Heute hat Microsoft ein XBox live Update herausgebracht, das sich automatisch installiert, wenn Ihr Eure Konsole startet. Dabei handelt es sich allerdings nicht um das “große Herbstupdate”, das Twitter- und Facebook-Unterstützung bringen wird, sondern um ein kleines technisches Update.

Microsoft plant die Einführung eines neuen WLAN-Adapters, der natürlich genauso teuer wird wie der bisher erhältliche Adapter (ca. 70 Euro). Im Unterschied zu diesem soll er aber endlich (!) WPA2-Verschlüsselung beherrschen und damit in der Gegenwart der modernen Wireless-Technologie ankommen. Das Update dient der Vorbereitung dieser Verschlüsselung und der Einführung des neuen Adapters.

Ob das Update auch die WPA2-Verschlüsselung für die bisher erhältlichen alten Wireless-Adapter erlaubt oder ob die Besitzer weiterhin in die Röhre gucken (siehe meinen ausführlichen Testbericht zu diesem Thema) ist bisher nicht geklärt. Sachdienliche Hinweise nehme ich aber gerne in den Kommentaren entgegen! Sobald ich neue Infos habe, werde ich sie natürlich posten.

Ich persönlich bezweifle allerdings, daß die Verschlüsselung auch bei den alten Adaptern funktionieren wird, denn was wäre denn dann der Witz daran, daß Microsoft einen neuen Adapter einführt?

Wieder einmal 3 Stunden meines Tages für die Installation meines WLans unter Ubuntu 9.04 vergeudet, was tut man nicht alles für ein freies Betriebssystem.

Zuerst hatte ich auf einen Fehler beim Kernel getipp, aber das durchprobieren der letzten 3 Versionen brachte nicht wirklich ein brauchbares Ergebnis. Immerhin erkannte die Karte sofort alle Netzwerke in der Umgebung, auch mein Heimnetzwerk mit b&g&n Standard. Das einzige Problem war, dass er nach der Eingabe des PSK ewig herum funkte und am Ende wieder die Eingabe des Passworts verlangte.
Nach einigem Suchen fand ich dann auch die Lösung. Ubuntu mag es scheinbar nicht, wenn gleichzeitig WPA und WPA2 im Netzwerk unterstützt werden. Nachdem ich die Unterstützung für WPA ausgeschaltet hatte, funktionierte auch alles wunderbar.

Verwendete Hardware: Belkin n-Draft-Router und LogiLink WLan-n-PCI-Karte

Hier die entsprechenden Seiten im Ubuntuuser-Forum.

One major improvement of Vista and Seven over XP and 2003 is more control over your wireless settings. There were two major security issues with wireless on previous Microsoft operating systems. One issue was connecting to unsecured networks automatically and the other issue was firewall settings that might leave a user vulnerable in a hotspot. Windows XP systems have a bad habit of automatically connecting to wireless networks within their range. Although the default wireless settings of XP can be changed, the fact that it connects to unsecured networks by default is somewhat disturbing. Another limitation of XP (and 2003) is the fact that your firewall settings will remain the same when migrating from your home network to a hotspot. This is extremely alarming if the user happens to have open shares with sensitive documents. While this example may seem far-fetched, it is very common for users to have open shares on their systems at work or home and go to a hotspot. A malicious user at the hotspot could access files in any of your shares. And, if there is no password on the administrative account, that malicious user may even be able to access the administrative shares.

To manage wireless connections in Vista and Seven, open the Network and Sharing Center in the Control Panel. Click on the Manage Wireless Networks link from the list in the task pane. Clicking the Add button will give you a menu of three items, including Add a network that is in range of the computer, Manually create a network profile, and Create an ad-hoc network.

The Add a network that is in range option in Manage Wireless Connections will display a list of networks that are broadcasting their Security Set Identifier (SSID). Along with each network displayed will be information about whether the network has security enabled or if it is unsecured. Vista and Seven will warn you if you connect to an unsecured network that your information may be visible to others. Unless you are on a secure site, people using sniffing tools such as Wireshark will be able to capture all of your plain text data. Microsoft recommends using WPA2 if your equipment will support it. A list of other wireless recommendations made by Microsoft is included in the following TechNet article. It is common knowledge among wireless security experts that Wifi Protected Access version 2 (WPA2) with Advanced Encryption Standard (AES) encryption and a very difficult Passphrase should be used on wireless networks. Although Wired Equivalent Privacy (WEP) or WPA with Temporal Key Integrity Protocol (TKIP) is better than nothing, these security mechanisms can be defeated.

The Manually create a network profile option in Manage Wireless Networks can be utilized if a network is not broadcasting its SSID. Turning off the broadcast of the SSID will help to prevent people from connecting to your network. If you are not broadcasting the SSID of your access point, users will not see the network in their list of available networks to connect to in Windows XP , Vista, or Seven. While turning off the broadcast of the SSID will help increase the security of your wireless, it will not prevent hackers with the right tools from getting the information. Even if the access point is not broadcasting the SSID, security measures such as the use of WPA2 with AES encryption and a strong Passphrase should also be utilized.

The Create an ad-hoc network is the final option when adding a network in Manage Wireless Networks. The ad hoc network will allow a group of computers to network without an available access point. In Vista and Seven, you can set up an ad hoc network with no encryption, WEP, or WPA2. WPA2 is recommended, and your WPA2 Passphrase can be from 8 to 63 characters long. Numbers, symbols, and uppercase and lowercase letters can all be utilized in the Passphrase.

Note: It can be up to 64 characters long if you only use the characters 0-9 and letters A-F. The characters can be displayed for you in plain text if you check the Display characters check box

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

Download

 Windows Installer (32-bit)

 Windows Installer (64-bit)

 Windows U3 (32-bit)

 Windows PortableApps (32-bit)

 OS X 10.5 (Leopard) Intel .dmg

 OS X 10.5 (Leopard) PPC .dmg

 Source Code

The 64-bit Windows installer requires the Microsoft Visual C++ 2008 SP1 Redistributable Package (x64) in order to run.

http://www.wireshark.org/

Let’s play the WIRELESS SECURITY game! *Applause*

So, which one of the following is the most secure?!

1) Security Key (WEP): 2541293842 | SSID Hidden | MAC Addresses Filtered

2) Security Key (WPA): 2541293842 | SSID Hidden | MAC Addresses Filtered

3) Security Key (WPA): IhathN3v3rF41l3dTh33?! | SSID Visible | MAC Addresses NOT Filtered

4) Security Key (WPA): IhathN3v3rF41l3dTh33?! | SSID Hidden | MAC Addresses Filtered

5) Security Key (WPA2): IhathN3v3rF41l3dTh33?! | SSID Visible | MAC Addresses NOT Filtered

6) Security Key (WPA2): IhathN3v3rF41l3dTh33?! | SSID Hidden | MAC Addresses Filtered

Well? Any clues? It’s actually not much of a game. The least secure wireless network is at the top, the most secure is at the bottom. However, this doesn’t quite tell the whole story – as I would always use option 5 over option 6 and option 3 over option 4. Why? That is a very good question, to answer it – let’s break this down.

No Security Key vs. WEP Key vs. WPA Key vs. WPA2 Key

So you’ve  just got a shiny new wireless device, which is asking you to choose a “security mode” – or something similar.

Your options are No Security, WEP, WPA or WPA2 (WPA/WPA2 may be written as WPA-PSK, WPA2-PSK).

No Security shouldn’t even be considered. Not even for a second. If you’re a home user (or indeed a business user) and your wireless network has no security – you should switch to WPA or better now. Seriously, stop reading this article and make the change. If you don’t know how, then drop me an email (see the “about” page).

If you’re using WEP, then CONGRATULATIONS! You’ve officially earned one more point that people without security. However, you should also stop reading now and get your wireless network switched over to WPA or better. Anyone who tells you that WEP is “fine”, is probably not the kind of person you should associate with on a regular basis. At the very least, you should stop taking IT-related advice from them.

WPA and WPA2 are both decent wireless security solutions. If you’ve got a device that doesn’t support WPA2, then use WPA with AES – otherwise WPA2 is the system of choice. So, you’ve chosen WPA2 as your security mode! Have you passed the wireless security test yet?…

I’m afraid not. Unfortunately, the mode you choose (WPA2) is still only half the battle. Let’s imagine that you’re an evil genius, and you’ve created an evil fortress – which is protected by an impenetrable security bubble. The only gap in this bubble is protected by a door, which is guarded by a huge indestructible robot (named Colin). The only way in is to give the robot the correct password. This sounds pretty secure doesn’t it? However, what if the password to this evil fortress is set as “dog” or “sheep” or even “password”. It doesn’t matter that everything else is secure, the password has let you down. This is the biggest issue with wireless security. People set the security mode to something decent, and then use a terrible security key. It should be at least 20 characters and must contain numbers, upper case letters, lower case letters, and symbols (IhathN3v3rF41l3dTh33?!).

Naming your Network

Your SSID is essentially the name of your wireless network. It is a crime to leave this at the default setting, which will be something like  “BTHomeHub” or “NETGEAR”. Change it to something that doesn’t give any useful information away. Why not call your wireless network “Hamster” or “Boris”? It’s far better than calling it “34VictoryLane” or “TheJohnsons”.

MAC Address Filtering | Hidden SSID

So, you’ve secured your network with a good security mode and have got a strong wireless key in place. Now you see the options to hide your SSID (sometimes it says “disable SSID broadcast”) and to enable MAC Address Filtering. Annoyingly, these two options are practically pointless. Hiding your SSID is equivilant to making a file “hidden” in Windows. Anyone with half a brain would still be able to find and access the file, but you’ve made it slightly more difficult for you to access it. That is essentially what hiding your SSID does. It makes it more difficult for YOU to manage your wireless network (adding new devices etc), but doesn’t increase the overall security level (assuming you’ve followed the advice above and are running WPA2 with a strong key). It’s a waste of your time, so leave SSID visible. MAC Address Filtering is a pain. Every SINGLE time you want to add a new wireless device – you have to find it’s MAC address and specifically allow that MAC address to access the wireless. So, it might be a pain – but it must make your network SUPER secure, right? Of course it doesn’t. In a world of MAC address spoofing and wireless stumbling programs – MAC Address Filtering is almost totally useless. It’s a real pain to configure, and offers very little security benefit.

So, that is why I would choose option 5 to secure my wireless network, or option 3 if some devices don’t support WPA2. In fact, I’d probably choose the hidden 7th option for security – it’s called Ethernet, and it’ll blow your mind.

- James | October 2009

Note: To use WPA2 on XP, you must be running Windows XP SP3 (or SP2 with a KB update).

Since quite some time I already, I suffered from the problem that my wireless network at home got periodically stuck for several seconds. These problems usually started to appear after 20-30 minutes of using it. I don’t know whether this had to do with some handshake which happens from time to time (I’m using WPA2) or because the wireless USB adapter became more and more warm with time.

In addition, I could not use the network in all rooms at home…

A few weeks  ago I finally got a DKT-400 kit from DLink which they had at a local store (I decided not to wait any longer…). This consists of a DIR-635 base station (unfortunately they didn’t have any kit where the base station had an ADSL modem integrated) and a DWA-140 USB wireless adapter.

I don’t have much use for any bandwidth beyond the one of my ADSL line (which is 3 MBit/s), so buying 802.11n at first sight does not make much sense. However, I was hoping to benefit from features such as beam forming.

I plugged in the DWA-140 into a USB port of my laptop (ubuntu). The network device seems to appear as ‘ra0′, the kernel module which is loaded is rt2870sta, no need to run ndiswrapper.

I haven’t found out yet whether beam forming etc. is actually in use or not and it also seems that I can’t get beyond 54MBit/s (even when laptop is one meter away from the router). But everything seems to work fine so far, the wireless network connection works in places it did not before and I don’t experience the periodic network interruptions any more !

Now it would be interesting to check with which combination of old and new usb adapter and router the problem is present but on the other hand, why bother if the new combination works…

In my last week post I explained how to secure your wireless router, to reply to that post there were indeed some questions on how to choose a good Wi-Fi router, so here I am with this post dedicated to the top ten tips which will help you to buy a Wi-Fi router:

1) Should I buy a portable router?

If you need to take your Wi-Fi on the road, a new breed of router making its mark is the portable. It can travel with you because it uses a 3G signal from a cellular carrier for back to the Internet. This means it won’t be as fast as hooking it up to your cable modem, but what you lose in throughput you gain in movement. Because they’re not as fast, most of them only support 802.11g instead of the faster 802.11n, which also keeps the cost down.

2) Are dual-band routers better than single-band routers?

802.11n routers come in two flavors—single-band and dual-band. Single-band routers use the 2.4-GHz band, the same frequency used by G routers. Dual-band N routers support 2.4-GHz and 5-GHz bands. Even at 2.4 GHz, 802.11n routers are faster than G routers because they make better use of the frequency range in the band, and they’re better at bouncing signals off surrounding surfaces such as furniture and walls. Average throughput for single-band N routers is usually five times as fast as G routers. Some routers can achieve as much as 100 Mbps more by switching up. The answer is, therefore, an overwhelming yes: Dual-band band routers, though generally more expensive, outperform single-band (2.4-GHz) routers. Simultaneous dual-band routers are also more efficient in their throughput.

3) Do I need two, three, or four antennas, or hidden ones?

Because the speed in N routers depends heavily on signal bouncing and multiple transmitters and receiver antennas, the ideal antenna configuration is 4-by-4. This means the router has four antennas, each of which has a transmitter and a receiver. Generally, however, most high-end N routers come with a 3-by-2 or 3-by-3 antenna configuration. While antennas come in all shapes and sizes, most are visible, tubular antennas. The crucial point to consider is the number of transmitters and receivers built into the router. More is better.

4) Is 802.11n really that much better than 802.11g ?

Very true, 802.11g Wi-Fi router, which uses a technology that has been around for seven years, is still popular. (802.11 is the IEEE’s technical name for wireless networks; the brand name used for products is Wi-Fi which encompasses many different types of 802.11 technology.) Small businesses buy G routers because they are cheaper and perform adequately. Some 802.11g routers include specialized functions that are essential in business, such as powerful policy-based firewalls and threat-management features. In the home, however, speed is far more important, and there the 802.11n Wi-Fi router is king.

5) What is the choice of simultaneous dual-band router?

Some routers with the dual-band features transmit N signals simultaneously in 2.4 GHz and 5 GHz. By using both frequencies, the routers achieve longer range and better signal strength, and, as you might expect, they don’t require manual switching between bands. It’s like having two concurrent wireless networks, but that’s only useful if you have clients that use 5GHz, which are few are far between unless you purchase after-market 802.11a/n cards that use it. These routers are generally more expensive than regular dual-band routers, but are worth the money.

6) What about guest access??

An very recommended feature, Guest access is one of the most useful, and most underrated, features of a wireless router. Routers with guest access, can separate one Wi-Fi network into two. This allows friends to use your broadband access without knowing the password for your main network, so they can’t get to your files. You can achieve a similar configuration with routers that support virtual LANs (VLANs), but the steps in setting up multiple VLANs are more difficult.

7) Tightening access to your router with MAC access control

If you are still not convinced that your wireless network is secure after encrypting your Wi-Fi router with Wi-Fi Protected Access 2 (WPA2) —and you better be using WPA2—don’t worry because this step ensures that only your computers can access your Wi-Fi network. MAC filtering allows or prevents computers with certain MAC addresses to access your network. Like a fingerprint, no two network adapters can have the same MAC address, so snooping neighbors are out of luck when you enable that MAC filter. Your router will only accept handshakes from your computers and other Wi-Fi network devices, filtering everything else. Conversely, you can deny access to specific devices by enabling the deny option instead. MAC addresses can be spoofed, so this isn’t foolproof, but neither are doors;

What is Wi-Fi Protected Setup (WPS)?

Wi-Fi Protected Setup is a standard for securing your laptop with a Wi-Fi router. The technology simplifies the encryption process that users otherwise have to go through to secure a Wi-Fi network. Is the technology simpler to use than the schemes that preceded it? That depends on the laptop and operating system you use. Vista’s Windows Connect Now (WCN), for instance, is compliant with WPS. When WPS does work, it’s a simple process for setting up WPA2 without thinking about it. Getting the configuration to work on laptops that don’t support it (in both software and hardware), however, is quite an ordeal. Should you then look for this feature in a router? No. WPS isn’t essential, and, all too often, some part of your setup won’t be compatible. Still, many newer routers offer it, and, when it does work, it’s worthwhile.

9) Turning your router into a gaming powerhouse ?

A good tip if you are a core gamer, No one wants their Internet games to interfere with YouTube videos, Skype calls and Web surfing, or vice versa. The answer lies in the QoS (quality of service) feature in your router. A router with QoS can separate network packets and prioritize your network traffic, allowing your most important applications to get the largest bandwidth chunk. Luckily, games don’t take up a lot of bandwidth, but they can slow your network down when you are sharing the connection.

10) Is a router with a strong firewall important?

most routers include a firewall, and many use the SPI (stateful packet inspection) firewall, which is better than the older NAT firewall alone. A few routers provide a range of manual settings on a firewall. Are these routers better? Not really. Typically, manual firewall settings are designed for specific usage needs and not for enhancing the overall capability of a firewall. As long as a Wi-Fi router has a SPI firewall, that’s enough for most us.

So here few important things you may need to consider before choosing a good Wi-Fi router, but the market is already flooded with Wi-Fi routers, so finding a good one could be simpler than you might think, if you know what you’re looking for

Per i neofiti e i meno esperti può risultare difficile connettersi alla rete wireless dell’università Carlo Cattaneo con iPhone o iTouch, in realtà è molto semplice e una connessione a Internet può sempre tornare utile.

Prima di cominciare dovete aver attivato il servizio wi-fi per poter accedere con il vostro numero di matricola, entrate nel Self Service e cliccate sul link “Abilitazione rete wireless di ateneo”, se avete qualche difficoltà potete consultare la guida ufficiale.

Ora, iPhone alla mano, andate nelle impostazioni e poi alla voce Wi-Fi. Scegliete “Altro…” e inserite il nome per esteso della rete (WLiucBase) facendo attenzione alle maiuscole. Alla voce Sicurezza selezionate WPA2 Enterprise e completate con Nome utente e Password: il Nome Utente è formato dalla matricola con due o tre zeri davanti, in totale devono essere sette cifre; la password è la stessa del Self Service scritta tutta in maiuscolo.

Scegliete "Altro..." e poi inserite il nome della rete

Selezionate WPA2 Enterprise come protocollo di sicurezza della rete e completate i campi per l'identificazione

Pigiate Collega e il gioco è fatto!

Aspettate qualche minuto che si identifichi e sarete on-line!

Wanting to make changes to the wifi and DNS settings of the new routers that Cincinnati Bell (CB) is routinely installing now, I went about researching and using trial and error. The goal was to implement WPA2 wifi security and OpenDNS at a router level, so as to help clients be a bit more secure.

Overview of high speed modem/router

Near as I can tell, Cincinnati Bell is using its installed fiber in urban locations to offer a high speed internet, combined with television channels via internet, so-called IPTV. Westell has long been a provider of equipment to our local phone company and this device is meant to offer “Advanced, dual-core processing power with Ethernet, MoCA, or VDSL2 WAN interface for fiber-to-the-home and fiber-to-the-curb networks.” (link) These are hunka-chunka, white bricks and I’ll leave it to others to show us what’s actually inside them and perhaps explain their hugeness.

Getting access to advanced settings

As made clear on Westell’s web site their stuff is marketed to ISP’s, not thru retail / wholesale channels. As such, finding a manual is like pulling teeth. I must give credit to others’ posts on for helping me just figure out the interface and that you need to click on menus up top AND on the left.)

First: Set wifi to WPA2

Cincinnati Bell routinely sets up WEP, even though it’s known to be useless in the face of hacks. (To their credit, they used to always be setup as unsecured / open!) But, WEP lets customers use older equipment, especially gaming systems, so I suppose it cuts down on support calls.  Setup was pretty straightforward. Just point to the IP of the gateway (seems like CB or Westell has a tradition of making this 192.168.200.1) and input the default admin password of  (you guessed it) “admin” and “password”.    Using wireless button, wireless settings menu option (on left) set to WPA2, with PSK (Pre-Shared Key) and using AES encryption algorithm.

Westell conveniently locates all wifi setting in one spot.

On to OpenDNS

I won’t go into all the benefits of OpenDNS, but will just talk about configuring it on the UltraLine Series3 . Note that OpenDNS usually does a pretty good job of explaining this stuff at their site, but it didn’t have anything about this device when I last visited.

1.    OpenDNS
a.    OpenDNS setup with account (not described here)
b.    OpenDNS software (not described here)
c.    Westell Router settings:
i.    On top, My Network
ii.    On left, Network Connection
iii.    Click WAN VDSL, either the main link or the pencil
iv.    On left, click Settings
v.    Change DNS Server option
1.    From Obtain DNS Server Addresses Automatically
2.    To settings Use the following DNS server addresses
a.    207.68.222.222 and
b.    207.68.220.220
vi.    Test by resetting router (Advance menu and Reboot) and resetting computer’s network connection.
d.    Save Westell configuration
i.    At top, Advanced
ii.    Do you want to proceed? Yes
iii.    Configuration file option
iv.    At bottom, Save Configuration File
v.    Downloads a file called Wireless Broadband Configuration.conf. Put this someplace safe.

Here’s a pic of the Settings page:

As you know everything these days is wireless. But, rarely do we care how we connect, instead often just get online. A lot of wireless routers that are available offer very useful features that you probably didn’t know about. Chances are if you’ve never accessed your router’s settings, you are just running the defaults which means your neighbors or anyone who drives by could potentially access your data or perform a criminal act that points to you. However, there are times when it’s OK to take the shields down and let people leech off your network. For that reason, you may want to periodically check who is accessing it. In most routers, they have a status page to display connected computers.

To learn how to secure a wireless router there are three important things to know: SSID (Service set identification), MAC (Media Access Control) Address, and WEP(Wired Equivalent Privacy) / WPA (Wifi Protected Access), don’t worry I will not bug on this tech terms. Let me explain it in 5 simple steps..

Step 1) Access Your Wireless Router’s Configuration: log in to your wireless router administrative control panel. This is usually done by opening a browser and going to http://192.168.1.1 (for most Linksys routers) or http://192.168.0.1 (for most D-Link routers). Check the user manual or quick-start guide that came with your router if either of those do not work. (Once there change the Admin password. Most wireless routers ship with a blank password. It is essential that this is changed else a potential hacker could get into your router configuration and lock you out of your own hardware. Many Linksys wireless routers, use the word “admin” as the default password. Either way, you should change this to something only you know and never give this out to anyone.)

Step 2) Change the SSID name: The SSID is your Network Name. That is, it’s how other computers know what to look for when connecting to your wireless network. Linksys wireless routers use “linksys” as their default name. D-Link uses, get ready, “dlink” as their default. Changing this to a unique name, but not something related to a personal password or anything personally identifiable. My tip i have seen wireless networks named things like, “computer-virus” and they like to scare people off.

Step 3) Disable/Turn-off SSID broadcast: By default, almost all wireless routers broadcast the SSID name you setup above. This means that anyone within range of your router (neighbors, random strangers driving by, criminals, etc.) can find out the name of your network and thus try to connect to it. Make it a bit harder by disabling this broadcast feature. Combined with the unique name above, these two steps will certainly ward off the casual wi-fi poachers.

Step 4) Enable WPA or WPA2 encryption: This is switched off by default. There is a choice of WEP, WPA and WPA2. Currently the latest encryption method is WPA2 so use this where possible. Both your wireless router and wireless PC adaptor must be configured to use the same encryption, it is the most effective and most important part of securing your wi-fi network as well as the information you send across it.

The benefits here are 2-fold:

1) It makes access to your wireless network password-protected.
2) It encrypts all the data you send while browsing the internet (credit card numbers, email passwords, etc.).

You’ll want to use WPA2 if your wireless router gives you that option and your computer supports it. If it does not, go with WPA. Do not even bother with WEP encryption, as this has been proven to be hackable in minutes and really only offers a false sense of security. You will be required to enter a password, or “shared key,” when setting this up. For this, you’ll want to pick a long string of both capital and lowercase letters as well as numbers. Stick with a string of ten characters or more to be safe, although some security experts suggest going with something over twenty characters. Keep in mind that you might have to give this out to trusted visitors and weekend guests, so don’t make this the same as any other password you use.

Step 5) (Optional) MAC address filtering: As said this is more optional which works well on most branded routers. All hardware has a unique MAC address associated with it, including your PC adaptor card. This MAC address can be added to access control list in the wireless router. Only devices added to the router’s access control list are allowed to be connected. Why did I make it optional simple with MAC address filtering, you can tell your wireless network to only allow access from certain computers by inputting their MAC address into the router settings. However, from a hacker’s point of view, what this does is give them a list of MAC addresses that can access the network and gives them one more piece of information to help them snoop around on your network. Also other good tip with this is to Disable web access to the Control Panel. The fact is, once you set up all this stuff you rarely have to access the Control Panel anyway, so this just makes it all the more secure.

Final get some help out of your router manufacturer like update your router latest router firmware from the manufacturer’s website and installed in the router. This will hopefully fix any bugs that have been found for your router and also help with any known security flaws in the router itself., finally backup all router settings. If you reset the router back to its factory default settings even by mistake, your configuration can later be easily restored back with this.

Tip: The major wireless router manufacturers are Linksys/Cisco, D-Link, and Netgear. You will see these brands dominate in most retail stores. Look for sales because these manufacturers often discount models from week to week and you can sometimes find a good deal for substantially less cost. Online, you will also see brands, such as Asus, Belkin, Buffalo Technology, Beetel and SMC, all worthy of consideration

To even make it complete, I found the right video where GetConnected hosts Mike Agerbo and AJ Vickery discuss wireless router security and give some simple tips on how to keep yourself and your home computers protected from an unexpected attack

Happy WIRELESS Surfing..

A home wi-fi brings many benefits – everyone can access the Internet simultaneously, you can use a notebook anywhere , freeing you from physical constraints, you don’t have to use cabling throughout your house no holes in the wall either! – but a wi-fi network also brings it’s own set of security problems. Recommendations range from situating the access point in a central position, through activating an encryption scheme for units on your network to closing down your network when you’re not using it. The recommendations outline the steps which should be taken to improveyour wi-fi network’s security. As an example, wi-fi signals radiate from the router or access point, so locating the access device as centrally as possible achieves two objectives. Firstly it ensures that the wi-fi signal will reach all areas in your house, and secondly it will minimize the amount of signal leakage beyond your house. click for more info

Another reason why security and wireless do not go together.   Read this paper, it can be cracked in under a minute.

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf 

If you are using WPA, and you care about security, STOP !      Use wpa2

If you have to run wireless, it should be outside of your network, on a DSL line.   Users can vpn back in.

A un grupo de científicos japoneses les ha llevado 60 segundos romper el cifrado WPA utilizado en los routers inalámbricos. El récord anterior era de 15 minutos. Toshihiro Ohigashi de la Hiroshima University y Masakatu Morii de la Kobe University revelarán exactamente cómo lo han hecho en un conferencia prevista para el próximo 25 de septiembre en Hiroshima.

Aunque no han conseguido el control total de la conexión WiFi, sí que han podido leer y falsificar paquetes de datos. No obstante, el hecho de que el cifrado WPA se haya roto sugiere que cualquiera preocupado por la seguridad debería empezar a pensar en migrar hacia el cifrado WPA2 con AES (Advanced Encryption Standard).

Por el momento se confirma que “cualquier implementación WPA es susceptible de ser vulnerable, y en un tiempo bastante más reducido”, afirma el investigador David García, de Hispasec.

Os cientistas japoneses Toshihiro Ohigashi, da Universidade de Hiroshima e Masakaty Morii, da universidade de Kobe, desenvolveram uma forma de quebrar a criptografia do tipo WPA (Wi-FI Protected Access), muito usada na proteção de roteadores de redes sem fio para manter a segurança.

Em questão de minutos, os pesquisadores conseguiram a façanha, apresentada no evento Joint Workshop on Information Security, sediado em Taiwan, há duas semanas. Mais detalhes serão apresentados em conferência no Japão, que deve acontecer no dia 24 de setembro.

Quem faz o ataque consegue ler tráfego criptografado em WPA, que circula em uma rede. Especialistas em segurança já tinham alertado para essa possibilidade em novembro do ano passado, mas os japoneses levaram a teoria à prática e mostraram que a quebra de segurança pode ocorrer em minutos.

Os sistemas de criptografia em roteadores sem fio têm um longo histórico de problemas. O sistema WEP (Wired Equivalent Privacy), lançado em 1997, foi quebrado poucos anos depois e hoje é considerado completamente inseguro.

Já existe, no entanto, alternativa para o WPA. É o WPA 2, que existe desde março de 2006. “Apesar da alternativa mais segura, ainda existe uma grande base instalada pelo mundo que não migrou para o novo sistema”, afirma o diretor de marketing da organização Wi-Fi Alliance, Kelly Davis-Felner. A Wi-Fi Alliance é a entidade responsável por estabelecer padrões de redes sem fio para a indústria.

Para o CEO da empresa de segurançca Errata Security, Robert Graham, a nova prática de quebra de segurança não chega a ser um motivo de desespero, mas é preocupante. “Os softwares de segurança existentes no mercado são capazes de barrar esse ataque se o roteador não o fizer, mas a quebra da segurança é o suficiente para os profissionais de tecnologia dispensarem o sistema WPA”, diz.

A alteração do tipo de segurança no roteador é simples e pode ser configurado por qualquer pessoa que tenha acesso administrativo à interface do equipamento.

Fonte:  COMPUTERWORLD

.via

El ataque funciona sólo en los antiguos sistemas WPA que utilizan el algoritmo TKIP. Los investigadores recomiendan sustituir TKIP por AES que es un sistema más robusto.

Científicos japoneses han desarrollado un método para romper el sistema WPA de cifrado de redes inalámbricas en aproximadamente un minuto.

El ataque permite leer el tráfico encriptado que se envía entre los ordenadores y cierto tipo de routers que utilizan el sistema de cifrado WPA (Wi-Fi Protected Access). El método ha sido desarrollado por Toshihiro Ohigashi de la Universidad de Hiroshima y Masakatu Morii de la Universidad de Kobe, quienes planean ofrecer más detalles en una conferencia técnica organizada para 25 de septiembre en Hiroshima.

El pasado noviembre, investigadores de seguridad mostraron por primera vez cómo se podía romper WPA, pero los japoneses han llevado el ataque a un nuevo nivel, según con Dragos Ruiu, organizador de la conferencia de seguridad PacSec donde se demostró el primer ataque WPA. “Tomaron este tema, que fue bastante teórico y lo han hecho mucho más práctico”, dijo.

Los investigadores japoneses explican su ataque en un documento presentado en el seminario sobre seguridad de la información, celebrado en Kaohsiung, Taiwán, a principios de este mes.

El anterior ataque, fue desarrollado por los investigadores Martin Beck y Erik Tews, que trabajaron en un rango menor de dispositivos WAP y les llevó de 12 a 15 minutos. Ambos ataques sólo funcionan en los sistemas de WPA que utilizan el algoritmo TKIP, pero no funcionan en los nuevos dispositivos WPA 2, ni en los sistemas WPA que utilizan el algoritmo AES, que es más fuerte.

Los sistemas de cifrado utilizados por los routers inalámbricos tienen una larga historia de problemas de seguridad. El Wired Equivalent Privacy (WEP), introducido en 1997, estaba roto sólo unos pocos años más tarde y ahora es considerado como completamente inseguro por los expertos en seguridad.

WPA con TKIP “fue desarrollado como una especie de método de cifrado provisional pero la seguridad de las redes Wi-Fi ha evolucionado durante hace varios años”, dijo Kelly Davis-Felner, director de marketing de la Wi-Fi Alliance, el grupo que certifica los dispositivos Wi-Fi. La gente ahora debe utilizar WPA 2, dijo.

Los productos certificados Wi-Fi tienen que soportar WPA 2 desde marzo de 2006. “Ciertamente, hay una buena cantidad de WPA con TKIP en la base instalada a día de hoy, pero no ha habido una alternativa mejor durante mucho tiempo”, dijo Davis-Felner.

Las redes Wi-Fi de las empresas suelen incluir software de seguridad que detectan el tipo de ataque “hombre en medio” descrito por los investigadores japoneses, dijo Robert Graham, CEO de Errata Security. Pero el desarrollo del primer ataque realmente práctico contra WPA debería dar a la gente una razón para eliminar WPA con TKIP, dijo. “No es tan malo como WEP, pero también es ciertamente malo”.

Los usuarios pueden cambiar el cifrado TKIP por AES mediante la interfaz administrativa de muchos routers WPA.

fuente: csospain.es

Zoals ik al eerder aangaf (http://dingo99.wordpress.com/2009/08/24/adsl-modemrouterwireless/) wilde ik mijn accesspoint vervangen omdat deze alleen WPA kent en WPA2 toch wel wat veiliger is. Dit werd deze week al bevestigd op Webwereld met dit bericht. Ik raad dan ook iedereen aan om zijn draadloze netwerk te updaten naar tenminste WPA2 met AES versleuteling.

Van het weekend heb ik een groot deel van het weekend zonder internet gezeten. Eerst omdat ik gewoon niet thuis was en toen ik het wel was, mijn ADSL-modem uit was en met geen mogelijk meer te overtuigen was dat hij weer aan moest. Nu komt het altijd slecht uit als er iets kapot gaat, maar nu in het bijzonder omdat ik van plan ben binnenkort over te stappen op een glasvezelaansluiting. Plus dat in het weekend na 18:00 zaterdag de meeste winkels toch echt dicht zijn. Na me wat georienteerd te hebben op pricewatch van tweakers.net kwam ik al snel uit bij een modem van Sitecom. Dit qua prijsstelling maar ook vanuit het gegeven dat ze in de meeste winkels wel op voorraad zijn.

Vervolgens kom je op het punt wat koop je? Alleen een modem? Dan moet ik er een nieuwe netwerkhub/switch erbij kopen met weer een stekker erbij want mijn huidige modem heeft 4 netwerkaansluitingen. Aan de andere kant, als ik op glasvezel over ga doe ik niets meer met het modemdeel. Maar voor twee tientjes meer heb je en 4 netwerkaansluitingen en Wifi. Dat laatste wil ik al wat langer omdat mijn huidige accesspoint alleen WPA kent en geen WPA2 wat toch weer iets beter is. Plus dat ik dan maar één stekker nodig heb voor mijn modem, mijn hub en mijn accesspunt.

Het is uiteindelijk een Sitecom WL-606 geworden. Erg gemakkelijke installatie, vrijwel alle providers zijn voorgeprogrammeerd. Het  is een kwestie van even aanklikken en klaar is kees. Enige minpuntje is dat het wireless accesspointdeel standaard aanstaat en de versleuteling standaard uit. Verder vind ik het niet slim, maar goed dat geldt voor bijna alle accesspoints, dat ze standaard hun eigen naam in de SSID zetten. Als iemand een hack heeft voor een bepaald type accesspoint hoeven ze alleen maar te kijken welke er in hun buurt zitten. 

Wel verstandig is dat UPnP standaard uitstaat omdat daar nogal wat hacks voor zijn. En echt nodig is het ook niet omdat je via de webbrowser alles al kunt instellen. Zaken als instellen van de firewall en zelfs een DMZ zijn allemaal aanwezig. Kortom, ik ben er wel tevreden over. Volgens de definitie van Wikipedia is overigens de DMZ van de Sitecom niet een echte DMZ. Maar het aantal particulieren dat meer dan één server aan het internet wil hangen is redelijk beperkt dus de functionaliteit is, wat mij betreft, categorie goed genoeg.

A wireless home network brings many benefits – everyone can surf the Internet simultaneously, you can use a notebook anywhere putting the access point in a central position, through setting up an encryption scheme for devices on your network to shutting down your network when you’re not using it. The recommendations outline the steps which should be taken to improveyour wi-fi network’s security. As an example, wireless signals radiate from the router or access point, so positioning the access device as centrally as possible achieves two objectives. Firstly it ensures that the wireless signal will spread throughout in your house, and secondly it will decrease the amount of signal leakage beyond your home. click for more info

Estou com esse roteador agora no trabalho e já posso postar minhas impressões sobre ele em mais um review. O modelo é bem pequeno e aparenta ser bem robusto. Achei a antena um pouco pequena, de forma que o alcance não é muito grande, bem menor do que o fabricante alega. Ele suporta velocidades de até 108Mbps (802.11 g/b), apesar de só passar dos 54Mbps com equipamentos compatíveis da D-Link.

A interface de configuração é um pouco poluída visualmente, mas é rica em opções. Esse roteador conta com diversos ajustes de desempenho possíveis e tem bons recursos. É possível redirecionar portas para servidores na rede interna, como em todo roteador. O interessante é que é possível estipular horários para essa abertura de portas, garantindo um maior controle do acesso. Ele também conta com sistema de controle parental, para bloquear conteúdos impróprios. Os recursos de firewall entre outros apetrechos de segurança também são fáceis de configurar. Basta acessar pelo endereço http://192.168.0.1 para obter a interface do roteador. Ao contrário de outro modelos, ele exige poucas interrupções na conexão para configurar tudo e reinicia bem rápido.

A conexão do wireless demora mais do que eu gostaria para autenticar o usuário, sendo que eventualmente é preciso tentar uma segunda vez para conectar na rede sem fio. Outra crítica é quanto à configuração rápida, que só oferece a encriptação WEP. Para usar WPA2, é preciso configurar separadamente essa forma de segurança no menu LAN. No geral, achei bem fácil de configurar, apesar de estar tudo em inglês (para mim não é problema, mas pode gerar dúvidas). Foi fácil colocar tudo para funcionar sem encrencas, montando rapidamente uma rede para o escritório.

Apesar disso tudo, existem diversas pessoas que declaram que esse roteador deixa a conexão cair constantemente, o que é um problema sério. Pessoalmente, não sou muito chegado na D-Link. Ainda não ocorreram problemas por aqui, mas essas declarações me garantem algumas ressalvas quanto ao produto. É fácil ver na internet pessoas reclamando sobre quedas de conexão e reínicios repentinos desse roteador.

Apesar de ter bons recursos, estabilidade é fundamental. Com isso, não vejo como poderia recomendar esse modelo nesse review. Minha opinião final é: fiquem longe desse roteador. Existem modelos muito melhores pelo mesmo preço, como o Pacific PN-WR542G, que apesar de não ter tantos recursos, é muito estável e não dá problemas.

Τα περισσότερα modem/router πλέον υποστηρίζουν και την δυνατότητα ασύρματης δικτύωσης.Έτσι λοιπόν αν θέλουμε ασύρματο δίκτυο στο σπίτι μας θα πρέπει να λάβουμε υπόψιν μας ότι το θέμα της ασφάλειας είναι μία διαφορετική υπόθεση από ότι στα ενσύρματα δίκτυα.Τα πράγματα που πρέπει να προσεχθούν λοιπόν εφόσον θέλουμε το ασύρματο δίκτυο μας να είναι ασφαλές είναι τα ακόλουθα:

1)Αλλαγή του ονόματος χρήστη και του κωδικού πρόσβασης στο router

Όλα τα modem/routers έχουνε ένα προκαθορισμένο λογαριασμό (username και password) για να μπορεί ο χρήστης να συνδέεται σε αυτά συνήθως μέσω του web interface.Πολλοί χρήστες όμως δεν αλλάζουν ποτέ αυτό το κωδικό.Επειδή αυτοί οι λογαριασμοί προέρχονται από τις εταιρείες που κατασκευάζουν τα modem/routers είναι λοιπόν ήδη γνωστοί σε πολύ κόσμο ή μπορούν πολύ εύκολα να ανακαλυφθούν μέσω του Google με μία απλή αναζήτηση.Αν λοιπόν κάποιος κακόβουλος χρήστης καταφέρει να συνδεθεί στο δίκτυο μας μπορεί πολύ εύκολα μέσω του web interface να κάνει ότι θέλει στο δίκτυο μας μέχρι και να μας κλέψει το Adsl account μας.

2)Επιλογή της κωδικοποίησης που θα χρησιμοποιηθεί

Για να επικοινωνήσει ένας υπολογιστής με το router ασυρματικά θα πρέπει να στείλει και να λάβει σήματα.Αν δεν έχει επιλεχθεί κάποια κωδικοποιήση τότε κάποιος εξωτερικός χρήστης μπορεί να δει την κίνηση του δίκτυου και να ανακαλύψει λογαριασμούς και κωδικούς που πληκτρολογούμε σε ιστοσελίδες.Πλέον όλα τα modem/router υποστηρίζουν δύο τρόπους κωδικοποίησης.Την WEP και την WPA2.Η WEP πλέον μπορεί να σπαστεί σε 30 δευτερόλεπτα ασχέτως το πόσο πολύπλοκη θα είναι η φράση που θα χρησιμοποιηθεί.Η χρήση της WPA2 λοιπόν είναι επιβεβλημένη καθώς και είναι και η δυνατότερη μέχρι σήμερα.Ο αλγόριθμος που συνίσταται να επιλεχθεί είναι το  TKIP+AES.Με μία δυνατή φράση κλειδί που θα περιέχει γράμματα,αριθμούς καθώς και σύμβολα όπως @,$,%,& κτλ θα είναι πολύ δύσκολο για κάποιον να σπάσει το δίκτυο μας και να συνδεθεί.Η καλύτερη βεβαίως πολιτική ασφαλείας είναι να αλλάζει αυτήν η φράση κλειδί ανά 1 μήνα τουλάχιστον.

3)Αλλαγή του SSID

Όλα τα ασύρματα modem/router έχουν και ένα SSID το οποίο και εκπέμπουν.Το  SSID ουσιαστικά δεν είναι τίποτα παραπάνω από το όνομα που έχει το δίκτυο.Με τις προκαθορισμένες ρυθμίσεις τα router συνήθως για SSID έχουν το όνομα του router.Αλλάζοντας το SSID λοιπόν αποτρέπουμε το να γνωρίζει κάποιος εξωτερικός χρήστης τι μοντέλο router έχουμε και επίσης υπάρχει σε πολλά routers και μία επιλογή για απόκρυψη του SSID κατά την μετάδοση.Έτσι προσθέτουμε ακόμα ένα επίπεδο προστασίας στο δίκτυο μας αφού κάποιος για να συνδεθεί θα πρέπει εκτός από την φράση κλειδί να γνωρίζει και το όνομα του δικτύου μας.

4)Ενεργοποίηση του MAC Address Filtering

Η MAC address όπως όλοι γνωρίζουμε είναι η φυσική διεύθυνση μίας κάρτας δικτύου και προέρχεται από τον κατασκευαστή της.Για να δούμε ποιά είναι η MAC address της κάρτας δικτύου μας το μόνο που πρέπει να κάνουμε είναι να ανοίξουμε την διαχείριση εντολών και να πληκτρολογήσουμε ipconfig/all.Έτσι αν το ασύρματο router μας υποστηρίζει MAC address filtering τότε το μόνο που μένει να κάνουμε είναι να την κάνουμε προσθήκη στο αντίστοιχο πεδίο του MAC address στο router.Με αυτόν τον τρόπο το router θα δίνει IP διεθύνσεις μόνο στις καταχωρημένες του MAC addresses που εμείς θα έχουμε επιλέξει και τις υπόλοιπες δεν θα τις δέχεται.

5)Χρησιμοποίηση του Firewall router

Σχεδόν όλα τα router έχουν ενσωματωμένο και κάποιο firewall και κάποιες άλλες λειτουργίες για την αποτροπή των ping προς το router.Αν το firewall του router είναι ενεργοποιημένο πολλά πακέτα προς αυτό από εξωτερικούς χρήστες δεν θα φτάνουν.

Όλα τα παραπάνω είναι τα βασικά που θα πρέπει να γνωρίζει κάποιος για να ασφαλίσει το οικιακό του ασύρματο δίκτυο.Ασφαλώς και δεν σημαίνει πως και μετά από αυτές τις συμβουλές θα είναι αδύνατον για κάποιον να μπει στο δίκτυο μας αν γνωρίζει τι πρέπει να κάνει.Αλλα σίγουρα θα έχει μεγάλες πιθανότητες να μην παραβιαστεί ποτέ το δίκτυο του καθώς θα απαιτεί πολλαπλάσιο χρόνο για να εισχωρήσει σε αυτό με όλα αυτά τα επίπεδα προστασίας.