Set WiFi up securely

On December 31, 2011, in InfoSec, by ggwalker

No security measure guarantees that you are immune from hackers, but what follows is a best-practice set-up for WiFi that should offer reasonable protection.  Basically, you want to change the default name and password, and you need to add encryption to prevent the general public from jumping on your network to steal your information or use your connection for nefarious deeds.

I plugged in an old WiFi access point (AP) and did a complete reset to factory settings.  Looking at the back of the AP, I see that the default access address is http://192.168.0.227, the default user is “admin” and the default password is “password”. This information is freely available on the internet as well, so we will want to change this password as we configure the AP.

Entering http://192.168.0.227 into a browser and using the default credentials above, I am now able to set the AP up for home use. Every brand and model is different, so instead of a complete walkthrough, I will point out the default settings that you definitely want to turn off.

First off, now that you know that everybody on the internet knows your default password, let’s change it. Most APs and routers will differentiate between LAN settings, WiFi settings, and Security settings.

Management:

  • Change the password, use a secure password and keep it somewhere safe.
  • If you have the option, it is always safer to turn off the ability to manage remotely from the Internet or over WiFi… better to restrict configuration to a computer directly attached to the device.

WiFi Settings:

  • AP name or network name: Change it from the default, which advertises the brand of AP and therefore which vulnerabilities an attacker should try first.
  • Also, I disable SSID broadcast so that you have to already know the name of the network to connect, instead of advertising it to your neighbors.

Security:

  • Turn off Wi-Fi Protected Setup (WPS).
  • Select WPA2 security.  WEP and WPA may be options, but both are considered to be outdated and insecure.
  • I prefer AES as the encryption method, but as long as you enable encryption, which method you pick is not that important for home and small business use.
  • Choose a secure password and write down the password and settings.

As you become more comfortable with the technology, you can dig deeper into the manual to find ways to enhance your security. I also use MAC address filters and tweak a few other settings, but the base changes here should be a good start and make you reasonably secure.
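The checklist above, turned into an automated audit.  This is an added example and not part of the original post: hostapd's key=value file format stands in for the vendor web UI (an assumption; consumer APs expose the same settings under different names), the two configurations and the default-SSID list are constructed placeholders, and the management items (admin password, remote administration) have no hostapd equivalent so are not checked.

```python
"""Audit an access point configuration against the WiFi/Security checklist."""

# Placeholder list of factory SSIDs; fill in from the label on your AP.
DEFAULT_SSIDS = {"VENDOR-AP", "default", "wireless"}
# Constructed list of default/dictionary passphrases to reject.
WEAK_PASSPHRASES = {"password", "admin", "12345678", "passw0rd"}

FACTORY_CONF = """
# Roughly what a freshly reset AP corresponds to (constructed sample).
interface=wlan0
ssid=VENDOR-AP
hw_mode=g
channel=6
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
wps_state=2
"""

HARDENED_CONF = """
# The same AP after the checklist has been applied (constructed sample).
interface=wlan0
ssid=pelican-lamp-42
hw_mode=g
channel=6
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Tk9$wave-lamp-2011-orchid
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs
"""


def parse_conf(text):
    """Parse hostapd-style key=value lines into a dict, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf):
    """Return one finding string per checklist item the configuration fails."""
    findings = []
    # Security: hostapd's wpa bitmask is 1 = WPA, 2 = WPA2, 3 = both; 0/absent = open or WEP.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("no WPA2: network is open or uses WEP")
    else:
        if wpa & 1:
            findings.append("WPA (version 1) is still accepted; set wpa=2 for WPA2 only")
        # rsn_pairwise governs WPA2 ciphers; hostapd falls back to wpa_pairwise if it is unset.
        ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
        if "CCMP" not in ciphers:
            findings.append(f"AES (CCMP) is not the pairwise cipher (got {' '.join(ciphers) or 'none'})")
        if "TKIP" in ciphers:
            findings.append("TKIP is still offered as a pairwise cipher")
    # Wi-Fi Protected Setup: wps_state 0 = disabled, 1 = unconfigured, 2 = configured.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS is enabled; turn it off")
    # WiFi settings: a factory SSID advertises the vendor; hiding it is the post's preference.
    if conf.get("ssid", "") in DEFAULT_SSIDS:
        findings.append("SSID is a factory default that advertises the vendor")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast is on (the post prefers it hidden)")
    # Passphrase: WPA-PSK takes 8..63 characters; short or dictionary values are weak.
    psk = conf.get("wpa_passphrase", "")
    if psk.lower() in WEAK_PASSPHRASES or len(psk) < 12:
        findings.append("passphrase is a default, a dictionary word, or shorter than 12 characters")
    elif len(psk) > 63:
        findings.append("passphrase exceeds the 63-character WPA-PSK limit")
    # MAC filtering is the post's optional extra, so it is reported only as a note.
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("note: MAC address filtering is not enabled (optional)")
    return findings


if __name__ == "__main__":
    for name, text in (("factory", FACTORY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ap(parse_conf(text)) or ["no findings"])
```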


InfoSec in the News

On September 29, 2011, in InfoSec, by ggwalker

All of a sudden, it seems, the news is full of stories about viruses and malware, massive data breaches, and hacker groups.  One starts to wonder, what changed online and turned the internet into a battlezone?

Back in June, Freakonomics asked experts “Is There a Hacking Epidemic?” and “Why has there been such a spike in hacking recently?” and Bruce Schneier answered “I’m not sure there has been any recent increase of sophisticated cyberattacks. There has certainly been a recent increase in the press reporting incidences of sophisticated cyber attacks.”

It is true that better toolkits have evolved and that the advent of social networking has increased the level of valuable information available on the web, but the real answer is that the threat landscape is not the primary reason for increased awareness.  Information assurance has become the latest public concern and sells news.  In the media, attention can encourage more attention, so InfoSec is currently a hot topic for discussion.  Organizations like Anonymous and LulzSec have capitalized on this attention for their own purposes, fueling even more attention as the media jumps to put a face on the adversary.  Although the threat level has been high for some time, the public is suddenly aware of the risks.

I see this as a very good thing.  By increasing awareness, the media is assisting the information security community in its mission.  People are one of the biggest potential weaknesses in a company’s information assurance strategy, and the education of users is a critical task.  Information Security is not an IT issue, but a core business issue.  No expensive castle defenses can compensate for the guy who leaves the drawbridge down.  Although most employees understand the importance of security and would agree to adhere to policy, they may have varying levels of actual commitment.  When faced with a choice between compliance and expediency, the employee’s understanding of the policy and its validity, combined with how important that employee perceives it to be to management, will determine the choice made.  This seems like an unlikely risk with little impact, but it is actually of critical importance.  A lack of employee understanding and commitment can defeat even the best-laid strategy. By educating users as to the threat and the logic behind specific measures, InfoSec professionals can better ensure employee commitment to the overall security plan.

So this is where coverage by major media outlets helps our cause.  When mainstream, respected sources report, the general public is less likely to discount security statements as paranoia and is more likely to listen.

The Wall Street Journal, one of the most read and respected business news sources, published an entire special section on the subject this week: The Journal Report: Leadership in Information Security.  It provides a good overview, discussing the impact of social engineering, IT governance, entertainment and historical references, consumer dangers, and privacy.

The lead story, “What’s a Company’s Biggest Security Risk? You.” notes the increase in attention to phishing scams as a vector of concern.  As other researchers have mentioned, increased public or semi-private sharing of information has led to better, more accurate phishing.  Even security giants like RSA (they made the digital token your company most likely gave you for accessing the corporate network from home) have fallen victim to simple attacks via email attachments, resulting in massive loss of revenue and public trust.  The story also explains how non-malevolent circumvention of corporate IT and InfoSec policy for personal use can seriously impact a company’s defensive stance.

When I first joined my company’s security team, my boss and I discussed an otherwise honest employee who had built a secure, hidden tunnel to his home network to protect online banking and personal email traffic from snooping.  I saw little risk, but my more experienced boss explained that we also could not see what sites he visited that might be known malware distributors, we could not see what virus attachments he might open, and were he to go rogue, we would not be able to tell if he was sending company information home.  Fortunately the employee ceased the activity without the need for even slight disciplinary action.  He stopped tunneling out not because he was concerned that he would get in trouble, but because we explained the risk and he did not want to be the vector through which the company became infected.  We succeeded in our mission through user education and commitment instead of by trying to enforce compliance.


Passwords

On August 10, 2011, in InfoSec, by ggwalker

One of the simplest and least expensive defenses is to insist on strong passwords.  Passwords are often the only form of authentication in use, so organizations must maximize their effectiveness.  Unfortunately, ease of memory and difficulty of compromise are opposing forces.

If a password is too simple, it can be easy for an adversary to guess.  When allowed to pick passwords free-form, normal people tend to choose names, things, or dates that they will be able to remember easily.  Unfortunately this increases the chance that a social engineer can guess the password given some knowledge of the user’s hobbies and interests (like, say, the sorts of things we broadcast on Twitter and Facebook).

Conversely, if the password is too complicated, the user will have to write it down, increasing the chance that somebody can find and exploit it.  When an organization seeks to mitigate this risk and automates the generation of passwords using a random collection of characters, an adversary is more likely to find a password on a post-it note or saved in a text file.  Remember the movie WarGames?  Matthew Broderick’s character gains access to the school’s computer system because a secretary had the system password written on a post-it note under her keyboard.

Interestingly enough, mathematical models show that the complexity of the password has far more to do with password length than with the character set used.  The generally accepted equation for the number of combinations possible is (character set)^(password length).  For an eight-character password from the standard keyboard set of 94 characters, n^L = 94^8 = 6.10e15 combinations, so the probability of guessing correctly is 1/n^L = 1/94^8 = 1.64e-16.

I attempted to improve on this formula in vain… if you find statistics and math amusing, be sure to read the separate blog post Where my math went horribly awry.

With modern computing tools, hackers can guess as many as a billion potential passwords per second. At this rate, they could guess your password in:

  • 10 seconds for a password containing 5 characters
  • 1,000 seconds for a password containing 6 characters
  • 1 day for a password containing 7 characters
  • 115 days for a password containing 8 characters
  • 31 years for a password containing 9 characters
  • 3,000 years for a password containing 10 characters

As the equation above demonstrates, password length affects complexity more than the number of values each character can have, but hackers have an additional tool: the dictionary attack.  These lists of words and commonly used passwords can be guessed in place of random characters, making something like “Passw0rd” a single guess and not just the combination of many letters.  One must keep in mind that dictionary attacks render words into a single guessable unit, so “rover1” becomes a two-character password, not a six-character one.

By knowing more about you through social media research, they can narrow these lists of words down.  Big fan of Star Trek? You can bet they would guess NCC-1701 first!

This is also my concern with passphrases, though.  A recent xkcd comic suggests that due to their length, passphrases are harder to crack and easier to remember, but if they are composed of normal words, a dictionary attack could be adjusted to use words in combination, reducing the passphrase to a couple of guessable units again.  A better solution would be to introduce the complexity of case and alternate characters into the passphrase words, but this again complicates the passphrase, increasing the likelihood that it will be written down or forgotten.

My suggested solution is to do what you can to balance complexity and ease of memory.  As with many aspects of Information security, user education may be one of your strongest tools, explaining what makes a strong password and why you should not have it taped to the inside of your drawer.  A tool like KeePass can help securely store and keep track of complex passwords.

To paraphrase Paul Steinbart, the effectiveness of any password depends on the password length, characters used, randomness, length of time used, and how secret the password is kept.  On this last item, he notes:

“Passwords are like toothbrushes – you should not share them and you should change them periodically”


Where my math went horribly awry

On August 10, 2011, in InfoSec, by ggwalker

In Professor Paul Steinbart’s MSIM Information Security and Controls course (CIS 591 at ASU’s W.P. Carey) we discussed password strength and were introduced to the equation n^L for determining the number of combinations possible, given a password L characters long where each character is selected from a set of n possible values.

For an eight-character password from the standard keyboard set of 94 characters, n^L = 94^8 = 6.10e15 combinations, so the probability of guessing correctly is 1/n^L = 1/94^8 = 1.64e-16.

The illustrative purpose is to show how increasing the length of the password has a far greater effect on password strength than increasing the character set used.

Unfortunately, this class happened soon enough after my mandatory Statistics classes to lead to ego-driven extrapolation as to how I could use my recently-acquired knowledge to improve the calculations.  I pondered this and thought that there must be a more precise way to determine the likelihood of a correct guess based on probability and binomial coefficients.  The binomial distribution is used in Statistics to predict the likelihood of an event when one has two mutually exclusive and collectively exhaustive categories (e.g. a guess has to be either successful or failed, and cannot be both or neither) and the probability remains constant (a result does not change the probability of a subsequent result).

Applying the binomial distribution, we can determine P(x), the probability of guessing x out of n characters correctly, given probability p for each character.  Solving this for the probability of guessing eight out of eight (p = 0.0106, i.e. one out of 94 possible characters):

binomial distribution

My thoughts were that although this is not an exact match, for the purposes of Information Security, 0.000000000000000159 and 0.000000000000000164 are close enough to show the strength of the password in question.

My next thought, though, was that if there is a finite distribution, should this not be the hypergeometric distribution instead?  The answer is no… the sampling is carried out with replacement, as you can use the same value as many times as you want, as opposed to only once.  The probability of each attempt is therefore independent, as per the definition of the binomial distribution.

My second concern was that the number of combinations of selecting X objects out of n objects is defined as follows:

Combinations


So for eight characters from 94 possible characters:

Equation

= 111,315,063,717 eight-character combinations.  (1.11e11)


This does not match up with n^L = 94^8 = 6.10e15 as above, but this is because the equation is for combinations without repetition, so we would actually need to use a different binomial coefficient:

Combination with replacements


Therefore, where n = 94 and X = 8 as above,


So now we are seeing the potential for 2.02e11 eight-character combinations.  Still far different from 6.10e15.  Where am I going wrong?

My next epiphany was that I was using the wrong formulas.  Combination is when order doesn’t matter; permutation is when the order does matter.  In the case of passwords, order most definitely does matter.

In researching permutation, I came across the formula nPr for the number of permutations of r items chosen from a set of n values. I calculate 94P8 = 4.49e15.  Closer to n^L = 94^8 = 6.10e15 but not quite there yet… what am I missing?

As it turns out, this is for selecting finite and unique items.  I would again need a different formula if allowing for repetition as above.  Realizing this, I dove further into the internet to determine the formula to use for permutation with replacement.

Finally, I learned that the formula for permutation with repetition is n^r, where n is the number of things to choose from and you choose r of them (repetition is allowed and order matters), which brings us back to (character set)^(password length), expressed as n^L.

So there we are.  A lot of wasted math only to arrive back at the formula we learned in class.
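The derivation above, and the figures in the Passwords post, carried through in code.  This is an added example and not the author's code: it recomputes n^L and 1/n^L, the binomial probability with the exact p = 1/94 and with the rounded p = 0.0106 (which is where the 1.59e-16 versus 1.64e-16 gap comes from), C(n,k) without and with replacement, nPk, and the crack-time table; the table in the Passwords post is reproduced (to the post's rounding) with a 100-symbol alphabet rather than 94, an observation the post itself does not state.

```python
"""Every intermediate number from the two password posts, recomputed."""
from math import comb, perm

N = 94        # printable characters on a standard keyboard
L = 8         # password length used in the posts
RATE = 10**9  # guesses per second, as stated in the Passwords post


def keyspace(n=N, length=L):
    """n^L: ordered selections of L symbols, repetition allowed (the class formula)."""
    return n ** length


def guess_probability(n=N, length=L):
    """Chance that one uniformly random guess is right: 1 / n^L."""
    return 1 / keyspace(n, length)


def binomial_all_correct(p, length=L):
    """P(X = L) for X ~ Binomial(L, p): every independent per-character guess succeeds.
    The pmf term C(L, L) * p^L * (1 - p)^0 collapses to p^L, i.e. back to 1 / n^L
    when p = 1/n; rounding p to 0.0106 is what produces the post's 1.59e-16."""
    return comb(length, length) * p ** length * (1 - p) ** 0


def combinations_without_replacement(n=N, k=L):
    """C(n, k) = n! / (k! (n - k)!): unordered, each symbol used at most once."""
    return comb(n, k)


def combinations_with_replacement(n=N, k=L):
    """C(n + k - 1, k): unordered multisets of size k drawn from n symbols."""
    return comb(n + k - 1, k)


def permutations_without_replacement(n=N, k=L):
    """nPk = n! / (n - k)!: ordered, but no symbol may be reused."""
    return perm(n, k)


def seconds_to_crack(n, length, rate=RATE):
    """Worst case: enumerate the whole keyspace at `rate` guesses per second."""
    return n ** length / rate


def crack_table(n, lengths, rate=RATE):
    """(length, human-readable worst-case time) rows, truncated like the post's table."""
    rows = []
    for length in lengths:
        s = seconds_to_crack(n, length, rate)
        if s < 3600:
            value, unit = int(s), "second"
        elif s < 86400 * 365:
            value, unit = int(s / 86400), "day"
        else:
            value, unit = int(s / (86400 * 365)), "year"
        rows.append((length, f"{value:,} {unit}{'' if value == 1 else 's'}"))
    return rows


if __name__ == "__main__":
    print(f"n^L              = {keyspace():,}  (6.10e15)")
    print(f"1/n^L            = {guess_probability():.3g}")
    print(f"binomial p=1/94  = {binomial_all_correct(1 / N):.3g}")
    print(f"binomial p=.0106 = {binomial_all_correct(0.0106):.3g}")
    print(f"C(94,8)          = {combinations_without_replacement():,}")
    print(f"C(101,8)         = {combinations_with_replacement():,}")
    print(f"94P8             = {permutations_without_replacement():,}")
    for length, t in crack_table(100, range(5, 11)):
        print(f"{length} characters: {t}")
    print("8 characters, 94-symbol alphabet:", crack_table(94, [8])[0][1])
```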


So how stupid am I?

On July 22, 2011, in InfoSec, by ggwalker

I have been going nuts trying to find a missing USB thumb drive over the past three weeks or so.  It was a little 2 GB thing that I used for mobile content.  I had vacation photos, my current resume, scanned PDFs of certifications and diplomas, and (more importantly to this forum) all of the half-completed blog posts that I had been working on over the last year or so.

Although this is a huge pain and stressor for me, it really illustrates several important issues: security best practices that I myself have hypocritically neglected.

Make regular backups of your data and keep them safe.  I actually used to copy all of the data from the thumb drive on my keychain into a folder named “fob” on my PC on a semi-regular basis.  Why I did not continue this practice is lost upon me, as that backup would be a huge boon right about now…

I have a removable drive that I use to back up important data from my home computers in case of a fatal system crash, damaged hard drive, etc.  I usually store it off site so that I do not lose my scans of important documents or every digital photo that I have ever taken should we have a fire or something.

Encrypt removable data storage (and non-removable data storage where practical).  The removable drive above is an encrypted TrueCrypt volume to protect the confidentiality of the data stored.  Ironically, I discovered that the thumb drive was missing after deciding that I should really copy the data over somewhere and encrypt it as I usually do for removable data storage (like literally every other thumb drive I have ever used!).  TrueCrypt is a free program that can encrypt either a specific-size volume or an entire disk.  I use it to create “lockboxes” on computers and to perform whole-disk encryption on laptop computers and removable storage media (with one rather embarrassing exception, of course!).

Keep your PII (Personally Identifiable Information) safe and secure.  Fortunately there was little personal data on my missing thumb drive, but there are still many things that an identity thief could find useful.  Scans of certificates, copies of cover letters and documents, and every note or handout I had from my Master’s program could all be used to increase the believability of a scam impersonating me.  Although the database would be encrypted, I am very glad that my KeePass data was not on the lost device.  Really, though, I had no reason to carry all of that around with me, so a better practice would have been to keep it secure in a lockbox on my PC instead of a very easy-to-lose fob.  This is similar to why you would not want to carry a list of passwords in your wallet.

So what have I learned?  Don’t put important, unencrypted information on a small and easy to misplace device!  Friends have suggested DropBox or similar cloud-based solutions, but going forward, I will most likely rely on the fully-encrypted fob on my physical keychain, only store what I really need on it, and back it up weekly in case of loss.


So what is the deal with this Epsilon hack?

On April 9, 2011, in InfoSec, by ggwalker

There was quite a bit of news coverage this week regarding the information breach at Epsilon.  I was asked whether or not this is something about which the average home internet user should be concerned.

Have you ever opted in to receive marketing email from a company with which you do business?  Companies like Epsilon are hired to maintain address lists and send out literally billions of emails each year on behalf of retailers, charities, banks, and other organizations.  It is similar to spam, but is a legal and usually at least nominally invited form.  According to the news reports and statements from Epsilon, hackers were able to compromise their databases and acquire an unknown number of email addresses and possibly the associated names.  GovInfoSecurity has posted a list of the affected companies announced thus far, many of which are already notifying customers of the breach.

So no, they did not really get a lot of information, but yes, there is still a slight risk.  In theory, by obtaining a list of addresses and names and assuming that they know the company that had them, criminals could use the information to refine phishing attempts into spearphishing attacks.

Phishing is an e-mail impersonating a business, usually a bank or other financial institution, designed to get the recipient to go to a web page designed to look like that business, to collect account information and steal funds from the recipient’s account.

Spearphishing is a newer development in which the attacker uses information that they already have about you to personalize the spam and increase its believability.  This is one of the risks that social media adds to; a hacker can use information you post about yourself on the internet to craft a credible-sounding message.  You are more likely to click on a scam link in an email that looks like it came from your bank or favorite business than from an unknown source.

The real answer, then, is that there is nothing of concern inherent in the information stolen in and of itself, but the risk of spearphishing has increased and internet users should be careful.

Beware of unsolicited emails with links or images claiming to be a bank or business.  Mouse over the link and see if the browser message matches the alleged address.  Companies with whom you have a business relationship are not really going to terminate that relationship if you did not go to a website or install some program… that just does not make sense.  If you really think that it is legit, go to the company’s website as you normally would instead of following the email link.  Better still, call the company’s helpdesk and see if they really sent you a notification.
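The mouse-over check described above, done programmatically over the links in an HTML message.  This is an added example and not part of the original post: the message and every domain in it are constructed placeholders (`.example` and `.test` are reserved names), and the "same site" test is a deliberately rough last-two-labels comparison.

```python
"""Flag links in an HTML e-mail whose visible address, or claimed sender, does not match the target."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Visible link text that looks like an address (a bare domain or a URL).
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; text without a scheme is read as http://text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Rough registrable-domain check: the last two labels match.
    (Suffixes such as co.uk would need a public-suffix list; ignored here.)"""
    return a.split(".")[-2:] == b.split(".")[-2:]


def suspicious_links(html, claimed_sender_host):
    """Return (href, text, reason) for every link that does not go where the mail implies."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if is_ip_literal(host):
            findings.append((href, text, "link target is a bare IP address"))
        elif DOMAIN_LIKE.match(text) and not same_site(host_of(text), host):
            findings.append((href, text, "visible address does not match the link target"))
        elif not same_site(host, claimed_sender_host):
            findings.append((href, text, "link leaves the claimed sender's site"))
    return findings


# Constructed sample message claiming to come from "bank.example".
SAMPLE_MAIL = """
<p>Dear customer, your account at <a href="https://www.bank.example/">bank.example</a> needs attention.</p>
<p>Please visit <a href="http://bank.example.login-verify.test/x">https://www.bank.example/login</a> today.</p>
<p>Or use <a href="http://203.0.113.7/login">this secure link</a>.</p>
<p><a href="https://www.bank.example/help">Help center</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL, "bank.example"):
        print(f"{reason}: '{text}' -> {href}")
```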

Brian Krebs has posted a great article on Avoiding Phishing Scams if you want to read more.  McAfee has a page with several useful articles on the subject (interlaced with a lot of marketing material about buying protection from them…) and notes that if you are determined to click the link and try, enter the wrong password first… a scam site won’t know and will accept your bad password!

So, as any IT person worth their salt will tell you, beware of weird emails and attachments, keep your computer patched and Anti-Virus signatures up to date, and always be skeptical.


Latest Windows Patch Disables Autorun

On February 14, 2011, in InfoSec, by ggwalker

I was just reading a ZDNet report announcing that Microsoft’s most recent patches are turning off the Autorun/Autoplay feature in XP and Vista.  This is a great idea and should help quite a bit with the fight against malware entering through the USB and disk vector.

Many users are unaware of the risks autorun creates, as evidenced by the frequently-quoted (and frequently claimed) Secure Network Technologies study “The Cost of Human Curiosity” in which penetration testers “seeded” a credit union parking lot with pre-infected USB thumb drives.  Fifteen of the twenty drives were found by employees and plugged into company computers.  The Autorun/Autoplay feature allowed the Trojan to run, collecting passwords, usernames, and other proprietary data, and emailing it back to the security researchers.

The Microsoft Malware Protection Center also posted “Breaking up the Romance between Malware and Autorun”, citing improved security around autorun in Windows 7 as the reason why “Windows XP users were nearly 10 times as likely to get infected by one of these worms in comparison to Windows 7.”

If you want to be sure of your settings, though, I found a great tutorial entitled “How to disable the Autorun functionality in Windows” on Microsoft’s support page.

Good news, though.  Won’t do much for browser-based threats, I am afraid, but a good start.


KeePass: open-source password safe

On January 5, 2011, in InfoSec, Reviews, by ggwalker

I have been using KeePass for a couple months, thanks to a suggestion from my friend Jim Lippard.

Password management has always been a challenge and a balance between the conflicting forces of paranoia and laziness.  My affinity and preference for complex, lengthy, randomly-generated passwords and my aversion to password re-use resulted in a lot of credentials to track.  Given the right motivation I might be able to memorize them all, but I have yet to successfully do so.  My solution was to store a text file on an encrypted volume (using TrueCrypt) and copy it between several computers and a couple of encrypted USB thumb-drives.  This becomes a bit onerous and discourages the kind of regular password changes we all know we should be doing.

I installed KeePass on a USB thumb-drive and found it to be a great solution to my dilemma. The program features a GUI interface to an encrypted database.  After entering a master password, you can create entries for specific sites.  The interface allows you to enter username, password, URL, and notes, and features a customizable password generator with default settings for several sizes of random hex keys.  These records can be organized into folders for ease of use.  When you want to log on to a site, you just need to go to the page’s login screen, pull up the KeePass window, and select “Perform Auto-type” to enter your username and password.

For back-up, I regularly copy the encrypted database back to a couple of home computers in case I lose (or, more likely, launder…) the fob.  One drawback is that I don’t know my passwords, so I cannot access Gmail from a computer on vacation, but I am usually too paranoid to access my accounts from a public machine anyway, so this is of little consequence.

KeePass has enabled me to track more than seventy different user-password pairs using large, complex passwords, as well as expiration dates, URLs, and other account info.  I highly recommend it, as does Jim, apparently.


Short-term Gains

On December 17, 2010, in Uncategorized, by ggwalker

For our last night in Australia, we went into downtown Brisbane for dinner. We stopped at a place in the Queen Street shopping area and were seated next to a slowly growing table of university students (the Queensland University of Technology is right downtown). A steady stream of the usual memes (“It’s a trap!”) confirmed that the majority of the group studied Computer Science, but I was very surprised to hear one very young man bragging that he was leaving school early. He announced several times that he had been offered a position as lead programmer for a local company. His decision was that it was far better to get paid $800 per week to code than to have to sit in class for two more years learning how to program.

This surprised and disappointed me… I can see the temptation, but my experience has convinced me that it would be better to stick it out and finish school. I remember similar conversations in 2000 when we were all young network techs riding the end of the dot com bubble and a CCNA would guarantee you a $40k job. Don’t get me wrong, I readily agree that you do not need a degree to be successful in technology (cases in point, my very intelligent and successful friend mikeb as well as our highly qualified and creative Information Security team), but if you are halfway through the program, why discard the potential value of both the knowledge and the certification of a degree for what annualizes to a $41k job?


Review: The Myths of Security

On September 30, 2010, in InfoSec, Reviews, by ggwalker

A review of The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know, by John Viega

A very informative book that I borrowed over a weekend from a friend.  The author started writing the book as Chief Security Architect at McAfee, continued at a startup, and then finished back at McAfee as CTO of the Software-as-a-Service Business Unit.  He tries hard, and with good humor, not to stump for McAfee, but you can tell that he has a lot of pride in his company.

John explains that most people do not really care about security because it is something that happens in the background.  Issues are hidden and arcane, major attacks and vulnerabilities seem to blur into one big problem necessitating expensive AV that only appears to slow down desktop computing.  Value drops as free versions become available, people are duped by fake AV malware, and even legitimate AV suffers as users forget to keep subscriptions current.

The book covers the different attacks and malware in the wild, discusses motivations and attack vectors, and identifies risks.  He talks about things that he does like, including SSH, SpamAssassin, and the siteadvisor.com plugin (me too…) but discusses the things that he does not like at length as well.  A big concern is the current state of firewalls and AV.  He fears that false positives and the negative impact on system performance drive users to disable or circumvent AV.  As for firewalls, John disagrees with the old SANS standby that an unprotected computer attached to the internet will be infected within four minutes.  He argues that NAT and OS firewalls prevent old-school attacks, with the real threats coming instead from malware introduced by phishing, rogue websites, fake shareware, and malvertising.  Instead of focusing on perimeter defense, we need to put more emphasis on user education and awareness.

Another of his concerns is that NIDS, HIDS, and IPS are not actually cost-effective for most small and medium businesses, as output is too voluminous and complex for analysis by local IT resources.  This agrees with my thoughts that managed security services offer better analysis and value through economy of scale.  He gives many examples of security practices that may cause more trouble than they solve by lulling users into a false sense of security.  Examples include AV, which by some estimates catches only about half of the malware in the wild, and VPN, in which an infected computer can become a trusted member of the network and spread a virus or worm.  In spite of these concerns, the author feels compelled to offer suggestions to the reader for better network security.

His basic rules are as follows:

  • Install all updates for your OS, browser, and any apps you use to reach the internet ASAP.
  • Run a reputable Anti-Virus program and keep the definitions up to date.
  • Use Windows Firewall (if on Windows, of course) and use Network Address Translation to assign IPs at your firewall/router/cable modem.
  • Do not download software from file-sharing or P2P sites.
  • Do not click ads unless you know the company.  Fun ads are often malware.
  • Never give out personally identifiable information without validating the requestor.
  • Use a service like siteadvisor.com to evaluate site risk when searching online.
  • Never open email attachments or click email links unless you know the person sending it and that they are actually who they say they are.

I actually take this last one even further… when a friend sends me a link or image through email, text, or messaging, I usually check back with them and confirm before clicking or opening it.

The remainder of the book discusses security as part of the development cycle and identifies his thoughts on Cloud Security strategy and overall changes that the AV and security industries should consider.

This is a great book and gives a good background, so I suggest you read it yourself to see what these suggestions are. :)