What is Phishing?

Simply put, phishing is a form of fraud where someone tries trick you into disclosing secret information (such as your credit card number) by posing as someone you trust (such as your credit card company). In fact, phishing is a form of wire fraud, plain and simple. In my opinion it is unfortunate that the word “phishing” even exists. It’s a gratuitous neologism that, because of its cutesy spelling, potentially reads as something more innocuous than it actually is.

In fact, phishing is the most common form of identity “theft.” It’s rampant on the Internet. And you are a target.

How to Protect Yourself

You should also know better than to open a link in an e-mail message.

The whole point of phishing is that it’s trying to trick you. Contrary to what some know-it-alls might say, it is not easy to defend yourself against.

1. Don’t click on a link in an e-mail message, even if the message looks legitimate. Unfortunately this is the hardest rule to follow. Even the best of us forget. It’s easy to laugh off the silly Nigerian money-laundering scam but much harder to remember the rule when the message looks like it comes from your telephone company or a relative. And, like the hapless adventurer who picked up the Duck of Doom, our first mistake may have severe repercussions. Phishing e-mails take you to Web sites that may look legitimate, but actually capture your login and/or financial information for purposes of identity theft.
2. Use software to help you follow rule #1. As I mentioned in my previous post, you really need anti-virus software anyway. You can probably get it free of charge from your Internet service provider so there’s no excuse. Most “anti-virus” software these days is a multi-faceted suite of defenses that also includes some protection against phishing.
3. Do not trust your own judgment to identify fraudulent messages. Sooner or later, you’ll be tired or distracted and you’ll slip up. I used to take pride in my ability to spot a scam, and I almost got burned today. Only my anti-virus software saved me. If you believe you have superhuman powers and will never be fooled, please carefully read the fairly brief academic paper, Why Phishing Works.

My Lesson in Humility

Today is the day when, after years of vigilance, I finally forgot Rule #1 (don’t click on links in an e-mail message). I would have got burned if not for my anti-virus software.

I received a reasonably official-looking message that claimed to be from my Internet service provider, Comcast:

This message looks somewhat credible, but it's a fake. There are some warning signs but I missed them this time.

On a good day, I think I could have spotted this as a scam. There were a few warning signs:

Like many fraudulent messages, this one contained some spelling errors. Today, the crooks got lucky: I looked right past the errors and did what one should never do. God help me, I clicked the link.

Fortunately for me, my judgment was not the only thing standing between me and the outlaw gang that organized this sting. My anti-virus software kicked in and raised a great big red flag, just like it should:

My anti-virus software was more alert than I was, today.

The Take-Away Message

What I take away from this is that the scholars who wrote Why Phishing Works were right:

We also found that some visual deception attacks can fool even the most sophisticated users.

As in all matters of computer security, the odds are stacked in favor of the attacker. They can send a thousand fake e-mails that you easily spot, and then the thousand-and-first comes along and manages to trick you. You need anti-virus software to be there to catch you when your judgment finally does fail.

Since no software is perfect, it would be an epic mistake to rely entirely on your anti-virus program to protect you 100% of the time. Therefore, keep doing what the experts tell you to do: stay alert, and don’t click on e-mail links.

One of the remaining annoyances though is that even though I’ve been pretty careful about what I install on my PC, a certain amount of crapware has crept onto the machine. Crapware is stuff you, the computer user (or “owner” as I like to call myself) never asked for, don’t care about, and don’t want to use, but none the less is installed “for” you when you install something you did want, like a driver for a new piece of hardware. I am not talking about malware here; crapware is harmless but it’s annoying because it slows down the machine. I also have concerns that it’s spying on me a bit, sending “market research” data back to the mother ship. Besides, since I think of myself as the owner of my computer, anything I didn’t explicitly decide I want on my machine has no right to be there.

The particular piece of crapware that is on my nerves today is the help program that came with my Logitech webcam. I am not really opposed to having the webcam help program installed on my machine. What bothers me is that Logitech has decided that the help program needs to start every time I log into my computer. This post documents my quest to make it stop.

Auto-Run Programs

In Windows 7, programs can be configured to start automatically when the computer starts or when a user logs in. Loosely speaking, programs that start automatically when the computer boots are called services and those that starts when a user logs in are called, in the degraded patois that passes for technical English these days, autoruns. “Autorun” is, apparently, considered a noun. I hate that. How do we get from the verb “run” and the adverb “auto(matically)” to a noun? By means of a failing public education system, that’s how! The end result sounds like a particularly virulent form of gastro-intestinal distress: “I’ve got the autoruns.”

I will use the word “auto-run” as an adjective because I just can’t stomach using it as a noun.

Vendors have a penchant for installing their crapware as auto-run programs, either because they fervently believe that their crapware is central to the user’s computing experience and life without it would hardly be worth living, or, more likely, they want their brand name in the user’s face as often as possible for as long as possible. It’s a bit like the “free” advertising-supported PC of the late 1990′s, only without the free equipment.

Auto-run programs used to be called “startup programs” (in days when gramatical standards were a bit higher) and they were controlled via the Start Menu. This seems no longer to be the case.

Good and Bad Auto-run Program

I would first point out that there are some programs that I definitely want to run every time I log in. Norton Internet Security falls into that category. I can see people might want to always start an e-mail program or even Skype or a chat program.

However, every program that starts automatically takes some time to start. If you have too many of them it makes the log-in process slow. If you have way too many, it hogs memory and CPU power, slowing down your ability to run other programs. What I find disturbing is that increasingly, software vendors foist their crapware on us as auto-run programs for whatever reasons — and I doubt that out benefit figures prominently among those reasons.

My point is that you, the owner, should solely make the decision of what programs do and do not run automatically.

Getting Started on Controlling Auto-Run Programs

To start my quest, I typed “disable startup program” into Windows Help. Did I mention that Windows 7 Help is pretty cool? It allows you to type strings and then returns results whose relevance ranges from approximate to comically off-target. It’s like a search engine, but for help. The reason I used “startup program” as a search term is that is what auto-run programs used to be called in past version of windows.

Interestingly, Windows 7′s reply to my query was:

You can improve your computer’s performance by preventing unnecessary programs from running automatically when Windows starts. For information about tools that you can use to do this, go to the Microsoft website.

That page is actually pretty interesting: it wants me to download and install a special program that promises to help me get rid of unwanted autoruns. This sounds a lot like fighting crapware with crapware. I was skeptical, but decided play along. And it turns out the name of this “good” crapware is Autoruns. That’s right: I am going to be giving myself the autoruns!

What Autoruns Reveals

So I downloaded and unzipped the autoruns program. Just to make things confusing, “autoruns” is itself not and auto-run program: it’s a regular program you run in the usual way (by clicking), that tells you about auto-run programs.

If you are following along, you can unzip that file to any destination you want; I just stuck it in my Downloads folder for the time being. Then open the destination folder, right-click on autoruns.exe, and choose “Run as administrator.” You can run it as a regular user, but to actually remove auto-run programs (I still can’t bring myself to say it like they want me to) you’ll need administrator privileges so you might as well start out that way.

This is the list of auto-run programs that Autoruns revealed. I feel dirty.

Here’s a screenshot of what autoruns showed running on my machine. There are a lot of auto-run programs! If you try this on your machine and you see a lot of stuff you can’t identify, don’t worry: I don’t understand it either. Windows, in any version, is a big, complicated beast, and even professional Windows technicians don’t understand all of it.

Safely Removing Auto-Run Programs

Autoruns makes is pretty easy to remove auto-run programs in a way that you’ll be able to undo later. There is a check box next to each entry. Just uncheck that, without removing the entry. Danger: it does not look like autoruns has the ability to add auto-run programs, only remove them, so if you actually delete an item from the list you will not be easily able to get it back! You’d have to guess whatever software package included the deleted program(s) and re-install that.

Chances are, if you are going through this exercise you already you have in mind one or two auto-run programs of which you’d like to rid yourself. Another good cue is to look at the “Publisher” column in the autoruns display: generally things published by hardware vendors (such as the maker of your sound card or webcam) are good candidates for disablement. It is unlikely you will accidentally disable the driver because drivers aren’t auto-run programs: they need to start when the computer boots, not when a user logs in. The worst that could happen is you might accidentally turn off some automatic feature that you really do want, like the ability to play a music CD automatically when it is inserted. I am inclined to believe that most of that type of functionality is handled by Windows itself, and most auto-run programs provided by the vendor are superfluous and perhaps redundant.

Disabling a program in autoruns doesn’t stop it from running, it only stops it from starting the next time you log in. To actually stop an auto-run program that is currently running, you have two options:

1. Hit Ctrl-Alt-Delete and remove the program from the Task Manager. This may seem a bit daunting at first but you can’t mess anything up permanently; the worst that will happen is that your computer will be out of whack until you restart it.
2. Wait till you’re done editing in autoruns, log out, and log back in (or just restart your computer)

Check that everything is working normally and if it’s not, re-run autoruns and re-enable some of those programs you unchecked.

A couple of years ago I bought an Inspiron 1210 laptop (also known as “Inspiron mini 12″) from Dell. It’s a nice, lightweight laptop with a 12-inch screen. Interestingly, it has an Intel Atom processor, which is a 32-bit dual-core chip. It’s probably the last 32-bit general-purpose computer I will ever buy; all processors are 64-bit these days except for embedded processors on phones, toasters, set-top boxes, and the like.

At the time I bought it, Dell was shipping that model with Ubuntu Linux installed. I was looking for an inexpensive laptop for use at the gaming table, mostly to keep my notes and to run RPTools. My little Dell seemed to fit the bill perfectly. Initially, I was very happy with it.

Fast forward to late 2010, when I was assigned to give a presentation to my cloud computing class (I was a student, not the instructor). Like any good free software enthusiast, I made my presentation using OpenOffice (now LibreOffice) on my desktop PC at home. When I loaded the presentation onto my Dell mini, it wouldn’t open because it was created with a newer version of OpenOffice than I had used to create the presentation. “No problem!” I thought. “I’ll just update my version of OpenOffice.” That’s where the trouble began.

Linux Version on the Dell Mini

The Dell Inspiron mini shipped with a Linux variant called the “Dell remix” based on Ubuntu 8.04. (This is not to be confused with the current Linux remix Dell is using for netbooks and handhelds, called Moblin.) The main problem with the Dell remix is that it had a specially-modified version of the normal Update Manager that could only talk to Dell’s servers. That is excusable in a way, since the Inspiron needs an oodle of proprietary device drivers and the users needed some way to get those. What’s inexcusable is that Dell quietly withdrew support for the Dell (Ubuntu) remix some time in 2010; I can’t be sure because they never announced they were dropping support, and most of the documentation seems to have gone down the memory hole.

What this means is that I had a Linux computer that could only get updates from Dell’s servers, and Dell’s servers were permanently offline. So, no new versions of applications like OpenOffice for me. No security updates, either. Thanks a lot, Dell.

Needless to say, this treatment from Dell has irrevocably altered my perception of the company and its service. “Don’t buy from Dell” is my new mantra. And I didn’t; the new desktop I bought last year was from PCs for Everyone. It works great, and best of all, PCs for Everyone has never screwed me over. Thanks again, Dell.

Installing Linux 10.10

Since Dell left me with no upgrade path, the only thing for it was to wipe the hard drive and install a real version of Linux. This is not as easy as it sounds because the Inspiron mini 12 doesn’t have a built-in DVD or CD drive.

There are a couple of ways to get past this. For me it was easy; I had bought an external DVD drive that connects via a USB cable. When connected, that drive is bootable, so I could just pop in a DVD and boot and install from that. If you don’t have a DVD drive, you might want to look into trying to boot from a USB thumb drive. Since I haven’t tried that myself, I won’t try to explain how to do that.

Be sure the Linux version you install is for 32-bit machines. All the Inspiron minis were 32-bit when I bought mine, though this may have changed by now. Dell is still making machines with the “mini” label.

Drivers

Installation went smoothly enough but right away I noticed the machine was locking up within a few minutes of starting. This is due to the fact that Dell builds their laptops using a lot of proprietary hardware, for which free (as in freedom) drivers are not available, at least not from the main Ubuntu download site.

Graphics Driver

The problem was the GPU, which is an Intel GMA 500. It took quite a bit of digging to find a solution to this: finally I tracked down this excellent forum post that explains everything. Essentially you need to install some firmware packages and manually edit your /etc/X11/xorg.conf file. See the post for details; I don’t want to reiterate it here for fear of losing some important detail in the transcription.

Once I followed those instructions, my lock-up problem went away.

Wireless Driver

Which brings me to the wireless driver. I’ve heard it said that Dell is quite inconsistent with what wireless hardware it ships with each computer, and even two computers with the same model number might have very different wireless chip sets. I can kind of understand that; Dell’s supply chain is large and complex and the component vendors’ upgrade cycle is not necessarily synchronized to theirs. I understand it; I don’t have to like it.

What this means is the fix for me may not necessarily work for you.

The model number of the wireless card is listed on a label on the underside of the laptop, like this:

The wireless networking card's specifications are on the lower-left label on the underside of the Dell mini laptop.

The model number should be at the very top of this label. For me, it’s “Broadcom BCM94312MCG”. Wire that down, because you’re going to need it.

Next, see whether Ubuntu has a proprietary driver for your wireless card. This is a bit of a catch-22 because you need an Internet connection to download the driver, and you need the driver to connect to a wireless access point. So, you’ll have to connect to the Internet the old-fashioned way, with a Ethernet cable (more properly known as a Category 5 or CAT-5 cable, though technically CAT-6 should work too).

Once you’re online, go the main menu on the desktop and select System -> Administration -> Additional Drivers. This will take a moment to scan your hardware and search online for a driver that fits. You should see one or two drivers available. Choose the one that best fits your driver’s model number, select it, and click “Activate.”

If you don’t see an exact match, you can perhaps make an educated guess based on the model number. For me, there was no exact match for my model number, but the description of the “Broadcom STA wireless driver” listed a bunch of model numbers so I figured it might be close enough. Seems to work fine.

Danger! Look before you download!

CAUTION: if you just Google for keywords like “Linux driver {your model number}” you are very likely to come upon a malware site! There are shady characters who set up fake “freeware” sites to trick people into installing Bad Things on their computers. I found a bunch of ‘em, the first time I ran a quick search looking for an exact driver. I recommend you first use trial and error to see if a driver from the Ubuntu “Additional Drivers” installer will work, and if that fails, try asking in a reputable discussion forum such as Ubuntu Forums.

2010 was kind of a scary year from the point of view of computer security. One big event was the onslaught of the Stuxnet worm, the first computer attack widely believed to have been created by a nation-state for purposes of espionage. Closer to home for most users, 2010 saw a continuing parade of privacy scandals on Facebook. It may seem that last year, the state of security on the Internet was going from bad to worse.

In fact, the more I learn about computer security, the more optimistic I become that we, computer users, can do a lot to make our systems more secure. I have in mind a multi-part series of articles to explain in plain language how to go about doing that. There are some things about computer security that are out of our hands, but there are many other things we can control. The threat from black hats has never been greater, but as that threat becomes more recognized, the opportunities for users’ education and self-protection become greater.

Security for the Everyday User

Most Americans in this second decade of the 21st century use computers on a daily or at least weekly basis. Yet very few have a good grasp of the basics of computer security. I would go so far as to say that most people don’t want to know about computer security. They just want to use computers and not have to know about security or worry about security at all.

Unfortunately, the time when that attitude was reasonable has passed. The Internet has simply become too lucrative a target for criminals. The only way to safely ignore the threat is to get off the grid.

However, I don’t believe every user has to become an expert or spend a huge amount of time and effort worrying about security. In the physical world (what I like to call “meat space”), we all learn basic safety and crime-prevention habits. It starts in kindergarten when we learn to look both ways before crossing the street, and progresses into adulthood with learning to lock your car doors and avoid certain parts of town at night. Security in cyberspace (at least for ordinary users) does not have to be a lot different. The techniques I will describe are the equivalent of those basic habits. Like safety habits in meat space, they won’t guarantee that you won’t become a victim. What they’ll do is manage the risks. The future I am working toward is one where everyday computer users are equipped with the habits and tools they need to reduce their risk exposure, without much more effort and inconvenience than we exercise to manage risks in meat space.

#1 Tip: Use Anti-Virus Software

The most important thing you can do to protect yourself is to install “anti-virus” software on your computer. These days, “anti-virus” is a bit of a misnomer because viruses are not the only threat. Modern anti-virus products help protect your computer against all kinds of attacks: worms, malware, phishing, and, yes, viruses. The distinctions among these different kinds of threats are in some sense academic. The key is that you need some kind of software to provide a basic defense against the various threats, and you need to keep that software up to date.

I’ll be the first person to admit that anti-virus software isn’t perfect. The most common criticism is that it only protects you against threats that have already been detected and cataloged. That’s perfectly true, and if you are running a bank or even a commercial Web site, anti-virus software alone is not good enough. However, just because anti-virus software is imperfect is no reason not to use it. A deadbolt on the door to your house isn’t perfect, either: an intruder could always break a window instead. It remains a basic tool that is a sensible part of any risk management strategy.

Once a computer attack is written, it tends to remain active and to replicate itself over the Internet. Protecting your computer against yesterday’s attacks makes perfect sense when yesterday’s attacks are still attacking you today.

You Really Do Need Anti-Virus Software

Don’t make the mistake of thinking you are too insignificant to be a target. Computer attacks are automated; they scan the Internet for any computer that might be vulnerable. They’ll go after you regardless of whether you have valuable information. Indeed, very often your computer is not the ultimate target of the attack: the attacker only wants to take over your machine to use it to assail some higher-value target. That way, when the FBI traces that cracking attempt on Bank of America, they find it came from your computer, not the actual criminal’s.

You might think that you’re immune to “viruses” if you use a Mac. While it’s true that the majority of computer attacks are written to go after Windows, there are plenty of attacks against Mac OS as well. As recently as a couple of years ago, Apple was running TV ads claiming that Macs were less likely to fall victim to “viruses” than PCs. That was questionable to the point of being disingenuous then, and it is even less true now.

Linux users, I’m also looking at you. Most Linux users aren’t even aware that anti-virus software for their platform exists. Ponder this: with Linux becoming so prevalent as an operating system for Web servers and corporate infrastructure, does it still seem unlikely that criminals will unleash automated, self-replicating attacks against it?

Obtaining Anti-Virus Software

There are many anti-virus products on the market. In my opinion, it matters a lot more that you install something than that you pick one particular product over another.

I definitely don’t get paid to make endorsements. I have been using Norton Internet Security for the past two years and have been fairly happy with it. Before that I tried McAfee and I hated it: at the time at least, McAfee’s update mechanism required users to turn off important security features in Internet Explorer. (Specifically, it required setting IE security policy to “medium,” which enables ActiveX, a huge and unacceptable security hole).

If you are really cheap, there are several ways you can get some level of protection for free:

1. Your Internet Service Provider may offer anti-virus software to all its users. This is in their best interest because unprotected machines can be taken over by bad guys and used to launch attacks, which messed up their network. Check your ISP’s Help page or call their tech support line.
2. Here’s a list of several anti-virus programs you can download and use for free
]]> http://www.andrewgronosky.us/2011/01/2011-the-year-of-fighting-back-against-black-hats-part-1/feed/ 0 http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/ http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/#comments Sat, 24 Apr 2010 11:27:55 +0000 AndrewG http://www.andrewgronosky.us/?p=73 Many people, including (I am embarrassed to say) myself, have given people advice to periodically change their computer passwords. The more I learn about computer security and human factors, the more I come to realize this is fundamentally bad advice.

A Boston Globe article from a couple of weeks ago explains this far better than I could.

My new recommendation: don’t use passwords at all. Use pass phrases: entire phrases or sentences all mashed together into one word, or better yet, strung together with unexpected*punctuation^marks. Memorize them to the extent you can, and use a “password vault” program for those you can’t. Don’t change them unless you have to.

]]> http://www.andrewgronosky.us/2010/04/it-is-never-a-good-time-to-change-your-password/feed/ 0 http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/ http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/#comments Tue, 13 Apr 2010 00:04:51 +0000 AndrewG http://www.andrewgronosky.us/?p=69 A researcher named Adam Harvey published some of his findings about how face paint can confuse face-recognition software. He has pictures on his Web site.

This makes me think of science-fiction games, especially cyberpunk games. I kind of like the idea of characters painting their faces with camouflage patterns before they run the shadows. And, it’s based on Real Science! (And on the premise that face recognition software in that ultra-high-tech, futuristic world is not a whole lot better than what we have in the real world today. I think that’s called “dramatic license.”)

I guess what I’m trying to say is that cyber-elf chicks with Mohawks and facepaint are cool. That’s all.

]]> http://www.andrewgronosky.us/2010/04/face-painting-for-confusing-face-recognition-software/feed/ 0 http://www.andrewgronosky.us/2009/11/why-wireless-encryption-matters/ http://www.andrewgronosky.us/2009/11/why-wireless-encryption-matters/#comments Thu, 19 Nov 2009 12:12:54 +0000 AndrewG http://www.andrewgronosky.us/?p=195 If you were to set up a wireless network in your home, you would need to buy a wireless router. If you were to do that today, chances are the router would come pre-configured with some kind of password probably a nonsensical string of gobbledigook.

There’s a good reason for this. A few years ago (for example, when I bought my wireless router in 2004), wireless routers didn’t come with preconfigured passwords. Out of the box, a wireless router used to have no security at all. It would create what is called an “open access point,” meaning anyone strolling by with a laptop could just connect to your wireless network. Depending on where you live, having someone stroll by with a laptop could as rare as having an ivory billed woodpecker fly past your house, or as common as seeing someone talking on a cell phone. I live in Cambridge, Massachusetts, so I happen to fall into the latter category.

The reason routers need to come with the passwords enabled by default is that approximately 99% of users never used to bother to turn them on. Things are better today, and here’s why.

Ethernet is Ridiculously Easy to Eavesdrop on

I am taking a night class in computer networking because I really need to learn more about this stuff myself. What I found out is:

1. Wi-Fi is variation on the Ethernet networking protocol
2. the way Ethernet works has appalling implications for security

You might think when your computer sends data over Wi-Fi, it sends data straight to the access point. That would be incorrect. In fact the Wi-Fi card in your computer broadcasts data over a radio signal that can be picked up from anywhere nearby. But that’s not all! There’s more! If you actually read the above link about how Ethernet works, then you’d realize that all the data you send over Ethernet (or Wi-Fi) goes to all the other computers on the network. Each computer gets every piece (called a frame) of data and checks to see who is supposed to get it. If the data is intended for another computer, then the recipient throws it away.

In other words, a computer on an Ethernet or Wi-Fi network has to go out of its way not to eavesdrop on other members of the network. It is a pretty simple matter for an attacker to tell his/her computer not to go to the trouble, and just pick up everything.

Now, really sensitive data you send over the Internet is probably done using HTTPS, which is encrypted. Your bank account password and credit card numbers are probably safe. But there is still plenty of private stuff that could easily be picked up by the teenager next door. All your e-mail, for starters (incoming and outgoing). If you wouldn’t want the text of all your e-mail, and the contents of every Web site you visit, printed in the local newspaper, then Wi-Fi encryption is for you.

What To Do

If you bought your wireless router after 2006 or so, relax. It probably came with encryption pre-configured (encryption is what the WEP or WAP password is for).

If your router is a few years old, you probably remember setting up the encryption for it. Or not. In that case you would be well-advised to find or download the user’s manual for your router and find out how to enable encryption. I would love to tell you exactly how to do that, but the fact is it depends a little on what brand of router you have and what version of Windows/MacOS/whatever you are using, and if I were to research all that I would expect to get paid for it and you wouldn’t get the information for free anyway.

But I’ll give you a hint: you can try the time-tested troubleshooting method professionals use. Start by going to http://192.168.1.1 (If you get prompted for a username and password, try guessing. If you guessed right, then that’s another problem right there– change the admin password for your router. And write it down, and keep it under your mattress or something).

The Next Level

If all you do is turn on basic encryption, then I’ve accomplished my goal of informing the public and I can pat myself on the back. However, I cannot yet bring myself to shut up about this subject, so by all means, read on.

WPA instead of WEP

Many wireless routers use WEP for encryption. That’s an acronym for “Wired Equivalent Privacy,” meaning it’s as hard to eavesdrop on as if the data were flowing through a wire instead of broadcast through the air. As if. WEP was OK for a couple of years but now there are well-known programs that can defeat it. It’s still a lot better than nothing, but I think a more appropriate expansion for the acronym today is “Weak Encryption Problem.”

WPA is better, so use it if you have a choice. But even WPA can be broken.

There is a basic principle at work here: no encryption is perfect and can last forever. Sooner or later, someone will figure out how to break it. This is not to say encryption isn’t worthwhile: it will keep out an inexperienced or opportunistic intruder, but not a real professional. Using encryption is analagous to locking the front door of your house. You definitely want to do it, in spite of the fact that a really determined intruder can just break a window, or chop through the door with a fire axe for that matter.

Not Being Seen

There is another basic principle that covers a lot of flaws in your encryption, though: not being seen.

What you can do — and I think this is pretty slick — is configure your router to not broadcast your network’s name. In fact, it won’t announce its presence at all.

If you live in a condo or apartment building, or take your laptop to a public place like a railway station or hotel, you’ll probably notice in your wireless network configuration that there are a lot of other wireless networks around. Probably a lot of them have names like “linksys” or “default.” Others have names like “Steve’s Network” or “Jones.” All of these network names are set up by the router’s configuration. The wireless router broadcasts this name, which is technically called an SSID. This makes it easy for people to find and connect to the network.

That’s great for a coffee shop or other public network, but not so great for your home. Quick question: do you want people outside your home to easily find and log on to your home network? I didn’t think so.

Rule #1: For heaven’s sake, don’t put your own name or other identifying information in your SSID. That gets broadcast to the world. If anyone happened to be looking to break into your network in particular, you’d be practically giving them directions. My network SSID is something like “g45J87nwQ”. I can tell it’s mine, but damn if anybody else can.

Rule #2: You don’t need to broadcast your SSID at all. A network that doesn’t broadcast its SSID can still be connected to — by people who already know the SSID. So you can do what I do: write down the SSID, stick it under a mattress or somewhere, and then don’t broadcast. Yes, it’s a bit less convenient to connect to the network (you have to find the paper and type in the SSID). But that’s the whole point.

]]> http://www.andrewgronosky.us/2009/11/why-wireless-encryption-matters/feed/ 0 http://www.andrewgronosky.us/2008/08/thoughts-on-the-boston-subway-hack-2/ http://www.andrewgronosky.us/2008/08/thoughts-on-the-boston-subway-hack-2/#comments Tue, 26 Aug 2008 13:52:15 +0000 AndrewG http://www.andrewgronosky.us/?p=79 This happened while I was on vacation, so by now it is rather old news. That won’t stop me from sounding off about it, though.

A couple of weeks ago, now, there was a national news story about a group of MIT students who “hacked the subway system” in Boston. Basically they took a hard look at the electronic “smart” cards (where the word “smart” is defined very loosely) that the Boston transit system uses in lieu of old-fashioned subway tokens. Smart students that they are, they found several ways to tamper with the cards so that one could get through the turnstiles without paying a fare. They wrote a report on their work and wanted to present that report at a computer-security conference. They never got a chance to do that, because the Massachusetts Bay Transit Authority (MBTA) sued for an injunction to stop them publicizing their results.

Let’s be clear about what these students did. They figured out how to tamper with the “smart” cards to get through the subway turnstiles for free. The MBTA alleged, in their leagal filings, that this “constitutes a threat to public health or safety.”

Nonsense. The only security threat it constitutes is to the MBTA’s revenue stream. Not only are the MBTA’s attorneys lying through their teeth: they’re crying wolf.

The MBTA’s approach to this situation is wrong in so many ways. First and foremost, I don’t see how these electronic cards are any improvement over the token system that existed until about two years ago. Tokens have the advantage that they can’t be hacked, and also the significant advantage that the token system was already installed and paid for. Second, if the MBTA wanted for some unknown reason to spend millions to “upgrade” to an electronic card-reading system, they could have done it competently. Perhaps even hired consultants (or even a team of MIT students) to look for security holes before they paid all that money to install it. Third, they could have tried politely asking the students to postpone their talk before slapping them with a lawsuit and threatening them with an FBI criminal probe. Fourth, they could have tried to actually fix their mistakes instead of attacking the students who exposed their incompetence. Instead, they chose act belligerently (trampling the First Amendment in the process) and got the opposite of their desired result: instead of being a presented at a routine computer conference, the vulnerabilities of the card-reading system are all over the national headlines. Nice move.

The underlying problem here is that the MBTA didn’t think carefully about the system before they installed it. No doubt they were sold a rosy story by the computer manufacturer; but I still blame the MBTA. They didn’t scrutinize that story. They simply believed, as many companies and government agencies believe, that new computer systems would be some kind of magical cure-all. I work with complex computer systems all day (well, every work day at least) and take it from me: there ain’t no such thing as a free lunch. Installing a computerized system doesn’t make problems magically disappear: indeed, if done badly, it creates whole new families of problems.

We face a similar problem with electronic voting machines. Governments clamored and rushed to get new machines after the debacle of the 2000 Florida election, and crooked manufacturers rushed out shoddy machines to meet the sudden demand. No one (at least, no one who was considered worth listening to) stopped to ask why a new voting machine had to be an electronic machine, or whether there may have been a lower-cost way to solve the original problems of butterfly ballots and hanging chad. Computer experts warned that electronic voting machines could be vulnerable to error and fraud, but did the state election commissions listen to the experts? Or did they prefer to just enjoy a lot of fancy expense-account dinners and then sign on the dotted line?

Our society uses computers for practically everything. Therefore, computer security affects practically everything. I don’t expect our government officials to understand computer security in any detail, but I do think it’s reasonable to demand they acknowledge the subject exists. We wouldn’t stand for the state government hiring an architect for a new bridge without having independent experts inspect the plans. We shouldn’t stand for them spending millions on new computer systems without expert advice, either. To paraphrase my favorite NRA bumper sticker, if computer security is only considered by the experts, then only the experts will have secure computers.

]]> http://www.andrewgronosky.us/2008/08/thoughts-on-the-boston-subway-hack-2/feed/ 0