How to keep my neighbors off MY network?
May 20, 2006 2:28 PM Subscribe
Two computer questions really, if that's legal. How do I make my wireless network safe, and what the heck is this cmdlog that keeps popping up in my documents.
I have a Netgear router running off my wife's desktop to give my laptop wireless access to our DSL. But I think the little slacker punks in the apartment next door are cruising on our wireless. If it were neighbors I trusted I wouldn't mind but not these trust fund brats. How do I secure it?
I also get this txt file popping up repeatedly in my documents: D2DcmdLog_D Is this just some Windows XP quirk or is there some spyware floating in here?
And yes, I am parnoid, why do you ask?
I have a Netgear router running off my wife's desktop to give my laptop wireless access to our DSL. But I think the little slacker punks in the apartment next door are cruising on our wireless. If it were neighbors I trusted I wouldn't mind but not these trust fund brats. How do I secure it?
I also get this txt file popping up repeatedly in my documents: D2DcmdLog_D Is this just some Windows XP quirk or is there some spyware floating in here?
And yes, I am parnoid, why do you ask?
Don't know about number 2 but to secure your wireless go into your router settings and turn on "WPA" encryption (if for some reason your computer wont support WPA, you can use WEP but its not AS secure (though will stop the casual user from surfing on your connection).
posted by Captain_Science at 2:45 PM on May 20, 2006
posted by Captain_Science at 2:45 PM on May 20, 2006
Best answer: Making your wireless network safe.
This does not render your network 100% safe but unless there is someone around who
1. knows you have a wireless network and
2. has advanced network sniffing tools and skills
3. is willing to sit idly for long periods of time waiting for your network to reboot
4. is malicious
5. can sit for hours within a few metres of your network without being noticed
you are pretty much completely safe
posted by zaebiz at 2:51 PM on May 20, 2006
This does not render your network 100% safe but unless there is someone around who
1. knows you have a wireless network and
2. has advanced network sniffing tools and skills
3. is willing to sit idly for long periods of time waiting for your network to reboot
4. is malicious
5. can sit for hours within a few metres of your network without being noticed
you are pretty much completely safe
posted by zaebiz at 2:51 PM on May 20, 2006
By the way don't stuff around with half-assed passwords. Use this, make it 64 characters, write it down and tape it to the underside of your monitor.
posted by zaebiz at 3:01 PM on May 20, 2006
posted by zaebiz at 3:01 PM on May 20, 2006
Best answer: There are a couple things you can do to secure your wireless hotspot. Here are they are (in descending levels of effectiveness):
1) CHANGE ROUTER DEFAULT PASSWORD! This is really, really important. If your leeches are already using your wifi, you may have been compromised already. In that case, do a hard reset (the button on the back).
2) Enable encryption. Here, you've basically got three choices:
a) WEP. WEP is the oldest and weakest type of encryption. Essentially, this is useless (there are automated tools for cracking, anybody with half a brain can download and use them), so don't enable it unless you really can't use anything else.
b) WPA (personal). WPA is newer, and better. It's more difficult to crack. If you've got a semi-old router, this will probably be the one to choose.
c) WPA2 (personal). This is the new hotness. Still crackable, but it's the best you can do. You'll have to update Windows if you want to use this.
3) Choose a secure password for your hotspot. This is also pretty important. Even if you use WPA encryption, it'll be really easy to break without a good passphrase. "password" is not a good passphrase. "QsE%jy6$53" is a good one.
4) Since you only have one laptop, you might want to enable MAC filtering. Basically, all network cards have a unique hardware address, from the factory. This is called a MAC. You can tell your router to only let your MAC address have access to the internet. It's easy to spoof (fake) an address, but filtering will add an extra layer of security for you. Kind of like those dinky little chain things you find on motel room doors.
5) Turn off SSID broadcast. This will stop your neighbours from seeing your hotspot name. Also, change the name to something cool. Just, you know, because.
There are some other things you can do, but these are the basics. Good luck to you sir, teach those punks a lesson.
ON PREVIEW: god dammit, zaebiz. I'll have to learn to type faster.
posted by Drunken_munky at 3:08 PM on May 20, 2006
1) CHANGE ROUTER DEFAULT PASSWORD! This is really, really important. If your leeches are already using your wifi, you may have been compromised already. In that case, do a hard reset (the button on the back).
2) Enable encryption. Here, you've basically got three choices:
a) WEP. WEP is the oldest and weakest type of encryption. Essentially, this is useless (there are automated tools for cracking, anybody with half a brain can download and use them), so don't enable it unless you really can't use anything else.
b) WPA (personal). WPA is newer, and better. It's more difficult to crack. If you've got a semi-old router, this will probably be the one to choose.
c) WPA2 (personal). This is the new hotness. Still crackable, but it's the best you can do. You'll have to update Windows if you want to use this.
3) Choose a secure password for your hotspot. This is also pretty important. Even if you use WPA encryption, it'll be really easy to break without a good passphrase. "password" is not a good passphrase. "QsE%jy6$53" is a good one.
4) Since you only have one laptop, you might want to enable MAC filtering. Basically, all network cards have a unique hardware address, from the factory. This is called a MAC. You can tell your router to only let your MAC address have access to the internet. It's easy to spoof (fake) an address, but filtering will add an extra layer of security for you. Kind of like those dinky little chain things you find on motel room doors.
5) Turn off SSID broadcast. This will stop your neighbours from seeing your hotspot name. Also, change the name to something cool. Just, you know, because.
There are some other things you can do, but these are the basics. Good luck to you sir, teach those punks a lesson.
ON PREVIEW: god dammit, zaebiz. I'll have to learn to type faster.
posted by Drunken_munky at 3:08 PM on May 20, 2006
Best answer: That is TOTALLY untrue, zaebiz. Completely safe, my ass.
Most things they say in that article is not true anymore. Strong passwords are always good. Some of the rest was useful at one time, but at this point, each and every one of those items is trivial to defeat. And someone can crack your network from KILOMETERS away if they have a reasonably good antenna and line of sight.
WEP encryption is so insecure that it can be hacked in under five minutes... sometimes in seconds. Once they've broken WEP, they can usually use your network freely. If you have MAC address filtering on, they can usually change their MAC to something they see in your network... so they may have to wait for you to turn your laptop off, but they can usually get access. MAC address filtering can slow down a determined attacker, but not usually for very long.
WPA and WPA2 encryption is reasonably good, and will secure your network fairly well.... there are no widely known cracks for it, at least. WEP is bad that it shouldn't even be considered encryption.
My list of things to do:
1. Use WPA or WPA2. (WPA2 uses AES, which is much stronger encryption.) If you can't use those, don't run a wireless network in your house.
2. Turn firewalling on for all other computers in your network. This will make filesharing harder, but in general, you want that. If you have a fileshare open to your laptop, it's open to anyone else who cracks the encryption. If you 'tunnel' your fileshares through Remote Desktop, it will be a little more secure.
3. Ideally, run the wireless network on a separate network segment. Unfortunately, this generally requires specialized hardware and some networking skill... this isn't something the average Joe can do.
4. Have good strong passwords on all accounts, including on the wireless AP. If your AP has the ability to refuse management connections over the wireless, enable that, and do your administration in wired mode. (this is not common, unfortunately.)
5. Change the default SSID (wireless network name), but don't think it has anything to do with security... this just prevents you from running into other networks by accident. Make your SSID untraceable to your name... don't use anything connected to you in any way. Something completely random and bizarre is best... if not, just some uninteresting name.
6. Don't worry about not broadcasting your SSID... that just screws up some clients, and wireless networks have at least three or four other ways they reveal that name. All this setting does is turn off beacon frames every few seconds. Those beacon frames announce no new information, and make your network a bit more reliable. So leave that on.
7. Static IPs don't particularly matter. Again, anyone with the least shred of brainpower will be able to see your network range and assign themselves an IP. DHCP is convenient. Use it.
8. Realize that your wireless traffic is detectable for MILES, no matter where in your house the antenna sits.
9. Shutting it off when not using it isn't a bad idea.
posted by Malor at 3:11 PM on May 20, 2006
Most things they say in that article is not true anymore. Strong passwords are always good. Some of the rest was useful at one time, but at this point, each and every one of those items is trivial to defeat. And someone can crack your network from KILOMETERS away if they have a reasonably good antenna and line of sight.
WEP encryption is so insecure that it can be hacked in under five minutes... sometimes in seconds. Once they've broken WEP, they can usually use your network freely. If you have MAC address filtering on, they can usually change their MAC to something they see in your network... so they may have to wait for you to turn your laptop off, but they can usually get access. MAC address filtering can slow down a determined attacker, but not usually for very long.
WPA and WPA2 encryption is reasonably good, and will secure your network fairly well.... there are no widely known cracks for it, at least. WEP is bad that it shouldn't even be considered encryption.
My list of things to do:
1. Use WPA or WPA2. (WPA2 uses AES, which is much stronger encryption.) If you can't use those, don't run a wireless network in your house.
2. Turn firewalling on for all other computers in your network. This will make filesharing harder, but in general, you want that. If you have a fileshare open to your laptop, it's open to anyone else who cracks the encryption. If you 'tunnel' your fileshares through Remote Desktop, it will be a little more secure.
3. Ideally, run the wireless network on a separate network segment. Unfortunately, this generally requires specialized hardware and some networking skill... this isn't something the average Joe can do.
4. Have good strong passwords on all accounts, including on the wireless AP. If your AP has the ability to refuse management connections over the wireless, enable that, and do your administration in wired mode. (this is not common, unfortunately.)
5. Change the default SSID (wireless network name), but don't think it has anything to do with security... this just prevents you from running into other networks by accident. Make your SSID untraceable to your name... don't use anything connected to you in any way. Something completely random and bizarre is best... if not, just some uninteresting name.
6. Don't worry about not broadcasting your SSID... that just screws up some clients, and wireless networks have at least three or four other ways they reveal that name. All this setting does is turn off beacon frames every few seconds. Those beacon frames announce no new information, and make your network a bit more reliable. So leave that on.
7. Static IPs don't particularly matter. Again, anyone with the least shred of brainpower will be able to see your network range and assign themselves an IP. DHCP is convenient. Use it.
8. Realize that your wireless traffic is detectable for MILES, no matter where in your house the antenna sits.
9. Shutting it off when not using it isn't a bad idea.
posted by Malor at 3:11 PM on May 20, 2006
ON PREVIEW: god dammit, zaebiz. I'll have to learn to type faster.
Don't you hate when that happens? I just got lazy and gave out the link.
posted by zaebiz at 3:11 PM on May 20, 2006
Don't you hate when that happens? I just got lazy and gave out the link.
posted by zaebiz at 3:11 PM on May 20, 2006
write it down and tape it to the underside of your monitor
*cringe*
I work in IT. This okay for your house, I guess. But please, never do this at the office.
posted by Drunken_munky at 3:13 PM on May 20, 2006
*cringe*
I work in IT. This okay for your house, I guess. But please, never do this at the office.
posted by Drunken_munky at 3:13 PM on May 20, 2006
That is TOTALLY untrue, zaebiz. Completely safe, my ass.
Oh yeah I forgot - encase yourself in a titanium box, only breathe pure oxygen and never interact with other humans or animals in case of disease. Without these you could render yourself unable to defend your network. Can never be *too* sure. ;)
posted by zaebiz at 3:19 PM on May 20, 2006
Oh yeah I forgot - encase yourself in a titanium box, only breathe pure oxygen and never interact with other humans or animals in case of disease. Without these you could render yourself unable to defend your network. Can never be *too* sure. ;)
posted by zaebiz at 3:19 PM on May 20, 2006
Two more things:
10) If you have an AP that allows you to change the amount of power that it uses to broadcast, set that power level as low as you can while still maintaining a reliable, adequately fast connection wherever you need it. The less power you use to broadcast, the less far your signal will carry. This is good both for your own security, and also to let your neighbors use wireless without interference.
11) The only channels you should use are 1,6, and 11. Channels have crosstalk, and it requires a five-channel separation to completely clear another signal. If you can see other networks in your area, be sure to choose something at least 5 channels away. If someone is broadcasting on a dumb channel, like 3... if you can figure out who it is, you might want to approach them about switching to one of the 'correct' three channels.
You may be forced to use something other than 1,6, or 11, but always try to use those first. If you're not in the US, the band goes up to 14, so you may be able to move up there if you're getting interference.
posted by Malor at 3:20 PM on May 20, 2006
10) If you have an AP that allows you to change the amount of power that it uses to broadcast, set that power level as low as you can while still maintaining a reliable, adequately fast connection wherever you need it. The less power you use to broadcast, the less far your signal will carry. This is good both for your own security, and also to let your neighbors use wireless without interference.
11) The only channels you should use are 1,6, and 11. Channels have crosstalk, and it requires a five-channel separation to completely clear another signal. If you can see other networks in your area, be sure to choose something at least 5 channels away. If someone is broadcasting on a dumb channel, like 3... if you can figure out who it is, you might want to approach them about switching to one of the 'correct' three channels.
You may be forced to use something other than 1,6, or 11, but always try to use those first. If you're not in the US, the band goes up to 14, so you may be able to move up there if you're getting interference.
posted by Malor at 3:20 PM on May 20, 2006
One more:
It might be good to change the IP that your router takes. So for example, instead of going to "192.168.1.1" for admin, change it to "192.168.1.32". Make sure you remember what you change it to, though.
Again, most of these things won't stop anyone who really wants in, but I'm willing to bet it'll keep out your garden variety neighbour.
posted by Drunken_munky at 3:24 PM on May 20, 2006
It might be good to change the IP that your router takes. So for example, instead of going to "192.168.1.1" for admin, change it to "192.168.1.32". Make sure you remember what you change it to, though.
Again, most of these things won't stop anyone who really wants in, but I'm willing to bet it'll keep out your garden variety neighbour.
posted by Drunken_munky at 3:24 PM on May 20, 2006
zaebiz, you have no business telling anyone that wireless is completely safe. You are making an implied promise that A) is not true, and B) may cause other people to make mistakes that can get them in serious legal trouble.
If someone hacks their wireless and uses it for cracking attempts or to send spam, it's their ass on the line. And the government has taken absolutely draconian powers and can make their lives miserable.
Using the words 'completely safe' is irresponsible, given the severity of the potential consequences of getting it wrong.
posted by Malor at 3:25 PM on May 20, 2006
If someone hacks their wireless and uses it for cracking attempts or to send spam, it's their ass on the line. And the government has taken absolutely draconian powers and can make their lives miserable.
Using the words 'completely safe' is irresponsible, given the severity of the potential consequences of getting it wrong.
posted by Malor at 3:25 PM on May 20, 2006
Malor writes "If someone hacks their wireless and uses it for cracking attempts or to send spam, it's their ass on the line. And the government has taken absolutely draconian powers and can make their lives miserable. "
I've heard this said again and again, but is it true? Legally, the hacker is responsible for his own actions, is he not? Has this ever actually happened?
posted by mr_roboto at 3:30 PM on May 20, 2006
I've heard this said again and again, but is it true? Legally, the hacker is responsible for his own actions, is he not? Has this ever actually happened?
posted by mr_roboto at 3:30 PM on May 20, 2006
Legally, the hacker is responsible for his own actions
I think what malor is saying is that the burden of responsibility is on the connection holder. If hack you, start doing something illegal, and get caught, the trace will go back to you. After I disconnect, how will you prove it was somebody else?
posted by Drunken_munky at 3:35 PM on May 20, 2006
I think what malor is saying is that the burden of responsibility is on the connection holder. If hack you, start doing something illegal, and get caught, the trace will go back to you. After I disconnect, how will you prove it was somebody else?
posted by Drunken_munky at 3:35 PM on May 20, 2006
Realize that your wireless traffic is detectable for MILES, no matter where in your house the antenna sits.
Detectable for miles? Maybe. Coherent and readable? You're dreaming. Inside a typical home network has a range of about 100-200 feet. In an open environment, maybe 1000 feet. You are just confusing the guy.
What I said above was true. Provided any of the above is untrue, you are pretty much completely safe. Don't use WEP yes and follow the list.
posted by zaebiz at 4:10 PM on May 20, 2006
Detectable for miles? Maybe. Coherent and readable? You're dreaming. Inside a typical home network has a range of about 100-200 feet. In an open environment, maybe 1000 feet. You are just confusing the guy.
What I said above was true. Provided any of the above is untrue, you are pretty much completely safe. Don't use WEP yes and follow the list.
posted by zaebiz at 4:10 PM on May 20, 2006
Don't waste your time with MAC filtering or SSID hiding. They will not do a damn thing to keep out anyone but the most incompetent or accidental users. Relying on these for protection would be like putting a post-it note on your front door that said "Door is kept locked all the time" without actually locking the door.
The six dumbest ways to secure a wireless LAN
posted by Rhomboid at 4:55 PM on May 20, 2006
The six dumbest ways to secure a wireless LAN
posted by Rhomboid at 4:55 PM on May 20, 2006
That "6 dumbest ways to secure a wireless lan" link is ... well, dumb. 3 of the things he attacks are perfectly valid as components of good security. The "security through obscurity is bad, m'kay?" meme is bad, m'kay?
MAC filtering : he compares it to a security guard checking nametags. Well, yeah - but that's still better than not checking for names like Richard Reid or Mohamed Atta.
Disabling SSID broadcast : Yup, deep down you're not hiding anything - but it stops the casually curious, particularly if you're the kind of person that insists on giving descriptive names like "Finance_Dept" to your access points (and yes, I have seen that one, apparently emanating from the Stock Exchange building in my city...)
Antenna placement : minor, but it does help, providing you're not compromising the coverage you need. There's no need to place the AP next to an external window (which is where the aforementioned Finance_Dept AP seemingly was, as I was able to get 90+% signal inside a residential unit across the river...)
None of these are even remotely approaching secure by themselves - but as part of a considered approach to security, there's nothing wrong with them. The best you can do for WiFi in general is use WPA2, WPA, or WEP (in order of preference). If you need more security than that then you should either be tunneling something secure (like SSH) over it was well, or not be using consumer-grade hardware...
posted by Pinback at 6:31 PM on May 20, 2006
MAC filtering : he compares it to a security guard checking nametags. Well, yeah - but that's still better than not checking for names like Richard Reid or Mohamed Atta.
Disabling SSID broadcast : Yup, deep down you're not hiding anything - but it stops the casually curious, particularly if you're the kind of person that insists on giving descriptive names like "Finance_Dept" to your access points (and yes, I have seen that one, apparently emanating from the Stock Exchange building in my city...)
Antenna placement : minor, but it does help, providing you're not compromising the coverage you need. There's no need to place the AP next to an external window (which is where the aforementioned Finance_Dept AP seemingly was, as I was able to get 90+% signal inside a residential unit across the river...)
None of these are even remotely approaching secure by themselves - but as part of a considered approach to security, there's nothing wrong with them. The best you can do for WiFi in general is use WPA2, WPA, or WEP (in order of preference). If you need more security than that then you should either be tunneling something secure (like SSH) over it was well, or not be using consumer-grade hardware...
posted by Pinback at 6:31 PM on May 20, 2006
Response by poster: My thanks to you all, especially Zaebiz, Munky, and Mallor. Jeez, I didn't mean to start a flame war. Just want to remove a couple of freeloaders from my network so they are forced to borrow money from their parents to afford 52K dial-up.
And yeah, I am guilty of having the Roxio 6.0 program. What a piece of crap that is but it has a decent labeling system that I am used to so I am not going to change to something else.
Again, thank you all for your spirited advice.
posted by Ber at 7:34 PM on May 20, 2006
And yeah, I am guilty of having the Roxio 6.0 program. What a piece of crap that is but it has a decent labeling system that I am used to so I am not going to change to something else.
Again, thank you all for your spirited advice.
posted by Ber at 7:34 PM on May 20, 2006
In case there's anyone still reading this thread.... zaebiz, you're just wrong. "Completely safe" CANNOT be used with wireless networking. Using those words is irresponsible.
Broadcast signals don't just go away. You assert that these signals can't be heard from a few hundred feet away, but that's garbage.
You're probably familiar with Bluetooth, right? It's very similar to WiFi, but it's designed to work over a very short distance, usually about 10 feet. It's very low power, far weaker than any WiFI signal, and it's in the same band, so it's essentially the same thing, writ small. Here are plans for a Bluetooth Sniper Rifle, buildable for $400, that can snoop and attack Bluetooth devices from over a mile away.
WiFi would be vulnerable from a lot further, with the same style antenna. These are coherent, finished plans available to anyone on the Net.. it's not pie-in-the-sky somewhere, it's RIGHT THERE and you could build it yourself.
You're not qualified to give advice on wireless security. Giving security advice is dangerous. You can get people in a lot of trouble if you tell them the wrong thing. Using the words "completely safe" is simple and direct proof that you do not know enough about the field to give advice.
Folks who follow the list of things I put up there are harder targets, but they are by no means impenetrable. Fortunately, most of the time, you just have to be a harder target than your neighbors... but not always.
There is no such thing as completely safe wireless networking.
Ber: best of luck with your miscreants. I hope you do manage to shut them out.
posted by Malor at 12:13 PM on May 21, 2006
Broadcast signals don't just go away. You assert that these signals can't be heard from a few hundred feet away, but that's garbage.
You're probably familiar with Bluetooth, right? It's very similar to WiFi, but it's designed to work over a very short distance, usually about 10 feet. It's very low power, far weaker than any WiFI signal, and it's in the same band, so it's essentially the same thing, writ small. Here are plans for a Bluetooth Sniper Rifle, buildable for $400, that can snoop and attack Bluetooth devices from over a mile away.
WiFi would be vulnerable from a lot further, with the same style antenna. These are coherent, finished plans available to anyone on the Net.. it's not pie-in-the-sky somewhere, it's RIGHT THERE and you could build it yourself.
You're not qualified to give advice on wireless security. Giving security advice is dangerous. You can get people in a lot of trouble if you tell them the wrong thing. Using the words "completely safe" is simple and direct proof that you do not know enough about the field to give advice.
Folks who follow the list of things I put up there are harder targets, but they are by no means impenetrable. Fortunately, most of the time, you just have to be a harder target than your neighbors... but not always.
There is no such thing as completely safe wireless networking.
Ber: best of luck with your miscreants. I hope you do manage to shut them out.
posted by Malor at 12:13 PM on May 21, 2006
This thread is closed to new comments.
"A. You probably have installed Roxio Easy CD and DVD Creator 6.0 CD burning program. That file is Drag 2 Disc's empty log file. You cannot delete it because that program is running in the background. It's not a problem"
posted by thatwhichfalls at 2:44 PM on May 20, 2006