How To Defend Against Wi-Fi Security Threats
Wi-Fi is the technology that lets users connect their mobile phones, computers, and other Android and iOS devices to the internet whenever and wherever they like within range, such as at home, in the office, or even on the street. Because no physical connection has to be made to join a Wi-Fi network, this form of internet connection can lead to security vulnerabilities if not managed correctly.
It’s common knowledge
that the best way to protect your home Wi-Fi network is by using a strong
password. This will keep uninvited guests away and protect your network so
eavesdroppers can’t intercept your communications.
Once
you’ve protected your network with Wi-Fi Protected Access 2 (WPA2), here are
four other vulnerability scenarios you should guard against.
Strong passwords are a great place to
start defending your network, but you need to take it to the next level.
Every router comes with a generic username and password that you need the first time you access the router. You need to change both immediately. The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings.
If you worry about forgetting the new username/password, you should probably stick to pencil and paper; if you do forget them, you can reset the router to its factory settings and get in with the original generic admin info.
Use Encryption Keys
Adding a secure password to the Wi-Fi is a quick way to prevent just anyone from connecting to it. All you need is the Ethernet cable that comes with the router when you pull it out of the box or when it is installed by a cable company, and the manual that comes with the router. By using the cable to plug directly into the router, a computer can access the router's internal settings using an Internet browser.
The address, usually in the form of an IP address, generally 192.168.1.1 or something similar, gets you into the router's inner workings, but you need the cable to access it, so it can't be altered remotely.
Then go to the security settings of your router and activate an encrypted password called a WEP or WPA key (choose WPA2, recommended above, where the router offers it). Users can change the password to one which is both secure and easily remembered in order to enhance security. The good thing about setting a complicated password is that it offers more security while the connected devices can access the network automatically without the need to enter the password every time.
You can specify a password of your own, but the router's generated key is much stronger than a password someone might be able to guess. Most modern computers will save passwords when you connect to your home Wi-Fi network, so you shouldn't need to specify the network password again when signing onto the Internet, unless something gets reset.
User-To-User Snooping
Threats
don’t always come from the outside. A guest, contractor, or even an employee
can snoop on wireless traffic. Though the PSK mode of WPA2 utilizes encryption
to scramble the traffic, someone can decrypt the traffic and snoop on other
users of the “secure” network if they have the password.
This is another vital
reason why the enterprise mode of WPA2 is beneficial; it stops this type of
user-to-user snooping, while still allowing sharing among users if desired.
Lost Or Stolen Devices With Wi-Fi Passwords
You can lock down your Wi-Fi with the most stringent security, but if you lose your smartphone, tablet, laptop, or any other device that you've connected to your Wi-Fi network, whoever recovers it will be in a position to access every network you've connected to in the past, since those passwords will have been saved to that device by default.
Depending on who recovers the device, where they found it,
and how much info they can glean from it, they might even be able to figure out
where those networks are physically located.
If you lose a mobile device, see if you can remotely lock or
even wipe it (you do back it up on a regular basis, right?) to prevent any
unauthorized person from gaining access to the Wi-Fi passwords and any other
data you have on it.
Secondly, it’s a good idea to change the Wi-Fi password of
all the networks you connected it to in the past. Some private networks might
not be in your control, so you should notify the parties who are responsible
for them—especially your employer.
While you probably want to make the SSID (service set identifier) public, using the generic network name/SSID generally gives away what router you have. For example, routers from Linksys usually say "Linksys" in the name; some list the maker and model number ("NetgearR6700"). That makes it easier for others to ID your router type. Give your network a more personalized moniker.
It's annoying, but rotating the SSID(s) on the network means that even if someone had previous access, like a nosy neighbor, you can boot them off with regular changes. Just remember, if you change the SSID and don't broadcast the SSID, it's on you to remember the new name all the time and reconnect ALL your devices: computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.
'Debunked' Options
People with the right equipment, such as wireless analyzer software like Kismet or mega-tools like the Pwnie Express Pwn Pro, aren't going to let the following tips stop them.
I include them for completion's sake
because, while they can be a pain in the ass to implement or follow up with, a
truly paranoid person who doesn't yet think the NSA is after them may want to
consider their options. So, while these are far from foolproof, they can't hurt
if you're worried.
Turn On MAC Address Filtering And Router Firewalls
Each computer that uses your network has a specific number
attached to it called a “MAC (Media Access Control) address.” This is actually
a physical number assigned to the actual Wi-Fi adapter hardware in your
computer or mobile device.
From the internal settings of your router, you can determine
the MAC addresses of the computers that you want to be able to access your
network and specify them to the router. Any device that doesn’t have the right
MAC address will be denied access.
In order to set MAC addresses, you’ll need to have the devices
you want to be able to use on your network connected so you can see their
addresses in the router’s “MAC Address” section. There, you can usually just
click a button that turns on the router’s MAC limiting setting, and then select
which addresses are allowed access to the network.
Most routers have an internal firewall program, anti-hacking software that makes a network more difficult to access from the outside, and turning it on is generally really easy.
Change Your Default Wireless Settings
Some modem/router manufacturers and ISPs preconfigure their
gear with Wi-Fi encryption using a default password. One insecure default
setting scheme used by various companies is putting a portion of the device’s
MAC address and/or default SSID (network name) in the Wi-Fi password.
For instance, my ARRIS gateway supplied by Time Warner Cable comes with the default SSID of TG1672G02 for its 2.4GHz network and TG1672G02-5G for its 5GHz network, both using a default password of TG1672G1E1F02. That looks fairly secure at first glance, since it's at least a combination of letters and numbers, but it's composed partially of the gateway's model number (TG1672G) and partially of its MAC address: D4:05:98:1E:1F:02.
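A way to check your own router for this default scheme, as an added example that is not part of the original post: it reports which parts of a Wi-Fi password can be read straight off the broadcast SSID and MAC address, and how many characters are left unexplained. The function names, the 4-character threshold and the second passphrase are assumptions made for the example; the gateway values are the ones quoted above.

```python
import re

def _norm(text):
    """Uppercase and keep only letters and digits (drops ':' and '-')."""
    return re.sub(r"[^0-9A-Z]", "", text.upper())

def longest_shared_run(a, b):
    """Longest substring that appears in both a and b."""
    best = ""
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > len(best):
                    best = a[i - cur[j]:i]
        prev = cur
    return best

def audit_passphrase(passphrase, ssid, mac, min_run=4):
    """Return (findings, unexplained): which broadcast identifiers show up in
    the passphrase, and how many of its characters they do not account for."""
    p = _norm(passphrase)
    findings, covered = {}, set()
    for label, public in (("ssid", _norm(ssid)), ("mac", _norm(mac))):
        run = longest_shared_run(p, public)
        if len(run) >= min_run:  # shorter overlaps happen by chance
            findings[label] = run
            start = p.find(run)
            covered.update(range(start, start + len(run)))
    return findings, len(p) - len(covered)

# Values quoted in the article for the ARRIS gateway.
ARTICLE_DEFAULT = audit_passphrase(
    "TG1672G1E1F02", "TG1672G02", "D4:05:98:1E:1F:02")

# Constructed passphrase that shares nothing with the identifiers.
CONSTRUCTED = audit_passphrase(
    "correct-horse-battery-staple", "TG1672G02", "D4:05:98:1E:1F:02")

if __name__ == "__main__":
    for name, (found, unexplained) in (("article default", ARTICLE_DEFAULT),
                                       ("constructed", CONSTRUCTED)):
        print(f"{name}: derived from {found or 'nothing'}, "
              f"{unexplained} characters not explained")
```

If the unexplained count is zero or close to it, treat the password as public and replace it.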
Don't Broadcast The Network Name
In the router settings for the SSID, check for a
"visibility status" or "enable SSID broadcast" and turn it
off. In the future, when someone wants to get on the Wi-Fi, you'll have to tell
them the SSID to type in—so make that network name something simple enough to
remember and type.
Note, however, that anyone with a wireless sniffer can pick the SSID out of the air in very little time. The SSID is not so much invisible as it is camouflaged.
Just like with your operating system and browsers and other software, people find security holes in routers all the time to exploit. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware. Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it's a win-win.
If you're feeling particularly techie and have the right kind of router that supports it, you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt. These programs completely erase the manufacturer's firmware on the router but can provide a slew of new features or even better speeds compared to the original firmware.
Don't take this step unless you're feeling pretty secure in your networking knowledge.
Sessions Hijacking Accounts
There are many tools that make session hijacking via poorly
secured Wi-Fi quick and easy for anyone, using readily available apps. For
these particular apps to work, they just need a rooted Android device and
someone on the Wi-Fi to log into a website that’s not fully secure. Then the
app will detect the unsecured login and the session hijack would allow the
eavesdropper full access to the compromised account without having to enter a
password.
Though Wi-Fi users can try to ensure they're logging onto websites or services via a secured HTTPS/SSL connection to prevent session hijacking, sometimes the session cookie is still sent in cleartext, making the user unknowingly vulnerable to this attack.
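A check a site owner can run for that gap, as an added example that is not part of the original post: a cookie set over HTTPS without the Secure attribute is also attached by the browser to plain http:// requests for the same host, which is where it becomes readable on shared Wi-Fi. The host, cookie names and responses below are constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def cleartext_cookie_risks(responses):
    """responses: iterable of (url, [Set-Cookie header values]).
    Returns sorted (cookie_name, reason) pairs for cookies that can end up
    on the air unencrypted."""
    risks = set()
    for url, set_cookie_values in responses:
        scheme = urlsplit(url).scheme.lower()
        for raw in set_cookie_values:
            jar = SimpleCookie()
            jar.load(raw)  # parses one Set-Cookie value and its attributes
            for name, morsel in jar.items():
                if scheme != "https":
                    risks.add((name, "set over plain HTTP"))
                elif not morsel["secure"]:
                    # Browser will also send it on http:// requests.
                    risks.add((name, "set over HTTPS without Secure"))
    return sorted(risks)

# Constructed responses from one hypothetical site.
SAMPLE = [
    ("https://shop.example/login", ["sessionid=3f9a; Path=/; HttpOnly"]),
    ("https://shop.example/login", ["csrftoken=77c1; Path=/; Secure"]),
    ("http://shop.example/banner", ["tracker=ab12; Path=/"]),
    ("https://shop.example/account", ["auth=9d0e; Path=/; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for name, reason in cleartext_cookie_risks(SAMPLE):
        print(f"{name}: {reason}")
```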
Change Your Network’s SSID And Make It Invisible
The SSID is what a device searches for when it is trying to connect to the network, and it can be changed using the same method as setting up the password. From within the same settings menus where you adjusted the MAC settings and turned on your encryption key, you can also set whether your Wi-Fi network is "discoverable." Turning that off means that the router won't broadcast its ID information over the air for other devices to lock onto.
You
don’t want your network discoverable, and you don’t want your router to
broadcast its SSID.
Although just changing the name does not enhance the security of the Wi-Fi, an option that is extremely powerful in stopping unwanted users from connecting is to make the network invisible. When the network is invisible, hackers who may be searching for a Wi-Fi connection to access will not be able to find it.
The Dynamic Host Configuration Protocol (DHCP) server in your router is what assigns IP addresses to each device on the network. For example, if the router has an IP of 192.168.0.1, your router may have a DHCP range of 192.168.0.100 to 192.168.0.125; that's 26 possible IP addresses it would allow on the network.
You can limit the range so the DHCP wouldn't allow more than a certain number of devices, but with everything from appliances to watches using Wi-Fi, that's hard to justify.
For security, you could also just disable DHCP entirely.
Assign IP Addresses To Your Devices
Each device that
connects to the Internet does so using what’s called an IP address. Most
networks use a system called “dynamic IP addresses,” which means that every
time you connect to your network, the system assigns a temporary IP address to
your system. That’s easy, but it also means anyone jacking into your network
can get a temporary address just as easily as you can.
Instead, look for a tab in your router's setup menu that lets you set "static IP addresses." Like MAC filtering, you should be able to see the addresses of your devices at the moment; write them down, or specify a series of numbers to the router when you're prompted to. You can tell your router to only allow devices using those specified addresses to connect.
Denial Of Service
Someone inside or outside can send
traffic to disrupt the wireless performance or halt the network altogether.
This is because wireless encryption doesn’t apply to all management and
broadcast frames, enabling someone who’s not connected or authenticated on the
wireless network to send spoofed management traffic.
Note that no network can be completely
protected against these types of attacks.
Significant interference can also come
from within your organization from other types of wireless devices using 2.4 or
5GHz, such as security cams, alarm systems, cordless phones, or wireless
speakers.
Reduce The Range Of Wi-Fi Signals
Most wireless local area networks use 802.11, which spans three distinct frequency ranges: the 2.4 GHz, 3.6 GHz, and 4.9/5.0 GHz groups each have their own range. Because signal strength differs between them, settings can be applied to limit the range so that those who are too far away are unable to find or access the signal.
As an example, on the 2.4 GHz frequency, 802.11b can be selected rather than 802.11g in the router settings. Doing so helps reduce the signal range so that only those near the router are able to access the network.
So there you are: you can go right ahead and protect your Wi-Fi.