I'm a little confoosed... what I'm seeing in the news concerns the weakness of the WPS PIN for assigning a security key across wireless devices from a router which is WPS equipped.
Many months ago there were claims of WEP security being crackable.
Most of us know to use stronger methods of encryption.
The present issue appears to relate uniquely to WPS and the PIN number generated as being vulnerable.
It seems like almost everything related to wireless security/setup is:
Broken.
Defective.
Ineffective.
Poorly designed/implemented.
While I'd argue the converse - all of the specs are basically open and documented, and everything is (ultimately) in the clear rather than over a wire, making security a moving target rather than something to be considered forever and unchanging. Wireless should be a combination of security - as secure a cipher and password as your router and devices that attach can all handle (and preferably one not automatically generated from a password or hash, but manually entered), some sort of device filtering, and network security at the OS networking level in addition to the wireless encryption (like IPSEC between hosts). As with anything, the only way to be truly secure is to not connect to a network - once you do, you do your best, be vigilant, and take your chances. And to those that don't, they run that risk of ending up getting hacked in some way, and there's not a whole lot you can do about or for them at that point either.
Why not just set the setup to MANUAL in the router? Problem fixed? Or is that too simple?
Qdos said:
All the more reason for a router that hides a VLAN without a WPS configuration...
That might be easy enough for us to do, but we aren't the people that WPS (Easy Setup) was aimed at.
The ordinary user would be completely baffled (if not terrified) by the idea of "screwing" with the settings.
Ordinary computer users could do it if someone walked them through it though.
cluberti said:
While I'd argue the converse - all of the specs are basically open and documented, and everything is (ultimately) in the clear rather than over a wire, making security a moving target rather than something to be considered forever and unchanging. Wireless should be a combination of security - as secure a cipher and password as your router and devices that attach can all handle (and preferably one not automatically generated from a password or hash, but manually entered), some sort of device filtering, and network security at the OS networking level in addition to the wireless encryption (like IPSEC between hosts). As with anything, the only way to be truly secure is to not connect to a network - once you do, you do your best, be vigilant, and take your chances. And to those that don't, they run that risk of ending up getting hacked in some way, and there's not a whole lot you can do about or for them at that point either.
It is fair enough that security systems fail, when attacked by innovative strategies.
The trouble is security systems are still falling to ancient attack strategies.
Remember the "War Games" movie (1983)?
The kid hacked into a military super computer (via the telephone system) using a "brute force" attack! Hollywood didn't invent the concept, it was based on reported real life incidents.
Why are systems still falling to that type of attack 29 (or more) years later (WPS)?
I'm always reading comments blaming wireless users, when their privacy/security is compromised.
Now we discover that even if the user was doing the right thing, it was futile, because the system designers and manufacturers screwed up.
Some of the problems are due to the improvements in computer technology though.
How many times more powerful is a modern PC, compared to the original PC?
There was a time, when the idea of someone cracking a 128-bit encryption key (in a short time) was laughable.
Now 2048-bit is considered barely adequate.
It probably won't be too long, before 2048-bit encryption is considered a joke.
Last edited by lehnerus2000; 01 Jan 2012 at 01:32.
Reason: Quote Added
No matter how secure you make something, someone, somewhere, is going to find a way around it, be it on purpose or by accident. That's been proven multiple times in the last few years & you can bet that it's going to continue.
BTW, if you have a Netgear router & you updated to the latest firmware version (V1.1.1.58), there is a major flaw in that. Anyone behind the router can now log in to the router WITHOUT a password, and this flaw extends to the Wi-Fi aspect of it. They've been informed of this little glitch, but have yet to fix it. If you upgraded, best to re-install the old firmware.
There was a time, when the idea of someone cracking a 128-bit encryption key (in a short time) was laughable.
Now 2048-bit is considered barely adequate.
It probably won't be too long, before 2048-bit encryption is considered a joke.
Just a small FYI on this one.
128 is still (currently) secure and refers to private key encryption like what is used on WiFi.
The 2048 bit keys are for public key encryption (like you would add to an email if you wanted someone to send you back something encrypted) and contain a lot more information to make the "public" process work so it isn't really that meaningful as a stand alone bit length number.
I do agree that most of the WiFi problems have been from very poor and untested implementations foisted on the public. Combined with ridiculous regulations imposed by governments that fear encryption use even over a distance of 20 feet. But most of the problems have been from piss poor design and implementations of things that should have been taken seriously from the start.
There was a time, when the idea of someone cracking a 128-bit encryption key (in a short time) was laughable.
Now 2048-bit is considered barely adequate.
It probably won't be too long, before 2048-bit encryption is considered a joke.
Just a small FYI on this one.
128 is still (currently) secure and refers to private key encryption like what is used on WiFi.
You mean CCMP(AES)?
Sure (unless there is some implementation flaw).
My bad.
I wasn't specifically referring to CCMP(AES).
I meant bit length in general (more bits = more secure).
I still think that it will only be a few years before 128-bit will have to be replaced.
"Botnets", "Grid Computing" and "Moore's Law" basically guarantee it.
Hashes were considered to be reasonably secure.
Now GPUs can smash them (i.e. create a password that matches a given hash) in a very short time (if you can get access to the hash file).
Cheap GPUs are rendering strong passwords useless | ZDNet
fseal said:
The 2048 bit keys are for public key encryption (like you would add to an email if you wanted someone to send you back something encrypted) and contain a lot more information to make the "public" process work so it isn't really that meaningful as a stand alone bit length number.
Presumably 2048-bit isn't impossible to crack even now.
On my networking course, when we set up the procedure (you mentioned above) Linux offered us 4096-bit as an option.
We were specifically told that it is illegal for us to use that level of encryption, because the Government wants to be able to read your secret data.
fseal said:
I do agree that most of the WiFi problems have been from very poor and untested implementations foisted on the public. Combined with ridiculous regulations imposed by governments that fear encryption use even over a distance of 20 feet. But most of the problems have been from piss poor design and implementations of things that should have been taken seriously from the start.
Agreed.
The "Brute Force" issue reminds me of "Buffer Overflow" errors/exploits.
These problems have been known for years and yet they still keep happening.