#16
Network security, passwords and keys
On Fri, 25 Dec 2015 09:17:10 -0500, Stan Brown wrote:

> On Fri, 25 Dec 2015 00:36:53 -0500, Micky wrote:
>
> > All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.
> >
> > But in a moment of possible enlightenment, it occurred to me that if an interloper can log into my router, he can change the key so that iiuc I won't be able to use the net. That's bad, right?
>
> If an interloper is in your house, and connects to your router with an Ethernet cable, you've got bigger problems than router security.
>
> You _did_ set the option that says configuration must be by wired connection, right?

Yesterday I said that option doesn't seem to exist, but today I found it and iiuc, yes, it's set.

Remote Management - Disabled

Yet I was able to change a value of not great importance (what items get included in the log) from my laptop. ????

The Help file says

"Remote Management
Remote Management allows the device to be configured through the WAN (Wide Area Network) port from the Internet using a web browser. A username and password is still required to access the browser-based management interface.

IP Address - Internet IP address of the computer that has access to the DI-524. If the IP address is set to *, this allows all Internet IP addresses to access the DI-524. [I could set this to my IP address, but I'm not sure that stays the same all the time!!]

Port - The port number used to access the DI-524. Example: http://x.x.x.x:8080 whereas x.x.x.x is the WAN IP address of the DI-524 and 8080 is the port used for the Web-Management interface."

It's set to the default, 8080, but has other choices, 80, 88, and 1080.

There are also downloadable firmware updates:

Firmware 3.23
Date: 07/05/2006
Revision Info: Fixed Security Issues. Improved Performance

Firmware 3.20
Date: 09/01/2005
Revision Info: Fixed MAC filtering bug. Fixed WPA-PSK bug. Added WPA2 support

But I'm always afraid to update firmware, and haven't found the instructions yet anyhow.
#17
On Fri, 25 Dec 2015 11:25:51 -0600, Char Jackson wrote:

> On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:
>
> > All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.
>
> Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes.

Very helpful information. One of the reasons I just installed the new firmware on the router, to get WPA2, which iirc I didn't have until just now.

> Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run.

My neighbors are not very technical, although one had a nephew who was a drunk. I saw him at the nearby shopping strip and he asked me to buy him a big bottle of beer. Gave me the money. I did it, but when the owner figured out what I was doing, just as he was giving me the change, he told me not to do it again. (I'm still glad I did it once, because he vouched for me with his hoodlum friends. I don't think he's a hoodlum, except when he's drunk he has no judgment.)

She let him live with her to be nice to him, and he brought home some guys who knew he was drunk and came there with him to rob the place. They found this very heavy "safe" which they managed to break open while walking around the back of my house (about 100 feet from her house. We are in the same townhouse section.) Because I have a fence, I didn't see it for an extra day, and I sure had trouble carrying it back to her. But it had a lot of her papers and she'd already stopped the credit cards. She didn't want to but she kicked her nephew out, and I never see him anymore, and that's the kind of risk I faced, much more than n'bors hacking me.

But it's a small risk. My front door got kicked in 32 years ago, between 6 and 7 on a Sunday night, but the n'bor's dog may have scared them away. Nothing was stolen. He barked all the time and drove me crazy, kept me from falling asleep at night and woke me up 15 minutes before I had to be up even on workdays, but that day it was good.

And one time, someone stole two gas lawnmowers, push mowers, that I had spent weeks trying to start even one of them. LOL

And another time they stole a bicycle I got from the trash, from which I had removed the seat and seatpost, to get a longer seat post. But I couldn't find even a regular length seatpost in that diameter (1", iirc) Which means they're stuck with a bike but no seat or seatpost. LOL

No one's touched my car, even though I leave it parked with the top down if I'm going out again.

Those are the only problems in 32 years.

> Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.

Thanks. I'll get back to you.
#18
On Fri, 25 Dec 2015 14:28:51 -0500, Micky wrote:

> On Fri, 25 Dec 2015 09:17:10 -0500, Stan Brown wrote:
>
> > On Fri, 25 Dec 2015 00:36:53 -0500, Micky wrote:
> >
> > > All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.
> > >
> > > But in a moment of possible enlightenment, it occurred to me that if an interloper can log into my router, he can change the key so that iiuc I won't be able to use the net. That's bad, right?
> >
> > If an interloper is in your house, and connects to your router with an Ethernet cable, you've got bigger problems than router security.
> >
> > You _did_ set the option that says configuration must be by wired connection, right?
>
> Yesterday I said that option doesn't seem to exist, but today I found it and iiuc, yes, it's set.
>
> Remote Management - Disabled
>
> Yet I was able to change a value of not great importance (what items get included in the log) from my laptop. ????

Most likely, you were connected to the router via one of its LAN ports, not via the WAN port. As you posted below, *remote* management refers to accessing the router via its WAN port. Typically, the WAN port is where your Internet connection comes into the router.

WAN = Wide Area Network, for example the Internet.
LAN = Local Area Network, for example the network in your home.

Note that WiFi connections to your router are also on the LAN side, similar to connecting to a LAN port.

> The Help file says
>
> "Remote Management
> Remote Management allows the device to be configured through the WAN (Wide Area Network) port from the Internet using a web browser. A username and password is still required to access the browser-based management interface.
>
> IP Address - Internet IP address of the computer that has access to the DI-524. If the IP address is set to *, this allows all Internet IP addresses to access the DI-524. [I could set this to my IP address, but I'm not sure that stays the same all the time!!]

The most straightforward option, if you want to use that particular security feature, is to make sure that your PC always has the same IP address. You can do that by configuring a static IP on your PC, or by configuring a DHCP reservation on your router. Both methods accomplish the same thing, an IP address that never changes, albeit with respective minor pros and cons.

> Port - The port number used to access the DI-524. Example: http://x.x.x.x:8080 whereas x.x.x.x is the WAN IP address of the DI-524 and 8080 is the port used for the Web-Management interface."
>
> It's set to the default, 8080, but has other choices, 80, 88, and 1080.

Don't waste too much time on the port. Every script kiddie will run a port scanner and within moments they'll know exactly which ports are open.

> There are also downloadable firmware updates:
>
> Firmware 3.23
> Date: 07/05/2006
> Revision Info: Fixed Security Issues. Improved Performance
>
> Firmware 3.20
> Date: 09/01/2005
> Revision Info: Fixed MAC filtering bug. Fixed WPA-PSK bug. Added WPA2 support

As a general rule, I would recommend upgrading to the latest version. Keep in mind that you may be trading one set of bugs for another since no one seems to put much effort into these things. If you want better firmware, check whether dd-wrt is supported. I run that on almost everything around here.

> But I'm always afraid to update firmware, and haven't found the instructions yet anyhow.

It's doubtful that instructions would be needed. There are only a few steps and they're mostly obvious. Download the file from a trusted source and save it where you can find it. Go to the router's admin page and click where necessary. Navigate to the downloaded file, select it, etc. Do it over a wired connection versus wireless, and once the process starts just let it finish without interruption.

No need to be afraid. I've upgraded (and downgraded, sometimes) hundreds of routers and never had a problem. I bricked a cable modem once, but recovered after cobbling together a JTAG cable. You won't have any trouble; it's nearly foolproof.

--
Char Jackson
#19
On 12/25/2015 9:25 AM, Char Jackson wrote:

> On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:
>
> > All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.
>
> Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes.
>
> Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run.
>
> Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps to make brute force attacks ineffective...

"Your Impression is true..the companies that produced these new routers realised the WPS flaw. As a result they have tighten up their controls on WPS security and this include the AP rate limiting feature"
https://forums.kali.org/showthread.p...nd-Useful-Link
#20
On Sun, 27 Dec 2015 23:42:54 -0800, Mike S wrote:

> On 12/25/2015 9:25 AM, Char Jackson wrote:
>
> > On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:
> >
> > > All this time I've been thinking that if WEP or WPA-PSK enabled and a proper key, I have adequate router security.
> >
> > Others have responded to most of your questions and points, but I wanted to emphasize that WEP is completely broken and has been so since about 2006. With the right tools, all freely available, a WEP passphrase can be retrieved in under 3 minutes.
> >
> > Some implementations of WPA-PSK and WPA2-PSK are also broken, but take significantly longer to retrieve a passphrase, usually on the order of 1-7 days or so, so can be considered secure from passersby but not from the person living next door who has all the time in the world to let his tools run.
> >
> > Lastly, WPS (WiFi Protected Setup) is also broken in some implementations such that affected routers can simply be asked to provide their WiFi password and they will happily do so. If you're blessed with a router that suffers from an improper WPS implementation, then it doesn't matter how long and hairy you make the WiFi password, or how often you change it. Tools exist, also freely available like the others above, to simply interrogate the router and ask it to provide the WiFi password (over WiFi, of course). Enjoy.
>
> If you're referring to Backtrack and Reaver, companies are taking steps to make brute force attacks ineffective...

Ineffective is too strong. I'll agree with less effective. As you noted in the quote below, the proposed solution for the WPS vulnerability was to introduce a rate limiting feature. That doesn't solve the issue, though. It only means a successful attack is likely to take longer. OTOH, the best case scenario for the attacker is that his software makes a successful guess on the first attempt, rendering the rate limiting feature completely moot. Even without such good fortune for the attacker, if he or she lives close by, they'll have all the time in the world. The rate limiting feature means the attack is likely to take longer, but it won't be stopped.

Drive-by's were never the attack vector here, so the fact that it might take longer isn't a strong selling point. Also, statistically, some portion of attacks will be successful very early in the process, all but eliminating rate limiting as a factor. I'd like to see a real solution, not a band-aid.

> "Your Impression is true..the companies that produced these new routers realised the WPS flaw."

Heh, yeah, after they got beaten up in the press about it.

> As a result they have tighten up their controls on WPS security and this include the AP rate limiting feature"
> https://forums.kali.org/showthread.p...nd-Useful-Link

Keep in mind, too, how many routers are in the field with the WPS issue, and how few router owners pay attention to security or ever upgrade their router's firmware. Heck, I still have people using WEP around here, and that's been fully broken for a decade.

--
Char Jackson