Forest BB

The digital grapevine of The Forest.
It is currently Wed Jul 23, 2014 1:20 pm

All times are UTC




Post new topic Reply to topic  [ 19 posts ] 
Author Message
 Post subject: Network Security
PostPosted: Fri Nov 28, 2008 8:20 pm 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Evening Chaps/Chappettes/Creatures of the Night/Various Otherwise,

I used the forest wifi for the first time today and the first thing I noticed was that it is unencrypted.
Whilst not having a key makes it a lot easier for people to connect, there's one major flaw:

Set your wifi card to "monitor" mode and you can sniff everyone's traffic with alarming ease, including any transmitted usernames/passwords, viewed email on sites like Hotmail, etc.

Encrypting the network would make this a lot more difficult (without a lot of time and computing power).

Now, I doubt it happens at the forest but it has been known for people to sit in areas with public networks (like McDonalds) and sniff traffic, which can then be used to take over accounts.

Being the security conscious person I am, whenever I'm on a public network, all my traffic goes through several encrypted SSH tunnels to make sure no-one is watching me ;) but your average-Joe user will not be doing this (or even have the faintest clue how to, I suspect).

So my questions are:

Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.


Best,
M

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Nov 29, 2008 2:34 am 
Offline
User avatar

Joined: Wed Apr 18, 2007 12:02 pm
Posts: 1798
Location: Edinburgh, UK
ChaoticReality wrote:
Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.


yes, a definite potential. would the solution not have to be at least WPA, as WEP can be cracked in ~5 mins (video link for uninitiated) in this day and age?

_________________
hey, if you don't like it, post on the BB (so you can ask about participating for better) | MilkMiruku


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Nov 29, 2008 3:35 am 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
milk wrote:
ChaoticReality wrote:
Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.


yes, a definite potential. would the solution not have to be at least WPA, as WEP can be cracked in ~5 mins (video link for uninitiated) in this day and age?


But it doesn't matter if it's cracked, because the key is public anyway. What it matters for is encrypting the traffic so you can't sniff the data out of thin air. The only advantage of using WPA1/2 over WEP is if we weren't giving the key out to everyone.

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Nov 29, 2008 4:00 am 
Offline
User avatar

Joined: Wed Apr 18, 2007 12:02 pm
Posts: 1798
Location: Edinburgh, UK
*reads up on WEP as it has been a while*

ah yes, true, which would then leave a man-in-the-middle style attack as the next requirement to sniff traffic (assumedly they'd use the same SSID as the forest's AP which would only be picked up on as a security issue by savvy users)?

_________________
hey, if you don't like it, post on the BB (so you can ask about participating for better) | MilkMiruku


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Nov 29, 2008 4:08 am 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
milk wrote:
*reads up on WEP as it has been a while*

ah yes, true, which would then leave a man-in-the-middle style attack as the next requirement to sniff traffic (assumedly they'd use the same SSID as the forest's AP which would only be picked up on as a security issue by savvy users)?


Correct. And even then, they'd have to bring in a router or other AP device, as otherwise it would show up as Ad-Hoc rather than Infrastructure based.

Because the forest's AP is a router/switch rather than just a hub, you can't sniff any traffic on it while connected to the network (I tested, to be sure), meaning that encrypting the network would secure the users from pretty much anything except someone bringing in and plugging in another router, which I doubt is going to happen.

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 2:12 am 
Offline
User avatar

Joined: Wed Apr 18, 2007 12:02 pm
Posts: 1798
Location: Edinburgh, UK
so, the nets say a basic 40-bit WEP key should be 5 ascii characters - this can just be 6 so we can use "forest" for ease of use yes?

we can stick up an A3 "WiFi key = forest" poster when the change is made.

_________________
hey, if you don't like it, post on the BB (so you can ask about participating for better) | MilkMiruku


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 2:22 am 
Offline
User avatar

Joined: Wed Apr 18, 2007 12:02 pm
Posts: 1798
Location: Edinburgh, UK
and for anyone interested in WPA cracking with rainbow tables (which mike noted at the volly party the other day), info here.

_________________
hey, if you don't like it, post on the BB (so you can ask about participating for better) | MilkMiruku


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 5:33 am 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Do we have a second AP we can use as well?

My reasoning:

We suddenly switch the AP over to use a WEP password of "forest" and put a notice up.
Not everyone will see/understand the notice.
People with autoconnecting Wifi setups will be puzzled.
Kitchen vollies suddenly get lots of people complaining that "the internet doesn't work", leading to temporary insanity and hatred of customers.

If we have a second AP, we can run an unencrypted network called "forest" (like the current one) and redirect all HTTP traffic to a web page that just says "We have now moved to an encrypted network so that things are secure for you blah blah blah. The new network is called X and the key is the word forest".

This enables users to figure things out for themselves, understand why and keeps the kitchen people nice and happy and smiley and not wanting to stab customers (for the most part).



Whether or not this is feasible I know not. Certainly I can do the bit with the redirection to a webpage, but I know not what hardware the forest has lying around and so this is where I push it back to you...

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 10:52 am 
Offline
User avatar

Joined: Mon Sep 11, 2006 12:35 pm
Posts: 1084
Our previous wireless router is still in the action room, I think. It's a D-Link DSL-604+.

What you'd probably want to do is set that up with the old connection settings (SSID "forest", unencrypted), have it do DHCP+NAT on that wireless network, and assign it a static IP on the wire.

Then, on the WRT54GL that its traffic would be going through, catch all web requests coming from that IP and redirect them to the "this is how to get on the forest network now" page.

We're running OpenWRT, there is probably a good package available for that to do this.

If you're going to do this though, please back up the existing configuration, give your setup a thorough test when the cafe is closed, and be prepared to roll back immediately if there's any problems.

Forest network trouble = not happy bunnies.


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 6:45 pm 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Martin wrote:
Our previous wireless router is still in the action room, I think. It's a D-Link DSL-604+.

What you'd probably want to do is set that up with the old connection settings (SSID "forest", unencrypted), have it do DHCP+NAT on that wireless network, and assign it a static IP on the wire.

Then, on the WRT54GL that its traffic would be going through, catch all web requests coming from that IP and redirect them to the "this is how to get on the forest network now" page.


That's pretty much what I was planning to do. However, being a newish vollie, I have fuck all idea how the network is set up and what IPs I should connect to to do routery things. Is there a "forest network for dummies" document anywhere?

Assuming no-one has any objections, I will hopefully be doing the switch sometime in the next week

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Thu Dec 04, 2008 9:36 pm 
Offline
User avatar

Joined: Mon Sep 11, 2006 12:35 pm
Posts: 1084
Quote:
Is there a "forest network for dummies" document anywhere?


No, but here's a quick summary:

The WRT54G router is the brains of the operation. It is running OpenWRT with the X-Wrt web frontend - see documentation at those sites for details on the software. We are currently running version 0.9 ("White Russian").

You can reach the router from the forest network at 192.168.43.1, or from the internet at forestcafe.dyndns.org. Login as root by ssh (from anywhere) or using the web interface (internal network only, currently). Everything can be configured from the web interface, but ssh access is useful for installing extra OpenWRT packages (using the ipkg command) and testing/debugging.

Internet access is via BT ADSL. We have a D-Link DSL-300T ADSL modem which is set up as a transparent PPP-over-ATM to PPP-over-Ethernet bridge, plugged into the WAN port of the router. The router has the login details and takes care of bringing up and maintaining the PPP connection. This keeps all the configuration, security and QoS queue management in one place, and also turns out to be much more reliable than letting the modem manage the connection and talk IP to the router.

Forest IP addresses are in the range 192.168.43.0-254. All addresses are assigned by DHCP from the router, except for the printer which has a hardcoded IP address because the on-board DHCP is reportedly unreliable. For consistency of network share locations etc, some desktop machines in the office and action room have specific IPs assigned by DHCP, linked to their MAC addresses, configured on the router.


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Fri Dec 05, 2008 2:53 am 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Fantastic, thanks.

Can you PM me the root login details for the router and suchlike (or tell me where they are written down)?

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Fri Dec 19, 2008 1:07 pm 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Ok, so I spent 2 and a half hours today trying to get this to work.

As soon as I turn on encryption of any kind, DHCP for the wireless network stops working. WTF?
I tried setting the WLAN to be a bridged network (on a different subnet) which worked fine, until I turned on encryption.

I might have more luck poking round the settings from SSH and not the web interface so if someone could give me the SSH login, I'd be eternally grateful.

Another question: We're running White Russian 0.9, the OpenWRT forum and homepage say this was discontinued quite a while ago in favour of the new Kamikaze release. Is there any reason we haven't upgraded yet?


Best,
M

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Dec 20, 2008 2:08 am 
Offline
User avatar

Joined: Mon Sep 11, 2006 12:35 pm
Posts: 1084
The ssh login details are the same as for the web interface.

We were sticking with White Russian while Kamikaze stabilised. If it sounds like it's up to scratch now, we could upgrade.


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Dec 20, 2008 7:56 am 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Ah, cheers. Just logged into ssh from here and realised where I was going wrong. The web and ssh have slightly different usernames (admin vs root).

Shall I go ahead with the upgrade to Kamikaze (probably tomorrow)?

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Dec 20, 2008 10:19 am 
Offline
User avatar

Joined: Mon Sep 11, 2006 12:35 pm
Posts: 1084
Ah, I remember why we didn't upgrade. Kamikaze is stable on the OpenWRT side but the X-Wrt web interface hadn't quite caught up. They have a build now for 8.09RC1, precompiled images here:

http://downloads.x-wrt.org/xwrt/kamikaz ... x/default/

Backup the configuration from the current setup in case you need to roll back.


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Sat Dec 20, 2008 3:53 pm 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
Ok, cool. I'll have a shot at this tomorrow.

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Mon Jan 05, 2009 12:16 pm 
Offline
User avatar

Joined: Sun Nov 23, 2008 10:16 am
Posts: 1111
Location: Edinburgh!
I tried the upgrade on a device at home and it all went smoothly so I will look to do it for our setup when I can.

Can someone who knows PM me the login details for our ADSL account? I have backed up the settings for the router anyway but just in case it would be handy to have around (and can be used in the collection of details I am starting).

Cheers,
M

_________________
Mike

Dawnsio 'mlaen i'r gwres prynhawn a rwy'n addo erbyn yfori byddai wedi mynd, hwyl fawr i pawb, hwyl fawr i pawb...


Top
 Profile  
 
 Post subject: Re: Network Security
PostPosted: Mon Jan 05, 2009 5:59 pm 
Offline
User avatar

Joined: Mon Jan 22, 2007 5:50 pm
Posts: 944
ChaoticReality wrote:
Can someone who knows PM me the login details for our ADSL account?

pm'd


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 19 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group