CyberArtisans Newsletter May 2005

Welcome to the May 2005 issue of the CyberArtisans monthly newsletter!

Our goal is to present information that will be useful to you as a website owner and as a user of the web. If these newsletters are not useful to you, please forward this to a friend who will find it useful. To unsubscribe, follow the directions at the bottom of this email.

This Month's Topics
Wireless Security Trap I
Wireless Security Trap II

This is wireless-security month in the CyberArtisans newsletter. One word of caution: There are a lot of acronyms in the wireless world. In most cases, what they stand for is less important than what they represent in protocols, security mechanisms, or networking components. We'll try to explain as many as seems necessary.

Wireless Security Trap I

Do you use Internet wireless in airports, Starbucks, and other public connection spaces? You're not alone, of course, and so the bad guys have found ways of compromising those spaces. Here's how it works:

You sit down at the airport and switch on your laptop with wireless. Up pops a page that looks like a normal login page for whichever wireless service is there, so you log in, type in your bank URL, type in your username and password and attempt to move some money. But the bank website appears to have a problem, so you shut down and run to catch your plane. Only problem is, you didn't log into the wireless service or your bank website. There was another person in that area with an innocuous-looking laptop who was actually running a rogue wireless server. Your system grabbed his signal first and his server fed you a fake wireless service login page and a fake bank login page. You have just given him your bank account username and password. The name for this scam is "Evil Twin."

Here are a few strategies to protect yourself:

Keep your wireless function off when you're not using it to avoid accidentally connecting to an evil twin.
Sign up for public wireless services from home or office via a wired connection (company network, cable, DSL, dial-up) so you send your credit-card information over a wired connection rather than the wireless. Some services (like T-Mobile) offer free connection software that checks the digital certificate of the wireless network to be sure you are signing onto the real service.
If you connect to a bank website, check that the login URL begins with "https." That indicates a secure server. Most fraudulent sites don't bother setting up a secure server. If you don't see the "https," don't log in.
Try to use wireless services that enable encryption (again, T-Mobile's connection software does), and use it.
If you can wait until you get to your destination to move the money, wait.

Wireless Security Trap II

Do you use wireless networking (Wi-Fi) at home or in the office? Is it encrypted? Is it encrypted securely enough? Not an issue, we hear you say -- nobody would want to attack me anyhow. Don't count on it. Here are a few hazards most people don't think about.

Wireless signals travel much further than you might think. At last years' Wireless Shootout at the DefCon hackers conference, two teens were recognized for establishing a 55 mile connection. Yes, they used amplification and special (home-brew) antennas, but then they turned off the amplification and maintained the connection.
Yes, the organized bad guys probably don't consider you a prime target. But how about the teens down the street who are looking to prove their hacker prowess and want to see how many systems they can invade and steal sensitive information from? Once it's out of your system it takes only one member of the group willing to sell your data for it to be in the hands of thieves.
Even if you have nothing of value on your system, hackers can connect to your system and use it to send out spam, kiddie porn, or other nefarious stuff. It will all look like it's coming from your computer (because it is). Are you legally liable if someone hacks into your unprotected wireless network and uses it for illegal purposes? This hasn't been tested in the courts, but you really don't want to be the test case.

How should you protect your network? Let's start with some strategies that don't work (don't worry if you don't know what all these mean -- they don't work anyway -- but if your cousin Jerry tries to tell you that you just need to do one of these, tell him he's way behind in the technology):

MAC address filtering
Turning off SSID
Disabling DHCP
WEP

Wait now, isn't WEP one of the established encryption protocols you can select in your wireless router? Yes it is, and it has been rendered essentially useless by easily-obtained software that can capture a WEP key in just minutes.

So is there a way to get reasonable protection for a reasonable price? Yes, there is -- it's called WPA-PSK and it can probably be implemented using your current wireless hardware. You must select WPA-PSK with AES encryption rather than TKIP (did we mention that these folks have a love-affair with acronyms?). "PSK" stands for Pre-Shared-Key. It means that the wireless security mechanism for every system on the network has to have the same key (a key is a series of characters, like a password). To be secure, this key should be at least 32 characters long, include upper- and lower-case letters, numbers, and punctuation, and be randomly-generated. Where can you get such a key? At http://www.winguides.com/security/password.php and it's free. Just for fun, here's what a 63-character key looks like from the Winguides password generator:

friucO#no!QlUcr-uW?oucoUcriaqiE*Oawle+1eMIuZ@?Wr6abrouT+*Jl?b#*.

Obviously this would be harder to deduce than, say, your dog's name. Just as obviously, you don't want to have to type this into each system. This is what flash drives were created for. Copy the key into a text file, put the text file on a flash drive and copy the key from the flash drive to the wireless setup for each system. Then delete the text file from the flash drive. Remember, you only have to put in the key when you set up your network initially or when you change something within the network. When that need arises, simply generate a new key and transfer it to all your wireless systems in the same way.

If all this sounds more complicated than you care to deal with, call your local computer support person -- it should only take a few minutes to set this up if your hardware is capable of handling it. Contact us if you want a referral to good computer support person.

Links

If you'd like to read more about either of the wireless security issues in this newsletter, here are a few links worth pursuing. Be forewarned that the Windows Secrets Newsletter and its links are pretty technical.

Wall Street Journal article on Evil Twins and Pharming (no registration required)

Wi-Fi Shootout in the Desert Three teens established a record-setting connection with only 19 days advance planning

Windows Secrets Newsletter May 26, 2005 -- Lots more detail about wireless security with links to some interesting sources

Thanks for joining us this month. See you next month.

Want to see back issues of this newsletter? Go to http://www.cyberartisans.com/newsletter and select an issue.

Jonathan Spencer
CyberArtisans Web Developers
jspencer@cyberartisans.com
http://www.cyberartisans.com/
617-965-4110