Security 101

Woman holding two cell phones at onceMost people are blissfully unaware of what security means in the 21st century, despite using 21st-century technology daily. Many nerds are aware of attacks like viruses, trojans, and phishing, and many computer users are familiar with the idea that passwords are important and that their hard drives’ data can always be recovered, but there are whole areas of security people are totally ignorant about.

This is a quick-n-dirty primer on security issues you probably don’t know about (or aren’t protecting yourself from.)

Not-So-Secure

Many people think that just because they don’t know how something works, or because something is hidden, it must be hard or impractical to discover. This is the digital equivalent of hiding money under your mattress, or putting up a NO TRESPASSING sign. You might feel safe, but it only keeps out the extremely-honest.

These are ways that normal “security” (i.e. a total lack of security) is easily broken in the 21st century:

Packet Sniffing (seeing unencrypted communications)

Image of a packet sniffer showing an unencrypted password in an HTTP packet

Sniffing unencrypted passwords

When you communicate across a network, by using your cell phone, checking your email, or browsing the Web, that communication is sent in “packets.” Think of packets as digital envelopes that hold your communique, with From and To addresses written on the front, just like a real letter. Now imagine that you couldn’t trust your family, neighbors, the postman, the people at the post office, or your recipients’ postman, neighbors, or family. Would you still send that letter the same way?

Packet sniffing is just like using an X-Ray machine to read the contents of the mailbox out on your curb. A 13-year-old kid can easily connect to your network (by asking for your WiFi password, if you have one, or by plugging into your router) and tell his computer to listen for any communication on the network. Anything you send or receive will show up on his screen.

How do you protect against this? See the Encryption section below.

RFID Sniffing (copying keyfobs, access cards, credit cards, and government ID info)

RFID keyfobs and cards showing their ID numbers

RFIDs are just wireless barcodes

Many people use touchless access cards or keyfobs to get into their workplace. Even more people have a touchless credit card (it looks just like a regular card, but usually has a PayPass or wireless logo in one corner.) Finally, many government IDs like driver’s licenses and passports have touchless chips inside of them. This touchless technology is called RFID, which means Radio Frequency Identification.

The first problem with RFID is evident in its name: Identification. Its purpose isn’t to be secure, its purpose is to identify you. Thus, anyone with the proper radio can identify you based on the RFID chips you carry, and there aren’t any safeguards to prevent that identification. RFID is simply a barcode transmitted over radio waves. How easy is it to copy a barcode? That’s how easy it is for someone to copy RFID. In fact it’s easier, because thanks to radio waves an attacker doesn’t even need to touch anything.

Simply put, any RFID chip in your pocket can be read and copied from at least a foot away, usually more. If you use an RFID device as a key, to get into your workplace or your car, that key can be copied by someone with a radio. If you use RFID as identification or for payment, your identity or money can be stolen by someone with a radio.

How do you protect against this? Line your wallet with tinfoil. (I’m not kidding, it works, try it.)

Laser Microphones (voice and password sniffing)

Laser microphone-- a laser pointer, diode receiver, and a cheap radio to transmit the sound

A simple laser microphone that transmits its sound via radio

Sounds exotic, doesn’t it? When’s the last time you lowered your voice or closed the door to prevent something from being overheard? What if an invisible beam of light bouncing off a shiny object in your room could betray you? What if that beam and the receiver cost next to nothing?

With a laser pointer and any light-sensitive diode (like an LED, or photodiode) hooked up to some earphones, you can literally listen to the vibrations in light patterns. Aim the laser at something that is reflective and exposed to sound vibrations, like a cup on your desk, and catch its reflection with that LED, and that cup is now a microphone.

Even worse– did you know that each key on your keyboard makes a slightly different sound? You probably know this intuitively, but it’s very true. Type “abc cba” and you’ll hear the difference between keys. What could someone with a recording of your keystroke noises do? With a bit of time and help from computers, listen to every word you type including your passwords. You thought people across the street couldn’t hear you or see what you’re typing, but they can!

How to thwart this? Stay out of line-of-sight from any unsecured areas when typing passwords or discussing sensitive things. If that’s not possible, reposition your laptop prior to doing so, or place your keyboard on something sound-absorbent.

Secrets

So you’re wisened up, and realize that the sounds, radio waves, and digital communications surrounding you are easily spied upon by anyone with the slightest inclination to do so. Armed with a hefty sense of paranoia, you’re finally safe, right? Not quite. Replace that paranoia with a bit of real security– arm yourself with secrets! Passwords, secret codes, and things that people truly can’t discover without a mind-reader will keep you safe… right?

Keyloggers (password sniffing)

A key logging app showing logged text data

A typical free keylogger

A more conventional and easier way of discovering your password is to ditch the laser microphone and just find a way to run a keylogging program on your computer. Anything you type (or click on) will be logged in a text file and sent to (or retrieved by) an attacker at their convenience, including your passwords and communiques. You thought a password would keep people out of your computer or files, but they just sniffed your password instead!

To prevent this, install good Anti-Virus software and never allow anyone to use your computer without keeping a careful eye out for any disks or websites they might use to install a keylogger (or other malicious program) on your computer. (I’ve personally seen this happen to friends and clients at least twice, to great devastation.)

Boot Disks (password reset & data mining)

A command-line menu for a bootable utility cd

There are many ways to run tools on a computer directly from CD or USB drive.

Physical Access Trumps All. There’s almost nothing you can practically do to prevent someone from breaching your security if they have physical access to your stuff. There are always manual overrides or workarounds to get into “secured” systems, and they usually involve having physical access to the system.

The most prevalent and easy example of this is a boot disk. In under 5 minutes I can plug a USB disk on my keyring into any computer (or in Mac and Linux, simply press some key combinations) and reset, bypass, or discover the passwords on that computer. The information is freely available online.

One way to protect against this is called “full disk encryption” however with physical access even this isn’t hard to bypass. The only real way to prevent this is to prevent physical access (to the systems, and to the network itself) in the first place.

Encryption

Armed with secret passwords and codes, you’re now able to encrypt your data and protect against intrusion, right? Well, mostly. Even if your data or passwords aren’t sniffed outright, it’s not hard to break or bypass encryption, especially with physical access to your computer:

Man-in-the-Middle (breaking encryption)

Screenshot of a man-in-the-middle attack using ARP Poison Routing

By "poisoning ARP," an attacker can pretend to be your router and intercept or modify all communications from your computer.

Screenshots of what an SSL-protected connection looks like in various browsers

Check for "https" at the beginning of your address bar, and an SSL lock icon, before typing in passwords.

One of the scariest attacks, and the reason your computer guys are so paranoid about WiFi security and securing the network jacks in your office, is because just like packet sniffing in the paragraph above, someone on your network can sniff your packets. But if they’re encrypted, they’re still safe right? Not quite. By not only “X-Raying your mailbox” but by actually pretending to be the postman, someone on your network can grab, read, and modify all communications in and out of your computer.

There are few ways to detect something like this, but checking for the HTTPS at the beginning of all web addresses is the simplest way to have a decent expectation of security. There are still ways to bypass this, but over 90% of people don’t check for HTTPS prior to typing in a password online and so this is a great first step. Also, if you use an email client like Outlook or Thunderbird, make sure that it is using SSL or TLS to encrypt its communications… otherwise all your email is being sent back and forth unencrypted. (In fact, after it leaves your computer it’s always unencrypted, but the most at-risk network is the one your computer is on and so that’s the most important to encrypt.)

To really prevent this, you need to encrypt everything, and be able to trust that nobody is on your network (or on your ISP’s network) that can’t be trusted. One way to do this is by encrypting your WiFi network… see the next paragraph!

WEP, WPA and Password Cracking (breaking encryption)

All your passwords and encryption are safe… until they’re broken. Encryption is the process of taking regular information (like the text on this page) and turning it into other information that can’t be deciphered without a password. Unfortunately, perfect encryption doesn’t exist, because the encryption process involves lots of math. (Imagine saying that A=1, B=2, etc… and then dividing each number in the message by a secret number in your head. Encryption works in much the same way.)

Screenshot of aircrack successfully finding a WEP key

It's not hard to crack WEP.

Because it’s all math, with enough computer power it’s eventually possible to make really good guesses about what the original message was, and thus find the secret number in your head (your password.) Cryptologists are constantly creating new, better formulas to encrypt things with, but computers are constantly getting faster and old encryption methods are unfortunately still widely used.

Three widely-used but easy-to-decrypt encryption methods are WEP, WPA, MD5, and LM. The first two are for WiFi, and the last two are for passwords.

You’ve probably come across a WiFi network in the past month that either doesn’t require a password, or uses a password like AAAAA11111. If it doesn’t require a password, congratulations! You’re broadcasting your communications to anyone who wants to listen. If it requires a 10-digit 0-9A-F password, that’s WEP and it can be broken in under 5 minutes by anyone with the desire to do so. WPA is more secure, but can still be cracked with the same tools used to crack WEP. You should be using WPA-2 (and only WPA-2) if possible. This setting is on your WiFi router’s wireless security page.

A screenshot of ophcrack finding Windows LM passwords

It's also not hard to crack LM passwords.

You also are probably using Windows XP, which by default stores your password with an LM Hash, which can be broken in well under a day (sometimes a matter of minutes.) You should disable the LM Hash now. It’s been replaced by NTLM or Kerberos, which is somewhat harder to crack. MD5 is another common algorithm on Linux and network systems that is trivial to crack. It’s been replaced by SHA1, which is also crackable but harder.

Wrap-Up

It’s not easy to be productive while still guarding your computers from physical attack and making sure all your communication is encrypted with the lastest encryption methods, but it’s also very easy to go through life totally unprotected.

  • Always check that your communications are encrypted, especially passwords.
  • Encrypt your WiFi network with WPA or WPA-2 as well, and don’t connect to networks that are WEP or passwordless. On shared networks, triple-check that all communications are encrypted.
  • Keep your computer and router out of other peoples’ hands.
  • Consider a tinfoil wallet and windowshades for good measure.

Now that you’re more aware than the average person of security issues and how to protect against them, you should be less at risk than the average person… right?

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s