I don't know whether...
... to stand in awe of these guys, or to vomit.
A security researcher has unveiled a low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary. The WPA Cracker is a cloud-based service that accesses a 400-CPU cluster. For $34, it can run a password against all 135 million entries in …
Eigh?
If you're having troubles with WPA2, have you tried an alternative firmware, particularly Tomato, OpenWRT or DD-WRT? I've had a variety of WRT54Gs and they all support WPA2-PSK. Haven't got a certificate infrastructure for the Enterprise level version, but certainly the menus are there in DD-WRT for that. Plus, if your router is out of warranty and you're considering buying another one, might be worth an experiment.
In other news, is it really worth panicking about this unless you're an Enterprise? So many home users are still running WEP, which doesn't require a $34 investment, that unless you're after company secrets rather than "free" internet access, you're better off driving down the road a bit.
The WRT54G routers are ripe for custom firmware. Well, I'd recommend checking what is out there.
I'm on a lower version than that, 3 or 4, but with DD-WRT custom firmware on there my router is a lot better - loads more features - I have 2 SSIDs running on it, for example. I will upgrade to an N one eventually but I'm hoping to still use DD-WRT on that too. There's more than just the encryption method for securing it anyway, there's allow only registered MACs, etc.
You'd still need to pass those through a cracker to see if they are weak. Long does not mean strong. A page of zeros is probably not really strong, for example.
Steve does sort of explain where those strings come from, however he fails to explain it in enough detail for anyone to determine if he's cocked it up... Given his history of getting it wrong and then being a dick about it, I think I'll just pass.
@ WPA2 comment:
As far as I know, this attack works the same against WPA and WPA2, though I'm not sure if the rainbow tables would be the same. It only works against networks using a pre-shared key (like almost all home users), while 802.1X / WPA Enterprise would be immune. It should also be relatively safe to set up an access point to a restricted network and use a VPN to access the rest of your network. Of course both of the secure options are well beyond the reach of the average user, plus the VPN option will require an extra step each time you connect, and 802.1X generally requires RADIUS, the free daemons for which are all considerably less fun to configure than your average ISP-level sendmail install. Either way, lots of work for a couple of home users.
If you put an idiot or complete novice in charge of Fort Knox, attackers won't attack the building. They'll simply con the idiot and walk in. Then the idiot will blame the building for its lack of security.
This service tests whether the wireless network has an idiot or complete novice in charge of it. They are not cracking proper passwords. By proper password, I mean something that can't be readily guessed and added to the dictionary that's being used.
If your neighbour is using a password like "letmein" or something else likely to be in the service's dictionary, then this test can be used to warn the neighbour. But don't expect the neighbour to thank you. They might just be alarmed, change their password to something equally dumb, and complain to the police that you've been hacking them.
If you're using a more secure password like "jaootns&33dsf", don't bother wasting your money using this service to test it. All the service will tell you is that your password couldn't be figured out because it wasn't a dumb password that's in the dictionary.
Senior people involved in the new laws about file sharing should take note because their wireless passwords are sure to be tested.
Well, quite apart from security and visibility, there's also the added caveat that wires always were, and always will be, faster than wireless.
1Mbps wired = no wireless
10Mbps wired = 10Mbps wireless (realistic throughput of 4Mbps)
100Mbps wired = 54Mbps (realistic throughput of 36Mbps)
1000Mbps wired = 270Mbps (realistic throughput of maybe 80Mbps)
If you need that service to crack someone's wireless, you are less likely to have cloud access.
But then, even a five day cracking session is no biggie for some, just a question of planning. How often do you change your WPA(2) passwords? If security is important to you then wifi is a means of last resort. Wired has always been and for the foreseeable future will remain faster, more reliable, and better secured. So in that sense, making this clear to the masses is a public service.
As 'the bad guys' are (seriously) hoovering(*) up all WPA/WPA2 wifi traffic on selected targets, storing it in their yottabyte arrays, until the next vuln comes around (like the Linux RNG bias attack last year) then re-processing the data.
WiFi crypto is doing its job, DELAYING data disclosure. Best advice is to use a non-trivial SSID - the first 1000+ 'standard' IDs are rainbowed - and use a memorable pass phrase. Pros are starting to use WiFi intrusion detection hardware, actively looking for a bad or pirate node trying to merge into their network. WPA & WPA2 are still just WEP with patches; something next generation will be needed soon! Remember, supposedly everything is going WiFi plug & play 'auto-config' soon. Yikes! (As usual XKCD got there first http://xkcd.com/416/ )
(*) should hoovering be dysoning in this modern era?
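Two earlier comments touch on the same point: whether WPA and WPA2 rainbow tables "would be the same", and why a non-trivial SSID matters. Both follow from how WPA/WPA2-PSK derive the Pairwise Master Key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), identical for WPA and WPA2, with the SSID acting as the salt. The following Python is an added illustration written for this page, not code from the thread or from the WPA Cracker service; the "password"/"IEEE" pair is the published IEEE 802.11i test vector, and the other SSIDs and passphrases are constructed sample values.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK Pairwise Master Key.

    Both WPA and WPA2 define the PSK-mode PMK as
    PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32). The SSID is the salt,
    so a precomputed table of PMKs only matches the SSID it was built for.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as tools like wpa_passphrase print it."""
    return wpa_pmk(passphrase, ssid).hex()


def ssid_changes_pmk(passphrase: str, ssids) -> bool:
    """True if the same passphrase yields a distinct PMK under every SSID.

    This is the property that makes rainbow tables SSID-specific: a table
    built against 'linksys' says nothing about a network named anything else.
    """
    pmks = {wpa_pmk(passphrase, s) for s in ssids}
    return len(pmks) == len(set(ssids))


def table_reusable(table_ssid: str, target_ssid: str) -> bool:
    """A precomputed PMK table is reusable only for the exact SSID it was
    built against (SSIDs are byte strings, so case matters)."""
    return table_ssid == target_ssid


if __name__ == "__main__":
    # Published IEEE 802.11i test vector (not a constructed value):
    print("PMK(password, IEEE) =", pmk_hex("password", "IEEE"))

    # Constructed sample SSIDs: same weak passphrase, three different salts.
    sample_ssids = ["linksys", "NETGEAR", "my-home-net-7f3a"]
    print("Distinct PMK per SSID:", ssid_changes_pmk("password", sample_ssids))

    # A table built for a default SSID does not carry over to a custom one.
    print("Table for 'linksys' usable on 'my-home-net-7f3a':",
          table_reusable("linksys", "my-home-net-7f3a"))
```

The 4096 HMAC-SHA1 iterations are the only work factor in the derivation, which is why a precomputed table for the most common default SSIDs is attractive and why an unusual SSID pushes an attacker back to computing every candidate from scratch; a strong passphrase remains the actual control, since the derivation cannot rescue a passphrase that appears in a wordlist.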
Given that an IP address alone is proof enough for ambulance-chasing lawyers such as ACS:Law to "prove" copyright infringement, and soon the government will use IP evidence alone to shut down alleged filesharers' connections, then the consumer becomes liable for the security of their Internet connection, and anything which happens over it. And WiFi is the weakest link.
Therefore robust industry grade WiFi security is required because you will be personally liable for anything that happens on your hacked WiFi connection.
My BT-supplied router had WEP enabled by default with the WEP key stuck on the back. So I guess the consumer is supposed to keep up to date with all the latest WiFi vulnerabilities, patch and reconfigure as required. I'll make sure my gran is subscribed to CERT bulletins!
Time to abandon WiFi. The risks of an unlimited fine and a jail term, if someone hacks it, or one of your mates pops round with their laptop and downloads a copyrighted song, are just too great.
But what about hubs that come with pre-defined passwords like the BT Homehubs where they don't use words but a mix of characters and numbers?
Also got to wonder if they vet their clients?
Surely this should only be for those wanting to check security on their own or clients network not some lowly little teen hacker??
Anon as my wireless is on....
Thank you for sharing your very secure password with us. I don't believe it's the real one however.
The idea of sending your password to a cracking service to check whether it's in their database is hysterically funny - think about it. Likewise using a memorable phrase, unless it's only memorable to you. These people must have dictionaries of well known quotations, which is nice because I'm looking for such a thing. A network secured with the words "Ask not what your country can do for you", "Clunk click every trip" or "The quick brown fox jumps over the lazy dog" is not really secured.
My WPA2 code is, errm, unlikely to be cracked using a dictionary attack.
1. I used a phrase, not a word.
2. I picked a phrase which was significant to me, but not necessarily to someone else.
3. I picked that particular phrase 'cause I knew its transliteration (_NOT_ translation) into a certain obscure language, one which doesn't use the Latin alphabet. (Good luck figuring out which one...)
4. I then deliberately misspelled all the words in the phrase, in a way that made sense to me.
5. I sprinkled in a few numbers and symbols and changed some caps to lower case and some lower case to caps.
Result: an 18-digit phrase which is absolutely guaranteed to not be in any dictionary and which will make no sense to anyone else. And which I tweak ever so often by adding or subtracting a number or a symbol or changing the case of a letter. Or some combination of the above. It used to be a _15_ digit phrase. I could have achieved good results by simply using the same phrase in English but adding the variable caps, numbers, and symbols.
I use a memorable telephone number (or two back to back) and transpose them. So the numeric keypad of 789456 shifted to the 6 key on the keyboard would become 678yui.
Easy peasy and not very crackable. All I need to do is remember the transposition start point (and use a QWERTY keyboard - it is VERY slow on a laptop where I need to think...)
This type of brute-force attack does not apply to WPA/WPA2-Enterprise networks, which use 802.1X authentication. Even small businesses and consumers can now easily implement this advanced security using outsourced services like AuthenticateMyWiFi (http://www.NoWiresSecurity.com).