Last year Sophos looked at Wi-Fi security by sending one chap right across London on a bicycle, and me on foot to tramp the Sydney CBD North to South and East to West…
…and we found that while things weren’t terrible, they weren’t 100% rosy, either.
So, to coincide with the 2013 Cyber Security Awareness Week in New Zealand, we thought it was worth making a short revision video.
Here you are: Three Wireless Security Myths.
(If you enjoyed this video, you’ll find plenty more on the SophosLabs YouTube channel.)
Can we have the text version, please?
Click the [Turn on captions] button in the video player…
I usually only upload the captions after I've finished everything else.
You'd think it would be five minutes' work, but it takes a LOT of time and concentration for me to get the captions right. A stenographer I most definitely am not!
(Google has an automatic transcription system, but it produces results that are a curious mix of comical, insulting and dangerous when you feed it my voice – sort of like Monty Python's "My hovercraft is full of eels" sketch. Not sure if Mountain View is trying to tell me something :-) )
I recommend WPA, or, better, WPA2, to everybody who will listen. But I have two questions.
1. If a WPA or WPA2 password is set up, everybody who has that password can see traffic on that network. Such a password must be limited to legitimate users, and changed from time to time. Is this correct?
2. If I am a guest in a B&B that provides an unsecured network, I should only enter security-related data (such as a password or credit card number or name and real address) on web sites that use HTTPS. Is this correct?
3. How do I prevent other users on the same network from getting into my Windows or Mac PC? I think this should be at least the following: a) Turn on a firewall (turned off by default on Mac) b) Turn off sharing options (on Windows, this is Network Discovery and some other settings; on Mac, this is any of the options in the "Sharing" System Preference).
That's three questions…and they're not really questions, more like good additional advice. Thanks for posting this. It's thoughtful stuff.
Some comments:
1. My understanding is that technically you need both the password and a capture of the packets at the time user X authenticated in order to decrypt X's traffic. But that's a detail. So, anyone who knows the password is effectively a potential "cleartext sniffer" of the network, just like on a regular wired LAN. Since you don't know how safely the password is remembered on your friends' computers, a regular password change is indeed a good move.
2. HTTPS encrypts from end-to-end, so on an open network anyone else around can see *where* you're connecting (e.g. via your DNS queries and HTTP/HTTPS GET requests) but not *what* you are sending and receiving. So definitely try to stick to HTTPS on coffee-shop networks. You might also consider using a VPN (virtual private network) service that encrypts *all* your traffic to a central server, even your DNS requests, and then "fans out" your traffic from there.
3. An endpoint firewall that blocks inbound requests by default is pretty much a necessity, as you describe. On your own Wi-Fi router, you might consider (if it has one) activating the "isolate users on this LAN" option, or some similarly-named option, as a courtesy that keeps individual users from bumping into each other, as it were.
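Point 1 above, as an added example that is not part of the original comment or video: the standard WPA/WPA2-PSK key derivation, showing that a session's traffic key depends only on the shared passphrase, the network name, and values exchanged in the clear during that session's handshake. The network name, passphrases, MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_tk(passphrase: str, ssid: str, hs: dict) -> bytes:
    """Temporal key (CCMP traffic key) for one session, from the passphrase
    plus values visible in that session's 4-way handshake."""
    pmk = derive_pmk(passphrase, ssid)
    data = (min(hs["ap_mac"], hs["sta_mac"]) + max(hs["ap_mac"], hs["sta_mac"])
            + min(hs["anonce"], hs["snonce"]) + max(hs["anonce"], hs["snonce"]))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)  # KCK | KEK | TK
    return ptk[32:48]

# Constructed sample values, not taken from any real network.
SSID = "ExampleCafe"
PASSPHRASE = "correct horse battery staple"
AP = bytes.fromhex("02aabbccdd01")
USER_X = bytes.fromhex("02aabbccdd10")

def handshake(tag: bytes) -> dict:
    # Stand-in for the nonces a real AP and client generate randomly per session.
    return {"ap_mac": AP, "sta_mac": USER_X,
            "anonce": hashlib.sha256(b"A" + tag).digest(),
            "snonce": hashlib.sha256(b"S" + tag).digest()}

def demo() -> dict:
    monday, tuesday = handshake(b"monday"), handshake(b"tuesday")
    x_key = derive_tk(PASSPHRASE, SSID, monday)  # what user X's laptop computes
    return {
        # Another holder of the passphrase who saw Monday's handshake: same key.
        "other_user_with_handshake": derive_tk(PASSPHRASE, SSID, monday) == x_key,
        # Same passphrase but only a different session's handshake: different key.
        "other_user_wrong_session": derive_tk(PASSPHRASE, SSID, tuesday) == x_key,
        # Handshake observed but passphrase no longer valid: different key.
        "outsider_with_handshake": derive_tk("old passphrase", SSID, monday) == x_key,
    }

if __name__ == "__main__":
    print(demo())
```

Nothing in the derivation is secret per user, which is why changing the passphrase, or moving to per-user credentials with an authentication backend such as RADIUS, is what separates one user's traffic from another's.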
This is good info. Since I am new to this stuff, I'd like more info – details.
Have a look at @Bob Stromberg's excellent thought above, at least as a start.
Paul,
the graph 'Wifi networks by encryption type' (at 0:22) shows both *No Encryption* and *No Encryption (hotspots)* counts.
From a security standpoint, is there any difference? AFAIK both suffer from the traffic between your device and the router being sniffable.
Thanks
Jan
Good point. (And see @Bog Stromberg's comment above.)
The reason for separating *No Encryption* and *No Encryption (hotspots)* – which we did mostly by guesswork based on the network name – was to try to get a clearer picture of how many people had an open network that *probably wasn't really what they intended*.
In other words, we didn't want to give the impression that things were worse than they were by counting something like "NSW_FreeWiFi" (that was made up – there isn't such a service, alas :-) ) as if it were a misconfigured SoHo network.
As @Bob mentions, even on a WPA-protected coffee shop access point, you may be secure against passers-by, but aren't secure against sniffing by any of the other concurrent network users.
WEP's more worrying, because those users probably intended to be secure, and thus have a false sense of being so.
*Bog* Stromberg?
I thought I'd mention this, as it's somewhere between interesting and worrying.
I have heard several people tell me "they continue to risk it with WEP because of their Nintendo DS Lites."
Apparently, older Nintendo consoles only support WEP, so if you want to play online, you can't use WPA.
Now…don't tell your husband/wife/SO that Naked Security said so, but…I think you just found a good excuse for an upgrade, wouldn't you say?
I don't know about DS Lites (does anybody have those anymore? the screen cracked on my last one about 2 years ago), but the original Wii works just fine with WPA2 as does XBox 360. Every device we have in this house (and we have some old ones since I'm somewhat of a technological pack rat) works just fine with WPA2.
It's my honest opinion that giving your security short shrift for entertainment is a ridiculous compromise and if you are making that compromise you really should reevaluate your life priorities.
The problem is that the limitation to WEP seems to be also in the libraries. Even if you have a recent version of a Nintendo DS console old games still can only make use of WEP. WiFi access wasn't part of the firmware but a driver that had to be linked to the game software.
That's why I've got a 30€ WiFi router that is in a VLAN of its own and only turned on when we want to play one of those old games online :-)
Good information but …
You couldn't have posted a transcript? Why make us sit through a 4.5 min video when we could have read this information in less than a minute?
I'm not *making* you sit through anything :-)
I chose to present this information in a visual format in the hope that it would be a bit more convincing and comprehensible to people who have already tried to read up on Wi-Fi security in less than a minute yet didn't understand some of the technicalities.
(In short: a picture is worth 1000 words, or something.)
Also, some people don't read any faster than they can listen, especially if they aren't a native speaker of the language being used. So they like to listen and watch because it's more like face-to-face communication.
So, yes, I *could* have posted a transcript. But I didn't.
Transcripts of video material usually read very badly as prose. That's because spoken and written English are quite different. So I chose to add closed captions to the video instead.
Sorry for the long answer. But if you must have written works about WEP, MACs and SSID, here are some:
http://nakedsecurity.sophos.com/2009/11/09/sun-sa…
http://nakedsecurity.sophos.com/2008/10/08/stop-u…
http://nakedsecurity.sophos.com/2013/03/16/has-ht…
WPA2-PSK vs WPA2-AES?
PSK means you choose a password, and you have to tell it to everyone first (pre-shared) as against some kind of authentication backend like RADIUS.
AES is the algorithm used by WPA.
You may see, in your router, a WPA choice of one or both of TKIP (also referred to as "RC4") and CCMP (also referred to as "AES"). Those are the crypto algorithms used, not the way you issue the key.
RC4 is the encryption algorithm used in WEP, and in the TKIP variant of WPA. But it's not used vulnerably (that we yet know) in WPA.
Anyway, if you care, and you can, turn off TKIP/RC4 and choose only CCMP/AES, on the grounds that anything based on RC4 can be considered potentially dodgy, since RC4 has flaws it's not supposed to.
If your router doesn't offer choices that look like that, don't worry. Yet. If there is cause to worry in the future, you'll read about it here :-)
Well I heard TKIP is not accepted by some older devices. I have set up AES on my router though some offer WPA2-AES / WPA2-TKIP "combo."
That doesn't sound right.
If memory serves, TKIP came first and was intended to be easier to implement in older devices. (You'd need extra memory to implement AES, but you already had code for RC4 in your firmware because it's used in WEP.)
So if you have an old device that doesn't support one of TKIP and CCMP, I reckon it'd be CCMP (AES) that's missing.
I mean AES is not accepted by some devices. Sorry, had a few mix-ups.
Wait why are you commenting without logging in?
I enjoyed your crisp video Paul. I notice that many current writers still advise disabling SSID broadcast. Just an internet echo chamber effect I imagine. You described one way that SSIDs can be discovered. I’ve never tried it personally, but [redacted] discusses the use of AirJack to force an SSID response from your WiFi network. Seems most any script kiddie could find you.
Maybe this is a language thing (native German speaker here), but what is the difference between safety and security, as phrased in the video?
In German those terms are pretty much the same and I wouldn’t exactly call any of the myths safe, either.
I think I may have chosen unwisely, with hindsight. Safety and security are sort-of similar in English, too.
I meant that by *safety* you help to prevent accidents (like someone connecting to your network by mistake), while by security you act to prevent deliberate malicious attempts to hack in.
Safety is a sign saying "WARNING – NO ENTRY."
Security is one of those barriers with spikes on that pops up and shreds your tyres if you ignore the sign :-)
(The fact I have had to explain this means you're right – the difference probably isn't clear enough.)
Can we have text versions too from now on? Some of us still know how to read
Yes, please. Text, no video. A picture may be worth 1,000 words, but you can add all the images you want to a text page if they are needed.
Besides, editing/updating a text page is easier than remaking a video. Had you written it, you might reword the not-so-clear “is for safety, not for security” phrase in no time. :-)