New Wireless Router

Bigaldoc
PlatinumLounger
Posts: 3757
Joined: 24 Jan 2010, 11:00
Location: Lexington, KY, USA

Re: New Wireless Router

Post by Bigaldoc »

Holy cow, I haven't heard the name Steve Gibson mentioned for ages. Good to hear he's still there. Guess I'll go pay a visit. Thanks for the reminder, fellas...

Bigaldoc
PlatinumLounger
Posts: 3757
Joined: 24 Jan 2010, 11:00
Location: Lexington, KY, USA

Re: New Wireless Router

Post by Bigaldoc »

I guess my earlier post was a fluke because I haven't had any connectivity problems in any of my recent startups.

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: New Wireless Router

Post by Argus »

Since we have been discussing security as well, I'll add some links about a vulnerability mentioned during the holidays.

Guess being wireless comes at a price, wonder how we managed earlier.

As has already been mentioned, some parts are more important than others, such as using a strong password (and changing it sometimes) and strong encryption, we all know that. Changing the SSID is of course good (and perhaps fun), but disabling the SSID broadcasting doesn't add to the security (could be the opposite), since one doesn't become invisible, the radio waves are still there.

See, for example, this tech article: What happens when I disable SSID Broadcast? Am I more secure?

Or here, covering both SSID and MAC address filtering (second half of the page): http://nakedsecurity.sophos.com/2009/11 ... -security/

But we still see tips out there on the net to disable SSID broadcast, in the name of security.

I don't have much experience of MAC address filtering, but since it's there, clear, in the "traffic" when there are active clients, someone could find the addresses, and as Stuart mentioned it can be changed on most cards. But I guess it would be difficult to access with the same address as one already connected. :grin: Could perhaps be seen as another "layer" stopping "accidental access", unintended. One could perhaps also use it with a schedule as part of the parental control (up to a certain age :grin:), I guess.

Recently another vulnerability has been mentioned, a feature we see in many routers (and devices), the WPS (WiFi Protected Setup), and this one is ugly since it bypasses the other security, sort of. (That there is code out there ready to exploit this by now, after a couple of weeks, comes as no surprise.)

It was demonstrated and reported by a security researcher; some others were also looking at WPS at the time.

WPS was added in 2007 I think, to make it easy to set up encrypted connections on a network, i.e. it can be used together with WPA2 etc. One common way is to push a button on the router and the device, computer, or entering an eight digit PIN (there are some different modes; Push Button, AP PIN (access point), or Device PIN etc.). (If someone is interested there are some examples on YouTube how it is, or was, supposed to be used from different companies, help sites etc.; search keywords could be "use WPS".)

But the WPS has a design flaw that makes it much more vulnerable to brute force attacks than one would think given the 8 digits. It's not the whole PIN at one time, the first half of the PIN is sent and if correct that is confirmed by the protocol; oi! The last digit is a checksum, and if the first 4 are correct then there are 3 to go. Far less work than if it was the whole PIN (in short, 100 million attempts reduced to 11,000).

Using WPA2 together with WPS would be like having a large lock on the front door, and a puny one on the other door. The security researcher called his paper "Brute forcing Wi-Fi Protected Setup - When poor design meets poor implementation". This must be one of the worst designs in some time, defeating the whole WPA2 key thing, by adding another route and making it so simple.

Some routers seemed to be a bit cleverer, slowing down the brute force attack, but it was still a matter of hours up to two days.

I don't know how common it is to use WPS, but since it is enabled by default on most routers, this is a real vulnerability.

So, the advice is to disable WiFi Protected Setup, WPS, on the router, as a workaround.

I don't know if this works in all cases, if it is disabled in all modes. Some may also need a firmware update, since on some models it isn't possible to change this setting.

See, for example (since I guess one only has to search for "WPS" to find news about the vulnerability now):
http://www.kb.cert.org/vuls/id/723755
http://www.theregister.co.uk/2011/12/29 ... protected/
http://isc.sans.edu/diary.html?storyid=12292
http://nakedsecurity.sophos.com/2011/12 ... y-feature/
Byelingual    When you speak two languages but start losing vocabulary in both of them.
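
The arithmetic in the post above (PIN halves confirmed separately, last digit a checksum) and the effect of a router that slows guessing down, as an added example that is not part of the original thread. The checksum routine follows the published WPS PIN scheme; the sample PIN, timing and lockout figures are constructed assumptions.

```python
# Added illustration, not code from the thread or from any router vendor.

def wps_checksum(first7: int) -> int:
    """Checksum digit derived from the first seven digits of a WPS PIN."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if pin is eight ASCII digits and the last one is the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def second_halves(first_half: str) -> int:
    """Count the 4-digit second halves that form a valid PIN with first_half."""
    return sum(is_valid_pin(f"{first_half}{s:04d}") for s in range(10_000))

def worst_case_guesses() -> dict:
    """Guesses needed if the PIN is checked whole vs. half by half."""
    whole = 10 ** 8                            # eight digits checked as one value
    split = 10 ** 4 + second_halves("1234")    # each half confirmed on its own
    return {"whole_pin": whole, "split_pin": split}

def worst_case_hours(guesses, secs_per_guess, lock_after=0, lock_secs=0):
    """Time to exhaust the space; optional lockout after every lock_after failures."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * secs_per_guess + lockouts * lock_secs) / 3600

if __name__ == "__main__":
    print(is_valid_pin("12345670"))            # constructed sample PIN
    g = worst_case_guesses()
    print(g)
    # Assumed figures: 2 s per guess, then a 60 s lock after every 5 failures.
    print(round(worst_case_hours(g["split_pin"], 2), 1), "h without lockout")
    print(round(worst_case_hours(g["split_pin"], 2, 5, 60), 1), "h with lockout")
    print(round(worst_case_hours(g["whole_pin"], 2) / 24 / 365, 1), "years if checked whole")
```

With these assumed figures the lockout moves the worst case from hours to under two days, while a PIN checked as a whole would take years at the same rate, which is why the advice in the thread is to turn WPS off rather than rely on rate limiting.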

Bigaldoc
PlatinumLounger
Posts: 3757
Joined: 24 Jan 2010, 11:00
Location: Lexington, KY, USA

Re: New Wireless Router

Post by Bigaldoc »

Wow, I can now say that running a backup image via wireless sucks, at least in my setup!

I have two USB external drives attached to my desktop, to which I've made a number of backup images using Macrium Reflect while the laptop has been cable connected to my router (LAN). Those backups have taken on the order of about an hour.

Today, for the first time since I installed the wireless router, I did an image backup wirelessly and it took about twice as long.

I suppose in the future, I will probably disconnect the USB drive from the desktop and connect it directly to the laptop.

DaveA
GoldLounger
Posts: 2599
Joined: 24 Jan 2010, 15:26
Location: Olympia, WA

Re: New Wireless Router

Post by DaveA »

Wireless networking is always slower than CAT 5.
I use wireless ONLY when I have to, even when I go to the library and there is a CAT 5 connection, I will use it.
I am so far behind, I think I am First :evilgrin:
Genealogy....confusing the dead and annoying the living

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: New Wireless Router

Post by Argus »

Argus wrote: So, the advice is to disable WiFi Protected Setup, WPS, on the router, as a workaround.

I don't know if this works in all cases, if it is disabled in all modes. Some may also need a firmware update, since on some models it isn't possible to change this setting.

Just to add:
It isn't; I read it somewhere at the time; but here's another article on the topic.
http://arstechnica.com/business/news/20 ... reaver.ars

Just great; in the name of user friendliness they have introduced another door, much weaker, than the front door (WPA or WPA2), and it can't be removed, shut off. They all better work on firmware updates now.

In my simple router I think I can generate new PINs for WPS, don't know how that works, with the abovementioned vulnerability. Anyhow, I don't use Wi-Fi that often.
Byelingual    When you speak two languages but start losing vocabulary in both of them.