Client-Side Concerns, by Robert Chapin
These are truly perilous times for technology consumers. Just today I helped a neighbor recover from acute malware infestation of his computer. I did this as a favor because he was helpless to fix it himself.
As threats from the public Internet increase and the cost of a new computer falls, end users are coming close to a "totaled" system every time security is breached. I see a point in the near future where data security and recovery alone cost more than replacing the failed hardware itself.
Proactive security is the only hedge against reactive security. A couple years ago, this meant: #1 don't trust software from strangers and #2 don't trust public networks. However, recent blunders by major technology companies have turned the security world on its head. Proactive security now means: #1 don't trust your own operating system and #2 don't trust your own network.
The biggest concern with wireless networking trust is this: Client computers do not authenticate the access point they are connected to. That is to say, nothing can prevent someone from impersonating your home wireless router, like cloning a cell phone. If you boot up a laptop in your bedroom and surf to your bank's website, how do you know you are connected to the Internet through your own wireless router? In fact, with current technologies, you don't know this for sure.
Wireless security must begin at the client. A firewall needs to be installed and enabled on every computer that uses a wireless networking adapter. This firewall protects the operating system from many threats on the public Internet, as well as many threats from the cloning attack on an access point.
End-to-end encryption is another valuable component of airwave security. Growth of hot spot Internet sites and the emergence of BPL are cause to rethink the treatment of unsecured access points as routine onramps. Think about this the next time you look at your checking account balance on your computer. If the bank's website uses SSL, then the networking equipment is not even involved in the security process. The network is subjugated to that process, and that is ideal because SSL is widely accepted for this purpose.
A solution even more robust would involve a secure "tunnel" between the client and a remote router, called a VPN server. This can be convenient for accessing a home network remotely, but it can also add headaches to the network configuration.
The wireless router setup is also important, and it is much more involved than stone5150 would have us believe. First, I must point out the default frequency channel selected by the router absolutely matters. Depending on how many access points your neighbors have set up, you could encounter a large amount of interference from their nearby signals, decreasing the speed at which you can transfer files. Since channels 6 and 7, for example, are not distinct frequencies like on a radio, they can interfere with each other. Each channel bleeds over to 4 channels above and below, so I recommend using this channel chart as a reference.
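An added example, not part of the original article: the sketch below models the overlap rule described above and picks the least-interfered channel from a site survey. The 22 MHz signal width, the linear overlap weighting and the survey values are assumptions of this example.

```python
# Added example: 2.4 GHz channel overlap and selection (simplified model).
SIGNAL_WIDTH_MHZ = 22  # assumption: 802.11b-style 22 MHz-wide signal


def center_mhz(channel):
    """Center frequency of 2.4 GHz channels 1-13 (5 MHz apart)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported channel: {channel}")
    return 2407 + 5 * channel


def overlaps(a, b):
    """True when two channels' signals share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < SIGNAL_WIDTH_MHZ


def interference_score(candidate, survey):
    """Sum neighbour power (linear mW) weighted by fraction of shared spectrum."""
    score = 0.0
    for channel, signal_dbm in survey:
        separation = abs(center_mhz(candidate) - center_mhz(channel))
        if separation < SIGNAL_WIDTH_MHZ:
            shared = 1 - separation / SIGNAL_WIDTH_MHZ
            score += shared * 10 ** (signal_dbm / 10)
    return score


def best_channel(survey, allowed=range(1, 12)):
    """Lowest-scoring allowed channel; ties go to the lower channel number."""
    return min(allowed, key=lambda ch: (interference_score(ch, survey), ch))


# Constructed survey of neighbouring access points: (channel, signal in dBm).
SAMPLE_SURVEY = [(6, -45), (7, -60), (11, -70)]

if __name__ == "__main__":
    for ch in range(1, 12):
        print(ch, f"{interference_score(ch, SAMPLE_SURVEY):.2e}")
    print("best channel:", best_channel(SAMPLE_SURVEY))
```

With this model, channels up to 4 apart overlap and channels 5 apart do not, which matches the bleed-over described above.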
Second, the WEP security scheme selected for The Wireless Revolution was not a good choice for most scenarios. It offers little more than obfuscation of the raw data being transmitted. On that note, my colleague, David Runion, has more to say about the pros and cons of various wireless security schemes for access points.
Robert Chapin is President of Chapin Information Services, a Michigan IT business recently involved in security defect detection at Yahoo Music and catastrophe recovery in Florida. He also holds the MS Access Master status at Experts-Exchange.com. http://www.info-svc.com/
Access Point Concerns, by David Runion
WEP is a fraud. The acronym stands for Wired Equivalent Privacy, which is an outright lie no matter how secure it is, but the technology is so flawed that its continued use constitutes a fraud upon the unsuspecting public. All traffic going across the wireless link is encrypted, but flaws have been discovered in its implementation. While the vulnerability started as a pinprick, time has widened it to what is now a sizeable hole.
If you use WEP, I can decrypt your access key in 10-20 minutes. After decrypting that key, I can capture the traffic generated by your computer. With that traffic, I can find passwords, credit card data, and personal information. I can see everything you send or receive, just the same as you can. But it gets worse.
Not only can I see what traffic is sent over that wireless link, I can affect the traffic in any way I desire. I can re-route your secure connections through my computer, secretly decrypting traffic between you and the computer you are supposedly communicating with securely. The time between finding a WEP-encrypted router and getting complete access to everything on your computer can be less than an hour. It's bad.
Some people suggest MAC filtering. Your router probably supports this. Essentially, your laptop's wireless network card has a unique ID. Your router can be configured to only accept connections from that unique ID. But this technique is also flawed. Anyone who can break your WEP key can also change their MAC address and clone your computer, just as they can clone your router.
Some suggest turning off the SSID broadcast, commonly known as the beacon. This makes your router "stealth". But while this may cut down on the likelihood of being casually detected, there are 3 other ways that your router can be discovered remotely.
There is a solution for router security, and its name is Wireless Protected Access (WPA).
WPA uses a different kind of encryption key. It isn't perfect, but it is much better than WEP. WPA usually works by encrypting your communications with a "pre-shared key". This is a key that both the router and the wireless client know ahead of time, like a password. Anyone who knows this password can decipher the data between the client and the router.
It is important to choose a good password. There are only two things that determine whether the password is good or bad. First is the length of the password, which is recommended to be a minimum of 20 characters. Second, the password should not be a dictionary word. If your password is a sentence over 20 characters, and not one that would be easily guessed, then you can be reasonably assured that your key will be safe.
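An added example, not part of the original article: a check of a candidate passphrase against the two rules above, followed by the standard WPA pre-shared key derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which shows that the key depends on nothing but the passphrase and the network name. The word list, the SSID and the sample passphrases are constructed for this example.

```python
import hashlib

MIN_RECOMMENDED_LEN = 20  # the article's recommended minimum length

# Constructed sample list; a real check would load a full dictionary file.
SAMPLE_WORDLIST = {"password", "letmein", "wireless", "internet", "linksys"}


def passphrase_problems(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return a list of reasons the passphrase is weak or invalid (empty if none)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("WPA passphrases must be printable ASCII")
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        problems.append(f"shorter than {MIN_RECOMMENDED_LEN} characters")
    # Ignore digits/punctuation tacked onto either end of a dictionary word.
    core = passphrase.lower().strip("0123456789!?.")
    if core in wordlist:
        problems.append("based on a dictionary word")
    return problems


def derive_psk(passphrase, ssid):
    """256-bit WPA pre-shared key derived from passphrase and SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    for candidate in ("password1", "my neighbour's cat naps at noon"):
        issues = passphrase_problems(candidate)
        print(repr(candidate), "->", issues or "ok")
    # "ExampleHomeNet" is a constructed SSID.
    print(derive_psk("my neighbour's cat naps at noon", "ExampleHomeNet").hex())
```

Because the derivation has no other secret input, a short or dictionary-based passphrase is the only thing standing between a listener and the key.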
If you are a wireless network user, you must configure and use WPA. If your router doesn't support it, check the manufacturer's website for a firmware upgrade, or turn off the wireless link. Routers can almost always be upgraded to support WPA, and if the manufacturer is reputable they should provide it for their customers. If your router cannot be upgraded to support WPA, you should buy a new router. Many can be had for $40 or less these days. I suggest the Linksys WRT54G. Similarly, if your wireless adapter does not support WPA, then you should consider a new one of those as well.
David Runion lectures at venues sponsored by CompuMaster, and specializes in OS and wireless security. His clients include public and government security firms. He also holds an MCSE on Windows 2000. http://runion.cc/