Network Security

[ChaoticReality]

Evening Chaps/Chappettes/Creatures of the Night/Various Otherwise,

I used the forest wifi for the first time today and the first thing I noticed was that it is unencrypted.
Whilst not having a key makes it a lot easier for people to connect, there's one major flaw:

Set your wifi card to "monitor" mode and you can sniff everyone's traffic with alarming ease, including any transmitted usernames/passwords, viewed email on sites like Hotmail, etc.

Encrypting the network would make this a lot more difficult (without a lot of time and computing power).

Now, I doubt it happens at the forest but it has been known for people to sit in areas with public networks (like McDonalds) and sniff traffic, which can then be used to take over accounts.

Being the security conscious person I am, whenever I'm on a public network, all my traffic goes through several encrypted SSH tunnels to make sure no-one is watching me but your average-Joe user will not be doing this (or even have the faintest clue how to, I suspect).

So my questions are:

Do we think that this is a potential threat at Forest?
If so, is it feasible to encrypt the network and make the key available somewhere obvious (paint it on the wall or whatever)?

The encryption need only be WEP, it matters not that the security is pants, as the aim is not to stop anyone connecting, merely to stop people sniffing unencrypted traffic out of thin air.


Best,
M

[milk]

[ChaoticReality]

[milk]

*reads up on WEP as it has been a while*

ah yes, true, which would then leave a man-in-the-middle style attack as the next requirement to sniff traffic (assumedly they'd use the same SSID as the forest's AP which would only be picked up on as a security issue by savvy users)?

[ChaoticReality]

[milk]

so, the nets say a basic 40-bit WEP key should be 5 ascii characters - this can just be 6 so we can use "forest" for ease of use yes?

we can stick up an A3 "WiFi key = forest" poster when the change is made.

[milk]

and for anyone interested in WPA cracking with rainbow tables (which mike noted at the volly party the other day), .

[ChaoticReality]

Do we have a second AP we can use as well?

My reasoning:

We suddenly switch the AP over to use a WEP password of "forest" and put a notice up.
Not everyone will see/understand the notice.
People with autoconnecting Wifi setups will be puzzled.
Kitchen vollies suddenly get lots of people complaining that "the internet doesn't work", leading to temporary insanity and hatred of customers.

If we have a second AP, we can run an unencrypted network called "forest" (like the current one) and redirect all HTTP traffic to a web page that just says "We have now moved to an encrypted network so that things are secure for you blah blah blah. The new network is called X and the key is the word forest".

This enables users to figure things out for themselves, understand why and keeps the kitchen people nice and happy and smiley and not wanting to stab customers (for the most part).



Whether or not this is feasible I know not. Certainly I can do the bit with the redirection to a webpage, but I know not what hardware the forest has lying around and so this is where I push it back to you...

[Martin]

Our previous wireless router is still in the action room, I think. It's a D-Link DSL-604+.

What you'd probably want to do is set that up with the old connection settings (SSID "forest", unencrypted), have it do DHCP+NAT on that wireless network, and assign it a static IP on the wire.

Then, on the WRT54GL that its traffic would be going through, catch all web requests coming from that IP and redirect them to the "this is how to get on the forest network now" page.

We're running OpenWRT, there is probably a good package available for that to do this.

If you're going to do this though, please back up the existing configuration, give your setup a thorough test when the cafe is closed, and be prepared to roll back immediately if there's any problems.

Forest network trouble = not happy bunnies.

[ChaoticReality]

[Martin]

[ChaoticReality]

Fantastic, thanks.

Can you PM me the root login details for the router and suchlike (or tell me where they are written down)?

[ChaoticReality]

Ok, so I spent 2 and a half hours today trying to get this to work.

As soon as I turn on encryption of any kind, DHCP for the wireless network stops working. WTF?
I tried setting the WLAN to be a bridged network (on a different subnet) which worked fine, until I turned on encryption.

I might have more luck poking round the settings from SSH and not the web interface so if someone could give me the SSH login, I'd be eternally grateful.

Another question: We're running White Russian 0.9, the OpenWRT forum and homepage say this was discontinued quite a while ago in favour of the new Kamikaze release. Is there any reason we haven't upgraded yet?


Best,
M

[Martin]

The ssh login details are the same as for the web interface.

We were sticking with White Russian while Kamikaze stabilised. If it sounds like it's up to scratch now, we could upgrade.

[ChaoticReality]

Ah, cheers. Just logged into ssh from here and realised where I was going wrong. The web and ssh have slightly different usernames (admin vs root).

Shall I go ahead with the upgrade to Kamikaze (probably tomorrow)?

[Martin]

Ah, I remember why we didn't upgrade. Kamikaze is stable on the OpenWRT side but the X-Wrt web interface hadn't quite caught up. They have a build now for 8.09RC1, precompiled images here:

http://downloads.x-wrt.org/xwrt/kamikaz ... x/default/

Backup the configuration from the current setup in case you need to roll back.

[ChaoticReality]

Ok, cool. I'll have a shot at this tomorrow.

[ChaoticReality]

I tried the upgrade on a device at home and it all went smoothly so I will look to do it for our setup when I can.

Can someone who knows PM me the login details for our ADSL account? I have backed up the settings for the router anyway but just in case it would be handy to have around (and can be used in the collection of details I am starting).

Cheers,
M

[neil]