Maximum PC


All times are UTC - 8 hours




 Post subject: Security
PostPosted: Mon Jun 28, 2010 8:12 am 
8086

Joined: Sat Nov 08, 2008 9:22 am
Posts: 99
I know really vague right :roll: Anyhow, just curious, as to whether or not it is still a really bad idea to do any online shopping or other banking type stuff over the WiFi, or if I should continue to use a hardwire connection to the web for that stuff?

I know at one point in time it was real easy for hackers and such to drive around your neighborhood, and hack yer wireless, but I wonder if using WPA personal with TKIP encryption key is secure enough for my occasional online purchasing, or if I should stay with a hard wire for that?

Since I don't do much gaming anymore, and most of what I will do will not require bleeding edge tech, or the massive power of a desktop rig, I am contemplating getting rid of the big rig, and moving to an uber notebook for my future needs.


PostPosted: Mon Jun 28, 2010 9:50 am 
Java Junkie

Joined: Mon Jun 14, 2004 10:23 am
Posts: 24222
Location: Granite Heaven
WPA / TKIP is not safe. I would absolutely not trust that encryption with your banking information.


PostPosted: Mon Jun 28, 2010 9:55 am 
8086

Joined: Sat Nov 08, 2008 9:22 am
Posts: 99
And here I thought that was the most secure :roll:

Ok so, what should I be using if I wanted to do banking on the WiFi? Or should I just plug any laptop I use into the hardwired ports, and shut off the laptop's WiFi when banking and such?


PostPosted: Mon Jun 28, 2010 10:01 am 
Team Member Top 250

Joined: Mon Dec 31, 2007 1:38 pm
Posts: 311
Location: VA Beach, VA
If you go with WPA2 with AES (CCMP) you will be ok. WPA can be broken, but it's not generally a fast process. TKIP will work but there are better. The biggest thing is to use a big key. At the min your password should be at least 20 characters. The bigger the better, try to get a 63 char password. The tougher your key the more unlikely they will break it (it takes a lot of time to make a very large dictionary attack).

I do all sorts of stuff over RF. I wouldn't worry too much about war drivers, they have plenty of people using WEP they can go after.


PostPosted: Mon Jun 28, 2010 10:58 am 
Java Junkie

Joined: Mon Jun 14, 2004 10:23 am
Posts: 24222
Location: Granite Heaven
TKIP is not safe and a large key won't matter. The exploit I linked above does not require the key in order to decrypt small packets.

They can't hack your system or decrypt the entire stream but they can grab and decode small packets ... sadly, these small packets may be exactly the information that they require (bank info and passwords) to do much more serious damage.

AES does seem safer .. I haven't seen any published exploits yet and it uses a different form of transmission checking that is not (currently) vulnerable to the exploit used in TKIP.

To be safe, plug your laptop directly into your router and ensure that the laptop is only using the hardwired connection. You don't need to disable the wireless so long as you know that it is using the wired connection .. but the easiest way to ensure that is to disable the wireless connection.

My netbook disables the wireless as soon as it detects a wired connection ... but I don't know how you'd do that in a Windows environment. I'm sure it is possible, though ..


PostPosted: Mon Jun 28, 2010 3:21 pm 
Team Member Top 250

Joined: Mon Dec 31, 2007 1:38 pm
Posts: 311
Location: VA Beach, VA
In its current form, the impact of TKIP exploit is limited and there are some immediate remedies available to ensure that a WLAN does not fall prey to this exploit. The impact is limited because, in its current form, there are several limitations on what attacker can do with this exploit:
i. First and foremost, it is not a key recovery exploit,
ii. It only works if client uses QoS feature of 802.11e (WMM),
iii. It is slow. There has to be lead time of about 12 minutes before every burst of packet injection and there can be only about 7 packets in the burst,
iv. The injected packets have to be very small, say, less than 100 bytes, and
v. Packet injection in AP is not possible.

Fortunately, there are antidotes available:
i) Turning off QoS feature: This remedy may only be practical for those enterprises which do not (intend to) support QoS sensitive applications such as VoIP over wireless.
ii) Reducing TKIP key rotation interval: As a rule of thumb, this exploit can be frustrated by reducing TKIP key rotation interval to something less than 12 minutes (many enterprises currently use key rotation interval of 12 hours). The administrators however will need to evaluate the impact of this on performance of their APs.
iii) Wireless intrusion detection and prevention system (WIPS): Those enterprises which already have overlay WIPS installed and those which intend to install one in near future can seek protection from this exploit from their WIPS vendor. This exploit is detectable and preventable using overlay WIPS. Granted in the home market you will probably not have a WIPS, but they are very cool.
iv) Migrating to WPA2: This exploit can be avoided by migrating to WPA2. WPA2 uses AES encryption instead of TKIP, thus eliminating exposure to TKIP exploit. This remedy is only possible for those which have WPA2 capable hardware and who are prepared to undertake the upgrade project right away.


PostPosted: Mon Jun 28, 2010 3:38 pm 
Team Member Top 250

Joined: Mon Dec 31, 2007 1:38 pm
Posts: 311
Location: VA Beach, VA
So in short if you turn off QoS and use WPA/TKIP you will be ok (if you can lower your TKIP key rotation that is good also). Plus use a larger key. Should you plan on upgrading to WPA/CCMP? Yes, but it's not a red alert. The odds of someone randomly driving around and cracking you are pretty low (and if you turn off 802.11e then they can't crack you). But yes WPA/TKIP has had its first crack, so others will probably come in the future.

But if you go to AES then you have nothing to fear. If AES is good enough for the NSA and DoD you will be fine.
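
Added example, not part of the thread: the mitigations listed in the posts above (move off TKIP; if TKIP stays, turn off QoS/WMM, rekey in under 12 minutes, use a passphrase of at least 20 characters) written as an audit of an access-point config. The hostapd option names, the mapping of "key rotation interval" to `wpa_ptk_rekey`, and the sample configs are assumptions made for this example.

```python
# Added example: audit a hostapd-style config against this thread's advice.
# Key names are hostapd.conf options; the thread itself names no AP software.
REKEY_LIMIT_S = 12 * 60   # thread: rotate TKIP keys in under ~12 minutes
MIN_PASSPHRASE = 20       # thread: at least 20 characters (63 is the maximum)

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of finding codes for one config."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))                  # bit 0 = WPA, bit 1 = WPA2
    wpa1 = conf.get("wpa_pairwise", "TKIP").split()  # hostapd defaults WPA to TKIP
    rsn = conf.get("rsn_pairwise", " ".join(wpa1)).split()
    tkip = bool((wpa & 1 and "TKIP" in wpa1) or (wpa & 2 and "TKIP" in rsn))
    if tkip:
        findings.append("tkip-enabled")
        if conf.get("wmm_enabled") == "1":           # QoS/WMM is a precondition
            findings.append("tkip-with-wmm")
        # Assumption: wpa_ptk_rekey stands in for the "key rotation interval".
        rekey = int(conf.get("wpa_ptk_rekey", "0"))  # 0 = never rekey
        if rekey == 0 or rekey >= REKEY_LIMIT_S:
            findings.append("tkip-rekey-too-long")
    if not (wpa & 2 and "CCMP" in rsn):
        findings.append("no-wpa2-ccmp")
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and len(phrase) < MIN_PASSPHRASE:
        findings.append("short-passphrase")
    return findings

# Constructed sample configs (not taken from any real network).
WEAK = "wpa=1\nwpa_pairwise=TKIP\nwmm_enabled=1\nwpa_passphrase=hunter2hunter2\n"
STOPGAP = ("wpa=1\nwpa_pairwise=TKIP\nwmm_enabled=0\nwpa_ptk_rekey=600\n"
           "wpa_passphrase=constructed-sample-passphrase-0001\n")
HARDENED = ("wpa=2\nrsn_pairwise=CCMP\nwmm_enabled=1\n"
            "wpa_passphrase=constructed-sample-passphrase-0001\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("stopgap", STOPGAP), ("hardened", HARDENED)):
        print(name, audit(conf))
```

The stopgap config still reports `tkip-enabled` and `no-wpa2-ccmp`: the QoS and rekey settings only narrow the exposure, and only the WPA2/CCMP config comes back clean.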


PostPosted: Mon Jul 19, 2010 4:14 pm 
8086

Joined: Sat Nov 08, 2008 9:22 am
Posts: 99
OK here's another somewhat related:

What about all them smartphones? Are those things secure for banking and shite?


PostPosted: Mon Jul 19, 2010 6:27 pm 
Java Junkie

Joined: Mon Jun 14, 2004 10:23 am
Posts: 24222
Location: Granite Heaven
Since they use wifi and the same encryption, exactly the same information applies.


PostPosted: Tue Jul 20, 2010 3:56 pm 
8086

Joined: Sat Nov 08, 2008 9:22 am
Posts: 99
As I thought.


PostPosted: Tue Jul 20, 2010 4:53 pm 
Team Member Top 250

Joined: Mon Dec 31, 2007 1:38 pm
Posts: 311
Location: VA Beach, VA
Jipstyle wrote:
Since they use wifi and the same encryption, exactly the same information applies.


They are only using the same encryption if they are connecting with their wifi (802.11g) radio. If they are using the carrier's network then it is different. The GSM networks (AT&T and T-Mobile) use the A5/1 stream cipher. This cipher was broken in January 2010. The attacker only needs some software and about $500 in radio monitoring equipment.

This attack should raise serious concerns about the sensitivity of information exchanged over cell phones. An attacker with this equipment situated near a major corporate office or within a large city could easily glean very sensitive data from cellular voice calls.

Regarding data exchanged over cellular phones (e.g. EDGE), this shouldn't really have any impact. All sensitive data should already be configured to use SSL/TLS or VPN for protection during transmission. Therefore, the attacker could break the A5/1 cipher, but they would only see encrypted data being exchanged. However, all data that is exchanged using clear text protocols (HTTP, telnet, ftp, etc) would be visible to the attacker. This is not much of a concern since there should not be any expectation of confidentiality when using a clear text protocol anyway.

3G uses the A5/3 cipher and as such is not (yet) impacted by the hack.


Last edited by jlh304 on Wed Jul 21, 2010 3:00 am, edited 1 time in total.

PostPosted: Tue Jul 20, 2010 5:25 pm 
8086

Joined: Sat Nov 08, 2008 9:22 am
Posts: 99
And Verizon uses what?


PostPosted: Tue Jul 20, 2010 6:22 pm 
Java Junkie

Joined: Mon Jun 14, 2004 10:23 am
Posts: 24222
Location: Granite Heaven
Very interesting info, jlh ... thanks!


PostPosted: Sun Jul 25, 2010 3:31 pm 
Team Member Top 250

Joined: Mon Dec 31, 2007 1:38 pm
Posts: 311
Location: VA Beach, VA
milehighxr wrote:
And verizon uses what?

Verizon uses CDMA 2000 1x and EV-DO (some others for other services as well). Code Division Multiple Access (CDMA) technology originated from military applications and cryptography, and to date there has not been any report of hijacking or eavesdropping on a CDMA call in a commercially deployed network.

CDMA air interface is inherently secure and is clearly superior to first-generation analog and Time Division Multiple Access (TDMA) systems. The inherent security of CDMA air interface comes from spread spectrum technology and the use of Walsh codes. CDMA utilizes specific spreading sequences and pseudo-random codes for the forward link (i.e. the path from the base station to the mobile) and on the reverse link (i.e. the path from the mobile to the base station). These spreading techniques are used to form unique code channels for individual users in both directions of the communication channel. Because the signals of all calls in a coverage area are spread over the entire bandwidth, it creates a noise-like appearance to other mobiles or detectors in the network as a form of disguise, making the signal of any one call difficult to distinguish and decode.

CDMA also has a unique soft handoff capability that allows a mobile to connect to as many as six radios in the network, each with its own Walsh code. This means that someone attempting to eavesdrop on a subscriber's call has to have several devices connected at exactly the same time in an attempt to synchronize with the intended signal. In addition, CDMA employs a fast power control, 800 times per second, to maintain its radio link. It is difficult for a third party to have a stable link for interception of a CDMA voice channel, even with a full knowledge of a Walsh code. Synchronization is critical, as without this synchronization, the listener only hears noise.

For CDMA 1xEV-DO, the high speed data technology, the forward link utilizes rate control instead of power control and time division multiplexing instead of spreading codes. However, it still has inherent security that protects the identity of users and makes interception very difficult. In addition, the Media Access Control Identification (MACID) assigned to users is encrypted. User packets are assigned variable time slots and the data rate is controlled by the access terminal based on radio conditions. Packets are divided into sub-packets using Hybrid Automatic Repeat Request (HARQ) and early termination mechanisms. These attributes make it virtually impossible to identify the user or correlate user packets. 1xEV-DO standard specification supports a security protocol layer ready for implementation of future security protocols.

That secures the wireless side of the CDMA, then they have additional layered defenses on other parts, but in short it's pretty safe.


PostPosted: Sun Jul 25, 2010 8:07 pm 
Java Junkie

Joined: Mon Jun 14, 2004 10:23 am
Posts: 24222
Location: Granite Heaven
If you're going to cut-and-paste, please provide a link to the source

Thanks!

