Wireless Security

Wireless networks are common, especially in homes. They offer quite a few advantages (and often cause a few frustrations), and in a lot of cases it just comes built into the modem/router. It’s also another point of entry into your network (and your computer).

Risks:

The risk that a wireless network poses is mostly unseen. The more powerful and efficient the wireless equipment is, the further away it works from. Eg, your neighbours, passing cars, pretty much anyone within a few hundred metres radius of your home or office. In fact, an office is a greater risk because there’s likely to be other offices nearby and the data accessible from an office network would be more valuable.

Solutions:

I’ll get straight to the point here. The following solutions exist. Read on to learn which ones are good to use and which are completely useless:

  • WEP [not secure]
  • WPA [secure]
  • WPA 2 [secure]

Of these only WPA and WPA2 are secure. The WEP algorithm was cracked years ago and there are easily available programs to hack into a WEP protected network. It doesn’t matter how many bits of security are used, anyone who wants to connect to your network is able to with little effort.

WPA and WPA2 can be implemented in a few ways, and for homes and small offices the PS-KEY is the preferred method. This uses a PreShared Key, and you should really use at least 20 random characters. Medium and large organisations should be using something called a Radius server.

WPA2 has a few advantages over WPA:

  • It uses a more secure algorithm, meaning it’ll be some time before someone cracks it (eg, a few years)
  • WPA is vulnerable to denial of service (DOS) attacks, meaning that more advanced hackers can make a WPA network stop working (but at the moment cannot hack into it). This would be a nuisance for home users, and more than a nuisance for business users.

So why doesn’t the whole world user WPA2? WPA2 is fairly new and not many products support it. It seems to take years for computers, phones, and other gadgets to start using new protocols.

Since WPA has been around for a few years why doesn’t everyone use that? Again when wireless networks were first introduced a large number of devices were made that only supported WEP. Manufacturers were slow to update their software, and most consumers didn’t understand wireless security and hence didn’t care if it supported WEP or WPA, so the manufacturers had little reason to provide updates.

WPA is considered secure at the time of writing (2007). When the standard was created it was rushed and the main goal was to fix security problems without having to reinvent everything. So it was a compromise and it’s only a matter of time until some clever hackers come up with a way to break it. When that happens you’ll hear about it on this site.

So in summary,

  • If all your devices (wireless router, computers, games consoles etc) support the new WPA2 then use it.
  • If all your devices support WPA but not WPA2 then use WPA and do some research every now and then to see if it’s still safe (keep reading this site).
  • If at least one of your devices is limited to the old WEP standard then you can either
    • accept that your neighbour could break into your network and use it to download or upload whatever they want, or
    • decide not to use wireless at all, or
    • replace or upgrade your devices.

If in doubt ask, or do some research.

“Microsoft Security Update” Emails

There have been some bogus emails recently with a subject of “Microsoft Security Update“. It contains a whole lot of text encouraging you to click on a link to install a security update. If you look at the email carefully you might notice that it contains a link to a website not owned by Microsoft, and instead it will attempt to download and install a virus.

How are you supposed to know it’s false? For a start Microsoft probably doesn’t know who you are or what your email address is. If you’re a home user it’s very uncommon (and unnecessary) to register your address with them. And even if you did, email is not the method Microsoft uses to advise you on updates or to distribute the updates.

For business users, you have an IT department that takes care of all updates. You shouldn’t be trying to install security updates so treat any such email as bogus.

Bottom line: delete these emails. Any good spam or virus filter should catch most of them, and it’s best to be cautious.

Protecting A Home Computer – First Steps

This article covers the most basic proactive measures you can take to protect your computer. It’s been written with a single home computer in mind – small and large offices need completely different solutions and they’ll be covered in a future article.

So you have a computer and are aware of the dangers present on the internet. You’d like to feel safe with as little effort as possible, and you’re even prepared to buy some antivirus software. Where do you start?

Anti-virus software is one line of defence, but you can’t rely on this alone. Online crime has advanced so much in the past few years that viruses are probably the least of your concerns. Nevertheless you still need an antivirus solution.

Viruses are programs that install themselves onto your computer and do something unwanted. Some are worse than others (it could delete your files, let hackers log into your computer, and copy itself to other computers). Antivirus programs scan everything on your computer and match it against a list of known viruses – new computer viruses get created every day. So yesterday’s antivirus software won’t protect you against today’s threats (it’s a fast paced world). What you need is a way to update your antivirus software every day. This is usually called a subscription, meaning you pay an annual fee to get the latest updates every day.

Some home users have outdated antivirus software. It probably came bundled with the computer with a 3 month trial subscription, and it probably expired. Some people think it’s ok to copy antivirus programs from a friend (which is morally wrong and illegal) and without paying for the subscription it won’t protect you. Bottom line here: pay the annual subscription.

The next line of defence is protection from trojans. The simple explanation is that some programs you download (or sometimes buy) include a hidden bit that connects out to the internet and does something bad without your knowledge. There are two things you can do to prevent and control this very serious problem:

  1. Be aware of what you download. Only download programs you really need and preferably from sources you trust. Although this may sound vague it gets easier with experience.
  2. Run a personal firewall. Read below on how this can help.

A personal firewall is a program you install on your computer that stops unknown programs from connecting out to the internet. In other words, it becomes very difficult for a “bad program” to use the internet without your permission. Windows now includes a firewall program but it’s worthwhile paying for a better one.

You also need to learn to use it. In its most basic form a personal firewall with ask you for permission whenever it finds a new program (attempting to connect to the internet). If you blindly click Accept then you haven’t really achieved any better level of security. You should take a moment to read what the message says and consciously decide whether or not to allow it. Don’t fall into the habit of clicking Yes to everything. In most cases if you’re intentionally telling a program to use the internet then you would want to allow it. Again this becomes easier with experience.

Lastly, the other main line of defence for a home computer is to keep it patched. Windows is not perfect (and neither is Linux or MacOS) and the programmers generally find ways to improve security. They release a patch and it’s up to you to apply that patch to your computer. This is often automatic, and for beginners this is how you want it to work. Windows XP and Windows Vista will let you know if patches are not being applied manually (in which case you should do this at least weekly). Patches can be applied by opening Internet Explorer and selecting Windows Update from the Tools menu, then following the prompts.

In summary there are three facets to securing a home computer:

  1. Use antivirus software. It’s important that it receives updates at least daily
  2. Use a personal firewall. Learn to read the messages it gives you and use it properly.
  3. Keep your computer patched. This can often be automatic.

I think that’s enough for now. Each of the above three areas requires further articles, and there’s still an awful lot more to be learnt. I have deliberately avoided suggesting any products. This also warrants its own article and the market changes so fast that a recommendation would be out of date fairly quickly. Expect to pay about $100 per year per computer. This is reasonable considering that a computer typically costs over $1000 and your bank account could contain significantly more.

Computers Are Complicated

Computers are very complicated machines. This article is an introduction to computer security suitable for all people.

Anyone who says a computer is simple, or the latest version of anything is easy to learn either is lying (possibly with the intent of selling you something) or is naive. Over the past 25 years computers have only become more complicated, programs and systems have grown to be huge and no matter how much work is done to wrap things up in a nice simple interface it’s inherently complicated under the surface.

Compare an old car with a more complicated vehicle such as a space shuttle. If something was wrong with the old car you’d probably know just by driving it. With a space shuttle you probably wouldn’t know unless you had a large support team monitoring all the sensors. Computers have become like that.

Commercial environments (such as offices) have IT departments that constantly monitor all their computers and repair problems (including vulnerabilities), often without users being aware of it. Home users, or small office environments, don’t have this luxury and won’t be aware of a problem until it’s too late. The problem could expose itself as a failed drive, and you might lose some data. Or it could be a compromised network leaving your computers at the control of hackers. In fact there are countless possible scenarios.

And then there’s the risk to you. Some people insist there’s no reason a hacker would attack their computer, that there’s nothing valuable on it anyway. In fact there’s something very valuable in every computer you use: confidence in the computer’s security. You want to know your computer’s safe to use for internet banking (and that it’s not under the control of a hacker). You want to know that your computer isn’t being by an unknown person to send spam or to commit a crime.

The point of all this is that you should never assume anything with a computer is simple. Computers don’t take care of themselves, and problems really do exist, often without your knowledge until it’s too late to prevent it.

Your approach to computers should include the following points: 

  • Be proactive in maintaining your computer(s)
  • Spend money where necessary to have the best tools to secure and maintain them
  • Keep in mind that the risks to you are real
  • And remember that there are lots of people out there with malicious intent (the threat is real).

This article hasn’t gone into any specifics, it’s an overview on why you need to be proactive. It presents a case for putting effort into maintaining a computer or network.