Book IV Chapter 1
Avoiding Bad People
✦ Most Web sites that deal with sensitive information post a policy on their Web page describing whether or not they do send such e-mails out and what sort of protections they use.
When in doubt, pick up the phone or just delete the e-mail.
If you use the Firefox Web browser, or Internet Explorer version 7 or later, it adds some additional phishing protection. Clicking on the link in the previous figure brings you to Figure 1-3.
This screen is presented by your Web browser, and it indicates that the site in question is known to be a phishing site. It’s not perfect, but it’s an additional layer of protection.
Be very careful about what private information you give over the Internet, no matter what format. Scammers are getting cleverer. Identity theft is serious and can cause you a lot of trouble.
Rebills
The rebill, or the negative option billing scam, is usually legal but very shady.
The essence of the scam is that you sign up for a free trial of some product and only have to pay a couple of dollars shipping. What you missed in the reams of fine print is that after your trial expires, you’ll be charged a hefty sum every month to continue on the program. It’s usually a couple of months before you know and can get off the program.
This type of deal has been around for a while, especially for music clubs. The scammy version is different, though:
✦ The terms of the agreement are not made clear. You might have to go to another page or scroll down to see the catch.
✦ Often the trial starts from the day you sign up, not from when you get the product. People find that their credit card has been billed for the first month before they’ve even received the trial item.
✦ The product itself is poor, either by not living up to the medical claims made or, in the case of make-money-fast type offers, is simply public domain information.
✦ The company’s contact information is not made clear in case you want to complain or cancel your subscription.
✦ It takes several hours of dialing to get through to customer service to get off the product.
These types of scams are all over, from advertising on popular Web sites to spam. Often you see the product on a personal Web site from a person purporting to have used the product to lose weight or make thousands of dollars. This person probably doesn’t exist; the seller has just made them up to try and get you to sign up for the trial.
Beware of anything offering a free trial that requires a shipping charge, and always check the fine print. Check your credit card balance online periodically (having a separate credit card for Internet purchases is also helpful), and call your credit card company at the first sign of abuse.
Another version of this involves your cell phone. You are given a free ring tone, or told that you need to provide your cell phone number to get the results of a test you just did. After you provide your cell phone number you are quietly signed up for a service on your cell phone that bills you every month.
You won the lottery!
Ever got an e-mail like one of the following?
✦ Congratulations! You won the Internet lottery!
✦ You have just inherited $1 million from a long-lost relative.
✦ I need you to help me get $5 million out of my country. You can have 40 percent for your efforts.
These are all scams.
The way these go is that you chat back and forth with the person, and at some point, they come up with a story for needing a few dollars, such as $50 to process some paperwork. If you pay that, more charges keep piling up for various things until you realize you’ve been had. This is called the advance fee scam. See Figure 1-4 for an example.
I really don’t think that Mr. Frank has the $6.3 million dollars. Just ignore e-mails like this.
These types of scams have been around for years, but the Internet has made it easier for scammers to find their victims. At one point many of the scammers were based out of Nigeria, so you will find this called the Nigerian scam or the 419 scam (419 is the section of the Nigerian criminal code dealing with such fraud). An Internet search for these terms uncovers a variety of different ruses used for the scam, along with some hilarious stories of people getting the scammers to do all sorts of silly things.
Looking at the amount of spam I get involving this scam, I can only assume that people are still falling for it. Indeed, I have seen a few stories in the news. One person was taken for $150,000, which gives you some idea of how bad it can get.
Check washing and the overpayment scam
Check washing is a process where a check that has been written on has the payee and amount removed (washed off), and a new value and payee put on. This was around before the Internet, but again, the Internet has made it easier to find victims.
Intercepting the check is surprisingly easy, so the scammers have a wide variety of potentially blank checks to choose from.
This scam generally works two ways. The first is that you are offered a job to process paperwork at home, which ends up being to cash some company checks. You send the money to your “employer,” sometimes minus a small commission to you.
What has happened is that a legitimate check has been intercepted and washed, and your name has been put on it with a new dollar amount. You deposit the check, your bank advances you the funds, and then you send the money away. Usually you are told to use Western Union, which is an untraceable system.
Eventually the bank finds out when the check bounces and takes the money back from you. But you’ve already sent the money away!
The second way this happens is that you offer something for sale online, and someone buys it from you. When it comes time to pay they try to give you a check for more than the sale price with some excuse for why. You are asked to send the difference back to them.
Of course, the check bounces, and you’re out whatever you sold and the cash.
To avoid this scam:
✦ Beware of any deal where you get a check and have to send money back.
✦ Never accept a check in response to an online dealing unless you know the person. Look into trusted systems, such as PayPal.
✦ Never send any payment to someone you don’t know by an untraceable method, such as Western Union.
✦ Keep your checkbook safe and watch your bank account for the checks you issue. This will help prevent one of your checks from being used for the scam.
✦ Remember that if it sounds too good to be true, it probably is.
Credit card stealing
Compared to all the other types of scams, this one is downright uninspiring:
1. You buy something online using your credit card.
2. The Web site you bought it from is hacked into and your credit card number is stolen.
3. Your credit card number is used to buy stuff, sticking you with the bill.
Fortunately, most countries have laws dealing with credit cards such that if you notice the fraudulent transaction before your bill is due, you can dispute the charge and not have to pay it when it’s shown to be fraudulent. Still, it’s an inconvenience to have this happen.
One sign to look for when paying over the Internet is that you are using a secure connection. A secure connection means that anyone watching your traffic will not be able to see the information inside because it is encrypted. Figure 1-5 shows an Internet Explorer window that is using a secure connection.
Figure 1-5: A secure connection
In the address, note that the URL begins with https instead of http. This indicates the connection is encrypted. Also note the picture of the lock. This indicates that the site you are browsing is the same one that was certified to use the security. Some older Web browsers place the lock in the bottom status bar instead of in the URL.
The certificate itself is no protection against someone coming in after the fact and stealing the data. This is an unfortunate part of the Internet and security. The credit card companies are still rolling out their security standards across their merchants, which will enforce rules protecting your information.
It is a good idea to keep a credit card for use only on the Internet, and to keep the limit fairly low. This makes it easier to spot fraudulent transactions and limits your liability should problems arise.
It’s Not All Doom and Gloom
This chapter has shined a spotlight on some of the darker parts of the Internet. I didn’t lead off with it to scare you. In the next couple of chapters, I cover tools you can use to protect yourself.
Tools by themselves won’t help you, though. You need to be smart before you open that attachment, or get your credit card out. The bad guys prey on greedy people. Don’t be one of them.
You can find a lot of good stuff on the Internet, and the bad guys shouldn’t keep you from it.
Chapter 2: Using A Safety Net
In This Chapter
✓ Understanding why your network should stay private
✓ Using your router’s security features
✓ Protecting your wireless network
When networks were all wired, you’d know exactly who was on your network because they’d be connected by a cable to your switch. Unless someone snuck a 200-foot cable out your window, you could rest pretty soundly knowing that you and your family were the only users on the network.
With wireless, your neighbor’s teenage son (never did trust the kid...) could be sneaking into your files, or that strange, white unmarked van across the street could be spying on you. Maybe I’m just getting paranoid.
Or am I?
Knowing Your Network
If you want to defend your network, then you need to understand how it’s put together. Each component has different properties and is defended differently. You can look at your network as if it were made up of two parts:
✦ The Internet connection
✦ All the stuff on the inside, like your computers
The next sections cover each of these in turn.
Protecting the Internet connection
What happens on your Internet connection is your responsibility. If someone on your network does something bad, willingly or unwillingly, then the Internet service provider has your name on their billing records and will talk to you first. If cops get involved, you get the first interview.
Problems are not unheard of. Consider the following scenarios:
✦ ISPs sometimes implement a cap on the amount of data that can be transferred on a given connection as part of the monthly rate, after which they charge a fee based on usage. Most people will never touch this cap, but if someone were to use your connection to download movies all month, you could blow past this limit without knowing.
✦ You’ve been following the advice in this book about keeping your computer safe, but the person borrowing your Internet connection hasn’t. They get infected, their computer becomes a zombie, and the next thing you know you can’t send e-mail because your provider has turned off your e-mail because of spam complaints.
✦ A scammer finds that they can use your Internet connection if they park their car across the street. They use it to commit fraud, and the police get involved. The ISP traces the messages back to your address.
Although the scenarios may seem far-fetched, they have happened.
I’m not saying you can’t share your Internet connection with your neighbor, or that you should rigorously inspect everyone’s computer that enters your door. You can still lock down your network and share the password so that just your neighbor gets on while keeping the bad guys out. If the neighbors aren’t that computer savvy, maybe you could lend them this book (or better yet, get them their own copy!).
War driving
War driving is a play on a pre-Internet activity called War Dialing. In War Dialing, someone dials every phone number in a particular range of telephone numbers, looking for computers that answer instead of humans. This technique used to be very effective at finding unprotected computers because the systems administrators used to use dial-in modems as a way to remotely manage their systems and were often not very thorough in their security practices.
If you’ve ever seen the movie War Games you’ll recognize this. If you haven’t, you should look it up. Despite being over 25 years old it’s still a great flick!
War driving involves driving around a city with a computer and a wireless card, looking for open (or easily crackable) wireless networks. It’s been refined to the point where you can tie in a GPS unit and end up with a map of all the networks, with the exploitable ones highlighted.
The bad guys will use war driving to find open access points they can use and abuse. Make sure you’re not on their list!
The stuff on the inside
Your network may include your computers, video game consoles, and maybe a file sharing device or two. If someone can connect to your wireless network, then they can connect to your computers and file storage servers.
More sophisticated attackers can pretend to be your gateway and force all your Internet use through their computer using a process called spoofing. Anything you look at on your computer is passed through the attacker’s computer. Even though your bank uses encryption when you view their Web page, you still have to be careful to make sure that the attacker isn’t feeding you bad information.
Your computers have files on them that you’d probably rather keep private. You may not have anything to hide, but you still don’t want to share all your files with people. Tax returns? Letters to the lawyer? If you wouldn’t stick it to your front door, then it’s worth spending some time to protect.
Hackers versus crackers
Throughout this chapter and others, I might use the terms hackers and crackers. You’ve probably heard the term hacker before and have heard it being used in the context of a bad guy trying to break into your computer.
The word hacker has a long and distinguished history, however. Hackers were the people that advanced computer science not by exploiting weaknesses and doing harm, but by using their intelligence to pull off feats of skill (called hacks). Hackers would build computers out of spare parts or come up with brilliant ways around limitations.
As other intelligent people used their skills for evil, the media applied the name of hacker to them. These are the bad guys: the people writing software to steal information, or coming up with ways to game systems to their advantage. It’s insulting to the hacker community to associate these bad people with them, so we use the term cracker, much as in a safe cracker.
In this book, I don’t have the need to refer to people in the hacker sense, so I’ll just use cracker, attacker, or, even better, bad guy.
There’s a third class of people that I’ll call researchers. These people try to find weaknesses in systems in the name of improving them. They’re trying to break the security systems before the crackers do, so that the systems can be fixed. These guys are on your side.
Unfortunately, the public nature of research means that the crackers eventually learn about the problems and use them to their advantage.
People from the Internet
So far I’ve been talking about people trying to get into your home network over the wireless connection. There are also people trying to get in from the Internet. Fortunately your firewall blocks any connections from the outside coming in, unless you deliberately turn that feature off. Don’t do that!
Most of the attackers coming from the Internet are computer programs that are scanning your service provider’s network, looking for vulnerable hosts. Your firewall protects you against these scans because it only allows connections that your computers make out to the Internet and not new connections from the Internet to the inside of your network.
All that said, if you run a program that’s got a virus in it, all bets are off. We talk about getting anti-virus protection in the next chapter.
Choosing Wireless Security
Wireless networking, by nature, involves throwing your data over the airwaves and hoping only the recipient is the one listening. As more people used wireless, more important information was carried over the air. As more important information was sent, the incentive for people to try and listen to it increased. As people tried to listen, the engineers in charge of the wireless standards tried to keep up.
Here’s a summary of the wireless security protocols available to you.
WEP
When 802.11 was introduced by the Institute of Electrical and Electronics Engineers (IEEE) in 1997, the standard called for vendors to optionally provide security through Wired Equivalent Privacy (WEP). WEP encrypted the data that was sent over the radio so that people listening in couldn’t read it without the key.
WEP had some problems from the start. The key used to decrypt the data was static, meaning it never changed. To get on a WEP-protected network, everybody had to share the same key. As you can imagine, it became easy to figure out the key because it often got posted to the wall so people wouldn’t forget it.
Secondly, the United States had some rather peculiar regulations at the time dealing with the export of encryption capable products to other countries. Back in 1997, encryption fell under the International Traffic in Arms Regulations (ITAR), which regulated the export of weapons out of the country. You couldn’t export missiles, nuclear weapons, night vision goggles, and any encryption the government couldn’t break.
As such, WEP went out the door with pretty weak encryption, even for 1997. But it was all we had. Some people used it, some people didn’t.
Fast-forward a few years, and people are starting to look closely at the security of WEP. The U.S. government relaxed their position on encryption, and WEP was upgraded to something less embarrassing. However, some researchers found that by listening to enough traffic you could deduce the shared key. As people poked deeper into WEP, they found that even less traffic was needed, and you could even cause the access point to generate it if the clients weren’t generating traffic. The time to crack a WEP key is now down to a minute, even with the stronger encryption in use.
Yes, you heard me right. Someone can listen to a WEP-protected network and have the key before you even notice they’re there. With the right antenna, they could be farther away.
This isn’t going to do. Something better is needed.
WPA
The IEEE started work on the 802.11i standard, which dealt with wireless security. As usual, trying to get a bunch of engineers to agree on something takes its time, so the Wi-Fi Alliance took some of the in-progress work from 802.11i and came up with the Wi-Fi Protected Access standard (WPA).
WPA solves the key problems that were the downfall of WEP with a protocol called the Temporal Key Integrity Protocol (TKIP). TKIP’s job is to rotate keys constantly so that the problems WEP had won’t happen again.
WPA had a major constraint in that it was intended to run on older access points by means of a firmware upgrade. This was because WEP was so broken that the industry wanted to protect access points in the field. Therefore WPA uses some of the same encryption techniques as WEP, just implemented in a better fashion.
WPA also introduced the concepts of a pre-shared key mode (PSK) and an enterprise mode. PSK mode requires a key that’s known to all participants in the wireless network, just like WEP. Enterprise mode allows you to use your enterprise login credentials to log in to the wireless network, eliminating the need for a shared key.
Even though enterprise mode is better security, it requires servers and services that people at home just don’t have. The acronyms and standard names required to implement this mode are astounding. So, you’ll always want to use PSK mode if you’re ever given the option.
WPA was a significant improvement upon WEP. Eventually, researchers found ways to mess with WPA networks. WPA is not as completely broken as WEP, but it is possible to inject packets into a WPA-protected network. With this ability, an attacker could still redirect the entire network’s traffic through a computer of his choosing.
WPA2
Third time’s the charm, right?
The IEEE finally finished 802.11i, and the Wi-Fi Alliance called it WPA2. The Alliance also made implementation of WPA2 a mandatory part of Wi-Fi compatibility testing. Without WPA2, vendors couldn’t put the Wi-Fi logo on the box.
WPA2 got rid of TKIP and went with the Advanced Encryption Standard, which is the same that the U.S. government uses for protecting its secrets. The earlier WPA standard was also revised to allow AES to be used instead of TKIP.
To date, there are no direct attacks against WPA2. That hasn’t stopped people from trying, though!
Even though the bad guys can’t exploit weaknesses in WPA2, they can try to guess your password. So pick a good one!
Deciding what to choose
If you’re setting up a wireless network, you want to be using WPA2. Most access points have a mode that allows both WPA2 and WPA to be used. If you have older clients that only support WPA, then this mode will work.
It’s easy enough for me to say “use WPA2” when you’re setting up your own network, but what about when you use other people’s networks?
Hotel networks generally have no encryption or security at all. Anyone can connect and anyone can read the packets in the air; this is usually called open mode or an open network. Access to the network is usually protected by a captive portal, which intercepts you when you first start using the Internet, and only lets you through after you’ve registered.
Captive portals provide no protection for you; they’re there only for the convenience (and usually, profit margin) of the hotel.
Connecting to these unprotected networks is okay as long as you’ve protected your computer (see Chapter 3) and realize that anything you send over the network is visible by anyone. Browsing the Web is fine. Logging into your secure bank account is secure as long as you validate the site’s certificate like I showed in Chapter 1.
WEP should be considered in the same boat as an open network.
Exploring Network Security Features
As technology advances, the CPUs going into routers get faster and faster. The processing power required for the basic routing and firewalling is negligible, so there’s ever increasing room left for more features.
You’d think that manufacturers would cut back and put the bare minimum CPU in, but the way the industry works is that older chips cost more to buy, so it ends up being cheaper to put more oomph inside the box.
Most manufacturers have several features in common, though some may implement them slightly differently. Some features are handy, some not so much, and some will completely expose your computer to Internet attackers. In the following sections, I identify when and where you’d want to use them.
Understanding the SSID and password
The network name (SSID), password, and security protocol (such as WPA2) are your first line of defense against attackers. You’ve seen earlier how WPA2 is currently the best protocol to use, and you probably gathered that the password is important.
The only known way to break into a WPA2 PSK (pre-shared key) network is to guess the password. The crackers know this and have come up with ways to guess passwords at incredible speeds.
The WPA/WPA2 key that encrypts all the data in the air is derived from both the password and the SSID. One of the optimizations the crackers use is to pre-compute these keys by using a list of popular SSIDs and popular passwords. If you make sure that your SSID is unique, such as the name of your street, your pet’s name, or something else unique, perhaps followed by a number, you’ll be sure to stay off this list.
The most important thing to do is to choose a complex password. If you’re using Wi-Fi protected setup (WPS), you don’t even have to remember it!
Figure 2-1 shows where you configure the SSID, protocol, and password for the network. Here the SSID is “walberghome,” the password is “W1r3l3ssB00k,” and the network uses WPA2.
Search the Internet for “top 1000 ssids” and you should find, surprisingly enough, a list of 1000 of the most common SSIDs out there.
With a unique SSID and an unguessable password, the crackers will have to find another way in!
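How the SSID and the password combine into the key, as an added example that is not from the book: WPA/WPA2-PSK derives its 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations, which is why a key table precomputed for one SSID is useless against another. The word lists, the 12-character minimum, and the `audit` helper are assumptions made for illustration.

```python
import hashlib

# Constructed sample lists for illustration; real lists of common SSIDs and
# passwords (such as the "top 1000 ssids" list mentioned above) are far longer.
COMMON_SSIDS = {"linksys", "default", "netgear", "dlink", "home", "wireless"}
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein123"}
MIN_LENGTH = 12  # assumed house rule, not part of the WPA2 standard


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit pre-shared key the way WPA/WPA2-PSK does:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32 bytes of output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def audit(ssid, passphrase):
    """Return a list of findings for a home network's SSID and passphrase.
    An empty list only means none of these checks fired."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        findings.append("SSID is on the common list, so precomputed key tables apply")
    if passphrase.lower() in COMMON_PASSWORDS:
        findings.append("passphrase is on the common password list")
    if len(passphrase) < MIN_LENGTH:
        findings.append("passphrase is shorter than %d characters" % MIN_LENGTH)
    return findings


if __name__ == "__main__":
    # Same passphrase, different SSID: the derived keys share nothing, so a
    # table precomputed for "linksys" says nothing about "walberghome".
    for ssid in ("linksys", "walberghome"):
        print(ssid, wpa_psk("W1r3l3ssB00k", ssid).hex())
    print(audit("linksys", "password"))
    print(audit("walberghome", "W1r3l3ssB00k"))
```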
Using advanced wireless settings
When wireless first came out and the low-strength version of WEP was all that was available, people came up with a few methods to increase the security of their network.
Security is always a tradeoff between protection and convenience. As you add more security measures, it becomes more complex to use whatever it is you’re protecting.
And so, too, it is with wireless. Two ideas that people came up with were:
✦ Hide the existence of the SSID
✦ Find the hardware addresses of the machines you want to connect and only let those in
With today’s technology, both of these are poor protections against attack. Not only do they make your wireless network terribly inconvenient for you to use, but they don’t improve your security.
On the surface, hiding your SSID makes some sense. Your wireless access point broadcasts its network name periodically so that your computer can know when it should connect. Turning off this feature means that someone driving by won’t know the access point is there and won’t try to break into it.
The problem with this is that it is still possible to deduce the presence of a wireless network because of the wireless traffic. After that, there are various ways to figure out the SSID.
The second idea involves making a list of the hardware addresses of the wireless cards and telling the router to only allow those addresses to use the network. Figure 2-2 shows the properties of a wireless card. The hardware address is the same as the physical address.
Not only is it a pain to administer, spoofing a MAC address is trivial. Spoofing in this example means that the attacker is using your MAC address instead of his; your access point is none the wiser.
Browse to Wireless Settings to see where these features are configured (see Figure 2-3). The Enable SSID Broadcast setting controls whether or not your SSID is broadcast. Click the Setup Access List button to set up the MAC addresses that can connect.
These features don’t do much to protect your network but do cause serious usability concerns. At one point, using these features was a requirement for companies transmitting credit card data over wireless networks, but the requirements were dropped in late 2008 because the tradeoff wasn’t worth it. If even the credit card companies don’t think it helps security, then it’s not worth doing.