Posts Tagged security
Routers. Love ’em, hate ’em… you gotta have ’em.
There have been a number of router hacks recently, but one of the most dangerous vulnerabilities to come around (after the WPS hacks, a.k.a. reaver) is a UPnP issue that may make some routers not worth the money you paid.
The test is easy but the explanation is not.
Use this link to test your router: GRC’s Instant UPnP Exposure Test
Click on the button that says “GRC’s Instant UPnP Exposure Test”. You can also click the “Services” and then “Shields Up!” to do a full network test.
Currently, Google is reporting that many suspected hacking systems are starting to scan all IPs on the internet for this vulnerability.
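GRC’s test probes your router from the internet side. As an added example (not from the original post and not GRC’s code), here is a LAN-side companion check: it sends the standard SSDP M-SEARCH to the UPnP multicast group and lists every device that answers, flagging any that advertise the Internet Gateway Device profile (the one that lets hosts open ports on the router). The two reply strings are constructed samples; the router address and product name in them are made up.

```python
"""LAN-side UPnP/SSDP self-check (added example; not the original post's
code and not GRC's test). Lists UPnP devices visible inside your own LAN."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)

# Standard SSDP discovery request from the UPnP Device Architecture spec.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed sample replies (addresses and product names are invented).
SAMPLE_ROOTDEVICE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)
SAMPLE_IGD = (
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::"
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)


def parse_ssdp_response(raw):
    """Parse one SSDP reply (bytes or str) into a dict keyed by upper-cased
    header name. Returns {} unless the status line is HTTP/1.1 200."""
    text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else raw
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # blank line or malformed header
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def is_internet_gateway(headers):
    """True when the reply advertises the IGD profile, i.e. the router
    exposes port-mapping control to anyone who can reach this endpoint."""
    ident = headers.get("ST", "") + headers.get("USN", "")
    return "InternetGatewayDevice" in ident or "WANIPConnection" in ident


def discover(timeout=3.0):
    """Send M-SEARCH on the LAN and collect parsed replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                headers["FROM"] = addr[0]
                found.append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for dev in discover():
        flag = "  <-- IGD profile advertised" if is_internet_gateway(dev) else ""
        print(f"{dev['FROM']}: {dev.get('SERVER', '?')} {dev.get('LOCATION', '')}{flag}")
```

Run it on the LAN you want to inspect; a router that answers with the IGD profile is one whose UPnP setting deserves a look (most consumer routers let you turn UPnP off in the admin page). Seeing the service on the LAN does not by itself mean it is reachable from the internet, which is exactly what GRC’s test checks.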
If you are interested in more data on this let me know how I can help.
Should I change my password?
If you have asked yourself this question, you are ahead of the curve. Many people think of a password like a key that you make and keep forever. The only issue is, if we are talking about a key (an email or account password), then the lock is available to everyone in the world. This is why you have to have a good password.
The real bummer is that even if you create and safely store a password, other people (i.e. Sony, PBS, Fox.com, Gawker, and others) may have had their databases hacked and have shared your password (the one you used with them) with hackers.
These hacks are talked about all the time in the news and lately, I find myself tuning them out. That was before I found this website:
When I ran one of my old email addresses, I found that Lifehacker, back in December had their databases hacked. If I had used the same password on any other accounts…the hackers would now have a copy of my key.
Rule 1: Don’t use the same password for more than one account. If you want to know why… reread the above post.
If you are wondering how long your password should be….reread this post HERE.
More data: if you are wondering how this website knows that my email and password (used with the company that was hacked) had been exposed: these databases are hacked, sold, shared and eventually make their way onto the internet for free. This website checks your email address against these lists.
I deal with computer security almost every day and just found one of the most shocking lapses in judgment by a major corporation I have ever seen. It will have a huge effect on the security of many of this blog’s readers for quite a while to come.
Let’s boil it down for the non-nerds. If you have Verizon FIOS and they installed your modem/router (it comes with the service), your WEP key is being broadcast throughout the neighborhood. The secret code to connect to your internet is being sent to everybody in your neighborhood… wow.
Now for some details. If you have ever fired up your computer in a neighborhood, you have likely seen the new 5-character (for example H6196, 9RHUN) wireless clouds that pop up anywhere Verizon has FIOS. This SSID is unique and helps you find your wireless cloud. Verizon decided that since they were doing all this work setting up people’s wireless access points, why not use the MAC address of the modem and generate the SSID from it. This is an OK idea, but then, as is normal for any large corporation, they decided to shoehorn the idea into every aspect of the situation. They then used the MAC address to generate the WEP key as well.
Any user of Network Stumbler or Wireshark knows that the MAC address is broadcast along with the SSID. You take that 5-character SSID, run it through the JavaScript WEP calculator at (http://fioswepcalc.webs.com) and you will likely end up with the WEP key of most of your neighbors’ wireless networks.
Security through obscurity has been the modus operandi since the start of computers. At some point, if computer systems are to continue, companies that endanger their clients, lose client data or expose clients to data theft will have to be held accountable for poor security.
In real life trials, only half of the FIOS WEP keys were valid.
I hope to use the blog a bit more to document not only travel but practical issues and data. Unfortunately, most of the practical data I deal with would be categorized as nerd stuff.
First off, I want to explain the issue that will dominate the coming years when it comes to internet technology: Security and Encryption.
Security is an issue that is only lightly understood by most. Our bank has a username and password, PayPal has another password, Gmail or Yahoo has another password. We store these passwords on sticky notes on our monitor, have Internet Explorer remember them or use a password manager. KeePass is the best (open source) password manager.
Unless you use a password manager, your passwords are usually in this form: “GoReds!” or “1983Win!”. All of these passwords can be cracked easily using new methods that are advancing quickly. The only kind of password you should use for anything (even Hotmail or Yahoo) is alphanumeric and longer than 16 characters. Example: “k43uLK823JHjkasdFFf2fas43”. I probably just irritated you but it is true. Any “easy to remember” password can be cracked easily.
So, let’s just say that you want to secure your bank account, investment account or Gmail with a gnarly password. How can you do this without having to write it down where anyone who can read a sticky note can learn it? As stated, I use KeePass, but I wanted to show you another method.
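To put numbers behind the “GoReds!” versus “k43uLK823JHjkasdFFf2fas43” comparison, here is an added example (my code, not from the original post): it estimates the entropy of a password from its character classes, flags the word+digits+punctuation shapes that cracking rule sets try first, and generates a random alphanumeric password of the recommended length using the operating system’s secure random source. The 10 billion guesses per second figure is an assumed attacker speed, not a measured one.

```python
"""Password entropy estimate and generator (added example, not the blog's
code). The entropy figure is an upper bound: it assumes every character was
chosen at random, which a pattern password like "GoReds!" was not."""
import math
import re
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols
MIN_LENGTH = 17  # "longer than 16" as the post recommends

# Shapes that cracking rule sets try first (assumed, typical examples):
# word + optional digits + optional punctuation, or digits + word + punctuation.
COMMON_SHAPES = [
    re.compile(r"^[A-Za-z]+\d*[!@#$%^&*.?]*$"),   # GoReds!  Password1
    re.compile(r"^\d{2,4}[A-Za-z]+[!@#$%^&*.?]*$"),  # 1983Win!
]


def charset_size(password):
    """Size of the alphabet an attacker must assume, based on which
    character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation marks
    return size


def entropy_bits(password):
    """Upper-bound entropy: length * log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def looks_like_common_shape(password):
    """True for word/year/punctuation patterns that fall to rule-based
    guessing long before the entropy figure would suggest."""
    return any(p.match(password) for p in COMMON_SHAPES)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every possibility at the assumed guess rate
    (1e10/s is an assumption standing in for a GPU cracking rig)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(length=24):
    """Random alphanumeric password from the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    for pw in ("GoReds!", "1983Win!", "k43uLK823JHjkasdFFf2fas43"):
        bits = entropy_bits(pw)
        note = "  (common shape: real strength is far lower)" if looks_like_common_shape(pw) else ""
        print(f"{pw!r}: ~{bits:.1f} bits, {years_to_exhaust(bits):.3g} years{note}")
    print("fresh password:", generate_password())
```

The point the numbers make is that even the naive bound for “GoReds!” is under 45 bits, which an assumed 10 billion guesses per second exhausts in well under a day, while a 25-character random alphanumeric string is around 149 bits, far beyond brute force. The shape check matters because the entropy bound flatters pattern passwords: “GoReds!” is a dictionary word with a capital and a trailing “!”, a shape cracking rules cover directly.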
Yubikey is a product that was made by Yubico. They are currently on version two of the device and the prices have come down enough to justify getting one. I sent Art B one so he can test it in parallel with me.
Here is the device:
It is quite small, extremely durable and looks similar to the new minimalist USB drives.
Here is a great article if you want to learn more about its practical nature: “ReadWriteWeb”
I am going to focus on the questions that I had to find answers for.
- How much does it cost? $15-25
- Where can I read a simple “What is this doc”? Here
- Is the unit water proof? Yes
- Where can I find the config utility? Here
- How can I use the static password option without messing up the OTP? Here
- Where are the instructions? Here (not the best documentation I have read)
- Are there real world services I can use this with now? Yes
- What is a static password? Wikipedia
- What is an OTP (one-time password)? Wikipedia
More and more services are offering OTP authentication. Google, OpenID, osCommerce, MediaWiki and Salesforce are just a few who currently use Yubikey. Below is a quick video on how to use Google with your Yubikey.
How will I use my Yubikey?
I will start with the static password config and as I get confidence in the product/concept move toward Google Apps.
One issue that I have yet to resolve is the redundancy variable. What if I lose my OTP token?
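To show what a one-time password actually is, here is an added example (mine, not from the post, Yubico or any of the services named): the RFC 4226 HOTP algorithm, which is the counter-based OTP the Wikipedia entry describes, together with the time-based variant and a small server-side verifier. Yubikey’s own OTP format is a different, AES-based scheme, so this illustrates the concept rather than the device’s wire format. The verifier also shows one answer to the redundancy question: because each enrolled token has its own secret and counter on the server, a spare token is simply a second enrollment.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-safe verifier.
Added example; not the blog's, Yubico's or Google's code."""
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test secret ("12345678901234567890"); a real
# deployment generates a random per-token secret at enrollment.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP is HOTP with the counter replaced by the current time step."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


class HotpVerifier:
    """Server-side state for one enrolled token: the shared secret and the
    next counter it will accept. Codes are searched in a look-ahead window
    because a user may press the token without submitting the code; every
    accepted code moves the counter past it so it can never be replayed."""

    def __init__(self, secret, window=10):
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.window):
            # compare_digest avoids leaking match position via timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(RFC4226_SECRET, c)}")
    print("current TOTP:", totp(RFC4226_SECRET))
    server = HotpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first use accepted:", server.verify(first))
    print("replay accepted:", server.verify(first))
```

The first three counters produce 755224, 287082 and 359152, the published RFC 4226 test vectors, so the implementation can be checked against the standard rather than trusted. Losing a token in this model means the server still holds that token’s secret; the account owner needs a second credential (a second enrolled token or a recovery path) to get back in, which is the redundancy question the post raises.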
Let me know if you find value in the “nerd stuff” or only want to read travel stuff.