Originally posted by macman
Go to a 16 digit password, using uppercase, lowercase, letters, numbers and special characters.

At minimum. I use a random 63-digit upper/lowercase/numeric/special character password for my WPA2.

It is very sad that there are so many uninformed and uneducated wireless users. All we can do is continue to educate and assist others in securing their wireless (and wired) networks as much as we can.

Originally posted by macman

Originally posted by ophis
Simply setup password which will look something like that:

"This Is My Super S3cret P4ssword 4nd No 1 Will Ever H4ck It"

Good look brute forcing it.... 100 000 years.

No Special Characters????
A good old packet capture as you first sign on could negate that.
Given you have the right tools and training.

SPACE (empty) is threated as a special character.

This is a good thread.

WPS has always been questionable in my eyes that is why i only use tried and test LAN from my Router and disable all Wi-Fi

Good to see someone trying to make people aware of this risk!

Thank you

Originally posted by ophis

Originally posted by macman

Originally posted by ophis
Simply setup password which will look something like that:

"This Is My Super S3cret P4ssword 4nd No 1 Will Ever H4ck It"

Good look brute forcing it.... 100 000 years.

No Special Characters????
A good old packet capture as you first sign on could negate that.
Given you have the right tools and training.

SPACE (empty) is threated as a special character.

Some devices won't allow empty space, thus the reason why people resort to the "_".
Also, when the space is used, that, by a lot, is the first character attempted.

To _R4t_ or anyone else that can answer.

How is it that Verizon FIOS's crappy router can be updated (firmware and password) by Verizon without ever stepping foot in my home?

How do they do that? By accessing my router behind my back, I suspect they can actually see my network as well. How do I block their access (to router and network)?

I realize that my inquires are not specifically about wireless issues, but they do refer to security on a router so it is partly on-topic.

-E2

Originally posted by grey580
This is assuming you use WPS.
I never use it.
And assuming also that it gets turned off when you use manual mode.
This isn't a problem.
Just go into the router and use the manual setting.

Correct. However many vendors ship with this setting enabled and if history has taught us anything its that most folks wouldn't think twice to disable it. Your suggestion is what should happen but reality says otherwise.

brill

Originally posted by EyesII
To _R4t_ or anyone else that can answer.

How is it that Verizon FIOS's crappy router can be updated (firmware and password) by Verizon without ever stepping foot in my home?

How do they do that? By accessing my router behind my back, I suspect they can actually see my network as well. How do I block their access (to router and network)?

I realize that my inquires are not specifically about wireless issues, but they do refer to security on a router so it is partly on-topic.

-E2

edit on 30-12-2011 by EyesII because: (no reason given)

If it's their gear then sure they'd have access. Just stick another router between their network and yours or put up a firewall to protect your private network.

brill

Originally posted by brill

Originally posted by EyesII
To _R4t_ or anyone else that can answer.

How is it that Verizon FIOS's crappy router can be updated (firmware and password) by Verizon without ever stepping foot in my home?

How do they do that? By accessing my router behind my back, I suspect they can actually see my network as well. How do I block their access (to router and network)?

I realize that my inquires are not specifically about wireless issues, but they do refer to security on a router so it is partly on-topic.

-E2

edit on 30-12-2011 by EyesII because: (no reason given)

If it's their gear then sure they'd have access. Just stick another router between their network and yours or put up a firewall to protect your private network.

brill

Yes this is possible I work for a major ISP we have the same setup, its pretty basic we use a "automatic configuration server" This means that whenever the customer's modem sync the server check if the firmware is up to date and if its configured properly if not it FTP to the modem and overwrite the current config with the last known good one. This is assuming your modem is using our/their stock firmware because it contain a limited access username/password that it use to connect to the DSLAM but it terminate into a jailed environment that terminates with the configuration server. Its impossible to use this to get out to the internet there's simple not gateway access in between the two.

After the "Last known good config" has been FTP'd and overwritten the old one the modem is forced to restart then use the new settings and customer is fixed. But this don't allow us to check your stuff and access your network and if we'd modify anything in there you'll be greated with "The stored security settings for this machine does not match the ones on the network" by windows Vista and Win 7 which pretty much make it hard to get around even if we'd want to... and the current way wifi keys are encrypted is through a one way cypher so its pretty safe. Even with your config file we can't reverse it to get the key ascii/hex values so...

Originally posted by brill

Originally posted by EyesII
To _R4t_ or anyone else that can answer.

How is it that Verizon FIOS's crappy router can be updated (firmware and password) by Verizon without ever stepping foot in my home?

How do they do that? By accessing my router behind my back, I suspect they can actually see my network as well. How do I block their access (to router and network)?

I realize that my inquires are not specifically about wireless issues, but they do refer to security on a router so it is partly on-topic.

-E2

edit on 30-12-2011 by EyesII because: (no reason given)

If it's their gear then sure they'd have access. Just stick another router between their network and yours or put up a firewall to protect your private network.

brill

No its not really possible even though you have access to the modem we're limited by what the modem itself can do as an example we can't access the admin panel as this is only accessable from your LAN and not the WAN (internet) some firmwares may allow WAN access to control panels but then again they are rare and usually we disable this for the same reasons you don't want it... we don't want customers to get hacked because then they call in and every time a customer call in it cost the company about 7$ per call... so this is one of the rare cases where corporate greed serve you and not them lol

Originally posted by EyesII
How is it that Verizon FIOS's crappy router can be updated (firmware and password) by Verizon without ever stepping foot in my home?

How do they do that? By accessing my router behind my back, I suspect they can actually see my network as well.

They don't have people sitting in chairs looking at peoples' routers to see if they need updating. Your router's firmware automatically checks a specific web address at certain time intervals to see if there is an updated firmware available. Just like many other hardware and softwares you buy. Nobody is snooping when your router is getting updated.

When I bought my new 3D HDTV and hooked it up to the internet, it instantly told me that there was a firmware update, and a Netflix app update. Windows automatically checks an update website and informs you of Windows updates from Microsoft.

It's all automatic. Many times, you can turn off auto-updating, but not always.


By the way, most of the time when you update a router's firmware, the password is reset. Relax, nobody is snooping into your network when your router is being updated.

Guys:

You are the best. Thanks for answering my inquiry.

I feel much better knowing that Verizon has a limited access ability to my router - and not a fully opened back-door into my home network. There is no Big Brother watching little old me (or is he?).

I presently have the crappy FIOS router in front (mandatory to watch TV and to use their DVR), and behind that, I have a Sonicwall TX-100. I forward certain ports to the Sonicwall from the FIOS router which allows me to host FTP and Web sites from home. (I need to use DDNS since I don't have a static IP. DDNS is set-up on the FIOS router.)

My internal network (a few W2003 Servers, many PC's and laptops, ipads, Zune, Xbox, etc) are all fed by the Sonicwall and so far everything has been okay. (Yes I am crazy to have all of this at my house.)

The Sonicwall was hard to configure at first, but once you understand how it works, it made sense and is now easier to program. It is not as easy as a Linksys, but I don't think the standard Linksys (wireless) is on par with the Sonicwall.

So by having the Sonicwall behind the FIOS router, I think I also have the capability to set up the FIOS router to be a dummy (decoy) wireless router, but I am not sure if that concept is being implemented properly. I just don't know. I think I have to turn on SSID on the FIOS router, and leave it off on my Sonicwall. I could put MAC filtering on the FIOS router and only have the Sonicwall's MAC address set up. I think that will work to block other MAC addresses from entering past the Sonicwall.

FYI, my 12 year old son has already hacked out our two neigbor's wireless routers. I had to tell them to change the SSID and to not broadcast it. They were also told to implement a stronger password. My son also learned how to bypass the filters I implemented on the Sonicwall. He simply plugs a CAT5e wire into the FIOS router and he is done. Time to relocate the FIOS router so he can't access it or get rid of any extra cat wires.

Kids these days..... At least he is not on Xbox all day.

You guys all know your stuff and I do thank you very much for answering my inquiry.

-E2

Originally posted by EyesII
Guys:

You are the best. Thanks for answering my inquiry.

I feel much better knowing that Verizon has a limited access ability to my router - and not a fully opened back-door into my home network. There is no Big Brother watching little old me (or is he?).

I presently have the crappy FIOS router in front (mandatory to watch TV and to use their DVR), and behind that, I have a Sonicwall TX-100. I forward certain ports to the Sonicwall from the FIOS router which allows me to host FTP and Web sites from home. (I need to use DDNS since I don't have a static IP. DDNS is set-up on the FIOS router.)

My internal network (a few W2003 Servers, many PC's and laptops, ipads, Zune, Xbox, etc) are all fed by the Sonicwall and so far everything has been okay. (Yes I am crazy to have all of this at my house.)

The Sonicwall was hard to configure at first, but once you understand how it works, it made sense and is now easier to program. It is not as easy as a Linksys, but I don't think the standard Linksys (wireless) is on par with the Sonicwall.

So by having the Sonicwall behind the FIOS router, I think I also have the capability to set up the FIOS router to be a dummy (decoy) wireless router, but I am not sure if that concept is being implemented properly. I just don't know. I think I have to turn on SSID on the FIOS router, and leave it off on my Sonicwall. I could put MAC filtering on the FIOS router and only have the Sonicwall's MAC address set up. I think that will work to block other MAC addresses from entering past the Sonicwall.

FYI, my 12 year old son has already hacked out our two neigbor's wireless routers. I had to tell them to change the SSID and to not broadcast it. They were also told to implement a stronger password. My son also learned how to bypass the filters I implemented on the Sonicwall. He simply plugs a CAT5e wire into the FIOS router and he is done. Time to relocate the FIOS router so he can't access it or get rid of any extra cat wires.

Kids these days..... At least he is not on Xbox all day.

You guys all know your stuff and I do thank you very much for answering my inquiry.

-E2

edit on 30-12-2011 by EyesII because: (no reason given)

Hah! Now that you cooled I'm going to be an a$$ and tell you about a guy called Wim Van Eck who was a dude that figured if he could make a ultra sensitive and extremely directional antenna he could point it at electronic devices from far away and capture the "data" that is leaking through the EMF *Electro Magnetic Flux" and pretty much "sniff" your data just like a network sniffer would do but its a "side-channel" means of sniffing. He went further on and wrote a paper on how one could remodulate the signal emitted by a crt screen and redisplay it on another... Essentially by pointing that thing at your house one could see what your doing on your computer or whatching on TV.

His prototype wasn't that performant HOWEVER it did reproduce the image even though it wasn't very clear and had alot of static.

The scary part is he did this in the mid 80's and the CIA have been working on his theory ever since... which makes you believe if its even worth to lose time securing your computer when the CIA likely by now have the capability to watch your computer screen half a mile away.

Originally posted by _R4t_

The scary part is he did this in the mid 80's and the CIA have been working on his theory ever since... which makes you believe if its even worth to lose time securing your computer when the CIA likely by now have the capability to watch your computer screen half a mile away.

I hear ya. That is scary.

I'm not worried about Gvmt. I am worried about my kids on the net and about others that may want to "tap" into my network to piggy back illegal activity, or grab use of one or more of my terminals to become a drone for some DOS attack somewhere. I also want my wife to do her online shopping as securely as possible, (and as little as possible - still working on this one - lol).

I wonder what would happen if I placed a microwave oven directed at the observer and put it on high for a minute with the door open. Maybe they could visualize the inside of the oven to see what I'm cooking/reheating for dinner?

A long time ago, we had a recently fired employee come to our office at night and park in the lot. He tapped into the network via a wireless router that he installed in an unobvious area on the network. He was the former IT guy at the time.

He would remote to the Novell Server using VNC and reformat the drives at least once a week. Drove us mad for a while until we were able to figure it out. His car in the parking lot was observed via security camera and a tape was provided to the Police. We eventually found the wireless router and unplugged it. His actions eventually came to an end. Not sure what happened on the Police end.

I'm not worried because CRT's are a thing of the past. I do like high-end CRT's more than LCD's, but LCD's have taken over the field. I would think the electronic radiation from an LCD is vastly less than from a CRT. CRT's have electron guns aimed at the screen from the back. You are seeing a phospher glow due to the beam refreshing the screen. It refreshes 60 times a second, or a multiple of that. LCD's use a different tech and no electron gun is used.

Additionally I have so much other crap running next to my screens that capturing anything via EM tech would be nothing but jumble anyway.

Now if a heat-detecting (infra-red) device were used to see my screens... That would be a whole other story. Although, I'm sure that any image they could secure from me would be mush. Why? Because I would be present in front of the screen. I presume I give off an over-whelming heat-signature - larger than the LCD's siggy. BTW - I always turn off the monitor (not the PC) when I walk away.

Another security problem is the capture of data off a frozen memory chip. That has been proven to be a security problem on laptops and desktops. A minimal risk, but one none-the-less.

Bottom line - Govt can watch all they want, They will get board because I have nothing to hide and am not doing anything (to my knowledge) that is illegal. While they are busy watching me, a real person of interest is going unwatched. Dummy's!

Wim Van Eck must have been from the TRaSh-80, C64, Atari-800, and Apple II+ days. A time when the CRT was big, heavy and not well matured yet. Although LCD's use less electricity, they still use a form of radiation to work. You see light, instead of the glow of phospher from an electron beam hitting it. Eitherway, I assume they are both detectable - just at different sides of the spectrum.

-E2

Originally posted by EyesII

Originally posted by _R4t_

The scary part is he did this in the mid 80's and the CIA have been working on his theory ever since... which makes you believe if its even worth to lose time securing your computer when the CIA likely by now have the capability to watch your computer screen half a mile away.

I hear ya. That is scary.

I'm not worried about Gvmt. I am worried about my kids on the net and about others that may want to "tap" into my network to piggy back illegal activity, or grab use of one or more of my terminals to become a drone for some DOS attack somewhere. I also want my wife to do her online shopping as securely as possible, (and as little as possible - still working on this one - lol).

I wonder what would happen if I placed a microwave oven directed at the observer and put it on high for a minute with the door open. Maybe they could visualize the inside of the oven to see what I'm cooking/reheating for dinner?

A long time ago, we had a recently fired employee come to our office at night and park in the lot. He tapped into the network via a wireless router that he installed in an unobvious area on the network. He was the former IT guy at the time.

He would remote to the Novell Server using VNC and reformat the drives at least once a week. Drove us mad for a while until we were able to figure it out. His car in the parking lot was observed via security camera and a tape was provided to the Police. We eventually found the wireless router and unplugged it. His actions eventually came to an end. Not sure what happened on the Police end.

I'm not worried because CRT's are a thing of the past. I do like high-end CRT's more than LCD's, but LCD's have taken over the field. I would think the electronic radiation from an LCD is vastly less than from a CRT. CRT's have electron guns aimed at the screen from the back. You are seeing a phospher glow due to the beam refreshing the screen. It refreshes 60 times a second, or a multiple of that. LCD's use a different tech and no electron gun is used.

Additionally I have so much other crap running next to my screens that capturing anything via EM tech would be nothing but jumble anyway.

Now if a heat-detecting (infra-red) device were used to see my screens... That would be a whole other story. Although, I'm sure that any image they could secure from me would be mush. Why? Because I would be present in front of the screen. I presume I give off an over-whelming heat-signature - larger than the LCD's siggy. BTW - I always turn off the monitor (not the PC) when I walk away.

Another security problem is the capture of data off a frozen memory chip. That has been proven to be a security problem on laptops and desktops. A minimal risk, but one none-the-less.

Bottom line - Govt can watch all they want, They will get board because I have nothing to hide and am not doing anything (to my knowledge) that is illegal. While they are busy watching me, a real person of interest is going unwatched. Dummy's!

Wim Van Eck must have been from the TRaSh-80, C64, Atari-800, and Apple II+ days. A time when the CRT was big, heavy and not well matured yet. Although LCD's use less electricity, they still use a form of radiation to work. You see light, instead of the glow of phospher from an electron beam hitting it. Eitherway, I assume they are both detectable - just at different sides of the spectrum.

-E2

Yup but he was a single dude with not that much funds, what worries me is what a narcissic egomaniac three letter agency and too much opium money on their hand can do in 10 years...


For your wife you could use a linux partition on your drive, this is what I use to do my banking, I make sure my network is secure first and I use a linux partition that's in a root jail + low access user accounts. There's also another way your could secure yourself very easy and it would just make it pretty useless to try to attack you or your computer. Its a very simple concept you need a cheap laptop running linux and a alfa 500mw adapter to ensure it broadcast further a bit than your own "real" routers.

There's a network security tool you can use that generate hundreds of fake access points with legit names and real encryption keys. You might not make your own network completely invisible through conventional means as Linux can sniff them out anyways HOWEVER you can easily hide your real AP through a sea of fake ones... Imagine the pain of cracking 1 WPA network and now multiply this by hundreds... It'll just piss them off and they'll quit after a week at the most with maybe 10 cracked but whats the chance of them of falling on the right one through hundreds of them right?...

WiFi can be secured to the point where no "hacker" is going to spend the years it would take to "crack" a home network. This assumes that one turns off the easy connect "PIN" that is mentioned in the OP.

WEP - is unsecure. The problem with WEP is that is uses the same key to encrypt all the packets. A "hacker" starts a "ARP" storm to collect enough packets to do a statistical analysis of the packets and figure out the encryption key. ARP requests are not generally logged, so the WiFi network owner would not know that they network is being being stormed for the packets. The average PC could crack the key in around 6-8 hours.

WPA/WPA2 change the encryption key about every 3 seconds by default. For home users that do not use a RADIUS server, there is a master key that is used in the "Handshake" when a host is establishing a connection with the wireless network.Once the handshake is established the current key is sent to the host, and every time it changes until the host is deauthorized. This means the the "master" key is only used during the 4 packet handshake making a statistical attack impossible. The only way is to brute force the password.
A WiFI owner also would not be able to tell if one is "cracking" the network because only the 4 packet handshake is used. Once the Handshake is captured, the encryption "cracking" is done locally on those packets. Contrary to the TV Versions of hacking, one is not going to try and "log in" millions of times without being noticed or locked out.

As an example, 2WIRE router WPA passwords are factory set at 10 digits (0-9). A PC using a couple of ATI 5770's is able to crack that in about 30 hours, if the password is at the far end of the search.That is 30 hours, if you know the exact length and are only using 10 characters(0-9) in the password and using the right hardware and software. These setups can go through about 80k to 100k passwords per second.

Most home users leave that master key on the default that comes with the router, or that their ISP set when they installed the router.

THE BIGGEST MISTAKE is leaving the password on whatever the default is. WPA/WPA2 allows a 63 character or 64 digit HEX key (0-9 & A-F), so USE IT. With a password this long it would be all but impossible in this lifetime to crack. Make it random and put it in a document for cut and paste. Yes I know the security hounds are going to be screaming about putting a password in a document, but we are talking about home networks, and if a neighbor or stranger has physical access to your machine , one has much larger problems than thier WIFI setup.

One has to understand that your home network is not really a big target for those that know what they are doing. A professional "Hacker" is not going to give two craps about your home network. Home users generally have to worry about the neighbors trying to get free internet from them, or kids trying to cause trouble by breaking in and disrupting your network. Both of these types can be thwarted with a long enough master password. No neighbor or kid is going to have a significant enough rig and want to spend years trying to crack a 63 character or 64 digit hex code password to get into your home network.