[wsfii-discuss] Fwd: [india-gii] poor WiFi encryption a security risk

Sun Sep 21 14:08:41 UTC 2008

On Sep 21, 2008, at 9:07 AM, wlanmac wrote:

>> And the best part about it: it does not relate *at*all* to if the
>> wifi router is unencrypted or not.
>> You can do that kind of thing from the WAN side.
>>
>> So, closing the open signal is really the wrong choice. First you
>> have to seriously ask, what you want to protect.
>
> Are you seriously suggesting that because of security weaknesses (like
> bad default passwords), that security in general is 'the wrong  
> choice'?
>
I am seriously suggesting that looking at security needs to take more  
into account that just "closing open APs and replacing them by WEP  
encrypted APs" because the law things that will prevent terrorist  
attacks.

:) I hope that was clearer now.

>> When you want to protect from eavesdroppers , then you should use  
>> end-
>> to-end encryption (VPN) anyway!
>> Simply adding a WEP crypto layer is not going to help. WPA maybe a
>> bit. but... why should an attacker try to crack WPA when he can brute
>> force your default password on the linksys on the WAN interface? And
>> then install a packet sniffer :)
>
> Still, your attacker is actively breaking the law by gaining
> unauthorized access to a computer system. If you leave your access  
> point
> wide open and someone is sniffing that network, it is questionable
> whether or not this attacker is breaking the law (yet). They are just
> scanning the airwaves and there was no "notice" of their activity  
> being
> unauthorized. I can just picture you calling the police about someone
> running a packet sniffer and them replying: why don't you protect your
> WiFi and call us when a law has been broken.

>
>> security is not easy to get right. One in my opinion very good source
>> for getting it right is to read Bruce Schneiers blog.
>>
>
> I believe Bruce would agree that security is more than technology,  
> it is
> social awareness and behavior. As such, I go back to my original issue
> with city wide open access... as it results in people becoming more
> comfortable and trusting of open access. By saying these people  
> need to
> protect themselves with VPNs is just passing the responsibility to an
> uneducated (about the risks) public.
>
nope.
I do not agree. Because technically the point still remains - just  
adding a WEP with pre shared key
gives people the *wrong* sense of security!
Did you ever consider this is much to often a *shared*key* ?

And yet, that will be the most common use case of the "newly secure  
closed WIFI APs". Besides - when you can attack these devices from  
the WAN side, then what is the point of securing the airwaves? You  
will be able to sniff everything anyway...

ok, enough discussions for me . I think I made my point clear.
And agreed on the point that security must deal first-most with the  
psychology of people. But adding the standard WEP pre shared key is  
not an option. And exactly when you think about psychology first  
("people want easy solutions") then you will find out that just  
passing a law that APs must be encrypted, will simply give you WEP  
encrypted pre shared key APs.

L. Aaron Kaplan
CERT.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <http://lists.okfn.org/pipermail/wsfii-discuss/attachments/20080921/dd5c9bf5/attachment.sig>