Slashdot: News for Nerds

WPA/WPA2 Cracking With CPUs, GPUs, and the Cloud

CmdrTaco posted more than 2 years ago | from the its-different-cuz-its-cloudy dept.

Security 106

wintertargeter writes "Yeah, it's another article on security, but this time we finally get a complete picture. Tom's Hardware looks at WPA/WPA2 brute-force cracking with CPUs, GPUs, and Amazon's Nvidia Tesla-based EC2 cloud servers. Verdict? WPA/WPA2 is pretty damn secure. Now to wait for a side-channel attack. Sigh...."

106 comments

brute farce (2)

constpointertoconst (1979236) | more than 2 years ago | (#37095880)

Secure from brute force attacks != secure. Hello, exploits!

http://www.wi-fiplanet.com/news/article.php/3784251/WPA-Vulnerability-Discovered.htm [wi-fiplanet.com]

Re:brute farce (3, Insightful)

Hatta (162192) | more than 2 years ago | (#37096030)

That's why we use WPA2/AES.

Re:brute farce (1)

failedlogic (627314) | more than 2 years ago | (#37100262)

I'm considering setting up WiFi in my small apartment so I don't have cables going all over the place. To PS3, printer, desktop and laptop. If I set up my computers for WPA2/AES and change the key on a regular basis, is this considered secure enough? The printer and PS3 won't be on 24/7 so no one can run through 500 pgs and a couple of toners on me.

It's difficult to figure out all the ongoing wireless standards and security when you don't work in the industry.

Re:brute farce (1)

elsJake (1129889) | more than 2 years ago | (#37101544)

Just use keys longer than 23 chars, alphanumeric + special chars, and use a nonstandard SSID for the network (treat as a password, it's used to salt the key derived from your PSK). All this on WPA2/AES and you should be considered secure.
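
The SSID-as-salt point in the comment above, shown as an added example that is not part of the original thread: WPA/WPA2-PSK derives the 256-bit pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase, using the SSID as salt and 4096 iterations. The first vector is the published IEEE 802.11i test vector; the other SSIDs and the helper names are constructed for illustration.

```python
import hashlib
import math

# Printable ASCII (space through '~'), the character range allowed in a WPA passphrase.
PRINTABLE = {chr(c) for c in range(32, 127)}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(c not in PRINTABLE for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Key-space size in bits for a uniformly random passphrase.

    Only meaningful when every character is chosen at random; a human-chosen
    phrase of the same length has far less entropy.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("IEEE    :", derive_pmk("password", "IEEE").hex())

    # Same passphrase, different (constructed) SSIDs: the PMKs are unrelated,
    # so a table precomputed for one network name is useless against another.
    for ssid in ("default", "apt-4b-7f3c91"):
        print(f"{ssid:<8}:", derive_pmk("password", ssid).hex())

    # 24 random characters from the 94 non-space printable ASCII symbols,
    # compared with 12 random alphanumerics.
    print("24 x 94 symbols:", round(random_passphrase_bits(24, 94), 1), "bits")
    print("12 x 62 symbols:", round(random_passphrase_bits(12, 62), 1), "bits")
```

The salt only defeats tables precomputed for common network names; a weak passphrase remains guessable for a specific SSID, which is why the length advice matters independently.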

Re:brute farce (1)

Joce640k (829181) | more than 2 years ago | (#37104718)

If I set up my computers for WPA2/AES and change the key on a regular basis, is this considered secure enough?

Yes.

Only WEP is truly broken. WPA and WPA2 are only vulnerable to weak passwords.

Re:brute farce (1)

bogie (31020) | more than 2 years ago | (#37098746)

Like the quote in the article said, it's "more of a pinhole than a crack". It needs very specific circumstances and also needs you to use TKIP vs AES. I'm not sure about as of today but in regard to that article WPA with AES=secure.

The real problem isn't anything to do with WPA, it's with companies like Verizon who in modern times have the stupidity to use WEP. If it's not WPA2 compatible throw it in the garbage.

Re:brute farce (1)

yuhong (1378501) | more than 2 years ago | (#37100970)

Yep, the main lesson I think is that it shows how bad CRC32 is as an integrity check.

Re:brute farce (1)

yuhong (1378501) | more than 2 years ago | (#37101138)

FYI, there is a new attack on TKIP that can recover the temporal key after capturing 2^38 packets (for comparison, WEP's IV is 24-bit):
http://infoscience.epfl.ch/record/165984 [infoscience.epfl.ch]

if it is so damn secure (0)

Anonymous Coward | more than 2 years ago | (#37095884)

why don't we use it for EVERYTHING else?

Re:if it is so damn secure (4, Informative)

sakdoctor (1087155) | more than 2 years ago | (#37096112)

"We", pretty much do. The underlying algorithm is AES, used in ssh, https, bitlocker, GPG, and so on.

The Only Solution (5, Insightful)

MightyMartian (840721) | more than 2 years ago | (#37095892)

Ultimately the only solution is to have a segregated WiFi network. I've set one up in one of our offices, with the others to follow soon. If one of our workers needs to access internal network resources from our WiFi network, he's got to do what he'd do if he was in a coffee shop or an airport, establish a VPN connection to the internal network. There simply isn't any other solution so far as I can tell. You have to treat WiFi as a potentially hostile entry point.

Re:The Only Solution (1)

h4rr4r (612664) | more than 2 years ago | (#37095934)

I hope you are doing the same or something similar with wired then. No, locking switch ports by MAC address is not good enough. Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.

Re:The Only Solution (2)

omglolbah (731566) | more than 2 years ago | (#37095996)

That requires physical access to the corporate office though.
Wireless doesn't.

Most places that is a fairly important difference.

Re:The Only Solution (5, Insightful)

h4rr4r (612664) | more than 2 years ago | (#37096022)

Anyone with a set of overalls, a handtruck/cart and a cardboard box can get into pretty much any office.

Re:The Only Solution (1)

NoNonAlphaCharsHere (2201864) | more than 2 years ago | (#37096092)

You've been watching too much Burn Notice.

Re:The Only Solution (1)

moonbender (547943) | more than 2 years ago | (#37096224)

From my experience, that much is true if you've seen a single episode.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37098016)

lol

Thank You Kind Sir for the warning.

Re:The Only Solution (5, Funny)

h4rr4r (612664) | more than 2 years ago | (#37096344)

Nope, just had to chase a Verizon man out of my server room a couple weeks ago.

The receptionist let him in because it said Verizon on his jacket and someone kept letting him through doors after that. He was on the wrong floor and would have disconnected live equipment had I not chased him out with a rack rail.

Re:The Only Solution (1)

crashumbc (1221174) | more than 2 years ago | (#37096516)

and the other 10 times he would have all the time he needed.

Re:The Only Solution (1)

Bengie (1121981) | more than 2 years ago | (#37096622)

Can't enter our server rooms without special electronic keys. Not getting past our receptionists without a guest pass and someone to vouch for you to sign off on the guest pass.

Re:The Only Solution (1)

sexconker (1179573) | more than 2 years ago | (#37097086)

Can't enter our server rooms without special electronic keys. Not getting past our receptionists without a guest pass and someone to vouch for you to sign off on the guest pass.

A man with a plunger in his hand and a hustle in his step will be let in anywhere.
Beyond that - when the rats chew through the wiring, how you gonna get into the server room? You're gonna call a locksmith or a guy with a drill and sledge.
And beyond that what are you gonna do when someone trains rats to chew through your network cables?

Re:The Only Solution (1)

Bengie (1121981) | more than 2 years ago | (#37108716)

Sounds like a game of cat and mouse../snicker.....So.. if a rat hooks a fiber to its head, would it be a rat with a freak'n laser on its head?

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37098308)

Your company has spare budget for a receptionist? How lucky.

Re:The Only Solution (1)

Bengie (1121981) | more than 2 years ago | (#37108764)

Having a programmer pull double duty as a receptionist would be instant death to any company. Most programmers around here have that standard dry sarcastic humor that would probably cost the company money if we had to interact with real people. Great bunch to work with.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37099638)

People still have server rooms?

Re:The Only Solution (1)

dragon-file (2241656) | more than 2 years ago | (#37096806)

You have to get a pass to get past the electric card reader at reception desk. From there you just open two doors and you're in the server room. You could literally throw away your pass, open the IT office door, and then walk right into the server room. Don't get me wrong, the door is locked, but the latch is taped over so people can get in and out. I think it's because all the fire alarm system is in there, as well as all the breakers for the building. I'd be more worried about if it wasn't a small office environment.

Who needs access to the server room? (1)

SonofSmog (1961084) | more than 2 years ago | (#37097114)

Yawn! There is CAT 5 running all over most office buildings. Physical access is always the least secure and easiest to get my hands on heh.

Re:The Only Solution (1)

skids (119237) | more than 2 years ago | (#37098346)

That's why it's important to know the MAC address of the electronic card reader at the reception desk.

Re:The Only Solution (2)

Surt (22457) | more than 2 years ago | (#37096400)

Whether or not he's been watching too much Burn Notice, Burn Notice is right about that one. You can get into about 90% of offices that way. It's actually happened (twice!) at mine, and the building is poorly designed (as recently as 20 years ago!), so improving security is difficult. Anything older than 15 years (pre-9/11) is probably similarly difficult to physically secure.

Re:The Only Solution (1)

realityimpaired (1668397) | more than 2 years ago | (#37100216)

The building I work in was designed/built in 1971, and it's easy to physically secure... there's no actual office space on the ground floor (that's retail space that we rent out), and you need two keycards to actually get anywhere in the building: the building pass which you need to get past security after hours and use the elevators (retail space and elevators shut down from 6pm - 7am and on Sundays), and the office pass, which opens the doorway into your office area. More secure floors have a 2nd security desk in the elevator lobby. For most employees, their office pass will only open the doors on the floor they work on. Beyond the office pass/employee ID, there's secured access to just about everything that isn't public/general work area, as well as to some actual work areas/sections. The security in question varies from needing another swipe, or a coded door lock, an actual physical key, or an entropy token (like an RSA Secure ID, but we replaced those shortly after they got hacked), depending on the type of security needed. The fire stairs do not open unless the alarm is going off (and opening the stairwell from an upper floor will set the alarm off), meaning that there is no way to get to the actual office space without taking the elevator, except during a fire (and if you're going to set a fire to gain access to an office, expect to get caught).

It depends on what the building was intended for, I suppose. Parts of the building I work in have access to shut down the PSTN in this country, and other parts have the ability to shut down the international links on the Internet. As such, it's a secure facility, and the age of the building has nothing to do with how difficult or easy it is to physically lock down.

Re:The Only Solution (1)

mcrbids (148650) | more than 2 years ago | (#37102702)

Tight security is *expensive*. Special electronic keys (and the associated administration) cost thousands of dollars. Few organizations actually have sufficiently valuable data to justify this expense. Smaller organizations rarely do.

So far, so good. The tough part is that as an organization grows, it reaches a point where it will start to make sense to incorporate these additional expenses. But what triggers this decision? There's no automatic formula involved, and a growing organization has to carefully track expenses so that it maintains sufficient capital to fund additional growth. And that's where potential breaches such as the "Verizon guy" in the blue suit and a box on a hand truck make it all the way into the server room.

As my company has grown, I've made it a point to secure our assets in (relatively) secure areas. Important servers locked in steel server closets are the norm now, with only two key trusted staff having keys. This level of security is relatively tight, but doesn't scale well. This works well for now because our company is still not that large.

PS: Using high density rackmounts you can pack a surprising amount of horsepower in a single, locked, 42U rack!

Re:The Only Solution (1)

kiwimate (458274) | more than 2 years ago | (#37096694)

No, actually, I'd say it's more that you have made the error of thinking that because it's dramatized it bears no resemblance to [csoonline.com] reality [csoonline.com] . Social engineering is a big [social-engineer.org] deal [cio.com] , to the extent that in places where security is paramount it's a major component in vulnerability assessment and penetration testing.

Re:The Only Solution (1)

MightyMartian (840721) | more than 2 years ago | (#37096114)

The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network. Yes, you're right, physical security can be an issue, but it is a much more difficult target, and thus simply does not worry me as much. If your scenario were that common, then you'd best be considering the physical security of your servers. After all if a guy in coveralls can plug in a CAT5 cable, then surely he can make it into the server room and gain physical access to the servers.

WiFi is orders of magnitude more of a security concern than your physical network infrastructure.

Re:The Only Solution (2)

localman57 (1340533) | more than 2 years ago | (#37096178)

The other thing, is that if somebody hacks you from outside, it's your fault. If they hack you from inside, it's whoever let them in's fault.

Re:The Only Solution (5, Insightful)

BitZtream (692029) | more than 2 years ago | (#37096564)

Whose fault it is isn't relevant. If you're concerned with fault, you must be a manager rather than something useful. The goal is to keep things private and secure, not make sure you get to point the finger somewhere else. If you're pointing the finger, you've already failed even if you're too stupid to realize it.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37096860)

+1 Zulu warrior

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37097134)

It will be relevant come bonus/evaluation time. The bottom line is that equipment needs to be locked up. With the only people who can grant access being those that directly manage the hardware and their boss.

Re:The Only Solution (1)

John Da' Baddest (1686670) | more than 2 years ago | (#37097146)

Not at all. You assume this is an after-the-fact discussion. From an architectural point of view this perspective makes perfect sense. (You're probably too stupid to have thought of that... :-)

Re:The Only Solution (2)

localman57 (1340533) | more than 2 years ago | (#37097182)

Whose fault it is isn't relevant. If you're concerned with fault, you must be a manager rather than something useful. The goal is to keep things private and secure, not make sure you get to point the finger somewhere else. If you're pointing the finger, you've already failed even if you're too stupid to realize it.

This kind of thinking is, in my opinion, exactly opposite of good security. Companies who take a "Security is everybody's responsibility!" attitude are doomed to fail. Something that is everybody's responsibility is no-one's responsibility. Being able to identify whose fault it is is a side effect of knowing whose responsibility it is. My responsibility to secure the network. The receptionist's responsibility to vet the people coming into the building. The facilities/security person's responsibility to make sure there's no way for 3rd parties to get in except past the receptionist. If the network gets hacked, one of the three of us fucked up. Then you figure out how, and take corrective action in that area.

Re:The Only Solution (2)

SecurityTheatre (2427858) | more than 2 years ago | (#37098670)

The problem is, deciding that nobody should care about security opens up a bunch of potential vulnerabilities.

Most companies have a side door that is accessible to employees with a badge. This is where we target to gain physical access to a building during a penetration test. Almost everyone will hold the door for you if you look busy and are reasonably respectable looking. Most companies can't afford to secure every door, or won't do it due to parking situations, etc.

The other attack we commonly engage in during penetration testing is spear-phishing attacks. With a properly worded email, I get passwords out of about 30% of people at an average corporation. Those corporations that make sure everyone has security training and adopt the attitude of "security is everyone's responsibility" tend to have lower rates of this. Yes, it doesn't completely fix the problem but it doesn't hurt either.

As an IT Security manager, if you were to adopt the stance of "nobody else can plug the gaps, so I have to find a way to do it"- this results in pretty draconian security policies. Two factor authentication on everything, host and user certificates for wire-line (and wireless) authentication via a NAC to prevent unauthorized endpoints, WIPS to knock down any rogue wireless that does manage to connect... Binary whitelisting on the endpoints, etc, etc, etc

You can secure the environment without user cooperation, but they will not like it....

Re:The Only Solution (1)

maxwell demon (590494) | more than 2 years ago | (#37096254)

I'd expect the server rooms to be considerably harder to access than general offices. After all, I've once been at a job interview where I was asked to solve some problem for a test. While I did so, the interviewers left the room. I think it wouldn't have been too hard to plug something into an Ethernet port during that time. OTOH, getting into the server room would not have been possible, especially not alone.

in some office buildings the building maintenance (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37096436)

in some office buildings the building maintenance can get in to any room and some they are guy that must change the light bulbs / fluorescent light bulbs.

Any ways it's easy to say that I need to check out a leak or any other issues to have cover story to get in they can say the office under you has the issue.

Re:in some office buildings the building maintenan (1)

BitZtream (692029) | more than 2 years ago | (#37096592)

In any secure setup, that guy can't get into server rooms without one of the operations guys watching him.

At least, that's the way it's been everywhere I've managed.

Don't care what's going on in the server room, you don't go in without an authorized employee. If this is not policy, you're doing it wrong, period.

Re:in some office buildings the building maintenan (0)

Anonymous Coward | more than 2 years ago | (#37096776)

Are you telling us that if there is a fire or a massive water leak, no one can get into that area without one of the ops guys letting them in?

Re:in some office buildings the building maintenan (1)

maxwell demon (590494) | more than 2 years ago | (#37096794)

How would an attacker cause a fire or a massive water leak in the server room?

Re:in some office buildings the building maintenan (1)

sexconker (1179573) | more than 2 years ago | (#37097198)

How would an attacker cause a fire or a massive water leak in the server room?

Gasoline and a match, of course.
First it's on fire, and then the sprinkler systems flood the room.

Re:in some office buildings the building maintenan (1)

localman57 (1340533) | more than 2 years ago | (#37097204)

By hacking the network. :-)

Re:in some office buildings the building maintenan (1)

MooseTick (895855) | more than 2 years ago | (#37097604)

Air conditioners, bathrooms, water pipes a floor above can start to leak. Sometimes those need to be dealt with quickly to contain.

As far as fire, haven't you ever seen the Dukes of Hazzard? They could shoot bows and arrows with dynamite on the ends and blow things up and catch them on fire.

see what I did there? (2)

Thud457 (234763) | more than 2 years ago | (#37100436)

OK, here's how you do it:

1. have your mother feign car trouble and ask to use the restroom
2. while she's there, she leaves a remote-control smoke bomb in the trash.
3. find a sysadmin that's out on vacation (?wtf, that can't be right?)
4. make up a gift basket, hide some elemental sodium (hah! really?! Florida's pretty damn humid...) in it
5. send gift basket (4) to absent sysadmin (3), where it gets left sitting in the server room until his return
6. trigger smoke bomb (2)
7. smoke (6) triggers sprinklers
8. water from sprinklers (7) ignites elemental sodium (4) starting a two-alarm conflagration
9. sneak into gangster's warehouse disguised as fireman
10. steal wifi

Re:The Only Solution (1)

arth1 (260657) | more than 2 years ago | (#37096718)

It's fairly common to have interviewers leave a room during a test. That doesn't mean you're not observed. There is a high chance that there is an inconspicuous camera pointed at you, to observe how you behave when you think you're alone. Anything from snooping to nasty personal habits can weigh in on whether you get a job offer, or what the job offer will be.

Re:The Only Solution (2)

Surt (22457) | more than 2 years ago | (#37096448)

I'd actually argue that's probably untrue at most work sites. For example, in every one of the last 5 buildings I've worked in, sharing a ride in the right elevator could get you into an area with an rj45 port, whereas getting into the server room required passing a badge access door that was only used by 5 people who all knew each other, with an expectation that anyone else would be escorted.

Re:The Only Solution (1)

swillden (191260) | more than 2 years ago | (#37096550)

The fact is that gaining physical access to active Ethernet RJ45 port is significantly more difficult than sitting outside an office and hacking into a WiFi network.

Easier than breaking WPA2? Nonsense.

Barring some newly-discovered weakness in the protocol (very unlikely at this point), breaking WPA2 essentially requires breaking AES or the public-key algorithm you're using for your 802.1x EAP-TLS certificates (no business would use PSK, right?). The only practical way to get in is to get hold of a client certificate by compromising a machine with access (e.g. a laptop). Unless of course your target keeps their client keys on password-protected smart cards. Then you're going to have to nab an employee, take their card and "motivate" them to give you the password.

Of course, if you really care about security, you should be using EAP-TLS authentication on your wired network as well.

Re:The Only Solution (1)

bill_mcgonigle (4333) | more than 2 years ago | (#37096732)

Then you're going to have to nab an employee, take their card and "motivate" them to give you the password.

Find lowest-paid employee and pay them double their yearly salary for the password. If you don't have the budget for that, you're not really involved in industrial espionage.

Re:The Only Solution (1)

swillden (191260) | more than 2 years ago | (#37097190)

Then you're going to have to nab an employee, take their card and "motivate" them to give you the password.

Find lowest-paid employee and pay them double their yearly salary for the password. If you don't have the budget for that, you're not really involved in industrial espionage.

Yep, that should do the trick very neatly.

I don't think that qualifies as "easier than gaining access to an RJ-45 port", though.

yeah, try that... (0)

Anonymous Coward | more than 2 years ago | (#37096196)

Anyone with a set of overalls, a handtruck/cart and a cardboard box can get into pretty much any office.

"Ahh, I see you are here to deliver the new bits for our network! Would you like a chair, or are you comfortable just squatting next to the printer with your laptop? And do I have to sign anything?"

Re:yeah, try that... (1)

MightyMartian (840721) | more than 2 years ago | (#37096268)

And when is the last time in your company that an outsider sporting nothing more than a handcart was given access to physical network resources? It simply is not in the same level of risk as a WiFi network.

Re:yeah, try that... (1)

arose (644256) | more than 2 years ago | (#37096530)

When was the last time in your company that an outsider sporting nothing more than a laptop cracked your properly secured wireless network?

Re:yeah, try that... (1)

crashumbc (1221174) | more than 2 years ago | (#37096580)

I did refrigeration for 8-10 years. You can walk into just about anywhere. NOBODY EVER says anything, in fact of the 1000's of places I walked into, I don't think anyone ever challenged me. Maybe, 1 out of 20 times someone asked "can I help you?" I'd say "I'm fine just here looking at the A/C" and then was totally ignored after that...

Re:The Only Solution (1)

IceCreamGuy (904648) | more than 2 years ago | (#37096230)

I respectfully disagree, it's very easy to put a policy in place which states that any visitor to the office needs to have a representative from within the company vouch for them and act as an escort on premises. If everyone knows the policy it's not very difficult to enforce, all it takes is proper training. It's a pretty small price to pay if your data is important enough to worry about it in the first place.

Re:The Only Solution (2)

h4rr4r (612664) | more than 2 years ago | (#37097562)

It is easy to put such a policy in place. It is near impossible to get people to actually follow that policy.

Re:The Only Solution (2)

IceCreamGuy (904648) | more than 2 years ago | (#37098296)

Again, I disagree, and I'll add that I'm basing this off of personal experience. With proper training any reasonable policy should be able to be implemented, the hard part is actually making sure that people are trained and understand the repercussions. "Hard" is the operative word, it's not "impossible," and can even be easy if you do it a lot. If you have important data, like medical records, credit card numbers, socials and people don't follow simple policies like that, then they should be terminated. If you're telling me that in your organization anyone can just walk in and plug a laptop into a jack as long as they're wearing coveralls and a Verizon badge, then I truly hope that you don't have my SSN or credit card info. An inability to enforce such a simple policy in an organization that deals with sensitive data is a terrifying thought.

Re:The Only Solution (1)

h4rr4r (612664) | more than 2 years ago | (#37098480)

I said near impossible not impossible.

I am sure anyone could do the same in 99% of businesses. Get a maintenance uniform and go into an unused conference room, that would work almost everywhere.

Re:The Only Solution (1)

SecurityTheatre (2427858) | more than 2 years ago | (#37098806)

Medical records?

Hah!!

Hospitals, by and large, have the worst security of any companies or institutions that I have done security testing for, by far.

Finding servers in accounting with blank passwords and then realizing later that they share a subnet with heart monitors makes one wonder WTF they are doing.

But it wasn't just one hospital, I've been to five and all were similar. Yuk.

At least they're improving.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37106994)

Yeah, we have that policy where I work. Funny thing. Whenever people forget their security badges at home and they don't have any programmable spares left, they just start handing out the "Visitor, requires escort badges". You see people walking around with them without an escort all the time. In a building with 600 employees they're good as gold.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37096348)

Good luck with that at the place I work. It is completely compartmentalized. Everyone either has an ID that also unlocks only the doors that they need to pass through. Anyone else must have a visitor ID and be escorted at all times by someone with access. If you see someone without an ID displayed around their neck or on their belt, you challenge them and take them to the receptionist.

Re:The Only Solution (1)

MightyMartian (840721) | more than 2 years ago | (#37095998)

IPSec ought to do the trick. Mind you, I'm less worried about physical security in general.

Re:The Only Solution (1)

afidel (530433) | more than 2 years ago | (#37096238)

802.1x is easier to deal with than IPSEC because you can make exceptions for equipment that does not support the protocol.

Re:The Only Solution (1)

gnick (1211984) | more than 2 years ago | (#37096042)

Dead easy to spoof the MAC address of the machine I unplugged to get my evil device in.

True. But that implies that you already have a security breach (even if that breach is a disgruntled employee or a bunch of employees wondering why the exterminator is hooking his laptop up to the network.) It's a lot easier to sit in the parking lot sniffing wireless traffic than it is to lob the weighted end of a long piece of CAT5 through an open 2nd story window and land it in an open port belonging to a machine that you've divined the MAC address for and spoofed.

Re:The Only Solution (1)

NoNonAlphaCharsHere (2201864) | more than 2 years ago | (#37096052)

Of course, the difference is that you need physical access to plug something in. With wireless, I don't even have to be on the same floor of the building.

Re:The Only Solution (1)

BitZtream (692029) | more than 2 years ago | (#37096542)

If you're that concerned about your wired connections, you're using IPSEC in which case, you're done.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37096628)

What about WPA2-AES + EAP + RADIUS? Except you're mostly limited to EAP-TLS if you want proven security (except you have the problem of distributing client certificates) since Windows doesn't support EAP-TTLS (username + password)

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37099004)

Ultimately the only solution is to have a segregated WiFi network. I've set one up in one of our offices, with the others to follow soon. If one of our workers needs to access internal network resources from our WiFi network, he's got to do what he'd do if he was in a coffee shop or an airport, establish a VPN connection to the internal network. There simply isn't any other solution so far as I can tell. You have to treat WiFi as a potentially hostile entry point.

That's practical for enterprise networks but it doesn't help the home user feel secure who probably has a number of wireless devices, none of which can do VPN, (i.e such as the Xbox 360 or the PS3). In fact, these devices are often the reason a lot of people have wireless networks. Fortunately, most devices do WPA although I know there are even older devices limited to WEP. The bottom line from this article is that if you want to secure your network, get rid of WEP and any device that is limited to only WEP and move to WPA with a 12+ alphanumeric password. If and until a flaw is uncovered in WPA, you should be safe. I wouldn't bother with MAC access lists as a forged MAC address won't help someone without a password and will only add an administrative headache should you choose to add a new wireless device to your own network later.

Re:The Only Solution (0)

Anonymous Coward | more than 2 years ago | (#37099526)

You have it backward. Properly secured on-campus wifi is safer than properly secured VPN. Hell, it can be safer than wired ethernet!

Use good encryption and require two-factor authentication for your wifi.

TL;DR! I didn't get the whole picture (0)

erroneus (253617) | more than 2 years ago | (#37095894)

... so ... yeah...

Too long, didn't read. I didn't get the complete picture. What I do know is that the weak link continues to be people and, more specifically, decision-making people.

"Someone give me 'Easy Security' damnit!!"

Side channel attack? (4, Funny)

liquidweaver (1988660) | more than 2 years ago | (#37095952)

It's not possible remotely. I'd like to know how a side channel attack could be executed against a wireless target? Magic? "Hey, do you mind if I hook up my oscilloscope to your router for a few hours? Why? No reason."

Re:Side channel attack? (2)

synthesizerpatel (1210598) | more than 2 years ago | (#37095986)

When the kids down the street asked to hook their scope up to my router I didn't even consider this as a potential explanation.

Thanks!!!!

Re:Side channel attack? (4, Funny)

localman57 (1340533) | more than 2 years ago | (#37096202)

In that case, I'd like to ask if we could have your wife come in and do some testing at the mattress store where I work. Any time after closing would be fine.

Re:Side channel attack? (1)

failedlogic (627314) | more than 2 years ago | (#37100214)

Hmm .... I didn't know Motels are now referred to as mattress stores. Suppose John's don't explaining to the cops they are paying a woman to go to a mattress store. Just sayin'.

Re:Side channel attack? (1)

h4rr4r (612664) | more than 2 years ago | (#37096062)

Clearly you just put the leads on crossbow bolts and fire them into the router.

Re:Side channel attack? (1)

Sarten-X (1102295) | more than 2 years ago | (#37096398)

Wasn't that done in a movie?

Re:Side channel attack? (0)

Anonymous Coward | more than 2 years ago | (#37099424)

Plug in the ground of the building and filter the signals of PS/2 keyboards for passwords. Buy a telescope from the local astronomy shop and attach that to a camera. Point it to an unprotected building window. Solve the inverse problem of the reflections and scatter back to the image and read the passwords.
A couple of demanding (for a random criminal) and therefore practically implausible system level side channel attacks for your enjoyment.

Re:Side channel attack? (1)

Anonymous Coward | more than 2 years ago | (#37099468)

I think they mean things like timing and size of packets.

Informative article (2)

drobety (2429764) | more than 2 years ago | (#37096148)

I find this article about security to be informative. Always good to be reminded to look at how secure we think we are.

However, I didn't appreciate that, without NoScript, the web page on which the article sits would have pulled in scripts from over 25 sources from around the web...

Re:Informative article (1)

spire3661 (1038968) | more than 2 years ago | (#37096316)

And I received every one of those scripts AND NOTHING BAD HAPPENED. And even if it did, I'm fully backed up. If you have to run NoScript then you are doing things on a machine you shouldn't be browsing on, aren't properly backed up, and are paranoid. NoScript IS NOT worth the hassle when I have to back up my data anyways.

Re:Informative article (0)

Anonymous Coward | more than 2 years ago | (#37096894)

How true. Why bother with any security tools at all when one can just restore from a backup? STUPID NOSCRIPT! WHAT A HASSLE!!!

Re:Informative article (1)

drobety (2429764) | more than 2 years ago | (#37097206)

Right, as long as no alert warns that "SOMETHING BAD HAPPENED", then obviously NOTHING BAD HAPPENED.

Re:Informative article (1)

SecurityTheatre (2427858) | more than 2 years ago | (#37098848)

"If you have nothing to hide".....

overused (and poor) mantra.

Re:Informative article (0)

Anonymous Coward | more than 2 years ago | (#37102400)

Not necessarily. I run NoScript on my netbook because it's faster than letting 25 scripts run on a page, and then having several pages do that can slow it down. I use it on my other machines because I like consistency.

Re:Informative article (0)

Anonymous Coward | more than 2 years ago | (#37096360)

But what if the browser itself has scripts? And NoScript is not a foolproof way. Try this [votre-site-internet.com]

Computer researchers are too much like computers (0)

Anonymous Coward | more than 2 years ago | (#37096808)

With respect to the "dictionary attack," as pointed out recently on XKCD, use of a few random words would be a lot tougher for a computer to figure out than random letters/numbers/characters put together. I'm not sure how many characters are possible in ASCII, but assuming it is 100 characters, and I choose a password 8 characters long (roughly 1 x 10^16 possible combinations), it will not be nearly as secure as four easy-to-remember words put together. The article points out that each word from the dictionary is basically like one character--true, but it is one character from a character set of 300,000 (roughly 8.1 x 10^21 possible combinations).

The problem it seems, then, is that computer geeks are still thinking in terms of bytes--fitting as secure a password as possible in as small of a space as possible. But now, as XKCD points out ( http://xkcd.com/936/ ), bytes aren't really an issue anymore--but human memory is (I have no idea how I would survive without lastpass). A longer password consisting of whole words is easier to remember, more secure, and takes less finger gymnastics to type.

Also, the article fails to note that a truly random password from the full ASCII character set includes within it the character combination "password", and 41 instances of the number 1, and so on. The attacker might be able to figure out what character set the network will allow for possible passwords, but s/he won't know what minimum character set the user could actually pull his password from. Requiring a minimum password of 8 characters, at least one capital letter, etc. leaves out a lot of possible passwords (like everything with 7 or fewer characters, and everything without capital letters), so the attacker can limit his crack to passwords of at least 8 characters with one capital letter, etc.

Re:Computer researchers are too much like computer (2)

MPAB (1074440) | more than 2 years ago | (#37097506)

I think it's because of two things:

In the earlier days of the internet, a lot of sites wouldn't accept passwords longer than eight characters or with spaces in them. I think because of the way they were saved. What's worse is that some sites would accept the password at registration, but filter it when signing in; thus locking out the user forever.

And nowadays there are too many sites that ask such nonsense as "Must be longer than 6, shorter than 10, have 3 numbers, one capital letter". My phone company asks for 4 numbers and then 6 letters. I guess they get lots of reset password calls. I make one each 6 months or so.

Re:Computer researchers are too much like computer (2)

sexconker (1179573) | more than 2 years ago | (#37097512)

With respect to the "dictionary attack," as pointed out recently on XKCD, use of a few random words would be a lot tougher for a computer to figure out than random letters/numbers/characters put together.

Absolutely not. That XKCD comic was just fucking wrong. As usual with XKCD.

Raw entropy only matters when your search pattern is random.
Any attack that hopes to succeed on non-trivial passwords on a non-astronomical time scale will not be using a random search pattern. It will be using a dictionary-based attack, and will try single words, 2 words, 3 words, ... up to some length of characters, well before trying patterns like 7{`G2we7+_+1\aW/.

While a four-word password may have a large amount of digital entropy, it has a low amount of entropy when considered by a human. Password crackers are designed to try things from simple to complex, as considered by a human, precisely because humans tend to more easily remember them (and thus use).

Beyond that, his shitty comic refers to an attack against a remote service. Any remote service worth a damn will throttle log-in attempts to all hell, and eventually lock a user out until some other verification requirement is fulfilled. Any non-trivial password is sufficient for a well-behaved remote service.
The problem occurs when the site gets hacked and the hashes get out. Then the only thing that protects you is the amount of time it would take to crack your password (with a big ol' GPU cluster courtesy of Amazon), and the amount of time you have to change it.
If the site that got hacked is shitty and doesn't notice or notify users promptly, or if they use a standard crypto scheme (scheme != algorithm, scheme includes salting, number of rounds, etc.) and are susceptible to existing rainbow tables, or if they just fucking leaked your shit in plaintext, you're fucked.

Use complex passwords. Not fourstupidwordshere, but &5b3Pwv}|=1k. Deal with it.

Re:Computer researchers are too much like computer (2)

hawguy (1600213) | more than 2 years ago | (#37101180)

I think you're missing the point of the XKCD comic... There are around 3000 commonly used words in English (xkcd assumed 11 bits per word, or 2048 words). A 6 year old child has a vocabulary of between 2500 and 5000 words [wikipedia.org] .

If a user uses a 5 word password there are 3000^5 = 2.4E17 different combinations.

In your 12 character, mixed case (52) + numeric (10) + symbols (20 common symbols?) password there are 83 possible symbols, so that's 1E25 combinations.

So technically, your "random" password may be 500,000 times safer, but even 2.4E17 combinations will take thousands of years to brute force at a million guesses/second. Not many people have secrets worth that much effort, and for those that do, they can use a 6 word passphrase so even at a billion guesses/second it would take thousands of years to brute force it.

Few people can reliably remember a random string, especially when they need a different password for different accounts, and have to change it every 30 - 90 days, so they'll end up writing it down or storing it in some password keeper that's subject to attack.

However, most people can remember: "seesawseashoresally" or "liontigercougarnotdog" much more easily than a random string, and they'll end up with a more secure password than the usual method of doing s1mpl3 sub5t1tut10ns. And many people (like me) can type a 20 character phrase faster than a 12 character random string.

Re:Computer researchers are too much like computer (1)

reiisi (1211052) | more than 2 years ago | (#37103842)

If that was "s1mpl3 sub5t1tut10ns" you're maybe doing okay. Either s1mpl3 or sub5t1tut10ns by themselves are going to be a little easy to hit with rainbow tables.

But I would probably expect $ub5t1tut10ns to last longer in an attack than "I date Sally."

"I date Sally's calendar." is better than "I date Sally."

"I date banana shipwreck." is better than either, but I would still use leetspeak to tighten it up.

Summary: WPA with a good password is unhackable (1)

Dr. Spork (142693) | more than 2 years ago | (#37096856)

This was really informative and good. If I were protecting valuable data, I'd use WPA and a 10-character pass and I'd be protected against hackers with today's leetest gear for the rest of the existence of the universe. That's actually a pretty amazing statistic given just how hackable everything else is these days. Well done, designers of WPA!

Re:Summary: WPA with a good password is unhackable (1)

skids (119237) | more than 2 years ago | (#37098534)

Well done, designers of WPA

I'd say "adequately done, designers of WPA." They did after all neglect to make the 4 way handshake a DH exchange. Fortunately there's always WPA-enterprise.

Re:Summary: WPA with a good password is unhackable (0)

Anonymous Coward | more than 2 years ago | (#37105372)

I'd be protected against hackers with today's leetest gear for the rest of the existence of the universe.

IF you use a strong password. Most people do not, and a standard dictionary attack is still quite effective.
For example, if you use "password" with any two characters at the end, or "0123456789" then I'd be inside your network within about 3 seconds.
Use any semi-common name, and I'll be in within an hour.

side channel attack or personal ones (0)

Anonymous Coward | more than 2 years ago | (#37098712)

funny how a simple article turns into a pissing match with stupid commenter

As long as you aren't an idiot... (1)

zerox030366 (2430128) | more than 2 years ago | (#37102556)

If you are an idiot and leave your network ID as one of the 100 most common then there are hash tables available. If you also have a password with insufficient entropy then you basically aren't safe against a determined attacker. If you're not basically an idiot, though, WPA/WPA2 is good.
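Added example, not part of any comment in this thread: WPA/WPA2-PSK derives its master key with PBKDF2-HMAC-SHA1 salted by the SSID, which is why precomputed tables only apply to common network names, and the same sketch reruns the keyspace arithmetic quoted in the password comments above. The SSIDs, passphrase and helper names are constructed for illustration, and the keyspace figures hold only if every character or word is chosen uniformly at random.

```python
import hashlib
import math

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(),
                               ssid.encode(), 4096, 32)

def table_is_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """A passphrase->PMK table precomputed for ssid_a is only useful
    against ssid_b if both SSIDs yield the same PMK."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)

def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits, assuming each position is picked uniformly at random."""
    return length * math.log2(symbols)

def years_to_exhaust(symbols: int, length: int, guesses_per_second: float) -> float:
    """Years to try every candidate at a fixed guess rate."""
    return symbols ** length / guesses_per_second / (365.25 * 24 * 3600)

# Schemes as stated by commenters in this thread (symbols, length).
SCHEMES = {
    "8 chars from 100 symbols": (100, 8),
    "4 words from 300,000": (300_000, 4),
    "5 words from 3,000": (3_000, 5),
    "12 chars from 83 symbols": (83, 12),
}

def report(rate: float = 1_000_000):
    """(scheme, bits, years) rows at the given guesses per second."""
    return [(name, round(keyspace_bits(s, n), 1), years_to_exhaust(s, n, rate))
            for name, (s, n) in SCHEMES.items()]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    phrase = "correct horse battery"
    print("default SSID table reusable on unique SSID:",
          table_is_reusable(phrase, "linksys", "home-7f3a-example"))
    for name, bits, years in report():
        print(f"{name:26s} {bits:6.1f} bits  {years:.3g} years at 1e6 guesses/s")
```
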

Hole 196, people. (0)

Khyber (864651) | more than 2 years ago | (#37102994)

Are you guys this late in the game or what? WPA2 is crap and was blown open fairly easily.
