Good Reasons to Lock Down Your Wireless Network

Sunday, September 05, 2010

Christopher Burgess


Do you have a wireless router? Is it appropriately configured to be secure? Why bother? I've three reasons.

  • War Driving -- The revelation by Google of its inadvertent collection of publicly broadcast SSIDs (Wi-Fi network names) and MAC addresses (device identifiers) while conducting its Street View data collection should serve as a reminder to tighten up our router security. Remember, anyone driving or sitting in proximity to your business, home or office may be within the exploitable footprint of your Wi-Fi signal. Once within your router's footprint, they too can collect your SSID and MAC addresses, and if your network is not secured, their odds of being able to collect the information traversing from one end of the connection to the other increase exponentially.
  • Liability -- A German court recently fined the owner of a wireless router for not appropriately securing the device, which allowed a third party to connect to the internet via the router and engage in illegal download activity. The court in Karlsruhe, Germany noted "Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation." The court noted that the owner could be fined up to 100 Euros. Regardless of the laws in your area, legal problems are only one of many reasons to ensure your router is secure.
  • Mistaken Identity -- As noted in the prior point, a third party used the connectivity provided by the unencumbered access to an individual's router to perpetrate a crime. Think of how crime-solvers walk their data back: they trace the Internet Protocol (IP) address. If that IP address ends at your router, then it is not an inappropriate conclusion to assume the perpetrator of the crime is someone within your home, office or business. Think about the physical inconvenience of being taken down to the local precinct to sort things out, and about the property seizures and the prospects of recovery. While you will no doubt be able to explain your way out of the situation, as did the owner of the router in Germany, why put yourself in this position?

If you see your neighbor's Wi-Fi in an unsecure state (e.g., open access), let them know. Don't assume the owner configured the device; perhaps it was a more technically savvy neighborhood high school student or a for-hire network installer who, in either case, failed to put a WPA2 password in place.

In Queensland, Australia the police are identifying unprotected Wi-Fi during their routine patrols and notifying their owners in an effort to protect unwary citizens from their own unprotected routers. This is something suitable for neighborhood watch organizations.

Use a strong password (8-14 characters which aren't a word and include non-predictable symbols [e.g. (B$@iJH91$(~(K]). If your router is using WEP encryption and not WPA2, then think about upgrading that router of yours.
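As an added example (not part of the original article), here is one way to check which networks in range are still open or on WEP rather than WPA2. It assumes a Linux machine where NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list` is available; the scan lines below are constructed, and the security token names are assumptions about that tool's output.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes ':' and '\'.
SAMPLE_SCAN = """\
HomeNet:WPA2
CoffeeShop:
OldRouter:WEP
Legacy\\:AP:WPA1
Mixed:WPA1 WPA2
Office:WPA2 802.1X
"""

def split_terse(line):
    """Split a terse nmcli line on unescaped ':' and undo the escaping."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            i += 1                   # escaped character: take the next one literally
            cur.append(line[i])
        elif line[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(line[i])
        i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY column to a verdict (token names are assumed)."""
    modes = set(security.split()) - {"--"}
    if not modes:
        return "open"    # no encryption at all
    if "WEP" in modes:
        return "wep"     # the article's case: time to upgrade the router
    if "WPA1" in modes:
        return "wpa1"    # original WPA still accepted, alone or in mixed mode
    return "ok" if modes & {"WPA2", "WPA3"} else "unknown"

def audit(scan_text):
    """Return (ssid, verdict) for every network that is not WPA2 or better."""
    findings = []
    for line in filter(str.strip, scan_text.splitlines()):
        ssid, security = (split_terse(line) + [""])[:2]
        if (verdict := classify(security)) != "ok":
            findings.append((ssid or "<hidden>", verdict))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SCAN))
```

To check a live scan instead of the sample, pipe the `nmcli` output into a file and pass its contents to `audit()`.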

You may also consider limiting access to your network to MAC addresses you own or know. Don't forget to set up separate guest connectivity to leave a clear audit trail distinguishing between your own use and that of guest users over whom you have no control.

This could be especially important for the small business owner whose network may be used by an unscrupulous individual.

Christopher Burgess is a senior security advisor to the chief security officer of Cisco®, where he focuses on intellectual property strategies. 

Cross-posted from Christopher Burgess, Huffington Post

 

 

Shalom Cohen: Very NICE article. It's very tough for users that are not aware of the risks involved (including lawsuits and identity theft). Simple ARP spoof attack once connected will lead to exposure of passwords, credit-card numbers, SSIDs without any extensive hacking knowledge.
Running "Cain" will do the job for you.
BTW, WPA does not ensure no one will break it, but it is definitely much harder to get in through it. My general guideline, use WPA2 and turn off WIFI whenever not in use (there are boxes that a button press will do).
Shalom Cohen: Forgot to add, most of the devices today know how to handle WIFI without SSID broadcasting - so disable SSID broadcasting if possible (it will definitely attract fewer hackers).
Robert Gezelter: Yes, WiFi routers do pose challenges. It is apparently not uncommon for even ISP installers to enable unsecured WiFi access without checking whether such access is desired or usable by the customer (see "Networks Placed at Risk – By Their Providers" at http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html).

Providing a separate network for visitors is a good idea, although it is also important that the private traffic not traverse the externally accessible network, a point I have been making in a series of presentations since 2003 under the auspices of the IEEE Computer Society. At the 2007 LISAT conference, I presented "Safe Computing in the Age of Ubiquitous Connectivity" (paper and slides available at http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html). This paper and several other presentations on how Compartmented Networks can be used are outgrowths of the general notion of nested networks that I first published in Chapter 23 of the "Computer Security Handbook, Third Edition" (1995, Wiley).
Michael Christensen: Good job with this article though I disagree with your advice to enable MAC filtering. I find it a little “security by obscurity”.

Any just somewhat capable hacker can launch a sniffer and collect the MAC addresses of the active devices connecting to the WiFi access point. The MACs cannot be encrypted, as they unfortunately fall outside the scope of encryption together with the SSID and the management packages. With that information it is easy for the hacker to spoof the MAC address on his computer.

I’ve scanned 18,190 unique access points. The statistics of the encryption go like this: No encryption – 19 %, WEP – 26 %, WPA – 36 %, WPA2 – 19 %. My WarDriving was carried out in Denmark, primarily in Northern- and Middle-Jutland.

With these statistics in hand, I find it a good thing that this article puts focus on the fact that there are more than just a few unsafe access points installed - even in the corporate environment. Need I say: TJX?

We just had a case in Denmark, where an open access point was used to buy goods on the internet, paying with stolen credit cards. The amount was approx DKK 250,000 which is about $46,000 – not a big amount, some will say, but I think it’s only the top of the iceberg.

Go do something about it – before you or someone else gets hurt!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.