Is WPA Still Secure?

There was a media announcement recently from a Russian company called Elcomsoft claiming to be able to crack WPA encryption. What’s this about and how does it affect you?

WPA is the preferred encryption for wireless networks, the kind you probably have at home or in the office. Here’s a quick recap of where WPA fits in:

  • WEP – the old wireless security option. This is useless; it provides no real security.
  • WPA – this replaced WEP. Some old devices didn’t support it but most new ones do. WPA is good and highly recommended.
  • WPA2 – this is better than WPA.

So what did Elcomsoft do?
They developed a way to speed up the time it takes to crack WPA and WPA2 encryption. Here’s a short summary:

  • If you use a short password, say 10 letters long, it used to take 579,000 years to crack. With this new technology it would now take 5793 years, or 5 years if they purchase 1000 of these machines dedicated to hacking into your wireless network (at a cost of over $1m of hardware).
  • If you use a good password, e.g. 20 characters long, it will now take 10,000,000,000,000 years to crack, or shorter if you have thousands of computers working together on this.

In other words, the article is mostly hype. Making something 100 times faster doesn’t mean much when we’re talking about trillions of years.
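To see why a constant speedup matters so little, here is an added example (my own code, not Elcomsoft’s or anything from the announcement) that models brute-force search time as keyspace divided by guess rate. The per-machine guess rate is an assumed placeholder, since the announcement’s exact figures aren’t given here; the shape of the result is what matters: each extra character multiplies the work by the alphabet size, so a 100x faster cracker is cancelled by adding just two lowercase letters.

```python
"""Brute-force search-time model for WPA/WPA2 passphrases.

Added example; the guess rate used in main() is an assumed placeholder,
not a figure from the Elcomsoft announcement.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
LOWERCASE = 26          # a-z only, the "10 letters" case in the text
PRINTABLE = 95          # printable ASCII, a typical "good password" alphabet


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float, machines: int = 1) -> float:
    """Years to try every candidate with `machines` crackers in parallel.

    Exhausting the space is the worst case; on average the passphrase turns
    up after half of it, so halve the result for the expected time.
    """
    aggregate_rate = guesses_per_second * machines
    return keyspace(alphabet_size, length) / aggregate_rate / SECONDS_PER_YEAR


def extra_chars_to_offset(alphabet_size: int, speedup: float) -> int:
    """Smallest number of added characters that cancels a given speedup.

    Uses integer arithmetic so the answer is exact (no floating-point log).
    """
    if speedup <= 1:
        return 0
    added, factor = 0, 1
    while factor < speedup:
        factor *= alphabet_size
        added += 1
    return added


def main() -> None:
    base_rate = 1_000.0     # assumed guesses/s for one machine (placeholder)
    print(f"{'len':>4} {'alphabet':>9} {'1 machine':>14} {'100x faster':>14} {'100x, x1000':>14}")
    for length in (8, 10, 12, 16, 20):
        for name, size in (("a-z", LOWERCASE), ("printable", PRINTABLE)):
            row = [years_to_exhaust(size, length, base_rate),
                   years_to_exhaust(size, length, base_rate * 100),
                   years_to_exhaust(size, length, base_rate * 100, machines=1000)]
            print(f"{length:>4} {name:>9} " + " ".join(f"{y:14.3e}" for y in row))
    print("extra a-z characters that cancel a 100x speedup:",
          extra_chars_to_offset(LOWERCASE, 100))
    print("extra a-z characters that cancel 100x on 1000 machines:",
          extra_chars_to_offset(LOWERCASE, 100 * 1000))


if __name__ == "__main__":
    main()
```

Run it as a script to print the table; whatever rate you plug in, the columns shift by a constant factor while each step down the rows multiplies the time by 26 or 95, which is the whole argument for a longer passphrase.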

The short version is: use WPA/WPA2 and a long password when configuring your wireless network. Use at least 20 characters.

Further:
What I’ve written above applies to small networks such as homes or small offices. For large networks you should be using a technology called RADIUS together with WPA. This is much more secure and extremely hard to crack, and of course more complicated and expensive to install and maintain.

False Microsoft Patch Emails

Tuesdays are when Microsoft publishes patches to their software, and today they’ve published quite a few (if you use Windows then you should be installing the patches today). 

However, today there’s a malicious email being sent around that looks like it came from Microsoft (it’s actually fake). The email tells people about the patches and has a file attached.

The attachment isn’t really a Microsoft update; it’s actually a trojan that installs something on your PC that lets hackers log into it, without you ever finding out. You really don’t want this kind of thing installed on your PC.

The email has a few features designed to convince people that it’s genuine, such as a PGP signature at the end, and the fake sender address.

The subject of the email is:

Security Update for OS Microsoft Windows

If you see this just delete it. You should also have a good spam filter for your inbox – email services such as Gmail do a good job of this. For businesses it’s a little more complicated and even more important. You should also invest in a good antivirus package, one that checks everything and downloads updates at least once a day.

And remember to never trust attachments you unexpectedly receive (you didn’t ask Microsoft to send you an attachment, so why would they really do this?).

ClickJacking Exploit

A rather serious exploit has recently been discovered.

It’s called ClickJacking. The problem is in Adobe’s Flash player, which just about everyone in the world has installed (sometimes without even knowing it). 

The vulnerability makes it possible for someone to control your computer’s webcam or microphone, letting other people spy on you. It’s a serious problem.

Who’s at risk?

Anyone who has Flash version 9.0.124.0 or earlier is at risk. This includes Windows, Mac, and Linux users, and Firefox, IE, Safari, Chrome, and Opera users (does this list include you?).
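Checking "9.0.124.0 or earlier" sounds trivial, but a common mistake is comparing version strings as text, where "10.0.0.0" sorts before "9.0.124.0" and a patched major version 10 would look vulnerable. The following added example (my own code, not Adobe’s) parses the dotted version into integers before comparing; the 9.0.124.0 threshold comes from the text above, while "10.0.0.0" is a constructed later version used only for illustration, not a real release number.

```python
"""Dotted-version comparison for the "9.0.124.0 or earlier" check.

Added example, not Adobe's code. LAST_VULNERABLE comes from the text above.
"""
from typing import Tuple

LAST_VULNERABLE = "9.0.124.0"


def parse_version(text: str, parts: int = 4) -> Tuple[int, ...]:
    """Turn "9.0.124.0" into (9, 0, 124, 0).

    Shorter strings are right-padded with zeros ("9.0" -> (9, 0, 0, 0));
    anything non-numeric is rejected rather than silently compared.
    """
    fields = text.strip().split(".")
    if len(fields) > parts or not all(f.isdigit() for f in fields):
        raise ValueError(f"malformed version string: {text!r}")
    numbers = tuple(int(f) for f in fields)
    return numbers + (0,) * (parts - len(numbers))


def is_well_formed(text: str) -> bool:
    """True when parse_version accepts the string."""
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


def is_vulnerable(installed: str) -> bool:
    """True when the installed Flash version is 9.0.124.0 or earlier.

    Tuples of ints compare component by component, so 10.x > 9.x as expected.
    """
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


def naive_is_vulnerable(installed: str) -> bool:
    """The tempting but wrong check: comparing the strings directly.

    Lexicographic order puts "10..." before "9..." because '1' < '9', so a
    fully patched major version 10 would be reported as vulnerable.
    """
    return installed <= LAST_VULNERABLE


if __name__ == "__main__":
    for version in ("9.0.115.0", "9.0.124.0", "9.0.125.0", "10.0.0.0"):
        print(f"{version:>10}: correct={is_vulnerable(version)!s:5} "
              f"naive={naive_is_vulnerable(version)}")
```

The same pitfall applies to any software version check written as a string comparison; the fix is always to split on the dots and compare numbers.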

What can you do to protect yourself?

Adobe is publishing a fix very soon and the best thing to do is to upgrade to the latest version of Flash. Flash should prompt you to download an update – say yes to this. Otherwise download the latest version from Adobe’s web site.

If for some reason you can’t update Flash on your PC there’s another way to protect yourself (this is a last resort tactic, updating Flash is much safer). The workaround is to set the Always Deny option, as detailed here on Adobe’s site.

Further info:

Someone has gone to the trouble of setting up a sample of how the exploit works and recorded a video to demonstrate. Play the YouTube video in this article.

Unsecured Wireless Routers

Here’s what happens when you don’t take proactive steps to secure your wireless router (or wireless network). Recently there were a series of terrorist bomb attacks in India, and threat emails were sent by the terrorists.

The source of the emails was traced and they came from the home of an innocent family in Mumbai (India). The terrorists had used their unsecured wireless network to gain access to the internet and do their thing. The residents said,

“We did not feel the need to secure or password-protect our internet connection. But now it has become a necessity for all citizens to secure their connections”

This stuff really happens; read the full article here.

So how do you secure your wireless router? What other consequences can you face for leaving it unsecured? Read our previous article. In fact, use the search box on the top right of this site and search for “wireless” – there’s a lot to learn about wireless security at home and in the office.

Keep in mind that when you buy new (or old) wireless equipment such as a wireless router, the security settings are almost always set to the most insecure options. That’s crazy, but manufacturers think that turning on security by default makes it too hard for people to install these things. Maybe, but most people are lazy and don’t turn on the security features, putting them at risk of being hacked or involved in serious crime.

Password Recovery Questions

A lot of web sites these days have a question & answer system as a backup to your password. The idea is that if you forget your password you’ll be prompted to answer a private question. Assuming you’re the only one who knows the answer to this private question it’ll give you a password to log into the website.

It’s really a second password in case you forget the main password. And it’s not very secure. Let’s look at why.

Your web site password could be anything. If you use a common word then there’s approximately a 1 in 100,000 chance of someone guessing it (this is actually pretty poor). If you make up a password that couldn’t possibly exist in the dictionary, e.g. by adding a random number at the end, misspelling words, etc., then the chances of guessing the password are much lower, one in millions or billions. This is good.

Now if you have to provide your pet’s name, school, or mother’s name as a password, the choices are very limited. There aren’t billions of popular pet names; there’s only a handful.

For someone to guess the answer to this question is much easier than guessing a real password. And if someone was to do a little research on you it could be possible to find this out. 

My suggestion is that you don’t use these password recovery options. When signing up to a service and you’re prompted to enter some personal details, enter random characters instead. Go crazy bashing keys on the keyboard, use something like iojxcnmvaioasflseqq. The idea is that no one could possibly guess the answer, including yourself. Then write down your real password and keep it safe.

I’d also like to add a bit about someone that recently had her private question (backup password) guessed by a random stranger.

Her name is Sarah Palin. Someone wanted to read Sarah’s Yahoo email and instead of trying to guess a password they just tried guessing a private question, and got in. This was recently publicised. It isn’t really hacking; someone just did some research and guessed correctly.

The results were disastrous – Sarah Palin is a US governor hoping to be a vice president, and there were sensitive documents in her emails that were then leaked to the internet. 

There’s a lesson here for everyone, including web site developers. Don’t use these private password questions; they’re the weakest link into web services.

iPhone Password Flaw

The current version of the iPhone has a little security flaw. The password feature that’s built into the device can be easily bypassed by following a few steps. Apple has confirmed the problem and promised to fix it in September.

This affects iPhones running software version 2.0.2 (the ones available today).

Here’s how it works:

  1. Password protect the phone and lock it
  2. Slide to unlock it
  3. Tap the emergency call button
  4. Double tap the home button

Done: anyone can now access the favourites list in the phone, the full address book, and dial any number including voicemail. It also lets anyone see private information stored against a contact, gives full access to the email client, and they can gain access to the Safari web browser (if there’s a web address stored against a contact).

For iPhone owners there’s a way to prevent this from happening, protecting the phone from being used if it’s lost while locked:

  1. Go to the Home page on the iPhone
  2. Go to Settings
  3. Click on General
  4. Click on the Home button
  5. Click on either Home or iPod

ZoneAlarm ForceField Free – 1 Day Only – Expired

ZoneAlarm has been making security products for a number of years and they have a good reputation. I don’t have the resources to review or evaluate security products so I tend not to make specific recommendations (but I do recommend that you should invest in a good antivirus package).

For one day only ZoneAlarm has made their ForceField product free to use for one year. It blocks phishing sites (this is a good thing), blocks keyloggers, and has a host of other interesting security features.

If you don’t already have a security package that does everything (and why not?) then try this one out. As I said, ZoneAlarm has a good reputation for this kind of thing and “free” is a good price. Note that they ask for your name and email address.

Link: http://download.zonealarm.com/bin/free/sum/index.html (click on the red button).

More info about ForceField here.

Update: This offer has expired. Good computer security is very important (read some of the pages on this site to find out why) and it’s definitely worth paying for good software that keeps you safe. You should be using a package that constantly scans your PC for malware (viruses, trojans, etc), scans all web pages and updates itself daily. It’s a very good investment.

Fake Anti-Spyware Tools

Trend Micro make some good anti-virus and anti-spyware tools. One of their tools is called iClean. Unfortunately someone has created a fake copy of one of their websites that will install malicious code on your computer (in this case they’ve copied the Taiwan version of their site).

So which is the real one and which are the fake ones?

Real Trend Micro Site:

  • Anything that ends with .trendmicro.com, e.g.

Fake (malicious) sites:

  • hxxp://www.update-windows-microsoft.com/

These tips will help you avoid this problem, and similar threats:

  • Companies don’t usually send free applications directly by email. You would normally go to their web site to download it.
  • Have a good anti-virus / anti-spyware installed, one that is updated daily so it can protect you from new threats.
  • Pay close attention to a web page’s address.

Virus Email combines Facebook, Terrorists, and FBI

Virus writers have been sending emails with a story that uses the following words, hoping to get people interested enough to click on the links:

  • Facebook
  • Terrorists
  • FBI

The exact story they came up with doesn’t really matter. If you click on the link it tries to download a file called fbi_facebook.exe. This is the part that installs the virus on your PC.

Always be wary of sensational stories arriving by email (they’re almost always malicious). And be extremely wary of any links that try to download something that ends with .exe.
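Two of the tips above, “pay close attention to a web page’s address” from the fake Trend Micro post and “be wary of links that download something ending in .exe” from this one, can be turned into checks that a mail filter or a careful reader could apply. The following added example (my own code, not Trend Micro’s or anything from these posts) extracts the host a browser would really connect to and tests whether it sits under .trendmicro.com, then separately checks whether the link’s path names an .exe file. The trusted domain, the hxxp://www.update-windows-microsoft.com/ address and the fbi_facebook.exe file name come from the posts; every host under .example is constructed for illustration and shows the lookalike tricks a simple “does it contain trendmicro.com” check would miss.

```python
"""Two checks for links arriving by email.

Added example, not Trend Micro's code.
1. Is the link's host really under a trusted domain (.trendmicro.com, from
   the post above), or only a lookalike?
2. Does the link point at a Windows executable (.exe), like fbi_facebook.exe?
Hostnames under .example are constructed for illustration.
"""
from urllib.parse import urlsplit
import posixpath

TRUSTED_DOMAINS = ("trendmicro.com",)
EXECUTABLE_EXTENSIONS = {".exe"}        # extend with other executable types as needed


def refang(url: str) -> str:
    """Turn a defanged indicator such as hxxp://... back into a parseable URL."""
    cleaned = url.strip()
    if cleaned.lower().startswith("hxxp"):
        cleaned = "http" + cleaned[4:]
    return cleaned


def hostname_of(url: str) -> str:
    """The host the browser would actually connect to, lower-cased.

    urlsplit().hostname ignores anything before '@' and any port, so
    "http://trendmicro.com@attacker.example/" yields "attacker.example".
    """
    parts = urlsplit(refang(url))
    return (parts.hostname or "").rstrip(".")


def is_under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a proper subdomain of it.

    A plain endswith("trendmicro.com") would accept "faketrendmicro.com";
    requiring the dot boundary avoids that.
    """
    return host == domain or host.endswith("." + domain)


def is_trusted_host(url: str) -> bool:
    host = hostname_of(url)
    return any(is_under_domain(host, d) for d in TRUSTED_DOMAINS)


def links_to_executable(url: str) -> bool:
    """True when the path's last segment has an executable extension.

    Only the path is inspected, so query strings and case don't matter.
    """
    path = urlsplit(refang(url)).path
    return posixpath.splitext(path)[1].lower() in EXECUTABLE_EXTENSIONS


def classify_link(url: str) -> dict:
    """Summarise both checks for one link."""
    return {"host": hostname_of(url),
            "trusted": is_trusted_host(url),
            "executable": links_to_executable(url)}


if __name__ == "__main__":
    SAMPLES = [   # constructed, except the two addresses taken from the posts above
        "http://www.trendmicro.com/",
        "hxxp://www.update-windows-microsoft.com/",
        "http://www.trendmicro.com.attacker.example/",   # trusted name as a prefix
        "http://trendmicro.com@attacker.example/",       # trusted name in the userinfo part
        "http://attacker.example/www.trendmicro.com/",   # trusted name in the path
        "http://attacker.example/story/fbi_facebook.exe",
    ]
    for url in SAMPLES:
        print(f"{url:50} {classify_link(url)}")
```

The host check deliberately works on the parsed hostname rather than on the raw string, because the raw string is exactly what the lookalike addresses are designed to fool; the .exe check is a coarse but cheap signal that fits the advice in this post.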