Archive for the 'Series' Category

The Internet… #5 - Connecting to strange networks

In the busyness of the Fall I nearly completely dropped the ball on this blog series. This series was born out of a conversation I was having in my office over the top ten things not to do on the Internet. Most problems that I see on computer systems from friends and family come from “self-inflicted wounds.” In other words, the user causes the problem by not being careful. However, to be fair to my friends and family, most people just don’t know what not to do… thus the series.

I was reminded of this warning while eating the other day in a popular Memphis lunch spot. As I ate, I was amazed at the number of business men and women who were coming into the restaurant with their laptops to use the available wireless network. There were at least 20 wireless workers typing away on their laptops, performing business, checking email, all the usual. One friend of mine, a hedge fund manager, was conducting several important trades on his laptop while having a sandwich. I asked him if he ever worried about the security of performing such work on an insecure network. As expected, I got a deer in the headlights look.

In an earlier post I explained how today’s wireless networks perform like a wireless hub and not a network switch. This means that every computer connected to a wireless network can see the traffic of every other computer on that network. It did not take long for me to scare my friend thoroughly by opening my laptop, opening Ethereal to sniff the network, and isolating his traffic. I could see all of the emails that he was sending and, had I wanted to, could even have captured a few of his unencrypted passwords. Yes, there was some shock value in showing him this, but my message was clear. Just as my mother told me not to talk to strangers - don’t talk to strange networks. You never know who may be listening.

Now all of this may sound a little paranoid, and it probably is; however, if I were a smart thief and wanted to pick up a few passwords of wealthy men and women in Memphis, I know what I would do.

So how do you protect yourself? There are several ways. One, you can limit your browsing on these networks to just simple web browsing. Don’t open your email client or other programs that transmit your password. If you need to check your email, use a web-based client as long as it uses an SSL encrypted connection. All SSL protected pages will show a padlock somewhere in the browser window. This encryption means that all of the traffic you exchange with that page is protected, and even if it is intercepted it can’t be read.

The second way to protect yourself is to encrypt ALL of the traffic that you are sending out of your wireless network card. In other words, don’t just encrypt what is on protected pages, but encrypt each and every packet coming and going from your system. I really like this solution because it allows me to work as normal with no fear of what may be intercepted. There are two services that I like for accomplishing this task, Hot Spot VPN and Public VPN. These services encrypt every packet of information coming and going from your computer, making it virtually impossible to read any sniffed traffic.

It only takes a few minutes to set up an account with either of these services and the security that they offer is fantastic. So the next time you are working at a coffee shop with your laptop you can enjoy it just a little more knowing that you are secure.


The Internet… #4

One of the greatest assets of our new house is my office. Not since high school have I had 200 square feet that was solely mine. My office is on the end of the house and backs up to several homes on a busy street behind us. From my office I can “see” six wireless networks including my own. All of these wireless networks belong to my neighbors.

A few of them have innocuous SSIDs such as “Linksys” but many of them identify the house from which they originate, usually with a last name. Of the six networks that are available, only two have any type of encryption on them, and one of those is my own. I have offered my neighbors my tech services to help them lock those up but to date have not been taken up on my offer. I have heard a few of them say that they like the idea of being altruistic and sharing their bandwidth; however, I wish I could thoroughly explain to them the danger of leaving your wireless network unencrypted.

It is truly dangerous not to secure your wireless hub. I have vowed not to allow this blog to become too technical but there are a few things that I need to discuss to explain this. Wireless hubs work like a network hub and not a switch, meaning that all of the traffic from your computer is broadcast to every other computer on that network. This is normally not a problem on wired hub driven networks in that you can usually trust everyone on your network. However, on a wireless network, without encryption, you are trusting anyone who decides to log on to your network. Techniques such as ARP spoofing allow hackers to easily play the man in the middle between you and anyone you are contacting on the Internet. This would allow anyone to read any of your email and watch your traffic.
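One symptom of the ARP spoofing mentioned above is that the router's IP address and some other machine's IP address resolve to the same hardware (MAC) address. The following Python script is an added example, not part of the original post; it checks a constructed sample of Linux `arp -an` output for that pattern, and every address in it is made up.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -an` output (Linux format); addresses are made up.
SAMPLE_ARP_TABLE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.23) at a4:5e:60:c1:9b:02 [ether] on wlan0
? (192.168.1.42) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.57) at <incomplete> on wlan0
"""

ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry; unresolved ones are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def shared_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_suspect(table, gateway_ip):
    """True when the gateway's MAC is also claimed by another address."""
    mac = table.get(gateway_ip)
    return mac is not None and mac in shared_macs(table)

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in shared_macs(table).items():
        print(f"{mac} answers for {', '.join(ips)}")
    print("gateway suspect:", gateway_is_suspect(table, "192.168.1.1"))
```

This is a heuristic: a device that legitimately holds several IP addresses will also show up, so a hit is a reason to look closer rather than proof of tampering.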

So how does one protect themselves from such attacks? It is really simple but sounds complicated. The setup screens differ from one wireless router to the next, but they will all have some or all of the following wireless security options.

  • WEP
  • WPA Personal
  • WPA2 Personal
  • WPA Enterprise
  • WPA2 Enterprise

Do not use WEP encryption. It uses a very secure form of encryption called RC4; however, it was implemented poorly and is easily hacked. There are no fewer than 1000 pages on the Internet explaining how to hack WEP encryption. It can be done in less than 30 minutes if you know what you are doing. WPA encryption on the other hand is virtually uncrackable depending on the length and randomness of your password. I do not see much benefit between WPA and WPA2, and most newer wireless routers will do both at the same time upon detecting what kind of wireless card is trying to log on. If your wireless router does not offer both simultaneously I suggest using just WPA, as you never know if the wireless card trying to log on will support WPA2.

The difference between personal and enterprise has to do with the method used for authentication. WPA Enterprise can authenticate against databases, whereas the personal version simply uses a key (password). For home use I truly believe that WPA Personal is more than adequate and is much easier to set up. All that is required is a key that is shared between the wireless router and the client, which is your computer with a wireless card.

I mentioned a moment ago length and randomness. It is very important that your key or password for WPA encryption be long and random. Using your pet’s name fluffy will not do the trick, as anyone with a password dictionary will come up with that one pretty quick. I recommend using a very long and random key. I use a key generator to come up with my keys. It is a hassle when someone comes over to use my network but worth the trouble for the security. When someone comes over I do one of two things. I either temporarily turn off the network security while they are here, or I copy and paste the password key from a USB flash drive.
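A key generator of the kind described above, written here as an added Python example (it is not the tool the author used). It also estimates how many bits of guessing work a random key represents compared with a dictionary word, and derives the 256-bit key that WPA/WPA2 Personal computes from the passphrase and the SSID; the SSID `HomeNetwork` and the ten-million-entry wordlist size are made-up assumptions.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2 Personal accepts an 8-63 character printable-ASCII passphrase.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type

def generate_passphrase(length=24, alphabet=ALPHABET):
    """Pick each character independently from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a passphrase whose characters were chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def dictionary_entropy_bits(wordlist_size):
    """Upper bound for a passphrase that appears in a wordlist of this size."""
    return math.log2(wordlist_size)

def derive_pmk(passphrase, ssid):
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

if __name__ == "__main__":
    key = generate_passphrase()
    print(key, f"{random_entropy_bits(len(key)):.0f} bits")
    # A pet's name taken from a (hypothetical) ten-million-entry wordlist:
    print(f"dictionary word: at most {dictionary_entropy_bits(10_000_000):.0f} bits")
    print(derive_pmk(key, "HomeNetwork").hex())  # SSID is a made-up example
```

Because the derived key depends only on the passphrase and the SSID, the passphrase's randomness is the whole strength of the network: a 24-character random key carries about 143 bits, a wordlist entry fewer than 24.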

So this is the quick and dirty on setting up a safe wireless network. It really is not that big a deal, just important to follow a few basics. Maybe I will get my neighbors to add a little security to their networks sometime soon.

The Internet… #3

In one of my previous postings I mentioned the importance of having a physical firewall between your computer(s) and the modem provided by your cable or phone provider. In addition to this front-line protection, I also believe that it is important to have a software firewall on your system. I have made this recommendation to several people in the past and they have asked why they need two. The answer is fairly simple: if one is good, then two is even better.

The hardware router or firewall that sits at your modem is good but a software firewall can be more specific and targeted in what it blocks and looks for. Many of them are also updated by the manufacturer with patches that protect against the latest threats. But, the greatest asset to having a software firewall on your personal computer is the outbound protection that it provides. Hardware firewalls only block or protect your network from incoming traffic. By design, they allow all traffic to flow out. This means that if your computer has been taken over by a virus or by malware then any traffic generated by that critter will be allowed out. Software firewalls prevent this and alert the user to any suspicious outgoing traffic. This could prevent your system from becoming a zombie bot on the Internet and sending thousands of spam messages for some teenager in Montana.

The annoying thing about software firewalls is that they do alert you to all kinds of things that your computer is doing. The alerts will pop up from time to time making sure that you mean for certain traffic to leave your computer. The temptation is to not read them carefully and to always approve them, but by doing this you would be defeating the purpose of having the software in the first place. Always make sure to read them carefully and if you are not sure about allowing the traffic, just say no.

So which software firewall should I use? First, turn on the one that comes with your computer. If you are using Windows XP service pack 2 then there is one built into Windows. If you are on Windows XP and have not upgraded to SP2 then Lord help you (read this post). Windows 2000 and Windows 98 users are out of luck as far as a built-in firewall is concerned. To activate the firewall, go to the Control Panel / Security, and make sure that it is turned on. Like hardware firewalls, it only blocks incoming traffic but again, with security, more is better. Apple also has a built-in firewall in OS X; turn it on. As for 3rd party firewalls, I used to like Zone Alarm; however, recent versions have become quite bloated and heavy. It takes up a lot of system resources and is just a little too much these days. Today, I really like Kerio, which was recently acquired by Sunbelt Software. The purchase price is only $19.95 and is worth every penny. Kerio is well written and will suffice for all your firewall needs.

If you look at the last three postings about the Internet you will start to see a pattern; defend yourself! There is a lot of code out on the Internet just waiting to attack your computer - make sure you do all you can to stop it.

The Internet… #2

As DSL and Cable Internet connections have become more prolific so have active attacks on computers that just sit on the Internet.  This is a little known fact, but just simply plugging your computer directly into your new cable or DSL modem is asking for trouble.

Sitting on the Internet this very minute are tens of thousands of computers infected by worms that are actively searching the Internet for unprotected machines to infect. It is not unusual for an unpatched Windows machine placed directly on the Internet to become infected with some form of the Sasser virus within just a few minutes.

The way to protect yourself against these attacks is to place a layer of defense between you and the whole of the Internet. I highly recommend to my friends and family that they invest the money in a NAT router. These are sometimes called firewalls and the terms are more or less synonymous. This hardware can be bought at most any office supply store for less than $100. I hesitate to recommend a brand but suffice it to say as long as the word router or firewall is on the box you are “good to go.” If you spend just a little extra money these routers can also be a wireless access point for your home.

This layer of protection between you and the Internet will block 99% of active attacks against your computer from the background radiation that exists on the net today. Now all you have to do is not actively go looking for trouble, which we will discuss in later entries.

The Internet… #1

Every time that I sit down at a friend’s machine the first thing I do is see how many security patches need to be installed. It is always baffling, but it is not unusual for me to sit down at a machine that has not been patched in as many as 6 months. Let me fill you in on a secret: Microsoft and Apple spend many hours writing and releasing these patches for you. Take advantage of them; they will save your skin. Because I can’t get any of my family to move over to the Mac I will concentrate on Windows.

  1. The first thing to do is go to Start / Control Panel / Security Center / Automatic Updates. Make sure that the button next to Automatic is filled and hit OK. This will automatically download all of the important updates from Microsoft so that you don’t have to think about it, but…
  2. In true Microsoft form automatic does not really mean automatic. Every now and then you will see a small yellow shield appear in the task bar (the row of icons in the bottom right corner of the screen). If you click on this yellow shield it will ask you if you want to install the updates. Select the express option and hit OK. It will install all of the updates for you and probably ask you to reboot the computer. It is probably a good idea to make sure you are ready to reboot, i.e. not busy, because Windows will bug you to death wanting you to reboot.

For those of you that are feeling really brave this process may be performed manually by going to update.microsoft.com. You will have to use Internet Explorer for this as it requires some scripts that can only be run in IE, sorry Firefox users (we will talk about Firefox a little later). You can also get to this from the menu bar at the top of Internet Explorer. Go to Tools / Windows Update. This will take you to the same place.
To use Windows Update you will have to have a fully licensed version of Windows XP, 2000, or Lord forbid Windows 98. You may be asked to validate your license so just say OK as you get to these pages. If when you run Windows Update you see a ton of patches that need to be installed, make sure you run it again after the reboot, as some patches require previous patches to be installed first before they can download. Get busy updating - it will save you hours of headaches. You can sleep safely at night knowing that your Windows machine is totally safe from the evil side of the Internet.

The Internet, what not to do…

I have for some time been the “tech guy” of the family. Now, if you are the tech guy you will understand why I wrote this. Whenever I get a phone call from someone in the family about a computer, I can almost always attribute the problem to something the user did. Now before my family get their hackles up from reading this, let me say that malicious coders on the Internet count on users not knowing what is dangerous. Thus, I have decided to start blogging so that I can steer my friends and family away from some of the pitfalls of the Internet. Over the next few weeks I am going to be posting what I am calling the top 10 things NOT to do on the Internet. Please pass this along to all your friends. These are all the things that I have learned in the last 15 years of computing and managing an office of non-tech users. Thanks for reading and I hope this is helpful.