by Jim Healy
Although it is a different subject from connectivity and networking, the security of data connections in a wireless network is a serious concern for users of any kind of mobile connectivity platform. This is one of the most complex and jargon-prone areas in the discussion of small, mobile platforms like the SOHO networks found on boats and RVs. I mean to keep it as simple as possible!
There are no data security measures that will stop a determined, professional hacker with unlimited resources: China, Russia and the NSA, for example. However, simple SOHO security measures minimize the chances that an amateur hacker can gain access to your SOHO network and personal data. These simple precautions minimize the chance that malicious software could infect your systems and launch attacks on others from your network. They demonstrate your intent to protect yourself, and therefore preserve your legal right to pursue compensation for unauthorized use of your system and its resources. Some courts have ruled that if computer owners fail to take steps to protect their systems, they cannot sue for damages caused by unauthorized use of their network or attached client devices.
“Easy” Security Stuff (Wi-Fi):
By far the most “dangerous” thing many cruisers do with their PCs is go to public places to get access to “free wi-fi” (Starbucks, Barnes ‘n Noble, local library, marinas, municipal docks and others). There, they connect directly into an “open” AP to read email, browse the Internet, or do online shopping in plain, open-text browser (HTTP) connections. These public APs are, by definition, untrusted, untrustable and untrustworthy. On these open networks, your PC becomes a peer to all of the other connected client computers. You have no idea who else might be on with you. Your PC is directly exposed to “file share” risks, “spoofing” and “Man-in-the-Middle” attacks. The openness of the setting creates the opportunity for “sniffing” (eavesdropping) and “key-stroke logging” threats. In public “coffee house” locations, security threats are possible, common and even likely.
Use of cellular telephone system modems for Internet access is, of course, not free, but it is “easy.” The very nature of the technology used on cellular telephone systems makes it inherently more secure than Ethernet wi-fi. Ethernet wi-fi uses fixed frequency, permanently-assigned radio “channels” in public radio bands to exchange data. Once a wi-fi connection is established, it remains present on the same radio channel for relatively long durations. In that environment, “sniffing” (eavesdropping) is technologically easy and convenient for amateur hackers. Cellular system data exchange uses a mix of “Frequency Hopping Spread Spectrum” (FHSS) data exchange technologies. Data exchanged on FHSS links consists of sub-second transmissions over ever-changing frequencies in a randomized sequence. That effectively “scrambles” the data to anyone trying to intercept it. The technology requires significant knowledge and specialized equipment to eavesdrop successfully.
SOHO router and range extender manufacturers assign default SSID names and default administrator IDs and passwords to their products. For example, new Linksys devices have an SSID of <linksys>, and new NetGear devices may have an SSID of <NETGEAR> or <wireless>. When a client scans for APs to connect to, the SSID name is what the scanning program displays. Given a default SSID name, the matching default administrator ID and password pair is easily found on the Internet. Skeptical? Take a look here: http://www.routerpasswords.com. So, I strongly suggest owners change SSID names and default IDs on SOHO routers. Definitely, absolutely change the administrator password away from the default password. Casual passersby as well as amateur hackers could easily gain access to your SOHO router if you have not taken this simple precaution.
Establish an “encryption method” and password for wi-fi access to your SOHO router. This is accomplished via the “wireless security” settings of the router’s firmware. Successful wi-fi client connections will then have an encrypted link for data exchanged between themselves and the router. Requiring a password causes the router to challenge anyone attempting to establish a wi-fi connection to the router. That password challenge prevents, or at least delays, unauthorized persons from successfully being connected as a client. If a hacker with nefarious intent were able to get connected to the router – for example, while sitting on a bench on the Riverwalk adjacent to where the boat is tied up, or from a nearby resort condo, coffee shoppe or boat – that intruder would be a peer on the private LAN of your router. That exposes you to surreptitious consumption of internet bandwidth, unknown and unexplained, for which you may well be paying a use-based subscription fee. Worse, perhaps, is that every legitimately connected client device is exposed to the possibility of actual data theft.
“Wired Equivalent Privacy” (WEP) encryption is no longer considered to be a secure technology, but it’s still better than nothing, because time and effort are needed to get past it; much like locking your car doors. All newer router firmware and client device operating systems now support “Wi-Fi Protected Access” (WPA), which is more secure than WEP. Still more secure is WPA2. The greater the number of characters in an encryption key, and the more random its composition, the more secure it is. Remember, this step encrypts only the wi-fi link between the client device and the onboard SOHO router. It does not encrypt data on the outgoing link on the WAN side of the router. Additional techniques – discussed below – encrypt the connection from endpoint-to-endpoint.
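As an added example (not the article’s own material), here is a small Python audit of the router settings just described: it flags a factory-default SSID, a default administrator password, any encryption mode weaker than WPA2, and a wi-fi passphrase that is short or repetitive. The default-value lists, the 12-character minimum and the 40-bit entropy threshold are assumptions made here, not figures from the article.

```python
# Added example: audit of SOHO wireless settings (assumed thresholds).
import math
from collections import Counter

# Default SSIDs named in the article plus the widely known "admin"/"password"
# pair; a real audit would load a fuller list (e.g. from routerpasswords.com).
DEFAULT_SSIDS = {"linksys", "netgear", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3}

MIN_PASSPHRASE_CHARS = 12   # assumption, not from the article
MIN_PASSPHRASE_BITS = 40    # assumption, not from the article


def passphrase_entropy_bits(passphrase: str) -> float:
    """Shannon-entropy estimate of the passphrase's characters, in bits.
    This only catches repetition ("aaaaaaaa"), not dictionary words."""
    if not passphrase:
        return 0.0
    counts = Counter(passphrase)
    n = len(passphrase)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_wireless(settings: dict) -> list:
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    if settings.get("ssid", "").strip().lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default; rename it")
    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is a factory default; change it")
    mode = settings.get("encryption", "none").lower()
    if ENCRYPTION_RANK.get(mode, 0) < ENCRYPTION_RANK["wpa2"]:
        findings.append(f"encryption is {mode}; use WPA2")
    key = settings.get("wifi_password", "")
    if mode != "none":   # with no encryption there is no passphrase to judge
        if len(key) < MIN_PASSPHRASE_CHARS:
            findings.append("wi-fi passphrase is shorter than 12 characters")
        if passphrase_entropy_bits(key) < MIN_PASSPHRASE_BITS:
            findings.append("wi-fi passphrase is too repetitive")
    return findings


if __name__ == "__main__":
    # Constructed sample: a router still on its factory settings
    for line in audit_wireless({"ssid": "linksys", "admin_password": "admin",
                                "encryption": "wep", "wifi_password": "12345"}):
        print(line)
```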
Progressively More Advanced Security Stuff (Wi-Fi):
Between the extremes of not having any data security and having almost total data security is a progressive range of options based on the risk tolerance you might be willing to accept as an individual. On your boat, you have “situational awareness” of potential data security threats. That is, you know if you are on the public wall in downtown Savannah, Nashville or Ottawa. You know if you’re at Delegal Creek on rural Skidaway Island, GA. You know if you’re in a crowded municipal mooring field or alone in a rural anchorage. Yes, there is always “some risk” of data security exposure, but if the personal risk is low, I feel I have acceptable choices.
The first level of intermediate protection is simply to remain on your boat to use your own local system with “Network Address Translation” (NAT) enabled in the router. NAT is a simple one-size-fits-all “firewall.” NAT will always reject incoming traffic that does not pair with a previous outgoing request generated by you. The minutiae here are tedious and unnecessary. NAT generally prevents “trolling” requests. NAT is “spoof-able,” but in the absence of a known return on his or her time, a hacker is unlikely to invest the effort and technology that spoofing requires. If interested in the detail, ask your 13 year-old grandchild to show you how it’s done. Or perhaps, ask Target or Neiman Marcus…
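To illustrate the NAT behaviour described above, here is an added Python simulation (not from the article, and not real router code) of a NAT connection-tracking table: an outbound request creates a mapping, the reply that matches it is translated back to the LAN client, and any inbound packet with no matching outbound request is dropped. The addresses and ports are constructed sample values.

```python
# Added example: NAT as a stateful "firewall" (illustrative simulation).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (proto, public_port) -> Flow

    def outbound(self, f: Flow) -> Flow:
        """A LAN client sends a request: allocate a public port, remember the flow,
        and return the packet as it appears on the WAN side."""
        port = self.next_port
        self.next_port += 1
        self.table[(f.proto, port)] = f
        return Flow(f.proto, self.public_ip, port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow):
        """A WAN packet arrives: forward it only if it answers a remembered
        outbound request; return the packet rewritten for the LAN client,
        or None when it is dropped."""
        entry = self.table.get((f.proto, f.dst_port))
        if entry is None:
            return None  # unsolicited "trolling" request: no mapping, dropped
        if entry.dst_ip != f.src_ip or entry.dst_port != f.src_port:
            return None  # mapped port but wrong peer: dropped (strict matching)
        return Flow(f.proto, f.src_ip, f.src_port, entry.src_ip, entry.src_port)


if __name__ == "__main__":
    r = NatRouter("203.0.113.5")                       # constructed WAN address
    r.outbound(Flow("tcp", "192.168.1.20", 51234, "198.51.100.7", 443))
    print(r.inbound(Flow("tcp", "198.51.100.7", 443, "203.0.113.5", 40000)))
    print(r.inbound(Flow("tcp", "192.0.2.99", 12345, "203.0.113.5", 22)))
```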
If the browser you use allows for supplemental security and firewall “plug-ins,” and they are available, use them. Plug-ins extend and customize browser capabilities. Plug-ins are browser specific, and can be located by functional capability with a DuckDuckGo search. Search DuckDuckGo for <firefox security plugin>, for example, and see how many hits you get. Firefox’s security plug-ins will help in any Firefox-based data exchange. They will also catch many nefarious sites to which you might accidentally link or be “redirected.” At a minimum, in your browser’s “settings” or “preferences,” set your browser to notify you of “redirects.” I set mine to “disable.” If a site redirects you to another site, you’ll get a chance to approve that action. Only very complex, trusted sites will ordinarily do that, and your browser will remember any that you actually wish to permit. In ordinary Internet browsing, you do not want unknown redirects. That’s a very typical way that user email accounts get “hacked” and contact data gets stolen.
PC clients absolutely should run pop-up prevention, firewall, anti-virus and adware avoidance software; especially so on Windows PCs! There are a plethora of aftermarket applications for Windows. That’s one of the reasons I’ve abandoned Windows in favor of my Mac and OS X. Many modern routers have sophisticated, configurable built-in firewalls. These are very useful in filtering out undesirable traffic and blocking it. Router firewalls are normally enabled by default. Leave them enabled. They are configured in the router’s firmware via the browser.
All routers have a built-in security facility called “MAC Address Filtering.” This is a facility that has the effect of “pre-authorizing” specific client devices to enable them to connect to the router. By default, it is disabled in the router firmware. Use of the facility is a two-step process. First, the MAC address(es) of the specific client device(s) you want to allow to connect must be entered into the MAC Address Table. Second, the facility itself must be enabled. Do it in that order, or you may lock your computer out of the router. Once set up, the router will only allow wi-fi connections for client devices that are listed in the table. Even if a newcomer knows the challenge password, the device will not be connected to the router unless its address is also in the router’s MAC Address Table. There is some administrative “overhead” workload associated with MAC Address Filtering. In SOHO networks that rarely or never encounter newcomers, this function offers very good control of transient clients with minimal ongoing administrative overhead. In networks that frequently encounter visitors or other newcomers, the overhead can be significant. The device’s “MAC Address” will be printed on labels on modems, routers, PCs, tablets, printer/scanners; indeed, any device that can be attached to a network. It can also be found on PCs with the <ipconfig> command at the Windows command prompt (the C:\> prompt), or the <ifconfig> command via the “Terminal” utility on the Mac. A MAC address looks like this: <00:07:fd:ea:05:bc>.
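As an added example (my own, not the author’s), the following Python models MAC Address Filtering as an allow-list. It accepts both the colon style shown by <ifconfig> and the hyphen style shown by <ipconfig> on Windows, and it enforces the two-step order above by refusing to enable the filter until the device you administer from is in the table. The MAC values are constructed samples.

```python
# Added example: MAC Address Filtering as an allow-list with a safe enable order.
import re

# 00:07:fd:ea:05:bc (ifconfig style) or 00-07-FD-EA-05-BC (ipconfig style);
# the same separator must be used throughout.
_MAC_RE = re.compile(
    r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Validate a MAC address and normalize it to lowercase, colon-separated."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


class MacFilter:
    def __init__(self):
        self.allowed = set()
        self.enabled = False

    def add(self, mac: str) -> None:
        """Step one: enter a client's address into the MAC Address Table."""
        self.allowed.add(normalize_mac(mac))

    def enable(self, admin_mac: str) -> None:
        """Step two: turn the filter on. Refuses if the device doing the
        administration is missing from the table, so you cannot lock yourself out."""
        if normalize_mac(admin_mac) not in self.allowed:
            raise RuntimeError("add the device you administer from before enabling")
        self.enabled = True

    def permits(self, client_mac: str, knows_passphrase: bool) -> bool:
        """A client needs the WPA2 passphrase and, once the filter is on, a
        table entry. The table is hygiene on top of WPA2, not a replacement:
        MAC addresses travel unencrypted in frame headers."""
        if not knows_passphrase:
            return False
        if not self.enabled:
            return True
        return normalize_mac(client_mac) in self.allowed


if __name__ == "__main__":
    f = MacFilter()
    f.add("00-07-FD-EA-05-BC")          # constructed: the boat's laptop
    f.enable("00:07:fd:ea:05:bc")       # same device, as ifconfig prints it
    print(f.permits("aa:bb:cc:dd:ee:ff", True))   # visitor with passphrase: False
```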
All banking and investment institutions, and virtually all e-commerce sites, use “secure browser” (HTTPS) web site sessions with “Secure Sockets Layer” (SSL) encryption technology. SSL is the standard security technology for establishing an end-to-end encrypted link between a web server and a client’s browser. SSL ensures that all data exchanged between that specific server and your browser is encrypted and secure. SSL is a computer industry, cross-platform security standard which is used by millions of websites for protecting online transaction exchanges with their customers. Use of SSL is automatic and requires no user enablement. SSL provides 128-bit encryption of all links between origin endpoint and destination endpoint.
“FireSheep” is a well known nefarious Firefox browser plug-in that allows “hijacking” of account passwords in 32-bit, open HTTP browser sessions. In response to “FireSheep” and other “sniffing” threats, Facebook, Twitter, Google web applications (mail, docs), AOL and many other sites switched to the default use of secure HTTPS with SSL. HTTPS is optional on Yahoo. Many sites that were not using SSL have now made that transition. To help end users further close the window on sniffing risks, a free “browser security plug-in” everyone should consider is “HTTPS Everywhere,” located at https://www.eff.org/https-everywhere. The tool is a security plug-in for the most popular third-party browsers (mine is Firefox; note that there is no version of HTTPS Everywhere for Internet Explorer). The plug-in forces the browser to use the secure HTTPS protocol instead of the open HTTP protocol. Because the secure HTTPS protocol does not always behave in a manner that is compatible with the open, unsecure HTTP protocol, HTTPS Everywhere might introduce “unexpected behaviors” that are visible to the user. Read the HTTPS Everywhere FAQ before installing, but I use it – and like it – for casual Internet browsing protection.
Finally, we come to the “Virtual Private Network” (VPN). Although I have discouraged using any public, open wi-fi connections, I know there are those who absolutely must “live on the edge.” The only way to ensure data security and privacy for those few is to install and always use a VPN subscription product. VPNs (also called “secure tunnels,” or “tunnels”) are the opposite logical extreme from no security at all. VPNs encrypt all data exchanged over all link hops, whether wi-fi, cellular or wired, from their origin endpoint to their destination endpoint. VPNs do carry some user complexity and some platform performance overhead. For most users, I would expect the learning curve to be relatively short. Any performance impacts should be of minor significance unless CPU usage is otherwise very high due to concurrent workload.
A subscription to a VPN service includes a VPN security server paired with a client security application installed on the client’s devices. Detailed install instructions will come from the VPN service provider. A security client application needs to be installed on – or a compatible VPN function provided by – each locally attached client device: that is, each and every PC, each and every tablet. VPN vendors use a variety of encryption technologies. Some are better than others. There are “free” and “fee” VPN services. Fee VPN subscription pricing varies over a considerable dollar range. Client data (that is, your personal information, passwords, browsing content, financial information, etc.) is visible to the system administrators of your VPN vendor. In vendor selection, due diligence is required around vendor reputation and the pros and cons of the encryption technology the vendor uses.
Some reading this article may still be working (hopefully not fully captive ashore!) and have access to employer VPNs. That’s fine if the employer’s system use policies permit use of their computer and network facilities for personal activity. Remember though, enterprise VPNs are not there to protect you or your personal data. Enterprise VPNs are installed for the purpose of protecting the business’ internal, secure enterprise network from hackers that might gain access by hijacking validly established connections originating outside the secure network, usually by hijacking an authorized employee’s legitimate connection. Remember also, the employer’s system administrators can see and monitor user data and browsing activity, if they choose to track it. Caveat emptor. Avoid, for example, criticizing the company or your boss on an aliased Facebook account from the company’s VPN!
By Jim Healy from his Blog Travels of the Monk 36 Trawler, Sanctuary
Disclaimer: Curtis Stokes and Associates does not necessarily agree or promote the content by the above author. This content is to be used only with the reader’s discretion.
© 2019 Curtis Stokes & Associates, Inc. | All rights reserved.