I have had many people ask me about wireless security lately. I attribute this to the boom in regular people now having WiFi enabled phones and netbooks that they use many times a day for every task imaginable. Many of these people use whatever wireless network they can connect to, whether they recognize it or not and they proceed as usual with e-mails, IM conversations, etc. The following applies to any wirelessly connected device, whether it be a laptop, iPhone, Blackberry, etc. I have tried to break these down by the most common questions. If you have more question, please add them to the comments and I will answer them as well.
If my home wireless connection is encrypted with WEP/WPA isn’t everything secure?
Let’s get this out of the way from the beginning. If you are using WEP then your connection is NOT secure. WEP can now be cracked on average in less than 5 minutes. There is no reason to be using WEP as WPA has now been around for years and is much more secure in every way shape and form. Bottom line, if you are using WEP get off it and move to WPA or accept that your information is as secure as being in the open unencrypted.
WPA was created as quick solution the massive insecurities in WEP. It does give a fairly high level of protection and even though there are rumors it has been cracked, those are currently rumors. When I see a tool that makes it EASY for anyone to break into a network as is the case with WEP, I would not be as worried. WPA2 is the next step beyong WPA and is extremely secure.
Is the password I chose good enough?
Realize this. If you have the strongest encryption in the world and everything is setup super-tight but your password is “doggy” then you might as well not have it secured at all. I say this because there are programs that will automatically try every common word in the english language and some others, as well as variations on it. So it would try d0ggie, d0ggie, d0gg1e, d0gg13 etc… Moral of the story is never base your password on a common English word and use numbers with some symbols (punctuation, etc if possible). I am not telling you to pick a password your will never remember. If you have to write it down on a sheet of paper then that defeats the purpose. However, making a moderately difficult password that you CAN remember is infinitely better than using a simple one that people might be able to guess.
My wireless network is secured correctly but many people share the password, is that an issue?
Yes, it is an issue. For regular home users this is not that big of a deal because you and your family use the wireless connection. However, lets say you live in an apartment complex and one of your kids and their friends want to use the wireless connection in your place. Whomever has the password obviously has the ability to pass it on to someone else so that third party could access the network. However, what most people don’t know is that anyone posessing the password can access all data on that network via wireless sniffing and decrypt all that data. So essentially, its like people having a master key. Except this master key magically works through walls and doors. Oh this magic key also lets people view when you are going in and out, what you are doing, and with whom. The point is, if you do work from home or are securing a business wireless access point then having the same password for every user is NOT a good option. There are ways to secure this, but that is beyond the scope of this article. If people are interested, add your thoughts into the comments.
What if I don’t have a choice and need to use an unsecured hotspot? What can I do?!?!?!?!
This is the number one question. I left it at the end because the other questions build a good foundation as to why you need to do this.
VPN – if you must do work through an unsecured wireless access point then a VPN is the most secure way to go by far. A VPN allows you to tunnel all your traffic through it and it encrypts everything along the way until the server you initiated the VPN with gets the data and then decrypts it. The assumption is that the most insecure transmission occurs before reaching the VPN server, at which time there is no need for it be encrypted anymore (this is a very simplified breakdown of VPNs). If you are a casual user and don’t have a work VPN but want everything to be secure then you can sign up for services such as hotspot-vpn which allows you to vpn into their servers. Many other companies offer services for a relatively cheap price.
If a VPN service is not an option then you must ensure security at the application level. This means making sure each application does what it needs to in a secure manner. For example, make sure you access sensitive sites using https:// if available. If you don’t know what https:// is then stop, do not pass go and do not collect $200. It’s best if you don’t do anything of consequence over an unsecured connection. However, if you do then you can feel much more confidence that your transactions with that site will be secure. Secure your IM conversations as described in another blog post of mine. For e-mail etc, most prividors offer secure connections through the Web, the same cannot be said for your client on the desktop. I advise many people to simply use the web based mail when on the go if they are unsure.
This has been a fairly rapid rundown of some of the issues and ways to counter them and is by no means the end-all-be-all of solutions. However, this does make you aware of potential issues and gives you teps to be ahead of most of the population.