Re: [Dorset] SSID Hiding
On 07/02/17 09:02, PeterMerchant via dorset wrote:
> On 06/02/17 16:19, Terry Coles wrote:
>> Hi,
>>
>> I have just installed a shiny new Netgear VDSL Router to replace the never
>> updated Plusnet supplied one.
>>
>> The main reasons that I bought it are that the Plusnet router has the above
>> mentioned lack of security patches and the inability to filter on MAC
>> Addresses or hide the SSID.
>
> What's the point of a hidden SSID when the moment any device starts talking
> to that SSID, a listener can see it in the ether?

One reason to use it is where you have multiple SSIDs (say mySSID which gives full access to an internal network and mySSID-Guest which just gives visitors access to the internet). Saves the confusion of a visitor trying to connect to mySSID with the mySSID-Guest password.

Cheers
Tim

--
Next meeting: Bournemouth, Tuesday, 2017-02-07 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
New thread: mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well: http://goo.gl/4Xue / TO THE LIST OR THE AUTHOR

Re: [Dorset] SSID Hiding
On 07/02/17 09:40, Terry Coles wrote:
> On Monday, 6 February 2017 16:19:26 GMT Terry Coles wrote:
>> I have just installed a shiny new Netgear VDSL Router to replace the never
>> updated Plusnet supplied one.
>>
>> The main reasons that I bought it are that the Plusnet router has the above
>> mentioned lack of security patches and the inability to filter on MAC
>> Addresses or hide the SSID.
>
> Thanks for all the comments on SSID hiding. Overnight, my son had problems
> with a couple of Windows machines that he uses and during his researches he
> also discovered the issues with spoofing etc mentioned by Ralph et al.
>
> As a result, I've now turned SSID hiding off. I will be asking Netgear for
> their opinion, given the debate.

Just for interest, does Wifi Analyzer on Android see the hidden SSID?

P.

Re: [Dorset] SSID Hiding
On Monday, 6 February 2017 16:19:26 GMT Terry Coles wrote:
> I have just installed a shiny new Netgear VDSL Router to replace the never
> updated Plusnet supplied one.
>
> The main reasons that I bought it are that the Plusnet router has the above
> mentioned lack of security patches and the inability to filter on MAC
> Addresses or hide the SSID.

Thanks for all the comments on SSID hiding. Overnight, my son had problems with a couple of Windows machines that he uses and during his researches he also discovered the issues with spoofing etc mentioned by Ralph et al.

As a result, I've now turned SSID hiding off. I will be asking Netgear for their opinion, given the debate.

--
Terry Coles

Re: [Dorset] SSID Hiding
On 06/02/17 16:19, Terry Coles wrote:
> Hi,
>
> I have just installed a shiny new Netgear VDSL Router to replace the never
> updated Plusnet supplied one.
>
> The main reasons that I bought it are that the Plusnet router has the above
> mentioned lack of security patches and the inability to filter on MAC
> Addresses or hide the SSID.

What's the point of a hidden SSID when the moment any device starts talking to that SSID, a listener can see it in the ether?

Here's a debunking of the Hidden SSID feature:
http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/

FWIW long ago my home SSID was the same as my work one so that I didn't have to change networks when I brought my laptop home. It wasn't automatic to change networks back then. Later it made for some fun when both networks had the same SSID but different WPA keys.

Cheers,
Peter

Re: [Dorset] SSID Hiding
Hi Terry,

> Patrick wrote:
> > Determining and spoofing the MAC address and SSID is totally
> > feasible.
>
> But probably not by an up and coming geek.

It's pretty easy due to programs like
https://en.wikipedia.org/wiki/Kismet_(software) and
https://en.wikipedia.org/wiki/Aircrack-ng
I'd expect the Minecraft-playing kid next door could graduate to playing around having Googled some of the many tutorials.

Cheers, Ralph.

Re: [Dorset] SSID Hiding
Hi Patrick,

> That is interesting to consider. I wonder how the psychology works
> out. Are hidden networks "off the radar", or do they look like juicier
> targets, because somebody is trying to hide them?

I could imagine the latter. When faced with N networks to attack and limited resources, it probably won't be a random choice. And if someone has set their own SSID, and thinks `tvdetectorvan' is amusing, then they may be doing a lot of the set up themselves thus making mistakes.

> Are attackers even looking for SSIDs that stand out?

I would, if the alternative is mind-numbing homogenous lists. A neighbour here has house number plus first word of street name. Or someone does that wants to pretend to be that neighbour. :-)

> Some attackers might actually be attracted to default-sounding SSIDs,
> in the hope of finding an easy target with a weak password.

By having some kit that's not Sky's, for example, have a `SKY*' SSID, then perhaps that's a slight impediment to their assumptions.

> I think WPA2-PSK uses mutual authentication of the client and access
> point.

Yes, a Pairwise Master Key is achieved through the Four-Way Handshake that shows both parties knew the secret. WPA2-EAP also achieves this.

One other point; there's no Forward Secrecy with WPA2 so an attacker can record encrypted data in the hope of one day gaining access and decrypting their backlog. That might be because you give it to them as a visitor knowing you're not doing anything yourself with wifi at the time and thinking you'll change it as soon as they've gone.

Cheers, Ralph.

Re: [Dorset] SSID Hiding
Hi Terry,

> > https://en.wikipedia.org/wiki/Network_cloaking
>
> I'm assuming that you're referring to the following extract:
>
> 'Worse still, because a station must probe for a hidden SSID, a fake
> access point can offer a connection.'
>
> Correct me if I'm wrong, but wouldn't that fake AP have to spoof the
> MAC Address of my Router or know what the SSID was?

If the SSID is hidden then the WAP isn't sending out occasional broadcast "Cooeee" beacons containing the SSID allowing all clients to passively listen to find out what are within earshot. Instead, your client, knowing the desired SSID, will send out a "probe request", described on that page:

    Probe request frames are sent unencrypted by the client computer
    when trying to connect to a network. This unprotected frame of
    information, which can easily be intercepted and read by someone
    willing, will contain the SSID.

AIUI, it will send it on all the configured channels and for all hidden SSIDs it knows about which are set to "auto-connect". So a device that gets about a bit might be sending quite a few packets.

Perhaps you can tell it the WAP MAC address so the probe-request packet has that as the destination address, but the packet is in the ether and audible to all so a promiscuous interface, the technical term for one configured to take all packets, not just those matching its own MAC address, will see the probe request, its SSID, and, if it wasn't a broadcast packet, the expected WAP's MAC address. It can use those in its forged reply. (Does Android allow you to set the expected WAP's MAC address for a hidden SSID?)

You could install Wireshark and see if it will show you all the packets within wifi earshot.

> I'm using MAC Address filtering too (as well as WPA2 PSK encryption).

I do that too, though mainly so there's a central place where I've noted what's what.

> Anyway they all connect to hidden networks; even my Raspberry Pi!

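An added illustration of the beacon and probe-request behaviour described in the message above (not part of the original thread): a small parser run over constructed 802.11 management frames, showing that a cloaked beacon carries no network name while the client's probe request carries it in clear text. The frames, MAC addresses and the SSID `ExampleHome` are made up, and the frames are assumed to start at the 802.11 header with no radiotap header or FCS.

```python
# Added example: constructed frames only, no radiotap header or FCS assumed.
MGMT_HDR_LEN = 24                          # frame control through sequence control
FIXED_FIELDS = {0x4: 0, 0x5: 12, 0x8: 12}  # bytes before the tagged elements
KIND = {0x4: "probe-request", 0x5: "probe-response", 0x8: "beacon"}

def parse_ssid(frame: bytes):
    """Return (kind, transmitter MAC, SSID) for a beacon or probe frame.

    SSID is None when the element is empty or all NUL bytes, which is how a
    cloaked beacon (or a wildcard probe request) appears on the air.
    """
    if len(frame) < MGMT_HDR_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_FIELDS:
        raise ValueError("not a beacon or probe frame")
    sender = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2
    pos = MGMT_HDR_LEN + FIXED_FIELDS[subtype]
    while pos + 2 <= len(frame):           # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elen]
        if len(value) < elen:
            raise ValueError("truncated information element")
        if eid == 0:                       # element ID 0 carries the SSID
            named = elen > 0 and any(value)
            return KIND[subtype], sender, value.decode("utf-8", "replace") if named else None
        pos += 2 + elen
    return KIND[subtype], sender, None

def build(subtype: int, sender: bytes, receiver: bytes, ssid: bytes) -> bytes:
    """Construct a minimal management frame for the demonstration."""
    header = bytes([subtype << 4, 0, 0, 0]) + receiver + sender + receiver + b"\x00\x00"
    rates = bytes([1, 1, 0x82])            # Supported Rates element, 1 Mbit/s
    return header + bytes(FIXED_FIELDS[subtype]) + bytes([0, len(ssid)]) + ssid + rates

# Constructed sample data (locally administered MAC addresses).
AP = bytes.fromhex("020000000001")
LAPTOP = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
CLOAKED_BEACON = build(0x8, AP, BROADCAST, b"")        # zero-length SSID
NUL_BEACON = build(0x8, AP, BROADCAST, bytes(11))      # SSID blanked with NULs
PROBE = build(0x4, LAPTOP, BROADCAST, b"ExampleHome")  # client asking by name

if __name__ == "__main__":
    for frame in (CLOAKED_BEACON, NUL_BEACON, PROBE):
        print(parse_ssid(frame))
```

Both beacons yield no name, while the laptop's probe request yields `ExampleHome` along with the laptop's own address.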
Re: [Dorset] SSID Hiding
On Tuesday, 7 February 2017 07:47:19 GMT Patrick Wigmore wrote:
> MAC address filtering does not really add any security. Before it
> comes into play, the attacker still needs to crack your WPA2
> encryption. If that's within their capability, then they almost
> certainly know how to discover and spoof an authorised MAC
> address by eavesdropping on your network traffic.

A fair point.

> Determining and spoofing the MAC address and SSID is totally
> feasible.

But probably not by an up and coming geek. I live on the edge of Corfe Mullen, if there are any seasoned, skilled and determined hackers out there, then they'll probably get through anyway.

To a certain extent, I agree with you and Ralph on this; some of these measures are simply security theatre; the manufacturers want to be seen to be doing something. However, my view is that by using belt, braces *and* safety pins, all but the most determined are likely to fall at one hurdle or another.

--
Terry Coles

Re: [Dorset] SSID Hiding
On Monday, 6 February 2017, at 19:50:24 GMT, Terry Coles wrote:
> I understand what that is saying, but I'm not just relying on
> cloaking; I'm using MAC Address filtering too (as well as WPA2
> PSK encryption).

MAC address filtering does not really add any security. Before it comes into play, the attacker still needs to crack your WPA2 encryption. If that's within their capability, then they almost certainly know how to discover and spoof an authorised MAC address by eavesdropping on your network traffic.

> My main reason for using it is to reduce the chances of some
> young up and coming geek from even trying to hack me.

That is interesting to consider. I wonder how the psychology works out. Are hidden networks "off the radar", or do they look like juicier targets, because somebody is trying to hide them?

I find Ralph's suggestion of choosing a SSID that doesn't stand out interesting too. Are attackers even looking for SSIDs that stand out? Some attackers might actually be attracted to default-sounding SSIDs, in the hope of finding an easy target with a weak password.

But, mind-games aside, at the end of the day you are still just relying on the WPA2 encryption. If that's broken, then the other measures are just ways to paper over cracks in the dam.

> 'Worse still, because a station must probe for a hidden SSID, a
> fake access point can offer a connection.'
>
> Correct me if I'm wrong, but wouldn't that fake AP have to
> spoof the MAC Address of my Router or know what the SSID was?

Determining and spoofing the MAC address and SSID is totally feasible.

However (and I could be wrong about this -- I was unable to verify with a web search), I think WPA2-PSK uses mutual authentication of the client and access point. So, your devices would not connect to a fake access point unless the fake AP could prove that it knew the passphrase for your network. If the attacker knows the passphrase, then all bets are off.

Re: [Dorset] SSID Hiding
Hi Terry,

> hide the SSID.

You may not want to bother doing this as there are downsides, especially if you take any of those devices elsewhere.
https://en.wikipedia.org/wiki/Network_cloaking

I just plumped for a SSID that matched the pattern of the majority of my neighbours so I didn't stand out.

> The wireless connects fine until I hide the SSID and then the
> Transformer reports that there is no Internet and there is no wireless
> symbol in the task bar.

I think I had that in the past, it certainly seems common for Android according to Google. Most success seems to come from deleting Android's entry added when the SSID was beaconed, and then re-entering the details manually, remembering it's all case sensitive.
http://androidforums.com/threads/connecting-to-wifi-network-with-a-hidden-ssid.123819/#post-7450833

Cheers, Ralph.

[Dorset] SSID Hiding
Hi,

I have just installed a shiny new Netgear VDSL Router to replace the never updated Plusnet supplied one.

The main reasons that I bought it are that the Plusnet router has the above mentioned lack of security patches and the inability to filter on MAC Addresses or hide the SSID.

Having set the router up, I find that all of the devices in the house work fine, except an aging (but frequently used) Asus Transformer. The wireless connects fine until I hide the SSID and then the Transformer reports that there is no Internet and there is no wireless symbol in the task bar. A message then pops up stating that wireless networks are available, but needless to say, not my hidden ones.

Devices that work include two Android phones, a Chromebook, a Raspberry Pi, two Win 10 machines (an old MSI laptop and a new home-brewed gaming desktop), a Roku TV box, a Panasonic TV box, a YouView TV box and this Dell Optiplex running Kubuntu.

I'm assuming that the problem is the incredibly early version of Android on the Transformer, but has anyone got any other ideas?

--
Terry Coles