Network Security

[ChaoticReality]

Evening Chaps/Chappettes/Creatures of the Night/Various Otherwise,

I used the forest wifi for the first time today and the first thing I noticed was that it is unencrypted.
Whilst not having a key makes it a lot easier for people to connect, there's one major flaw:

Set your wifi card to "monitor" mode and you can sniff everyone's traffic with alarming ease, including any transmitted usernames/passwords, viewed email on sites like Hotmail, etc.

Encrypting the network would make this a lot more difficult (without a lot of time and computing power).

Now, I doubt it happens at the forest but it has been known for people to sit in areas with public networks (like McDonalds) and sniff traffic, which can then be used to take over accounts.

Being the security conscious person I am, whenever I'm on a public network, all my traffic goes through several encrypted SSH tunnels to make sure no-one is watching me but your average-Joe user will not be doing this (or even have the faintest clue how to, I suspect).

So my questions are:

Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.


Best,
M

[milk]

Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.

yes, a definite potential. would the solution not have to be at least WPA, as WEP can be cracked in ~5 mins (video link for uninitiated) in this day and age?

[ChaoticReality]

Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.

yes, a definite potential. would the solution not have to be at least WPA, as WEP can be cracked in ~5 mins (video link for uninitiated) in this day and age?

But it doesn't matter if it's cracked, because the key is public anyway. What it matters for is encrypting the traffic so you can't sniff the data out of thin air. The only advantage of using WPA1/2 over WEP is if we weren't giving the key out to everyone.

[milk]

*reads up on WEP as it has been a while*

ah yes, true, which would then leave a man-in-the-middle style attack as the next requirement to sniff traffic (assumedly they'd use the same SSID as the forest's AP which would only be picked up on as a security issue by savvy users)?

[ChaoticReality]

*reads up on WEP as it has been a while*

ah yes, true, which would then leave a man-in-the-middle style attack as the next requirement to sniff traffic (assumedly they'd use the same SSID as the forest's AP which would only be picked up on as a security issue by savvy users)?

Correct. And even then, they'd have to bring in a router or other AP device, as otherwise it would show up as Ad-Hoc rather than Infrastructure based.

Because the forest's AP is a router/switch rather than just a hub, you can't sniff any traffic on it while connected to the network (I tested, to be sure), meaning that encrypting the network would secure the users from pretty much anything except someone bringing in and plugging in another router, which I doubt is going to happen.

[milk]

so, the nets say a basic 40-bit WEP key should be 5 ascii characters - this can just be 6 so we can use "forest" for ease of use yes?

we can stick up an A3 "WiFi key = forest" poster when the change is made.

[milk]

and for anyone interested in WPA cracking with rainbow tables (which mike noted at the volly party the other day), info here.

[ChaoticReality]

Do we have a second AP we can use as well?

My reasoning:

We suddenly switch the AP over to use a WEP password of "forest" and put a notice up.
Not everyone will see/understand the notice.
People with autoconnecting Wifi setups will be puzzled.
Kitchen vollies suddenly get lots of people complaining that "the internet doesn't work", leading to temporary insanity and hatred of customers.

If we have a second AP, we can run an unencrypted network called "forest" (like the current one) and redirect all HTTP traffic to a web page that just says "We have now moved to an encrypted network so that things are secure for you blah blah blah. The new network is called X and the key is the word forest".

This enables users to figure things out for themselves, understand why and keeps the kitchen people nice and happy and smiley and not wanting to stab customers (for the most part).



Whether or not this is feasible I know not. Certainly I can do the bit with the redirection to a webpage, but I know not what hardware the forest has lying around and so this is where I push it back to you...

[Martin]

Our previous wireless router is still in the action room, I think. It's a D-Link DSL-604+.

What you'd probably want to do is set that up with the old connection settings (SSID "forest", unencrypted), have it do DHCP+NAT on that wireless network, and assign it a static IP on the wire.

Then, on the WRT54GL that its traffic would be going through, catch all web requests coming from that IP and redirect them to the "this is how to get on the forest network now" page.

We're running OpenWRT, there is probably a good package available for that to do this.

If you're going to do this though, please back up the existing configuration, give your setup a thorough test when the cafe is closed, and be prepared to roll back immediately if there's any problems.

Forest network trouble = not happy bunnies.

[ChaoticReality]

Our previous wireless router is still in the action room, I think. It's a D-Link DSL-604+.

What you'd probably want to do is set that up with the old connection settings (SSID "forest", unencrypted), have it do DHCP+NAT on that wireless network, and assign it a static IP on the wire.

Then, on the WRT54GL that its traffic would be going through, catch all web requests coming from that IP and redirect them to the "this is how to get on the forest network now" page.

That's pretty much what I was planning to do. However, being a newish vollie, I have fuck all idea how the network is set up and what IPs I should connect to to do routery things. Is there a "forest network for dummies" document anywhere?

Assuming no-one has any objections, I will hopefully be doing the switch sometime in the next week

[Martin]

Is there a "forest network for dummies" document anywhere?

No, but here's a quick summary:

The WRT54G router is the brains of the operation. It is running OpenWRT with the X-Wrt web frontend - see documentation at those sites for details on the software. We are currently running version 0.9 ("White Russian").

You can reach the router from the forest network at 192.168.43.1, or from the internet at forestcafe.dyndns.org. Login as root by ssh (from anywhere) or using the web interface (internal network only, currently). Everything can be configured from the web interface, but ssh access is useful for installing extra OpenWRT packages (using the ipkg command) and testing/debugging.

Internet access is via BT ADSL. We have a D-Link DSL-300T ADSL modem which is set up as a transparent PPP-over-ATM to PPP-over-Ethernet bridge, plugged into the WAN port of the router. The router has the login details and takes care of bringing up and maintaining the PPP connection. This keeps all the configuration, security and QoS queue management in one place, and also turns out to be much more reliable than letting the modem manage the connection and talk IP to the router.

Forest IP addresses are in the range 192.168.43.0-254. All addresses are assigned by DHCP from the router, except for the printer which has a hardcoded IP address because the on-board DHCP is reportedly unreliable. For consistency of network share locations etc, some desktop machines in the office and action room have specific IPs assigned by DHCP, linked to their MAC addresses, configured on the router.

[ChaoticReality]

Fantastic, thanks.

Can you PM me the root login details for the router and suchlike (or tell me where they are written down)?

[ChaoticReality]

Ok, so I spent 2 and a half hours today trying to get this to work.

As soon as I turn on encryption of any kind, DHCP for the wireless network stops working. WTF?
I tried setting the WLAN to be a bridged network (on a different subnet) which worked fine, until I turned on encryption.

I might have more luck poking round the settings from SSH and not the web interface so if someone could give me the SSH login, I'd be eternally grateful.

Another question: We're running White Russian 0.9, the OpenWRT forum and homepage say this was discontinued quite a while ago in favour of the new Kamikaze release. Is there any reason we haven't upgraded yet?


Best,
M

[Martin]

The ssh login details are the same as for the web interface.

We were sticking with White Russian while Kamikaze stabilised. If it sounds like it's up to scratch now, we could upgrade.

[ChaoticReality]

Ah, cheers. Just logged into ssh from here and realised where I was going wrong. The web and ssh have slightly different usernames (admin vs root).

Shall I go ahead with the upgrade to Kamikaze (probably tomorrow)?

[Martin]

Ah, I remember why we didn't upgrade. Kamikaze is stable on the OpenWRT side but the X-Wrt web interface hadn't quite caught up. They have a build now for 8.09RC1, precompiled images here:

http://downloads.x-wrt.org/xwrt/kamikaz ... x/default/

Backup the configuration from the current setup in case you need to roll back.

[ChaoticReality]

Ok, cool. I'll have a shot at this tomorrow.

[ChaoticReality]

I tried the upgrade on a device at home and it all went smoothly so I will look to do it for our setup when I can.

Can someone who knows PM me the login details for our ADSL account? I have backed up the settings for the router anyway but just in case it would be handy to have around (and can be used in the collection of details I am starting).

Cheers,
M

[neil]

Can someone who knows PM me the login details for our ADSL account?

pm'd