InSSIDer Wireless Network Scanner in Operation.
seen it in the news: A large organization is “hacked.” The Bad
Guys steal credit and debit card numbers, PINs and even CVV codes.
sure you’ve heard about the recent incident involving Target,
Neiman Marcus and some others. More than 100 million customers
(that’s the count as of this writing) were affected. Many learned
of it when the criminals started using that information to make
illegal purchases. Their banks had to cancel existing cards and send
new ones, right in the middle of holiday shopping. In fact, the week
before Christmas, my wife and I were behind a customer at a local
store who had learned of the “hacking” when his bank called to
ask why he was buying exercise equipment 1,000 miles away!
post-mortem is still being done on the Target incident, so let’s go
back a few years.
2007, the parent company for TJ Maxx Stores (TJX) was hacked and
millions of customers were affected. This case is especially
interesting to me because of what the post-mortem concluded: The
hackers initially gained access through an older wireless network at
one of their stores. The store was using WEP (Wired Equivalent
Privacy), which can be cracked easily.
worse, TJ Maxx apparently used “One Big Network” at the time. By
gaining access through that one weak point at one store, the Bad Guys
eventually were able to hack into many other systems across the
company. Result: disaster.
might think this has nothing to do with radio, but I beg to differ.
As I was preparing this article, a story broke about how someone
hacked the RDS being transmitted by some Michigan (public) radio
stations. They only learned about the profane text after listeners
called and emailed. It can happen to you, so read on.
of this is obvious, but it’s worth repeating.
only use wireless when you absolutely need to. While I’ll admit
that it’s not likely that someone could hack your network through a
printer or scanner, why even risk it? Many of these devices come with
wireless turned on by default nowadays. I disable it and use wired
Ethernet as a matter of principle. The wire gives better performance,
author scans a portion of his audio network with the Angry IP
if you have wireless networking in your facilities, make sure that
you’re using the best encryption with a good password. Currently
that would be WPA2 (Wi-Fi Protected Access, version 2). Change the
SSID (the “network name”) from the default and change the
password from time to time — especially after an employee
that documentation and look at your configuration. If your unit won’t
do WPA2 encryption, replace it. In fact, if your wireless router is
more than a few years old, you probably ought to upgrade it anyway.
If it has the so-called Wi-Fi Protected Setup (WPS) or “Wi-Fi
Simple Config,” disable that. These have known security holes. If
you can’t disable it, you definitely
need to replace that router with one that will allow you to do so.
and this is a big one: Watch for unauthorized access points that are
installed by employees! Wireless devices are cheap and readily
available. An employee who wants Internet on his tablet might pick
one up at Wal-Mart on the way to work. To make matters worse, he or
she probably won’t even bother to use encryption and a good
password (because it’s such a pain to enter all that gibberish in
an iPad, y’know?). Next thing you know, without your knowledge or
consent, you’ve got a wireless
unit broadcasting in the clear, exposing your network’s innards to
anyone within range.
are nice “sniff-and-scan” programs available online, including
WebStumbler for Windows, Kismet for Linux and KisMAC for Mac OS. The
weapon of choice for Windows, Mac OS and Android is inSSIDer
The basic version is $20. But if nothing else, you should regularly
check the “available networks” screen on your laptop, smartphone
or tablet to see if anything new has popped up. If so, investigate.
on the subject of range, limit the signal if possible. If the
wireless device allows you to adjust the power, don’t just set it
to maximum without thinking. Make it as low as you can tolerate to
further discourage hackers who might sit in the parking lot with a
laptop and a “sniffer.” Choose a good physical location that
limits the signal outside of your facility, too — an interior room,
rather than an outside wall.
stay informed. You should occasionally do Web searches on the model
number for your wireless unit to see if there are known issues. If
there are upgrades available, install them.
ALL Network Access
don’t stop there. Learn to think like a Bad Guy. (Don’t do it out
loud, though, or management will wonder about you.) Remember the
number one, primary rule of security: If
you can get into it, a determined Bad Guy can get into it as well.
job is to keep out the hackers and crackers while still allowing
yourself entry. The first step is limiting physical
access. Most of us don’t spend enough time on this. But
if you walk around your facility, I guarantee that there are
unattended workstations open to anyone, left that way by the previous
user. He/she didn’t bother to log out. You need to establish a firm
rule about that.
anyone complains, get management on your side. Explain that this is
no different from leaving a door unlocked when the building is
unattended. Secure those systems!
as you should scan your wireless network for unauthorized users, you
should occasionally scan your network for PCs that might have been
added without your knowledge. For this, the tool of choice is the
Angry IP Scanner, available for Windows, Linux and Mac. You can
download it at angryip.org
mentioned the employee who might insert a wireless access point
without even bothering to use a password. But we need to make sure
that we aren’t doing the equivalent with our systems in general.
the next step is to change your settings from the defaults. Don’t
think, “Aw, no one will hack my Nanobridge M5. I’m just using it
for a few hours to network from the main building to the garage.”
If it can be hacked,
it could be hacked.
The fact that it has never been targeted before doesn’t mean that
you’re safe for all time.
isn’t a hard and fast rule; it will require some thought for each
application. Always change the passwords, account names, IP address
and other settings from those provided by the factory or vendor. Do
this across the board and before you put any unit or server into
example, Virtual Network Computing (VNC), which many of us use to
access our systems at night and on weekends, uses ports 5900–5910
by default. Change that to some random number above 20,000. Ultr@VNC,
a popular free program that we use (see www.ultravnc.com),
allows you to do this in the primary setup screen.
with Secure Shell (SSH), Telnet, FTP and many other popular network
services. There’s not much you can do about standards like HTTP
(port 80) and incoming email (port 25). Anyone who wants to go to
your website or send you an email expects to use those ports. But
whenever you can change these values, you should.
important is this? It adds another layer of security. Back when we
were running UltraVNC on the default 5900, our logs showed constant
attempts to crack the password. The same was true of our SSH servers
when they were on the default (port 22). Our logs were filled with
hacker attempts. Seriously. We had page after page of lines like,
“incorrect password from [strange IP address in Bulgaria].” Once
we changed these to random numbers in the 20,000–40,000 range, the
cracking attempts ceased.
one thing in our favor is that criminals, generally speaking, are
lazy. Just as a thief
is less likely to break into a home with secure windows and deadbolt
locks, most hackers will try you a few times, then move on to easier
targets. Scanning every possible IP address or port takes a lot of
time. They’re going to go for the low-hanging fruit.
job is to avoid being that fruit.
A Good Password
use good passwords. This is tricky, because if you make it too
difficult, your coworkers will write the password on a sticky note
and plaster it to the computer! (Thanks to our editor Michael
LeClair, who pointed that one out to me a few years ago.)
mentioned this previously, but my preferred method to generate a
password is to use an easily-remembered phrase like, “My mother
lives at 120 South Street in Podunk.” Take the first character of
each word: “Mmla1SSiP.” That’s easy to remember but very
difficult to crack, because it’s the recommended mix of uppercase,
lowercase and numbers.
all you have to do is discourage them from writing out that phrase
every time they use the password … and leaving that
scrap of paper on the desk while they go to the restroom!
assume that just because you’ve never been cracked, you won’t be.
Sure, I doubt that you are a high-priority target for serious hackers
(most of them are after big money, like in the Target incident). But
don’t get complacent.
this article, I’ve especially focused on securing your network, and
wireless in particular. But do more research. Do some Web searches,
post queries online. Take this threat seriously and you won’t be
surprised and dismayed one day to find out someone did hack into your
problem in our specific case is exacerbated by one sad fact: Most of
our equipment doesn’t use secure or encrypted communications by
default. At best, we have “security by obscurity” — the vendor
might use a proprietary scheme to shoot data across the network. But
in the specific case of RDS and PAD, those standards are well-known
and are published on the Internet. Even worse, the text is
transmitted in clear — that is, you can actually read the ASCII
text as it transmits.
not sure what happened in the Michigan Radio case yet, but I imagine
that it was an “inside” job, in the sense that someone was able
to get “inside” that network. Once they had access, all they
needed was the IP address of the RDS encoder. At that point, they
could easily “swamp” it with profane text strings, drowning out
the legitimate data coming from the studios.
Poole is market chief of Crawford Broadcasting in Alabama and a
frequent Radio World contributor.