Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wireless Security Home & Hotspotting

Similar presentations

Presentation on theme: "Wireless Security Home & Hotspotting"— Presentation transcript:

1 Wireless Security Issues @ Home & Hotspotting
Ernest Staats Director of Technology and Network Services (TNS) MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+ Resources

2 Information Blowin' in the Wind
Wireless open by default Wireless networks “broadcast” data into the air Anyone can receive the broadcast Certain steps must be taken to protect “users” of wireless networks Since it is wireless anyone can listen to what you’re doing over the wireless because it broadcasts data in the open air. Anyone close enough can listen to whatever you are doing and see any data you are sharing. These next steps will help you better secure your wireless network.

3 Wireless Basics - 802.11 2.4 GHz (no license) band
Only 3 non-overlapping channels (in theory) CSMA-CA (50% overhead) Half Duplex (talk then listen)

4 Home Wireless Issues Not enough bandwidth (when downloading or gaming)
Updates chew-up bandwidth Co-channel interference (Phones, Microwaves) Old Firmware (check for updates every quarter) No Security or worse, they use WEP SSID broadcast on Raises your risk factor that someone could obtain personal information or worse Wireless Networking is one of the nicest features technology has to offer. Being able to move any where in the house or in the office is really nice, but it also comes with some major security vulnerabilities. If someone gets on your WIFI Slow down your Internet performance. View files on your computers and spread dangerous software. Monitor the Web sites you visit, read your and instant messages as they travel across the network, and copy your usernames and passwords. Send spam or perform illegal activities with your Internet connection.

5 What Could Happen? Slow down your Internet performance.
View files on your computers and spread dangerous software. Monitor the Web sites you visit, read your and instant messages as they travel across the network, and copy your usernames and passwords. Send spam or perform illegal activities with your Internet connection.

6 Changing Default Settings:
Change the Default logon password and make it long! All defaults are known and published on the Net updated Jan 2007 AP Management Interface HTTP, SNMP, Telnet HTTP Login Linksys: UID=blank PW=admin DLink: UID=admin PW=blank Generic: UID=admin PW=admin SNMP (disable SNMP for home use) All: PW=public Change default no Open systems to WPA2 systems for home use a long passphrase Most wireless routers today work straight out of the box, all you have to do is plug it in. That’s all nice and easy, but the problem is that wireless routers have a default password and default name. Anyone who can get close enough to your wireless can get on and change wireless settings which could be a real pain because they can lock you out, limit who can get on the wireless and encrypt it making it useless for you. So we highly recommend that you at least change the default password to protect your wireless router.

7 Cell Sizing: How far is your WIFI signal going? (that is called your cell size) I can pickup wireless when I go visiting family in ID or CO by just turning on my laptop Can’t cover whole house? Repeater Better antenna MIMO 802.11N (if you like Vegas) Power Setting The Cell size is usually adjusted by the power setting Go outside your house and see how far your wireless single is reaching you will be surprised. Another setting that should be changed is the cell sizing. There is no point in blasting wireless to your whole neighborhood if you’re the only one you want on the wireless. So when you get the wireless router change the cell size to a smaller size that still covers your house or small business office without broadcasting free internet

8 SSID Naming: Identifies network
Helps others identify whether or not you have left default settings on Broadcast on by default (turn it off) Once again with the default settings your wireless device broadcasts its name saying “my name is … connect to me Turning off SSID cloaking is called Cloaking Avoid naming your SSID a private or personal code (don’t make it your password or your name) In order to connect to a wireless network you need the wireless devices name or SSID. The default names are all the same for each wireless brand so if you leave the name default from the company any passersby will automatically connect because it is a wireless name that windows has connected to before. So changing your SSID name can make it harder for outside people to connect to your wireless. This step goes hand in hand with the next step. If you don’t bother with the next step this step is pretty much worthless other than the fact you changed the name of your wireless. Once again with the default settings your wireless device broadcasts its name saying “my name is … connect to me” This makes the last step you did totally useless. So for this step you should change it so that it doesn’t broadcast that the wireless is there. This is called cloaking, this is so good because if you cloak your wireless and change the name it makes it much harder for others to connect because they have no idea that the wireless is even there. Now this is not perfect and will not totally secure because with the right tools you can make a cloaked wireless device tell you its name anyway but it still adds an extra layer of security. .

9 MAC Filtering: “MAC Filtering” is where you tell your wireless device what other devices can connect to it. A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made) Can be spoofed but is still a good option for homes Inside your device settings you can select this option and then you need to insert the MAC (or hardware number that is card specific so each card is different.) which can be found by popping open the case and locating the sticker on the network card. This step is probably the hardest but one of the most effective because it restricts access based on MAC address which is technically burned into a device. (it can be spoofed but we wont go into that.).

10 Obtaining Your MAC Address
WINDOWS NT / 2000 PROFESSIONAL or XP: After clicking on the Start Button, click on Run. Once a small black window appears, type in ipconfig /all (with a space between the g and the /). Locate the number to the right of Physical Address. This is your MAC address. Macintosh (OS X): If your computer is running OS X, it is best to have it upgraded to at least 10.1 From the dock, select "System Preferences". Select the "Network" Pane With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres Linux On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example: # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr: Bcast: Mask: UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets: errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300 The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA. If you cannot find your MAC address in either the box or on the card, please follow the instructions below, depending on your operating system (Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000 Professional, Win XP, Macintosh OS, Macintosh OS X, Solaris/SunOS, Linux, FreeBSD, or HP). WINDOWS NT / 2000 PROFESSIONAL or XP: Using your mouse, click on the Start Button. Click on Programs. Next, click on Accessories, and then Command Prompt. Once a small black window appears, type in ipconfig /all (with a space between the g and the /). Locate the number to the right of Physical Address. This is your MAC address. or After clicking on the Start Button, click on Run. Type in the word command Click on OK. Once a small black window appears, type in winipcfg. WINDOWS 95/98/ME: In the white space of the window, type in the word winipcfg Click on "OK". Look under the info for the Ethernet adapter. (Your system may also have a modem.) The number next to "Adapter Address" is your MAC address. Macintosh OS (Pre OS X): You will need DHCP to be working on your computer. DHCP allows your computer to have access to the server. In order for DHCP to work on an Apple computer, you must be running system or higher and have Open Transport installed. Once you have made sure your Apple computer is running system or higher, and has Open Transport installed follow the instructions below to find the MAC address of your computer: Click the Apple Menu. Click on "Control Panels" to open your control panels folder. Open the "TCP/IP" control panel Go to the Edit Menu Click on User Mode Change the mode to "Advanced" and click "OK". Click on the "Info" button The Hardware address is your MAC address Macintosh (OS X): If your computer is running OS X, it is best to have it upgraded to at least 10.1 From the dock, select "System Preferences". Select the "Network" Pane With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres Solaris/SunOS On Solaris and SunOS systems, the ethernet device is typically called le0 or ie0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example: # ifconfig -a le0: flags=863 <UP,BROADCAST,NOTRAILERS,RUNNING> inet netmask ffffff00 broadcast ether 8:0:20:f:c2:f8 Note: Solaris and SunOS strip off the leading 0 commonly included in the MAC address. In the case of this machine, the MAC address is 08:00:20:0f:c2:f8 Linux On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example: # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr: Bcast: Mask: UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets: errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300 The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.

11 Encryption: WEP – First Wireless Security
Cracked -- Any middle-schooler can crack your WEP key in short order WPA Cracked… but Key changes WPA2 Harder to crack than WPA 802.1x Uses Server to Authorize User Can be very secure 802.11i AES encryption – “Uncrackable” WEP: WEP stands for wired equivalent privacy. WEP is pretty old and has more holes than Swiss cheese. WEP is just about worthless other than it can keep your average Joe redneck from getting on. Anyone with a hacking tool can get on your wireless in seconds defeating the whole purpose. Any middle-schooler can crack your WEP key in short order Steps: Collect a lot of packets (500k-1 million) Use Aircrack (or others) Reveals WEP key in seconds With Key, All Data is Visible

12 Wi-Fi Protected Access (WPA)
WPA: WPA stands for Wi-Fi Protected Access. WPA is much better than WEP; we recommend that you put at least WPA on your wireless. It has been cracked, but it takes much longer and is almost not worth the effort. For “workgroups”, laptop carts, home users, etc. Keep “secret” long and obscure (set a long passphrase of at least 20 random characters. Better yet, use the full 63 characters by typing a sentence you can remember—just don't make it something that's easily guessed, like a line from a movie.) Additional weakness in social engineering the “secret” Weakness in initial exchange Capture four-way handshake Use protocol analyzer or Airodump Run coWPAtty from a DOS prompt coWPAtty Performs dictionary attack Success depends on weakness of WPA password Could take minutes, hours, days PC speed and completeness of dictionary are important

13 Wi-Fi Protected Access (WPA2)
WPA2: is very effective for keeping most “normal” people off your wireless. Changes encryption from RC4 to AES coWPAtty v4 can attack and crack it Some hardware may not support it Firmware upgrade may be necessary Use it if available It is set up so that the data is encrypted and the encryption is changed every few transmissions making it more difficult to crack.

14 Turn It Off: The easiest wireless security option. When you don’t need it, TURN IT OFF. On vacation After a certain hour at night Turn OFF access point / wireless router and your laptop’s wireless card (saves your battery life some also) Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like x) to prevent computers from being directly reached from the Internet. Assign Static IP Addresses to Devices Or Limit the number of DHCP address your router will give out

15 Home Wireless Summary Change default settings -- SSID and passwords
Use WPA or (better WPA2) Use a MAC filter Turn off SSID broadcasting Know how far your wireless signal is reaching Turn off wireless when not being used for extended time periods & Turn off DHCP or limit DHCP Disable remote administration Update Firmware on AP and wireless cards semiannually Secure your Home machines Current AV Firewall (if the wireless router has a firewall option turn it on) Spyware protection Auto update Windows Common Sense (Check the “Secure Your Laptop Section”) Tip: Write down your passwords on a piece of paper and store them in your home safe if you have one. If you don't have a home safe, store your passwords with your other important family documents. Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network: 1) Secure your wireless router or access point administration interface  Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all.  As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings which will wipe away any configuration changes you've made.  2) Don't broadcast your SSID Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectible by WLAN "sniffers").  3)Enable WPA encryption instead of WEP 's WEP (Wired Equivalency Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support is built into Windows XP (with the latest Service Pack) and virtually all modern wireless hardware and operating systems. A more recent version, WPA2, is found in newer hardware and provides even stronger encryption, but you'll probably need to download an XP patch in order to use it.   4) Remember that WEP is better than nothing  If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices like media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because in spite of it's flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don't use an encryption key that's easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often-- preferably every week.   See this page if you need help getting WEP to work. 5) Use MAC filtering for access control  Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be "spoofed" (imitated) by a knowledgable person, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump.  6) Reduce your WLAN transmitter power You won't find this feature on all wireless routers and access points, but some allow you lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial-and-error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN.  7) Disable remote administration Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.)

16 Hot Spot or Public Access
Everything you do can be observed by other people; including your , logon and surfing. Etherwatch (driftnet, etherpeg) Capture and display images Ethereal, Commview, AirMagnet… Capture packets and display , web pages, etc. Data is unencrypted Unless an application does it Your system can be probed to see if someone can get into your laptop All wireless LANs have security issues, but wireless hot spots raise unique concerns. As with any wireless LAN, signals can penetrate walls and ceilings. That means that anyone in range with a standard wireless card can connect, even if they're sitting out in the parking lot. Hot-spot services are designed for maximum ease of use, so they generally don't offer WEP or WPA encryption; if you connect to a hot spot, just about all the data you send is probably unencrypted. Since wireless LANs allow peer-to-peer connections, the computer-savvy guy at the corner table may be able to connect to your notebook and mooch your Internet connection, look at your unprotected files, or hitch a ride as you connect to your corporate LAN. He can also eavesdrop the airwaves with one of the many wireless sniffers available on the Web and watch as you unintentionally reveal your corporate network log-on information, your credit card numbers, IP addresses of your connections, and even the contents of s, instant messages, and file attachments. Anyone with malicious intent can do lots of damage with this information, both to you and the company that employs you. And of course, you're vulnerable to the same viruses, worms, and other attacks as you would be on any unprotected network. So what can you do? Here are several ways you can protect yourself. • Disable your wireless card's ad-hoc (peer-to-peer) mode. You can do this via the adapter's utilities or within Windows XP by clicking on Network Connections in the Control Panel. This will help prevent anyone from connecting to your notebook. • Remove or disable your wireless card if you're working offline. • Install a personal firewall. Windows XP offers the rudimentary Internet Connections Firewall, but more advanced personal firewall products, such as Symantec's Norton Internet Security and Zone Labs' ZoneAlarm, can prevent others from accessing your notebook and even alert you when an attempt is made. • Install personal antivirus software from McAfee, Symantec, or another antivirus vendor, and enable automatic signature updates. • Take advantage of your client's security features, particularly digital signatures and encryption. Digital signatures verify your identity to your recipients and ensure that messages are not tampered with during transmission. Microsoft Outlook lets you add digital signatures to messages and encrypt messages and attachments using S/MIME. If you're using a Web-based service, make sure it offers some type of encryption. Be aware, however, that in many cases with such services only the log-on information is encrypted, while text is sent in the clear. You may want to use third-party encryption utilities, such as PGP Corp.'s PGP Personal, which offers digital signatures and strong encryption for messages and attachments, as well as for files stored on your computer. • Make sure you submit credit card information only to SSL-protected Web sites (look for https:// in the address bar). • For the best protection, use a virtual private network (VPN) to provide strong authentication and encryption for all your hot-spot communications. This is particularly important if you're connecting to your company's network, in which case you'll probably get VPN client software from your IT manager. Small-business users can install VPN-enabled firewall and router appliances from Netgear, SonicWall, 3Com, or Watchguard at the office or use one of the many small-business VPN services available, for example, from Sprint or Verio. Individual users can take advantage of inexpensive consumer VPN services such as HotSpotVPN ( Or they can limit themselves to protected hot spots, such as those from EarthLink and others that make up the Boingo Wireless network. • Keep your OS and software up to date with security patches. Before you use a Wi-Fi hot spot, mobile users need to take some precautions to ensure they are safely and securely connecting to their corporate network or to the Internet. Is your mobile gear secure enough to be using a hot spot? Install a Firewall Anytime you use your mobile gear on the road and especially in hot spots, make sure you have installed firewall software. Hot spots aren't secure access points and mobile workers need to take responsibility for their own security. Hot Spot Security Precautions Personal Firewall Software Disable Wi-Fi Ad-hoc Mode You should only allow access point networks that you have created using your Wi-Fi software or you can use network connections in Windows XP. Don't allow instant network connections that you have not approved of or are aware of. When in a hot spot you may pick up other Wi-Fi networks that you do not want to access or allow access to your laptop. Disable ad-hoc mode before entering a hot spot. Definition of ad-hoc mode Definition of access point How to create a network connection in WinXP Use a VPN When connecting to a corporate network mobile users should use their company VPN. This provides additional security for your gear. Working in a hot spot can create new risk exposures and the potential for your data to be comprised. Disable File & Printer Sharing When using a Wi-Fi hot spot, mobile users don't need to have their laptops file and printer sharing enabled. Leaving this enabled while using a hot spot leaves you vulnerable to hackers. This is another item that should be disabled before entering a hot spot. How To Disable File & Printer Sharing Turn It Off When mobile users aren't connected to a Wi-Fi hot spot, they should turn off their wireless devices. If you are working but don't wish to be connected, remove the Wi-Fi card. In Centrino-based systems there should be a manual switch to turn Wi-Fi off. You can disable the connection using the Wi-Fi software. To shutdown Wi-Fi in a Palm you hold down the Globe logo wireless navigation button. This will also save your battery in a Palm. Don't Advertise Your Wi-Fi When mobile users are in public areas such as a hot spot, it is not the time to brag to strangers about your Wi-Fi capabilities. Always be discreet when working and don't let others view your work. You could end up making yourself and your mobile gear a target for theft. Make Folders Private Making your folders private on your laptop will make it less appealing for a hacker to try and gain access to your documents. In a hot spot you don't know who is working around you or who might be attempting to access your laptop. How to make folders private in WinXP Password Protect Your Files Another step to securing your data and making your work a less desirable target is to password protect specific files. There are a variety of software programs available which can provide you with password protection and the added peace of mind that it will bring. Remember to password protect any important files before using a hot spot. 1. Make sure you're connected to a legitimate access point! This first step is probably the least obvious, but one of the most important. Rogue access points in public areas have been springing up that have the same SSID as what you'd expect (such as "Wayport" or "tmobile"), but really connect directly to hijackers' databases to collect the passwords and usernames you use to sign in. Even worse, they can collect credit card data from people who sign up for new accounts. So don't connect in places where there is no sign for a legitimate provider, and check the list of available SSIDs to make sure you are connected to the right one. Don't set your wireless card to connect automatically to any available network. Turn off the ad-hoc mode (which lets other clients connect directly to you!). And turn off your Wi-Fi card entirely as soon as you are done. 2. Encrypt sensitive data. As you beam s from your laptop to the wireless access point and back, or as you enter your username and password to check your bank account balances someone nearby can be intercepting those packets of data as they fly by. Much of the information -- even information that you might think should be encrypted -- is sent in clear text. That means that the person intercepting those packets may be able to read your s or learn your passwords. Allume Stuffit Deluxe While data sent to and from secure Web sites (those starting with https:) is generally protected, you can also use encryption in other contexts. If you are sending a sensitive file via , for example, encrypt it first with a password. Most file compression programs, such as Allume's StuffIt Deluxe, offer encryption, and there are numerous freeware and shareware encryption programs as well. 3. Use a Virtual Private Network. One of the best ways to protect your data when using a public wireless network or hotspot is to use a virtual private network (VPN), such as JiWire SpotLock. A VPN establishes a private network across the public network by creating a tunnel between the two endpoints so that nobody in between can intercept the data. Many companies allow remote users to connect to corporate networks as long as they use VPN. This keeps the users' communications just as secure as if they were sitting at a desk in the building. If you don't have a corporate VPN, you can be secure at any hotspot using JiWire SpotLock. SpotLock's IPSec VPN is supported by almost all wireless routers, both public and private, and SpotLock also includes full Wi-Fi connection management. Top 10 Security Tips for Public Hotspots Make sure you're connected to a legitimate access point. Encrypt files before transferring or ing them. Use a virtual private network (VPN). Use a personal firewall. Use anti-virus software. Update your operating system regularly. Be aware of people around you. Use Web-based that employs secure http (https). Turn off file sharing. Password-protect your computer and important files. 4. Use a personal firewall. When you connect to a public wireless network you are joining a local network with other unknown computers. Having these computers on the same IP subnet makes them more dangerous than machines elsewhere on the Internet. Machines in your network and subnet range are able to more easily capture traffic between your computer and the wireless access point or attempt to connect with your computer and access your files and folders. To protect your computer you should run a personal firewall program. There are many excellent choices. Some, such as Zone Labs ZoneAlarm, Kerio's Personal Firewall, and the built-in Windows XP Firewall are available for free for home or personal use. You should not install them on your corporate laptop, however, without purchasing the proper licensing or consulting your IT manager. Security software vendors such as Symantec and McAfee also make commercial personal firewall products. A personal firewall will help you restrict the traffic allowed in and out of your computer. This protects you not only from attacks that originate outside of your network, but also those from other computers on the same network. Personal firewall software generally monitors both incoming and outgoing traffic, as well as applications trying to interact with other system processes or with the operating system. Should your computer somehow become compromised with a Trojan horse or backdoor program, a personal firewall application should flag the unusual communication attempts and alert you. Make sure you take the time to familiarize yourself with the product you choose and configure it properly to get the maximum protection without getting in the way of legitimate traffic and applications. 5. Use anti-virus software. When you are on your home network or even on your company network you can operate with a fair assurance that the other machines on the network with you are at least as protected as yours is against viruses and other malicious code. When you connect to a public network you have no such assurance. Suddenly it is more important than ever to have antivirus software installed. Of course, antivirus software is only as good as its last update. If you updated your antivirus software a month ago there are probably at least 10 and maybe 50 or more new viruses, worms and other malware that you aren't protected against. Make a special effort to go to the vendor's Web site and download the latest update any time you hear about a new high-risk or fast-spreading threat, and take advantage of the auto-update features now found in most such programs. 6. Keep your OS and apps up to date. It seems that almost every week there's a new "security patch" for various parts of the Windows operating system or Office programs. And it's not just Microsoft. Apple has its own fair share of security updates, as do most utility and business software vendors. Most of the malicious viruses and worms that have plagued users recently spread through , so be especially cautious about opening attachments. Windows users should enable Automatic Updates or visit the Windows Update site to scan your system and identify patches you may be missing. Mac OS users should enable the automatic Software Update feature in System Preferences; and Linux/UNIX users can visit sites such as Bugtraq or subscribe to receive bulletins and alerts from the Department of Homeland Security's US-CERT. 7. Be aware of people around you. When you're at an ATM, you make sure noone can see you type your PIN. Be just as careful about typing in your name and password at a Starbucks. You pay big bucks for your T-Mobile access! 8. Use Web-based when you're connecting at a public hotspot, instead of Outlook, Eudora, or Apple Mail. Most ISPs these days let you send and receive via a Web interface as well as downloading it into your program. These Web sites generally use secure sockets layer (SSL) or other security protocols, which protect your data while it's being transmitted. 9. Make sure file sharing is off! On home networks, file sharing is frequently used to copy files back and forth between computers. On a public network, this is the last thing you want to have on, for obvious reasons. If necessary, put a sticky note on the edge of your computer screen reminding you to turn it off before you close your laptop. Just don't write your passwords on the same sticky note... 10. Use passwords for personal data. Our final tip: use strong passwords for sensitive files and folders, as well as for access to your computer as a whole. This is especially important for mobile warriors whose laptops are attractive theft targets. Consider keeping your most important data on an encrypted USB keychain storage device, so even if you lose your portable, you won't lose your presentation or

17 Common Laptop Issues Most laptop users leave wireless “on” all the time Peer attack may be possible Firewall might block Access to shared folders or administrative share “C$” \\Name or IP address\c$ Set WiFi client to “infrastructure”


19 Secure Your Laptop Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK BETTER YET use Another Firewall (i.e. Kerio, Jetico, or Zone Alarm) Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your Administrator User Account, and reset the password

20 Infrastructure Networks Only
To allow only connections to approved access points: In Control Panel, double-click Network Connections. In the Network Connections window, right-click Wireless Network Connection, and then click Properties. In the Wireless Network Connection Properties dialog box, on the Wireless Networks tab, make sure that the Use Windows to configure my wireless network settings check box is selected. Under Preferred networks, make sure that the name of the network that you want to connect to is highlighted, and then click Advanced. In the Advanced dialog box, click Access point (infrastructure) network only, and then click Close. Click OK.

21 VPN Solutions Paid VPN Solutions
AnchorFree's Hotspot Shield, a new free software download. Install it on a Windows 2000 or XP system Paid VPN Solutions WiTopia's personalVPN, HotspotVPN (SSL) JiWire's SpotLock (IPSec) software. All charge for the VPN connections they provide, and require installation of a utility on the computer. WiTopia and HotspotVPN support the Mac OS; HotspotVPN also handles Palm and Pocket PC handhelds. SpotLock's utility (Windows 2000 and XP only) doubles as a Windows WLAN connection manager and incorporates the JiWire hotspot directory.  

22 Security Tips for Public Hotspots
Use a personal firewall Use anti-virus software (update daily or hourly) Update your operating system and other applications (i.e. office. adobe reader) regularly. Turn off file sharing. Use Web-based that employs secure http (https) (beware of some SSL issues though) Use a virtual private network (VPN). Password-protect your computer and important files (make sure your administrator account has a good long password). Encrypt files before transferring or ing them. Make sure you're connected to a legitimate access point. Be aware of people around you. Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address If you are using a browser, verify that it is using SSL to validate the T-Mobile HotSpot network via server-side authentication Ensure that any website to which you are transmitting sensitive personal or financial information uses SSL technology. To confirm that a website is using SSL: Look for the "https://..." in the URL address Look for a closed padlock (or key) icon in the bottom right-hand corner of your Internet browser as indicators you are accessing a secure site Do not ignore security warnings from the browser Inspect the Web site address in your browser's URL field to ensure you are communicating with the correct, secure Web site Use VPNs and personal firewalls Use anti-virus software and keep the software updated Be aware that others may be able to look "over your shoulder" to see your login, credit card, or other personal information while using the service. The use of a privacy screen on your computer screen may help prevent others from seeing what is on your computer. Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address Avoid using web-based or instant messaging that uses clear (unencrypted) text to send information you deem confidential Remove or disable your wireless card if you are working offline on your computer and you are not planning to connect to the HotSpot service

23 TIPS for WIFI at Work TO keep a work WIFI system so it does not drop users as they move around all vendors have some common suggestions. Name all your AP's with the same name so if the single gets blocked by an individual standing in front of the AP or in front of another users laptop and they then get a stronger single from another work AP they do not have to re authenticate to the work wireless network. Make sure all your AP's are on the same subnet if your are doing AD authentication.  Make sure the network is the only one listed on the preferred networks under the wireless tab of the "wireless network connection properties" on the network card adapter settings in control panel.

24 TIPS for WIFI at Work (cont.)
Also on the wireless tab of the "wireless network connection properties“, click on the advanced tab and: Make sure it is set on the (Networks to Access) section to only access the Access Point also called (infrastructure) networks only Then make sure the Automatically connect to non-preferred networks is unchecked These steps will greatly help you only once these steps are done, and if you still have issues then turning off Windows Zero Config for WIFI might help Use 802.1x or (better) i in offices that need secure wireless.

Download ppt "Wireless Security Home & Hotspotting"

Similar presentations

Ads by Google