WiFi nets and cellular data nets

[navychop]

As I’ve watched my friends suffer with wireless at work and home, I’ve avoided it like the plague. However, now I must use it on occasion (more than the odd surfing at a restaurant), and may need to add it to my home network. Here’s what I think I know:

-Using no security opens your network and all traffic on it to casual snoopers.
-WEP is almost useless, it can be broken by script kiddies with limited skills.
-WPA is better but still vulnerable, esp if weak PWs are used.
-WPA2 is good (so far) but not as widespread as the others, as it's only been out a couple of years.
-MAC address filtering, changing the SSID and not broadcasting the SSID are minimally useful- i.e. almost useless.
-NEVER use a web site where you need to enter a PW over a non-secure net. You'll be giving away your PW.
-Even if you get a locked padlock/https over a non-secure network, you’re not safe because these can be spoofed.
-Just because you enter a PW to use a certain wireless network does not mean it is secured.
-For good security, you'll have to enter a good (long) PW at least once into your laptop. If you haven't, you aren't secure.

Would you say the above is correct? And that the safest way to use wireless networking is over WPA2, and that’s safe enough to do online banking? And there's nothing more secure on today's market than WPA2?

Other than asking, how can you determine what security, if any, is in use at a public spot?


Which brings us to using a data plan with a cell company. How secure is that? Better than WiFi & WPA2? Is 3G more secure than GPRS/EDGE? Are the PDA plans, smart phone plans and laptop connections equally secure? Safe to access bank accounts this way?

 

[Jared Twomey]

wow, you are security conscience.
WPA2 is fine for most people. Nothing is perfect, and on your own network WPA2 is the best it gets.
As far as public wifi, use a VPN. Something like HotSpotVPN. Once connected the connection is encrypted and is safe as you are going to get in public.

 

[mike123abc]

-Even if you get a locked padlock/https over a non-secure network, you’re not safe because these can be spoofed.

This depends on the site design of the "secure" site. One cannot spoof the https. But, the user can ignore the IE (or other browser) warnings.

But, lets say you log into google mail (this was one that was demonstrated lately). The exchange of the password is secure, and cannot be captured since it is via https, but then google just gives you back a cookie. You send the cookie back and forth in the clear. An easedropper copies the cookie and has complete access to your email until the cookie expires. Yahoo mail does the same thing.

The only way around this is what banking sites do is to stay in https the entire time, and not sending the cookies in the clear.

Cell phone transmissions are pretty secure. Not government secure, but private individual secure. The government of course would not even have to bother breaking the encryption, they would just get a feed from the wireless company in the clear routed to them.

If you have a computer that you can use putty to log in securely, you can just set up a quick tunnel that both IE and FireFox can use to encrypt all your transmissions to the computer and that computer then sends out the packets over the internet. This is what I use for WiFi, so my browser traffic stays secure the entire time. I have a putty session that I initiate, then I use FireFox set to use the putty connection for the proxy.

 

[diogen]

An alternative view on the home network security issue

I run an open wireless network at home. There’s no password, and there’s no encryption.
Honestly, I think it’s just polite. Why should I care if someone on the block steals wireless access from me?
When my wireless router broke last month, I used a neighbor’s access until I replaced it...

My philosophy is to keep the network open and secure the hosts.

Bruce Schneier Blazes Through Your Questions - Freakonomics - Opinion - New York Times Blog

Diogen.

 

[navychop]

Thanks. I have to be careful because these routes will be used to access our company's accounting program and for banking.

 

[Neutron]

I use WPA-TKIP encryption on my WiFi at home.

I do not broadcast my SSID, and it's not the default. I have a pretty long password that would be hard to break. I also have my IP addressing limited to the number of devices I have at home, so no one would be able to connect anyway and get an IP.

 

[TheForce]

Neutron- Forgive my ignorance but if you don't have a device turned on, isn't that IP now available? Please educate me. I have 8 devices in my home theater now and these are off at times. My wife has a laptop that is only on for a part of the day. I really only have one dishnetwork connection IP, 3 computers, and 3 security cameras that have 24/7 IP's assigned. The rest are part timers.


Navychop-
First of all know your neighbors within radio range. If you live next door to a hacker then stick to hard wire for sure. If not, then I doubt you need to be so paranoid unless you are doing something illegal, or top secret work that is subject to industrial espionage. eg. in my neighborhood I still have a half dozen OPEN wifi users who just don't get it. Me, I use the maximum security offered on modern wifi routers. Then I use a long key as required by banking, 128 bit encryption. Beyond that I don't worry about it.

Now here is where I do have concern. I stay in hotels and sometimes may try to use their free internet service. But here's the precautions I use- 1. I don't use my Dell windows XP. I use my Mac and don't have any sharing on. In addition, my Mac has no sensitive files. With my Dell, I use my EVDO A connection and never connect to a hotel's lan with that computer. The only wifi it has ever connected to is my own at the house.

 

[navychop]

It's not for home use. I've wired my home. Might use wifi there for outside, but mostly for setup and testing (rather than at work). Laptops will be used on the road by non computer types with no concern for security, in various places including truck stops. Must use Windows for access to the accounting system. Nothing illegal, immoral or fattening! Just got to make it work, securely, and invisibly.

I refuse to allow wifi at work due to limited bandwidth there (not enough to "share" with neighbors) and we do have a snoopy competitor.

I will explore the wireless VPN & putty routes, etc. Thanks for the help so far, and anything else you can think of.

 

[Jared Twomey]

Neutron- Forgive my ignorance but if you don't have a device turned on, isn't that IP now available? Please educate me. I have 8 devices in my home theater now and these are off at times. My wife has a laptop that is only on for a part of the day. I really only have one dishnetwork connection IP, 3 computers, and 3 security cameras that have 24/7 IP's assigned. The rest are part timers.

The IP would technically be available. But if he has DHCP turned off, then someone wanting to get on the system would have to know the IP address that was open. Or, he may have the IP's assigned by MAC address, and DHCP turned off. In which case the person wanting to gain access would have to know the IP address available, and the MAC address to spoof for that particular IP.

Makes it a bit tougher to access the router.

 

[navychop]

Couldn't a snoop have picked off that info earlier, while monitoring network traffic? Then just wait their time.

 

[diogen]

Or, he may have the IP's assigned by MAC address...

Best setup, I believe.
Called Static DHCP on third party firmware sometimes...

Diogen.

 

[VinceT3]

static dhcp is nice.. keeps your ip the same (helps if you poke holes for ports and such).. plus you can change the dns on the DHCP server and all your systems will pick that up without having to be changed..

 

[hdtvtechno]

If your router has WPA2 Enterprise Settings like mine..use that..

 

[gasman882001]

My wife makes fun of me but I just bought some long network wire from Monoprice.com and use that instead. Sure you have wire running accross a floor but for those occations were I cannot sit in front of a computer, works fine for me. Just roll it up and store it when I am done.

All of this so I don't have to keep up on the "best" security for home wireless.