Many of us would be using wireless networks at home, perhaps always on. There are a few different standards for encryption, the oldest one of which, WEP, is easy to crack. I was alarmed to find I was still using it! I bought a new router/modem unit as a result. It uses WPA2, if you are parked outside my place. The newest standard is WPS, but my computer could not handle it. Now it seems WPS might not be the ant's pants after all.
I use several different security measures, one is never enough: a good password, WPA2 and MAC address blocking. I have never been hacked, so I must be doing something right.
Or you just don't know that someone else owns your ass!
Quote:
Originally Posted by Astro_Bot
That's not proof of anything! I could just as well say that I've never been shot, so I must be impervious to bullets.
+1 for MAC address blocking. That will all but sort out access to your network - and funny how that article never mentions this basic and fairly robust security measure.
Any wireless data can be intercepted and brute force decoded by a suitably determined person. The question you have to ask though is 'what are you moving across your wireless network (unprotected by https) that anyone will be able to use?' If you believe that your network traffic is that sensitive, then don't send it.
Despite our paranoia, there are far easier ways to steal identities and personal details than snooping wi-fi. Given the choice over sitting outside your house for hours waiting for something interesting to be transmitted versus breaking a window and pinching your wallet...
Get yourselves a safety deposit box at your bank if you really care. There is nothing on any of my computers, or in my filing cabinet, that will allow a crook access to the only thing I ultimately care about beyond family - my bank account!
It slows things down a lot, but MAC spoofing (and a whole lot more) is pretty easy, so it's no panacea. If you can guess the router vendor, you can often narrow down the MAC range.
The general rule you mention is true: if you don't want anyone to know, don't put it on an internet-facing network, because it's mostly just a cheap, opaque and only partially-configurable router/firewall between you and ... well, everyone.
That's not proof of anything! I could just as well say that I've never been shot, so I must be impervious to bullets.
Wireless security is never 100% safe. All you can do is make it so difficult that the perp doesn't think it is worth the time to break in. Given enough time you can break any system, but that increases their risk of discovery, so they move on to an easy target.
Quote:
Originally Posted by tlgerdes
Or you just don't know that someone else owns your ass!
Any IT tech worth his or her weight in gold can tell when something isn't right. There are always signs that someone has hacked you if you pay attention.
Some intrusions go for months undetected (just ask the Pentagon) but the real question is how many are never detected? If you listen to the crackers on underground forums, a good proportion are never discovered.
How about wireless with 2-factor RSA authentication and WPA2-AES? I know RSA was compromised earlier, but a repeat would require a number of variables to be right. Most LWAPP APs use SSL tunnels to the WLC.
Also, I thought WPA2 was not yet compromised, other than one Japanese professor demonstrating that it could be. That was a while ago though.
I just use MAC addresses on my wifi (for convenience more than security), so if anyone wants to hack mine, be my guest. Even MAC addresses are a nuisance to set up sometimes. My wifi does not recognise new clients unless the signal is strong, and even then I need to look up the MAC address and enter it manually most of the time.
If you can get anything worthwhile I would be interested, because it may be useful to me. If you are worried about security on a computer, just don't use it to store anything that you don't want the world to know.
Barry
PS Years ago when DOS was king I had my office computer HD arranged into multiple drives. I kept all the games and pirated programs on hidden drive "G" and used an innocuous batch file with encoded non-keyboard characters to access the drives.
The IT people used to come around with a disk to examine your computer for stuff that shouldn't be there. It never ever found my "special" drives. BG
Last edited by Barrykgerdes; 22-12-2012 at 11:21 AM.
I'm not an expert on this sort of stuff ... (I know enough to keep me out of trouble) but what about using 'packet inspection'?
If you haven't requested it through your firewall ... then the firewall (a decent one) should block / reject any incoming data / ping etc.
Another thing ... anything trying to 'phone home' with your data ... it would be great if it was sent to an IP address of 127.0.0.1 ... in other words ... no man's land ... a dead end ... or just keeps 'looping'.
One other thing ... make sure your file sharing port 139 (NetBIOS) is either closed (a hacker with a port scanner will still see it and may return later to see if it is open) ... or better still ... port 139 is in 'Stealth' mode ... can't be seen.
Below is a report on my computer's vulnerability to the Internet ... done a few minutes ago.
I deliberately requested a server in Colorado USA to do a 'packet inspection' on my computer.
My computer refused to 'respond' to the 'intrusion'.

GRC Port Authority Report created on UTC: 2012-12-22 at 00:39:14
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested
ALL PORTS tested were found to be: STEALTH.
TruStealth: PASSED
- ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
I am using both Wireless and Ethernet cable connected Computers to the Internet.
Flash ..!!
Last edited by FlashDrive; 23-12-2012 at 09:10 AM.
If you want to add extra protection to your wireless network, hide the broadcast SSID. So when you want to connect to the network your modem will not show, and you will have to enter the SSID, security encryption type and password manually. This is so people with wireless modems who live around you can't pick up your modem at all unless they know the name and other credentials.
Stefan, hiding the SSID doesn't help much. Some devices won't connect, and anyone with a wireless sniffer will eventually pick up connection packets containing the SSID. WPA2 with a complex passphrase is about as good as shared secret crypto gets at the moment. If you want more, you need centralised security like RADIUS, and I've never got that to work on my network.
WPA2 is as good as it gets for now. I mean still practical for a home user. If you use MAC addresses you can further control connections to your network. It's just a little longer to set up, but it's a one-off and then you can leave it as is. Only recognised devices will be able to connect as it's restrictive. Hiding your SSID is like shoving your head in the sand. Any kiddy will find it in about 5 min or so. Just make your pwd long and mixed with symbols and alphanumeric characters.
There is no 100% protection against being hijacked. But it comes back to doing as much as you can to make it as hard as possible.
If someone is wanting to steal WiFi, they are likely to pick up several sources from wherever they sit and do their detection. They will always go for the easier targets first... so if yours has as much security as possible, you go to the bottom of their hit list.
So far I have not had any break-ins to my home setup... WPA2, AES, hidden SSID, long tricky pass-phrase, and my router set up so it only has enough IP addresses for the devices I connect with, and I change the pass-phrase now and then.
When I was running my own e-mail server (don't do it anymore) I was constantly being attacked over the net, always unsuccessfully. But so far no one has gotten into my setup... via net or WiFi. I say so far... because I don't want to be complacent.
Keep all your gear updated with the latest security patches, pick a router with a good firewall, run anti-virus / anti-malware software, don't visit too many dodgy web sites and become infected with trojans and bots, put as much security as you can on your WiFi.
After that you have done as much as you can... an expert with enough time and motivation would still be able to get in... but I can't see why anyone would spend the effort needed to hack me when there are much easier targets around.
For most purposes the combination of the following two security measures will suffice:
WPA2 (AES) with a reasonably long password (12+ characters with non-dictionary words and letters)
A unique SSID of good length with non-dictionary and non-company-name words/letters.
This is all you need, and your network is unlikely to be overcome by even the most seasoned hacker from the wireless side. Obviously if your computer is virus/trojan infested or if you use Internet Explorer, then your chances of leaking information through the Internet side through phone-home software skyrocket.
MAC address filtering and SSID hiding can be overcome by a novice with any of the dozens of automated hacking programs that are a Google search away, and should only be used as temporary measures if you're unable to utilise WPA2 for whatever reason in the short-term.
They have the added disadvantage of being a headache and obstacle when you're trying to legitimately manage a dozen wireless devices on your network (phones, laptops, tablets, TV/media players, etc).
Recommendations to use just MAC filtering or SSID hiding based on anecdotal evidence of "I haven't been hacked yet" are unfortunately doing other people here a disservice, as they may be in more dense areas where there are more "eyes" that may take an interest in the network.
No-one said to use MAC filtering and SSID hiding alone to protect the network, but every layer that makes the intruder have to spend more time parked outside your house means they are closer to being discovered. The idea is to make it slower to invade so they move on to easier targets.
Quote:
No-one said to use MAC filtering and SSID hiding alone to protect the network
Are you sure?
Quote:
Originally Posted by AstroJunk
+1 for MAC address blocking. That will all but sort out access to your network - and funny how that article never mentions this basic and fairly robust security measure.
Sounds like a fairly strong recommendation that MAC filtering is all you need.
Quote:
but every layer that makes the intruder have to spend more time parked outside your house means they are closer to being discovered. The idea is to make it slower to invade so they move on to easier targets.
I can see where you're coming from, but my point is that with a strong WPA2 password with good SSID, you don't need to make it slower to invade, as they are stopped dead in their tracks purely from the mathematical barrier presented by the encryption in the WPA2 standard.
If the standard was a bit weaker and easier to overcome then I'd be agreeing with you about extra layers of security, but in my opinion adding MAC filtering and SSID hiding on top of WPA2 is completely unnecessary.
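Added example, not part of the thread: the recommendation above (WPA2 with a long passphrase plus a unique SSID) follows from how WPA2-Personal derives its key, which is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. The SSIDs, passphrase and guess rate below are constructed assumptions, and the helper names are hypothetical.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal pairwise master key (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # The SSID is the salt, so a key table built for one SSID is useless for another.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """Bits of search space for a uniformly random passphrase.
    95 = printable ASCII; human-chosen passphrases have less."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    phrase = "Tq7#vRm2!xLp"     # constructed 12-character sample
    rate = 1e6                   # assumed guesses per second, for illustration
    for ssid in ("NETGEAR", "obs-7f3k-home"):   # common vs unique, both constructed
        print(f"{ssid:15s} {wpa2_pmk(phrase, ssid).hex()}")
    print(f"12 random chars: {keyspace_bits(12):.1f} bits, "
          f"{years_to_exhaust(keyspace_bits(12), rate):.2e} years")
    print(f"8 digits:        {keyspace_bits(8, 10):.1f} bits, "
          f"{years_to_exhaust(keyspace_bits(8, 10), rate) * 365.25 * 86400:.0f} seconds")
```

The same passphrase yields unrelated keys under the two SSIDs, which is why a default or common SSID weakens an otherwise good passphrase; MAC filtering and SSID hiding add nothing to this calculation.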