Network security, passwords and keys

Discussion:

(too old to reply)

Micky

2015-12-25 05:24:01 UTC

All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?

And if I haven't set a router password, he can set one, and then I
would have run around in circles for an hour not understanding why I
couldn't call up my router page. (Even now it will take me a half
hour to figure out I have to push the reset button on the router,
right? And then I have to get my two wireless things connected
again. More wasted time.)

So do you all have a password for logging into your router?

With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?

Thanks

Mike Easter

2015-12-25 05:29:41 UTC

Permalink

Post by Micky
So do you all have a password for logging into your router?

Absolutely.

--
Mike Easter

Micky

2015-12-25 05:36:53 UTC

Permalink

rickman

2015-12-25 05:50:33 UTC

Permalink

Post by Micky
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.
But in a moment of possible enlightenment, it occurred to me that if
an interloper can log into my router, he can change the key so that
iiuc I won't be able to use the net. That's bad, right?
And if I haven't set a router password, he can set one, and then I
would have run around in circles for an hour not understanding why I
couldn't call up my router page. (Even now it will take me a half
hour to figure out I have to push the reset button on the router,
right? And then I have to get my two wireless things connected
again. More wasted time.)
So do you all have a password for logging into your router?
With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?

I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?

--
Rick

Micky

2015-12-25 06:13:01 UTC

Permalink

Post by rickman

I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?

Something I was reading also suggested this, but I checked before
posting and I can get there and change a setting from my laptop. I
don't see a place to turn it on or off, and I surely didn't turn it
on, but otoh, the router is about 8 years old (although it says the
firmware is almost 11 years old**.) Maybe D-Link hadn't thought of
this yet.

**Could a router come with firmware 3 years old? Maybe I bought the
router used and don't remember. I don't remember where I bought it at
all, new or used.

rickman

2015-12-25 07:32:44 UTC

Permalink

Post by Micky

Post by rickman

I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?

Something I was reading also suggested this, but I checked before
posting and I can get there and change a setting from my laptop. I
don't see a place to turn it on or off, and I surely didn't turn it
on, but otoh, the router is about 8 years old (although it says the
firmware is almost 11 years old**.) Maybe D-Link hadn't thought of
this yet.
**Could a router come with firmware 3 years old? Maybe I bought the
router used and don't remember. I don't remember where I bought it at
all, new or used.

Oh, so you have no security on your wifi? That's on the LAN side.
Maybe I missed the significance of your initial statement. Are you
talking about insecure wifi? Why not use the highest security on the
wifi you can? You are talking about not having access for an hour or
two it would take you to figure out the problem and fix it. If you use
a high security protocol they will just go away and break into someone
else's router.

--
Rick

Paul

2015-12-25 07:24:12 UTC

Permalink

Post by rickman

I'm pretty sure the access to the user page in the router is only
available on the LAN side unless you turn on access from the WAN side. No?

Sadly, no.

I ran into an individual, who was working with a brand new router,
and that one had access from the WAN side.

It turned out, the hardware company that made the router, were using
the *sample* firmware from the chipset maker. And the hardware company
had not added one ounce of extra code to the thing, tightened up the
configuration, or a damn thing. It was like a piece of crap they
had just got working on their lab bench.

The end result, is there are some hilariously in-secure products
out there. Just waiting for 12 year old script kiddies to find.

I don't think you will find name-brand equipment that badly
configured, but there can still be problems with the name-brand
stuff. One problem, for example, was related to the fact that
a large number of products were using a third-party firmware,
so the manufacturer didn't have to write/edit each design,
and they were using that firmware as their product firmware.
And once an exploit is uncovered for a "common" firmware
like that, it means a whole bunch of different brands/models can
be tipped over at the same time. The ideal situation would
be if all the firmwares were unique, with a unique bug in each
one, so only one model number would tip over at a time :-)

Paul

David E. Ross

2015-12-25 05:55:15 UTC

Permalink

Post by Micky
So do you all have a password for logging into your router?

Yes, I definitely have a password. Changing from the default password
was one of the very first things I did when setting up my router.

However, I have also disabled Wifi. We have two PCs wired to the
router. We have no laptop, no tablet, no iPad, and no smart phone.
Thus, we do not need Wifi.

By the way, last night, Southern California Edison had an unplanned
power outage that lasted about 3 hours. This morning, I could not
connect to the Internet. After lengthy phone calls, first to my ISP
(Time-Warner Cable) and then to the manufacturer of my router (Netgear),
the conclusion was that my router might have failed. Since my router
was several years old, Netgear wanted "big bucks" to continue the phone
call. Instead, I bought a new router for less than half the amount
Netgear wanted.
--
David E. Ross

Pharmaceutical companies claim their drug prices are
so high because they have to recover the costs of developing
those drugs. Two questions:

1. Why is the U.S. paying the entire cost of development while
prices for the same drugs in other nations are much lower?

2. Manufacturers of generic drugs did not have those
development costs. Why are they charging so much for generics?

Micky

2015-12-25 06:16:03 UTC

Permalink

On Thu, 24 Dec 2015 21:55:15 -0800, "David E. Ross"

Post by David E. Ross

Post by Micky
So do you all have a password for logging into your router?

Yes, I definitely have a password.

The thought never occurred to me, even though the field was right
there. I thought, How nice, I don't have to fill it in.

Post by David E. Ross
Changing from the default password

No default either, just blank.

Post by David E. Ross
was one of the very first things I did when setting up my router.
However, I have also disabled Wifi. We have two PCs wired to the
router. We have no laptop, no tablet, no iPad, and no smart phone.
Thus, we do not need Wifi.

I have a laptop bought used and rarely used, but sometimes. And a
printer that was far too far from the computer to run a wire.

Post by David E. Ross
By the way, last night, Southern California Edison had an unplanned
power outage that lasted about 3 hours. This morning, I could not
connect to the Internet. After lengthy phone calls, first to my ISP
(Time-Warner Cable) and then to the manufacturer of my router (Netgear),
the conclusion was that my router might have failed. Since my router
was several years old, Netgear wanted "big bucks" to continue the phone
call. Instead, I bought a new router for less than half the amount
Netgear wanted.

Paul in Houston TX

2015-12-25 06:04:34 UTC

Permalink

Post by Micky
So do you all have a password for logging into your router?

I would imagine that most computer literate people do.
Make it quite long but mnemonic so it can be remembered.
Case sensitive, alpha-numeric, and symbol.

Post by Micky
With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?

More than likely it happens. Some people leave the
default in place. Not a good idea. They do the same
with their wifi. A terrible idea.

Micky

2015-12-25 06:18:10 UTC

Permalink

On Fri, 25 Dec 2015 00:04:34 -0600, Paul in Houston TX

Post by Paul in Houston TX

Post by Micky
So do you all have a password for logging into your router?

I would imagine that most computer literate people do.

Ah, no wonder! I guess I'm not really in that category anymore.

Post by Paul in Houston TX
Make it quite long but mnemonic so it can be remembered.
Case sensitive, alpha-numeric, and symbol.

Post by Micky
With a new router, the router password has to be set first, I think,
or an aggressive interloper will change the encryption key. Does
this happen?

More than likely it happens. Some people leave the
default in place. Not a good idea. They do the same
with their wifi. A terrible idea.

Thanks all.

Paul in Houston TX

2015-12-25 06:25:01 UTC

Permalink

Post by Micky
On Fri, 25 Dec 2015 00:04:34 -0600, Paul in Houston TX

Post by Paul in Houston TX

Post by Micky
So do you all have a password for logging into your router?

I would imagine that most computer literate people do.

Ah, no wonder! I guess I'm not really in that category anymore.

Sure you are! Your questions make us think, research, and remember.

Micky

2015-12-25 06:34:05 UTC

Permalink

On Fri, 25 Dec 2015 00:25:01 -0600, Paul in Houston TX

Post by Paul in Houston TX

Post by Micky
On Fri, 25 Dec 2015 00:04:34 -0600, Paul in Houston TX

Post by Paul in Houston TX

Post by Micky
So do you all have a password for logging into your router?

I would imagine that most computer literate people do.

Ah, no wonder! I guess I'm not really in that category anymore.

Sure you are! Your questions make us think, research, and remember.

You are very generous, sir. And you did say "most" in your prior
post.

Char Jackson

2015-12-25 17:25:51 UTC

Permalink

Post by Micky
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.

Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).

Enjoy.

--
Char Jackson

Micky

2015-12-26 04:09:07 UTC

Permalink

Post by Char Jackson

Post by Micky
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

Very helpful information. One of the reasons I just installed the new
firmware on the router, to get WPA2, which iirc I didn't have until
just now.

Post by Char Jackson
Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.

My neighbors are not very technical, although one had a nephew who was
a drunk. I saw him at the nearby shopping strip and he asked me to
buy him a big bottle of beer. Gave me the money. I did it, but when
the owner figured out what I was doing, just as he was giving me the
change, he told me not to do it again. (I'm still glad I did it once,
because he vouched for me with his hoodlum friends. I don't think
he's a hoodlum, except when he's drunk he has no judgment.) She let
him live with her to be nice to him, and he brought home some guys who
knew he was drunk and came there with him to rob the place. They
found this very heavy "safe" which they managed to break open while
walking around the back of my house (about 100 feet from her house. We
are in the same townhouse section.) Because I have a fence, I didn't
see it for an extra day, and I sure had trouble carrying it back to
her. But it had a lot of her papers and she'd already stopped the
credit cards.

She didn't want to but she kicked her nephew out, and I never see him
anymore, and that's the kind of risk I faced, much more than n'bors
hacking me. But it's a small risk. My front door got kicked in 32
years ago, between 6 and 7 on a Sunday night, but the n'bor's dog may
have scared them away. Nothign was stolen. He barked all the time
and drove me crazy, kept me from falling asleep at night and woke me
up 15 minutes before I had to be up even on workdays, but that day it
was good.

And one time, someone stole two gas lawnmowers, push mowers, that I
had spent weeks trying to start even one of them. LOL

And another time they stole a bicycle I got from the trash, from which
I had removed the seat and seatpost, to get a longer seat post. But
I couldnt' find even a regular length seatpost in that diameter (1",
iirc) Which means they're stuck with a bike but no seat or seatpost.
LOL

No one's touched my car, even though I leave it parked with the top
down if I'm going out again.

Those are the only problems in 32 years.

Post by Char Jackson
Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).
Enjoy.

Thanks. I'll get back to you.

Mike S

2015-12-28 07:42:54 UTC

Permalink

Post by Char Jackson

Post by Micky
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.
Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.
Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).
Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...

"Your Impression is true..the companies that produced these new routers
realised the WPS flaw. As a result they have tighten up their controls
on WPS security and this include the AP rate limiting feature"

https://forums.kali.org/showthread.php?19641-Reaver-WPS-Locked-Situation-and-Useful-Link

Char Jackson

2015-12-28 15:17:54 UTC

Permalink

Post by Mike S

Post by Char Jackson

Post by Micky
All this time I've been thinking that if WEP or WPA-PSK enabled and a
proper key, I have adequate router security.

Others have responded to most of your questions and points, but I wanted to
emphasize that WEP is completely broken and has been so since about 2006.
With the right tools, all freely available, a WEP passphrase can be
retrieved in under 3 minutes.
Some implementations of WPA-PSK and WPA2-PSK are also broken, but take
significantly longer to retrieve a passphrase, usually on the order of 1-7
days or so, so can be considered secure from passersby but not from the
person living next door who has all the time in the world to let his tools
run.
Lastly, WPS (WiFi Protected Setup) is also broken in some implementations
such that affected routers can simply be asked to provide their WiFi
password and they will happily do so. If you're blessed with a router that
suffers from an improper WPS implementation, then it doesn't matter how long
and hairy you make the WiFi password, or how often you change it. Tools
exist, also freely available like the others above, to simply interrogate
the router and ask it to provide the WiFi password (over WiFi, of course).
Enjoy.

If you're referring to Backtrack and Reaver, companies are taking steps
to make brute force attacks ineffective...

Ineffective is too strong. I'll agree with less effective.

As you noted in the quote below, the proposed solution for the WPS
vulnerability was to introduce a rate limiting feature. That doesn't solve
the issue, though. It only means a successful attack is likely to take
longer. OTOH, the best case scenario for the attacker is that his software
makes a successful guess on the first attempt, rendering the rate limiting
feature completely moot. Even without such good fortune for the attacker, if
he or she lives close by, they'll have all the time in the world. The rate
limiting feature means the attack is likely to take longer, but it won't be
stopped. Drive-by's were never the attack vector here, so the fact that it
might take longer isn't a strong selling point. Also, statistically, some
portion of attacks will be successful very early in the process, all but
eliminating rate limiting as a factor. I'd like to see a real solution, not
a band-aid.

Post by Mike S
"Your Impression is true..the companies that produced these new routers
realised the WPS flaw."

Heh, yeah, after they got beaten up in the press about it.

Post by Mike S
As a result they have tighten up their controls
on WPS security and this include the AP rate limiting feature"
https://forums.kali.org/showthread.php?19641-Reaver-WPS-Locked-Situation-and-Useful-Link

Keep in mind, too, how many routers are in the field with the WPS issue, and
how few router owners pay attention to security or ever upgrade their
router's firmware. Heck, I still have people using WEP around here, and
that's been fully broken for a decade.

--
Char Jackson