nanog mailing list archives
RE: Wireless insecurity at NANOG meetings
From: "Sameer R. Manek" <manek () ecst csuchico edu>
Date: Sat, 21 Sep 2002 16:21:28 -0700
Terminal Rooms are no different than an internet cafe, you are using an untrusted system to access an untrusted network, and should be treated as such. The wireless network is just an untrusted network, send over it what you would send over such a network. There is honor among thieves, but none among idle network admins who left their nerf guns back at the office.

ssh, or encrypted vpn traffic is the only thing that should be sent over the network to connect to remote systems.

Enabling WEP or setting a difficult to guess SSID would be silly, given that it is a public network, the SSID would probably be posted in the terminal room anyways. Plus there are numerous tools to decrypt WEP in almost real time, with 400 stations, it wouldn't take long to gather the needed packets.

Ultimately security is the responsibility of the person or organization affected by the lack of it. Which is something most people fail to realize consistently.

Sameer
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of Sean Donelan
Sent: Saturday, September 21, 2002 2:46 PM
To: nanog () merit edu
Subject: Wireless insecurity at NANOG meetings

On Sat, 21 Sep 2002, Iljitsch van Beijnum wrote:
> Anyway, in our efforts to see security weaknesses everywhere, we might be
> going too far. For instance, nearly all our current protocols are
> completely vulnerable to a man-in-the-middle attack. If someone digs up a
> fiber, intercepts packets and changes the content before letting them
> continue to their destination, maybe the layer 1 guys will notice, but not
> any of us IP people.

I'm waiting for one of the professional security consulting firms to issue their weekly press release screaming "Network Operator Meeting Fails Security Test."

The wireless networks at NANOG meetings never follow what the security professionals say are mandatory, essential security practices. The NANOG wireless network doesn't use any authentication, enables broadcast SSID, has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400 stations were active on the network.

Are network operators really that clueless about security, or perhaps we need to step back and re-think. What are we really trying to protect? Banks are mostly concerned about people defrauding the bank, not the bank's customers. Banks rarely check the signature on a check. Is security just perception?