Filed under: Tips and tricks, Internet, Security, TUAW Tips
Staying Safe: securing your wireless connection
Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post. This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.
So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.
How to tell if your wireless connection is secure
Since many hotspots advertise "secure" connections, here's a quick acid test: Did your operating system prompt you to type in a passphrase or key when you first tried to connect to the network? If so, you are probably on a secure network. In Mac OS X, you can verify this by checking to the right of the wireless network name in the wireless menu on your menu bar. If you see a padlock, the connection between your computer and the access point is encrypted. If not, it's fair game.
Major hotspot providers may deliberately choose not to enable WEP or WPA encryption to simplify the user logon experience; if you disagree with this approach you can certainly let them know. For smaller operations like the local cafe or copy shop, it's not much effort for them to post a regularly-rotated WPA key on the wall by the cash register; that also may help cut down on unauthorized use of their wireless network by non-customers.

Use encryption features on your wireless router
If you're running a wireless network at home, one of the first and most important steps you can take is to use the encryption features that are built into your wireless access point or router. You do this by logging in to your device's configuration interface, selecting an encryption type (usually WEP or WPA/WPA2), and entering a key or passphrase. While many newer devices will let you enter anything you like for the passphrase, some won't and will require that you provide a hexadecimal key instead. If you get stuck with this, Andrews Companies provides a free online key generator here that might be useful.
By the way, if you're using an AirPort Extreme Base Station, this is as simple as opening the AirPort Utility and going into the wireless settings of the AirPort. Select WPA/WPA2 Personal from the Security dropdown, and then enter a password to use (longer is better).
Use firewall settings on your system
When you're connected to a wireless network, other computers using that network can see your computer, and thanks to discovery services like Bonjour, may automatically get access to your iTunes library or any sharing services you have enabled.
Luckily for most Mac users, OS X has a simple, built-in firewall that will cover typical security needs. But, as with all firewall solutions, it doesn't provide any benefit if it's not turned on. You can check your firewall settings by going to the Security pane of System Preferences, under the Firewall tab. If you're on a public wireless network, you should have the firewall set to either allow only essential services, or you can choose to set specific rules if you would like more fine-grained control.
If you're using Windows XP or newer via virtualization or Boot Camp, you can also use the built-in firewall to restrict access to your system. There are also a number of third-party solutions available for both systems if you want something more advanced than the built-in offerings.
Keep your system software up-to-date
You know those Software Update notices you get periodically prompting you to install updates to Mac OS X and other system software? Install them. Not all of them are related to security, but if a vulnerability is found, chances are those updates will correct it.
Use secure connections for e-mail and web services if your service provider supports them
This one is a bit harder, as it relies on your service provider to accept secure connections. This is particularly a problem with e-mail providers. For example, if you're using Google's Gmail (or Google Apps for your Domains) and accessing your e-mail from Mail, Thunderbird, or another mail client, your connection to Google's servers is already secure, because they require secure connections. With other e-mail providers, you sometimes can use secure connections, but their instructions usually show a basic setup instead. So your best bet is to check with your provider and see if they allow secure (sometimes called SSL or TLS) connections.
Many other services such as instant messaging clients and social networks offer secure connection options as well. Sometimes it's as simple as changing http:// to https:// in your address bar, or you may need to find a setting in the service's options that will enable it. Luckily, most web services today at least use a secure connection while logging in, which is better than nothing at all.
Use a VPN if connecting to sensitive systems
If you are connecting to services at your workplace, it's a good idea to use a VPN (Virtual Private Network) if your company provides one. VPNs allow you to create a secure "tunnel" between your computer and another network at a remote location, effectively making your computer work as if it were physically connected to the network in the office.
If you don't use an employer's VPN but you still want to leverage a VPN service to lock down your connections, see Jason's post about Hotspot Shield; for accessing Bonjour-based services on your home machine over a secure SSH tunnel, Brett noted ShareTool a while back. If you're looking for a free tool to set up your own VPN, HamachiX may be what you need.
Don't rely on MAC-based authentication
MAC-based authentication (not to be confused with Mac as in Macintosh) is a very basic security option offered by many wireless routers. A MAC address is a supposedly unique identifier programmed into wireless cards and other networking devices. The router maintains a list of allowed MAC addresses, and ignores traffic from those not on the list. This method sounds like it should work perfectly, and it would, except that it is very easy to "spoof" the MAC address of any machine to look like it is coming from an authorized device. And to top things off, your MAC address is broadcast over the air with every packet you send, giving anyone who is listening a list of authorized addresses for the picking.
When in doubt, scrutinize browsing habits if roaming about
Since many aspects of your wireless browsing experience may be beyond your control (which is particularly true if you're using a public hotspot that doesn't support encryption), it's always good practice to scrutinize your browsing habits. Avoid highly sensitive browsing like accessing your banking information or completing purchases online when on an unsecured network. If you use instant messaging, avoid sending personal information unless you know the service is using a secured connection.
Be particularly wary of unusual dialogs or messages prompting you to install software or asking you to confirm your password. If it's a website, even if it looks legitimate, don't put in any information unless you specifically went to that site by typing in the address yourself.
Now, of course the point of this article isn't to scare anyone or to suggest that you shouldn't use wireless connections. Chances are, the guy sitting next to you at the coffee shop isn't just sitting there sniffing packets and waiting for someone to log in to their online banking. But that doesn't mean you shouldn't be proactive about making sure that your data is secure. As the saying goes, it's better to be safe than sorry.

Reader Comments (Page 1 of 2)
Joshua Ochs said 1:15AM on 7-01-2009
Then again, if you're using SSL (banking and commerce, or most mail servers these days), then it doesn't matter one whit if you have wireless security or not. It's not like your Layer 5 SSL encryption is somehow made useless because of lack of Layer 2 WiFi encryption.
Even if you're on a "secure" WiFi network, anyone else on that network has just as much access to your packets as on an open unencrypted network. So don't think of hotspots as secure, even if they use WPA2.
Reply
Joshua Ochs said 1:19AM on 7-01-2009
Also, while it's not free, iVPN leverages the built-in VPN software on Mac OS X (even client!) to create a VPN server on any Mac. The nice thing about using the built-in server is it's guaranteed to work flawlessly with the VPN client on the iPhone and other Macs, and it works reasonably with Windows clients as well. Instant secure access to your home network (and proxy servers or whatever else you may want to run).
Reply
robb said 9:48PM on 7-01-2009
The introduction to the article seems a bit overly sensational, and misleading:
"It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance."
ANY Internet connection should be regarded as insecure. Your data is going through countless hands before it gets wherever it's going. Yes, with a wireless connection in a cafe the guy at the next table might be snooping (whether or not the connection is encrypted), but if your ISP is a little bit careless your neighbor might be snooping on your home connection. Or somebody at the ISP. Or somebody at the next link in the chain between your ISP and your bank. Etc. That's why banking transactions are encrypted, and, unless the bank has made a serious mistake, are safe even on a completely open wireless connection.
E-mail is a different story - many e-mail systems do not encrypt your password. That's not just a problem on a wifi connection, it's a problem on any connection.
Reply
paxswill said 1:33AM on 7-01-2009
One option, kinda related to the VPN option, is to have another computer at home running an SSH server so you can tunnel all of your traffic over to home (hopefully a trusted connection) and then to the internet. It's not that hard to set up, and the hardest part is setting up the SSH configuration to only use keys and only allow certain users. It doesn't take much of a computer to run an SSH server. I use a 2001 iMac that also serves as an iTunes and iPhoto server for my house.
Reply
Chris said 3:40AM on 7-01-2009
1. As others have said as long as your logins (internet banking etc..) are submitted over SSL then there is no problem.
2. WiFi encryption, in the sense its presented in the article, is useless: everyone else on that network has free access to your data.
3. The firewall / turning off sharing IS important from a perspective of stopping other programs getting on your computer... in which case all bets are off.
There are probably other reasons for worrying about hotel, workplace etc. connections, such as DNS vulnerabilities or SSL (certificate spoofing) problems... probably though your only options there are to carefully check the certificates and sites you're visiting: you have these same risks of course even at home, but then at least you're (normally) only having to trust yourself and your ISP.
Reply
Kate said 3:45AM on 7-01-2009
There's no padlock next to my network name in the wireless menu, yet it is WEP encrypted (I just confirmed this by going to the advanced settings in the network preferences panel; it shows WEP next to the network there). Any ideas why that would be?
Reply
FleX said 4:19AM on 7-01-2009
I can't believe people even use WEP and secure in one sentence, please if you secure they might as well secure it so you can't be cracked in 10 minutes Sniffin' your packets
Reply
greg.schmeer said 4:57AM on 7-01-2009
you can also set up a VPN to your home network if you have an old XP box laying around. http://forums.bit-tech.net/showthread.php?t=64926
You can use DynDNS to set a hostname and then log into your network remotely.
I use this combo as "back to my mac" type setup.
The Mac client setup is pretty straightforward but not listed in the link.
Reply
loser said 5:02AM on 7-01-2009
I am against this policy of encrypted hot spots. Even in my home I use no encryption so any of the neighbors may use it if needed. How many times have you been in the common situation where an internet connection is needed but no free wi-fi can be found?
Security must be provided by the service (SSL, https,...) and not by the router.
Reply
Phillip Dudas said 9:13AM on 7-01-2009
Letting all the people in your neighbourhood get on to your wireless internet connection at your home may be putting you at risk not from the standpoint that they may be accessing your files or traffic but they may also be draining your bandwidth or heaven forbid performing any illegal acts. You may be liable for crimes committed via your connection.
noname said 5:56AM on 7-01-2009
Mind that encrypting your wireless network with WEP is practically useless, as it can be broken in a matter of minutes, no matter how complicated your password is. If you can, encrypt it with WPA/WPA2 with a random sequence of characters, because this one is sensitive for dictionary attacks.
Also, monitor your DHCP table in the router for suspicious devices, and if you see one - turn off wireless, shut down your router, and reconfigure it directly using LAN cable.
Reply
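To make the passphrase advice concrete, both the article's "select WPA/WPA2 Personal and enter a password (longer is better)" and noname's point above about random passphrases and dictionary attacks, here is an added Python example; it is not code from TUAW or from any commenter. It derives the WPA2 pre-shared key the way the access point and client do (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, per IEEE 802.11i), generates a random passphrase, and flags weak ones against a small constructed wordlist; the wordlist and SSIDs are constructed sample values.

```python
import hashlib
import secrets
import string

# WPA/WPA2-Personal turns the passphrase into a 256-bit pre-shared key with
# PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations (IEEE 802.11i).
# The SSID is public and the derivation is fixed, so once a handshake has
# been recorded, guesses can be checked offline at leisure. That is why a
# dictionary word is weak and a long random passphrase is not.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32

# Constructed mini wordlist standing in for a real common-password list.
COMMON_PASSPHRASES = {"password", "12345678", "letmein1", "qwertyui", "iloveyou"}

PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "-_.!"


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK that both the router and the client derive.

    For WPA, this hex string is the 'hexadecimal key' form that some routers
    ask for in place of a passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_BYTES
    )
    return key.hex()


def generate_passphrase(length: int = 24) -> str:
    """Draw a random passphrase from a CSPRNG ('longer is better': 24 is ample)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_problems(passphrase: str) -> list:
    """Return the reasons a passphrase is weak; an empty list means none found."""
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than the 8-character WPA minimum")
    elif len(passphrase) < 16:
        problems.append("shorter than 16 characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("appears in a common-password list")
    if passphrase.isdigit() or passphrase.isalpha():
        problems.append("uses only one character class")
    return problems


if __name__ == "__main__":
    # "password" / "IEEE" is the reference vector from IEEE 802.11i Annex H.
    print(wpa2_psk("password", "IEEE"))
    fresh = generate_passphrase()
    print(fresh, passphrase_problems(fresh))
```

Changing the SSID changes the derived key even for the same passphrase, which is why the SSID is sometimes called the salt; it does not add secrecy, since the SSID is broadcast.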
cs said 7:50AM on 7-01-2009
Do those that keep saying if I am going to an SSL site really think they are secure if they are on wireless? Those that do are why my job is so great. Simple MIM attack with some ARP Poisoning and DNS Spoofing (few simple commands) and off I go. SSLSTRIP running and every secure site you go to first goes through me and you are setup clear to me while I make the secure connection to end point. Thus I see ALL your data.
And for those using WEP (I am sorry, but stop, way too easy to break), and those on WPA be sure, VERY SURE, to use strong non dictionary, non common, non logical passwords or it is even easier than WEP to break.
Reply
Phillip Dudas said 9:20AM on 7-01-2009
CS - How often is that going to happen. How many people have the skills to do that?
Agreed about WEP
So what are you trying to say then? What should people do to keep themselves safe? In the case of VPN it is only secure up to the endpoint of the VPN. After that, who knows where your data is going.
CVBruce said 10:36AM on 7-01-2009
cs,
If you set up the SSL connection to my bank, and then relay the data to me in the clear, wouldn't my browser show that I have an unsecured connection to the bank?
Thanks,
bjs
cs said 10:14AM on 7-01-2009
Actually, have you ever hung out at a public hotspot to see the guys that do exactly what I said just for fun. Yes it is not every time, but by me knowing the tools and what they look like, I have many times at many different places seen a guy (funny how it is always a guy teen to mid 20's) sitting there running em.
My main point I should have made is to NEVER, and I mean NEVER trust *ANY* public hotspot for anything financial in nature (shopping, banking, etc).
As for skills, doing MIM really is just as simple as a couple of commands and just about all the tools (used by real Black and White hats) are free for all (including script kiddies).
For home users, not as much risk because unless your neighbor (or their kid) wants to mess with you, odds are nobody is going to sit outside your house to mess with your WiFi.
To help educate, here is a link to one of the newest tools SSLSTRIP that I mentioned. http://thoughtcrime.org/software/sslstrip/ Was released back in Feb at BlackHat DC and will be updated and shown off in Vegas coming up. While the video (over an hour) doesn't show exactly how to set it up (you need to know, but like I said, just a few commands), once running, it really does get all your info very easily. And btw, not only WiFi networks as there is nothing special about em, WiFi is just easy to get into. It is about being on the network that is the point.
And that is just one of many tools one could use. That one just shows how easy it is to get a user to think they are safe thinking SSL will save them. There is also SSLSNIFF which does take a bit more work, but still works.
Reply
cs said 10:47AM on 7-01-2009
@CVBruce, actually yes one *could* notice. But for example (watch that video in my other post) most users sign in via an unsecured page posting to a secured page (common trend). If I am already in the middle, the only thing you won't see is the "s" and a lock icon (I can put one in browser link bar but not elsewhere).
No other indications what so ever. And that is if I go that route.
I could be in the middle and give you "my cert" for secure to you, and then I would secure back to endpoint, and just manage in middle (once again, the tools do this for you, it is easy) and thus you see secure and I have the cert to decrypt since you accepted mine thinking it was theirs. It is just a bit more difficult to get a good cert (script kiddies would be using bad ones, but if I really wanted to live the life of a hacker and steal from others, it is worth me getting a cert).
Once again, the rule is, if public hotspot, DON'T bank/shop. If at home, while always a risk is present, it is much lower.
Reply
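The pattern cs describes above (a login form delivered over plain http that posts to https, which someone in the middle can rewrite before you ever see a padlock, as opposed to a login page that is itself https) is something a site owner or auditor can check for. This is an added Python example, not code from the post or from any commenter; the URLs and HTML it examines are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Two findings, matching the two situations described above: a password form
# that submits over http (credentials in the clear), and a form that posts to
# https from a page that itself arrived over http (anyone in the middle can
# rewrite the form's action before the padlock ever appears).
PLAINTEXT_POST = "plaintext-post"
HTTP_LOGIN_PAGE = "http-login-page"


class LoginFormCollector(HTMLParser):
    """Record every <form> that holds a password field, with its absolute action."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # (action_url, has_password_field) per form
        self._action = None      # action of the currently open form, if any
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "submit back to this page".
            self._action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.forms.append((self._action, self._has_password))
            self._action = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return (finding, action_url) pairs, one per password form on the page."""
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    collector.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for action, has_password in collector.forms:
        if not has_password:
            continue  # a search box or newsletter form is not a login form
        if urlsplit(action).scheme.lower() != "https":
            findings.append((PLAINTEXT_POST, action))
        elif page_scheme != "https":
            findings.append((HTTP_LOGIN_PAGE, action))
    return findings


# Constructed sample: an http page whose login form posts to https.
SAMPLE_PAGE_URL = "http://shop.example.com/login"
SAMPLE_HTML = """
<form method="post" action="https://shop.example.com/auth">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding, action in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding, action)
```

The fix the check points at is the one cs implies: serve the page that contains the login form over https as well, not just the page it posts to.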
+. said 10:48AM on 7-01-2009
I'm a little surprised this article doesn't mention one of the easiest methods of securing a home wireless network: keeping the SSID (network name) hidden. one can accomplish this in an Airport Extreme by using the option to "Create a Closed Network".
the effect of this is that, when one is looking at available wireless networks, a hidden/closed network name isn't displayed. you can only connect to it if (a) you know it's there & (b) you know the name of the network; this is before any sort of encryption (WEP/WPA) even comes into play.
obviously the network is still detectable with the right tools, & obviously anyone who can effectively hack WEP/WPA can still compromise it; but at the point where someone's going to all that effort they're probably going to get you one way or another, regardless of security. & out of sight tends to = out of mind, so not having a visible network tends to be the best method of avoiding casual intruders.
Reply
David said 11:42AM on 7-01-2009
Actually, + hiding the SSID is what we in the security world consider security by obscurity. i.e. it doesn't really do that much. When someone connects to an AP, a beacon (wireless connection packet) is sent with the SSID in the clear, so even if the AP itself is not sending the SSID out in its beacon, a client will still do that, so any of numerous wireless sniffers will present the available SSID the first beacon it sees will show up. Having said that, I certainly have SSID turned off at home, but it shouldn't be used as the only security mechanism. Also, to loser, agree with what Phillip said. If someone is using your home network for illegal activity, whether it's hacking or kiddy porn or downloading illegal music/software, you can be held liable for not securing your home network even if you didn't do it yourself. I'm all for being neighborly, but not at the expense of someone abusing it.
Dyranios said 12:07PM on 7-01-2009
I was having problems connecting my brother's Windows PC to the AirPort Extreme WPA2 network I set up in our house as he is visiting, so I removed security altogether and hid the SSID and only allowed the MAC addresses of our devices to access the network. I am aware packets could be sniffed and MAC addresses spoofed if they wanted access; however, to be quite frank I think this situation is highly unlikely, although I would only ever use this measure temporarily.
Reply
scuttlemonkey said 12:21PM on 7-01-2009
Ok, other commentators have said this, but let me spell it out.
The purpose of "secure" wi-fi is to prevent strangers from jumping onto your network without at least having to do a bit of work. That's all it is good for! Google aircrack-ng if you want to know more.
And you know, your bank is probably 10 routers away from your computer. What's the big deal with securing one of those hops but not the other nine? No point at all, hence banks require the use of SSL -- which is actual real security.
Are we going to see a correction?
Reply