Sign in with
Sign up | Sign in
Your question

Is my network secure enough now?!?

Last response: in Wireless Networking
Share
June 13, 2005 12:04:15 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

I've set up a wireless network at home for the first time, having
hopefully read up enough on security to make this a 'safe' proposition.
What I'd like to know is, having taken these steps, can I consider my
wireless network to be fully secure to all intents and purposes (given
that I'm just an ordinary person living in a low-population density
suburb (rather than, say, a corporate user at high risk of attack)?

I have a Linksys WRT54G router connected to always-on broadband, and
have taken the following steps:

1. Changed the router admin login details from the default
2. Changed the default SSID
3. Disabled SSID broadcast
4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
to connect wirelessly)
5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
whatever that means!)
6. Enabled Windows XP firewall on all PCs (plus the router's hardware
firewall).

Does this sound reasonable? Should I really worry about accessing
online banking wirelessly for example, any more than when accessing it
from a wired PC?

--
Thanks
David

More about : network secure

Anonymous
June 13, 2005 12:04:16 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
measure is using WPA, which you have done, with a very long and random key. Personally I use WPA-PSK
(TKIP) with a >25 character totally random ASCII key...

http://www.dslreports.com/faq/wlan/40.0+Security#10907
http://www.dslreports.com/faq/11462

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"Lobster" <davidlobsterpot601@hotmail.com> wrote in message
news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
> I've set up a wireless network at home for the first time, having hopefully read up enough on
> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
> can I consider my wireless network to be fully secure to all intents and purposes (given that I'm
> just an ordinary person living in a low-population density suburb (rather than, say, a corporate
> user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
> steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>
> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
> example, any more than when accessing it from a wired PC?
>
> --
> Thanks
> David
Anonymous
June 13, 2005 12:04:17 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

"Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...

[[top post relocated]]

> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>> I've set up a wireless network at home for the first time, having
>> hopefully read up enough on security to make this a 'safe' proposition.
>> What I'd like to know is, having taken these steps, can I consider my
>> wireless network to be fully secure to all intents and purposes (given
>> that I'm just an ordinary person living in a low-population density
>> suburb (rather than, say, a corporate user at high risk of attack)?
>>
>> I have a Linksys WRT54G router connected to always-on broadband, and have
>> taken the following steps:
>>
>> 1. Changed the router admin login details from the default
>> 2. Changed the default SSID
>> 3. Disabled SSID broadcast
>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>> connect wirelessly)
>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>> whatever that means!)
>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>> firewall).
>>
>> Does this sound reasonable? Should I really worry about accessing online
>> banking wirelessly for example, any more than when accessing it from a
>> wired PC?
>>
>> --
>> Thanks
>> David
>
>

> Both items 3 & 4 are of minimal to no value as far as security measures
> are concerned. The best measure is using WPA, which you have done, with a
> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
> character totally random ASCII key...
>
> http://www.dslreports.com/faq/wlan/40.0+Security#10907
> http://www.dslreports.com/faq/11462
>
> --
>
> Al Jarvi (MS-MVP Windows Networking)
>

What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
filtering will thwart all but the most devious and dedicated hackers who are
out crusiing the neighborhhod packet sniffing and looking to break in-- a
very small number of people indeed. The average Joe won't even see his
network-- much less get in.

It's like the lock on your front door or your car door. It can be defeated--
but only by those who really want to do that and have the technical knowhow
and tools.. The O.P. has good enough security for most situations most of
the time.

And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
tougher to defeat--- even by a techonerd....

Doc
Related resources
Anonymous
June 13, 2005 12:04:17 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

"DanR" <dhr22@sorrynospm.com> wrote:
>J.H. Holliday wrote:
>> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote:
>>>>
>>>> 3. Disabled SSID broadcast
>>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>>> connect wirelessly)
>>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>>> whatever that means!)
....
>>> Both items 3 & 4 are of minimal to no value as far as security measures
>>> are concerned. The best measure is using WPA, which you have done, with a
....
>> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC

Actually, it is *precisely* true.

>> filtering will thwart all but the most devious and dedicated hackers who are
>> out crusiing the neighborhhod packet sniffing and looking to break in-- a
>> very small number of people indeed. The average Joe won't even see his
>> network-- much less get in.

Okay, so you are saying that it keeps the harmless people out,
and only those who are most likely to do you real harm can get
in. Not good.

>I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
>"view wireless networks"... they will not see you.

Generally that is a good thing too.

>Their curiosity will not be
>peeked to the point where they start thinking... "I wonder who that is... I
>wonder if my computer hacker friend Fred can get into this network?"

And if it is, he's using WPA to keep them out. Because SSID,
MAC filtering and WEP certainly won't.

>The
>argument against hiding the SSID is that you are not being a good neighbor and
>those folks won't know to avoid your channel.

That isn't a case of being a good neighbor, it's a case of being
a smart neighbor. If they don't see your network, they can't
plan to avoid it. So, they look, and see everyone except you,
and plonk down right on the same channel you chose. They just
happen to have a big antenna and good receivers, so you don't
bother them at all, but they cause just enough interference to
reduce your bit rate from 54 to 4 Mbps, but only intermittantly.

Not good!


>So... you can take the attitude
>that you will police the neighborhood and avoid other Wi-Fi channels that are in
>use. Of course you may not be the only one with that attitude and channel
>conflicts can occur. So what to do. I hide my SSID.

What for?

>I also use MAC filtering. Why not... it's easy and one more layer of protection.

Sure. Protection that causes *you* far more inconvenience
than it does someone intent on hacking into your network!

Not good...

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson&gt;
Ukpeagvik (Barrow, Alaska) floyd@barrow.com
Anonymous
June 13, 2005 12:04:18 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Well, first lets be clear on what I said and that was..."The best measure is using WPA, which you
have done..."

Now I agree that WPA using AES is better, but WPA, whatever flavor you use is better than WEP. It
simply depends on what your hardware supports. Mine supports WPA (TKIP), but not AES...

Secondly, security through obscurity is simply no security... Not to mention some clients simply can
not connect to a wireless network if the SSID is not broadcast. That is a fact...

Later...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...


"J.H. Holliday" <doc@okcorral> wrote in message news:Y-GdnZxeA4JaNjHfRVn-1Q@comcast.com...
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
> [[top post relocated]]
>
>> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>> I've set up a wireless network at home for the first time, having hopefully read up enough on
>>> security to make this a 'safe' proposition. What I'd like to know is, having taken these steps,
>>> can I consider my wireless network to be fully secure to all intents and purposes (given that
>>> I'm just an ordinary person living in a low-population density suburb (rather than, say, a
>>> corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have taken the following
>>> steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds, whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online banking wirelessly for
>>> example, any more than when accessing it from a wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures are concerned. The best
>> measure is using WPA, which you have done, with a very long and random key. Personally I use
>> WPA-PSK (TKIP) with a >25 character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC filtering will thwart all
> but the most devious and dedicated hackers who are out crusiing the neighborhhod packet sniffing
> and looking to break in-- a very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated-- but only by those
> who really want to do that and have the technical knowhow and tools.. The O.P. has good enough
> security for most situations most of the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much tougher to defeat---
> even by a techonerd....
>
> Doc
Anonymous
June 13, 2005 2:36:42 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Lobster wrote:
> I've set up a wireless network at home for the first time, having
> hopefully read up enough on security to make this a 'safe' proposition.
> What I'd like to know is, having taken these steps, can I consider my
> wireless network to be fully secure to all intents and purposes (given
> that I'm just an ordinary person living in a low-population density
> suburb (rather than, say, a corporate user at high risk of attack)?
>
> I have a Linksys WRT54G router connected to always-on broadband, and
> have taken the following steps:
>
> 1. Changed the router admin login details from the default
> 2. Changed the default SSID
> 3. Disabled SSID broadcast
> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
> to connect wirelessly)
> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
> whatever that means!)
> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
> firewall).
>
> Does this sound reasonable? Should I really worry about accessing
> online banking wirelessly for example, any more than when accessing it
> from a wired PC?
>

So far I haven't been successful with 5 & 6. I take the MAC address is
the numbers/letters on the card that slots into the Notebook adjacent to
the serial number? Group renewal, I was wondering what that was to?

Thanks

--
Keith (Southend)

'Weather Home & Abroad'
http://www.southendweather.net
June 13, 2005 3:58:40 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

J.H. Holliday wrote:
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
> [[top post relocated]]
>
>> "Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>> news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>> I've set up a wireless network at home for the first time, having
>>> hopefully read up enough on security to make this a 'safe' proposition.
>>> What I'd like to know is, having taken these steps, can I consider my
>>> wireless network to be fully secure to all intents and purposes (given
>>> that I'm just an ordinary person living in a low-population density
>>> suburb (rather than, say, a corporate user at high risk of attack)?
>>>
>>> I have a Linksys WRT54G router connected to always-on broadband, and have
>>> taken the following steps:
>>>
>>> 1. Changed the router admin login details from the default
>>> 2. Changed the default SSID
>>> 3. Disabled SSID broadcast
>>> 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>> connect wirelessly)
>>> 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>> whatever that means!)
>>> 6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>>> firewall).
>>>
>>> Does this sound reasonable? Should I really worry about accessing online
>>> banking wirelessly for example, any more than when accessing it from a
>>> wired PC?
>>>
>>> --
>>> Thanks
>>> David
>>
>>
>
>> Both items 3 & 4 are of minimal to no value as far as security measures
>> are concerned. The best measure is using WPA, which you have done, with a
>> very long and random key. Personally I use WPA-PSK (TKIP) with a >25
>> character totally random ASCII key...
>>
>> http://www.dslreports.com/faq/wlan/40.0+Security#10907
>> http://www.dslreports.com/faq/11462
>>
>> --
>>
>> Al Jarvi (MS-MVP Windows Networking)
>>
>
> What Al told the O.P. isn't really true. Disabling SSID and enabling MAC
> filtering will thwart all but the most devious and dedicated hackers who are
> out crusiing the neighborhhod packet sniffing and looking to break in-- a
> very small number of people indeed. The average Joe won't even see his
> network-- much less get in.
>
> It's like the lock on your front door or your car door. It can be defeated--
> but only by those who really want to do that and have the technical knowhow
> and tools.. The O.P. has good enough security for most situations most of
> the time.
>
> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
> tougher to defeat--- even by a techonerd....
>
> Doc

I agree that disabling the SSID is a good thing. When people with Wi-Fi click on
"view wireless networks"... they will not see you. Their curiosity will not be
peeked to the point where they start thinking... "I wonder who that is... I
wonder if my computer hacker friend Fred can get into this network?" The
argument against hiding the SSID is that you are not being a good neighbor and
those folks won't know to avoid your channel. So... you can take the attitude
that you will police the neighborhood and avoid other Wi-Fi channels that are in
use. Of course you may not be the only one with that attitude and channel
conflicts can occur. So what to do. I hide my SSID.
I also use MAC filtering. Why not... it's easy and one more layer of protection.
Anonymous
June 13, 2005 4:03:12 AM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Lobster <davidlobsterpot601@hotmail.com> wrote in
news:3z0re.7460$a5.955@newsfe5-win.ntli.net:

> Should I really worry about accessing
> online banking wirelessly for example, any more than when
> accessing it from a wired PC?
>

When you access a security-sensitive site e.g. online banking or
shopping checkout, you will** be using a secure HTTPS connection
irrespective of how you connect. That means data is encrypted end-to-
end between your PC and the bank or store.

If you have set up your wireless LAN to provide WPA encryption, the
data is encrypted a second time whilst in transit on your wireless
LAN, using a key that is typically changed every 60 minutes. So the
answer to your question is "No".

** If not, consider changing - NOW!
Anonymous
June 13, 2005 7:47:21 AM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

"DanR" <dhr22@sorrynospm.com> wrote in message news:Q_3re.308$Nz2.88@newssvr11.news.prodigy.com...
> The > argument against hiding the SSID is that you are not being a good neighbor and
> those folks won't know to avoid your channel. So... you can take the attitude
> that you will police the neighborhood and avoid other Wi-Fi channels that are in
> use. Of course you may not be the only one with that attitude and channel
> conflicts can occur.

??? How showing your SSID can help other to avoid your channel?

--PA
June 13, 2005 9:51:01 AM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

Pavel A. wrote:
> "DanR" <dhr22@sorrynospm.com> wrote in message
> news:Q_3re.308$Nz2.88@newssvr11.news.prodigy.com...
>> The > argument against hiding the SSID is that you are not being a good
>> neighbor and those folks won't know to avoid your channel. So... you can
>> take the attitude
>> that you will police the neighborhood and avoid other Wi-Fi channels that
>> are in use. Of course you may not be the only one with that attitude and
>> channel
>> conflicts can occur.
>
> ??? How showing your SSID can help other to avoid your channel?
>
> --PA

Software that comes with your wireless card can do a site survey and show the
SSID and channel number of close by wireless networks. As will Netstumbler. (my
linksys monitor software will do this)
WinXP alone does not show channel number as far as I can tell.
If everyone played fair and everyone broadcasted their SSID then everyone could
see what everyone's broadcast channel was set to and avoid conflicts.
June 13, 2005 12:57:07 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

J.H. Holliday wrote:
> "Sooner Al [MVP]" <SoonerAl@somewhere.net.invalid> wrote in message
> news:uHHPXv4bFHA.3912@TK2MSFTNGP15.phx.gbl...
>
>>"Lobster" <davidlobsterpot601@hotmail.com> wrote in message
>>news:3z0re.7460$a5.955@newsfe5-win.ntli.net...
>>
>>>I have a Linksys WRT54G router connected to always-on broadband, and have
>>>taken the following steps:
>>>
>>>1. Changed the router admin login details from the default
>>>2. Changed the default SSID
>>>3. Disabled SSID broadcast
>>>4. Enabled MAC filter (ie only the MAC address of my laptop is allowed to
>>>connect wirelessly)
>>>5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>>>whatever that means!)
>>>6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>>>firewall).
>>>
>>>Does this sound reasonable? Should I really worry about accessing online
>>>banking wirelessly for example, any more than when accessing it from a
>>>wired PC?

>>Both items 3 & 4 are of minimal to no value as far as security measures
>>are concerned. The best measure is using WPA, which you have done, with a
>>very long and random key. Personally I use WPA-PSK (TKIP) with a >25
>>character totally random ASCII key...

> And BTW, use WPA-PSK AES security rather than TKIP-- much stronger and much
> tougher to defeat--- even by a techonerd....

Thanks to all for the replies; I'm quite reassured now! And I can see
that I can beef up my security another notch by using a better WPA key,
and by switching from TKIP to AES, which my router also supports.

--
David
Anonymous
June 13, 2005 4:05:02 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

On Sun, 12 Jun 2005 20:04:15 GMT, Lobster
<davidlobsterpot601@hotmail.com> wrote:

Might as well throw in my worthless opinions and suggestions.

>I have a Linksys WRT54G router connected to always-on broadband, and
>have taken the following steps:

Dump the Linksys firmware and switch to an alternative:
http://www.sveasoft.com/content/view/3/1/
It's not any more secure, but it has many more features and goodies.

>1. Changed the router admin login details from the default

Alternative firmware can have multiple ways to access the WRT54G.
Besides the web interface, there's SSH2, telnet, SNMP, and PPTP. All
of these have passwords. SNMP has two (read and write). Do NOT
assume that they are all identical or that changing one will change
the others. Check all of them.

>2. Changed the default SSID

There's your chance to be creative.

>3. Disabled SSID broadcast

Waste of time and causes problems with some wireless clients. It also
pisses me off because I have to dig out my Linux Kismet application to
find other users on what I would expect to be an unpolluted channel.
If you're spewing RF, it's considered "polite" to tell the world that
you're around.

>4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
>to connect wirelessly)

I can spoof any MAC address in about 2 seconds.
http://www.klcconsulting.net/smac/
Actually, you don't even need a utility as a registry tweak and a
reboot will do the trick. Run:
nbtstat -A your_IP_address
to disclose your current MAC address.

>5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
>whatever that means!)

So far, nobody has been able to decrypt WPA-PSK with either RC4 or AES
encryption (with non-trivial pass phrases). I guess that means nobody
is going to hack your system. However, give me 30 seconds on your
laptop and I'll steal your WPA pass phrase, which some vendors still
stupidly plant in the registry in plain text. That's what's wrong
with WPA-PSK (pre-shared key). So, you're safe as long as nobody has
physical access to your WRT54G or client computah.

Group renewal means that every 3600 seconds (1 hr), the encryption key
is re-negotiated with all clients. Methinks that's a bit long for
roaming clients and hot spots, but probably just fine for home use.

>6. Enabled Windows XP firewall on all PCs (plus the router's hardware
>firewall).

Enabling the firewall and configuring it are two different animals.
Having a personal firewall is a good idea. However, it interferes
with many services. So, the Windoze Firewall has "Exceptions" which
are essentially holes in the firewall. Pay special attention to the
"Windoze File and Print" exception and which interfaces are allowed to
access shares. Having a firewall that looks like Swiss Cheeze is not
a good idea.

>Does this sound reasonable? Should I really worry about accessing
>online banking wirelessly for example, any more than when accessing it
>from a wired PC?

It's good enough. However, you're worrying about the wrong things.
The real threat are keyboard loggers, spyware, and trojan horse
programs. These will send your keystrokes, credit card numbers, and
useful info to the forces of evil on the internet. There's nothing
that a Windoze firewall, wireless encryption, or security band-aids
that will prevent these from arriving on your machine. Put some time
and effort into identifying, removing, and blocking your computah from
spyware infections, and your banking will be safe. Also, pay special
attention to how you access your online bank's URL. There are plenty
of URL redirectors and web and DNS hijackers around that redirect your
banks web page to the forces of evil's phishing site.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
June 13, 2005 8:34:00 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Taking a moment's reflection, Lobster mused:
|
| 3. Disabled SSID broadcast

Unnecessary due to #5 below, SSID is still attached, unencrypted, to
every packet. So, those who could attempt to crack your encryption
already have your SSID. Might as well broad cast it to stay within spec
(less connectivity issues), and keep neighbours from setting their
wireless up on the same channel you are using ... thus causing
interference.

| 4. Enabled MAC filter (ie only the MAC address of my laptop is allowed
| to connect wirelessly)

Unnecessary due to #5 as well. MAC address is attached to every
frame, unencrypted. So, anyone who can capture your packets can easily
determine what MACs are allowed.

| 5. Enabled WPA-TKIP encryption (with Group renewal every 3600 seconds,
| whatever that means!)

Use AES if your client software allows it. If you are using the XP
zero config connector, AES does not work with it. But, in that case,
TKIP is fine. Group renewal is the interval that the WPA keys are
regenerated automatically between server and client. This is how they
patched the vulnerability of WEP.

| Does this sound reasonable? Should I really worry about accessing
| online banking wirelessly for example, any more than when accessing it
| from a wired PC?

Other than my comments above, yes. It's reasonable. I wouldn't
worry about accessing online banking. With WPA enabled, you are
encrypted. Also, the banking website should have SSL encryption. So,
you are doubly encrypted.
Anonymous
June 13, 2005 8:34:04 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

Taking a moment's reflection, J.H. Holliday mused:
|
| What Al told the O.P. isn't really true. Disabling SSID and enabling
| MAC filtering will thwart all but the most devious and dedicated
| hackers who are out crusiing the neighborhhod packet sniffing and
| looking to break in-- a very small number of people indeed. The
| average Joe won't even see his network-- much less get in.

I'm afraid it is true. Because WPA enabled will thwart *everyone*.
So, SSID hiding and MAC filtering become useless and redundant ... and
can cause issues.
June 15, 2005 12:46:02 AM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

mhicaoidh --- please clarify your comment:

"Use AES if your client software allows it. If you are using the XP zero
config connector, AES does not work with it."

Am confused by the part that AES doesn't work if you use XP's zero config to
setup your wireless adapter. You mean even though AES is an option listed in
the Encryption drop-down it won't work? What happens, the adapter and router
fail to connect? Thanks for the clarification.
Anonymous
June 15, 2005 12:44:28 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

In article <d4lra15gosnhm8d3pj07mlkh5bi6pobmku@4ax.com>, jeffl@comix.santa-cruz.ca.us says...
<Snip Response>

> It's good enough. However, you're worrying about the wrong things.
> The real threat are keyboard loggers, spyware, and trojan horse
> programs. These will send your keystrokes, credit card numbers, and
> useful info to the forces of evil on the internet. There's nothing
> that a Windoze firewall, wireless encryption, or security band-aids
> that will prevent these from arriving on your machine. Put some time
> and effort into identifying, removing, and blocking your computah from
> spyware infections, and your banking will be safe. Also, pay special
> attention to how you access your online bank's URL. There are plenty
> of URL redirectors and web and DNS hijackers around that redirect your
> banks web page to the forces of evil's phishing site.
>
>
>
I was reading your comment about URL redirectors which made me think
about Mozilla Firefox with the extension called Spoofstick. This
extension is supposed to show the TRUE URL to which your browser is
pointed even if you have been redirected to a phishing site. In other
words the URL address line may show www.bankofamerica.com whereas the
Spoofstick URL address line would show you to actually be at
www.forcesofeveil.com. Any comments as to the effectiveness of the
Mozilla browser with that extension?

Thanks.
--
Robin
Charleston, WV
Anonymous
June 15, 2005 12:44:29 PM

Archived from groups: microsoft.public.windows.networking.wireless,alt.internet.wireless (More info?)

On Wed, 15 Jun 2005 08:44:28 -0400, Robin Brumfield
<rbrumfield@charter.net> wrote:

>In article <d4lra15gosnhm8d3pj07mlkh5bi6pobmku@4ax.com>, jeffl@comix.santa-cruz.ca.us says...
><Snip Response>
>
>> It's good enough. However, you're worrying about the wrong things.
>> The real threat are keyboard loggers, spyware, and trojan horse
>> programs. These will send your keystrokes, credit card numbers, and
>> useful info to the forces of evil on the internet. There's nothing
>> that a Windoze firewall, wireless encryption, or security band-aids
>> that will prevent these from arriving on your machine. Put some time
>> and effort into identifying, removing, and blocking your computah from
>> spyware infections, and your banking will be safe. Also, pay special
>> attention to how you access your online bank's URL. There are plenty
>> of URL redirectors and web and DNS hijackers around that redirect your
>> banks web page to the forces of evil's phishing site.

>I was reading your comment about URL redirectors which made me think
>about Mozilla Firefox with the extension called Spoofstick. This
>extension is supposed to show the TRUE URL to which your browser is
>pointed even if you have been redirected to a phishing site. In other
>words the URL address line may show www.bankofamerica.com whereas the
>Spoofstick URL address line would show you to actually be at
>www.forcesofeveil.com. Any comments as to the effectiveness of the
>Mozilla browser with that extension?
>Thanks.

I'm not a security expert and am no longer in the awkward positions of
having to administer and guarantee the security and integrity of my
customers systems. (Wooopeee!) Although I use Firefox heavily, I
haven't really played with all the myriad of extensions and toolbars.
A quick look at Spoofstick:
http://www.corestreet.com/spoofstick/
looks interesting, possibly useful, but due to lack of experience, I
have no opinion.

However, such a program will do nothing for the current crop of DNS
cache corruption exploits, that redirect the DNS lookup to the
phishing site. There's nothing a user can do to authenticate the DNS
lookup. BofA is adding "sitekey" in an attempt to mitigate the
phishing problem:
http://www.eweek.com/article2/0,1759,1821126,00.asp

In general, programs that require an intelligent decision on the part
of the GUM (great unwashed masses) is doomed to failure. I install
personal firewall, anti-virus, and anti-spyware programs on my
customers computahs. Depending on what they're doing (installs,
updates, getting attacked) these programs offer pop-up windows that
ask the user for an intelligent decision. The batting average of the
GUM is dismal. Most will consistently make the wrong decision. In my
cynical opinion, such decision based security methods are only useful
for intelligent and informed users, which seem to be in short supply.

In my never humble opinion, the security problem breaks down quite
simply. It's choice between authentication and anonymity. You can't
really have both at the same time. In order to prevent spoofing,
phishing, identity theft, spam, and such, it would be easy enough to
authenticate every packet, that would be traceable back to its point
of origin. That would solve most of the outstanding security issues
quite easily. Just one catch. You loose all possibilities of
anonymity. Anonymous political and corporate dissent would
effectively be over. I wouldn't be able to cruise the porn sites and
buy lingerie for my mistress without having the packets traced back
directly to me. (What a horrible thought). So, while waiting for the
GUM to decide how they want it done, various compromises are thrown
together, which methinks will generally fail or be circumvented.
Lacking a suitable consensus, our beloved government has the bad habit
of making such decisions for us and given the opportunity, will surely
do so.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
!