Wireless Security – Do or Die!
By Rohn Solecki
Nov 16, 2007
Wireless access to a computer network is invaluable in many situations. Its uses range from the relatively innocuous, like wireless game controllers for a Wii at home, to businesses using wireless connections for Point of Sale (POS) terminals and wireless security cameras [1].
At home, who cares? What’s the worst that can happen? So what if the neighbor, or their kid, uses your internet connection? Well, what if RIA or the police come knocking on your door? A study just released by SOPHOS said that “54 percent of computer users admit to riding someone else's wireless bandwidth to access the Internet.” [2] Granted, the statistics are questionable, but the fact still remains that a significant number of people are willing to admit that they did it.
At work, it can be much worse. The 2007 poster child for “worse” in wireless security is TJX Inc. in the US. A couple of guys used a laptop in a parking lot to access a poorly secured store network [3] for a year and a half until they were discovered in December 2006. The latest count is 944 million customer records exposed. TJX projects an expense of $118 million to compensate customers [5]. “But that was an American company,” you say. Sorry: TJX owns Winners and HomeSense in Canada. If you think “it couldn’t happen to my company”, a recently released study [6][7] by AirDefense Inc of 3000 retail stores in the US and Europe found that half of them still have inadequately secured wireless networks.
What can be done about Wireless Security
At home and at work, the basics of wireless security rely on the same two concepts: encryption and customization. Most Wireless Access Points (WAPs) ship in a very “open, easy to use” but insecure configuration. WAPs may be dedicated units used in corporate locations or combined “Router and WAP” units commonly sold for home use. There are several techniques that can be used to secure your wireless access point [8]-[14]. This collection of tips provides elements of a “Defense in Depth” strategy, where you do not depend on a single security technique. Instead you build layers of protection that the attacker has to work through. Some of the techniques are easy to circumvent with a little knowledge, skill, time and the appropriate hardware and software. However, even the easily bypassed techniques are often enough to provide protection from “script kiddies”, casual attackers who have very limited skills but make up the majority of attackers. They simply move on to one of the abundant other totally unsecured wireless networks. Even the more skillful attackers will eventually run out of patience and go after easier targets, unless of course they are targeting you specifically for some reason.
Encrypt the Connection
Since wireless connections broadcast your information for anyone to read, you should make the broadcast information unreadable by encrypting it securely (that is not an oxymoron; encryption can be insecure if it is done wrong). Currently there are 3 possible types of encryption available on a WAP. In order of preference they are WPA2, WPA and WEP (yes, the alphabet soup can get confusing). WPA2 is best, WPA is good, but WEP is a poor third. WEP is adequate to protect a home wireless connection from casual interception attempts, but it is definitely no longer secure enough to protect a corporate connection. WEP is what TJX was using when they were attacked in early 2005. The “average” WEP connection can be cracked in a matter of minutes [15][16].
As well as encrypting the broadcast portion of the connection, you should also take advantage of the option to encrypt the whole connection from your laptop to the web server using VPN (Virtual Private Network) technology [17].
Secure UserID & Passwords
WAPs typically come with an administration function. If there is one, it is secured by a default UserID and Password. These defaults are known and available on the internet, so you must change the administrator ID and password to prevent an easy attack. When you change them, make the new ones secure [18][19][20]. That means using the guidelines for creating a secure password for both the ID and the password. In short form those guidelines are:
- Don’t use a word from the dictionary
- Don’t use a word, name or number associated with you personally or corporately
- Make it longer than 8 characters if possible; 14 is currently adequate
- Using a “Pass Phrase” [21][22] to build the longer password aids in remembering it, and helps make it more secure
- Make it complex, include upper and lower case, numbers and special symbols
- No simple, cute, commonly used transliterations of letters with numbers or symbols, i.e. “i” for “1” or “0” for “o”.
The two most common attacks are:
- testing “default” and “common” userids and passwords like “admin”, “administrator” and “god”
- using “Rainbow table” dictionaries containing tens of thousands or even millions of encrypted words, including all of the common transliteration variations
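The guidelines above and the two common attacks can be turned into a checker that an administrator runs against a proposed WAP admin ID or password before setting it. This is an added example, not code from the article: it undoes the “cute” letter-for-number substitutions before testing for dictionary words, checks length, character classes and the default logins named above, and lets you pass company or personal terms that must not appear. The word list, the common-login list and the substitution table are constructed stand-ins; a real check would load a full dictionary.

```python
import re

# Constructed stand-in for a real word list (assumption: a production check
# would load a full dictionary such as /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey", "secret"}

# Default and common logins named in the article, plus a few constructed ones.
COMMON_LOGINS = {"admin", "administrator", "god", "root", "user", "guest"}

# The "cute" transliterations the article warns about, mapped back to letters
# so that "P@ssw0rd" is judged as the dictionary word "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(secret):
    """Undo letter-for-number substitutions and lowercase the result."""
    return secret.translate(LEET).lower()


def dictionary_hit(secret, personal_terms=()):
    """Return the dictionary word or personal term found inside the secret, or None."""
    base = normalize(secret)
    letters = re.sub(r"[^a-z]", "", base)
    for word in DICTIONARY:
        if word in letters:
            return word
    for term in personal_terms:
        if normalize(term) in base:
            return term
    return None


def check_secret(secret, personal_terms=()):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    elif len(secret) < 14:
        problems.append("shorter than 14 characters (currently adequate length)")
    classes = [any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret)]
    if not all(classes):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    if normalize(secret) in COMMON_LOGINS:
        problems.append("default or common login value")
    hit = dictionary_hit(secret, personal_terms)
    if hit:
        problems.append(f"built on the dictionary word or personal term '{hit}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a pass-phrase style password and three weak ones.
    for candidate in ("Purple!Kettle7whistles", "admin", "P@ssw0rd1", "Acme2007!Pos"):
        print(candidate, "->", check_secret(candidate, personal_terms=("Acme",)) or "OK")
```

The pass-phrase candidate passes every rule, while “P@ssw0rd1” fails because the substitutions are reversed before the dictionary test, which is exactly what a rainbow table built with transliteration variants would also do.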
Turn off the WAP when not in use
“The most secure computer is one that is not connected to a network, locked away in a vault…”
If you are not using the WAP, turning it off is absolutely the best way to prevent other people from using it. And it saves a few pennies in electricity. If you have a combined Router and Wireless Access Point home device but you are only using a direct wired connection, make sure to turn off the unused wireless access function.
Turning off Wireless Access when not in use also applies to the laptop end of the connection. Removing the wireless connection card or turning off the wireless connection application will prevent unexpected connections.
Disable SSID Broadcast
SSID (Service Set Identifier, if you care) is an optional way of uniquely identifying your wireless network. Some experts recommend that you disable broadcasting the SSID. However, even without broadcasting it, it is easily discovered using tools downloaded from the internet. So, whether you disable broadcasting the SSID or not, you should change the default value to a word that is not associated with you or your company. Here are a couple of examples of “bad” SSIDs:
- “CompanyName_POS” (Point of Sale)
Enable MAC Filtering
MAC (Media Access Control) is the globally unique identifier assigned to each network interface card (NIC). MAC filtering enables you to provide the WAP with a list of “authorized” network interface cards. This is another technique that has weakened with time, but still is adequate to prevent casual snooping.
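The three configuration layers described so far (encryption type, SSID choice and broadcast, MAC filtering) can be audited from the access point’s configuration file. The following added example is not the article’s code: it assumes a hostapd-style key=value file using hostapd’s option names (wpa, rsn_pairwise, ignore_broadcast_ssid, macaddr_acl, accept_mac_file), and it compares a constructed factory-style weak configuration with a hardened one that applies the advice above. The SSIDs, passphrase and file path are constructed.

```python
# Constructed hostapd-style configurations. The weak one resembles a factory
# default with WEP, an identifying SSID, SSID broadcast on and no MAC filtering.
WEAK_CONF = """\
interface=wlan0
ssid=CompanyName_POS
auth_algs=3
wep_default_key=0
wep_key0=0123456789
ignore_broadcast_ssid=0
macaddr_acl=0
"""

HARDENED_CONF = """\
interface=wlan0
ssid=quietlake42
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Purple!Kettle7whistles-over-the-moor
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Constructed list of well-known factory SSIDs.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}


def parse_conf(text):
    """Parse key=value lines into a dict, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf, identifying_terms=("CompanyName", "POS")):
    """Return a list of findings; an empty list means the config follows the advice."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # hostapd bitmask: 1 = WPA, 2 = WPA2 (RSN)
    has_wep = any(k.startswith("wep_key") for k in conf)

    # Encryption: WPA2 > WPA > WEP > nothing.
    if has_wep or conf.get("auth_algs") in ("2", "3"):
        findings.append("WEP/shared-key authentication enabled: crackable in minutes, replace with WPA2")
    elif wpa == 0:
        findings.append("no encryption configured: open network")
    elif wpa == 1:
        findings.append("WPA only: prefer WPA2")
    elif wpa == 3:
        findings.append("WPA2 with WPA fallback: disable WPA once all clients support WPA2")
    if wpa & 2 and "TKIP" in conf.get("rsn_pairwise", "CCMP"):
        findings.append("WPA2 with TKIP cipher: use CCMP only")
    if wpa and len(conf.get("wpa_passphrase", "")) < 14:
        findings.append("WPA passphrase shorter than 14 characters")

    # SSID: not a factory default and not tied to you or your company.
    ssid = conf.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"SSID '{ssid}' is a factory default")
    for term in identifying_terms:
        if term.lower() in ssid.lower():
            findings.append(f"SSID '{ssid}' reveals '{term}'")
            break
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled (a thin layer, but it costs nothing to hide)")

    # MAC filtering: deny unless listed, and the list must actually be configured.
    acl = conf.get("macaddr_acl", "0")
    if acl == "0":
        findings.append("MAC filtering disabled (macaddr_acl=0)")
    elif acl == "1" and "accept_mac_file" not in conf:
        findings.append("macaddr_acl=1 but no accept_mac_file configured")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "no findings")
```

Run as a script it lists four findings for the weak file and none for the hardened one; the identifying terms are a parameter so the same check can be reused with your own company name.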
Patch the Applications
The WAP hardware requires software to provide its functionality. Just like Windows or anti-virus software, it has to be kept up to date. As new defects are found, the vendor will provide patches for them. You should periodically check the vendor website to see if patches are available. An unpatched WAP (or Windows installation) is an exposure waiting to be taken advantage of.
Control the Wireless Signal
By default, WAPs are designed to broadcast their signal evenly in all directions and as far as possible. Some WAPs allow you to turn down the broadcast power of the signal, so you can limit how far beyond your control, i.e. your building or home, the signal travels. Another way of controlling where the signal travels is to use antennas that are designed to broadcast in a controlled, focused pattern. Finally, you can be selective about the broadcast technology you use. 802.11b/g is the current common standard that most people use. 802.11a is an earlier technology that uses a different frequency, one that doesn’t travel as far, especially through obstacles. The average attacker is less likely to bother with the technology to receive an 802.11a signal since it is obsolescent and becoming less common.
Confirm your Laptop connected to the Right WAP
When selecting a wireless connection, be careful to connect to the right one. In crowded business areas, such as office buildings, your laptop may locate several WAPs with good signal strength. You should be sure to connect to the correct SSID.
There is an attack known as the “Evil Twin” where an attacker’s WAP is set to mimic the corporate WAP but with stronger signal strength. This type of attack is very difficult for the average user to detect.
Turn off Ad-Hoc Networking
The default installation of Windows on laptops looks for any available network, including peer-to-peer (ad-hoc) networks. That means that your corporate laptops could connect to laptops outside of your corporation, for example laptops belonging to visitors to your buildings. If the ad-hoc networking function is left enabled on company laptops, anyone could connect to the open company laptop and, through it, to your protected corporate network.
Install NAC or WIPS
NAC, Network Access Control [23], and WIPS, Wireless Intrusion Prevention System [24], are technologies that use slightly different techniques to control access to networks. The NAC/WIPS identifies the device trying to connect and verifies that it is authorized for access and that it is correctly configured (patches up to date, anti-malware software running, only approved software installed, etc.) before allowing the connection.
Search for Illegal WiFi Hotspots
At work, it would be a good strategy to periodically search [25] for unauthorized WAPs that have been intentionally or unintentionally connected to your LAN [26]. A laptop with freeware (e.g. NetStumbler [27]) downloaded from the internet and an add-on antenna can be used to locate WAPs, or you can buy specialized hardware [28][29][30] to do the same. These scans would also stand a chance of detecting “Evil Twin” WAP installations.
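The periodic search for unauthorized WAPs, and the “Evil Twin” problem from the section on connecting to the right WAP, both come down to comparing a site survey against an inventory of the access points you actually own. The following added example is not the article’s code: it assumes a CSV export with SSID, BSSID, channel and signal columns (the constructed rows below mimic what a tool like NetStumbler records), and an inventory of authorized BSSIDs per SSID. It flags an unknown BSSID advertising your SSID as an Evil Twin candidate, noting whether it out-shouts your real access points, and any SSID you do not run at all as an unknown access point to be traced on the LAN.

```python
import csv
import io

# Constructed scan export. The third row is a constructed "Evil Twin": it
# advertises the corporate SSID from an unknown BSSID at a stronger signal
# than the genuine access points.
SCAN_CSV = """\
ssid,bssid,channel,signal_dbm
CorpWiFi,00:11:22:33:44:55,6,-48
CorpWiFi,00:11:22:33:44:56,11,-52
CorpWiFi,DE:AD:BE:EF:00:01,6,-31
GuestNet,00:11:22:33:44:57,1,-60
linksys,AA:BB:CC:DD:EE:01,6,-70
"""

# Constructed inventory of authorized access points, keyed by SSID.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "GuestNet": {"00:11:22:33:44:57"},
}


def parse_scan(text):
    """Parse the CSV survey into rows with normalized (lowercase) BSSIDs."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ssid": rec["ssid"],
            "bssid": rec["bssid"].lower(),
            "channel": int(rec["channel"]),
            "signal_dbm": int(rec["signal_dbm"]),
        })
    return rows


def classify(rows, authorized):
    """Flag access points that are not in the inventory.

    evil_twin_candidate: our SSID advertised by a BSSID we do not own.
    unknown_ap: an SSID we do not run at all (possibly a rogue WAP on the LAN).
    """
    known = {ssid: {b.lower() for b in bssids} for ssid, bssids in authorized.items()}

    # Strongest legitimate signal per SSID, to spot twins that out-shout the real AP.
    strongest = {}
    for r in rows:
        if r["bssid"] in known.get(r["ssid"], set()):
            strongest[r["ssid"]] = max(strongest.get(r["ssid"], -999), r["signal_dbm"])

    findings = []
    for r in rows:
        if r["ssid"] in known:
            if r["bssid"] in known[r["ssid"]]:
                continue
            findings.append({
                "kind": "evil_twin_candidate",
                "ssid": r["ssid"], "bssid": r["bssid"], "channel": r["channel"],
                "stronger_than_authorized": r["signal_dbm"] > strongest.get(r["ssid"], -999),
            })
        else:
            findings.append({
                "kind": "unknown_ap",
                "ssid": r["ssid"], "bssid": r["bssid"], "channel": r["channel"],
                "stronger_than_authorized": False,
            })
    return findings


if __name__ == "__main__":
    for finding in classify(parse_scan(SCAN_CSV), AUTHORIZED):
        print(finding)
```

An unknown SSID is not automatically hostile (it may be a neighbour), so the usual follow-up is to check whether its BSSID shows up on your wired switches; a twin of your own SSID with the strongest signal in the building is the case that deserves immediate attention.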