WiFi security

[duk3]

Hey fellas.

I bought my Cell C black MF 668 Modem back in late April and was activated in early May. Over time I've become more paranoid after reading about topics here on the forum and so on. I just wanted to know, besides buying a wireless router and enabling WPA2 encryption and the like, what else can be done to secure your WiFi?

I only ask because in the past I had an episode where there was some fella parked outside my house, and I know that these things do happen (mainly because I read about people here on MYBB bragging about how they jump onto someone's unsecured WiFi). Since then I always make sure to unplug my modem when it's not being used. That's the only 100% way of keeping them out, so I hear. I haven't seem him for months - wish I'd gotten a number plate.

By the way, what routers can I use with an MF668? Cell C's own router doesn't seem to support it, and I went to Chaos Computers in Willowbridge - none of the routers they sold there supported Cell C. MTN and Vodacom, etc. only. For the record, I have searched the forums and so on but I tend to prefer a personalized response from those in the know. I would prefer to buy one from a brick and mortar store by the way, here in Cape Town somewhere, if anyone knows.

By the way, I am running a firewall and I have other internet security. I've read that can help some. I looked into downloading a program like AirSnare which will alert you if an unrecognized "MAC address" is connecting to your network. But after the download completed, AVG's RT protection said it was adware. Don't know.

Thanks in advance for any suggestions. Will check back tomorrow.

 

[Madhawk]

Start your seach here.

The TP-LINK MR3420 / MR3220 come highly recommended.

They have their own store in Cape Town

Tell them you're a myBB member and get a discount on the router.

 

[karnuffel]

Look at the TP-Link mr 3420. It has MAC filtering which allows you to set which mac addresses are allowed on your network.

Yes it is possible to spoof a mac address (from what ive read) but I doubt anyone will go through all that trouble to access your network.

 

[bdt]

Yes it is possible to spoof a mac address (from what ive read) but I doubt anyone will go through all that trouble to access your network.

..which is why locking down MAC addresses is, to a determined attacker, only a minor impediment at best.

But, in order to even get there, they'd need to get past wi-fi security. And if that's at least WPA-PSK (if WPA2 *is* an absolute necessity, I invite someone to lead me to supporting documentation) with a decent key that's just not going to happen.

 

[karnuffel]

..which is why locking down MAC addresses is, to a determined attacker, only a minor impediment at best.

But, in order to even get there, they'd need to get past wi-fi security. And if that's at least WPA-PSK (if WPA2 *is* an absolute necessity, I invite someone to lead me to supporting documentation) with a decent key that's just not going to happen.

100% correct. I did a bit of reading and found this. @Mods not sure if this article breaks any rules. Ill remove if needed

EDIT: hehe nice xkcd ref

 

[OGroteKoning]

You can also hide the broadcast of the modem so only the MAC addresses will automatically pick up on the broadcast. (Don't know if this function is available on the TP-Link though)

 

[ajax]

You can also hide the broadcast of the modem so only the MAC addresses will automatically pick up on the broadcast. (Don't know if this function is available on the TP-Link though)

It has. Go here and click on Wireless -> Wireless Settings and then uncheck "Enable SSID broadcast."

 

[bdt]

It has. Go here and click on Wireless -> Wireless Settings and then uncheck "Enable SSID broadcast."

Only disabling SSID broadcast != actually, functionally hiding the fact of wi-fi broadcast. Yes, it can be argued that it makes your network harder to find ..to your average Joe, not to someone running even the most basic wi-fi scanning system. And in the meantime you've only (arguably, out depends on usage pattern) only made things more difficult for yourself.

 

[OGroteKoning]

Only disabling SSID broadcast != actually, functionally hiding the fact of wi-fi broadcast. Yes, it can be argued that it makes your network harder to find ..to your average Joe, not to someone running even the most basic wi-fi scanning system. And in the meantime you've only (arguably, out depends on usage pattern) only made things more difficult for yourself.

I must agree that sometimes I have a little hickup with connecting, but to be honest, that happens like once in 6 months. I for one would like to make life as difficult as possible for the ejit who wants to steal my bandwidth/data, etc. I accept that if they want to get in they will ... unfortunately ... there is no 100% secure way

 

[bdt]

I must agree that sometimes I have a little hickup with connecting, but to be honest, that happens like once in 6 months.

A wee hiccough once in a blue moon on, say, your laptop is one thing. But we now live in a world with many more mobile wifi-capable devices, notably cellphones. And they're proliferating and it's entirely likely that your own family/friends you deem worthy are also going to hop onto your wlan and hiding the SSID just makes for a complication layer you just don't need.

I for one would like to make life as difficult as possible for the ejit who wants to steal my bandwidth/data, etc. I accept that if they want to get in they will ... unfortunately ... there is no 100% secure way

Well then, set up a RADIUS server for your wlan authentication :erm: ..or just (at least) WPA-PSK with a good pass-phrase; check that xkcd link for advice.

 

[OGroteKoning]

A wee hiccough once in a blue moon on, say, your laptop is one thing. But we now live in a world with many more mobile wifi-capable devices, notably cellphones. And they're proliferating and it's entirely likely that your own family/friends you deem worthy are also going to hop onto your wlan and hiding the SSID just makes for a complication layer you just don't need..

For me it is a bigger schleb to do MAC filtering. If the MAC filtering is off (or the device is added), then it is merely a question of setting up family/friends' devices with the SSID and passphrase and there we go even if the SSID is hidden.

I will check out the RADIUS server option ....

 

[duk3]

Start your seach here.

The TP-LINK MR3420 / MR3220 come highly recommended.

They have their own store in Cape Town

Tell them you're a myBB member and get a discount on the router.

Thanks, I'll check it out. Thanks to everyone else for your input as well.

 

[Pavan]

By the way, what routers can I use with an MF668? Cell C's own router doesn't seem to support it, and I went to Chaos Computers in Willowbridge - none of the routers they sold there supported Cell C. MTN and Vodacom, etc. only. For the record, I have searched the forums and so on but I tend to prefer a personalized response from those in the know. I would prefer to buy one from a brick and mortar store by the way, here in Cape Town somewhere, if anyone knows.

Cell C sells the ZTE MF10 router which is compatible with your MF668 speed stick. Think they retail for +/- R500. Router network speed is dependent on the speed stick used...

 

[duk3]

Cell C sells the ZTE MF10 router which is compatible with your MF668 speed stick. Think they retail for +/- R500. Router network speed is dependent on the speed stick used...

Awesome. Will check that out as well.

 

[OGroteKoning]

@ bdt
I concede - hiding SSID is not really helpfull. http://www.howtogeek.com/howto/2865...hiding-your-wireless-ssid-really-more-secure/

 

[bdt]

@ bdt
I concede - hiding SSID is not really helpfull. http://www.howtogeek.com/howto/2865...hiding-your-wireless-ssid-really-more-secure/

Well now, that was really helpful of you to post that link, ta ..anything we can do to educate and enlighten is a *good* thing!

 

[Park@82]

Well now, that was really helpful of you to post that link, ta ..anything we can do to educate and enlighten is a *good* thing!

I don't know much about wifi security but I still don't see why hiding an SSID and turning on mac filtering would not help prevent an attacker at least a lay attacker.

I guess enabling a hidden ssid is like putting barb wire around a steel gage, but surely you made it a bit harder to get in...

Cant it deter script kiddies with some basic knowledge?

E.g.:

Someone walks around with an android phone scanning for wifi networks to try and hack. His android phone cannot pick up hidden SSIDs so he rather targets someone else's network...
(I have a tool on my phone for checking channels, thus I know that it does not see hidden ssids)

Where wife's mom lives they have a shared AP, basically they connect to it and then create their own dial up connection to a ISP.
The guy has MAC filtering enabled. For the life of me I can not spoof a MAC address with the broadcom network card that is in my notebook (windows). I have tried various tools and tricks none of them seems to work with my wifi card.

 

[bdt]

I don't know much about wifi security but I still don't see why hiding an SSID and turning on mac filtering would not help prevent an attacker at least a lay attacker.

Y'know, a 'lay attacker' is kind of (but not entirely) like a pregnant virgin: you *may* get someone with the right mix of idle curiousity yet still put in the effort to acquire, learn and deploy the tools necessary to poke around for the hell of it. But I wouldn't bet on its being likely.

I guess enabling a hidden ssid is like putting barb wire around a steel gage, but surely you made it a bit harder to get in...

Cant it deter script kiddies with some basic knowledge?

Not even slightly on the SSID front. Hell, *ancient* hidden-SSID scanning programs reveal what you're trying to hide, what do you think the current ones do? ..you may as well armour your cage with tissue paper.

E.g.:

Someone walks around with an android phone scanning for wifi networks to try and hack. His android phone cannot pick up hidden SSIDs so he rather targets someone else's network...
(I have a tool on my phone for checking channels, thus I know that it does not see hidden ssids)

Y'know, I just tried it out: I hid my SSID and there is *NO* way I'm going to stand for my laptop and phone failing to just get onto the network when I get home, it's SO much more hassle than the nothing it's worth.

Where wife's mom lives they have a shared AP, basically they connect to it and then create their own dial up connection to a ISP.
The guy has MAC filtering enabled. For the life of me I can not spoof a MAC address with the broadcom network card that is in my notebook (windows). I have tried various tools and tricks none of them seems to work with my wifi card.

I'm not nearly as sure about MAC-spoofing so I'm not going to up and declare that it's a wasted effort and, as you've demonstrated here, it may not be all *that* easy to pull off (I've never had a crack (ha) at it so I can't comment). Question: have you tried with BackTrack?

Finally, consider this: the front door to your house is something that you, if you look at it from a certain angle, 'publish' - it's right there in the public eye for all to see. (work with me here ok) But the fact of seeing it in no way means being able to trivially able to break through it and hiding it would just make your life all that more inconvenient ...why would you do that to yourself? :erm:

 

[Park@82]

Y'know, a 'lay attacker' is kind of (but not entirely) like a pregnant virgin: you *may* get someone with the right mix of idle curiousity yet still put in the effort to acquire, learn and deploy the tools necessary to poke around for the hell of it. But I wouldn't bet on its being likely.

Not even slightly on the SSID front. Hell, *ancient* hidden-SSID scanning programs reveal what you're trying to hide, what do you think the current ones do? ..you may as well armour your cage with tissue paper.

Y'know, I just tried it out: I hid my SSID and there is *NO* way I'm going to stand for my laptop and phone failing to just get onto the network when I get home, it's SO much more hassle than the nothing it's worth.

I'm not nearly as sure about MAC-spoofing so I'm not going to up and declare that it's a wasted effort and, as you've demonstrated here, it may not be all *that* easy to pull off (I've never had a crack (ha) at it so I can't comment). Question: have you tried with BackTrack?

Finally, consider this: the front door to your house is something that you, if you look at it from a certain angle, 'publish' - it's right there in the public eye for all to see. (work with me here ok) But the fact of seeing it in no way means being able to trivially able to break through it and hiding it would just make your life all that more inconvenient ...why would you do that to yourself? :erm:

Yes I am aware of backtrack. Downloaded it, but never played with it. I get what you are saying, I am just giving you real live examples of where enabling these might help somewhat. I don't have either enabled on my router, like you said its just not worth the effort. If someone is real paranoid radius is probably the way to go.