Saturday, November 12, 2005

Who Left the Door Open?

Unlocked Cars and Computers
When you park your car downtown do you leave the doors unlocked, or worse yet, wide open with the interior light on? Locking your doors when you park your car is a simple way to protect the car and its contents. The computer equivalent of locking the doors is enabling effective network security. It’s a simple step to protect your network and the valuable personal and financial information that is stored on your computers.

We Know Better, Right?
Based on the wireless surveys that I have done in North County San Diego, lots of folks are leaving the doors to their networks wide open. San Diego County is arguably one of the most technically savvy areas of the country with many technologies that are developed here by the likes of Qualcomm and lots of technology startup companies working on cutting edge wireless networking. One might think, then, that something as important as properly securing your network would be well understood by the early adopters here. Not so.

Having worked in the wireless industry for several years, I have long advocated that home users secure their networks properly. Occasionally, I like to check in on how people are doing in this regard. Recently, I performed wireless surveys in multiple residential and business neighborhoods in Encinitas, Solana Beach, Del Mar, and downtown San Diego. What I found was not surprising based on results of similar surveys in other parts of the country. Nearly 50% of the networks that I detected did not encrypt the data that is transmitted between the computers and the access points. This means that somebody with the right equipment can capture all of the data that is being passed back and forth, including interception of e-mails, documents, print jobs, even passwords and credit card numbers if they are passed “in the clear”.

Some time ago there was a lot of press and discussion about a flaw in WEP, the encryption that was used to protect wireless LANs when 802.11b was first introduced. Specifically, data transmitted wirelessly was scrambled or encrypted so that only someone with the proper key could understand the data, but the way WEP applied its cipher let an attacker who captured enough traffic recover the key. Many industry pundits declared that it was not safe to use a wireless LAN because of the flawed encryption. That deficiency was corrected several years ago with WPA, and all wireless LAN equipment now sold is capable of the stronger encryption. However, my point is that ALL wireless LAN systems are capable of some level of protection, yet 50% of the networks I scanned used no encryption at all! Even worse, some of the systems did not even change the default settings of the equipment, including the default SSID and, very likely, the default administrator password. That makes it extremely easy to identify a vulnerable network and even make changes to the network itself, turn off other security features, and carry out other mischievous activities.
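The survey counts above come from looking at what each access point advertises in its beacon frames. The following is an added example, not code from the original post, that classifies a set of scan records the same way: an RSN information element means WPA2, a WPA vendor information element means WPA, the Privacy bit alone means WEP, and none of them means an open network. The scan records, the BSSIDs and the list of factory SSIDs are constructed for illustration and are assumptions of this example, not survey data from the article.

```python
"""Classify wireless-survey records by the encryption they advertise.

Added example, not from the original post. Each record is a constructed
summary of one beacon frame: the SSID, the Privacy bit from the capability
field, and whether a WPA vendor IE or an RSN (WPA2) IE was present.
"""
from collections import Counter

# Constructed sample survey modelled on the article's findings. The BSSIDs
# are illustrative placeholders, not real devices.
SAMPLE_SCAN = [
    {"bssid": "00:00:00:00:00:01", "ssid": "linksys",   "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"bssid": "00:00:00:00:00:02", "ssid": "home-net",  "privacy": True,  "wpa_ie": False, "rsn_ie": False},
    {"bssid": "00:00:00:00:00:03", "ssid": "NETGEAR",   "privacy": False, "wpa_ie": False, "rsn_ie": False},
    {"bssid": "00:00:00:00:00:04", "ssid": "coffee",    "privacy": True,  "wpa_ie": True,  "rsn_ie": False},
    {"bssid": "00:00:00:00:00:05", "ssid": "sb-office", "privacy": True,  "wpa_ie": False, "rsn_ie": True},
    {"bssid": "00:00:00:00:00:06", "ssid": "default",   "privacy": False, "wpa_ie": False, "rsn_ie": False},
]

# Factory SSIDs shipped by common consumer gear of the period. This list is
# an assumption of the example and is illustrative, not exhaustive.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g", "wireless"}


def classify(rec):
    """Map beacon facts to the encryption in use.

    An RSN IE means WPA2; a WPA vendor IE without RSN means WPA; the
    Privacy bit alone means WEP; nothing at all means an open network.
    """
    if rec["rsn_ie"]:
        return "WPA2"
    if rec["wpa_ie"]:
        return "WPA"
    if rec["privacy"]:
        return "WEP"
    return "OPEN"


def survey(records):
    """Summarise a scan: per-type counts, share of open networks, and the
    networks still broadcasting a factory SSID (a strong hint that the
    administrator password is also still at its default)."""
    counts = Counter(classify(r) for r in records)
    total = len(records)
    open_pct = 100.0 * counts["OPEN"] / total if total else 0.0
    default_ssid = [r["bssid"] for r in records
                    if r["ssid"].lower() in DEFAULT_SSIDS]
    unconfigured = [r["bssid"] for r in records
                    if r["bssid"] in default_ssid and classify(r) == "OPEN"]
    return {
        "counts": dict(counts),
        "open_pct": open_pct,
        "default_ssid": default_ssid,
        "unconfigured": unconfigured,
    }


if __name__ == "__main__":
    result = survey(SAMPLE_SCAN)
    print(f"{result['open_pct']:.0f}% open; counts {result['counts']}")
    print("factory SSID still in use:", result["default_ssid"])
    print("open AND factory SSID (probably never configured):", result["unconfigured"])
```

On the constructed sample, half the networks are open, matching the article's figure, and three of them still carry a factory SSID; an open network with a factory SSID is the clearest sign of equipment that was plugged in and never configured at all.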

Too Busy to Lock the Door?
So the question is, why do people leave their networks unprotected? All the equipment comes with instructions to enable the security features and protect the network. I believe that people who do not enable security features fall into the following categories:


1. Liberators are aware of the security risks and choose to leave their networks open so that others may access the internet through their network. They think of it like a public service and often are technically savvy people who also support the Open Software movement, Linux, and free content on the internet. Most Liberators are aware of the risks and take other measures to protect their network, such as putting access in a DMZ that is isolated from the rest of their network. To the liberators, I say “thank you, I appreciate the access.”


2. Ostriches have heard of the security risks but choose to ignore them. They stick their heads in the sand assuming that because they have never been victims in the past that they are not vulnerable in the future. Everyone has to decide for himself or herself what risks are substantial enough to require action, but I submit that most ostriches do not understand the risks. For the ostriches, I recommend that you look into the risks and then decide if you choose to be a Liberator. If you do, then make sure you protect your computers with a good firewall. If not, see the recommendations for the Frustrated and Confused below.


3. Frustrated and Confused consumers understand the risks and know that they should enable security features, but cannot successfully do so. These consumers want the access and convenience of a wireless network, but are less interested in the technical details of how it works. The Frustrated often try to configure the security, but the arcane details of doing so are difficult for people who are not familiar with networking, even with the instructions provided with the equipment. To the frustrated I say “it’s not your fault”. Wireless networks are fantastic, they allow us to work and play on our computers without being chained to a desk. They are also fickle and when a connection doesn’t work, the consumer is left to his or her own devices to figure out if the problem is security, radio interference, or problems with other settings on the network.

Locking the Digital Door
If you are an Ostrich or Frustrated, the rest of this article is for you. Follow these recommendations and you will be up and running, safely and securely.

1. Carefully follow the instructions provided with your equipment to establish a connection to the internet via the wireless Access Point. Depending upon whether your product is A. a standalone access point, B. a router/access point, or C. a modem/router/access point, the instructions will vary. It is a good idea to test your connection to the internet via a wired connection first. This helps to establish whether any wireless connection problems are due to the DSL or cable connection or to a problem with the wireless link. Once you have a “wired” connection established, use the default settings of the system to connect to the internet without any security. Now you know that the equipment is working properly and you are ready to lock it down.

2. Change the system password for your access point. The factory password for every popular model is published, so this is what prevents a hacker with a list of default passwords from logging in to your access point and undoing everything else you do here. Write the new password down.

3. Change the SSID to something other than the default setting. This should be something that you will recognize, but not provide any clues to a hacker as to how to access the network. Write down your new SSID.

4. Enable encryption. Use the strongest encryption that every one of your wireless clients supports. One complicating factor is that different manufacturers use different names for the same setting (“WPA-PSK”, “WPA Personal” and “AES” may all refer to the same thing), so some homework may be required. In descending order of preference: WPA2 with AES (sometimes labeled CCMP), WPA with TKIP, 128 bit WEP, 64 bit WEP. WEP is the option with the well-known flaw and should be a last resort for clients that support nothing better, but even WEP is better than an open network. Most consumer products require that you enter the same “key” on the access point and on each client. For WPA and WPA2 the key is a passphrase of 8 to 63 characters; make it long and random, because an attacker who records a client joining your network can test guesses against that recording at leisure, and a short or dictionary-word passphrase will not survive it. For WEP the key is a fixed number of hexadecimal digits (10 for 64 bit, 26 for 128 bit). Write the key down along with the type of encryption that you chose. Now enter the same key for each of the computers that you wish to connect to the network. This will require that you access the client configuration tool for your computer. For many computers this is the XP Wireless client, accessible by “right-clicking” on the wireless icon on the right hand side of the Windows Toolbar. For help configuring the Windows XP Wireless client see http://support.microsoft.com/default.aspx?scid=kb;en-us;313242

5. Now that you have the SSID, encryption type, and encryption key written down, any time you wish to connect a guest to the network, you will need to configure their computer correctly.

These instructions are not comprehensive, but a good guideline for how to configure most home-based networks with equipment that is commonly in use. After reviewing the instructions above, you may think that it’s no wonder 50% of the wireless networks out there are not protected. You’re right. The process is more complicated than it should be and there are many companies working on solutions to simplify it. I have participated in some of this work through the WiFi Alliance. In the future, it will be much easier to configure these devices to work securely together.

In the meantime, if the steps outlined above are beyond your capabilities or interest, I strongly recommend that you contact someone you know to help you out, or contact a professional who can do all of the above and configure additional security and services on your network for around $200. The investment in time or money will be well worth it for the increased productivity you experience and the peace of mind knowing that your valuable information will be protected.

© 2005 Drew Terry


Drew Terry has worked in high-technology for over 10 years and enjoys teaching people all over the world about the benefits of Wireless LAN technology. You can find more information about wireless technologies and their application at www.terryhitech.com.
