
Defensive Computing

July 13, 2008 2:47 PM PDT

Why I hate Wi-Fi

by Michael Horowitz

Not long ago, I purchased a Netgear WGR614 wireless G router. It's a new router and the G flavor of Wi-Fi is relatively mature so I didn't expect any problems. Silly me.

I set up the wireless network to use WPA-PSK-TKIP and connected to it just fine from my Windows XP laptop. A relative came over and their Windows XP laptop also connected to the Wi-Fi network. But, a few days later a third person tried it and their Windows XP laptop, a ThinkPad T60, refused to make a connection.

Perhaps, the vendor software managing the network connection was at fault. The first two machines had used Windows XP to handle the wireless connection. Nope. Even with Windows XP in charge of connecting, the T60 refused to get with the program. I turned off the software firewall and verified the router was using the latest firmware (which was version 9). I even turned off the firewall in the router. In the end, nothing helped and I had to switch routers.

Now, days later, I get to finish debugging this. It turns out, the problematic T60 laptop does Wi-Fi just fine. Using the vendor-supplied software, and with the firewall running, it connects to WiFi G routers from both Linksys and Belkin. Then, we try the Netgear WGR614 again, and it refuses to connect.

So, the Netgear router talks to two laptops just fine but not to the T60 ThinkPad. The T60 ThinkPad talks to two WiFi routers just fine, but not the Netgear router.

Go figure.

Last week, I set up a wireless network for a client. It worked fine for a couple days and then nothing. I'm on the phone with the client checking this and checking that, both from the wireless computer and from a wired computer connected to the same router. Some things are working, some aren't, I'm struggling to get a handle on the problem. And then, the network is working. Mind you, we didn't change anything. Like a petulant child, the network just decided to start working. Much like it decided to stop working. My best guess is some type of local radio interference.

One thing we tried was verifying the password for the network, which was also Wi-Fi G with WPA-PSK-TKIP. Rather than have the client log in to the router and try to find the sub-sub section where the password is, I had them purposely enter an invalid password. I wanted to see the error message you get, figuring the lack of an error message meant the password hadn't changed. This was on a Windows XP machine using Windows to control the wireless network.

There is no error message.

Thinking that something must be wrong, I verified this on another XP machine on another network. Sure enough, if you log in to a WPA-PSK-TKIP network with the wrong password, Microsoft doesn't see fit to issue any error message at all.

I hate Wi-Fi.

See a summary of all my Defensive Computing postings.

May 11, 2008 5:14 PM PDT

A word of warning about 'free' public Wi-Fi

by Michael Horowitz

I recently found myself in an airport terminal with a laptop and time to kill. Not knowing what the Wi-Fi options were, I let Windows XP search for available wireless networks. As you can see below, one of the networks was called "Free Public WiFi". If this happens to you, don't connect to a network like this.


The first two networks are each labeled "Unsecured wireless network". Fine. But the Free Public WiFi network is described by Windows as an "Unsecured computer-to-computer network". As the name implies, this network connects to a computer run by a total stranger somewhere nearby in the terminal.

Normally, wireless networks are created, run, and governed by a router. But, two Wi-Fi-enabled computers can talk directly to each other without the need for a router-based network. Another term for this type of network is "ad-hoc". Personally, I've never needed or used an ad-hoc computer-to-computer network.

How unusual are computer-to-computer networks? I live in Manhattan, surrounded by large apartment buildings. At home, my laptop picks up 28 wireless networks. Not one of them is a computer-to-computer network.

Why would someone set up a computer-to-computer network in an airport terminal? Most likely, it is good for them and bad for you. For one thing, the network name seems a bit too obvious. Who, in an airport terminal, doesn't want free public Wi-Fi? It's like asking a child if they want candy.

I always configure laptops to only connect to router-based networks and suggest you do so, too. Windows XP has a configuration option, shown below, that controls the type of networks it talks to.


You get to this window with: Control Panel -> Network Connections -> Wireless Networks tab -> Advanced button. Router-based networks are referred to as "infrastructure" or "access point" networks.

Knowing that my laptop wouldn't connect to an ad-hoc network, I tried it anyway. The result is the warning shown below.


Unfortunately, lots of software competes to control the Wi-Fi connection on laptop computers. In the examples above, Windows XP was controlling the network. Your laptop may have software from the company that made the computer controlling the wireless network. Or, your Wi-Fi environment may be controlled by software from the company that made the Wi-Fi adapter hardware or by an outside party altogether. This other software may or may not have an option to avoid computer-to-computer networks. If it doesn't, hopefully it will at least identify the type of network it detects.

Update May 14, 2008: For an explanation of where some of these computer-to-computer networks come from, see Free Public WiFi SSID. The important point is that when you look through the list of available wireless networks, you should be on the lookout for ad-hoc computer-to-computer networks as opposed to normal, router-based (infrastructure) networks. If the software you use to scan for available networks does not indicate the type of network, you may want to use different software. As more people become aware of this particular network name, a bad guy may simply use another enticing name.
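How scanning software can tell the two network types apart, as an added example that is not part of the original post: every 802.11 beacon carries a Capability Information field in which access points set the ESS bit and ad-hoc stations set the IBSS bit. The sample frames, network names and addresses below are constructed for illustration.

```python
import struct

# Capability Information bits carried in every 802.11 beacon
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (no radiotap header, no trailing FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon (management type 0, subtype 8)")
    # 24-byte header, 8-byte timestamp, 2-byte interval, then capabilities
    (caps,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):  # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elen]
        if len(value) < elen:
            break  # truncated element, stop parsing
        if eid == 0:  # element 0 is the SSID
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + elen
    return {
        "ssid": ssid,
        "bssid": frame[16:22].hex(":"),  # address 3 is the BSSID in a beacon
        "adhoc": bool(caps & CAP_IBSS) and not caps & CAP_ESS,
        "privacy": bool(caps & CAP_PRIVACY),  # clear means "unsecured"
    }

def adhoc_networks(frames):
    """Return the SSIDs of beacons sent by ad-hoc (IBSS) stations."""
    return [n["ssid"] for n in map(parse_beacon, frames) if n["adhoc"]]

def _sample(ssid, bssid_hex, caps):
    """Build a constructed beacon frame for the demonstration below."""
    header = (bytes.fromhex("80000000ffffffffffff")
              + bytes.fromhex(bssid_hex) * 2 + b"\x00\x00")
    body = bytes(8) + struct.pack("<HH", 100, caps)
    name = ssid.encode()
    return header + body + bytes([0, len(name)]) + name

# Constructed sample scan: names and addresses are made up
SAMPLE = [
    _sample("Terminal-B", "001122334455", CAP_ESS),
    _sample("Free Public WiFi", "02aabbccddee", CAP_IBSS),
    _sample("Lounge", "00112233aabb", CAP_ESS | CAP_PRIVACY),
]

if __name__ == "__main__":
    print(adhoc_networks(SAMPLE))
```

The check keys on the network type rather than the name, so it still flags an ad-hoc network that advertises a different enticing SSID.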


January 19, 2008 4:33 PM PST

Ethernet connections in a hotel room are not secure

by Michael Horowitz

I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.

Beats me why major newspapers don't hire computer techies to write about computer topics. Even worse, neither newspaper has the computer nerds on staff review articles for technical mistakes. Puzzling.

With that in mind, today's topic is an article about Wi-Fi security by Joseph De Avila that appeared on page D1 of the Wall Street Journal on Wednesday January 16th. See Wi-Fi Users, Beware: Hot Spots Are Weak Spots.

The vast majority of the article is well done, but not the last paragraph. It offers the following advice from someone named John King, who "... avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that's the only means available, but only if he's sure of the signal. 'I won't go on a wireless access point that I'm not confident in,' he says."

Who can argue with the main point being made here, that wired Internet connections are safer than wireless?

I can. Or, perhaps more to the point, Steve Gibson of GRC, SpinRite and the Security Now podcast would if he were writing this blog.

Before going into the technical aspects, let's start with the people. The Wall Street Journal describes Mr. King as "... a 46-year-old engineer from Livermore, Calif., [who] works for a company that mines computers for evidence in legal cases. He travels a lot for business..." Nothing about this description makes me think Mr. King is a networking security expert.

As for Steve Gibson, I have enough of a technical background in the subject and have listened to enough of his Security Now podcasts, to confidently state that he is a networking security expert. I doubt that any of my fellow nerds would disagree.

The Important Part

The critical point here is that a wired Ethernet connection is not necessarily a safe haven from the insecurity of Wi-Fi wireless networks.

Exhibit A supporting this claim is Episode #29, Ethernet Insecurity, of Steve Gibson's Security Now podcast. (transcript, 64K audio, 16K audio). This podcast, which explains the security problems inherent in a wired Ethernet network, was a huge eye-opener to me when I first heard it.

By way of background, Ethernet is a set of hardware and software rules/standards/protocols that computers on a Local Area Network (LAN) use to communicate. Ethernet used to have competition in the marketplace, but those days are over.

While the term LAN may invoke a small network, such as that in a house or apartment, a LAN can encompass an entire building, such as a hotel. When you plug a computer into an Ethernet jack in a hotel room, you are on the same network as all the other guest rooms. And that can be dangerous.

As Steve Gibson explained in the podcast, the Ethernet protocol was designed long ago. Before the Internet. Before security was on anyone's radar screen. "Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..." he said.

The explanation of the vulnerabilities gets somewhat technical and includes terms such as ARP, MAC addresses, IP addresses, malicious ARP replies, NICs, man-in-the-middle attacks, ARP Poison Routing, ARP spoofing, sniffing and promiscuous mode. In simple terms, a bad guy can get in the middle of all Internet conversations (us nerds call this "traffic"). Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged.

As Steve put it "... one bad person in a hotel could arrange to, without much work, literally intercept all the traffic going to and from the hotel's gateway so that all of the email conversations, all of the traffic of any sort that is being transacted by every other hotel guest, they're able to monitor and intercept."

I don't think the danger can be overstated. Wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections.
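A defensive check for the ARP spoofing described above, as an added example that is not part of the original post or the podcast: it compares two snapshots of the local ARP table and warns when the gateway's MAC address changes or when another IP address shares it. The snapshots use the Windows `arp -a` column layout and every address in them is constructed.

```python
import re

# One row of `arp -a` output: IP address, MAC address, entry type
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+")

def parse_arp(text):
    """Return {ip: mac} for the unicast entries in an ARP table listing."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and interface lines
        mac = m.group(2).lower().replace("-", ":")
        # Skip broadcast and IPv4 multicast entries; many IPs share them
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[m.group(1)] = mac
    return table

def arp_warnings(before, after, gateway):
    """Compare two ARP table snapshots and report signs of ARP spoofing."""
    old, new = parse_arp(before), parse_arp(after)
    warnings = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        warnings.append(
            f"gateway {gateway} changed from {old[gateway]} to {new[gateway]}")
    # A second IP sharing the gateway's MAC suggests one machine claims both
    twins = sorted(ip for ip, mac in new.items()
                   if ip != gateway and mac == new.get(gateway))
    if twins:
        warnings.append(
            f"{new[gateway]} answers for {gateway} and {', '.join(twins)}")
    return warnings

# Constructed snapshots: all addresses are made up
BEFORE = """\
Interface: 10.0.5.23 --- 0x2
  Internet Address      Physical Address      Type
  10.0.5.1              00-1a-2b-00-00-01     dynamic
  10.0.5.77             00-1a-2b-00-00-4d     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
"""
AFTER = BEFORE.replace("00-1a-2b-00-00-01", "00-1a-2b-00-00-4d")

if __name__ == "__main__":
    for warning in arp_warnings(BEFORE, AFTER, "10.0.5.1"):
        print("WARNING:", warning)
```

A gateway MAC can also change for legitimate reasons, such as a router replacement or failover, so a warning is a prompt to stop and verify rather than proof of interception.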

And Ethernet is not the only weak link in the security chain. The podcast describes software that can decrypt some normally encrypted data. "And in some cases, where you have weakly authenticated protocols, like Windows Remote Desktop that really doesn't provide any kind of authentication, man-in-the-middle and complete decryption attacks are easily performed. I mean, it is really bad," said Steve Gibson.

I first listened to this podcast episode while traveling to another city where I was planning on using a wired Ethernet connection in my hotel room. The podcast scared me to the point that I installed a VPN on my laptop. VPNs, while typically used by large corporations, are available to anyone and are the best protection from this sort of thing.

If anyone you know ever intends to use a wired Ethernet connection at a hotel, then tell them to read this posting. And get a VPN.

You don't read PC magazine for mutual fund advice, and you shouldn't read the Wall Street Journal for computer advice.

Update. February 18, 2008: For more on this see Defending against insecure hotel networks with a VPN.



About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
