[Dshield] DI-624 encryption - Run it if you have it!

Stephane Grobety security at admin.fulgan.com
Wed Feb 25 12:16:03 GMT 2004


I suggest you read this:

http://arstechnica.com/paedia/w/wireless-security-howto/home-802.11b-1.html

Once you've been through it, you should understand why there is no currently effective way to secure WIFI short of treating it as an untrusted network and requiring VPN access to go anywhere further than the router.

Good luck,
Stephane

> I'm very interested, how many wlan keys have you
> cracked? There 'were' several issues with key exchange
> that were leveraged a few years ago, but most vendors
> have closed those holes. I'm assuming that you've
> based your position on a whitepaper that's a few years
> old - "Intercepting Mobile Communications – The
> Insecurity of 802.11, by Nikita Borisov et al., UC
> Berkeley."
> 
> Brute force is still a tactic with tools like
> AirSnort, but well chosen keys (like passwords) are
> more difficult to brute force. Any 'static' mechanism
> should demand the same type of attention that a user
> pays to passwords, develop a routine to change them
> based upon the asset value.
> 
> I would recommend deploying WEP if that is what the
> person has and can afford. I personally believe that
> any layer that can "slow" someone is better than no
> use of that technology. Several industry luminaries
> have agreed - WEP isn't bad. On the other hand, WPA
> (formerly known as TKIP) has been adopted to address
> the "concerns" with WEP and many vendors have been
> updating products with firmware upgrades etc. I
> haven't seen an install yet using 128bit keys with the
> "initialization vector" patches applied. 
> 
> Combine WEP or WPA with some open-standards stuff like
> FreeSwan and you could easily 'enhance' the security
> of running a wlan with vpn services across it. Dr.
> Dobbs had an article a ways back on deploying a cheap
> home vpn over wireless. I'm certain a quick look in
> "google-heaven" will bring up the article for those
> interested.
> 
> Last, if you're in the US and don't have explicit
> permission from "any" network owner (wireless or not),
> cable operators and the like have a new charge called
> "theft of service" that has been applied several times
> in the US and Canada.
> 
> As always, an expert is no expert at all. I'm a
> 'thinker' and study security as a passion. Comments
> welcome!
> 
> <<ATTACHED>>
> 
> From:	"Keith Bergen" <keith at keithbergen.com>
> Subject:	RE: [Dshield] DI-624 encryption
> Date:	Sun, 22 Feb 2004 10:20:08 -0500
> To:	"'General DShield Discussion List'"
> <list at dshield.org>
> 
> Michael,
> 
> I'm sorry that I cannot help with the D-Link setup issues, but I had to
> comment on using encryption for security. You need to be aware that the
> data encryption on the routers (64 bit, 128 bit, and 256 bit) can be cracked
> fairly easily, and it doesn't take an expert. Basically, all you need to do
> is capture a few wireless packets, and you can break the key. Changing your
> key frequently can help you in the event that somebody figures it out.
> 
> One thing that encryption does do for you is prevent pesky novice neighbors
> from using your internet connection. I have two neighbors that have wireless
> networks, and I can use them when mine is down because they are wide open.
> 
> Keith.
> 
> 