.

When is enough really enough?

<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sat Feb 07, 2009 2:56 am

When is enough really enough?

Went out war driving earlier today with my EEE PC...Started kismet up and went about 2-3 miles from my house and I was astounded at how many access points I actually picked up on. 372! That's right 372! It's pretty damn amazing how many of these people still have their access points left open for the world to connect to and enjoy and even the one's that aren't left open, are secured by WEP. With tools out there now such as SpoonWPA/SpoonWEP, WEP can be broken in less than 3 minutes, infact I put 64 Bit WEP on my Access Point and broke it in about a minute and 35 seconds. The scary thing is these tools don't even need much knowledge to be able to run. My point? When are stores / businesses / home users going to actually get that there needs to be a stronger counter measures implemented to fend off (or attempt to fend off) the bad guy? We hear about it all the time, people getting busted off of using another persons network for malicious use, but seriously what needs to happen to get it through people's heads that they need to watch out for common threats that exist out there today...Thoughts?
Last edited by KrisTeason on Sat Feb 07, 2009 3:01 am, edited 1 time in total.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat Feb 07, 2009 3:56 am

Re: When is enough really enough?

A good question raised. But I don't think that people completely neglect their security. They are oblivious of the methods in which their security can be breached.
You and I being in this field know that WEP can be cracked but for an average computer user he has put his security measures in place.
For learning security measures you have to learn how security is cracked too.And this is where the difference comes in. We can't develop interest in the average computer user for computer security. At best what we can do is guide them or posts some stuff keeping average users in mind too.
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Feb 07, 2009 2:46 pm

Re: When is enough really enough?

I am impressed that you are taking a practical approach to your hacking and not just reading about it. Keep up the good work.  Now the next question is how far do we go as ethical hackers?   I think technically speaking its ok to war drive and even go so far as to see if you can crack a key.  As long as you don’t actually join a network that you are obviously not allowed or pop a box that you have no permission, you are walking on safe ground. On the other hand, I know of even some CEH instructors that confess that they practice their hacking more forcefully. One CEH I know says he like to practice on infiltrating the local University network. University networks have had a bad reputation in the past for being easy to crack.  Jeeze, I should have given myself a couple of graduate degrees by now, LOL! 

Cracking your home router is different from trying to do it outside the house. I think there is a misconception that wep and mac filtering and not using dhcp has little value. Part of me would love to issue a challenge to those that hang out on the aircarck-ng site and see how much actual wireless properly wep encrypted networks they can connect to in the real world. As far as home networks, most in my discussions will give up quickly if it takes more than 30 minutes, especially if they have to sit outside in a car.  If there is one character trait of a hacker, its paranoia and nothing can make you feel more paranoid than sitting pointing a cantenna at someone’s front door for an hour or more, LOL! There are too many easier targets.   Sometimes cracking wireless from the parking lot is amazingly easy and other times it can take some time.  You can get the key and an approved mac address and you still can’t join! Other times you slip right in.  I had one assignment were I was testing a local wireless and 2 days in a row I was having problems, could have been due to a lot of wireless noise. The 3rd day I slipped right in like it was nothing.  Our biggest disadvantage as ethical hackers is our time limits.
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sat Feb 07, 2009 4:11 pm

Re: When is enough really enough?

I'll also second that of what you said about feeling it's okay to go war driving and see if you can crack a key, it is like you said, you joining the network that you have no permission to is what makes it illegal. I mean how are we suppose to test our skills and keep up with them by setting up an Access Point at home and seeing if we can penetrate that? Okay - say we can break our own 128 Bit WEP key, we'll WPA2 our access point next, we can break then that, but I think it's a bigger rush as well as it's more fun sitting out in a car in a parking lot or in your neighborhood seeing what you can break, it in away helps you build those skills as well as building that attacker mindset especially if your not using automated tools to do it like SpoonWEP / SpoonWPA.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Sat Feb 07, 2009 5:42 pm

Re: When is enough really enough?

Kris

in answer to your question "When will they get it?" in regards to securing the networks.  I don't think the masses ever will.  It's something the majority of people will never understand and that's why the vendors and the manufacturers should be putting more effort into selling devices that are secure by default.  But that means that a few things break, so what happens?  Convenience will win once again! But at least if devices are secure by default then fewer devices will be made insecure by people fiddling and the majority of devices will be secure.
----------------------------------
http://synjunkie.blogspot.com
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Thu Feb 12, 2009 10:33 am

Re: When is enough really enough?

Sorry for not having the exact info, but I think its in India, they are now giving the responsibility to the police force, to go around and enforce people to secure their wireless devices.
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri Feb 13, 2009 8:43 am

Re: When is enough really enough?

dalepearson wrote:Sorry for not having the exact info, but I think its in India, they are now giving the responsibility to the police force, to go around and enforce people to secure their wireless devices.

I don't know whether to agree or disagree with you.
There was an incident in India in which some terrorists cracked a person's wireless network and used it to send mails to the local media. After they were exposed there were a large number of articles on how to secure your wireless devices both from the government and the local newspapers.

Articles regarding civilian security regularly come from the Police but I have to yet to read about some police responsibility like the one you are talking about(I'm an Indian).
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Fri Feb 13, 2009 1:33 pm

Re: When is enough really enough?

I found the article.

Here is the info, its in Mumbai - http://timesofindia.indiatimes.com/Citi ... 956633.cms

Be intresting to see how this develops in India, and globally.
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Fri Feb 13, 2009 2:21 pm

Re: When is enough really enough?

Interesting Article, gives me some thoughts, I wonder what would have to happen to actually have that get implemented here in the US; You think they'd ever have to get to that point? If it starts to get to the point where police start mandating secured access points you we would most likely see a rise of crime considering that more people would turn toward the dark side and learn how to break these encryption's to pull off the illegal shit they're wanting to do on them. Here in the United States, you could just take your car, drive about a mile with your ALFA 500mW USB and pick up on about 10+ unsecured access points (At least in my town). Do you guys think this'll up the crime rate in India as far as "Hacking" into alternate users access points go? I mean were talking about a user who wants to do something malicious could just pull up in front of a house and do it there, now it's going to require a little bit more skill if access points are secured. I think it'll stop some of it but seriously with automated tools out there these can be broken within 20-30 minutes (WEP within 5-10).
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

Return to Wireless

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software