| Wireless Security for Everyone |
|
|
|
| Written by Justin Furniss | |||||
| Thursday, 19 January 2006 | |||||
Page 1 of 3 A short article on wireless security in general. Meant to help just about anyone!Wireless Security for EveryoneWhy should you listen to me? My job is to be a hacker, but a good (as in nice) one. I have the skills that the bad guys have but I choose to help people. Not entirely out of good nature mind you, it is a lot of fun for me to do what they do at times. To make this article easier to read I will jump into the bad guy hacker role to offer some insight. I will start by talking a bit about what you can do for your home network, then to your hotspots. The purpose of this article is not to scare everyone out there into calling their bank for the first time since they could auto-bill-pay; the purpose is to make you aware of your current threat level and hopefully help you become more secure. Home sweet homeOnce the average computer user experiences the convince of wireless networking it becomes a very difficult luxury to live without. Now we can check out CNN.com on our front porch, download the latest American Idol track on the kitchen table, and my personal favorite Google on the ‘John’. How could such a wonderful innovation to an already wonderful technology have downsides? The truth is that for the users of wireless technologies there have been more downsides than upsides in the past.Let’s think way back before wireless, when the only networking you knew of was the wire that was plugged into your computer at work. That wire provided a very obvious sense of security for the company’s network in that: if the company only wanted 3 people to connect to their network they handed out 3 network cables to 3 people. Wireless is more like laying out thousands of cables over a 2 block radius, tagged as belonging to ‘Widgets ABC’, and as an added incentive, attaching a brochure offering free internet access. Let’s start off by talking about what is likely in your home. If you have wireless then you almost definitely have a wireless router. They are usually the same box. The wireless router will often be plugged into your cable modem or DSL line on one end and wired computers on the other if there are any. Due to the simple topology listed above, wireless and wired computers can share the Internet connection through a common device. The common device (your wireless router) means that people connected to your wireless network can talk to your wired computers and vise versa. Not so sweet wireless homeMost home networks use the settings of their wireless routers that were set in the factory that they came from, completely wide open. This should come as no surprise if a friend or family member has brought over a laptop and connected up with no problems. No “Who are you and what are you doing here?” but rather a welcome sign.[…enter the bad hacker me…] I am driving through your neighborhood with my laptop on my passenger seat. Every quarter mile I drive I hear 10 to 15 chirps coming from the laptop as it finds the networks of almost everyone in the neighborhood. I stop in a dimly lit place to gather as little attention as possible and decide to flex my muscles. From where I stop I can see three networks, two of which are using no forms of encryption or authentication. Ennie-minii-mineeee… I connect to your network because it is the low hanging fruit, it isn’t encrypted. From this point, I can attack your computers in the house that are connected—Almost never a challenge. No scrolling lines of green code over a black terminal here; you didn’t update your computer in the last 5 weeks which allows me to exploit a vulnerability that has been publicly available for a month. I am now the administrator of your computer so I install a piece of software which silently hides in the background and on a daily basis sends every key you type, your emails, and whatever else I want to my computer at home. Once I get your passwords, credit card numbers, and personal emails, I will politely remove the bad software from your computer leaving little means of tracing it to me… [ …good guy again…] Wow I get nasty don’t I? Well it was easy, even easier than most people think. In fact I didn’t do anything that would actually gain the respect of real hackers, in the example above I would have just downloaded some tools and run them. These are tools that just about any computer user could use. The important thing to get out of the episode above is the home network which I instantly ruled out. I ruled that network out because it was encrypted, requiring me to know the password in order to join. I wasn’t looking for a couple hours of work, just an easy fix. Setting up encryption on a wireless network is not difficult but if you are a beginner to novice computer user I recommend finding a good site online or asking a techie in the family. I will not get into the different forms of encryption but it is important to pick the right ones. WEP, the first widely used form of encryption has many flaws and can be broken into in a matter of 30-60 minutes. Use WPA and TKIP if possible, they are both just as easy to use and are what I use on my home network. I will spare you of the evil hacker breaking into the WEP encrypted network as this article is getting long enough as it is. Coffee Breaks and WirelessBless the saint that brought together wireless Internet access and caffeine hubs.They really seem to go together don’t they…Oh no….I can’t fight him offff… […enter the bad hacker me… ] When I hit the coffee shop I don’t order a cappuccino grande latté, I order things with your credit cards! I don’t even need to break into innocent coffee drinker’s computers here (of course I can if I want to), it is much more efficient for me just listen in on every web site that is hit, even if it is encrypted with that stupid yellow lock in the bottom right corner… […good me popping out really quick…] Did the bad me just imply that SSL encrypted sites like my bank’s, credit card company’s, and favorite online store’s are not secure? Yes and for good reason. Your conversations with their servers are not secure if I am connected to the same network as you. It is very easy to listen to your ‘secure’ conversations. Why is this not well known to the non tech people out there? I don’t know! It’s so simple to detect when someone is listening, if you try to go to any reputable site like a bank or any online merchant you should never be prompted with a window which looks like the one below.  The ‘no’ option is selected by default but our instinct is to click yes for some reason. […bad me again…] After spending the last several hours in the coffee shop, quietly in the corner dressed like anyone else, I go home and review all of the juicy information I collected and start spending your money! […good me…] Wireless hotspots are rich fertile fields for hackers to graze, sharpening skills and stealing information/identities. By the way, hotels are no different. The above attack I pulled off is again a fairly simple one. Free tools that can be downloaded, a few clicks here and there, and you’re mince meat. Ok, but how can your safely use a wireless hotspot? There really is only one effective security measure and that is to use VPNs. A VPN is a Virtual Private Network. If Dorothy from the wizard of OZ found herself missing home nowadays, she could avoid the whole barbaric shoe tapping approach and just fire up her VPN connection and she would suddenly be there. VPNs use a strong method of encryption and virtually place your computer on another network. Normally people who work from home or travel often use VPNs to connect up to the office when away. If you don’t have access to a VPN service you can sign up for personal ones. Personal VPN services are popping all over the web because of the problem depicted in the coffee shop. Again it is best to ask a techie if available or do some research. ConclusionHopefully you’re not terrified at this point to use wireless ever again. Whatever the result, it is important to know when you are at risk and just how exposed you are. Some basic lessons to be learned from this article would have to be to:
If you can’t find answers to any questions then ask a techie friend or family member. |
|||||
| Last Updated ( Wednesday, 16 May 2007 ) | |||||