Think Tech Hawaii, civil engagement lives here. Well, welcome back to the Cyber Underground. I'm Dave Stevens, your host. I'm Dave the Cyber Guy, here with Hal the Network Guy, Hal Culkin, who's a fellow instructor over at Kapiolani Community College for the University of Hawaii. Thanks for coming. Thanks for having me on again. Right on.

Hey, today we're going to talk about how to configure your home network. And to a lot of people, this is not a big mystery, because they just go buy a network device, and their cable provider gives them something, and they plug everything in and turn it on and, hey, it works and we're done, right? Yep. Which is like the worst possible thing you could do these days.

So let's go over what it looks like, first of all, what the basic network configuration should be. We've got kind of a screenshot. This is a basic network map. This is a little old; you can see a phone there from the 1980s. That looks like a Mac from the 80s. But there's a couple of key components in here. So the telephone connection, a little lightning bolt in the upper left-hand corner: the telephone comes into what they've got on this thing as a splitter. And the splitter will usually be something in your wall. And why you need that is because you come out with a piece of coaxial cable out of your wall, right? And you might have to split that into multiple devices. So one of those devices would be, we show it here as a set-top box, but really, right off the splitter, your network today will have something like a DVR, a digital video recorder, right? That is a set-top box and kind of an internal PC for your TV so you can record shows. But it has an IP address on the public network. It is exposed to the internet. It is not managed by you, but it is in your home. So you gotta watch out for this.

In addition, that splitter will also go into a router, right, and a router, or actually, we gotta go through a cable modem first. So there's a signal conversion.
You have this cable, usually a digital signal now, but we used to have analog, and you gotta convert that signal and split off the channels you need for internet out of that in a cable modem. And the company that you get as your provider, Spectrum out here, or Time Warner, Comcast, they will give you that as part of your internet service, right? And you pay $5 to rent the modem. You could get your own, but then they won't support it. All right, so you should use theirs. And that also is exposed to the internet, not managed by you, and your cable company is in control of that, and it is on your network. And usually you have one or two ports out of the back of that; you can physically plug something into that cable modem, but what most people do is put a router on the other side.

So let's discuss how we get multiple computers to hook up to that one cable modem through a router, and how to hook that up, and what the best practices are. So do me a favor, Hal, go through what a router is, first of all. How do we arrive at a router?

A router is a device that connects multiple networks, right? So networks don't talk to each other except through a router; that's the whole purpose of a router, to connect one network to another network. So the cable network coming into your house has to connect to a router that will connect it to the internal network. If you're gonna have Wi-Fi, now you're gonna have a Wi-Fi router that's gonna connect that network to now a wireless network. And what most people call a Wi-Fi router is really kind of a multi-purpose device. It functions as a router; it also functions as the DHCP server, and then it's giving out IP addresses to wireless devices as they join your network. It usually has a few ports in the back, like maybe three ports, that are either a switch or a hub where you can connect multiple devices. Physical cables. That way you can physically connect any ethernet cable. It typically has some firewalling-type functions.
So we call it a router, but it's really kind of a multi-purpose device that serves a lot of different... A pure router, all it does is forward packets from one network to another and vice versa.

So the reason these routers now have Wi-Fi is pretty much because we have so many devices we need to connect to our networks these days; it can get out of control. We have another picture here with the house with all the different devices. Look at this: you can have webcams and locks and mood lighting and home entertainment and everything from windows and home automation to your garage doors, your security system, your backup systems, all connected to this one home network. So really, if you set this up wrong and someone gets into it, you're looking at all those things being exposed in your life. And each one of those devices could be vulnerable, could be a vector for someone to come in and use that to take over your home network, or to get access to your home network, or to take over some of those devices and use them for some of these types of purposes, either to monitor you or to launch attacks against other sites; they could do all kinds of things. So each one of those devices could be a vulnerability. So you really need to be aware of how many different devices are on.

And when you bring these devices into your house, as you said, they usually auto-configure; you just turn them on and they immediately search for your Wi-Fi network and try to connect. Yeah, there's one button, WPS, right? Yeah, WPS, Wi-Fi Protected Setup, which isn't protected. Which is an oxymoron in itself. Yeah, I would strongly recommend against Wi-Fi Protected Setup. Manual setup is gonna be better, because you have control, you know how it's set up, you know how it's configured. You might have to learn a few things in order to do it. But in the long run, I think you're gonna be more secure and you're gonna understand how your network is set up.
Whereas with Wi-Fi Protected Setup, you don't even know; you just hit the button, it automatically does something, and you really don't know. It's a hacker's dream. What level of security did it configure and how is it set up? Yeah, it is a hacker's dream. Dream come true: you do a little bit of war driving to find the network, and you find that and it's just minimally configured. And usually it's something, any device in the network could be the vector or the path in to the entire network. So your weakest link is the path in, and it's usually something like a nanny cam or a webcam or something like that that has a basic username and password, and you leave the default settings, admin/admin or something like that, right?

I need to put a picture up here. This has been my network at times. Don't let this happen to you. This is why we have Wi-Fi. You'll see all these cables in here, and I gotta bring this up: I don't see any other cable color but gray. I think there's one blue one in the whole mess. You'll see the switch has a whole bunch of ports in the back; everything's ethernet. Those look like homemade cables? And there's nothing but spaghetti, and then there's a Wi-Fi router in the back. This reminds me that I have to make spaghetti for dinner tonight. I need some sauce, right? Don't let this happen to you, because when this happens to you, you're ripe for hacking, and if there's a failure, you can't track it down. It's a total mess to try to trace anything; you might as well just unplug everything and start from scratch. Yeah, and I've done that before.

So let's talk about, now there's a couple of features that routers have built in that help with security and obscurity. So let's go through a couple of those things. First of all is NATing, a network address table, right? So explain to us the network addressing table and how it works in a router, public and private internet.
Okay, so there are three IP address ranges that are called private address ranges, and so those can be reused on internal networks by anyone. So you buy a Wi-Fi router and it comes usually with, it's configured for the internal network to come up as like 192.168. One dot one. One dot one, or zero dot one, or something. Anything 192.168, that's part of a private address range. Everybody can reuse that, but it's not allowed, it's not routable on the internet. So what happens is, as those packets leave your network, your router is gonna translate that private 192.168 address to whatever public IP address it got from your ISP. So as the packets leave, it's translated from 192.168 to whatever the public range is. And when the responses come back, the router translates it back and sends it back to the host that sent the request. So that's network address translation.

The addresses are put in there. So once I get from the public internet to your router with the public address, your router can say, oh, well, this message is intended for this PC or your DVR. Yeah, it keeps a table of who sent what request so it knows how to send things back. So it's kind of a man in the middle, it's a go-between; it's passing the packets back and forth. And even though this was not originally invented and designed as a security feature, one of the side effects of this is it makes it almost impossible for someone to scan your internal network, because they can't, because the private addresses won't be sent over the internet to get in. They can only scan the public IP address that's on your router. So it has some good side effects. A little obscurity. Yeah, a little bit of obscurity. It's another layer. So in security, we keep saying defense in depth. You have to layer like an onion. You can't just depend on one thing to keep you safe. You gotta apply all the layers, and the theory is you apply enough layers to deter somebody and make it easier for them to hack somebody else.
I hate to say that, but I'm just gonna pass them off to the next guy who's not configuring stuff right. So NATing, network address table, feature one.

Feature two: these routers pass things to the internal network, and to get onto the router you need a username and password. To find anything out, right? But they come with a default setup. Yeah, so they'll come with a default admin password and username set, and believe me, the default passwords for every model are out there on the web. Shodan.io, yeah. You just look it up. And so the first thing, the first thing you need to do when you plug that in is change that admin password. And some of them allow you to change the username as well. I would change both if you could. Yeah, so you wanna change that right away.

Most of these routers will also allow you to limit what networks can connect to the admin interface. So if you can limit it to only your internal network, that's a lot more secure. Usually people don't need to connect to the admin interface to configure the router from the internet, right? They're gonna be on their internal home network. So if you can restrict it to only the internal home network, or even to a single IP address. That's even better. It's even better. So I know the setting on most routers, that's WAN management or managed by WAN. WAN, it's wide area network. That means you can get to it from the outside. From the internet. You wanna disable that. If it's enabled, disable that; go for LAN, or local area network. Exactly. Internal, so you wanna turn that off. Good, so we have the username and password, you have NATing, and we have only local management. So you have to manage your network from within your network.

So what else should we do? Well, what else should you do? You should choose a strong security encryption protocol. You don't wanna use WEP. I'm surprised that it's even still supported. Why is that an option for wireless encryption protocol, right?
You want WPA2, if at all possible; that's kind of the standard now. If you have an older router that doesn't support WPA2, you might get by with WPA, but you absolutely don't want WEP. WEP is almost like have it done. WPA2, now there's two options in this always, but most people get confused. There's personal, WPA2 Personal, and WPA2 Enterprise. You can't do Enterprise unless you have a server-managed system with a domain inside your network. So that's a more complex setup. So go for WPA2 Personal. The Enterprise is when you have a centralized authentication server, and most home users aren't gonna have this. So you use the Personal, which is also sometimes called PSK, or pre-shared key. Just means that you have a key or a pre-shared password. Everyone who's gonna join the network gets that password, and that's what you log in with.

Now, we should also state that the devices now coming off the shelves could still have the hack for WPA2 possible on that device. So you should run a firmware update as soon as you get into the device. There's always an interface in your admin management for that device that allows you to run a firmware update over the internet. You should do that as soon as you get it, because that's going to disable the KRACK attack. That's the KRACK attack. Yeah, you can have it. So we're gonna take a short break and go to commercial and pay some bills, and then come right back. Until then, stay safe.

Hi everyone, I'm Andrea Gabrieli, the host of Young Talents Making Way here on Think Tech Hawaii. We talk every Tuesday at 11 a.m. about things that matter to tech, matter to science, to the people of Hawaii, with some extraordinary guests, the students of our schools who are participating in science fairs. So, Young Talents Making Way, every Tuesday at 11 a.m., only on Think Tech Hawaii. Mahalo.

Hi, my name is Bill Shaw, host of Asian Review, coming to you from Honolulu, Hawaii, right here in the center of the Pacific Ocean.
Asian Review is the oldest of the 35 or so shows broadcast by Think Tech Hawaii. We've been in production since 2009. Our goal is to provide you, the viewer, with information, breaking information about events in Asia, Asia being anything from Hawaii west to Pakistan, from the Russian Far East south to Australia and New Zealand. We hope to see you every Monday afternoon at 5 p.m.

Welcome back to the Cyber Underground. I'm Dave Stevens, your host, here with Hal the Network Guy. Hi, Hal. We're gonna get right back to it. We're gonna take a moment for a security moment. This is something Andrew Lanning instituted in the show, and I love this. When we come back from the break, we do a security moment. I have a warning for all those people out there. Something called slider theft. I'm gonna put an image up right here. This is an image of a young lady at the pump. You can see she's got the white car there. Her gas tank is open there. She's using the credit card in the station at the pump; behind her, someone has pulled in and is sneaking into her car from the other side and stealing whatever's on her seat. I assume it's probably a purse or a wallet or something. And many people do this. You know, they get the credit card and they're just walking to the pump, so they leave their wallet or whatever on the car seat there, and that's what these guys go in and get. Now, thankfully, we were able to film this. They don't have a front license plate, but they're on film, and there's a lot of features there that police can use to tag these guys. And as a matter of fact, I believe in this image, these guys tried to use the credit card a half an hour later, but it was already canceled and they were already caught. So, lesson to thieves: don't do this where there's a camera. But these guys are pretty bold. They'll swoop right in behind you. Yeah, I mean, that's bold. They don't care. And he knows he's on camera and he doesn't. Do you think he does? He's got to.
Doesn't everyone know that all of those gas stations have surveillance cameras? I don't know. I thought everybody knew that Facebook was taking my data and selling it. Yeah. I don't know why he's surprised now. I used to tell people, how do you think they're making money? Do you think they just offer a free service that is a billion-dollar company? You love the product. You're the product. You love the product, yes. That's right.

So let's get back to, we're figuring out routers, right? And there's a number of other things we can do. And we gotta mention several segments of society, including gamers. But before we do that, let's go into, most routers will have an interface that you can view. Right? I know I used to use Linksys a lot, and it's always a browser interface. I think Asus has this too. And you enter the, I believe the lowest address in the range on your browser, like 192.168.1.1. And it comes in with a login page. And if you were smart, you changed your login to something else, and you can log in and manage your router and the security features. And the first time that you connect, sometimes you need to do it from, and you turn that cable, you have to plug in, you have to plug into one of the four LAN connections on the back of the router. And open up a browser and you put in that first address in the network, 192.168.1.1 or something similar to that. And then you should see an administrator interface come up in the browser; you log in with that, the full admin name and password, and then immediately change it. Immediately. Immediately change it. Yeah, yeah.

And one of the other things you can do when you're first setting it up, you do have the ability to limit what computers can connect to your Wi-Fi network based on the MAC address. The MAC address is an address that every network interface card, wired or wireless, has burned into it from the manufacturer. It's unique. From the factory. For every device. It's supposed to be unique.
Now, it's certainly possible to spoof them, especially with virtual machines, where you can pretty much put in any address you want. But limiting to those MAC addresses, again, as you said, it's one more layer of the onion. You want to put one more hurdle in front of someone who's trying to get in. So it's not high security, but it's one more layer. So I know on some wireless routers, you can connect all of your devices and it shows you a list of all the MAC addresses of the devices that are connected to your network. And there's your wireless. Real easy: copy and paste those into your MAC address allowed list, right? And disallow everything else. And then, unless you get a new computer, you should be limited just to those devices. So that's, again, that's just one more layer that you can add in, you know, for security.

Yeah, I don't know if you've done this on your routers, but I have enabled a guest network. Yes, that's a great idea. So it's a virtual LAN, or a virtualized local area network, that's specifically for other logins. And you don't have to enable MAC addresses. This is when your relatives come over, or someone wants to use your internet really quick, or you have someone's, we have a pet sitter when we leave, so she uses the guest network. You can enable that so they cannot get onto your network, but they can still use the internet. Yeah, the advantage is they have internet access, but they're segregated from your main network. Right, so just another layer, because you don't want to give everybody, all your cousins, your Wi-Fi password. Unless you do, but you probably might not want to. You should have a guest network, so I always enable that.

Let's go over, now when gamers set these systems up, there's specific requirements. I put in my Xbox, I put in my PS2, and every game will operate on ports. Now, ports are doors into your system, right? And you have to enable these doors, otherwise the game is not going to work.
And a lot of people play online gaming, and so you have to open up these ports. So we have to enable something called port forwarding. You want to go over port forwarding? So we talked about network address translation, in that no one's able to scan your internal network because they can only get as far as that public IP address on your router. That's unless you enable port forwarding. Enable port forwarding, and packets that come to that particular port that now you've forwarded into your internal network, those packets come through the router into the internal network, so. To the specific machine I told it, like I enabled port 5400 or whatever for 192.164.1.101; that's a specific machine, or my Xbox, right? So I've enabled just that port to just that machine inside my network. Yeah, hopefully you've limited it to just that. Hopefully, just that one machine. But you still have to be aware of that now. You're still allowing something through. So it's definitely a security concern, and you have to be aware of that. And you want to minimize that as much as possible. Now, if you need to do that for your game, and you limit it to your one device, it's not the end of the world, but you want to limit that as much as possible. If you stop playing that game, well, get rid of it. You should take that off. You should take that off. Yeah. Because it's another, it's just a hole through your firewall that someone might be able to use to sneak through. It's a pinprick where light can get through, and you're taking off layers of that onion. Yes, you've made a hole through one of those layers now in that onion, and somebody might be able to target that to get through.

So we've done MAC addressing. We've done port forwarding. We've done the username and password for the admin account, running a firmware update. Absolutely. Absolutely necessary. And not just when you first install it, but periodically, whenever there's one available, you want to do the update.
Right, so you should check back every once in a while. And the more advanced routers will tell you, if you log in every once in a while, every month, and you look, it'll probably have some kind of indicator saying, hey, there's an update available, you should run this. And be forewarned, when you run that, your whole network's gonna be down for a couple of minutes. Four or five minutes or so. It's gonna be bad.

What else can we do? SSIDs. So explain SSIDs. So the SSID is the network name that you find. So when you walk around with your phone or other wireless device, and you see, oh, there's Joe's network, there's a Starbucks public network, those are the SSIDs of those networks. And they're just broadcasting out: here I am, here's my name, connect to me, I'm this network. Well, you can disable that. And it's not gonna make it impossible for someone to find your network who knows what they're doing, but people aren't gonna see it just pop up. It's gonna be a little bit harder for them to locate your network and figure out what the name is. Not too many people know how to run airodump and scan a network for things that are hiding right now. So what war drivers will, but most people will just walk around with, like you said, their mobile phone and look for an SSID. So you can disable that, but if you're already connected, if you're already connected, it's no problem. It's no problem, because the SSIDs are saved, right? So once you connect the first time and you check the box to save it, it's saved there. You don't need to put it in again. It'll be able to find it. And even if it's not, as long as you know the name, you can manually put in the network name and it will find it, you know, fine. But it won't just advertise itself and just pop up. So what I like to do is connect all of my devices first, make it really easy to connect, get them all connected and get it saved on all of my wireless devices, and then I can just disable the SSID.
You brought up something just a minute ago. When you log on to the device, you see the SSID, but then when you try to connect, it's gonna ask you for a username and password. It's another place where you should change the username and password, because some networks, so if I have a router, it's got an admin username and password, and I have a guest network, now that guest network has a different username and password, or at least it better have a different username and password. It should, it should have it. So you should change that to a good password, and we should discuss good passwords.

Yeah, good passwords. Three characteristics of a good password. They should be long, right? I mean, they used to say six characters, eight characters; now it's what, 12 to 15 characters for a good password. It's really hard; you have to enter something like "my Scooby Snacks taste good" or something really good, but it's really hard. But then what people were doing was putting, for different words, they put in a different language, because there's a dictionary attack, right? You do a brute-force attack and you run all the dictionary words in different order with caps in different places against something, and you try to crack the password that way. So if you plug in another language, well, someone's got to go out and get another language. They've got to be using at least two dictionaries, right? One from each. You're right, one from each. And the right dictionary is out there, I mean, for all languages, but again, it just makes it a little bit harder, right? And white space counts. You can put white space in your password. So it could be a phrase: Mary had a little lamb; change "lamb" for another word, for another language. The line from your favorite song, or something, or a quote, or yeah, we're past the point where short words make good passwords. Now we're into phrases and lines. And it's now a passphrase and not a password, yeah? Homes.
Oh, before we go, one last tip for everybody out there hooking up their Wi-Fi network. I found that, first of all, you might interfere with somebody else's channel. There's multiple channels you can choose. So if their frequencies might bump into your neighbor's, you can change channels. What else you can do to limit the amount of traffic on your Wi-Fi network is, if a device is close to your router and it does have an ethernet port, like a printer or your Apple TV or something like that, you can hardwire it. You can run an ethernet cable there and take Wi-Fi traffic off your Wi-Fi network, which just gives you another layer in the security. That device will not be exposed in any way to your Wi-Fi, and it's only on your physical LAN, which is a little bit better security.

Any other tips with our last 10 seconds? Just with regard to the passwords: complex. So lots of different types of characters. That's why they always tell you, use numbers, uppercase characters, lowercase characters. Special characters. Special characters. 100 different characters on a keyboard. Try to use as many different varieties of the music in. And remember them. And don't write it down on a Post-it note. Yeah, don't put the Post-it note on your computer. All right, thanks for joining us, everybody. Come back next week while we do another great episode of Cyber Underground with some great content. Until then, stay safe.
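The two router behaviours the hosts describe, the NAT table that is built from outbound traffic and the static port-forward rule that punches a hole through it, as an added worked example that is not part of the broadcast and not any vendor's firmware. It is a small Python model of a home router: outbound packets get their private source rewritten to the public address, replies are matched against the table and sent back to the host that made the request, and anything unsolicited is dropped unless a port-forward rule names a specific LAN host. The LAN layout, the RFC 5737 documentation addresses used for the WAN side, and the game port 3074 are all assumptions made for the example.

```python
"""Toy model of a home router: NAT translation table plus port forwarding.

Constructed example. The LAN range, the public addresses (RFC 5737
documentation ranges) and the forwarded port are assumptions, not taken
from any real router or product.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three private ranges the hosts mention (RFC 1918): reusable inside
# any home, never routed across the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the three private address ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HomeRouter:
    """Translate outbound LAN traffic to one public IP and map replies back."""

    def __init__(self, public_ip: str, lan_net: str = "192.168.1.0/24") -> None:
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan_net)
        self._next_port = 40000  # first public port handed out (assumed)
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (proto, public_port) -> (lan_ip, lan_port): static port-forward rules
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int,
                         lan_ip: str, lan_port: Optional[int] = None) -> None:
        """Punch one hole: traffic to public_port goes to a single LAN host."""
        if ipaddress.ip_address(lan_ip) not in self.lan:
            raise ValueError(f"{lan_ip} is not on the LAN {self.lan}")
        self.forwards[(proto, public_port)] = (lan_ip, lan_port or public_port)

    def remove_port_forward(self, proto: str, public_port: int) -> None:
        """Close the hole again once the game or service is no longer used."""
        self.forwards.pop((proto, public_port), None)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Rewrite the private source address and remember the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an inbound packet to a LAN host, or return None to drop it."""
        if is_rfc1918(pkt.dst_ip):
            return None  # a private address cannot be reached from the internet
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to this router at all
        reply_to = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if reply_to is not None:  # reply to something a LAN host asked for
            return Packet(pkt.src_ip, pkt.src_port, reply_to[0], reply_to[1], pkt.proto)
        forward = self.forwards.get((pkt.proto, pkt.dst_port))
        if forward is not None:  # static hole punched by port forwarding
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1], pkt.proto)
        return None  # unsolicited: no table entry and no rule, so dropped


def exposed_ports(router: HomeRouter, probe_ip: str, proto: str = "tcp") -> List[int]:
    """What an outside scanner of the public IP can reach: only forwarded ports."""
    reached = []
    for port in range(1, 65536):
        probe = Packet(probe_ip, 54321, router.public_ip, port, proto)
        if router.wan_to_lan(probe) is not None:
            reached.append(port)
    return reached


if __name__ == "__main__":
    r = HomeRouter("203.0.113.7")
    out = r.lan_to_wan(Packet("192.168.1.20", 51000, "198.51.100.10", 443))
    print("outbound seen on the internet as", out)
    print("reply delivered to", r.wan_to_lan(Packet("198.51.100.10", 443, "203.0.113.7", out.src_port)))
    print("unsolicited probe ->", r.wan_to_lan(Packet("192.0.2.99", 12345, "203.0.113.7", 22)))
    r.add_port_forward("udp", 3074, "192.168.1.101")  # assumed game console port
    print("scan of udp ports reaches", exposed_ports(r, "192.0.2.99", "udp"))
```

Running the script shows the point the hosts make in prose: a scan of the public address reaches nothing until a port-forward rule exists, and afterwards it reaches exactly that one port on exactly that one LAN host, which is why the rule should name a single machine and be removed when the game is no longer played.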