The Dangers of Default Passwords

Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.

In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.

Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.

For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming"). Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.

Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.

The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.

Michael Sutton, security evangelist for Atlanta-based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.

"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.

So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allows you to reset the router to the factory settings (and back to the default password).

Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below.

By Brian Krebs  |  February 15, 2007; 6:14 PM ET
Categories:  From the Bunker , Latest Warnings  

Comments

Brian--I read this item with interest as it hit me that I may be at risk. Recently I converted from Verizon DSL to Verizon FIOS (their fiber link). When the individual who did the installation left there was a wireless router between my desktop and the connection to the fiber line. While the FIOS connection is a little faster and more reliable than my DSL link, I am wondering if he left me with a security problem as I was not given any documentation about changing passwords or anything else related to security. I don't use the router to connect any other devices to the fiber link-yet. Any thoughts? Am I hanging out there for the neighbors to exploit my router? By the way Verizon also charged me $80 for the router, a fee that was never identified up front in the sales pitch for FIOS.

Posted by: Fred in McLean | February 15, 2007 7:51 PM | Report abuse

I suggest people look at the Opera browser besides just Firefox. I used Firefox for quite a while but switched to Opera about six months ago. It does support limiting Javascript and other options on a site by site basis as does Firefox.

Posted by: Kirt | February 15, 2007 8:40 PM | Report abuse

JavaScript is not a powerful language, it's a relatively weak language. I re-read that line over and over again and can't make sense of it.

Posted by: Bethesdan | February 15, 2007 8:44 PM | Report abuse

Fred, most routers can be configured using a web-based interface that you can access through your browser. To access this interface, you'll need to know the IP address of your router. (In Windows, find this by Control Panel:Network Connections:Right-click the network interface for your connection:Properties:Support:Default Gateway. In Mac OSX, Apple:System Properties:Network:Show [your network]:TCP/IP:Router.) Just type this IP address into the address bar of your browser to gain access. Check out the website of the company that manufactured your router; they should provide full documentation online. Hope this helps!

Posted by: Jesse | February 15, 2007 8:45 PM | Report abuse

If one has encryption enabled (WPA or WEP), is it necessary to change the router's password from the default? It seems to me that the encryption should prevent outsiders who don't know the encryption key from getting into the network in the first place, so they shouldn't be able to log in to the router, even if they know the default password, and that default has not been changed. Am I missing something?

Posted by: David | February 15, 2007 9:06 PM | Report abuse

that is odd, my linksys router can only be configured by LAN, I also agree with the WPA/WEP encryption, if my neighbors could get in, I'd see their MAC addresses and file a report of stolen service.

Posted by: passerby | February 15, 2007 9:25 PM | Report abuse

To passerby and David -- your browser is where the javascript is being run, and your browser has access to your wireless network, so regardless if you have WEP/WPA turned on you are still vulnerable to this type of attack.

Posted by: Ant | February 15, 2007 9:53 PM | Report abuse

WPA/WEP is wireless encryption ONLY. It prevents someone in your wireless range from logging onto your router and messing with your network, but it does not stop malicious websites from executing code on your computer and subsequently using your router (via your *wired* connection) to take over other devices on your network.

Posted by: Jesse | February 15, 2007 9:57 PM | Report abuse

WOW! I never thought of that but you are right.

Posted by: JMB | February 15, 2007 10:45 PM | Report abuse

changing a default password is hardly a major security revelation; for that matter neither is the existence of javascript exploit code. People cannot be reminded too often about this, it's important to reinforce these basics.

Posted by: stef caunter | February 15, 2007 11:33 PM | Report abuse

Can Java be designed to crack passwords?

Posted by: springnomad | February 15, 2007 11:53 PM | Report abuse

wep or wpa can be hacked in a matter of minutes then you can go to work on anybody's network or router

Posted by: m1 | February 16, 2007 4:00 AM | Report abuse

I imagine that they can indeed be hacked. Similarly, a determined burglar will have no problem defeating a deadbolt lock on your door - he'll just come in through some other means. In both cases, you're relying on the oft-proven fact that a bad guy, unless he knows for a fact that there's something of value in your location, will move along down the street to a victim who is less protected.

Posted by: Tjohn | February 16, 2007 9:13 AM | Report abuse

Shut up

Posted by: Deek | February 16, 2007 9:27 AM | Report abuse

Yes a wireless encrypted key can be hacked. But having it set as Tjohn stated does keep the majority of people out. Why spend time trying to crack something if you can move on to another person who doesn't have it set. This only protects you from people within range of your signal. The main thrust of this article is someone gaining access via the internet anywhere in the world.

Having your administrative password set does matter. It is your machine getting compromised that is connected to your router either wirelessly or wired. Since it is on your internal network it will have access to your router. If it is still set to the default password it will then be easy to compromise and change settings on.

This should be common sense, but if you weren't the one putting your router in, it may not have been done. It should take about 10 minutes of reading to figure out how to change the password on your particular router. If you didn't get a manual with your router, check the CD. There should be an electronic version on it. If you didn't get a manual go out to the website of the manufacturer and find it by your router model number. It is worth your time to do so.

Posted by: Jaguar | February 16, 2007 9:33 AM | Report abuse

For the average Joe living in suburbia, I would be far more worried about the dead bolts than the router. I have clients whose biggest complaint is about weak signal strength from one end of the house to the other. Most routers only have enough signal to reach perhaps one or two houses away. If their neighbors are the type that would go to these extreme measures to get into somebody's computer, they already have bigger problems than the unsecured router. Common sense security measures like changing the default password are always a good idea, my question is this. With all the other things to worry about in life, are open networks (of which there are thousands upon thousands) worthy of the measures some people go to to keep out the "bad guys" living next door?

Posted by: Chris T. | February 16, 2007 10:45 AM | Report abuse

side bar: re fred-in-mclean's comment about the charge for the router that was not mentioned in the fios sales pitch, that practice seems to be an industry standard. i just found out that the so-called $9.95 monthly increase for updating cablevision to io digital cable is actually a $16.20 monthly increase because of an additional monthly charge of $6.25 for the required cable box. nowhere is that additional charge mentioned in the printed io digital offer i received in the mail. it really pays to 1] read the small print [if there is small print], and 2] email these outfits for clarification about exactly what costs their promotional offers entail. if contact is by phone, record the conversation [after informing the party at the other end, of course.]

Posted by: laplane | February 16, 2007 10:54 AM | Report abuse

I have been using Opera browser, which allows optional use of Javascript. Always stable and bug free. ActiveX has been reported to be maliciously exploited.

Posted by: john | February 16, 2007 11:18 AM | Report abuse

All my neighbors have wireless routers but just about all of them are locked down. the first thing I did when i got my linksys router was to change the default password. I have WEP encryption key and also limit access to the wireless network by MAC address, so only my laptop can get on the network. I feel pretty secure that no one can get on my network that way.

Posted by: dan | February 16, 2007 11:50 AM | Report abuse

Bethesdan:

JavaScript is weak at typing and can be difficult to de-bug, but it's powerful in that you can do a lot with it, and you can write really complex code if you create so-called objects.


Posted by: Richard Waddell | February 16, 2007 12:02 PM | Report abuse

What about dan's plan? Are there holes in that plan?

Posted by: springnomad | February 16, 2007 12:38 PM | Report abuse

Dan has it right. If you have a wireless router do these three things.

1. Change the default password. Obvious for the reasons stated in this blog. MUST DO!

2. Enable MAC filtering. Might be called something else on your router but it is basically a list of machines (network cards in the machines really) that can connect to your router. MUST DO!

3. Enable Wireless encryption. WEP, WPA, or WPA2 depending on your router and wireless card combo. Highly recommended, but you can live without it if you've done 1 & 2 above. A crook would have to be both talented and in close proximity to snoop on your wireless packets if encryption is not enabled. Still while you're locking your router down you might as well throw the deadbolt too.

Posted by: Ron | February 16, 2007 1:05 PM | Report abuse

JavaScript, not Java (tard), is a script language based upon Java. It is mainly used to do things like, determine if you have Flash, determine your OS, validate forms, communicate between Flash and a serverside language (ie., php, aspx, etc.). If you disable it, then you probably should not surf the web because your experience will be dramatically altered in a negative way. The answer is, login to your router and enable the WAP (or WEP) key security. You will be fine. Also, a little trick that I like to do is when you name your wireless network (you do this when logged into your router) name it something that people will not want to play around with; something like (Los Angeles Police Department, Foothill Division). Good luck morons!

Posted by: Vic | February 16, 2007 1:15 PM | Report abuse

If you don't want to go thru all the steps to get your router's IP address, there are two very common IPs for them:

192.168.1.1 & 192.168.0.1

I'm sure that's not all-inclusive, but it'll get most people where they want to go.

Posted by: J | February 16, 2007 1:21 PM | Report abuse

Vic,

You shouldn't call people names, like tard and moron, especially when you don't know what you're talking about. Java and Javascript are not related. JavaScript was named inappropriately and has confused many a person about its relationship to Java. In fact the standards-based name of JavaScript is ECMAScript. While ECMAScript isn't a very sexy name, at least it doesn't lead to confusion.

Posted by: Ron | February 16, 2007 1:25 PM | Report abuse

To dan & springnomad:
Yes, there are holes. WEP is NOT safe (can be cracked by anyone with a Linux laptop in less than one hour), MAC addresses can be spoofed. To be genuinely secure (as far as the wireless part is concerned), use WPA encryption with a looong, random password (60 characters). Last I checked, there was no known way to crack that. To summarize: WEP - bad, WPA - good.

Posted by: Dr. A | February 16, 2007 1:36 PM | Report abuse

It is irresponsible of manufacturers to not only use the same passwords but also supply pretty much all the wireless routers on the market (with very few exceptions) wide open with no wireless encryption whatsoever and with the same SSID (wireless names).

In many urban areas you can find probably a dozen closely located "Linksys" or "Default" wireless stations some of which are accessible to the public and owners have no clue about it.

I always wondered, why not make factory settings SECURE by default and if a user wants to relax security, they can do it if they know how. It should not be the other way around when most routers expose unsuspecting users and give them a false sense of security. We have to deal with it on a daily basis and it does hurt consumers.

Vlad Mayzel, Operations Manager
604-GET-HELP On-Site Computer Services
Tel: 604-GET-HELP (604-438-4357)
Web: www.604-GET-HELP.com

Posted by: Vlad Mayzel | February 16, 2007 1:37 PM | Report abuse

the aspect of free floating wireless signals is pretty prevalent in NYC. recently went to a friend's house to clean up her computer due to virus and spyware junk that had bogged down her system. First thing i noticed was that her wireless internet was wide open. and i specifically remember surprising her by accessing her router with the standard u/n: admin p/w: password default setting. ...she lives in an apt building. telling her that any creep in wash heights could access the internet, and her network as easily as i just did... i think opened her eyes a little. i don't know much about java script... but i know enough to not trust it. i think anything that clues people in to the common place mistakes they do with computers is a good idea.

Posted by: stephen | February 16, 2007 1:47 PM | Report abuse

Yes, JavaScript can be turned off in IE7.

Tools -> Internet Options -> Security -> Custom Level -> Scripting -> Allow Active Scripting

Then for pages that need scripting, add those sites to your "Trusted Sites" list, and enable scripting on that level.

Posted by: Aaron | February 16, 2007 2:01 PM | Report abuse

I was having a problem of losing connections on my dlink wireless router (and these were direct connections, not even wireless connections). I went to dlink web site, downloaded the latest firmware. IN THE PROCESS OF INSTALLING THIS FIRMWARE, my Zone Alarm firewall detected (and prevented) my banking access passwords from being sent. I submit this to show just how dangerous the router can be, acting like a back door into my system. Great article.. thanks

Posted by: Paul Palmer | February 16, 2007 2:27 PM | Report abuse

The other way to secure your wireless network is DO NOT BROADCAST

I use a wireless network in an apt bldg.
But rather than the expense of encryption, I just don't broadcast the network. Notice that when you search for available networks all your neighbors show up. But only if they broadcast their existence -- You don't have to.

The admin page for your router has a way to turn off broadcasting. It is a little trickier to establish the connection from the other end. Typing the name of the network instead of just selecting one of those from the list that is being broadcast.

If you choose a name other than linksys or default. Then it is very unlikely that some stranger is going to guess what your network is called.

I prefer this method to encryption. It is expensive and a pain to set it up. So I believe that is why most people don't bother. But not broadcasting by comparison is much easier. It's a check box on the admin page and filling in a form on the laptop.

Posted by: Rob | February 16, 2007 2:35 PM | Report abuse

I'm going to second Dr. A's comments. If you have WPA, use it. Don't use WEP (which is easily cracked). Note that WPA with a short password is susceptible to an offline attack; so use a long and random password (minimum 15 random characters, not a problem since you only have to enter this once during setup). MAC address filtering may prevent casual connections, but can also be hacked, so don't depend on it for strong security.

Posted by: Ed | February 16, 2007 3:08 PM | Report abuse

Rob,

Why do you think encryption is expensive?

Posted by: Ken | February 16, 2007 3:32 PM | Report abuse

When I got my router from a local cable company they left out the part that you're going to be charged $5.95 a month for it. I called & asked if I could use my own router which they reluctantly told me I could. At the time I paid about $59 for a router from Newegg, but I figured I'd have it paid for in a year. It's now 1 1/2 years later & the router is mine.

Posted by: Wes C | February 16, 2007 4:31 PM | Report abuse

I know it does not sound all that secure, but I actually have a sticker on the bottom of my mother's Wireless router, with the password.
Let's face it, if someone gets physical access to the router they can probably get whatever they need (even could reset the router to defaults).
That way if she ever needs some work done, at least I can get into it.
And of course it is different from the default and the WEP is on :)

Posted by: Chris | February 16, 2007 5:10 PM | Report abuse

Thanks to those who clarified that WPA or WEP encryption do not protect you when the intrusion is from a malicious Web site, which is, essentially, already inside your network. I have now changed my password to a 15-character password, which took a little looking but was not all that hard to do. Ironically, I cannot figure out how to change the router's User ID, but I guess that is not really very important as long as the password is a secure one. Thanks also to BK for raising this basic but crucial security issue.

Posted by: David | February 16, 2007 5:30 PM | Report abuse

Rob -

Turning off SSID broadcast does **NOT** secure your network - it's still very easy to sniff out your network with tools that are free and easy to find and download off the net.

I feel sorry for Chris T's customers. He's too lazy to secure their networks, but rationalizes that their security isn't important anyway. Nice attitude.

For everyone, like Chris T, that says an insecure network can only be accessed by your next door neighbors - WRONG!!!! I have an antenna, which cost less than $100, that lets me connect to open networks a MILE away.

Secure your networks.

Posted by: wireless_hacker | February 16, 2007 5:40 PM | Report abuse

Rob -

Turning off SSID broadcast does **NOT** secure your network - it's still very easy to sniff out your network with tools that are free and easy to find and download off the net.

I feel sorry for Chris T's customers. He's too lazy to secure their networks, but rationalizes that their security isn't important anyway. Nice attitude.

For everyone, like Chris T, that says an insecure network can only be accessed by your next door neighbors - WRONG!!!! I have an antenna, which cost less than $100, that lets me connect to open networks up to a MILE away.

Secure your networks.

Posted by: wireless_surfer | February 16, 2007 5:41 PM | Report abuse

>>If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below.

No add-on needed, it's built-in -- it's called the Trusted Sites zone.
http://windowssecrets.com/comp/061026#story1

@Fred in McLean:
>>I am wondering if he left me with a security problem as I was not given any documentation about changing passwords or anything else related to security.

On the evidence, that would seem likely.
http://groups.google.com/group/news.admin.net-abuse.email/msg/01d3024e79236518

Posted by: Mark Odell | February 16, 2007 5:49 PM | Report abuse

The problem with Rob's comment is that his advice is just about as bassackwards as you could go. First, he doesn't address the issue of a javascript attack running from within your network accessing the router. Second, turning off broadcast on a wireless router to keep the network's identity and existence secret is just about like wandering around in public wearing your driver's licence and SS# pinned to your lapel while wearing a blindfold. The ID is available to anyone that looks and without any encryption, everything's in plaintext. Encryption is not "expensive" in any sense of the word unless you have some weird ancient card that doesn't support it and you have to buy one. Even so, I have a $15 Airlink101 802.11G USB 2.0 device that transfers files across my network at the same speed as my built-in chip. Plugged in to a 6 year old 550 Mhz laptop it goes as fast as the USB1.1 port will muster. Encryption or no doesn't make a whit of difference on either laptop that I can measure. (And I was curious enough to do so with benchmark software)

As for MAC filtering, it's useless alone and potentially a needless stumbling block if you ever want somebody else to be able to use your network. The only person it will keep out is the clueless, and they are the least likely to want to or try to jump on your network intentionally. It's easily sniffed and just as easily spoofed.

As Brian said, regardless of whether you wish to run an open network, you should change the password on your router, if for no other reason, to keep someone from changing it for you and locking you out of your own router and/or installing hacked firmware on said router and/or opening other holes in the router's security. As someone else said, every router manufacturer will have the user manual available online for download and the step by step instructions for changing the password and putting in an encryption key are usually in the first easy-setup pages. Ready-made random keys of maximum length (and in hex, ASCII and alpha-numeric flavors) are available from https://www.grc.com/passwords.htm Instructions there will tell you what to do if your router or network card cannot do WPA2, WPA, or keys of full length. This is all free of charge.

What encryption should you use? Whatever BOTH your card(or onboard chip) and router support. In order of decreasing preference WPA2, WPA, then, if nothing else WEP. WPA2 uses the stronger AES cipher. WPA and WEP both use the RC4 cipher, but WEP used an implementation that allowed the key to be cracked with relative ease when the crack was announced in 2001. Nowadays there are automated software tools that, combined with modern hardware, will serve up your key in a pitifully small amount of time. (less than 5 minutes) Because of the way plain-ol' WPA was designed it is quite probable that updated drivers from the manufacturer would enable you to upgrade to WPA. Any card made after mid-2004 to WPA2. Any device made after June 2005 that says Wi-Fi(tm) MUST support WPA. Any home user that did not already know all of the above should not try to use WPA-enterprise just because it sounds even more secure, (it is) it requires the use of an external authentication server to hand out keys and, well, you don't have one of those do you?

A WPA key like : 4DE4BB3FD2A36482 1E79CCC23691E08B 18C23C1A6DE886DF 150CE0AA67AAB39A looks a bit daunting until you realize that it's just a copy-and-paste, email or print it. A random and free new one is waiting at grc.com/passwords 24/7 should you wish to revoke it.

In short, using no-broadcast as sole security is wacky, even trollish in a "format C:" kinda way. MAC filtering is useful only for keeping out those that can't figure out how to sniff and spoof the approved MACs and it makes it a PITA to lend a "cuppa WiFi" to a neighbor whose internet is down. Neither keeps your data secret from prying antennae. Changing your router's password is a MUST whether you encrypt or not.

Posted by: markc | February 16, 2007 8:44 PM | Report abuse
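Keys in the three flavors the comment above mentions (hex, ASCII, alpha-numeric) can also be generated on your own machine. The following is an added example, not part of the original comment and not code from grc.com; the function names are illustrative, and the length limits are the WPA/WPA2 personal ones (64 hex digits, or a passphrase of 8 to 63 printable ASCII characters).

```python
import math
import secrets
import string

HEX_KEY_LEN = 64               # 256-bit pre-shared key written as hex digits
MIN_PASS, MAX_PASS = 8, 63     # WPA/WPA2 passphrase length limits
# Printable ASCII without the space, as a precaution against forms that trim it.
ASCII = "".join(chr(c) for c in range(0x21, 0x7F))
ALNUM = string.ascii_letters + string.digits


def hex_key() -> str:
    """64 hex digits from the OS CSPRNG (the 'hex' flavor)."""
    return secrets.token_hex(HEX_KEY_LEN // 2).upper()


def passphrase(alphabet: str = ASCII, length: int = MAX_PASS) -> str:
    """Random passphrase; pass ALNUM for the alpha-numeric flavor."""
    if not MIN_PASS <= length <= MAX_PASS:
        raise ValueError(f"length must be {MIN_PASS}..{MAX_PASS}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def classify(key: str) -> str:
    """Match a key against the two formats: 'hex-psk', 'passphrase' or 'invalid'."""
    compact = key.replace(" ", "")   # keys are often printed in spaced groups
    if len(compact) == HEX_KEY_LEN and all(c in string.hexdigits for c in compact):
        return "hex-psk"
    if MIN_PASS <= len(key) <= MAX_PASS and all(0x20 <= ord(c) <= 0x7E for c in key):
        return "passphrase"
    return "invalid"


if __name__ == "__main__":
    for label, key, size in (
        ("hex", hex_key(), 16),
        ("ascii", passphrase(), len(ASCII)),
        ("alnum", passphrase(ALNUM), len(ALNUM)),
    ):
        print(f"{label:6} {classify(key):10} {entropy_bits(size, len(key)):6.1f} bits  {key}")
    # An 8-letter lowercase passphrase is valid but far weaker than full length.
    print(f"8 lowercase letters: {entropy_bits(26, 8):.1f} bits")
```

The entropy figures apply only to keys picked at random like this; a passphrase a person made up has far less than its length suggests.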

I'm a bit surprised that no one has suggested any of the network managers such as Network Magic that not only allow you to manage your own devices such as modems, routers, printers and additional computers but it tells you when they need attention. In addition they tell you when intruders have slipped in.

Posted by: Marvin | February 17, 2007 8:51 AM | Report abuse

To wireless_surfer: I want to do wireless long distance. What antenna are you using? Thanks. lbb

Posted by: lbb | February 17, 2007 10:22 AM | Report abuse

Posted by: Mark Odell | February 17, 2007 11:28 AM | Report abuse

Javascript is at least supposed to run in a sandbox just like Java. It shouldn't be able to access your router unless the page was served up by the router's embedded web server - at least without exploiting some Javascript bug.

Posted by: Jack Hahn | February 17, 2007 2:36 PM | Report abuse

Guys,

I appreciate your concern but you are missing the point. I'm not saying that it is a perfect solution. But there is no perfect solution.

It's like securing your car from being stolen. Your best bet is to keep your stuff out of view. If a criminal REALLY wants in, then there is nothing you can do. But most crimes are spur of the moment and not pre-planned. If they are pre-planned then the thief knows what he is there to steal.

Computer security is the same. How much time and money are you going to spend on security for your computer? Yep, if someone wants to get onto my unsecure but non-broadcast network, then they will get in. So what? If I really had something worth stealing then I might be worried. Yes, there is the risk of malicious javascript or virus or adware, so what? Welcome to the world.

Security is expensive. Everything sent on a secure network is encrypted on send and decrypted on receive. Sure, if your network is having a good day, then you won't even notice. But if your DSL is slow or the airwaves are choppy (this happens a lot), then it's just one more step to slow things down. Then there's setting the thing up and then changing your key regularly, etc. It's just a bunch of people trying to sell me a better car alarm. And like a car alarm, it goes off when I don't want and causes me more issues than I care to deal with.

I think security is important, if you have something to secure. But MOST PEOPLE would do better, just to keep their machine backed up. Save those precious files that you just wrote, on a CD-RW. Every machine has one these days. Every couple of months or if your machine seems a little slow, go get an open-source, free of charge, virus checker, there are several. Run it for a day. It's like giving your car a bath now and then.

Virus protection is a racket. Designed to make a lot of money off FEAR. I write software for a living. I don't have any virus protection on my machine. It is a waste of money. JUST BE LOGICAL and CAREFUL.

Basic Rules:

- NEVER NEVER NEVER open any spam. And NEVER click on ANY link in a spam message. If someone can't make it clear what this is, then forget it. If it is really important, they will try again or maybe just call you.

- If you run new software on your machine, be sure you know where it came from. If once in a blue moon it launches a virus: Oh crap! Somebody stole your iPod out of your car. What a pain, but not the end of the world.

The world is mostly a friendly place. Go out and enjoy your computer and don't let Microsoft or Symantec or anyone make you paranoid. Don't let fear of disease turn you into a hypochondriac.

Posted by: Rob | February 17, 2007 3:43 PM | Report abuse

lol

Posted by: lol | February 17, 2007 4:28 PM | Report abuse

Bethesdan, the language itself is quite simple, but in the right environment (like a web browser) it can be used for powerful things.

Posted by: jaxad0127 | February 17, 2007 8:38 PM | Report abuse

I think it's a bunch of crap. I'm willing to bet these anti-virus software companies sit around and think of this stuff to get you to buy their software. It's funny that once a new virus hits the net, these companies have a virus key within hours of it.

I will have to say these companies are the ones doing all the virus making and releasing, to make sure you need their software.....

Posted by: james | February 17, 2007 9:30 PM | Report abuse

Fun facts:
- JavaScript is definitely powerful. It's a flexible enough language that it isn't just used in browsers. More importantly, browsers repeatedly have exploits where you can use JavaScript to execute 'regular' code outside of the browser sandbox.
- Security works best in layers. You would be foolish to think that leaving a default password on your router is EVER ok. If someone gains access to your network (even if it's from a wired connection), it would be trivial for them to find network properties and attempt to access them.
- Chris is absolutely right that you're better off putting a Post-it on your router with the user/pass... much better than leaving it as the default. As long as you don't use the password somewhere else.
- I'm sure virus companies have their ways of competing to gain market share. That doesn't mean that they're useless. As corrupt as it may be, it is nearly impossible to use Windows (and yes, MacOS X isn't immune either) without anti-virus software. Even a childish thought process would lead to the conclusion that you don't know when a virus really got out in the wild so you have no idea if anti virus software found the signature "within hours" of the release.

Definitely use WPA or WEP, definitely set the password on your devices, definitely make sure you send important info using SSL (more encryption!). Good luck on the JavaScript battle, that's becoming as much a problem for the web developers as it is for the users choosing which sites to allow. Even a completely harmless site can have a JavaScript exploit waiting to happen (called XSS).

Posted by: Andrew | February 18, 2007 1:35 AM | Report abuse

Not sure of a specific addon to disable or control Javascript in IE7, but the following site is helpful in finding addons regardless:
http://www.windowsmarketplace.com/category.aspx?bcatid=834&tabid=1/

Posted by: ed0g | February 18, 2007 7:35 PM | Report abuse

JavaScript has less to do with sensible surfing than it has to do with Java. It's a client side technology. It's OLD. There are numerous server side technologies that effectively replaced it eons ago. If sites you visit have whiskered webmeisters who can't go back to school, write and complain. JavaScript is client side and as such has no place in safe computing. Period.

Posted by: Rick | February 20, 2007 7:27 PM | Report abuse

@

'and yes, MacOS X isn't immune either'

This is a bit of a cop-out. Although OS X users are smug, you can't compare the platforms. Hopefully you never will be able to.

Most importantly, saying someone else isn't immune either (when they ARE basically immune) doesn't take away from the deplorable state of your platform.

Posted by: Rick | February 20, 2007 7:35 PM | Report abuse

I notice multiple posts are common here. Opera especially is a nuisance as saved data used to speed loading obscures the fact that updates have occurred. Once in a while I seem to run into that in Firefox as well.
Are there browser settings I should be looking at altering (I usually run with Javascript disabled, which can lead to missing facilities on a website unless I think to check to see what is being sent)? Also Advice Goddess, for instance, gives me an error readback when I post comments (usually 404), although the post is visible if I navigate away from the thread and return. Amy, a syndicated columnist, has had pretty good frustration sessions trying to figure that one out.

Posted by: opit | March 1, 2007 9:51 AM | Report abuse

Yup. I just right-clicked and hit reload to see my comment: Firefox 2.0 with NoScript allowing Washington Post but not ihost.com.

Posted by: opit | March 1, 2007 9:54 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company