Re: Wi-Fi: Essential Checklist

 
 
John Mason Jr

 
      11-28-2008, 06:27 PM
Interesting counter point to securing your wireless

<http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>

John


John Navas wrote:
> <http://wireless.navas.us/wiki/Wi-Fi#Essential_Checklist>
>
> * Use WPA security. If you don't do this, assume you will get hacked.
> WEP is essentially worthless. Replace wireless equipment that doesn't
> support WPA. Seriously. (See Wi-Fi Security)
>
> * Use a strong WPA passphrase. A good way to do that is with diceware
> words. (See What Makes for a Strong Password or Passphrase?) Write your
> passphrase on a label and stick it on the bottom of your wireless router
> so you won't forget it. (If someone gets to your wireless router, you
> are compromised regardless.)
>
> * Make your wireless SSID unique. This helps avoid network collisions. A
> good way to do this is to use your address, phone number, and/or name
> for your SSID (making it easy for you to be contacted if something is
> wrong with your wireless network).
>
> * Don't bother with SSID hiding or MAC address filtering. They don't do
> any real good (improve security) but they can cause you grief. (See
> Wi-Fi Security Myths)
>
> * Turn off Universal Plug and Play (UPnP) in your wireless router.
> Because most consumer-grade wireless routers lack UPnP authentication
> they are vulnerable to attack. (See Problems with UPnP, Lack of
> Authentication)
>
> * Set a strong password on the administration interface of your wireless
> router. Again, diceware is a good way to do that.
>
> * Turn off remote administration. If your wireless router supports
> remote administration, turn it off (unless you really know what you're
> doing).
>
> * On unsecured Wi-Fi use VPN (Virtual Private Networking). Otherwise
> your wireless traffic can be snooped and compromised. (See Secure
> Internet access in a public hotspot)

 
John Mason Jr

 
      11-28-2008, 08:18 PM
Jeff Liebermann wrote:
> On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
> <(E-Mail Removed)> wrote:
>
>> Interesting counter point to securing your wireless
>> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>

>
> Bruce Schneier is a well regarded author of criticism on security
> issues. He's made a career of writing articles, columns, and two
> books on the topic. Scan the list of titles and tell me if you see a
> pattern:
> <http://www.schneier.com/essays.html>
>
> I'll be blunt (because I'm in a hurry to leave for a free lunch).
> Whom would you prefer to believe? The person that has to make the
> stuff work and keep the paying customers safe and happy? Or the
> professional author and critic that takes pot shots at the industry's
> attempts to get it right? Pick one.


Well since he is CTO of BT Counterpane I would say he and his company
are in the business of making security work.

I thought the most important part of the article was

"If I configure my computer to be secure regardless of the network
it's on, then it simply doesn't matter. And if my computer isn't secure
on a public network, securing my own network isn't going to reduce my
risk very much.

Yes, computer security is hard. But if your computers leave your house,
you have to solve it anyway. And any solution will apply to your desktop
machines as well. "






>
> Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."
> Swell. Leave your access point wide open because your neighbors might
> need it and because your chances of experiencing a problem are minimal.
> Never mind with encryption because it *MIGHT* be cracked in the
> future. While you're at it, leave your car doors unlocked for the
> same reasons. Door locks are easily picked, so why bother to use
> them.
>
> Incidentally, the real danger is not DMCA or spammers. It's someone
> giving themselves a tour of your computer, grabbing whatever seems
> interesting, because an overwhelming number of machines are running
> open shares and zero local security (i.e. passwords). Since the
> wireless LAN is behind the router, the firewall offers zero
> protection.
>
> More later....
>



John
 
miso@sushi.com

 
      11-28-2008, 08:34 PM
On Nov 28, 11:27 am, John Mason Jr <notva...@cox.net.invalid> wrote:
> Interesting counter point to securing your wireless
>
> <http://www.wired.com/politics/security/commentary/securitymatters/200...>
>
> John
>
> John Navas wrote:
> > <http://wireless.navas.us/wiki/Wi-Fi#Essential_Checklist>
> >
> > * Use WPA security. If you don't do this, assume you will get hacked.
> > WEP is essentially worthless. Replace wireless equipment that doesn't
> > support WPA. Seriously. (See Wi-Fi Security)
> >
> > * Use a strong WPA passphrase. A good way to do that is with diceware
> > words. (See What Makes for a Strong Password or Passphrase?) Write your
> > passphrase on a label and stick it on the bottom of your wireless router
> > so you won't forget it. (If someone gets to your wireless router, you
> > are compromised regardless.)
> >
> > * Make your wireless SSID unique. This helps avoid network collisions. A
> > good way to do this is to use your address, phone number, and/or name
> > for your SSID (making it easy for you to be contacted if something is
> > wrong with your wireless network).
> >
> > * Don't bother with SSID hiding or MAC address filtering. They don't do
> > any real good (improve security) but they can cause you grief. (See
> > Wi-Fi Security Myths)
> >
> > * Turn off Universal Plug and Play (UPnP) in your wireless router.
> > Because most consumer-grade wireless routers lack UPnP authentication
> > they are vulnerable to attack. (See Problems with UPnP, Lack of
> > Authentication)
> >
> > * Set a strong password on the administration interface of your wireless
> > router. Again, diceware is a good way to do that.
> >
> > * Turn off remote administration. If your wireless router supports
> > remote administration, turn it off (unless you really know what you're
> > doing).
> >
> > * On unsecured Wi-Fi use VPN (Virtual Private Networking). Otherwise
> > your wireless traffic can be snooped and compromised. (See Secure
> > Internet access in a public hotspot)


I recently acquired a 2wire 2701HG-B to get around issues with my
crappy (free) Creative Briteport DSL modem. I still use my linksys
WRT330N for wifi and my lan, but technically I could turn on the wifi
on the 2701HG-B. I make the linksys be the DMZ of the 2wire box. But I
believe that means my LAN and wifi on the linksys is behind its own
firewall, so enabling open wifi on the 2wire would be safe.

I have some Gemtek P-560s I considered installing on the router ports
of the 2wire to give me another level of protection.

Is there some website that hosts manuals on discontinued wifi gear,
much like the boat anchor website does for test gear? I have the CD
rom that comes with the P-560. It seems Gemtek doesn't maintain
documentation on discontinued products.

 
Warren Oates

 
      11-28-2008, 10:02 PM
In article <ggpgmh$j7u$(E-Mail Removed)>,
John Mason Jr <(E-Mail Removed)> wrote:

> Interesting counter point to securing your wireless
>
> <http://www.wired.com/politics/securi...rs/2008/01/securitymatters_0110>


Yeah, well, there will always be tree-huggers and wing-nuts and women
who don't shave their pits and practice aromatherapy.

I catch Schneier downloading spanking videos in front of my house, I'll
ram a rottweiler up his ass. Irresponsible wanking.

My house is private, it's not a hotel or a motel or a brothel or a
Starbucks and I have a very secure WPA password. If we have guests who want
to use it, I give them the password. It's pretty simple really. The
next-door neighbour who I trust fully also has the password in case his
network goes down; he does the same for me (he's using WEP which I can
crack if I want anyway). Although, we have the same ISP, so it's kind of
a useless exercise in neighbourly admiration.

That's the worst fucking article I've ever read in Wired.
--
W. Oates
 
Warren Oates

 
      11-28-2008, 10:06 PM
In article <(E-Mail Removed)>,
Jeff Liebermann <(E-Mail Removed)> wrote:

> It's someone
> giving themselves a tour of your computer, grabbing whatever seems
> interesting, because an overwhelming number of machines are running
> open shares and zero local security (i.e. passwords). Since the
> wireless LAN is behind the router, the firewall offers zero


I might add that my local "shares" are nicely and tightly protected too
(it's a Mac, we don't really talk that way). My next step is to separate
the wireless (guests and the neighbour), put it on a separate route (if
that's how you say it) from the wire (me and the oul' Woman and the tv).
--
W. Oates
 
Char Jackson

 
      11-29-2008, 12:27 AM
On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann <(E-Mail Removed)>
wrote:

>On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
><(E-Mail Removed)> wrote:
>
>>Interesting counter point to securing your wireless
>><http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>

>
>Bruce Schneier is a well regarded author of criticism on security
>issues. He's made a career of writing articles, columns, and two
>books on the topic. Scan the list of titles and tell me if you see a
>pattern:
><http://www.schneier.com/essays.html>
>
>I'll be blunt (because I'm in a hurry to leave for a free lunch).
>Whom would you prefer to believe? The person that has to make the
>stuff work and keep the paying customers safe and happy? Or the
>professional author and critic that takes pot shots at the industry's
>attempts to get it right? Pick one.


In a vacuum, I would tend to pick the professional over the repairman,
but I hope one wouldn't have to pick in a vacuum.

>Do you subscribe to this manner of FUD (fear uncertainty doubt):
> "This is not to say that the new wireless security protocol,
> WPA, isn't very good. It is. But there are going to be
> security flaws in it; there always are."


I don't think that qualifies as FUD. Not even close.

>Swell. Leave your access point wide open because your neighbors might
>need it and because your chances of experiencing a problem are minimal.
>Never mind with encryption because it *MIGHT* be cracked in the
>future. While you're at it, leave your car doors unlocked for the
>same reasons. Door locks are easily picked, so why bother to use
>them.


I'm not sure how you arrived at your conclusion, but I suspect it had
a lot to do with your mind being on the free lunch.

Pointing out that something isn't perfect is a far cry from advising
people not to use it.

 
John Mason Jr

 
      11-29-2008, 02:47 AM
Jeff Liebermann wrote:
> On Fri, 28 Nov 2008 16:18:57 -0500, John Mason Jr
> <(E-Mail Removed)> wrote:
>
>> Jeff Liebermann wrote:
>>> On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr
>>> <(E-Mail Removed)> wrote:
>>>
>>>> Interesting counter point to securing your wireless
>>>> <http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitymatters_0110>
>>> Bruce Schneier is a well regarded author of criticism on security
>>> issues. He's made a career of writing articles, columns, and two
>>> books on the topic. Scan the list of titles and tell me if you see a
>>> pattern:
>>> <http://www.schneier.com/essays.html>
>>>
>>> I'll be blunt (because I'm in a hurry to leave for a free lunch).
>>> Whom would you prefer to believe? The person that has to make the
>>> stuff work and keep the paying customers safe and happy? Or the
>>> professional author and critic that takes pot shots at the industry's
>>> attempts to get it right? Pick one.

>> Well since he is CTO of BT Counterpane I would say he and his company
>> are in the business of making security work.

>
> Have you ever worked with a security company? I have. There is an
> amazingly wide range of business functions that can be performed by a
> security company. It can be code audits, access control, permissions,
> authorization, authentication, identity management, external security,
> physical security, patch management, site monitoring, access devices,
> HIPAA, FASP, log rolling, etc. I probably forgot a few items.
> <http://bt.counterpane.com>
> Looks like they do all those and then some. Yep, they're definitely
> qualified.
>
> Impressive list of principals, but missing Bruce Schneier:
> <http://bt.counterpane.com/team.html>
>
> So, why does he recommend *LESS* wireless security? Did I miss
> something here?



In part of the article he states he doesn't believe that it is much of a
risk that his wireless will be abused.



>
>> I thought the most important part of the article was
>>
>> "If I configure my computer to be secure regardless of the network
>> it's on, then it simply doesn't matter. And if my computer isn't secure
>> on a public network, securing my own network isn't going to reduce my
>> risk very much.

>
> Baloney. I could have an adequately secured computah (personal
> firewall) and still have problems. For example, sending un-encrypted
> email and passwords (POP3, SMTP, FTP) that are sniffable via wireless
> or an ethernet tap. The computer is secure, but the transport
> mechanism is not.



I would consider fixing those types of problems part of making sure that
your computer is safe on a public network.






>
>> Yes, computer security is hard. But if your computers leave your house,
>> you have to solve it anyway. And any solution will apply to your desktop
>> machines as well. "

>
> Well, yeah. A laptop is nothing more than a small desktop with a
> built in UPS (battery). Desktops, laptops, and PDA's should be
> treated in the same way when dealing with security. Few are.
>



I agree

>> John

>

 
Sylvain Robitaille

 
      11-29-2008, 06:45 AM
Jeff Liebermann wrote:

> ... rather than solve the problem, we have this brilliant head of a
> security company, offer that the solution is to ignore the problem
> completely, and just run a wide open system on the basis of the odds
> being in favor of nothing bad happening. He's right, in that one can
> get away with doing almost anything, but only for a short while.
> Eventually bad karma and stupidity catch up.


Based on the above, I think that you have mis-understood the article
in question. Schneier makes the point that what he's trying to protect
(as are most people) is his computer(s), and the data on it(them).
His effort, therefore, is better spent applying security mechanisms on
the computer itself, rather than trying to "protect" access to his network
(which, incidentally, he seems perfectly willing to just share).

As an analogy, consider the locks on the doors and windows of a house:
if you move into a gated-community, you're likely going to still want
locks on your doors and windows. Schneier's point (applied to this
analogy), isn't that you shouldn't move into a gated community, but
rather that you should protect your house and its contents by applying
security measures (locks on doors and windows) directly to the house.
You can take it as a given that at some time, someone who doesn't belong
in the gated community will find a way in.

Especially with a mobile computer, given that you are more likely to use
such a computer on a network that is outside of your control (and that
has other users you likely don't know and shouldn't trust), there needs
to be strong effort placed on protecting the computer itself, and its
data. That protection comes from end-to-end encryption (https, imaps,
ssh, TLS/SSL, etc.), not from WEP/WPA/WPA2/802.11i, etc.

> ... Bruce Schneier couldn't find anything specifically wrong with
> WPA, so the best he could do was imply that there *MIGHT* be something
> wrong. That's FUD methinks.


Again, I think you've misunderstood his point: When WEP was introduced, it
was touted as providing security that was equivalent to wired networking.
That turned out (after some time) not to be true. Schneier's point
isn't that there "might" be something wrong with WPA (or WPA2), it's
that regardless of whether there is a known weakness with it now,
as technology improves, the computing power that can be put towards
brute-force attacks (and ultimately more calculated attacks) increases,
and therefore the degree of security offered by technology that's "good
enough" today decreases.

If you think it's all FUD, consider the following (as one example):

http://hothardware.com/News/Russian-...rack-WPA-WPA2/

Schneier's preference is for "easy" access to the network. He claims to
like it that way. However, his point is that trying to protect the data
on the computer by attempting to secure access to the network is the
wrong way to go about it (and in some cases might be seen as duplicated
effort). See Bill Cheswick's paper on the design of Internet gateways
(which a wireless access point can ultimately be) for another
(compatible) explanation (that predates wireless networking; although
the details of the technology have changed, the points are still valid,
and on a broad scale we have not yet appeared to have learned them):

http://www.cheswick.com/ches/papers/gateway.pdf

> The part about leaving the car door open is called an analogy. Leave
> the WPA security disabled because it might be cracked.


That isn't at all Schneier's point. Leave WPA disabled, because he
prefers to share the network access. And by the way, even if WPA is
considered a suitable way to secure access to your network at the moment,
don't count on it to secure the data on your computer. Referring back
to my earlier analogy, that would be like counting on the locked gate at
the end of the street to protect your home from being entered by
unwelcome strangers.

> ... Bruce Schneier never actually came out and recommended that one
> should not use wireless security. Yet the entire article is all about
> how wonderful and easy things are without that horribly difficult
> wireless security, and how successful he and others have been running
> wide open system. ...


He's not worrying about securing his wireless network because he's
comfortable with how well the computers he has on that network are
secured. The effort he invested in securing his computers is returned
to him in his ability to not worry about the odd stranger using his
wireless network (as someone might take a walk down the street of a
gated community).

Now, having said all of that, I keep my own wireless network secured,
but all the computers I have that either use it, or are accessible from
it, also are secured as well as they can be. I don't count on the
wireless security to protect my computers, but I do expect that it will
keep most uninvited strangers from using my network.

--
----------------------------------------------------------------------
Sylvain Robitaille (E-Mail Removed)

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
 
Sylvain Robitaille

 
      11-29-2008, 06:54 AM
Jeff Liebermann wrote:

> Incidentally, I have an impromptu hacking demonstration today. I shut
> down the victim's laptop (allegedly accidentally). When nobody's
> looking, I shove in a USB dongle with a bootable Linux system
> including various registry hacking utilities. I scripted one of them
> to make a few key changes to the registry, and to extract a few
> interesting keys. Most modern laptops will boot from USB, especially
> if I hit F10(?) during the bootup to select the boot device. The rest
> is trivial. Elapsed time is about 3 minutes, not including a 2nd
> reboot. Perhaps the author would like to revise his position on
> computer hardware security to include physical security?


Most (all?) modern laptops also provide a means to set a password to
control access to the boot-sequence configuration, or in some cases to
boot the computer at all. Your demonstration would fail on my laptop
(notwithstanding that it wouldn't even find Windows on it), and if you
understood the point of the author's (Schneier's) article, you would
understand that you would have the same problem with *his* laptop.

The network access point (wireless or otherwise) provides access to the
network, not "security". That's the point I read in the article being
discussed.

--
----------------------------------------------------------------------
Sylvain Robitaille (E-Mail Removed)

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
 
Char Jackson

 
      11-29-2008, 08:02 AM
On Fri, 28 Nov 2008 18:50:49 -0800, Jeff Liebermann <(E-Mail Removed)>
wrote:

>On Fri, 28 Nov 2008 19:27:17 -0600, Char Jackson <(E-Mail Removed)>
>wrote:
>
>>On Fri, 28 Nov 2008 12:11:32 -0800, Jeff Liebermann <(E-Mail Removed)>
>>wrote:
>>
>>>I'll be blunt (because I'm in a hurry to leave for a free lunch).
>>>Whom would you prefer to believe? The person that has to make the
>>>stuff work and keep the paying customers safe and happy? Or the
>>>professional author and critic that takes pot shots at the industry's
>>>attempts to get it right? Pick one.

>>
>>In a vacuum, I would tend to pick the professional over the repairman,
>>but I hope one wouldn't have to pick in a vacuum.

>
>Well, I screwed up several times here.


I thought I did that once, but I was mistaken. ;-)

>As for the repairman versus the professional (insert title), my
>preferences tend to vary. Next time you have a problem with your
>automobile, try asking an automotive engineer for a usable solution.
>I've actually done this. I think you'll find that the repairman knows
>more about how to fix the car than the designer.


Well, of course, if you're looking for repair advice the repairman is
likely to know more, but your question above was a much more generic
"whom would you believe". Since your preferences vary, I assume you
agree with me at least part of the time that the professional
(professional WHAT?) is likely to be the better source sometimes.

>>>Do you subscribe to this manner of FUD (fear uncertainty doubt):
>>> "This is not to say that the new wireless security protocol,
>>> WPA, isn't very good. It is. But there are going to be
>>> security flaws in it; there always are."

>>
>>I don't think that qualifies as FUD. Not even close.

>
>I usually ignore one line pontification and judgments, but since I
>asked for an opinion, I won't complain. However, you're wrong. What
>Bruce Schneier has done here is classical FUD.


FUD is fear, uncertainty, and doubt. I may be wrong, or you may be
wrong, but my opinion is that the part you quoted above doesn't
contain any of those three qualities. I'm able to parse the quoted
statements and understand that he's saying WPA is good, but not likely
to be perfect. I don't know when it was written, but we know now that
WPA has security flaws, so he was either right in advance or right in
arrears, but either way he is/was right. Just like truth is the best
defense against libel, I think truth is a pretty darn strong defense
against a claim of FUD.

>>>Swell. Leave your access point wide open because your neighbors might
>>>need it and because your chances of experiencing a problem are minimal.
>>>Never mind with encryption because it *MIGHT* be cracked in the
>>>future. While you're at it, leave your car doors unlocked for the
>>>same reasons. Door locks are easily picked, so why bother to use
>>>them.

>>
>>I'm not sure how you arrived at your conclusion, but I suspect it had
>>a lot to do with your mind being on the free lunch.

>
>Ummm... I didn't write a conclusion. The quoted paragraph is a
>cynical and sarcastic recommendation.


Your conclusion was that since WPA may or does have problems, we
should just avoid it entirely. Like I said, I don't see how you
arrived at that conclusion, or whatever you'd rather call it. That
'position' certainly doesn't follow the quoted paragraph that came
before it, so now I'm assuming that you were responding to something
else from that article that you didn't feel was worth quoting.

>The part about leaving the car door open is called an analogy.


Yes, analogies are common. No need to point them out.

>Leave the WPA security disabled because it might be cracked.


See? THAT! How did you arrive there? Besides you, who else suggested
it would be a good idea to leave WPA disabled because it might be
cracked? If not from you, did you get it from the article? That's
really all I'm asking.

>>Pointing out that something isn't perfect is a far cry from advising
>>people not to use it.

>
>Did you read the article?


No, I was responding to what you wrote, not to what someone wrote in
an article. You didn't make it clear that I had to read the article
before climbing onto the ride.

 