
Defensive Computing

July 13, 2008 2:47 PM PDT

Why I hate Wi-Fi

by Michael Horowitz

Not long ago, I purchased a Netgear WGR614 wireless G router. It's a new router and the G flavor of Wi-Fi is relatively mature so I didn't expect any problems. Silly me.

I set up the wireless network to use WPA-PSK-TKIP and connected to it just fine from my Windows XP laptop. A relative came over and their Windows XP laptop also connected to the Wi-Fi network. But, a few days later a third person tried it and their Windows XP laptop, a ThinkPad T60, refused to make a connection.

Perhaps the vendor software managing the network connection was at fault. The first two machines had used Windows XP to handle the wireless connection. Nope. Even with Windows XP in charge of connecting, the T60 refused to get with the program. I turned off the software firewall and verified the router was using the latest firmware (which was version 9). I even turned off the firewall in the router. In the end, nothing helped and I had to switch routers.

(Credit: Netgear)

Now, days later, I get to finish debugging this. It turns out, the problematic T60 laptop does Wi-Fi just fine. Using the vendor supplied software, and with the firewall running, it connects to WiFi G routers from both Linksys and Belkin. Then, we try the Netgear WGR614 again, and it refuses to connect.

So, the Netgear router talks to two laptops just fine but not to the T60 ThinkPad. The T60 ThinkPad talks to two WiFi routers just fine, but not the Netgear router.

Go figure.

Last week, I set up a wireless network for a client. It worked fine for a couple days and then nothing. I'm on the phone with the client checking this and checking that, both from the wireless computer and from a wired computer connected to the same router. Some things are working, some aren't, I'm struggling to get a handle on the problem. And then, the network is working. Mind you, we didn't change anything. Like a petulant child, the network just decided to start working. Much like it decided to stop working. My best guess is some type of local radio interference.

One thing we tried was verifying the password for the network, which was also Wi-Fi G with WPA-PSK-TKIP. Rather than have the client log in to the router and try to find the sub-sub section where the password is, I had them purposely enter an invalid password. I wanted to see the error message you get, figuring the lack of an error message meant the password hadn't changed. This was on a Windows XP machine using Windows to control the wireless network.

There is no error message.

Thinking that something must be wrong, I verified this on another XP machine on another network. Sure enough, if you log in to a WPA-PSK-TKIP network with the wrong password, Microsoft doesn't see fit to issue any error message at all.

I hate Wi-Fi.

See a summary of all my Defensive Computing postings.

June 9, 2008 1:18 PM PDT

Setting up a WiFi network - the hard part is judging advice

by Michael Horowitz

I have, in the past, been critical of computer articles in the newspapers I regularly read, the Wall Street Journal and the New York Times. Often I've warned that you don't read PC Magazine for mutual fund advice and you shouldn't read the Wall Street Journal for computer advice. Yet, the reporters in these newspapers are significantly more technically qualified than those at the Orlando Sentinel.

Today, I'm in south Florida, where the Sun Sentinel is the local paper. They reprinted an article by Etan Horowitz (no relation), Set up a home wireless network, that originally appeared last month in the Orlando Sentinel.

The article contains a number of technical inaccuracies, which I'll discuss below, as well as some important omissions. The hardest part of technology may very well be learning what advice to trust.

(Credit: Belkin)

The article says "Most new laptop and desktop computers have built-in wireless networking..." New desktop computers with built-in wireless networking? Not the ones I've seen.

It warns that "...if you are using an old computer you may have to buy a wireless network adapter." True enough, but they come in multiple form factors (PC card, Express card, PCI and USB), an important point that is not mentioned.

It says that "..a printer may ... require a wireless networking adapter."

Networking a printer that does not do networking on its own requires a print server. As far as I know, there is no such thing as a wireless networking adapter for a printer. And the print server does not need wireless networking at all: a wired/Ethernet print server can connect to a router and make any printer available to a WiFi based laptop computer.

As for the initial router configuration, the article says "... follow the instructions that came with your router and use the installation CD. If you have a desktop computer that will always be in the same room as your modem or router, run the CD on that computer. Otherwise run the CD on your newest computer."

Newest computer? I can't even guess where this came from. Initial router configuration should be done using an Ethernet connection and any computer that can read CDs and has an Ethernet port will do.

Ethernet came up again in the discussion of adding a password to a WiFi network that doesn't have one. The article says "If you aren't prompted to do this while setting up your network, you'll need to connect a computer to your router via an Ethernet cable ..."

Ethernet is not required. You can connect to the router using the wireless network and make changes to the router this way, including adding or changing the password for the WiFi network. Most likely, after adding/changing the password, the router will re-start itself and you'll have to connect to the wireless network again, using the new password.

Connecting directly to the router requires knowing its IP address. If you don't know it, the article suggests a Google search for the default IP address used by the manufacturer of the router. This is not the best approach. For one, default IP addresses may change over time. For another, your router may not be using the factory default IP address. Your computer always knows the IP address of the router; any computer running TCP/IP knows this. In Windows, open a command prompt and type "ipconfig". The IP address of your router is referred to in the output as the "Default Gateway".
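A worked example, added here and not part of the original post, of reading the router address the way the paragraph describes: it parses a constructed sample of Windows `ipconfig` output and returns the Default Gateway of every connected adapter, skipping adapters that report "Media disconnected". The sample text and adapter names are made up.

```python
from typing import Dict, List

# Constructed sample of `ipconfig` output (not a real capture). One adapter
# is unplugged; the wireless adapter is the one that knows the router.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.7
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Map each adapter name to its {field: value} pairs."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace() and line.endswith(":"):
            # Adapter header, e.g. "Ethernet adapter Wireless Network Connection:"
            current = line[:-1].strip()
            adapters[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            # Drop the ". . . ." leader that ipconfig pads field names with
            adapters[current][key.replace(".", "").strip()] = value.strip()
    return adapters


def router_addresses(adapters: Dict[str, Dict[str, str]]) -> List[str]:
    """Default Gateway of every adapter that is actually connected."""
    gateways = []
    for fields in adapters.values():
        if fields.get("Media State", "").startswith("Media disconnected"):
            continue  # no link, so no gateway worth reporting
        gateway = fields.get("Default Gateway", "")
        if gateway and gateway != "0.0.0.0":
            gateways.append(gateway)
    return gateways


if __name__ == "__main__":
    print(router_addresses(parse_ipconfig(SAMPLE_IPCONFIG)))  # ['192.168.1.1']
```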

Before attempting to connect to a wireless network, the article warns that "you'll have to make sure that the computer's wireless connection is turned on or that your adapter has been installed and set up."

First of all, that's an "and" not an "or". If either of those conditions is not met, the computer won't connect to any wireless network. And just what was meant by a wireless network connection being turned on? It could refer to the switch on the outside of the laptop computer that controls the wireless radio. It might refer to the definition of the wireless network being enabled rather than disabled. It might refer to a host of things.

The instructions for connecting to an existing wireless network are not the most useful. Quoting: "On Windows computers, look in the Control Panel to enable wireless connectivity and search for available networks."

If you get as far as trying to connect to a wireless network, the article says "You will be asked to choose the type of security setting (WEP, WPA etc) and enter the network key." Windows XP users that let Windows control the WiFi connection are not asked to choose the type of security. Windows is smart enough to figure out the type of security being used all by itself. And, an article targeted at a general audience has to point out that "network key" means "WiFi password".

Omissions

The article left out a number of important issues.

The Sun Sentinel version of the story says nothing about choosing WEP, WPA or WPA2 when configuring a new network. It turns out the Sun Sentinel removed this sentence from the original story: "There are several levels of security you can add to your network, but one of the most basic is to choose a security setting such as "WEP" or "WPA" and generate network keys. If possible, use WPA."

Even with this sentence, however, WPA is not at all secure if you choose a short password or use a word in the dictionary. When it comes to WPA, you should think in terms of pass sentence rather than password. The recommendation is to use at least a 20 character password. Steve Gibson offers great 64 character passwords.

Many people share a single broadband Internet connection but don't need to share files between their computers. If that's the case for you, you're much better off turning off File and Printer sharing in the definition of the wireless network and/or the wired network connection.

The article doesn't mention changing the default password for the router itself. This has nothing to do with the WiFi network, instead it controls all access to the router for the purpose of making configuration changes. I blogged about this in March, see Defending your router, and your identity, with a password change.

Finally, the article didn't even include the word firewall. Discussing wireless networking without mentioning firewalls borders on malpractice.

If you are in south Florida, you may want to complain to the newspapers. Otherwise, you'll get more of the same.

Note: One of the earliest postings I wrote on this blog, back in July 2007, was about steps to take in preparation for networking failures. See The blinking lights on a router are talking to you.


May 11, 2008 5:14 PM PDT

A word of warning about 'free' public Wi-Fi

by Michael Horowitz

I recently found myself in an airport terminal with a laptop and time to kill. Not knowing what the Wi-Fi options were, I let Windows XP search for available wireless networks. As you can see below, one of the networks was called "Free Public WiFi". If this happens to you, don't connect to a network like this.


The first two networks are each labeled "Unsecured wireless network". Fine. But the Free Public WiFi network is described by Windows as an "Unsecured computer-to-computer network". As the name implies, this network connects to a computer run by a total stranger somewhere nearby in the terminal.

Normally, wireless networks are created, run, and governed by a router. But, two Wi-Fi-enabled computers can talk directly to each other without the need for a router-based network. Another term for this type of network is "ad-hoc". Personally, I've never needed or used an ad-hoc computer-to-computer network.

How unusual are computer-to-computer networks? I live in Manhattan, surrounded by large apartment buildings. At home, my laptop picks up 28 wireless networks. Not one of them is a computer-to-computer network.

Why would someone set up a computer-to-computer network in an airport terminal? Most likely, it is good for them and bad for you. For one thing, the network name seems a bit too obvious. Who, in an airport terminal, doesn't want free public Wi-Fi? It's like asking a child if they want candy.

I always configure laptops to only connect to router-based networks and suggest you do so, too. Windows XP has a configuration option, shown below, that controls the type of networks it talks to.


You get to this window with: Control Panel -> Network Connections -> Wireless Networks tab -> Advanced button. Router based networks are referred to as "infrastructure" or "access point" networks.

Knowing that my laptop wouldn't connect to an ad-hoc network, I tried it anyway. The result is the warning shown below.


Unfortunately, lots of software competes to control the Wi-Fi connection on laptop computers. In the examples above, Windows XP was controlling the network. Your laptop may have software from the company that made the computer controlling the wireless network. Or, your Wi-Fi environment may be controlled by software from the company that made the Wi-Fi adapter hardware or by an outside party altogether. This other software may or may not have an option to avoid computer-to-computer networks. If it doesn't, hopefully it will at least identify the type of network it detects.

Update May 14, 2008: For an explanation of where some of these computer-to-computer networks come from see Free Public WiFi SSID. The important point here is that when you are looking through the list of available wireless networks, you should be on the lookout for ad-hoc computer-to-computer networks as opposed to normal, router-based (infrastructure) networks. If the software you use to scan for available networks does not indicate the type of network, you may want to use different software. As more people become aware of this particular network name, a bad guy may simply use another enticing name.
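An added example, not from the original post, of the check the post asks for: given a scan listing that states each network's type, flag ad-hoc (computer-to-computer) and unsecured networks and list the ones the XP "access point (infrastructure) networks only" setting would still offer. The listing is constructed; its layout is modelled on the text form of `netsh wlan show networks` on later Windows versions, which is an assumption, since an XP-era tool prints something different.

```python
from typing import Dict, List

# Constructed scan listing (not a real capture). Whatever scanner you use,
# the field that matters is the one that says "Infrastructure" or "Adhoc".
SAMPLE_SCAN = """
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : Airport Terminal B
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 3 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
"""


def parse_scan(text: str) -> List[Dict[str, str]]:
    """One dict per network, keyed by lower-cased field name plus 'ssid'."""
    networks: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("SSID "):
            _, _, ssid = line.partition(":")
            current = {"ssid": ssid.strip()}
            networks.append(current)
        elif current is not None and line.startswith("    ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip().lower()] = value.strip()
    return networks


def concerns(network: Dict[str, str]) -> List[str]:
    """What a Defensive Computing reader would want flagged before joining."""
    found = []
    if network.get("network type", "").lower() in ("adhoc", "ad-hoc", "ibss"):
        found.append("computer-to-computer (ad-hoc): run by a nearby machine, not a router")
    if network.get("authentication", "").lower() == "open":
        found.append("unsecured: nothing on the air is encrypted")
    return found


def infrastructure_only(networks: List[Dict[str, str]]) -> List[str]:
    """SSIDs the XP 'access point (infrastructure) networks only' setting keeps."""
    return [n["ssid"] for n in networks
            if n.get("network type", "").lower() == "infrastructure"]


def report(text: str) -> Dict[str, List[str]]:
    """SSID -> list of concerns for every network in the listing."""
    return {n["ssid"]: concerns(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for ssid, issues in report(SAMPLE_SCAN).items():
        print(ssid, "->", issues or "no concerns")
```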


January 19, 2008 4:33 PM PST

Ethernet connections in a hotel room are not secure

by Michael Horowitz

I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.

Beats me why major newspapers don't hire computer techies to write about computer topics. Even worse, neither newspaper has the computer nerds on staff review articles for technical mistakes. Puzzling.

With that in mind, today's topic is an article about Wi-Fi security by Joseph De Avila that appeared on page D1 of the Wall Street Journal on Wednesday January 16th. See Wi-Fi Users, Beware: Hot Spots Are Weak Spots.

The vast majority of the article is well done, but not the last paragraph. It offers the following advice from someone named John King, who "... avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that's the only means available, but only if he's sure of the signal. 'I won't go on a wireless access point that I'm not confident in,' he says."

Who can argue with the main point being made here, that wired Internet connections are safer than wireless?

I can. Or, perhaps more to the point, Steve Gibson of GRC, SpinRite and the Security Now podcast would if he were writing this blog.

Before going into the technical aspects, let's start with the people. The Wall Street Journal describes Mr. King as "... a 46-year-old engineer from Livermore, Calif., [who] works for a company that mines computers for evidence in legal cases. He travels a lot for business..." Nothing about this description makes me think Mr. King is a networking security expert.

As for Steve Gibson, I have enough of a technical background in the subject, and have listened to enough of his Security Now podcasts, to confidently state that he is a networking security expert. I doubt that any of my fellow nerds would disagree.

The Important Part

The critical point here is that a wired Ethernet connection is not necessarily a safe haven from the insecurity of Wi-Fi wireless networks.

Exhibit A supporting this claim is Episode #29, Ethernet Insecurity, of Steve Gibson's Security Now podcast. (transcript, 64K audio, 16K audio). This podcast, which explains the security problems inherent in a wired Ethernet network, was a huge eye-opener to me when I first heard it.

By way of background, Ethernet is a set of hardware and software rules/standards/protocols that computers on a Local Area Network (LAN) use to communicate. Ethernet used to have competition in the marketplace, but those days are over.

While the term LAN may invoke a small network, such as that in a house or apartment, a LAN can encompass an entire building, such as a hotel. When you plug a computer into an Ethernet jack in a hotel room, you are on the same network as all the other guest rooms. And that can be dangerous.

As Steve Gibson explained in the podcast, the Ethernet protocol was designed long ago. Before the Internet. Before security was on anyone's radar screen. "Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..." he said.

The explanation of the vulnerabilities gets somewhat technical and includes terms such as ARP, MAC addresses, IP addresses, malicious ARP replies, NICs, man-in-the-middle attacks, ARP Poison Routing, ARP spoofing, sniffing and promiscuous mode. In simple terms, a bad guy can get in the middle of all Internet conversations (us nerds call this "traffic"). Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged.

As Steve put it "... one bad person in a hotel could arrange to, without much work, literally intercept all the traffic going to and from the hotel's gateway so that all of the email conversations, all of the traffic of any sort that is being transacted by every other hotel guest, they're able to monitor and intercept."

I don't think the danger can be overstated. Wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections.
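The point in the preceding paragraphs is that on a shared hotel LAN anyone can answer ARP requests for the gateway's address. An added example, not from the post or the podcast, of the defender-side check: watch the IP-to-MAC bindings seen in ARP replies and alert when a binding changes, loudest when it is the gateway's. The reply sequence is constructed; the addresses are made up.

```python
from typing import Dict, List, NamedTuple


class ArpReply(NamedTuple):
    ts: float   # seconds since the watch started
    ip: str     # sender protocol address (who claims to be this IP)
    mac: str    # sender hardware address


# Constructed sequence of ARP replies seen on a shared LAN (not a capture).
# The gateway answers from one MAC; later a second station also answers
# for the gateway's address, which is what a man-in-the-middle looks like.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:55"),
    ArpReply(1.0, "10.0.0.23", "aa:bb:cc:dd:ee:01"),
    ArpReply(2.0, "10.0.0.1", "00:11:22:33:44:55"),
    ArpReply(5.0, "10.0.0.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(6.0, "10.0.0.23", "aa:bb:cc:dd:ee:01"),
]


class ArpWatch:
    """Track IP-to-MAC bindings and flag changes, the gateway's above all."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, reply: ArpReply) -> None:
        mac = reply.mac.lower()
        known = self.bindings.get(reply.ip)
        if known is not None and known != mac:
            # A binding moved. For the gateway this means every packet
            # leaving the LAN may now pass through someone else's machine.
            # A replaced router or a failover pair also does this, so an
            # alert is a prompt to check, not proof of an attack.
            severity = "CRITICAL" if reply.ip == self.gateway_ip else "WARNING"
            others = sorted(ip for ip, m in self.bindings.items()
                            if m == mac and ip != reply.ip)
            msg = f"{severity} t={reply.ts:.0f}s: {reply.ip} changed from {known} to {mac}"
            if others:
                # The same hardware already answers for another address:
                # a guest's machine now also claiming to be the gateway.
                msg += f" (that MAC also answers for {', '.join(others)})"
            self.alerts.append(msg)
        self.bindings[reply.ip] = mac


def run_watch(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Feed a reply sequence through the watch and return its alerts."""
    watch = ArpWatch(gateway_ip)
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_REPLIES, "10.0.0.1"):
        print(alert)
```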

And Ethernet is not the only weak link in the security chain. The podcast describes software that can decrypt some normally encrypted data. "And in some cases, where you have weakly authenticator protocols, like Windows Remote Desktop that really doesn't provide any kind of authentication, man-in-the-middle and complete decryption attacks are easily performed. I mean, it is really bad," said Steve Gibson.

I first listened to this podcast episode while traveling to another city where I was planning on using a wired Ethernet connection in my hotel room. The podcast scared me to the point that I installed a VPN on my laptop. VPNs, while typically used by large corporations, are available to anyone and are the best protection from this sort of thing.

If anyone you know ever intends to use a wired Ethernet connection at a hotel, then tell them to read this posting. And get a VPN.

You don't read PC magazine for mutual fund advice, and you shouldn't read the Wall Street Journal for computer advice.

Update. February 18, 2008: For more on this see Defending against insecure hotel networks with a VPN.



November 25, 2007 6:40 PM PST

'60 Minutes' on TJX computer security

by Michael Horowitz

I just finished watching Leslie Stahl do a piece called "Hi-Tech Heist" on 60 Minutes in which she describes the theft of credit card and other personal information from TJX. These are a couple quick Defensive Computing thoughts on the subject.

I can't imagine using a credit card at T.J. Maxx, Marshall's, Bob's Stores or any of the other stores owned by TJX. In the 60 Minutes piece, the focus was on the poor Wi-Fi security and keeping sensitive customer information for much too long. But, after the hackers got into the Wi-Fi network, they were able to get to the master database of customer information, meaning that there were many other security problems along the way.

And, as was mentioned in the story, the bad guys poked around the internal TJX computers for about a year and a half without getting noticed. The word inexcusable doesn't begin to describe the many security problems. Unless I hear that TJX has laid off people responsible for computer security, they will never see a credit card of mine again.

The story ends on a happy note, TJX has upgraded all their Wi-Fi to use the newer, better type of encryption known as WPA. But this is far from the end of the story. It may not be well known, but WPA encryption can be good or bad.

Because it is vulnerable to a brute force attack, the crucial point is the length of the password. A short password, or a word in the dictionary, offers no better security than the much maligned WEP encryption. But a really loooooooooong password is very secure. WPA supports passwords up to 63 characters long. You can think of it as a "pass sentence" rather than a password.

The WPA password only needs to be entered once on each computer, so there is no excuse not to use a long password. If you can't think of one yourself, then Steve Gibson has a Web page that will generate long passwords.
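An added example (not from this post or the earlier one on the Sun Sentinel article, both of which make the same point) showing why passphrase length is the whole story for WPA-PSK: the network key is derived from nothing but the passphrase and the SSID, so a checker that enforces the 8 to 63 character limit, the post's recommended 20 character minimum, and a dictionary test is the control that matters. The derivation follows IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations); the word list is a constructed stand-in.

```python
import hashlib
from typing import List

# Constructed mini-dictionary standing in for a real word list.
COMMON_WORDS = {"password", "letmein", "wireless", "netgear"}


def passphrase_problems(passphrase: str, min_length: int = 20) -> List[str]:
    """Reasons a WPA-PSK passphrase is weak; an empty list means it passes.

    8..63 printable ASCII characters is what WPA/WPA2-Personal accepts;
    min_length=20 is the post's own recommendation, not a protocol rule.
    """
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    if len(passphrase) < min_length:
        problems.append(f"shorter than the recommended {min_length} characters")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("dictionary word: no better than WEP in practice")
    return problems


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-Personal (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit key.

    The 4096 iterations slow each guess, but they cannot rescue a short
    or dictionary passphrase, which is why the post says length is the
    crucial point. Only the passphrase and the SSID go in.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    print(passphrase_problems("password"))
    print(passphrase_problems("the router in the kitchen closet hums"))
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
```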

The WPA encryption may also be turned off if a WEP-using computer joins the network. Many consumer grade routers can do either WEP or WPA but not both at the same time.

Finally, if WEP is still being used at retailers, as the story pointed out, then online purchases may very well be more secure than brick and mortar.

Update: Robert Vamosi of CNET wrote an interesting story on this in his Security Watch column, What's behind retail data breaches.


Update November 25: A reader comment mentioned WPA-PSK and WPA2 Enterprise. Let me explain the terms. The simplest way of using WPA encryption involves a single password for the entire network. It is entered once when configuring the router and once at each computer accessing the wireless network. This mode of operation is called "Pre-Shared Key" or "PSK" or "Personal" and is what I was referring to.

Companies with the necessary technical skill can use WPA in such a way that each user gets his or her own password. The software that validates passwords is a RADIUS server. This mode of operation has multiple names. An old Belkin router calls it simply "WPA with Radius Server"; it has also been called "WPA Enterprise" and "server-based infrastructure mode".


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
