Oh No – You Mean My
Wireless Home Network is At Risk?
If you are like me,
you were too lazy to run network wiring in your house when you moved in. You
have a computer, kids have computers, spouse has a computer. Cripes, these days
even the dog has his own computer. So what to do about all of these
connectivity issues? In my last house, I took the time to run network cabling
so that there were data jacks everywhere. I thought we would need them – even
in the kitchen (I’m such a geek!). Well, never again. The wireless age is
here, and that was just too much work. I guess it is time to finally get with
the program and make all my computers wireless. All my neighbors have: From
where I sit in my office on the second floor of my house, I can see at least
five networks from here. I wanna be wireless too. That way I can be like those
cool yuppies, and sit on the deck with my suntan lotion, a cool frappuccino, and
my laptop – surfin’ the Internet and checkin’ stock quotes.
So now that my
wireless network is all set up, no worries, right? I mean so what if someone in
the ‘hood steals a little of my signal, connects to my network and surfs for
themselves. The cable company won’t know and the bandwidth they steal probably
won’t affect me! Well – here’s the deal with that: If anyone can get on your
network and surf the web, then that means that they can also get to the files on
your computer(s) if they are smart enough – and these days it doesn’t take much
to hack into an unprotected system. They are completely bypassing your firewall
and they are now on the inside. Inside and free to get to all of your personal
information, tax records, personal letters, email files, you name it.
But so what if they
aren’t after your stuff, but rather just want an Internet connection so that
they can surf for free – or worse, like doing illegal things – gambling, porn,
child exploitation…. And it isn’t just your neighbors – it’s those nasty little
WAR drivers, driving around with laptops and
Net Stumbler or
AirSnort, scoping you out so they can
come back later and steal your signal or hack your systems. Then they do the
“WAR Chalking” where they make maps of where all the wireless networks are
located.
Small business
owners, you should really listen up here – there are liability issues: Guess
who get’s tagged when someone decides to crack down on illegal Internet
activities through your service provider’s records or other means. You do!
There is no evidence on your computer, because you weren’t doing anything
wrong. But all they know from their investigations it that the suspicious
traffic came to and from the connection into your network. And after you get
your computer back (after months of forensic investigation) you will be in the
clear. Can you do without your computer for that long? Worse yet, can you do
without your data for that long? Stealing my signal for free Internet access is
one thing. Using my network for illegal purposes is another – and since I have
no idea what the attacker’s real intentions are, I am just going to keep
everyone off. So, let’s just nip this little problem in the bud and protect
ourselves by using some of the built in features of this equipment.
Your
New Router/Wireless Access Point:
You have just
purchased that new combo router/access point and pulled it out of the box. They
are all configured the same, meaning that they all have the same default
settings for administrative passwords, router name, IP address ranges, and
network broadcast names (more on SSIDs in a bit). Immediately change those
factory settings. Every hacker in the world knows that the default password for
a Linksys router is “Admin” and the default SSID – the network name that it
broadcasts is “Linksys.” These settings change slightly depending on
manufacturer, but they are similar, and more importantly, they are all well
known. In other words, if you have a router/access point right out of the box
and you don’t change anything before placing it in service in your network, all
the little WAR drivers will know it, and they already know the information they
need to log in to your router and change its settings to accommodate their
needs.
At a minimum:
If they can’t get an address,
they can’t surf:
Two addresses are
important: The IP address, and the MAC address. The IP (Internet Protocol)
address is the 192.168.1.6 type address that computers use to communicate with
at Layer 3 of the OSI Model (remember that?). The IP address can be given to
you by what is known as a DHCP server, or it can be hard coded (static)
address. If you use a router, you may very well be using your router to dish
out these addresses for you. If you are letting your router dish out addresses
to your computers, then that means that they are likely to be available to
anyone with a computer who can see your wireless network and “ask” for one.
This is simple – just don’t make any available! Hard code all of your IP
addresses into your computers, and tell your router not to make DHCP addresses
available. I set all of the addresses on my computers statically.
If you do this also, you can go one
step further and make the subnet mask for your network non-standard. For
example, many people at home use the private IP address range of 192.168.1.x.
The default subnet mask for this range is 255.255.255.0. If you only have a few
computers in your network, you can change your subnet mask to something like
255.255.255.240. That mask will allow you enough address space for fourteen
computers. If you want more addresses, or need fewer addresses, you can adjust
the mask you are using. The added benefit is that even if the attacker hard
codes in their own address to fit the range you are using, they have to guess
the right mask or they won’t connect.
The MAC (Media Access
Control) address is an address that is hard coded into the network card on your
computer. You can configure your wireless access point so that only the MAC
addresses in your list will be able to connect to your network. MAC addresses
can be very easily spoofed, however, but the attackers have to know the exact
MAC address(es) listed in your access point in order to spoof the right one.
This isn’t fool proof by any means, but at least it will give you something a
bit more secure than no restrictions at all.
Encrypt your wireless traffic:
One way that eavesdroppers can find
out things like passwords and other things that you would like to keep private
is that they can “sniff” the traffic on your network and see it in plain text.
There are a variety of free tools out there, such as Ethereal, that allow
people to see network traffic and get information right out of the very packets
traveling across the network. If you encrypt the traffic, however, it comes
across as gibberish and they can’t see this information. There are a couple of
popular encryption schemes built in to home and small business wireless devices
– WEP and WPA. WEP,
which stands for Wireless Encryption Privacy, is a slightly older and somewhat
unsophisticated encryption scheme. It is static, which means it never changes
its encryption keys. You would have to periodically define new keys or
pass-phrases. WEP is minimal security at best, but again it is better than
nothing. A newer wireless encryption, WPA (Wi-Fi Protected Access) is a more
dynamic encryption scheme, and is said to me more secure than WEP. The keys are
dynamically changed during system operation, making it more difficult for
someone to sniff your traffic and find out the pass-phrase used. Not knowing
the correct WEP or WPA keys and pass-phrases to enter into their computers makes
even connecting to your network more difficult for the attackers as well.
The other thing that needs to be
encrypted is your traffic between you and your router/access point management
console. In most home and small business routers, you simply use a web browser
to log into and manage your router’s configuration. The Linksys models (and
most others) include the ability to select HTTPS (port 443) traffic between you
and your router using an SSL certificate. This will provide security in that
eaves-droppers cannot see your router administrative password in plain text if
they are using a program like Ethereal to
“sniff” your traffic from afar. Don’t confuse encryption with blocking access,
however. Anyone who types in the correct address for your router will be
offered an SSL certificate, and they can choose to install it. If they know the
password, they can still get in. What keeps them out is that they don’t have
the correct password, and you don’t want to make it easy for them to obtain it.
This type of encryption keeps that password from being sniffed, and makes it
more difficult to obtain.
Turn off the SSID broadcast:
The SSID is the network identifier
that gets broadcasts by a wireless network access point. As I mentioned
earlier, a default setting for a Linksys access point SSID out of the box is “Linsys.”
You don’t need the SSID broadcast to connect because you can simply type in the
SSID when you configure your computer(s). If configuration gives you a problem,
turn on SSID broadcasts, configure your computers, then turn the broadcasts back
off. The exception to this is earlier versions of Windows, such as Windows 98
and Windows XP without Service Pack 2. Actually, there was a patch awhile back
to ensure that Windows XP SP1 would connect without the SSID broadcast, but SP1
is about to become a non-supported product. You really need SP2 to take
advantage of the newer Windows XP security features anyway.
Disable Wireless Management:
Disabling the ability
to manage your router from a wireless connection will help ensure that people
sitting out in the street stealing your wireless connection can’t get into your
router and change settings. You will want to have at least one computer that
has a wired connection so you can connect to your router and perform
configuration changes. If you only have one computer, and it is a laptop, use
the wired connection to connect directly to the router to do maintenance, and
the wireless connection to provide your mobility and your normal day-to-day
connections.
Additionally, you can
ensure that “Remote Access” is turned off. With remote access, you can come
into your router from anywhere else that has an Internet connection. I have
mine turned on because I travel, and sometimes need to come in and make a change
while I’m gone, in case the spouse or kids can’t get connected all of a sudden.
But if you don’t need it, the rule of thumb is to just turn it off.
Other Security Measures:
Securing your
wireless access points does not relieve you of the need to use other basic
security precautions. Just because you have a firewall doesn’t mean that a
personal firewall program on each computer won’t do you any good. I have my
router locked down pretty well, but my personal firewall still alerts on and
blocks several inbound connection attempts. Antivirus software, anti-malware
software, and keeping your computer up to date with the latest patches are still
important requirements.
You play an important
part in security too – if your personal firewall alerts you to something don’t
just blindly say “Yes” to the event and move on, hoping for the best. Question
everything! Just say NO! You can look at your router’s logs to find suspicious
activity so that you will know what further steps to take. Look at the firewall
logs for your personal firewall software also to find out who is trying to
attack you, and what methods they are trying to use.
Wrapping it All Up:
Wireless networking provides an easy
and extremely flexible medium for setting up your home or small office network.
But remember: your network traffic is now traveling through free space, there
for the taking for the little WAR drivers and other eaves-droppers. All kinds
of things like passwords, personal data, and even access to the files stored on
your computer is at risk. Even the inexpensive router/access points give you a
number of security measures you can implement to help keep you safe. Nothing is
fool-proof.
This article mentioned some simple
measures you can take to increase your chances of being safe and protecting your
network. Be sure to look into the specific configurations that your
router/access point allows, and know what you can do with it. Given enough time
and effort, there is nothing that a hacker can’t break into. But by securing
your system you will more likely than not discourage a would-be hacker, and they
will just move on to the other six networks on your block. Don’t be a target –
protect your computers, your network, and your data.
[Back to Top]
For more
information, see:
NIST
Special Publication SP800-48:
Wireless Network Security
WindowsSecurity.Com:
Wireless Network Security for the Home
PC Magazine:
Ten
Steps to a Secure Wireless Network
Microsoft:
How to Secure Your Wireless Home Network with Windows XP
[Back to Top]
