Wireless security settings

Many of us use wireless for our home connections and some at our jobs, so I thought this would be of interest. There was recently an announcement that WPA encryption had been cracked. Later, it was more specifically narrowed to WPA using the pre-shared key method or WPA-PSK. This is the primary wireless encryption security method available without some type of authentication server or digital certificate method, and is used in most homes and small businesses. The good news is that the "crack" is not as bad as it seems. The crack is aimed at the pre-shared key portion of the authenticating transmission. The PSK is what get's you started in the WPA link, though the actual encryption keys keep changing. It's kind of like a password. The crack is simply a brute force dictionary attack on the PSK, which is user generated. If you use a regular word, or combination of words as your PSK, it will almost certainly be vulnerable. The answer is, like any other password, to make it as long, complex, and random as possible. The maximum length is 32 characters, and 12 ASCII characters using letters, numbers, upper case, and punctuation should be used at a minimum. The computing power and time needed to crack a truly random 32 character ASCII PSK key is phenomenal. So there's no need for the average home user, or even average business to be terribly concerned as long as they use a sufficiently complex PSK along with standard security measures on the PC's, like a properly configured firewall, an NTFS filesystem, limited administrative access, changing or disabling the default "administrator" account, individual accounts with changing passwords, etc.

Most wireless routers offer MAC address filtering. This is the only security method I've used and it's near impossible to defeat.

Every network connection device, whether it's a USB Wireless connection, built-in wireless, or built-in hardwired LAN port, has a MAC Address. This is a unique code that identifies that specific piece of hardware. If you buy 2 of the same device, each will have a different MAC address.

Just log in to your wireless router (be sure to change the SSID name and most importantly - CHANGE THE PASSWORD), and enable MAC Address filtering. Enter the MAC Address of each device and assign each a name. (The name does not have to match the name you originally assigned the computer.) Be sure to apply or save changes and reboot your router.

To get the MAC address for your network device:

1. In Windows, click "Start", then "Run".
2. Type in cmd , and hit Enter
A black window (DOS box or command prompt) will appear.
3. Type in ipconfig /all (note: there is a space before the slash, but not after)
4. Scroll through the info that appears. You will have one or more entries titled "Ethernet adapter Local Area Connection". There might be a number at the end.
Three lines down will be the "Physical Address". That is the MAC Address. Typically, when you enter it in your router's filter tool, you won't type the dashes or colons.

I even have my router's SSID (name) set to broadcast for maximum compatibility. It's never been hacked, even though I suspect the kids in both houses next door have tried.

lol. I remember being bored one night and just driving around town seeing who's wireless network I could access. I think out of the 20 or so connections I had one of the people changed their admin password from the default.

Quote:

---

Originally Posted by LungJian

Most wireless routers offer MAC address filtering. This is the only security method I've used and it's near impossible to defeat.

Every network connection device, whether it's a USB Wireless connection, built-in wireless, or built-in hardwired LAN port, has a MAC Address. This is a unique code that identifies that specific piece of hardware. If you buy 2 of the same device, each will have a different MAC address.

Just log in to your wireless router (be sure to change the SSID name and most importantly - CHANGE THE PASSWORD), and enable MAC Address filtering. Enter the MAC Address of each device and assign each a name. (The name does not have to match the name you originally assigned the computer.) Be sure to apply or save changes and reboot your router.

To get the MAC address for your network device:

1. In Windows, click "Start", then "Run".
2. Type in cmd , and hit Enter
A black window (DOS box or command prompt) will appear.
3. Type in ipconfig /all (note: there is a space before the slash, but not after)
4. Scroll through the info that appears. You will have one or more entries titled "Ethernet adapter Local Area Connection". There might be a number at the end.
Three lines down will be the "Physical Address". That is the MAC Address. Typically, when you enter it in your router's filter tool, you won't type the dashes or colons.

I even have my router's SSID (name) set to broadcast for maximum compatibility. It's never been hacked, even though I suspect the kids in both houses next door have tried.

---

I hate to break it to you, but MAC address and IP cloning are not difficult. As a matter of fact, most home network equipment now has the capability built in. A linksys wireless router or access point can be set as a wireless bridge or client and it has an option for you to enter the MAC address you wish to use. This is primarily meant to be used in a constructive way.

Packet sniffing is the problem. A packet sniffer will capture every bit of information in a packet and show it to the user. Unencrypted radio transmissions broadcast all your information for anyone with a reciever to hear. Now mind you, it is another lock on the door that someone has to break through, but it's no effective secuirity system.

Quote:

---

Originally Posted by drew_goring

lol. I remember being bored one night and just driving around town seeing who's wireless network I could access. I think out of the 20 or so connections I had one of the people changed their admin password from the default.

---

Most folks have no clue, and don't care to get one either. No amount of talking is going to change things. A year or two back, our auditors were able to crack most of our passwords from the encrpted files with a simple dictionary attack. After all the talk about password security and complexity being important, most people still used simple words and names. They also liked to use the same password for everything, including their online shopping! Talk about begging to be hacked! We had to force password resets and force password complexity on the applications that supported it. Boy did folks ever get annoyed! You could hear the crying for miles!

Linksys has a new function now called SES (Secure Easy Setup). When setting up the router with the CD, it automatically sets up WPA for you if you'd like. This will only allow that one PC access, but for the end users completely ignorant of wireless security technology, it will at least allow them to have a secure network.

True, it's easy enough to clone MAC's. Due to the fact you can't have 2 of the same MAC's addresses on a network, windows has 2 different ways to go in and manually change you MAC. I rely more on securing my computers. Keeping personal information secure and encrypted when possible. Getting past the router should be just the first defense. You should always make sure your PC or MAC is protected.

Quote:

---

Originally Posted by Kenyth

Most folks have no clue, and don't care to get one either. No amount of talking is going to change things. A year or two back, our auditors were able to crack most of our passwords from the encrpted files with a simple dictionary attack. After all the talk about password security and complexity being important, most people still used simple words and names. They also liked to use the same password for everything, including their online shopping! Talk about begging to be hacked! We had to force password resets and force password complexity on the applications that supported it. Boy did folks ever get annoyed! You could hear the crying for miles!

Linksys has a new function now called SES (Secure Easy Setup). When setting up the router with the CD, it automatically sets up WPA for you if you'd like. This will only allow that one PC access, but for the end users completely ignorant of wireless security technology, it will at least allow them to have a secure network.

---

My neighbor doesn't have his secured and hasn't even changed the default password on his router. I've had to manually block him to keep my laptop from connecting to his network. I usually don't use my wireless unless I'm not going to be working at my desk. I'm not paranoid, just not that lazy. I have to plug everything else in, what's one more cable. :)

Quote:

---

Originally Posted by cigargirl

True, it's easy enough to clone MAC's. Due to the fact you can't have 2 of the same MAC's addresses on a network, windows has 2 different ways to go in and manually change you MAC. I rely more on securing my computers. Keeping personal information secure and encrypted when possible. Getting past the router should be just the first defense. You should always make sure your PC or MAC is protected.

---

Layered security! That's the ticket! Currently, we have wireless access at our branches. After breaching the rotating encryption, hackers will find themselves with absolute unresticted access to our............ inernet connection. :smiley12:

Yes, after all that trouble, they will still be on the public side, completely out of our private network!

Does anyone really care to packet-sniff your porno downloads or emails to your mother? My main concerns are neighbors jumping on my wireless for free (intentionally or not) and sucking up my bandwidth. If I see duplicate entries for one MAC address, I'll tighten up security. Sounds like I'm already ahead of the game with MAC filtering. AND... I never use the default password! :smiley20:

Hey LungJian-

This is some great info you're sharing, and you're obviously quite savvy in the technological world, but I was wondering: who the fuck are you?

This is generally a cigar board, and while there are a lot of different areas of discussion, we generally like it if a person who comes into our community and sets up shop tells us a little bit about themselves: what cigars they like, how long they've smoked cigars, how often they smoke cigars (seeing the theme here)? At the very least, how about heading into one of the cigar related sections and introducing yourelf?

Peace.
Heftysmokes

Quote:

---

Originally Posted by LungJian

Does anyone really care to packet-sniff your porno downloads or emails to your mother? My main concerns are neighbors jumping on my wireless for free (intentionally or not) and sucking up my bandwidth. If I see duplicate entries for one MAC address, I'll tighten up security. Sounds like I'm already ahead of the game with MAC filtering. AND... I never use the default password! :smiley20:

---

Well, you certainly are one step ahead by doing anything at all, but the main point here isn't, "Does someone want to?". It's, "If someone does.". Of course any deterrent is better than none and even the weakest deterrent is good enough for the casual passer-by. As far as packet sniffing goes, you bet hackers will sniff packets. They don't have to run through them by hand. They have software to analyse the gathered data. It doesn't take much time and effort at all if you know what you're doing and have the correct tools. If people will sniff packets just to break WEP keys and use your wireless for fun, they'll clone your MAC and IP too.

I have just set up a wireless access point??!? It was an Invensys. I had all kinds of issues setting it up, but finally got it going . I have yet to figure out the security setup.

After reading Drew's post, I really need to get on that !!! Can someone actually get into my hard drive throught the WAP?

Jason

Quote:

---

Originally Posted by Satchmo

I have just set up a wireless access point??!? It was an Invensys. I had all kinds of issues setting it up, but finally got it going . I have yet to figure out the security setup.

After reading Drew's post, I really need to get on that !!! Can someone actually get into my hard drive throught the WAP?

Jason

---

Possibly, depending on your setup.

The main problem, as mentioned before, is people stealing your bandwidth and maybe even using your network to cause mischief and do illegal things. It makes them untracable.

An usecured wireless router with an unsecured computer means that, at the very least, anyone can join your network and use any network shares. If you have an administrative root share available on your PC, they may have access to your entire HDD contents! From there, they could wreak havok. Maybe put a keylogger on the PC and capture passwords, credit card numbers, etc.

New wireless devices come with certain security features enabled by default, to help protect the technically challenged, but if you do any type of sensitive activity on your PC (including on-line purchases), you'll want to make it as secure as possible.

Packet sniffing can capture all the clear text you exchange with the internet. Most sites use HTTPS for secure transactions, ensuring sensitive data is encrypted at one level at least. Many lesser sites use clear text for basic password access though, and if you're in the habit of using the same name and password for everything, you can see the problem.

I did not realize that having the wireless network unsecured was that bad. It's like picking up the soap in prison, you could get screwed!!!

I'll have to make another attempt on password protecting that network. I'm sure one of you good ol' boyz could provide a pointer if I end up with a meltdown again :smiley5:

Quote:

---

Originally Posted by Satchmo

I did not realize that having the wireless network unsecured was that bad. It's like picking up the soap in prison, you could get screwed!!!

I'll have to make another attempt on password protecting that network. I'm sure one of you good ol' boyz could provide a pointer if I end up with a meltdown again :smiley5:

---

Like I said before, I recommend using WPA-PSK. For the ASCII pre-shared key use a long nonsensical string of letters, numbers, and punctuation marks. There's other stuff too, but that's your best first option. Do not give out your pre shared key to anyone you wouldn't trust with a full set of your house and car keys.