instructions that I have seen.

            thanks again Steve and all the others who posted.

            woodsmoke

            Comment


              #7
              Re: discussion wireless security retroactively apply router security/password/key

              Originally posted by oshunluvr
              Fantastic response Steve. I hope the mods sticky this post.
              Thanks. Just doing what I like to do

              Originally posted by MoonRise
              At which case I use the MAX that it will allow.
              Once upon a time I had a customer whose corporate password policy was to use the maximum length permitted by the operating system. Well, in the NT4 days, that was 15 characters, so pretty easy. Then along comes Windows 2000. How long of a password can you use there? The UI allows you to type 128 characters, but the true max is 256. So to stay in line with his policies, users would have to generate something like "mydogandiwentdowntothecornergrocerystoretodayandw henwegotthere- wesawsallyandshelookedsoniceandguesswhatshehadanew kittywellthatkittyandmydog..." Come on people, pass phrases are good, pass paragraphs are too much!

              More on passphrases vs. passwords... Another customer once lamented she simply couldn't follow the typical directions: 10 characters, with a number somewhere in the middle. She said, "I don't know any 10-character words!" Imagine trying to maintain your composure in a business meeting when you hear that. Then she went on to say, "And I don't know any words with numbers in them!" I had to bury my face in my smartphone to conceal my snicker. But the story stuck: calling the secret a password artificially limits one's thinking. This is how we came to know that passphrase is a much better descriptor.

              Comment


                #8
                Re: discussion wireless security retroactively apply router security/password/key

                Originally posted by oshunluvr
                Sidebar: Am I the only person who's not totally paranoid about my internet connection?
                You aren't the only one to wonder this. However, read on...

                With a wireless distance of most routers isn't your "security breech zone" rather small - like a couple hundred feet?
                Learn about a wonderful invention called a cantenna. I've seen them, I've built them. One time I described these at a presentation in Australia; the following year, someone brought his and asked me to autograph it

                Ok, someone in my neighborhood decides that I am a better target than the other 20 wireless routers (I live in the city) within reach. Then what? Packet sniffing until they get my passphrase? Ok, now they're on my internet connection, now what? Steal my bandwidth?
                Indeed. Bandwidth theft has been a known problem for a while. Courts are still sorting liability, but I don't envision unicorns farting rainbows across the land in the future. Semi-monopolies like ISPs seem more and more willing to bend over backwards to government pressure to transfer liabilities to customers. Yes, someone can be prosecuted for stealing your bandwidth. But if they use your network to download child pr0n, it's highly likely that you could be held partially responsible for not taking appropriate precautions to prevent that.

                Guess my login or root passwords? And what for, to steal the $45 I have in my Paypal account? - oh yeah, different password.
                The PayPal log on is protected with SSL, so your password remains confidential. But -- even today -- plenty of web sites and other applications still transmit clear-text passwords. Credit card numbers, too.

                I'm not suggesting not using WPA2 (I don't) but I have no first-hand knowledge of anyone ever being hacked to the degree that they know it happened.
                May I urge you to reconsider? Someone driving by your house and hopping on your unprotected wireless network is now behind your router or firewall (this is true even if your access point is also your router). If the attacker is using a wireless card that works in promiscuous mode, he can see every wireless datagram flowing throughout your network.

                Just my opinion, but I think most home users are made safer by the fact there's not much to gain from hacking them this way than they are by a long passphrase. The payoff just isn't worth the time of any decent hacker.
                The payoff is bigger than you might think. While email-borne attacks are the primary route for botnet zombie infections, finding vulnerable machines behind unsecured access points is another common attack vector. Unlike wired Ethernet, which requires an attacker to obtain physical access to the cable plant, wireless networks provide potentially unfettered access.

                Comment


                  #9
                  Re: discussion wireless security retroactively apply router security/password/key

                  Originally posted by woodsmoke
                  Woah !!!! I second the above opinions, Steve Riley...GREAT post!
                  My pleasure, thanks.

                  BUT THEN..... this line implies that possibly not all hardware requires an "original password" from the manufacturer....
                  When consumer wireless gear first started appearing, it was configured with no administrative password and no encryption key/passphrase. Manufacturers then grudgingly added default administrative passwords. I quit counting the number of access points I "managed" by searching for SSID="linksys" password="default" when it became predictable (read: every. single. time).

                  Is that correct? Not all routers require an original password and one can "just set" A password?
                  Nowadays, modern equipment is more likely than not to walk you through the process of configuring both the administrative password and the security key/phrase. That's why I recommend a hard reset. From this point you can establish a baseline that you know: either you have to manually configure it, or you can let it help you navigate the process.

                  the spendid instructions of Steve Riley

                  RIGHT HERE....at THESE FORUMS...right here....

                  all right camel breath (quoting Johnny Carson to Ed mcMahon.... ) enough already woodsmoke!!!

                  but yes... the above is the pithiest set of instructions that I have seen.
                  You guys are too much! I've learned a lot about Linux/Ubunutu/Kubuntu/KDE from this forum. I'm simply doing my part to contribute back.

                  Comment


                    #10
                    Re: discussion wireless security retroactively apply router security/password/key

                    Originally posted by SteveRiley

                    Learn about a wonderful invention called a cantenna. I've seen them, I've built them. One time I described these at a presentation in Australia; the following year, someone brought his and asked me to autograph it
                    Some people are sooooo desperate ..... well, OK, here's mine:

                    [img width=400 height=300]http://img802.imageshack.us/img802/8729/parabolicwifi.png[/img]


                    That is a really nice writeup, Steve. I'm with oshunluvr -- heck, half of my suburban neighbors don't even have their encryption turned on. And I should tighten up? I don't think so.

                    Comment


                      #11
                      Re: discussion wireless security retroactively apply router security/password/key

                      I looked into a can-tenna awhile back for use in my RV.

                      Watch out campers - I'm hacking your connection soon!

                      Please Read Me

                      Comment


                        #12
                        Re: discussion wireless security retroactively apply router security/password/key

                        Yeah, I'm diverting... but:



                        Separated at birth...?

                        Comment


                          #13
                          Re: discussion wireless security retroactively apply router security/password/key

                          Originally posted by SteveRiley

                          Separated at birth...?

                          No, no, no -- regardless of the striking similarity, he's a distant cousin.

                          Comment


                            #14
                            Re: discussion wireless security retroactively apply router security/password/key

                            There was also this on Lifehacker:
                            Use an Aluminum Can as a Wi-Fi Extender
                            - http://lifehacker.com/5839243/use-an...wi+fi-extender . Beer cans anyone?

                            Aside: Judged to be the funniest joke at the Edinburgh Festival this year.
                            ‘I Needed A Password Eight Characters Long So I Picked Snow White And The Seven Dwarves’
                            "A problem well stated is a problem half solved." --Charles F. Kettering
                            "Sometimes the questions are complicated and the answers are simple."--Dr. Seuss

                            Comment


                              #15
                              Re: discussion wireless security retroactively apply router security/password/key

                              Please reread what I wrote. I did not suggest using an insane length as such. I suggest those systems that restricts the length, of which I know some do to 8 to 12, to use the Max. I had other stuff after this but I really don't feel like getting into a war on who's philosophy is correct. I agree with what Steve said originally.

                              Comment

                              Working...
                              X