Sign in with
Sign up | Sign in
Your question

Wireless Security (lack of)

Last response: in Wireless Networking
Share
Anonymous
October 12, 2004 1:41:24 PM

Archived from groups: (More info?)

Hi, and thanks for any help.

I have read previous posts and this article:
http://netsecurity.about.com/od/hackertools/a/aa072004b...

about securing my Belkin 802.11b wireless router:
http://catalog.belkin.com/IWCatProductPage.process?Merc...

I have implemented the SSID, disabled the broadcasting and set the
encryption to 128 bit generated by a unique passphrase.

Yesterday a tech friend from down the road came over to do some work.
With his laptop, he was on my network in less than ten seconds,
without knowing anything about the settings. I asked him how he did
it and he said that my network's not secure. Can anyone explain to me
how this is possible? Is there something I'm overlooking in the
security settings? At first I thought perhaps he was picking up a
neighbor's router. But I can't detect any other connections local to
my house. I then double checked the wireless settings and everything
is as it should be. Any ideas?

Thanks
Doug

More about : wireless security lack

Anonymous
October 12, 2004 3:52:10 PM

Archived from groups: (More info?)

On 12 Oct 2004 09:41:24 -0700, delphiprog@hotmail.com (Doug Beattie)
wrote:

>I have implemented the SSID, disabled the broadcasting and set the
>encryption to 128 bit generated by a unique passphrase.
>Yesterday a tech friend from down the road came over to do some work.
>With his laptop, he was on my network in less than ten seconds,
>without knowing anything about the settings.

That's far too fast to decrypt the WEP key. My guess is that you have
inscribed a WEP key, but forgotten to enable encryption. Yes, I know
you said it was enabled but check it anyway.

Also, are you sure he was actually able to *USE* your system and surf
the web? Open authentication allows a client to associate without
knowing the WEP/WPA encryption key. The various utilities show a
connection, but until a DHCP assigned IP address is delivered, the
client radio can't do anything.

>I asked him how he did
>it and he said that my network's not secure.

Perhaps it would be best if you asked him what he did and how he did
it?

>Can anyone explain to me
>how this is possible? Is there something I'm overlooking in the
>security settings? At first I thought perhaps he was picking up a
>neighbor's router. But I can't detect any other connections local to
>my house.

Reading between the lines, that vague description sorta hints that he
was able to surf the web through your router. With the SSID broadcast
disabled (a truely worthless idea), you can't easily tell what you're
connected to. What if your neighbors have SSID broadcast turned off?

Incidentally, I once had someone declare that he could break into
almost any wireless network with his collection of tools. So, I
attended the demonstration only to find out that he had TWO wireless
cards in his laptop. One was used for sniffing, capturing,
decrypting, and such, while the other was for the actual connection.
Nice idea except that during the demo, the 2nd card managed to
associate with an open access point, which allowed him to surf the
web. The demonstration was really impressive as it appeared that
could connect to an allegedly secure access point in a few seconds. I
had him run "IPCONFIG" and the cause of the instant success became
obvious. It then took me a frustrating 15 minutes to explain what was
happening to the attending crowd.

>I then double checked the wireless settings and everything
>is as it should be. Any ideas?

Triple check the settings.
Try it with YOUR laptop or desktop.
Interrogate your friend as to how he did it.
Remove the post-it note, with the WEP key inscribed, from the router.
Check thy assumptions.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
October 12, 2004 3:55:25 PM

Archived from groups: (More info?)

I guess I would ask your friend what he used and if he has suggestions for
securing your WAP.

No need to disable the SSID broadcast.

I wonder if your encryption is not enabled. Suggest you check it.

--
Bob Alston

bobalston9 AT aol DOT com
"Doug Beattie" <delphiprog@hotmail.com> wrote in message
news:453d59b7.0410120841.28e69071@posting.google.com...
> Hi, and thanks for any help.
>
> I have read previous posts and this article:
> http://netsecurity.about.com/od/hackertools/a/aa072004b...
>
> about securing my Belkin 802.11b wireless router:
> http://catalog.belkin.com/IWCatProductPage.process?Merc...
>
> I have implemented the SSID, disabled the broadcasting and set the
> encryption to 128 bit generated by a unique passphrase.
>
> Yesterday a tech friend from down the road came over to do some work.
> With his laptop, he was on my network in less than ten seconds,
> without knowing anything about the settings. I asked him how he did
> it and he said that my network's not secure. Can anyone explain to me
> how this is possible? Is there something I'm overlooking in the
> security settings? At first I thought perhaps he was picking up a
> neighbor's router. But I can't detect any other connections local to
> my house. I then double checked the wireless settings and everything
> is as it should be. Any ideas?
>
> Thanks
> Doug


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.775 / Virus Database: 522 - Release Date: 10/8/2004
Related resources
Anonymous
October 13, 2004 3:13:08 AM

Archived from groups: (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<d09om0d7ij43404hlc0eticfeoptu18vqh@4ax.com>...
> On 12 Oct 2004 09:41:24 -0700, delphiprog@hotmail.com (Doug Beattie)
> wrote:

Bob & Jeff thanks for your input. I have put a screen shot of the
main page of my router here: http://www.thegreatpuma.com/HomePage.JPG
and SSID page: http://www.thegreatpuma.com/ssid.JPG to maybe help a
little bit.

>
>
> That's far too fast to decrypt the WEP key. My guess is that you have
> inscribed a WEP key, but forgotten to enable encryption. Yes, I know
> you said it was enabled but check it anyway.
>
> Also, are you sure he was actually able to *USE* your system and surf
> the web? Open authentication allows a client to associate without
> knowing the WEP/WPA encryption key. The various utilities show a
> connection, but until a DHCP assigned IP address is delivered, the
> client radio can't do anything.
>

There was definitely a connection, we were both surfing the net
looking for a solution to an issue we were dealing with.

>
> Perhaps it would be best if you asked him what he did and how he did
> it?
>

Right, I did, and that's what he told me "your connection isn't
secure". I didn't think about it then - I assumed that maybe I'd left
something turned off. I didn't check on it until after he left. At
that point I found what I'm reporting here. I'm not going to see him
for another couple of days, so I will get more detail then.

>
> Reading between the lines, that vague description sorta hints that he
> was able to surf the web through your router. With the SSID broadcast
> disabled (a truely worthless idea), you can't easily tell what you're
> connected to. What if your neighbors have SSID broadcast turned off?
>

OK, I guess I'm confused. My laptop needs to know the SSID
"THEGREATPUMA" even though the SSID is not broadcast - I have to enter
that SSID before I can even associate to the router. So it, by
default, knows what it's connected to. If said SSID is not broadcast
(and not known by the person attempting to connect) I thought it would
then have to either be guessed or sniffed (if at all possible). Am I
wrong on this? Can you connect/associate to any router with SSID
broadcast disabled without that router's SSID? I think I'm missing
your point here.

>
> Triple check the settings.
> Try it with YOUR laptop or desktop.
> Interrogate your friend as to how he did it.
> Remove the post-it note, with the WEP key inscribed, from the router.
> Check thy assumptions.
>

Well, there's no post-it note, I'm really not that stupid ;-) In fact
I'm the only one that knows the generator key. Both my laptop and
desktop cannot see the connection without the correct ssid. They can
see it when I input the SSID, but cannot connect due to the
encryption. I will talk to him in a couple of days so it may be moot
at that point. Anyway, please do take a look at the screenshot I
posted above. When I get info from my buddy I'll post back with the
results.

Thanks again
Doug
Anonymous
October 13, 2004 11:53:54 AM

Archived from groups: (More info?)

delphiprog@hotmail.com (Doug Beattie) wrote:
>main page of my router here: http://www.thegreatpuma.com/HomePage.JPG
>and SSID page: http://www.thegreatpuma.com/ssid.JPG to maybe help a

OK, now show us the encryption page. Dunno what "128-auto" means in
this context. Feel free to disguise or change the keys if they show
up in the clear...

>There was definitely a connection, we were both surfing the net
>looking for a solution to an issue we were dealing with.

And yours is the only AP around?

>If said SSID is not broadcast
>(and not known by the person attempting to connect) I thought it would
>then have to either be guessed or sniffed (if at all possible).

This is true, though sniffing a "disabled" SSID broadcast is so
trivial that it's no longer reccomended as a security measure.
Anonymous
October 13, 2004 3:55:41 PM

Archived from groups: (More info?)

On 12 Oct 2004 23:13:08 -0700, delphiprog@hotmail.com (Doug Beattie)
wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<d09om0d7ij43404hlc0eticfeoptu18vqh@4ax.com>...
>> On 12 Oct 2004 09:41:24 -0700, delphiprog@hotmail.com (Doug Beattie)
>> wrote:

>Bob & Jeff thanks for your input. I have put a screen shot of the
>main page of my router here: http://www.thegreatpuma.com/HomePage.JPG
>and SSID page: http://www.thegreatpuma.com/ssid.JPG to maybe help a
>little bit.

Everything looks correct. Encryption enabled and set. I guess(tm)
auto means Open Authentication which is fine. Therefore, you did your
part correctly.

Drivel: I suggest you get off Channel 10 and move to 1, 6, or 11.
These are non-overlapping channels. Channel 10 will overlap slightly
onto Channel 6 users. It usually not a problem unless your close, but
if there's no overpowering reason to use Channel 10, I would make the
change.

>There was definitely a connection, we were both surfing the net
>looking for a solution to an issue we were dealing with.

Thanks for clearing that up. I couldn't tell if you simply had
associated with the access point, or if you had a functional
connection.

>Right, I did, and that's what he told me "your connection isn't
>secure".

Is your friend a philosopher? He talks like one. If he was that good
at hacking your connection, he would also have made specific
recommendations or helped you with the setup. At least I would have
done that even if I were in hurry. Something is fishy here.

>OK, I guess I'm confused. My laptop needs to know the SSID
>"THEGREATPUMA" even though the SSID is not broadcast - I have to enter
>that SSID before I can even associate to the router.

Correct. If you don't broadcast the SSID, you *usually* have to
manually set it in your client software.

>If said SSID is not broadcast
>(and not known by the person attempting to connect) I thought it would
>then have to either be guessed or sniffed (if at all possible). Am I
>wrong on this? Can you connect/associate to any router with SSID
>broadcast disabled without that router's SSID? I think I'm missing
>your point here.

Your partly correct. Normally, you need the SSID to connect.
However, many wireless client application will accept the word "ANY"
in the SSID field and literally connect with anything it can hear. I
do this because I'm lazy (and it's fun). I'm not sure if XP SP2 still
allows SSID=ANY trick. (Can someone check?)

Anyway, point was that you didn't do any checking of the SSID or run
any diagnostics (netstat, ipconfig, tracert) to see what you've
connected to. You assumed[1] that you had connected to your access
point. If your friend had it set to SSID=ANY, it could have been the
neighbors.

>Well, there's no post-it note, I'm really not that stupid ;-)

Back in the dot.com era of the internet, I used to do security audits
for a few large corporations. Basically, I was the sanity check their
IT people. The first thing I looked for were the inevitable post it
notes with passwords inscribed. I think my hit rate was about 2% of
users used this method of remembering cryptic passwords. The worst
offenders were the sysadmins and vendor representatives. Let's just
say it's a rather common security violation.

>In fact
>I'm the only one that knows the generator key.

Wrong. Many wireless clients save the SSID and WEP keys in plain text
in either config files or in the registry. I can fish it out of your
laptop fairly easily.
http://wlannews.otaku42.de/newsblog/index.php?p=30&more...

>Both my laptop and
>desktop cannot see the connection without the correct ssid. They can
>see it when I input the SSID, but cannot connect due to the
>encryption.

Good. Then your encryption is working properly.

>I will talk to him in a couple of days so it may be moot
>at that point. Anyway, please do take a look at the screenshot I
>posted above. When I get info from my buddy I'll post back with the
>results.

I predict that he won't be able to tell you if he connected to your
access point or someone elses. You can sorta try the same thing with
your laptop. Turn OFF your access point, set the SSID=ANY on your
laptop, and see if you can connect to something. My guess(tm) is that
you can. If so, try to identify the access point owner that their
system is insecure.

[1] Assumption, the mother of all screwups.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
October 13, 2004 8:52:12 PM

Archived from groups: (More info?)

"Doug Beattie" <delphiprog@hotmail.com> wrote in message
news:453d59b7.0410122213.6dc515bf@posting.google.com...
> Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message
> news:<d09om0d7ij43404hlc0eticfeoptu18vqh@4ax.com>...
>> On 12 Oct 2004 09:41:24 -0700, delphiprog@hotmail.com (Doug Beattie)
>> wrote:
>
> Bob & Jeff thanks for your input. I have put a screen shot of the
> main page of my router here: http://www.thegreatpuma.com/HomePage.JPG
> and SSID page: http://www.thegreatpuma.com/ssid.JPG to maybe help a
> little bit.
>
>>
>>
>> That's far too fast to decrypt the WEP key. My guess is that you have
>> inscribed a WEP key, but forgotten to enable encryption. Yes, I know
>> you said it was enabled but check it anyway.
>>
>> Also, are you sure he was actually able to *USE* your system and surf
>> the web? Open authentication allows a client to associate without
>> knowing the WEP/WPA encryption key. The various utilities show a
>> connection, but until a DHCP assigned IP address is delivered, the
>> client radio can't do anything.
>>
>
> There was definitely a connection, we were both surfing the net
> looking for a solution to an issue we were dealing with.

The most likely answer is that your friend connected to a neighbor's WLAN,
not yours.

>
>>
>> Reading between the lines, that vague description sorta hints that he
>> was able to surf the web through your router. With the SSID broadcast
>> disabled (a truely worthless idea), you can't easily tell what you're
>> connected to. What if your neighbors have SSID broadcast turned off?
>
> OK, I guess I'm confused. My laptop needs to know the SSID
> "THEGREATPUMA" even though the SSID is not broadcast - I have to enter
> that SSID before I can even associate to the router. So it, by
> default, knows what it's connected to. If said SSID is not broadcast
> (and not known by the person attempting to connect) I thought it would
> then have to either be guessed or sniffed (if at all possible). Am I
> wrong on this? Can you connect/associate to any router with SSID
> broadcast disabled without that router's SSID? I think I'm missing
> your point here.

You're correct. If your wireless client is configured to associate with ANY
SSID, then it can only associate with networks whose SSIDs are broadcast.
To associate with a WLAN whose SSID isn't broadcast, you must enter the SSID
into the client.

> I'm the only one that knows the generator key. Both my laptop and
> desktop cannot see the connection without the correct ssid. They can
> see it when I input the SSID, but cannot connect due to the
> encryption. I will talk to him in a couple of days so it may be moot
> at that point. Anyway, please do take a look at the screenshot I
> posted above.

The screenshot indicates that encryption is enabled, which is supported by
your experience that your laptop and desktop can associate with the AP but
can't obtain an IP address from the DHCP server. Again, this points to your
friend connecting to someone else's network.

> Thanks again
> Doug

Ron Bandes, CCNP, CTT+, etc.
Anonymous
October 13, 2004 9:39:51 PM

Archived from groups: (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us>
> The demonstration was really impressive as it appeared that
> could connect to an allegedly secure access point in a few seconds. I
> had him run "IPCONFIG" and the cause of the instant success became
> obvious. It then took me a frustrating 15 minutes to explain what was
> happening to the attending crowd.

LoL... Sounds a lot like what happened when Marlon accused me of my
name server being down, when the problem was at his end of the
universe. We couldn't get to his mail server because it was down, not
because we couldn't resolve its address.

:) 
Anonymous
October 14, 2004 12:22:42 AM

Archived from groups: (More info?)

William P.N. Smith wrote in message news:<0k5qm01f3nlnltaps1oglbk8s2vd59v1se@4ax.com>...
> delphiprog@hotmail.com (Doug Beattie) wrote:
> >main page of my router here: http://www.thegreatpuma.com/HomePage.JPG
> >and SSID page: http://www.thegreatpuma.com/ssid.JPG to maybe help a
>
> OK, now show us the encryption page. Dunno what "128-auto" means in
> this context. Feel free to disguise or change the keys if they show
> up in the clear...
>
> >There was definitely a connection, we were both surfing the net
> >looking for a solution to an issue we were dealing with.
>
> And yours is the only AP around?
>
> >If said SSID is not broadcast
> >(and not known by the person attempting to connect) I thought it would
> >then have to either be guessed or sniffed (if at all possible).
>
> This is true, though sniffing a "disabled" SSID broadcast is so
> trivial that it's no longer reccomended as a security measure.

As far as I know I am the only one with a wireless router around here.
I've not been able to pick up any other signals from anywhere even
after turning my router off. See the encryption page here:

www.thegreatpuma.com/encrypt.JPG


And Jeff, thanks for the advice on channel changing. I will do that.

Again, I appreciate everyone's help.
Doug
Anonymous
October 14, 2004 1:54:41 AM

Archived from groups: (More info?)

On 13 Oct 2004 20:22:42 -0700, delphiprog@gmail.com (Doug Beattie)
wrote:

>As far as I know I am the only one with a wireless router around here.
>I've not been able to pick up any other signals from anywhere even
>after turning my router off.

Well, if that's true, it ruins my pet theory leaving your friend with
a truely impressive and quite impossible 10 second WEP cracker.

I'm not ready to give up on the mystery 2nd access point theory quite
yet. If you feel ambitious, fire up Netstumbler 0.4.0 and see if that
can find any access points.

Also, I kinda hinted that one can use IPCONFIG to determine which
access point is being used. No so. All it did in my example was tell
me that there were two wireless cards in the speakers laptop. If you
wanna be sure you haven't connected to someone elses access point, use
the SSID to identify it. If that doesn't work because it's set to
default or something equally dumb, then try pointing your web browser
at the default gateway. You should get a configuration login screen
on most routers, which should help identify the connection. Also, you
could use the MAC addresses (arp -a) to identify the access points,
but nobody remembers or records their various MAC addresses.

>See the encryption page here:
>www.thegreatpuma.com/encrypt.JPG

Looks fine.

>And Jeff, thanks for the advice on channel changing. I will do that.

Well, it's not critical or even terribly important, but it is a good
thing to do. Good luck. I wanna hear about your friends secret
method.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
October 19, 2004 3:07:43 AM

Archived from groups: (More info?)

Looking at the thread I did not see anyone mention that you may not have the
AP locked down to make WEP mandatory... Don't know about that AP, but on
many you can set the WEP key and still allow open access (which means
somebody who is running WEP w/the correct key can connect AS WELL as
somebody without WEP enabled). Or as somebody mentioned, he may have been
associating with someone else's AP near by (I can see about 8 from my home
office and only 2 of those are running WEP at all).

T


"Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
news:V%Tad.36448$Lo6.3891@fed1read03...
> I guess I would ask your friend what he used and if he has suggestions for
> securing your WAP.
>
> No need to disable the SSID broadcast.
>
> I wonder if your encryption is not enabled. Suggest you check it.
>
> --
> Bob Alston
>
> bobalston9 AT aol DOT com
> "Doug Beattie" <delphiprog@hotmail.com> wrote in message
> news:453d59b7.0410120841.28e69071@posting.google.com...
> > Hi, and thanks for any help.
> >
> > I have read previous posts and this article:
> > http://netsecurity.about.com/od/hackertools/a/aa072004b...
> >
> > about securing my Belkin 802.11b wireless router:
> >
http://catalog.belkin.com/IWCatProductPage.process?Merc...
01523&pcount=&Product_Id=136514
> >
> > I have implemented the SSID, disabled the broadcasting and set the
> > encryption to 128 bit generated by a unique passphrase.
> >
> > Yesterday a tech friend from down the road came over to do some work.
> > With his laptop, he was on my network in less than ten seconds,
> > without knowing anything about the settings. I asked him how he did
> > it and he said that my network's not secure. Can anyone explain to me
> > how this is possible? Is there something I'm overlooking in the
> > security settings? At first I thought perhaps he was picking up a
> > neighbor's router. But I can't detect any other connections local to
> > my house. I then double checked the wireless settings and everything
> > is as it should be. Any ideas?
> >
> > Thanks
> > Doug
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.775 / Virus Database: 522 - Release Date: 10/8/2004
>
>
!