LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-29-2005, 04:15 AM   #1
guild
Member
 
Registered: Aug 2003
Location: United States
Distribution: Auditor Linux
Posts: 64

Rep: Reputation: 15
wireless sniffing


Hello,

So, this last weekend my curiosity drove me to start looking into wireless networking and security issues. I bought four books and spent the weekend reading them and looking stuff up on the internet. I also spent a lot of time working with different tools to see how network traffic works.

In short, I was shocked by how much information one could get off an unsecured wireless network. I had always heard that people could read your email, see your passwords, etc., but since I didn't really understand how that would work, I assumed that it must be rare and difficult. Oh, my, god was I wrong. The fact that any idiot with a wireless NIC and Ethereal can read my AIM messages, my POP email, and my passwords when I log on to websites is terrifying. I sat in a coffee shop for an hour connected to their unsecured wireless AP and watched the packets go by. It appeared that no one there cared that anyone sniffing packets could get their usernames and passwords. I was also shocked to find that the router at this coffee shop still had the default username and password to access the router configuration.

I know that I'm telling this to people that already know this, but I'm still in shock over it. Anyhow, try to remember how shocked you were when you first saw this stuff in action. My jaw still hurts from when it hit the floor after I cracked my WEP key in about 20 minutes.

I live in a large university town and all of the students are moving back in. I thought this might be a good time to inform people about wireless security and remind them of the dangers of public wireless networks. So, I decided that I would work on putting together a one-page flyer to warn people about some of the dangers. After I do this, I'm going to take it around to coffee shops that have wireless hotspots and encourage them to make some copies of the flyers for their customers, or write their own flyer.

So, in order to be accurate, I had a quick question that I couldn't seem to find the answer to. As I understand it, on a WIRED switched network, the switch sends traffic only to specific NICs so as to prevent other NICs from sniffing the traffic. Do wireless switches exist? Or, on a wireless network, is all traffic pretty much just broadcast out into the open so that a NIC in promiscuous mode can sniff all of the wireless traffic? I read about some pretty sophisticated wireless switches that used phased-array antennas, etc. I'm not talking about that kind of stuff. I'm talking about the basic router that you would buy down at the store.

Second, any suggestions on what to include in the flyer and how to approach the owners of the coffee shops? As more coffee shops offer wireless connections and more people buy wireless laptops, it seems like this kind of sniffing for passwords and such could become a real threat to people.

I was just shocked at what could be done with mild curiosity over a single weekend.

Thanks for your help and advice.
 
Old 08-29-2005, 04:39 AM   #2
guild
Original Poster
Gosh, I should also mention that I'm smart enough to realize:

1) not to make the flyer technical
2) not to mention specific names of programs, etc.

This would be more of the "don't do the following" variety. Probably also some "your passwords are only as safe as the weakest site that you use them on" stuff maybe?
 
Old 08-29-2005, 04:52 AM   #3
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
The switch:
Say we have a 5-port switch with computers at each end... no internet yet, just computers.
The switch has a major MAC address and each port of the switch has a MAC address too (this is better understood when looking at a layer 2 managed switch, but they do cost over £200).
The switch also knows which PC MAC is connected to which of its 5 ports (ARP table).

The packet:
A packet contains header info (as you will have seen sniffing the wireless); in this header you will find the destination IP, but more important to the switch is the MAC.
IPs are layer 3 of the OSI model, and switches work on layer 2, which is the MAC address side of things.
So: packet comes in, switch finds out which MAC address it is for, looks in its ARP table, sees where that MAC is connected to, and only sends it down that _wire_.

Wireless...
This is more like a hub (and can only be like a hub) since the ARP table can only hold info on 'what is actually connected to the wireless'.
When a signal is sent, it does not know where exactly the dest. computer is located; even if it did, it could only send directionally, which is still not the same as a switch and still not possible in the sense that only one computer gets the packet.
So, the packet gets blasted out of that antenna... the dest. computer will pick it up and see that it is for its own MAC... MINE!

Encryption:
WEP is really really bad and should not be used, never... and if you really really have to, use it only for browsing the internet: no emails, no banking, no logging in anywhere, no chatting, nothing personal!!

WPA is way better; this system takes care of its own encryption, and does not require telling the access point/router which string to use for the encryption method. What you do here is authenticate (PSK) or even better use 802.1X, which is via a RADIUS server... you can only gain access if you have a username and password, which gets checked against the RADIUS server (similar to Active Directory).
PSK (pre-shared key) does the job too, but it is a pain if you have a lot of users and you need to give them all the same keys - 802.1X is more secure in the sense that you know who logs on and when.
WPA traffic is so greatly encrypted that you would need tens of thousands of users logging in in one and the same second... since WPA will change the encryption on a regular basis, and makes cracking it nearly an impossible job, plus it being extremely time consuming, and with WPA you do not have that time, since the encryption is constantly being changed.
You might be able to see which MAC it is from, and which MAC it is to, but you see nothing else...
Really really secure.... even if you have authenticated against the access point, I don't think you can crack the other people's traffic :-) but I am not quite sure about that.
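Nathanael's switch-versus-wireless picture above, as an added Go example that is not part of the thread: a toy learning switch next to a shared medium (a hub, or an open 802.11 cell as seen by a card in monitor mode), replaying the same constructed frames through each and recording what a third station gets to see. The station names, MAC addresses and the cleartext POP3 login are made up for the example; the `protected` flag stands in for WEP/WPA link encryption and models only what is visible to a bystander, not the ciphers themselves.

```go
package main

import "fmt"

// Frame is the part of an Ethernet or 802.11 data frame the model needs:
// source and destination MAC plus a payload (cleartext, as on an open network).
type Frame struct {
	Src, Dst, Payload string
}

// Ingress is a frame together with the port (or station) it was sent from.
type Ingress struct {
	Port  int
	Frame Frame
}

const broadcast = "ff:ff:ff:ff:ff:ff"

// Forwarder decides which ports a frame arriving on inPort is delivered to.
type Forwarder interface {
	Forward(inPort int, f Frame) []int
}

// Switch is a learning switch: it records which port each source MAC was seen on
// and delivers unicast frames only to that port. Broadcasts, and frames to MACs it
// has not learned yet, are flooded to every port except the one they came in on.
type Switch struct {
	ports int
	table map[string]int // MAC -> port: the forwarding (CAM) table
}

func NewSwitch(ports int) *Switch {
	return &Switch{ports: ports, table: map[string]int{}}
}

func (s *Switch) Forward(inPort int, f Frame) []int {
	s.table[f.Src] = inPort // learn where the sender lives
	if f.Dst != broadcast {
		if p, ok := s.table[f.Dst]; ok {
			if p == inPort {
				return nil
			}
			return []int{p}
		}
	}
	var out []int
	for p := 0; p < s.ports; p++ {
		if p != inPort {
			out = append(out, p)
		}
	}
	return out
}

// SharedMedium is a hub, or a wireless cell: every other station receives every
// frame, whatever its destination. With protected set (WEP/WPA) the payload is
// ciphertext to everyone but the intended receiver.
type SharedMedium struct {
	stations  int
	protected bool
}

func (m SharedMedium) Forward(inPort int, f Frame) []int {
	var out []int
	for p := 0; p < m.stations; p++ {
		if p != inPort {
			out = append(out, p)
		}
	}
	return out
}

// Observed replays frames through dev and returns what a sniffer on evePort
// receives. On a protected shared medium only the addresses are readable, which
// is the "you see which MAC to which MAC, but nothing else" case from the post.
func Observed(dev Forwarder, evePort int, frames []Ingress) []string {
	var seen []string
	for _, in := range frames {
		for _, p := range dev.Forward(in.Port, in.Frame) {
			if p != evePort {
				continue
			}
			if m, ok := dev.(SharedMedium); ok && m.protected {
				seen = append(seen, in.Frame.Src+" -> "+in.Frame.Dst+" [ciphertext]")
			} else {
				seen = append(seen, in.Frame.Src+" -> "+in.Frame.Dst+": "+in.Frame.Payload)
			}
		}
	}
	return seen
}

// Scenario is a constructed exchange: alice (port 0) finds bob (port 1) with an ARP
// broadcast, then sends him a cleartext POP3 login. eve only listens, on port 2.
func Scenario() []Ingress {
	alice, bob := "02:00:00:00:00:01", "02:00:00:00:00:02"
	return []Ingress{
		{0, Frame{alice, broadcast, "ARP who-has bob?"}},
		{1, Frame{bob, alice, "ARP bob is-at " + bob}},
		{0, Frame{alice, bob, "USER alice"}},
		{0, Frame{alice, bob, "PASS hunter2"}},
	}
}

func main() {
	fmt.Println("switched: ", Observed(NewSwitch(3), 2, Scenario()))
	fmt.Println("open wifi:", Observed(SharedMedium{stations: 3}, 2, Scenario()))
	fmt.Println("WPA wifi: ", Observed(SharedMedium{stations: 3, protected: true}, 2, Scenario()))
}
```

Run as-is: on the switch eve sees only the flooded ARP request, since every unicast frame goes to a learned port; on the open wireless cell she sees all four frames, password included; with link encryption she still sees every frame but only who is talking to whom. One caveat the thread does not raise: the switch case is only as good as its table, and MAC flooding or ARP spoofing can turn a switched segment back into a hub for an attacker, so the HTTPS advice later in the thread applies on wired networks too.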
 
Old 08-29-2005, 05:26 AM   #4
guild
Original Poster
Wow, that is exactly the answer I was looking for. THANK YOU. It had enough technical details that I could think it through using the other stuff I read over the weekend. Perfect!!!

Thanks again!!!!

Knowledge = power
 
Old 08-29-2005, 05:41 AM   #5
Nathanael
Important note: please make sure you only do what you have permission to do...
i.e.: logging into somebody else's router without permission
reading people's emails (data protection law)
logging into other computers/servers

Only do something if you really know you have permission to do so, otherwise you can run yourself into big trouble at some point...

Keep wearing a white hat :-)
 
Old 08-29-2005, 08:47 AM   #6
guild
Original Poster
Right. Thanks for the warning. Aside from the brief time at the coffee shop, everything I've done has been on my own network. And there is no reason to repeat the public experiment.
 
Old 08-29-2005, 10:41 AM   #7
microsoft/linux
Senior Member
 
Registered: May 2004
Location: Sebec, ME, USA
Distribution: Debian Etch, Windows XP Home, FreeBSD
Posts: 1,445
Blog Entries: 9

Rep: Reputation: 48
Which books did you buy? I've been looking into security issues, and I don't know where to start. Any suggestions would be appreciated.
 
Old 08-29-2005, 12:40 PM   #8
guild
Original Poster
Well, as lame as it sounds, I started with Hacking For Dummies. I wouldn't advise buying this though. I just wanted to start with something pretty basic and straightforward. Then, I got "Hacking: The Art of Exploitation" by Jon Erickson. This is a fantastic book that deals more with the nuts and bolts of things. He is critical of people that just run "hacking" programs without understanding what is going on behind the scenes. So, this book is aimed at explaining what is going on.

Then, I got "Wi-Foo: The Secrets of Wireless Hacking". This book is more aimed at penetration testing. A lot of information that would probably be helpful if you wanted to do a serious, organization-wide pentest. It is less helpful for someone that is just curious.

My advice would be to take 5 or 6 hours on a Sat. and go to the book store. Get some coffee and start reading. It seems that a lot of the books have a good chapter or two, but generally not worth the $50 to purchase the book. Maybe others have some suggestions on books that are worth purchasing.
 
Old 08-29-2005, 09:14 PM   #9
microsoft/linux
Thanks... The organization-wide stuff would be useless to me at this point (being 16 and all). But I really appreciate those titles. I'd like to get more into infosec and stuff, so thanks!
 
Old 08-29-2005, 09:29 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3938
WEP is 'better than nothing', say for a home network, but not much better. Routers that support VPN are quite inexpensive.

If you do find yourself on a public network, be sure that your firewall isn't set up as though you were connected to your office LAN (which, btw, should probably be a lot more security-conscious than it probably is...). And be sure that if you're doing anything important you're using https://.

Get to know VPN. It's your friend.
 
Old 08-29-2005, 09:46 PM   #11
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Generally, I like to do things in a way where I assume the network is insecure.

Connection-level security is widely available and implemented. Additionally, I can VPN from wherever I am to my house (yes, someone could sniff my home connection, but it's probably less likely). I can also do the same over wireless.

I *DO* use WEP (since I only have a "b" AP). But I don't use it for security. I use it as a "NO TRESPASSING" sign. If a legal battle were to ever occur, this makes it fairly obvious they knew they weren't on their/a public connection.
 
Old 08-30-2005, 09:51 AM   #12
sundialsvcs
That's a good approach.

WEP, "it's there, it's free, why not," is a good way to declare that your network is non-public and to make it difficult (albeit near-trivially more difficult) to use it. Since most thieves or interlopers are cat-burglars, there's a good chance that they'll simply ignore your network and use the totally-unsecured one at your neighbor's house.

Beyond that, VPN is essential, and it's important also to use digital certificates to secure the network (rather than pre-shared keys, PSK). This allows you to specify security on a per-machine basis and to easily change the keys at will, again on a per-machine basis.

Unlike WEP, VPN (virtual private networking) provides cryptographically strong encryption and effective key-management, choosing a new key with each conversation. It effectively cloaks your communications even when they are broadcast over the air.

Last edited by sundialsvcs; 08-30-2005 at 09:54 AM.
 
Old 08-30-2005, 09:54 AM   #13
Matir
I admittedly use PSK, but I'm the only one using the VPN, so if I think something has been compromised, I can just generate new keys. It was just a tad easier to set up and I've been too lazy to change it yet.
 
Old 08-30-2005, 09:58 AM   #14
sundialsvcs
Quote:
Originally posted by Matir
I admittedly use PSK, but I'm the only one using the VPN, so if I think something has been compromised, I can just generate new keys. It was just a tad easier to set up and I've been too lazy to change it yet.
One good reason to use them is that, on your internal, wired network, it provides a simple way to authenticate the various duly-authorized machines to each other. It prevents the usual scenario, which is that anyone who has access to one of your network-jacks anywhere in the building is "inside." The computers talk in cipher for everything they do, and agree only to talk with machines that they recognize. For example, "only non-revoked certificates that are signed by the same person (you...) who signed my certificate." VPN's key management is well worth looking into sometimes.

But VPN is definitely better than WEP-alone, and PSK is definitely better than no-VPN.
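The per-machine certificate rule sundialsvcs describes in this post and the one before it (talk only to machines whose certificate was signed by your own CA and has not been revoked, and re-key per machine rather than sharing one PSK), as an added Go example that is not from the thread and is tied to no particular VPN product. It builds the decision with Go's standard crypto/x509 package: a home CA issues a laptop and a desktop certificate, the desktop is then revoked via a CRL the CA signs, and a third certificate comes from an unrelated CA. The names "home-ca", "laptop", "desktop", "someone-elses-ca" and "stranger" are made up for the example, and the keys are freshly generated each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; only RNG or DER-encoding failures can land here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and certificate for cn. With isCA set it is self-signed and
// acts as the CA (Go adds the SubjectKeyId the CRL needs); otherwise parent signs it.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Trust is what every machine carries: the one CA it trusts and that CA's latest CRL.
type Trust struct {
	CA  *x509.Certificate
	CRL *x509.RevocationList
}

// Accept is the rule from the post: talk only to a peer whose certificate chains to
// our CA, is meant for client authentication, and is not on a CRL our CA signed.
func (t Trust) Accept(peer *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(t.CA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := t.CRL.CheckSignatureFrom(t.CA); err != nil {
		return fmt.Errorf("crl not signed by our CA: %w", err)
	}
	for _, rc := range t.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("%s: certificate revoked", peer.Subject.CommonName)
		}
	}
	return nil
}

// BuildFleet sets up the constructed scenario: a home CA that issued a laptop and a
// desktop, a CRL revoking the (say, stolen) desktop, and a stranger from an unrelated CA.
func BuildFleet() (Trust, *x509.Certificate, *x509.Certificate, *x509.Certificate) {
	ca, caKey := issue("home-ca", 1, true, nil, nil)
	laptop, _ := issue("laptop", 2, false, ca, caKey)
	desktop, _ := issue("desktop", 3, false, ca, caKey)
	otherCA, otherKey := issue("someone-elses-ca", 1, true, nil, nil)
	stranger, _ := issue("stranger", 2, false, otherCA, otherKey)
	// Revoking is the CA signing a fresh CRL; no other machine is re-keyed.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: desktop.SerialNumber, RevocationTime: time.Now()},
		},
	}, ca, caKey))
	crl := must(x509.ParseRevocationList(crlDER))
	return Trust{CA: ca, CRL: crl}, laptop, desktop, stranger
}

func main() {
	tr, laptop, desktop, stranger := BuildFleet()
	for _, peer := range []*x509.Certificate{laptop, desktop, stranger} {
		fmt.Printf("%-9s %v\n", peer.Subject.CommonName, tr.Accept(peer, time.Now()))
	}
}
```

The laptop is accepted, the desktop is rejected because its serial is on the CA-signed CRL, and the stranger is rejected because its chain does not end at our CA, which is the "only non-revoked certificates signed by the same person who signed my certificate" rule with nothing shared between machines except the CA's public certificate. The CRL signature check matters: without it an attacker who can feed a machine a forged CRL could revoke legitimate peers, or suppress a real revocation by substituting an older list.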
 
Old 08-30-2005, 10:05 AM   #15
Matir
Quote:
Originally posted by sundialsvcs
One good reason to use them is that, on your internal, wired network, it provides a simple way to authenticate the various duly-authorized machines to each other. It prevents the usual scenario, which is that anyone who has access to one of your network-jacks anywhere in the building is "inside." The computers talk in cipher for everything they do, and agree only to talk with machines that they recognize. For example, "only non-revoked certificates that are signed by the same person (you...) who signed my certificate." VPN's key management is well worth looking into sometimes.

But VPN is definitely better than WEP-alone, and PSK is definitely better than no-VPN.
The VPN server I run is at my house. The only time I use it is remotely from work/school (to avoid snoopy admins) and over my wireless. Physical access to it would be very noticeable.

But your points are very good for other cases. I'm just the exception rather than the rule.
 