I was in total dismay when I read the recent commentary by known security expert Bruce Schneier about how he leaves his home wireless network open..yes, meaning no encryption..wide open free wifi generously donated to the neighborhood by Bruce. While I understand some of the points he was trying to make I started to really think more about this idea after reading two articles on Bruce’s decision.
One was from Securosis.com. Rich makes some good points that this is Bruce’s network and obviously he is more security aware then the average Joe..meaning, he knows how to properly secure his workstations, router, etc… The average citizen will normally not be educated enough on how to properly secure these devices. Let alone many home PC’s are infested with botnets and have probably been running unpatched for years…advocating to these non-security minded people that you don’t need to secure your wireless network is probably not a good idea. Rich also mentions that his network is “secure enough” even though he says he could crack it if he was determined enough. True, true..attackers have an unlimited time frame to get into your network so why would you “leave the door open” and make it even easier for someone to get in? I personally keep mine locked down with WPA2, a randomized “long” passphrase, and an uninviting SSID. Why? I don’t want to invite trouble! You never know who might use your network…it’s pretty scary out there.
The second was posted on GNUCITIZEN. Adrian mentions the following:
“Letís think about it: who gives a darn about compromising your computer when you can change the DNS settings on most consumer routers without a password via UPnP? Weíve said it before here at GNUCITIZEN: people are stuck on the old-school mentality of rooting the userís box. Things have changed. Your data is now online, your router is a computer much more insecure than your XP desktop that runs an AV + firewall and updates itself automatically on a regular basis…”
After reading the UPnP research on GNUCITIZEN and doing some on my own…this may be a new attack vector that perhaps Bruce may not be aware of yet? It’s some scary stuff…then again, Bruce probably has UPnP disabled on his router right? Or, perhaps Bruce’s commentary makes this quote from this site even more true:
“I don’t bother with WEP or WPA, I just got Bruce to autograph my wireless access point.”