Author Topic: PSA: Wireless security  (Read 3564 times)

Offline scottws

  • Gold Member
  • Posts: 6,604
    • Facebook Me
PSA: Wireless security
« on: Wednesday, August 29, 2012, 06:38:00 AM »
Although everyone here is at least somewhat technologically proficient, I thought I would post some info to help you keep yourself secure.

http://arstechnica.com/security/2012/08/wireless-password-easily-cracked/

The gist of the article and comments:

  • Use WPA2 + AES.  Do not use WPA.  Do not use WPA/WPA2 mixed or hybrid mode.  Do not use TKIP or TKIP + AES.  And for the love of all things holy do not use WEP.  If you are using an older security mechanism to support legacy devices that don't support WPA2 + AES, upgrade those devices, use an external or upgraded network adapter that does support it, or don't use those devices on the wireless network.  My stepson complains all the time that he can't connect his Nintendo DS to our wireless, but I just tell him too bad.  If your wireless router or access point or repeater doesn't support WPA2 + AES, throw it out and get a new one that does.  If you are using an ISP supplied modem/router/access point/switch all-in-one device that doesn't support it, ask the ISP for an upgrade or see if there is a way to put it into bridged mode (so it just acts as a modem) and use your own device.
  • Use a very long passphrase.  Since it is rare to have to enter this, make it 20+ characters.  It is a passphrase: it should not be a single dictionary word in any language, even if you use l33tspeak to obfuscate the word with numbers or symbols like th1$ (this).  Use both upper and lowercase characters (and use uppercase characters where they would not normally be expected), use numbers, and use symbols.  Ideally, it should be something that even someone who knows you very well wouldn't be able to guess ever (don't use your kids' names and birthdays or things like that).  I suggest using something like PWGen to generate a random passphrase.  You can create a QR code and print it out that mobile devices with cameras can scan to capture the passphrase easily for guests.
  • Disable Wi-Fi Protected Setup (WPS).  WPS is something that helps novices get secure wireless set up, but we all know what we are doing.  Even if you don't know what you are doing with wireless security, disable this and get someone who does know to help.  WPS is actually the major vulnerability in otherwise relatively secure home and small office wireless networks.  You could be using good wireless security practices overall only to be completely undermined by WPS.  It should be noted that some devices don't actually disable WPS even if you set them to disabled.  If you own one of these, you should at the very least make sure you are on the latest firmware, which may correct the flaw.  You may also speak to the vendor, look into purchasing another device that isn't affected, or see if it supports custom firmware like dd-wrt that would most likely correct the problem by either handling it correctly or not supporting WPS at all.  Get a different device if none of these solves the issue.
  • Change the factory default SSID to something else. WPA2 + AES uses the SSID as a salt for generating the passphrase hash.  If you are using the default SSID, it has a well-known salt and it will exist in rainbow tables. Rainbow tables exist that help speed up the brute force attack process for devices using the default SSID (because those are then commonly known salts).  Using a non-default SSID makes rainbow tables far less effective.
  • Don't bother hiding the SSID.  This is not really a security feature and would only really stop the average person from trying to associate with your access point.  Hiding an SSID is simply a way to not advertise the network to wireless clients.  It doesn't really do anything to actually hide the wireless network from eavesdroppers.  A hidden SSID can still be easily gleaned using freely available traffic sniffing tools, so it doesn't really do anything to stop someone who is trying to break into your wireless network.  Some people theorized that hiding your SSID might actually indicate you are a security novice and make you more of a target.  In fact, hiding your SSID makes you less secure in certain situations:  devices (including mobile phones) that have stored associations with hidden wireless networks will constantly broadcast out the SSIDs of those hidden networks when they are not associated.  Though unlikely for the average individual, this information can be captured by miscreants who then could use that information to see what places you frequent or for other types of espionage.
  • Don't bother using MAC address filtering.  Like hiding your SSID, this is not a useful security feature.  Associated MAC addresses can be retrieved via sniffing, and this information is sent over the air unencrypted.  All an attacker has to do is clone one of the MAC addresses that are seen to be associated to the access point.  All MAC address filtering does is make it harder to manage your own network.  The only time I could see it being useful is if you had to have an open, unencrypted network for some reason and wanted to prevent the average person from being able to connect to the wireless network.
« Last Edit: Wednesday, August 29, 2012, 09:50:57 AM by scottws »
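
As an added example (not part of the original post or the linked article), the checklist above can be written as an audit over hostapd-style settings, with the WPA2-PSK key derivation alongside to show the SSID acting as the PBKDF2 salt. The hostapd option names are real; the sample configs, the short default-SSID list and the function names are constructed for illustration.

```python
import hashlib
import string

# Illustrative sample of factory-default SSIDs (assumption, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comment lines."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text):
    """Return one finding per setting that goes against the checklist in the post."""
    c, findings = parse_conf(text), []
    if c.get("wpa") != "2":
        findings.append("wpa: WPA or mixed mode enabled, want wpa=2 (WPA2 only)")
    # With rsn_pairwise unset, hostapd falls back to wpa_pairwise (default TKIP).
    if (c.get("rsn_pairwise") or c.get("wpa_pairwise") or "TKIP").split() != ["CCMP"]:
        findings.append("cipher: pairwise ciphers must be CCMP (AES) only, no TKIP")
    if any(k.startswith("wep_") for k in c):
        findings.append("wep: WEP keys configured")
    if c.get("wps_state", "0") != "0":
        findings.append("wps: WPS is enabled")
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("ssid: factory default, so the PBKDF2 salt is widely known")
    pw = c.get("wpa_passphrase", "")
    kinds = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if len(pw) < 20 or not all(set(pw) & set(k) for k in kinds):
        findings.append("passphrase: want 20+ chars with upper, lower, digits, symbols")
    if c.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden-ssid: no security gain, clients probe for it elsewhere")
    if c.get("macaddr_acl", "0") != "0":
        findings.append("mac-filter: no security gain, MACs are visible unencrypted")
    return findings

# Constructed sample configs: typical weak settings vs. the post's recommendations.
WEAK = """
ssid=linksys
wpa=3
wpa_pairwise=TKIP CCMP
wpa_passphrase=sunshine1
wps_state=2
ignore_broadcast_ssid=1
macaddr_acl=1
"""
HARDENED = """
ssid=ExampleHomeNet
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=q7#Vd!2mZp@9xLw$4Tn&Rk
wps_state=0
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), derive_pmk("password", "IEEE"), sep="\n")
```

The same passphrase yields a different master key under every SSID, which is why a precomputed table is only useful against the SSID it was built for.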

Offline Cools!

  • Administrator
  • Veteran
  • Posts: 1,628
  • Let's burn.
Re: PSA: Wireless security
« Reply #1 on: Wednesday, August 29, 2012, 08:18:21 AM »
Great advice.

Back in the day when I was still learning about this I used to crack neighbours' passwords for the heck of it. It was really easy. A lot of people didn't even bother changing the default password.

Offline Cobra951

  • Gold Member
  • Posts: 8,934
Re: PSA: Wireless security
« Reply #2 on: Wednesday, August 29, 2012, 09:03:55 AM »
I hear you, and you're right.  Then again, to follow your good advice, I would have to throw my mother's adapter, my Nintendo Wii and maybe even my router out the window.  I check my DHCP clients list regularly.  If I ever see someone else leeching broadband, I may just have to clean house, if I can find the money to do it.  Hasn't happened yet.

No one is getting access to the systems here regardless.  Absolutely nothing is shared on the network.  If I want to transfer a program across PCs, I'll walk it over on a thumbstick.

Offline scottws

  • Gold Member
  • Posts: 6,604
    • Facebook Me
Re: PSA: Wireless security
« Reply #3 on: Wednesday, August 29, 2012, 09:12:16 AM »
You don't have to follow any of this advice.  Just know that if you don't, your wireless network is trivially easy to crack by anyone with the right applications.

How scary is that?  I would say for the average person running a wireless network at home this usually means that someone might either try to just see if they could do it or try to steal your Internet connection.  If they are going after your Internet connection, maybe they are doing so just because they are cheap but probably because they want to do something that is illegal.  In terms of the common reasons for cracking a wireless network, probably the worst cases would be someone downloading child porn over your Internet connection and the FBI comes and confiscates all your devices on which files can be stored or coordinates a terrorist attack and then you have DHS breaking down your door.  I imagine in both those worst-case scenarios you would eventually be absolved of all wrongdoing, but there certainly would be embarrassment and short-term life disruption.  And even if you were innocent, the damage could be long-term: how many employers would hire you after the HR screener finds a local news article about you via a Google search saying that you were arrested for allegedly downloading child porn or participating in the planning of a foiled (or worse: realized) terrorist plot?

Less likely - but still a possibility - would be a direct attack on devices in your LAN to retrieve potentially sensitive data or to make it part of a botnet.  Note that not sharing anything via SMB to Everyone* is just one part of that.  Attackers could use any number of known vulnerabilities in Windows, other operating systems, or system or application services running on a networked device to attack host machines and devices to gain access regardless of whether or not anything is shared.  Sometimes it's just a matter of sending a malformed packet to a certain port that has a service listening on it that has a known vulnerability to such packets.

How likely is any of this to happen to the average individual at home?  Such statistics are impossible to know but I would say there is safety in numbers and it is probably not very likely to happen to any one person.  But there is still a risk.

Also, controlling DHCP is not a comprehensive security mechanism.  What about people that use a static IP?  I know that if I successfully hacked into someone else's home or small office wireless network that is the first thing I would do.  Even if I show up as having a leased address the first time I gain entry, the chances that someone at the average household or small office is checking the DHCP logs every few days are almost non-existent and my lease will simply expire and I won't show up there anymore.  So while checking DHCP logs regularly is a good security practice in general, it 1) only helps you discover potential breaches after-the-fact and 2) it doesn't really show you all computers that might be associated in a wireless network.

I am in charge of our Nessus security scans at work, and it's actually pretty scary how many vulnerabilities there can be in a network and how many new ones pop up all the time.  We had a server that had over 140 individual high-risk or critical vulnerabilities at one point and many of them could be remotely exploited and would result in total control of the machine if exploited.  Honestly you could go crazy with this security vulnerability stuff.  But you should shoot for the low-hanging fruit at least:  close obvious security holes that can be easily changed via settings, upgrade device firmware, and patch your operating system(s) and applications regularly.  For the average home network, it really isn't all that difficult to do these things.  It's just a matter of education and time, and maybe some money in certain cases.  Like everything else with computer and network security, the first step is to get educated on the risks, the second step is to evaluate the risks in the context of your environment, the third step is to decide how much risk you are willing to accept, and the fourth step is to take the appropriate measures based on the decisions.  For me, I certainly don't want to leave my door unlocked and find out the hard way.

I know the education is the hard part for most people, because you don't know what you don't know until someone tells you, you stumble upon it on your own, or you actively seek knowledge in an area.  And that's exactly why I took just a little bit of time out of my day to put this thread out here.  Unless you haven't bought any wireless devices since 2004, these things are all really easy to do, you just have to know about them first.  Well... I concede that if a bunch of your kids' stuff can't connect to the wireless network, that can be kind of a pain to hear about all the time.  The really tech-savvy ones might even go in and undo these changes if you don't make it hard for people to get into the admin interface.

As far as comments about specific devices, you don't have to throw your Wii away, just don't connect it to the wireless network (do you even use the wireless functionality?).  I'll have to go back and correct some of the stuff to make it more clear in that sense (Edit: Just checked and I already said an option is to not use them, but I added "on the wireless network" for clarity).  But if your mom has a router that doesn't even support WPA2 + AES, yes it is time for that thing to go.

* It is safe to have SMB shares on an up-to-date Windows or Linux system.  Just use appropriate permissions to lock the shares down.
« Last Edit: Wednesday, August 29, 2012, 10:45:37 AM by scottws »
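
The point above about static addresses, as an added example that is not part of the original post: comparing the router's neighbor (ARP) table with its DHCP leases surfaces hosts that never asked for a lease. The dnsmasq-style lease lines and `ip neigh` output are constructed sample data, and the function names are hypothetical; as the thread notes, this only detects after the fact, and a client that clones a known MAC and takes its lease will not stand out.

```python
import re

# Constructed sample: dnsmasq-style lease file (expiry, MAC, IP, hostname, client-id).
LEASES = """\
1346251200 02:00:00:00:00:01 192.168.1.100 desktop *
1346254800 02:00:00:00:00:02 192.168.1.101 laptop *
"""

# Constructed sample: `ip neigh` output as seen on a Linux-based router.
NEIGHBORS = """\
192.168.1.100 dev br0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.101 dev br0 lladdr 02:00:00:00:00:02 STALE
192.168.1.150 dev br0 lladdr 02:00:00:00:00:99 REACHABLE
192.168.1.200 dev br0 lladdr 02:00:00:00:00:02 REACHABLE
192.168.1.102 dev br0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17}) (\S+)")

def parse_leases(text):
    """Return {mac: ip} for every lease line."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            leases[fields[1].lower()] = fields[2]
    return leases

def parse_neighbors(text):
    """Return (ip, mac) pairs for entries that resolved to a MAC and are not FAILED."""
    seen = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3) != "FAILED":
            seen.append((m.group(1), m.group(2).lower()))
    return seen

def unleased_hosts(lease_text, neigh_text):
    """Hosts present on the LAN whose MAC/IP pair is not backed by a DHCP lease."""
    leases = parse_leases(lease_text)
    report = []
    for ip, mac in parse_neighbors(neigh_text):
        if mac not in leases:
            report.append((ip, mac, "no DHCP lease for this MAC"))
        elif leases[mac] != ip:
            report.append((ip, mac, "address differs from leased " + leases[mac]))
    return report

if __name__ == "__main__":
    for row in unleased_hosts(LEASES, NEIGHBORS):
        print(*row)
```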

Offline Quemaqua

  • Old salt
  • Administrator
  • Forum god
  • Posts: 16,498
  • Don't touch the panda.
    • Bookruptcy
Re: PSA: Wireless security
« Reply #4 on: Wednesday, August 29, 2012, 12:42:14 PM »
Good post. I was doing WPA+AES, which I didn't even realize. Think I'm all set now.

"Flashes of genius and below-average technique, huh." Kacho Arino

Offline Cobra951

  • Gold Member
  • Posts: 8,934
Re: PSA: Wireless security
« Reply #5 on: Wednesday, August 29, 2012, 01:11:16 PM »
OK, man.  I got it the first time, and I even thought of the child-porn issue.  (I did not think of terrorism, though.)  We also don't have guard towers or machine guns, so a successful home invasion is also a possibility.  But I'm not going to lose sleep over that either.  :P

Kidding aside, I think any IP going through the router is going to show up on the active table.  I will look into that, to make sure I can get a complete picture of what is connected at any given time.

OK, there are also 2 logs, one incoming and one outgoing.  I have now enabled those, and I will check them regularly.

Offline scottws

  • Gold Member
  • Posts: 6,604
    • Facebook Me
Re: PSA: Wireless security
« Reply #6 on: Wednesday, August 29, 2012, 02:48:40 PM »
Yeah obviously no network is 100% secure.  If someone wants to get in, they will get in.  Same with home invasions (rocket launchers could probably disable your towers and gun turrets).  The only way to prevent access would be to disable the computer network and then really what's the point of having a network at all?   ;D

My goal here was just to give people some easy stuff they could do to make their wireless network vastly more secure than it might currently be and that they might not have known about before.  Even I, a seasoned IT professional, was not aware of the WPS issue until I read the article I linked to.  Whatever everyone does with that knowledge is of course up to them.

Offline Xessive

  • Gold Member
  • Posts: 9,920
    • XSV @ deviantART
Re: PSA: Wireless security
« Reply #7 on: Wednesday, August 29, 2012, 10:05:38 PM »
Yeah, that magic little button.. of doom. I never really understood why that level of "convenience" was ever necessary, I mean how complicated is it to type a passphrase?

I understand that some people don't know their way around tech, like my parents, but even they understand the simplicity of "please enter the password to connect to..."

Offline Cobra951

  • Gold Member
  • Posts: 8,934
Re: PSA: Wireless security
« Reply #8 on: Thursday, August 30, 2012, 05:36:21 AM »
Quote from: scottws (Reply #6)
> Yeah obviously no network is 100% secure.  If someone wants to get in, they will get in.  Same with home invasions (rocket launchers could probably disable your towers and gun turrets).  The only way to prevent access would be to disable the computer network and then really what's the point of having a network at all?   ;D

. . .

:D

That's it.  I can spend all kinds of time and money on this, and still end up getting hacked.  I don't have the resources of a bank, and they get hacked.  My advantage is that so few people know I exist, or care that I do.  The odds are strongly in my favor in this sleepy neighborhood.  If that ever changes, so will my security measures, which right now are admittedly crappy.

My 192.168.1.100 local address looked very lonely in my outgoing log last night . . .

Offline scottws

  • Gold Member
  • Posts: 6,604
    • Facebook Me
Re: PSA: Wireless security
« Reply #9 on: Thursday, August 30, 2012, 08:55:04 AM »
Quote from: Xessive (Reply #7)
> Yeah, that magic little button.. of doom. I never really understood why that level of "convenience" was ever necessary, I mean how complicated is it to type a passphrase?
>
> I understand that some people don't know their way around tech, like my parents, but even they understand the simplicity of "please enter the password to connect to..."

Well, I sort of do feel bad for the SOHO wireless router vendors.  They have no way of knowing what devices a customer wants to connect to the wireless network and what sort of security methods those devices support.  But they don't really want to invite a bunch of support calls into their call centers either by setting the security too high and the customers' devices won't connect.

That's why they used to default to open networks.  But the average individual has no idea about wireless security and didn't realize anything was amiss until they got cease-and-desist letters from their ISP about copyright infringement.  So it seems now a balance is being struck.  Most newer SOHO wireless access points I've seen default to WPA/WPA2 hybrid mode with TKIP+AES encryption.  This is generally broadly compatible with any device made since 2003-2004 and is much more secure than WEP encryption.  The problem is that WPA + TKIP has had security flaws exposed and is pretty weak nowadays.  Not nearly as bad as WEP, but not good either.

The problem is that the average individual just isn't savvy enough to get all this set up on their own.  They don't know how to log into the web interface of their router and even if they did they probably wouldn't know what to do with all the settings there.  Even if they found the wireless security settings, they wouldn't know what the consequences of the various settings are.  I don't know how WPS works, but I guess it was a way to address that.

Really what the manufacturers of these devices should do is default to WPA/WPA2 hybrid with TKIP+AES, print the default SSID and passphrase on the device (which should ideally be different for every device) and then capture HTTP traffic and redirect to a wizard web page running on the device that helps the users get set up more securely.  That way, the users don't really have to figure out how to get into the web interface or what settings they should change in there.   Instead it would be more geared to the average person and ask simple questions that help them get set up with better security.  It's not perfect, but it is probably the best they can do if they don't want to help each person get set up on the phone yet still try to get them set up with the best security.
« Last Edit: Thursday, August 30, 2012, 09:19:30 AM by scottws »

Offline Xessive

  • Gold Member
  • Posts: 9,920
    • XSV @ deviantART
Re: PSA: Wireless security
« Reply #10 on: Thursday, August 30, 2012, 11:43:00 AM »
Yeah, it's a tough situation when the customers just aren't tech-savvy enough to properly use the tool they purchased.

I liked D-Link's approach where the quick-install instructions explain that on first-time setup to connect a PC via cable and load up the bundled CD, which would autorun the first-time-setup wizard (set password, wireless settings, etc.) and finish in one go. Sadly that suffered much like Ikea instruction manuals: left neglected or tossed out with the trash.