Originally Posted by SpaceBass
Join the club!
Mrs. SpaceBass thinks I'm a freak... "why do I have to change my password every 90 days? and why does it have to be so complex?" Edit: This is also a principle thing for people remembering/writing passwords in general. I have a very odd memory; I have a very bad memory for names and faces, but have absolutely no problem remembering tons of passwords, email addresses, and IP addresses. I can probably come up with several dozen IP addresses for current and past servers, routers, and switches off the top of my head... but completely forget someone who I just met an hour ago.
Originally Posted by SpaceBass
I use 64 bit passwords on my wireless APs...
<-- Very paranoid! :) (And perhaps rightfully so. I've been hit by a total of one piece of malware in my years of computing; a fairly harmless Mac OS 7 virus when I was 10 or so. All it did was speak something strange via the horrible speech synthesis at the time when you booted up. :))
Originally Posted by SpaceBass
What I think is a bigger risk is the WiFi network in hotels. It's become trivial to do a little ARP cache poisoning and become the man in the middle.... There are tools out there that are scary in how robust they are....they'll record voip calls, capture passwords, crack hashed passwords... I don't do anything without VPN on a public network.
As far as WEP goes, just look up Newsham's 21-bit attack. Just as bad as the weak IV frames go. If you aren't using WPA (preferably WPA2), you really should be. I've (with consent) cracked several WEP networks using Newsham's 21-bit attack with all of 2 or 3 minutes of packet gathering then 15 seconds of cracking on my 1.67GHz PBG4. Only downside is having guests over... you can certainly just give them the password, but with how cheap APs are, when at home I've found myself just having a second open AP with fairly draconian filtering on it for guests to use.
Originally Posted by karthik
I'll have to graciously disagree with you on this point. I think it's a very bad idea to enforce semi-regular (e.g., less than every 6 months) password changes! In my experience, doing so causes people to pick LESS secure passwords and then do stupid things like write them down in their wallet since they can't remember the new passwords that they have to keep changing.
Despite what I posted, I actually had to make my wife's password static. Lately I've personally been using a passphrase over 14 characters and I do change it often....but my account is also a domain admin account...something I also need to move away from. I've discovered with OS X and (some) Linux distros, it's easy to operate as a regular user...unlike Windows...go figure, Windows server may be one of the better server platforms but it's more secure to use it with OS X as a client... Anyway, I don't think your disagreement is out of place at all. It's a GREAT recommendation, provided people actually understand security...in that it's not something to make your life hard, but to keep (someone's) data safe. I bet you are correct- if corporations enforced long passphrases rather than changing every 60 - 90 days, things might be a lot stronger... of course I work for a major health care organization. We have VPN with one time passwords, mandated security training...the works... but we still send patient records/data via FTP...makes me sick!
Originally Posted by karthik
Yes—this is very scary indeed. I hadn't realized there were tools out there to just record VOIP calls but that makes perfect sense; I think I'll be setting up a more robust VPN to my Unix boxes back home.
As far as WEP goes, just look up Newsham's 21-bit attack. Just as bad as the weak IV frames go. If you aren't using WPA (preferably WPA2), you really should be. I've (with consent) cracked several WEP networks using Newsham's 21-bit attack with all of 2 or 3 minutes of packet gathering then 15 seconds of cracking on my 1.67GHz PBG4. Only downside is having guests over... you can certainly just give them the password, but with how cheap APs are, when at home I've found myself just having a second open AP with fairly draconian filtering on it for guests to use.

PM me if you are interested, I'll share the program that can do VoIP man-in-the-middle attacks...it's FREAKY...it runs, captures MP3s of the calls and no one is the wiser... As far as WiFi goes...I'm really nuts...I have 3 totally independent subnets....one is a wifi network with no encryption...it does force users to go to a captive portal, but that's just to (hopefully) protect me through a EULA...on my LAN I have wifi access points- but they use 64 bit wpa2 keys...and I don't share them. Besides Mrs. SpaceBass and myself, I cannot see why anyone else would need access to our lan. And if they don't have WiFi, I have a wired jack in the guest room that also diverts to the same subnet that has the captive portal.... and that subnet has no access (except for voip) to my lan. Anyway, karthik, I guess my point is: I totally agree...it's wpa/wpa2 or nothing...wep (let's forget about ssid hiding/ mac filtering) is worthless! I bet someone has a Trojan on my domain controller or router and is dying laughing at everything I type about security... :D
Originally Posted by SpaceBass
I bet someone has a Trojan on my domain controller or router and is dying laughing at everything I type about security... :D
We won't tell. :D
Originally Posted by SpaceBass
PM me if you are interested, I'll share the program that can do VoIP man-in-the-middle attacks...it's FREAKY...it runs, captures MP3s of the calls and no one is the wiser...
I've made plenty of Skype calls from places such as hotel networks or airport WiFi and transmitted credit card or banking information (out of earshot of passersby—apparently not out of earshot of anyone running VOIP-sniffing software!) Now I'm paranoid about that! I guess it's time to start VPNing all that traffic back to one of my coloed boxes (at a facility I trust as well as have access to their equipment at, so I'm not too worried about them port-mirroring my traffic to sniff it.) Maybe it's time to set up Asterisk as I've been meaning to do for a while since I can do lots of other cool stuff with it too. (That'll be great for traveling internationally with multiple cells to simultaneously ring, hotel numbers or friends' numbers where I'm staying, etc.) Email is almost more secure in this sense as long as the recipient's email isn't being monitored since I use IMAPS/SMTPS back to the same coloed boxes. So it's secure on my end until it gets out onto the "public" Internet (at which point you really only need to be concerned about Government-types watching it, and if they were they could get my credit card and banking information anyways.) My main concern is the receiver being compromised—for example, my parents owe me some money which needs to be wired to an account in the US, so I emailed them my bank routing code and asked them to call me on my UK cell, where I am at the moment, to get my account number.
Originally Posted by SpaceBass
I bet someone has a Trojan on my domain controller or router and is dying laughing at everything I type about security... :D
Thanks for the tips, I was just about to post a similar thread. I too am paranoid about logging into bank accounts etc. from public machines, particularly about keyloggers. Maybe bringing my PDA isn't a bad idea after all...
Ok, I can see being totally paranoid about using public internet cafes - I was in one once somewhere far-flung and happened to see behind the curtain - there was no Mr. Wizard, but there was a machine that looked like it was at least logging (visibly) web usage, possibly sniffing more.
I guess I don't fully understand the sheer paranoia that some people have on their home networks, unless you do a significant amount of highly sensitive work product at home? For an average Joe-user who uses his computer for checking movie times and restaurant reviews, do they really need tempest shielding, hermetically sealed cable conduit, and RSA SecurID key fobs to access the internet? Won't just enabling most of the out-of-the-box functionality in a retail-bought router be enough to discourage the average looking-for-a-free-internet-connection person? I would think that if you were that concerned about someone targeting you so specifically that they would go after your WEP keys and do traffic analysis, you must be doing some level of work that would probably justify not having wireless at all, or having a "hard" break switch between you and the 'net. I would think your first concern would be the more vulnerable stuff - physical security of your house, your mail (what, you get credit cards in the mail?), keeping nothing in your wallet but your ID and the absolute minimum - it amazes me when I see someone open their wallet and they have their SS card! Yikes! Yes, I'm familiar with Cain and some of the other MITM tools, and I've played with all the Linux-based Snarf-ing tools, but if all I wanted was a free internet connection, there are always tons of SSIDs in an area you could probably use. If you want to say that part of it is just a hobby and the "fun" of making your environment totally secure, I'm totally down with that, and I can see where part of the challenge is challenging yourself to see if you have every possible screw turned. But to think that there are people out there targeting you specifically and willing to go to (not difficult) lengths just to get to your cable modem seems like a stretch. This is all discussion about home networking, of course, in hotels and especially the random internet cafes, all bets are off!
Answering one of the questions in the original posting, I just saw a reference (on Slashdot) to HotSpotVPN. It is a VPN service for laptops (PC, Linux and Mac), cellphones, PocketPC and Palm devices. The cost is roughly $10 per month.
Originally Posted by DMSFCA
...I guess I don't fully understand the sheer paranoia that some people have on their home networks, unless you do a significant amount of highly sensitive work product at home....
If the bad guys were able to remotely install a keystroke logger / screen capture utility on my machine and collect that information, it could cause some pretty stressful situations. Other FlyerTalkers may have information as to whether it is possible to remotely install that kind of malware.
Originally Posted by karthik
I found the software you're talking about—that is pretty scary. Maybe it's time to set up Asterisk as I've been meaning to do for a while since I can do lots of other cool stuff with it too.
Asterisk rocks! The new trixbox ISO makes it pretty darned easy too. SIP with security isn't that great right now, but at least VPN will help protect you to your endpoint.
Originally Posted by DMSFCA
I guess I don't fully understand the sheer paranoia that some people have on their home networks, unless you do a significant amount of highly sensitive work product at home?
I know that sounds harsh, and I don't mean it to be condemnatish towards your comment at all. What I mean is that each person who wants to protect their network has their own reasons. For instance, my wife and I use our Outlook email server with web access through SSL to exchange things like credit card numbers all the time. We don't have the same numbers/accounts and if she wants to use mine I can send it knowing it never leaves our system....just an example... Another example might include someone using your connection to do something malicious. To which one might respond, well the neighbor has a wide open AP, so they'd use his...and I'd say security through obscurity isn't security. I don't use a twist-tie on my door b/c my neighbor keeps his door unlocked... I'm also a hypocrite- I run an open AP. It's also firewalled off from my network entirely and has a captive portal with terms of service...which may indemnify me....according to a lawyer there hasn't been a case in Virginia yet where someone has gotten in trouble for someone else using their connection...provided your ISP is cool.... I like knowing my network is as secure as I want it to be...
You know, really, unless you're unlucky or rich, or probably both, you're pretty safe.
My policy is to never do anything in a hotel. I have auto billpay on everything and my on-line checking check-writing and wire features are disabled at the bank, so I can check my balance, whoopee. Of course, it's a lot cheaper to intercept your cell phone or tap the PBX than it is to snoop your wifi and keylog you. When was the last time you gave someone your credit card number?
Originally Posted by TierFlyer
Of course, it's a lot cheaper to intercept your cell phone or tap the PBX than it is to snoop your wifi and keylog you. When was the last time you gave someone your credit card number?
But I find free software and a $200 laptop with wifi to be about as easy as it gets to intercept wifi and to MITM attacks... I called a hotel in Bordeaux, using VoIP, from a hotel, two days ago and have to give a CC number. Granted, I have to trust the entire chain of that telephone call...but I know it wasn't listened to from inside the hotel! But again, in the end, it's what you are comfortable with- I just think people should fully understand the situation and make up their own minds. How hard is it to turn on WPA2 and use a 64 bit key? How hard is it to find an SSL website for your bank or a VPN solution? For my mother that's pretty close to impossible. For my father, it just took me saying "dad, use VPN when you're not in the office"... for others they might say "it's not worth it for me"...just as long as they make that an informed choice. In regards to being unlucky or rich...I tend to be more of one than the other...wanna guess (hint: I'm not rich). But I do carry the medical records of about 5,000,000 people on my laptop...and I'm not going to be THAT guy on CNN (knock on wood)...
Credit Cards Bill Payments?
Originally Posted by TierFlyer
...I have auto billpay on everything....