A friend and I started this blog several years ago to help the average person with cyber security issues. At that time, I had observed that almost no one outside of the professional IT world had any notion of cyber security. Those in big enterprises had IT departments full of professionals to take care of things so the average worker bee could go about their day doing something that was hopefully profitable for the company. Home users and those in small or medium-sized businesses without IT departments, however, were almost always uninformed about the issues and often completely wide open!
Most average people I would talk with on the subject of cyber security had no idea that they were even at risk by using the Internet! Even if they had a basic notion that they were at risk, very few of them could articulate any specific steps that could mitigate their risks of data loss or theft. In short, what I saw were average people (and even some really smart ones!) who were simply overwhelmed by a subject that they didn’t understand. As a result, they just stuck their heads in the sand and continued on, with the hope that somehow they would magically be ok without doing anything.
One of the first missions of Security Beacon therefore was to try to build awareness of cyber security. Through articles on this blog and relays through our Twitter feed (Digital Fortitute @securitybeacon) we have tried to highlight news and information showing how critical cyber security has become to everyone. Since it was started, we’ve seen over 100,000 page views on this site. We now have nearly 10,000 followers on Twitter. Both of these figures are insignificant compared to the number of people at risk. Now, however, we are seeing a veritable explosion of articles on major news services about cyber security issues. We’ve seen data breaches at major corporations, state and federal governments, and people famous and not, all carried out by teenage hackers, professional hacker groups, and even government-sponsored cyber warriors. You’d have to be living under a rock the past few weeks not to know at least something about the Edward Snowden / NSA issue. Now, it seems, everyone should at least be aware of the idea of cyber security.
Unfortunately, I’m seeing anecdotal evidence that the average person is probably caring less and less about the issue! The problem is that we are now so saturated with cyber security news that average people are overwhelmed and resigning themselves to the idea that there is nothing they can do. Just as before there was any awareness, people are reverting to a “head in the sand” approach.
I think the average Joe is looking at the Snowden / NSA thing and thinking to himself that there is no way in hell that he can protect himself from NSA! Worse, even the NSA can’t protect itself from the likes of a Snowden! What does that say about the whole enterprise? If NSA can hack anyone, yet NSA secrets are being leaked all over the world, then we’re all in a #$%& load of trouble! This thinking leads a lot of people to simply give up and find a convenient pile of sand…
Hopefully, if you’re reading this you won’t just give up and do nothing! I wouldn’t blame you if you completely cut the cord to the digital world and holed up in a remote mountain cabin, but I suggest that a more practical approach might be simply finding ways to be just a bit smarter than the average bird whose head is in the sand.
When I started this site, I never envisioned trying to help keep anyone safe from the likes of NSA. Indeed, if you’re on the NSA radar, there is precious little I or anyone else can do to help you!
On the other hand, there are still a lot of criminals and hackers out there that might want to do things to you that you’d probably rather not have done. In spite of the NSA debacle, I believe you can still take positive steps to protect yourself from most hackers and criminals. Sure, we all know that it is extremely difficult to defend yourself from a determined adversary, but how many of you have such enemies? Our goal is simply to help you weed out the petty thieves and make it just hard enough for the determined ones that they decide to move on to someone else! Who knows? In the process of protecting yourself from the hackers and criminals, you might even make life just a bit more difficult for the likes of NSA or GCHQ!
Now, on that Snowden thing:
I’m not a big believer in the idea that people should go around betraying their country by disclosing classified information. On the other hand, much of what Mr. Snowden has revealed to date appears to fall into the category of “disturbing”. I’m going to shrink from declaring an opinion one way or another until we see how all this plays out. In the meantime, if you are at all concerned about your rights as a citizen of the interconnected world, I would urge you to read and familiarize yourself with the issues even though they may seem abstract and difficult to comprehend. I also warn you to avoid taking the cop-out approach by deluding yourself into thinking that you have nothing to hide! I’m confident that even in a world driven by social media there are still some things that we’d like to know are private and that can be kept that way. Think about this and act accordingly next time you go to the ballot box. Thanks for reading!
I just finished reading Andy Greenberg’s “THIS MACHINE KILLS SECRETS – How WIKILEAKERS, CYPHERPUNKS, and HACKTIVISTS aim to FREE the world’s INFORMATION”. Released in September 2012, this book attempts to document the history and ongoing story of the people and technology behind the world-wide leaker/hacktivist movement. Greenberg has done a superb job here. I started working with computers in 1980 and I have lived through nearly all the years recounted in this book, yet I came away with a vastly improved understanding of this multifaceted movement and the political and technical issues surrounding it.
Logically, Greenberg begins with the epic leak of the Pentagon papers. He then moves on to illustrate how the leaker movement merged with the paranoid, the hackers, the cypherpunks and others to develop encryption and privacy technology that is now used by millions around the world. This isn’t a story just for the technologist, however. Greenberg brings to life the many colorful personalities and conflicts that make the story read like a novel as opposed to a textbook. In the book you will learn about characters like Julian Assange, Bradley Manning, Daniel Ellsberg, Phil Zimmermann, Jacob Appelbaum, Jim Bell, John Young and a whole host of others you’ve likely never heard of before. All of them, and countless other unnamed and/or pseudo-named persons, have contributed to a technology base that can be used to protect personal privacy and anonymity, yet in the hands of a leaker, be used to expose the deepest secrets of the most powerful corporations and governments on the planet.
The most important reason to read this book is because this story is still being written and it affects all of us! The leakers, cypherpunks and hacktivists just happen to be on the front lines of civilization’s struggle to find the correct balance between privacy, anonymity, openness and accountability. While some might detest the leaks and the leakers, we all know that without them government power and corporate greed can quickly run into foul territory. Indeed, it is the leaker that history often judges the patriot and the powerful secret keepers the oppressors. So, the next time you’re shopping on a secure link or browsing the web anonymously with Tor, take a moment to say thanks to all the wikileakers, cypherpunks and hacktivists out there who are hard at work making life better for you and more difficult for big brother! Enjoy the book!
A few months ago I purchased an Apricorn Aegis 8 GB Secure Key hardware encrypted USB flash drive. These are super nice, easy to use, and very secure USB flash drives that just work regardless of what operating systems, computer and software you use! They also have 4 GB, 16 GB and 32 GB models to suit your budget or storage requirements.
The main reason to use these drives is for the security. What makes them so special is that you don’t have to worry about installing software and drivers on the host computer. The drives have a miniature 10-digit keypad so that you can configure and use a pass code of between 7 and 15 digits to secure your data. They are super easy to use. Just key in your pass code, press the unlock key and put it in the USB slot. Done! Your files are now unlocked and available on the host computer.
The Aegis Secure Keys have integrated hardware encryption circuits that use a 256-bit AES algorithm to protect your data. They automatically lock the instant they are removed from a computer or power is removed from the USB port. To prevent brute force attack, the units will destroy the key, effectively wiping the data, after 10 incorrect attempts at entering the pass code. The numbers on the keypad are wear resistant to minimize the possibility that someone could have hints at which keys you use most often. The electronics are also encapsulated in a tough epoxy making it extremely difficult for anyone to hack their way in without damaging the electronics.
The big news though is that the Apricorn Aegis Secure Key units recently received FIPS 140-2 certification. That means those of you in the health field now have a superb option for storing Patient Health Information (PHI) for on the go work. Those of you in larger organizations will benefit from the ability to set both an administrator pass code as well as user pass code. The drives can be reset with the data securely destroyed so that the devices can be safely reused again and again with different users and data sets.
I use Xubuntu Linux on all of my computers and I use the native dm-crypt encryption on all my drives, including cheap USB flash drives. This works great except when I have to interact with clients that use different operating systems. For those cases, I use the Apricorn Aegis Secure Key to easily and securely move critical data between the different systems.
If you’re still using unencrypted USB flash drives to store critical data I recommend that you either learn how to use TrueCrypt or buy one of these Apricorn Aegis Secure Keys. TrueCrypt is a great piece of software and I highly recommend it! Unfortunately, it is NOT FIPS 140-2 validated so those of you working under HIPAA guidelines cannot rely on it to give safe harbor in the event a TrueCrypt encrypted USB flash drive is lost or stolen. These Apricorn Aegis Secure Keys, however, meet the HIPAA standard and will make your life under HIPAA easier should the worst happen.
If you’re really paranoid and can live with software encryption, you could also layer a TrueCrypt volume on top of the hardware encryption to make a drive that is even harder to crack!
The WiFi WPS vulnerability has been known for over a year so it hardly qualifies as news. On the other hand, I’m willing to bet that, even a year later, 99.99% of the general population has no idea that their home or small office WiFi router is potentially vulnerable to an easy hack!
Even smart folks who use strong WPA/WPA2 passwords are at risk. I was even caught out by this one! I started to feel bad that I missed it, but then I asked a few of my tech friends about it and discovered they knew even less than I did!
If you have a modern home or small office router with WiFi (wireless) and the WPS (WiFi Protected Service) functionality you may be at serious risk of being hacked! Software is readily available that takes advantage of an inherent security flaw within the WPS system and enables hackers to derive the router PIN and thus your WPA/WPA2 pre-shared key or password! Once someone has your wireless password they can get access to nearly anything on your local network.
The only good news here is that the vulnerability is limited to WiFi. That means your risk is to local hackers and not those from the other side of the globe. To take advantage of this vulnerability someone has to be close enough to your home or office to receive your WiFi signal. They might be in the house down the street or a car parked half a mile away. If the attacker has a good antenna and line of sight they may be able to hack you from several miles away. Just because you live in a small town or rural area doesn’t mean you can afford to ignore this threat. Thieves are everywhere!
I saw headlines about a problem with WPS nearly a year ago but I didn’t dig deep enough. I don’t use WPS to configure wireless devices so I thought I was safe. I was WRONG!
The truth is that the WPS flaw is a serious security issue that affects possibly millions of routers in current use. Some routers with newer firmware are smart enough to foil the attack. Others are only safe if you disable WPS. It is reported that some routers remain unsafe even with WPS disabled!
The only way to know if a router is vulnerable is to test it yourself!
Test Your Router
I use Xubuntu 12.04 but neither reaver nor the required aircrack is in the repositories. I downloaded and installed them per the instructions here.
The reaver software doesn’t need a super computer to work its magic. I used a cheap old Asus 901 netbook for my tests. Almost any notebook with a wireless card is enough. If you use BackTrack Linux you may find that you need to install wireless drivers.
The first router I tested was a Netgear N600 Dual Band model. I started the brute force attack against the N600 in the evening before I went to bed. By the time I got up the next morning the WPA password was neatly displayed on the screen of my netbook. Yikes! This is definitely not a preferred outcome!
Later, I upgraded the firmware on the Netgear N600 and tested again. This time, the reaver attack progressed slower than before. I didn’t let the test continue to completion but I have every reason to believe that I could have eventually obtained the password. I then disabled WPS and tried again. This time the router didn’t respond to the attack. It seems that disabling WPS on this router foils the attack.
I then tested a Cradlepoint MBR1400 router. This time I was lucky and I couldn’t get the router to play ball with the attacking computer. I presume this is because the Cradlepoint had gone through several firmware upgrades over the past year and one of them must have done something to fix the problem. On the other hand, I’m not a very good hacker so perhaps I wasn’t using the reaver program to its fullest potential? I still turned off WPS just to be safe!
I also tested an older Linksys WRT54G that I had stashed in a drawer for a backup. This one responded to the reaver queries but at a relatively slow rate. I have every reason to believe that given enough time it would have eventually yielded to the attack.
Last weekend I tested a Qwest (now CenturyLink) ActionTec PK5000 router with the latest firmware. With WPS enabled the reaver attack processed about 4 PINs per second. I was short on time so I didn’t let the attack run to completion but it was clear that a password was only a few hours away. With WPS disabled, I saw no response from the router. Thus, the ActionTec PK5000 with latest firmware seems safe provided you disable WPS.
I have only tested a handful of routers, but 3 out of 4 of them were vulnerable with WPS enabled. Since WPS is enabled by default, there are likely a lot of vulnerable routers out there!
From what I can gather, most major manufacturers have issued firmware updates that will limit the damage reaver can do. The problem is that most people buy a router, bring it home, hook it up, and never look back. Thus, there are a lot of routers with old and vulnerable firmware just waiting to be hacked! Hopefully, by reading this article, yours won’t be one of them!
What to do?
The best advice I can give you is this:
- Upgrade your router to the latest firmware.
- Disable WPS.
- Test the router to see if it is vulnerable.
If you don’t have the skills or time to test it yourself, then you should contact the router manufacturer to see if your particular router and firmware are vulnerable.
If you are really paranoid, now is the time to ditch wireless altogether and use wired connections. WiFi may be convenient, but wired connections are faster and definitely more secure!
If any of you take time to test your routers, it would be helpful if you post results in the comments section so others can benefit.
Thanks for reading!