From: John Navas on 6 Dec 2008 20:01

On Sun, 07 Dec 2008 00:06:09 +0000, Mark McIntyre
<markmcintyre(a)TROUSERSspamcop.net> wrote in
<UrE_k.100536$i92.27467(a)en-nntp-03.am2.easynews.com>:

>Jeff Liebermann wrote:
>> On Sat, 6 Dec 2008 05:42:55 -0800 (PST), Chrisjoy
>> <ultralibertarianer(a)gmail.com> wrote:
>>
>>> Logging on to Windows needs users to know this:
>>>
>>> 1) Knowing the name of your own account.
>>> 2) Knowing the spelling of your own account password, and where the
>>> keys are at the keyboard.
>>
>> A fingerprint reader can be used in place of the login and password.
>> I've had rather bad luck at getting users to consistently use the
>> reader, but it does work. The ones where you swipe the finger over a
>> narrow reader window seem to be a problem. The ones where you just
>> press your finger onto a larger window work much better (but cost
>> more).
>
>Unless you go high-end these things are horribly insecure. I've toyed
>with deploying them but having watched the issues that others have had,
>shied away. Typical problems would seem to be too many false negatives,
>too easy to sniff, foolable by a variety of creative methods not
>including severing digits, and not hooked into the OS at a low enough
>level to properly secure the login.

That's a joke, right? LOL!

Assuming you can get past that worry, check out the integrated security
solution in Lenovo ThinkPads equipped with security chips, fingerprint
readers, and encrypting hard disk -- they are very reliable and secure.

>The way a lot of banks and market data vendors do it nowadays for
>internal logins is with a chip-n-pin type card and a card reader slot in
>the keyboard. The next level up is a pin and an RSA SecurID dongle to be
>used in conjunction with your normal uid and pwd to login to the company
>vpn.

A physical token is of course much easier to compromise than severing a
digit. ;)

Regardless, I'm frankly not terribly impressed by the bank measures I've
seen, which is why I'm not terribly surprised by all the security
breaches that have occurred, most of which never make the press.

--
Best regards,            FAQ for Wireless Internet: <http://wireless.navas.us>
John Navas               FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
                         Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
                         Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
From: Jeff Liebermann on 7 Dec 2008 00:05

On Sun, 07 Dec 2008 00:08:48 +0000, Mark McIntyre
<markmcintyre(a)TROUSERSspamcop.net> wrote:

>Jeff Liebermann wrote:
>> On Sat, 6 Dec 2008 06:31:21 -0800 (PST), Chrisjoy
>> <ultralibertarianer(a)gmail.com> wrote:
>>
>>> About 85% of all internet traffic is P2P, and close to all of it
>>> contains copyrighted material that is illegal to download.
>>
>> I think 75% is a more accurate figure.
>
>I doubt it's even that nowadays, not if you mean "illegal p2p". Over here
>in the UK all the main free-to-air TV broadcasters now have totally
>legal p2p watch-again services which I suspect eat a heck of a lot of
>bandwidth.

Good point. Here's Cisco's numbers:
<http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-481360_ns827_Networking_Solutions_White_Paper.html>

"Traffic from all applications grew in volume in 2007, but the traffic
mix shifted considerably. Peer-to-peer (P2P) file sharing networks are
now carrying 600 petabytes per month more than they did this time last
year, which means there is the equivalent of an additional 150 million
DVDs crossing the network each month, for a total monthly volume of over
500 million DVD equivalents, or two exabytes. Despite this growth, P2P as
a percentage of consumer Internet traffic dropped to 51 percent at the
end of 2007, down from 60 percent the year before. The decline in
traffic-share is due primarily to the increasing share of video traffic.
A secondary factor in the decline is the uptake of web-based file in some
regions."

Scroll down to Table 5 for peer-to-peer numbers. Looks like you're right
about online video file sharing and viewing.

"Video is now approximately one-quarter of all consumer Internet traffic,
not including the amount of video exchanged through P2P file sharing.
Internet video grew from 12 percent in 2006 to 22 percent in 2007, and
will reach 31 percent by the end of this year."

I haven't done the numbers for my wireless coffee shop customers yet,
but will try to do so Sunday, after I recover from the traditional
Christmas dinner overeating.

>> You would if you've ever been ripped off. I have and it completely
>> changed my attitude toward copyright protection and enforcement.
>
>Kinda depends on how, to what extent, and to what commercial or
>reputational loss.

It's a complex mess that I don't want to openly discuss. Sorry.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl(a)comix.santa-cruz.ca.us
# http://802.11junk.com jeffl(a)cruzio.com
# http://www.LearnByDestroying.com AE6KS
From: Jeff Liebermann on 6 Dec 2008 23:48

On Sun, 07 Dec 2008 00:06:09 +0000, Mark McIntyre
<markmcintyre(a)TROUSERSspamcop.net> wrote:

>Jeff Liebermann wrote:
>> A fingerprint reader can be used in place of the login and password.
>> I've had rather bad luck at getting users to consistently use the
>> reader, but it does work. The ones where you swipe the finger over a
>> narrow reader window seem to be a problem. The ones where you just
>> press your finger onto a larger window work much better (but cost
>> more).

>Unless you go high-end these things are horribly insecure. I've toyed
>with deploying them but having watched the issues that others have had,
>shied away.

They seem ok to me for "casual" use. My main concern is what happens to
a desktop or laptop if the user/owner walks away, and someone shoves in
a USB dongle or something similar in their absence. By having the user
lock the PC, that problem is reduced somewhat.

Personally, I wouldn't mind seeing some system of face recognition
deployed on laptops with cameras. It's probably even less reliable and
secure than the fingerprint reader, but it sure will be more convenient,
which means users may actually be inspired to use it.

>Typical problems would seem to be too many false negatives,

Agreed. The software requires that you train the reader with 3
successful reads in a row. That turns out to be amazingly difficult to
do. After using one for a day, my batting average was only about 75%.
It seemed like every other scan had to be done twice.

>too easy to sniff,

How so? The swipe type readers are inside the laptop. One was on a Dell
XPS something laptop. Two others on various Lenovo laptops. There was no
way to tap the data. What did work quite well was an external reader.
It was plugged into a USB port and most certainly can be tapped and
sniffed. However, it didn't require swiping the finger across the
reader, which made it much easier to use and far more consistent.

Incidentally, the generally acknowledged best biometric practice is
currently retinal eye recognition. One that I saw, but haven't played
with, is thermal imaging of the blood vessels in the hand. Expensive,
but quite unique, reliable, and probably impossible to spoof.

>foolable by a variety of creative methods not
>including severing digits, and not hooked into the OS at a low enough
>level to properly secure the login.

Other than using the software, I have no experience with how it works.
I'll plead ignorance here.

>The way a lot of banks and market data vendors do it nowadays for
>internal logins is with a chip-n-pin type card and a card reader slot in
>the keyboard. The next level up is a pin and an RSA SecurID dongle to be
>used in conjunction with your normal uid and pwd to login to the company
>vpn.

Yep. That's also what I'm seeing for HIPAA compliance at hospitals.
However, I've also seen what I assume to be an RFID reader system that
doubles for door access control. I smell lots of potential problems with
these, but haven't had a chance to dig deeper.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl(a)comix.santa-cruz.ca.us
# http://802.11junk.com jeffl(a)cruzio.com
# http://www.LearnByDestroying.com AE6KS
From: Jeff Liebermann on 6 Dec 2008 23:32

On Sat, 6 Dec 2008 12:12:26 -0800 (PST), Chrisjoy
<ultralibertarianer(a)gmail.com> wrote:

>I don't need accounts. I don't want accounts. I only want different
>key for each session, and this is ONLY motivated by protecting guests,
>that is our customers, from being sniffed at.

Set up the RADIUS server to accept a "guest" login with no password. I
think a blank password will do the trick, but I have to try it to be
sure. I don't think you can use a blank login, but maybe that's
possible. Even though everyone has the same login and blank password,
they will get different WPA encryption keys from the RADIUS server.
Since you were able to set up a RADIUS server with MySQL in 1 hour, I
would think you could try a blank login or password in a few seconds.

>Are you unable to
>answer me on my terms?

Does it matter? I present you with the best answers and advice that I
can offer. I explain most of what I present. If you fail to appreciate
or benefit from such advice, that's your problem. You've offered me no
reason or incentive to comply with your terms, whatever they may be.

Incidentally, although this does not comply with your terms and
requirements, you might find it interesting. It's basically an online
RADIUS server service:
http://www.linksys.com/wirelessguard/
The catch is that it uses services from Wireless Security Corp, which
was bought by McAfee and appears to be unsupported, dead, or something.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl(a)comix.santa-cruz.ca.us
# http://802.11junk.com jeffl(a)cruzio.com
# http://www.LearnByDestroying.com AE6KS
From: John Navas on 7 Dec 2008 14:03

On Sat, 06 Dec 2008 20:32:10 -0800, Jeff Liebermann <jeffl(a)cruzio.com>
wrote in <fjjmj4t96u64er82u5qvsd4k50tjf2hthf(a)4ax.com>:

>On Sat, 6 Dec 2008 12:12:26 -0800 (PST), Chrisjoy
><ultralibertarianer(a)gmail.com> wrote:
>
>>I don't need accounts. I don't want accounts. I only want different
>>key for each session, and this is ONLY motivated by protecting guests,
>>that is our customers, from being sniffed at.
>
>Set up the RADIUS server to accept a "guest" login with no password. I
>think a blank password will do the trick, but I have to try it to be
>sure. I don't think you can use a blank login, but maybe that's
>possible. Even though everyone has the same login and blank password,
>they will get different WPA encryption keys from the RADIUS server.
>Since you were able to set up a RADIUS server with MySQL in 1 hour, I
>would think you could try a blank login or password in a few seconds.

I suggest using (hashing) the MAC address of the client as a login ID to
provide an audit trail of sorts, although the other tricky bit would be
creating RADIUS accounts invisibly and dynamically. But you're correct
that even a single RADIUS account will still ensure unique encryption of
different wireless connections (by generating a different Master Key for
each session even for the same login ID).

But snooping of WPA-PSK traffic is non-trivial. I think the much bigger
risk is allowing wireless clients to connect to each other. (Think
accidentally open shares.) Unless there were unusual requirements, I'd
probably just publish a simple WPA-PSK key (in the SSID as well), turn
on wireless-to-wireless isolation, and be done with it. I think it's
unfortunate that most public hotspots don't do this.

One of the reasons I use and recommend ThinkVantage Access Connections
over WZC for ThinkPad computers is that it allows you to configure
profiles to selectively disable File and Printer Sharing (and Internet
Connection Sharing, etc).

>Incidentally, although this does not comply with your terms and
>requirements, you might find it interesting. It's basically an online
>RADIUS server service:
>http://www.linksys.com/wirelessguard/
>The catch is that it uses services from Wireless Security Corp, which
>was bought by McAfee and appears to be unsupported, dead, or
>something.

It's pretty cheap and easy to set up a RADIUS server (e.g., FreeRADIUS)
on a networked PC. I like the ASUS Eee PC because it's cheap, reliable,
and essentially has its own built-in UPS -- about $250 for the 4G. Or a
used computer can be used to bring the cost down even more.

FWIW I do agree it's unfortunate that Master Key generation in WPA-PSK
is so completely predictable -- I think it would have been better to put
some effort into making Master Keys unique to each session even with the
same PSK. And I don't think this is 20-20 hindsight -- it's something I
think should have been done as a matter of course -- I was surprised
when I first learned it hadn't been done.

--
Best regards,            FAQ for Wireless Internet: <http://wireless.navas.us>
John Navas               FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
                         Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
                         Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>
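The point made in the post above, that the WPA-PSK Master Key is fixed by the passphrase and SSID and that only the 4-way-handshake nonces make each association's keys differ, can be checked against the 802.11i key hierarchy. This is an added example, not code from anyone in the thread; the passphrase, SSID, MAC addresses and nonces are constructed, and the PMK derivation is checked against the published 802.11i Annex H test vector.

```python
import hashlib
import hmac
import os

# 802.11i key hierarchy for WPA/WPA2-Personal (PSK mode).
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits). It depends
# only on the passphrase and the SSID, so every client on the hotspot shares
# the same PMK for as long as the published PSK stays the same.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# PRF-n from 802.11i: concatenated HMAC-SHA1(K, A || 0x00 || B || counter).
def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

# PTK = PRF-384(PMK, "Pairwise key expansion",
#        min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
# Only the two handshake nonces make it differ between sessions of one client.
# The 48 bytes split into KCK (16) | KEK (16) | TK (16, the CCMP data key).
def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def session_keys(passphrase, ssid, aa, spa, anonce=None, snonce=None):
    """Return (PMK, PTK) for one association; nonces default to fresh randoms."""
    pmk = wpa_pmk(passphrase, ssid)
    anonce = anonce if anonce is not None else os.urandom(32)
    snonce = snonce if snonce is not None else os.urandom(32)
    return pmk, wpa_ptk(pmk, aa, spa, anonce, snonce)

def demo():
    # Constructed values: one hotspot AP and two laptops using the published PSK.
    ap = bytes.fromhex("001122334455")
    laptop1 = bytes.fromhex("aabbccddeeff")
    laptop2 = bytes.fromhex("a1b2c3d4e5f6")
    pmk1, ptk1 = session_keys("coffeeshop-wifi", "CafeHotspot", ap, laptop1)
    pmk2, ptk2 = session_keys("coffeeshop-wifi", "CafeHotspot", ap, laptop2)
    # Same PMK for everyone on the hotspot; distinct PTK per association.
    return pmk1 == pmk2, ptk1 != ptk2

if __name__ == "__main__":
    same_pmk, distinct_ptk = demo()
    print("shared PMK across clients:", same_pmk)
    print("distinct per-session PTK:", distinct_ptk)
```

The shared PMK is why client-to-client isolation on the access point matters as much as the encryption itself on a hotspot with a published key.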