Wednesday 18 August 2010

The WiFi, it works!


How busy is life? Babies, work, pets and the occasional bit of social life seem to be keeping me occupied, and the blog slips from my mind. I am back however! If any readers have specific questions you would like me to talk about please feel free to leave a comment or drop me a line on Twitter.

Anyway, on with the blog...

Inspired by: Me! Having configured many home routers for others I thought I'd share some of the pitfalls of the free WiFi router your ISP supplies in order to gain your custom.


WiFi. The box arrives from your ISP, you plug in your new router, follow the instructions to put in your account details for your Internet connection,turn on your PC and you have WiFi. Your PC connects automatically, your phone connects, your laptop, games console, fridge, freezer, etc, etc. It works, out of the box, excellent! Wrong, it is not excellent, if all your devices connect automatically then what about next doors laptop?

I have helped set up (and fix when not involved in the set up ;) ) enough home routers to know how many of them work. Infact, alot are exactly the same underneath, especially the free ones supplied by the ISP. So, can you secure these devices? Yes, you can certainly make your home WiFi more secure. First thing first though, get a pen and some paper. If you are going to change anything always write it down, and only change one thing at a time. This will help with fault finding should anything go wrong.

Administrative account
The first step is always to change the default administrative account's password on the router. There are usually written instructions on how to login into the router (I would recommend using a wired connection to begin with) using the default password.
It is trivially easy to find a default password for a router. Try yourself, Google for "default password for {insert make and model of router}". Scary huh? As I described in this post, good passphrases are easy to make and remember. Choose a strong one for the admin account.

Remote assistance
Does the router support remote assistance? Probably yes. Search through every menu, make sure this is turned off. Why would you want anyone, at any time, attempting to log into your router? 
If it is required you can turn it on as and when it is needed. If you do turn this on for someone to gain access, set a strong passphrase, and remember to disable it once it is no longer required. Remote assistance can be the foothold the bad guys need.

SSID Broadcast
An SSID is basically the name of your wireless network. If this is set to broadcast, your router is basically shouting from the rooftops "If you want to join my network talk to me". Do you want anyone to join your wireless network? Didn't think so. Write down the SSID so you can manually configure devices with it and turn off broadcasting.

Note: If you can, configure the router with a different SSID than the one that is pre-configured.

Encryption
If your wireless network does not enforce encryption all the data you send can easily be read by a third party. This includes passwords to non-encrypted sites, such as Facebook. Even for encrypted web sites, encrypting the wireless network adds another layer of security to your data transfer.
Modern WiFi routers support WPA or WPA2, which is more than adequate for a home network. WEP may be supported, however this is considered weak encryption now and there are tools freely available which can break WEP based encryption.
WPA/WPA2 can encrypt using a pre-shared key, which is perfect for home users. Create a long password/phrase, and keep it in a safe place. I personally keep all my WiFi details in an encrypted file away from my computer ;)

Before turning on the encryption, ensure any device you want on the network supports WPA/WPA2. Most modern devices should, but there is no harm in checking.

DHCP
Dynamic Host Configuration Protocol (DHCP) is a way of automatically configuring devices with the correct address information to "talk" on the network. This is an excellent protocol, making the chore of connecting new devices to the network seamless (usually). However, it could also make life easier for a bad guy to connect to your network. If you are extra paranoid (as I am), then turn off DHCP on the router and manually configure each device you want on the network. Here is a guide to configuring static addresses on some of the most common devices...


Firewall
If your router has a firewall inbuilt, turn it on. It may not be the greatest in the world, but it is another layer of defense none the less. The firewalls that come preinstalled on these types of routers generally have three settings, deny all, allow all, and allow outbound but deny inbound. I recommend "allow outbound but deny inbound" as a general rule. This will stop connections from the Internet coming in, but not you browsing the web, emails etc.
If you require connections to come in from the Internet (for remote access) I recommend researching the router in order to just allow the type of connections you require.

The above is only a brief overview of the settings you can encounter in the typical home router, and they can vary from model to model. Before changing anything, have a look through the settings, make sure you know what they do before you change them.

As always, comments and/or questions are more than welcome.


Thursday 22 July 2010

Passwords, passwords, passwords.....

Inspired by the comment: "Why do I need a password when I'm the only one who uses the computer?"


I'm assuming if you are reading this then you have used one recently (hopefully!), but what's the point? Simply, passwords are the fortress protecting a wealth of YOUR data, your shopping list, your Amazon wishlist, your favourite sites, your Facebook information, all the information on your computer, even your credit card information.
Online retailers can implement the up-to-date security systems, the highest grade encryption, and an entire security team to protect the information on their servers (which includes your information), but what's the point if a bad guy can walk in the front door? A poor password is like building a wooden door complete with Yale lock onto the back of the Tower of London, all the protection can be bypassed.


So why do people choose short, dictionary based passwords? Simple, they are easier to remember. "password" is easier for a human to memorise than "&htR1!9I_1h", even though they are the same amount of characters. The problem is bad guys know this, and use it to their advantage.


So what can you do? Many people in the I.T. security field advocate "passphrases" (myself included!), that is using a phrase for the password. Thinking in the manner, you can create a long, strong passphrase which is easy to remember. "I hate dirty nappies" is exponentially stronger than "password", this can be proven on http://www.hammerofgod.com/passwordcheck.aspx. This website calculates how long it would take to crack (guess) a particular password. Using a computer which is capable of guessing a password 1 billion times a second, "password" would be cracked in 129 seconds, whilst "I hate dirty nappies" would take 52,530,122,724,423,900,000,000 years. That's a long time. Have a play with the site, but please do not use your real passwords, as the site says, there's no reason to risk it.
Another option is a password manager. These are pieces of software which securely store all your passwords on your computer. You set a master password in the program which will allow you access to all your other passwords. The better password managers can create complex passwords for you and auto fill them into websites, meaning you never have to remember them! But please use a passphrase as the master password for the software, you wouldn't want to undo all the good work would you?


In my line of work, we see weak passwords everywhere, and you don't need to be some super mystical ninja hacker to start guessing passwords. You can have a strong password and it be easy to remember, so start changing your passwords now.


Any questions are, as always, more than welcome.







Saturday 19 June 2010

A little peace of mind for free......

Inspired by the link: https://www.eff.org/https-everywhere


I have just installed the HTTPS everywhere Firefox plugin (linked above), and I have to say, what an awesome idea. It has never really sat well with me that certain web sites (Facebook, twitter etc) default to a non-encrypted (http) page, which means any data you enter into these sites is transmitted over the Internet in clear text (readable).


There is a downside, in the form of third party domains without support for https (encryption). For example, advertisements. Adverts tend to come from other web sites to the one you are looking at, which brings its own problems and annoyances (i'll cover this at a later date). However, this shouldn't detract from the value of this plugin. I've installed it and, barring any compatibility problems in the future, it will be staying.


So, if you are strict on your Facebook privacy settings, don't want anyone knowing your Google searches (apart from Google.....) or are wanting to add that little bit more peace of mind, install Firefox (if you aren't already using it) and use HTTPS everywhere. As the Beatles once sang "I'd give you everything for a little peace of mind". Everything may be a little too much in this case, but a little peace of mind for free has to be a good thing.



Tuesday 1 June 2010

Oooh, Bob sent me a link.......

Inspired by the link: http://www.sophos.com/blogs/gc/g/2010/05/31/viral-clickjacking-like-worm-hits-facebook-users/

"Don't click links you don't trust". This has been the mantra of I.T. security professionals since time began (was there a time before emails?). But what if the link comes from (or at least appears to come from) a friend? Unfortunately there is no easy answer.

Bad guys know how you think, and know the ways to entice you into clicking a link. But if a friend has recommended it, then it must be OK?........
Not all the time. The bad guys know how to spoof emails, know how to use "hacked" social networking accounts and send the malicious link to the entire friends list, and many other tricks to get the highest possible hit rate on these malicious links. So what can you do? A few simple steps can dramatically reduce the risk.....

1. Keep your Operating System (OS) up-to-date with the latest security patches. - Most modern day OS' allow configuration of automatic updates, which will require minimal user interaction. Windows users (most people who are reading this I assume use Windows), can browse to http://windowsupdate.microsoft.com/ for assistance setting up automatic updates.

2. Keep your web browser up-to-date. - Newer versions of your favourite web browsers have been developed with more security in mind.

3. Keep your antivirus up-to-date. - With new malware seemingly being discovered every other minute it is imperitive to keep antivirus products up-to-date with the latest definitions etc. Most will ask you to configure automatic updating when you install it, DO NOT SKIP THIS STEP!!! Please :D

4. Check a links destination before clicking. - It is trivially easy to "hide" a links true destination. If you hover your mouse cursor over the link, WITHOUT CLICKING, the real destination can be observed. (In the bottom left hand corner of your web browser is the usual place).

5. Use your instinct. - If it doesn't feel right, don't click it. Taking a few minutes to email or message the person asking if they have really sent the message could save you hours (or even days/months!) of work attempting to rectify any damage. Use yourself as the first line of defence, computers will always have security holes, being aware of this can save you.

Comments and questions are always more than welcome.

On a side note, it seems my son knows the perfect way to keep safe online....














Eat the device connected to the Internet! Such a wise head on those young shoulders :)

Friday 28 May 2010

The salesman said I need antivirus....

Inspired by the comment: "I bought {insert antivirus product} because the computer salesman said I needed it."

Anyone who has bought a computer in the last decade will have heard of antivirus, usually from the salesman when he was selling you it along with your nice, shiny, "state of the art" computer. But what is this? How does it do it? Is it the "silver bullet" for all your personal I.T security?

What is it?
The antivirus products you see in computer retailers may sell themselves as "Complete Internet Security", and they tend to include much more than an antivirus product. I won't cover these other inclusions in this post, but may at a later date.

Wikipedia describes antivirus as:
"Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware."


Which is all well and good, sounds important right?


Yes, it is important.


But before we go further we need to define malware. Malware is any software installed on your computer (intentionally or not) which has been created for malicious activities. These malicious activities can range from stealing bank account passwords to forcing your machine to actually attack others across the Internet. Scary stuff?


So simply put, antivirus looks for and attempts to remove malware on your computer.


How does it do it?
Antivirus tend to use two methods of malware detection. Signature based detection and behaviour based detection.

Antivirus companies attempt to collect malware from the Internet (also known as "in the wild"). When a sample of the malware has been collected a "signature file" is created, which is unique to that version of the malware. When the antivirus updates itself it is adding new signatures to its own dictionary for future use. This signature file is then used when the antivirus scans files, whether that is during a scan or when a file is created, emailed, downloaded etc (these functions vary by antivirus product), and an alert is created if a match is found. This is signature based detection.
The downside to signature based detection is that if an antivirus company hasn't found or received a sample of the malware it cannot detect it. This is where behaviour based detection comes into play. The antivirus product monitors the activities of all the software running on your machine, not looking for a specific signature, but for suspicious behaviour.If suspicious behaviour is discovered an alert should be produced telling you what has been discovered.


Is it the "silver bullet" for all your personal I.T. security?
In a word..... no.
The antivirus companies do attempt to have the latest signature files, behavioural detection and other seemingly unexplainable features within their product. Well, they don't want you sending your money elsewhere do they? ;) But try as they might no one product can guarantee 100% protection, no matter what the salesman says. Antivirus should be used as a last line of defence. Safe browsing/email procedures should be followed. I'll talk about these in later posts.


Any comments or questions are more than welcome. Either comment here or catch me on twitter @miketmclaughlin.




Introduction

According to www.internetworldstats.com 1,802,330,457 people are connected to the Internet. Whether you know it or not, via your phone line/cable/mobile phone network you are connected to all of these people (in a roundabout way). Amazing isn't it? Well I think so, but have you ever thought where your email to Aunty Edith actually goes? What your "Complete Internet Security" software actually does? What your web browser does when you surf the web? Most people would answer "no" to these questions, and rightly so, the Internet is a complex place.

Working within corporate environments on a day to day basis I get to see the lengths businesses go to to protect their data. Some of these systems are highly complicated, and have huge teams of experienced people dedicated to maintaining and updating them. Generally home users only have a few computers (yes this does include laptops, 3G enabled phones, games consoles and anything else which connects to the Internet!) to look after, but protecting personal data can be a daunting task. Luckily my friends and family can harrass, erm, I mean ask, me computer security related questions. But what do you do? With some basic information you can understand what the threats are, how the bad guys operate and most importantly, what you can do to help protect yourself.

I get asked the same questions over and over, and while I am (mostly) happy to answer these questions, if the answers are in one place it will make my life easier ;) Hopefully they can help others as well.