Wireless security – how secure is your data?

I have had many people ask me about wireless security lately. I attribute this to the boom in regular people now having WiFi enabled phones and netbooks that they use many times a day for every task imaginable. Many of these people use whatever wireless network they can connect to, whether they recognize it or not and they proceed as usual with e-mails, IM conversations, etc.  The following applies to any wirelessly connected device, whether it be a laptop, iPhone, Blackberry, etc.  I have tried to break these down by the most common questions.  If you have more question, please add them to the comments and I will answer them as well.

If my home wireless connection is encrypted with WEP/WPA isn’t everything secure?

Let’s get this out of the way from the beginning. If you are using WEP then your connection is NOT secure. WEP can now be cracked on average in less than 5 minutes. There is no reason to be using WEP as WPA has now been around for years and is much more secure in every way shape and form. Bottom line, if you are using WEP get off it and move to WPA or accept that your information is as secure as being in the open unencrypted.

WPA was created as quick solution the massive insecurities in WEP.  It does give a fairly high level of protection and even though there are rumors it has been cracked, those are currently rumors. When I see a tool that makes it EASY for anyone to break into a network as is the case with WEP, I would not be as worried.  WPA2 is the next step beyong WPA and is extremely secure.

Is the password I chose good enough?

Realize this.  If you have the strongest encryption in the world and everything is setup super-tight but your password is “doggy” then you might as well not have it secured at all.  I say this because there are programs that will automatically try every common word in the english language and some others, as well as variations on it.  So it would try d0ggie, d0ggie, d0gg1e, d0gg13 etc…  Moral of the story is never base your password on a common English word and use numbers with some symbols (punctuation, etc if possible).  I am not telling you to pick a password your will never remember.  If you have to write it down on a sheet of paper then that defeats the purpose.  However, making a moderately difficult password that you CAN remember is infinitely better than using a simple one that people might be able to guess.

My wireless network is secured correctly but many people share the password, is that an issue?

Yes, it is an issue.  For regular home users this is not that big of a deal because you and your family use the wireless connection.  However, lets say you live in an apartment complex and one of your kids and their friends want to use the wireless connection in your place.  Whomever has the password obviously has the ability to pass it on to someone else so that third party could access the network.  However, what most people don’t know is that anyone posessing the password can access all data on that network via wireless sniffing and decrypt all that data.  So essentially, its like people having a master key.  Except this master key magically works through walls and doors.  Oh this magic key also lets people view when you are going in and out, what you are doing, and with whom.  The point is, if you do work from home or are securing a business wireless access point then having the same password for every user is NOT a good option.  There are ways to secure this, but that is beyond the scope of this article.  If people are interested, add your thoughts into the comments.

What if I don’t have a choice and need to use an unsecured hotspot?  What can I do?!?!?!?!

This is the number one question.  I left it at the end because the other questions build a good foundation as to why you need to do this.

VPN – if you must do work through an unsecured wireless access point then a VPN is the most secure way to go by far.  A VPN allows you to tunnel all your traffic through it and it encrypts everything along the way until the server you initiated the VPN with gets the data and then decrypts it.  The assumption is that the most insecure transmission occurs before reaching the VPN server, at which time there is no need for it be encrypted anymore (this is a very simplified breakdown of VPNs).  If you are a casual user and don’t have a work VPN but want everything to be secure then you can sign up for services such as hotspot-vpn which allows you to vpn into their servers.  Many other companies offer services for a relatively cheap price.

If a VPN service is not an option then you must ensure security at the application level.  This means making sure each application does what it needs to in a secure manner.  For example, make sure you access sensitive sites using https://  if available.  If you don’t know what https:// is then stop, do not pass go and do not collect $200.  It’s best if you don’t do anything of consequence over an unsecured connection.  However, if you do then you can feel much more confidence that your transactions with that site will be secure. Secure your IM conversations as described in another blog post of mine.  For e-mail etc, most prividors offer secure connections through the Web, the same cannot be said for your client on the desktop.  I advise many people to simply use the web based mail when on the go if they are unsure.

This has been a fairly rapid rundown of some of the issues and ways to counter them and is by no means the end-all-be-all of solutions.  However, this does make you aware of potential issues and gives you teps to be ahead of most of the population.


6 responses to “Wireless security – how secure is your data?

  1. I am not sure you a leaving an accurate impression wrt webmail. At least if Yahoo and Microsoft are any indication. While the logins are secure, the viewing and composing of email are not. It is true that any email that isn’t encrypted can be viewed as it traverses the Internet, but this is significantly different than anybody around you being able to pull the content out of the airwaves.

    Also, depending on server capabilities and email client settings, both SMTP and POP3 can be can be encrypted. I believe in both cases this applies not only to authentication but also to content.

    • As another person commented below, gmail can be set to always use https to keep the entire session secure. I understand that yahoo also gives this option now as well, however I am complete unsure of Hotmail. Also, people can indeed “pull the content out of the airwaves”, the only difference is, if encrypted they can’t make sense of it. Wireless sniffing is very easy and becoming much more common.

  2. Gmail at least can be used entirely over https.

  3. About password security for network encryption technologies like WPA/WPA2, it’s best to use a random generated password of the maximum length supported as provided by https://www.grc.com/passwords.htm. This ensures nobody, not even you (the admin), will remember it. You (the admin) should then setup every computer that needs access to your network manually and should store the password in a locally encrypted file (GNU GPG) which can be decrypted only by you (the admin).

    This will make it virtually impossible to crack your wireless connection if you use WPA2. Plus you can plausibly deny that you don’t remember the password and have lost the USB-key you keep it on to prevent law-officers in jurisdictions where they require no warrant to snoop into your network in order to protect your privacy.

    • G Fernandes, I see your point and agree that this gives a very high level of security but the concept of security cannot be a one sided thing. If security is to be used on a large scale and be understood by non-techies then their has to be a happy medium. Going to a file that is already encrypted and retrieving a password that is 64 characters long is a tedious task. Double that with the issue of someone that already has your password so he could use your network for a couple of hours and you still have the situation i talked about where your network is now not *as* secure as it was. I always recommend a happy medium so that all may partake in good security practices while not losing much ease of use.

  4. After a bit of a Google search as well as looking at the options, I don’t see a way to use https for the entire session in Yahoo mail. Perhaps it is something that is available in the “new Yahoo mail” or something that is available when you pay. In my searching it looked like secure POP3 was available for a paid account but I saw no such indication for webmail.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s