
Internet security onboard

Discussion in 'General Yachting Discussion' started by Marmot, Mar 15, 2011.

  1. Marmot

    Marmot Senior Member

    Joined:
    May 20, 2007
    Messages:
    3,311
    Location:
    9114 S. Central Ave
    Have any readers had problems or suspected intruders on the yacht's wireless network or even unauthorised attempts to access the boat's server?

    Am collecting anecdotal information and anyone who would rather not go public can PM me.

    Thanks, M
  2. PropBet

    PropBet Senior Member

    Joined:
    Apr 21, 2007
    Messages:
    1,216
    Location:
    Is Everything!
    Don't know of specific attempts to access (I'm sure there have been some somewhere along the line), but everything that is wireless is secured with the following methods:
    WPA or WAP encryption (128bit)
    We *DO NOT* broadcast our SSIDs
    We use MAC Address filtering for all machines that access the network wirelessly.

    Somebody technically savvy enough could technically see there is a network in range (should they be close enough); however, they would have a rather tough time connecting to the network and/or browsing any machines on the network.

    It'd be easier to walk into the laz and plug in to the RJ45 on the bench.
  3. Marmot

    Marmot Senior Member

    Joined:
    May 20, 2007
    Messages:
    3,311
    Location:
    9114 S. Central Ave
    And that is what most other people think, too. You might be amazed how simple it can be though.
  4. K1W1

    K1W1 Senior Member

    Joined:
    Sep 30, 2005
    Messages:
    7,427
    Location:
    My Office
  5. carelm

    carelm Senior Member

    Joined:
    Feb 5, 2011
    Messages:
    403
    Location:
    fairfax va
    At a minimum you need a fairly robust firewall and encrypting of your wireless router. It might be helpful to have a traffic analyzer to figure out what IPs are pinging your system. Some years ago McAfee had this on their anti-virus software package and I used it to block out IP groups. It was interesting to note that the analyzer pointed to former East Bloc countries and China. The best security though, is to turn off your network when you don't need it.
  6. NYCAP123

    NYCAP123 Senior Member

    Joined:
    Mar 14, 2008
    Messages:
    11,208
    Location:
    Long Island, NY
    Just saw something on TV the other night about a guy in a highrise on Florida's gulf coast who got arrested for distributing child porn. Turned out his wireless was hacked by a guy on a boat in a marina 200 yards away.
  7. PropBet

    PropBet Senior Member

    Joined:
    Apr 21, 2007
    Messages:
    1,216
    Location:
    Is Everything!
    I know the exact steps and process(es) needed considering I spent much of my life in the technology field. Specifically networking.

    Can someone get on our network if they had the skills and know-how? Of course. Sit out there long enough to grab enough packets to brute force a 128bit WPA key and you're in.

    Do I worry about people leeching or gaining access to other machines on the network? No. Not really.

    If I was worried about it, I'd implement the *ONLY* 100% true and effective security for computers. Unplug them, and put them on the shelf.

    Anything plugged in to the wall and connected, is at liability of being hacked. In the truest sense, there is no absolute. The steps we take, simply slow down the smart ones, and stop the dummies.
  8. YachtForums

    YachtForums Administrator

    Joined:
    Dec 22, 2002
    Messages:
    20,611
    Location:
    South Florida
    Kismet.
  9. PropBet

    PropBet Senior Member

    Joined:
    Apr 21, 2007
    Messages:
    1,216
    Location:
    Is Everything!
    A beautifully sharpened knife that will cut in both directions.

    Tripwire and Ntop are two other utilities I use regularly.
  10. YachtForums

    YachtForums Administrator

    Joined:
    Dec 22, 2002
    Messages:
    20,611
    Location:
    South Florida
    LOL! That too, but I was referring to Kismet Intrusion Detection Systems for wireless networks. ;)
  11. Energizer

    Energizer New Member

    Joined:
    Nov 20, 2005
    Messages:
    13
    Location:
    Florida
    WEP and WPA are both easily crackable; less than 5 minutes -- with scripts, one can obtain near-instant (<30 seconds) access to such an access point. WPA2 is reasonably crackable with very short passwords or common rainbow table passwords. WPA2 is not reasonably crackable with long and random (non-human) passwords.

    MAC address filtering is useless because not broadcasting your SSID is also useless. The common tool airodump-ng uses the network card in monitor mode; the MAC addresses of all connected users are shown even on "hidden" wifi-routers.

    Once connected it is further easy to exploit the router firmware and obtain admin access, turn off intrusion detection, turn off firewall or allow inbound routing or DMZ. Since many users rely on the wifi or LAN firewall, once inside it is easy to browse files on back up servers, sniff POP3 emails, chat, unencrypted website traffic, or use firebug to hijack active SSL connections to keep an eye on a user's online bank accounts, encrypted email (gmail), brokerage accounts (where it's usually easy to do ACH transfers), or just monitor trading activity and purchase stock options accordingly if it's a big fish.
  12. NYCAP123

    NYCAP123 Senior Member

    Joined:
    Mar 14, 2008
    Messages:
    11,208
    Location:
    Long Island, NY
    Interesting, and makes me glad I do no banking on line. Dare I ask what happens when people access their accounts via I-phone?
  13. wscott52

    wscott52 Senior Member

    Joined:
    Jul 30, 2007
    Messages:
    298
    Location:
    SE Florida
    WPA2 with a high strength password, like one from here: https://www.grc.com/passwords.htm, is pretty much uncrackable. MAC address filtering and disabling SSID broadcasts are both more nuisance factors than anything else. I use them to try and drive a war driver somewhere else. If he knows he's getting a signal from a yacht worth tens of millions he might be willing to put up with the annoyance. The best thing to do is not use wifi at all and have every networked computer connected by Ethernet and a serious hardware firewall between the onboard network and its Internet access.

    ps

    I have a home wifi network protected by a wpa2 encrypted router using a grc hexadecimal password because I like being able to carry my laptop around the house and have a wifi enabled printer but then I'm not worth hundreds of millions of dollars.
  14. lovinlifenc

    lovinlifenc Member

    Joined:
    Mar 28, 2010
    Messages:
    135
    Location:
    Wilmington NC
    I have a program that can hack wep and wpa passwords. The longest it has taken was about 12 hours, and that was a very strong Key. With access to the network, I can usually access the machines and routers attached to it without any problems.

    The best setup would be to have a DMZ. A wireless router, which also connects to your internet connection, then another router behind it with a firewall set up properly to prevent any unwanted access from the outside. Any machines that aren't wireless should be plugged into the firewall router. You can set up rules that would allow access to specific mac addresses through the firewall. Most wireless routers can be set up so that the only communication allowed from the wireless clients is to the wireless router itself, and the clients can't actually see or ping one another.

    I would run zone alarm on any machines connecting to the wireless side of the network for firewall protection on the actual computers, too. I do consulting, and would be happy to advise you on a more specific configuration.
  15. wscott52

    wscott52 Senior Member

    Joined:
    Jul 30, 2007
    Messages:
    298
    Location:
    SE Florida
    You're not cracking WPA2-AES/CCMP networks with a strong 63 bit random ASCII or 64 bit random hexadecimal key.
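
The long random WPA2 key discussed in posts 13 and 15, as an added example that is not part of the original thread: it generates a maximum-length passphrase or raw hex key locally, derives the WPA2-PSK master key the way the standard does, and compares search-space sizes. The guess rate and the SSID `ExampleYacht` are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# 95 printable ASCII characters (0x20-0x7E) allowed in a WPA2 passphrase.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
PMK_BITS = 256  # the derived key is 256 bits, so strength is capped there


def random_passphrase(length=63):
    """Random passphrase from the OS CSPRNG; WPA2 accepts 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_hex_key():
    """64 hex digits: a raw 256-bit key entered in place of a passphrase."""
    return secrets.token_hex(32)


def derive_pmk(passphrase, ssid):
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def entropy_bits(length, alphabet_size):
    """Search-space size in bits for a uniformly random secret."""
    return min(length * math.log2(alphabet_size), PMK_BITS)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e6  # assumed offline guess rate, for comparison only
    for label, n, size in [("8 lowercase letters", 8, 26),
                           ("63 printable ASCII", 63, 95),
                           ("64 hex digits", 64, 16)]:
        bits = entropy_bits(n, size)
        print(f"{label:20s} {bits:6.1f} bits  {years_to_exhaust(bits, rate):.3g} years")
    print("PMK for a fresh passphrase on SSID 'ExampleYacht':",
          derive_pmk(random_passphrase(), "ExampleYacht").hex())
```

Because the SSID is the salt, the same passphrase yields a different master key on every network name, which is why a unique SSID also defeats precomputed tables.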
  16. K1W1

    K1W1 Senior Member

    Joined:
    Sep 30, 2005
    Messages:
    7,427
    Location:
    My Office
    Hi,

    I am using WPA-PSK [TKIP] + WPA2-PSK [AES] on my wireless setup at home and in the office.

    How do I tell if I am relying on the AES or the TKIP part of it?
  17. PropBet

    PropBet Senior Member

    Joined:
    Apr 21, 2007
    Messages:
    1,216
    Location:
    Is Everything!
    Like I said earlier, you're not going to keep everyone out. Especially those tech savvy. If you want to keep them out, turn everything off and unplug it. That is the *only* secure network.

    There are a few sensible things you can do to slow down the wardrivers and passers by looking for a free connection. WPA, strong passwords, and a properly built network segmented for internal and external traffic, along with a few monitoring tools.
  18. wscott52

    wscott52 Senior Member

    Joined:
    Jul 30, 2007
    Messages:
    298
    Location:
    SE Florida

    Why?




    Must make message longer.
  19. K1W1

    K1W1 Senior Member

    Joined:
    Sep 30, 2005
    Messages:
    7,427
    Location:
    My Office
    Hi,

    Because that is the last of the 4 options offered under the Wireless Security Tab.

    The names I posted were copied and pasted off the router's homepage.
  20. Energizer

    Energizer New Member

    Joined:
    Nov 20, 2005
    Messages:
    13
    Location:
    Florida
    Using iPhone on 2G, or "E", is not secure because an attacker can create his own cellphone tower/radio right next to the user and control the phone to connect to him. 3G is not yet vulnerable. 3G is sufficiently encrypted, and there are no known useful attacks. 4G also safe. iPhone over wireless subject to the before situation: anything less than wpa2 with a very long password is essentially wide open for the determined attacker. A person on a yacht is an instant high-value target, ruling out the idea that an attacker will just move on if there are difficult obstacles. Getting insider information or corporate credit card number etc is worth months of high CPU temps. I would venture to guess that there are active hackers poking at yachts in all ports, everywhere. What else would nerds do near a beach...

    K1W1, you can probably right click on some connection symbol and see details. Otherwise you could use airodump-ng to see the state of the packets emitted around you.
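
K1W1's AES-or-TKIP question in post 16 can be checked against the RSN information element an access point advertises in its own beacons, shown here as an added example that is not part of the original thread. The two byte strings are constructed samples, not captures, and the helper names are hypothetical; the parser reads only the RSN element (ID 0x30), not the separate WPA vendor element a mixed-mode access point also sends.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def _suite(raw, table):
    """Decode one 4-byte suite selector: 3-byte OUI plus 1-byte type."""
    if raw[:3] != RSN_OUI:
        return f"vendor-{raw.hex()}"
    return table.get(raw[3], f"unknown-{raw[3]}")

def _suite_list(body, off, table):
    """Decode a little-endian count followed by that many suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element")
    return [_suite(body[i:i + 4], table) for i in range(off + 2, end, 4)], end

def parse_rsn_ie(ie):
    """Parse an RSN element (ID 0x30) into group, pairwise and AKM suites."""
    if len(ie) < 8 or ie[0] != 0x30 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, _ = _suite_list(body, off, AKMS)
    return {"version": version, "group": _suite(body[2:6], CIPHERS),
            "pairwise": pairwise, "akm": akm}

def tkip_exposure(rsn):
    """List the traffic classes that can still be protected by TKIP."""
    found = []
    if rsn["group"] == "TKIP":
        found.append("broadcast/multicast (group cipher)")
    if "TKIP" in rsn["pairwise"]:
        found.append("unicast (pairwise cipher offered)")
    return found

# Constructed samples, not captures: a mixed-mode AP and an AES-only AP.
MIXED = bytes.fromhex("3014" "0100" "000fac02" "0100" "000fac04" "0100" "000fac02" "0000")
AES_ONLY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    print(parse_rsn_ie(MIXED), tkip_exposure(parse_rsn_ie(MIXED)))
```

In the mixed-mode sample a WPA2 client gets CCMP (AES) for its own unicast traffic while broadcast and multicast frames still use the TKIP group cipher; the AES-only sample reports no TKIP exposure.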