Why set a password for a gateway or wireless AP?

Discussion in 'Wireless Networking' started by Roughneck, Oct 19, 2006.

  1. Just to clarify, I'm not talking about setting an encryption key--I'm talking
    about setting a password for the setup/configuration software that comes with
    a gateway or wireless AP. i.e. I read the following in a book dealing with
    home networks.

    "The first step is to set a password for your AP... If you leave the AP set
    with the default password, it is very easy for someone to break into your
    wireless network and change your network settings."

    According to the author, changing that password was step #1. Setting
    encryption was discussed later as step #4. But... how can a wireless
    intruder get to the network configuration software on a PC unless he first
    gets past the encryption on the network? But even if the intruder got past
    the encryption, how could he access the configuration software unless the
    software was on a PC with file and printer sharing turned on (XP Home
    edition) "and" the configuration program/software was in a shared folder?

    For the record... in my situation:
    1) The network is using WPA-PSK encryption.
    2) The computer with the network configuration software requires a password
    for logon.
    3) The computer with the network configuration software has file and printer
    sharing turned on, but the only thing being shared is a printer.
    4) The network configuration software for my gateway came without a password
    and with the password feature disabled. I have since set up a password for
    the software, but don't understand how a wireless intruder could access the
    configuration software on my PC based on conditions 1 thru 3 noted above even
    if the password feature was disabled.
    --
    So much to learn... So little time.
     
    Roughneck, Oct 19, 2006
    #1

  2. Roughneck

    David Hettel Guest

    Working backwards, the software for your wireless router is the same as for
    your neighbor 2 blocks over. Much of the time now, the program such as it is
    actually resides on your wireless router and is accessed by going to your
    gateway address, or 192.168.0.1. So one doesn't really need access to any
    special software. If one does need special software, then often it can be
    downloaded free from the maker of your wireless router. So we don't really
    need any special software, or we can get it free on the Internet. One wall
    down.

    WPA-PSK can be broken, all it requires is enough network traffic and
    something to record it on. Often WPA-PSK is set up by someone who does not
    truly understand what they are trying to do. The key can be long, or short.
    If a short enough key is used, it can be cracked easier than WEP. If the key
    is a sentence, or a word it can be cracked rather easily.

    Someone willing to do a little reading can often find in the manual what the
    wireless router manufacturer set as the default password and user name. Often
    it is Admin/admin. Many times the wireless router is set to broadcast its
    name/model number/or maker. This gives the intruder an easy place to start.
    Even if it isn't set to broadcast this, it will broadcast its version of a
    MAC address, and from this address one can find out who manufactured it.
    Once you know that it's easy to try the default passwords, and/or
    setup/configuration software.

    --
    David Hettel

    Please post any reply as a follow-up message in the news group
    for everyone to see. I'm sorry, but I don't answer questions
    addressed directly to me in E-mail or news groups.

    Microsoft Most Valuable Professional Program
    http://mvp.support.microsoft.com

    DISCLAIMER: This posting is provided "AS IS" with no warranties, and
    confers no rights


     
    David Hettel, Oct 19, 2006
    #2

  3. David,

    Thanks so much for the reply! I think I'm tracking with you, but would like
    to make sure because if I am, I'm really shocked at the security risk. It
    sounds to me like you're saying that even if someone uses WPA-PSK encryption
    with a 63 character key that's a totally random mix of numbers, letters, and
    special characters, that a person can access the gateway itself and change
    the software setup "without" having to crack the encryption key?

    I'm "hoping" that's not the case, because if it is, then the password on the
    configuration software is far and away the greatest security risk to my home
    network. i.e. My password for the configuration software is a combination of
    letters, numbers, and special characters, same as with my WPA encryption key,
    but it's certainly not as long/strong as the encryption key and it doesn't
    automatically get changed the way a WPA key does. If this creates the risk
    I'm understanding it to create, I'm really stunned by the fact that there's
    so much talk about the value of WPA over WEP and the importance of using
    strong encryption keys, yet so little discussion about the risk that can be
    created in regard to passwording the configuration software. Please tell me
    I've missed something and that it's not really as bad as all that. :-(

    --
    So much to learn... So little time.


     
    Roughneck, Oct 19, 2006
    #3
  4. Roughneck

    David Hettel Guest

    Yes you've not gotten what I was trying to say. For an intruder to access
    your network wirelessly he would need to crack your encryption key. Now not
    everyone chooses to use a random key of 63 characters, some people use keys
    of 8 characters, that aren't even random. A simple key is much easier to
    crack than a more complex key is. What I was trying to say is not all keys
    in WPA provide better security than WEP, simply because they are WPA.

    What's the greatest risk? Depends on what you are trying to protect. If I
    gain access to your wireless router, I could in theory lock you out of it by
    resetting the password. But most routers have a reset button that returns it
    to factory defaults. I could upload new code to your router, there is
    generally not a lot of free room where the code goes, but it's something I
    could do. Or I could simply trash the code, and force you to buy a new
    router.

    If I happen to live nearby, or have access to the area, I could crack your
    code and monitor everything you send and do wirelessly. But that will take
    some special skills and equipment, and why do it? What is so interesting in
    what you do that it would make someone want to invest that kind of time, or
    effort?

    My experience is most people simply want free access to the internet, and
    are not interested in doing harm. Or it is simply a game to them, and the
    challenge is in getting in. For most thieves it's still easier to rob
    someone the old-fashioned way, rather than spending the time and effort
    required to crack your system. And if your system is secured, it's easier to
    check the next one out that probably isn't secured.

    IMHO if your system is compromised it most likely will be by someone who
    knows you, and wants what they believe you have, or who is mad at you. And
    for my two cents it's much more likely that they'll be mad at you. Where one
    chooses to keep that 63 character key becomes a part of the problem then as
    well. One needs to have access to the key, so the key must be stored
    somewhere. That now becomes a risk.

    --
    David Hettel



     
    David Hettel, Oct 19, 2006
    #4
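
Added example, not part of the original thread: a small defender-side audit of the two secrets discussed above, the WPA-PSK passphrase and the gateway's admin login. The word list, the assumed dictionary size, the default-login list and the two policy thresholds are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed stand-ins (assumptions, not taken from the thread or any vendor list).
COMMON_WORDS = {"password", "admin", "wireless", "network", "home", "my", "is", "secure"}
ASSUMED_DICTIONARY_SIZE = 10_000   # words a guesser is assumed to try per position
DEFAULT_ADMIN_LOGINS = {("admin", "admin"), ("admin", "password")}
MIN_WPA_BITS = 80                  # policy thresholds chosen for this example
MIN_ADMIN_BITS = 50


def is_dictionary_only(secret):
    """True when the secret is nothing but known words separated by spaces."""
    words = secret.lower().split()
    return bool(words) and all(w in COMMON_WORDS for w in words)


def estimate_bits(secret):
    """Upper bound on guessing effort in bits; real human-chosen secrets are weaker."""
    if not secret:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in secret):
        pool += 26
    if any(c in string.ascii_uppercase for c in secret):
        pool += 26
    if any(c in string.digits for c in secret):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in secret):
        pool += 33                 # printable ASCII punctuation plus space
    bits = len(secret) * math.log2(pool)
    if is_dictionary_only(secret):
        # A word or sentence is guessed word by word, not character by character.
        words = secret.split()
        bits = min(bits, len(words) * math.log2(ASSUMED_DICTIONARY_SIZE))
    return bits


def audit_wpa_passphrase(passphrase):
    """Check the wireless passphrase: valid length, not word-based, strong enough."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA-PSK accepts")
    if is_dictionary_only(passphrase):
        findings.append("dictionary words only")
    bits = estimate_bits(passphrase)
    if bits < MIN_WPA_BITS:
        findings.append("estimated strength below policy")
    return {"bits": round(bits, 1), "findings": findings}


def audit_admin_login(username, password):
    """Check the gateway's configuration login, the second layer in the thread."""
    findings = []
    if not password:
        findings.append("no admin password set")
    elif (username.lower(), password.lower()) in DEFAULT_ADMIN_LOGINS:
        findings.append("factory default login")
    bits = estimate_bits(password)
    if bits < MIN_ADMIN_BITS:
        findings.append("estimated strength below policy")
    return {"bits": round(bits, 1), "findings": findings}


def generate_wpa_passphrase(length=63):
    """Generate a random passphrase of the kind the thread calls a 63 character key."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("password", "fluffy12", "my network is secure", generate_wpa_passphrase()):
        print(repr(sample), audit_wpa_passphrase(sample))
    print(audit_admin_login("Admin", "admin"))
    print(audit_admin_login("admin", ""))
```
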
  5. Thanks, David. So if I'm tracking with you, an intruder "would" have to
    crack my WPA-PSK key "before" they could take a shot at cracking the password
    for my gateway's configuration software. If that's the case, I feel much
    better. :)

    And yes, I agree with your thought that it's much more likely that I might
    do something to make a neighbor upset with me (unintentionally of course)
    than it is that I would have something of value they would want. (I sure
    wish it was the other way around.) ;-) Fortunately, we've been
    acquainted with all but one of our immediate neighbors for several years and
    get along well. There is one neighbor we've only spoken with once, but
    there's never been a conflict, so hopefully we're good to go in the public
    relations arena.
    --
    So much to learn... So little time.


     
    Roughneck, Oct 19, 2006
    #5
  6. Roughneck

    David Hettel Guest

    Well they'll either need to crack your WPA-PSK, or gain access physically to
    your wired connection, or send you a virus/trojan in an e-mail. Or get you
    to visit a web page, that is designed to compromise your computer. People
    are creative and always coming up with new ways of doing this. But again it
    does take a reason, for someone to decide that you are worth the effort.

    --
    David Hettel



     
    David Hettel, Oct 20, 2006
    #6
  7. Thanks for all your help, David. I'll keep a low profile and hopefully no
    one will even notice our little network.
    --
    So much to learn... So little time.


     
    Roughneck, Oct 20, 2006
    #7
  8. Roughneck

    P. Johnson Guest

    Roughneck wrote:

    > "The first step is to set a password for your AP... If you leave the AP
    > set with the default password, it is very easy for someone to break into
    > your wireless network and change your network settings."
    >
    > According to the author, changing that password was step #1. Setting
    > encryption was discussed later as step #4. But... how can a wireless
    > intruder get to the network configuration software on a PC unless he first
    > gets past the encryption on the network?


    Getting past the network encryption isn't usually a major issue, just a
    matter of time and the right software. You should always set a password on
    routers, letting Joe Random play with your router settings can cause loss
    of connectivity, firewall rules being created that compromise your network,
    etc. Wired or wireless, password that stuff.

    GNU Keyring is great for generating and saving passwords if you have a
    PalmOS PDA.

    > But even if the intruder got past the encryption, how could he access the
    > configuration software unless the software was on a PC with file and
    > printer sharing turned on (XP Home edition) "and" the configuration
    > program/software was in a shared folder?


    Most home routers have a web interface, the rest configure using SNMP or by
    direct telnet. Point being, if there's a way for a legitimate user to
    connect, then that's a potential vector.
     
    P. Johnson, Oct 20, 2006
    #8
  9. P. Johnson,

    Thanks for the additional input. Between what you and David have shared,
    it's my understanding that if someone "did" manage to get through our WPA-PSK
    security and could access the web through our gateway, all they'd have to do
    is enter the right URL and that would allow them access to our gateway.
    And if the gateway isn't passworded, the intruder would be able to adjust the
    settings from that URL.

    So in regard to an intruder being able to access our gateway, if someone
    gets past our WPA security, our File and Printer sharing settings are
    irrelevant. :-(

    Well, I have our gateway passworded now, so between the 63 character WPA-PSK
    encryption key and the passworded gateway, I guess I've done about all I can
    to make our network as safe as possible. But if there's anything else I
    can/should do, I'm all ears. :)

    --
    So much to learn... So little time.


    >
     
    Roughneck, Oct 20, 2006
    #9
  10. Roughneck

    P. Johnson Guest

    Only you can increase readability.
    http://ursine.ca/Top_Posting

    Roughneck wrote:

    > Thanks for the additional input.


    No problem.

    > Between what you and David have shared, it's my understanding that if
    > someone "did" manage to get through our WPA-PSK security and could access
    > the web through our gateway, all they'd have to do is enter the right URL
    > and that would allow them to access to our gateway. And if the gateway
    > isn't passworded, the intruder would be able to adjust the settings from
    > that URL.


    You nailed it there.

    > So in regard to an intruder being able to access our gateway, if someone
    > gets past our WPA security, our File and Printer sharing settings are
    > irrelevant. :-(


    No, not necessarily, your file and printer sharing settings are not
    irrelevant, they're your second line of defense. Always use strong
    usernames and passwords within your own networks if you have wifi.

    > Well, I have our gateway passworded now, so between the 63 character
    > WPA-PSK encryption key and the passworded gateway, I guess I've done about
    > all I can to make our network as safe as possible. But if there's
    > anything else I can/should do, I'm all ears. :)


    Sounds like you have a good start there.
     
    P. Johnson, Oct 20, 2006
    #10
  11. "No, not necessarily, your file and printer sharing settings are not
    irrelevant, they're your second line of defense. Always use strong
    usernames and passwords within your own networks if you have wifi."

    Sorry--I wasn't very clear about that. I just meant file and printer
    sharing appeared to be irrelevant in terms of preventing someone from
    accessing the gateway settings if they managed to get past the WPA
    encryption. I understand that it's important to have a good strategy as to
    which folders/files are set up for sharing, and whether other users can
    change/delete them or just open/read them. I'm not aware of any way to
    password protect individual folders and files with XP Home though. If there
    is a way I'd be interested in learning how to do it.

    Thanks again for your interest and help!
    --
    So much to learn... So little time.


     
    Roughneck, Oct 20, 2006
    #11
  12. Roughneck <> wrote:

    > Just to clarify, I'm not talking about setting an encryption key--I'm talking
    > about setting a password for the setup/configuration software that comes with
    > a gateway or wireless AP. i.e. I read the following in a book dealing with
    > home networks.
    >
    > "The first step is to set a password for your AP... If you leave the AP set
    > with the default password, it is very easy for someone to break into your
    > wireless network and change your network settings."
    >
    > According to the author, changing that password was step #1. Setting
    > encryption was discussed later as step #4. But... how can a wireless
    > intruder get to the network configuration software on a PC unless he first
    > gets past the encryption on the network?


    The setup/configuration software is often located on the wireless access
    point or router. So an intruder could come in from the internet using
    your public ip-address and a well known port for remote management left
    open.

    Here's one example.

    In August, this troll posted a message with a forged sender, posing as a
    journalist from a Danish tabloid:

    : Newsgroups: dk.forbruger
    : Subject: Ny group: Meld svindel eller magtmisbrug til Ekstra Bladet
    : Date: 21 Aug 2006 13:29:15 -0700
    : Organization: http://groups.google.com
    : Lines: 2
    : Message-ID: <>
    : NNTP-Posting-Host: 83.72.241.222

    In a followup-to a few hours later another poster wrote in:

    : Newsgroups: dk.forbruger
    : Subject: Re: Ny group: Meld svindel eller magtmisbrug til Ekstra
    : Bladet
    : References: <>
    : <ecd639$86v$>
    : In-Reply-To: <ecd639$86v$>
    : Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    : Content-Transfer-Encoding: 8bit
    : Lines: 13
    : Message-ID: <ZNpGg.136$2net.dk>
    : Date: Mon, 21 Aug 2006 23:43:22 +0200

    [...]

    : Det er også ret dumt at lade sin router uden passwordbeskyttelse lytte
    : på port 80 når man poster sådan et indlæg.. http://83.72.241.222

    In English: It's pretty stupid to leave your router without a password
    listening on port 80... http://83.72.241.222

    Needless to say, the troll has since then set a password on the router -
    and probably disabled remote management on port 80 as well.

    > But even if the intruder got past the encryption, how could he access the
    > configuration software unless the software was on a PC with file and
    > printer sharing turned on (XP Home edition) "and" the configuration
    > program/software was in a shared folder?


    As the example shows, the configuration software is often located in
    flash RAM on the router or access point, but XP Home is not an insecure
    OS.

    > For the record... in my situation:
    > 1) The network is using WPA-PSK encryption.
    > 2) The computer with the network configuration software requires a password
    > for logon.
    > 3) The computer with the network configuration software has file and printer
    > sharing turned on, but the only thing being shared is a printer.
    > 4) The network configuration software for my gateway came without a password
    > and with the password feature disabled. I have since set up a password for
    > the software, but don't understand how a wireless intruder could access the
    > configuration software on my PC based on conditions 1 thru 3 noted above even
    > if the password feature was disabled.


    Anyway, if you are using some other configuration software, like a SNMP
    or something like Atmel_SNMP_manager_v1.743 for your access point, or
    have dd-wrt firmware on your router, you are still in danger, because an
    intruder can also get hold of the configuration software and run it on
    his own computer from across the internet.
     
    Axel Hammerschmidt, Oct 23, 2006
    #12
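
A defender-side check of the point made in posts #8 to #12, as an added example that is not part of the original thread: request your own gateway's admin URL without credentials and see whether the device challenges for a password. The function names and verdict labels are this example's assumptions; 192.168.0.1 is the gateway address mentioned earlier in the thread.

```python
"""Audit your own gateway: does its web admin interface demand credentials?"""
import http.client
import re
from urllib.parse import urlsplit

# Verdict labels (this example's own names, not any vendor's terminology).
CLOSED, PROTECTED, LOGIN_FORM, OPEN, REDIRECT, UNKNOWN = (
    "closed", "protected", "login-form", "open", "redirect", "unknown")

# Heuristic: an HTML password input usually means a form-based login page.
PASSWORD_FIELD = re.compile(r"""type\s*=\s*["']?password""", re.IGNORECASE)


def classify_response(status, headers, body):
    """Map one unauthenticated HTTP response to a (verdict, detail) pair.

    headers is a dict with lower-case keys; body is the decoded page text.
    """
    if status == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0]
        return PROTECTED, "401, challenge scheme: " + (scheme or "none sent")
    if status == 403:
        return PROTECTED, "403, access refused from this address"
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        return REDIRECT, headers["location"]
    if status == 200:
        if PASSWORD_FIELD.search(body):
            # A settings page can also contain a password field (for the
            # wireless key, say), so confirm this verdict in a browser.
            return LOGIN_FORM, "page contains a password prompt"
        return OPEN, "settings page served with no credential check"
    return UNKNOWN, "HTTP %d" % status


def check_admin_interface(host, port=80, path="/", timeout=3.0, max_hops=3):
    """GET the admin URL without credentials and report how the device reacts."""
    for _ in range(max_hops + 1):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            headers = {k.lower(): v for k, v in resp.getheaders()}
            body = resp.read(65536).decode("latin-1", "replace")
            status = resp.status
        except (OSError, http.client.HTTPException) as exc:
            # Refused, timed out or not HTTP: nothing to log in to here.
            return CLOSED, "no HTTP answer (%s)" % exc.__class__.__name__
        finally:
            conn.close()

        verdict, detail = classify_response(status, headers, body)
        if verdict != REDIRECT:
            return verdict, detail

        # Follow redirects only while they stay on the device, over plain HTTP.
        target = urlsplit(detail)
        if target.scheme == "https":
            return UNKNOWN, "redirects to HTTPS: " + detail
        if target.hostname not in (None, host):
            return UNKNOWN, "redirects to another host: " + detail
        path = (target.path or "/") + ("?" + target.query if target.query else "")
    return UNKNOWN, "too many redirects"


if __name__ == "__main__":
    # LAN-side check. Replace the address with your own gateway's.
    # To test remote management, run the same call against your public
    # address from a connection outside your network.
    verdict, detail = check_admin_interface("192.168.0.1")
    print("192.168.0.1:80 ->", verdict, "-", detail)
```

An "open" verdict on the LAN side means anyone who joins the network can change settings; anything other than "closed" from outside the network means remote management is reachable from the internet.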