Defending a Wi-Fi Network

Very often, you'll read that WPA2 is safe. While it is safer than WEP or WPA (assuming you opt for CCMP/AES along with it), in and of itself it is not safe.

Any wireless network is subject to a brute force attack where the bad guy guesses millions of passwords a second. A WPA2-AES network with a password of "hello" is no safer than a WEP network. I wrote about this back in September 2009 (see What no one is saying about WPA2 security).

Passwords for both WPA and WPA2 can range from 8 to 63 characters. The longer the password, the better. Considering that computers are always getting faster, I suggest a password of 20 or more characters.

Despite what most people say, the password does not have to be totally random to be secure. Something like

55555seespotrunseespotrun

is a good choice. Add a couple special characters to season as desired.

If you can't remember the password, write it on a piece of paper and tape it to the router (face side down).
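To show concretely why passphrase length matters, here is an added example (not from the original article) that derives the WPA/WPA2 pre-shared key the way a client does, using PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations as IEEE 802.11i specifies, checks the standard's 8-to-63 printable-ASCII rule, and estimates how long exhausting every passphrase of a given shape takes at the one-million-guesses-per-second rate assumed here from the article's "millions of passwords a second".

```python
"""WPA/WPA2-PSK passphrase derivation and a brute-force cost estimate.

The pre-shared key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
256 bits) as defined in IEEE 802.11i. That fixed cost per guess is all that
stands between a captured handshake and an offline guessing run, so the
passphrase length sets the real security margin."""
import hashlib

ITERATIONS = 4096   # fixed by the standard, not tunable per network
PSK_BYTES = 32      # 256-bit pairwise master key
GUESSES_PER_SECOND = 1_000_000  # assumption: the article's "millions a second"


def passphrase_ok(passphrase):
    """Apply the standard's constraints: 8 to 63 characters, printable ASCII."""
    if not 8 <= len(passphrase) <= 63:
        return False, "WPA/WPA2 passphrases must be 8 to 63 characters"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return False, "only printable ASCII (space through tilde) is allowed"
    return True, "ok"


def wpa2_psk(passphrase, ssid):
    """Derive the PSK exactly as a WPA/WPA2 client does (SSID is the salt)."""
    ok, reason = passphrase_ok(passphrase)
    if not ok:
        raise ValueError(reason)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PSK_BYTES)


def years_to_exhaust(length, alphabet_size, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case years to try every passphrase of this length and alphabet."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def main():
    # 26 = lowercase letters only; the article's 20+ character advice is the point.
    for label, length in (("8 lowercase letters", 8), ("20 lowercase letters", 20)):
        print(f"{label}: {years_to_exhaust(length, 26):.3g} years "
              f"at {GUESSES_PER_SECOND:,} guesses/s")
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PSK for 'password' on SSID 'IEEE':", wpa2_psk("password", "IEEE").hex())


if __name__ == "__main__":
    main()
```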

I live in a big city surrounded by way too many Wi-Fi networks. Back in September 2009 I wrote about a survey I did in my area where out of 100 tested networks, 49 were using WEP and 12 had no security at all.

This seems to be improving, at least in my neighborhood. Of 29 Wi-Fi networks visible to my laptop, 5 are using WEP, 3 have no security at all, 7 are secured with WPA/TKIP and 14 are secured with WPA2/AES.

Looking over the networks near me pointed up another Wi-Fi issue -- the name of your network. Apparently it took Ardolf some time to figure out which network belonged to the Kostolnik family. That's a good thing. The name of a Wi-Fi network should not identify the owner.

Some people near me give up a bit too much identifying information.

For example, there are two networks with a pair of first names (think GrouchoandHarpo). Another network has a pair of last names as the SSID (think Woodward-Bernstein). Two networks use the owner's first and last name. Another network is named along the lines of joey12399, which looks innocent at first. However, there is a building near me whose address is 123 West 99th Street, so this too is offering a bit too much information.

An anonymous network name doesn't do much to hide its origin from someone with a smartphone or laptop computer who is willing to walk around and measure signal strengths. Still, it's better to be anonymous.

Another important issue is protecting the router itself.

Here too, we deal with passwords, the biggest defense coming from changing the default router password. As with any password, don't use a word in the dictionary, and longer is better. This password too can be written down and taped to the router. All too often, I run across router owners who don't know the userid/password to configure their router.

Another way to protect a router is ensuring that only someone on the local network can get into its internal website to make configuration changes. You don't want the router talking to any Tom, Dick and Harry from the Internet who rings its doorbell asking to be let in. Look for a feature called remote management or remote administration and make sure it's turned off.

In addition, some routers offer an option that prevents all wireless users from logging in. I've locked myself out using this, but still recommend it.

Another great security feature offered by some routers is a guest network. Having two networks lets you use a private Wi-Fi password on your private network and a second Wi-Fi password for the guest and visitors network. The second password can be changed without impacting the password used by your computers.

Last year I was pleasantly surprised when I found this feature offered on the Netgear WGR614 router, a bottom-of-the-line $40 model.

Prosecutors in the Ardolf case wrote that "Ardolf was also able to access all of the Kostolniks' computers that were connected to the router". This brings to mind three things.

The first is firewall software running on a computer, which should go a long way towards protecting the machine from anyone who infiltrates the local network. Windows has enabled its firewall by default for years. OS X on the Mac, however, disables the firewall by default. Unfortunately, configuring a firewall is beyond the ability of non-techies.

The second is file sharing. If you don't share files on a LAN, then turn off the file sharing features in your operating system.

Finally, a router can also offer file sharing protection. The previously mentioned Netgear WGR614, for example, offers a Wireless Isolation feature that gives wireless users access to the Internet but prevents them from seeing any other computers on the network. This overrides any file sharing attempted by the computers on the network.

It does not appear that Ardolf learned the passwords of the email accounts actually used by the Kostolnik family. It is possible though that a better hacker can learn email passwords after infiltrating a network.

Yahoo webmail is vulnerable because after logging in securely, Yahoo reverts to an insecure HTTP connection. This lets snoopers capture identifying cookies and log on as you. That's what Firesheep was all about. Gmail, in contrast, always uses secure web pages.

If you use an email program (Outlook, Thunderbird), rather than webmail, be aware that, while this can be secure, it often is not.

The protocols used to read email are POP3 and IMAP. The one to send is SMTP. Each of these comes in a secure and an insecure version, much like HTTP vs. HTTPS. The secure versions of these protocols offer an encrypted connection between your computer and the one hosting or sending your email. It is not end-to-end security, but it will protect you from eavesdropping by a bad guy sharing the LAN with you.

Finally, a word about technical topics covered by the mainstream media.

Over at Time magazine, Giles Turnbull writes

If you end up with someone like Ardolf as your neighbor, there's not much you can do to deter them from trying to hack into your Wi-Fi. His victims had, after all, taken the usual precaution of locking their network down and putting a password in front of it.

As this article tried to show, there is much that can be done above and beyond a WEP password.

Blogger Ben Rooney at the Wall Street Journal wrote

It is a chilling tale, all the more so because Mr. and Mrs. Kostolnik had secured their Wi-Fi network.

No, they had not secured their Wi-Fi network. No techie would call a WEP protected network secure. If the Kostolniks had actually secured their Wi-Fi network, none of this would have happened.

People who don't know anything about automobiles are not in the habit of installing new engines. Yet non-techies often set up their own wireless network. Hopefully, this article will make some of them safer.
