Just How Secure Is A Wireless Signal ?
I have a Linksys 2.4GHz Wireless-B Router Model No. BEFW11S4 (Firmware updated) hardwired to my iMac Snow and a Dell Dimension XPS T500 with a wireless card.
The following are enabled on the Router -
Wireless security mode: WEP
Wireless Encryption Level: 128 bits 26 hex digits
Using Passphrase and WEP Key

I was wondering if there's any way to check how secure my wireless signal is? Without getting too involved :D |
It's secure until someone decides to hack it and then it will fail in about 3-5 minutes if that. Having a complex maximum character WEP key will help a bit. Something that is random and not found in a dictionary or a common word and contains a mix of numbers, letters and symbols.
You should really upgrade to at least WPA or the preferred WPA2 but that may require the purchase of a new router. |
Yeah. Even a complex WEP key is pretty trivial to break. WEP is, for all intents and purposes, broken, and should not be used if you have any choice at all in the matter. You could say that WEP is better than nothing, since it will keep out your 80 year old neighbor. But it won't keep out your 80 year old neighbor's great-grandson.
WPA2 is the best choice by far, followed by WPA. No matter what you use, DO make sure to use a complex password, containing a mix of lower and uppercase letters, and numbers, and of course never anything that might be found in any dictionary. Trevor |
Just Put Up A Sign That Says Free Internet
What if I use the WPA Pre-Shared Key option instead ?
Wireless Encryption Level: TKIP
WPA Shared Key field between 8 and 63 characters long

What does the Group Key Renewal Interval time between 0 and 99,999 seconds option do?

Besides someone hacking my router and into my Comcast internet just to get a free ride, would the firewalls on both computers keep them out of my hard drives after that point? Zone Alarm Pro on the Dell, and if need be I have Net Barrier X4 for the iMac (right now just using the built-in Firewall on Tiger) |
Use WPA with default settings and a reasonably long key, not something obvious, and you will be fine. Breaking WPA requires years of supercomputer time. Unless you're hiding from the NSA, don't worry about it.
|
Agree with WPA being a better approach if available, but even WEP is "good enough" to keep the average wireless moocher off your network if that is what you are worried about. I wouldn't bother to go out and buy a new access point if WPA isn't an option unless you are sharing file systems across your machines. You're more at risk just plain web surfing with that Dell than somebody bothering to sit in your front lawn and crack your WEP key.
|
Quote:
And if they were really after the WLAN, optech would probably rather prefer a break-in and installation of slightly modded hardware - just in case all of this was legal, of course ;) . |
Quote:
Quote:
WPA's Little Secret Trevor |
WPA2 has TKIP+AES encryption.... it's probably the best available right now on most routers. Then, I would also set a password to change the settings on the router, as an extra layer of protection.
|
Quote:
In other words, there's probably no technical way to make WPA any more "good" than it is. The "flaw in WPA" is simply a human flaw. If you use a password so stupid that it's both short and vulnerable to a dictionary attack, no technology can save you. If you use the kind of password everybody recommends, then a hacker will need a supercomputer and quite a few lifetimes to get in. |
If you only read the summary, you will have only a trivial understanding of the article.
1. WPA uses TKIP encryption. TKIP is far, far better than WEP (it patches WEP with improvements in per-packet key mixing, a re-keying system, a message integrity check, and initialization vector protection). But TKIP is still inferior to AES-CCMP, which is used in WPA2. TKIP is based on the weaker RC4 cipher algorithm. TKIP uses fewer bits in the key. The message integrity check that it uses is weaker than that of AES-CCMP. TKIP is just generally less confidential and has less integrity than AES. AES is so highly regarded by experts that the United States National Institute of Standards and Technology has selected it to replace DES--Data Encryption Standard.

2. WPA Personal uses a pre-shared key, which is susceptible to dictionary attacks in part because a cracker can cause a wireless router using WPA to regenerate the key exchange with their computer in under a minute; even though that key exchange is secured, it can be extracted. That means they can crack it offline at their leisure. To avoid these kinds of dictionary attacks with WPA, you need to use passwords longer than 20 characters. Very few people are willing to enter passwords that long, because they are hard to remember.

Trevor |
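Added example (not part of any post in this thread): a passphrase self-audit for the dictionary-attack point above. It derives the WPA/WPA2-Personal pre-shared key with PBKDF2-HMAC-SHA1 (4096 iterations, salted with the SSID) and compares how long a dictionary word, a short random string and a 20-character random string would hold up; the wordlist, the sample passphrases and the guess rate are constructed assumptions.

```python
import hashlib
import math

PBKDF2_ITERATIONS = 4096          # fixed by the WPA/WPA2-Personal key derivation
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed sample wordlist; a real audit would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "linksys1", "letmein1", "internet"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the network name (SSID)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def estimate_bits(passphrase: str, wordlist=SAMPLE_WORDLIST) -> float:
    """Upper bound on guessing entropy in bits. A dictionary hit is worth only
    log2(len(wordlist)); otherwise assume every character was picked at random
    from the character classes that appear in the passphrase."""
    if passphrase.lower() in wordlist:
        return math.log2(len(wordlist))
    pool = 0
    pool += 26 if any(c.islower() for c in passphrase) else 0
    pool += 26 if any(c.isupper() for c in passphrase) else 0
    pool += 10 if any(c.isdigit() for c in passphrase) else 0
    pool += 33 if any(not c.isalnum() for c in passphrase) else 0  # ASCII symbols
    return len(passphrase) * math.log2(pool)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 100_000  # assumed offline guess rate, not a measured figure
    for pw in ("password", "abcdefgh", "k3Tq9ZpLw2XhVb7RyC4m"):  # constructed
        bits = estimate_bits(pw)
        psk = derive_psk(pw, "linksys")
        print(f"{pw!r}: ~{bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} "
              f"years to exhaust, PSK starts {psk.hex()[:8]}")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, so changing a factory-default network name also matters.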
As far as I knew, WPA2 is TKIP + AES encryption, which is the best of both worlds. I'm going to go consult some of my previous professors about this, just to make sure. One of them taught Network Security at Stanford for a few years so I'm sure he'll have some good insight.
|
You *might* be thinking of PSK (pre-shared key) + AES.
WPA2 is definitely not TKIP. As I said above, TKIP just uses the RC4 cipher algorithm. Trevor |
That's why I'm going to clarify those findings. My memory is a tad rusty when it comes to network security topics.
|
Yeah, there's a lot of acronyms--it gets confusing.
Trevor |
For those interested, there's an intelligent debate on the talk page of the WPA entry on wikipedia:
http://en.wikipedia.org/wiki/Talk:Wi...WPA_or_WPA2.3F

Bottom line:
• WPA2 is better than WPA.
• Good, long passwords are needed.
• WEP is completely broken. |
Quote:
|
Quote:
As always, if you're too lazy to look after your own safety, you get what you deserve. |
Ok, so WPA2 (802.11i) basically does away with the problems faced with WEP (we all know those) and TKIP. Simply, it uses AES for its encryption scheme. However, I'm a bit confused and perhaps someone can shed some light on this: my wireless router (WRT54G v4) allows for WPA2, but when that item is selected, you are given the choice of TKIP, AES, or TKIP + AES. Now, wouldn't it be better to use both AES in conjunction with TKIP since AES is obviously a hardened method and TKIP provides key mixing on a per packet basis?
I think manufacturers do a great job in trying to confuse the layman whenever possible and if I wasn't the type of person that strives to know something before actually doing it, then I would have probably just left it as the default setting (which was TKIP I believe). Any thoughts? |
The difference between WPA and WPA2 is that it will take a supercomputer a few decades to crack WPA (assuming CPU power keeps growing like it has, with today's power it would take hundreds of years), and a few hundred years to crack WPA2. For most of us, the difference is irrelevant. Just choose something simple to implement.
|
That's understood. I was actually looking for a bit more of a technical interpretation. Nevertheless, I think it's safe to put this thread to rest with the idea that WPA2>WPA>WEP. Cheers!
|
For a good technical, but easy-to-understand discussion on the subject of encryption, check out the Security Now! podcasts. Steve Gibson is a brilliant guy and his explanations of encryption are both technically advanced but easy to understand, a great feat I think.
|
Quote:
http://www.grcsucks.com/ and his Wikipedia entry are good starting points to form yourself an opinion. If you look for a guy who knows what he's talking about, has written a couple of books on crypto and is pleasant to read, check out Bruce Schneier's blog http://www.schneier.com/blog/ instead. |
All I know of the guy is the podcasts, and those are factual and don't have any of the fear-mongering alleged on that page. In fact he downplays most of the risks people assume, and stresses that you should learn the details and decide for yourself. There is zero question that he does know how crypto works, does know the math behind it, and can explain it all very effectively.
I've never read his site or anything else about him. The podcasts have great quality. Blogs are hard to read while driving. |
Quote:
http://en.wikipedia.org/wiki/Steve_Gibson
http://www.infoworld.com/articles/op...psecurity.html
http://www.theregister.co.uk/2006/01..._fud_from_grc/

Trevor |
Opinionated blogs/podcasts/etc are just that, opinionated. Facts and empirical data are the end all solution. This is why I tend to stick to factual and empirical evidence when researching or examining a telecom topic/subject. I think podcasts are a lot like public radio. If you have the money and tools, any average joe can get on there and start ranting and raving about something. We, as intelligent listeners, need to be able to disregard the false and embrace the true.
I think guys like Steve have something to say, and in many instances what he has to say is interesting. However, he also tends to say some things that have no factual basis. So you have this threshold that keeps some people listening, while others keep criticising. It's an interesting cycle to say the least. |
Quote:
If I think about it, I can't come up with any opinions stated in those podcasts. I'm sure there were some. Usually they are somewhat dry and enjoyable if you like math and technology I guess. The guy with idiotic opinions is his sidekick, Leo Laporte...that guy can drive me to insanity in one sentence. One of you critics should listen to one of the podcasts on crypto and tell me if there's something incorrect or opinionated about it. |
This is careening off topic, but...
I'm not trying to be a critic, except in the sense of someone who looks at a question critically (2. Characterized by careful, exact evaluation and judgment: a critical reading.) I urge you to make up your own mind regarding the trustworthiness of Steve Gibson, and regarding everything else too, for that matter. If I'm seeming too negative, then I apologize. Regarding whether or not Mr. Gibson has stated items of questionable truth in his podcast, read the article from the Register, linked above. It says in part Quote:
It goes on from there, and is quite damning of Mr. Gibson. Another interesting page related to Mr. Gibson and GRC: http://www.radsoft.net/news/roundups/grc/ Trevor |
I no longer listen to TWiT because between that lunatic Dvorak and the blithering idiot Laporte, there's no content left. However, on the Security Now podcast, he said it's CONCEIVABLE that WMF and other things were back doors, and I happen to agree. So maybe we're just two conspiracy nuts.
In any case, like I said, all I know is that the Security Now podcasts are of very high quality and WILL answer these crypto questions. |
This question is a bit off topic, but I figured that it was better than starting a new thread. I've got an iBook G3 that I am setting up to use with a wireless g router system. The iBook has one of the original Airport cards. I was wondering if I can set the router for WPA? Will the iBook G3 be able to access the wireless router? Or is it only usable set at WEP?
Thanks |
I think WPA/WEP depends on the version of OS X you're running, not the card, just try it out, it's not like you're gonna break anything...
But of course you'll only get b-speed out of a b-card and if it's the only machine using the g router, you should try to switch it to b-only mode for slightly better speed. |
It does depend on the hardware and software, but my PowerBook G3 "Pismo" also has the original Airport card and I believe WPA was enabled by an AirPort update somewhere during the Panther era and it does work. WPA was not originally available for that original card, but Apple made it happen, at least on that laptop model.
|