Category: Security

Wi-Fi Protected Setup PIN Method Has a Flaw, Allowing Hackers To Brute Force a Valid PIN Number In Less Time Than Before

According to threatpost’s article “WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs,” a router with Wi-Fi Protected Setup enabled lets hackers figure out its PIN number in less time and gain access to your wireless network.  The article explains that Wi-Fi Protected Setup reveals too much information while it tries to authenticate a device, which lets hackers acquire the valid Wi-Fi Protected Setup PIN number by brute force in far less time.

I’ve always disabled Wi-Fi Protected Setup, because it seems to me to be just another door for hackers to break in through.  After reading the piece from threatpost, I’m glad that I’d been careful all along.  Most modern routers provide the Wi-Fi Protected Setup feature so users don’t have to enter a long WPA2 passphrase to connect to a wireless network, because Wi-Fi Protected Setup requires only a PIN number (e.g., 1234567…).

I’m no expert on Wi-Fi Protected Setup, because I had avoided using it from the very beginning.  It seems to me the Wi-Fi Protected Setup feature comes with several methods.  One involves pushing the Wi-Fi Protected Setup button on the router and then on the client within a short time frame (i.e., less than 2 minutes or so).  After the user pushes the Wi-Fi Protected Setup buttons, the user can just stand by and wait for the client and the router to communicate with each other automatically, allowing the client to connect to the router, and thus the client is able to surf the Internet over the wireless network the router provides.  The second method requires PIN number registration, but this method has two sub-methods of its own.  The first sub-method requires less work from users, because they can just hand their devices’ Wi-Fi Protected Setup PIN numbers (i.e., printed on the back of their devices or generated by their devices’ software) to the administrators.  The administrators then have to enter the users’ Wi-Fi Protected Setup PIN numbers into the router or access point’s administration control panel (e.g., https://192.168.1.1) to register the users’ Wi-Fi Protected Setup PIN numbers with the access point, consequently allowing the users’ devices to connect to that particular wireless network.  The second sub-method requires the users to enter the Wi-Fi Protected Setup PIN number of the router or access point into their devices’ software, consequently allowing the client devices and the router or access point to communicate with each other (i.e., granting wireless network access).  The piece from threatpost emphasizes the weakness in the second sub-method of the Wi-Fi Protected Setup PIN number method, because the hackers only need the Wi-Fi Protected Setup PIN number and do not have to be within a certain distance of the access point or the router.
The third method of the Wi-Fi Protected Setup feature uses Near Field Communication.  Wikipedia’s article “Near field communication” explains rather well how Near Field Communication works.

threatpost notes that most modern routers tend to enable the Wi-Fi Protected Setup feature by default.  If you are aware of the flaw in the Wi-Fi Protected Setup PIN number method, then you might want to disable the Wi-Fi Protected Setup feature so that hackers won’t be able to use a brute force attack to acquire the Wi-Fi Protected Setup PIN number of a specific access point or router.  threatpost suggests that many well-known brands are all affected by the Wi-Fi Protected Setup flaw; as long as any router has the Wi-Fi Protected Setup feature with the PIN method enabled, hackers who are aware of the Wi-Fi Protected Setup PIN number flaw can brute force the router’s Wi-Fi Protected Setup PIN number in less time than ever before.
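The following shell script is an added example; it is not from the original post or from threatpost.  It makes the “less time than ever before” concrete.  The detail the threatpost article refers to, disclosed publicly in December 2011, is that the router confirms the first four digits of the eight-digit PIN separately from the next three, and the eighth digit is a check digit computed from the other seven (the check-digit algorithm below is the one from the WPS specification, also used by hostapd; 12345670 is the AP PIN that appears in hostapd’s example configuration).  Knowing that the effective search space is about 11,000 guesses rather than ten million is what makes the advice to disable the PIN method matter.

```shell
#!/bin/sh
# Added example, not code from the original post or from threatpost.
# Shows why a WPS PIN can be found by brute force so quickly, and how the
# check digit of an 8-digit WPS PIN is computed (the algorithm from the WPS
# specification, as also used by hostapd).

# Worst-case guesses if the whole PIN were checked in one step: the first
# seven digits are free, the eighth is a check digit, so 10^7 possibilities.
wps_guesses_single_step() {
  echo $((10 * 10 * 10 * 10 * 10 * 10 * 10))
}

# Worst-case guesses under the split verification reported in December 2011:
# the first four digits are confirmed on their own (10^4), then the next three
# (10^3), and the check digit follows from those seven.
wps_guesses_split() {
  echo $((10000 + 1000))
}

# Check digit for the first seven digits of a WPS PIN, given as a number:
# digits are weighted 3,1,3,1,... from the right, and the check digit makes
# the weighted sum a multiple of 10.
wps_checksum() {
  pin=$1
  accum=0
  while [ "$pin" -gt 0 ]; do
    accum=$((accum + 3 * (pin % 10)))
    pin=$((pin / 10))
    accum=$((accum + pin % 10))
    pin=$((pin / 10))
  done
  echo $(((10 - accum % 10) % 10))
}

# Prints "valid" if $1 is an eight-digit PIN whose check digit is correct,
# otherwise "invalid".  Leading zeros are stripped before arithmetic so the
# shell does not read "0123456" as an octal number.
wps_pin_valid() {
  full=$1
  case $full in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo invalid; return 1 ;;
  esac
  body=${full%?}            # first seven digits
  check=${full#???????}     # eighth digit
  body=${body#"${body%%[!0]*}"}
  [ -n "$body" ] || body=0
  if [ "$(wps_checksum "$body")" -eq "$check" ]; then
    echo valid
  else
    echo invalid
    return 1
  fi
}

echo "guesses, single-step verification: $(wps_guesses_single_step)"
echo "guesses, split verification:       $(wps_guesses_split)"
echo "12345670 is $(wps_pin_valid 12345670)"   # valid: hostapd's example AP PIN
echo "12345678 is $(wps_pin_valid 12345678)"   # invalid: wrong check digit
```

The two guess counts are the only numbers a router owner needs: an eight-digit PIN sounds like ten million possibilities, but with the split confirmation and the fixed check digit an attacker is through the whole space in about eleven thousand attempts, which is why disabling the PIN method (or the whole feature) is the fix rather than picking a “better” PIN.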

Sources:  https://threatpost.com/en_us/blogs/wifi-protected-setup-flaw-can-lead-compromise-router-pins-122711
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://www.wi-fi.org/knowledge_center_overview.php?docid=4614

Some Background Check Companies Fail To Accurately Update Background Records, Leading To Many Headaches and Heartaches For The Innocent

Image: “Mistaken Identity” by tuchodi via Flickr

According to the Associated Press article “AP IMPACT: When your criminal past isn’t yours” on Yahoo News, the irony of digitizing citizens’ records is that the inaccuracy of such digital records has screwed up some people’s lives big time.  The purposes of turning citizens’ paper background records and other sensitive information into digital records are presumably to speed things up, make the records more accurate and easier to update, and to manage them efficiently in ways a paper filing system could never compete with.  Unfortunately, the advantages of having digital records stored in sophisticated databases sometimes fall short.  As an example of how our modern filing system has fallen short, the Associated Press reported that a woman named Kathleen Ann Casey had a hard time finding a job because various background check companies pulled up a digital background record filled with incorrect information.  It turned out that the criminal charges of another Kathleen Ann Casey had been filed onto the digital background record of the real Kathleen Ann Casey (i.e., real is a relative term in this case).  Did data entry go badly?  Perhaps!  But could it be related to carelessness on the part of the background check companies?  Nobody knows for sure, but mistakes made by background check companies had real consequences for real people.

The whole idea of having digital records is so the filing system can be more effective in ways a paper filing system could not offer, but it turns out humans are as prone to mistakes as always.  After all, it’s still humans who have to convert or enter the information into the digital records, whether they are background records or something else entirely.  What is more troubling is that the records background check companies scour from public resources are not always accurate, and the wrong information can digitally pile up, higher and higher.  So much for filing records digitally, right?

Perhaps we can always cruelly say “tough luck” to the people who are unlucky enough to have their background records filed incorrectly by background check companies, but what if you’re the one who has to go about correcting your background record?

I think background check companies serve a good purpose.  Companies do not want to hire criminals, and so background check companies provide a much-needed service for companies that care about hiring clean employees, as in employees without criminal records.  As background check companies become ever more crucial to the hiring process for most companies, I think someone must come up with a way to audit background records better.

We cannot ignore the damage that might be caused by mistaken identities.  Also, we cannot go back to the old days when we filed records on paper, because the whole filing process involved in digitizing records is far more efficient and faster.  With such efficiency and speed, I think there must be a way to double-check and audit background records so that mistaken identity won’t occur so easily.

Of course, it’s easy to say so, but how does one come up with a solution and implement it?  I’m not a genius and have no experience in the field of addressing something like this, so I don’t know whether there is a solution to this problem.  Nonetheless, I do feel it’s crucial that someone else step up as the hero and provide a solution that addresses the errors in digitally filed background records.

Let’s not forget about implementing a high computer security standard to prevent unauthorized access to such sensitive digital records.  It’s not that digital background records cannot be seen; it’s more about preventing someone with hacking skills from manipulating such digital records.  After all, digital records such as background records have real effects on people’s lives.

At a time when our economy is still struggling and jobs aren’t easy to find, people are not going to be very capable of carrying on with their lives, and bad luck such as being identified with the wrong background information might just make surviving the hard times much worse.  To make matters worse, the Associated Press reported that a few background check companies refused to update certain background records with the correct information.  Furthermore, the Associated Press reported that some states wanted to bring in more revenue by selling criminal file data in bundles to several background check companies, and the worst part was that such data might have errors and therefore might lead to more problems.

In summary, I think background check companies are useful to corporations and small businesses, but these companies must work to a higher standard in auditing people’s background records to prevent background check mistaken identities.  The whole modern approach of digitizing records is here to stay, and I don’t see anything wrong with that.  Nonetheless, since digital records have made the update and search process much easier and faster, I think such efficiency should provide more than enough extra time for someone or some entity with the power to audit important digital records such as background records to actually comb through these records ever more carefully.  It’s good to know that digital records aren’t always accurate; in the case of a wrong background record, one can be reminded that digital records are not always accurate and look up one’s own digital background information to see if it is indeed one’s actual background.  The real question is, how does one go about convincing background check companies that you are who you are and not who they claim you to be?

Source:  http://finance.yahoo.com/news/ap-impact-criminal-past-isnt-182335059.html

Combining Local Virtualization And Remote Cloud Together Can Truly Help Everyday People Prevent Data Loss

Image: “Oh, crap!! [DSCF8022]” by portfolium via Flickr

This is not the best data redundancy solution of all, but if you follow my data redundancy solution here, I think your data will be very resilient against data loss.  The idea is to have more than one backup of everything.  Emphasizing data redundancy is the key.  This is well known to businesses, but here I’m pointing it out to everyday people who happen to have some personal data they want to protect for a long time to come.  So let us begin.

You need to create a personal file server and a remote cloud.  Personal file servers have become easy to create nowadays.  What you need is the right solution.  I used to love Pogoplug, but I noticed that Pogoplug required your local data to be routed through its network from remote locations from time to time, and this would not be a good idea for a slow Internet connection or for data security.

In our specific case, we want a personal backup file server solution to help boost our data redundancy, and we don’t really need our file servers to stay up 24/7 the way businesses do.  With this in mind, we can just use a virtual machine as a WebDAV, rsync or FTP server.  We can then clone our main virtual machine.  We’re going to store our important backup data on the main and clone virtual machines.  We can place the clone virtual machines on different external hard drives so we can access our clone virtual machines as easily as our main virtual machine.  Each time we have new backup data, we have to sync or copy the new backup data onto the main and clone virtual machines.  Even if our main virtual machine goes bad, we can rely on our clone virtual machines to recover our backup data.

For security purposes, our backup data must be encrypted.  Nonetheless, you don’t really have to encrypt your external hard drives, since such a process would take too long, but I recommend you encrypt one big backup partition within the main virtual machine once.  To encrypt one big partition for backup data we can use TrueCrypt.  Using TrueCrypt to encrypt one big backup partition within our main virtual machine once speeds up the encryption process tremendously, and the backup data can still be very secure.  We don’t have to create newly encrypted backup partitions for the clone virtual machines since we are going to clone our main virtual machine anyway.  We only clone our main virtual machine right after we have completely saved our backup data onto the encrypted backup partition (i.e., encrypted using TrueCrypt) within our main virtual machine.

To create a main virtual machine, you can use VirtualBox, Parallels or VMware.  I recommend VirtualBox since it’s free and as capable as the paid products.  Next, you have to decide which operating system you want to use for your main virtual machine.  I recommend the operating system you know best so you can set up WebDAV or FTP as fast as you can.  For people who care more about the planning process and want to learn something new at the same time, I recommend Ubuntu as the operating system for the main virtual machine.  Why?  Ubuntu and any other Linux distribution let you rsync backup files easily, and so by using Ubuntu or any other Linux distribution you get not just WebDAV and FTP capabilities, but rsync capability as well.

The obvious next step is to set up the file servers on our main virtual machine so we can back up our important data onto it.  If you want to have a lot of choices, you can set up both WebDAV and FTP servers on your main virtual machine.  If you want only one, I recommend you set up WebDAV.  WebDAV is better since it allows you to map network drives to your WebDAV folders.  This way, you can just copy, paste, drag, and drop files and folders from local hard drives onto the network drives.

Ubuntu comes with rsync ready to use, so you can just use rsync to sync your backup data from your desktop or laptop to the main virtual machine.  Rsync syncs only new backup data, so it can update your backup partition faster than otherwise.  You can also use rsync to delete old backup data from the backup partition; this way you can keep the backup partition of your main virtual machine identical to the backup structure of your desktop or laptop and the clone virtual machines.

The obvious last step in creating the personal file server solution is to clone the main virtual machine.  I think Parallels, VMware and VirtualBox all have their own method for cloning a virtual machine.  After cloning the main virtual machine more than once, you can place the clone virtual machines on separate external hard drives.  Each time you back up new backup data, you have to fire up the main and the clone virtual machines to do so.  The good thing is that you don’t have to fire up all the virtual machines at once, because you can always fire up the main virtual machine first and each clone virtual machine later.
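Here is an added shell example (not from the original post) of the sync step for the local solution just described.  It assumes that the encrypted backup partition of the main virtual machine, and the copy inside each clone, is reachable from the laptop as a mounted directory (a mapped WebDAV drive or a VM shared folder; the paths in the usage line are placeholders) and that rsync is installed locally.  The practical caveat it handles: the mount point of a TrueCrypt volume that is not mounted is just an empty directory, so a sync run at the wrong moment would write the backup unencrypted onto the host disk.  The script therefore refuses to sync unless a marker file, created once inside the mounted volume, is present.

```shell
#!/bin/sh
# Added example; not code from the original post.  Assumptions: each backup
# destination (the main VM's TrueCrypt-encrypted partition and every clone's
# copy of it) is reachable as a mounted directory, and rsync is installed.

MARKER=.backup-volume   # empty file created once inside the encrypted partition

# Succeeds only when $1 is a directory that contains the marker.  The mount
# point of a volume that is NOT mounted is just an empty directory; rsync
# would happily fill it, leaving the backup unencrypted on the host disk.
volume_mounted() {
  [ -d "$1" ] && [ -f "$1/$MARKER" ]
}

# Mirror $1 onto $2.  --delete removes files that vanished from the source so
# the backup partition stays identical to the laptop's backup tree (the post's
# "delete old backup data" step); the marker is excluded, which also protects
# it from deletion.  A third argument "dry" previews without writing anything.
sync_backup() {
  src=${1%/}/
  dest=${2%/}/
  if ! volume_mounted "$dest"; then
    echo "refusing: $dest is not a mounted backup volume ($MARKER missing)" >&2
    return 2
  fi
  if [ "${3:-}" = dry ]; then
    rsync -a --delete --itemize-changes --dry-run --exclude="/$MARKER" "$src" "$dest"
  else
    rsync -a --delete --itemize-changes --exclude="/$MARKER" "$src" "$dest"
  fi
}

# Sync one source to the main volume and then to every clone, one after the
# other (the post's "fire up the main virtual machine first and each clone
# later").  Returns non-zero if any destination was skipped or failed.
sync_all() {
  src=$1
  shift
  rc=0
  for dest in "$@"; do
    if sync_backup "$src" "$dest"; then
      echo "ok: $dest"
    else
      echo "FAILED: $dest" >&2
      rc=1
    fi
  done
  return $rc
}

# Command-line use (placeholder mount points):
#   sh backup-sync.sh "$HOME/Documents" /mnt/backup-main /mnt/backup-clone1
if [ $# -ge 2 ]; then
  sync_all "$@"
fi
```

Create the marker once per volume while it is mounted (for example `touch /mnt/backup-main/.backup-volume`); from then on a run against an unmounted volume is refused instead of silently producing a plaintext copy.  Run `sync_backup SRC DEST dry` before the first real sync to see which files `--delete` would remove.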

By having a proper local/personal backup file server solution, your backup data are now more resilient against data loss than before.  Still, a local/personal backup file server solution is susceptible to fire, flood, power surges, hardware failures, and other unfortunate catastrophic events.  When such events happen, your backup data will be lost forever.  This is why we must also back up our data to a remote cloud.

There are several remote cloud solutions you can look into, but most remote clouds require you to pay a monthly fee for a certain amount of cloud storage space.  You can use free remote cloud solutions such as SkyDrive, Ubuntu One, and Dropbox.  That being said, sometimes it’s better to go with a premium cloud solution since free cloud solutions usually come with limitations.  One good example of the limitations of free cloud solutions is not having enough cloud storage space.

Besides using remote cloud solutions through third parties, you can create your own remote cloud solution, such as by renting a web hosting server.  This requires you to be knowledgeable about securing your web hosting server.  After renting a web hosting server, you can turn it into a personal WebDAV, FTP or rsync backup server.  This way it acts as your remote cloud, but a private one.  That being said, some web hosting companies will not allow you to use their web hosting servers as remote file servers or a remote cloud solution.  This is why you need to read up on their terms of use before implementing this solution, OK?

Of course, don’t forget to encrypt your backup data using TrueCrypt when you back up your data to a remote file server or cloud.  Encrypting data is much more important when you are actually sending your backup data out to a remote file server or cloud, because you don’t have complete control over the security of the remote file server or cloud.  We’re talking about the whole enchilada here.  Ideally, the physical location of the file or cloud servers has to be secure from unauthorized access; the file or cloud servers have to be secured with a firewall, antivirus and antimalware software, and so on; there have to be physical preventive measures and means to prevent hardware failures; the list can go on and on.

Another thing to make sure of is that your remote file or cloud servers are able to run 24/7.  It’s important for you to be able to reach your backup data remotely at any time.  You never know what will happen to your backup data if you cannot reach the file or cloud servers that host it, right?

In summary, it costs some money to protect data.  Even if you’re just protecting some private data, it is still going to cost you some money, such as for buying external hard drives.  Everyday people like us might not even need the remote file or cloud solution.  Still, for people who are paranoid enough about protecting their backup data, I think a remote file or cloud solution is needed.  It’s smart to use virtualization to deploy a local backup file server solution, since the virtual machines can be cloned easily and stored on external hard drives for data redundancy.
