Security Awareness News: December 2007 |
Security Awareness News
December 2007

Too Much of a Good Thing?

There are more than 13,000 Hot Spots, or free wireless access points in Chicago alone, with thousands of cities expanding their free municipal wireless coverage. Now, anyone with a WiFi enabled laptop, PDA or phone can access the Internet from almost anywhere they happen to be. From Starbucks, to McDonalds to hundreds of airports, hotel lobbies, convention centers and now the actual streets and avenues of cities around the world, 100% Internet connectivity is coming to fruition.

But, is that such a good thing? Security is and always has been a balance between functionality and utility and the need to protect information, access and privacy. How has increasing ubiquity of WiFi affected our collective individual security or our corporate security?

Unfortunately, because of the ease of access, free or for a small fee, utility comes first and security is currently running a distant second. The results are anything but pretty. For the determined criminal type or curious hacker, hopping onto a Hot Spot and on to your computer or our corporate networks is almost trivial these days. The Silica, a popular portable Linux device, looks for open networks to grab. Using portable versions of password grabbers like Cain and Abel, your passwords and our networks can certainly be compromised.

Cain and Abel is marketed as a valuable password recovery tool that enables network administrators to test network security, or home users to recover a variety of stored network passwords. The powerful program can sniff and recover passwords from most popular protocols, including FTP, SMTP, POP3, HTTP, mySQL, ICQ, Telnet and others. This can mean that a single person in a public place can capture hundreds of User_IDs and Passwords in a cell-phone sized device hidden in a pocket and the victims will never be the wiser. The 'bad guy' will, at his leisure, go home and have access to any web site you may have logged onto, your email accounts and just about any other online activity you performed.

And this is only part of the problem. Unless you have taken certain security steps, your personal computer is wide open for anyone's inspection and/or theft. That is the current state of the art of wireless. It was designed to be easy to use (which it is!), wide open for anyone (which it often is!) and not much thought to security was ever given.

BUT! There are steps you can and should take to minimize your exposure. Here is a short list of things to make sure you do at home, on your own wireless network, and that you should absolutely do, On the Road, when using wireless Hot Spots or other public (fee or free) wireless networks.

At Home:

1. Change the Administrator password on your wireless router, also known as an Access Point.
2. It is often smart to turn off 'Broadcast ID', which loudly announces the name of your home network.
3. Enable crypto. The older WEP is pretty much useless these days, so choose the WPA options, and use a strong password. This keeps eavesdroppers from listening to your wireless traffic.
4. Enable MAC filtering in the wireless router. Every network device, like your laptop or home computer, has a unique MAC number. Enter the MAC numbers of only those computers you want to permit access to your network. All others will be blocked. This is a very strong, very valuable security step.
5. Enable your personal firewall on your computer. Most routers have firewalls, but the additional security is good.

On the Road:

1. Make sure your personal firewall is enabled. It is worthwhile to test the security of your computer from time to time. Visit www.GRC.Com and link to Test My Shields. All of your ports should be in 'Stealth' mode.
2. Have all other security software (antivirus, spam, popup, etc.) current and updated before hitting the road.
3. Be aware that passwords and all access codes are ripe for the picking.
4. Many companies insist that remote users only connect to corporate networks through a VPN or Virtual Private Network. (See VPN Below.) Please be aware of our company policies and follow them.
5. A corporate VPN will only protect you when connecting to the corporate LAN. If you connect to any other web site, ftp location or even web mail, your User_ID and Password credentials are at severe risk.
6. Consider subscribing to and installing a personal VPN service on your mobile computer. (Free to $30 per year and worth every penny!) You will connect through the VPN to the VPN Service server, completely secure. Once connected, you can use the Internet as safely and securely as if you were at home or in the office.

Wireless computers offer tremendous flexibility and mobility, but a little extra awareness and security is needed to make it a safe experience.

Be careful about believing some of the exorbitant claims of wireless manufacturers. Wireless 'G' is the current standard, with speed claims of 54 Mbits per second, but about only 70% of that in practice. Wireless 'N' is upcoming, but not a real standard. An 'N' router might give a little better range and performance, but unless you have an 'N' wireless card in your laptop or desktop, there is no measurable speed increase. Consider a wireless repeater to enlarge coverage across greater areas.

Especially in cities, you can accidentally log on to neighbors' networks and they can log onto yours, too. If they do something wrong or potentially illegal from your access point, you can come under suspicion, too. That is why using MAC filtering and WPA crypto is a simple, smart and secure thing to do. But that won't keep you from logging onto nearby networks. Look for available networks in your network control panel, and if you see a neighbor's and can log on, it is considerate and secure to let them in on what you have just learned, so they can secure their network and access points, too. Do not be tempted to use their network. You may be exposing yourself to 'guilt by association'.

[Image: A screenshot from Cain and Abel]

Coming up next month: Good Security Habits

Who Ya Gonna Call?

Need to Report Something? Contact Security, your IT manager, or Help Desk immediately. Good security comes from timely response!

The VPN

A VPN, or virtual private network, is essentially a tunnel to communicate safely from your computer to another computer or web site or other Internet service. The tunnel is encrypted using strong algorithms so that eavesdroppers will not be able to listen in on your traffic. It is not unusual for companies to provide their road warriors with approved VPNs so they can talk securely with the company from anywhere in the world.

A personal VPN connects you to a VPN service, encrypting all traffic from your computer (mobile or fixed location) to a distant server. Once connected and authenticated to the VPN server with your User_ID and Password, you can use the Internet with the same level of security as you would from home or the office.

Finding Wifi

Even though there are hundreds of thousands of WiFi points around the world, most computers merely find and automatically connect with the closest and strongest wireless access points. A mobile machine can connect to dozens of networks at the same time, but many of them may be inaccessible due to crypto (WPA) and/or MAC filtering. The user then has to individually select a network to see its status.

Many road warriors prefer to identify the network and its status before attempting to log on. Programs like Net Stumbler are free, and are excellent tools to identify wireless networks, their security, exact location using GPS and much more than the average user cares about or even needs to know.

[Image: A screenshot from Netstumbler]

Most road warriors don't want to hack; all they really need to know is if there is a Hot Spot nearby, where it is and if it is Open. For this application, try looking at WiFi Detectors. Some of them are keychain fobs and provide simple signal strength detection ($5-$10) and then more sophisticated devices like WiFi Walker provide security information, direction and more. ($60+)

Remember, though, before you log on to any public network, make sure you have all of your security ducks in a row.

Security Tips and Tricks

Gift Card Scam: 2007

Imagine giving gift cards to family and friends from the top retailers and Internet sites. Imagine then, that family and friends visit the retail stores in question, purchase their 'present', only to discover at the cash register, that the gift cards are worthless.

This is the Gift Card Scam of 2007, and it's already affecting thousands of people.

At a retail store, gift cards often hang in racks, especially in the check out lines: urgency sales. You pay at the register, and the clerk activates the card with the appropriate amount of money. Some have their value printed on the face of the card; others are variable and can be re-loaded.

Scammers and thieves will gather some of the gift cards in various stores and write down the card's ID number, which is what permits on-line spending. Some cards require the owner to scratch off an adhesive cover over an identifying number and the thieves will do just that. Between the time you purchase the gift card and your gift is given and used, the thief has already spent the value of the card and there is nothing you can do about it. Gift cards are anonymous, can be used by anyone at all, you have no way to prove you did not use it.

Criminals like to steal in small amounts, like $25 or $100 because most of us won't pursue it legally, and law enforcement views it as too small to investigate. Much less, the likelihood of success is low. It's a cheap crime most people just write off.

But gift cards are so cool... what can you do? Here are a few tips.

- Only buy gift cards in protective packs if hanging on a hook.
- Ask the clerk for gift cards kept behind the counter.
- Check the back and front of the card for any signs of tampering.
- Check the value, the card number and PIN number on your receipt. It should match the card.
- Avoid on-line gift cards except from reliable, well known on-line retailers. Auctioned cards are almost surely a scam.

And as always, if you have a hint of suspicion, follow your instincts and do not purchase.

My New Year's Resolution: Getting Into Good Security Habits

1. I promise to organize all of my business and personal passwords, strengthen the weak ones, update the old ones and use a secure place to store them.
2. I promise to make sure I have current defensive security products in place, working automatically, updated, and, if necessary, paid for.
3. I promise that I will learn how computer security is a lot more than just geeky, technical things; security is about a balance between Cyber, Physical and Human.
4. I promise I will be more aware of security relevant events that occur in my daily life, share them with my friends and family, and learn from them.

Security Quote of the Month

"I do not think that the wireless waves I have discovered will have any practical application."
- Heinrich Rudolf Hertz, 1882
Object Description
TITLE | Security awareness news |
CREATOR | Arizona. Dept. of Economic Security. Division of Technology Services. |
SUBJECT | Computer crimes; Firewalls (Computer security); Wireless Internet |
Browse Topic | Science and technology |
DESCRIPTION | This title contains one or more publications. |
Language | English |
Publisher | Arizona. Dept. of Economic Security. Division of Technology Services. |
Material Collection | State Documents |
Source Identifier | ESD 1.3:S 32 |
Location | 184941291 |
REPOSITORY | Arizona State Library, Archives and Public Records--Law and Research Library. |
Description
TITLE | Security Awareness News: December 2007 |
CREATOR | Arizona. Dept. of Economic Security. |
DESCRIPTION | 4 pages (PDF version). File size: 1076.908 KB. |
TYPE | Text |
Acquisition Note | Publication or link to publication sent to reports@lib.az.us |
RIGHTS MANAGEMENT | Copyright to this resource is held by the creating agency and is provided here for educational purposes only. It may not be downloaded, reproduced or distributed in any format without written permission of the creating agency. Any attempt to circumvent the access controls placed on this file is a violation of United States and international copyright laws, and is subject to criminal prosecution. |
DATE ORIGINAL | 2007-12 |
Time Period | 2000s (2000-2009) |
ORIGINAL FORMAT | Born digital |
DIGITAL IDENTIFIER | AZDES SACNews Dec_2007Final.pdf |
DIGITAL FORMAT | PDF (Portable Document Format) |
REPOSITORY | Arizona State Library. Archives and Public Records--Law and Research Library. |
File Size | 1076.908 KB |