3DSC Days 12 & 13: Weekend Project #2

This weekend’s project is to check up on your Wi-Fi security.  This shouldn’t take you more than an hour or so, and you will have to reconnect all your devices to the internet.  But once it is done correctly you shouldn’t have to go through the hassle again for a long time.

Login to your router:  The first thing you will have to do is figure out how to get into your router’s settings.  First this will require connecting the router.  Typically you connect by opening your web browser and typing the router’s IP address into the address bar.  How you do this will depend on whether you own or rent your wireless router.  Regardless of whether you own or rent, I recommend that you get an Ethernet cable to connect your computer and your router, because one setting we will change later will disable your ability to modify the router’s settings without being physically connected to it.

  • Own: If you own your router and have never changed the login credentials, look the defaults up online.  If you can’t find defaults for your router, you always have the option to reset the router totally by holding the reset button for 30 seconds (removing power won’t clear out the old settings).  Links for default credentials and login IPs for the most popular home routers are:
    • Linksys:  192.168.1.1
    • Netgear:  192.168.1.1 or 192.168.0.1
    • TP Link:  http://192.168.1.1 or http://192.168.0.1 or http://tplinklogin.net
  • Rent:  If you rent your router from your internet service provider, the management credentials are likely on a label on the router.  If not, you may have to call your ISP to find the managment credentials.

Once you have logged into the router you can begin modifying its settings.  The specifics of each router’s menus will vary but the principles presented here should be available on all manufacturers’ products.

Change the management credentials:  One of the first steps you should take is to change your router’s management credentials.  This will prevent someone from connecting to it remotely, logging into it, and making changes to your settings, subverting your wi-fi security settings.  Use your password manager to generate a good, strong password and store it there.

Wi-Fi Security

Disable remote management:  Only do so at this point if you are connected via an Ethernet cable.  If you are connected wirelessly you will not be able to make any further changes to the router.  If you don’t have an Ethernet cable and don’t wish to buy one, save this step for last.  If you do make this change prematurely, or wish to modify settings later, you can always reset the router back to defaults and start over.

Wi-Fi Security

Encrypt the signal:  This is perhaps the most important setting you can change to increase your wi-fi security.  Select WPA2 encryption.  If your router does not support the WPA2 protocol consider upgrading it immediately.

Disable Wi-Fi Protected Setup (WPS):  Wi-Fi Protected Setup allows you to quickly connect devices when you have physical access to the router.  You press the button while a device is attempting to connect, and it connects.  This works great in theory but in reality this protocol is broken (and has been for a long time) and can allow anyone to view your Wi-Fi traffic.

Wi-Fi Security

Change your SSID: Your SSID (your network’s visible name) should not leak information about you or your residence.  It should be either generic or misleading.  I would not want someone to drive up my driveway and be able to see my family’s last name by merely looking at the name of the Wi-Fi network.  There are good arguments to be made for not using common network names.  Your Wi-Fi network should not be super common, but it shouldn’t give away information about you, either.  I also recently wrote about hiding your SSID as a Wi-Fi security measure.  I leave it to you to come to your own conclusion.

One other thing to consider when naming your network: include the suffix “_nomap”.  This will ensure that Google will not index your Wi-Fi network along with your home address.  As an example, if your Wi-Fi network is “FamilyWiFi” change it to FamilyWiFi_nomap”.

3DSC Day 10: Firefox Security Add-Ons

Today we have crossed a new landmark: after this task you have completed one-third of the Thirty-Day Security Challenge!  Congratulations!

Yesterday we installed Mozilla Firefox.  We made some changes to Firefox’s settings to evade online tracking and limit the browsing data that is stored locally on your device.  Today we will increase Firefox’s security further by installing some security add-ons.  Add-ons are small plug-ins that that enhance an existing piece of software.  To install these add-ons follow the link provided.  On the resulting webpage click the green “Add to Firefox” button.

There is a slight chance that you have some other add-ons in Firefox already.  You should think twice about these.  They are probably not security add-ons.  Add-ons like those from Amazon.com and Facebook do not enhance your privacy.  Instead they give these services access to your browser.  Consider removing any add-on that does not improve your privacy or security.

Better Privacy:  This simple add-on is designed to delete flash cookies.  Flash cookies, sometimes called Locally Shared Objects (LSOs) are more sophisticated than conventional cookies.  Flash cookies allow much more detailed tracking of your online behavior.  Better Privacy runs in the background when you close Firefox and deletes flash cookies from your browser.

Disconnect:  Disconnect is an anti-tracking application.  It is very lightweight and prevents websites from tracking your behavior and serving you certain requests.  I like Disconnect because it is incredibly lightweight but still very capable.  According to Disconnect your pages will load 27% faster when using the add-on.  This is because tracking requests and adds consume bandwidth.  When they are blocked this bandwidth is yours once again.  Once Disconnect is installed you don’t have to do anything.  Disconnect will silently protect you in the background.

HTTPS Everywhere:  Many websites offer an encrypted (SSL) login page.  Unfortunately, many of these pages revert to a plain-text connection after you have logged in.  This can allow your ISP or a hacker to see what you are doing.  To prevent this, HTTPS Everywhere attempts to force an encrypted connection during your entire session, on any website that is capable of a secure connection.  HTTPS Everywhere is written by the Electronic Frontier Foundation (EFF), an advocacy group for online privacy.

Firefox Security Add-Ons

3DSC Day 09: Browser Security

Yesterday we began to shift our focus outward when we began changing online account passwords.  Today we will continue this shift by installing Firefox and modifying some of its settings.  Browser security and privacy settings play a big role in how easily websites can track you.  Firefox gives you the maximum flexibility to control these settings to your benefit.  It also has one other huge benefit that other browsers do not, and we will discuss this later tomorrow.

The first step in this process is to download Firefox if you do not already use it.  Next, install the program on your computer. Once it is up and running, open “Preferences”.  To access Preferences click on the “hamburger icon” in the upper left of the interface. The Preferences menu will have eight tabs listed down the left-hand side of your screen.  This tutorial will only deal with those that are most relevant to improving your browser security and privacy.

Privacy Settings:  This is where most of the real work will happen to increase browser security and privacy.  First, under Tracking, uncheck the box labeled “Request that sites not track you”.  Though checking this box would allow Firefox to send a Do Not Track request to websites, the sites you visit have no obligation to honor this request.  I do recommend that you leave the Tracking Protection box checked.  Tracking protection is provided by Disconnect, a company we will see again later this week.

Next, go to the History section.  The changes made here are incredibly important.  After modifying these settings, Firefox will not save anything between browsing sessions.  This makes it much more difficult for sites to track your browsing behavior, and minimizes the browsing history that is stored locally on your computer.  Under “Firefox will:” drop-down, select “Use custom settings for history”.  This will allow you to choose exactly what Firefox “remembers” or purges when you close it.  Choose the settings that mirror those shown in the image below.

Browser Security

Next, click the “Settings” outlined in red in the above image.  This will open an additional dialogue allowing you to choose specific items to be purged when you close Firefox.  I recommend that you check all of these options as shown below.

Browser Security

Security Settings:  Set up these settings to mirror the image shown below.  Ensure to check “Warn me when sites attempt to install add-ons” (add-ons will be discussed tomorrow).  Uncheck both “Block reported attack sites” and “Block reported web forgeries”.  Both of these protections require that your browsing data be available to Mozilla for review.  I do not feel that this is in the best interest of your privacy.

Next, uncheck “Remember logins for sites” and “Use a master password”.  Because we now use a password manager it is unnecessary for Firefox (or any other browser) to remember our logins.  Firefox does not store this information securely.  If you have used this feature in the past you may wish to click “Saved Logins” button.  This will allow you to view these logins and migrate them into your password manager.  Once you have done so, delete all of them from Firefox.

Browser SecurityToday you have taken huge steps to increase your internet browser security and privacy.  Over the next two days we will take some additional steps to increase this even further, making you much more secure and private online.

File Validation Case Study: Linux Mint

A news story broke this week about a hack against the download site of Linux Mint (the official blog post is available here).  Mint is a very popular, entry-level Linux operating system.  The attacker hacked Mint’s site and redirected the download link to a modified version of the .iso file.  The modified version had/has a backdoor installed via the Tsunami malware suite.  This hack affected Linux Mint version 17.3/Cinnamon, but the backdoored version appears to have only been available for a short time.  This is obviously bad news for anyone who downloaded and installed an affected version of this OS (17.3/Cinnamon), but there are some big-picture takeaways to be gleaned from this story.  This is not just a story about Mint; it is also a story about file validation and the lack thereof.

  1. People don’t verify file integrity.  Just a couple of weeks ago I posted about the importance of verifying file integrity, and I have written about file validation in my books. The attacks that would make one vulnerable to a tainted file may seem far-fetched, but this is a prolific, real-world example. Adding insult to injury, downloaded versions could have been clearly identified using a checksum or PGP signature.  It is doubtful that many downloaders took the time to perform this step.
  2. It is *almost* understandable that they don’t.  High-profile instances of attacks like these are incredibly rare.  It is almost forgivable that people don’t validate file downloads before executing them.  On the other hand the potential consequences of working on a compromised OS are grave.  It is also worth pointing out that we have no idea how prolific NON-publicized instances of attacks like these are.  Targeted, undiscovered, and hence un-publicized attacks of this nature are the ones that keep me up at night.
  3. The Mint team responded.  Kind of.  Sadly, the Linux Mint Blog responded officially to this incident by posting MD5 checksums (shown in the photo below).  I have written about this before and hate to beat a dead horse but MD5 is insecure and should not be trusted for file validation.  I’m glad they did something, but in the wake of an actual attack one would assume they would go to great lengths to verify file integrity in the future.  MD5 is NOT “great lengths”, but rather a mild, half-hearted response.  This is the most disappointing thing about this attack in my opinion.

LM MD5 ScreenshotMy checksums will be updated this week to include SHA-256 and SHA-512 checksums for the affected version of Linux Mint.

Wi-Fi SSID: To Hide or Not to Hide?

If you read just about any article about Wi-Fi security the question of hiding/not hiding your Wi-Fi SSID (Service Set Identifier) will almost inevitably come up.  The SSID is the Wi-Fi router’s “name”, and it is what you click on when you wish to connect to that network.  Most of these articles will say that hiding your SSID is counterproductive as it will make you more interesting to a hacker.  In full fairness, this also includes my own writing.  In both the Windows 7 and iOS editions of Your Ultimate Security Guide I recommended NOT hiding your SSID.  I had some reasoning for recommending this: in my estimation it amounts to profile elevation.  Like sending a Do Not Track request to a website, a hidden SSID makes you more distinctive than everyone around you.

But does hiding your Wi-Fi SSID alone really make you a more attractive target?  To quote the inimitable Ulysses Everett McGill of O’ Brother Where Art Thou?, “it’s a fool who looks for logic in the chambers of the human heart.”  To unequivocally say that an attacker will target you just because your SSID is hidden may not be tell the whole story, or may simply be dead wrong.  Criminals are not known for following the same set of mental processes that guide the actions of the average, law-abiding individual.  Sure, it may make you the more interesting target because you may seem like the more challenging target.  But just as equally, it may not.  The hacker may be looking for soft, langorous targets.  Or perhaps he or she is after a specific target that is not you.

I think the reason this is constantly brought up is that SSID hiding has been placed in the “security” category of features for Wi-Fi networks.  I contend that this is not a security feature at all.  Choosing not to broadcast your SSID is, in my opinion, merely a choice about how “noisy” you want your network to be.  While hiding your SSID cannot protect you from Anonymous, it do a few things.  It can prevent your neighbors from seeing  your network, and prevent kids in the waiting room at your practice from connecting to it.  Again, it will absolutely not prevent a determined adversary from finding your network.  There are various tools including inSSIDer and Kismet that will find these networks with ease.

My bottom line is this:

  1.  Hiding your Wi-Fi SSID network is a personal preference that is essentially neutral as a security measure.  It doesn’t necessarily make you less secure or a more attractive target, though it might based on factors that we can’t begin to model (i.e. human unpredictability).
  2.  Hiding your SSID for security reasons is ineffective and an example of security-through-obscurity.  If you are hiding your SSID as a security measure you should reconsider.

There are meaningful security measures you can take for your Wi-Fi network.  The best and strongest of these is to ensure that your signal is encrypted with WPA2.  The WPA2 protocol is actually very good (do not use WEP or WPA).  It offers much, much more protectiong than silencing your Wi-Fi SSID.  Another meaningful measure is to use a virtual private network; this will protect your traffic regardless of the security of your Wi-Fi.  It will also protect it at a much deeper level, and provide you with a bunch of other benefits.  We will delve much more deeply into Wi-Fi security in the upcoming Thirty-Day Security Challenge, so stay with me!

COMSEC: Signal Private Messenger

Signal Private Messenger is a free application, and my new favorite encrypted communication solution.  Signal supports both voice and instant messaging (texting) in a single app.  It is incredibly easy to use, and convince others to use.  There is no complicated setup and no username or password to create and remember.  This app is incredibly intuitive and resembles native phone and texting applications.

Signal uses your phone’s Wi-Fi or data connection.  Signal has replaced the legacy RedPhone and TextSecure apps for Android and merged them into a single platform.  To use Signal Private Messenger simply install the application.  You will be prompted to enter your telephone number for verification.  I have successfully used a Google Voice number for this, even though Signal specifically warns that GV numbers will not work.  Full disclosure: I have also seen GV numbers fail.  This is the ONLY reason for which I use a Google Voice number.  I have no problem with this because the number is only used as an identifier and no data is sent though Google after the initial verification message.  The app will verify the number by sending you a code that you must enter into the application.  No other personal information is required or requested.

Signal

If you allow Signal Private Messenger to access your contacts it will identify the ones who have Signal installed.  There is one slight downside to the way Signal identifies its users: in order for others to contact you via Signal they must have the telephone number you used to register the app in their contacts.  This requires that you give out this number to others with whom you wish to use Signal.  For this reason I recommend setting up a Google Voice number that is used only for Signal, and giving that number out to friend, family, and business contacts that are likely to use Signal (or be persuaded to), rather than giving out your real phone number.  I will post in the future about why giving out your real phone number may be a bad idea.

Signal’s interface is almost disconcertingly simple.  Tapping the “+” icon in the upper right of the interface a list of your contacts who have Signal installed.  Tapping one of these contacts will open a new message to that contact.  From there you can send a text message, photo, or video, or type the handset icon to initiate a voice call.  In the search bar on this screen you may input a telephone number, which Signal will then search to see if the number has the app installed.  Once a call is initiated a more typical phone interface is displayed with some standard phone options to mute the call or use the phone’s speaker.

The call interface will also display two random words.  The words displayed will change with each voice call but should match on both handsets involved in the call.  These words are used to ensure the call is not being tampered with by a man-in-the-middle.  If an attacker were to successfully get in the middle of a call each phone would display different authentication words.  This is becasue each handset would establish a key with the attacker rather than the intended recipeint’s handset .  I recommend ALWAYS validating these words at the beginning of each conversation made over Signal.  This is especially important before engaging in sensitive communications.  The messaging portion of the application is likewise incredibly simple.  Messages are composed and set like they are in any other messaging application.  Attaching a file is as simple as tapping the paperclip icon beside the compose pane.  Signal also supports group messaging.

Signal is one of the best privacy-enhancing applications available (especially considering its cost) and I strongly encourage its use.  It’s encryption utilizes the “axolotl ratchet”, a system of perfect forward secrecy.  Perfect forward secrecy means that each message is encrypted with a unique, ephemeral key.  If one message is decrypted it has no impact on the others since each has a unique key.

As pointed out by the grugq, however, Signal does leak a great deal of metadata about you.  This includes your contact list, who you talk to, and the frequency with which you talk to them.  This metadata is certainly no worse than that generated by your normal telephone conversations.   It is also not any worse than that created by other encrypted messaging applications.  For this reason it may not be suitable for defeating certain threat models.  For encrypting your day-to-day comms that would otherwise be made through insecure means, Signal is a major upgrade.  Signal is funded by donations and grants, and much of the work in developing and maintaining the app is done by volunteers.

Signal Private Messenger is free and available in the App Store and on Google Play.  For more information on Signal visit https://whispersystems.org/blog/signal/.

Private Internet Access for iOS

During the writing of Your Ultimate Security Guide: iOS I had the opportunity to work with a lot of products that I probably wouldn’t have otherwise considered.  One of these is Private Internet Access for iOS (affiliate link).  Though over the years I have used a virtual private network on my iPhone and other mobile devices, and I have used Private Internet Access rather heavily, I had never used the two together until recently.  The Private Internet Access app for iOS is one of the most convenient VPNs I have used to date and the VPN that I will continue to rely on for my phones.

Private Internet Access for iOS
The iOS app’s homescreen. The PIA app is incredibly easy to use.

The PIA app is a certificate-authenticated VPN which means that installing the app also installs an authentication certificate on your device.  VPNs of this nature can be set to be always on, rather than credential based VPNs which must be manually reconnected each time you unlock the phone.  Though certificate-based VPNs are notorious for draining batteries rapidly, PIA has found a rather ingenous solution to this.  Rather than remaining always connected to the VPN server (which is the reason “always on” VPNs are notorious for killing batteries) PIA does not always remain connected.  Rather, it drops the connection when the device goes to sleep.  Upon unlocking the device, though, data connections are blocked until the connection is automatically reestablished.  Though your battery will not last as long as it would with a very judiciously used credential (username and password) authenticated VPN, the security PIA provides is well worth the shortened battery life.

Private Internet Access for iOS
Some of PIA’s exit server options from the iOS app.

I have written previously about the security and privacy benefits of using a VPN.  Private Internet Access provides all of these benefits, including encrypted traffic to and from the VPN server and mulitple exit servers in mulitple countries to choose from.  As I have also written before, PIA also allows you a number of anonymous payment options including BitCoin and redeeming store gift cards.  Yes, store gift cards, meaning if you have an old Starbuck or Home Depot gift card with a balance on it you can cash it in for VPN service.  Not only does this give you a way to use those small balances left on those gift cards at the bottom of the junk drawer, it also allows even the low-tech a way of purchasing VPN service anonymously.

Private Internet Access stores NO logs, allows unlimited bandwidth and five devices connected simultaneously, and costs just $40/per year.

Tutanota Encrypted Email

I love encrypted email, and I love writing about it.  In researching the next book in the Your Ultimate Security Guide series, Your Ultimate Security Guide: iOS, I decided to give Tutanota a try and I’m glad I did.

Tutanota_logo

 

The name “Tutanota” comes from the Latin words “tuta” (secure) and “nota” (message).  Tutanota offers free, end-to-end encrypted email accounts.  No personal information at all is required to create an account, and account creation is allowed through the Tor network.  Tutanota encrypts your message including the subject line, and any attachments and stores all of your emails in an encrypted state.  When you log in with your username and password, an encrypted version of your password is stored on Tutanota’s servers for the duration of your session.  If you lose your password it cannot be reset.  Tutanota also allows you to send encrypted emails to non-Tutanota users

Tutanota is incredibly streamlined and user-friendly and Tutanota apps are available for both iOS and Android, and Tutanota also offers a premium level of service for €1 per month.  Premium accounts offers some expanded functionality including the ability to create and use up to five aliases (alternate email addresses), unlimited outgoing emails (free accounts are capped at 100 per day), and the option to use your own domain.  Both free and paid accounts offer only 1Gb of storage but more (up to 1Tb) will be available for purchase soon.

Unfortunately Tutanota lacks several features that most of us have come to expect in an email service.  First, it does not allow you to save drafts (and as a result does not have a “Drafts” folder).  It also lacks a search function and the ability to assign labels (an important feature for email power-users).  Because of this I see it being used only for exchanging encrypted emails and not a day-to-day, Gmail-replacement system.

Though I am a fan of Protonmail and have been using it much longer, I do like the look and feel of Tutanota and will work it into my daily email routine.

Why YOU Need a Virtual Private Network

Using a virtual private network (VPN) is an important part of strong digital security.  A VPN can accomplish several tasks.  First, it creates an encrypted tunnel to a remote server through which your traffic transits.  This means that anyone inspecting your traffic (from internet service providers to malicious hackers) will capture nothing but unusable, encrypted data.  For best security I recommend using the OpenVPN or IPSec encryption protocols.  Next, because your traffic appears to originate from a remote server your IP address is not correlated with your browsing.  This is important: if you visit a website that logs your IP address they can use the IP address to find your geographical location, your internet service provider, and all your visits to that site.  Using a VPN server that hundreds of other people also use makes you less distinctive and protects your physical location.  Lastly, VPNs can be used to help bypass geographical restrictions.  If you are in a country that blocks certain content you can use your VPN to connect to a server in another country, bypassing geographical restriction.

IPv6 Test

I recommend strongly against using free VPN services.  The recent story about a free VPN known as Hola! last week is an excellent reminder of why paying for a VPN is worth it: Hola! was selling the bandwidth of anyone who had their plugin installed, sometimes to malicious users who conducted botnet activity.  This opens users up to a number of security risks.  Free VPN providers have also been known to monetize by collecting and selling user information which defeats much of the raison d’être for a VPN.

To determine if your VPN is leaking information about you or how much information you are leaking if you are not using a VPN, Private Internet Access (with which I am an affiliate) has some helpful links.  They will test whether your DNS is leaked, if your IP address is leaked when you send an email, and if your IPv6 address is leaked.

Though I like Astrill, Private Internet Access, and WiTopia, there are pleny of great VPN options out there.  Most are under $100 per year and offer a great many features.  This is a very small price to pay for the disporportionate level of security and privacy they provide.