Router security

[GeoffW1 (Geoff)]

Hi,

All this stuff has been said before, but this newsletter is still a worthy read (it is safe)

https://windowssecrets.com/newslette...-helpful-tips/

Cheers

[jase (Jason)]

Interesting statement around WPS. Recent equipment I purchased requires physical access to the device to trigger WPS negotiation. i.e. you have to press a button in order to trigger the wireless devices (routers, bridges, whatever) to peer. From the tests I performed unless the button is pressed, the device ignores any WPS negotiation packets from peering requested devices. In any case, turn off WPS anyway. Its just a lazy way of connecting to the network if you've forgotten your SSID and WPA2 credentials.

Hidding the SSID is a security by obscurity approach that is flawed with the plethora of tools available. Android tools such as WiFinder, Fing, etc make it easy to discover networks.

[multiweb (Marc)]

Quote:

Originally Posted by jase

Interesting statement around WPS. Recent equipment I purchased requires physical access to the device to trigger WPS negotiation. i.e. you have to press a button in order to trigger the wireless devices (routers, bridges, whatever) to peer. From the tests I performed unless the button is pressed, the device ignores any WPS negotiation packets from peering requested devices. In any case, turn off WPS anyway. Its just a lazy way of connecting to the network if you've forgotten your SSID and WPA2 credentials.

Hidding the SSID is a security by obscurity approach that is flawed with the plethora of tools available. Android tools such as WiFinder, Fing, etc make it easy to discover networks.

+1. WPS is a whole can of worms. Best thing to do is the following:

1_ use WPA2.
2_ don't broadcast SSID (do it if you can - everything helps).
3_ Use MAC addresses and restrict access.

You shouldn't have any issue then #3 is the most secure way to lock everything to known devices with your wireless range and it's dead easy to do.

[killswitch (Edison)]

WPS and uPnP have been known to be exploited so careful with these. Also WPA*1 has been cracked by the japanese a couple of years ago.

Quote:

Originally Posted by multiweb

3_ Use MAC addresses and restrict access.

You shouldn't have any issue then #3 is the most secure way to lock everything to known devices with your wireless range and it's dead easy to do.

Do not depend on mac filtering alone. Its very easy to spoof a mac address. An adapters mac address on a windows PC can actually be changed in the registry

[multiweb (Marc)]

Quote:

Originally Posted by killswitch

WPS and uPnP have been known to be exploited so careful with these. Also WPA*1 has been cracked by the japanese a couple of years ago.



Do not depend on mac filtering alone. Its very easy to spoof a mac address. An adapters mac address on a windows PC can actually be changed in the registry

Ouch... nasty. I wasn't aware of this. Oh well, a strong pwd still stands in that case. So to spoof a MAC address you'd need to know one. Is there a way to find that out as well from an existing established connection like reading a SSID?

[killswitch (Edison)]

Yes a packet sniffer could easily pick it up. The Mac address is purposely stored on the outer encapsulation layer of a packet which isn't encrypted.

Also another beware, if you see a wifi access point named similar to yours but on a different security mode, do NOT connect to it at all, it is a trap.

[tlgerdes (Trevor)]

Put it into perspective. What information do you have worth stealing? People don't go wardriving anymore, that is so yesterday

WPA2 with a nice passphrase is enough to keep people out. Anything else is just annoying when people come to visit.

Any more difficult and the people who want your info will knock on your front door with a gun in their hand.

[Barrykgerdes]

Trevor has a good point. What have you got that is worth stealing.

I can't see why so many are paranoid about their WIFI security. I use a simple mac address and from experiments that I have carried out my router can't see most new computers further away than 50 metres. I then often need to enter the mac address manually before they can get in..

If you do manage to get into my system (and also my server) I am sure you will have the same trouble as me looking for specific items that I can never find and know roughly where they are. I don't store passwords, Credit card details, banking details etc on my computer.

I also have a second back up system that I use at Wiruna (or if the home system stops working). Most who come to the house at Wiruna already have the the access key. If you don't here it is 1002211747, Be my guest! Of course I need to be in range of wireless internet and the router needs to be turned on.

[multiweb (Marc)]

Well email passwords for one thing. I believe that a lot of people still don't use SSL when sending and if you're logged into a network you can figure out people email username and pwd. That much I know how to do. That could be a security problem IMHO.

[GeoffW1 (Geoff)]

Quote:

Originally Posted by Barrykgerdes

I don't store passwords

If we use Google Chrome we do

http://www.theguardian.com/technolog.../chrome-google

But you meant Barry I know, that you don't elect to "Save my password on this site" or "Keep me signed in" etc

Cheers

[Barrykgerdes]

Quote:

Originally Posted by multiweb

Well email passwords for one thing. I believe that a lot of people still don't use SSL when sending and if you're logged into a network you can figure out people email username and pwd. That much I know how to do. That could be a security problem IMHO.

I should have said except my email and forum passwords. That saves a lot of problems of memory. If you can log onto these good for you. You can send as much spam as you like from them.

I don't use google chrome.

Security only keeps the good guy's out. I don't put anything on the computer that could cause problems if compromised.

Barry