Using A Safety Net (Wireless) Part 1

When networks were all wired, you’d know exactly who was on your network because they’d be connected by a cable to your switch. Unless someone snuck a 200 foot cable out your window, you could rest pretty soundly knowing that you and your family were the only users on the network.

With wireless, your neighbor’s teenage son (never did trust the kid. . .) could be sneaking into your files, or that strange, white unmarked van across the street could be spying on you. Maybe I’m just getting paranoid. Or am I?

Knowing Your Network

If you want to defend your network, then you need to understand how it’s put together. Each component has different properties and is defended differently. You can look at your network as if it were made up of two parts:

♦ The Internet connection

♦ All the stuff on the inside, like your computers

The next sections cover each of these in turn.

Protecting the Internet connection

What happens on your Internet connection is your responsibility. If someone on your network does something bad, willingly or unwillingly, then the Internet service provider has your name on their billing records and will talk to you first. If cops get involved, you get the first interview.

Problems are not unheard of. Consider the following scenarios:

♦ ISPs sometimes implement a cap on the amount of data that can be transferred on a given connection as part of the monthly rate, after which they charge a fee based on usage. Most people will never touch this cap, but if someone were to use your connection to download movies all month, you could blow past this limit without knowing.

♦ You’ve been following the advice in this topic about keeping your computer safe, but the person borrowing your Internet connection hasn’t. They get infected, their computer becomes a zombie, and the next thing you know you can’t send e-mail because your provider has turned off your e-mail because of spam complaints.

♦ A scammer finds that they can use your Internet connection if they park their car across the street. They use it to commit fraud, and the police get involved. The ISP traces the messages back to your address.

Although the scenarios may seem far-fetched, they have happened.

I’m not saying you can’t share your Internet connection with your neighbor, or that you should rigorously inspect everyone’s computer that enters your door. You can still lock down your network and share the password so that just your neighbor gets on while keeping the bad guys out. If the neighbors aren’t that computer savvy, maybe you could lend them this topic (or better yet, get them their own copy!).

War driving

War driving is a play on a pre-Internet activity called War Dialing. In War Dialing, someone dials every phone number in a particular range of telephone numbers, looking for computers that answer instead of humans. This technique used to be very effective at finding unprotected computers because the systems administrators used to use dial-in modems as a way to remotely manage their systems and were often not very thorough in their security practices.

If you’ve ever seen the movie War Games you’ll recognize this. If you haven’t, you should look it up. Despite being over 25 years old it’s still a great flick!

War driving involves driving around a city with a computer and a wireless card, looking for open (or easily crackable) wireless networks. It’s been refined to the point where you can tie in a GPS unit and end up with a map of all the networks, with the exploitable ones highlighted.

The bad guys will use war driving to find open access points they can use and abuse. Make sure you’re not on their list!

Hackers versus crackers

Throughout this topic and others, I might use the terms hacker and cracker. You’ve probably heard the term hacker before and have heard it being used in the context of a bad guy trying to break into your computer.

The word hacker has a long and distinguished history, however. Hackers were the people that advanced computer science not by exploiting weaknesses and doing harm, but by using their intelligence to pull off feats of skill (called hacks). Hackers would build computers out of spare parts or come up with brilliant ways around limitations.

As other intelligent people used their skills for evil, the media applied the name of hacker to them. These are the bad guys: the people writing software to steal information, or coming up with ways to game systems to their advantage.

It’s insulting to the hacker community to associate these bad people with them, so we use the term cracker, much as in a safe cracker.

In this topic, I don’t have the need to refer to people in the hacker sense, so I’ll just use cracker, attacker, or, even better, bad guy.

There’s a third class of people that I’ll call researchers. These people try to find weaknesses in systems in the name of improving them. They’re trying to break the security systems before the crackers do, so that the systems can be fixed. These guys are on your side.

Unfortunately, the public nature of research means that the crackers eventually learn about the problems and use them to their advantage.

The stuff on the inside

Your network may include your computers, video game consoles, and maybe a file sharing device or two. If someone can connect to your wireless network, then they can connect to your computers and file storage servers.

More sophisticated attackers can pretend to be your gateway and force all your Internet use through their computer using a process called spoofing. Anything you look at on your computer is passed through the attacker’s computer. Even though your bank uses encryption when you view their Web page, you still have to be careful to make sure that the attacker isn’t feeding you bad information.
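One practical way to notice the gateway-impersonation trick described above is to watch your computer’s own ARP (neighbor) table: if the gateway’s IP address suddenly answers from a different hardware address, or that hardware address is also claimed by another machine on the LAN, someone may be sitting in the middle. The following is an added example, not code from this topic or from any router vendor; it parses constructed `ip neigh`-style snapshots (labelled as such) and reports those two conditions. The function and variable names are my own.

```python
import re
from typing import Dict, List

# Matches one line of "ip neigh" output, e.g.
# "192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev \S+ lladdr (?P<mac>[0-9A-Fa-f:]{17})"
)

# Constructed snapshots (not real captures). BASELINE is the normal state;
# in SUSPICIOUS the gateway address has started answering from the same
# hardware address that 192.168.1.23 uses.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.50 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""
SUSPICIOUS = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.23 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.50 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""


def parse_neighbors(text: str) -> Dict[str, str]:
    """Return {ip: mac} for every parseable line of a neighbor-table dump."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def check_gateway(snapshot: str, gateway_ip: str, expected_mac: str) -> List[str]:
    """Compare the gateway entry in a snapshot against the MAC you recorded
    when the network was known to be clean; return a list of findings."""
    findings: List[str] = []
    table = parse_neighbors(snapshot)
    expected_mac = expected_mac.lower()
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"gateway {gateway_ip} is missing from the neighbor table")
        return findings
    if seen != expected_mac:
        findings.append(f"gateway MAC changed: expected {expected_mac}, saw {seen}")
    # Whatever MAC now answers for the gateway should not belong to another IP too.
    owners = [ip for ip, mac in table.items() if mac == seen]
    if len(owners) > 1:
        findings.append(f"MAC {seen} is claimed by several addresses: {owners}")
    return findings


if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("suspicious", SUSPICIOUS)):
        print(name, check_gateway(snap, "192.168.1.1", "00:11:22:33:44:55"))
```

The expected MAC has to come from a moment when you trust the network (for example, read it off the router’s label or admin page), because a check that learns its baseline from the first snapshot it sees would happily learn the attacker’s address.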

Your computers have files on them that you’d probably rather keep private. You may not have anything to hide, but you still don’t want to share all your files with people. Tax returns? Letters to the lawyer? If you wouldn’t stick it to your front door, then it’s worth spending some time to protect.

People from the Internet

So far I’ve been talking about people trying to get into your home network over the wireless connection. There are also people trying to get in from the Internet. Fortunately your firewall blocks any connections from the outside coming in, unless you deliberately turn that feature off. Don’t do that!

Most of the attackers coming from the Internet are computer programs that are scanning your service provider’s network, looking for vulnerable hosts. Your firewall protects you against these scans because it only allows connections that your computers make out to the Internet and not new connections from the Internet to the inside of your network.

All that said, if you run a program that’s got a virus in it, all bets are off. We talk about getting anti-virus protection in the next topic.
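To make the firewall behaviour from the last two paragraphs concrete, here is an added example (mine, not code from this topic or any router firmware) that simulates a home router’s stateful filter: traffic leaving the LAN is remembered, replies to it are let back in, and anything else arriving from the Internet is dropped unless you have deliberately forwarded that port. The packet model, class names and sample traffic are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# Hypothetical packet model: only the fields a stateful filter looks at.
@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HomeFirewall:
    """Default-deny inbound. Inbound traffic passes only when it belongs to a
    connection a LAN host opened, or hits a port the owner forwarded on purpose."""

    def __init__(self, forwarded_ports: Optional[Set[int]] = None):
        self.flows: Set[Tuple[str, int, str, int]] = set()
        self.forwarded_ports: Set[int] = set(forwarded_ports or ())

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the connection so its replies can come back in.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.flows:
            return "ALLOW"      # reply to something a LAN host started
        if pkt.dst_port in self.forwarded_ports:
            return "ALLOW"      # the hole you opened deliberately
        return "DROP"           # unsolicited inbound, e.g. a scanner


# Constructed sample traffic using documentation address ranges, not real hosts.
SAMPLE: List[Packet] = [
    Packet("out", "192.168.1.20", 50123, "203.0.113.10", 443),   # PC opens HTTPS
    Packet("in",  "203.0.113.10", 443, "192.168.1.20", 50123),   # web server replies
    Packet("in",  "198.51.100.7", 41000, "192.168.1.20", 445),   # scanner probes SMB
    Packet("in",  "198.51.100.7", 41001, "192.168.1.20", 3389),  # scanner probes RDP
]


def run(packets: List[Packet], forwarded_ports: Optional[Set[int]] = None) -> List[str]:
    """Feed packets through a fresh firewall and return the decision for each."""
    fw = HomeFirewall(forwarded_ports)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("default:           ", run(SAMPLE))
    print("port 3389 forwarded:", run(SAMPLE, {3389}))
```

Running it with the default settings lets the HTTPS request and its reply through and drops both probes; forwarding port 3389 turns the second probe into an ALLOW, which is exactly the "deliberately turn that feature off" case the text warns about.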

Choosing Wireless Security

Wireless networking, by nature, involves throwing your data over the airwaves and hoping only the recipient is the one listening. As more people used wireless, more important information was carried over the air. As more important information was sent, the incentive for people to try and listen to it increased. As people tried to listen, the engineers in charge of the wireless standards tried to keep up.

Here’s a summary of the wireless security protocols available to you.

WEP

When 802.11 was introduced by the Institute of Electrical and Electronics Engineers (IEEE) in 1997, the standard called for vendors to optionally provide security through Wired Equivalent Privacy (WEP). WEP encrypted the data that was sent over the radio so that people listening in couldn’t read it without the key.

WEP had some problems from the start. The key used to decrypt the data was static, meaning it never changed. To get on a WEP-protected network, everybody had to share the same key. As you can imagine, it became easy to figure out the key because it often got posted to the wall so people wouldn’t forget it.

Secondly, the United States had some rather peculiar regulations at the time dealing with the export of encryption capable products to other countries. Back in 1997, encryption fell under the International Traffic in Arms Regulations (ITAR), which regulated the export of weapons out of the country. You couldn’t export missiles, nuclear weapons, night vision goggles, and any encryption the government couldn’t break.

As such, WEP went out the door with pretty weak encryption, even for 1997. But it was all we had. Some people used it, some people didn’t.

Fast-forward a few years, and people are starting to look closely at the security of WEP. The U.S. government relaxed its position on encryption, and WEP was upgraded to something less embarrassing. However, some researchers found that by listening to enough traffic you could deduce the shared key. As people poked deeper into WEP, they found that even less traffic was needed, and you could even cause the access point to generate it if the clients weren’t generating traffic. The time to crack a WEP key is now down to a minute, even with the stronger encryption in use.

Yes, you heard me right. Someone can listen to a WEP-protected network and have the key before you even notice they’re there. With the right antenna, they could be farther away.

This isn’t going to do. Something better is needed.

WPA

The IEEE started work on the 802.11i standard, which dealt with wireless security. As usual, trying to get a bunch of engineers to agree on something takes its time, so the Wi-Fi Alliance took some of the in-progress work from 802.11i and came up with the Wi-Fi Protected Access standard (WPA).

WPA solves the key problems that were the downfall of WEP with a protocol called the Temporal Key Integrity Protocol (TKIP). TKIP’s job is to rotate keys constantly so that the problems WEP had won’t happen again.

WPA had a major constraint in that it was intended to run on older access points by means of a firmware upgrade. This was because WEP was so broken that the industry wanted to protect access points in the field. Therefore WPA uses some of the same encryption techniques as WEP, just implemented in a better fashion.

WPA also introduced the concepts of a pre-shared key mode (PSK) and an enterprise mode. PSK mode requires a key that’s known to all participants in the wireless network, just like WEP. Enterprise mode allows you to use your enterprise login credentials to log in to the wireless network, eliminating the need for a shared key.

Even though enterprise mode is better security, it requires servers and services that people at home just don’t have. The acronyms and standard names required to implement this mode are astounding. So, you’ll always want to use PSK mode if you’re ever given the option.

WPA was a significant improvement upon WEP. Eventually, researchers found ways to mess with WPA networks. WPA is not as completely broken as WEP, but it is possible to inject packets into a WPA-protected network. With this ability, an attacker could still redirect the entire network’s traffic through a computer of his choosing.

WPA2

Third time’s the charm, right?

The IEEE finally finished 802.11i, and the Wi-Fi Alliance called it WPA2. The Alliance also made implementation of WPA2 a mandatory part of Wi-Fi compatibility testing. Without WPA2, vendors couldn’t put the Wi-Fi logo on the box.

WPA2 got rid of TKIP and went with the Advanced Encryption Standard (AES), the same standard the U.S. government uses for protecting its secrets. The earlier WPA standard was also revised to allow AES to be used instead of TKIP.

To date, there are no direct attacks against WPA2. That hasn’t stopped people from trying, though!

Even though the bad guys can’t exploit weaknesses in WPA2, they can try to guess your password. So pick a good one!

Deciding what to choose

If you’re setting up a wireless network, you want to be using WPA2. Most access points have a mode that allows both WPA2 and WPA to be used. If you have older clients that only support WPA, then this mode will work.

It’s easy enough for me to say "use WPA2" when you’re setting up your own network, but what about when you use other people’s networks?

Hotel networks generally have no encryption or security at all. Anyone can connect and anyone can read the packets in the air; this is usually called open mode or an open network. Access to the network is usually protected by a captive portal, which intercepts you when you first start using the Internet, and only lets you through after you’ve registered.

Captive portals provide no protection for you; they’re there only for the convenience (and usually, profit margin) of the hotel.

Connecting to these unprotected networks is okay as long as you’ve protected your computer and realize that anything you send over the network is visible to anyone. Browsing the Web is fine.

WEP should be considered in the same boat as an open network.

Exploring Network Security Features

As technology advances, the CPUs going into routers get faster and faster. The processing power required for the basic routing and firewalling is negligible, so there’s ever increasing room left for more features.

You’d think that manufacturers would cut back and put the bare minimum CPU in, but the way the industry works is that older chips cost more to buy, so it ends up being cheaper to put more oomph inside the box.

Most manufacturers have several features in common, though some may implement them slightly differently. Some features are handy, some not so much, and some will completely expose your computer to Internet attackers. In the following sections, I identify when and where you’d want to use them.

Understanding the SSID and password

The network name (SSID), password, and security protocol (such as WPA2) are your first line of defense against attackers. You’ve seen earlier how WPA2 is currently the best protocol to use, and you probably gathered that the password is important.

The only known way to break into a WPA2 PSK (pre-shared key) network is to guess the password. The crackers know this and have come up with ways to guess passwords at incredible speeds.

The WPA/WPA2 key that encrypts all the data in the air is derived from both the password and the SSID. One of the optimizations the crackers use is to pre-compute these keys by using a list of popular SSIDs and popular passwords.

If you make sure that your SSID is unique, such as the name of your street, your pet’s name, or something else unique, perhaps followed by a number, you’ll be sure to stay off this list.

The most important thing to do is to choose a complex password. If you’re using Wi-Fi protected setup (WPS), you don’t even have to remember it!

Figure 2-1 shows where you configure the SSID, protocol, and password for the network.

Search the Internet for "top 1000 ssids" and you should find, surprisingly enough, a list of 1000 of the most common SSIDs out there.

With a unique SSID and an unguessable password, the crackers will have to find another way in!
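The reason a unique SSID keeps you off the precomputed lists is that WPA and WPA2 Personal derive the master key with PBKDF2, using the SSID as the salt, so a table built for "linksys" is useless against "MapleStreet-42" even when the password is identical. The following is an added example of mine, not code from this topic or from any vendor: it performs that standard derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, as specified in IEEE 802.11i), enforces the 8-to-63 printable-ASCII passphrase rule, generates a random passphrase from the operating system’s secure random source, and applies the SSID and password advice above as a small checklist. The COMMON_SSIDS set is a constructed stand-in for the "top 1000 SSIDs" lists, and the function names are my own.

```python
import hashlib
import secrets
import string
from typing import List

# WPA/WPA2-Personal derive the 256-bit Pairwise Master Key (PMK) from the
# passphrase and the SSID with PBKDF2-HMAC-SHA1, 4096 iterations. The SSID
# is the salt, which is why a precomputed table only works for one SSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Constructed stand-in for the "top 1000 SSIDs" lists mentioned in the text.
COMMON_SSIDS = {"linksys", "default", "NETGEAR", "dlink", "home", "wireless"}


def validate_passphrase(passphrase: str) -> None:
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA-Personal key derivation: PBKDF2(passphrase, salt=SSID)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def same_password_differs_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the SSID alone changes the key for an identical password."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the OS CSPRNG, kept inside the WPA length limits."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    alphabet = string.ascii_letters + string.digits + "-_.!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess_network(ssid: str, passphrase: str) -> List[str]:
    """Hypothetical checklist for the SSID and password advice in the text."""
    findings: List[str] = []
    if ssid in COMMON_SSIDS:
        findings.append("SSID is on the common-SSID list: precomputed tables apply")
    if len(passphrase) < 16:
        findings.append("passphrase shorter than 16 characters: easier to guess")
    return findings


if __name__ == "__main__":
    pw = generate_passphrase(24)
    print("generated passphrase:", pw)
    print("PMK for SSID 'linksys'       :", derive_pmk(pw, "linksys").hex())
    print("PMK for SSID 'MapleStreet-42':", derive_pmk(pw, "MapleStreet-42").hex())
    print("findings for a weak setup    :", assess_network("linksys", "password1"))
```

Because the derivation runs 4096 rounds of HMAC-SHA1, each guess costs the attacker real work; a unique SSID denies them the shortcut of doing that work once for everybody, and a long random passphrase makes the remaining guessing space too large to search.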

Figure 2-1: Configuring the SSID, password, and protocol.

Using advanced wireless settings

When wireless first came out and the low-strength version of WEP was all that was available, people came up with a few methods to increase the security of their network.

Security is always a tradeoff between protection and convenience. As you add more security measures, it becomes more complex to use whatever it is you’re protecting.

And so, too, it is with wireless. Two ideas that people came up with were

♦ Hide the existence of the SSID

♦ Find the hardware addresses of the machines you want to connect and only let those in

With today’s technology, both of these are poor protections against attack. Not only do they make your wireless network terribly inconvenient for you to use, but they don’t improve your security.

On the surface, hiding your SSID makes some sense. Your wireless access point broadcasts its network name periodically so that your computer can know when it should connect. Turning off this feature means that someone driving by won’t know the access point is there and won’t try to break into it.

The problem with this is that it is still possible to deduce the presence of a wireless network because of the wireless traffic. After that, there are various ways to figure out the SSID.

The second idea involves making a list of the hardware addresses of the wireless cards and telling the router to only allow those addresses to use the network. Figure 2-2 shows the properties of a wireless card. The hardware address is the same as the physical address.

Figure 2-2: Showing the hardware address of a wireless NIC.

Not only is it a pain to administer, but spoofing a MAC address is trivial. Spoofing in this example means that the attacker is using your MAC address instead of his; your access point is none the wiser.

Browse to Wireless Settings to see where these features are configured (See Figure 2-3). The Enable SSID Broadcast controls whether or not your SSID is broadcast. Click the Setup Access List button to set up the MAC addresses that can connect.

These features don’t do much to protect your network but do cause serious usability concerns. At one point, using these features was a requirement for companies transmitting credit card data over wireless networks, but the requirement was dropped in late 2008 because the tradeoff wasn’t worth it. If even the credit card companies don’t think it helps security, then it’s not worth doing.

Figure 2-3: Advanced wireless settings.

So why did I even bring it up? If you do some reading on the Internet, you may come across a page talking about it. I wanted to make sure you knew the reasoning and history behind the recommendation and the tradeoffs involved.
