Home Network Security

  • 55th Communications Group
While cyber security awareness is paramount when using Air Force networks, that same situational awareness must also carry over into the personal realm of cyberspace. As an Air Force member, you are targeted not just at work but also at home. The adversary realizes that the most vulnerable avenue of attack is not to attempt breaching the multiple layers of defense found in military networks but to gain access through the more relaxed security of home networks and connected devices. It is the responsibility of all Airmen to be smart and vigilant at work, and the same applies at home. Everyone should follow safe network practices and know how to properly set up and secure home networks and the devices connected to them.

Avoid Open Wireless Connections

The first thing that everyone should know is that open Wi-Fi connections, which are wireless access points that are open to anyone, are one of the easiest targets for data thieves and hackers. Anyone with a wireless device can connect to and use that open access point. Open Wi-Fi connections pose security issues because all wireless traffic on them is unencrypted. This means that all network traffic being sent back and forth between the access point and each user's device can be read. By using free open source software like Wireshark, anyone with a laptop or some type of wireless listening device can capture network traffic flowing in and out of the access point. The Wireshark software will de-conflict and separate all the traffic into individual device traffic, and will then let that person analyze and reconstruct the data sent in each networking packet. Since the traffic is unencrypted, they can read all the data that was transmitted, including website login information, email message contents, instant messaging text and even files that were transferred.

Use Wireless Encryption or a VPN

To prevent unauthorized connections and the capture of wireless traffic, wireless encryption should be used. There are three types of wireless encryption: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access version 2 (WPA2). Wireless encryption is a setting that is enabled on the access point which will scramble the data being transmitted so that it looks like unintelligible gibberish when captured and viewed. Users must know the encryption password to connect to the access point and decrypt network traffic. While these methods of wireless encryption discourage the average user from attempting to gain unauthorized access, more advanced hackers can break all three types of encryption with relative ease. Using a freely available Linux distribution called BackTrack, a hacker can transform almost any regular laptop computer into a mobile network penetration machine. BackTrack contains specialized network exploitation tools that will analyze, spoof, inject and eventually crack any Wi-Fi traffic that uses WEP, WPA, or even WPA2 encryption. An exploitation tool named Reaver was recently added to the BackTrack suite for cracking WPA2. This new exploit targets a flaw in the hard-coded PINs used for the Wi-Fi Protected Setup (WPS) process that most access points have as a connection option. Although most access points have the administration option to disable WPS, the exploit will still work and provide the encryption password. The only method to counter this new WPA2 vulnerability is to use a wireless access point that does not support WPS or to use a wireless access point that is running DD-WRT, OpenWRT or Tomato firmware - these do not support WPS. These three varieties of firmware can be installed on a wide range of access points, but are only recommended for more advanced users.

If it is absolutely necessary to use an open Wi-Fi connection, an excellent method of protection is to use a Virtual Private Network. A VPN creates an encrypted tunnel between you and the VPN provider, and all of your network traffic is routed through that provider. This means that even if your traffic is captured on an open Wi-Fi connection, it cannot be read since it has been encrypted.

Change the default SSID, username, and password

All wireless access points come from the factory with certain default settings which must be changed to mitigate the security risks they pose. The three things users need to change are the service set identifier or SSID, the administrative username, and the administrative password. The SSID is the name that identifies the Wi-Fi network and is what allows connected devices to communicate with each other. By default, this is usually set to the manufacturer's name such as "linksys" or "netgear", which gives someone valuable information regarding the Wi-Fi network. This information is very useful because if someone knows the brand, they can find the default administrative username and password associated with that device. The administrative username and password allow one to log into the device and access networking settings. Almost all companies have user manuals posted online with this information easily accessible, and people have compiled large lists containing the default login credentials for almost every make and model of Wi-Fi networking devices currently available. Therefore users should change the default username and password and set the SSID to something that does not call attention to itself.
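The checks from this section and the encryption section can be run as a self-audit of your own access point. The following is an added example, not part of the original article: the settings record, its field names, the finding codes, the vendor list beyond "linksys" and "netgear", and the sample logins are all assumptions made for illustration.

```python
import re

# Vendor-name SSIDs. "linksys" and "netgear" are the article's examples;
# the other names are assumed for illustration.
DEFAULT_SSID = re.compile(
    r"^(linksys|netgear|dlink|d-link|belkin|tp-link|default)([-_ ].*|\d*)$", re.I)
# Constructed sample of factory logins; published lists are far longer.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"),
                  ("admin", ""), ("root", "admin")}
# The article's three encryption types plus "open", weakest first.
ENCRYPTION_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def audit_access_point(cfg):
    """Return sorted finding codes for one access point settings record.

    cfg is a hypothetical dict you fill in by hand from the router's admin page.
    """
    findings = []
    enc = cfg.get("encryption", "open").lower()
    if enc not in ENCRYPTION_RANK:
        findings.append("unknown-encryption")
    elif ENCRYPTION_RANK[enc] == 0:
        findings.append("open-network")
    elif ENCRYPTION_RANK[enc] < ENCRYPTION_RANK["wpa2"]:
        findings.append("weak-encryption")
    # The article says switching WPS off is not enough, so the check is on
    # whether the device supports WPS at all; unknown is treated as present.
    if cfg.get("wps_supported", True):
        findings.append("wps-present")
    if DEFAULT_SSID.match(cfg.get("ssid", "").strip()):
        findings.append("default-ssid")
    login = (cfg.get("admin_user", "").lower(), cfg.get("admin_password", ""))
    if login in DEFAULT_LOGINS:
        findings.append("default-admin-login")
    return sorted(findings)


# Constructed sample records: a factory-fresh device and a reconfigured one.
FACTORY = {"ssid": "linksys", "encryption": "wep", "wps_supported": True,
           "admin_user": "admin", "admin_password": "admin"}
HARDENED = {"ssid": "bluejay-42", "encryption": "wpa2", "wps_supported": False,
            "admin_user": "homeadmin", "admin_password": "constructed-long-passphrase"}

if __name__ == "__main__":
    for name, record in (("factory", FACTORY), ("hardened", HARDENED)):
        print(name, audit_access_point(record) or "no findings")
```
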

There are many more steps that can be taken to secure your home network (such as using a router firewall, static IP addressing, MAC filtering, disabling unnecessary services, logging, and monitoring) but the ones highlighted above provide the biggest bang for your buck. They are easy to accomplish and they dramatically increase home network security. If you would like to learn more about home networking and wireless security, please review the following links:

http://www.us-cert.gov/reading_room/HomeRouterSecurity2011.pdf
http://www.us-cert.gov/reading_room/Wireless-Security.pdf
http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf
http://www.cert.org/tech_tips/home_networks.html
http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm
http://www.wireshark.org/
http://www.backtrack-linux.org/
https://openwrt.org/
http://www.dd-wrt.com/site/support/router-database
http://www.polarcloud.com/tomato
http://tomatousb.org/
http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs
http://www.routerpasswords.com/
