
Wireless network security - two simple suggestions for the n00bs




I recently was informed (in an internal forum called Iris Office Notes) about a Symantec security article highlighting the latest way that insecure home routers are being exploited. The article is called "Drive-By Pharming: How Clicking on a Link Can Cost You Dearly". From the article:

The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings.


This article brought some basic tips to mind - tips that I routinely suggest to friends and family (non-geeks, of course) for setting up their wireless home networks. Since this topic brought these suggestions to mind again, and since I needed a SnTT topic for today, I thought I would write them down - and this way I can point my family to this post in the future when asked about wireless home networks.

There are a variety of ways your (wireless) router can be exploited - this is just the latest. Of course, wireless routers are much less secure by their very nature. They are fertile ground for hackers, phishers, etc. This is not because wireless routers are particularly insecure; it is mainly because neophyte users have no idea how to take advantage of the security measures built into the router. To avoid these potential vulnerabilities there are a couple of steps you should take, at a minimum, when setting up a wireless network.

Step 1: Change the friggin' password!
Every geek - and I mean EVERY geek - who has an interest in wireless networks knows the default password to every router on the market, or can simply Google it to find it (don't believe me? Take a look here.) This means that a router that is set up out of the box without any changes is wide open - for access AND configuration - to anyone who wants to access it. Change your password - and just like any other password, make sure it is one that is not easily guessed.

Step 2: Use wireless encryption
When wireless networking was first beginning to make inroads into the consumer market there was really only one type of wireless encryption available - WEP, or Wired Equivalent Privacy (BTW, no one knows what WEP stands for - it's just called WEP, so don't bother memorizing it). In the early days WEP was difficult to understand and a pain to set up, especially for the folks who wanted to use your network. You usually needed to know some really long hex string as the key, and it was just difficult for the average user - so most consumers avoided it. Also, to make matters worse, the WEP protocol was easily cracked by "Wardrivers".

Then things got much better - WPA (Wi-Fi Protected Access) came along, which greatly improved upon WEP in a couple of areas. First, it was much more secure (read: harder to crack) than WEP; and second, it only required a "passphrase" to access a WPA-secured network instead of some incomprehensible (by humans) hex key. This means that if you wanted to, you could make your passphrase something like "Wee willie winkie", which is much easier to remember than 37925A56C3411655B090AA5D. This means that WPA is easy to set up and is easy to use. The ONLY drawback to WPA is that older (read: more than a few years old) wireless equipment may not support WPA, only WEP; the nice thing is that virtually all of this equipment can be updated with firmware patches to support WPA.
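How a WPA passphrase becomes the hex key the radio actually uses, as an added example that is not part of the original post. It goes a little beyond the text: WPA-Personal derives a 256-bit key with PBKDF2-HMAC-SHA1, using the network name (SSID) as the salt, so the same passphrase yields a different key on every differently named network. The helper names and the list of factory-default SSIDs are assumptions made for this illustration.

```python
import hashlib

# Constructed sample list of factory-default network names (assumption).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA pre-shared key as a hex string.

    WPA-Personal: PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32 bytes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def review_network(passphrase: str, ssid: str) -> dict:
    """Return the derived key plus configuration warnings for a home network."""
    warnings = []
    if ssid.lower() in DEFAULT_SSIDS:
        # The SSID is the salt: a factory-default name means this passphrase
        # produces the same key as on every other network with that name.
        warnings.append("factory-default SSID: the key salt is not unique")
    return {"psk": wpa_psk(passphrase, ssid), "warnings": warnings}


if __name__ == "__main__":
    # The post's example passphrase on a default and on a renamed network.
    for name in ("linksys", "RockysWLan"):
        result = review_network("Wee willie winkie", name)
        print(name, result["psk"], result["warnings"])
```

The 64-character hex value is what the passphrase stands in for; users only ever type the passphrase.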

Now, these steps barely scratch the surface of the variety of methods you can use to make your network even more secure - things like MAC filtering, additional DMZ firewalls, and so on. However, if you take these basic steps to secure your environment you will have a wireless router and network that is more secure than most home networks in use today.

Hopefully this will help those of you who are considering a wireless home network but know nothing about it; and for those of you who are wily veterans of wireless networking, please share other simple tips with the class!

Enjoy!

Rock
**It's not the voices in my head that bother me, it's the voices in your head that do.

Comments

1 - @Erik - you're right, and I mentioned that in my original post:

Now, these steps barely scratch the surface of the variety of methods you can use to make your network even more secure - things like MAC filtering, additional DMZ firewalls, and so on.

I wanted this email to be a couple of suggestions that everyone - including the folks who know nothing about this stuff - should do at a minimum. Of course there are a myriad of additional things to do to make the network even more secure, and MAC filtering is definitely at the top of the list.

Thanks again for the post though - and keep those suggestions coming!

Rock

2 - First, I want to thank both Jens and Fabian for conducting this discussion civilly and respectfully. I get tired of argumentative discussions, and it is refreshing to know that (at least most) of my readers know how to discuss, and even disagree, about a topic without ad hominem attacks and such.

Second, to throw my opinion (such as it is) into the ring - I have to side with Fabian on this one. I have personally encountered problems when I tried not publishing my SSID, and I have found that it really offers no additional protection - so it isn't worth the effort and risk of issues with allowed "visitors" to my wireless cloud.

Rock

3 - You can also use MAC filtering, allowing only certain network cards to connect to the AP.

4 - In areas where wireless networks abound (i.e. higher-end apartment complexes), another quick and easy way to avoid being a target (over and above your two suggestions, of course... do those first) is to change the SSID of the network. If a drive-by hacker sees several available networks and finds one still using "linksys" as the SSID, for example, they're going to assume the router is owned by someone who doesn't know how to configure it and is therefore vulnerable, and that's the one they'll target first. So just by changing your network's name, it's more likely that those around you who haven't will be targeted and you'll be ignored.

5 - I don't agree. Hiding the SSID actually adds no security. With WPA it's completely pointless.
Even worse, many routers (I know of Netgear models, but heard of others as well) won't even work correctly with WPA enabled and SSID broadcasting disabled. The same seems to apply to many Linux implementations.
So, changing the SSID is a good idea (for psychological reasons). And it's even better if you don't include your name or address or similar stuff in the new name. Hiding the SSID just pretends security.

6 - @Tim - that is an excellent suggestion! Thanks for sharing!

Rock

7 - "Second, neither the renaming of the SSID nor the hiding of it is a measure of security against a malevolent intruder. Same is true for enabling WEP - unfortunately. They are all in the league of keeping away the come-along-and-try-if-it-is-working type of guys."

Jens, you are absolutely right. I agree with you, word by word. So, this game is purely about psychology. Changing the default SSID will indicate to potential attackers that somebody has taken care of the access point's configuration. So will hiding it. But at the same time it might make them think that some wanna-be expert thought that this might be all he needs to do to keep attackers away, so it might actually draw their attention. According to the Wikipedia article on SSID, some even argue that it might be easier to sniff the SSID now, as each client will include the SSID in its requests.

My point is, if you technically gain nothing by suppressing the SSID, but maybe (and only maybe) call up on hackers' ambitions by doing so, just don't do it.

Access points and/or wireless network cards not working correctly with SSID broadcast disabled is usually not a matter of a single faulty device, but of the whole batch being broken by design. Unfortunately, the average quality of WLAN router firmware is mediocre at best. To really technically solve this issue, you had to try each available device on the market until you find one, that does not suffer from this problem (and from no more severe problem, as a matter of fact). Plus you'll have to pray, that they won't break it with the next firmware release. As it doesn't impact security anyway, this is a bug I could live with. I didn't even bother to test it with my current router, but I know that the previous one had this problem.

8 - The next step will be to turn off the broadcasting of the SSID, which makes sense, as you simply may remember an SSID like "RockysWLan", so it is not necessary to display it for getting connected.

9 - Fabian: First, if it is not working, bring the device back to your supplier and ask for repair or replace of the unit, so it will work as advertised. There is no excuse not to do so.

Second, neither the renaming of the SSID nor the hiding of it is a measure of security against a malevolent intruder. Same is true for enabling WEP - unfortunately. They are all in the league of keeping away the come-along-and-try-if-it-is-working type of guys.

Meet Rocky

Rocky Oliver