Suggestions for stopping occasional spurious use of commercial wi-fi

I have a Rogers-supplied router and cable modem package, which twice has shown significant usage when I was out, once with the original unit and once with their replacement Cisco. That makes me suspicious of the current state of authentication for wi-fi schemes (and I use the term "schemes" advisedly: they used to be horribly leaky (;-))

What's a good approach? I have considered

* MAC address lists,
* no wi-fi (strictly wired doesn't work with solid concrete walls),
* a second router with a more secure protocol (/is/ there such a protocol? And will my wife's Mac speak it?))
* something I haven't thought of

--dave

[The usage never runs me over my limit: I think someone is using me for downloads that might put /them/ over their limit]

--
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                      -- Mark Twain

On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> What's a good approach? I have considered
Many people use separate routers, as they're not happy with the Rogers hardware. I run pfSense on a refurb computer. All you have to do is put the modem in bridge mode and connect your router. Also, you may want to get something other than a Cisco modem. Rogers doesn't support IPv6 on them. I have a Hitron modem in bridge mode. BTW, when I switched from Cisco to Hitron, I wound up with a significant price decrease for my Internet/TV/Home phone service.

I daisy chain in my own router, then MAC address filtering. Turn off wifi on the Rogers router. If you are not home during the day you can possibly programmatically turn off wifi. The MAC address filtering is a bit of work to maintain, as you need all device MAC addresses, but I've gotten used to it.

You can also look into using metal mesh/aluminium foil to limit your router's directionality. For example if you are in an apartment and the router is on the west perimeter, put up some chicken wire blocking access further west. If you are in an apartment with a single floor then reorient your antenna to not transmit your signal higher or lower than your floor. That will further limit access.

Don

On Sun, 16 Sep 2018 at 13:50, James Knott via talk <talk@gtalug.org> wrote:
> On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> > What's a good approach? I have considered
> Many people use separate routers, as they're not happy with the Rogers hardware. I run pfSense on a refurb computer. All you have to do is put the modem in bridge mode and connect your router. Also, you may want to get something other than a Cisco modem. Rogers doesn't support IPv6 on them. I have a Hitron modem in bridge mode.
> BTW, when I switched from Cisco to Hitron, I wound up with a significant price decrease for my Internet/TV/Home phone service.
--- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk

On 09/16/2018 02:32 PM, Don Tai wrote:
> You can also look into using metal mesh/aluminium foil to limit your router's directionality. For example if you are in an apartment and the router is on the west perimeter, put up some chicken wire blocking access further west. If you are in an apartment with a single floor then reorient your antenna to not transmit your signal higher or lower than your floor. That will further limit access.
WPA2 encryption would be more effective. Start with a new password. I use the "Perfect Passwords" from www.grc.com to generate 63 random characters.

I am assuming that on the Rogers router you are already using WPA2 and that someone has cracked it using a tool like AirCrack-NG (Kali dist or download). Physical barriers to limit signal strength will not alone protect you. There are numerous tutorials out there on how to use Aircrack-NG.

On Sun, 16 Sep 2018 at 14:36, James Knott via talk <talk@gtalug.org> wrote:
> On 09/16/2018 02:32 PM, Don Tai wrote:
> > You can also look into using metal mesh/aluminium foil to limit your router's directionality. For example if you are in an apartment and the router is on the west perimeter, put up some chicken wire blocking access further west. If you are in an apartment with a single floor then reorient your antenna to not transmit your signal higher or lower than your floor. That will further limit access.
> WPA2 encryption would be more effective. Start with a new password. I use the "Perfect Passwords" from www.grc.com to generate 63 random characters.

On 09/16/2018 02:42 PM, Don Tai wrote:
> I am assuming that on the Rogers router you are already using WPA2 and that someone has cracked it using a tool like AirCrack-NG (Kali dist or download). Physical barriers to limit signal strength will not alone protect you. There are numerous tutorials out there on how to use Aircrack-NG.
From the FAQ:

"How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required."

By avoiding passwords found in the dictionary, you're much less vulnerable. A random 63 character string does that. Here's a sample:
GZcfs^7w\D$JKE8XZJ(bw#.&'(||c>tt@;yt[]gQ$<s~Xoc7}A9cQ`KhFbHM}:
Try finding that in a dictionary.

And also:

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack:

* Mix the IV and the shared key using a hash function or
* Discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the “flaws” of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.

https://www.aircrack-ng.org/doku.php?id=faq
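An added example, not part of the original thread: the WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 salted with the SSID) that every dictionary guess has to repeat, next to a generator for the kind of random 63-character passphrase recommended in the message above. The sample wordlist and the audit heuristics are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# The 95 printable ASCII characters (0x20-0x7E) permitted in a WPA/WPA2 passphrase.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def generate_passphrase(length: int = 63) -> str:
    """Draw each character uniformly from ALPHABET using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; not valid for human-chosen text."""
    return length * math.log2(alphabet_size)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-key mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    if not 8 <= len(passphrase) <= 63 or any(c not in ALPHABET for c in passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_passphrase(passphrase: str, wordlist: set) -> list:
    """List the reasons a passphrase is exposed to a dictionary search.

    The character-class and length checks are heuristics chosen for this
    example, not part of any standard.
    """
    findings = []
    if passphrase.lower() in wordlist:
        findings.append("listed in the wordlist")
    if passphrase.isalpha() or passphrase.isdigit():
        findings.append("single character class")
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    return findings


# Constructed sample data: a tiny stand-in for a real wordlist.
SAMPLE_WORDLIST = {"password", "letmein123", "rogers2018"}

if __name__ == "__main__":
    # Passphrase/SSID pair taken from the IEEE 802.11i PSK test vectors.
    print(derive_pmk("password", "IEEE").hex())
    print(audit_passphrase("password", SAMPLE_WORDLIST))
    strong = generate_passphrase()
    print(strong, round(random_entropy_bits(len(strong)), 1), "bits")
    print(audit_passphrase(strong, SAMPLE_WORDLIST))
```

The derived key is 256 bits, so a uniformly random 63-character passphrase already carries more entropy than the key it produces.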

On 2018-09-16 02:57 PM, James Knott via talk wrote:
> Will WPA be cracked in the future ?
> It's extremely unlikely that WPA will be cracked just like WEP was.
A method of cracking WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm was found in 2009. It was reported that the attack does not work on WPA systems using Advanced Encryption Standard (AES) algorithm, or WPA2 devices. However, WPA2 was cracked as of last October.

--
Cheers!

Kevin.

http://www.ve3syb.ca/               | "Nerds make the shiny things that
https://www.patreon.com/KevinCozens |    distract the mouth-breathers, and
                                    |    that's why we're powerful"
Owner of Elecraft K2 #2172          |
#include <disclaimer/favourite>     |              --Chris Hardwick

On 09/16/2018 03:33 PM, Kevin Cozens via talk wrote:
> On 2018-09-16 02:57 PM, James Knott via talk wrote:
> > Will WPA be cracked in the future ?
> > It's extremely unlikely that WPA will be cracked just like WEP was.
> A method of cracking WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm was found in 2009. It was reported that the attack does not work on WPA systems using Advanced Encryption Standard (AES) algorithm, or WPA2 devices. However, WPA2 was cracked as of last October.
Still, it's more effective than relying on properly placing foil. As I recall, there's WPA3 in the works, which should be more secure. Then again, I suppose they could always set up a RADIUS server. ;-)

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3

On 09/16/2018 02:42 PM, Don Tai wrote:
> I am assuming that on the Rogers router you are already using WPA2 and that someone has cracked it using a tool like AirCrack-NG (Kali dist or download). Physical barriers to limit signal strength will not alone protect you. There are numerous tutorials out there on how to use Aircrack-NG.
You can't assume people use a decent password. That's why I suggested www.grc.com.

BTW, I am currently rereading "The Cuckoo's Egg", by Clifford Stoll. I first read it almost 30 years ago, when I was a computer tech maintaining VAX 11/780 computers, among others. It's a good read that describes attacks on a computer and what was done to track down the attacker. IIRC, the VAX's had a default account "admin" and password "password", which often wasn't changed. So, even with the big systems, security wasn't always the greatest. Back in those days, it wasn't all that hard to walk in from Front St., past the security desk, hop on the elevator and walk into the data centre. My wife did that on occasion, to meet me. IIRC, there weren't even locks on the data centre doors until the first Gulf war.

https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

On Sun, 16 Sep 2018 13:50:14 -0400 James Knott via talk <talk@gtalug.org> wrote:
> On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> > What's a good approach? I have considered
> Many people use separate routers, as they're not happy with the Rogers hardware. I run pfSense on a refurb computer. All you have to do is put the modem in bridge mode and connect your router. Also, you may want to get something other than a Cisco modem. Rogers doesn't support IPv6 on them. I have a Hitron modem in bridge mode.
My DSL modem has a firewall feature that my vendor recommends not using. I have a wireless router that serves as my firewall, and I have a long security key. I am so glad I took typing in high school.

--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 09/17/2018 09:07 AM, Howard Gibson via talk wrote:
> On Sun, 16 Sep 2018 13:50:14 -0400 James Knott via talk <talk@gtalug.org> wrote:
> > On 09/16/2018 01:45 PM, David Collier-Brown via talk wrote:
> > > What's a good approach? I have considered
> > Many people use separate routers, as they're not happy with the Rogers hardware. I run pfSense on a refurb computer. All you have to do is put the modem in bridge mode and connect your router. Also, you may want to get something other than a Cisco modem. Rogers doesn't support IPv6 on them. I have a Hitron modem in bridge mode.
> My DSL modem has a firewall feature that my vendor recommends not using. I have a wireless router that serves as my firewall, and I have a long security key. I am so glad I took typing in high school.
Take a look at the TR-069 standard. It allows a service provider to remotely manage and control the device at the customer location.

This can be a great thing if you have unsophisticated customers who need help but it does mean that you have complete control over their security and can do what you like with their device.

I would suggest that if you're concerned about external hacks or access get a device that has the TR-069 removed or disabled.

--
Alvin Starr       || land: (905)513-7688
Netvel Inc.       || Cell: (416)806-0133
alvin@netvel.net  ||

On 2018-09-16 1:45 p.m., David Collier-Brown via talk wrote:
> I have a Rogers-supplied router and cable modem package, which twice has shown significant usage when I was out, once with the original unit and once with their replacement Cisco. That makes me suspicious of the current state of authentication for wi-fi schemes (and I use the term "schemes" advisedly: they used to be horribly leaky (;-))
>
> What's a good approach? I have considered
>
> * MAC address lists,
> * no wi-fi (strictly wired doesn't work with solid concrete walls),
> * a second router with a more secure protocol (/is/ there such a protocol? And will my wife's Mac speak it?))
> * something I haven't thought of
>
> --dave

I've set up MAC address lists, after a surprising number of reboots to unwedge the router (did I even mention I hate flaky PC-style software?).

How can my hacker avoid them? Wait until my wife's Mac drops off-line and steal her MAC?

--dave

--
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                      -- Mark Twain

On 16/09/18 17:51, David Collier-Brown via talk wrote:
> I've set up MAC address lists, after a surprising number of reboots to unwedge the router (did I even mention I hate flaky PC-style software?).
> How can my hacker avoid them? Wait until my wife's Mac drops off-line and steal her MAC?
Actually I'd like to know more about your wifi setup. What kind of security is/was in place? I'd be somewhat dubious about a malicious hacker if you were using WPA2 with a decent passphrase. Ok, if WEP, well that takes a few minutes, but if you're using WEP then all hope is lost..

If WPA2, try it out, fire up aireplay, capture the 4 way handshake and then run wpacrack against it with a decent dictionary. If you have a moderately ok passphrase, it will take days on a decently specced machine to brute force it, if at all.

Howto here: https://aircrack-ng.org/doku.php?id=cracking_wpa

Are you sure something else isn't going on?

On Sun, 16 Sep 2018, David Collier-Brown wrote:

|I have a Rogers-supplied router and cable modem package, which twice has shown
|significant usage when I was out, once with the original unit and once with
|their replacement Cisco. That makes me suspicious of the current state of
|authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
|used to be horribly leaky (;-))
|
|What's a good approach? I have considered
|
| * MAC address lists,
| * no wi-fi (strictly wired doesn't work with solid concrete walls),
| * a second router with a more secure protocol (/is/ there such a
|   protocol? And will my wife's Mac speak it?))
| * something I haven't thought of

1. yes, allow only designated MAC addresses
2. change SSID & don't broadcast it
2. consider LoRa as a possible adjunct/replacement
   https://en.wikipedia.org/wiki/LoRa

 O   .      Bruce Becker   Toronto, Ontario   +1 416 410 0879
  o _///_ //   Email: bdb@0123456789-abcdefghijklmnopqrstuvw.xyz
   <`)=  _<<   Cave Pilus Cani
      \\\  \\  ( Beware of the Hair of the dog ;)

Hey Dave, I agree with Bruce on his first 2 points, not sure about LoRa..

What I do is turn the bell wifi off, link it to my own router over the wire.

It'll take a few years for manufacturers and device makers, but WPA3 has been released. Doesn't help you now, but..

https://www.schneier.com/blog/archives/2018/07/wpa3.html
https://www.theverge.com/circuitbreaker/2018/6/26/17501594/wpa3-wifi-securit...

Cheers.

On Sun, Sep 16, 2018 at 09:47:59PM -0400, UU wrote:
> On Sun, 16 Sep 2018, David Collier-Brown wrote:
>
> |I have a Rogers-supplied router and cable modem package, which twice has shown
> |significant usage when I was out, once with the original unit and once with
> |their replacement Cisco. That makes me suspicious of the current state of
> |authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
> |used to be horribly leaky (;-))
> |
> |What's a good approach? I have considered
> |
> | * MAC address lists,
> | * no wi-fi (strictly wired doesn't work with solid concrete walls),
> | * a second router with a more secure protocol (/is/ there such a
> |   protocol? And will my wife's Mac speak it?))
> | * something I haven't thought of
>
> 1. yes, allow only designated MAC addresses
> 2. change SSID & don't broadcast it
> 2. consider LoRa as a possible adjunct/replacement
>    https://en.wikipedia.org/wiki/LoRa
>
>  O   .      Bruce Becker   Toronto, Ontario   +1 416 410 0879
>   o _///_ //   Email: bdb@0123456789-abcdefghijklmnopqrstuvw.xyz
>    <`)=  _<<   Cave Pilus Cani
>       \\\  \\  ( Beware of the Hair of the dog ;)
> _______________________________________________
> u-u mailing list
> u-u@unixunanimous.org
> https://unixunanimous.org/mailman/listinfo/u-u

--
Bill Duncan,         | http://billduncan.org/
bduncan@beachnet.org | - linux/unix/network
+1 416 697-9315      | - performance engineering

I'm on Bell, who gave me a Home hub 3000. It has a log, so you can see errors. You can even download the log, but the info is not very useful.
From the Bell router I also use RJ45 to my personal router.

On 17/09/18 08:37, James Knott via talk wrote:
> On 09/16/2018 09:47 PM, UU via talk wrote:
> > 2. change SSID & don't broadcast it
> That's generally not effective. It provides a false sense of security.
Likewise MAC address white listing. It is easy enough to use ip link set dev address, or ifconfig hw ether to spoof a MAC address.

Anyone who has gone to the trouble to crack your WPA2 PSK security will be able to spoof a MAC address. Their packet captures will contain legitimate authenticated clients that can be copied. arping can be used to hijack the MAC of a currently connected client as well, no need to wait for them to be offline.

So there's really no benefit to white listing if someone is targeting you - far more trouble to maintain, and very much encourages a false sense of security.

Cheers, Jamon

| From: David Collier-Brown via talk <talk@gtalug.org>
| To: UU <u-u@unixunanimous.org>, GTALUG Talk <talk@gtalug.org>

I don't think that it is great to post a message once to two public mailing lists. It can lead to odd entanglements. It's fine to separately post the same message to two lists.

I'm violating this suggestion with this message.

| I have a Rogers-supplied router and cable modem package, which twice has shown
| significant usage when I was out, once with the original unit and once with
| their replacement Cisco. That makes me suspicious of the current state of
| authentication for wi-fi schemes (and I use the term "schemes" advisedly: they
| used to be horribly leaky (;-))

Wow. Interesting. If it were me, I'd try to figure out who was doing this. But in reality that's probably more work than it is worth.

| What's a good approach? I have considered
|
| * MAC address lists,

MACs are so spoofable. Why bother?

If I remember correctly, OSX now has a feature that lets you use a random MAC on your wireless just to avoid other people tracking you.

| * no wi-fi (strictly wired doesn't work with solid concrete walls),

I don't imagine your threat models are so severe that this matters.

But for the paranoid: even traffic analysis (without decryption) reveals a lot.

| * a second router with a more secure protocol (/is/ there such a
|   protocol? And will my wife's Mac speak it?))

I think that the best compromise for most individuals who care even a bit is:

- Turn off the modem's WiFi and put it in bridge mode. You may have to repeat this after a power failure or a (generally unannounced) firmware update.

  Why: Rogers has 100% control of the modem (remote provisioning, firmware updates). They have (if they choose) access to your LAN unless you put something between the modem and the LAN.

- use your own wireless router. Choose one that has a decent radio and is well supported by OpenWRT. Run OpenWRT on it.

  Why: firmware from the manufacturers is crappy in known and unknown ways. Other third party firmware providers are badly constituted (dictatorships, NDAs, glued together bits of binary stuff).

- alternatively use a little PC and install whatever amuses you as software to make it a router.

  Why not: takes more resources than just using OpenWRT on consumer router hardware. Cost, time, electricity, noise, heat, risk of misconfiguring, maintenance effort.

  Why: more flexible, more controllable. Sometimes better performance. Can perform server roles (email, web, ...).

  This is what I do. I run CentOS on two of my three consumer-grade internet connections. I run Fedora 28 on the other -- that adds to the maintenance burden (so many updates!).

- alternative: <https://omnia.turris.cz/en/>

  I'd like this to be a great solution but I don't know whether it is. It's not as inexpensive as I'd like.

One of my connections is gigabit from Rogers. Ordinary wireless routers cannot pass 1G through unless proprietary NAT hardware acceleration is used. That hardware is not supported by OpenWRT. Even if it were, there are serious restrictions on what can be done to the packet before it gets punted to the software path.

My little PC solution seems to handle gigabit just fine. I use Zotac ZBoxes that come with two gigabit ethernet ports (only a few do). My gigabit gateway is an RI323Nano (out of production). My others (untested for gigabyte throughput) are both CI321NANO. These cost me about the same as an expensive router. I don't use them for providing WiFi. I use a couple of consumer WiFi routers as (just) APs.

As for WiFi passwords: make them long and replete with entropy. I use the mkpasswd command that is part of the expect package. Don't use the magic button on the router to make the password crap easier: it can make you vulnerable. Typing these is very error-prone so I use a USB flash drive to carry them to a new system.

On 09/17/2018 04:48 PM, D. Hugh Redelmeier via talk wrote:
> - Turn off the modem's WiFi and put it in bridge mode. You may have to repeat this after a power failure or a (generally unannounced) firmware update.
I've had my Rogers modem in bridge mode for several years and a few different models. I've never seen that.
participants (10)
- Alvin Starr
- Bill Duncan
- D. Hugh Redelmeier
- David Collier-Brown
- Don Tai
- Howard Gibson
- James Knott
- Jamon Camisso
- Kevin Cozens
- UU