If you need an inexpensive DD-WRT compatible router, TP-Link is probably your best choice. But there are some big differences when you compare the TL-WR840n vs the TL-WR841n.
I spent some time over the weekend playing with Pfsense, and I can’t say much about it other than it does what it says. I didn’t throw a ton of hardware at it–the best motherboard I have lying around is a late P4-era Celeron board, and the best network card I could find was, believe it or not, an ancient Netgear 10/100 card with the late, lamented DEC Tulip chipset on it. Great card for its time, but, yeah, nice 100-megabit throughput, hipster.
If you actually configure your routers rather than just plugging them in, you can do this. Plug in a couple of network cards, plug in a hard drive that you don’t mind getting overwritten, download Pfsense, write the image file to a USB stick, boot off the USB stick, and follow the prompts. Then, to add wireless, plug in a well-supported card like a TP-Link and follow the howto.
What can you do about it?
I see the advice going around, again, to disable the Windows firewall and rely on an external router, the justification being that it makes your computer “invisible.” It doesn’t. Only IPv6 can do that–and then, only if you don’t use it for anything.
The trouble with that advice is that there are botnets targeting routers. Routers are nothing special; they’re small computers running Linux on an ARM or MIPS CPU, typically outdated versions with old vulnerabilities that can be exploited by someone who knows what to look for. One example of this is the Aidra botnet. Typically Aidra is used to attack outside targets, but it’s not outside the realm of possibility for an infected router to turn on and attack the machines it’s supposed to protect. And if you’ve turned off your firewall, then you have no protection against that.
If you own a Linksys WRT54GL or EA2700 router, both devices have serious security vulnerabilities. Serious enough that the only way to continue using them safely is to load an alternative firmware such as DD-WRT on them. That’s not entirely a bad thing; DD-WRT is more capable, and unlike most consumer-oriented firmware, allows you to disable WPS.
The EA2700, in particular, is so trivially easy to hack it’s laughable–all it takes is entering a predictable URL into a web browser. That’s it.
John C Dvorak is raving in PC Magazine about Netgear wireless routers and range extenders and how easy WPS makes it to set them up–and providing some very seriously flawed security advice along the way.
“Note that WPS is crackable by serious hackers using brute-force attack, but any SOHO user not dealing with government secrets should be fine.”
A common piece of well-meaning advice you’ll hear is that you should never use software firewalls. But is that good advice, or bad?
On the surface, it’s good advice. It’s much better to use the firewall built into a cable/DSL router. But the software firewall built into Windows XP, Vista, 7, and (presumably) 8 makes for a good second line of defense, so I don’t recommend disabling it.
I’ll explain further.
If you’ve been procrastinating about deploying 450-megabit (802.11n) wi-fi to your house, I have a reason for you to procrastinate a while longer: Gigabit wireless (802.11ac).
It’s only about twice as fast as its predecessor, which pales next to the 8x improvement 802.11n provided over 802.11g, but if you’re wanting to stream HD media through your house, you’ll notice the difference.
It was 1998. I was getting ready to network my two PCs, so I asked my friendly neighborhood networking professional what to buy. He didn’t hesitate. “Intel or 3Com,” he said. “Cheap NICs will talk, but they’ll start acting flaky after a while, dropping packets in the middle of transfers, stuff like that.”
I couldn’t afford 3Com or Intel at the time, so I bought a cheap “SOHOware” brand bundle that included two 10/100 NICs, a hub, and cables for around $150. A comparable first-tier setup would have run me twice that. The hub died after a couple of years. The cards fared better. “After a while” took 11 years or so to come, and I finally got sick enough of it to retire my last one.
It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.
Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.
“Hypothetically speaking, if you lived next door to me, how long would it take you to get into my wi-fi network?” I asked him.
Surprisingly–at least it surprised me–if you use WPA2 with a strong password, you can make it take years. While I can’t keep him out indefinitely, it’s entirely possible to make it so difficult that anyone not specifically targeting me will just move on to someone else. And you can too.
Why should I care?
Perhaps you heard in the last couple of years about credit card information being leaked out of TJ Maxx and Marshalls store networks. A 29-year-old Cuban-American named Albert Gonzalez admitted to the theft and re-selling of 170 million credit card numbers from 2005-2007. He stole them off poorly secured wireless networks.
The September 2010 issue of Hakin9 magazine (hakin9.org) details the crime, and how it could have been prevented.
WhiteQueen pointed me to page 47, which showed a diagram of Gonzalez’ wardriving setup. All of the equipment is easily obtained, or fabricated using instructions that are readily available.
If your password is something like “popcorn,” he can break it in less than 45 minutes. Dictionaries containing a couple million possible weak passwords exist.
So, what’s a good password? He recommends something 14-25 characters long, mixed case, with a couple of numbers and special characters, not substituting numbers and symbols for vowels, l337-style. th!sIz@s3cur3p@ssw0rd! isn’t quite what it claims to be. Use a random password generator, he says. A Google search will turn up web pages that will generate them for you.
You don’t have to type that password all that often, he said, so the pain/security tradeoff isn’t all that high.
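An added example, not from the original post or from WhiteQueen: a passphrase generator you can run locally instead of relying on a web page, plus a check that shows why the l337-style password above still falls to a dictionary. The function names, the substitution table and the four-word sample wordlist are assumptions made for illustration.

```python
import math
import secrets
import string

# 94 typable ASCII characters; space is left out so no passphrase starts or
# ends with an invisible character. WPA2 passphrases are 8 to 63 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Common l337 substitutions, undone the way a cracking rule set would undo them.
LEET = str.maketrans("!@301$574", "iaeolssta")

# Constructed sample wordlist; real dictionaries hold millions of entries.
WORDS = ("popcorn", "password", "secure", "this")


def generate_passphrase(length=20):
    """Return a random passphrase containing all four character classes."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole string rather than patching it, so every
        # passphrase that satisfies the rule stays equally likely.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length):
    """Upper bound on entropy for a uniformly random passphrase."""
    return length * math.log2(len(ALPHABET))


def leet_words_in(password, words=WORDS):
    """List dictionary words that appear once l337 substitutions are undone."""
    normalized = password.lower().translate(LEET)
    return [w for w in words if w in normalized]


if __name__ == "__main__":
    print(leet_words_in("th!sIz@s3cur3p@ssw0rd!"))
    print(generate_passphrase(20), round(entropy_bits(20)), "bits")
```

The secrets module draws from the operating system's cryptographic random source, which is what makes the output suitable for a passphrase; the random module is not.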
WPA2 vs. WPA vs. WEP
You can forget about WEP. There are enough vulnerabilities in WEP that he can break it in minutes. WEP is effectively like the lock on your screen door, only useful for keeping honest people out.
Consider this. There are free tools that run on Android that crack WEP. You can’t install them from Google’s app store–you have to root the phone–but anyone with a little determination can do it. It might take a typical Android phone from 2010 30 minutes to break a WEP network, but 2011’s phones should be able to do it in about five, which is about how long it takes an Atom netbook, circa 2010, to do the job.
WPA is better, but it also has vulnerabilities. There are automated tools for breaking WPA too. For $17, WPA Cracker will attempt to break a WPA network, and on average, it takes 40 minutes. And it’s not the only option out there.
If you’re serious about keeping someone with his abilities out, use WPA2.
You can increase the security of your WPA or WPA2 network by hibernating or turning off your laptop when you’re not using it. Attacks against WPA require something with an active connection to be using it at the time.
Setting your SSID to not broadcast is an old security trick, but it doesn’t gain you much anymore.
He said you might as well broadcast your SSID. Wireless networks just work better if you broadcast it, and you don’t slow a hacker down very much by not broadcasting it. You just make the hacker stop and run a tool to look for hidden SSIDs. Not broadcasting the SSID hurts you a lot more than it hurts him, he said.
But don’t include easily identifiable information in your SSID. Keep your last name, house number, and street out of it. Personal information not only helps an attacker identify his target, but it also helps a hacker create a personalized dictionary to run against your network.
Pick something with no connection to you. The more meaningless, the better. The more bland, the better. Don’t make it something that identifies your network as belonging to you, and don’t make it something that makes it look like you’re hiding something interesting.
The best is just a plain old number (other than your house number), or random gibberish.
WhiteQueen said there are mainly two reasons a lowlife might want to get into a network. Either you have data he wants, or he wants to use your network to jump off and do something else. That could be jumping off to hack another network, effectively using you to cover his tracks. Or it could be downloading illegal stuff he doesn’t want to use his own network to download.
Preventing the second case is easy. If your network is harder to hack than your neighbors’, that guy will always pick the guy whose network is wide open, or the guy who never changed his password from the factory default, or the guy who’s still running WEP.
So, the simple advice of using WPA2 with a strong password protects you from that guy.
For extra protection against someone who specifically wants to get into your network to get at your data, he recommends a second router. Or turn off wi-fi completely.
Plug your modem into one router. Assign that router an address space of 10.something. You can set the password to something your laptop-toting houseguests won’t mind typing in, but of course, you want to balance enough strength into it so that passers-by jump on someone else’s network instead of abusing yours. Ten characters, mixed case, with one number and one special character would be reasonable.
Then, plug a second router’s WAN port (not one of its Ethernet ports) into a LAN port in the first router. Assign that router a 192.168 address space. Either turn off its wireless, or turn on WPA2 and assign a nice, strong password to it. Plug your desktop PCs, your NAS, and that kind of stuff into the second router.
For the security paranoid, the two routers should be different. Different revisions of the same model could be OK (such as an early, pre-v5 Linksys WRT54G or WRT54GL based on Linux and a later v5-v8 WRT54G based on VxWorks), but different models or different brands entirely is better. That way, if someone uses a vulnerability in one to get through, he still has to get through a second one to get to your network. Of course, don’t forget to change the default passwords on your routers.
Vulnerabilities in wireless routers do come up from time to time. http://www.cvedetails.com/ has a nice database of vulnerabilities, which you can search by vendor and product. Fortunately, vulnerabilities that crash the router are a lot more common than vulnerabilities that let someone come in and do something.
Fixing them is just a matter of downloading the latest firmware from the vendor and installing it.
Hakin9 adds another step: Lock down the router to allow a limited number of connections. If you have two computers, set the router to only allow two connections. Then hard-code the MAC address of those machines. The procedure to do this varies from router to router.
The moving target
It took about five years for a vulnerability to be found in the original WPA. And brute-force attacks–trying every possible password–are much more practical now than they were in years past. The typical $500 consumer PC of today is a supercomputer compared to anything that was available in 2001.
So far, there are no known vulnerabilities in WPA2, so in 2010 the only way in is to use brute force.
Here’s some good news: A dictionary suitable for cracking 8-character passwords using all 95 of the easily typable characters on the U.S. keyboard would require approximately 11.91 petabytes to store. The largest available hard drive in 2010 is 3 terabytes–an order of magnitude smaller–so it’s safe to say we’re still a few years away from being able to store that kind of information on the desktop.
A dictionary file suitable for hacking 14-character passwords consumes a mere 4 brontobytes. What’s a brontobyte? One brontobyte would hold approximately 1,000 copies of the World Wide Web, circa 2010, in its entirety.
This is a bit of an oversimplification, but in 1990, consumer hard drives were measured in megabytes. In 2000, they were measured in gigabytes, and today, in 2010, they’re measured in terabytes. We may be pushing 2020 before we get to petabytes. So it’s more likely that someone will discover a flaw in WPA2 before that’s practical to store. But that, too, will take time.
But don’t feel too secure. A hacker who wants in will throw every dictionary he has at you. And WhiteQueen said hackers tend to collect passwords as they discover them, and add them to their dictionaries. He said humans aren’t very good at being random, so when they find a password one human used, there’s a good chance another human will use it.
The second-best thing you can do is stack the odds in your favor. The best thing you can do is keep your wi-fi turned off.