2/8/11

CISSP Obtained

It's been a while since I've connected with this blog, so I figure I should update it a bit. After roughly 8 months of study I tested for and obtained the CISSP certification. I view the certification as a rigorous process that covers many different facets of security. In my IT circle of friends I'm commonly asked about the exam's difficulty as well as what advice I could give to anyone interested in taking the test. I offer the tips below, collected both from my own experience and from helpful advice from others. This will be a little more advanced than my previous postings, so I apologize if it goes over some people's heads. Stay tuned, I plan on getting back into the swing of things with regular security updates.

The Exam:

The single most important thing when taking this test is to be prepared. One of the first things I set out to do was figure out what made the exam tick, so here are the basic stats:

You are given six hours to complete the test, and I clocked in at roughly four with my brain feeling scrambled.
The test consists of 250 questions; 25 are used for research and won't be graded.
At the time I took the test, it was a pencil and paper test. You were not able to take the exam via a computer like most tech certs, so make sure you are accustomed to the old Scantron/test book formula.
Six hours is a long time; you are allowed supervised breaks.
The test will be proctored, so there will be a person in front of you most of the time and possibly people walking around answering questions and monitoring.

Tips: Make use of breaks. After I went through the test book the first time I was feeling a little nervous and antsy. I took a restroom break and it helped dramatically to put me at ease. Within a few minutes my head was clear and ready to focus.

Eat a decent breakfast and try to get some sleep the night before. This is easier said than done when you are nervous about whether or not you've studied enough. The more rest you get and the better your breakfast, the better charged your batteries will be on test day.

Bring a snack. Although I didn't end up eating the one that I brought, it was nice to have it there just in case. If you are feeling run down and ready to bash your head on the table in frustration it's a good excuse to leave the test for a few minutes and refocus.

Network with people prior to the test start. Chances are you'll be early and surrounded by equally nervous/excited people; use this time to meet others, find out what they do for a living, and share some of your study methods. Networking is huge in IT security, and oftentimes more important than the cert itself!

Bring three or four sharpened pencils and a large eraser as well as a pencil sharpener. Likely you will be given pencils to take the exam; as one fellow said as they were passing them out, "This is the most expensive pencil I've ever bought!" But just in case, it's good to be prepared. I went through two sharpened pencils while taking the exam. By the time you are done marking the test book and Scantron you might go through as many as three. The psychological impact here is that you've taken care of all the ancillary worries, and are freed up completely to focus on the test. Don't forget your forms of ID and exam forms as well.

How to prepare for the exam:

This section is a bit subjective. We are all different learners, and what worked for me may not work for anyone else. I logged about eight months' worth of study time. Others bragged they prepared for less than a few weeks. Don't let the length of prep time discourage you. Since this test is pricey, it's better to err on the side of caution. It's possible I could have passed with only four months of study. Given the test schedules in my area, I made good use of the time between when I scheduled and test day.

I recommend the following books:

Shon Harris' CISSP All-In-One
The Official ISC2 Guide to the CISSP CBK (2nd edition at the time of this writing)

Go with the most current versions of the books that you can. I read them cover to cover, and if you need a cure for insomnia look no further...

I can't recommend one book over another as I felt that both overlapped in some areas but they also worked together to fill in gaps. It's a small investment when you consider the price of the exam.

I didn't attend any bootcamps, nor did I do any video training. Both were out of my price range, as I personally funded my exam and self-study. If you have the cash to front for video courses, I'd say go for it. It can't hurt anything besides your pocketbook. I've used CBT Nuggets for Cisco training and was quite pleased with how their system was set up. I can't vouch specifically for their CISSP videos, but they do a good job. I've been told that Shon Harris' videos are well done as well.

My personal feeling is to avoid bootcamps for this particular exam. There is just far too much material to cover to cram it all into a few days. I have heard people touting success after doing self-study and then using a bootcamp as a refresher shortly before taking the exam. So if you are dead set on it, it works as a good complement. Just don't use it as your only course of study.

Know the domains! No matter which method of study you use, learn the domains like you've learned the OSI networking model. It's so important that I'm going to list them below.

Access Control
Application Development Security
Business Continuity and Disaster Recovery
Cryptography
Information Security Governance and Risk Management
Legal, Regulations, Investigation, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security

Once you are armed with the CBK (Common Body of Knowledge) domains and have read through the above books, you can start to speed up your study methods.

Hit up http://www.cccure.org/ and invest in their practice tests. I was lucky, as back when I studied their practice test engine was free. It's a decent setup, with test questions written by the community to test your understanding of the CBK. This isn't an "actual test" engine; that would invalidate your certificate. Their forums are fantastic for answering questions and are a wealth of knowledge in and of themselves.

The practice tests are set up so you can pick which domains and how many questions you want. The important aspect is they break down your correct/incorrect answers within each domain. Weak in Operations Security? Hit the books and study a little more, then take a new test to see how much you've improved.

Be mentally prepared for the wait:

After you take the test, do you think the worst is behind you? Unlike computer-based exams, there's a wait period of up to three months for you to get your results back. If I remember correctly it took them six weeks to email me my test results. The wait is brutal. Do you study in case you failed? Do you relax since you were so stressed out over the ordeal? Did they lose my answer sheet? The wait was the worst for me, and I found myself checking my email constantly. Don't be me. Try your best to forget it, and enjoy the results.

Nothing beats that moment when you read the email that says you have passed. I'll probably remember it the rest of my life, and strangely it had a much more emotional effect on me than getting my Master's.

But you're not done yet:

The next part can be difficult or easy depending on whether you know a CISSP. You now must find a CISSP to vouch for you, review your resume, and validate that you have had five years' worth of full-time security experience in two of the ten domains. Chances are if you've been in the industry for five years this won't be a problem. If you don't have five years, you can still qualify as an Associate of ISC2 until you reach the five-year mark. The entire process is pretty painless, but it will take a few more weeks before you can send off for your certification.

Good luck everyone, it's a long but worthwhile journey!

7/17/09

Congrats to me!

After two years of studying over lunches and weekend/evening schoolwork, I have completed my Master's degree program in Cybersecurity.

I thought I would take this time to reflect on what the college did correctly and what they did incorrectly as far as presentation. Being in the security field, I wasn't interested in a typical MIS or MBA. I wanted something relevant to my field, instructed by people who worked in the industry. One of the difficult aspects of computer and network security, a profession in its infancy, is the lack of precise standards. In other professions you know your role: in accounting you have to balance the books, in engineering you develop and simplify, and mathematicians formulate and solve complex problems. Security is akin to MacGyver defeating terrorists with a shoelace, gum, lye, and an oscillating fan.

I was pretty surprised to find degrees focused on security. There's a simple reason for this: technology is constantly changing. New vulnerabilities are discovered hourly, and oftentimes it wouldn't make much sense to base a curriculum on the ever-changing world of security. If that were completely the case, however, all IT degrees would be worthless. We would have to prove our industry knowledge in certifications only, and reserve degrees for historians or other static professions.

I attempted to see what Sac State and Chico had to offer in the way of security degrees. The only programs I found at the time were generalized. My next step was to check for distance education. Holding a degree from University of Phoenix, I'm no stranger to distance-based education, nor to the stigma of being a distance education degree holder. I've always been into the current and developing methods of technological delivery, including social networks. (My original ICQ number was in the thousands.) I attended one of the first online courses that Phoenix had to offer, and determined two things that made me successful with this type of education.

1. You get out of the degree what you put into it. Yes, I found ways that I could be a completely lazy student and still manage to pass. However, this is no different than when I went to junior college. I could immediately tell the difference between students who were interested in learning to succeed in life and those doing the bare minimum just to pass. On one hand, I was frustrated to know that people carrying the same degree as I hadn't put in the type of effort it should take to carry the degree. On the other hand, I reported the shortcomings to the program directors, and oftentimes they would respond immediately with their thanks and change the systems. I've tried this in the past with brick and mortar; the best I could get was to talk to a secretary who put my ideas on a post-it and conveniently filed it in the trash can as soon as I was out the door.

2. I paralleled my education with work experience. The biggest benefit that I received from distance education was the ability to work full-time in career positions while attending school. I was able to apply what I learned in class to my job, and it further solidified my education. I was living what most people only learned about in classrooms, and had more on-the-job engineering experience than most engineers gain in their years in college.

So what did University of Virginia do right? Study materials were included with tuition. Oftentimes it is a nightmare to figure out the real expense of college. All of my materials and outside references were an expense incurred above and beyond tuition. It makes it extremely hard to budget. Back when I attended law school, I paid a huge tuition and then even more money for books. VCO provided all books and online services paid for with tuition.

A few gem classes, a few gem instructors. One thing that caught my eye about VCO is that the instructors had real-world experience and weren't just career professors. I had hoped that there would be more people from government agencies, because unfortunately it appeared that most of the instructors were just experienced with private entities.

Pretty consistent curriculum. The curriculum paralleled the CBK, aka the 10 domains of the CISSP certification exam. There were some interesting courses thrown in, such as Criminal Law and Profiling, so it wasn't completely technical. I enjoyed these out-of-bounds courses, and they helped give me a broad view of many aspects of professional security.

What VCO did wrong:

For roughly 75% of the courses, I had the same instructor. This concerned me because I know that in security you cannot possibly be an expert in everything. It was apparent in a few of these classes that the instructor knew quite a bit for one class, but was merely a facilitator for others. Having a different, experienced instructor for each course would have made me feel better about the quality of learning that I received. The experience wasn't as negative as it seems; whenever I had a complex question the Internet was at my fingertips. One of the things about a Master's program is that by now people should be educated enough to do their own research and come to their own conclusions. Back to rule 1 above: you get what you put in.

Interactive training was reserved for my last class. There were no network simulators, we weren't exposed to vulnerability assessment tools, and no labs. For classes like forensics, this type of hands-on approach is the difference between someone with real experience and book smarts. Thankfully I was already a security specialist and could apply what I learned at work. But for others, this might be a big con for you.

The community within VCO was pretty bland. You would expect people pursuing a Master's degree to be fairly animated about their courses. For every one person who would participate in discussions, there were seven people who had horrendous spelling, posted one-liners, or added to the discussion with suggestions that were completely impractical and against best practices. I labeled these people as those who just don't get "IT". I am glad that I put effort into my discussions and work, even though it seemed like much of it went over people's heads or unacknowledged.

I am glad that I went through the course, and will hang my degree proudly on my wall. It was a good experience for the most part, and I'm better for having gone through it. So I pat myself on the back, and look forward to keeping networks secure for our future.

4/30/09

Scam Alert - Swine Flu

Leave it to scammers to pick up on the latest disaster to incite fear amongst people. As a courtesy to Bad Astronomy I will upload here the image that he has on his site. Please send word to everyone: there is no homeopathic cure for swine flu!

3/23/09

Fake text messages

If you've begun to understand the world of the smartphone, some of its features may oftentimes go overlooked depending on what type of phone user you are. These days phones come equipped with SMS, which stands for Short Message Service, otherwise known as "texting" or often talked about as text messages. Since I personally own an iPhone, it's not often I'll find myself using SMS. It's just one of those features I'm not that into, since I can usually communicate with my friends via instant messaging. So I was surprised when I received a cryptic message from AT&T about account information.

I found out later that the text was a scam to try to get people to respond and provide personal information. Whenever you get something out of the ordinary, never go with your first impulse to respond and provide more info. Instead, contact your cell phone carrier directly and question them about it. It is important that you use a number off of your billing statements, and not any contact information provided in the message itself. There is just no telling whether that information is accurate.

3/11/09

Falling behind in cyber warfare

I came across an interesting article today: The Battle Over Cybersecurity

It talks about the arguments that the NSA and the Department of Homeland Defense have about taking on cybersecurity. Cybersecurity is an interesting term, and as discussed in the article it really deals with protecting against cyber-terrorism. There are currently organized crime rings in China and Russia dedicated to taking down America's financial sense of well-being by attacking various points of interest that we've come to rely on now that our monetary system is virtually paperless. Sadly these two countries are leaps and bounds ahead of us when it comes to experience and methods of intrusion.

The major problem we currently have is a resource problem. Investigations are being processed by local agencies, state agencies, and federal agencies. The problem for local agencies is that often these crimes are committed by people overseas utilizing compromised systems as hosts. Everyone out there who has malware installed on their computer has directly contributed to terrorism. On a federal level, the agencies continue to fight for jurisdiction, and each may hold a piece of the puzzle without communicating with other levels. This is a huge weakness within the system. The less people communicate, the easier it is for criminal computer hackers to get away with their activities. The crime rings are organized and often have the backing of the government that protects them; in order to succeed in security we too must be organized and cooperative across all agencies, from the local police who may not have the technology resources to conduct proper forensics all the way up to the level of the FBI/NSA/DoHD/DoD.

If we know it: Government Needs to Get Its Cybersecurity In gear

The criminals definitely know it.

1/27/09

How not to lose your shirt on craigslist (Unless you're selling it)

With these hard economic times it makes sense that more people are looking to sell items on Craigslist or other online yard-sale or auction sites. For the most part you are safe so long as you observe a few of the following safety tips.

A person may try to contact you with the following scam: "Hey I noticed you are selling yyyy item, the crazy thing is that I have a cashier's check but it's $100 more than what you're asking for. If you're willing to cash the check, and give me the remaining amount I would be glad to buy your item."

The cashier's check is counterfeit, and by the time the bank figures this out you are out the $100 deposit, the item you were selling, and the amount that you paid to the scammer.

Tip: When selling on Craigslist or other classified advertisement sites, deal in cash only unless it is absolutely someone you trust. Cashier's checks cost about $2 - $5, so there's no reason why a person could not cut a check for the exact amount. Even then, you should arrange for the check to clear (up to three weeks) before handing your item over to the buyer. Cash is always better.

eBay: a few days before your auction ends you receive an email: "I will be willing to pay you double what you are asking if you close the auction and use a different pay site to purchase your auction." This can also work in reverse, where you bid on an item and the person offers to end the auction early if you use a different pay site. PayPal insures your purchases against fraud; if you use a different payment site you could very well be out of your item and your money.

Tip: Always pay or collect payment via trusted and guaranteed methods. Check your credit card terms to see how much they restore if you are the target of fraud. The major credit card companies give 100% back with a few conditions. If you pay with a regular debit card, you may lose out. If you fear you are the target of a fraudulent purchase, don't hesitate to contact your credit card company. The sooner you catch it, the faster the process goes. I've personally been through the process three times.

Yet another Phishing alert

NCUA brings us news that there are scammers out there trying to take advantage of instability concerns about the Federal Reserve (PDF). Ignore any official-looking NCUA / FED letters; they apparently contain links that will attempt to install malware on your system. Remember to share this information with your friends.

1/26/09

Social engineering attacks in full-force 2009

2009 may very well become known as the year of fraud. Within only the last month we've watched as big-name Twitter accounts were compromised, a worm attack spread, and any number of phishing attempts went out.

I say this not to scare you, just to recommend that everyone keep their SINRR tuned up and ready.

How do you prevent these recent attacks?

Knowledge is power. Make sure that your systems have the latest updates to protect from worm vulnerabilities. I know this isn't a catch-all, but you'd be surprised at how much damage control this helps with when a new worm springs up.

Keep an ear to various news sites. I personally go to about three or four consumer related security sites on a weekly basis. I was alerted to the NCUA scam by a co-worker, and from time to time I pass important information to colleagues just to keep them in the know.

If you click a link and it asks you to log in, double-check the link at the top of your browser. Phishing starts with the redirection of your personal information to a place you don't want it to go. Always double-check your URLs to make sure you aren't somewhere other than where you expect to be, especially if you've already logged in and are once again being asked for a password.

When in doubt, don't give your information out. Ask yourself whether or not convenience is worth the time and expense it takes to recover your identity.

1/21/09

Large scale credit card attack exposed

As many of you may have heard by now, Heartland Payment Systems has released news that it has been the target of an attack in 2008. What does this really mean to a regular person? A payment processor is a company that works as a middleman between credit card transactions and financial institutions. When you swipe your card at a restaurant it likely goes through a third-party validation process before Visa or the debit card companies collect the money from your account for the transaction. It is basically the person who says "Hi there, this person wants to give money for this item/service, let's make a deal!" What that also means is that a large volume of credit card information gets sent to Heartland's servers for processing.

Software targeted specifically to lift magnetic stripe data made its way into their transaction servers and began to send this data to a third party. Because proper reporting mechanisms weren't in place, the company had no idea this information was being beamed to another location. As such, it is estimated that 100 million transactions have been lifted. This is quite a bit more than the estimated 94 million accounts compromised by TJX.

Should you be worried? Luckily track data on credit cards doesn't give out much information. Really the only thing that is on your magnetic stripe is the account number and some other bits of information processors need to create a transaction. Essentially they can duplicate your credit card. What they don't have is your PIN, the verification code on the back of the card, or any personal information more than your name and possibly address.

Your course of action? Watch your purchase statements closely on any of your credit/debit cards. If you see transactions you didn't authorize call your bank/credit card company and have them freeze your account immediately. If a transaction from your card number was logged, Heartland is likely notifying your issuer and you may see a new card created in the near future.

Oftentimes these card numbers are sold, and it could be months before someone even attempts to pull money from the account. A new card issued to you will remedy the situation.

1/6/09

30 Minute Security -- Phishing

Phishing has been around for quite some time now. I don't have a lead on the early history of phishing, but academically I'm sure I'll learn where it originated just to have an anecdote to talk about in class. Phishing is the use of social engineering paired with technology in its simplest form.

The Con:

It's 7:30am and you log on to your email for the first time in the morning. Your head is fuzzy from all the partying you did the night before and the screen comes to you in a blur. You see a new e-mail from your bank marked urgent and all caps IMPORTANT NOTICE ABOUT YOUR ACCOUNT! This very authentic email notifies you that your bank has closed your account due to a security incident. You are shocked and immediately click the link on the web site or call the number. You are so distraught about your account (I have to go grocery shopping, I need the co-pay for my medical today, I have bills to pay!) that you don't notice that the redirected web page takes you to an unrelated site, or the shady foreign accent you hear over the phone (most call centers are outsourced anyway right?). In order to "authenticate" you, they ask for your SSN, Address, Mother's Maiden name, credit card number, pin, ID number from the back of your card.

"Thank you sir, your account has been reactivated." is all you hear, or when you click submit to the page, perhaps you get a 404 not found error. You've just had your identity stolen.

How it works:

This type of social engineering attempt plays on your fears of change and hectic lifestyle. There is nothing more inconvenient than all your finances screeching to a halt, and not having access to your money. This is exactly the atmosphere the fraudster wants to create. You bypass some level of logic when you are in panic mode, and don't stop to verify the telephone number or web site address before entering your information in order to get your money back.

How to fight this con:

When you see an E-mail message that disturbs you to this extent, sit back from your computer and first take a deep breath. The important part of determining if an email is legitimate is taking a few steps before acting on instinct.

Step 1: Is it even a bank account you have? Phishers send out a massive email to a list of people that they've culled online. Many of these e-mails tend to target public entities because email addresses are posted on the public web site. If your address exists somewhere on the WWW, it's safe to say it will be farmed and you will be targeted by emails like these until the end of time. If it's not even a bank you have an account under, that's the first clue that the email is a scam.

Step 2: If it is your bank, ask yourself why an e-mail was their first communication to you. Something as serious as an account closure will usually warrant a phone call, a letter via postal service, and possibly not even a notification until you use your card, find it expired, and you are forced to contact the bank on your own. You should never call or click links provided in emails that ask for personal information. Instead use the 1-800 number on the back of the card, or use the contact information provided by the bank when you open your account.

Step 3: Don't give out all your information unless you are positive you are talking to the correct people. All companies will have to verify that you are who you say you are, but usually they won't ask you for super sensitive information. Perhaps the last four digits of your Social Security number, or the secret questions you set up when you created your account. One good verification question is how much you paid on your last monthly statement. A legitimate place should never ask you for your full information.

The big thing in this situation is not to act on impulse. Step back from the situation and ask yourself how you can shape it to what feels comfortable to you.

1/1/09

Good guys vs. Bad guys

I came across a really good read this morning as I browsed through my Wired magazine. The article itself is pretty long, and filled with the kind of stuff that keeps a security guy awake at night. I read the article and proceeded to take my first "strive to lose some weight for New Years" walk, with the story fresh in my mind and I began to mix pieces of the article around to determine what was eating at me, and what I wanted to get out of reading the story. Ultimately I thought about how the guy in the article, Max Butler started out making $100/hr helping companies secure their networks.

I've always viewed computer security along the same lines as a serial killer profiler. In order to be a hacker, you ultimately have to think like a hacker. This includes using the same tools and methodologies of hacking. Now I'm not saying that FBI profilers go around killing people, but you really have to climb into the mind of a criminal to understand how and why they do what they do.

Ever since I stumbled on fraud prevention I knew that helping protect people is what I wanted to do. So I am drawn to these articles that make you toss and turn at night wondering if your finances are safe. Here we have an example of a person who found computer security interesting, but moved over to the dark side. The article dives a bit into the psychology of the guy, so maybe something about the environment that he was raised in caused him to bridge the gap between security and felony.

While walking I visualized my path alongside Max Butler's path. I could see two parallel roads that we both walk, making sure things are safe and secure. As I approach the white picket fence of completion, there's no urge to jump over the roadblock and break into the house at the end of the road. The good guys and bad guys follow the same path, but the major difference is that the good guys are content with the destination and results, whereas with the bad guys there's always more to push, further to go.

Does jail time really work as a deterrent from fraud? It's hard to say. I've had many bad days at work where I've thought that the total lack of responsibilities in jail would seem like a vacation. Granted, it's not the best environment, I'd stick out like a sore thumb, and I'm sure the food is terrible. But for those of us who are constantly on alert and questioning other people's motives and actions, breaking away for a chunk of years would feel like a vacation. To use the serial killer metaphor once again, deep down inside there's a need to be caught and punished for their actions.

I enjoyed the article and it was fun to work it around in my mind a bit to help me understand the bad guy vs. good guy scene. Interestingly enough, the more I learn the better I can help others protect themselves. It's a crazy world we live in.

Have a happy and fraud-free New Year. With the economy the way it is, cyber crime is going to reach record highs. It's all about making sure you aren't the low-hanging fruit.

10/30/08

Magazine Resubscription Scam

As a geek in touch with geek-like things I obviously hold a subscription to Wired Magazine. Through their web site, I got in on a pretty good deal for a 2-year subscription to the magazine. So imagine my surprise when an Email found its way to my inbox stating that my subscription was about to expire.

One of the first things you should learn in personal computer security is your "Something is not right radar", aka SINRR. As you begin to look at your correspondence with a more scrupulous eye, your SINRR will throw out small volts of mental electricity that have you saying "Something is not right here!" In my case, my SINRR is pretty honed from all my past experiences. The largest telling sign for me is that my magazine isn't due for a resubscribe for another full year. (If you have so many subscriptions you can't keep track, you can easily check your mailing label to identify how many magazines you have remaining.)

With my mental alarms going off, I clicked on the "From:" area to view the full email address. It was masked as Wired Subscription Department; however, when I looked at the whole address it showed up as wired@ashtech.com. Somehow this third party farmed my email address and sent off this subscription notice, which was significantly more expensive than if I purchased the subscription directly off the Wired web site. This kind of thing doesn't just happen with magazines. I've come across scams to register for class action lawsuits, which redirect you to a site asking for personal information.

How do you protect yourself from these scams? Many sites offer a few tips, and I will of course impart my own wisdom.

Look at the sender's email address. Does it look legitimate? Google the address and see what comes up. Often you will find forum posts of other people wondering what the sender is all about.

Ask yourself if the email is timely: did it come as a reply to correspondence that you've recently sent out? If you are expecting the email, it is likely legitimate. If it comes out of the blue and has you confused, it is likely a scam.

Does it ask for personal information? Consider that the magazine you've subscribed to already has your name, address, phone number, and credit card or check details. They do not need the information. Many scams now ask you to "verify" that it is indeed you by asking "security questions". Do not answer these questions unless it was you who contacted the company. Also make sure that the contact information you have is legitimate and pulled straight from the company's web site, not from some redirected URL.
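The first tip above (the display name says one thing, the real address says another) is easy to check by hand and just as easy to automate. The following is an added example written for this post, not code from the original; it uses Python's standard library to pull the real address out of a "From:" header and compare its domain with the domain you expect from that sender. The sample headers and the expected domain are constructed for illustration (the ashtech.com address is the one quoted in the post above).

```python
"""Check the real sender address hiding behind a friendly display name.

Added example, not part of the original blog post. The headers below are
constructed samples; the expected domain is an assumption you set per sender
(for a magazine, the domain of the web site you actually subscribed through).
"""
from email.utils import parseaddr


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Return (display_name, address, domain) parsed from a From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name, addr, domain


def check_sender(from_header: str, expected_domain: str) -> list[str]:
    """Return a list of warnings; an empty list means the address lines up."""
    warnings = []
    name, addr, domain = sender_parts(from_header)
    expected = expected_domain.lower()
    if "@" not in addr:
        return ["no usable address in From: header"]

    # The post's case: the friendly name says "Wired", the address domain does not.
    # A real subdomain of the expected domain (mail.wired.com) is accepted.
    is_expected = domain == expected or domain.endswith("." + expected)
    if not is_expected:
        warnings.append(
            f"display name {name!r} but address domain is {domain!r}, expected {expected!r}"
        )
        # Lookalike trick: the expected name appears inside a different domain,
        # e.g. wired.com.example.net, hoping you stop reading after "wired.com".
        if expected in domain:
            warnings.append(f"domain {domain!r} contains {expected!r} but is not it")
        # The brand in the mailbox part (wired@...) proves nothing about the sender.
        brand = expected.split(".")[0]
        local_part = addr.split("@", 1)[0]
        if brand in local_part:
            warnings.append(f"brand name in mailbox {local_part!r} does not make it legitimate")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the post's renewal scam versus a genuine-looking sender.
    for header in (
        '"Wired Subscription Department" <wired@ashtech.com>',
        "Wired <subscriptions@wired.com>",
        "<notice@wired.com.example.net>",
    ):
        print(header, "->", check_sender(header, "wired.com") or ["looks consistent"])
```

Run it with a header pasted from your own mail client; the point is that the text inside the quotes is whatever the sender typed, while the part inside the angle brackets is what your SINRR should actually be reading.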

With the economy getting so rocky, many scams are popping up in the wild as people become desperate for money or try to take advantage of other people's worries. Hone your SINRR, and use it often.

9/17/08

Becoming a Mark in San Francisco

This blog will not only deal with computer security but also with fraud and social engineering. As an introduction, I'll give you a personal story about how I left myself vulnerable and embarrassed.

I was exploring Fisherman's Wharf with a vacationing friend of mine. As in most cities, as the evening begins to take over the tourist shops close up and the seedier side of the city comes out. We were walking along some of the more permanent shops on the Embarcadero when we came across a group of men lounging about. I wrote them off as typical street performers, but instead of walking past I made eye contact with one guy. That was my first mistake. With a camera around my neck, I was obviously a tourist and an outsider to the area. As soon as I made eye contact, he started right in.

"Would you like a shoeshine?" I said no, and as we attempted to get by (we almost made it) he caught my attention with another statement: "I can show you a trick." I'm normally curious about people, and for some reason that stopped me. I nodded for him to go on, curious and a bit amused. "I bet you that I can tell you where you got your shoes." This piqued my curiosity even more. Not quite sure what to say, I told him to go on. "I can tell you where you got your shoes, here let's shake on it." My impulse was not to make physical contact, but he reached out and shook my hand as everyone around him watched. Now I was obligated, and that was pretty much my last mistake.

He stepped back and then said "You got your shoes, on your feet!", then swooped in, put shoeshine goop on my shoes and began cleaning them. Suckered out of $20. As I left, he dealt me another blow to the ego: "The shine was free, you paid for an education."

You know, he was actually right. It helped me understand the phases of a con: preying on curiosity, disbelief, and a trick that has little to no payoff. Added to that was a false sense of obligation, and catching me off guard quickly. I'll always remember that encounter, and frankly it was worth the $20 "shoeshine" for what it taught me.

First: Never make yourself look like a tourist. I had a large camera around my neck, and I was looking around at the sights and sounds as if I were a vulnerable target. Now I've switched to a small, pocket-sized camera.

Second: Never acknowledge a stranger who has more to gain from an encounter than you do. You see this in Las Vegas with the guys who hand cards out on the sidewalks. If you make eye contact, or start a conversation by saying "No thanks", there's no telling how quickly you'll end up with a card in your hand.

Third: If they are with a group of people, it can be even more dangerous. Best case, they'll chide you if you walk off without living up to your end of the deal; worst case, they'll take you down an alley.

Fourth: Never find yourself in an unfamiliar place at night; not only is it creepy, but dangerous as well.

Thankfully my encounter was fairly harmless, and this type of con has gone on for hundreds of years. I watched a show about old-time freak shows, where they played these types of tricks on people. It just goes to show that no matter how old the con, there are always people unprepared to deal with the situation.

9/11/08

Securing your Wireless Connection Part 2

I apologize for such a big break between blog postings. In the future I'll make my posts shorter, as I realize the last post was quite a bit to register all at once.

But at least we have the definitions out of the way, and can now work towards a proper wireless configuration.

Items to disable:

SSID broadcast: as long as you know the name of your access point, you can manually configure your devices to connect to it. Disabling the SSID broadcast will keep everyone in the neighborhood from seeing that you have a wireless router.

Web-based configuration from the outside: this is actually more of a port setting on the router. You never want to expose a login/password screen to anyone on the outside network. This opens up an avenue where a hacker could use automated scripts to attempt logins to your router over and over until it hits on your password.

Items to enable:

WPA encryption: although a little more complex to set up, WPA is far more advanced than WEP, which can be cracked in a short period of time. I say this because once WEP is cracked, a hacker has access to all of your computer sessions on the network. I have noticed that devices such as the Nintendo Wii and DS only connect using WEP; if you have to go this route due to limitations of your wireless devices, make sure that you have a fairly random and complex WEP key. Steve Gibson has an excellent random number/password generator that will produce one for you.

MAC address filtering: this step is optional but offers more control over your network devices. Every network-enabled device has a MAC (Media Access Control) address, which is unique to each device. Check your network device documentation to find the MAC address, add it to the allow list, and only machines with those addresses will be allowed onto the network. This is a huge undertaking for a large-scale network, but pretty manageable on a small home network. MAC addresses can be spoofed; in other words, a person with the right software can make their device's MAC appear to be the same as another device's. For that to get them into your private network, they would have to actually know the MAC addresses on your allow list. So long as you aren't broadcasting this information, you'll be safe.
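The four settings above make a short checklist, and the one piece that is easy to get wrong by hand is the "fairly random and complex" WEP key. The following is an added example written for this post, not the blog's own code or any router vendor's tool: it audits a constructed router configuration against the checklist (SSID broadcast off, remote administration off, WPA rather than WEP, a populated MAC allow list) and generates a random key with Python's `secrets` module in place of an online generator. The `config` keys are assumed names for whatever your router's admin page shows, not a real configuration format.

```python
"""Audit a home router's wireless settings against the post's checklist.

Added example, not part of the original post. The `config` dictionary is a
constructed stand-in for a router's admin page; its key names are assumptions.
"""
import secrets
import string
from collections import Counter

# Hex digit counts for the common WEP key sizes: a "64-bit" key is 40 secret
# bits (10 hex digits) and a "128-bit" key is 104 secret bits (26 hex digits).
WEP_HEX_LENGTHS = {64: 10, 128: 26}


def generate_wep_key(bits: int = 128) -> str:
    """Return a random hex WEP key of the given nominal size (64 or 128)."""
    return secrets.token_hex(WEP_HEX_LENGTHS[bits] // 2)


def generate_wpa_passphrase(length: int = 20) -> str:
    """Return a random WPA passphrase of letters and digits (8 to 63 characters allowed)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wep_key_is_strong(key: str) -> bool:
    """'Random and complex' in the post's sense: full length, hex only, and not a
    repeated (aaaaaaaaaa) or sequential (1234567890) pattern."""
    k = key.lower()
    if len(k) not in WEP_HEX_LENGTHS.values():
        return False
    if any(c not in string.hexdigits for c in k):
        return False
    if len(set(k)) < 5:  # hardly any distinct symbols at all
        return False
    # A sequential key has the same step between nearly every pair of digits;
    # reject a key where one step accounts for half or more of the transitions.
    steps = [(int(k[i + 1], 16) - int(k[i], 16)) % 16 for i in range(len(k) - 1)]
    most_common = Counter(steps).most_common(1)[0][1]
    return most_common * 2 <= len(steps)


def audit_wireless(config: dict) -> list[str]:
    """Return the checklist items a configuration fails; empty means it passes."""
    findings = []
    if config.get("ssid_broadcast", True):
        findings.append("SSID broadcast is on; disable it and configure clients manually")
    if config.get("remote_admin", False):
        findings.append("web administration is reachable from the outside; turn it off")
    mode = config.get("security", "none").upper()
    key = config.get("key", "")
    if mode == "NONE":
        findings.append("no encryption at all")
    elif mode == "WEP":
        findings.append("WEP in use; use WPA unless a device forces WEP")
        if not wep_key_is_strong(key):
            findings.append("WEP key is short, non-hex or patterned; use a random key")
    elif mode.startswith("WPA") and len(key) < 8:
        findings.append("WPA passphrase is shorter than the 8-character minimum")
    if config.get("mac_filter", False) and not config.get("mac_allow_list"):
        findings.append("MAC filtering is enabled but the allow list is empty")
    return findings


if __name__ == "__main__":
    # Constructed sample: a router still on factory-style settings.
    out_of_the_box = {"ssid_broadcast": True, "remote_admin": True,
                      "security": "WEP", "key": "1234567890"}
    for finding in audit_wireless(out_of_the_box):
        print("-", finding)
    print("fresh WEP key:", generate_wep_key())
    print("fresh WPA passphrase:", generate_wpa_passphrase())
```

The pattern test is deliberately simple; it exists to catch the keys people type from memory, not to measure entropy. If you generate the key with `generate_wep_key` or `generate_wpa_passphrase`, it will pass by construction, which is the point of letting software pick it.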

That's it for now. I'll continue to add configuration tips throughout the blog, but will try to work with quick and to the point posts from now on. I'll be glad to answer any questions that you have.

2/8/08

Securing your wireless Internet Part 1

How's this topic for an introductory subject? There are often times when I'm explaining something about computer technology to another person where I have to stop and do a reality check. Let's face it, we're not all computer experts/engineers/techs. I've spent many years working with PCs and being security-minded when it comes to configuring things, and I still cannot honestly tell you I know everything about anything. One thing I imagine gets a ton of blank stares is explaining home wireless network security.

Say you are a regular computer user. All you want is something you can plug in and have it work right off the bat. I don't blame you. How much time during the day does a person have to sit down and fiddle with settings, learn tech terms, and just overall want to deal with a part of their life that would otherwise be spent doing something like surfing porn or entertainment weekly? The problem is that pulling your wireless router out of the box and plugging it in without giving any thought to security is akin to inviting a crack-head homeless man into your home to help you unwrap your expensive wedding gifts. I'm for free love and trust amongst neighbors and all that jazz, but would you really let anyone fumble around in your underwear drawer from off the street? I didn't think so.

WEP, WPA, WAP, SSID, Remote Access, 802.11 a/b/g, bluetooth, wifi, Broadcast range, channels, Authentication, default password, firewall, NAT, MAC address filtering, Wardriving, Net Stumbler, aircrack. What the hell is all that mumbo jumbo? You'd figure that something a person could just pull out of a box and plug into their home network would be far more understandable than this geek speak garbage. You would figure that there would be much easier to understand instructions, or a separate manual in the box that describes proper security practices for home wireless network connections.

Often wireless manufacturers include a small flyer reminding you to change the default login password. Although sound advice, they really don't go into details as to how exactly to accomplish that goal, not to mention that there is no explanation of why you should change this password. If I found one of those pieces of paper in the box as a typical user, I would probably discard it, thinking it was just like all the other similar spam that comes inside electronic packaging these days. As a computer geek/nerd/fool, I open quite a few boxes of electronic goodies. I remember one time I discovered an insert marked ATTENTION!! in bold red words. Thinking that it was a security advisory, I continued reading about how the purchase of this product entitled me to $5.00 off some crummy software. Oh joy! Marketing people are brilliant. Desensitize the consumers even more towards reading the important inserts.

The reason I'm making this a multi-part blog is that wireless technology is quite complex and confusing. In this first post, I'll define all those words above (hopefully in an easy-to-understand way). The second part will go over exact settings that you should put in place to make your wireless connection as safe as it can be. I have to insert a frustrating disclaimer here: "as safe as it can be" is worded that way for a very specific reason. You can never be 100% secure when it comes to this stuff. Bad guys are constantly looking for ways to bypass/break/utterly destroy the system. What are secure best practices today can easily become laughable the next day. I apologize for that, but that is the way it is and there's nothing you or I can do about it, save throwing all your electronic devices away and living with the Bushmen. But at that point you have to worry about malaria, polluted water, being exposed to the elements, and never having an iron around when you need it.

So without any further pomp and circumstance, I present you the definitions.

WAP, Hotspot, Wireless Router: These terms are generally interchangeable as long as you keep it non-technical. WAP stands for Wireless Access Point. The term hot spot is generally used when you are connected to someone else's wireless connection, i.e. Starbucks, hotels, colleges. Wireless Router is what you purchase and install in your own home to provide wireless access. These are all terms for points of entry where wireless networking is concerned. It is the brains and hardware behind allowing you to watch youtube videos while you are outside spying on your neighbors. Some familiar names in the industry are Linksys, Belkin and D-Link; if you are especially loaded and are running some type of MMOG gold farming sweatshop in your basement, you may even have a Cisco WAP. Some brands of wireless routers are so popular that setting up your router can lead to some confusion. The reason for this confusion is that routers come to your home set to factory defaults. Factory defaults is just a fancy way of saying that they are all configured the same way. That's right! Every single Linksys WRT54G model router has the exact same username and password. There are lists out there of these passwords, which means that some schmuck off the street can drive up near your house, log into the router and lock you out of using it. More on this later.

SSID: Simply Seductive Indoor Diaper? Store Supper In Disposal? Good guesses, but not quite. SSID stands for Service Set Identifier. SSID is the Marco Polo of the wireless world. It continually shouts out "Marco!" and your laptop climbs out of the water and heads over to the lounge chair and giggles as the poor access point struggles to find it. Okay, not quite. The SSID is the signal sent out into the open air that broadcasts the access point's existence. There are also lists of default SSID names. If you have a laptop with wireless enabled, sometimes you might see a little pop-up bubble in the lower right-hand corner of your screen that says "Wireless connection found." This is because your laptop discovered a WAP with SSID broadcast enabled. The SSID forms part of what we geeks like to call extending a handshake. And it is just like it sounds.

"Hi there, I'm Wireless Access Point!"
"Pleased to meet you WAP, I'm a wireless enabled laptop."

802.11 a/b/g/n, wifi, bluetooth, Airport Extreme/Express: These are wireless standards. Wifi is actually the same as 802.11 a/b/g/n, and Airport Extreme is actually 802.11n. Confused yet? Yeah, me too. I once failed a job interview miserably when I couldn't name the different speeds and ranges for 802.11a, 802.11b, 802.11g and 802.11n. That's the sort of thing you can easily reference online if you really want to know about it. But if you're being chased down by a lion, spouting off useless terminology is not really going to save your life now, is it? What is a standard? If you think all that crap listed above is confusing, imagine if there were no standards: trying to figure out wireless communication would be like row-boating backwards up a cattle ramp while figuring out every palindrome in the English language. I don't want to get into too much detail about what each term means, but the idea is that a, b, g, or n all refer to various ranges and speeds of connection. Bluetooth is not the same thing as 802.11 a/b/g/n; it is shorter range and is currently only useful for peripheral devices: wireless headphones, ear pieces, keyboards, mice, that sort of thing. Wifi and 802.11 a/b/g/n are the same thing. Airport (n) is Apple's naming convention for their own wifi, and is generally interchangeable with any of the letters listed after 802.11. I apologize, it's all very confusing and there is no real way to simplify it. 802.11g is the most popular WAP standard out there, with 802.11n being the latest and greatest out to the consumer. If you've purchased a WAP or are thinking about purchasing one soon, these will be the two standards you see the most.

WEP: Stands for Wired Equivalent Privacy. In older wireless devices, security was kind of a thing thrown in as an afterthought. Sort of like the way a man has no problem throwing a red shirt in the wash with socks until after the damage has been done. In the security world WEP is the red shirt (if you think about it, this could have Star Trek connotations as well). Unfortunately it is also the most commonly recommended way to "secure" your wireless network. In most wireless interfaces it asks you to put in a word or two, and it then outputs three seemingly random codes. When you connect a wifi device to a WEP-secured WAP, it will ask you to input one of these codes. The problem is that it ends up being about as secure as a chain lock on a door.

WPA: Wi-Fi Protected Access. This is WEP's big brother. More secure, but unfortunately not built into many network appliances. (Nintendo's DS and Wii can both only authenticate using WEP, forcing users to downgrade their WAP to WEP.) One of the advantages of WPA is that it allows for far more characters in the authentication key. We will get into this later.

Broadcast range: Remember earlier where I failed to simplify the wireless standards? Broadcast range is one of the variables between different standards. It merely means the range at which a WAP can send out a signal. Imagine a cloud around the access point. As you increase the broadcast range, the cloud grows larger. A large broadcast range is helpful for large houses, or for people who want to use their computers in the front or back yard (why anyone would want to use a computer outside instead of enjoying the weather is beyond me). Having a large broadcast range isn't always the best thing; if you live in California with its small, overpriced lots, you could potentially be sharing your Internet access with 40 families. Of course those 40 families live in one house, as that's the only way you can afford to live here these days.

Channels: Wireless Access Points share many of the same frequencies with other appliances in the home. Your microwave, cordless phone, and mother-in-law all give off radio waves that interfere with your wireless connection. Although you can send the mother-in-law away to a care home, tossing out your cordless phone or microwave is probably too much for you modern suburban trailblazers. When you get crummy reception on your cordless phone, you have probably noticed that you can switch channels within your GHz band. The same concept applies to your WAP. Some of the newer technology will actually switch channels on the fly once it detects a drop in quality.

Wardriving, Net Stumbler, aircrack: These are terms in the bad guy realm, although they are also legitimate tools and techniques to assess your own security at home. Wardriving is based on the old-school term wardialing. That is where a computer would dial sequential telephone numbers until it came across a computer that would answer the telephone. In wardriving, a person drives around with their laptop and discovers WAPs that broadcast their SSID. With a bit of common sense and a few tools such as Net Stumbler, a wardriver can determine how secure your wireless network is and possibly access your router and change settings. Net Stumbler is a tool that identifies WAP signals and attempts to give as much information about them as possible. Aircrack is software that is designed to break WEP encryption after a certain amount of data has been captured.

Firewall, NAT, MAC Filtering: Once again I put these all together. These are some of the good-guy technologies. Firewalls and NAT really don't apply much to WAP security, but I'm all about balance, and wanted three good technologies to balance out the bad. MAC stands for Media Access Control. Without getting too technical, this is the fingerprint of a computer. Every network device has a MAC address. If you want to see your particular computer's address (Windows users), click Start, then Run, and next to Open: type cmd. This will open a black window on your screen that we geeks call the command prompt. If you type ipconfig /all and press Enter, a bunch of stuff will flash on the screen. One of the categories will be "Physical Address"; you'll see six groups of numbers/letters separated by hyphens. This is your computer's unique fingerprint. MAC filtering basically works as an access control list (we'll talk about these at a later date) that is MAC address specific. You can choose to allow only certain addresses (like the one you see in the command prompt), and the WAP will only let those specific devices connect. I probably lost some readers with that last sentence. So I'll say that MAC filtering allows only computers with certain fingerprints to gain access.
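One practical wrinkle with the "Physical Address" you read off the command prompt is that Windows prints it with hyphens, most router allow lists want colons, and some gear writes it as three dotted groups, so a device can be "on the list" and still be denied because the two sides spell the address differently. The following is an added example written for this post, not code from the blog or from any router: it pulls every Physical Address out of `ipconfig /all` output, normalizes the formats to one canonical form, and checks a device against an allow list. The ipconfig excerpt is a constructed sample in the layout Windows prints, with made-up addresses.

```python
"""Read MAC addresses out of `ipconfig /all` and check them against an allow list.

Added example, not part of the original post. IPCONFIG_SAMPLE is a constructed
excerpt in the layout Windows prints; every address in it is made up.
"""
import re

IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet (constructed)
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11g adapter (constructed)
   Physical Address. . . . . . . . . : 00-1a-2b-3c-4d-5f
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon separated, e.g. 00:1a:2b:3c:4d:5e.
    Accepts hyphens (Windows), colons (Linux/Mac OS) or Cisco-style dots."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hex_only) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2)).lower()


def physical_addresses(ipconfig_output: str) -> list[str]:
    """Return every 'Physical Address' value in ipconfig /all output, normalized."""
    found = []
    for line in ipconfig_output.splitlines():
        label, sep, value = line.partition(":")
        # ipconfig pads labels with " . . ." up to the colon; strip that padding.
        if sep and label.strip(" .").lower() == "physical address":
            found.append(normalize_mac(value.strip()))
    return found


def allowed(mac: str, allow_list: list[str]) -> bool:
    """True if `mac` is on the allow list, comparing both sides in canonical form."""
    canonical_list = {normalize_mac(entry) for entry in allow_list}
    return normalize_mac(mac) in canonical_list


if __name__ == "__main__":
    # Constructed allow list, written the way a router's page might want it.
    allow_list = ["00:1a:2b:3c:4d:5e"]
    for mac in physical_addresses(IPCONFIG_SAMPLE):
        print(mac, "allowed" if allowed(mac, allow_list) else "DENIED")
```

If you run this against real `ipconfig /all` output, expect more than one address: every adapter (wired, wireless, virtual) has its own, and the one the router sees is the one on the wireless adapter.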

Well there you have it. Not too painful I hope. For my next posting, I'll show you what to enable and disable in order to keep your wireless safer than average.

2/3/08

Welcome

Greetings everyone. Are you tired of geek speak when trying to secure your computer? Don't know virus definitions from a hole in the ground? Do you think WEP is something you do when you're sad at weddings? You're in luck! With this blog, I will start to outline the basics of computing security. I will address issues such as social engineering, computer hardening, common scams, and what to look out for on your web browsers to avoid being phished. And if you have no idea what any of these words mean, I will also define them in easy to understand terms.

My goal is to make the computing world safer for everyone. I don't do this for fame, fortune, or the babes. I'm just a guy who works in network security that wants to share as much as possible with anyone lucky enough to come across this blog.