Tag Archives: security

Wireless security – how secure is your data?

I have had many people ask me about wireless security lately. I attribute this to the boom in regular people now having WiFi-enabled phones and netbooks that they use many times a day for every task imaginable. Many of these people use whatever wireless network they can connect to, whether they recognize it or not, and they proceed as usual with e-mails, IM conversations, etc. The following applies to any wirelessly connected device, whether it be a laptop, iPhone, Blackberry, etc. I have tried to break these down by the most common questions. If you have more questions, please add them to the comments and I will answer them as well.

If my home wireless connection is encrypted with WEP/WPA isn’t everything secure?

Let’s get this out of the way from the beginning. If you are using WEP then your connection is NOT secure. WEP can now be cracked on average in less than 5 minutes. There is no reason to be using WEP, as WPA has now been around for years and is much more secure in every way, shape and form. Bottom line: if you are using WEP, get off it and move to WPA, or accept that your information is as secure as if it were sent in the open, unencrypted.

WPA was created as a quick solution to the massive insecurities in WEP. It does give a fairly high level of protection, and even though there are rumors it has been cracked, those are currently rumors. Until I see a tool that makes it EASY for anyone to break into a network, as is the case with WEP, I would not be as worried. WPA2 is the next step beyond WPA and is extremely secure.

Is the password I chose good enough?

Realize this. If you have the strongest encryption in the world and everything is set up super-tight but your password is “doggy”, then you might as well not have it secured at all. I say this because there are programs that will automatically try every common word in the English language and some others, as well as variations on it. So it would try d0ggie, d0gg1e, d0gg13 etc… Moral of the story: never base your password on a common English word, and use numbers with some symbols (punctuation, etc.) if possible. I am not telling you to pick a password you will never remember. If you have to write it down on a sheet of paper then that defeats the purpose. However, making a moderately difficult password that you CAN remember is infinitely better than using a simple one that people might be able to guess.
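To show why d0gg1e is no better than doggy, here is a small check that undoes the usual substitutions and looks the result up in a wordlist. This is an added example, not code from the original post; the wordlist and the substitution table are constructed for illustration.

```python
from itertools import product

# Constructed sample wordlist; a real check would load a large dictionary file.
COMMON_WORDS = {"doggy", "doggie", "password", "dragon", "summer"}

# Character swaps that guessing programs try, mapped back to the letters
# they usually stand for ("1" can stand for either "i" or "l").
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}


def base_forms(password):
    """Yield every plain-letter spelling the password could be a disguise of."""
    lowered = password.lower()
    # Also consider the password with a tacked-on suffix such as "2024!" removed.
    core = lowered.rstrip("0123456789!?.#*")
    for candidate in {lowered, core}:
        options = [LEET.get(ch, ch) for ch in candidate]
        for combo in product(*options):
            yield "".join(combo)


def is_dictionary_based(password):
    """True if undoing simple substitutions lands on a common word."""
    return any(form in COMMON_WORDS for form in base_forms(password))


if __name__ == "__main__":
    for pw in ("doggy", "d0gg1e", "d0gg13", "Doggy2024!", "tr7-Lq9v"):
        verdict = "dictionary-based" if is_dictionary_based(pw) else "not in list"
        print(f"{pw!r}: {verdict}")
```

A password that passes this check is not automatically strong; the check only catches the specific mistake described above.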

My wireless network is secured correctly but many people share the password, is that an issue?

Yes, it is an issue. For regular home users this is not that big of a deal because you and your family use the wireless connection. However, let’s say you live in an apartment complex and one of your kids and their friends want to use the wireless connection in your place. Whoever has the password obviously has the ability to pass it on to someone else so that third party could access the network. However, what most people don’t know is that anyone possessing the password can access all data on that network via wireless sniffing and decrypt all that data. So essentially, it’s like people having a master key. Except this master key magically works through walls and doors. Oh, this magic key also lets people view when you are going in and out, what you are doing, and with whom. The point is, if you do work from home or are securing a business wireless access point then having the same password for every user is NOT a good option. There are ways to secure this, but that is beyond the scope of this article. If people are interested, add your thoughts into the comments.

What if I don’t have a choice and need to use an unsecured hotspot?  What can I do?!?!?!?!

This is the number one question.  I left it at the end because the other questions build a good foundation as to why you need to do this.

VPN – if you must do work through an unsecured wireless access point then a VPN is the most secure way to go by far. A VPN allows you to tunnel all your traffic through it and it encrypts everything along the way until the server you initiated the VPN with gets the data and then decrypts it. The assumption is that the most insecure transmission occurs before reaching the VPN server, at which time there is no need for it to be encrypted anymore (this is a very simplified breakdown of VPNs). If you are a casual user and don’t have a work VPN but want everything to be secure then you can sign up for services such as hotspot-vpn which allows you to VPN into their servers. Many other companies offer services for a relatively cheap price.

If a VPN service is not an option then you must ensure security at the application level. This means making sure each application does what it needs to in a secure manner. For example, make sure you access sensitive sites using https:// if available. If you don’t know what https:// is then stop, do not pass go and do not collect $200. It’s best if you don’t do anything of consequence over an unsecured connection. However, if you do then you can feel much more confident that your transactions with that site will be secure. Secure your IM conversations as described in another blog post of mine. For e-mail etc., most providers offer secure connections through the Web; the same cannot be said for your client on the desktop. I advise many people to simply use the web based mail when on the go if they are unsure.

This has been a fairly rapid rundown of some of the issues and ways to counter them and is by no means the end-all-be-all of solutions. However, this does make you aware of potential issues and gives you steps to be ahead of most of the population.

How to secure your IM conversations

I was asked the other day if there was a way to truly secure IM conversations between two people. The answer is a most definitely resounding YES. This can be done using Open Source and free software on every major operating system (Windows, Mac OSX, Linux) and every major IM network (Yahoo, MSN, AIM etc.). Now people may ask “Why encrypt if you have nothing to hide?”. Why is it a felony for postal workers to open mail, since it’s all innocent, right? Why are you worried? It’s called privacy. For no other reason than I don’t want Microsoft indexing my chat conversation and trying to sell me sneakers on a sidebar because I typed the word “Shoes”. It’s nobody’s business except mine, end of story.

Let’s go over a couple of things first. When you IM a person it does not go directly from you to them. It goes from you to a server run by the IM provider, and is then relayed to your friend. There are multiple security issues here. First, the obvious fact that by default nothing is encrypted anywhere between the three systems in use. Second, your IM conversation is stored temporarily or PERMANENTLY on the IM provider’s server. While Google offers you the option to save your chat transcripts or go “off-the-record” (don’t confuse this with the OTR application I mention later), I choose not to trust any IM provider.

Now, you might be thinking “Yahoo chat offers me encryption so why not use their built in functionality?”. Well, if you don’t want random people on the internet sniffing your traffic this may be good enough for you. However, if you want to make sure NOBODY (including the chat providers) can see your IM conversation then you need to use a technology/program that uses their network but is not controlled by them, therefore giving you freedom and a much higher level of security.

The programs I recommend are as follows.

Mac OSX – Adium
Windows and Linux – Pidgin

These two programs are Multi-Chat clients: you can use this one program to chat on many networks at the same time and even have multiple accounts on the same network all connected at the same time. This may not seem valuable, but if you have a personal account, a school account and then a business account, it becomes invaluable.

Pidgin is actually the basis for Adium, as both use the same core libraries but Adium is simply prettied up for Mac. The security feature at the core of this is called OTR – Off The Record. From the OTR website:

“Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption
No one else can read your instant messages.
Authentication
You are assured the correspondent is who you think it is.
Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.”

So let’s go over what OTR offers you: authentication, super strong encryption (256-bit AES) and a way to authenticate people. Now, the encryption basically works in the background; you don’t have to select anything, it uses the best by default. For this to work, both people must be using OTR-compliant programs. So, you can have a person using Adium and another using Pidgin on two different operating systems. It does not matter at all. So let’s say Tim and Bob are trying this out.

Tim starts a conversation with Bob and they both see a popup asking if they want to secure the session. Both of their chat clients realized they were talking to another OTR capable application. Then Tim’s application asks a weird question, it asks “Are you sure this is Bob?”. This is called authentication. The first time you create a secure session with a user, you both exchange credentials. What Tim is being asked is if it’s valid. This will make more sense in a moment. So the application tells Tim, “I know you want a secure connection with this guy but you never had one before”. Tim says, “I know Joe and this is him.” Joe does the same thing. From now on, it will not ask you to verify each other because the credentials being passed at the beginning will always be the same.

What happens if Joe is on a new computer and wants a secure connection with Tim? Joe tries to chat with Tim and Tim receives a message saying “Ummmm, Joe wants a secure chat, but Joe is showing us different credentials. What to do?” Tim either tells the system yes, this is Joe, or no, it’s an impostor.
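The prompts described above follow a pattern usually called trust on first use. The sketch below is an added example, not code from Pidgin, Adium or OTR: the class, the stand-in fingerprint (a truncated SHA-256 of the key bytes) and the key values are all constructed for illustration.

```python
import hashlib


class FingerprintStore:
    """Remembers which key fingerprints the user has confirmed per buddy."""

    def __init__(self):
        self.trusted = {}  # buddy name -> set of confirmed fingerprints

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        # Stand-in fingerprint for this sketch; OTR defines its own format.
        return hashlib.sha256(public_key).hexdigest()[:40]

    def check(self, buddy: str, public_key: bytes) -> str:
        known = self.trusted.get(buddy)
        if known is None:
            return "first-contact"   # never verified: ask the user
        if self.fingerprint(public_key) in known:
            return "verified"        # same credentials as before: no prompt
        return "changed"             # different credentials: ask again

    def confirm(self, buddy: str, public_key: bytes) -> None:
        """Call only after the user has checked the fingerprint out of band."""
        self.trusted.setdefault(buddy, set()).add(self.fingerprint(public_key))


def demo():
    # Constructed key bytes standing in for real public keys.
    joe_home, joe_laptop, stranger = b"joe-key-home", b"joe-key-laptop", b"not-joe"
    tim = FingerprintStore()
    states = [tim.check("joe", joe_home)]        # first secure chat
    tim.confirm("joe", joe_home)                 # Tim: "yes, this is Joe"
    states.append(tim.check("joe", joe_home))    # later chats: silent
    states.append(tim.check("joe", joe_laptop))  # Joe on a new computer
    tim.confirm("joe", joe_laptop)               # Tim confirmed by phone
    states.append(tim.check("joe", joe_laptop))
    states.append(tim.check("joe", stranger))    # impostor: Tim does not confirm
    return states


if __name__ == "__main__":
    print(demo())
```

The security of the scheme rests on the confirm step: answering yes to a "changed" prompt without checking through another channel trusts whoever is presenting the new key.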

This can get MUCH more detailed but we want this for general use, so non-techies can have a secure chat. When this is set up then every chat between you two will be encrypted. Just make sure your preferences are set to try and always initiate a secure chat between clients that are capable. Also, ensure the secure icon is showing a locked or secured state. This is a visual indicator that everything is okay.

Note: Pidgin users must install OTR separately.

I hope this helps, feedback is welcome as always.

OS X and Apple immune to viruses and malware! Not quite…

Doesn’t need anti-virus software?  This is a lie.

This is just flat out false.  Every operating system is susceptible to viruses, Mac OSX simply does not have enough of the market share for virus writers to bother targeting it.  While its UNIX underpinnings do make it more secure than Windows per se, even if you are using UNIX, if it is not implemented correctly and if users are unaware of security related messages from the operating system, then it will fail and be infected just like Windows.

This is a real issue because there is a lack of quality anti-virus software for the Mac. There seem to be no Open Source or free alternatives as there are for Windows (AVG-Free being my favorite) and even the commercial ones such as Symantec AntiVirus have received not so stellar reviews. This has the potential to be a REAL problem as Apple’s computers grow in popularity and market share.

As Macs move into the hands of more of the population you will see a proliferation of viruses, malware and general “I thought this stuff only existed on Windows” type of harmful applications. The question is whether Apple, the community and software firms will head off the storm before it starts.

While researching the topic I found a comment that is right on the spot.

Don’t fool yourself. ALL operating systems can be compromised and need extra security.

Mac OSX is not immune to viruses, trojans, and spyware.

And as the popularity of Mac OSX increases, the number of malware writers focusing on things to exploit on that operating system will increase as well. Many claimed Firefox to be the more secure browser that couldn’t be exploited, but as more used that browser, more malware writers went out of their way to exploit it…and it was compromised…many more times than once.

Apple has already proven they can’t write software that can’t be exploited.

Remember the release of Safari for Windows was compromised in less than 24 hours. It was a flaw in their software and not Windows that was the problem. Not to mention the security issues that have plagued iTunes and Quicktime.

It is not if, but when a major virus or trojan infects Macs on a grand scale. As more apps go online as Web based applications you better believe some websites will host applications pretending to do one thing, but actually doing another much more sinister process in the background as you play a game, use a website, or simply sit “waiting for it to load”.

If you have any stories of Mac security problems please post them in the comments!