How to keep guests off your home Wi-Fi

It may be useful to let guests access the Internet from your house, but control what they do

Super Hub

This post was prompted by a conversation originated by Robert Craven on Google+ relating to how guests expect to have Wi-Fi access when they visit. Leaving aside the social rules, here’s how you can enable this without endangering your own security.

Caveat

The detail only applies if you are a Virgin Media customer with a Super Hub, but the principle probably applies to other models of routers.

The issue

Like lots of people, not necessarily only the techies amongst us, I have a number of devices that connect to the Internet via a Wi-Fi network in my home. Examples include: several PCs and Macs, a Raspberry Pi based media player, a NAS file server, several smartphones, the TV, my audio system, etc. The default security for these devices is “shields down”: i.e. they assume they are operating in a secure and benign environment.

Whilst I can be reasonable sure that any device I connect to the network will play by the rules, has good anti-virus and effective anti-malware protection; I cannot assume the same for devices brought in by guests.

Luckily, there is a solution

The Guest Wi-Fi network

I am a Virgin Media customer and have a Super Hub as my router and Wi-Fi access point. By default, this has a single wireless network enabled that is secured using a reasonably strong WPA-2 password. This is the network to which all our devices connect.

However, the Super Hub, which is actually a customised Netgear router, can also be configured to support a separate Guest Wi-Fi network that only has Internet access: i.e. it cannot see or access the devices connected to the main Wi-Fi network. This network can be configured as follows:

Enabling the Guest Network

Step 1 – access the Super Hub

On most networks, where the Super Hub is also the DNS server, you can access the Super Hub simply by typing

http://192.168.0.1

into the browser address bar. If you’ve changed the network settings, then I assume you know the address of the Super Hub.

You should see Screenshot 1

Screenshot 1
Screenshot 1

Login as admin If you haven’t logged in before and changed the password, it should be changeme.

I strongly suggest you change this to something unique and stronger immediately

You should now see Screenshot 2

Screenshot 2
Screenshot 2

Access the advanced settings

Click on Advanced Settings and you should see Screenshot 3

Screenshot 3
Screenshot 3

Setup the Guest Wireless Network

As you can see, there is the potential for three wireless networks on the Super Hub. The Primary network is the one configured by Virgin, and should not be changed unless you really know what you are doing

We are going to configure SSID3 (as I don’t want you to see what I’ve configured on SSID2, my own guest Wi-Fi)

Click on Guest Network (SSID3) and you should see Screenshot 4

Screenshot 4
Screenshot 4

If you click on Enable you will be able to enter your own SSID (see Screenshot 5)

Screenshot 5
Screenshot 5

I recommend selecting “WPA Auto” for Security Mode. You can then enter a passphrase.

Scroll down to the bottom and click Apply and you’re done.

If you scan for Wireless Networks, you should now see your new Guest Wi-Fi.

I recommend that you don’t connect to it from your own devices. Depending on the SSID you choose for the new network and how your own devices choose between multiple networks, you may get odd results when you try to access other devices on your own network.

Should lawyers use Dropbox to share documents with clients?

Legal services professional should not use Dropbox to share documents with clients because of the lack of access controls.

Process flow

I won’t bother to introduce Dropbox. You’d need to have been living under a stone not to have heard about it by now. Suffice to say that it is probably the most popular Cloud Service for sharing documents between computers.

What I want to discuss is the suitability of Dropbox for one specific use case: sharing documents with clients. This applies to any professional, but I think is of particular applicability to anybody in a regulated industry.

Dropbox and the Legal Services industry

Much has been written about the general use of Dropbox and whether it can be used in the legal services industry and maintain compliance. In general, the jury is still out. A good analysis (from a US perspective) can be found on securityblawg.com. This concentrates on whether Dropbox can be used without jeopardising the tenets of Attorney-Client Privilege. A contrary view can be found in Snippets.

Sharing documents with clients

In this use case, one or other party places a document in a Dropbox folder that has been shared with the other party(s). All participants can now see the document and, crucially, can amend it.

This is the major flaw with Dropbox in a shared environment: It has no access controls. As the Dropbox website itself says:

Any member of the folder can add, delete, or edit files within that folder.
Source: Dropbox

Access Controls

Anybody operating in a corporate, shared, environment will be familiar with access controls on files. The owner of the file or folder can define the access rights of people and groups of people. Some have No Access, some have Read access only and some have Read/Write access. Some may be able to delete a document, others may not.

These are the basic requirements that have to be in place so that one can avoid the circumstances where one person (inadvertently) deletes or corrupts a document belonging to another person; possibly without even realising they did it.

A further requirement in most regulated environments is to be able to maintain an audit trail of who did what and when.

Dropbox supports none of these mechanisms.

The danger of using Dropbox

So, what could be the consequences of using Dropbox to share legally important documents like briefs, patent applications, arguments etc?

Supposing a client chose to share a proposed patent application with an agent using Dropbox. This is likely to be a Word document or something similar. Given that Dropbox has no access controls, there is nothing to catch the occasion when the agent inadvertently makes a change to the document and saves it back.

  • What if that change subtly altered the intent and meaning of the document?
  • What if the change meant that the application failed?

It’s not hard to think of similar situations in other fields where the detail of a document is of crucial importance.

In Summary

In other posts, I’ll discuss ways in which documents can be shared securely and the need to control access and maintain an immutable audit trial can be met. In the meantime, think very carefully before you use Dropbox to share that document with somebody outside of your organisation.

Is the privacy of your email a real concern?

So, users of Google Apps for Business, are you OK with Google reading your commercial email?

Last week’s revelation that users of Googles email services should have no expectation of privacy, caused quite a stir. Even when this was clarified as applying only to the privacy of emails sent to Google users, it was still a shock to some.

In case you missed all this, Google was submitting a Motion to Dismiss in response to a class action suit. The salient words are…

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed,”a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” (my emphasis)

This was later clarified and justified on the basis that:

  • the text is not about users of Gmail, but rather people to send emails to users of Gmail (presumably including other Gmail users)
  • this indeed is what US Law dictates.

For a fuller explanation of the issues, visit Naked Security

My view is that if it prompts more businesses, and individuals, to pay attention to their information security, then it will have been good thing.

Misconceptions about information security

I find that most people suffer from a number of misconceptions when it comes to the privacy of their data in the online world:

  1. They think that sending an email is like sending a letter: i.e. the contents are sealed. It isn’t, unless you have taken additional measures like encryption.
  2. They adopt the view that if you haven’t done anything wrong then you have nothing to hide.

Both statements are plainly not true if you are using Gmail for business purposes. Do you really want Google looking through your correspondence with clients, with accountants, or, perhaps most worrying, your legal representatives?

Of course there’s no suggestion that a human being is trawling through your emails. In fact it’s an automaton that is trying to profile you in order to target advertising more effectively.

In of itself this may be a good thing. After all, if we must be bombarded with adverts, at least if they are relevant, it’s maybe not as bad as random ads of no interest. I appreciate this is being a bit too forgiving; but after all, everybody’s got to make a living 🙂

Of greater concern is the potential for the automaton to get it wrong.

How it can all go wrong

Take a look at this Forbes article. It illustrates how Target used data collected from their website to predict that a teenage girl was pregnant and then use that knowledge to target[sic] her with maternity products. It may be an anecdote, but it shows how everything you do online can be aggregated and maybe used against you.

The lesson

The lesson is to be more aware of the implications of living your life online. Whilst you can take measures to reduce your digital footprint, as Tom Henderson did, for most people this will be over the top. However, at least realise this problem exists and take measures where you feel it is appropriate: e.g.

  • by installing something like OpenPGP and using it to encrypt and digitally sign sensitive email correspondence;
  • or by installing TrueCrypt to create an encrypted virtual disk on your computer, or on your cloud storage service.

Can I help you?

If you’ve found any of this interesting, or if you disagree, let me know in the comments. If I can advise you further on your specific issues, let me know through the comments.