Wireless Security
The St. Petersburg Times writes today about a man being arrested for using someone’s un-secured wireless access point to gain access to the internet. They do not know what he was doing yet, but he was acting in a very suspicious manner, and the article goes on to describe some of the possible nefarious activities he may have been up to.
I can’t stress this enough, people: you have to set up the security features yourself. Wireless routers and access points ship from the factory with all the security features you could want, but they are turned off by default. If you follow the simple tutorial included in the documentation, however, you can turn all of that on – it only takes five minutes. Here’s a short look at what you can do:
Router Password This is the password you need to enter to access and change the router’s settings. By default, this will be blank or the same as the administrative login. Change this first thing to keep others out, and make sure the remote admin setting is turned off unless you really need it.
AD-HOC Networks This is what you call it when your computers connect to each other without the use of a router or access point. It can be usefull for file transfers to strangers, which is obviously both good and bad. Turn this off.
SSID or ESSID – This is the name of your network, so you can easily identify yours from your neighbor’s. D-Link routers use ‘default’, and Linksys call theirs ‘Linksys’ out-of-the-box. Not changing this value will lead others to think your network is open and invites hackers and bandwidth snatchers.
You can change this to anything you like, within a limit of 28 or so characters. In my line of work, we set up quite a few of these, and every time I set one up, I can ‘see’ at least one default network name. (Funniest SSID I’ve seen:” justworkdamnit”. Apparently somebody was having issues.)
SSID Broadcast This setting controls whether or not your router announces its presence to the world. With broadcast on, the router sends out a signal every few minutes saying “Hi! My Name is [SSID]! Here I am!”. If you turn it off, those computers that have been configured for your network will know where to look, but others won’t. They may be able to detect the signal itself, but they won’t be able to get a response from the router without some serious bit-flipping.
WEP Encryption The bare minimum security. This comes in two flavors: 64-bit and 128-bit, with 128 being the stronger of the two. This is the password that users must enter to gain access to your network; it consists of up to 26 hexadecimal character pairs (0-1 and a-f for 01-ff). Some routers give you the option of generating this key from a passphrase, but I reccomend a random key. Write it down on a sticky note and tape that to the router so you don’t lose it.
AES Encryption This is the standard for government and military networks, and the better routers will have it. As of this writing, no one has successfully infiltrated an AES network by hacking alone.
MAC Filtering Every network device the world over has embedded in it a hardware identifier known as the Media Access Control address (MAC Address). This address is unique to each device. To use this for security, discover the MAC addy of each computer you want to connect to the network and configure the router to only accept requests from those devices.
Yes, it is possible to spoof a valid MAC address if you know how, but it’s difficult to do on-the-fly, and the router will only assign one IP address per MAC – trying to use the same MAC on more than one device at a time will cause an error kicking both machines off the network.
So, in closing, if you have configured your system correctly, a hacker might be able to see your network, but he’ll have to somehow discover a valid MAC address and clone it, then wait for that MAC address to disconnect from the network. When that happens, he’ll have to break the nearly-unbreakable encryption.
What does all this mean? It means it will take them time to hack your net – LOTS of time. When there are as many open networks as there are out there, anything that takes more than 15 minutes to bypass simply isn’t worth the effort.
Hollerings