Wednesday, January 22, 2014

Wireless Router Security - Your First Line of Defense

Example Home Network


People tend to be lazy and take the easiest path to accomplish what they want. If someone wants to break into your home, they are going to check first for unlocked doors and windows. This is the most obvious and easiest way in.

For your home computer network, the easiest way in is a poorly secured wireless router. Please allow me to make this clear - there is no such thing as a completely safe and secure home network. If someone wants in badly enough, there are ways to get in. However, there are some ways to make your network safer than most. Safe enough to make the cyber criminal give up and go find an easier target.

1) Wireless Encryption - Many people believe that the main purpose of the encryption key on your wireless network is to keep other people from using your internet access.  While this may be a secondary benefit, the main purpose is to keep hackers from reading the text of the messages you send between your computing devices and your router. This includes user IDs, passwords, and other personal and private information.

In a nutshell, here are your options in terms of encryption, ranked from worst to best:
  • No encryption at all
  • WEP (Wired Equivalent Privacy) is worthless - if your router only supports WEP, throw it away and get another one. Decent routers can be purchased for $20
  • WPA (Wi-Fi Protected Access) is slightly better than WEP
  • WPA + TKIP
  • WPA + AES
  • WPA2 + AES

2) SSID - An SSID is a network name. Change it from the default and make it so that a potential hacker cannot associate you or your family with your network. Your router is going to come with a default name, user ID and password. The first thing you need to do when setting up your router is to change all of that information.

Most default SSIDs contain the router name, make and model. This is information that a hacker can use to break in. Many wireless routers supplied by telecom companies, in addition to having the make and model in the SSID, also use something such as your phone number as your password. This is easy for a hacker to figure out and break in. The name, in general, should not reveal the make or model of your router or the location or owner of the router.

Examples of good SSIDs are "TheStarShipEnterprise", "MyWirelessRouter" and "Wireless1234567". Some examples of bad SSIDs are "Linksys3020", "Smith Family Network" or "2121 Jefferson Avenue".

A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won't provide your network with any kind of protection if you try to hide it.

All wireless networks, regardless of the kind of operating system or encryption you might use, also emit unencrypted frames at times. One kind of unencrypted frame is an association frame. This is what a client computer emits when it wants to join a wireless network. Contained within the frame, in clear text of course (since the frame is unencrypted), is the SSID of the network the supplicant wants to join.

This behavior makes it very easy for an attacker to discover your SSID. The bad guy could run one of many wireless sniffer programs and simply capture the hundreds of association frames or probes that litter your air. No amount of "hiding" configured in your access points can prevent this kind of traffic interception.
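To show why "hiding" the SSID does not help, here is an added example (not code from the original post) that decodes the SSID information element from constructed probe-request and association-request frames. The frame bytes, the build_frame helper and the subtype constants are constructed for the demonstration; nothing is captured from a radio.

```python
import struct

# 802.11 management-frame subtypes that carry an SSID element (values from the standard)
ASSOC_REQ, PROBE_REQ = 0x0, 0x4
SSID_TAG = 0  # information-element id of the SSID

def ssid_from_mgmt_frame(frame):
    """Return the SSID carried by a probe or association request, or None.

    Management frames are never encrypted, so the SSID element (tag 0) is
    readable by anyone in radio range whether or not the network is "hidden".
    A wildcard probe request (zero-length SSID) returns "".
    """
    if len(frame) < 24:                 # shorter than a MAC header
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:                      # not a management frame
        return None
    if subtype == PROBE_REQ:
        off = 24                        # tagged parameters follow the MAC header directly
    elif subtype == ASSOC_REQ:
        off = 24 + 4                    # skip capability (2) and listen interval (2)
    else:
        return None
    while off + 2 <= len(frame):        # walk the tag/length/value list
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) < length:
            return None                 # truncated frame
        if tag == SSID_TAG:
            return value.decode("utf-8", errors="replace")
        off += 2 + length
    return None

def build_frame(subtype, ssid):
    """Construct a minimal management frame for the demonstration (constructed bytes)."""
    fc = (0 << 2) | (subtype << 4)      # version 0, type 0 (management), given subtype
    header = (struct.pack("<H", fc) + b"\x00\x00"          # frame control, duration
              + b"\xff" * 6                                 # addr1: broadcast
              + b"\x02\x00\x00\x00\x00\x01"                 # addr2: constructed client MAC
              + b"\xff" * 6 + b"\x00\x00")                  # addr3, sequence control
    fixed = b"\x31\x04\x0a\x00" if subtype == ASSOC_REQ else b""
    return header + fixed + bytes([SSID_TAG, len(ssid)]) + ssid

if __name__ == "__main__":
    for sub, name in ((PROBE_REQ, "probe request"), (ASSOC_REQ, "association request")):
        print(name, "->", ssid_from_mgmt_frame(build_frame(sub, b"Smith Family Network")))
```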

3) MAC Address filtering - By the way, ignore any advice that says to use MAC address filtering. It's amazingly trivial to spoof the MAC address of an allowed supplicant -- simply sniff the traffic, look at the MAC addresses, and use a simple utility to change your MAC to one that's permitted.

4) IP Addresses - Every computer on your home network communicates by way of an Internet Protocol (IP) address. The default behavior for routers and computers is to enable what is called Dynamic Host Configuration Protocol (DHCP). With DHCP, the host (usually your wireless router) and the client (your computer, tablet, printer, etc.) negotiate a session based on a standard set of protocols. The host assigns the client an IP address from a predetermined pool of addresses. It is the easiest and most convenient way to go. No muss, no fuss.

However, using preassigned (static) IP addresses on home networks gives somewhat better protection against network security problems than does DHCP address assignment.

When using static IP addresses on home and other private networks, they should be chosen from within the standard private IP address ranges listed:

    10.0.0.0 through 10.255.255.255
    172.16.0.0 through 172.31.255.255
    192.168.0.0 through 192.168.255.255

Do not choose any addresses that end with ".0" or ".255" - these addresses are generally reserved for use by network protocols.

Do not choose the addresses at the beginning of a private range. IP addresses like 10.0.0.1 and 192.168.0.1 are very commonly used by network routers and other consumer devices. These are the first addresses someone will attack when trying to break into a private computer network.
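As an added example, not part of the original post, the following Python applies the three rules above to a candidate static address and suggests one that passes. The PRIVATE_RANGES list is the article's; the avoid_first cut-off of 10 addresses, and measuring "the beginning of the range" from the home subnet rather than the whole private block, are my assumptions.

```python
import ipaddress

# The three private (RFC 1918) ranges the article lists.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def static_ip_problems(addr, subnet, avoid_first=10):
    """Return the article's objections to using `addr` as a static IP in `subnet`.

    An empty list means every rule passes. `avoid_first` is an assumed cut-off
    (not from the article) for how many addresses at the start of the home
    subnet count as "the beginning of the range" where routers usually sit.
    """
    problems = []
    try:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(subnet, strict=False)
    except ValueError as exc:
        return ["not a valid address or subnet: %s" % exc]
    if ip.version != 4 or net.version != 4:
        return ["only the IPv4 private ranges from the article are covered"]
    if not any(ip in r for r in PRIVATE_RANGES):
        problems.append("outside the private ranges 10/8, 172.16/12, 192.168/16")
    if ip not in net:
        problems.append("outside the home subnet %s" % net)
    if (int(ip) & 0xFF) in (0, 255):
        problems.append("ends in .0 or .255, which network protocols reserve")
    elif ip in net and 0 < int(ip) - int(net.network_address) <= avoid_first:
        problems.append("among the first %d addresses of %s, where routers commonly live"
                        % (avoid_first, net))
    return problems

def suggest_static_ip(subnet, in_use=()):
    """Lowest address in `subnet` that passes every rule and is not already assigned."""
    net = ipaddress.ip_network(subnet, strict=False)
    for host in net.hosts():
        if str(host) not in in_use and not static_ip_problems(str(host), subnet):
            return str(host)
    return None

if __name__ == "__main__":
    for candidate in ("192.168.1.1", "192.168.1.255", "192.168.1.50", "8.8.8.8"):
        print(candidate, "->", static_ip_problems(candidate, "192.168.1.0/24") or "ok")
    print("suggested:", suggest_static_ip("192.168.1.0/24", in_use={"192.168.1.11"}))
```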

5) Enable Firewall - If your router has a built-in firewall, make sure that it is turned on.

6) Turn off your network when you are on vacation - As amazingly simple as this might seem, almost no one does this. My statement at the beginning of this article that there is no such thing as a completely safe network has one exception: a network that is turned off. If your router is turned off, there is no hack of which I am aware that will allow a criminal to remotely turn it on. If you are gone from your home for more than a few days, turn off your router.
