Brian Vagnoni on 1 Oct 2007 05:32:21 -0000



Re: [PLUG] Experience with Verizon FIOS & wireless installation


From what I've been hearing 802.11 is going to be seriously supplanted by 802.16 in the WAN area. The messages I'm getting about the Philly MUNI 802.11 Wireless effort aren't good.

For example:

There is an Earthlink Philly MUNI access point on top of the light pole at 42nd and Chester Ave. We have an Earthlink USER access point mounted in an outdoor enclosure (ideal location) on the building at 4202 Chester Ave.

This is a response from Tech Support I got recently:

I have received word back from Earthlink regarding the coverage issues
at 4202 Chester. Unfortunately, their answer doesn't help you much at
the current time, but their comments about future plans may alleviate
issues such as this from arising in the future. Earthlink's reply is below:

==============

I have just heard back from our Net Engineering folks on this particular
area - They reported back that this is a very marginal network connection
area for us at this time and that would explain the poor connection Apple
Vending is seeing at this time.

Our Net Eng folks are working to improve the areas of the network with poor
performance. They have identified this area and many others and are putting
together a plan to address them. However, I can't give you a date for this
particular area yet.

We are also considering potentially removing marginal areas like this from
our serviceability area in the short-term to reduce false positives seen by
folks.


==============

If this is a "marginal area" I'm really concerned about the future of the Philadelphia MUNI Wireless project. Sprint is rushing their XOhm 802.16e WiMAX into service, which runs on 700MHz and has the ability for better building penetration than 802.11.

One of the problems with the frequencies 802.11 uses, other than that they like to bounce off solid objects rather than go through them, is that there are effectively only 3 channels (1, 6, and 11) for 802.11b backward compatibility. So ideally you would have your channel set to 6, your neighbor's set to 1, and your other neighbor on the other side of the house on 11, so that they don't interfere with one another. This is according to Cisco and what they recommend for stable 802.11 operation, along with a minimum 35 dB SNR.

In reality everything from cordless phones, wireless cameras, your car, computers and sat. radio all use the same set of frequencies. The spectrum is very, very crowded. I personally have a 2.4 GHz spectrum analyzer I use when I have interference problems to see what exactly is on the spectrum.

Another problem is that 802.11 was originally only designed as a LAN technology and is really not suited for WAN, though people are trying to make it work. With the use of external antennas and amplifiers, up to 1 watt of radiated power is allowed, and some people claim to be able to get access to their systems up to and including a mile away. But again, in a crowded spectrum problems still arise.

Strong passwords are always a good idea but people have created WPA rainbow hash tables that speed up the process of brute force attacks greatly. In fact I'm downloading them as we speak. To give you an idea there are rainbow tables for windows, and rainbow crack makes the claim over a lan network that they can crack any windows password up to 14 characters in a matter of 30 minutes or less.

See below:

RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique.
In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one in cracking time. It is time consuming to break complex passwords in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files, the so-called "rainbow table". It does take a long time to precompute the tables. But once the one-time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables.

Some ready to work lanmanager and md5 tables are demonstrated in Rainbow Table section. One interesting stuff among them is the lm #6 table, with which we can break any windows password up to 14 characters in a few minutes.

lm configuration #6
charset [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
keyspace 7555858447479 (2^42.8)
table size 64 GB
success probability 0.999
This table set is capable of cracking windows password(up to 14 characters) of charset "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ " in a few minutes, with the success rate 99.9%.
This charset includes all possible characters on a standard keyboard (not including those alt+xxx characters). So this table set is likely to crack any windows password up to 14 characters in minutes.
It will take several years if we compute these tables on a single computer. However, the actual time is reduced to a few months with a lot of computers working in parallel.

Demo: crack of following windows password:
    }m-6BRz*Cj=J}G
    D2@,:H?+e5#: $
    Ot\KZ?/a/qr4d^
    yc~<{1!Oe}l_j|
    5~|3&-K^4S#c3q
the screen output, the windows media 9 video.

Demo: crack of 100 windows password:
the screen output

Table generation: this table set can be generated with rtgen utility of rainbowcrack 1.2 software(table generation commands).


As far as Linux goes, I've personally been able to brute force crack Linux passwd files for an 8 character strong password in about 6 days on a 1.8GHz dual Power Mac G5 with John the Ripper Pro v1.7.2; that works out to about 2600 c/s. If I had multi-threaded with defined character ranges it would have been even shorter.


Brian

I don't like talking about security stuff over public list if anyone wants to discuss this further we can do it in person at the meeting. See you Oct 3.
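As an added example (not from this thread or from any Cisco document), here is the channel arithmetic behind the "only 3 usable channels" claim above. It assumes the standard 2.4 GHz plan, centre frequency 2407 + 5n MHz with 22 MHz wide 802.11b channels, and the `least_congested` helper is a hypothetical name for the "pick the channel your neighbors aren't on" advice.

```python
from itertools import combinations

# 2.4 GHz 802.11b channel plan: centre = 2407 + 5*n MHz, each channel 22 MHz wide
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22

def centre_freq_mhz(channel):
    return 2407 + CHANNEL_SPACING_MHZ * channel

def overlaps(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_freq_mhz(a) - centre_freq_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_sets(channels=range(1, 12)):
    """All largest sets of mutually non-overlapping channels.
    Brute force is fine: the US plan has 11 channels, the European one 13."""
    chans = list(channels)
    for size in range(len(chans), 0, -1):
        found = [combo for combo in combinations(chans, size)
                 if all(not overlaps(a, b) for a, b in combinations(combo, 2))]
        if found:
            return found
    return []

def least_congested(neighbour_channels, candidates=range(1, 12)):
    """Hypothetical helper: the channel that overlaps the fewest neighbouring
    access points (lowest channel number wins a tie)."""
    return min(candidates,
               key=lambda ch: (sum(overlaps(ch, n) for n in neighbour_channels), ch))
```

With the US 11-channel plan the only maximal set is (1, 6, 11); the 13-channel plan gives ten different triples but still no set of four.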

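To make the time-memory trade-off quoted from the RainbowCrack page concrete, here is a toy rainbow table I added for illustration (constructed example code, not RainbowCrack's implementation). It covers 3-lowercase-letter passwords with a constructed MD5-based chain and, as the defender's point, shows that the same precomputed table is useless against a per-user salted hash; unsalted hashes like the Windows LM hashes discussed above are what tables of this kind target.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"  # toy keyspace (constructed): 3 lowercase letters
PW_LEN = 3
KEYSPACE = len(CHARSET) ** PW_LEN
N_CHAINS = 400   # chains stored: the "memory" side of the trade-off
CHAIN_LEN = 50   # hashes recomputed per lookup: the "time" side

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def index_to_pw(i):
    """Map an integer in [0, KEYSPACE) to a password over CHARSET."""
    out = ""
    for _ in range(PW_LEN):
        out += CHARSET[i % len(CHARSET)]
        i //= len(CHARSET)
    return out

def reduce_(h, column):
    """Reduction: hash -> some password. Column-dependence is what makes
    this a rainbow table rather than a plain Hellman chain."""
    return index_to_pw((int(h[:12], 16) + column) % KEYSPACE)

def build_table():
    """One-time precomputation; only (endpoint -> startpoint) is stored."""
    table = {}
    for c in range(N_CHAINS):
        start = index_to_pw((c * 7919) % KEYSPACE)  # deterministic start points
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(md5hex(pw), col)
        table.setdefault(pw, start)  # on a chain merge, keep the first chain
    return table

def lookup(table, target_hash):
    """Recover the password behind an unsalted hash, or None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):  # guess the column it sits in
        pw = reduce_(target_hash, col)
        for c in range(col + 1, CHAIN_LEN):  # run the chain out to its end
            pw = reduce_(md5hex(pw), c)
        start = table.get(pw)
        if start is not None:  # endpoint known: re-walk from its start
            pw = start
            for c in range(CHAIN_LEN):
                if md5hex(pw) == target_hash:
                    return pw
                pw = reduce_(md5hex(pw), c)
    return None

def salted_hash(pw, salt):
    """With a per-user salt the precomputed table no longer applies."""
    return md5hex(salt + pw)
```

A lookup costs on the order of CHAIN_LEN squared over two hashes instead of a full keyspace search, which is the trade the quoted text describes; the 64 GB table in the RainbowCrack excerpt is the same idea scaled to the LM hash keyspace.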
From: Brian Vagnoni [mailto:bvagnoni@v-system.net]
To: Philadelphia Linux User's Group Discussion List [mailto:plug@lists.phillylinux.org]
Sent: Mon, 01 Oct 2007 00:55:41 -0400
Subject: Re: [PLUG] Experience with Verizon FIOS & wireless installation

It's all broken, WEP, WPA, etc. I've seen hack videos for both, and cracked both myself. Aircrack-ng can crack WEP and WPA in minutes. Non-broadcasting SSIDs are a joke. You still transmit beacon frames and if you listen long enough you will get the SSID.

No good suggestions, except 802.1x and dynamic keying. If you want security you should go with an Enterprise solution with a RADIUS server behind it. If you don't care just use WEP with dynamic keying. A VPN over wireless would also be a good solution. This way at least your data is secure.

I would be happy to show people a thing or two about wireless but it won't last an hour.

Also, you know those bluetooth headsets everyone wears? Guess what: also broken. They have been hacked and it can be done from any Linux box. Wear one into a meeting and with the right equipment it can become a listening device from up to a mile away. You can also send the target any audio information you choose.

No, I'm not paranoid, and I will also be happy to show what I've been able to learn about this technology. None of this stuff I've personally come up with. It's all available for anyone to see on the internet if you know where to look.

Brian Vagnoni

From: James Barrett [mailto:jadoba@jadoba.net]
To: Philadelphia Linux User's Group Discussion List [mailto:plug@lists.phillylinux.org]
Sent: Sun, 30 Sep 2007 15:33:54 -0400
Subject: Re: [PLUG] Experience with Verizon FIOS & wireless installation

On Sunday 30 September 2007 15:01, jeff wrote:
> george@georgesbasement.com wrote:
> > In the meantime, I've set up a proper username and password (from the
> > router's "admin" & "password1") as well as a 128-bit WEP key. Any
> > other security advice from the PLUG group ? Oh, yeah - the web interface
>
> 1. USE WPA!!!

Good advice. Better advice would be to use WPA2 with 256-bit AES encryption
(if available). If WEP is all that your router can handle, it is "better
than nothing" but still not good. WEP keys can be cracked within a short
period of time.

> 2. put the MAC addresses of all pc's connecting to the wireless into the
> wireless router and deny access to any other MACs.

More than a handful of wireless devices allow one to change the MAC address
at whim. Additionally, kismet lists the MAC addresses of clients connected
to a wireless network. Using MAC address filtering would slow down an
attacker, but not for long.

> 3. always change default name and passwords

Good advice.

> 4. turn off SSID broadcast

Kismet allows an attacker to find the SSID of any network within range,
regardless of whether or not it is hidden. Having said that, it is probably
a good idea to pick a unique SSID.

> 5. use other than the default channel

This can help with connection strength, depending on your neighbors'
configurations. Otherwise it is really not that big of a deal.

> 6. strong passwords

Always good advice. Using a strong encryption passphrase will help prevent
brute-force attacks.

If you are completely paranoid, using radius authentication would be the next
step towards a somewhat secured wireless network.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________