Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.sys.mac.system > #94839 > unrolled thread

Hidden SSID is Security Risk?

Back to article view | Back to comp.sys.mac.system

Contents

  Hidden SSID is Security Risk? Davoud <star@sky.net> - 2016-09-27 21:20 -0400
    Re: Hidden SSID is Security Risk? nospam <nospam@nospam.invalid> - 2016-09-27 21:27 -0400
      Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-28 01:38 +0000
    Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-28 01:34 +0000
      Re: Hidden SSID is Security Risk? nospam <nospam@nospam.invalid> - 2016-09-27 21:36 -0400
        Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-28 02:08 +0000
          Re: Hidden SSID is Security Risk? Patty Winter <patty1@wintertime.com> - 2016-09-28 04:40 +0000
            Re: Hidden SSID is Security Risk? befr@eaglesoft.de (Bernd Fröhlich) - 2016-09-28 08:59 +0200
              Re: Hidden SSID is Security Risk? Patty Winter <patty1@wintertime.com> - 2016-09-30 01:27 +0000
                Re: Hidden SSID is Security Risk? Davoud <star@sky.net> - 2016-09-30 13:20 -0400
          Re: Hidden SSID is Security Risk? "Happy.Hobo" <Happy.Hobo@Spam.Invalid> - 2016-09-28 12:40 -0500
            Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-28 17:46 +0000
      Re: Hidden SSID is Security Risk? Patty Winter <patty1@wintertime.com> - 2016-09-28 04:39 +0000
        Re: Hidden SSID is Security Risk? Lewis <g.kreme@gmail.com.dontsendmecopies> - 2016-09-28 05:03 +0000
          Re: Hidden SSID is Security Risk? Alan Browne <alan.browne@freelunchvideotron.ca> - 2016-09-28 20:07 -0400
        Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-28 16:41 +0000
          Re: Hidden SSID is Security Risk? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2016-09-28 13:32 -0400
            Re: Hidden SSID is Security Risk? Alan Browne <alan.browne@freelunchvideotron.ca> - 2016-09-28 20:11 -0400
      Re: Hidden SSID is Security Risk? Alan Browne <alan.browne@freelunchvideotron.ca> - 2016-09-28 20:05 -0400
        Re: Hidden SSID is Security Risk? Davoud <star@sky.net> - 2016-09-28 23:22 -0400
          Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 04:06 +0000
        Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 04:06 +0000
          Re: Hidden SSID is Security Risk? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2016-09-29 15:47 -0400
            Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 21:01 +0000
              Re: Hidden SSID is Security Risk? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2016-09-29 18:10 -0400
          Re: Hidden SSID is Security Risk? "Happy.Hobo" <Happy.Hobo@Spam.Invalid> - 2016-09-29 16:39 -0500
    Re: Hidden SSID is Security Risk? Alan Browne <alan.browne@freelunchvideotron.ca> - 2016-09-28 19:59 -0400
      Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 00:20 +0000
        Re: Hidden SSID is Security Risk? Alan Browne <alan.browne@freelunchvideotron.ca> - 2016-09-28 20:39 -0400
        Re: Hidden SSID is Security Risk? "Happy.Hobo" <Happy.Hobo@Spam.Invalid> - 2016-09-29 16:47 -0500
          Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 21:54 +0000
            Re: Hidden SSID is Security Risk? Jolly Roger <jollyroger@pobox.com> - 2016-09-29 21:56 +0000

Page 2 of 2 — ← Prev page 1 [2]

#94915

Davoud <star@sky.net> wrote:
> 
> BTW, the router in question--the one Apple tells me to reconfigure to
> reveal the SSID--is an Apple-brand Airport Base Station. So why did
> Apple make it capable of hiding the SSID if that's Bad?

Yep. And why didn't they give you a warning when you hid it on the router?
Seems sloppy to me.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [next] | [standalone]

#94914

Alan Browne <alan.browne@freelunchvideotron.ca> wrote:
> 
> So what's the message?
> 
> If user A uses his home or company hidden WiFi SSID and he's out and 
> about in the world, that SSID is being ping'd about looking for mama WiFi.
> 
> If someone else (mr. X) happened to discover that SSID (back home where 
> it is) and logged the coordinates of it (but not able to use it), then 
> whoever in the world broadcast that same SSID pinging to find mama could 
> be linked to "A"'s home/work WiFi area.
> 
> A bit of very obscure identity tracking?  Is that what Apple are worried 
> about?

That seems to be the case. The chances of this happening combined with the
low impact even if it did happen are why I wouldn't bother displaying any
message at all if it were my decision. And if I did display a message, I'd
definitely word it far differently.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [next] | [standalone]

#94937

On 2016-09-29 00:06, Jolly Roger wrote:

> That seems to be the case. The chances of this happening combined with the
> low impact even if it did happen are why I wouldn't bother displaying any
> message at all if it were my decision. 


Sicne your phone, when not connected, will constantly send out an
attempt to connect to any/all known hidden SSIDs in its list, what those
packets contain becomes important.

If it is just a "hello are you there?" , then that is fine. But if that
packet contains some encrypted login information that can relatively
easily be decrypted, then you are exposing youself. Consider industrial
spy that follows a Monsanto scientist at an airport, gets that packet,
spends time to decrupt it and eventually travers to monsanto facility
and is able to login.

[toc] | [prev] | [next] | [standalone]

#94939

JF Mezei <jfmezei.spamnot@vaxination.ca> wrote:
> On 2016-09-29 00:06, Jolly Roger wrote:
> 
>> That seems to be the case. The chances of this happening combined with the
>> low impact even if it did happen are why I wouldn't bother displaying any
>> message at all if it were my decision. 
> 
> Sicne your phone, when not connected, will constantly send out an
> attempt to connect to any/all known hidden SSIDs in its list, what those
> packets contain becomes important.
> 
> If it is just a "hello are you there?" , then that is fine. But if that
> packet contains some encrypted login information that can relatively
> easily be decrypted

WiFi probe requests don't contain login information. And WPA2 encryption
isn't easily decrypted either. I'd tell you to do your research, but I know
you'd rather just spout off bullshit from a position of ignorance. 

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [next] | [standalone]

#94947

On 2016-09-29 17:01, Jolly Roger wrote:

> WiFi probe requests don't contain login information. And WPA2 encryption
> isn't easily decrypted either.

The first sentence is all that is needed.

So, if a probe request contains no identifying information, except the
BSSID of the hidden network, is there much harm is having those probe
requests go out at some airport where everyone can see it ?

If someone knows there is a hidden network around, can't he just do
packet traces and found out about it ?

[toc] | [prev] | [next] | [standalone]

#94940

On 09-28-2016 23:06, Jolly Roger wrote:
> That seems to be the case. The chances of this happening combined with the
> low impact even if it did happen are why I wouldn't bother displaying any
> message at all if it were my decision. And if I did display a message, I'd
> definitely word it far differently.

Anyone whose secrets merit worrying about such things either already 
knows and doesn't need the message, or is sufficiently incompetent to be 
easily cracked in some other way.

[toc] | [prev] | [next] | [standalone]

#94892

On 2016-09-27 21:20, Davoud wrote:
> I opened my iPhone's WiFi settings to choose a different one of my
> several wireless networks, all of which have hidden SSIDs. I saw the
> message "Using a hidden network can expose personally identifiable
> information. Configure your router to broadcast this network."
>
> Huh? What personal information?
>
> I'm not laboring under any delusions about hidden SSIDs providing a lot
> of extra security‹I do that with proper passwords‹but I wasn't
> expecting to see that a hidden SSID may compromise security.

SSID's don't provide less or more security.  They're just not obvious to 
casual observation by a casual WiFi user looking to hook up.

Some people or companies use hidden SSID's as a layer of protection 
against hackers.  Against any hacker who really wants to know there are 
tools that will discover the hidden SSID as soon as anyone in the know 
hooks up to it.  It's a very thin bit of obfuscation.

The best defense WiFi station side is a strong WPA2 or higher access 
scheme with a long, random char password.

-- 
She hummed to herself because she was an unrivaled botcher of lyrics.
   -Nick (Gone Girl), Gillian Flynn.

[toc] | [prev] | [next] | [standalone]

#94898

On 2016-09-28, Alan Browne <alan.browne@freelunchvideotron.ca> wrote:
> On 2016-09-27 21:20, Davoud wrote:
>> I opened my iPhone's WiFi settings to choose a different one of my
>> several wireless networks, all of which have hidden SSIDs. I saw the
>> message "Using a hidden network can expose personally identifiable
>> information. Configure your router to broadcast this network."
>>
>> Huh? What personal information?
>>
>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>> of extra security‹I do that with proper passwords‹but I wasn't
>> expecting to see that a hidden SSID may compromise security.
>
> SSID's don't provide less or more security.  They're just not obvious to 
> casual observation by a casual WiFi user looking to hook up.
>
> Some people or companies use hidden SSID's as a layer of protection 
> against hackers.  Against any hacker who really wants to know there are 
> tools that will discover the hidden SSID as soon as anyone in the know 
> hooks up to it.  It's a very thin bit of obfuscation.

Yes, and because of that, it's quite silly for that purpose. I can se
hiding your SSID to discourage relative novices from trying to connect;
but you'd have to be naive to think it is in any way protection from
people who are knowledgeable about networking.

> The best defense WiFi station side is a strong WPA2 or higher access 
> scheme with a long, random char password.

True, though it doesn't have to be random if it's of sufficient
length. I use complete sentences with spaces and punctuation, which
makes them easy to remember, unique, and very secure.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [next] | [standalone]

#94904

On 2016-09-28 20:20, Jolly Roger wrote:
> On 2016-09-28, Alan Browne <alan.browne@freelunchvideotron.ca> wrote:
>> On 2016-09-27 21:20, Davoud wrote:
>>> I opened my iPhone's WiFi settings to choose a different one of my
>>> several wireless networks, all of which have hidden SSIDs. I saw the
>>> message "Using a hidden network can expose personally identifiable
>>> information. Configure your router to broadcast this network."
>>>
>>> Huh? What personal information?
>>>
>>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>>> of extra security‹I do that with proper passwords‹but I wasn't
>>> expecting to see that a hidden SSID may compromise security.
>>
>> SSID's don't provide less or more security.  They're just not obvious to
>> casual observation by a casual WiFi user looking to hook up.
>>
>> Some people or companies use hidden SSID's as a layer of protection
>> against hackers.  Against any hacker who really wants to know there are
>> tools that will discover the hidden SSID as soon as anyone in the know
>> hooks up to it.  It's a very thin bit of obfuscation.
>
> Yes, and because of that, it's quite silly for that purpose. I can se
> hiding your SSID to discourage relative novices from trying to connect;
> but you'd have to be naive to think it is in any way protection from
> people who are knowledgeable about networking.

Makes me wonder why there isn't a more secure fashion to find a hidden 
SSID such as an encrypted hidden SSID based on a SSID, common code, 
unique subscriber code, date and time of day changing at the top of each 
minute.  That way the "enemy" can record all of the requests he wants, 
he'll never be able to re-use anything nor compute the codes.  And on 
top of that, the shared secret password.

Just have to make sure all of the clocks are sync'd - which in the era 
of ntp is no big deal.

>> The best defense WiFi station side is a strong WPA2 or higher access
>> scheme with a long, random char password.
>
> True, though it doesn't have to be random if it's of sufficient
> length. I use complete sentences with spaces and punctuation, which
> makes them easy to remember, unique, and very secure.

Which wouldn't pass a security audit.  Not to disagree with you - just 
the way the auditing weenies are programmed.

At work we use several short words - with random placed caps, number 
fields of 4 or 5 chars and each group separated by the odd chars.

Like:	eCho-29745)torqUe&28471*AztEc

Not easy to remember, but easy to type in once in a blue moon when needed.

-- 
She hummed to herself because she was an unrivaled botcher of lyrics.
   -Nick (Gone Girl), Gillian Flynn.

[toc] | [prev] | [next] | [standalone]

#94941

On 09-28-2016 19:20, Jolly Roger wrote:
> Yes, and because of that, it's quite silly for that purpose. I can se
> hiding your SSID to discourage relative novices from trying to connect;
> but you'd have to be naive to think it is in any way protection from
> people who are knowledgeable about networking.

If you don't have anything to hide, the snoops aren't go to bother.  So 
the hidden SSID would have the small benefit of keeping the kiddies from 
wasting your bandwidth.  (Although your WiFi is probably much slower 
than your wired connection anyway.)

[toc] | [prev] | [next] | [standalone]

#94943

On 2016-09-29, Happy.Hobo <Happy.Hobo@Spam.Invalid> wrote:
> On 09-28-2016 19:20, Jolly Roger wrote:
>> Yes, and because of that, it's quite silly for that purpose. I can se
>> hiding your SSID to discourage relative novices from trying to connect;
>> but you'd have to be naive to think it is in any way protection from
>> people who are knowledgeable about networking.
>
> If you don't have anything to hide, the snoops aren't go to bother.

That's foolish reasoning. With the vast dearth of oversight into how
police departments and other government agencies are gathering and using
data about innocent citizens without due cause or court order, if it can
be abused, it likely is (or will be) abused, as Edward Snowden and
others have already shown the public.

> So the hidden SSID would have the small benefit of keeping the kiddies
> from wasting your bandwidth.

No. Hiding the SSID only discourages the most casual users from seeing
and connecting. It doesn't prevent anyone know knows anything from
seeing the network, and it *definitely* has *nothing* to do with
preventing anyone from connecting - that's what strong encryption (WPA2,
etc) does.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [next] | [standalone]

#94945

On 2016-09-29, Jolly Roger <jollyroger@pobox.com> wrote:
> On 2016-09-29, Happy.Hobo <Happy.Hobo@Spam.Invalid> wrote:
>> On 09-28-2016 19:20, Jolly Roger wrote:
>>> Yes, and because of that, it's quite silly for that purpose. I can se
>>> hiding your SSID to discourage relative novices from trying to connect;
>>> but you'd have to be naive to think it is in any way protection from
>>> people who are knowledgeable about networking.
>>
>> If you don't have anything to hide, the snoops aren't go to bother.
>
> That's foolish reasoning. With the vast dearth of oversight into how
> police departments and other government agencies are gathering and using
> data about innocent citizens without due cause or court order, if it can
> be abused, it likely is (or will be) abused, as Edward Snowden and
> others have already shown the public.
>
>> So the hidden SSID would have the small benefit of keeping the kiddies
>> from wasting your bandwidth.
>
> No. Hiding the SSID only discourages the most casual users from seeing
> and connecting.

s/and connecting//

> It doesn't prevent anyone know knows anything from
> seeing the network, and it *definitely* has *nothing* to do with
> preventing anyone from connecting - that's what strong encryption (WPA2,
> etc) does.

s/connecting/authenticating/

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[toc] | [prev] | [standalone]

Page 2 of 2 — ← Prev page 1 [2]

Back to top | Article view | comp.sys.mac.system

csiph-web