Tuesday, February 22, 2011

Why security is so frustrating

My relatives are really annoying. They won’t do the one thing that secures their WiFi (use a complex password and write it down), but they insist on doing things that provide no security (hidden networks and MAC filtering).

This is a good analogy for corporate security: people refuse to do the one thing that will make them secure, but insist on doing lots of crap that does little to to improve their security.

I understand why people don’t want to choose complex passwords, they are harder to remember than simple passwords. People gravitate toward easier security. But why, then, do they insist upon hiding the network name and MAC filtering? These things do nothing to stop hackers, but they they annoy the heck out of guests (like me) who might want to use the WiFi.

Hiding the network name is the worst. It doesn’t hide the fact you have an access-point. Windows 7 shows it as “Other Network”. More importantly, it doesn’t hide the name from hackers. The name pops up immediately in tools like Kismet. This feature only removes the name form “beacon” broadcasts, but still includes the name in “probe responses”, and hacking tools can read the “probe responses”.

Anybody that connects to a hidden network must “probe” for it. That puts their laptop/iPhone at risk when they leave your network, allowing hackers to trap their devices in fake access-points. Thus, when you use hidden networks, you increase the risk for your guests while doing essentially nothing to increase your own security.

MAC filtering annoys hackers, but only slightly. It means they have to eavesdrop on your network for a bit before cloning a permitted device’s MAC address. But MAC filtering is even more annoying for guests. It can be a complicated and time wasting affair, as they misread a character, or as I did, read off the Bluetooth MAC instead of WiFi MAC address.

I hear various excuses. For example, they claim they aren’t trying to stop the world’s best hackers. But that’s wrong, for two reasons.

The first is that it still doesn’t explain why you are replacing a minor annoyance (complex password) with a major annoyances (hidden networks and MAC filtering).

The second reason is that yes, you need to protect yourself against the best hackers. The world’s best hackers create simple tools, and publish them on the Internet. The teenage kid five doors down uses those tools (with a directional antenna) to break into your network.

Two of my relatives live far enough from other houses that they can see no other WiFi access-points. Therefore, they conclude, their neighbors cannot see their WiFi. This is the “Bugblatter Beast of Traal” theory of security: if you can’t see hackers, then hackers must not be able to see you. But directional antennas that increase the range by 100 times are rather cheap. Sure, you may have trouble getting a good signal in your yard, but a hacker a mile away can still break into your network.



George Ou from who writes at http://www.digitalsociety.org/ makes the following observations, which I thought were interesting enough to post here:

But Rob, we don't need a terribly complex WPA-PSK for a good degree of non-guessability. Even an 8-character alphanumeric PSK is extremely hard to crack even when you're leasing cloud capacity. Bump it up to 10-char or 12-char and even the cloud attack will become impractical.

1. Your neighbor's kid can crack an 8 character alpha password in a few days using his graphics card by guess all combination of letters ("brute-force attack").

2. Even a 12-char alpha/numeric/punctuation password can be guessed by going through the dictionary and doing minor alterations of the the words ("dictionary mutation attack").


Problem with the other two myths is that security "experts" (even the CISSP curriculum) teaches MAC filtering and SSID broadcast suppression.

I hadn't thought of that. This shows yet against that the CISSP is not an adequate certification for security professionals.


The MAC filtering isn't even a minor inconvenience for hacker since it probably takes a few milliseconds to see the MAC address, and it provides zero encryption for stopping wall-of-sheep attacks or sidejacking.

SSID broadcast suppression (mistakenly known as hiding) simply forces the clients to broadcast rather than the base-station. That's like trying to hide a huge fixed military installation but asking all the foot solders to go around beaconing their location even in enemy territory. It is extremely stupid yet there are so many "experts" that still teach this

Anybody can be an expert in cybersecurity: they just have to say "you aren't taking security seriously enough".

5 comments:

John Moehrke said...

One answer to your question that I often come up against is: They understand hiding the SSID and creating a white list of MAC addresses, they don't understand that fancy encryption key stuff.

Robert Graham said...

That's a great point.

George said...

But Rob, we don't need a terribly complex WPA-PSK for a good degree of non-guessability. Even an 8-character alphanumeric PSK is extremely hard to crack even when you're leasing cloud capacity. Bump it up to 10-char or 12-char and even the cloud attack will become impractical.

Problem with the other two myths is that security "experts" (even the CISSP curriculum) teaches MAC filtering and SSID broadcast suppression.

The MAC filtering isn't even a minor inconvenience for hacker since it probably takes a few milliseconds to see the MAC address, and it provides zero encryption for stopping wall-of-sheep attacks or sidejacking.

SSID broadcast suppression (mistakenly known as hiding) simply forces the clients to broadcast rather than the base-station. That's like trying to hide a huge fixed military installation but asking all the foot solders to go around beaconing their location even in enemy territory. It is extremely stupid yet there are so many "experts" that still teach this.

JMundinger said...

Another answer. We really do enjoy annoying you. ;))

Robert Graham said...

Well, Paul was more than reasonable, and quickly fixed things. It was Chris who insists on MAC filtering. Which is fine, I'm not saying it's necessarily wrong (it provides some, albeit tiny security), I'm just saying it frustrates me.

In your case, I'm sure you'll turn on MAC filtering just for me when I visit.