lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 6 Apr 2007 15:09:46 -0500 (EST)
From: "Steven Adair" <steven@...urityzone.org>
To: "Troy Cregger" <tcregger@...nedyinfo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: WEEPING FOR WEP

I do not use WEP at home.  I use WPA2 on my home network.  I agree with
the majority of what you both have said.  However, if you solely relied on
the risk level as the reason not upgrading to a more secure mechanism, I
would say you are doing yourself a disservice.  Now since I often rely on
NIST for guidance, I will reference NIST SP 800-30.

"Risk is a function of the likelihood of a given threat-source’s
exercising a particular potential vulnerability, and the resulting impact
of that adverse event on the organization."

Now we might not allow agree with NIST or follow what they write, but they
are smart people doing a good job from my point of view.  However, I would
have to say for almost all home users and even most business environments
the "impact" that a successful attack would also be rated as low.  These
conversations have been focusing on likelihood of an attack.  Well
likelihood can fluctuate all of the time.  It will probably be low, but it
can change depending on your environment from a day-to-day basis.

So let's just say for the purposes of the discussion that there was a very
high likelihood someone is going to attack your home WEP network and they
are also capable of doing so.  Now what is the impact?  I doubt the real
potential impact would be crucial to ruin or end your life.  If you go to
shopping and banking sites that use TLS/SSL and you check your certs you
probably won't have your credit card information or identity stolen.  For
them to actually break into your machine once on the network there would
have to be more vulnerabilities resulting in the compromise of your
machine.  Maybe the person launches attacks and does bad stuff from your
IP address and you might at worst get paid a visit (worst case scenario).

When you look at the impact that would probably caused you have a low
impact.  Couple that with a low, medium, or high likelihood and you still
have LOW risk.  By these definitions WEP good enough in most situations. 
Heck by these definitions an open network might even be low risk in many
cases.

There is no question that there is a vulnerability with WEP that can be
exploited.  The question is whether or not someone will actually take the
time to exploit this vulnerability and what will happen as a result?

What I am getting at is that the cost of using WPA2 in many instances is
negligible if there is a cost at all.  How many people are using a Linksys
WRT54G and a laptop that is less than 3 years old.  Chances are all of
these users can support WPA at minimum.  I've had to run a separate
network for WEP users so I am not oblivious to that fact that not everyone
supports it.  However, their are PCMIA/PCI/USB wireless cards that can be
added at a low cost *if* WPA(2) is not already supported.

It seems all [most] new hardware support WPA(2).  The cost is very low and
it's readily available and accepted.  Why NOT use WPA(2) if you can?  Do
you use the Caesar Cipher to encrypt your data or AES-256?  If you just go
by risk, you could just use the Caesar Cipher half of the time.  The
likelihood someone will get your "encrypted" data is low, right?  You
cannot base all your decisions around risk of likelihood.  Especially when
there are easy, low cost, and efficient alternatives.

Also, as a side note, WPA(2) Personal mode with a strong passphrase is a
lot easier to remember than a WEP key...unless you have one of the
utilities that generates the key for you.  Even then you have diminishing
returns.

Steven



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I use WEP at home, even though my house is far enough from the road to
> make it rather difficult for someone to jump on my network.
>
> Even if someone decided to hide in the woods at the edge of my yard with
> a laptop they're more likely to be eaten by a bear, sprayed by a skunk,
> or chewed alive by mosquitoes than collecting enough packets to crack
> the WEP key, so WPA or LEAP would be overkill.
>
> Like you said, measurement of risk.
>
>
> neal.krawetz@....hush.com wrote:
>> seconds. Knowing that WEP is no more secure than a plastic luggage
>> lock, many people are questioning whether WEP is even useful at all.
>>
>> While I certainly do not recommend WEP for high security (or even
>> moderate risk) environments, you need to remember: security is a
>> measurement of risk. If the threat is low enough, then WEP should
>> be fine.
>>
>> WEP actually has three things going in its favor:
>>
>>    * Availability: While there are many alternatives to WEP, such
>> as WPA and LEAP, only WEP is widely available. Hotels and coffee
>> shops that only cater to WPA or LEAP will not support many of their
>> customers. However, if you support WEP then everyone should be able
>> to access the network.
>>
>>    * Better than nothing: There's a saying in Colorado: I don't
>> have to run faster than the bear, I just have to run faster than
>> you. If a casual war driver or WiFi-parasite has the option to use
>> your WEP system or your neighbor's open system, they will always
>> choose your neighbor. Having WEP makes you less desirable than an
>> open WiFi because there is no effort needed to use the network. If
>> you happen to live next to a coffee shop or library that offers
>> free WiFi, then the casual wireless user who just wants Internet
>> access will always choose free over the hassle of cracking WEP.
>> While WEP does not block a determined attacker who wants your
>> network, it will stop opportunistic network users.  Attackers tend
>> to not be sophisticated and do not choose their targets.  Attackers
>> are much like Russian roulette players, and like Russian roulette
>> players are usually both Russian and not very intelligent.
>>
>>    * Intent: This is a biggie. If someone trespassed on your
>> private network through an open wireless access point, then proving
>> digital trespassing can be very difficult. However, if the user
>> must bypass your minimalist WEP security, then they clearly show
>> intent to trespass.
>>
>> Consider WEP like a low fence around a swimming pool. Without the
>> fence, you are in trouble if a neighborhood kid drowns in the pool.
>> It's an "attractive nuisance". However, with the fence, you should
>> be covered if a kid climbs the fence and drowns. It's still bad,
>> but you have a standing to refute blamed since you put up a
>> barrier, even if the barrier was minimal.
>>
>> As far as WEP goes, it may not be very secure, but it is better
>> than the open-network alternative. If you have the option to use a
>> stronger security algorithm, then definitely do that. However, if
>> you have no other option, then WEP is better than nothing.
>>
>> - Dr. Neal Krawetz, PhD
>> Author of "An Advanced Guide to chmod(1)" and "An Introduction to
>> Graphical Wrappers for apt and dpkg in Ubuntu"
>>
>> I am best known for spending two weeks figuring out alternatives to
>> single user mode on my Mac.  PhD powah!
>>
>> http://www.hackerfactor.com/blog/
>
> - --
> Click to consolidate debt and lower month expenses
> http://tagline.hushmail.com/fc/CAaCXv1QPxZfhpzcJ4Xn8PICitIjcFxD/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> - --
> Troy Cregger
> Lead Developer, Technical Products.
> Kennedy Information, Inc
> One Phoenix Mill Ln, Fl 3
> Peterborough, NH 03458
> (603)924-0900 ext 662
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGFpY5nBEWLrrYRl8RAujxAJ4/emoKx9/vwwteZeGrBdEQNJq7YwCfRT+H
> w5n4HjI21HB4ENS5a2hkTI0=
> =8pPp
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> !DSPAM:461696bd242612853513125!
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ