Security Basics mailing list archives

Re: About War Driving ..


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 7 Dec 2006 15:27:09 +0100

On 2006-12-06 FatalSaint wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Then you simply failed to understand my objections.
>
> Your first email consisted mostly of "Pointless." Over and over. How
> is one to understand that without a more detailed explanation?

I consider it basic, if not common knowledge on a security-related list,
that MAC and IP addresses can be sniffed and spoofed most easily on a
WLAN. Anyway, I hope to have cleared that up with my last mail.

>> *thousand passphrases per second*
>
> With computers today it's actually quite a bit more though I don't
> have specific numbers. (especially if you can run a cluster or
> multiple SMPs)

Assume you have a cluster of 1000 nodes each of which can try a billion
passphrases per second. That reduces the average time to crack a 30 (!)
character passphrase from 3.66 * 10^95 years to 3.66 * 10^83 years. A
noticeable reduction, yes, but still not to a point that would be even
remotely insecure. Not to mention that you'd normally use a passphrase
much longer than 30 characters.

> However, the point of your argument is still sound that it requires
> time to do. The bigger better machinery you have the less time is
> required.

True, but see above.

[...]
>> It seems that you don't understand what the SSID's purpose is....
>
> In order to connect a user needs to have the SSID. I didn't mean his
> network will appear "invisible" .. it will just show a wireless signal
> with no name. A program like Kismet -will- detect a hidden SSID if
> there is enough traffic - sure. But when I was reading up on this I
> remember seeing some wireless sniffers wouldn't.

I don't know about that, but even if there are sniffers that don't: from
a security PoV you have to assume that the attacker is using tools of
reasonable quality. And as I pointed out before: if the encryption is
strong it doesn't matter at all if the attacker knows the SSID to begin
with.

[...]
> You're still giving your attacker the benefit of the doubt and just
> not trying. At the least the admin should attempt. It could very
> well be an inside user using their own laptop (not corporate) - having
> no idea how to crack WEP or spoofing anything. Or it could be someone
> who knows how to crack WEP and set their IP using Red Hat's cutesy GUI
> having no knowledge of ifconfig or the HW option. Etc... these people
> -do- exist. I've met them. There are still people who think
> spoofing the MAC is a difficult endeavor. I don't know how in
> Windows, personally, but in Linux it's a simple matter of 1 command -
> but you can't assume *everyone* knows that command.

When planning security measures I always assume a knowledgeable
attacker. And I usually don't consider measures that won't keep him out,
because they add complexity without creating appropriate security.

[...]
>> More layers also mean increased complexity, thus making the network
>> (and its security) harder to maintain. Which, in consequence, can
>> *reduce* the network's security.
>
> Only if you're untrained/uneducated in what you are implementing.. or
> just afraid of a little work.

I like to keep my workload low. Besides, with higher complexity you
increase your risk to simply overlook something, regardless of how well
educated you are.

> Any security measure implemented incorrectly can be a security flaw.

Which is why you want to keep things simple.

> Even your almighty WPA if the pass phrase is just "aaaaaaaa".

You remember that I had suggested using strong passphrases, and that I
said I'm aware of WPA-PSK being vulnerable in case of weak ones, don't
you?

>> Bottom line: your suggestions are either ineffective or don't address
>> the OP's original problem. Which is what I was objecting to.
>
> Not the way it sounded to me. And why -just- tell him the one thing
> when you can offer suggestions on damage mitigation as well?

If you re-read my first mail you'll notice that I did not criticize
those measures in general, but pointed out a) that they only become
effective *after* a successful break-in, and b) where I think they may
cause problems.

[...]
>> Why even bother about additional measures that don't add any
>> significant amount of security, but do require (significant)
>> additional maintenance? It's - as I said before - pointless.
>
> Firstly, enabling those items doesn't require a 'significant' amount of
> work.

So you don't update the MAC filter every time you add a new device or
retire an old one? IBTD.

> Secondly - why stop building your security diagram once you've done
> just one item?

I don't. I just don't add things that aren't worth bothering,
security-wise.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
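The exchange above argues about how much attacker hardware matters against a long WPA-PSK passphrase versus how much it matters against a weak one like "aaaaaaaa". The following calculator is an added example, not code from either poster or from the list; it makes the argument concrete by estimating offline search cost from alphabet size, passphrase length and guess rate. It assumes an attacker who already holds a captured handshake and tests candidates offline, a uniformly chosen passphrase, and that on average half the keyspace is searched; the alphabet sizes and guess rates in it are constructed for illustration and are not the figures quoted in the thread.

```python
"""Offline brute-force cost estimates for a WPA-PSK passphrase.

Added example (not from the thread). Assumptions: the attacker tests
candidates offline against a captured handshake; every passphrase of the
given length over the given alphabet is equally likely; on average half
the keyspace is tried before the right one is hit.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed alphabet sizes used for the illustrations below.
ALPHABETS = {
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random passphrase."""
    return length * math.log2(charset_size)


def expected_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average time in years until the correct passphrase is guessed.

    Half the keyspace on average, divided by the guess rate.
    """
    expected_guesses = keyspace(charset_size, length) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def wordlist_expected_seconds(wordlist_size: int, guesses_per_second: float) -> float:
    """Average time in seconds for a dictionary attack if the passphrase is
    one of `wordlist_size` candidates (the "weak passphrase" case)."""
    return (wordlist_size / 2) / guesses_per_second


def speedup(old_rate: float, new_rate: float) -> float:
    """Factor by which more hardware shortens the search: linear in the
    guess rate, exponential gains only come from a longer passphrase."""
    return new_rate / old_rate


def wpa_psk_length_ok(passphrase: str) -> bool:
    """WPA-PSK ASCII passphrases must be 8 to 63 characters long."""
    return 8 <= len(passphrase) <= 63


def report(guesses_per_second: float) -> None:
    """Print a small table comparing passphrase shapes at one guess rate."""
    print(f"guess rate: {guesses_per_second:.0e}/s")
    for name, size in ALPHABETS.items():
        for length in (8, 12, 20, 30):
            years = expected_years(size, length, guesses_per_second)
            bits = entropy_bits(size, length)
            print(f"  {name:9s} len={length:2d} {bits:6.1f} bits  ~{years:.2e} years")
    print(f"  wordlist 1e6 entries: ~{wordlist_expected_seconds(1e6, guesses_per_second):.1f} s")


if __name__ == "__main__":
    # Constructed rates: a single host vs. a 1000-node cluster.
    for rate in (1e3, 1e12):
        report(rate)
    print("speedup from 1e3/s to 1e12/s:", speedup(1e3, 1e12))
    print('"aaaaaaaa" length ok:', wpa_psk_length_ok("aaaaaaaa"))
```

The point the table makes is the one argued in the thread: raising the guess rate by a factor k (more nodes, faster cores) divides the expected time by exactly k, while each added character multiplies it by the alphabet size, so passphrase length and randomness, not attacker hardware, dominate; and a passphrase drawn from a small wordlist falls in seconds at any realistic rate regardless of its length being "valid" for WPA-PSK.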
