Sunday, March 16, 2008

WEP is worthless. Don't use it.

Is WEP wireless security better than no security at all? Probably, but not by much. Don't use WEP for Wi-Fi security, researchers say. It will prevent casual crackers from hacking into your network as they drive by, but if they stop for a traffic light, or to roll down the window and point the Pringles can at your WiFi router, they are in.

Instead, use WPA security to encrypt your wireless traffic. For details, see my post on How To Secure a WiFi Router for the Best Wireless Security. To better understand what all the letters & numbers mean (WPA, WEP, PSK, 802.11b, etc.), see Keith's post on 802.11 Alphabet Soup.

Connect a Mac (Tiger 10.4) to a WPA Wireless Network

In my previous post, I reviewed the best settings to secure my wireless network. Now it's time to connect my Mac laptop, gforce, running Tiger (OS X 10.4.11), to my WiFi (802.11g) wireless network. Boot up, and follow these steps:

  1. Turn on AirPort. I use the AirPort menu to do this, on the right side of the menu bar. The "fan" icon changes from a hollow outline to grayed-out "radio waves".
  2. Select Other... network from the AirPort menu. This is required because I turned off SSID broadcasting when I secured my WiFi router.
  3. In the Network Name field, type the secret but memorable SSID.
  4. Select WPA Personal from the Wireless Security drop-down menu. Note: the specific WPA security protocol is set by the wireless router; you need to match the setting on the router with this menu pick.
  5. Enter your fearsomely strong password. Tip: unless you think someone is spying on you with high resolution optics, you can check Show password. It certainly reduces the typos.
  6. Click [OK].
That's it! You are online. Test it out by opening your favorite browser and surfing to your favorite search engine.

The Closed Network dialog. Enter the SSID here.


After you select WPA, you can enter the password.


Tips
  • If you can't see the AirPort menu, you can turn it on here: System Preferences > Network tab; select Show: AirPort; check Show AirPort status in menu bar.
  • Also, while you are making changes to the AirPort preferences, you should consider selecting By default, join: Preferred networks. If this doesn't work as expected, select the line corresponding to the SSID you selected, move it to the top of the list, and click the [Edit...] button to ensure the WPA password is set correctly.
  • If you think you might be having problems with interference or a poor signal, perform these steps right next to the wireless router to bathe your AirPort card in the strongest signal possible.
  • Save your WPA password in your Keychain, where it will be safely encrypted, so you don't have to enter it every time.

How To Secure a WiFi Router for the Best Wireless Security

What is the best setting to secure my wireless network? What's the safest way to secure my WiFi-enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.

  1. Connect your network, wired only: connect the router to your (cable/fios/phone) modem, which is of course connected to your ISP's wire. Note: in some cases, the router & modem are the same device. Connect a properly-configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, & modem, if required.
  2. Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
  3. Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
  4. Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
  5. Go to the Wireless section on your router's administrative pages. Your router may use different terms, like WiFi instead of Wireless.
Set your wireless network up as follows:

Hide it from Casual Snoops

These options won't protect you from a hardcore hacker (like that 14-year old kid who lives a few doors down) but will hide your network from the lazy & unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:
  1. Change the SSID (or Network Name) to something memorable, besides the default. This isn't a password, so you can use the name of your dog, or other dictionary words. If someone guesses this, they still have to get past your impossible-to-guess password to use your WPA network.
  2. If possible, turn off the option to broadcast the SSID.
  3. Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in.
Now, to connect to your wireless network, you have to know the SSID you set. Just don't use the default name.

Set up WPA Encryption

WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.
  1. Select WPA as your security/encryption mode (also WPA2-Personal PSK)
  2. I recommend WPA-PSK authentication & TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
  3. Set a fearsomely strong password.
  4. Save/Apply your changes.
Now, breathe easy. You are locked down. Let's do a few more things to make sure your net is tight.
  • Turn off remote management. If you turn this on, chances are that you will be owned eventually.
  • Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.
That's it. Save any changes, and now try to connect with your laptop.
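
Why the SSID and password steps above matter together, as an added example (not code from this blog or from any router vendor): WPA-PSK turns the passphrase into the 256-bit network key with PBKDF2-HMAC-SHA1, using the SSID as the salt, so a factory-default SSID or a short passphrase weakens the result. The default-SSID sample list, the 80-bit threshold and the function names are assumptions made for this sketch.

```python
import hashlib
import math
import string

# Illustrative sample of factory-default network names, not a complete list.
SAMPLE_DEFAULT_SSIDS = {"linksys", "netgear", "default", "belkin54g", "dlink"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")

def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_bits(passphrase):
    """Upper bound on entropy: length * log2(size of the character classes used).
    Only meaningful for random passphrases; dictionary words score too high."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def review(passphrase, ssid, min_bits=80.0):
    """Return a list of findings for a planned SSID/passphrase pair."""
    derive_psk(passphrase, ssid)  # raises ValueError on input WPA would reject
    findings = []
    if ssid.lower() in SAMPLE_DEFAULT_SSIDS:
        findings.append("default-ssid")      # salt shared with many other networks
    if charset_bits(passphrase) < min_bits:  # assumed threshold, tune to taste
        findings.append("weak-passphrase")
    return findings

if __name__ == "__main__":
    # Constructed inputs: same passphrase, two SSIDs, two different keys.
    for ssid in ("linksys", "HomeNet-Constructed"):
        key = derive_psk("correct horse battery staple", ssid)
        print(ssid, key.hex()[:16] + "...")
    print(review("password", "linksys"))
    print(review("k7#Qp2!vZx9@Lm4&Rt6w", "HomeNet-Constructed"))
```
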

Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.

Thursday, March 6, 2008

Wireless Trends for 2008

For some great information on 802.11n and other wireless trends, AirWave's webcast Wireless Trends 2008 - What You Need to Know is available on Airwave's Webcast Library page.

Some highlights from the webinar:

  • 802.11n will be ratified in Q3 of 2009
  • It's safe to purchase 802.11n devices now. These devices will "with just the slightest doubt" be compatible with the final standard.
  • With 802.11n, you can expect performance of 4-6 times that of 802.11g
  • Note that Gigabit Ethernet is a requirement, otherwise your wired LAN will be slower than your wireless link.
  • There will be no need to replace your 802.11g equipment
  • Don't try to run 802.11g and 802.11n at the same time in the same channel
For recent performance test results of 802.11n products, see this article in Network World.

Mobile Smartphone Users Targeted by Trojans

McAfee has an article on Symbian mobile users in China being targeted with a Trojan that targets users of the QQ network. (QQ is a very popular Instant Messaging network in China).

McAfee notes that the Trojan contains a number of different pieces of malware. Also, they note that it was written to make a profit, not to forward the notoriety of the hacker.

McAfee also has some information on a Trojan targeting Windows CE devices that was recently discovered as well. The software, WinCE/InfoJack, was created to report information about the phone's OS and version back to a website. It also disables some of the phone's security, allowing unsigned applications to install without warning.

With the growing popularity of smart mobile phones, this activity will only increase. Users should be careful where they download software and applications from. If you get any suspicious SMS messages to your phone, don't start clicking the links.

Monday, February 18, 2008

Digital Picture Frames, USB Hard Drives Found Already Infected with Trojans

This is a little off the wireless topic, but important for security nonetheless: A recent article in the San Francisco Chronicle mentions that many USB photo frames have been found to contain Trojan Horses. When plugged into users' computers, these Trojans can get automatically installed without the user knowing. Antivirus software may not help because it doesn't yet have signatures for these Trojans.

A similar problem regarding USB hard drives was discussed last year at Slashdot.org.

What's the solution?
If you run Windows, disable autorun. A few sites on how to do that are here and here. Don't trust any free software already on these devices or hard drives.

Mac and Linux users generally are safe, because autorun is unsupported or disabled by default.

Vulnerabilities Found in Many Wireless APs

A security software firm (Codenomicon) tested their software on various Bluetooth, Wi-Fi, and WiMax devices and found a very high vulnerability rate. In their whitepaper [PDF], they tested several brands of Wi-Fi Access Points (although they don't say which brands) and found vulnerability rates ranging from 25%-75% for their tests.

Take the report with a grain of salt, however, since they may be biased to sell their testing software.

Home users should consider setting up a DMZ for their wireless access points.

Corporations should consider a Wireless Security solution on top of their existing wireless infrastructure, such as Aruba Networks or AirWave (Aruba has recently announced they will be acquiring Airwave).