Worried about Wi-Fi security?

(continued from previous page)

acquired its own name, "wardriving." And some industry experts point out that the day of sitting outside someone's house to steal their bandwidth is being outdated by signal-boosting technology that lets individuals get onto a network that's miles away.

"A signal enhancer available at your local RadioShack can give someone access from as far as 50 miles away," said Drew Carter, product manager for strategic opportunities at security software maker McAfee. "It's not just your neighbors that you need to worry about anymore."

In fact, extending the range of wireless technologies is a popular pastime of hobbyists and researchers. The 300-foot range of most wireless networking technology for the home is set more by government and manufacturer decree than by limits to the technology. The University of California at San Diego's High-Performance Wireless Research and Education Network (HPWREN) has extended Wi-Fi to 72 miles using power amplification and improved antennas. And hackers at the Defcon conference created a wireless sniper rifle that could target Bluetooth phones a half mile away, extending that technology's range almost 100-fold.

Help on the way
Because of the growing threat, everyone from third-party software vendors to networking-gear makers is developing technologies to try to help consumers cover their backs.

Security software maker McAfee is developing a free diagnostic tool that lets people survey their computer using a Web interface to determine the security of the network the machine is registered on. Dubbed McAfee Wi-Fi Scan, the application is already undergoing beta testing and is set for release in mid-February.

Five tips for clean air

Easy ways to improve protection for your wireless network.

Turn on wireless router firewall software

Use firewall software for individual devices on a network

Use third-party software to test for network vulnerabilities

Use monitoring software to detect potential intrusions

Change passwords after allowing access to someone new

Source: CNET News.com research

"Even if you can successfully deploy the security tools that come with wireless hardware, I think a lot of users get a false sense of protection from it," Carter said. "People think a simple firewall secures all their communications, while the reality is that though your connection in and out of that device is partially secured by the firewall, the actual connection between that device and your computer...may not be secured at all."

Hardware manufacturers are taking a different route. Earlier this month at the Consumer Electronics Show in Las Vegas, Linksys, a division of networking giant Cisco Systems, said it was launching a joint effort with chipmaker Broadcom and IT behemoth Hewlett-Packard to create a push-button security system for home wireless products. The system, to be called SecureEasySetup, promises to provide coverage that meets the Wi-Fi Protected Access, or WPA, industry standard for security.

Jeff Abramowitz, senior director of wireless LAN marketing at Broadcom, said SecureEasySetup represents the kind of basic security system consumers can understand easily.

"The technology allows you to set up a very secure Wi-Fi network without having to know any of the technical ins and outs," Abramowitz said. "All you do is hit a button on your router or Wi-Fi access point and push a corresponding button on a PC or another device, and they find each other and establish a secure connection."

Linksys has agreed to start building SecureEasyStep into its networking products by the beginning of 2005. HP will add the tool to certain notebook and desktop PCs and to some of its networked printers. Abramowitz said a number of other well-known technology companies are also working with the application.

In one less-conventional approach, Force Field Wireless has begun marketing latex house paint it claims will block wireless radio waves from escaping through the walls of a home. Known as DefendAir, the paint is laced with bits of copper and aluminum that help form an electromagnetic shield around your house, Force Field said. The paint, which sells for $69 a gallon, is certified nontoxic and lead free, and comes only in one color--gray.

Those products promise a safer future. The problem right now is those people who remain oblivious to the existing vulnerabilities in their systems. Analysts point out that there are a number of ways to secure these, from making sure basic firewall technology in the wireless router is installed to buying as many components as possible from the same vendor. There are also more complicated measures home network owners can take, such as swapping out the default service set identifier, or SSID, number--a form of unique identification for each wireless local area network--for the devices and making sure security systems have been updated to meet all the latest wireless specifications.

Jonathan Penn, an analyst at Forrester Research, feels that in requiring so much attention to be made secure, wireless networks will remain something of a hassle for consumers until more effective, easy-to-use methods of self-defense are created. He argues that consumers should not have to face the challenge of dealing with technology defaults and keeping up with industry standards.

"If the gear manufacturers, Internet service providers and software makers seriously want people to come online, they can't make it so hard on their customers," Penn said. "People are being told that they need to worry about antivirus software, antispam tools, wireless security and all sorts of malicious threats online. At a certain point, unless things become easier to handle, some people might just say, 'Forget it.'"

[aemarques]

Complicated measures?

You say "There are also more complicated measures home network owners can take, such as swapping out the default service set identifier, or SSID".
However, changing the defauld SSID - or, better yet, blocking its broadcast - is one of the most simple and efective security measures one can make in a Wi-Fi network!

[djysrv]

re; WiFi Security

Cudos to Belkin on this issue. When I set up an 802.11g home network, I knew I'd be lighting up the entire neighborhood. Belkin's technical support staff walked me through setting up the router, changing the SSID, setting up 64-bit WEP encryption, strong password, and installing a USB wireless node. Everything Belkin said would work did. When I changed one of our home computers, and had to re-install the wirless node, Belkin's instructions were flawless, and the new PC got connected right away using the same secure methods.

[jeaninej]

If you aren't sure, take a class, ask questions

I took C/Net's free Wireless Home Networking classes before I even had equipment. They proved valuable sources of planning and security information when I did acquire my LinkSys equipment and set it up. I don't broadcast my SSID, have 64-bit encryption and definitely changed my IP addressing structure.

If you aren't sure what you are doing, then you shouldn't be doing it. GET EDUCATED!

[Not Bugged]

The guy is an IT pro and he's scared?

Okay, I'm not in IT but man it seems like I should be. If you set your filters to allow only specific MAC addresses, disable SSID broadcast, use a proprietary technology, mine is the D-Link which uses 256-bit encryption, don't use default settings there is no way anyone is getting in.

Other steps is make sure to strategically place the wireless router where it has the hardest time broadcasting outside of the home, like say in the basement.

Can someone break the encryption? Possibly, but that is why you change the keys (make sure it's shared) every couple of weeks or maybe once a month.

[egarc--2008]

How can managing a wifi network be a daily task??

I agree with the previous poster that keeping a wifi network
secure is not much work. But I don't believe you need to change
the key very often because it would take a hacker literally weeks
outside your house to crack WPA.

With SSID broadcasting off, MAC addressing on and WPA, home
users are safe. If you are still paranoid, make sure your
computers are asleep when not in use and change the
encryption key from time to time.

[Steven N]

That 's probably because he knows too much

The reason why he is feeling insecure is probably simply because he knows too much of it.

Changing the SSID doesn't help, it sill shows up in your wireless network list.
Hiding SSID could help a tiny bit more, but it can be retrieved through sniffing the connection.
During the same snif, you easily find out what MAC addresses can connect to the router, so MAC address blocking can easily be bypassed.
WEP keys can be retrieved in a matter of hours, depending on how busy your network is.
WPA seems to be vulnerable to dictionary attacks.

If you take a look at this you could leave some sleep over it...

However, people should not forget this is a personal network: there might be private information on your network, but how much is there on your PC that is of real importance to an outsider?
So unless someone is really, really comitted to breaking into your network, most of these security precautions will be sufficient to keep the occasional wardriver out...

On another note though, if hardware manufacturers are really comitted to security, then they should create their devices in such a way that no WIFI is possible unless it has some minimal security: e.g: no WEP key, no WIFI.
This cannot be that hard?

SSIDs are not unique, thats part of the problem.

The article states: "such as swapping out the default service set
identifier, or SSID, number--a form of unique identification for
each wireless local area network"

That's good advice, but I'd just like to point out that SSIDs are
not unique. For example the default SSID for some Dlink wireless
routers is WLAN, if your router is broadcasting its SSID (another
default setting for easier connection) then an atacker will be able
to guess what wireless router you're using. And since you
haven't bothered to change any of these settings the chances are
that the administration password for the router has been left on
the default value too!

My advice, call in a proffesional or read up on it and do it
yourself. If you get stuck you'll find plenty of free support in
newsgroups and forums (that is as long as your internet
connection's still working).

Radiuz Networks to the rescue!

Radiuz Networks (www.radiuz.net) offers a solution to the problem that's easy to setup, and lets you control your home WiFi network to match your preferences for security and sharing. If you want a locked down network you can. If you want a fully shared network you can. You can even cooperate with your neighbors - its all monitored so you've always got the security of that audit trail. Go check it out - I was surprised not to see it in their write up as its a innovative new take on the problem.

[freebedj]

Microsoft Wireless Security & SSID Broadcast

One security measure that I take in regards to wireless, is turning off the SSID broadcast. However, with a new laptop that was running Windows XP and an internal 802.11g wireless card, it depended on Windows Wireless Zero Configuration service. I was having problems with connectivity and the resolution posted on the Microsoft site was that not broadcasting the SSID was not a viable security mechanism. The MS recommendation was to turn on SSID broadcast.

So basically I have a choice to make:
Turn on SSID broadcast so that my new laptop can connect using the internal card
Buy a PCMCIA card that has management software that can connect if the SSID is not broadcasted.

[rpms]

WinXP Wireless Zero Config - possible work-around

This is a frustrating problem. Here's a possible work-around that you may or may not have considered.

1. Select Start > Settings > Control Panel
2. Open Network Connections
3. Right-click the icon for your wireless card and select Properties...
4. Click Configure...
5. Open the Advanced tab, or the Settings tab if available
6. Set the Network Name/SSID manually

I've found that all of my wireless cards -- even the ones meant to be managed through Windows XP or through proprietary software -- let me set the SSID the old fashioned way. Accordingly, I have disabled the Wireless Zero Connect service.

See if this approach works with your card. Good luck!

Paul Marcelin-Sampson
Santa Cruz, California, USA

[shadowself]

First step NOT last

In your suggestions as to what to do...
"As a final security precaution, consider limiting access to
network adapters with specific MAC addresses."

For a home system ... and any business system which does not
have a large number of visiting users ... this must be the first
step, not the last. Anyone who has a WiFi network which does
not have a large number of visiting users that does not restrict
access to specific MAC addresses has an idiot for an
administrator. Period.

Any system (base station, etc.) that does not allow a relatively
easy means (with proper, verified authorization of course) to add
and/or delet MAC addresses must be avoided at all costs.

This is the most basic means of protecting your network. Of
course other layers need to be added too in order to maintain
data confidentiality when you are using the network, but
restricting the network usage to specific MAC addresses is the
first step, NOT an optional last step.

Thank you!

You are all, mostly, correct. Limit the access to your wireless LAN by using MAC address filtering. Close your networks (in AirPort lingo or disable SSID broadcasting for you PC folks) and use the built-in encryption/security features of your router/access point. At the very least connect to your router's web-administration page and change the default password for the admin account!!! Or just leave your network open for all to use freely. The choice its yours. If you're still unsure, switch back to hardwired Ethernet connections... that's a REALLY secure connection!
My neighbor is lucky I found their network first and not some unscrupulous person. They left the admin passwords at the default and are running two routers! All without any security enabled! Great for me, but they should know better or go all hardwired. Take a few mintues to read the manual, it's all in there!

What's with the puritanical technofear?

"attackers could implant malicious programs, including spyware, adware and Trojan horse applications, directly onto a computer". How would they do that without an unprotected computer? This has nothing whatsoever to do with open wireless networks, a machine open enough to allow this to happen over wifi would have it happen with any internet connection. The only real threat in the entire article is totally bogus!

As to the rest, it gives people on your little corner of the net anonymity which the can use or abuse to do things you don't approve of. Good! I don't want to police what others do and if someone abuses the facilities to the point where the network slows down I simply put a block on their IP address (which is logged on my machine so it's not the masked intrusion you make it out to be).

At my home base is an open WIFI connection and in my RV is a signal booster for the same. Share and enjoy!

Scare Tactic... This story exaggerates

Sorry, but I think this story exaggerates to the point that it's a
bogus scare tactic. There ARE risks in an unprotected wireless
network, but connections in the article will keep readers up at
night.

e.g. -- Most WiFi are not protected... Link to identity theft story.
I'm sorry, but that's not the main concern.

I wish the story had given some practical advice... Secure your
PC so you are not vulnerable to nasty tricks from within your
LAN. Turn off services (like file sharing) unless you know what
you are doing. You should do this anyway. Then, your biggest
concern is someone using your bandwidth.

I just did a WiFi setup for a friend. Up-to-date PC's supported by
corporate IT depts. Connection to the office by VPN. No file
sharing, no services running. I don't think they even need WEP.

-- Sally

Window pane blocking Wi-Fi

Glass manyfacturer in Sweeden have for years sold dobble window pane with a transparent metal film, socalled Warm Pane. The film was put on to increase the insolation factor of the pane stopping the IR spectum to pass through. A sideeffect of this is that this panes attenuate 2.4GHz 40dB. The cellphone band is also effected, often makiong the cellphone quiet. transmissions

WIFI security

Another option for protecting your WIFI network is our free WIFI Internet Access Blocker. Works with Win2K, XP and supports WEP/WPA. Gives you real-time intruder alerts and blocks freeloaders from surfing using your network. Download from http://www.myWIFIzone.com

[bebbers]

www.witopia.net

they offer several wifi security services for your home and if you
use Hotspots that are easy to set up and very cheap.