You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

WiFi security issues, at home and WiFi hotspots

Last modified: Apr 11, 2013 12:45 PM
1 39727 Last modified Apr 11, 2013 12:45 PM

Hello and welcome to my User Tip



I will explain in short some issues in regards to safeguarding your Internet WiFi at your home or office.

Refer to your router's user manual for detailed changes to your router's settings or call a local Mac/PC specialist if this is beyond your experience.


I offer no instructions, only these tips to make sure you're as secure as possible online.




There is only ONE secure WiFi router standard and that's WPA2(AES), both WPA and WEP are cracked.



http://arstechnica.com/gadgets/2007/04/new-attack-cracks-wep-in-record-time/


https://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.htm l


Newer Mac's are not reliably connecting to WEP Encrypted so I hear, since WEP is cracked having it encrpyed makes little sense, but some older routers may still have it.


If you have a Airport Express or Extreme, Apple provides software updates (using Airport Utility) for the router to updates it's firmware.


If your using a third party router or router/modem combination, it's important to check for firmware updates and apply them.


For most users, a router has to have remote access turned off (web management OFF!!), a admin password and a 'guest for Internet use only' password.


If possible, turning off PING can assist in not responding to knocks on the door to describe itself, thus reduce the traffic on the router and being Ping flooded.


https://en.wikipedia.org/wiki/Ping_flood


The admin password for the router should be greater than 20 random characters/case/symbols to prevent brute force attacks via the Internet, it shouldn't be used or stored on any computer other than entering it to access the router for admin purposes, then by the most secure machine on the network, usually a Mac.


Great examples of passwords are:


GJØ°TR%565nt5vi4th$%#$TERgerfirj


^Y$TKW$Cto5clcÓoiwixFERFminvl


ÁıÒÚÁ°fl‡°9*6ER984utm*&%&*^5058nc50GCR˜ÓÁRi8TE


Remember, these sort of passwords are for the Admin access to the router, thus they must be very strong and complicated to thwart botnet attacks.


They need to be very carefully written down and verifed to be accurate or else you'll have to reset the router of all settings if you can't enter them in properly to gain Admin access.


Mac's have Keychain that will remmeber complicated Internet access router passwords so one doesn't have to remember them, however these sort of complicated passwords are not easily shared as they are hard to enter, but what can you do? If you make it too easy then it can be brute forced and a hostile neighbor can do crime via your Internet access. So your the judge to how complicated your passwords need to be.



Bad examples of passwords are:


!@#$ (only one section of keys, too short)

1234 (only numbers, too short)

password (word in dictionary)

12/14/1957 (date)

MyPassword1234 (words in dictionary, only a few numbers)

MaryHadALittleLamb (words in dictionary, common use)


If the computer with the routers Admin password gets compromised, then malware can have access to the router, change the DNS setting and have a adverse effect on other computers and devices on the local area network.


The 'guest for Internet use only' password can be less characters to fit the requirements of devices, but if possible also should be longer than 20 random characters to better defend against new techniques from being used. This is used for all computers and devices on the network.



If you're having trouble with your WiFi, you perhaps need to use a "sniffer" software to determine what other WiFi's are in the area and the channel they are on so you can set your routers channel far away from theirs. But usually they do that by themselves.


Computers remember the passwords of the Wifi that's entered into them, malware can glean this and hack the router, why you only use the Guest Access for all machines. Rotate the Guest Access password routinely to keep those you want off the network or sharing your password.


A router's MAC Address filtering, nor does making your network "hidden" offer any protection from hackers of your Wifi and actually causes more problems for you in most cases.


If your tired of connecting your Mac every time it wakes up or you walk out of range? It's because of the hidden network you have, the Mac is not going to go around constantly asking to connect to a hidden network, that would reveal it was connected to one and somebody might like to find out why and follow you home.




Here are some security tips for those using "open" or coffee shop type Wifi locations


Your on THEIR network, which means if you don't have a secure HTTPS connection to the website you're visiting, your traffic can be observed and likely is being recorded.


If the local network is open and it's not encrypted, others in the same area can watch your traffic even if they are not connected to the network themselves by recording the wifi traffic as it passes through the airwaves.


The sites you visit, even if you have a secure connection, can be recorded by the Domain Name Server lookups your computer does to get the current IP address of the site. It's because DNS lookups are NOT encrpyted. So they will know what sites you have visited, not necesarily the content if HTTPS was used and will include the content if only HTTP was used.


The hardwired MAC Address of your computer or device is recorded by the router of the WIFi location, each machine has it's own unique hard coded MAC address assigned at the factory and records kept for later review.


Most banking and other sales sites have enabled HTTPS, so when you enter data it gets encrypted enroute, so look for that secure connection before entering any data.




About computers you use, but don't own



If you are using a computer at a school, work etc, on a network, that you don't have Admin level control over, fully expect it can and is remote monitored, remote viewable, meaning what your doing and seeing is appearing on another computer on the network.


If it's not on the network and you don't have Admin control over it, like a locked down portable school computer that's taken home at night by the student, fully expect to have "nanny" software installed recording one's activity for later observation. The reasons why they do this are: it's their property and your just a guest using it with no rights to privacy or ownership etc., the courts have upheld this position.




How to be as secure as possible at other WiFi locations?



Firefox web browser has a add-on from the Electronic Frontier Foundation called HTTPS Everywhere


https://www.mozilla.org/en-US/plugincheck/


https://www.eff.org/https-everywhere


This add-on will ask for a HTTPS session from every website you visit. Not all can provide it as all elements on a page have to be encrypted and some sites it's not practical (like video, or with advertisements) but many websites do including Apple, Google, Wikipedia etc. This offers some measure of protection on open Wifi networks.


Look in your web browsers URL bar for https instead of http, or a lock symbol then you know you have a encrypted connection.




General Warning:



Computers are not 100% secure, even Macs (especially one's not using the latest 2 OS X versions in circulation) but they are a bit more secure than Windows machines depending upon usage. There is malware targeting Mac's, so you take some pre-cautions in that regard.


Security Issues Warning List


Harden your Mac against malware attacks


Like with gambling, do not deal with amounts online that your not willing to risk losing.


Your bank will NOT issue a refund if a loss occurs, it's out of their responsibility what occurs on your machine. Far as they know, you transferred all your money to another bank and then withdrew it all or worse, they can claim you had a accomplice! So you see their position why they don't issue refunds, they would be scammed by many often.


It's rather easy to set up a secure savings account with more substantial funds and use a more accessible online/checking/debit account with less funds and transfer some from one to the other occasionally (but not via online banking of course) with either no or very limited overdraft protection, only keeping what one is willing to lose in the less secure accounts that is exposed to the world.


Four digit passwords used for ATM machines are incredibly weak, scammers have gotten clever and even create fake ATM machines for you to "lose" your card in and enter your password, which they then go drain your savings account every day until you decide to do something about it.


Some have gleamed personal information from you in other ways and then get a fake ID made and impersonate you at another branch, withdrawing huge amounts. You can setup a secret password with banks to use on special large amount accounts that don't see frequent activity and require a manual walk-in to access those accounts.


A good bank will take a photocopy of your id when the account is opened and use that as a secret check to confirm your identity hasn't been impersonated.





Advanced!


While using others networks, if you don't want others to know what your Domain Name Server lookups are (so they don't know what websites your visiting)


Then your going to need to install DNSCrypt and change your DNS on your computer to OpenDNS in System Preferences > Network.


https://www.opendns.com/technology/dnscrypt/



I should warn you that changing your DNS settings (from your ISP's given DNS) can make large downloads of Akamai based content that Apple (and others) delivers slower as it depends upon the closest server for faster downloads which there might be a alternate DNS server close to your ISP's server.


But you should be able to create a New Location in System Preferences > Network and use OpenDNS servers that way when on the open WiFi spots which are usually not good large scale download locations anyway because of all the others sharing the same connection.


Then on another Location, use your default ISP DNS servers for faster downloading.


Some are lucky to have a OpenDNS server in the same location as their ISP's server, so there isn't a problem.


https://en.wikipedia.org/wiki/OpenDNS


If your ISP server you contact is not located in one of the cities where OpenDNS servers are located, then you need to have the dual Network > Location option for using OpenDNS servers to shield you from


Contrary to myth, changing one's DNS server isn't always faster. Use this free tool to determine.


https://code.google.com/p/namebench/


You should always carefully consider the privacy policy, services, location, character and source of alternate DNS services before using them, as they are rendering what appears on your screen basically. You can ask for apple.com and they can return a valid IP or they can return a invalid one.


So in other words, just don't search for "alternate DNS" online and enter any old IP addresses into your router or computer to change the DNS, it might be a scam, then you just compromised your own router. 🙂





Advanced!


Alternate DNS on your router


I don't advise changing your DNS server unless your more advanced in the subject.


DNS stands for Domain Name Server, when you do a search for "apple" in Google and get a link for Apple.com, you click that link and a request goes to the Domain Name Server to ask for the current IP address (number like so 23.1.61.15 ) so your computer can connect to that site.


You can choose to type in 23.1.61.15 in the URL and press enter, but Apple might change servers or establish one closer to your location which would be faster, the Domain Name Server handles all this moving around and changes automatically.


If you choose to use a alternate DNS than the one supplied by your ISP, you may want to establish this on your home/office/school/library router so all devices on your network are using it. The advantages of alternate DNS come in the form of blocking attack sties, content filtering, etc. that your ISP doesn't supply such services.


The DNS side content filtering isn't 100% perfect as new stuff is created all the time, but it can be used to reduce the likelihood of accidentally coming across unwanted content.


Usually alternate DNS services provide automatic bad site filtering as a default setting and content level filtering options as a log in option.


One choice I know of is OpenDNS, there are others merely by searching Google, however check their reputation first. Google has alternate DNS too, but we know Google to be a advertising company, tracks people on line, has little regard for users privacy, data mines people's emails, records their WiFI locations and online searches etc., so it's stands to reason they are recording everything your doing to sell that data to marketers etc. As always review the privacy policy of your alternate DNS, it's location etc., so you can get a idea who's recording what about your surfing habits.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.