April 16, 2010

Free Wi-Fi – Is it worth the risk?

Free Wi-Fi – Is it worth the risk?

by Mark Tiongco – March 21, 2010

Since its inception in the early 2000s, Wireless-Fidelity Internet (Wi-Fi) has become virtually a staple in our technologically-enhanced lives.  Its convenience increases productivity in countless industries, academics and even the family home.  Retail establishments such as Panera Bread, McDonald’s and Barnes and Noble offer free Wi-Fi in their stores as an amenity to get customers to browse and buy their  products.  While “free Wi-Fi” might seem like a no-brainer, customers should keep in mind the inherent risks of free Wi-Fi.


What’s the Big Deal?  It’s free

Since it’s free, most establishments do not use Wi-Fi encryption to secure their respective networks thus offering hackers a way to steal your usernames and passwords.  For example, Panera Bread has signs that say “802.11b Wi-Fi” in their restaurants.  802.11b was created in 1999 which has little security so a hacker can literally intercept your Facebook username and password as you’re logging on.  Even if Panera Bread equipped their bakeries with WEP (Wired Equivalent Privacy), this security is so outdated that it can be cracked in under a few minutes.  With that being said, Barnes and Noble, Starbucks and McDonald’s also have zero security in place for their Wi-Fi.  Upon reading Starbucks’ Wi-Fi policy, they explained the reason for using unencrypted 802.11g was to ensure maximum compatibility between communication devices. 


A Hacker’s Point of View

"War driving" is the idea of driving around town and looking for a Wi-Fi network that is unencrypted or has weak encryption and can be easily cracked.  Wardriving can happen near a Starbucks, your neighborhood or a business park where Wi-Fi networks are online 24 hours a day, 7 days a week.  With zero or minimal security, a hacker can intercept, unscramble and figure out the information being sent between a customer’s laptop to the Wireless Access Point of an establishment.The essence of Wardriving involves time. For natural viagra example, a hacker can crack the password to a wireless network in possibly 3-4 hours.  You spend 8 hours sleeping and 8 hours at work.  So theoretically a hacker has 16 hours to try and compromise a home or office Wi-Fi network. And let’s not forget the fact that Notebook Computers have become more powerful over time. Multi-core CPU’s and on-board Video Cards processing power is being utilized to run more advanced hacking programs.Going from bad to worse, current WPA (Wi-Fi Protected Access) can be cracked in about 15 minutes along with WPA2 as seen in 802.11n network products. Two popular ways of cracking a wireless network are Brute Force and Dictionary Attack. Brute Force involves exhausting every single letter, number and special character in multiple combinations until the correct combination is found.  Dictionary Attacks utilizes a specific set of words and phrases from a dictionary to “guess” the correct password.  Another tactic that can easily swipe your login credentials is a Rogue Access Point. In this case, a hacker can set up a Wireless Access Point that imitates the true Access Point.  If your notebook connects to this Rogue Access Point, you won’t see any difference as the hacker can duplicate the log-in screen with near 100% accuracy.  This is like phishing, where you receive an alert email from your bank or credit card company asking you to click on their link and “verify” your account is okay by logging in.


What You Can Do

There are a few steps you can take to minimize the chance of your information getting stolen:

  • First, make sure your passwords are long and are fairly unique.
    Having “GOLAKERS_1981” as one of your passwords wouldn’t
    be difficult to crack.
  • Second, speak to your employer’s IT department about a VPN
    connection.  VPN stands for Virtual Private Network and allows
    you to connect to your company’s network in a secure way. 
  • Third, when logging in, pay attention to the URL address along
    with any inconsistencies with the log-in page (i.e. spelling,
    inaccurate pictures).

Also, check to make sure your laptop is connected to the correct Wi-Fi network and not to one with a questionable name.

  • Fourth, access your important banking and credit card
    accounts at home so as to minimize the chance of
    being a victim of financial identity theft. 

In Conclusion

Wi-Fi has come a long way in a short while with its speed, convenience and utility.  By knowing the risks associated with free Wi-Fi service, you can minimize the chance of a data breach and possible identity theft.

Permalink • Print • Comment

February 4, 2009

Wireless Security

The ability to share an Internet connection is great and the ability to do this wirelessly is even better. Wireless networks are easy to install—you don't have to run cables, and you can roam around a location within the WLAN (wireless local area network), or physical range of wireless connectivity ( here's a way to get started ). These features are what makes wireless networks so popular with both end users, and hackers.

The one problem with wireless networks is the vulnerability of your network. A typical hardwired network has physical security due to limited access to the actual network and one opening to the internet (Gateway) has a firewall or two in place (or it had better). This can stop most unauthorized access to your network. The difficulty in setting up wired networks has discouraged a lot of people from installing networks in the first place.

Then a long came the wireless which, as I stated earlier in the article, made the home networking game more appealing and not as intimidating. Having a wireless network means that the physical security that is inevitable in a wired network is simply not there. Anyone in the range of your wireless network can see your network, and if not secured properly, can gain access. If your wireless access point isn't the router on your network then outsiders can slip in behind your firewall. This used to happen at my college—there was an apartment complex behind a portion of the school, and the other techs would piggyback on some guy's network. He had an unsecured wireless network—no one did anything bad to him (at least to my knowledge)—they just used him for Internet access but he never knew.

There are some practices you can perform to insure that no one is using your connection or trying to get on your personal network. First and foremost you need to get WEP (Wired Equivalent Protection) in place, which is an encryption that stops unauthorized users from accessing your network. There are at least two encryption types in 802.11b (128bit, and 64bit) and should probably be changed every other week or so. WEP encryption used to be completely the user's responsibility, but now I'm seeing hardware out of the box with at least one encryption key configured, forcing the user to configure his PCs in order to connect.

Using WEP is essential to wireless security, but don't rely on it alone, there are other security measures you can put in place as well. With some wireless units you can set a MAC address filters, witch can really beef up your security. A MAC address is an identification number the manufacturer stamps on a network device, and is (or should be) completely unique. If this security is in place then even if someone knows the WEP Key they still cannot get into the network because your wireless access device will deny it.

There are two other things you might want to do to tighten up your network: The first thing you should do is go through and change all of the default security settings, and passwords. The reason I said this is most Routers and access points usually have a lot of these configuration fields (i.e. username and password or the SSID ) filled out with generic values for ease of setup. The bad thing about this is that people can use these settings against you to gain access into your network. Secondly, with a lot of routers your SSID is set to broadcast by default, this means that it's broadcasting your network's name to the physical reaches of your network. Not good, even if your neighbors don't have the security rights to access your network they will constantly see it every time they boot up one of their wireless PC's.

Through the use of these practices you will not only protect your network, but render it practically invisible, and that's what you want. Just a side note before I go, if one day you boot up your wireless PC and you see a new connection that isn't secure, please take it easy on 'em, it's probably your neighbor. You have to remember not everyone is as informed or prepared as the Worldstart site cialis Readers and if your feeling nice go over and warn them to tighten up there network before someone not nice finds it open.

Wireless Network Security, part two: AirSnare

Those of you who look forward to the security articles I put out may remember last week's article on the basics of wireless network security. This week's article is along the same lines, not so much locking a wireless network down, but rather how to monitor it, and a really cool way to give any freeloaders a little scare.

Before I get ahead of myself, let's do a little recap of last weeks security article. I talked primarily about locking down your wireless network using some of the integrated tools on wireless routers and WAPs (Wireless Access Points). Things like MAC filters, WEP keys, and changing "out of the box" passwords and SSIDs can stop most users from accessing your network, but what about a knowledgeable experienced user.

In case you didn't know, there are sites and tools out there that advanced users can use to circumnavigate certain security measures, in order to get what they want. This could be the neighbor trying to get free Internet access or their kid who's just horsing around. Either way you don't want this and it's a nice feeling to be able to catch' em, who knows, you might even set them straight and teach them a lesson.

If you remember last week I mentioned how my classmates snuck on to some poor guy's wireless network behind the university (bad place to have an unsecured network—these guys knew what they were doing and had the tools to do it) and surfing the web. If Mr. X had the program AirSnare he would've caught the students in the act, and he could've sent them a message letting them know the "jig is up".

AirSnare is a wireless network monitoring system that has some pretty cool features. In a nutshell, AirSnare takes a list of MAC addresses that you have OK'd as being your network devices, (i.e. your home PCs) and alerts you of access by any other MAC address. The program actually warns you by telling you with a voice that there is "unauthorized access on your network", and you can even set it to email you any security breeches. In addition to the audio warning, the interface also turns red and you can see the user's MAC address and what they are doing. That's right, you can actually see if an intruder is checking their mail or surfing the web.

Not only does it tell you this info, but you can actually double click the destination IP address and Airsnar will connect you to the site. This is all very cool, but the best is the Airhorn, an element of AirSnare that allows you to send intruders a message that pops-up on their screen telling them what ever you type in, for example "I'm watching every move you make, so get off of my network".

The GUI is a little on the primitive side, but that's because it was meant as a low requirements tool, and not a bloated end-user program. Before you download the AirSnare look over the manual, especially the setup instructions. One thing you have to do is download, and install the WinPcap library—it's a protocol analyzer and is an important component in AirSnare. The whole process (download and install) takes just a couple of seconds, basically download and double click. It doesn't install a program just a library that AirSnare uses to capture network packets.

AirSnare may be a little different than other programs you're used to, but it really is easy to use and if you have a wireless network I think it could be an invaluable tool for maintaining tight security. Besides, if friends or family come over you can blow them away with your knowledge of wireless security and your super-cool monitoring tools.

Download WinPcap…
http://winpcap.polito.it/

Download AirSnare…
http://home.comcast.net/~jay.deboer/airsnare/

Permalink • Print • Comment

February 2, 2009

GPU-Accelerated Wi-Fi password cracking goes mainstream

January 22nd, 2009

Posted by Dancho Danchev

Elcomsoft Wireless Security AuditorNo weak password can survive a GPU-accelerated password recovery attack. Last week’s released Wireless Security Auditor is prone to shorter the time it takes for a network administrator to pen-test the strength of the WPA/WPA2-PSK passwords used on the wireless network. Its core functionality of shortening the wireless password recovery time up to a hundred times based on the GPU used, is naturally going to empower unethical wardrivers with the ability to easily guess the no longer considered secure 8 character passwords.

What’s particularly interesting about the Wireless Security Auditor is that it attempts to accomplish the password recovery in an offline/stealth mode, instead of the noisy direct router brute forcing approach :

“Elcomsoft cialis tadalafil side effects Wireless Security Auditor works completely in off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text. Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdumptcpdump. The tcpdumptcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file.”

Meanwhile, pen-testing companies have once again urged IT managers and end users to go beyond the 8 character password strength myth, and anticipate the risks posed by the increasingly efficient password recovery solutions hitting the market  :

“David Hobson said: “It’s a wake-up call to IT managers, pure and simple. IT managers should now move to 12 and even 16 character keys as a matter of urgency. It’s not very user-friendly, but the potential consequences of staying with eight character keys do not bear thinking about.”

As previously discussed, best practices wake-up calls remains largely ignored prompting radical solutions in countries like India for instance, which recently announced that a Wardriving police unit will be locating insecure wireless networks and notifying the owners in order to “prevent the commission of a cognizable offense”.

Permalink • Print • Comment

November 5, 2008

Inner-city Wi-Fi rollout

Permalink • Print • Comment

June 10, 2008

Wireless Network Security, part two: AirSnare

AirSnare

Those of you who look forward to the security articles I put out may remember last week's article on the basics of wireless network security. This week's article is along the same lines, not so much locking a wireless network down, but rather how to monitor it, and a really cool way to give any freeloaders a little scare.

Before I get ahead of myself, let's do a little recap of last weeks security article. I talked primarily about locking down your wireless network using some of the integrated tools on wireless routers and WAPs (Wireless Access Points). Things like MAC filters, WEP keys, and changing "out of the box" passwords and SSIDs can stop most users from accessing your network, but what about a knowledgeable experienced user.

In case you didn't know, there are sites and tools out there that advanced users can use to circumnavigate certain security measures, in order to get what they want. This could be the neighbor trying to get free Internet access or their kid who's just horsing around. Either way you don't want this and it's a nice feeling to be able to catch' em, who knows, you might even set them straight and teach them a lesson.

If you remember last week I mentioned how my classmates snuck on to some poor guy's wireless network behind the university (bad place to have an unsecured network—these guys knew what they were doing and had the tools to do it) and surfing the web. If Mr. X had the program AirSnare he would've caught the students in the act, and he could've sent them a message letting them know the "jig is up".

AirSnare is a wireless network monitoring system that has some pretty cool features. In a nutshell, AirSnare takes a list of MAC addresses that you have OK'd as being your network devices, (i.e. your home PCs) and alerts you of access by any other MAC address. The program actually warns you by telling you with a voice that there is "unauthorized access on your network", and you can even set it to email you any security breeches. In addition to the audio warning, the interface also turns red and you can see the user's MAC address and what they are doing. That's right, you can actually see if an intruder is checking their mail or surfing the web.

Not only does it tell you this info, but you can actually double click the destination IP address and Airsnar will connect you to the site. This is all very cool, but the best is the Airhorn, an element of AirSnare that allows you to send intruders a message that pops-up on their screen buy generic propecia online telling them what ever you type in, for example "I'm watching every move you make, so get off of my network".

The GUI is a little on the primitive side, but that's because it was meant as a low requirements tool, and not a bloated end-user program. Before you download the AirSnare look over the manual, especially the setup instructions. One thing you have to do is download, and install the WinPcap library—it's a protocol analyzer and is an important component in AirSnare. The whole process (download and install) takes just a couple of seconds, basically download and double click. It doesn't install a program just a library that AirSnare uses to capture network packets.

AirSnare may be a little different than other programs you're used to, but it really is easy to use and if you have a wireless network I think it could be an invaluable tool for maintaining tight security. Besides, if friends or family come over you can blow them away with your knowledge of wireless security and your super-cool monitoring tools.

Download WinPcap…
http://winpcap.polito.it/

Download AirSnare…
http://home.comcast.net/~jay.deboer/airsnare/

Stay safe out there,

Permalink • Print • Comment
Next Page »
Made with WordPress and the Semiologic theme and CMS • Sky Gold skin by Denis de Bernardy