The Wild West is upon us again. We live in a world where new threats are poised to cause harm in ways most of us never dreamed possible. Most of us know to look before crossing the street, be wary of parking lot salespeople, and watch out for bait-and-switch tactics. However, it’s time for our society to adopt a new set of street smarts — technology skepticism. Blindly trusting electronic resources, connectivity, or services puts our identities, finances, and privacy at risk. It’s time to pay attention and take precautions, and in this two-part series we’re going to show you what you’re up against and what you can do about it.
Open Wireless Networks
Problem: WiFi hotspots are convenient, but open wireless networks also attract wireless hackers. When you use an open wireless network, your network traffic is sent across the radio carrier in a form that is easy to intercept and read. This allows anyone with the right antenna to pick up your signal and eavesdrop on your transactions. This type of attack is known as an interception, or a man-in-the-middle (MitM), attack. Unfortunately, it’s hard to detect and easy to implement.
Solution: Don’t use open wireless networks or any network encrypted with WEP. WEP (Wired Equivalent Privacy) is a legacy encryption system of IEEE 802.11 which can be compromised in less than 60 seconds using an attack tool from the Aircrack-ng suite known as weSSIDe-ng. The best protection is to use only WPA2-encrypted wireless networks, or WPA-encrypted networks if you disconnect at least once every two hours. There’s a WPA attack which can compromise the RC4 encryption of WPA in about four hours. If you have access to a mobile hotspot, can tether your mobile phone, or can use a wired connection, those will always be more secure options than an open or WEP wireless network.
Problem: Certificates are considered the foolproof method of identifying entities over the Internet based on the trust you place in a certificate authority (CA), such as Verisign, Thawte, GoDaddy, Comodo, etc. Unfortunately, this trust was violated repeatedly in recent months. While the mathematical security provided by the encryption algorithms of the certificates themselves is often flawless, the CA’s implementation and back-end security is questionable. Until certificate authorities resolve their network and Web site insecurities, certificates will be a concern since there’s no perfect method to detect or avoid being tricked by false certificates.
Solution: First, be cautious about clicking on any hyperlink, especially from an e-mail, text message, forum, PDF, or other type of document. Second, click on your browser’s locked padlock icon, and review the details of the SSL/TLS session. Pay close attention to the subject identity and issuing CA. Some browsers support plug-ins that perform additional verification on sites you visit. For example, the Firefox add-on/plug-in Certificate Patrol performs in-depth verification of each certificate, keeps track of previously seen certificates, and informs you when something changes between site visits.
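The tracking that Certificate Patrol is described as doing above can be sketched in a few lines of Python. This is an added example, not the add-on's own code: it remembers each site's certificate on the first visit and reports which of the reviewed fields changed on later visits. The host name, CA names and certificate bytes are constructed sample data.

```python
import hashlib

FIELDS = ("fingerprint", "subject", "issuer", "not_after")

def _attr(rdns, key):
    """Pull one attribute out of the nested tuples used by getpeercert()."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(der_bytes, info):
    """Reduce a certificate to the fields worth reviewing: who it names, who issued it."""
    return {
        "fingerprint": hashlib.sha256(der_bytes).hexdigest(),
        "subject": _attr(info.get("subject", ()), "commonName"),
        "issuer": _attr(info.get("issuer", ()), "organizationName"),
        "not_after": info.get("notAfter"),
    }

def check_site(store, host, der_bytes, info):
    """Return (status, changed_fields) for this visit to host.

    A changed certificate is reported but NOT stored, so the remembered
    entry survives until the user decides the new one is legitimate.
    """
    seen = summarize(der_bytes, info)
    known = store.get(host)
    if known is None:
        store[host] = seen
        return "first-visit", []
    changed = [f for f in FIELDS if known[f] != seen[f]]
    return ("changed", changed) if changed else ("unchanged", [])

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns;
# in real use the bytes come from getpeercert(binary_form=True).
FIRST = {"subject": ((("commonName", "bank.example"),),),
         "issuer": ((("organizationName", "Example Trust CA"),),),
         "notAfter": "Jan  1 00:00:00 2030 GMT"}
SWAPPED = dict(FIRST, issuer=((("organizationName", "Unfamiliar CA"),),))

def demo():
    store = {}
    return [check_site(store, "bank.example", b"constructed-der-1", FIRST),
            check_site(store, "bank.example", b"constructed-der-1", FIRST),
            check_site(store, "bank.example", b"constructed-der-2", SWAPPED)]

if __name__ == "__main__":
    print(demo())
```

A change in the issuer between visits is the signal that most deserves a second look, since routine renewals usually stay with the same CA.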
Problem: DNS resolves human-friendly fully qualified domain names (FQDNs) into IP addresses, but DNS was designed for efficiency rather than security. It doesn’t verify the information received when a query is answered, which allows for potential DNS compromise attacks called DNS spoofing or poisoning. Ultimately, the solution is to revise DNS to support certificate-based authentication, which is known as DNSSEC (see dnssec.org). However, until certificate vulnerabilities are resolved, DNSSEC is not an invulnerable solution.
Solution: Until DNSSEC is in Internet-wide use (it’s only partially deployed across the root DNS servers and some of the Global Top Level Domain (GTLD) servers), end users need to simply pay more attention to how they visit sites.
Mobile Device Loss/Theft
Problem: Within the next year, there’s a good chance there will be more mobile phones in use than there are people on the planet. Mobile phones are quickly transforming into hand-held supercomputers; however, they pose a serious risk. Most mobile devices don’t have serious security as a standard or default feature. Some smartphones can have security enabled or added, but many owners of these devices aren’t aware of this. It is important to realize that the screen lock on your mobile phone is really only to protect against accidental use, such as the infamous “butt dial”. Any mobile device hacker can easily bypass a screen lock through any number of techniques.
Solution: If your mobile device is lost or stolen, all of your personal data (i.e. PII — personally identifiable information) is at risk. There are two main security measures you should implement, and then you should adjust your behavior. First, install a local storage encryption tool. Make sure the tool requires an unlock password that’s manually entered each time a user attempts access to an encrypted file. Second, install or configure remote wiping services.
Problem: Social engineering (a.k.a. con jobs and confidence games) is the art of manipulating people, usually by either gathering information or tricking someone into performing malicious actions. Most con jobs use some truth or insider information, often gained through extensive research or dumpster diving.
Solution: Since social engineering is an attack on people, the only protection is education and training. Here are several important items to address or manage:
- Be cautious if any communications seem odd or out of place
- Request proof of identity before providing sensitive information
- Don’t follow instructions provided by unknown entities or when not specifically elicited by you
- Always securely dispose of discarded printed materials or any type of storage device