Worried about Wi-Fi security?

Even for IT professional Matthew Ingrassia, keeping a home Wi-Fi network safe from outside threats is close to a full-time undertaking.

The technical coordinator for Washington, D.C.-based law firm Thompson Coburn harbors apprehensions that someone may be able to infiltrate the wireless network he set up in his Maryland home, despite all the training he brought to it. And he's pretty sure there are a lot of less-experienced people out there with no clue just how vulnerable their wireless systems may be.

"Running a home network with no security is akin to unlocking your door and hanging a sign on your house inviting thieves inside to steal," Ingrassia said. "It's easy to see how for someone with no real training, figuring out how to protect yourself might seem nearly impossible."

News.context

What's new:
As Wi-Fi networks become more popular in American homes, the need to protect systems from security threats becomes more urgent.

Bottom line:
But for many ordinary owners, the complexity of dealing with a wireless network is leading them to put security on the back burner. If technology providers can't come up with products that will change that attitude, then the problem will only get worse.

More stories on this topic

As Wi-Fi networks become popular in American homes, more people are exposed to dangers such as spyware, and the need to secure systems against those threats becomes more urgent. But for many ordinary owners, the complexity of dealing with a wireless network is leading them to put security on the back burner. If technology providers can't come up with products that will change that attitude, then the problem can only get worse.

People often struggle with installing their networks, causing them to think twice about putting in additional security measures or starting again from scratch to close potential vulnerabilities, experts said.

On top of this, the incompatibility between networking products from different sources, changing industry security standards and the growing number of devices people want to link to their wireless systems also daunt less-tech-savvy owners.

Networking industry executives say that as a result, getting consumers to use the security capabilities already built in to their wireless products is a struggle.

"Ease of use is a big problem. You can have the best encryption out there, but if someone can't set it up easily, it won't ever be used," said Mani Dhillon, the senior manager of product marketing at networking gear maker Linksys. "We've tried to make security an integral part of the (networking) setup process, but beyond that it's difficult to force people to use it. There's only so much that hardware manufacturers can do."

Plenty to lose
Studies suggest that an overwhelming majority of America's home wireless networks lack sufficient protection from outside intruders. According to figures from Gartner, some 80 percent of U.S. residential wireless local area networks, or WLANs, will classify as "unsecured" by 2007. The Stamford, Conn.-based research company contends that 70 percent of successful attacks on home wireless systems through 2006 will be the direct result of improperly configured WLAN access points and mismanaged client software.

And at a recent focus group session held in San Francisco, Tom Powledge, director of product management at security software maker Symantec, was amazed when four out of five people at the event admitted their wireless networks were not protected by any technology safeguard.

How to protect networks

CNET Labs walks you through the necessary steps to set up your Wi-Fi home network and keep it protected.

Intro What you need

Steps

1. Prepare for installation

2: Install the wireless router

3: Configure the router

4: Install wireless adapters

5: Configure wireless systems

6: Set the password

7: Set the SSID

8: Enable encryption

9: Filter Media Access Control addresses

10: Configure Wi-Fi systems

Devices Share and share alike

More help Network networking

Source: CNET Labs' "Tune-up" series.

For some of those people, the idea of offering open Internet access via their home network was novel and nothing to worry about, Powledge said.

"Some people really don't care too much if people are logging on secretly, using their wireless connection. They feel they're providing free Internet to neighbors," Powledge said. "But what these people don't understand is that if someone else starts using your network to browse whatever they want on the Web, it's going to come back to your IP address."

That means people can surf unsavory content from your unique, traceable Internet location--and slow your Internet performance down at the same time.

Those whose wireless systems can be penetrated are exposed to other serious threats too, Powledge pointed out. For example, attackers could implant malicious programs, including spyware, adware and Trojan horse applications, directly onto a computer. That could open the door to more serious problems such as online fraud or even identity theft, he said.

In one instance, a Los Angeles man pleaded guilty in September to distributing pornography spam e-mails, sent out using other people's Wi-Fi connections, which he accessed from inside his car. And in 2003, a man in Toronto was arrested for downloading child pornography using other people's unsecured wireless networks.

The practice of cruising around town to look for unguarded wireless networks has become so popular that the phenomenon has even

[aemarques]

Complicated measures?

You say "There are also more complicated measures home network owners can take, such as swapping out the default service set identifier, or SSID".
However, changing the defauld SSID - or, better yet, blocking its broadcast - is one of the most simple and efective security measures one can make in a Wi-Fi network!

[djysrv]

re; WiFi Security

Cudos to Belkin on this issue. When I set up an 802.11g home network, I knew I'd be lighting up the entire neighborhood. Belkin's technical support staff walked me through setting up the router, changing the SSID, setting up 64-bit WEP encryption, strong password, and installing a USB wireless node. Everything Belkin said would work did. When I changed one of our home computers, and had to re-install the wirless node, Belkin's instructions were flawless, and the new PC got connected right away using the same secure methods.

[jeaninej]

If you aren't sure, take a class, ask questions

I took C/Net's free Wireless Home Networking classes before I even had equipment. They proved valuable sources of planning and security information when I did acquire my LinkSys equipment and set it up. I don't broadcast my SSID, have 64-bit encryption and definitely changed my IP addressing structure.

If you aren't sure what you are doing, then you shouldn't be doing it. GET EDUCATED!

[Not Bugged]

The guy is an IT pro and he's scared?

Okay, I'm not in IT but man it seems like I should be. If you set your filters to allow only specific MAC addresses, disable SSID broadcast, use a proprietary technology, mine is the D-Link which uses 256-bit encryption, don't use default settings there is no way anyone is getting in.

Other steps is make sure to strategically place the wireless router where it has the hardest time broadcasting outside of the home, like say in the basement.

Can someone break the encryption? Possibly, but that is why you change the keys (make sure it's shared) every couple of weeks or maybe once a month.

[egarc--2008]

How can managing a wifi network be a daily task??

I agree with the previous poster that keeping a wifi network
secure is not much work. But I don't believe you need to change
the key very often because it would take a hacker literally weeks
outside your house to crack WPA.

With SSID broadcasting off, MAC addressing on and WPA, home
users are safe. If you are still paranoid, make sure your
computers are asleep when not in use and change the
encryption key from time to time.

[Steven N]

That 's probably because he knows too much

The reason why he is feeling insecure is probably simply because he knows too much of it.

Changing the SSID doesn't help, it sill shows up in your wireless network list.
Hiding SSID could help a tiny bit more, but it can be retrieved through sniffing the connection.
During the same snif, you easily find out what MAC addresses can connect to the router, so MAC address blocking can easily be bypassed.
WEP keys can be retrieved in a matter of hours, depending on how busy your network is.
WPA seems to be vulnerable to dictionary attacks.

If you take a look at this you could leave some sleep over it...

However, people should not forget this is a personal network: there might be private information on your network, but how much is there on your PC that is of real importance to an outsider?
So unless someone is really, really comitted to breaking into your network, most of these security precautions will be sufficient to keep the occasional wardriver out...

On another note though, if hardware manufacturers are really comitted to security, then they should create their devices in such a way that no WIFI is possible unless it has some minimal security: e.g: no WEP key, no WIFI.
This cannot be that hard?

SSIDs are not unique, thats part of the problem.

The article states: "such as swapping out the default service set
identifier, or SSID, number--a form of unique identification for
each wireless local area network"

That's good advice, but I'd just like to point out that SSIDs are
not unique. For example the default SSID for some Dlink wireless
routers is WLAN, if your router is broadcasting its SSID (another
default setting for easier connection) then an atacker will be able
to guess what wireless router you're using. And since you
haven't bothered to change any of these settings the chances are
that the administration password for the router has been left on
the default value too!

My advice, call in a proffesional or read up on it and do it
yourself. If you get stuck you'll find plenty of free support in
newsgroups and forums (that is as long as your internet
connection's still working).

Radiuz Networks to the rescue!

Radiuz Networks (www.radiuz.net) offers a solution to the problem that's easy to setup, and lets you control your home WiFi network to match your preferences for security and sharing. If you want a locked down network you can. If you want a fully shared network you can. You can even cooperate with your neighbors - its all monitored so you've always got the security of that audit trail. Go check it out - I was surprised not to see it in their write up as its a innovative new take on the problem.

[freebedj]

Microsoft Wireless Security & SSID Broadcast

One security measure that I take in regards to wireless, is turning off the SSID broadcast. However, with a new laptop that was running Windows XP and an internal 802.11g wireless card, it depended on Windows Wireless Zero Configuration service. I was having problems with connectivity and the resolution posted on the Microsoft site was that not broadcasting the SSID was not a viable security mechanism. The MS recommendation was to turn on SSID broadcast.

So basically I have a choice to make:
Turn on SSID broadcast so that my new laptop can connect using the internal card
Buy a PCMCIA card that has management software that can connect if the SSID is not broadcasted.

[rpms]

WinXP Wireless Zero Config - possible work-around

This is a frustrating problem. Here's a possible work-around that you may or may not have considered.

1. Select Start > Settings > Control Panel
2. Open Network Connections
3. Right-click the icon for your wireless card and select Properties...
4. Click Configure...
5. Open the Advanced tab, or the Settings tab if available
6. Set the Network Name/SSID manually

I've found that all of my wireless cards -- even the ones meant to be managed through Windows XP or through proprietary software -- let me set the SSID the old fashioned way. Accordingly, I have disabled the Wireless Zero Connect service.

See if this approach works with your card. Good luck!

Paul Marcelin-Sampson
Santa Cruz, California, USA

[shadowself]

First step NOT last

In your suggestions as to what to do...
"As a final security precaution, consider limiting access to
network adapters with specific MAC addresses."

For a home system ... and any business system which does not
have a large number of visiting users ... this must be the first
step, not the last. Anyone who has a WiFi network which does
not have a large number of visiting users that does not restrict
access to specific MAC addresses has an idiot for an
administrator. Period.

Any system (base station, etc.) that does not allow a relatively
easy means (with proper, verified authorization of course) to add
and/or delet MAC addresses must be avoided at all costs.

This is the most basic means of protecting your network. Of
course other layers need to be added too in order to maintain
data confidentiality when you are using the network, but
restricting the network usage to specific MAC addresses is the
first step, NOT an optional last step.

Thank you!

You are all, mostly, correct. Limit the access to your wireless LAN by using MAC address filtering. Close your networks (in AirPort lingo or disable SSID broadcasting for you PC folks) and use the built-in encryption/security features of your router/access point. At the very least connect to your router's web-administration page and change the default password for the admin account!!! Or just leave your network open for all to use freely. The choice its yours. If you're still unsure, switch back to hardwired Ethernet connections... that's a REALLY secure connection!
My neighbor is lucky I found their network first and not some unscrupulous person. They left the admin passwords at the default and are running two routers! All without any security enabled! Great for me, but they should know better or go all hardwired. Take a few mintues to read the manual, it's all in there!

What's with the puritanical technofear?

"attackers could implant malicious programs, including spyware, adware and Trojan horse applications, directly onto a computer". How would they do that without an unprotected computer? This has nothing whatsoever to do with open wireless networks, a machine open enough to allow this to happen over wifi would have it happen with any internet connection. The only real threat in the entire article is totally bogus!

As to the rest, it gives people on your little corner of the net anonymity which the can use or abuse to do things you don't approve of. Good! I don't want to police what others do and if someone abuses the facilities to the point where the network slows down I simply put a block on their IP address (which is logged on my machine so it's not the masked intrusion you make it out to be).

At my home base is an open WIFI connection and in my RV is a signal booster for the same. Share and enjoy!

[SallyShears]

Scare Tactic... This story exaggerates

Sorry, but I think this story exaggerates to the point that it's a
bogus scare tactic. There ARE risks in an unprotected wireless
network, but connections in the article will keep readers up at
night.

e.g. -- Most WiFi are not protected... Link to identity theft story.
I'm sorry, but that's not the main concern.

I wish the story had given some practical advice... Secure your
PC so you are not vulnerable to nasty tricks from within your
LAN. Turn off services (like file sharing) unless you know what
you are doing. You should do this anyway. Then, your biggest
concern is someone using your bandwidth.

I just did a WiFi setup for a friend. Up-to-date PC's supported by
corporate IT depts. Connection to the office by VPN. No file
sharing, no services running. I don't think they even need WEP.

-- Sally

Window pane blocking Wi-Fi

Glass manyfacturer in Sweeden have for years sold dobble window pane with a transparent metal film, socalled Warm Pane. The film was put on to increase the insolation factor of the pane stopping the IR spectum to pass through. A sideeffect of this is that this panes attenuate 2.4GHz 40dB. The cellphone band is also effected, often makiong the cellphone quiet. transmissions

WIFI security

Another option for protecting your WIFI network is our free WIFI Internet Access Blocker. Works with Win2K, XP and supports WEP/WPA. Gives you real-time intruder alerts and blocks freeloaders from surfing using your network. Download from <a class="jive-link-external" href="http://www.myWIFIzone.com" target="_newWindow">http://www.myWIFIzone.com</a>

[bebbers]

www.witopia.net

they offer several wifi security services for your home and if you
use Hotspots that are easy to set up and very cheap.

[Maxidix]

I recommend Maxidix Wifi Suite. You can get it here http://download.cnet.com/Maxidix-Wifi-Suite/3000-2651_4-75449739.html it will let you know all the network characteristics before you connect to it.

[iamveritas]

just install this program and you'll be 100% safe on any WiFi you connected to.
go to wifiprotector.com download the WiFi Protector app and install it.
regards.