Securing Your Wireless Networks and Devices

[Wiz Feinberg]

As wireless Internet access becomes more popular and widespread and many non-technical people enter the wireless community, securing these devices becomes more important than ever before.

Most first time, or non-technical wireless customers open the box containing their new wireless equipment, read how to hook it up, power it on, install some software and delight in their new found ability to roam around their home without wires and stay connected to the internet. A large percentage of these people will not drill down through the instructions or on-disk manuals that accompany their routers, adapters or access points to learn about securing these devices against outside wireless intruders or hackers in vehicles (known as War Drivers) using specialized equipment to locate and penetrate wireless networks or to compromise wireless adapters on laptops or towers.

This topic will deal with suggestions and recommendations to help you to secure your wireless Internet devices and also to disspell false information and notions that may lead to a false sense of security.

I would like to preface what is to follow by stating that wireless security is evolving at a fairly steady pace and that practices that may have been acceptable for security a half year ago may become invalid if attackers find and distribute knowledge of an attack vector that completely nullifies an established technology. Hackers have a lot to gain from system intrusions and are constantly at work trying to find new ways to break into secured wireless networks and crack encryption algorithms.

It used to be script kiddies or social misfits who wanted to break into wireless networks, for their personal pleasure-bragging rights, or because they didn't want to pay for their own Internet access. But nowadays actual cyber-criminals are doing these things, or are employing others to do it for them for a price. One of the fastest growing methods of committing crimes over the Internet is through the remote control use of hundreds of thousands of compromised personal and business computers and servers, which have been drafted into what are known as Zombie BotNets. These computers may not reveal the presence of the remote control programs to their owners and may lie silent, like mythical Zombies, for long periods of time until awakened to do the bidding of their masters, only to fall silent until needed again. Individuals who hack into computers to plant remote control software on them and add them to a personal army are sometimes called Bot Herders. These folks may not care to do anything with their Zombies personally, but may prefer to lease their armies to other sinister individuals whose only interest is in issuing commands to activate the Zombie computers to perform an illegal function. These people are called Bot Masters. They do not seek peaceful coexistence; they are felons. Many operate in the former Soviet Union, although a lot are found in the good old USA and Canada.

You may be wondering why I bring all of this up when the title of the Post is about securing wireless networks? The reason is that if you have an unsecured wireless network of computers and a hacker is able to penetrate it because of your lack of suitable defenses, he may be able to place BotNet type programs on some or all of your networked computers, especially if file sharing is enabled (which it usually is on networks). If successful he will add your computers to his BotNet which will be leased out to spammers, scammers, people running phishing schemes, people wanting to attack governments or commercial interests on the internet, or to criminals who want to distribute malware via a BotNet. Once a computer is "owned" by a Bot Herder there is almost no limit to the damage it can be used to inflict, if so commanded. If or rather when the authorities trace the sources of these illegal acts, if they find your IP address matched to the time the attacks occured, they will come after you for damages, or may even arrest you, as the owner of the compromised account. You could find yourself charged with a misdemeanor, or even a felony, because of the actions taken by your unsecured computer, possibly because it was BotNetted via a wireless or other exploit.

Ok, on with the securing your wireless connection discussion. I prefer to keep this thread to giving good advise, rather than having it as a questions thread. Feel free to ask questions related to this topic in separate threads that you or others start, in the computers section of the SGF. You may add to it if you have verifiable, reliable information.

First of all, in addition to keeping your computers fully patched via Windows, Linux, or Mac updates, make sure you have upgraded to the latest firmware for your wireless routers, access points, and adapter cards. If your wireless equipment is more than two years old it is probably out of date, security-wise. Apply the Windows XP Wireless Client update so you have additional security options available for laptops, or for PCs in apartment buildings. Be aware that people who go around looking for wireless networks to penetrate are using sophisticated antennas and specialized sniffer programs to locate wireless access points. To fend these people off you must engage the strongest encryption available for your equipment, knowing that they may try to crack your security codes if they are weak. You will learn about which types of security are good, and which are useless.

Links will be provided whenever possible to get you to the right place to obtain patches, upgrades, or to read about wireless security issues and solutions. All statements should be backed up with a link to an authority, at least once in this thread.

Right now the best thing you can do to secure a home or SOHO wireless LAN is to only purchase access points/routers and adapter cards capable of WAP or WAP2 encryption algorithms, with TKIP and/or AES encryption methods, then to generate and deploy the strongest encrypted key to all adapters. This can be done either by plugging them into the ethernet ports of the wireless router and logging into it to get the SSID and encryption key code, or if there are no ethernet ports, save the SSID and encryption key onto a USB thumbdrive in a text file (notepad) and open it on your various computers, where you can copy and paste it into the credentials fields for that connection. If you use Windows XP or Vista it has built-in Zero Configuration Wireless Configuration Utility. This utility allows you to enter the SSID of your secured router/access point, along with the type of encryption and the key code. It also has checkbox options that you can select to only connect to preferred networks and access points that you have listed, ignoring open networks and Ad-Hoc networks completely, for better security against "man-in-the-middle" and spoofed SSID hackers.

Also, you should change your default SSID to something unique, or allow the router to select a new SSID when you engage security (don't bother turning off SSID Broadcasts); disable remote administration of the router/access point; and change the administrator password to as strong a pass-phrase as you can remember. It won't hurt to change the channel to something other than the default, especially if your router/access point is physically close to a wireless phone, or microwave oven. You can also change the IP address of the router/access point to a random number lower or higher than the range you allow it to assign via the DHCP server, then limit the server to a few addresses as you think you'll need for the computers in your location, and one or two guests who may bring their laptops in.

Some of the myths and security suggestions from the recent past that are not, or are no longer valid include these:

• Turning off SSID broadcasts will hide your access point from snoopers: (false - only incidental probes from innocent neighbors will be affected. Hackers will see your SSID anyway)
• Apply MAC filtering: Easily captured by sniffer programs in a few seconds, by determined war drivers or hackers, who then spoof one of your own online MAC addresses into their adapter to gain entry to your LAN.
• Disable SSID Broadcasts (SSID Hiding): There is no such thing as "SSID hiding". You're only hiding SSID beaconing on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum, which are easily discovered by War Drivers and hackers.
• LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack.
• Disable DHCP: This is much more of waste of time than it is a security break. It would probably take a hacker a few seconds to guess your router's IP assignment range and enter it manually into his adapter. He's in.
• Special antenna placement or painting for minimim signal bleed to the outside: A Myth. The bad guys will be using a directional amplified cone or phased array antenna and can probably pickup your signal up to a mile away. Place your antennas/router/access point for the best coverage and signal strength in your home or office.
• Just use 802.11a or Bluetooth: A wive's tale. These are not security systems, just transport mechanisms.
• Just use WEP to secure your router: 30 to 60 seconds should be enough time for a war driver to crack your WEP key if he wants to, however, it will keep innocent neighbors whose adapters are searching for any available access point from piggybacking onto your connection.
• References: The six dumbust ways to secure a wireless LAN and Wireless LAN security myths that won't die, by George Ou

I suppose that if you live far away from neighbors and the highway you won't have to worry about wireless interlopers, but most people live very close to their neighbors and are not usually very far from the street. Remember this; War Drivers and wireless hackers are looking for your access point/router, with tools to hack into it!

I'm sure there will be some things I have overlooked today, which either I or another knowledgeable member will add to this topic.

[Wiz Feinberg]

Here is an excerpt from a recent discussion about wireless security and WEP, between Steve Gibson (GRC.com) and Leo Laporte (Former TechTV host). This excerpt starts about 60% down the page. You can also listen to the entire conversation in mp3 format (Lo-Q).

Steve: Well, we haven’t talked about WEP for a long time. Back on Episode 11, which was, what, 78 episodes ago, back in October of ’05 was our coverage of – the actual title was “Bad WiFi Security.” And that was really the last time, although we’ve mentioned it in passing many times since, but it was the last time we really gave strong coverage to the problems with the original encryption for WiFi, which was called WEP, which is an acronym, WEP, which stands for Wired Equivalent Privacy. And the goal of WEP was, and the reason they named it Wired Equivalent Privacy, was they wanted to create a level of privacy for radio WiFi that they felt was as strong as if the communication was wired, as if it was wired equivalent.

Well, they really fell far short of that. And a couple weeks ago a new group, three German guys at a technical university in Germany, published a paper where they demonstrated how they had figured out that they could crack WEP, that is to say, determine the encryption key being used in under a minute.

And, further down the page they say this:

Steve: Well, from time to time we’ve made Security Now! predictions, Leo. And a Security Now! prediction would be that in short order we’re going to see some tools that are turnkey, easy for anyone to use. And, I mean, it really does change the calculus. So the takeaway message from this is that, if you’re using WiFi, and it’s not WPA encrypted, you either, A, don’t want to use that WiFi network; or you want to make sure that you’re providing your own encryption. You’re using a VPN, or you’re using HTTPS so that essentially your traffic is running through an independent layer of encryption, a so-called, you know, we’ve talked about tunneling a lot. So, for example, if you’re using Gmail, make sure you’re https://mail.google.com or Yahoo! or whatever. You want to make sure that you’re providing your own encryption because you really, unless you’re using WPA, that is, unless the network that you’re hooked to is using WPA, WEP just no longer provides virtually any protection.

Leo: In other words, treat a WEP access point as an open access point.

Their discussion gets very technical, so if such details give you a headache this may not be for you.

[Wiz Feinberg]

Wireless Deployment Recommendations and Best Practices

The above article on the Microsoft Technet describes the current best practices for securing home and SOHO wireless networks. It goes into depth to tell you why you shouldn't waste you time disabling SSID, or relying on WEP for protection. It also warns you about the dangers presented by rogue access points and how to protect your computer from accidentally connecting to them. All in all this is a great article that is up to date with current standards and threat analysis.

[Sonny Jenkins]

Wiz,,would these "dangers" only apply,,or be most likely to affect wireless users. Would we be safer if, whenever possible, we hook our wireless computer up to the router via ethernet cable,,,and only use the wireless function when absolutely necessary?

[Wiz Feinberg]

Wiz,,would these "dangers" only apply,,or be most likely to affect wireless users. Would we be safer if, whenever possible, we hook our wireless computer up to the router via ethernet cable,,,and only use the wireless function when absolutely necessary?

Absolutely! In order for somebody to break into a wired (Ethernet) network they would have to either gain physical access to one of its computers, or use an email or browser exploit, like a remote control Trojan, to get into your private network.

Wireless networks can be secured quite nicely, if you apply all available security measures, turn off UPnP, set a good Administrator password, disable remote administration and avoid poking holes in the firewall for file sharing networks, etc.

[Sonny Jenkins]

My wireless computer has been sitting 3' from my router for over a year,,,IT IS GOING TO HAVE CABLE BETWEEN THEM,,,,and the wireless switch OFF!!!!! ,,and to think,,I was even thinking about getting a wireless adapter for my older laptop!!!

[David Wright]

I have a I mac... does it have a built in wireless card in it??? it's not a lap top..

[Wiz Feinberg]

I have a I mac... does it have a built in wireless card in it??? it's not a lap top..

Read the specs sheet that came with it, or look in the System for network adapters, or visit apple.com and lookup your model to see what shipped with it.

[David Wright]

it does, and up and running

[John Cipriano]

it does, and up and running

On recent versions of OSX, if you need or want to disable wireless networking, you can go into System Preferences, Network, and then click "Turn AirPort off".

Also, there is an option that's called something like "require administrative password for changes to AirPort".

That said, wireless networking (especially with a laptop) is very convenient and something I'd be hard pressed to do without. But it pays to be smart about it.

To repeat some of Wiz's great info: turn on encryption at the router.

But which kind? The three most common, listed best to worst are WPA2, WPA, WEP. Windows XP SP3 includes support for WPA2, as does OSX Leopard. If your router supports it, just turn it on and create a password. But if your router only does WEP, then WEP it is.

The router's admin page will have a password as well. This is unrelated to the password which you would set up for your wireless network. It keeps people from changing your router settings. Do not leave this on the factory default, change it something else.

Finally, on a wireless laptop or desktop, set whatever security option would prevent people from creating connections without your knowledge. For instance, the one for OSX that I mentioned above.

If you live in apartment, securing your wireless is very important. If you live in the woods, you can perhaps have a more relaxed attitude towards it
Though, like it says in the George Ou article Wiz linked to, a weak signal is not the same as real security.

Everyone can benefit from spending that Saturday learning how to properly set up their router. It's a brave new world we live in, eh? Don't be paranoid, but do turn on encryption. On most computers, if you see a little lock next to the connection, you have it on in some form.

[Wiz Feinberg]

I have published three hi-tech security articles dealing with router security breaches, on my Blog. They are about hacking exploits targeting the 2Wire brand modems supplied to DSL customers in Mexico, but the same thing could happen anywhere. The articles are titled:

Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts,

2Wire Modem DNS Poisoning Attack Returns to Mexico, and

Routers with passwords still vulnerable to hack attacks

[John Cipriano]

Wow, that's a fairly sophisticated attack.

So an extra bit of advice then would be to make sure, after configuring your router, to make sure you actually log out.

(Edit: whoops...misread one of the articles before)

In addition, of course, to actually setting a password for configuring the router.

Then again, I'm a Charter customer in one of the "test markets" for their new DPI/spying partnership with NebuAd. So I probably have more to fear from my ISP than from crackers!

[Wiz Feinberg]

Whether you have a wired or wireless router powering your home or business network you need to be mindful of the threats that originate over the wires, so to speak. These are TCP/IP (the primary Internet communications protocol) packets that are designed by criminals and hackers to exploit weaknesses or find holes (open ports) in routers, firewalls, or modem/router combos.

In my earlier posts in this thread I detailed some steps anybody can take to setup wireless router security. I dealt mainly with matters such as SSID broadcasting, WEP vs WPA(2) encryption and MAC filtering, etc. I also briefly mentioned that it is a good idea to disable unnecessary features that could be exploited, as follows.

Wireless networks can be secured quite nicely, if you apply all available security measures, turn off UPnP, set a good Administrator password, disable remote administration and avoid poking holes in the firewall for file sharing networks, etc.

I feel that the time has come for me to elaborate further on some of the above quoted features and how they can be exploited by hackers.

UPnP

Many routers ship with a feature known as UPnP, which stands for "Universal Plug and Play," enabled by default. UPnP makes it easier for interconnected devices to be recognized and configured, saving users a lot of otherwise tedious work. This is especially true in the field of wireless networking. You plug in your new router and your wireless card in your notebook or PC detects it, or you insert a CD in the computer and it sets up everything for you.

Unfortunately for us, hackers have learned that UPnP can be exploited from both afar and from within a network. If certain so-called "ports" are open on a router it may respond to requests from the Internet to engage UPnP protocols, bypassing any administrator login requirement, allowing your router to be reconfigured by remote commands. This is one method used by the Conficker Worm to spread from the Internet to LANs.

Once you have configured your network there is no reason to leave UPnP enabled! Better yet, learn how to configure your wireless or wired router manually and turn off UPnP before you connect it to your broadband modem.

Next, disable "Remote Administration" of the router. Remote Administration allows anybody who knows or guesses the Administrator password to login to the modem and do as they please to reconfigure it. This feature is usually on the same router configuration page as UPnP, under a "Security" tab. You will need to login to the web interface via a browser to find these settings and change them.

I strongly advise you to perform all router configuration changes in a new browser session, after closing all other browser windows. After you finish changing and applying the router's security, delete the cache (Temporary Internet Files) and all "authenticated sessions" then close that browser. This will prevent scripted router attacks that work when you are already logged into the router in a browser, then unknowingly surf to a compromised website. If this happened while you were still logged into the router the hostile codes could take over the router and modify settings (like DNS or online bank IPs) without your knowledge (until your bank, or PayPal account was emptied).

While UPnP exploits bypass any need for Administrator credentials (making it easier to setup networking), other attacks require them to take over a router. Therefore, you need to establish a unique, strong password for the admin login to your router; one that isn't a word found in a common dictionary.

Also, change the IP address of the router, if possible, from the factory default setting. Many router attacks are hard-coded to login via a particular IP address that is a known default IP, or hostname. For example, if your brand of router has a factory IP address of 192.168.1.1, change it to something else, like 192.168.2.1 and restart it. You will need to reset your PC's IP address once the router has power cycled, so it is assigned a new IP by the router (that's one of its jobs). You do this by opening a command prompt (Windows Key + R, then type CMD and press Enter) and when the Command Window opens type these commands into it, in this sequence:

IPCONFIG /RELEASE
(press enter)
IPCONFIG /RENEW
(press enter)

You should see confirmation of a new IP address assigned by the router, that includes the new subnet you changed it to. E.g: instead of an IP of 192.168.1.100 you might have a new IP of 192.168.2.100.

That's all for now. I'll add more security measures and exploits to be aware of another time.

[b0b]

A little creativity when naming your wireless network can discourage hackers:
<center>
</center>