Wednesday, July 13, 2011

Security

Read an article today about a man who hacked his neighbor's wireless network and basically set out to ruin his life by sending fraudulent emails and such, trying to make the father of the family seem like a pedophile, and also sending death threats to the vice president from his email account. The article (http://news.yahoo.com/minnesota-wi-fi-hacker-gets-18-years-prison-032803295.html) states he was able to crack the wireless network's WEP encryption. To those who are not tech savvy, this sounds like it must have been done by a technology genius. Those familiar with WEP know that cracking WEP is as simple as playing solitaire. WEP stands for Wireless Encryption Protocol, and was the first popular encryption method for wireless networks, but is obsolete due to vulnerabilities in the encryption algorithm. To those who think I'm speaking Greek: basically, the math that WEP uses does not scramble the information well enough to keep someone from seeing what is transmitted.

Now if your wireless router or access point is fairly new, it should offer several versions of WPA2 to choose from, and with any of them you will be significantly better protected. I won't recommend one protocol over the other, because standards always change and each wireless device is different in what is available. What I do suggest is that when you set up your home wireless access point, you do some research and see what the differences are. Now if you're at home thinking "Wireless security is a hassle, I don't want to mess with pass phrases, etc., etc.", just remember what happened to the family in the above article.

So once you set up your wireless encryption, are you done with security? The answer is no. That is the same as locking your front door but leaving your windows open. When you go to websites where you enter sensitive information, make sure that the address in the address bar starts with https, not just http, and if you get a message that the certificate has an error, don't ignore it unless you know exactly why it has an error. Oftentimes the web browser will tell you why it flagged an error or will allow you to view the certificate. If you don't understand what it is saying, email the people that run the site and let them know, especially if you are planning to spend money there. Web administrators often put an e-mail address in the contacts link at the bottom of a web page.

Firewalls are also important. When buying a home router, look for one known to have a good firewall. A home router isn't going to protect you from a dedicated attack, but a decent one will protect you from random people on the internet who scan for open networks to get into. I personally like Linksys, as most models they sell are easy for me to configure and they have a lot of nice features, but I encourage people to do their own research.

Passwords. Annoying things to most, but they are admittedly the best defense a computer or online account has, as long as good policies are enforced. When you try to come up with a password, industry standards recommend a combination of capital and lower case letters, numbers, and symbols, with a length of at least 8 characters (P@ssw0rd is an example of the format, but for heaven's sake don't actually use that one in particular). Now for the hard part: don't use the same password for everything. The reason is that if one website gets hacked, a now common tactic for hackers is to try the user names and passwords they pick up on other related sites. If you just can't remember a lot at once, try grouping less critical ones like Facebook and MySpace together, but do not use the same password for your banking and e-mail. Also, keep in mind that you're not trying to keep out some geek typing in what he thinks your password is; you're trying to keep out his computer, which keeps making educated guesses until it either gets locked out or succeeds.
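The following audit script is an added example, not part of the original post; the account names, the tiny word list and the finding labels are constructed for illustration. It applies the format rule above to each password, shows why P@ssw0rd passes that rule yet is still a poor choice, and separates tolerable grouping of low-value accounts from reuse that touches banking or e-mail.

```python
import re

# Constructed sample: a tiny stand-in for a real common-password list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome"}
# Undo the usual character swaps (@ -> a, 0 -> o, ...) before the lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "!": "i"})
CRITICAL = {"bank", "email"}  # assumption: accounts that must never share a password

def meets_format(pw):
    """The post's rule: 8+ characters with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def is_common_variant(pw):
    """True when the password is a common word behind simple substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())  # drop a trailing run like '123!'
    return base.translate(LEET) in COMMON_WORDS

def audit(accounts):
    """Return {account: [findings]} for a mapping of account name -> password."""
    findings = {name: [] for name in accounts}
    users = {}
    for name, pw in accounts.items():
        users.setdefault(pw, []).append(name)
        if not meets_format(pw):
            findings[name].append("format")
        if is_common_variant(pw):
            findings[name].append("common")
    for names in users.values():
        if len(names) > 1:  # the same password protects more than one account
            tag = "reused-critical" if CRITICAL & set(names) else "reused"
            for name in names:
                findings[name].append(tag)
    return findings

# Constructed sample input, not real credentials.
SAMPLE = {
    "bank": "P@ssw0rd",
    "email": "P@ssw0rd",
    "facebook": "tr4il-Mix_88",
    "myspace": "tr4il-Mix_88",
    "forum": "sunshine",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        print(f"{account:10} {', '.join(issues) or 'ok'}")
```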

Now I often get asked which is the safest operating system to use. The answer is, they are all as safe as you make them. Some are inherently safer out of the box, but if you don't keep up with updates and use the above methods (that includes passwords), then the only safe system is the one still in the box. Windows has many well known exploits, but it is also the OS that is on most home computers, hence it is the biggest target. I have had people I know have their Macs attacked because they were complacent, because they thought "Macs never get viruses", which is not true; there are just fewer designed for them. Linux and Unix are the same way, more so if you really don't understand what makes your computer tick.

So when it comes to security, instead of me recommending products or technologies that will be obsolete next year, I suggest you practice security techniques. First, try to understand something about the products you buy and what they really offer, same as you would when buying a car or an appliance. Second, look for odd things like e-mails you know you did not send being sent to your buddy list, or certificate errors on web pages you go to.

I tried to keep this high level so that people do not get lost in technical jargon. In the future I plan on having some more detailed blogs on specific security technologies and why they work the way they do, but I will try to keep them simple too.

Until the next time I am motivated...


Madhat

3 comments:

  1. Thanks Madhat for the advice, I'm getting ready to buy a new router and I will be back to visit your blog for other security tech. advice.

    Pssst~ The man that did that to his neighbor was a friggin Psycho! Hope he serves the full time and then some.

  2. When I first read the article, the last sentence was something to the effect of "18 years being too harsh" and was originally going to rant on that, but when I got home and looked at it again, that bit was removed, guess he didn't want to get the crap beaten out of him...

    I personally like Linksys, Cisco (I know, same thing) and Buffalo wireless. Never liked Belkin and D-Link. Belkin routers a lot of times lack what I would call basic functions like the capability to create static routes, but most people call those "advanced features". Whatever you do, buy your router new, never from eBay or second hand. I had a friend that bought one off of eBay, and the guy that sold it to him was having the router forward information back to him; in short, a $10 router cost him something like $3500.

  3. Thank you for being motivated once again. I look forward to the next time.
