Wireless network security for IIS geeks


GeoffW1
21-12-2012, 06:52 PM
Hi,

Many of us would be using wireless networks at home, perhaps always on. There are a few different standards for encryption, the oldest one of which, WEP, is easy to crack. I was alarmed to find I was still using it! I bought a new router/modem unit as a result. It uses WPA2, if you are parked outside my place :lol: The newest standard is WPS, but my computer could not handle it :mad2: Now it seems WPS might not be the ant's pants after all.

Some info (safe site)

https://windowssecrets.com/newsletter/routers-using-wps-are-intrinsically-unsafe/#story1

https://windowssecrets.com/top-story/putting-wi-fi-routers-security-to-the-test/

If you can understand all this let us know :rofl: We will appoint you guardian of the Netgear Gateway :thumbsup:

Cheers

Astro_Bot
21-12-2012, 07:03 PM
Everywhere I've worked has banned Wi-Fi (for good reason, as far as I can see).

I don't use it at home, though I might in a hotel, for example, as there seems little additional risk compared to a "public" internet connection.

supernova1965
21-12-2012, 09:02 PM
I use several different security measures one is never enough: a good password, WPA2 and MAC address blocking. I have never been hacked, so I must be doing something right.

Astro_Bot
21-12-2012, 09:27 PM
That's not proof of anything! I could just as well say that I've never been shot, so I must be impervious to bullets.

tlgerdes
21-12-2012, 09:32 PM
Or you just don't know that someone else owns your ass!



:rofl::rofl:

AstroJunk
22-12-2012, 02:56 AM
+1 for MAC address blocking. That will all but sort out access to your network - and funny how that article never mentions this basic and fairly robust security measure.

Any wireless data can be intercepted and brute force decoded by a suitably determined person. The question you have to ask though is 'what are you moving across your wireless network (unprotected by https) that anyone will be able to use?' If you believe that your network traffic is that sensitive, then don't send it.

Despite our paranoia, there are far easier ways to steal identities and personal details than snooping wi-fi. Given the choice over sitting outside your house for hours waiting for something interesting to be transmitted versus breaking a window and pinching your wallet...

Get yourselves a safety deposit box at your bank if you really care. There is nothing on any of my computers, or in my filing cabinet, that will allow a crook access to the only thing I ultimately care about beyond family - my bank account!

Astro_Bot
22-12-2012, 03:16 AM
It slows things down a lot, but MAC spoofing (and a whole lot more) is pretty easy, so it's no panacea. If you can guess the router vendor, you can often narrow down the MAC range.

The general rule you mention is true: if you don't want anyone to know, don't put it on an internet-facing network, because it's mostly just a cheap, opaque and only partially-configurable router/firewall between you and ... well, everyone.

I think this comic sums things up fairly well: http://xkcd.com/538/

troypiggo
22-12-2012, 07:01 AM
Cool! I'm bullet-proof!

supernova1965
22-12-2012, 08:29 AM
Wireless security is never 100% safe; all you can do is make it so difficult that the perp doesn't think it is worth the time to break in. Given enough time you can break any system, but that increases their risk of discovery, so they move on to an easy target.

Any IT tech worth his or her weight in gold can tell when something isn't right; there are always signs that someone has hacked you if you pay attention.

Astro_Bot
22-12-2012, 08:43 AM
I'd like to see that! ;)


Some intrusions go for months undetected (just ask the Pentagon) but the real question is how many are never detected? If you listen to the crackers on underground forums, a good proportion are never discovered.

alistairsam
22-12-2012, 09:29 AM
How about wireless with 2-factor RSA authentication and WPA2-AES? I know RSA was compromised earlier but a repeat would require a number of variables to be right. Most LWAPP APs use SSL tunnels to the WLC.
Also, I thought WPA2 was not yet compromised other than one Japanese professor demonstrating that it could be. That was a while ago though.

Barrykgerdes
22-12-2012, 11:11 AM
I just use MAC addresses on my wifi (for convenience more than security) so if anyone wants to hack mine be my guest. Even MAC addresses are a nuisance to set up sometimes. My wifi does not recognise new clients unless the signal is strong and even then I need to look up the MAC address and enter it manually most of the time.

If you can get anything worthwhile I would be interested because it may be useful to me. If you are worried about security on a computer just don't use it to store anything that you don't want the world to know.

Barry

PS Years ago when DOS was king I had my office computer HD arranged into multiple drives. I kept all the games and pirated programs on hidden drive "G" and used an innocuous batch file with encoded non keyboard characters to access the drives.
The IT people used to come around with a disk to examine your computer for stuff that shouldn't be there. It never ever found my "special" drives. BG

FlashDrive
22-12-2012, 11:25 AM
I'm not an expert on this sort of stuff ... ( I know enough to keep me out of trouble ) but what about using ' packet inspection '
If you haven't requested it through your firewall ...then the firewall ( a decent one ) should block / reject any incoming data / ping etc.

Another thing ... anything trying to ' phone home ' with your data .... it would be great if it was sent to an IP Address of 127.0.0.1 ...in other words...no man's land ... a dead end....or just keeps ' looping '

One other thing ...make sure your file sharing port 139 ( NetBIOS ) is either closed ( a hacker with a port scanner will still see it and may return later to see if it is open ) ... or better still ..Port 139 is in 'Stealth' mode ...can't be seen.

Below is a report on my Computer's vulnerability to the Internet.... done a few minutes ago.
I deliberately requested a server in Colorado USA to do a ' packet inspection' on my Computer.

My Computer refused to ' respond ' to the ' intrusion '
GRC Port Authority Report created on UTC: 2012-12-22 at 00:39:14
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED
- ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.


Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

I am using both Wireless and Ethernet cable connected Computers to the Internet.

Flash ..!!

04Stefan07
28-12-2012, 08:45 AM
I use WPA2 encryption with my wireless at home.

If you want to add extra protection to your wireless network, hide the broadcast SSID. So when you want to connect to the network your modem will not show and you will have to enter the SSID, security encryption type and password manually. This is so people with wireless modems who live around you can't pick up your modem at all unless they know the name and other credentials.

mithrandir
29-12-2012, 11:17 AM
Stefan, hiding the SSID doesn't help much. Some devices won't connect, and anyone with a wireless sniffer will eventually pick up connection packets containing the SSID. WPA2 with a complex passphrase is about as good as shared secret crypto gets at the moment. If you want more, you need centralised security like RADIUS, and I've never got that to work on my network.

multiweb
29-12-2012, 11:24 AM
WPA2 is as good as it gets for now. I mean still practical for a home user. If you use MAC addresses you can further control connections to your network. It's just a little longer to set up but it's a one-off and then you can leave it as is. Only recognised devices will be able to connect as it's restrictive. Hiding your SSID is like shoving your head in the sand. Any kiddy will find it in about 5 min or so. Just make your pwd long and mixed with symbols and alphanumeric characters.

Eggmoon
29-12-2012, 05:59 PM
All very good points above.

There is no 100% protection against being hijacked. But it comes back to doing as much as you can to make it as hard as possible.

If someone is wanting to steal WiFi, they are likely to pick up several sources from wherever they sit and do their detection. They will always go for the easier targets first... so if yours has as much security as possible, you go to the bottom of their hit list.

So far I have not had any break ins to my home setup... WPA2, AES, Hidden SSID, Long tricky pass-phrase, and my router set up so it only has enough IP addresses for the devices I connect with, and I change the pass-phrase now and then.

When I was running my own e-mail server (don't do it anymore) I was constantly being attacked over the net, always unsuccessfully. But so far no one has gotten into my setup... via net or WiFi. I say so far... because I don't want to be complacent.

Keep all your gear updated with the latest security patches, pick a router with a good firewall, run anti-virus / anti-malware software, don't visit too many dodgy web sites and become infected with trojans and bots, put as much security as you can on your WiFi.

After that you have done as much as you can... an expert with enough time and motivation would still be able to get in... but I can't see why anyone would spend the effort needed to hack me when there are much easier targets around.

deadsimple
20-01-2013, 04:58 PM
For most purposes the combination of the following two security measures will suffice:



WPA2 (AES) with a reasonably long password (12+ characters with non-dictionary words and letters)
A unique SSID of good length with non-dictionary and non-company-name words/letters.

This is all you need and your network is unlikely to be overcome by even the most seasoned hacker from the wireless side. Obviously if your computer is virus/trojan infested or if you use Internet Explorer, then your chances of leaking information through the Internet side through phone-home software skyrocket.

MAC address filtering and SSID hiding can be overcome by a novice with any of the dozens of automated hacking programs that are a google search away, and should only be used as temporary measures if you're unable to utilise WPA2 for whatever reason in the short-term.

They have the added disadvantage of being a headache and obstacle when you're trying to legitimately manage a dozen wireless devices on your network (phones, laptops, tablets, TV/media players, etc).

Recommendations to use just MAC filtering or SSID hiding based on anecdotal evidence of "I haven't been hacked yet" are unfortunately doing other people here a disservice, as they may be in more dense areas where there are more "eyes" that may take an interest in the network.
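
Added example (not part of deadsimple's post or of the thread): WPA2-PSK derives its 256-bit master key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, which is why the post pairs a long passphrase with a unique SSID. The sample SSID list, the sample passphrases and the guessing rate below are assumptions made up for illustration.

```python
import hashlib
import math

# Constructed sample of factory-default network names (not from the thread).
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default"}

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 4096 iterations and a 32-byte output are fixed by IEEE 802.11i.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def random_passphrase_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy in bits; valid only if every character is chosen at random."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def audit(passphrase: str, ssid: str) -> list[str]:
    """Check a home network's settings against the two measures in the post."""
    findings = []
    if len(passphrase) < 12:
        findings.append("passphrase shorter than 12 characters")
    if ssid.lower() in COMMON_SSIDS:
        findings.append("SSID is a common default, so precomputed key tables may cover it")
    return findings

if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys share nothing.
    for ssid in ("linksys", "obs-shed-4711"):  # constructed SSIDs
        print(ssid, wpa2_pmk("correct horse battery", ssid).hex())
    rate = 1e6  # assumed guesses per second, for illustration only
    print("8 random lowercase:", years_to_exhaust(random_passphrase_bits(8, 26), rate), "years")
    print("12 random printable:", years_to_exhaust(random_passphrase_bits(12), rate), "years")
    print(audit("password", "linksys"))
```

The entropy figure is an upper bound: a passphrase built from dictionary words or a reused password has far fewer effective bits than its length suggests.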

supernova1965
20-01-2013, 05:16 PM
No-one said to use MAC filtering and SSID hiding alone to protect the network, but every layer that makes the intruder have to spend more time parked outside your house means they are closer to being discovered. The idea is to make it slower to invade so they move on to easier targets.

deadsimple
20-01-2013, 05:46 PM
Are you sure?



Sounds like a fairly strong recommendation that MAC filtering is all you need.

I can see where you're coming from, but my point is that with a strong WPA2 password with good SSID, you don't need to make it slower to invade, as they are stopped dead in their tracks purely from the mathematical barrier presented by the encryption in the WPA2 standard.

If the standard was a bit weaker and easier to overcome then I'd be agreeing with you about extra layers of security, but in my opinion adding MAC filtering and SSID hiding on top of WPA2 is completely unnecessary.

AstroJunk
20-01-2013, 06:38 PM
[QUOTE=deadsimple;937152]Sounds like a fairly strong recommendation that MAC filtering is all you need.[/QUOTE]

Only if you ignore the previous post that recommended the addition of MAC filtering to WPA2. It was not my intention to mean MAC alone and thankfully the rest of humanity got the point :P

supernova1965
20-01-2013, 06:47 PM
In AstroJunk's quote you edited out most of what AstroJunk said. Selective quoting is too often used to skew what was said by someone. If you quote someone, at least don't edit out some of what they say when it doesn't support your point; it's disrespectful.

deadsimple
20-01-2013, 07:29 PM
Ah yes, diving into specific quotes now. Let me get my dissection kit :)



In the previous post you're referring to, supernova1965 talks about "different security measures one is never enough" - note "measures" in plural.

Your reply started with "+1 for MAC address blocking", followed immediately by "That will all but sort out access to your network", and "funny how that article never mentions this basic and fairly robust security measure".

Note the specific mention and recommendation of MAC address blocking by you, singular reference to "security measure" and no mention of WPA2, which naturally leads one to assume you are praising MAC address blocking for being "fairly robust" - which it isn't. If you really did mean both then I apologise for not being able to mind-read :) <-- yes, humour involved as I'm not having a personal go at anyone.



Huh?? I don't know why you're saying that. There's nothing disrespectful nor sneaky about my edit. The second part of his post talked wireless security philosophy in general and sensitivity of what you're broadcasting (most of his points which I agree with) - which is not a line of discussion I am addressing nor intending to address in any of my posts.

My comments are about the implications of the security provided by WPA2 encryption. i.e. that since WPA2, the likelihood of being bruteforced with a good password is so remote compared to older standards (like WEP or WPA with TKIP), that extra security layers for home networks are mostly unnecessary and more of an annoyance for legitimate access. It's not like NCIS where all it takes is some whiz-kid with enough time in front of the keyboard to "crack" a network :) There's a strong and real mathematical basis behind WPA2, but of course if news of an exploit is released, then it'll be time to re-evaluate things and move onto a stronger standard. Until then ....

Think we need to calm down a bit before throwing accusations about people's posting intentions around :)

EDIT: I would like to add that for business or government networks, it is of course good practice to have extra authentication/encryption on top of regular WPA2 (MAC filtering is of course not one of them), as having all the encrypted traffic recorded by someone and decrypted 10-20 years down the track when it's more feasible to crack .. can really be almost as bad as having it decrypted and accessible now. Not really an issue for home users with the typical stuff they would have on their computers.

tlgerdes
20-01-2013, 09:51 PM
Put it this way, if they wanted your information, they'd get it, regardless of what wireless security you had.

1 Find out where you hang out online, like ISS.
2 Ingratiate themselves to your circle of friendship, ask for help on a few astro topics.
3 Send you a malicious payload in PM tailored to the IT infrastructure you have previously told everyone about win/Mac/linux - click here and have a look at my website that describes my issue, or here is a PDF in which I have been keeping track of my problem.
4 They now own your computer, they infect all other devices they can on your network within 3 mins.
5 They tell all their software to go to sleep for 2 months.
6 They start up and collect your info and send it to their C&C server at regular intervals.

And they did all of this from 10,000kms away from your "secured" wireless access point, and your Antivirus program didn't bleep once during the whole affair.

AstroJunk
20-01-2013, 10:29 PM
That reminds me Trevor, I've a great processing tip to share with you. Send me your email and I'll mail it straight away. Oh and BTW, what's your IP, mother's maiden name and bank sort code...

:rofl:

deadsimple
20-01-2013, 11:11 PM
Hah, nice post! Anyway I think on a home network, intruders are far more likely to be interested in just using your connection for downloading or for illegal activities. Though I've heard of some who just leeched and/or deleted movie/music collections from people's computers. Funny how many people don't care about security until their precious media gets touched :)

tlgerdes
21-01-2013, 06:28 AM
You forgot to ask what sort of computer I use. No use sending me windows malware if I use a Mac.

tlgerdes
21-01-2013, 06:37 AM
Likewise, the people who could break into your wireless would probably have a better internet service than you do, so leeching isn't their goal, and probably have downloaded all the same movies as you have.

They would do it, just as you say, just to delete your media library and annoy you and leave you a message on your email from yourself telling you how to make your system more secure.

The old adage, you don't have to be the fastest person running away from the lion, just not the slowest.