Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Wireless Networking Security Hardware

AirTraf 802.11b Security Package 153

An anonymous reader writes "Being ignorant of network vulnerabilities is a happy condition for only so long. Ignorance is bliss, right up until someone with rogue access drives away with your company secrets. This article covers information about AirTraf, an open source package, which performs a number of tasks, such as determining the Service Set Identifier of the access points, and the channel it is operating under. It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information. The least of your fears should be the leeching of your Internet connectivity. Industrial espionage is a growing reality that you must confront."
This discussion has been archived. No new comments can be posted.

AirTraf 802.11b Security Package

Comments Filter:
  • Site Surveys (Score:4, Insightful)

    by Gortbusters.org ( 637314 ) on Tuesday May 27, 2003 @03:15PM (#6051057) Homepage Journal
    As the article points out, they can be a hastle. Metal in the walls, elevators, stairs, etc.

    The problem with site surveys is that you have to load expensive software onto a laptop or handheld computer, and go wandering the halls looking for rogue bases, rogue access, and other violations of good security practices. The wandering minstrel who's singing the song of good security must be in the right place at the right time. Invariably, this is a hit-or-miss process, great for finding good places to mount access points, but horrible at making a hit on a security violation. You'd have to traipse the halls and haunt the parking lots, lurking... waiting... like a creepy stalker, trying to find anything out of the ordinary; and you'd still be unable to be in all places at once.
  • by craenor ( 623901 ) on Tuesday May 27, 2003 @03:16PM (#6051065) Homepage
    But like most wireless security tools, are the people with ill intent just going to turn it around and use it for their own ends?

    Oh well...if the claims are correct, it will all be irrelevant when WPA releases later in the summer.
  • triangulation (Score:5, Interesting)

    by s20451 ( 410424 ) on Tuesday May 27, 2003 @03:17PM (#6051076) Journal
    Is there any way to do triangulation if you have more than one base station? Then you could do some spatial security as well, by restricting access to particular zones (say, within your own building). I know the cell phone companies have been trying to implement E911 locating for a while ... could you do such a thing with a carefully written 802.11 driver?
    • Re:triangulation (Score:5, Informative)

      by killthiskid ( 197397 ) on Tuesday May 27, 2003 @03:29PM (#6051192) Homepage Journal
      Yes, you can. [google.com]

      • Well, obviously, you can triangulate 802.11 clients but I don't think that is what the poster was asking. Rather, I think he/she was asking: What software exists to do triangulation?

        The major problem I see with triangulation is walls and other interfering objects. In an open field, triangulation should be relatively simple because the signal-to-distance curve should be fairly smooth as you move around. Throw some walls in, however, and you either need many more access points or some way of accounting
      • It's not even the correct search. Every result of that google search was some form of cellular triangulation, not 802.11 (Since they improperly searched for WAP, which is a protocol for cellular services.)

        Interesting results, but completely offtopic and noninformative regarding the original question.

        It is possible to triangulate access points, although most software I've seen to do it uses signal strength interpolation instead of triangulation. Kismet - http://www.kismetwireless.net/ is able to do this
      • The Google search turns up WAP interfaces to triangulation data. How exactly does that to the parent's question?
    • Trapeze Networks (www.trapezenetworks.com) does this. It's an option in their user profile definitions (including QoS, ACL, etc.)--their RingMaster tool rocks.
    • It's theoretically possible to triangulate the position of a wireless NIC. But there are so many things in an office/urban environment that interfere with the signal that it seems like it would be quite difficult.

      Generally triangulation works by having three receivers in a triangle surrounding the transmitter, calculating the signal strength of the received signal at each station, and from this information you can determine the location of the transmitter with some trigonometry.

      In your typical 802.11[a

    • Re:triangulation (Score:3, Interesting)

      by Bagheera ( 71311 )
      Using triangulation is relatively trivial. Combining war-driving with GPS and FoxHunting techniques can yield fairly accurate positions for AP's and the client cards. It gets difficult when there's a lot of them on the air, but it's still doable.

      It's technically possible to combine simple RDF (using phase descriminators) with a base station to get a directional vector. Two RDF equipped bases would give you a point rather than a line, so it should also be possible to location limit access. Not that I've
  • Wireless security (Score:5, Insightful)

    by OmniVector ( 569062 ) <see my homepage> on Tuesday May 27, 2003 @03:17PM (#6051079) Homepage
    I've always wondered why wireless security can be such a problem. Why hasn't someone devised a wireless system where encryption is hard to crack? Take a look at SSL: if you have someone listening to the wire, it's hard to get any good information from it based on the way the protocol works. Why can't the same thing be applied to wireless? The only real difference is you don't have to go through the trouble of intercepting the packets on a wire.
    • Re:Wireless security (Score:4, Informative)

      by illusion_2K ( 187951 ) <slashdot&dissolve,ca> on Tuesday May 27, 2003 @03:21PM (#6051119) Homepage
      Use IPSec, or some other VPN technology. They seem to fix the problem pretty well.
    • It seems the committee approving 802.11 had no cryptographer. The protocol is borked and is unsuitable without frequent changes of key for any kind of privacy. The best bet is the MAC as most APs allow restriction of which MACs can connect, but that too can be overcome.

      In reality, you want to firewall off the AP and then use SSL to tunnel through it as you suggest. If they had built something better into the spec like IPsec (as good as SSL, but implemented deeper in the protocol stack), it would have been

      • The protocol is borked and is unsuitable without frequent changes of key for any kind of privacy.

        You make it sound like I could drive by your house, sense that you have an WAP, and crack your WEP with out stopping. In reality, thousands of weak packets are required in order to break a WEP key. That can take from several hours to many days to break. Chances are, no one is going to sit in your driveway for 36 hours for some free internet.
        • About 1040 packets in my experence.
          I have heard about custom programs that are able to brute force a key from a single packet (weak or otherwise) from what I hear. Something about the fact that the IV key is only 24bit and how real time breaking of WEP isn't really that unpractical.

          40bit ssl is easy to break, why shouldn't 24bit IV keys be?

          I wouldn't sit in your driveway for 36 hours, but I bet someone would use the above stuff to go back to your house when they need net access near by.
        • No need to sit in the driveway. All a sniffer needs is a good high-gain antenna and line of sight. Here's an article about a 72-mile 802.11b link:
          http://www.computerworld.com/mobiletopics/m obile/s tory/0,10801,75830,00.html
        • About five hours of traffic seems to be enough to attack WEP. Additionally, some time is needed for analysis but with modern systems it wouldn't take more than a couple of hours or so. With 1GHz P3 machines and half a Gig of memory, it was around five hours.

          The things is that we are not talking about a normal WAN link which tries to be economical with the packets. All it takes is, for example, a live news feed and there will be lots of packets going over the link.

          As for distamce, a normal AP can easily

          • But online bank accounts ?all? use https -- that is, using SSL as well. Surely that makes it a lot harder to get at useful information on the WEP link?
            • You are quite right, I was simplifying. However, I see many non-bank services that do not use https.

              Even with https, if I can attack your machine, the https security isn't worth anything. For example, SSL establishes a random session key. The random number generator could be 'randomly' generating the value 1, in which case the SSL session can always be broken. If your machine is well protected, that wouldn't be possible. However we are talking here about a PC with a wireless LAN adapter directly connected

      • SSL?

        I think not-

        You must mean SSH?
        Or even better, IPSEC?

        Any VPN product can be used over wireless to secure the wireless portion.
        As another poster said- the only sane way to use wireless is to treat it as an entirely seperate, untrusted public network.
        It's really just as simple as that.
        • SSH uses SSL as it's transport.

          One thing often overlooked is the overhead in using these encryption schemes. If you want an access point to handle a hundred clients you need to take the load into account. These APs are designed to run w/ little heat and power usage, not to mention the small clients such as PDAs and scanners.

        • I agree that IPsec is better, but as it is deeper in the protocol stack, it generally need more configuration. As someone else has already said, SSH is just a way of using SSL as a transport layer.

          I agree that VPN tunneling is also a solution but again it either means extra hardware and/or some complicated configuration (at least more complicated than the average user can cope with). I see a lot of ADSL or broadband routers with a builtin AP that is being sold to SOHOs and domestic users, to avoid unsight

    • >Why can't the same thing be applied to wireless?

      Or better yet why aren't vendors doing this on their APs? All these companies are targeting the home market, they should make things *gasp* easy.

      Sure there are standards to consider, but considering what a mess WEP is its surprising to see that there's no big movement (or is there?) to repair it. Sure Cisco's method of filtering out weak IV packets is nice, but is anyone else going to pay to use their patents?

      I'm expecting, or perhaps hoping, that by
  • Network Security (Score:5, Insightful)

    by rwiedower ( 572254 ) on Tuesday May 27, 2003 @03:18PM (#6051091) Homepage
    After reading the article, I'm still confused as to why any defense agency would have "unsecured network access" available with wireless access. All the government places I've worked in have been extremely hesitant to allow users to even have Palms at work. None have ever been so IT-crazy that they've invested heavily in wireless networking technology, beyond simple bridging concepts. Considering that this article comes on the heels of another one a few posts back discussing how the CIA has been reluctant to invest in new tech ideas, it seems hypocritical to criticize the government for being too slow to adopt new technologies but being too quick to adopt those same ones.

    If anyone knows of any agencies progressive enough to jump on the wireless bandwagon, pipe up. Otherwise I think it's just another victim of the hype monster.

    • Why is it hypocritical to note that government agencies as a whole move slowly into new technologies, while individuals at goverment agencies sometimes introduce unauthorized elements? This is a very big problem because the cost of an access point is so low that it doesn't need special high-level approval (so it's hard for central authority to restrict such purchases)--and the security vulnerability introduced by such a cheap access point is very hard to mitigate.
  • Wired Cat5e = Secure
    Wireless 802.11(a,b,g) = unsecure

    I have cracked 'secure' wep's in a matter of hours, and the more traffic going over the network, the easier it is. All you need is about a gig of traffic, and blamo, wep key in shining black letters right in front of you. I'm sorry guys, beaming a signal through the air is not secure (as shown by the amazing security from the satelite TV companies, I think we have all had a h card at some point, or other varients)

    The only problem I have ever had with
    • by hpa ( 7948 ) on Tuesday May 27, 2003 @03:25PM (#6051151) Homepage
      Always treat your wireless network as a completely insecure network; the same way you treat the public Internet. This has the additional advantage that when visitors come to your company, they can use your wireless network to access their own home base. This can be amazingly useful.

      Then use VPN to give your own staff access to the network, with the same security level you require for access from the public Internet.

      WEP is not useful for anything than discouraging the casual bandwidth leech, if that matters to you at all.
      • by buysse ( 5473 ) on Tuesday May 27, 2003 @04:34PM (#6051702) Homepage
        WEP is not useful for anything than discouraging the casual bandwidth leech, if that matters to you at all.
        WEP may be useful in one other way -- it gives you some legal protection if someone else uses your wireless network to do something malicious. Running your network unencrypted could be seen as the equivalent of leaving your front door open when you're not home.
    • by s20451 ( 410424 ) on Tuesday May 27, 2003 @03:28PM (#6051183) Journal
      The flaw is not in the medium, it's in the protocol. Many organizations have pointed this out. The IEEE wanted to make key distribution easy, so in a system where the administrator is not absolutely on top of everything, it's very easy to learn the key and crack the network. A point-to-point, RSA encrypted wireless link should theoretically be as difficult to crack as a wired link, if designed properly.
    • by smallpaul ( 65919 ) <paul AT prescod DOT net> on Tuesday May 27, 2003 @03:36PM (#6051260)

      I have cracked 'secure' wep's in a matter of hours, and the more traffic going over the network, the easier it is.

      It is well-known that WEP is insecure but that doesn't mean that it is impossible to send secure data over the air. It is absolutely not the case that "wires=security". If you need to transmit crucial passwords over your corporate intranet you might be smarter to encrypt than rely on the fact that nobody with access to your physical network wants to steal your data. Encryption is the key to security, not broadcast medium.

      The only problem I have ever had with wired lines is bad planning. Providing you know where your workstations are going to go, and how you plan on growing, wires are just fine and MUCH faster!! :)

      So you need a network drop anywhere anyone may ever want to work on their laptop (or palmtop, or wi-fi phone). Sure, if you are going to be restrictive it is easy to force people to work in the places you tell them they should work. But this can hurt productivity. Knowledge workers will have persistent wi-fi in their homes, in cafes, in restaurants (even McDonald's), in hotels, and in trains, but you're going to tell them they have to deal with wires at the office? Sorry dude, I can't help but think that you are short-sighted and will be proved so over the next few years. Wireless with true encryption will be standard almost everywhere people work.

    • Paraniod people at the goverment say that CAT 5 is insecure and use fiber for all the connections.
    • Analogy (Score:3, Insightful)

      by FreeLinux ( 555387 )
      Rather than saying that 802.11x is analogous to a network, think of it as being analogous to an RJ-45 wall jack. If you placed a wall jack in a public area of your local shopping mall you would realize that it is insecure and is exposing your network to the world. Knowing this you would take some action to secure that wall jack. You might disable the port at the switch or you may have a firewall set up to allow the wall jack to be used but prevent unauthorized access to your private network.

      The same proced
    • This is simply not true.

      First, you can create a secure wireless network. It's complex, and requires a fair amount of kit, but you can do it. The basic premise is to avoid giving an attacker enough data encrypted with the same WEP key--i.e. rotate your keys frequently. There are several options to do this: EAP/TLS, LEAP, and PEAP to name three. Set your key rotation frequency to 3600 seconds, and you're pretty much set. If you have APs that support EAP/TLS, there is an open source solution [open1x.org].

      OTOH, f

      • No, your wrong. You cannot create a secure WiFi network. If you can't even secure the first layer, your screwed.

        Tell me, do you know what wifi network your on when your on it?

        You know the SSID, but what channel?

        You can layer cruft on top and pretend it's secure but when I can send a disconnect to your wifi clients and have them associate with my rouge network, I own your ass.

        Did you pay attention at the black hat breifing last year?

        Your real network is on channel 6.

        I can mirror your wavesec setup, mak
        • Ok, let's take EAP/TLS.

          EAP/TLS requires that you have PKI in place. To deploy it, you have to set up a CA. Presumably anyone worth their beans will have used a secure connection to distribute the root certificate and client keys to the wireless users.

          The authentication process verifies that both the client and the server are who they claim to be using certificates. If someone tries to forge packets, say with a rogue AP, they won't know the authenticator's secret key and thus the client will reject

        • No, your wrong. You cannot create a secure WiFi network.

          Sure you can, using the same methods to create a secure wired network.

          You can layer cruft on top and pretend it's secure but when I can send a disconnect to your wifi clients and have them associate with my rouge network, I own your ass.

          VPN. Man in the middle is inconsequential: all data is encrypted to the VPN gateway, so you can't read the data. If I can't get to the VPN I know something is up. A lot of these posts are talking about the secur

          • I agree, a vpn is a good way to secure it.

            As long as your not using a VPN that doesn't check host keys, one that doesn't alert you to changed keys, ssh1 or an SSL type of VPN, sure.

            It's trival to set up a man in the middle attack for a client if you control the server.

            Think about it like this:
            A new employee shows up and gets his laptop.
            He signs on for the first time and get's a host key changed (even if the key was already stored on the laptop by the IT dept.)

            What does he do?
            Go make a fool out of himsel
  • Industrial espionage is a growing reality that you must confront

    Is that a fact ? I'd say since the collapse of the USSR, it must have gone better actually.
  • Scare Tactics (Score:3, Interesting)

    by Bame Flait ( 672982 ) on Tuesday May 27, 2003 @03:22PM (#6051128)
    It's clear to me that no matter how much arm waving is done by security experts and those who stand to profit from the implementation of wireless security (cough, IBM), nothing short of tragedy can motivate American organizations to take security seriously.

    Security is NOT a necessity - in fact, many of the things people are trying to "protect" these days don't need to be protected at all - security consultants just want to rake in commissions as they help their clients "secure" their data.

    It's high time that these profiteers take off their Microsoft hats and start acting with the best interest of the end-user in mind.
    • Absolutely. (Score:3, Insightful)

      by Sheetrock ( 152993 )
      The industry is rife with snake oil. Firewalls, IDSes, and the like are pushed to every business with a computer.

      Yet nobody will put the latest service pack on.

      Microsoft software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux. The amount of FUD spread about it is all out of proportion to its flaws, and is probably due to a complete lack of familiarity of its features by its detractors, who would of course use it if it was free. It is this s

      • Re:Absolutely. (Score:5, Insightful)

        by gurps_npc ( 621217 ) on Tuesday May 27, 2003 @03:55PM (#6051399) Homepage
        Yes, today we think that MS software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux.

        But we thought the same thing 24 hours BEFORE the latest service pack came out and we were WRONG

        MS's larger number of previous screw ups, slower discovery rate, slower reaction rates, are a strong indication that there are and will continue to be a much higher possbility that you are MS software currently has an undiscovered security flaw waiting to be found by the next lucky fool that thinks he is the MastEr Hack3r.

        In addition, it is quite apparent that the number of people capable of installing and maintaing MS software correctly and to their specifications is FAR less then the number of people capable of installing and maintaing Linux software correctly and to their specifications.

        Software that is excessivley complex/difficult to install is NOT the best choice for most relatively small businesses.

        • Re:Absolutely. (Score:3, Insightful)

          by FeeDBaCK ( 42286 )
          In addition, it is quite apparent that the number of people capable of installing and maintaing MS software correctly and to their specifications is FAR less then the number of people capable of installing and maintaing Linux software correctly and to their specifications.

          I would have to disagree here. Maybe the percentages are more in favor of Linux, but I would be willing to bet that there are more people who can install and configure MS software correctly than there are Linux users total.

          If even 1% o
      • I would agree with reservations.

        It's just too bad that the point-and-click mentality that Microsoft has created means that it's almost never deployed in a secure fashion.

        In my recent testing, however, I would have to say that Windows 2003 server is orders of magnitude more secure out of the box.
      • Sometimes putting on the latest service pack is not an option, (esp. on Microsoft products) as it can break the server.

        "Microsoft software, installed correctly and to their specifications, is as if not more secure than most distributions of Linux."

        Take the Slammer worm for the SQL server for example. If Microsoft staff is lax in applying patches to their own products, do you expect most users to do any better? Firewalls and IDSes do not have to be a $10,000 band-aid. You can use open source and freewar
    • "in fact, many of the things people are trying to "protect" these days don't need to be protected at all"

      I do believe that even computers with "things" that don't need to be protected at all should be protected as they can be used a zombies to attack other computers. Why do you think that most DDOS attacks come from the unprotected Windows machines?
  • RF Monitor Mode (Score:5, Insightful)

    by fliplap ( 113705 ) on Tuesday May 27, 2003 @03:25PM (#6051158) Homepage Journal
    It can tell how many wireless nodes are connected to a given access point, as well as that point's total load. AirTraf is capable, too, of polling a number of sniffers through a central polling server in order to collect the most current information.

    As useful as this is, its not going todo much to detect or stop the fact that these are just radio waves. And you can't "detect" a hunk of metal out there picking up on them. Almost all new cards are capable of being put into RF monitor mode and sniffing raw 802.11b frames without transmitting anything.

    Prism II and Cisco based cards can do it out of the box. Orinoco cards can do it with a patched driver (patched orinoco-cs on linux, WildPackets driver on Windows).

    On top of that, AirSnort now compiles on Windows. Its not a fun/easy setup and still has a lot of problems, but it works.
    • And you can't "detect" a hunk of metal out there picking up on them. Almost all new cards are capable of being put into RF monitor mode and sniffing raw 802.11b frames without transmitting anything.

      While I agree with your main point, just a point of fact. "You", the average tech might not be able to detect a card silently sniffing. But "They" certainly can.

      An RF receiver is certainly not undetectable the way a RX only wire sniffer on a analog tap is. When an antenna receives a radio wave it retransmit

  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday May 27, 2003 @03:26PM (#6051162) Homepage Journal

    FACT: The Illuminati is using 802.11b as a carrier for their Mind Control Rays. When "reputable sources" speak of 802.11b security, they really want you to work closely with an 802.11b source for a while so you receive their programming.

    Real 802.11b security can be achieved by the following means:

    Purchase a 15 meter (~50') roll of tin foil.

    Wash your hair with baking soda. Don't use commerical brands, they have 802.11b signal enhancers which tune your noggin to their Mind Control Ray.

    Once dry, wrap your head in a clockwise fashion with the tin foil. Ensure you cover the top of your head, your ears and base of the neck. You can poke small holes in each side to allow sound to reach your ears.

    Sit back and laugh knowing that you have true 802.11b security and are safe from The Illuminati's Mind Control Rays.

    Who's that at my door? )(#@Ujf0d923j 329 32

    CARRIER LOST

  • air traf's site (Score:4, Informative)

    by ih8apple ( 607271 ) on Tuesday May 27, 2003 @03:31PM (#6051215)
    Since no one else linked to it: AirTraf's web site [sourceforge.net]

    Also, This link [elixar.com] goes to Elixar, the AirTraf project team's new company.
  • by Bowie J. Poag ( 16898 ) on Tuesday May 27, 2003 @03:33PM (#6051229) Homepage


    WEP is a miserable encryption algorithm. It can be brute-forced within hours, or passively within a day or two. Simply by having WEP enabled on your access point is *no* guarantee whatsoever that your data is secure.

    Now, having everything SSH tunnelled and then wrapped in a flaky WEP crust, that's different... But WEP for 802.11(x) makes about as much sense as a bicycle for a mermaid.

    • But can you name a single tool that brute forces keys from as little as a single encrypted packet?
      • From a single key? No. To brute-force crack WEP, you either need a few million packets to work with, or, you monitor passively and basically let it do the work for you. The more packets you have at your disposal to compare, the less time its going to take.

        The whitepaper I read regarding WEP encryption vulnerabilities is the same one i'd imagine everyone else has read. There are a couple of approaches to it, but generally speaking, successful WEP cracking (IIRC) takes upwards of 5-8 million packets, minimu
  • Here's what I get with my DWL-650 Prism2 based card:

    KOS-MOS:/home/linverse/temp/airtraf-1.0/src# airtraf

    Airtraf 1.0.0 (c)2001,2002 Elixar, Inc.
    Mode: sniffing server
    Author: Peter K. Lee All Rights Reserved

    You have (1) wireless devices configured in your system
    Found wlan0: IEEE 802.11-b on IRQ: 3, BaseAddr: 0x0100 Status: UP
    Using Driver: (hostap_cs)
    Filename: /lib/modules/2.4.20/pcmcia/hostap_cs.o
    Author: "SSH Communications Security Corp, Jouni Malinen"
    success: above driver's compatibility verif

    • Here's what I get with my DWL-650 Prism2 based card:
      error: HostAP monitor mode incompatible with AirTraf at this time...
      AirTraf works fine for me using wlan-ng drivers with an AmbiCom WL1100B Prism2 card.

      I've never been able to get the HostAP drivers into promiscuous mode, myself. Perhaps your problem is somehow related.

      • Thanks for the tip, I'll have to look into that. I don't know whether the HostAP drivers support promiscuous mode, actually... Getting that card to work at ALL was a huge pain, but I'll look into the latest wlan-ng drivers...
  • by Rosco P. Coltrane ( 209368 ) on Tuesday May 27, 2003 @03:34PM (#6051240)
    Ignorance is bliss, right up until someone with rogue access drives away with your company secrets

    Most wardriving is about finding an open network where you can pull your favorite pr0n from your car on your laptop. And probably for the sheer fun of hacking too. Now, if the admin(s) of a company relie on pirates not being able to plug into the physical ethernet socket for his security, he/they surely should be fired.

    In most companies, even if someone gains access to the intranet through 802.11b, he's not going to do much, as the real meat of the company will probably be protected even there. He might get to play with some Windows boxes, see hostnames, sniff this or that, but that's all. True, it's very much better if the guy doesn't see anything in the intranet in the first place, but still, in that worst-case scenario, there is a reasonable level of security left in companies with a decent admin.

    Now, 802.11b isn't so secure. If you're really worried, don't use it. If you're really worried and you really want wi-fi, run tunnels over it : it's far from ideal but it's quite secure.
    • Never trust your depth of exploit to the benevolence of the attacker. Lots of networks don't have things like interior IDS, regular vuln scanning, or even decent administration practices. More over, all those attacks concerning physical location are now possible. Even little defacements can require substantail response in the form of rebuilt systems, reports to management, PR issues. God help you if you have overdeveloped incedent handling procedures and have to spent weeks writing reports and answeri
  • Geeze,

    Imagine a beowulf cluster ... erm ... imagine a cluster at least of these. You could easily setup a massive centrally located system and have some real fun with a wireless system. With this and AirSnort, you're bound to be able to just about do anything anywhere with a 802.11b access point laying around.

    I can see where this would definantelly help out a site admin having a birds eye view of the system itself, but boy was the article right with the comparison that a power tool can be very useful

  • by Anonymous Coward on Tuesday May 27, 2003 @03:39PM (#6051284)
    1) Terminate your wireless AP outside your network
    2) Use strong VPN software to access your network
    3) Only allow the AP to talk to the VPN box

    So what's the result?

    - no WEP problems
    - nobody on wireless is inside your network
    - nobody can steal access

    It's certainly the only sane response I've seen. Other than, of course, "Don't allow wireless at work" which is rapidly becoming the standard.
    • Right-

      I have actually set this up-
      It really is the only sane way to do things-

      But remember- there are fun routing issues to deal with when you do this-
      The internal VPN endpoint needs to be sent packets (from the internal network)- so you need to run a routing protocol so things know what needs to go to the Internet and what needs to go to the VPN.
  • Wireless security should be setup via obsticles. The best examples have already been featured on slashdot. Use the light bulbs that distrupt the same 2.4Ghz frequency (can't find the old slashdot article). Just place these around the perimiter of your wifi network. Great for corporate campuses.
  • Has anyone been able to download the source from Elixar? I submit the form and just get redirected back to it. Does someone have a URL for the source?
  • by mellon ( 7048 ) * on Tuesday May 27, 2003 @04:01PM (#6051439) Homepage
    WaveSEC [wavesec.org] is an add-on for Linux and the BSDs that lets you set up an opportunistic encryption path [freeswan.org] between your laptop and a server on the wired network. This keeps you safe from eavesdroppers who know your WEP key - indeed, with WAVEsec you don't need a WEP key.


    Note that WaveSEC is NOT a replacement for end-to-end security. All it does is protect you from wireless eavesdroppers. If you are using WaveSEC or end-to-end IPsec for all your network connections, you don't need WAVEsec.

  • From the article:
    • In fact, one of the more common questions asked at Slashdot.org, the open source "News for Nerds" page, is "How do I get developers to join my project?"

    And the most common answers are:

    BSD is dying

    Stephen King, American icon, dead at 53

    CmdrTaco is Michael's mutilated sex slave

    Micro$oft suxors

    Hot grits

    Natalie Portman petrified

    Mod parent up/down

    Frost pist

    Another question: why is there a picture of Mr Lee's crotch proudly displayed in the article referenced? Very disturbing. Perhap

  • good article on ars about 802.11b security

    http://arstechnica.com/paedia/w/wireless/securit y- 1.html

    I recently flash to wap11 v2.2's to the dlink dwl-900ap+ bios, and set them up to bridge mac address to mac address with the SSID broadcast turned off, and I used the 256k bit encryption.

    How secure is this?

  • by Spyder ( 15137 ) on Tuesday May 27, 2003 @05:56PM (#6052358)
    The creds: I'm an infosec goon for a big faceless corp that is pretty paranoid about being hacked.

    OK here we go:

    All you need to get 802.11b (or whatever) working is an access point and a host. The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) indetifiers consist of the ubiquitous MAC address and an SSID. Alllthe client needs to do to connect is specify a valid SSID to the access point in question, voila, free porn on somebody else's dime. Here's the thing, 802.11b access points broadcast their SSIDs.

    Some stoggy buggers thought that this kinda sucked, so they decided to wave the magic encryption wand over the system. What they got was the (in)famous WEP, Wire Equivalancy Protocol, or Wireless Encryption Protocol, depending on if you started messing with this before 2001 or not. This stuff comes in 2 main flavors, 56-bit and 128-bit. Two problems with WEP came up round about 2001. First, the key generation algorithim was flawed, and a 56-bit key was really a ~26-bit key, a 128-bit key was really a ~98-bit key. Second, because of the nature of the system it is very easy to gather enough data to preform differential crypto-analyses (aka extracting the keys from a bunch of traffic based on how they are encypted). Detrimental to all hope us poor white hats had of keeping our systems safe, AirSNORT was released, allowing even the cryptographically challanged intruder to compromise the best access points.

    Security for the wireless:

    Most commercial access points will allow at least some of the following:

    Turn off SSID broadcast, this helps, unless the intruder can see a user connecting for the first time, when the client broadcasts the SSID to gain access.

    Specify allowed MAC addresses, this also helps, but all an intruder has to do is change the MAC of the intruding interface, nad get on while a client isn't on.

    Stuff only a few vendors do:

    Use 256-bit encryption, this is pretty good, but only works with compatible cards and drivers. It can also still be cracked by a determined attacker using AirSNORT, (ok, ok a very detemined attacker with some form of supercomputer, but hey there's No Such Agency with that kind of equipment).

    Cisco has tech called LEAP, which will do cool things like rotate keys on a 5 minute basis. It is unlikely that an attacker using AirSNORT will get sufficent information to crack the key before it's changed. It'll do some other cool stuff, but I'm not a Cisco rep, so I won't recite the product manual.

    A "Best Practice" with wireless is to do some or all of the above, and attach the access point the the outside interface of a VPN gateway. The theory on this is to treat the wireless network like any other external connection.

    Now why, if I'm doing all this stuff to secure my network, do I do a Wireless Site Survey at least quarterly at my major sites? Well, because people like easy, and people like to do it themselves. I'm most concerned about someone setting up a combo firewall/access point on my network. The best way to find rogue access points is to play marco polo with a laptop and a directional antenna (if you want good info on that stuff, talk to a friendly neihborhood HAM operator, but a coffee can works pretty well in a pinch).

    Stuff you should know about site surving:

    Get a good card, preferably one with an external antenna input. See what you can do about getting the right antennas for this knid of thing.

    The tool De Jour for this is called Kismet. It does not have all the key cracking kung fu of AirSNORT, but it makes finding the access point pretty easy.

    Have you policy in hand for the confrontation with the owner of the rogue access point, wield it with BF&I (Brute Force and Ignorance).

    Good luck and happy hunting,
    • The Logical Link (from that OSI model in the first chapter of the MCSE book you never read) indetifiers consist of the ubiquitous MAC address and an SSID.

      Nope. SSID is strictly a wireless thing, and has nothing to do with the definition of LLC. 802.3, for example, doesn't know anything about SSIDs.

      a 56-bit key was really a ~26-bit key

      Wrong again: it's a 64-bit key with 24 bits for the Initialization Vector, leaving 40 bits of actual encryption. I think you are confusing this with 56-bit SSL. Likewise,

  • What does this package offer that Kismet doesn't? Perhaps if it offered on-the-fly WEP cracking I would take a look at it.
    • What does this package offer that Kismet doesn't?

      Some stolen source code and ideas?

      Kismet [kismetwireless.net] definitily is the "Snort" of wireless detection, just like every other IDS company using snorts "engine".

      -Rob

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...