Greg's Technical Blog

24 Jul 2010

WiFi Security – Are you safe online?

Wireless networking, or WiFi, has become a mainstream way of communicating on local networks, but security is often overlooked. In May of this year, Google "admitted" to collecting data from unsecured WiFi networks across the globe during their travels in their Street View cars. These cars travel the streets taking 360-degree pictures that are used in the Google Maps Street View feature. Google claims that the Street View cars were also probing for WiFi hotspots so that the hotspots could be pointed out on its maps. After initially telling German authorities that their WiFi information contained no data other than the SSID and the MAC address of the network's router, Google later admitted that they had 600 GB of information collected from these unsecured networks. The "payload data," as Google refers to it, can contain private information which could potentially be passwords, credit card information, email contents, etc... any data that was being sent across that network at the time Google's car passed by.

What's the point?
The point of this is not to shame Google for their activity but more to point out the necessity of WiFi security.  All of the networks on which Google was able to gather data were open or unprotected networks.  Secured wireless networks are not susceptible to this type of activity.  While it sounds very technical, securing a wireless network is not all that difficult.

So how is it done?
Wireless security can be accomplished with 3 basic methods: WEP, WPA & WPA2. These methods can also be modified to be more secure by utilizing a protocol known as MAC filtering, which we will cover last. (There are also some other Enterprise level methods of creating wireless security but those will not be discussed here.)

Security Methods
WEP stands for Wired Equivalent Protocol and was the first attempt at securing wireless communications. WEP enabled networks use a 64 or 128 bit hexadecimal string to encrypt the network traffic. Users are required to use this unintelligible string to gain access to the network. The encryption provided by WEP has become extremely easy to crack with readily available software tools. As such it should not be used at all, but it continues to be the default option when setting up home and small office wireless equipment.

WPA stands for WiFi Protected Access. This protocol was invented to address the security flaws of the original WEP protocol. There are 2 modes of WPA security: pre-shared key or PSK mode, and 802.11x mode, which is more advanced and will not be discussed. In PSK mode, instead of the hexadecimal string, WPA uses what is known as a passphrase. Simply put, this is a password that is chosen to encrypt the network traffic. The longer, more complex and harder to guess the passphrase is, the more secure the network will be. But, despite its improvements over WEP, WPA has been found to have some major flaws in its encryption algorithm, TKIP, which led to the creation of WPA2.

WPA2 also stands for WiFi Protected Access, but it is simply version 2. This version operates the same way as the original WPA but it has introduced a more secure encryption algorithm known as AES. AES replaces the less secure TKIP, but WPA2 networks can still be set in TKIP only or TKIP/AES modes that allow interaction with older wireless devices.
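How a WPA or WPA2 passphrase in PSK mode becomes key material, shown as an added example that is not part of the original post: the passphrase is stretched with PBKDF2-HMAC-SHA1, using the network's SSID as the salt, into a 256-bit pairwise master key. The SSIDs, the passphrase and the list of factory-default SSIDs below are constructed sample values, and `check_setup` is a hypothetical helper.

```python
import hashlib
import string

# WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters (codes 32-126).
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError if the passphrase breaks the WPA-PSK rules."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pairwise master key (PMK) for a passphrase and SSID."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 4096 rounds of HMAC-SHA1, salted with the SSID, 32 bytes of output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def check_setup(passphrase: str, ssid: str, default_ssids: set) -> list:
    """Return a list of findings for a planned SSID/passphrase pair."""
    findings = []
    try:
        validate_passphrase(passphrase)
    except ValueError as exc:
        findings.append(str(exc))
    if ssid.lower() in default_ssids:
        findings.append("SSID is a factory default, so the salt is shared with many networks")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    defaults = {"linksys", "netgear", "default"}
    passphrase = "correct horse battery staple 42"
    for ssid in ("linksys", "ClinicBridge-7f3a"):
        print(ssid, derive_pmk(passphrase, ssid).hex(), check_setup(passphrase, ssid, defaults))
```

Because the SSID is the salt, the same passphrase yields a different key on every differently named network, which is one reason to change the SSID from the factory default as well as choosing a long passphrase.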

The final piece of the security puzzle is MAC filtering. Each network device such as a PC, laptop, smartphone etc... has a unique alphanumeric hardware number known as a MAC address. Since this address is unique for every network enabled device, wireless access points can be configured with a list of acceptable MAC addresses. This means that a wireless admin must collect the MAC address from every machine that will be allowed to access the wireless network and enter those into the list on the wireless access point. If a device that is not on the list happens to gain access to the passphrase, it will still be denied the ability to connect to the network.

Final Thoughts
So is using wireless safe or not!? The answer is yes and no! WiFi hotspots like those found in coffee shops etc... are not safe. This doesn't mean that you should never use them but it means you should be careful HOW you use them. Save your online banking and shopping for your secured or wired office or home network and use the hotspot for Facebook and email. That way if you happen to be in the path of a wandering Google StreetView camera car your personal information won't be in danger of joining the other 600 GB that Google has already collected.

On the other hand, as a general rule I don't recommend wireless to be widely used in a business setting.  Due to its inherent risks, even when properly configured, sensitive data like medical records etc... is always best left to the old fashioned network cable.  The other issue with wireless beyond security is that it can be relatively unstable.  Improvements in cordless telephone technology have helped but wireless is susceptible to interference from other wireless devices be they wireless or cordless phones, other wireless networks and building infrastructure.  Wireless networks are also not as fast (54Mb/s) as a standard Ethernet network (100 or even 1000Mb/s).   For businesses that demand performance using wired networking is always the best solution.  In some cases using a wired network is not an option due to physical constraints or cost but whenever possible I always recommend wireless as a secondary option.

Filed under: Security No Comments
10 May 2010

Restore Missing “Compressed (Zipped) Folder” in Send To menu

I have a Windows Server 2003 running Terminal Services set up for one of my clients. 2 of the users on that server need to be able to zip files and send them via email on a regular basis. Because they are limited users (non-administrators) they are missing the Compressed (Zipped) Folder option under Send To when they right-click the selected file(s). To solve this problem each user executed the following command from the Run dialog box (Click Start, then Run). The command is CASE SENSITIVE:

rundll32 zipfldr.dll,RegisterSendto

In the background, a zero byte file named Compressed (zipped) Folder.ZFSendToTarget will automatically be created in the %Userprofile%\SendTo folder.  This command works for both Windows Server 2003 and Windows XP.

For Windows Vista users the fix is similar but the command is different.  The Compressed (zipped) Folder icon is present in each user profile and also in the Default user profile. Follow these steps to restore the icon to your user account:

1. Click Start, type the following where it says "Start Search" and press Enter (case sensitive):

%systemdrive%\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

2. Right-click Compressed (zipped) Folder and choose Copy (Shortcut: CTRL+C)

3. Open the SendTo folder of your user profile. To do so, click Start, type the following and press Enter:

shell:sendto

4. Right-click an empty area in the folder, and choose Paste (Shortcut: CTRL+V)

Happy Zipping!

Filed under: Uncategorized No Comments
15 Apr 2010

Using the NET command to change group membership

Have you ever needed to change local administrator group membership on PCs in a Windows Server 2003 Active Directory domain? I have come across a need to do this lately with a client who has about 60 workstations on a domain. I needed to remove the end users from the local administrators group because always running your PC as an administrator is a large security risk and I was tired of dealing with the consequences. Since there were so many PCs I didn't want to physically touch each one. The solution was to create a script utilizing the NET command in DOS.

I did a little research on what the NET command can do by opening a DOS prompt and typing 'net /?' and pressing Enter.  This showed me all the options available for the NET command such as NET USE for mapping resources and NET TIME for setting a computer's time.  The syntax I used is as follows:

net localgroup administrators %username% /delete

Using 'net localgroup' tells the computer I am going to reference items found in local groups on the local computer, meaning the computer on which the command is being executed. Adding 'administrators' to that string means I am looking specifically in the local administrators group. I used the variable %username% to insert the currently logged in user into the string and then used the /delete switch to delete that user. Final result? The currently logged in user is deleted from the local administrators group. This can be verified by using 'net localgroup administrators' to print out a list of users in the local administrators group.

Since I didn't want each user to have to execute this command personally I created a batch file called removeadmin.bat which contained the command as seen above: net localgroup administrators %username% /delete.  I then added this as a logon script in a Group Policy that was applied to the OU containing the users.  In this way I was able to make the script run after login and remove the current user from the administrators group with relative ease.

See http://support.microsoft.com/kb/556003 to learn more about the NET command.

Filed under: Scripting No Comments
19 Mar 2010

Long Range WiFi Solution

Do you ever wish you could extend your company network across the parking lot? Across town? With solutions from EnGenius Datacom you can! I just completed a project for one of my clients who needed to extend their network across the parking lot. They already have 2 buildings on the property networked together but, in that case, they had been able to run cables underground to facilitate the connection. Now, wanting to connect a 3rd building about 200 cable feet away proved to be more challenging because there were no conduits under the parking lot. Since trenching would be quite costly I decided to look at a wireless solution. EnGenius products were recommended to me so I took a look. After calling their sales team I was directed to the EOC-2610 device. I purchased 2 of these from CompUSA for a very reasonable $68 each (I got a $1 non-profit discount because of my client's tax status... sweet).

For physical installation of the devices I relied on my client's maintenance staff. The EOC-2610 comes with a hose clamp style mounting system that easily clamped on to a custom bracket that was attached to each building. Power and network connection are delivered to the devices via their PoE interface. The PoE injector and A/C adapter are included with the devices. Since they were mounted outdoors, I used direct burial Category 6 ethernet cable to reach the devices. Once the cable came inside the building I terminated it and continued to the indoor switches with standard Category 5e cable.

Implementation was fairly painless once I deduced the appropriate operating mode for the devices.  The devices can be configured via web console in 4 modes: Access Point, Client Bridge, WDS Bridge and Client Router.  For the main building I chose Access Point (AP) and for the remote building I chose Client Bridge.  Once this was done I created a wireless network on the Access Point and enabled WPA2-PSK/TKIP security.  To connect the AP and the bridge I logged into the web console on the bridge and all I had to do was scan for networks.  Once it found the network I wanted (and it found a bunch!) I could then connect with the appropriate passphrase (set from the AP's wireless config). In the remote building I installed a 24 port switch that receives the up-link from the bridge and then allows me to operate wired PC's and printers within the remote building.

So far I am very satisfied with this solution.  The EnGenius website says this device can transmit up to 30km or 18+ miles.  I am not sure about the total range, but it does work great for the distance I needed to cover.

Pros:
-Easy installation/configuration
-Long range and strong signal
-Cost effective

Cons:
- I would like to have had a MAC filtering option so that I could limit the devices that can connect to this signal (limiting wardriving)

Project Pictures:

Remote building device

Main building device

Backside of main building device, showing mounting bracket

Filed under: Projects No Comments
18 Mar 2010

Adobe 9 freezes Internet Explorer 8

Recently I have been working with a client who utilizes a web application from Ameripath called Physician Web Portal. This portal is used for reporting results of patient tests in PDF format. The PDFs are viewed within the browser when the report is opened. I encountered a problem with the application on a new laptop that I set up for the client where viewing the reports would freeze IE8.

Relevant system details:
Windows XP Pro SP3 (OEM installed)
Internet Explorer 8 version: 8.0.6001.18702
Adobe Reader 9.3.0

I spoke with Ameripath's support team and they initially told me that the application was not supported in IE versions later than 6! However, after further investigation, I received a call back and I was informed that an upgrade had added support for IE7, 8 and Windows Vista/7. This meant there was something wrong with the laptop in question. After successfully testing the Ameripath application on my own laptop (XP Pro SP3, IE8, Adobe 9.3.1) and successfully testing the application on the Ameripath tech's system (SP3, IE8, Adobe 9.2) I was lost as to why this new laptop was causing me problems.

Other steps taken:
-reset IE8 to full defaults
-disabled all IE8 add-ons/extensions

When tweaking settings in IE and Adobe didn't help I decided to fully uninstall Acrobat 9.3.0 and reinstall it.  After I uninstalled Acrobat 9.3.0 I changed my mind and installed 8.2.0 instead.  I found the MSI for this at this link. Once I had Reader 8.2.0 I launched the Ameripath web application and to my great surprise it worked flawlessly!  Thinking that maybe the initial 9.3.0 install had been damaged, I upgraded from 8.2.0 to the 9.3.1 package.  After restarting and retrying the application IE8 again froze when viewing the PDF report.  I also considered uninstalling IE8 but was not able to do this because it was installed as part of SP3 at Dell.  I wanted to roll back SP3 as well but found no efficient way to do that either.

So... the final fix for this issue?  Uninstall Reader 9.3.0 and install 8.2.0.  I haven't tried incrementally upgrading to see how close to version 9 that I can get.  I just don't have the time or the patience to do that!  I cannot determine why the Ameripath application works with IE8 and Acrobat 9.3.1 on my system but does not work on the client's system.  The only difference is that the client's system had OEM installs of Windows XP, SP3 and IE8.  My system has been slowly updated over the years as these updates have come out.

Filed under: Uncategorized 1 Comment
16 Mar 2010

Welcome!

Welcome to my technical blog site.  Here I will periodically update the world on the projects I am working on and technology I am utilizing in my business, Information Technology Systems, LLC.  You can also learn more at my LinkedIn page.

Filed under: Uncategorized No Comments