Pragmatic Security Tips To Protect Routers And Networks In 2012 And Beyond


Here are tips on how to secure your router and network in 2012 and beyond.  These tips are pragmatic, so you will most likely be able to apply them to most routers and network setups.  Unfortunately, even though the tips are pragmatic in their details, some of them won’t be of any use to you if you have an older router or your network setup is too unique and special.  Let us get on with the tips.

In no particular order, the tips to secure your routers and networks are:

  • Change the router’s default password for the administrator username/login.  Make sure the new password is a lot harder to guess than the default password.
  • Change the router’s default passphrase for your wireless network.  Make sure the passphrase is strong enough; it’s best to use a string of at least 50 characters.  Also, don’t forget to include capital letters, numbers, and special characters (i.e., symbols) in that 50-plus-character passphrase.
  • Make sure to disable the UPnP feature within your router.  I’ve heard hackers can exploit this feature.  Better safe than sorry: I guess you should turn this feature off if you don’t have the need for it.
  • Make sure your router’s firewall is turned on and is filtering inbound and outbound traffic.
  • Make sure your router has MAC address filtering turned on and allows only the MAC addresses of machines on the list to access the network.  Of course, you have to know that hackers can still spoof MAC addresses easily, so this is not 100% hacker proof.
  • Disable the DHCP feature, or limit the DHCP IP address range to the number of physical machines you have and want to connect to your network using the DHCP protocol (DHCP IP addresses).  This way, if an undesirable person wants to use your network, he or she might not be able to get a DHCP IP address lease from the DHCP server running on your router, and therefore cannot use a DHCP IP address to access your network.  Keep in mind that he or she can just assign himself or herself a local static IP address and connect to your network anyway.  Nonetheless, this method might prevent script kiddies from acquiring a DHCP IP address using hacker tools.  Still, there is no guarantee that limiting DHCP will prevent hackers from just running another script which automatically claims a static local IP address.  If you turn off DHCP, you might prevent hackers from exploiting DHCP weaknesses/exploits, and so you can disregard DHCP exploits for your router.  Turning off DHCP also encourages you to enter a local static IP address in each computer’s network configuration, which might keep a specific computer from automatically connecting to your router; in a way this method helps prevent a specific computer of yours from automatically connecting to a fake access point, because hackers can use a special router which emits an even more powerful wireless signal, overwhelming your wireless router’s signal and encouraging a computer to connect to the wrong/rogue access point which the hackers control (i.e., a man-in-the-middle attack).
  • Disable the Wi-Fi Protected Setup feature, because it is weak against hackers’ brute force attacks, which exploit a weak PIN authentication process (i.e., the feature reveals too much information about the PIN authentication algorithm while authenticating a device).  The router makers might patch this feature in the near future, but better safe than sorry: it’s best to disable it until you really need to use it and it has been patched.
  • Enable WLAN Partition if you are paranoid about your network security.  This feature prevents wireless devices from communicating with each other.  Why is this feature useful in securing your network?  Imagine a hacker inserts himself or herself into your network with a wireless device; he or she might not be able to hack another wireless device of yours if the network disallows communication between wireless devices.  Unfortunately, this feature might prevent you from sharing files and data between your wireless devices.  One example: iTunes Home Sharing might not work on wireless Mac laptops.  Therefore, if you need your wireless devices to talk to each other, you should not enable this feature.  Otherwise, it’s an awesome feature for enhancing your network security.  Let’s not forget, if an elite hacker has hacked into your network, he or she might also have control of your router, so in the end this feature might be useless if a hacker can change the router’s settings at will.
  • Turn on several of the logging features within your router.  Logs will help you trace back strange network traffic, requests and errors.  Perhaps logs can even tell you that you’re getting hacked.  Of course, elite hackers might have ways to avoid triggering your router to log their hacking activities.  Therefore, this feature is just one more layer/tool for you to protect yourself against hackers.  This feature might slow down your router though, because it’s logging network traffic.  So, if your router isn’t equipped to log heavy network traffic, you should turn this feature off.  It all depends on the network situation and the capability of your router really.
  • Enable Access Control.  This feature is useful only if your router allows you to add the two types of rules that matter most, and these two types of rules should be in place at the same time, so that one rule reinforces the other as a security measure.  The first rule should disallow all other machines from connecting to your network.  The second rule should allow only the machines with the IP addresses listed in Access Control’s IP table to connect to your router/network.  Of course, you should note that this feature will enable a default blocking feature which might prevent your machines from accessing dangerous websites and so on, so some websites you might want to access will not be accessible.  Also, your router may allow you to add additional websites to be blocked, consequently enhancing the security measure of the Access Control feature.  Some routers even go as far as allowing the Access Control feature to block certain network ports, but I don’t think this is necessary.  After all, your router’s firewall should be blocking all incoming requests and ports.
  • If your router isn’t connecting to your ISP through the DHCP protocol, then you should add the trusted, more secure DNS IP addresses of third-party/trusted/secure DNS providers.  One good example would be the DNS IP addresses of the Google Public DNS service.  Another good example would be the DNS IP addresses of OpenDNS.
  • Update your router’s firmware to the latest version.  This way you can prevent hackers from using known firmware exploits that specifically target your router’s firmware.
  • Reboot your router sometimes, or add a scheduled reboot for your router if it has this capability.  This way you can actually clear up the router cache and might prevent your router from storing what hackers have uploaded to it.  I don’t think that it’s yet possible for hackers to permanently make changes to your router in regard to what the router can store and so on.  Therefore, when you reboot your router, it clears up the cache in its memory and so everything within your router should work as it did before.  Rebooting a router can be done in two ways.  One is a soft reboot, which requires you to log into your router’s administration panel and reboot it from there.  The other way is just to pull the electrical adapter which powers your router out of the electrical outlet, forcing the router to reboot and reconnect to your ISP.
  • You might also want to disable the SSID broadcast.  When you disable this feature, your machines might not be able to connect to your router using the DHCP protocol.  Nonetheless, as long as you know how to connect to your router manually using static local IP addresses, you should be fine.  Of course, you have to remember your router’s SSID name and enter it on your machines correctly before your machines can talk to your router.
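The second tip above asks for a 50-plus-character wireless passphrase mixing capital letters, numbers and symbols. The following Python is an added example, not from the original post: it generates such a passphrase with the OS random source, checks a candidate against that policy, and reports the entropy it carries. It assumes the WPA2-PSK rule that a passphrase is 8 to 63 printable ASCII characters, which is a constraint of the standard rather than something the post states.

```python
import math
import secrets
import string

# WPA2-PSK passphrase limits (assumed from the standard, not from the post):
# 8 to 63 printable ASCII characters. The post asks for at least 50.
MIN_LEN = 50
MAX_LEN = 63
# Letters, digits and punctuation: 94 printable characters (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(passphrase: str) -> bool:
    """True if the passphrase satisfies the post's advice and the WPA2 limits."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    # Every character must be printable ASCII (space through tilde).
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return False
    has_upper = any(c.isupper() for c in passphrase)
    has_digit = any(c.isdigit() for c in passphrase)
    has_symbol = any(c in string.punctuation for c in passphrase)
    return has_upper and has_digit and has_symbol


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length: int = MAX_LEN) -> str:
    """Draw characters from the CSPRNG until the result meets the policy.

    Rejection sampling keeps the distribution uniform over policy-conforming
    strings; for 50+ characters almost every draw already qualifies.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    pp = generate_passphrase()
    print(pp)
    print(f"{len(pp)} characters, about {entropy_bits(len(pp)):.0f} bits of entropy")
```

A 63-character passphrase over this alphabet carries about 413 bits, far beyond what any offline guessing of the WPA2 handshake could cover.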

Wi-Fi Protected Setup PIN Method Has Flaw, Allowing Hackers To Deploy Brute Force Attack For Valid PIN Number In Less Time Than Before

According to threatpost’s article “WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs,” a router with Wi-Fi Protected Setup enabled can allow hackers to take less time to figure out the PIN number and gain access to your wireless network.  The article suggests that Wi-Fi Protected Setup reveals too much information when it tries to authenticate a device, consequently allowing hackers to take less time to acquire the valid Wi-Fi Protected Setup PIN number through a brute force hacking method.

I’ve always disabled my Wi-Fi Protected Setup, because it seems to me as if it’s just another door for hackers to break in through.  After reading the piece from threatpost, I’m glad that I’d been careful all along.  Most modern routers provide the Wi-Fi Protected Setup feature so users don’t have to actually enter a long WPA2 passphrase to connect to a wireless network, because Wi-Fi Protected Setup requires only a PIN number (e.g., 1234567…).

I’m no expert on Wi-Fi Protected Setup, because I had avoided using it from the very beginning.  It seems to me that the Wi-Fi Protected Setup feature has several methods associated with it.  One involves pushing the Wi-Fi Protected Setup button on the router and then on the client within a short time frame (i.e., less than 2 minutes or so).  After the user pushes the Wi-Fi Protected Setup buttons, the user can just stand idly by and wait for the client and the router to communicate with each other automatically, allowing the client to connect to the router; thus the client is able to surf the Internet using the wireless network which the router provides.  The second method requires PIN number registration, but this method has two sub-methods of its own.  The first sub-method requires less work from users, because they can just hand their devices’ Wi-Fi Protected Setup PIN numbers (i.e., printed on the back of their devices or generated by their devices’ software) to the administrators.  The administrators then have to enter the users’ Wi-Fi Protected Setup PIN numbers into the router or access point’s administration control panel (e.g., https://192.168.1.1) to register the users’ Wi-Fi Protected Setup PIN numbers with the access point, consequently allowing the users’ devices to connect to the particular wireless network.  The second sub-method requires the users to enter the Wi-Fi Protected Setup PIN number of the router or access point into their devices’ software, consequently allowing the client devices and the router or access point to communicate with each other (i.e., granting wireless network access).  The piece from threatpost emphasizes the weakness in the second sub-method of the Wi-Fi Protected Setup PIN number method, because the hackers only need the Wi-Fi Protected Setup PIN number and do not have to be within a certain distance of the access point or the router.

The third method of the Wi-Fi Protected Setup feature involves Near Field Communication.  Wikipedia’s article “Near field communication” explains rather well how Near Field Communication works.

threatpost suggests that most modern routers tend to enable the Wi-Fi Protected Setup feature by default.  If you are aware of the flaw in the Wi-Fi Protected Setup PIN number method, then you might want to disable the Wi-Fi Protected Setup feature so that hackers won’t be able to use a brute force attack to acquire the Wi-Fi Protected Setup PIN number of the specific access point or router.  threatpost suggests that many well-known brands are all affected by the Wi-Fi Protected Setup flaw; as long as any router has the Wi-Fi Protected Setup feature with the PIN method enabled, hackers who are aware of the Wi-Fi Protected Setup PIN number flaw can brute force the router’s Wi-Fi Protected Setup PIN number in less time than ever before.
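To put a number on “less time than ever before,” here is the attacker-work calculation behind the flaw, added here from the public analysis of the WPS PIN method rather than from the threatpost article.  It rests on two facts about the WPS external-registrar PIN exchange: the eighth digit of the PIN is a checksum of the first seven, and the access point’s replies reveal whether the first four digits and the last three digits are correct separately, rather than only whether the whole PIN is correct.

$$
N_{\text{naive}} = 10^{8}, \qquad
N_{\text{checksum}} = 10^{7}, \qquad
N_{\text{split}} = 10^{4} + 10^{3} = 11\,000
$$

$$
\frac{N_{\text{naive}}}{N_{\text{split}}} = \frac{10^{8}}{1.1 \times 10^{4}} \approx 9\,000
$$

So the worst case drops from one hundred million guesses to eleven thousand, and on average only about half of those are needed; that is why a router’s rate limiting or lockout on failed PIN attempts is the only thing standing between the feature and the network, and why the tip above is simply to disable the PIN method.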

Sources:  https://threatpost.com/en_us/blogs/wifi-protected-setup-flaw-can-lead-compromise-router-pins-122711
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://www.wi-fi.org/knowledge_center_overview.php?docid=4614

Too Good To Be True? Republic Wireless $19 Unlimited Wireless Plan Is Now Truly Unlimited.

Back in early November, I mentioned Republic Wireless, which offered a $19 unlimited wireless plan per month, but I also pointed out how Republic Wireless’s $19 unlimited plan could only truly be unlimited if users hogged their Wi-Fi networks, so that they would not be throttled when their limited minutes, texts, and data ran out.  Well, Republic Wireless has just turned up the heat by offering a truly unlimited $19 wireless plan per month.  I feel I’m in love again.

According to Gizmodo’s article “That Unbelievable $19 Unlimited Data/Voice/Text Plan Is Truly Unlimited,” Republic Wireless is now allowing customers to use minutes, texts, and data as they see fit without having to worry about getting throttled, and the plan is still only $19 per month.  I do somewhat worry: what if Sprint decides it doesn’t like this idea some months down the road?  After all, Republic Wireless is piggybacking on Sprint’s wireless network.

Oh, never mind, don’t worry too much, because if you are worrying about Sprint, then you will never know how good it might feel to have unlimited minutes, texts, and data for your smartphones.  Did I use smartphone in its plural form (i.e., smartphones)?  See, even if you get two or three smartphones with Republic Wireless, it seems you are still saving so much money that you might just have to give those customers of AT&T, Verizon and the other big wireless carriers your arrogant smirks, because you can.  So, don’t hold back, you smirky, you.

Update:  I forgot to tell you that you don’t have to sign a contract to use Republic Wireless $19 unlimited wireless plan!  Give me five!

Source:  http://gizmodo.com/5870753/that-unbelievable-19-unlimited-datavoicetext-plan-is-truly-unlimited

Republic Wireless Offers $19 Unlimited Wireless Plan Per Month


I can’t help feeling giddy.  Does Republic Wireless have the best wireless deal in town?  I’d never heard of Republic Wireless until today, because I’ve never read or heard anybody talk about them before.  I would have cared less about Republic Wireless if they hadn’t announced that they’re offering an unlimited wireless plan for $19 per month.  Wait, what are the catches?

It seems that Republic Wireless relies on the probability that not everyone will hog the wireless network, so it is OK for them to allow a Hybrid Calling technology where smartphones use the WiFi network whenever WiFi is available.  This is one of the catches of Republic Wireless’s $19/month unlimited wireless plan.  This catch goes on to dictate that users cannot abuse the wireless network.  Repeat abusers will be booted off the wireless network or the service altogether.

So, how much bandwidth can one use on Republic Wireless’s wireless network?  Republic Wireless currently allows 400 minutes of talk, 600 MB of data, and 200 texts each month.  In my opinion, WiFi does make a big difference!  To tell the truth, 400 minutes of talk, 600 MB of data, and 200 texts each month on the wireless network seems very stingy.  It’s more like something for emergency usage.  With that being said, I don’t mind piggybacking on my WiFi network for calling someone, surfing the web, or sending text messages at all.

Republic Wireless hints that they might roll out an application that will allow different types of smartphones to use their Hybrid Calling technology.  For now, it’s only possible for certain specific modified Android smartphones to tap into their Hybrid Calling technology.  It’s unclear to me which Android smartphones those would be!

Source:  http://www.pcworld.com/article/243389/republic_wireless_rolls_out_19_unlimited_voice_data_text_service.html#tk.rss_news

Thought Of The Day: Would People Look Back And Laugh At Themselves For Spending So Much On So Little Data?

As I pondered the thought of seeing people pay tens of dollars for a couple hundred megabytes of wireless data a month, a chuckle came out of me.  I wondered, would these same people look back in the future and laugh that they had paid so much for so little data?  Perhaps the ongoing trend would become so perverted that it could be a lot more expensive for the same people to consume the same amount of data in the future.  For certain, it would be utterly sad to see less network activity and more boredom when people in the future might not be able to afford to spend on data.

Such a thought saddened me, but WiGig gave me hope!  Knowing WiGig existed, there might be hope on our network horizon that a day would come where wasting data would be bliss.  Connecting at extreme speed through a wireless network without a care would definitely push for a not-so-boring digital world.  Of course, it might be more volatile, chaotic and dangerous, but it might also be creative, interesting and interconnected.  I could not see myself in a boring digital world, because I might prefer either not knowing there was such a thing at all or seeing more of whatever would drive the digital world into its own state of bliss.