PDA

View Full Version : Home Wireless Gateway security


davidh
May 24th, 2010, 09:36 PM
FYI FWIW
Tip of the Day - Home Wireless Gateways
Share |
Published: 2006-08-20,
Last Updated: 2006-08-21 20:40:03 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Today's tip focuses on small office/home office (SOHO) wireless routers.

...
As far as encryption goes, WEP is better than nothing and will deter most wardrivers. If someone wants to crack your WEP then it's because they want "your" network and not just "a" network. WAP, TKIP and other encryption systems are better, but you may not have compatability with all wireless computers. MAC authentication will slow down an attacker, but also isn't bullet proof. Then again, security is a measurement of risk: for most homes, WEP + MAC filtering is more than good enough.

Your other tips, like disabling the SSID broadcast, limiting DHCP hosts, and changing default settings is right on the money. Also, add in: disable Wifi configuration from the Wifi network (if your router has that option), set a non-trivial admin password on the router, and disable ping-from-WAN (good for all routers).
http://isc.sans.org/diary.html?storyid=1620

I just bought a Netgear Wirless G USB adapter for one of my PC's.

I've played around enuf with the router/gateway config that I understand more or less what they're talking about here.

Haven't really tried all this since it does take some time and for now I get by with ethernet cable only.

davidh
May 24th, 2010, 09:44 PM
One thing I don't like about my old gateway / router is that it does not seem to want to let me get the gateway of the ISP by DHCP and hard code the DNS to opendns.com.

So I have to set DNS in the computers individually or else use the DNS offered by the ISP.

sidney
May 25th, 2010, 02:18 AM
Regarding WEP, unless you have an ancient computer or ancient wireless card that you have to use on the wireless network, it is quite unlikely that you have any reason to use WEP instead of WPA. And that should be WPA2, not the earlier WPA. See the Wikipedia article http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access section "Security & Insecurity in pre-shared key mode" for a short clear exposition on this.

It is true that someone would have to target your network to break WEP, but it wouldn't be very difficult if someone did decide that your WiFi box is the one they feel like going after.

Jeff
May 25th, 2010, 11:33 AM
It is true that someone would have to target your network to break WEP, but it wouldn't be very difficult if someone did decide that your WiFi box is the one they feel like going after.

So if they got mine, what would they get? Why should I be concerned about it? I also have a software firewall in play on the computer..

- Jeff

davidh
May 25th, 2010, 12:33 PM
So if they got mine, what would they get? Why should I be concerned about it? I also have a software firewall in play on the computer..

- Jeff

They could read the contents of what you send an receive of the wireless connection.

However, they might not be able to read your ID's and passwords since those usually are encrypted by SSL IN ADDITION TO WEP. For example, when you log on to read web mail, the logon is encrypted by SSL. Google mail has an option to encrypt the whole web mail session, not just the log on.

Google is also in the process of adding an option to Google searches to encrypt both the queries and the results.

Firewalls don't encrypt. One thing they do do :) is block some ports such as those which Windows uses for file and printer sharing (NETBIOS). Assuming you don't want to share your files on your PC with the rest of the world :)

davidh
May 25th, 2010, 12:42 PM
FWIW, Even tho' cables are clumsy, they don't burn electric the way a USB adapter would and a 25ft. ethernet cable is probably cheaper than an adapter.

I bought a couple 6ft. ethernet cables for $1 ea. at DollarTree :) and a $1 one ear headset there once too. I don't see them stock 'em now tho'.

davidh
May 25th, 2010, 04:23 PM
Australia minister attacks 'creepy' Google in Web row
AFP
Australia minister attacks 'creepy' Google in Web row DDP/AFP/File – Australia's communications minister has called Google's privacy policy "a bit creepy" …
Tue May 25, 1:48 am ET
...
Stephen Conroy said Google had committed the "single greatest breach in the history of privacy" by collecting private wireless data while taking pictures for its "Street View" mapping service, and dismissed claims it was an accident.:D

davidh
April 24th, 2011, 03:47 PM
NY case underscores Wi-Fi privacy dangers
AP
By CAROLYN THOMPSON, Associated Press – 54 mins ago

BUFFALO, N.Y. – Lying on his family room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.

That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.

"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."

"No, I didn't," he insisted. "Somebody else could have but I didn't do anything like that."

"You're a creep ... just admit it," they said.

Law enforcement officials say the case is a cautionary tale. Their advice: Password-protect your wireless router.
http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning :eek:

davidh
December 30th, 2011, 10:16 PM
Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability
Published: 2011-12-30,
Last Updated: 2011-12-30 03:19:11 UTC
by Raul Siles (Version: 1)

Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 - available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN. The vulnerability was reported by Stefan Viehböck and more details are available on the associated whitepaper. In reality, it acts as a "kind of backdoor" for Wi-Fi access points and routers.

The quick and immediate mitigation is based on disabling WPS. Your holiday gift for the people around you these days is to tell them to disable WPS. ...
http://isc.sans.edu/diary/Wi-Fi+Protected+Setup+WPS+PIN+Brute+Force+Vulnerabili ty/12292
Wi-Fi Protected Setup [WPS]
From Wikipedia, the free encyclopedia ...
Security issues
In December 2011, US-CERT (vulnerability VU#723755) reported a design flaw that makes brute-force attacks significantly easier to perform against Wi-Fi networks which have Wi-Fi Protected Setup enabled which can allow an unauthorized computer to gain access to the Wi-Fi network. The only effective workaround is to disable Wi-Fi Protected Setup[4]. Note that routers made before 2007 lack the Wi-Fi Protected Setup feature and its associated security hole. ...
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Security_issues I hope this might help somebody out there.

P.S. My router is over 6 years old, so I don't have to worry about this. Anyway I turned off Wi-Fi in my router because it has only WEP and on top of that there is a bug in the router security that makes the router crash when all the steps (settings) mentioned earlier in this thread, to increase security, are taken. I figured it would be a lot easier just to use ethernet cable, instead of trying to download and install (flash) new software from the vendor into the router flash memory.