C/Net explains how to secure your home wireless network — in pictures.
This slide show assumes that you have a working wireless router. For our network we’ll be using a Linksys Wireless-G WRT54GS router plugged into a Dell XPS 600 desktop along with a wireless-enabled Acer Travelmate 8200 laptop, both machines running Windows XP SP2.
Over the next few slides we’ll discuss how to:
- Change the router’s default admin password
- Change the router’s network name (SSID)
- Enable encryption (WEP and WPA)
- Filter devices via MAC addresses
Nobody should use Wired Equivalent Privacy (WEP) encryption, which is easily broken. Instead, use Wi-Fi Protected Access (WPA2 or 802.11i), which is the latest and best encryption. Having no encryption is bad; criminals can capture and read all the data transmitted between your laptop and your router.
To encrypt a network with WPA, you provide your router with a plain-English passphrase between 8 and 63 characters long — not with an encryption key — explains WiFi Planet. That passphrase, along with the network SSID, is used to generate unique encryption keys for each wireless client — and those encryption keys are constantly changed. In XP, WPA options are under Network Authentication. Choose the data encryption standard — TKIP or AES — to match that of your router. However, not all routers support WPA. You may also need to download Microsoft’s WPA2 hotfix for Windows XP and update your wireless card driver.
All Wi-Fi gear has a unique code (like a vehicle’s VIN) called the “MAC” address. You can manually type your device’s MAC address into your access point, which will then allow only your device in, automatically rejecting all others. That should prevent your neighbors from accessing your access point most of the time.
Firewalls are often included with access points. Turning the firewall on makes it harder for hackers to break in. Placing your access point away from a window also helps.
The L.A. Times has a story on hacking in public hotspots (video).
“When people are on a public wireless connection, they have the same expectations about privacy as when they are on the Internet at home,” said Cheung, 32, a computer security expert and an editor for TG Daily, a technology news website. “But it doesn’t work that way. Someone could be listening in.”
Cheung was using a “sniffer” program that intercepted online signals as they flew back and forth from the laptops to a wireless modem hidden somewhere amid the coffee paraphernalia.
Most major e-mail sites on the Web — such as those run by AOL, EarthLink, Google and Yahoo — as well as banking and other financial transactions are automatically protected by encryption using “https” instead of “http.” HTTPS uses an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport mechanism. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided it is properly implemented.
For better (and worse), there is an abundance of free tools on the Internet for gaining a deeper knowledge of wireless security (and exploiting vulnerabilities). It’s important to know how to secure your wireless network against these tools, says Ethical Hacker:
- NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.
- Kismet – There’s really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.
- Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).
- Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.
- ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.
- Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.
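The WPA passphrase paragraph and the Cowpatty item above both come down to how a pre-shared key is built: IEEE 802.11i derives the 256-bit master key with PBKDF2-HMAC-SHA1, using the SSID as the salt. The following is an added example, not code from the article or its sources; the function names, the tiny word list, the 60-bit threshold and the sample SSIDs are assumptions made for illustration.

```python
import hashlib
import math

# Constructed sample list; a real check would use a large leaked-password list.
COMMON_WORDS = {"password", "linksys", "wireless", "letmein123"}
MIN_BITS = 60  # assumed threshold for this example, not a standard


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation from IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def estimate_bits(passphrase: str) -> float:
    """Rough upper bound on guessing effort: length * log2(character pool)."""
    pool = 0
    pool += 26 if any(c.islower() for c in passphrase) else 0
    pool += 26 if any(c.isupper() for c in passphrase) else 0
    pool += 10 if any(c.isdigit() for c in passphrase) else 0
    pool += 33 if any(not c.isalnum() for c in passphrase) else 0
    return len(passphrase) * math.log2(pool) if pool else 0.0


def passphrase_findings(passphrase: str, ssid: str) -> list:
    """Reasons a dictionary-based guesser would find this key early; [] if none."""
    findings = []
    if passphrase.lower() in COMMON_WORDS:
        findings.append("in common-password list")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    if estimate_bits(passphrase) < MIN_BITS:
        findings.append("estimated strength below %d bits" % MIN_BITS)
    return findings


if __name__ == "__main__":
    for pw, ssid in [("password", "linksys"),
                     ("correct-Horse7-battery-Staple", "HomeNet-5a")]:
        print(ssid, derive_pmk(pw, ssid).hex()[:16], passphrase_findings(pw, ssid))
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, which is one more reason to change the router’s default SSID as well as to pick a long passphrase.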
Nielsen Ratings are measured four times a year (in February, May, July, and November). During “sweeps week”, expect lots of internet horror stories. It’s that kind of “public service” that allows corporate media to use the 700 MHz band — without paying a dime.
Broadcasters are real good at covering shooters — local issues — not so much.









