Fizz /thread

Just setup a good wpa2 pw and call it a day and your set against all realistic threats to a residential network.

i have found the best way to keep others from using my wifi. is to turn it off when not in use.

i keep odd hrs so not so easy to track my online time for your usage. sure still possible to tag on. but easer else where.


.

Sounds like a good way to tell the neighborhood when you're home.

sure if they know where home is.

and not always on even when i am at home.

but then i am looking into a "better" grade home video security system. and a couple "other" items, this would require the modem to be on full time.


nothing is fool proof, but working in layers helps keep one safe. and i would believe not very many computer gurus live close to me. i live up in the hills so not a very large area for any to see me. let alone anyone around to try and get in.
most up here use the dish for there tv viewing. i do not even own a tv.


is there a program one can employ to detect if someone is trying to break into your system?


logging off now so i can go shoot up some targets.


will be home latter web off and i will be reloading a couple K each of ammo. need more .40 and 9mm. then back to .38 special, then .45 long colt, .45acp, back to 5.56, after that ? --keeps me busy and off the streets... and the web.

It's not difficult to triangulate a AP signal or the signals of its clients. It Requires some conscious effort (unlikely anyone will bother) but it is possible.

I used to do this to track down non-wifi devices transmitting on 2.4ghz with a spectrum analyzer to isolate interference. Even without this, you can use RSSI values sampled from different locations and/or directional antenna to get a pretty close guesstimate.

No program will tell you if someone is breaking into your wifi. For the most part I just need to record some traffic (4 way handshake) and I can discover your password offline, assuming your password is in my dictionary or generator.

wpa 2 and passwords by rigor

-------------------------

wpa 2 aes uses a 256 bit disposable key. this key rolls, (changes every hour). to protect your wifi network you need a key that is at least 256 bits long. it makes no sense to protect 256 bit encryption with a weaker 72 bit key. each time interval , say 60 minutes is encrypted using a different key. the actual key at 2pm is not the same as 3pm.


naturally a password that is at least 32 characters long would produce 256 bits, but NO. , because of the "printable ascii character set", so therefor, you should use a password that is at least 39 characters long.

95^39 = 1.35 E 77
2^256 = 1.15 E 77

Another thing that people forget is that WIFI WPA 2 PERSONAL uses a group key. every single person connected to the same wifi network is using the same key as you are. if you want each person's web traffic to be encrypted individually, you need WIFI WPA 2 Enterprise. what this basically means that is a PUBLIC encrypted wifi network (say coffee society or applebees) is the same as using a Public unencrypted network like McDonalds or starbucks. the only public wifi network that i know of that uses WPA2 PERSONAL is google secure in mountain view.


and lastly. the password you use to connect to your wifi network is not the same key that the wifi router uses to encrypt the wifi traffic. the only thing your wifi password does is to tell the router you are authorized to encrypt and decrypt all wifi traffic and its okay to give you the current temporary session key. and after an hour or so, the entire stream re-encrypts.

this is why you need a long password and you should not share it , or at least change your wifi password when your guest leaves.

wpa 2 hacking is an offiline attack. anyone can record your "8 way handshake packet" and take it home and work on it for 3 months or a googol years and eventually they can extract your wifi passphrase and come back and connect to your network. you can do this with either a pre-calculated dictionary (called a rainbow table ) of popular network names or throw several video cards at the puzzle.

oh and lastly to all those democrats who believe apple should retain encryption keys for law enforcement, well guess what. your wireless router has been changing keys every 60 minutes for the last 12 years and no one has been writing these down!!!!!

you might know your wifi password. you might know the wifi password of your neighbor. but you do not know what the encryption key was on september 8th 2016 at 215am.

oh, and hiding your network name doesn't do any good.

moral of the post. go to GRC perfect passwords. use a wifi password containing 64 characters. . don't hide your network name. use the full 512 bit passphrase.


XOXO
rigor

wifi trivia!

lets say i set my SSID to FBI VAN and i use a password like "Password1". i can either type "password1" or i can use the 64 hexadecimal long preshared key of
af287e092c89075f81e0f59e121d82e7dbb093eb07f6dfb954 be43ddbacf6f39. its the same thing. no matter how someone argues on forums about how long your password is should be it all gets hashed out and mixed with your wifi network name to 64 characters in the end.

^If I have the wi-fi password I only need to see a fresh handshake to decrypt all of the traffic during that session. I can force this to happen by sending the client a spoofed deauthentication. This will force the client to reconnect to the AP so I can see the handshake. From that and the password all the traffic is visible as if I had Wireshark on the victim machine. The rekey interval is no security at all. Even if I miss the shake I can spam deauthentication until I get it.

I disagree that password needs to be 39 character or more. Even if the key space is known to be 10 characters, as long as those 10 are alphanunerical and have some special characters it would take so long to calculate the hashes, even with a GPU farm that the network is unfeasible to compromise. It'd take less time and resources to just break in the old fashion way.

Tagged...

Besides passwords with alphanumeric and special characters, if you know a foreign language, password creation is a good place to use it.

If you know more than one foreign language, combining them in password creation along with the use of alphanumerics and special characters, will make it that much harder.

Finally, there are many terms you may be familiar with that won't be found in common dictionaries if you work in specialty industries - scientific or otherwise - pharmacology, chemistry, medical, astrophysics, archeology, anthropology, etc.

Limit the transmission power of the access point.

Not being in range of alot of people will not necessarily protect you. The only thing that says is "my wifi antenna is <this> weak"

Theoretically someone can point a higher powered antenna and communicate quite easily with a cheap off-the-shelf router from long distances.

A quality WPA2 password, one with caps, symbols, etc, and have WPS disabled is for all intensive purposes secure. Maybe the government with a supper computer will break it but the average miscreant will not. WPS is the biggest weakness most routers have, its much easier to break the 8 digit numeric pin then someones password.

To add on.

You have an access point and clients. These do not communicate directionally (usually - there are ways to directionalize transmissions), rather, wireless signals are broadcast in essentially a sphere (the signals can be received - but not necessarily readily understood - by all within range of the sphere). This goes for the access point and the clients; there are two 'speakers' and two 'listeners' in the conversation.For example, when I type, calguns.com into my browser, my laptop (client) is a speaker. When the Access Point sends me the text and images for calguns.com, the AP is a speaker and I am a listener.

When the AP is speaking, the client is listening and vice versa (Wireless is half-duplex, you can't send and receive at the same time without interfering with yourself * there are exceptions*)

So if you limit the power of the access point, you're making the client have a harder time listening; the client may have to ask the AP to repeat information (retransmit a missing frame). This usually manifests to the user as slow video buffering, slow pages, etc.However, the client is still talking just as loudly when communicating TO the AP. One half the the conversation is 'muffled' but who's to say that what the client is saying isn't also potentially compromising/interesting information?

There are other reasons to limit AP power, but security isn't it.

Also, an attacker can use a directional antenna to do two things. Increase the size of the sphere it can 'hear' from the AP AND increase the AP ability's to 'hear' the attacker from afar, think of the effect of megaphones and satellite dishes.

Most attackers are interested in the conversation between the AP and the Client, not necessarily communicating with the router. However, communication with the router can be a platform for other attacks such as Rogue DHCP servers (I can direct ALL the traffic on the network through me by making me the gateway - AKA Man in the middle attack), DNS attacks (I can make wellsfargo.com go to a website I control to get your PW), etc.

TL;DR - have a good password - The MAC filters, Turning Ap on/off, hiding ssid, limiting power, etc. has the same effect of signing your credit card receipt. Security theater; inconvenience and headache that makes you believe you're more secure than you are.

Did you try ISL Online? They put a lot of effort in their security. It`s not expensive and you can get a free trial.

So in summary USE A STRONG PASSWORD and you are good to go on WPA2.

Strong passwords can only be brute forced. This is done as people stated earlier by sniffing your handshake with the router. They only get the hash of your password though. The hash is what your password turns into after it is cranked through WPA2's AES-256 encryption. The only way the attacker can then get your real password is by running guess passwords through AES-256 until one of their guesses spits out a matching hash. To try all of the possible guesses would take a mass of supercomputers longer than the age of the universe to do.

SO, the attacker hopes you used a stupid password made up of dictionary words with little or no numbers or symbols. There are websites online that will take the stolen hash and compare it to their massive pre-calculated tables of billions of simple dictionary word based password/hash combos and return the correct password.

But again. Using a strong password kills the dictionary attack and leaves only the trillion year process of brute force. Unless of course mathmaticians can someday solve the P=NP problem and find linear time solutions for these exponential time problems, but that is unlikely.