75 Comments
- eddiddiums, on 10/12/2007, -0/+20 It should be noted that a lot of those will keep your neighbor from using your bandwidth for bit-torrent, but why would any network security guy think that any of those would protect their business? How do these people get their jobs?
- Progranism, on 10/12/2007, -1/+17 Promote city wide Wi-Fi: Unsecure Your Networks!
- Wootery, on 10/12/2007, -0/+15 "WEP is a waste because of the packet overhead."
No, WEP is a waste because you can crack it in ten minutes.
- rastan, on 10/12/2007, -3/+18 Could we please stop the WEP bashing? WEP stands for wired equivalent privacy. ITS GOAL WAS NEVER TO BE A SECURITY SYSTEM. All it was meant was a simple way to add a small layer of privacy to prevent people from accidentally stumbling onto your network. Essentially, giving you the *WIRED EQUIVALENT* to an unencrypted ethernet cable.
Dumbasses who use it as an actual security system are using WEP *not* how it was originally intended. That's like using telnet to send credit cards and password information and then bitch that the connection wasn't encrypted. IT WASN'T DESIGNED TO DO THAT.
Rant over. End Transmission.
- Ultim8Fury, on 10/12/2007, -3/+17 Secure your Wi-Fi. Turn it off and install Cat5 throughout the building.
- theone3, on 10/12/2007, -1/+14 MAC addresses can be very easily spoofed.
Encryption packet overhead is irrelevant when you have a 54mbps connection to a ~4mbps cable modem, and the overhead is not that large anyway!
I suggest you turn on WPA (WEP has been cracked), and grab a passphrase from https://www.grc.com/passwords.htm
- jasonwc, on 10/12/2007, -0/+9 I don't understand why WPA-PSK is consistently attacked for being weak due to the possibility of dictionary attacks. Nearly any system that relies on passwords is vulnerable to a dictionary attack. Wireless security is one of the areas where there is no need to remember the password. There is absolutely no threat to writing the password down because if your attacker can get into your home, then the least of your problems is wireless security. Secondly, there is no need to remember wireless passwords. You generally save the password on the machine so that wireless login is as transparent as wired access. This is only a problem if your attacker has physical access to your machine or it has been remotely compromised and again - if this happens, you have other problems to worry about. When you run the Windows Zero Configuration utility and set a password Windows asks you if you would like to copy the passphrase to a USB key to copy onto your other wireless computers. There's absolutely no need to remember the password.
Create a randomly generated 64 character alphanumeric passphrase, save it on your key, set up wireless on your various machines and then securely wipe it off the key. GRC even offers a website with randomly generated passphrases which are unique per user for those who don't want to do this on their own and Broadcom has added a utility which does this as well for their APs. This seems like a non-issue to me. People aren't creating strong passwords because they're lazy but that doesn't make WPA-PSK flawed. There are no known attacks against WPA-PSK other than offline dictionary attacks. If you create a long, complex password,
- FuzzyCat, on 10/12/2007, -0/+8
Well, technically, not telling us you're using a 63 character passkey would be a little more secure, since if you hadn't mentioned it we'd have had to try all lengths up to 63... ;)
- qwerty967, on 10/12/2007, -1/+8 @xaviel
WPA is only vulnerable if you use a weak passphrase. Using a strong passphrase such as one generated at https://www.grc.com/passwords.htm makes your network resistant to attempts to break in with brute force attacks.
- thalee, on 10/12/2007, -2/+8 I think the Article goes just a LOT overboard.
If we're talking about a corporate LAN where data security and integrity are key I agree 100%
If we're talking about a home network trying to keep your neighbors off, I wholeheartedly disagree.
I live in an apartment complex and can see 13 different networks if I walk out to my balcony. Most have signals below the threshold for my Airport card to see them, but my wireless sniffer sees them just fine. MOST of these networks are 100% open. My system requires MAC address authentication and does not broadcast SSID.
I have yet to have a single access attempt on my network. Why would anyone try when they can snatch an open network without effort?
The fact is these methods slow someone down long enough to make my network the most difficult target in a sea of easy catches.
None of these methods are "urban legends". They suck as true security measures, but for a home network do the job as needed. They keep off the casual bandwidth thieves and that's really all they need to do.
Hanging a painting over a safe is not a real security measure, but if it keeps 9 out of 10 people from knowing it's there, it serves its purpose well.
- jtjdt, on 10/12/2007, -2/+7 Where the writer says "Just use 802.11a" he is referring not to a security standard, but 802.11a is the least popular wireless standard and most hackers only have b&g compatible cards. So if your network is 5GHz 802.11a, it is less likely for a hacker to have that particular card.
- jholdaway, on 10/12/2007, -0/+5 It should be pointed out that some of these are valid security measures if your goal is to keep out casual connections. On the other hand a determined hacker will be able to break almost any security. I suggest that if you are a business you may want to go with a wired network. Home users will likely never come in contact with a hacker, statistically speaking.
One big security risk I have seen on PCs I've repaired: Home users should not keep passwords and credit cards on their hard drive. Purchasing online is virtually safe as someone would have to be hacking at the time of transmission and advanced enough to decrypt it. But files with credit and social security numbers can be crawled by the lowliest of hackers. It is more secure to sticky note it to your monitor!
- zcreem, on 10/12/2007, -2/+6 Works for me.
Wi-Fi should only be used where it is not practicable to use cable, in other words the exception not the rule.
- matt0817, on 10/12/2007, -1/+5 my neighbors are not computer savvy, but just in case, i only use the most offensive slurs for my passwords
- tdiehm, on 10/12/2007, -0/+3 This article is all fine and good, but it's also the reason I see so many unsecured wireless networks around me.
The fact of the matter is that people are simply not going to buy a new wireless router for enhanced security, nor are they going to create 20-character strings without writing it down everywhere. Probably 90% of home users don't even bother with changing passwords since by default the wireless router is turned on and ready to go.
The only real way to fix the problem for home users is for vendors to force some kind of first-time wizard for routers that sets up security, otherwise people just won't bother.
Also, regarding this list, I still feel that having these turned on is better than nothing. It may not prevent a hacker from getting access, but why would a hacker want to spend an extra 10 minutes trying to get through your security when he/she can just jump on one of the 5 other totally unsecured networks in the area?
- Monkeyget, on 10/12/2007, -0/+3 If you only have wep security available (which can be hacked in a few minutes), the tips given are quick and small help. That might not work against hackers who want to access YOUR network. But it might be enough to deter the guy using off the shelf wifi-hacking software.
Want a secure network? use wpa2 instead of wep. At least use some sort of encryption even if it is wep, it will discourage the random guy trying to access a wifi network to surf.
- jeffreym, on 10/12/2007, -2/+5 I totally agree. My neighbor's wi-fi is wide open and just filter MAC addresses. Since there's no one else around this works just fine.
- zblackeagle, on 10/12/2007, -1/+4 Personally I use WPA2 with a random 63 character (maximum length) passkey. If I need to hook someone else up, I use bluetooth to exchange the key.
Paranoia? Not really. I don't have to constantly enter the key, so there's no point in me going with any less than the best security.
- Otto, on 10/12/2007, -0/+3 I spoof MAC addresses to get past MAC Filters all the time. It works very well, and it's incredibly easy to do. Never had a router "lock up" from it before.
There is no actual difference, from the wireless router's standpoint, of one client using a MAC address from two clients using it.
- lukas88, on 10/12/2007, -1/+4 Perhaps that's why my neighbors don't even try to secure theirs! They are lucky I am not malicious, seeing as how they didn't bother to change the default username/password at the gateway.
- inactive, on 10/12/2007, -0/+3 This reflects the thought that I have had from both reading the article and the comments about how "crackable" everything is and how MAC addresses can be "easily spoofed" and so on. Your average user doesn't even know what a MAC address is.
And I wasn't able to access the WPA has been cracked link. Last I heard, the "crack" or vulnerability was based on a brute-force attack? Everything that requires a password, regardless of the length of the key is vulnerable to such attacks.
- sardon1c, on 10/12/2007, -1/+4 @turgor
WEP overhead? Whose koolaid are you drinking?
I use WPA2 for home and have no measurable reduction in speed.
- zcreem, on 10/12/2007, -2/+4 Paranoid, you think so?
Not all the information stored on computers is as harmless as your last holiday snaps or music collection, sometimes it is like really, sensitive, dangerous, expensive, secret, incriminating, or just ***** private.
- kolop1, on 10/12/2007, -1/+3 Most of the people here may be able to crack wep, but the average user has no idea. My 80 year old neighbors on one side, and the 50 year old ones on the other have no idea either. Most of the world as of right now has no idea what wep is or how to crack it.
- FuzzyCat, on 10/12/2007, -1/+3
Granted, each of the points the article makes on their own are not going to provide much in the way of security, but they can and should be used as *part* of your security policy. 99% of the time you're just dealing with joe average searching for freebie access to the web or their email, if they can't get in quickly they'll move on to try to find an open AP. They'll also prevent purely accidental connections to your AP if there's another in close proximity that a user wanted to connect to. For that 1% where you're up against a real hack attempt, then putting *anything* in the way isn't a bad thing, just so long as you realise you need more...
- Ryosen, on 10/12/2007, -1/+3 I have linksys, netgear, dlink....all of which allow IP filtering
- Murdats, on 10/12/2007, -2/+4 I only use WEP because I personally don't mind people using my network (war drivers and the like) but I have WEP to stop noob neighbours and malicious noob high schoolers who think they are leet by accessing and destroying an unsecured network from using my bandwidth
personally if you have enough skill to get through my WEP (which isn't much) feel free to use my internet
think of it like a skill test for access
- Ryosen, on 10/12/2007, -0/+2 Why would a hacker want to spend time trying to get into your system? Maybe because there is something there that he wants access to. Credit card numbers, social security numbers, passwords. The home user has a lot more to be concerned about than just having their bandwidth used.
Of much bigger concern, however, are businesses that use WiFi. Corporate users must be concerned with espionage, vandalism, theft, and damage caused by inept intruders. I agree with Ultim8Fury that the best way to secure a network is to not use WiFi at all. Unfortunately, this is not always practical nor is it always our decision.
Some businesses require wireless access as a courtesy to their customers. This isn't just limited to coffee shops and bookstores, either. Some companies, such as one of my clients, require WiFi access for a common room where their sales reps, who are normally out in the field, can come in and get online. Sometimes execs just want the convenience of not being tethered. And some just want the aesthetic benefits of not having any visible wires.
While implementing MAC filtering and SSID hiding won't secure a network, it will act as a deterrent against casual exploration. The determined hacker will still get in, however, and that's where your dependence on WiFi's security must end and the intelligent design of your network architecture begins.
The network accessible by the WiFi should not be the same as your general network. A captive portal is also effective. You should establish a subnet for WiFi access and keep it isolated from sensitive areas like file servers. Obviously this is more practical in business environments but it's not that difficult to do at home. A second, non-WiFi router can achieve this quite nicely. Should you require access to file servers, then an authentication system is required. VPN works for this. So does domain authentication. There is absolutely no reason why there should be an open share on a network. At the very least, access to it should be restricted to domain users, aka "Public - Authenticated".
The simple assumption that WiFi can be compromised should be the rule. Consider it the same as installing a LAN jack on the outside of your building and treat it the same. WiFi is a convenience and security and proper planning should not be sacrificed.
- wweasel, on 10/12/2007, -1/+3 Those are very good points. The thing is, if they are using a long password for their WEP/WPA key, why not keep it on a post-it note on the router? If the hacker gains physical access to the router he can just plug his laptop into it via CAT5 cable. At that point you're screwed anyways, and that is highly unrealistic for a home user.
I think you hit it bang on when you said (paraphrasing) "if you have WEP, why would they go for yours rather than just going to the one next door." If you have any form of security, unless they are specifically targeting you they'll go to the path of least resistance, the foolish people who make it as easy as *click*click* to log onto their network.
- jasonwc, on 10/12/2007, -1/+3 When designing any security model the first question you have to ask is, "What is my threat level, and where am I most vulnerable?". I don't think this guy realizes that if you turn off SSID broadcasting, use MAC filtering, WEP encryption, and change the default password on your router to something reasonable, you have a very good chance of never being targeted. Generally, people just want free wireless or to screw around and see what's on someone's network. Every study done on home wireless security has shown the vast majority of people don't even use WEP. If 66-80% of people are using no security, and you have WEP, MAC filtering and you're hiding your SSID, why would someone target you when there are tons of other unencrypted APs that require you to double click to connect?
The message this guy is sending is- "if you don't have a router that supports WPA-PSK or 802.11i don't bother doing anything." That's a horrible message to send. He's exaggerating the threat and he's only going to lead users to do nothing.
- tatical, on 10/12/2007, -2/+4 My router, D-Link 624 Rev E1, is holding up just fine with 2 identical MAC addresses on the network.
Xbox 360 streaming music: 00-12-5A-6F-29-12
Laptop continuous ping: 00-12-5A-6F-29-12
Streaming has been uninterrupted, the ping times are still less than 1ms, and only 2 out of 1529 packets were lost.
- Hakai, on 10/12/2007, -0/+2 because someone can simply find out what IP range you're running with, then assign one statically to access your network.
DHCP only assigns the IP addresses within the specified ranges, it doesn't block anyone else from assigning one manually.
Example:
you're running with a class C network.
192.168.0.x
255.255.255.0
you have set DHCP to assign from 2 - 6 (let's say that 1 is issued to the router).
In order to access the network, a person would only have to manually set their own IP address to be something along the lines of:
192.168.0.7 - 192.168.0.254
Subnet mask: 255.255.255.0
Once this is completed, they simply double click on your wireless network in the listing and BAM! instant access.
Everyone needs to think, is the article about just blocking someone from accessing your network? or is it also about making sure that your packets are encrypted?
I personally use WPA2 and would prefer wired over wireless for security (and fiber over CAT5e/6 since you can instantly detect any tap), BUT in the cases where wireless is needed (aka hotel lobbies, other places that need public access to clients/customers) then it's a whole other ballgame.
(then you worry about subnetting and segmenting your network to keep things separate).
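Hakai's point above, that a DHCP range only limits what the server hands out, gives an administrator something to check: compare the router's neighbour table against its lease table. The following is an added example, not part of the original thread; the lease and ARP entries are constructed sample data, and the function and reason names are hypothetical.

```python
import ipaddress

# Constructed sample data using the addressing from the comment above:
# 192.168.0.0/24, router on .1, DHCP pool .2 - .6. All MACs are made up.
SUBNET = "192.168.0.0/24"
POOL = ("192.168.0.2", "192.168.0.6")
KNOWN_STATIC = {"192.168.0.1": "02:00:00:00:00:01"}   # the router itself
LEASES = {                                            # ip -> mac issued by DHCP
    "192.168.0.2": "02:00:00:00:00:02",
    "192.168.0.3": "02:00:00:00:00:03",
}
ARP_TABLE = [                                         # hosts the router currently sees
    ("192.168.0.1", "02:00:00:00:00:01"),
    ("192.168.0.2", "02-00-00-00-00-02"),             # same MAC, dash notation
    ("192.168.0.7", "02:00:00:00:00:99"),             # manual address above the pool
    ("192.168.0.4", "02:00:00:00:00:04"),             # pool address never leased
    ("192.168.0.3", "02:00:00:00:00:55"),             # leased address, different MAC
]


def norm_mac(mac):
    """Normalise 00-12-AB / 00:12:ab style MACs to lowercase colon form."""
    return mac.strip().lower().replace("-", ":")


def audit_neighbors(arp_table, leases, subnet, pool, known_static):
    """Return (ip, mac, reason) for every host the DHCP server cannot explain."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    leased = {ipaddress.ip_address(i): norm_mac(m) for i, m in leases.items()}
    static = {ipaddress.ip_address(i): norm_mac(m) for i, m in known_static.items()}

    findings = []
    for ip_text, mac_text in arp_table:
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if static.get(ip) == mac:
            continue                              # documented static host
        if ip not in net:
            reason = "outside-subnet"
        elif not (lo <= ip <= hi):
            reason = "static-outside-pool"        # the case the comment describes
        elif ip not in leased:
            reason = "in-pool-no-lease"           # self-assigned inside the pool
        elif leased[ip] != mac:
            reason = "lease-mac-mismatch"         # address taken over by another NIC
        else:
            continue                              # matches a current lease
        findings.append((str(ip), mac, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_neighbors(ARP_TABLE, LEASES, SUBNET, POOL, KNOWN_STATIC):
        print(*finding)
```

A clean result does not prove every client is legitimate, since a cloned MAC on a leased address looks identical here; the check only surfaces addresses the DHCP server never issued.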
- qwerty967, on 10/12/2007, -0/+1 I use WPA to keep private data sent over the network secure, not to keep unauthorized clients from logging in. Yeah I can set up a VPN to keep my data private, but the average home user can't. WPA-PSK is closest to striking the right combination of ease of use and privacy.
- Rosewood, on 10/12/2007, -3/+4 at first, I thought about reporting the article because it is so old. But, I have linked to it in the comments because it is such a great article.
there is a lot of bad and outdated information out there. as I bang away this comment on my mda, 2 of the 6 comments suggest things that the article rightfully calls dumb.
if you use wireless (or work for nintendo's wifi division) read this article AND the follow up article that tells you how to secure your network. if you are too lazy, let me just say this: just use wpa2 and call it a day.
- PacoBell, on 10/12/2007, -0/+1 @kolop1: You really don't get it, do you? ¬_¬
- SuicideInvoice, on 10/12/2007, -1/+2 I agree with you. But just to say, in Kismet ctrl+c will give you all connected clients. MACs, IPs, Names and the MAC of the router itself.
- sardon1c, on 10/12/2007, -1/+2 That goes both ways. If you have to reboot or drop signal, then they get assigned on the router, and you are out of luck. Of course you can fix it, but it would be annoying.
And MAC filtering does NOTHING to protect your data transmissions over the air. It only tries to protect access to your router.
- ogletree, on 10/12/2007, -0/+1 kolop1 what are you talking about. Why would they not be able to use it. You just have 2 wireless access points one secure and one not secure. Only connect to the secure one. If you accidentally connect to the dummy one then you are too stupid to be setting up a secure network. It is very common to set up less secure hardware that goes nowhere to catch people with. As a matter of fact if you want a very secure network I think it is very important to set up a less secure dummy access point to throw people off.
- polarism, on 10/12/2007, -3/+4 ANY protection is better than NO protection. Even if it can be cracked within a minute or two, that doesn't mean every person knows how, or is willing to take the time. People are lazy, and would rather connect to an unsecured than a secured.
Not everyone is a wardriving hacker. Yeah these things aren't really good security features, but i'd rather put a padlock on my locker than nothing at all.
- inactive, on 10/12/2007, -1/+2 Most locks only keep honest people honest. None of my neighbours are savvy enough to even protect their wifi, i don't think they will be spoofing my mac anytime soon. With a coke can, some scissors, i can open the masterlock on my utility shed in seconds. By the comments here i guess people would say my masterlock is useless and maybe if i kept gold in there it would be, but i don't, i keep tools and even though i know my lock is mega easy to hack, it still keeps the honest people in my area honest
- wunch, on 10/12/2007, -0/+1 Isn't the point of the article to help the uninformed gain better knowledge about wireless security? It's not really helpful to just say that someone has no clue without helping them rectify their ignorance, especially when they imply that they are not a "security expert" from the start.
- jasqwerty, on 10/12/2007, -3/+4 How can one guy be so situationally unaware. Yes, some of these might be useless in an environment of 100+ users, but ***WORK WELL*** in an environment of, let's say, a 1 person apartment.
MAC filtering: My router only accepts 1 MAC address. I've tried a clone connection. Doesn't work while I'm connected.
SSID hiding: Software dependent on both sides as to usefulness. 100% effective against simple built-in OS wifi scanning. Changed from default of course too, along with the router password in general.
Disable DHCP: Possibly phrased wrong in the article. Similar to MAC filtering, I have DHCP off, with only one IP allowed. Yah, it's not hard to figure out, but has same cloning issues as MAC filtering bypass.
So, if I'm not connected or can't connect to my wifi router and the little lights are blinking, it means something is up. :-)
Then again, I also have a 22 char WPA-PSK key, with the usual random stuff thrown in, and AES data encryption enabled.
- ogletree, on 10/12/2007, -2/+2 also you could set up a dummy wireless with everything open. Connect it to the internet but make it so it only gets 14.4k download.
- therernospoons, on 10/12/2007, -1/+1 any smart ways to secure a wireless network?
- Ryosen, on 10/12/2007, -3/+3 Do you really want to give your local government direct access to all of your browsing history? I haven't seen this point brought up yet which really surprises me given all the concern over the NSA's recent actions.
- shotgunefx, on 10/12/2007, -1/+1 I'd agree with you. I have Cat5 all over my residence. I have an AP for one purpose. My car PC. No one has yet accessed my AP and looking through various online wifi maps such as wigle.net, while it displays approximately 30 access points on my block alone, mine isn't one of them.
So it does keep the casual user out of my bandwidth.
- qwerty967, on 10/12/2007, -1/+1 I use WPA to keep private data sent over the network secure, not to keep out unauthorized clients from logging in. Methods that you mention such as using a timer or setting up VPN seem more time and resource consuming than a set-it-and-forget-it WPA-PSK method. Of course, businesses may be able to afford a dedicated computer for VPN or Radius, but do you expect the average home user to set up a VPN server?
- drakethegreat, on 10/12/2007, -1/+1 The way I do things is quite simple. I combine the best methods. Strong WPA is key (pass-phrases that are over 12 characters work well) and then using MAC filtering on top of this. As the article suggested, people can easily just forge a mac address when they figure out a valid one after sniffing a transaction but ultimately on a home network, there aren't that many systems broadcasting this information. In a corporate network it's different but it should deter some hackers who are lazy or have no real skills besides firing up kismet.
Ultimately I would tell a corporate IT head, the best way to handle this is to use these 2 techniques I talked about, but have someone who can actually monitor network traffic. You should know who is who on your network in the first place. Proper IDS systems work wonders if you have someone around to monitor. Corporations have security guards and they should also have IT on staff. Maybe consider shutting off wireless during the nights and weekends since exposing your network when nobody is even using it is just as stupid.
Ultimately humans are the best defense but one solution a lot of businesses are using is quite simple, no wireless... Consider if your business even needs a wireless network. Most companies have no reason for it because when people are in house they can just plug in.
- ogletree, on 10/12/2007, -4/+4 If you use mac filtering and turn off ssid broadcasting you will keep out 99.9999% of users. If somebody can get past that it would be easier to just break into your office when you are not open. A good robber can get in your office with less effort. It is like putting a steel door on cardboard office. I'm sick of stupid tech guys that have nothing better than to point out things that are unimportant. If you are really concerned turn off your wireless when you are not using it. Put a timer on the plug so it is not on when you are not there like night and weekends. Don't connect the thing to your main network. Put a router behind it and use a vpn. Do a site survey and find out where wireless works. Use different kinds of antennas so that you only have wireless where you want it. As in not in the parking lot.
- s73ve, on 10/12/2007, -2/+2 i know how to secure your wi-fi, make your house out of lead.