Security check

Guaranteeing the security of one's own network should be the natural objective of every Hotspot operator. We'll now show you how you can raise your system security standards and prevent trespassers from gaining access to your data and/or Internet connection. When it comes to configuring Wifi (on DSL devices), manufacturers and salespeople want an installation that is fast and simple - making it easy to demonstrate how fast, durable and uncomplicated Wifi is to use. Unfortunately, the topic of security often has to take a back seat. The danger to the security of your network lies in the very nature of the cable-free Internet itself: data transmitted by radio waves, as with Wifi, doesn't stop at the boundaries of houses and rented apartments. So really - it's up to you to prevent the exploitation of this one weakness of Wifi security - and give free rein to the many advantages of the system. Here are some measures you can take to make life much more difficult for hackers:

1. Router: change your password

Change the password for your router configuration as often as possible. Each router has its own setup, which you can access with the supplied software from a terminal (PC, laptop). Default passwords are generally well-known (e.g. Admin), making it a simple matter for outsiders to break into the configuration menu of your router - and to cripple your entire network. For your new password, choose a sequence of numbers and letters that is as random as possible, ideally combined with a few special symbols (this approach is highly recommended for all passwords on the Internet). Here are two examples - /H81sp81s\ or ghfe235d4&3.

2. SSID: change and hide your network names

The SSID (Service Set Identifier) is the network name for an access point - it is continuously transmitted (broadcast) in plain text by the router, which serves as an access point. Every Wifi card-equipped computer within range receives this signal and can subsequently connect with the router (also see Access Point). The transmission of the network name can be suppressed, with the result that a client (meaning every computer that wants to join the access point's network) won't automatically find it. In the configuration menu of your router there is an optional setting for this - Allow/Suppress network name broadcast (SSID). The SSID is very often preset to a standard value for Hotspot installations. These standard names (e.g. Wifi) are known to War Drivers, with the result that they don't even need to rely on the broadcast signal. So it's advisable not only to deactivate the broadcast, but also to change the default SSID at the same time. Choose a sequence of numbers and letters that is as random as possible, ideally combined with a few special symbols (this approach is highly recommended for all passwords on the Internet). Changes to the SSID must also be made on the clients. Change the password or WEP key and SSID regularly.

3. MAC addresses: limit access authorisation

Each network interface card and each Wifi USB stick has a unique, worldwide one-of-a-kind MAC address (Media Access Control). You can normally find this on the device itself, or obtain it by means of a command in the Commands window of your computer (see the 3rd section). A certain number of MAC addresses with access authorization can be stored in each Access Point / Router. Cards with other MAC addresses are rejected. You can enter the MAC addresses of your clients into a menu of your router, e.g. "Advanced Wireless Settings" or "Access Filter". In the case of large networks, however, the effort involved is considerable and limiting authorisation has proven to be impracticable. If the MAC address isn't printed on the network interface card, there is another method, which applies to XP & W2000/ME/NT: just click 'Start', 'Run' and then type in 'cmd' - now confirm with 'Return'. In the window that opens, type in ipconfig /all (for W2000/ME) or getmac (for XP) - now confirm with your 'Return' key. You'll find the MAC address in the "Physical Address" line. When entering the MAC address on the router, you'll very often have to omit the hyphens between the pairs of digits. Unfortunately, it's very simple to temporarily change the MAC address of a network interface card, using easily-obtained software. If the hacker knows one configured MAC address of the access point, he can use that to log in to the system.
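As an added example (not part of the original page), the following Python sketch collects the "Physical Address" values from `ipconfig /all` output, strips the hyphens as most router menus require, and compares the result with the entries already in the router's access filter. The sample output, the function names and the router entries are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Example Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
Ethernet adapter Wireless Network Connection:
        Description . . . . . . . . . . . : Example Wireless USB Stick
        Physical Address. . . . . . . . . : 00-11-22-dd-ee-ff
"""

_MAC_LINE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s*$")

def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits with no separators."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def macs_from_ipconfig(text):
    """Extract every 'Physical Address' value, normalized, in order, no duplicates."""
    found = []
    for line in text.splitlines():
        match = _MAC_LINE.search(line)
        if match:
            mac = normalize_mac(match.group(1))
            if mac not in found:
                found.append(mac)
    return found

def allow_list_diff(router_entries, client_macs):
    """Return (missing_on_router, stale_on_router) after normalizing both sides."""
    router = {normalize_mac(entry) for entry in router_entries}
    clients = {normalize_mac(mac) for mac in client_macs}
    return sorted(clients - router), sorted(router - clients)

if __name__ == "__main__":
    clients = macs_from_ipconfig(SAMPLE_IPCONFIG)
    print("clients:", clients)
    # Constructed router filter: one current client and one leftover entry.
    missing, stale = allow_list_diff(["001122AABBCC", "00:11:22:00:00:01"], clients)
    print("add to router:", missing)
    print("remove from router:", stale)
```

Stale entries are worth removing: every address left in the filter is one more address that is accepted when presented to the access point.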

4. WEP encryption

WEP (Wired Equivalent Privacy) encrypts data between sender and receiver using a 64 bit, 128 bit or, in the case of brand-new devices, a 256 bit key, of which only 40, 104 and 232 bits are effectively available. To do this, please use the configuration menu of your router and continue to the WEP area (possibly under "Wireless Settings"). Activate WEP, then select (where possible) the encryption strength. Now you can create a key, using the numerals 0-9 and the letters A-F (hexadecimal system). Many of the newer routers help you here - they automatically generate a key when you enter a password consisting of letters and numerals. Using the hexadecimal system, the router generates a key consisting of numerals from 0-9 and letters from A-F. For your password, we strongly advise you to use character strings which do not form a real word. So-called dictionary attacks can go through the entire content of a dictionary in the hope of finding the right password. In the case of 40 or 104 bit encryption, this would only take a few hours. As regards encryption strength, it's a case of the weakest link in the chain. The key strength you can use is determined by the device that supports the least. You can't use e.g. a 128-bit key if your laptop's Wifi card can only communicate with 64 bits, even if your router and another client (PC) could. If you're not sure, you can usually find out what kind of encryption your network interface card uses by means of the software delivered with your card, or from the card manufacturer. Although this key or password does offer a certain amount of protection, it has been proven many times that the level of protection is insufficient and that the key is relatively easy to decode. We strongly recommend that you change your key regularly, or, even better, that you use 26-digit WPA encryption, which we deal with next.

5. WPA data encryption

As a direct result of the inadequate security provided by WEP, the WPA Protocol was developed by the Wi-Fi Alliance, a body of manufacturers of hardware for Wifi applications. WPA is comprised of 26 characters from letters and numerals (WEP has only 10). In comparison to WEP encryption, WPA (Wi-Fi Protected Access) offers the advantage of an automatically changing, dynamic network key. Hackers are suddenly faced with the fact that all the effort they've put into cracking a key has been to no avail (because the key has already been changed). However, this standard also works with the old RC4 algorithm. WPA is nevertheless deemed to be secure provided that you use passwords with a length of at least 20 letters, numerals and special symbols and no actual dictionary word. If you're not sure, you can usually find out what kind of encryption your network interface card uses by means of the software delivered with your card.
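The following added example (not from the original page) generates a passphrase that meets the rule above and derives the 256-bit pre-shared key the way IEEE 802.11i specifies for WPA-PSK: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations. Because the SSID is part of the derivation, it also shows why the advice in section 2 to replace a standard network name matters. The function names and the alphabet are assumptions made for this sketch.

```python
import hashlib
import math
import secrets
import string

# Letters, numerals and special symbols, as the text advises (84 characters).
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+-/<=>?@[]^_{}"

def generate_passphrase(length=20):
    """Random passphrase from a CSPRNG; never a dictionary word."""
    if not 20 <= length <= 63:          # page minimum 20, WPA-PSK maximum 63
        raise ValueError("use 20 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)

def derive_psk(passphrase, ssid):
    """256-bit WPA pre-shared key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

if __name__ == "__main__":
    phrase = generate_passphrase(24)
    print(phrase, f"(~{entropy_bits(24):.0f} bits of entropy)")
    # Same passphrase, two network names: a standard one and a changed one.
    for ssid in ("Wifi", "k7Qm-2vXp"):
        print(f"{ssid:10s} {derive_psk(phrase, ssid).hex()}")
```

The two keys printed at the end differ although the passphrase is the same; a network that keeps a standard SSID shares its salt with every other network using that name, so the strength of the key then rests on the passphrase alone.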

6. Ping requests: ignore them!

Ping requests are absolutely essential for Internet traffic, since computers use them to exchange their IP addresses (Internet Protocol addresses) with one another for identification purposes. This procedure results in computers then being able to exchange data packets. As far as Hotspots are concerned, the drawback is that identification like this enables hackers to recognise the system router and to subsequently reconfigure it. In the configuration menu of your router, e.g. under WAN-configuration, you can decide (in most cases) whether to respond to ping requests or not.

7. Access points: bugs in company networks

Thanks to James Bond and co., most of us are aware that electronic bugs are listening devices planted in telephones. A Wifi router smuggled into a company network works in a very similar way. All the hacker has to do is connect the router by Ethernet cable to the company's network. For the hacker, this is usually no problem at all - you can find connections like this in most conference rooms today. An installed firewall prevents the router's IP from being discovered by a scan of the company's in-house network. The hacker can now access the company network externally - although he still has to be within range of the router that he smuggled in. However, don't despair! There is an effective countermeasure against router-bugs: special software which, with the help of the company network's other access points, can home in on the illegal Wifi router, localise it and switch it off.
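The core of such a countermeasure can be sketched in a few lines. This added Python example (not from the original page, and not the product the text refers to) takes scan reports from the company's own access points, flags every BSSID that is missing from the inventory, and names the access point that hears it loudest as a starting point for locating it. All addresses, sensor names and readings are constructed.

```python
from collections import defaultdict

# Constructed inventory of the company's own access points.
AUTHORIZED_BSSIDS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

# Constructed scan reports: (reporting access point, BSSID heard, SSID, signal in dBm).
SCAN_REPORTS = [
    ("ap-lobby",  "02:00:00:00:00:02", "corp",       -48),
    ("ap-lobby",  "02:00:00:00:99:10", "conference", -81),
    ("ap-floor2", "02:00:00:00:99:10", "conference", -52),
    ("ap-floor2", "02:00:00:00:00:01", "corp",       -60),
    ("ap-floor3", "02:00:00:00:99:10", "conference", -74),
    ("ap-floor3", "02:00:00:00:77:20", "",           -88),  # hidden SSID
]

def find_unauthorized_aps(reports, authorized, min_sensors=1):
    """Return one finding per BSSID that is not in the inventory.

    Each finding names the sensor with the strongest reading (closest to
    0 dBm) and how many sensors heard the device; results are sorted with
    the strongest signal first.
    """
    known = {bssid.lower() for bssid in authorized}
    sightings = defaultdict(list)
    for sensor, bssid, ssid, dbm in reports:
        if bssid.lower() not in known:
            sightings[bssid.lower()].append((dbm, sensor, ssid))
    findings = []
    for bssid, seen in sightings.items():
        if len(seen) < min_sensors:
            continue
        dbm, sensor, ssid = max(seen, key=lambda s: s[0])
        findings.append({
            "bssid": bssid,
            "ssid": ssid or "<hidden>",
            "nearest_sensor": sensor,
            "strongest_dbm": dbm,
            "sensors": len(seen),
        })
    return sorted(findings, key=lambda f: f["strongest_dbm"], reverse=True)

if __name__ == "__main__":
    for finding in find_unauthorized_aps(SCAN_REPORTS, AUTHORIZED_BSSIDS):
        print(finding)
```

As a rule of thumb, a device heard strongly by several sensors is probably inside the building, while one heard weakly by a single sensor is more likely a neighbour's access point; raising `min_sensors` filters out the latter.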

8. Limiting range & times of operation

Most operating areas of private Hotspots don't need the maximum possible range of more than 100m. So beyond a certain radius, the Hotspot will be of no use to you - but for a hacker, it's quite the opposite. He doesn't have to stay within an area where he can actually be seen by you (and the less suspicion he arouses, the better, from his point of view!). The range and coverage of your Hotspot can be influenced on the one hand by the design of the antenna and, on the other, by the location of the router. If you have a laptop or a PDA on hand, you can use these devices to check the reception in the surrounding area while on the move. If you're not online 24 hours a day, then it makes sense to switch your router off. Unfortunately most of the routers on the market today don't have a power switch. Two alternatives here are pulling out the power cord or using a time switch. Both of these alternatives make sense if you're going to be away from home for a while or if you're only online for one night, so don't allow your router to attract unwelcome attention. Besides, there's also the added bonus of a somewhat reduced electricity bill!

9. Deactivate the DHCP server

A DHCP server automatically allocates IP addresses to all requesting clients (laptop, PC, PDA). These also learn from it which gateway and which DNS server (Domain Name System Server) are being used. If this function is deactivated, so that the IP has to be set manually in the client device (laptop, PC), access becomes more difficult for the hacker to achieve. You can set this in the configuration menu of your router - the sub-menu may be called LAN-IP Configuration, and the term "Address Reservation" may be used instead of static IP. Here it's advisable to keep the address space for static IPs as tight as possible.

10. IEEE 802.11i / WPA2

The new standard 802.11i, introduced at the end of 2004, offers significantly more protection than its popular predecessors 802.11b and 802.11g. Instead of WPA and WEP, both of which use the encryption algorithm RC4, 802.11i uses WPA2, which in turn utilises the Advanced Encryption Standard (AES). Even though WPA is fully sufficient for the private sector at present, you should definitely consider purchasing 802.11i for the future. WPA and WPA2 are compatible with one another.

11. Firmware Upgrade

Firmware is software stored in various hardware components such as routers. Often hardly apparent to the user, it takes over basic tasks. The most common example of firmware is the BIOS. It's not always advisable to install the latest firmware. If your Wifi system is running smoothly - and provided that the firmware doesn't address security in any way at all - you really don't need it.

Online scans

McAfee offers all Wifi operators a free security check. All you need is Microsoft's Internet Explorer with ActiveX activated. This well-known manufacturer of anti-virus software scans your system and checks your security settings. It's only available in English. Sygate's Onlinescanner checks different security settings, including your system's level of vulnerability to viruses and attacks by hackers. This is recommended for more than just Wifi systems! It functions with Internet Explorer and Firefox. Only available in English.

The general rule of thumb is that there's no such animal as total security - although each of the measures introduced here certainly does make infiltrating your system more difficult for potential hackers and war drivers.

 
