Viewing 40 posts - 1 through 40 (of 42 total)
  • Do I really need wireless encryption?
  • glenh
    Free Member

    Some of the devices on my home wifi network seem to work more reliably with encryption switched off.

    Do I really need it switched on for security reasons if the router is locked down to only allow the MAC addresses of my devices to connect?

    I know someone with a packet sniffer could intercept my traffic, but anything important (eg financial websites) will be encrypted over https anyway, no?

    bassspine
    Free Member

    .

    Hairychested
    Free Member

    I’d have it hidden. My brother has a hidden network at home and it’s just grand.

    GrahamS
    Full Member

    Hiding the SSID does nothing. Don’t bother, it is pointless and only makes life harder for yourself. Anyone can still see all the traffic and join the network anyway.

    MAC addresses are easy to spoof.

    So basically the answer is yes you do need it unless you are happy for passing folk to be able to join your network, use your Internet connection, and have a good old browse through the files in your shared folders.

    allthepies
    Free Member

    Simple answer: yes.

    glenh
    Free Member

    I know it’s easy to spoof MAC addresses, but how easy is it for someone to find out which MAC addresses are allowed (without physically accessing my machines)?

    And, is it ok to rely on https for important traffic encryption (after all, I do once it’s left my house, surely)?

    GrahamS
    Full Member

    They just listen in on your traffic and find out which MAC addresses your stuff has, then they use one of those. Apparently.

    organic355
    Free Member

    What’s a “packet sniffer”?

    glenh
    Free Member

    GrahamS – Member
    They just listen in on your traffic and find out which MAC addresses your stuff has, then they use one of those. Apparently.

    Hmm, that’s what I was worried about.
    Guess I might have to put up with the occasional glitches the encryption seems to bring with it.

    gonefishin
    Free Member

    I know it’s easy to spoof MAC addresses, but how easy is it for someone to find out which MAC addresses are allowed (without physically accessing my machines)?

    As far as I’m aware it’s actually pretty straightforward and there are programs widely available on the internet to do just that. Incidentally, WEP encryption is only marginally better than no encryption.

    GrahamS
    Full Member

    And, is it ok to rely on https for important traffic encryption (after all, I do once it’s left my house, surely)?

    Yes.

    But the trouble is that not everything is https and some websites make an arse of their https set up (e.g. I’ve seen sites that send the password in plain text and THEN log you into the https bit)

    glenh
    Free Member

    p.s. organic355 – I wonder what you had to google to find that pic 😯

    simon_g
    Full Member

    Would you be happy for someone to come into your house, plug into your home network and start snooping around?

    If your devices don’t work properly with encryption on, they’re either too shonky to bother with, or faulty.

    GrahamS
    Full Member

    Always worth checking if any of the shonky devices have new drivers or firmware available.
    Most wifi devices these days should easily cope with the basic WPA encryption.

    Cougar
    Full Member

    MAC filtering and hidden SSIDs can be broken in less than seconds, it’s not a security measure in any sort of practical terms.

    If you’ve got devices struggling with WPA, look for updated drivers.

    The fly in the ointment for me is the Nintendo DS which only supports WEP, not WPA. This is a security hole, but I’m happy that the rest of my LAN is secure even if the wireless gets compromised; the worst that’ll happen is my bandwidth gets leeched, which I’m not wholly bothered about in and of itself unless someone’s downloading something that’s going to get me into trouble. The router will email me if anyone tries to attack it directly.

    richmars
    Full Member

    Cougar,
    Same problem here with a DS. You mention that the rest of your LAN (I’m guessing at home) is secure. Anything you recommend doing?
    Thanks.

    GrahamS
    Full Member

    Cougar I take it you know about the hidden C$ administrative share – that’s always a favourite of mine the evil scum that break into poorly secured networks just for a giggle.

    goosander
    Free Member

    Yes – anything you can do to reduce the chances of someone hacking you or using your internet connection to surf for kiddie porn or how to make bombs has got to be a good thing. I’d also recommend turning off the wireless when not using it.

    GrahamS
    Full Member

    I’d also recommend turning off the wireless when not using it.

    Sod that. I’m pretty much always using mine (e.g. my phone will automatically use it to check email, calendar, alerts etc when in range).

    Don’t think I’ve turned off my router since I moved it to its current shelf.

    goosander
    Free Member

    I leave my router on permanently but only turn on the separate wireless access point when required, e.g. when using my laptop. My phone fends for itself using 3G.

    As a further precaution, I only use 802.11a wireless because the higher frequency signal generally doesn’t extend much beyond the walls of my house so there is little chance of anyone else seeing the signal anyway.

    5lab
    Full Member

    I recently shifted from MAC blocking to WPA2 purely because I’d got bored with adding new MAC addresses when folk came round. I’m not really bothered about security, sure someone can break in if they want, but I think the risk of that is pretty slim, and there’s nothing private they could get at even if they got on.

    Depends on your outlook, really

    GrahamS
    Full Member

    I leave my router on permanently but only turn on the separate wireless access point when required, e.g. when using my laptop. My phone fends for itself using 3G.

    Fair enough. Wouldn’t suit me. I do ~98% of my browsing while sat on the sofa using my phone, or sometimes a netbook or laptop. No way I could be faffed to hike upstairs and turn on the wireless access every time I wanted to check STW/Facebook during the adverts.

    luked2
    Free Member

    Wait till someone starts paying for child pron using your internet connection.

    Don’t think this can’t/hasn’t happened.

    br
    Free Member

    My home network is unsecured (again due to 3 kids and a multitude of devices), and yes, 2 of my neighbours can connect along with someone parked outside if they want to.

    In previous companies we’ve installed open standalone internet connections, for visitors and sister companies (plus we tested it across our perimeter), as it saves the constant messing around.

    Don’t lose any sleep, unless you live in a flat, city and/or by a busy road.

    As for:

    Wait till someone starts paying for child pron using your internet connection.

    And, just ‘cos someone used your IP doesn’t make you responsible for their crime – a bit like if they stole your car to do a hit-and-run?

    aracer
    Free Member

    And, just ‘cos someone used your IP doesn’t make you responsible for their crime

    Ah, but it’s your crime if you can’t prove it wasn’t you.

    luked2
    Free Member

    And, just ‘cos someone used your IP doesn’t make you responsible for their crime – a bit like if they stole your car to do a hit-and-run?

    You’re completely correct.

    But in the time between the report of your alleged sex crime making the front page of the local newspaper, and having the charges dropped 2 years later due to lack of evidence, you may find your life a bit messed up!

    I’m not trying to be funny or anything – I just think people should be careful, and not be too trusting.

    Shakey
    Free Member

    Surely people can only browse your files if they try MSHOME or WORKGROUP. If you have changed it then this should be a good security measure! Also, depending on the sniffer then maybe any security is nothing more than a smoke screen.

    GrahamS
    Full Member

    luked2 makes a good point.

    Don’t forget that the police would most likely seize all your computer equipment for forensic analysis in that circumstance.
    And demand the passwords to anything you had encrypted. Oh and if you happen to have forgotten the password then it is off to jail for you.

    goosander
    Free Member

    As luked2 alludes to, whilst in theory you are innocent until proven guilty, for certain types of crime that isn’t true in practice. If someone hacked your wireless network and misused your internet connection it would probably be impossible to prove you didn’t do it.

    br
    Free Member

    If someone hacked your wireless network and misused your internet connection it would probably be impossible to prove you didn’t do it.

    No, it wouldn’t – and anyway it’s easy to spoof most things – how else is it that you can watch BBC iPlayer from abroad?

    Stop worrying about nothing – next you’ll be saying we all should live in bungalows as stairs are ‘risky’.

    GrahamS
    Full Member

    No, it wouldn’t – and anyway it’s easy to spoof most things – how else is it that you can watch BBC iPlayer from abroad?

    Via a proxy. Not by “spoofing”. You can’t spoof an IP address because then whatever you asked for would go to that address instead of you!

    goosander
    Free Member

    OK, so if someone has used your unsecured wireless internet connection to surf for kiddie porn and the police arrest you, what proof could you offer that it wasn’t you – saying ‘it wasn’t me guv’ isn’t going to stop them arresting you and months/years of subsequent hell even if a court doesn’t convict you.

    Even if forensic analysis of your computers showed nothing untoward, they would probably assume that you had another computer hidden elsewhere that they hadn’t found.

    Or if the crime in question is terrorism related, fancy proving your innocence from Guantanamo?

    bazzer
    Free Member

    This is a security hole, but I’m happy that the rest of my LAN is secure even if the wireless gets compromised

    Do you have a VPN or similar between your wireless network and your “secure” network? If not I would be sceptical about the level of security.

    Bazzer

    PS IPcop firewall has the concept of a Blue zone to deal with this sort of setup, but for most people would end up being a pain in the bum.

    br
    Free Member

    Via a proxy. Not by “spoofing”. You can’t spoof an IP address because then whatever you asked for would go to that address instead of you!

    I used ‘spoof’ in the English sense, rather than the technical sense.

    GrahamS
    Full Member

    In either sense it doesn’t back up your point. goosander and luked2 are quite right that an open wifi could lead to you being incriminated by someone hijacking your connection and would probably lead to you having all your equipment seized.

    There have already been cases of people served with court notices for illegal filesharing when it was clear they didn’t even know what that was and someone had just been piggybacking on their connection.

    aracer
    Free Member

    “If someone hacked your wireless network and misused your internet connection it would probably be impossible to prove you didn’t do it.”

    No, it wouldn’t
    OK, explain how you’d prove it then. Bearing in mind that the hacker’s computer would generate packets which looked exactly the same as ones generated by your own computers.

    There is a reason why those of us who know about these sort of things are very paranoid and also deeply concerned about cases of people being locked up based on this sort of evidence.

    Keva
    Free Member

    Encryption has been developed for a purpose – use it. I’d NEVER leave my wi-fi unprotected, you must be nuts, as above, would you just let a stranger in your house to go through all belongings, steal all your passwords, bank details and everything else?

    WPA2 is what you should be using.

    Kev

    joemarshall
    Free Member

    There is a reason why those of us who know about these sort of things are very paranoid and also deeply concerned about cases of people being locked up based on this sort of evidence.

    Are there actually any cases of people being convicted and locked up purely based on IP evidence?

    I understood from meeting the forensics guys involved in doing this for the police / CPS or whoever it is, that they very much relied on evidence from people’s actual computers for convictions (they certainly use website logs etc, for investigations though).

    Cougar
    Full Member

    Anything you recommend doing?

    Primarily, making sure everything’s patched. Windows Updated up to the hilt, and using Secunia PSI to find patches for non-MS applications so that known exploits are covered.

    Secure passwords for admin accounts also.

    Cougar I take it you know about the hidden C$ administrative share

    Naturally (-: Still need an admin password though, and it’s disable-able.

    just ‘cos someone used your IP doesn’t make you responsible for their crime

    I’d argue that’s not the case – it’s your responsibility to secure your network so this doesn’t happen.

    Surely people can only browse your files if they try MSHOME or WORKGROUP.

    Simply not true, sorry.

    Do you have a VPN or similar between your wireless network and your “secure” network? If not I would be sceptical about the level of security.

    No, but. It’s back to the cycle helmets and acceptable risk argument. It would take an unlikely combination of events to compromise machines on my LAN. I’ve never had an unauthorised connection to the Wireless, for a start; the vast majority of intrusion attempts (all?) I see are bots, scripts and malware presenting on the ADSL interface.

    It’s not 100% but it’s secure enough for all practical purposes. Would I recommend it to others, probably not, but I’m aware of the risks. The alternative would be to scupper the DS connection which, for the amount it’s actually used, probably wouldn’t be the end of the world.

    br
    Free Member

    I understood from meeting the forensics guys involved in doing this for the police / CPS or whoever it is, that they very much relied on evidence from people’s actual computers for convictions (they certainly use website logs etc, for investigations though).

    That is my understanding too, and also from being ‘involved’ with the ‘experts’ on other types of investigations/frauds.

    And as for my PCs being open, yeah right.

    There is, as they say only one way to secure a computer – and that is for it to be totally standalone and in a secure room with restricted personnel.

    For me I’ve always looked at how the MOD secure their bases for how good security should work. A fence with signs keeps out 99% of all people, and then you increase the security as you get closer to the ‘prize’. Ending up often with 2 guards outside and 2 guards inside, plus external monitoring plus externally created 2FA for any ‘guests’.


The topic ‘Do I really need wireless encryption?’ is closed to new replies.