Lock Out Internet Pests, Lock In Network Security
Technologies that provide us with the greatest benefits often also expose us to great risks. In the case of the Internet, the risk is to your privacy, your files, your identity, and your precious bandwidth. This month an expanded Internet Tips digs a little deeper into two security areas that are becoming bigger issues to all users: wireless networks and file sharing.
The main drawback to a home or small-business network is the wiring. That's why wireless networking is the greatest advance since, well, the Internet. Just buy a wireless access point or router (using either the 802.11b or the faster 802.11a wireless protocol, also known as Wi-Fi and Wi-Fi5, respectively) and a few wireless client cards, install them, and boom--you can check your e-mail at the kitchen table, in bed, or just about anywhere else within a one- or two-block radius.
But therein lies the problem: Unless you've enabled the wireless router's security features, you may be sharing your Net connection with anybody who cruises slowly by carrying a wireless-enabled notebook PC or PDA and a copy of NetStumbler.com's NetStumbler software for detecting networks. (Wireless-network infiltrators are known as war drivers; see this month's Privacy Watch to learn more about war driving.) If your network has been insecure for a while, it may even show up in NetStumbler.com's nationwide database of wide-open wireless networks (check it--and look out front for parked cars filled with notebook users).
Bandwidth theft isn't the worst part of leaving your wireless network insecure, however. A knowledgeable person can easily capture and view the contents of your wireless-network traffic, including e-mail messages and log-in passwords, or hijack your online identity for nefarious purposes, such as using your network and computers to attack other systems.
Security in the current Wi-Fi versions is inherently flawed. Until the more secure 802.11i version of Wi-Fi is approved, you can't fully secure your network against war drivers. But by employing multiple security techniques, you can make cracking into your Wi-Fi LAN difficult enough that access thieves will simply move on to another, less secure network.
Your unsecured home or office network isn't your only vulnerability, however. If the public Wi-Fi network you connect to at an airport, hotel, or coffee shop is unsecured, your passwords, e-mail, and other data are at risk. The person sitting next to you may be there for the cracking, not for the coffee. Here's how to stay safe:
Enable WEP: The 802.11b and 802.11a protocols each include an optional security element called Wired Equivalent Privacy (WEP) that authenticates anyone who wants to access the wireless network and encrypts all traffic. WEP is flawed in a number of ways that must drive the average cryptography expert right up the wall (University of Maryland computer science professor William A. Arbaugh gathers the damning evidence at "802.11 Security Vulnerabilities"). Still, some security is better than no security. Your Wi-Fi hardware manuals will tell you how to enable WEP.
Use 128-bit WEP: Wi-Fi equipment supports WEP encryption of either 40 bits or 128 bits. The weaker 40-bit WEP cipher, combined with WEP's other documented flaws, makes a system easy to crack. Nota bene: To use 128-bit WEP, you must first make sure that all wireless devices on the network support it. Enabling 128-bit WEP on your entire network might justify the expense of replacing your cards that don't support this higher-level security.
Choose good pass-phrases, or go hexadecimal: Part of the process of enabling WEP is to choose a pass-phrase. Unfortunately, an easily guessed pass-phrase makes WEP even simpler to bypass. Mix upper- and lowercase letters with nonalphabetic characters, don't use real words (including foreign ones), and avoid transparent tricks such as shifting your hands a key to the side, up, or down before typing an obvious password (like password), or making predictable character substitutions (such as pa55w0rd in place of password). Seasoned war drivers have dictionaries and other tools that run through all these tricks and permutations in no time.
Luckily, the pass-phrase is a convenience you can skip if you want--just make up your own hexadecimal WEP key (a series of two-digit hex numbers) and type it into the setup screens of your wireless router and card (see FIGURE 1). Hexadecimal (base 16) numbers start with zero and use the letters A through F as single-digit equivalents of the decimal (base 10) numbers 10 through 15, yielding two-digit quantities like 0B (decimal 11) and FF (decimal 255). Avoid building memorable keys using hex homonyms like A1, 3D, 4F, 2B, B4--the crackers have already thought of that, and they're looking for it.
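As an added illustration (not part of the original column), the Python script below generates a random hex WEP key of the right length for 40-bit or 128-bit WEP and checks a hand-typed key for the traps just described: non-hex characters, wrong length, repeated bytes, and keys assembled from memorable hex "words". The short list of hex words and the detail that a "128-bit" key is 26 hex digits (the marketing name counts the 24-bit IV that is sent in the clear) are assumptions not stated in the article.

```python
import re
import secrets

# "40-bit" and "128-bit" WEP count the 24-bit IV that travels in the clear;
# the secret you actually type is 40 bits (10 hex digits) or 104 bits (26 hex digits).
WEP_KEY_LENGTHS = {40: 10, 104: 26}

# Memorable hex "words" of the kind the article warns against. The two-digit
# ones are the article's own examples; the longer ones are assumed hex-speak favourites.
HEX_PAIR_WORDS = {"A1", "3D", "4F", "2B", "B4"}
HEX_LONG_WORDS = ("DEAD", "BEEF", "CAFE", "BABE", "FACE", "FEED", "C0DE")

def normalize_hex_key(key: str) -> str:
    """Strip the separators setup screens often show (spaces, colons, dashes)."""
    return re.sub(r"[\s:-]", "", key).upper()

def check_wep_key_hex(key: str) -> list:
    """Return a list of problems with a hand-typed hex WEP key; [] means it passes."""
    k = normalize_hex_key(key)
    problems = []
    if not re.fullmatch(r"[0-9A-F]*", k):
        problems.append("contains characters that are not hex digits")
    if len(k) not in WEP_KEY_LENGTHS.values():
        problems.append(f"{len(k)} hex digits; WEP keys are 10 (40-bit) or 26 (128-bit)")
    pairs = [k[i:i + 2] for i in range(0, len(k) - 1, 2)]
    # a key that is mostly A1/3D/4F-style syllables is a dictionary word in disguise
    if pairs and 2 * sum(p in HEX_PAIR_WORDS for p in pairs) >= len(pairs):
        problems.append("built from memorable hex syllables")
    if any(w in k for w in HEX_LONG_WORDS):
        problems.append("contains a hex-speak word such as DEAD or BEEF")
    # too few distinct byte values: 0000000000, ABABABABAB and friends
    if pairs and len(set(pairs)) <= max(2, len(pairs) // 3):
        problems.append("too repetitive (few distinct byte values)")
    return problems

def generate_wep_key_hex(bits: int = 104) -> str:
    """Draw a key from the OS CSPRNG, redrawing in the rare case the checker objects."""
    if bits not in WEP_KEY_LENGTHS:
        raise ValueError("bits must be 40 or 104")
    while True:
        key = secrets.token_hex(bits // 8).upper()
        if not check_wep_key_hex(key):
            return key

if __name__ == "__main__":
    print("128-bit WEP key:", generate_wep_key_hex(104))
    for sample in ("A13D4F2BB4", "pa55w0rd", "0000000000"):
        print(sample, "->", check_wep_key_hex(sample) or "ok")
```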
Encrypt your e-mail log-in: One way to prevent snoops from snatching your mail server password is to use one of several secure log-in methods that encrypt the password before it travels across the network to your ISP's or company's server. Ask tech support which method, if any, is supported; then enable it in your e-mail program. Most support both Secure Password Authentication (SPA) and Secure Sockets Layer (SSL) log-ins (see FIGURE 2).
Use IPSec or a VPN: You can replace WEP altogether with one of two better-designed encryption and authentication protocols, although doing so is not for the tech-timid, and it's not cheap. IPSec adds authentication and encryption to the Internet Protocol (IP) networking protocol--the IP in TCP/IP. As long as both your computer and the wireless router or access point that it communicates with support IPSec, you can skip WEP. Windows XP supports IPSec (for instructions on enabling it, choose Start, Help and Support and search for IPSec to view a list of articles on the topic). Though wireless routers that support IPSec also exist, that $150 unit you picked up at CompUSA probably doesn't.
Virtual private networks are a different technology; a VPN creates a secure, encrypted tunnel running between your PC and a remote device (such as a router or your firm's mail server). Again, your operating system and router each need to support VPN connections (most versions of Windows do, but some routers do not). VPNs also provide an excellent solution to the insecurity of public wireless access.
Use 802.1x: Not content to wait around for the more secure 802.11i, several network product vendors support an ad hoc preliminary version called 802.1x that avoids most of WEP's weaknesses. As with IPSec and VPNs, both your wireless access point or router and the PC that communicates with it must speak 802.1x. Windows XP supports this protocol.
Install a firewall on every computer: Since the wireless network is essentially insecure, every computer on your LAN is basically unsafe. Installing one of the free firewalls mentioned earlier and setting it to allow access only to specific known machines on your network as needed (to share a printer, for example) will add an extra dollop of protection to keep Internet pests at bay and security at hand.
Share Files Securely
Programs like Kazaa, Morpheus, and BearShare seem too good to be true. Free files, forever! The legal and moral issues surrounding file sharing are complex, and not all file sharing is criminal. (For more on this issue, see "Hollywood vs. Your PC.") Still, you could inadvertently get into serious trouble using one of these programs.
As with Web browsing, e-mail, or any other technology that downloads files to your computer, you could contract a virus or Trojan horse that may destroy data or let someone else control your computer remotely. A recent Hewlett-Packard Labs project found that a surprising number of Kazaa users were unknowingly sharing e-mail in-boxes, browser cookies, financial data, and other personal files (for details, see "Researchers Find Security Hole in KaZaA Multimedia File-Sharing Service"). To reduce your vulnerability but still search for those images and sounds, follow these steps:
Skip the spyware: Most commercial file-sharing tools install spyware, adware, or other bandwidth-eating, intrusive utilities you don't want. You can usually choose to block them just by paying attention during installation. However, you can also safely remove unwanted spyware using Lavasoft's Ad-aware. Someone found a way to remove the unwanted applications from Kazaa, creating an underground version called Kazaa Lite. Naturally, Kazaa's owners are doing their best to shut him down, but you can still find and download Kazaa Lite by searching the Zeropaid.com file-sharing site. Better yet, use a noncommercial file-sharing tool that doesn't foist unwanted wares on you at all. My current favorite is Gnucleus, the open-source program that the current version of Morpheus is based on.
Shut the barn door: Make sure you use firewall and antivirus software. Sygate's Personal Firewall and Zone Labs' ZoneAlarm--free versions of PC World's two top-ranked commercial firewalls--are available for download (for reviews of the Pro versions of these two programs, see July's "Protect Your PC").
Don't share private files: Your file-sharing program creates default upload and download directories. If you dislike the default file-sharing folder location, make another one, but keep it separate from your personal data files (see FIGURE 3). And remember: You're sharing not just the shared folder, but every subfolder it contains as well. Those who are truly paranoid (a good thing, in my opinion) can disable file uploads completely.
Don't download viruses: In general, you won't receive a virus from sharing a file if you stick to downloading standard text, image, audio, and video file formats. Your file-sharing program may include filtering to block the download of dangerous types, including .exe, .vbs, and .scr. Archive files--those ending with the .zip, .rar, .sit, or .arj extension, for example--aren't inherently unsafe but still can contain just about anything, including a virus- or Trojan horse-laden file.
Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Scott Spanbauer is a contributing editor for PC World.
SpamNet: The Napster of Outlook Spam Blocking
When it comes to eradicating spam, no one tool or technique is best. PC World recently recommended McAfee's SpamKiller as the best all-around antispam utility, in part because it works with a variety of e-mail programs. Nick Bolton's MailWasher ($20 donation requested) helps you nuke spam from your mail server before you even download it. Both are excellent tools, but I sometimes long for a spam eater that does its job without requiring my personal attention. Cloudmark's free SpamNet may be the answer. The program works exclusively with Microsoft Outlook 2000 and XP (the company says Outlook Express compatibility is on the way). It requires that you first download mail to fry spam, but it managed to find nearly every unsolicited commercial e-mail message that I received over the course of a few days. When it occasionally misses one, I select the message and then click the Block button that SpamNet places in Outlook's toolbar. Conversely, to move back to my in-box the few nonspam messages that SpamNet mistakenly adds to my Spam folder, I simply click the Unblock button. Blocked and unblocked spam is fed back into Cloudmark's database of known spam messages, improving the overall detection accuracy for everyone using the program. It's the antispam equivalent of Napster.
