Protect Your Wireless Network

Security for WiFI

This article addresses a number of so-called security measures that “experts” say will help secure your wireless network from illegal access and Identity Theft. We list why these security measures don’t work and what you should really be doing to secure your wireless networks.

Before you read any further, note that Wireless Personal Secure (Wifi Security Guy’s wireless security service) completely protects you and if you were using it you wouldn’t have to worry about any of the following “security measures” (although you could do them if you wanted – even though as you’ll see, they don’t work). Click here to get this amazing protection or to learn more about it.

With Identity Theft being the fastest growing crime (according to the FBI), the growth of Identity Theft by wireless networks (millions reported in the past few years), and the ubiquity of wireless networking, there’s a lot of mis-information floating around out there where so-called “experts” give advice on how to secure wireless networks. A lot of the advice gives only a false-sense of security and since the average wifi user is not technically proficient enough to know what advice works and what doesn’t, we list the gambit of advice here, tell you if it doesn’t work (and why), and what action you should take in each case. Click here to Visit our Website 

  1. Change the default SSID.

The SSID (Service Set Identifier) gives the name of a particular wireless network. When someone comes over to your house and is going to use your wireless network you tell them the name (SSID) of the network and the password (I hope you have a password on it!!).

Every wireless access points come with a “factory default” SSID, usually the name of the manufacturer (LINKSYS, NETGEAR, D-LINK, etc), and it is good advice to change the SSID, but it doesn’t increase your security at all. Wireless networks with SSIDs that you generate are just as easy to break into as the SSIDs that came on the wireless access point from the factory.

Action: Change your SSID to something that’s more appropriate, but don’t think that changing the SSID adds any security to your network. Don’t change the SSID to your name, your address, your phone number, etc. – The problem with doing that is you let any passerby know exactly which wireless network they see in their scan is yours.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure. Looking for a  best wifi range extender

  1. Setting up MAC filtering.

Every network device (access point, laptop, computer, etc) has a MAC address (Media Access Control address). Without diving down into a lot of network theory, let me just say that your MAC address is hard coded into your computer’s wireless card. When you are using your home network you may have one IP address, and when you go to your local cafe you will more than likely get a different IP address. But your MAC never changed – it uniquely identifies you on the wireless network, no matter where you go.

MAC filtering is where you configure your wireless router to only allow certain MACs on the network, and it ignores all the rest. At first this may seem like a really good idea – a hacker driving by can’t use your network now, right? WRONG!

A hacker driving by will be using a sniffer tool like kismet, and kismet will tell the hacker all the MAC addresses in use on your wireless network (read the article to learn how). The hacker then sets his network card to use your MAC instead of the MAC that came on it. From that point forward your wireless router can’t tell the difference between your computer and the hacker’s computer.

MAC filtering is easily bypassed by a hacker. Additionally, every time a friend comes over who wants to legitimately use your wireless network you have to add their MAC to your filter list. It’s just not worth your time.

Action: None, MAC filtering adds no benefit to securing your network, it just adds an administrative burden to you every time a visitor drops by.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.

  1. Disable SSID broadcast.

Wireless routers ordinarily broadcast their SSID (name) every few seconds. Your computer uses that broadcast to know which wireless networks are in the area and join them (if you’ve configured that wireless network in the past, usually your computer will automatically join that network when it sees it). When you turn off the SSID broadcast your wireless router will not announce the network every few seconds. Now every time you want to connect to that wireless network, since it’s hidden, your computer won’t automatically connect to it. Instead you have to manually tell it “connect to my wireless network”. When you do that your computer broadcasts a message like “hey, is network XYZ around here?” The wireless router then says “yes, I’m here” and your computer then joins the network.

I hope you saw the flaw(s). A minor flaw is that you have to manually join the network any time you want to use it. A major flaw is the SSID is broadcast anyway, every time your computer goes to join. All a hacker has to do is wait around for your computer to join the network to pick up the SSID, then he can join the network too. And there are ways that he can “jam” your network so your computer “drops off” of the wireless network, then when you rejoin within a few minutes he’ll see the SSID. He bascially “forced” you into telling him the SSID.

Action: None. Not broadcasting the SSID only complicates your use of the wireless network without adding any security.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.

  1. Hard-code IP addresses instead of using DHCP.

DHCP stands for Dynamic Host Configuration Protocol. It’s a network administrator’s dream, and sometimes also their nightmare. Basically every computer on the network has to have an IP address. In the “old” days (pre DHCP) an administrator had to manually assign every computer on the network an IP address and make sure that none of the IP addresses overlapped (two computers with the same address). Most computers can’t handle having the same IP address that another computer has (more on this in a bit).

DHCP allows a computer to “ask” the network for an IP address whenever it connects. So when a computer joins the network it “asks” “hey, I’m new around here, can I get an IP address?” A DHCP server then says back “yes, you can have this IP: XXX.XXX.XXX.XXX”. This saves the network administrator the irritation of having to assign IPs to every computer, the DHCP server does it for him.

By turning off DHCP, the computers all have to be manually configured with different IP addresses. The idea behind turning off DHCP on a wireless network is that a hacker’s computer that connects to the network now won’t be automatically given an IP and then “can’t access the network”.

A hacker’s approach to this “problem” is to do similar to the MAC address hack. He just watches the network, sees what IPs are in use and then assigns himself one manually. If he uses a new IP but still can’t use the wireless network, he can assume it’s because the router also blocks any IPs that aren’t in it’s list, just like the MAC filtering. So he can do the same as he did for the MAC filtering hack, he just assigns the same MAC and IP of a computer that is on the network to his own computer. He can also setup his computer to not have a problem with there being another computer on the network with the same IP and now the network is wide-open to him.

Action: None. Turning off DHCP and doing IP filtering is just going to give you a headache every time a friend comes over, you have to walk him through all the steps of manually configuring his own IP as well as set up your router to now allow that IP to access the network. And all that trouble for a hacker to just side-step this “security” measure just isn’t worth it.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.

  1. WEP Encryption.

OK, this and WPA encryption are going to be the biggies. Everybody just assumes “oh, they work, they’ll secure me.” Bad news – the final analysis is they don’t ensure your security. WEP stands for Wired Equivalent Privacy – it’s name means “WEP is just as secured as using a wired network”. But don’t believe it’s name, it’s far from being as secured as a wired network.

I’m not going to get into all the complexities of explaining how WEP is insecure. Let me summarize with a layman’s-terms approach to WEP. With WEP you basically have a pre-shared key that everyone on the network uses. Whenever data is going to be sent on the wireless network the computer will take this pre-shared key and an IV (Initialization Vector) and use them to encrypt the data. The IV is basically an “offset” that tells which part of the pre-shared key is going to be used. The IV is constantly changed with every packet – the down side is the IV is sent along with the data! There are only 16 million possible IVs, once they are used up they begin to repeat. Once a hacker has enough IVs (either duplicates or “weak” IVs the pre-shared key can be “cryptographically calculated” in a matter of seconds. A busy network using WEP can be broken into within a matter of minutes.

Action: Turn on WEP if that’s all you have, better yet if that’s all you have – upgrade your router.

Additional Note: Since WEP doesn’t protect you from Identity Theft on your wireless network, you need the protection of a service like our Wireless Personal Secure.

  1. WPA Encryption.

WPA (Wifi Protected Access) was created to answer the vulnerabilities in WEP. I’ll try to keep this as simple as possible, suffice it to say WPA has some strengths over WEP but in the end can still be broken and shouldn’t be trusted alone.

The full standard couldn’t be implemented with older network cards, and in their “rush” to secure wireless WPA was released without implementing all the security methods. WPA2 is the full implementation of the official WPA standard (802.11i). For the purposes of this article WPA will refer to both WPA and WPA2 from this point forward, we don’t want to muddy the waters with always pointing out their differences and we don’t think for the high-level view of WPA security it’s necessary.

WPA basically starts out as WEP with a larger pre-shared key and a larger IV. There are some other low-level differences between WEP and WPA, and they added EAP (Extensible Authentication Protocol) which allows different manufacturers and cryptography companies to add their own authentication methods to WPA. The problem the general public has with EAP is it takes an additional EAP server to secure the network, so the general public ends up using “standard” WPA.

WPA also suffers from one other weakness that WEP doesn’t have. When the router receives two packets that don’t pass integrity checks (like a hacker just blasting out packets that obviously don’t have the right pre-shared key). This is significant because it (a) causes the wireless router to shut the network down while it “resets” and (b) causes every client to re-join the wireless network. The weakest point of the WPA usage is when clients are connecting. This means a hacker can force a WPA network to continue sending the weakest packets until he’s able to break it.

Action: Use WPA2, and if possible invest in a more secured EAP-based solution.

Additional Note: Since WPA2 can be broken and leaves you vulnerable to Identity Theft on your wireless network, you need the protection of a service like our Wireless Personal Secure.

Hey, have some other security “advice” you’ve been given? Want to run it by the real experts and see if it’s good or not? Drop me a line and we’ll add it to this article!