Why set a password for a gateway or wireless AP ??

Just to clarify, I'm not talking about setting an encryption key--I'm talking about setting a password for the setup/configuration software that comes with a gateway or wireless AP. i.e. I read the following in a book dealing with home networks.

"The first step is to set a password for your AP... If you leave the AP set with the default password, it is very easy for someone to break into your wireless network and change your network settings."

According to the author, changing that password was step #1. Setting encryption was discussed later as step #4. But... how can a wireless intruder get to the network configuration software on a PC unless he first gets past the encryption on the network? But even if the intruder got past the encryption, how could he access the configuration software unless the software was on a PC with file and printer sharing turned on (XP Home edition) "and" the configuration program/software was in a shared folder?

For the record... in my situation:
1) The network is using WPA-PSK encryption.
2) The computer with the network configuration software requires a password for logon.
3) The computer with the network configuration software has file and printer sharing turned on, but the only thing being shared is a printer.
4) The network configuration software for my gateway came without a password and with the password feature disabled. I have since set up a password for the software, but don't understand how a wireless intruder could access the configuration software on my PC based on conditions 1 thru 3 noted above even if the password feature was disabled.

--
So much to learn... So little time.

Working backwards, the software for your wireless router is the same as for your neighbor 2 blocks over. Much of the time now, the program such as it is actually resides on your wireless router and is accessed by going to your gateway address, or 192.168.0.1. So one doesn't really need access to any special software. If one does need special software, then often it can be downloaded free from the maker of your wireless router. So we don't really need any special software, or we can get it free on the Internet. One wall down.

WPA-PSK can be broken, all it requires is enough network traffic and something to record it on. Often WPA-PSK is set up by someone who does not truly understand what they are trying to do. The key can be long, or short. If a short enough key is used, it can be cracked easier than WEP. If the key is a sentence, or a word it can be cracked rather easily.

Someone willing to do a little reading can often find in the manual what the wireless router manufacturer set as the default password and user name. Often it is Admin/admin. Many times the wireless router is set to broadcast its name/model number/or maker. This gives the intruder an easy place to start. Even if it isn't set to broadcast this, it will broadcast its version of a MAC address, and from this address one can find out who manufactured it. Once you know that it's easy to try the default passwords, and/or setup/configuration software.

--
David Hettel

Please post any reply as a follow-up message in the news group for everyone to see. I'm sorry, but I don't answer questions addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

DISCLAIMER: This posting is provided "AS IS" with no warranties, and confers no rights

David,

Thanks so much for the reply! I think I'm tracking with you, but would like to make sure because if I am, I'm really shocked at the security risk. It sounds to me like you're saying that even if someone uses WPA-PSK encryption with a 63 character key that's a totally random mix of numbers, letters, and special characters, that a person can access the gateway itself and change the software setup "without" having to crack the encryption key?

I'm "hoping" that's not the case, because if it is, then the password on the configuration software is far and away the greatest security risk to my home network. i.e. My password for the configuration software is a combination of letters, numbers, and special characters, same as with my WPA encryption key, but it's certainly not as long/strong as the encryption key and it doesn't automatically get changed the way a WPA key does. If this creates the risk I'm understanding it to create, I'm really stunned by the fact that there's so much talk about the value of WPA over WEP and the importance of using strong encryption keys, yet so little discussion about the risk that can be created in regard to passwording the configuration software. Please tell me I've missed something and that it's not really as bad as all that. :-(

--
So much to learn... So little time.

Yes you've not gotten what I was trying to say. For an intruder to access your network wirelessly he would need to crack your encryption key. Now not everyone chooses to use a random key of 63 characters, some people use keys of 8 characters, that aren't even random. A simple key is much easier to crack than a more complex key is. What I was trying to say is not all keys in WPA provide better security than WEP, simply because they are WPA.

What's the greatest risk? Depends on what you are trying to protect. If I gain access to your wireless router, I could in theory lock you out of it by resetting the password. But most routers have a reset button that returns it to factory defaults. I could upload new code to your router, there is generally not a lot of free room where the code goes, but it's something I could do. Or I could simply trash the code, and force you to buy a new router.

If I happen to live nearby, or have access to the area, I could crack your code and monitor everything you send and do wirelessly. But that will take some special skills and equipment, and why do it? What is so interesting in what you do that it would make someone want to invest that kind of time, or effort.

My experience is most people simply want free access to the internet, and are not interested in doing harm. Or it is simply a game to them, and the challenge is in getting in. For most thieves it's still easier to rob someone the old-fashioned way, rather than spending the time and effort required to crack your system. And if your system is secured, it's easier to check the next one out that probably isn't secured.

IMHO if your system is compromised it most likely will be by someone who knows you, and wants what they believe you have, or who is mad at you. And for my two cents it's much more likely that they'll be mad at you. Where one chooses to keep that 63 character key becomes a part of the problem then as well. One needs to have access to the key, so the key must be stored somewhere. That now becomes a risk.

--
David Hettel

Thanks, David. So if I'm tracking with you, an intruder "would" have to crack my WPA-PSK key "before" they could take a shot at cracking the password for my gateway's configuration software. If that's the case, I feel much better. :-)

And yes, I agree with your thought that it's much more likely that I might do something to make a neighbor upset with me (unintentionally of course) than it is that I would have something of value they would want. (I sure wish it was the other way around.) ;-) Fortunately, we've been acquainted with all but one of our immediate neighbors for several years and get along well. There is one neighbor we've only spoken with once, but there's never been a conflict, so hopefully we're good to go in the public relations arena.

--
So much to learn... So little time.

Well they'll either need to crack your WPA-PSK, or gain access physically to your wired connection, or send you a virus/trojan in an e-mail. Or get you to visit a web page, that is designed to compromise your computer. People are creative and always coming up with new ways of doing this. But again it does take a reason, for someone to decide that you are worth the effort.

--
David Hettel
>> >> > 2) The computer with the network configuration software requires a >> >> > password >> >> > for logon. >> >> > 3) The computer with the network configuration software has file and >> >> > printer >> >> > sharing turned on, but the only thing being shared is a printer. >> >> > 4) The network configuration software for my gateway came without a >> >> > password >> >> > and with the password feature disabled. I have since set up a >> >> > password >> >> > for >> >> > the software, but don't understand how a wireless intruder could >> >> > access >> >> > the >> >> > configuration software on my PC based on conditions 1 thru 3 noted >> >> > above >> >> > even >> >> > if the password feature was disabled. >> >> > -- >> >> > So much to learn... So little time.

Thanks for all your help, David. I'll keep a low profile and hopefully no
one will even notice our little network.

--
So much to learn... So little time.

"David Hettel" wrote:

> Well they'll either need to crack your WPA-PSK, or gain access physically to
> your wired connection, or send you a virus/trojan in an e-mail. Or get you
> to visit a web page, that is designed to compromise your computer. People
> are creative and always coming up with new ways of doing this. But again it
> does take a reason, for someone to decide that you are worth the effort.
>
> --
> David Hettel
>
> "Roughneck" <Roughn***@discussions.microsoft.com> wrote in message
> news:B0A4158D-8346-46B6-8D30-3B9AEC6A4E26@microsoft.com...
> > Thanks, David. So if I'm tracking with you, an intruder "would" have to
> > crack my WPA-PSK key "before" they could take a shot at cracking the
> > password for my gateway's configuration software. If that's the case, I
> > feel much better. :-)
> >
> > And yes, I agree with your thought that it's much more likely that I might
> > do something to make a neighbor upset with me (unintentionally of course)
> > than it is that I would have something of value they would want. (I sure
> > wish it was the other way around.) ;-) Fortunately, we've been
> > acquainted with all but one of our immediate neighbors for several years
> > and get along well. There is one neighbor we've only spoken with once, but
> > there's never been a conflict, so hopefully we're good to go in the public
> > relations arena.
> > --
> > So much to learn... So little time.
> >
> > "David Hettel" wrote:
> >
> >> Yes you've not gotten what I was trying to say.
> >> For an intruder to access your network wirelessly he would need to crack
> >> your encryption key. Now not everyone chooses to use a random key of 63
> >> characters, some people use keys of 8 characters, that aren't even random.
> >> A simple key is much easier to crack than a more complex key is. What I was
> >> trying to say is not all keys in WPA provide better security than WEP,
> >> simply because they are WPA.
> >>
> >> What's the greatest risk? Depends on what you are trying to protect. If I
> >> gain access to your wireless router, I could in theory lock you out of it
> >> by resetting the password. But most routers have a reset button that
> >> returns it to factory defaults. I could upload new code to your router,
> >> there is generally not a lot of free room where the code goes, but it's
> >> something I could do. Or I could simply trash the code, and force you to
> >> buy a new router.
> >>
> >> If I happen to live near by, or have access to the area, I could crack
> >> your code and monitor everything you send and do wirelessly. But that will
> >> take some special skills and equipment, and why do it? What is so
> >> interesting in what you do that it would make someone want to invest that
> >> kind of time, or effort.
> >>
> >> My experience is most people simply want free access to the internet, and
> >> are not interested in doing harm. Or it is simply a game to them, and the
> >> challenge is in getting in. For most thieves it's still easier to rob
> >> someone the old fashion way, rather than spending the time and effort
> >> required to crack your system. And if your system is secured, it's easier
> >> to check the next one out that probably isn't secured.
> >>
> >> IMHO if your system is compromised it most likely will be by someone who
> >> knows you, and wants what they believe you have, or who is mad at you.
> >> And for my two cents it's much more likely that they'll be mad at you.
> >> Where one chooses to keep that 63 character key becomes a part of the
> >> problem then as well. One needs to have access to the key, so the key must
> >> be stored somewhere. That now becomes a risk.
> >>
> >> --
> >> David Hettel

Roughneck wrote:

> "The first step is to set a password for your AP... If you leave the AP
> set with the default password, it is very easy for someone to break into
> your wireless network and change your network settings."
>
> According to the author, changing that password was step #1. Setting
> encryption was discussed later as step #4. But... how can a wireless
> intruder get to the network configuration software on a PC unless he first
> gets past the encryption on the network?

Getting past the network encryption isn't usually a major issue, just a
matter of time and the right software. You should always set a password on
routers, letting Joe Random play with your router settings can cause loss
of connectivity, firewall rules being created that compromise your network,
etc. Wired or wireless, password that stuff.

GNU Keyring is great for generating and saving passwords if you have a
PalmOS PDA.

> But even if the intruder got past the encryption, how could he access the
> configuration software unless the software was on a PC with file and
> printer sharing turned on (XP Home edition) "and" the configuration
> program/software was in a shared folder?

Most home routers have a web interface, the rest configure using SNMP or by
direct telnet. Point being, if there's a way for a legitimate user to
connect, then that's a potential vector.

P. Johnson,
Thanks for the additional input.

Between what you and David have shared, it's my understanding that if
someone "did" manage to get through our WPA-PSK security and could access
the web through our gateway, all they'd have to do is enter the right URL
and that would allow them to access our gateway. And if the gateway
isn't passworded, the intruder would be able to adjust the settings from
that URL.

So in regard to an intruder being able to access our gateway, if someone
gets past our WPA security, our File and Printer sharing settings are
irrelevant. :-(

Well, I have our gateway passworded now, so between the 63 character
WPA-PSK encryption key and the passworded gateway, I guess I've done about
all I can to make our network as safe as possible. But if there's
anything else I can/should do, I'm all ears. :-)

--
So much to learn... So little time.

Only you can increase readability.
http://ursine.ca/Top_Posting

Roughneck wrote:

> Thanks for the additional input.

No problem.

> Between what you and David have shared, it's my understanding that if
> someone "did" manage to get through our WPA-PSK security and could access
> the web through our gateway, all they'd have to do is enter the right URL
> and that would allow them to access our gateway. And if the gateway
> isn't passworded, the intruder would be able to adjust the settings from
> that URL.

You nailed it there.

> So in regard to an intruder being able to access our gateway, if someone
> gets past our WPA security, our File and Printer sharing settings are
> irrelevant. :-(

No, not necessarily, your file and printer sharing settings are not
irrelevant, they're your second line of defense. Always use strong
usernames and passwords within your own networks if you have wifi.

> Well, I have our gateway passworded now, so between the 63 character
> WPA-PSK encryption key and the passworded gateway, I guess I've done about
> all I can to make our network as safe as possible. But if there's
> anything else I can/should do, I'm all ears. :-)

Sounds like you have a good start there.

"No, not necessarily, your file and printer sharing settings are not
irrelevant, they're your second line of defense. Always use strong
usernames and passwords within your own networks if you have wifi."

Sorry--I wasn't very clear about that. I just meant file and printer
sharing appeared to be irrelevant in terms of preventing someone from
accessing the gateway settings if they managed to get past the WPA
encryption.

I understand that it's important to have a good strategy as to which
folders/files are set up for sharing, and whether other users can
change/delete them or just open/read them. I'm not aware of any way to
password protect individual folders and files with XP Home though. If there
is a way I'd be interested in learning how to do it.

Thanks again for your interest and help!

--
So much to learn... So little time.

Roughneck <Roughn***@discussions.microsoft.com> wrote:

> Just to clarify, I'm not talking about setting an encryption key--I'm talking
> about setting a password for the setup/configuration software that comes with
> a gateway or wireless AP. i.e. I read the following in a book dealing with
> home networks.
>
> "The first step is to set a password for your AP... If you leave the AP set
> with the default password, it is very easy for someone to break into your
> wireless network and change your network settings."
>
> According to the author, changing that password was step #1. Setting
> encryption was discussed later as step #4. But... how can a wireless
> intruder get to the network configuration software on a PC unless he first
> gets past the encryption on the network?

The setup/configuration software is often located on the wireless access
point or router. So an intruder could come in from the internet using your
public ip-address and a well known port for remote management left open.

Here's one example. In August, this troll posted a message with a forged
sender, posing as a journalist from a Danish tabloid:

: Newsgroups: dk.forbruger
: Subject: Ny group: Meld svindel eller magtmisbrug til Ekstra Bladet
: Date: 21 Aug 2006 13:29:15 -0700
: Organization: http://groups.google.com
: Lines: 2
: Message-ID: <1156192155.242387.233***@p79g2000cwp.googlegroups.com>
: NNTP-Posting-Host: 83.72.241.222

In a followup-to a few hours later another poster wrote in:

: Newsgroups: dk.forbruger
: Subject: Re: Ny group: Meld svindel eller magtmisbrug til Ekstra
:  Bladet
: References: <1156192155.242387.233***@p79g2000cwp.googlegroups.com>
:  <ecd639$86***@newsbin.cybercity.dk>
: In-Reply-To: <ecd639$86***@newsbin.cybercity.dk>
: Content-Type: text/plain; charset=ISO-8859-1; format=flowed
: Content-Transfer-Encoding: 8bit
: Lines: 13
: Message-ID: <ZNpGg.136$y97.***@news.get2net.dk>
: Date: Mon, 21 Aug 2006 23:43:22 +0200

[...]

: Det er også ret dumt at lade sin router uden passwordbeskyttelse lytte
: på port 80 når man poster sådan et indlæg.. http://83.72.241.222

In English: It's pretty stupid to leave your router without a password
listening on port 80... http://83.72.241.222

Needless to say, the troll has since then set a password on the router -
and probably disabled remote management on port 80 as well.

> But even if the intruder got past the encryption, how could he access the
> configuration software unless the software was on a PC with file and
> printer sharing turned on (XP Home edition) "and" the configuration
> program/software was in a shared folder?

As the example shows, the configuration software is often located in
flash RAM on the router or access point, but XP Home is not an insecure OS.

> For the record... in my situation:
> 1) The network is using WPA-PSK encryption.
> 2) The computer with the network configuration software requires a password
> for logon.
> 3) The computer with the network configuration software has file and printer
> sharing turned on, but the only thing being shared is a printer.
> 4) The network configuration software for my gateway came without a password
> and with the password feature disabled. I have since set up a password for
> the software, but don't understand how a wireless intruder could access the
> configuration software on my PC based on conditions 1 thru 3 noted above even
> if the password feature was disabled.

Anyway, if you are using some other configuration software, like an SNMP
or something like Atmel_SNMP_manager_v1.743 for your access point, or
have dd-wrt firmware on your router, you are still in danger, because
an intruder can also get hold of the configuration software and run it
on his own computer from across the internet.
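
The check these replies point to, as an added example that is not part of any post in the thread: a small Python self-audit to run against your own gateway, from the LAN side and, for the remote-management case in the last post, against your public address from outside your network. The port list, the finding labels and the function names are assumptions chosen for illustration; `192.168.0.1` is the gateway address mentioned earlier in the thread.

```python
"""Self-audit of a gateway's management surface (added example, not from the thread)."""
import http.client
import socket
import sys

# Assumed port list for illustration: TCP services that home gateways commonly
# use for management. SNMP runs over UDP and is not covered by this TCP check.
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https", 8080: "http"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_http(status, headers):
    """Classify an unauthenticated HTTP answer; headers uses lower-case keys."""
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"   # the device asks for credentials first
    if status in (301, 302, 303, 307, 308):
        return "redirect"        # usually a login page; confirm by hand
    if 200 <= status < 300:
        # Served without HTTP authentication: either an open configuration
        # page or a form-based login. Open it in a browser to tell which.
        return "no-http-auth"
    return "other"


def check_web_ui(host, port=80, timeout=3.0):
    """Request '/' without credentials and classify what comes back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return classify_http(resp.status, headers)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def audit(host, ports=None, probe=tcp_open, fetch=check_web_ui):
    """Return [(port, service, finding)] for each management port that answers.

    probe and fetch are injectable so the logic can be exercised offline.
    """
    findings = []
    for port, service in sorted((ports or MGMT_PORTS).items()):
        if not probe(host, port):
            continue
        if service == "http":
            finding = fetch(host, port)
        elif service == "telnet":
            finding = "cleartext-login-service"
        else:
            finding = "listening"
        findings.append((port, service, finding))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    results = audit(target)
    if not results:
        print(f"{target}: no management port answered")
    for port, service, finding in results:
        print(f"{target}:{port} ({service}): {finding}")
```

Any port that answers on the public address means remote management is reachable from the internet; on the LAN side, a web port that reports anything other than `auth-required` deserves a look in a browser.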