Security

Discussion in 'Home Networking' started by Roy Amin, Oct 10, 2005.

  1. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <> on 12 Oct 2005
    How could we know that? WPA can in fact be quite secure when set up properly.
    Do you have independent verification? Without that, it becomes a matter of
    trust, not security. What makes WPA different is the standardization process,
    along with scrutiny and peer review.
     
    John Navas, Oct 12, 2005
    #21

  2. Roy Amin

    Alex Fraser Guest

    Do you mean it sends spoofed TCP RSTs?

    Alex
     
    Alex Fraser, Oct 12, 2005
    #22

  3. On Wed, 12 Oct 2005 19:00:23 GMT, John Navas

    [WPA key generator]
    Yep. Good point. None of the first 10 or so WEP/WPA key generators I
    found with Google were also SSL encrypted. Bummer.
    Now you've got me curious. I downloaded a 30 day demo of an Excel
    medical statistics package:
    http://www.analyse-it.com
    and will run a chi square test to see how random the WPA-PSK generated
    key appears. Results later as I gotta go to a meeting (yawn).
    Argh, my fault. I didn't bother to actually try it.

    --
    Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    831.336.2558 voice
    http://www.LearnByDestroying.com AE6KS
    http://802.11junk.com Skype: JeffLiebermann
     
    Jeff Liebermann, Oct 13, 2005
    #23
  4. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <> on Wed, 12 Oct 2005 23:01:44
    Look also for digit sequence repetition, the usual problem with synthetic
    "random" number generators.
     
    John Navas, Oct 13, 2005
    #24
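An added example, not part of the original posts: the chi-square frequency test from post #23 and the digit-sequence repetition check from post #24, applied to the hex digits of a 256-bit key. The function names, the `max_repeat` threshold and the sample keys are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

HEX = "0123456789abcdef"
# Upper critical value of chi-square with 15 degrees of freedom at p = 0.01.
CHI2_CRIT = 30.578

def chi_square_hex(key: str) -> float:
    """Pearson chi-square of the hex-digit counts against a uniform distribution."""
    key = key.lower()
    if not key or any(c not in HEX for c in key):
        raise ValueError("expected a non-empty hex string")
    expected = len(key) / 16  # only 4 per digit for one 64-digit key: low power
    counts = Counter(key)
    return sum((counts[h] - expected) ** 2 / expected for h in HEX)

def longest_repeat(key: str) -> int:
    """Length of the longest substring occurring at least twice (overlaps count)."""
    key = key.lower()
    best = 0
    for n in range(1, len(key)):
        seen = set()
        repeated = False
        for i in range(len(key) - n + 1):
            chunk = key[i:i + n]
            if chunk in seen:
                repeated = True
                break
            seen.add(chunk)
        if not repeated:
            break  # no repeat of length n means none of length n + 1 either
        best = n
    return best

def assess(key: str, max_repeat: int = 4) -> dict:
    """Flag a key whose digit counts or repeated runs look non-random."""
    chi2, rep = chi_square_hex(key), longest_repeat(key)
    return {"chi2": chi2, "longest_repeat": rep,
            "suspect": chi2 > CHI2_CRIT or rep > max_repeat}

# Constructed sample keys (not from any real generator).
CYCLIC = HEX * 4        # perfectly flat digit counts, yet obviously patterned
CONSTANT = "a" * 64     # one digit only

if __name__ == "__main__":
    for name, key in [("cyclic", CYCLIC), ("constant", CONSTANT),
                      ("os csprng", secrets.token_hex(32))]:
        print(name, assess(key))
```

The cyclic key scores a chi-square of 0, so the frequency test alone passes it; only the repetition check flags it. With 64 digits the expected count per bin is 4, so pooling many generated keys gives the frequency test far more power than testing a single key.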
  5. Roy Amin

    johnny Guest

    Some routers won't allow more than 31 characters in the WPA passphrase.
     
    johnny, Oct 13, 2005
    #25
  6. Roy Amin

    dold Guest

    Scrabble tiles? No numbers? No special characters?


    What about http://www.securesafepro.com/pasgen.php ?
    It runs on a Windows PC, not across the net. Freeware.
    Variable length, checkboxes for upper/lower/numeric/special/dubious.
    It has a "pronounceable" option that doesn't do what I expected.
    I had one for Unix long ago that would generate easily pronounced
    non-words. I found the easy pronunciations better, so that a user could
    remember the password, and didn't have to write it on the face of the CRT,
    or whatever else it is that people do with passwords they can't remember.

    The pasgen program is a free piece from the $32 SecureSafe from the same
    author.
     
    dold, Oct 13, 2005
    #26
  7. Roy Amin

    david20 Guest

    Since you are looking at making the WPA-PSK more difficult to crack you are
    probably already aware of this.

    The WiFi alliance recommends a pass phrase of more than 20 characters.

    See http://www.tinypeap.com/docs/WPA_Passive_Dictionary_Attack_Overview.pdf

    (the tinypeap site also has a link to download the WPA Cracker program so
    once you've set up your network you could test out how secure it is).




    David Webb
    Security team leader
    CCSS
    Middlesex University
     
    david20, Oct 13, 2005
    #27
  8. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <dilf4o$p6h$> on Thu, 13 Oct 2005 11:07:04 +0000 (UTC),
     
    John Navas, Oct 13, 2005
    #28
  9. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <> on Thu, 13 Oct 2005 02:41:31 GMT,
    Then they would not be fully compliant with the standard, a good reason to
    avoid them.
     
    John Navas, Oct 13, 2005
    #29
  10. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <diknpg$tk4$> on Thu, 13 Oct 2005 04:28:32 +0000 (UTC),
    Doesn't hurt, but not needed if you have at least 20 random letters. A
    "random" binary key can be shorter in bits (96-128 bits), but is actually
    longer when working in hex (24-32 hex digits).
    Since it's not open source and hasn't been subjected to scrutiny and peer
    review, you're taking it on faith, which isn't a good thing when the objective
    is security.

    The password generator I use and recommend is Password Safe*
    <http://passwordsafe.sourceforge.net/>
    Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
    it's open source and free, and has been subjected to extensive peer review.

    * NOT!!! <http://www.passwordsafe.com/>
     
    John Navas, Oct 13, 2005
    #30
  11. Roy Amin

    david20 Guest

     
    david20, Oct 13, 2005
    #31
  12. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <dilnr8$s2d$> on Thu, 13 Oct 2005 13:35:36 +0000 (UTC),
    I didn't realize that only part of this thread was cross-posted to
    comp.security.misc -- sorry.
     
    John Navas, Oct 13, 2005
    #32
  13. Roy Amin

    david20 Guest

    OK.

    David Webb
    Security team leader
    CCSS
    Middlesex University

     
    david20, Oct 13, 2005
    #33
  14. An hour of tinkering and I couldn't get it to produce a useable
    result. It doesn't want to deal with hexadecimal distributions, can't
    handle binary, and I'm getting nowhere. I have 29 days left to figure
    it out. Maybe this weekend after I do some more reading.
    It appears to have a collision detector built in. I don't think it
    will happen with something as short as a 256bit sequence.

    Incidentally, the WPA password generator at:
    | http://www.winguides.com/security/password.php
    offers both SSL and non-SSL encrypted web pages. It's the only one I
    could find that did this.

    [Note that I am not a security expert]

    I agree with your point about not using a password at a public
    terminal. The danger is not decryption. It's wireless sniffing. I
    have a customer that uses OTP (one time password) USB dongles:
    | http://www.aladdin.com/etoken/usb_device.asp
    which appear to be quite useable.

    I've also implemented an S/Key based system using my Palm based cell
    phone (QCP-6035) with less success.
    | http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/
    However, these are only two machines out of perhaps several hundred
    that I deal with that require passwords.

    I also have a medical office customer that has implemented X.509
    certificates on USB dongles for authorization and authentication. That
    seems to be working quite well. It's also used for 802.1x wireless
    authentication and digitally signed documents. There is a simple
    password involved, but it's only there in case the USB dongle gets
    lost or stolen.

    I tend to do as much as possible through either VPN tunnels or with
    SSL encrypted web pages. Unfortunately, I use fairly disgusting
    password management practices. I have all of them inscribed in an
    Excel spreadsheet. The spreadsheet file is not stored on any computer
    and is both password protected and encrypted. I carry a printed copy,
    which if stolen, copied or lost, I'm screwed.

    At present, there are 315 passwords in the list. I can remember most
    of these passwords if I'm sitting at the computer where it was created
    or commonly used. However, if the computer or the location changes,
    my brain goes blank.

    What would be nice is a Windoze program that displays security
    "levels" when dealing with manually entered passwords. IE6, Mozilla,
    and others can detect and store passwords easily enough. It should
    also be able to provide some indication as to how safe it is to
    inscribe the password depending on encryption level and transport
    encapsulation. A simple red, yellow, or green color change should be
    sufficient. I couldn't find anything similar in the Mozilla project:
    http://www.mozilla.org/projects/security/pki/psm/
    but may have missed it.
     
    Jeff Liebermann, Oct 13, 2005
    #34
  15. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <> on Thu, 13 Oct 2005 08:38:58
    The risk is in seeding, if the generator is seeded in such a way that the
    probability of specific follow-on digits can be predicted from a given seed
    and/or starting sequence of digits.
    Why take the risk of a website at all rather than run a safe and robust
    generator on your own computer?
    Another big and real risk is capture by invisible software running on the
    public computer (keyboard monitor, browser compromise, wedge in protocol
    stack, heap and/or cache post-processing, etc.).
    Why not use Password Safe* <http://passwordsafe.sourceforge.net/>
    Originally created by noted cryptographer Bruce Schneier of Counterpane Labs,
    it's open source and free, and has been subjected to extensive peer review.

    I think it would be pretty hard for a browser to give a reliable reading on
    security since there are so many variables and unknowns.
     
    John Navas, Oct 13, 2005
    #35
  16. Roy Amin

    myWIFIzone Guest

    Does that and quite a bit more - it spoofs the requested host so it's a
    completely hijacked session (to a captive portal). See our FAQ page at
    http://www.myWIFIzone.com/faqs.asp
     
    myWIFIzone, Oct 14, 2005
    #36
  17. Roy Amin

    Bob W7AVK Guest

    I have two six months old laptop computers both with the internal
    wireless 802.11b/g option. One is a DELL INSPIRON 6000 and the other a
    HP PAVILION ZV6000. In using them at various sites and locations I've
    noticed the DELL Wireless is much more sensitive than the HP. It can
    find and use sites the HP doesn't see or seem to determine exist from
    the exact same location.

    I took the HP back for repair and I was told it was working correctly
    and no trouble was found. It does seem to work fine if the signal is
    very strong within the same room or only a few feet distance.

    Has anyone experienced poor sensitivity from the wireless card used in
    the HP Pavilion series?

    Thanks

    Regards,

    Bob
     
    Bob W7AVK, Nov 4, 2005
    #37
  18. don't have either, but aren't they both Centrino machines with the
    same integrated Intel wireless stuff ?

    In which case it may be antenna location / type that makes the
    difference.

    Phil
     
    Phil Thompson, Nov 4, 2005
    #38
  19. Roy Amin

    John Navas Guest

    [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

    In <aQCaf.1984$> on Thu, 03 Nov 2005 22:03:41 -0800,
    Perhaps the antenna isn't connected properly. I've seen that problem with
    internal mini wireless PCI cards.
     
    John Navas, Nov 4, 2005
    #39
  20. Roy Amin

    C Denver Guest


    Wireless networks are the most insecure networks around. If I wanted I could
    gain access to a 128bit encrypted wireless network within 2-3 hours depending
    on how many IVs are being transmitted. WEP is the most insecure encryption
    available. I would strongly recommend ethernet rather than wireless.
     
    C Denver, Oct 17, 2006
    #40