Michael Horowitz |
Home => Bing prefers bad Router Security advice
|
[Formatted for Printing] | From the personal web site of Michael Horowitz |
Created: May 15, 2021
Updated: May 16, 2021 (see update at end)
Updated: June 22, 2021 (see update at end)
Bing, like Google, used to have my RouterSecurity.org website as the top site when searching for "router security". But recently it had removed the site completely from its search results. As I write this, the site is again indexed, a couple individual pages are returned in the search results, but they are fairly low ranked. Note that DuckDuckGo, Yahoo and AOL get their search results from Bing.
So, here I a take a look at the number one hit on Bing when searching for "router security".
As you can see below, the top result is called "Router security: How to setup Wi-Fi router securely" and it lives at us.norton.com. I will not link to it. The URL
is
https :// us.norton.com/internetsecurity-how-to-how-to-securely-set-up-your-home-wi-fi-router.html
In the screen shot of the article, at the end of this blog, we see that it was written by Alison Grace Johansen for NortonLifeLock on February 7, 2019.
MISTAKES IN THE ARTICLE
- - - - - - - - - - - - - -
" ... an unsecured Wi-Fi router running on the default manufacturer settings could be a liability when it comes to hackers."
Could be? No, it definitely is a liability.
- - - - - - - - - - - - - -
"If your Wi-Fi network isn’t secured properly - a public IP address, no unique Wi-Fi password - you could be letting anyone with a wireless-enabled device gain access."
Wow. First, nothing about Wi-Fi network security has anything to do with a public IP address. Second, being unique is not a critical aspect of a good Wi-Fi password. Wi-Fi passwords need to be long enough to resist brute force guessing, they do not need to be unique. The password "ladjfEBf998KKEIEKlksadjfLWkdi" is really good, even if someone else is using it.
- - - - - - - - - - - - - -
"You might not be worried about someone using your wireless connection, but the real risk is exposing sensitive information you send and receive - your emails, banking information ... to cybercriminals."
Exposing sensitive information is not the real risk at all. A bad guy on your WiFi network, will, by default, not see much sensitive information as the vast majority of it is already encrypted with TLS. If a stranger using your wireless network does something illegal, however, it tracks back to you. To me, that is the real risk. Then too, if you have bandwidth limits it can cost you money. Another huge issue is that the bad guy might hack into or otherwise corrupt one of the devices on the network.
- - - - - - - - - - - - - -
"Every router should have a strong password to help keep out the bad guys."
This is one of two instances where the author confused the Wi-Fi password with the router password. My guess is that this was written by an intern in the marketing department. And, it assumes there is one and only one Wi-Fi network.
- - - - - - - - - - - - - -
"All wireless routers have a numerical address. If you've lost the instructions, you can probably find yours by searching online for your router’s model number."
Many routers can be accessed by name rather than IP address. For example, Asus uses router.asus.com. And, many routers are managed by a mobile app rather than a web browser. Marketing intern.
- - - - - - - - - - - - - -
"In Security Settings, create a name for the router, and a password, and then select a type of encryption, like WAP2."
There is no such thing as a name for a router. Wi-Fi networks have names, routers do not. And, its WPA2, not WAP2.
- - - - - - - - - - - - - -
"Don’t forget to save the updated information when prompted. Your router is now secured against roaming cybercriminals."
What this is saying is that as long as a Wi-Fi network has a good password, its secure. The ignorance is such that words fail me.
- - - - - - - - - - - - - -
"The most common router encryption types are WEP, WPA and WPA2"
When this article was written (2019), these were the only types, not the most common types. And, there is now a new type, WPA3.
- - - - - - - - - - - - - -
[WPA] "... is also a less secure form of encryption, partly because of legacy hardware and firmware that still used WEP as their main protocol."
This is as dumb as dumb gets. WPA encryption is less secure because old stuff still uses WEP. And, in 2019, nothing used WEP. I can see well over 100 Wi-Fi networks from my home and I check every now and then. No WEP. Not for a long long time.
- - - - - - - - - - - - - -
"Most modern routers allow you to enable notifications to prompt you when the manufacturer makes patches and updates to the router’s firmware available."
Not true. Passive notification of firmware updates is not a thing routers do. And, define "prompt".
- - - - - - - - - - - - - -
"Make sure you change the password of your router during setup ... If possible, change the username of your network, too. After all, it makes up half of the log-in credentials."
Networks do not have usernames. Yet again, confusing the router userid/password with the Wi-Fi password.
- - - - - - - - - - - - - -
" [WPA2] is one of the most secure encryption options available in the market since 2006."
One of the most secure options? It was the most secure option. There was no competition in 2019.
- - - - - - - - - - - - - -
"WPS: It works on the idea that you press a button on the router and a button on the device. This makes both devices pair automatically."
Button pushing is only one way that WPS works, there are other methods too.
- - - - - - - - - - - - - -
"The user has the option to use a personal identification number, or PIN, to setup the device to create a connection."
See, I told you. A PIN is another mode of operation for WPS. And setting up a device and creating a connection are two different things. A PIN code does nothing as far as setting up "the" device.
- - - - - - - - - - - - - -
"This eliminates the use of the 16-character WPA password that most routers use."
Wrong and wrong. Most routers use WPA2 not WPA. The length of a WPA or WPA2 password is not fixed at 16 characters.
- - - - - - - - - - - - - -
"The PIN is an eight-digit number that can easily be hacked by repeatedly using various combinations of the usernames and passwords."
I can't take this any more. It is true that attackers can guess a WPS PIN code with enough guesses, yes. But none of these PIN code guesses has anything to do with either a uername or password. Apples and oranges.
- - - - - - - - - - - - - -
"It would be wise to disable remote access to your router when you are actively connected to it."
Whether you are actively connected or not is irrelevant to the point here.
- - - - - - - - - - - - - -
"A firewall ... is an important security feature to look for when selecting a router."
Nope. Every router has a firewall. It is the least important feature to look for when selecting a router.
- - - - - - - - - - - - - -
There are so many articles on router security, how the heck did Bing rank this miserable article at the top? You don't have to read too much of the article to see that it was written by a "challenged" person. This is probably the worst article I have ever seen on router security, and I have seen a lot.
But, the important point here is not about Router Security, it is about Bing and DuckDuckGo, which gets its search results from Bing. Bing gave this article a special place, above the search results. DuckDuckGo, does not have this feature, it just lists results. A search for "router security" on DuckDuckGo on May 15th, had the offending article second, after a couple ads. Scrolling down on a Bing search showed the article was also in second place, after the same Consumer Reports article.
Clearly, Bing search results are sub-optimal. The Duck may not track you the way Google does, but the cost of that, is poor search results.
Google and Startpage (which gets its search results from Google) are not perfect here, the offending article is ranked fifth in both their search results (as of May 15,2021).
Update: May 16, 2021. Someone suggested that Bing might be rating RouterSecurity.org low because it is mis-interpreting dates on the page. It seems as if Bing is using the last date on the page as the "Last Updated" date.
In the Bing search result listing for the Test Your Router page, the date shown is Dec 5, 2015. This is the page creation date, the page was last updated April 15, 2021.
The Bing search listing for the Suggested Secure Routers page sheds more light on what appears to be a Bing Bug. The page is shown with a date of Feb 27, 2019 which is neither the creation date (which is January 20, 2019), nor the last update date (which is April 27, 2021). It is just the last date physically on the page. Specifically, it is the date used to calculate average daily page views. This is almost always the same as the page creation date, why its different on this page, I don't know.
I will try to test this by putting a recent date on the bottom of every page to see if Bing will pick that up.
Update: May 25, 2021. Just over a week ago, I put a date from this month as the last physical date on each page of RouterSecurity.org. Hard coded. Today, I ran another search for "router security" and the miserable article described above was still promoted at the very top. I had complained to both Bing and DuckDuckGo about the article and told them about this blog. But . . . now RouterSecurity.org is the top Bing search result, you just have to scroll down to see it. So, it seems that the site was indeed being penalized for the old dates. I will have to change the page footers.
Update: June 22, 2021. On Bing, the bad article is now third in the search results. My site is second but Bing shows a date of January 30, 2015 which is when the site went live. On DuckDuckGo, my site is first, followed by the bad article. On Google, my site is first, the bad article is fifth. Baby steps.
| ||
@defensivecomput | TOP | Home => Bing prefers bad Router Security advice |
michael--at--michaelhorowitz.com | Last Updated: June 22, 2021 8PM UTC | ||
Copyright 2001-2024 |
Copyright 2001-2024 |