I recently performed a security audit for a local retailer that provided wireless internet access as a convenience to its customers. This wireless access point (WAP) was set up by a relative of the proprietor who “knows a lot about computers”. Like many of these wireless hot-spots, customers didn’t need a password or any special configuration to get on the internet. I often see wireless routers configured like this even in businesses that have no intention of providing public access. I turned on my laptop and was easily connected. I had no problems getting on the internet - very easy and convenient, and great when you’re sitting in a coffee shop. I also had no problems getting on their internal network. In less than a minute, I was looking at the files on the company’s point of sale and inventory management computer - files which I could have deleted, altered, or copied. I didn’t even use any special tools or secret scanning software to do it. In fact, a person with very basic knowledge of how to read Windows network configuration information could have done the same thing. Fortunately, my intent was to find problems like these and get them fixed.
In addition to the very real possibility of data loss and/or theft from improperly configured equipment, there is a host of other issues that many don’t consider. Open or compromised computers are often used by criminals to ply their trade: they can install programs that act as mail servers to send out all of the junk email that most of us get every day, they can be used with other compromised machines to launch coordinated attacks on larger networks for the purpose of extortion, and the list goes on. A detective at our local police department tells me that open networks are actively sought to store illegal data such as illegal pornography and stolen data as well. He also said that we can be liable for the things that are on our computers - even if we didn’t know that they were there. These types of criminals don’t want you to know that they are using your computer, so they hide themselves well.
So many businesses are using wireless routers now to allow access to internet and network resources from laptops and other devices. It’s a great way to take your work with you. Often, it’s much easier to put a wireless network card in the computer out in the warehouse than it is to run all that wire. Whatever the application, wireless is being used in the workplace more and more. Most of the routers used to provide this wireless access have no security enabled on them and still have the default manufacturer’s password set on them. These passwords are readily available on the internet, not from a hacker web site but right on the equipment manufacturer’s site. So what can you do to protect your network? Here are three steps that you can take today. (Procedures vary according to manufacturer. See your product’s website, or give Gartner Web Development a call if you need a hand.)
1. Change the default password on the router to a strong password. Most wireless routers come with a default password that is the same across the same manufacturer. For example, the default admin username and password are admin and admin. I can look up a device’s default password just by doing an internet search. Here is one such result.
A strong password contains at least six characters (the more characters, the better) that are a combination of numbers, letters of both lower and upper case, and non-alphanumeric symbols such as # $ % @, etc. Strong passwords should never contain words that can be found in a dictionary either. Sounds hard to remember, doesn’t it? It doesn’t have to be. Ba$k3tball is a strong password. So is IloveD3nv3rBr0nco$. Not a sports fan? Use phrases that are easy for you to remember. myThr33K1d$ is a strong password too. I’m sure that you noticed by now that I am using words or phrases that might be familiar to me, mixing the case, and then substituting numbers and symbols for some of the letters.
2. Disable the broadcasting of your wireless SSID. This is the network name that shows up when your laptop detects the wireless network. If you disable this broadcasting, you will still see that there is a network there; you just won’t see the name. You have to know the name of the network to be able to access it.
3. Use authentication. With this enabled, people will need to enter a password or key to configure their access to the wireless network. Be aware though: when you enable this, most routers by default use something called WEP encryption, which is an old technology that is trivial to crack. A utility is available on the internet that will allow someone to determine your WEP password by intercepting just two packets from your transmission. You transmit hundreds of packets just by opening your internet browser. In many cases, one can even get your email password out of these packets if they happen to be listening when you send or receive email over a compromised or open wireless connection. Gartner Web Development recommends, at a minimum, using WPA-PSK encryption. For your passphrase, use a strong password or phrase, but not the one you used to secure the router, or any of the examples that I gave above. I use a long string of randomly generated numbers, letters, and symbols. I then put this key, or passphrase, into a file that is stored in a secure place. When I need to configure a wireless connection, I copy the file onto a CD or flash drive, plug it into the computer that I am configuring and then just copy and paste the key from the file into the proper field within the configuration dialog.
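One way to produce the randomly generated key described in step 3 and keep it in a file that only you can read. This is an added example, not part of the original article; the symbol set, the function names and the file name wifi-psk.txt are assumptions made for illustration. It relies on the fact that a WPA-PSK passphrase must be 8 to 63 printable ASCII characters.

```python
import math
import os
import secrets
import string
import tempfile

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
WPA_MIN, WPA_MAX = 8, 63
SYMBOLS = "#$%@!&*+-=?"  # assumed symbol set; avoids quotes and spaces
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_passphrase(length=WPA_MAX):
    """Return a random passphrase that contains every character class."""
    if not WPA_MIN <= length <= WPA_MAX:
        raise ValueError(f"WPA-PSK passphrase must be {WPA_MIN}-{WPA_MAX} characters")
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length):
    """Approximate entropy of a uniformly random passphrase of this length."""
    return length * math.log2(len(ALPHABET))


def save_passphrase(passphrase, path):
    """Write the key to a new file readable only by its owner (mode 0600)."""
    # O_EXCL refuses to overwrite an existing file or reuse a planted one.
    # Mode bits apply on POSIX systems; Windows ignores most of them.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as handle:
        handle.write(passphrase + "\n")


if __name__ == "__main__":
    key = generate_passphrase()
    target = os.path.join(tempfile.mkdtemp(), "wifi-psk.txt")  # constructed path
    save_passphrase(key, target)
    print(f"{len(key)} characters, ~{entropy_bits(len(key)):.0f} bits, saved to {target}")
```

Pasting the key from the file, as described above, is what makes the full 63-character length practical.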
Following these three steps will greatly reduce your exposure to network compromise. It may sound like a hassle, but consider the possible alternative: stolen or destroyed data, rogue programs using your computers for ill gain, or worse. Additionally, you may want to consider limiting access to specific computers regardless of the passphrase being known or not. Even though some people will use an open wireless connection just to surf the internet, we should never leave our wireless network open… just as we would never leave the front door unlocked after hours. I don’t want any uninvited people walking in, regardless of their intent.