240 likes | 619 Views
Wireless Security Issues @ Home & Hotspotting Ernest Staats Director of Technology and Network Services (TNS) MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+ erstaats@gcasda.org Resources available @ http://www.es-es.org/
E N D
Wireless Security Issues @ Home & Hotspotting Ernest Staats Director of Technology and Network Services (TNS) MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+ erstaats@gcasda.org Resources available @ http://www.es-es.org/
Information Blowin' in the Wind • Wireless open by default • Wireless networks “broadcast” data into the air • Anyone can receive the broadcast • Certain steps must be taken to protect “users” of wireless networks
Wireless Basics - 802.11 • 2.4 GHz (no license) band • Only 3 non-overlapping channels (in theory) • CSMA-CA (50% overhead) • Half Duplex (talk then listen)
Home Wireless Issues • Not enough bandwidth (when downloading or gaming) • Updates chew-up bandwidth • Co-channel interference (Phones, Microwaves) • Old Firmware (check for updates every quarter) • No Security or worse, they use WEP • SSID broadcast on • Raises your risk factor that someone could obtain personal information or worse
What Could Happen? • Slow down your Internet performance. • View files on your computers and spread dangerous software. • Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords. • Send spam or perform illegal activities with your Internet connection.
Changing Default Settings: • Change the Default logon password and make it long! • All defaults are known and published on the Net • http://www.phenoelit.de/dpl/dpl.html updated Jan 2007 • AP Management Interface • HTTP, SNMP, Telnet • HTTP Login • Linksys: UID=blank PW=admin • DLink: UID=admin PW=blank • Generic: UID=admin PW=admin • SNMP (disable SNMP for home use) • All: PW=public • Change default no Open systems to WPA2 systems for home use a long passphrase
Cell Sizing: • How far is your WIFI signal going? (that is called your cell size) • I can pickup wireless when I go visiting family in ID or CO by just turning on my laptop • Can’t cover whole house? • Repeater • Better antenna • MIMO • 802.11N (if you like Vegas) • Power Setting • The Cell size is usually adjusted by the power setting • Go outside your house and see how far your wireless single is reaching you will be surprised.
SSID Naming: • Identifies network • Helps others identify whether or not you have left default settings on • Broadcast on by default (turn it off) • Once again with the default settings your wireless device broadcasts its name saying “my name is … connect to me • Turning off SSID cloaking is called Cloaking • Avoid naming your SSID a private or personal code (don’t make it your password or your name)
MAC Filtering: • “MAC Filtering” is where you tell your wireless device what other devices can connect to it. • A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made) • Can be spoofed but is still a good option for homes
Obtaining Your MAC Address • WINDOWS NT / 2000 PROFESSIONAL or XP: • After clicking on the Start Button, click on Run. • Once a small black window appears, type in ipconfig /all (with a space between the g and the /). • Locate the number to the right of Physical Address. This is your MAC address. • Macintosh (OS X): • If your computer is running OS X, it is best to have it upgraded to at least 10.1 • From the dock, select "System Preferences". • Select the "Network" Pane • With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres • Linux • On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. • For example: • # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr:131.225.84.67 Bcast:131.225.87.255 Mask:255.255.248.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:15647904 errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300 • The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.
Encryption: • WEP – First Wireless Security • Cracked -- Any middle-schooler can crack your WEP key in short order • WPA • Cracked… but • Key changes • WPA2 • Cracked… but • Harder to crack than WPA • 802.1x • Uses Server to Authorize User • Can be very secure • 802.11i • AES encryption – “Uncrackable”
Wi-Fi Protected Access (WPA) • WPA: WPA stands for Wi-Fi Protected Access. WPA is much better than WEP; we recommend that you put at least WPA on your wireless. It has been cracked, but it takes much longer and is almost not worth the effort. • For “workgroups”, laptop carts, home users, etc. • Keep “secret” long and obscure (set a long passphrase of at least 20 random characters. Better yet, use the full 63 characters by typing a sentence you can remember—just don't make it something that's easily guessed, like a line from a movie.) • Additional weakness in social engineering the “secret”
Wi-Fi Protected Access (WPA2) • WPA2: is very effective for keeping most “normal” people off your wireless. • Changes encryption from RC4 to AES • coWPAtty v4 can attack and crack it • Some hardware may not support it • Firmware upgrade may be necessary • Use it if available
Turn It Off: • The easiest wireless security option. When you don’t need it, TURN IT OFF. • On vacation • After a certain hour at night • Turn OFF access point / wireless router and your laptop’s wireless card (saves your battery life some also) • Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like 10.0.0.x) to prevent computers from being directly reached from the Internet. Assign Static IP Addresses to Devices Or Limit the number of DHCP address your router will give out
Home Wireless Summary • Change default settings -- SSID and passwords • Use WPA or (better WPA2) • Use a MAC filter • Turn off SSID broadcasting • Know how far your wireless signal is reaching • Turn off wireless when not being used for extended time periods & Turn off DHCP or limit DHCP • Disable remote administration • Update Firmware on AP and wireless cards semiannually • Secure your Home machines • Current AV • Firewall (if the wireless router has a firewall option turn it on) • Spyware protection • Auto update Windows • Common Sense (Check the “Secure Your Laptop Section”)
Hot Spot or Public Access • Everything you do can be observed by other people; including your email, logon and surfing. • Etherwatch (driftnet, etherpeg) • Capture and display images • Ethereal, Commview, AirMagnet… • Capture packets and display email, web pages, etc. • Data is unencrypted • Unless an application does it • Your system can be probed to see if someone can get into your laptop
Common Laptop Issues • Most laptop users leave wireless “on” all the time • Peer attack may be possible • Firewall might block • Access to shared folders or administrative share “C$” • \\Name or IP address\c$ • Set WiFi client to “infrastructure”
Secure Your Laptop • Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK • BETTER YET use Another Firewall (i.e. Kerio, Jetico, or Zone Alarm) • Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK • Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK • Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your Administrator User Account, and reset the password
Infrastructure Networks Only • To allow only connections to approved access points: • In Control Panel, double-click Network Connections. • In the Network Connections window, right-click Wireless Network Connection, and then click Properties. • In the Wireless Network Connection Properties dialog box, on the Wireless Networks tab, make sure that the Use Windows to configure my wireless network settings check box is selected. • Under Preferred networks, make sure that the name of the network that you want to connect to is highlighted, and then click Advanced. • In the Advanced dialog box, click Access point (infrastructure) network only, and then click Close. Click OK.
VPN Solutions • AnchorFree'sHotspot Shield, a new free software download. Install it on a Windows 2000 or XP system Paid VPN Solutions • WiTopia's personalVPN, • HotspotVPN (SSL) • JiWire'sSpotLock (IPSec) software. • All charge for the VPN connections they provide, and require installation of a utility on the computer.
Security Tips for Public Hotspots • Use a personal firewall • Use anti-virus software (update daily or hourly) • Update your operating system and other applications (i.e. office. adobe reader) regularly. • Turn off file sharing. • Use Web-based email that employs secure http (https) (beware of some SSL issues though) • Use a virtual private network (VPN). • Password-protect your computer and important files (make sure your administrator account has a good long password). • Encrypt files before transferring or emailing them. • Make sure you're connected to a legitimate access point. • Be aware of people around you. • Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address
TIPS for WIFI at Work • TO keep a work WIFI system so it does not drop users as they move around all vendors have some common suggestions. • Name all your AP's with the same name so if the single gets blocked by an individual standing in front of the AP or in front of another users laptop and they then get a stronger single from another work AP they do not have to re authenticate to the work wireless network. • Make sure all your AP's are on the same subnet if your are doing AD authentication. • Make sure the network is the only one listed on the preferred networks under the wireless tab of the "wireless network connection properties" on the network card adapter settings in control panel.
TIPS for WIFI at Work (cont.) • Also on the wireless tab of the "wireless network connection properties“, click on the advanced tab and: • Make sure it is set on the (Networks to Access) section to only access the Access Point also called (infrastructure) networks only • Then make sure the Automatically connect to non-preferred networks is unchecked • These steps will greatly help you only once these steps are done, and if you still have issues then turning off Windows Zero Config for WIFI might help • Use 802.1x or (better) 802.11i in offices that need secure wireless.