Security Is About Being Unattractive
In my article A More Secure Home WiFi Design, I mentioned that one of the things that you should do to help make your home WiFi configuration more secure was to not broadcast the SSID (or ESSID) for your wireless network. This is a relatively simple thing to do and most modern wireless systems allow you to do this.
As I was writing the post, I knew that someone was going to point out to me that this is not an effective security practice and I was not disappointed, as Adam pointed out in his comment on the post:
Turning off ESSID broadcasting is not, I repeat not a security measure. It is broadcast when the WAP puts out a beacon, so all you have to do is wait and you’ll have any ESSID you want.
Adam also went on to point out how some of my other suggestions provided very weak security:
The same can be said for MAC filtering, small DHCP pool, and different subnets. Without encryption these are pretty much worthless. MAC filtering, without encryption, is easily circumvented. All I have to do is fire up Wireshark, and put my card in monitor mode. The first packet I pick up will have source and destination MACs. Compare them to the MAC (BSSID) of the router, and I know which is the client machine. Spoofing that MAC is trivial. A small DHCP pool is fine, if it’s always full. As long as there’s a vacant address, it can be used. The same goes with a highly subnetted network. Unless every IP is taken, there’s always one available.
It is at this point that I would like to wholeheartedly agree with Adam! These are all very weak security measures and provide very little to keep your network safe.
I still highly recommend them.
Here’s why.
“Locks are for Honest People”
This is a little pearl of wisdom that my father says whenever he hears about a home invasion or about how someone has had something stolen from under lock and key. In essence, he was saying that if someone wants something badly enough, they will do whatever it takes to get it. This applies to your house, your car and your home network.
But, the miraculous thing about this is that my father is also extremely diligent about ensuring his possessions are safely locked away. “Just because they can get in and steal my stuff doesn’t mean that I have to make it easy for them!” he would say.
The same can be said for your computer security. Just because there are ways to discover your non-broadcast SSID and your subnet even when there is no DHCP server, why would I want to volunteer this information?
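As an added illustration (not code from the original post), the following Python parses the tagged parameters of an 802.11 beacon body and reports what the access point actually advertises: whether the SSID element is suppressed (zero-length or NUL-padded, as hidden-SSID settings produce) and whether an RSN element announcing WPA2 is present, the encryption that Adam's comment says actually matters. The beacon bytes are constructed inline, and `build_beacon` and `audit_beacon` are helper names chosen for this example.

```python
"""Audit what a beacon frame body advertises: hidden SSID? RSN (WPA2) present?"""
import struct

SSID_IE = 0    # element ID of the SSID tagged parameter
RSN_IE = 48    # element ID of the RSN (WPA2) information element


def parse_ies(body: bytes) -> dict:
    """Parse the tagged parameters that follow the 12-byte fixed fields
    (timestamp, beacon interval, capability) of a beacon frame body."""
    ies = {}
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:        # truncated element: stop, do not misparse
            break
        ies.setdefault(tag, data)      # keep the first occurrence of each tag
        pos += 2 + length
    return ies


def audit_beacon(body: bytes) -> dict:
    """Report the SSID (None if hidden) and whether RSN/WPA2 is advertised."""
    ies = parse_ies(body)
    ssid = ies.get(SSID_IE, b"")
    # Hidden-SSID APs send a zero-length SSID; some send NULs of the real length.
    hidden = len(ssid) == 0 or all(b == 0 for b in ssid)
    return {
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "ssid_hidden": hidden,
        "rsn_present": RSN_IE in ies,
    }


def build_beacon(ssid: bytes, with_rsn: bool) -> bytes:
    """Constructed sample beacon body (not captured traffic)."""
    cap = 0x0411 if with_rsn else 0x0401          # ESS, short slot, +privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)      # timestamp, interval, capability
    ies = bytes([SSID_IE, len(ssid)]) + ssid
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates: 1, 2, 5.5, 11
    if with_rsn:
        # RSN v1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0
        rsn = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([RSN_IE, len(rsn)]) + rsn
    return fixed + ies


if __name__ == "__main__":
    print(audit_beacon(build_beacon(b"linksys", with_rsn=False)))
    print(audit_beacon(build_beacon(b"", with_rsn=True)))
```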
People Choose To Be Lazy
OK. I’ll admit that this is a gross overgeneralization, but it does hold true in a number of circumstances. People, just like water and electricity, will generally take the path of least resistance. This holds true for people who want to break into your home network.
Let’s say, for example, that someone pulls into your neighborhood, parks their car on the street, and fires up their WiFi enabled laptop. Which network do you think they are more likely to attempt to connect to? The one with the default SSID or the one that they can’t see (or maybe need to guess at)?
People Are Opportunistic (and Nosy)
I used to work (physical) security at a large department store. My job was to identify and apprehend shoplifters. I would then detain them until the police (and/or their parents) arrived. This would often provide a lot of time to talk and ask questions.
One of my favorite questions to ask was, “When did you decide to steal this item?” It would always seem like an odd question to them, but I found the answers to be quite fascinating (I was a psych major at the time). The vast majority of them would tell me that they never planned on stealing. It was just an impulse that came over them when they saw an item that looked like they could steal it without getting caught.
I quickly realized that these were not hardened criminals. They were not even kids deciding to go out and do the wrong thing. They were simply people who saw an opportunity and gave in to the impulse to do the wrong thing.
The same can be said for someone who accesses your home WiFi network. These often aren’t people that are out to get your information or destroy your systems. Most of the time, they are probably someone who is at a friend’s house, fires up his laptop and sees an open network. It’s easier to connect to a WiFi signal that is ripe for the picking than it is to run that patch cable upstairs into the living room. So, illegal WiFi it is.
Once they are on your network, it is really easy to get curious. “I wonder what he’s got on here?” and off they go exploring. A few attempts with the web browser. Try to open a network share. Suddenly, a total stranger is digging through your digital business.
And all this because you decided not to check that little box that said, “Do not broadcast SSID”.
The 80-20 Rule
As was stated earlier, if someone really decided to access your computer files, all the security measures in the world aren’t going to protect you. They will get in regardless of what you do.
These are not the people that you are trying to secure your systems from. What you are trying to do is keep out the script kiddies and those who don’t really know what they are doing. Hence, the 80-20 rule of security applies as such: putting up the easiest 20% of the security options available will probably keep out 80% of the population. These are not scientific numbers and I have nothing to prove this ratio, but you get the idea.
You will never keep out everyone but you can keep out the majority.
The Flip Side
The name of this article is “Security Is About Being Unattractive” and I’ve mentioned a number of ways that you can make your network less attractive to the average, opportunistic user with a wireless card. Unfortunately, some of these measures can have the opposite effect if a truly experienced cracker stumbles upon your WiFi connection.
These types of people are often motivated by a challenge. When faced with a choice of getting into an open network or one that is locked down, they will often choose the more difficult option. Unfortunately for you, this could very well be your locked down system.
Now, statistics and probability are in your favor because there are more curious average users than there are leet haxors out there. Chances are that the person probing your wireless connection is just your neighbor’s friend who stumbled on your network. (Unless, of course, your neighbor is friends with Kevin Mitnick!)
Conclusion
While some security measures may, on the surface, seem to provide only limited protection, they are still an important part of your entire security arsenal. No individual measure is effective in and of itself. But, when used in conjunction with several other security techniques, they can be effective at keeping out the majority of curious lookers.
But remember: there is no infallible security solution. If someone wants to get in badly enough, they will find a way.
9 Responses to “Security Is About Being Unattractive”
The Fieldhouse Says:
November 30th, 1999 at 12:00 am
I thought that I would just highlight some of the security related articles that I have written in the past so that you may stumble on something interesting that you may not have read before: FOSS for Security; Protect Your USB Drives NOW!; E-Mail Tracks; Security Is About Being Unattractive; I Think I Have A Virus: Now What?; Tech Blog of the Week: Schneier on Security; A More Secure Home WiFi Design; The Anatomy of a Virus; High End Router, Low End Hardware; Remotely Accessing Computers; Donated/Trashed a Computer? Your Data May be at Risk
BillyG Says:
June 13th, 2007 at 12:20 am
“People Are Opportunistic (and Nosy)”
speak for yourself lol, j/k
I’m still on a desktop (albeit one that came with a wireless card), but my wife’s work laptop will need to be online for her upcoming schoolwork, so needless to say, we will be going wireless shortly; thanks for the article.
Christoph Says:
June 13th, 2007 at 7:16 am
In an odd sorta way, creating a publicly open point that is locked down could be its own security measure for a large secure wifi mesh. Honeypot-ish.
Personally, I have a fon router that I just freely share my network connection out. Generous I suppose.
http://www.fon.com
Penguin Geek Says:
June 13th, 2007 at 8:17 am
Not really in-line with the article, which was an excellent one BTW, but what the crap is that freaky little gremlin pictured? It’s tripping me out.
Tim Fehlman Says:
June 13th, 2007 at 8:44 am
Penguin Geek,
The picture is of an aye-aye baby. YouTube has a video of one. It’s not nearly as ugly looking but not exactly cuddly, either.
Tim
Duncan Cunningham Says:
June 13th, 2007 at 9:52 am
Tim,
Again, I have to agree with you. It is not about making it unbreakable, nothing is. At the very least it stops a browsing neighbor borrowing your ‘freely available and broadcasted’ wireless connection. Many thieves are opportunists and if there are others out there that are easier to steal from, they’ll not bother you as much. I don’t use the wireless connection on my router anyway, not that it can stop a hacker getting to my network, I’m sure they can figure out a way to me through the DSL connection I have. One thing I do is to switch it all off when not used, it’s the best security measure you can do. Guaranteed to keep anyone out, once it’s off. I still print off important documents and file them away in folders rather than keeping everything digitally stored on my PC. CDs are great too. I’ve enjoyed the follow-up comments about ‘REAL’ security and I’ve learned a few things I never really thought about. Tim, great work at shedding light on to this topic and keeping the dialog going with articles like this one.
Like it says... Says:
June 13th, 2007 at 8:32 pm
Home network security - one perspective…
Daily Cup of Tech (one of my favorite blogs) recently posted an article about home network security, and making your home (wireless) network less attractive to casual snoopers, responding to criticism received in a comment to a previous posting. The su…
Kim Jalun Says:
June 14th, 2007 at 8:58 am
You wrote:
The vast majority of them would tell me that they never planned on stealing.
You do realize that since your selection criterion is shoplifters that were apprehended, your responses are going to be skewed in this direction. My suspicion is that anyone who had formulated a plan ahead of time would have significantly reduced their risk of being apprehended and therefore ever having to even answer your question.
So, the vast majority of people apprehended never planned on stealing. No big surprise here, as lack of planning is going to increase the likelihood of failure (i.e. apprehension).
My suspicion is that the vast majority of shoplifters who are not apprehended, did plan things out.
normaleyes Says:
June 14th, 2007 at 9:09 am
On June 13, Giveaway of the Day offered a free software tool that would inventory all of the computers on your network. The comments by one person fit right in with this DCoT article.
“After installing this software and running it I was so amazed. The program reported that all 23 PC’s connected to my network were OK.
Twenty-three?? I have one PC and one laptop, not 23 computers.
After consulting the servicedesk and doing some remote inspections we detected that twenty-one neighbors are using my wireless network. This also explains why the transmission speed was becoming worse and worse.
Thanks GOTD, I am going to do some home visits…”
I couldn’t stop laughing.
