Electronics in India - Formerly Geek Speak. Digital Cameras, Notebooks, and the essentials to bring. The Uber-Geek section.

Internet/ PC security part 2: wireless and passwords


Old Nov 12th, 2007, 10:38   #1
the riff raff....
 
 
Join Date: Apr 2007
Location: New Delhi
Posts: 1,942
Internet/ PC security part 2: wireless and passwords

So there's already been a great discussion re using PCs in India for internet banking...

http://www.indiamike.com/india/elect...ywhere-t44176/

with some excellent security tips given. Here are a couple of extra security tips aimed at those who have a wireless LAN setup here in India.

ENCRYPT THE NETWORK AND CHANGE THE DEFAULT PASSWORD OF YOUR WIRELESS ROUTER!

Apologies for that - let me explain.

Wireless routers use public spectrum to operate - which means anyone is free to use that frequency - and indeed many devices operate on public wifi 802.11x spectrum. So if you have a wireless router and intend setting up a wireless network it will be operating on public spectrum - which means it can be seen by the public unless you take steps to safeguard your network.

The easiest way of doing this is to "encrypt" your network using one of the tools available on the router. This has the effect of specifying each device that wants to use the wireless network, and ensures only the intended destination on your network is able to read the data being sent. This means someone walking past your house with wifi enabled on their PDA (that's personal digital assistant as opposed to public displays of affection) will not be able to log on to your network.

Which leads to the second point - router passwords. If there is a number 1 golden rule in networking it's: change the default password. When routers come out of the factory the logon ID will be "admin" and the password will be "admin", or "password" - or it will be blank. Change it....and don't change it to "god", "love", or "sex" (funnily enough it's very common for network admins to have "god" as their password - read into it what you will and you'll probably be right..............except in the case of Nadreg.............who I'm sure is much more modest .....I'll stop now.)

So go into the change password option and put in something that is unique to you (if you happen to be a god - use something unique to someone else) and that will ensure no one gets into the router and disables it, or stops you from using it.

There are a couple of other things you can do like stopping the router from broadcasting its identifier once the network is set up (this means other devices won't be able to detect it) - but encrypting the network and changing the default passwords are probably the most important first steps.

Right - I'm off to my neighbour's to inform him that his wireless network is open to the world, that anyone in the street (and most of Delhi on the neighbouring ring road) can browse the internet due to his generosity (not to mention access the other PCs on his network - including financial info on his server), and that if he paid someone to set up his network then he should demand a refund.

happy travels.
brownboy66 is online now   Reply With Quote
Old Nov 12th, 2007, 10:55   #2
Loud-mouthed, Noisy Bird
 
 
Join Date: Oct 2004
Location: Chennai, India
Posts: 24,623
Great! Thanks!

Can you say something about the various forms of security (encryption) offered by the routers, and which is sufficient for the ordinary domestic setup?

So far I have not employed encryption on my wireless net, but I have limited access by specifying the one and only MAC address of our one and only laptop, so I don't think we can have any free riders!
__________________
.


Just one member of the IndiaMike Mod Team
Nick-H is offline   Reply With Quote
Old Nov 12th, 2007, 11:19   #3
the riff raff....
 
 
Join Date: Apr 2007
Location: New Delhi
Posts: 1,942
Most wireless routers come with at least 2 encryption standards - WEP and WPA (some have a third which is WPA2). WPA (wireless protected access) is the stronger of the two as WEP only allows for a password with characters 0-9 and a-f. WPA2 is stronger still.
Having said that some devices/pcs/etc can struggle with WPA, WPA2 - in which case using WEP is better than not having anything at all. For most domestic setups - as long as you use something and find it easy to config - that should be fine.

MAC filtering is excellent - gets down to device level and specifies exactly who can access the network. The other thing to do once the network is set up is to turn off the broadcast of the network identifier (SSID). It will still be there - just not being broadcast.
brownboy66 is online now   Reply With Quote
Old Jan 22nd, 2008, 00:55   #4
Member
 
Join Date: May 2007
Location: Dilli
Posts: 2,890
Thanks for the link, bb.
So I have a few q's -

MTNL told me on another occasion that I don't need to regularly change pw's becos my account/connection will work on my phone line only due to CLI (Caller Line ID), and therefore cannot be hacked.
Is this true (a) in the case of a wired router, (b) an ADSL USB "modem" like I have?

Wud this also be true of wireless routers on an MTNL line? Or were they talking BS?
Dilliwala is offline   Reply With Quote
Old Jan 22nd, 2008, 01:15   #5
Loud-mouthed, Noisy Bird
 
 
Join Date: Oct 2004
Location: Chennai, India
Posts: 24,623
This does not depend on the router, but on how things are set up at the supplier (exchange) end.

In yet another stunning misuse of terminology, this is being spoken of as the line being port-bound --- your login will only be accepted on your telephone number, and the service supplied is strictly limited to that physical line.

At first, BSNL did not do this. There have been a number of occurrences of accounts being hijacked, especially as the original password-as-supplied was pretty easy to break. Also people were using their friends' higher-bandwidth accounts, etc etc.

I understand that BSNL are catching up with implementing this pretty basic form of control --- in their own commercial interest as much as in the interest of the security of their customers. I do not know whether it applies to all lines yet.

MTNL? I don't know. Probably.

Was the guy bullshitting? If it is implemented on your line, then no. If it isn't, then yes, until it is.

You should change that password anyway. I expect the MTNL portal provides the means to do so, as with the BSNL portal.

Quote:
Originally Posted by brownboy66 View Post
... ... ... MAC filtering is excellent - gets down to device level and specifies exactly who can access the network. The other thing to do once the network is set up is to turn off the broadcast of the network identifier (SSID). It will still be there - just not being broadcast.
I'll see about that broadcast identifier! Although it may be possible that that will prevent the wireless access from my new phone --- something I may well decide I don't need anyway.

MAC filtering is going to prevent bandwidth theft, or intrusion into the machines on my network, which is the most important thing, but it is not, of course, going to disguise data transmitted.

I know I should look at the encryption thing for privacy.
Nick-H is offline   Reply With Quote
Old Jan 22nd, 2008, 01:58   #6
the riff raff....
 
 
Join Date: Apr 2007
Location: New Delhi
Posts: 1,942
Quote:
Originally Posted by Dilliwala
MTNL told me on another occasion that I don't need to regularly change pw's becos my account/connection will work on my phone line only due to CLI (Caller Line ID), and therefore cannot be hacked.
Is this true (a) in the case of a wired router, (b) an ADSL USB "modem" like I have?
hmmmmm....sounds a bit fishy to me. Firstly - CLI is a whole different part of the network and completely unrelated to DSL. It's transmitted using a reserved portion of the phone line set aside specifically for signalling - and that's all it does. Your DSL router/modem doesn't get to see it because the splitter ensures that the voice and signalling portion of the phone line goes where it's supposed to - the phone. Likewise at the exchange end CLI doesn't go anywhere near the DSL access multiplexers (DSLAMs), or the RAS (RADIUS authentication servers), and it's the latter which allows or denies you access. For your password to be linked to CLI the RAS would have to be able to accept this kind of signalling.

Maybe the phone number they are referring to is the user ID - since when they create the account MTNL use the destination phone numbers as the user ID?

Some of the (excuse the descent into jargon) international MPLS based broadband networks use a "circuit identifier" of sorts on broadband connections to ensure that wholesale broadband links supplied to 2nd tier telcos can only be connected to their authentication servers. Even then - it will only ensure you get to the right ISP - it would still need to be authenticated which raises the possibility of your password and ID being used by someone who is connected to the same ISP.

so in short - doubtful - but if someone can supply me the tech specs I'm willing to be convinced otherwise. In any case - changing passwords periodically is a good habit to get into.

Quote:
Originally Posted by Nick-H
MAC filtering is going to prevent bandwidth theft, or intrusion into the machines on my network, which is the most important thing, but it is not, of course, going to disguise data transmitted.
bandwidth theft is the biggie really - encryption will prevent traffic from being read, but if it isn't sensitive then maybe it isn't necessary (also in some cases, encryption can slow the network down depending on the type of encryption and router used). Something to consider...
brownboy66 is online now   Reply With Quote
Old Jan 22nd, 2008, 02:08   #7
Loud-mouthed, Noisy Bird
 
 
Join Date: Oct 2004
Location: Chennai, India
Posts: 24,623
ADSL I experienced in UK never had any passwords. It could only be used on the line it was supplied for.

There was some kind of reference number that applied to your connection, and you had to get this out of your supplier if you wanted to move to a new supplier. Sometimes the existing supplier might be slow to let you go; I was astonished to get mine, when I needed it, by return of email at 1.00am!

Whatever... I'm just assuming that the telecoms companies are catching up with the same method of physical line restriction with matching accounts that my UK suppliers (with BT as wholesaler) used years ago.
Nick-H is offline   Reply With Quote
Old Jan 22nd, 2008, 02:48   #8
Senior Member
 
Join Date: Dec 2006
Location: Ohio
Posts: 374
BB-

Thanks for the advice. I have WEP and MAC filtering on my home network.

In your next advice thread, I'd urge you to discuss the use of public wi-fi networks. For instance, I stay in a number of hotels which offer unsecured wi-fi access. Given the choice between connecting my laptop to that or not having an internet connection for the duration of the stay, I end up connecting. What are the implications and how could one protect the PC connecting to an unsecured wi-fi network?
kmalik is offline   Reply With Quote
Old Jan 22nd, 2008, 04:15   #9
Maha Guru Member
 
 
Join Date: Jun 2003
Location: England
Posts: 630
MAC filtering is useless. Every frame has the source and destination MAC in clear even if encryption is enabled, anyone good enough to break your encryption shouldn't need more than 20 seconds with a sniffer and then change his MAC address. Hiding the SSID is almost as useless, all anyone has to do is to wait for a legit station to associate with the AP and he will have the SSID which is sent in clear. These tricks could possibly keep your technically clueless neighbour out from your network if you for some reason can't enable encryption but would not be much of a problem for a 12 year old geek.
Anders is offline   Reply With Quote
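
The point made in the post above, as an added example that is not part of the original thread: a small parser for the 802.11 MAC header, run over two constructed frames, showing that the addresses of an encrypted data frame and the SSID in an association request can be read without any key. The MAC addresses, the SSID `homenet` and the payload bytes are made-up sample values.

```python
"""Added example: what an 802.11 frame exposes without the network key."""

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def find_ssid(tags: bytes):
    """Walk the tag/length/value elements; element ID 0 is the SSID."""
    i = 0
    while i + 2 <= len(tags):
        tag, length = tags[i], tags[i + 1]
        value = tags[i + 2:i + 2 + length]
        if len(value) < length:
            return None          # truncated element, stop
        if tag == 0:
            return value.decode("utf-8", "replace")
        i += 2 + length
    return None

def parse_80211(frame: bytes) -> dict:
    """Parse the header of a data or management frame (no radiotap, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    flags = frame[1]
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    if ftype not in (0, 2) or (to_ds and from_ds):
        raise ValueError("only management and 3-address data frames handled")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:            # station -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds:        # AP -> station
        dst, bssid, src = a1, a2, a3
    else:                # management frames and ad-hoc data
        dst, src, bssid = a1, a2, a3
    info = {"type": ftype, "subtype": subtype,
            "protected": bool(flags & 0x40),   # payload is encrypted
            "src": mac(src), "dst": mac(dst), "bssid": mac(bssid)}
    if ftype == 0 and subtype == 0:            # association request
        # body: capability (2) + listen interval (2), then tagged elements
        info["ssid"] = find_ssid(frame[28:])
    return info

# Constructed sample values (locally administered MACs, made-up SSID).
AP = bytes.fromhex("020000000001")
LAPTOP = bytes.fromhex("0200000000aa")
GATEWAY = bytes.fromhex("0200000000fe")

# Data frame, ToDS=1, Protected=1; the payload stands in for ciphertext.
DATA_FRAME = (bytes([0x08, 0x41]) + b"\x00\x00" + AP + LAPTOP + GATEWAY
              + b"\x10\x00" + bytes.fromhex("5a" * 16))
# Association request from the laptop to an AP with SSID broadcast disabled.
ASSOC_REQ = (bytes([0x00, 0x00]) + b"\x00\x00" + AP + LAPTOP + AP
             + b"\x20\x00" + b"\x31\x04\x0a\x00"
             + b"\x00\x07homenet" + b"\x01\x04\x82\x84\x8b\x96")

if __name__ == "__main__":
    print(parse_80211(DATA_FRAME))
    print(parse_80211(ASSOC_REQ))
```

The data frame has the Protected bit set and its addresses still parse, which is why an allow-list of MAC addresses and a hidden SSID are not a substitute for turning on WPA or WPA2 with a strong passphrase.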
Old Jan 22nd, 2008, 09:47   #10
Loud-mouthed, Noisy Bird
 
 
Join Date: Oct 2004
Location: Chennai, India
Posts: 24,623
Very good points, Anders.

Points that I should have known, I guess.
Nick-H is offline   Reply With Quote
Old Jan 22nd, 2008, 11:22   #11
the riff raff....
 
 
Join Date: Apr 2007
Location: New Delhi
Posts: 1,942
Quote:
Originally Posted by Nick-H View Post
There was some kind of reference number that applied to your connection, and you had to get this out of your supplier if you wanted to move to a new supplier.
yeah - sounds like an MPLS based network with circuit identifier. According to their website BSNL have an MPLS network as well - so should be able to do the same. Just not sure how far it has been rolled out and what distance from the core the service has been provided (typically the standard DSLAMs in the exchanges have to be replaced with ISAMs to provide the higher bandwidth services and additional management tools needed when wholesaling services to another provider - this includes the reference number you need to shift your connection to another provider so to speak).

Quote:
Originally Posted by anders
MAC filtering is useless. Every frame has the source and destination MAC in clear even if encryption is enabled, anyone good enough to break your encryption shouldn't need more than 20 seconds with a sniffer and then change his MAC address. Hiding the SSID is almost as useless, all anyone has to do is to wait for a legit station to associate with the AP and he will have the SSID which is sent in clear. These tricks could possibly keep your technically clueless neighbour out from your network if you for some reason can't enable encryption but would not be much of a problem for a 12 year old geek.
LOL - if they can break your encryption then they should be offered a job! Fortunately 12 year old geeks wandering the streets in India with portable devices loaded up with a protocol analyser are few and far between (and thank goodness for that - what a frightening thought). Truth is no security measure is infallible - it simply provides a measure of delay until hopefully the intrusion can be detected and dealt with (that's the other side of the coin - ideally security measures need to be partnered with intrusion detection).

Standard wifi security apps as shipped on most wifi routers are more designed to prevent the kind of situation described in the original post - prevent neighbouring wifi LANs from interfering with one another - or someone being able to log on to a neighbouring network - but the security apps have to be turned on first. Would it stop a determined attempt to hack the network? No - but then you have to ask yourself whether or not you have anything of value (other than bandwidth) that someone would want to go to so much trouble to break into your network.

Ideally you institute security using a layered approach - the first step being to hide (or at least not advertise) the existence of your wireless network, the second stage would be preventing access to your network if it is detected, the third stage being measures in place to notify you if someone is trying to access your network (so that you can go outside and throttle the little geek standing outside your house with a protocol analyser). The very least you could do....

- change default passwords,
- implement WPA,
- disable SSID broadcast,

which was sort of the idea in the original post. Useless - is not doing anything at all and making your wifi network as public as the main Delhi railway station.

Quote:
Originally Posted by kmalik
Given the choice between connecting my laptop to that or not having an internet connection for the duration of the stay, I end up connecting. What are the implications and how could one protect the PC connecting to an unsecured wi-fi network?
I guess a lot depends on what you want to do. Anytime you connect to a public network there's a risk - then again if you're at home connected to the internet via DSL you're connecting to a public network as well. The difference with hotel wifi is that the connection process is usually public as well (one of the hotels I recently stayed at used a combination of name and room number to gain access to the wifi network. Anyone standing around reception who heard you supply your name when asking for your room key would be able to use that information to log on to the network - let alone using an unencrypted link to access an unencrypted logon page.)!

Is this a risk for your PC? Not really. If someone intercepts the password and ID you're using then they can access the same hotel network and use your account (which means you end up paying for their traffic). It's not going to give them access to your machine.

If however you want to use your public wifi connection to log back into the office, or internet banking transaction - then that's different. The banking internet thread has covered a lot of the issue there .....

http://www.indiamike.com/india/elect...ywhere-t44176/

I tend to think that if you are going to do that sort of work on a public network then you need to ensure your PC has all the necessary applications to manage it (firewall, spyware, usage monitor, etc). Likewise - the destination you are connecting to has a big part to play in enhancing security as well. One of the best online banking services I've seen supplied customers with a personal token key generator so that they had to supply a username, password, and randomly generated key to log onto the site - (in addition to using 128bit encryption on the website). Likewise for an office connection - something like the AT&T VPN service is good as it allows you to use any public internet connection - but the service sets up a layer 2 tunnel I think between the AT&T client on your laptop, and the nearest AT&T node in whatever city you are in.

Anyway - I'll be interested to see what others have to say. I'm not a security expert (I know enough to know when to call in the experts.....hopefully)
brownboy66 is online now   Reply With Quote
Old Jan 22nd, 2008, 16:18   #12
Member
 
Join Date: May 2007
Location: Dilli
Posts: 2,890
Quote:
this is being spoken of as the line being port-bound
Yes, that's what they said basically, i.e. "your account will only work on your port."

Quote:
Firstly - CLI is a whole different part of the network and completely unrelated to DSL.
Ok, I called it CLI becos I don't know any better, basically I meant the above "port-bound". I know from dial-up days that MTNL has CLI for dialup (still available) - if u use any ID other than the actual fone no. for your login, it won't connect.
So basically that's what I meant for DSL as well. I just confirmed this a minute ago by using my friend's MTNL ID/pw (I'm HIS techie, so it's ok) on my line - it DOESN'T work! Login rejected - so some kind of line identification is definitely going on.
So now, that basically means no one can use my account except from my fone line (are there other ways to hack this?).
(bb, u can easily check yourself if u know anyone with an MTNL account by trying to login with your account details on their PC).
But what if I had a wireless? Wud I still be supplying free internet to the neighbours? Doesn't really matter since I'm on the unlimited plan, but still wud be nice to know.

Quote:
Maybe the phone number they are referring to is the user ID - since when they create the account MTNL use the destination phone numbers as the user ID?
Yes, that's the only account ID poss (surprised that BSNL is different).

If someone can tell me what MPLS means, I can confirm whether MTNL has it or not - I vaguely recall getting a newsletter which said something about it.

bb, if this is Part 2, where's Part 1?
Dilliwala is offline   Reply With Quote
Old Jan 22nd, 2008, 22:37   #13
Loud-mouthed, Noisy Bird
 
 
Join Date: Oct 2004
Location: Chennai, India
Posts: 24,623
Quote:
But what if I had a wireless? Wud I still be supplying free internet to the neighbours? Doesn't really matter since I'm on the unlimited plan, but still wud be nice to know.
This is a different issue altogether. The security, or lack of it, of your own LAN is your responsibility --- nothing to do with your supplier, and is the main subject of this thread.
Nick-H is offline   Reply With Quote
Old Jan 22nd, 2008, 22:53   #14
Member
 
Join Date: May 2007
Location: Dilli
Posts: 2,890
Quote:
Originally Posted by Nick-H View Post
This is a different issue altogether. The security, or lack of it, of your own LAN is your responsibility --- nothing to do with your supplier, and is the main subject of this thread.
Umm - OK? Still doesn't answer my Q though about whether my "port-bound" account can be tapped into if I use a wireless router?
Dilliwala is offline   Reply With Quote
Old Jan 22nd, 2008, 23:39   #15
Maha Guru Member
 
 
Join Date: Jun 2003
Location: England
Posts: 630
Yes, it can be tapped into unless you turn on encryption on the wireless "router".
Anders is offline   Reply With Quote