Forgot your password?
typodupeerror
Security Wireless Networking Hardware IT

WEP And PPTP Password Crackers Released 244

Posted by timothy
from the be-worried dept.
Jacco de Leeuw writes "SecurityFocus published an article by Michael Ossmann that discusses the new generation of WEP cracking tools for 802.11 wireless networks. These are much faster as they perform passive statistical analysis. In many cases, a WEP key can be determined in minutes or even seconds. For those who have switched to PPTP for securing their wireless nets: Joshua Wright released a new version of his Cisco LEAP cracker called Asleap which can now also recover weak PPTP passwords. Both LEAP and PPTP employ MS-CHAPv2 authentication." Update: 12/22 00:14 GMT by T : Michael Ossmann wrote to point out his last name has two Ns, rather than one.
This discussion has been archived. No new comments can be posted.

WEP And PPTP Password Crackers Released

Comments Filter:
  • by Anonymous Coward
    Its obvious that people now hav ethe ability to go around neibourhoods and gain access to these networks for any purpose!

    Can we be blamed if the tenant runs a pot-growing facility in our basement? Is it the same?
    • Interesting (Score:3, Insightful)

      by paranode (671698)
      Actually this is an interesting point because you would almost certainly get pinned for not taking reasonable steps to prevent the person from growing pot in your basement. However, it's highly unlikely that anyone would expect you to take reasonable steps to prevent unauthorized access to your network if only for the simple fact that practically everyone is clueless when it comes to this stuff. It's a bit of a shame how that works, as far as liability goes.
    • by bhima (46039) <Bhima...Pandava@@@gmail...com> on Tuesday December 21, 2004 @10:55AM (#11146910) Journal
      I was speaking to an American friend, who lives in Atlanta, recently. He was complaining about this very thing. He owns & manages a variety of types of property which he leases out to people who run bars, restaurants, small businesses, warehouses, and even churches. Occasionally, he has tenants 'disappear' and when he goes down to inspect the property he finds evidence of drug related activities (i.e. rows of HPS lighting, hydroponic setups, and my favorite: money counters). So generally to keep it of his back he reports it and has the police come in and take it all in as evidence. Recently, during one of these events the investigating officer arrested him using a little known local law (either Fulton or DeKalb county) which required the owner of the property to report any illegal activities taking place on their properties. The law is so grey that they make no attempt to deal with whether or not the property owner is knowledgeable or a participant. In effect they demand that all property owners become investigators / informants.

      Welcome to post 911 America

  • by Anonymous Coward on Tuesday December 21, 2004 @06:49AM (#11145665)
    Every communication which uses passwords for authentication is susceptible to dictionary attacks. That is not a protocol weakness. If you use a random and long enough password, you'll be fine. Public key based authentication has other risks, like insufficiently secured storage of the key.
    • by amorsen (7485) <benny+slashdot@amorsen.dk> on Tuesday December 21, 2004 @07:12AM (#11145722)
      Every communication which uses passwords for authentication is susceptible to dictionary attacks

      But the good ones only allow online dictionary attacts. LEAP, PPTP, WEP, and unfortunately WPA all allow offline attacks.

      • by emil (695)

        I was thinking of using Poptop over a Netgear WiFi router. This gives me pause.

        I am thinking that it may be better to simply leave the router wide open, then put only an OpenBSD system with routing disabled on the other side of the router.

        I'll allow only SSH into the OpenBSD system, then set up an HTTP proxy that only accepts connections from localhost. I'll then use PUTTY port forwarding on the clients, then proxy off localhost port 80.

        IPSEC looks like the only other option, and it looks a lot harder

        • IPSec is the way to go for easily setting up VPN clients to access a wireless network (or any network, really). The initial IPSec server setup is difficult, to be sure, but then you have a portable setup that you could even use Windows or Mac OS X on. Setting up SSH tunnels is a pain in the ass for each client.
        • OpenVPN (Score:5, Informative)

          by halfelven (207781) on Tuesday December 21, 2004 @01:25PM (#11149090)
          By far the best way to accomplish that is by using OpenVPN [sourceforge.net].
          I tried everything, IPSec, SSH tunneling, you name it. They all suck. SSH is, let's face it, limited. IPSec is cumbersome, not exactly friendly to all operating systems, doesn't play well with NAT (unless you use UDP encapsulation), etc. It is glaringly obvious that it's a severely overdesigned protocol.

          Enter OpenVPN. It uses SSL for encryption, but it's not a SSL-based pseudo-VPN, but a true VPN - it can forward any IP protocol. Think of it as having the functionality of IPSec, but using a simpler and more sensible implementation.
          It's cross-platform (Linux, Windows, Solaris... you name it). It's simple to install and configure (same software can be either server or client and the config file semantics are similar). It's secure (it can use signed certificates, passwords, any authentication mechanism you like). It can compress the traffic on the fly (using LZO which is pretty damn fast and low-overhead). If you use TCP transport instead of UDP, it can tunnel through ordinary HTTP proxies. It has dummy-friendly GUI for Windows. It slices, it dices and it makes coffee... oh, well, maybe not that.

          Anyway, i'm running an OpenVPN server on my home firewall, and i put OpenVPN on all my computers (my workstation at the office, my laptop, etc.). Wherever i go, i just fire up OpenVPN and "i'm home".
          I run IMAP through it, so my IMAP clients (Evolution), no matter where they are, they "see" the same IMAP servers and folders. That is awesome - different systems, yet my mail looks the same. And it's also secure. ;-)

          My wireless access point has no security whatsoever: no encryption, no MAC filtering, no SSID cloaking... it even gives you a DHCP address. :-) However, it's behind a totally restrictive firewall. The only way to work around that is to open an OpenVPN tunnel. Then you can do pretty much anything, through the tunnel, of course.

          It rocks!
          • Re:OpenVPN (Score:2, Insightful)

            by the_maddman (801403)
            I will second the recommendation to OpenVPN.

            Me and a friend setup an IPSec tunnel between our linux boxes and started playing with it. The routing setup was a nightmare, and to get server to server, server to client and client to client traffic flowing you need multiple traffic filters installed. And the latency of the connection sucked, no playing Diablo 2 over that.

            OpenVPN is a breeze compared to all that, you get a tunX device on each box, and as long as you setup your routes using "ip route add (rem

      • No, WPA does not necessarily allow online attacks. Cisco's LEAP authentication for WPA does, but everyone else seems to be moving (and Cisco supports this also) to PEAP authentication, which is MS-CHAPv2, but wrapped in an SSL-encrypted session. So offline dictionary attacks are much, much more difficult since the SSL session uses a new key every authentication attempt.
    • by wirelessbuzzers (552513) on Tuesday December 21, 2004 @07:21AM (#11145744)
      Every communication which uses passwords for authentication is susceptible to dictionary attacks. That is not a protocol weakness. If you use a random and long enough password, you'll be fine. Public key based authentication has other risks, like insufficiently secured storage of the key.

      First, you will note that the attack on WEP (but not on PPTP) is not a dictionary attack and works with a computer-generated random 64- or 128-bit key. This is a protocol weakness.

      Second, a good protocol does protect passwords. Either it establishes an encrypted session with the server, like SSH or SSL does, or it uses a secure password protocol like SRP. SRP in particular has the following properties:

      1) The protocol is entirely public, and open-source implementations are available.
      2) An eavesdropper on the wire does not get a dictionary attack on the password; without breaking the crypto behind the protocol, which nobody has been able to do yet, he gets no information. Of course, he can still do an online attack, but the server should prevent that.
      3) Someone impersonating the server also does not get a dictionary attack on the password, even though the client does not need to memorize a key hash.
      4) Someone who compromises the server database does get a dictionary attack on the password (this is inevitable), but they don't get the password for free. Furthermore, the password is salted, so they have some work to do.
    • what about bank card or mobile phone PINs? get it wrong 3 times in a row and you're locked out and need to have your card/phone reactivated.

      if the protocol or system involved doesn't allow for a penalty against failed atempts, then that IS a weakness.
  • End-to-End Security (Score:4, Interesting)

    by Renegade Lisp (315687) * on Tuesday December 21, 2004 @06:54AM (#11145680)
    This just underlines that encryption at the wireless link level may not be the right way to go. Even if the algorithm wasn't so weak -- it strikes me as odd that a whole network should be protected by just a single key, which needs to be present on every individual machine of this network. How easily is this compromised!

    It's far better not to rely on wireless link encryption and encrypt your application-level protocols instead. SSL for web browsing, PGP or S/MIME for e-mail, ssh for login. Far better algorithms, far better key management.

    • by selderrr (523988) on Tuesday December 21, 2004 @07:19AM (#11145740) Journal
      While I applaud your suggestions for SSL, PGP et al., one should realize that none of these protect against network intrusion, or more often : someone living of your bandwidth...
      • For consumer-grade scenarios (my neighbour living off my bandwidth), restricting access to certain MAC addresses is enough. (By the way, does anyone know how easy/difficult it is nowadays to get WiFi hardware that lets you choose your own MAC address?)

        For higher demands, use a proxy/firewall against which users (not machines) must authenticate in order to get out.

        • -By the way, does anyone know how easy/difficult it is nowadays to get WiFi hardware that lets you choose your own MAC address?)

          It's a standard feature in almost all any device with a MAC address including WiFi & Wired.

          MAC address filtering is a useful additional layer of security but I wouldn't rely on it.

          Jason
          • A lot of campusses are using a black box scenario. ANY traffic across the wire or wireless network is subject to an authentication-before-use requirement. The person pops their laptop on our network and tries to download pron. They get a login screen forced down their port 80 comms. Pops up in a webbrowser as soon as you try and navigate to a site. You authenticate using a campus email addylogin/password (not stored on your machine, I hope) and Voom! you're on our network until you disconnect.
        • by RAMMS+EIN (578166) on Tuesday December 21, 2004 @08:13AM (#11145873) Homepage Journal
          MAC address restriction is an especially weak form of protection on wireless networks. Contrary to wired networks, where the switch may only send data over the wire connecting to the right card, a wireless AP must broadcast the data to everyone in hearing range. This means that you only have to assume one of the MAC addresses that are allowed to connect to the AP, and you're on the network.
        • By the way, does anyone know how easy/difficult it is nowadays to get WiFi hardware that lets you choose your own MAC address?

          I haven't got around to buying wifi equipment for my apartment yet. Living in a flat with a bunch of neighbours though, I just checked to see if there was any wifi network nearby. Tried it, found one, set ethereal to sniff packets for perhaps 5 minutes. Most of these packets contained relevant MAC addresses for me to use.

          After that, ifconfig ath0 hw ether [mac-addr] and voilà

        • I don't know about hardware that let's you set it, but the standard 'ifconfig' will let you spoof it.
      • This tool does (Score:3, Informative)

        by anti-NAT (709310)

        I haven't looked at it for a while, I provided a few suggestions a while back. I thought it was a good idea. For non-authorised subnets, it sends bogus ARP replies, with bogus MAC addresses.

        ipsentinel [tu-chemnitz.de]

      • A much easier solution is to place a true VPN device at the other end of your wireless network. Go get something like a Cisco VPN 3000. Connect the wireless network to the "public" port of the VPN concentrator. Connect your wired network to the "private" side of the concentrator. I know this sounds backwards when your wired network is the Internet. Now you can use WEP if you wish to give someone a little bigger challenge. Beyond that you need a DHCP server on the wireless network and your in business.
    • I prefer a different tack: Use a general-purpose VPN solution. IPsec (been around a long time, heavily analyzed, no obvious bugs) and OpenVPN (uses SSL for all the sensitive bits, much simpler but more than flexible enough for almost all use cases) both do quite well sitting on top of a wireless connection, and by restricting access to the network beyond the access point to folks coming through the VPN, moochers and such are avoided.

      Ideally, I prefer the belt-and-suspenders route: WPA, then a VPN, then app
    • by Umrick (151871)
      What I'm looking at implementing (20 wireless tablet pcs used by physicians and their techs) is something more like this:

      Bare open wireless with a dedicated DHCP/OpenVPN server. Server configured to only allow connections to/from known MAC addresses. Use OpenVPN (128 bit certificate keyed AES) to connect to the internal network.

      Potentially an attacker could compromise one of the wireless devices, however the clients could be firewalled to permit only connections to/from the server to limit that exposure
    • It makes so much more sense for everyone to remember or write down a few 1024-bit key pairs instead of those silly 128-bit WEP keys. SSL and PGP are solutions to different problems.
    • Encrypting the wireless link layer doesn't mean avoiding upper-layer security protocols like SSL or PGP, they solve two entirely different problems. You can still use SSL and PGP on top of your WEP/WPA layer.

      Even if WEP was perfect, it wouldn't protect your traffic on the distribution system that your access-point connects to. The hubs, switches, and routers that your traffic flows through on the way to its destination are still carrying your traffic unencrypted, and it is subject to interception at those
  • Easier for travelers (Score:5, Interesting)

    by ad454 (325846) on Tuesday December 21, 2004 @06:54AM (#11145681)
    Great, I will be leaving for a business trip soon, and now I can freely *access* those commercial WEP enabled Wi/Fi access points in many airports without risking my credit card.

    Seriously though, Wi/Fi has to be treated like an unsecure public network, and anyone wants to restrict access they should use a more secure protocol like IPSec in host-to-host mode. Do not count on Wi/Fi manufactures to protect you, for some reason they just simply refuse to provide secure products.
    • by Lumpy (12016) on Tuesday December 21, 2004 @07:13AM (#11145725) Homepage
      this will not break an authenticated WAP. the ones I help support in my community have only port 80 open for low bandwidth for free, you join us and you get a password you access through nocatauth and then gain full speed open access at the wireless points.

      these tools are useless against that scheme. you still need to perform old-skool cracking in order to get past nocatauth, no point and drool tools for getting past that yet, espically with the non-public modifications we made to it to make it different than what is freely available.
      • you join us and you get a password you access through nocatauth and then gain full speed open access at the wireless points.... these tools are useless against that scheme.

        Will it stand up to someone who knows how to change their MAC address and other information to match a subscriber? Collect four or five of them and odds are that at any given time one of them isn't present.

        Part of the reason that WEP is fundamentally insecure goes beyond just the broken encryption; once you've cracked the key you can
    • by lxt (724570)
      "Do not count on Wi/Fi manufactures to protect you, for some reason they just simply refuse to provide secure products."

      I wouldn't trust Wi-Fi as a fully secure medium even if the manufacturers built in more security measures. As a completely hypothetical and unrealistic example, say I had a completely closed network, with no outside net connections at all. Now, to gain access with physical connections, I've either got to get actual access to a terminal, or do a bit of cable snipping. Now, if I network wit
      • You have astutely observed one of the true aspects of security: Security is always somehow inversely proportional to the amount of functionality you allow "remotely" - i.e., without physical verification. For instance, whenever you allow remote logins, there is no difference from the server's standpoint between the authorized person using a correct password and a malevolent person using a correct password; this is because the server verifies the password (you can substitute "encrypted key of any sort" for
  • by Raindeer (104129) on Tuesday December 21, 2004 @06:58AM (#11145689) Homepage Journal
    Well, I wrote some thoughts on Wireless and Security in my blog which I now copy here.

    # setting up secure connections is too difficult for the lay person. We need standard Diffie-Helman key exchanges. I saw on the internet that it is available on some access points, but it just should be the standard of the IEEE. As far as I could find with Google it isn't yet. I can't understand why.

    # Securing accesspoints should be mandatory. There are too many open access points available. There is no use for anonymous connections over a random family's access point, it only endangers them into being seen as cybercriminals.

    # If people want to make it possible for neighbours and strangers to make use of their access point it should be done in the same way hotspots are now available at airports and Starbucks. Make it possible to extend the official network of the ISP to a users access point. This way if I open up my laptop and there is an access point available of Joe User, I can only hook up to it by propperly logging in to the ISP's network or use the airport/credit card system. This will require many roaming agreements etc, but it would bring security and convenience at the same time. It should be done in such a way that the person opening up his network in this way can throttle the speed of the guest users and/or the times they can access. So I would like to see a rule like "Guests can only connect when I am not connecting" or "Guests only get 1mbit/sec".
    • by Anonymous Coward
      ad 1: DH is a key exchange algorithm, not a complete crypto system. As an algorithm it is used in quite a few standards (IPSec for example).

      ad 2: Depends on your understanding of what the net is. If you think that WLANs are insecure means of accessing a safe network, then yes, AP security should be mandatory. If you think that WLANs are just another insecure link in a dangerous network, then what difference would it make?

      ad 3: There are so many ways to abuse this system, it isn't even funny.
    • Old news (Score:3, Funny)

      by IO ERROR (128968) *
      This story is old news [slashdot.org], as I posted the following way back in April:

      If you bought one of those shiny new 802.11{abg} access points so you could be lazy and use your laptop in bed without a bunch of cords dangling all over the place, you have a decision to make. Do you want your neighbors and random strangers using your Internet connection?

      If you decide you don't want other people using your connection, then don't do these things:

      • Hide your SSID. Your access point will broadcast it anyway whenever your
      • Re:Old news (Score:4, Insightful)

        by beeblebrox87 (234597) <<slashdot> <at> <alexander.co.tz>> on Tuesday December 21, 2004 @08:17AM (#11145887)
        Whats wrong with letting the world access your network? Use SSH/SSL etc to keep your connections secure. If somebody wants internet access, why not provide a public service to them? Wouldn't you like it if someone else did the same for you? If they start using too much bandwidth you can always you can politely ask them to stop, and if that fails, blackmail them with all the pr0n they've been downloading.
        • Re:Old news (Score:3, Informative)

          by DarkMantle (784415)
          The problem isn't about someone using another persons access point. The problem is what they use it to access. They are usually used to access things that the war driver doesn't want tracked to his home. So the problem isn't all the pr0n theve' been downloading, it's the age of the people in the pr0n. This then gets traced back to the IP address your router had at that date/time, and then you're charged for it.
          • Re:Old news (Score:3, Insightful)

            by nickname225 (840560)
            I think there is a high level of hysteria about this issue of you being responsible for someone using your link to download child porn. Remember - the criminal standard is "proof beyond a reasonable doubt". I am an attorney and I work for a District Attorney (although criminal law is not my area) and we would be extremely unlikely to prosecute anyone for child porn without finding actual images in the defendant's possession.
            • The problem with that is, the same kinda person who might have an open access point and be prosecuted for child porn based on IP tracking, might also have a not-so-secure windows install just waiting to have someone put the pictures there for you to find.

              Windows XP is getting past this issue, but anyone who might turn on filesharing just to see what it's all about could be left out in the cold. Proof beyond a reasonable doubt would be very easy to create. Oddly enough, with Mozilla it is probably easier to
        • Re:Old news (Score:3, Informative)

          by LiquidCoooled (634315)
          Whats wrong with it is your not an ISP, and your not protected by the same rules, regulations and laws as them.

          So if someone did illegal things through your connection, YOU will still be responsible.
        • What's wrong with letting people on my LAN? How about what happens when a local bootlegger uses my connection to grab 0-day torrents of the latest CDs/DVDs and the RIAA/MPAA sue ME when my ISP reports that I had the IP address he was sharing the torrent from? Or worse, some pervert starts trading kiddie porn from my home and the FBI shows up at the door? Perhaps a psychotic neighbor uses my LAN to harrass politicians and then the secret service stops by?

          Open wireless points might work for people living on
      • This is wacky. You dismiss WEP and SSID hiding as useless, yet seriously recommend turning off the DHCP server will help?

        Hiding your SSID and enabling WEP will turn away all casual freeloaders. Yes, WEP is crackable, but you still need to be fairly knowledgeable to do it. Doing these two things will save you from 99% of the attackers out there. Turn on MAC restrictions, and you've probably gotten rid of 90% of what's left. Turning off the DHCP server can't hurt, but anybody who can get through the WEP and
    • you are wrong. the FIRST step in securing a WAP is to be sure the signal is not going where you do not need it. the Accesspoint in my home is 100% open and you can not even tell it is there until you get your sniffer up against one of my windows. 2 feet from the house and you have no indication.

      THAT is higher security than the most expensive wireless access point hardware that money can buy can ever give you.

      if they can not recieve the signal, they can not hack it.

      and yes, I have good coverage all ove
      • Of course, all that aluminum foil you're using to coat your walls and windows must have set you back a bit.

        • Actually 1 meter by 1 meter aluminum panels set about 1 wavelength away from the Accesspoint in the direction you do not want the signal to propigate works perfectly.

          even with the "pringles can" or other directional antenna you can not get a signal from the street.

          I have my ap in the celing with 2 aluminum sheets at the 1 wavelength point away from the AP's antennas (that are seperated form the AP and spread out by 3 feet in both directions from the AP it's self) I have no access in the front yard, very m
    • Securing accesspoints should be mandatory. There are too many open access points available. There is no use for anonymous connections over a random family's access point, it only endangers them into being seen as cybercriminals.

      Give me a break.

      Securing one's front door should be mandatory. There are too many open front doors available. There is no use for someone to randomly walk into a family's front door, it only endangers them into being seen as victims of crime or criminals themselves if the "bad g
    • There are two fundamental concerns when considering the placement of wireless access points on any network.

      1) Someone can access my network.
      2) Someone can see my traffic.

      Any wireless network implementation should take both of these into account. Wireless access points, until other encryption and access control mechanisms mature, should be treated as if they were compromised to begin with. If you treat an access point like a live jack into your network that's located outside your building some whe
  • by Gopal.V (532678) on Tuesday December 21, 2004 @07:03AM (#11145706) Homepage Journal
    To be truthful, nothing is secure ... It can only be "Secure Enough". If the cost of breaking something is more than the benifit - that is security in one sense.

    Any encryption can be broken - given enough resources ... The trick is to make it so difficult that nobody finds out unless they are prepared to invest more than what you did (time, computing power, money, technology).

    Interestingly in India, according to Department of Telecom [64.233.167.104] website - security means something different :).
    23. Individuals/Groups/Organisations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission from the Telecom Authority. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organisations shall do so with the prior written permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority.
    We have to keep our private keys in ESCROW to use >40 bit encryption ... Talk about stupid laws (of course which no-one enforces or obeys).
    • by amorsen (7485) <benny+slashdot@amorsen.dk> on Tuesday December 21, 2004 @07:17AM (#11145731)
      Heh, I love the fact that they mention 40-bit RSA. 40-bit symmetric could be sort of used back in the 80's. With 40-bit RSA it's faster to break the encryption than to type in the key.
    • Such a law is not meant to be enforced against random people like us. But it serves to punish people that are suspected of illegal activity, but can't be convicted because they encrypted their communications. Then, these suspects can be arrested on grounds of violation of such a law, and tried when further evidence has been gathered.

      I'd like to compare it to a weapons license that you need to obtain in every sane country in order to possess firearms legally.
      • I'd like to compare it to a weapons license that you need to obtain in every sane country in order to possess firearms legally.

        I won't have minded it if they asked for a provision to ask for private keys - I just don't trust the government that much - Especially my clients.

        Laws like patents, have to specific - otherwise they are easily misused.
      • Such a law is not meant to be enforced against random people like us. But it serves to punish people that are suspected of illegal activity, but can't be convicted because they encrypted their communications. Then, these suspects can be arrested on grounds of violation of such a law, and tried when further evidence has been gathered.

        Yes it is. All laws apply to all people. Mere suspicion of illegal activity is not enough to warrant punishment in any free society. I can't tell for certain, but it sounds

    • Any encryption can be broken - given enough resources ...

      This is false. A correct one-time pad can never be broken.

  • by Timo_UK (762705) on Tuesday December 21, 2004 @07:06AM (#11145714) Homepage
    And I thought they had released some crackers from prison...
  • by Anonymous Coward on Tuesday December 21, 2004 @07:44AM (#11145797)
    This article shows that the time needed to break WEP is smaller than previously demonstrated, not that WEP is any less safe than before. Really, we've known WEP was no good for a _long_ time. The reasons are well known. Both WPA and the recently ratified 802.11i RSN provide good solid fixes to link layer wireless security.

    So, this isn't really "new" news, although it should reinforce the message that WEP is worse than useless.
    • Actually I disagree with you. Not on the fact that WEP wasn't "broken" before, but on the fact that you say WEP is worse than useless.

      Security is not an absolute, it is relative. Yes WEP is broken, worse than previously thought.
      WEP, however bad it is (and however many better solutions exist) still stops most people from using your bandwidth. Retail studies have shown that most staff theft is opportunistic - while most people are basically honest, if they see money lying around, most of them will pick it

  • by da.phreak (820640) on Tuesday December 21, 2004 @08:11AM (#11145869)
    I did not trust WEP even before this tools were released. I read a bit about securing the connection independent of the wireless equipment. Treating the wireless connection like a public network, I set up a Virtual Private Network (VPN). I'd like to share my experiences:

    First I tried to setup IPSec. It was a nightmare. Although I know a lot about computers and networks I did not manage to setup IPSec. It's configuration is so complicated, I have no clue. Although, it must be possible to get IPSec running, maybe it's just me who is too stupid :). IPSec would have been the most secure solution, but despite public belief it's not that secure:

    http://www.schneier.com/paper-ipsec.html

    Then I tried Cipe. It was very easy to get it running, but it's horribly insecure. Peter Gutmann wrote a nice article, which was in the news on slashdot some time ago:

    http://lists.virus.org/cryptography-0309/msg00257. html

    In that article I read about tinc, which I now use. It's almost as easy to setup as cipe, but more secure (although not perfect and not as good as IPSec). Here is the answer of the developers of tinc to Peter Gutmann's article:

    http://www.tinc-vpn.org/security

    So, maybe if you believe them it's not that bad, I'm not sure about this.

    I think one great advantage of the VPN-solutions is that AFAIK there are no tools available that make cracking them as easy as cracking WEP. So the "common War Driver" or Script Kiddie has no clue what to do, you'd need some kind of expert to crack your connection. And, if such an expert is trying to break your security, you maybe have a bigger problem anyway.

    I just wanted to have an acceptable level of security and lock War Drivers out.
    • it can be easy but mostly its hard to get servers to talk to each other

      IPSec is cross platform people and AIRPORT people should just use it and dump the crypto stuff on the cards and let the OS deal with it

      N. Ferguson and B. Schneier "it is the best IP security protocol available at the moment." bbut dont like the fact the config is hard...

      push the vendors to all support IPSec and make config easy and bingo "the world is a better place" tm

      do it

      john jones
    • I have had similar problems, I find that wireless is getting so common that laptops and desktops ship with preinstalled cards and I got a router from work as part of the home broadband deal.

      I haven't started to use it yet, due to paranoia. I have several Linux boxen that are on my inside net and I don't want to compromise them.

      Fortunately, one box has an unused NIC that I can use for the 802.x router. I plan to use L2TP and IPSec on this, but the instructions are rather intimidating and the protocol com

  • by EvilStein (414640) <spam AT pbp DOT net> on Tuesday December 21, 2004 @08:14AM (#11145878) Homepage
    I have like 5 WAPs plugged in - but only one of them is actually plugged into the network. Go ahead, waste some time cracking the WEP keys on the 4 other ones that don't even have ethernet cables plugged into them. muhahahahaa..

    The 5th one is a flaky piece of crap anyway and will likely just fry your WiFi card when my roommate fires up the microwave.
    • Who needs 5 WAPs when you can use Fake AP [blackalchemy.to] and have 50,000 fake ones? Hide your one real access point in plain sight with a sea of beacon frames. Watch wardriver's heads explode when they cruise through your neighborhood!

  • I am not an expert on security -- could someone just tell me in 1 sentence whether PPTP can be considered 'secure' for a VPN at the moment? Or is it worth going to some other VPN infrastructure?

    Thanks to anyone who replies.

  • We should see more movement towards encryption at the IP layer with something like IPSec.
    I know its not the "magic bullet" but it would certainly help with some areas of weak security.

    Only problem is that no-one is interested in implementing IPSec. Why cant we implement IPSec like we do with IPv6 where if both ends support it, it gets used.
    Then, people can install IPSec on their clients and servers and start using it.

    Although unless Microsoft added IPSec support to tcpip.sys or whatever (and released vers
    • IPSec sucks. Overdesigned protocol that simply gives you too much rope to not be tempted to hang yourself, too many "slightly different" implementations that are actually different enough to not interoperate, a big pain in the ass to configure correctly, no good AND free clients (especially GUI ones) for popular OSes, etc.

      Have a look at OpenVPN [sourceforge.net]. After i tried it, i swore i'll never get back to IPSec.
  • Call me old fashioned, I still prefer UTP for regular home use. I really like the 'It just works' feeling of it. And once it works, it keeps working, unlike wireless that mysteriously feels the need to go down once in a while.

    Also, if you have a regular RTL8139 or NE2000 clone like I do, no exotic drivers are needed either to get things up and running.

    Disclaimer: I don't have a clue about the current state of wireless on live distro's such as knoppix. Anyone hit me with a clue bat please?
  • by AusG4 (651867) on Tuesday December 21, 2004 @09:16AM (#11146126) Homepage Journal

    Who still uses WEP? The weeknesses in WEP have been known for some time, and there have been more than a few working crackers in the wild for quite a while now.

    WPA [tomsnetworking.com] is the money. It's far more secure than WEP in that it has key rotation, and some of the snazzier base stations already support AES as the cryptographic algorithm. Most older stations with dilligent vendors will at least support WPA with TKIP (RC4 with rotating keys), since it's a trivial addition from a compute-intensiveness point of view.

    That said, if you do insist on sticking with WEP (some people prefer classic cars to modern ones as well, I guess), or even less (ie, run an open base station) at least ensure that your access point is configured to only allow your specific MAC (as well as those you trust) to peer with it. This will at least keep the bandwidth sucklers off your back.

    Unless, of course, being suckled upon is what you like. At that point, do what you want. I'm Canadian, so my personal bandwidth is everyones bandwidth.

    Ahhh... socialism. :)

    As for PPTP, switch to using KAME, FreeS/WAN or your IPSec implementation of choice. You can, of course, even use IPSec to do transport level encryption for your wireless connection if your base station doesn't support WPA, though you would need additional boxen to do this, of course.

    Both of these (WPA and IPSec) provide the same functionality as what they replace (WEP and PPTP) with additional security benefits. We moved to WPA for our corporate access points over a year ago and have been running a 100% IPSec (SonicWall, specifically [sonicwall.com]) VPN for just as long. They're functional, production tested and very secure.

    Don't wait. Do it now.

  • by Epistax (544591) <epistax@NospAM.gmail.com> on Tuesday December 21, 2004 @09:47AM (#11146307) Journal
    You're given a key for your computer. This key is entered into a list of keys on the server. The server decrypts each incoming transmission with all valid keys to determine the source, and encrypts all outputted signals with their own keys for each client, and the encrypting and decrypting keys are different.

    So, for each client there are four keys. One to encrypt information sent from client to server (residing only on client), one to decrypt this information (residing only on server), one to encrypt information sent from server to client (only on server), one to decrypt information sent from client to server (only on client). Plus the server has its own internal key so that even if the encryption for two clients between two computers is identical, the decryption is different. Same for the client. Ok ok- 6 keys. ;)

    Ignoring the complication, overhead, and excess noise produced by this, wouldn't it be better than say... WEP? :P This would be something such as an office setting where the area is not very open. Your competitor has the office across the street and you're not allowed to throw rocks at them when they sniff the wireless anymore.
  • IPsec is great (Score:3, Interesting)

    by prisoner (133137) on Tuesday December 21, 2004 @10:14AM (#11146526)
    it's the client software that's a pain. I use wolverine (linux based firewall) that has pptp and ipsec built in. The pptp connections are easy as windows has a client built in. I cannot, however, find a free client for windows on the ipsec side. Anyone know of one? Yeah, I'm cheap but it's for my home network.
    • The Cisco VPN Client is what you rquire young padawan
    • Re:IPsec is great (Score:2, Informative)

      by loyukfai (837795)
      Win 2K/XP has IPSec support built-in, but it was a nightmare to configure (I persume it will be easier if you use L2TP/IPSec...?).

      But you can use the following utility, it's not as polished as those $80 clients but it does the job, it's basically a front-end to configure the IPSec for you based on a simpler config file:

      http://vpn.ebootis.de/ [ebootis.de]
    • That, and many others, were the issues that i noticed while wrestling with IPSec.
      I mean, IPSec is nice and all, if you're a medium-to-large company that just goes ahead and buys a full solution from vendor XYZ. But it's a big pain in the butt for everyone else.
      At some point, i discovered OpenVPN [sourceforge.net] and i got hooked immediately. Clients and servers for all major operating systems (the same software can be either client or software, just flip a config bit), nice GUI for Windows, compression, rock-solid encryptio
  • I saw the title -- WEP And PPTP Password Crackers Released -- and thought perhaps it was time to try out some new Christmas party tray snack crackers. Very geeky food.

    Alas, I shall have to return my Publix-brand caviar and this goose pate I bought frozen from SAM's Club. I'm keeping the cheese ball, though. And the cocktail weiners.

    IronChefMorimoto

  • by frank_adrian314159 (469671) on Tuesday December 21, 2004 @11:26AM (#11147282) Homepage
    In the land of the unsecured, the WEP-ecured man is king.

    The point is that I don't have to be totally secure, just more secure than my neighbors. Unless I am specifically targeted by some scoflaw, there are a lot easier access points to get to in my neighborhood for general malfeasance.

  • Would someone with a clue mind pointing out a decent access point running WAP that can keep me covered for another year? Because when I look around, I usually end up with the following dilemma:

    - If it runs WAP, it's probably been rushed to market and has plenty of serious security issues that will give up my keys, admin access, whatever, making the whole thing a moot point.
    - If it's been on the market long enough that I can fix the really heinous flaws with firmware updates, it runs WEP.
  • by tc (93768) on Tuesday December 21, 2004 @12:04PM (#11147834)
    Two guys are out camping, when one night an angry bear starts trying to get into their tent. The first man quickly grabs his sneakers and starts lacing them up. The second man says "what the hell are you doing? You'll never outrun the bear!", to which the first replies "I don't have to outrun the bear, I just have to outrun you".

    The moral of this story is that your security doesn't need to be perfect, it just needs to be 'good enough', and in this case 'good enough' is probably merely 'better than the muppet next door who hasn't secured their network at all'.

    I use WEP to secure my wireless LAN. Does it bother me that it's possible to crack? Not really, because there are at least 2 other networks in my apartment building (with SSIDs of 'linksys' and 'default') which don't appear to have any kind of security at all. Which means that someone casually looking for a free connection is going to use them, not me. If someone really wants to compromise my network specifically, and has the time and skill to do so, well, then I have bigger problems...

  • localhost:local/src/asleap] numbski% make
    cc -pipe -Wall -D_LINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -O4 -D_OPENSSL_MD4 -g3 -ggdb -c -o sha1.o sha1.c
    sha1.c:22:20: endian.h: No such file or directory
    make: *** [sha1.o] Error 1
    Someone with a bit more programming background help me out here. I'm trying to build on MacOS X.

Dennis Ritchie is twice as bright as Steve Jobs, and only half wrong. -- Jim Gettys

Working...