Security News

Just what is WPS and why is everyone talking about it?

It all started on December 27th when a white paper was released by Stefan Viehböck on his blog .braindump. This was quickly picked up by the security community and then the global community at large. Unfortunately, many of the people who then reported on this vulnerability were not security experts or even all that knowledgeable about wireless technologies in general. Too often these news articles gave a “the sky is falling” air of impending doom. Many, including a big name technology magazine which shall remain nameless, even got the abbreviation wrong when they first posted about the problem, which didn’t help matters.

The mistake this magazine, and others, made was assuming WPS has anything to do with WPA(2), the underlying security mechanism of current wireless products. We all remember when WEP was so completely compromised that it made its use a polite gesture and little else. WPA(2) was a response to the weaknesses of WEP, and the worry was that this too had become useless. Fret not! This is absolutely not the case. The vulnerability has nothing at all to do with the encryption methods employed by WPA(2).

So, just what is WPS then? For that matter, what is WPA(2) and why do I keep adding a 2 in parentheses? Here it is, the history of wireless security in one paragraph. When wireless first started to make inroads it was obvious pretty quickly that transmitting all your personal data in clear text out into the ether, for anyone with a strong enough antenna to pick up, was going to seriously limit its adoption, so WEP was created. WEP stands for “Wired Equivalent Privacy”. The title ended up being ambitious to say the least. Research into WEP quickly revealed glaring faults that over the years have turned cracking WEP into a 5 minute or less endeavor. In response the IEEE (the standards body that defines networking protocols) started work on 802.11i, which was then integrated into the 802.11-2007 standard. The important part of 802.11i (at least for our discussion) was the creation of RSNs (Robust Secure Networks). The problem was that the IEEE is not exactly known for its speed, so we had a proposed standard that was going to take forever to get ratified and a seriously broken security protocol. This is where the Wi-Fi Alliance stepped in. You may have seen Wi-Fi plastered all over your new wireless device. It’s important to note that the primary goal of the Wi-Fi Alliance is merely to certify products. They take the products produced by various companies and make sure they work the way those companies say they do and can all talk to each other. Well, the Wi-Fi Alliance looked at the 802.11i spec and created WPA (Wi-Fi Protected Access) as a stopgap measure until the standard could be ratified. When 802.11i finally did make it to a full-fledged standard, the Wi-Fi Alliance went back and created WPA2 to take advantage of all the aspects of 802.11i.

If these are all the security methods used with wireless then what is WPS? WPS stands for “Wi-Fi Protected Setup” and you’ve probably never heard of it because almost nobody actually uses it. The idea was that setting up routers and client computers could be difficult for even the most tech savvy of end users, so what if they could make it simple enough for a 2 year old? There are 4 methods you can use with WPS: PIN, push button, NFC and USB. As it generally works, you have a button on your router/access point and a button on your wireless card. You push the button on the router to initiate the protocol and then push a button on the wireless card and everything is set up for you automagically. Now, I used the word “button” but it may not always be an actual physical button; it could be a software button you click. It’s not always practical to have a physical button, especially on laptops, cellphones and tablet devices.

The type of WPS that was found to be vulnerable is the PIN method. Basically the problem is that PINs are short and WPS lets you try as often as you want without getting locked out. You should see where this is going. It was fairly trivial to create a program (Reaver) that lets you try every possible PIN and effectively bypass the security of the network. Reaver is pretty simple to use and several tutorials and videos have already been put together to show just how easy this flaw is to take advantage of.
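To put numbers on "short PIN, no lockout", here is an added example (not code from the original post) that models how an access-point lockout policy changes the worst-case time to run through every PIN. It goes beyond the text by using the PIN structure from the Viehböck white paper the post refers to (a check digit, and two halves that are confirmed separately); the 2 seconds per attempt and the lockout values are assumptions.

```python
# Added illustration, not code from the original post.

def wps_checksum(first7: int) -> int:
    """Check digit appended to the first seven digits of a WPS PIN."""
    accum, pin = 0, first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10

# Worst-case number of guesses under three views of the same 8-digit PIN.
EIGHT_DIGITS = 10 ** 8             # what the PIN length suggests
WITH_CHECKSUM = 10 ** 7            # digit 8 is computed from digits 1-7
SPLIT_HALVES = 10 ** 4 + 10 ** 3   # each half is confirmed separately

def worst_case_seconds(guesses, secs_per_guess, max_failures=None,
                       lock_secs=0, backoff=1, max_lock_secs=None):
    """Seconds needed to try `guesses` PINs when the access point locks WPS
    for `lock_secs` after every `max_failures` failed attempts. Each new
    lock is multiplied by `backoff`, up to `max_lock_secs` if given."""
    total = guesses * secs_per_guess
    if not max_failures:
        return total                       # no lockout: attempts are the only cost
    lock = lock_secs
    for _ in range((guesses - 1) // max_failures):
        total += lock
        lock *= backoff
        if max_lock_secs is not None:
            lock = min(lock, max_lock_secs)
    return total

if __name__ == "__main__":
    # Assumed values: 2 s per attempt, lock for 60 s after 3 failures.
    policies = {
        "no lockout": {},
        "fixed 60 s lock": dict(max_failures=3, lock_secs=60),
        "doubling lock, 1 day cap": dict(max_failures=3, lock_secs=60,
                                         backoff=2, max_lock_secs=86400),
    }
    print("check digit for 1234567:", wps_checksum(1234567))
    for name, policy in policies.items():
        secs = worst_case_seconds(SPLIT_HALVES, 2, **policy)
        print(f"{name:>26}: {secs / 86400:10.2f} days")
```

A fixed lock only stretches hours into days; an escalating lock makes the search impractical, which is why access points without any lockout were the ones at risk.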

So what’s our takeaway here? The underlying security mechanisms of today’s wireless networks, namely WPA(2), are as safe as they ever were. I also implied that while WPS is trivial to take advantage of, it’s also rarely used. This is true… but it also doesn’t take one important piece of information into account. You don’t have to actually be using WPS for it to be turned on and thus exploitable. Unfortunately many consumer routers and access points ship with this “feature” enabled by default. To effectively secure your network just make sure WPS is turned off (assuming your hardware even supports it; it is optional after all). This process is usually as simple as going to the hardware’s management interface and changing a radio button from “yes” to “no” or “on” to “off” and saving the configuration. The problem here should be fairly obvious. The people using WPS were exactly the people who didn’t want to deal with the management interface to begin with. WPS was designed specifically to keep consumers out of that area and make everything as simple as possible.

So, is this security risk the end of the world? Clearly not, but it’s also not something that can just be ignored. As is often the case the reality lies somewhere in the middle.

Password Security

Another year has come to pass. With everyone making lists around this time of year it’s important not to forget a very important list that many people take for granted. If you read the post title you already know what I’m talking about: passwords. These days more and more of our lives are spent online and we rely heavily on passwords to confirm our identities. Everything from your Twitter account to your bank account requires a password, and if you’re not practicing good password security you could be in serious trouble. The three main aspects of a good password policy are as follows:

  1. Change your passwords often
  2. Never use the same password in more than one location
  3. Use complex passwords

Let’s break these down and address them individually.

1. Change your passwords often

What does this mean? It seems simple enough, but what does “often” really mean? If you look at the Microsoft Live service they have an optional checkbox that would require you to change your password every 72 days. Some IT departments require you to change your password every 2 months. Some people have been using the same password for 10 years and don’t see any need to change. You may be wondering why this is important in the first place. If you’re following rule 2 you may be wondering why you need to change your password at all. Should someone figure out your password for a particular site it won’t affect anything else, so what’s the big deal?

The reasons are two-fold. On the one hand, just because a service was compromised doesn’t mean your password was… right away. Most places store your password as a cryptographic hash so that if their database is ever compromised the attacker still won’t be able to log into your account and make changes. Hash functions are one-way by design but they are still vulnerable to a number of attacks. Most commonly these are brute force and so-called “rainbow table” attacks. The attacker can load all the hashes into a program that will try every word in the dictionary, or every word found on Wikipedia, or any number of permutations and amalgamations thereof. So the database may have been compromised in May of last year but it took until now before they were able to crack the password and gain access to your site. On the other hand, the attacker may have access to your account but not do anything to let you know it. Perhaps they gained access to your e-mail account but don’t send out any e-mails or change your settings; they just use it to send password reset forms from your bank, for example. I tend to think 2 months or even 3 is a little paranoid, but 6 is a pretty good balance. At the least I would suggest changing passwords once a year.
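How much a stolen hash database is worth to the attacker depends on how the hashes were made. The following added example (not from the original post) contrasts a fast unsalted hash, which one precomputed table defeats for every account at once, with a per-user salted and deliberately slow hash. The account names, passwords and the iteration count are constructed or assumed values.

```python
# Added illustration, not code from the original post.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def fast_unsalted(password: str) -> str:
    """Weak storage: a single fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_lookup(leaked: dict, wordlist: list) -> dict:
    """What a precomputed table does to unsalted hashes: hash each candidate
    word once, then every matching account falls out by plain lookup."""
    table = {fast_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}

def hash_password(password: str, salt: Optional[bytes] = None):
    """Stronger storage: random per-user salt plus a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed sample data: two users picked the same weak password.
    leaked = {
        "alice": fast_unsalted("sunshine"),
        "bob": fast_unsalted("sunshine"),
        "carol": fast_unsalted("Vq7#tR2m!xLp9zKd"),
    }
    print("unsalted, recovered:", precomputed_lookup(leaked, ["letmein", "sunshine"]))

    salt_a, hash_a = hash_password("sunshine")
    salt_b, hash_b = hash_password("sunshine")
    print("same password, same salted hash?", hash_a == hash_b)
    print("login check:", verify_password("sunshine", salt_a, hash_a))
```

With salts, a table built for one account is useless for the next, and the slow derivation makes each individual guess expensive, so the gap between breach and cracked password grows for anything but the weakest passwords.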

2. Never use the same password in more than one location

This may seem obvious, but it’s amazing how many people pick one password and decide to use it for everything. Or maybe they have a handful that they switch between. The reason this is so important is that security breaches happen. Just look at the news this past year. A giant company like Sony faced millions of dollars in damages when the PlayStation Network was compromised. If you were using the same password to log in and play your video games that you do to manage your bank, just think about the consequences. You may be saying that there are just too many sites now that you need to remember passwords for. I agree! There’s no way I could remember a unique password for every website and service I use. That’s why I use a password management solution, which I’ll discuss in more detail at the end of this article. Even if you don’t use a robust password management solution there are tricks you can use to set unique passwords per site and still have them memorable. Let’s say your default password is “pass”. Highly secure, I know. One way you can create a unique password for Facebook, for example, would be to use “fbook:pass” as your password. You can see I didn’t just use “facebookpass” or something like that. You don’t want to have a predictable method, so that if someone gets your Facebook password they can then figure out your Hotmail password is “hotmailpass”. Extending that concept, our Hotmail password might be “hotm-pass”.

3. Use complex passwords

This particular pillar of the password trinity has been under recent debate. Some security experts believe too much emphasis has been placed on “complex”. Complex has generally been defined as “a minimum of 8 characters including numbers and letters.” Some sources will also add a distinction between upper and lower case letters, and/or include special characters (e.g., $*@&). The real test of a password’s security is called its entropy. The debate can best be illustrated in this xkcd comic:

[Image: xkcd comic, “password strength”]

So basically using “JKL@!*FJ$” for a password would be technically less secure than “turkeymexicopassword”. Of course I use the word technically with some qualifier. The entropy may be higher, but many brute force scripts have several options when dealing with wordlists. They can mangle the words or combine words, so it could still be faster to crack. I personally like to go as crazy as possible. I stick with a minimum of 20 characters including upper and lowercase letters, numbers and special characters. Of course, there’s no way I could remember all that, which leads me into the last part of our discussion today.
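The two passwords above can be scored under both ways of guessing, per character and per dictionary word. This added example (not from the original post) does that; the 7,776-word list size and the assumption that the three words were picked at random from such a list are mine.

```python
# Added illustration, not code from the original post.
import math
import string

POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]

def charset_size(password: str) -> int:
    """Size of the alphabet a per-character brute force must cover."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def bits_per_character(password: str) -> float:
    """Entropy if every character were an independent random pick."""
    return len(password) * math.log2(charset_size(password))

def bits_per_word(n_words: int, wordlist_size: int) -> float:
    """Entropy if the password is n random words from a known wordlist."""
    return n_words * math.log2(wordlist_size)

def effective_bits(password: str, n_words: int = 0, wordlist_size: int = 0) -> float:
    """Defender's estimate: the attacker uses whichever model is cheaper."""
    scores = [bits_per_character(password)]
    if n_words and wordlist_size:
        scores.append(bits_per_word(n_words, wordlist_size))
    return min(scores)

if __name__ == "__main__":
    WORDLIST_SIZE = 7776  # assumed size of the attacker's wordlist
    symbols = "JKL@!*FJ$"
    phrase = "turkeymexicopassword"
    print(f"{symbols}: {bits_per_character(symbols):.1f} bits per character")
    print(f"{phrase}: {bits_per_character(phrase):.1f} bits per character")
    print(f"{phrase}: {effective_bits(phrase, 3, WORDLIST_SIZE):.1f} bits "
          "when guessed as 3 dictionary words")
```

Per character the three-word phrase looks far stronger than the nine-symbol password, but scored as combined dictionary words it drops below it, which is the caveat about wordlist-driven cracking made above.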


Password management solutions

There are several out there: KeePass, LastPass, PassPack and 1Password to name a few. You’ll notice I didn’t mention your browser’s built-in “remember password” feature. There are myriad security issues associated with using those “features” that I don’t have time to go into. Suffice it to say, don’t ever use them. The obvious advantage of using a password management program is being able to set secure passwords for every site without having to worry about remembering anything. All of the options mentioned store the passwords in a cryptographic vault that is unlocked with a master password, so you still have to remember at least one password. It’s very important to make this as secure and memorable as possible. The last thing you want to do is finally set up all your sites to use these fantastically complex passwords only to forget your password or resort to writing it on a post-it note stuck to your monitor, completely defeating the point. These solutions also have built-in password generators that you can set to provide a random password of a specific length based on different options (upper/lower letters, numbers, etc.).

Here at Pro Web Marketing we use PassPack to manage our passwords, largely because they make it easy to share the passwords with our clients, which is one of its main features. At home I personally use KeePass, which is supported on all platforms (Windows, Mac, Linux, iOS and Android), plus it’s open source. One of the perks of using KeePass is that it’s been around for a while now and has just about everything you could want. You can organize your passwords into folders (Website, e-mail, etc.). The password generator has very specific options, differentiating special characters further because some sites will let you use special characters, just not spaces. It lets you set an expiration date and website URL, and offers a section for notes. One of the things I’ve come across is that websites intentionally limit your passwords. My bank, of all places, has a 16 character limit on passwords, so I keep that in the notes section to remind me when I update my passwords.

KeePass also has some nice features that work under the hood. You can set a “global hotkey” (default is ctrl+alt+a on Windows), which allows you to set a custom hotkey that will automatically enter your login credentials on sites for you. It uses the title bar of the window and compares that against the title of the entry. Because that doesn’t always work, there are also browser plugins to help you get the right match. If you still can’t manage to get it working for whatever reason you can pull up the KeePass client, find the entry and hit “ctrl+v” just like you normally would to paste, and it will automatically fill in the details in whatever window is directly behind it. By default the auto-type feature uses the pattern username <tab> password, but suppose you need username <enter> password or username <tab><tab> password? Fear not, you can set a custom auto-type in the notes section! Let’s say none of the above will work for some reason; as a last resort you can always open the client, highlight the entry you want and use the icons at the top to copy your username or password to the clipboard. The nice thing about that is even if you do use this feature the clipboard will be automatically cleared in 10 seconds so you don’t accidentally paste your password in the IM with your friend. One last feature of KeePass I’d like to highlight is that when you update a password it automatically creates a backup of the old password for you, which can be a real life saver.

There you have it. With a fresh new year ahead of us you should really think about either switching to a password manager or updating the passwords in yours.

Useful Trick: Recover Saved Passwords

If you’re like me, you often register for a website, hit the “Remember My Password” button in the browser, and totally forget what the password was to begin with.  Normally this isn’t an issue – as you’ll always have that password saved.

But what if you need to tell someone else that password, or perhaps log in on another computer?

Read More

Collaborating Files & Projects Safely & Securely

Today, communication goes way beyond the telephone and “snail mail.”  Businesses have changed the way they conduct transactions both with their staff and clients.  E-mail has now surpassed all other conventional communications and with that comes security issues that arise when the email is being transferred from the sender to the recipient.  Hackers love emails with attachments.  They are able to break into secure hubs and snatch your files.

Read More

Social Media Crimes

Now that more and more people and businesses are signing up with social media networks such as LinkedIn, Facebook and Myspace, these sites are starting to get hit by cyber criminals. In 2006 nearly 3,200 account hijacking cases were reported to the Internet Crime Complaint Center. OK, so here is how this is happening, and how you can stay aware of it and protect yourself from harm.

Read More

Importance of Shopping Cart Security

One of the major concerns when dealing in financial transactions on the Internet is the security of such transactions. The main reason why e-commerce was not as widely accepted as it should have been was the lack of security. Even today, there are many who shy away from transacting on the Internet with an unknown trader.

This problem has been solved to a great extent by digital shopping cart software. In addition to facilitating hurdle-free shopping online, this software offers security in the transactions to the online buyers. Hence, it is advisable to purchase the e-commerce software if you are an online merchant.

Online shopping carts protect the financial and personal data of the customers through Secure Sockets Layer, or SSL for short. This software ensures that when the payment is made to your gateway, the transaction remains secured.

Read More

How To Protect Your PC

To ensure that your PC works fine and is secured, you need to take the following steps:

1) Using Anti-Virus Software: Install anti-virus software on your computer and check that the program is running smoothly. Ensure that you have the latest anti-virus version and scan your computer at least once a week. Some of the free anti-virus programs are Avast, Avira, Microsoft Security Beta and AVG.

2) Free Downloads: Your computer can catch a virus from free download sites. If you want to download something from the Internet, it is a better idea to pay for the download, as free download sites may contain viruses that would harm your PC. Some reputable free download sites are PCWorld.com Downloads, Download.com and Sourceforge.net.

Read More