The other question that came out of my recommended DD-WRT settings was why not filter MAC addresses. I hate to be flip, but MAC address filtering doesn’t help, so why bother?
The reason is because your MAC addresses are broadcast as part of the network traffic, and it’s unencrypted. So your MAC addresses aren’t any secret at all. So it doesn’t do any good. One could argue it doesn’t do any harm. But it adds an extra step every time you put something on your wireless network. Why go to the inconvenience if you don’t gain anything from it?
I got a couple of questions about my recommended DD-WRT settings, but I’m going to start with the question about why not to hide the SSID. It actually turns out that hiding your SSID is bad for you, and makes your security worse. I’ll explain.
I’ve been asked a few times now for my recommended DD-WRT settings, or at least my good-enough settings. I think that’s a great idea, so I’ll walk through how I configure a DD-WRT router. Follow these steps and I can almost guarantee you’ll have the most secure network on your block.
For the purposes of this tutorial, I am going to assume you are configuring DD-WRT as your primary router.
My neighbor asked me for advice on setting up wi-fi in his new house. I realized it’s been a while since I’ve written about wi-fi, and it’s never been cheaper or easier to blanket your house and yard with a good signal.
Blanketing your house and yard while remaining secure, though, is still important.
This weekend Lifehacker advised against using things like your name and address as your wifi network name or SSID–if you’re targeted for attack, it makes you that much easier to find when your wifi name is your name or address.
When I set up a wifi network, I usually set the name to the time of day. That way the network name ends up just being a meaningless, useless number, with no clues as to who owns it, or who the broadband provider is. Clever names draw attention, and you don’t want to draw attention.
Let’s talk about two other common security measures that you probably shouldn’t do.
Last year I bought my mother in law a D-Link router, an oddball DIR-615 revision E1 that was only sold at a few stores. It was supposed to be a Fry’s exclusive, but I bought hers at Micro Center. It worked for a while, then gave her trouble, so this year I was working with it again, and when I was setting it up, I noticed it had some security vulnerabilities–remote code execution, UPnP vulnerabilities, and who knows what else. So that got me some practice upgrading a D-Link DIR-615 to DD-WRT.
DD-WRT’s track record and attitude towards security research could be better, but I’d rather trust my mother in law to DD-WRT’s B+ security than D-Link’s F.
My mother in law didn’t have wifi set up, but she picked up a smart TV this year, so she asked me if I could help her with it. So I picked up a D-Link DIR-615 on sale, brought it with me and set up wi-fi securely (hints: set the SSID to whatever time it happens to be, disable WPS, disable WEP and WPA, and use WPA2 with a long password with some numbers and symbols in it) and once it seemed to be working right, I put her TV and laptop on it. Then, as other relatives trickled in, they asked me for the wireless key. Soon the air was full of Androids and Apples chattering away on wireless.
She said she never realized how often we use our smartphones and tablets. Any time a question came up, someone whipped out a device and looked up the answer.It was nice, and it was a cheap project. Grab a name-brand wireless router on sale, grab a couple of extra CAT5e cables from Monoprice just in case, and you can be a hero for about the cost of dinner for two at any restaurant with sit-down table service. Maybe less.
While you’re ordering stuff from Monoprice, it probably wouldn’t hurt to pick up a small assortment of cheap USB and HDMI cables too, just in case anyone gave an electronic gadget to someone else and didn’t realize gadgets are more likely to come with batteries than with cables these days.
I’m a security professional by trade, with two certifications. I’m not responsible for defending your computer networks, but I want your networks to be secure. There’s a really simple reason for that. If your computer and your network is secure, then it isn’t attacking mine. Or anyone else’s.
Several fellow subscribers to a train-related interest group that I like got hacked recently, and have been sending out spam messages. They’ve received a lot of advice in the hours since. Some of it has been good, and some not as good. So I tried to think of some things that people could do in about 30 minutes to keep the crooks at bay.
Incidentally, the computer crooks won’t be going away. Computer crime happens because the criminals can make more money doing that than doing something legal. The only way to make it stop is to make it too hard, so that getting a real job becomes more profitable. You won’t solve that problem in 30 minutes, but if we all take that single step down that road, we’ll make the world that much safer. So, with that, let’s roll up our sleeves. Read more
A reader who will remain anonymous (he can out himself if he wishes) sent me an interesting observation. He was in his doctor’s office last week, and out of curiosity, he ran a wifi scanner on his phone just to see what networks were available and how they were secured.
What he saw wasn’t pretty. Especially considering he was in a building full of doctors, lawyers, and financial advisors. Read more