Chapter 13: WEP (Wired Equivalent Privacy)

What Measures You Should Take

Most network security advice applies whether you have a Wi-Fi network or not. Wi-Fi introduces some specific complications into the network security equation, but you should take general network security precautions first:

1. Install a virus detector, and update it regularly. I've used Norton Anti Virus (NAV) for a good many years, and the only times I've ever been stung by a virus were the times I had turned NAV off for various arcane reasons and forgot to turn it back on again.

2. Make regular backups and keep them in a safe place. I'm continually amazed at the number of people who ignore this stone-age advice. I keep a monthly backup of all my data files in our safe deposit box, and perform a daily backup on any files I work on during the course of the day.

3. Put a firewall in place. Most routers and residential gateways intended for the small office/home office (SOHO) market include a Network Address Translation (NAT) hardware firewall that works very well-but doesn't do everything. To prevent certain hacker exploits and annoying nuisances like pop-under ads, you should also install a separate software firewall program, such as Zone Alarm Pro. Note well that firewalls protect you from attacks coming in from the Internet. They do nothing to prevent attacks that come in through your wireless access point!

4. Be careful about opening email attachments and installing software from unknown parties. NAV will catch a lot, but it must already know what to look for, and if you happen upon a newly released Trojan horse, NAV may miss it.

Adding Wi-Fi specific measures is actually very simple:

1. Turn on Wired Equivalent Privacy (WEP). All recent Wi-Fi access points and client adapters support WEP, but all arrive in their pretty boxes with WEP turned off. (A few brave Wi-Fi vendors will admit that they do this to keep their technical support calls to a minimum.) If you don't turn it on, it won't help you at all. The press has made much of the fact that WEP can be cracked using Packet Sniffing utilities, but it's not as quick to accomplish- nor as easy-as non-technical reporters have made it out to be.

2. Change the default Service Set Identifier (SSID). All access points come with a default SSID. Linksys's default is 'linksys'; Cisco's is 'tsunami.' Changing it doesn't really help protect your system except in a peculiar way: Hackers often assume that people who don't change the SSID have been lax in other ways, and may consider your network 'low-hanging fruit.' Don't give away too much information in your SSID. Wardrivers often see SSIDs like 'The Dorkman Family Network' and 'Cloofre Realty, Inc.' Why tempt somebody looking for clueless families and businesses? Choose a jumble of letters and numbers, or a weird word like 'tatterdemalion' that says nothing about who you are and what you do.

3. Don't use obvious passwords. Avoid your initials, the names of your kids or dogs, the make of your car, your birth year, or other guessable things. There is an obvious tension between rememberability and guessability. The passwords most resistant to cracking are truly random jumbles of characters, but something like '2GOOD2B4GOT10' is almost as good, and much harder to forget.

4. I differ strongly with most of my fellow Wi-Fi advice-givers in one way: If you enable WEP, you don't really need MAC address filtering. MAC address filtering is almost worthless, and should only be used if for some reason you have client adapters that can't communicate with your access point when WEP is enabled. (And if you can't get your adapters to talk to your access point over WEP, you need new adapters… or a new access point.) I'll speak more of MAC address filtering in Chapter 14.

5. Other security measures mentioned frequently in the press, like turning off your SSID beacon, aren't of much use if you have WEP enabled. Utilities like Kismet can find your access point whether its beacon is on or not. Don't bother.

To this regimen you can add some fairly simple 'physical' security measures that will help grind a few more pits out of security's speckled axe:

1. Use removable media for your sensitive data, and pop the media out of the machine any time you're not in front of the machine working on it. I use Zip 250 cartridges for all my data. The only stuff I really keep on my hard drive is installed software. If your data isn't on the machine when a hacker or a Trojan horse strikes, it won't be damaged or stolen!

2. Turn your broadband modem (cable or DSL) off when nobody's using it. Attacks by Drive-By-Hackers often occur in the middle of the night when there's nobody using the machines on your network and thus nobody to notice all the blinking data LEDs on your router. If your broadband modem is powered down, hackers can't use your Internet connection without your permission to commit IP impersonation.

3. Turn your computer off when no one's using it. If your computer is powered down, hackers can't break into it. Besides, you may be surprised at how much it costs in electricity to keep a modern, fast PC powered up 24/7. Read point 4 before you choose to do this, however.

4. Points 2 and 3 having been said, leave your wireless access point and (if possible) your client adapters powered up. There is a very technical but important glitch in Wired Equivalent Privacy (WEP) encryption: Many Wi-Fi devices reset their sequence of initialization vectors (IVs) when they initialize on power-up. (Don't fret if this means nothing to you just now.) This is bad engineering for reasons I will explain in Chapter 13, when I discuss in more detail how WEP fails. Most client adapters draw their power from the computer to which they are attached and power down when the computer does, and thus there's nothing you can do about them. However, you can and should put your access point on a separate outlet or power bar from the rest of your system, and leave it on all the time.

Life is rarely simple. Points 3 and 4 are to some extent in tension with one another. Leaving your computers and access point on all the time reduces the hacker threat from duplicate IV values, but if hackers do break in, your computer is on and can be compromised. My rule of thumb is this:

• If your network is at your business location, keep your computers and Wi-Fi devices powered up all the time, but power-down your broadband modem after business hours to prevent IP impersonation and incursions from outside via the Internet. Make sure you implement frequent backups and physical security for your data.

• If your network is at your home, power down your computers and broadband modem every night, but keep your access point powered up if possible. As long as your broadband modem is off, there's not much that a drive-by hacker will likely want from your network, especially if there are a lot of unsecured networks nearby.

My hope is that Wi-Fi manufacturers will gradually eliminate security glitches in their firmware, and by allowing you to upgrade the firmware in your Wi-Fi devices, you can mitigate some of these problems.This is already happening; Proxim's Orinoco line of access points and client adapters filter out weak IV values, and you can upgrade the firmware of older units to allow them that same enhancement as new-offthe-line Orinoco gear. The brand-new Wi-Fi Protected Access standard (WPA) should be available by April of 2003, and you will be able to upgrade your Wi-Fi gear to WPA-compatibility with a firmware upgrade. This is extremely important! WPA will make much of my next two chapters obsolete, and for a change I'm hoping and praying for that to happen.