How To Protect Yourself!?

Wow, thanks guys.
Jamal, do u change your password every day? If so, do u write it down
on a paper or you simply copy paste it? It's impossible to remember a
pass like that. I don't usually leave my passwords as autofills when I
access mail, nor any other accounts.

I'm not sure what I'm using ... I know I bought the wireless card, and
I know the internet works, and I know it says for public use, so there
are about 10-15 people on it every day. I just hope no hackers though,
oh yeah, and there are no passkeys or any thing. I just hook up my
..11g and off I go.

Let me know if i'm in danger :


--
CoolMeEddY
brought to you by http://www.wifi-forum.com/

Even though I use WPA-PSK (AES), I still change my encryption key once
week. It's just a habit I picked up from the early days of using WEP.
As for writing it down....No. I simply create it when I'm accessin
the AP's menu then copy and paste it into the card's utility. If b
chance something happens to where I need to retrieve it, I simply lo
into the AP's menu and re-copy it or create a new key. The idea is t
not create a key that can be easily guessed by a casual snooper.
want secure traffic to and from the AP and my wireless device(s). B
the way, most of my keys have 63 characters. Take care

--
doug Jama
brought to you by http://www.wifi-forum.com

From what ? Radiation ? Wear a tin hat ?
(hint: it would help if you made the subject self explanatory)
Martin

Hello,

<quote>
Whatever. I have some doubts that adding more and more layers of
software to the security puzzle is an effective answer. If anything,
even the most secure firewalls seem to have holes. For example,
Windoze XP SP2 firewall had a rather nasty problem:
http://www.pcflank.com/news201204.htm
</quote>

I would hardly call the windows firewall "one of the most secure
firewalls". It is not meant as a full blown firewall but rather as a
minimal firewall implementation.
Besides that, what do you think WEP (already found to be flawed) and
WPA (has it's own share of weaknesses) are? They are implementations
that are programmed, so how you think that they are any more secure
than any given firewall when the insecurity lies in the implementation
and code?
Your reasoning is beyond me.

Let's sum up some of the weakness of wifi:
1. WEP is flawed and easy to crack
Can't help this, only fix is an additional layer of encryption.
If someone uses a passive Wifi sniffer you won't even realize someone
is attempting to access your network
2. Broadcasting SSID
Turn this off, saying that, even then it is flawed as it is broadcasted
in traffic so it is accessible once WEP has been cracked
3. MAC address spoofing
Yupp, easy as pie changing your mac address and passive sniffing even
tells you what to change it too

General security precautions for wireless if you want a pretty tight
system:

1. Wifi subnet is in a DMZ
2. Access to internal LAN allowed via VPN authentication or SSH tunnel
or any other encrypted AND authenticated protocol
3. ACL's
Firewall your wfi clients access. If it is to surf, allow access to
http/https or your proxy only.
4. Use WEP properly, like many people here have suggested, use a long,
mixed character string/code and change it in between.
5. Do stop ssid broadcast turned off
6. Do use MAC address restrictions
7. Do use WPA if available

Basically, what I am saying is consider the whole picture, every avenue
of escape etc.

Restricting the wifi clients to a dmz and with a firewall also helps
against buggy wifi AP implementations etc.
Security is multilayered.

regards

dc

datacide <(E-Mail Removed)> wrote:
> General security precautions for wireless if you want a pretty tight
> system:

> 1. Wifi subnet is in a DMZ

I agree WiFi should be outside the firewall. Maybe further than a DMZ.

> 2. Access to internal LAN allowed via VPN authentication or SSH tunnel
> or any other encrypted AND authenticated protocol

Everybody should already have VPN access from home, wireless in the office
looks just like it.

> 5. Do stop ssid broadcast turned off

I'm not sure I understand the double negative.
We have a few WAPs with SSID turned off. They are used by only a few
people who already have the SSID programmed for use. This is done so that
casual users don't even see that the WAP is available and ask how to get
onto it. These are generally in a restricted lab or training room, where
connecting to that WAP wouldn't get you anywhere anyway.
In this case, turning SSID off is being used to make the general purpose
SSID-broadcasting WAPs more visible and accessible.

I think SSID-off is a pain to legitimate users of WinXP-SP2, and does little
to stop hackers. In our environment it is actually an ease-of-use feature,
but it is a pain for me to connect to the lab with my multiple-profile
laptop.

> 6. Do use MAC address restrictions

There is some of that, but it seems to give misleading messages in an area
where there are both MAC-restricted and open WAPs. I am just as concerned
with ease of use for legitimate users as I am with stopping hackers.
I don't know if I like MAC-listing. It's not that effective against
hackers, and is annoying for legitimate casual users. If you have no
casual users, then it is an administrative task for someone.

A splash screen with free registration might be good for the lobby. That
would put some piece of control in place, or it could be WEP with the WEP
key on a sign in the lobby ;-)
Maybe a splash screen that says to ask the receptionist for the key.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5

<quote Clarence A Dold>
I'm not sure I understand the double negative.
We have a few WAPs with SSID turned off. They are used by only a few
people who already have the SSID programmed for use. This is done so
that
casual users don't even see that the WAP is available and ask how to
get
onto it. These are generally in a restricted lab or training room,
where
connecting to that WAP wouldn't get you anywhere anyway.
In this case, turning SSID off is being used to make the general
purpose
SSID-broadcasting WAPs more visible and accessible.

I think SSID-off is a pain to legitimate users of WinXP-SP2, and does
little
to stop hackers. In our environment it is actually an ease-of-use
feature,
but it is a pain for me to connect to the lab with my multiple-profile
laptop
> 6. Do use MAC address restrictions

There is some of that, but it seems to give misleading messages in an
area
where there are both MAC-restricted and open WAPs. I am just as
concerned
with ease of use for legitimate users as I am with stopping hackers.
I don't know if I like MAC-listing. It's not that effective against
hackers, and is annoying for legitimate casual users. If you have no
casual users, then it is an administrative task for someone.

A splash screen with free registration might be good for the lobby.
That
would put some piece of control in place, or it could be WEP with the
WEP
key on a sign in the lobby ;-)
Maybe a splash screen that says to ask the receptionist for the key.
</quote>

I agree to an extent. In a corporate environment it may be difficult to
preconfigure the setup so that MAC address limitations and frequently
changing WEP keys due to a large amount of users, but the initial
question seemed more like SOHO usage.
Also, while I agree that those limitations won't keep a dedicated
hacker out, they will however thwart most of the "casual" wardrivers
and any extra security for a business is good if used properly.
Security is always a tradeoff between usability and security. To
identify thsoe needs in a business is what risk management is for.

Basically, the jist of this for me is not to rely on any one security
mechanism, but to add layered security, as only this ensures a high
level of access control.

regards
dc

Taking a moment's reflection, datacide mused:
|
| 2. Broadcasting SSID
| Turn this off, saying that, even then it is flawed as it is broadcasted
| in traffic so it is accessible once WEP has been cracked

Actually, you can detect a non-broadcasted SSID without cracking WEP.
Like the MAC address, the SSID is included in every packet, unencrypted.
This is why disabling SSID broadcast is worthless as a security measure.
Those who can crack WEP can easily detect the SSID.

<quote mhicaoidh>
Actually, you can detect a non-broadcasted SSID without cracking WEP.
Like the MAC address, the SSID is included in every packet,
unencrypted.
This is why disabling SSID broadcast is worthless as a security
measure.
Those who can crack WEP can easily detect the SSID.
</quote>
You are of course correct (just checked it in kismet), the ssid is
broadcast and can be obtained via a passive sniffer.