Why your WiFi may well not be as private as everyone thought

At the moment, however, anyone who needs to be HIPAA compliant really needs to be aware of this, as should attorneys, accountants, and anyone in the financial industry. Anyone in that list should take steps to ensure they’re keeping patient/client data secure as it goes out to the world, whether that’s in emails, forms you’re filling out for insurance providers, and so forth.

Every situation is different, so there’s no easy “here’s what you need to do” solution I can lay out here. This is even more true with WiFi than most things in tech since WiFi devices can be from literally hundreds of vendors and every individual’s needs are different. Regardless, after reading this, if you’re concerned, you should call me ASAP so we can discuss this. If you haven’t got my contact details already, drop me a line at the contact link up top or right here. You should probably read the rest of this first, though:

So what’s the big deal, you say? The gist is there’s a way that bad guys can now invisibly eavesdrop on everything that your phone, laptop, tablet, or other WiFi connected device sends out to the Internet. (Yeah, that’s pretty serious!) Moreover, they can also potentially inject Really Bad Things(tm) into websites you’re visiting and you wouldn’t know it isn’t the site owner doing it. I won’t go in depth on the details of it all, since it’s not only dry reading but complex even for a professional geek. It’s 5:30PM as I type this and most of my day has been spent reading up on and digesting all of this!

What’s really concerning is that between when this was discovered and when the paper was written up, those working on the issue learned it’s even easier to exploit and more risky than the paper itself describes. There just wasn’t time for any major updates because of the process for publication of such works. This new exploit is a problem for virtually everyone, in my opinion. If you look at how rarely I update this site, you can see that it takes something pretty big to get me to do so! (Most folks don’t need to know this stuff anyway, truth be told. That’s the job of a geek!) Regardless, this one merits a write up. While there is, at the time of this writing, no known malicious use of this, it is only a matter of time after any such disclosure until the bad guys kick into high gear.

What matters most right now is that if you can update your devices, you should (not that this is really new advice, of course). The issue for many is that not every device currently has an update released. There are things that can be done to mitigate the problem, however. It’s quite important for folks to know that this has existed since day one of WiFi’s use of this standard and we’re only now learning of it. So it doesn’t matter how new or old your WiFi device is; at this point you are probably vulnerable to it!

This sort of thing is exactly why it’s critical to make sure your systems are set up with such problems in mind as much as possible, instead of just set up using whatever the defaults are out of the box. That way, if you end up hacked or even just vulnerable, the damage is mitigated as much as possible and the attacker’s job is that much more difficult.

Early this year a security researcher in Belgium, Mathy Vanhoef, found a serious flaw in WPA2 – the standard that all modern Wi-Fi networks should be using to keep their transmitted data private from “eavesdroppers”. This research was disclosed privately to many companies this summer and only made public this morning at a security conference. (This lead time gives most vendors time to craft a fix, though sadly many simply will never do so.) These researchers named their exploit KRACK, short for Key Reinstallation AttaCK. (Yes, these names are often kind of forced but the catchier names get more attention and, thus, get fixed faster.) Here’s an excerpt:

The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

This is a real problem, folks, though it doesn’t mean the sky is exactly falling since there are some things we can do to mitigate the risk. It does mean this impacts a wide variety of devices running Android, iOS, Linux, OpenBSD (on which Apple’s desktop and laptops are based) and of course Windows. So please, contact me or another IT professional if you have one as soon as humanly possible if you have any duty to keep data private! (Heck, even if you don’t, for that matter but I am admittedly biased …) So until we know your devices (phones, tablets, computers, routers, modems, etc) are up to date and you’re doing all you can to keep private what needs to still be private, you should be very cautious what you do online!

Here’s another link to my contact page in case you don’t already have my number.

Posted in Computers, Security

Password management

I am often asked about password management and what one should do. I believe most folks should be using a different, randomly generated password for each service they use online these days. This is because it is never a question of if, but when, a company’s password database gets stolen and the bad guys start reverse engineering the encryption to figure out folks’ passwords. The article linked is old, yes, but it’s still appropriate. It’s just easier to do now, is all, since the tools involved have had time to mature in complexity and power.

Once they have a username (often an email address) and password combination they, or more frequently someone they sell it to (yes, your data is worth real money to bad guys), quite frequently then move on to logging into these accounts to use them for nefarious purposes of one sort or another. These range from using an email address to send spam, scamming your grandparents or other loved ones, or even holding your devices or accounts for ransom. This is why many now say you should never reuse a password on any site ever.

There are many different password management apps out there nowadays, but most share a particular issue, IMO. That is the fact that they integrate with your browser. Now, this is all well and good from a convenience perspective, but the browser is one of the single most at-risk programs on anyone’s system. Why would you allow your most important passwords to be integrated with a risky piece of software? In my view, this would be like putting your house keys on a hook outside the front door. Note that this isn’t to say that all password managers which do this are poorly implemented. On the contrary, many are very well designed from a security standpoint aside from this, in my opinion, critical aspect.

Then there’s the issue of where is your password data stored. Ideally, this should be in a location solely under your control but which is backed up properly to prevent loss. Many password managers store the data on their own servers, where one presumes they handle backups and such properly. The issue here is what happens when they get hacked? This treasure trove of passwords is one of the most tempting targets to bad guys on the Net these days. Oh, sure, you can set it up so that the data is only accessible by the end user but with this kind of thing a single trivial, and of course innocent, mistake, can leave you as open as though you had no encryption at all.

This is not a simple thought experiment. The most popular such tool, LastPass, has been hacked more than once. While the organization, by all accounts, handles these events properly, this is too much risk for many to accept. This is why I do not recommend LastPass or any other similarly browser-integrated password management software. It’s just a bad idea in general, as I see it.

This does not mean, however, one must stick to the old pen and paper version. While that works for some folks who have a very small number of accounts, who don’t mind the risk, and who don’t use the same, or a similar, password on any financial institution website, for most it’s best to use a password manager. Setting up a password manager can be a major pain in the neck, to be sure, but it’s the only real way to mitigate the risk these days.

As far as what password manager folks should use, I have one I use and plan to continue using. It’s important that you get it set up “properly” up front, though, so if you’re a client, give me a buzz and I’ll talk you through the options.

Posted in Opinion, Security

What’s with the no update thing?

People sometimes ask me why I don’t update this more frequently.  Well, the truth is that this isn’t my main money making business.  Sure, the ads here help cover some tiny portion of my hosting cost but mostly this is here because, as a technology consultant, I need to be familiar with all aspects of the modern world.  That includes things like ad networks, websites, blogs as well as the other aspects that I consult on in person with folks.  My services cover every aspect of technology from televisions to gadgets such as cell phones or tablets and even (gasp!) computer issues.

While I may not update this often, I tend to use it as an information source to which I can refer clients.  That way I can send a link to my Eset writeup, for example, without having to type it all over again.  There are many other websites which discuss the basics of tech news and such so I don’t feel a need to cover all that again.

I’m here, though, and will post updates periodically.  For example, I recently purchased an Android tablet and will post my impressions of that before too long.

Posted in Uncategorized

Having some odd issues

I’ve been having some odd issues with the site. Some of my more recent posts seem to have gone *poof*. 🙁 We’ll call this a test post to see if it is now resolved before I rebuild those.

Posted in Uncategorized

Ye Gods, won’t you think of the children?!

Most folks are aware there are places on the web that are a bit, um, seedy.  While I would never suggest we not allow adults to do as they wish (assuming it harms no one else), I also don’t want my children to experience certain things while they’re children.  At the same time, I encourage my kids to explore their world and learn all they can.  So how do I protect them without unduly limiting their ability to explore?

Image: K9 Web Protection

The solution is to use web filtering software.  This is a program which stops them from going to sites or categories of sites which I don’t feel they’re ready for yet.  As an IT consultant, I’ve evaluated dozens of different security software solutions, both of this sort and anti-virus software as well.  There are several different types of filtering, some more intended for corporate use, some for institutions such as schools and others for parents.  I’ll discuss the last sort here.

It’s important to keep two things in mind: that no security software is perfect and you’ll always trade some convenience for security.  The thing you want is ease of use while remaining reasonably effective.  With that in mind, I like a couple of different products for security.  The first is an antivirus product which I’ll write up a review for in a couple of days.  The other is K9 Web Protection.

K9 is quite easy to install, there’s very little configuration required and best of all it’s free while being effective!  I have it installed on each of my kids’ laptops.  K9 will, by default, simply block access to sites which feature certain types of content ranging from, of course, pornography to dating sites or sites discussing drug use.  There are quite a few categories you can block in addition to these standard ones most folks want to filter.  Other categories include shopping, weapons and even e-mail.

You can whitelist specific sites for a short while or permanently if you wish.  This allows the option, for example, to block all shopping except Amazon.com, or to block everything and allow only specific websites on a case-by-case basis if you prefer.  You can configure an audible alert when a blocked site is accessed.  One particularly important feature (in my opinion) is the option to force Safe Search on sites such as Google or Yahoo; this prevents one of the more easily used circumventions of many web filters without blocking search entirely.  You can look at logs of activity on the computer to get an idea of what’s been going on.

These are just a few of the things you can do with K9.  I recommend every parent use this software on their children’s computers.  It’s a fantastic way to let your kids explore the modern world in a safe manner while being assured that they’re not going to stumble on something inappropriate.   Keep in mind this is free software; it’s not as though I get a commission or anything from people downloading and using it.  You can click the image above to go to K9’s website.

Posted in Software

Backups … they’re for EVERYONE!

Well, I’d been planning a note about backups but waking up to a screen on my laptop saying “Warning! A hard drive error has occurred, please back up your data and run diagnostics.” I figured now was as good a time as any. This is just a quick blurb since, as you may imagine, I’m kind of busy dealing with the issue.

Anyhow, I’m a fan of Dropbox. Dropbox offers cloud backup and syncs data across multiple computers or devices. It’s fast and pretty much real-time backup of your data, once you configure your Documents to go there or vice versa. I’ve used it for quite a while so all my important data is backed up. Still, hopefully I won’t have to reinstall my OS … time will tell if I can image to a new hard drive or not.

Go check out Dropbox now!

Oh, and the hard drive’s only a year and a half old! Go figure, eh?

Posted in Computers

Too often have I heard these words:

“Well, we talked about a backup and I bought a new external drive but I’m not sure my files are really on there.”

This is almost invariably from a new or prospective client. Regardless of what backup program is used, it’s my considered opinion that 99% of a backup strategy must be how well you can recover from a catastrophe. These can be simple, such as a hard drive failing after a week of solid work, or they can be more complex such as a virus infection that spreads among multiple systems. Heck, they can even be actual loss from theft or fire. Regardless, if you don’t know how to check your backups and restore your data then you don’t really have a backup.

My backup program of choice is Dropbox but it’s not for everyone.  There’s a bit of configuration and geekery required in order to get it set up so that it’s transparent to the user.  Despite this, I feel Dropbox is second to none.  It offers virtually real-time backup of the data it’s configured to handle.  As soon as a file changes, Dropbox syncs only the changed bits.  It also keeps the files synchronized between multiple computers (the original intent, really).  Nothing is as fast at recovery as moving to another working computer with the most up-to-date data on it.

A common concern is how safe from prying eyes the online backups are.  These are somewhat valid concerns, so one must, as with any personal information, protect it with a strong password.

Macrium Reflect is another alternative which I like and have used personally for years. This fantastic program will make a “Xerox copy” of your entire hard drive in a single file called a drive, or system, image. This backs up not only your irreplaceable files but installed programs as well. Best used when you have a different hard drive on which to put this drive image, this sort of backup is generally too large for online storage. While some imaging programs offer storage online, it can take a ridiculous length of time to upload the data, let alone grab a restore in an emergency. It’s quite important to recover data in a timely fashion so you should ensure you have a local copy and only use online storage for true emergencies where no other option exists. As with Dropbox, Reflect allows you to password protect your backup image in order to keep it out of the wrong hands.

Whatever backup you choose, whether one of these or a different one, you should thoroughly test and document the restoration process.  If you don’t, you might as well not have a backup at all.  With any luck, you will never need the process but if you do, you’ll be glad that you took the precaution.

My on-site professional services are, of course, available to those in the Puget Sound area to assist with these and any other technology needs you may have.  Phone support for those outside my local area can also be arranged.

Image: nuttakit / FreeDigitalPhotos.net

Posted in Computers, Software

Have you unplugged recently?

There’s an unhealthy expectation in our society that we’re accessible any time anywhere just because we can be. Too often in modern life, folks are too “plugged in”. Even young children seem to feel a compulsion to answer the phone regardless of what’s going on around them. Many now check their e-mail every time the smartphone in their pocket beeps instead of whenever they have a spare couple of minutes.

This culture of connectedness is not good for us, in my personal opinion. We need to unplug now and again. We need downtime. There’s nothing wrong with reading a book on (GASP!) paper and certainly nothing wrong with a simple solution to a problem so long as it works. A common analogy I like to use is technology is a toolbox. We need to train ourselves to take out only those tools to fill the needs of the moment. Just because you might have 12,000 different types of screwdrivers and wrenches doesn’t mean you need each one every day, although some do.

I’m not talking about simple work-life balance here, although an Amazon search for the term sure turns up enough books on the topic to tell me it’s a not insignificant part of what I mean. No, I am talking about much more than this.

The simple truth is that we don’t allow folks to just enter our homes whenever they wish. I would no more want some relative stranger popping in on me in my home than I want to interrupt my time with my child to speak to them. This isn’t during normal business hours, of course. I expect and desire customer contact during those times, within reason. In the past, I’ve had co-workers that would leave voicemail after voicemail less than 2 minutes apart, calling over and over.  Others would send e-mail and then, after 5 minutes, phone in a panic because I had yet to respond.  I understand that I’m an odd geek but that’s just downright excessive.

I don’t have internet on my phone, despite owning a smartphone. I don’t check my e-mail every 12 seconds. If my phone rings and I’m in the middle of something, the call will certainly end up going to voicemail. This is especially true if I’m with a client; when I’m on a client’s dime, I’m not going to pick up.  That time belongs only to the client for whom I am working.  I don’t block mobile Internet just to save money. There are a few times a month when I sort of wish I had Google in my pocket; I just find it to be a little bit too invasive, overall.

I’m a geek, with all the toys that entails. An inventory of them would bore most people but suffice it to say I have plenty of gadgets. That fact notwithstanding, sometimes we need to just unplug and get back to the basics of life!

Image: DoctorHa.net / Used with permission, all rights reserved

Posted in Opinion

Lego Antikythera Mechanism

I’m absolutely fascinated by archaeology and anthropology. I nearly went into these fields professionally years ago. When I first heard of the Antikythera Mechanism, I was frankly not terribly surprised at the complexity of it. It’s long been a pet peeve of mine that the ancients are so looked down upon as uneducated or savage. There is no reason to believe this aside from sheer arrogance at the “modern” man as the pinnacle of human development. Anyhow, I’m getting sidetracked so …

For those who don’t know, the Antikythera Mechanism is a mechanical computer which appears to have been used for calculating, predicting or modelling the movements of astronomical events. It’s long been a favorite item to read about. I won’t go in depth on all it can do here; follow my links below for articles which can tell you more (I certainly got sidetracked browsing about it again while writing this post).

Someone has made a functional equivalent of the Antikythera Mechanism out of Lego. This is so geeky-cool I can hardly describe it! Check out the video:

Here are a few links about the Antikythera Mechanism:
Official research group’s website
An article published in Nature
Wikipedia article about the device

Posted in Hobbies

Well done, Weeds!

A late-night post … oh no! 🙂

Seriously, though, I’ve been catching up on Weeds lately via Netflix. While I’m enjoying the show a lot, one thing truly stands out. This show deals with breast cancer in as straightforward a manner as any I’ve ever seen.

Breast cancer is a topic that many are “supportive” of without actually really being aware of the issues it entails for those who suffer from it. Kudos to Weeds’ producers for properly dealing with this issue. Buy their stuff!

Posted in Opinion