The unvarnished truth about unsecured Wi-Fi
Posted on 11/01/2010 9:50:50 PM PDT by Wooly
Chances are you don't leave your front door unlocked. And you shouldn't leave your Wi-Fi network unsecured either.
Many of you may have heard this before, but many still seem to not be doing anything about it. You should. Here's why. With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can capture passwords, e-mail messages, and any other data being transmitted over your network, and even decrypt data that is supposedly protected.
(Excerpt) Read more at news.cnet.com ...
I get better internet reception in my backyard from somebody's unsecured connection than I do my own.
Played much music and FR off of it last summer.
Google has admitted capturing unsecured wi-fi info as part of its Street View project.
They say they have no plans to use that data but if so, why capture it in the first place?
Put encryption on your network with a secure password. And remove the advertising of your wi-fi name. If people want on, they would need the name as well as the password. If your wi-fi name doesn't show then people won't try to get in.
As an information security professional, I have to second this. I have heard, from numerous sources, the following description of wireless internet: wireless internet is the equivalent of carpeting a one-mile-radius area around your house with live ethernet jacks connected directly to your network. As noted above, with the right antenna, any 10-year-old kid can own your network within 2 minutes if you’re using WEP encryption, or less time if you don’t encrypt your network (and you’d better believe that there are a lot of bored 10-year-olds out there who will do exactly that).
To be secure, use WPA or WPA2 encryption, preferably with AES rather than TKIP. Use a non-dictionary password. The best ones have numbers and symbols included. This is to prevent the use of “rainbow tables”, which are basically huge files of passwords used to brute-force attack the newer encryptions. An example would be to use the first letters of all the words in a long phrase, with numbers mixed in in place of some words, thus: I Watched Lord Of The Rings 2 Times Last Night!, which produces IWLORT2TLN!
Make sure you change that phrase a couple of times a year at least.
Hiding the SSID (the network name) is not a valid security measure any more. These days, the programs “hackers” use to search wireless will detect the SSID from any network activity, since it is broadcast in the clear anytime a device communicates across the network. Actually, those programs have been capable of detecting a non-broadcast SSID for at least 5 years now.
“I Watched Lord Of The Rings 2 Times Last Night!, which produces IWLORT2TLN!”
THAT is a great idea/way of remembering an arcane password. Thank you!
While I don't disagree with the sense of your comment, let me add this: If you're using WPA2 encryption, and have a strong passphrase on it, you aren't really risking anything by broadcasting your WiFi SSID (name). And your legit guests with notebooks will appreciate being able to find it easily.
Sorta like, your house has a street number on it. Is that a risk? The lock on the door is what keeps the bad guys out -- covering up the street number only makes it harder for your legit guests to find your house.
That said, if you don't have guests who need WiFi, hiding the SSID certainly doesn't do any harm.
Actually, "I Watched Lord Of The Rings 2 Times Last Night!" produces "IWLOTR2TLN!", not "IWLORT2TLN!".
Computers can be SO picky, ya know... :)
FWIW, I use a similar scheme with a line of lyrics from favorite songs... works like a champ.
Guess I'm paranoid. I shut down my wi-fi when I'm not actively using it. I guess that's like hiding the door with a false wall.
A $50 wireless antenna?
Those are some wealthy hackers.
All you need is a $5 Chinese wok, a $10 wifi card, a few flatwashers and a drinking straw.
Network passwords can be written down, and need not be remembered. You don’t need to worry about someone seeing it.
It is for that reason that I generate network passwords with my eyes closed. Pounding on the computer keyboard tends to generate nice long somewhat random blends of letters, numbers and symbols.
I also have the same SSID and password in use at my son’s apt at school. He also has one of those super long-range antennas that allows him to access the on-campus network from a couple blocks away. The on-campus network has access to online subscription-only research databases and he can get to them from home. The long-range link runs slower, but it does work.
Lock up your WIFI. Lest your liberal neighbors find out you’re a Freeper.
LOL. I live way out in the boonies, can't see a neighbor in any direction, have a 2000' rough gravel driveway up the side of a hill... and while I do have a copper telephone line for DSL, I am off the power grid, and all my electricity comes from the sun via photovoltaic panels.
So... my personal WiFi, like yours, gets shut down when I'm not using it, but that's to save electricity. :)
I don't bother with any security on that WiFi, because the only people who come anywhere near close enough to use it are my family and friends. No one else is crazy enough to come up that driveway. And it's only on when I'm here, and I can see who's within 1000 feet of the house.
But my downtown and business WiFi -- strictly WPA2, and 12-character strong passphrases.
Could somebody please tell me how I would find out if I am locked up? or encrypted? I am on Comcast with Norton Utilities, does that cover me? Be kind, I am a senior.
I’m almost a senior. But a true idiot when it comes to this kind of stuff so bookmarking!
We have a friend who got better reception off of her neighbors’ unsecured WiFi than she did off of the wireless router her provider supplied. I’ve also “borrowed” my neighbors’ unsecured WiFi in a pinch when my provider goes down.
Look at the post directly above yours. Do you see the one that says unsecured wireless networks?
To get to that screen, look under your START menu for “Connect to”. Open the “Wireless network connection”. At the bottom of that box, there is a “view wireless network” button. Click on it, and it will take you to the screen you see for the post above you. Look at your network. Does it say Secured, or Unsecured?
Make sure you change that phrase a couple of times a year at least.
Fine. But what do you recommend if you are stuck in a hotel with a wireless connection? Is there any way to protect your passwords?
Thank you so much for your attention. I followed your directions, found the screen, had 4 icons on it. Two were security enabled but the one I was on did not say anything.
I clicked on properties and it said Security: WPA Personal and TKIP Encryption type.
Does all that mean I am secure? Thank you.
The password I was referring to was the one you enter on your laptop to connect to your home wireless router (the one you have configured on the router). To protect your passwords on a public wireless network like at a hotel, you can do a few things. First, you can use https connections for any sensitive things you do, though that can be risky as some pages don’t encrypt the whole thing and if you’re not an expert it’s not always easy to tell. Another thing you can do is set up a VPN tunnel over the hotel connection, but you have to have a computer on the other end to complete the tunnel; you can’t just tunnel to anywhere. The most secure thing you can do is not visit any web pages that you need to protect the passwords for (bank, medical account, email, etc). Either get a cell modem for those pages, or wait until you can get to a trusted wired network.
I authorize only two MAC numbers on my router, one for each laptop.
"Here's a chapter right out of 'Home Network Security Simplified' that you'll end up showing to every member of your family. It's an easy-to-follow explanation of how to make sure that your home network is secure--why it's important, and amazingly, how few of us actually do it."
By Jim Doherty, Neil Anderson
Securing a wireless network--The basics--Part I
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=QN5IOL1WI2HAMQSNDLSCKHA?articleID=197003923
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=YBGRLZ3HARN0XQE1GHOSKHWATMY32JVN?articleId=197003923&pgno=2
Securing a wireless network--The basics--Part II
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=10YJRWHFMDXQCQSNDLPSKHSCJUNN2JVN?articleID=197004714
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197004714&pgno=2
Page 3 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197004714&pgno=3
Securing a wireless network--The basics--Part III
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=DXLNYEIGK35N2QSNDLRSKH0CJUNN2JVN?articleID=197005104
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197005104&pgno=2
Securing a wireless network--The basics--Part IV
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=O3BWSRNIIUYKQQSNDLPCKHSCJUNN2JVN?articleID=197005948
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197005948&pgno=2
Securing a wireless network--The basics--Part V
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml;jsessionid=3QAKD0LUJTXPIQSNDLRSKH0CJUNN2JVN?articleID=197007563
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197007563&pgno=2
Securing a wireless network--The basics--Part VI
Page 1 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleID=197008575
Page 2 http://networksystemsdesignline.com/howto/showArticle.jhtml?articleId=197008575&pgno=2
I use 63 printable ASCII characters to encrypt my home modem/router and network with WPA2 AES. I also cut out a strong password from these ASCII characters to access my modem/router. Here is where you can get a random generated string for passwords or WPA and WPA2 encryption.
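Added example (not part of any post in this thread, and not code from the linked articles): the posts above recommend a non-dictionary passphrase against precomputed tables and a 63-character random string for WPA2. This sketch generates such a passphrase locally and shows why it works: WPA/WPA2-Personal derives the key with PBKDF2 salted by the network name, so a precomputed table only fits one SSID. The function names and the sample SSIDs are made up for illustration.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII without the space character: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PMK_BITS = 256  # size of the key the passphrase is turned into


def generate_passphrase(length: int = 63) -> str:
    """Random WPA/WPA2 passphrase from the OS CSPRNG (valid lengths: 8..63)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int) -> float:
    """Entropy when every character is drawn uniformly from ALPHABET.
    Does not apply to phrases, acronyms or keyboard mashing."""
    return length * math.log2(len(ALPHABET))


def min_random_length_for_full_key() -> int:
    """Shortest random passphrase carrying as much entropy as the 256-bit key."""
    return math.ceil(PMK_BITS / math.log2(len(ALPHABET)))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def same_key_on_other_network(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if one passphrase yields the same key under both SSIDs."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    pw = generate_passphrase()
    print("passphrase:", pw)
    print("entropy (bits): %.0f" % random_entropy_bits(len(pw)))
    print("length that already fills the key:", min_random_length_for_full_key())
    # Constructed SSIDs: a factory default name versus a unique one.
    print("same key on both SSIDs:",
          same_key_on_other_network(pw, "default", "example-home-7f3a"))
```

Two things fall out of this: a unique SSID matters as well as the passphrase, because tables are built per network name, and a truly random passphrase stops adding strength past 40 characters because the derived key is only 256 bits.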
Enabling MAC address filtering/restriction is the ultimate security measure, equivalent to putting a fingerprint scanner on your front door. You ultimately have control over who can and cannot access your router.
Granted, one can spoof a MAC address much like someone could cut off your finger and use it to get into your house or use something like out of a movie with a fake fingerprint, but hiding the SSID, MAC filtering, WPA2 with AES, and AP isolation (if you know how to use it) make your network as secure as most you will find.
If you have the resources, investing in a server running RADIUS or some other type of VLAN routing table software adds further levels of abstraction to your network security.
A roll of postage stamps and thirty minutes doing bookkeeping and bill paying with the checkbook every Saturday afternoon work just fine for us.
I've been doing it for years. Never a problem.
I authorize only two MAC numbers on my router, one for each laptop.
MAC filtering is almost no protection. MAC addresses are transmitted in the clear and can be spoofed easily, i.e., my router allows me to set its MAC address. MAC filtering is like locking your screen door. It will only keep out those that value your property. That said, I still do it myself for the heck of it. But I also have real security measures in place as well.
Two parts. One, they were cataloging WiFi hot spots. They were/are using that data. Two, as part of one, they also captured unsecured emails and passwords. They have stated they have no intention of using that data.
Granted, one can spoof a MAC address much like someone could cut off your finger and use it to get into your house or use something like out of a movie with a fake fingerprint,
Oh my dear Lord... no. PLEASE don't pass on this information anymore. MAC address filtering isn't even a good security measure, much less anything approaching "the ultimate." And while I can only imagine the logistics involved in securing a finger and using it before said owner of the finger complains or turns up missing, overcoming a MAC filter is as simple as capturing the MAC address from the air and setting it on the device you wish to access the network. I can do that here from my desk, no movie effects, bolt cutters or bloody appendages involved.
WPA2 with AES
This on the other hand is the good advice.
I put out there that MACs can be spoofed, but the majority of script kiddies and 10 year olds aren’t going to bother with port sniffing. The initial communication between a client and the AP can be sniffed for just about anything, esp. if the AP is unsecure.
I’ve used a wireless security auditing program to sniff unsecured neighbor’s wireless APs, printed out a report of their passwords typed during the sniff, and knocked on their door with the printout in hand and said, “Secure your wireless network. If I can get this, imagine what malicious people would do with it.”
They initially rebuked me for poking around, one guy even called the police, but when they understood that I was trying to help, they actually paid me to come over to secure their network. One cop laughed when he was talking to me privately and said, “I should have you come over and do my network too!”
MAC filtering is just another tool. It’s not the best tool, but adding multiple layers of abstraction to your wireless security makes attacks less likely. The lower your risk footprint, the less likely you’ll be hacked randomly.
Hope you take the letters to the post office, because you are more likely to get something stolen from your mailbox and used.
I was taking issue with how you portrayed the level of protection it provides and level of difficulty it presents in overcoming it.
For a home user, it’s relatively simple if you have a basic understanding of networking (MAC addresses, etc.), but yeah, if someone is intent on getting into your wireless network, MAC filtering isn’t going to save your hide.
I recommend it to folks whose routers I configure, but I always explain that it’s an administrative hassle every time a new person comes over. For the micro-managers among them, they usually like to have that level of control, and I’ll teach them how to input new MACs.
Also, depending on the firmware on your router, it’s not hard to edit that table or the on/off value for it if you know what you’re doing. I set up a dedicated crossover connection between my router and my server for both RADIUS and JTAG connectivity and locked the administrative ports down to cabled-access only.
If you’re paranoid, there’s nothing wrong with throwing another spike strip down in front of war drivers, but if they’re in a half-track or a deuce.25, it’s just a speed bump, I admit.
I understand that AP isolation is really the best way to keep ne’er-do-wells out, but even I had a lot of issues getting that to work on my home network. Virtual APs are cool too; I set up a WEP VAP with AP iso for my Nintendo DS wireless, and it works incredibly well.
Go to work today after voting.
Presuming you work in an office, your computer is likely connected to a network.
Now: look at the back of your computer. Find the network connection. You will not find a wireless connection. You will see a cable.
There’s a reason for that.
I’m using wifi from somewhere in my building right now to read FR on my android - haven’t gotten up yet to turn on the computer.
MAC filtering is almost no protection.
Thanks for that information. I layer mine: 5GHz (fewer radios, much less distance), lower TX power on router, WPA2, frequently changing very long convoluted passwords, and MAC filtering. The latter is the biggest pain to administer when guests or new network cards need to be on the network. I can now drop the MAC filtering as it really isn't that valuable for the protection it offers in trade with the hassle involved.
The computers on the network don't share anything, and encrypt data drives. The only thing open is the network share drive for music, photos, clipart and videos.
I secure my wifi network, but don't really go all out for it. If someone wants in badly enough, they can get in. If you're not willing to accept that, don't use wifi.
That helps if you want to make the bad guy's job a little bit harder, but it is trivial to spoof a MAC address.
“With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can...”
With a rock any idiot can bypass your door lock.
Very easily spoofed. Only useful if you're trying to keep out somebody's grandma.
I do - I’m paranoid about that, too......and my incoming is protected by a lock box.
I just wish encrypting didn’t adversely affect connection speed.
One thing that has not been mentioned so far in this discussion is to buy a newer model wireless router and adapter. Not only will you get the newer security protocol, but you will increase the speed and range.
The newer ones are inexpensive and easy to install. And as a plus for DSL users, you can get rid of the bloatware that loaded with your original DSL installation.
Just do not forget to disable the wireless on the cable/DSL Modem/Router.