Slashdot: News for Nerds

New Way to ID Invisible Intruders on Wireless LANs

Zonk posted more than 6 years ago | from the you-have-laboured-to-produce-a-biologic dept.

Wireless Networking 122

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries; instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that, when used together, can detect both attackers and configuration mistakes in network devices."


122 comments

LAN security (-1, Troll)

eneville (745111) | more than 6 years ago | (#21531587)

If you really want to keep people off your LAN then you need to deploy a good authentication system. It's not perfect, and of course anyone who hijacks the IP address is likely to gain access, but without going into VPN tunnels it's perhaps the only good way. Take a look into pftables or see this video for a demonstration: http://s5h.net/u?14 [s5h.net]

Re:LAN security (0, Informative)

Anonymous Coward | more than 6 years ago | (#21531673)

Troll (internet is serious business).

Re:LAN security (-1, Offtopic)

midnighttoadstool (703941) | more than 6 years ago | (#21531981)

...but all I want is a nice cup of tea.

Re:LAN security (0)

Anonymous Coward | more than 6 years ago | (#21532301)

Come on, people. Inspect links before applying mod points. Link in parent redirects to internetisseriousbusiness.com. Sibling comment got modded as a TROLL for pointing that out! Eneville, it's terrific that you can read xkcd, really, but some of us read work-related Slashdot articles _at_work_.

Re:LAN security (1)

eneville (745111) | more than 5 years ago | (#21539273)

So what? I didn't make you go to the link. You clicked the link yourself. That's not my problem. If you read slashdot at work and you start following links in comments THEN YOU'RE NOT AT WORK, and personally I don't think you should be doing that during work time as you're potentially a risk to your employer by visiting sites that are of questionable trust. I'd probably sack you. You're lucky that I didn't put something there that would compromise browsers and what I did alerted you to the fact that you're going to questionable sites. This experience had learning for you.

Re:LAN security (0)

Anonymous Coward | more than 6 years ago | (#21532419)

Congrats eneville, you Rickroll'd [urbandictionary.com] me!

Virtually impossible? (5, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#21531627)

I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

Re:Virtually impossible? (-1, Offtopic)

morgan_greywolf (835522) | more than 6 years ago | (#21531693)

Um, how is this offtopic?

Re:Virtually impossible? (0)

Anonymous Coward | more than 6 years ago | (#21532141)

Virtually impossible? (Score:0, Offtopic)
by morgan_greywolf (835522) on Friday November 30, @08:50AM (#21531627)
(http://stylus-toolbox.sf.net/ | Last Journal: Tuesday May 15 2007, @11:50AM)
I don't know about that. I use WPA-PSK [wikipedia.org] security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
Um, how is this offtopic?
War driving moderator on crack? =P

Re:Virtually impossible? (4, Insightful)

cbiltcliffe (186293) | more than 6 years ago | (#21532515)

and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?
If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.

Using the Storm botnet as an example:

There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.

So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte. 96^8 = 7213895789838336 possible password combinations.
Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most all you'd need is numbers and letters. That'll cut your time significantly.
Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.
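The arithmetic above (96^8 candidates, 45 guesses per second per machine, a 50,000,000-node botnet) and the 11-character figure morgan_greywolf gives in reply, carried through as an added example; this is not code from the original posts or from any cracking tool. It also shows the one cost the estimate takes for granted: every WPA-PSK guess is a full PBKDF2-HMAC-SHA1 derivation of 4096 iterations over the SSID, which is what keeps the per-machine rate low. The SSID `linksys` and the candidate passphrases are assumed values; the `password`/`IEEE` pair is the IEEE 802.11i Annex H test vector.

```python
"""Added example: cost of an offline guess-and-check attack on a WPA-PSK passphrase.

Each guess costs a PMK derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1 keyed by the
passphrase, salted with the SSID, 4096 iterations, 256-bit output), so the
per-machine guess rate is set by PBKDF2, not by the comparison that follows it.
"""
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_guess_rate(ssid: str = "linksys", samples: int = 200) -> float:
    """Guesses per second on this machine (SSID and candidates are assumed values)."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:05d}", ssid)
    return samples / (time.perf_counter() - t0)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def phrase_keyspace(words: int, max_words: int) -> int:
    """Passphrases of 1..max_words words drawn from a word list, order and repeats allowed."""
    return sum(words ** n for n in range(1, max_words + 1))


def crack_seconds(space: int, rate_per_machine: float, machines: int = 1, fraction: float = 1.0) -> float:
    """Time to search `fraction` of the space (1.0 = worst case, 0.5 = expected)."""
    return space * fraction / (rate_per_machine * machines)


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    botnet, rate = 50_000_000, 45.0  # the figures used in the thread
    print(f"this machine: {measure_guess_rate():.0f} PBKDF2 guesses/s")
    for length in (8, 11, 20):
        print(f"{length:2d} random printable chars: {human(crack_seconds(keyspace(96, length), rate, botnet))}")
    # the 'fleabert scratches too much' case: short sequences of common words, assumed 10,000-word list
    for n in (3, 4):
        print(f"{n} common words:           {human(crack_seconds(phrase_keyspace(10_000, n), rate, botnet))}")
```

Run it and the 8-character case lands on the 37 days quoted above and the 11-character case on roughly 90,000 years; the word-list lines show why a passphrase made of dictionary words has to be judged by word count, not character count.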

Re:Virtually impossible? (3, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#21532971)

Of course, any security can be cracked... I personally use a shared key that is significantly longer than that. adding 1 extra character over 8 makes it 96^9, but adding, say 3 extra characters makes it 6382393305518410039296 possible password combinations, which would take that same botnet like 90,000 years to crack.

Oh, yeah, and bear in mind: those 50,000,000 would all have to be in range of the access point and would have to not overwhelm the access point. Even the best Cisco Aironet equipment isn't going to handle that kind of load.

Re:Virtually impossible? (1)

VenTatsu (24306) | more than 6 years ago | (#21533391)

You only need one computer in range of the WAP to capture the encrypted traffic. Then a bot net could be used to attempt to decrypt the traffic. While doing this is significantly harder than trying to associate directly it is also totally passive, and can be run in parallel.

Re:Virtually impossible? (1)

morgan_greywolf (835522) | more than 6 years ago | (#21534949)

Using that method, you have to know something about the encrypted traffic in order to determine if you've found the plaintext or not. In any regard, you'll have to apply some analysis to figure that out and that means you'll need more processing power than what was mentioned.

Re:Virtually impossible? (2, Informative)

cbiltcliffe (186293) | more than 5 years ago | (#21538283)

You need to look into cracking WPA-PSK. You don't need to know anything about the traffic. All you need are 4 packets, one of which is a hash of the passphrase. You hash your passphrase list until you find one that matches the hash captured from the AP, and then you've got your passphrase. No extra traffic necessary.
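What the four captured packets give an attacker, as an added example rather than code from the posts or from any cracking tool: the 4-way handshake carries no hash of the passphrase itself, but the nonces and an EAPOL frame whose MIC is keyed from a PTK derived from the PMK. Each candidate passphrase is therefore run through PBKDF2 and the 802.11i key schedule, and the recomputed MIC is compared with the captured one. The key schedule below follows IEEE 802.11i; the addresses, nonces, EAPOL bytes and word list are constructed for the example.

```python
"""Added example: what a WPA2-PSK handshake attack actually verifies."""
import hashlib
import hmac
from typing import Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 under the KCK (first 16 PTK bytes), truncated to 16 bytes."""
    return hmac.new(kck, eapol_with_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase: str, hs: dict) -> bytes:
    """MIC a client would have produced for this handshake under `passphrase`."""
    ptk = derive_ptk(wpa_pmk(passphrase, hs["ssid"]), hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])
    return eapol_mic(ptk[:16], hs["eapol"])


def crack_handshake(hs: dict, wordlist) -> Optional[str]:
    """Return the first candidate whose recomputed MIC matches the captured one, else None."""
    for cand in wordlist:
        if hmac.compare_digest(handshake_mic(cand, hs), hs["mic"]):
            return cand
    return None


def constructed_handshake(passphrase: str = "fleabert scratches too much", ssid: str = "linksys") -> dict:
    """A fake capture with fixed addresses and nonces (constructed sample, not real traffic)."""
    hs = {
        "ssid": ssid,
        "ap": bytes.fromhex("001122334455"),
        "sta": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        # stand-in for message 2 of 4 with its 16-byte MIC field zeroed; constructed bytes, not a parsed frame
        "eapol": bytes.fromhex("0103007502010a00000000000000000001") + bytes(range(32, 64)) + bytes(100),
    }
    hs["mic"] = handshake_mic(passphrase, hs)
    return hs


if __name__ == "__main__":
    hs = constructed_handshake()
    print(crack_handshake(hs, ["password", "dave sucks", "fleabert", "fleabert scratches too much"]))
```

The check needs only the two MAC addresses, both nonces and one MIC-bearing EAPOL frame, which is why a passive capture of the handshake is enough and why nothing about the later data traffic has to be known.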

Re:Virtually impossible? (0)

Anonymous Coward | more than 6 years ago | (#21536221)

They don't have to be in range of the access point. You capture the traffic and process it later. All you need is to send the encrypted packet capture out to the botnet and let them try to decrypt it.

Re:Virtually impossible? (2, Informative)

Anonymous Coward | more than 6 years ago | (#21533491)

yea, but if you set up your wireless network with a specific set of MACs and only allow those macs to log in, keep all of your machines on so someone can't hijack the mac, and disable logins to your router from anything but one of those macs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

If you augment this with weekly password changes and the strongest possible password, they aren't getting in unless they control a lot of systems. Yea they could still break your wireless network eventually, but there are other wireless networks that are far easier to get into so they'd move on.

Beyond that you secure the hosts on your network as well.

Security isn't about making your network unbreakable, which is impossible. It's about making your network not worth someone's time to break into. You do this with layered security and being polite.

Network crackers go for the low hanging fruit every time, unless it's a targeted attack, which most home users don't ever need to worry about unless they piss off the wrong person. They'll get your neighbor that didn't change the default password and doesn't password his hosts. There's a buffet out there of easy to break networks, so chances are, if you take reasonable precautions, and don't go around flaming people, you are fine.

Personally I don't run a wireless network. I pulled Cat5-e to every room in the house while I was rehabbing and don't need it. I did this before WEP matured because I didn't trust wireless at the time, wired networks Just Work(tm) and are much faster. Of course it's easy to do this when your walls are open 8)

-AC

Re:Virtually impossible? (1)

lubricated (49106) | more than 6 years ago | (#21534473)

>>yea, but if you set up your wireless network with a specific set of MACs and only allow those macs to log in, keep all of your machines on so someone can't hijack the mac, and disable logins to your router from anything but one of those macs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

or you could just change your mac. This is very easy.
ifconfig eth1 hw ether newmacaddress

this also isn't only about breaking in but you can also listen passively without ever stepping foot onto the network.

Re:Virtually impossible? (2, Interesting)

Alpha830RulZ (939527) | more than 6 years ago | (#21535045)

Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45/tries a second metric. eg., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

Even so called security professionals seem to have trouble with this. One of my favorite gripes is the security team at my new employer, who insist on forcing us to use 8 to 10 character passwords, no more, no less. They demand a numeral and a special character, which actually reduces the search space substantially. I am prone to setting up passwords for people like "Eagles~In*Trees" which is easy to remember, and tough to crack, but they won't let me any more, forcing us to issue things like "sFg#8Jk@", which the user promptly writes on a sticky note and pastes to the monitor so they won't forget it.

Re:Virtually impossible? (2, Informative)

kickdown (824054) | more than 6 years ago | (#21535383)

"WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."

You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1X (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by an AAA server *anew for every session*. I.e. as soon as someone logs off and on again, your calculations got to start from scratch. I'm assuming people don't stay connected 37 days continuously on a WiFi connection, so your botnet attack is rendered useless. To be on the safe side, you can set your APs to negotiate new keys at your personal paranoia level time interval even when connections persist.

Even with WPA-PSK, your reasoning is only correct if you really want the PMK of WPA-PSK. Your botnet could be faster if you just want the current session key: it is 128 bits in length (both with TKIP encryption and AES), so you only need to try 2^128 numbers to get in. The amount of randomness for the PMK is irrelevant if you just want to get into a session quick-and-dirty. Another reason for WPA users to rekey every so often.

WPA-Enterprise is used worldwide in educational institutions in a free (as in spirit and in beer) manner right now, including worldwide roaming: check http://www.eduroam.org./ [www.eduroam.org] . Even in Queensland numerous universities are participating and thus have something at their disposal that is way less susceptible than static session keys. http://www.aarnet.edu.au./Content.aspx?p=133/ [aarnet.edu.au] suggests that University of Queensland is in, so I guess they are just doing the research to show people how insecure WLAN networking is if you *don't* use IEEE 802.1X :-) Yes, that was a shameless sales pitch. This is slashdot, I'm *supposed* to promote my pet projects here, right?
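The settings this thread argues over (PSK versus 802.1X, passphrase length, TKIP, rekeying) can be checked mechanically in an access point's configuration. The following is an added example, not code from any poster or from hostapd itself: a small parser for hostapd's `key=value` format and an audit that flags the weak choices, run over two constructed configurations, one the typical home PSK setup and one the 802.1X/RADIUS setup kickdown describes. The option names are hostapd's own; the passphrase-length and rekey-interval thresholds, the RADIUS address and the shared secret are assumptions.

```python
"""Added example: auditing a hostapd.conf for the weak WPA choices discussed in the thread."""
from typing import Dict, List

WEAK_PSK = """\
# constructed home-router style configuration
interface=wlan0
ssid=homenet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=fleabert
"""

ENTERPRISE = """\
# constructed WPA2-Enterprise configuration; server address and secret are placeholders
interface=wlan0
ssid=corpnet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=radius-secret-placeholder
eap_reauth_period=3600
wpa_ptk_rekey=600
wpa_group_rekey=600
"""

# hostapd defaults that matter for the audit: PTK rekey off, group rekey every 600 s
DEFAULTS = {"wpa_ptk_rekey": "0", "wpa_group_rekey": "600"}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Minimal key=value parser; blank lines and '#' comments are ignored as hostapd does."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: Dict[str, str], min_psk_len: int = 20, max_rekey: int = 3600) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing in scope was flagged."""
    findings: List[str] = []
    if conf.get("wpa", "0") == "0":
        findings.append("no-wpa: interface is open or WEP-only")
    elif conf.get("wpa") == "1":
        findings.append("wpa1-only: RSN/WPA2 (wpa=2) is not offered")
    ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("tkip: TKIP pairwise cipher enabled")
    mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())
    if "WPA-PSK" in mgmt:
        psk = conf.get("wpa_passphrase", "")
        if psk and len(psk) < min_psk_len:
            findings.append(f"short-psk: {len(psk)}-char passphrase is within offline-guessing reach")
        if not psk and "wpa_psk" not in conf:
            findings.append("no-psk: WPA-PSK selected but no passphrase or raw PSK configured")
    if "WPA-EAP" in mgmt and (conf.get("ieee8021x") != "1" or "auth_server_addr" not in conf):
        findings.append("eap-misconfig: WPA-EAP needs ieee8021x=1 and an auth_server_addr")
    for opt in ("wpa_ptk_rekey", "wpa_group_rekey"):
        secs = int(conf.get(opt, DEFAULTS[opt]))
        if secs == 0 or secs > max_rekey:
            findings.append(f"rekey: {opt} disabled or longer than {max_rekey}s")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK_PSK", WEAK_PSK), ("ENTERPRISE", ENTERPRISE)):
        print(name, audit_hostapd(parse_hostapd(text)) or ["ok"])
```

On the enterprise side the per-session PMK comes from the RADIUS exchange, so `wpa_passphrase` is absent and the audit has nothing to measure; `eap_reauth_period` and the two rekey options are what bound the lifetime of any one key.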

Re:Virtually impossible? (1)

Hawkeye05 (1056362) | more than 6 years ago | (#21537959)

I wish i had mod points right now cause that post is damn worth it.

Re:Virtually impossible? (1)

kryliss (72493) | more than 5 years ago | (#21538907)

Strangely enough, from the days when I had to reinstall Win98 on several machines all the time, I have that 25 character key memorized.. that's what I use for my WPA encryption. Haven't seen anyone crack that one yet.

FEARMONGERUR (-1)

Anonymous Coward | more than 5 years ago | (#21539395)

EAT MY DICK SACK

Signal roundtrip times is the tipoff (1, Flamebait)

BadAnalogyGuy (945258) | more than 6 years ago | (#21531717)

This is a good heuristic, but may be misleading in the case of faulty client hardware or over-active powersaving routines.

But look, if you want a secure wifi, perhaps you're misunderstanding the need for wifi. Pervasive internet connections without wires is what we want. If you want to broadcast wifi, you ought to be required to provide this service to all listeners (how many times have I been to a customer site which had wifi that was locked down and inaccessible?). If you want to implement some sort of auth system to create private networks atop the wifi, hey, that's cool too. But leave the router open, wouldya?

Re:Signal roundtrip times is the tipoff (2, Insightful)

Silver Sloth (770927) | more than 6 years ago | (#21531899)

But leave the router open, wouldya?
No, I won't.

I don't want anyone not authorised by me on my network. I see no reason why I 'ought to be required to provide this service to all listeners'. Sorry, my network, my rules.

Re:Signal roundtrip times is the tipoff (1)

pipatron (966506) | more than 6 years ago | (#21532163)

He didn't say your network. Just let people browse the big evil world wide web.

Re:Signal roundtrip times is the tipoff (1)

Albio (854216) | more than 6 years ago | (#21532381)

But what if they do something illegal?
Or what if they don't play nice and cause congestion which you don't want to deal with?

Re:Signal roundtrip times is the tipoff (1)

josephdrivein (924831) | more than 6 years ago | (#21537715)

What if leaving a open access to the Internet is illegal?
There are countries in which this is true.

Re:Signal roundtrip times is the tipoff (1)

kalirion (728907) | more than 6 years ago | (#21532409)

Why the Hell would I want random strangers to reduce my bandwidth? If they want to browse the big evil world wide web, let them pay for their own high speed connection.

Re:Signal roundtrip times is the tipoff (2, Insightful)

jasen666 (88727) | more than 6 years ago | (#21533071)

Because if they download kiddie pr0n, it's *MY* IP address that gets logged, and my house the FBI raids looking for said kiddie pr0n.
Not worth the risk to be a good Samaritan to the neighbors who can't afford their own internet.

Re:Signal roundtrip times is the tipoff (1)

Anonymous Coward | more than 6 years ago | (#21533465)

My bandwidth, my rules.

Re:Signal roundtrip times is the tipoff (1)

cheater512 (783349) | more than 6 years ago | (#21532963)

Your network which is being beamed to my house.
If you want it secure, stop broadcasting it. Simple. :)

Re:Signal roundtrip times is the tipoff (1)

icebrain (944107) | more than 6 years ago | (#21531951)

If you want to broadcast wifi, you ought to be required to provide this service to all listeners
If I'm paying for the router, the connection, and all that... why should I have to allow someone to mooch it for free?

Re:Signal roundtrip times is the tipoff (1)

pipatron (966506) | more than 6 years ago | (#21532185)

Because it doesn't cost you anything extra, and if you do that, the moochers will let you browse for free when you're somewhere and need to check something.

Re:Signal roundtrip times is the tipoff (1)

kalirion (728907) | more than 6 years ago | (#21532433)

Doesn't cost you anything extra except bandwidth you mean. And money if they decide to bittorrent a few songs. And jail time if they decide to visit a few child porn sites.

Re:Signal roundtrip times is the tipoff (1)

hedwards (940851) | more than 6 years ago | (#21532567)

No, it isn't free. It might not cost any money directly, but I'd personally factor in the cost of the possibility of dealing with the police or FBI at some point into the cost.

Anybody posting here should know better than to leave a WAP open, the amount of trouble that can be caused by somebody abusing the set up is more than sufficient to justify keeping a sound security policy. Even then it may get broken, but that's where plausible deniability comes into it.

Re:Signal roundtrip times is the tipoff (1)

xappax (876447) | more than 6 years ago | (#21533451)

Even then it may get broken, but that's where plausible deniability comes into it.

You always have plausible deniability, even if you don't have an access point at all. It's completely possible and quite frequent that people's computers are 0wned by viruses and trojans, and used to route anonymous traffic, send spam, and mount scans and attacks on other machines. If securing your systems was required to give plausible deniability, millions upon millions of computer users could be subject to criminal prosecution right now.

i'd personally factor in the cost of the possibility of dealing with the police or FBI at some point

Nothing can protect you from having to deal with the police or the FBI. The RIAA habitually uses bogus, unreliable IP records to prosecute people who had nothing to do with the accused crime. The police are known to make similar mistakes, and the FBI has a long honorable history of seizing computer hardware on "hunches" or anonymous unsubstantiated tips they received.

Keeping your network open doesn't put you in any more legal danger. But more importantly, locking down your network doesn't make you any safer from arbitrary harassment by the authorities.

Re:Signal roundtrip times is the tipoff (1)

Mister Whirly (964219) | more than 6 years ago | (#21534483)

"You always have plausible deniability"

Yeah, that worked splendidly in the Jammie Thomas case [wired.com] .

"Nothing can protect you from having to deal with the police or the FBI."

Well, not completely, but I would say not allowing people to commit crimes on your network would do something to dissuade that a little bit. And this [arstechnica.com] headline couldn't more clearly refute your claim - "Child porn case shows that an open WiFi network is no defense". From TFA -
The merits of leaving your wireless access point (WAP) open have been discussed and debated at length, especially when it comes to law enforcement. There is a growing belief that file sharers can protect themselves against lawsuits by keeping their wireless access points open. The problem is, it won't necessarily.
A Texas man who was convicted of possessing child pornography tried to use his open WiFi network as a defense, saying that someone else could have used the same network to traffic in pornographic images. The US Court of Appeals for the Fifth Circuit didn't buy his argument and upheld the conviction.

So while I do admire your spirit, you are obviously NAL and should stop dispensing questionable legal advice. I mean who should I believe - you or the US Supreme Court when it comes to legal questions about WiFi?

Reading TFA. (2, Informative)

Eevee (535658) | more than 6 years ago | (#21535607)

Well, the first thing you need to do is actually start reading the article you're using for support. From the fine article you quoted:

The FBI says it found CDs with child porn in Perez's room, the only one it searched.

Up to the time you can show how a wifi connection will make a physical CD magically show up in a room, then any argument about plausible deniability based off this case is full of it. You can't claim someone else was using your wireless connection to download child porn when you have a big stack of CDs with child pornography on them. Nobody is stupid enough to believe that. The only way this could have been a test case would be if they hadn't found any evidence beside the network traffic.


What this shows is that illegal traffic coming to/from your address constitutes probable cause, which is a different kettle of fish.

Re:Reading TFA. (1)

Mister Whirly (964219) | more than 6 years ago | (#21535979)

Read even further. It was most likely his roommate who had the kiddie porn, but they still basically ruled it was his connection and his liability. With no probable cause, there is no search and seizure. Eliminate the first step and you don't need to worry about the rest. And sorry, but this IS a test case no matter what other evidence was found. Until it is overturned, the ruling stands as precedent in all other cases after it.

Re:Signal roundtrip times is the tipoff (1)

xappax (876447) | more than 6 years ago | (#21535903)

And this headline couldn't more clearly refute your claim - "Child porn case shows that an open WiFi network is no defense"

But the crime in that case wasn't committed over an open wireless network. The argument was that a search warrant shouldn't have been granted because of the open access point, it didn't have anything to do with plausible deniability. The guy was caught with CDs of child porn in his room, which is pretty open and shut, he was just trying to get off on a technicality about the search warrant. The precedent this case established was that an open access point wasn't enough to eliminate the probable cause needed for a search warrant, it didn't make any judgment about plausible deniability.

you are obviously NAL and should stop dispensing questionable legal advice

Fair enough, but as far as I know there is no legal precedent which says that you bear legal responsibility for all traffic that happens to travel through your publicly available network. And furthermore, like I said, if there was such a precedent, it would open up everyone with a malware-infected computer to prosecution for computer crimes. "Common carrier" status is a long established precedent which would appear to apply to individuals with open access points, and though it's true I'm not a lawyer, I'm not aware of any high-level judgments which say otherwise. Let me know if there are any.

Re:Signal roundtrip times is the tipoff (1)

Mister Whirly (964219) | more than 6 years ago | (#21537531)

The crime that caused the FBI to have probable cause WAS committed over an open wireless network - downloading child porn. They could have never searched his apartment without that evidence. In this case the person had deniable plausibility, in fact all signs pointed to his roommate being the guilty party. But that didn't stop him from being charged because it was his connection that was used. I don't know about you, but I would rather not give law enforcement probable cause to search my house, even if I had plausible deniability up the wazoo. And IANAL either, but I thought "common carrier" status was only granted to companies that were ISPs, not individuals.

Re:Signal roundtrip times is the tipoff (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#21536125)

You always have plausible deniability, even if you don't have an access point at all. It's completely possible and quite frequent that people's computers are 0wned by viruses and trojans, and used to route anonymous traffic, send spam, and mount scans and attacks on other machines. If securing your systems was required to give plausible deniability, millions upon millions of computer users could be subject to criminal prosecution right now.
In case you hadn't noticed, they confiscate first and ask questions later. What happens when they confiscate and find that no, there is no malware present? That rather rules out that defense, now doesn't it.

Nothing can protect you from having to deal with the police or the FBI. The RIAA habitually uses bogus, unreliable IP records to prosecute people who had nothing to do with the accused crime. The police are known to make similar mistakes, and the FBI has a long honorable history of seizing computer hardware on "hunches" or anonymous unsubstantiated tips they received. Keeping your network open doesn't put you in any more legal danger. But more importantly, locking down your network doesn't make you any safer from arbitrary harassment by the authorities.

Where to begin on this. Let me see if I get it right: sometimes mistakes are made, so if someone is /really/ doing something illegal on your open network, you don't have any increased chance of getting blamed for it. How's that again?

Re:Signal roundtrip times is the tipoff (1)

plague3106 (71849) | more than 6 years ago | (#21533957)

Even then it may get broken, but that's where plausible deniability comes into it.

No, it doesn't. At that point you need to offer some evidence that someone actually did compromise your computer / network.

Re:Signal roundtrip times is the tipoff (0)

Anonymous Coward | more than 6 years ago | (#21532417)

if I'm paying for the router, the connection, and all that... why should I have to allow someone to mooch it for free?
"If I'm spending MY time writing an operating system, why should I allow someone else to use it for free?" Decency? Sharing? I don't know. Do you use any Open Source software, you mooch?

Re:Signal roundtrip times is the tipoff (1)

Mister Whirly (964219) | more than 6 years ago | (#21535839)

software != hardware - Please cite some examples of your "open source hardware" that people are giving away for free.

Re:Signal roundtrip times is the tipoff (0)

Anonymous Coward | more than 6 years ago | (#21536457)

hardware != services. I can think of plenty of services people give away for free.

Re:Signal roundtrip times is the tipoff (2, Insightful)

X0563511 (793323) | more than 6 years ago | (#21532411)

What I love is that (the summary at least) article states you can use this to see if someone is monitoring your network.

Excuse me? How in the hells would you tell if someone was passively reading incoming radio waves? Isn't that the point of active vs passive radar systems, for instance? You can't!

Re:Signal roundtrip times is the tipoff (1)

Mister Whirly (964219) | more than 6 years ago | (#21534193)

Sure, I'll unsecure my wireless network for you to use. As long as you leave your front door unlocked so I can come over to your house anytime I want, make a sandwich, watch some TV, play some video games, etc.
Entertainment is what we want. If you want to do entertaining things, you ought to be required to provide this service to all.

Not enough information (0)

Anonymous Coward | more than 6 years ago | (#21531727)

Sorry, but the article is so low on information, it's practically useless...

Doesn't seem too practical (5, Insightful)

faloi (738831) | more than 6 years ago | (#21531729)

The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

It's an interesting idea, but I have a hard time seeing it become widespread.
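One way to turn the signal-strength and round-trip-time idea from the summary into detection logic, as an added example written for this page and not the QUT system or any poster's code. It keeps a per-client baseline (median and median absolute deviation of RSSI and RTT), flags readings that fall far outside it, flags clients never seen before, and flags one MAC reported from two incompatible positions inside a single window, which is the cloned-MAC or hijacked-session case raised elsewhere in the thread. All observations are constructed, and the thresholds are assumptions; the mobility objection above still applies, since a laptop carried to the car produces exactly the first kind of alert.

```python
"""Added example: flagging wireless clients by RSSI and round-trip time against a per-client baseline."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp in s, client MAC, RSSI in dBm as seen by the AP, probe round-trip time in microseconds)
Obs = Tuple[float, str, float, float]

HISTORY: List[Obs] = [  # a quiet period for two known clients; constructed sample data
    (t, "aa:aa:aa:00:00:01", r, d)
    for t, r, d in ((10, -45, 20), (20, -47, 21), (30, -44, 19), (40, -46, 22), (50, -45, 20), (60, -48, 21))
] + [
    (t, "bb:bb:bb:00:00:02", r, d)
    for t, r, d in ((10, -52, 25), (20, -50, 24), (30, -53, 26), (40, -51, 25), (50, -52, 27), (60, -50, 24))
]

NEW_WINDOW: List[Obs] = [  # one ten-second window under examination; constructed sample data
    (100.0, "aa:aa:aa:00:00:01", -46, 21),  # normal
    (101.0, "bb:bb:bb:00:00:02", -51, 25),  # normal reading from the real client...
    (104.0, "bb:bb:bb:00:00:02", -85, 48),  # ...and the same MAC from much farther away
    (105.0, "cc:cc:cc:00:00:03", -80, 44),  # never seen before
]

Baseline = Tuple[float, float, float, float]  # median RSSI, MAD RSSI, median RTT, MAD RTT


def baselines(history: List[Obs]) -> Dict[str, Baseline]:
    """Per-MAC medians and MADs; the MAD is floored at 1 so a very steady client does not divide by zero."""
    by_mac: Dict[str, List[Obs]] = defaultdict(list)
    for o in history:
        by_mac[o[1]].append(o)
    out: Dict[str, Baseline] = {}
    for mac, obs in by_mac.items():
        rssi = [o[2] for o in obs]
        rtt = [o[3] for o in obs]
        med_r, med_t = statistics.median(rssi), statistics.median(rtt)
        mad_r = max(statistics.median([abs(x - med_r) for x in rssi]), 1.0)
        mad_t = max(statistics.median([abs(x - med_t) for x in rtt]), 1.0)
        out[mac] = (med_r, mad_r, med_t, mad_t)
    return out


def robust_z(x: float, median: float, mad: float) -> float:
    """Robust z-score: 0.6745 scales MAD to the standard deviation of a normal distribution."""
    return 0.6745 * (x - median) / mad


def flag_window(window: List[Obs], base: Dict[str, Baseline], z_limit: float = 6.0, clone_db: float = 20.0) -> List[str]:
    """Alerts for off-baseline readings, unknown clients, and one MAC seen from two positions at once."""
    alerts: List[str] = []
    seen: Dict[str, List[Obs]] = defaultdict(list)
    for ts, mac, rssi, rtt in window:
        seen[mac].append((ts, mac, rssi, rtt))
        if mac not in base:
            alerts.append(f"{mac}: unknown client at {rssi} dBm / {rtt} us (t={ts})")
            continue
        med_r, mad_r, med_t, mad_t = base[mac]
        zr, zt = robust_z(rssi, med_r, mad_r), robust_z(rtt, med_t, mad_t)
        if abs(zr) > z_limit or abs(zt) > z_limit:
            alerts.append(f"{mac}: off baseline (rssi z={zr:.1f}, rtt z={zt:.1f}) at t={ts}")
    for mac, obs in seen.items():
        rssis = [o[2] for o in obs]
        spread = max(rssis) - min(rssis)
        if len(obs) > 1 and spread > clone_db:
            alerts.append(f"{mac}: seen from two positions {spread:.0f} dB apart in one window (cloned MAC or hijacked session?)")
    return alerts


def run_demo() -> List[str]:
    """Apply the constructed window to the constructed history."""
    return flag_window(NEW_WINDOW, baselines(HISTORY))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The third alert is the one a passive eavesdropper never triggers: someone only listening sends no probe responses, so RTT and RSSI exist only for stations that transmit, which is the limit several posters point at.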

Re:Doesn't seem too practical (1)

BadAnalogyGuy (945258) | more than 6 years ago | (#21531777)

It's an interesting idea, but I have a hard time seeing it become widespread.

Given that the primary researcher now works for a hardware maker (last line in the article), I wouldn't be surprised to see this as a feature on some routers in the near future.

Re:Doesn't seem too practical (1)

Trigun (685027) | more than 6 years ago | (#21531793)

You think that it's bad now, wait until everyone rolls out wifi enabled cell phones. In a large corporation, hackers could hide an elephant in that background noise.

Re:Doesn't seem too practical (2, Insightful)

cyriustek (851451) | more than 6 years ago | (#21531805)

Whilst you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN at his car is an outlier to the data set. If the system notices someone from that location connecting to the network, it can either force a new authentication event requiring a local cert, or simply shut down the AP the external person is connecting to. (Preferably shutting it down.)

As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they had to do is so important, they can either go into the building, or wait until they are home and use their VPN connection.

Re:Doesn't seem too practical (1)

faloi (738831) | more than 6 years ago | (#21531863)

That's actually a good point. I come at it from the point of view of the large companies I've worked for. To get on the corporate network via a wireless connection, you still have to authenticate to a VPN server. We have a separate wireless network that visitors from other companies can use, but it's got no connection to the corporate network. I'm sure it's not that way for every large company.

Re:Doesn't seem too practical (1)

Cyno (85911) | more than 6 years ago | (#21536831)

If their networks are so sensitive and secure why transmit ANYTHING over the air? This is just another way to use the illusion of security to adopt a police state. In the article they mention sending out armed guards to check on the intrusions, etc. See, they're already thinking in the right direction.

Damn (4, Funny)

FredDC (1048502) | more than 6 years ago | (#21531755)

What? No, but this means that I[NO CARRIER]

Re:Damn (1)

jam244 (701505) | more than 6 years ago | (#21533219)

What? No, but this means that I[NO CARRIER]
I see the network admin was nice enough to hit Submit for you.

don't bother (0)

Anonymous Coward | more than 6 years ago | (#21531811)

Restricting your WLAN from "intruders" has a number of side effects, some good and some bad. If your systems are safe and you have lots of bandwidth, leave the WLAN wide open as it will create some defence for plausible deniability in the event some RIAA scum bag comes knocking on your door claiming you stole music. Just make sure you don't leave any other evidence behind. Wikipedia in this case doesn't give this justice; you may have to find other ones. Look at TrueCrypt hidden volumes for other hints. http://en.wikipedia.org/wiki/Plausible_deniability [wikipedia.org]

"detect eavesdropping" (3, Insightful)

Anonymous Coward | more than 6 years ago | (#21531813)

Yeah, right, detect eavesdropping. Any other snake oil you want to sell?

Re:"detect eavesdropping" (1)

ice_nine6 (1149219) | more than 6 years ago | (#21531885)

Seems to be a poor summarization - the article makes no mention of detecting eavesdropping (which would be impossible).

Re:"detect eavesdropping" (0)

Anonymous Coward | more than 6 years ago | (#21533129)

Err, isn't that what quantum "cryptography" is all about?

Re:"detect eavesdropping" (0)

Anonymous Coward | more than 6 years ago | (#21533611)

Is that 802.11q?

Re:"detect eavesdropping" (0)

Anonymous Coward | more than 6 years ago | (#21531971)

yeah, I have these WMDs (Wifi Mobile Devices?) that I'm selling. got em from Iraq or Iran or one of them I countries.

Re:"detect eavesdropping" (1)

Actually, I do RTFA (1058596) | more than 6 years ago | (#21532831)

Yeah, right, detect eavesdropping. Any other snake oil you want to sell?

I have a pain-relief gel which has a side-effect of super-(strength/speed/control of sea animals).

Triangulation (4, Interesting)

JustKidding (591117) | more than 6 years ago | (#21531821)

So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.

Makes sense. (2, Interesting)

ufoolme (1111815) | more than 6 years ago | (#21531835)

Aussies are really into all this wireless stuff!

I'm fairly new to all this but at a very basic level it seems to make sense.
It's just a more complex method of looking at the flashing lights on the modem to see if it's in sync with your known wireless connections. -- Okay, a lot more complex than that.

I wonder if this can be applied to other wireless systems, e.g., radio systems. If so it would be very useful.

Eavesdropping? (0)

Anonymous Coward | more than 6 years ago | (#21531857)

And just how does this detect eavesdropping?

eavesdropping (5, Interesting)

backwardMechanic (959818) | more than 6 years ago | (#21531903)

You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?

Re:eavesdropping (2, Interesting)

atdt1991 (1069776) | more than 6 years ago | (#21532199)

Quantum Entanglement! We've got on-board chips for that ... right?

Re:eavesdropping (1)

mossmann (25539) | more than 6 years ago | (#21533667)

TFA doesn't claim a method for detecting eavesdropping. Bad summary.

Re:eavesdropping (1)

backwardMechanic (959818) | more than 6 years ago | (#21534589)

Fair enough. Like a good ./'er I haven't read it, of course ;-)

Nothing to see here, move along (2, Funny)

Anonymous Coward | more than 6 years ago | (#21531967)

"Depending on how sensitive the network is, armed security guards could be deployed [...]"

And they would shoot the guy with the laptop in the lobby? Whoops, wrong guy. It was the other guy in the lobby. Nope, it was the woman in the parking lot. Wait, no, it was an anomaly.

Sounds more like a weak attempt at a research project.

Re:Nothing to see here, move along (1)

Firethorn (177587) | more than 6 years ago | (#21532773)

I work around some areas that would have this much sensitivity; it'd be more like 'there's somebody/something over there that's not authorized', they'd go check everyone, find the device and arrest.

Shooting would only come into effect if they resisted.

Of course, at those security levels they don't use wireless.

Re:Nothing to see here, move along (1)

marcello_dl (667940) | more than 6 years ago | (#21532845)

Armed guards should first look for the guy who thinks a sensitive network can adopt wireless connections.

The German Police (1)

thegermanpolice (1194811) | more than 6 years ago | (#21531985)

The German Police will be pleased.

Australia's University of Technology ? (3, Informative)

mybecq (131456) | more than 6 years ago | (#21532043)

Australia's University of Technology in Queensland
Otherwise known in reality as the Queensland University of Technology [qut.edu.au] in Australia.
Zonk or Bergkamp10, please do us all a favour and don't change the name of institutions.

Where's the paper? (1)

Raleel (30913) | more than 6 years ago | (#21532169)

I don't see it or this news on the QUT IIS website.

How is this ground breaking? (5, Insightful)

computerchimp (994187) | more than 6 years ago | (#21532241)

1) hopping from one router to another is detected via traditional means
2) higher than average roundtrip times are noticed via traditional means
3) signal is triangulated via traditional means to put a location on a suspected signal.

A new but obvious procedure that someone has decided to put to paper and product. It is a nice product to notice but this is about as ground breaking as peanut butter and chocolate.

CC

Re:How is this ground breaking? (0)

Anonymous Coward | more than 6 years ago | (#21532589)

Peanut butter and Chocolate? WOW! What a great idea!!

invisible intruders... (0)

Anonymous Coward | more than 6 years ago | (#21532261)

We have invisible intruders now!?!
I'm more interested to know how these intruders managed to render themselves invisible.
Have they actually caught one yet?

Use 1x (1)

MT628496 (959515) | more than 6 years ago | (#21532313)

Use 802.1x authentication on your wireless network, or use a gateway that will log users in through a browser and you eliminate a lot of problems.

Re:Use 1x (1)

TechyImmigrant (175943) | more than 6 years ago | (#21533383)

802.1X (It's a capital X) is not an authentication protocol. It's an architecture (1X) and a protocol (EAPoL) to carry a protocol (EAP) that carries authentication protocols (EAP methods).

What you said is akin to recommending a purchaser of a computer use the box it came in.

Doesn't appear to track eavesdropping (1)

davidwr (791652) | more than 6 years ago | (#21532513)

This technique doesn't appear to handle eavesdropping attacks, where the attacker records radio traffic for real-time or post-analysis.

By capturing signals, unencrypted and WEP-encrypted traffic can be snooped for sensitive data.

This same technique also works against other weakly-encrypted or unencrypted protocols, provided you can get close enough to snoop. I'm thinking infrared keyboards and possibly Bluetooth, not to mention old-fashioned CRT-sniffing using a specially-equipped police van like you see in the movies. Of course all of these have very limited range.

In practical terms, if you only allow very strongly authenticated connections you should be immune from both snooping and hijacking. Of course, you'll still have to worry about a denial-of-service attack when your adversary floods the airwaves at the most inconvenient time.

All that said, this technique is one more item in the network administrator's bag of tricks.

Re:Doesn't appear to track eavesdropping (0)

Anonymous Coward | more than 6 years ago | (#21534091)

Yeah, I was looking for the same thing when reading the article. They implied they could catch passive snoopers, then they gave an explanation of how that would only catch active nodes. If a node is active, there are all sorts of tests beyond what's listed here that can be done to check if it's a rogue.

The only way I've seen to catch passive snooping is to send fake packets out with an unused IP address. You only send these on wireless (never publicly). Then if anyone does a reverse lookup (say running ethereal later), you know you've been snooped. I'm not sure it's worth the effort. I guess it depends on your level of paranoia.
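The canary trick in the comment above, worked through as an added example (not code from the commenter, the paper or any product): decoy frames carry an address nothing legitimate ever uses, and the detection signal is a later reverse (PTR) lookup for that address in the resolver's query log, because the only way a host could have learned the address is by capturing the decoy traffic. The decoy addresses and the BIND-style log lines are constructed; the exact log format on a real resolver may differ, so the regex is an assumption to adjust.

```python
"""
Canary-address detector for the passive-snooper trick described in the thread:
decoy frames mention an address nothing legitimate ever uses, so a later reverse
(PTR) lookup for it means someone captured those frames and is analysing them.
Added example; the decoy addresses and log lines are CONSTRUCTED.
"""
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Decoy addresses carried only in the fake packets. Assumption: nothing on the
# real network is assigned these, so no legitimate PTR query should ever occur.
CANARY_ADDRESSES: Set[str] = {"10.0.200.1", "10.0.200.2"}

# BIND-style query log line (assumed format); tolerant of the optional "(name)"
# that newer BIND versions print after the client port.
QUERY_LINE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)


def reverse_name(addr: str) -> str:
    """10.0.200.1 -> 1.200.0.10.in-addr.arpa (IPv6 gets ip6.arpa the same way)."""
    return ipaddress.ip_address(addr).reverse_pointer


def canary_from_ptr(qname: str) -> Optional[str]:
    """Return the canary address a PTR query name refers to, or None."""
    wanted = {reverse_name(a): a for a in CANARY_ADDRESSES}
    return wanted.get(qname.rstrip("."))


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (querying client, canary address) pairs. Each pair is a host that
    learned an address it could only have seen by capturing the decoy frames."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        canary = canary_from_ptr(m.group("qname"))
        if canary is not None:
            hits.append((m.group("src"), canary))
    return hits


# Constructed sample log: one ordinary PTR lookup, one A lookup, and one PTR for
# a canary address from a laptop that later opened its capture file in a sniffer
# with name resolution turned on.
SAMPLE_LOG = [
    "29-Nov-2007 10:15:02.123 client 10.0.0.23#53112: query: 5.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "29-Nov-2007 10:15:03.004 client 10.0.0.23#53113: query: www.example.com IN A + (10.0.0.1)",
    "29-Nov-2007 18:41:17.552 client 10.0.0.77#49218: query: 1.200.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
]

if __name__ == "__main__":
    for src, canary in scan_log(SAMPLE_LOG):
        print(f"{src} resolved canary {canary}: possible capture of decoy frames")
```

Two caveats the commenter's doubt hints at: the canary only fires if the capturing host (or whoever analyses the capture) resolves the address through a resolver you log, so a snooper with name resolution off is never seen; and the decoy address must be kept out of every inventory, scanner and monitoring system you run yourself, or your own tools become the false positives.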

Wireless 101 (1)

Tastecicles (1153671) | more than 6 years ago | (#21532653)

1. Secure the connection using WEP/WPA/whatever.
2. SPECIFY the MAC addresses of the specific client hardware in the routing table; a whitelist will REJECT any other connection attempt (MOST routers will do this!)
3. TURN OFF SSID Broadcast once you have the specified units set up; this will render the wireless network invisible to casual scanners.

I have never had a support call for hacked wireless on ANY system that I've set up using the three points listed.

Re:Wireless 101 (1)

jasen666 (88727) | more than 6 years ago | (#21533171)

Right, that keeps out amateurs and lazy hackers. Somebody that really, really wants in can still find a way eventually (except for WPA2... that hasn't been cracked yet has it?)

On mine, I've also taken the steps of disabling DHCP, and setting my network subnet mask to 248 as the last octet. This leaves only 6 IPs available, exactly the number of devices on my network. A hacker would not only have to clone a MAC address, but take one of my in-use IP addresses. Not an impossible task, but a pain in the ass and probably not worth the effort.

Re:Wireless 101 (0)

Anonymous Coward | more than 6 years ago | (#21533929)

Did you copy that from George Ou's "Six dumbest ways to secure a wireless LAN"?

1. I can crack WEP faster than you can turn the feature on.
2. I can change my MAC address faster than you can turn the feature on.
3. Not broadcasting the SSID makes you less friendly, not more secure.

    Jeff

Re:Wireless 101 (2, Informative)

robbeh (926092) | more than 6 years ago | (#21534563)

WEP is useless and can be cracked in less than 10 minutes using any laptop made in the last 10 years. Keep on using that WPA though.
MAC filtering is useless because anyone with Kismet can see the active MAC addresses on the network.
SSID hiding is useless because anyone with Kismet can see the active SSIDs around them.

Someone mentioned it earlier, but have a look at this:
http://blogs.zdnet.com/Ou/index.php?p=43 [zdnet.com]

If they're invisible... (1)

billcopc (196330) | more than 6 years ago | (#21532667)

How in the hell can anyone see invisible things? If a passive eavesdropper is quietly capturing all packets without sending anything, you can't monitor them. It's not like there's an electrical connection to the host that you can monitor for power dips.

A more effective solution, which has been employed by every ignorant security "expert" in the world is to claim that all wireless networks are insecure. Yes, Duh! Next question.

To a certain extent, all networks are vulnerable whether they're carried in the aether or forced down optic cabling. That's why we have passwords, encryption and a whole buffet of software-based security paradigms. Assuming someone is friendly just because they share physical environment with you is a very flawed concept. Any half-breed can plug into your switch or wander within your antenna's range.

False Positives and Reliability (1)

neorush (1103917) | more than 6 years ago | (#21533085)

It seems this would work great for a small office scenario with a few users, but I imagine with a larger network and things like iPhones transmitting, connecting, and disconnecting from various distances and signal strengths, "odd" round trip times would seem very difficult to reliably detect. The threshold would either result in a large number of false positives, or miss the real threats altogether. It would certainly be possible to throw out something like an iPhone, but then as an attacker I could just make my signal appear like an iPhone. "Depending on how sensitive the network is, armed security guards could be deployed, or the wireless network may be turned off." I'd be a pretty pissed security guard if I had to try and check out every one of these alarms.

Freeloader (1)

MM_LONEWOLF (994599) | more than 6 years ago | (#21533103)

Damn, no more free web-browsing. But wouldn't it be easier to rig the hardware to only send a signal to a certain distance?

FUD: tracking can be done w/accuracy (1)

postbigbang (761081) | more than 6 years ago | (#21533139)

Newbury Networks, among others, have used triangulation coupled with latency to 'watch' 'intruders' on networks.

Businesses that don't put a lock on their doors-- oops, I mean a strong access key-- invite break-ins. It IS POSSIBLE to secure specific access points to the point where it's no longer useful to try and crack them; WPA2 with a random strong temporal, randomly-changed key (say 24hrs at most) will suffice. Instead, notebooks or stationary devices are more astute targets for the ne'er-do-wells.

I have been doing this for awhile (1)

bitsiphon (879827) | more than 6 years ago | (#21533217)

We deployed Aruba wireless access points that give you location based access 2 years ago. An electronic fence, as it were. It does not solve the problem of eavesdropping and I think encryption is the only solution to limit that type of "Hack". The paper is interesting but obvious in its arguments.

All you kids... (1)

NickCatal (865805) | more than 6 years ago | (#21533533)

Get off my WAN!

This is new? Products that do some/all now... (2, Interesting)

myvirtualid (851756) | more than 6 years ago | (#21533577)

Not to flame or troll or slashvertise, but how is this new? I was at a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/ [airtightnetworks.net] : Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.

According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the system has an extensive database of fingerprints - hardware, software, etc., think of timings and the like specific to particular combinations of OS, firmware, and chipset.

This raises the bar for a snooper: They not only have to clone your MAC addresses, etc., they have to clone the MAC, etc., on a box running the same OS, firmware, chipset, as the legit box. And they have to get the WPA keys right.

(They also have a neato WPA key management app to raise that bar, too.)

Apologies if this seems slashvertisical, but it seems to me the best way to debunk someone's claim of newnessess and neverbeendonebeforedness is to point to a real selling product that does all of the non-vapourware things the someone claims to have invented.

Stating the bleeding obvious.... (1)

sifi (170630) | more than 6 years ago | (#21533627)

He said the valuable commodity at greatest risk on local area networks was information.

What, not like gold bullion or something?

URL to paper (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21533845)

This URL [qut.edu.au] seems to be the paper that presents the approach.

Does not detect eavesdropping (1)

jvkjvk (102057) | more than 6 years ago | (#21535849)

Now, I may not be a physicist, but I'll play one here on Slashdot.

I really don't see how this can detect eavesdropping. Of course, my definition of eavesdropping is that it is a passive activity, listening if you will, but not talking.

Since this technology appears to be predicated on receiving a signal from the "eavesdropper", the real world equivalent would be the eavesdropper butting into your conversation to ask you a question or to tell you something.

Not that it isn't interesting or cool, but perhaps the claim is just a bit wide. Imagine that...

Detects Invisible Intruders My Ass... (1)

PainBreak (794152) | more than 6 years ago | (#21536685)

If a wireless NIC is in passive, promiscuous mode, it doesn't have to send any data out. It doesn't associate itself with the access point, it doesn't ask permission from the network to be there, and it doesn't need to send any response to anything. It's just "listening" and collecting packets as they go to and fro, in the open air. In order to triangulate anything, particularly based on response-time, the intruding node would have to respond, which it doesn't. This is just another half-hearted attempt to squeeze blood out of the turnip that is wireless security. I've sat back and watched bogus installation after bogus implementation of WiFi security measures, everything from Radius utilizing PEAP to centralized management and all access points switched from autonomous to thin mode in an effort to secure a wireless network. Oh, but make sure we leave a WEP-only SSID, because we have legacy equipment that only supports an unencrypted network, or 64 bit WEP. I can't wait to see this implemented!

Re:Detects Invisible Intruders My Ass... (1)

Hawkeye05 (1056362) | more than 6 years ago | (#21538123)

The very best way to secure a wireless network is to make yours look like less of a target than others around you. I personally have a 13 digit WPA2 passphrase including numbers and MAC filtering, overall pretty solid. But then my neighbors have completely unlocked wireless with their routers using the default settings; anyone who would choose me over them would have to be either really bored or wanting to specifically see what I'm doing. I'm not paranoid about this, but I do check my router every 2 weeks or so just to make sure that only the right computers log in. If I see my laptop logged in all by itself at 2AM even though it was disassembled, I know I have a problem; other than that I don't really care.