I have mentioned wireless security on the blog before and I am talking about real security not “feel good” security; at the very least you should be using WPA and preferably WPA2.
The Register reports on the consequences that have happened to a poor American expatriate living in India who just so happened to run an open unsecured wireless network.
Indian police raided the Mumbai home of an American expatriate after someone used his open wireless network to send an email that took responsibility for a bomb blast that killed at least 42 people.
Kenneth Haywood, whose internet-protocol address was included on an email sent just prior to the blasts, spent much of Thursday answering questions by the Maharashtra Anti-Terrorism Squad officials. Police seized his three computers, as well as the machines of several neighbors, and are examining them as part of an investigation.
This story demonstrates a rare but real risk of running an open wireless network.
So should you be hiding your wireless network? Should you be closing your Airport network? Should you be not broadcasting your SSID (service set identifier)?
Some people do this to make their network invisible.
Most people are not aware that hiding your SSID or “closing” your network, does not in fact make your network invisible.
All it does is stop broadcasting your SSID (network name).
Your network is still broadcasting and therefore detectable.
I have a (modern) Sony VAIO which can pick up closed networks without any extra software – the ability is built into the latest intel chipsets.
As well as your network still broadcasting your network will also “broadcast” your SSID everytime a client joins your network.
Well you want to join the network, so you tell the router that you want to join.
You tell it the SSID, it says okay and lets you join.
When you told it the SSID, this was broadcast in the clear and can be easily picked out by “sniffer” programmes.
Exactly the same process can be used to sniff out the the authorised MAC address if you use MAC address access control.
Unfortunately “Closed” networks, MAC access control lists, and reduction in transmission power are all more “feel good” security rather than real security. All these various approaches are dated and mistakenly lead to overconfidence.
They’re like putting a brown paper bag over your wireless router to “secure it”, it may make you feel better, but adds no security whatsoever.
WPA is your friend if you value wireless security.
Some people have quite a few problems connecting devices to a WEP encrypted wireless network.
One of the problems with WEP is that the actual standard relies on a 10 character HEX key for 40bit WEP and a 26 character HEX key for 128bit WEP.
In order to make things easier for people, vendors use certain algorithms to convert simple alphanumeric passwords (or passphrases) into HEX keys, thus enabling people to use simple memorable WEP password rather than lengthy HEX keys.
The problem is that different vendors use different algorithms to generate the HEX key and therefore a ASCII password on an AEBS will be hashed differently on a Netgear client and vice versa.
One thing is a 13 character 128 bit WEP password will be hashed by all vendors in the same way (if you use 40bit WEP then a 5 character password is required).
Though sometimes not even that works and the HEX key must be used regardless.
Having said all that WEP is considered today to be insecure and not recommended (it can be broken quite easily by a determined hacker) if you can use WPA. However if you have legacy devices which don’t support WPA then WEP is sometimes all you can use.
Over the last week or so, I have been messing about experimenting with my network topology.
Previously I had a relatively simple network, a sole Airport Express with a lot of wireless clients. After having quite a few connectivity issues with the Airport Express, I knew I had to replace it with my newer Airport Extreme.
Once I did this, I left it in place for a few days to iron out any wrinkles or problems. I am running it in 802.11n b/g mode so that all my wireless clients can connect to it.
Yesterday I started to rearrange things, so that I could have wired clients, a pure 802.11n network and a separate 802.11g network.
My Airport Extreme now sits under my television, connected to it is my EyeHome, this should mean it can communicate to my iMac (which I use to record television via an Elgato EyeTV device) and stream video, audio and pictures without stuttering. I also intend to hardware a Mac mini as well and this will be my media centre for the moment – longer term I will replace this either with an Apple TV or another Intel based Mac mini. This Mac mini will have an Elgato USB EyeTV device attached.
I will also connect to the Airport Extreme (the third device to the third LAN port) an older 802.11g Airport Extreme which will be running a pure 802.11g wireless network for the older wireless clients. I will very likely stop using 802.11b devices, but as these are only PDAs I am not too worried and if I do need to test them I can always use the airport Express and plug that into the AirportExtreme as and when necessary.
I am hoping that this will improve the network and make it much faster for internal file transfers and as I replace older Macs with newer ones which support 802.11n it should also be future proof as well.
The only downside I guess is the location of the 802.11n Airport Extreme does make it difficult to test USB hard drives and printers.