7 Network Security F-Ups Small Offices Make (And how to avoid them)

Writer’s Note: I’ll be covering information security in much greater detail here at Techgage with some great partnerships, including Pwnie Express – the guys who invented the (now infamous) PwnPlug – and Riverbed Technology, an IT monitoring industry leader.

Along the way, I’ll show you some simple and cost-effective tools to perform basic security auditing (known as pentesting) and protection in the SysAdmin Corner, and try to break major security issues down to understandable chunks for those who are novices and intermediates in the field. I hope you will come to enjoy information security as much as I do – or at least learn enough to protect yourself and your data.

This week, I want to cover some of the most basic failings I see time and again – and outline some simple fixes. If you work in a small to mid-sized business that doesn’t have dedicated IT and security, you can’t afford to skip this article. If you don’t work in such an environment, I hope you’ll learn some tips for securing your home network – many of these will apply there as well.

Nowadays, cyber-security is front-page news. It seems like nearly every week, we hear about some big company getting hacked and its customer data being stolen. Outrage from customers and onlookers alike fills the Internet, demanding to know why this data was not protected. Many of these people then go home or to work, hop on unsecured home networks and begin browsing away on malware-infected PCs, never realizing that many of the same mistakes (and more!) are being committed by themselves and their employers.

I truly believe that a much greater amount of data, and therefore risk, lies in the hands of small business than in the mega-corporations. Breaking into Citigroup or Sony may net a real hacker a lot of credibility, but by and large it’s not the real hackers that we have to worry about. Instead, it’s the script-kiddies (miscreants who use the powerful tools that real hackers have developed, often with little understanding) and professional scammers we should fear – and they can get a lot more “bang for the buck” harvesting local, poorly secured networks than wasting time and almost assuredly getting caught busting into big companies. If Citigroup is Fort Knox, then your nearby doctor’s or accountant’s office is a simple snatch-and-grab home burglary, where the tenant won’t be back to find out… ever.

In my office complex alone, there are also: three doctors, two attorneys, one insurance agency and one financial manager (and a partridge in a pear tree!). Six of the above run wireless networks, three of them use default passwords for their router and an easily guessable wireless access password. All six networks have a critical vulnerability running that you’ll read about here. The seventh office uses conventional wired networking, but has no passwords or controls for the network and an Ethernet jack in an unattended conference room accessible from the front lobby.

If Citigroup is Fort Knox, then your nearby doctor’s or accountant’s office is a simple snatch-and-grab home burglary…

Ladies and gentlemen, this is where and how your information is being kept. Your health records, your bank info, your assets and net worth. Your wills and trusts. Your birth dates, kids’ names, speeding ticket defenses. Citigroup has nothing on this.

Have you ever asked yourself: “If that information was stolen… what would I do?”

If you work in small business (or are a small business), you owe it to your clients, yourself and your employer to treat the data you use with respect. So in honor of the seven networks above, I’ve written up seven of the simple mistakes these offices (and countless more) make, and how to protect yourself from them.

F-Up #1: Hiding the Wi-Fi network name “makes it safer”

Security by obscurity is not security at all.

Two of the offices that use wireless in the above group hid their network name (Service Set ID, or SSID) because “you can’t break into what you can’t see.” Not broadcasting the SSID may keep a client turning on his iPhone from seeing your network, but it does nothing for a hacker.

To understand why, you only need to understand the most basic thing about Wi-Fi – it’s a radio station playing roughly 100 feet in any direction. Your wireless router is “broadcasting” a signal to all devices in the area, whether they are intended to receive it or not. They broadcast back to the router when they are connected. This means that all of the traffic is in the air for anyone to see.

Broadcasting the name of this network is simply a matter of convenience for unassociated devices. Any device that wants to know what the network name is needs only look at the traffic in the air – it’s right in the data. They can also simply “ask” the router… so hiding the SSID does nothing but prevent the router from answering a question before you ask it.

Every script-kiddie and hacker wannabe knows how to find your SSID, so only hide it if there is a practical reason (keeping the list of broadcasted names down) – and don’t ever mistake it for being secure.

F-up #2: Using WPS to set up the Wi-Fi network, or leaving it active

A chain is only as good as its weakest link.

WPS, or Wi-Fi Protected Setup, was an attempt to make setting up a more secure home network both easy and foolproof for small-office and home users. It comes in two flavors, “push” and “press”. Press mode is a physical button on the router and the device, which you push to “pair” the two without having to go through the complexity of SSIDs, encryption standards, passcodes, etc. Push mode involves a single eight-digit numeric key which the user types in when associating new devices, allowing the router to send all of the network information automatically and prevent connection errors.

Because the very purpose of WPS is to facilitate hands-free setup, timeouts and lockouts are also not enforceable, meaning that all of the relevant combinations can be tried in a very short timespan.

This is all well and good, except that most consumer-level wireless routers have push-WPS enabled by default or turn it on automatically immediately after using press-WPS. To associate to a router with push-WPS, one only needs that eight-digit numeric key, which is easily brute-forced…particularly since the eight digit is nothing but a checksum of the other seven.

Because the very purpose of WPS is to facilitate hands-free setup, timeouts and lockouts are also not enforceable, meaning that all of the relevant combinations can be tried in a very short timespan. The complexities (which actually make it easier, not harder) are outside the scope of this article… but what you need to know is that leaving WPS on turns any security you have into nothing more than guessing a 7-digit pin at best.

This fairly unforgivable sin was committed by every one of the Wi-Fi networks in my complex… and if I had to guess, I’d bet that the network administrators didn’t even know it and never used WPS to set up their networks. The only workaround to this problem is to make sure to go into your router settings and disable WPS.

While you’re in there, please change your default router login and password, mmmkay? I bet it’s still admin/password or admin/12345.