Info & Security News

Who's Spying on You?


You might enjoy the convenience of wireless ("WiFi") access to the internet while you are at home. If so, you may not realize that everything you do from any device attached to a wireless network (whether a cellphone, laptop/computer, wireless camera, etc.) is broadcast via radio waves from that device to your wireless router/access point. Neighbors or other drive-by (uninvited) "guests" can tune in to these transmissions, and monitor your emails, photo exchanges, text messages, bill payments, and pretty much anything else you do while you're online.

Here's how to protect your home network from these nosy (and even criminal) intruders.

Note: you'll probably need the user manual for your wireless router in order to accomplish these tasks, as the steps required vary by router model. If you have misplaced your original manual, visit your router manufacturer's web site to obtain an online version. You can usually determine your router's manufacturer and model number from a physical label located someplace (usually stuck on the back or bottom) on the router.

1. Change your wireless router/access point administrator credentials - change the administrator userid (if possible - some routers do not allow you to change the admin userid) and password (most, if not all, routers allow you to change the password - if yours does NOT - you should seriously consider acquiring a more secure router!). 

DO NOT EVER leave the default password in place. Lists of default userids and passwords are available on the internet, so ANYONE can sign on to your router as administrator if you don't change the default admin credentials (see for example: http://portforward.com/default_username_password/ for a list of default ids/passwords).

Make sure that your password is strong - at least 10 characters long (even longer is better!). See: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password for hints, and this video for general password tips: https://www.youtube.com/watch?v=pMPhBEoVulQ

And for a list of "NEVER USE" passwords, see: http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/ or http://www.wired.com/2013/12/web-semantics-the-ten-thousand-worst-passwords/. AND you should change your password occasionally.

2. Check all registered userIDs on your router immediately AFTER you have changed your default admin ID/password. Find the list of all user ids registered on your router. This list should be accessible from someplace in your router's administration menus.  Open the list, and make sure that nobody has added any additional accounts. Delete any unknown accounts - they may have been placed there by attackers.

3. DISABLE remote administration/configuration/upgrade.  Different routers may call this "feature" by a different name, like "remote administration", "remote configuration", "remote management", "WAN setup", etc.  I'll refer to this as "remote administration" here... Remote administration allows your router to be re-configured by ANYBODY, from the internet (of course, they would also need your admin credentials, so this is somewhat more difficult - but not impossible - to do once you have changed your default admin credentials as described in step 1...).  Disabling remote admin will require ANY future router configuration to take place via your "local LAN", instead of via the internet. Internet users will be locked out, even if they know your id and password (which they shouldn't if you've already reset your admin credentials and removed any unknown admin accounts from your router - but even if they can "guess" your admin credentials, they will still be locked out if remote administration is disallowed).

4. Ensure that your router uses encryption for all sessions. Select the STRONGEST encryption that your router and other wireless equipment support. If you have any older wireless devices that do not support strong encryption, consider upgrading those devices (you do not want to weaken your router's encryption in order to support these older devices - doing so will make it easier for criminals and snoops to spy on you). See: http://www.pcworld.com/article/130330/article.html for some hints. Currently for home users, the best choice is WPA2/PSK with a strong encryption password. For companies, WPA2 Enterprise mode is better, but requires a RADIUS server somewhere on your network. Never use WEP encryption, as it is flawed, and easily "cracked".

5. If your router supports a firewall, Intrusion Prevention (IPS), and/or Intrusion Detection (IDS) capabilities, make sure that they are enabled. These should be "on" by default, BUT - if you had the default password set (or any of the "NEVER USE" passwords noted in item #1 above), AND you had remote admin/config enabled, and the router has been connected to the internet for a while (like 5 minutes!) - re-check to make sure that someone hasn't turned them off.

6. Turn off responses to PING (ICMP) to make your router less detectable from the internet. If your router does not respond to these requests, potential attackers won't "find" you as easily, and if they don't find you, they're less likely to attack you. Note that doing this will not make you completely invisible, and security by obscurity is NOT to be relied on as your sole protection - but it IS another layer of protection that can at least slow down inexperienced attackers.

7. Disable "Guest" networks. This will help avoid "drive by" access to your network. While a guest network user won't necessarily see anything you're doing (if you're using encryption and/or VPN, etc., for your "non-guest" access), it may allow anyone in range of your WiFi router to use your bandwidth for free. This is bandwidth that you're paying for, but won't be able to use if some interloper is watching "Star Wars" via Netflix as your guest...

8. If your router supports a VPN, configure and use it. If your router does not support VPN, consider this next time you upgrade your router.

9. If your router manufacturer provides software/firmware upgrades, install them.  A manufacturer provides upgrades to router software whenever new features are available AND/OR whenever security flaws have been discovered and "fixed".  You definitely want to upgrade if security fixes are included in the new release, and you may want to add new features when they are available (see the "what's new" or "new features" doc that is usually included with the upgrade).  So check your manufacturer's web site for updates occasionally. See: http://www.cnet.com/news/top-wi-fi-routers-easy-to-hack-says-study/ for examples of why you want to upgrade security releases...

10. Change your SSID. The SSID is a name assigned to your wireless network, and allows you to differentiate your network from other wireless networks that are close by (like your next-door neighbor's wireless network). Your router manufacturer set a "default" SSID, BUT that SSID usually reveals information about your router - like the brand, and perhaps the version of the firmware - that can be used by attackers to find "known exploits" that work against your particular router. Instead, change your SSID to some non-specific name.  You should use a name that does not identify you, your company, or the router manufacturer, etc.

11. Use NAT instead of BRIDGING.  If your router is set up to "bridge" your network to the internet, every computer on your home network will be exposed directly to attacks from other internet sources.  This is NOT good, so instead of "bridge" mode, use NAT (Network Address Translation) mode, which will add a layer of protection between the internet and the computers on your network. In effect, BRIDGE extends the internet directly to each computer on your network, NAT turns your network into a network SEPARATE from the internet that is connected to the internet through your router, and computers on your network will not be directly accessible from the internet.

12. Disable DMZ. The DMZ creates a separate portion of your network that is NOT protected by the router firewall, IPS/IDS, etc.

13. Enable logging, if your router supports it. Check the logs periodically for any suspicious activity. If you see something strange going on, take evasive action - change your passwords, SSID, etc.

14. Turn off your wireless network when you are not using it. This will prevent anyone else from accessing it (you'll have to turn it back on when you need it again).

15. Disable WPS. WPS (WiFi Protected Setup) allows fast, easy connection to your network, usually using an 8-digit numeric code as a "password". This password is extremely weak, and due to a flaw in the implementation it requires only 11,000 "guesses" (max) to crack. Some routers are even worse - they compute the password directly from the MAC address. So disable this "feature". (Note that while 11,000 tries is a LOT to attempt by manually typing them in, it is simple for a hacker's program to do this at lightning speed...)

16. Disable UPnP (sometimes called "Plug and Play"). UPnP allows your router to be easily discoverable and configured. It defines a protocol that allows "zero configuration" networking.  While this is convenient, it also allows programs to send controls to the router. If these controls are from you, that's fine - but if from somebody else, not-so-fine...(there is no authentication provided in the protocol, so anyone can use the UPnP interface).
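For item 13, here is one way to review an exported router log for the events this list warns about. This is an added example, not part of the original article; the log wording, the LAN range and the threshold are assumptions, since every router vendor formats its log differently.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the article): LAN range, threshold and log wording.
LAN = ipaddress.ip_network("192.168.1.0/24")
FAILED_LOGIN_THRESHOLD = 3
LOGIN = re.compile(r"admin login (?P<result>failed|succeeded) from (?P<ip>\S+)")
CHANGES = {
    "firewall disabled": "firewall turned off (item 5)",
    "remote management enabled": "remote administration turned on (item 3)",
    "user added": "new router account created (item 2)",
    "upnp port mapping added": "UPnP opened a port (item 16)",
}

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
2014-03-02 21:14:07 admin login failed from 203.0.113.45
2014-03-02 21:14:09 admin login failed from 203.0.113.45
2014-03-02 21:14:12 admin login failed from 203.0.113.45
2014-03-02 21:14:15 admin login succeeded from 203.0.113.45
2014-03-02 21:15:02 config: user added name=support
2014-03-02 21:15:40 config: firewall disabled
2014-03-03 08:01:11 admin login succeeded from 192.168.1.10
"""

def review_log(text):
    """Return (line_number, reason) findings for a router log."""
    findings, failures = [], Counter()
    for number, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        match = LOGIN.search(lowered)
        if match:
            try:
                source = ipaddress.ip_address(match["ip"])
            except ValueError:
                continue  # not an IP address; skip the malformed line
            if match["result"] == "failed":
                failures[source] += 1
                if failures[source] == FAILED_LOGIN_THRESHOLD:
                    findings.append((number, f"repeated failed admin logins from {source} (item 1)"))
            elif source not in LAN:
                findings.append((number, f"admin login from outside the LAN: {source} (item 3)"))
        for phrase, reason in CHANGES.items():
            if phrase in lowered:
                findings.append((number, reason))
    return findings

if __name__ == "__main__":
    for number, reason in review_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Any finding is a cue for the response the article describes: change your passwords, re-check the account list, and confirm the firewall and remote administration settings.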

Note that most routers have a "Reset" button that allows you to revert to "factory settings". If you accidentally foul up (like locking yourself out because you selected a really good - but hard to remember - password), you can use this button to start over. Note that many routers require you to use a small item (like a paper clip or the tip of a pen) to press the recessed reset button, and you usually have to depress the button for some seconds before the "reset" will take effect (your manual will tell you how long you have to "hold" to reset).

Once reset, your router default (factory) settings will be restored, including the admin userid and password, and IP address, etc. Your router will be configured the same as when you bought it (assuming that you are the original owner...). So start over at item #1 above to (re-)configure your security settings if you had to "reset".

You don't have to do ALL of the above, but items 1-5 are critical. Each additional item beyond these 5 "basics" adds another layer of protection to your wireless network, which will help to deter wireless freeloaders and criminals.
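To confirm items 4 and 10 took effect, you can check how your network appears to a nearby device. The following is an added example, not part of the original article: it audits the terse `SSID:SECURITY` output of `nmcli -t -f SSID,SECURITY device wifi list` on a Linux laptop, and the list of brand-revealing SSID prefixes and the sample scan are assumptions constructed for illustration.

```python
import re

# Assumption: a few brand-revealing default SSID prefixes; extend as needed.
DEFAULT_SSID = re.compile(r"^(linksys|netgear|dlink|d-link|tp-link|belkin|default)", re.I)

# Constructed sample scan in nmcli's terse format (":" inside an SSID is escaped).
SAMPLE_SCAN = """\
NETGEAR54:WEP
linksys:
Blue Heron:WPA2
Cafe\\: Upstairs:WPA1 WPA2
"""

def audit_scan(text):
    """Map each SSID with a problem to a list of issues (items 4 and 10)."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # SECURITY never contains ":", so split on the last separator.
        raw_ssid, _, security = line.rpartition(":")
        ssid = re.sub(r"\\(.)", r"\1", raw_ssid)  # undo nmcli escaping
        protocols = set(security.split()) - {"--"}
        issues = []
        if not protocols:
            issues.append("no encryption (item 4)")
        elif "WEP" in protocols:
            issues.append("WEP is flawed and easily cracked (item 4)")
        elif protocols == {"WPA1"}:
            issues.append("WPA1 only; select WPA2 (item 4)")
        if DEFAULT_SSID.match(ssid):
            issues.append("SSID reveals the router brand (item 10)")
        if issues:
            report[ssid] = issues
    return report

if __name__ == "__main__":
    for ssid, issues in audit_scan(SAMPLE_SCAN).items():
        print(f"{ssid}: {'; '.join(issues)}")
```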

Stay safe online!

sah Ω