[nycbug-talk] How secure: wireless + ssh?
Isaac Levy
ike
Thu Dec 22 16:14:59 EST 2005
Hi Francisco,
Good question,
On Dec 22, 2005, at 10:14 AM, Francisco Reyes wrote:
> Had never had the need for wireless..
> Getting a new laptop and was wondering how safe it is to use a
> wireless WEP connection with SSH.
The setup you describe is a real winner, IMHO. Based on how I do
things (small scale), environments I work in rarely stand still long
enough for me to get into setting up VPN's, (ipsec, etc...), though
those are great tools as well.
SSH itself, over wireless, is a very secure way of working, and ssh
tunnels are fantastic, mostly because they are quick, and possible to/
from just about any system running OpenSSH.
I would also add one more thing to your toolkit: a nice remote proxy,
on a server with a 'trusted' wired connection to the net (tinyproxy
is very nice). Using a combination of SSH tunnels, to a proxy
server, one can effectively proxy all traffic through the ssh tunnel,
out to the remote server. IT'S IMPORTANT to configure the proxy
server to listen only to localhost, else anyone can proxy traffic
through your server- (and do possibly fraudulent things from your IP!)
This is very similar to a VPN, except it's much faster to setup and
discard, (to me, at least...). Something like:
LAPTOP (untrusted/wireless www? lan?)                   SERVER
http--->  \                                / ->  \
smtp--->   >========[ssh-tunnel]=========<   ->   >127.0.0.1(proxy-server)
etc---->  /                                \ ->  /          |
                                                            |
                                                 ('trusted' network
                                                    connection)
                                                            |
                                                            |
                                                          (WWW)
                                                          / | \
                                                         / /|\ \
                                                     http smtp etc
I hope the ascii diagram makes it simpler, not confuses things.
>
> I figure I would not put too much trust on the WEP part, but figure
> ssh will be the same regardless of whether it's wired/wireless..
> just perhaps easier for someone to see the packets passing by..
>
> Any horror stories?
Heck yeah! I think of it as 2 'classes' of risk using WiFi:
1) Protecting traffic through your Local AP
2) Protecting your traffic when using a public AP (Cafe's, etc...)
--
1) With one's local AP, the ugliest thing I've seen, (at several
different locations) is to have some neighboring PC crack access to
the AP, and sniff/snarf or otherwise do nasty things with the traffic
across that wire. This doesn't mean your upstairs neighbor is
necessarily cracking your line, but their machine could be
compromised by some kiddie in the Eastern Bloc, or S. Korea, or some
University dorm... (I've seen all 3 of these scenarios).
So, the common mistake I've seen is that people trust their own AP,
when it can be compromised via:
- cracked WEP keys (trivial, though relatively time-consuming [read:
kismet])
- cracked WPA keys (less trivial, very time consuming [read: kismet
again])
- spoofed MAC addresses for MAC based AP access: (trivial,
netStumbler and knowledge of how to configure MAC address of a given
OS/Nic)
With that, beyond real-time sniffing/snarfing, wireless traffic can
be trivially dumped to file, and a cracker can take all the cpu time
they want to crack WPA/WEP traffic.
SSH (or a VPN) can be used in protecting your traffic in all these
cases, quite nicely- but to protect your AP from resource-based
attacks, (some jerk soaking/using your line to do nasty things), I
find it simplest to just change keys regularly, since it takes a
relatively long amount of time to work out cracking them. Also,
keeping an eye on your network using Arpwatch, or a packet sniffer,
can possibly save you a headache.
--
2) Cafe' internet access can often be *very* dirty wires. Not only
can somebody in Russia sniff packets and cause MITM chaos, it's way
more likely, insomuch as Cafe' AP's are manned by employees focused
on serving Coffee/Food, not securing the AP.
With that, in NYC more and more, I see people clog the entire cafe
connection with limewire, or gaming traffic- making it totally
useless to even check email, and making remote ssh shells so
unresponsive they're almost useless.
With that, I highly recommend grabbing a copy of ettercap, and
reading the man pages on how to use it. An ike-quickstart to
ettercap-ng is to install it (ports makes it much easier, believe
me...), and try the Curses interface like so:
ettercap -C -i en1
You can sniff traffic passively, or by performing ARP or IP based
MITM- easily find network abusers, and cleanly kill connections that
are hogging the wires. Kind of sucks to have to work to get a decent
connection, but I've found it's often necessary to get anything
bloody done at public Wireless Hotspots...
Remember though, with such great power, comes great responsibility-
(read: don't be a jerk with that samurai sword).
>
> As convenient as it may be if there is any risk.. I would just stay
> wired...
Basically, it's more or less the same as any physical wire; it's
insane to trust any important packets to any unencrypted line.
Rocket-
.ike
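The localhost-only proxy behind an SSH tunnel described in the post, as an added example that is not part of the original message or of tinyproxy itself. It uses tinyproxy's real `Port`, `Listen` and `Allow` directives, but the two config fragments are constructed and `user@proxyhost.example` is a placeholder.

```shell
#!/bin/sh
# Added example: check that a tinyproxy config only listens on localhost,
# then build the ssh command that reaches it through a tunnel.

# Constructed weak config: no Listen line, so tinyproxy binds every
# interface and anyone who can reach the server can relay through it.
WEAK_CONF=$(cat <<'EOF'
Port 8888
Allow 0.0.0.0/0
EOF
)

# Constructed hardened config: bind and allow only the loopback address;
# the only way in is the ssh tunnel terminating on the server itself.
SAFE_CONF=$(cat <<'EOF'
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
EOF
)

# proxy_is_localhost_only CONFIG_TEXT
# Returns 0 when the config Listens on 127.0.0.1 and Allows only loopback
# clients; returns 1 otherwise (a missing Listen means all interfaces).
proxy_is_localhost_only() {
    conf=$1
    listen=$(printf '%s\n' "$conf" | awk '$1=="Listen"{print $2}')
    bad_allow=$(printf '%s\n' "$conf" | awk '$1=="Allow" && $2!="127.0.0.1"{print $2}')
    [ "$listen" = "127.0.0.1" ] && [ -z "$bad_allow" ]
}

# proxy_port CONFIG_TEXT -> prints the Port value (tinyproxy default 8888)
proxy_port() {
    p=$(printf '%s\n' "$1" | awk '$1=="Port"{print $2}')
    printf '%s\n' "${p:-8888}"
}

# tunnel_command CONFIG_TEXT USER@HOST -> prints the ssh command that
# forwards the same local port to the proxy on the server's loopback.
tunnel_command() {
    port=$(proxy_port "$1")
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$port" "$port" "$2"
}

if proxy_is_localhost_only "$SAFE_CONF"; then
    tunnel_command "$SAFE_CONF" "user@proxyhost.example"
    # then point the laptop's browser/mail client at 127.0.0.1:8888
fi
```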