Home Network Security

Posted by: Am_Fear_Liath_Mor

Home Network Security - 01/30/13 02:12 PM


It might be prudent to keep your router's Wi-Fi connection security at its highest possible encryption strength. Even WEP can be cracked!

http://www.prisonplanet.com/woman-sues-police-over-flash-grenade-swat-raid.html

crazy
Posted by: LCranston

Re: Home Network Security - 01/30/13 02:27 PM

True, there is no completely secure wireless.

I would agree that one should use the highest level that your devices can support, though to be brutally honest, it just needs to be higher than your neighbors.

"I don't have to be faster than the bear, I just have to be faster than you....."

Like burglars, looking for easy targets...
Posted by: dougwalkabout

Re: Home Network Security - 01/30/13 03:43 PM

WEP has been effectively useless for years. The kid next door can crack it in half an hour with a standard PC.

Even when people have WPA2 enabled, they use laughable passwords. "Fluffy" is not a solid password, and neither is your home phone number.

People don't do firmware upgrades to their wireless routers either. Yes, it's a hassle once you have everything set up because it erases your settings. But there are usually important security upgrades in there. When I was setting up my brand new router, I was amazed to find that the firmware was a year and a half out of date, and four significant firmware upgrades/patches had already been issued.
Posted by: chaosmagnet

Re: Home Network Security - 01/30/13 03:51 PM

Originally Posted By: Am_Fear_Liath_Mor

It might be prudent to keep your router's Wi-Fi connection security at its highest possible encryption strength. Even WEP can be cracked!


For years I had lucrative work performing wireless penetration testing for companies (it's important to note that I never did any penetration testing without a signed letter of authorization in my possession). WEP can be cracked very easily by pre-teens. It can be done tracelessly if you are willing to spend some time at it, and it can be done within about ninety seconds if you're willing to do some traffic generation.

WPA is crackable as well, but it's tougher. If you use WPA-PSK it behooves you to use a very long (20+ characters) unguessable key consisting of letters, numbers and symbols. WPA using cryptographic certificates is very tough to crack, but is beyond the capability of most (if not all) consumer wireless gear.
Posted by: Denis

Re: Home Network Security - 01/30/13 04:13 PM

Originally Posted By: chaosmagnet
... it behooves you to use a very long (20+ characters) unguessable key consisting of letters, numbers and symbols...

I really question the value of making passwords hard to remember with numbers, symbols, etc. ... this inevitably results in either people locked out of their own systems or storing the passwords in insecure locations (like a post-it note on their monitor).

As you identified, length is the real key to secure passwords.

Posted by: GarlyDog

Re: Home Network Security - 01/30/13 04:39 PM

Using MAC (Media Access Control) address filtering on top of encryption is another obstacle you add to wireless security. Most routers provide this service. This feature only allows authorized computers on your wireless network. Each network interface has a unique MAC address assigned by the manufacturer.

IOW, having the encryption key is not enough to gain wireless access. Your computer's hardware address has to be specifically authorized (or spoofed) on your router to gain access.

Again, this is about making your system just a little harder to break into than your neighbors' systems.

Posted by: Arney

Re: Home Network Security - 01/30/13 06:16 PM

Originally Posted By: Denis
As you identified, length is the real key to secure passwords.

Nice cartoon. I totally agree with the cartoon, as far as passwords that we need to remember and input regularly are concerned. I've long been a fan of using Diceware to generate passwords (well, really passphrases). It's the combination of using real words, length, and the randomness of throws of dice that makes it work so well as well as reasonably easy to remember. For situations that require special characters or capitalization, I use the dice for that, too.

Then again, for a password that I seldom have to use, like my router at home, I personally wouldn't have any problem with using one of those random, nonsensical passwords and putting it on a sticky on the bottom of it. If some stranger can physically read that sticky, then I have far more pressing problems than a hacked wifi connection!
Posted by: chaosmagnet

Re: Home Network Security - 01/30/13 08:53 PM

Originally Posted By: Denis
Originally Posted By: chaosmagnet
... it behooves you to use a very long (20+ characters) unguessable key consisting of letters, numbers and symbols...


I really question the value of making passwords hard to remember with numbers, symbols, etc.


For the wireless key, you're typing it in approximately once per device. It's easy to attack wireless networks, and either hard or impossible to detect an attack in progress. The length, complexity and unguessability of a wireless key have a significant impact on the chances of an attack against WPA-PSK being successful.

Originally Posted By: GarlyDog
Using MAC (Media Access Control) address filtering on top of encryption is another obstacle you add to wireless security.


Assuming that there is some legitimate user on the wireless network, this adds about ten seconds to the effort for the attack.
Posted by: dougwalkabout

Re: Home Network Security - 01/30/13 09:17 PM

Here are some interesting articles from wired.com on the subject of passwords.

Since it's from Wired, you will naturally take it with a grain of salt. But there are a few nuggets of wisdom in there.


http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

http://www.wired.com/gadgetlab/2012/11/why-no-password-is-safe-from-hackers/

http://www.wired.com/opinion/2012/10/passwords-and-hackers-security-and-practicality/

http://www.wired.com/wiredenterprise/2013/01/google-password/
Posted by: Eugene

Re: Home Network Security - 01/30/13 10:14 PM

We moved to our new house in 2008 and the router sitting in the box for a couple days somehow forgot part of its settings but still worked enough that our computers connected and worked so I didn't notice until one day I found others connected to it.
I turned on logging and noticed they were looking at political sites. So rather than cut them off I put in DNS redirects and pointed the R candidate's site to the D candidate's site and the D candidate's site to the NRA smile
Posted by: Russ

Re: Home Network Security - 01/30/13 10:19 PM

We switched to Ethernet and try to stay away from wireless.
Posted by: JPickett

Re: Home Network Security - 01/31/13 03:33 PM

Russ, could you explain the difference between ethernet and wireless. Short words please, I'm 63 and not too knowledgeable of electronics.
Posted by: Treeseeker

Re: Home Network Security - 01/31/13 04:05 PM

JPickett,

Ethernet is a wired local area network. Each device is connected to the network by a wire. The upside to this is that outsiders cannot connect to your wired network. The downside of this is that some devices such as smartphones and tablets cannot be connected since they only have wireless connection capabilities. It also limits where you can connect notebook computers.
Posted by: bws48

Re: Home Network Security - 01/31/13 04:06 PM

Originally Posted By: JPickett
Russ, could you explain the difference between ethernet and wireless. Short words please, I'm 63 and not too knowledgeable of electronics.


I'll jump in with a quick answer---hope Russ doesn't mind. smile

Ethernet runs on wire, usually a wire cable that looks something like a telephone cable, except that it has 8 wires when the telephone cable has (usually) 4.

Wireless is simply using a 2 way radio, usually from a "router" back and forth to the computer.

The data going back and forth over each of these systems is in different formats and speeds, but in the end you will see the same data on your computer.

Because wireless is a radio, someone can intercept and decode the signals and see what you are doing. The radio signal is encrypted, but there are ways to break the codes, some easier than others.

Ethernet, because it is a physical wire, can't be intercepted unless someone physically gets access to the wire.

Now, the router is usually attached to a modem. The modem is the box that hooks up (in a home setting) to the wire/cable that gets you to your internet provider. The purpose of the router is to provide the radio access to the internet through your home.

If you only have 1 device (e.g. the computer) that needs internet access, typically you can cable the computer directly into the modem using the ethernet cable. At that point you're done and secure.

OTOH, if (like me) you have a couple of computers, smartphone, and a disk-player that want internet access, you probably want to use the router and have access all through your home without running cables all over the place. But you now run the risk of having the radio signals intercepted, decoded, and your information compromised.

Hope this helps.
Posted by: Denis

Re: Home Network Security - 01/31/13 04:57 PM

Originally Posted By: Arney
Then again, for a password that I seldom have to use, like my router at home, I personally wouldn't have any problem with using one of those random, nonsensical passwords and putting it on a sticky on the bottom of it.

Currently have, I think, 10 wireless devices to manage in my home (laptops, printer, smart phones, etc.) and occasionally have family or guests that would like to access it when they are over.

Having a network password that is easy to remember is a definite advantage for me.

Originally Posted By: chaosmagnet
The length, complexity and unguessability of a wireless key have a significant impact on the chances of an attack against WPA-PSK being successful.

I guess my question is what the necessity for mixed case, numbers & letters, and special characters really is.

For example, to a password cracking program, is correcthorsebatterystaple (the example from the xkcd comic) any more or less hard to guess than any other 25 character long string? A cracking program wouldn't know not to check for mixed case, etc, would it?

My understanding of this approach to using long, but easy to remember, passwords (I've had other IT professionals recommend it as well) is that the length alone is what makes password cracking unlikely due to the sheer length of time needed to find the right combination of characters.
Posted by: Russ

Re: Home Network Security - 01/31/13 06:06 PM

JPickett -- Treeseeker & bws48 covered it. Since we do have multiple PC's, we use a D-Link splitter on the Ethernet connection to get multiple Ethernet connections into a single connection to the router. Works good.

Another advantage is that Ethernet has a higher download speed than the wireless connections I've seen.

The iPad and iPhone do use the wireless connection, but I don't do sensitive stuff on them.
Posted by: LCranston

Re: Home Network Security - 01/31/13 06:26 PM

Denis, length is a very useful tool, as long as the system itself is secure.
Problem with home wireless is that most of the security types on most routers are already cracked; if a real live hacker is trying to get in, they can.

Going back to original article, they had open wireless. That would be the equivalent of leaving your garage door and front door open all the time.

ANY security at least gives you a door. Better protocols improve the locks.

Also, security is important from the outside in- Having one PC hooked up directly to a modem does indeed, remove risk of wireless hacking.

It opens you up COMPLETELY to ONLINE hacking. Your computer is then a wide open target from the internet side.
Even a cheap old router has a minimal effect as a firewall from the internet side. Again, internally, a modem to PC connect is a wide open door. A router closes the door, newer firmware in the router improves the locks.

Another simple, obvious step in security is to limit password ATTEMPTS. Set your PC with a good password, then make it time out after 3 attempts. You don't need a permanent shut down or lock out, just a 5 minute time out.
Why? simple- all brute force attacks need to make many attempts.
So if your 8 letter password would take ~100,000 tries to guess, but your PC will only let them try 3 times every 5 minutes.... that is 115 days to try them all.

Not worth the time for a drive by attempt, move on to the neighbor with open wireless, or no router.....

Quick append- length is good. length plus more characters is better.
there are 10 numbers- so using just numbers
password complexity = length times 10. 8 digit give 99,999,999 combos
there are 26 letters, 36 letters plus numbers- same 8 digit is 36 to the 8th power (36*36*36*36*36*36*36*36)-
with special characters you go from 36 characters to over 50
now (50*50*50*50*50*50*50*50)

Posted by: Arney

Re: Home Network Security - 01/31/13 06:49 PM

Originally Posted By: Denis
My understanding of this approach to using long, but easy to remember, passwords (I've had other IT professionals recommend it as well) is that the length alone is what makes password cracking unlikely due to the sheer length of time needed to find the right combination of characters.

I'm assuming that this was already an assumption of yours, but "long" really needs to be combined with some form of "random". Case in point, people may use a snippet of some famous quotation, e.g. "...four score and seven years ago...". Going by length, that's a decent amount of entropy for many situations, in theory, but not the best choice in practice. Password cracking routines can check for famous quotes, and if someone knows you're, say, a history or Civil War buff, then maybe that's something rather easily guessed.

That's the strength of a system like Diceware--it takes the personal bias/preferences out of the equation. You end up with a string of words that don't necessarily have any connection to you at all or any other quote or popular phrase, making it much harder to make educated guesses. Gosh, what was I watching just the other night on TV, where some woman is trying to get access to the "witness protection" database, so she finds a US Marshal at a bar, flirts with him and chats him up for personal info about himself, and then gets into the database by figuring out that his password is his boyhood dog's name, Guiness.

Actually, that's another fine point. That password in the TV show was guessed (by a person). The other way is to do it automatically with some password cracking software. Maybe it's semantics, but software doesn't "guess" passwords, it simply tries a whole bunch of them very, very quickly, usually in some systematic order.
Posted by: LCranston

Re: Home Network Security - 01/31/13 06:56 PM

bullseye- rainbow tables
Posted by: chaosmagnet

Re: Home Network Security - 01/31/13 11:52 PM

Originally Posted By: Denis
I guess my question is what the necessity for mixed case, numbers & letters, and special characters really is.

For example, to a password cracking program, is correcthorsebatterystaple (the example from the xkcd comic) any more or less hard to guess than any other 25 character long string? A cracking program wouldn't know not to check for mixed case, etc, would it?

My understanding of this approach to using long, but easy to remember, passwords (I've had other IT professionals recommend it as well) is that the length alone is what makes password cracking unlikely due to the sheer length of time needed to find the right combination of characters.


With respect to XKCD (a highly admired source of information as well as humor) it's not just the keyspace that matters. A dictionary attack against a wireless key of that form would succeed within a day at the most on my work laptop. Add in numerals and special characters and you have to stop using a dictionary attack and work a brute force attack, which at that length of key would take an infeasibly long time to complete.
Posted by: chaosmagnet

Re: Home Network Security - 02/01/13 12:05 AM

Originally Posted By: JPickett
could you explain the difference between ethernet and wireless.


Forgive me for a little bit of pedantry: The home wireless networking that you're talking about is in fact an Ethernet technology. The difference between wired Ethernet and wireless Ethernet is (as others have stated) about speed, security, and convenience. For home users, wired Ethernet is faster and more secure (assuming that you prevent unauthorized users from plugging into your network equipment) but significantly less convenient for some.

Typically, speed of home wireless networks is so much less than the Internet connection speed that going to wired Ethernet isn't helpful. The big exception is if you have significant traffic that's going between devices on your network (not Internet traffic). In that case the increase in speed locally can be very worthwhile.

I found that streaming video (Netflix) didn't work well via the wireless connection to my DVD player, but when I went to the trouble to install wired Ethernet the problems were resolved. Otherwise I use wireless at home.
Posted by: ireckon

Re: Home Network Security - 02/01/13 06:57 AM

I didn't read the whole thread, but we all noticed she had no password, right? So, for security, I recommend starting with a password.
Posted by: bws48

Re: Home Network Security - 02/01/13 02:06 PM

Originally Posted By: chaosmagnet

I found that streaming video (Netflix) didn't work well via the wireless connection to my DVD player, but when I went to the trouble to install wired Ethernet the problems were resolved. Otherwise I use wireless at home.


I stream Netflix and Amazon videos over our wireless all the time with fine results. However, I use my laptop and plug it into the TV with an HDMI cable. I have noticed that the wi-fi in the DVD player can be a bit fussy at times. I suspect the problem is in the player, not the link itself.
Posted by: GarlyDog

Re: Home Network Security - 02/01/13 03:06 PM

This is a little off topic, but it pays to check your Internet speed using a website such as www.speedtest.net.

I often find that my customers aren't getting the speed from their Internet service provider (ISP) that they expect. Often, the speed is significantly less than expected. This isn't because the service isn't being provided, it is because they are using older cable modems or older wireless routers. Most older devices don't allow the higher speed through the WAN port and they get throttled down to 5 or 6 mbps even though their ISP may provide speeds rated many times higher. This frequently happens on the wireless side, but can also be apparent on the wired side as well.
Posted by: JPickett

Re: Home Network Security - 02/01/13 03:59 PM

Thanks to ALL of you! I consider a day I learn something new a good day. Today, I've learned about Ethernet, (which I had assumed meant wireless, ie radio waves coming over the "aether") wired vs wireless networks, network security, and secure passwords. Even a little humor. I'll have to mark this day with a white stone. Thanks again.
Posted by: ireckon

Re: Home Network Security - 02/01/13 04:59 PM

I learned something new about long, somewhat random passwords. The cartoon is great.

Further, in my universe, there are well over 100 passwords I need to know, and every password verifier I have is case sensitive. So, the "26" number that some are using above is "52" for me. For example...

Originally Posted By: LCranston
Quick append- length is good. length plus more characters is better.
there are 10 numbers- so using just numbers
password complexity = length times 10. 8 digit give 99,999,999 combos
there are 26 letters, 36 letters plus numbers- same 8 digit is 36 to the 8th power (36*36*36*36*36*36*36*36)-
with special characters you go from 36 characters to over 50
now (50*50*50*50*50*50*50*50)


So, those complexities become...

(52*52*52*52*52*52*52*52) for letters only
(62*62*62*62*62*62*62*62) for letters and numbers
(76*76*76*76*76*76*76*76) for letters, numbers, and special characters

So, length with only letters is HOLY COW, TOTALLY AWESOME. Adding numbers and special characters is useless overkill for my purposes. Literally, adding numbers and special characters kills the ease of remembrance, while adding needless complexity.

Thus, the general rule of "long, letters only, and at least somewhat random" remains a fantastic rule.
Posted by: chaosmagnet

Re: Home Network Security - 02/01/13 07:27 PM

Originally Posted By: ireckon
So, length with only letters is HOLY COW, TOTALLY AWESOME.


Just a caution that the entropy of length with only letters is significantly degraded when you use words. A dictionary attack will usually be able to crack a very long password if it's made up of words.

Another way to create a memorable password that is quite complex is to start with a phrase, like, "Fred, the mailman, always arrives by 11:30 AM on weekdays." That can be shortened to "F,tm,aab11:30AMow."
Posted by: Arney

Re: Home Network Security - 02/01/13 08:16 PM

Originally Posted By: chaosmagnet
Just a caution that the entropy of length with only letters is significantly degraded when you use words. A dictionary attack will usually be able to crack a very long password if it's made up of words.

True statement, but the context is critical, too.

For example, at work, our ability to log in will lock out for 12 hours after three unsuccessful log in attempts. So, as far as keeping out someone trying to remotely connect to my work network and trying to guess my password, even a single, randomly chosen word (i.e. no particular association to me, like a hobby, pet name, etc. and isn't dumb like "password" or "asdf") is pretty much secure against that. An attacker is better off using some other method to get in.

Of course, if I'm worried about my encrypted copy of some unnamed high official's real birth certificate (I'm just joking) falling into the wrong hands, and an attacker can run a thousand keys a second against that file for weeks and months, then the reduction in entropy by using words certainly becomes very important.

Not saying that my home network has a copy of said document--if any high level, well connected parties are listening in... wink
Posted by: chaosmagnet

Re: Home Network Security - 02/01/13 10:23 PM

Originally Posted By: Arney
For example, at work, our ability to log in will lock out for 12 hours after three unsuccessful log in attempts. So, as far as keeping out someone trying to remotely connect to my work network and trying to guess my password, even a single, randomly chosen word (i.e. no particular association to me, like a hobby, pet name, etc. and isn't dumb like "password" or "asdf") is pretty much secure against that. An attacker is better off using some other method to get in.


In my previous line of work, I had a nice little sideline in password cracking as part of a security assessment. As I'm sure I've mentioned before, I never did any security assessment work without a signed letter of authorization from the appropriate parties.

Anyway, there are some systems out there where the hashed passwords cannot be extracted to run attacks against them by an unprivileged attacker. But there aren't very many grin.
Posted by: James_Van_Artsdalen

Re: Home Network Security - 02/01/13 11:46 PM

Originally Posted By: Arney

For example, at work, our ability to log in will lock out for 12 hours after three unsuccessful log in attempts.

So what? The attacker need not attempt a login until they have derived a good password, if they can sniff enough traffic.

Security is a tough problem and hardened sites are expensive to deploy, even more expensive to maintain, and require big restrictions on usability. In the real world you have to size the solution to match the threats & consequences.

For myself and clients the threshold is preventing drive-by (literally) downloads of kiddie porn. So it's WPA with a very strong PSK (63 characters, each from an RNG). That's not as good or as easy as certificates but it's a fair trade-off that works in our cases.
Posted by: JBMat

Re: Home Network Security - 02/02/13 02:21 PM

Social engineering works the best. Get to know someone and half the time you can guess the password.

Case in point - was in a buddy's office, asked to use his PC for a minute, and it was pw protected. Jokingly he said to guess his password. Got it in one. He then changed the password, got it in one again. It helped I knew him fairly well, what he was into, and some other personal data. Half the time, look at someone's desk - pictures, plaques, name plates, awards, that stuff. The password is usually right there.
Posted by: ireckon

Re: Home Network Security - 02/02/13 04:26 PM

Originally Posted By: JBMat
Social engineering works the best. Get to know someone and half the time you can guess the password.

Case in point - was in a buddy's office, asked to use his PC for a minute, and it was pw protected. Jokingly he said to guess his password. Got it in one. He then changed the password, got it in one again. It helped I knew him fairly well, what he was into, and some other personal data. Half the time, look at someone's desk - pictures, plaques, name plates, awards, that stuff. The password is usually right there.


That's when the addition of a strange character increases the security substantially.
Posted by: Arney

Re: Home Network Security - 02/02/13 05:38 PM

Originally Posted By: James_Van_Artsdalen
So what? The attacker need not attempt a login until they have derived a good password, if they can sniff enough traffic.

REDACTED I'm trying to make a point about entropy, not the security of a particular set up. Besides, you're talking wifi sniffing, aren't you? I'm using a Remote Desktop example.

OK, throw in a VPN to an RDP login with a lock out after three wrong attempts. Then back to my point about the entropy of dictionary words versus random text passwords. If someone is trying to brute force a password in a rate limited scenario, the password does not have to be as complicated compared to a situation where someone can freely brute force a password as fast as their hardware allows, so the entropy gain in using non-dictionary words may not matter, practically speaking, and may actually be a detriment if these passwords are more easily forgotten.
Posted by: Am_Fear_Liath_Mor

Re: Home Network Security - 02/02/13 09:36 PM


Lots of good information everyone, so to summarize

i) Upgrade your router's firmware to the latest version

ii) Use the highest router security settings encryption your clients will support.

iii) Use a long password using a random character string, preferably more than 256 bits, i.e. > 16 characters

iv) Create a MAC address filtering list.

v) Ensure your router password is just as strong.

vi) The SAS wannabe thunderflash bang throwing Walter SWAT team may still turn up at your front door before kicking it in. Counter terrorism/police stupidity is sometimes difficult to counter act or prepare for. laugh

http://www.youtube.com/watch?v=62OmbAWC08o
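
The keyspace, word-list and lock-out arguments made across the thread, worked through as an added example that is not part of any poster's message. The guess rates are the figures quoted in the posts; the word-list sizes (7776 for Diceware, 2048 for the xkcd comic), the 94-symbol printable set, the function names and the sample word list are assumptions or constructed values.

```python
import math
import secrets
import string

SECONDS_PER_DAY = 86_400

# Guess rates (guesses per second) taken from figures quoted in the thread.
RATES = {
    "3 per 5 min time-out": 3 / 300,
    "3 per 12 h lock-out": 3 / (12 * 3600),
    "offline, 1000 keys/s": 1_000.0,
}

# Constructed sample list, far too small for real use. Real Diceware uses a
# 7776-word list (five dice per word); the xkcd comic assumes 2048 words.
DEMO_WORDS = ["anvil", "breeze", "cobalt", "dune", "ember", "fjord", "gourd", "harbor"]


def bits_random_chars(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_random_words(n_words, wordlist_size):
    """Entropy in bits of `n_words` drawn uniformly from a word list.
    This is the space a word-combination (dictionary) search has to cover,
    no matter how many characters the resulting string has."""
    return n_words * math.log2(wordlist_size)


def days_to_exhaust(guesses, guesses_per_second):
    """Worst-case days needed to try every candidate at a fixed rate."""
    return guesses / guesses_per_second / SECONDS_PER_DAY


def generate_passphrase(wordlist, n_words=6, sep=" "):
    """Diceware-style passphrase: a CSPRNG picks each word, not the user."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_psk(length=63):
    """Random WPA/WPA2 passphrase (the standard allows 8 to 63 printable
    ASCII characters); drawn here from 94 symbols, space excluded."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare():
    """Return (label, bits, {rate name: worst-case days}) per scheme."""
    schemes = [
        ("1 random word, 7776-word list", bits_random_words(1, 7776)),
        ("8 random lowercase letters", bits_random_chars(8, 26)),
        ("8 random chars, 94 symbols", bits_random_chars(8, 94)),
        ("4 random words, 2048-word list", bits_random_words(4, 2048)),
        ("6 random words, 7776-word list", bits_random_words(6, 7776)),
        ("25 random lowercase letters", bits_random_chars(25, 26)),
        ("63 random chars, 94 symbols", bits_random_chars(63, 94)),
    ]
    rows = []
    for label, bits in schemes:
        guesses = 2.0 ** bits
        days = {name: days_to_exhaust(guesses, rate) for name, rate in RATES.items()}
        rows.append((label, bits, days))
    return rows


if __name__ == "__main__":
    for label, bits, days in compare():
        cells = "  ".join(f"{name}: {d:10.3g} d" for name, d in days.items())
        print(f"{label:32s} {bits:6.1f} bits  {cells}")
    print("sample passphrase (constructed list):", generate_passphrase(DEMO_WORDS))
    print("sample 63-character key:", generate_psk())
```

The same 25-character string scores about 117 bits if it was drawn letter by letter and 44 bits if it is four words from a 2048-word list, so the figure that matters is the size of the space the words or characters were chosen from at random.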