Wireless Security

[trawler69]

I use WEP rather than WAP as I am in a low risk area ie. hardly any residences within radio reach. I have non default passwords on both router and modem and have router access limited to 8 known mac addresses. I check the router log fairly regularly.

I know the data can be read but anyone who wishes to do so will be fairly conspicuous from the fact they will be sitting in a dinghy in the middle of the river with a laptop. They will however find it hard to connect and while they try the torpedos will be being armed.

 

[iklier]

oooh good topic. As for this list there are a few things that people should know; first don't use WEP it might stop your elderly neighbors from accidently using your wireless but to anyone between the ages of 10-50 it's a minor roadblock that can be beaten with free software, in under an hour. As for WPA it is a much stronger system, but if your router offers it use WPA2. The last two bullet are easy to overcome with the same free software tools that you can use to crack WEP.
Another thing to remember is to set your router and access point login password to something other than the default one from the factory.

A good tip is to adjust the routers transmitter power. By adjusting this setting you can shrink the coverage area of your wireless network to mostly just within your house/apartment/etc.

 

[Marbas]

I set up my wireless router (some sort of Linksys thingy) months ago; I seem to recall choosing the 'highest level of security' listed in the guide, but I have no idea what it was. My router has worked flawlessly since I set it up, and I've never really given it a second thought. I'll have to check it out and see what security it's using.

 

[Marbas]

I remember setting a password, a strong one with lots of letters and numbers so, hopefully, no exposure for me.

 

[trawler69]

No one's getting their aerial on my wireless network!!

(it's a Faraday cage radio can't get in or out)

 

[Marbas]

^
With that and the torpedos you should be pretty secure.

 

[trawler69]

Some of us welcome the occasional invasion by a torpedo!

 

[Marbas]

^
How do I do that? Is part of Windows or part of the router?

 

[trawler69]

it's part of windows^

 

[Marbas]

So, any idea how I go about disabling this 'remote administration' business?

 

[davy]

all very good ideas.

consider using easier approaches too:

change the name of your essid every-so-often. an enormous majority of people trying to break in don't really know what they're doing (ie script kiddie). when you change the name you'll cause a whole world of problems for them.

shut of your wireless connection from time to time. next time you head off to work, unplug your router and head out the door. (plug it back when you get home). even with wpa or wep enacted, people can still break in by listening in on the frequencies. when the transmissions stop; they can't break in. if you're lucky, they'll just give up and try another network.

there's a few more i'm too tired to remember right now.

 

[teadrinker]

From some security notes I have (WAP: Wireless Access Point). It amazes me always how little people know, or care, about computer and network security. It's mostly common sense, and a bit of know-how.

Update default passwords: Many WAPs come from the manufacturer with no password installed: the password field is often left blank. This opens up the network to all sorts of attacks. Replacing the default password with a strong password is essential.

Establish proper encryption settings: This means replacing the insecure WEP with WPA, or even better, WPA2. WPA2 uses the AES (Advanced Encryption Standard) cryptosystem for encryption; WPA, which was created as a sort of "stop-gap'" measure to counter the insecurities in WEP, uses a cryptosystem called RC4, but with dynamically changing keys.

This is often not done; a survey of over 2,500 WAPs in Indianapolis revealed that nearly half of them were not running any sort of encryption. In fact:

"People just really don't care about Wi-Fi security, and open Wi-Fi at home is a nice big target. Defaults [settings] are king.''

Control the reset function: Many WAPs have the ability to be reset to a factory default, either by pressing a key, or by inserting a pointed object into a ``reset'' hole. This will cause the WAP to revert to factory settings: often no passwords and no encryption. To avoid this, the WAP should be kept itself in a secure place, and checks of the equipment should be done regularly, including of system logs.

Change the SSID: The Service Set Identifier (SSID), is the name which identifies your WAP. It is usually an ASCII string, of variable length. A default SSID is set with your equipment. This should be changed: it prevents hackers from recognizing your hardware, and so making hardware-specific attacks.

Disable broadcast SSID: Most WAPs advertise their presence by broadcasting their SSIDs; to log in to the network, you look at the list of SSIDs presented by your software, and login to whichever one you have access. But the problem here is making yourself known in the first place. If the broadcast is disabled, a general wireless sweep will not reveal your WAP; instead you will have to perform an active search on the SSID name.

Enable MAC address filtering: Every network device has a a unique identifier Media Access Control address; usually a string of 12 hexadecimal characters in pairs, separated by a hyphens or colons, such as: 00:12:F0:00:CB:7D. MAC address filtering only allows devices with address listed in a table to access the WAP. This is in fact easy to outwit: addresses are transmitted in plaintext, so can be captured, and a hacker can very easily "spoof'' the address by changing his own MAC to that of a recognized MAC.

However, as part of a general defense-in-depth strategy, for a small network such filtering should be enabled.

Note that some people don't consider wireless security a major issue, as long as the rest of the network is secure. Says Bruce Schneier ``I have a completely open Wi-Fi network. Firstly, I don't care if my neighbours are using my network. Secondly, I've protected my computers. Thirdly, it's polite. When people come over they can use it.'' (Later on, in his blog on http://www.schneier.com/blog/archives/2006/06/schneier_asks_t.html, Schneier said that: ``For the record, I have an ultra-secure wireless network that automatically reports all hacking attempts to unsavory men with bitey dogs.'')

As well as securing the access point, the clients (the laptops or other wireless equipment) must be secured:

Disable wireless when not being used:I If you are in a wired environment, or if you are offline: \emph{turn off or disable your wireless hardware}. This prevents hackers from using your wireless hardware to obtain access to the network---even if you are not logged in using wireless---or gaining control of your laptop.

Enable a firewall: This is just good sense!

Disable file sharing: Again, a standard security recommendation, but more highly desirable in a wireless setting, where the less ``openings'' available to a hacker, the better.

The "take home message'' with wireless security is this: properly configure your access points and wireless clients, regularly update software, implement proper authentication (good, strong passwords) and intrusion detection systems, perform security audits (check system logs!), and enable effective encryption.

That'll do for now.

-T.

 

[trawler69]

^ I do beg your pardon I was thinking about remote assistance as being part of windows, rather than access or administration which are for the router (it was 4:10 am)

 

[Marbas]

Thanks for all the good advice guys; I really need to check all my security settings just to be safe.

 

[gabriel1]

No one's getting their aerial on my wireless network!!

(it's a Faraday cage radio can't get in or out)

Even before I saw the caption, I chuckled and said a Faraday cage. I remembered this from an old Perry Mason on TV.