Jun 27, 2013 (11:06 AM EDT)
Google Shares Advice On Wi-Fi Security
Read the Original Article at InformationWeek
Having collected vast amounts of data from unprotected Wi-Fi networks over the past few years, Google knows more than most about network security, or lack thereof.
The company recently agreed to pay a $7 million penalty to settle a U.S. investigation into its unauthorized collection of data involving 38 states and the District of Columbia. It was also fined 145,000 euros in Germany.
But blame also belongs with those of us who broadcast our data without any security over the airwaves. Taking simple measures to secure Wi-Fi networks would have been enough to keep Google out.
[ Should Google be forced to delete data if someone objects to it? Read Google Gets Help In Spanish Privacy Fight. ]
Google would like to see more people take responsibility for their online security. On Thursday, technical program manager John Munoz posted some basic advice about how to operate a Wi-Fi network more securely.
"When data is in transit over an unsecured Wi-Fi network, the information you're sending or receiving could be intercepted by someone nearby," Munoz explained, as Google's Street View experiment demonstrated. He added that an unsecured network could be used by neighbors, which might slow network traffic.
Google, as it happens, is required to blog about Wi-Fi security as part of the terms of its Street View settlement. The Electronic Frontier Foundation calls the settlement "really, really awful," because it doesn't really punish Google for capturing Wi-Fi data but does require the company "to carry out a gratuitous and poorly thought-out song and dance."
The EFF considers the settlement requirement that Google promote secure Wi-Fi networks a mistake. It would rather see Google educate people about how to operate open Wi-Fi networks while running end-to-end encryption through a VPN or a browser configured to use HTTPS exclusively.
Google confirmed that Munoz's advice is being presented as part of its settlement penance. While his "song and dance" is obligatory, it still has value because it reinforces the notion that security requires user attention.
Munoz recommends identifying the kind of security available for your Wi-Fi network. Networks can be unprotected, or protected with WEP, WPA or WPA2. He says WEP is pretty weak, WPA is better and WPA2 is best. In fact, he also advises getting a new router if yours doesn't support WPA2.
However, the existence of services like CloudCracker demonstrates that even WPA2 isn't all that secure. It promises to run through some 300 million possible passwords in 20 minutes for $17.
And that underscores another piece of advice from Munoz: Pick a strong password, one with a long mix of numbers, letters and symbols so others can't easily guess it. You've probably heard this before, and perhaps you opted for something you can remember instead. But Munoz suggests that it's okay to write down your long mishmash of symbols, mixed-case letters and numbers on a piece of paper, since we're talking about your home network. If there's someone in your home reading your network password off a Post-it, network security isn't your most pressing problem.
Munoz also advises checking to make sure you've changed your router password from its default setting. You really don't want to be running a router with "admin" and "password" as the user account name and password.
There are other steps you can take to ensure a secure Wi-Fi network, but they may be of dubious value. For example, Wi-Fi networks can often be set up so that they're hidden, meaning the network name, or SSID, doesn't show up when someone is using a device to scan for nearby Wi-Fi networks.
Security by obscurity has some value when it works, but networking scanning software can find these hidden networks easily. Microsoft suggests that hiding a wireless network is not actually a security feature.
One of the more effective network security measures you can take is to disable your network when it's not in use, such as at night when you're asleep. A powered-down router isn't vulnerable. You may also be able to set up timed access, which limits connections to certain times of the day.