Avoiding a rude awakening

Clients sometimes wonder why I’m so concerned with configuring wireless security when setting up a new home router or reconfiguring an existing one.

You might think it’s no big deal if someone else connects to your unsecured network. After all, we’ve all taken advantage of someone’s open wireless in a pinch, at some point.

I know a teenage girl who hooked up an Xbox console herself. I had previously configured the wireless router in her house, and she didn’t give it a second thought when her Xbox connected wirelessly without asking for a passphrase. It wasn’t until months later that the wireless stopped working and we realized that her neighbor had finally secured his home router, which she’d been using the whole time without even knowing it.

There are two primary reasons to make sure your home wireless is password-protected using a solid security protocol. The first is that unauthorized users will suck up your bandwidth. If you’re paying for broadband, you don’t want to be the world’s dumbest ISP, supplying your whole neighborhood with free Internet.

The other example I give is that if some unknown person is connecting to your router and doing something illegal on the Internet, the authorities will trace it to you.

Think that’s a far-fetched scenario? Well, it just recently happened to a man in Buffalo, NY. A neighbor was using the man’s unprotected router to download child pornography, and the result was an FBI raid on the unwitting man’s home. And if the authorities assume you’ve been trafficking in child porn, don’t expect them to treat you courteously.

So, if you’ve installed a wireless router yourself, it’s a good idea to review your security settings. Make sure you are using a solid security protocol (WPA or WPA2, and pick WPA2 with AES if your router offers it). WEP is no longer considered secure – the keys can be recovered in minutes by anyone with a little technical know-how and a freely available cracking tool.

Your shared key or passphrase should be of a reasonable length (10 or more characters; WPA allows up to 63) and contain a mix of letters and numbers. Don’t use a word you could find in a dictionary: someone who records one connection to your network can test a whole word list against it offline, at leisure, so a strong protocol with a weak passphrase is no real protection. Keep it private. If you have guests who need to connect to your router, offer to type in the shared key for them. It’s easier than changing the key after they leave.
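To show why the passphrase matters as much as the protocol, here is an added example (my own Python, not something from the original post or from any router vendor). A WPA/WPA2 personal network turns your passphrase and network name (SSID) into its 256-bit key with PBKDF2-HMAC-SHA1 at 4096 rounds, exactly as the IEEE 802.11i standard specifies, and an attacker who captures one handshake can run that same derivation against a word list with no further contact with your router. The network name, the word list and the “victim” passphrase below are constructed for the example.

```python
"""WPA/WPA2-PSK key derivation, and the offline dictionary attack it permits.

Added example, not part of the original post. The derivation itself is the
one from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt,
256-bit output); the SSID, word list and target passphrase are constructed.
"""
import hashlib
import secrets
import string


def valid_passphrase(passphrase: str) -> bool:
    """802.11i allows 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key a router and client both compute."""
    if not valid_passphrase(passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(ssid: str, target_psk: bytes, wordlist):
    """The guess loop an attacker runs after capturing one four-way handshake.

    In a real attack the captured handshake is checked against each candidate
    key; here we compare keys directly. Returns (passphrase, words tried), with
    passphrase None if the list is exhausted.
    """
    tried = 0
    for word in wordlist:
        tried += 1
        if not valid_passphrase(word):   # the router would never have accepted it
            continue
        if wpa_psk(word, ssid) == target_psk:
            return word, tried
    return None, tried


def random_passphrase(length: int = 20) -> str:
    """A passphrase no word list contains: random letters and digits.

    20 characters from a 62-symbol alphabet is about 119 bits of entropy,
    far beyond what the 4096-round derivation lets anyone search offline.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ssid = "HomeNet"                       # constructed network name
    weak = "baseball1"                     # constructed weak passphrase
    # Constructed word list of the kind attackers actually use.
    words = ["letmein", "password", "sunshine", "baseball1", "princess"]

    print("PSK for", repr(weak), "on", ssid, "=", wpa_psk(weak, ssid).hex())
    found, tried = dictionary_attack(ssid, wpa_psk(weak, ssid), words)
    print("dictionary attack recovered", repr(found), "after", tried, "guesses")

    strong = random_passphrase()
    found, tried = dictionary_attack(ssid, wpa_psk(strong, ssid), words)
    print("against", repr(strong), "the same list recovered", found, "after", tried, "guesses")
```

The point of the loop is that nothing in it touches your router: once the handshake has been recorded, the only thing slowing the attacker down is the 4096 PBKDF2 rounds per guess, and a word list of a few million entries gets through those in hours on ordinary hardware. A random 20-character passphrase makes the list irrelevant.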

There’s no need to be obsessively paranoid about this, but it’s an important enough issue that you should give it the appropriate level of attention. After all, you don’t want federal agents kicking in your door some morning. The neighbors will talk about it forever.

Test your phishing detective skills

Security software vendor McAfee has created a ten-question quiz to see how well you can spot a phony website. If you’ve been reading my tips here, I expect you to do very well. Let’s find out.

The quiz has some excellent examples of common phishing scams, and it’s a very good primer on how the bad guys operate.

Both Internet Explorer 7 and Firefox 2 have built-in phishing filters. These provide an additional level of protection by checking any site you visit against a list of known malicious web pages.

Depending on which browser you use, make sure the phishing filter is enabled:

Internet Explorer 7: IE 7 asks you during installation if you would like to enable the phishing filter. To double-check, click the Tools menu, then Internet Options, and then the Security tab. With the Internet zone selected, click the “Custom Level” button and scroll down through the settings until you find “Use Phishing Filter.” Make sure it’s set to “Enable.”

Firefox 2: Click the Tools menu, then Options. Click once on “Security” on the top menu bar to highlight it. Then make sure the “Tell me if the site I’m visiting is a suspected forgery” option is checked. Under that, select “Check using a downloaded list of suspected sites.” (The downloaded list is checked locally, so this choice doesn’t send the address of every page you visit to an outside server, which the other option does.)

Phishing filters are, of course, not a substitute for paying attention, but they can certainly help. Use them to back up your newly-heightened awareness after taking the quiz.

Oh, in case you’re wondering, I got a perfect score on the quiz. Why else would you take my advice?

UPDATE 9/16/07: McAfee has taken down the phishing quiz site referenced above. However, Internet security vendor SonicWALL has an even tougher quiz on their site. Here’s a link.

The bad guys are getting smarter

Continuing on the theme of “More Ways Your Poor Computer Is Under Attack,” we look today at the phenomenon of phishing, a scheme which gets hold of your personal information in a very simple way – by tricking you into willingly providing it.

You already know that you should avoid following web links in e-mail messages. A spoofed message claiming to be from PayPal, for example, can direct you to a fake website that looks just like PayPal, which then captures the password and credit card information you type in. The text of the link may even show the genuine PayPal address while the link underneath points somewhere else entirely; hovering over it will reveal where it really goes. Fraudulent purchases, or even identity theft, are likely to follow.
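Here is an added example (my own Python, not part of the original post or of any product) that mechanizes the check described above for an HTML message: it pulls out every link, compares the address the link text shows with the one it really goes to, and flags any link whose destination is not under the domain the message claims to be from. The sample message is constructed for the example, and its destination addresses use reserved documentation names rather than any real site.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not part of the original post. The message below is
constructed; "account-verify.example" and 203.0.113.10 are reserved
documentation names, not real phishing hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a PayPal notice, but look at the hrefs.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please confirm your account at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
<p>Or call <a href="http://203.0.113.10/secure">1-800-CALL-NOW</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it.

    'paypal.com.account-verify.example' is NOT under 'paypal.com': the real
    domain is whatever comes last, and that is the trick this catches."""
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html: str, claimed_domain: str):
    """Return (href, text, reason) for every link that should not be followed.

    Check 1: the visible text looks like an address whose host differs from
    the href's host. Check 2: the href's host is not under the domain the
    message claims to come from (an IP address fails this too)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        looks_like_address = re.match(r"^(https?://)?[\w.-]+\.\w+", text)
        shown_host = host_of(text if "://" in text else "http://" + text) if looks_like_address else ""
        if shown_host and shown_host != href_host:
            findings.append((href, text, f"text shows {shown_host} but link goes to {href_host}"))
        elif not is_under(href_host, claimed_domain):
            findings.append((href, text, f"link host {href_host!r} is not under {claimed_domain}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL, "paypal.com"):
        print(f"SUSPICIOUS: [{text}] -> {href}\n    {reason}")
```

Run against the sample, it flags the “confirm your account” link (text says www.paypal.com, destination is a look-alike under a different domain) and the phone-number link (destination is a bare IP address), while the genuine help-center link passes. The subdomain check is the one people get wrong by eye: a name that *starts* with paypal.com is not PayPal unless it also *ends* there.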

Fortunately for us, most of the hackers behind these tricks know their way around a computer, but not a dictionary. Lousy spelling and grammar are a good tip-off that you’re on a bogus site.

That’s why I was surprised to learn of a new Trojan horse called Kardphisher, which mimics the activation procedure for Windows XP. If the Trojan gets onto your computer, it waits until you reboot and then informs you that you have to “re-activate” your copy of Windows.

On the next screen, Kardphisher gets down to business.

For the record, Microsoft does not request credit card numbers during activation, and it certainly wouldn’t ask for your ATM PIN.

Nonetheless, Kardphisher is a well-designed hack. I saw no grammar or spelling errors; just a clumsy use of punctuation.

The Trojan is not widespread, and Symantec rates it a very low risk. Any up-to-date anti-virus program should detect it, so odds are you will never see this on your computer.

However, it’s worth knowing about, because anti-virus programs and firewalls are no substitute for vigilance. We all need to pay close attention to what we are doing on the computer, because the bad guys have learned how to spell.