This is a transcript of a podcast discussing Wireless Security, issues relating to using Wi-Fi and tips to enhance security of your communications.
Speaker Key: PB Phil Brown, DW David Whelan
PB: Hi it’s Phil Brown and I’m here with David Whelan and we’re going to talk about wireless security tips. We’re hearing a lot about wireless and Wi-Fi so maybe we should just talk about what is it?
DW: The basic technology is wireless networking and it sometimes becomes confusing because we now call cell phones wireless phones but they’re not really wireless in the same way that we’re talking about wireless networking, which is also known as Wi-Fi. It allows you to have high speed connections from your computer across your network or to other computers on your network.
PB: And it’s really just a radio signal that’s being broadcast back and forth by a transmitter.
DW: Exactly. The quality of that transmission can vary so if you’re inside an old-fashioned building with heavy, thick walls the signal might not actually leave your building, but if you’re in a modern building or if you have a lot of windows your wireless signal could actually penetrate out into the open world. Or conversely, if you’re outside a building that has a lot of open glass windows or thin walls you might pick up a wireless signal from somebody else who might not intend to transmit it.
PB: So the term Wi-Fi is really just a trademark name.
DW: Yes, it’s for marketing.
PB: In theory, I suppose for making regulations also so they can certify things as being a certain standard.
DW: Right and that is part of the alphabet soup that comes with wireless. You have wireless speeds of A, B, G and N. So when you hear about Wi-Fi N or Wi-Fi B those refer to particular speeds of the wireless networking technology.
PB: So in other words, how fast or how slowly you could transfer a file.
DW: Yes, and some of those speeds are aspirational.
PB: So let’s talk about some of the potential dangers of a Wi-Fi connection being open.
DW: Open really means there’s no security on it and this is most commonly discussed in the area of coffee shops where you go in and you sit down in the coffee shop. Starbucks is a good example where they have free wireless and you can get it at McDonald’s as well if you’re at the McCafe. You log onto their network and you can do things on the internet, send files, download files, check your email, but there’s no real security, it’s just a checkbox saying that you agree to follow the terms and services and then you’re off and running and so is everybody who is sitting around you.
PB: Also if you set up a home Wi-Fi network or even an office Wi-Fi network without setting any security protocols it would be an open network too.
DW: Yes. A good story I have on that is my sister went to a coffee shop in Maryland and every morning there would be a lineup of cars next door and next door was the police department and all of the people in these cars were connecting to the police department’s unsecured wireless network.
PB: Now, those people who are receiving those signals or picking up those signals from maybe your computer or anyone else’s computer: there’s a recent Illinois decision saying that’s not wiretapping.
DW: Yes and I think that should give everyone pause for concern if they are sending anything related to clients. It doesn’t even have to be confidential information, it can just be addresses, any sort of data they’re sending related to their clients and even more basic they should be worried about their user names and passwords being picked up by people who are using software that’s freely available and can watch transmissions that are sent from a computer to a wireless connection or access point.
PB: So we’ve talked a little bit about the potential dangers of leaving connections open. Let’s talk a bit about standard encryption that’s available.
DW: There are two ways of encrypting your transmissions. The basic one is if you’re using a web browser, make sure that the web sites that you’re visiting use the https or security sockets standard. You can tell because if you go to a web site and there is no s after the http, your connection isn’t encrypted. But if you go to your bank or if you go to certain online social media sites - your Facebook account, you’ll notice that in most cases the service wants to provide you with a secure connection and they convert that. You can see it by seeing the s in the https location in your web browser.
PB: Right and it’s available for Firefox and for Chrome. I don’t think it’s available for Safari.
DW: In some cases, the web site provides a secure connection for you and then there are additional add-ons. One of the great add-ons is called HTTPS Everywhere and that is a Firefox-only add-on. It will automatically turn on https if the service is available, whether or not you are aware of the service being available. Many sites will turn it on for any web browser including for portable or mobile phones.
PB: And just to be clear on what’s being encrypted - it’s your information being sent to that web site and from that web site to you.
DW: Yes, and I think one common misconception is the information on the other end is anonymous or somehow is protected. They may still be gathering information about your visit and where you came from and so on, so it’s not really a privacy protection; it’s really a matter of blocking eavesdroppers from seeing the information. There’s also the ability to use virtual private networks or VPNs and that allows you to encrypt not only what’s going on in your web browser but, if you’re using your email account through Microsoft Outlook or something like that or some other software, you can actually connect to your office and securely create a tunnel or a pipe directly to your office over the internet and no one would be able to access your transmissions at that time.
PB: And that’s an option if you’re on an open network like a Starbucks or a Timothy’s or a Timmy’s or any of those. You could use a VPN, this virtual private network or pipeline to connect to your office. There are a number of different services available out there to set up a VPN for free.
DW: You may find that if you’ve got an internet router, which is the piece of hardware that connects your office to the internet, it has VPN support built in, in which case you could use this software. Otherwise, there are open standards like OpenVPN, which you can download on the web and use and there are other free services that allow you to download a piece of software to your phone or to your computer and then provide you the network to connect to.
PB: One of the things that makes using wireless devices, phones, computers and wireless routers potentially dangerous is that every device has a MAC address and a MAC address is just a physical location address that you can punch into a piece of software and you can communicate with it.
DW: Right, and another misconception is that it only applies for Apple computers but every device that connects to the computer has this device-specific piece of information and it can be spoofed but in many cases it can be used by you to secure your own network. So if you have your own wireless network in your office you can set it up so that only certain devices with certain MAC addresses will be able to connect up to your access point and that can help you to limit people who are wandering by or people who shouldn’t be accessing your system from getting access.
PB: Another tip on that is if you do have employees in a law office who are accessing your wireless network in the office to de-authorize their MAC addresses from whatever device they were using when they leave the office.
DW: That’s a great tip. MAC addresses don’t provide permanent or total security for your access points; it’s just one of the ways that you can secure an access point. Law firm access over Wi-Fi should really include passwords so that no one can get onto your network without having a password and they should have encryption as well so that transmissions from the access point are encrypted; it’s not open to anybody who can see it.
PB: Another tip in terms of passwords is changing the administrative password on your router when you set up the wireless network.
DW: Yes, unfortunately if you type in the name of your router in Google and type in admin password you can probably find the admin password, which is the default for your system. So make sure that you have changed that password and maybe change the name of your router. In many cases, when you are trying to connect to a wireless network, it will tell you the name of the piece of hardware that you’re going to connect to and it usually has either the provider’s name or the company’s name. So if you buy a Linksys router for Wi-Fi it may say that you’re connecting to the Linksys network. So change that to something that doesn’t scream the name of the product or the name of your law firm so that it helps to de-identify or maybe make you less of an attractive target for people who want to hack your wireless.
PB: I know there were some suggestions in some of the tech magazines that you call your network the virus generating network to make it less attractive to join.
DW: That’s right - scary can be good.
PB: What about turning off your Wi-Fi network when you’re not using it? Is this an option or no?
DW: I think it can be an option. It tends to be more complicated than just flipping a switch. I would definitely suggest that you turn off Wi-Fi on your phone or on your tablet or laptop because at least that means you’re not broadcasting without realizing it or connecting to a network without realizing it and sharing information from your device and obviously that has battery benefits as well.
PB: It’s also probably a good idea to maintain all of your usual firewalls and things on your other devices.
DW: Absolutely. Be aware of what your device is sharing. If you’ve got a Windows computer you may have file sharing turned on. You may also have Windows Media that are looking for people to share your music work. To the extent that you can turn those off and take advantage of the public versus private networking distinctions in your operating system you can stop broadcasting information about who you are and what’s available.
PB: Great. Thanks a lot.
DW: Thanks, Phil.