Presentation on theme: "Wireless Security Home & Hotspotting Ernest Staats Director of Technology and Network Services (TNS) MS Information Assurance, CISSP, MCSE, CNA,"— Presentation transcript:
Wireless Security Issues @ Home & Hotspotting Ernest Staats Director of Technology and Network Services (TNS) MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+ firstname.lastname@example.org Resources available @ http://www.es-es.org/http://www.es-es.org/
Information Blowin' in the Wind Wireless open by default Wireless networks broadcast data into the air Anyone can receive the broadcast Certain steps must be taken to protect users of wireless networks
Wireless Basics - 802.11 2.4 GHz (no license) band Only 3 non-overlapping channels (in theory) CSMA-CA (50% overhead) Half Duplex (talk then listen)
Home Wireless Issues Not enough bandwidth (when downloading or gaming) Updates chew-up bandwidth Co-channel interference (Phones, Microwaves) Old Firmware ( check for updates every quarter ) No Security or worse, they use WEP SSID broadcast on Raises your risk factor that someone could obtain personal information or worse
What Could Happen? Slow down your Internet performance. View files on your computers and spread dangerous software. Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords. Send spam or perform illegal activities with your Internet connection.
Changing Default Settings: Change the Default logon password and make it long! All defaults are known and published on the Net http://www.phenoelit.de/dpl/dpl.html updated Jan 2007 http://www.phenoelit.de/dpl/dpl.html AP Management Interface HTTP, SNMP, Telnet HTTP Login Linksys: UID=blank PW=admin DLink: UID=admin PW=blank Generic: UID=admin PW=admin SNMP (disable SNMP for home use) All: PW=public Change default no Open systems to WPA2 systems for home use a long passphrase
Cell Sizing: How far is your WIFI signal going? (that is called your cell size) I can pickup wireless when I go visiting family in ID or CO by just turning on my laptop Cant cover whole house? Repeater Better antenna MIMO 802.11N (if you like Vegas) Power Setting The Cell size is usually adjusted by the power setting Go outside your house and see how far your wireless single is reaching you will be surprised.
SSID Naming: Identifies network Helps others identify whether or not you have left default settings on Broadcast on by default (turn it off) Once again with the default settings your wireless device broadcasts its name saying my name is … connect to me Turning off SSID cloaking is called Cloaking Avoid naming your SSID a private or personal code (dont make it your password or your name)
MAC Filtering: MAC Filtering is where you tell your wireless device what other devices can connect to it. A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made) Can be spoofed but is still a good option for homes
Obtaining Your MAC Address WINDOWS NT / 2000 PROFESSIONAL or XP: After clicking on the Start Button, click on Run. Once a small black window appears, type in ipconfig /all (with a space between the g and the /). Locate the number to the right of Physical Address. This is your MAC address. Macintosh (OS X): If your computer is running OS X, it is best to have it upgraded to at least 10.1 From the dock, select "System Preferences". Select the "Network" Pane With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres Linux On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example: # ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr:22.214.171.124 Bcast:126.96.36.199 Mask:255.255.248.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:15647904 errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300 The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.
Encryption: WEP – First Wireless Security Cracked -- Any middle-schooler can crack your WEP key in short order WPA Cracked… but Key changes WPA2 Cracked… but Harder to crack than WPA 802.1x Uses Server to Authorize User Can be very secure 802.11i AES encryption – Uncrackable
Wi-Fi Protected Access ( WPA) WPA: WPA stands for Wi-Fi Protected Access. WPA is much better than WEP; we recommend that you put at least WPA on your wireless. It has been cracked, but it takes much longer and is almost not worth the effort. For workgroups, laptop carts, home users, etc. Keep secret long and obscure (set a long passphrase of at least 20 random characters. Better yet, use the full 63 characters by typing a sentence you can remember just don't make it something that's easily guessed, like a line from a movie.) Additional weakness in social engineering the secret
Wi-Fi Protected Access (WPA2) WPA2: is very effective for keeping most normal people off your wireless. Changes encryption from RC4 to AES coWPAtty v4 can attack and crack it Some hardware may not support it Firmware upgrade may be necessary Use it if available
Turn It Off: The easiest wireless security option. When you dont need it, TURN IT OFF. On vacation After a certain hour at night Turn OFF access point / wireless router and your laptops wireless card (saves your battery life some also) Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like 10.0.0.x) to prevent computers from being directly reached from the Internet. Assign Static IP Addresses to Devices Or Limit the number of DHCP address your router will give out
Home Wireless Summary Change default settings -- SSID and passwords Use WPA or (better WPA2) Use a MAC filter Turn off SSID broadcasting Know how far your wireless signal is reaching Turn off wireless when not being used for extended time periods & Turn off DHCP or limit DHCP Disable remote administration Update Firmware on AP and wireless cards semiannually Secure your Home machines Current AV Firewall (if the wireless router has a firewall option turn it on) Spyware protection Auto update Windows Common Sense (Check the Secure Your Laptop Section)
Hot Spot or Public Access Everything you do can be observed by other people; including your email, logon and surfing. Etherwatch (driftnet, etherpeg) Capture and display images Ethereal, Commview, AirMagnet… Capture packets and display email, web pages, etc. Data is unencrypted Unless an application does it Your system can be probed to see if someone can get into your laptop
Common Laptop Issues Most laptop users leave wireless on all the time Peer attack may be possible Firewall might block Access to shared folders or administrative share C$ \\Name or IP address\c$ Set WiFi client to infrastructure
Secure Your Laptop Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select On > OK BETTER YET use Another Firewall (i.e. Kerio, Jetico, or Zone Alarm) Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck This is a computer-to-computer (ad-hoc) network > OK Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck File and Printer Sharing > OK Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your Administrator User Account, and reset the password
Infrastructure Networks Only To allow only connections to approved access points: In Control Panel, double-click Network Connections. In the Network Connections window, right-click Wireless Network Connection, and then click Properties. In the Wireless Network Connection Properties dialog box, on the Wireless Networks tab, make sure that the Use Windows to configure my wireless network settings check box is selected. Under Preferred networks, make sure that the name of the network that you want to connect to is highlighted, and then click Advanced. In the Advanced dialog box, click Access point (infrastructure) network only, and then click Close. Click OK.
VPN Solutions AnchorFree's Hotspot Shield, a new free software download. Install it on a Windows 2000 or XP system AnchorFree'sHotspot Shield Paid VPN Solutions WiTopia's personalVPN, WiTopia's HotspotVPN (SSL) HotspotVPN JiWire's SpotLock (IPSec) software. JiWire'sSpotLock All charge for the VPN connections they provide, and require installation of a utility on the computer.
Security Tips for Public Hotspots Use a personal firewall Use anti-virus software (update daily or hourly) Update your operating system and other applications (i.e. office. adobe reader) regularly. Turn off file sharing. Use Web-based email that employs secure http (https) (beware of some SSL issues though) Use a virtual private network (VPN). Password-protect your computer and important files (make sure your administrator account has a good long password). Encrypt files before transferring or emailing them. Make sure you're connected to a legitimate access point. Be aware of people around you. Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address
TIPS for WIFI at Work TO keep a work WIFI system so it does not drop users as they move around all vendors have some common suggestions. Name all your AP's with the same name so if the single gets blocked by an individual standing in front of the AP or in front of another users laptop and they then get a stronger single from another work AP they do not have to re authenticate to the work wireless network. Make sure all your AP's are on the same subnet if your are doing AD authentication. Make sure the network is the only one listed on the preferred networks under the wireless tab of the "wireless network connection properties" on the network card adapter settings in control panel.
TIPS for WIFI at Work (cont.) Also on the wireless tab of the "wireless network connection properties, click on the advanced tab and: Make sure it is set on the (Networks to Access) section to only access the Access Point also called (infrastructure) networks only Then make sure the Automatically connect to non- preferred networks is unchecked These steps will greatly help you only once these steps are done, and if you still have issues then turning off Windows Zero Config for WIFI might help Use 802.1x or (better) 802.11i in offices that need secure wireless.