Securing your Digital Life: Home Wireless Network

August 23, 2011
1 of 1 in the series Securing Your Digital Life

In today’s world, we rely on electronic devices more than ever before. These devices allow us to connect and share information throughout the world at a speed that was never thought possible. We can now share our ideas instantly through laptops, smartphones, tablets and other devices.

In a world where information moves at the speed of light, the need for security has never been higher. Our devices and identities are subject to a variety of attacks both physical and electronic. There are many methods and practices for securing your information. Today, we’ll start with the basics.

Having a network in your home is a great way to share information between your devices without physically transferring it. The most common way people network their devices in the home is through the use of a wireless router. Wireless routers are great because they allow us to access the Internet anywhere in the house. However, if not secured properly, routers can be a great point of attack for someone looking for your information.

Most good quality home networking equipment provides settings that can help to secure the wireless network. In this article we won’t cover any specific hardware, but we will discuss common settings and best practices. Remember, network security is no different than security in other areas. We advocate a multi-layered approach so that no single setting becomes a single point of failure.

Equipment and Services Needed

  • A connection to the Internet (usually broadband)
  • A wireless router
  • Ethernet Cable

Secure the Hardware

Once you have your Internet connection up and your wireless access point working, you will need to alter many default settings to begin to secure the network. Default login credentials are easily available online for much of the common hardware out there, which gives an attacker easy access to your new router. Your first priority is changing the administrative user name and password on the wireless access point.

You’ll also want to consider the physical security of your access point. By installing the access point in an insecure part of the house, such as a garage, you allow an attacker the ability to physically reset your access point and gain entry by using the default credentials. Once an attacker has physical access to any piece of computer equipment, the game is over.

Let’s pause for a moment and talk about passwords and user names. With the abundance of online services, it is becoming quite difficult to keep track of all our user names and passwords, especially for something you log in to as infrequently as your wireless access point. You can’t let your guard down with such a critical point of attack, so choose a password that is at least 8 characters in length and mix in numbers, upper case letters, and punctuation. For more information, see our previous article on password strategy.

Secure the Signal

Now that we have secured our access point, let’s secure the wireless signal. Most access points will give you several options for wireless encryption. You’ll want to choose the most secure settings your access point will allow. Often, the most secure encryption method is WPA2. Make sure that you choose a strong encryption key.

One method to secure your signal is to choose not to broadcast the name, or SSID, of your network. This will stop some casual hotspot snoopers, and in a layered security model it’s a great practice.

All network devices have a unique identifier called a MAC address. You can control access to your wireless network by telling the access point to only allow connections from certain MAC addresses. Follow the instructions in the user manual of your access point to enable this filtering. A MAC address is easily spoofed by an attacker, but once again, this is a good practice in a layered security model.

Computers have MAC addresses on their wireless cards, and all Wi-Fi devices have one; you just may have to do some searching to find yours. These photos show an example of one laptop’s MAC address location.

Other Security Measures

Most routers will have a remote login, which you will need to disable to ensure that only a local connection can log in. Consider enabling the family controls that turn off your network at certain times of the day. For example, if you are at work during certain periods or you never use your network from 2 a.m. to 6 a.m., why does it need to be on?

Make certain your devices don’t auto-connect to open Wi-Fi networks. If the network is not yours, it is not secure. That doesn’t mean you shouldn’t use unsecured networks; you just need to be more cautious about what you are doing on those networks. Don’t just set it and forget it. Review your security settings once in a while. If there has been a change to your settings that you didn’t make, this can signal that there has been a breach in your security.

Most Common Attack Vectors

The most common attack on home networks is not a malicious user sitting in an unmarked van on the street stealing your credit card info as you type it in to purchase something online. It’s viruses, worms, spyware, and malicious programs that steal your personal information. Using the methods we’ve mentioned above, as well as having a good antivirus program (or using an alternative operating system less susceptible to common viruses) and good browsing habits, can prevent these attacks. Good browsing habits include checking a website’s URL and encryption method before entering any personal information. Internet browsers will verify a website’s credentials and many will display the information in the address bar of the browser. If you see anything out of place or are suspicious of any website you visit, do not enter any personal information.

Detecting an Attack

Intrusion detection is tricky and, by definition, can only be determined after an attack has taken place. If an individual has attacked your network, contact law enforcement and report it. Identity theft is a serious crime and carries severe penalties. (There were 10 million victims of identity theft in 2008 in the United States alone and, on average, victims lose between $851 and $1,378 out-of-pocket trying to resolve identity theft.) Monitor your systems and notice changes that you did not make. Always have updated antivirus programs, firewalls, and monitoring software installed. With these multi-layered methods we have mentioned, you can expect a reasonable level of security in your home network.
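As an added example (not code from the ITS Tactical article), here is a small audit that applies the checklist above to a router settings snapshot and its DHCP lease table: it flags settings that drifted from the baseline you configured, settings that go against the recommendations (WPA2, non-default admin name, key length, remote login off), and any device that is not on your MAC allow-list. The setting names, MAC addresses and lease lines are constructed for the demo and are assumptions, not any real router's export format.

```python
"""Router settings audit: drift from baseline, weak settings, unknown devices.
Constructed demo data; the key names are assumptions, not a real export format.
"""
import re

# Constructed baseline: what the owner configured after working through the article.
BASELINE = {
    "admin_user": "homeadmin",
    "encryption": "WPA2",
    "ssid_broadcast": False,
    "mac_filter": True,
    "remote_admin": False,
    "wifi_schedule": "off 02:00-06:00",
}

# Constructed allow-list of the household's Wi-Fi cards (locally administered
# 02:xx addresses, so they collide with no real vendor prefix).
ALLOWED_MACS = {"02:00:5e:10:00:01", "02:00:5e:10:00:02"}

# Constructed DHCP lease table in the common "<lease> <mac> <ip> <hostname>" layout.
LEASE_LINES = """\
86400 02:00:5e:10:00:01 192.168.1.10 laptop
86400 02:00:5e:10:00:02 192.168.1.11 phone
3600 02:00:5e:10:00:99 192.168.1.12 unknown-device
"""

# Factory account names that the article says to change first (assumed list).
DEFAULT_ADMIN_USERS = {"admin", "root", "user"}
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def check_settings(current):
    """Return findings: drift from BASELINE first, then recommendation violations."""
    findings = []
    for key, want in BASELINE.items():
        if current.get(key) != want:
            findings.append(f"changed: {key} is {current.get(key)!r}, baseline {want!r}")
    if current.get("encryption") != "WPA2":
        findings.append("weak: encryption is not WPA2")
    if current.get("admin_user", "").lower() in DEFAULT_ADMIN_USERS:
        findings.append("weak: administrative user name is a factory default")
    if len(current.get("wifi_key", "")) < 8:
        findings.append("weak: wireless key shorter than 8 characters")
    if current.get("remote_admin"):
        findings.append("weak: remote administration enabled")
    return findings


def unknown_devices(lease_text, allowed):
    """Return MACs seen in the lease table that are not on the allow-list."""
    seen = {m.group(1).lower() for line in lease_text.splitlines()
            for m in [MAC_RE.search(line)] if m}
    return sorted(seen - {a.lower() for a in allowed})


if __name__ == "__main__":
    # Constructed "current" snapshot: remote login was switched on, key is too short.
    current = dict(BASELINE, remote_admin=True, wifi_key="summer1")
    for finding in check_settings(current):
        print(finding)
    for mac in unknown_devices(LEASE_LINES, ALLOWED_MACS):
        print("unknown device on the network:", mac)
```

Run it against a snapshot taken each time you review the router; any "changed:" line is a setting you did not make and is worth treating as the warning sign the article describes.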



j wilson

Good points all.

I would only add this - are you trying to secure/protect use of the access point -or- the data contained on the devices connected to that access point? There is quite a bit of difference between those tasks. Don't confuse one for the other. Secure the road or secure the car on the road...?

Just my 1/2 cent...

jw

Datajockeys

Please update the firmware on your Access Point or Wireless Router before using it! Every manufacturer rushes out the hardware hoping to fix any problems in the following firmware update. Also check on a regular basis for updates. With the rollout of IPv6 and new exploits, you may want to do this quarterly.

Nick

To some degree this is correct.

Where reality differs:

If the attacker has the password hash (especially in the "LM" form from Windows XP), it takes less than 5 minutes on a cheap 4 year old low end laptop to crack. I actually was building a demonstration laptop today for a presentation that a friend is giving on laptop security this weekend. I showed him how, using open source tools (rainbow table based), any password can be broken in a very short time, provided you have the space to precompute hash tables.

The point?

If using Windows XP, disable LM hashing, or use a mixed case/character password of AT MINIMUM 15 characters (LM hashes are NOT able to store but 14 bytes of data, therefore Windows hashing breaks and resorts to NT hashing). If you are on Windows 7, please just use a strong password. It is breakable (since Windows doesn't believe in "salted" hashes), but searching NT hashes is much slower!

Wireless security:

There is no such thing; remember this! Under normal circumstances, seeing a WPA/WPA2 secured access point is a 100% turn off. Most people break a wireless encryption only to try to get an internet connection. Most people will not even waste time breaking a WEP password due to the vast number of completely open APs. If someone is wanting in your network, you will not stop them... only slow them down!

The point to all of this is how bad do they want in? If someone wants in, it will be a very directed attack, with little chance of stopping it with default off the shelf routers or standard encryptions! So don't use WEP, change your WPA key monthly (bi-monthly if a fairly unpopulated area), and if you can handle it, DON'T USE WINDOWS! If you store important data (PII, sensitive data, etc.), ENCRYPT it; lots of companies have learned this recently!

AltJ

I only mention the weakness of the protection offered by not broadcasting your SSID because I've come across too many people that think their wireless network is secure because they have it disabled (and have taken no further measures to secure their unencrypted wireless network.)

Rob Henderson

AltJ, we definitely don't advocate not broadcasting your SSID as the only security method for your network, just one of many. You'll need multiple layers of security of all different kinds. Not broadcasting your SSID is useful in stopping casual hotspot snoopers, but not people intent on accessing your network.

I agree that the Internet is not secure and, as we've mentioned above, using good browsing practices is the best way to ensure your devices' protection while online. These steps we've mentioned just increase your ability to defend against possible attacks and theft of your information.

johnyD

Good points to remind us how important electronic security is. There are a lot of password programs to keep all of your personal information (passwords, user names, account info, serial numbers, private notes, etc., etc.) organized and secure. I use iPassword Pro for my iPhone. It uses AES encryption and Auto-Lock. The Pro version is not cheap, $15, but for me, it's all a balance of how you perceive your personal electronic security against ruthless thieves willing to get their hands on your stuff.

I have no financial interest or gain from mentioning iPassword on the listing, it's just a program I have had a good run with and just my 0.02¢ worth of a good product.

-73

AltJ

"One method to secure your signal is to choose not to broadcast the name, or SSID, of your network. This will stop some casual hotspot snoopers and in a layered security model, it’s a great practice."

FYI - not broadcasting as your only security method is comparable to not quite closing the front door of your house all the way. Your SSID is easily detected whenever you are using your network even if you have SSID broadcasting turned off.

The primary way to secure your wireless network is to use WPA2 with a strong password (don't use a dictionary word for your password.)

Also...

"If the network is not yours, it is not secure."

Remember, the Internet is not yours. Do you completely trust every employee of every company that handles the network traffic between your computer and the servers you connect to on the Internet? That's why we have secure sites, VPNs and other means of encrypting & authenticating who your computer is "talking" to. In theory, you should be using the Internet in such a way that it doesn't matter if you connect to an untrusted open wireless network because the Internet is not a trusted network.

Carl

There is no real difference in security between a/b/g/n as it has nothing to do with the encryption used. WPA2 is the only really secure encryption method to use. The longest password possible should also be used (I use 64 randomly generated characters, but that is a bit extreme). A password with 8 characters or less can be brute forced quickly if you have the processor power to do it.

The MAC address of your network card can easily be found without opening your laptop. Using the command "ipconfig /all" in your Windows command prompt should list all available network interfaces and their physical address (aka MAC address).

And remember, just because you are associated to an SSID with your name on it doesn't mean it is yours - it's just an access point using the SSID you told your computer to associate to.

Good write-up. :)

/Carl

Brandon Bogart

Only downside to doing that is 1) you have no security at all, and I'd still rather have some type of security even if it is crackable when in use. 2) having just good old a and b is still an open network that is able to be accessed by today's wireless cards, which could just switch to them when g or n is not available. The article was good general information that people should know for wireless security.

wayne

I like passwords like the following: first, I pick something I will always remember such as:

I got married in Oklahoma in 2009.

So, my password is: IgmiOi2009 or something similar. Obviously, this is not any of my passwords and is only an example.

Adam

I've heard the thing on passwords my entire computer life, however I was reading a web comic last week and they posted this about password strength, any thoughts on the premise they bring up? http://xkcd.com/936/

Uri

Great write up. I would add that whenever possible WEP fallback should be disabled, and only allow 802.11a or 802.11b if nothing else works. Stick to 802.11g or better, 802.11n when possible.

Mad_Hatter

That web comic focuses mainly on the bits in the password and not really the content, and I don't know how he came up with all that about entropy, but when it comes down to it there are more possible passwords on the top password than the bottom. And the bottom is susceptible to a dictionary attack. Everything I've ever read about IPSec says the bottom password is weak.

He also limits it to 1000 guesses/sec because the target, being a web server, would limit the amount of logins, but a hacking platform using a GPU to boost the number of guesses a second could try upwards of 2 billion passwords a second to attack your home system.

daver

The point of the 'bits of entropy' is to count the actual number of possible different combinations, i.e. the possible variation in actual content. Entropy here just means: how many ways can something vary? So he's arguing that in fact the entropy, i.e. the number of total possible combinations, is higher on the bottom (4 common words) than the top (1 uncommon word, even allowing for some tricky variations), as long as you require that the top one is based on one English word (so, about 2^16=64K words). So the top password is not just a totally random string of digits, but is initially constrained by a pretty small number (64K). If you let the bottom password use all the words in the dictionary instead of the ~2K (11 bits) he seems to be allowing, the bottom password would have an astronomically high number of possibilities (I think translating to about 1/2 billion years at 1000 tries/second).

Re: the 1000 passwords per second limit vs 2 billion, what do you think would happen if some hacker server hurled 2 billion passwords a second at a typical home system? How does that happen when the typical incoming pipe is, say, 25Mbit? If you assume a 10 byte password, (10byte*8bit*2 billion), that's 160 gigabits per second.
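The entropy and guess-rate arithmetic the commenters are debating, carried through as an added example (not part of the comment thread) with the figures they use: a word list of 2^11 or 2^16 words, four-word passphrases, a single word with a few bits of predictable tweaks, 1,000 versus 2 billion guesses per second, and 10-byte guesses over a 25 Mbit/s link. All parameters are assumptions taken from the thread, not measurements.

```python
"""Password entropy versus guessing rate, using the thread's own numbers.
The word-list sizes, tweak bits and link speed are assumptions from the thread.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(dictionary_size, words):
    """Entropy (bits) of `words` words drawn uniformly from a list of `dictionary_size`."""
    return words * math.log2(dictionary_size)


def tweaked_word_bits(dictionary_size, tweak_bits):
    """Entropy of one list word plus predictable tweaks (case changes, digit/symbol
    substitutions, a trailing digit). The tweaks only add the bits you grant them,
    which is why a single 'uncommon word' stays anchored near log2(list size)."""
    return math.log2(dictionary_size) + tweak_bits


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: time to try the whole space at a fixed rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def link_bits_per_second(guesses_per_second, guess_bytes=10):
    """Bandwidth needed just to deliver that many guesses of `guess_bytes` each."""
    return guesses_per_second * guess_bytes * 8


def max_online_rate(link_bps, guess_bytes=10):
    """The reverse bound: guesses per second a link can physically carry, ignoring
    framing overhead and any login throttling on the target."""
    return link_bps / (guess_bytes * 8)


if __name__ == "__main__":
    # Four words from a ~2K-word list (the comic's model) versus the full 64K list.
    for size in (2 ** 11, 2 ** 16):
        bits = passphrase_bits(size, 4)
        print(f"4 words from {size:>5} words: {bits:.0f} bits; "
              f"{years_to_exhaust(bits, 1_000):.3g} years at 1e3/s; "
              f"{years_to_exhaust(bits, 2_000_000_000):.3g} years at 2e9/s")
    # One word from the 64K list with about 12 bits of tweaks (assumed figure).
    print(f"tweaked single word: {tweaked_word_bits(2 ** 16, 12):.0f} bits")
    # Delivering 2 billion 10-byte guesses per second needs this much bandwidth ...
    print(f"{link_bits_per_second(2_000_000_000) / 1e9:.0f} Gbit/s required")
    # ... while a 25 Mbit/s home link tops out at this many guesses per second.
    print(f"{max_online_rate(25e6):,.0f} guesses/s over a 25 Mbit/s link")
```

The 2 billion/s figure applies to offline cracking of a captured hash or handshake, where no link is in the way; for guesses sent across the Internet the link bound above, plus any login throttling, is what applies.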
