Intruder in my wireless network? / intrusion detection programs

 
 
Valok

 
      05-08-2006, 09:06 PM
Hi!

Today I got the message that unknown computers are connected to the wireless
network on my firewall. Usually, it just shows other computers in our
household, since 2 or 3 PCs have internet connection on our network.

But today, it showed an entirely different IP address, as if someone from
outside tried to log in to our network.

I searched for a better program to be able to detect and eliminate wifi
intruders, and found "air snare", but it doesn't start, says a file is not
properly registered. In the online help it says the computer on which you
install air snare should be directly connected to the router. This is not
the case, since our router (D-Link DI-624+) is directly connected to an Apple
Macintosh computer.

Could you maybe tell me where to find other WiFi intrusion detection
programs, and how to install and use them?

Thanks in advance,
Valok


 
 
 
 
 
John Navas

 
      05-08-2006, 09:28 PM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <445fb2e1$0$12930$(E-Mail Removed) lekom.at> on Mon, 8 May
2006 23:06:41 +0200, "Valok" <(E-Mail Removed)> wrote:

>Today I got the message that unknown computers are connected to the wireless
>network on my firewall. Usually, it just shows other computers in our
>household, since 2 or 3 PCs have internet connection on our network.
>
>But today, it showed an entirely different IP address, as if someone from
>outside tried to log in to our network.
>
>I searched for a better program to be able to detect and eliminate wifi
>intruders, and found "air snare", but it doesn't start, says a file is not
>properly registered. In the online help it says the computer on which you
>install air snare should be directly connected to the router. This is not
>the case, since our router (D-Link DI-624+) is directly connected to an Apple
>Macintosh computer.
>
>Could you maybe tell me where to find other WiFi intrusion detection
>programs, and how to install and use them?


I strongly recommend that you start by properly securing your wireless
network, which should eliminate any intruders:

1. Turn on SSID broadcast. (Hiding it does no real good.)

2. Turn off any MAC address filtering. (It does no real good.)

3. Set a *unique* SSID in your wireless router or access point (e.g.,
"ValokNet").

4. Turn on WPA-PSK security. (WEP is too weak to be of much value. If your
wireless gear can't handle WPA, seriously consider upgrading.)

5. Set a strong wireless pass-phrase, at least 20 characters worth of random
words (e.g., "highway soothe location bard great furry" [but NOT this one]).

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 
 
Peter Pan

 
      05-08-2006, 11:13 PM
Valok wrote:
> Hi!
>
> Today I got the message that unknown computers are connected to the
> wireless network on my firewall. Usually, it just shows other
> computers in our household, since 2 or 3 PCs have internet connection
> on our network.
> But today, it showed an entirely different IP address, as if someone
> from outside tried to log in to our network.
>
> Thanks in advance,
> Valok


Just a heads up (may not apply in your case), but one of my new wireless
computers (a tablet/notebook combo) sometimes shows as extra devices on the
network (and uses a different workgroup name), but never when it's turned
off. I'm guessing the pc and tablet part combo are doing something strange
internally.


 
 
moncho

 
      05-10-2006, 12:43 PM

"John Navas" <(E-Mail Removed)> wrote in message
news:uKO7g.39891$(E-Mail Removed)...
> [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
> In <445fb2e1$0$12930$(E-Mail Removed) lekom.at> on Mon, 8
> May
> 2006 23:06:41 +0200, "Valok" <(E-Mail Removed)> wrote:
>
>>Today I got the message that unknown computers are connected to the
>>wireless
>>network on my firewall. Usually, it just shows other computers in our
>>household, since 2 or 3 PCs have internet connection on our network.
>>
>>But today, it showed an entirely different IP address, as if someone from
>>outside tried to log in to our network.
>>
>>I searched for a better program to be able to detect and eliminate wifi
>>intruders, and found "air snare", but it doesn't start, says a file is not
>>properly registered. In the online help it says the computer on which you
>>install air snare should be directly connected to the router. This is not
>>the case, since our router (D-Link DI-624+) is directly connected to an
>>Apple
>>Macintosh computer.
>>
>>Could you maybe tell me where to find other WiFi intrusion detection
>>programs, and how to install and use them?

>
> I strongly recommend that you start by properly securing your wireless
> network, which should eliminate any intruders:
>
> 1. Turn on SSID broadcast. (Hiding it does no real good.)
>
> 2. Turn off any MAC address filtering. (It does no real good.)
>
> 3. Set a *unique* SSID in your wireless router or access point (e.g.,
> "ValokNet").
>
> 4. Turn on WPA-PSK security. (WEP is too weak to be of much value. If
> your
> wireless gear can't handle WPA, seriously consider upgrading.)
>
> 5. Set a strong wireless pass-phrase, at least 20 characters worth of
> random
> words (e.g., "highway soothe location bard great furry" [but NOT this
> one]).


I am a little naive on password cracking algorithms so I figured I would ask
this question.
I have noticed many individuals and companies have started using
passwords like "highway soothe location bard great furry". Is this type of
password any less secure than say "jdieJKndk&ksjjs2$djJOEksl@" since the
previous password has dictionary words?

tia

moncho


 
 
John Navas

 
      05-10-2006, 03:33 PM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <Wdl8g.68788$_(E-Mail Removed) m> on Wed, 10 May 2006
12:43:34 GMT, "moncho" <(E-Mail Removed)> wrote:

>"John Navas" <(E-Mail Removed)> wrote in message
>news:uKO7g.39891$(E-Mail Removed)...


>> 5. Set a strong wireless pass-phrase, at least 20 characters worth of
>> random
>> words (e.g., "highway soothe location bard great furry" [but NOT this
>> one]).

>
>I am a little naive on password cracking algorithms so I figured I would ask
>this question.
>I have noticed many individuals and companies have started using
>passwords like "highway soothe location bard great furry". Is this type of
>password any less secure than say "jdieJKndk&ksjjs2$djJOEksl@" since the
>previous password has dictionary words?


Password/phrase strength is defined in terms of entropy, which can be
calculated. The advantage of a passphrase of random real words is that it's
easier for people to work with, reducing the chance of error and of people
writing it down in an insecure way. The drawback is that it takes more
characters to achieve the same level of entropy as a password of random
characters. But if sufficient extra characters are used a passphrase of
random real words can have just as much entropy (strength) as a password of
random characters.

A good way to generate a strong passphrase is with "diceware words" -- see
<http://world.std.com/~reinhold/diceware.html>, and the Diceware FAQ
<http://world.std.com/~reinhold/dicewarefaq.html>:

How long should my passphrase be?
...
In their February 1996 report, "Minimal Key Lengths for Symmetric
Ciphers to Provide Adequate Commercial Security" a group of
cryptography and computer security experts -- Matt Blaze, Whitfield
Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
Thompson, and Michael Weiner -- stated:

"To provide adequate protection against the most serious threats...
keys used to protect data today should be at least 75 bits long. To
protect information adequately for the next 20 years ... keys in
newly-deployed systems should be at least 90 bits long."

A five-word Diceware passphrase has an entropy of at least 64.6 bits;
six words have 77.5 bits, seven words 90.4 bits, eight words 103
bits, four words 51.6 bits. Inserting an extra letter at random adds
about 10 bits of entropy. Here is a rough idea of how much protection
various lengths provide, based on updated estimates by A.K. Lenstra
(See www.kelength.com). Needless to say, projections for the far
future have the most uncertainty.

* Four words are breakable with a hundred or so PCs.
* Five words are only breakable by an organization with a large budget.
* Six words appear unbreakable for the near future, but may be within the
range of large organizations by around 2014.
* Seven words and longer are unbreakable with any known technology, but
may be within the range of large organizations by around 2030.
* Eight words should be completely secure through 2050.

Entropy of random passwords can be estimated from NIST guidelines (Special
Publication 800-63, Electronic Authentication Guideline). For random
passwords of all printable characters the entropy is about 6.6 bits per
character. *Thus 12 random characters from the entire printable set would be
needed for 79.2 bits of entropy, roughly the same as six diceware words.*

A narrower range of characters decreases entropy bits per character, and would
thus have to be longer for the same level of entropy. Non-randomness likewise
decreases entropy bits per character.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
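The entropy figures quoted in the post above, and the passphrase advice in step 5 of the earlier list, worked through as an added example that is not part of the original post or the Diceware FAQ. It assumes the 7776-word Diceware list and the 95 printable ASCII characters (about 6.57 bits each, which the post rounds to 6.6); the function names and the placeholder word list are constructed for illustration.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5   # 7776 entries: one word per roll of five dice
PRINTABLE_ASCII = 95      # assumption: the 95 printable ASCII characters


def entropy_bits(pool_size, count):
    """Entropy of `count` symbols drawn uniformly and independently."""
    if pool_size < 2 or count < 0:
        raise ValueError("need pool_size >= 2 and count >= 0")
    return count * math.log2(pool_size)


def symbols_needed(pool_size, target_bits):
    """Smallest count of uniform random symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def dice_index(rolls):
    """Map five dice rolls (each 1..6) to a word-list index 0..7775."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("expected five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(wordlist, n_words):
    """Pick n_words with the OS CSPRNG; return (phrase, entropy in bits)."""
    if len(set(wordlist)) != len(wordlist):
        # Duplicates make some words more likely, so the formula overstates.
        raise ValueError("word list contains duplicates")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(words), entropy_bits(len(wordlist), n_words)


def length_table(targets=(75, 90)):
    """Rows of (target bits, Diceware words, printable chars, lowercase letters)."""
    return [
        (t,
         symbols_needed(DICEWARE_WORDS, t),
         symbols_needed(PRINTABLE_ASCII, t),
         symbols_needed(26, t))
        for t in targets
    ]


if __name__ == "__main__":
    for n in range(4, 9):
        print(f"{n} Diceware words: {entropy_bits(DICEWARE_WORDS, n):.1f} bits")
    for row in length_table():
        print("target %d bits -> %d words, %d printable chars, %d lowercase" % row)
    # Constructed placeholder list; substitute the real 7776-word list.
    placeholder = [f"word{i:04d}" for i in range(DICEWARE_WORDS)]
    phrase, bits = generate_passphrase(placeholder, 6)
    print(f"{phrase}  ({bits:.1f} bits)")
```

These numbers hold only when every word or character is picked by a random process; a phrase that a person makes up has less entropy than the formula reports.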
 
 
moncho

 
      05-10-2006, 04:52 PM
This is greatly appreciated.

Thanks,

moncho


 
 
Rico

 
      05-11-2006, 02:40 PM
In article <0Jn8g.75798$(E-Mail Removed)>, John Navas <(E-Mail Removed)> wrote:
>[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
>In <Wdl8g.68788$_(E-Mail Removed) m> on Wed, 10 May 2006
>12:43:34 GMT, "moncho" <(E-Mail Removed)> wrote:
>
>>"John Navas" <(E-Mail Removed)> wrote in message
>>news:uKO7g.39891$(E-Mail Removed)...

>
>>> 5. Set a strong wireless pass-phrase, at least 20 characters worth of
>>> random
>>> words (e.g., "highway soothe location bard great furry" [but NOT this
>>> one]).

>>
>>I am a little naive on password cracking algorithms so I figured I would ask
>>this question.
>>I have noticed many individuals and companies have started using
>>passwords like "highway soothe location bard great furry". Is this type of
>>password any less secure than say "jdieJKndk&ksjjs2$djJOEksl@" since the
>>previous password has dictionary words?

>
>Password/phrase strength is defined in terms of entropy, which can be
>calculated. The advantage of a passphrase of random real words is that it's
>easier for people to work with, reducing the chance of error and of people
>writing it down in an insecure way. The drawback is that it takes more
>characters to achieve the same level of entropy as a password of random
>characters. But if sufficient extra characters are used a passphrase of
>random real words can have just as much entropy (strength) as a password of
>random characters.
>
>A good way to generate a strong passphrase is with "diceware words" -- see
><http://world.std.com/~reinhold/diceware.html>, and the Diceware FAQ
><http://world.std.com/~reinhold/dicewarefaq.html>:
>
> How long should my passphrase be?
> ...
> In their February 1996 report, "Minimal Key Lengths for Symmetric
> Ciphers to Provide Adequate Commercial Security" a group of
> cryptography and computer security experts -- Matt Blaze, Whitfield
> Diffie, Ronald Rivest, Bruce Schneier, Tsutomu Shimomura, Eric
> Thompson, and Michael Weiner -- stated:
>
> "To provide adequate protection against the most serious threats...
> keys used to protect data today should be at least 75 bits long. To
> protect information adequately for the next 20 years ... keys in
> newly-deployed systems should be at least 90 bits long."
>
> A five-word Diceware passphrase has an entropy of at least 64.6 bits;
> six words have 77.5 bits, seven words 90.4 bits, eight words 103
> bits, four words 51.6 bits. Inserting an extra letter at random adds
> about 10 bits of entropy. Here is a rough idea of how much protection
> various lengths provide, based on updated estimates by A.K. Lenstra
> (See www.kelength.com). Needless to say, projections for the far
> future have the most uncertainty.
>
> * Four words are breakable with a hundred or so PCs.
> * Five words are only breakable by an organization with a large budget.
> * Six words appear unbreakable for the near future, but may be within the
> range of large organizations by around 2014.
> * Seven words and longer are unbreakable with any known technology, but
> may be within the range of large organizations by around 2030.
> * Eight words should be completely secure through 2050.
>
>Entropy of random passwords can be estimated from NIST guidelines (Special
>Publication 800-63, Electronic Authentication Guideline). For random
>passwords of all printable characters the entropy is about 6.6 bits per
>character. *Thus 12 random characters from the entire printable set would be
>needed for 79.2 bits of entropy, roughly the same as six diceware words.*
>
>A narrower range of characters decreases entropy bits per character, and would
>thus have to be longer for the same level of entropy. Non-randomness likewise
>decreases entropy bits per character.
>


I am and remain utterly amazed at how many people think James Bond (or M)
are trying to break into their home networks. It is just mind numbing. I
guess preaching fear has worked really well, the terrorists are coming, the
commies are under your bed and the boogie man is behind that tree.
Reality check:
Even the simplest passphrase is more than enough to secure your home
network. James Bond and the NSA ARE NOT trying to hack your network. In an
office environment this might be different, but if you have that large a
concern at the office, stick to a wired network.

Diceware phrases and the Beale list, give me a break and try to return to
reality. The dog's name is more than enough for a passphrase for your home
network. You can even be secure behind WEP encryption. NONE of your
neighbors is installing Linux on his laptop so he can sit outside your
house and break into your network and anyone who tells you otherwise is
just plain nuts. It isn't happening and has never happened on a home
network. John, you are the security 'expert' please provide a single
documented instance of a home network being violated that was employing
even the simplest of passphrases for either WEP or WPA. Come on I dare you.
(not some it can be done crap, a case where it HAS been done in the real
world and not the CS lab at Dumb Ass U.)

Never happened, all this stuff above is just so much fodder for the scare
mongers. Concerned about your bank accounts, this data is sent using secure
sockets, the security of your network is not your exposure.

Boo the boogie man is out to hack your internet connection... What a joke.

fundamentalism, fundamentally wrong.
 
 
Valok

 
      05-11-2006, 03:30 PM
Hi!

>>4. Turn on WPA-PSK security. (WEP is too weak to be of much value. If your
wireless gear can't handle WPA, seriously consider upgrading.)

5. Set a strong wireless pass-phrase, at least 20 characters worth of random
words (e.g., "highway soothe location bard great furry" [but NOT this
one]).<<

I have already done that. Still, it showed me that another IP address was
obviously connected, although I don't know if that meant that the intruder
was actually granted access or not, since I do have a passphrase.

>>2. Turn off any MAC address filtering. (It does no real good.)<<


Do you know how to do that on my D-Link DI-624+ router web-configuration
site?


 
 
Valok

 
      05-11-2006, 03:34 PM
Hi!

>> Just a heads up (may not apply in your case), but one of my new wireless
>> computers (a tablet/notebook combo) sometimes shows as extra devices on
>> the network (and uses a different workgroup name), but never when it's
>> turned off. I'm guessing the pc and tablet part combo are doing something
>> strange internally.<<


Yes, I first thought it could be this way, too. But then again, at the time
when I was online, no other computer was connected to the internet (only the
router was turned on, of course). Besides, I do have a WPA-PSK pass phrase.

Lately, it didn't show me any other computers connected to the internet,
when I last checked (only our own family PCs).




 
 
John Navas

 
      05-11-2006, 04:26 PM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <31I8g.67965$(E-Mail Removed)> on Thu, 11 May 2006 14:40:12
GMT, (E-Mail Removed) (Rico) wrote:

>I am and remain utterly amazed at how many people think James Bond (or M)
>are trying to break into their home networks. It is just mind numbing. I
>guess preaching fear has worked really well, the terrorists are coming, the
>commies are under your bed and the boogie man is behind that tree.
>Reality check:
>Even the simplest passphrase is more than enough to secure your home
>network. James Bond and the NSA ARE NOT trying to hack your network. In an
>office environment this might be different, but if you have that large a
>concern at the office, stick to a wired network.
>
>Diceware phrases and the Beale list, give me a break and try to return to
>reality. The dog's name is more than enough for a passphrase for your home
>network. You can even be secure behind WEP encryption. NONE of your
>neighbors is installing Linux on his laptop so he can sit outside your
>house and break into your network and anyone who tells you otherwise is
>just plain nuts. It isn't happening and has never happened on a home
>network. John, you are the security 'expert' please provide a single
>documented instance of a home network being violated that was employing
>even the simplest of passphrases for either WEP or WPA. Come on I dare you.
>(not some it can be done crap, a case where it HAS been done in the real
>world and not the CS lab at Dumb Ass U.)
>
>Never happened, all this stuff above is just so much fodder for the scare
>mongers. Concerned about your bank accounts, this data is sent using secure
>sockets, the security of your network is not your exposure.
>
>Boo the boogie man is out to hack your internet connection... What a joke.


I strongly disagree. I've seen clear evidence of a number of dictionary and
brute force attacks on home wireless networks, and have gotten reports of
others. Software to do this is readily available. Perpetrators include
bored/irresponsible teenagers, wardrivers, and the like.

As for government surveillance, there is a very real possibility of that
happening, albeit at the ISP/carrier level, rather than at the home wireless
network level. No matter how secure your home wireless network, your
unencrypted email (for example) is exposed throughout its path.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 