A Windows XP help forum. PCbanter


Network security, passwords and keys



 
 
#16
December 25th 15, 07:28 PM, posted to alt.windows7.general
Micky
Posts: 1,528

On Fri, 25 Dec 2015 09:17:10 -0500, Stan Brown
wrote:

On Fri, 25 Dec 2015 00:36:53 -0500, Micky wrote:
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?


If an interloper is in your house, and connects to your router with
an Ethernet cable, you've got bigger problems than router security.

You _did_ set the option that says configuration must be by wired
connection, right?


Yesterday I said that option doesn't seem to exist, but today I found
it and iiuc, yes, it's set.

Remote Management - Disabled

Yet I was able to change a value of not great importance (what items
get included in the log) from my laptop. ????



The Help file says "Remote Management
Remote Management allows the device to be configured through the WAN
(Wide Area Network) port from the Internet using a web browser. A
username and password is still required to access the browser-based
management interface.
IP Address - Internet IP address of the computer that has access to
the DI-524. If the IP address is set to *, this allows all Internet IP
addresses to access the DI-524.

[I could set this to my IP address, but I'm not sure that stays the
same all the time!!]

Port - The port number used to access the DI-524.
Example:
http://x.x.x.x:8080 whereas x.x.x.x is the WAN IP address of the
DI-524 and 8080 is the port used for the Web-Management interface."

It's set to the default, 8080, but has other choices, 80, 88, and
1080.


There are also downloadable firmware updates:
Firmware 3.23
Date: 07/05/2006
Revision Info:
Fixed Security Issues.
Improved Performance

Firmware 3.20
Date: 09/01/2005
Revision Info:
Fixed MAC filtering bug.
Fixed WPA-PSK bug.
Added WPA2 support

But I'm always afraid to update firmware, and haven't found the
instructions yet anyhow.
#17
December 26th 15, 04:09 AM, posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Micky
Posts: 1,528

On Fri, 25 Dec 2015 11:25:51 -0600, Char Jackson
wrote:

On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.


Very helpful information. One of the reasons I just installed the new
firmware on the router, to get WPA2, which iirc I didn't have until
just now.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.


My neighbors are not very technical, although one had a nephew who was
a drunk. I saw him at the nearby shopping strip and he asked me to
buy him a big bottle of beer. Gave me the money. I did it, but when
the owner figured out what I was doing, just as he was giving me the
change, he told me not to do it again. (I'm still glad I did it once,
because he vouched for me with his hoodlum friends. I don't think
he's a hoodlum, except when he's drunk he has no judgment.) She let
him live with her to be nice to him, and he brought home some guys who
knew he was drunk and came there with him to rob the place. They
found this very heavy "safe" which they managed to break open while
walking around the back of my house (about 100 feet from her house. We
are in the same townhouse section.) Because I have a fence, I didn't
see it for an extra day, and I sure had trouble carrying it back to
her. But it had a lot of her papers and she'd already stopped the
credit cards.

She didn't want to but she kicked her nephew out, and I never see him
anymore, and that's the kind of risk I faced, much more than n'bors
hacking me. But it's a small risk. My front door got kicked in 32
years ago, between 6 and 7 on a Sunday night, but the n'bor's dog may
have scared them away. Nothing was stolen. He barked all the time
and drove me crazy, kept me from falling asleep at night and woke me
up 15 minutes before I had to be up even on workdays, but that day it
was good.

And one time, someone stole two gas lawnmowers, push mowers, that I
had spent weeks trying to start even one of them. LOL

And another time they stole a bicycle I got from the trash, from which
I had removed the seat and seatpost, to get a longer seat post. But
I couldn't find even a regular length seatpost in that diameter (1",
iirc) Which means they're stuck with a bike but no seat or seatpost.
LOL

No one's touched my car, even though I leave it parked with the top
down if I'm going out again.

Those are the only problems in 32 years.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.


Thanks. I'll get back to you.
#18
December 26th 15, 07:37 PM, posted to alt.windows7.general
Char Jackson
Posts: 10,449

On Fri, 25 Dec 2015 14:28:51 -0500, Micky wrote:

On Fri, 25 Dec 2015 09:17:10 -0500, Stan Brown
wrote:

On Fri, 25 Dec 2015 00:36:53 -0500, Micky wrote:
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?


If an interloper is in your house, and connects to your router with
an Ethernet cable, you've got bigger problems than router security.

You _did_ set the option that says configuration must be by wired
connection, right?


Yesterday I said that option doesn't seem to exist, but today I found
it and iiuc, yes, it's set.

Remote Management - Disabled

Yet I was able to change a value of not great importance (what items
get included in the log) from my laptop. ????


Most likely, you were connected to the router via one of its LAN ports, not
via the WAN port. As you posted below, *remote* management refers to
accessing the router via its WAN port. Typically, the WAN port is where your
Internet connection comes into the router.

WAN = Wide Area Network, for example the Internet.
LAN = Local Area Network, for example the network in your home.

Note that WiFi connections to your router are also on the LAN side, similar
to connecting to a LAN port.

The Help file says "Remote Management
Remote Management allows the device to be configured through the WAN
(Wide Area Network) port from the Internet using a web browser. A
username and password is still required to access the browser-based
management interface.
IP Address - Internet IP address of the computer that has access to
the DI-524. If the IP address is set to *, this allows all Internet IP
addresses to access the DI-524.

[I could set this to my IP address, but I'm not sure that stays the
same all the time!!]


The most straightforward option, if you want to use that particular security
feature, is to make sure that your PC always has the same IP address. You
can do that by configuring a static IP on your PC, or by configuring a DHCP
reservation on your router. Both methods accomplish the same thing, an IP
address that never changes, albeit with respective minor pros and cons.

Port - The port number used to access the DI-524.
Example:
http://x.x.x.x:8080 whereas x.x.x.x is the WAN IP address of the
DI-524 and 8080 is the port used for the Web-Management interface."

It's set to the default, 8080, but has other choices, 80, 88, and
1080.


Don't waste too much time on the port. Every script kiddie will run a port
scanner and within moments they'll know exactly which ports are open.

There are also downloadable firmware updates:
Firmware 3.23
Date: 07/05/2006
Revision Info:
Fixed Security Issues.
Improved Performance

Firmware 3.20
Date: 09/01/2005
Revision Info:
Fixed MAC filtering bug.
Fixed WPA-PSK bug.
Added WPA2 support


As a general rule, I would recommend upgrading to the latest version. Keep
in mind that you may be trading one set of bugs for another since no one
seems to put much effort into these things. If you want better firmware,
check whether dd-wrt is supported. I run that on almost everything around
here.

But I'm always afraid to update firmware, and haven't found the
instructions yet anyhow.


It's doubtful that instructions would be needed. There are only a few steps
and they're mostly obvious. Download the file from a trusted source and save
it where you can find it. Go to the router's admin page and click where
necessary. Navigate to the downloaded file, select it, etc. Do it over a
wired connection versus wireless, and once the process starts just let it
finish without interruption. No need to be afraid. I've upgraded (and
downgraded, sometimes) hundreds of routers and never had a problem. I
bricked a cable modem once, but recovered after cobbling together a JTAG
cable. You won't have any trouble; it's nearly foolproof.

--

Char Jackson
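
An added example (not part of any post in the thread): a Python self-check for the point made in post #18 that the LAN or WAN side, not the port number, decides whether the admin page is reachable. It tries the four ports the DI-524 help text lists; `side_of`, `open_ports`, `audit` and the address 192.168.0.1 are hypothetical names and values chosen for this sketch.

```python
import ipaddress
import socket

# Ports the DI-524 help text lists for the web-management interface.
MGMT_PORTS = (80, 88, 1080, 8080)

# Address ranges treated as the LAN side (RFC 1918 plus loopback).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def side_of(address):
    """Return "LAN" for a private/loopback address, otherwise "WAN"."""
    ip = ipaddress.ip_address(address)
    return "LAN" if any(ip in net for net in LAN_NETS) else "WAN"


def open_ports(host, ports=MGMT_PORTS, timeout=1.0):
    """Return the ports on which `host` accepts a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered (timeout) or unreachable
            pass
    return found


def audit(host, ports=MGMT_PORTS, timeout=1.0):
    """Check one of your own router's addresses and explain the result."""
    side, reachable = side_of(host), open_ports(host, ports, timeout)
    if side == "LAN":
        verdict = "LAN side: the admin page is expected here, password-protected"
    elif reachable:
        verdict = "WAN side answers: remote management or a port forward is exposed"
    else:
        verdict = "WAN side: none of the management ports answer"
    return {"host": host, "side": side, "open": reachable, "verdict": verdict}


if __name__ == "__main__":
    # 192.168.0.1 is a constructed LAN address; substitute your router's own.
    # To test the WAN address, run this from a connection outside your network:
    # probed from inside, many routers answer on the WAN IP via the LAN side.
    print(audit("192.168.0.1"))
```

Checking all four ports takes a few seconds at most, which is why moving the management port to another number adds nothing once the WAN side answers at all.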
#19
December 28th 15, 07:42 AM, posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Mike S[_4_]
Posts: 496

On 12/25/2015 9:25 AM, Char Jackson wrote:
On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...

"Your Impression is true..the companies that produced these new routers
realised the WPS flaw. As a result they have tightened up their controls
on WPS security and this includes the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link

#20
December 28th 15, 03:17 PM, posted to microsoft.public.windowsxp.general,microsoft.public.windows.vista.general,alt.windows7.general
Char Jackson
Posts: 10,449

On Sun, 27 Dec 2015 23:42:54 -0800, Mike S wrote:

On 12/25/2015 9:25 AM, Char Jackson wrote:
On Fri, 25 Dec 2015 00:24:01 -0500, Micky wrote:

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.


Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...


Ineffective is too strong. I'll agree with less effective.

As you noted in the quote below, the proposed solution for the WPS
vulnerability was to introduce a rate limiting feature. That doesn't solve
the issue, though. It only means a successful attack is likely to take
longer. OTOH, the best case scenario for the attacker is that his software
makes a successful guess on the first attempt, rendering the rate limiting
feature completely moot. Even without such good fortune for the attacker, if
he or she lives close by, they'll have all the time in the world. The rate
limiting feature means the attack is likely to take longer, but it won't be
stopped. Drive-by's were never the attack vector here, so the fact that it
might take longer isn't a strong selling point. Also, statistically, some
portion of attacks will be successful very early in the process, all but
eliminating rate limiting as a factor. I'd like to see a real solution, not
a band-aid.

"Your Impression is true..the companies that produced these new routers
realised the WPS flaw."


Heh, yeah, after they got beaten up in the press about it.

As a result they have tightened up their controls
on WPS security and this includes the AP rate limiting feature"

https://forums.kali.org/showthread.p...nd-Useful-Link


Keep in mind, too, how many routers are in the field with the WPS issue, and
how few router owners pay attention to security or ever upgrade their
router's firmware. Heck, I still have people using WEP around here, and
that's been fully broken for a decade.

--

Char Jackson
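
An added example (not from the thread) that puts numbers on the rate-limiting argument in post #20: a lockout stretches the worst case, while the chance of an early hit stays above zero. The guess-space size of 11,000 is the commonly cited upper bound for the WPS PIN method and, like the timing and lockout values, is an assumption here, not a figure from the posts.

```python
# Constructed model parameters (assumptions, not measurements).
N = 11_000        # size of the guess space
ATTEMPT_S = 3     # seconds per guess
BURST = 3         # failed guesses allowed before the AP locks out
LOCK_S = 60       # lockout duration in seconds


def time_for_attempts(k, attempt_s, burst, lock_s):
    """Seconds to make k guesses when every `burst` failures cost a lockout."""
    if k <= 0:
        return 0
    return k * attempt_s + ((k - 1) // burst) * lock_s


def attempts_within(budget_s, attempt_s, burst, lock_s):
    """Largest number of guesses that fits into budget_s seconds."""
    cycle = burst * attempt_s + lock_s      # one burst plus its lockout
    full, rest = divmod(budget_s, cycle)
    return int(full * burst + min(burst, rest // attempt_s))


def success_probability(budget_s, n, attempt_s, burst, lock_s):
    """Chance that a uniform guesser without repeats hits within budget_s."""
    return min(1.0, attempts_within(budget_s, attempt_s, burst, lock_s) / n)


def compare(n, attempt_s, burst, lock_s, budgets_s):
    """Worst case (hours) and success chance per budget: (no limit, limited)."""
    rows = {"worst_case_h": (
        time_for_attempts(n, attempt_s, n, 0) / 3600,
        time_for_attempts(n, attempt_s, burst, lock_s) / 3600)}
    for b in budgets_s:
        rows[b] = (success_probability(b, n, attempt_s, n, 0),
                   success_probability(b, n, attempt_s, burst, lock_s))
    return rows


if __name__ == "__main__":
    hour, day = 3600, 86400
    for key, (plain, limited) in compare(
            N, ATTEMPT_S, BURST, LOCK_S, [hour, day, 7 * day]).items():
        print(f"{key!s:>12}: no limit {plain:8.3f}   rate-limited {limited:8.3f}")
```

With these values the lockout moves the worst case from about 9 hours to about 70 hours, yet a guesser still has roughly a one-in-three chance within a day; turning WPS off in the router settings removes the guessable value altogether.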
 





All times are GMT +1. The time now is 02:47 PM.

