Is WEP wireless security better than no security at all? Probably, but not by much. Don't use WEP for Wi-Fi security, researchers say. It will prevent casual crackers from hacking into your network as they drive by, but if they stop for a traffic light, or to roll down the window and point the Pringles can at your WiFi router, they are in.
Instead, use WPA security to encrypt your wireless traffic. For details, see my post on How To Secure a WiFi Router for the Best Wireless Security. To better understand what all the letters & numbers mean (WPA, WEP, PSK, 802.11b, etc.), see Keith's post on 802.11 Alphabet Soup.
Sunday, March 16, 2008
WEP is worthless. Don't use it.
How To Secure a WiFi Router for the Best Wireless Security
What is the best setting to secure my wireless network? What's the safest way to secure my WiFi-enabled router? The steps below describe what to do for most routers that support WiFi 802.11g or better.
- Connect your network, wired only: connect the router to your (cable/fios/phone) modem, which is of course connected to your ISP's wire. Note: in some cases, the router & modem are the same device. Connect a properly-configured computer to your router, probably with a Cat-5 Ethernet cable. Check the LEDs on the computer, router, & modem, if required.
- Boot up and open a browser. Can you connect to the Internet? Test with a quick trip to your favorite search page. If you can't connect wired-only, you'll never get the wireless working!
- Log into your router's web interface using your web browser. If you know your computer's IP address, the router is usually the same address, except the last number after the right-most dot is a "1" -- for example, 192.168.2.1 (the 1 at the end is your router's address in your LAN's address space).
- Enter your password to access your router's administrative features. If you didn't need a password, or you used the default password, change it now to a safe password!
- Go to the Wireless section on your router's administrative pages. Your browser may use different terms, like WiFi instead of Wireless.
Hide it from Casual Snoops
These options won't protect you from a hardcore hacker (like that 14-year-old kid who lives a few doors down) but will hide your network from the lazy & unprepared (i.e., most everyone else). In the Channel & SSID section of your router's Wireless/WiFi administrative pages:
- Change the SSID (or Network Name) to something memorable, besides the default. This isn't a password, so you can use the name of your dog, or other dictionary words. If someone guesses this, they still have to get past your impossible-to-guess password to use your WPA network.
- If possible, turn off the option to broadcast the SSID.
- Apply or Save the changes. For my Belkin router, that means the router needs to reboot and I have to log in.
Set up WPA Encryption
WPA encryption is the way to go. WEP sucks, so don't use it. WPA makes it impossible for people to connect to the network without the password, and also encrypts all the traffic so others can't snoop on your traffic and snort up your bank password.
- Select WPA as your security/encryption mode (also WPA2-Personal PSK)
- I recommend WPA-PSK authentication & TKIP encryption. Make sure these selections are compatible with your wireless card (AirPort for Macs).
- Set a fearsomely strong password.
- Save/Apply your changes.
- Turn off remote management. If you turn this on, chances are that you will be owned eventually.
- Turn off UPNP (Universal Plug 'n Pray -- I mean, Play). If one of your devices requires this, your network can't be considered secure.
Stay tuned for tips on what to do if you have a device that requires UPNP or WEP, or other inadequate security measures that would otherwise compromise your security.
Saturday, October 20, 2007
Safest Way to Connect To Gmail in Public
If you connect to your Gmail account out on the road, use SSL encryption when you connect, the safest way to log in on a public network:
https://mail.google.com/
Use the "https://" (SSL) secure and encrypted protocol, instead of plain "http://", every time you connect to your web mail on a public network. This also applies to any account where you have to log in with a user name and a password.
Web mail accounts include:
- Yahoo!
- MSN
- Your ISP's web mail pages.
Public networks include:
- The airport (best to avoid at all costs -- prime snooping grounds for the black hats).
- Your hotel.
- Your favorite cafe, donut or sandwich shop that offers Wi-Fi access.
- The library.
- Your neighbor's unsecured or WEP secured network that you hacked into (if you can do it, so can someone else!)
- And so on...
The Solution for Safe Surfing
To keep your accounts safe when using public networks, select either option:
- Don't log into your accounts using a public network. Best yet, don't even fire up your laptop unless you are sure you are safe. (Yeah, right!)
- Or, in the real world, always use a secure protocol to log in to any Internet accessible account. This means 100% of the time.
  - Web: SSL ("https://")
  - Email: encrypted IMAP or POP
  - Shell: SSH
  - FTP: SFTP
So, you need to protect your log-in transaction, and encrypt (or scramble) the authentication cookie Google gives you after you log in.
SSL to the Rescue
Using an SSL connection protects all the traffic between your browser and the secure server. For example, to log into Google Mail over SSL, go to this web URL:
https://mail.google.com/
This way, all communication between your web browser and Google is encrypted using the excellent SSL encryption protocol. That's right, all you have to do is type in that "s" right between "http" and "://" -- how easy is that? It works with any web site that supports SSL. If your favorite web mail doesn't support SSL connections, it's time to find a new web mail solution.
When you connect using https, notice how your browser's address bar turns bright yellow, or that little lock icon appears in the lower right corner -- whatever your browser does, you should see a clear indication that you are using a secure SSL connection ... and also see when the web site you are visiting drops you back into regular "http" unencrypted traffic.
SSL won't protect your FTP transfers, or your Outlook or Thunderbird log-ins, either, but it does a great job protecting everything your browser sends and receives. Always use SSL when you need to log on to a public network.
Or just wait until you can plug in to log in. Most wired networks, even "open" wired networks at a hotel, for example, are much more secure than an equivalent Wi-Fi (wireless) network. If you aren't sure if your wired network is secure, you can use HTTPS on that, too.
Surf safe,
Neil
Sunday, July 22, 2007
802.11 Alphabet Soup
Here's a review of 802.11b, a, n, and i, with respect to wireless internet security:
802.11b - This is a popular wireless standard, and includes WEP only. WEP stands for Wired Equivalent Privacy. This means that this protocol was supposed to be just as safe as plugging your device into the network with a cable. Unfortunately, the WEP designers didn't do all their homework, which means WEP is a poor choice for your wireless network security.
802.11a - This was the next wireless standard to be widely accepted following 802.11b, and added increased transmission speed, as well as WPA. WPA stands for Wi-Fi Protected Access. It fixes the holes in WEP and adds stronger authentication.
802.11n - This is an upcoming standard for Wi-Fi. It offers increased speeds and reliability for Wireless access. It does not include any new security standards.
Check out this interesting article that explains how the overhead involved in WiFi means that network speeds are much lower than advertised. For one thing, it's a shared medium. That's why 802.11n devices use multiple antennas. They communicate using MIMO (multiple input, multiple output) technology. Ethernet itself is rated at 10Mbit/sec but actual throughput is less. Overhead always occurs in transmission for things such as redundancy, error correction, and protocol overhead.
Currently you can get Draft 802.11n capable wireless cards. The standard is slated for finalization in Sept, 2008, at the time of this writing. Devices that use Draft 802.11n should generally be flash upgradeable to the final standard later on.
802.11i - This is the latest wireless security standard, which includes WPA2. WPA2 is the successor to WPA, and adds stronger encryption in the form of AES, vs. the older RC4. AES is used by the US Government, so it's probably secure enough for your needs too. This is currently the best choice for wireless security.
Friday, July 6, 2007
Optical Wireless Eliminates WiFi's Biggest Flaw
What's the biggest flaw with WiFi, or any radio-based wireless network? It's easy to eavesdrop on the network traffic, since the wireless base station conveniently broadcasts the signal in all directions, even through walls, ceilings and floors. This is why the WEP security protocol was hacked open so quickly: the bad guys can just eavesdrop on the network from the parking lot.
Ask TJX what the cost of using WEP is -- they can't answer yet, because the bill keeps growing. For comparison's sake, how easy is it to eavesdrop from the parking lot on a Cat5 wired network? And how do you hide the telltale 2000 foot Ethernet cable out to the van? Duct tape? I don't think so.
So, wired networks are more secure, but much less flexible. But radio waves aren't the only way to transmit network data. Some labs and companies are developing optical wireless networks that deliver the flexibility and convenience of wireless, but make eavesdropping much more difficult. The reason? The optical signal simply can't pass through solid surfaces like walls and floors. This means if you live in a house or work in a building that has good physical security (like most homes and offices do) then you could set up an optical wireless network that is much harder to eavesdrop on compared to similar WiFi or other radio networks.
The most promising technologies for transmission include infrared (the same wavelength that your TV remote uses) and white LEDs (still in the lab). Stay tuned for more developments on this speedy high-bandwidth wireless medium.
Thursday, June 21, 2007
Wireless (Wi-Fi) Networks Increase the Challenges of Internet Security
Like so many technologies before it, wireless TCP/IP networks (especially WiFi/802.11 networks) were implemented and marketed without much consideration for the increased computer security risks that broadcasting your network traffic to the world might entail.
As any code-breaker knows, one of the best ways to reverse engineer coded messages is to compare lots of these messages to find common patterns. Early WiFi security, specifically WEP encryption, fell to this well known technique, because it re-used encryption keys. As any spy worth his martini and Aston Martin knows, you should never reuse your encryption keys if you want to keep your secrets safe.
Yet, WEP did exactly this, so a patient hacker needs only to listen in on your WEP traffic long enough to discover the (reused) encryption keys. At least WEP prevents casual computer users with no expertise from logging into your network by simply posting up close enough to your base station to detect your WiFi signal. Just add a Pringles potato chip can to your setup, and you can detect Wifi signals hundreds of meters from the source. That's not a problem in any urban (and most suburban) areas.
In short, wireless networks have only increased the challenges of internet security by introducing a huge "back door" into your network. No longer do hackers need physical access to your network to steal your secrets. Nor do they have to defeat a well-secured firewall. Now, they can simply eavesdrop on network traffic beamed out into the ether by your new unsecured WiFi base station.
Over the next few weeks, we'll look closely at the different ways you can reduce computer security risks by implementing basic wireless internet security techniques. Stay tuned, or grab our RSS feed.
Wednesday, June 20, 2007
Wireless security
Wikipedia reminds us, in the entry for Wireless security, that for typical computer users:
there are a great number of security risks associated with the current wireless protocols, encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level.
It's not hopeless, though. Review the steps in securing a wireless network to get started on locking down your WiFi network.
Monday, June 18, 2007
Wireless Router and Internet Security: Simple steps for privacy and security
As this article on wireless internet security recommends,
If you are using a wireless router for broadband internet, you MUST secure your connection.
The article, at JustText.com, also offers great tips on:
- Routers
- Firewalls
- Encryption
- Remote Access
- Wireless Internet Security
Welcome to the Secure My Wireless blog
We post best practices for securing wireless (typically, WiFi or 802.11) networks, and tips on how to stay safe.