What not to do with wireless security

It used to be a huge problem: wireless security.  Drive up and down any street in the US and you would see all kinds of unsecured wireless networks.  This was largely due to router manufacturers failing to enable basic security by default.  The sad part is that after all of the education security experts have done in this area, it still happens.

I felt compelled, almost obligated, to write an article on wireless network security after two recent incidents I encountered in which administrators had set up lax security.  One involved a private home user and the other involved a potentially more dangerous scenario, a public Wi-Fi hotspot.

Before I begin, I would like to mention that the point of this article is not to scare you away from using the Internet, but rather to educate you on safe surfing practices – practices that should start before you even launch your browser.  If you have a home or small business wireless network, I would hope you gain enough practical knowledge by reading this article to secure your network to keep intruders out.

When you surf the Internet in your favorite coffee shop, you take for granted that the service you are connecting to is safe, secure and easy to connect to.  However, this is not always the case.  For example, to make it faster and easier for you to watch your stocks during your morning coffee break, your local coffeehouse usually doesn’t enable a password.  You can argue that this is good or bad, depending on your mindset, but it is the first hiccup in a slippery slope of bad security practices.  Even with a password, things get complicated, because the quality of the encryption now comes into play.

The acronyms used for network security can sometimes be confusing: WEP, WAP, WPA Personal and Enterprise, 802.11i, AES, TKIP, just to name a few.

The recent experience I had with the home user mentioned above found that they were using WEP encryption on their wireless router.  WEP stands for Wired Equivalent Privacy and has the same encryption as a computer that is wired to the network with an Ethernet cable.  Wireless computers (called clients) connect to WEP-enabled routers with a 64-character alphanumeric key.  The problem with this type of encryption is that real-world exploits have shown it is not secure enough to withstand an attack: the key can be broken within 6 minutes, allowing anyone with enough moxie to enter your network undetected.  The solution was to set her up on a more secure protocol, WPA2, which stands for Wireless Protected Access version 2.  The biggest difference between versions 1 and 2 of WPA is that version 2 has mandatory encryption features that are not included in the previous version.  By rights, this makes it more secure than either WEP or WPA.  Once the new security protocol was configured on her router, the user was able to take advantage of the more secure access method.  Anyone trying to reach files on her network over wireless was now going to have a much tougher time breaking the encryption key.
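As an added example (not part of the original article, and not the home user's router settings), here is a small Python audit of a hostapd-style access-point configuration that flags the weak settings discussed above: WEP, an open network, WPA version 1 and the TKIP cipher. The key names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `wep_key0`, `wpa_passphrase`) are the ones hostapd.conf uses; the two sample configs and the 12-character passphrase threshold are constructed assumptions of mine.

```python
"""Audit a hostapd-style wireless config for weak or missing encryption.

Added example, not code from the original article.  It parses the
key=value format of hostapd.conf and reports the problems the article
describes: open networks, WEP, WPA version 1 and TKIP.  Sample configs
are constructed; the passphrase length threshold is an assumed policy.
"""

# Constructed sample: the kind of WEP setup the article's home user had.
WEP_CONFIG = """\
interface=wlan0
ssid=HomeNet
channel=6
auth_algs=1
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: WPA2 only, AES-CCMP only.
WPA2_CONFIG = """\
interface=wlan0
ssid=HomeNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Correct-Horse-42-Battery
"""

MIN_PASSPHRASE = 12  # assumed policy; the protocol minimum is lower


def parse_hostapd(text):
    """Return a dict of key -> value, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_wireless(conf):
    """Return a list of findings; an empty list means WPA2 with CCMP only."""
    findings = []
    uses_wep = any(key.startswith("wep_key") for key in conf)
    # hostapd's 'wpa' is a bitfield: 1 = WPA (v1), 2 = WPA2/RSN, 3 = both.
    wpa = int(conf.get("wpa", "0"))

    if uses_wep:
        findings.append("WEP key configured: WEP is broken, switch to WPA2")
    elif wpa == 0:
        findings.append("no encryption configured: network is open")
    if wpa & 1:
        findings.append("WPA (version 1) enabled: allow WPA2 only")

    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: restrict pairwise ciphers to CCMP (AES)")
    if wpa & 2 and "CCMP" not in ciphers:
        findings.append("WPA2 enabled without CCMP: set rsn_pairwise=CCMP")

    passphrase = conf.get("wpa_passphrase", "")
    if wpa and passphrase and len(passphrase) < MIN_PASSPHRASE:
        findings.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE} characters")
    return findings


if __name__ == "__main__":
    for name, text in (("WEP sample", WEP_CONFIG), ("WPA2 sample", WPA2_CONFIG)):
        print(name, "->", audit_wireless(parse_hostapd(text)) or ["OK"])
```

Run it as a script to see the WEP sample flagged and the WPA2 sample pass; point `parse_hostapd` at a real hostapd.conf to audit your own access point.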

The first thing anyone must do, whatever their network is used for, is to enable wireless security as discussed above.  However, your security precautions should not stop there.  There is still more you must do to your router to truly lock it down from prying eyes, namely dealing with additional router features that are either unnecessary or downright dangerous.

If you recall, the other example I mentioned at the beginning of this article was the public access point.  It was not unlike any other access point in a coffee shop or library, except for a few key flaws in its security.  The first flaw I discovered was the poor choice of password.  When manufacturers ship routers to stores, they ship them with a generic user name and password for accessing the administrative features.  Once inside, you can set up your router for wireless security, domain settings and other things essential to router security and function.  Usually this combination is something very generic: user name admin with a password of “password1” or something similar.  I cannot stress enough how important it is to change this.  It’s best to pick something easy for you to remember but hard for others to guess.  Poor password choices, and thus easy to crack, are those based on dictionary words or lacking capitalization or numbers.  A client I’ve worked with in the past likes to use numerals for numbers rather than spelling out the words.  This makes it more secure for two reasons: it’s easy to remember, and most brute force password attacks do not take numbers into account, since there are more combinations of numbers than there are letters.

They tried to be a little less obvious with the username/password combination, but they forgot the fundamental rules for choosing a secure password given above.  The user name they chose was the name of their business and the password was “admin”.  No punctuation, no numbers, nothing additional to make the password secure.  With blatant disregard for the best practices in network security, they left their entire infrastructure open for a malicious hacker to make it their chew toy.  Anyone with enough intent could have done something as mundane as locking the admin out of the router or, being a bit more evil, could have redirected users to a malicious website spewing a virus or other malware.
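As an added example (my own code, not from the original article), the rules from the two paragraphs above can be turned into a check you run on your router's admin credentials before you save them: factory defaults such as admin/password1, the business name reused as a user name or password, dictionary words, and passwords lacking numbers or capitals. The default-credential list, the mini dictionary and the 12-character minimum are constructed assumptions; a real check would load a proper word list and the vendor's known defaults.

```python
"""Check router admin credentials against the article's password rules.

Added example, not code from the original article.  It flags the two
situations the article describes (admin/password1 and business-name/admin)
plus dictionary words, short passwords, and passwords with no digits or
capital letters.  The lists and the minimum length are constructed.
"""
import re

# Constructed list of shipped defaults; real routers vary by vendor.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "password1"),
    ("admin", ""),
}

# Constructed mini dictionary; a real check would load a full word list.
DICTIONARY = {"admin", "password", "coffee", "welcome", "letmein", "router", "wireless"}

MIN_LENGTH = 12  # assumed policy, not a figure from the article


def check_admin_credentials(username, password, business_name=None):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    user_l, pass_l = username.lower(), password.lower()

    if (user_l, pass_l) in DEFAULT_CREDENTIALS:
        problems.append("factory default credentials still in use")
    if business_name and business_name.lower() in (user_l, pass_l):
        problems.append("business name used as username or password")
    # Strip trailing digits so 'password1' is still caught as 'password'.
    if re.sub(r"\d+$", "", pass_l) in DICTIONARY:
        problems.append("password is a dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("password contains no numbers")
    if not any(c.isupper() for c in password):
        problems.append("password contains no capital letters")
    if pass_l == user_l:
        problems.append("password equals username")
    return problems


if __name__ == "__main__":
    # Constructed cases mirroring the article: a shipped default and a
    # hotspot whose user name is the business and whose password is 'admin'.
    for args in (("admin", "password1"), ("JavaJoes", "admin", "JavaJoes"),
                 ("netadmin", "Brew-Stand-7-Lamp-44")):
        print(args[0], "->", check_admin_credentials(*args) or ["OK"])
```

The trailing-digit strip matters: a dictionary word with a "1" bolted on is the most common way people satisfy a "must contain a number" rule, and it should still be rejected.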

When I examined the settings further, I noticed another feature that, when disabled, can be detrimental to everyone on the network: the firewall.  For years, security and technology experts have agreed that the best way to cut down on the spread of viruses on networks is to run a firewall.  Suppose you’re a user who, for whatever reason, didn’t enable your Windows or Mac firewall because you assumed the operators of the network had the foresight to enable this feature?  You’re screwed.  You should always enable the software firewall in Windows or Mac OS, regardless of whether you’re on a netbook, laptop or desktop.  Anything less than that is just foolish.

Granted, it was the ethical responsibility of the administrator of the router in question to ensure that adequate security measures were in place, but the responsibility does not stop there.  Part of it lies with the end user as well.  Two firewalls are always better than one, and some security experts say the best way to ensure tighter security is to run both a software firewall (usually built into your operating system) and a hardware firewall (usually built into your router).  Even if you have only one machine attached to the high-speed Internet connection at your house, I recommend getting a hardware firewall or router for just that purpose.  Be aware that the cable or DSL modem you get from your Internet provider does not have adequate security built in, and it is up to you to lock this down through your computer or with another piece of hardware.

The third and most dangerous feature, which you should disable immediately after getting your router, is Universal Plug and Play, also known as UPnP.  In the above example, this service was enabled on the access point’s router.  Why is this a bad idea?  First we need to look at what UPnP does.  Say you get a shiny new gaming console and you want to use it to play games over your home network with other users around the world, using your Internet connection.  With UPnP, all you have to do is enable the feature on your gaming console and plug it into your home network.  Your router will auto-detect the new device on the network, assign it an IP (Internet Protocol) address and, here comes the very dangerous part, automatically open a port in your firewall for that device or service.

Why is that dangerous?  Services and software, everything from instant messaging clients to Skype to your favorite browser, use ports to allow the transmission of approved data through your firewall.  If a service auto-opens a port without your knowledge (no window saying “Yes, we’re going to open this port now.  Is that OK?”), you are open to attack on that port.  Suppose that after a few months the gaming console breaks down and you didn’t know that port was open.  You send it in for service, but during that time you don’t know to close the port in your firewall.  It’s similar to leaving for work with the windows and front door of your house open.  Anyone can come inside, look in your refrigerator for a meal, leave a mess when they’re done, and you come home to that mess.

That is the fundamental problem created by UPnP.  The solution, much like any security solution, is not intuitive.  You must turn off UPnP and manually open, on your router, only the ports you want open for each service or device.  This is the safest way to allow devices or services to operate on your network, since you will know what is open and what is not.
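As an added example (my own code, not from the original article), the console-sent-for-repair scenario above can be caught by reconciling the router's port-forwarding table with its DHCP lease table: any forward pointing at an address with no device behind it is a stale hole, and any forward the router opened on its own (UPnP) is one you never reviewed. Both tables here are constructed, as are the addresses and port numbers; on a real router you would export them from the admin page.

```python
"""Reconcile router port-forwarding rules with the devices actually present.

Added example, not code from the original article.  It models the
article's failure mode: UPnP opens a port for a device, the device leaves
the network, and the forward stays open.  The tables are constructed.
"""
from collections import namedtuple

Forward = namedtuple("Forward", "ext_port proto host int_port origin")
Lease = namedtuple("Lease", "host mac hostname")

# Constructed port-forward table, as a router's admin page might list it.
FORWARDS = [
    Forward(3074, "udp", "192.168.1.20", 3074, "upnp"),    # game console, auto-opened
    Forward(22, "tcp", "192.168.1.30", 22, "manual"),      # NAS, opened on purpose
    Forward(5000, "tcp", "192.168.1.42", 5000, "upnp"),    # media box, auto-opened
]

# Constructed DHCP lease table: the console (.20) has gone off for repair.
LEASES = [
    Lease("192.168.1.30", "aa:bb:cc:00:00:30", "nas"),
    Lease("192.168.1.42", "aa:bb:cc:00:00:42", "mediabox"),
]


def audit_forwards(forwards, leases):
    """Return (rule, reason) pairs for forwards that need attention.

    A forward whose target host has no lease is stale and should be closed.
    A forward that UPnP created should be closed and, if still needed,
    re-added by hand so that it shows up in the manual rule list.
    """
    present = {lease.host for lease in leases}
    findings = []
    for fwd in forwards:
        if fwd.host not in present:
            findings.append((fwd, "stale: no device at this address, close the port"))
        elif fwd.origin == "upnp":
            findings.append((fwd, "opened by UPnP: disable UPnP and re-add manually if needed"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_forwards(FORWARDS, LEASES):
        print(f"{rule.proto}/{rule.ext_port} -> {rule.host}:{rule.int_port}  {reason}")
```

Only the manually opened NAS rule survives the audit untouched, which is the state the paragraph above recommends: every open port is one you chose and can name.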

Bottom line: never assume that adequate security measures are in place.  Also, do not assume that computer manufacturers have your best interests in mind when selling you your computer or router.  Always check that your passwords are secure, your firewall is enabled and UPnP is turned off.  When you connect to a public access point such as at a coffeehouse or airport, you can use VPN tools such as AnchorFree’s HotSpot Shield (www.hotspotshield.com) to keep your sessions private.  If you’re unsure about how to proceed, ask a geek you know, or write to me at john@newmediaindy.com with your questions or concerns.