Before becoming a full-time Dad, I was gainfully employed as an information technology professional. I sat for, and passed, the CISSP examination. CISSP stands for Certified Information Systems Security Professional, a six-hour-long, grueling adaptive examination that tests your knowledge of the International Security Consortium's common body of knowledge, consisting of ten "security domains" - everything from encryption technologies to premises security. In earning this credential, I learned a great deal about information security. You can find out more about the credential at http://www.isc2.org. Maintaining the confidentiality, integrity and availability of critical data is at the heart of any program of information security. Though the task sounds daunting, most of creating a secure computing environment, including creating one right in your own home, can be achieved with a few simple, regular activities.
Why, you ask, am I bringing this up in a blog posting? The answer is simple - recently, two things happened that pointed out to me the need for a primer on securing information in the home environment.
The first thing that came to my attention was the case described in this link, where a suburban family with a disabled family member was hacked, harassed, emotionally tortured and psychologically abused at the hands of a mad-man neighbor who is now serving eighteen hard years in a Federal Penitentiary, and who started his campaign of terror by hacking into this family's wireless internet router.
The second thing that came to my attention started a short while ago. I received a chat request from an old, dear friend of mine, who now finds himself in the grips of near madness, completely disabled and psychosocially destroyed by a relentless campaign of cyber-stalking, harassment, bullying, spoofing (someone pretending to be the target, and then using the target's email account and even their internet circuit to send threatening or abusive emails to people in positions of power, such as Governmental officials, celebrities, and the like). In this case, my friend's current state of affairs was triggered when a major Internet web site was hacked and confidential user account data (usernames and passwords) were stolen by the perpetrators, who then filtered through their stolen booty, found my friend's credentials, tracked that information to his actual place of residence, and forged a campaign of creating misery in the life of a total stranger, for no good reason other than that they had access and opportunity.
We are all potentially subject to exactly the same type of attacks as these two people have suffered. Most of us have WiFi routers in our homes, and far too few of us have taken the time to correctly configure all the levels of security that are available to thwart an intrusion by a determined cyber-criminal (or a bored, malevolent teen) - and experience has shown us with great clarity that virus protection, while it is essential and you should have it and keep it updated, simply is not enough protection. Wireless routers all have at least three layers of security available - password protection, SSID Broadcasts, and MAC address filtering - and to create even a minimally secure wireless router configuration, it is necessary that you configure all three of these elements. Doing so is quite simple, as you will see in the following paragraphs.
Password Protection. Everyone's wireless router comes with a password - the default password set by the manufacturer. In far too many cases, users leave the default password in place, and this is a hacker's delight, because lists of manufacturers' default passwords can be found all over the internet, and getting access to your "password protected" internet circuit is as simple as picking the signal out of the sky, entering that well-known default password, and Voila! Your intruder is now living on your network, sucking down your bandwidth (and slowing down YOUR legitimate surfing - ever wonder why your Netflix movie crapped out in the middle of a stream?), doing illegal things from YOUR electronic address (such as music file sharing, illegal downloads of copyrighted materials, and even creating and sharing repositories of pornographic/child pornographic materials) - all issuing from YOUR supposedly "secure" WiFi router. While they're there, many hackers install "root kits" on visible computers in your network, thus ensuring themselves a "back door" into your network so they can come and go at will. The best and most effective way to prevent this scenario from becoming YOUR personal nightmare? Change your WiFi router's default password as soon as you install it (or after reading this article). Make the new password something very secure - do not use your last name, your dog's name, or anything that anyone who knows even a little bit about you could easily guess. Instead, try taking a favorite poem or song, and take the first letter of each word in the first line of the song, make every other letter a Capital letter, and then, at the end of that string of seemingly meaningless letters, put in a few meaningless numbers and a couple of symbols - you're looking for a password that is between 8 and 16 characters in length.
For example, if my favorite song was "Yesterday" by the Beatles, I might choose a router password of "YaMtSsFa" to which I could add 96741 for my numbers and !#% for my symbols. So, my new, more secure router password would be "YaMtSsFa96741!#%" - definitely a tougher password to guess outright, and one that would stand up to a more aggressive attempt to hack it for quite some time - which adds another level of security, because the garden variety hacker likes to pick the low-hanging fruit. If your wireless router is locked down with a very secure password like the one we've created in the example above, most casual hackers will grow weary after a few attempts at guessing it, and will move on to another, easier target.
Most routers allow you to select the TYPE of password security you want to implement. You should always select WPA2 if it is available (and if it is not available, you may want to upgrade your wireless router to a more contemporary model, as lesser password protocols are easier to crack with a brute-force or dictionary attack). In short, if you enable WPA2, and take care to select a password that is composed of a combination of 13 to 16 upper and lower-case letters, numbers and symbols, none of which spell out well-known words or phrases that someone who knows you might easily guess, your wireless password should be virtually hack-proof by all but the most sophisticated attempts.
Lastly, it is wisest to revisit and change that router password every so often. I change mine when I change the filters in my HVAC system, which ends up being every two-to-three months.
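The recipe above (first letters of a song line, alternating case, then digits and symbols) and the 13-to-16-character mixed-class check can be written out as a short script. This is an added example, not code from the original post; the function names and the symbol set are assumptions, and any digits or symbols you do not supply are drawn at random.

```python
import secrets
import string

SYMBOLS = "!#%&*+?@"  # assumed symbol set; the post only asks for "a couple of symbols"

def mnemonic_stem(line):
    """First letter of each word, alternating upper and lower case."""
    firsts = []
    for word in line.split():
        letter = next((ch for ch in word if ch.isalpha()), None)
        if letter:
            firsts.append(letter)
    return "".join(c.upper() if i % 2 == 0 else c.lower()
                   for i, c in enumerate(firsts))

def build_password(line, digits=None, symbols=None):
    """Stem + digits + symbols; parts not supplied are drawn at random."""
    if digits is None:
        digits = "".join(secrets.choice(string.digits) for _ in range(5))
    if symbols is None:
        symbols = "".join(secrets.choice(SYMBOLS) for _ in range(3))
    return mnemonic_stem(line) + digits + symbols

def check_password(pw, min_len=13, max_len=16):
    """Return the criteria from the post that pw fails (empty list = passes)."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append("length")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.islower() for c in pw):
        problems.append("lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("symbol")
    return problems

if __name__ == "__main__":
    line = "Yesterday, all my troubles seemed so far away"
    print(build_password(line, "96741", "!#%"), check_password("admin"))
    print(build_password(line))  # same stem, random digits and symbols
```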
SSID Broadcasts. Every contemporary wireless router gives you the option to disable SSID Broadcasts, and it is a very good idea to do so - checking the box to disable SSID broadcasts means that, when using your PC or Mac or iPad to "browse" for a network to which to connect, you won't "see" your target network listed - instead, knowing it is there but not broadcasting its presence, you will simply type in the name of your router's configured circuit, and as long as you have the correct access password (and your client machine's MAC address is on the router's "whitelist" - more about that in the next paragraph), bingo! You're in and surfing safely (but intruders are denied at the door)! So, for purposes of example, let's say I rename my Linksys router's default wireless circuit "RUSTYTROMBONE". I make the change on the configuration pages of my router, change my default password from "admin" to "YaMtSsFa96741!#%" and save the changes to the router. After the router reboots, when I browse with my computer to find a wireless network to which to connect, I won't SEE "RUSTYTROMBONE" listed out there in the ether - but I CAN click a box, MANUALLY enter the name "RUSTYTROMBONE" in the target wireless circuit box, click "OK" and, after entering the correct password of "YaMtSsFa96741!#%", our computer is now successfully connected, provided that the MAC address of the computer in question is on the router's internal list of "approved" machines allowed to use this particular wireless circuit.
WHAT IS A MAC ADDRESS? I DON'T EVEN HAVE A MAC! In this case, MAC stands not for Macintosh, but for Media Access Control. The Media Access Control address, or MAC Address, is a unique identifier assigned to network interfaces for communications on the physical network segment. Simply put, the MAC address is like your computer's street address, if you consider that the network is the virtual "Street" on which the computer lives. Every Ethernet adapter in a computer, even a wireless Ethernet adapter, has its own unique MAC address, and your wireless router has the ability to view that address at the time of the connection request, and then cross-check it against a table of authorized addresses that you have configured inside the router. If the requesting computer has a MAC address that IS on the list, then the connection is permitted, an IP address is assigned to the computer, and bingo, you're on the internet. If the computer requesting a connection does NOT have a valid MAC address, then the connection request is NOT granted by the router, and that requesting computer is deemed persona non grata - another attempt by some miscreant, with whatever ill intentions he or she may have, has been successfully turned away at the door.
HOW DO I FIND THE MAC ADDRESS FOR MY COMPUTERS AND OTHER DEVICES? This can be simple. Most new computing devices have a label on the back or bottom, displaying the Ethernet or WiFi MAC Address (it usually looks something like this: 00:0B:CF:09:65:11 or 00 0B CF 09 65 11). You can go to the "Security" tab on your router's configuration page, and then the "Mac Address Filtering" tab, where you will see a blank table, which you can populate with the MAC addresses for each device that you want to have wireless access to your network. On some newer routers, you can even configure the first two steps (changing the default password, and disabling SSID broadcasts), leave MAC Address filtering turned OFF, and then connect each wireless device to your network. Then, with all of your wireless devices connected, go into your router's "Security" configuration tab, click on "MAC Address Filtering," and lo and behold, you'll see a button that reads something like "Use current clients" which, when clicked, will populate that table with the MAC addresses of everything on your network. Once that happens, you can click the button to turn ON MAC address filtering, and all the addresses will be in place - this is your "whitelist" of network devices permitted to use your circuit - and you didn't have to type a thing!
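The table lookup described in the two sections above, sketched as an added example that is not part of the original post or any router's firmware: it accepts the label formats shown (colon- or space-separated, plus dashes or no separator), fills the table the way a "Use current clients" button would, and then makes the admit-or-refuse decision. The `MacFilter` class, its method names and the `02:...` addresses are constructed for illustration.

```python
import re

# Six hex pairs joined by one consistent separator (":", "-", space) or none.
_MAC = re.compile(r"[0-9a-f]{2}([:\- ]?)[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}")

def normalize_mac(text):
    """Return the address as lower-case aa:bb:cc:dd:ee:ff, or raise ValueError."""
    s = text.strip().lower()
    if not _MAC.fullmatch(s):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[:\- ]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacFilter:
    """Hypothetical model of a router's MAC address filtering table."""

    def __init__(self):
        self.allowlist = set()
        self.enabled = False  # filtering starts OFF, as in the procedure above

    def use_current_clients(self, connected):
        """The 'Use current clients' button: copy connected devices into the table."""
        self.allowlist.update(normalize_mac(m) for m in connected)

    def admit(self, presented_mac):
        """Decide on a connection request from the address the client presents."""
        if not self.enabled:
            return True
        try:
            return normalize_mac(presented_mac) in self.allowlist
        except ValueError:
            return False  # a malformed address is never on the list

if __name__ == "__main__":
    router = MacFilter()
    # Constructed sample: the label from the post plus one made-up device.
    router.use_current_clients(["00:0B:CF:09:65:11", "02-00-00-00-00-01"])
    router.enabled = True
    for mac in ["00 0B CF 09 65 11", "02:00:00:00:00:99", "not-a-mac"]:
        print(mac, "->", "admitted" if router.admit(mac) else "refused")
```

Normalizing before comparing matters because the same adapter can be written several ways; without it, a device entered from its label as `00 0B CF 09 65 11` would not match `00:0b:cf:09:65:11` in the table.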
There you have it - three relatively simple steps you can take that can potentially eliminate the ability of a data-thief to piggyback on your network's bandwidth - or worse, to actually cause you real damage by stealing your content or digital identity, or planting viruses or malware on your networked systems, necessitating costly remediation.
If you want to undertake these changes and need assistance, or if you have questions, please get in touch - firstname.lastname@example.org - I'm always delighted to assist someone in making their home network more secure. Best questions (and their answers) covered in a future blog posting!