Saturday, August 21, 2004

This isn't helping

Here's a really bad article that showed up in HITB, which
came from eBCVG,
which came from WebProNews, which supposedly came from (a link I cannot get to come up).

What's wrong with the article? How about:

  • the $25 card probably won't work, as the cheap ones don't "do" RFMON (monitor mode), which Kismet needs in order to see raw 802.11 frames
  • the computer is not looking for your SSID, it's looking for 802.11a/b/g networks. The SSID is part of that.
  • The SSID is not constantly transmitted, and computers don't "look for" it the way the article implies. The access point includes it in beacon frames sent at a fixed interval (typically every 100 time units, roughly 102 ms), and wireless NICs use it to pick which network to associate with.
  • It's Kismet, not Cismet
  • I don't get why the GPS receiver records only the coordinates of the strong signal.
  • The preliminary drive IS the wardrive. Any subsequent use of the open network is a network hijack, a theft of services, or an attack on local systems.
  • I'd like to hear more about how the wardriver can sniff passwords and credit card numbers from SSL secured data. (Yeah, I know it can be done, but not with your standard wardriving kit. The author is going for the "F" in FUD here.)
  • Don't broadcast your SSID? This one gets old. Earlier guidelines recommended turning off SSID beaconing. It's been shown that this only delays SSID detection until a client talks to the network, because the SSID still travels in the clear in other Layer 2 management frames (probe responses and association requests). The author seems to be aware of this but mucks up the explanation anyway.
  • How did factory default passwords for routers get into this? Do I need to buy a router too?
  • EAP is not encryption. EAP is an authentication framework (used with 802.1X); some EAP methods run inside TLS, and a successful authentication hands out the session keys, but the over-the-air encryption is still WEP, TKIP, or AES-CCMP.
  • WEP encryption is not bypassed, it is broken: AirSnort collects enough weak-IV packets to recover the shared key (the FMS attack).
  • MAC spoofing does NOT take time. Manually spoofing a MAC address takes only a few seconds, even for an extremely bad typist.
  • Password-protecting MS file shares is pointless on wireless networks. If you're using wireless, don't share files/folders! (Someone want to explain how having the same user accounts on each of your machines allows your computers to share files?)
  • Breaking WEP does not take days, so the "seconds to days/weeks sitting next to your network" comment is garbage.
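To make the beaconing and "hidden SSID" points above concrete, here is an added example (my own illustration, not code from the article or from Kismet): a small parser for 802.11 management frames that reads the beacon interval out of a beacon, flags a beacon whose SSID element is empty, and then recovers that "hidden" SSID from the probe response and association request that follow. The frames, the AP address, the client address, and the SSID "homenet" are all constructed inline for the demonstration; no capture file or wireless hardware is involved.

```python
"""Added example: 802.11 management-frame parsing showing that a 'hidden' SSID
(empty SSID element in the beacon) still appears in the clear in probe
responses and association requests. All frames below are constructed inline."""
import struct

# Management-frame subtypes used here (frame control type 0)
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
SUBTYPE_NAME = {ASSOC_REQ: "assoc-req", PROBE_REQ: "probe-req",
                PROBE_RESP: "probe-resp", BEACON: "beacon"}
# Bytes of fixed fields between the 24-byte MAC header and the element list
FIXED_LEN = {ASSOC_REQ: 4, PROBE_REQ: 0, PROBE_RESP: 12, BEACON: 12}
SSID_EID = 0
BROADCAST = b"\xff" * 6
TU_MS = 1.024  # one 802.11 time unit is 1024 microseconds


def build_mgmt_frame(subtype, dst, src, bssid, ssid, beacon_interval_tu=100):
    """Build a minimal management frame carrying a single SSID element."""
    fc = struct.pack("<H", subtype << 4)  # protocol version 0, type 0 (management)
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    if subtype in (BEACON, PROBE_RESP):
        fixed = struct.pack("<QHH", 0, beacon_interval_tu, 0x0001)  # timestamp, interval, capability
    elif subtype == ASSOC_REQ:
        fixed = struct.pack("<HH", 0x0001, 10)  # capability, listen interval
    else:
        fixed = b""
    ssid_ie = bytes([SSID_EID, len(ssid)]) + ssid
    return header + fixed + ssid_ie


def parse_mgmt_frame(frame):
    """Return the fields we care about, or None if this is not a management frame we handle."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    info = {"subtype": SUBTYPE_NAME[subtype],
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}
    if subtype in (BEACON, PROBE_RESP):
        (interval_tu,) = struct.unpack_from("<H", frame, 24 + 8)  # after the 8-byte timestamp
        info["beacon_interval_ms"] = interval_tu * TU_MS
    # Walk the information elements: one byte id, one byte length, value
    off = 24 + FIXED_LEN[subtype]
    elements = {}
    while off + 2 <= len(frame):
        eid, length = frame[off], frame[off + 1]
        elements[eid] = frame[off + 2:off + 2 + length]
        off += 2 + length
    ssid = elements.get(SSID_EID)
    # A "hidden" network beacons an empty SSID (some vendors send NUL bytes instead)
    info["ssid_hidden"] = ssid is not None and (len(ssid) == 0 or set(ssid) == {0})
    if ssid is None or info["ssid_hidden"]:
        info["ssid"] = None
    else:
        info["ssid"] = ssid.decode("utf-8", "replace")
    return info


def recover_ssids(frames):
    """Map BSSID -> SSID, filling in hidden beacons from probe responses and association requests."""
    found = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None or info["ssid"] is None:
            continue
        if info["subtype"] in ("beacon", "probe-resp"):
            found[info["addr2"]] = info["ssid"]  # the AP is the transmitter
        elif info["subtype"] == "assoc-req":
            found[info["addr1"]] = info["ssid"]  # the client addresses the AP
    return found


# Constructed sample "capture": hidden beacon, then a client joining the network
AP = bytes.fromhex("00112233aabb")      # constructed AP address
CLIENT = bytes.fromhex("00aabbccdd01")  # constructed client address
CAPTURE = [
    build_mgmt_frame(BEACON, BROADCAST, AP, AP, b""),                        # SSID hidden
    build_mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, b"homenet"),   # client asks for it by name
    build_mgmt_frame(PROBE_RESP, CLIENT, AP, AP, b"homenet"),                # AP answers in the clear
    build_mgmt_frame(ASSOC_REQ, AP, CLIENT, AP, b"homenet"),                 # and so does the join
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_mgmt_frame(f))
    print({k.hex(":"): v for k, v in recover_ssids(CAPTURE).items()})
```

Running it shows the beacon with `ssid_hidden` set and a beacon interval of 102.4 ms, and `recover_ssids` still maps the AP's BSSID to "homenet" from the later frames, which is exactly why turning off SSID beaconing only buys you time until the first client connects.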

The closing feel-good paragraph is garbage. The tips are confusing. A script kiddie with the programs listed in the article can still get in. A better way of putting it:

  • Enable WEP (assuming that's all you have). It will keep honest people honest. The dishonest ones can still get "in" in a matter of minutes.
  • Change the access point's default SSID and username/password. (This will show wardrivers that you've devoted at least a little bit of due diligence to your network configuration.)
  • Use MAC address filtering. It costs the attacker one more command than before (setting the card's MAC to one already seen on the network).
  • Turn off the d*mn access point when you're not using it.

That last recommendation will provide the most protection in the long run. The others will only make extra work for the attacker. As people tend to take the path of least resistance, an attacker will likely hijack your next-door neighbor's wide-open network instead.

If you're willing to spend the extra money, you can also:

  • use third-party layer 2 encryption
  • use wireless intrusion detection
  • periodically scan for rogue access points and clients
  • or even better, put CAT-5 cabling in the walls

It's articles of that quality that cause more damage than help. There are legitimate security-related uses for some of the software. We're already dangerously close to the point where possession of certain software will be considered illegal (and things will get very messy once we're headed down that slippery slope).
