WiFi & Security Tips

Hi all,

I created this page to store a repository of security and privacy techniques, apps and technologies.  If you have good applications and/or practices please share with me and I will update this page with your input. (Securing WiFi Router at bottom of page)

Clean, up to date system

First, make sure your system is completely up to date, as a single out-of-date application (e.g. a PDF reader) can compromise your system.

Second, continually scan your system using your choice of anti-virus/anti-malware applications.  In my Windows VMs, I use MS Security Essentials and Spybot Search and Destroy.

Also, beware and remain vigilant: while we can ensure the integrity of our systems, we cannot guarantee the integrity of our closest friends and family, as their systems can get hacked and their compromised systems can send us email.

 

Advice On Building A Better Password (from Information Week)

Our first line of defense is strong, unique passwords (i.e. strong passwords for each site).

Marc Boroditsky, president and CEO of New York-based PassLogix, was talking with me recently about passwords and the trouble that weak ones can cause on a network or a personal computer. If you use a password that’s easy to figure out (CFOs need to stop thinking they’re clever using ‘moneyman’), hackers will blow right by the weak defense. And if you use the same password for everything from your corporate login to your online dating site to your bank account, one solved password gives a hacker access to every online aspect of your life.

OK… I know most of us know this, but it hasn’t stopped us from using one lame password after another — or using the same lame password over and over, year after year. It’s simply a hassle to come up with strong passwords (a mix of letters, numbers, and even upper and lower case). And it’s no picnic to have to remember them all, especially since Boroditsky told me that one-third of all users have 15 or more passwords. And the average user has 10 passwords just for their job.

Boroditsky gave me some good advice — the structure he uses for his own passwords.

First come up with two to three letters for the name of the application, followed by a two to three letter acronym, followed by two to three numbers, which could be the year, a special date, or a special number.

It sounded a little confusing to me at first, but it’s really pretty simple.

Boroditsky explained that he’s a baseball fan so his acronym would be based on “go Yankees,” so that it would be “gy.” And say a special anniversary is Sept. 13, so his numbers would be “913.” That means his password for an SAP application would be sapgy913. If it’s a password for a Wells Fargo bank account, the password would be wfgy913.

Only the letters for the name of the application change. He noted that he might keep the acronym and date the same for three months, six months … it just depends on what he’s comfortable with.

This kind of password doesn’t include any names, nicknames, or anything else easy for hackers to guess.

“There’s no way you’re going to guess that randomly,” said Boroditsky. “It’s personalized. And it’s a little bit of a system to get back to the password when I need it.”

Social Networking

US Federal Government Guidelines

Advice from Microsoft

Advice from National CyberSecurity Alliance

Now should something go awry,

 

Aggravated Harassment & Social Computing

240.30 Aggravated harassment in the second degree (from: http://public.leginfo.state.ny.us/LAWSSEAF.cgi?QUERYTYPE=LAWS+&QUERYDATA=@SLPEN0P3TNA240+&LIST=LAW+&BROWSER=EXPLORER+&TOKEN=36544786+&TARGET=VIEW), relayed to me by HVCC Public Safety Director Fred Aliberti:

A person is guilty of aggravated harassment in the second degree when,
with  intent  to  harass, annoy, threaten or alarm another person, he or
she:
1. Either

(a) communicates with a person, anonymously or otherwise, by
telephone, by telegraph, or by mail, or by  transmitting  or  delivering
any  other  form  of  written communication, in a manner likely to cause
annoyance or alarm; or

(b) causes a communication to be initiated by mechanical or electronic
means  or  otherwise  with  a  person,  anonymously  or  otherwise,   by
telephone,  by  telegraph,  or by mail, or by transmitting or delivering
any other form of written communication, in a  manner  likely  to  cause
annoyance or alarm; or

2.  Makes a telephone call, whether or not a conversation ensues, with
no purpose of legitimate communication; or

3. Strikes, shoves, kicks, or otherwise  subjects  another  person  to
physical  contact,  or attempts or threatens to do the same because of a
belief or perception  regarding  such  person’s  race,  color,  national
origin,  ancestry, gender, religion, religious practice, age, disability
or sexual orientation, regardless of whether the belief or perception is
correct; or

4. Strikes, shoves, kicks or  otherwise  subjects  another  person  to
physical  contact thereby causing physical injury to such person or to a
family or household member of such person as defined in  section  530.11
of the criminal procedure law.

5.  Commits  the  crime  of  harassment  in  the  first degree and has
previously been convicted of the crime of harassment in the first degree
as defined by section 240.25 of this article within  the  preceding  ten
years.

6.  For  the  purposes  of  subdivision  one of this section, “form of
written communication” shall include, but not be limited to, a recording
as defined in subdivision six of section 275.00 of this part.

Aggravated harassment in the second degree is a class A misdemeanor.

Firewalls

We have covered firewalls (and their evolutionary generation functionality) so here’s how they should be configured.

Windows 7 Firewall

Windows 8 Firewall

Mac OSX Firewall

Ubuntu Firewall

Encryption

In a nutshell – encrypt everything that can be sensitive.  My recommendation is that you do this at the OS level, and Mac’s FileVault 2 is as good as it gets.

Mac OSX Filevault

Windows EFS

Should you wish to perform your encryption piecemeal – “How to Encrypt Anything” by PC World’s Alex Castle:

 

Safe Browsing

We need to continually and consciously be aware of our actions online, and this includes Web-based email.  Make sure you see https in your browser’s location bar for any important transactions (see Ethics and Firesheep discussion). Do not click on unknown links, do not share information if you are uncomfortable, and again, question everything.  Google Chrome has anonymous browsing. You can also use Onion Routing (TOR), but a CIS student just told me of a rumor the NSA is actually targeting TOR users and TOR traffic can be identified.

Anti-Virus

Not too much to say here other than use it.  Mac and Linux are the least susceptible to viruses for several reasons.  Interestingly, we increasingly have to be vigilant with our anti-virus software, as Avast was found to be spying on its users.  I have a Mac so I use the free AVG.  For my Windows VMs I use Microsoft Security Essentials.  For my Linux VMs I don’t run anything, and this is one of the beauties of virtualization: I save a system state (snapshot) and, should anything go awry, I simply roll back and restore the clean state.

 

Anti-phishing/spoofing

Again, the onus is on us to consciously assess the credibility of online or Internet-delivered communication.  All communications should use the Secure Sockets Layer (SSL) and Extended Validation (EV), as this encrypts sensitive data and facilitates Website authentication. Companies and individuals can be issued an Extended Validation (EV) SSL Certificate to show that they are legitimate, and this is identified by today’s browsers in the address bar.

There are various tools that allow users to verify sites and email addresses.  Here are 2 examples:

Spoofguard

http://verify-email.org/

WiFi Security

While this graphic is supposed to show how to get proper coverage within a house, look at the coverage circles.  The image on the right not only has poor transmission coverage in the far corners of the house, but its circle also extends outside the house (i.e. WiFi eavesdropping). Now, is there a window adjacent to the WiFi router? If so, this will skew the circle outside the house even more, as signals pass through a window far more easily than through walls.

Wifi Router Placement

 

Adding a WiFi router can increase your security simply due to NAT and the fact that 192.168.x.x addresses are not publicly routable (i.e. packets with 192.168.x.x addresses found on the Internet are dropped).


 

Wi-Fi Protected Setup (WPS) (from Wikipedia)

WPS, originally Wi-Fi Simple Config, is a network security standard that attempts to allow users to easily secure a wireless home network, but it could fall to brute-force attacks if one or more of the network’s access points do not guard against the attack. With that, let’s learn how to secure our network manually.

 

WiFi Router Configuration (manual config going beyond WiFi Protected Setup)

Start with default factory settings and access the router using an Ethernet port connection and IP address: 192.168.1.1

Router Name – nothing identifiable

SSID – nothing identifiable and don’t broadcast

Use WPA2 Personal Encryption and choose a good password

Use a Wireless MAC filter and only allow your devices on your network (use Mac/iOS/Android system information, or in Windows use cmd.exe and execute ipconfig /all)

Disable wireless management

Disable remote management if possible

Use only HTTPS for management

Disable Ping if possible

Now for you gamers, if you enable a DMZ, please do so prudently.


 

Some What Is? answers for the WiFi Security recording above:

DDNS – Dynamic Domain Name System from Wikipedia

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information. The term is used to describe two different concepts. At the administration levels of the Internet, “dynamic DNS updating” refers to systems that are used to update traditional DNS records without manual editing. These mechanisms are explained in RFC 2136, and use the TSIG mechanism to provide security. Another kind of dynamic DNS permits lightweight and immediate updates to its local database, often using a web-based mechanism. It is used to resolve a well-known domain name to an IP address that may change frequently. It provides a persistent addressing method for devices that change their location or configuration.

UPnP – Universal Plug and Play – Wikipedia

Universal Plug and Play is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other’s presence on the network and establish functional network services for data sharing.

Short Guard Interval – from Wikipedia

In telecommunications, guard intervals are used to ensure that distinct transmissions do not interfere with one another. These transmissions may belong to different users (as in TDMA) or to the same user (as in OFDM). The purpose of the guard interval is to introduce immunity to propagation delays, echoes and reflections, to which digital data is normally very sensitive.

SPI Mode – Stateful Packet Inspection as previously introduced.

Multicast Streams – About multicast streaming – TechNet – Microsoft

Multicast streaming is a one-to-many relationship between a Windows Media server and the clients receiving the stream.

Port Range Forwarding – from Linksys

Port range forwarding is done so the data for Internet applications can pass through the firewall of the router or gateway.  An example of an application port is port 25 which is assigned for email or Simple Mail Transfer Protocol (SMTP).

Port Range Triggering – from Wikipedia

Port triggering is a configuration option on a NAT-enabled router that allows a host machine to dynamically and automatically forward a specific port back to itself. Port triggering opens an incoming port when your computer is using a specified outgoing port for specific traffic.
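
The NAT protection described under WiFi Security, and the DMZ, port forwarding and port triggering settings defined above, can be compared in a small model of the router's inbound decision. This is an added example, not code from the original page or from any router vendor; the HomeRouter class, the addresses and the 6667/113 trigger rule are constructed for illustration, and real routers also expire these mappings after a timeout.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HomeRouter:
    """Toy model of a home NAT router's inbound decision (hypothetical class)."""
    forwards: dict = field(default_factory=dict)   # WAN port -> LAN host (port forwarding)
    triggers: dict = field(default_factory=dict)   # outgoing port -> WAN port to open
    dmz_host: Optional[str] = None                 # LAN host that gets all other traffic
    sessions: dict = field(default_factory=dict)   # (WAN port, remote ip, remote port) -> LAN host
    opened: dict = field(default_factory=dict)     # WAN port -> LAN host, opened by a trigger
    next_port: int = 40000

    def outbound(self, lan_ip, remote_ip, remote_port):
        """A LAN host connects out; the router records the translation."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(wan_port, remote_ip, remote_port)] = lan_ip
        if remote_port in self.triggers:           # port triggering fires
            self.opened[self.triggers[remote_port]] = lan_ip
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN host that receives the packet, or None if it is dropped."""
        if (wan_port, remote_ip, remote_port) in self.sessions:
            return self.sessions[(wan_port, remote_ip, remote_port)]  # reply traffic
        if wan_port in self.forwards:
            return self.forwards[wan_port]
        if wan_port in self.opened:
            return self.opened[wan_port]
        return self.dmz_host                       # None unless a DMZ host is set

def demo():
    """Walk through each rule with constructed documentation-range addresses."""
    r, stranger, out = HomeRouter(), "203.0.113.9", {}
    out["unsolicited"] = r.inbound(stranger, 51000, 3389)
    wan = r.outbound("192.168.1.20", "198.51.100.5", 443)
    out["reply"] = r.inbound("198.51.100.5", 443, wan)
    out["wrong_remote"] = r.inbound(stranger, 443, wan)
    r.forwards[25] = "192.168.1.30"                # SMTP, the page's example port
    out["forwarded"] = r.inbound(stranger, 51000, 25)
    r.triggers[6667] = 113                         # constructed trigger rule
    out["before_trigger"] = r.inbound(stranger, 51000, 113)
    r.outbound("192.168.1.20", "198.51.100.7", 6667)
    out["after_trigger"] = r.inbound(stranger, 51000, 113)
    r.dmz_host = "192.168.1.40"
    out["dmz"] = r.inbound(stranger, 51000, 3389)
    return out

if __name__ == "__main__":
    for case, host in demo().items():
        print(f"{case:15} -> {host}")
```

Once the DMZ host is set, the same unsolicited packet that was dropped in the first case is delivered to a LAN machine, which is why a DMZ should be enabled prudently.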

1. Free Wi-Fi may come with a cost: Some free or public Wi‑Fi connections may intercept your sensitive credentials. Only connect to networks you know and trust.
2. Lock it up: Keep your phone safe by enabling it to automatically lock after a certain period of time. Ensure your password is strong and not easy to guess, or use Touch ID to balance security and convenience.
3. Steer clear of malicious apps: Avoid installing applications from unknown third-party app stores. Find anti-malware solutions on the App Store® or Google Play™.
4. Communicate with caution: Fraudsters may call, email or text you pretending to be someone else and request sensitive information or funds. Always validate the request with another party and communicate through a trusted channel.
5. Stock is safer: Do not jailbreak or root your device. Altering the manufacturer’s security settings may leave your phone vulnerable to attacks from malicious applications.
6. Stay up to date: Set your operating systems and trusted applications to update automatically, ensuring security patches are applied as soon as they’re made available.
7. Keep your password safe: Citizens Bank will never ask for your password. If your password is requested via phone or email, call us at the number on your statement or on the back of your debit card immediately.

Physical Security Comes First
