Archive for ‘infections’

8 December 2010

How to make your WiFi more secure

You probably haven’t thought much about your wireless (WiFi) connection recently. Maybe it’s time you did.

You may well have heard about how insecure WiFi used to be. When it started to become popular, poor configuration and guidance from manufacturers combined with a degree of understandable ignorance on the part of consumers led to a lot of wireless hackery. If you conceive of your network as a set of cables strung between computers, then imagine an early wireless network as a set of loose cables hanging out of the window with signs on them urging passers-by to ‘plug me in’.

It’s all different now, we hear, what with advanced encryption technologies such as AES now built in. Or is it? I’m still surprised – and my experience is not an isolated one — when I sniff around with my laptop to find that there are still quite a few totally open networks around. Even among those that aren’t open you’ll often see network names (or, more correctly, SSIDs) such as ‘linksys’, a name that the manufacturer assigned to the wireless router in the factory.

An open network is a hacked network. If it’s not hacked already, it will be soon. This means that whoever logs into it can use your broadband connection — this alone might break the terms of your broadband contract, even before the intruder has downloaded whatever — and they can access your Windows network. If your computer is on or you’re using a server of some kind, they’ve probably got access to that too.

So turn on strong encryption — you’ll see it listed as WPA2-AES, WPA2-PSK, WPA2 or WPA. That’s not all. Even after you turn on encryption, you need to take some care. The linksys or netgear names given to wireless broadband routers — there are others but I’m picking on these because they’re very common — tell the potential hacker that you’ve not changed the configuration much, if at all and that, as a result, the wireless network is likely to be easier to hack into.

There are three more steps to take to protect your wireless network. First, change your wireless network name or SSID to something anonymous; it should not identify you, where you live or your business. You should use a strong wireless network key too: it should not be the same as the SSID, and it should not consist of any words that might be found in the dictionary – hackers have tools for breaking passwords like that. Finally, change the default name and password for the administrator account, as hackers know what all the defaults are.

There are more steps you can take to make your system even more secure but these three will defend you against all but the most determined of hackers.

22 November 2010

Could your Apple iPad give away your data?

I read a blog today. The blog’s author compared the much-lauded (but in my view highly overrated) Apple iPad against laptops in general, and highlighted several features that iPad has that laptops should emulate.

Well yes, maybe. The one that caught my eye was the issue of instant-on. “You can click the iPad’s power button and it is instantly ready to pull up a web page, calendar or email”, the blogger wrote. Yes of course we all want computers to be instantly available as soon as we press that button. Apple is very good at making devices that appear to be easy to use but which, after a few minutes’ thought — or, often, after a few hours of ownership and intensive use — turn out to be not quite so smart after all.

The only issue with instant-on is that anyone can do it. The person who steals your iPad that you carelessly left on the coffee-shop table as you order another skinny latte, or who lifts it from your bag on a crowded train or bus will have no problem turning it on and gaining instant access to your stuff: your email, your Facebook page, your passwords, personal information…. Your life.

If it never leaves the home then maybe that’s a different story. But wait: burglars can and do steal computers if they’re small enough to walk away with without looking suspicious, and I believe an iPad qualifies. Or your small (or not so small) child — or lodgers or whoever — can come along and press all sorts of buttons with neither let nor hindrance, leading to all sorts of weirdnesses.

Aren’t we lucky the iPad is so convenient?

A combination of username and password is not the most secure way of protecting data but, when balancing convenience against security, it’s good enough and should deter most thieves.

Many years ago, my IBM ThinkPad laptop was among the goodies taken away by a burglar and, about three years later, I received a phone call from someone (who purported to be and might well have been an innocent buyer) who had managed to find out where it came from and wanted the password for it.

Of course I refused, not knowing where the machine was, who had it, or what stuff that I wanted might still be on it. But I was satisfied that the ThinkPad has industrial-strength, password-protected encryption and that the data would be unavailable to whomever: they would have to wipe the disk to make any use of the machine.

So when you read that convenience is the sole criterion of value, think hard: data on portable devices can end up anywhere and instant-on could mean instant bye-bye to your personal data. So if you have one, use the password feature. It might be a little inconvenient most of the time, but it will be very convenient the one time it’s really needed.

Kroxxu botnet’s secrets revealed
Avast’s Jiri Sejtko, head of virus research at the company’s virus lab, has written a fascinating account of how he tracked down Kroxxu, a botnet based on infected websites with the aim of stealing passwords.

Since its inception in October 2009, it’s grown to become a network with over 10,000 redirectors, 2,500 PHP redirectors, and over 700 malware distribution sites. The 15 redirectors used in the longest active connection send visitors through seven countries in three continents to infectious exploits, with many of the zombie machines enduring 90 days or more.

It’s worth checking out.

25 October 2010

Privacy or security is your choice

Should your ISP be monitoring your connection? According to this story, that’s what’s starting to happen in Australia, where the government has mandated that computers spewing spam or malware must be shut off from the Internet. And the only way to do that is for your ISP to invest in some pretty heavy-duty gear to peer into every packet their customers send and receive, in order to ensure that there’s nothing nasty lurking inside.

The pluses are that it helps make for a safer Internet. The downside is that your ISP is spending more money that it’ll have to recoup somehow — guess how — and that it’s looking at your data. Right now, it’s only interested in malware – but what happens if government policy changes?

You can hear the conversation now: “Well Mr ISP, you already have the mechanism to look at everyone’s data, how much harder can it be to check for dissidents, or those with a criminal record?” The answer will be: not very. And that’s the top of a very slippery slope.

So it’s a choice: be secure or be private – you can’t have both. The best protection we can all have is the protection we ourselves provide, so that the government does not feel the need to step in with legislation. It’s illegal for them to look into your mail or listen into your phone calls, so why should your email not be subject to the same privacy?

Keep AV free!
Free anti-virus is here to stay – and it works. As someone who’s been using free AV tools for over 10 years and never had a problem, I can testify to that. And about one in four UK PC users uses Avast to protect themselves, with about 42 percent using free AV software worldwide, according to security experts at OPSWAT.

So how does it work? Companies such as Avast give away free AV software in the hope that you and I will find it so compelling that we need to upgrade to a paid-for version. Many do. Those who don’t get exactly the same level of protection but don’t get added features, such as a firewall, anti-spyware and other security measures. If you’re covered already, that’s fine.

And long may it continue.

18 October 2010

Security: time to spread the word

There’s no shortage of information online about how to keep your computer safe. The problem is that I suspect most of those who need it are not the kinds of people who would go out and look for it; I’ll get back to this point.

As an example of the kind of helpful instruction that’s now available, Google has just put up a page that shows you, step by step, how to make your computer as safe as possible. The first three steps consist of making sure the machine is free of viruses and malware (using Avast, naturally – end of plug); making sure your operating system is up to date; and making sure to perform regular software updates. It then provides steps for your browser and email client.

A key suggestion from Google’s list is that you change your password twice a year. Passwords provide notoriously weak protection. People use passwords that are easy to remember, such as their name and birth year. That’s information you could find on someone’s Facebook page. You wouldn’t have to look too far to find answers to other questions such as someone’s mother’s maiden name, or their favourite food.

So you need to make your passwords hard to guess. That’s tough because it makes them hard to remember too – but there are programs that can help. The simplest way is to write them down somewhere but in a safe way. That’s not on a sticky note on your desktop but in a safe, encrypted manner. It could be in your browser or, since not everything goes via the browser, in a package such as the well-regarded KeePass, for example. This means you need only remember one master password, and the others can be pulled out of the safe as required.

Less fashionable but a method I’ve been using for years is a password generator. While some software may have limitations, such as an inability to generate passwords to meet specific criteria demanded by some websites, such as password length, a fixed number of non-alphabetic characters and so on, it’s a method that’s worked well for me for years. As before, I need only remember a master password, while the service passwords are generated using a combination of the service name I’m trying to access and other data that I’m not going to reveal.
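A sketch of how a generator of this kind can work, added here as an illustration and not the tool the author uses: each service password is derived from the master password and the service name, and the site's criteria (length, a fixed number of non-alphabetic characters) are passed as parameters. The function names, the symbol set, the iteration count and the `revision` counter are all assumptions made for this example.

```python
import hashlib
import hmac
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"  # assumed set; trim to what a given site accepts


def _byte_stream(key):
    """Endless deterministic bytes: HMAC-SHA256(key, counter) blocks."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def _index(stream, n):
    """Uniform index in range(n); rejects bytes that would bias the result."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def site_password(master, service, length=16, digits=2, symbols=2, revision=1):
    """Derive the same password every time for (master, service, revision).

    The result has exactly `digits` digits and `symbols` symbols, so the
    number of non-alphabetic characters is fixed, plus at least one
    lower-case and one upper-case letter. Raise `revision` (hypothetical
    parameter) to rotate one service's password without changing the master.
    """
    if digits + symbols + 2 > length or length > 128:
        raise ValueError("policy does not fit in the requested length")
    # The service name is the salt, so every service gets an unrelated key.
    salt = f"{service.strip().lower()}:{revision}".encode()
    # PBKDF2 slows down guessing of the master from one leaked site password.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    stream = _byte_stream(key)

    def pick(alphabet):
        return alphabet[_index(stream, len(alphabet))]

    chars = [pick(DIGITS) for _ in range(digits)]
    chars += [pick(SYMBOLS) for _ in range(symbols)]
    chars += [pick(string.ascii_lowercase), pick(string.ascii_uppercase)]
    chars += [pick(LETTERS) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the same stream, so positions vary too.
    for i in range(len(chars) - 1, 0, -1):
        j = _index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs, for demonstration only.
    print(site_password("a long master passphrase", "example.com"))
    print(site_password("a long master passphrase", "example.org", length=12, symbols=0))
```

Nothing is stored, so there is no vault to steal, but everything rests on the master password: anyone who learns it can regenerate every service password.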

But back to my original point: if you’re reading this you’re already in a category of people who are interested enough to have searched out a security-focused blog. This is both good for you and good for all of us — the more people who compute safely, the safer we all are because of the phenomenon of herd immunity.

What we need to do is to reach those who don’t make it this far. So perhaps we should all make it our mission to get at least one other person interested enough to do likewise, and they can then go on and infect someone else with the security bug.

How about it?

11 October 2010

Beware the typo

Do you ever play games on your PC? If so, you may be easy meat for the malware writers.

What does this mean? We all rely on technology to get things done. Whether it’s writing a letter, playing a game, or hammering out a project that must be finished today, there are times when we’re concentrating on just one thing almost to the exclusion of everything else. It’s at this point that we’re most likely to fall foul of the nasties.

For example, you may be researching on the web for a particular piece of information that you need to finish a project. You rattle away through Google’s search results — and then you realise that the result is on a page you’ve visited before. So you type in the web address but, in the haste to get at the details you need, you spell the URL incorrectly.

This is what they’re waiting for. There’s a web address for almost everything you type in. Most are legitimate but a huge number are not. They sit at the margins of what we want, but expect a percentage of us to make a mistake when typing in the address. When that happens, you don’t go where you expect but to another page entirely. Almost any typo will take you somewhere you probably don’t want to go.

The page might announce that you’ve typed in the wrong address, or it might look very like what you think you typed in. But there’s a high chance that the page could attempt to install software on your PC that you surely do not want installed. For example, it might be a keylogger that can track your passwords and transmit them elsewhere, or a piece of malware that turns your machine into a zombie, the name used for members of a botnet — a network designed for mass spamming or denial of service attacks. And you won’t know it’s happening.

So why mention games? Because of the intensity with which you’re playing and the concentration levels required, you’re at your most vulnerable when you zap off to a site to download a utility or grab advice from a forum. That’s when the mis-typed URL grabs you and can pull your machine over to the dark side.

There are some simple steps you can take to prevent this, including leaving your anti-virus software switched on, turning on silent/gaming mode, and being wary of downloading games through warez sites. You can also configure your machine to use OpenDNS, which can help trap malware sites and is a fast, free alternative to your ISP’s automatically configured DNS (domain name server). DNS is the Internet’s mechanism for converting the URL you type into a universally recognised Internet protocol address — www.bbc.co.uk translates to 212.58.246.95, for example.
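The mistyped-address problem described above can also be caught before the browser follows the link. The following is an added example, not part of the original post: it compares what was typed against a list of sites the user normally visits and flags anything that is one or two keystrokes away from a known name. The site list and the function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed list standing in for the sites a user actually visits.
KNOWN_SITES = ["bbc.co.uk", "google.com", "opendns.com", "avast.com"]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap.

    Adjacent swaps matter here because transposed letters are among the
    most common typing slips.
    """
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def hostname(typed):
    """Extract the host from whatever was typed, with or without a scheme."""
    if "//" not in typed:
        typed = "//" + typed
    host = (urlsplit(typed).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_address(typed, known=KNOWN_SITES, max_distance=2):
    """Classify a typed address as known, possible-typo, unknown or invalid.

    For a possible typo, the second element is the site the user probably
    meant, so a prompt can offer it instead of loading the page.
    """
    host = hostname(typed)
    if not host:
        return ("invalid", None)
    if host in known:
        return ("known", host)
    nearest = min(known, key=lambda site: osa_distance(host, site))
    if osa_distance(host, nearest) <= max_distance:
        return ("possible-typo", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed inputs: one correct address, two slips, one unrelated site.
    for typed in ["www.bbc.co.uk", "http://www.bcb.co.uk/news",
                  "gogle.com", "example.org"]:
        print(typed, "->", check_address(typed))
```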

There are lots of ways to catch an infection but fortunately, awareness as well as the right technology can help prevent that. So whether you’re working or having fun, be aware and be safe!

27 September 2010

Avast wins an advanced award

When I started using Avast (before I started blogging for Avast), it was because I liked the light load it put on my computer, I liked the lack of over-demanding, over-frequent pop-ups and I liked the fact that it was fast and caught the bad stuff. To me, AV is a background task that needs to just get on with the job, only bothering me when I really do have to make a decision.

It seems that the product has not changed in its essential character, as it’s won an Advanced+ award (that’s the highest accolade) in a wide-ranging test of AV packages by AV Comparatives. The website tested a bunch of packages from the usual suspects, including Avast, rating them on how well they caught malware, how fast they were, and the degree to which they generated false positives — reporting the presence of a virus where there was none.

Avast was fastest by quite a margin of all of the 20 packages tested and, while it didn’t quite hit the top spot in terms of malware caught, being shaded by some half a percentage point, it was among the top runners when all the other criteria were taken into account.

It’s a thorough report and worth a look.

21 September 2010

Free AV software works, says the Guardian

Well well, so the Guardian has published a piece asking if you can protect your computer against infections for free – and got most of it right too, although that can’t be said entirely of the comments that follow.

Predictably, the paper includes a comment by a spokesman from the largest paid-for AV software provider — you know who I mean — who casts doubt on the ability of free software to provide the full protection that his company’s products do. It does note though that you can get full protection without having to pay, and Avast is at the top of the list of free products the paper cites.

The comments make interesting reading, with one commenter making the point about how the big yellow AV software provider “took over my pc and made my life miserable, so I uninstalled it (still couldn’t get rid of it completely, mind)”.

Another said that the only problem they’d ever had on their PC was when they had the same company’s anti-virus software installed. It didn’t prevent a rootkit infection, and the company “could not have been more unhelpful and painful to deal with, given that their product had failed to do what it said on the tin. They wanted 100 US Dollars to help with the problem, and wouldn’t guarantee a refund if they failed to sort it out.”

There’s quite a bit of misinformation there too, however. There are a few Apple Mac users, one of whom is overly smug, claiming that you don’t need AV software on the Mac. He admits that “some security loopholes have been found in Mac OS X, but you can count them in single figures, and Apple address them.”

He’s wrong: Apple has in fact been very slow to address security holes, and it’s not inherently very secure either. As one commenter pointed out: “In cracking competitions, it is regularly the Apple systems which are cracked first by attackers….in their minds, they don’t have a security problem until it affects their bottom line, which hasn’t been the case, yet.”

Further, viruses for the Mac do exist and, as its market share grows, it can expect to get targeted more. And of course, most people understand that you’re not going to buy an expensive Apple Mac unless you only want to do office productivity tasks, email and browse because, generally speaking, the choice of software for the Mac is very limited by comparison, and it’s usually much more expensive.

It’s worth adding here that infections — both the human and computer versions — aren’t just personal: they’re about the common health too. For example, it’s in everyone’s interests that people are vaccinated as, once a critical level of vaccination takes place, everyone benefits, even those not vaccinated, as vaccination acts as a sort of firebreak or firewall in the spread of the disease. The phenomenon is called herd immunity, and it works.

So the more of us that use AV software, the better off everyone is, including those who don’t use it, as it prevents infections from spreading. You know it makes sense.

16 September 2010

One hundred and thirty million users

Francisco F completed his registration of Avast at 05:52:52 GMT on 7 September 2010 and, in doing so, became the 130 millionth user of the popular free AV product. Almost 35 million of those new users registered in 2010, and the company reports growth in the numbers of registered users of one-third from 2009 onwards.

The company Avast now claims that it makes the world’s most popular AV program in three categories: the size of its registered user base, its growth in the number of users during 2010, and in the high level of referrals from satisfied users.

Where have the users come from? Avast reckons that nearly half of those switching from a competing product came from AVG or one of Symantec’s Norton products, and over 60 percent of new users arrived following a friend’s recommendation.

Users are drawn from some 240 countries, although France’s is among the largest user bases, with the UK coming up fast. The wide user base is important, as it adds to the depth of the product’s security. According to Avast’s CTO Ondrej Vlcek: “Because malware can now be designed in one country, hosted in another, and targeted on a third, you really need to have a balanced presence to stay secure. Our CommunityIQ network gives us an exceptionally broad network of sensors to protect our 130 million plus users.”

Virus writers get obvious
From the first time that PC viruses appeared on the scene back in the 1980s – yes it really was that long ago – the one thing that’s characterised them has been their stealthiness. Oh sure, there have been plenty whose effects, once they’ve actually been installed onto a machine, have become painfully obvious. But the key to getting a virus onto a machine has always involved a degree of sneakiness or deception.

Until now. There’s quite an old virus, first spotted in 2003, that infects executable files, called Win32:Sality — and it now appears on the web, which I shan’t provide a link for, for obvious reasons, as a naked download. It was spotted by one of the Avast techies, and there’s more about it here.

The lesson here is: when spotting a download that you fancy, double-check the name of a file in the status bar of your browser, which will show you the underlying destination of any link you either hover over or click on once, depending on your browser and configuration.

17 August 2010

Just how paranoid do you have to be?

The problem with security and technology is that it can make you paranoid. Don’t be! Most things aren’t out to get you. But you do have to be careful and you do have to be aware of the risks, as this helps when you encounter a piece of software (or hardware) that really is out to get you.

Take digital signatures. A system has evolved over time that aims to help ensure that signed software is safe. Digital signatures are intended as a form of guarantee that a piece of software has been examined for malware and doesn’t contain any. But sometimes it does. Or, at least, in one case a piece of signed software contains malware. It’s unlikely to be alone.

Avast’s Michal Krejd reports in his blog that many users asserted that some instances of Avast detecting Win32:Injected-AZ were false positives. A Google search for Win32:Injected-AZ shows up plenty of forum entries by users about the malware.

In practice, what seems to have happened is that a version of a package named Aventura in fact contained Win32:Injected-AZ, even though the developer had signed off the software as clean, using a digital signature. This can arise because developers, rather than re-inventing the wheel, will routinely re-use software from third parties to perform specific functions.

So in this case, even though the package’s container was malware-free and was signed, some of the contents were not — and were not signed. The issue is, how can you tell? If you run a signed installer, for example, you expect it to be malware-free if it’s signed. Yet Avast picked up the fact that the software contained malware, even though it was signed.

The moral of the story is that a signature does not necessarily guarantee that all the contents of a package are clean. Fortunately, as Krejd notes in his blog, “the malcode inside seems to have never been executed, therefore this specific case is not a critical issue”.

Krejd’s approach for the future? “If you encounter this detection on your PC, replace the infected binaries with original ones. And if the original binaries are also infected, ask their vendor to provide you with clean binaries.”

Going mobile
Do you know where you are? Probably, but do you want everyone else to know where you are too? There’s a new game out for the Android operating system for smartphones. It’s called TapSnake, and it’s a spin on the classic snake game, which used to be found on Nokia phones.

It turns out that the game contains a Trojan. The new rev of the game plays fine — but while it’s running, the game turns on the GPS location device and uploads data to a remote server so that your location is made public. All you need to find out where players of this game are is to download and run a package called GPS Spy on another Android device. It means you can see where players of the game have been and when.

Effectively, mobile software can compromise you in ways that personal computer software does not. Be aware – check the provenance of those fun little games…

9 August 2010

Can you trust a stranger?

Can you trust strangers? That really depends on the context.

I was on a crowded train recently when two fellow passengers started reading out credit card details down their mobile phones.

I had my laptop open. Had I been in a malicious frame of mind, I could have stored their credit card numbers, security codes, start and expiry dates, and their dates of birth.

Only when I couldn’t stop myself from expressing surprise that they were prepared to divulge this information to what was effectively a roomful of strangers did they pause. When I said I didn’t think it was a good idea, they agreed, and said they’d thought twice about it but decided to go ahead anyway.

Not a good decision. Interesting that, as a side issue, they trusted me when I said that but then decided not to trust everyone else in the carriage, as they stopped reading out a further card number.

Similarly, one US man decided to trust a flashing box on his screen that appeared to be offering him free money. It said he was the millionth reader and that he’d won a $1,000 gift certificate to Wal-Mart, and all he had to do was supply his email address, age, household income, years of education completed and a bunch of health questions. Phew. All for a Wal-Mart voucher.

The pay-off, as you might have guessed, was not a $1,000 voucher but, within an hour, a deluge of spam about educational opportunities, medical supplies, dating services and laptops. He tried to unsubscribe from the emails yet each day brings 20 to 40 new items.

Fortunately, as far as we know, the spam has yet to deliver more than irritation as opposed to malware — though that’s pretty likely at some point, which is when he’ll need adequate protection from good quality, regularly updated AV software.

The moral of the story is not to assume that such pop-ups are anything to do with the site you’re visiting and not to trust strangers. At least, those with whom you’re not eyeball to eyeball — in which case you’ve slightly more of a fighting chance to use your common sense to decide whether or not they’re on the level.

My fellow passengers eventually made that judgement and, fortunately for them, I didn’t record any of the information they splashed around. For their sakes, I hope none of the fellow travellers did either.
